Skip to main content

Penetration Testing Lab-1

Aim to Exploit MS08-067 Vulnerability of Window XP and Window Server 2003




On 24 October 2008, Microsoft released an out-of-cycle patch that addressed a stack buffer overflow vulnerability in the Microsoft Windows Server service MS08-067, CVE-2008-4250. Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit." Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.

 
 Those familiar with the ms06-040 attack in Metasploit will notice that, even though there are many similarities in the attack, there are some changes in the implementation in this module. In particular, in the the ‘Targets’ section, we not only see the OS specific memory.address of a desired return-to-lib location, we now also have ‘DisableNX’ for Windows XP SP2 and SP3.
What makes this exploit special is that it bypass DEP and then send the bug string(payload) which is a path function .This vulnerability is result of parsing flaw which allows attacker to exploit it and execute its malicious code by overflowing stack.So in simple works it another example of stack overflow.


Comments

Popular posts from this blog

Install Virtual Box On Kali Rolling

If you facing problem with virtualbox installation on kali rolling edition because of its outdated kernel 4.3.0-kali1-amd64 then this post is for you only.

Step1: Install latest kernel. First search the cache for list of available ones apt-cache search linux-headers
Depending upon the list choose one from the set and install install it.
you can download kernel file using wget from ubuntu source also.
example:wget kernel.ubuntu.com/~kernel-ppa/mainline/v4.4.3-wily/linux-image-4.4.3-040403-generic_4.4.3-040403.201602251634_amd64.deb
for more refer to this post: link

Step2:
Edit the boot entry /boot/vmlinuz-(New Linux kernel Version) & /boot/initrd.img-(New Linux kernel version) in grub menu.

Before making boot entry changes be sure these files exist in the /boot directory after running install command.
In my case following new file got created in /boot folder:

1)vmlinuz-4.6.0-kali1-amd64
2)initrd.img-4.6.0-kali1-amd64

Thats all you need to do to install any virtual software on kali r…

Hacking Windows 10 UWP App: DLL Injection & common Vulnerabilities

I recently started working on  widows 10 Apps( Apps not Applications) security. Before diving deep in hacking terms lets try to understand what's new in Windows 10 UWP( Universal Platform) as compared to old Apps. Lets begin with how apps actually work on windows 10(desktop/tablet). Now windows 10 comes with a container only for running apps inside the isolated environment. By default, /APPCONTAINER(Linker Flag) is off. This option modifies an executable to indicate whether the app must be run in the appcontainer process-isolation environment. Specify /APPCONTAINER for an app that must run in the appcontainer environment—for example, a Windows Store app. (The option is set automatically in Visual Studio when you create a Windows Store app from a template.) For a desktop app, specify /APPCONTAINER:NO or just omit the option. The /APPCONTAINER option was introduced in Windows 8.
Now there is no registry entry concept for these app in the System HIVE rather they install they own hiv…

Cyberoam Login Brute Force Script

#
#  ('-.               .-') _                         ) (`-.               _  .-')
#  ( OO ).-.          (  OO) )                         ( OO ).            ( \( -O )
#  / . --. / ,--.     /     '._     ,------.,--. ,--. (_/.  \_)-.  .----.  ,------.
#  | \-.  \  |  |.-') |'--...__) ('-| _.---'|  | |  |  \  `.'  /  /  ..  \ |   /`. '
#.-'-'  |  | |  | OO )'--.  .--' (OO|(_\    |  | | .-') \     /\ .  /  \  .|  /  | |
# \| |_.'  | |  |`-' |   |  |    /  |  '--. |  |_|( OO ) \   \ | |  |  '  ||  |_.' |
#  |  .-.  |(|  '---.'   |  |    \_)|  .--' |  | | `-' /.'    \_)'  \  /  '|  .  '.'
#  |  | |  | |      |    |  |      \|  |_) ('  '-'(_.-'/  .'.  \  \  `'  / |  |\  \
#  `--' `--' `------'    `--'       `--'     `-----'  '--'   '--'  `---''  `--' '--'
# Cyberaom brute force Script
# @aut…