Before you read any further, note: I will not be including the original hack file, simply due to people's stupidity in putting this on a production environment to play with. If you use the code you do so at your own risk, and by reading this blog entry / using the code provided you agree to accept all liability upon yourself for your own actions. Don't be an idiot.
Around 10 days ago I came across this seemingly innocuous little file.
What I am going to cover in this entry is dissecting the 'payload', and not so much the web app in question or the methods used to compromise it.
While I will not at this time provide the original file, I will provide the md5 and sha1 hashes of the file so you can check it's not lurking on your systems:
md5: 9ee3e6523d154114460d320477a8665a
sha1: 9c64fecea5620d70a716bbd74f6e89612a4a79c7
The bit we are interested in is the last line of the file:
Were you to run this line you would get

Confused yet? Now, I can appreciate the thinking behind packing a payload to avoid detection, but in this case the payload is packed 12 times, and no, before you ask, I did not manually run each returned statement to find this out.
Enter Python-Fu:

#!/usr/bin/env python3
# saiweb.co.uk payload unpack script 26/05/2010
# copy the eval(gzinflate()) line to payload.raw, place in same directory as this file.
"""
Copyright (C) 2010 Buzz saiweb.co.uk
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Additional Terms as Per section 7
Attribution:
Redistribution/Reuse of this code is permitted under the GNU v3 license, as an additional term ALL code must carry the original Author(s) credit in comment form.
"""
import base64
import re
import zlib

# One packing layer looks like: eval(gzinflate(base64_decode('<base64 blob>')));
PACKED = re.compile(r"eval\(gzinflate\(base64_decode\('([^']+)'\)\)\);")


def main():
    print('Running ...')
    with open('payload.raw') as f:
        php = f.read()
    iteration = 0
    match = PACKED.search(php)
    while match:
        iteration += 1
        print('Iteration: %d' % iteration)
        gstring = base64.b64decode(match.group(1).strip())
        # gzinflate() works on raw DEFLATE data (no zlib header);
        # a negative wbits value tells zlib to expect exactly that
        php = zlib.decompress(gstring, -zlib.MAX_WBITS).decode('latin-1')
        match = PACKED.search(php)
    # Print the fully unpacked PHP; nothing is executed, only decoded
    print(php)


if __name__ == '__main__':
    main()
Copy the first payload lines into a file named payload.raw, take the above code and copy it into a file named dissect.py.
When dissect.py is run you will get the following output:
python ./dissect.py
Running ...
Iteration: 1
Iteration: 2
Iteration: 3
Iteration: 4
Iteration: 5
Iteration: 6
Iteration: 7
Iteration: 8
Iteration: 9
Iteration: 10
Iteration: 11
Iteration: 12
<?php
...
As the unpacked PHP is written to stdout, you may want to run it using the following command to capture it to a file:
python ./dissect.py > r57.php

And what you will find after unpacking 12 times in total is that the "payload" is the r57shell. This script is an information gathering tool and pseudo shell, meaning it will run any command on the host server that PHP can, providing in most cases ssh-esque access to the exploited host and allowing an attacker to do pretty much anything at this point. Some of the features also include /etc/passwd and /etc/shadow dumping, as well as searching for a tirade of common files (*.sql*, admin*, etc.); it's a one-stop script for information gathering on a LAMP/WAMP based host.
Defense: modify php.ini to disable eval(), exec, shell_exec and all non-essential functions (note that eval() is a language construct rather than a function, so disable_functions cannot switch it off; that layer has to be caught by code review and file integrity checks).
And of course, ensure your web apps are patched and up to date as well as the host they are running on.
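An added example, not the post's own script: a read-only scanner that walks a web root, flags files whose md5/sha1 match the hashes quoted above, and counts eval(gzinflate(base64_decode())) layers by inflating in memory, never executing the PHP. The file extensions, the web root and the `pack` helper (which only builds a constructed sample) are assumptions.

```python
import base64, hashlib, os, re, zlib
# Hashes of the r57 sample quoted in the post
KNOWN_BAD = {"md5": {"9ee3e6523d154114460d320477a8665a"},
             "sha1": {"9c64fecea5620d70a716bbd74f6e89612a4a79c7"}}
# One packing layer as seen in the sample
PACKED = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'"
                    rb"([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*\)\s*;")
MAX_LAYERS = 32  # bail out on runaway nesting / decompression bombs

def pack_layers(php):
    """Count nested eval(gzinflate(base64_decode())) layers; the PHP is only decoded."""
    layers = 0
    while layers < MAX_LAYERS:
        m = PACKED.search(php)
        if not m:
            break
        try:
            blob = base64.b64decode(re.sub(rb"\s", b"", m.group(1)))
            php = zlib.decompress(blob, -zlib.MAX_WBITS)  # raw DEFLATE, like gzinflate()
        except (ValueError, zlib.error):
            break  # malformed layer: report the layers seen so far
        layers += 1
    return layers

def scan_bytes(data):
    """Hash the file and classify it: known sample, packed-eval carrier, or clean."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return {"md5": md5, "sha1": sha1, "layers": pack_layers(data),
            "known_bad": md5 in KNOWN_BAD["md5"] or sha1 in KNOWN_BAD["sha1"]}

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root (assumed layout) and return (path, result) for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    result = scan_bytes(f.read())
                if result["known_bad"] or result["layers"]:
                    findings.append((path, result))
    return findings

def pack(php, layers):
    """Constructed test helper: wrap plain PHP in N gzinflate/base64 layers."""
    for _ in range(layers):
        co = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        raw = co.compress(php) + co.flush()
        php = b"eval(gzinflate(base64_decode('" + base64.b64encode(raw) + b"')));"
    return php
```

Running `scan_tree("/var/www/html")` (assumed web root) returns the files to look at; a non-zero layer count on a file that should be plain PHP is worth an incident ticket even when the hashes do not match.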
Tags: dissecting, hack, php, python, r57, r57shell
No Comments »
Posted by: Buzz in hacking
Or, as one of my colleagues said this morning, firmware programming, which in the literal sense of the word I suppose it is.
I've decided, as some of my twitter followers may already know, to produce a library / framework for the Teensy Arduino, which is available from Subversion here: http://svn.saiweb.co.uk/branches/teensy/trunk/ under the GPL v3 license.
At the time of writing I have worked through this tutorial on operating an RGB LED.
I've taken the examples and reworked them into a re-usable library incorporating a multitude of functions.
Being as I have all the parts to work through the full set of tutorials at pjrc, the library will first be updated to incorporate these examples; once complete I'll be heading over to the HID programming aspect, and there will be a library for a plethora of "fun" applications.
Tags: arduino, library, teensy
No Comments »
Posted by: Buzz in Mac

In one of those "you don't believe it until you have seen it" moments: not bad for a MacBook Pro with only a 350GB HD ...
Tags: bytes, machine, peta, time, wtf
No Comments »
Posted by: Buzz in flowplayer
Changelog
TRAC tickets closed: #68 #61 #8 #56 #7 #60
Additionally added real time updates to the colour wheel and demo player when editing the hex code manually, and updated flowplayer to version 3.1.5.
This code is in final review in dev subversion, and will be pushed to the wordpress plugins SVN tomorrow, time allowing.
Tags: flowplayer, wordpress
4 Comments »
Posted by: Buzz in Linux
Strangely, I've had some people reporting issues with being prompted for a username and password when accessing files on svn.saiweb.co.uk.
It would appear that in mod_dav_svn-1.4.2-4.el5_3.1 this directive: AuthzSVNNoAuthWhenAnonymousAllowed
now defaults to OFF, which was a p.i.t.a. to track down, having never seen that directive in ANY of the documentation ...
Anyway, pass this on to others facing the same issue.
Tags: AuthzSVNNoAuthWhenAnonymousAllowed, broken, fubar, fucked, mod_authz_svn, mod_dav_svn, svn, wtf
No Comments »
Posted by: Buzz in Linux
The default install of vi is very basic, and being as I spend a lot of my time in there I find syntax highlighting invaluable; to get this, however, you will need the vim-enhanced package.
So run the following to install this package and set up an alias for vi.
yum install vim-enhanced
echo "alias vi='/usr/bin/vim'" >> ~/.bashrc
echo "syntax on" >> ~/.vimrc
alias vi='/usr/bin/vim'
And you’re done:
Tags: CentOS, highlight, rhel, syntax, vi, vim-enhanced
No Comments »
Posted by: Buzz in Mac
Having little time to update my blog, I've been updating a wiki I keep with various tidbits, so I thought I might as well share a few; they will be appearing on here over the next few days.
First off you will want to open the "Terminal" application (not so much a play on words, it is really called Terminal):
Applications -> Utilities -> Terminal
showmount -e aaa.bbb.ccc.ddd
Where aaa.bbb.ccc.ddd is the IP or FQDN of your NFS server; this command will show a list of mountable exports on the device.
sudo mount -t nfs aaa.bbb.ccc.ddd:/exported/path ~/Desktop/nfs_folder
If you look on your desktop you will now see that the folder icon has changed to an aliased drive icon.
NOTE: These changes will not persist through a reboot; I have not yet found a way of doing this short of some Apple / Automator script to remount the drives on startup.
Tags: exports, Mac, mount, nfs, osx
2 Comments »
Posted by: Buzz in flowplayer
A user contributed patch from James Partington can be found Here.
When applied you can specify a splash image to use and your media by separating them with a "|":
/path/to/my/spash.jpg|/path/to/my/media.flv,300,150
This will be rolled into the next update, as soon as I can get some time to actually work on it!!
EDIT: despite the date of this post, no it’s not a joke
Tags: flowplayer, patch
2 Comments »
Posted by: Buzz in Linux
Following on from the python bindings post I found myself with a real problem:
the netsnmp bindings I could not for the life of me get to take the Red Hat cluster MIB files, so what did that leave me with? Walking the entire parent cluster OID and manually matching the returned OIDs to their MIB names based on the value returned, as I couldn't find a decent MIB browser or script to convert them ...
At any rate, here is a subset of OIDs for polling the Red Hat cluster service using snmp; please note that there are more OIDs, but these vary with your cluster config.
Python code:
# Base OID of the Red Hat cluster (rhc) enterprise subtree
rhc_oid = '.1.3.6.1.4.1.2312.8'
# MIB object name -> suffix under rhc_oid
data_oids = {
    'rhcMIBVersion': '.1.1',
    'rhcClusterName': '.2.1',
    'rhcClusterStatusCode': '.2.2',
    'rhcClusterStatusDesc': '.2.3',
    'rhcClusterVotesNeededForQuorum': '.2.4',
    'rhcClusterVotes': '.2.5',
    'rhcClusterQuorate': '.2.6',
    'rhcClusterNodesNum': '.2.7',
    'rhcClusterNodesNames': '.2.8',
    'rhcClusterAvailNodesNum': '.2.9',
    'rhcClusterAvailNodesNames': '.2.10',
    'rhcClusterUnavailNodesNum': '.2.11',
    'rhcClusterUnavailNodesNames': '.2.12',
    'rhcClusterServicesNum': '.2.13',
    'rhcClusterServicesNames': '.2.14',
    'rhcClusterRunningServicesNum': '.2.15',
    'rhcClusterRunningServicesNames': '.2.16',
    'rhcClusterStoppedServicesNum': '.2.17',
    'rhcClusterStoppedServicesNames': '.2.18',
    'rhcClusterFailedServicesNum': '.2.19',
    'rhcClusterFailedServicesNames': '.2.20',
}
# Print each object's full numeric OID
for item in data_oids:
    oid = '%s%s' % (rhc_oid, data_oids[item])
    print(item, oid)
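The manual OID-to-name matching described above, as an added example that is not the post's code: a resolver that maps a walked numeric OID (instance suffix included) back to its MIB name, and a parser that applies it to snmpwalk-style output. The table is a subset of the one above, and the walk output is constructed.

```python
import re

RHC_BASE = '.1.3.6.1.4.1.2312.8'
# Subset of the post's table: MIB name -> suffix under RHC_BASE (extend from the full list)
DATA_OIDS = {
    'rhcMIBVersion': '.1.1',
    'rhcClusterName': '.2.1',
    'rhcClusterStatusCode': '.2.2',
    'rhcClusterVotes': '.2.5',
    'rhcClusterQuorate': '.2.6',
    'rhcClusterNodesNum': '.2.7',
    'rhcClusterFailedServicesNum': '.2.19',
}

def _oid_tuple(oid):
    # snmpwalk without the MIB loaded prints the enterprise arc symbolically
    oid = oid.strip().replace('SNMPv2-SMI::enterprises', '.1.3.6.1.4.1')
    return tuple(int(p) for p in oid.strip('.').split('.'))

def resolve(oid):
    """Map a walked OID (with instance suffix) to (MIB name, instance) or None."""
    try:
        parts = _oid_tuple(oid)
    except ValueError:  # not a numeric OID (e.g. IF-MIB::ifDescr.1)
        return None
    for name, suffix in DATA_OIDS.items():
        prefix = _oid_tuple(RHC_BASE + suffix)
        if parts[:len(prefix)] == prefix:  # component-wise, so .2.1 never matches .2.19
            instance = '.'.join(str(p) for p in parts[len(prefix):])
            return name, instance or None
    return None

# "<oid> = <TYPE>: <value>" as printed by snmpwalk
VARBIND = re.compile(r'^(\S+)\s*=\s*(?:([A-Za-z0-9-]+):\s*)?(.*)$')

def parse_walk(text):
    """Turn snmpwalk output into {MIB name: (instance, type, value)}."""
    out = {}
    for line in text.splitlines():
        m = VARBIND.match(line.strip())
        hit = resolve(m.group(1)) if m else None
        if hit:
            out[hit[0]] = (hit[1], m.group(2), m.group(3).strip('"'))
    return out

# Constructed sample of what a walk of the cluster subtree might print
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.2312.8.1.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.2312.8.2.1.0 = STRING: "webcluster"
SNMPv2-SMI::enterprises.2312.8.2.6.0 = INTEGER: 1
SNMPv2-SMI::enterprises.2312.8.2.19.0 = INTEGER: 0
"""
```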
Tags: oid, python, redhat, snmp
No Comments »
Posted by: Buzz in python
UPDATE 28/06/10: added --libdir=/usr/lib64 --enable-shared, otherwise shared libs are not built at all!
Having spent a few hours trying to get this working on CentOS 5.4 x64, I am posting this blog entry for others to reference:
Download and compile net-snmp >= 5.4.2.1 from http://net-snmp.sourceforge.net/
./configure --with-python-modules --libdir=/usr/lib64 --enable-shared
make && make install
cd /path/to/net-snmp-src/python/
python ./setup.py build
python ./setup.py test
You may get ImportError: libnetsnmp.so.20; this is due to the x64 build creating the library as /usr/lib64/libnetsnmp.so.10, so add a symlink under the expected name:
ln -s /usr/lib64/libnetsnmp.so.10.0.3 /usr/lib64/libnetsnmp.so.20
python ./setup.py install
And you are done; you can now use the netsnmp python bindings. I'd recommend seeing the examples here: http://www.ibm.com/developerworks/aix/library/au-netsnmpnipython/
Tags: bindings, net-snmp, python, snmp
No Comments »