Archive for November, 2008

Free issues : Linux+ and Hakin9

Posted: November 27, 2008 in Other Tutorials

* Ubuntu Installation&Configuration…
* OpenNMS on Ubuntu Linux…
* Shell Scripting…
* Virtual X Sessions…
* File System Optimization for High Load and Stability…
* An Introduction to Digital Forensics…
* Ipv6 Approach for DoS Attacks over IP Telephony…
* Secure your System with Afick Intrusion Detection Scanner…
* Scaling Linux Servers…
* MapFS: The Data Center Storage Optimizer…
* Sidebar: Gearing Up…
* Favorite Media Programs in Ubuntu…
* Tricks&Tips…
* The “killer feature” of Freedomware…
* Should Critical Infrastructure be Built on Linux?…

Download here :Linux+

———————-

hakin9 4/2008 (17) – File Inclusion Attacks:

BASICS
File Inclusion Attacks
ALI RECAI YEKTA, ERHAN YEKTA
After reading this article, you will come to know about File Inclusion Attacks’ methods and defense techniques against them.

ATTACK
Hacking RSS Feeds: Implementing RSS Feeds
ADITYA K. SOOD
This paper discusses the infection vectors that occur due to insecure coding by developers and includes other related security issues. It provides a detailed analysis of the errors and efficient measures to correct those errors, while keeping in mind the original security concerns.

Alternate Data Streams or “Doctor Jekyll and Mr. Hyde” Move to NTFS (Part II)
LAIC AURELIAN
The second part of the ADS series. This article reveals everything you should know about ADS, focusing on its practical use. You will learn how to create, use and delete ADS.

All in Memory Execution under Linux
ANTHONY DESNOS, FREDERIC GUIHERY, MICKAEL SALAUN
A vaery useful paper on all in memory execution under Linux. The authors show its rules, all in memory’s tools and protection methods against the execution.

The Real Dangers of Wireless Networks
STEPHEN ARGENT
The paper explains how to break into Wireless Networks and use Ettercap, Driftnet and Wireshark for sniffing. While reading this article, you will learn how to manipulate packets and view MSN conversations over the network.

DEFENSE
How to Deploy Robustness Testing
MIKKO VARPIOLA, ARI TAKANEN
In this article authors explore various means of testing for the security mistakes, with the focus on deploying robustness testing into the software development lifecycle.

Protecting Data in a Postgres Database
ROBERT BERNIER
Part III of the three-part series on Postgres. This article addresses the issue of restricting access to data via the use of data encryption. After reading this paper, you will manage to use cryptographic functions obtained from two contributions modules.

Download here : Hakin9_File Inclusion Attacks

Best Regards
kienmanowar

OllyEye plug-in

Posted: November 26, 2008 in OllyEye plug-in, Other Tutorials

OllyEye plug-in

Today, I would like to present a new plug-in that I wrote called OllyEye. I wrote the plug-in to speed up the process of hunting vulnerability in applications. Here is a screenshot of the OllyEye plug-in:

How does OllyEye work?

Sometimes we want to find out where in a module the code parsing is done. In the example below, we want to find the code that parses the QuickTime video codecs that are in Windows media player.  We know that the codecs support the raw, rle, jpeg, mjpb, and rpza tags, so all we need to do is to search for those tags in our module–in this case, the “quartz.dll” module.

The OllyEye hunter knows that it should check for the video codec’s tags such as code.equals (“rpza”) and that in assembly it should be done with the CMP command that represents it. For this reason, it searches for the CMP command that matches the ‘rpza’ keyword.  Here we can see the results of the OllyEye when the hunter searches for such patterns:

At the address 0x748FD28B, we see CMP EAX,617A7072. The ASCII translation of 617A7072h is ‘azpr’, which is one of the QuickTime video codec’s supported tags. Now all the hunter has to do is set a breakpoint there, load the movie file, and wait for the breakpoint to be triggered.

A QuickView in IDA shows us that our address, 0x748FD28B, is inside the QTDec::CheckInputType when the QTDec is QT=QuickTime and Dec= Decoder. Based on this information, we know that we reviewed part of QuickView codec’s decoder.

Attached here is the source code of the OleEye plugin. You are welcome to extend it and to shoot us the update.

Game 0ver.

Security Researcher: Moti Joseph


Introduction Into Windows Anti-Debugging – Josh Jackson

Anti-Reverse Engineering Guide

Author : Josh Jackson + Nicolas Falliere

Introduction

In recent times, tools for use in reverse engineering have flourished. There are plenty of resource sites for those who are interested in the field, and the field is very much worth the time invested in it. I found that learning C++ while introducing myself to reverse engineering and assembly language really helped me to understand how code works, and improved my C/C++ coding and my ASM coding at the same time. However, reverse engineering also has a darker side. Crackers are individuals who use their knowledge of reverse engineering to reverse another programmer’s code, often to decode how a serial is processed or to remove a protection from a trial. Naturally, a pioneer will want to protect their investment; this can be done with tools such as Themida, Execryptor, Armadillo, and even a protection system coded by a CodeProject resident Jim Charles named Eagle Protector. This article is meant to inform individuals of some anti-debugging techniques, and is not meant to be all-inclusive, nor does it explore some of the more complex routines that commercial protectors use.

Background

An individual reading this should have a solid understanding of ASM, how computers handle memory, the Win32 Debugging API, and at least some knowledge of Windows internals. This code most likely will not work on any *nix platform due to the fundamental differences of the Operating Systems. Any other knowledge in the field of reverse engineering is also a plus. One great thing about learning and implementing anti-debugging is that you also develop your reversing skills, which is a great plus to anyone interested in the field. Along with the other mentioned subjects, an interested reader should also be familiar with the tools used for binary application reversing such as OllyDBG, WinDBG, SoftICE, IDA Pro, and others. Here are some links to some information that is important for readers to be familiar with before reading the following text:

Download tutorial:

http://www.tuts4you.com/download.php?view.2516

Best Regards

Reversing MFC Applications

Posted: November 18, 2008 in Other Tutorials

MFC Programs seems to be the mainstream of Win32 GUI programming these days, other than QT applications that are rapidly gaining popularity recently. A few days ago, I suddenly got interested in embedded system reversing but was confronted by the task to reverse an application that uploads the firmware image to the embedded system. As expected, the application was MFC, and I was a bit taken back. I wasn’t that confident in MFC reversing.

I’ve seen many people (including me) reverse MFC applications in the same way as reversing pure Win32 API applications. Put breakpoints on certain APIs, search for a target string, search for a certain constant, etc etc… There is no problem with that. The same principles used in non-MFC app reversing can also be applied to MFC apps except…

Except you can’t find the Window Procedure within the application. Window Procedures are like the root function of where all the messages are processed, and when you know where it’s located, you can always track down your target in a root to descendant kind of approach. It may take more time than the ‘start from a certain function, string etc’ approach, but when the later approach may sometimes make you get lost in a labyrinth of code and functions, the formal usually never goes wrong.

The problem is, all the WndProc code is managed by the MFC framework, and the framework gives a slight twist to it to make it work in a different process than what we already know about Window Procedures. The principles are the same, but the structure is a little bit different, and the Message dispatcher code is no longer handled by the programmer. The question is, where is that code and what does it look like? And how could we use it to our advantage?

That will be the main focus of this tutorial, and I will start with showing the usual approach, and point out the problems that may occur in certain situations.

Download here:

http://www.tuts4you.com/download.php?view.2509

FastScanner v2.0 by AT4RE

Posted: November 17, 2008 in RE Tools

FastScanner v2.0 by AT4RE

Description:
FastScanner is a Detector for most packers , cryptors and compilers for PE Files Programmed in ASM and designed for ‎fast access to most needed plugins.

FastScanner v2.0 Change log:
11/15/2008

1- Arabic interface now available.
2- New Skin for both the scanner and the PE-Editor.
3- Bug Fixed in the scanning algorithm. Now, it’s more powerful.
4- Updated signature file to detect most compilers, packers and protectors.
5- Add a TotalScan button in the scanner.
6- Add a Disasm button in the scanner.
7- Add a sections viewer button in the scanner’s main window.
8- Display the signature file date in the scanner’s main window.
9- Add a new plugin to detect and save overlay.
10- Add a new plugin => Signs-Imitator.
11- Bug fixed in the Add-Sig plugin.
12- Big update in the PE-Editor plugin:
a- section viewer and editor ( add section – delete section – edit section header).
b- new buttons to view exports and imports table.
c- new tab to view and edit the PE’s directory table.
d- new tab to view and dump any process from memory.
e- make a backup copy of the modified files.

Download here:

http://zeak47.freehostia.com/at4re_fs_2_eng.html

.NET Framework Rootkits

Posted: November 14, 2008 in Other Tutorials

This page covers a new method that enables an attacker to change the .NET language, and to hide malicious code inside its core.

Abstract

This paper introduces a new method that enables an attacker to change the .NET
language.

The paper covers various ways to develop rootkits for the .NET framework, so that
every EXE/DLL that runs on a modified Framework will behave differently than what
it’s supposed to do. Code reviews will not detect backdoors installed inside the
Framework since the payload is not in the code itself, but rather it is inside the
Framework implementation. Writing Framework rootkits will enable the attacker to
install a reverse shell inside the framework, to steal valuable information, to fixate
encryption keys, disable security checks and to perform other nasty things as
described in this paper.

This paper also introduces “.Net-Sploit” – a new tool for building MSIL rootkits that
will enable the user to inject preloaded/custom payload to the Framework core DLL.

………

Download full paper here:

http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555

Regards


Trojan.Zhelatin.Pk Reverse Engineering

From Evilcry:
I’ve released a paper on Trojan.Zhelatin.pk RCE Analysis, that can be downloaded

http://evilcry.netsons.org/tuts/Mw/Zhelatin.pdf

Best Regards