Chatsubo [(in)Security Dark] Labs

"... A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding into the distance... "
--
William Gibson.

Tuesday, 16 April 2013

IOActive Labs Research: Can GDB's List Source Code Be Used for Evil Purpos...

IOActive Labs Research: Can GDB's List Source Code Be Used for Evil Purpos...: By Alejandro Hernández @nitr0usmx One day while debugging an ELF executable with the GNU Debugger (GDB), I asked myself, "How...

Wednesday, 27 March 2013

DotDotPwn - The Directory Traversal Fuzzer: New Contributions to DotDotPwn !

DotDotPwn - The Directory Traversal Fuzzer: New Contributions to DotDotPwn !: We're happy to announce these two great contributions to DotDotPwn - The Traversal Directory Fuzzer. The 1st one was from...

Saturday, 16 March 2013

ssl_hostname_resolver.pl : CN (Common Name) grabber on X.509 Certificates over HTTPS

I had this simple idea during my previous pentest where, for some reason, I couldn't resolve some IP addresses to their corresponding hostnames, but the CN fields of their SSL certs (on HTTPS) had resolvable hostnames. So, I wrote this simple script !

Some security scanners, such as Nessus and Nikto2, report a CN that does not match the connected name as a security vulnerability:
"Standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by https://www.example.com/, the CN should be www.example.com."

Source:  X.509 Certificate Subject CN Does Not Match the Entity Name
http://www.rapid7.com/vulndb/lookup/certificate-common-name-mismatch


You can download it directly at:
http://packetstormsecurity.com/files/120634/Common-Name-Grabber-Script.html

Or...

#!/usr/bin/perl
# 
# ssl_hostname_resolver.pl
# CN (Common Name) grabber on X.509 Certificates over HTTPS
#
# Copyright (c) 2013 by Alejandro Hernandez, IOActive, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# I had this simple idea in my previous pentest where, for 
# some reason, I couldn't resolve some IP addresses to their 
# corresponding hostnames, but their CN fields (SSL certs 
# on HTTPS) had resolvable hostnames. So, I did this simple script !
#
# ----------------------------------------------------------------- 
#
# For some security scanners, such as Nessus and Nikto2,
# it's considered a security vulnerability:
#
# "Standard certificate validation procedures require the subject 
# CN field of a certificate to match the actual name of the entity 
# presenting the certificate. For example, in a certificate presented 
# by https://www.example.com/, the CN should be www.example.com."
# Source:  X.509 Certificate Subject CN Does Not Match the Entity Name
# http://www.rapid7.com/vulndb/lookup/certificate-common-name-mismatch
#
#
# Alejandro Hernandez < alejandro.hernandez [at] ioactive.co.uk >
# http://twitter.com/nitr0usmx
#
# IOActive Labs Research
# http://blog.ioactive.com
# 

use strict;
use warnings;
use Net::CIDR::Lite;
use NetAddr::IP;
use Net::SSL;

my $connection_timeout = 3; # seconds
$SIG{ALRM} = sub { }; # Do nothing when the connection timeout is reached instead of die

print <<HDR;

-=[ ssl_hostname_resolver.pl
-=[ by \@nitr0usmx
-=[
-=[ CN (Common Name) grabber on X.509 Certificates over HTTPS

HDR

sub usage
{
print <<USG;
-=[ Usage: $0 <targets> [port to connect (443 default)]
-=[ E.g. CIDR block : $0 192.168.1.0/24
-=[      IP Range   : $0 192.168.1.1-192.168.13.37
-=[      Single IP  : $0 192.168.1.254

USG
}

my $targets = shift or (usage() and die "No targets given!\n");
my $port    = shift || 443;

my $cidr_lite = Net::CIDR::Lite->new($targets);
my @cidr_list = $cidr_lite->list;

print "-=[ Connecting every host on port: $port\n\n";

print "-------------------------------------------------\n";
print "      IP        =>   CN (Common Name)\n";
print "-------------------------------------------------\n";

for my $cidr( @cidr_list ){
  my $n = NetAddr::IP->new($cidr);

  # Expand the block into single addresses and query each one
  for my $ip( @{ $n->splitref( $n->bits() ) } ){
    printf("%-15s =>   %s\n", $ip->addr, getCNFromX509($ip->addr));
  }
}

sub getCNFromX509
{
  my $ip = shift;
  my $ssl;

  eval{
    alarm($connection_timeout); # No. of seconds of connection timeout

    $ssl = Net::SSL->new(
          PeerAddr => $ip,
          PeerPort => $port,
          Timeout => 5 # Never reached, alarm() will be triggered before
          );
  };

  alarm(0);

  if($@ or not $ssl){ # connection failed, timed out, or no TLS handshake
    return "(Couldn't connect to port $port)";
  }

  # subject_name is the OpenSSL one-line form, e.g. /C=US/O=Example/CN=www.example.com
  my ($cn) = $ssl->get_peer_certificate->subject_name =~ /CN=([^\/]+)/;

  return defined $cn ? $cn : "(No CN in certificate)";
}
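
The matching rule behind the scanner finding quoted above, as an added example that is not part of the original script: it takes certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns (an assumption, so a live peer certificate can be passed straight in), prefers subjectAltName over the CN the way current validators do, and prints the same "IP => CN" line as the Perl script with a match verdict. The three sample certificates are constructed.

```python
import ipaddress

def _dns_name_match(pattern, hostname):
    """Compare one presented dNSName (or CN) against the target hostname, case-insensitively.
    A wildcard is honoured only as the whole leftmost label, so *.example.com covers
    api.example.com but neither example.com nor a.b.example.com (RFC 6125, 6.4.3)."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    if not pattern.startswith('*.'):
        return False
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])

def presented_names(cert):
    """Return (dns_sans, ip_sans, cn) from a getpeercert()-style dict."""
    dns, ips, cn = [], [], None
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            dns.append(value)
        elif kind == 'IP Address':
            ips.append(value)
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                cn = value
    return dns, ips, cn

def name_matches(cert, target):
    """True when the certificate covers the hostname or IP that was connected to."""
    dns, ips, cn = presented_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target must appear as an iPAddress SAN; the CN is never consulted for IPs.
        return any(ipaddress.ip_address(i) == ip for i in ips)
    if dns:
        # Once dNSName SANs are present the CN is ignored entirely (RFC 6125, 6.4.4).
        return any(_dns_name_match(d, target) for d in dns)
    # Legacy fall-back: no SANs at all, so the CN is the only identifier left.
    return cn is not None and _dns_name_match(cn, target)

def report_line(target, cert):
    """Same 'IP => CN' shape the Perl script prints, plus a match verdict."""
    _, _, cn = presented_names(cert)
    verdict = 'ok' if name_matches(cert, target) else 'MISMATCH'
    return '%-15s =>   %s  [%s]' % (target, cn or '(no CN)', verdict)

# Constructed sample certificates in ssl.SSLSocket.getpeercert() format.
CERT_CN_ONLY = {                      # pre-SAN style certificate
    'subject': ((('countryName', 'MX'),), (('commonName', 'www.example.com'),)),
}
CERT_WITH_SAN = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.example.com'),
                       ('IP Address', '192.0.2.10')),
}
CERT_SAN_OVERRIDES_CN = {             # CN names one host, the SAN names another
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', 'cdn.example.net'),),
}

if __name__ == '__main__':
    print(report_line('192.0.2.44', CERT_CN_ONLY))  # connecting by IP to a CN-only cert
```

Connecting by IP address, as the script does, is always reported as a mismatch unless the certificate carries an iPAddress SAN, which is exactly the condition the scanners flag.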

 
ch33rs !!!
 

Wednesday, 19 December 2012

IOActive Labs Research: Striking Back GDB and IDA debuggers through malformed ELF executables

IOActive Labs Research: Striking Back GDB and IDA debuggers through malformed ELF executables

By Alejandro Hernández @nitr0usmx 

Day by day, the endless fight between the bad guys and the good guys mostly depends on how fast a countermeasure or anti-reversing protection can be broken. These anti-reversing mechanisms can be used by attackers in a number of ways: to create malware, to be used in precompiled zero-day exploits sold on the black market, to hinder forensic analysis, and so on. But they can also be used by software companies or developers that want to protect the internal logic of their software products (copyright).

The other day I was thinking: why run and hide (implementing anti-reversing techniques such as the aforementioned) instead of standing up straight and giving the debugger a punch in the face (crashing the debugging application)? In the next paragraphs I'll explain briefly how I could implement this anti-reversing technique on ELF binaries using a counterattack approach.
...

Monday, 8 October 2012

My experience @ Ekoparty 2012

After a flight delayed by 10 hours, I finally landed in Buenos Aires. As soon as I could, I went straight to the VIP party to meet up with the IOActive team and to prepare some Mexican tacos and quesadillas with Diego Bauche @dexosexo

When the door opened, I saw my friend @XavaDu who started to take some pictures and drink some tequila from the gun-shaped bottle I brought from México XD. 


After a while, I prepared him a special taco, with Argentinian Asado, Guacamole and Mexican spicy sauce:



Meanwhile, César Cerrudo (@cesarcer) was killing some drunk h4x0rs... 


Also, our boss, Jennifer Steffens (@SecureSun), couldn't avoid a gun-shot of tequila B-)


After feeding some hungry people, we started to drink just a little bit more (;-D) and even played ping-pong.

The next day, Thursday, I had the chance to attend Stephan Chenette's talk (@StephanChenette), which was a really interesting presentation about automated malware generation and future expectations. His presentation had a good structure because he started with the current state of malware generation/defense and later explained the future of malware generation/defense by way of the current malware trends.
The same day, I enjoyed Esteban Fayo's talk (@estemf) because he showed a live demo of how to crack an Oracle password by taking advantage of some flaws in the Oracle authentication protocol.


The venue, KONEX, the same as last year, was really cool: there were vendor booths, old computers, video games (where I spent like two hours playing Super Mario Bros) as well as a cocktail bar and, obviously, the IOActive booth ;).


In conclusion, I really had a great time with my Mexican friends and my fellow workers, drinking red wine and eating Argentine asado, besides the amazing conferences.

Mexicans rocking @ Ekoparty
Definitely, I hope to be there next year !
Cheers !

Friday, 1 June 2012

Dubstep Warz 2006 - Breezeblock - BBC Radio 1 (REVIEW)

After a couple of weeks in the UK, I've been looking (and still looking) for Drum n' Bass and Dubstep parties, 'cause this is the place where it all began... What did I get? A FREAKING AWESOME PARTY at FabricLondon ! just take a look:

DJ Hype:


Biome:


That nite, I met a couple of Londoners very close to the local Dubstep scene. After dancing and listening to crushing tunes, we were talking about the early times of the dubstep scene, the most influential producers, etc., and suddenly one of the landmarks of the genre came up in the conversation. They suggested I listen to:

DUBSTEP WARZ 2006 - BBC RADIO 1 - BREEZEBLOCK
(Hosted by Mary Ann Hobbs)


(Mary Ann Hobbs: even though I consider myself a dubstep phan, I had never heard of her until last month, when my friend hkm shared with me a dubstep mix by Kode9 also hosted by Mary Ann H.)

I'm listening to "the warz" and throwing down these lines at the same time, and after doing some research about that show, I found a couple of URLs that I'll mention below:

http://www.dubstep-mixes.co.uk/deep-dubstep-mixes-dj-sets/breezeblock-skream-mala-distance-loefah/ :
"Landmark Show for Dubstep hosted by Mary Ann Hobbs. Sounds of the future feat. Distance, Mala of Digital Mystikz, Skream, Kode 9 & Space Ape, Vex’d, Loefah, and Hatcha. This show is an essential for anyone who hasn't heard it!"

http://warfacelx.wordpress.com/2010/01/15/bbc-radio-1-dubstep-warz-2006/ :
"This special, which aired in the early hours of 09/01/06 on BBC Radio 1, brought together the main exponents of the genre. Hosted by Mary Anne Hobbs, the programme featured sounds from Burial, Skream, Benga, Kode 9, Digital Mystikz, among others."

Yeah, it was what it was, it is what it is, that nite was a special nite for the DUBSTEP scene ! and sincerely, I was entirely shocked after listening to the 2-hour set !..

The INTRO is amazing, from UK, US, Brazil and Canada, dubstep warriors broadcasting dubstep to the masses !

Some of the quotes I heard and really liked:
-- "They're getting the virus, they're being attached to something new and in '06 .."
 
-- "it's a hard job being a soldier, breaking dubstep to the masses..."

-- "This is the breezeblock dubstep warz special. Tonight you're gonna feel the energy of the most exciting underground scene in the UK. Emerging out the south of London and now... every corner of the planet, from Brighton to Baltimore, from Bristol to Brazil... From 7 of the scene's most gifted players... We've the god fathers ... Hatcha, and Kode9... And we have next generation producers that you'll see blazing on the underground this year, we've got Skream on the place, we've got Loefah, Distance is here...It's January of 2006 and if you're looking for music that's gonna change your life, it's here, it's live, on the Breezeblock tonite..."

-- "his name is Mala... u ready to do this Mala?.." "the sound has space in it... It's not the same frequency as like house music, it's not the same freq as in DnB.. It's its own frequency"

-- "With more of the sonic fire-storms we love so much... this is Vex'd ..."


And obviously, it wouldn't be cool to write this much about the warz without sharing it ! ;-)....
MP3


Skream was a KID !!! he was 19 !, and nowadays, pffff, a world-famous dubstep producer... He played his famous "Rutten" at minute 26:54 (only for connoisseurs: you will realize that it's not as good as the modern Rutten (remixed by himself) ;-D)

Kode9 & SpaceApe, playing the famous "Space Ape" at minute 47:14 (only for connoisseurs: the same, it's not as good as the version with Burial ;-D)

Loefah, I definitely enjoyed his 13:40-minute set, and if you want to listen to just this part:


Distance, playing his classic hard-styled dubstep, "Traffic" at 1:50:05 :


If you really enjoy dubstep music, it's a MUST ! (Personally I liked >80% of the tracks). If you're looking for *NOISY* dubstep, this is not the right place dudeee ;-).

List of Dubstep Warriors (lineup):
Mala (Digital Mystikz)
Skream
Kode 9 & Space Ape
Vex'd
Hatcha & Crazy D
Loefah feat Sgt. Pokes
Distance
DJ Pinch

Cheers !!! B-)

- nitrØus

Sunday, 2 October 2011

My experience at Ekoparty 2011

Hi fellows, after a long time, I've decided to create another entry in diz bl0g ... I'll put a few words about my experience at the most important IT security convention in Latin America.. Yes, I know what y0u have in mind and that'z what I'll be talking about ! EKOPARTY ! (www.ekoparty.org - @ekoparty) ;)


It all started on Wednesday, September 21st, 2011 in Buenos Aires, Argentina, when I went to the KONEX cultural center to get the badge, a cool one by the way. What I really liked about this badge, unlike others, is that there's no difference between the speaker and attendee badges. Anyway, I went with my friends Federico Bossi (@fedebossi) and Claudio (@claudio_leon) to get the badges. After that, we saw the bus intended to go around the streets for wardriving purposes jejeje.. It was hilarious 'cauz the bus had very funny music (such as Reggaeton =X) jajaj, and blinking lights around the windows... A picture is worth a thousand words =D. That night, I went with Fede to "Antares", a very nice pub in a city near Buenos Aires called La Plata... 'til 6 am ¬¬' WTF !!

Thursday, September 22nd, I finally met my br0ther Xava Du (@xavadu) in person !!! after 8 years !! =0 and we were just there walking around, drinking b33rs @ the Immunity Sec stand, meeting some people and talking with other security researchers. In the same hall were the lockpicking village, r0b0t fights, a ping pong table, vendors, popcorn, old video games, wifi hack3rs, etc. etc. etc...


Also, I found my Mexican friend there, Diego Bauche (@dexosexo) !! it was great to see him there 'cause we really needed to talk in 'Mexican Spanish' :D jejej, which is pretty different from 'Argentinian Spanish' !


At the end of that night, there was a party just right there @ KONEX ;) ... There was a funny (weird) band performing xD. In that party, I met a pretty & intelligent girl who was also involved in IT security, she totally impressed me 'cause she has deep knowledge =0 (Note: She found a security vulnerability in a mainstream SCADA platform) ! It was nice 2 meet her =)


Friday, September 23rd, the EkoFest location was finally published.


Before Juliano Rizzo's (@julianor) talk, suddenly, a üb3r-h4x0r-3l3ctr0-p0st-futur1st r0b0t appeared =D IT WAS AMAZING !! I've never seen anything like that before, not even at Defcon or BlackHat ! ;)


At the end of Ekoparty, and before the party, we went to Agustin Gianni's (@agustingianni) house to drink some Fernet and after that we moved to another place to have some Beers & Pizza with Xava Du, Claudio, more people and speakers such as Rubén Santamarta (@reversemode), Chema Alonso (@chemaalonso), Agustin Gianni (@agustingianni), Juliano Rizzo (@julianor) and Pedro Varangot. After that we all went to the PARTY !! (no pictures xD)


Saturday, September 24th, we moved to La Plata and prepared our ekoparty-afterasado ! jajaj I had a GREAT time with friends !! Thank you d000d3z !!!

I also had the chance to say hi to other Argentinian friends (security researchers) like Nahuel Grisolia (@cintainfinita), Maximiliano Soler (@maxisoler) and Ariel Sánchez (dymitri).


What about the CONFERENCES??!! One single word: AMAZING ;) .. All of them ! what a great level. Som3 pix:

Definitely, I'll be there the next year ! ;)

Ch33rz !!!

Tuesday, 18 January 2011

My research cited on a scientific technical report

Well, a long time has passed since my fingers wr0te something on this wall... But today, I was just looking on Google for advancements in vulnerability and exploit development and !! something really nice appeared in front of my eyes and behind my screen jeje.

I was reading the following technical report from The Department of Mathematics, Royal Holloway, University of London:

Technical Report
RHUL-MA-2009-06
16th February 2009
Title: Buffer Overflows in Microsoft Windows Environment
Author: Parvez Anwar
Comments: Search Security Award Winning Project

... And suddenly, I read the author referring to my name, my comments and some c0de of mine. It made my day, obviously, B-)

Here are the paragraphs that made me feel pr0ud of myself..


... and the c0de that made me scream like crazy :@ a few years ago ajaja.. but it was worth it ;)


Full report:
http://www.ma.rhul.ac.uk/static/techrep/2009/RHUL-MA-2009-06.pdf

ch33rz !!! /o/

Tuesday, 26 October 2010

DotDotPwn v2.1 - The Traversal Directory Fuzzer

Dewds!! We've set up the official website:
http://dotdotpwn.sectester.net/

These are the new features included in v2.1 (transcription of CHANGELOG.txt):
----------------
DotDotPwn v2.1
Release date: 29/Oct/2010 (PUBLIC Release at
BugCon Security Conferences 2010)
Release date: 14/Oct/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to
see some examples)
* TFTP Module implemented
* -k switch for false-positive avoidance, making another verification once the
HTTP Status 200 is received. This option looks for the specified parameter
in the server's response.
(e.g. -k "root:" if trying with the /etc/passwd file
or -k "localhost" in windows/system32/drivers/etc/hosts)
With this option enabled, the HTTP module will print the total of false
positives detected during the scan as long as there is more than one.
* -p switch for payload specification.
This option simply takes the text file passed as a parameter, replaces the
'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified
port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including
cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the
request that would be fuzzed)
* For the impatient, when it's working in quiet mode (-q switch), it prints
dots each certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error
occurs (e.g. the Web server doesn't respond anymore because it has reached
the maximum number of clients/sockets/threads)
* Prints the time taken at the end of the testing
* A cleaner usage message (help message)

Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
-------------

And again, I include some screensh0tz ... Enjoy them and stay tuned for the public release !!..

[ STDOUT Module + scripting ;) ] against Webmin 1.280

TFTP Module against TFTPDWin

Without False Positive detection

With False Positive detection

PAYLOAD Module against Webmin 1.280

Ch33333rz ! B-) c yaaa @ BugCon 2k10 !

Thursday, 9 September 2010

DotDotPwn - The Directory Traversal Fuzzer

"Welly, welly, welly, well." -- A Clockwork Orange (movie).

Hell Yes !!!! B-), a few weeks ago, my brother chr1x from CubilFelino Security Labs published a tool to detect directory traversal vulnerabilities in FTP/HTTP servers. It only relied upon 2 .txt files (databases) with the payloads to be launched at the target. Then, some cool ideas came into my mind, so I wrote the c0de from scratch and on a modular basis, and I included a lot of features/enhancements, but the main change was the move from being a Checker to a Fuzzer (I c0ded a Traversal Engine for it).

Well, Stay tuned for the public release ;) s00n !! (DotDotPwn v2.0)
Official Website: http://chr1x.sectester.net/toolz/ddpwn/

----------
Release date: 2/Sept/2010 (NON-PUBLIC Version)
Author: nitrØus (nitrousenador@gmail.com)

Changes / Enhancements / Features:
* From Checker to Fuzzer
* Rewritten from the scratch
* Modular architecture (DotDotPwn packages)
* Traversal Engine to automatically create the fuzzing patterns to be sent.
This engine makes all the permutations between the dots and slashes
encodings, iterates up to the depth passed as an argument and finally
concatenates the filenames intelligently according to the Operating System
detected (in case the -O switch is enabled); otherwise, the engine includes all
the defined file sets (Windows, UNIX and Generic).
* -O switch for Operating System (nmap) and -s switch for service detection
* -f switch available to define a specific file name to retrieve
* -U and -P switches to supply specific usernames/passwords
* -d switch to specify the desired depth of traversals
(e.g. depth 3 equals ../../../)
* -t switch to specify the time in milliseconds between each attempt
* -x switch to specify a different TCP/UDP port than the defaults
* -b switch to break after the first vulnerability is found
* -q switch for quiet mode (doesn't print each attempt to STDOUT)
* Special treatment of Slash/Backslash in filenames in order to have a
correct semantic within each traversal string.
* Improvement in the FTP module to compare against the server's response code
instead of vendor-dependent response message (in compliance with RFC 959 FTP)
* Improvement in the parameter passing
* A cool banner was included ;)

Supported modules:
- HTTP
- HTTP Parameters (url)
- FTP
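
The Traversal Engine's dot/slash encodings and depth, seen from the defender's side, as an added example that is not DotDotPwn's code: it undoes the encodings a fuzzer permutes (percent and double percent-encoding, backslashes, and two classic overlong UTF-8 separators) before counting ".." segments in requests from constructed access-log lines, matches the two target files named in the v2.1 changelog, and, in the spirit of the -k check, marks a 200 response as a likely success only when such a file was actually named.

```python
import re
from urllib.parse import unquote

# Target files the v2.1 changelog uses as examples (lower-case, forward slashes).
SENSITIVE_FILES = ('etc/passwd', 'windows/system32/drivers/etc/hosts')

# Two classic overlong UTF-8 encodings of '/' and '\' that unquote() will not decode.
OVERLONG_SEPARATORS = re.compile(r'%c0%af|%c1%9c', re.IGNORECASE)

# Common Log Format request line: "GET /path HTTP/1.1" 200
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize_path(raw, max_rounds=3):
    """Undo the encodings a traversal fuzzer permutes so '..' segments become visible.

    Percent-decoding is repeated (bounded) to collapse double or triple encoding,
    overlong separators are mapped to '/', and backslashes become forward slashes."""
    path = OVERLONG_SEPARATORS.sub('/', raw)
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def analyse_request(raw_path):
    """Classify one request path; depth is the number of '..' segments after normalisation."""
    norm = normalize_path(raw_path)
    # Split on path and query delimiters so 'page=../..' yields separate segments;
    # a literal '..' inside a filename such as readme..txt is not a segment.
    segments = re.split(r'[/?=&;]', norm)
    depth = sum(1 for seg in segments if seg == '..')
    targets = [f for f in SENSITIVE_FILES if f in norm.lower()]
    return {'normalized': norm, 'depth': depth, 'targets': targets,
            'suspicious': depth > 0 or bool(targets)}

def scan_log(lines):
    """Return (raw_path, depth, status, targets, likely_success) for suspicious requests.

    likely_success mirrors the changelog's point that a 200 alone proves nothing:
    it is set only when a 200 came back for a request that named a sensitive file."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        r = analyse_request(m['path'])
        if r['suspicious']:
            likely = m['status'] == '200' and bool(r['targets'])
            findings.append((m['path'], r['depth'], m['status'], r['targets'], likely))
    return findings

# Constructed sample access-log lines (RFC 5737 documentation address).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Mar/2013:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Mar/2013:10:01:03 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1873',
    '198.51.100.7 - - [16/Mar/2013:10:01:04 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 210',
    '198.51.100.7 - - [16/Mar/2013:10:01:05 +0000] "GET /index.php?page=%252e%252e%255c%252e%252e%255cwindows%255csystem32%255cdrivers%255cetc%255chosts HTTP/1.1" 200 700',
    '198.51.100.7 - - [16/Mar/2013:10:01:06 +0000] "GET /images/..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 300',
    '198.51.100.7 - - [16/Mar/2013:10:01:07 +0000] "GET /docs/readme..txt HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for raw, depth, status, targets, likely in scan_log(SAMPLE_LOG):
        print(f'{status} depth={depth} targets={targets} likely_success={likely}  {raw}')
```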

And as I said before, a picture is worth a thousand words, so I'm posting some screenshots ;) .. Enjoy them !

DotDotPwn (Usage)


Traversal Engine (Description)


Traversal Engine (Resources)


Traversal Engine (Working [internals])


OS and Service detection (taken into account in the Traversal Engine for intelligent fuzzing)


HTTP-Params Module (Description)


HTTP-Params Module (Usage)


HTTP-Params Module (Vulnerabilities found)


FTP Module (Vulnerabilities found, quiet mode and retrieved files)


HTTP Module (Vulnerabilities found)


Well, stay tuned on http://chr1x.sectester.net/toolz/ddpwn/ for the public release ;).

Keep Fuzz1ng !!!!!! B-/
nitrØus