Wednesday, 9 April 2014


Whatsapp Forensic/Stealer (Android) POC Paper

Posted by Unknown

Whatsapp? Your LAST SEEN wasn't my fault...

|| Sir, I want to hack WhatsApp chat? Please give me a tutorial link :P

This question made me write this simple POC tutorial on how to hack/steal WhatsApp chats from any Android phone (at an initial level). As we know, WhatsApp is one of the most popular mobile chat messengers these days, and it was recently acquired by Facebook.

Download this: HERE


Microsoft Windows Help Systems Vulnerabilities.

Posted by Unknown

1)      Introduction


Microsoft Windows operating systems, up to Windows 8, have had four help systems in total. The first, released in the days of Windows 3.x, is called “WinHelp” and uses the “HLP” file association. It is basically a set of RTF documents with some special formatting plus bitmap images, all compiled into a binary file (.HLP), with the ability to run macros automatically. Macros can jump to help topics, display an “open file” dialog, execute programs with parameters, open files and call DLL functions. There are 16-bit and 32-bit versions of WinHelp: 16-bit “.HLP” files are opened by the “winhelp.exe” application and 32-bit “.HLP” files by “Winhlp32.exe”. Native support for this help system ended with Windows XP and 2003. On Windows Vista and above only 16-bit “.HLP” files can be opened, in “Winhelp.exe”, and only if the operating system is 32-bit.

The second, released with Internet Explorer 4 and built into Windows 98, is called “HTML Help”. It is a set of HTML documents, an optional table-of-contents file and an optional index file, all compiled into a binary file with the CHM extension. It comes with an ActiveX control that can be embedded in Internet Explorer. That control can run programs with parameters via its “Shortcut” parameter, open arbitrary WinHelp (.HLP) files from the local computer or from SMB and WebDAV shares via its “winhelp” parameter, and inject script code into arbitrary pages when the user clicks a table-of-contents topic whose URL uses the “javascript:” protocol. This is called cross-domain scripting.

The third, built into Windows XP and 2003, is the “Help and Support Center”. It is basically a combination of compiled HTML files (.CHM), standalone HTML files and special XML files used for the window definition. Standalone HTML files are invoked through its internal URL protocol, “HCP:”. This URL protocol is also registered system-wide for the “Help and Support Center” executable (helpctr.exe). Files invoked through this protocol are treated like HTML Applications and can initialize and script arbitrary ActiveX controls. It has a nicer look than the classic HTML Help.

The fourth is the official new help system after HTML Help and started shipping with Windows Vista. It is also HTML based, but the HTML files are compiled into a binary (.H1S) file based on the Windows PE file format, and they are invoked through the *internal* “MS-HELP:” URL protocol. They are displayed in the “Help Pane” (helppane.exe) window. No file association or URL protocol is registered for this help system. It is used by native Windows applications and by third-party vendors' local help files.

Because these file types and the “HCP:” URL protocol are, by design, able to run arbitrary code on a system, anything involving them that bypasses a security mechanism of the operating system is considered a vulnerability. Naturally, the “.HLP” and “.CHM” extensions are on Microsoft's blacklist of unsafe file types.
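As an added example (not part of the advisory), the following Python recognises both compiled help formats by their headers rather than by extension, which matters because an extension blacklist like the one mentioned above is defeated by a simple rename. The header layouts are the public WinHelp (magic 0x00035F3F, directory offset, first free block, file size) and ITSF (“ITSF”, version, header length, timestamp, language id) ones; the sample byte strings are constructed headers padded with zeros, not real help files.

```python
import struct

HLP_MAGIC = 0x00035F3F      # WinHelp 3.x/4.x header magic, bytes 3F 5F 03 00
CHM_MAGIC = b"ITSF"         # HTML Help (ITSS container) signature
HELP_EXTENSIONS = {"hlp", "chm"}


def parse_winhelp_header(data: bytes):
    """Parse the 16-byte WinHelp header: magic, directory offset,
    first free block (-1 when none) and the file size the header claims.
    Returns None when the magic does not match."""
    if len(data) < 16:
        return None
    magic, dir_start, first_free, claimed_size = struct.unpack_from("<iiii", data, 0)
    if magic != HLP_MAGIC:
        return None
    return {
        "directory_start": dir_start,
        "first_free_block": first_free,
        "claimed_size": claimed_size,
        # a truncated or padded file no longer matches what its header says
        "size_matches": claimed_size == len(data),
    }


def parse_chm_header(data: bytes):
    """Parse the start of the ITSF header: signature, version, header
    length, a field that is 1 in practice, timestamp and Windows language id."""
    if len(data) < 24 or data[:4] != CHM_MAGIC:
        return None
    version, header_len, _one, timestamp, lang_id = struct.unpack_from("<IIIII", data, 4)
    return {
        "version": version,
        "header_length": header_len,
        "timestamp": timestamp,
        "language_id": lang_id,
    }


def classify_help_file(name: str, data: bytes):
    """Identify help content by its bytes and report whether the file
    extension agrees, so a renamed .chm or .hlp does not slip past an
    extension-only blacklist."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if parse_winhelp_header(data):
        kind = "WinHelp"
    elif parse_chm_header(data):
        kind = "HTML Help"
    else:
        kind = None
    return {
        "name": name,
        "kind": kind,
        "extension_mismatch": kind is not None and ext not in HELP_EXTENSIONS,
    }


# Constructed sample inputs: valid headers followed by zero padding.
SAMPLE_HLP = struct.pack("<iiii", HLP_MAGIC, 16, -1, 64) + b"\x00" * 48
SAMPLE_CHM = CHM_MAGIC + struct.pack("<IIIII", 3, 0x60, 1, 0, 0x0409) + b"\x00" * (0x60 - 24)
SAMPLE_TXT = b"Just a text file, nothing to see here.\r\n"

if __name__ == "__main__":
    for fname, blob in [("notepad.hlp", SAMPLE_HLP), ("readme.txt", SAMPLE_CHM), ("notes.txt", SAMPLE_TXT)]:
        print(classify_help_file(fname, blob))
```

The size check on the WinHelp header is the cheap consistency test a mail gateway or sandbox can apply before handing the file to a full decompiler such as HelpDeco.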



2)      Vulnerabilities involving these help systems.

  A)     Vulnerabilities involving Winhelp:

    1)      Microsoft VBScript  “MsgBox()” arbitrary HLP file execution vulnerability.

  This vulnerability could be exploited remotely via Internet Explorer: when a message box appeared and the user pressed the “F1” key, the help file it pointed to, located on a WebDAV or SMB share, was loaded. Reference: http://www.securityfocus.com/bid/38463



    2)      Microsoft “Winhlp32” HLP file processing stack overflow vulnerability. The vector for this vulnerability was the one above, but it is somewhat pointless, since “.HLP” files can run arbitrary code by design, via macros.

Reference:  http://www.securityfocus.com/bid/38473



    3)      Multiple programs “HLP” file loading hijack vulnerability.

    This vulnerability can be exploited remotely via SMB and WebDAV shares. Every program or dialog that has a question mark “?” help button runs Winhlp32.exe when the “F1” key is pressed, passing a relative path to a help file with a specific file name together with a context-sensitive help ID (a numeric value). Opening a file on a WebDAV or SMB share and then pressing “F1”, or a key combination such as “CTRL+O” followed by “F1”, causes the help file to be searched for on the share; if it exists there, it is loaded. The context-sensitive ID must be known; to obtain it, the legitimate help file located in “%systemroot%\help” must be decompiled with a tool such as “HelpDeco”. Affected programs include Notepad, Internet Explorer, the video display properties dialog (via .THEME files), the Windows “Open with” dialog, Mozilla Firefox, Google Chrome, and others.

    Reference:

    http://secumania.info/joomla/index.php/component/k2/item/15-multiple-programs-remote-hlp-winhelp-file-load-hijacking-vulnerability
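Added example, not from the advisory: detection logic for the hijack described above, run over constructed process-creation records. It resolves the help-file argument the way the viewer does (relative paths against the launching process's working directory, which is the share when the victim opened a file from it) and flags any launch whose help file ends up on a UNC path or outside %SystemRoot%\help. The key="value" log layout, host name and share paths are made up; hh.exe is included on the assumption that the CHM variant has the same shape, and %SystemRoot% is assumed to be C:\Windows.

```python
import re

HELP_VIEWERS = {"winhlp32.exe", "hh.exe"}   # hh.exe: assumption that the CHM hijack looks the same
HELP_EXTS = (".hlp", ".chm")
SYSTEM_HELP_DIR = r"c:\windows\help"        # assumption: %SystemRoot% is C:\Windows

# Constructed process-creation records in a made-up key="value" layout.
SAMPLE_LOG = [
    r'2014-04-07T10:11:12Z host1 ProcessCreate image="C:\Windows\winhlp32.exe" cmdline="winhlp32.exe notepad.hlp" cwd="\\10.0.0.5\share"',
    r'2014-04-07T10:12:00Z host1 ProcessCreate image="C:\Windows\winhlp32.exe" cmdline="winhlp32.exe C:\Windows\Help\notepad.hlp" cwd="C:\Users\alice"',
    r'2014-04-07T10:13:30Z host1 ProcessCreate image="C:\Windows\hh.exe" cmdline="hh.exe \\10.0.0.5\share\manual.chm" cwd="C:\Users\alice"',
    r'2014-04-07T10:14:05Z host1 ProcessCreate image="C:\Windows\explorer.exe" cmdline="explorer.exe" cwd="C:\Users\alice"',
]

FIELD_RE = re.compile(r'image="(?P<image>[^"]*)"\s+cmdline="(?P<cmdline>[^"]*)"\s+cwd="(?P<cwd>[^"]*)"')


def help_file_argument(cmdline):
    """Return the first quoted or bare token that names a .hlp/.chm file."""
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        token = quoted or bare
        if token.lower().endswith(HELP_EXTS):
            return token
    return None


def resolve_path(path, cwd):
    """Resolve the help path the way the viewer will: UNC and drive-absolute
    paths as given, rooted paths against cwd's drive or share, the rest
    against cwd itself."""
    if path.startswith("\\\\") or re.match(r"^[A-Za-z]:\\", path):
        return path
    if path.startswith("\\"):
        if cwd.startswith("\\\\"):
            parts = cwd.split("\\")          # ['', '', 'server', 'share', ...]
            root = "\\\\" + parts[2] + "\\" + parts[3]
        else:
            root = cwd[:2]                   # drive letter and colon
        return root + path
    return cwd.rstrip("\\") + "\\" + path


def assess_record(line):
    """Return a finding for a help-viewer launch, or None for anything else."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    viewer = m["image"].rsplit("\\", 1)[-1].lower()
    if viewer not in HELP_VIEWERS:
        return None
    arg = help_file_argument(m["cmdline"])
    if arg is None:
        return None
    resolved = resolve_path(arg, m["cwd"])
    low = resolved.lower()
    reasons = []
    if low.startswith("\\\\"):
        reasons.append("help file on a network share")
    if not low.startswith(SYSTEM_HELP_DIR + "\\"):
        reasons.append("help file outside %SystemRoot%\\help")
    return {"viewer": viewer, "help_file": resolved, "suspicious": bool(reasons), "reasons": reasons}


def scan(lines):
    """Assess every record and keep only help-viewer launches."""
    return [r for r in (assess_record(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In the sample, the first and third records are flagged (a relative name resolved onto the share, and an explicit UNC path), while the second, pointing into %SystemRoot%\help, is left alone.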


  B)      Vulnerabilities in HTML Help

  Since HTML Help includes an ActiveX control that can be embedded in IE, it has long been targeted by attackers. It has had buffer overflow vulnerabilities, script injection in local “.CHM” help files that went on to abuse the “shortcut” parameter of the ActiveX control, and local file access vulnerabilities. Finally, in 2004/2005 it was used to bypass an important security feature that had recently been introduced in Internet Explorer 6 on Windows XP SP2, called “Local Machine Zone Lockdown”. This feature makes Internet Explorer tighten its security settings for the Local Machine zone so that ActiveX controls cannot be initialized and script code cannot run. In March 2010 I published a vulnerability I had found about a year earlier: a CHM help file loading hijack that used TXT documents as the main attack vector. This vulnerability also bypassed the classic “open file” security warning when the user opened the TXT document from a WebDAV or SMB share and pressed the “F1” key. In 2011 a stack overflow vulnerability was found that could be combined with the CHM help file loading hijack, reducing the amount of user interaction required.



  References:

  http://secunia.com/advisories/38916

  http://aluigi.altervista.org/adv/chm_1-adv.txt





  C)      Vulnerabilities in Microsoft Help and Support Center

    1)      Help and Support Center DVD upgrade “website” parameter arbitrary URL injection vulnerability (MS04-015). This vulnerability allowed an attacker to inject an “HTTP://” URL into Help and Support Center, which was opened when the user pressed the “upgrade now” button:

    hcp://system/DVDUpgrd/dvdupgrd.htm?website=somesite.com/

    Reference:  http://exploitlabs.com/files/advisories/EXPL-A-2003-027-helpctr.txt


    2)      Help and Support Center file deletion vulnerability. This vulnerability allowed attackers to delete arbitrary files on a user's system:

    hcp://system/dfs/uplddrvinfo.htm?c:\somefile

    Reference:  http://www.securityfocus.com/bid/5478/exploit



    3)      Help and Support Center URI Handler Buffer Overflow vulnerability

    Buffer overflow in a specially crafted HCP:// URL

    Reference: http://www.securityfocus.com/bid/8828/discuss



    4)      Help and Support Center command line injection vulnerability.

    This vulnerability allowed an attacker to inject arbitrary URLs automatically into Help and Support Center. The quote in the URL closes the argument passed to helpctr.exe, so the rest is parsed as additional command-line switches:

    hcp://" -url "http://somesite.com



    5)      Help and Support Center whitelist bypass vulnerability

    Since the release of Service Pack 1 for Windows XP, Help and Support Center no longer allowed parameters to be passed to internal files, and only some of those files remained reachable through the “HCP://” URL protocol. This vulnerability allowed an attacker to bypass that whitelist and invoke arbitrary internal files. It could also allow injection of arbitrary external URLs, such as an HTTP:// site, if the URL

    hcp://system/errors/connection.htm?online_url=http://site.com

    was invoked. Combined with a cross-domain vulnerability in IE, an attacker could run arbitrary code in the context of the Local Machine zone, since that zone is allowed to access local files.



    6)      Help and Support Center cross site scripting weakness.

    A weakness exists in Help and Support Center that allowed an attacker to inject HTML and script code into an internal file (sysinfomain.htm). Since that file is processed by the “HCP://” URL protocol, the injected code can run arbitrary script:

    hcp://system/sysinfo/sysinfomain.htm?svr=<script>a=new%20ActiveXObject('Wscript.Shell');a.Run('calc.exe');</script>



    7)      Help and Support Center “topic” parameter cross domain scripting vulnerability

    I found this vulnerability myself on XP SP0 and have never seen it published anywhere, so it was possibly silently corrected in some update. It would have allowed an attacker to inject script code into arbitrary domains or security zones, leading to arbitrary code execution:

    hcp://system/centers/support?topic=javascript:alert(location.href);

    The above injects script code into hcp://system/firstpage.htm, but an attacker could inject code into any page. First load the target page:

    hcp://system/centers/support?topic=http://www.google.com

    Then, after a few seconds:

    hcp://system/centers/support?topic=javascript:alert(location.href);

    The script code is now injected into google.com.



    8)      Help and Support Center of Windows ME “REALURL” parameter arbitrary script execution vulnerability.

    Another vulnerability I found and never saw published. It allowed attackers to run arbitrary script code on the target computer when the user clicked a link. It could be combined with a click-hijacking vulnerability or something similar, because the user has to click the link to trigger it:

    hcp://system/error.htm?REALURL=javascript:eval(alert(location.href))



    9)      Help and Support Center drag and drop operation URL injection weakness.

    A weakness I found in CHM help topics displayed by Help and Support Center: links and files can be dropped into the window, and a dropped HTTP:// URL is processed by Help and Support Center. This can be combined with the XSS weakness above to run arbitrary code on the system.



    Reference:

    http://secumania.info/joomla/index.php/component/k2/item/16-microsoft-windows-help-and-support-center-multiple-vulnerabilities
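Added example, not part of the advisory: a small triage function that parses an hcp:// URL and classifies it by the injection shapes the items above have in common (a javascript: or <script payload in a parameter, an external URL or host name in a parameter, a local file path as the parameter, and a quote that breaks out of the command line). It is run over the URLs quoted above, verbatim; the finding labels are names chosen here, not the author's or Microsoft's.

```python
import re
from urllib.parse import parse_qsl

# Markers for the injection shapes the advisory shows.
SCRIPT_RE = re.compile(r"javascript:|vbscript:|<script", re.I)
# whole field is an absolute URL, or a dotted host name with an optional path
EXTERNAL_RE = re.compile(r"^(?:https?://\S+|[\w-]+(?:\.[\w-]+)+(?:/\S*)?)$", re.I)
LOCAL_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def parse_hcp(url):
    """Split an hcp:// URL into its internal target and decoded query
    parameters. Returns None for any other scheme."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "hcp":
        return None
    target, _, query = rest.partition("?")
    # parse_qsl percent-decodes; a bare "?c:\file" becomes a name with an empty value
    return target, parse_qsl(query, keep_blank_values=True)


def triage_hcp(url):
    """Return a sorted list of finding labels for one URL."""
    parsed = parse_hcp(url)
    if parsed is None:
        return []
    target, params = parsed
    findings = set()
    if '"' in url:
        # a quote closes the argument handed to helpctr.exe (item 4 above)
        findings.add("command-line-injection")
    if re.search(r"https?://", target, re.I):
        findings.add("external-target")
    for field in (f for pair in params for f in pair):   # check names as well as values
        if SCRIPT_RE.search(field):
            findings.add("script-injection")
        if LOCAL_PATH_RE.match(field):
            findings.add("local-file-path")
        if EXTERNAL_RE.match(field):
            findings.add("external-target")
    return sorted(findings)


# The URLs quoted in the advisory above, verbatim.
ADVISORY_URLS = [
    "hcp://system/DVDUpgrd/dvdupgrd.htm?website=somesite.com/",
    r"hcp://system/dfs/uplddrvinfo.htm?c:\somefile",
    'hcp://" -url "http://somesite.com',
    "hcp://system/errors/connection.htm?online_url=http://site.com",
    "hcp://system/sysinfo/sysinfomain.htm?svr=<script>a=new%20ActiveXObject('Wscript.Shell');a.Run('calc.exe');</script>",
    "hcp://system/centers/support?topic=javascript:alert(location.href);",
    "hcp://system/centers/support?topic=http://www.google.com",
    "hcp://system/error.htm?REALURL=javascript:eval(alert(location.href))",
]

if __name__ == "__main__":
    for u in ADVISORY_URLS:
        print(triage_hcp(u), u)
```

Every one of the eight URLs gets at least one label, which is the point: the bugs differ in which internal page and parameter they hit, but a proxy or mail filter only needs these few shapes to catch the whole family.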






  D)     Vulnerabilities in Microsoft Help 2.0 (Help Pane)

  None as of this writing, because there is no attack vector. The only theoretical one is DNS poisoning: redirecting Microsoft's domain name to an IP address of the attacker's choice when Help Pane fetches online help. Even then, the minimum user interaction would be pressing the “F1” key in an application that also has online topics.



Author: Eduardo Prado.

Vendor: Microsoft Corporation

Date: April 7th, 2014

Monday, 3 March 2014


Top 5 Social Engineering Exploit Techniques

Posted by Unknown


If you want to hack a corporation fast, Social Engineering (SE) techniques work every time, and more often than not they work the first time. I'm talking about in-your-face, mano-a-mano, live-in-the-flesh social engineering. Securing the information in the human mind is a monumental, colossal, epic task compared with securing digital data! So it is no surprise that it is also the largest gap in a corporation's IT security.

The security industry is constantly trying to create techno-widgets to help us with this human problem, but to date there are no bona fide solutions available. If you give someone access, no matter how many hoops you make him or her jump through to get there, then they are a human risk and subject to social engineering attacks.

I've collected a list of my top 5 social engineering techniques. These techniques come from a variety of sources. Some are from my experiences, some are from my customers, and some are from buddies who use social engineering attacks in their daily job as security consultants. Are you vulnerable to these techniques in your organization? Pick up the phone and try some of them (if you are authorized to, of course). I bet you won't be surprised when they all work.


1) Familiarity Exploit

This is one of the best and is a cornerstone of social engineering. In a nutshell, you try to make it appear perfectly normal to everyone that you should be there. Making yourself familiar to those you want to exploit helps lower their guard. People react differently to people they know, have talked to, or at least have seen around a lot. People are far more comfortable responding to and carrying out requests from familiar people than from complete strangers.

A familiar person, in the eyes of your mark, is perfectly normal and doesn't set off the "who is that and why are they here" alarm bells. Once you are familiar, you strike. Tailgating into a secure area behind someone who is familiar with you often works.


2) Creating a Hostile Situation

People withdraw from those who appear mad, upset or angry at something or someone other than themselves. For example, if you are on the phone faking a heated conversation, people around you will absolutely notice you, but they will also go out of their way to avoid you. You can create a hostile situation in a ton of different ways; just don't create one between you and your marks, as that rarely works. Instead, you want the hostile situation to be between you and your phone or your accomplice, or you mumbling to yourself as if you just had a huge argument with someone. If you need to go through areas where people would otherwise be likely to stop and question your presence, this technique comes in handy. If you are angry, people are much, much less likely to stop and question you. In fact, people are also much more likely to obey your wishes when you are angry. People just want to get rid of angry people, so it works well for asking people to open doors for you or to tell you where things are located, etc. A good real-world example: a buddy of mine wanted to sneak some alcohol into an amusement park. The park has a guard station that checks bags and uses a wand to detect metal. My buddy started a heated fight with his wife before they walked up, and the guards just waved them past the checkpoint without checking or wanding them!


3) Gathering and Using Information

When it comes right down to it, the key to being a successful social engineer is information gathering. The more information you have about your mark, the more likely you are to get what you want from him or her, obviously.

Good places to gather this info:

- Parking lot: cars that are unlocked (or are easily unlocked) might have security badges, uniforms, paperwork, intel, smart phones, wallets, all sorts of goodies you can use.
- Online sites like LinkedIn, Google, Facebook, MySpace, etc.
- Things in their workspace (posters, pictures, books, etc.).
- Asking their friends and colleagues. Pretend to be a manager from another office or branch.
- Tail them home or to their favorite watering hole. Try to figure out their patterns, interests, and the places they frequent. These are all good data points you can use to help make a personal connection with the mark.
- Dumpster diving. Sure, going through their trash is nasty, but the gems that will be there are invaluable.

4) Get a Job There

If the reward is worth it, just get a job at your target and grab all the information you can. Most small-to-medium-sized businesses do not perform even simple background checks on new hires. Most large companies do, but their checks are typically not very extensive. HR and hiring managers are almost never trained to spot the warning signs that they might be hiring someone with malicious intent. Once you are on the inside you become far more trusted, even if you are a lowly clerk. Social engineering a co-worker is usually a piece of cake, given the assumed trust you'll have as a fellow employee.



5) Reading Body Language

An experienced SE will read and respond to their mark's body language. In the eyes of master SE Chris Nickerson, body language, used effectively, is one of the most powerful connections you can make with a person. Breathe when they breathe, smile at the right times, recognize and adapt to their emotions, be friendly and polite but not too much so, if they appear nervous make them comfortable, if they are comfortable then exploit them, etc. Reading body language, if done well, can be your ticket to the crown jewels of a corporation. It makes people WANT to help you and feel good about doing so, as an act of kindness on their part. And not only will they want to help you, they won't go back later and analyze what they did ("Hey, now that I think about it, why did I let that guy into the datacenter today?"). Instead they will dwell on the help and goodwill they provided you.



6) Ok, I have to add a sixth one because it is so incredibly effective, probably more so than any of the previous techniques. Wait for it... SEX!

Women manipulating men to do their bidding is just part of being a guy. A guy trying to resist the manipulation of a great-looking girl who is flirting, dressing sexy, acting promiscuous, acting interested in him, blah, blah, blah, is about as easy as trying to hold your breath for 10 minutes. Bottom line: if your mark is a man and the SE is a woman, the SE's chances of success just shot up. Hey, all's fair; why not use biology in your favor?

So the last part is: how do you defend against social engineering attacks? The best defense you have against the human risk of social engineering is personnel training and awareness programs. Sure, that sounds boring and you'd much rather buy a widget or two to have in your security tool belt, but no widget will be as effective.

==== That's It ====

I'd like to hear your favorite social engineering techniques or any good SE stories you'd care to share. Huge thanks go out to the guys in 303 for contributing content and insights and for filling my head with awe-inspiring social engineering war stories!

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


file/path disclosure of Hide My WP plugin

Posted by Unknown


Google search: 
allinurl:/hide_my_wp=

Hits: 583
Submitted: 2014-02-05




I just found a Google dork that is a file/path disclosure for the Hide My WP plugin.

Google dork: allinurl:/hide_my_wp=

It will show the plugin's folder and all its files.

Thanks,

kamrul hassan arman



Search Oracle Reports

Posted by Unknown



Google search: 
inurl:"/reports/rwservlet" intext:"Oracle"

Hits: 550
Submitted: 2014-02-05



Search for Oracle Reports servers likely vulnerable to DB user/password disclosure
(CVE-2012-3152 and CVE-2012-3153) -- Felipe Molina


zimbra webmail login page lookup

Posted by Unknown


Google search: 
allinurl:"zimbra/?zinitmode=http" -google -github

Hits: 563
Submitted: 2014-02-05

© 2013 .CYBER INFECTED. WP Theme-junkie converted by Bloggertheme9