OWASP HTTP Post Tool Released

BackTrack Final: Metasploit Tutorial: "How tough is it to really compromise a system? As an ethical hacking instructor, that is a question that I get asked quite frequently. My us..."

SecTor 2010 - Ryan Linn - Metasploit Tips and Tricks from Vivek Ramachandran on Vimeo.

 GGNS3 is a graphical network simulator that allows simulation of complex networks. It’s an excellent complementary tool to real labs for network engineers, administrators and people wanting to pass certifications such as CCNA, CCNP, CCIP, CCIE, JNCIA, JNCIS, JNCIE. It can also be used to experiment features of Cisco IOS, Juniper JunOS or to check configurations that need to be deployed later on real routers.


To allow complete simulations, GNS3 is strongly linked with:

• Dynamips, the core program that allows Cisco IOS emulation.
• Dynagen, a text-based front-end for Dynamips.
• Qemu, a generic and open source machine emulator and virtualizer.

Features Overview

• Design of high quality and complex network topologies.
• Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.
• Simulation of simple Ethernet, ATM and Frame Relay switches.
• Connection of the simulated network to the real world!
• Packet capture using Wireshark.

This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and MacOS X.
You can download GNS3 v0.7.2 here:
Windows All-in-one – GNS3-0.7.2-win32-all-in-one.exe
Windows Binary – GNS3-0.7.2-bin-win32.zip
Mac DMG Package – GNS3-0.7.2-intel-x86_64.dmg
Linux/Source – GNS3-0.7.2-src.tar.gz
Or read more here.

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.


It contains several options to try to bypass certain filters, and various special techniques of code injection.

New Features

• Added “final remote injections” option
• Cross Flash Attack!
• Cross Frame Scripting
• Data Control Protocol Injections
• Base64 (rfc2397) PoC
• OnMouseMove PoC
• Browser launcher
• New options menu
• Pre-check system
• Crawler spidering clones
• More advanced statistics system
• “Mana” ouput results

You can download XSSer v1.0 here:
xsser-1.0.tar.gz

Or read more here.

This article is a good demonstration or we can say POC for Cisco Router how to compromise devices and get into network.

Today only lazy or out from the IT sphere person never heard about Cisco. Company specialized in developing network devices and solving all related problems. IOS (Internetwork Operation System) is installed on Cisco networking equipment and allows flexible system configuration. There is different method for attacking Cisco devices but what we will be looking at is attacking Cisco devices using TCL.

1. Advisory Information

Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability
Advisory Id: CORE-2009-0827
Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow
Date published: 2010-02-09
Date of last update: 2010-02-08
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38073
CVE Name: CVE-2010-0243

3. Vulnerability Description

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.

4. Vulnerable packages

• Microsoft Office XP Service Pack 3
• Microsoft Office 2004 for Mac

5. Non-vulnerable packages

• Microsoft Office 2003 Service Pack 3
• 2007 Microsoft Office System Service Pack 1
• 2007 Microsoft Office System Service Pack 2
• Microsoft Office 2008 for Mac
• Open XML File Format Converter for Mac
• Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
• Microsoft Office Word Viewer
• PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2
• Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
• Microsoft Works 8.5
• Microsoft Works 9

6. Vendor Information, Solutions and Workarounds

Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

7. Credits

This vulnerability was discovered and researched by Damián Frizza from Core Security Technologies during Bugweek 2009 [1].

8. Technical Description / Proof of Concept Code

8.1. Excel / Word - OfficeArtSpgr container - invalid recType value leads to attacker controlled pointer usage [MSRC 9368]

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.

The precise affected executable version we tested is Excel.exe v10.0.6854 and the DLL is mso.dll v10.0.6845

Likely attack vectors include:

• Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment.
• Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious attachment.

The root cause description of the vulnerability is that there is no check to make sure that there is a valid group before loading the SPGR from the file.

A disassembly of the vulnerable code follows:

8.2. Memory Corruption related to Graphic Description [MSRC case 9562]

Core Security Technologies reported a second bug in Excel which resulted non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs.

9. Report Timeline

• 2009-09-04: Core Security Technologies notifies the Microsoft team of the vulnerability #1 and sends a Proof of Concept malformed file.
• 2009-09-04: Microsoft acknowledges receipt of the vulnerability report, and opens MSRC case 9368 to track this issue.
• 2009-09-07: Core sends a second Proof of Concept malformed file triggering vulnerability #2 in Excel 2000/2002.
• 2009-09-08: The Microsoft team acknowledges receipt of the information and estimates that they will have more detailed information in two weeks.
• 2009-09-11: The Microsoft team confirms that vulnerability #1 is exploitable. They inform us that they will send updated information on the fix release date as the investigation progresses.
• 2009-09-14: Core acknowledges receipt of the previous mail from the Microsoft team and reminds them that the publication date proposed by Core is November 24th, 2009.
• 2009-09-14: Core requests Microsoft's analysis of the second reported bug.
• 2009-09-14: Microsoft confirms that the first bug reported on Excel is exploitable and that they are working on defining a ship date. Microsoft also states that the bug reported as MSRC case 9154 / CORE-2009-0504 is not exploitable and no security bulletin will be issued for that case.
• 2009-09-16: Core notifies the Microsoft team that there has been a misunderstanding, and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not exploitable in July 2009. Core sends again the Proof of Concepts for the two bugs reported as CORE-2009-0827.
• 2009-09-17: Microsoft requests Core to hold off the publication of the advisory CORE-2009-0827 until Microsoft comes up with a plan to fix the vulnerability.
• 2009-09-21: Core notifies the Microsoft team that it had made a mistake in the names of the Proof of Concept files that lead to further confusion. Core confirms that two new bugs were reported and that the third non-exploitable bug belongs to another previous case/advisory. The Excel Proof of Concept files are sent again including identifier CORE-2009-0827.
• 2009-09-22: The Microsoft team acknowledges the clarification sent by Core and estimates that they will have a deeper analysis of the proof of concept #2 sent by Core in a few days.
• 2009-10-26: Core sends a summary of the status of the reported vulnerabilities, and requests from Microsoft additional information about its technical analysis of the reported bugs (in particular concerning exploitability of the second bug) and about its schedule to produce fixes.
• 2009-10-27: Microsoft confirms that they have reproduced the reported bugs, and communicates that they will be unable to release updates for these issues until February 9th, 2010.
• 2009-10-28: Core communicates that it is willing to reschedule the publication of its advisory provided that Microsoft gives technical information that justifies this decision.
• 2009-11-02: Microsoft explains that in general both the product team (in this case within Office) as well as MSRC Engineering team look for potential variant bugs for each vulnerability that is reported to them. This is followed by the development of a fix, and the testing of the fix. Microsoft states that it will be able to share additional technical information (requested by Core) about 3-4 weeks before release.
• 2009-11-02: Core confirms that it will reschedule publication of its advisory to February 9th, 2010, and that it looks forward to receiving technical information about the vulnerabilities.
• 2009-11-02: Microsoft acknowledges receipt of the previous communication.
• 2009-11-03: Core asks whether Microsoft considers the two bugs that have been reported as variants of the same problem, or as different issues.
• 2009-11-06: Microsoft replies that the vulnerability #2 has been lost in the mix, explains how MSRC triage officers assign MSRC tracking case numbers. The vulnerability #2 is assigned MSRC case 9562.
• 2009-11-06: Core confirms that it considers the second bug (MSRC 9562) to be a different bug than MSRC 9368.
• 2009-11-18: Microsoft sends a technical analysis of bug MSRC 9562, indicating that this bug causes Excel to crash safely.
• 2009-12-02: Microsoft sends technical information about bug MSRC 9368, including the root cause of the problem and the list of affected versions.
• 2009-12-16: Microsoft sends further analysis of bug MSRC 9562, which has been analyzed in conjunction with the reported bug MSRC case 9326 in Virtual PC. MSRC indicates that it has been unable to reproduce an exploitable condition using the Excel bug (MSRC 9562).
• 2009-12-22: Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees with the technical analysis.
• 2009-12-18: Microsoft sends a spreadsheet summarising Core cases, which indicates that fixes are confirmed to be released on March 9th 2010.
• 2009-12-21: Core acknowledges receipt of the technical information, and asks Microsoft whether the release of a fixed version has moved to March 9th 2010.
• 2009-12-21: Microsoft replies that the ship date for the vulnerability MSRC 9368 in MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical error).
• 2010-02-01: Core requests MSRC the list of non vulnerable versions of Excel / Office, and a statement for the "vendor information" section of the advisory.
• 2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non affected software.
• 2010-02-09: The advisory CORE-2009-0827 is published.

10. References

[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-003
http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Q: www.coresecurity.com