Wednesday, August 31, 2011

Antivirus Hiding

There are several choices when we want to pen test an application:
  • we can write a purpose-built program,
  • we can use an existing one, or
  • we can modify (or fork) an existing one.
The ideal may be to write your own attack program, but this has drawbacks:
  • you end up reinventing the wheel, and
  • deadlines and cost often make such an approach impossible.

Sunday, August 21, 2011

Reverse shell through DLL Injection using undocumented API function

This article is for people who already know how to program in C or C++ and have a basic knowledge of Windows API calls. Some knowledge of exploitation techniques is also needed, such as what a reverse shell is and how to use netcat. If this is the first time you are reading about such things, this article is not the place to start.
DLL injection is a popular technique used by attackers to force a library of their choice into another process in order to run code in that process's context. OS vendors have developed several defences against it, but none with 100% success.
In this article I will present two methods of a successful attack against a Windows 7 Ultimate system that return a reverse shell to the attacker. The first method uses the documented Windows API function CreateRemoteThread; the second uses the undocumented function NtCreateThreadEx, exported by ntdll.dll since Windows Vista. I prefer the second because, in my tests, the first triggered an alert from Microsoft Security Essentials while the second did not (a result that depends on the product and its signatures at the time, not a general evasion guarantee).
In addition, a home-made reverse shell (written in C++) that this antivirus did not detect will be used, together with a method of embedding, or packing, one executable inside another.

The final attack is performed in two ways: the traditional (manual) way, using only netcat, and the "official" way, using the well-known Armitage front end from the Metasploit arsenal. Screenshots of the attack, as well as a short video, are included.

Thursday, April 28, 2011

Debugging the Native Windows API

We are going to play a little game. We will search inside the Native Windows Application Programming Interface (API) for functions that are used internally by the Windows 7 operating system. Microsoft does not recommend using such functions. We are not only going to uncover them, but also use them and examine their results.
The Native API sits beneath the base (Win32) API that Microsoft recommends for compatibility and portability reasons.

The Native API is the last layer in user mode; it makes the direct transitions into kernel mode, specifically into NTOSKRNL.EXE, the core Windows kernel.

I must say that, in my opinion, studying the Windows API is not the easiest thing. I would say it is harder than on Linux, because the Windows source is not available; it is closed source. How, then, is it possible to study a specific API function? Only disassembly can be extracted, and only from the user-mode code that does not belong to the kernel itself. To debug the kernel we would need special tooling (a Windows kernel debugger, for example), but that is beyond the scope of this article. We will look, from a user-mode point of view, at the procedures and functions (even undocumented ones) inside the Native API, i.e. ntdll.dll.

A question one might ask is: why do this?
Hmm... there is more than one reason:
1. It is a very good elementary lesson for wannabe operating-system reversers.
2. We will learn how our operating system carries out its basic internal actions.
3. We will see, live, the operation of the (somewhat) cryptic Native Windows API.

What knowledge is required to read this article?
Well, not much.
1. Elementary knowledge of some reversing techniques, for example how to use OllyDbg.
2. A little (yes, little!) assembly. We will inevitably meet a lot of assembly code on our trip, but I am not willing to turn this article into an assembly listing with explanations. We will see how to achieve our goals without needing to be an assembly programmer.
Let's start!
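As an added example (not from the original article), here is where the hunt for undocumented Native API functions can start before a debugger is even opened: a C program that parses the PE export directory of a DLL such as ntdll.dll and lists the exports whose names begin with "Nt" (or "Zw"), i.e. the user-mode stubs that enter the kernel. It only parses the file, so it runs on any OS against a copy of ntdll.dll; the small PE32+ image it builds when run without arguments is constructed for this example and is not a real DLL. The export names and offsets in that sample are my own choice; the header offsets used by the parser are the documented PE layout.

```c
/* pe_exports.c: walk a PE file's export directory and list the exports whose
 * names start with a prefix, e.g. "Nt" or "Zw" for ntdll.dll. It only parses
 * the file, so it runs on any OS against a copy of ntdll.dll; without a file
 * argument it parses a small PE32+ image constructed below (not a real DLL). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 64

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Map an RVA to a file offset through the section table (0 if unmapped). */
static uint32_t rva_to_off(const uint8_t *img, size_t len, uint32_t rva)
{
    uint32_t nt = rd32(img + 0x3c);
    uint32_t sec = nt + 24 + rd16(img + nt + 20);         /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0, n = rd16(img + nt + 6); i < n; i++, sec += 40) {
        if ((size_t)sec + 40 > len) return 0;
        uint32_t vsize = rd32(img + sec + 8), va = rd32(img + sec + 12);
        uint32_t rsize = rd32(img + sec + 16), raw = rd32(img + sec + 20);
        if (rva >= va && rva < va + (vsize > rsize ? vsize : rsize)) return raw + (rva - va);
    }
    return 0;
}

/* Copy export names starting with `prefix` into out[]; returns the count or -1. */
int list_exports(const uint8_t *img, size_t len, const char *prefix, char out[][NAME_LEN], int max_out)
{
    if (len < 0x40 || rd16(img) != 0x5a4d) return -1;                         /* "MZ" */
    uint32_t nt = rd32(img + 0x3c);
    if ((size_t)nt + 24 + 120 > len || rd32(img + nt) != 0x4550) return -1;   /* "PE\0\0" */
    uint32_t dir = nt + 24 + (rd16(img + nt + 24) == 0x20b ? 112 : 96);      /* export data directory */
    uint32_t exp = rva_to_off(img, len, rd32(img + dir));
    if (!exp || (size_t)exp + 40 > len) return -1;
    uint32_t nnames = rd32(img + exp + 24), names = rva_to_off(img, len, rd32(img + exp + 32));
    if (!names) return -1;
    int n = 0;
    for (uint32_t i = 0; i < nnames && n < max_out; i++) {
        if ((size_t)names + 4 * i + 4 > len) return -1;
        uint32_t s = rva_to_off(img, len, rd32(img + names + 4 * i));
        if (!s || s >= len || !memchr(img + s, 0, len - s)) return -1;       /* unterminated name */
        if (strncmp((const char *)img + s, prefix, strlen(prefix)) == 0)
            snprintf(out[n++], NAME_LEN, "%s", (const char *)img + s);
    }
    return n;
}

/* Constructed sample (not a real DLL): a 0x300-byte PE32+ with one section
 * whose RVA equals its file offset, exporting three names. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    static const char *names[] = { "NtCreateThreadEx", "RtlGetVersion", "NtQueryInformationProcess" };
    if (cap < 0x300) return 0;
    memset(img, 0, 0x300);
    memcpy(img, "MZ", 2);            wr32(img + 0x3c, 0x80);        /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4); wr16(img + 0x84, 0x8664);      /* Machine = AMD64 */
    wr16(img + 0x86, 1);             wr16(img + 0x94, 120);         /* 1 section; SizeOfOptionalHeader */
    wr16(img + 0x98, 0x20b);         wr32(img + 0x104, 1);          /* PE32+ magic; 1 data directory */
    wr32(img + 0x108, 0x200);        wr32(img + 0x10c, 0x100);      /* export directory RVA, size */
    memcpy(img + 0x110, ".edata", 6);
    wr32(img + 0x118, 0x100); wr32(img + 0x11c, 0x200);            /* VirtualSize, VirtualAddress */
    wr32(img + 0x120, 0x100); wr32(img + 0x124, 0x200);            /* SizeOfRawData, PointerToRawData */
    wr32(img + 0x218, 3);     wr32(img + 0x220, 0x230);            /* NumberOfNames, AddressOfNames */
    for (int i = 0; i < 3; i++) {
        wr32(img + 0x230 + 4 * i, 0x240 + 0x20 * i);
        strcpy((char *)img + 0x240 + 0x20 * i, names[i]);
    }
    return 0x300;
}

/* Parser run over the sample: number of matches, and the idx-th match (NULL if none). */
int sample_export_count(const char *prefix)
{
    static uint8_t img[0x300]; static char out[8][NAME_LEN];
    return list_exports(img, build_sample_image(img, sizeof img), prefix, out, 8);
}
const char *sample_export_name(const char *prefix, int idx)
{
    static uint8_t img[0x300]; static char out[8][NAME_LEN];
    int n = list_exports(img, build_sample_image(img, sizeof img), prefix, out, 8);
    return (idx >= 0 && idx < n) ? out[idx] : NULL;
}

int main(int argc, char **argv)
{
    static uint8_t sample[0x300]; static char out[4096][NAME_LEN];
    uint8_t *img = sample; size_t len = build_sample_image(sample, sizeof sample);
    if (argc > 1) {                        /* e.g. a copy of C:\Windows\System32\ntdll.dll */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        img = malloc(len);
        if (!img || fread(img, 1, len, f) != len) { fclose(f); return 1; }
        fclose(f);
    }
    int n = list_exports(img, len, argc > 2 ? argv[2] : "Nt", out, 4096);
    for (int i = 0; i < n; i++) puts(out[i]);
    printf("%d exports matched\n", n);
    return n < 0;
}
```

`pe_exports ntdll.dll Zw` prints the Zw-prefixed stubs; every name you see here that has no matching page in the SDK documentation is a candidate for the OllyDbg session that follows.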

Tuesday, April 26, 2011

Resetting root pass without livecd in two steps

[tested on Gentoo, kernel 2.6.36-r8]
There are cases where we forget our root password and have no live CD to boot from in order to mount our file system. Is there a solution?
Yes, there is. It is a two-step procedure. We will:
1. Boot the system into single-user mode.
2. Mount the disk volumes, chroot into the installed system and set a new password.

Suppose that we have a linux box with the following configuration:
Device      Boot    Start   End    Blocks   Id  System
/dev/sda1   *         1      14    105808+  83  Linux
/dev/sda2            15      81    506520   82  Linux swap
/dev/sda3            82    3876  28690200   83  Linux


Monday, April 25, 2011

Old, Good and Funny Trick

This is a very small and simple program that just writes... something to an underused registry value (tested on Win2k and WinXP). The registry is used by Windows (from version 95 onwards) to store information that the operating system, or any other application, uses for several purposes.

There are entries that perform specific tasks...
Does anyone remember autoexec.bat or config.sys from the good old DOS days? OK, those files may still exist on our disks, but their modern counterparts live in the registry, specifically in the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Anyway, I will not go further into these, because my purpose is not to explain their use; instead I would like to expose a less known and (I suppose) underused registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note that the key is under HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER: the notice is displayed before anyone has logged on, so Winlogon reads it from the machine hive, and writing it requires administrator rights. On later Windows versions the same notice is also configured through security policy, which stores it under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values legalnoticecaption and legalnoticetext).
The above key has two special string (REG_SZ) values named
(1) LegalNoticeCaption and
(2) LegalNoticeText.
You can look at the key with the Registry Editor (Start | Run | regedit). Normally you will not see the two special strings (1) and (2) there; you will see other important and useful values, but those are not our goal.
You can add the strings manually with Right click | New | String Value.
Now, what is special about these string values? When the operating system starts and finds them, it shows a message box before the logon prompt, with the value of LegalNoticeCaption as its title and the value of LegalNoticeText as its text.


A required step to understand buffer overflow

This is not a buffer overflow exploit, but the background required to understand how the CPU and memory "collaborate" to execute a program.
I have read many articles about buffer overflows. Most of them start from a specific point, skipping over the basic knowledge one must have to deeply understand what is going on behind the scenes. I wrote this article to cover (I hope) that gap.

If at the end of this article you feel more comfortable with concepts like CALL, RETN and how a function executes using memory (buffers, the stack, etc.), then I will consider this article a successful one...

First, I would like to point out that everything we say is about the x86 processor family. In addition, most memory addresses are expressed in decimal notation (for the sake of clarity, for beginners) instead of the hexadecimal actually used by real-world software.

Requirements for reading this article:
1. A basic understanding of assembly language.
2. A basic understanding of C language.

Every process is laid out in memory (RAM, random access memory) in three basic segments:
-Code (text) segment
-Data segment (initialized globals; its zero-initialized part is the well-known BSS)
-Stack segment
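As an added example (not part of the original article), the following C program, written for GCC or Clang on x86/x86-64 since it relies on their __builtin_frame_address and __builtin_return_address, measures on a real stack frame what the text is about to describe: where a local buffer sits relative to the saved EBP/RBP and to the return address that CALL pushed, and how many bytes an overflow of that buffer would have to write to reach the return address. Addresses are printed in decimal, as the article does; the 64-byte buffer and the function names are my own choices.

```c
/* frame_probe.c: measure a real stack frame. Written for GCC/Clang on x86 or
 * x86-64; using __builtin_frame_address forces a frame pointer in this
 * function, so the frame has the classic "push ebp; mov ebp, esp" shape. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame_probe {
    uintptr_t buf;         /* lowest address of the 64-byte local buffer */
    uintptr_t saved_fp;    /* slot holding the caller's EBP/RBP */
    uintptr_t ret_slot;    /* slot holding the return address pushed by CALL */
    uintptr_t ret;         /* return address as the CPU knows it */
    uintptr_t ret_in_slot; /* what we actually read back from ret_slot */
};

/* noinline: the probe must be CALLed so that it owns a frame and a return address. */
__attribute__((noinline)) struct frame_probe probe_frame(void)
{
    volatile char buf[64];
    struct frame_probe p;
    memset((void *)buf, 'A', sizeof buf);            /* keep the buffer alive */
    p.buf = (uintptr_t)buf;
    p.saved_fp = (uintptr_t)__builtin_frame_address(0);
    /* "push ebp; mov ebp, esp" leaves the return address one machine word above
     * the saved frame pointer: [ebp+4] on x86, [rbp+8] on x86-64. */
    p.ret_slot = p.saved_fp + sizeof(void *);
    p.ret = (uintptr_t)__builtin_return_address(0);
    p.ret_in_slot = *(volatile uintptr_t *)p.ret_slot;
    return p;
}

/* 1 if the word above the saved frame pointer is indeed the return address. */
int return_address_sits_above_saved_fp(void)
{
    struct frame_probe p = probe_frame();
    return p.ret_in_slot == p.ret;
}

/* 1 if the local buffer lies below the saved frame pointer: the stack grows
 * down and locals are carved out under EBP, which is why writing past the end
 * of the buffer walks upward into EBP and then into the return address. */
int buffer_below_saved_fp(void)
{
    struct frame_probe p = probe_frame();
    return p.buf < p.saved_fp;
}

/* Bytes an overflow of buf must write to overwrite the whole return address:
 * distance from buf to the return slot plus one machine word. At least
 * 64 + 2*sizeof(void*); more if the compiler adds padding or a stack canary. */
size_t bytes_to_clobber_return_address(void)
{
    struct frame_probe p = probe_frame();
    return p.ret_slot > p.buf ? (p.ret_slot - p.buf) + sizeof(void *) : 0;
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("buf (local buffer)   %lu\n", (unsigned long)p.buf);
    printf("saved EBP/RBP slot   %lu\n", (unsigned long)p.saved_fp);
    printf("return address slot  %lu\n", (unsigned long)p.ret_slot);
    printf("return address       %lu (read back from slot: %lu)\n",
           (unsigned long)p.ret, (unsigned long)p.ret_in_slot);
    printf("bytes from buf to clobber the return address: %zu\n",
           bytes_to_clobber_return_address());
    return 0;
}
```

Build once with `gcc -O0 -fno-stack-protector frame_probe.c` and once with `-fstack-protector-all` and compare the last line: the extra distance is the canary the compiler slid between the buffer and the saved EBP.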