Blog

Spraying Just in Time by cr01nk

// April 29th, 2010 // No Comments » // Blog

Written by: cr01nk
(cr01nk@gmail.com)

Before you start reading this blog, I would like you to know that I like to be wrong, because I believe it is the only way I can correct myself. So if you feel anything is wrong, or is not addressed in its proper terms, please leave comments below. Thanks.

Recently I have been working on a paper that was presented at Blackhat DC 2010 by Dion Blazakis, in which he demonstrated a technique that could be used to bypass ASLR and DEP in software that provides JIT-based capabilities. For example, all browsers have the capability to run Flash code, which has its own intermediate language that is compiled once the Flash content is loaded into the browser.

The JIT compiler works by loading intermediate language code into the IL compiler (in the case of Flash it is Flash.ocx), which then compiles it to x86 code in a memory region with "r+x" permission, according to that paper. Figure-1 shows the user-level code written by the developer, and Figure-2 what it actually turns into once the JIT compiler has done its optimization and all the other usual things a compiler does.

It is clear from the above instructions that the JIT compiler modifies the code but the logic remains the same. Coming back to what Dion Blazakis presented in his paper: he demonstrated that the compiler only optimizes when required; in fact, he showed that if we XOR many times (as shown in Figure-1) we can control the instructions generated by the JIT compiler (see Figure-2).

Figure-1: User level code written in ActionScript

Figure-2: The previous code translated into x86 machine code

Thus, on controlling the opcodes, the paper makes a very interesting observation about the instructions and how to control them.

In this blog I will explain all the difficulties I faced while making stable exploitation of CVE-2010-0188 possible.

Before starting this, I got the CVE-2010-0188 code from here; go check it out. For those who don't know, CVE-2010-0188 is an Adobe Reader vulnerability present in all versions of Adobe Reader < 9.3.0. Now I am sure you have checked this code out; it is written for Windows XP2. After a small binary analysis of this vulnerability, I will continue with the difficulties of exploiting it in Adobe Acrobat 9.3.0, which is both DEP and ASLR aware, on Windows 7.

JIT code debugging: We all love to know what happens when, but making this happen in JIT-based debugging is not as easy as it sounds. I have written a script for Immunity Debugger that hooks the VirtualProtect, HeapCreate and VirtualAlloc functions, with all their arguments and outputs logged once the file is loaded into a process. This seemed the most logical way for a process to compile code and change its permissions to "r+x" at runtime (for more details, look up these functions on MSDN). But this theory was broken, or I might have messed up the implementation; I could not find any source explaining the internals of the JIT (if you know of one, let me know). See Figure-3 for the hooked results of VirtualProtect while loading the process.

Figure-3: VirtualProtect hooked. It prints VirtualAlloc but it is actually VirtualProtect.

Figure-4: JIT spraying in Acrobat Reader

Making Adobe Flash embed and run as soon as the PDF is opened in the PDF reader: this problem was solved with the help of this blog and a little help from the Adobe Supplement to ISO 32000 reference found in the Adobe Acrobat SDK.

Finally, after doing all this, I was able to write a stable JIT spray on Adobe Reader. There is lots of shellcode available for JIT-based exploits; for example, have a look at this one.

The point I want to make here is that now every other piece of software comes with some level of JIT-based code support. Some examples of intermediate languages are Java, ActionScript and .Net, to name a few.

null April Fool Prank – By @

// April 2nd, 2010 // No Comments » // Blog

It was 5:30 PM, I was sitting in my cube lazing around, doing nothing, and suddenly it dawned on me: why not pwn our own site (an empty mind is the devil's workshop :P )? I started to write a small HTML page that had the most common features of a defaced page: black background, red font, st3r30typ1c4l 4lph4b3t. At the end of the file I put a message in black font color, just to see if people take the time to go through the source of the page, and also to prove that it was not an actual defacement :-P , which was more of a factor. I asked Ajit for a code name for the defacer and he suggested a mock of India's biggest H4ck3r ever (yeah, you guessed it right :-P , The Lamer). I deliberately pointed corrupt to the website and he understood that it was a prank, and at the same time sanyal also got to know about it. Abhijeet and Rohan fell for it and talked to Corrupt and Antz (who assumed it to be a prank). I had advised everyone who knew about it not to tell anyone else, not even the moderators.

At around 6:00 or so I got a call from heman (Moderator); worried and concerned, he told me that our site had been PWNED. "Damn!!! Yeah, someone just told me about it," I said. Heman was at home at that time.

Meanwhile Ajit called Murtu (Moderator) and told him that the site had been pwned. He, as usual, started asking a lot of questions.

Suddenly there’s a popup in gchat…..

"Tushar: null.co.in is pwned….

bring the site down for maintenance….and we can look at the logs.."
I talked to him for some time and he was convinced that we had a breach.
I then changed the defacer's name to ch0r (which later proved to be an intelligent decision).

The defaced Page
After some time I saw heman in the office. "What happened? You are back in the office," I asked him. He couldn't sit at home while some a$$ called ch0r defaced our site. He asked how the hell the name of the defacer had changed. I told him I had deleted the file but then it came back again with a different name, and it looked like he had persistent access to our website. He then suggested I call up our hosting provider. I went into the conference room and pretended I was talking on the phone. After about a minute I came back to the cube and guess what :-O heman was looking at the source of the defaced page and also saw the bottom message in the source:
<font color="black">BUSTED!!!!!!   Happy Pranky April fool's day :-P – by @ Please don't send an email about the April fool thing to the list and spoil the fun. We will talk about it tomorrow :-) </font>
</html>
BUSTEDDDDDDD!!!! I started laughing. He looked at me and said………………
What did the hosting guys say?????????
Wait a minute…. didn't he just see the message? Well, maybe not… We are still alive :-P . That was the time I created the "server being pwned" $hit and everyone took it. I then befriended sanyal and told him to send an email to the list about the defacement, because if I did it then people might get suspicious.
Meanwhile Murtu reached home and called me up and said "It was only a file and I have deleted it". I told him to check the thread on the null list.
I then decided to break the news and Ajit called him up.
Murtu: Hello, yes, what is it?
Ajit: Did you see our site?
Murtu: Where are you? In the office?
Ajit: Yes, did you see our site or not?
Murtu: That index file has been lying there for 2 hours, couldn't you have deleted it? What were you doing?
Ajit: Sir, just look at the source code of the file.
Murtu: <Silence>…..
Ajit & @: Mwwwahahahahahahaha….
HANG UP……….
Surprisingly, I got a call from my ex-manager. He told me to check our website as he had got a call from his friend about the defacement, and I had to break the news to him too…Mwwahahahaha…..
Pwned, he said, laughing out loud: "That was a cheap joke"……..
Well, that's us….. End of story. Pwned or not, everyone had a laugh :-D
—–X—–X—–X—–X—–X—–X—–X—–X—–X—–X—–X—–X—–X—–
Oh wait there’s more
At around 9:30 PM heman called up and told me he was trying to call the hosting guys but the number was not reachable………………….
MWWWWAHAHAHAAHAHAHHA

CopTech … (Ajit Hatti)

// September 21st, 2009 // 3 Comments » // Blog

Event : CopTech
Date : 16th September
Venue : Commissioner Office, Pune

Introduction to CopTech :

Pune Police, along with Nasscom and the Data Security Council of India (DSCI), on 30 June established the CopTech forum to increase the sharing of ideas and knowledge on cyber security between the cops and the IT industry. In the presence of many CXOs of renowned IT companies and top brass cops, Commissioner of Police Satya Pal Singh signed a memorandum of understanding (MoU) with Nasscom.

< IT companies see CopTech as a great business opportunity. Somehow we didn't find anyone from IBM, who were there in the last inaugural meet>

The Event :

Presence : 60+ members, mostly from IT, BPO, security consultants and NULL. <around 14 NULL members, majority :) >
Anchored by : DCP Rajendra Dahale.
Headed by : Commissioner of Police Dr. Satya Pal Singh

<He has huge popularity among the youth, probably the only tech-savvy commissioner who blogs, inaugurates hacker summits and promotes cyber security at such a great level>

Other dignitaries :

Mr. Pratap Reddy (IPS, Security Advisor to NASSCOM)

<Guys, we were impressed by his knowledge and great visibility into the operations of the IT and Police departments.>

Anant Shinde (Add. Comm. of Police Crime Branch)

Deepak Shikarpur (President Computer Society Of India)

<Pune's IT icon, he is very popular in Pune and writes columns; I have read some of his sci-fi type tech columns :) >.

Anand Deshpande (MD Persistent Systems)

<Persistent is a highly respected organization in Pune. Its Dewang Mehta auditorium is home to many technical conferences and community driven activities>

Opening Speech : Mr. Dahale
Briefed on the CopTech initiative and the challenges in front of the cyber crime department.
A few interesting points I jotted down from his speech:

1. Cyber Crime Cell Pune – formed on 1st July 2003; 5 cases were registered in the same year.
2. 207 cases were registered in 2008
3. 182 cases have been reported till 31 Aug 2009
4. The major cyber crime complaints comprise:
   1. Defacing on Orkut and other social sites (67)
   2. Nigerian frauds (12)
   3. Mobile hacking (52)
   4. Email account hacking (11)
   5. Others.

The Highlight of CopTech : Mr. Pratap Reddy

Mr. Reddy took the discussion further and enumerated the challenges the Police department has in front of them:

1. Modernising the Police Control Room : Drawing an analogy between the Police Control Room and the BPO industry, Mr. Reddy said that there's a lot the department can learn from the BPO industry to better manage operations. He gave 3 points of focus :
a. People : to be trained in soft skills and to work with more efficiency.
b. Process : redefine processes to better manage the control room operations, and
c. Technology : to facilitate the people in executing processes and operations more effectively and efficiently.

2. Effectively channelising the information gathered from the control room to the task forces which work at the actual site of incidents.
a. Improvements in response time
b. Exploit the information effectively
c. Use of digital gadgets like GPS, digital maps etc.

3. Data Mining. The department has huge data and it is ever increasing. Finding relevant information is the biggest challenge. The department is in need of appropriate technology/tools to improve its data mining capabilities.

4. Use of CCTV and video analytics in real time to proactively control incidents and improve response time.
He said currently CCTV is used in a reactive manner. The department needs technology which can analyse the videos and generate alerts/inform the control room in real time.

5. Modern cyber forensic lab, tools and expertise. In the current state, the cyber crime cell takes a good amount of time to solve cases. With enhanced tools and expertise there is good scope to minimize the turnaround time.

6. Citizen Advisory : Stressing prevention, Mr. Reddy said it's highly important to make citizens aware of threats on the net. Awareness is a good way to fight cyber crime.

The IT Icon of Pune – Deepak Shikarpur:

Deepak Shikarpur said:

"In my childhood I saw two films back to back, Pandu Havaldar and James Bond, and had thought: when will our Pandu Havaldar become James Bond? And I'm pleased to tell that with the modernisation, technology and the new outlook of these dedicated cops, yes, we feel that our cops are no less than James Bond".

<Yes Sir!!! We all agree with you on that>.

The Chief – Dr. Satya Pal Singh :

Addressing the CopTech Forum, Dr. Satya Pal Singh read out another lottery mail which he had received on his BlackBerry and challenged the corporates to come up with better spam filters.

"It's like a marriage of the Police Department and Technology. And the relation is dominated by the stronger party. Technology is the stronger party, and hence the department has taken up this challenge to make better use of technology and work in a smart, effective and efficient manner."

He also made an early announcement of a new modern forensic lab in Pune which will probably be the best in the country.

<Tentative date of official inauguration is 7th Oct., but the department is yet to find a chief guest to inaugurate it>

Vote of Thanks :
Mr. Tungar thanked the corporates, dignitaries and NULL members present for the meet.

We null members had a good long discussion with Mr. Tungar on their day-to-day challenges, non-cooperation, loose operations of the IT and telecom industry etc. He also discussed a famous case where a person was the victim of digital evidence which was against him, and how they solved the case based on their experience with humans and not with machines. We had a great time with him.

With sips of coffee, crackles of wafers and the sweetness of gulab jamuns, we indulged in networking with many other eminent IT personalities present at CopTech.

It was a great event. We were amazed by the humbleness of the Police department and their drive to achieve technical excellence, right from operations to dealing politely with taxpayers.

Dr. Satyapal Singh said:

"The control room daily receives thousands of calls, 75% of which are irrelevant, misguiding or just to ask for some lame address. But still we would like our force to stay cool and improve on their soft skills."

Obviously this event has increased my respect for the Police force and has motivated me (rather, all nulls) to contribute to this drive called CopTech…

Enjoy,

~Ajit


Introduction to vulnerability research

// September 2nd, 2009 // No Comments » // Blog

I often get asked by many people how we discover new vulnerabilities or code exploits. So, finally, I decided to spend some time and make a small tutorial on what vulnerability research is all about. Well, it's not a tutorial as such, more of an introduction. But I have covered all aspects of it – right from discovery to the exploit creation process. I have made this a three part series on discovering ActiveX vulnerabilities using fuzzing. This tutorial could serve as a good "jump start" for all the folks looking to get into fuzzing and vulnerability research.

Discovering ActiveX Vulnerabilities — Part 1 [ Introduction ]
Discovering ActiveX Vulnerabilities — Part 2 [ Fuzzing ]
Discovering ActiveX Vulnerabilities — Part 3 [ The Exploit ]

njoy,

~DaH4ckeR

World’s slimmest TCP port scanner – By @

// July 30th, 2009 // No Comments » // Blog

Ok, the name is a pun on Titan's watch :-P and is something that is an outcome of a really cool bash feature which I'll be discussing. Bash provides a way to create a TCP connection or send UDP packets to a host on a given port; the cool thing is that you don't have to rely on other scripting languages or programs for creating sockets/network connections when writing a shell script. Using this feature one can write simple to complex network utilities/scripts (a sigh of relief for scripters :-) if that is a word).
NOTE: This is a bash-provided feature (if it is compiled with the --enable-net-redirections option) and has nothing to do with /dev devices.

Using these sockets/connections is as simple as accessing a file, which is in line with the Unix philosophy. All you need to do is read/write to files of the form:

/dev/<protocol>/<host>/<port>

where, <protocol> = tcp | udp
<host> = hostname | IP
<port> = port number.

For example, let's say you want to send a custom payload to a web server; you can do it with the following command:

$ echo -en "HEAD / HTTP/1.0\r\n\r\n" > /dev/tcp/example.com/80

You won't get anything in return, for obvious reasons (no read!). Now you'll say, what good can this be? Well, you can assign it an fd and read from and write to that fd if your script is network-interactive and expects some data in response.

Example commands:
# 15 is just a random fd that I chose; you can choose any fd number you like.

$ exec 15<> /dev/tcp/example.com/80
$ echo -en "HEAD / HTTP/1.1\r\nhost: example.com\r\n\r\n" >&15
$ cat <&15
HTTP/1.1 302 Found
Date: Thu, 30 Jul 2009 21:56:37 GMT
Server: Apache
Location: https://example.com:443/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Finally, time for the slimmest TCP port scanner:

#!/bin/bash
# Usage: $ tcpscan.sh <host> <start_port> <end_port>
# /dev/tcp is a bash feature, so this must run under bash, not /bin/sh.

for p in `seq $2 $3`; do (echo "foo" > /dev/tcp/$1/$p) &> /dev/null; RET=$?; if [ $RET -eq 0 ]; then echo "$p/tcp open"; fi; done

I know it looks ugly :-P , no sanity checks etc., had to keep it slim you know…
Tell me when you use it in your shell scripts.
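As an added example (not from the original post, and not null's code), here is the same /dev/tcp redirection wrapped in functions: a port check with a connect timeout, which the one-liner above lacks, so a port that silently drops packets does not stall the whole loop, plus the fd-based HEAD exchange from the interactive example with its status line parsed out. Host, port and fd numbers are the caller's own choice; nothing is hard-coded.

```bash
#!/bin/bash
# Added example, not from the original post: bash's /dev/tcp redirection
# wrapped in helper functions. Host, port and fd numbers are the caller's
# choice; nothing here is hard-coded.

# tcp_port_open HOST PORT [TIMEOUT_SECS]
# Exit status: 0 connected, 1 refused/unreachable/unresolvable,
# 2 no answer within the timeout (the case the one-liner above hangs on).
tcp_port_open() {
    local host=$1 port=$2 secs=${3:-2}
    # The connect happens when the redirection is set up. Bash offers no
    # connect timeout for /dev/tcp, so run it in a background subshell
    # and enforce the deadline ourselves.
    ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null &
    local conn=$!
    # Watchdog: terminate the pending connect once the deadline passes.
    ( sleep "$secs"; kill "$conn" 2>/dev/null ) &
    local dog=$!
    wait "$conn"; local rc=$?
    kill "$dog" 2>/dev/null || true
    wait "$dog" 2>/dev/null || true
    case $rc in
        0)   return 0 ;;   # connected, port is open
        143) return 2 ;;   # 128+SIGTERM: killed by the watchdog
        *)   return 1 ;;   # connection refused or host/name error
    esac
}

# http_status_from_fd FD
# Reads the first line of an HTTP response from an already open fd and
# prints it without the trailing CR, e.g. "HTTP/1.1 302 Found".
http_status_from_fd() {
    local line cr
    cr=$(printf '\r')
    IFS= read -r line <&"$1" || return 1
    printf '%s\n' "${line%"$cr"}"
}

# http_head HOST [PORT]
# The fd-15 exchange from the interactive example above, as a function:
# send a HEAD request and print the status line. A failed connect makes
# the group redirection fail (status 1) instead of aborting the script.
http_head() {
    local host=$1 port=${2:-80}
    {
        printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' \
            "$host" >&15
        http_status_from_fd 15
    } 15<>"/dev/tcp/$host/$port"
}

# Stand-alone use: ./devtcp.sh HOST PORT
if [ $# -ge 2 ]; then
    if tcp_port_open "$1" "$2"; then
        echo "$2/tcp open on $1"
        [ "$2" -eq 80 ] && http_head "$1" "$2"
    else
        echo "$2/tcp not open on $1"
    fi
fi
```

The watchdog only bounds the connect; a server that accepts and then never answers still blocks the `read` in http_status_from_fd, so add `read -t` there if you script against unknown hosts.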

Morro is coming… (Ajit Hatti)

// June 20th, 2009 // 2 Comments » // Blog

I have always been saying that “The best things in the world are for free ….fresh air, sunlight, friends, Linux……” :D

Here is some free stuff from Microsoft (not joking :D ), but whether it will be the best, I'm doubtful. After Windows Defender, which is a free anti-malware from Microsoft, it is now coming up with a new single-step security solution for Windows users, code named Morro. Morro is to succeed OneCare, the paid version of Microsoft's security offering.

(Surprisingly, not many people know about Windows Defender. One of the obvious reasons is the failure of Vista, which has Windows Defender built in. And the majority of people are using XP, where Windows Defender must be downloaded, and are still using third party A/V.)

As we approach the Beta release of Morro I have some interesting doubts/points :

1. So lately Microsoft has agreed that people out there need a "Good and Free" security solution for the problem which they have created. The question is: is Morro out of social responsibility, or Microsoft's strategy to throw the antivirus giants out of the market?

2. It seems Morro will be available to download and not be bundled with future Windows releases. I guess the focus is to provide the service only to licensed users (in India many of us use pirated Windows and licensed antivirus :D , so does that mean no Morro for many of us?)

3. How good will Morro be in terms of effectiveness and resource efficiency? As far as Microsoft's image goes, experts don't rule out the possibility of security issues with Microsoft's security products too (now this will get more interesting: Microsoft releasing patches for Morro every Patch Tuesday :D ). Also the user experience and system performance will be other good things to watch out for.

4. With Morro (coming for free) it should enhance Windows' reputation as a secure OS. I know many people saying no to Windows and using Linux just for security reasons and to avoid all the 'Anti' crap. Will Morro help Windows fight Linux in the long term race?

Let's wait and watch till Morro (Beta) is released and thoroughly grilled by users…… Let me know what you guys feel about Microsoft's Morro move.

~Ajit Hatti

(adh@null.co.in)

Web threats ..a new wave! – by Hemanshu

// June 17th, 2009 // No Comments » // Blog

Today the omnipresence of the internet makes your browser the favorite attack vector for the bad guys. Initially content filtering solutions (think Websense) looked effective in curbing malicious websites, but of late there has been a revival of malicious websites, and what is interesting is that more and more legitimate websites are getting infected (MSN Canada, NITIE, Bank of India). Once a legitimate site starts distributing malware or is compromised, there is little your web filtering solution or firewall can do about it. To add insult to injury, attackers have now turned to obfuscating the attack payload to evade any security apparatus like an IPS in place. JavaScript looks to be the tool of choice; it's universally supported in all browsers (and in PDFs too.. but that's again a long story). Known attacks like Gumblar have started leveraging obfuscation; an excellent description is here. These obfuscations make it very hard for a signature based security engine to confidently detect an attack.

I have never been a fan of signature matching solutions; they are dumb and reactive and would always produce more false positives than a DPI based solution. Robert Graham does a nice analysis here.

And things are only gonna get more interesting from here. Think of a payload which does a JavaScript -> VBScript -> JavaScript transformation. JavaScript is just the beginning; browsers are becoming the next platforms, and every universal plugin will bring newer threats with it (Java applets, Flash, third party plugins).

The need of the hour is to develop more heuristic and context aware engines. Solving this problem at the network is gonna be a challenge; instead of the perimeter, a proxy could be a more suitable carrier (as latency is added only to the web requests, whereas in the case of an IPS the latency is added to the whole network). But nothing could do it faster than an end point solution (and please, I am not talking about the stupid Anti Virus!)