Showing posts sorted by relevance for query payload. Sort by date Show all posts
Showing posts sorted by relevance for query payload. Sort by date Show all posts

Social-Engineer Toolkit (SET) Version 4.0 Codenamed “Balls of Steel” Released

Posted by Avik Sarkar On 9/23/2012 12:05:00 am

Social-Engineer Toolkit (SET) Version 4.0 Codenamed “Balls of Steel” Released


Social Engineer Toolkit also known as SET gets another update. Now we have Social Engineer Toolkit version 4.0 codename “Balls of Steel” is officially available for public consumption. In his official blog; Trusted Sec, the developper of SET has claimed that this version of SET is the most advanced toolkit till today. This version is the collection of several months of development and over 50 new features and a number of enhancements, improvements, rewrites, and bug fixes
Lets talk about some highlights and the new major features of SET 4.0- the Java Applet attack has been completely rewritten and obfuscated with added evasion techniques. All of the payloads have been heavily encrypted with a number of heavy anti-debugging tools put in place. PyInjector is now available on the Java Applet attack natively and deploys shellcode automatically through a byte compiled executable. The powershell attack vectors now support customized payload selection through the config/set_config. A new attack vector has been added called the Dell DRAC Attack Vector (default credential finder). A new teensy payload has been added from the Offensive-Security crew – the auto-correcting attack vector with DIP switch and SDcard “Peensy”. The web cloner has been completely rewritten in native python removing the dependency for wget. The new IE zero day has been included in the Metasploit Web Attack Vector. The Java Repeater and Java Redirection has been rewritten to be more reliable. Obfuscation added to randomized droppers including OSX and Linux payloads.

Full Changelog of The Social-Engineer Toolkit (SET) 4.0:- 

  •  Added a new attack vector to SET called the Dell Drac attack vector under the Fast-Track menu.
  •  Optimized the new attack vector into SET with standard core libraries
  •  Added the source code for pyinjector to the set payloads
  •  Added an optimized and obfuscated binary for pyinjector to the set payloads
  •  Restructured menu systems to support new pyinjector payload for Java Applet Attack
  •  Added new option to SET Java Applet – PyInjector – injects shellcode straight into memory through a byte compiled python executable. Does not require python to be installed on victim
  •  Added base64 encoded to the parameters passed in shellcodexec and pyInjector
  •  Added base64 decode routine in Java Applet using sun.misc.BASE64Decoder – native base64 decoding in Java is the suck
  •  Java Applet redirect has been fixed – was a bug in how dynamic config files were changed
  •  Fixed the UNC embed to work when the flag is set properly in the config file
  •  Fixed the Java Repeater which would not work even if toggled on within the config file
  •  Fixed an operand error when selecting high payloads, it would cause a non harmful error and an additional delay when selecting certain payloads in Java Applet
  •  Added anti-debugging protection to pyinjector
  •  Added anti-debugging protection to SET interactive shell
  •  Added anti-debugging protection to Shellcodeexec
  •  Added virtual entry points and virtualized PE files to pyinjector
  •  Added virtual entry points and virtualized PE files to SET interactive shell
  •  Added virtual entry points and virtualized PE files to Shellcodeexec
  •  Added better obfsucation per generation on SET interactive shell and pyinjector
  •  Redesigned Java Applet which adds heavily obfsucated methods for deploying
  •  Removed Java Applet source code from being public – since redesign of applet, there are techniques used to obfuscate each time that are dynamic, better shelf life for applet
  •  Added a new config option to allow you to select the payloads for the powershell injection attack. By specifying the config options allows you to customize what payload gets delivered via the powershell shellcode injection attack
  •  Added double base64 encoding to make it more fun and better obfuscation per generation
  •  Added update_config() each time SET is loaded, will ensure that all of the updates are always present and in place when launching the toolkit
  •  Rewrote large portions of the Java Applet to be dynamic in nature and place a number of non descriptive things into place
  •  Added better stability to the Java Applet attack, note that the delay between execution is a couple seconds based on the obfuscation techniques in place
  •  Completely obfsucated the MAC and Linux binaries and generate a random name each time for deployment
  •  Fixed a bug that would cause custom imported executables to not always import correctly
  •  Fixed a bug that would cause a number above 16 to throw an invalid options error
  •  Added better cleanup routines for when SET starts to remove old cached information and files
  •  Fixed a bug that caused issues when deploy binaries was turned to off, would cause iterative loop for powershell and crash IE
  •  Centralized more routines into set.options – this will be where all configuration options reside eventually
  •  Added better stability when the Java Applet Repeater is loaded, the page will load properly then execute the applet.
  •  The site cloner has been completely redesigned to use urllib2 instead of wget, long time coming
  •  The cloner file has been cleaned up from a code perspective and efficiency
  •  Added better request handling with the new urllib2 modules for the website cloning
  •  Added user agent string configuration within the SET config and the new urllib2 fetching method
  •  Added a pause when generating Teensy payloads
  •  Added the Offensive-Security “Peensy” multi-attack vector for the Teensy attacks
  •  Added the Microsoft Internet Explorer execCommand Use-After-Free Vulnerability from Metasploit into the Metasploit Browser Exploits Attack vectors
  •  Fixed a bug in cleanup_routine that would cause the metasploit browser exploits to not function properly
  •  Fixed a bug that caused the X10 sniffer and jammer to throw an exceptions if the folder already existed



To Download The Social-Engineer Toolkit (SET) 4.0 Click Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Skype bug gives attackers root access to Mac OS X

Posted by Avik Sarkar On 5/07/2011 03:57:00 pm


Mac users running Skype are vulnerable to self-propagating exploits that allow an attacker to gain unfettered system access by sending a specially manipulated attachment in an instant message, a hacker said.
“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac,” Gordon Maddern of Australian security consultancy Pure Hacking blogged on Friday. “It is extremely wormable and dangerous.”
The vulnerability, which Maddern said isn't present in the Windows or Linux versions of the popular VoIP program, was confirmed by Skype spokeswoman Brianna Reynaud, who said a fix will be rolled out next week. Its disclosure comes the same week that researchers discovered a new crimekit that streamlines the production of Mac-based malware. It also comes as new malware surfaced for Apple's OS X that masquerades as a legitimate antivirus program.
Reynaud said there are no reports that the Skype vulnerability is being actively exploited.
Maddern said he stumbled on the critical flaw by accident.
“About a month ago I was chatting on skype to a colleague about a payload for one of our clients,” he wrote. “Completely by accident, my payload executed in my colleagues skype client. So I decided to test another mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left the her skype unusable for several days.”
He then set out to write proof-of-concept attack code that used payloads borrowed from the Metasploit exploit framework. The result: a Skype exploit that allows him to remotely gain shell access on a targeted Mac. Because it's sent by instant messages, it might be possible to force each infected machines to send the malicious payload to a whole new set of Macs, causing the attack to grow exponentially.
Maddern didn't say what interaction is required on the part of the victim, and he didn't immediately respond to an email seeking clarification. His blog post says he notified Skype of the vulnerability more than a month ago, and that he will withhold specific details until a patch is released to prevent malicious attacks.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Son of Flynn (Social Engineer Toolkit v2.2) Released

Posted by Avik Sarkar On 10/28/2011 06:35:00 pm



Social Engineer Toolkit has been updated! This release is named “Son of Flynn”. We now have the Social Engineer Toolkit version 2.2. The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. It’s main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
Official Change Log for Social Engineer Toolkit v2.2:-
* Added better handling when generating your own legitimate certifcate and ensure proper import into SET
* Adjusted java repeater time to have a little more delay, seems to be more reliable and stable if that occurs.
* Removed the check from the main launch of SET for pymssql and only added it when the fast-track menu was specified
* Removed the derbycon posting since it already happened. When we get closer I’ll re-add it back in with detailed information
* Removed old files in the java applet attack that were not needed.
* Added better granularity checking the Java Applet attack when the shellcode exec or normal attacks were being specified.
* Fixed a bug that caused infectious media bomb out if shellcodeexec was specified as a payload
* Added a legal disclaimer for first inital use of SET that is must be used for lawful purposes only and never malicious intent
* Added improved stability of the java applet attack through better payload detect/selection
* Fixed a bug with shellcodeexec and creating a payload and listener through SET, it would throw an exception, it now exports shellcodeexec properly and exports alphanumeric shellcode
* Added new config check inside core.py, will return value of config, easier..will gradually replace all config checks with this
* Fixed an issue that would cause AUTO_REDIRECT=OFF to still continue to redirect. This was caused from a rewrite of teh applet and the same parameters not being filtered properly
* Added more customizing Options to RATTE. Now you can specifiy custom filename ratte uses for evading local firewalls. So you can deploy RATTE as readme.pdf.exe and it will run as iexplore.exe to bypass local firewalls. You can although specify if RATTE should be persistent or not. For testing network firewalls you won’t need a persistent one. Doing a penetration test you may choose a persistent configuration.
* Fixed a bug in RATTE which could break connection to Server. RATTE now runs much more stable and can bypass high end network firewalls much more reliable.
* Added a new config option called POWERSHELL_INJECTION, this uses the technique discovered by Matthew Graeber which injects shellcode directly into memory through powershell
* Added a new teensy powershell attack leveraging Matthew Graebers attack vector.
* Rehauled the Java Applet attack to incorporate the powershell injectiont technique, its still experimental, so will remain OFF in the config by default. The applet will not detect if Powershell is installed, and if so, use the shellcode deployment method to gain memory execution without touching disk through PowerShell.
* Fixed a bug that would cause mssql bruter to error if powershell injection was enabled or other attack vectors

To Download SET 2.2 Click Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Recent Facebook XSS Attacks Show Increasing Sophistication

Posted by Avik Sarkar On 4/25/2011 01:09:00 pm

A few weeks ago, three separate cross-site scripting (XSS) vulnerabilities on Facebook sites were uncovered within a period of about 10 days. At least two of these holes were used to launch viral links or attacks on users – and it’s clear that attacks against Facebook users are becoming increasingly sophisticated.
The first issue came from a page on the mobile version of Facebook’s site. The interface was a prompt for posting stories to a user’s wall, and the parameter for the text of the prompt did not properly escape output. On March 28, a blogger identifying themselves as “Joy CrazyDaVinci”posted code that demonstrated how the vulnerability could be used to spread viral links:
<iframe id=”CrazyDaVinci” style=”display:none;”
src=”http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt=’<script>window.onload=function(){document.forms[0].message.value=’Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!‘;document.forms[0].submit();}</script>”></iframe>
This bit of HTML would be included in a viral page. The code sets the content of the wall post to a message that includes a link to a viral page, then submits the prompt automatically. Anyone clicking the link would get the same code executed on their account. The viral page could be used for malware distribution or phishing attacks, but in most cases where I saw this trick used, the page simply loaded advertisements or “offer spam”.
By the next day, several links were spreading virally and caught the attention of security researchers. Facebook moved quickly to patch the issue, and Crazy DaVinci issued an apology for the example code, explaining that versions of it had actually been circulating for several days prior and that the demonstration was intended to push Facebook for a fix.
On April 3, another XSS problem came to light, this time with a Facebook “channel” page used for session management. Both another security researcher and I had previously looked at this interface and found it properly escaped, so it’s likely a code update mistakenly changed the page’s behavior. Facebook again patched the problem soon after news of it spread.
I didn’t observe any viral exploitation of the second vulnerability in the wild, but after the first problem came to light, I noted that it was mostly used to submit a form already on the page for posting links. The payload made use of functionality within the vulnerable page, but XSS allows an attacker to do far more. I wondered when we might see a Facebook attack that made greater use of cross-site scripting’s potential.

What a Difference a Space Makes

I didn’t have to wait long. On April 7, I got word via Twitter of a Facebook app that had live XSS, but the app had disappeared before I got to see it in action. At first, I thought this was yet another case of XSS within the context of a Facebook app. But I soon found other version of the app which were still online, and I quickly realized this was actually an XSS problem with the Facebook Platform. Also, the XSS payload being used did much more than submit a form.
The attack used FBML-based Facebook apps, which render in the context of an apps.facebook.com page. Normally, Facebook filters code to prevent any scripts from directly modifying the page’s DOM, but the XSS problem gave attackers a bypass. When a user visited the app page, they would see what appeared to be a fairly benign page with a popular video.
Unlike many Facebook page scams, the promised video actually works – if you click play, the video will load and nothing unusual seems to happen. But as the code screenshot below reveals, that click does much more than load the video.
When the page first loads, the “video” is actually just an image placeholder with a link. Part of the href parameter for that link is shown above. Note the space after the opening quotation mark – that’s where the XSS comes in. Normally, Facebook would block a link to a javascript: URL. Adding the space worked around Facebook’s filters, but the browser would still execute the rest of parameter.
According to Facebook, it turned out that some older code was using PHP’s built-in parse_url function to determine allowable URLs. For example, while parse_url(“javascript:alert(1)”) yields a scheme of “javascript” and a path of “alert(1)”, adding whitespace gives a different result: parse_url(” javascript:alert(1)”) does not return a scheme and has a path of “javascript:alert(1)”. Other PHP developers should take note of the difference if parse_url is being used in security-related code.

A More Advanced Attack

Clicking the link executed an inline script that in turn added a script element to the page. This loaded more code from a remote address and included several parameters in the GET request. The parameters set variables within the remote code that specified what video to load, what URLs to use for viral posts, and so on. Multiple Facebook apps and domains were used for the viral links, but the main script always came from the same host. This helped the attack persist, since blocking one site would not stop it and the central code was loaded dynamically.
The remote code handled actually loading the video, but also included a number of functions which make use of having script access in a facebook.com context. The script would set the user as attending spam events, invite friends to those events, “like” a viral link, and even send IMs to friends using Facebook Chat.
When I came across the attack, one block of code had been commented out, but one bloggerdiscovered a version of the attack a few days prior and saw it in action. This part loaded a fake login form which actually sent the entered username and password to a log interface on the attacker’s server. (Remember, this phishing form would appear in the context of a page with typical Facebook chrome.) Since the attack page would load even if a user was not logged in to Facebook, this could have also been a way to make sure a session was available before launching the other functions.
Fake videos and viral links are nothing new on Facebook, but most of these scams tend to be fairly simple. In fact, it’s not hard to find forums where people offer boilerplate code for launching such schemes – much like the first XSS worm above which simply submitted a form. But the April XSS attack involved multiple domains, multiple user accounts, and multiple methods for spreading and hijacking user accounts. And it still only scratched the surface of what’s possible with an XSS vulnerability. I expect we’ll see more XSS-based attacks and more powerful payloads in the future.

Postscript on Real-Time Research

I came across the April attack late one afternoon as I was preparing to leave work… so I could present on XSS at a local OWASP meeting! Those following me on Twitter saw a somewhat frantic stream of tweets as I tried to find live examples of the attack and sorted through the code while closely watching the clock and wrapping up last-minute presentation details. Earlier this week, I did some searching to review information for this post, and I came across this article from eWEEK: “Facebook Bully Video Actually an XSS Exploit“.
I was a bit surprised by it, as I hadn’t known about it before and saw that it quoted me. I then realized it was quoting my tweets! I then read that I had “confirmed to eWEEK on Twitter” one aspect of the story. At first I was confused, but then remembered that during my flood of tweeting, another user had sent an @ reply asking about the very detail the story talked about. Checking that tweet again, I found out the question had come from the article’s author.
I relate all this not because any of it bothered me, simply because (1) I found it somewhat fascinating that a few quick Twitter updates could become the primary source for a news article and (2) I was humbled to realize that a few quick Twitter updates could become the primary source for a news article! While it’s great that a story can spread so fast, it was certainly gave me a reminder to be careful when discussing topics of interest on a public forum. But I’m glad I can do my part in helping raise awareness of online dangers, particular the implications of XSS.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Famous Framework Metasploit v4.0.0

Posted by Avik Sarkar On 8/04/2011 06:55:00 pm

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.

New Exploit Modules:

VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
Black Ice Cover Page ActiveX Control Arbitrary File Download
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview
RealWin SCADA Server DATAC Login Buffer Overflow
Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
Iconics GENESIS32 Integer overflow version 9.21.201.01
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
Sielco Sistemi Winlog Buffer Overflow
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
HP OmniInet.exe Opcode 20 Buffer Overflow
HP OmniInet.exe Opcode 27 Buffer Overflow
Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview

New Post-Exploitation Modules:

Winlogon Lockout Credential Keylogger
Windows Gather Microsoft Outlook Saved Password Extraction
Windows Gather Process Memory Grep
Windows Gather Trillian Password Extractor
Windows PCI Hardware Enumeration
Windows Gather FlashFXP Saved Password Extraction
Windows Gather Local and Domain Controller Account Password Hashes
Windows Gather Nimbuzz Instant Messenger Password Extractor
Windows Gather CoreFTP Saved Password Extraction
Internet Download Manager (IDM) Password Extractor
Windows Gather SmartFTP Saved Password Extraction
Windows Gather Bitcoin wallet.dat
Windows Gather Service Info Enumeration
Windows Gather IPSwitch iMail User Data Enumeration

New Auxiliary Modules:

John the Ripper Password Cracker Fast Mode
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Kaillera 0.86 Server Denial of Service
2Wire Cross-Site Request Forgery Password Reset Vulnerability
SIPDroid Extension Grabber
MSSQL Password Hashdump

Notable Features & Closed Bugs:-

Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn’t exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)

Armitage integrates with Metasploit 4.0 to:-

Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity
Revision Information:
Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.

Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.

To download Metasploit Framework v4.0.0 Click Here
For more information abous MSF click here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Security firm exploits Chrome zero-day to hack browser, escape sandbox

Posted by Avik Sarkar On 5/10/2011 06:07:00 pm


 French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
Google said it was unable to confirm Vupen's claims.
"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."
Vupen posted a video demonstration of its exploit on YouTube.
According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."
Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.
Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.
For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
Last March, a team from Vupen walked away with a $15,000 cash prize afterhacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.
But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.
Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.
Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.
"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.
"That also means for that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.
"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.
Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.
Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Issues 'fix it' To Close Internet Explorer 0-day Vulnerability

Posted by Avik Sarkar On 9/20/2012 05:40:00 pm

Microsoft Issues 'fix it' To Close Internet Explorer 0-day Vulnerability 

Last few days the whole cyber world have gone through with so many drama of Internet Explorer's security bug, as researchers have unveiled four active exploits of a zero-day vulnerability in the browser. As expected the software giant Microsoft has released an emergency fix to get rid of these major security issues. Microsoft released a “fix it” tool for a critical security flaw in most versions of Internet Explorer 6, 7, 8 and 9  that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21. "While we have only seen a few attempts to exploit this issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online," said Yunsun Wee, director of Microsoft Trustworthy Computing in a statement. The zero-day in IE 6-9 is a use-after-free memory corruption vulnerability, similar to a buffer overflow, that would enable an attacker to remotely execute code on a compromised machine. The original exploit payload dropped the PoisonIvy remote access Trojan (RAT) via a corrupted Flash movie file. The latest payload discovered dropped the PlugX RAT via the same corrupted Flash movie, Blasco said. He also said the new exploits are the work of the Chinese hacker group Nitro, the same group behind a pair of Java zero-day exploits disclosed in August.

Blasco also said the new exploits appear to be targeting defense contractors in the United States and India.
Microsoft recommended several workarounds Tuesday morning before announcing its intention to send out a FixIt.
  • Setting Internet and local Internet security zone settings to high, which would block ActiveX Controls and Active Scripting in both zones
  • Configure IE to prompt the user before running Active Scripting, or disable Active Scripting in both zones
  • Use of Microsoft's Enhanced Mitigation Experience Toolkit provides mitigations as well, and would not impact website usability, as both of the first two options might.
Microsoft also said that IE running on Windows Server 2003, 2008 and 2008R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, mitigating the vulnerabilty but should a user click a link in a message, they could still be vulnerable to exploit.





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

TeamSpeak Official Forum Hacked! Redirecting Users Into Malicious DotCache Exploit Kit

Posted by Avik Sarkar On 12/05/2013 02:35:00 am

TeamSpeak Official Forum Hacked! Infecting Users By Malicious DotCache Exploit Kit
A serious security breach has compromised official forum of TeamSpeak, according to sources hackers have gained access inside the server and injected malicious script into the landing page of TeamSpeak official forum. Expert malware analyzer have figured out that the attack was thoroughly planned in order to infect millions of users while redirecting them to a DotCache exploit kit landing page as illustrated below 
TeamSpeak is a very famous Brazilian company who offers (VoIP) software that allows computer users to speak on a chat channel with fellow computer users, much like a telephone conference call. Users use the TeamSpeak client software to connect to a TeamSpeak server of their choice, from there they can join chat channels and enjoy the excellent VoIP service. Mostly it is used by millions of gamers across the globe. 
Basically we can consider TeamSpeak is a high value target, so did the hacker. Researchers said that the exploit kit landing page is hosted on atvisti.ro, a forum for ATV enthusiasts that's also been compromised. In a statement well known malware analyst & security researcher Jerome Segura said- if the Java exploit succeeds the final payload is loaded. In this particular example, the payload was the Zero Access Trojan which an Anti-Malware from Malwarebytes detects as Rootkit.0Access. The matter of a bit relief is that the malware has not yet been spotted in the wild. According to a statistic by Virus Total, only 7 of 46 leading antivirus can detect this type of malware. Exactly like TeamSpeak, a few days earlier Kahu Security researchers uncovered a similar compromise on the forum for the Nissan Pathfinder Off Road Association (NPORA) in both cases, JJEncode was used to obfuscate the malicious script. To avoid further infection, TeamSpeak forum has already been informed, an as expected they have over come this issue. For detail analysis of the above said malware you can visit official blog post of Malwarebytes



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Script To Bypass Antivirus & Firewall By Security Labs

Posted by Avik Sarkar On 12/15/2011 10:26:00 am



Security Labs Experts from Indian launch an automated Anti-Virus and Firewall Bypass Script. Its an Modified and Stable Version in order to work with Backtrack 5 distro. In order to compile the generated payload Mingw32 gcc must be installed on your system. 

Method:-
apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils

After the installation you need to move the shell-script (Vanish.sh, We have mentioned the download link below) to default Metasploit folder (/pentest/exploits/framework) and execute it. Recommended Seed Number = 7000 and Number of Encode = 14.
Note: By default Script Generates Reverse TCP Payload but you can change it some modifications in Script [vanish.sh]. Virus Scan Report of Backdoor shows that its almost undetectable by most of the Antivirus programs.

To Download The Script Click Here

Security Labs Experts also released a pastebin. Rest of other information can be found from that release. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Analysis of an Osama bin Laden RTF Exploit

Posted by Avik Sarkar On 5/08/2011 09:50:00 pm

Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we've seen which exploit CVE-2010-333 have used topical subject lines.
And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The file name is called: "Laden's Death.doc" and appears as so:
Courier who led U.S. to Osama bin Laden's hideout identified


When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:

  •  Drops a file in the system's temp folder: vmm2.tmp
  •  File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
  •  Makes registry modifications in an attempt to hijack the DHCP service.

It attempts to connect to a C&C hosted at ucparlnet.com.

The payload has the ability to:

  •  Download additional malware
  •  Connect and send sensitive data back to remote servers
  •  Act as a trojan proxy server

The folks at contagio malware dump report that "It was sent to many targets in the US Government today".

Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.

As always, the usual advice applies, exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.

You can see more examples of CVE-2010-3333 attacks at contagio.

Updated to add: Here's a picture of an email spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the email is forged.
Laden's Death.doc

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

BackTrack 5 R3 Released & Available To Download

Posted by Avik Sarkar On 8/14/2012 02:44:00 am

BackTrack 5 R3 Released & Available To Download!!

In our last post about BackTrack we mention the release date of long awaited BT 5 Release 3. So finally the countdown is over. The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released world wide. First BT5 R3 preview was released  in BlackHat 2012 Las Vegas for the enjoyment of conference attendees. The main aim of that pre-release was to figure out their last bug reports and tool suggestions from the BH / Defcon crowds. This final release mainly focuses on bug-fixes as well as the addition of over 60 new tool. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.
As usual KDE and GNOME, 32/64 bit ISOs, have been released a single VMware Image (Gnome, 32 bit). 
We would also like to give to reminder that the first release candidate (R1) of BackTrack 5 was released in August last year. Later in March this year we got the second release candidate (R2) of BT 5. 
For those requiring other VM flavors of BackTrack If you want to build your own VMWare image then instructions can be found in the BackTrack Wiki. Direct ISO downloads will be available once all our HTTP mirrors have synched. But still you can download BackTrack 5 R3 via torrent from the below links. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

PDF Malware Using New Tricks to Exploit Vulnerability

Posted by Avik Sarkar On 4/30/2011 03:06:00 am


Security researchers have identified a new trick in PDF files being sent as email attachments that obfuscate attack code by encoding it inside an image file.

Malicious PDF files are using a new trick to avoid detection by almost all major antivirus scanners on the market, according to security researchers. Researchers from Avast and Sophos independently noticed PDF files making the rounds in March that weren’t being flagged as malicious but had the ability to compromise a machine just by being opened. The originating address was often suspicious, and the attachments accompanied emails purporting to be an order receipt. The attachments themselves often had names containing the supposed order number.
When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot  or FakeAV, Paul Baccas, a senior threat researcher at Sophos Labs, wrote on the company’s Naked Security blog on April 15.
“The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware,” wrote Baccas.
It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability Adobe had patched over a year ago on Feb. 16, 2010, according to Baccas.
The exploit is specific to Reader and would not execute in Google Chrome’s PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that’s a good sign, Chrome generally asks users if it should open the file in Reader if it can’t display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.
The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most aggressive scanner.
“Our parser was unable to get any suitable content that we could define as malicious,” Sejtko said.
Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.
The filter being used to encrypt the malicious code was also meant to be used only for black and white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the payload.
“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream?” Sejtko said. While the “bad guys” are building a specially crafted TIFF image file in the PDF files, the trick can be used to hide special JavaScript and font files, as well.
Compared to other attacks, this attack is seen in “only a very small number” of attacks, Sejtko said, but has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Flashback Trojan Targeting Mac OS X in VMware Fusion

Posted by Avik Sarkar On 10/18/2011 05:48:00 pm

Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month.
Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware Fusion. Such virtual machine software is routinely used by security researchers to test the behavior of a malware sample because it's easier to delete a virtual instance when they're finished than it is to wipe the hard drive clean and reinstall the operating system.
According to MAC Security Blog:-
The latest version, Flashback.D, has gotten a bit sneakier. First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infect full installations, as it is easier to delete them and start over with clean copies. This means that security researchers analyzing and looking for this malware need to be running regular Macs.
Next, the installer for the malware downloads the payload when running the postinstall script.

Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.


Even if a user removes the above file (UnHackMeBuild), they need to edit Safari’s info.plist file; if not, Safari will look for the backdoor on launch, and, if it is not found, Safari will quit.

-News Source (Intego Blog, The Register)




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Social Engineer Toolkit (SET) Version 2.4.2 Released

Posted by Avik Sarkar On 12/01/2011 06:07:00 pm



Social Engineer Toolkit has been updated! We now have the Social Engineer Toolkit version 2.4.2

Brief About SET:-
The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. It’s main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.

Official Change Log For Social Engineer Toolkit v2.4.2:-


  • Fixed a bug in multiattack vector where specifying java applet attack and shellcode exec would not properly inject alphanumeric shellcode into applet properly
  • Restructured multiattack vector to properly clone, prep payload delivery, then inject alphanumeric shellcode
  • Added better handling around multiple attack vectors
  • Fixed a bug that caused msfvenom to bomb out if path was /opt/framework3/msf3 versus /opt/framework/msf3
  • Added better handling around multiattack in Social Engineer Toolkit
  • Fixed a bug with self signed certificates would continue to show Microsoft versus what you sign it with
  • Changed java applet to load and render at bottom of body versus in head. Page should now load with Java Applet appearing
  • Fixed a bug where Java Repeater would not load properly when executed due to a incorrect loop within cloner.py
  • Added the ability to use filename for import versus directory
  • Added the ability to import index.html files versus just the folder on the custom import feature


To Download Social Engineer Toolkit v2.4.2 Click Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search