
Methods


Blog » Pwning PHP for fun and chocapicz.

Hello everyone! Today I'm going to talk about the latest PHP vulnerability discovered by Stefan Esser and published on the 25th of June. You can read the advisory here. Esser did not publish much information regarding this new vulnerability because of its "dangerous nature", and probably because it's still unpatched. He only posted a few indications and the output of a working exploit, without its source code. I had never really looked into the interpreter's source code myself, and decided this was the perfect opportunity to start. According to the advisory, the vulnerability is caused by the way SplObjectStorage handles unserialization. For those of you who are not familiar with PHP, the serialize() function allows you to convert native PHP data types (arrays, objects) to a string; unserialize() does the opposite and converts a string back to a PHP variable. If you run this code, you will see that the (un)serialized variable is identical to the original one.

According to the advisory:

Why Python Pickle is Insecure | Nadia Alramli's Blog.

Eval really is dangerous. Python has an eval() function which evaluates a string of Python code:

    assert eval("2 + 3 * len('hello')") == 17

This is very powerful, but also very dangerous if you accept strings to evaluate from untrusted input. Suppose the string being evaluated is "os.system('rm -rf /')"? It will really start deleting all the files on your computer.

(In the examples that follow, I'll use 'clear' instead of 'rm -rf /' to prevent accidental foot-shootings.) Some have claimed that you can make eval safe by providing it with no globals. eval() takes a second argument, which is the dictionary of global values to use during the evaluation:

    eval("os.system('clear')", {})

But we can still import modules and use them, with the builtin function __import__:

    eval("__import__('os').system('clear')", {})

The next attempt to make things safe is to refuse access to the builtins.

Are we safe now? Let's unpack this beast and see what's going on. . (). which is a fancy way of saying "object" . (). [c for c in ALL_CLASSES if c.

Pickle: An interesting stack language.

The pickle module provides a convenient method to add data persistence to your Python programs. How it does that is pure magic to most people. However, in reality, it is simple.

The output of a pickle is a "program" able to create Python data structures. A limited stack language is used to write these programs. Throughout this post, I use a simple interpreter to load pickle streams.

Import code:

    import pickle
    import sys
    sys.ps1 = "pik> "
    sys.ps2 = "... > "
    banner = "Pik -- The stupid pickle loader."

Then, launch it with Python:

    $ python pik.py
    Pik -- The stupid pickle loader.

So, nothing crazy yet.

    pik> ].
    []

Similarly, you can also create a dictionary and a tuple:

    pik> }.
    {}
    pik> ).
    ()

Remark that every pickle stream ends with a period.

    pik> I1
    ... > I2
    ... > I3
    ... > .
    3

As you see, an integer starts with the symbol 'I' and ends with a newline.

    pik> F1.0
    ... > .
    1.0
    pik> S'abc'
    ... > .

Now that you know the basics, we can move to something slightly more complex: constructing compound objects.

CSRF - File Upload PoC.

A couple of weeks ago I found myself working on a CSRF File Upload Proof-of-Concept (PoC) for a bug I had found in an Oracle product. I remember that Krzysztof Kotowicz did some research on a similar PoC not long ago.

A quick Google search brought me to his article on invisible arbitrary file upload in Flickr. So instead of reinventing the wheel, I tried to use his PoC code, available here. Unfortunately, the code was not working in my case, and I was unsure whether that depended on the browsers I was using (Firefox 8.0.1 and Chrome 15.0.874.121) and/or on the vulnerable application itself. Consequently, I spent some time coming up with a PoC (or probably a better term would be a collage) which would work in my case. The technique used is the same as illustrated in Kotowicz's research, and more information can be found here. In a few words, the exploitation process is divided into two steps: 1) Use XHR to get a binary file and store it as a JavaScript object;

Constraint.

V8 as an Alternative to SpiderMonkey for JavaScript Deobfuscation.

A popular approach to obfuscating malicious browser scripts involves using JavaScript itself to decode the original script when the browser processes the malicious web page.

Malware analysts can often bypass such defensive measures by running the script in a standalone JavaScript engine to observe its execution or examine its output. Mozilla's SpiderMonkey has been a common choice for this task. Google's V8 engine is a powerful, though lesser-known, alternative for accomplishing this.

Deobfuscating JavaScript Using SpiderMonkey

SpiderMonkey is a standalone JavaScript engine that is used in Firefox.

One way to "spy" on such commands is to compile a customized version of SpiderMonkey, as Didier Stevens did when tackling this challenge. You can save these definitions into a separate file (e.g., file.js) and load it into SpiderMonkey before the file containing the malicious script (malware.js):

    js -f file.js -f malware.js

SpiderMonkey runs best on a Unix platform.

    cd v8
    scons d8

-- Lenny.

How CRC16/32 are forged.

Internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.

Php-unserialize (d0znpp)

[OLD] [Honeypot Alert] phpMyAdmin Superglobal Session Manipulation Attack Detected.

Our web honeypots have identified attempts to exploit CVE-2011-2505. OSVDB lists the vulnerability as "phpMyAdmin libraries/auth/swekey/swekey.auth.lib.php Swekey_login() Function Superglobal Session Manipulation Arbitrary PHP Code Execution".

The vulnerability lies within the following code snippet of the libraries/auth/swekey/swekey.auth.lib.php file: line 268 has a call to parse_str(), which takes two arguments; however, this call only uses one. This means that any other QUERY_STRING parameters and values will be used within the same namespace. The result is that the attacker can take full control of the $_SESSION array. Here are the attacks captured from the honeypots:

    77.38.12.98 - - [17/Jan/2012:01:55:14 -0600] "GET /mysql/index.php?

Here is a URL decoded version for easier reading: As you can see, the attacker is attempting to inject new unserialized $_SESSION data.

Bypassing EMET's EAF with custom shellcode using kernel pointer | GreyHatHacker.NET.

Recently I have been testing out Microsoft's "Enhanced Mitigation Experience Toolkit" (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash's "ActionScript type confusion" vulnerability (CVE-2010-3654). This vulnerability affects version 10.1.53.64 and below. I used the exploit downloaded from www.Abyssec.com.

After enabling EMET on the Internet Explorer executable iexplore.exe and testing again, this time the exploit broke. Taken from EMET's user guide, it states: In order to do something "useful", shellcode generally needs to call Windows APIs. I see EMET's EAF being a great feature, as even on a system that supports DEP and ASLR, EAF will be another hurdle to get around to exploit successfully. Below is my custom asm code, which downloads and executes box.exe; I started first with static addresses.

To assemble our code we run: To get our opcodes we run:

Advanced DLL Injection.

It has been a while since my last article. Special thanks to those who decided to stay with me despite the long break, and welcome to new readers! In this article I am going to cover such a trivial (as it may seem) subject as DLL injection. For some reason, most of the tutorials on the web only give a brief coverage of the topic, mostly limited to invocation of the LoadLibraryA/W Windows API function in the address space of another process. While this is not bad at all, it gives us the least flexible solution.

This means that all the logic MUST be hardcoded in the DLL we want to inject. Let us try another approach. A short remark for nerds before we start. So, let the fun begin.

Creation of target process

Let's assume that the loader has already passed the phase of loading and parsing configuration files and is ready to start the actual job. Windows provides us with all the tools we need to start a process:

    BOOL WINAPI CreateProcess(
        __in_opt    LPCTSTR lpApplicationName,
        __inout_opt LPTSTR lpCommandLine,
        __in_opt    LPSECURITY_ATTRIBUTES lpProcessAttributes,
        __in_opt    LPSECURITY_ATTRIBUTES lpThreadAttributes,
        __in        BOOL bInheritHandles,
        __in        DWORD dwCreationFlags,
        __in_opt    LPVOID lpEnvironment,
        __in_opt    LPCTSTR lpCurrentDirectory,
        __in        LPSTARTUPINFO lpStartupInfo,
        __out       LPPROCESS_INFORMATION lpProcessInformation
    );