Computer Security

Cheat Sheets

It seems that you people are interested in the MySQL cheat sheet which I released some time ago.
Therefore, I took it a step further and made this PostgreSQL cheat sheet for your enjoyment!

Both of them can be found here:

Hopefully that will help you out with your struggling.

Oh yeah, there are a few rare (unknown?) techniques/methods in those pages as well.
So take a look if you’re interested!

But what is a Cheat Sheet?

Wikipedia described it like this:

A cheat sheet or crib sheet is a concise set of notes used for quick reference. “Cheat sheet” may also be rendered “cheatsheet”.

In my opinion, there are too many papers on SQL injections.
So instead of writing one of my own, I prefer to publish these cheat sheets.
They’re handier for database administrators and developers, and they also point out critical security issues for people working in that area.

I hope you enjoy them!
And don’t be shy pointing out errors and/or various other techniques, it will just make them more extended!
Extended is better.

Ciao Bella!

carrot.exe

Ladies and gentlemen, I will hereby release the carrot.exe!

What is it? You might ask.

Well, it’s just a compilation of various security related tools found around the net.
All from NirSoft’s password recovery utilities, to PwDump7 and the Abel backdoor (?) from Cain & Abel.
And of course some other nifty tools (like netcat). I do not take credit for their efforts of producing those applications.
As I said, this is simply a compilation. If you have any complaints about them being released in this format, they will be removed.

Anyway, here’s a list of its arguments:

–[ Name:   Carrot v1.0
Author: Fredrik N. A .          [Big ASCII-carrot goes here.]

–[ Obvious:
/help    This message.

–[ Parameters:
/32      Force to use only 32-bit payloads.

/64      Force to use only 64-bit payloads.
If non of the above arguments are specified,
carrot will use one based on the CPU architecture.

/file=*  Specifies a file to use, where the asterix is the
name of the file.

–[ Password:
/im      Grabs the passwords of MSN Messenger, Windows Messenger,
Yahoo Messenger, ICQ Lite 4.x/2003, Miranda,
AOL Instant Messenger (With Netscape 7), Trillian and GAIM.

/ie      Grabs the passwords stored for Internet Explorer 4.0, 5.0,
6.0 and 7.0.

/ff      Grabs the passwords from Mozilla Firefox.

/gc      Grabs the passwords from Google Chrome.

/wlan    Enumurates all stored WEP/WPA keys on the current computer.

/vnc     Recovers VNC passwords.

/ps      Grabs password(s) stored in the “Protected Storage”.

/np      Grabs password(s) stored for NetBIOS and various SMB services.

/mp      Grabs the passwords of Outlook Express,
Microsoft Outlook 2000 (POP3 and SMTP Accounts only),
Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP, SMTP Accounts),
IncrediMail, Eudora, Netscape Mail, Mozilla Thunderbird,
Group Mail Free.  And various programs associated with neither
Hotmail, Gmail or Yahoo!

/dialup  Grabs the credentials for DialUp modems.

/pwdump  Dumps the SAM file and all NT/LM password hashes.

–[ System:

/driver  Dumps all installed drivers on the current machine.

/clean   Removes general windows logs, all from security-logs to last
viewed files.

–[ Browser:

/bm      Dumps the bookmarks of Opera, Internet Explorer, Firefox
and Chrome.

/ieco    Grabs the Internet Explorer cookies.

/ieca    Grabs the Internet Explorer cache.

/iehi    Grabs the Internet Explorer history.

/ffco    Grabs the Firefox cookies.

/ffca    Grabs the Firefox cache.

/ffhi    Grabs the Firefox history.

/opca    Grabs the Opera cache.

/gcca    Grabs the Google Chrome cache.

–[ Network:
/ports   Grabs all interal open ports and connections.

/net     Grabs network shares on the current workgroup.

/nc      Extracts netcat (nc.exe) to the current directory.

–[ Miscellaneous:
/beep    Beep!

/bsod    Causes a Blue Screen of Death.

/mic     Records the microphone for 10 seconds.

/flip0   Flips the monitor 0 degrees.

/flip90  Flips the monitor 90 degrees.

/flip180 Flips the monitor 180 degrees.

/flip270 Flips the monitor 270 degrees.

/scrshot Takes a screenshot.

/webcam  Takes a picture with all webcams.

/serials Grabs up to 200 serials.

/freeze  Freezes a process,
/file= must be used!

/kill    Kills a process,
/file= must be used!

/shdown  Shutsdown the computer.

/rstart  Restarts the computer.

/logoff  Logs off the current user.

/lock    Locks the current users session.

–[ root:
/down    Downloads a file,
/file= must be used!

/astart  Autostarts a file,
/file= must be used!

/hide    Gives a file “Hidden” and “System” permissions,
/file= must be used!

/nowin1  Disables Windows Firewall.

/nowin2  Disables Windows Firewall.

/nouac   Disables Windows UAC

/abel    Extracts the Abel backdoor from Cain & Abel.

What to use it for?

Meh, don’t know, be creative. Fancy USB payload maybe?

It can be used by security professionals to demonstrate the insecurity of the target computer if it lacks a firewall and/or antivirus.
Also, it makes it easier for computer administrators to recover lost usernames and passwords for various services.

However, you may only use this utility on computers you have permission to.
Otherwise you might end up breaking the law, depending on which country you live in.
Stay safe.

Anyway, here’s the download link carrot.rar.

Oh yeah, you require the .NET framework version 3.5 or above.
So this program will run on Windows Vista, Windows 7 and Windows Server 2008 without any mess.

Another Safari Stack Overflow in JavaScriptCore.dll

Unhandled exception at 0x5cfa8947 in Safari.exe: 0xC00000FD: Stack overflow.

Unhandled exception at 0x5cfa8947 in Safari.exe: 0xC0000005: Access violation reading location 0x00170000.

Meh. Enough said. The exploit can be found here.

This code bypasses the “recursion security” in most known browsers and adds multiple child elements to the html tag containing an iframe with a site that will call window.print(). In this case I used document.location because I am way too lazy to upload 2 files; in fact, I’ll let Fredrik upload the single file.

Safari Stack Overflow in JavaScriptCore.dll

Unhandled exception at 0x5c778947 in Safari.exe: 0xC00000FD: Stack overflow.

Meh. Enough said. The exploit can be found here.

The error seems to occur when the src property in the iframes is set to mailto:DoS. Don’t ask me why. I don’t know.

I believe Mathias will release another stack overflow really soon. Meanwhile, here’s some proof:

Proof of Concept

Blind injection in MySQL INSERT’s.

So, well. There isn’t any public content on how to perform attacks against MySQL INSERT’s.

Sure, you can insert some data into some column, it doesn’t take a genius to figure that out. But what about extraction?

INSERT statements don’t return anything. So what can we do? Conclusion: add another row, and make it perform a blind injection with either BENCHMARK() or SLEEP().

Proof of Concept:

INSERT INTO foo (bar) VALUES('<YourStuffGoesHere>')

INSERT INTO foo (bar) VALUES('NoneExistingValue'),((SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,NULL,SLEEP(3))))--')

As you can see, if the comparison in the new row fails (i.e. the database isn’t running MySQL 4), the statement will take more than 3 seconds to execute.

The SLEEP() function is supported on MySQL 5. However, in a MySQL 4 environment, you can use the BENCHMARK() function instead.
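From the defender’s side, the same trick is easy to spot in the general query log: a legitimate INSERT never carries SLEEP(), BENCHMARK() or a subquery inside its VALUES list. The following is an added example (not part of the original post) that splits the VALUES clause into its tuples and flags the injected row; the log lines are constructed.

```python
import re
# Constructed sample lines in the style of the MySQL general query log (not real traffic).
SAMPLE_LOG = """\
100401 10:00:01  1 Query  INSERT INTO foo (bar) VALUES('hello world')
100401 10:00:02  1 Query  INSERT INTO foo (bar) VALUES('NoneExistingValue'),((SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,NULL,SLEEP(3))))
100401 10:00:04  3 Query  INSERT INTO foo (bar) VALUES('a'),('b'),((SELECT BENCHMARK(5000000,MD5(1))))
"""

TIMING_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
SUBQUERY = re.compile(r"\(\s*SELECT\b", re.IGNORECASE)
INSERT_VALUES = re.compile(r"INSERT\s+INTO\s+\S+.*?VALUES\s*(.*)$", re.IGNORECASE)

def value_tuples(values_clause):
    """Split a VALUES clause into top-level tuples, honouring single-quoted strings."""
    tuples, cur, depth, in_str = [], "", 0, False
    for ch in values_clause:
        if ch == "'":
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth == 0:            # closed a top-level tuple
                tuples.append(cur + ch)
                cur = ""
                continue
        if depth > 0:
            cur += ch
    return tuples

def analyse_insert(sql):
    """Findings for one statement: a timing function or subquery in any VALUES tuple."""
    m = INSERT_VALUES.search(sql)
    if not m:
        return []
    findings = []
    for i, t in enumerate(value_tuples(m.group(1))):
        body = re.sub(r"'[^']*'", "''", t)   # ignore text inside string literals
        hit = TIMING_FUNCS.search(body)
        if hit:
            findings.append(f"tuple {i}: time-based primitive {hit.group(1).upper()}()")
        if SUBQUERY.search(body):
            findings.append(f"tuple {i}: subquery inside VALUES")
    return findings

def scan_log(text):
    """Return (sql, findings) for every logged Query that trips a rule."""
    queries = [l.split(" Query ", 1)[1].strip() for l in text.splitlines() if " Query " in l]
    return [(q, f) for q in queries if (f := analyse_insert(q))]
```

The real fix is still a parameterised INSERT, which stores the whole payload as one literal value instead of a second row; the scanner only tells you that someone is trying.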

Hopefully this will help you out!

Cheers.

Windows Vista – Remote DoS.

About half a year ago (~October 2009) I played around some with the ICMP protocol, using Perl.

And well, Mathias and I found a few 0-days for various operating systems and devices.

And here, ladies and gentlemen, I will release a remote DoS for Windows Vista.

The result is a BSoD. Go get it here: nullflood.pl.

SOCKS5

Okay, I just made a library to perform SOCKS5 connection(s) in both C# and VB.Net.

Here’s a code example of how to use it:

Imports System
Imports System.Text
Imports SOCKS5

Public Class PoC
    ' The entry point must be Shared so it can run without an instance of PoC.
    Public Shared Sub Main()
        Dim Target As String = "www.google.com"
        Dim Query As String = "GET / HTTP/1.1" & vbCrLf & "Host: " & Target & vbCrLf & vbCrLf
        ' SOCKS5 proxy at 1.2.3.4:1080; ask it to connect us to Target on port 80.
        Dim Tunnel As New SOCKS5("1.2.3.4", 1080, Target, 80)
        Dim Socket As New Net.Sockets.Socket(Net.Sockets.AddressFamily.InterNetwork, Net.Sockets.SocketType.Stream, Net.Sockets.ProtocolType.Tcp)
        ' Performs the SOCKS5 handshake; afterwards the socket talks to Target through the proxy.
        Tunnel.Connect(Socket)
        Socket.Send(Encoding.ASCII.GetBytes(Query))
        '...
    End Sub
End Class

I hope that helps.

Also, here’s the download link: SOCKS5.rar
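What Tunnel.Connect() has to do on the wire is the two-round-trip SOCKS5 handshake from RFC 1928: a method negotiation, then a CONNECT request answered with a reply code and bound address. The following Python is an added example (not the library from the post); the proxy’s answers are constructed so it runs without a network, and it checks the reply code and version the way a client should.

```python
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def greeting():
    """Client -> proxy: version, method count, method list (only NO AUTHENTICATION offered)."""
    return bytes([VER, 1, NO_AUTH])

def parse_method_selection(data):
    """Proxy -> client: version and the chosen method; 0xFF means none was acceptable."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != VER:
        raise ValueError(f"unexpected SOCKS version {ver:#x}")
    if method == 0xFF:
        raise ConnectionError("proxy rejected every offered authentication method")
    return method

def connect_request(host, port):
    """Client -> proxy: CONNECT to a domain name (the proxy resolves it), port big-endian."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("domain name length must fit in one byte")
    return struct.pack("!BBBBB", VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)) + name + struct.pack("!H", port)

def parse_reply(data):
    """Proxy -> client: version, reply code, reserved, bound address and port."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != VER:
        raise ValueError(f"unexpected SOCKS version {ver:#x}")
    if rep != 0:
        raise ConnectionError(f"CONNECT failed: {REPLY.get(rep, 'unassigned code')} ({rep})")
    if atyp == ATYP_IPV4:
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    return addr, struct.unpack("!H", data[off:off + 2])[0]

def simulated_exchange(host, port):
    """Both round trips with constructed proxy answers, so it runs without a network."""
    method = parse_method_selection(bytes([VER, NO_AUTH]))          # constructed proxy reply
    request = connect_request(host, port)
    proxy_ok = bytes([VER, 0x00, 0x00, ATYP_IPV4, 10, 0, 0, 5]) + struct.pack("!H", 40000)  # constructed
    return method, request, parse_reply(proxy_ok)
```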