Bangalore, Karnataka, India
Technology Enthusiast !!

Sunday, August 10, 2014

DLL Injection: Executing and Testing DLL's

DLL (Dynamic Link Library) Injection is the process of loading a DLL into target process so that code in the DLL might be executed in the context of the target process.

Example Code Snippet

How to test DLL
RUNDLL32.EXE dll_name,EntryPoint [options]



AppInit_DLLs value is found at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
We have to set Appinit_DLLs key value of the type REG_SZ to DLL's Path. Executables that do not link with User32.dll do not load AppInit DLLs.

NOTE: Above registry change might cause inconvenience as you might see too many pop-ups

References
http://www.exploit-db.com/exploits/14740/
http://www.exploit-db.com/papers/14813/
http://www.exploit-db.com/wp-content/themes/exploit/docs/242.pdf
http://www.ericphelps.com/batch/rundll/
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries



INTRODUCTION
In this article we will walk through manual unpacking of protected malicious Windows binaries using OllyDBG. We also need to rebuild Import Address Table (IAT) to restore the file to executable state. Most of the Anti-virus (AV) vendors flag PE packers as malicious software. There are many varieties of packer’s available, say, ASpcak, UPX, NsPack, Armadillo, Themida etc.

PACKERS
Packers reduce the physical size of an executable by compressing an executable and combine the compressed data with decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One of the methods that can be used to locate the original entry point (OEP) of the file is to apply break points on the following APIs:
GetLoadLibraryA
GetVersionExA
GetEnvironmentA
LoadLibraryA
GetProcAddress
IniHeap
These APIs are called by the packer’s start-up routine.
 
Following articles explain manual unpacking of UPX and AHpack
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html
http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html
  
REFERENCES

Saturday, July 26, 2014

Incidence Response: Important Linux Commands and Log Files

Most of the log files are located at
/var/log/

btmp, utmp, wtmp
last -f /var/log/btmp | more
last
recent login information for all the users
lastlog                

/var/log/secure       contains information about authentication and authorization

auth.log
maillog

Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries


There might be situations where unprivileged users need to complete tasks which needs privileges. Best examples might be ping, passwd etc.

Understanding File Permissions
There are three permission types
r - read
w - write
x - execute
_ rwx r_x __x 

Brown underscore indicates file type (d - directory, l - link, p - pipe etc.), rwx in yellow indicates permissions for file owner or User, r_x in green indicates Group permissions, __x in blue indicates  permissions for all Other users.

                                         Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file can be compiled using GCC
# gcc test_suid.c -o test_suid
Compiling as root user to make sure file is owned by root.

When test_suid binary is executed without SUID bit set, we still have prdarsha user permissions.

                                          Figure.Executing binary with SUID bit not set

Now lets execute test_suid binary after setting SUID bit which will escalate the privilege from notmal user to root user.

                                          Figure. Executing binary with SUID bit set

Checking the permissions of important file like passwd
                                          Figure. File Permissions

Finding all executable's which have SUID bit set
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;