Wednesday, July 13, 2011

Simple Python reverse shell

Some days ago, Rel1k published a post explaining that he decided to include a small Python backdoor in SET.

I gave it a try but I found some problems when executing the script in Linux.

  • The 'quit' command should make the backdoor close the connection and finish its execution, but it was not working. The string 'quit\n' is received with its newline, so it never matches and the backdoor sends it to the shell instead of quitting.
  • When Control+C is pressed, the netcat listener exits, which leaves the backdoor spinning in an infinite loop and consuming lots of resources (while(True){} without any sleep).
I have made a few changes to the script to solve the problems I found; it also connects back again in case we pressed Control+C by mistake, so we do not lose our shell :)
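To make the two fixes concrete, here is an added example of my own; it is neither the SET backdoor nor the modified script. It models a generic line-oriented TCP control channel: each line is stripped before comparison so 'quit\n' (or 'QUIT\r\n') is recognised, a peer disconnect ends the session instead of spinning, and reconnection waits with a growing delay between attempts. The handler simply echoes the command back, and the listener that plays the operator is a constructed thread on 127.0.0.1, so the whole exchange runs offline.

```python
import socket
import threading
import time


def parse_command(raw: bytes):
    """Normalize one line read from the control channel.

    Returns None for a blank line, "quit" when the peer asks us to stop and the
    stripped command text otherwise. The original bug compared the raw
    b'quit\\n' against 'quit', so the line ending has to be stripped first.
    """
    text = raw.decode("utf-8", errors="replace").strip()
    if not text:
        return None
    if text.lower() == "quit":
        return "quit"
    return text


def run_session(sock, handler):
    """Serve newline-terminated commands until "quit" or a disconnect.

    Returns (commands_handled, reason) with reason "quit" or "disconnected".
    `handler` is whatever the program does with a command; here it is an echo.
    """
    handled = []
    with sock.makefile("rb") as lines:
        for raw in lines:
            cmd = parse_command(raw)
            if cmd is None:
                continue
            if cmd == "quit":
                return handled, "quit"
            handled.append(cmd)
            sock.sendall(handler(cmd).encode("utf-8") + b"\n")
    # EOF: the listener went away (e.g. Control+C on netcat); do not spin on it.
    return handled, "disconnected"


def connect_with_backoff(host, port, max_attempts=5, base_delay=0.05, sleep=time.sleep):
    """Try to connect, sleeping base_delay * 2**n between failures.

    Returns (socket, attempts) on success or (None, max_attempts) after giving
    up, instead of a while(True) loop with no sleep that pegs the CPU.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            sock = socket.create_connection((host, port), timeout=2)
            sock.settimeout(None)          # blocking reads once connected
            return sock, attempt
        except OSError:
            sleep(base_delay * 2 ** (attempt - 1))
    return None, max_attempts


def _operator(port_box, script, responses):
    """Constructed stand-in for the netcat listener: sends scripted commands,
    then collects every reply until the client closes the connection."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port_box.append(srv.getsockname()[1])
        conn, _ = srv.accept()
        with conn:
            conn.sendall(script)
            responses.append(conn.makefile("rb").read())


def demo_local():
    """Run the scripted exchange on localhost and return what happened."""
    port_box, responses = [], []
    script = b"echo one\n\nECHO two\r\nquit\necho never-seen\n"   # constructed input
    t = threading.Thread(target=_operator, args=(port_box, script, responses), daemon=True)
    t.start()
    while not port_box:
        time.sleep(0.01)
    sock, attempts = connect_with_backoff("127.0.0.1", port_box[0])
    with sock:
        handled, reason = run_session(sock, lambda cmd: "ok: " + cmd)
    t.join(timeout=5)
    return {"handled": handled, "reason": reason, "attempts": attempts,
            "operator_saw": responses[0]}


if __name__ == "__main__":
    print(demo_local())
```

The `sleep` parameter of `connect_with_backoff` exists so the delay schedule can be observed without actually waiting; in production you would leave the default.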

The modified version can be found here:


Monday, July 11, 2011

Windows Shellbags and Timeline Analysis

I have learned about the Windows Registry Shellbags via this good post written by Chad Tilbury on the SANS Computer Forensics blog.

These registry keys store the view preferences of every folder that has been opened at least once with Windows Explorer (local, remote, on portable devices, etc.). Thus, the mere existence of an entry, together with its timestamp, indicates that the intruder accessed that resource, which makes them another useful source of information for timeline analysis.

The article explains that there are some differences between Windows XP and Windows 7, and the author recommends the tool Sbag from TZWorks.
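As an added illustration of the timeline use described above (my own code, not Sbag or anything from the SANS post), the following converts registry FILETIME last-write stamps and merges shellbag entries with events from another source into one ordered timeline. The key locations are the well-known XP and Windows 7 ones; the entries and the logon event in `demo()` are constructed, and `classify_folder` is a simple heuristic of mine, not something the post states.

```python
from datetime import datetime, timedelta, timezone

# Where Explorer keeps shellbags; the hive differs between XP and Windows 7.
SHELLBAG_KEYS = {
    "xp": ("NTUSER.DAT", [r"Software\Microsoft\Windows\Shell\BagMRU",
                          r"Software\Microsoft\Windows\ShellNoRoam\BagMRU"]),
    "win7": ("UsrClass.dat", [r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]),
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Registry key last-write times are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - _EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify_folder(path: str) -> str:
    """Heuristic (my assumption): UNC paths are remote, anything not on C: is
    treated as a portable/other volume, the rest is local."""
    if path.startswith("\\\\"):
        return "remote"
    if not path.upper().startswith("C:"):
        return "portable/other"
    return "local"


def build_timeline(shellbag_entries, other_events=()):
    """Merge shellbag last-write times with events from other sources.

    shellbag_entries: iterable of (key_path, folder, filetime)
    other_events:     iterable of (datetime, source, description)
    Returns rows (datetime, source, description, detail) sorted by time.
    """
    rows = []
    for key_path, folder, filetime in shellbag_entries:
        rows.append((filetime_to_datetime(filetime), "shellbag",
                     f"{folder} [{classify_folder(folder)}]", key_path))
    for when, source, what in other_events:
        rows.append((when.astimezone(timezone.utc), source, what, ""))
    rows.sort(key=lambda row: row[0])
    return rows


def format_timeline(rows) -> str:
    return "\n".join(
        f"{when:%Y-%m-%d %H:%M:%S} UTC | {source:<9} | {what} {detail}".rstrip()
        for when, source, what, detail in rows
    )


def demo():
    """Constructed sample: a user opened a share and a USB stick, and a logon
    event from another source is merged in. Nothing here is from a real system."""
    hive, keys = SHELLBAG_KEYS["win7"]
    t = lambda *args: datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))
    shellbags = [
        (f"{hive}\\{keys[0]}\\0\\3", r"\\fileserver\finance", t(2011, 7, 11, 9, 41, 5)),
        (f"{hive}\\{keys[0]}\\1\\0", r"E:\backup", t(2011, 7, 11, 9, 52, 30)),
        (f"{hive}\\{keys[0]}\\0", r"C:\Users\bob\Documents", t(2011, 7, 11, 9, 12, 0)),
    ]
    events = [(datetime(2011, 7, 11, 9, 10, 44, tzinfo=timezone.utc), "evtx", "logon of bob")]
    return build_timeline(shellbags, events)


if __name__ == "__main__":
    print(format_timeline(demo()))
```

The last-write time of a BagMRU subkey is only the time the key was last updated, so it bounds the most recent interaction with that folder rather than every visit; that is why it is merged with other sources rather than read on its own.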

Friday, July 8, 2011

Windows ASLR and the False Sense of Security

Lately, I have read a lot about exploits that bypass ASLR. In particular, this post from and this one from .

I believe ASLR is a really good protection on systems where all the software makes use of it and there is no room for exceptions, but that is not true for Windows. Since the feature is optional on this platform, it only takes someone loading into your process a DLL that has ASLR disabled to bypass all the protections that were carefully planned.

We have seen such examples with Java, McAfee and Symantec, and I am sure we will find many more in the future, since Microsoft will be trapped supporting old software for a long time, if not forever. The only option I see is the operating system enforcing these protections at a low level.
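Since the whole point is that one opted-out DLL is enough, a defender wants to know which images in a product's install directory lack the opt-in. As an added example (my own code, not from the posts referenced above), the following reads the DllCharacteristics word of the PE optional header and reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA bits. `build_fake_pe` constructs a minimal header so the parser can be exercised without a real binary; `audit_directory` walks a real folder.

```python
import os
import struct

# Bits of the optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image opted in to DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    opt = coff + 20                           # optional header follows it
    if len(data) < opt + 72:
        raise ValueError("truncated headers")
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if size_of_optional < 72 or magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header (magic 0x%x)" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_report(data: bytes) -> dict:
    """Summarize the mitigations the image opted in to."""
    flags = dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def audit_directory(directory: str):
    """Yield (path, report or error text) for every .dll/.exe below directory.
    Only the first 64 KiB is read; the headers live there in practice."""
    for root, _, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".dll", ".exe")):
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, aslr_report(fh.read(65536))
                except (OSError, ValueError) as exc:
                    yield path, f"error: {exc}"


def build_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections), used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)        # e_lfanew: PE signature right after DOS header
    opt_size = 112 if pe32plus else 96
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2000)  # 0x2000 = IMAGE_FILE_DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path, report in audit_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, report)
```

Any image that reports `dynamic_base: False` will be mapped at its preferred base in every process that loads it, which is exactly the fixed address an exploit needs; on the system side, the post's wish for OS-level enforcement is what later "force ASLR" style policies provide for images that did not opt in.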

Friday, July 1, 2011

Monitoring Pastebin Leaks

Yesterday I got some time and I wrote a quick script that continuously monitors, looking for interesting keywords.

The script is called and accepts a file containing regular expressions, one per line.

It also lets you reload the regular expressions without stopping it (by sending it SIGHUP) and dump the pastes it has already found to the screen (by sending it SIGUSR1).

This is a sample output:

./ ./file.txt
[!] My PID is: 9475
[!] Loading regular expressions

Dumping stored matches:
[!] Found Match. :  @aol\.com [33 times] || @yahoo\.com [42 times] || @gmail\.com [729 times] || @hotmail\.com [355 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [5344 times] || @comcast\.net [1 times] || ;
[!] Found Match. :  @comcast\.net [1 times] || @hotmail\.com [4 times] || @gmail\.com [11 times] || @yahoo\.com [12 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [37 times] || ;
[!] Found Match. :  [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [1 times] || INSERT INTO [1 times] || union.+select.+from [7 times] || ;
[!] Found Match. :  @yahoo\.com [2 times] || -- phpMyAdmin SQL Dump [1 times] || @gmail\.com [2 times] || [\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4} [6 times] || INSERT INTO [1 times] || CREATE TABLE [1 times] || ;
[!] Found Match. :  -----BEGIN RSA PRIVATE KEY----- [1 times] || ;
End of dump
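Here is an added example of the same design, written by me; it is not the script described above nor the Perl version by Xavier Mertens. It loads one regex per line from a file, counts hits per pattern for each paste, and installs a SIGHUP handler that schedules a reload and a SIGUSR1 handler that schedules a dump of the stored matches. The handlers only set flags, which the polling loop then services, so no file or console I/O happens inside an asynchronous handler. Fetching pastes is a pluggable callable because the site layout changes; `constructed_fetch` returns two made-up pastes so the demo runs offline. The output format imitates the sample above but includes a paste id of my choosing.

```python
import os
import re
import signal
import sys
import time
from collections import Counter


class PasteMonitor:
    """Keeps the compiled regex list and every match seen so far."""

    def __init__(self, patterns_path):
        self.patterns_path = patterns_path
        self.patterns = []        # list of (source text, compiled regex)
        self.matches = []         # list of (paste id, Counter of hits per pattern)
        self.reload_pending = False
        self.dump_pending = False
        self.load_patterns()

    def load_patterns(self):
        """(Re)read the file: one regex per line, blank lines and # comments ignored.
        A bad line is reported and skipped so one typo cannot kill the monitor."""
        compiled = []
        with open(self.patterns_path, encoding="utf-8") as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.rstrip("\r\n")
                if not line or line.startswith("#"):
                    continue
                try:
                    compiled.append((line, re.compile(line, re.IGNORECASE)))
                except re.error as exc:
                    print(f"[!] Skipping bad regex on line {lineno}: {exc}", file=sys.stderr)
        self.patterns = compiled
        return len(compiled)

    def scan(self, paste_id, text):
        """Count hits per pattern in one paste; remember it if anything matched."""
        hits = Counter()
        for source, regex in self.patterns:
            count = sum(1 for _ in regex.finditer(text))
            if count:
                hits[source] = count
        if hits:
            self.matches.append((paste_id, hits))
        return hits

    @staticmethod
    def format_match(paste_id, hits):
        body = " || ".join(f"{source} [{count} times]" for source, count in hits.items())
        return f"[!] Found Match. {paste_id}: {body} || ;"

    def dump(self):
        lines = ["Dumping stored matches:"]
        lines += [self.format_match(pid, hits) for pid, hits in self.matches]
        lines.append("End of dump")
        return "\n".join(lines)

    # Handlers only raise flags; reloading and printing happen in the main loop.
    def install_signal_handlers(self):
        signal.signal(signal.SIGHUP, lambda *_: setattr(self, "reload_pending", True))
        signal.signal(signal.SIGUSR1, lambda *_: setattr(self, "dump_pending", True))

    def service_pending(self):
        """Act on flags set by the handlers; returns the actions performed."""
        done = []
        if self.reload_pending:
            self.reload_pending = False
            print("[!] Loading regular expressions")
            self.load_patterns()
            done.append("reload")
        if self.dump_pending:
            self.dump_pending = False
            print(self.dump())
            done.append("dump")
        return done


def run(monitor, fetch, interval=30.0, rounds=None):
    """Poll fetch() -> [(paste_id, text), ...] forever (or `rounds` times),
    sleeping between polls instead of hammering the site. Returns pastes seen."""
    seen, done_rounds = set(), 0
    while rounds is None or done_rounds < rounds:
        monitor.service_pending()
        for paste_id, text in fetch():
            if paste_id in seen:
                continue
            seen.add(paste_id)
            hits = monitor.scan(paste_id, text)
            if hits:
                print(monitor.format_match(paste_id, hits))
        done_rounds += 1
        if rounds is None or done_rounds < rounds:
            time.sleep(interval)
    return len(seen)


def constructed_fetch():
    """Stand-in for the real fetcher: two made-up pastes, no network access."""
    return [("p1", "alice@gmail.com bob@gmail.com\nINSERT INTO users VALUES (1);"),
            ("p2", "-----BEGIN RSA PRIVATE KEY-----\nconstructed, not a real key\n")]


if __name__ == "__main__":
    mon = PasteMonitor(sys.argv[1])
    mon.install_signal_handlers()
    print(f"[!] My PID is: {os.getpid()}")
    run(mon, constructed_fetch, interval=5.0)
```

Run it as `python monitor.py regex.txt`, then `kill -HUP <pid>` after editing the regex file or `kill -USR1 <pid>` to see the stored matches; a regex with a syntax error is skipped with a message rather than taking the monitor down on reload.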

Update: a maintained and improved version of this script can be found in Monitoring within your SIEM by Xavier Mertens. It is written in Perl, but I think you can survive the headache :p

Update: It seems that has changed the HTML layout and the regular expressions in the script need to be changed. Since the script is not maintained, you have to make the changes on your own.