Topic: MalZilla


November 04, 2008, 09:12:24 pm
Reply #255

bobby

Hmmm... POST does not seem to be so trivial.
It can also send line breaks.
So, we actually need an edit box, not one-line box for input.
Also, MIME type should be specified at sending POST, and there is a whole bunch of possible MIME types that one may want to send.
A file can also be sent in POST, and that would be another problem because it is not so generic thing like just sending some strings.

So, I'm thinking about having grid interface with 3 columns:
1. type (string or file)
2. name
3. value (just for string type)

If we do not need to POST files, the whole thing will be a lot easier to implement.

November 06, 2008, 08:27:58 pm
Reply #256

bobby

Here is a rudimentary POST implementation (file attached).

It does just the application/x-www-form-urlencoded POST method.

That means, when the POST dialog appears, one needs to enter the POST data in the form:
name1=value1&name2=value2&...

Do not put the question mark at the beginning of the POST data.
URL where the POST will be sent needs to be put in regular URL box.
Please, you need to see the source of the page where a form requesting the data was, so that you can see the link where to POST the data.

Example:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
<title>Untitled</title>
</head>

<body>
<form action="postresult.php" method="post">
<input type="submit" name="send_button" value="send it!">
<input type="text" name="text_value" value="0123456789">
</form>


</body>
</html>
It means that you need to put postresult.php instead of the current address in the URL field before clicking on POST button.
If the page was www.some_site.com/form.php, you need to put there www.some_site.com/postresult.php, and after that click on POST button.
A dialog for POST data will appear (if you leave it blank, it will abort the operation).

November 06, 2008, 10:43:27 pm
Reply #257

JohnC

Is it possible to be able to enter the data in hex or something like that to allow for newline characters in the data? Good work by the way.

November 07, 2008, 04:25:44 am
Reply #258

bobby

You can't send newline with application/x-www-form-urlencoded.

Can you give me an example where you need to send newline, so that I can do some testing?

November 07, 2008, 10:55:45 am
Reply #259

MysteryFCM

You should be able to send a new line using either CrLf or Chr 10? (or /n)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

November 07, 2008, 03:40:49 pm
Reply #260

bobby

In standard URL encoding, one can use %0d%0a to get CrLf, but I still do not believe it can be interpreted by the server.
There are other methods to POST such kind of data, but there is no way in which I can make a universal form/gui for such thing.

I will elaborate more on this later tonight (just got back from the job, and I need to feed the monsters in my stomach :) )

November 08, 2008, 11:58:20 am
Reply #261

bobby

Sorry for being a bit late with the promised explanation.

The first standards for the POST method defined just one type of sending data: application/x-www-form-urlencoded

This way someone can send URL-encoded data. URL encoding means that chars like spaces and similar must be encoded before being sent. Every such character should be replaced by % followed by the ASCII number of the character.

Anyway, with such a method one can't send files. Later revisions of the POST method introduced one more MIME type for POST - multipart/form-data.
This MIME type can be composed from other MIME types, where bound marks are used between the various MIME types sent.
Bound marks are randomly generated, and one bound should be used per POST.
Also the bound should be sent at declaring the MIME type of the POST, so that the server knows what bound mark is used.

Example:

This goes into HTTP headers sent:
MIME type: multipart/form-data, boundary=1234AB_my_unique_boundary

Data is sent like following:
Code:
--1234AB_my_unique_boundary
content-disposition: form-data; name="file"; filename="some_file.zip"
Content-Type: application/octet-stream


**here goes the some_file.zip as binary**
--1234AB_my_unique_boundary
Content-Disposition: form-data; name="some_form_element"


some_form_element's_data
--1234AB_my_unique_boundary--
As you can see, the message is composed of two different MIME types, the first one being a file to submit, and the 2nd one a value for a form's element.
There is a boundary mark between the two.
Message can be composed from even more elements, each being of different MIME type.

So, it is pretty impossible to make a GUI that will generate such messages.
I can eventually make a text-box where someone will type such messages manually (including entering the MIME types and boundary marks).
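
As an added example (not Malzilla's code, nor bobby's), here is a Python builder for both POST encodings discussed in Reply #256 and in this reply: application/x-www-form-urlencoded, showing what a CRLF inside a value becomes on the wire and what a server decodes it back to, and multipart/form-data with a file part and a string part separated by one boundary that is also declared in the Content-Type header. The part tuples mirror the type/name/value grid proposed in Reply #255; the boundary value, field names and file bytes are constructed sample data, and the name/filename check is an addition a builder needs so that a field cannot break out of its own part header.

```python
import secrets
from urllib.parse import parse_qs, urlencode


def build_urlencoded(fields):
    """application/x-www-form-urlencoded: 'name1=value1&name2=value2', with every
    reserved char (space, '!', CR, LF, ...) replaced by %XX; no leading '?'."""
    body = urlencode(fields).encode("ascii")
    return "application/x-www-form-urlencoded", body


def decode_urlencoded(body):
    """What a server sees after decoding: %0D%0A comes back as a real CRLF."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}


def _check_header_value(value):
    # Names and filenames land inside quoted header values; a CR, LF or '"'
    # there would let a field break out of its own header (header injection).
    if any(c in value for c in '"\r\n'):
        raise ValueError(f"illegal character in {value!r}")


def build_multipart(parts, boundary=None):
    """multipart/form-data. parts: ("string", name, text) or
    ("file", name, filename, data_bytes, mime), mirroring a type/name/value grid.
    Returns (Content-Type header value carrying the boundary, body bytes)."""
    if boundary is None:  # one random boundary per POST
        boundary = "MalzillaExample" + secrets.token_hex(12)
    delim = b"--" + boundary.encode("ascii")
    chunks = []
    for part in parts:
        kind, name = part[0], part[1]
        _check_header_value(name)
        if kind == "string":
            headers = f'Content-Disposition: form-data; name="{name}"'
            payload = part[2].encode("utf-8")  # raw text; newlines go through as-is
        elif kind == "file":
            filename, payload, mime = part[2], part[3], part[4]
            _check_header_value(filename)
            headers = (f'Content-Disposition: form-data; name="{name}"; '
                       f'filename="{filename}"\r\nContent-Type: {mime}')
        else:
            raise ValueError(f"unknown part type {kind!r}")
        if delim in payload:  # the boundary must never occur inside a part
            raise ValueError("boundary collides with part data; choose another")
        chunks.append(delim + b"\r\n" + headers.encode("ascii") + b"\r\n\r\n" + payload + b"\r\n")
    body = b"".join(chunks) + delim + b"--\r\n"  # closing delimiter ends with '--'
    return f"multipart/form-data; boundary={boundary}", body
```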

December 19, 2008, 11:48:16 am
Reply #262

Orac

Bobby

FYI I ran an A-Squared scan on my lappy earlier this morning and it picked up "LuckySploit" as high risk malware  ::)
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

May 30, 2009, 09:07:11 pm
Reply #263

JohnC

There is a bug in the Decoder tab. When you highlight text, if you start to type it will overwrite the highlighted text as you would expect, but the highlight remains and more text starts to be overwritten. This bug I can only create after the debug window has been opened.

So open Malzilla, go to decoder tab. Type something incorrect that will allow you to debug it, such as an eval() with the opening parenthesis missing:

eval2321412);

Click debug, close the debug window. Then highlight the number, and start to type, this is what you will see.



-----------------------------


Second bug, again this bug I can only recreate after the debug window has been opened. Type something, like eval(2321412);
Highlight everything using select all. Type something, it will bring up a message box.


May 30, 2009, 09:09:11 pm
Reply #264

MysteryFCM

I've actually been able to reproduce this without having to click debug (the first error you mentioned), resulting in my having to remember to click the mouse before trying to move to the part I want to modify/delete.

Figured it was just my machine with no-one else mentioning it before ....
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 31, 2009, 04:12:53 am
Reply #265

bobby

@JohnC
I know about the first bug. The funny thing is that it does not depend on anything normal.
When I compile Malzilla it can expose this bug or not. It is random. E.g. I compile Malzilla, and the bug occurs, e.g. on Decoder tab. I compile it one more time, there is no bug on Decoder tab, but it occurs on some other tab. It can also happen it does not occur at all.
With such weird behavior, I simply can't find the source of the problem.


About the second bug - this is new to me, but it looks like it is related to the first one.

June 05, 2009, 08:38:29 pm
Reply #266

Cyborg

Bobby, I don't know if this has been brought up before, but just wanted to say that the Copy/Paste functions do not seem to be working.

I tried copy-pasting a code snippet from Malzilla to Notepad using right-click, and it didn't work. The usual Ctrl+C & Ctrl+V seem to work.

By the way, glad to meet you all, some of you might know me... anyways, I'm Cyborg from Malware Removal (MWR).

June 05, 2009, 08:49:26 pm
Reply #267

MysteryFCM

Welcome to MDL :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 08, 2009, 11:13:47 am
Reply #268

Cyborg

Thanks a lot Steven :D

June 08, 2009, 08:55:20 pm
Reply #269

bobby

Hi Cyborg and welcome.

Which version of Malzilla do you use? This looks like a known bug from old versions of Malzilla, but it should have been corrected a long time ago.

Do you use Clipboard Monitor (option from tray icon)?