null – The open security community n|u

n00bRAT

// August 29th, 2010 // No Comments » // Projects

Name: n00bRAT
Category: Backdoor
Author/Owner: Abhishek Kumar
Download URL: http://n00brat.sourceforge.net/

Description:

An undetectable Remote Administration Tool -OR- trojan, an all new approach. Easily usable, Client just requires any Web Browser to control remote machine via WebPage. Fooling firewalls/ids/ips security solutions, as it operates like any web-site.

Spiderpig

// June 8th, 2010 // No Comments » // Projects

Name: Spiderpig
Category: PDF Fuzzer
Author/Owner: cons0ul
Download URL: http://code.google.com/p/spiderpig-pdffuzzer/

Description:
Adobe and others uses javascript in pdfs to enhance standard workflow for example connecting to database ,spell checking,printing n viewing etc..when we open pdf in reader,it executes this javascript code(ya we all know that). so goal of spiderpig is to find bugs in pdf reader’s javascript engine. spiderpig reads methods prototype from an input file and creates pdf file. Most of the pdf fuzzers which are available on internet are file format fuzzers which tries to fuzz the adobe’s file format implementation.I didnt find one fuzzer which fuzzes adobe’s javascript imeplementaiton,so here we have spiderpig a javascript fuzzer for pdf file format which tries to screw up pdf reader using javascript methods.

spiderpig uses bruteforce method to abuse reader, it creates methods using all range of evil parameters.If you are aware of fuzzers like axman and dranzer,you know what I am talking about.spiderpig reads methods prototype from an input file and creates stream of javascript code and then this stream is then added into pdf file using makepdf module.
An example Input file is in spiderpig’s directory named as test.proto .
test.proto contains methods prototypes with (object/namespace scope)which helps spiderpig to understand the method and its parameters.Add prototypes of methods which are you going to test in this file.Each new method must be written on new line. For example if you want to test methods [alert] and [beep] methods from [app] object you can write prototype as follows

app.alert(nIcon,nType,cTitle,oDoc,oCheckbox)
app.beep(nType)

it will create 2 pdfs 1 for app.alert(app.alert.pdf) and another for app.beep(app.beep.pdf).

>>/parameters type:
spiderpig understands type of parameter(strin,number,boolean,object) by reading
the first character of parameter written in methods prototype.
spiderpig understands,
n for numbers
b for boolean
o for object
c for string

so while writing prototype add them as shown in above example.

spiderpig uses javascript console(console.println and console.show) functionality provided by adobe reader to create log.so you can see which method call is being called.see following screenshot

Here are the steps to use spiderpig:
1>download spiderpig
2>extract it to folder
3>create a file for example test.proto in this file write methods prototypes
4>open comand prompt and goto the folder.
4>type python sp.py <folder-path> test.proto
where <folder-path> is exsisting folder in which pdfs will be created.
5>open pdf reader.
6>attach debugger.
7>open pdf file in reader.
8>do reverse engineering

Wireplay

// March 17th, 2010 // No Comments » // Projects

Name: wireplay

Category: Generic Fuzzer

Author/Owner: Abhisek Datta

URL: http://code.google.com/p/wireplay/

Description:

A minimalist approach to replay pcap dumped TCP sessions with modification as required.

The aim of this project is to build an usable but simplistic tool which can help in selecting the TCP session to replay. It can play both client as well as the server during a replay session.

Obviously replay attacks doesn’t work against protocols which are cryptographically hardened or implements protocol specific replay prevention mechanism like challenge/response etc. Wireplay implements a plugin/hook subsystem mainly for the purpose of working around those replay prevention mechanism and also perform a certain degree of fuzz testing.

Current Features

user@linux$ ./wireplay
Wireplay - The TCP Replay Tool v0.2

Options:
        -r       --role    [ROLE]       Specify the role to play (client/server)
        -F       --file    [FILE]       Specify the pcap dump file to read packets
        -t       --target  [TARGET]     Specify the target IP to connect to when in client role
        -p       --port    [PORT]       Specify the port to connect/listen
        -S       --shost   [SOURCE]     Specify the source host for session selection
        -D       --dhost   [DEST]       Specify the destination host for session selection
        -E       --sport   [SPORT]      Specify the source port for session selection
        -G       --dport   [DPORT]      Specify the destination port for session selection
        -n       --isn     [ISN]        Specify the TCP ISN for session selection
        -c       --count   [NUMBER]     Specify the number of times to repeat the replay
        -H       --hook    [FILE]       Specify the Ruby script to load as hook
        -L       --log                  Enable logging of data sent/receive
        -K       --disable-checksum     Disable NIDS TCP checksum verification
        -T       --timeout [MS]         Set socket read timeout in microsecond
        -Q       --simulate             Simulate Socket I/O only, do not send/recv

In case the --shost && --dhost && --isn && --sport && --dport parameters are not supplied,
the program will load all the TCP sessions from file and ask the user to select a session to replay

Basic Usage

./wireplay -K --role client --port 80 --target 127.0.0.1 -L -F ./pcap/http.dump

The above runs wireplay with TCP checksum calculation disabled, replaying an HTTP session from ./pcap/http.dump file.

./wireplay --role client -F ./pcap/dcedump.dump --target 172.16.34.129 --port 135

The above example reads a dcedump (Dave Aitel’s dcedump) session from the file dcedump.dump (pcap dump file) and replays it.

What to do ?

• Fuzzing for Security Bugs
• General Software Testing
• Being cool..
• ??

Ruby Hook Interface

First: In order to have a real life example of Wireplay hooking capability and usage, take a look at hooks/rbhooks/cgen.rb

Wireplay implements a Ruby Interface for writing callback hooks. Hooks are called on occurrance of certain events like send-data, receive-data, error etc.

For a brief guide on writing Wireplay hooks in Ruby, read the Wireplay Hook Guide

Compilation

Wireplay uses a modified version of libnids library for TCP session reassembly from pcap frames. Read the Compilation Guide for some pointers.

Field Testing

• Microsoft Terminal Server Fuzzing
• Microsoft RPC Interface Fuzzing

bsqlbf-v2

// August 13th, 2009 // No Comments » // Projects

Name: bsqlbf-v2

Category: Blind SQL injection

Author/Owner: Sumit Siddharth

URL: http://code.google.com/p/bsqlbf-v2/

Description:

This tool allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:

• MS-SQL
• MySQL
• PostgreSQL
• Oracle

The tool supports 6 attack modes(-type switch):-

• Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
• Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
• Type 2: Blind SQL Injection in “order by” and “group by”.
• Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
• Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
• Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)