Posted on

Spring4Shell : Explained With POC

Hello, aspiring Ethical Hackers. In this article you will learn about Spring4shell, a new zero-day vulnerability that has been discovered in Spring Framework. Spring Framework is an open-source application framework for Java and is normally deployed with Apache Tomcat servers.

Vulnerability & Impact

There are two vulnerabilities affecting Spring Framework, one is in Spring Core and second is in Spring Cloud. The Spring Core RCE vulnerability impacts Java class objects. The vulnerability in Spring Core has been given name Spring4shell in the lines of Log4shell as both vulnerabilities affect a library. Although, it took its name from Log4shell, it is not as dangerous as its namesake.

This vulnerability affects all versions of Spring Core Framework running on JDK versions 9 and after. This vulnerability is tracked as CVE-2022-22965. There is another RCE in Spring Cloud Function versions <=3.1.6 and <=3.2.2.

Proof Of Concept

It’s time to see the exploitation of Spring4shell practically. Let’s create a new directory named spring4shell.

Clone the repository shown in the image below. This repository contains both vulnerable docker image and exploit.

Build the Docker image vulnerable to spring4shell as shown below.

You can check if the target is set or not by visiting the URL in browser.

If you get the above message, the target is ready. Run the exploit. The python exploit uploads a java web shell on the target after exploiting vulnerability.

spring4shell

The exploit completed successfully. The web shell can be accessed at above highlighted address.

The POC is succesful,

Posted on

Shellcode Injection into Windows Binaries

Hello aspiring Ethical Hackers. In this article, we will see how to perform Shellcode Injection into Windows executables. In hacking, Shellcode is a code usually written in machine language instructions that starts a command shell from which a hacker can control the compromised machine. Shellcode is normally used as a payload.

Windows binaries are those binaries that are already present by default on a Windows system. Just imagine you are pen testing a Windows machine and you want to gain access to it without bringing any third party Malware to the target system. How about using the files already present on the target system to execute your payload. This is also known as file less malware.

Windows by default has some binaries for its own genuine functions. However these can be utilized by malicious actors to execute their own payload which is not benign. Examples of these binaries are regsrvr32.exe, notepad.exe, calc.exe and rundll32.exe etc. Rundll32.exe is a binary used in Windows to link library for other Windows applications. Of course, readers know about Notepad and Calculator.

In this article, we will see how to inject shellcode into these Windows executables. For this, we will be using a tool named CactusTorch. CactusTorch is a shellcode launcher tool that can be used to launch 32 bit shellcode which can then be injected into any Windows binaries.

Let’s see how this tool works. CactusTorch can be cloned from GitHub as shown below from here.

Once the repository is cloned successfully, we need to create shellcode. Cactus torch is compatible with Metasploit and Cobalt strike. So let’s use msfvenom to create 32 bit shellcode.

The shellcode is successfully created and is stored in payload.bin file.

Next, encode this payload using base64 encoding as shown below.

shellcode injection

This shellcode can be hosted in different formats as shown below. These formats are already provided by Cactustorch.

Let’s see the example of hta file. Open the cactustorch.hta file using any text editor.

We can specify the binary you want to inject this shellcode into. For example, here we want to inject shellcode into rundll32.exe. Copy the base64 encoded shellcode at “Dim code”. Save the file. Start a Metasploit listener as shown below.

Next, all we have to do is make the user on target system execute the cactus torch.hta file. This can be done using social engineering. Now once someone clicks on it, we should get a successful meterpreter session as shown below.

Similarly, this shellcode can be hosted in JavaScript and also VB script and VBA files. That’s how shellcode injection can be performed in Windows binaries.

Posted on

ms08-067 exploitation to hack Windows XP

Hello aspiring ethical hackers. In this article, we will see how to exploit ms08-067 vulnerability to hack Windows XP. As our readers may already know by now, ms08-067 is a vulnerability in Windows 2000, Windows Server 2003 and Windows XP. It is a critical vulnerability that allows remote code execution on the target Windows system by sending a specially crafted RPC request to it.

This vulnerability doesn’t require any authentication or even user interaction on the target side. That’s the reason why it is ubiquitous in any ethical hacking course. We have exploited this vulnerability recently in our February 2021 Issue. But that was done using without Metasploit.

In this article, we will do this with Metasploit. For this, we have chosen our target as Windows XP SP2 and our Attacker system as Kali Linux. Most of the Antivirus ended their support to Windows XP SP2 (Windows XP SP3 is the minimum supported version. Even Real world systems running Windows XP SP2 are running without Anti Virus.)

So Nmap scan revealed a Windows target as shown below.

Start Metasploit and load the ms08_067 module.

Set all the required options and use check command to see if the target is indeed vulnerable.

The target is indeed vulnerable. Now, execute the module as shown below.

ms08-067

As readers can see, we successfully got a meterpreter session with SYSTEM privileges.

Posted on

Beginners guide to Packet sniffing

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about packet sniffing. Data doesn’t get hacked when it is sitting on a computer or a hard disk. It also gets hacked when it is in transit between one system and another system over internet. For example, in 2008, the Heartland Payment Systems which is one of the world’s largest credit card payment processors was hacked by two Russian hackers. After gaining access, they placed sniffers within the Heartland system. Using these sniffers, they collected 130 million credit card credentials.

What is Packet Sniffing?

Packet sniffing is an act or method of monitoring, gathering or collecting data or information while it is in transit from one system to another system (usually from client to server). Since data or information is transferred over internet in the form of small network packets, it is known as Packet sniffing.

Types of Sniffing

Sniffing can be classified into two types. They are Passive sniffing and Active sniffing.

1. Passive Sniffing:

In this type of sniffing, we just observe or monitor the traffic going around the network. There is no need of injection of any additional traffic into the network. To do this, we should be able to view the traffic belonging to all the devices in the network. This is only possible when all the devices in the network are connected through a Network hub. In a network connected by a hub, all the devices can see the traffic sent to all other devices on the network.

2. Active Sniffing:

In this type of sniffing, additional traffic has to be injected into the network to begin sniffing. This type of sniffing is performed in network connected by a switch.

What is a Sniffer?

Packet sniffing can be performed using either software or hardware. The software or appliance used to perform sniffing is known as a sniffer.

Examples of software sniffers include Wireshark, Tcpdump, Windump, Ettercap, dsniff, Kismet, Driftnet and Network miner etc.

Examples of Sniffing attacks

1. Password Sniffing:

This is the simplest form of sniffing attack as in this type of sniffing, sniffers just collect the data in transit silently. Although, sniffers are looking to sniff on credentials. any data that is not encrypted before being transmitted between two devices can be sniffed on. For example, protocols like FTP, Telnet and HTTP etc. transmit all data including credentials in clear text. Learn more about password sniffing attack here.

2. DNS Cache Poisoning:

Also known as DNS poisoning or DNS spoofing, this attack involves poisoning the cache of a DNS server. A Domain Name Server (DNS) resolves host names to the IP addresses and vice versa. So, if a DNS cache is poisoned with malicious entries, any user trying to visit a genuine website may be redirected to a fake malicious website.

3. MAC Flooding:

In this type of sniffing attack, attacker sends a large amount of traffic to the network switch to fill the MAC address table using fake MAC addresses. When the MAC address table is full, the network switch behaves like a hub.

4. MAC Spoofing:

Also known as ARP spoofing or ARP poisoning, in this attack, the attacker tries to spoof the MAC address of another device like a switch. This results in all the devices on the networks thinking that attacker-controlled computer is the switch and start sending traffic to it.

5. TCP Session Hijacking:

In this sniffing technique, also known as Session Hijacking, attacker steals the user’s session ID and impersonates as that user.

6. JavaScript Card Sniffing:

In this type of sniffing attack, hackers take control of a website and make changes to the javascript by adding malicious lines of code to it. These changes are done to collect any valuable information, like credentials, credit card numbers and other information.

7. DHCP attacks:

In this attack, DHCP server is flooded by the attacker with fake DHCP requests to use all the allocated IP addresses for that network.

Posted on

CVE-2022-25636 : Linux Privilege Escalation

Hello aspiring Ethical Hackers. In this article you will learn about another Linux Privilege Escalation vulnerability tracked as CVE-2022-25636 and its exploitation. I am saying another because this vulnerability comes immediately after recently discovered Linux Dirty Pipe vulnerability.

CVE-2022-25636 is a vulnerability that affects the Linux Netfilter component. What is netfilter? It is an open source framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Its functions include packet filtering, network address translation and port translation. All Linux Firewall utilities i.e Iptables, nftables, ufw etc use Netfilter in their operations.

Exploitation of this vulnerability can give attackers root privileges on the target system, allow them to escape containers and in worst case induce a kernel panic. This vulnerability affects Linux kernel versions 5.4 to 5.6.10. The target OS include Ubuntu, Debian, RedHat etc.

However, there’s no clarity on which kernel versions are actually vulnerable. In my testing, this failed to work on Ubuntu 21.10 kernel version 5.13.0-10 but worked every time on Ubuntu 21.10 with kernel version 5.13.0-30 (without giving any panic). Let’s have a look at how the exploitation worked for me.

To exploit this privilege escalation vulnerability, anybody needs to have access on the target system with Low User Privileges as shown below.

Once I have a shell on the target, I download the exploit from Github as shown below.

Next, I navigate into the CVE-2022-25636 directory and compile the exploit as shown below.

Then I executed the exploit as shown below.

cve-2022-25636

As readers can see, I successfully got a shell with root privileges.