SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a junior in college, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Friday, November 12, 2010

Email Scraping, removing anti-OCR protections, and fixing these problems

Okay, I am going to just jump right in. There was a certain website which shall remain nameless. This website had a weakness in its function to search for people who were a part of the website. The vulnerability was that there was a folder which contained all the previous 9000+ email address images (with multi-colored anti-OCR protections) that had been loaded in the people searcher. Now the thing is, I didn't really know there were that many until I had a program count them; there were around 8500, but it kept increasing until they were all reset a day or two later, and then new ones started appearing.

Okay, anti-OCR mechanisms that have a color different than the color of the text (aka black) PHAIL. There is a huge reason why: first of all, the fact is someone can EASILY go in and remove any colors other than white and black, turning each such pixel white and effectively removing all those protections. Secondly, using a common font for the images also phails. A better option would be to have the software that generates the image randomize between 3-5 fonts which are different enough to throw off OCR programs. AspriseOCR is highly recommended; if you know Java it's VERY easy to implement and extremely accurate. The final step, though, in this OCR process is to read out ALL the images' text into a text file, and then you have a list of thousands of email addresses. Remember, do not use this information for malicious purposes.
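As an added defender's check (my own Python, not the post's Java source), here is a small routine a site owner can run against their own generated images to measure how much of the noise survives the black/white threshold described above; the 3x4 pixel grids below are constructed inline so it runs without an imaging library.

```python
# Added check, not code from the original post: measure how much of an
# anti-OCR image's noise survives the "keep only black pixels" filter the
# post describes. Run it on your own generated images; a survival ratio near
# 0 means the colored noise adds no protection. Images are constructed as
# lists of rows of (r, g, b) tuples so it runs without an imaging library.

BLACK = (0, 0, 0)
WHITE = (255, 255, 255)

def is_text_colored(pixel, tolerance=60):
    """A pixel counts as text if every channel is within tolerance of black."""
    return all(channel <= tolerance for channel in pixel)

def threshold_to_text_color(image, tolerance=60):
    """Copy of image where anything not near-black becomes white (the post's filter)."""
    return [[BLACK if is_text_colored(px, tolerance) else WHITE for px in row]
            for row in image]

def noise_survival_ratio(image, text_mask, tolerance=60):
    """Fraction of noise pixels (neither glyph nor background) still black after filtering; text_mask marks glyph pixels."""
    filtered = threshold_to_text_color(image, tolerance)
    total = survived = 0
    for y, row in enumerate(image):
        for x, px in enumerate(row):
            if text_mask[y][x] or px == WHITE:
                continue  # glyph or plain background, not noise
            total += 1
            if filtered[y][x] == BLACK:
                survived += 1
    return survived / total if total else 0.0

def build_sample(noise_color):
    """Constructed 3x4 image: a black glyph stroke in column 0 plus two noise dots."""
    image = [[WHITE] * 4 for _ in range(3)]
    mask = [[False] * 4 for _ in range(3)]
    for y in range(3):
        image[y][0] = BLACK
        mask[y][0] = True
    image[0][2] = noise_color
    image[2][3] = noise_color
    return image, mask

if __name__ == "__main__":
    red_image, mask = build_sample((200, 40, 40))   # multi-colored noise
    black_image, _ = build_sample(BLACK)            # noise drawn in the text color
    print("red noise survives:", noise_survival_ratio(red_image, mask))     # 0.0
    print("black noise survives:", noise_survival_ratio(black_image, mask)) # 1.0
```

Noise drawn in the same color as the glyphs is the only kind that survives this filter, which is the point the post makes about colored protections.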

Also, I found a second vulnerability: searching for the last part of the email in the page finder application on this site allowed you to list something like 15,000 email addresses in plain text, along with the name of the person who owns each one and the link to their personal homepage. This being the case, a program could easily be created to capture only the email, name, homepage name, and homepage link and tie all of that information together, possibly even in a database.

Finally, this folder that listed all the images was also served by an Apache version of 1.3.3.1, which is over 5 years old and vulnerable to multiple attacks (just google exploit-db and search on the site for that Apache version). Anyways, you get my point: a server hosting this set of images most likely stores other private information which should not be released.

Anyways, I would like to state that I have talked with the security staff of this website, and they informed me they have fixed or will soon fix these bugs so no one else who is more malicious will exploit said vulnerabilities. Hope you guys enjoyed this read. I will be attaching the example source code (which works) on how to remove anti-OCR protection; it also implements AspriseOCR, which is not free, but if you use an autoclick program you can have it automatically click the nag window so it will actually go through your images and output the text from them.

Source code in Java - http://www.mediafire.com/file/j1bxwdl7f880j8b/OcrSourceCode7z

===============================Disclaimer============================================
I would like to state that at no time will I disclose at what party this vulnerability (set of vulnerabilities) was found. I wish to keep the party's details anonymous due to the unknown effects that could happen if I were to release the party's information. Also, everything I am discussing here should ONLY be done for educational purposes, to study such possibilities. Do not, and I repeat, do not use any of this for malicious purposes.

Saturday, October 9, 2010

Windows Updates via the Command Line - The easy way

There have been many ways to try and update Windows from the command line, all of which range from medium difficulty to very difficult. Now it appears there is a free solution to install these updates via the command line, all from one pre-coded program.

WUInstall allows you to run this program from a command prompt, allowing you to update Windows without needing a GUI environment. This tool could be very useful to those who have to update a box remotely. For example, in a CTF event you could download and install the updates via the command line to help you lock down the box from access by anyone else.
The command to update via the command line is WuInstall.exe /install
It's that simple: after the command it will automatically download and install all the Windows security updates!!
I am going to post a link at the bottom of this post; I hope it helps you out!
http://www.wuinstall.com/

Friday, October 8, 2010

Louisville, Kentucky ISSA Capture the Flag 2010 - My writeup on making second place.

Okay, well, I guess I will just say before I get started that Adrian did an amazing job with the setup of the CTF event. Now down to business. I came in at 8:30 AM, and Adrian had that as the start time. So I went ahead and got started discovering the computers' ports and services with nmap. I was there until almost 10:00 AM before anyone showed up, and then there were only us two, who had never competed before, so it took FOREVER for us both to really get off the ground due to our limited experience. The first box, 10.0.0.1, was a Linux box running an Apache server and OpenSSH. The Apache server version was vulnerable, but Metasploit was having some issues trying to encode the exploit; even when I unset the encoder it still was trying to encode the exploit before using it. Anyways, 10.0.0.2 was originally a Windows XP SP0 box which I gained a shell to right when Adrian decided to switch up the setup on it, due to the fact that the other competitor had a 12-minute run with it, so I was behind. He replaced the SP0 box with an SP2 or SP3 box, not really sure which, as I focused the rest of my efforts on the wildcard box, which was a Windows 98 box. We were getting a shell but no session in the box; neither I nor my competitor managed to do it, so Adrian ended up giving an easy opportunity for points: he made the Windows 98 computer share its C drive on the network. My friend Jeff, who is my next door neighbor, was the one who found that he had shared the C drive on the network.

Jeff ended up just being a temporary team member, seeing as he was only there for about 30 minutes or so. But I "defaced" the website with my team name and scored 12 points; then Adrian changed the wildcard computer to a Linux box. So my competitor and I were tied. I scanned the Linux box 10.0.0.3; it had about 5-6 different services running, and about 2, maybe 3, services could have been exploited, but I found that the Samba version was the easiest to exploit and the most reliable. I used an exploit located under multi/samba/ in Metasploit. This gave me a reverse command shell, which I then had to run the /bin/bash command in to gain a remote shell with root access. The first thing I did was create 1-2 users which would be decoys; one was named "pwnme" and the other one I forgot the name of. Anyways, so I changed the root password as well in order to always keep access open to the box. The computer had OpenSSH running on it already, so I just ssh'ed to the box as the root user. "Purehate", who was one of the people moderating the competition, repeatedly killed my Metasploit exploit process, and he took the bait and deleted the created users and didn't focus on the root user. So I had a constant SSH session open to the 10.0.0.3 box. I started to gain consistent points, and then Purehate decided to switch things up: he removed all the defaced webpages, and then all of us had to go back in and re-deface the pages. One of my competitors (2 more had just registered around 1 PM) had gotten the exploit working on the 10.0.0.3 Linux box and managed to block my IP address with iptables. So I went in and changed my IP address to a static IP address so I could avoid the firewall rules he had installed. I SSHed back into the root user of the box, then used iptables to reject all other IP addresses except mine. I did make a newbie mistake and ended up blocking my own through a typo, and then no one could access the box, so Purehate had to go in and reset it.
I had rejected connections from the 10.0.0.99 box as well, which was the score box, and so I probably lost about 20 points before I realized it wasn't gaining any more points. The site was defaced; I was just not getting points for it anymore.

Then I fixed that mistake and started pulling farther ahead of my competitor. Purehate decided to pull a trick on us all, and on my end he deleted the /var/www/ folder, which was the website folder. I recreated the HTML file and went to the page to find out it still said the site didn't exist. I found out that in an Apache2 config he had changed the allowed website config to a directory under /root/, so I had to change it back. When I did, I found out he had deleted the www folder and I had to recreate it and the HTML file. Finally I was getting points again. But there was a team "uky" who no one knew, but they had control of the 10.0.0.1 box, or so we thought. They had set up a server with XAMPP and then ARP poisoned the scoring box to check their IP address for the 10.0.0.1 site. This allowed them to not have to exploit the box or deface the site; all it did was make it so the score box would see their site, while everyone else would have control of the boxes and actually deface the site but not receive points for it. I tried the password on the 10.0.0.1 box I had gotten from SQL injecting the website it was hosting. I logged in as greg and found a password which was used in the 2009 CTF. It turns out the uky team had already changed it, so my easy way into the box had been eliminated, and the exploit wasn't working which was supposed to work with the Apache version it was running.

Anyways, finally it came to a close when that team had pulled ahead of me and the other competitor. I ended up with 52 points and second place. The uky team had 130. Anyways, so I learned a HUGE amount during this conference; Adrian and the other people managing the competition gave us hints here and there, and if we didn't know a command to do something they would tell us the base command so we could figure out which command to use and then how to use it by looking at the help pages. For the last 2 hours of the competition I had the 10.0.0.3 box under my control, but the uky team basically bypassed it for that last hour, so I got no points. Anyways, I really enjoyed myself and will definitely compete next year; it was definitely interesting and fun to work on first hand the things everyone talks about with each other every day. Hope to see you there next year, everyone!!