Thursday, April 30, 2009

NET SEND

Its sad that Microsoft stopped the NET SEND service. If you used it u know its lot fun if u want bug anyone ...lolz :p. This service has been stopped since release of XP service pack 2 because of security issues.

I have got this trick to enable that service again. \m/....done that in XP service pack2.
To do this, follow these steps:

1. Open Windows Explorer.
2. In the left pane, right-click My Computer, and then click Manage.
3. In the Computer Management window, expand Services and Applications in the left pane, and then click Services.
4. In the right pane, double-click Messenger.
5. In the Messenger Properties (Local Computer) dialog box, click the General tab.
6. On the General tab, select Automatic from the Startup type list, and then click Apply.
7. Under Service status, click Start, and then click OK.

now type in your cmd without the bracer [[ net send "targetted pc's ip address without qoute" "your message with qoute" ]]
Example: net send 172.30.*.* "hello"

wallah!!
note: be sure to enable service in both pc .

Wednesday, April 29, 2009

Buffer overflow vulnerabilty:

Buffer overflow vulnerabilty:


Stack Overflow>
If a program is written in weakly typed language such as C/C++ and/or copies from one buffer on the stack to another then it might be vulnerable to stack overflow attack.

**should avoid using "gets()".
Example>
*************************************
#include

void f(char* s) {
char buffer[10];
strcpy(buffer, s);
}

void main(void) {
f("01234567890123456789");
}

[root /tmp]# ./stacktest

Segmentation fault
************************************

Heap Overflow>
If a code is written in weakly typed language and it doesn't use canary values or capable of using executalbe stacks then it is vulnerable.

Format string vulnerablity>
By using functions such as printf, sprintf directly, or inderctly through system services.

This situation tends to become precarious on account of the fact that a user who can supply format specifiers can perform
the following malicious actions:

Enumerate Process Stack:
This allows an adversary to view stack organization of the vulnerable process by supplying format
strings, such as %x or %p, which can lead to leakage of sensitive information. It can also be used to extract canary values
when the application is protected with a stack protection mechanism. Coupled with a stack overflow, this information can
be used to bypass the stack protector.

Control Execution Flow:
This vulnerability can also facilitate arbitrary code execution since it allows writing 4 bytes of data
to an address supplied by the adversary. The specifier %n comes handy for overwriting various function pointers in memory
with address of the malicious payload. When these overwritten function pointers get called, execution passes to the
malicious code.

Denial of Service:
If the adversary is not in a position to supply malicious code for execution, the vulnerable application can
be crashed by supplying a sequence of %x followed by %n.


Example>
******************************************
#include
#include
#include
#include

void main(void) {
char str[100] = scanf("%s");
printf("%s", str);
}
*****************************************
change the last statement to printf(str) and the input like -> %08x%08x%08x%08x%08x
from this input the program can be exploited to print the first five entries from the stack.

Unicode Overflow>
written in weakly typed language, take Unicode from user, doesn't use technique as canary values to prevent buffer overflow and doesn't sanitize the input then its vulnerable to Unicode overflow.

Integer Overflow>
When an application takes two numbers of fixed word size and perform an operation with them, the result may not fit within the same word size.

Example>
****************************************
#include
#include

void main(int argc, char *argv[]) {
int i = atoi(argv[1]); // input from user
unsigned short s = i; // truncate to a short
char buf[50]; // large buffer

if (s > 10) { // check we're not greater than 10
return;
}

memcpy(buf, argv[2], i); // copy i bytes to the buffer
buf[i] = '\0'; // add a null byte to the buffer
printf("%s\n", buf); // output the buffer contents

return;
}

[root /tmp]# ./inttest 65580 foobar
Segmentation fault
***************************************

**should examine the use of signed integers, bytes and short
after airthmetic operations
**should check for exceptions if language supports.


Log Forging>
When data is entered into application from untrusted source and the data written to the app's log file then log forging is occuring.

Example>
***************************************
String val = request.getParameter("val");
try {
int value = Integer.parseInt(val);
}
catch (NumberFormatException) {
log.info("Failed to parse val = " + val);
}
output: INFO: Failed to parse val=twenty-one __ for input, twenty-one

output: INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy __ for input, "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy"

***************************************

Process Control>
Excecuting commands from unknown source.

Example>
*******************************************
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);

here changing the "APPHOME" syatem proeprty an attacker can insert malicious object's path to execute
--------
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\utl\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);

here btype is not validdated.If an attacker passes a string of the form "&& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program
***********************************************


Example>(Ref from owasp testing_guide)
*********************************************
void log_create(int severity, char *inpt) {
char b[1024];
if (severity == 1)
{
strcat(b,”Error occured on”);
strcat(b,":");
strcat(b,inpt);
FILE *fd = fopen ("logfile.log", "a");
fprintf(fd, "%s", b);
fclose(fd);
. . . . . .
}

in the bove code in line "strcpy(b.input)"
overflow will occur if inpt exceeds 1024 bytes.
*******************************************************


Example>(Ref from owasp testing_guide)
******************************************************
Void func(char *path)
{
char servaddr[40];

memccpy(servaddr,path,'\');
….
}

In the above code information in the "path" can be longer than 40 bytes before "\" character can be found. In that case stack overflow would occur.
********************************************************


Tools: RATS, Flawfinder and ITS4 are available for analyzing C-style languages.

Info Ref: http://www.owasp.org/index.php/Buffer_Overflows