CSAPP – Buffer Overflow Attacks / Bufbomb Lab.

The CSAPP/Bufbomb assignment will help you develop a detailed understanding of IA-32 calling conventions and stack organization. It involves applying a series of buffer overflow attacks…

Link: http://seclist.us/csapp-buffer-overflow-attacks-bufbomb-lab.html

explo – Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool to describe web security issues in a human and machine readable format. By defining a request/condition workflow, explo is able to exploit security issues without the need to write a script. This makes it possible to share complex vulnerabilities in a simple, readable and executable format.

Example for extracting a csrf token and using this in a form:

    name: get_csrf
    description: extract csrf token
    module: http
    parameter:
        url: http://example.com/contact
        method: GET
        header:
            user-agent: Mozilla/5.0
        extract:
            csrf: [CSS, "#csrf"]
    ---
    name: exploit
    description: exploits sql injection vulnerability with valid csrf token
    module: http
    parameter:
        url: http://example.com/contact
        method: POST
        body:
            csrf: ""
            username: "' SQL INJECTION"
        find: You have an error in your SQL syntax

In this example definition file the security issue is tested by executing two steps, which are run from top to bottom. The last step returns a success or failure, depending on whether the string 'You have an error in your SQL syntax' is found.

Installation

Install via PyPI

    pip install explo

Install via source

    git clone https://github.com/dtag-dev-sec/explo
    cd explo
    python setup.py install

Usage

    explo [--verbose|-v] testcase.yaml
    explo [--verbose|-v] examples/*.yaml

There are a few example testcases in the examples/ folder.

    $ explo examples/SQLI_simple_testphp.vulnweb.com.yaml

You can also include explo as a python lib:

    from explo.core import from_content as explo_from_content
    from explo.core import ExploException, ProxyException

    # Callback that receives each log message produced while the testcase runs
    def save_log(msg):
        print(msg)

    # explo_yaml_file must be defined by the caller before this call
    try:
        result = explo_from_content(explo_yaml_file, save_log)
    except ExploException as err:
        print(err)

Modules

Modules can be added to improve functionality and to cover more classes of security issues.

http (basic)

The http module makes an http request, extracts content and searches/verifies content.

The following data is made available for following steps:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies
- extracted content: response.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body. If this fails, the module returns a failure, which stops the execution of the current workflow (and all steps).

When extracting by regular expressions, use the match group extract to mark the value to extract (see below for an example).

To reference cookies, give the name of the previous step the cookies should be taken from (cookies: the_other_step.response.cookies).

Parameter examples:

    parameter:
        url: http://example.com
        method: GET
        allow_redirects: True
        headers:
            User-Agent: explo
            Content-Type: abc
        cookies: stepname.response.cookies
        body:
            key: value
        find: search for string
        find_regex: search for (reg|ular)expression
        find_in_headers: searchstring in headers
        extract:
            variable1: [CSS, '#csrf']
            variable2: [REGEX, '.*?)"']

http_header

The http header module checks whether a response is missing any of a specified set of headers (and values). All other parameters are identical to the http module.

The following data is made available for other modules:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies

Parameter examples:

    parameter:
        url: http://example.com
        method: GET
        allow_redirects: True
        headers:
            User-Agent: explo
            Content-Type: abc
        body:
            key: value
        headers_required:
            X-XSS-Protection: 1
            Server: . # all values are valid

sqli_blind

The sqli_blind module is able to identify time based blind sql injections.

The following data is made available for other modules:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies

Parameter examples:

    parameter:
        url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
        method: GET
        delay_seconds: 5

If the threshold of 5 seconds (delay_seconds) is exceeded, the check returns true (and thus results in a success).
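The headers_required check described for the http_header module, as an added Python example that is not explo's own code. The function name audit_headers and the sample responses are hypothetical, and treating each required value as a regular expression anchored at the start of the header value is an assumption drawn from the "Server: ." line in the parameter example.

```python
import re

def audit_headers(response_headers, headers_required):
    """Return {header: reason} for every required header that is missing
    or whose value does not match; an empty dict means the check passes."""
    # HTTP header names are case-insensitive, so compare them lower-cased.
    seen = {name.lower(): value for name, value in response_headers.items()}
    failures = {}
    for name, pattern in headers_required.items():
        value = seen.get(name.lower())
        if value is None:
            failures[name] = "missing"
        # Assumption: the required value is a regex anchored at the start.
        # An unanchored search for "1" would also accept "0; report=/r1".
        # str() because YAML loads a bare 1 as an integer.
        elif not re.match(str(pattern), value):
            failures[name] = "unexpected value %r" % value
    return failures

# Constructed sample data: the headers_required block from the parameter
# example above, and three made-up response header sets.
REQUIRED = {"X-XSS-Protection": 1, "Server": "."}
HARDENED = {"server": "nginx", "x-xss-protection": "1; mode=block"}
WEAK = {"Server": "nginx", "X-XSS-Protection": "0; report=/r1"}
BARE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weak", WEAK), ("bare", BARE)):
        print(label, audit_headers(headers, REQUIRED) or "ok")
```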

Link: http://feedproxy.google.com/~r/PentestTools/~3/9zhNekCWw1c/explo-human-and-machine-readable-web.html

massExpConsole – Collection of Tools and Exploits with a CLI UI

Collection of Tools and Exploits with a CLI UI

What does it do?

- an easy-to-use user interface (cli)
- execute any adapted exploit with process-level concurrency
- crawler for baidu and zoomeye
- a simple webshell manager
- some built-in exploits (automated)
- more to come…

Requirements

- GNU/Linux or MacOS, WSL (Windows Subsystem Linux), fully tested under Kali Linux (Rolling, 2017), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
- proxychains4 (in $PATH), used by exploiter, requires a working socks5 proxy (you can modify its config in mec.py)
- Java is required when using Java deserialization exploits, you might want to install openjdk-8-jre if you haven't installed it yet
- python packages (not complete, as some third-party scripts might need other deps as well):
  - requests
  - bs4
  - beautifulsoup4
  - html5lib
  - docopt
  - pip3 install on the go
- note that you have to install all the deps of your exploits or tools as well

Usage

- just run mec.py, if it complains about missing modules, install them
- if you want to add your own exploit script (or binary file, whatever):
  - cd exploits, mkdir
  - your exploit should take the last argument passed to it as its target, dig into mec.py to know more
  - chmod 755 <exploitBin> to make sure it can be executed by current user
  - use attack command then m to select your custom exploit
- type help in the console to see all available features

Link: http://feedproxy.google.com/~r/PentestTools/~3/n_22lP9qR0U/massexpconsole-collection-of-tools-and.html

QuickSand.io – Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection

- doc, docx, docm, rtf, etc
- ppt, pptx, pps, ppsx, etc
- xls, xlsx, etc
- mime mso
- eml email

File Formats For Executable Detection

- All of the above, plus PDF.
- Any document format such as HWP.

Lite Version – Mplv2 License

- Key dictionary up to 256 byte XOR
- Bitwise ROL, ROR, NOT
- Addition or subtraction math cipher
- Executable extraction: Windows, Mac, Linux, VBA
- Exploit search
- RTF pre processing
- Hex stream extract
- Base 64 Stream extract
- Embedded Zip extract
- ExOleObjStgCompressedAtom extract
- zLib Decode
- Mime Mso xml Decoding
- OpenXML decode (unzip)
- Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
- Example results and more info blog post

Full Version – Commercial License

- Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
- 1 Byte zerospace not replaced brute force XOR search
- XOR Look Ahead cipher
- More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
- Try the full version online at QuickSand.io

Dependencies (not included)

- Yara 3.4+
- zlib 1.2.1+
- libzip 1.1.1+

Distributed components under their own licensing

- MD5 by RSA Data Security, Inc.
- SHA1 by Paul E. Jones
- SHA2 by Aaron D. Gifford
- jWrite by TonyWilk for json output
- tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start

    ./build.sh
    ./quicksand.out -h
    ./quicksand.out malware.doc

Documentation

QuickSand.io
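How a scanner can locate an obfuscated embedded executable of the kind described above, as an added Python example that is not QuickSand's code. It is narrowed to single-byte XOR keys and 8-bit rotation (NOT and ROR fall out as special cases); the function names and the constructed sample are hypothetical.

```python
# Text that appears in the DOS stub of a Windows PE executable.
MARKER = b"This program cannot be run in DOS mode"

def rol8(byte, n):
    """Rotate an 8-bit value left by n bits."""
    return ((byte << n) | (byte >> (8 - n))) & 0xFF

def candidate_encodings():
    """Yield (label, 256-byte translation table) for each obfuscation tried."""
    yield "plain", bytes(range(256))
    for key in range(1, 256):          # key 0xFF is the same as bitwise NOT
        yield "xor 0x%02x" % key, bytes(b ^ key for b in range(256))
    for n in range(1, 8):              # ROR n is the same as ROL (8 - n)
        yield "rol %d" % n, bytes(rol8(b, n) for b in range(256))

def find_hidden_executables(data):
    """Return [(label, offset)] for every place the encoded marker occurs."""
    hits = []
    for label, table in candidate_encodings():
        # Encode the short marker once instead of decoding the whole document.
        needle = MARKER.translate(table)
        offset = data.find(needle)
        while offset != -1:
            hits.append((label, offset))
            offset = data.find(needle, offset + 1)
    return hits

def constructed_sample(table):
    """Constructed input: OLE magic bytes, clear-text filler, then a stub
    obfuscated with the given translation table."""
    stub = b"MZ" + b"\x00" * 76 + MARKER + b".\r\r\n$"
    return b"\xd0\xcf\x11\xe0" + b"filler " * 8 + stub.translate(table)

if __name__ == "__main__":
    xor_5a = bytes(b ^ 0x5A for b in range(256))
    print(find_hidden_executables(constructed_sample(xor_5a)))
```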

Link: http://feedproxy.google.com/~r/PentestTools/~3/iIjwIrdBxC0/quicksandio-tool-for-scanning-streams.html

Yahoo Retires ImageMagick After Bugs Leak Server Memory

Researcher Chris Evans reported a new bug and showed how he also used a previously known flaw in ImageMagick to leak Yahoo server data and steal images and authentication secrets.

Link: https://threatpost.com/yahoo-retires-imagemagick-after-bugs-leak-server-memory/125862/