How to stop Blackhole Exploit Kit by using its vulnerability

a guest
Aug 29th, 2012
This is an explanation of a weakness in the Blackhole exploit kit that could be used to turn a DoS back on the Blackhole service itself and take this evil service down.

It has been reported on the Internet that the latest Java zero-day (CVE-2012-4681) is already in use in the Blackhole malware pack, and the infection is now an epidemic. Lists of Blackhole servers were released in the articles below:
http://blog.fireeye.com/research/2012/08/java-zero-day-first-outbreak.html
http://www.malwaredomains.com/wordpress/?p=2837
http://community.websense.com/blogs/securitylabs/archive/2012/08/28/new-java-0-day-added-to-blackhole-exploit-kit.aspx

There are a lot of hosts serving this Blackhole army, and taking them down one by one would be tough. This analysis is about outsmarting the lowlifes who run it by making their own servers DoS each other.

Most unwanted visitors, i.e. requests for the Blackhole main.php that carry the wrong parameters, are redirected by the PHP code to another site (google.com by default).
Below is an example:

--00:23:54-- http://91.220.35.52/main.php
=> `main.php'
Connecting to 91.220.35.52:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily <=====THIS
Location: http://google.com [following]
--00:23:56-- http://google.com/ <=====THIS
=> `index.html.2'
Resolving google.com... 173.194.38.103, 173.194.38.110, 173.194.38.104, ...
Connecting to google.com|173.194.38.103|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--00:23:56-- http://www.google.com/
=> `index.html.2'
Resolving www.google.com... 173.194.38.116, 173.194.38.115, 173.194.38.114, ...
Connecting to www.google.com|173.194.38.116|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.co.jp/ [following]
--00:23:56-- http://www.google.co.jp/
=> `index.html.2'
Resolving www.google.co.jp... 173.194.38.120, 173.194.38.127, 173.194.38.119
Connecting to www.google.co.jp|173.194.38.120|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 11,201 --.--K/s
00:23:57 (892.23 KB/s) - `index.html.2' saved [11201]

I was analysing the Blackhole hosts to confirm this vulnerability and found Windows-based VPS hosting being used for this evil service:
---------------------------
PORT STATE SERVICE
---------------------------
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http <----------- nginx
110/tcp open pop3
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
445/tcp filtered microsoft-ds
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

---------------------------
The other ones:
---------------------------
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
80/tcp open http <----------- nginx
110/tcp open pop3
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
445/tcp filtered microsoft-ds
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql


Q: What OS are these infected machines?
A: Windows. PoC:
---------------------------
TCP/IP fingerprint:
---------------------------
blackhole server #1:
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=1380%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=1380%ACK=S++%Flags=AS%Ops=MNNTNW)
T3(Resp=Y%DF=Y%W=1380%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

blackhole server #2:
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=1380%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=1380%ACK=S++%Flags=AS%Ops=MNNTNW)
T3(Resp=Y%DF=Y%W=1380%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=20%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

A word of caution on this OS call: the two fingerprints are identical apart from the TOS byte, and on their own they do not point at Windows. In nmap's first-generation fingerprints, IPID=Z (an IP ID of zero on the SYN/ACK) together with TS=1000HZ (TCP timestamps ticking at 1000 Hz) is the classic signature of a Linux 2.6 stack, whereas Windows of that era did not send TCP timestamps by default; and the filtered 135-139/445 ports only show that something upstream drops NetBIOS/SMB, not that those services exist. Treat "Windows" as unconfirmed unless a second signal (the ftp/ssh/smtp banners on the open ports, for instance) agrees.

A simpler check uses the HTTP service itself. HEAD request to the document root:
---------------------------
HTML/HEAD
---------------------------
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 29 Aug 2012 16:02:45 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Thu, 23 Aug 2012 07:24:12 GMT
Connection: close
Accept-Ranges: bytes


Let's check the nginx version by sending a bad request (an absolute URI in an HTTP/1.0 request line; this host answers with a 500 whose default error page prints the version):

$ echo -e "GET http://146.185.236.183/ HTTP/1.0\n\n" | nc 146.185.236.183 80 | less
HTTP/1.1 500 Internal Server Error
Server: nginx/1.1.18
Date: Wed, 29 Aug 2012 16:26:35 GMT
Content-Type: text/html
Content-Length: 193
Connection: close

<html>
<head><title>500 Internal Server Error</title></head>
<body bgcolor="white">
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.1.18</center>
</body>
</html>


then compare with a different IP of a live Blackhole host:

$ echo -e "GET http://91.220.35.52/ HTTP/1.0\n\n" | nc 91.220.35.52 80 | less
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 29 Aug 2012 16:46:41 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Thu, 23 Aug 2012 07:24:12 GMT
Connection: close
Accept-Ranges: bytes

404 Not Found

Note what the second host does: it answers 200 OK, with no version in the Server header, and a static 13-byte body that just says "404 Not Found" (Content-Length: 13, last modified Aug 23). It is a fake 404 page served with a 200 status, the same file the HEAD request above hit.

OK, so we have a picture: Windows (per the fingerprint above), nginx in front (version 1.1.18 exposed on the first host, hidden on the second), and PHP behind it.
We have two different nginx setups here.
They all use nginx, but not with the common settings.
The first one is what I saw yesterday and the day before yesterday: it uses the default setting, which shows the version, the HTML error page and so on; the second is a customised nginx setup.
So far I have only asked for the document root via the IP address.
So let's request main.php from the previous Blackhole IP and see what happens.

$ nc 146.185.236.183 80
GET http://146.185.236.183/main.php HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.1.18
Date: Wed, 29 Aug 2012 16:37:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10
Location: http://google.com

$ nc 91.220.35.52 80
GET http://91.220.35.52/main.php HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 29 Aug 2012 16:53:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.5
Location: http://google.com

Yes, that confirms the theory.
146.185.236.183 is on the default setting and additionally reports PHP/5.3.10,
while 91.220.35.52 runs a better-configured nginx with PHP/5.3.5.
What is certain is that the redirect target is identical on both: http://google.com with no www, which looks like a default string hard-coded in Blackhole for redirecting unwanted requests rather than something each operator typed in.
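The two netcat checks above (does the Server header leak a version, and does main.php answer with the kit's default 302 to http://google.com) can be turned into a small fingerprinting script. The code below is an added example, not part of the original paste or of Blackhole itself; parse_response, fingerprint, send_raw and probe are names chosen here, and the four sample responses are constructed from the captures above (the 500 page body is abridged). fingerprint() runs offline on those samples; probe() sends the same two raw requests to a live host.

```python
"""Fingerprint a Blackhole-style host from its raw HTTP responses.

Added example, not part of the original paste. Reproduces offline the two
checks done by hand with netcat above: does the Server header leak a version,
and does main.php answer with the kit's default "302 -> http://google.com".
"""
import socket


def send_raw(host, port, request, timeout=5.0):
    """Send one raw request the way `nc host 80` does; return the whole
    response as bytes (read until the server closes). Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).
    Header names are lower-cased; the value keeps everything after the first
    colon, so 'Location: http://...' survives intact."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF captures, e.g. a transcript pasted from less
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(root_resp, main_php_resp):
    """Classify one host from its '/' response and its '/main.php' response."""
    r_status, r_hdr, r_body = parse_response(root_resp)
    m_status, m_hdr, _ = parse_response(main_php_resp)
    server = r_hdr.get("server", "")
    return {
        "nginx": server.lower().startswith("nginx"),
        # a default build answers "nginx/x.y.z"; server_tokens off leaves "nginx"
        "version_disclosed": "/" in server,
        "nginx_version": server.partition("/")[2] or None,
        "php": m_hdr.get("x-powered-by", "").partition("/")[2] or None,
        # the hardened host above serves "/" as 200 OK with a 13-byte fake 404 body
        "fake_404_body": r_status == 200 and r_body.strip() == b"404 Not Found",
        # the kit's stock behaviour: 302 with Location exactly "http://google.com"
        "blackhole_redirect": (m_status == 302
                               and m_hdr.get("location") == "http://google.com"),
    }


def probe(host, port=80):
    """Live version of the two netcat requests above. Not exercised offline."""
    req = "GET http://%s/%s HTTP/1.0\r\n\r\n"
    return fingerprint(send_raw(host, port, req % (host, "")),
                       send_raw(host, port, req % (host, "main.php")))


# Sample responses constructed from the captures in the paste (the 500 page
# body is abridged; only the headers matter to the checks above).
DEFAULT_HOST_ROOT = (
    b"HTTP/1.1 500 Internal Server Error\r\nServer: nginx/1.1.18\r\n"
    b"Content-Type: text/html\r\nContent-Length: 193\r\nConnection: close\r\n\r\n"
    b"<html><head><title>500 Internal Server Error</title></head></html>")
DEFAULT_HOST_MAIN = (
    b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx/1.1.18\r\n"
    b"Content-Type: text/html\r\nConnection: close\r\n"
    b"X-Powered-By: PHP/5.3.10\r\nLocation: http://google.com\r\n\r\n")
HARDENED_HOST_ROOT = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\nConnection: close\r\n\r\n404 Not Found")
HARDENED_HOST_MAIN = (
    b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
    b"Content-Type: text/html\r\nConnection: close\r\n"
    b"X-Powered-By: PHP/5.3.5\r\nLocation: http://google.com\r\n\r\n")

if __name__ == "__main__":
    print("146.185.236.183-style:", fingerprint(DEFAULT_HOST_ROOT, DEFAULT_HOST_MAIN))
    print("91.220.35.52-style:  ", fingerprint(HARDENED_HOST_ROOT, HARDENED_HOST_MAIN))
```

Run stand-alone it prints the two verdicts for the constructed samples; probe("a.b.c.d") does the same against a live host. The parser splits on the first colon only, so header values containing URLs are kept whole, and it accepts bare-LF input so a transcript pasted out of less can be fed to it as well.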
Next, a nice Unix trick to make a PoC of this crafted Blackhole response. I created a text file boobytrap.txt as below:

//---------------start
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 29 Aug 2012 16:53:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.5
Location: http://google.com
// end-------------

Serve it as a daemon from a Unix box with IP x.x.x.x, bound to port 8886, with netcat (traditional netcat syntax; with the OpenBSD flavour it is nc -l 8886):

$ cat boobytrap.txt | nc -l -p 8886

Then from a neighbouring machine open it in a browser:

$ lynx http://x.x.x.x:8886
(incoming answer starts here)
HTTP/1.1 302 Moved Temporarily <--- response 1
(and the browser lands on the google page)

On the server side it looks like the capture below:

$ cat boobytrap.txt | nc -l -p 8886
(incoming request from the browser starts here)
GET / HTTP/1.0
Host: x.x.x.x:8886
Accept: text/html, text/plain, audio/mod, image/*, application/msword, application/pdf, application/postscript, text/sgml, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.5dev.16 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7a

Wowie, it works exactly like the answer from Blackhole itself.

What this shows is that the Blackhole answer is nothing more than a plain 302 with a Location header, written to the socket by main.php (or another of its PHP files); anything that emits those bytes is indistinguishable from the kit. So the way to attack this evil service is to change the "Location:" on the Blackhole servers so that it points at the IP address of another Blackhole server, or several of them: an interesting chain reaction.

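The boobytrap above, and what happens to a client that lands on a chain of Blackhole servers whose Location headers point at each other, as an added example that is not from the original paste. serve_once() is the Python equivalent of `cat boobytrap.txt | nc -l -p 8886`; follow_redirects() follows Location headers with the same kind of limits real clients apply (Python's urllib, for instance, gives up after 10 hops or after meeting the same URL 4 times). That limit is the caveat to the chain-reaction idea: each visitor gets bounced a bounded number of times and then stops, so what the kit's servers receive is a few extra requests per victim, not an unbounded loop. The 192.0.2.x addresses, the canned fetch table and the function names are constructed for illustration.

```python
"""Canned 302 responder plus a bounded redirect follower.

Added example, not from the original paste. serve_once() replays the
boobytrap.txt response over a socket; follow_redirects() shows how far a
client actually goes when Blackhole hosts redirect to each other.
"""
import socket
from urllib.parse import urljoin


def build_redirect(location, server="nginx", php="5.3.5"):
    """Build the boobytrap.txt response as bytes with CRLF line endings."""
    lines = [
        "HTTP/1.1 302 Moved Temporarily",
        "Server: " + server,
        "Content-Type: text/html",
        "Connection: close",
        "X-Powered-By: PHP/" + php,
        "Location: " + location,
        "",  # blank line ends the headers
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def serve_once(port, response, bind="0.0.0.0"):
    """Python equivalent of `cat boobytrap.txt | nc -l -p 8886`: accept one
    connection, read the request head, send the canned response, and return
    the request bytes for inspection. Not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn:
            request = conn.recv(65536)
            conn.sendall(response)
    return request


def follow_redirects(fetch, url, max_hops=10, max_repeats=4):
    """Follow Location headers with client-style limits. fetch(url) returns
    (status, headers) with lower-cased header names. Stops after max_hops
    redirects, or as soon as one URL would be fetched more than max_repeats
    times (a loop). Returns (chain_of_urls, reason)."""
    chain = [url]
    visits = {url: 1}
    while True:
        status, headers = fetch(url)
        if not (300 <= status < 400 and "location" in headers):
            return chain, "final %d" % status
        url = urljoin(url, headers["location"])  # Location may be relative
        chain.append(url)
        visits[url] = visits.get(url, 0) + 1
        if visits[url] > max_repeats:
            return chain, "loop: %s seen %d times" % (url, visits[url])
        if len(chain) - 1 >= max_hops:
            return chain, "max_hops %d reached" % max_hops


# Constructed fetch table (hypothetical hosts in the 192.0.2.0/24 documentation
# range): two kit servers whose main.php Location points at the other, and a
# stock one that still sends unwanted visitors to google.com.
BLACKHOLE_A = "http://192.0.2.10/main.php"
BLACKHOLE_B = "http://192.0.2.20/main.php"
STOCK = "http://192.0.2.30/main.php"
CANNED = {
    BLACKHOLE_A: (302, {"location": BLACKHOLE_B}),
    BLACKHOLE_B: (302, {"location": BLACKHOLE_A}),
    STOCK: (302, {"location": "http://google.com"}),
    "http://google.com": (200, {}),
}


def canned_fetch(url):
    """Offline stand-in for a real HTTP fetch."""
    return CANNED[url]


if __name__ == "__main__":
    for start in (STOCK, BLACKHOLE_A):
        chain, reason = follow_redirects(canned_fetch, start)
        print(start, "->", len(chain) - 1, "hops,", reason)
```

Run stand-alone it prints one hop for the stock host and a loop verdict after eight hops for the two cross-pointing hosts. To reproduce the lynx test, call serve_once(8886, build_redirect("http://google.com")) on one box and point a browser at it from another; the returned bytes are the browser's request head, like the Lynx capture above.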
How to make this work? Look at the two HTTP responses above. The first one is the default nginx setting, the second the better-configured one. From the analysis we know the nginx version exposed by the first host (1.1.18) had several published flaws at the time, and the kit's own PHP is where the usual web-app weaknesses (an arbitrary file upload, a little SQL injection) from the pentest toolbox come in. For your convenience, the nginx issues are listed below. Check each advisory's affected-version range against 1.1.18 before counting on it: the fix for malformed upstream responses (CVE-2012-1180) shipped in 1.1.17 and 1.0.14, so 1.1.18 already has it; the mp4 module issue (CVE-2012-2089, affecting 1.1.3 through 1.1.18) applies only when nginx was built with ngx_http_mp4_module and the mp4 directive is enabled for a location; and the null-byte issue, per its own title, concerns older nginx versions, with the range given in the blog post.

Possible arbitrary code execution with null bytes in URI
https://bugzilla.redhat.com/show_bug.cgi?id=717078

Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx
https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

nginx fix for malformed HTTP responses from upstream servers (CVE-2012-1180)
http://seclists.org/bugtraq/2012/Mar/65

nginx security advisory: mp4 module vulnerability (CVE-2012-2089)
http://www.openwall.com/lists/oss-security/2012/04/12/9

*) This material is for research purposes only.

------
- Anonymous care citizen (not related to the Anonymous group at all) -