SlideShare a Scribd company logo
1 of 64
Download to read offline
Arseniy Reutov
Timur Yunusov
Dmitriy Nagibin
Timeline of PHP problems with random numbers


     2008: “mt_srand and not so random numbers” by Stefan
     Esser

     Early 2010: “Abusing weak PRNGs in PHP applications” by
     gat3way

     July 2010: “How I Met Your Girlfriend” by Samy Kamkar

     July 2012: “I Forgot Your Password: Randomness Attacks
     Against PHP” by George Argyros and Aggelos Kiayias

     August 2012: “Random Numbers. Take Two”
PHP Developers: meh, so what?



     Documentation still lacks security warnings
     except for uniqid()

     PHP developers refuse to use external
     crypto providers in GENERATE_SEED

     Seeds in LCG and Mersenne Twister are
     interdependent (if you know one seed you
     will know the other)
PHP Developers: meh, so what?



    Make seeding
    more secure?

    Nope, fix the
    documentation
    instead.*



* didn’t do even this.
What we are going to hack today


       OpenCart 1.5.3.1

       DataLife Engine 9.5

       UMI.CMS 2.8.5.3

       OpenCart 1.5.4.1
Basics (1)


       Apache: mpm-prefork (separate
       processes) or mpm-worker (threads
       within a process)

       PHP: non-thread safe (used with mpm-
       prefork) or thread safe (used with mpm-
       worker)

       Apache+PHP: mod_php (same process on
       keep-alive requests) or CGI/FastCGI
       (different processes on keep-alive
       requests)
Basics (2)


       In a fresh process PHP
       automatically seeds its PRNGs

       Same seed for rand and mt_rand
       (max value 2^32)

       Two different seeds for LCG (max
       value 2^32 each)
OpenCart 1.5.3.1
OpenCart 1.5.3.1


   $code = md5(mt_rand());
   //admin/controller/common/forgotten.
   php

   $this->session->data['token'] =
   md5(mt_rand());
   //admin/controller/common/login.php
OpenCart 1.5.3.1


   Fresh Process Spawning on mpm-prefork Apache

       Initiate a number of keep-alive requests that is >
       MaxSpareServers (10 by default)

       Fill the pool

       Make target request on freshly seeded process
OpenCart 1.5.3.1


       php exploits/opencart/1.5.3.1.php

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_seed.exe” or
       ./tools/php_mt_seed/php_mt_seed <num> on
       obtained random number

       php exploits/opencart/genlinks.php seeds.txt
OpenCart 1.5.3.1
OpenCart 1.5.3.1


       php exploits/opencart/1.5.3.1.php

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_seed.exe” or
       ./tools/php_mt_seed/php_mt_seed <num> on
       obtained random number

       php exploits/opencart/genlinks.php seeds.txt
OpenCart 1.5.3.1


       php exploits/opencart/1.5.3.1.php

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_seed.exe” or
       ./tools/php_mt_seed/php_mt_seed <num> on
       obtained random number

       php exploits/opencart/genlinks.php seeds.txt
OpenCart 1.5.3.1


       php exploits/opencart/1.5.3.1.php

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_seed.exe” or
       ./tools/php_mt_seed/php_mt_seed <num> on
       obtained random number

       php exploits/opencart/genlinks.php seeds.txt
OpenCart 1.5.3.1
OpenCart 1.5.3.1




    GREAT SCOTT! IT WORKED!
DataLife 9.6
DataLife 9.6

   engine/modules/lostpassword.php:
   $salt = "abchefghjkmnpqrstuvwxyz0123456789";
   srand( ( double ) microtime() * 1000000 );
   for($i = 0; $i < 15; $i ++) {
       $rand_lost .= $salt{rand( 0, 33 )};
   }
   $lostid = sha1( md5( $lostname . $lostmail ) . time
   () . $rand_lost )

   engine/modules/pm.php:
   $salt = "abchefghjkmnpqrstuvwxyz";
   $random_key = "";
   for($i = 0; $i < 8; $i ++) {
       $random_key .= $salt{rand( 0, 23 )};
   }
DataLife 9.6


       Log on as test:123456 at http://datalife

       Copy PHPSESSID (View Page Info -> Details ->
       View Cookies)

       Delete cookies, go to
       http://datalife/?do=lostpassword

       Copy PHPSESSID and symbols on captcha

       php exploits/dle/dle.php <PHPSESSID 1>
       <PHPSESSID captcha> <captcha>
DataLife 9.6


       Log on as test:123456 at http://datalife

       Copy PHPSESSID (View Page Info -> Details ->
       View Cookies)

       Delete cookies, go to
       http://datalife/?do=lostpassword

       Copy PHPSESSID and symbols on captcha

       php exploits/dle/dle.php <PHPSESSID 1>
       <PHPSESSID captcha> <captcha>
DataLife 9.6
DataLife 9.6


       Log on as test:123456 at http://datalife

       Copy PHPSESSID (View Page Info -> Details ->
       View Cookies)

       Delete cookies, go to
       http://datalife/?do=lostpassword

       Copy PHPSESSID and symbols on captcha

       php exploits/dle/dle.php <PHPSESSID 1>
       <PHPSESSID captcha> <captcha>
DataLife 9.6


       Log on as test:123456 at http://datalife

       Copy PHPSESSID (View Page Info -> Details ->
       View Cookies)

       Delete cookies, go to
       http://datalife/?do=lostpassword

       Copy PHPSESSID and symbols on captcha

       php exploits/dle/dle.php <PHPSESSID 1>
       <PHPSESSID captcha> <captcha>
DataLife 9.6


       Log on as test:123456 at http://datalife

       Copy PHPSESSID (View Page Info -> Details ->
       View Cookies)

       Delete cookies, go to
       http://datalife/?do=lostpassword

       Copy PHPSESSID and symbols on captcha

       php exploits/dle/dle.php <PHPSESSID 1>
       <PHPSESSID captcha> <captcha>
DataLife 9.6
DataLife 9.6


               GREAT
               SCOTT!
               IT
               WORKED!
UMI.CMS 2.8.5.3
Time Synchronization (ATS)




    Date: T1   T2                     T2-T1=1

Time:               msec=0            msec=0 (!)




msec=0    msec=m1      m2    msec=0     msec=m1    m2


         msec(server) ~ [0;(m2-m1)/2]
UMI.CMS 2.8.5.3


(PHP<5.4) ext/session/session.c:

gettimeofday(&tv, NULL);
...
spprintf(&buf, 0, "%.15s%ld%ld%0.8F",
remote_addr ? remote_addr : "", tv.tv_sec,
(long int)tv.tv_usec,
php_combined_lcg(TSRMLS_C) * 10);
...
return PHP_MD5Update(&md5_context, (unsigned
char *) buf, strlen(buf));
UMI.CMS 2.8.5.3


   PHPSESSID:

   md5(127.0.0.11351346648192088.00206033)

      IP (known)

      timestamp (known)

      microtime0 (need to bruteforce)

      LCG (need to find two seeds)
UMI.CMS 2.8.5.3
   ext/standard/lcg_seed.h:
   static void lcg_seed(TSRMLS_D) {
       struct timeval tv;
       if (gettimeofday(&tv, NULL) == 0) {
           LCG(s1) = tv.tv_sec ^ (tv.tv_usec<<11);
       } else {
           LCG(s1) = 1;
   }
   #ifdef ZTS
       LCG(s2) = (long) tsrm_thread_id();
   #else
       LCG(s2) = (long) getpid();
   #endif
           if (gettimeofday(&tv, NULL) == 0) {
           LCG(s2) ^= (tv.tv_usec<<11);
   }
       LCG(seeded) = 1;
   }
UMI.CMS 2.8.5.3


   LCG seeds:

   S1 = timestamp ^ microtime1 << 11

   S2 = pid ^ microtime2 << 11

      timestamp (known)

      microtime1 (need to bruteforce: microtime1 –
      microtime0 = 1…4)

      pid (need to bruteforce: 1024-32768)

      microtime2 (need to bruteforce: microtime2 -
      microtime1 = 0…3)
UMI.CMS 2.8.5.3


   ext/standard/php_rand.h:

   #ifdef PHP_WIN32

   #define GENERATE_SEED() (((long) (time(0) *
   GetCurrentProcessId())) ^ ((long) (1000000.0 *
   php_combined_lcg(TSRMLS_C))))

   #else

   #define GENERATE_SEED() (((long) (time(0) *
   getpid())) ^ ((long) (1000000.0 *
   php_combined_lcg(TSRMLS_C))))

   #endif
UMI.CMS 2.8.5.3

function getRandomPassword ($length = 12) {
    $avLetters = "$#@^&!1234567890qwertyuiopasd
fghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM";
    $size = strlen($avLetters);
    $npass = "";
    for($i = 0; $i < $length; $i++) {
        $c = rand(0, $size - 1);
        $npass .= $avLetters[$c];
    }
    return $npass;
}
UMI.CMS 2.8.5.3



    Edit exploits/umi/umi.php, add your login

    php exploits/umi/umi.php [offset=0] [delay1=10000-
    100000] [delay2=10000]

    Run phpsessid_cuda with PHPSESSID, timestamp and
    your ip

    php exploits/umi/pass_gen.php <sec> <pid> <s1>
    <s2>
UMI.CMS 2.8.5.3



    Edit exploits/umi/umi.php, add your login

    php exploits/umi/umi.php [offset=0] [delay1=10000-
    100000] [delay2=10000]

    Run phpsessid_cuda with PHPSESSID, timestamp and
    your ip

    php exploits/umi/pass_gen.php <sec> <pid> <s1>
    <s2>
UMI.CMS 2.8.5.3
UMI.CMS 2.8.5.3



    Edit exploits/umi/umi.php, add your login

    php exploits/umi/umi.php [offset=0] [delay1=10000-
    100000] [delay2=10000]

    Run phpsessid_cuda with PHPSESSID, timestamp and
    your ip

    php exploits/umi/pass_gen.php <sec> <pid> <s1>
    <s2>
PHPSESSID Bruteforcer


      1,170 billion seeds/sec on a single Amazon EC2
      GPU Instance

      Supports multiple GPUs

      Covers the whole search space within 7,5 minutes

      Supports distributed computing based on sockets

      So fast that we don’t need microtime
      synchronization with remote server any more
PHPSESSID Bruteforcer
UMI.CMS 2.8.5.3



    Edit exploits/umi/umi.php, add your login

    php exploits/umi/umi.php [offset=0] [delay1=10000-
    100000] [delay2=10000]

    Run phpsessid_cuda with PHPSESSID, timestamp and
    your ip

    php exploits/umi/pass_gen.php <sec> <pid> <s1>
    <s2>
UMI.CMS 2.8.5.3
UMI.CMS 2.8.5.3




            GREAT SCOTT!
             IT WORKED!
PHDAYS.RU OWNED!!!
OpenCart 1.5.4.1
OpenCart 1.5.4.1


   $code = md5(mt_rand());

   $code = sha1(uniqid(mt_rand(), true));

   //admin/controller/common/forgotten.php

   $this->session->data['token'] =
   md5(mt_rand());
   //admin/controller/common/login.php
OpenCart 1.5.4.1


   Sources of entropy:

       mt_rand() : 92496817

       uniqid() : 1351070918 + 616520 (in hex)

       lcg_value() : 7.41222311

   sha1(924968175087b4c6968487.41222311)
OpenCart 1.5.4.1


   ext/standard/php_rand.h:

   #ifdef PHP_WIN32

   #define GENERATE_SEED() (((long) (time(0) *
   GetCurrentProcessId())) ^ ((long) (1000000.0 *
   php_combined_lcg(TSRMLS_C))))

   #else

   #define GENERATE_SEED() (((long) (time(0) *
   getpid())) ^ ((long) (1000000.0 *
   php_combined_lcg(TSRMLS_C))))

   #endif
OpenCart 1.5.4.1


       Send 3 requests in keep-alive (get token, user
       reset, admin reset)

       Find MT seeds (some collisions are present)

       Bruteforce LCG seeds (also collisions) given MT
       seeds

       Bruteforce our sha1 -> find out proper MT seed,
       LCG seed; also microseconds to start from

       Calculate admin mt_rand(), admin LCG

       Bruteforce microseconds given starting point from
       our sha1 (Request Twins approach)
OpenCart 1.5.4.1


       php exploits/opencart/1.5.4.1.php, get hash in
       local mail

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_rand.exe” to get seeds

       At Amazon run “lcg_sha1.exe” with seeds file,
       timestamp and sha1 hash

       Get back to exploit, specify mt_rand, admin LCG
       and microsecs to start from
OpenCart 1.5.4.1


       php exploits/opencart/1.5.4.1.php, get hash in
       local mail

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_rand.exe” to get seeds

       At Amazon run “lcg_sha1.exe” with seeds file,
       timestamp and sha1 hash

       Get back to exploit, specify mt_rand, admin LCG
       and microsecs to start from
OpenCart 1.5.4.1


       php exploits/opencart/1.5.4.1.php, get hash in
       local mail

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_rand.exe” to get seeds

       At Amazon run “lcg_sha1.exe” with seeds file,
       timestamp and sha1 hash

       Get back to exploit, specify mt_rand, admin LCG
       and microsecs to start from
OpenCart 1.5.4.1


       php exploits/opencart/1.5.4.1.php, get hash in
       local mail

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_rand.exe” to get seeds

       At Amazon run “lcg_sha1.exe” with seeds file,
       timestamp and sha1 hash

       Get back to exploit, specify mt_rand, admin LCG
       and microsecs to start from
LCG via mt_rand Seed Bruteforcer


       Allows to find LCG seeds (some collision are
       present) given mt_rand seed

       GPU-based

       16 billion seeds/sec on a single Amazon EC2 GPU
       Instance

       Covers the whole search space within 1 minute
OpenCart 1.5.4.1
OpenCart 1.5.4.1


       1 0.94821643
       2 9.31809351  mt_srand
       3 1.78501767
       4 5.16258654
       5 7.25796790  User LCG
       6 1.86345598
       7 3.57376950
       8 4.59748062  Admin LCG
       9 1.85684612
       10 2.74482567
OpenCart 1.5.4.1
OpenCart 1.5.4.1
OpenCart 1.5.4.1


       php exploits/opencart/1.5.4.1.php, get hash in
       local mail

       php exploits/opencart/md5crack.php <md5> or
       ./tools/hashcat/hashcat <md5> on obtained
       token

       At Amazon run “mt_rand.exe” to get seeds

       At Amazon run “lcg_sha1.exe” with seeds file,
       timestamp and sha1 hash

       Get back to exploit, specify mt_rand, admin LCG
       and microsecs to start from
OpenCart 1.5.4.1


       Wait a moment…
OpenCart 1.5.4.1 (4)



                       GREAT
                       SCOTT!
                       IT
                       WORKED!
Thanks!

Arseniy Reutov
Timur Yunusov
Dmitriy Nagibin

More Related Content

What's hot

Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
MongoDB Performance Debugging
MongoDB Performance DebuggingMongoDB Performance Debugging
MongoDB Performance DebuggingMongoDB
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Martin Vigo
 
How to get rid of terraform plan diffs
How to get rid of terraform plan diffsHow to get rid of terraform plan diffs
How to get rid of terraform plan diffsYukiya Hayashi
 
Blockchain: Developer Perspective
Blockchain: Developer PerspectiveBlockchain: Developer Perspective
Blockchain: Developer PerspectiveArtur Skowroński
 
Cryptography In Silverlight
Cryptography In SilverlightCryptography In Silverlight
Cryptography In SilverlightBarry Dorrans
 
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018Semihalf
 
Mysql5.1 character set testing
Mysql5.1 character set testingMysql5.1 character set testing
Mysql5.1 character set testingPhilip Zhong
 
Mysql handle socket
Mysql handle socketMysql handle socket
Mysql handle socketPhilip Zhong
 
Blockchain: Developer's Perspective (Java Edition)
Blockchain: Developer's Perspective (Java Edition)Blockchain: Developer's Perspective (Java Edition)
Blockchain: Developer's Perspective (Java Edition)Artur Skowroński
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsTimur Shemsedinov
 
Compare mysql5.1.50 mysql5.5.8
Compare mysql5.1.50 mysql5.5.8Compare mysql5.1.50 mysql5.5.8
Compare mysql5.1.50 mysql5.5.8Philip Zhong
 
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJSFestUA
 
Inventory program in mca p1
Inventory program in mca p1Inventory program in mca p1
Inventory program in mca p1rameshvvv
 
資工也該懂些資安吧
資工也該懂些資安吧資工也該懂些資安吧
資工也該懂些資安吧明旋 簡
 
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...Dace Barone
 
Mythbusting: Understanding How We Measure the Performance of MongoDB
Mythbusting: Understanding How We Measure the Performance of MongoDBMythbusting: Understanding How We Measure the Performance of MongoDB
Mythbusting: Understanding How We Measure the Performance of MongoDBMongoDB
 
How does cryptography work? by Jeroen Ooms
How does cryptography work?  by Jeroen OomsHow does cryptography work?  by Jeroen Ooms
How does cryptography work? by Jeroen OomsAjay Ohri
 
CUDA Deep Dive
CUDA Deep DiveCUDA Deep Dive
CUDA Deep Divekrasul
 

What's hot (20)

Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
MongoDB Performance Debugging
MongoDB Performance DebuggingMongoDB Performance Debugging
MongoDB Performance Debugging
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
How to get rid of terraform plan diffs
How to get rid of terraform plan diffsHow to get rid of terraform plan diffs
How to get rid of terraform plan diffs
 
Blockchain: Developer Perspective
Blockchain: Developer PerspectiveBlockchain: Developer Perspective
Blockchain: Developer Perspective
 
Geth important commands
Geth important commandsGeth important commands
Geth important commands
 
Cryptography In Silverlight
Cryptography In SilverlightCryptography In Silverlight
Cryptography In Silverlight
 
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018
Oczyszczacz powietrza i stos sieciowy? Czas na test! Semihalf Barcamp 13/06/2018
 
Mysql5.1 character set testing
Mysql5.1 character set testingMysql5.1 character set testing
Mysql5.1 character set testing
 
Mysql handle socket
Mysql handle socketMysql handle socket
Mysql handle socket
 
Blockchain: Developer's Perspective (Java Edition)
Blockchain: Developer's Perspective (Java Edition)Blockchain: Developer's Perspective (Java Edition)
Blockchain: Developer's Perspective (Java Edition)
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
 
Compare mysql5.1.50 mysql5.5.8
Compare mysql5.1.50 mysql5.5.8Compare mysql5.1.50 mysql5.5.8
Compare mysql5.1.50 mysql5.5.8
 
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.js
 
Inventory program in mca p1
Inventory program in mca p1Inventory program in mca p1
Inventory program in mca p1
 
資工也該懂些資安吧
資工也該懂些資安吧資工也該懂些資安吧
資工也該懂些資安吧
 
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
 
Mythbusting: Understanding How We Measure the Performance of MongoDB
Mythbusting: Understanding How We Measure the Performance of MongoDBMythbusting: Understanding How We Measure the Performance of MongoDB
Mythbusting: Understanding How We Measure the Performance of MongoDB
 
How does cryptography work? by Jeroen Ooms
How does cryptography work?  by Jeroen OomsHow does cryptography work?  by Jeroen Ooms
How does cryptography work? by Jeroen Ooms
 
CUDA Deep Dive
CUDA Deep DiveCUDA Deep Dive
CUDA Deep Dive
 

Similar to Reutov, yunusov, nagibin random numbers take ii

Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & ToolsIan Barber
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebMikel Torres Ugarte
 
The why and how of moving to PHP 5.4/5.5
The why and how of moving to PHP 5.4/5.5The why and how of moving to PHP 5.4/5.5
The why and how of moving to PHP 5.4/5.5Wim Godden
 
node.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Servernode.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the ServerDavid Ruiz
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionIan Barber
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachineNick Galbreath
 
php & performance
 php & performance php & performance
php & performancesimon8410
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6Wim Godden
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: BackendVõ Duy Tuấn
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance毅 吕
 
PHP Sessions and Non-Sessions
PHP Sessions and Non-SessionsPHP Sessions and Non-Sessions
PHP Sessions and Non-SessionsSven Rautenberg
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Building Real-Time Applications with Android and WebSockets
Building Real-Time Applications with Android and WebSocketsBuilding Real-Time Applications with Android and WebSockets
Building Real-Time Applications with Android and WebSocketsSergi Almar i Graupera
 
The why and how of moving to php 5.4/5.5
The why and how of moving to php 5.4/5.5The why and how of moving to php 5.4/5.5
The why and how of moving to php 5.4/5.5Wim Godden
 
Xdebug - Derick Rethans - Barcelona PHP Conference 2008
Xdebug - Derick Rethans - Barcelona PHP Conference 2008Xdebug - Derick Rethans - Barcelona PHP Conference 2008
Xdebug - Derick Rethans - Barcelona PHP Conference 2008phpbarcelona
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch
 

Similar to Reutov, yunusov, nagibin random numbers take ii (20)

Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 
Charla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo WebCharla EHU Noviembre 2014 - Desarrollo Web
Charla EHU Noviembre 2014 - Desarrollo Web
 
The why and how of moving to PHP 5.4/5.5
The why and how of moving to PHP 5.4/5.5The why and how of moving to PHP 5.4/5.5
The why and how of moving to PHP 5.4/5.5
 
node.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Servernode.js - Eventful JavaScript on the Server
node.js - Eventful JavaScript on the Server
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
php & performance
 php & performance php & performance
php & performance
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: Backend
 
Osol Pgsql
Osol PgsqlOsol Pgsql
Osol Pgsql
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
PHP Sessions and Non-Sessions
PHP Sessions and Non-SessionsPHP Sessions and Non-Sessions
PHP Sessions and Non-Sessions
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
My name is Trinidad
My name is TrinidadMy name is Trinidad
My name is Trinidad
 
Building Real-Time Applications with Android and WebSockets
Building Real-Time Applications with Android and WebSocketsBuilding Real-Time Applications with Android and WebSockets
Building Real-Time Applications with Android and WebSockets
 
The why and how of moving to php 5.4/5.5
The why and how of moving to php 5.4/5.5The why and how of moving to php 5.4/5.5
The why and how of moving to php 5.4/5.5
 
Xdebug - Derick Rethans - Barcelona PHP Conference 2008
Xdebug - Derick Rethans - Barcelona PHP Conference 2008Xdebug - Derick Rethans - Barcelona PHP Conference 2008
Xdebug - Derick Rethans - Barcelona PHP Conference 2008
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 

More from DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков -  Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static  - defcon russia 20static  - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task  - defcon russia 20Zn task  - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing  - defcon russia 20Vm ware fuzzing  - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Reutov, yunusov, nagibin random numbers take ii

  • 2. Timeline of PHP problems with random numbers 2008: “mt_srand and not so random numbers” by Stefan Esser Early 2010: “Abusing weak PRNGs in PHP applications” by gat3way July 2010: “How I Met Your Girlfriend” by Samy Kamkar July 2012: “I Forgot Your Password: Randomness Attacks Against PHP” by George Argyros and Aggelos Kiayias August 2012: “Random Numbers. Take Two”
  • 3. PHP Developers: meh, so what? Documentation still lacks security warnings except for uniqid() PHP developers refuse to use external crypto providers in GENERATE_SEED Seeds in LCG and Mersenne Twister are interdependent (if you know one seed you will know the other)
  • 4. PHP Developers: meh, so what? Make seeding more secure? Nope, fix the documentation instead.* * didn’t do even this.
  • 5. What we are going to hack today OpenCart 1.5.3.1 DataLife Engine 9.5 UMI.CMS 2.8.5.3 OpenCart 1.5.4.1
  • 6. Basics (1) Apache: mpm-prefork (separate processes) or mpm-worker (threads within a process) PHP: non-thread safe (used with mpm- prefork) or thread safe (used with mpm- worker) Apache+PHP: mod_php (same process on keep-alive requests) or CGI/FastCGI (different processes on keep-alive requests)
  • 7. Basics (2) In a fresh process PHP automatically seeds its PRNGs Same seed for rand and mt_rand (max value 2^32) Two different seeds for LCG (max value 2^32 each)
  • 9. OpenCart 1.5.3.1 $code = md5(mt_rand()); //admin/controller/common/forgotten. php $this->session->data['token'] = md5(mt_rand()); //admin/controller/common/login.php
  • 10. OpenCart 1.5.3.1 Fresh Process Spawning on mpm-prefork Apache Initiate a number of keep-alive requests that is > MaxSpareServers (10 by default) Fill the pool Make target request on freshly seeded process
  • 11. OpenCart 1.5.3.1 php exploits/opencart/1.5.3.1.php php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_seed.exe” or ./tools/php_mt_seed/php_mt_seed <num> on obtained random number php exploits/opencart/genlinks.php seeds.txt
  • 13. OpenCart 1.5.3.1 php exploits/opencart/1.5.3.1.php php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_seed.exe” or ./tools/php_mt_seed/php_mt_seed <num> on obtained random number php exploits/opencart/genlinks.php seeds.txt
  • 14. OpenCart 1.5.3.1 php exploits/opencart/1.5.3.1.php php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_seed.exe” or ./tools/php_mt_seed/php_mt_seed <num> on obtained random number php exploits/opencart/genlinks.php seeds.txt
  • 15. OpenCart 1.5.3.1 php exploits/opencart/1.5.3.1.php php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_seed.exe” or ./tools/php_mt_seed/php_mt_seed <num> on obtained random number php exploits/opencart/genlinks.php seeds.txt
  • 17. OpenCart 1.5.3.1 GREAT SCOTT! IT WORKED!
  • 19. DataLife 9.6 engine/modules/lostpassword.php: $salt = "abchefghjkmnpqrstuvwxyz0123456789"; srand( ( double ) microtime() * 1000000 ); for($i = 0; $i < 15; $i ++) { $rand_lost .= $salt{rand( 0, 33 )}; } $lostid = sha1( md5( $lostname . $lostmail ) . time () . $rand_lost ) engine/modules/pm.php: $salt = "abchefghjkmnpqrstuvwxyz"; $random_key = ""; for($i = 0; $i < 8; $i ++) { $random_key .= $salt{rand( 0, 23 )}; }
  • 20. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>
  • 21. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>
  • 23. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>
  • 24. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>
  • 25. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>
  • 27. DataLife 9.6 GREAT SCOTT! IT WORKED!
  • 29. Time Synchronization (ATS) Date: T1 T2 T2-T1=1 Time: msec=0 msec=0 (!) msec=0 msec=m1 m2 msec=0 msec=m1 m2 msec(server) ~ [0;(m2-m1)/2]
  • 30. UMI.CMS 2.8.5.3 (PHP<5.4) ext/session/session.c: gettimeofday(&tv, NULL); ... spprintf(&buf, 0, "%.15s%ld%ld%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10); ... return PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf));
  • 31. UMI.CMS 2.8.5.3 PHPSESSID: md5(127.0.0.11351346648192088.00206033) IP (known) timestamp (known) microtime0 (need to bruteforce) LCG (need to find two seeds)
  • 32. UMI.CMS 2.8.5.3 ext/standard/lcg_seed.h: static void lcg_seed(TSRMLS_D) { struct timeval tv; if (gettimeofday(&tv, NULL) == 0) { LCG(s1) = tv.tv_sec ^ (tv.tv_usec<<11); } else { LCG(s1) = 1; } #ifdef ZTS LCG(s2) = (long) tsrm_thread_id(); #else LCG(s2) = (long) getpid(); #endif if (gettimeofday(&tv, NULL) == 0) { LCG(s2) ^= (tv.tv_usec<<11); } LCG(seeded) = 1; }
  • 33. UMI.CMS 2.8.5.3 LCG seeds: S1 = timestamp ^ microtime1 << 11 S2 = pid ^ microtime2 << 11 timestamp (known) microtime1 (need to bruteforce: microtime1 – microtime0 = 1…4) pid (need to bruteforce: 1024-32768) microtime2 (need to bruteforce: microtime2 - microtime1 = 0…3)
  • 34. UMI.CMS 2.8.5.3 ext/standard/php_rand.h: #ifdef PHP_WIN32 #define GENERATE_SEED() (((long) (time(0) * GetCurrentProcessId())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #else #define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #endif
  • 35. UMI.CMS 2.8.5.3 function getRandomPassword ($length = 12) { $avLetters = "$#@^&!1234567890qwertyuiopasd fghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"; $size = strlen($avLetters); $npass = ""; for($i = 0; $i < $length; $i++) { $c = rand(0, $size - 1); $npass .= $avLetters[$c]; } return $npass; }
  • 36. UMI.CMS 2.8.5.3 Edit exploits/umi/umi.php, add your login php exploits/umi/umi.php [offset=0] [delay1=10000- 100000] [delay2=10000] Run phpsessid_cuda with PHPSESSID, timestamp and your ip php exploits/umi/pass_gen.php <sec> <pid> <s1> <s2>
  • 37. UMI.CMS 2.8.5.3 Edit exploits/umi/umi.php, add your login php exploits/umi/umi.php [offset=0] [delay1=10000- 100000] [delay2=10000] Run phpsessid_cuda with PHPSESSID, timestamp and your ip php exploits/umi/pass_gen.php <sec> <pid> <s1> <s2>
  • 39. UMI.CMS 2.8.5.3 Edit exploits/umi/umi.php, add your login php exploits/umi/umi.php [offset=0] [delay1=10000- 100000] [delay2=10000] Run phpsessid_cuda with PHPSESSID, timestamp and your ip php exploits/umi/pass_gen.php <sec> <pid> <s1> <s2>
  • 40. PHPSESSID Bruteforcer 1,170 billion seeds/sec on a single Amazon EC2 GPU Instance Supports multiple GPUs Covers the whole search space within 7,5 minutes Supports distributed computing based on sockets So fast that we don’t need microtime synchronization with remote server any more
  • 42. UMI.CMS 2.8.5.3 Edit exploits/umi/umi.php, add your login php exploits/umi/umi.php [offset=0] [delay1=10000- 100000] [delay2=10000] Run phpsessid_cuda with PHPSESSID, timestamp and your ip php exploits/umi/pass_gen.php <sec> <pid> <s1> <s2>
  • 44. UMI.CMS 2.8.5.3 GREAT SCOTT! IT WORKED!
  • 47. OpenCart 1.5.4.1 $code = md5(mt_rand()); $code = sha1(uniqid(mt_rand(), true)); //admin/controller/common/forgotten.php $this->session->data['token'] = md5(mt_rand()); //admin/controller/common/login.php
  • 48. OpenCart 1.5.4.1 Sources of entropy: mt_rand() : 92496817 uniqid() : 1351070918 + 616520 (in hex) lcg_value() : 7.41222311 sha1(924968175087b4c6968487.41222311)
  • 49. OpenCart 1.5.4.1 ext/standard/php_rand.h: #ifdef PHP_WIN32 #define GENERATE_SEED() (((long) (time(0) * GetCurrentProcessId())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #else #define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #endif
  • 50. OpenCart 1.5.4.1 Send 3 requests in keep-alive (get token, user reset, admin reset) Find MT seeds (some collisions are present) Bruteforce LCG seeds (also collisions) given MT seeds Bruteforce our sha1 -> find out proper MT seed, LCG seed; also microseconds to start from Calculate admin mt_rand(), admin LCG Bruteforce microseconds given starting point from our sha1 (Request Twins approach)
  • 51. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from
  • 52.
  • 53. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from
  • 54. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from
  • 55. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from
  • 56. LCG via mt_rand Seed Bruteforcer Allows to find LCG seeds (some collision are present) given mt_rand seed GPU-based 16 billion seeds/sec on a single Amazon EC2 GPU Instance Covers the whole search space within 1 minute
  • 58. OpenCart 1.5.4.1 1 0.94821643 2 9.31809351  mt_srand 3 1.78501767 4 5.16258654 5 7.25796790  User LCG 6 1.86345598 7 3.57376950 8 4.59748062  Admin LCG 9 1.85684612 10 2.74482567
  • 61. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from
  • 62. OpenCart 1.5.4.1 Wait a moment…
  • 63. OpenCart 1.5.4.1 (4) GREAT SCOTT! IT WORKED!