Feb 23, 2013

Nagios NRPE 2.13 Code Execution

CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: < 2.14
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
URL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability

nrpe 2.13 has, in src/nrpc.c, line 52:

#define NASTY_METACHARS         "|`&><'\"\\[]{};"

This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
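As an added illustration (not code from the advisory or from NRPE itself), the following Python mirrors the metacharacter check against the 2.13 blocklist quoted above and against a hardened list that additionally rejects $, ( and ); that hardened list is an assumption made for this example, not a copy of the vendor's 2.14 change.

```python
# Blocklist quoted from the advisory above (NRPE 2.13 NASTY_METACHARS).
NASTY_METACHARS_213 = "|`&><'\"\\[]{};"

# Hardened blocklist used only in this example: the 2.13 set plus '$', '('
# and ')' so that a bash command substitution is rejected.  This is an
# assumed illustrative mitigation, not a copy of the vendor's 2.14 change.
NASTY_METACHARS_HARDENED = NASTY_METACHARS_213 + "$()"


def contains_nasty_metachars(arg, blocklist=NASTY_METACHARS_213):
    """Mirror NRPE's check: True if any blocklisted character occurs in arg."""
    return any(ch in blocklist for ch in arg)


def accepted_arguments(args, blocklist=NASTY_METACHARS_213):
    """Return the plugin arguments that the filter would let through."""
    return [a for a in args if not contains_nasty_metachars(a, blocklist)]


# Constructed sample arguments: one benign, one using bash $() substitution
# (the case the advisory describes), one using backticks, which the 2.13
# list already catches.
SAMPLE_ARGS = ["-H localhost", "-H $(id)", "-H `id`"]

if __name__ == "__main__":
    print("2.13 list accepts:", accepted_arguments(SAMPLE_ARGS))
    print("hardened list accepts:",
          accepted_arguments(SAMPLE_ARGS, NASTY_METACHARS_HARDENED))
```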

Upgrade to NRPE 2.14 or later, available at
Source: http://dl.packetstormsecurity.net/1302-exploits/OSEC-2013-01.txt 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Feb 20, 2013

Howto: Hack website with Metasploit

This article discusses how to use Metasploit for scanning, crawling, and attacking web applications. I wrote this paper in 08/2012 but only released it earlier today. Please review it :)

Link: https://www.dropbox.com/s/9oxkkjd66vm16r1/How%20to%20hack%20website%20with%20Metasploit.pdf

Source: http://packetstormsecurity.com/files/120406 


Feb 18, 2013

Code injection – a simple PHP virus carried in a JPEG image

How to exploit this error?

The list of available attacks depends, of course, on the security level of the script. The easiest way is to put PHP code in a plain text file and save it under the extension of the target image/movie/file (e.g. virus.jpg).
(Un)fortunately, many web applications validate not only the file extension but also the internal structure of the uploaded file (e.g. by checking the dimensions of an image file with the getimagesize() function).
In that case you cannot simply change the file extension of the virus (e.g. from virus.php to virus.jpg), because the PHP script will detect a bad file format during the upload process. Fortunately, most binary files can carry PHP code without losing compatibility with the standard in which they were created.

A simple virus PHP step by step

While the described mechanism can be used with many different file formats, in this example I will describe an attack on a poorly protected PHP gallery.
To perform the code injection you only need a JPEG picture, an EXIF tag editor and a little knowledge of PHP.
I chose the PHP logo as a virus carrier and this program as an EXIF editor.
To create a virus, open the image with EXIF editor:
Then add a new tag (by pressing the plus button in the green circle), the new editing window will pop up:
From the drop-down list choose DocumentName as a type of the tag and copy-paste the code below as the tag value:
<style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead...<hr />"; phpinfo(); __halt_compiler(); ?></h1>
Click “Commit change(s)” to save the file:
Here is the result of my work, a JPG file with a hidden PHP code (you can download and try it yourself):

From now on, the PHP logo carries PHP code which is invisible to most picture viewers. You can quickly test the virus by uploading it to a badly written gallery and displaying it in a browser:
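The check that a gallery relying only on getimagesize() misses is a scan of the image's metadata segments for PHP open tags. The following Python is an added example, not code from the original article: it walks the JPEG marker structure and flags any APP/COM segment that carries a PHP tag, using constructed sample bytes (not real images) that are labelled as such in the code.

```python
import re
import struct

# PHP open tags that an interpreter would honour if the file were ever
# included or executed; the short echo tag "<?=" is covered as well.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def iter_jpeg_segments(data):
    """Yield (marker, payload) for every metadata segment before the scan data.

    SOI (FFD8) has no length; each later marker carries a 2-byte big-endian
    length that includes itself.  Stops at SOS (FFDA), where image data begins.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: no marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop here
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_php_in_jpeg(data):
    """Return [(marker, offset)] for each PHP open tag found in a segment.

    An empty list means the metadata is clean; anything else is grounds to
    reject the upload even though getimagesize() would accept the file.
    """
    return [(marker, m.start())
            for marker, payload in iter_jpeg_segments(data)
            for m in PHP_TAG_RE.finditer(payload)]


def _segment(marker, payload):
    """Build one JPEG segment: FF, marker byte, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real images): a JPEG header with one APP1 segment
# followed by an SOS marker.  The second carries a PHP tag in the metadata,
# as the EXIF DocumentName trick above does.
CLEAN_JPEG = b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00just a caption") + b"\xff\xda\x00\x02"
TAINTED_JPEG = (b"\xff\xd8"
                + _segment(0xE1, b"Exif\x00\x00<h1><?php phpinfo(); ?></h1>")
                + b"\xff\xda\x00\x02")
```

For a real upload handler, run find_php_in_jpeg() on the raw bytes in addition to the getimagesize() check, and reject the file whenever the list is non-empty.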

Source: http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/


4 Nmap Scripts for Hunting 2012 popular vulnerabilities

  1. MS12-020 RDP vulnerability (CVE-2012-0152): finds the DoS vulnerability in Terminal Server. (nmap --script rdp-vuln-ms12-020 target)
  2. PHP-CGI vulnerability (CVE-2012-1823): allows attackers to retrieve source code and execute code remotely. (nmap --script http-vuln-cve2012-1823 target)
  3. Samba heap overflow vulnerability (CVE-2012-1182): Samba 3.6.3 and all earlier versions are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection. (nmap --script samba-vuln-cve-2012-1182 target)
  4. Authentication bypass in MySQL and MariaDB servers (CVE-2012-2122): all MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable. (nmap --script mysql-vuln-cve2012-2122 target)
Source: http://news.thehackernews.com/4-nmap-scripts-for-hunting-2012-popular-vulnerabilities


Feb 17, 2013


tcpdump -i eth0 -l -A port http or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

Source: http://www.commandlinefu.com/commands/view/11867/tcpdump-sniff-pop3imapsmtp-and-http
