Unpacking General Lame Packers

Here we go, another tutorial about unpacking general lame packers.

Hope you enjoy.

If you are interested, you can download the full tutorial from the following link:

http://rapidshare.com/files/162093080/New.rar.html

good luck and have fun

another talk about MS08-067

hi again

I'm sure you know about this critical / wormable vulnerability. Immediately after the vulnerability was released, the Win32.Gimmiv worm was released too. This worm uses this vulnerability and, after its first execution, runs as a Windows service. But I'm sure this is not the last worm based on this vulnerability.

This vulnerability specifically exists in the Server Service's Remote Procedure Call (RPC) handling, where an attacker could trigger a stack-based buffer overflow by sending a request to a vulnerable function, “NetPathCanonicalize()”. In this way an attacker may escalate privileges, using the named pipe “\\pipe\srvsvc” to access other machines over the network via the pipe’s file sharing service.

Exploiting this vulnerability on Windows 2000 and XP SP1, SP2 and SP3 is really fun: just an RPC request based on 4b324fc8-1670-01d3-1278-5a47bf6ee188 to get reliable EIP control and code execution. On Windows XP SP1 and 2000, and of course Windows XP SP2 and SP3 with no DEP, you need just a jmp or call through the esi or edi register for code execution.

And about Windows XP SP2 and SP3 with DEP:

You can use the address of the NtSetInformationProcess call in ACGENRAL.DLL to disable DEP. Of course you need a scratch area (a read/write static memory location), and you can find that in ACGENRAL.DLL too.

HD Moore, an independent security researcher, used this method for executing shellcode. On Windows XP SP3 you can use this method too (using the per-process disable in ACGENRAL.DLL), of course with a different address for the call to NtSetInformationProcess().

from hdm :

The actual function we use to disable NX looks like this:

push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:__imp__NtSetInformationProcess@16

I wrote my own reliable exploit, and maybe in the future I will publish it for all.

And about the Gimmiv worm:

Full discussion:

http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx

The executable “WinbaseInst.exe” is the worm component. You can see the worm's service after executing the binary in the following picture:

You can be sure this worm uses this vulnerability from the UUID found in basesvc.dll in %SystemRoot%\system32\wbem.
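Searching a file or a capture for that UUID takes more than a text search, because DCE/RPC stores the first three UUID fields little-endian on the wire. The following is an added example, not code from this post or from the worm analysis; the function names and the sample buffer are constructed for illustration.

```javascript
// Added example (Node.js): locate the srvsvc interface UUID in a byte buffer.
const SRVSVC_UUID = '4b324fc8-1670-01d3-1278-5a47bf6ee188'; // value from the post

// DCE/RPC writes the first three UUID fields little-endian; the last
// eight bytes stay in the order in which they are printed.
function uuidToWireBytes(uuid) {
  const m = /^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$/i.exec(uuid);
  if (!m) throw new Error('not a UUID: ' + uuid);
  const le = (hex) => Buffer.from(hex, 'hex').reverse();
  return Buffer.concat([le(m[1]), le(m[2]), le(m[3]), Buffer.from(m[4] + m[5], 'hex')]);
}

// Return every offset and encoding at which the UUID occurs in `data`.
// Text forms are matched in lower case only.
function findUuid(data, uuid) {
  const patterns = {
    wire: uuidToWireBytes(uuid),
    ascii: Buffer.from(uuid.toLowerCase(), 'latin1'),
    utf16le: Buffer.from(uuid.toLowerCase(), 'utf16le'),
  };
  const hits = [];
  for (const [encoding, needle] of Object.entries(patterns)) {
    for (let at = data.indexOf(needle); at !== -1; at = data.indexOf(needle, at + 1)) {
      hits.push({ encoding, offset: at });
    }
  }
  return hits.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: padding, the wire form, padding, then a UTF-16 string.
const SAMPLE = Buffer.concat([
  Buffer.alloc(4),
  uuidToWireBytes(SRVSVC_UUID),
  Buffer.alloc(3),
  Buffer.from(SRVSVC_UUID, 'utf16le'),
]);

console.log(uuidToWireBytes(SRVSVC_UUID).toString('hex'));
console.log(findUuid(SAMPLE, SRVSVC_UUID));
```

A hit only shows that the bytes refer to the Server Service interface; legitimate SMB clients bind to the same interface, so treat it as a triage lead.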

After the worm has scanned for and found a vulnerable system using 4b324fc8-1670-01d3-1278-5a47bf6ee188, it runs download-and-execute shellcode, as in the following picture:

This worm uses random numbers and random servers for downloading files. I'm sure this worm has different compiled versions (for leaked servers and AVs). Maybe in another post I will discuss this worm completely.

You can read the full post about reversing the MS08-067 patch here:

http://www.dontstuffbeansupyournose.com

The next post will be patch analysis part 1.

For now, test your skills by writing your own worm with this vulnerability.

Best regards and have nice hacking.

Iranian National Code Algorithm

Hello again.

I think this post will be interesting for Iranian people. This theme is completely ripped from my friend Soroush Dalili's weblog. Finally, don't forget that this post and algorithm are published for educational purposes only, so the author is not held responsible if they are used for any purpose other than the one stated above.

Melli card & code

Each person in Iran has a national code, which is called “Code Melli”. Its algorithm is very similar to the ISBN algorithm.

The rules are:

1- This number has 10 digits, like: C[1] C[2] C[3] C[4] C[5] C[6] C[7] C[8] C[9] C[10]

2- The 3 leftmost digits must not be equal to 000 (C[1]C[2]C[3] != 000)

3- C[10] is a control digit (like the ISBN algorithm)

The formula to determine C[10] is:

Let A = (C[1]*10) + (C[2]*9) + (C[3]*8) + (C[4]*7) + (C[5]*6) + (C[6]*5) + (C[7]*4) + (C[8]*3) + (C[9]*2)

Let B = A MOD 11

If B == 0 Then C[10] = B Else C[10] = 11 - B

This JavaScript function is useful for validation:

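// ----- Start of Iranian national code checker function (True-False) -----
// Written by Soroush Dalili - October 2008
function IsIRNationalCode(theNum)
{
    // Accept only a string of exactly 10 ASCII digits. Without this test,
    // non-numeric input makes `check` NaN, and NaN % 11 is falsy, so the
    // function would return true for input such as "abcdefghij".
    if (typeof theNum !== 'string' || !/^[0-9]{10}$/.test(theNum))
    {
        return false;
    }
    if (theNum.substr(0, 3) == '000') return false;
    var check = 0;
    for (var i = 0; i < 10; i++)
    {
        var num = theNum.substr(i, 1);
        check += num * (10 - i);   // weights 10..1, control digit included
    }
    // Valid only when the weighted sum is a multiple of 11.
    return check % 11 === 0;
}
// ----- End of Iranian national code checker function (True-False) -----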

good luck and have fun

internet explorer 8 XSS filter bypassing

IE8 is Microsoft's new browser, with complete CSS 2.1 support, HTML5 support, built-in development tools and so on. IE8 also improves browser security considerably: its built-in XSS Filter, which cannot be uninstalled, gives relatively good protection against non-persistent cross-site scripting attacks. However, while testing IE8, 80sec found a vulnerability in the XSS Filter, with the result that some Eastern-language versions simply cannot stop XSS delivered in the URL. For example, in the Persian version, some simple data is enough to bypass IE8's filter policy.

Vulnerability analysis: the IE8 XSS Filter does its filtering in the system's built-in encoding. In the Persian version this will be gb2312, and in some other Eastern countries the corresponding wide-byte encoding. A submitted sequence that is not a valid encoding, such as %c1<, is treated by IE8 as one normal Eastern character during the filter's keyword matching. The page being displayed, however, may declare UTF-8 encoding, as in the example that follows. When the page is parsed, %c1< is not a valid UTF-8 encoding, so it is treated as two characters, and the < bypasses the check. This inconsistency is what creates the vulnerability.

Demonstration: assume that there is a web script:


<?php
header("Content-Type: text/html; charset=utf-8");
// The parameter is echoed without any escaping; this is the behaviour under test.
echo $_GET['c'];
?>

On an Eastern-language IE8 system, a conventional XSS attempt such as:

.php?c=<script>alert()</script>

will be stopped by the IE8 security policy, but if the
The code can bypass the IE8 XSS filter and execute.

Vulnerability state: this vulnerability has been reported to Microsoft (by a Chinese hacker) and is awaiting a response.
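A server-side defence for the script above, as an added example that is not part of the original advisory: reject query bytes that are not well-formed UTF-8 and HTML-escape whatever is echoed, so the page never depends on the browser filter and the server agreeing about encodings. Function names and sample inputs are constructed, and JavaScript (Node.js) is used here in place of the PHP shown above.

```javascript
// Added example (Node.js). Names and inputs are constructed for illustration.

// Turn the raw (still percent-encoded) query value into the bytes it denotes.
function percentDecodeToBytes(raw) {
  const out = [];
  for (let i = 0; i < raw.length; i++) {
    const hex = raw.slice(i + 1, i + 3);
    if (raw[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else if (raw.charCodeAt(i) < 0x80) {
      out.push(raw.charCodeAt(i));
    } else {
      throw new RangeError('raw query value must be ASCII');
    }
  }
  return Uint8Array.from(out);
}

// What a lenient UTF-8 consumer makes of the bytes: an invalid lead byte
// becomes U+FFFD and the byte after it is read as a character of its own.
function lenientDecode(raw) {
  return new TextDecoder('utf-8').decode(percentDecodeToBytes(raw));
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Returns escaped text that is safe to echo into a UTF-8 page, or null when
// the input is not well-formed UTF-8 and the request should be rejected.
function safeEcho(raw) {
  let text;
  try {
    text = new TextDecoder('utf-8', { fatal: true }).decode(percentDecodeToBytes(raw));
  } catch (err) {
    return null; // 0xC1 can never begin a valid UTF-8 sequence
  }
  return escapeHtml(text);
}

console.log(JSON.stringify(lenientDecode('%c1<b>')));
console.log(safeEcho('%c1<b>'));
console.log(safeEcho('<b>%e2%82%ac</b>'));
```

Escaping on output is what removes the dependency on the browser filter; the strict decode additionally rejects byte sequences that two parsers could read differently.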

another start

Here is another info-sec blog by some security researchers. We are really busy these days in our small labs, but we hope to have efficient results and to update this blog with some interesting content. We are trying to update this blog every day, and finally, we accept all of your discretion and comments.

labs
