ImageMagick Metasploit via Bitmessage?

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 6 22:38 [raw]

I found three ImageMagick files in the /src directory of a running PyBitmessage. They are screen shots of the local interface. Is it possible that a programmer is exploiting holes in a module? What if the view image feature is being used to gain screen access? The headers of the files look like this:

%!PS-Adobe-3.0
%%Creator: (ImageMagick)
%%Title: (imghdr)

%!PS-Adobe-3.0
%%Creator: (ImageMagick)
%%Title: (json)

%!PS-Adobe-3.0
%%Creator: (ImageMagick)
%%Title: (ntpath)

Someone once posted there is a form of onion routing built into PyBitmessage. How likely is it that this routing feature is being used to siphon off files and screenshots from computers running PyBitmessage?

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 04:01 [raw]

The qidenticon renderer and the qrencode functions may have something to do with this. QT has screen access and is able to manipulate images. A specially formatted object may instruct PyBitmessage to take screenshots.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 04:01 [raw]

It may be a feature rather than a bug. The silence on the issue suggests as much.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 04:49 [raw]

Check the image file timestamps against the timestamps of received and sent messages, also cross-ref with your debug log. If the files are indeed related to Bitmessage activity, you should find a correlation.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 04:53 [raw]

Maybe the culprits are focusing their attention on a cover story.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 05:20 [raw]

Interesting ... 'imghdr', 'json', and 'ntpath' are modules in the python library.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 05:38 [raw]

What is the modification date of the files and what version were you running at that time?

Peter Surda
Bitmessage core developer

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 20:25 [raw]

That is not necessarily true. A decent exploit would alter that data on egress to cover the attacker's tracks and misdirect any investigation.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 8 20:36 [raw]

I can't provide the branch and commit number because this src/ directory was copied prior to the last pull.

$ grep softwareVersion version.py
softwareVersion = '0.6.3.2'

$ stat imghdr | grep -v Device | grep -v Size | grep -v Uid
  File: imghdr
Access: 2018-07-09 10:20:10.773465228 -0500
Modify: 2018-06-30 01:04:53.126065000 -0500
Change: 2018-07-01 00:01:04.434670106 -0500
 Birth: -

$ stat json | grep -v Device | grep -v Size | grep -v Uid
  File: json
Access: 2018-07-09 10:23:29.150542869 -0500
Modify: 2018-06-30 01:04:53.254061000 -0500
Change: 2018-07-01 00:01:04.482668615 -0500
 Birth: -

$ stat ntpath | grep -v Device | grep -v Size | grep -v Uid
  File: ntpath
Access: 2018-07-09 10:24:58.954733706 -0500
Modify: 2018-06-30 01:05:18.225243000 -0500
Change: 2018-07-01 00:01:29.485891782 -0500
 Birth: -

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 18 20:09 [raw]

Never heard about python screenshots. But it's possible that somebody just tried to run py-files by shell. Then a string like "import json" can be interpreted as a call to ImageMagick's import utility:

$ man import
import(1)                    General Commands Manual                    import(1)

NAME
       import - saves any visible window on an X server and outputs it as an
       image file. You can capture a single window, the entire screen, or any
       rectangular portion of the screen. The window to capture is selected by
       clicking the desired window or a program option.

SYNOPSIS
       import [options] output-file

OVERVIEW
       The import program is a member of the ImageMagick(1) suite of tools.
       Use it to capture some or all of an X server screen and save the image
       to a file.

$ import json
$ head -n3 json
%!PS-Adobe-3.0
%%Creator: (ImageMagick)
%%Title: (json)

BM-2cXzFmWXqFFsrn2qcY8wUaM4tcBYterW3x
Jul 18 20:10 [raw]

when python crashes it usually creates a screen shot regular py behaviour, u probably clicked some shit and it crashed

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 18 20:10 [raw]

just crash a py src and youll have a screenshot dude

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 18 20:10 [raw]

oh ure right! cool. "import ~/import_screenie" will show the crosshair to choose a win to shoot. so, when u click a src.py where import is the first line, it may be run as a bash script if associated improperly and create those screenshots. I always thought it was a py function. glad u cleared this up

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 22 14:00 [raw]

Access to imagemagick library is in the PyBitmessage source code.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Jul 22 14:10 [raw]

usually "import AAA" gets run as a bash instruction, not as a python instruction, which confuses people since import is one of those shitty programs which has next to no UI
