Posts

Showing posts from 2013

[Tool] DLL Hijack Helper Updated with killcmd support

https://github.com/yehgdotnet/dll_hijack_helper

DLL Hijack Helper - Update
++++++++++++++++++++++++++++++

1. Run ProcMon
2. Set filter rule with result "NAME NOT FOUND"
3. Run your target application
4. Save ProcMon output as Logfile.CSV
5. Exit ProcMon
6. Edit dll-hijack-helper.py
7. Search and replace "target.exe" with your test application name.
8. Run dll-hijack-helper.py

Typical output looks like this:

------------------------------------------
Running DLL Hijack Helper - by Myo Soe , http://yehg.net
hijacker_dll_m5: e6744ebb969ce6373d3702d1e7f70487
hijacker_exe_m5: a56a094461f79a3be7c672d10fc413c3
----------------------------------
Created DLL -> D:\tmp\TestApp 32bit\msi.dll
[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to continue.
_y
Created DLL -> D:\tmp\TestApp 32bit\sfc_os.dll
[!] Launch the application to test it.
[!] Enter 'y' key if it works, other key to con

Testing CAPTCHA strength with GSA CAPTCHA Breaker

With sophisticated OCR technologies, today's CAPTCHA defenses in web applications have become weaker and weaker, partly because of the need to maintain usability. In this demo, we used the GSA CAPTCHA Breaker tool to test the effectiveness of sample CAPTCHA images.

[Tool] DLL Hijack Helper

New repo: https://github.com/yehgdotnet/dll_hijack_helper
https://code.google.com/p/yehg-core-lab-misc/source/browse/#svn%2Ftrunk%2Fdll-hijack-helper

This tool will aid you in your manual DLL Hijacking vulnerability hunting when the automatic approach does not work smoothly.

How-to
++++++++++++++++++++++++++++++

1. Run ProcMon
2. Set filter rule with result "NAME NOT FOUND"
3. Run your target application
4. Save ProcMon output as CSV
5. Run dll-hijack-helper.py

Thick-client Application Security Testing Series - First release

Security in thick-client applications has been considered "not necessary or not required". This misconception has been rooted in developers' minds and has shaped the way they develop critical applications. Thus, we've started the first release of our Thick-client application security testing training series, using trivial consumer-based applications. We'll be adding more videos later on.

http://core.yehg.net/lab/pr0js/training/thick-client-pt/

- Course Materials
- Tools
- Test vulnerable software

Source Code:: Ultimate Web Recon

Since our release of Ultimate Web Recon, we have been receiving requests from our community to provide its source code.  Thank you for your support and encouragement which have made YEHG a name in the security world. https://github.com/yehgdotnet/Web-Recon

Tool:: Ultimate Web Recon

UltimateWebRecon :: Download
https://github.com/yehgdotnet/Web-Recon

UltimateWebRecon :: Intro
With the prevalence of frame-busting scripts and the X-Frame-Options header, our web-based Recon page is likely to become unusable in the near future. So, we've coded a small Windows-based application that does the same.

UltimateWebRecon :: Minimum System Requirement
- Microsoft .NET Framework 4+ http://www.microsoft.com/en-us/download/details.aspx?id=17718

UltimateWebRecon :: Database Update
- Select Help > Update Database.

UltimateWebRecon :: Program Update
- The application should detect a program update automatically at the next launch after a database update.

UltimateWebRecon :: Database Structure
The application uses an XML data file, reconDb.xml, which contains a list of common web resources that we use in our daily penetration testing projects. You can examine the file's XML tag and attribute structure to add your own favorite URLs under classified categories. An example g

OWASP WebGoat Training Complete Package

In order to ease the pain of downloading each single file, or of waiting for each single movie file, we have prepared the complete WebGoat movie viewer package, just as you see on our WebGoat page. You can simply open "index.htm" to enjoy learning WebGoat. Alternatively, you can launch the included Python web server, movie-server.py, to enjoy learning from your browser.

Download: http://sf.net/projects/webappsecmovies/files/web/webgoat/%5B20130604%5D%20Complete-Webgoat-Training-Movies--by-YGN-Ethical-Hacker-Group_Myanmar.zip/download

New OWASP WebGoat movies

We have added the following movies to our OWASP WebGoat page in accordance with the latest version 5.4 - http://yehg.net/lab/pr0js/training/webgoat.php :

- CSRF Prompt By-Pass
- CSRF Token By-Pass
- Off-by-One Buffer Overflow
- Blind Numeric SQL Injection
- Modify Data with SQL Injection
- Add Data with SQL Injection

Enjoy Haxing WebGoat!

KNet Web Server Buffer Overflow Exploit (SEH)

This exploit takes advantage of a buffer overflow vulnerability in the KNet web server and attempts to gain SHELL access on the target host. See the demo video at the link below.

Exploit: https://code.google.com/p/yehg-core-exploits/source/browse/trunk/knet-web-server/knet_win7_bof-seh-sploit.rb
Demo: http://core.yehg.net/lab/pr0js/training/view/KNet_Win7_Sploit/

About KNet Web Server:
KNet is a small, functioning webserver which you can use to host a website from your very own hard drive! KNet is so small you can run your server from a floppy disk. As KNet is a freeware application you will never be charged for using the application or for updates. You can literally have your website up and running within 30 seconds of installing and running KNet. How's that for ease of use? And you need never see or think about KNet again, as it can happily run in your task bar.

Here are some key features of "KNet":
■ Custom 404 Error pages.
■ Password protection.
■ Ban IP addresses.

Huawei Mobile Partner | Permission Weakness Local Privilege Escalation

1. DESCRIPTION
Huawei Mobile Partner application contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is due to the application installing with insecure permissions. This allows a less privileged local attacker or compromised process to replace the original application binary with a malicious application, which will be executed by a victim user or upon a Mobile Partner Windows service restart.

2. BACKGROUND
Mobile Partner is a built-in application in Huawei 3G USB modems that allows you to connect to the 3G mobile network for Internet access. It is widely used by many telcos around the world.

3. VERSIONS AFFECTED
Tested version: 23.007.09.00.203.

4. PROOF-OF-CONCEPT/EXPLOIT
//// Tested on Windows
c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
c:\>accesschk -q "C:\Pro

TomatoCart 1.x | Cross Site Request Forgery Protection Bypass via JavaScript Hijacking

1. OVERVIEW
TomatoCart 1.x versions are vulnerable to Cross Site Request Forgery Protection Bypass.

2. BACKGROUND
TomatoCart is an innovative Open Source shopping cart solution developed by Wuxi Elootec Technology Co., Ltd. It is forked from osCommerce 3 as a separate project and is released under the GNU General Public License V2. Equipped with the web 2.0 technologies Ajax and Rich Internet Applications (RIAs), the TomatoCart Team is devoted to building a landmark eCommerce solution.

3. VULNERABILITY DESCRIPTION
TomatoCart 1.x versions contain a flaw related to the script '/admin/tocdesktop.php' failing to properly protect the JavaScript object "token", which is used to prevent Cross Site Request Forgery attacks. This allows an attacker to gain access to the token object via JavaScript Hijacking when an administrator user visits his crafted page. Using the compromised token value, the attacker will then be able to perform administrator-privi

TomatoCart 1.x | Vulnerable Piwik Extension

1. OVERVIEW
TomatoCart 1.x versions include an outdated and vulnerable Piwik extension < 0.5.5.

2. BACKGROUND
TomatoCart is an innovative Open Source shopping cart solution developed by Wuxi Elootec Technology Co., Ltd. It is forked from osCommerce 3 as a separate project and is released under the GNU General Public License V2. Equipped with the web 2.0 technologies Ajax and Rich Internet Applications (RIAs), the TomatoCart Team is devoted to building a landmark eCommerce solution.

3. VULNERABILITY DESCRIPTION
TomatoCart 1.x versions include an outdated and vulnerable Piwik extension < 0.5.5, according to the Piwik SVN checkout date specified in /ext/piwik/index.php. This Piwik version has known vulnerabilities such as Cross Site Scripting, Arbitrary URL Redirect and Denial-of-Service.

4. VERSIONS AFFECTED
1.x

5. PROOF-OF-CONCEPT/EXPLOIT
Refer to the REFERENCES section for the OSVDB site URL featuring known Piwik vulnerabilities.

6. SOLUTION
The vendor did

TomatoCart 1.x | Unrestricted File Creation

1. OVERVIEW
TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.

2. BACKGROUND
TomatoCart is an innovative Open Source shopping cart solution developed by Wuxi Elootec Technology Co., Ltd. It is forked from osCommerce 3 as a separate project and is released under the GNU General Public License V2. Equipped with the web 2.0 technologies Ajax and Rich Internet Applications (RIAs), the TomatoCart Team is devoted to building a landmark eCommerce solution.

3. VULNERABILITY DESCRIPTION
TomatoCart 1.x versions contain a flaw related to the /admin/json.php script's failure to properly restrict the files it creates. This may allow an attacker to create an arbitrary shell script to launch further attacks on the application server.

4. VERSIONS AFFECTED
Tested on 1.1.8, 1.1.5

5. PROOF-OF-CONCEPT/EXPLOIT
/////////////////////////////////////////////////////////////////////
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; t