7 posts tagged 'script'

2014.09.19 15:50

Bash Script: How read file line by line (best and worst way)

Input: $ cat sample.txt 
This is sample file
This is normal text file

Source: $ cat readfile.sh
#!/bin/bash

i=1;
FILE=sample.txt

# Wrong way to read the file.
# The pipe runs the while loop in a subshell, so the increments of 'i' are
# lost: check the value of 'i' after the loop.
echo "###############################"
cat $FILE | while read line; do
        echo "Line # $i: $line"
        ((i++))
done
echo "Total number of lines in file: $i"

# The worst way to read the file: $(cat ...) is split on whitespace, so the
# loop sees words, not lines (and the unquoted $fileline is glob-expanded too).
echo "###############################"
for fileline in $(cat $FILE);do
        echo $fileline
done

# This is the correct way to read the file: redirect it into the loop, which
# then runs in the current shell. IFS= keeps leading blanks, -r keeps backslashes.

echo "################################"
k=1
while IFS= read -r line;do
        echo "Line # $k: $line"
        ((k++))
done < "$FILE"
# k started at 1, so this prints one more than the number of lines read.
echo "Total number of lines in file: $k"

Output: $ ./readfile.sh 
###############################
Line # 1: This is sample file
Line # 2: This is normal text file
Total number of lines in file: 1
###############################
This
is
sample
file
This
is
normal
text
file
################################
Line # 1: This is sample file
Line # 2: This is normal text file
Total number of lines in file: 3  
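As an added example (not from the original post), the same three loop styles wrapped in functions that return the count, with a constructed sample file plus a second constructed file whose last line has no trailing newline, an edge case the plain `while read` loop silently drops:

```shell
#!/bin/bash
# Added example: measures the three loop styles on constructed input so the
# difference shows up as a value, not only as printed text.

# Constructed input: the same two lines as the post's sample.txt.
SAMPLE="$(mktemp)"
printf 'This is sample file\nThis is normal text file\n' > "$SAMPLE"
# Constructed edge case: the last line has no trailing newline.
SAMPLE_NO_NL="$(mktemp)"
printf 'first line\nlast line without newline' > "$SAMPLE_NO_NL"
trap 'rm -f "$SAMPLE" "$SAMPLE_NO_NL"' EXIT

# Wrong way: the pipe runs the while loop in a subshell, so the counter
# incremented inside it is thrown away when the loop ends.
count_piped() {
    n=0
    cat "$1" | while IFS= read -r line; do n=$((n + 1)); done
    echo "$n"
}

# Worst way: $(cat ...) is word-split on whitespace (and glob-expanded),
# so the loop body sees words, never whole lines.
count_for_cat() {
    n=0
    for word in $(cat "$1"); do n=$((n + 1)); done
    echo "$n"
}

# Correct way: redirect the file into the loop, which then runs in the
# current shell. IFS= keeps leading/trailing blanks, -r keeps backslashes,
# and the || [ -n "$line" ] guard keeps a final line that lacks a newline.
count_lines() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do n=$((n + 1)); done < "$1"
    echo "$n"
}

echo "piped:   $(count_piped "$SAMPLE")"             # 0: counter lost in the subshell
echo "for-cat: $(count_for_cat "$SAMPLE")"           # 9: words, not lines
echo "correct: $(count_lines "$SAMPLE")"             # 2
echo "no-newline file: $(count_lines "$SAMPLE_NO_NL")"  # 2
```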




Source: linuxpoison.blogspot.kr


2014.04.08 18:31

JJEncode Script Leads to Drive-By

The use of JJEncode in a drive-by download has been around for a couple of years but has been popping up a lot recently. A couple of readers have asked how to deobfuscate this so here’s a walkthrough with a live script.

Here’s an automobile forum that’s been compromised:

Viewing the source code, this link kicks off the infection:

Then from alnera.eu, you end up getting this strange looking Javascript:

What is this? It’s output from JJEncode, a cool script made by Yosuke Hasegawa. It uses only symbols to generate valid Javascript code which, in this case, leads to the compromise of your PC.

[screenshot: 2013-07-04_04]

There’s a few ways to deobfuscate this script. I’ll show you two ways. Here’s the slow way but this is how you can understand a little of what’s happening.

First make sure you have “<!DOCTYPE>” at the beginning, since this only works with HTML 4.0 and above (with IE, anyway). If you’re going to use Firefox or another browser then you don’t have to do this. Now search for semicolons and insert a line break after each one. Look carefully for semicolons inside quotes, as those must be left alone. What you will likely end up with will look something like this (the bottom portion won’t have any semicolons to split on).

[screenshot: 2013-07-04_05]
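The semicolon-splitting step above can be automated. This is an added example, not from the original post: an awk filter that breaks a one-line blob into one statement per line, splitting on ';' only when it is outside a string literal, run over a constructed JJEncode-style fragment (not real JJEncode output).

```shell
#!/bin/bash
# Added example: quote-aware statement splitter for one-line obfuscated JS.
split_statements() {
    awk '{
        out = ""; inq = 0; esc = 0; q = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (inq) {
                # inside a string: honour backslash escapes, close on the matching quote
                if (esc) esc = 0
                else if (c == "\\") esc = 1
                else if (c == q) inq = 0
            } else if (c == "\"" || c == "\047") {
                inq = 1; q = c        # \047 is a single quote
            } else if (c == ";") {
                c = ";\n"             # statement boundary: break the line here
            }
            out = out c
        }
        sub(/\n$/, "", out)           # no blank line after a trailing ";"
        print out
    }'
}

# Number of statements found, as a sanity check on the result.
count_statements() {
    split_statements | wc -l | tr -d ' '
}

# Constructed fragment in the JJEncode style: note the ";" characters inside
# the two string literals, which must survive untouched.
SAMPLE='_=~[];_={___:++_,$$$$:(![]+"")[_]};_.$_="a;b"+"\";\\";_.$(_.$$)();'

printf '%s\n' "$SAMPLE" | split_statements
```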

Since I’m working on a malicious script, I want to do this carefully, so I’m commenting out everything below the line I’m working on. There’s an equal sign near the beginning of each line. This indicates that the characters before it are a variable and the characters after it are its value. So all I’m doing is “alerting” on the variable so I can see what each line does. Here’s the first one:

[screenshot: 2013-07-04_06]

Here is the result:

[screenshot: 2013-07-04_07]

And the second. Notice that I left the first line uncommented. The reason is that it defines the variable “_” so if I comment the first line, nothing will happen on subsequent lines.

[screenshot: 2013-07-04_08]

Keep going until you reach the line just before the large block of symbols:

[screenshot: 2013-07-04_09]

The result tells us that this is a function call, and if you look closely at the end of the script, you’ll realize that the major portion of the script is a self-executing function.

[screenshot: 2013-07-04_10]

So we can just replace “_.$(” with “alert(”:

[screenshot: 2013-07-04_11]

And we can see the result:

[screenshot: 2013-07-04_12]

If you want to see what the original code looks like, we can make a change to the very end of the line. From this:

[screenshot: 2013-07-04_13]

To this:

[screenshot: 2013-07-04_14]

And then we get this result:

[screenshot: 2013-07-04_15]

Here’s the second way you can deobfuscate this script. It’s fast and easy but may not work 100% of the time. Just add this to the top like so:

[screenshot: 2013-07-04_16]

And the final result appears:

[screenshot: 2013-07-04_17]

Let’s take a look now at the malicious script and applet. The values of the parameters are base64-encoded. The top URL refers to the payload file. The bottom part loads a single Java applet from another URL and a parameter contains a link to the same payload but with a slightly different URL.

[screenshot: 2013-07-04_18]

This is a new exploit pack that the industry named “DotCacheF” but it looks like they changed the URL format.

The Java applet is not heavily obfuscated but has a low detection rate. Here’s an excerpt of the code that exploits CVE-2013-2423.

[screenshot: 2013-07-04_19]

The payload appears to be ZeroAccess.


Source: www.kahusecurity.com



Comments (1)
  1. 날으는물고기 2014.04.08 18:31

    http://utf-8.jp/public/jjencode.html
    https://hackvertor.co.uk/hvurl/2p

2013.08.05 15:50

Conficker detection (scanning) with NMAP

■ Install

1. Download / package install (source install not recommended: http://nmap.org/download.html)

wget  http://nmap.org/dist/nmap-5.00-1.i386.rpm
rpm -vhU nmap-5.00-1.i386.rpm



2. Using nmap (Conficker-related options)

nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 10.1.1.10

* Replace 10.1.1.10 at the end with the IP of the Windows host you want to target.


■ Usage examples

1-1. Not infected with Conficker - quick mode (output just piped through grep)

[root@localhost /]#  nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns 10.1.1.10  | grep Conficker

|  Conficker: Likely CLEAN



1-2. Not infected with Conficker - full mode

[root@localhost /]#  nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns 10.1.1.10  

.................
Host script results:
|  smb-check-vulns:  
|  MS08-067: FIXED
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)



2-1. Infected with Conficker - quick mode (output just piped through grep)

[root@localhost /]#  nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns 10.1.1.10  | grep Conficker

|  Conficker: Likely INFECTED



2-2. Infected with Conficker - full mode

[root@localhost /]#  nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns 10.1.1.10

.................
Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
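As an added example (not from the original post), a wrapper that runs the post's nmap command against several hosts and reduces the smb-check-vulns output to one "host status" line per host. The parser is exercised on a constructed sample of nmap output (not a real scan); it assumes the per-host header "Nmap scan report for <host>" of current nmap releases, whereas the Nmap 5.00 output shown above is truncated before its header.

```shell
#!/bin/bash
# Added example: summarise smb-check-vulns Conficker results per host.

# Parse nmap normal output on stdin and print "<host> <Conficker status>".
conficker_summary() {
    awk '
        function flush() { if (host != "") print host, status }
        /^Nmap scan report for / { flush(); host = $5; status = "NOT CHECKED"; next }
        /^[|] *Conficker: /       { sub(/^[|] *Conficker: */, ""); status = $0 }
        END                       { flush() }
    '
}

# Only the hosts the script flagged as infected.
infected_hosts() {
    conficker_summary | awk '/INFECTED/ { print $1 }'
}

# Scan the given IPs with the options from the post; safe=1 keeps the
# regsvc DoS check disabled (nmap marks it unsafe). Requires nmap on PATH.
scan_hosts() {
    nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery \
         --script-args safe=1 "$@" | conficker_summary
}

# Constructed sample of nmap output for three hosts (not from a real scan).
SAMPLE_OUTPUT='Nmap scan report for 10.1.1.10
Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED
Nmap scan report for 10.1.1.11
Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|  Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE
Nmap scan report for 10.1.1.12
Host is up (0.0010s latency).
Nmap done: 3 IP addresses (3 hosts up) scanned'

printf '%s\n' "$SAMPLE_OUTPUT" | conficker_summary
```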



■ Reference
NMAP : http://nmap.org
NMAP scripts : http://nmap.org/nsedoc/index.html



Source: dec9.tistory.com


