[TOOL RELEASE] SQL Fingerprint powered by ENG++ Technology [Version 1.33.23-170308]

2012-12-24 Thread Nelson Brito
Private Release (Late 2008)

2009
H2HC Talk (November 28)

2010
MSSQLFP BETA-3 (January 5)

MSSQLFP BETA-4 (January 18)

ESF 1.00.0006 (February 10)

ESF 1.10.101008/CTP (October 8)

2012
ESF 1.12.120115/RC0 (January 15)

BUGS AND LIMITATIONS
Report ESF.pl bugs and limitations directly to the author.

AUTHOR
Nelson Brito mailto:nbr...@sekure.org.

COPYRIGHT
Copyright(c) 2010-2012 Nelson Brito. All rights reserved worldwide.

Exploit Next Generation++ Technology and/or other noted Exploit Next
Generation++ and/or ENG++ related products contained herein are
registered trademarks or trademarks of Nelson Brito. Any other
non-Exploit Next Generation++ related products, registered and/or
unregistered trademarks contained herein are only by reference and are
the sole property of their respective owners.

*Exploit Next Generation++ Technology*, innovating since 2010.

LICENSE
This program is free software: you can redistribute it and/or modify it
under the terms of the *GNU General Public License* as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

You should have received a copy of the *GNU General Public License*
along with this program. If not, see http://www.gnu.org/licenses/.

DISCLAIMER OF WARRANTY
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *GNU
General Public License* for more details.

[Download and Source Code]
For immediate download, please go to:
• http://code.google.com/p/sql-fingerprint-next-generation/

Atenciosamente / Best regards / Saludos.

Nelson Brito
http://about.me/nbrito

Quemadmodum gladius neminem occidit, occidentis telum est. (Epistulae morales 
ad Lucilium, Lucius Annaeus Seneca)

Fingerprint: 1983 7E8E D6C9 CAF8 4B4F A8C9 A36D FC5B 4FFC 316C



[TOOL RELEASE] T50 - an Experimental Mixed Packet Injector ( v5.3)

2011-04-25 Thread Nelson Brito
T50: an Experimental Packet Injector Tool
Release 5.3
Copyright (c) 2001-2011 Nelson Brito
All Rights Reserved

Since the previous release version (H2HC), some improvements were introduced to 
this new version:
1. New License: It is, finally, licensed under GPL Version 2.0. Please refer
to the LICENSE document for further information. The new project leader is
Fernando Mercês (@FernandoMerces) and, as soon as possible, he will upload the
source code to:
- http://t50.sourceforge.net/

2. CIDR Support: Classless Inter-Domain Routing support for destination IP 
address, using a really tiny C algorithm. This would allow the new version to 
simulate DDoS/DRDoS in a laboratory environment.

[...]

netmask    = ~(0xffffffffU >> bits);           /* all-ones mask with the host bits cleared */
__1st_addr = (ntohl(address) & netmask) + 1;   /* network address + 1: first usable host */
hostid     = (1U << (32 - bits)) - 2;          /* 2^(32-bits) minus network and broadcast; bits must be 1..31 */

[...]

3. ELEVEN NEW Protocols: ELEVEN (11) more protocols supported by T50:
    1. IGMPv3: Internet Group Message Protocol v3
    2. EGP:    Exterior Gateway Protocol
    3. RIPv1:  Routing Information Protocol v1
    4. RIPv2:  Routing Information Protocol v2
    5. DCCP:   Datagram Congestion Control Protocol
    6. RSVP:   Resource ReSerVation Protocol
    7. IPSec:  Internet Protocol Security (AH/ESP)
    8. GRE:    Generic Routing Encapsulation
    9. EIGRP:  Enhanced Interior Gateway Routing Protocol
   10. OSPF:   Open Shortest Path First

4. Exotic Protocols: Advanced options and protocol crafting for RSVP, EIGRP, 
OSPF and GRE were added, allowing users to make any combination while using 
those exotic protocols. By the way, EIGRP is a proprietary protocol developed 
by CISCO Systems, Inc.

5. Encapsulation: T50 is now capable of encapsulating all its packets within the
Generic Routing Encapsulation, making it the most powerful tool ever.

6. TCP Options Support: TCP Options are now supported to improve the TCP
protocol, such as:
    1. TCP End of Option List (RFC 793)
    2. TCP No-Operation Option (RFC 793)
    3. TCP Maximum Segment Size Option (RFC 793)
    4. TCP Window Scale Option (RFC 1323)
    5. TCP Timestamps Option (RFC 1323)
    6. T/TCP Connection Count Option (RFC 1644)
    7. T/TCP CC.NEW Option (RFC 1644)
    8. T/TCP CC.ECHO Option (RFC 1644)
    9. TCP SACK-Permitted Option (RFC 2018)
   10. TCP Selective Acknowledgement Option (RFC 2018)
   11. TCP MD5 Signature Option (RFC 2385)
   12. TCP Authentication Option (RFC 5925)

7. Some T50 statistics (as of April 17th, 2011):
- 33 code files
- 13,763 code lines
- 15 supported protocols
- 1 socket file descriptor
- 238 command line interface options

You can download both the slide deck announcement and the source code for the new
version @ http://t50.4shared.com/!

If you want, you can check the demo videos:
- H2HC Demo: http://www.videolog.tv/video.php?id=614528
- Web Security Forum Announcement: 
http://www.videolog.tv/video.php?id=643819

PS: Be nice when using T50, the authors (myself and Fernando Mercês - as of 
today) DENY its use for DoS/DDoS/DRDoS purposes.

Best regards.
--
Nelson Brito (@nbrito)
Security Researcher Enthusiast
8BD6 8CAD 41B7 19C5 EC04 C66D 70ED 23E4 E5AB 95EB

IP calculator - C algorithm in three lines:
netmask   = ~(0xffffffffU >> cidr);         /* all-ones mask with the host bits cleared */
hostid    = (1U << (32 - cidr)) - 2;        /* 2^(32-cidr) minus network and broadcast */
_1st_addr = (ntohl(addr) & netmask) + 1;    /* network address + 1: first usable host */






[TOOL RELEASE] T50 Sukhoi PAK FA Mixed Packet Injector v2.45r-H2HC

2011-01-11 Thread Nelson Brito
T50 Sukhoi PAK FA Mixed Packet Injector (f.k.a. F22 Raptor) is a tool
designed to perform Stress Testing. It is a powerful and unique packet
injection tool that is capable of:
1. Send sequentially (i.e., ALMOST at the same time) the following
protocols:
   - ICMP: Internet Control Message Protocol
   - IGMP: Internet Group Management Protocol
   - TCP:  Transmission Control Protocol
   - UDP:  User Datagram Protocol

2. Send a (quite) incredible amount of packets per second, making it a
“second to none” tool:
   - More than 1,000,000 pps of SYN Flood (+50% of the network’s uplink) in
a 1000BASE-T Network (Gigabit Ethernet).
   - More than 120,000 pps of SYN Flood (+60% of the network’s uplink) in a
100BASE-TX Network (Fast Ethernet).

3. Perform “Stress Testing” on a variety of network infrastructure, network
devices and security solutions in place.

4. Simulate Denial-of-Service attacks, validating the Firewall rules and
Intrusion Detection System/Intrusion Prevention System policies.

Further information can be found @ http://fnstenv.blogspot.com (demo video
and source code).

PS: Yes, there are some anti-kiddo tricks, so, please, don't blame me for
doing that...

The new version of the T50 Sukhoi PAK FA Mixed Packet Injector (v5.2-NG)
will be unleashed on WEB Security Forum (http://websecforum.com.br/evento/
/ April 9th-10th 2011 / São Paulo, Brazil).

The next release will include:
1. New License: It is still not licensed under GPL or any other common
Open-source license, but the source code will be available and the use of
any piece of source code for any free or commercial software is denied.

2. CIDR Support: Classless Inter-Domain Routing support for destination IP
address, using a really tiny C algorithm. This would allow the T50 Sukhoi
PAK FA Mixed Packet Injector to simulate DDoS in a laboratory environment.

   netmask    = ~(0xffffffffU >> cidr);          /* all-ones mask with the host bits cleared */
   hostid     = (int)(pow(2,(32-cidr))-2);       /* 2^(32-cidr) minus network and broadcast; needs <math.h> */
   __1st_host = (ntohl(addr) & netmask)+1;       /* network address + 1: first usable host */
   __lst_host = (ntohl(addr) & netmask)+hostid;  /* network address + hostid: last usable host */

3. TEN NEW Protocols: TEN (10) more protocols supported by T50 Sukhoi PAK
FA Mixed Packet Injector (IGMPv3, EGP, DCCP, RSVP, RIPv1, RIPv2, GRE, ESP,
AH and EIGRP).

4. Exotic Protocols: Advanced options and protocol crafting for EIGRP and
GRE were added, allowing users to make any combination while using those
exotic protocols. By the way, EIGRP is a proprietary protocol developed by
CISCO Systems, Inc.

5. TCP Options Support: TCP Options (MSS, NOP, EOL, WSCALE, TSTAMP, T/TCP CC
and SACK) are supported to improve the TCP protocol.

6. DATA Payload Support: The data payload support is back, and it can be
random or user-defined.

Best regards.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/
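The CIDR calculator quoted in the two T50 announcements above, carried through as an added example that is not T50's code: it restores the shifted all-ones mask, performs the shift in 64 bits so a /0 prefix is defined behaviour, and handles /31 and /32, where the 2^(32-cidr) - 2 host count drops to zero or below. Function names and the sample addresses are constructed for this example; the address is parsed from dotted-quad text into a host-order integer, which is the value the original obtains with ntohl().

```c
/* cidr_calc.c: added example, not T50's code. Generalises the three-line
 * CIDR calculator from the announcements to every prefix length. IPv4 only;
 * the address is parsed from dotted-quad text into a host-order integer (the
 * original applies ntohl() to an in_addr to get the same value). */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t netmask;     /* 0xffffff00 for /24 */
    uint32_t network;     /* addr & netmask */
    uint32_t broadcast;   /* network | ~netmask */
    uint32_t first_host;  /* first address assignable to a host */
    uint32_t last_host;   /* last address assignable to a host */
    uint64_t host_count;  /* assignable addresses in the block */
} cidr_block_t;

/* Netmask from prefix length. The announcement's ~(0xffffffff >> bits) is
 * undefined C for bits == 0 (shift by the operand width), so shift a 64-bit
 * all-ones value and truncate; bits > 32 is clamped to 32. */
uint32_t cidr_netmask(unsigned bits)
{
    if (bits > 32) bits = 32;
    return (uint32_t)~(0xffffffffULL >> bits);
}

/* Parse "a.b.c.d" into a host-order uint32_t. Returns 1 on success, 0 on
 * malformed input (wrong field count, trailing text, octet > 255). */
int parse_ipv4(const char *text, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(text, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Fill blk with the block containing addr. The announcement's host count
 * 2^(32-cidr) - 2 reaches 0 at /31 and -1 at /32, so those two are handled
 * separately: a /31 (RFC 3021) has two usable hosts and a /32 has one. */
int cidr_block(uint32_t addr, unsigned bits, cidr_block_t *blk)
{
    if (bits > 32 || blk == NULL) return 0;
    uint64_t size = 1ULL << (32 - bits);     /* 64-bit: defined for bits == 0 */
    blk->netmask   = cidr_netmask(bits);
    blk->network   = addr & blk->netmask;
    blk->broadcast = blk->network | ~blk->netmask;
    if (bits >= 31) {
        blk->first_host = blk->network;
        blk->last_host  = blk->broadcast;
        blk->host_count = size;
    } else {
        blk->first_host = blk->network + 1;      /* __1st_host in the post */
        blk->last_host  = blk->broadcast - 1;    /* __lst_host: network + hostid */
        blk->host_count = size - 2;
    }
    return 1;
}

/* Render a host-order address as dotted quad into buf (at least 16 bytes). */
const char *ipv4_to_text(uint32_t addr, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(addr >> 24),
             (unsigned)(addr >> 16) & 0xff, (unsigned)(addr >> 8) & 0xff,
             (unsigned)addr & 0xff);
    return buf;
}

int main(void)
{
    /* constructed inputs: RFC 1918 and documentation ranges, not real hosts */
    const char *samples[] = { "192.168.10.77/24", "10.0.0.0/8",
                              "172.16.5.4/31", "203.0.113.9/32", "10.0.0.1/33" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char ip[16], n[16], f[16], l[16], b[16];
        unsigned bits;
        uint32_t addr;
        cidr_block_t blk;
        if (sscanf(samples[i], "%15[^/]/%u", ip, &bits) != 2 ||
            !parse_ipv4(ip, &addr) || !cidr_block(addr, bits, &blk)) {
            printf("%-17s invalid\n", samples[i]);
            continue;
        }
        printf("%-17s mask %08x net %s first %s last %s bcast %s hosts %llu\n",
               samples[i], (unsigned)blk.netmask,
               ipv4_to_text(blk.network, n, sizeof n),
               ipv4_to_text(blk.first_host, f, sizeof f),
               ipv4_to_text(blk.last_host, l, sizeof l),
               ipv4_to_text(blk.broadcast, b, sizeof b),
               (unsigned long long)blk.host_count);
    }
    return 0;
}
```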




[DEMO] Sample videos about IDS/IPS evasions...

2010-11-01 Thread Nelson Brito
Hi, everyone!

As so many highlights have been given on Intrusion Detection System and
Intrusion Prevention System evasions (?) last week, I decided to send this
message just to let you all know that I published a brand-new sample video,
demonstrating two Exploit Next Generation® example modules, successfully
evading:
. SNORT 2.8.6 detection for MS02-056 vulnerability.
. SURICATA 0.9.0 detection for MS08-078 vulnerability.

Here is the YouTube video:
. http://www.youtube.com/watch?v=iHgtf4PXqeU

PS: So, Intrusion Detection System and Intrusion Prevention System evasions
are not that BIG NEWS, at least not for the H2HC Sixth Edition's audience.

Before someone asks what the similarities and/or differences between Exploit
Next Generation® (ENG++) and Advanced Evasion Techniques (AET) are, let me make
this clear:
. ENG++ has a different approach and has no similarity to AET,
despite the fact that both of them can be used to bypass IDS and IPS
technology. Besides, ENG++ is much older research.
. ENG++ was first designed in 2004, coded in 2005, published in 2008
(Exploit creation - The random approach or Playing with random to build
exploits), and became a methodology in 2009 (The Departed: Exploit Next
Generation - The Philosophy).
. ENG++ became a methodology when I decided to port it to work
with/on any open exploit development framework, i.e., Metasploit Framework.
. Ported means that ENG++ has been developed for a long, long, long
time, so only some modules are working on Metasploit Framework, to release
some of its examples and to help people understand that really cool stuff
can be done when you are innovating and creating.

In a few words: Exploit Next Generation® Compliance Methodology is not the
same thing as Advanced Evasion Techniques (ENG++ != AET).

For further information, please, visit the URL:
. http://j.mp/ExploitNG

For online information and news about Exploit Next Generation® Compliance
Methodology, please, follow @Exploit_NG on Twitter.

Cheers.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/




[TOOL RELEASE] Exploit Next Generation SQL Fingerprint v.

2010-10-08 Thread Nelson Brito
The Exploit Next Generation® SQL Fingerprint™ (f.k.a. Microsoft SQL Server
Fingerprint Tool) is a powerful tool which performs version fingerprinting
for:
1. Microsoft SQL Server 2000;
2. Microsoft SQL Server 2005; and
3. Microsoft SQL Server 2008.

The Exploit Next Generation® SQL Fingerprint™ (ESF) uses well-known
techniques based on several public tools that are capable of identifying the
Microsoft SQL Server version (such as SQLping and SQLver), but, instead of
showing only the raw version (i.e., Microsoft SQL Version 10.00.2746), the
Exploit Next Generation® SQL Fingerprint™ shows the mapped Microsoft SQL
Server version (i.e., Microsoft SQL 2008 SP1 (CU5)).

The strengths of Exploit Next Generation® SQL Fingerprint™ are:
1. It uses both TCP and UDP protocols to determine the Microsoft SQL
version, making it much more reliable than any other public or commercial
tool.
2. It is capable of identifying multiple Microsoft SQL Server instances
and their TCP communication ports.
3. It does not require any authentication method to identify the
Microsoft SQL Server version.
4. It uses a probabilistic algorithm to identify the Microsoft SQL
Server version, combining both TCP and UDP fingerprints.

The Exploit Next Generation® SQL Fingerprint™ can also be used to identify
vulnerable/unpatched Microsoft SQL Server versions, and it is based on some
techniques used by the Exploit Next Generation® Compliance Methodology to
perform automated penetration tests. The version 1.10.101008/CTP includes
support to identify the following Microsoft SQL Server versions:
. Microsoft SQL 2008 SP1 (CU5)
. Microsoft SQL 2008 SP1 (CU6)
. Microsoft SQL 2008 SP1 (CU7)
. Microsoft SQL 2008 SP1 (CU8)
. Microsoft SQL 2008 SP1 (CU9)
. Microsoft SQL 2008 SP1 (CU10)
. Microsoft SQL 2008 SP2 CTP
. Microsoft SQL 2008 SP2
. Microsoft SQL 2008 R2 RTM
. Microsoft SQL 2008 R2 (CU1)
. Microsoft SQL 2008 R2 (CU2)
. Microsoft SQL 2008 R2 (CU3)

The Exploit Next Generation® SQL Fingerprint™ is currently licensed under
GPLv3, but, until I have all the code revised, the source code will not be
available.

It is available @ http://code.google.com/p/esf/.

Please, be nice and wait for the code review!

Best regards.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/




[WARNING] A fake version of T50!!!

2010-10-08 Thread Nelson Brito
Okay, as many of you know, I am going to present the results of a private
research about Stress Testing - focusing on Denial-of-Service.

Today, while searching for some references to add in my presentation, I
found the following message in a hacker (?) forum:
- MELHOR FERRAMENTA DE DENIAL OF SERVICE DO MUNDO (BASILEIRA)
(http://www.forum.darkers.com.br/index.php?topic=12674.msg53240;topicseen)

Translating it to English: WORLD'S BEST DENIAL OF SERVICE TOOL
(BRAZILIAN).

It is just to let you know:
1. THIS TOOL IS A FAKE.
2. I have no plans to release the source code, not even after the
H2HC 7th Edition.
3. The T50 Sukhoi PAK FA Mixed Packet Injector Tool was totally
written to work on a Linux environment, and has no version to work on a Windows
environment or any other environment other than Linux.

All the beta-testers received binaries of T50 with restrictions, such as:
1. Limited time frame: no one can use it in a time frame bigger than
30 days.
2. RFC 1918 Compliance: no one can run T50 against valid IP
addresses; it is only capable of testing the IANA IP address allocations for private
internets (i.e., 10/8, 172.16/12 and 192.168/16).
3. T50 is not based on any tool publicly available, it uses unique
techniques never seen before in any tool.

So I take no credit for this code (http://pastebin.ca/1957112). Some coward
released it, anonymously, writing my name on it.

Shame on you, coward!!!

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/





Exploit Next Generation(R) Example Codes

2010-09-27 Thread Nelson Brito
As all of you already know, the Exploit Next Generation® Compliance
Methodology is the only methodology able to apply the Z-Day Attacks
concepts.

Some examples demonstrated during its very first appearance are now
available at:
 - http://code.google.com/p/exploit-ng/

To celebrate one year of its very first appearance, I will release two
example modules, applying ENG++ Methodology, late this year -
including the one used to subvert and bypass the SNORT detection. To
be more exact, during the H2HC 7th Edition (November 27th - 28th).

Meet you @ H2HC Seventh Edition!!!

Best regards.

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/


[TOOL RELEASE] Microsoft SQL Server Fingerprint Tool BETA-3!!!

2010-01-06 Thread Nelson Brito
.:[ Software Description:

This is a tool that performs version fingerprinting on Microsoft SQL Server
2000, 2005 and 2008, using well known techniques based on several public tools
that identify the SQL Version. The strength of this tool is that it uses a
probabilistic algorithm to identify the version of the Microsoft SQL Server.

The Microsoft SQL Server Fingerprint Tool can also be used to identify
vulnerable versions of Microsoft SQL Server.

.:[ Software Release Life Cycle:

The initial public release will be the Version 1.00.0006, and will follow the
stages:

1. January 4th, 2010: Community Technology Preview (CTP)
2. January 19th, 2010: Release Candidate (RC)
3. January 31st, 2010: Release to Marketing (RTM)
4. February 15th, 2010: General Availability (GA)

Help me to develop this tool... I need Beta Testers. To help me, please,
download the version BETA 3. (Nelson Brito)

.:[ Microsoft SQL Server Fingerprint Tool

1. Google Code Project Hosting @ http://code.google.com/p/mssqlfp/
2. Google Code Download @
http://mssqlfp.googlecode.com/files/mssqlfp-BETA3.exe

PS: I will publish the code under GNU Lesser General Public License v3 as soon
as GA Release comes out!!!

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito nbrito [at] sekure [dot] org 
 
   Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
   http://fnstenv.blogspot.com */




RE: Tests about semicolon zero-day (BID 37460)

2009-12-30 Thread Nelson Brito
Okay, here is a good question after reading the updated version of HD Moore's
blog post [1]:
(btw, that is the same question we are discussing on Twitter)
- Based on the blog post "Results of Investigation into Holiday IIS Claim"
(MSRC) [2], there is no vulnerability related to this case, right? BUT... If a
user has a weak password, a guessable password, you can GUESS the user's
password and get the user's access... Getting all the privileges he/she has.

Okay, I know that there are a lot of best practices floating around, describing
many, many ways to force users to create a strong password instead... But
according to my experience in pen-tests, the easiest way to get system access
is guessing users' passwords. RIGHT?

In a dynamic WWW, things change, and 'write' and 'execute' privileges on the
same directory (QUOTED) [2] is not an IMPOSSIBLE AND UNBELIEVABLE thing.

If the weather is good, the waves are good... Let's go surfing!

So I think they should change the term "not a vulnerability" to "vulnerabilistic
feature"... I know that this word does not exist, anyway. =)

PS: Don't send me any flame if you didn't check the vulnerability [3]
definition.

[1] http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html
[2] http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
[3] http://en.wikipedia.org/wiki/Vulnerability_(computing)



/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito nbrito [at] sekure [dot] org 
 
   Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
   http://fnstenv.blogspot.com */


> -----Original Message-----
> From: Crash - DcLabs [mailto:crash...@gmail.com]
> Sent: Monday, December 28, 2009 8:28 PM
> To: bugtraq@securityfocus.com
> Subject: Tests about semicolon zero-day (BID 37460)
>
> Tests about semicolon zero-day (BID 37460)
>
> Tests in Windows XP SP3 and IIS 5.1
> The results are:
> 18:21:18 172.16.5.79 GET /t.asp;.jpg 200
> The file was found, but not interpreted! IIS prints the ASP source code on
> screen.
>
> Testing in 2003 Server IIS 6.0 SP 2 works perfectly! The .jpg is
> interpreted as .asp
> 2009-12-28 18:56:37 W3SVC1 172.16.5.79 GET /t.asp;.jpg - 80 -
> 172.16.6.16 Mozilla/4.0+(compatible;+MSIE+
> 8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.N
> ET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+C
> LR+3.5.30729)
> 200 0 0
>
> Testing in 2008 Server IIS 7.0 SP1
> Returns the same as Windows XP, source code printed on screen.
>
> ---
> Crash
> DcLabs



RE: Tests about semicolon zero-day (BID 37460)

2009-12-29 Thread Nelson Brito
@hdmoore: Exploiting Microsoft IIS with Metasploit: http://bit.ly/52oJoE
(ASP;JPG bug).

Cheers.

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito nbrito [at] sekure [dot] org 
 
   Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
   http://fnstenv.blogspot.com */




Re: Exploit creation - The random approach or Playing with random to build exploits

2008-10-03 Thread Nelson Brito
I am glad you have enjoyed it, but I do not agree with some of your statements.
Actually, I do not agree with almost all. 8-D

On Fri, Sep 26, 2008 at 7:02 PM, Stefano Zanero [EMAIL PROTECTED] wrote:
> Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
> which follows a precomputed spreading path, by using prior knowledge of
> all the systems that are vulnerable to the particular exploit in use.
> And Slammer didn't.
> It is actually akin to a Warhol worm.

Hhmmm... Let's check the description of a Flash Worm:
"We further observe that there is a variant of the hit-list strategy
that could plausibly result in most of the vulnerable servers on the
Internet being infected in tens of seconds. We term this a flash worm.
The nub of our observation is that an attacker could plausibly obtain
a hit-list of most servers with the relevant
service open to the Internet in advance of the release of the worm."
(How to 0wn the Internet in Your Spare Time)

It looks like a Flash Worm to me, but, well, let's get more
information from the CAIDA analysis of Slammer
(http://www.caida.org/publications/papers/2003/sapphire/sapphire.html).

It still looks like a Flash Worm to me, and, AFAIR, there was a huge
UDP/1434 probe (SANS Internet Storm Center) before Slammer hit the
Internet. Am I wrong? Doesn't that mean the worm creator used a
hit-list?

Well, let's forget this, it is just a matter of different points of
view, anyway. And, AFAIR, the same conflict happened during the naming of
the Morris Worm.

>> dissemination, it only took 15 minutes to crash all the Internet
>> infrastructure
>
> How exaggerated ;)

Yeah, you're right, it took a little bit more: 30 minutes. 8-D

> Nope, we didn't. But people stopped writing worms, because writing bots
> is much more rewarding, economically.

101% true. And that's even worse than worms. Because they are
stealthy... The bots' owners don't want anyone watching. Right?

> No, indeed, it's very old.

Well, I presume you are talking about polymorphic shellcode, right?

>> for years and years, but all our attention was given to the shellcode.
>
> Well, actually that's because the polymorphic code for viruses and worms
> came even before, and was already a beaten issue.

I didn't get this age (Virus Age), sorry. The last virus I've heard
about was CIH. The last real virus, I presume. Right?

>> even during my research, when I talked to someone about the perspective of
>> having a real polymorphic code, people always got confused with polymorphic
>> shellcode.
>
> Strange, usually it's the other way round.

Really? I got the opposite. Right now, in our conversation, I'm having
the same wrong perception.

>> Polymorphic code means that a code will change every time it executes,
>> making it unpredictable. What we have, so far, are static codes, and I never
>> saw any dynamic code exploiting any vulnerability.
>
> Didn't you mention you were NOT thinking of polymorphic SHELL-code, but
> polymorphic code ?

Well, YES... The columns showing the exploit structure should
address this misunderstanding. Anyway, here is a question: what happens
if we apply Alpha2.c, or any other polymorphic shellcode engine, to
the entire data we should write on the stack? Will the exploit work? I
don't think so. Touché!!!

>> That is the reason some
>> IPS/IDS can easily add signatures.
>
> Well, actually shellcode signatures are common, but they are not the reason.
>
> And, signature based IPS/IDS have so many faults that you don't really
> need polymorphic (shell)code to fool them.

Correct! But, if you can do it with an extra elegance, it is better, isn't it?

>> Now, we know how we must build the exploit, and I think we can do a great
>> job randomizing all the fields. Here are the fields ENG needs to deal with:
>> attack vector, buffer, return address, jumps, writable address, nops, and
>> shellcode.
>
> This is what most of us would call obfuscating an attack, or mutating
> an attack. Just so that you know, a tool named SPLOIT was already made
> to perform a number of mutations over exploits (at this and other levels).

Forgive me, I knew of this tool, but never took a look at it.

But here is the question: does it use the same techniques described in
this document?

I really don't think so, even because in the authors' papers about
SPLOIT, btw a great tool, they don't describe any of the ENG
techniques.

Never mind, I'll figure it out. Thanks.

> Thanks for the write up. It's a handy cheat sheet for some things.

You're very welcome, anytime!

But, in fact, I think you didn't like it that much and you were too
critical in your statements, but I can guarantee that I'm not sending
any fake exploit or any copy-pasted document. 8-D

This second moderation is really appreciated, because I can better
expose the ideas behind any misunderstanding, and there were too many
just from you, sir.

>> I do hope I could prove all the concepts behind this idea,
>
> Yep, well, you could just mention them. We already knew them ;-)

Oh, really? I can give any credits, you only should 

Exploit creation - The random approach or Playing with random to build exploits

2008-09-22 Thread Nelson Brito
“Exploit creation – The random approach” or “Playing with random to build
exploits”
Sunday, September 21, 2008
By Nelson Brito [EMAIL PROTECTED]

-[ Introduction

It is just a matter of time until things get worse on the Internet. We saw
worms getting more and more sophisticated in the last decade, and, believe me,
it could be worse. Nowadays we have botnets and a lot of worms and their
respective variants, but what if a stealth worm reaches the Internet today?
Are we prepared to deal with this kind of threat? Are we walking in the right
direction to get this kind of threat controlled in a short period of time?
Do we remember 2003?

That said, there is no other answer than: No, we are not prepared and we will
surrender if such a bad thing happens again. Why am I saying that? You will
figure it out.

Just for the record: I will not write that much, even because it is very,
very simple, and I do believe someone else will write good stuff for
academic audiences.

If you still believe in Santa Claus, please, stop reading right now, because
this paper will show that bad things can get worse, and worse, and worse, if
we are not paying attention to the signs. And according to some people: it
is all old news, and the techniques were already presented by someone,
somewhere. Ok, then!

-[ What happened during 2003?

Two incredible things happened:
1. Slammer was the very first Flash Worm, incredibly fast in its
dissemination; it only took 15 minutes to crash all the Internet
infrastructure and let us know that a new age was coming.
2. Blaster was the very first worm targeting almost all Microsoft
Windows OS versions, incredibly infecting machines around the world. After
Blaster we saw Sasser, and, apparently, the underground began to use a “worm
template” to make new worms disseminate.

These two facts combined could give us a good lesson. But, even after 1988,
we didn't learn how to deal with worms and I think we have a long, long path
to reach this point. So, imagine a worm using polymorphic techniques. It is
the worst nightmare we couldn’t even imagine.

-[ Polymorphic Code

This is not a new topic and some researchers have been talking about this
for years and years, but all our attention was given to the shellcode. And
even during my research, when I talked to someone about the perspective of
having a real polymorphic code, people always got confused with polymorphic
shellcode.

No, I am not writing another paper about polymorphic shellcode, there are
too many papers flying around since ADM created ADMutate, good papers about
nop sled, jmp sled, junk code insertion, etc… I am writing about a real
polymorphic code: a code that every time it executes it will have a new
appearance, a new fingerprint, being almost unpredictable, and, yes, I will
use some of the previous techniques to move forward and step ahead creating
a real polymorphic attack.

I have sent the ENG code already, but this is a paper to show what the
techniques are and the possible damage that can be caused if hackers apply such
techniques in their codes.

Polymorphic code means that a code will change every time it executes,
making it unpredictable. What we have, so far, are static codes, and I never
saw any “dynamic” code exploiting any vulnerability. That is the reason some
IPS/IDS can easily add signatures.

-[ ENG (Encore Next Generation) Techniques

First of all, to make a polymorphic code we have to be sure we have all the
requirements to achieve the concept that a polymorphic code must be
unpredictable, and that means random. I chose MS02-039[1], because I have
all the requirements for this proof of concept:
1. Microsoft Windows Buffer Overflow[2];
2. Buffer to overflow is not too big;
3. More than just one Return Address[3];
4. Incredibly high number of writable addresses only in
SQLSORT.DLL[4].

-[ MS02-039 Exploit Structure

Before we start talking about the techniques applied in ENG, let’s take a
look at how the exploit structure must be.

David Litchfield's very first exploit:
  [VECTOR] [BUFFER] [RETURN ADDRESS] [JUMP] [WRITABLE ADDRESS]                      [NOPS]   [SHELLCODE]
  [0x04]   [...]    [0x42b0c9dc]     [0x0e] [0x42ae7001 (SP0) | 0x42ae7001 (SP1-2)] [0x90]   [STATIC]

Slammer worm:
  [VECTOR] [BUFFER] [RETURN ADDRESS] [JUMP] [WRITABLE ADDRESS]                      [NOPS]   [SHELLCODE]
  [0x04]   [0x01]   [0x42b0c9dc]     [0x0e] [0x42ae7001 (SP0) | 0x42ae7001 (SP1-2)] [0x90]   [SLAMMER]

HD Moore's Metasploit Framework:
  [VECTOR] [BUFFER] [RETURN ADDRESS] [JUMP] [WRITABLE ADDRESS]                      [NOPS]   [SHELLCODE]
  [0x04]   [RANDOM] [0x42b48774]     [0x69] [0x7ffde0cc (SP0) | 0x7ffde0cc (SP1-2)] [RANDOM] [SLAMMER]

Now, we know how we must build the exploit, and I think we can do a great
job randomizing all the fields. Here are the fields ENG needs to deal with:
attack vector, buffer, return address, jumps, writable address, nops, and
shellcode.

-[ Attack Vector

For this vulnerability there are three vectors [5

Re: def-2001-11: MDaemon 3.5.4 Dos-Device DoS

2001-03-16 Thread Nelson Brito

Peter Gründl wrote:

> ======================================================================
>   Defcom Labs Advisory def-2001-11
>
>   MDaemon 3.5.4 Dos-Device DoS
>
> Author: Peter Gründl [EMAIL PROTECTED]
> Release Date: 2001-03-15
> ======================================================================
> =[Brief Description]=-------------------------------------------------
> Webservices in the Mdaemon package can be crashed by requesting a
> malicious URL.
>
> =[Affected Systems]=--------------------------------------------------
> - MDaemon 3.5.4 Standard for Windows NT/2000
> - MDaemon 3.5.4 Pro for Windows NT/2000
>
> --=[Detailed Description]=--------------------------------------------
> There is a problem with the way the Worldclient (default port 3000)
> and the Webconfig service (default port 3001) handle requests for dos-
> devices.
>
> If a user requests eg. "http://www.foo.org:3000/aux", the Worldclient
> service will crash. The same fault affects the Webconfig service.
> The service needs to be restarted from the Mdaemon console.

I don't know, but it's an old CON/CON bug, isn't it?

If you patched your NT box, the app is not vulnerable to this BUG, isn't it?

Regards,
--
+---------------------+-------------------------------------------------+
| Nelson Brito        |  Security Networks / IBQN                       |
|                     |  Avenida General Justo, 365 - 4 Andar - Centro  |
| Security Analyst    |  20.021-130 - Rio de Janeiro - RJ - Brasil      |
| Penetration Tester  |  +55.021.282-1351 R. 104                        |
|                     |  [EMAIL PROTECTED]                              |
+---------------------+-------------------------------------------------+
| "Windows NT can also be protected from nmap OS detection scans thanks |
| to *Nelson Brito* ..."                                                |
|   Excerpt from the book "Hack Proofing your Network", page 93         |
+-----------------------------------------------------------------------+



Re: AUTORUN Vul still work.

2001-02-16 Thread Nelson Brito

Just a few words of clarification:

Nelson Brito wrote:

[...]

 I've read the BID 933, and I saw that there isn't a way to exploit
 this, so...

Like I mentioned in my last post, the right BugTraq ID is 993; the 933
BID points you to a BIND bug(je):
http://www.securityfocus.com/bid/993

 Step by Step:
 1 - find an admin's mount point (a.k.a. home directory);

Forgive me once more. If you already have write access to the Admin's
Home Directory, you are an Admin, so the only thing you could do is test
the potential vulnerability.

 2 - place the autorun.inf and autorun2.exe on there;

When I said "place" I just meant: if the "root directory" is writable
to you, put the files there. That means it is possible to exploit this
using any of the shares, for example:
ADMIN$ - %SystemRoot%
C$ - %SystemDrive%

By default ordinary users have write access on those shares.

As for how you will do the initial penetration, think about a Penetration
Test (sorry, but that was my first goal when I sent the original post),
and try the following commands:
C:\ qtip -u target 1 users.txt
C:\FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

 3 - drop the admin's connection (use your preferred DoS tool);
 4 - try to connect as user nelson and password nelson;
 5 - BINGO, you are now a member of the "Administrators" group (Stand Alone
 Servers) or the "Domain Admins" group (PDC Servers).

You could define this in the preprocessor (/d "_PDC_SRV").

 If you take a look at the code, it's possible to make it more useful by
 making some tests, like finding the PDC in the domain or some other
 decisions, easy and automatic.

 PS: It still works in some of the Penetration Tests I have made, so it's
 possibly useful for all of you, I hope.

I don't know why the correction for this problem is still not among the
default settings in Windows NT's Registry when you install it.

Did anybody read the solution for this BUGFEATURE in some "Windows NT
Checklist"?

 "Windows NT can also be protected from nmap OS detection scans thanks
 to *Nelson Brito* ..."
(Ryan, thanks a lot for talking about it in your BOOK. ;) It's a great BOOK
to read.)

No more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93



Re: AUTORUN Vul still work.

2001-02-16 Thread Nelson Brito

"Jesper M. Johansson" wrote:

[...]

 That's not to say that this is not an issue. It is, and it has been known
 and discussed for at least two years. MS does not seem to consider it a real
 serious problem because "administrators should not be mapping shares that

Like I said, C$ and ADMIN$, in a default installation, are "write access"
for ordinary users.

So, think about this scenario:
1 - a malicious user has placed both files (autorun2.exe and autorun.inf) on
the Server's C$;
2 - the dumb Admin will mount this share to do something *dumb*;
3 - so, the malicious user can make the dumb Admin execute the arbitrary
code(?) as obscurely as possible;
4 - BINGO, the dumb Admin has added a new user or added the malicious
user to the Administrators/Domain Admins group.

Well, I could put forward a lot of other scenarios, but is it necessary? I
don't think so.

When a malicious user really wants to, he can do a lot of things to get Admin
access in a Windows NT environment.

 ordinary users have write privilege to anyway." If that, rather
 unreasonable, assumption holds, then this is not a problem. In most cases,
 this is simply expected behavior, and it is up to us, as responsible admins,
 to work around it.

[...]

 Hive: HKLM if you want to apply it to all users on a system, HKCU if you
 only want to apply it to some users
 Key: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
 Value: NoDriveTypeAutoRun
 Data 0xFF

 Jesper M. Johansson

As we can see in BID 993.

No more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93



AUTORUN Vulnerability - Round 2

2001-02-16 Thread Nelson Brito

Well, like Ben told me, people are confused.

OK, I'll try to make myself more clear.

1 - When I said ordinary users have *WRITE ACCESS* on C$ (C:\ ==
%SystemDrive%) and ADMIN$ (C:\WINNT == %SystemRoot%) by default, I meant
ordinary (malicious) users have write access on their own C$ and ADMIN$,
by default.

The ordinary (maybe malicious) users can place both files (once again
AUTORUN2.EXE and AUTORUN.INF, INF instead of INI) in those "ROOT
DIRECTORIES" (SHARED).

When the Domain Admin mounts the user's share, he'll execute the
"arbitrary code".

2 - Like I said: "If you already have write access to the Admin's
Home Directory, you are an Admin, so the only thing you could do is
test the potential vulnerability."

It was a BIG mistake to use HOME DIRECTORY as an example, excuse me,
again.

3 - If you find a *WRITABLE SHARE* like \\MACHINE\Users or
\\MACHINE\Application or \\MACHINE\Backup on the network, you can run
the following commands I already posted:
C:\ qtip -u target 1 users.txt
C:\FOR /F "tokens=1,*" %i IN (users.txt) DO net use \\TARGET\SHARE$ %i /u:%i

So, you can put the files there and wait for the Admin to mount those
SHARES to do "things".

4 - There are a lot of scenarios that we could explain and exploit, but
it's not my main goal, so you can get your own ideas. ;)

5 - I never saw this problem listed in "Windows NT's Checklists", did
you?

PS: Thanks to Ben for letting me explain my own ideas.

PPS: If someone is still confused about this vulnerability, please read
Eric Stevens' original post at:
http://www.securityfocus.com/archive/1/47338

PPPS: The point was misunderstood: with the code, I can do a lot of
"things": test, penetrate, escalate privileges, send messages to you
when the code is executed, etc... Focus...

Ohhh... don't forget, change the "autorun.ini" to "autorun.inf".

Thanks in advance.

Sem mais, (in English "No More" :)))
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93



Re: vixie cron possible local root compromise

2001-02-15 Thread Nelson Brito

"Rodrigo Barbosa (aka morcego)" wrote:

[...]

First mail:

 #include <wtmpx.h>

 main () {
 printf("%d\n",__UT_NAMESIZE);
 }

 or, if your system does not have wtmpx.h

 #include <wtmp.h>

 main () {
 printf("%d\n",UT_NAMESIZE);
 }


Second mail:

 In my last post, I included two simple programs to check the max length of
 the login name. But the includes were wrong. Should have been utmpx.h and
 utmp.h (not wtmpx.h and wtmp.h).

 Sorry about the mess.

 The correct codes would be:

 #include <wtmpx.h>

 main () {
 printf("%d\n",__UT_NAMESIZE);
 }

 and

 #include <wtmp.h>

 main () {
 printf("%d\n",UT_NAMESIZE);
 }


Am I missing something? What's the difference between the codes? It is the
same code, isn't it?

No more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93



Re: AUTORUN Vul still work.

2001-02-15 Thread Nelson Brito

Nelson Brito wrote:

 Yeah, I know it's not a new BUG, but it still works.

 I've read the BID 933, and I saw that there isn't a way to exploit
 this, so...

Forgive me, the correct BID is 993.
http://www.securityfocus.com/bid/993

No more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93



AUTORUN Vul still work.

2001-02-15 Thread Nelson Brito

Yeah, I know it's not a new BUG, but it still works.

I've read the BID 933, and I saw that there isn't a way to exploit
this, so...

Step by Step:
1 - find an admin's mount point (a.k.a. home directory);
2 - place the autorun.inf and autorun2.exe on there;
3 - drop the admin's connection (use your preferred DoS tool);
4 - try to connect as user nelson and password nelson;
5 - BINGO, you are now a member of the "Administrators" group (Stand Alone
Servers) or the "Domain Admins" group (PDC Servers).

If you take a look at the code, it's possible to make it more useful by
making some tests, like finding the PDC in the domain or some other
decisions, easy and automatic.

PS: It still works in some of the Penetration Tests I have made, so it's
possibly useful for all of you, I hope.

PPS: It's not just a "Privilege Escalation", it's possible to create a
new account with "Administrator/Domain Admin" privileges, obscurely.

No more,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
  Excerpt from the book "Hack Proofing your Network", page 93
 autorun2.cpp
 autorun.ini