Exploit vulnerability security

Internet Explorer XML corruption exploit on Windows vulnerability

2008-12-28T20:00:00.000-08:00

Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

Attackers can exploit this vulnerability to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.

This Vunerability will be easy exploit thorugh metasploit modules. This IE_XML exploits a vulnerability in the XML handling code of Internet Explorer. In order to execute code reliably, this module uses the .NET DLLmemory technique pioneered by Alexander Sotirov and Mark Dowd. This method is used to create a fake vtable at a known location with all methods pointing to our payload. Since the .text segment of the .NET DLL is non-writable, a prefixed code stub is used to copy the payload into a new memory segment and continue execution from there. This code is a very early version of what the final implementation will be and the API and this module will continue to be updated as progress continues.

Vista vulnerability

2008-11-11T13:10:00.000-08:00

This is one of the many from windows vista vulnerability that i know. This vulnerability is not very danger but when it being physical attack it will be danger. This vulnerability will gain access from vista without any password at all. We do this from the backtrack. So we can call this Backtrack Owning Vista OR we can call this Linux Owning Vista.

This video i take from offensive security. So let's see this, hope this will help you all. Thank's

MS08-067 exploit critical vulnerability

2008-10-28T19:49:00.000-07:00

One of the important news about the security on October 2008 is Microsoft release the patch MS08-067. This is because Microsoft found a serious security problem that could make an attacker gain an access through the remote execution of code, and used a hand to install the trojan house to the victim machine without user interaction.

This vulnerability will exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the server service and this vuln is capable of bypassing NX on some OS and Service Packs. This vuln can be easy exploit through metasploit module. On metasploit module we need to be point to correct target must be used to prevent the server service ( along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but windows 2003 targets will often crash or hang on subsequent attempts.

Adobe 8.1.3 exploit vulnerability

2008-09-13T16:48:00.000-07:00

Adobe Reader is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.

This Vulnerabilty will be easy exploit through metasploit module. This adobe_util exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional <>

Session Hijacking vulnerability

2008-08-07T13:52:00.000-07:00

In computer science, session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.

If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".

In this video from learn security online will show us session hijacking using a tool ferret and hamster.

MSSQL 2000 exploit on Windows vulnerability

2008-07-19T13:58:00.000-07:00

A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts.

It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process.

This video take from learn security online to show us how the attacker gaining access to our computer.

MS08-068 ( known as smb_relay exploit ) critical vulnerability

2008-07-10T22:20:00.000-07:00

SMBRelay and SMBRelay2 are computer programs that can be used to carry out SMB man in the middle (mitm) attacks on Windows machines.SMBrelay receives a connection on UDP port 139 and relays the packets between the client and server of the connecting Windows machine to the originating computer's port 139. It modifies these packets when necessary.

After connecting and authenticating, the target's client is disconnected and SMBRelay binds to port 139 on a new IP address. This relay address can then be connected to directly using "net use \\192.1.1.1" and then used by all of the networking functions built into Windows. The program relays all of the SMB traffic, excluding negotiation and authentication. As long as the target host remains connected, the user can disconnect from and reconnect to this virtual IP.

SMBRelay collects the NTLM password hashes and writes them to hashes.txt in a format usable by L0phtCrack for cracking at a later time.

As port 139 is a privileged port and requires administrator access for use, SMBRelay must run as an administrator access account. However, since port 139 is needed for NetBIOS sessions, it is difficult to block.

The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia

This Vulnerabilty will easy exploitable with metasploit (smb_relay). Smb relay will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. the connecting user is an administrator and network logins are allowed to the target machine, this smb relay module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt

is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation.

On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration

Recover password router with HYDRA

2008-06-01T21:59:00.000-07:00

If you forget your router password, don't be afraid. Now there is tool for recover it. Even tough this tool really old tool, but still useful. And tool name HYDRA. This tool you get in http://www.THC.org or link download.

This tool have many capabilities see the man-hydra. In this case perform you using hyra to recover password for router. This video credit to purehate from http://www.remote-exploit.org.

Vulnerability on Remote Dekstop Protocol Windows

2008-05-03T10:05:00.000-07:00

One of the most common techniques used by hackers to penetrate your network, is just plain-old password guessing. This goes for external hacking attempts as well as internal hacking attempts.This is the scenario how hackers can use tools to perform brute force password hacking in your Terminal Server environments and what you can to prevent these kinds of attacks.

Terminal Server environments are juicy targets for hackers. In this article I showed some techniques hackers can use to perform brute force attacks against local administrator accounts. I also showed you what you can do to prevent these attacks. Please keep in mind that these are just pointers and only make up a small part of the steps you should take to secure your Terminal Server environment.

Testing WEP security with fragmentation method

2008-04-22T12:58:00.000-07:00

This is how the attacker or the penetration tester testing your wireless security. Usually they attack using tool name aircrack-ng. This tool can be used by good guy or bad guy. So as they all say test your wireless before the bad guy do.

I have a video to show you how the scenario how to test our wireless security. This video come from offensive-security. So see carefully, hope this will help you.

ANI ANIMATION exploit on Windows vulnerability

2008-03-21T17:09:00.000-07:00

This exploit is very critical because it will attack the client. Why the client is so danger to this vulnerability? Ok let's we make some illustration here. The bank. Bank have a very good security procedure. So it almost impossible to attack it. And let's take another way "the client" what do you think?

The question is who is the client? what they use to open the e-mail? what is their operating system? what version is it? what is the browser they use? All of this question will you get if you do the social engineering technique. So when you get that information you can use some client side exploit like this example.

So, what the solution? Nothing we can do against this. All we can do is patch from the vendor. My solution here is learn some skill from bad guy world so you know how they do this and know how to prevent that. This video taken from offensive-security.

2008-02-01T14:54:00.000-08:00

This is video an old video and i think this video very awesome. this is scenario where it will tunneling some old exploit "dcom exploit" through SSH. As i read many source from the internet, they (security expert) say never put your trust 100% on security software, it just will help us to do a job. When the first time i read that, i don't believe it, but what can i say it true. The fact everyday there are many exploit out there public exploit or private exploit that have been created to hack in the server.

This video i get from the hackingdefined and this is by muts aka mati aharoni the author of backtrack. He create a good scenario here with a picture that make everybody understand.

Metasploit Autopwn

2008-01-01T17:30:00.000-08:00

This video will present how to do metasploit autopwn. it mean the framework ( Metasploit ) will search the exploit that match with the open port ( scan with Nmap ) from the victim computer. This feature from metasploit is very good for penetration tester to minimize a time for testing the server or computer client.

Backtrack Clean Install from the author

2008-01-01T10:23:00.000-08:00

This how usually people installing backtrack clean install. clean install mean no change at all from the source or never touch from the user. This video guide installing backtrack taken from offensive security from the author or maker of backtrack.

So i hope this video will help you installing backtrack a lot of easiar because i think it's very obvious and visually. And voice for explaination. Excellent video, and i recommended to see it first before installing backtrack to your harddisk.