Bangalore, Karnataka, India
Technology Enthusiast !!

Sunday, August 10, 2014

DLL Injection: Executing and Testing DLL's

DLL (Dynamic Link Library) Injection is the process of loading a DLL into target process so that code in the DLL might be executed in the context of the target process.

Example Code Snippet

How to test DLL
RUNDLL32.EXE dll_name,EntryPoint [options]

AppInit_DLLs value is found at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
We have to set Appinit_DLLs key value of the type REG_SZ to DLL's Path. Executables that do not link with User32.dll do not load AppInit DLLs.

NOTE: Above registry change might cause inconvenience as you might see too many pop-ups


Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries

In this article we will walk through manual unpacking of protected malicious Windows binaries using OllyDBG. We also need to rebuild Import Address Table (IAT) to restore the file to executable state. Most of the Anti-virus (AV) vendors flag PE packers as malicious software. There are many varieties of packer’s available, say, ASpcak, UPX, NsPack, Armadillo, Themida etc.

Packers reduce the physical size of an executable by compressing an executable and combine the compressed data with decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One of the methods that can be used to locate the original entry point (OEP) of the file is to apply break points on the following APIs:
These APIs are called by the packer’s start-up routine.
Following articles explain manual unpacking of UPX and AHpack

Saturday, July 26, 2014

Incidence Response: Important Linux Commands and Log Files

Most of the log files are located at

btmp, utmp, wtmp
last -f /var/log/btmp | more
recent login information for all the users

/var/log/secure       contains information about authentication and authorization


Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries

There might be situations where unprivileged users need to complete tasks which needs privileges. Best examples might be ping, passwd etc.

Understanding File Permissions
There are three permission types
r - read
w - write
x - execute
_ rwx r_x __x 

Brown underscore indicates file type (d - directory, l - link, p - pipe etc.), rwx in yellow indicates permissions for file owner or User, r_x in green indicates Group permissions, __x in blue indicates  permissions for all Other users.

                                         Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file can be compiled using GCC
# gcc test_suid.c -o test_suid
Compiling as root user to make sure file is owned by root.

When test_suid binary is executed without SUID bit set, we still have prdarsha user permissions.

                                          Figure.Executing binary with SUID bit not set

Now lets execute test_suid binary after setting SUID bit which will escalate the privilege from notmal user to root user.

                                          Figure. Executing binary with SUID bit set

Checking the permissions of important file like passwd
                                          Figure. File Permissions

Finding all executable's which have SUID bit set
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;