Wednesday, September 10, 2008

Automated ActiveX Exploitation with COMikazi

This October I will be presenting at the Tulsa Tech Fest (www.tuslatechfest.com). I will be presenting on a new tool currently in development at Bastard Labs called COMikazi. COMikazi is basically what you get when you cross a web crawler that actively searches for new COM objects on the Internet with an ActiveX fuzzer designed to find security bugs in ActiveX controls. But we couldn't leave it there, so we took it a step further and created an automatic exploit generator that will take the security vulnerabilities found by COMikazi and automatically generate working Metasploit exploit modules for those security vulnerabilities :). Yes, that's right: with one click COMikazi will scour the Internet looking for vulnerable code and, when it finds some, automatically pump out 0day exploit modules. That's how we roll at blabs :) Automatic Exploit Generation FTW


ri0t

Monday, July 28, 2008

So simple it's scary....

Does your HIPS product stop me from tampering with its system call interception hooks? It does? Can you show me, because I'm not seeing it....


That is all...

Wednesday, May 7, 2008

more xss talk

I think some of the problem with the importance of XSS lies in the availability of quality client-side bugs. I read a quote once that said XSS is for people that don't have client-sides, and while I think this is a bit short-sighted, it does have some merit. If you were attacking a target and had a choice of where to put your research and development hours, would it be an XSS bug that you could do some cool shit with but not quite get a shell from, or a client-side stack overflow that you can write an exploit for with very minimal effort (thank you skylined) and that gets you full system control? Let's face it, your average infosec guy and random company doesn't really have the understanding to fully grasp the importance of a vulnerability class; they rely on whitehats to do that for them. They look at what people are working on and say, oh, that must be what's important; if this other vuln class was important then there would be a lot of people working on it. Now, while I agree a lot of XSS work has been done lately (and by lately I mean the last 2 to 3 years or so), I don't think a lot of that work has had a chance to filter down to Joe Blow admin yet. Let's face it, they have to hear it 19 times before they get it anyway.


ri0t

Tuesday, May 6, 2008

The importance of the lack of importance of XSS

Am I the only one who finds the lack of importance placed on XSS a bit annoying? Can the reason be a lack of understanding of the vulnerability? I would like to think that most peeps in the security industry would raise a flag on XSS issues for more than one reason, but at the very least for shitty coding practices! Thoughts on this?

Wednesday, April 2, 2008

Firewall Appliances

I've always had an interest in appliance-based firewall/IPS solutions. I'm going to run some tests against several smaller appliances, mostly SOHO solutions. They should include Netscreen, Watchguard, Checkpoint (Sofaware), Cisco PIX 501 and ASA 5505, and perhaps a few more. I'll be posting some results here. It should be interesting to see how each responds to various tests.

In other news, Blackhat/DefCon is quickly approaching. The BL crew should be in full force this year. Stay tuned for more info!

Friday, March 21, 2008

I'm not dead.. just busy.. more HIPS FUN..

HIPS.. Hope it protects something... ;-)

As usual I'm digging into various HIPS products and having fun. I found a bit of time to post more hook exploration...

enjoy...

ZwSetLdtEntries hooked, jump to 00191BCB
ZwSetValueKey hooked, jump to 00191B97
ZwWriteVirtualMemory hooked, jump to 00190105

kernel32.dll
CopyFileA hooked, jump to 00190175
CopyFileExA hooked, jump to 00191B09
CopyFileExW hooked, jump to 0019019F
CopyFileW hooked: f=8BFF558BEC, m=FF2C258557
CreateFileA hooked, jump to 00191AD9
CreateFileMappingA hooked, jump to 00191AA4
CreateFileMappingW hooked: f=8BFF558BEC, m=8AFF368ADB
CreateFileW hooked: f=8BFF558BEC, m=87C92E3E26
CreateMailslotA hooked: f=8BFF558BEC, m=8BC036F3FF
difference at relocated offset 7C834E41 in CreateMailslotW
CreateNamedPipeA hooked: f=8BFF558BEC, m=EB07C0D200
CreateNamedPipeW hooked: f=8BFF558BEC, m=3EF38ADBF2
CreateProcessA hooked: f=8BFF558BEC, m=F30F008CA4
difference at relocated offset 7C81DA9E in CreateProcessInternalA
CreateProcessInternalW hooked, jump to 0019022E
difference at relocated offset 7C802332 in CreateProcessW
CreateRemoteThread hooked, jump to 00191A7E
CreateThread hooked: f=8BFF558BEC, m=90F2653E26
CreateToolhelp32Snapshot hooked, jump to 00191A51
CreateVirtualBuffer hooked: f=8BFF558BEC, m=8D3FC0F600
DebugActiveProcess hooked, jump to 00190251
DeleteFileA hooked, jump to 00191A32
DeleteFileW hooked: f=8BFF558BEC, m=F694A49BF1
DeviceIoControl hooked, jump to 00190286
difference at relocated offset 7C80E016 in DuplicateHandle
DuplicateHandle hooked, jump to 001902BC
GetModuleHandleA hooked, jump to 00191A19
GetModuleHandleW hooked: f=8BFF558BEC, m=653E90F29C
GetProcAddress hooked: f=8BFF558BEC, m=86C08BE467
HeapCreate hooked: f=8BFF558BEC, m=87C96765F2
LoadLibraryA hooked, jump to 001902EB
LoadLibraryExA hooked, jump to 00190310
LoadLibraryExW hooked, jump to 00190344
LoadLibraryW hooked, jump to 001919E2
difference at relocated offset 7C86125E in LoadModule
MapViewOfFile hooked: f=8BFF558BEC, m=FF2C2596B7
MapViewOfFileEx hooked: f=8BFF558BEC, m=87C9902636
MoveFileA hooked: f=8BFF558BEC, m=900FACF900
MoveFileExA hooked: f=8BFF558BEC, m=FF2C25ACD2
MoveFileExW hooked: f=8BFF558BEC, m=2E8D3F9036
MoveFileW hooked: f=8BFF558BEC, m=FF2C256396
MoveFileWithProgressA hooked, jump to 00191969
MoveFileWithProgressW hooked, jump to 00191951
OpenFile hooked, jump to 00190378
difference at relocated offset 7C81E079 in OpenProcess
OpenProcess hooked: f=8BFF558BEC, m=363E2E2EFF
OpenThread hooked: f=8BFF558BEC, m=26F22E36C0
ReadFile hooked, jump to 00191915
ReadFileEx hooked: f=8BFF558BEC, m=F2F3362EFF
ReadProcessMemory hooked: f=8BFF558BEC, m=F694E4CFF1
SetThreadContext hooked, jump to 001918DC
SetUnhandledExceptionFilter hooked, jump to 001918B3
VirtualAlloc hooked: f=8BFF558BEC, m=F266F20FAC
VirtualAllocEx hooked, jump to 00191895
VirtualFree hooked: f=8BFF558BEC, m=90FF2C251D
VirtualFreeEx hooked: f=8BFF558BEC, m=87C96A5567
VirtualProtect hooked: f=8BFF558BEC, m=3666678D34
VirtualProtectEx hooked: f=8BFF558BEC, m=8BC0EB0965
VirtualQuery hooked: f=8BFF558BEC, m=0F86B7EF93
VirtualQueryEx hooked: f=8BFF558BEC, m=8BE436F3EA
WinExec hooked: f=8BFF558BEC, m=900F862997
WriteFile hooked, jump to 00191852
WriteFileEx hooked: f=8BFF558BEC, m=9068C46176
WriteProcessMemory hooked: f=8BFF558BEC, m=86E4EB0F3E
_lcreat hooked, jump to 00191824
_lopen hooked, jump to 001917E7

user32.dll
SendInput hooked, jump to 001917CB
keybd_event hooked: f=8BFF558BEC, m=F2F23EF30F
mouse_event hooked: f=8BFF558BEC, m=3EF3F22EC1


ws2_32.dll
WSAAccept hooked: f=8BFF558BEC, m=68E4819663
difference at relocated offset 71AC0C69 in WSAConnect
WSADuplicateSocketA hooked: f=8BFF558BEC, m=67F3660FBF
WSADuplicateSocketW hooked: f=8BFF558BEC, m=260F8668F7
WSARecv hooked: f=8BFF558BEC, m=3667F2F3E9
difference at relocated offset 71ABF5D6 in WSARecvDisconnect
WSARecvDisconnect hooked: f=8BFF558BEC, m=87C9FF2C25
WSARecvFrom hooked: f=8BFF558BEC, m=6894B14693
WSASend hooked: f=8BFF558BEC, m=FF2C253E62
WSASendDisconnect hooked: f=8BFF558BEC, m=87C9900F86
WSASendTo hooked: f=8BFF558BEC, m=6586C026E9
WSASocketA hooked: f=8BFF558BEC, m=0FA4DD0036
WSASocketW hooked, jump to 00190884
accept hooked: f=8BFF558BEC, m=8D3FEB0590
connect hooked: f=8BFF558BEC, m=87C9FF2C25
recv hooked: f=8BFF558BEC, m=68C4617643
recvfrom hooked: f=8BFF558BEC, m=3E2E0FA4DD
send hooked: f=8BFF558BEC, m=6A7D689F04
sendto hooked: f=8BFF558BEC, m=90F3F22667
socket hooked: f=8BFF558BEC, m=86C03E2EFF
Done
psapi.dll

advapi32.dll
ControlService hooked, jump to 00190420
CreateProcessAsUserA hooked: f=8BFF558BEC, m=3E8AFF8DAD
CreateProcessAsUserW hooked: f=8BFF558BEC, m=6766678D74
difference at relocated offset 77E15C9D in CreateProcessWithLogonW
difference at relocated offset 77E15C9F in CreateProcessWithLogonW
CreateServiceA hooked, jump to 00191721
CreateServiceW hooked, jump to 0019170B
ElfClearEventLogFileA hooked, jump to 00190472
ElfClearEventLogFileW hooked, jump to 001916C8
InstallApplication hooked: f=8BFF558BEC, m=2E3EFF2C25
LogonUserA hooked: f=8BFF558BEC, m=90656894B1
LogonUserW hooked: f=8BFF558BEC, m=F39087ED65
LsaAddAccountRights hooked, jump to 00191689
LsaAddPrivilegesToAccount hooked, jump to 0019165C
LsaCreateAccount hooked, jump to 0019049D
LsaOpenAccount hooked, jump to 001904C5
LsaOpenSecret hooked, jump to 0019161B
LsaQuerySecret hooked, jump to 001904DC
difference at relocated offset 77DF02D6 in LsaRetrievePrivateData
LsaSetSecret hooked, jump to 001915EB
difference at relocated offset 77DF04A1 in LsaStorePrivateData
LsaStorePrivateData hooked, jump to 001915AD
difference at relocated offset 77DF64A0 in OpenEventLogA
OpenEventLogW hooked: f=8BFF558BEC, m=0F878A9E35
OpenProcessToken hooked, jump to 0019053F
OpenSCManagerA hooked, jump to 00191591
OpenSCManagerW hooked, jump to 00191551
OpenServiceA hooked, jump to 00190578
OpenServiceW hooked, jump to 0019153B
OpenThreadToken hooked: f=8BFF558BEC, m=680C693ECB
RegCreateKeyA hooked: f=8BFF558BEC, m=268BE490F2
RegCreateKeyExA hooked: f=8BFF558BEC, m=3E2E36EAFE
RegCreateKeyExW hooked: f=8BFF558BEC, m=2686E42E36
RegCreateKeyW hooked: f=8BFF558BEC, m=9086C02EF2
RegDeleteKeyA hooked: f=8BFF558BEC, m=6A4568E70C
RegDeleteKeyW hooked: f=8BFF558BEC, m=36650FACC9
RegDeleteValueA hooked: f=8BFF558BEC, m=86C0642E67
RegDeleteValueW hooked: f=8BFF558BEC, m=26F29C9067
difference at relocated offset 77DFC41B in RegOpenKeyA
RegOpenKeyA hooked: f=8BFF558BEC, m=660FBFD264
RegOpenKeyExA hooked: f=8BFF558BEC, m=2E36F367C0
RegOpenKeyExW hooked: f=8BFF558BEC, m=36FF2C2590
RegOpenKeyW hooked: f=8BFF558BEC, m=F29C659090
RegSetKeySecurity hooked: f=8BFF558BEC, m=F3F2F3649C
RegSetValueA hooked: f=8BFF558BEC, m=6894B14693
RegSetValueExA hooked, jump to 001905B1
RegSetValueExW hooked, jump to 00191527
RegSetValueW hooked: f=8BFF558BEC, m=8BC00F8C00
RevertToSelf hooked: f=8BFF558BEC, m=3E8D920000
SetFileSecurityA hooked: f=8BFF558BEC, m=909C0EF265
SetFileSecurityW hooked: f=8BFF558BEC, m=0F01442488
SetNamedSecurityInfoA hooked, jump to 00191512
SetNamedSecurityInfoExA hooked, jump to 001905E8
SetNamedSecurityInfoExW hooked, jump to 001914DA
SetNamedSecurityInfoW hooked: f=8BFF558BEC, m=F694E4A3FA
SetSecurityInfo hooked: f=8BFF558BEC, m=6686E486C0
SetSecurityInfoExA hooked, jump to 001905FE
difference at relocated offset 77E23AB1 in SetSecurityInfoExW
StartServiceA hooked, jump to 00190634
StartServiceW hooked, jump to 0019066E
SystemFunction029 hooked: f=8BFF558BEC, m=90FF2C256D
SystemFunction034 hooked: f=8BFF558BEC, m=9065676AAD
SystemFunction035 hooked: f=8BFF558BEC, m=670FA4ED00
SystemFunction040 hooked: f=8BFF558BEC, m=EAF18DDF77
SystemFunction041 hooked: f=8BFF558BEC, m=362E0F8612
UninstallApplication hooked, jump to 00191495

ole32.dll
CoCreateInstance hooked: f=8BFF558BEC, m=2E9086C0F2
CoCreateInstanceEx hooked: f=8BFF558BEC, m=F28ADB909C
CoGetClassObject hooked: f=8BFF558BEC, m=C1D7009026
CoGetInstanceFromFile hooked: f=8BFF558BEC, m=3666C1D300
difference at relocated offset 77596327 in CoInstall
CoInstall hooked: f=8BFF558BEC, m=36EA2F6359
CoLoadLibrary hooked, jump to 0019085F
CoRevertToSelf hooked, jump to 00191075
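The listing above is the page's own scanner output; what follows is an added example, not the author's tool and not code from this page. It assumes the dump's notation reads the way hook scanners usually report it: `f=` is the expected hot-patch prologue of the function on disk (8B FF 55 8B EC, `mov edi,edi; push ebp; mov ebp,esp`), `m=` is what actually sits at the entry point in memory, and `jump to 0019xxxx` is a relative jump whose target the scanner could resolve. Many of the `m=` values in the dump are strings of segment-override, size-override and rep/lock prefixes padded with `nop`, `mov eax,eax` and `xchg ecx,ecx`, which reads like a jump hidden behind junk prefixes rather than a bare E9; the decoder below skips that junk before looking for the jump, and reports an indirect `jmp [disp32]` separately because its target lives in memory, not in the instruction. The function address (0x7C801000) and the sample bytes are constructed; the 0x00191AD9 target is borrowed from the CreateFileA line purely as an illustrative value. On Windows the input bytes would come from reading the export's entry point in-process or via ReadProcessMemory; that part is left out so the decoder runs anywhere.

```c
/* Added example (not the page's tool): classify the first bytes of an x86
 * API entry point and, for a relative jump, recover the detour target. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hook_kind {
    HOOK_NONE,            /* bytes are the expected hot-patch prologue */
    HOOK_JMP_REL32,       /* E9 rel32 (possibly behind junk prefixes); target recoverable */
    HOOK_JMP_INDIRECT,    /* FF 25 [disp32] or FF 2C 25 [disp32]: target must be read from memory */
    HOOK_UNKNOWN_PATCH    /* entry bytes changed in some other way */
};

/* 8B FF 55 8B EC = mov edi,edi ; push ebp ; mov ebp,esp  (the "f=" value in the dump) */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Skip legacy prefixes and no-op fillers of the kind seen in the "m=" bytes above:
 * 26/2E/36/3E/64/65 segment overrides, 66/67 size overrides, F0/F2/F3 lock/rep,
 * 90 nop, 8B C0 mov eax,eax, 8B FF mov edi,edi, 87 C9 xchg ecx,ecx. */
static size_t skip_junk(const uint8_t *b, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t c = b[i];
        if (c == 0x26 || c == 0x2E || c == 0x36 || c == 0x3E || c == 0x64 || c == 0x65 ||
            c == 0x66 || c == 0x67 || c == 0xF0 || c == 0xF2 || c == 0xF3 || c == 0x90) {
            i++;
            continue;
        }
        if (i + 1 < n && ((c == 0x8B && (b[i + 1] == 0xC0 || b[i + 1] == 0xFF)) ||
                          (c == 0x87 && b[i + 1] == 0xC9))) {
            i += 2;
            continue;
        }
        break;
    }
    return i;
}

/* b: the first n bytes of the function as found in memory; va: its virtual address.
 * On HOOK_JMP_REL32, *target receives the address the detour lands on.
 * Only the entry point is examined; a detour placed deeper in the body is not seen. */
enum hook_kind classify_entry(const uint8_t *b, size_t n, uint32_t va, uint32_t *target)
{
    if (n >= 5 && memcmp(b, HOTPATCH_PROLOGUE, 5) == 0)
        return HOOK_NONE;

    size_t i = skip_junk(b, n);
    if (i + 5 <= n && b[i] == 0xE9) {
        uint32_t rel = (uint32_t)b[i + 1] | ((uint32_t)b[i + 2] << 8) |
                       ((uint32_t)b[i + 3] << 16) | ((uint32_t)b[i + 4] << 24);
        if (target)
            *target = va + (uint32_t)i + 5u + rel;   /* rel32 is relative to the next instruction */
        return HOOK_JMP_REL32;
    }
    if (i + 6 <= n && b[i] == 0xFF && b[i + 1] == 0x25)
        return HOOK_JMP_INDIRECT;                    /* jmp dword ptr [disp32] */
    if (i + 7 <= n && b[i] == 0xFF && b[i + 1] == 0x2C && b[i + 2] == 0x25)
        return HOOK_JMP_INDIRECT;                    /* jmp far fword ptr [disp32] */
    return HOOK_UNKNOWN_PATCH;
}

/* Build the 5-byte E9 detour a hooking engine writes at `from` to reach `to`. */
void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5])
{
    uint32_t rel = to - (from + 5u);                 /* wrap-around gives the signed rel32 */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

int main(void)
{
    /* Constructed sample: pretend CreateFileA sits at 0x7C801000 and a HIPS detoured it
     * to 0x00191AD9 behind four bytes of junk prefixes (3E 26 F3 90). */
    uint8_t hooked[9] = { 0x3E, 0x26, 0xF3, 0x90 };
    encode_jmp_rel32(0x7C801004u, 0x00191AD9u, hooked + 4);

    uint32_t target = 0;
    enum hook_kind k = classify_entry(hooked, sizeof hooked, 0x7C801000u, &target);
    if (k == HOOK_JMP_REL32)
        printf("CreateFileA hooked, jump to %08X\n", target);
    else
        printf("CreateFileA entry kind %d\n", (int)k);
    return 0;
}
```

Once the scanner can name the detour target, "tampering" with the hook is only a matter of writing the five prologue bytes back (or following the detour and patching the product's trampoline), which is the point the July 28 post is making: a user-mode hook that a scanner can enumerate is a hook the same process can remove, unless something outside that process enforces it.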

Tuesday, March 4, 2008

2008... what's in store?

The security game is a game of cat and mouse: Jedis vs. Sith, with the Sith usually having the upper hand. What is going to be the big news this year? Overflows will still rear their heads, this is a given, but what is going to be the direction for this year? Web application security seems to be a big issue brought into the light this year. Sites like MySpace and Facebook, both of which are constantly under scrutiny, continue to erupt with vulnerabilities. There is always a trade-off when attempting to design software with ease of use in mind. You don't want to make something too hard, or the users won't use it, but you don't want to leave it sitting wide open either. It will definitely be interesting to see how the web arena plays out. Any other thoughts on vulnerability directions this year?
