
Thursday, December 30, 2010

Fork Bombs


Once a successful fork bomb is active in a computer system, one may have to reboot it to resume its normal operation. Stopping a fork bomb requires destroying all running copies of it. Trying to use a program to kill the rogue processes normally requires creating another process — a difficult or impossible task if the host machine has no empty slots in its process table, or no space in its memory structures. Furthermore, as the processes of the bomb are terminated (for example, by using the kill(8) command), process slots become free and the remaining fork bomb threads can continue reproducing again, either because there are multiple CPU cores active in the system, and/or because the scheduler moved control away from kill(8) due to the time slice being used up.
On a Microsoft Windows operating system, a fork bomb can be defused by the user's logging out of his/her computer session.
However, in practice, system administrators can suppress some of these fork bombs relatively easily. Consider the shell fork bomb shown below:
:(){ :|: & };:
One important "feature" of this code is that a fork bomb process which can no longer fork doesn't stick around, but rather exits. If we try often enough, eventually we start a new do-nothing process. Each new do-nothing process we run reduces the number of rampant "fork bomb" processes by one, until eventually all of them can be eradicated. At this point the do-nothing processes can exit. The following short Z Shell code will typically get rid of the above fork bomb in about a minute:
while (sleep 100 &!) do; done
Alternatively, stopping (“freezing”) the bomb's processes can be used so that a subsequent kill/killall can terminate them without any of the parts re-replicating due to newly available process slots:
killall -STOP processWithBombName
killall -KILL processWithBombName
When a system is low on free PIDs (in Linux the maximum number of pids can be obtained from /proc/sys/kernel/pid_max), defusing a fork bomb becomes more difficult:
$ killall -9 processWithBombName
bash: fork: Cannot allocate memory
In this case, defusing the fork bomb is only possible if you have at least one open shell. You may not fork any process, but you can execve() any program from the current shell. You have only one try, so choose with care. A couple of the best choices are python and busybox, for example:
bash$ exec busybox sh
$ killall -9 processWithBombName
killall in busybox is an internal command and does not depend on fork().
Why not exec killall -9 directly from the shell? Because killall is not atomic and doesn't hold locks on the process list, so by the time it finishes the fork bomb will advance some generations ahead. So you need to launch a couple of killall processes, for example:
while :; do killall -9 processWithBombName; done
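As an added illustration (not part of the original post), the containment logic described above as a small Python monitor: it counts processes per command name from /proc, flags a runaway name, and applies the freeze-then-kill order so that stopped copies cannot re-fork into the slots their siblings free. The process listing used for the sample is constructed; reading /proc itself only works on Linux.

```python
import os
import signal

def read_procs():
    """Return (pid, comm) for every process listed in /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    procs.append((int(entry), f.read().strip()))
            except OSError:
                pass  # the process exited between listdir() and open()
    return procs

def find_runaway(procs, threshold):
    """Map command name -> pids for every name with more than `threshold` instances."""
    by_name = {}
    for pid, comm in procs:
        by_name.setdefault(comm, []).append(pid)
    return {comm: pids for comm, pids in by_name.items() if len(pids) > threshold}

def freeze_then_kill(pids, send=os.kill):
    """Send SIGSTOP to every pid first, and only then SIGKILL, so no frozen copy can
    re-fork into the slots freed as its siblings die. `send` is injectable for testing.
    Returns the (pid, signal name) pairs actually delivered."""
    targets = [p for p in pids if p not in (1, os.getpid())]  # never touch init or ourselves
    sent = []
    for sig in (signal.SIGSTOP, signal.SIGKILL):
        for pid in targets:
            try:
                send(pid, sig)
                sent.append((pid, sig.name))
            except ProcessLookupError:
                pass  # already gone
    return sent

# Constructed sample standing in for a /proc listing during a bomb: 501 "bash" copies.
SAMPLE_PROCS = [(1, "systemd"), (2, "kthreadd"), (300, "bash"), (301, "sshd")]
SAMPLE_PROCS += [(1000 + i, "bash") for i in range(500)]

if __name__ == "__main__":
    procs = read_procs()
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    print(f"{len(procs)} processes, {len(procs) / pid_max:.1%} of PID space used")
    for comm, pids in find_runaway(procs, 200).items():
        print(f"runaway command {comm!r}: {len(pids)} instances (freeze_then_kill candidates)")
```

The main block only reports; pass the flagged pids to freeze_then_kill yourself once you have confirmed the command name is the bomb and not a legitimately busy service.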

Wednesday, December 22, 2010

ZeuS Tracker

https://zeustracker.abuse.ch/blocklist.php

Using ToR as network router

A few weeks ago I started work on a project: building a tor-box. The idea is to build a Linux or Windows PC with a ToR client on it and use the PC as a network router. Will publish the POC results soon.

Friday, December 17, 2010

Video - USBsploit 0.5 BETA: Dump, Autorun, Migration and all EXE, PDF, LNK files replaced through Railgun against XP HOME

PoC to generate Reverse TCP backdoors, malicious PDF or LNK files, but also running Auto[run|play] infections and dumping all USB files remotely on multiple targets at the same time; a set of extensions to dump can be specified. All EXE, PDF and LNK files on the USB targets can also be replaced by malicious ones. USBsploit works through Meterpreter sessions (wmic, railgun, migration) with a lightly modified version of Metasploit. The interface is a mod of SET (The Social Engineering Toolkit). The Meterpreter scripts of the USBsploit Framework can also be used with the original Metasploit Framework. - Read the article

http://secuobs.com/news/14122010-usbsploit_v0.5b_meterpreter_msf_1.shtml

Tuesday, December 14, 2010

Godaddy Workspace XSS


Posted DEC 11 2010 by MUTS in OFFENSIVE SECURITY with 0 COMMENTS

Who's your Daddy? An interesting submission in from the Exploit Database – a Godaddy workspace XSS vulnerability. Although we did not post it (live site), the vulnerability seems real, and definitely worth mentioning.
In essence, this vulnerability allows an attacker to send malicious JavaScript to an unsuspecting victim – allowing stealing of cookies and other nasty stuff. Effectively, if you are using the Godaddy workspace web interface, an attacker can acquire your session information and log in to the account with no credentials. All Godaddy workspace users, ph33r. Wait, didn't we have a demo just like this in CTP?
Will be interesting to see how long it takes Godaddy to fix this issue. Check out the PoC movie:
You can download the original Godaddy Cross Site Scripting Exploit movie from our archive.

Sunday, December 12, 2010

windows password audit

I am surprised that nobody mentioned the combination of fgdump
(http://www.foofus.net/~fizzgig/fgdump/) for dumping passwords and John
the Ripper (http://www.openwall.com/john/) with jumbo patch for cracking
them. Both free and open source.

--
Alla Bezroutchko
Gremwell - http://www.gremwell.com/

Monday, December 6, 2010

Zed Attack Proxy Project

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
The current version of ZAP is 1.1.0 and it can be downloaded from the Google Code page.

Security Tools & News Round-up for November 2010


Dear All

Security Tools & News Round-up for November 2010

Here is a round-up of the latest news and tools for IT Security and
pentesting. If you want to keep one step ahead, I recommend that you follow
me on Twitter. You'll find my account at the end of this message.

Get your copy here

http://www.firecat.fr/newsletter/SecurityToolsNews-Nov2010.pdf

Get the realtime updated news from http://www.twitter.com/toolswatch

N. OUCHN

SSA - Security System Analyzer 2.0


SSA (Security System Analyzer) is a free, non-intrusive OVAL and XCCDF based
scanner. It provides security testers and auditors with an advanced overview
of the security policy level applied.

What's the goal of SSA ?

Making Open Standard Security Assessment EASY !!

Getting Started ?

- Choose your standard
- Choose your policy
- Choose the baseline and Click Scan. That’s IT !!!

When do I expect the SSA v2.0 final release?

When I have successfully implemented the following features.

- Full support of open security standards and initiatives (CVE, OVAL,
CCE, CPE, CWE, SCAP, CVSS)
- Multiplatform support (Windows, Linux, OS X)
- Comprehensive Graphical Dashboard
- Report Management


What's new in this release 002 ?

* Added the support of XCCDF 1.1.4
(http://scap.nist.gov/specifications/xccdf/)
* Display Pass / Fail testcase
* Associate Testcase to CCE reference
* Added 2 new baselines: USGCB / SCAP for IE8 and Windows 7 x86
* Added export to CSV
* Added new directory for logs
* Added the ability to maximize Windows
* Added a new community page http://teambox.com/public/ssa-v2-beta
* Fixed many bugs

My huge thanks for testing beta001 to:

- Thierry Zoler
- Jerome Athias (NETpeas.com team)
- Mouad Zahrane (NETpeas.com team)
- Maximiliano Soler
- Fernando Figueroa.

Get your copy and stay tuned for upcoming releases at

http://code.google.com/p/ssa/

Next Iteration Beta 003 with Database Support and Report History Management.

Stay Tuned

SSA is now fully sponsored by NETpeas (www.netpeas.com)

N.OUCHN
CTO at NETpeas

PoC/Exploit for SQL Injection vulnerability in Alguest

source: http://evuln.com/vulns/154/exploit.html


Published Proof of Concept code - SQL Injection vulnerability in Alguest.

Description: Available
Solution: Not available - check vendor's website

SQL Injection Example

Vulnerable code: $query = @mysql_query("SELECT * FROM $tabella order by id asc limit $start,$rec_pagina");
SQL Injection PoC: http://website/alguest/index.php?start='
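The vulnerable query above beside a hardened version, as an added example written for this post (not Alguest's code): it uses an in-memory SQLite table constructed to stand in for the guestbook, shows that the published start=' PoC turns the interpolated query into a SQL error, and fixes it by validating both paging values as integers and binding them as parameters instead of pasting them into the statement.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the guestbook table Alguest pages through."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO guestbook (name) VALUES (?)",
                    [(f"visitor{i}",) for i in range(10)])
    return con

def vulnerable_page(con, start, rec_pagina):
    """Same shape as the Alguest query: request values pasted straight into the SQL,
    so start=' (the published PoC) becomes a syntax error the server may echo back."""
    sql = f"SELECT * FROM guestbook ORDER BY id ASC LIMIT {start},{rec_pagina}"
    return con.execute(sql).fetchall()

def hardened_page(con, start, rec_pagina, max_rows=100):
    """Reject anything that is not a short non-negative integer, cap the page size,
    and bind the values as parameters instead of interpolating them."""
    if not (re.fullmatch(r"[0-9]{1,9}", str(start))
            and re.fullmatch(r"[0-9]{1,9}", str(rec_pagina))):
        raise ValueError("start and rec_pagina must be non-negative integers")
    offset, count = int(start), min(int(rec_pagina), max_rows)
    sql = "SELECT * FROM guestbook ORDER BY id ASC LIMIT ?,?"
    return con.execute(sql, (offset, count)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(hardened_page(con, "2", "3"))  # rows with id 3, 4, 5
    for fn in (vulnerable_page, hardened_page):
        try:
            fn(con, "'", 3)
        except Exception as e:  # OperationalError from SQLite vs ValueError from validation
            print(f"{fn.__name__}: {type(e).__name__}: {e}")
```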

Study for cyberwar

http://www.study4cyberwar.com/index.html

Keyloggers

http://www.pwcrack.com/keylogger.shtml

Friday, December 3, 2010

Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access


CREDITS: 
StenoPlasma (at) ExploitDevelopment.com
SUMMARY AND IMPACT:
All versions of Microsoft Windows allow real-time modifications to the
Security Accounts Manager (SAM) that enable an attacker to create a
hidden administrative backdoor account for continued access once a
system has been compromised. Once an attacker has compromised a
Microsoft Windows computer system using any method, they can either
leave behind a regular user or hijack a known user account (Such as
ASPNET). This user account will now have all of the rights of the
built-in local administrator account from local or remote connections.
The user will also share the Administrator's desktop and profile. When
inspected by system administrators, the regular user always looks like
it is just part of the built-in user's group. The attacker can also
make the regular user account hard to detect by creating a user with
the username of "ALT-0160", for blank space. Events in the audit log
pertaining to the hidden account will be created if the system
administrator has enabled auditing, but the user name fields are all
blank. Once a system has been compromised, the attacker would need to
ensure the Task Scheduler service is enabled only when starting the
method. This method can be used to masquerade as any user account on
the computer system.

DETAILS:
Use the following steps to exploit this vulnerability.
Step 1: Attacker compromises the Windows computer using any available method. 
Step 2: Attacker creates a user account with a blank username using
'net user " " P@$$w0rd /add'. In between the double quotes, you can
use ALT+0160 to create the blankspace. 
Step 3: Attacker creates an interactive scheduled task to run a minute
after creating it. This scheduled task brings up a command prompt as
the NT Authority\SYSTEM account on Windows 2000, XP, and 2003. 'at
11:24 /interactive cmd.exe'. If using Windows Vista, 7, or 2008
Server, the attacker must do all registry editing from the command
line using 'schtasks'. 
Step 4: Once the SYSTEM command prompt comes up, open regedit from the
command line. 
Step 5: Browse to 'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names' 
Step 6: Click on the newly created user account's user name. 
Step 7: Take note of the "Type" field for that user. 
Step 8: In this example, the backdooruser's "Type" is 0x3f7 and the
built-in Administrator's is 0x01F4. 
Step 9: Under 'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users' click
on 000003F7. 
Step 10: In the right pane, double click on the "F" key. 
Step 11: Go to the 7th row of HEX values. 
Step 12: Change the value from "F7 03" to "F4 01". 
Step 13: Log off then log on using your new backdoor account. 
Step 14: You will notice that you are now using the Administrator's
desktop and rights. 
Step 15: When you run 'net localgroup Administrators' you will see
your backdoor account listed only when you log in as the backdooruser
to check for it. If any other user runs the same command they will
only see the regular user accounts. 
Step 16: Delete any other temporary accounts you may have made during
the method.
VULNERABLE PRODUCTS:
All patch levels of Microsoft Windows 2000 Workstation, Windows 2000
Server, Windows 2003 Server, Windows XP, Windows Vista, Windows 7, and
Windows 2008 Server. (Windows Vista, Windows 7 and Windows 2008 Server
are harder to exploit because you cannot bring up an interactive
SYSTEM shell, but you can still dump the registry, edit the field,
then merge the registry back as SYSTEM to complete the method).

REFERENCES AND ADDITIONAL INFORMATION:
N/A

CREDITS:
StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: July 1, 2010
Vendor Notified: August 8, 2010
Vendor Dismissed: August 10, 2010 (MSRC says that there is nothing to
investigate because the action can only happen after a compromise.
This vulnerability deals with continued access without using DLL
injection or rootkits)
Vendor Fixed: N/A
Vendor Notified of Disclosure: October 26, 2010
Disclosure to Bugtraq: December 2, 2010 
VENDOR URL:
http://www.microsoft.com 
ADVISORY URL:
http://www.ExploitDevelopment.com/Vulnerabilities/2010-M$-001.html
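A detection check for the two artifacts this advisory leaves behind, added here as an example and not part of the advisory: an account key under the SAM Users key whose embedded RID no longer matches the key's own name, and an account name that renders as blank. It assumes the RID sits at offset 0x30 of the "F" value (the advisory's "7th row" of hex, read little-endian, so F7 03 is 0x3F7) and runs on constructed F values; on a real system the values must be read as SYSTEM.

```python
import struct

RID_OFFSET = 0x30  # RID field inside a SAM user "F" value (the advisory's "7th row of hex")

def make_f_value(rid):
    """Constructed minimal "F" value: 0x50 zero bytes with the RID written at offset 0x30."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)

def f_value_rid(f_value):
    """Read the little-endian RID stored in an "F" value (F7 03 00 00 -> 0x3F7)."""
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]

def find_rid_mismatches(users):
    """users: {key name under the SAM Users key: F bytes}. A key whose embedded RID
    does not match its own name (e.g. 000003F7 carrying 0x1F4) is an aliased account."""
    findings = []
    for key_name, f_value in users.items():
        rid = f_value_rid(f_value)
        if rid != int(key_name, 16):
            findings.append((key_name, rid))
    return findings

def blank_looking_names(names):
    """Account names that render as empty: spaces, tabs or U+00A0 (ALT+0160) only."""
    return [n for n in names if n.strip() == ""]

# Constructed sample: the built-in Administrator (0x1F4), Guest (0x1F5), and a new
# account 000003F7 whose F value has been pointed at the Administrator's RID.
SAMPLE_USERS = {
    "000001F4": make_f_value(0x1F4),
    "000001F5": make_f_value(0x1F5),
    "000003F7": make_f_value(0x1F4),
}
SAMPLE_NAMES = ["Administrator", "Guest", "\u00a0", "svc_backup"]

if __name__ == "__main__":
    for key_name, rid in find_rid_mismatches(SAMPLE_USERS):
        print(f"Users\\{key_name} carries RID 0x{rid:X} instead of its own")
    for name in blank_looking_names(SAMPLE_NAMES):
        print("blank-looking account name:", name.encode("unicode_escape"))
```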

Thursday, December 2, 2010

Hiya

Trying to PoC the PHP entity heap overflow vulnerability on my VMs.
Your ideas are more than welcome.