9 Mar 2013

AoE - Started & recent coding projects

Dear readers,

I have begun on reading The Art of Exploitation, and I love reading every bit, while doing something pratical, as in follow in the book, and complete the exploits my self on the distro I have gotten from the book I bought.

I already love this book :) - and by that I mean, every page!
I wonder why I didn't start reading this earlier on.. but anyways, I will complete this book and will post some useful information regarding exploit development.

A little example of my first program I did examine memory in x86 architecture in my Linux Distro.
Simple program that looks up from the ASCII chart and prints to the screen "Hello".


Now back to reading! - although I got my 2'th semestre examination, I hope to still be able to follow through the process.


Lately I did complete coding a Recycling system, and now finished my job with making a simple bouncing ball game!






And the ball bouncing game as follows:



That's enough information for now.
I hope to make a new post soon enough with my new acknowledgement in exploit development! =)

5 Mar 2013

Next book upcoming! - The Art of Exploitation 2nd edition

Dear Readers,


If you have been followed my postings so far, I have been posted within my expertise from the book I did read - Gret hat Hacking 3ed. I will might do a review on it soon...




4 Mar 2013

AccessChk - Win Escalate privileges






Cesar Cerrudo, an Argentinean pen-tester who focuses on Windows Access Control, coined the phrase “token kidnapping” to describe an escalation technique involving pro- cess and thread ACLs. The steps in the “token kidnapping” process are outlined here:
1. Start with SeImpersonatePrivilege and NetworkService privileges. The most likely paths to get those privileges are as follows: 

- Attacker has permission to place custom ASP pages within IIS directory running in classic ASP or “full trust” ASP.NET
- Attacker compromises SQL Server administrative account 
- Attacker compromises any Windows service
  1. The RPCSS service runs under the NetworkService account, so an attacker running as NetworkService can access internals of the RPCSS process.
  2. Use the OpenThreadToken function to get the security token from one of the RPCSS threads.
  3. Iterate through all security tokens in the RPCSS process to find one running as SYSTEM.
  4. Create a new process using the SYSTEM token found in the RPCSS process.
Microsoft addressed this specific escalation path with MS09-012. However, other similar escalation paths may exist in third-party services.
Cesar’s excellent “Practical 10 Minutes Security Audit: Oracle Case” guide has other examples of process ACL abuse, one being a NULL DACL on an Oracle process allowing code injection. You can find a link to it in the following “References” section. 


2 Mar 2013

Hunting Malicious Code


AxMan


Is a tool which enumerate all methods that an ActiveX control supports. When you’re hunting for a vulnerability and see methods such as CreateObject() or Launch() or Run(), take a close look to make sure they can’t be repurposed to run malicious code. 

Little background story:
 
WScript.Shell directly from the Internet zone will fail, as it is only to be used in a trusted environment such as the Local Machine zone. However, Russian hackers discovered that instantiating the safe-for-scripting WMIScriptUtils. WMIObjectBroker2 ActiveX control, and then calling the method CreateObject() de- fined on the ActiveX control, allowed them to create any arbitrary object, bypassing security checks! They promptly used this client-side vulnerability to install malware by hosting the exploit code on hundreds of adult websites. At the time it was being abused, no other IE zero-day vulnerability was widely known in the community, so anybody who wanted to install malware was using this vulnerability. 

For example examine this code at first:


<script>
      var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
      var x = o.CreateObject("WScript.Shell");
      x.run("cmd.exe /k");
</script>

You will notice that WScript.shell is not a secure Object to call.


Microsoft Security Bulletin MS06-073 (WMIScriptUtils)
www.microsoft.com/technet/security/bulletin/ms06-073.mspx
Metasploit exploit www.metasploit.com/modules/

1 Mar 2013

Fuzzing tools and advices



Spike

is designed to assist in the creation of network-oriented fuzzers and supports sending data via TCP or UDP. Additionally, SPIKE provides several example fuzzers for protocols ranging from HTTP to Microsoft Remote Procedure Call (MSRPC). SPIKE libraries can be used to form the foundation of custom fuzzers, or SPIKE’s scripting capabilities can be used to rapidly develop fuzzers without requiring detailed knowledge of C program- ming. 

Spikes can contain static data, dynamic fuzzing variables, dynamic length val- ues, and grouping structures called blocks. 

Spike Proxy

Handles all the fuzzing and is capable of performing attacks such as SQL injection and cross-site scripting. SPIKE Proxy is written in Python and can be tailored to suit your needs. Basically it makes sure that you are able to bypass the application WAF within your attempt to i.e(Brute force every single combination of a password and username within the web application server).
  

Mangleme





References:


http://resources.infosecinstitute.com/intro-to-fuzzing/ 

http://freecode.com/projects/mangleme