Friday, August 21, 2020

Reversing Some C++ Io Operations

In general decompilers are not friendly with c++ let's analyse a simple program to get familiar with it.
Let's implement a simple code that loads a file into a vector and then save the vector with following functions:

  • err
  • load
  • save
  • main


Lets identify the typical way in C++ to print to stdout with the operator "<<"


The basic_ostream is initialized writing the word "error" to the cout, and then the operator<< again to add the endl.




The Main function simply calls  "vec = load(filename)"  but the compiler modified it and passed the vector pointer as a parĂ¡meter. Then it bulds and prints "loaded  " << size << " users".
And finally saves the vector to /tmp/pwd and print "saved".
Most of the mess is basically the operator "<<" to concat and print values.
Also note that the vectors and strings are automatically deallocated when exit the function.


And here is the code:


Let's take a look to the load function, which iterates the ifs.getline() and push to the vector.
First of all there is a mess on the function definition, __return_storage_ptr is the vector.
the ifstream object ifs is initialized as a basic_ifstream and then operator! checks if it wasn't possible to open the file and in that case calls err()
We see the memset and a loop, getline read a cstr like line from the file, and then is converted to a string before pushing it to the vector. lVar1 is the stack canary value.

In this situations dont obfuscate with the vector pointer vec initialization at the begining, in this case the logic is quite clear.



The function save is a bit more tricky, but it's no more than a vector iteration and ofs writing.
Looping a simple "for (auto s : *vec)" in the decompiler is quite dense, but we can see clearly two write, the second write DAT_0010400b is a "\n"



As we see, save implememtation is quite straightforward.




Related posts


Posted by at

re: Rank 1st in google with Content Marketing Strategy

hi
Get your business to the next level with a solid Content Marketing strategy
http://www.str8-creative.io/product/content-marketing/


Regards
Vicky Valdes  












Unsubscribe option is available on the footer of our website
Posted by at

Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.


One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
  • there is no "at" command (available since Windows 95 plus!)
  • there is no admin share
  • there is no RPC
  • there is no named pipes
  • there is no remote registry
  • there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)





It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:


Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:


LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.


Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites

Now let's look at the processes running:


After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...


My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:
  1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
  2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
  3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!


Cool new boot splash screen!


But our main interest is the new, scheduled tasks!


Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
  • use cool black windows theme
  • put meaningless performance monitor gadgets on the sidebar
  • use a cool background, something related with hacking and skullz
  • do as many opsec fails as possible
  • instead of captions, use notepad with spelling errorz
  • there is only one rule of metal: Play it fuckin' loud!!!!

Related word


  1. Pentest Recon Tools
  2. Hacking Tools Name
  3. Hack Tools Mac
  4. Best Hacking Tools 2019
  5. Hack Tools Github
  6. Hacking Tools Usb
  7. Pentest Tools For Ubuntu
  8. Pentest Tools Free
  9. Kik Hack Tools
  10. Hacking Tools Name
  11. Hacking Apps
  12. Ethical Hacker Tools
  13. Hacker Tools For Pc
  14. Hacker Tools Windows
  15. Hacking Tools For Mac
  16. Hak5 Tools
  17. Hacks And Tools
  18. Hacker Tools Mac
  19. Hak5 Tools
  20. Pentest Tools Online
  21. Beginner Hacker Tools
  22. Pentest Tools Kali Linux
  23. Beginner Hacker Tools
  24. Hacking Tools Usb
  25. Pentest Tools For Android
  26. Hacker
  27. Hacker Tools Online
  28. Hacking Tools And Software
  29. Hacker Search Tools
  30. Pentest Tools Kali Linux
  31. Hack Tools For Windows
  32. How To Hack
  33. Ethical Hacker Tools
  34. New Hack Tools
  35. Pentest Tools Framework
  36. Hack Tools 2019
  37. Hacking Tools Free Download
  38. Pentest Recon Tools
  39. Hackrf Tools
  40. Kik Hack Tools
  41. Best Hacking Tools 2019
  42. Best Hacking Tools 2019
  43. Physical Pentest Tools
  44. What Is Hacking Tools
  45. Hacker Tools Apk
  46. Hak5 Tools
  47. Hacking Tools Download
  48. Hacker Tools Github
  49. Nsa Hack Tools
  50. Hacker Tools Mac
  51. Hackrf Tools
  52. Pentest Tools Android
  53. Hacking Tools For Windows
  54. Android Hack Tools Github
  55. Hacker Tools 2020
  56. Pentest Tools Linux
  57. Blackhat Hacker Tools
  58. Pentest Tools
  59. Hack Tools For Windows
  60. Easy Hack Tools
  61. Hacker Tools Free Download
  62. Beginner Hacker Tools
  63. Underground Hacker Sites
  64. Hacker Tools Online
  65. Pentest Automation Tools
  66. Hack And Tools
  67. Easy Hack Tools
  68. Hacking Tools Free Download
  69. Pentest Tools List
  70. Hacking Tools For Games
  71. Pentest Tools Bluekeep
  72. What Are Hacking Tools
  73. Hacking Tools Windows
  74. Computer Hacker
  75. Hacking Tools Pc
  76. Hackrf Tools
  77. Free Pentest Tools For Windows
  78. Hacker Tools Linux
  79. Hack Tools 2019
  80. Hacker Tools Apk
  81. Free Pentest Tools For Windows
  82. Hacking Tools And Software
  83. Hacker Tools Mac
  84. Hacker Tools Hardware
  85. Hack Tools Online
  86. Pentest Tools Online
  87. Hacker Tools Software
  88. Hacker Tools Free
  89. Pentest Recon Tools
  90. Hacking Tools Usb
  91. What Are Hacking Tools
  92. Pentest Tools Github
  93. Pentest Tools Tcp Port Scanner
  94. Pentest Tools Website Vulnerability
  95. Hacking Tools Download
  96. Hacker Tools Mac
  97. Hacker Techniques Tools And Incident Handling
  98. Hacking Tools Software
  99. Pentest Tools Url Fuzzer
  100. Hack Tools 2019
  101. Pentest Tools Port Scanner
  102. Computer Hacker
  103. Pentest Tools Url Fuzzer
  104. Hacking Tools For Beginners
  105. Hacking Tools 2020
  106. Pentest Automation Tools
  107. How To Make Hacking Tools
  108. Pentest Tools Framework
  109. Pentest Tools Kali Linux
  110. Pentest Tools Free
  111. Hacking Tools Windows 10
  112. Hacking Tools For Mac
  113. Hacking Tools For Pc
  114. Hack Tools Github
  115. Hacking Tools Mac
  116. Pentest Tools Github
  117. Hack Tool Apk No Root
  118. Black Hat Hacker Tools
  119. Hacker Tools Apk
  120. Pentest Box Tools Download
  121. How To Hack
  122. Pentest Tools Download
  123. Usb Pentest Tools
  124. Nsa Hack Tools
  125. New Hack Tools
  126. Hacker Tools Github
  127. Pentest Tools For Android
  128. Hacking Tools For Kali Linux
  129. Hacking Tools
  130. Pentest Tools For Windows
  131. Hack Tool Apk No Root
  132. Pentest Tools For Android
  133. Pentest Tools Alternative
  134. Pentest Tools Tcp Port Scanner
  135. Hackers Toolbox
  136. Hack App
  137. Hacking Apps
  138. Hack Tool Apk
  139. Pentest Tools Kali Linux
  140. Pentest Tools Open Source
  141. Hacking App
Posted by at
Subscribe to: Posts (Atom)