In the previous entry it turned out where the program hides its backdoor, but after version 0.18.0 a change occurred. The system user described above is no longer created by the installer, and commands can no longer be run through main.cgi with that system user.
A more complex solution has been implemented, one that is harder to discover, but not impossible. The hard-coded username and password have now been moved into the web server binary itself, which apparently was also packed and protected against being unpacked. Fortunately, after a series of brainstorming sessions we managed to reverse engineer the whole thing and, in the end, extract the burnt-in data from the machine code.
Furthermore, your web server may not be running on port 90, in which case the port in the URL can be replaced accordingly. You then give the browser the access data at the authentication prompt and can see the final result. And now let's analyse the program! Comparing the old version with the new one revealed that the install script no longer creates the built-in user in the htpasswd file, but it does not delete that user on upgrade either, so on some machines the user still exists (although that user can no longer run commands, because main.cgi no longer allows it). The updated version 0.19.8, however, does delete the system user; see line 81 of the setup script:
This line is found in neither the previous nor the subsequent version (intermediate versions may also contain it, but we do not have them). So if there is no built-in user in the htpasswd file, the question arises how the developer can still access the program remotely. After a little thought it is easy to guess that the web server itself is to blame: with small modifications, a fixed username and password check can easily be written into it. So we set about dissecting the httpd executable of mscp. The first problem was that a plain hex editor could not read anything from it, because the code was either encrypted or compressed. On closer inspection it soon became clear that it is compressed, with the UPX packer. This packer can compress a number of executable formats, but only a few of them have been adjusted so that they cannot easily be unpacked. The web server is one of these.
Newer versions of UPX handle ELF files (executables that run under Linux) by building a new ELF header and starting the program directly in memory, without creating any temporary files. This can be spotted immediately in the picture above (highlighted in red). Another interesting feature is the place where the UPX header used to be (marked in blue): it has been modified, so if you try to unpack the binary, you get the following message:
Right next to it we come across a call to the _strcmp function, which compares two strings. Although we have already discovered the built-in access, let's also look at the contents of /data/www/mscpliteadmin/main.cgi, which may yield further useful knowledge. Opening it, we see a version slightly different from the older one; the scmd parameter, however, remains:
There is more here than we understood before. The scmd parameter is thus back, and the username is checked by the program with a regular expression. According to this, for an existing username ending in ".." together with an scmd parameter, the program runs code that uses the scmd value.
Set up a test environment in a virtual machine (e.g. Debian 6.0; never do this on a production environment by accident!). In the browser, open the IP address of the virtual machine at the following URL: http://<IP>:90/mscpliteadmin/main.cgi?scmd=ps (this test runs the ps command). Enter the authentication information manually ("...." / "." without the quotation marks). If everything went well, you can see the output of the ps command. The built-in user's access does not appear in the web server logs, so it can only be discovered with external logging tools. In previous entries we tested the different versions and made them available, and we do so now as well. The downloads are in their original form with an MD5 hash; version 1.00.3 of this entry is based on the official sources.

MSCP Lite 0.18.2
Appeared on September 1, 2012, based on file dates.
Built-in user name: "...." (without quotes)
Built-in password (without quotes), MD5: 3d949e8b36f991304e7c8cb796afc867
Download: mscplite current.tar.gz

MSCP-Lite 0.19.8
Appeared on October 30, 2012, based on file dates. Line 81 of the installation script deletes the previous system user from the .htpasswd file when updating.
Built-in user name: "...." (without quotes)
Built-in password (without quotes), MD5: F613caddd3c5ed22