Nytro

Iran's Real Life Cyberwar Description: Abstract The recent Stuxnet, Flame and CA compromises involving Comodo and DigiNotar had three common elements, each was government sponsored, each involved Iran and all three involved a PKI compromise. The presenter will share experience of dealing with the Iranian attack, highlighting the ways in which government sponsored attacks are very different from both 'ordinary' criminal attacks and the Hollywood view of 'cyberwarfare'. ***** Speaker: Phillip Hallam-Baker, Vice President and Principal Scientist, Comodo Inc. Dr Hallam-Baker is an internationally recognized computer security specialist credited with 'significant contributions' to the design of HTTP 1.0, the core protocol of the World Wide Web. His book 'dotCrime Manifesto: How to Stop Internet Crime' sets out the first technical blueprint for how to make the Web and the Internet a less crime permissive environment by introducing accountability controls for transactions that require them. Hallam-Baker has made significant contributions to core Internet security protocols, including XKMS, SAML, WS-Security, WS-Trust and KEYPROV. He has participated in standards groups in IETF, W3C and OASIS and played a key role in establishing the concept of Extended Validation certificates as an Industry standard. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Iran's Real Life Cyberwar - Phillip Hallam-Baker on Vimeo Sursa: Iran's Real Life Cyberwar

Sql Server Exploitation, Escalation And Pilfering Description: Abstract During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks. ***** Speakers Antti Rantasaari, Security Consultant, NetSPI Antti Rantasaari is currently a security consultant at NetSPI. He is responsible for performing security assessments and contributing to the development of the methodologies, techniques, and tools used during network and application penetration testing. Scott Sutherland, NetSPI Scott Sutherland is a Principal Security Consultant at NetSPI. Scott is responsible for the development and execution of penetration testing for the firm. He has developed a number of the proprietary tools and techniques that the company uses and also plays a major role in the skills development and training of the NetSPI network and application penetration testing team. Scott is an active participant in the information security community, regularly contributing technical security blog posts, whitepapers, and presenting at a wide variety of conferences. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: SQL Server Exploitation, Escalation and Pilfering - Antti Rantasaari and Scott Sutherland on Vimeo Sursa: Sql Server Exploitation, Escalation And Pilfering

Wireless Exploitation Using Metasploit Framework Description: In this video I will show you how to use Metasploit Auxiliary dos modules for wireless exploitations. Modules are not much effective but some modules are very effective like fuzzing became frame, flooding etc.. I will cover more auxiliary modules in the next video. I have used three modules. auxiliary/dos/wifi/fakeap This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool. auxiliary/dos/wifi/deauth This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID. auxiliary/dos/wifi/ssidlist_beacon This module sends out beacon frames using SSID's identified in a specified file and randomly selected BSSID's. This is useful when combined with a Karmetasploit attack to get clients configured to not probe for networks in their PNL to start probing when they see a matching SSID in from this script. For a list of common SSID's to use with this script, check WiGLE - Wireless Geographic Logging Engine - SSID Stats. If a file of SSID's is not specified, a default list of 20 SSID's will be used. This script will run indefinitely until interrupted. Source : - Penetration Testing Software | Metasploit Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Wireless Exploitation Using Metasploit Framework

Unraveling Some Of The Mysteries Around Dom-Based Xss Description: Abstract DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review. ***** Speaker Dave Wichers, COO, Aspect Security Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. | Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware… Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Unraveling Some of the Mysteries around DOM-Based XSS - Dave Wichers on Vimeo Sursa: Unraveling Some Of The Mysteries Around Dom-Based Xss

Daca tot discutam despre asa ceva, de ce nu postati si niste proiecte facute de voi? PHP: - VL Download CMS (script pentru descarcari) - Selenity CMS (un mic portal) - Site-ul "clasei" (mi-a iesit o grafica acceptabila) - Lucrarea de licenta a unui baiat Visual Basic 6: - Yahoo! Manager v1.2 - Digital Keylogger v3.0/4.0 - Royal Crypter v3.0 - Multe alte porcarii (IP locator si mai stiu eu ce...) C#: - Vreo 3 proiecte pentru munca C++: - DarkyBinder v2.0 (primul si singurul binder pentru Linux) - FileDownloader (WinAPI) - DataKiller (sterge tot ce apuca) - Chestii de liceu/facultate (liste inlantuite, clasa pentru BigInt si alte prostii) + Sunt programator C++ (Linux), deci am scris ceva linii de cod Aproximez undeva la 50.000 de linii de cod scrise in total (in toate limbajele pe care le cunosc, mai mult sau mai putin), ceea ce mi se pare cam putin, dar este timp.

Cam... MARE. Ma refer fizic. Cred ca are juma de kil...

Deci in ultimele 3 luni ai scris peste 10000 de linii de cod in 5 limbaje diferite?

Ce limbaje de programare CUNOSTI? Iar prin asta vreau sa zic "In ce limbaje de programare ai scris PESTE 2000 de linii de cod?" Ati putea si sa postati cand ati scris ultima linie de cod. Votati. Evitati caterinca.

HyperDbg HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful. Feel free to contact us for suggestions, criticisms, and bug reports through the HyperDbg google group: hyperdbg | Google Groups Further details about HyperDbg are available in the paper "Dynamic and Transparent Analysis of Commodity Production Systems" (published in the proceedings of ASE 2010). The paper can be downloaded here. Download: http://code.google.com/p/hyperdbg/

[h=1]Defrag Tools: #22 - WinDbg - Memory Kernel Mode[/h]By: Larry Larsen, Andrew Richards, Chad Beeder In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a kernel mode debug session. We cover these commands: !vm !vm 1 !memusage 8 !poolused 2 !poolused 4 !poolfind <tag> !pool <addr> !pool <addr> 2 !pte Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution. Resources: Microsoft Windows SDK for Windows 7 and .NET Framework 4 Sysinternals LiveKD Sysinternals RAMMap Timeline: [00:45] - Sysinternals LiveKD debug of the machine [01:47] - Virtual Memory summary (!vm 1) [05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp) [09:30] - Sysinternals RAMMap [11:10] - Memory List summary (!memusage 8) [16:15] - Pool Usage by Non-Paged Pool (!poolused 2) [20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt) [28:06] - Pool Usage by Paged Pool (!poolused 4) [29:27] - Pool issues lead to Bugchecks [34:00] - Find Pool by Address (!pool <addr>) [36:05] - Find Pool by Tag (!poolfind <tag>) [40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>) [42:45] - Sometimes it is a physical hardware failure Video: Defrag Tools: #22 - WinDbg - Memory Kernel Mode | Defrag Tools | Channel 9

DoS? Then Who Was Phone? Introduction This post presents exploitation notes on a vulnerability we discovered in Asterisk, an open source telephony solution produced by Digium. We reported this bug to Digium on November 27th, 2012, and provided it to customers of the Exodus Intelligence Feed as EIP-2012-0008. Digium released the advisory AST-2012-014 for this vulnerability on January 2nd, 2013, which was picked up shortly after by some of the aggregator sites and incorrectly categorized as a denial-of-service; however, this bug is certainly exploitable. As we found it fun to analyze, and since discussions about server-side memory bugs are a little sparse now-a-days, we thought it would be cool to share for others who might also find it interesting. Vulnerability The vulnerability resides in the HTTP Asterisk Management Interface (AMI) service, and is the result of an alloca being used to “allocate” memory with a remotely-supplied, untrusted size value. The vulnerability is present in the Asterisk source code file main/http.c, specifically in the function ast_http_get_post_vars, which as the name would suggest is used to parse HTTP post variable data. A snip of the pertinent vulnerable code in this function is shown below: struct ast_variable *ast_http_get_post_vars( struct ast_tcptls_session_instance *ser, struct ast_variable *headers) { int content_length = 0; struct ast_variable *v, *post_vars=NULL, *prev = NULL; char *buf, *var, *val; for (v = headers; v; v = v->next) { if (!strcasecmp(v->name, "Content-Type")) { if (strcasecmp(v->value, "application/x-www-form-urlencoded")) { return NULL; } break; } } for (v = headers; v; v = v->next) { if (!strcasecmp(v->name, "Content-Length")) { content_length = atoi(v->value) + 1; break; } } if (!content_length) { return NULL; } if (!(buf = alloca(content_length))) { return NULL; } if (!fgets(buf, content_length, ser->f)) { return NULL; } The code shows the length value being converted from the Content-Length string using atoi, then incremented by one and stored in the content_length variable. Memory is obtained by alloca for the expected content length, and pointed to by *buf. Finally, fgets is called to read the expected amount of content data into this buffer. I found it interesting that the code looks as though it may have been written with memory management issues in mind, as the check to ensure content_length is not zero would catch an integer overflow caused by adding one to the value. Below is a snip of disassembled code for the vulnerable function as compiled in the Asterisk package shipped with Ubuntu. This snip shows the size value being set and used to subtract the stack pointer (ESP) to “allocate” stack memory: <ast_http_get_post_vars+187>: call <strtol@plt> <ast_http_get_post_vars+192>: mov edx,eax <ast_http_get_post_vars+194>: add edx,0x1 <ast_http_get_post_vars+197>: je <ast_http_get_post_vars+408> <ast_http_get_post_vars+203>: mov ecx,DWORD PTR [ebp-0x30] <ast_http_get_post_vars+206>: add eax,0x1f <ast_http_get_post_vars+209>: and eax,0xfffffff0 <ast_http_get_post_vars+212>: sub esp,eax <----- LOL <ast_http_get_post_vars+214>: lea esi,[esp+0x1b] As shown, the alloca is compiled into a simple set of instructions to ADD and AND-off the size to be allocated from the stack. It then subtracts the revised size from the stack pointer, and stores an address derived from this into the ESI register for further use. Exploitation Obstacles Since most compilers implement alloca as a fairly direct subtraction of the stack pointer, the exploitation of alloca is often as simple as providing a size value large enough to wrap the stack pointer around to a desirable location higher on the stack. Subsequent use of the pointer to store remotely supplied data would then result in stack memory corruption, and allow for vanilla exploitation techniques to gain control of program execution flow. However, here the vulnerable code uses the function fgets to read network data into the obtained memory space. This complicates the situation for exploitation as the libc implementation of fgets performs a check on its length argument to ensure that it is not beyond the signed integer boundary of 0x7FFFFFFF. If this check fails, fgets does not read data and returns an error. The code snip below shows the check performed inside of fgets as implemented in libc.6.so: <fgets+0>: sub esp,0x4c <fgets+3>: mov DWORD PTR [esp+0x48],ebp <fgets+7>: mov ebp,DWORD PTR [esp+0x54] <fgets+11>: mov DWORD PTR [esp+0x3c],ebx <fgets+15>: call <mov_esp_ebx> <fgets+20>: add ebx,0x14051c <fgets+26>: mov DWORD PTR [esp+0x40],esi <fgets+30>: mov esi,DWORD PTR [esp+0x58] <fgets+34>: test ebp,ebp <fgets+36>: mov DWORD PTR [esp+0x44],edi <fgets+36>: mov DWORD PTR [esp+0x44],edi <fgets+40>: jle <fgets+336> ... <fgets+336>: mov DWORD PTR [esp+0x50],0x0 <fgets+344>: jmp <fgets+256> ... <fgets+256>: mov eax,DWORD PTR [esp+0x50] <fgets+260>: mov ebx,DWORD PTR [esp+0x3c] <fgets+264>: mov esi,DWORD PTR [esp+0x40] <fgets+268>: mov edi,DWORD PTR [esp+0x44] <fgets+272>: mov ebp,DWORD PTR [esp+0x48] <fgets+276>: add esp,0x4c <fgets+279>: ret The EBP register, containing the length argument, is checked to be a positive signed value using the TEST and JLE instructions at <fgets+34> and <fgets+40>. If the check fails, the code jumps to return an error, making fgets unusable for exploiting a wrapped stack pointer to overwrite memory with data read from the network. While stack corruption by this means is still possible through the pushing and moving of data to the stack by other compiled code operations, the lack of control and limited set of operations make this approach undesirable. At this point some might categorize this vulnerability as purely theoretical or possibly even unexploitable. As I hope many readers would agree, a challenge of this nature is always inviting. The Exodus team loves goading and trolling one another in these scenarios, usually with something along the lines of “Yeah, it is probably too tough for you to exploit…” or “you should probably just give up.” The recipient of this pep talk usually proceeds to cry and reevaluate the code until an idea hits them or they decide to resign to a life of PCI compliance auditing. Challenge accepted. EIP Control After spending some time analyzing the problem and hating computers, I found a way to exploit this vulnerability. The HTTP listener for the Asterisk Management Interface handles every new connection by creating a new thread to execute a designated worker function to process the request. The code to setup and complete this task is spread out across multiple functions and macros and is a little messy, so we’ll try to keep details to a minimum. The HTTP AMI is started initially by a call chain of functions starting with ast_http_init, which calls __ast_http_load, which then calls ast_tcptls_server_start. The function ast_tcptls_server_start performs standard TCP socket setup operations, and is defined as: void ast_tcptls_server_start(struct ast_tcptls_session_args *desc) Despite the name, ast_tcptls_server_start is used for both TLS and non-TLS service setup. The single argument taken by this function is a structure describing aspects of the server to be started. From __ast_http_load, the call looks like: ast_tcptls_server_start(&http_desc); The structure structure http_desc is defined in main/http.c as: static struct ast_tcptls_session_args http_desc = { .accept_fd = -1, .master = AST_PTHREADT_NULL, .tls_cfg = NULL, .poll_timeout = -1, .name = "http server", .accept_fn = ast_tcptls_server_root, .worker_fn = httpd_helper_thread, }; The .accept_fn is a function pointer for a function to accept the connection, and the worker_fn is a pointer to the worker function responsible for processing the request once a new thread is created. After more setup code, a new thread is created to accept socket connections by calling the function ast_tcptls_server_root. For each TCP connection accepted on the listening HTTP port (default 8088), ast_tcptls_server_root calls the following thread creation wrapper to create a new thread and eventually call the worker function: ... if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) { ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno)); ast_tcptls_close_session_file(tcptls_session); ao2_ref(tcptls_session, -1); } ... The function ast_pthread_create_detached_background is a macro wrapper for the function ast_pthread_create_stack. The macro definition looks roughly like: ast_pthread_create_detached_stack(a, b, c, d, AST_BACKGROUND_STACKSIZE, ...) The important thing to note here is the argument AST_BACKGROUND_STACKSIZE. This is used by the function to set the new thread's stack size attribute before starting the thread: pthread_attr_setstacksize(attr, stacksize ? stacksize : AST_STACKSIZE) ... return pthread_create(thread, attr, start_routine, data); For builds without low memory restrictions defined, the AST_BACKGROUND_STACKSIZE and the AST_STACKSIZE macros are defined as: #define AST_BACKGROUND_STACKSIZE AST_STACKSIZE #define AST_STACKSIZE (((sizeof(void *) * 8 * 8) - 16) * 1024) /* becomes 0x3C000 */ The use of AST_STACKSIZE, or 0x3C000, to set the size of the stack for each new HTTP thread is significant, as it means the stack of the newly created thread will begin at 0x3C000 below the top of the previous thread's stack. In turn, if a value of this size or greater is used for alloca pointer subtraction, the resulting stack pointer will overlap with the stack memory of a newer thread. By carefully synchronizing the state of the threads involved so they do not collide their shared use of stack memory, it is possible to use this behavior to overwrite the contents of one thread's stack area with network data read by another thread. To visualize this, and because I love drawing stack diagrams, I present the following bad art: Synchronizing the two threads such that they do not collide and clobber each other's critical stack contents is as simple as not sending data when a given thread is expecting it. While one thread is waiting for data in a blocking read operation, the other thread may be using the stack. Using the HTTP POST method (as is required to trigger the vulnerability) allows for two separate network read operations per thread: one for the initial read of HTTP headers, and a second for reading the HTTP Content-Data. Having two individual network read operations per thread provides enough blocking opportunity to align the augmented stack pointer of the first thread to a desirable location used by the second thread. Better yet, this provides an opportunity to align the pointer of the first thread to a location that is not yet used by the second thread, but will be be used once the second thread completes its initial read and resumes execution. The following diagram steps attempt to illustrate this process, ignoring trivial details and using round numbers for simplicity. 1. Two socket connections to the HTTP AMI service are established, causing Asterisk to create two threads to handle the connections. Both threads are expecting HTTP headers and so they are both blocking on a read operation. To depict the state of these threads: 2. Thread1 is sent HTTP headers with an HTTP Content-Length string equivalent to 0x3C900. Once headers are received, Thread1's initial read operation finishes. It performs the alloca, subtracting its stack pointer by 0x3C900, which places its pointer for *buf at 0x900 bytes down from the top of Thread2's stack: 3. Thread1 is then sent approximately 0x700 bytes of the 0x3C900 it is expecting. This advances the *buf pointer index used by fgets up the stack, closer to Thread2's current stack pointer. Thread1 continues waiting as it has not yet received the full amount of data expected (0x3C900). 4. Thread2, still waiting on its initial network read, is sent HTTP POST headers with a Content-Length string equivalent to approximately 0x200, which it uses for its own alloca, subtracting from its stack pointer. Coordinating this length carefully places it precisely where the *buf pointer in Thread1 fgets currently points. Thread2 then calls fgets to receive its HTTP Content-Data, causing it to block while waiting to read in data. 5. Thread1 is sent 4 more bytes of the data it is waiting to receive, which is stored starting at its current *buf index in fgets, and overwrites where Thread2's stored return address is for fgets. A return from fgets can then be triggered by sending the remaining data expected, or a newline character, or also by simply closing the connection. Once Thread2 returns, EIP is restored from the overwritten return address value and execution flow is controlled. Protection Mechanisms Precisely overwriting only desired stack contents leaves stack canaries intact so that they do not interfere with exploitation. To avoid non-executable memory protections, typical return-oriented techniques may be employed to reuse existing executable memory once execution flow is controlled. This leaves Address Space Layout Randomization (ASLR), and more specifically, Asterisk builds compiled as Position-Independent-Executables (PIE) as the only remaining obstacle to overcome, as fixed return locations cannot be used in this case. While the default Makefile generated to compile Asterisk from source does not include flags for PIE, popular Linux distributions may package their own Asterisk built with PIE for extra security, such as with Ubuntu (props to @kees_cook for keeping us on our toes with this). ASLR via PIE significantly frustrates exploitation. Since Ubuntu is a popular distribution, and having set the bar for difficulty in this case, the Ubuntu Asterisk build is the target we challenged ourselves with. Who Was Phone I will save you from babble about entropy and efforts made to try and guess addresses in the presence of ASLR. Instead we will discuss how this vulnerability can be reliably exploited for memory disclosure, and used to determine the location of Asterisk code memory to redirect execution to. The function generic_http_callback in main/manager.c is the URL handling function executed when triggering the vulnerability, and is defined as: static int generic_http_callback(struct ast_tcptls_session_instance *ser, enum ast_http_method method, enum output_format format, struct sockaddr_in *remote_address, const char *uri, struct ast_variable *get_params, struct ast_variable *headers) { Above you can see the output_format argument format is an enumeration value for one of the possible formats used for the reply. Its expected possible values are 0, 1, or 2 for "plain", "html", "xml" respectively. This value is used to retrieve a pointer from a global array when constructing a response in generic_http_callback: /* ... */ ast_str_append(&http_header, 0, "Content-type: text/%s\r\n" "Cache-Control: no-cache;\r\n" "Set-Cookie: mansession_id=\"%08x\"; Version=1; Max-Age=%d\r\n" "Pragma: SuppressEvents\r\n", contenttype[format], session->managerid, httptimeout); /* ... */ ast_http_send(ser, method, 200, NULL, http_header, out, 0, 0); /* ... */ The contenttype array contains the pointers to the strings used for the HTTP response, and thus the pointer retrieved from this look-up directly influences data sent back to the HTTP user. By conducting the same style of stack pointer manipulation previously described, it is possible to align a thread's *buf pointer to overwrite the stack memory where format is stored, so it indexes beyond the contenttype array into other memory. With the help of some handy debugger scripting, I was able to find a pointer->pointer->code from a relative offset of contenttype. My code to do this with VDB is shown below. (Comments document the code a little bit, but a more extensive explanation of VDB is beyond the scope of this post): for m in trace.getMemoryMaps(): # check memory map name if m[3].lower() == "/usr/sbin/asterisk": # check for flags Read & Write for data segment if m[2] == 6: addr = m[0] memlen = m[1] memory = trace.readMemory(addr, memlen) # check for Execute flag elif m[2] == 5: # save beginning and ending of executable memory code = m[0] codestop = code+m[1] # from each offset in the memory for offset in range(memlen-4): # read for the size of a pointer ptr = struct.unpack("<I", memory[offset:offset+4])[0] # check if it is a pointer if ispoi(ptr): # read the value at the pointer ptr = struct.unpack("<I", trace.readMemory(ptr, 4))[0] # is that value in the asterisk code? if ptr > code and ptr < codestop: print " [*] Found 0x%08x -> 0x%08x" % (addr+offset, ptr) The script simply searches the memory maps of the attached process for the Asterisk data and code memory regions. Once they are found, the value at every possible offset in the data map is checked to be a valid memory address. Passing this check, the value at the memory it points to is then also checked to see if it is a pointer to code memory and then prints out valid matches. This script identified 8 locations of usable pointers when ran against Ubuntu's packaged Asterisk binary. By overwriting the saved format variable with an index to offset to one of these pointer sequences, it is possible to manufacture a remote memory disclosure and determine an address of Asterisk code memory. Putting this all together allows for successful remote arbitrary code execution despite ASLR/PIE/NX/STACK COOKIES/ALL_OF_THE_THINGS compiled in with the Ubuntu build. To add to an already silly amount of convenience with the conditions surrounding this bug, when gaining EIP control through the method described, the next value on the stack above the overwritten return address is a pointer to the buffer passed to fgets in the second thread. This buffer is populated with the second thread's received HTTP Content-Data (remotely-controlled data). Using the memory disclosure to calculate the address of a call to the function ast_safe_system, which takes a single string pointer argument to execute as a command line, it is simple to exploit the return in the second thread to execute arbitrary commands from the Asterisk process -- which often runs as root. Using this to spawn a remote shell with Ubuntu's default dash shell is a little obnoxious, but possible, and an exercise left up to the reader. Hope you enjoyed the post! -- Brandon Edwards @drraid Sursa: DoS? Then Who Was Phone?

[h=1]Ettercap <= 0.7.5.1 Stack Overflow Vulnerability[/h] Title: Ettercap Stack overflow (CWE-121) References: CVE-2012-0722 Discovered by: Sajjad Pourali Vendor: http://www.ettercap.sourceforge.net/ Vendor contact: 13-01-01 21:20 UTC (No response) Solution: Using the patch Patch: http://www.securation.com/files/2013/01/ec.patch Local: Yes Remote: No Impact: low Affected: - ettercap 0.7.5.1 - ettercap 0.7.5 - ettercap 0.7.4 and earlier Not affected: - ettercap 0.7.4.1 --- Trace vulnerable place: ./include/ec_inet.h:27-44 enum { NS_IN6ADDRSZ = 16, NS_INT16SZ = 2, ETH_ADDR_LEN = 6, TR_ADDR_LEN = 6, FDDI_ADDR_LEN = 6, MEDIA_ADDR_LEN = 6, IP_ADDR_LEN = 4, IP6_ADDR_LEN = 16, MAX_IP_ADDR_LEN = IP6_ADDR_LEN, ETH_ASCII_ADDR_LEN = sizeof("ff:ff:ff:ff:ff:ff")+1, IP_ASCII_ADDR_LEN = sizeof("255.255.255.255")+1, IP6_ASCII_ADDR_LEN = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1, MAX_ASCII_ADDR_LEN = IP6_ASCII_ADDR_LEN, }; ./include/ec_resolv.h:42 #define MAX_HOSTNAME_LEN 64 ./src/ec_scan.c:610-614 char ip[MAX_ASCII_ADDR_LEN]; char mac[ETH_ASCII_ADDR_LEN]; char name[MAX_HOSTNAME_LEN]; ./src/ec_scan.c:633-635 if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 || *ip == '#' || *mac == '#' || *name == '#') continue; --- PoC: sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow --- + Sajjad Pourali + http://www.securation.com + Contact: sajjad[at]securation.com Sursa: Ettercap <= 0.7.5.1 Stack Overflow Vulnerability

Hijacking Facebook Accounts Over A Network Description: In this video i show you how to Hijack facebook accounts over a network using with Ettercap, Wireshark, Grease Monkey and Cookie Injector. You will need the following stuff for this to work. Backtrack Linux - Pentesting Operating System Wireshark - Packet Analzyer comes with Backtrack 5 Firefox - Browser comes with Backtrack 5+ Grease Monkey - Firefox addon Cookie Injector - Script to Dump Wireshark Data. Links: Backtrack Linux Download: BackTrack Linux - Penetration Testing Distribution Passsniffer.sh from video: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf Grease Monkey - Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ Cookie Injector for Grease Monkey: Original Cookie Injector for Greasemonkey Credits to tedbear for the Passsniffer.sh script. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Hijacking Facebook Accounts Over A Network

Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities Description: Abstract We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles: • Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming; • Secure programming support should be provided while the code is being developed, integrated into the development tools; • Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and • Developers should be able to provide feedback about the application context that can drive customized security analysis. We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Using Interactive Static Analysis for Early Detection of Software Vulnerabilities - Bill Chu on Vimeo Sursa: Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities

Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit Description: In this video I will show you how to perform a brute - force attack on Mysql and how to use John the Ripper Hash Cracking module in Metasploit Framework. When you are using John the Ripper Module, so make sure that your database is connected to Metasploit Framework or you will get an error. Modules are used .. auxiliary/scanner/mysql/mysql_version Enumerates the version of MySQL servers auxiliary/scanner/mysql/mysql_login This module simply queries the MySQL instance for a specific user/pass (default is root with blank). auxiliary/scanner/mysql/mysql_hashdump This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking. Source : - Penetration Testing Software | Metasploit Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit

Fastest Router Hacking With Hydra - Official Video Description: THC-Hydra A very fast network logon cracker which support many different services. INTRODUCTION ------------ Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system. Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. However the module engine for new services is very easy so it won't take a long time until even more services are supported. Your help in writing, enhancing or fixing modules is highly appreciated!! Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Fastest Router Hacking With Hydra - Official Video

Windows Tools For Penetration Testing Most penetration testers are using either a Mac or a Linux-based platform in order to perform their penetration testing activities.However it is always a good practice to have and a Windows virtual machine with some tools ready to be used for the engagement.The reason for this is that although Windows cannot be used as a main platform for penetration testing some of the utilities and tools can still help us to extract information from our windows targets.So in this post we will see some of the tools that we can use in our windows system. HashCheck Shell Extension The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files). Netcat Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor. Metasploit Framework The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. RealVNC Viewer Remote access software for desktop and mobile platforms. GetIf SNMP tool that allows you to collect information about SNMP devices. Cain & Abel Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development. PuTTY PuTTY is an SSH and telnet client for the Windows platform. Pass The Hash Toolkit The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes. Cachedump Recovering Windows Password Cache Entries. Fport Identify unknown open ports and their associated applications. Nbtscan This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. Burp Suite Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Winfo Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed. ClearLogs ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer. SQLDict SQLdict is a dictionary attack tool for SQL Server. PMDump PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process. GrabItAll GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attackers computer, or redirect traffic between two other computers through the attackers computer. In the last case you need to enable IP Forwarding which can be done with GrabItAll too. DumpUsers DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1. BrowseList BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading). Remoxec Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation). WMICracker Brute-force tool for Windows Management Instrumentation (WMI). Venom Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled. SMBAT The SMB Auditing Tool is a password auditing tool for the Windows-and the SMB-platform. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremly fast to guess passwords on these platforms. RPCScan RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins. LSASecretsDump LSASecretsDump is a small console application that extract the LSA secrets from the Registry, decrypt them, and dump them into the console window. SQLPing SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever. OAT The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers. Pwdump7 Extract password hashes from local user accounts. PsTools The PsTools package provides a set of command line utilities that allow you to manage local and remote systems. Incognito Incognito is a tool for manipulating windows access tokens and is intended for use by penetration testers, security consultants and system administrators. DumpSec DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. X-Deep32 X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc. LC5 Windows password cracker. Ophcrack Ophcrack is a free Windows password cracker based on rainbow tables. SiVuS SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations. Sursa: Windows Tools For Penetration Testing

SQL Injections: An Introduction Audi-1 January 07, 2013 According to the Open Web Application Security Project (OWASP), injection attacks are first on the list of the top 10 web vulnerabilities. Diving into these, SQL injections are responsible for a big chunk of this. Exploitation of SQL injections is trivial. This vulnerability is not just web related but can also occur in desktop applications that use SQL server backends. The detectability of these vulnerabilities depends on the complexity of the application in question. Most times, point-and-shoot tools fail to successfully detect these vulnerabilities. Sometimes there is difficulty in putting the desired conditions to successfully exploit the injections into these point-and-click tools, causing the vulnerability to go unnoticed. A generic solution to prevent these sorts of flaws from creeping in while programming is to sanitize all inputs and use proper encoding, furthermore using the white-list approach to allow only data which needs to be used by application. SQLI-LABS is an attempt to walk through the process of SQL injections in a dumb way. The focus is on understanding the core concepts, making it easy to be followed by people who are learning to break into the field of security and penetration testing. To help the learning process, a test bed has been prepared which can be followed along with this post. One can also follow the video explanations for each lesson for brief explanations about the topic. The test bed can be grabbed from https://github.com/Audi-1/sqli-labs. You can follow readme.txt for installation instructions or can watch the brief video. What are SQL injections? An SQL injection is a kind of injection vulnerability in which the attacker tries to inject arbitrary pieces of malicious data into the input fields of an application, which, when processed by the application, causes that data to be executed as a piece of code by the back end SQL server, thereby giving undesired results which the developer of the application did not anticipate. The backend server can be any SQL server (MySQL, MSSQL, ORACLE, POSTGRESS, to name a few) The ability of the attacker to execute code (SQL statements) through vulnerable input parameters empowers him to directly interact with the back end SQL server, thereby leveraging almost a complete compromise of system in most cases. What are different types of SQL injections? SQL injections can be classified and categorized in different ways, based on the type of data extraction channel, the response received from server, how server responses aid in leveraging the successful exploitation, impact point, etc. Based on the data extraction channel Inband or inline Out-of-band SQL injections that use the same communication channel as input to dump the information back are called inband or inline SQL Injections. This is one of the most common methods, readily explained on the Internet in different posts. For example, a query parameter, if injectable, leads to the dumping of info on the web page. Injections that use a secondary or different communication channel to dump the output of queries performed via the input channel are referred to as out-of-band SQL injections. For example, the injection is made to a web application and a secondary channel such as DNS queries is used to dump the data back to the attacker domain. Based on the response received from the server Error-based SQL injections Union query type. Double query Injections. Blind SQL Injections Boolean-based blind injections. Time based blind injections. Error-based SQL injections are primarily those in which the SQL server dumps some errors back to the user via the web application and this error aids in successful exploitation. In the image below, the yellow line displays the error. These will be discussed further in this post and in related posts to come. Blind SQL injections are those injections in which the backend database reacts to the input, but somehow the errors are concealed by the web application and not displayed to the end users. Or the output is not dumped directly to the screen. Therefore, the name “blind” comes from the fact that the injector is blindly injected using some calculated assumptions and tries. Based on how the input is treated in SQL query (what data type) String-based Numeric- or integer based Based on how the input parameter would be treated in the back end SQL query, an injection can be classified as string- or integer-based. Based on the degree/order of injections (where the impact happens) First-order injections. Second-order injections. The degree or the order of injection identifies the way in which the injection yields the output. If the injection directly delivers the result, it is considered to be a first-order injection, but if the injection input yields no successful result in extraction, but instead impacts some other result which the attacker can take advantage of on some other place/page, it is called a second-order injection. Consider second-order injections similar to stored XSS injections, where the input is stored in the application and later rendered on some other page, thereby impacting that page indirectly because of initial malicious input. Based on the injection point location Injection through user input form fields. Injection through cookies. Injection through server variables. (headers-based injections) Why does SQL injection happen? Generally when an application is communicating with the backend database, it does so in the form of queries with the help of an underlying database driver. This driver is dependent on the application platform being used and the type of backend database, such as MYSQL, MSSQL, DB2, or ORACLE. A generic login query would look something like this: `SELECT Column1, Column2,Column3 FROM table_name WHERE username=’$variable1? AND password=’$variable2?;` We can split this query into two parts, code section and the data section. The data section is the $variable1 and $variable2 and quotes are being used around the variable to define the string boundary. Let us try to walk through the process in a crude way. Say at the login form, the username entered is Admin and password is p@ssw0rd which is collected by application and values of $variable1 and $variable2 are placed at their respective locations in the query, making it something like this. `SELECT Column1, column2, Column3 FROM table_name WHERE username=’Admin’ AND password=’p@ssw0rd’;` Now the developer assumes that users of his application will always put a username and password combination to get a valid query for evaluation by database backend. What if the user is malicious and enters some characters which have some special meaning in the query? For example a single quote. So, instead of putting Admin, he puts Admin’, thereby causing an error thrown by the DB driver. Why? Because of the unpaired quote entered by the user breaking the application logic. We will discuss the process in detail. To summarize: Whenever an attacker is able to escape the data boundaries, he can append data which then gets interpreted as code by the DB Driver and is executed on the SQL backend, thereby causing SQL injection. ERROR-based SQL injections In general, all programming languages give developers a flexibility to debug and fix their applications by using some inbuilt error-handling functions/libraries. These could be some explicit function, classes, or methods that deliver friendly error messages so that the troubleshooting experience can be streamlined and detecting the part of code responsible for raising those exceptions can be easier. These functions should be controlled before an application goes to production because they can dump a lot of sensitive info about the application and underlying logic, thereby making it easy for a bad guy to exploit the application. Therefore, those applications where these error-handling functions are available to aid in gaining useful info about the application or in dumping the database info by means of SQL interaction are classified as error-based SQL Injections. Based on the way data is extracted using helpful errors, the error-based injections can be classified into two main types: Union-query type Double-query type Let’s discuss the process of SQLi in detail. To do so, let us consider Lessons 1 to 4. We will continue to explore the further lessons of Labs in coming posts. For the purpose of demonstration, I have installed the SQLI-LABS under the /var/www location on my Backtrack installation. Download and follow the install instructions to set it up to follow along. A methodological approach is always helpful in understanding the underlying logic. The major process is as follows: Enumerate the application behavior Fuzz the application with bogus data with the goal of crashing the application Try to control the injection point by guessing the query used in the backend Extract the data from the back end database Enough theory, time for some action. ENUMERATION: Let us start with enumeration of the applications. Lessons 1 to 4 look almost identical. When we load the page for Less-1, it asks us to input ID as a GET parameter, which should be a numeric value. Providing the ID as a numeric value, we see a specific username and password on screen when the value of ID is between 1 through 14. For any other value, we see nothing being displayed on screen. ANALYSIS of ENUMERATION id=15 => No output on screen. ID=1 => Login name= Dumb, Password=Dumb ID=2 => Login name= Angelina, Password=I-kill-you ID=3 => Login name= Dummy, Password=p@ssw0rd ID=4 => Login name= secure, Password=crappy ID=5 => Login name= stupid, Password=stupidity ID=6 => Login name= superman, Password=genious ID=7 => Login name= batman, Password=mob!le ID=8 => Login name= admin, Password=admin ID=9 => Login name= admin1, Password=admin1 ID=10 => Login name= admin2, Password=admin2 ID=11 => Login name= admin3, Password=admin3 ID=12 => Login name= dhakkan, Password=Dumbo ID=13 => Login name= admin4, Password=admin4 ID=14 => Login name= admin5, Password=admin5 ID=15 => No output on screen. ID=20 => No output on screen. ID=100 => No output on screen. Result of Enumeration: The database seems to have 14 records in the table and for any non-existent value ID it returns an empty set. FUZZING: Generally the developer of the application assumed that the user would input integer values. After we have enumerated the application work flow, we try to fuzz all input points of the application. So what exactly is Fuzz? It is a process for supplying arbitrary dumb patterns as input with the objective to see application behavior and try to find the discrepancies in the responses. The discrepancies indicate the possibility of vulnerability. We will fuzz all the four lessons together one by one. Below are some arbitrary inputs which we can add, append and use for purpose of detecting basic error based SQLi: ‘ “ \ ; %00 ) ( aaa Integer or string test: Because the input parameter seems to be integer value, let us try to input a string value for ID parameter and observe the behavior. Less-1 http://localhost/sqli-labs/Less-1/?id=asdf Less-2 http://localhost/sqli-labs/Less-2/?id=asdf Less-3 http://localhost/sqli-labs/Less-3/?id=asdf Less-4 http://localhost/sqli-labs/Less-4/?id=asdf Result of Integer and String Test: We see that Less-1, Less-3, and Less-4 respond by returning the empty set, whereas Less-2 returns a different behavior; it displays a MySQL error message on screen. From very basic programming knowhow, we know that a string parameter is always wrapped in single quotes or double quotes, whereas integers are used as is. Therefore we can assume that Less-1, -3, and -4 are using some sort of quotes to wrap around the user input. They consider the string entered as a non-existent value in the database and therefore respond with the empty set. Less-2 is producing a MySQL alert, meaning that there are no quotes used around the input parameter, therefore integer values work fine in a query but strings cause an error. Therefore we can deduce that Less-1, Less-2, and Less-3 are string-based injections and Less-2 is an integer-based injection. Fuzzing continued: Now let us further take the fuzz characters and try them against Less-1 through -4 one by one. Less-1 http://localhost/sqli-labs/Less-1/?id=1? Less-2 http://localhost/sqli-labs/Less-2/?id=1‘ Less-3 http://localhost/sqli-labs/Less-3/?id=1‘ All three produce a similar kind of error message with a very minute difference. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”1” LIMIT 0,1? at line 1 And Less-4 does not produce any alert with the injection of a single quote. http://localhost/sqli-labs/Less-4/?id=1‘ Trying the same exercise with a double quote injection, we observe that this time only Less-4 crashes the application and Less-1, Less-2, and Less-3 do not crash it anymore. Therefore, from the above tests, we have discovered that the applications Less-1, Less-2, and Less-3 are reactive to a single-quote injection and Less-4 is to a double-quote injection. Time to discover the underlying query being used by applications by using info gained above. We know that Less-1, Less-3, and Less-4 are string-based and Less-2 is numeric. Let us confirm this further by injecting a backslash, which is an escape character to print characters which have special meaning in SQL (for example, to print a ‘ we need to write it as \’ so the quote does not get evaluated and dumped as another character). Appending ID=1\ yields the following output: For Less-1 Because we input 1\, let’s look at the part of error dumped on the screen containing 1\, which is near ‘ ’1\’ LIMIT 0,1? at line 1. We observe that as our input was 1\, a single quote is visible after that, indicating that single quotes are used as a wrapper for the strings. Let’s take Less-2 and try the same. Our input is same but the output has a minor change to the Less-1, near ‘ ’1\ LIMIT 0,1? at line 1. After our input 1\ there are no quotes, again proving that Less-2 is an integer-based injection and does not need any quotes to break the query. Still confused? Let us do the same test with Less-3 and Less-4 and it will get clearer as we progress. Let us do the same test with Less-3: The error message is near ‘ ’1\’) LIMIT 0,1? at line 1. In this lesson, with the same input of 1\, we see ‘) after our parenthesis, indicating that the developer of the application has wrapped the variable inside parentheses (‘ variable’). Let’s do the same with Less-4: Error message is near ‘ “1\”) LIMIT 0,1? at line 1. In this lesson, with same input of 1\, we see “) after our parenthesis indicating that the developer of the application has wrapped variable inside parentheses (“variable”). Building up the query being used behind the scene in the applications: Less-1: SELECT * FROM TABLE_NAME WHERE ID=’$ID’ LIMIT 0,1 Less-2: SELECT * FROM TABLE_NAME WHERE ID=$ID LIMIT 0,1 Less-3: SELECT * FROM TABLE_NAME WHERE ID=(‘$ID’) LIMIT 0,1 Less-4: SELECT * FROM TABLE_NAME WHERE ID=(“$ID”) LIMIT 0,1 COMMENTING OUT QUERY Until now, we have been able to detect the injection flaw, and able to guess a pseudo query with details on what is being used as a string delimiter or wrapper around the variable. One thing we need to understand is that, during the injection, we can only control the variable but not the delimiters used around it; therefore as soon as we inject an extra delimiter, it induces a syntax error. For a successful injection, we should close the open delimiter wrapped around the variable in the query, thereby making it possible for us to escape the string/integer boundary and execute SQL statements and also be able to handle the closing delimiter around the variable, which becomes stale. This can be done in two ways. One way is by commenting out the rest of query, and the second way is by adding an extra delimiter with extra values to make the query syntactically correct. Let us take an example: Less-1: SELECT * FROM TABLE_NAME WHERE ID=’ $ID ‘ LIMIT 0,1 In place of $ID, we put value of 1?, then the query becomes something like SELECT * FROM TABLE_NAME WHERE ID=’ 1? ‘ LIMIT 0,1 Now, this query is syntactically incorrect and needs to be fixed for execution. We found and confirmed that, by adding an extra quote for Less-1, we can successfully escape the string boundary, but we need to fix the extra ‘ which is there as part of original query. Way one: We can use SQL comments to fix the syntax. MySQL uses three types of comments: –+, # , /* */, so our injection can be 1? –+ or 1? #. So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID=’ 1?–+ ‘ LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=’ 1? # ‘ LIMIT 0,1 Complete URL with injection is: http://localhost/sqli-labs/Less-1/?id=1?–+ http://localhost/sqli-labs/Less-1/?id=1? %23 (NOTE: %23 is url-encoded value for #) For Lesson 2, we do not need any extra quotes to escape and inject queries as there are no quotes in the first place, therefore a simple commenting out should be fine. http://localhost/sqli-labs/Less-2/?id=1–+ http://localhost/sqli-labs/Less-2/?id=1 %23 (NOTE: %23 is url-encoded value for #) So the query effectively becomes SELECT * FROM TABLE_NAME WHERE ID= 1?–+ LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID= 1? # LIMIT 0,1 Let us now look at the Less-3 and Less-4. The query for Less-3 we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=(‘$ID’) LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ‘) as discussed above to close the initial delimiter and then comment out rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(‘ 1?) –+ ‘) LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(‘ 1?) # ‘) LIMIT 0,1 The query for Less-4 we deduced earlier was: SELECT * FROM TABLE_NAME WHERE ID=(“$ID”) LIMIT 0,1 Therefore, to get a working query in this case, we need to first inject ‘) as discussed above to close the initial delimiter and then comment out rest of the query. SELECT * FROM TABLE_NAME WHERE ID=(” 1?) –+ “) LIMIT 0,1 SELECT * FROM TABLE_NAME WHERE ID=(” 1?) # “) LIMIT 0,1 Injection: 1?) –+ Injection: 1?) %23 (NOTE: %23 is URLENCODE for #) Injection: 1?) –+ Injection: 1?) %23 (NOTE: %23 is URLENCODE for #) Once we are in this position, having fixed the query after successful injection, we can inject the code in between the delimiter and the comments we injected. FINDING COLUMNS USED BY DEVELOPER IN QUERIES As we saw during the enumeration phase, the application is interacting with the database and displaying some info on the web pages. Therefore we will be using UNION statements to dump the database info. A constraint to the use of the union statements is that the columns on both sides of union should be the same; therefore our last hurdle before we get something out from the database is to know number of columns used by developer in his query. To do this we use a SQL Keyword “ORDER BY”. When we use ORDER BY in a query, the result set is arranged as per the selection of ORDER BY clause. If the column is not valid, we get an error. Therefore in our injections, we start to add ORDER BY 1, ORDER BY 2 , ORDER BY 3………… and try to observe the result. Injection: 1? ORDER BY 1 –+ => No Error. Injection: 1? ORDER BY 2 –+ => No Error. Injection: 1? ORDER BY 3 –+ => No Error. Injection: 1? ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson2: Injection: 1 ORDER BY 1 –+ => No Error. Injection: 1 ORDER BY 2–+ => No Error. Injection: 1 ORDER BY 3 –+ => No Error. Injection: 1 ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson3 Injection: 1?) ORDER BY 1 –+ => No Error. Injection: 1?) ORDER BY 2–+ => No Error. Injection: 1?) ORDER BY 3 –+ => No Error. Injection: 1?) ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. For Lesson4 Injection: 1?) ORDER BY 1 –+ => No Error. Injection: 1?) ORDER BY 2–+ => No Error. Injection: 1?) ORDER BY 3 –+ => No Error. Injection: 1?) ORDER BY 4 –+ => Error – Unknown column ’4? in ‘order clause’, indicating we have 3 columns. Once we know the number of columns in the queries, we can just go ahead and dump the databases and data of our choice. We will continue further in the next part of this series. You can also refer to the video postings about the same topic from the following link: Sursa: InfoSec Institute Resources – SQL Injections: An Introduction

Sfinte cacat Cum sa faci un program ca asta: 1. Google 2. Surse Bisual Basic 6 3. Copy/Paste in VB6 4. Cateva butoane 5. Gata multi-shit Hy -1 - 0 RST

Hello World: C, Assembly, Object File and Executable Dejan Lukan January 07, 2013 Introduction Summary: In this article we’ll take a look at the C program that prints “Hello World!” to the screen, which we’ll assemble and compile. Then we’ll compare the results and try to present what’s happening beneath the curtains. Specifically, we will look at which sections are present in the transformation chain: from C code, to assembly code, to object file, to executable. Hello World Program: The Assembly First we need to write the hello world C program, which can be seen below: #include <stdio.h> int main() { printf("Hello World!"); return 0; } It’s a very simple program that doesn’t actually do anything; we intentionally kept it this simple, so we will be able to focus on the bigger picture and not tons of code. We then need to compile the program to obtain the assembly code – we don’t want to do anything else right now. To do that we can use the -S option passed to the gcc program, which takes the source code of the program and generates the assembly instructions. We also want the masm Intel assembly source code and not some other format. We can achieve that by passing the -masm=Intel to the gcc program. If we’re on the 64-bit operating system, we also want to compile the program as 32-bit, which we can achieve by passing the -m32 argument to the gcc program. The whole gcc command that we’re using can be seen in the output below: # gcc -m32 -masm=intel -S hello.c -o hello.s This command effectively takes the hello.c program and compiles it as 32-bit program into assembly instructions that are saved into the hello.s file. The hello.s file now looks like presented below: .file "hello.c" .intel_syntax noprefix .section .rodata .LC0: .string "Hello World!" .text .globl main .type main, @function main: push ebp mov ebp, esp and esp, -16 sub esp, 16 mov eax, OFFSET FLAT:.LC0 mov DWORD PTR [esp], eax call printf mov eax, 0 leave ret .size main, .-main .ident "GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4" .section .note.GNU-stack,"",@progbits The .file directive states the original source file name that is normally used by debuggers. The .intel_syntax line specifies that we’re using intel sytax assembly and not AT&T syntax. Afterwards we’re defining the .rodata section, which is used for read-only data variables. In our case the .rodata section contains only the zero terminated string “Hello World!” that can be accessed with the LC0 variable. Then we’re defining the .text section, which is used for the code of the program. First we must define the main function (notice the .type main,@function instruction), which is globally visible (notice the .globl main instruction). From the main: label till the ret instruction is the actual code of the program. That code first initializes the stack by pushing the value of the register EBP to the stack, moving the value of register ESP to EBP. The “and esp,-16? is used for optimization because some operations can be performed faster if the stack pointer address is in a multiple of 16 bytes. That instruction is put in there because by default, gcc uses the optimization flag -O2. Then we’re subtracting 16 bytes from the current ESP stack pointer register for local variables. Next, the address to the LC0 (our “Hello World!” string) is read into the register eax and moved to the top of the stack, which is the first and only parameter to the printf function that is called right after. The printf function prints that string on the screen and returns to the caller, which takes care of the stack and returns. The .size instruction sets the size of the main function. The .-main holds the exact size of the function main, which is written to the object file. The .ident instruction saves the ” GCC: (Gentoo 4.5.4 p1.0, pie-0.4.7) 4.5.4? string to the object file in order to save the information about the compiler which was used to compile the executable. Hello World Program: The Object File We’ve seen the assembly code that was generated by the gcc directly from the corresponding C source code. But without the actual assembler and linker we can’t run the executable. To assemble the executable into the object file, we must use the -c option with the gcc compiler, which only assembles/compiles the source file, but does not actually link it. To obtain the object file from the assembly code we need to run the command below: # gcc -m32 -masm=intel -c hello.s -o hello.o # file hello.o hello.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped We can see that the hello.o is the object file that is actually an ELF 32-bit executable, which is not linked yet. If we want to run the executable, it will fail as noted below: # chmod +x hello.o # ./hello.o bash: ./hello.o: cannot execute binary file We can read the contents of the object file with the readelf program as follows: # readelf -a hello.o ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: REL (Relocatable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x0 Start of program headers: 0 (bytes into file) Start of section headers: 224 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 0 (bytes) Number of program headers: 0 Size of section headers: 40 (bytes) Number of section headers: 11 Section header string table index: 8 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .text PROGBITS 00000000 000034 00001d 00 AX 0 0 4 [ 2] .rel.text REL 00000000 000350 000010 08 9 1 4 [ 3] .data PROGBITS 00000000 000054 000000 00 WA 0 0 4 [ 4] .bss NOBITS 00000000 000054 000000 00 WA 0 0 4 [ 5] .rodata PROGBITS 00000000 000054 00000d 00 A 0 0 1 [ 6] .comment PROGBITS 00000000 000061 00002b 01 MS 0 0 1 [ 7] .note.GNU-stack PROGBITS 00000000 00008c 000000 00 0 0 1 [ 8] .shstrtab STRTAB 00000000 00008c 000051 00 0 0 1 [ 9] .symtab SYMTAB 00000000 000298 0000a0 10 10 8 4 [10] .strtab STRTAB 00000000 000338 000015 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. There are no program headers in this file. Relocation section '.rel.text' at offset 0x350 contains 2 entries: Offset Info Type Sym.Value Sym. Name 0000000a 00000501 R_386_32 00000000 .rodata 00000012 00000902 R_386_PC32 00000000 printf There are no unwind sections in this file. Symbol table '.symtab' contains 10 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 2: 00000000 0 SECTION LOCAL DEFAULT 1 3: 00000000 0 SECTION LOCAL DEFAULT 3 4: 00000000 0 SECTION LOCAL DEFAULT 4 5: 00000000 0 SECTION LOCAL DEFAULT 5 6: 00000000 0 SECTION LOCAL DEFAULT 7 7: 00000000 0 SECTION LOCAL DEFAULT 6 8: 00000000 29 FUNC GLOBAL DEFAULT 1 main 9: 00000000 0 NOTYPE GLOBAL DEFAULT UND printf No version information found in this file. We can see that the file is an ELF object file that has 11 section headers. The first section header is null. The second section header is .text, which contains the executable instructions of the program. The .rel.text holds the relocation information of the .text section. The relocation entries must be present, as our program instructions call external functions, whose function pointers must be updated upon the program execution. In the output above, we can see that the .rel.text holds two relocation entries: the .rodata and printf. The .data section holds the initialized data, while the .bss section holds uninitialized data that the program uses. The .rodata holds read-only data that can be used by the program; this is where our “Hello World!” string is stored. The .comment section holds version control information and the .note.GNU-stack holds some additional data that I won’t describe here. The .shstrtab holds section names, while the .strtab holds section strings and the .symtab holds the symbol table. We can quickly figure out that in the assembly code there was only the .rodata and .text sections defined, but when we translated the assembly code into the object file, quite some sections were added to the file. Those sections are needed to successfully link the executable and properly execute the program. Hello World Program: The Executable The last step is to actually link the object file to make an executable. To do that, we must execute the command below: # gcc -m32 hello.o -o hello # ./hello Hello World! We’ve linked the object file hello.o into the executable ./hello and executed it. Upon execution of the program, the program outputted the “Hello World!” string as it should. If we take a look at the ELF again, we can see that there is a lot of other information and file sections added to the executable, which can be seen below: $ readelf -a hello ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048330 Start of program headers: 52 (bytes into file) Start of section headers: 4392 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 10 Size of section headers: 40 (bytes) Number of section headers: 30 Section header string table index: 27 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL 00000000 000000 000000 00 0 0 0 [ 1] .interp PROGBITS 08048174 000174 000013 00 A 0 0 1 [ 2] .note.ABI-tag NOTE 08048188 000188 000020 00 A 0 0 4 [ 3] .hash HASH 080481a8 0001a8 000028 04 A 5 0 4 [ 4] .gnu.hash GNU_HASH 080481d0 0001d0 000020 04 A 5 0 4 [ 5] .dynsym DYNSYM 080481f0 0001f0 000050 10 A 6 1 4 [ 6] .dynstr STRTAB 08048240 000240 00004c 00 A 0 0 1 [ 7] .gnu.version VERSYM 0804828c 00028c 00000a 02 A 5 0 2 [ 8] .gnu.version_r VERNEED 08048298 000298 000020 00 A 6 1 4 [ 9] .rel.dyn REL 080482b8 0002b8 000008 08 A 5 0 4 [10] .rel.plt REL 080482c0 0002c0 000018 08 A 5 12 4 [11] .init PROGBITS 080482d8 0002d8 000017 00 AX 0 0 4 [12] .plt PROGBITS 080482f0 0002f0 000040 04 AX 0 0 16 [13] .text PROGBITS 08048330 000330 00019c 00 AX 0 0 16 [14] .fini PROGBITS 080484cc 0004cc 00001c 00 AX 0 0 4 [15] .rodata PROGBITS 080484e8 0004e8 000015 00 A 0 0 4 [16] .eh_frame_hdr PROGBITS 08048500 000500 000014 00 A 0 0 4 [17] .eh_frame PROGBITS 08048514 000514 000040 00 A 0 0 4 [18] .ctors PROGBITS 08049f0c 000f0c 000008 00 WA 0 0 4 [19] .dtors PROGBITS 08049f14 000f14 000008 00 WA 0 0 4 [20] .jcr PROGBITS 08049f1c 000f1c 000004 00 WA 0 0 4 [21] .dynamic DYNAMIC 08049f20 000f20 0000d0 08 WA 6 0 4 [22] .got PROGBITS 08049ff0 000ff0 000004 04 WA 0 0 4 [23] .got.plt PROGBITS 08049ff4 000ff4 000018 04 WA 0 0 4 [24] .data PROGBITS 0804a00c 00100c 000008 00 WA 0 0 4 [25] .bss NOBITS 0804a014 001014 000008 00 WA 0 0 4 [26] .comment PROGBITS 00000000 001014 00002a 01 MS 0 0 1 [27] .shstrtab STRTAB 00000000 00103e 0000e9 00 0 0 1 [28] .symtab SYMTAB 00000000 0015d8 000340 10 29 32 4 [29] .strtab STRTAB 00000000 001918 00014d 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000034 0x08048034 0x08048034 0x00140 0x00140 R E 0x4 INTERP 0x000174 0x08048174 0x08048174 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD 0x000000 0x08048000 0x08048000 0x00554 0x00554 R E 0x1000 LOAD 0x000f0c 0x08049f0c 0x08049f0c 0x00108 0x00110 RW 0x1000 DYNAMIC 0x000f20 0x08049f20 0x08049f20 0x000d0 0x000d0 RW 0x4 NOTE 0x000188 0x08048188 0x08048188 0x00020 0x00020 R 0x4 GNU_EH_FRAME 0x000500 0x08048500 0x08048500 0x00014 0x00014 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 GNU_RELRO 0x000f0c 0x08049f0c 0x08049f0c 0x000f4 0x000f4 R 0x1 PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.ABI-tag .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 04 .dynamic 05 .note.ABI-tag 06 .eh_frame_hdr 07 08 .ctors .dtors .jcr .dynamic .got 09 Dynamic section at offset 0xf20 contains 21 entries: Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libc.so.6] 0x0000000c (INIT) 0x80482d8 0x0000000d (FINI) 0x80484cc 0x00000004 (HASH) 0x80481a8 0x6ffffef5 (GNU_HASH) 0x80481d0 0x00000005 (STRTAB) 0x8048240 0x00000006 (SYMTAB) 0x80481f0 0x0000000a (STRSZ) 76 (bytes) 0x0000000b (SYMENT) 16 (bytes) 0x00000015 (DEBUG) 0x0 0x00000003 (PLTGOT) 0x8049ff4 0x00000002 (PLTRELSZ) 24 (bytes) 0x00000014 (PLTREL) REL 0x00000017 (JMPREL) 0x80482c0 0x00000011 (REL) 0x80482b8 0x00000012 (RELSZ) 8 (bytes) 0x00000013 (RELENT) 8 (bytes) 0x6ffffffe (VERNEED) 0x8048298 0x6fffffff (VERNEEDNUM) 1 0x6ffffff0 (VERSYM) 0x804828c 0x00000000 (NULL) 0x0 Relocation section '.rel.dyn' at offset 0x2b8 contains 1 entries: Offset Info Type Sym.Value Sym. Name 08049ff0 00000206 R_386_GLOB_DAT 00000000 __gmon_start__ Relocation section '.rel.plt' at offset 0x2c0 contains 3 entries: Offset Info Type Sym.Value Sym. Name 0804a000 00000107 R_386_JUMP_SLOT 00000000 printf 0804a004 00000207 R_386_JUMP_SLOT 00000000 __gmon_start__ 0804a008 00000307 R_386_JUMP_SLOT 00000000 __libc_start_main There are no unwind sections in this file. Symbol table '.dynsym' contains 5 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.0 (2) 2: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 3: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.0 (2) 4: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used Symbol table '.symtab' contains 52 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 08048174 0 SECTION LOCAL DEFAULT 1 2: 08048188 0 SECTION LOCAL DEFAULT 2 3: 080481a8 0 SECTION LOCAL DEFAULT 3 4: 080481d0 0 SECTION LOCAL DEFAULT 4 5: 080481f0 0 SECTION LOCAL DEFAULT 5 6: 08048240 0 SECTION LOCAL DEFAULT 6 7: 0804828c 0 SECTION LOCAL DEFAULT 7 8: 08048298 0 SECTION LOCAL DEFAULT 8 9: 080482b8 0 SECTION LOCAL DEFAULT 9 10: 080482c0 0 SECTION LOCAL DEFAULT 10 11: 080482d8 0 SECTION LOCAL DEFAULT 11 12: 080482f0 0 SECTION LOCAL DEFAULT 12 13: 08048330 0 SECTION LOCAL DEFAULT 13 14: 080484cc 0 SECTION LOCAL DEFAULT 14 15: 080484e8 0 SECTION LOCAL DEFAULT 15 16: 08048500 0 SECTION LOCAL DEFAULT 16 17: 08048514 0 SECTION LOCAL DEFAULT 17 18: 08049f0c 0 SECTION LOCAL DEFAULT 18 19: 08049f14 0 SECTION LOCAL DEFAULT 19 20: 08049f1c 0 SECTION LOCAL DEFAULT 20 21: 08049f20 0 SECTION LOCAL DEFAULT 21 22: 08049ff0 0 SECTION LOCAL DEFAULT 22 23: 08049ff4 0 SECTION LOCAL DEFAULT 23 24: 0804a00c 0 SECTION LOCAL DEFAULT 24 25: 0804a014 0 SECTION LOCAL DEFAULT 25 26: 00000000 0 SECTION LOCAL DEFAULT 26 27: 00000000 0 FILE LOCAL DEFAULT ABS hello.c 28: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_end 29: 08049f20 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC 30: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 __init_array_start 31: 08049ff4 0 OBJECT LOCAL DEFAULT 23 _GLOBAL_OFFSET_TABLE_ 32: 08048490 5 FUNC GLOBAL DEFAULT 13 __libc_csu_fini 33: 08048495 0 FUNC GLOBAL HIDDEN 13 __i686.get_pc_thunk.bx 34: 0804a00c 0 NOTYPE WEAK DEFAULT 24 data_start 35: 00000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0 36: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS _edata 37: 080484cc 0 FUNC GLOBAL DEFAULT 14 _fini 38: 08049f18 0 OBJECT GLOBAL HIDDEN 19 __DTOR_END__ 39: 0804a00c 0 NOTYPE GLOBAL DEFAULT 24 __data_start 40: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 41: 0804a010 0 OBJECT GLOBAL HIDDEN 24 __dso_handle 42: 080484ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used 43: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_ 44: 08048430 90 FUNC GLOBAL DEFAULT 13 __libc_csu_init 45: 0804a01c 0 NOTYPE GLOBAL DEFAULT ABS _end 46: 08048330 0 FUNC GLOBAL DEFAULT 13 _start 47: 080484e8 4 OBJECT GLOBAL DEFAULT 15 _fp_hw 48: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS __bss_start 49: 08048404 29 FUNC GLOBAL DEFAULT 13 main 50: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses 51: 080482d8 0 FUNC GLOBAL DEFAULT 11 _init Histogram for bucket list length (total of 3 buckets): Length Number % of total Coverage 0 0 ( 0.0%) 1 2 ( 66.7%) 50.0% 2 1 ( 33.3%) 100.0% Histogram for `.gnu.hash' bucket list length (total of 2 buckets): Length Number % of total Coverage 0 1 ( 50.0%) 1 1 ( 50.0%) 100.0% Version symbols section '.gnu.version' contains 5 entries: Addr: 000000000804828c Offset: 0x00028c Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*) Version needs section '.gnu.version_r' contains 1 entries: Addr: 0x0000000008048298 Offset: 0x000298 Link: 6 (.dynstr) 000000: Version: 1 File: libc.so.6 Cnt: 1 0x0010: Name: GLIBC_2.0 Flags: none Version: 2 Notes at offset 0x00000188 with length 0x00000020: Owner Data size Description GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: 2.6.9 Conclusion We’ve now seen how a simple program written in C is converted into the assembly code, the object file and finally the executable file. While in the C code, the program didn’t have any sections, it had two sections in assembly dialect: the .rodata and .text. When we compiled it into an object file and finally into the executable, the file had more and more sections that are needed for the program to be executed successfully. Sursa: InfoSec Institute Resources – Hello World: C, Assembly, Object File and Executable

Forensic Artifact: Malware Analysis in Windows 8 Joseph Orekoya January 07, 2013 Windows is the most used operating system worldwide. I have met a lot of IT guys in my country and also other computer elites. My discovery was that 90 percent of them use Windows. I felt maybe that was just in my country, then I decided to contact some friends from UK, USA, India, and Pakistan, and they said the same about the wide use of Windows OS in their countries. However, the case was a bit different for that of the guy in the USA and I also noticed that a lot of my friends there use the MAC OS X. This doesn’t change the fact that Windows is still more used worldwide and because of this, hackers and intruders have had a lot more time to study Windows and create a lot of malware for it. The popular Windows OS has been tagged the most vulnerable OS. Now there is a new Windows OS. The question is: Is it vulnerable as well? This article focuses on the new version of Windows. Windows 8 was released on October 26, 2012. It was designed to work perfectly on a touch screen. The interface is so catchy!! As a computer lover, I follow a page on Facebook named “computer freaks.” Recently, this picture was posted, showing that in the timeline of the Microsoft Windows operating system they have always had a good OS, then a bad OS, and then a good one again. Kind of like an arithmetic progression with a common difference of one among the good Windows operating system. Because of this, I decided to do an analysis on this Windows 8 edition of Microsoft Windows to see what will really make it bad or “SHIT,” as the picture puts it. I began to do research on Windows 8 and I discovered that three patches have already been released for Microsoft’s new operating system. This reminds me of when Vista was released, there were so many patches that they just had to make a better version of Windows OS (Windows 7). I’ve used Windows 7 for a long time and I’ve also met some Windows 7 power users that can testify that it is a good one from Microsoft. However, I still think Windows XP stands a higher ranking when we focus on system stability. Speaking more fully of malware, one of Microsoft’s major objectives is to reduce the risk of their OS being infected by malware. As a result, several measures have been taken to reduce the chances of malware infection in Windows 8. Jason Garms of Microsoft has provided some tips on how to keep your PC free from malware in the link below: Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs Windows 8 has proven to be less vulnerable to malware, because the Windows Defender that comes with it is very active with good heuristics for detecting malwares. Even with all the new security, the common saying still remains true: there is no total security and therefore you cannot be totally secure from malware on Windows 8 but the risk of being affected by malware is just reduced. Windows 8 got better in a lot of ways to the point that their error page had a transformation. This doesn’t have to do with malware, but one thing I still don’t like about the Windows OS is the inability to retain commands on the console (command prompt) after the cmd is closed and reopened. For those who work more on the console, you can imagine using a lot of very long commands and then, simply because you mistakenly closed this console session, when you open another, all those commands are gone and you need to retype them. This is unlike the terminal (console) in Linux. I read and heard from different sources that Windows 8 was secure but I am a big time skeptic, so I had to prove it to myself. To be sure of the fact that Windows 8 is not so vulnerable to malware, I had to start by creating a proRAT Trojan server with my Windows 7 machine and then I sent it to my Windows 8. I have tried this Trojan several times and I’m no novice with it. I used it often in the days when I loved threatening schoolmates in the network, and I still have a good handle on it. As soon as I sent the server file to the Windows 8 OS with an external drive, Windows Defender deleted it. This was really amazing. I don’t have any third-party AV installed and my computer could react that way with malware. I had even seen some Windows 7 OS with third-party AVs that will not detect the server file due to poor heuristics. However, one third-party AV you can rely on to some extent is Norton with its bloodhound heuristics. The image below is what I got when I put my Trojan server on Windows 8: The image below contains the hexadecimal of the Trojan server that was used Windows 8 is indisputably the most secure Microsoft Windows, but we cannot still match its malware detection with MAC OS X. I realized that the Windows 8 defender that protects us from malware is the popular Microsoft Security Essentials. It’s good the way they saved us the cost of buying Microsoft Security Essentials separately. There are interesting testimonies everywhere about Windows 8 and its safe usage and security but this doesn’t make it impeccable. Although I’ve not personally found any faults in Windows 8, from my research I discovered that the new Windows version that was released already had its first security patch on November 13, 2012, which was just a few weeks after it was released. Also, not that I’m very sure about this, but I came across an article that said the Bitdefender company had tested some malware on Windows 8 and one piece of malware had its way with Windows 8. This particular malware is capable of creating backdoors that allow hackers to remotely control the computer of the host and also to steal gaming credentials and a lot more. However, the company used malware collected over the last six months, which is not ideal, because the test sample won’t include every threat and also because every antivirus product misses some software nastiness, giving a greater chance to the attacker. Bitdefender also tested the malware by fetching a copy of the malicious code from an internal FTP server and executing it to see how far the malware progresses–as opposed to visiting a booby-trapped web page that attempts to compromise the PC, which is a more common method of infection. In theory, there should be little difference, but this methodology bypasses Windows Defender’s SmartScreen, which filters out phishing attacks and malware downloads when using Internet Explorer. Well, this is not an issue to make you reconsider using Windows 8, because a lot of antivirus vendors are just trying to find a fault in the Windows Defender (built-in Microsoft Security Essentials) in order to provide a chance for their own AVs. Another test I tried is the backdoor. I installed WAMP server in Windows 8 on my VMware and I tried to upload a backdoor shell onto it from my host operating system. I kept trying this but to no avail. Then I tried to manually drop the shell into the guest Windows 8 OS server directory. It turned out while cleaning up the file that I received a message notifying me that malware was detected and could not be accessed. I know c99, c100, GNY, and r57 shells are very well-known and restricted by a lot of anti-malware programs. Because of this, I tried to use a WSO shell, but it was still functionless. Left to me, I will say that Windows 8 is like a means to put an end to a hacker’s invasion on web servers. Probably, if most webservers on Linux OS are moved to Windows 8, the hackers would have a lesser chance to upload backdoor shells to damage our web contents. Since some of the antivirus companies have predicted future security shortcomings on the secure Windows 8, we also have to be prepared to keep our PCs protected. I will start by providing you with good software for analyzing Windows executable files. With this software, you can check to see if there is anything attached with an executable application you want to run on your computer. It is called PEid, which identifies “portable executables.” Download with the MediaFire link: PEiD-0.95-20081103.zip If it happens an attacker successfully finds way to drop his malware on your PC, you can also remove it manually from your computer, but you must be very careful because there are some malwares with anti-tracing features that can make your OS crash the moment you detect them. So to find them, you will go to your registry and follow the given registry keys to check for these malwares: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrenVersion\RunServicesOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\VMM32Files HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD The reason for locating the malware yourself is because of polymorphic malwares. These are malwares that make it impossible for antivirus and firewalls to detect them. Some of the malwares can make themselves run at your system startup by replicating themselves to the following: Config.sys (a system32 folder) Autoexec.bat (rootdrive) System.ini (Windows folder) Before using the registry keys to locate the files, you may consider disconnecting yourself from the network where it’s likely an attacker is using the malware to attack you. After locating any suspicious file in the registry keys, you can double-click the file to find its path, as the image below shows: As a regular Windows user, you should know we can’t delete files that are working in the background, so we need to check for this file in the task manager processes and stop it. That’s not malicious software, but it’s the exact file I examined in the registry. If it were malicious, I would just click the “End Process” button to put an end to its work. Now you can go back to the directory you were given by the registry and delete the file. After this, you will need to restart your PC if you know the malicious software has not caused much damage to your computer. If it has eaten some of your system files up, you may need to upgrade your Windows OS by using an installation CD to go through the installation process again. This way your files remain intact in a folder, “WindowsOld,” in your C: directory. I have given a link to download the PEid. Now I will show you a little way to make use of this software in examining your executable files. When you unpack the rar file I gave in the link, you will see an interface like the one below: Do not mind the Windows Explorer look of my own software, it’s just a skinpack. On your PC, the three blue dots should be minimize, maximize, and close button. To check details about a particular exe file, you can select the file in the first option of the PEid GUI. Now to check the active processes that may include the malware, you can click “Task Viewer,” which gives you a result like the task manager does. When you select any task, it will show every file attached to the process and working with it. PEid is a really good solution for malware detection. Windows 8 Defender uses the colors green, yellow, and red to show its security level. To make your Windows 8 more secure from malwares, I will advise that you should update Windows Defender as often as possible, as you would any third-party antivirus if you really want to stay secure. Sometimes malware will be placed in software that you already have on your PC. For instance, suppose you downloaded a game that was functioning properly before it started malfunctioning. It is advisable to do an md5 checksum on downloaded files so when it gets suspicious, you can do a checksum again to compare with the previous test and then you will be able to say if it has been tampered with. You can download software for checking your md5 on Windows here: NetTools4.5.74 - Download - 4shared - Joseph Orekoya References Windows 8 already getting security patches | PCWorld Protecting you from malware - Building Windows 8 - Site Home - MSDN Blogs AnandTech - Windows 8 Malware Protection Detailed Windows Defender and Windows SmartScreen fight viruses and other malware - Microsoft Windows Windows 8 'harder for malware to exploit', says security analysis • The Register http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Sursa: InfoSec Institute Resources – Forensic Artifact: Malware Analysis in Windows 8

Owasp Http Post Dos Apache Webserver Attack Description: This Tutorials shows, how you can easily take out an Apache Webserver with one HTTP POST Tool using a std. slow DSL Connection. This is NO Slowloris Attack! Limitations of HTTP GET DDOS attack: - Does not work on IIS web servers or web servers with timeout limits for HTTP headers. - Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. - Anti-DDOS systems may use "delayed binding"/"TCP Splicing" to defend against HTTP GET attacks. Why HTTP POST DDOS attack works - This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. - Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. - Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. - Difficult to differentiate from legit connections which are slow Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Owasp Http Post Dos Apache Webserver Attack

Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo Description: Author: ======= Mzer0 : 4 X Security Team | Just another WordPress site https://twitter.com/4xsecurityteam Tested on Windows XP SP3 With IE 8 -------------------------------------------------------- Description: ---------------- This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting ainly China/Taiwan/and US-based computers Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Microsoft Internet Explorer Cbutton Object Use-After-Free Vulnerability - Metasploit Demo

Blended Threats And Javascript: A Plan For Permanent Network Compromise Description: This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "github.com/superevr/ddwrt-install-tool". During Black Hat 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary. This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and complete every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise. ***** Speaker: Phil Perviance, Application Security Consultant, AppSec Consulting, Inc. Phil Purviance is an Application Security Consultant for AppSec Consulting where he researches application security vulnerabilities and performs penetration testing. Phil's body of work includes the discovery and proof-of-concept exploitations of critical security vulnerabilities, design flaws, and system weaknesses in hundreds of custom web sites and web application frameworks. Phil also consults with clients and recommends helpful countermeasures that are useful to mitigate serious security vulnerabilities. Phil's recent exploit talks include the security of HTML5, and the revealing of cross-site scripting vulnerabilities in Skype for iOS. When asked, "Why do you look for bugs in popular websites," he answers, "Because it's fun!" Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Blended Threats and JavaScript: A Plan for Permanent Network Compromise - Phil Perviance on Vimeo Sursa: Blended Threats And Javascript: A Plan For Permanent Network Compromise

Securing The Ssl Channel Against Man-In-The-Middle Attacks Description: Abstract In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services. The presented technologies are cutting edge and although the specification is not final yet, they are in their final stages and currently in roll-out and ready to be used. Other models that compete or complement this approach shall also be discussed (DNSSEC, etc. ). ***** Speaker: Tobias Gondrom, Managing Director, Thames Stanley: Information Security and Risk Management Advisory Passionate about: OWASP, Application Security (yeah!), CISO training, information security & risk management in global organisations, IETF, info sec research (!), ... Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in America, EMEA and APAC. As the Global Head of the Security Team at Open Text (2005-2007) and from 2000-2004 as the lead of the Security Task Force at IXOS Software AG, he was responsible for security, risk and incident management and introduced and implemented a secure SDLC used globally by development departments in the US, Canada, UK and Germany. Since 2003 he is the chair of working groups of the IETF (ietf.org) in the security area, member of the IETF security directorate, and since 2010 chair of the formed web security WG at the IETF, and a former chapter lead of the German OWASP chapter from 2007 to 2008, and currently board member of OWASP London and member of the OWASP Global Industry Committee. Tobias is the author of the international standards RFC 4998 and RFC 6283 (Evidence Record Syntax) and co-author and contributor to a number of internet standards and papers on security and electronic signatures, as well as the co-author of the book „Secure Electronic Archiving“ (ISBN 3-87081-427-6), and frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, Moderner Staat, VOI-booklet “Electronic Signature“, iX). Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Securing the SSL channel against man-in-the-middle attacks - Tobias Gondrom on Vimeo Sursa: Securing The Ssl Channel Against Man-In-The-Middle Attacks