A feature which very common among malwares that is "Self-Deletion". Malware authors uses various techniques to delete it self after successful infection. Very famous malware Flame had a built-in feature called "SUICIDE" that can be used to uninstall the malware from infected computers.
Please remember this information is for Educational Purpose only and should not be used for malicious purpose.I will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this article.
Last night I wrote a very simple program that deletes it self without making any new copy of itself or creating any new process.
It actually injects some raw machine code (ShellCode) to any legitimate process and creates a new thread under that process. So when the injected ShellCode execute it deletes the main executable.
So here how it injects code to another process in this case it injects to explorer.exe. Its very common and usual technique to inject arbitrary code into any other process's address space.
So when you execute the compiled binary,
1) It first resolves the PID of explorer.exe. We know that explorer.exe is a process which will always be present in any windows system. 2) After getting the PID it gets the Handle to explorer.exe by using OpenProcess() API. 3) After that it allocates some memory on the remote process's (explorer.exe) address space for our ShellCode using VirtualAlloc() API. 4) After successful allocation it uses WriteProcessMemory() to write the shellcode into remote process. 5) Then it creates a new thread,which will then create a thread and execute the injected shellcode.
Few things about injected shellcode:
I have written the ShellCode in such way that the executable file path (file to be deleted) can just be appended with ShellCode.
Sot the main executable actually writes the [Shellcode]+[Full path of itself] to explorer.exe
The ShellCode present in this below example is HardCoded so it should only work on WinXP SP2 system.
When our main executable transfer the control to our shellcode it waits for 5 seconds (Usign Sleep!Kernel32.dll )and then delete the main executable using DeleteFile!Kernel32.dll.
When we first power on a PC, it usually does not have an operating system in ROM or RAM. BIOS is the first prog. that runs at start-up. BIOS is actually the firmware in ROM. The actual job of BIOS is to load the first sector of available boot-able disc and execute it. This is The only thing BIOS knows. So the small program situated in the first sector of the boot-able disc is known as a bootstrap loader, bootstrap or boot loader. This small program's job is to load other data and programs which are then executed from RAM.
This boot sector program is directly loaded by the BIOS at boot time. It is only 512 bytes in size.This sector of a hard disk is also known as Master Boot Record. This code is get loaded at 7C00. The last two bytes of the sector are checked for the values 0x55 and 0xAA while loading this in memory. If these are OK, the BIOS jumps to the address 7C00.
Generally this Master Boot Code can do following things:
It can load another boot sector.
It can load a second stage boot loader
It can load the kernel directly.
So it was all about boot primary booting.Another thing,which is very important to understand,that is BIOS interrupts.
"BIOS interrupt calls are a facility that DOS programs and some other software, such as boot loaders, use to invoke the facilities of the Basic Input/Output System.Boot loaders rely on them, most operating systems do not (the Linux kernel does not use BIOS interrupts once it has been started). MSDOS does use BIOS interrupts.The boot loader has access to BIOS interrupts, which are subroutines that can be invoked by the INT instruction (software interrupts)."..wiki
In this example we will only use "INT 0x10".
It is recommended to use virtual machine and virtual floppy/disc image for this work.
So Lets get started,
So first we we need to create an empty floppy disc image.
fallocate -l 1474560 image.vfd
This will create an empty floppy image called "image.vfd"After that we need to attach this image to our virtual machine.
So now let's have look at the code. Generally all boot sector programs,(e.g. GRUB), are written in assembly. So here is a very basic code Boot Code that will only prints a line on Monitor while booting.
We have to compile this code using nasm:
nasm bootloader.asm -f bin -o bootloader.bin
After successful compilation we will get the binary and we need to write this to the first sector of the booatble disc so that the BIOS can load and execute it. In this case we will write it into our virtual floppy image we have created earlier. This can be done is this way
dd if=bootloader.bin bs=512 of=/dev/fd0
After writing this code to your disc just reboot your virtual system attaching the bootable disc,it will print "Hi!I am Debasish and this is my first Bootloader! :) :) :)" and halt.
Reference :
http://en.wikipedia.org/wiki/Booting
http://technet.microsoft.com/en-us/library/cc976786.aspx
http://static.duartes.org/img/blogPosts/masterBootRecord.png
http://lennartb.home.xs4all.nl/bootloaders/node3.html
http://en.wikipedia.org/wiki/BIOS_interrupt_call#Invoking an interrupt
Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard.Malwares often use dll injection technique to do malicious activity on a system. Few days back to demonstrate the process of how malwares can inject malicious dll to an existing process to do malicious activity on a system,I have coded a very simple dll which simply logs keystrokes after getting injected into a remote process. Here I am sharing the simplest part.
Please remember this information is for Educational Purpose only and should not be used for malicious purpose.I will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this article.
Generally a keylogger for Win32 platform uses the SetWindowsHookEx API. Here I will also use the same technique to log keystrokes.
The Dll Code is written in C:
After successful injection to any arbitrarily chosen remote process the dll will log all keystrokes to "log.txt" file in the same directory.
Generally I use this python script to quickly inject any dlls to any process. I have added few line in this script for current purpose. Now this script will inject dll to target process and execute the function called "startlog()" which resides in the newly injected dll to start key logging. This script uses python ctype library. So make sure you have it installed with your python installation to make this script work.
Hello all in this post I am gonna share one of my experiment with shellcodes with you guys. So, before we begin I wanna warn you guys about one thing that the shellcode I have used in this example is a reverse_tcp shell code. So I will suggest you to use some harmless shell code like WinExec CALC while doing such experiment.
So I started with generating a raw binary of metasploit's windows/shell_reverse_tcp payload. After generating the raw binary I ran a quick anti virus scan of that binary using VirusTotal.com. Here is the output of virustotal.com.
31/42. 31 out of 42 anti viruses detected that binary.As usual result was not so much shocking for me.
So I decided to play with that and trying to reduce the detection rate. To do that I generated the raw shellcode from metasploit with single itaration of default encoder shikata_ga_nai. Here is the generated shell code from metasploit.
Obviously I took the encoded one which is null free shellcode. So after that I quickly wrote a XOR encrypt-er in C and encrypted the generated shellcode with a random key. Here is the code of the encrypter.
C code to Encrypt ShellCode using XOR:
So compiling and running the code gave me one XOR encrypted ShellCode.
So from output I removed the extra bytes and extracted the encrypted shellcode.
Upto this its quite easy enough. But actual challenge is running the shellcode on target properly. So to do that we can do following things on run time of the binary.
Decrypt the encrypted shellcode with the key used to encrypt the shellcode.
Allocate a enough space on virtual memory for the decrypted shell code using VirtualAlloc()
Copy decrypted shellcode to the allocated memory using RtlMoveMemory()
Execute the certain region using CreateThread()
So I did exactly the same.
Here is the C code to Decrypt the shellcode and execute it on run time .
So after compiling the code before running I did a quick run time analysis of compiled binary using OllyDBG. Here is few screen shots taken at run time analysis of that binary.
And after that you know what the interesting part is?? Again I ran a quick scan of that new binary using VirusTotal. The detection rate was reduced from 31/42 to 7/42!!!!!
Thank you for reading. Feel free to leave comments for any confusion or question.
-----------------------------------------------------------------------------------------------------------------------------
Hacking email account is probably something which intrigues all of us. Phishing is an example of social engineering techniques used to take advantage of human ignorance. It allows unscrupulous people to exploit the weaknesses in web security technology.Here we will discuss about an advanced way which can be used to perform an advanced automated phishing attack.
Attack Strategy:
As cyber awareness is increasing day by day,number of failed phishing attempts is also increasing. Most of the Internet users goes through few check before entering critical information like user name password in an web form.This approach is a kind of an indirect phishing attack.Here instead of asking victims directly their user name and password attacker will put some challenges to victim which Google or any other email service provider gives us while trying to reset the password of his/her Email account. When victim solve those challenges we will take the solution of those challenges from victim and submit it to actual server and successfully reset password in an automated manner. These challenges can be related to answering security questions or SMS based password reset.
Attack Strategy at a Glance:
Setup:
Here our main intention is to abuse the same password reset functionality of various email service providers in a smarter and automated manner.We will use selenium and its Python WebDriver api to automate this entire process.Selenium is a software testing framework for web applications. Selenium can automate browser locally or remotely. http://seleniumhq.org/.) We will write a custom selenium web server in python and a dynamic fake survey form in PHP. The fake survey form will communicate with selenium web server using its custom APIs in back end(using PHP curl or something similar thing).
Execution:
Step 1: Start the custom Selenium Server
First we will start our custom selenium web server and host the fake survey form to any hosting service provider supporting PHP and PHP Curl. And we will send the link of that fake survey from to victim.
After the server is started this custom selenium web server will be always monitoring the victim’s activity. When victim visits the fake survey form its will inform the selenium web server through PHP curl that victim has opened the page.
Step 2: Send the custom form to the target
Create a fake registration form of anything you like form which will ask the user for the email id. You can create a new interesting free coupon for restaurants, free download etc. When the victim user will enter his/her email id our the custom web server will try to recover the password of that entered email id received from fake survey from using selenium webdriver api automatically. As selenium is quite fast it will take maximum 5 to 6 seconds.
Step 3: Automatically initiate the recovery password reset process
Almost all well known web mail providers (e.g. Google Yahoo etc.)uses some anti automation techniques (Captcha)in these type of critical steps. And those captchas are not very easy to crack by human being also so trying to crack those with available OCR engines will be waste of time.So human effort is must to break those captcha. How? We have a trick for that also.
Step 4: Send back the captcha/secret question/any challenge to the user to break
After detecting an anti automation on page, our selenium web server will extract the captcha from password recovery form and ask the victim to solve the same captcha.When the victim will solve the captcha it will take that answer and submit the actual captcha form.BINGO!
When captcha is cracked it will face the first security question(if its available), then it will extract the first security question from actual password recovery form and add the question in the survey from with other fake questions to make the survey form bit more realistic.
Step 5: Send the user response to Gmail and reset the password
When the victim will answer that question it will instantly take that answer and submit it in actual password recovery from.We expect that the victim will answer the security questions correctly.
After that when it will face the second security question and it will treat this in the same manner. When its done upto this level it will change the account password to our desired one automatically.
Abusing SMS/Email Based Password Recovery system using the same technique:
SMS/Email Based Password Recovery system can also be abused using the same technique. If we consider gmail then it will be like when out custom selenium web server will detect that there is not option from Security question in password recovery from of target email account it will go for SMS based password recovery option. Generally google’s web application discloses the the last two digits of given phone number and it will send the SMS to that phone. Our custom selenium web server will also do the same. It will directly extract the last two digit from recovery form and send it to victim. The phishing from is designed is such a way that it will say something like this
“Hey you have to go through a verification process to download this software package. Please enter your mobile no.We will send a verification code through Google to that number”.
Luckily Google sends the password recover code through SMS very poorly. It will just send a sms like
“Your Google Verification Code is :123456”.
Within a second after entering the mobile number our selenium web server will submit the mobile number and the victim will receive the password reset code from Google. As currently no indication is present in that SMS sent by Google that its a very critical code not like other verification code, so its very obvious for a general Internet user to trust the application and share the password reset code.
In the next step it will ask for the received code and after getting the code our selenium server will do the rest part which is changing the password.
Video Demo:
Conclusion:
As password recovery sections are very critical, service providers maintain very strict session information in these areas. Automatically passing these sections is very tough by sending http requests using any scripting languages. If some thing goes wrong it will entirely destroy the session so chances of attack getting failed is very high.If we consider gmail the application is very much dynamic so parsing java scripts from http response and getting required values is very much difficult.
A Very Basic Custom Selenium Web Server Code Used in this Demo:
From title you might think that its a useless piece of code.But let me tell you its not.I dint write this to timepass.A a pretty much good automated SQLi tool called Havij(Hope you guys are already familiar with) forced me to write this. Not exactly but its a kind of an external plugin for the tool Havij(Free Version).
Havij is an automated SQL Injection tool.No doubt its a great tool for doing automated SQL injection.But one problem with this tool is its not fully free! :( The free version also has many great features but one problem I have faced while using this free version that is,it does not allows users to scan/run database enumeration on sites which uses SSL (https://) :( So to overcome this limitation I have decided to write a proxy for it. But this proxy is not like most common http proxies. This proxy can be used to scan a ssl enabled site using Free Version of Havij. Suppose you wanna try SQLi on "https://www.target.com/search.php?name=debasish" using Havij.So when you try to fire a scan using Havij you get an error like "Havij Free does not allow https://".blah blah ....
So to overcome this limitation what you have to do is : 1. Configure your Havij Free to use a http proxy 127.0.0.1:8080 while scanning. 2. Run this python script.(It will start a proxy server on port 127.0.0.1:8080) 3. In the target field of Havij instead of entering "https://www.target.com.search.php?name=debasish" you need to add "http://www.target.com/search.php?name=debasish".So when you start scanning through havij the proxy script will do following: 3.1. Take plain http request(SQLi request) from Havij.2 3.2. Create a SSL connection to target.3 3.3. Forward the same request received from Havij to target server. 3.4. After receiving the response from server through secure shell it will feed the response to Havij.
This proxy is not suitable for web browsing. You will face some problems. Normal request/response generally used for SQLi it can handle. But one bad thing about this script is,it will make the speed of you SQLi process bit slower. It has the ability to handle gzip compressed response. So here is the code: Enjoy SQLi on SSL sites using Havij Free!I dint test it much, so let me know if it is not working properly.
QuteCom is a cross platform soft phone.QuteCom v2.2.1 suffers from a heap-based buffer-overflow vulnerability.Successful exploitation may allows execution of arbitrary code, but requires tricking a user into dialing a long phone number from vulnerable phone.Failed attacks will cause a denial-of-service condition.This bug in Qutecom v2.2.1 is caused due to a boundary error in the processing of too long phone number.This heap buffer overflow bug can be triggered by dialing a more than 5000 character phone number or character set form the soft phone. Also available at http://www.exploit-db.com/exploits/19328/
Qutecom Version 2.2.1 Heap Overflow DoS/Crash Proof of Concept Summary: QuteCom (previously called WengoPhone) is a free software SIP compliant VoIP client developed by the QuteCom (previously OpenWengo) community under the GNU General Public License (GPL). It allows users to speak to other users of SIP compliant VoIP software at no cost. (Source :http://en.wikipedia.org/wiki/QuteCom)
This bug in Qutecom v2.2.1 is caused due to a boundary error in the processing of too long phone number.This heap buffer overflow bug can be triggered by dialing a more than 5000 character phone number or character set form the soft phone. To trigger this bug the application must be connected to a VOIP/SIP server.An Asterisk-based PBX Phone System "TrixBox" was used to test this Crash.
Tested on: Tested with latest stable release http://trac.qutecom.org/downloads/QuteCom-2.2.1-setup-release.exe on Microsoft Windows XP Professional SP2 EN (32bit) An Asterisk-based PBX Phone System "TrixBox" was used as SIP server. WinDBG Output After Feeding 5000 'A's into the application:
This is a potentially exploitable condition.In this case, flink is EAX and blink is EDI. Under XP sp0-1 a basic UEF function overwrite is enough to take control.
0:000> r
eax=41414141 ebx=02d70000 ecx=0860efc0 edx=02d70178 esi=0860efb8 edi=41414141
eip=7c9111de esp=0111d42c ebp=0111d64c iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000216
ntdll!RtlAllocateHeap+0x567:7c9111de8b10 mov edx,dword ptr [eax] ds:0023:41414141=????????0:000> d esi
0860efb84141414141414141-4141414141414141 AAAAAAAAAAAAAAAA
0860efc84141414141414141-4141414141414141 AAAAAAAAAAAAAAAA
0860efd84141414141414141-4141414141414141 AAAAAAAAAAAAAAAA
0860efe84141414141414141-4141414141414141 AAAAAAAAAAAAAAAA
0860eff84141414141414141-???????????????? AAAAAAAA????????0:000> u 7c9111de
ntdll!RtlAllocateHeap+0x567:7c9111de8b10 mov edx,dword ptr [eax]7c9111e03b5704 cmp edx,dword ptr [edi+4]7c9111e30f858c310200 jne ntdll!RtlAllocateHeap+0x579(7c934375)7c9111e93bd1 cmp edx,ecx
7c9111eb0f8584310200 jne ntdll!RtlAllocateHeap+0x579(7c934375)7c9111f18938 mov dword ptr [eax],edi
7c9111f3894704 mov dword ptr [edi+4],eax
7c9111f63bf8 cmp edi,eax
Vedor Report:
I have sent several notifications to qutecom on this bug in this application but I havn't got any response.
Bug Ticket :http://qutecom.org/ticket/399
mail to : qutecom-dev@lists.qutecom.org